Difference between pages "UMTS" and "JTAG Huawei TracFone M865C"

From ForensicsWiki
(Difference between pages)
 
(Created page with "== JTAG Huawei TracFone M865C (Ascend II) == This phone is supported by the Cricket Network and Tracfone. This uses a Qualcomm 7627 600 MHz (S1) Processo and comes standard...")
 
Line 1: Line 1:
'''Universal Mobile Telecommunications System (UMTS)''' is one of the third-generation (3G) mobile telephone technologies. It uses W-CDMA as the underlying standard, is standardized by the 3GPP, and is the European answer to the ITU IMT-2000 requirements for 3G Cellular radio systems.
+
== JTAG Huawei TracFone M865C (Ascend II) ==
  
To differentiate UMTS from competing network technologies, UMTS is sometimes marketed as 3GSM, emphasizing the combination of the 3G nature of the technology and the GSM standard which it was designed to succeed.
 
  
For a more complete definition, see [http://en.wikipedia.org/wiki/Universal_Mobile_Telecommunications_System].
 
  
== Real-world Implementations ==
+
This phone is supported by the Cricket Network and Tracfone. This uses a Qualcomm 7627 600 MHz (S1) Processo and comes standard with Android version 2.3. This phone is unsupported by RIFF Box for the JTAG process for resurrector.
  
The first large scale real-life commercial UMTS network in the world went live in 2001 in Japan, operated by NTT DoCoMo.
 
  
Beginning in 2003 under the name 3, Hutchison Whampoa gradually launched their startup UMTS networks worldwide including Australia, Austria, Denmark, Hong Kong, Italy, Great Britain, Ireland and Sweden.
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[ File:huawei-tracfone-m865c-front.png | 400px ]]
 +
| [[ File:huawei-tracfone-m865c-back.png | 400px ]]
 +
|-
 +
|}
  
US provider AT&T Wireless (now Cingular) was required to build and market UMTS networks in four major United States cities by the end of 2004. At CTIA 2004, Cingular announced that their 3G network would be a 1900 MHz only implementation of UMTS and would launch by the end of that year as planned.  Cingular has deployed UMTS/HSDPA networks in 17 U.S. markets covering 52 cities. Markets include New York (NY), Austin (TX), Baltimore, Boston, Chicago, Dallas, Houston, Las Vegas, Phoenix, Portland (OR), Salt Lake City, San Diego, San Francisco, San Jose (CA), Seattle, Tacoma and Washington, D.C.
 
  
Operators are starting to sell mobile internet products that combine 3G and Wi-Fi in one service. Laptop owners are sold a UMTS modem and given a client program that detects the presence of a Wi-Fi network and switches between 3G and Wi-Fi when available. Initially Wi-Fi was seen as a competitor to 3G, but it is now recognised that as long as the operator owns or leases the Wi-Fi network, they will be able to offer a more competitive product than with UMTS only. Nokia has predicted that by the end of 2006 one sixth of all cellular phones will be UMTS devices.
 
  
== Interoperability and global roaming ==
+
=== Getting Started ===
  
At the air interface level, UMTS itself is incompatible with GSM. UMTS phones sold in Europe (as of 2004) are UMTS/GSM dual-mode phones, hence they can also make and receive calls on regular GSM networks. If a UMTS customer travels to an area without UMTS coverage, a UMTS phone will automatically switch to GSM (roaming charges may apply). If the customer travels outside of UMTS coverage during a call, the call will be transparently handed off to available GSM coverage.
 
  
Regular GSM phones cannot be used on the UMTS networks.
+
What you need:
  
== Forensics ==
 
  
Currently Paraben's SIM Card Seizure does not support UMTS SIM cards; there are plans to do so in the future.
+
# Riff Box
  
== Features ==
+
# USB to Micro USB cord
  
UMTS supports up to 1920 kbit/s data transfer rates; this is still much greater than the 14.4 kbit/s of a single GSM error-corrected circuit switched data channel or multiple 14.4 kbit/s channels in HSCSD, and - in competition to other network technologies such as CDMA-2000, PHS or WLAN - offers access to the World Wide Web and other data services on mobile devices.
 
  
From the beginning of 2006, UMTS networks in Japan are being upgraded with High Speed Downlink Packet Access (HSDPA), sometimes known as 3.5G. This will make a downlink transfer speed of up to 14.4 Mbit/s possible. Work is also progressing on improving the uplink transfer speed with the High-Speed Uplink Packet Access (HSUPA).
 
  
Marketing material for UMTS has emphasized the possibility of mobile videoconferencing, although experience in Japan and elsewhere has shown that user demand for Video calls is not very high.
+
=== NAND Dump Procedure ===
  
Other possible uses for UMTS include the downloading of music and video content, as well as live TV.
+
# Disassemble the phone down to the PCB.
 +
# Connect the RIFF box to the PC via USB.
 +
# Connect the RIFF box to the PCB via the JTAG pins.
 +
# Connect the PCB to a Micro USB cord and power via a power supply.
 +
# Start the "RIFF box" software.
 +
# Power the PCB.
 +
# Dump the NAND.
 +
 
 +
The TAPS are located under the battery, behind the Huawei phone label.  The phone will be powered by a Micro USB cord from an AC battery charger.
 +
 
 +
The TAPS order is as follows:
 +
 
 +
# 1=Not Used
 +
# 2=TCK
 +
# 3=GND
 +
# 4=TMS
 +
# 5=TDI
 +
# 6=TDO
 +
# 7=RTCK
 +
# 8=TRST
 +
# 9=NRST
 +
 
 +
 
 +
 
 +
{| border="1" cellpadding="2"
 +
|-
 +
| [[ File:huawei-tracfone-m865c-taps.png | 400px ]]
 +
|-
 +
|}
 +
 
 +
 
 +
 
 +
For the TAPs, the Huawei-8650 was utilized, pictured above. The TAPS on the M865C are located in the same location as the 8650. See below for TAPS locations.
 +
 
 +
 
 +
 
 +
{| border="1" cellpadding="2"
 +
|-
 +
| [[ File:huawei-tracfone-m865c-soldered-taps.png | 400px ]]
 +
|-
 +
|}
 +
 
 +
 
 +
 
 +
After the wires are connected to the board, the phone is powered by the USB connection. Plug the Micro USB into the USB connection on the device and then plug the phone into a wall outlet. The phone should respond with the vibrator switch activating for less than a second.
 +
 
 +
Launch the Riff Box JTAG Manager and use the following settings:
 +
 
 +
* JTAG TCK Speed = RTCK
 +
* Resurrector Settings= Huawei U8650
 +
* Auto FullFlash size
 +
 
 +
 
 +
 
 +
{| border="1" cellpadding="2"
 +
|-
 +
| [[ File:huawei-tracfone-m865c-riff-settings.png | 400px ]]
 +
|-
 +
|}
 +
 
 +
 
 +
 
 +
Advanced Settings:
 +
 
 +
* Ignore Target IDCODE during Resurrection and DCC Loader operations
 +
 
 +
 
 +
 
 +
{| border="1" cellpadding="2"
 +
|-
 +
| [[ File:huawei-tracfone-m865c-riff-advanced-settings.png | 400px ]]
 +
|-
 +
|}
 +
 
 +
 
 +
 
 +
Then connect and get the ID, you should receive the dead body signal. Then read the memory.  JTAG complete.
 +
 
 +
 
 +
=== Notes ===
 +
 
 +
 
 +
 
 +
The phone has a 512 MB NAND flash memory chip which should take approximately 30 minutes to download.
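Review bot: In the "TAPS order" list, the `#` list marker and the explicit pin prefix both number each item, so `# 1=Not Used` renders as "1. 1=Not Used"; drop the `#` markers or put the pin assignments in a table. In the intro paragraph, "Processo" should read "Processor", and the sentence saying the phone is unsupported by RIFF Box for resurrector should mention that the Huawei U8650 resurrector settings are used instead, since that is what the settings list selects further down. The "What you need" list names only the Riff Box and the USB cord, while the procedure also relies on wires connected to the TAPS and on a power supply; add them to the list.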

Revision as of 20:29, 11 September 2013

JTAG Huawei TracFone M865C (Ascend II)

This phone is supported by the Cricket Network and Tracfone. It uses a Qualcomm 7627 600 MHz (S1) processor and comes standard with Android version 2.3. RIFF Box does not support this phone for the resurrector JTAG process.


[Image: huawei-tracfone-m865c-front.png] [Image: huawei-tracfone-m865c-back.png]


Getting Started

What you need:


  1. RIFF Box
  2. USB to Micro USB cord


NAND Dump Procedure

  1. Disassemble the phone down to the PCB.
  2. Connect the RIFF box to the PC via USB.
  3. Connect the RIFF box to the PCB via the JTAG pins.
  4. Connect the PCB to a Micro USB cord and power via a power supply.
  5. Start the "RIFF box" software.
  6. Power the PCB.
  7. Dump the NAND.

The TAPS are located under the battery, behind the Huawei phone label. The phone will be powered by a Micro USB cord from an AC battery charger.

The TAPS order is as follows:

  1. Not Used
  2. TCK
  3. GND
  4. TMS
  5. TDI
  6. TDO
  7. RTCK
  8. TRST
  9. NRST


[Image: huawei-tracfone-m865c-taps.png]


The TAPS pictured above are those of the Huawei-8650, which was used as the reference. The TAPS on the M865C are in the same location as on the 8650. See below for the TAPS locations.


[Image: huawei-tracfone-m865c-soldered-taps.png]


After the wires are connected to the board, the phone is powered by the USB connection. Plug the Micro USB into the USB connection on the device and then plug the phone into a wall outlet. The phone should respond with the vibrator switch activating for less than a second.

Launch the Riff Box JTAG Manager and use the following settings:

  • JTAG TCK Speed = RTCK
  • Resurrector Settings = Huawei U8650
  • Auto FullFlash size


[Image: huawei-tracfone-m865c-riff-settings.png]


Advanced Settings:

  • Ignore Target IDCODE during Resurrection and DCC Loader operations


[Image: huawei-tracfone-m865c-riff-advanced-settings.png]


Then connect and get the ID; you should receive the dead body signal. Then read the memory. The JTAG process is then complete.


Notes

The phone has a 512 MB NAND flash memory chip which should take approximately 30 minutes to download.
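
Once the read has finished, the dump can be checked before any analysis is done on it. The script below is an added example, not part of the original wiki page or of the RIFF Box software: it hashes a raw dump file, compares its length with the 512 MB stated above, and counts chunks that contain nothing but 0xFF or 0x00. The function name, the chunk size and the assumption that the dump holds main-area data only (no spare bytes) are assumptions.

```python
import hashlib
import sys

# 512 MB NAND per the Notes above. Assumption: the dump holds main-area data
# only (no spare/OOB bytes), so a complete read is exactly 512 MiB.
EXPECTED_SIZE = 512 * 1024 * 1024
CHUNK = 1024 * 1024  # read 1 MiB at a time so the file never sits in RAM


def verify_dump(path, expected_size=EXPECTED_SIZE, chunk=CHUNK):
    """Hash a raw dump and collect sanity figures (hypothetical helper)."""
    sha = hashlib.sha256()
    size = total = constant = 0
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            sha.update(data)
            size += len(data)
            total += 1
            # Erased NAND reads back as 0xFF; an all-0x00 chunk is also worth
            # flagging. Count chunks made up of only one of those bytes.
            if data[0] in (0x00, 0xFF) and data.count(data[0]) == len(data):
                constant += 1
    size_ok = size == expected_size
    return {
        "size": size,
        "size_ok": size_ok,
        "sha256": sha.hexdigest(),
        "total_chunks": total,
        "constant_chunks": constant,
        # Wrong length, or no chunk with real data, means the read should be
        # repeated before the image is used.
        "suspect": (not size_ok) or constant == total,
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_dump.py <dump file>")
    for key, value in verify_dump(sys.argv[1]).items():
        print(f"{key}: {value}")
```

Record the SHA-256 value with the case notes; a second read of the same NAND that yields a different hash points to an unstable JTAG connection.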