Version 20 (tsaitgaist, 02/19/2016 10:48 PM) → Version 21/25 (tsaitgaist, 02/19/2016 10:48 PM)

{{>toc}}
The Huawei UAP2105 is a UMTS femtocell.

h1. Support

This product has been "EOL/deprecated":http://www1.huawei.com/en/ProductsLifecycle/RadioAccessProducts/small-cell/hw-331134.htm; the lifecycle announcements are:
* "UAP2105":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105766-productlifecycleannouncement.htm (2011-12-20)
* "UAP2105C01":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105768-productlifecycleannouncement.htm (2011-12-20)
* "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105771-productlifecycleannouncement.htm (2011-12-20)
* "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-112035-productlifecycleannouncement.htm (2011-12-30)
* "UAP2105C01 V300R012":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-145907.htm (2012-06-19)

h1. Hardware

main board (QWG1SUAP VER C), front:
* CPU (ARM based + integrated UMTS base station baseband): "HiSilicon SD6121RBC":http://support.hisilicon.com/support/ServiceSupNav!getAllProductListByKeyword?mid=PRODUCT_SUPPORT&keyword=SD6121
* 1Gb DDR2 RAM: "Samsung K4T1G164QE-HCE6":http://www.samsung.com/global/business/semiconductor/file/2011/product/2010/1/19/130882ds_k4t1gxx4qe_industrial_rev13.pdf
* 10/100 Base-T transformer: "Wurth Electronics Midcom 7112-35-H":http://www.digchip.com/datasheets/download_datasheet.php?id=5503979&part-number=000-7112-35
* 10/100 Base-T transceiver: "Broadcom BCM5241":https://www.broadcom.com/collateral/pb/5241-PB01-R.pdf
* AND-gate: "Fairchild 74LCX08":https://www.fairchildsemi.com/datasheets/74/74LCX08.pdf
* 3V voltage monitor: "Maxim MAX708S":https://datasheets.maximintegrated.com/en/ds/MAX706AP-MAX708T.pdf
* low dropout regulator: "Texas Instruments TPS73701":http://www.ti.com/lit/gpn/TPS737
* step down DC-DC converter: "Texas Instruments TPS54331":http://www.ti.com/lit/ds/symlink/tps54331.pdf

main board (QWG1SUAP VER C), back:
* 256Mb NOR flash: "Spansion S29GL256N10TFI01":http://www.spansion.com/Support/Related%20Product%20Info/S29GL256N_overview.pdf
* 16-bit transceiver: "NXP LVT16245B":http://www.nxp.com/documents/data_sheet/74LVT_LVTH16245B.pdf
* ESD TVS diode array: "Semtech SLVU2.8-4":http://www.semtech.com/images/datasheet/slvu2.8-4.pdf

radio board (QWG1SRM1 VER B):
* low dropout regulator: "Texas Instruments TPS73701":http://www.ti.com/lit/gpn/TPS737
* base station transmitter: "Maxim MAX2599":https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2599.html
* base station receiver: "Maxim MAX2547":https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2547.html
* GSM baseband: "Texas Instruments T303IFZPH":http://read.pudn.com/downloads152/ebook/667710/t3031_Datasheet_V1.6.pdf
* 16Mb CMOS flash: "Spansion S29NS016J0LBJW00":https://www.spansion.com/Support/Obsolescence%20Notifications/2749.pdf
* CPU?: Texas Instruments D6928BB

h2. connectors

debug connector (signal names followed by "?" are guesses from the pin states, not confirmed):
|_. signal/state |_. pin |_. pin |_. signal/state |
| low | 1 | 2 | pulse |
| TX?/high | 3 | 4 | GND |
| RX?/high | 5 | 6 | low |
| low | 7 | 8 | low |
| TCK?/low | 9 | 10 | pulse |
| GND | 11 | 12 | GND |
| high | 13 | 14 | high |
| GND | 15 | 16 | GND |
| TDI?/high | 17 | 18 | pulse |
| TRST?/low | 19 | 20 | TDO?/low |
| high | 21 | 22 | TMS?/high |
| low | 23 | 24 | low |
| low | 25 | 26 | low |
|\4. DEBUG |

mode connector (use a jumper to pull the signal pin to GND and select the mode):
|_. state |_. pin |_. pin |_. signal |_. mode |
| high | 1 | 2 | GND | WDGEN |
| low | 3 | 4 | GND | BOOTMODE |
| high | 5 | 6 | GND | JTAGMODE0 |
| high | 7 | 8 | GND | JTAGMODE1 |
| high | 9 | 10 | GND | RUNMODE |
|\5. MODE |

h2. UAP1

This unit was bought from the operator Vodafone Greece.
The board date is 1023.

{{thumbnail(femto1-case_front.jpg, size=200)}}
{{thumbnail(femto1-case_back-blur.jpg, size=200)}}
{{thumbnail(femto1-board_front-blur.jpg, size=200)}}
{{thumbnail(femto1-board_back-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_front-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_front-naked-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_back-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_back-naked-blur.jpg, size=200)}}

h2. UAP2

This unit was bought from the operator Vodafone Spain.
The board date is 1201.

This board has more shielding cans.

{{thumbnail(uap2-board_front-blur.jpg, size=200)}}
{{thumbnail(uap2-board_back-blur.jpg, size=200)}}
{{thumbnail(uap2-rf_front-blur.jpg, size=200)}}
{{thumbnail(uap2-rf_back-blur.jpg, size=200)}}

h1. Rooting

How to root this device and intercept its communication was shown in August 2015 in the "Adventures in Femtoland: 350 Yuan for Invaluable Fun":https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun presentation ("slides":http://www.slideshare.net/arbitrarycode/adventures-in-femtoland-350-yuan-for-invaluable-fun, "video":https://www.youtube.com/watch?v=U-COwT7dwWg).

This issue has been "analyzed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-446728.htm and "fixed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-452865.htm by the vendor.

h2. UAP1

firmware version: QWGM3SUAP4 V300R011C00 SPC173

debug port:
* UART not found on the pins described in the slides (all modes)
* no UART identified using the JTAGulator (all modes)
* JTAG not found on the pins described in the slides (all modes)
* no JTAG identified using the JTAGulator, with both ID code and bypass scans (all modes)

boot process (all modes):
# red and blue LEDs on for 7 s
# ethernet link on
# red and blue LEDs on for 9 s
# ethernet link off
# red and blue LEDs on for 2 s
# ethernet link on
# red and blue LEDs on for 12 s
# red LED on for 23 s
# red and blue LEDs on for 2 s
# LEDs off for 0.1 s
# red and blue LEDs on for 5 s
# red LED on

network ports:

* the first time the link is on, only UDP port 17185 on the fixed IP 172.16.1.1 is open, apparently providing the wdbrpc service (the VxWorks WDB target debug agent):
<pre>
sudo nmap -n -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:47 CET
Nmap scan report for 172.16.1.1
Host is up (0.0030s latency).
PORT STATE SERVICE VERSION
...
17185/udp open wdbrpc?
</pre>
* the second time the link is on, all ports are blocked/filtered:
<pre>
sudo nmap -n -A -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:53 CET
Nmap scan report for 172.16.1.1
Host is up (0.0019s latency).
PORT STATE SERVICE VERSION
21/tcp closed ftp
23/tcp closed telnet
80/tcp filtered http
6000/tcp filtered X11
6006/tcp filtered X11:6
7547/tcp filtered unknown
17185/tcp closed unknown
</pre>

h2. UAP2

firmware version: QWGM3SUAP4 V300R011C02 SPC182

debug port:
* UART not found on the pins described in the slides (all modes)
* JTAG not found on the pins described in the slides (all modes)
* no JTAG identified using the JTAGulator, with an ID code scan (all modes)

boot process (all modes):
# red and blue LEDs on for 7 s
# ethernet link on
# red and blue LEDs on for 14 s
# ethernet link off
# red and blue LEDs on for 2 s
# ethernet link on
# red and blue LEDs on for 1 s
# ethernet link off
# red and blue LEDs on for 2 s
# ethernet link on
# red and blue LEDs on for 8 s
# red and blue LEDs on for 25 s
# red and blue LEDs on for 2 s
# LEDs off for 0.5 s
# red and blue LEDs on for 3 s
# 6x LEDs off for 2 s
# 6x red and blue LEDs on for 2 s
# red LED on

network ports:

* the first time the link is on, no ports are open on IP 172.16.1.1 (unlike UAP1, which exposed the wdbrpc service in this phase)
* the second time the link is on, only TCP port 80 is open and there is an HTTP service:
<pre>
Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-25 21:56 CET
Nmap scan report for 172.16.1.1
Host is up (0.0014s latency).
PORT STATE SERVICE VERSION
...
80/tcp open http GoAhead-Webs httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
| http-title: User Login
|_Requested resource was http://172.16.1.1/index.htm
...
</pre>
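As an added defender's check over the scans above (example code, not part of the original page): it parses the nmap port lines from both UAP1 link-up phases and the UAP2 scan, embedded here as constructed samples, and reports any boot phase in which a debug or remote-management service is actually reachable. The watch list of ports is my own assumption, not something the page states.

```python
import re
from collections import defaultdict

# Constructed samples: the port lines from the nmap runs on this page, one per
# "link on" phase of the boot (copied from the scans above, not live output).
SCANS = {
    "UAP1 link up #1": "17185/udp open wdbrpc?",
    "UAP1 link up #2": """21/tcp closed ftp
23/tcp closed telnet
80/tcp filtered http
6000/tcp filtered X11
6006/tcp filtered X11:6
7547/tcp filtered unknown
17185/tcp closed unknown""",
    "UAP2 link up #2": "80/tcp open http GoAhead-Webs httpd",
}

# nmap normal-output port line: "<port>/<proto> <state> <service> [<version>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumed watch list of services a deployed femtocell should not expose on its
# management address: 17185/udp is the VxWorks WDB target debug agent (what
# nmap labels "wdbrpc"), 7547/tcp is TR-069 CWMP.
RISKY = {("udp", 17185): "VxWorks WDB debug agent (wdbrpc)",
         ("tcp", 7547): "TR-069 CWMP"}

def parse_ports(text):
    """Return (port, proto, state, service, version) tuples from nmap output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            # nmap appends '?' when the service guess is unconfirmed; strip it
            ports.append((int(port), proto, state, service.rstrip("?"), version or ""))
    return ports

def open_ports(text):
    """Only ports nmap reports as open; closed/filtered ones are not reachable."""
    return [(p, proto) for p, proto, state, _, _ in parse_ports(text) if state == "open"]

def findings(scans):
    """Map each boot phase to the watch-listed services that are open in it."""
    result = defaultdict(list)
    for phase, text in scans.items():
        for port, proto in open_ports(text):
            if (proto, port) in RISKY:
                result[phase].append(RISKY[(proto, port)])
    return dict(result)
```

Running `findings(SCANS)` flags only the first UAP1 link-up phase, which matches the observation above that the debug agent is reachable during early boot and gone once the device finishes starting.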