Uap2105, version 21 (tsaitgaist, 02/19/2016 10:48 PM): add uap firmware versions

{{>toc}}

The Huawei UAP2105 is a UMTS femtocell.


h1. Support

Huawei has published product lifecycle announcements for this product and its software releases:

* "UAP2105":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105766-productlifecycleannouncement.htm (2011-12-20)
* "UAP2105C01":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105768-productlifecycleannouncement.htm (2011-12-20)
* "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105771-productlifecycleannouncement.htm (2011-12-30)
* V300R012 (2012-06-19)

h1. Hardware

* main board (QWG1SUAP VER C), front:
** CPU (ARM based, with integrated UMTS base station baseband): [[SD6121RBC]]
** 1 Gbit DDR2 SDRAM: [[K4T1G164QE-HCE6]]
** 10/100Base-T magnetics (transformer): [[Wurth Electronics Midcom 7112-35-H]]
** 10/100Base-T Ethernet transceiver (PHY): [[BCM5241]]
** quad 2-input AND gate: [[74LCX08]]
** 3 V supply voltage monitor (reset supervisor): [[MAX708S]]
** low dropout regulator: [[Texas Instruments TPS73701]]
** step-down DC-DC converter: [[Texas Instruments TPS54331]]
* main board (QWG1SUAP VER C), back:
** 256 Mbit NOR flash: [[S29GL256N10TFI01]]
** 16-bit bus transceiver: [[LVT16245B]]
** ESD/TVS diode array: [[SLVU28-4]]
* radio board (QWG1SRM1 VER B):
** low dropout regulator: [[Texas Instruments TPS73701]]
** base station transmitter: [[MAX2599]]
** base station receiver: [[MAX2547]]
** GSM baseband: [[Texas Instruments T303IFZPH]]
** 16 Mbit CMOS flash: [[S29NS016J0LBJW00]]
** CPU?: Texas Instruments D6928BB

With no live UART or JTAG found on either unit (see Rooting), the 256 Mbit parallel NOR flash on the main board, which presumably holds the main firmware, is the most direct remaining read-out point.

h2. connectors

Signal names with a question mark are unconfirmed guesses (TX?/RX? for a UART, TCK?/TMS?/TDI?/TDO?/TRST? for JTAG); the state (high/low/pulse) is the level observed on the pin.

debug connector (silkscreen label DEBUG):
||= signal/state =||= pin =||= pin =||= signal/state =||
|| low || 1 || 2 || pulse ||
|| TX?/high || 3 || 4 || GND ||
|| RX?/high || 5 || 6 || low ||
|| low || 7 || 8 || low ||
|| TCK?/low || 9 || 10 || pulse ||
|| GND || 11 || 12 || GND ||
|| high || 13 || 14 || high ||
|| GND || 15 || 16 || GND ||
|| TDI?/high || 17 || 18 || pulse ||
|| TRST?/low || 19 || 20 || TDO?/low ||
|| high || 21 || 22 || TMS?/high ||
|| low || 23 || 24 || low ||
|| low || 25 || 26 || low ||

mode connector (silkscreen label MODE; each odd pin carries a mode signal, the even pin next to it is GND, so a jumper pulls that signal low; the state column is the default level without a jumper):
||= state =||= pin =||= pin =||= signal =||= mode =||
|| high || 1 || 2 || GND || WDGEN ||
|| low || 3 || 4 || GND || BOOTMODE ||
|| high || 5 || 6 || GND || JTAGMODE0 ||
|| high || 7 || 8 || GND || JTAGMODE1 ||
|| high || 9 || 10 || GND || RUNMODE ||

"All modes" in the Rooting section below means the probes were repeated for each of these jumper settings.

h2. UAP1

Bought from operator Vodafone Greece. Board date code: 1023.

{{thumbnail(femto1-case_front.jpg, size=200)}}
{{thumbnail(femto1-case_back-blur.jpg, size=200)}}
{{thumbnail(femto1-board_front-blur.jpg, size=200)}}
{{thumbnail(femto1-board_back-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_front-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_front-naked-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_back-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_back-naked-blur.jpg, size=200)}}


h2. UAP2

Bought from operator Vodafone Spain. Board date code: 1201.

This board has more shielding cans than UAP1.

{{thumbnail(uap2-board_front-blur.jpg, size=200)}}
{{thumbnail(uap2-board_back-blur.jpg, size=200)}}
{{thumbnail(uap2-rf_front-blur.jpg, size=200)}}
{{thumbnail(uap2-rf_back-blur.jpg, size=200)}}

h1. Rooting

How to root this device and intercept its communication was shown in August 2015 at Black Hat USA in the "Adventures in Femtoland: 350 Yuan for Invaluable Fun":https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun presentation ("video":https://www.youtube.com/watch?v=U-COwT7dwWg).

This issue has been acknowledged and "fixed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-452865.htm by the vendor (Huawei PSIRT advisory hw-452865). The debug interfaces described in the slides were not found on either of the two units examined below.


h2. UAP1

firmware version: QWGM3SUAP4 V300R011C00 SPC173

debug port:
* UART not found on the pins described in the slides (all modes)
* no UART identified using JTAGulator (all modes)
* JTAG not found on the pins described in the slides (all modes)
* no JTAG identified using JTAGulator, using IDCODE and BYPASS scans (all modes)

boot process (all modes):
# red and blue LEDs on for 7 s
# ethernet link on
# red and blue LEDs on for 9 s
# ethernet link off
# red and blue LEDs on for 2 s
# ethernet link on
# red and blue LEDs on for 12 s
# red LED on for 23 s
# red and blue LEDs on for 2 s
# LEDs off for 0.1 s
# red and blue LEDs on for 5 s
# red LED on

network ports (the device uses the fixed IP 172.16.1.1):
* the first time the link is up, only UDP port 17185 is open, apparently the VxWorks WDB debug agent (wdbrpc). The trailing "?" in the nmap output means the service was not confirmed; @nmap -sU -p 17185 --script wdb-version 172.16.1.1@ or Metasploit's auxiliary/scanner/vxworks/wdbrpc_version can confirm it, but only while this first window is open:
<pre>
sudo nmap -n -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:47 CET
Nmap scan report for 172.16.1.1
Host is up (0.0030s latency).
PORT      STATE STATE SERVICE VERSION
...
17185/udp open        wdbrpc?
</pre>
* the second time the link is up, every probed port is closed (RST received) or filtered (no answer):
<pre>
sudo nmap -n -A -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:53 CET
Nmap scan report for 172.16.1.1
Host is up (0.0019s latency).
PORT      STATE    SERVICE VERSION
21/tcp    closed   ftp
23/tcp    closed   telnet
80/tcp    filtered http
6000/tcp  filtered X11
6006/tcp  filtered X11:6
7547/tcp  filtered unknown
17185/tcp closed   unknown
</pre>
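The port only answers during the first link-up window of the boot sequence above, so a practitioner wants a probe that can be fired repeatedly inside that window and that tells an RPC responder apart from silence. The block below is an added example, not code from this page, from nmap or from Metasploit: it builds the ONC RPC (RFC 5531) call envelope for the WDB program number 0x55555555 and decodes the reply header. The WDB agent's own procedure set and its checksummed wrapper (what @wdb-version@ and @wdbrpc_version@ speak) are not reproduced; calling procedure 0, the RPC NULL procedure, is an assumption about what the agent will answer. Any reply that carries our XID, including PROC_UNAVAIL or PROG_MISMATCH, still confirms an ONC RPC responder on the port. The host, port and the sample replies used for offline testing (@make_reply@) are constructed.

```python
import os
import socket
import struct
import time

WDB_PROG, WDB_VERS = 0x55555555, 1        # VxWorks WDB agent: RPC program number and version
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, MSG_DENIED = 0, 1
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}
REJECT_STAT = {0: "RPC_MISMATCH", 1: "AUTH_ERROR"}


def build_rpc_call(xid, prog, vers, proc, args=b""):
    """RFC 5531 call message: header, AUTH_NONE credentials and verifier, then args."""
    header = struct.pack(">6I", xid, MSG_CALL, 2, prog, vers, proc)
    auth = struct.pack(">4I", 0, 0, 0, 0)   # cred flavor/len, verf flavor/len
    return header + auth + args


def parse_rpc_reply(data, expect_xid):
    """Decode a reply header; returns the status and, on SUCCESS, the result bytes."""
    if len(data) < 12:
        raise ValueError("short RPC reply")
    xid, mtype, stat = struct.unpack(">3I", data[:12])
    if xid != expect_xid:
        raise ValueError("xid mismatch: not a reply to our call")
    if mtype != MSG_REPLY:
        raise ValueError("not an RPC reply")
    if stat == MSG_DENIED:
        reject = struct.unpack(">I", data[12:16])[0]
        return {"status": "DENIED", "detail": REJECT_STAT.get(reject, str(reject))}
    # accepted: opaque verifier (flavor, length, body padded to 4 bytes), then accept_stat
    flavor, vlen = struct.unpack(">2I", data[12:20])
    off = 20 + ((vlen + 3) & ~3)
    astat = struct.unpack(">I", data[off:off + 4])[0]
    reply = {"status": ACCEPT_STAT.get(astat, str(astat)), "verf_flavor": flavor}
    if astat == 2:                            # PROG_MISMATCH reports the versions served
        reply["versions"] = struct.unpack(">2I", data[off + 4:off + 12])
    elif astat == 0:
        reply["result"] = data[off + 4:]
    return reply


def probe(host="172.16.1.1", port=17185, proc=0, timeout=2.0):
    """One call to the (assumed) WDB program; None on timeout (filtered or agent not up)."""
    xid = struct.unpack(">I", os.urandom(4))[0]
    pkt = build_rpc_call(xid, WDB_PROG, WDB_VERS, proc)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_rpc_reply(data, xid)


def probe_window(host="172.16.1.1", seconds=30, interval=0.5):
    """Poll through a boot window (the port was only open briefly); first reply wins."""
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        reply = probe(host, timeout=interval)
        if reply is not None:
            return reply
    return None


def make_reply(xid, accept_stat, result=b""):
    """Constructed accepted reply with an AUTH_NONE verifier, for offline testing."""
    return struct.pack(">6I", xid, MSG_REPLY, MSG_ACCEPTED, 0, 0, accept_stat) + result
```

Start @probe_window()@ just before the first link-up phase of the boot sequence; a non-None result with status SUCCESS or PROC_UNAVAIL means an RPC responder is listening, and PROG_UNAVAIL means the port answers RPC but is not the WDB program.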

h2. UAP2

firmware version: QWGM3SUAP4 V300R011C02 SPC182

debug port:
* UART not found on the pins described in the slides (all modes)
* JTAG not found on the pins described in the slides (all modes)
* no JTAG identified using JTAGulator, using the IDCODE scan (all modes)
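The IDCODE and BYPASS scans named in the debug port results for UAP1 and UAP2 are what a JTAGulator runs across every permutation of candidate pins. The block below is an added example, not code from this page or from the JTAGulator project: it implements both scans against a simulated IEEE 1149.1 TAP so the logic can be read and run offline. Everything about the target is constructed: the TAP, its IDCODE (0x1B2C3D4F) and the wiring, which uses the question-marked pins of the debug connector table (TCK 9, TMS 22, TDI 17, TDO 20) purely as an assumption, not as a confirmed pinout.

```python
from itertools import permutations

# IEEE 1149.1 TAP controller: NEXT[state] = (state after TMS=0, state after TMS=1)
NEXT = {
    "TLR": ("RTI", "TLR"), "RTI": ("RTI", "SelDR"), "SelDR": ("CapDR", "SelIR"),
    "CapDR": ("ShDR", "Ex1DR"), "ShDR": ("ShDR", "Ex1DR"), "Ex1DR": ("PauDR", "UpDR"),
    "PauDR": ("PauDR", "Ex2DR"), "Ex2DR": ("ShDR", "UpDR"), "UpDR": ("RTI", "SelDR"),
    "SelIR": ("CapIR", "TLR"), "CapIR": ("ShIR", "Ex1IR"), "ShIR": ("ShIR", "Ex1IR"),
    "Ex1IR": ("PauIR", "UpIR"), "PauIR": ("PauIR", "Ex2IR"), "Ex2IR": ("ShIR", "UpIR"),
    "UpIR": ("RTI", "SelDR"),
}

class SimTap:
    """Constructed target: one TAP with a 4-bit IR. Reset selects IDCODE, all-ones selects BYPASS."""
    IR_LEN, IR_BYPASS = 4, 0b1111

    def __init__(self, idcode):
        self.idcode, self.state, self.ir = idcode, "TLR", 0
        self.dr, self.dr_len, self.ir_sr = 0, 32, 0

    def tdo(self):  # TDO is tri-stated outside the shift states; read as pulled up
        return {"ShDR": self.dr & 1, "ShIR": self.ir_sr & 1}.get(self.state, 1)

    def clock(self, tms, tdi):
        """Rising TCK edge: shift if in a shift state, then advance the controller."""
        if self.state == "ShDR":
            self.dr = (self.dr >> 1) | (tdi << (self.dr_len - 1))
        elif self.state == "ShIR":
            self.ir_sr = (self.ir_sr >> 1) | (tdi << (self.IR_LEN - 1))
        self.state = NEXT[self.state][tms]
        if self.state == "TLR":
            self.ir = 0                        # reset: IDCODE instruction (opcode 0 here)
        elif self.state == "CapIR":
            self.ir_sr = 0b0001                # 1149.1: IR capture value ends in 01
        elif self.state == "UpIR":
            self.ir = self.ir_sr
        elif self.state == "CapDR":            # BYPASS captures a single 0, IDCODE its code
            self.dr_len = 1 if self.ir == self.IR_BYPASS else 32
            self.dr = 0 if self.ir == self.IR_BYPASS else self.idcode

class Harness:
    """nchan probe channels; four are wired to the TAP, all others float and read as 1."""
    def __init__(self, tap, wiring, nchan):
        self.tap, self.w, self.level = tap, wiring, [1] * nchan

    def drive(self, ch, v):
        old, self.level[ch] = self.level[ch], v
        if ch == self.w["TCK"] and old == 0 and v == 1:      # rising edge on the real TCK
            self.tap.clock(self.level[self.w["TMS"]], self.level[self.w["TDI"]])

    def read(self, ch):
        return self.tap.tdo() if ch == self.w["TDO"] else self.level[ch]

def clock(h, p, tms, tdi):
    """Set candidate TMS/TDI, sample candidate TDO, then pulse candidate TCK."""
    h.drive(p["TMS"], tms)
    h.drive(p["TDI"], tdi)
    out = h.read(p["TDO"])
    h.drive(p["TCK"], 0)
    h.drive(p["TCK"], 1)
    return out

def walk(h, p, tms_seq):
    for tms in tms_seq:          # TMS sequence with TDI held low
        clock(h, p, tms, 0)

def shift_bits(h, p, bits, n):
    """Shift n bits LSB first through the current shift state; return what TDO showed."""
    out = 0
    for i in range(n):
        out |= clock(h, p, 0, (bits >> i) & 1) << i
    return out

def idcode_scan(h, p):
    """5x TMS=1 reaches Test-Logic-Reset from any state; then RTI, Select-DR, Capture-DR, Shift-DR."""
    walk(h, p, (1, 1, 1, 1, 1, 0, 1, 0, 0))
    code = shift_bits(h, p, 0, 32)
    return code if code & 1 and code != 0xFFFFFFFF else None   # 1149.1: IDCODE bit 0 is 1

def bypass_scan(h, p, pattern=0xA5C3E17D):
    """All-ones IR puts every device in BYPASS; a pattern then reappears on TDO one bit late per device."""
    walk(h, p, (1, 1, 1, 1, 1, 0, 1, 1, 0, 0))   # reset, RTI, Sel-DR, Sel-IR, Cap-IR, Shift-IR
    shift_bits(h, p, 0x7FFFFFFF, 31)             # 31 ones with TMS=0 ...
    clock(h, p, 1, 1)                            # ... and the 32nd with TMS=1 -> Exit1-IR
    walk(h, p, (1, 1, 0, 0))                     # Update-IR, Sel-DR, Cap-DR, Shift-DR
    seen = shift_bits(h, p, pattern, 64)         # pattern followed by zeros
    for delay in range(1, 33):
        if (seen >> delay) & 0xFFFFFFFF == pattern:
            return delay                         # number of devices in the chain
    return None

def find_tap(h, candidates):
    """IDCODE hits fix TCK/TMS/TDO but not TDI (IDCODE ignores TDI); BYPASS then pins TDI down."""
    idcode_hits, confirmed = [], []
    for tck, tms, tdi, tdo in permutations(candidates, 4):
        p = {"TCK": tck, "TMS": tms, "TDI": tdi, "TDO": tdo}
        code = idcode_scan(h, p)
        if code is None:
            continue
        idcode_hits.append((p, code))
        if bypass_scan(h, p) is not None:
            confirmed.append((p, code))
    return idcode_hits, confirmed
```

Run it with @Harness(SimTap(0x1B2C3D4F), {"TCK": 9, "TMS": 22, "TDI": 17, "TDO": 20}, 27)@ and the candidate channels @[3, 5, 9, 17, 19, 20, 22]@: the IDCODE scan returns four hits that differ only in TDI, and the BYPASS scan leaves exactly one. On the real board a scan that finds nothing, as reported here, means no candidate set of pins ever produced a valid IDCODE (bit 0 set, not all ones) or a delayed pattern, which is consistent with the TAP being disabled or not routed to the connector.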

boot process (all modes):
# red and blue LEDs on for 7 s
# ethernet link on
# red and blue LEDs on for 14 s
# ethernet link off
# red and blue LEDs on for 2 s
# ethernet link on
# red and blue LEDs on for 1 s
# ethernet link off
# red and blue LEDs on for 2 s
# ethernet link on
# red and blue LEDs on for 8 s
# red and blue LEDs on for 25 s
# red and blue LEDs on for 2 s
# LEDs off for 0.5 s
# red and blue LEDs on for 3 s
# 6 times: LEDs off for 2 s, then red and blue LEDs on for 2 s
# red LED on

network ports:
* the first time the link is up, no ports are open on 172.16.1.1 (unlike UAP1, where the wdbrpc service was reachable in this window)
* the second time the link is up, only TCP port 80 is open, serving a GoAhead web server with a login page:
<pre>
Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-25 21:56 CET
Nmap scan report for 172.16.1.1
Host is up (0.0014s latency).
PORT   STATE SERVICE VERSION
...
80/tcp open  http    GoAhead-Webs httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
| http-title: User Login
|_Requested resource was http://172.16.1.1/index.htm
...
</pre>