The svson.xyz blog

MDM4-1. IMEI? I'm YOUREI

Published:
Tags: mdm-story breaking-and-entering

As you may remember from the previous post, I pondered whether it’s possible to change the modem’s IMEI, which is supposed to be a unique identification number.

This is a slight peek behind the curtains as, in fact, I had root access to the modem and a full filesystem dump before I even started writing the first blogpost. As I was writing part 4 I decided to investigate the filesystem a bit further and discovered the templates directory for the web server (/etc_ro/web/tmpl, if you’ve got the modem filesystem available).

A thing stuck out to me, something that I didn’t spot in the web interface. Can you spot it?

drwxr-xr-x 19 svvv users 4.0K Mar 29 21:51 .
drwxr-xr-x 11 svvv users 4.0K Mar 29 21:51 ..
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 TR069
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 adm
-rw-r--r--  1 svvv users 3.7K Mar 29 21:50 band.html
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 firewall
-rw-r--r--  1 svvv users 5.1K Mar 29 21:50 home.html
-rw-r--r--  1 svvv users 1.4K Mar 29 21:50 imeiSetting.html
-rw-r--r--  1 svvv users 4.4K Mar 29 21:51 login.html
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 network
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 networkTool
-rw-r--r--  1 svvv users 2.7K Mar 29 21:50 network_lock.html
-rw-r--r--  1 svvv users 3.1K Mar 29 21:50 nosimcard.html
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 opmode
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:51 phonebook
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 sd
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 sms
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 status
-rw-r--r--  1 svvv users  784 Mar 29 21:50 switch_port.html
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 system
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 update
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 usb
drwxr-xr-x  5 svvv users 4.0K Mar 29 21:51 usrmanual
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 ussd
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 voip
drwxr-xr-x  2 svvv users 4.0K Mar 29 21:50 wifi

Maybe you noticed it. To build up suspense I left the most interesting template for last :).

Another thing I noticed is that the URL fragments map directly onto the template paths (wow, unexpected!), as follows:

/index.html#wifi_main  -> wifi/wifi_main.html gets rendered
/index.html#ota_update -> update/ota_update.html gets rendered

So let’s give a couple of these bad boys without buttons a try and see if we can find out some super secret functionality ;). Not all of them are accessible (probably meant for a different model), but some seem to work!
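A firmware reviewer would want the same comparison done repeatably rather than by eyeballing a directory listing: list every template in the dumped web root, work out which fragment each one would be reached by under the routing convention above, and report the ones the visible menu never links to. The script below is an added example, not code from this post or from the modem’s firmware. It assumes the convention observed here (fragment name = template basename without .html, regardless of subdirectory); the menu HTML and template paths are constructed sample data, and a real dump is read with walk_templates(<path>). As the post notes, being present in the dump does not mean a template is actually served, so the output is a list of review candidates, not confirmed pages.

```python
"""Find templates in a dumped web root that the visible menu never links to.

Added example (not from the svson.xyz post or the modem firmware). Assumes the
routing convention seen on the page: /index.html#wifi_main renders the template
whose basename is wifi_main.html, wherever it sits under the template root.
"""
import os
import re
from typing import Iterable

# Constructed sample: paths relative to /etc_ro/web/tmpl, taken from the
# listing in the post plus the two routed pages it names.
SAMPLE_TEMPLATES = [
    "home.html",
    "band.html",
    "imeiSetting.html",
    "adm/super.html",
    "wifi/wifi_main.html",
    "update/ota_update.html",
]

# Constructed stand-in for the navigation part of index.html: only the
# fragments that the visible menu actually links to.
SAMPLE_MENU_HTML = """
<ul id="menu">
  <li><a href="#home">Home</a></li>
  <li><a href="#wifi_main">WiFi</a></li>
  <li><a href="#ota_update">Update</a></li>
  <li><a href="/index.html#band">Band</a></li>
</ul>
"""

# href="#frag" or href="/index.html#frag"; captures the fragment only.
FRAGMENT_RE = re.compile(r'href="[^"#]*#([A-Za-z0-9_.-]+)"')


def linked_fragments(menu_html: str) -> set:
    """Fragments reachable from the menu, e.g. {'home', 'wifi_main', ...}."""
    return set(FRAGMENT_RE.findall(menu_html))


def template_fragment(path: str) -> str:
    """Map 'update/ota_update.html' to the fragment 'ota_update'."""
    base = os.path.basename(path)
    return base[:-5] if base.endswith(".html") else base


def unlinked_templates(menu_html: str, templates: Iterable[str]) -> list:
    """Templates present on disk that no menu link points at.

    These are the review candidates (leftovers, other-model pages, hidden
    admin functions). Whether each one is actually served must be confirmed
    separately; the filesystem dump alone cannot tell.
    """
    linked = linked_fragments(menu_html)
    return sorted(p for p in templates if template_fragment(p) not in linked)


def walk_templates(root: str) -> list:
    """Collect every .html under root, as root-relative paths (for a real dump)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".html"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


if __name__ == "__main__":
    for tmpl in unlinked_templates(SAMPLE_MENU_HTML, SAMPLE_TEMPLATES):
        print("not linked from menu:", tmpl)
```

Run against a real dump, the interesting part is the diff between this list and the vendor’s documented feature set: anything that changes identity or radio parameters (as imeiSetting.html does below) deserves a check that it is either removed from the shipped image or protected by the same authentication as the rest of the admin interface.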

There’s a template called adm/super.html. No idea what these settings are supposed to do. Maybe it won’t connect to the network when the “locked” cell isn’t in range. There was a significant amount of vertical whitespace in between the two entries, which has now been cropped for reading pleasure.

[Image: Hidden menu “Super”] Super menu turns out not to be so super

The hidden menu “Others” looks to be a leftover from an earlier frontend. The side menu buttons are also clickable and lead to some options not available from the default menu (e.g. DMZ, WiFi auto-sleep and UPnP settings).

[Image: Hidden menu “Others”] Other ain't too useful either

Maybe some other model of this modem supports running as a serial modem as well, since it looks like you could configure it as a serial port. This side menu is different from the one in “Others” as it has an extra USSD (Unstructured Supplementary Service Data, e.g. topping up prepaid credit with codes) sending function.

[Image: Hidden menu “USB”] ZTE dabbing on the Github community by using newspeak and oldspeak side-by-side

And finally we reach the hidden menu related to the title of this post. There’s a template called imeiSetting.html. Visiting the menu offers us three things to change: the IMEI, the WiFi MAC and the LAN MAC. Cool, a fancy menu to change your IMEI. No need to get into complicated command line solutions ;).

[Image: Hidden IMEI setting menu] No point in hiding my LAN MAC since I use a PC over WiFi

I didn’t feel like entering a random IMEI, because knowing my luck, I’d end up making up an IMEI that belonged to someone that’s most wanted in the world and have the peaceful public servants come and shoot my dog ;)). So I dug up an old cellular telephone that I hadn’t used for many years now that could serve as the IMEI donor for this little test.

[Image: IMEI before the change]

[Image: IMEI after the change]

Cool! The menu is fully functional! The change showed up both in the nv get output and in the web interface. I put in pictures of the nv tool as they’re smaller in size. I do have to take the administrative interface at its word, as I don’t have any method that would let me check whether that IMEI was registered in the operator’s network, but why would someone make a program that lies to you. I also didn’t check whether changing the IMEI in non-volatile memory directly with the nv tool behaves the same way, since the web based interface works fine enough.

Next part: MDM5. Doing filesystem cURL ups

Previous part: MDM4. A root without a shell
