My phone operator identified the brand and model of my new handset. HOW?

Hi everyone,
I purchased a Fairphone 5 at Murena a few months ago, just plugged in my SIM card and off I went for my first /e/OS experience.
I never connected to the Play Store so far (only to F-Droid), meaning I didn’t install the customer app of my operator. I also never connected to my operator’s web site from my mobile (only from my GNU/Linux PC).
Despite all this… I discovered weeks later that my operator is well aware of my new handset (brand and model)!
How is this - technically - possible??

Side note: I was assuming /e/OS would protect me from such disclosure of hardware details, but the facts proved the contrary. Not a big deal after all… but a huge surprise :confused:

One guess: your handset sends a User-Agent string within IMS registration (that is the stack that lets you do HD voice calls, aka VoLTE). It’s SIP basically; like with your browser, it’s a header field you send (example). It gives operators the option to do custom things for handsets, either deny something or support some subset of x. Some of it is embedded in the modem partition (I think, for most devices?).

There are also the carrier services “com.google.android.ims” for APN configs that /e/ hasn’t removed I think. Could’ve been a first-time SIM card enroll sending that user-agent in the first place. Some ROMs remove that package. But even with the package gone I think the operator has means to see that user-agent later.

3 Likes

Thanks a lot @tcecyk :green_heart:
Thinking about it, I guess that spoofing the IMS User Agent string could lead to some undesired side effects (like removing support for some functionality, that the real handset does however support).
OK :slightly_smiling_face:

It wouldn’t hurt if you spoofed the User-Agent to some common denominator per SoC. If you built your own device image you could probably make out the location where it gets declared. For a project targeting many devices that seems very hard.

For one, carriers want to control network members, but the user-agent in aggregate helps them to know when they can start to obsolete legacy tech without angering customers and see incompatibilities.

I’m not a fan of carrier tech, as it deprecates handsets earlier than necessary and keeps you from using capabilities that weren’t there yet when the phone got released, but that is the industry.

There isn’t a fully baked opensource IMS client and dialer yet (PoC type code - phh speculates Google will bring this into AOSP within 2 years).

2 Likes

The carrier automatically gets the IMEI of the device just by virtue of its being present on their network. Any IMEI is unique to an OEM and model. All phones have an IMEI.

It’s how your carrier knows your phone is “qualified” technologically to use their network.

4 Likes

uh yes, it’s likely the first few digits of the IMEI (the TAC part). I’m too quick to rant on anything IMS.

2 Likes

Thank you @Taurus!
As @tcecyk wrote afterwards, the TAC part of the IMEI should provide information about the device manufacturer and model. Out of curiosity, I would have liked to know what information my TAC (35521450) holds exactly, but I didn’t find any decent (or trustworthy) online tool to decode it. Never mind :slightly_smiling_face:

I really appreciated all your answers, very instructive. Thanks again!

2 Likes

Gave this one a try, using a testing device: https://imeicheck.com/imei-tac-database-info/

2 Likes

See: https://en.wikipedia.org/wiki/Imei#Structure_of_the_IMEI_and_IMEISV_(IMEI_software_version)

By the way, my mobile service provider shows my IMEI directly in my online account, and if I move the SIM card to a different phone, the IMEI displayed in the account also changes to the new phone’s IMEI. They may even list all IMEIs I’ve used with the SIM in my account, but it’s been a while since I looked, so I could be mistaken. The brand and model number for the IMEIs is shown also.

1 Like

TAC checks out here: https://www.imei.info/?imei=355214509999999 - the last digit 9 is a checksum used to make it valid, and the other nines leading up to the last digit are the ID identifying you within the model… so every 1M-1 units sold a manufacturer has to introduce a new TAC. The FP5 manufacturer+model number has the funny quirk that any same-digit serial number will result in the same checksum digit, hehe

2 Likes
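To make the IMEI structure discussed in the two posts above concrete, here is a small Python example (added here; it is not code from the thread, from Fairphone or from any IMEI database). It splits a 15-digit IMEI into TAC, serial number and check digit, computes the Luhn check digit, validates an IMEI, and tabulates the check digit for every repeated-digit serial under the TAC 35521450 quoted above, so the "same-digit serial" quirk can be checked for all ten digits. The only data it uses is that TAC and serials it constructs itself; it does not decode the TAC into a brand and model, since that requires a TAC database the page does not provide.

```python
"""IMEI layout and Luhn check digit (added example, not from the original thread).

An IMEI has 15 digits:
    TAC (8 digits) | serial number (6 digits) | Luhn check digit (1 digit)
The TAC identifies manufacturer and model; the serial distinguishes units
within that TAC; the check digit only guards against typos.  (IMEISV is
TAC + serial + a 2-digit software version number and has no check digit.)
"""

# TAC from the thread above; every serial below is constructed for this example.
FP5_TAC = "35521450"


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a digit string that excludes the check digit.

    Walking from the right, the digit adjacent to the (future) check digit is
    doubled, then every second digit after that; doubled values above 9 have
    9 subtracted (equivalent to summing their digits).
    """
    if not payload.isdigit():
        raise ValueError("payload must contain digits only")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(imei: str) -> bool:
    """True if imei is 15 digits and its last digit is the correct Luhn check digit."""
    return len(imei) == 15 and imei.isdigit() and luhn_check_digit(imei[:14]) == int(imei[14])


def split_imei(imei: str) -> dict:
    """Split a valid IMEI into its fields; raises ValueError on a bad check digit."""
    if not is_valid_imei(imei):
        raise ValueError(f"not a valid IMEI: {imei!r}")
    return {
        "tac": imei[:8],                 # manufacturer + model allocation
        "reporting_body": imei[:2],      # first two TAC digits: allocating body
        "serial": imei[8:14],            # unit within the TAC
        "check_digit": int(imei[14]),
    }


def make_imei(tac: str, serial: str) -> str:
    """Build a full IMEI from an 8-digit TAC and 6-digit serial by appending the check digit."""
    if len(tac) != 8 or len(serial) != 6:
        raise ValueError("TAC must be 8 digits and serial 6 digits")
    payload = tac + serial
    return payload + str(luhn_check_digit(payload))


def repeated_serial_check_digits(tac: str) -> dict:
    """Map each digit d to the check digit of TAC + 'dddddd' (for checking the quirk above)."""
    return {d: luhn_check_digit(tac + str(d) * 6) for d in range(10)}


if __name__ == "__main__":
    imei = make_imei(FP5_TAC, "999999")
    print(imei, split_imei(imei))
    for digit, check in repeated_serial_check_digits(FP5_TAC).items():
        print(f"serial {str(digit) * 6} -> check digit {check}")
```

Running it reproduces the 355214509999999 value from the post above and prints the check digit for each of the ten repeated-digit serials, which is the quickest way to see for which digits the observed quirk holds.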
