Uap2105 » History » Version 21

tsaitgaist, 02/19/2016 10:48 PM
add uap firmware versions

{{>toc}}

The Huawei UAP2105 is a UMTS femtocell.


h1. Support

This product has been discontinued by Huawei; see the product lifecycle announcements:

* "UAP2105":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105766-productlifecycleannouncement.htm (2011-12-20)
* "UAP2105C01":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105768-productlifecycleannouncement.htm (2011-12-20)
* "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105771-productlifecycleannouncement.htm (2011-12-20)
* [[V300R011]] (2011-12-30)
* [[V300R012]] (2012-06-19)


h1. Hardware


main board (QWG1SUAP VER C), front:
** CPU (ARM based + integrated UMTS base station baseband): [[SD6121RBC]]
** 1 Gbit DDR2 SDRAM: [[K4T1G164QE-HCE6]]
** 10/100 Base-T transformer: [[Wurth Electronics Midcom 7112-35-H]]
** 10/100 Base-T transceiver: [[BCM5241]]
** AND gate: [[74LCX08]]
** 3 V voltage monitor: [[MAX708S]]
** low dropout regulator: [[Texas Instruments TPS73701]]
** step-down DC-DC converter: [[Texas Instruments TPS54331]]

main board (QWG1SUAP VER C), back:
** 256 Mbit NOR flash: [[S29GL256N10TFI01]]
** 16-bit bus transceiver: [[LVT16245B]]
** ESD TVS diode array: [[SLVU28-4]]

radio board (QWG1SRM1 VER B):
** low dropout regulator: [[Texas Instruments TPS73701]]
** base station transmitter: [[MAX2599]]
** base station receiver: [[MAX2547]]
** GSM baseband: [[Texas Instruments T303IFZPH]]
** 16 Mbit CMOS flash: [[S29NS016J0LBJW00]]
** CPU?: Texas Instruments D6928BB


h2. connectors


debug connector (state is the logic level observed on each pin, "pulse" meaning it toggles; signal names followed by ? are unconfirmed guesses):
||= signal/state =||= pin =||= pin =||= signal/state =||
|| low || 1 || 2 || pulse ||
|| TX?/high || 3 || 4 || GND ||
|| RX?/high || 5 || 6 || low ||
|| low || 7 || 8 || low ||
|| TCK?/low || 9 || 10 || pulse ||
|| GND || 11 || 12 || GND ||
|| high || 13 || 14 || high ||
|| GND || 15 || 16 || GND ||
|| TDI?/high || 17 || 18 || pulse ||
|| TRST?/low || 19 || 20 || TDO?/low ||
|| high || 21 || 22 || TMS?/high ||
|| low || 23 || 24 || low ||
|| low || 25 || 26 || low ||
||||||||  DEBUG  ||

mode connector (a jumper shorts the signal pin to the adjacent GND pin to select the mode; state is the level observed on the signal pin):
||= state =||= pin =||= pin =||= signal =||= mode =||
|| high || 1 || 2 || GND || WDGEN ||
|| low || 3 || 4 || GND || BOOTMODE ||
|| high || 5 || 6 || GND || JTAGMODE0 ||
|| high || 7 || 8 || GND || JTAGMODE1 ||
|| high || 9 || 10 || GND || RUNMODE ||
||||||||||  MODE  ||


h2. UAP1


It was bought from the operator Vodafone Greece.
The board date is 1023.

{{thumbnail(femto1-case_front.jpg, size=200)}}
{{thumbnail(femto1-case_back-blur.jpg, size=200)}}
{{thumbnail(femto1-board_front-blur.jpg, size=200)}}
{{thumbnail(femto1-board_back-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_front-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_front-naked-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_back-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_back-naked-blur.jpg, size=200)}}



h2. UAP2


It was bought from the operator Vodafone Spain.
The board date is 1201.

This board has more shielding cans.

{{thumbnail(uap2-board_front-blur.jpg, size=200)}}
{{thumbnail(uap2-board_back-blur.jpg, size=200)}}
{{thumbnail(uap2-rf_front-blur.jpg, size=200)}}
{{thumbnail(uap2-rf_back-blur.jpg, size=200)}}

h1. Rooting


How to root this device and intercept communication was shown in August 2015 at Black Hat USA in the "Adventures in Femtoland: 350 Yuan for Invaluable Fun":https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun presentation ("video":https://www.youtube.com/watch?v=U-COwT7dwWg).

This issue has since been "fixed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-452865.htm by the vendor (Huawei PSIRT security advisory hw-452865).


h2. UAP1


firmware version: QWGM3SUAP4 V300R011C00 SPC173

debug port:
* UART not found on the pins described in the slides (all modes)
* no UART identified using a JTAGulator (all modes)
* JTAG not found on the pins described in the slides (all modes)
* no JTAG identified using a JTAGulator, with ID code and bypass scans (all modes)

boot process (all modes):
 1. red and blue LEDs on for 7 s
 1. ethernet link on
 1. red and blue LEDs on for 9 s
 1. ethernet link off
 1. red and blue LEDs on for 2 s
 1. ethernet link on
 1. red and blue LEDs on for 12 s
 1. red LED on for 23 s
 1. red and blue LEDs on for 2 s
 1. LEDs off for 0.1 s
 1. red and blue LEDs on for 5 s
 1. red LED on

network ports:
* the first time the link is on, only UDP port 17185 on the fixed IP 172.16.1.1 is open, i.e. the device answers nmap's UDP probe; the wdbrpc label (the port of the VxWorks WDB debug agent) comes from nmap's port table, as no version detection was run:
<pre>
sudo nmap -n -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:47 CET
Nmap scan report for 172.16.1.1
Host is up (0.0030s latency).
PORT      STATE  SERVICE VERSION
...
17185/udp open   wdbrpc?
</pre>
* the second time the link is on, all ports are closed or filtered:
<pre>
sudo nmap -n -A -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:53 CET
Nmap scan report for 172.16.1.1
Host is up (0.0019s latency).
PORT      STATE    SERVICE VERSION
21/tcp    closed   ftp
23/tcp    closed   telnet
80/tcp    filtered http
6000/tcp  filtered X11
6006/tcp  filtered X11:6
7547/tcp  filtered unknown
17185/tcp closed   unknown
</pre>


h2. UAP2


firmware version: QWGM3SUAP4 V300R011C02 SPC182

debug port:
* UART not found on the pins described in the slides (all modes)
* JTAG not found on the pins described in the slides (all modes)
* no JTAG identified using a JTAGulator ID code scan (all modes)

boot process (all modes):
 1. red and blue LEDs on for 7 s
 1. ethernet link on
 1. red and blue LEDs on for 14 s
 1. ethernet link off
 1. red and blue LEDs on for 2 s
 1. ethernet link on
 1. red and blue LEDs on for 1 s
 1. ethernet link off
 1. red and blue LEDs on for 2 s
 1. ethernet link on
 1. red and blue LEDs on for 8 s
 1. red and blue LEDs on for 25 s
 1. red and blue LEDs on for 2 s
 1. LEDs off for 0.5 s
 1. red and blue LEDs on for 3 s
 1. LEDs off for 2 s, then red and blue LEDs on for 2 s, repeated 6 times
 1. red LED on

network ports:
* the first time the link is on, no port on 172.16.1.1 is open (unlike UAP1, where UDP 17185/wdbrpc answered)
* the second time the link is on, only TCP port 80 is open, serving a GoAhead-Webs HTTP login page:
<pre>
Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-25 21:56 CET
Nmap scan report for 172.16.1.1
Host is up (0.0014s latency).
PORT      STATE    SERVICE VERSION
...
80/tcp    open     http    GoAhead-Webs httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
| http-title: User Login
|_Requested resource was http://172.16.1.1/index.htm
...
</pre>
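
Boot-window monitor (added example, not code from this page nor from the Black Hat research it cites): the UAP1 and UAP2 notes above show that which port answers depends on the boot phase (UDP 17185 during the first link-up on UAP1, TCP 80 during the second link-up on UAP2), and catching those windows by hand with repeated nmap runs is hit-and-miss. The script below probes UDP 17185 (VxWorks WDB agent, Sun RPC program 0x55555555) and TCP 80 once a second from power-on and logs every state change with a timestamp, using nmap's open/closed/filtered vocabulary. Assumptions not taken from the page: Linux socket behaviour (an ICMP port unreachable surfaces as ECONNREFUSED on a connected UDP socket), the target address 172.16.1.1, and SAMPLE_BOOT, which is constructed to resemble the UAP1 observations rather than captured from a device.

```python
import os
import socket
import struct
import sys
import time

TARGET = "172.16.1.1"                                        # address used on this page
WDB_PROG, WDB_VERS, WDB_TARGET_CONNECT = 0x55555555, 1, 1    # VxWorks WDB agent


def build_rpc_call(xid, prog, vers, proc, body=b""):
    """Sun RPC (RFC 5531) CALL header: xid, CALL(0), RPC v2, prog, vers, proc,
    then AUTH_NULL credentials and verifier (flavor 0, length 0 each)."""
    return struct.pack(">10I", xid, 0, 2, prog, vers, proc, 0, 0, 0, 0) + body


def parse_rpc_reply(xid, data):
    """Status of a Sun RPC REPLY to xid, or None if data is not one."""
    if len(data) < 12:
        return None
    rxid, msg_type, reply_stat = struct.unpack(">3I", data[:12])
    if rxid != xid or msg_type != 1:            # 1 = REPLY
        return None
    if reply_stat == 1:                          # MSG_DENIED
        return "denied"
    # MSG_ACCEPTED: opaque_auth verifier (flavor, length, padded body), accept_stat
    vlen = struct.unpack(">I", data[16:20])[0] if len(data) >= 20 else 0
    off = 20 + ((vlen + 3) & ~3)
    if len(data) < off + 4:
        return "accepted (truncated)"
    stat = struct.unpack(">I", data[off:off + 4])[0]
    names = {0: "success", 1: "prog_unavail", 2: "prog_mismatch",
             3: "proc_unavail", 4: "garbage_args", 5: "system_err"}
    return "accepted: " + names.get(stat, "status %d" % stat)


def probe_tcp(host, port, timeout=1.0):
    """nmap -sT semantics: open (handshake), closed (RST), filtered (silence)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:                          # timeout, ICMP unreachable, ...
            return "filtered"


def probe_udp(host, port, payload, timeout=1.0):
    """nmap -sU semantics: open (datagram back), closed (ICMP port unreachable,
    reported as ECONNREFUSED on a connected UDP socket), open|filtered (silence)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(payload)
            return "open", s.recv(4096)
        except ConnectionRefusedError:
            return "closed", b""
        except OSError:
            return "open|filtered", b""


def track_transitions(samples):
    """Collapse (t, {service: state}) samples into (t, service, old, new)
    events, one per state change; old is None at the first observation."""
    events, prev = [], {}
    for t, states in samples:
        for name, state in states.items():
            if prev.get(name) != state:
                events.append((round(t, 1), name, prev.get(name), state))
                prev[name] = state
    return events


def monitor(host=TARGET, duration=120.0, interval=1.0):
    """Probe UDP 17185 and TCP 80 every interval seconds; return the log."""
    xid = int.from_bytes(os.urandom(4), "big")
    # Bare RPC CALL without the WDB wrapper (checksum, size, sequence number):
    # it tells a listener from an ICMP unreachable but is not a valid
    # WDB_TARGET_CONNECT; substitute a captured valid request to get SUCCESS.
    call = build_rpc_call(xid, WDB_PROG, WDB_VERS, WDB_TARGET_CONNECT)
    t0, samples = time.monotonic(), []
    while time.monotonic() - t0 < duration:
        udp_state, reply = probe_udp(host, 17185, call)
        if reply:
            udp_state += " / " + (parse_rpc_reply(xid, reply) or "non-RPC reply")
        samples.append((time.monotonic() - t0,
                        {"udp/17185": udp_state, "tcp/80": probe_tcp(host, 80)}))
        time.sleep(interval)
    return track_transitions(samples)


# Constructed sample (not captured from a device) shaped like the UAP1 notes:
# the WDB port answers during the first link-up, everything is filtered later.
SAMPLE_BOOT = [
    (0.0, {"udp/17185": "open|filtered", "tcp/80": "filtered"}),
    (7.2, {"udp/17185": "open / accepted: success", "tcp/80": "filtered"}),
    (8.1, {"udp/17185": "open / accepted: success", "tcp/80": "filtered"}),
    (16.4, {"udp/17185": "open|filtered", "tcp/80": "filtered"}),
    (18.9, {"udp/17185": "closed", "tcp/80": "filtered"}),
]

if __name__ == "__main__":
    log = monitor() if len(sys.argv) > 1 else track_transitions(SAMPLE_BOOT)
    for t, name, old, new in log:
        print("t=%6.1fs %-10s %s -> %s" % (t, name, old, new))
```

Run it without arguments to replay the constructed sample offline, or with any argument while powering the device on to watch the real thing; line the transition log up with the LED/link timeline above to map each service to a boot stage. The bare RPC CALL sent to 17185 carries no WDB wrapper, so a silent agent shows up as open|filtered rather than open; a captured valid WDB_TARGET_CONNECT request, fed to build_rpc_call as body, turns it into a real liveness check.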