(2023-11-20) Is this the true end of the epoch for Nokia phones? Not sure yet
-----------------------------------------------------------------------------

Finally, something about phones on this phlog. Moreover, about phones of
my favorite brand. I could blabber about any (genuine) Nokias from 1993 up
to 2023 for hours but there's a single thing I always lacked in them
(except KaiOS models which compensate for it with plenty of other issues):
ability to edit IMEIs without special boxes or proprietary software. This
_might_, however, be about to change sooner than we think. A 30-year epoch
of untouchable IMEIs in Nokia non-smartphones might come to an end in the
foreseeable future.

I personally thought it would never be possible until I realized that the
newest (2023-made and probably some 2022-made) Nokia feature phones (with
non-smartphone hardware, that is) are no longer made in Vietnam like they
were before. I also heard HMD had set up some local manufacturing for the
Indian market, well, in India, but as I'm not there, this doesn't concern
me much. All current-gen Nokia feature phones produced this year onwards
and sold where I live — 105-2023 2G, 106-2023, 110-2023 2G, 130-2023 and
150-2023 — are coming to us from China. Yes, officially. These are not
fakes. For the first time in history, we see official Nokia-branded keypad
phones manufactured in mainland China.

This was enough for me to pick one of them and see all the differences
from the previous models. As HMD fully stopped announcing the chipset for
their GSM-only models, it was a bit of hit and miss for me, but I ordered
a new 130. And when it arrived, I was surprised it didn't have Unisoc
SC6531F or something like that (I know that the new 105 and probably 106
and 110 do have SC6531E inside), but was still running on MediaTek
MT6261D. Anyway, this was only the beginning of my surprises.

So, here it is, the model TA-1576, Nokia 130 2023.
In some regions, it's called 130 Music, and for the market of mainland
China itself it was released as a 125 (probably because they totally
missed the real 125... and for the greater good, I must add). It is quite
a large barphone, dimensionally similar to the aforementioned 125 but a
tiny bit thinner and narrower, which is a good thing in this case, and
sporting yet another new removable battery type, BL-L5H with 1400 mAh
rated capacity. As if the well-known BL-4UL wasn't good enough for that.
Also, it looks like they changed the UI font one more time, no one knows
what for. Anyway, judging merely by this amount of NIH syndrome, I thought
that the inside of the phone would be just as different. Oh, how damn
right I was...

You see, I didn't even have to dump the firmware with MTreader, as the
main partitions seem to be encrypted anyway, to see the obvious: this
phone, or at least its board, was made in a totally different place. In
case you didn't know, all of the Vietnamese MediaTek-based Nokias (that
were running on MT6260, then MT6260A and MT6261D) tried to conceal in
every possible way they were MediaTek-based. The Series30+ was a major
overhaul of MAUI, and a good one at that. Not a single MAUI-specific
secret code, besides a couple of debug-oriented ones, actually worked on
those devices. Microsoft and then HMD spent a lot of effort even to
conceal the fact those phones had an AT command interface... Well, not for
long, but those events are already history, and I'm glad I was a part of
it. But the fact remains the fact: on those Nokias, you couldn't even dial
the *#63342835# (*#mediatek#) code and see the "MediaTek" word. If you
could do this, it was an outright sign of a fake.

Well, guess what: on this new fully official and original 130, you can.
You also can enter an engineering menu with *#3646633# (*#engmode#), see
the internal software version with *#8375# (*#ver5#), and yes, it's a
different screen than what you get on the traditional Nokia's *#0000#, you
can also enter a hardware test menu with *#15963#, or run quick tests with
*#8378# or stress tests with *#87#. Again, I found all this without being
able to fully analyze the firmware dump, but this was already enough for
me to realize this firmware is much, much closer to the vanilla MAUI than
any of its predecessors.

I didn't, however, find the *#15963# code randomly. The phone had a hidden
clue where to start looking for it. But what I found is something more.
Any MAUI firmware version string, as you might know, contains a hardware
revision substring. Usually it's an alphanumeric board identifier followed
by the last three characters of the chipset model and then some other data
after underscores. If you don't have a way to view this information via
codes (which I initially didn't have), you can use various options for
AT+EGMR subcommand. I ran the subcommand to get the board ID (AT+EGMR=0,4)
and I saw the following string there: SAGETEL61D_11C_HW. This tells us
that the chipset inside is indeed MT6261D and this is the revision 11C of
the board codenamed SAGETEL. In fact, if we run an Internet search on the
complete string, we can already find the device this board had already
been used in: Itel IT2160, a barphone from Transsion released in ca. 2018.
Of course, only the board is common with this Nokia but this inspired me
to download some firmware for this IT2160 (which, of course, wasn't
encrypted) and check for some codes from there. And, bizarrely enough,
*#15963# was the only new code that actually fit my 130-2023.

So, we have pure-MAUI secret codes for version, engineering and test menus
for this phone (and I'm pretty sure they are the same for 150-2023 too).
The main mystery, however, remains unsolved: are the IMEIs here editable
in any way?

Well, my first thought would be to go the traditional AT command route (by
the way, yes, you have to sacrifice the USB storage mode if you set the PS
config to USB in the respective engineering menu setting). So I tried
AT+EGMR with corresponding parameters (AT+EGMR=1,7,"[new_imei]" for SIM1
and AT+EGMR=1,10,"[new_imei]" for SIM2) but got "CME ERROR: unknown" in
both cases, while the read commands (AT+EGMR=0,7 and AT+EGMR=0,10
respectively) do work fine. In the Vietnamese MediaTek-based Nokias
though, the write commands worked too but the result was ignored due to
the NVRAM protection. Here, it just looks like it was disabled on the AT
command processor level; whether or not protection is still there, I don't
really know. Not gonna lie, if I find a working code for this, it will
become my favorite post-2013 Nokia. For now, I'm stuck.

There is, however, some hope based on what I have seen with *another*
NVRAM field in the same area: PSN. PSN (product serial number) is Nokia's
name for the internal serial number that all phones like this have, be
they on MediaTek or Unisoc. It's assigned fully independently of IMEIs
and, in the case of MediaTek, can be accessed with AT+EGMR command too
under the field #5: AT+EGMR=0,5 for reading and AT+EGMR=1,5,"[new_sn]" for
writing. The biggest problem, however, is that the PSN itself takes 25
characters, but the NVRAM field for it reserves 63 bytes and it actually
is padded with whitespaces and ends with the "10P" substring that's not a
part of the serial number per se. But that's not all: it turns out that
AT+EGMR command itself doesn't check the input length for this field, so
if you don't include the padding, you can easily misalign all the
subsequent NVRAM fields and mess up all calibration until you enter a
63-character long PSN. And guess what: this field is actually editable and
unprotected in this Nokia.
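
Added example (not part of the original post, and not MediaTek's or
Nokia's code): a toy C model of the missing length check described above,
next to the check a write handler would need to keep later fields aligned.
The 63/25/"10P" layout is taken from the description above; the 4-byte
field after the PSN, the function names and the sample serial are
constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PSN_FIELD  63   /* bytes reserved for the field (from the post) */
#define PSN_SERIAL 25   /* length of the serial itself (from the post) */
#define NEXT_LEN    4   /* hypothetical fixed-length field stored after it */

/* Valid only if it fills the field: 25 printable non-space characters,
   space padding, then the "10P" trailer (layout assumed from the post). */
int psn_valid(const char *v) {
    size_t i;
    if (strlen(v) != PSN_FIELD) return 0;
    for (i = 0; i < PSN_SERIAL; i++)
        if (v[i] <= ' ' || v[i] > '~') return 0;
    for (; i < PSN_FIELD - 3; i++)
        if (v[i] != ' ') return 0;
    return memcmp(v + PSN_FIELD - 3, "10P", 3) == 0;
}

/* Toy write handler. checked=0 models the behaviour described (any length
   is stored); checked=1 is the hardened form. The next field is packed
   right behind the stored string, but readers expect it at PSN_FIELD.
   Returns -1 rejected, 0 stored but misaligned, 1 stored and aligned. */
int try_write(int checked, const char *v) {
    static const unsigned char next[NEXT_LEN] = {0xDE, 0xAD, 0xBE, 0xEF};
    unsigned char img[PSN_FIELD + NEXT_LEN] = {0};
    size_t n = strlen(v);
    if (checked && !psn_valid(v)) return -1;
    if (n > PSN_FIELD) n = PSN_FIELD;   /* keep the toy inside its buffer */
    memcpy(img, v, n);
    memcpy(img + n, next, NEXT_LEN);
    return memcmp(img + PSN_FIELD, next, NEXT_LEN) == 0;
}

/* Constructed sample value: 25-character serial, 35 spaces, "10P". */
const char *sample_psn(void) {
    static char s[PSN_FIELD + 1];   /* static storage, so s[63] stays '\0' */
    memset(s, ' ', PSN_FIELD);
    memcpy(s, "CONSTRUCTEDSERIAL00000001", PSN_SERIAL);
    memcpy(s + PSN_FIELD - 3, "10P", 3);
    return s;
}

int main(void) {
    const char *bare = "CONSTRUCTEDSERIAL00000001";   /* serial, no padding */
    printf("unchecked, bare:   %d\n", try_write(0, bare));
    printf("checked, bare:     %d\n", try_write(1, bare));
    printf("checked, padded:   %d\n", try_write(1, sample_psn()));
    return 0;
}
```
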
So, in theory, by manipulating its contents, we could manipulate all
fixed-length fields/files that come after PSN in that area. But that's
something that has yet to be investigated. For now, the IMEI question
remains open.

From the normal user's perspective, some very strange decisions had been
made there as well. For instance, this phone has absolutely no way of
viewing images from the SD card and absolutely no way of setting them as
wallpapers. I didn't use any of the previous iterations of 130 and can't
say whether or not this is the case for them, but to me it sounds most
illogical. Luckily, there are 6 pre-installed wallpapers, but what's the
reason to limit the choice if you definitely allow setting your own
ringtones here? Although this is a strange one too — you can't do this
from the profile or general tone settings, only from the SD file manager
itself. Same for message and alarm tone customization.

In the mass storage connection mode, the phone gets identified as
"0e8d:0002 MediaTek Inc. phone (mass storage mode) [Doro Primo 413]". They
didn't even try to conceal anything at this point. But I also had trouble
connecting *just to this Nokia* in the Mass Storage mode from my Arch
Linux (Garuda), until I found out I had to comment out the following line
in /lib/udev/rules.d/40-usb_modeswitch.rules file:

    ATTR{idVendor}=="0e8d", ATTR{idProduct}=="0002", RUN+="usb_modeswitch '/%k'"

After that, everything went smoothly. Except, of course, the transfer
itself being extremely slow. If you have a card reader and have a large
amount of music to move, it will be your best bet. And, besides music (+
custom ringtones and audio recordings), there's pretty much nothing else
you can use the SD card for in this phone (yes, even the phonebook VCard
backup is scrapped).

The player, by the way, is marketed as the central feature of this 130 and
can be quickly entered by long-pressing the central D-pad key.
On the first run, it scans the entire card for music files and generates
the @Playlists/audio_play_list.sal file, whose format matches the one I
described in my MAUI knowledge base ([1]). It also creates some temporary
copy of this file's previous version, audio_play_list.sal.tmp, and the
MyFav.sal playlist file that reflects your "Favorites" player selection.
As far as I have seen, the format of MyFav.sal is exactly the same, with
the only visible difference being that the "Favorites" entries end with
the 01 00 bytes instead of 00 00 bytes in both audio_play_list.sal and
MyFav.sal files.

Out of all this, what conclusions can I make? Is this really the end of
the epoch for Nokia featurephones? Not quite yet, but it is very close to
that. I mean, it still is a genuine Nokia, cased into very hard
polycarbonate plastic, having some IP52 dustproof rating, booting
extremely fast, offering good sound capabilities and (I suppose) not
having any trojans in its firmware. But in terms of how this firmware
differs from all other China-originated phones (and we see proof that the
hardware literally is the same as one of them), the difference is almost
non-existent now. And the only thing that globally keeps this firmware
from being fully identical is not the S30+ UI on top of MAUI, it is the
uncertainty about whether or not boxless/dongle-less IMEI editing is
possible here. That's why my research in this area needs to continue,
regardless of how long the pause has been.

--- Luxferre ---

[1]: gopher://hoi.st:70/0/docs/own/maui-kb-mt6261.txt