Cellular Network Infrastructure » Core Network (CN) » OsmoHNBGW

The Huawei UAP2105 is a UMTS femtocell.

{{>toc}}

h1. Support

This product has been "EOL/deprecated":http://www1.huawei.com/en/ProductsLifecycle/RadioAccessProducts/small-cell/hw-331134.htm:

* "UAP2105":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105766-productlifecycleannouncement.htm (2011-12-20)

* ​"UAP2105C01":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105768-productlifecycleannouncement.htm (2011-12-20)

* "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105771-productlifecycleannouncement.htm (2011-12-20)

* ​"UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-112035-productlifecycleannouncement.htm (2011-12-30)

* "UAP2105C01 V300R012":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-145907.htm (2012-06-19)  

h1. Hardware

main board (QWG1SUAP VER C), front:

* CPU (ARM based + integrated UMTS base station baseband): ​"HiSilicon SD6121RBC":http://support.hisilicon.com/support/ServiceSupNav!getAllProductListByKeyword?mid=PRODUCT_SUPPORT&keyword=SD6121

* 1Gb DDR2 RAM: ​"Samsung K4T1G164QE-HCE6":http://www.samsung.com/global/business/semiconductor/file/2011/product/2010/1/19/130882ds_k4t1gxx4qe_industrial_rev13.pdf

* 10/100 Base-T transformer: "​Wurth Electronics Midcom 7112-35-H":http://www.digchip.com/datasheets/download_datasheet.php?id=5503979&part-number=000-7112-35

* 10/100 Base-T transceiver: ​"Broadcom BCM5241":https://www.broadcom.com/collateral/pb/5241-PB01-R.pdf

* AND-gate: ​"Fairchild 74LCX08":https://www.fairchildsemi.com/datasheets/74/74LCX08.pdf

* 3V voltage monitor: ​"Maxim MAX708S":https://datasheets.maximintegrated.com/en/ds/MAX706AP-MAX708T.pdf

* low dropout regulator: ​"Texas Instruments TPS73701":http://www.ti.com/lit/gpn/TPS737

* step down DC-DC convert: "​Texas Instruments TPS54331":http://www.ti.com/lit/ds/symlink/tps54331.pdf

main board (QWG1SUAP VER C), back:

* 256Mb NOR flash: "​Spansion S29GL256N10TFI01":http://www.spansion.com/Support/Related%20Product%20Info/S29GL256N_overview.pdf

* 16-bit transceiver: ​"NXP LVT16245B":http://www.nxp.com/documents/data_sheet/74LVT_LVTH16245B.pdf

* EPD TVS Diode Array: ​"Semtech SLVU2.8-4 ":http://www.semtech.com/images/datasheet/slvu2.8-4.pdf

radio board (QWG1SRM1 VER B):

* low dropout regulator: "​Texas Instruments TPS73701":http://www.ti.com/lit/gpn/TPS737

* base station transmitter: ​"Maxim MAX2599":https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2599.html

* base station receiver: "​Maxim MAX2547":https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2547.html

* GSM baseband: ​"Texas Instruments T303IFZPH":http://read.pudn.com/downloads152/ebook/667710/t3031_Datasheet_V1.6.pdf

* 16Mb CMOS flash: ​"Spansion S29NS016J0LBJW00":https://www.spansion.com/Support/Obsolescence%20Notifications/2749.pdf

* CPU?: Texas Instruments D6928BB 

h2. connectors

debug connector:

|_. signal/state |_. pin |_. pin |_. signal/state |

| low | 1 | 2 | pulse |

| TX?/high | 3 | 4 | GND |

| RX?/high | 5 | 6 | low |

| low | 7 | 8 | low |

| TCK?/low | 9 | 10 | pulse |

| GND | 11 | 12 | GND |

| high | 13 | 14 | high |

| GND | 15 | 16 | GND |

| TDI?/high | 17 | 18 | pulse |

| TRST?/low | 19 | 20 | TDO?/low |

| high | 21 | 22 | TMS?/high |

| low | 23 | 24 | low |

| low | 25 | 26 | low |

|\4=.  DEBUG  |

mode connector (use jumper to select):

|_. state |_. pin |_. pin |_. signal |_. mode |

| high | 1 | 2 | GND | WDGEN |

| low | 3 | 4 | GND | BOOTMODE |

| high | 5 | 6 | GND | JTAGMODE0 |

| high | 7 | 8 | GND | JTAGMODE1 |

| high | 9 | 10 | GND | RUNMODE |

|\5=.  MODE  |

h2. UAP1

The operator where it was bought from is Vodafone Greece.

The board date is 1023.

{{thumbnail(femto1-case_front.jpg, size=200)}}

{{thumbnail(femto1-case_back-blur.jpg, size=200)}}

{{thumbnail(femto1-board_front-blur.jpg, size=200)}}

{{thumbnail(femto1-board_back-blur.jpg, size=200)}}

{{thumbnail(femto1-rf_front-blur.jpg, size=200)}}

{{thumbnail(femto1-rf_front-naked-blur.jpg, size=200)}}

{{thumbnail(femto1-rf_back-blur.jpg, size=200)}}

{{thumbnail(femto1-rf_back-naked-blur.jpg, size=200)}}

h2. UAP2

The operator where it was bought from is Vodafone Spain.

The board date is 1201.

This board has more shielding cans.

{{thumbnail(uap2-board_front-blur.jpg, size=200)}}

{{thumbnail(uap2-board_back-blur.jpg, size=200)}}

{{thumbnail(uap2-rf_front-blur.jpg, size=200)}}

{{thumbnail(uap2-rf_back-blur.jpg, size=200)}}

h2. UAP3

This femtocell was baught directly in china and is not operator branded.

The board date is 1215.

This femtocell even has a power button on the case.

{{thumbnail(uap3-box-front.jpg, size=200)}}

{{thumbnail(uap3-box-back-blur.jpg, size=200)}}

{{thumbnail(uap3-board_main-front-blur.jpg, size=200)}}

{{thumbnail(uap3-board_main-front-naked-blur.jpg, size=200)}}

{{thumbnail(uap3-board_main-back-blur.jpg, size=200)}}

{{thumbnail(uap3-board_rf-front.jpg, size=200)}}

{{thumbnail(uap3-board_rf-front-naked.jpg, size=200)}}

{{thumbnail(uap3-board_rf-back-blur.jpg, size=200)}}

{{thumbnail(uap3-board_rf-back-naked-blur.jpg, size=200)}}

h1. Rooting

How to root this device and intercept communication has been shown in August 2015 at the "in Femtoland 350 Yuan for Invaluable Fun":https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun presentation ("slides":http://www.slideshare.net/arbitrarycode/adventures-in-femtoland-350-yuan-for-invaluable-fun, "video":https://www.youtube.com/watch?v=U-COwT7dwWg).

This issue has been "analysed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-446728.htm and "fixed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-452865.htm by the vendor.

All femtocells should use the a permanent static IP address 172.16.1.1.

The default web interface password is the femtocells serial (8 characters, starting with B?)

h2. UAP1

firmware version: QWGM3SUAP4 V300R011C00 SPC173

h3. ports

debug port:

* UART not found on pins described in slides (all modes)

* no UART identified using JTAGulator (all modes)

* JTAG not found on pins described in slides (all modes)

* no JTAG identified using JTAGulator, using id code and bypass scans (all modes)

h3. boot

boot process (all modes):

# red and blue LEDs on for 7 s

# ethernet link on

# red and blue LEDs on for 9 s

# ethernet link off

# red and blue LEDs on for 2 s

# ethernet link on

# red and blue LEDs on for 12 s

# red LED on for 23 s

# red and blue LEDs on for 2 s

# LEDs off for 0.1 s

# red and blue LEDs on for 5 s

# red LED on

h3. network

network ports:

* the first time the link is on, only UDP port 17185 on fixed IP 172.16.1.1 is open, apparently providing wdbrpc service:

<pre>

sudo nmap -n -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:47 CET

Nmap scan report for 172.16.1.1

Host is up (0.0030s latency).

PORT      STATE  SERVICE VERSION

...

17185/udp open   wdbrpc?

</pre>

* the second time the link is on, all ports are blocked/filtered:

<pre>

sudo nmap -n -A -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:53 CET

Nmap scan report for 172.16.1.1

Host is up (0.0019s latency).

PORT      STATE    SERVICE VERSION

21/tcp    closed   ftp

23/tcp    closed   telnet

80/tcp    filtered http

6000/tcp  filtered X11

6006/tcp  filtered X11:6

7547/tcp  filtered unknown

17185/tcp closed   unknown

</pre>

h2. UAP2

firmware version: QWGM3SUAP4 V300R011C02 SPC182

h3. ports

debug port:

* UART not found on pins described in slides (all modes)

* JTAG not found on pins described in slides (all modes)

* no JTAG identified using JTAGulator, using id code scan (all modes)

h3. boot

boot process (all modes):

# red and blue LEDs on for 7 s

# ethernet link on

# red and blue LEDs on for 14 s

# ethernet link off

# red and blue LEDs on for 2 s

# ethernet link on

# red and blue LEDs on for 1 s

# ethernet link off

# red and blue LEDs on for 2 s

# ethernet link on

# red and blue LEDs on for 8 s

# red and blue LEDs on for 25 s

# red and blue LEDs on for 2 s

# LEDs off for 0.5 s

# red and blue LEDs on for 3 s

# 6x LEDs off for 2 s

# 6x red and blue LEDs on for 2 s

# red LED on

h3. network

network ports:

* the first time the link is on no ports are open on IP 172.16.1.1 (compared to UAP1 for wdbrpc service):

* the second time the link is on, only TCP port 80 is open an there is an HTTP service

<pre>

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-25 21:56 CET

Nmap scan report for 172.16.1.1

Host is up (0.0014s latency).

PORT      STATE    SERVICE VERSION

...

80/tcp    open     http    [[GoAhead]]-Webs httpd

|_http-methods: No Allow or Public header in OPTIONS response (status code 400)

| http-title: User Login

|_Requested resource was http://172.16.1.1/index.htm

...

</pre>

The IPsec server certificate is checked.

h2. UAP3

firmware version: QWGM3SUAP11 V300R011C02 SPC183

h3. network

This get the IPsec gateway information from the SIM card.

The IPsec server certificate is checked.

h2. UAP4

This is the femtocell from the "presentation":https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun speakers, which they got from a Russian operator.

h3. network

It uses the SIM only the get key material for the IPsec tunnel.

The IPsec gateway and HMS server are configured on the web interface.

The IPsec server certificate is not checked.

Once connect to the IPsec gateway, it will connect to the HMS.

The HMS needs to push the HNB-GW configuration using CWMP (own implementation, the femto CWMP client is very case sensitive and openCWMP did not work here).

Various parameters needs to be pushed.

Once everything is configured the ADMIN_STATE can be set to TRUE to enable broadcasting.