Hacking ZTE-G S511, cheapest mobile phone at €7.50
| Projects | |
|---|---|
| Participants | |
| Skills | precise soldering of SMD, reverse engineering firmware, ARM assembly |
| Status | Dormant |
| Niche | Electronics |
| Purpose | Use in other project |
Samsung GT-E1200i (Keystone 2)
Phone available from Tele2 (website) as well as Kijkshop (sometimes)
This phone got me thinking: you can get it, including a prepaid SIM card, for €7.50 at the Kijkshop. It has an MP3 player, an SD card reader and a micro-USB port that connects the headphones and also transfers files to the SD card (USB mode).
As far as I know it is now possible to run the firmware from an external UART / serial feed (apparently you cannot flash the protected flash ROM, but there may be ways around it, who knows). It is possible to read the flash and then disassemble it with IDA Pro to see if anything can be done with it. It would be nice to use this complete device with an extra board feeding it the firmware via UART, and see whether a microcontroller can then control some functions (like dialing or sending SMS) on certain events, etc.
Nicest of course would be if the USB port could be used as the interface and the whole thing could be reprogrammed that way, to act for instance as an autonomous alarm system, tripwire or whatever. Battery power limits the run time (solar powering is an option).
Basically the whole point was: €7.50, including battery and 5 euros of credit, for a whole phone, which makes it worth hacking.
update
On this GitHub repository there is a lot of information on the MTK line of products:
Development Documents for MTK chipsets
Hardware disassembly
It is based on the MT6251 reference phone (Sparrow51), which is built around the ARM-based MediaTek MT6251V.
It has a Macronix MX25U3235EZNI 32 Mbit SPI flash.
It uses an RF7176 quad-band (GSM850/EGSM900/DCS1800/PCS1900) GSM/GPRS Class 12 compliant transmit module.
The LCD screen is a TXDT144CF, 128x128 RGB, 1.44".
Pages on MTK
The MTK Based China Phones briefing thread describes everything needed to get the flash out of the phone and hack it. I have made a separate page to make sure that no information is lost if that forum is taken down.
plan
OK, I've figured out that, according to this thread, it is possible to connect UART(?) RX, TX and ground to pins on the board (figuring out which pins is simple with a multimeter) and then feed the firmware from the serial port. Flashing the memory is not possible because the device is protected against that. But a very simple Arduino(?) board or whatever that feeds the firmware could then control the GSM, MP3 player, SD card etc.
With a PL2303-based USB-to-serial converter an RS232-to-TTL level converter (12 V to 3.3-5 V) should not be necessary. The PL2303 already puts out 3.3-4 V; actually it mentions a pin that regulates the voltage level.
30 / 6 / 2013
My lack of soldering skills and general chaos have destroyed the phone. I need to find another one....
topic about MTK phones
http://forum.gsmhosting.com/vbb/f457/mtk-based-china-phones-briefing-817606/
successful unlock
ZTE-G S511 Successful Unlock
SigmaKey 1.29.02 MTK: Direct unlock
Prolific USB-to-Serial Comm Port (COM2), Provider: Prolific, Driver ver.: 2.0.13.130, Date: 19.11.2009, USB\Vid_067b&Pid_2303&Rev_0202
Baud rate: 115200
Release "Power on" button!
Baseband Processor:MT6251, HW Rev. A.03, SW Rev. 1.01
Serial number: DD0D735332AD9244
Testing external RAM...Skipped
Detecting flash...SPI, ID: 00C22536-00000000
Flash size: 4 Mb, block size: 4 Kb
File system: 384 Kb @ 003A0000
Firmware: ZTENJ51_32_11A_PCB01_gsm_MT6251_S01.PE-PT-TMN-P110A13V1_0_3B02
Hardware IMEI: Not found
Software IMEI: 868608001756759
Mounting system disk...#0
Security area saved to "E:\WORK\Motorola\SmartMoto\Alcatel\868608001756759_ZTENJ51_32_11A_PCB01_gsm_MT6251_S01_PE-PT-TMN-P110A13V1_0_3B02.skb"
Unlocking phone...Done
http://forum.gsmhosting.com/vbb/f719/zte-g-s511-successful-unlock-1733636/
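As an added example (not code from this page or from SigmaKey), the following Python parses the flash lines of the quoted log and derives the flash memory map, cross-checking that the JEDEC manufacturer byte and the 4 MB size match the 32 Mbit Macronix part listed under Hardware disassembly, and that the 384 KB file system region ends exactly at the end of the flash. The vendor table and the MX25U capacity-code formula are assumptions of this example, not facts from the page.

```python
import re

# Constructed excerpt of the SigmaKey output quoted on this page; the values are
# the ones that appear there, the surrounding lines of the log are omitted.
SIGMAKEY_LOG = """Baseband Processor:MT6251, HW Rev. A.03, SW Rev. 1.01
Detecting flash...SPI, ID: 00C22536-00000000
Flash size: 4 Mb, block size: 4 Kb
File system: 384 Kb @ 003A0000"""

# JEDEC manufacturer byte -> vendor. Assumption: only Macronix (0xC2) is needed here.
JEDEC_MANUFACTURERS = {0xC2: "Macronix"}


def parse_flash_info(log):
    """Pull the SPI flash fields out of a SigmaKey-style log into a dict of ints."""
    m_id = re.search(r"SPI, ID: ([0-9A-Fa-f]{8})", log)
    m_size = re.search(r"Flash size: (\d+) Mb, block size: (\d+) Kb", log)
    m_fs = re.search(r"File system: (\d+) Kb @ ([0-9A-Fa-f]{6,8})", log)
    if not (m_id and m_size and m_fs):
        raise ValueError("log lacks the flash ID / size / file system lines")
    jedec = int(m_id.group(1), 16)  # 0x00C22536 -> bytes C2 25 36
    return {
        "manufacturer_id": (jedec >> 16) & 0xFF,
        "memory_type": (jedec >> 8) & 0xFF,
        "capacity_code": jedec & 0xFF,
        # SigmaKey's "Mb"/"Kb" are bytes here: 4 MB equals the 32 Mbit Macronix part.
        "flash_bytes": int(m_size.group(1)) << 20,
        "block_bytes": int(m_size.group(2)) << 10,
        "fs_bytes": int(m_fs.group(1)) << 10,
        "fs_offset": int(m_fs.group(2), 16),
    }


def memory_map(info):
    """Sanity-check the parsed fields and return the regions as (start, end) pairs."""
    vendor = JEDEC_MANUFACTURERS.get(info["manufacturer_id"], "unknown")
    if vendor != "Macronix":
        raise ValueError(f"flash vendor {vendor!r} does not match the Macronix chip on the board")
    # Assumption: in the Macronix MX25U family the capacity byte encodes
    # 2**(code - 0x20) bytes (0x36 -> 4 MiB); this is not a universal JEDEC rule.
    if 1 << (info["capacity_code"] - 0x20) != info["flash_bytes"]:
        raise ValueError("reported flash size disagrees with the JEDEC capacity code")
    fs_start, fs_end = info["fs_offset"], info["fs_offset"] + info["fs_bytes"]
    if fs_start % info["block_bytes"] or fs_end > info["flash_bytes"]:
        raise ValueError("file system region is misaligned or exceeds the flash")
    return {"code": (0, fs_start), "filesystem": (fs_start, fs_end),
            "unused": (fs_end, info["flash_bytes"])}


if __name__ == "__main__":
    for name, (start, end) in memory_map(parse_flash_info(SIGMAKEY_LOG)).items():
        print(f"{name:10s} 0x{start:06X}-0x{end:06X} ({(end - start) // 1024} KB)")
```

The resulting map (code 0x000000-0x3A0000, file system 0x3A0000-0x400000) is how a raw flash dump would be split before loading the code part into a disassembler.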
about firmware reverse engineering
http://www.limited-entropy.com/insomnihack2013-hw
There is power in the blood and blitz in the benzedrine. 18:38, 12 July 2013 (CEST)
Some pages of possible interest
http://forum.gsmhosting.com/vbb/f312/____sagemjtagunlocker-support____-526394/
Covers the 6250/6252, similar but focused on unlocking.
Chinese site with lots of files relating to other MTK models
https://github.com/luckasfb - has a list of MTK related datasheets and software very close to the MT6251
http://www.huayusoft.com/ develops educational boards and has a file repository with MTK related material
Download site with lots of files related to MTK: http://www.filecrop.com/mtk-6252-usb.html
http://forum.gsmhosting.com/vbb/f83/tutorial-how-extract-iso-image-huawei-modem-dashboards-1192243/