Uap2105 » History » Revision 16

tsaitgaist, 02/19/2016 10:48 PM
add mode connector


The Huawei UAP2105 is a UMTS femtocell.

= Support =

This product has been [[http://www1.huawei.com/en/ProductsLifecycle/RadioAccessProducts/small-cell/hw-331134.htm|EOL/deprecated]]:
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105766-productlifecycleannouncement.htm|UAP2105]] (2011-12-20)
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105768-productlifecycleannouncement.htm|UAP2105C01]] (2011-12-20)
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105771-productlifecycleannouncement.htm|UAP2105C01 V300R011]] (2011-12-20)
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-112035-productlifecycleannouncement.htm|UAP2105C01 V300R011]] (2011-12-30)
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-145907.htm|UAP2105C01 V300R012]] (2012-06-19)

= Hardware =

main board (QWG1SUAP VER C), front:
 * CPU (ARM based + integrated UMTS base station baseband): [[http://support.hisilicon.com/support/ServiceSupNav!getAllProductListByKeyword?mid=PRODUCT_SUPPORT&keyword=SD6121|HiSilicon SD6121RBC]]
 * 1Gb DDR2 RAM: [[http://www.samsung.com/global/business/semiconductor/file/2011/product/2010/1/19/130882ds_k4t1gxx4qe_industrial_rev13.pdf|Samsung K4T1G164QE-HCE6]]
 * 10/100 Base-T transformer: [[http://www.digchip.com/datasheets/download_datasheet.php?id=5503979&part-number=000-7112-35|Wurth Electronics Midcom 7112-35-H]]
 * 10/100 Base-T transceiver: [[https://www.broadcom.com/collateral/pb/5241-PB01-R.pdf|Broadcom BCM5241]]
 * AND-gate: [[https://www.fairchildsemi.com/datasheets/74/74LCX08.pdf|Fairchild 74LCX08]]
 * 3V voltage monitor: [[https://datasheets.maximintegrated.com/en/ds/MAX706AP-MAX708T.pdf|Maxim MAX708S]]
 * low dropout regulator: [[http://www.ti.com/lit/gpn/TPS737|Texas Instruments TPS73701]]
 * step-down DC-DC converter: [[http://www.ti.com/lit/ds/symlink/tps54331.pdf|Texas Instruments TPS54331]]

main board (QWG1SUAP VER C), back:
 * 256Mb NOR flash: [[http://www.spansion.com/Support/Related%20Product%20Info/S29GL256N_overview.pdf|Spansion S29GL256N10TFI01]]
 * 16-bit transceiver: [[http://www.nxp.com/documents/data_sheet/74LVT_LVTH16245B.pdf|NXP LVT16245B]]
 * EPD TVS Diode Array: [[http://www.semtech.com/images/datasheet/slvu2.8-4.pdf|Semtech SLVU2.8-4]]

radio board (QWG1SRM1 VER B):
 * low dropout regulator: [[http://www.ti.com/lit/gpn/TPS737|Texas Instruments TPS73701]]
 * base station transmitter: [[https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2599.html|Maxim MAX2599]]
 * base station receiver: [[https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2547.html|Maxim MAX2547]]
 * GSM baseband: [[http://read.pudn.com/downloads152/ebook/667710/t3031_Datasheet_V1.6.pdf|Texas Instruments T303IFZPH]]
 * 16Mb CMOS flash: [[https://www.spansion.com/Support/Obsolescence%20Notifications/2749.pdf|Spansion S29NS016J0LBJW00]]
 * CPU?: Texas Instruments D6928BB

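debug connector:
||= signal/state =||= pin =||= pin =||= signal/state =||
|| low || 1 || 2 || pulse ||
|| TX?/high || 3 || 4 || GND ||
|| RX?/high || 5 || 6 || low ||
|| low || 7 || 8 || low ||
|| TCK?/low || 9 || 10 || pulse ||
|| GND || 11 || 12 || GND ||
|| high || 13 || 14 || high ||
|| GND || 15 || 16 || GND ||
|| TDI?/high || 17 || 18 || pulse ||
|| TRST?/low || 19 || 20 || TDO?/low ||
|| high || 21 || 22 || TMS?/high ||
|| low || 23 || 24 || low ||
|| low || 25 || 26 || low ||
|||||||| DEBUG ||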

mode connector (use jumper to select):
||= state =||= pin =||= pin =||= signal =||= mode =||
|| high || 1 || 2 || GND || WDGEN ||
|| low || 3 || 4 || GND || BOOTMODE ||
|| high || 5 || 6 || GND || JTAGMODE0 ||
|| high || 7 || 8 || GND || JTAGMODE1 ||
|| high || 9 || 10 || GND || RUNMODE ||
|||||||||| MODE ||

== UAP1 ==

The operator it was bought from is Vodafone Greece.
The board date is 1023.

Image(femto1-case_front.jpg,200px)
Image(femto1-case_back-blur.jpg,200px)
Image(femto1-board_front-blur.jpg,200px)
Image(femto1-board_back-blur.jpg,200px)
Image(femto1-rf_front-blur.jpg,200px)
Image(femto1-rf_front-naked-blur.jpg,200px)
Image(femto1-rf_back-blur.jpg,200px)
Image(femto1-rf_back-naked-blur.jpg,200px)

== UAP2 ==

The operator it was bought from is Vodafone Spain.
The board date is 1201.

This board has more shielding cans.

Image(uap2-board_front-blur.jpg,200px)
Image(uap2-board_back-blur.jpg,200px)
Image(uap2-rf_front-blur.jpg,200px)
Image(uap2-rf_back-blur.jpg,200px)

= Rooting =

How to root this device and intercept communication was shown in August 2015 in the [[https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun|Adventures in Femtoland: 350 Yuan for Invaluable Fun]] presentation ([[http://www.slideshare.net/arbitrarycode/adventures-in-femtoland-350-yuan-for-invaluable-fun|slides]], [[https://www.youtube.com/watch?v=U-COwT7dwWg|video]]).

This issue has been [[http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-446728.htm|analyzed]] and [[http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-452865.htm|fixed]] by the vendor.

== UAP1 ==

debug port:
 * UART not found on pins described in slides (all modes)
 * no UART identified using JTAGulator (all modes)
 * JTAG not found on pins described in slides (all modes)
 * no JTAG identified using JTAGulator, using id code and bypass scans (all modes)

boot process (all modes):
1. red and blue LEDs on for 7 s
1. ethernet link on
1. red and blue LEDs on for 9 s
1. ethernet link off
1. red and blue LEDs on for 2 s
1. ethernet link on
1. red and blue LEDs on for 12 s
1. red LED on for 23 s
1. red and blue LEDs on for 2 s
1. LEDs off for 0.1 s
1. red and blue LEDs on for 5 s
1. red LED on

== UAP2 ==

debug port:
 * UART not found on pins described in slides (all modes)
 * JTAG not found on pins described in slides (all modes)
 * no JTAG identified using JTAGulator, using id code scan (all modes)

boot process (all modes):
1. red and blue LEDs on for 7 s
1. ethernet link on
1. red and blue LEDs on for 14 s
1. ethernet link off
1. red and blue LEDs on for 2 s
1. ethernet link on
1. red and blue LEDs on for 1 s
1. ethernet link off
1. red and blue LEDs on for 2 s
1. ethernet link on
1. red and blue LEDs on for 8 s
1. red and blue LEDs on for 25 s
1. red and blue LEDs on for 2 s
1. LEDs off for 0.5 s
1. red and blue LEDs on for 3 s
1. 6x LEDs off for 2 s
1. 6x red and blue LEDs on for 2 s
1. red LED on


Updated by tsaitgaist about 8 years ago · 16 revisions
