Uap2105 » History » Version 18
tsaitgaist, 02/19/2016 10:48 PM
add uap1 nmap
[[PageOutline]]

The Huawei UAP2105 is a UMTS femtocell.

= Support =

This product has been [[http://www1.huawei.com/en/ProductsLifecycle/RadioAccessProducts/small-cell/hw-331134.htm|EOL/deprecated]]:
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105766-productlifecycleannouncement.htm|UAP2105]] (2011-12-20)
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105768-productlifecycleannouncement.htm|UAP2105C01]] (2011-12-20)
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105771-productlifecycleannouncement.htm|UAP2105C01 V300R011]] (2011-12-20)
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-112035-productlifecycleannouncement.htm|UAP2105C01 V300R011]] (2011-12-30)
 * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-145907.htm|UAP2105C01 V300R012]] (2012-06-19)

= Hardware =

main board (QWG1SUAP VER C), front:
 * CPU (ARM based + integrated UMTS base station baseband): [[http://support.hisilicon.com/support/ServiceSupNav!getAllProductListByKeyword?mid=PRODUCT_SUPPORT&keyword=SD6121|HiSilicon SD6121RBC]]
 * 1Gb DDR2 RAM: [[http://www.samsung.com/global/business/semiconductor/file/2011/product/2010/1/19/130882ds_k4t1gxx4qe_industrial_rev13.pdf|Samsung K4T1G164QE-HCE6]]
 * 10/100 Base-T transformer: [[http://www.digchip.com/datasheets/download_datasheet.php?id=5503979&part-number=000-7112-35|Wurth Electronics Midcom 7112-35-H]]
 * 10/100 Base-T transceiver: [[https://www.broadcom.com/collateral/pb/5241-PB01-R.pdf|Broadcom BCM5241]]
 * AND-gate: [[https://www.fairchildsemi.com/datasheets/74/74LCX08.pdf|Fairchild 74LCX08]]
 * 3V voltage monitor: [[https://datasheets.maximintegrated.com/en/ds/MAX706AP-MAX708T.pdf|Maxim MAX708S]]
 * low dropout regulator: [[http://www.ti.com/lit/gpn/TPS737|Texas Instruments TPS73701]]
 * step down DC-DC converter: [[http://www.ti.com/lit/ds/symlink/tps54331.pdf|Texas Instruments TPS54331]]

main board (QWG1SUAP VER C), back:
 * 256Mb NOR flash: [[http://www.spansion.com/Support/Related%20Product%20Info/S29GL256N_overview.pdf|Spansion S29GL256N10TFI01]]
 * 16-bit transceiver: [[http://www.nxp.com/documents/data_sheet/74LVT_LVTH16245B.pdf|NXP LVT16245B]]
 * ESD TVS diode array: [[http://www.semtech.com/images/datasheet/slvu2.8-4.pdf|Semtech SLVU2.8-4]]

radio board (QWG1SRM1 VER B):
 * low dropout regulator: [[http://www.ti.com/lit/gpn/TPS737|Texas Instruments TPS73701]]
 * base station transmitter: [[https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2599.html|Maxim MAX2599]]
 * base station receiver: [[https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2547.html|Maxim MAX2547]]
 * GSM baseband: [[http://read.pudn.com/downloads152/ebook/667710/t3031_Datasheet_V1.6.pdf|Texas Instruments T303IFZPH]]
 * 16Mb CMOS flash: [[https://www.spansion.com/Support/Obsolescence%20Notifications/2749.pdf|Spansion S29NS016J0LBJW00]]
 * CPU?: Texas Instruments D6928BB

== connectors ==

debug connector:
||= signal/state =||= pin =||= pin =||= signal/state =||
|| low || 1 || 2 || pulse ||
|| TX?/high || 3 || 4 || GND ||
|| RX?/high || 5 || 6 || low ||
|| low || 7 || 8 || low ||
|| TCK?/low || 9 || 10 || pulse ||
|| GND || 11 || 12 || GND ||
|| high || 13 || 14 || high ||
|| GND || 15 || 16 || GND ||
|| TDI?/high || 17 || 18 || pulse ||
|| TRST?/low || 19 || 20 || TDO?/low ||
|| high || 21 || 22 || TMS?/high ||
|| low || 23 || 24 || low ||
|| low || 25 || 26 || low ||
|||||||| DEBUG ||

mode connector (use jumper to select):
||= state =||= pin =||= pin =||= signal =||= mode =||
|| high || 1 || 2 || GND || WDGEN ||
|| low || 3 || 4 || GND || BOOTMODE ||
|| high || 5 || 6 || GND || JTAGMODE0 ||
|| high || 7 || 8 || GND || JTAGMODE1 ||
|| high || 9 || 10 || GND || RUNMODE ||
|||||||||| MODE ||

== UAP1 ==

The operator it was bought from is Vodafone Greece.
The board date is 1023.

[[Image(femto1-case_front.jpg,200px)]]
[[Image(femto1-case_back-blur.jpg,200px)]]
[[Image(femto1-board_front-blur.jpg,200px)]]
[[Image(femto1-board_back-blur.jpg,200px)]]
[[Image(femto1-rf_front-blur.jpg,200px)]]
[[Image(femto1-rf_front-naked-blur.jpg,200px)]]
[[Image(femto1-rf_back-blur.jpg,200px)]]
[[Image(femto1-rf_back-naked-blur.jpg,200px)]]

== UAP2 ==

The operator it was bought from is Vodafone Spain.
The board date is 1201.

This board has more shielding cans.

[[Image(uap2-board_front-blur.jpg,200px)]]
[[Image(uap2-board_back-blur.jpg,200px)]]
[[Image(uap2-rf_front-blur.jpg,200px)]]
[[Image(uap2-rf_back-blur.jpg,200px)]]

= Rooting =

How to root this device and intercept its communication was shown in August 2015 in the [[https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun|Adventures in Femtoland: 350 Yuan for Invaluable Fun]] presentation ([[http://www.slideshare.net/arbitrarycode/adventures-in-femtoland-350-yuan-for-invaluable-fun|slides]], [[https://www.youtube.com/watch?v=U-COwT7dwWg|video]]).

This issue has been [[http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-446728.htm|analyzed]] and [[http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-452865.htm|fixed]] by the vendor.

== UAP1 ==

debug port:
 * UART not found on the pins described in the slides (all modes)
 * no UART identified using the JTAGulator (all modes)
 * JTAG not found on the pins described in the slides (all modes)
 * no JTAG identified using the JTAGulator, with ID code and bypass scans (all modes)

boot process (all modes):
 1. red and blue LEDs on for 7 s
 1. ethernet link on
 1. red and blue LEDs on for 9 s
 1. ethernet link off
 1. red and blue LEDs on for 2 s
 1. ethernet link on
 1. red and blue LEDs on for 12 s
 1. red LED on for 23 s
 1. red and blue LEDs on for 2 s
 1. LEDs off for 0.1 s
 1. red and blue LEDs on for 5 s
 1. red LED on

network ports:
 * the first time the link is on, only UDP port 17185 on the fixed IP 172.16.1.1 is open, apparently providing the wdbrpc service:
{{{
sudo nmap -n -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:47 CET
Nmap scan report for 172.16.1.1
Host is up (0.0030s latency).
PORT      STATE  SERVICE VERSION
...
17185/udp open   wdbrpc?
}}}
 * the second time the link is on, all ports are blocked/filtered:
{{{
sudo nmap -n -A -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:53 CET
Nmap scan report for 172.16.1.1
Host is up (0.0019s latency).
PORT      STATE    SERVICE VERSION
21/tcp    closed   ftp
23/tcp    closed   telnet
80/tcp    filtered http
6000/tcp  filtered X11
6006/tcp  filtered X11:6
7547/tcp  filtered unknown
17185/tcp closed   unknown
}}}

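A way to make the two scans above comparable, as an added example that is not part of this wiki page: a small Python parser for nmap's normal output that lists the per-port state changes between the two link-up windows and flags listeners that were open only transiently (here the UDP 17185 wdbrpc listener, the sort of boot-time exposure a monitoring rule should catch). The two reports are embedded as constructed sample input trimmed to the lines quoted above.

```python
import re
from typing import Dict, List, Tuple

# Sample input constructed from the two nmap runs quoted on this page
# (first and second time the UAP1's ethernet link comes up during boot).
SCAN_FIRST_LINK_UP = """\
Nmap scan report for 172.16.1.1
PORT      STATE  SERVICE VERSION
17185/udp open   wdbrpc?
"""

SCAN_SECOND_LINK_UP = """\
Nmap scan report for 172.16.1.1
PORT      STATE    SERVICE VERSION
21/tcp    closed   ftp
23/tcp    closed   telnet
80/tcp    filtered http
6000/tcp  filtered X11
6006/tcp  filtered X11:6
7547/tcp  filtered unknown
17185/tcp closed   unknown
"""

# nmap normal-output port line: "<port>/<proto>  <state>  <service> [version]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)")


def parse_ports(report: str) -> Dict[Tuple[int, str], Tuple[str, str]]:
    """Return {(port, proto): (state, service)}; non-port lines are skipped."""
    ports = {}
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports


def port_transitions(before: str, after: str) -> List[Tuple[str, str, str]]:
    """('port/proto', state_before, state_after) per changed port; unlisted = 'absent'."""
    a, b = parse_ports(before), parse_ports(after)
    changes = []
    for key in sorted(set(a) | set(b)):
        s_a, s_b = a.get(key, ("absent",))[0], b.get(key, ("absent",))[0]
        if s_a != s_b:
            changes.append((f"{key[0]}/{key[1]}", s_a, s_b))
    return changes


def transient_open_ports(before: str, after: str) -> List[str]:
    """Ports open in the first scan but not the second: the boot-time exposure window."""
    return [p for p, s_a, s_b in port_transitions(before, after)
            if s_a == "open" and s_b != "open"]
```

Running `transient_open_ports(SCAN_FIRST_LINK_UP, SCAN_SECOND_LINK_UP)` on the two reports yields only 17185/udp; the same parser works on any other pair of nmap normal-output reports of the same host.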
== UAP2 ==

debug port:
 * UART not found on the pins described in the slides (all modes)
 * JTAG not found on the pins described in the slides (all modes)
 * no JTAG identified using the JTAGulator, with an ID code scan (all modes)

boot process (all modes):
 1. red and blue LEDs on for 7 s
 1. ethernet link on
 1. red and blue LEDs on for 14 s
 1. ethernet link off
 1. red and blue LEDs on for 2 s
 1. ethernet link on
 1. red and blue LEDs on for 1 s
 1. ethernet link off
 1. red and blue LEDs on for 2 s
 1. ethernet link on
 1. red and blue LEDs on for 8 s
 1. red and blue LEDs on for 25 s
 1. red and blue LEDs on for 2 s
 1. LEDs off for 0.5 s
 1. red and blue LEDs on for 3 s
 1. 6x LEDs off for 2 s
 1. 6x red and blue LEDs on for 2 s
 1. red LED on