Uap2105 » History » Revision 22
Revision 21 (tsaitgaist, 02/19/2016 10:48 PM) → Revision 22/26 (tsaitgaist, 02/24/2016 10:44 PM)
{{>toc}} The Huawei UAP2105 is a UMTS femtocell. h1. Support This product has been "EOL/deprecated":http://www1.huawei.com/en/ProductsLifecycle/RadioAccessProducts/small-cell/hw-331134.htm: * "UAP2105":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105766-productlifecycleannouncement.htm [[* [[httpcarrierhuaweicomenProductsLifecycleRadioAccessProductsUMTSRANProductshw-105766-productlifecycleannouncementhtmUAP2105]] (2011-12-20) * "UAP2105C01":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105768-productlifecycleannouncement.htm (2011-12-20) ["(2011-12-20) * "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105771-productlifecycleannouncement.htm [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105771-productlifecycleannouncement.htm|UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105768-productlifecycleannouncement.htm|UAP2105C01]]] (2011-12-20) * "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-112035-productlifecycleannouncement.htm [[V300R011]] (2011-12-30) * "UAP2105C01 V300R012":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-145907.htm [[V300R012]] (2012-06-19) h1. Hardware main board (QWG1SUAP VER C), front: * ** CPU (ARM based + integrated UMTS base station baseband): "HiSilicon SD6121RBC":http://support.hisilicon.com/support/ServiceSupNav!getAllProductListByKeyword?mid=PRODUCT_SUPPORT&keyword=SD6121 [[SD6121RBC]] * ** 1Gb DDR2 RAM: "Samsung K4T1G164QE-HCE6":http://www.samsung.com/global/business/semiconductor/file/2011/product/2010/1/19/130882ds_k4t1gxx4qe_industrial_rev13.pdf [[K4T1G164QE-HCE6]] * ** 10/100 Base-T transformer: "Wurth Electronics [[Electronics Midcom 7112-35-H":http://www.digchip.com/datasheets/download_datasheet.php?id=5503979&part-number=000-7112-35 7112-35-H]] * ** 10/100 Base-T transceiver: "Broadcom BCM5241":https://www.broadcom.com/collateral/pb/5241-PB01-R.pdf [[BCM5241]] * ** AND-gate: "Fairchild 74LCX08":https://www.fairchildsemi.com/datasheets/74/74LCX08.pdf [[74LCX08]] * ** 3V voltage monitor: "Maxim MAX708S":https://datasheets.maximintegrated.com/en/ds/MAX706AP-MAX708T.pdf [[MAX708S]] * ** low dropout regulator: "Texas Instruments TPS73701":http://www.ti.com/lit/gpn/TPS737 [[Instruments TPS73701]] * ** step down DC-DC convert: "Texas Instruments TPS54331":http://www.ti.com/lit/ds/symlink/tps54331.pdf [[Instruments TPS54331]] main board (QWG1SUAP VER C), back: * ** 256Mb NOR flash: "Spansion S29GL256N10TFI01":http://www.spansion.com/Support/Related%20Product%20Info/S29GL256N_overview.pdf [[S29GL256N10TFI01]] * ** 16-bit transceiver: "NXP LVT16245B":http://www.nxp.com/documents/data_sheet/74LVT_LVTH16245B.pdf [[LVT16245B]] * ** EPD TVS Diode Array: "Semtech SLVU2.8-4 ":http://www.semtech.com/images/datasheet/slvu2.8-4.pdf [[SLVU28-4]] radio board (QWG1SRM1 VER B): * ** low dropout regulator: "Texas Instruments TPS73701":http://www.ti.com/lit/gpn/TPS737 [[Instruments TPS73701]] * ** base station transmitter: "Maxim MAX2599":https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2599.html [[MAX2599]] * ** base station receiver: "Maxim MAX2547":https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2547.html [[MAX2547]] * ** GSM baseband: "Texas Instruments T303IFZPH":http://read.pudn.com/downloads152/ebook/667710/t3031_Datasheet_V1.6.pdf [[Instruments T303IFZPH]] * ** 16Mb CMOS flash: "Spansion S29NS016J0LBJW00":https://www.spansion.com/Support/Obsolescence%20Notifications/2749.pdf [[S29NS016J0LBJW00]] * ** CPU?: Texas Instruments D6928BB h2. connectors debug connector: |_. ||= signal/state |_. =||= pin |_. =||= pin |_. =||= signal/state | =|| | || low | || 1 | || 2 | || pulse | || | || TX?/high | || 3 | || 4 | || GND | || | || RX?/high | || 5 | || 6 | || low | || | || low | || 7 | || 8 | || low | || | || TCK?/low | || 9 | || 10 | || pulse | || | || GND | || 11 | || 12 | || GND | || | || high | || 13 | || 14 | || high | || | || GND | || 15 | || 16 | || GND | || | || TDI?/high | || 17 | || 18 | || pulse | || | || TRST?/low | || 19 | || 20 | || TDO?/low | || | || high | || 21 | || 22 | || TMS?/high | || | || low | || 23 | || 24 | || low | || | || low | || 25 | || 26 | || low | || |\4=. |||||||| DEBUG | || mode connector (use jumper to select): |_. ||= state |_. =||= pin |_. =||= pin |_. =||= signal |_. =||= mode | =|| | || high | || 1 | || 2 | || GND | || WDGEN | || | || low | || 3 | || 4 | || GND | || BOOTMODE | || | || high | || 5 | || 6 | || GND | || JTAGMODE0 | || | || high | || 7 | || 8 | || GND | || JTAGMODE1 | || | || high | || 9 | || 10 | || GND | || RUNMODE | || |\5=. |||||||||| MODE | || h2. UAP1 The operator where it was bought from is Vodafone Greece. The board date is 1023. {{thumbnail(femto1-case_front.jpg, size=200)}} {{thumbnail(femto1-case_back-blur.jpg, size=200)}} {{thumbnail(femto1-board_front-blur.jpg, size=200)}} {{thumbnail(femto1-board_back-blur.jpg, size=200)}} {{thumbnail(femto1-rf_front-blur.jpg, size=200)}} {{thumbnail(femto1-rf_front-naked-blur.jpg, size=200)}} {{thumbnail(femto1-rf_back-blur.jpg, size=200)}} {{thumbnail(femto1-rf_back-naked-blur.jpg, size=200)}} h2. UAP2 The operator where it was bought from is Vodafone Spain. The board date is 1201. This board has more shielding cans. {{thumbnail(uap2-board_front-blur.jpg, size=200)}} {{thumbnail(uap2-board_back-blur.jpg, size=200)}} {{thumbnail(uap2-rf_front-blur.jpg, size=200)}} {{thumbnail(uap2-rf_back-blur.jpg , size=200)}} h1. Rooting How to root this device and intercept communication has been shown in August 2015 at the "in [[in Femtoland 350 Yuan for Invaluable Fun":https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun Fun"httpswwwblackhatcomus-15briefingshtml#adventures-in-femtoland-350-yuan-for-invaluable-funAdventures] presentation ("slides":http://www.slideshare.net/arbitrarycode/adventures-in-femtoland-350-yuan-for-invaluable-fun, "video":https://www.youtube.com/watch?v=U-COwT7dwWg). (["[[httpswwwyoutubecomwatchv=U-COwT7dwWgvideo]]). This issue has been "analysed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-446728.htm and "fixed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-452865.htm [[and [[httpwww1huaweicomensecuritypsirtsecurity-bulletinssecurity-advisorieshw-452865htmfixed]] by the vendor. h2. UAP1 firmware version: QWGM3SUAP4 V300R011C00 SPC173 debug port: * UART not found on pins described in slides (all modes) * no UART identified using JTAGulator (all modes) * JTAG not found on pins described in slides (all modes) * no JTAG identified using JTAGulator, using id code and bypass scans (all modes) boot process (all modes): # 1. red and blue LEDs on for 7 s # 1. ethernet link on # 1. red and blue LEDs on for 9 s # 1. ethernet link off # 1. red and blue LEDs on for 2 s # 1. ethernet link on # 1. red and blue LEDs on for 12 s # 1. red LED on for 23 s # 1. red and blue LEDs on for 2 s # 1. LEDs off for 0.1 s # 1. red and blue LEDs on for 5 s # 1. red LED on network ports: * the first time the link is on, only UDP port 17185 on fixed IP 172.16.1.1 is open, apparently providing wdbrpc service: <pre> sudo nmap -n -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1 Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:47 CET Nmap scan report for 172.16.1.1 Host is up (0.0030s latency). PORT STATE SERVICE VERSION ... 17185/udp open wdbrpc? </pre> * the second time the link is on, all ports are blocked/filtered: <pre> sudo nmap -n -A -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1 Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:53 CET Nmap scan report for 172.16.1.1 Host is up (0.0019s latency). PORT STATE SERVICE VERSION 21/tcp closed ftp 23/tcp closed telnet 80/tcp filtered http 6000/tcp filtered X11 6006/tcp filtered X11:6 7547/tcp filtered unknown 17185/tcp closed unknown </pre> h2. UAP2 firmware version: QWGM3SUAP4 V300R011C02 SPC182 debug port: * UART not found on pins described in slides (all modes) * JTAG not found on pins described in slides (all modes) * no JTAG identified using JTAGulator, using id code scan (all modes) boot process (all modes): # 1. red and blue LEDs on for 7 s # 1. ethernet link on # 1. red and blue LEDs on for 14 s # 1. ethernet link off # 1. red and blue LEDs on for 2 s # 1. ethernet link on # 1. red and blue LEDs on for 1 s # 1. ethernet link off # 1. red and blue LEDs on for 2 s # 1. ethernet link on # 1. red and blue LEDs on for 8 s # 1. red and blue LEDs on for 25 s # 1. red and blue LEDs on for 2 s # 1. LEDs off for 0.5 s # 1. red and blue LEDs on for 3 s # 1. 6x LEDs off for 2 s # 1. 6x red and blue LEDs on for 2 s # 1. red LED on network ports: * the first time the link is on no ports are open on IP 172.16.1.1 (compared to UAP1 for wdbrpc service): * the second time the link is on, only TCP port 80 is open an there is an HTTP service <pre> Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-25 21:56 CET Nmap scan report for 172.16.1.1 Host is up (0.0014s latency). PORT STATE SERVICE VERSION ... 80/tcp open http [[GoAhead]]-Webs httpd |_http-methods: No Allow or Public header in OPTIONS response (status code 400) | http-title: User Login |_Requested resource was http://172.16.1.1/index.htm ... </pre>