[GUIDE] How to change IMEI on Snapdragon devices

guide-change-imei-snapdragon.md

[GUIDE] How to change IMEI on Snapdragon devices

FOR EDUCATIONAL PURPOSE ONLY, CHANGING IMEI IS ILLEGAL IN MOST COUNTRIES, MAKE SURE YOU CONVINCE YOUR ACTIONS BEFORE DOING THIS.

I DON'T RESPONSIBLE IF YOUR DEVICE IS BROKEN OR THE IMEI IS NOT CHANGED CAUSED BY YOU DIDN'T FOLLOW THE STEPS CAREFULLY OR HAVING A DIFFERENT EFS PARTITION SCHEME.

This guide was tested on Google Pixel 3, different device may also have a different EFS partition scheme, please make sure you adjust it with this guide. Other Google Pixel devices may use this guide without adjusting.

Prerequisites:

• Unlocked bootloader
• Magisk (rooted)
• Your device's TWRP image
• Android ADB & fastboot drivers
• Qualcomm HS-USB Diagnostics driver
• Android platform tools (ADB & fastboot)
• QFIL
• QCN IMEI Writer

You can also go to this Google Drive folder to get most of the prerequisites.

Notes #1

• Make sure the drivers are installed correctly.
• Make sure the Android platform tools (ADB & fastboot) path is set on the environment variables, guide here.

A. Backup your EFS partition

This is IMPORTANT since the partition stores your original IMEI and if you don't backup it you will lose your original IMEI FOREVER!

1. Boot into TWRP from fastboot mode.

fastboot boot <your_device's_twrp_image.img>

2. Execute this commands on Command Prompt, this will backup your EFS partition to the current working directory:

adb pull /dev/block/bootdevice/by-name/modemst1
adb pull /dev/block/bootdevice/by-name/modemst2
adb pull /dev/block/bootdevice/by-name/fsg
adb pull /dev/block/bootdevice/by-name/fsc

B. Backup your QCN file

We will use this file to modify the original IMEI to the preferred one. This step can be skipped if you already have a QCN file as long as it comes from the same device.

1. Reboot your device normally.
2. Execute this commands on Command Prompt, this will open adb shell with superuser privilege. Make sure you grant the access after executing the command once:

adb shell
su

3. After that then execute this commands, this will enable diagnostic mode:

resetprop ro.bootmode usbradio
resetprop ro.build.type userdebug
setprop sys.usb.config diag,diag_mdm,adb

4. Change your USB mode to anything else to reload your USB mode.
5. Open QFIL then click Select Port ... to select your device's COM port.
6. Go to Tools > QCN Backup Restore and click Browse ... to save your original QCN file.
7. Click Backup QCN to proceed, wait until it finishes.

C. Reset your EFS partition

Once the EFS and QCN are backed up, we need to reset the EFS partition. Why? because the IMEI needs to be empty in order to successfully change the IMEI. The modified IMEI won't take effect if you don't reset the EFS partition first.

1. Boot into TWRP from fastboot mode, just like the step 1 from section A.
2. Execute this commands on Command Prompt, this will resets your EFS partition:

adb shell
dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst1
dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst2
dd if=/dev/zero of=/dev/block/bootdevice/by-name/fsg
dd if=/dev/zero of=/dev/block/bootdevice/by-name/fsc
reboot

Once it reboots normally the signal will be lost (no service). Don't panic, this is intentional as the IMEI is already empty. When you dial *#06#, your IMEI is usually now starts with 004xxxx.

D. Modify the QCN file

We will change the IMEI that inside the QCN file that we have backed up before or the one that you already have.

1. Enable the diagnostic mode just like the step 1-4 from section B.
2. Open QCN IMEI Tool.
3. Click Load QCN then browse the QCN file that we have backed up before or the one that you already have.

As you can see the first two fields contains the IMEI inside the QCN file, if your device is single sim then only the first field will show up.

4. Paste your preferred IMEI to the third field, if your device is dual sim then also paste to the fourth field.
5. Click Replace and export QCN to save the modified QCN file.

E. Restore the QCN file

The final step, we need to "flash" the modified QCN file.

1. Enable the diagnostic mode (if you haven't) just like the step 1-4 from section section B.
2. Open QFIL then click Select Port ... to select your device's COM port.
3. Go to Tools > QCN Backup Restore and click Browse ... to your modified QCN file.
4. Click Restore QCN to proceed, wait until it finishes.
5. Reboot your device normally.
6. Done! You will now see the IMEI changed with your preferred IMEI.

If you wish to restore the original IMEI, follow these steps

1. Boot into TWRP from fastboot mode, just like the step 1 from section A.
2. Make sure the EFS partition files are on the same folder with the Command Prompt.
3. Execute this commands on Command Prompt, this will restore your EFS partition:

adb push modemst1 /tmp
adb push modemst2 /tmp
adb push fsg /tmp
adb push fsc /tmp
adb shell
dd if=/tmp/modemst1 of=/dev/block/bootdevice/by-name/modemst1
dd if=/tmp/modemst2 of=/dev/block/bootdevice/by-name/modemst2
dd if=/tmp/fsg of=/dev/block/bootdevice/by-name/fsg
dd if=/tmp/fsc of=/dev/block/bootdevice/by-name/fsc

4. Reboot your device normally.
5. Done! Your device's IMEI is now restored to the original state.

Notes #2

• Factory resetting or adding e-sim will cause the IMEI will go back empty again.
• You need to restore the QCN again if the IMEI is empty caused by above.

The editing utility is not available. I suggest using this https://xdaforums.com/t/guide-backup-edit-and-restore-qcn-fixing-lost-imei.4101611/post-82608841

Did you manage to fix the IMEI with that application?

Hello op, so much appreciated for the detailed guide you provided.

When I perform the "A. Backup your EFS partition", I have encountered the issue "No space left on device".

c:\platform-tools2>adb shell
cepheus:/ # dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst1
dd: /dev/block/bootdevice/by-name/modemst1: No space left on device
16385+0 records in
16384+0 records out
8388608 bytes transferred in 0.447 secs (18766460 bytes/sec)

Would you be able to shed some lights about how to solve it? Many thanks!

Once the EFS partition reset command is sent, it says "no space left on device" still the IMEI gets empty and don't show any more.

But after that to restore the QCN file, QFIL doesn't detect the phone, and can't restore the edited QCN file. (It shows phone id as ?)

If someone could fix that, please let me know

Hello op, so much appreciated for the detailed guide you provided.

When I perform the "A. Backup your EFS partition", I have encountered the issue "No space left on device".

c:\platform-tools2>adb shell cepheus:/ # dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst1 dd: /dev/block/bootdevice/by-name/modemst1: No space left on device 16385+0 records in 16384+0 records out 8388608 bytes transferred in 0.447 secs (18766460 bytes/sec)

Would you be able to shed some lights about how to solve it? Many thanks!

That's not an error, treat it as a success of filling up your modemst1 with zeros using dd!

OP is not original author of the guide, OP is https://web.archive.org/web/20240122172714/https://gist.github.com/uragiristereo/7668e067e3b0525d6e4d4b12d9f71344

But when i connect again to push the new QCN file, it doesn't detect the Qualcomm device. Just says connection error, And when seen in devices in QPST, there is a question mark on the available device and labeled as unknown, While the connected devices(correct ones) show a alpha numeric code.

…

On Thu, 13 Feb 2025, 6:05 am Ivan Stepanov, ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Hello op, so much appreciated for the detailed guide you provided. When I perform the "A. Backup your EFS partition", I have encountered the issue "No space left on device". c:\platform-tools2>adb shell cepheus:/ # dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst1 dd: /dev/block/bootdevice/by-name/modemst1: No space left on device 16385+0 records in 16384+0 records out 8388608 bytes transferred in 0.447 secs (18766460 bytes/sec) Would you be able to shed some lights about how to solve it? Many thanks! That's not an error, treat it as a success of filling up your modemst1 with zeros using dd! OP is not original author of the guide, OP is https://web.archive.org/web/20240122172714/https://gist.github.com/uragiristereo/7668e067e3b0525d6e4d4b12d9f71344 — Reply to this email directly, view it on GitHub <https://gist.github.com/Proxy13/91e9695eb1ae67950118a1673a27932b#gistcomment-5436806> or unsubscribe <https://github.com/notifications/unsubscribe-auth/A3JAHRD2WPGSN236MFTOOCL2PPVUVBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTENJRGA4DOMRZU52HE2LHM5SXFJTDOJSWC5DF> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .