Version 21 (tsaitgaist, 02/19/2016 10:48 PM) → Version 22/25 (tsaitgaist, 02/24/2016 10:44 PM)

{{>toc}}


The Huawei UAP2105 is a UMTS femtocell.



h1. Support



This product has been "EOL/deprecated":http://www1.huawei.com/en/ProductsLifecycle/RadioAccessProducts/small-cell/hw-331134.htm:
* "UAP2105":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105766-productlifecycleannouncement.htm (2011-12-20)
* "UAP2105C01":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105768-productlifecycleannouncement.htm (2011-12-20)
* "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105771-productlifecycleannouncement.htm (2011-12-20)
* "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-112035-productlifecycleannouncement.htm (2011-12-30)
* "UAP2105C01 V300R012":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-145907.htm (2012-06-19)



h1. Hardware



main board (QWG1SUAP VER C), front:
* CPU (ARM based + integrated UMTS base station baseband): "HiSilicon SD6121RBC":http://support.hisilicon.com/support/ServiceSupNav!getAllProductListByKeyword?mid=PRODUCT_SUPPORT&keyword=SD6121
* 1Gb DDR2 RAM: "Samsung K4T1G164QE-HCE6":http://www.samsung.com/global/business/semiconductor/file/2011/product/2010/1/19/130882ds_k4t1gxx4qe_industrial_rev13.pdf
* 10/100 Base-T transformer: "Wurth Electronics Midcom 7112-35-H":http://www.digchip.com/datasheets/download_datasheet.php?id=5503979&part-number=000-7112-35
* 10/100 Base-T transceiver: "Broadcom BCM5241":https://www.broadcom.com/collateral/pb/5241-PB01-R.pdf
* AND gate: "Fairchild 74LCX08":https://www.fairchildsemi.com/datasheets/74/74LCX08.pdf
* 3V voltage monitor: "Maxim MAX708S":https://datasheets.maximintegrated.com/en/ds/MAX706AP-MAX708T.pdf
* low dropout regulator: "Texas Instruments TPS73701":http://www.ti.com/lit/gpn/TPS737
* step-down DC-DC converter: "Texas Instruments TPS54331":http://www.ti.com/lit/ds/symlink/tps54331.pdf

main board (QWG1SUAP VER C), back:
* 256Mb NOR flash: "Spansion S29GL256N10TFI01":http://www.spansion.com/Support/Related%20Product%20Info/S29GL256N_overview.pdf
* 16-bit transceiver: "NXP LVT16245B":http://www.nxp.com/documents/data_sheet/74LVT_LVTH16245B.pdf
* ESD TVS diode array: "Semtech SLVU2.8-4":http://www.semtech.com/images/datasheet/slvu2.8-4.pdf

radio board (QWG1SRM1 VER B):
* low dropout regulator: "Texas Instruments TPS73701":http://www.ti.com/lit/gpn/TPS737
* base station transmitter: "Maxim MAX2599":https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2599.html
* base station receiver: "Maxim MAX2547":https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2547.html
* GSM baseband: "Texas Instruments T303IFZPH":http://read.pudn.com/downloads152/ebook/667710/t3031_Datasheet_V1.6.pdf
* 16Mb CMOS flash: "Spansion S29NS016J0LBJW00":https://www.spansion.com/Support/Obsolescence%20Notifications/2749.pdf
* CPU?: Texas Instruments D6928BB



h2. Connectors



debug connector:
|_. signal/state |_. pin |_. pin |_. signal/state |
| low | 1 | 2 | pulse |
| TX?/high | 3 | 4 | GND |
| RX?/high | 5 | 6 | low |
| low | 7 | 8 | low |
| TCK?/low | 9 | 10 | pulse |
| GND | 11 | 12 | GND |
| high | 13 | 14 | high |
| GND | 15 | 16 | GND |
| TDI?/high | 17 | 18 | pulse |
| TRST?/low | 19 | 20 | TDO?/low |
| high | 21 | 22 | TMS?/high |
| low | 23 | 24 | low |
| low | 25 | 26 | low |
|\4=. DEBUG |

mode connector (use jumper to select):
|_. state |_. pin |_. pin |_. signal |_. mode |
| high | 1 | 2 | GND | WDGEN |
| low | 3 | 4 | GND | BOOTMODE |
| high | 5 | 6 | GND | JTAGMODE0 |
| high | 7 | 8 | GND | JTAGMODE1 |
| high | 9 | 10 | GND | RUNMODE |
|\5=. MODE |

h2. UAP1



It was bought from the operator Vodafone Greece.
The board date is 1023.

{{thumbnail(femto1-case_front.jpg, size=200)}}
{{thumbnail(femto1-case_back-blur.jpg, size=200)}}
{{thumbnail(femto1-board_front-blur.jpg, size=200)}}
{{thumbnail(femto1-board_back-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_front-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_front-naked-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_back-blur.jpg, size=200)}}
{{thumbnail(femto1-rf_back-naked-blur.jpg, size=200)}}



h2. UAP2



It was bought from the operator Vodafone Spain.
The board date is 1201.

This board has more shielding cans.

{{thumbnail(uap2-board_front-blur.jpg, size=200)}}
{{thumbnail(uap2-board_back-blur.jpg, size=200)}}
{{thumbnail(uap2-rf_front-blur.jpg, size=200)}}
{{thumbnail(uap2-rf_back-blur.jpg, size=200)}}



h1. Rooting



How to root this device and intercept communication was shown in August 2015 in the "Adventures in Femtoland: 350 Yuan for Invaluable Fun":https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun presentation ("slides":http://www.slideshare.net/arbitrarycode/adventures-in-femtoland-350-yuan-for-invaluable-fun, "video":https://www.youtube.com/watch?v=U-COwT7dwWg).

This issue has been "analysed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-446728.htm and "fixed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-452865.htm by the vendor.



h2. UAP1



firmware version: QWGM3SUAP4 V300R011C00 SPC173

debug port:
* UART not found on pins described in slides (all modes)
* no UART identified using JTAGulator (all modes)
* JTAG not found on pins described in slides (all modes)
* no JTAG identified using JTAGulator, using id code and bypass scans (all modes)

boot process (all modes):
# red and blue LEDs on for 7 s
# ethernet link on
# red and blue LEDs on for 9 s
# ethernet link off
# red and blue LEDs on for 2 s
# ethernet link on
# red and blue LEDs on for 12 s
# red LED on for 23 s
# red and blue LEDs on for 2 s
# LEDs off for 0.1 s
# red and blue LEDs on for 5 s
# red LED on

network ports:
* the first time the link is on, only UDP port 17185 on fixed IP 172.16.1.1 is open, apparently providing wdbrpc service:
<pre>

sudo nmap -n -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:47 CET
Nmap scan report for 172.16.1.1
Host is up (0.0030s latency).
PORT STATE SERVICE VERSION
...
17185/udp open wdbrpc?
</pre>

* the second time the link is on, all ports are blocked/filtered:
<pre>

sudo nmap -n -A -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:53 CET
Nmap scan report for 172.16.1.1
Host is up (0.0019s latency).
PORT STATE SERVICE VERSION
21/tcp closed ftp
23/tcp closed telnet
80/tcp filtered http
6000/tcp filtered X11
6006/tcp filtered X11:6
7547/tcp filtered unknown
17185/tcp closed unknown
</pre>



h2. UAP2



firmware version: QWGM3SUAP4 V300R011C02 SPC182

debug port:
* UART not found on pins described in slides (all modes)
* JTAG not found on pins described in slides (all modes)
* no JTAG identified using JTAGulator, using id code scan (all modes)

boot process (all modes):
# red and blue LEDs on for 7 s
# ethernet link on
# red and blue LEDs on for 14 s
# ethernet link off
# red and blue LEDs on for 2 s
# ethernet link on
# red and blue LEDs on for 1 s
# ethernet link off
# red and blue LEDs on for 2 s
# ethernet link on
# red and blue LEDs on for 8 s
# red and blue LEDs on for 25 s
# red and blue LEDs on for 2 s
# LEDs off for 0.5 s
# red and blue LEDs on for 3 s
# 6x LEDs off for 2 s
# 6x red and blue LEDs on for 2 s
# red LED on

network ports:
* the first time the link is on, no ports are open on IP 172.16.1.1 (unlike UAP1, which exposes the wdbrpc service at this point)
* the second time the link is on, only TCP port 80 is open and there is an HTTP service:
<pre>

Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-25 21:56 CET
Nmap scan report for 172.16.1.1
Host is up (0.0014s latency).
PORT STATE SERVICE VERSION
...
80/tcp open http GoAhead-Webs httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
| http-title: User Login
|_Requested resource was http://172.16.1.1/index.htm
...
</pre>
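One way to audit the per-boot-phase scans recorded above for UAP1 and UAP2 (an added example, not code from the original page): a small parser for nmap's normal-output port lines that flags the VxWorks WDB remote-debug agent (wdbrpc, 17185/udp) when it is reachable and diffs port states between link-ups. The sample lines are copied from the UAP1 scans on this page; the table of risky ports is my own assumption.

```python
import re

# Constructed samples: the nmap port lines this page records for the UAP1 unit at
# its first link-up (only wdbrpc open) and second link-up (all closed/filtered).
FIRST_LINK_UP = """\
PORT STATE SERVICE VERSION
17185/udp open wdbrpc?
"""
SECOND_LINK_UP = """\
PORT STATE SERVICE VERSION
21/tcp closed ftp
23/tcp closed telnet
80/tcp filtered http
7547/tcp filtered unknown
17185/tcp closed unknown
"""

# "<port>/<proto> <state> <service> [version]" as printed by nmap normal output.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)")

# Assumed list of management/debug services that should not be reachable on a deployed
# femtocell's LAN side: 17185/udp (wdbrpc) is the VxWorks WDB remote-debug agent,
# 7547/tcp is TR-069 CWMP, 23/tcp is telnet.
RISKY = {
    (17185, "udp"): "VxWorks WDB debug agent",
    (23, "tcp"): "telnet",
    (7547, "tcp"): "TR-069 CWMP",
}

def parse_nmap(text):
    """Map (port, proto) -> state for every port line in nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports

def exposed_debug_services(text):
    """Risky services a scan reports as open, e.g. ['17185/udp VxWorks WDB debug agent']."""
    ports = parse_nmap(text)
    return sorted(f"{p}/{proto} {RISKY[(p, proto)]}"
                  for (p, proto), state in ports.items()
                  if state == "open" and (p, proto) in RISKY)

def phase_diff(before, after):
    """Ports whose state differs between two boot phases: (port, proto) -> (old, new)."""
    a, b = parse_nmap(before), parse_nmap(after)
    return {k: (a.get(k, "absent"), b.get(k, "absent"))
            for k in sorted(set(a) | set(b))
            if a.get(k, "absent") != b.get(k, "absent")}
```

Running the same parser over the UAP2 scan above reports no risky service, which matches the note that UAP2 only exposes the GoAhead HTTP server on the second link-up.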