I’ve been digging into something odd — wanted to share for awareness and get expert input
I’ve been digging into something odd and wanted to share for awareness, plus get thoughts from people who understand modem/NV/EFS internals better.
Context (Pakistan)
- PTA (Pakistan Telecom Authority) imposes very high taxes on phones not officially sold here (sometimes 2× the price).
- If a device’s IMEI isn’t registered, the SIM can’t connect to telecom towers — calls, SMS, and data are blocked.
- Since Pixels (and some OnePlus, Sony, etc.) aren’t officially sold here, importers often spoof IMEIs to dodge these taxes.
- Typically they overwrite the IMEI with those from cheap “bar phones” that don’t even show up in global databases — just local burner-phone IMEIs already registered in the PTA database.
This has become a commercial service: for ~$2, sellers offer “permanent” IMEI spoofing and even ask if you want a specific IMEI patched in. They call this method the CPID method — not sure if sellers even know what that means.
Evolution of Spoofing
- Earlier methods: crude root-based patches that got removed after reset/update so users would realize the IMEI was tampered.
- Present methods: persistent spoofing, where both IMEI and serial are replaced at the root level. The original IMEI is unrecoverable unless recorded beforehand, or seen from the SIM jacket, or verified online from platforms like iUnlocker.
The Android 16 BP3A Update Issue
After the Google Android 16 QPR1/BP3A update dropped, IMEIs on CPID (IMEI-spoofed/tampered) phones started showing as 000000000000000, breaking SIM use. Many users reported this to Google (issue link), but it only affects tampered devices, so don’t expect a fix.
Workaround: sideload the radio.img from Android 16 BP2A → restores SIM function, but you lose the modem security patches included in the BP3A radio image. See the September 2025 security bulletin for details (many modem CVEs).
This was a shock to many users since they didn’t know their phone’s IMEI was tampered — they would have thought it was an officially registered phone with taxes paid.
My Test
Out of curiosity, I tested GrapheneOS on a tampered IMEI phone. I bought a CPID (IMEI-spoofed) Pixel 6A and tried:
- Stock Google Android 16 BP3A + BP2A radio.img → works, though you lose the BP3A modem CVE patches. More details here
- Latest GrapheneOS (bluejay 2025091000) + BP2A radio.img → also works, bootloader locked, spoofed IDs still present.
Why I’m Concerned
GrapheneOS (and stock Pixel builds) don’t detect tampered IMEIs/serials. A spoofed device can appear “locked and clean.” If Android 16 BP3A hadn’t broken IMEIs on tampered phones, users wouldn’t even have found out their IMEIs were tampered.
IMEI spoofing requires root/modem access. It raises the question: are sellers only altering NV/EFS storage, or could they also leave persistent code/backdoors? Hard to know without deep forensics.
Buyers of used Pixels may assume “locked bootloader + GOS = safe,” but if hardware IDs are already modified, that assumption is shaky. Is this anything to be concerned about? Or, even with changed hardware identifiers, is the device not compromised since those areas don’t directly communicate with the internet — that only happens via the OS?
Questions
- In practice, is IMEI spoofing usually limited to NV/EFS writes, or does it often involve deeper modem/firmware modification?
- What are the most reliable checks to confirm whether a Pixel has been tampered with at the NV/modem/EFS level?
- Short of full forensic analysis, is there a realistic checklist buyers can use to ensure a used Pixel is clean?
Closing
I’m not trying to alarm anyone — just pointing out that in markets like Pakistan, persistent IMEI spoofing is a widespread service, not a rare hack. I mean, I could find these tools myself.
Would really appreciate input from anyone with experience in modem/NV security or low-level Pixel internals.
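One concrete, offline checklist item for the questions above, as an added example that is not part of the original post: sanity-check the IMEI a phone reports (Settings > About phone, or *#06#) for the zeroed value described above, for a broken Luhn check digit, and against the IMEI recorded on the box or SIM jacket. The IMEIs used below are constructed, and this is only a first filter, not a substitute for modem/EFS forensics.

```python
# Added example (not from the original post): offline sanity checks on the IMEI a
# phone reports, before trusting that the device is untampered. All IMEIs here are
# constructed sample values.
import re
from typing import Optional

# Value the post reports on BP3A after the modem stops accepting a spoofed IMEI.
ZERO_IMEI = "000000000000000"


def luhn_valid(imei: str) -> bool:
    """True if `imei` is 15 digits with a correct Luhn check digit (last digit)."""
    if not re.fullmatch(r"\d{15}", imei):
        return False
    total = 0
    # Walk from the right: the check digit is taken as-is, every second digit
    # to its left is doubled (with digit-sum folding), and the total must be 0 mod 10.
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_imei(reported: str, recorded: Optional[str] = None) -> dict:
    """Classify the IMEI a phone reports.

    `recorded` is the IMEI noted before purchase (box label, SIM jacket, a
    lookup service), if available. Note that the all-zero IMEI passes the Luhn
    test, so the zeroed case must be checked explicitly and first.
    """
    findings = []
    if reported == ZERO_IMEI:
        findings.append("zeroed IMEI: modem lost/rejected its identity (BP3A symptom)")
    elif not luhn_valid(reported):
        findings.append("malformed IMEI: not 15 digits or bad Luhn check digit")
    if recorded is not None and reported != recorded:
        findings.append("reported IMEI differs from the recorded/box IMEI")
    return {"imei": reported, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed sample: a well-formed IMEI, the same IMEI with a bad check
    # digit, and the zeroed IMEI from the post.
    for sample in ("350000001234562", "350000001234563", ZERO_IMEI):
        print(check_imei(sample, recorded="350000001234562"))
```

A mismatch or a zeroed value is a reason to walk away from a used device; a clean result only means the reported value is self-consistent, not that NV/EFS was never written.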