
Revision 22 (tsaitgaist, 02/24/2016 10:44 PM) → Revision 23/26 (tsaitgaist, 02/24/2016 11:13 PM)

{{>toc}} 

 The Huawei UAP2105 is a UMTS femtocell. 

 h1. Support 

 This product has been "EOL/deprecated":http://www1.huawei.com/en/ProductsLifecycle/RadioAccessProducts/small-cell/hw-331134.htm: 
 * "UAP2105":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105766-productlifecycleannouncement.htm (2011-12-20) 
 * "UAP2105C01":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105768-productlifecycleannouncement.htm (2011-12-20) 
 * "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105771-productlifecycleannouncement.htm (2011-12-20) 
 * "UAP2105C01 V300R011":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-112035-productlifecycleannouncement.htm (2011-12-30) 
 * "UAP2105C01 V300R012":http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-145907.htm (2012-06-19)   

 h1. Hardware 

 main board (QWG1SUAP VER C), front: 
 * CPU (ARM based + integrated UMTS base station baseband): "HiSilicon SD6121RBC":http://support.hisilicon.com/support/ServiceSupNav!getAllProductListByKeyword?mid=PRODUCT_SUPPORT&keyword=SD6121 
 * 1Gb DDR2 RAM: "Samsung K4T1G164QE-HCE6":http://www.samsung.com/global/business/semiconductor/file/2011/product/2010/1/19/130882ds_k4t1gxx4qe_industrial_rev13.pdf 
 * 10/100 Base-T transformer: "Wurth Electronics Midcom 7112-35-H":http://www.digchip.com/datasheets/download_datasheet.php?id=5503979&part-number=000-7112-35 
 * 10/100 Base-T transceiver: "Broadcom BCM5241":https://www.broadcom.com/collateral/pb/5241-PB01-R.pdf 
 * AND-gate: "Fairchild 74LCX08":https://www.fairchildsemi.com/datasheets/74/74LCX08.pdf 
 * 3V voltage monitor: "Maxim MAX708S":https://datasheets.maximintegrated.com/en/ds/MAX706AP-MAX708T.pdf 
 * low dropout regulator: "Texas Instruments TPS73701":http://www.ti.com/lit/gpn/TPS737 
 * step-down DC-DC converter: "Texas Instruments TPS54331":http://www.ti.com/lit/ds/symlink/tps54331.pdf 

 main board (QWG1SUAP VER C), back: 
 * 256Mb NOR flash: "Spansion S29GL256N10TFI01":http://www.spansion.com/Support/Related%20Product%20Info/S29GL256N_overview.pdf 
 * 16-bit transceiver: "NXP LVT16245B":http://www.nxp.com/documents/data_sheet/74LVT_LVTH16245B.pdf 
 * ESD TVS diode array: "Semtech SLVU2.8-4":http://www.semtech.com/images/datasheet/slvu2.8-4.pdf 

 radio board (QWG1SRM1 VER B): 
 * low dropout regulator: "Texas Instruments TPS73701":http://www.ti.com/lit/gpn/TPS737 
 * base station transmitter: "Maxim MAX2599":https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2599.html 
 * base station receiver: "Maxim MAX2547":https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2547.html 
 * GSM baseband: "Texas Instruments T303IFZPH":http://read.pudn.com/downloads152/ebook/667710/t3031_Datasheet_V1.6.pdf 
 * 16Mb CMOS flash: "Spansion S29NS016J0LBJW00":https://www.spansion.com/Support/Obsolescence%20Notifications/2749.pdf 
 * CPU?: Texas Instruments D6928BB 

 h2. connectors 

 debug connector: 
 |_. signal/state |_. pin |_. pin |_. signal/state | 
 | low | 1 | 2 | pulse | 
 | TX?/high | 3 | 4 | GND | 
 | RX?/high | 5 | 6 | low | 
 | low | 7 | 8 | low | 
 | TCK?/low | 9 | 10 | pulse | 
 | GND | 11 | 12 | GND | 
 | high | 13 | 14 | high | 
 | GND | 15 | 16 | GND | 
 | TDI?/high | 17 | 18 | pulse | 
 | TRST?/low | 19 | 20 | TDO?/low | 
 | high | 21 | 22 | TMS?/high | 
 | low | 23 | 24 | low | 
 | low | 25 | 26 | low | 
 |\4=.    DEBUG    | 

 mode connector (use jumper to select): 
 |_. state |_. pin |_. pin |_. signal |_. mode | 
 | high | 1 | 2 | GND | WDGEN | 
 | low | 3 | 4 | GND | BOOTMODE | 
 | high | 5 | 6 | GND | JTAGMODE0 | 
 | high | 7 | 8 | GND | JTAGMODE1 | 
 | high | 9 | 10 | GND | RUNMODE | 
 |\5=.    MODE    | 

 h2. UAP1 

 It was bought from the operator Vodafone Greece. 
 The board date is 1023. 

 {{thumbnail(femto1-case_front.jpg, size=200)}} 
 {{thumbnail(femto1-case_back-blur.jpg, size=200)}} 
 {{thumbnail(femto1-board_front-blur.jpg, size=200)}} 
 {{thumbnail(femto1-board_back-blur.jpg, size=200)}} 
 {{thumbnail(femto1-rf_front-blur.jpg, size=200)}} 
 {{thumbnail(femto1-rf_front-naked-blur.jpg, size=200)}} 
 {{thumbnail(femto1-rf_back-blur.jpg, size=200)}} 
 {{thumbnail(femto1-rf_back-naked-blur.jpg, size=200)}} 

 h2. UAP2 

 It was bought from the operator Vodafone Spain. 
 The board date is 1201. 

 This board has more shielding cans. 

 {{thumbnail(uap2-board_front-blur.jpg, size=200)}} 
 {{thumbnail(uap2-board_back-blur.jpg, size=200)}} 
 {{thumbnail(uap2-rf_front-blur.jpg, size=200)}} 
 {{thumbnail(uap2-rf_back-blur.jpg, size=200)}} 

 h1. Rooting 

 How to root this device and intercept its communication was shown in August 2015 in the "Adventures in Femtoland: 350 Yuan for Invaluable Fun":https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun presentation ("slides":http://www.slideshare.net/arbitrarycode/adventures-in-femtoland-350-yuan-for-invaluable-fun, "video":https://www.youtube.com/watch?v=U-COwT7dwWg). 

 This issue has been "analysed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-446728.htm and "fixed":http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-452865.htm by the vendor. 


 h2. UAP1 

 firmware version: QWGM3SUAP4 V300R011C00 SPC173 

 debug port: 
 * UART not found on pins described in slides (all modes) 
 * no UART identified using JTAGulator (all modes) 
 * JTAG not found on pins described in slides (all modes) 
 * no JTAG identified using JTAGulator, using id code and bypass scans (all modes) 

 boot process (all modes): 
 # red and blue LEDs on for 7 s 
 # ethernet link on 
 # red and blue LEDs on for 9 s 
 # ethernet link off 
 # red and blue LEDs on for 2 s 
 # ethernet link on 
 # red and blue LEDs on for 12 s 
 # red LED on for 23 s 
 # red and blue LEDs on for 2 s 
 # LEDs off for 0.1 s 
 # red and blue LEDs on for 5 s 
 # red LED on 

 network ports: 
 * the first time the link is on, only UDP port 17185 on the fixed IP 172.16.1.1 is open, apparently providing the wdbrpc service (the VxWorks WDB remote debug agent): 
 <pre> 
 sudo nmap -n -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1 

 Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:47 CET 
 Nmap scan report for 172.16.1.1 
 Host is up (0.0030s latency). 
 PORT        STATE    SERVICE VERSION 
 ... 
 17185/udp open     wdbrpc? 
 </pre> 
 * the second time the link is on, all scanned ports are closed or filtered: 
 <pre> 
 sudo nmap -n -A -Pn -p21,23,80,17185,6000,6006,7547 -sT -sU 172.16.1.1 

 Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-22 20:53 CET 
 Nmap scan report for 172.16.1.1 
 Host is up (0.0019s latency). 
 PORT        STATE      SERVICE VERSION 
 21/tcp      closed     ftp 
 23/tcp      closed     telnet 
 80/tcp      filtered http 
 6000/tcp    filtered X11 
 6006/tcp    filtered X11:6 
 7547/tcp    filtered unknown 
 17185/tcp closed     unknown 
 </pre> 

 h2. UAP2 

 firmware version: QWGM3SUAP4 V300R011C02 SPC182 

 debug port: 
 * UART not found on pins described in slides (all modes) 
 * JTAG not found on pins described in slides (all modes) 
 * no JTAG identified using JTAGulator, using id code scan (all modes) 

 boot process (all modes): 
 # red and blue LEDs on for 7 s 
 # ethernet link on 
 # red and blue LEDs on for 14 s 
 # ethernet link off 
 # red and blue LEDs on for 2 s 
 # ethernet link on 
 # red and blue LEDs on for 1 s 
 # ethernet link off 
 # red and blue LEDs on for 2 s 
 # ethernet link on 
 # red and blue LEDs on for 8 s 
 # red and blue LEDs on for 25 s 
 # red and blue LEDs on for 2 s 
 # LEDs off for 0.5 s 
 # red and blue LEDs on for 3 s 
 # 6x LEDs off for 2 s 
 # 6x red and blue LEDs on for 2 s 
 # red LED on 

 network ports: 
 * the first time the link is on, no ports are open on IP 172.16.1.1 (unlike UAP1, which exposes the wdbrpc service) 
 * the second time the link is on, only TCP port 80 is open and there is an HTTP service: 
 <pre> 
 Starting Nmap 6.40 ( http://nmap.org ) at 2015-11-25 21:56 CET 
 Nmap scan report for 172.16.1.1 
 Host is up (0.0014s latency). 
 PORT        STATE      SERVICE VERSION 
 ... 
 80/tcp      open       http      GoAhead-Webs httpd 
 |_http-methods: No Allow or Public header in OPTIONS response (status code 400) 
 | http-title: User Login 
 |_Requested resource was http://172.16.1.1/index.htm 
 ... 
 </pre>
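
Added example (not from this page, Huawei, or the presentation above): a small Python checker that reads nmap normal output like the UAP1 and UAP2 scans above, flags open ports a femtocell should not expose on its LAN side, and diffs two scans so that a service reachable only during one boot window, like the UAP1 wdbrpc agent, is not missed by a single scan. The risky-port list is an assumed review policy and the scan excerpts are constructed from the output above.

```python
import re
from collections import namedtuple

# One port line of nmap's normal output, e.g. "17185/udp open     wdbrpc?"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)")

# Services a femtocell should not expose on its LAN side (assumed review
# policy, not something the page states); the WDB agent is the UAP1 case.
RISKY = {
    ("udp", 17185): "VxWorks WDB remote debug agent",
    ("tcp", 23): "cleartext telnet management",
    ("tcp", 80): "HTTP management UI (GoAhead-Webs on UAP2)",
}

Port = namedtuple("Port", "number proto state service")

def parse_nmap(text):
    """Extract Port records from nmap normal output; other lines are ignored."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports

def exposed(text):
    """Open ports on the risky list, as (port, proto, reason) tuples."""
    return [(p.number, p.proto, RISKY[(p.proto, p.number)])
            for p in parse_nmap(text)
            if p.state == "open" and (p.proto, p.number) in RISKY]

def state_changes(before, after):
    """Ports whose state differs between two scans (e.g. the two link-up windows)."""
    old = {(p.number, p.proto): p.state for p in parse_nmap(before)}
    new = {(p.number, p.proto): p.state for p in parse_nmap(after)}
    return {k: (old.get(k, "absent"), new.get(k, "absent"))
            for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)}

# Scan excerpts constructed after the UAP1 output above (not a live capture).
UAP1_FIRST_LINK = """\
17185/udp open     wdbrpc?
"""
UAP1_SECOND_LINK = """\
23/tcp      closed     telnet
80/tcp      filtered http
17185/tcp closed     unknown
"""
```

Running `exposed(UAP1_FIRST_LINK)` reports the debug agent, while `state_changes(UAP1_FIRST_LINK, UAP1_SECOND_LINK)` shows it disappearing once the second link-up phase begins.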