Samsung LTE USB stick GT-B3730/B3740

Breaking down parts of Samsung's LTE USB stick GT-B3730/B3740, codename Kalmia, and rebuilding it.

Research
Aug 9, 2013

Samsung LTE USB dongles codename Kalmia

I acquired a couple of GT-B3740 800 MHz LTE dongles and opened one of them to find out which chipset it used.

The really surprising part was to find a JTAG connector on the board, with "JTAG" printed right next to it!
So I started looking for documentation, and another interesting thing turned up: a bit of Googling led me to the Service Manual of the device!

Even more surprising, the manual contains a schematic, including the JTAG pinout!

After some investigation, I found the connector's datasheet: http://www3.panasonic.biz/ac/e_download/control/connector/base-fpc/catalog/con_eng_f4s.pdf?via=ok It is in fact a Panasonic AXT512124.

One can find those at Digikey or Mouser.
THE problem with this connector is its size: any soldering iron would melt the connector before anything could be soldered to it. So the only option is to find the female connector and extend it. My first attempt was a failure. I tried to do it with a flex copper sheet and PNPBlue; here is the result.

The clearance is so small that it could only be done in a factory with a pick-and-place machine.
Looking here and there, I found on Alibaba a multi-connector JTAG cable that looked quite similar.

http://www.aliexpress.com/store/product/JTAG-JPin-JIG-Pinouts-by-RIFF-ORT-JPR-MEDUSA-BOX/927318_922669231.html

So I decided to buy one and give it a test. The catch is that you have to buy the whole set. At the time of writing, its price was $68.

The result is shown below.

The interesting part about this cable is that the little adapter that comes with it follows the standard ARM JTAG pinout, so I could easily connect it through a board-to-board connector to an Amontek Jtag-Mini. It was time to play with OpenOCD!
Here is the configuration file used (comments added for this write-up; the commands are the original ones).

# OpenOCD listens on 4444 for telnet; the gdb and tcl servers are left at their defaults
telnet_port 4444
#gdb_port 0
#tcl_port 0

# Absurdly high clock request: this just asks the adapter for its maximum rate.
# jtag_khz is the older alias of adapter_khz, so one of the two is enough.
jtag_khz    100000000
adapter_khz 100000000
#jtag_speed 3

# Both TRST and SRST are wired on the JTAG header per the service manual schematic
reset_config trst_and_srst

# Settling time (ms) after releasing each reset line
jtag_nsrst_delay 400
jtag_ntrst_delay 400

if { [info exists CHIPNAME] } {
  set _CHIPNAME $CHIPNAME
} else {
  set _CHIPNAME cmc220
}

#reset_config none

# 0x4ba00477 is the ARM CoreSight DAP IDCODE reported by the chip's TAP
if { [info exists CPU_TAPID ] } {
  set _CPU_TAPID $CPU_TAPID
} else {
  set _CPU_TAPID 0x4ba00477
}
jtag newtap $_CHIPNAME tap -irlen 4 -ircapture 0x1 -irmask 0x3 -expected-id $_CPU_TAPID

set _TARGETNAME $_CHIPNAME

# The modem core is a Cortex-R4. Note: OpenOCD releases since 0.11 require a
# 'dap create' step and '-dap' on the target instead of '-chain-position'.
target create $_TARGETNAME cortex_r4 -endian little -chain-position $_TARGETNAME.tap
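One way to pull the memory out once this configuration is loaded, as an added example that is not part of the original post: the script below talks to the telnet port declared above (4444), halts the core, walks a memory range with `mdw`, and rebuilds the words into a little-endian image (the target is declared `-endian little`). It assumes `mdw` prints lines shaped like `0x<addr>: <word> <word> ...`; the parser also tolerates a `0x` prefix on each word. The sample `mdw` output is constructed for the test. OpenOCD's own `dump_image <file> <addr> <size>` does the same job in one command; the point here is to show what the raw words look like and how byte order is recovered.

```python
"""Dump a memory range through OpenOCD's telnet port into a little-endian image.

Added example; not the original post's tooling. Assumes an OpenOCD session on
telnet_port 4444 with a halted target and the 'mdw' output format described
in the lead-in. SAMPLE_MDW below is a constructed transcript."""
import socket
import struct

PROMPT = b"> "

# Constructed mdw transcript: command echo, one data line, next prompt.
SAMPLE_MDW = (
    "mdw 0x00000000 4\n"
    "0x00000000: e59ff018 e59ff018 deadbeef 00000000\n"
    "> "
)


def parse_mdw(text: str) -> bytes:
    """Convert mdw output into raw bytes, packing each 32-bit word little-endian."""
    out = bytearray()
    for line in text.splitlines():
        line = line.strip()
        # Data lines start with the 0x-prefixed address followed by a colon.
        if not line.startswith("0x") or ":" not in line:
            continue
        _addr, _, words = line.partition(":")
        for w in words.split():
            w = w[2:] if w.lower().startswith("0x") else w
            if len(w) != 8:          # mdw prints words as %08x; skip anything else
                continue
            out += struct.pack("<I", int(w, 16))
    return bytes(out)


def _recv_until(sock: socket.socket, marker: bytes) -> bytes:
    buf = b""
    while not buf.endswith(marker):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def dump_via_telnet(base: int, size: int, host: str = "127.0.0.1",
                    port: int = 4444, chunk_words: int = 256) -> bytes:
    """Read [base, base+size) in chunks of chunk_words words; needs a live OpenOCD."""
    if size % 4:
        raise ValueError("size must be a multiple of 4 bytes")
    image = bytearray()
    with socket.create_connection((host, port), timeout=10) as s:
        _recv_until(s, PROMPT)          # swallow banner and first prompt
        s.sendall(b"halt\n")
        _recv_until(s, PROMPT)
        addr = base
        while addr < base + size:
            n = min(chunk_words, (base + size - addr) // 4)
            s.sendall(f"mdw 0x{addr:08x} {n}\n".encode())
            reply = _recv_until(s, PROMPT).decode(errors="replace")
            block = parse_mdw(reply)
            if len(block) != n * 4:
                raise RuntimeError(f"short read at 0x{addr:08x}: {len(block)} bytes")
            image += block
            addr += n * 4
    return bytes(image)


if __name__ == "__main__":
    import sys
    base, size, path = int(sys.argv[1], 0), int(sys.argv[2], 0), sys.argv[3]
    with open(path, "wb") as f:
        f.write(dump_via_telnet(base, size))
```

Usage: `python dump.py 0x00000000 0x100000 kalmia.bin` with OpenOCD already running on this config. Keep the chunk size modest; the telnet server prints everything as text, so a few hundred words per request keeps each reply well under the socket buffer.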

So I managed to dump the memory of the chip and extract the firmware. Running strings on the file shows that it is REALLY verbose: all the debug symbols are there, all the printf calls are still there... It's time to play with IDA Pro!
One interesting part is that I was able to tell IDA Pro that the GDB server is in fact OpenOCD, so IDA Pro goes into debug mode and can step through the running code. Most of the time that triggers an interrupt, though. But with some scripting it is good enough to tell which parts of the firmware are code segments and which are data segments.

And as said earlier, the amount of debug strings is really big. Worth digging into.
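The kind of first-pass scripting the two paragraphs above describe, as an added example rather than the author's own scripts: given a raw dump, pull out printable strings the way `strings` does, count how many of them are printf-style format strings (a rough measure of how much debug output survived in the build), and label fixed-size windows as likely ARM code or data. The code/data heuristic is an assumption of mine: in ARM-mode code most 32-bit words carry the "always" condition field, i.e. a top nibble of 0xE, and few bytes are printable; Thumb code does not have that signature and would be under-counted. The sample image is constructed.

```python
"""Triage a raw firmware dump: strings, format-string count, code/data windows.

Added example, not from the original post. The ARM-mode heuristic (top nibble
0xE on most words) is an assumption and misses Thumb code. SAMPLE_IMAGE is
constructed: 64 bytes of ARM instructions, 64 bytes of strings, 64 bytes of 0xFF."""
from __future__ import annotations
import re
import struct

FMT_SPEC = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgcsp]")

# Constructed sample: ldr pc/mov/push/mov/add/bx lr/ldr/add, all cond=AL (0xE)
CODE = struct.pack("<16I", *([0xE59FF018, 0xE1A00000, 0xE92D4010, 0xE3A00000,
                              0xE28DD004, 0xE12FFF1E, 0xE5900000, 0xE0800001] * 2))
DATA = (b"Kalmia boot: %s\0" + b"rx_cnt=%d\0" + b"LTE ready\0").ljust(64, b"\0")
EMPTY = b"\xff" * 64
SAMPLE_IMAGE = CODE + DATA + EMPTY


def extract_strings(blob: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """Return (offset, text) for runs of printable ASCII at least min_len long."""
    found = []
    start = None
    for i, b in enumerate(blob + b"\0"):     # sentinel closes a trailing run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                found.append((start, blob[start:i].decode("ascii")))
            start = None
    return found


def count_format_strings(strings: list[tuple[int, str]]) -> int:
    """How many extracted strings contain a printf-style conversion."""
    return sum(1 for _, s in strings if FMT_SPEC.search(s))


def classify_windows(blob: bytes, window: int = 64) -> list[tuple[int, str]]:
    """Label each window 'code', 'data' or 'empty' (all 0x00/0xFF)."""
    labels = []
    for off in range(0, len(blob), window):
        chunk = blob[off:off + window]
        if not chunk.strip(b"\x00\xff"):
            labels.append((off, "empty"))
            continue
        nwords = len(chunk) // 4
        words = struct.unpack(f"<{nwords}I", chunk[:nwords * 4])
        cond_always = sum(1 for w in words if (w >> 28) == 0xE)
        printable = sum(1 for b in chunk if 0x20 <= b < 0x7F)
        if nwords and cond_always / nwords >= 0.6 and printable / len(chunk) < 0.5:
            labels.append((off, "code"))
        else:
            labels.append((off, "data"))
    return labels


def summarize(blob: bytes) -> dict:
    strs = extract_strings(blob)
    labels = classify_windows(blob)
    return {
        "strings": len(strs),
        "format_strings": count_format_strings(strs),
        "code_windows": sum(1 for _, l in labels if l == "code"),
        "data_windows": sum(1 for _, l in labels if l == "data"),
    }


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    print(summarize(image))
    for off, s in extract_strings(image)[:20]:
        print(f"0x{off:08x}: {s}")
```

Run it against a real dump with `python triage.py kalmia.bin`; the window labels give a coarse map of where to point IDA's code/data analysis, and the format-string ratio is a quick way to confirm the "all the printf are still there" observation before reading anything by hand.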

In the meantime, I decided to get myself some GT-B3730 sticks, which do the 2.6 GHz LTE band as well as 2.75G and 3G, hoping that they are similar.

Opening one showed that it is based on the same chip, which is connected to a second chip in charge of 2G/3G.

Two different firmwares are written into this one, mode A and mode B: A is LTE, B is 2G/3G. Therefore, in order to switch modes, the device has to reboot into the other firmware.
