Hacking ZTE-G S511, cheapest mobile phone at €7.50

From Technologia Incognita
Revision as of 06:51, 23 October 2014 by Amphack (talk | contribs)
Jump to: navigation, search
Projects
ZTE S516 big-pinout.jpg
Participants
Skills precise soldering of SMD, reverse engineering firmware, ARM assembly
Status Active
Niche Electronics
Purpose Use in other project


Samsung gt-e1200i (Keystone 2

TechnicalInfoE1200

Phone available from tele2 (website) as well as kijkshop (sometimes)

This phone got me thinking, you can get this including a prepaid sim card for €7,50 at the KIJKSHOP. It has a mp3 player, a sd card reader, and a micro-USB port to connect the headphones, as well as transfer files to the SD card (USB mode).

AFAIK now its possible to run the firmware from an external UART / serial feed. (you cannot flash the protected flash rom apparently, but there maybe ways around it, who knows). Its possible to read the flash and then disassemble with IDA PRO to see if anything can be done with it. would be nice to use this complete device with an extra board feeding it the firmware via UART and see if then a microcontroller can control some functions, (like dialing/sms-ing) on certain events, etc.

Nicest would be if of course the USB port could be used to interface and the whole thing could be reprogrammed this way to for instance perform a autonomous alarm system, tripwire whatever. Battery power limits the time (solar powering).

Basically the whole point was, €7,50, including battery, 5 euros of credit for a whole phone - worth to hack.

update

On this github repository there is loads of info regarding the MTK line of products.

Development Documents for MTK chipsets


http://mtk2000.ucoz.ru/


Hardware disassembly

DSC01325.JPG

It is based on the MT6251 Reference Phone (Sparrow51) Which is based on the ARM MT6251V.

It has a Macronix mx25u3235ezni 32M-BIT

It uses a RF7176 quad-band (GSM850/EGSM900/DCS1800/PCS1900) GSM/GPRS Class 12 compliant transmit module.

The LCD screen is a TXDT144CF 128x128 RGB 1,44"

Pages on MTK

Based China Phones briefing*** This thread describes everything to get the flash from the phone and hack it. I have made a seperate page to make sure that when this forum is taken down no information is lost.

plan

Ok i've figured out that according to this thread it is possible to UART(?) rx, tx and ground to pins on the board (figuring out which pins is simple with multimeter) and then feed the firmware from the serial port. Flashing the memory is not possible because the device is protected against that. But a very simple arduino? board or whatever which feeds the firmware could then control the GSM, mp3player, sd card etc.



With a based USB-to-serial converter a RS232-TTL level converter (12V to 3.3-5V) should not be necessery. The PL2303 already puts out 3.3-4 volt, actually it speaks about a pin that regulates the voltage level.


30 / 6 / 2013

my lack of soldering skills and general chaos have destroyed the phone. i need to find another one....


topic about MTK phones

http://forum.gsmhosting.com/vbb/f457/mtk-based-china-phones-briefing-817606/

succesful unlock

ZTE-G S511 Successful Unlock

SigmaKey 1.29.02 MTK: Direct unlock

Prolific USB-to-Serial Comm Port (COM2), Provider: Prolific, Driver ver.: 2.0.13.130, Date: 19.11.2009, USB\Vid_067b&Pid_2303&Rev_0202 Baud rate: 115200 Release "Power on" button! Baseband Processor:MT6251, HW Rev. A.03, SW Rev. 1.01 Serial number: DD0D735332AD9244 Testing external RAM...Skipped Detecting flash...SPI, ID: 00C22536-00000000 Flash size: 4 Mb, block size: 4 Kb File system: 384 Kb @ 003A0000 Firmware: ZTENJ51_32_11A_PCB01_gsm_MT6251_S01.PE-PT-TMN-P110A13V1_0_3B02 Hardware IMEI: Not found Software IMEI: 868608001756759 Mounting system disk...#0 Security area saved to "E:\WORK\Motorola\SmartMoto\Alcatel\86860800175675 9_ZTENJ51_32_11A_PCB01_gsm_MT6251_S01_PE-PT-TMN-P110A13V1_0_3B02.skb" Unlocking phone...Done

http://forum.gsmhosting.com/vbb/f719/zte-g-s511-successful-unlock-1733636/

about firmware reverse engineering

http://www.limited-entropy.com/insomnihack2013-hw

There is power in the blood and blitz in the benzedrine. 18:38, 12 July 2013 (CEST)


Some pages of possible interest

http://forum.gsmhosting.com/vbb/f312/____sagemjtagunlocker-support____-526394/

the 6250/6252, similar but focused on unlocking


°° chinese site with lots of files relating to other mtk models °°

https://github.com/luckasfb - has list of mtk related datasheets and software very close to mt6251

http://www.huayusoft.com/ develops educational boards, has file repostitory with mtk related material

downloadsite with lots of files related to mtk http://www.filecrop.com/mtk-6252-usb.html

other gsm related

http://forum.gsmhosting.com/vbb/f83/tutorial-how-extract-iso-image-huawei-modem-dashboards-1192243/

sim cloning