Femtocell Ubiquisys v2
Here is a look at the PCB.
In fact, it is two PCBs: a module from Ubiquisys connected through a B2B (board-to-board) connector to the NEC platform, which provides power, Ethernet, USB and the AT24 EEPROM.
Some info about the CPU: before Broadcom bought Percello, it used to be tagged as PRC6000.
As seen in the previous version, there are A and B versions of the file systems. The boot partition contains a bootloader different from U-Boot; it is a custom one made by Percello.
Partitions are signed using an RSA algorithm. Each partition is signed, and a signature as well as a public key is given. The bootloader is self-verified.
The Percello seems to be able to use an external I2C EEPROM that is not populated. In the init script, "at24=at24c02.." is passed to a kernel helper called "dev_helper", which in this case loads the EEPROM driver. The funny part is that the EEPROM is addressed at 0x50 + A2 A1 A0. Here A2..A0 are all wired to GND, which would give this EEPROM the address 0x50. However, the script seems to be using 0x57... The script checks whether the file /sys/class/i2c-adapter/i2c-1/1-0057/eeprom exists; if it does, it copies it and calls ee2ini, which converts it into an .ini file using ipeeprom.xml as a field descriptor. Otherwise, ipeeprom_default.bin is used.
As seen in the picture, three components are not populated:
- U18: AT24C02
- R129: 10k pull-up resistor
- C87: 100nF
The EEPROM is only 256 bytes. However, the IP configuration would use less than 128 bytes; could the rest be used for some key?
FTDI has a UMFT201XB-01 Module which is an I2C Slave to USB converter.
The module is part of the FT-X device series. Thanks to Richard Meadows, who modified an FT_PROG-compatible tool written by Mark Lord that lets us reconfigure the device to a specific I2C address. We need to configure it to receive data on address 0x57 (decimal 87) so that it forwards to our /dev/ttyUSB0, over USB, all the data received on that address. Here is a dump once programmed.
In order to analyze what is on the bus, I'm using an Open Bench Logic Sniffer.
This cheap sniffer lets me analyze the traffic afterwards. It has a handy feature that automatically identifies the SDA and SCL lines of the I2C bus and shows the data on the bus, as well as the timing.
Here is a picture of the final test prototype. We can see the Femtocell connected with wire-wrap copper cable to the I2C module (white), and the sniffer (red) on the path.
In this video, on the right side, the terminal is a root shell on the femtocell. At the bottom, we have on /dev/ttyUSB1 the FTDI module connected to the I2C bus of the femto. And finally, on the top left, the Open Bench Logic Sniffer. The video shows that at first, the file 1-0057/eeprom does not exist. After sending the at24=.. string to dev_helper, something happens on the I2C bus (the sniffer shows red while waiting to be triggered). Now the file 1-0057/eeprom exists. Next step, we write an "ABCDEF.." pattern to the /dev/ttyUSB1 device, which is the I2C-to-USB converter; this one keeps the string in its FIFO. When, on the femto console, we do a cat 1-0057/eeprom, the string that was passed to /dev/ttyUSB is returned. We see on the sniffer that the data were sent at that moment through the I2C bus to address 0x57. Therefore, the AT24C02 has been emulated.
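As an added example (not code from the original post), here is a small Python checker that turns the address arithmetic above into a test over a bus capture: it computes the address the AT24C02 footprint would answer at from its A2..A0 straps and flags any ACKed EEPROM-range transaction at a different address, which is exactly what the emulated part at 0x57 looks like next to a footprint strapped for 0x50. The capture is constructed, and the Transaction layout is an assumption, not the Open Bench Logic Sniffer's export format.

```python
from dataclasses import dataclass
from typing import List, Tuple

AT24_BASE = 0x50  # AT24Cxx address prefix 1010 xxx; the low 3 bits come from A2 A1 A0

def at24_address(a2: int, a1: int, a0: int) -> int:
    """7-bit I2C address the AT24C02 footprint would answer at, given its strap pins."""
    return AT24_BASE | (a2 << 2) | (a1 << 1) | a0

def decode_address_byte(byte: int) -> Tuple[int, bool]:
    """First byte after START: upper 7 bits are the address, bit 0 is R/W (1 = read)."""
    return byte >> 1, bool(byte & 1)

@dataclass
class Transaction:
    """One START..STOP frame as a sniffer would report it (assumed layout)."""
    address_byte: int   # raw first byte on the wire
    acked: bool         # did some device ACK the address?
    data: bytes

# Constructed sample capture (not from the original post): a read of 1-0057/eeprom
# served by a device at 0x57, plus a probe of 0x50 that nobody answers.
SAMPLE_CAPTURE: List[Transaction] = [
    Transaction(address_byte=(0x57 << 1) | 0, acked=True, data=b"\x00"),    # set word address 0
    Transaction(address_byte=(0x57 << 1) | 1, acked=True, data=b"ABCDEF"),  # sequential read
    Transaction(address_byte=(0x50 << 1) | 1, acked=False, data=b""),       # unpopulated footprint: NACK
]

def audit_capture(capture: List[Transaction], strap_pins=(0, 0, 0)) -> List[str]:
    """Flag any ACKed AT24-range transaction at an address the board's straps cannot produce."""
    expected = at24_address(*strap_pins)
    findings = []
    for t in capture:
        addr, is_read = decode_address_byte(t.address_byte)
        if not t.acked or (addr & 0x78) != AT24_BASE:
            continue  # no responder, or not an AT24-range address at all
        if addr != expected:
            op = "read" if is_read else "write"
            findings.append(f"{op} of {len(t.data)} byte(s) ACKed at 0x{addr:02x}, "
                            f"but the strapped footprint is 0x{expected:02x}: unexpected responder")
    return findings

if __name__ == "__main__":
    for line in audit_capture(SAMPLE_CAPTURE):
        print(line)
```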