@uragiristereo
Last active September 27, 2023 09:02

[GUIDE] How to change IMEI on Snapdragon devices

FOR EDUCATIONAL PURPOSES ONLY. CHANGING THE IMEI IS ILLEGAL IN MOST COUNTRIES; MAKE SURE YOU ARE CERTAIN ABOUT YOUR ACTIONS BEFORE DOING THIS.

I AM NOT RESPONSIBLE IF YOUR DEVICE IS BROKEN OR THE IMEI IS NOT CHANGED BECAUSE YOU DIDN'T FOLLOW THE STEPS CAREFULLY OR HAVE A DIFFERENT EFS PARTITION SCHEME.

This guide was tested on the Google Pixel 3. Other devices may have a different EFS partition scheme, so make sure you adjust the partition names in this guide to match your device. Other Google Pixel devices may use this guide without adjustment.

Prerequisites:

You can also go to this Google Drive folder to get most of the prerequisites.

Notes #1

  • Make sure the drivers are installed correctly.
  • Make sure the Android platform tools (ADB & fastboot) path is set in the environment variables (guide here).

A. Backup your EFS partition

This is IMPORTANT: the partition stores your original IMEI, and if you don't back it up you will lose your original IMEI FOREVER!

  1. Boot into TWRP from fastboot mode:
fastboot boot <your_device's_twrp_image.img>
  2. Execute these commands in Command Prompt; this will back up your EFS partition to the current working directory:
adb pull /dev/block/bootdevice/by-name/modemst1
adb pull /dev/block/bootdevice/by-name/modemst2
adb pull /dev/block/bootdevice/by-name/fsg
adb pull /dev/block/bootdevice/by-name/fsc

B. Backup your QCN file

We will use this file to modify the original IMEI to the preferred one. This step can be skipped if you already have a QCN file, as long as it comes from the same device.

  1. Reboot your device normally.
  2. Execute these commands in Command Prompt; this will open an adb shell with superuser privilege. Make sure you grant the access after executing the command once:
adb shell
su
  3. After that, execute these commands; this will enable diagnostic mode:
resetprop ro.bootmode usbradio
resetprop ro.build.type userdebug
setprop sys.usb.config diag,diag_mdm,adb
  4. Change your USB mode to anything else to reload the USB mode.
  5. Open QFIL, then click Select Port ... to select your device's COM port.
  6. Go to Tools > QCN Backup Restore and click Browse ... to choose where to save your original QCN file.
  7. Click Backup QCN to proceed and wait until it finishes.

C. Reset your EFS partition

Once the EFS and QCN are backed up, we need to reset the EFS partition. Why? Because the IMEI needs to be empty for the change to succeed: the modified IMEI won't take effect if you don't reset the EFS partition first.

  1. Boot into TWRP from fastboot mode, just like step 1 from section A.
  2. Execute these commands in Command Prompt; this will reset your EFS partition:
adb shell
dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst1
dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst2
dd if=/dev/zero of=/dev/block/bootdevice/by-name/fsg
dd if=/dev/zero of=/dev/block/bootdevice/by-name/fsc
reboot

Once it reboots normally, the signal will be lost (no service). Don't panic, this is intentional, as the IMEI is now empty. When you dial *#06#, your IMEI now usually starts with 004xxxx.

D. Modify the QCN file

We will change the IMEI inside the QCN file that we backed up before, or the one that you already have.

  1. Enable diagnostic mode, just like steps 1-4 from section B.
  2. Open QCN IMEI Tool.
  3. Click Load QCN, then browse to the QCN file that we backed up before or the one that you already have.

As you can see, the first two fields contain the IMEI(s) inside the QCN file; if your device is single-SIM then only the first field will show up.

  4. Paste your preferred IMEI into the third field; if your device is dual-SIM, also paste into the fourth field.
  5. Click Replace and export QCN to save the modified QCN file.

E. Restore the QCN file

The final step, we need to "flash" the modified QCN file.

  1. Enable diagnostic mode (if you haven't already), just like steps 1-4 from section B.
  2. Open QFIL, then click Select Port ... to select your device's COM port.
  3. Go to Tools > QCN Backup Restore and click Browse ... to select your modified QCN file.
  4. Click Restore QCN to proceed and wait until it finishes.
  5. Reboot your device normally.
  6. Done! You will now see the IMEI changed to your preferred IMEI.

If you wish to restore the original IMEI, follow these steps:

  1. Boot into TWRP from fastboot mode, just like step 1 from section A.
  2. Make sure the EFS partition files are in the same folder as the Command Prompt's current working directory.
  3. Execute these commands in Command Prompt; this will restore your EFS partition:
adb push modemst1 /tmp
adb push modemst2 /tmp
adb push fsg /tmp
adb push fsc /tmp
adb shell
dd if=/tmp/modemst1 of=/dev/block/bootdevice/by-name/modemst1
dd if=/tmp/modemst2 of=/dev/block/bootdevice/by-name/modemst2
dd if=/tmp/fsg of=/dev/block/bootdevice/by-name/fsg
dd if=/tmp/fsc of=/dev/block/bootdevice/by-name/fsc
  4. Reboot your device normally.
  5. Done! Your device's IMEI is now restored to its original state.
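The whole procedure hinges on the EFS backup from section A being intact when you come back to restore it, and a zero-byte or truncated `adb pull` is easy to miss. The script below is an added example, not part of the original gist: it records SHA-256 sums of the four images right after pulling them, rejects empty images, and refuses to run the restore `dd` commands unless every image still matches its recorded sum. It assumes `adb` and `sha256sum` (coreutils) on the host PATH, a device booted into TWRP, and the partition names used in this guide (modemst1, modemst2, fsg, fsc); adjust `EFS_PARTS` for a device with a different EFS layout.

```shell
#!/bin/sh
# Added example (not from the original gist): integrity-checked EFS backup
# and restore. Assumes: adb + sha256sum on PATH, device booted into TWRP,
# partition names as in the guide (adjust EFS_PARTS for other devices).

EFS_PARTS="modemst1 modemst2 fsg fsc"
BYNAME=/dev/block/bootdevice/by-name

# Pull each partition image into directory $1 and write $1/SHA256SUMS.
pull_efs() {
  dir=$1
  mkdir -p "$dir"
  for p in $EFS_PARTS; do
    adb pull "$BYNAME/$p" "$dir/$p" || return 1
  done
  write_manifest "$dir"
}

# Write a manifest of SHA-256 sums for the images in $1. Returns 1 if any
# image is missing or empty: a zero-byte pull is not a usable backup.
write_manifest() {
  dir=$1
  : > "$dir/SHA256SUMS"
  for p in $EFS_PARTS; do
    [ -s "$dir/$p" ] || { echo "missing or empty image: $dir/$p" >&2; return 1; }
    ( cd "$dir" && sha256sum "$p" ) >> "$dir/SHA256SUMS"
  done
}

# Verify every image in $1 against its manifest. Returns 0 only if all match.
check_manifest() {
  dir=$1
  [ -f "$dir/SHA256SUMS" ] || { echo "no manifest in $dir" >&2; return 1; }
  ( cd "$dir" && sha256sum -c --quiet SHA256SUMS ) >/dev/null 2>&1
}

# Restore the images from $1 only after the manifest check passes.
# The push/dd commands mirror the guide's restore section.
restore_efs() {
  dir=$1
  check_manifest "$dir" || { echo "refusing to restore: backup failed verification" >&2; return 1; }
  for p in $EFS_PARTS; do
    adb push "$dir/$p" /tmp/ || return 1
    adb shell "dd if=/tmp/$p of=$BYNAME/$p" || return 1
  done
}

# Usage on the host:  sh efs_backup.sh pull ./efs-backup
#                     sh efs_backup.sh restore ./efs-backup
case "${1:-}" in
  pull)    pull_efs "${2:-./efs-backup}" ;;
  restore) restore_efs "${2:-./efs-backup}" ;;
esac
```

Keep the `SHA256SUMS` file next to the images; `check_manifest` is also a quick way to confirm, months later, that a copy of the backup has not been damaged before relying on it.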

Notes #2

  • Factory resetting or adding an eSIM will cause the IMEI to become empty again.
  • If the IMEI becomes empty for either of those reasons, you need to restore the QCN again.
@DrXorthomson

DrXorthomson commented Dec 29, 2022

Hello...

Thank you for your great topic...

I have a (Xiaomi Note 11 Pro Plus 5G Indian Edition) (peux) ... Snapdragon 695 ... I applied the method... I took a backup copy and reset the EFS... But the device did not boot after that; it gives a message that NV files are corrupted, reboots continuously and enters recovery mode ... I used the Drepfest ROM... and I rooted it and entered Diag mode ... However, QFIL could not restore the QCN file... It gives a message (Restore QCN Fail: Restore QCN Fail Check Connection Fail) ... I tried a second ROM called (evolution), but it gave the same result!

Thank you.

@zanjie1999

zanjie1999 commented Jan 15, 2023

Not working for Mi Pad 4. After QCN backup and restore, it boots to 900e when Android starts.

12-09 17:21:39.197   767   767 I vendor.rmt_storage: rmt_storage_connect_cb: clnt_h=0x1 conn_h=0x7165c05010
12-09 17:21:39.197   767   767 I vendor.rmt_storage: rmt_storage_open_cb: /boot/modem_fs1: req_h=0x1 msg_id=1: Client found
12-09 17:21:39.197   767   767 I vendor.rmt_storage: rmt_storage_open_cb: /boot/modem_fs1: req_h=0x1 msg_id=1: Send response: res=0 err=0
12-09 17:21:39.197   767  1015 I vendor.rmt_storage: rmt_storage_client_thread: /boot/modem_fs1: Worker thread started
12-09 17:21:39.197   767  1015 I vendor.rmt_storage: wake lock name: rmt_storage_487032077648, name creation success: 24
12-09 17:21:39.198   773   773 D AudioPolicyManagerCustom: USE_XML_AUDIO_POLICY_CONF is TRUE
12-09 17:21:39.198   773   773 I         : Waiting for activity service
12-09 17:21:39.198   767   767 I vendor.rmt_storage: rmt_storage_connect_cb: clnt_h=0x2 conn_h=0x7165c05020
12-09 17:21:39.198   767   767 I vendor.rmt_storage: rmt_storage_open_cb: /boot/modem_fs2: req_h=0x2 msg_id=1: Client found
12-09 17:21:39.198   767   767 I vendor.rmt_storage: rmt_storage_open_cb: /boot/modem_fs2: req_h=0x2 msg_id=1: Send response: res=0 err=0
12-09 17:21:39.198   767   767 I vendor.rmt_storage: rmt_storage_disconnect_cb: clnt_h=0x1 conn_h=0x7165c05010
12-09 17:21:39.199   767  1016 I vendor.rmt_storage: rmt_storage_client_thread: /boot/modem_fs2: Worker thread started
12-09 17:21:39.199   767  1016 I vendor.rmt_storage: wake lock name: rmt_storage_487014264144, name creation success: 24
12-09 17:21:39.199   767   767 I vendor.rmt_storage: rmt_storage_disconnect_cb: clnt_h=0x2 conn_h=0x7165c05020
12-09 17:21:39.199   767   767 I vendor.rmt_storage: rmt_storage_connect_cb: clnt_h=0x3 conn_h=0x7165c05020
12-09 17:21:39.199   767   767 I vendor.rmt_storage: rmt_storage_open_cb: /boot/modem_fsg: req_h=0x3 msg_id=1: Client found
12-09 17:21:39.199   767   767 I vendor.rmt_storage: rmt_storage_open_cb: /boot/modem_fsg: req_h=0x3 msg_id=1: Send response: res=0 err=0
12-09 17:21:39.199   767  1017 I vendor.rmt_storage: rmt_storage_client_thread: /boot/modem_fsg: Worker thread started
12-09 17:21:39.199   767  1017 I vendor.rmt_storage: wake lock name: rmt_storage_486996450640, name creation success: 24
12-09 17:21:39.199   767   767 I vendor.rmt_storage: rmt_storage_connect_cb: clnt_h=0x4 conn_h=0x7165c05010
12-09 17:21:39.199   767   767 I vendor.rmt_storage: rmt_storage_open_cb: /boot/modem_fsc: req_h=0x4 msg_id=1: Client found
12-09 17:21:39.199   767   767 I vendor.rmt_storage: rmt_storage_open_cb: /boot/modem_fsc: req_h=0x4 msg_id=1: Send response: res=0 err=0
12-09 17:21:39.199   767   767 I vendor.rmt_storage: rmt_storage_disconnect_cb: clnt_h=0x3 conn_h=0x7165c05020
12-09 17:21:39.199   767  1018 I vendor.rmt_storage: rmt_storage_client_thread: /boot/modem_fsc: Worker thread started
12-09 17:21:39.199   767  1018 I vendor.rmt_storage: wake lock name: rmt_storage_486978637136, name creation success: 24
12-09 17:21:39.200   767   767 I vendor.rmt_storage: rmt_storage_disconnect_cb: clnt_h=0x4 conn_h=0x7165c05010
12-09 17:21:39.200   767   767 I vendor.rmt_storage: rmt_storage_connect_cb: clnt_h=0x5 conn_h=0x7165c05010
12-09 17:21:39.200   767   767 I vendor.rmt_storage: rmt_storage_open_cb: Unable to open /boot/modem_fsg_oem_1
12-09 17:21:39.200   767   767 I vendor.rmt_storage: rmt_storage_open_cb: : req_h=0x5 msg_id=1: Send response: res=1 err=3
12-09 17:21:39.200   767   767 I vendor.rmt_storage: rmt_storage_connect_cb: clnt_h=0x6 conn_h=0x7165c05020
12-09 17:21:39.200   767   767 I vendor.rmt_storage: rmt_storage_open_cb: Unable to open /boot/modem_fsg_oem_2
12-09 17:21:39.200   767   767 I vendor.rmt_storage: rmt_storage_open_cb: : req_h=0x6 msg_id=1: Send response: res=1 err=3
12-09 17:21:39.200   767   767 I vendor.rmt_storage: rmt_storage_disconnect_cb: clnt_h=0x5 conn_h=0x7165c05010
12-09 17:21:39.200   767   767 I vendor.rmt_storage: rmt_storage_disconnect_cb: clnt_h=0x6 conn_h=0x7165c05020
12-09 17:21:39.201   767   767 I vendor.rmt_storage: rmt_storage_connect_cb: clnt_h=0x7 conn_h=0x7165c05020
12-09 17:21:39.201   767   767 I vendor.rmt_storage: rmt_storage_alloc_buff_cb: /boot/modem_fs1: req_h=0x7 msg_id=4: Alloc request received: Size: 0
12-09 17:21:39.201   767   767 I vendor.rmt_storage: rmt_storage_alloc_buff_cb: /boot/modem_fs1: req_h=0x7 msg_id=4: New client making a dummy request with buffer req size 0
12-09 17:21:39.201   767   767 I vendor.rmt_storage: rmt_storage_alloc_buff_cb: /boot/modem_fs1: req_h=0x7 msg_id=4: Send response: res=0 err=0
12-09 17:21:39.201   767   767 I vendor.rmt_storage: rmt_storage_disconnect_cb: clnt_h=0x7 conn_h=0x7165c05020
12-09 17:21:39.201   767   767 I vendor.rmt_storage: rmt_storage_connect_cb: clnt_h=0x8 conn_h=0x7165c05020
12-09 17:21:39.201   767   767 I vendor.rmt_storage: rmt_storage_rw_iovec_cb: /boot/modem_fs1: req_h=0x8 msg_id=3: R/W request received
12-09 17:21:39.201   767   767 I vendor.rmt_storage: wakelock acquired: 1, error no: 42
12-09 17:21:39.202   767  1015 I vendor.rmt_storage: rmt_storage_client_thread: /boot/modem_fs1: Unblock worker thread (th_id: 487032077648)
12-09 17:21:39.202   767  1015 I vendor.rmt_storage: rmt_storage_client_thread: /boot/modem_fs1: req_h=0x8 msg_id=3: Bytes read = 512
12-09 17:21:39.203   767  1015 I vendor.rmt_storage: rmt_storage_client_thread: /boot/modem_fs1: req_h=0x8 msg_id=3: Send response: res=0 err=0
12-09 17:21:39.203   767  1015 I vendor.rmt_storage: rmt_storage_client_thread: /boot/modem_fs1: About to block rmt_storage client thread (th_id: 487032077648) wakelock released: 1, error no: 0
12-09 17:21:39.203   767  1015 I vendor.rmt_storage:
12-09 17:21:39.203   767   767 I vendor.rmt_storage: rmt_storage_connect_cb: clnt_h=0x9 conn_h=0x7165c05010
12-09 17:21:39.203   767   767 I vendor.rmt_storage: rmt_storage_rw_iovec_cb: /boot/modem_fs2: req_h=0x9 msg_id=3: R/W request received
12-09 17:21:39.203   767   767 I vendor.rmt_storage: wakelock acquired: 1, error no: 42
12-09 17:21:39.203   767   767 I vendor.rmt_storage: rmt_storage_disconnect_cb: clnt_h=0x8 conn_h=0x7165c05020
12-09 17:21:39.204   767  1016 I vendor.rmt_storage: rmt_storage_client_thread: /boot/modem_fs2: Unblock worker thread (th_id: 487014264144)
12-09 17:21:39.204   767  1016 I vendor.rmt_storage: rmt_storage_client_thread: /boot/modem_fs2: req_h=0x9 msg_id=3: Bytes read = 512
12-09 17:21:39.204   767  1016 I vendor.rmt_storage: rmt_storage_client_thread: /boot/modem_fs2: req_h=0x9 msg_id=3: Send response: res=0 err=0
12-09 17:21:39.204   767  1016 I vendor.rmt_storage: rmt_storage_client_thread: /boot/modem_fs2: About to block rmt_storage client thread (th_id: 487014264144) wakelock released: 1, error no: 0
12-09 17:21:39.204   767  1016 I vendor.rmt_storage:
12-09 17:21:39.204   767   767 I vendor.rmt_storage: rmt_storage_disconnect_cb: clnt_h=0x9 conn_h=0x7165c05010
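
The capture above is the modem's remote-storage service (`rmt_storage`) opening its EFS images at boot; the lines worth pulling out of a long logcat are the `Unable to open <path>` entries and the `res=1 err=N` response that follows each one, since they show which images the modem could not read after an EFS write or QCN restore. The script below is an added example, not from the gist or any commenter: it extracts those failures and counts them so a capture can be triaged without reading it line by line. It assumes a plain logcat text file in the format shown above; the sample lines it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the gist or any commenter): triage rmt_storage
# open failures in a logcat capture. Assumes the plain logcat format shown
# in the comment above; the sample log below is constructed.

# Print "<path> err=N" for every failed rmt_storage_open_cb in log file $1.
# The failure spans two lines: "Unable to open <path>" and then the
# "Send response: res=1 err=N" for the same request, so pair them in awk.
rmt_open_failures() {
  awk '
    /rmt_storage_open_cb: Unable to open/ { path = $NF; next }
    path != "" && /Send response: res=1/ {
      err = $NF; sub(/^err=/, "", err)
      print path " err=" err
      path = ""
    }
  ' "$1"
}

# Number of open failures in $1; 0 means every EFS image opened cleanly.
rmt_open_failure_count() {
  rmt_open_failures "$1" | wc -l | tr -d ' '
}

# Write a constructed sample capture to $1: one successful open and two
# failures, in the same layout as the real rmt_storage lines above.
write_sample_log() {
  cat > "$1" <<'EOF'
12-09 17:21:39.199   767   767 I vendor.rmt_storage: rmt_storage_open_cb: /boot/modem_fs1: req_h=0x1 msg_id=1: Send response: res=0 err=0
12-09 17:21:39.200   767   767 I vendor.rmt_storage: rmt_storage_open_cb: Unable to open /boot/modem_fsg_oem_1
12-09 17:21:39.200   767   767 I vendor.rmt_storage: rmt_storage_open_cb: : req_h=0x5 msg_id=1: Send response: res=1 err=3
12-09 17:21:39.200   767   767 I vendor.rmt_storage: rmt_storage_open_cb: Unable to open /boot/modem_fsc
12-09 17:21:39.200   767   767 I vendor.rmt_storage: rmt_storage_open_cb: : req_h=0x6 msg_id=1: Send response: res=1 err=3
EOF
}

# Usage:  adb logcat -d > boot.log && sh rmt_triage.sh boot.log
if [ -n "${1:-}" ]; then
  rmt_open_failures "$1"
  echo "open failures: $(rmt_open_failure_count "$1")"
fi
```

Run it against a `logcat -d` dump taken right after the device comes up; whether a particular failed path matters on a given device (the capture above shows `modem_fsg_oem_*` failing on a Mi Pad 4) is something to compare against a capture from the same device before the EFS was touched.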

@tidelust

Is there any way to write the IMEI directly to the EFS partition so that it'll survive a factory reset or adding an eSIM?

@e181360

e181360 commented May 29, 2023

Hi, will the IMEI be reset to null or zero if I install Pixel Experience after following all these steps?

@NicoCoded

Any QCN tool available that's not bundled with backdoor & cryptominer?

@Louispowwwwwww

Every time I reinstall the OS, will the IMEI go back to the original?

@UltraStriker7

Is it possible with the Realme GT Master Edition? Mine needs the IMEI changed, and the programs only read the IMEI and say that it is encrypted. Can it be done? Qualcomm Snapdragon 778G 5G, please, I need help.

@SebbesApa

Any QCN tool available that's not bundled with backdoor & cryptominer?

I want to know this as well.

@pafonin

pafonin commented Sep 3, 2023

How do I change the MAC address?

@liko28s

liko28s commented Sep 19, 2023

I have tried to restore the IMEI on a Samsung Galaxy S20 FE SM-G780G. In my case, after restoring the QCN file, the IMEI remains unchanged (with the same IMEI).
Is there any other method to restore the QCN file?

@ahmadudin

Hi mas @uragiristereo, have you found a way to prevent the IMEI from being empty again after a factory reset?
