
Samsung LTE USB stick GT-B3730/B3740 hacking

Samsung LTE USB stick GT-B3730/B3740

Samsung LTE USB dongles codename Kalmia

I acquired a couple of GT-B3740 800 MHz LTE dongles and decided to open one of them to find out which chipset was used in it.

The very surprising part was to see that it had a JTAG connector, and it was even labelled JTAG!
So after looking for some documentation about it, another interesting thing came up: googling a bit led me to the Service Manual of the device!

Even more surprising, there was a schematic in there, with the JTAG pinout description!

After some investigation, I found the connector datasheet: http://www3.panasonic.biz/ac/e_download/control/connector/base-fpc/catalog/con_eng_f4s.pdf?via=ok It is in fact a Panasonic AXT512124.

One can find those at Digikey or Mouser.
The real problem with this connector is its size: any soldering iron would melt the connector before anything could be soldered to it. So there is no other way than finding the female connector and extending it. My first attempt was a failure: I tried to do it with a flex-based copper sheet and PNPBlue. Here is the result:

In fact, the clearance is so low that it could only be done in a factory with a pick-and-place machine.
Looking here and there, I found on Alibaba a multi-JTAG cable set that looked quite similar.

http://www.aliexpress.com/store/product/JTAG-JPin-JIG-Pinouts-by-RIFF-ORT-JPR-MEDUSA-BOX/927318_922669231.html

So I decided to buy one to give it a try. The thing is that you have to buy the whole set. At the time of writing, its price was $68.

The result is shown below:

The interesting part about this cable is that the little adapter they give follows the standard ARM JTAG pinout, therefore I could easily connect it with a board-to-board connector to an Amontec Jtag-Mini. So it was time to play with OpenOCD!
Here is the configuration file used.


# OpenOCD configuration for the Kalmia baseband (CMC220)
telnet_port 4444
#gdb_port 0
#tcl_port 0

# Adapter clock in kHz; jtag_khz is the older spelling of adapter_khz.
# An oversized value simply asks the adapter driver for its fastest clock.
jtag_khz    100000000
adapter_khz 100000000
#jtag_speed 3

# Both TRST and SRST are available on the dongle's JTAG header
reset_config trst_and_srst

# Delay (ms) to wait after releasing each reset line
jtag_nsrst_delay 400
jtag_ntrst_delay 400

if { [info exists CHIPNAME] } {
  set _CHIPNAME $CHIPNAME
} else {
  set _CHIPNAME cmc220
}

#reset_config none

# 0x4ba00477 is the IDCODE of the ARM CoreSight JTAG-DP (the debug access port)
if { [info exists CPU_TAPID ] } {
  set _CPU_TAPID $CPU_TAPID
} else {
  set _CPU_TAPID 0x4ba00477
}
jtag newtap $_CHIPNAME tap -irlen 4 -ircapture 0x1 -irmask 0x3 -expected-id $_CPU_TAPID

set _TARGETNAME $_CHIPNAME

# The core behind the DAP is a little-endian Cortex-R4
target create $_TARGETNAME cortex_r4 -endian little -chain-position $_TARGETNAME.tap

So I managed to dump the memory of the chip, and I got the firmware extracted. Running strings on the file shows that it is REALLY verbose: all the debug symbols are there, all the printf calls are still there... It's time to play with IDA Pro!
One interesting part is that I was able to tell IDA Pro that the GDB server is in fact OpenOCD, so IDA Pro would go into debug mode and step through the running code. Most of the time that would generate an interrupt, though. But with some scripting, that is good enough to see which parts of the firmware are code segments and which are data segments.
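As an added example of the kind of scripting mentioned above (not the author's script, nor anything from the device), here is a small heuristic classifier that walks a raw little-endian ARM memory dump window by window and labels each window as A32 code, printable debug strings, padding or pointer tables. The load address and the sample dump are constructed assumptions, and the A32 check will not recognise Thumb-2 code, which a Cortex-R4 can also run.

```python
import math
import struct
from collections import Counter


def window_features(buf: bytes, base: int, image_size: int) -> dict:
    """Crude features for one window of a little-endian ARM (A32) dump."""
    n = len(buf)
    if n == 0:
        return {"arm_ratio": 0.0, "ptr_ratio": 0.0, "printable": 0.0, "entropy": 0.0}
    words = [int.from_bytes(buf[i:i + 4], "little") for i in range(0, n - 3, 4)]
    # A32 instructions almost always carry condition code AL (0xE) in bits 31..28.
    arm_al = sum(1 for w in words if w >> 28 == 0xE)
    # Words pointing back into the image look like vectors, literal pools or jump tables.
    ptrs = sum(1 for w in words if base <= w < base + image_size)
    printable = sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13))
    counts = Counter(buf)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {"arm_ratio": arm_al / max(len(words), 1),
            "ptr_ratio": ptrs / max(len(words), 1),
            "printable": printable / n,
            "entropy": entropy}


def classify(dump: bytes, base: int, window: int = 4096) -> list:
    """Label each window of the dump; returns [(address, label), ...]."""
    labels = []
    for off in range(0, len(dump), window):
        f = window_features(dump[off:off + window], base, len(dump))
        if f["printable"] > 0.75:
            label = "strings"        # the verbose printf/debug text
        elif f["arm_ratio"] > 0.5:
            label = "arm-code"
        elif f["entropy"] < 1.0:
            label = "padding"        # erased flash or untouched RAM
        elif f["ptr_ratio"] > 0.3:
            label = "pointer-table"
        else:
            label = "data"
        labels.append((base + off, label))
    return labels


# Constructed sample dump (not taken from the device): four 32-byte windows.
SAMPLE_BASE = 0x40000000  # assumed load address, placeholder only
SAMPLE_DUMP = (
    struct.pack("<8I", 0xE92D4010, 0xE3A00001, 0xE59F0008, 0xE5901000,
                0xEB000010, 0xE1A00000, 0xE8BD8010, 0xE12FFF1E)   # A32 function
    + b"DEBUG: LTE attach failed rc=%d\n\0"                     # 32-byte debug string
    + bytes(32)                                                  # empty region
    + struct.pack("<8I", *(SAMPLE_BASE + 4 * k for k in range(8)))  # vector-like table
)

if __name__ == "__main__":
    for addr, label in classify(SAMPLE_DUMP, SAMPLE_BASE, window=32):
        print(f"{addr:#010x}  {label}")
```

On a real dump, feed the file contents with the base address OpenOCD dumped from and a larger window; the thresholds are a starting point to tune against what IDA confirms.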

And as said earlier, the amount of debug strings is really big. Worth digging into.

In the meantime, I decided to get myself some GT-B3730s, which do the 2.6 GHz LTE band as well as 2.75G and 3G, hoping that they are similar.

Opening it showed me that it is based on the same chip, which is connected to another chip in charge of 2/3G.


Two different firmwares are written into this one: mode A and mode B. A is LTE, B is 2/3G. Therefore, in order to switch, it needs to reboot into the other firmware.
