Hacking ZTE-G S511, cheapest mobile phone at €7.50

From Technologia Incognita
Revision as of 03:03, 21 October 2013

Projects
(photo: Zte.jpg)
Participants:
Skills: precise soldering of SMD, reverse engineering firmware, ARM assembly
Status: Active
Niche: Electronics
Purpose: Use in other project

The phone is available from Tele2 (website) as well as Kijkshop (sometimes).

This phone got me thinking: you can get it, including a prepaid SIM card, for €7,50 at the Kijkshop. It has an MP3 player, an SD card reader, and a micro-USB port that is used both for the headphones and for transferring files to the SD card (USB mode).

AFAIK it is now possible to run the firmware from an external UART / serial feed (apparently you cannot flash the protected flash ROM, but there may be ways around it, who knows). It is possible to read the flash and then disassemble it with IDA Pro to see if anything can be done with it. It would be nice to use this complete device with an extra board feeding it the firmware via UART, and then see whether a microcontroller can control some functions (like dialing or sending SMS) on certain events, etc.

Nicest of course would be if the USB port could be used to interface with it, and the whole thing could be reprogrammed this way to perform as, for instance, an autonomous alarm system, tripwire, whatever. Battery power limits the run time (solar powering).

Basically the whole point was: €7,50, including battery and 5 euros of credit, for a whole phone; worth hacking.
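A small triage script for the "read the flash, then disassemble it" step, added here as an example and not part of the original project page: it checks a dump against the size of the 32 Mbit Macronix part, looks for an ARM exception vector table (the MT6251 is ARM-based, so that is where code rather than data starts) and lists printable strings. The vector-word patterns are generic ARM32 encodings, not anything taken from this phone's firmware, and the sample bytes are constructed.

```python
import re
import struct

# Macronix MX25U3235E is a 32 Mbit SPI NOR part: a complete dump is 4 MiB.
FLASH_BYTES = 32 * 1024 * 1024 // 8

def check_dump_size(dump: bytes):
    """Return (ok, message): a full dump must be exactly FLASH_BYTES long."""
    if len(dump) == FLASH_BYTES:
        return True, "dump is a full 32 Mbit image"
    return False, f"dump is {len(dump)} bytes, expected {FLASH_BYTES}"

def is_vector_word(word: int) -> bool:
    """An ARM exception-vector slot normally holds an unconditional branch
    (B, top byte 0xEA) or 'LDR pc, [pc, #imm]' (top 20 bits 0xE59FF)."""
    return (word >> 24) == 0xEA or (word >> 12) == 0xE59FF

def find_vector_tables(dump: bytes, step: int = 4):
    """Offsets where 8 consecutive little-endian words all look like vector
    entries; candidates for the image base when loading into a disassembler."""
    hits = []
    for off in range(0, len(dump) - 31, step):
        if all(is_vector_word(w) for w in struct.unpack_from("<8I", dump, off)):
            hits.append(off)
    return hits

def ascii_strings(dump: bytes, min_len: int = 6):
    """Printable ASCII runs: version banners and command tables usually show
    up here before any disassembly is done."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, dump)]

# Constructed sample (not a real dump): a fake vector table of 7 branches and
# one LDR pc entry, then 0xFF padding, then a string.
SAMPLE = (struct.pack("<8I", *([0xEA000006] * 7 + [0xE59FF018]))
          + b"\xff" * 24 + b"SAMPLE_FW v1.0\x00" + b"\x00" * 8)

if __name__ == "__main__":
    print(check_dump_size(SAMPLE)[1])
    print("vector table candidates:", [hex(o) for o in find_vector_tables(SAMPLE)])
    print("strings:", ascii_strings(SAMPLE))
```

On a real dump, replace SAMPLE with the bytes read from the flash chip; a size mismatch usually means the reader stopped early or the wrong part was selected.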

update

On this GitHub repository there is loads of info regarding the MTK line of products:

Development Documents for MTK chipsets: https://github.com/luckasfb/Development_Documents



Hardware disassembly

DSC01325.JPG

It is based on the MT6251 Reference Phone (Sparrow51), which is based on the ARM MT6251V.

It has a Macronix MX25U3235EZNI 32 Mbit flash.

It uses a RF7176 quad-band (GSM850/EGSM900/DCS1800/PCS1900) GSM/GPRS Class 12 compliant transmit module.

The LCD screen is a TXDT144CF 128x128 RGB 1,44"

Pages on MTK

MTK Based China Phones briefing: this thread describes everything needed to get the flash from the phone and hack it. I have made a separate page to make sure that when this forum is taken down no information is lost.

plan

OK, I've figured out that according to this thread it is possible to connect UART(?) RX, TX and ground to pins on the board (figuring out which pins is simple with a multimeter) and then feed the firmware from the serial port. Flashing the memory is not possible because the device is protected against that. But a very simple Arduino(?) board or whatever, which feeds the firmware, could then control the GSM, MP3 player, SD card etc.

With a PL2303-based USB-to-serial converter an RS232-to-TTL level converter (12V to 3.3-5V) should not be necessary. The PL2303 already puts out 3.3-4 volt; actually it speaks about a pin that regulates the voltage level.


30/6/2013

My lack of soldering skills and general chaos have destroyed the phone. I need to find another one....


topic about MTK phones

http://forum.gsmhosting.com/vbb/f457/mtk-based-china-phones-briefing-817606/


about firmware reverse engineering

http://www.limited-entropy.com/insomnihack2013-hw

There is power in the blood and blitz in the benzedrine. 18:38, 12 July 2013 (CEST)


Some pages of possible interest

http://forum.gsmhosting.com/vbb/f312/____sagemjtagunlocker-support____-526394/

the 6250/6252, similar but focused on unlocking


Chinese site with lots of files relating to other MTK models:

https://github.com/luckasfb - has a list of MTK related datasheets and software very close to the MT6251

http://www.huayusoft.com/ develops educational boards, has a file repository with MTK related material

Download site with lots of files related to MTK: http://www.filecrop.com/mtk-6252-usb.html

Other GSM related

http://forum.gsmhosting.com/vbb/f83/tutorial-how-extract-iso-image-huawei-modem-dashboards-1192243/

SIM cloning