Uap2105 » History » Revision 21
Revision 20 (tsaitgaist, 02/19/2016 10:48 PM) → Revision 21/26 (tsaitgaist, 02/19/2016 10:48 PM)
{{>toc}}

The Huawei UAP2105 is a UMTS femtocell.

h1. Support

This product has been "EOL/deprecated":http://www1.huawei.com/en/ProductsLifecycle/RadioAccessProducts/small-cell/hw-331134.htm:

* "UAP2105":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105766-productlifecycleannouncement.htm (2011-12-20)
* "UAP2105C01":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105768-productlifecycleannouncement.htm (2011-12-20)
* "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105771-productlifecycleannouncement.htm (2011-12-20)
* "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-112035-productlifecycleannouncement.htm (2011-12-30)
* "UAP2105C01 V300R012":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-145907.htm (2012-06-19)
h1. Hardware

main board (QWG1SUAP VER C), front:

* CPU (ARM based + integrated UMTS base station baseband): "HiSilicon SD6121RBC":http://support.hisilicon.com/support/ServiceSupNav!getAllProductListByKeyword?mid=PRODUCT_SUPPORT&keyword=SD6121
* 1Gb DDR2 RAM: "Samsung K4T1G164QE-HCE6":http://www.samsung.com/global/business/semiconductor/file/2011/product/2010/1/19/130882ds_k4t1gxx4qe_industrial_rev13.pdf
* 10/100 Base-T transformer: "Wurth Electronics Midcom 7112-35-H":http://www.digchip.com/datasheets/download_datasheet.php?id=5503979&part-number=000-7112-35
* 10/100 Base-T transceiver: "Broadcom BCM5241":https://www.broadcom.com/collateral/pb/5241-PB01-R.pdf
* AND-gate: "Fairchild 74LCX08":https://www.fairchildsemi.com/datasheets/74/74LCX08.pdf
* 3V voltage monitor: "Maxim MAX708S":https://datasheets.maximintegrated.com/en/ds/MAX706AP-MAX708T.pdf
* low dropout regulator: "Texas Instruments TPS73701":http://www.ti.com/lit/gpn/TPS737
* step down DC-DC converter: "Texas Instruments TPS54331":http://www.ti.com/lit/ds/symlink/tps54331.pdf

main board (QWG1SUAP VER C), back:

* 256Mb NOR flash: "Spansion S29GL256N10TFI01":http://www.spansion.com/Support/Related%20Product%20Info/S29GL256N_overview.pdf
* 16-bit transceiver: "NXP LVT16245B":http://www.nxp.com/documents/data_sheet/74LVT_LVTH16245B.pdf
* EPD TVS diode array: "Semtech SLVU2.8-4":http://www.semtech.com/images/datasheet/slvu2.8-4.pdf

radio board (QWG1SRM1 VER B):

* low dropout regulator: "Texas Instruments TPS73701":http://www.ti.com/lit/gpn/TPS737
* base station transmitter: "Maxim MAX2599":https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2599.html
* base station receiver: "Maxim MAX2547":https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2547.html
* GSM baseband: "Texas Instruments T303IFZPH":http://read.pudn.com/downloads152/ebook/667710/t3031_Datasheet_V1.6.pdf
* 16Mb CMOS flash: "Spansion S29NS016J0LBJW00":https://www.spansion.com/Support/Obsolescence%20Notifications/2749.pdf
* CPU?: Texas Instruments D6928BB

h2. connectors

debug connector:

|_. signal/state |_. pin |_. pin |_. signal/state |
| low | 1 | 2 | pulse |
| TX?/high | 3 | 4 | GND |
| RX?/high | 5 | 6 | low |
| low | 7 | 8 | low |
| TCK?/low | 9 | 10 | pulse |
| GND | 11 | 12 | GND |
| high | 13 | 14 | high |
| GND | 15 | 16 | GND |
| TDI?/high | 17 | 18 | pulse |
| TRST?/low | 19 | 20 | TDO?/low |
| high | 21 | 22 | TMS?/high |
| low | 23 | 24 | low |
| low | 25 | 26 | low |
|\4. DEBUG |

mode connector (use a jumper to select):

|_. state |_. pin |_. pin |_. signal |_. mode |
| high | 1 | 2 | GND | WDGEN |
| low | 3 | 4 | GND | BOOTMODE |
| high | 5 | 6 | GND | JTAGMODE0 |
| high | 7 | 8 | GND | JTAGMODE1 |
| high | 9 | 10 | GND | RUNMODE |
|\5. MODE |

h2. UAP1

The operator it was bought from is Vodafone Greece. The board date is 1023.
{{thumbnail(femto1-case_front.jpg, size=200)}}
{{thumbnail(femto1-case_back-blur.jpg, size=200)}}
{{thumbnail(femto1-board_front-blur.jpg, size=200)}}
{{thumbnail(femto1-board_back-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_front-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_front-naked-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_back-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_back-naked-blur.jpg, size=200)}}

h2. UAP2

The operator it was bought from is Vodafone Spain. The board date is 1201. This board has more shielding cans.

{{thumbnail(uap2-board_front-blur.jpg, size=200)}}
{{thumbnail(uap2-board_back-blur.jpg, size=200)}}
{{thumbnail(uap2-rf_front-blur.jpg, size=200)}}
{{thumbnail(uap2-rf_back-blur.jpg, size=200)}}

h1. Rooting

How to root this device and intercept its communication was shown in August 2015 in the "Adventures in Femtoland: 350 Yuan for Invaluable Fun":https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun presentation ("slides":http://www.slideshare.net/arbitrarycode/adventures-in-femtoland-350-yuan-for-invaluable-fun, "video":https://www.youtube.com/watch?v=U-COwT7dwWg).
This issue has been "analyzed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-446728.htm and "fixed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-452865.htm by the vendor.

h2. UAP1

firmware version: QWGM3SUAP4 V300R011C00 SPC173

debug port:

* UART not found on the pins described in the slides (all modes)
* no UART identified using JTAGulator (all modes)
* JTAG not found on the pins described in the slides (all modes)
* no JTAG identified using JTAGulator, using ID code and bypass scans (all modes)

boot process (all modes):

# red and blue LEDs on for 7 s
# ethernet link on
# red and blue LEDs on for 9 s
# ethernet link off
# red and blue LEDs on for 2 s
# ethernet link on
# red and blue LEDs on for 12 s
# red LED on for 23 s
# red and blue LEDs on for 2 s
# LEDs off for 0.1 s
# red and blue LEDs on for 5 s
# red LED on

network ports:

* the first time the link is on, only UDP port 17185 on the fixed IP 172.16.1.1 is open, apparently providing the wdbrpc service:

<pre>
sudo nmap -n -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:47 CET
Nmap scan report for 172.16.1.1
Host is up (0.0030s latency).
PORT      STATE    SERVICE VERSION
...
17185/udp open     wdbrpc?
</pre>

* the second time the link is on, all ports are blocked/filtered:

<pre>
sudo nmap -n -A -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:53 CET
Nmap scan report for 172.16.1.1
Host is up (0.0019s latency).
PORT      STATE    SERVICE VERSION
21/tcp    closed   ftp
23/tcp    closed   telnet
80/tcp    filtered http
6000/tcp  filtered X11
6006/tcp  filtered X11:6
7547/tcp  filtered unknown
17185/tcp closed   unknown
</pre>

h2. UAP2

firmware version: QWGM3SUAP4 V300R011C02 SPC182

debug port:

* UART not found on the pins described in the slides (all modes)
* JTAG not found on the pins described in the slides (all modes)
* no JTAG identified using JTAGulator, using ID code scan (all modes)

boot process (all modes):

# red and blue LEDs on for 7 s
# ethernet link on
# red and blue LEDs on for 14 s
# ethernet link off
# red and blue LEDs on for 2 s
# ethernet link on
# red and blue LEDs on for 1 s
# ethernet link off
# red and blue LEDs on for 2 s
# ethernet link on
# red and blue LEDs on for 8 s
# red and blue LEDs on for 25 s
# red and blue LEDs on for 2 s
# LEDs off for 0.5 s
# red and blue LEDs on for 3 s
# 6x LEDs off for 2 s
# 6x red and blue LEDs on for 2 s
# red LED on

network ports:

* the first time the link is on, no ports are open on IP 172.16.1.1 (unlike UAP1, which exposes the wdbrpc service at this point)
* the second time the link is on, only TCP port 80 is open and there is an HTTP service:

<pre>
Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-25 21:56 CET
Nmap scan report for 172.16.1.1
Host is up (0.0014s latency).
PORT   STATE SERVICE VERSION
...
80/tcp open  http    GoAhead-Webs httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
| http-title: User Login
|_Requested resource was http://172.16.1.1/index.htm
...
</pre>
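The scans above for UAP1 and UAP2 are worth reading as a configuration review of the femtocell's LAN side rather than as raw port lists: UDP 17185 is the VxWorks WDB remote debug agent (wdbrpc), which requires no authentication, so a unit that exposes it during early boot is a finding even though it disappears a few seconds later. The following Python script is an added example, not tooling from this page or from the talk it cites: it parses nmap normal-output port lines, keeps "open|filtered" UDP results as possible exposures, notes when nmap's service name was only a guess (the trailing "?"), and turns the open ports into review findings. The port lines in the samples are copied from the scans recorded on this page; the "open|filtered" sample in the usage, the helper names (parse_nmap, open_ports, assess) and the risk descriptions are this example's own.

```python
"""Parse nmap normal-output port lines and flag exposed debug/management services.

Added example for this page (not the page's own tooling). The sample port lines
are copied from the UAP1/UAP2 scans recorded above; the helper names and the
risk descriptions are this example's own.
"""
import re
from dataclasses import dataclass

# One nmap port line, e.g. "80/tcp open  http    GoAhead-Webs httpd".
# UDP scans also yield "open|filtered"; that is a possible exposure and is kept.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*?))?\s*$"
)


@dataclass(frozen=True)
class PortResult:
    port: int
    proto: str
    state: str
    service: str     # nmap service name with the trailing '?' removed
    confirmed: bool  # False when nmap printed 'service?' (unconfirmed guess)
    version: str     # version column, empty when nmap printed none


def parse_nmap(text: str) -> list[PortResult]:
    """Extract the port table from nmap normal output; other lines are ignored."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, "..." elision, NSE script output, host lines
        service = m.group("service")
        results.append(PortResult(
            port=int(m.group("port")),
            proto=m.group("proto"),
            state=m.group("state"),
            service=service.rstrip("?"),
            confirmed=not service.endswith("?"),
            version=m.group("version") or "",
        ))
    return results


def open_ports(results: list[PortResult]) -> list[PortResult]:
    """Open and open|filtered results; closed/filtered ports are not exposures."""
    return [r for r in results if r.state.startswith("open")]


# Services whose exposure on a femtocell's LAN side is a review finding.
# The wdbrpc entry matches what this page observed on UAP1; the rest are the
# usual CPE management services that the page's scans probe for.
RISKY = {
    ("udp", 17185): "VxWorks WDB remote debug agent, unauthenticated memory and task access",
    ("tcp", 23): "telnet, cleartext management login",
    ("tcp", 21): "ftp, cleartext file transfer",
    ("tcp", 80): "web management interface reachable without TLS",
    ("tcp", 7547): "TR-069/CWMP endpoint, remote management by the operator ACS",
}


def assess(results: list[PortResult]) -> list[str]:
    """One finding line per open port, with the reason it matters."""
    findings = []
    for r in open_ports(results):
        reason = RISKY.get((r.proto, r.port), "unexpected open port, identify the service")
        guess = "" if r.confirmed else " (service identification is a guess)"
        findings.append(f"{r.port}/{r.proto} {r.state} {r.service}{guess}: {reason}")
    return findings


# Sample scans: port lines copied from the UAP1 and UAP2 scans on this page.
UAP1_FIRST_LINK = """\
PORT      STATE    SERVICE VERSION
...
17185/udp open     wdbrpc?
"""
UAP1_SECOND_LINK = """\
21/tcp    closed   ftp
23/tcp    closed   telnet
80/tcp    filtered http
6000/tcp  filtered X11
6006/tcp  filtered X11:6
7547/tcp  filtered unknown
17185/tcp closed   unknown
"""
UAP2_SECOND_LINK = """\
80/tcp open  http    GoAhead-Webs httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
| http-title: User Login
"""

if __name__ == "__main__":
    for label, scan in [("UAP1, first link up", UAP1_FIRST_LINK),
                        ("UAP1, second link up", UAP1_SECOND_LINK),
                        ("UAP2, second link up", UAP2_SECOND_LINK)]:
        print(label)
        for finding in assess(parse_nmap(scan)) or ["  no open ports"]:
            print(" ", finding)
```

Run against the page's own output the script reports exactly one finding per unit: the unconfirmed wdbrpc agent for UAP1 in its first boot phase and the GoAhead web interface for UAP2 in its second, and nothing for the UAP1 second phase where everything is closed or filtered. A constructed line such as "17185/udp open|filtered wdbrpc" is also kept as a finding, because a UDP port that does not answer cannot be assumed closed.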