Project

General

Profile

Actions

Uap2105 » History » Revision 24

« Previous | Revision 24/26 (diff) | Next »
tsaitgaist, 02/25/2016 09:14 AM
add UAP3 pictures


The Huawei UAP2105 is a UMTS femtocell.

Support

This product has been EOL/deprecated:

Hardware

main board (QWG1SUAP VER C), front: main board (QWG1SUAP VER C), back: radio board (QWG1SRM1 VER B):

connectors

debug connector:
signal/state pin pin signal/state
low 1 2 pulse
TX?/high 3 4 GND
RX?/high 5 6 low
low 7 8 low
TCK?/low 9 10 pulse
GND 11 12 GND
high 13 14 high
GND 15 16 GND
TDI?/high 17 18 pulse
TRST?/low 19 20 TDO?/low
high 21 22 TMS?/high
low 23 24 low
low 25 26 low
DEBUG
mode connector (use jumper to select):
state pin pin signal mode
high 1 2 GND WDGEN
low 3 4 GND BOOTMODE
high 5 6 GND JTAGMODE0
high 7 8 GND JTAGMODE1
high 9 10 GND RUNMODE
MODE

UAP1

The operator where it was bought from is Vodafone Greece.
The board date is 1023.

femto1-case_front.jpg femto1-case_back-blur.jpg femto1-board_front-blur.jpg femto1-board_back-blur.jpg femto1-rf_front-blur.jpg femto1-rf_front-naked-blur.jpg femto1-rf_back-blur.jpg femto1-rf_back-naked-blur.jpg

UAP2

The operator where it was bought from is Vodafone Spain.
The board date is 1201.

This board has more shielding cans.

uap2-board_front-blur.jpg uap2-board_back-blur.jpg uap2-rf_front-blur.jpg uap2-rf_back-blur.jpg

UAP3

This femtocell was baught directly in china and is not operator branded.
The board date is 1215.

This femtocell even has a power button on the case.

uap3-box-front.jpg uap3-box-back-blur.jpg uap3-board_main-front-blur.jpg uap3-board_main-front-naked-blur.jpg uap3-board_main-back-blur.jpg uap3-board_rf-front.jpg uap3-board_rf-front-naked.jpg uap3-board_rf-back-blur.jpg uap3-board_rf-back-naked-blur.jpg

Rooting

How to root this device and intercept communication has been shown in August 2015 at the in Femtoland 350 Yuan for Invaluable Fun presentation (slides, video).

This issue has been analysed and fixed by the vendor.

UAP1

firmware version: QWGM3SUAP4 V300R011C00 SPC173

debug port:
  • UART not found on pins described in slides (all modes)
  • no UART identified using JTAGulator (all modes)
  • JTAG not found on pins described in slides (all modes)
  • no JTAG identified using JTAGulator, using id code and bypass scans (all modes)
boot process (all modes):
  1. red and blue LEDs on for 7 s
  2. ethernet link on
  3. red and blue LEDs on for 9 s
  4. ethernet link off
  5. red and blue LEDs on for 2 s
  6. ethernet link on
  7. red and blue LEDs on for 12 s
  8. red LED on for 23 s
  9. red and blue LEDs on for 2 s
  10. LEDs off for 0.1 s
  11. red and blue LEDs on for 5 s
  12. red LED on
network ports:
  • the first time the link is on, only UDP port 17185 on fixed IP 172.16.1.1 is open, apparently providing wdbrpc service:
    sudo nmap -n -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:47 CET
    Nmap scan report for 172.16.1.1
    Host is up (0.0030s latency).
    PORT      STATE  SERVICE VERSION
    ...
    17185/udp open   wdbrpc?
    
  • the second time the link is on, all ports are blocked/filtered:
    sudo nmap -n -A -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:53 CET
    Nmap scan report for 172.16.1.1
    Host is up (0.0019s latency).
    PORT      STATE    SERVICE VERSION
    21/tcp    closed   ftp
    23/tcp    closed   telnet
    80/tcp    filtered http
    6000/tcp  filtered X11
    6006/tcp  filtered X11:6
    7547/tcp  filtered unknown
    17185/tcp closed   unknown
    

UAP2

firmware version: QWGM3SUAP4 V300R011C02 SPC182

debug port:
  • UART not found on pins described in slides (all modes)
  • JTAG not found on pins described in slides (all modes)
  • no JTAG identified using JTAGulator, using id code scan (all modes)
boot process (all modes):
  1. red and blue LEDs on for 7 s
  2. ethernet link on
  3. red and blue LEDs on for 14 s
  4. ethernet link off
  5. red and blue LEDs on for 2 s
  6. ethernet link on
  7. red and blue LEDs on for 1 s
  8. ethernet link off
  9. red and blue LEDs on for 2 s
  10. ethernet link on
  11. red and blue LEDs on for 8 s
  12. red and blue LEDs on for 25 s
  13. red and blue LEDs on for 2 s
  14. LEDs off for 0.5 s
  15. red and blue LEDs on for 3 s
  16. 6x LEDs off for 2 s
  17. 6x red and blue LEDs on for 2 s
  18. red LED on
network ports:
  • the first time the link is on no ports are open on IP 172.16.1.1 (compared to UAP1 for wdbrpc service):
  • the second time the link is on, only TCP port 80 is open an there is an HTTP service
    Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-25 21:56 CET
    Nmap scan report for 172.16.1.1
    Host is up (0.0014s latency).
    PORT      STATE    SERVICE VERSION
    ...
    80/tcp    open     http    [[GoAhead]]-Webs httpd
    |_http-methods: No Allow or Public header in OPTIONS response (status code 400)
    | http-title: User Login
    |_Requested resource was http://172.16.1.1/index.htm
    ...
    
Files (32)
femto1-board_back-blur.jpg View femto1-board_back-blur.jpg 586 KB tsaitgaist, 11/27/2015 11:51 AM
femto1-board_front-blur.jpg View femto1-board_front-blur.jpg 655 KB tsaitgaist, 11/27/2015 11:51 AM
femto1-case_back-blur.jpg View femto1-case_back-blur.jpg 166 KB tsaitgaist, 11/27/2015 11:52 AM
femto1-case_front.jpg View femto1-case_front.jpg 54.1 KB tsaitgaist, 11/27/2015 11:52 AM
femto1-rf_back-blur.jpg View femto1-rf_back-blur.jpg 458 KB tsaitgaist, 11/27/2015 11:52 AM
femto1-rf_back-naked-blur.jpg View femto1-rf_back-naked-blur.jpg 373 KB tsaitgaist, 11/27/2015 11:52 AM
femto1-rf_front-blur.jpg View femto1-rf_front-blur.jpg 446 KB tsaitgaist, 11/27/2015 11:53 AM
femto1-rf_front-naked-blur.jpg View femto1-rf_front-naked-blur.jpg 542 KB tsaitgaist, 11/27/2015 11:53 AM
uap2-board_back-blur.jpg View uap2-board_back-blur.jpg 555 KB tsaitgaist, 11/27/2015 12:06 PM
uap2-board_front-blur.jpg View uap2-board_front-blur.jpg 598 KB tsaitgaist, 11/27/2015 12:06 PM
uap2-rf_back-blur.jpg View uap2-rf_back-blur.jpg 723 KB tsaitgaist, 11/27/2015 12:07 PM
uap2-rf_front-blur.jpg View uap2-rf_front-blur.jpg 416 KB tsaitgaist, 11/27/2015 12:07 PM
femto1-board_back-blur.jpg View femto1-board_back-blur.jpg 586 KB tsaitgaist, 02/24/2016 10:44 PM
femto1-board_front-blur.jpg View femto1-board_front-blur.jpg 655 KB tsaitgaist, 02/24/2016 10:44 PM
femto1-case_back-blur.jpg View femto1-case_back-blur.jpg 166 KB tsaitgaist, 02/24/2016 10:44 PM
femto1-case_front.jpg View femto1-case_front.jpg 54.1 KB tsaitgaist, 02/24/2016 10:44 PM
femto1-rf_back-blur.jpg View femto1-rf_back-blur.jpg 458 KB tsaitgaist, 02/24/2016 10:44 PM
femto1-rf_back-naked-blur.jpg View femto1-rf_back-naked-blur.jpg 373 KB tsaitgaist, 02/24/2016 10:44 PM
femto1-rf_front-blur.jpg View femto1-rf_front-blur.jpg 446 KB tsaitgaist, 02/24/2016 10:44 PM
femto1-rf_front-naked-blur.jpg View femto1-rf_front-naked-blur.jpg 542 KB tsaitgaist, 02/24/2016 10:44 PM
uap2-board_back-blur.jpg View uap2-board_back-blur.jpg 555 KB tsaitgaist, 02/24/2016 10:44 PM
uap2-board_front-blur.jpg View uap2-board_front-blur.jpg 598 KB tsaitgaist, 02/24/2016 10:44 PM
uap3-board_main-back-blur.jpg View uap3-board_main-back-blur.jpg 411 KB tsaitgaist, 02/25/2016 09:07 AM
uap3-board_main-front.jpg View uap3-board_main-front.jpg 434 KB tsaitgaist, 02/25/2016 09:07 AM
uap3-board_main-front-blur.jpg View uap3-board_main-front-blur.jpg 430 KB tsaitgaist, 02/25/2016 09:07 AM
uap3-board_main-front-naked-blur.jpg View uap3-board_main-front-naked-blur.jpg 457 KB tsaitgaist, 02/25/2016 09:07 AM
uap3-board_rf-back-blur.jpg View uap3-board_rf-back-blur.jpg 679 KB tsaitgaist, 02/25/2016 09:07 AM
uap3-board_rf-front.jpg View uap3-board_rf-front.jpg 369 KB tsaitgaist, 02/25/2016 09:07 AM
uap3-board_rf-back-naked-blur.jpg View uap3-board_rf-back-naked-blur.jpg 502 KB tsaitgaist, 02/25/2016 09:07 AM
uap3-box-back-blur.jpg View uap3-box-back-blur.jpg 169 KB tsaitgaist, 02/25/2016 09:07 AM
uap3-box-front.jpg View uap3-box-front.jpg 35.7 KB tsaitgaist, 02/25/2016 09:07 AM
uap3-board_rf-front-naked.jpg View uap3-board_rf-front-naked.jpg 532 KB tsaitgaist, 02/25/2016 09:07 AM

Updated by tsaitgaist about 8 years ago · 24 revisions

Add picture from clipboard (Maximum size: 48.8 MB)