<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>P1 Labs &#187; Ramtin Amin</title>
	<atom:link href="http://labs.p1sec.com/author/ramtin/feed/" rel="self" type="application/rss+xml" />
	<link>http://labs.p1sec.com</link>
	<description>P1 Security Labs</description>
	<lastBuildDate>Wed, 31 Dec 2014 00:24:12 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=4.1</generator>
	<item>
		<title>4G Wireshark Dissector based on Samsung USB stick</title>
		<link>http://labs.p1sec.com/2013/08/18/4g-wireshark-dissector-based-on-samsung-usb-stick/</link>
		<comments>http://labs.p1sec.com/2013/08/18/4g-wireshark-dissector-based-on-samsung-usb-stick/#comments</comments>
		<pubDate>Sun, 18 Aug 2013 14:16:14 +0000</pubDate>
		<dc:creator><![CDATA[Ramtin Amin]]></dc:creator>
				<category><![CDATA[LTE]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Reverse engineering]]></category>

		<guid isPermaLink="false">http://labs.p1sec.com/?p=394</guid>
<description><![CDATA[After having analyzed the Samsung stick firmware, it was time to make something useful out of it. When first plugged into a Linux machine, it appears as a USB storage device. With the help of usb_modeswitch, it is possible to activate the ttyUSB device, as well as the control device. Here is the output o...]]></description>
				<content:encoded><![CDATA[<p style="clear: both;">After having analyzed the Samsung stick firmware, it was time to make something useful out of it. When first plugged into a Linux machine, it appears as a USB mass storage device.<br />
With the help of usb_modeswitch, it is possible to activate the ttyUSB device, as well as the control device.<br />
Here is the output of lsusb:</p>
<pre style="color: white; background-color: black; overflow: auto;"><code>
# lsusb 
Bus 001 Device 038: ID 04e8:689a Samsung Electronics Co., Ltd LTE Storage Driver [CMC2xx]
Bus 002 Device 002: ID 05ca:18c2 Ricoh Co., Ltd 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
</code></pre>
<p style="clear: both;">The command line for usb_modeswitch would be:</p>
<pre style="color: white; background-color: black; overflow: auto;"><code>
usb_modeswitch -W -v 0x04e8 -p 0x689a -I -M '55534243785634120100000080000601000000000000000000000000000000' 
</code></pre>
<p style="clear: both;">Here is an output log:</p>
<pre style="color: white; background-color: black; overflow: auto;"><code>
# usb_modeswitch -W -v 0x04e8 -p 0x689a -I -M '55534243785634120100000080000601000000000000000000000000000000' 
Taking all parameters from the command line

 * usb_modeswitch: handle USB devices with multiple modes
 * Version 1.2.3 (C) Josua Dietze 2012
 * Based on libusb0 (0.1.12 and above)

 ! PLEASE REPORT NEW CONFIGURATIONS !

DefaultVendor=  0x04e8
DefaultProduct= 0x689a
TargetVendor=   not set
TargetProduct=  not set
TargetClass=    not set
TargetProductList=""

DetachStorageOnly=0
HuaweiMode=0
SierraMode=0
SonyMode=0
QisdaMode=0
GCTMode=0
KobilMode=0
SequansMode=0
MobileActionMode=0
CiscoMode=0
MessageEndpoint=  not set
MessageContent="55534243785634120100000080000601000000000000000000000000000000"
NeedResponse=0
ResponseEndpoint= not set

InquireDevice disabled
Success check disabled
System integration mode disabled

usb_set_debug: Setting debugging level to 15 (on)
usb_os_find_busses: Found 006
usb_os_find_busses: Found 005
usb_os_find_busses: Found 004
usb_os_find_busses: Found 003
usb_os_find_busses: Found 002
usb_os_find_busses: Found 001
usb_os_find_devices: Found 001 on 006
skipping descriptor 0x30
skipped 1 class/vendor specific endpoint descriptors
usb_os_find_devices: Found 001 on 005
usb_os_find_devices: Found 001 on 004
usb_os_find_devices: Found 001 on 003
usb_os_find_devices: Found 002 on 002
skipping descriptor 0xB
skipped 1 class/vendor specific endpoint descriptors
skipped 5 class/vendor specific interface descriptors
skipping descriptor 0x25
skipped 1 class/vendor specific endpoint descriptors
skipped 18 class/vendor specific interface descriptors
usb_os_find_devices: Found 001 on 002
error obtaining child information: Inappropriate ioctl for device
usb_os_find_devices: Found 038 on 001
usb_os_find_devices: Found 001 on 001
error obtaining child information: Inappropriate ioctl for device
Looking for default devices ...
  searching devices, found USB ID 1d6b:0003
  searching devices, found USB ID 1d6b:0002
  searching devices, found USB ID 1d6b:0001
  searching devices, found USB ID 1d6b:0001
  searching devices, found USB ID 05ca:18c2
  searching devices, found USB ID 1d6b:0002
  searching devices, found USB ID 04e8:689a
   found matching vendor ID
   found matching product ID
   adding device
  searching devices, found USB ID 1d6b:0002
 Found device in default mode, class or configuration (1)
Accessing device 038 on bus 001 ...
Getting the current device configuration ...
USB error: error sending control message: Connection timed out
Error getting the current configuration (error -110). Assuming configuration 1.
Using first interface: 0x00
Using endpoints 0x06 (out) and 0x85 (in)

USB description data (for identification)
-------------------------
Manufacturer: not provided
     Product: not provided
  Serial No.: not provided
-------------------------
Looking for active driver ...
 OK, driver found ("usb-storage")
 OK, driver "usb-storage" detached
Setting up communication with interface 0
Using endpoint 0x06 for message sending ...
Trying to send message 1 to endpoint 0x06 ...
 OK, message successfully sent
Resetting response endpoint 0x85
USB error: could not clear/halt ep 133: Connection timed out
 Could not reset endpoint (probably harmless): -110
Resetting message endpoint 0x06
-&gt; Run lsusb to note any changes. Bye.
</code></pre>
<p style="clear: both;">So after that, a new lsusb would show us:</p>
<pre style="color: white; background-color: black; overflow: auto;"><code>
# lsusb 
Bus 001 Device 040: ID 04e8:6889 Samsung Electronics Co., Ltd GT-B3730 Composite LTE device (Commercial)
Bus 002 Device 002: ID 05ca:18c2 Ricoh Co., Ltd 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
</code></pre>
<p style="clear: both;">In order to support the stick, we need to modify the Linux driver that is already available:</p>
<p><a class="magnify" href="https://github.com/mkotsbak/linux-2.6/blob/Samsung_kalmia_driver-3.0/drivers/net/usb/kalmia.c" target="_blank">https://github.com/mkotsbak/linux-2.6/blob/Samsung_kalmia_driver-3.0/drivers/net/usb/kalmia.c</a></p>
<p style="clear: both;">The modified kalmia.c is available <a class="magnify" href="https://github.com/P1sec/LTE_monitor_c2xx/blob/master/kernel/kalmia/kalmia.c" target="_blank">HERE</a> (special thanks to Xavier Martin for this),<br />
and I added the Makefile that lets me compile it as an out-of-tree module:</p>
<pre style="color: white; background-color: black; overflow: auto;"><code>
obj-m += kalmia.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
</code></pre>
<p style="clear: both;">Now two new devices are present:</p>
<pre style="color: white; background-color: black; overflow: auto;"><code>
	/dev/ttyUSB0
	/dev/c2xx
</code></pre>
<p style="clear: both;">The /dev/c2xx device gives us all the debug packets, including NAS and RRC, so we can look at them with Wireshark.<br />
In order to do that, we need a Wireshark dissector: <a class="magnify" href="https://github.com/P1sec/LTE_monitor_c2xx/blob/master/wireshark/epan/dissectors/packet-c2xx.c" target="_blank">packet-c2xx.c</a><br />
As seen in the following picture, the dissector handles a packet type that we named c2xx.</p>
<p><img title="ETH_C2xx" alt="" src="http://ramtin-amin.fr/img/ETH_C2XX.png" /></p>
<p style="clear: both;">This packet is itself composed of a header, an HDLC flag, and a frame.</p>
<p><img title="C2xx" alt="" src="http://ramtin-amin.fr/img/C2XX.png" /></p>
<p style="clear: both;">Packets containing NAS messages are then visible:</p>
<p><img title="C2xx" alt="" src="http://ramtin-amin.fr/img/NAS.png" width="800" height="450" /></p>
]]></content:encoded>
			<wfw:commentRss>http://labs.p1sec.com/2013/08/18/4g-wireshark-dissector-based-on-samsung-usb-stick/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Samsung LTE USB stick GT-B3730/B3740 hacking</title>
		<link>http://labs.p1sec.com/2013/08/05/samsung-lte-usb-stick-gt-b3730b3740-hacking/</link>
		<comments>http://labs.p1sec.com/2013/08/05/samsung-lte-usb-stick-gt-b3730b3740-hacking/#comments</comments>
		<pubDate>Mon, 05 Aug 2013 15:53:11 +0000</pubDate>
		<dc:creator><![CDATA[Ramtin Amin]]></dc:creator>
				<category><![CDATA[LTE]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Reverse engineering]]></category>
		<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://labs.p1sec.com/?p=379</guid>
<description><![CDATA[Samsung LTE USB stick GT-B3730/B3740 Samsung LTE USB dongles codename Kalmia I acquired a couple of GT-B3740 800 MHz LTE dongles, and decided to open one of them to find out what chipset was used in it. The very surprising part was to see that it had a JTAG connector there and it was written JTAG ...]]></description>
				<content:encoded><![CDATA[<h1>Samsung LTE USB stick GT-B3730/B3740</h1>
<h2>Samsung LTE USB dongles codename Kalmia</h2>
<p><a class="magnify" href="http://labs.p1sec.com/wp-content/uploads/2014/07/Kalmia_small.png" target="_blank"><img class="alignnone" title="Kalmia" src="http://ramtin-amin.fr/img/Kalmia_small.png" alt="" width="489" height="652" /></a></p>
<p style="clear: both;">I acquired a couple of GT-B3740 800 MHz LTE dongles and decided to open one of them to find out which chipset was used in it.</p>
<p><a class="magnify" href="http://labs.p1sec.com/wp-content/uploads/2014/07/GT-B3740_small.png" target="_blank"><img class="alignnone" title="Kalmia" src="http://ramtin-amin.fr/img/GT-B3740_small.png" alt="" width="652" height="489" /></a></p>
<p style="clear: both;">The very surprising part was to see that it had a JTAG connector, and it was even labelled JTAG!<br />
So after looking for some documentation about it, another interesting thing came up: googling a bit let me find the service manual of the device!</p>
<p><a href="http://labs.p1sec.com/wp-content/uploads/2014/07/B3740_TOPLEVEL.png"><img class="alignnone" title="Kalmia" src="http://ramtin-amin.fr/img/B3740_TOPLEVEL.png" alt="" width="718" height="475" /></a></p>
<p style="clear: both;">Even more surprising, there was a schematic in there, with the JTAG pinout description!</p>
<p><a href="http://labs.p1sec.com/wp-content/uploads/2014/07/JTAG_HEADER.png"><img class="alignnone" title="Kalmia" src="http://ramtin-amin.fr/img/JTAG_HEADER.png" alt="" width="387" height="216" /></a></p>
<p style="clear: both;">After some investigation, I found the connector datasheet: <a href="http://www3.panasonic.biz/ac/e_download/control/connector/base-fpc/catalog/con_eng_f4s.pdf?via=ok" target="_blank">http://www3.panasonic.biz/ac/e_download/control/connector/base-fpc/catalog/con_eng_f4s.pdf?via=ok</a>. It is in fact a Panasonic AXT512124.</p>
<p><a href="http://labs.p1sec.com/wp-content/uploads/2014/07/Panasonic_conn.png"><img class="alignnone" title="Kalmia" src="http://ramtin-amin.fr/img/Panasonic_conn.png" alt="" width="517" height="93" /></a></p>
<p style="clear: both;">One can find those at Digikey or Mouser.<br />
THE problem with those connectors is their size: any soldering iron would melt the connector before anything could be soldered to it. So there is no other way than finding the female connector and extending it. My first attempt was a failure: I tried to do it with a flex-based copper sheet and PNPBlue. Here is the result:</p>
<p><a href="http://labs.p1sec.com/wp-content/uploads/2014/07/JTAG_FLEX.png"><img class="alignnone" title="Kalmia" src="http://ramtin-amin.fr/img/JTAG_FLEX.png" alt="" width="128" height="192" /></a></p>
<p style="clear: both;">In fact, the clearance is so low that it could only be done in a factory with a pick-and-place machine.<br />
Looking here and there, I found on Alibaba a multi-JTAG cable that looked quite similar:</p>
<p><a href="http://www.aliexpress.com/store/product/JTAG-JPin-JIG-Pinouts-by-RIFF-ORT-JPR-MEDUSA-BOX/927318_922669231.html" target="_blank">http://www.aliexpress.com/store/product/JTAG-JPin-JIG-Pinouts-by-RIFF-ORT-JPR-MEDUSA-BOX/927318_922669231.html</a></p>
<p>So I decided to buy one to give it a try. The thing is that you have to buy the whole set. At the time I&#8217;m writing, its price was $68.</p>
<p><a href="http://labs.p1sec.com/wp-content/uploads/2014/07/JTAG_MOORC.jpeg"><img class="alignnone" title="Kalmia" src="http://ramtin-amin.fr/img/JTAG_MOORC.jpeg" alt="" width="450" height="336" /></a></p>
<p>The result is shown below:</p>
<p><a class="magnify" href="http://labs.p1sec.com/wp-content/uploads/2014/07/JTAG_CONNECTED_small.png" target="_blank"><img class="alignnone" title="Kalmia" src="http://ramtin-amin.fr/img/JTAG_CONNECTED_small.png" alt="" width="555" height="427" /></a></p>
<p>The interesting part about this cable is that the little adapter they provide respects the standard ARM JTAG pinout; therefore, I could easily connect it with a board-to-board connector to an Amontec JTAG-Mini. So it was time to play with OpenOCD!<br />
Here is the configuration file used:</p>
<pre style="color: white; background-color: black; overflow: auto;"><code>
telnet_port 4444
#gdb_port 0
#tcl_port 0

jtag_khz    100000000
adapter_khz 100000000
#jtag_speed 3

reset_config trst_and_srst

jtag_nsrst_delay 400
jtag_ntrst_delay 400

if { [info exists CHIPNAME] } {
  set _CHIPNAME $CHIPNAME
} else {
  set _CHIPNAME cmc220
}

#reset_config none

if { [info exists CPU_TAPID ] } {
  set _CPU_TAPID $CPU_TAPID
} else {
  set _CPU_TAPID 0x4ba00477
}
jtag newtap $_CHIPNAME tap -irlen 4 -ircapture 0x1 -irmask 0x3 -expected-id $_CPU_TAPID

set _TARGETNAME $_CHIPNAME

target create $_TARGETNAME cortex_r4 -endian little -chain-position $_TARGETNAME.tap
</code></pre>
<p>So I managed to dump the memory of the chip and extract the firmware. A quick look at the strings in the file shows that it is REALLY verbose: all the debug symbols are there, all the printf strings are still there&#8230; It&#8217;s time to play with IDA Pro!<br />
One interesting part is that I was able to tell IDA Pro that the GDB server is in fact OpenOCD, so IDA Pro would go into debug mode and be able to step through the running code. Most of the time that would generate an interrupt, though. But combined with some scripting, that is good enough to see which parts of the firmware are code segments and which are data segments.</p>
<p><a href="http://labs.p1sec.com/wp-content/uploads/2014/07/IDA_Graph.png"><img class="alignnone" title="Kalmia" src="http://ramtin-amin.fr/img/IDA_Graph.png" alt="" width="1425" height="863" /></a></p>
<p style="clear: both;">And as said earlier, the amount of debug strings is really big. Worth digging into.</p>
<p><a href="http://labs.p1sec.com/wp-content/uploads/2014/07/IDA_STRINGS.png"><img class="alignnone" title="Kalmia" src="http://ramtin-amin.fr/img/IDA_STRINGS.png" alt="" width="695" height="528" /></a></p>
<p>In the meantime, I decided to get myself some GT-B3730, which does the 2.6 GHz LTE band as well as 2.75G and 3G, hoping that they are similar.</p>
<p><a href="http://labs.p1sec.com/wp-content/uploads/2014/07/GT-B3730.jpg"><img class="alignnone" title="Kalmia" src="http://ramtin-amin.fr/img/GT-B3730.jpg" alt="" width="516" height="390" /></a></p>
<p>Opening it showed me that it&#8217;s based on the same chip, which is connected to another chip in charge of 2G/3G.</p>
<p><a class="magnify" href="http://labs.p1sec.com/wp-content/uploads/2014/07/G3730PCBA_small.png" target="_blank"><img class="alignnone" title="Kalmia" src="http://ramtin-amin.fr/img/G3730PCBA_small.png" alt="" width="275" height="367" /></a><br />
<a class="magnify" href="http://labs.p1sec.com/wp-content/uploads/2014/07/G3730PCBB_small.png" target="_blank"><img class="alignnone" title="Kalmia" src="http://ramtin-amin.fr/img/G3730PCBB_small.png" alt="" width="310" height="389" /></a></p>
<p>Two different firmwares are written into this one: mode A and mode B. A is LTE, B is 2G/3G. Therefore, in order to switch, it needs to reboot on the new firmware.</p>
]]></content:encoded>
			<wfw:commentRss>http://labs.p1sec.com/2013/08/05/samsung-lte-usb-stick-gt-b3730b3740-hacking/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>SIM Man In The Middle</title>
		<link>http://labs.p1sec.com/2012/12/02/sim-man-in-the-middle/</link>
		<comments>http://labs.p1sec.com/2012/12/02/sim-man-in-the-middle/#comments</comments>
		<pubDate>Sun, 02 Dec 2012 12:45:07 +0000</pubDate>
		<dc:creator><![CDATA[Ramtin Amin]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Reverse engineering]]></category>

		<guid isPermaLink="false">http://labs.p1sec.com/?p=123</guid>
<description><![CDATA[SIM Man In The Middle I had in the past several times to sniff the traffic between a SIM card and a phone: In NFC applications, SIMs are updated OTA (Over The Air) with the CAT_TP protocol. It was necessary to inspect the traffic Analyze the timing between the air traffic and the SIM traffic Inspect ...]]></description>
				<content:encoded><![CDATA[<h1>SIM Man In The Middle</h1>
<p>In the past, I have had several occasions to sniff the traffic between a SIM card and a phone:</p>
<ul>
<li>In NFC applications, SIMs are updated OTA (Over The Air) with the CAT_TP protocol, and it was necessary to inspect the traffic</li>
<li>To analyze the timing between the air traffic and the SIM traffic</li>
<li>To inspect STK (SIM Toolkit) proactive commands sent from the SIM to the phone</li>
<li>&#8230;</li>
</ul>
<p>I used several pieces of equipment to do this and built my own. I&#8217;ll explain here the differences between them.</p>
<ul>
<li>
<h2>Rebel SIM</h2>
<p><a class="magnify" href="http://ramtin-amin.fr/img/rebelsim.png" target="_blank"> <img title="Zif" alt="" src="http://ramtin-amin.fr/img/rebelsim_small.png" /></a></p>
<p>RebelSim is a basic USB sniffer. Its schematic is quite simple: it is composed of a USB-to-serial converter (FTDI FT2232) whose RXD pin is connected to the data wire between the SIM and the phone. It is therefore necessary to configure the baud rate of the virtual serial interface to match the one of the SIM. The main disadvantage of this solution is that at ATR (Answer To Reset) time, the bit rate of the SIM card is not the same as the one after the ATR, since the F and D factors are described in the ATR response. So following the dialog is not that trivial, and if the phone clocks the SIM at a non-standard bit rate, the dump would not work.</p></li>
<li>
<h2>Bladox</h2>
<p><a class="magnify" href="http://ramtin-amin.fr/img/bladox.png" target="_blank"> <img title="Zif" alt="" src="http://ramtin-amin.fr/img/bladox_small.png" /></a></p>
<p>Bladox is made of two pieces: the Turbo Lite 2, which embeds an ARM processor that does the MITM between the SIM and the mobile. This one responds to the ATR and sets its own ATR response. The Turbo Programmer hosts the Turbo Lite 2 and sends the data back to the host computer using an FTDI chip. The advantage of the Turbo Lite 2 is that the lines are isolated with optocouplers, and it is powered by the phone itself. The disadvantage is that if a command is unknown, the Turbo Lite will not relay it back to the SIM. It actually just uses the SIM card for its telco resources (IMSI/Ki).</p></li>
<li>
<h2>SimTrace</h2>
<p><a class="magnify" href="http://ramtin-amin.fr/img/simtrace.png" target="_blank"> <img title="Zif" alt="" src="http://ramtin-amin.fr/img/simtrace_small.png" /></a></p>
<p>SIMtrace is part of the Osmocom project. It is built around an ARM processor that can cut the line between the SIM and the reader and therefore emulate the SIM on one side and the reader on the other side; the software has never been finished for doing so. It has the advantage of being connected to the CLK (clock) pin of the SIM, so it can count clock cycles in order to be correct on the time division.</p></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://labs.p1sec.com/2012/12/02/sim-man-in-the-middle/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>UMA / GAN</title>
		<link>http://labs.p1sec.com/2012/10/02/118/</link>
		<comments>http://labs.p1sec.com/2012/10/02/118/#comments</comments>
		<pubDate>Tue, 02 Oct 2012 13:36:02 +0000</pubDate>
		<dc:creator><![CDATA[Ramtin Amin]]></dc:creator>
				<category><![CDATA[Femtocell]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://labs.p1sec.com/?p=118</guid>
		<description><![CDATA[UMA / GAN UMA = Unlicensed Mobile Access GAN = Generic Access Network ts 43.318 and 44.318 Wikipedia says: Generic Access Network or GAN is a telecommunication system that extends mobile voice, data and IP Multimedia Subsystem/Session Initiation Protocol (IMS/SIP) applications over IP networks. Unli...]]></description>
				<content:encoded><![CDATA[<h1>UMA / GAN</h1>
<p>UMA = Unlicensed Mobile Access</p>
<p>GAN = Generic Access Network</p>
<p>Specifications: 3GPP TS 43.318 and TS 44.318</p>
<p>Wikipedia says: Generic Access Network or GAN is a telecommunication system that extends mobile voice, data and IP Multimedia Subsystem/Session Initiation Protocol (IMS/SIP) applications over IP networks. Unlicensed Mobile Access or UMA, is the commercial name used by mobile carriers for external IP access into their core networks.</p>
<p><img alt="" src="http://ramtin-amin.fr/img/diagram_uma.jpg" /></p>
<p>To make it simple: on one side, a device connects to the mobile operator over IPsec with EAP-SIM authentication. Once connected, a session is established over IP/TCP/UMA to the GANC (GAN Controller) or UNC (UMA Network Controller). On top of that, GSM L3 messages can be sent.</p>
<p>Here is a list of UMA devices:</p>
<ul>
<li>
<h3>UMA phones</h3>
<p><img alt="" src="http://ramtin-amin.fr/img/blackberry_uma.jpg" /></p>
<p>In order for a phone to be UMA enabled, the baseband processor has to communicate with the media processor, since signaling is involved, as well as with the SIM card for the EAP-SIM establishment. Therefore, it&#8217;s not just an application.</p>
<p>Here is a list of UMA-enabled phones:</p>
<pre style="color: blue; background-color: #ffff80; height: 200px; overflow: auto;"><code>Blackberry Bold 9700
Blackberry Bold 9780
Blackberry Pearl 8120
Blackberry Curve 8320
Blackberry Curve 8520
Blackberry Flip 8220
Blackberry 8900
Blackberry 8820
Blackberry 9100
Blackberry 9300
Blackberry 9700
Blackberry 9800
HP iPAQ 510
LG KE520
LG CL400
Motorola A910
Motorola Z6W
Nokia 6086
Nokia 6136
Nokia 6301
Nokia 7510
Nokia E73
Qisda/BenQ e72
Sagem my419x
Samsung P180
Samsung P200
Samsung P220
Samsung P250
Samsung P260
Samsung P270
Samsung T336
Samsung T339
Samsung T409
Samsung T707
Samsung T739 Katalyst
SIMTech N6000
T-Mobile (HTC) Shadow 2009
T-Mobile (HTC) MyTouch
T-Mobile (HTC) MyTouch 4G
T-Mobile (HTC) G2
T-Mobile (LG) Optimus T
T-Mobile (Motorola) Defy
</code></pre>
<p>As we can see, many of them are from RIM (BlackBerry). Below is the engineering screen for configuring UMA on a BlackBerry:</p>
<p><img alt="" src="http://ramtin-amin.fr/img/uma_bb_ing.jpg" /></p></li>
<li>
<h3>UMA Gemalto USB key (Branded as Unik PC)</h3>
<p><a href="http://ramtin-amin.fr/img/UnikPC.png" target="_blank"> <img title="Zif" alt="" src="http://ramtin-amin.fr/img/UnikPC_small.png" /></a></p>
<pre style="color: white; background-color: black; height: 200px; overflow: auto;"><code>
Host: scsi9 Channel: 00 Id: 00 Lun: 00
  Vendor: Orange   Model: ApplicationDRV     Rev: 1.00
  Type:   CD-ROM                             ANSI SCSI revision: 00
Host: scsi9 Channel: 00 Id: 00 Lun: 01
  Vendor: Orange   Model: PrivateDRV         Rev: 1.00
  Type:   Direct-Access                      ANSI SCSI revision: 00
Host: scsi9 Channel: 00 Id: 00 Lun: 02
  Vendor: Orange   Model: PublicDRV          Rev: 1.00
  Type:   Direct-Access                      ANSI SCSI revision: 00
Host: scsi9 Channel: 00 Id: 00 Lun: 03
  Vendor: Orange   Model: CommunicationDRV   Rev: 1.00
  Type:   Direct-Access                      ANSI SCSI revision: 00

# cat /proc/scsi/usb-storage/9
   Host scsi9: usb-storage
       Vendor: GEMALTO
      Product: Unik PC
Serial Number: A10600000000XXX
     Protocol: Transparent SCSI
    Transport: Bulk
       Quirks: SANE_SENSE
</code></pre>
<p>When mounting the filesystem, we get three partitions: one protected by the SIM PIN, one (COM) containing a CD-ROM image, and one system partition that is writable.</p>
<pre style="color: white; background-color: black; overflow: auto;"><code>
mount -o loop -t vfat /dev/sdd /media/

# ls -al
total 128007
drwxr-xr-x  2 root root       512 Jan  1  1970 .
drwxr-xr-x 23 root root      4096 Jan 21 20:00 ..
-rwxr-xr-x  1 root root       512 Apr 23  2009 ANCHORI.CLP
-rwxr-xr-x  1 root root       512 Apr 23  2009 ANCHORO.CLP
-rwxr-xr-x  1 root root        52 Apr 23  2009 AUTORUN.INF
-rwxr-xr-x  1 root root 131072000 Apr 23  2009 CD-ROM.CLP
-rwxr-xr-x  1 root root      1024 Apr 23  2009 MINIEXE.EXE

# file CD-ROM.CLP
CD-ROM.CLP: # ISO 9660 CD-ROM filesystem data 'Unik PC'

# mount -t iso9660 -o loop CD-ROM.CLP /mnt/
# ls /mnt
Aide UNIK-PC.url apache Apps autorun.inf backup cdrom.ver Check Help lang private sdongle.conf sdongle.props Softphone Synchro system Unik_PC_Startup.exe usn.cfg

# ls -al /mnt/Softphone
dr-xr-xr-x 1 root root    2048 Sep 16  2009 .
dr-xr-xr-x 1 root root    2048 Sep 16  2009 ..
-r-xr-xr-x 1 root root  942080 Sep 16  2009 ftmvitendotools.dll
-r-xr-xr-x 1 root root     376 Sep 16  2009 gac.ini
-r-xr-xr-x 1 root root 1724416 Sep 16  2009 gdiplus.dll
dr-xr-xr-x 1 root root    2048 Sep 16  2009 KB908002
-r-xr-xr-x 1 root root 2539520 Sep 16  2009 Lang-fre.dll
-r-xr-xr-x 1 root root     804 Sep 16  2009 orange.der
-r-xr-xr-x 1 root root     106 Sep 16  2009 PluginConfig.ini
-r-xr-xr-x 1 root root   81920 Sep 16  2009 PluginQuery.dll
-r-xr-xr-x 1 root root  450560 Sep 16  2009 sdongleEventApi.dll
-r-xr-xr-x 1 root root    1220 Sep 16  2009 softphone_eng.ini
-r-xr-xr-x 1 root root    1221 Sep 16  2009 softphone_fre.ini
-r-xr-xr-x 1 root root 9199616 Sep 16  2009 Unik_PC_Phone.exe
-r-xr-xr-x 1 root root  314887 Sep 16  2009 Unik_PC_PlugInFF.exe
-r-xr-xr-x 1 root root  583692 Sep 16  2009 Unik_PC_PlugInIE.exe
-r-xr-xr-x 1 root root  921884 Sep 16  2009 Unik_PC_PlugInMgr.exe
-r-xr-xr-x 1 root root  444416 Sep 16  2009 Unik_PC_PlugInOLE.exe
-r-xr-xr-x 1 root root 1189376 Sep 16  2009 Unik_PC_PlugInOLE.msi
-r-xr-xr-x 1 root root  430592 Sep 16  2009 Unik_PC_PlugInOLP.exe
-r-xr-xr-x 1 root root 2253312 Sep 16  2009 Unik_PC_PlugInOLP.msi
-r-xr-xr-x 1 root root 1970176 Sep 16  2009 Unik_PC_PlugIns.exe
</code></pre>
</li>
<li>
<h3>UMA Analog Telephone Adapters (Sold as Cisco HPort UTA200-tm)</h3>
<p><img alt="" src="http://ramtin-amin.fr/img/Cisco_HPORT.png" /></p>
<p>As we can see, the device has two Ethernet ports, one RJ11 port to plug in a real phone, as well as a SIM card slot.</p>
<p><a href="http://ramtin-amin.fr/img/hport_pcb.png" target="_blank"> <img title="Zif" alt="" src="http://ramtin-amin.fr/img/hport_pcb_small.png" /></a></p>
<p>The PCB shows that the main SoC is an ADM8668, classically used on Linksys WRTU54G-TM 1.0.</p>
<p>&#8230; more coming &#8230;</p></li>
<li>
<h3>FemtoCell</h3>
<p><img alt="Ubiquisys" src="http://ramtin-amin.fr/img/sfr-femto.jpeg" /></p>
<p>Some femtocells (Home NodeB or HNB) use UMA as their protocol. The other protocol commonly used on femtos is SCCP/RANAP.</p></li>
</ul>
<p>strongSwan configuration for EAP-SIM as client</p>
<p><a href="http://ramtin-amin.fr/img/CardReader.png" target="_blank"> <img title="Zif" alt="" src="http://ramtin-amin.fr/img/CardReader_small.png" /></a></p>
<p>A card reader is needed in order to do EAP-SIM with strongSwan. Here is a configuration example (the parameters of the conn section must be indented):</p>
<pre style="color: white; background-color: black; overflow: auto;"><code>
conn sfr
    keyexchange=ikev2
    ike=aes128-sha1-modp1024!
    mobike=no
    left=%any
    leftikeport=4500
    leftid=1(IMSI)@gan.mnc010.mcc208.3gppnetwork.org
    leftauth=eap
    leftsourceip=%cfg
    right=unc1-ch1.fr.sfr.com
    rightikeport=4500
    rightid=@unc1-ch1.fr.sfr.com
    rightca="C=FR, ST=Ile de France, L=Champlan, O=SFR, OU=DGRS, CN=SFR Femto Champlan 1tier CA"
    rightsubnet=172.0.0.0/8
    auto=add
</code></pre>
<p>Here is a capture of a femtocell performing its Location Update:</p>
<p><a href="http://ramtin-amin.fr/img/wireshark_uma.png" target="_blank"> <img title="Zif" alt="" src="http://ramtin-amin.fr/img/wireshark_uma.png" /></a></p>
<p>As seen, the packet is of type GA-CSR Uplink Direct. It embeds a GSM L3 message (a Location Update Request in this case).</p>
<p>I developed a UMA library a while ago and put it on GitHub; it&#8217;s available here:</p>
<p><a href="http://github.com/key2/libuma">http://github.com/key2/libuma</a></p>
<p>Here is an example of how a UMA packet is created with it:</p>
<pre style="color: white; background-color: black; overflow: auto;"><code>
struct uma_msg_s *uma_msg;
int i, j;            /* i is used below when iterating over the parsed TLVs */
u_int8_t *titi;      /* serialized message buffer, allocated by uma_create_buffer() */

/* Build a GA-RC REGISTER REQUEST message */
uma_msg = uma_create_msg(GA_RC_REGISTER_REQUEST, 0, GA_RC);

/* Append the information elements (TLVs) of the message one by one */
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_Mobile_Identity("\x29\x80\x01\x43\x58\x58\x54\x39", 8);
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_GAN_Release_Indicator(1);
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_GAN_Classmark(7, 1, 1, 0, 0, 0);
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_Radio_Identity(0, "\x00\x1b\x67\x00\x93\x87");
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_MS_Radio_Identity(0, "\x00\x1b\x67\x00\x93\x87");
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_GSM_RR_UTRAN_RRC_State(7);
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_GERAN_UTRAN_coverage_Indicator(2);
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_Registration_indicators(0);
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_Location_Area_Identification("\x02\xf8\x11\xff\xfc", 5);
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_GAN_Control_Channel_Description(0,1,0,0,1,1,16,1,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_TU3906_Timer(00, 0x1e);
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_TU3920_Timer(00, 0x1e);
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_TU4001_Timer(00, 0x0f);
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_TU4003_Timer(00, 0x0f);
uma_msg-&gt;tlv[uma_msg-&gt;ntlv++] = create_IEI_Cell_3G_Identity("\x32\x22\x00\x00");

/* Serialize the message into titi; j receives the length of the buffer */
j = uma_create_buffer(&amp;titi, uma_msg);
</code></pre>
<p>The output looks like this:</p>
<pre style="color: white; background-color: black; overflow: auto;"><code>
00 53 00 10 01 08 29 80 01 43 58 58 54 39 02 01 01 07 02 37 00 03 07 00 00 1b 67 00 93 87 60 07 00 00 1b 67 00 93 87 11 01 07 06 01 02 44 01 00 05 05 02 f8 11 ff fc 0e 06 c4 10 01 1d 00 00 16 02 00 1e 25 02 00 1e 2b 02 00 0f 3c 02 00 0f 49 04 32 22 00 00
</code></pre>
<p>On the other side, if we parse the same buffer back and print it out:</p>
<pre style="color: white; background-color: black; height: 100px; overflow: auto;"><code>
/* parse the buffer back into a message and print each information element */
uma_msg = uma_parse_msg(titi, j);
for (i = 0; i &lt; uma_msg-&gt;ntlv; i++) {
    tlv_printf(uma_msg-&gt;tlv[i]);
}
uma_delete_msg(uma_msg);
</code></pre>
<p>Upon execution we get this pretty-printed output:</p>
<pre style="color: white; background-color: black; overflow: auto;"><code>
Mobile Identity
------------------------------
data = 29 80 01 43 58 58 54 39
------------------------------
GAN Release Indicator
------------------------------
URI = 01
------------------------------
GAN Classmark
------------------------------
TGA = 07
GC = 01
UC = 01
RRS = 00
PS_HA = 00
GMSI = 00
------------------------------
Radio Identity
------------------------------
type = 00
value = 00 1b 67 00 93 87
------------------------------
MS Radio Identity
------------------------------
type = 00
value = 00 1b 67 00 93 87
------------------------------
GSM RR UTRAN RRC State
------------------------------
GRS = 07
------------------------------
GERAN UTRAN coverage Indicator
------------------------------
CGI = 02
------------------------------
Registration indicators
------------------------------
MPS = 00
------------------------------
Location Area Identification
------------------------------
data = 02 f8 11 ff fc
------------------------------
GAN Control Channel Description
------------------------------
ECMC = 00
NMO = 01
GPRS = 00
DTM = 00
ATT = 01
MSCR = 01
T3212 = 10
RAC = 01
SGSNR = 01
ECMP = 00
RE = 01
PFCFM = 01
_3GECS = 01
PS_HA = 00
ACC8 = 00
ACC9 = 00
ACC10 = 00
ACC11 = 00
ACC12 = 00
ACC13 = 00
ACC14 = 00
ACC15 = 00
ACC0 = 00
ACC1 = 00
ACC2 = 00
ACC3 = 00
ACC4 = 00
ACC5 = 00
ACC6 = 00
ACC7 = 00
------------------------------
TU3906 Timer
------------------------------
MSB = 00
LSB = 1e
------------------------------
TU3920 Timer
------------------------------
MSB = 00
LSB = 1e
------------------------------
TU4001 Timer
------------------------------
MSB = 00
LSB = 0f
------------------------------
TU4003 Timer
------------------------------
MSB = 00
LSB = 0f
------------------------------
Cell 3G Identity
------------------------------
CellID = 32 22 00 00
</code></pre>
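<p>The round trip above (build, serialize, parse back, print) goes through libuma. As an added stand-alone illustration that is not libuma&#8217;s code and not part of the original post, the C program below re-types the hex dump printed above as a constructed byte array and walks it as a sequence of IEI / length / value triplets, checking every length against the bytes actually held before touching them, which is the part that matters when the message comes from an untrusted peer rather than from your own encoder. The IEI-to-name table is inferred from the IEI octets in the dump and the order of the pretty-printed output; the struct and function names (ga_msg, ga_parse and so on) are this example&#8217;s own, and it assumes the one-octet IEI and one-octet length form that every element in the dump uses.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the GA-RC REGISTER REQUEST bytes printed on the page by
 * uma_create_buffer(), re-typed as an array. */
static const uint8_t SAMPLE_MSG[] = {
    0x00, 0x53, 0x00, 0x10,                       /* length 83, GA-RC, REGISTER REQUEST */
    0x01, 0x08, 0x29, 0x80, 0x01, 0x43, 0x58, 0x58, 0x54, 0x39,   /* Mobile Identity */
    0x02, 0x01, 0x01,                                             /* GAN Release Indicator */
    0x07, 0x02, 0x37, 0x00,                                       /* GAN Classmark */
    0x03, 0x07, 0x00, 0x00, 0x1b, 0x67, 0x00, 0x93, 0x87,         /* Radio Identity */
    0x60, 0x07, 0x00, 0x00, 0x1b, 0x67, 0x00, 0x93, 0x87,         /* MS Radio Identity */
    0x11, 0x01, 0x07, 0x06, 0x01, 0x02, 0x44, 0x01, 0x00,         /* RRC state, coverage, reg. ind. */
    0x05, 0x05, 0x02, 0xf8, 0x11, 0xff, 0xfc,                     /* Location Area Identification */
    0x0e, 0x06, 0xc4, 0x10, 0x01, 0x1d, 0x00, 0x00,               /* GAN Control Channel Description */
    0x16, 0x02, 0x00, 0x1e, 0x25, 0x02, 0x00, 0x1e,               /* TU3906, TU3920 timers */
    0x2b, 0x02, 0x00, 0x0f, 0x3c, 0x02, 0x00, 0x0f,               /* TU4001, TU4003 timers */
    0x49, 0x04, 0x32, 0x22, 0x00, 0x00,                           /* Cell 3G Identity */
};

/* One information element as it sits in the buffer (the value is not copied). */
struct ga_tlv { uint8_t iei; uint8_t len; const uint8_t *val; };
struct ga_msg {
    uint8_t pd, type;         /* protocol discriminator (0 = GA-RC), message type (0x10 = REGISTER REQUEST) */
    size_t ntlv;
    struct ga_tlv tlv[32];    /* plenty for the 15 IEs of this message */
};

/* IEI -> name, taken from the IEI octets in the dump and the order of the
 * pretty-printed output on the page; anything else is reported as unknown. */
static const struct { uint8_t iei; const char *name; } IEI_NAMES[] = {
    {0x01, "Mobile Identity"}, {0x02, "GAN Release Indicator"}, {0x03, "Radio Identity"},
    {0x05, "Location Area Identification"}, {0x06, "GERAN UTRAN coverage Indicator"},
    {0x07, "GAN Classmark"}, {0x0e, "GAN Control Channel Description"},
    {0x11, "GSM RR UTRAN RRC State"}, {0x16, "TU3906 Timer"}, {0x25, "TU3920 Timer"},
    {0x2b, "TU4001 Timer"}, {0x3c, "TU4003 Timer"}, {0x44, "Registration indicators"},
    {0x49, "Cell 3G Identity"}, {0x60, "MS Radio Identity"},
};
static const char *iei_name(uint8_t iei) {
    for (size_t i = 0; i < sizeof IEI_NAMES / sizeof IEI_NAMES[0]; i++)
        if (IEI_NAMES[i].iei == iei) return IEI_NAMES[i].name;
    return "unknown IEI";
}

/* Parse a GA-RC message into *out. Returns the IE count, or -1 if malformed. Every
 * length is checked against the bytes actually received before it is used, so a
 * truncated or hostile message can never make the parser read past the end. */
static int ga_parse(const uint8_t *buf, size_t n, struct ga_msg *out) {
    if (n < 4) return -1;
    size_t body = ((size_t)buf[0] << 8) | buf[1];
    if (body != n - 2) return -1;                 /* length field vs. real size */
    out->pd = buf[2]; out->type = buf[3]; out->ntlv = 0;
    for (size_t off = 4; off < n; ) {
        if (off + 2 > n) return -1;               /* truncated IEI/length header */
        uint8_t iei = buf[off], len = buf[off + 1];
        if (len > n - off - 2) return -1;         /* value would overrun the buffer */
        if (out->ntlv == sizeof out->tlv / sizeof out->tlv[0]) return -1;
        out->tlv[out->ntlv++] = (struct ga_tlv){ iei, len, buf + off + 2 };
        off += 2 + (size_t)len;
    }
    return (int)out->ntlv;
}

/* Print every IE in the style of the page's tlv_printf() output. */
static void ga_print(const struct ga_msg *m) {
    for (size_t i = 0; i < m->ntlv; i++) {
        printf("%s\n------------------------------\ndata =", iei_name(m->tlv[i].iei));
        for (size_t j = 0; j < m->tlv[i].len; j++) printf(" %02x", m->tlv[i].val[j]);
        printf("\n------------------------------\n");
    }
}

/* Well-formed sample: 15 IEs, message type 0x10. */
int parse_sample_count(void) {
    struct ga_msg m;
    return ga_parse(SAMPLE_MSG, sizeof SAMPLE_MSG, &m);
}
int sample_msg_type(void) {
    struct ga_msg m;
    return ga_parse(SAMPLE_MSG, sizeof SAMPLE_MSG, &m) < 0 ? -1 : m.type;
}
/* Drop the last byte: the length field no longer matches, so reject. */
int reject_truncated(void) {
    struct ga_msg m;
    return ga_parse(SAMPLE_MSG, sizeof SAMPLE_MSG - 1, &m) == -1;
}
/* Corrupt the last IE's length (4 -> 32) so it claims bytes past the end. */
int reject_overlong_tlv(void) {
    uint8_t bad[sizeof SAMPLE_MSG];
    struct ga_msg m;
    memcpy(bad, SAMPLE_MSG, sizeof bad);
    bad[sizeof bad - 5] = 0x20;
    return ga_parse(bad, sizeof bad, &m) == -1;
}

int main(void) {
    struct ga_msg m;
    if (ga_parse(SAMPLE_MSG, sizeof SAMPLE_MSG, &m) < 0) return 1;
    ga_print(&m);
    return 0;
}
```

<p>Run as is, it reproduces the 15 element names above with their raw values. The two reject_* functions cover the two failure modes a parser of messages received from the air or the IP side has to handle: a length field that disagrees with the number of bytes actually received, and an element whose length octet claims bytes past the end of the buffer. Both are refused before any value is read.</p>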
]]></content:encoded>
			<wfw:commentRss>http://labs.p1sec.com/2012/10/02/118/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Femtocell Ubiquisys G3 Security Analysis</title>
		<link>http://labs.p1sec.com/2012/08/28/femtocell-ubiquisys-g3-security-analysis/</link>
		<comments>http://labs.p1sec.com/2012/08/28/femtocell-ubiquisys-g3-security-analysis/#comments</comments>
		<pubDate>Tue, 28 Aug 2012 18:04:40 +0000</pubDate>
		<dc:creator><![CDATA[Ramtin Amin]]></dc:creator>
				<category><![CDATA[Femtocell]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Reverse engineering]]></category>

		<guid isPermaLink="false">http://labs.p1sec.com/?p=106</guid>
		<description><![CDATA[Femtocell Ubiquisys v2 Ubiquisys G3 Here is a look of the PCB In fact, it&#8217;s 2 PCB, one module from Ubiquisys connected with a B2B (board to board) connector to the NEC platform that is there for powering, ethernet, usb, at24 Eeprom. Some info about the cpu, before Broadcom buys Percello, it us...]]></description>
				<content:encoded><![CDATA[<h1>Femtocell Ubiquisys v2</h1>
<p>Ubiquisys G3</p>
<p><img alt="sfr femto" src="http://ramtin-amin.fr/img/sfr-femto.jpeg" /></p>
<p>Here is a look at the PCB:</p>
<p><a href="http://ramtin-amin.fr/img/ubi2_pcb.png" target="_blank"> <img title="Zif" alt="" src="http://ramtin-amin.fr/img/ubi2_pcb_small.png" /></a></p>
<p>In fact, there are two PCBs: a module from Ubiquisys connected through a B2B (board-to-board) connector to an NEC platform that provides power, Ethernet, USB and the AT24 EEPROM.</p>
<p>Some info about the CPU: before Broadcom bought Percello, it was tagged as PRC6000.</p>
<pre style="color: white; background-color: black; height: 300px; overflow: auto;"><code> 
cat /proc/cpuinfo
system type		: Percello PRC6000
processor		: 0
cpu model		: MIPS 24Kc V8.1
BogoMIPS		: 408.78
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 32
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 4, address/irw mask: [0x0000, 0x07a0, 0x0e28, 0x07e8]
ASEs implemented	: mips16
shadow register sets	: 2
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available
</code></pre>
<p>As seen in the previous version, there are A and B versions of the file systems. The boot partition contains a bootloader that is not U-Boot; it is a custom one made by Percello.</p>
<pre style="color: white; background-color: black; height: 300px; overflow: auto;"><code>
cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00020000 00020000 "boot"
mtd1: 07fe0000 00020000 "system"
mtd2: 0001f800 0001f800 "bootdata"
mtd3: 00333000 0001f800 "recovery"
mtd4: 0001f800 0001f800 "keystore"
mtd5: 0005e800 0001f800 "operator"
mtd6: 00295800 0001f800 "kernelA"
mtd7: 00fff000 0001f800 "rootfsA"
mtd8: 013b0000 0001f800 "ubiqfsA"
mtd9: 009d8000 0001f800 "databaseA"
mtd10: 00295800 0001f800 "kernelB"
mtd11: 00fff000 0001f800 "rootfsB"
mtd12: 013b0000 0001f800 "ubiqfsB"
mtd13: 009d8000 0001f800 "databaseB"
mtd14: 00333000 0001f800 "recovery-bak"
mtd15: 003f0000 0001f800 "recovery-cache"
</code></pre>
<p>Partitions are signed using RSA. Each partition is signed, and a signature as well as a public key is supplied with it. The bootloader is self-verified.</p>
<p><img alt="schema" src="http://ramtin-amin.fr/img/ubi2_secshem.png" /></p>
<p>The Percello seems able to use an external I2C EEPROM, whose footprint is not populated. In the init script, &#8220;at24=at24c02..&#8221; is passed to a kernel helper called &#8220;dev_helper&#8221;, which in this case loads the EEPROM driver. The funny part is that the EEPROM is addressed at 0x50 + A2 A1 A0. Here A2..A0 are all wired to GND, which would give this EEPROM the address 0x50. However, the script uses 0x57&#8230; The script checks whether the file /sys/class/i2c-adapter/i2c-1/1-0057/eeprom exists; if it does, it copies it and calls ee2ini, which converts it into an .ini file using ipeeprom.xml as a field descriptor. Otherwise, an ipeeprom_default.bin is used.</p>
<p><img alt="at24c02" src="http://ramtin-amin.fr/img/at24c02chip.jpeg" /></p>
<pre style="color: white; background-color: black; height: 300px; overflow: auto;"><code> 
# Read IP EEPROM, if present
EESPEC="at24=24c02,1,0x57,256,8,0"
echo $EESPEC &gt;/sys/kernel/ubiquisys/dev_helper
EEPROM="/sys/class/i2c-adapter/i2c-1/1-0057/eeprom"
if [ -e $EEPROM ]; then
    cp $EEPROM /tmp/ipeeprom.bin
    if ! ee2ini /etc/ipeeprom.xml /tmp/ipeeprom.bin /etc/ipeeprom.ini 2&gt;/dev/null; then
        echo "No valid data in IP EEPROM, setting to DHCP"
        ee2ini /etc/ipeeprom.xml /etc/eeprom_default.bin &gt;/etc/ipeeprom.ini
    fi
    rm /tmp/ipeeprom.bin
else
    ee2ini /etc/ipeeprom.xml /etc/eeprom_default.bin /etc/ipeeprom.ini
fi
</code></pre>
<p><img alt="" src="http://ramtin-amin.fr/img/at24.png" /></p>
<p>As seen in the picture, these three components are not populated:</p>
<ul>
<li>
<p style="color: red;">U18: AT24C02</p>
</li>
<li>
<p style="color: blue;">R129: 10k Pullup resistor</p>
</li>
<li>
<p style="color: blue;">C87: 100nf</p>
</li>
</ul>
<p>The EEPROM is only 256 bytes. However, the IP configuration would use less than 128 bytes; could the rest be used for some key? ;)</p>
<p>FTDI has a UMFT201XB-01 module, which is an I2C slave to USB converter.</p>
<p><img alt="umft201xb-01" src="http://ramtin-amin.fr/img/ftdichip.jpeg" /></p>
<p>The module is part of the FT-X device series. Thanks to Richard Meadows, who modified an FT_PROG-compatible tool written by Mark Lord, we can reconfigure the device to a specific I2C address. We need to configure it to receive data on address 0x57 (decimal 87) so that everything received on that channel is transferred to our /dev/ttyUSB0 on the USB side. Here is a dump of the device once programmed:</p>
<pre style="color: white; background-color: black; height: 300px; overflow: auto;"><code>
/ftx_prog --dump --verbose

ftx_prog: version 0.1
Modified for the FT-X series by Richard Meadows

Based upon:
ft232r_prog: version 1.23, by Mark Lord.
CRC: Okay (0xbbec)
existing eeprom:
0000: 00 00 03 04 15 60 00 10 80 2d 88 00 00 00 a0 03  .....`...-......
0010: a3 03 a6 03 57 00 00 00 00 00 08 08 08 08 00 00  ....W...........
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0080: 24 36 db c9 01 00 11 82 99 b0 30 00 00 00 00 00  $6........0.....
0090: 00 00 00 03 44 42 56 55 30 55 43 49 00 00 00 00  ....DBVU0UCI....
00a0: 06 03 46 12 03 46 10 03 46 00 00 00 00 00 00 00  ..F..F..F.......
00b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec bb  ................
	Battery Charge Detect (BCD) Enabled = False
	Force Power Enable Signal on CBUS = False
	Deactivate Sleep in Battery Charge Mode = False
	External Oscillator Enabled = False
	External Oscillator Feedback Resistor Enabled = False
	CBUS pin allocated to VBUS Sense Mode = False
	Load Virtual COM Port (VCP) Drivers = False
	Vendor ID (VID) = 0x0403
	Product ID (PID) = 0x6015
	USB Version = USB16.0
	Remote Wakeup by something other than USB = False
	Self Powered = False
	Maximum Current Supported from USB = 90mA
	Pins Pulled Down on USB Suspend = False
	Indicate USB Serial Number Available = True
 FT1248
-------
	FT1248 Clock Polarity = Active Low
	FT1248 Bit Order = MSB to LSB
	FT1248 Flow Control Enabled = False
 RS232
-------
	Invert TXD = False
	Invert RXD = False
	Invert RTS = False
	Invert CTS = False
	Invert DTR = False
	Invert DSR = False
	Invert DCD = False
	Invert RI = False
 RS485
-------
	RS485 Echo Suppression Enabled = False
	DBUS Drive Strength = 4mA
	DBUS Slow Slew Mode = 0
	DBUS Schmitt Trigger = 0
	CBUS Drive Strength = 4mA
	CBUS Slow Slew Mode = 0
	CBUS Schmitt Trigger = 0
	Manufacturer = F
	Product = F
	Serial Number = F
  I2C
-------
	I2C Slave Address = 87 
	I2C Device ID = 0 
	I2C Schmitt Triggers Disabled = True
  CBUS
-------
	CBUS0 = GPIO
	CBUS1 = GPIO
	CBUS2 = GPIO
	CBUS3 = GPIO
	CBUS4 = Tristate
	CBUS5 = Tristate
	CBUS6 = Tristate
No change from existing eeprom contents.

</code></pre>
<p>In order to analyze what is on the bus, I&#8217;m using an Open Bench Logic Sniffer:</p>
<p><a href="http://dangerousprototypes.com/docs/Open_Bench_Logic_Sniffer" target="_blank">http://dangerousprototypes.com/docs/Open_Bench_Logic_Sniffer</a><br />
<img alt="open bench logic sniffer" src="http://ramtin-amin.fr/img/Ols-cover.jpg" /></p>
<p>This cheap sniffer lets me analyze the traffic later on. It has a handy feature that automatically identifies the SDA and SCL lines of the I2C bus and shows the data on the bus, as well as the timing.</p>
<p><a href="http://ramtin-amin.fr/img/i2c_sniff.png" target="_blank"> <img title="Zif" alt="" src="http://ramtin-amin.fr/img/i2c_sniff_small.png" /></a></p>
<p>Here is a picture of the final test prototype. We can see the femtocell connected with wire-wrap copper cable to the I2C module (white), and the sniffer (red) on the path.</p>
<p><iframe src="http://www.youtube.com/embed/4-h8_vwLPSo" height="315" width="560" allowfullscreen="" frameborder="0"></iframe></p>
<p>In this video, on the right side, the terminal is a root shell on the femtocell. At the bottom, we have on /dev/ttyUSB1 the FTDI module connected to the I2C bus of the femto. And finally, on the top left, the Open Bench Logic Sniffer. The video shows that at first the file 1-0057/eeprom does not exist. After sending the at24=.. string to the dev_helper, something happens on the I2C bus (the sniffer is in red while waiting to be triggered). Now the file 1-0057/eeprom exists. Next, we write an &#8220;ABCDEF..&#8221; pattern to the /dev/ttyUSB1 device, which is the I2C to USB converter; this one keeps the string in its FIFO. When, on the femto console, we do a cat 1-0057/eeprom, the string that was passed to /dev/ttyUSB is returned. We see on the sniffer that the data was sent at that moment through the I2C bus to address 0x57. Therefore, the AT24C02 has been emulated. For reference, here is the ipeeprom.xml field descriptor that ee2ini uses:</p>
<pre style="color: white; background-color: black; height: 300px; overflow: auto;"><code>
"&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;EEPROMFieldDefinitions&gt;

    &lt;SchemaVersion&gt;0.0.2&lt;/SchemaVersion&gt;
    &lt;SchemaDate&gt;Mon May  9 12:00:00 2011&lt;/SchemaDate&gt;
    &lt;EEPROMField&gt;
        &lt;Name&gt;DHCPEnabled&lt;/Name&gt;
         &lt;Tag&gt;1&lt;/Tag&gt;
        &lt;Type&gt;unsigned&lt;/Type&gt;
         &lt;Min&gt;0&lt;/Min&gt;
        &lt;Max&gt;1&lt;/Max&gt;
         &lt;Modifiable&gt;1&lt;/Modifiable&gt;
        &lt;Info&gt;Configures whether the ZAP IP address is obtained by DHCP or not&lt;/Info&gt;
         &lt;Default&gt;1&lt;/Default&gt;
    &lt;/EEPROMField&gt;
     &lt;EEPROMField&gt;
        &lt;Name&gt;StaticIPAddress&lt;/Name&gt;
         &lt;Tag&gt;2&lt;/Tag&gt;
        &lt;Type&gt;string&lt;/Type&gt;
         &lt;Size&gt;15&lt;/Size&gt;
        &lt;Modifiable&gt;1&lt;/Modifiable&gt;
         &lt;Info&gt;ZAP static IP address (Only used if DHCP disabled)&lt;/Info&gt;
        &lt;Default&gt;192.168.1.120&lt;/Default&gt;
     &lt;/EEPROMField&gt;
    &lt;EEPROMField&gt;
         &lt;Name&gt;StaticNetmask&lt;/Name&gt;
        &lt;Tag&gt;3&lt;/Tag&gt;
         &lt;Type&gt;string&lt;/Type&gt;
        &lt;Size&gt;15&lt;/Size&gt;
         &lt;Modifiable&gt;1&lt;/Modifiable&gt;
        &lt;Info&gt;ZAP static netmask (Only used if DHCP disabled)&lt;/Info&gt;
         &lt;Default&gt;255.255.0.0&lt;/Default&gt;
    &lt;/EEPROMField&gt;
     &lt;EEPROMField&gt;
        &lt;Name&gt;GatewayAddress&lt;/Name&gt;
         &lt;Tag&gt;4&lt;/Tag&gt;
        &lt;Type&gt;string&lt;/Type&gt;
         &lt;Size&gt;15&lt;/Size&gt;
        &lt;Modifiable&gt;1&lt;/Modifiable&gt;
         &lt;Info&gt;Gateway IP address (Only used if DHCP disabled)&lt;/Info&gt;
        &lt;Default&gt;192.168.1.1&lt;/Default&gt;
     &lt;/EEPROMField&gt;
    &lt;EEPROMField&gt;
         &lt;Name&gt;PrimaryDNSAddress&lt;/Name&gt;
        &lt;Tag&gt;5&lt;/Tag&gt;
         &lt;Type&gt;string&lt;/Type&gt;
        &lt;Size&gt;15&lt;/Size&gt;
         &lt;Modifiable&gt;1&lt;/Modifiable&gt;
        &lt;Info&gt;Primary DNS server IP address (Mandatory if DHCP disabled)&lt;/Info&gt;
         &lt;Default&gt;0.0.0.0&lt;/Default&gt;
    &lt;/EEPROMField&gt;
     &lt;EEPROMField&gt;
        &lt;Name&gt;SecondaryDNSAddress&lt;/Name&gt;
         &lt;Tag&gt;6&lt;/Tag&gt;
        &lt;Type&gt;string&lt;/Type&gt;
         &lt;Size&gt;15&lt;/Size&gt;
        &lt;Modifiable&gt;1&lt;/Modifiable&gt;
         &lt;Info&gt;Secondary DNS server IP address (Mandatory if DHCP disabled)&lt;/Info&gt;
        &lt;Default&gt;0.0.0.0&lt;/Default&gt;
     &lt;/EEPROMField&gt;
    &lt;EEPROMField&gt;
         &lt;Name&gt;VLANEnabled&lt;/Name&gt;
        &lt;Tag&gt;7&lt;/Tag&gt;
         &lt;Type&gt;unsigned&lt;/Type&gt;
        &lt;Min&gt;0&lt;/Min&gt;
         &lt;Max&gt;1&lt;/Max&gt;
        &lt;Modifiable&gt;1&lt;/Modifiable&gt;
         &lt;Info&gt;Configures whether VLAN tagging is to be used (Only used if DHCP disabled)&lt;/Info&gt;
        &lt;Default&gt;0&lt;/Default&gt;
     &lt;/EEPROMField&gt;
    &lt;EEPROMField&gt;
         &lt;Name&gt;VLANID&lt;/Name&gt;
        &lt;Tag&gt;8&lt;/Tag&gt;
         &lt;Type&gt;unsigned&lt;/Type&gt;
        &lt;Min&gt;0&lt;/Min&gt;
         &lt;Max&gt;4094&lt;/Max&gt;
        &lt;Modifiable&gt;1&lt;/Modifiable&gt;
         &lt;Info&gt;The ID of the VLAN in the tagging (Only used if DHCP disabled and VLAN enabled)&lt;/Info&gt;
        &lt;Default&gt;0&lt;/Default&gt;
     &lt;/EEPROMField&gt;
    &lt;EEPROMField&gt;
         &lt;Name&gt;Conversational&lt;/Name&gt;
        &lt;Tag&gt;9&lt;/Tag&gt;
         &lt;Type&gt;unsigned&lt;/Type&gt;
        &lt;Min&gt;0&lt;/Min&gt;
         &lt;Max&gt;7&lt;/Max&gt;
        &lt;Modifiable&gt;1&lt;/Modifiable&gt;
         &lt;Info&gt;Class of service for conversational data (Only used if DHCP disabled and VLAN enabled)&lt;/Info&gt;
        &lt;Default&gt;5&lt;/Default&gt;
     &lt;/EEPROMField&gt;
    &lt;EEPROMField&gt;
         &lt;Name&gt;StreamingPS&lt;/Name&gt;
        &lt;Tag&gt;10&lt;/Tag&gt;
         &lt;Type&gt;unsigned&lt;/Type&gt;
        &lt;Min&gt;0&lt;/Min&gt;
         &lt;Max&gt;7&lt;/Max&gt;
        &lt;Modifiable&gt;1&lt;/Modifiable&gt;
         &lt;Info&gt;Class of service for streaming PS data (Only used if DHCP disabled and VLAN enabled)&lt;/Info&gt;
        &lt;Default&gt;4&lt;/Default&gt;
     &lt;/EEPROMField&gt;
    &lt;EEPROMField&gt;
         &lt;Name&gt;InteractivePS_Priority1&lt;/Name&gt;
        &lt;Tag&gt;11&lt;/Tag&gt;
         &lt;Type&gt;unsigned&lt;/Type&gt;
        &lt;Min&gt;0&lt;/Min&gt;
         &lt;Max&gt;7&lt;/Max&gt;
        &lt;Modifiable&gt;1&lt;/Modifiable&gt;
         &lt;Info&gt;Class of service for interactive PS data, priority 1 (Only used if DHCP disabled and VLAN enabled)&lt;/Info&gt;
        &lt;Default&gt;3&lt;/Default&gt;
     &lt;/EEPROMField&gt;
    &lt;EEPROMField&gt;
         &lt;Name&gt;InteractivePS_Priority2&lt;/Name&gt;
        &lt;Tag&gt;12&lt;/Tag&gt;
         &lt;Type&gt;unsigned&lt;/Type&gt;
        &lt;Min&gt;0&lt;/Min&gt;
         &lt;Max&gt;7&lt;/Max&gt;
        &lt;Modifiable&gt;1&lt;/Modifiable&gt;
         &lt;Info&gt;Class of service for interactive PS data, priority 2 (Only used if DHCP disabled and VLAN enabled)&lt;/Info&gt;
        &lt;Default&gt;2&lt;/Default&gt;
     &lt;/EEPROMField&gt;
    &lt;EEPROMField&gt;
         &lt;Name&gt;InteractivePS_Priority3&lt;/Name&gt;
        &lt;Tag&gt;13&lt;/Tag&gt;
         &lt;Type&gt;unsigned&lt;/Type&gt;
        &lt;Min&gt;0&lt;/Min&gt;
         &lt;Max&gt;7&lt;/Max&gt;
        &lt;Modifiable&gt;1&lt;/Modifiable&gt;
         &lt;Info&gt;Class of service for interactive PS data, priority 3 (Only used if DHCP disabled and VLAN enabled)&lt;/Info&gt;
        &lt;Default&gt;0&lt;/Default&gt;
     &lt;/EEPROMField&gt;
    &lt;EEPROMField&gt;
         &lt;Name&gt;BackgroundPS&lt;/Name&gt;
        &lt;Tag&gt;14&lt;/Tag&gt;
         &lt;Type&gt;unsigned&lt;/Type&gt;
        &lt;Min&gt;0&lt;/Min&gt;
         &lt;Max&gt;7&lt;/Max&gt;
        &lt;Modifiable&gt;1&lt;/Modifiable&gt;
         &lt;Info&gt;Class of service for background PS data (Only used if DHCP disabled and VLAN enabled)&lt;/Info&gt;
        &lt;Default&gt;1&lt;/Default&gt;
     &lt;/EEPROMField&gt;
    &lt;EEPROMField&gt;
         &lt;Name&gt;Signalling&lt;/Name&gt;
        &lt;Tag&gt;15&lt;/Tag&gt;
         &lt;Type&gt;unsigned&lt;/Type&gt;
        &lt;Min&gt;0&lt;/Min&gt;
         &lt;Max&gt;7&lt;/Max&gt;
        &lt;Modifiable&gt;1&lt;/Modifiable&gt;
         &lt;Info&gt;Class of service for signalling data to the core network (Only used if DHCP disabled and VLAN enabled)&lt;/Info&gt;
        &lt;Default&gt;3&lt;/Default&gt;
     &lt;/EEPROMField&gt;
    &lt;EEPROMField&gt;
         &lt;Name&gt;OAMP&lt;/Name&gt;
        &lt;Tag&gt;16&lt;/Tag&gt;
         &lt;Type&gt;unsigned&lt;/Type&gt;
        &lt;Min&gt;0&lt;/Min&gt;
         &lt;Max&gt;7&lt;/Max&gt;
        &lt;Modifiable&gt;1&lt;/Modifiable&gt;
         &lt;Info&gt;Class of service for OAMP/TR069 data (Only used if DHCP disabled and VLAN enabled)&lt;/Info&gt;
        &lt;Default&gt;0&lt;/Default&gt;
     &lt;/EEPROMField&gt;
    &lt;EEPROMField&gt;
         &lt;Name&gt;IPT&lt;/Name&gt;
        &lt;Tag&gt;17&lt;/Tag&gt;
         &lt;Type&gt;unsigned&lt;/Type&gt;
        &lt;Min&gt;0&lt;/Min&gt;
         &lt;Max&gt;7&lt;/Max&gt;
        &lt;Modifiable&gt;1&lt;/Modifiable&gt;
         &lt;Info&gt;Class of service for IP timing data (Only used if DHCP disabled and VLAN enabled)&lt;/Info&gt;
        &lt;Default&gt;2&lt;/Default&gt;
     &lt;/EEPROMField&gt;
    &lt;Digest&gt;7a38eee56bb9218a797deeecac54db37382e8de2&lt;/Digest&gt;
&lt;/EEPROMFieldDefinitions&gt;

</code></pre>
]]></content:encoded>
			<wfw:commentRss>http://labs.p1sec.com/2012/08/28/femtocell-ubiquisys-g3-security-analysis/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
