Femtocell Ubiquisys G3 Security Analysis
Femtocell Ubiquisys v2
Ubiquisys G3
Here is a look at the PCB.
It is in fact two PCBs: a Ubiquisys module connected through a board-to-board (B2B) connector to the NEC platform, which provides power, Ethernet, USB and the AT24 EEPROM footprint.
Some info about the CPU: before Broadcom bought Percello, it was tagged as the PRC6000.
cat /proc/cpuinfo
system type : Percello PRC6000
processor : 0
cpu model : MIPS 24Kc V8.1
BogoMIPS : 408.78
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x07a0, 0x0e28, 0x07e8]
ASEs implemented : mips16
shadow register sets : 2
core : 0
VCED exceptions : not available
VCEI exceptions : not available
As seen in the previous version, there are A and B copies of the file systems. The boot partition contains a bootloader that is not U-Boot; it is a custom one made by Percello.
cat /proc/mtd
dev: size erasesize name
mtd0: 00020000 00020000 "boot"
mtd1: 07fe0000 00020000 "system"
mtd2: 0001f800 0001f800 "bootdata"
mtd3: 00333000 0001f800 "recovery"
mtd4: 0001f800 0001f800 "keystore"
mtd5: 0005e800 0001f800 "operator"
mtd6: 00295800 0001f800 "kernelA"
mtd7: 00fff000 0001f800 "rootfsA"
mtd8: 013b0000 0001f800 "ubiqfsA"
mtd9: 009d8000 0001f800 "databaseA"
mtd10: 00295800 0001f800 "kernelB"
mtd11: 00fff000 0001f800 "rootfsB"
mtd12: 013b0000 0001f800 "ubiqfsB"
mtd13: 009d8000 0001f800 "databaseB"
mtd14: 00333000 0001f800 "recovery-bak"
mtd15: 003f0000 0001f800 "recovery-cache"
Partitions are signed with RSA. Each partition carries a signature together with the public key needed to check it, and the bootloader verifies itself. Note that a public key shipped next to the data it signs only protects anything if that key is itself anchored somewhere the attacker cannot rewrite (ROM, OTP, or a hash in the self-verified bootloader); whether that is the case here is not established.
The Percello seems able to use an external I2C EEPROM, which is not populated. In the init script, the string "at24=24c02,1,0x57,256,8,0" is passed to a kernel helper called dev_helper, which in this case instantiates the at24 driver for a 24C02 (256 bytes, 8-byte pages) on bus 1 at address 0x57. The odd part is the address. An AT24C02 answers at 0x50 + (A2 A1 A0); with A2..A0 wired to GND, as they are here, that gives 0x50, yet the script uses 0x57, which corresponds to all three address pins tied high. A real chip fitted in the footprint as wired would therefore never be found by this script. The script then checks whether /sys/class/i2c-adapter/i2c-1/1-0057/eeprom exists; if it does, it copies the contents to /tmp and calls ee2ini, which converts them into an .ini file using ipeeprom.xml as the field descriptor, falling back to DHCP if ee2ini rejects the data. If the node does not exist, /etc/eeprom_default.bin is converted instead.
# Read IP EEPROM, if present
# Ask the kernel helper to instantiate an at24 device: 24c02, bus 1, address 0x57, 256 bytes, 8-byte pages
EESPEC="at24=24c02,1,0x57,256,8,0"
echo $EESPEC >/sys/kernel/ubiquisys/dev_helper
# sysfs node the at24 driver exposes once it has bound to 1-0057
EEPROM="/sys/class/i2c-adapter/i2c-1/1-0057/eeprom"
if [ -e $EEPROM ]; then
    cp $EEPROM /tmp/ipeeprom.bin
    # ee2ini <field descriptor> <binary image> <ini>: non-zero exit if the image does not decode
    if ! ee2ini /etc/ipeeprom.xml /tmp/ipeeprom.bin /etc/ipeeprom.ini 2>/dev/null; then
        echo "No valid data in IP EEPROM, setting to DHCP"
        # Fallback to the built-in defaults; this call writes the .ini via stdout redirect,
        # unlike the two others, so ee2ini presumably prints to stdout when no output path is given
        ee2ini /etc/ipeeprom.xml /etc/eeprom_default.bin >/etc/ipeeprom.ini
    fi
    rm /tmp/ipeeprom.bin
else
    # No EEPROM node at all: convert the built-in defaults
    ee2ini /etc/ipeeprom.xml /etc/eeprom_default.bin /etc/ipeeprom.ini
fi
As seen in the picture, three components are not populated:
- U18: AT24C02
- R129: 10k pull-up resistor
- C87: 100nF
The EEPROM is only 256 bytes. The IP configuration would use less than 128 bytes, so could the rest be used for some key? 😉
FTDI has a UMFT201XB-01 module, which is an I2C slave to USB converter.
The module is part of the FT-X device series. Thanks to Richard Meadows, who modified an FT_PROG-compatible tool written by Mark Lord, we can reconfigure the device to a specific I2C address. We need to configure it to answer on address 0x57 (87 decimal) so that everything received on that I2C address is passed through to our /dev/ttyUSB0 on the USB side. Here is a dump once programmed:
/ftx_prog --dump --verbose
ftx_prog: version 0.1
Modified for the FT-X series by Richard Meadows
Based upon:
ft232r_prog: version 1.23, by Mark Lord.
CRC: Okay (0xbbec)
existing eeprom:
0000: 00 00 03 04 15 60 00 10 80 2d 88 00 00 00 a0 03 .....`...-......
0010: a3 03 a6 03 57 00 00 00 00 00 08 08 08 08 00 00 ....W...........
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080: 24 36 db c9 01 00 11 82 99 b0 30 00 00 00 00 00 $6........0.....
0090: 00 00 00 03 44 42 56 55 30 55 43 49 00 00 00 00 ....DBVU0UCI....
00a0: 06 03 46 12 03 46 10 03 46 00 00 00 00 00 00 00 ..F..F..F.......
00b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec bb ................
Battery Charge Detect (BCD) Enabled = False
Force Power Enable Signal on CBUS = False
Deactivate Sleep in Battery Charge Mode = False
External Oscillator Enabled = False
External Oscillator Feedback Resistor Enabled = False
CBUS pin allocated to VBUS Sense Mode = False
Load Virtual COM Port (VCP) Drivers = False
Vendor ID (VID) = 0x0403
Product ID (PID) = 0x6015
USB Version = USB16.0
Remote Wakeup by something other than USB = False
Self Powered = False
Maximum Current Supported from USB = 90mA
Pins Pulled Down on USB Suspend = False
Indicate USB Serial Number Available = True
FT1248
-------
FT1248 Clock Polarity = Active Low
FT1248 Bit Order = MSB to LSB
FT1248 Flow Control Enabled = False
RS232
-------
Invert TXD = False
Invert RXD = False
Invert RTS = False
Invert CTS = False
Invert DTR = False
Invert DSR = False
Invert DCD = False
Invert RI = False
RS485
-------
RS485 Echo Suppression Enabled = False
DBUS Drive Strength = 4mA
DBUS Slow Slew Mode = 0
DBUS Schmitt Trigger = 0
CBUS Drive Strength = 4mA
CBUS Slow Slew Mode = 0
CBUS Schmitt Trigger = 0
Manufacturer = F
Product = F
Serial Number = F
I2C
-------
I2C Slave Address = 87
I2C Device ID = 0
I2C Schmitt Triggers Disabled = True
CBUS
-------
CBUS0 = GPIO
CBUS1 = GPIO
CBUS2 = GPIO
CBUS3 = GPIO
CBUS4 = Tristate
CBUS5 = Tristate
CBUS6 = Tristate
No change from existing eeprom contents.
In order to analyze what is on the bus, I am using an Open Bench Logic Sniffer:
http://dangerousprototypes.com/docs/Open_Bench_Logic_Sniffer
This cheap sniffer lets me analyze the traffic afterwards. It has a handy feature that automatically identifies the SDA and SCL lines of the I2C bus and shows the data on the bus, together with the timing.
Here is a picture of the final test prototype. The femtocell is connected with wire-wrap copper wire to the I2C module (white), with the sniffer (red) on the path.
In this video, the terminal on the right is a root shell on the femtocell. At the bottom is /dev/ttyUSB1, the FTDI module connected to the femto's I2C bus. Top left is the Open Bench Logic Sniffer. At first, the file 1-0057/eeprom does not exist. After the at24=... string is written to dev_helper, something happens on the I2C bus (the sniffer window is red while it waits for a trigger), and 1-0057/eeprom now exists. Next, we write an "ABCDEF..." pattern to /dev/ttyUSB1, the I2C-to-USB converter, which holds the string in its FIFO. When we then cat 1-0057/eeprom on the femto console, the string that was written to /dev/ttyUSB1 comes back, and the sniffer shows the bytes going out on the I2C bus to address 0x57 at that moment. The AT24C02 has therefore been emulated.
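The following is an added example, not code from the original post or from Ubiquisys: it models the two halves of what was just described, the dev_helper probe (EESPEC string, AT24C02 addressing, the sysfs node the init script waits for) and the emulation side (a 256-byte image queued into the FT201X FIFO for the femto to read). Labelled assumptions: the meaning of the six EESPEC fields (chip, I2C bus, 7-bit address, size in bytes, page size, flags) is inferred from the values in the init script; the serial device path and the image contents are constructed; the low/high split of the image is a layout chosen here, not ee2ini's encoding. The AT24C02 addressing rule (1010 A2 A1 A0) is from the part's datasheet.

```python
"""Added example, not part of the original post: model the femtocell's IP-EEPROM
probe and the AT24C02 emulation through the FT201X.

Labelled assumptions: the meaning of the six EESPEC fields (chip, I2C bus,
7-bit address, size in bytes, page size, flags) is inferred from the values in
the init script; the serial device path and the image contents are constructed.
"""
from dataclasses import dataclass
import sys

EESPEC = "at24=24c02,1,0x57,256,8,0"   # string from the femtocell's init script
CHIP_BYTES = {"24c02": 256}            # a 24C02 is 2 kbit = 256 bytes


@dataclass
class EeSpec:
    chip: str
    bus: int
    addr: int
    size: int
    pagesize: int
    flags: int


def parse_eespec(spec):
    """Split the dev_helper string into its (assumed) fields and sanity-check them."""
    key, sep, rest = spec.partition("=")
    if key != "at24" or not sep:
        raise ValueError("not an at24 spec: %r" % spec)
    chip, bus, addr, size, page, flags = rest.split(",")
    ee = EeSpec(chip, int(bus), int(addr, 0), int(size), int(page), int(flags))
    if CHIP_BYTES.get(ee.chip) not in (None, ee.size):
        raise ValueError("size %d does not match a %s" % (ee.size, ee.chip))
    if not 0x50 <= ee.addr <= 0x57:
        raise ValueError("0x%02x is outside the AT24 address range" % ee.addr)
    return ee


def at24_address(a2, a1, a0):
    """7-bit I2C address of an AT24C02: fixed 1010 prefix plus the A2, A1, A0 pins."""
    return 0x50 | (a2 << 2) | (a1 << 1) | a0


def sysfs_eeprom_path(bus, addr):
    """Node the init script tests for once the at24 driver has bound."""
    return "/sys/class/i2c-adapter/i2c-%d/%d-%04x/eeprom" % (bus, bus, addr)


def build_image(config, spare=b"", size=256):
    """256-byte image: IP configuration in the low half, spare bytes in the high half.
    The split mirrors the post's remark that the configuration needs under 128 bytes;
    it is a layout chosen here (assumption), not ee2ini's own encoding."""
    half = size // 2
    if len(config) > half or len(spare) > half:
        raise ValueError("each half is limited to %d bytes" % half)
    return config.ljust(half, b"\xff") + spare.ljust(half, b"\xff")


def feed_ftx(dev, image):
    """Queue the image in the FT201X FIFO; the chip hands the bytes to the femtocell
    when it reads address 0x57. dev is any binary file object, e.g. the result of
    open('/dev/ttyUSB1', 'wb', buffering=0). Returns the number of bytes written."""
    written = dev.write(image)
    dev.flush()
    return written


if __name__ == "__main__":
    spec = parse_eespec(EESPEC)
    print("probe expects", sysfs_eeprom_path(spec.bus, spec.addr))
    print("pins grounded -> 0x%02x, script uses -> 0x%02x"
          % (at24_address(0, 0, 0), spec.addr))
    image = build_image(b"ABCDEFGHIJKLMNOP", b"K" * 32)          # constructed pattern
    dev_path = sys.argv[1] if len(sys.argv) > 1 else "/dev/ttyUSB1"  # assumed device
    with open(dev_path, "wb", buffering=0) as dev:
        print("queued", feed_ftx(dev, image), "bytes; now cat the eeprom node on the femto")
```

Put the tty in raw mode first (stty -F /dev/ttyUSB1 raw) so the line discipline does not translate or buffer the bytes, then trigger the read from the femto side with cat on the eeprom node and compare what the sniffer decodes at 0x57 with the image you queued.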
The field descriptor /etc/ipeeprom.xml used by ee2ini:
<?xml version="1.0" encoding="UTF-8"?>
<EEPROMFieldDefinitions>
  <SchemaVersion>0.0.2</SchemaVersion>
  <SchemaDate>Mon May  9 12:00:00 2011</SchemaDate>
  <EEPROMField>
    <Name>DHCPEnabled</Name>
    <Tag>1</Tag>
    <Type>unsigned</Type>
    <Min>0</Min>
    <Max>1</Max>
    <Modifiable>1</Modifiable>
    <Info>Configures whether the ZAP IP address is obtained by DHCP or not</Info>
    <Default>1</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>StaticIPAddress</Name>
    <Tag>2</Tag>
    <Type>string</Type>
    <Size>15</Size>
    <Modifiable>1</Modifiable>
    <Info>ZAP static IP address (Only used if DHCP disabled)</Info>
    <Default>192.168.1.120</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>StaticNetmask</Name>
    <Tag>3</Tag>
    <Type>string</Type>
    <Size>15</Size>
    <Modifiable>1</Modifiable>
    <Info>ZAP static netmask (Only used if DHCP disabled)</Info>
    <Default>255.255.0.0</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>GatewayAddress</Name>
    <Tag>4</Tag>
    <Type>string</Type>
    <Size>15</Size>
    <Modifiable>1</Modifiable>
    <Info>Gateway IP address (Only used if DHCP disabled)</Info>
    <Default>192.168.1.1</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>PrimaryDNSAddress</Name>
    <Tag>5</Tag>
    <Type>string</Type>
    <Size>15</Size>
    <Modifiable>1</Modifiable>
    <Info>Primary DNS server IP address (Mandatory if DHCP disabled)</Info>
    <Default>0.0.0.0</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>SecondaryDNSAddress</Name>
    <Tag>6</Tag>
    <Type>string</Type>
    <Size>15</Size>
    <Modifiable>1</Modifiable>
    <Info>Secondary DNS server IP address (Mandatory if DHCP disabled)</Info>
    <Default>0.0.0.0</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>VLANEnabled</Name>
    <Tag>7</Tag>
    <Type>unsigned</Type>
    <Min>0</Min>
    <Max>1</Max>
    <Modifiable>1</Modifiable>
    <Info>Configures whether VLAN tagging is to be used (Only used if DHCP disabled)</Info>
    <Default>0</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>VLANID</Name>
    <Tag>8</Tag>
    <Type>unsigned</Type>
    <Min>0</Min>
    <Max>4094</Max>
    <Modifiable>1</Modifiable>
    <Info>The ID of the VLAN in the tagging (Only used if DHCP disabled and VLAN enabled)</Info>
    <Default>0</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>Conversational</Name>
    <Tag>9</Tag>
    <Type>unsigned</Type>
    <Min>0</Min>
    <Max>7</Max>
    <Modifiable>1</Modifiable>
    <Info>Class of service for conversational data (Only used if DHCP disabled and VLAN enabled)</Info>
    <Default>5</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>StreamingPS</Name>
    <Tag>10</Tag>
    <Type>unsigned</Type>
    <Min>0</Min>
    <Max>7</Max>
    <Modifiable>1</Modifiable>
    <Info>Class of service for streaming PS data (Only used if DHCP disabled and VLAN enabled)</Info>
    <Default>4</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>InteractivePS_Priority1</Name>
    <Tag>11</Tag>
    <Type>unsigned</Type>
    <Min>0</Min>
    <Max>7</Max>
    <Modifiable>1</Modifiable>
    <Info>Class of service for interactive PS data, priority 1 (Only used if DHCP disabled and VLAN enabled)</Info>
    <Default>3</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>InteractivePS_Priority2</Name>
    <Tag>12</Tag>
    <Type>unsigned</Type>
    <Min>0</Min>
    <Max>7</Max>
    <Modifiable>1</Modifiable>
    <Info>Class of service for interactive PS data, priority 2 (Only used if DHCP disabled and VLAN enabled)</Info>
    <Default>2</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>InteractivePS_Priority3</Name>
    <Tag>13</Tag>
    <Type>unsigned</Type>
    <Min>0</Min>
    <Max>7</Max>
    <Modifiable>1</Modifiable>
    <Info>Class of service for interactive PS data, priority 3 (Only used if DHCP disabled and VLAN enabled)</Info>
    <Default>0</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>BackgroundPS</Name>
    <Tag>14</Tag>
    <Type>unsigned</Type>
    <Min>0</Min>
    <Max>7</Max>
    <Modifiable>1</Modifiable>
    <Info>Class of service for background PS data (Only used if DHCP disabled and VLAN enabled)</Info>
    <Default>1</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>Signalling</Name>
    <Tag>15</Tag>
    <Type>unsigned</Type>
    <Min>0</Min>
    <Max>7</Max>
    <Modifiable>1</Modifiable>
    <Info>Class of service for signalling data to the core network (Only used if DHCP disabled and VLAN enabled)</Info>
    <Default>3</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>OAMP</Name>
    <Tag>16</Tag>
    <Type>unsigned</Type>
    <Min>0</Min>
    <Max>7</Max>
    <Modifiable>1</Modifiable>
    <Info>Class of service for OAMP/TR069 data (Only used if DHCP disabled and VLAN enabled)</Info>
    <Default>0</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>IPT</Name>
    <Tag>17</Tag>
    <Type>unsigned</Type>
    <Min>0</Min>
    <Max>7</Max>
    <Modifiable>1</Modifiable>
    <Info>Class of service for IP timing data (Only used if DHCP disabled and VLAN enabled)</Info>
    <Default>2</Default>
  </EEPROMField>
  <Digest>7a38eee56bb9218a797deeecac54db37382e8de2</Digest>
</EEPROMFieldDefinitions>
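As an added example (not the project's ee2ini, nor code from the post), here is a loader for this EEPROMFieldDefinitions schema and a checker for a decoded configuration against its Min, Max and Size constraints. The XML embedded below is a constructed excerpt of the descriptor above (four of its seventeen fields, Digest omitted). The binary encoding ee2ini expects inside the 256-byte image is not documented on the page, so the checker works on decoded name/value pairs, which is what the resulting .ini carries; anything an emulated EEPROM injects must end up satisfying these bounds to avoid the "No valid data" DHCP fallback.

```python
"""Added example, not part of the original post: load the EEPROMFieldDefinitions
schema that ee2ini consumes and check a decoded IP configuration against it.

SCHEMA_SUBSET is a constructed excerpt of /etc/ipeeprom.xml (four fields, no
Digest). The raw EEPROM encoding is not known here, so validation is done on
decoded name/value pairs.
"""
import xml.etree.ElementTree as ET

SCHEMA_SUBSET = """\
<EEPROMFieldDefinitions>
  <SchemaVersion>0.0.2</SchemaVersion>
  <EEPROMField>
    <Name>DHCPEnabled</Name><Tag>1</Tag><Type>unsigned</Type>
    <Min>0</Min><Max>1</Max><Modifiable>1</Modifiable><Default>1</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>StaticIPAddress</Name><Tag>2</Tag><Type>string</Type>
    <Size>15</Size><Modifiable>1</Modifiable><Default>192.168.1.120</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>VLANID</Name><Tag>8</Tag><Type>unsigned</Type>
    <Min>0</Min><Max>4094</Max><Modifiable>1</Modifiable><Default>0</Default>
  </EEPROMField>
  <EEPROMField>
    <Name>Conversational</Name><Tag>9</Tag><Type>unsigned</Type>
    <Min>0</Min><Max>7</Max><Modifiable>1</Modifiable><Default>5</Default>
  </EEPROMField>
</EEPROMFieldDefinitions>
"""


def _opt_int(text):
    return None if text is None else int(text)


def load_fields(xml_text):
    """Map field name -> constraints taken from each <EEPROMField> element."""
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.findall("EEPROMField"):
        fields[el.findtext("Name")] = {
            "tag": int(el.findtext("Tag")),
            "type": el.findtext("Type"),
            "min": _opt_int(el.findtext("Min")),      # unsigned fields only
            "max": _opt_int(el.findtext("Max")),
            "size": _opt_int(el.findtext("Size")),    # string fields only
            "default": el.findtext("Default"),
        }
    return fields


def check_value(spec, value):
    """Return None when value satisfies spec, otherwise a short reason."""
    if spec["type"] == "unsigned":
        try:
            n = int(value)
        except (TypeError, ValueError):
            return "not an integer"
        if n < 0:
            return "negative"
        if spec["min"] is not None and n < spec["min"]:
            return "below Min %d" % spec["min"]
        if spec["max"] is not None and n > spec["max"]:
            return "above Max %d" % spec["max"]
    elif spec["type"] == "string":
        if spec["size"] is not None and len(value) > spec["size"]:
            return "longer than Size %d" % spec["size"]
    else:
        return "unsupported Type %r" % spec["type"]
    return None


def validate(fields, values):
    """Check every supplied value; returns {name: reason} for those that fail."""
    problems = {}
    for name, value in values.items():
        if name not in fields:
            problems[name] = "not defined in schema"
            continue
        reason = check_value(fields[name], value)
        if reason is not None:
            problems[name] = reason
    return problems


def defaults(fields):
    """The configuration described by the schema's <Default> values, in .ini form."""
    return "".join("%s=%s\n" % (name, spec["default"]) for name, spec in fields.items())


if __name__ == "__main__":
    fields = load_fields(SCHEMA_SUBSET)
    print(defaults(fields))
    # constructed candidate with two out-of-bounds values
    print(validate(fields, {"DHCPEnabled": "0", "StaticIPAddress": "10.0.0.1234567890",
                            "VLANID": "4095"}))
```

Feed the full descriptor from the device to load_fields to get all seventeen fields; the Digest element is ignored by the loader since its algorithm and input are not documented on the page.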