Project

General

Profile

History

OsmoHNBGW » Femtocell-specific information »

Uap2105 » History » Revision 9

Revision 8 (tsaitgaist, 02/19/2016 10:48 PM) → Revision 9/26 (tsaitgaist, 02/19/2016 10:48 PM) 

The Huawei UAP2105 is a UMTS femtocell. 

 This product has been [[http://www1.huawei.com/en/ProductsLifecycle/RadioAccessProducts/small-cell/hw-331134.htm|EOL/deprecated]]: 
  * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105766-productlifecycleannouncement.htm|UAP2105]] (2011-12-20) 
  * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105768-productlifecycleannouncement.htm|UAP2105C01]] (2011-12-20) 
  * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-105771-productlifecycleannouncement.htm|UAP2105C01 V300R011]] (2011-12-20) 
  * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-112035-productlifecycleannouncement.htm|UAP2105C01 V300R011]] (2011-12-30) 
  * [[http://carrier.huawei.com/en/ProductsLifecycle/RadioAccessProducts/UMTSRANProducts/hw-145907.htm|UAP2105C01 V300R012]] (2012-06-19) 

 = Hardware = 

 main board (QWG1SUAP VER C), front: 
   * CPU (ARM based + integrated UMTS base station baseband): [[http://support.hisilicon.com/support/ServiceSupNav!getAllProductListByKeyword?mid=PRODUCT_SUPPORT&keyword=SD6121|HiSilicon SD6121RBC]] 
   * 1Gb DDR2 RAM: [[http://www.samsung.com/global/business/semiconductor/file/2011/product/2010/1/19/130882ds_k4t1gxx4qe_industrial_rev13.pdf|Samsung K4T1G164QE-HCE6]] 
   * 10/100 Base-T transformer: [[http://www.digchip.com/datasheets/download_datasheet.php?id=5503979&part-number=000-7112-35|Wurth Electronics Midcom 7112-35-H]] 
   * 10/100 Base-T transceiver: [[https://www.broadcom.com/collateral/pb/5241-PB01-R.pdf|Broadcom BCM5241]] 
   * AND-gate: [[https://www.fairchildsemi.com/datasheets/74/74LCX08.pdf|Fairchild 74LCX08]] 
   * 3V voltage monitor: [[https://datasheets.maximintegrated.com/en/ds/MAX706AP-MAX708T.pdf|Maxim MAX708S]] 
   * low dropout regulator: [[http://www.ti.com/lit/gpn/TPS737|Texas Instruments TPS73701]] 
   * step down DC-DC convert: [[http://www.ti.com/lit/ds/symlink/tps54331.pdf|Texas Instruments TPS54331]] 

 main board (QWG1SUAP VER C), back: 
   * 256Mb NOR flash: [[http://www.spansion.com/Support/Related%20Product%20Info/S29GL256N_overview.pdf|Spansion S29GL256N10TFI01]] 
   * 16-bit transceiver: [[http://www.nxp.com/documents/data_sheet/74LVT_LVTH16245B.pdf|NXP LVT16245B]] 
   * EPD TVS Diode Array: [[http://www.semtech.com/images/datasheet/slvu2.8-4.pdf|Semtech SLVU2.8-4]] 

 radio board (QWG1SRM1 VER B): 
   * low dropout regulator: [[http://www.ti.com/lit/gpn/TPS737|Texas Instruments TPS73701]] 
   * base station transmitter: [[https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2599.html|Maxim MAX2599]] 
   * base station receiver: [[https://www.maximintegrated.com/en/products/comms/wireless-rf/MAX2547.html|Maxim MAX2547]] 
   * GSM baseband: [[http://read.pudn.com/downloads152/ebook/667710/t3031_Datasheet_V1.6.pdf|Texas Instruments T303IFZPH]] 
   * 16Mb CMOS flash: [[https://www.spansion.com/Support/Obsolescence%20Notifications/2749.pdf|Spansion S29NS016J0LBJW00]] 
   * CPU?: Texas Instruments D6928BB 

 == UAP1 == 

 The operator where it was bought from is Vodafone Greece. 
 The board date is 1023. 

 [[Image(femto1-case_front.jpg​,200px)]] 
 [[Image(femto1-case_back-blur.jpg​,200px)]] 
 [[Image(femto1-board_front-blur.jpg​​,200px)]] 
 [[Image(femto1-board_back-blur.jpg​​,200px)]] 
 [[Image(femto1-rf_front-blur.jpg​,200px)]] 
 [[Image(femto1-rf_front-naked-blur.jpg​​,200px)]] 
 [[Image(femto1-rf_back-blur.jpg​,200px)]] 
 [[Image(femto1-rf_back-naked-blur.jpg​,200px)]] 

 == UAP2 == 

 The operator where it was bought from is Vodafone Spain. 
 The board date is 1201. 

 This board has more shielding cans. 

 [[Image(uap2-board_front-blur.jpg​​,200px)]] 
 [[Image(uap2-board_back-blur.jpg​,200px)]] 
 [[Image(uap2-rf_front-blur.jpg​​​,200px)]] 
 [[Image(uap2-rf_back-blur.jpg​ ​​,200px)]] 

 = Rooting = 

 How to root this device and intercept communication has been shown in August 2015 at the [[https://www.blackhat.com/us-15/briefings.html#adventures-in-femtoland-350-yuan-for-invaluable-fun|Adventures in Femtoland: 350 Yuan for Invaluable Fun]] presentation ([[http://www.slideshare.net/arbitrarycode/adventures-in-femtoland-350-yuan-for-invaluable-fun|slides]], [[https://www.youtube.com/watch?v=U-COwT7dwWg|video]]). 

 This issue has been [[http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-446728.htm|analyzed]] and [[http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-452865.htm|fixed]] by the vendor.
Add picture from clipboard (Maximum size: 48.8 MB)