Hacking ZTE-G S511, cheapest mobile phone at €7.50
| Projects | |
|---|---|
| Participants | |
| Skills | precise soldering of SMD, reverse engineering firmware, ARM assembly |
| Status | Active |
| Niche | Electronics |
| Purpose | Use in other project |
This phone got me thinking: you can get it, including a prepaid SIM card, for €7,50 at the KIJKSHOP. It has an MP3 player, an SD card reader, and a micro-USB port to connect the headphones, as well as to transfer files to the SD card (USB mode).
AFAIK it is now possible to run the firmware from an external UART / serial feed (you cannot flash the protected flash ROM apparently, but there may be ways around it, who knows). It's possible to read the flash and then disassemble it with IDA Pro to see if anything can be done with it. It would be nice to use this complete device with an extra board feeding it the firmware via UART, and then see if a microcontroller can control some functions (like dialing/SMS-ing) on certain events, etc.
Nicest of course would be if the USB port could be used as the interface and the whole thing could be reprogrammed this way to, for instance, act as an autonomous alarm system, tripwire, whatever. Battery power limits the time (solar powering).
Basically the whole point was: €7,50, including battery and 5 euros of credit, for a whole phone. Worth hacking.
update
This GitHub repository has loads of info regarding the MTK line of products.
Development Documents for MTK chipsets
There is power in the blood and blitz in the benzedrine. 16:17, 9 July 2013 (CEST)
Hardware disassembly
It is based on the MT6251 Reference Phone (Sparrow51), which is based on the ARM MT6251V.
It has a Macronix MX25U3235EZNI 32M-bit flash memory.
It uses a RF7176 quad-band (GSM850/EGSM900/DCS1800/PCS1900) GSM/GPRS Class 12 compliant transmit module.
The LCD screen is a TXDT144CF 128x128 RGB 1,44"
Pages on MTK
Based China Phones briefing*** This thread describes everything needed to get the flash from the phone and hack it. I have made a separate page to make sure that no information is lost when this forum is taken down.
plan
OK, I've figured out that according to this thread it is possible to connect UART(?) RX, TX and ground to pins on the board (figuring out which pins is simple with a multimeter) and then feed the firmware from the serial port. Flashing the memory is not possible because the device is protected against that. But a very simple Arduino(?) board or whatever, which feeds the firmware, could then control the GSM, MP3 player, SD card, etc.
With a based USB-to-serial converter an RS232-TTL level converter (12V to 3.3-5V) should not be necessary. The PL2303 already puts out 3.3-4 volt; actually it speaks about a pin that regulates the voltage level.
30 / 6 / 2013
My lack of soldering skills and general chaos have destroyed the phone. I need to find another one....
Some pages of possible interest
http://forum.gsmhosting.com/vbb/f312/____sagemjtagunlocker-support____-526394/
http://www.clones-chinois.com/index
°° Chinese site with lots of files relating to other MTK models °°
https://github.com/luckasfb - has a list of MTK-related datasheets and software very close to the MT6251
http://www.huayusoft.com/ develops educational boards, has a file repository with MTK-related material
Download site with lots of files related to MTK: http://www.filecrop.com/mtk-6252-usb.html