maurizio.butti-
Readme
07/23/2022 at 09:13 • 0 commentsMCU
Sonix SN32F707
debug connector
from the SIM card side (left), to the switch (right)
- GND
- SWDCLK
- SWDIO
- +3.3V
GPRS module: Quectel M26
on USART1 (9600,N,8,1) turn on with GPIO P2.7
useul commands
AT+QIREGAPP="TM",,AT+QIOPEN="TCP","129.6.15.28",13AT+QNTP="193.204.114.233",123
GPS
UBLOX UBX-G70xx on USART0 (9600,N,8,1) turn on with GPIO P2.4
infos at start::
GPTXT,01,01,02,u-blox ag - www.u-blox.com*50 GPTXT,01,01,02,HW UBX-G70xx 00070000 *77 GPTXT,01,01,02,ROM CORE 1.00 (59842) Jun 27 2012 17:43:52*59 GPTXT,01,01,02,PROTVER 14.00*1E GPTXT,01,01,02,ANTSUPERV=AC SD PDoS SR*20 GPTXT,01,01,02,ANTSTATUS=DONTKNOW*33 GPTXT,01,01,02,LLC FFFFFFFF-FFFFFFFD-FFFFFFFF-FFFFFFFF-FFFFFFF9*53 GPTXT,01,01,02,ANTSTATUS=INIT*25 GPTXT,01,01,02,ANTSTATUS=OK*3B
Photos from FCC
https://fccid.io/2AI2O-OC30/Internal-Photos/Internal-photos-3426571
Mobile provider
Accelerometer: LIS3DH
Cold boot stepping
apparently the instruction at 0x2b8 is
ldr r3,[r4,#12]putting an adress minus 12 in r4 it is posible to read memory at the specified address.
This makes a "cold boot stepping" attack possible.
See Bypassing CRP on Microcontrollers by Andrew Tierney
Other components
Routines of the bootloader (0x1fff0000)
- 0x1fff0318 eraseFlash(r0=address)
- 0x1fff033c writeFlash(r0=address,r1=bytes,r2=data address)
Curiosities
In the original firmware you can find a string containing coordinate expressed according to the NMEA standard (
2237.75314,N,11408.62621,E). The point to somewhere in Shenzen 1500m from the site of Omni Intelligent Technology Co.EEPROM dump
Arduino program adapted from https://www.insidegadgets.com/2010/12/22/reading-data-from-eeprom-i2c-on-a-pcb/ (rows containig only FF are not shown)
0020|AA 55 55 AA 68 6F 6C 6F 67 72 61 6D 00 FF FF FF |.UU.hologram....| 0040|FF FF FF FF 30 30 30 30 00 FF 31 32 33 34 35 36 |....0000..123456| 0050|00 FF FF FF 30 00 FF FF 31 32 30 2E 32 34 2E 32 |....0...120.24.2| 0060|32 38 2E 31 39 39 00 FF FF FF FF FF FF FF FF FF |28.199..........| 0090|FF FF FF FF FF FF FF FF 39 36 36 36 00 FF FF FF |........9666....| 00A0|4F 4D 00 FF FF FF FF FF 79 4F 54 6D 4B 35 30 7A |OM......yOTmK50z| 00B0|00 FF FF FF 56 67 7A 37 00 FF FF FF 04 00 FF FF |....Vgz7........| 00C0|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 0400|55 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |U...............|
Bike sharing smart lock turns into car GPS
A bike sharing company left my town, leaving behind dozens of bikes with smart locks. This is my effort in reverse engineering the locks