MCU
Sonix SN32F707
debug connector
pinout from the SIM card side (left) to the switch (right):
- GND
- SWDCLK
- SWDIO
- +3.3V
GPRS module: Quectel M26
on USART1 (9600,N,8,1); switched on with GPIO P2.7
useful commands
AT+QIREGAPP="TM",,
AT+QIOPEN="TCP","129.6.15.28",13
AT+QNTP="193.204.114.233",123
GPS
UBLOX UBX-G70xx on USART0 (9600,N,8,1); switched on with GPIO P2.4
info printed at start:
GPTXT,01,01,02,u-blox ag - www.u-blox.com*50
GPTXT,01,01,02,HW UBX-G70xx 00070000 *77
GPTXT,01,01,02,ROM CORE 1.00 (59842) Jun 27 2012 17:43:52*59
GPTXT,01,01,02,PROTVER 14.00*1E
GPTXT,01,01,02,ANTSUPERV=AC SD PDoS SR*20
GPTXT,01,01,02,ANTSTATUS=DONTKNOW*33
GPTXT,01,01,02,LLC FFFFFFFF-FFFFFFFD-FFFFFFFF-FFFFFFFF-FFFFFFF9*53
GPTXT,01,01,02,ANTSTATUS=INIT*25
GPTXT,01,01,02,ANTSTATUS=OK*3B
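As an added example (not code from the page, nor u-blox's), the following Python parser verifies the NMEA XOR checksum of each GPTXT line above and decodes the message fields. The sample data is the page's own boot text with the leading `$` that the receiver actually sends restored; the HW line is kept exactly as listed even though its checksum does not match that text (most likely the listing collapsed the original spacing), so it doubles as the altered-line case a byte-exact checksum is meant to catch. The severity code table follows the u-blox TXT message definition.

```python
import re

# Constructed sample: the GPTXT lines listed on the page, with the leading "$"
# that the receiver actually sends restored. The HW line is kept exactly as the
# page shows it; its checksum does not match that text (the page listing most
# likely collapsed the original spacing), so it doubles as the "altered line" case.
BOOT_TEXT = """\
$GPTXT,01,01,02,u-blox ag - www.u-blox.com*50
$GPTXT,01,01,02,HW UBX-G70xx 00070000 *77
$GPTXT,01,01,02,ROM CORE 1.00 (59842) Jun 27 2012 17:43:52*59
$GPTXT,01,01,02,PROTVER 14.00*1E
$GPTXT,01,01,02,ANTSUPERV=AC SD PDoS SR*20
$GPTXT,01,01,02,ANTSTATUS=DONTKNOW*33
$GPTXT,01,01,02,LLC FFFFFFFF-FFFFFFFD-FFFFFFFF-FFFFFFFF-FFFFFFF9*53
$GPTXT,01,01,02,ANTSTATUS=INIT*25
$GPTXT,01,01,02,ANTSTATUS=OK*3B
"""

# $ + talker (2 letters) + sentence type (3 letters) + fields + * + 2 hex digits
_NMEA_RE = re.compile(r"^\$?([A-Z]{2})([A-Z]{3}),(.*?)\*([0-9A-Fa-f]{2})\s*$")

# Severity codes of the u-blox TXT message (u-blox protocol specification).
GPTXT_SEVERITY = {"00": "error", "01": "warning", "02": "notice", "07": "user"}


def nmea_checksum(body: str) -> int:
    """XOR of every byte between '$' and '*', as NMEA 0183 defines it."""
    cs = 0
    for b in body.encode("ascii"):
        cs ^= b
    return cs


def parse_sentence(line: str) -> dict:
    """Split one sentence into talker, type and fields, and verify its checksum."""
    m = _NMEA_RE.match(line)
    if not m:
        raise ValueError(f"not an NMEA sentence: {line!r}")
    talker, stype, payload, cs_hex = m.groups()
    body = f"{talker}{stype},{payload}"          # everything between '$' and '*'
    return {
        "talker": talker,
        "type": stype,
        "fields": payload.split(","),
        "checksum_ok": nmea_checksum(body) == int(cs_hex, 16),
    }


def parse_boot_text(text: str) -> list:
    """Decode every GPTXT line: message index, severity, free text, checksum result."""
    messages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        s = parse_sentence(line)
        if s["type"] != "TXT":
            continue                                  # ignore GGA/RMC/... here
        total, num, sev, *rest = s["fields"]
        messages.append({
            "msg": f"{int(num)}/{int(total)}",
            "severity": GPTXT_SEVERITY.get(sev, sev),
            "text": ",".join(rest),                   # text may itself contain commas
            "checksum_ok": s["checksum_ok"],
        })
    return messages


def antenna_status(messages: list):
    """Final ANTSTATUS value, taken only from lines whose checksum verified."""
    status = None
    for m in messages:
        if m["checksum_ok"] and m["text"].startswith("ANTSTATUS="):
            status = m["text"].split("=", 1)[1]
    return status


if __name__ == "__main__":
    msgs = parse_boot_text(BOOT_TEXT)
    for m in msgs:
        flag = "ok " if m["checksum_ok"] else "BAD"
        print(f"[{flag}] {m['msg']} {m['severity']:8} {m['text']}")
    print("antenna:", antenna_status(msgs))
```

Feeding the module's serial output through `parse_sentence` before acting on any field is the cheap check that separates line noise and truncated sentences from real data; the run above reports eight verified lines, flags the HW line, and ends with the antenna reported as OK.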
Photos from FCC
https://fccid.io/2AI2O-OC30/Internal-Photos/Internal-photos-3426571
Mobile provider
Accelerometer: LIS3DH
Cold boot stepping
apparently the instruction at 0x2b8 is
ldr r3,[r4,#12]
By putting an address minus 12 in r4 it is possible to read memory at the specified address.
This makes a "cold boot stepping" attack possible.
See "Bypassing CRP on Microcontrollers" by Andrew Tierney.
Other components
Routines of the bootloader (0x1fff0000)
- 0x1fff0318 eraseFlash(r0=address)
- 0x1fff033c writeFlash(r0=address,r1=bytes,r2=data address)
Curiosities
In the original firmware you can find a string containing a coordinate expressed according to the NMEA standard (2237.75314,N,11408.62621,E). It points to somewhere in Shenzhen, 1500 m from the site of Omni Intelligent Technology Co.
EEPROM dump
Arduino program adapted from https://www.insidegadgets.com/2010/12/22/reading-data-from-eeprom-i2c-on-a-pcb/ (rows containing only FF are not shown)
0020|AA 55 55 AA 68 6F 6C 6F 67 72 61 6D 00 FF FF FF |.UU.hologram....|
0040|FF FF FF FF 30 30 30 30 00 FF 31 32 33 34 35 36 |....0000..123456|
0050|00 FF FF FF 30 00 FF FF 31 32 30 2E 32 34 2E 32 |....0...120.24.2|
0060|32 38 2E 31 39 39 00 FF FF FF FF FF FF FF FF FF |28.199..........|
0090|FF FF FF FF FF FF FF FF 39 36 36 36 00 FF FF FF |........9666....|
00A0|4F 4D 00 FF FF FF FF FF 79 4F 54 6D 4B 35 30 7A |OM......yOTmK50z|
00B0|00 FF FF FF 56 67 7A 37 00 FF FF FF 04 00 FF FF |....Vgz7........|
00C0|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0400|55 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |U...............|
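Added example (not part of the page or of the linked Arduino sketch): a Python helper that rebuilds the EEPROM image from the hexdump rows above, treating the rows the listing left out as erased 0xFF, then lists the printable ASCII strings with their offsets and filters out the dotted-quad entries. Strings that span two rows (the one starting at 0x58) are recovered whole because the image is reassembled first. Which of those strings are configuration fields is not established by the page; the decoding shows only what the dump itself contains.

```python
import re

# Constructed sample: the page's EEPROM dump, one row per line. Rows that
# contained only FF were left out of the page's listing and are not here either.
DUMP = """\
0020|AA 55 55 AA 68 6F 6C 6F 67 72 61 6D 00 FF FF FF |.UU.hologram....|
0040|FF FF FF FF 30 30 30 30 00 FF 31 32 33 34 35 36 |....0000..123456|
0050|00 FF FF FF 30 00 FF FF 31 32 30 2E 32 34 2E 32 |....0...120.24.2|
0060|32 38 2E 31 39 39 00 FF FF FF FF FF FF FF FF FF |28.199..........|
0090|FF FF FF FF FF FF FF FF 39 36 36 36 00 FF FF FF |........9666....|
00A0|4F 4D 00 FF FF FF FF FF 79 4F 54 6D 4B 35 30 7A |OM......yOTmK50z|
00B0|00 FF FF FF 56 67 7A 37 00 FF FF FF 04 00 FF FF |....Vgz7........|
00C0|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0400|55 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |U...............|
"""

# offset|16 hex pairs each followed by a space|ascii column (ignored)
_ROW_RE = re.compile(r"^([0-9A-Fa-f]+)\|((?:[0-9A-Fa-f]{2} ){16})\|")


def load_dump(text: str, fill: int = 0xFF) -> bytes:
    """Rebuild the EEPROM image; rows the listing omitted are assumed erased (0xFF)."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2))))
    size = max(off + len(row) for off, row in rows)   # image ends at the last row
    image = bytearray([fill]) * size
    for off, row in rows:
        image[off:off + len(row)] = row
    return bytes(image)


def find_strings(image: bytes, min_len: int = 2) -> list:
    """(offset, text) for each run of printable ASCII; a run ends at the first
    non-printable byte, which in this dump is a NUL terminator or erased 0xFF."""
    found, start = [], None
    for i, b in enumerate(image + b"\x00"):      # sentinel closes a run at the end
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                found.append((start, image[start:i].decode("ascii")))
            start = None
    return found


def ipv4_strings(strings: list) -> list:
    """Keep only dotted-quad strings (quick triage for host addresses in a blob)."""
    quad = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
    return [(off, s) for off, s in strings if quad.fullmatch(s)]


if __name__ == "__main__":
    image = load_dump(DUMP)
    print(f"image: {len(image)} bytes")
    strings = find_strings(image)
    for off, s in strings:
        print(f"{off:04X}  {s}")
    print("dotted quads:", ipv4_strings(strings))
```

The point of reassembling before searching is that any string crossing a 16-byte row boundary, or sitting next to an omitted row, is recovered at its true offset; the same loader works on a full, unabridged dump, where no rows are missing and the fill value never applies.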