Revision 24 (tsaitgaist, 02/25/2016 09:14 AM) → Revision 25/26 (tsaitgaist, 02/25/2016 09:29 AM)

The Huawei UAP2105 is a UMTS femtocell. 

 {{>toc}} 

 h1. Support 

 This product has been "EOL/deprecated":http://www1.huawei.com/en/ProductsLifecycle/RadioAccessProducts/small-cell/hw-331134.htm: 
 * "UAP2105":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105766-productlifecycleannouncement.htm (2011-12-20) 
 * "UAP2105C01":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105768-productlifecycleannouncement.htm (2011-12-20) 
 * "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105771-productlifecycleannouncement.htm (2011-12-20) 
 * "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-112035-productlifecycleannouncement.htm (2011-12-30) 
 * "UAP2105C01 V300R012":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-145907.htm (2012-06-19)   

 h1. Hardware 

 main board (QWG1SUAP VER C), front: 
 * CPU (ARM based + integrated UMTS base station baseband): "HiSilicon SD6121RBC":http://support.hisilicon.com/support/ServiceSupNav!getAllProductListByKeyword?mid=PRODUCT_SUPPORT&keyword=SD6121 
 * 1Gb DDR2 RAM: "Samsung K4T1G164QE-HCE6":http://www.samsung.com/global/business/semiconductor/file/2011/product/2010/1/19/130882ds_k4t1gxx4qe_industrial_rev13.pdf 
 * 10/100 Base-T transformer: "Wurth Electronics Midcom 7112-35-H":http://www.digchip.com/datasheets/download_datasheet.php?id=5503979&part-number=000-7112-35 
 * 10/100 Base-T transceiver: "Broadcom BCM5241":https://www.broadcom.com/collateral/pb/5241-PB01-R.pdf 
 * AND-gate: "Fairchild 74LCX08":https://www.fairchildsemi.com/datasheets/74/74LCX08.pdf 
 * 3V voltage monitor: "Maxim MAX708S":https://datasheets.maximintegrated.com/en/ds/MAX706AP-MAX708T.pdf 
 * low dropout regulator: "Texas Instruments TPS73701":http://www.ti.com/lit/gpn/TPS737 
 * step down DC-DC converter: "Texas Instruments TPS54331":http://www.ti.com/lit/ds/symlink/tps54331.pdf 

 main board (QWG1SUAP VER C), back: 
 * 256Mb NOR flash: "Spansion S29GL256N10TFI01":http://www.spansion.com/Support/Related%20Product%20Info/S29GL256N_overview.pdf 
 * 16-bit transceiver: "NXP LVT16245B":http://www.nxp.com/documents/data_sheet/74LVT_LVTH16245B.pdf 
 * EPD TVS Diode Array: "Semtech SLVU2.8-4":http://www.semtech.com/images/datasheet/slvu2.8-4.pdf 

 radio board (QWG1SRM1 VER B): 
 * low dropout regulator: "Texas Instruments TPS73701":http://www.ti.com/lit/gpn/TPS737 
 * base station transmitter: "Maxim MAX2599":https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2599.html 
 * base station receiver: "Maxim MAX2547":https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2547.html 
 * GSM baseband: "Texas Instruments T303IFZPH":http://read.pudn.com/downloads152/ebook/667710/t3031_Datasheet_V1.6.pdf 
 * 16Mb CMOS flash: "Spansion S29NS016J0LBJW00":https://www.spansion.com/Support/Obsolescence%20Notifications/2749.pdf 
 * CPU?: Texas Instruments D6928BB  

 h2. connectors 


 debug connector: 
 |_. signal/state |_. pin |_. pin |_. signal/state | 
 | low | 1 | 2 | pulse | 
 | TX?/high | 3 | 4 | GND | 
 | RX?/high | 5 | 6 | low | 
 | low | 7 | 8 | low | 
 | TCK?/low | 9 | 10 | pulse | 
 | GND | 11 | 12 | GND | 
 | high | 13 | 14 | high | 
 | GND | 15 | 16 | GND | 
 | TDI?/high | 17 | 18 | pulse | 
 | TRST?/low | 19 | 20 | TDO?/low | 
 | high | 21 | 22 | TMS?/high | 
 | low | 23 | 24 | low | 
 | low | 25 | 26 | low | 
 |\4=.    DEBUG    | 

 mode connector (use jumper to select): 
 |_. state |_. pin |_. pin |_. signal |_. mode | 
 | high | 1 | 2 | GND | WDGEN | 
 | low | 3 | 4 | GND | BOOTMODE | 
 | high | 5 | 6 | GND | JTAGMODE0 | 
 | high | 7 | 8 | GND | JTAGMODE1 | 
 | high | 9 | 10 | GND | RUNMODE | 
 |\5=.    MODE    | 

 h2. UAP1 

 It was bought from the operator Vodafone Greece. 
 The board date is 1023. 

 {{thumbnail(femto1-case_front.jpg, size=200)}} 
 {{thumbnail(femto1-case_back-blur.jpg, size=200)}} 
 {{thumbnail(femto1-board_front-blur.jpg, size=200)}} 
 {{thumbnail(femto1-board_back-blur.jpg, size=200)}} 
 {{thumbnail(femto1-rf_front-blur.jpg, size=200)}} 
 {{thumbnail(femto1-rf_front-naked-blur.jpg, size=200)}} 
 {{thumbnail(femto1-rf_back-blur.jpg, size=200)}} 
 {{thumbnail(femto1-rf_back-naked-blur.jpg, size=200)}} 

 h2. UAP2 

 It was bought from the operator Vodafone Spain. 
 The board date is 1201. 

 This board has more shielding cans. 

 {{thumbnail(uap2-board_front-blur.jpg, size=200)}} 
 {{thumbnail(uap2-board_back-blur.jpg, size=200)}} 
 {{thumbnail(uap2-rf_front-blur.jpg, size=200)}} 
 {{thumbnail(uap2-rf_back-blur.jpg, size=200)}} 

 h2. UAP3 

 This femtocell was bought directly in China and is not operator branded. 
 The board date is 1215. 

 This femtocell even has a power button on the case. 

 {{thumbnail(uap3-box-front.jpg, size=200)}} 
 {{thumbnail(uap3-box-back-blur.jpg, size=200)}} 
 {{thumbnail(uap3-board_main-front-blur.jpg, size=200)}} 
 {{thumbnail(uap3-board_main-front-naked-blur.jpg, size=200)}} 
 {{thumbnail(uap3-board_main-back-blur.jpg, size=200)}} 
 {{thumbnail(uap3-board_rf-front.jpg, size=200)}} 
 {{thumbnail(uap3-board_rf-front-naked.jpg, size=200)}} 
 {{thumbnail(uap3-board_rf-back-blur.jpg, size=200)}} 
 {{thumbnail(uap3-board_rf-back-naked-blur.jpg, size=200)}} 

 h1. Rooting 

 How to root this device and intercept communication has been shown in August 2015 at the "in Femtoland 350 Yuan for Invaluable Fun":https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun presentation ("slides":http://www.slideshare.net/arbitrarycode/adventures-in-femtoland-350-yuan-for-invaluable-fun, "video":https://www.youtube.com/watch?v=U-COwT7dwWg). 

 This issue has been "analysed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-446728.htm and "fixed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-452865.htm by the vendor. 

 All femtocells should use a permanent static IP address, 172.16.1.1. 
 The default web interface password is the femtocell's serial number (8 characters, starting with B?). 

 h2. UAP1 

 firmware version: QWGM3SUAP4 V300R011C00 SPC173 

 h3. ports 

 debug port: 
 * UART not found on pins described in slides (all modes) 
 * no UART identified using JTAGulator (all modes) 
 * JTAG not found on pins described in slides (all modes) 
 * no JTAG identified using JTAGulator, using id code and bypass scans (all modes) 

 h3. boot 

 boot process (all modes): 
 # red and blue LEDs on for 7 s 
 # ethernet link on 
 # red and blue LEDs on for 9 s 
 # ethernet link off 
 # red and blue LEDs on for 2 s 
 # ethernet link on 
 # red and blue LEDs on for 12 s 
 # red LED on for 23 s 
 # red and blue LEDs on for 2 s 
 # LEDs off for 0.1 s 
 # red and blue LEDs on for 5 s 
 # red LED on 

 h3. network 

 network ports: 
 * the first time the link is on, only UDP port 17185 on fixed IP 172.16.1.1 is open, apparently providing wdbrpc service: 
 <pre> 
 sudo nmap -n -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1 

 Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:47 CET 
 Nmap scan report for 172.16.1.1 
 Host is up (0.0030s latency). 
 PORT        STATE    SERVICE VERSION 
 ... 
 17185/udp open     wdbrpc? 
 </pre> 
 * the second time the link is on, all ports are blocked/filtered: 
 <pre> 
 sudo nmap -n -A -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1 

 Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:53 CET 
 Nmap scan report for 172.16.1.1 
 Host is up (0.0019s latency). 
 PORT        STATE      SERVICE VERSION 
 21/tcp      closed     ftp 
 23/tcp      closed     telnet 
 80/tcp      filtered http 
 6000/tcp    filtered X11 
 6006/tcp    filtered X11:6 
 7547/tcp    filtered unknown 
 17185/tcp closed     unknown 
 </pre> 
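The two scans above show the security-relevant pattern: during the first Ethernet link-up of the boot sequence, UDP port 17185 (nmap's name wdbrpc is the VxWorks WDB remote debug agent) is reachable, and by the second link-up every probed port is closed or filtered. As an added example that is not part of this wiki page, the following Python checker parses nmap's normal output, flags open debug services, and lists ports that are exposed only in the boot-time window. The two embedded scan texts are copied from the output above; the DEBUG_SERVICES set and the function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Scan output copied from the UAP1 network section of this page: first and
# second Ethernet link-up during boot (lines the page elided stay as "...").
SCAN_FIRST_LINK = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:47 CET
Nmap scan report for 172.16.1.1
Host is up (0.0030s latency).
PORT        STATE    SERVICE VERSION
...
17185/udp open     wdbrpc?
"""

SCAN_SECOND_LINK = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:53 CET
Nmap scan report for 172.16.1.1
Host is up (0.0019s latency).
PORT        STATE      SERVICE VERSION
21/tcp      closed     ftp
23/tcp      closed     telnet
80/tcp      filtered http
6000/tcp    filtered X11
6006/tcp    filtered X11:6
7547/tcp    filtered unknown
17185/tcp closed     unknown
"""

# Assumed policy for this example: services that must never be reachable on a
# deployed femtocell. "wdbrpc" is nmap's name for the VxWorks WDB debug agent.
DEBUG_SERVICES = {"wdbrpc"}

# One nmap port line: "<port>/<proto> <state> <service> [version...]"
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)"
)


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str  # nmap service name with the trailing '?' (unconfirmed) removed


def parse_nmap(text):
    """Return a PortEntry for every port line in nmap's normal output."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            entries.append(PortEntry(int(port), proto, state, service.rstrip("?")))
    return entries


def open_ports(entries):
    """Set of (port, proto) pairs nmap reported as open."""
    return {(e.port, e.proto) for e in entries if e.state == "open"}


def exposed_debug_services(entries):
    """Open ports whose service name is a known debug agent."""
    return [e for e in entries if e.state == "open" and e.service in DEBUG_SERVICES]


def transient_exposures(first, second):
    """Ports open in the first scan but no longer open in the second."""
    return sorted(open_ports(first) - open_ports(second))


if __name__ == "__main__":
    first = parse_nmap(SCAN_FIRST_LINK)
    second = parse_nmap(SCAN_SECOND_LINK)
    for e in exposed_debug_services(first):
        print(f"debug service exposed during boot: {e.port}/{e.proto} ({e.service})")
    print("open only in the boot window:", transient_exposures(first, second))
```

Run against the UAP2 scan further down, the same checker reports no debug service, which matches the observation there that only TCP port 80 is open once the link is up for the second time.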

 h2. UAP2 

 firmware version: QWGM3SUAP4 V300R011C02 SPC182 

 h3. ports 

 debug port: 
 * UART not found on pins described in slides (all modes) 
 * JTAG not found on pins described in slides (all modes) 
 * no JTAG identified using JTAGulator, using id code scan (all modes) 

 h3. boot 

 boot process (all modes): 
 # red and blue LEDs on for 7 s 
 # ethernet link on 
 # red and blue LEDs on for 14 s 
 # ethernet link off 
 # red and blue LEDs on for 2 s 
 # ethernet link on 
 # red and blue LEDs on for 1 s 
 # ethernet link off 
 # red and blue LEDs on for 2 s 
 # ethernet link on 
 # red and blue LEDs on for 8 s 
 # red and blue LEDs on for 25 s 
 # red and blue LEDs on for 2 s 
 # LEDs off for 0.5 s 
 # red and blue LEDs on for 3 s 
 # 6x LEDs off for 2 s 
 # 6x red and blue LEDs on for 2 s 
 # red LED on 

 h3. network 

 network ports: 
 * the first time the link is on, no ports are open on IP 172.16.1.1 (unlike UAP1, which exposes the wdbrpc service) 
 * the second time the link is on, only TCP port 80 is open and there is an HTTP service: 
 <pre> 
 Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-25 21:56 CET 
 Nmap scan report for 172.16.1.1 
 Host is up (0.0014s latency). 
 PORT        STATE      SERVICE VERSION 
 ... 
 80/tcp      open       http      [[GoAhead]]-Webs httpd 
 |_http-methods: No Allow or Public header in OPTIONS response (status code 400) 
 | http-title: User Login 
 |_Requested resource was http://172.16.1.1/index.htm 
 ... 
 </pre> 

 The IPsec server certificate is checked. 

 h2. UAP3 

 firmware version: QWGM3SUAP11 V300R011C02 SPC183 

 h3. network 

 This one gets the IPsec gateway information from the SIM card. 
 The IPsec server certificate is checked. 

 h2. UAP4 

 This is the femtocell from the "presentation":https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun speakers, which they got from a Russian operator. 

 h3. network 

 It uses the SIM only to get key material for the IPsec tunnel. 
 The IPsec gateway and HMS server are configured on the web interface. 
 The IPsec server certificate is not checked. 

 Once connected to the IPsec gateway, it will connect to the HMS. 
 The HMS needs to push the HNB-GW configuration using CWMP (an own implementation was required: the femto's CWMP client is very case sensitive and openCWMP did not work here). 

 Various parameters need to be pushed. 
 Once everything is configured, ADMIN_STATE can be set to TRUE to enable broadcasting.