Uap2105 » History » Version 20

tsaitgaist, 02/19/2016 10:48 PM
add uap firmware versions

[[PageOutline]]
The Huawei UAP2105 is a UMTS femtocell.

= Support =

This product has been [[http://www1.huawei.com/en/ProductsLifecycle/RadioAccessProducts/small-cell/hw-331134.htm|EOL/deprecated]]:
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105766-productlifecycleannouncement.htm|UAP2105]] (2011-12-20)
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105768-productlifecycleannouncement.htm|UAP2105C01]] (2011-12-20)
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105771-productlifecycleannouncement.htm|UAP2105C01 V300R011]] (2011-12-20)
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-112035-productlifecycleannouncement.htm|UAP2105C01 V300R011]] (2011-12-30)
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-145907.htm|UAP2105C01 V300R012]] (2012-06-19)

= Hardware =

main board (QWG1SUAP VER C), front:
  * CPU (ARM based + integrated UMTS base station baseband): [[http://support.hisilicon.com/support/ServiceSupNav!getAllProductListByKeyword?mid=PRODUCT_SUPPORT&keyword=SD6121|HiSilicon SD6121RBC]]
  * 1Gb DDR2 RAM: [[http://www.samsung.com/global/business/semiconductor/file/2011/product/2010/1/19/130882ds_k4t1gxx4qe_industrial_rev13.pdf|Samsung K4T1G164QE-HCE6]]
  * 10/100 Base-T transformer: [[http://www.digchip.com/datasheets/download_datasheet.php?id=5503979&part-number=000-7112-35|Wurth Electronics Midcom 7112-35-H]]
  * 10/100 Base-T transceiver: [[https://www.broadcom.com/collateral/pb/5241-PB01-R.pdf|Broadcom BCM5241]]
  * AND-gate: [[https://www.fairchildsemi.com/datasheets/74/74LCX08.pdf|Fairchild 74LCX08]]
  * 3V voltage monitor: [[https://datasheets.maximintegrated.com/en/ds/MAX706AP-MAX708T.pdf|Maxim MAX708S]]
  * low dropout regulator: [[http://www.ti.com/lit/gpn/TPS737|Texas Instruments TPS73701]]
  * step-down DC-DC converter: [[http://www.ti.com/lit/ds/symlink/tps54331.pdf|Texas Instruments TPS54331]]

main board (QWG1SUAP VER C), back:
  * 256Mb NOR flash: [[http://www.spansion.com/Support/Related%20Product%20Info/S29GL256N_overview.pdf|Spansion S29GL256N10TFI01]]
  * 16-bit transceiver: [[http://www.nxp.com/documents/data_sheet/74LVT_LVTH16245B.pdf|NXP LVT16245B]]
  * ESD TVS diode array: [[http://www.semtech.com/images/datasheet/slvu2.8-4.pdf|Semtech SLVU2.8-4]]

radio board (QWG1SRM1 VER B):
  * low dropout regulator: [[http://www.ti.com/lit/gpn/TPS737|Texas Instruments TPS73701]]
  * base station transmitter: [[https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2599.html|Maxim MAX2599]]
  * base station receiver: [[https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2547.html|Maxim MAX2547]]
  * GSM baseband: [[http://read.pudn.com/downloads152/ebook/667710/t3031_Datasheet_V1.6.pdf|Texas Instruments T303IFZPH]]
  * 16Mb CMOS flash: [[https://www.spansion.com/Support/Obsolescence%20Notifications/2749.pdf|Spansion S29NS016J0LBJW00]]
  * CPU?: Texas Instruments D6928BB

== connectors ==

debug connector:
||= signal/state =||= pin =||= pin =||= signal/state =||
|| low || 1 || 2 || pulse ||
|| TX?/high || 3 || 4 || GND ||
|| RX?/high || 5 || 6 || low ||
|| low || 7 || 8 || low ||
|| TCK?/low || 9 || 10 || pulse ||
|| GND || 11 || 12 || GND ||
|| high || 13 || 14 || high ||
|| GND || 15 || 16 || GND ||
|| TDI?/high || 17 || 18 || pulse ||
|| TRST?/low || 19 || 20 || TDO?/low ||
|| high || 21 || 22 || TMS?/high ||
|| low || 23 || 24 || low ||
|| low || 25 || 26 || low ||
||||||||  DEBUG  ||

mode connector (use a jumper to select):
||= state =||= pin =||= pin =||= signal =||= mode =||
|| high || 1 || 2 || GND || WDGEN ||
|| low || 3 || 4 || GND || BOOTMODE ||
|| high || 5 || 6 || GND || JTAGMODE0 ||
|| high || 7 || 8 || GND || JTAGMODE1 ||
|| high || 9 || 10 || GND || RUNMODE ||
||||||||||  MODE  ||

== UAP1 ==

The operator it was bought from is Vodafone Greece.
The board date is 1023.

[[Image(femto1-case_front.jpg,200px)]]
[[Image(femto1-case_back-blur.jpg,200px)]]
[[Image(femto1-board_front-blur.jpg,200px)]]
[[Image(femto1-board_back-blur.jpg,200px)]]
[[Image(femto1-rf_front-blur.jpg,200px)]]
[[Image(femto1-rf_front-naked-blur.jpg,200px)]]
[[Image(femto1-rf_back-blur.jpg,200px)]]
[[Image(femto1-rf_back-naked-blur.jpg,200px)]]

== UAP2 ==

The operator it was bought from is Vodafone Spain.
The board date is 1201.

This board has more shielding cans.

[[Image(uap2-board_front-blur.jpg,200px)]]
[[Image(uap2-board_back-blur.jpg,200px)]]
[[Image(uap2-rf_front-blur.jpg,200px)]]
[[Image(uap2-rf_back-blur.jpg,200px)]]

= Rooting =

How to root this device and intercept its communication was shown in August 2015 in the [[https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun|Adventures in Femtoland: 350 Yuan for Invaluable Fun]] presentation ([[http://www.slideshare.net/arbitrarycode/adventures-in-femtoland-350-yuan-for-invaluable-fun|slides]], [[https://www.youtube.com/watch?v=U-COwT7dwWg|video]]).

This issue has been [[http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-446728.htm|analyzed]] and [[http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-452865.htm|fixed]] by the vendor.

== UAP1 ==

firmware version: QWGM3SUAP4 V300R011C00 SPC173

debug port:
 * UART not found on the pins described in the slides (all modes)
 * no UART identified using JTAGulator (all modes)
 * JTAG not found on the pins described in the slides (all modes)
 * no JTAG identified using JTAGulator IDCODE and BYPASS scans (all modes)

boot process (all modes):
 1. red and blue LEDs on for 7 s
 1. ethernet link on
 1. red and blue LEDs on for 9 s
 1. ethernet link off
 1. red and blue LEDs on for 2 s
 1. ethernet link on
 1. red and blue LEDs on for 12 s
 1. red LED on for 23 s
 1. red and blue LEDs on for 2 s
 1. LEDs off for 0.1 s
 1. red and blue LEDs on for 5 s
 1. red LED on

network ports:
 * the first time the link is on, only UDP port 17185 on the fixed IP 172.16.1.1 is open, apparently providing the wdbrpc service:
{{{
sudo nmap -n -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:47 CET
Nmap scan report for 172.16.1.1
Host is up (0.0030s latency).
PORT      STATE  SERVICE VERSION
...
17185/udp open   wdbrpc?
}}}
 * the second time the link is on, all scanned ports are closed or filtered:
{{{
sudo nmap -n -A -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:53 CET
Nmap scan report for 172.16.1.1
Host is up (0.0019s latency).
PORT      STATE    SERVICE VERSION
21/tcp    closed   ftp
23/tcp    closed   telnet
80/tcp    filtered http
6000/tcp  filtered X11
6006/tcp  filtered X11:6
7547/tcp  filtered unknown
17185/tcp closed   unknown
}}}

== UAP2 ==

firmware version: QWGM3SUAP4 V300R011C02 SPC182

debug port:
 * UART not found on the pins described in the slides (all modes)
 * JTAG not found on the pins described in the slides (all modes)
 * no JTAG identified using JTAGulator IDCODE scan (all modes)

boot process (all modes):
 1. red and blue LEDs on for 7 s
 1. ethernet link on
 1. red and blue LEDs on for 14 s
 1. ethernet link off
 1. red and blue LEDs on for 2 s
 1. ethernet link on
 1. red and blue LEDs on for 1 s
 1. ethernet link off
 1. red and blue LEDs on for 2 s
 1. ethernet link on
 1. red and blue LEDs on for 8 s
 1. red and blue LEDs on for 25 s
 1. red and blue LEDs on for 2 s
 1. LEDs off for 0.5 s
 1. red and blue LEDs on for 3 s
 1. 6x LEDs off for 2 s
 1. 6x red and blue LEDs on for 2 s
 1. red LED on

network ports:
 * the first time the link is on, no ports are open on IP 172.16.1.1 (unlike UAP1, where the wdbrpc service was reachable)
 * the second time the link is on, only TCP port 80 is open, serving HTTP:
{{{
Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-25 21:56 CET
Nmap scan report for 172.16.1.1
Host is up (0.0014s latency).
PORT      STATE    SERVICE VERSION
...
80/tcp    open     http    GoAhead-Webs httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
| http-title: User Login
|_Requested resource was http://172.16.1.1/index.htm
...
}}}
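A small triage helper, added here as an example and not part of this wiki page, that parses the nmap output quoted in the UAP1 and UAP2 network-port sections above (embedded as constructed samples) and reports which scanned services are actually reachable, and which reachable ports disappear between the first and second link-up; the labelling of 17185/udp as the VxWorks WDB debug agent is my assumption, not a statement from the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples, condensed from the nmap runs quoted on this page (UAP1 first/second link-up, UAP2 second).
UAP1_FIRST_LINK = """\
PORT      STATE  SERVICE VERSION
17185/udp open   wdbrpc?
"""
UAP1_SECOND_LINK = """\
PORT      STATE    SERVICE VERSION
21/tcp    closed   ftp
23/tcp    closed   telnet
80/tcp    filtered http
6000/tcp  filtered X11
6006/tcp  filtered X11:6
7547/tcp  filtered unknown
17185/tcp closed   unknown
"""
UAP2_SECOND_LINK = """\
PORT      STATE    SERVICE VERSION
80/tcp    open     http    GoAhead-Webs httpd
"""

# One nmap normal-output port line, e.g. "17185/udp open   wdbrpc?" (header and "..." lines do not match)
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)")
# Assumed labels: 17185/udp (wdbrpc) is the VxWorks WDB target-debug agent, which has no authentication.
DEBUG_SERVICES = {("17185", "udp"): "VxWorks WDB debug agent (wdbrpc)", ("23", "tcp"): "telnet"}

def parse_scan(text: str) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Map (port, proto) -> (state, service) for every port line in the output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
    return ports

def exposed(text: str) -> List[str]:
    """Findings for ports nmap reports as open; closed and filtered ports are not reachable."""
    found = []
    for (num, proto), (state, service) in sorted(parse_scan(text).items(), key=lambda kv: int(kv[0][0])):
        if state == "open":
            found.append(f"{num}/{proto} open: {DEBUG_SERVICES.get((num, proto), service)}")
    return found

def open_port_diff(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (ports open only before, ports open only after) as 'num/proto' strings."""
    open_in = lambda text: {f"{n}/{p}" for (n, p), (st, _) in parse_scan(text).items() if st == "open"}
    a, b = open_in(before), open_in(after)
    return sorted(a - b), sorted(b - a)
```

Running `exposed(UAP1_FIRST_LINK)` flags the debug agent on the first link-up, and `open_port_diff(UAP1_FIRST_LINK, UAP1_SECOND_LINK)` shows it is the only reachable port that goes away afterwards.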