GSM-Forum > Product Support Sections > Hard/Software Products (official support) > Easy-Jtag / Easy-Jtag Plus
Old 02-08-2018, 17:13   #1 (permalink)
Freak Poster
 
Join Date: May 2011
Location: algeria
Posts: 141
Member: 1582098
Status: Offline
Thanks Meter: 17
EasyJtag Huawei B5328 Jtag pins help


Hello,
I was wondering if Easy Jtag will help me find the JTAG pinout of this modem's board, based on the GCT GDM7243Q.

I need some help finding the JTAG pins for this model.

I have tested the pins with a multimeter for possible voltages.

Attached are the picture of the board and the software version. As you can see, the IMEI and U-Boot version do not appear, so I want to interact with the device using JTAG to perform any repair to the IMEI and U-Boot.
Actually I did not find any firmware related to this device. Any help would be appreciated.

System log messages from the main menu:

Code:
Jan  1 00:00:01 syslogd started: BusyBox v1.21.0-uc0
Jan  1 00:00:01 kernel:   IPC_IF_RX_LIMIT=100
Jan  1 00:00:01 kernel: jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
Jan  1 00:00:01 kernel: msgmni has been set to 148
Jan  1 00:00:01 kernel: io scheduler noop registered
Jan  1 00:00:01 kernel: io scheduler deadline registered
Jan  1 00:00:01 kernel: io scheduler cfq registered (default)
Jan  1 00:00:01 kernel: Initialize gdm-i2c
Jan  1 00:00:01 kernel: Probe gdm-i2c
Jan  1 00:00:01 kernel: i2c bus frequency set to 400 KHz
Jan  1 00:00:01 kernel: i2c-0: GDM I2C adapter
Jan  1 00:00:01 kernel: PMIC Register [0x00~0x0f]
Jan  1 00:00:01 kernel: d4827e58: 10 03 00 f0 7e 0f 00 0b 13 5d 35 45 45 4c 00 00
Jan  1 00:00:01 kernel: PMIC SWREGADJ1=0xb
Jan  1 00:00:01 kernel: ECOSWREG: 0f->ff
Jan  1 00:00:01 kernel: PMIC GMT-G5851(id:12) probed!
Jan  1 00:00:01 kernel: gdm-uart.0: ttyS0 at I/O 0xfc007500 (irq = 2) is a gdm-uart
Jan  1 00:00:01 kernel: gdm-uart.1: ttyS1 at I/O 0xfc007540 (irq = 21) is a gdm-uart
Jan  1 00:00:01 kernel: gdm-uart.2: ttyS2 at I/O 0xfc007580 (irq = 33) is a gdm-uart
Jan  1 00:00:01 kernel: gdm-uart.3: ttyS3 at I/O 0xfc007600 (irq = 12) is a gdm-uart
Jan  1 00:00:01 kernel: [USIM] : GDM USIM device driver (1.0)
Jan  1 00:00:01 kernel: Serial flash ID[00000000] 
Jan  1 00:00:01 kernel: Serial flash driver MAJOR[140]
Jan  1 00:00:01 kernel: start : c4000000, regs : d6000000, area : d4a80440, size : 16777216
Jan  1 00:00:01 kernel: brd: module loaded
Jan  1 00:00:01 kernel: GDM7243 NAND Driver, GCT Semiconductor, Ltd.
Jan  1 00:00:01 kernel: Built-in Ecc Nand
Jan  1 00:00:01 kernel: pagesize : 2K
Jan  1 00:00:01 kernel: address cycle : 4
Jan  1 00:00:01 kernel: NAND device: Manufacturer ID: 0x98, Chip ID: 0xa1 (Toshiba NAND 128MiB 1,8V 8-bit), 128MiB, page size: 2048, OOB size: 64
Jan  1 00:00:01 kernel: Bad block table found at page 65472, version 0x01
Jan  1 00:00:01 kernel: Bad block table found at page 65408, version 0x01
Jan  1 00:00:01 kernel: nand_read_bbt: bad block at 0x000006000000
Jan  1 00:00:01 kernel: 17 cmdlinepart partitions found on MTD device gdm7243
Jan  1 00:00:01 kernel: 17 cmdlinepart partitions found on MTD device gdm7243
Jan  1 00:00:01 kernel: Creating 17 MTD partitions on "gdm7243":
Jan  1 00:00:01 kernel: 0x000000000000-0x000000080000 : "u-boot"
Jan  1 00:00:01 kernel: 0x000000080000-0x000000100000 : "env"
Jan  1 00:00:01 kernel: 0x000000100000-0x000000200000 : "rev0"
Jan  1 00:00:01 kernel: 0x000000200000-0x000000300000 : "ltenv"
Jan  1 00:00:01 kernel: 0x000000300000-0x000000400000 : "wmnv"
Jan  1 00:00:01 kernel: 0x000000400000-0x000000500000 : "cmnnv"
Jan  1 00:00:01 kernel: 0x000000500000-0x000000600000 : "cmnnv2"
Jan  1 00:00:01 kernel: 0x000000600000-0x000000a00000 : "rev1"
Jan  1 00:00:01 kernel: 0x000000a00000-0x000000e00000 : "linux"
Jan  1 00:00:01 kernel: 0x000000e00000-0x000001200000 : "linux2"
Jan  1 00:00:01 kernel: 0x000001200000-0x000003000000 : "rootfs"
Jan  1 00:00:01 kernel: 0x000003000000-0x000004e00000 : "rootfs2"
Jan  1 00:00:01 kernel: 0x000004e00000-0x000005300000 : "tk"
Jan  1 00:00:01 kernel: 0x000005300000-0x000005800000 : "tk2"
Jan  1 00:00:01 kernel: 0x000005800000-0x000005880000 : "customize"
Jan  1 00:00:01 kernel: 0x000005880000-0x000005b00000 : "log"
Jan  1 00:00:01 kernel: 0x000005b00000-0x000007b00000 : "update"
Jan  1 00:00:01 kernel: ---------------------
Full logs: B5328-logs (mediafire link)

Any help would be appreciated. Thanks.
Old 02-14-2018, 17:22   #2 (permalink)
Freak Poster
 
Join Date: May 2011
Location: algeria
Posts: 141
Member: 1582098
Status: Offline
Thanks Meter: 17
Can anyone answer whether I can use the EasyJtag to find the JTAG pinouts and use it to dump the device?
Old 03-18-2018, 14:58   #3 (permalink)
Freak Poster
 
Join Date: May 2011
Location: algeria
Posts: 141
Member: 1582098
Status: Offline
Thanks Meter: 17
Hello, how can I know which socket supports the GDM7243Q? I want to take a dump of it.
Old 07-20-2018, 22:05   #4 (permalink)
Junior Member
 
Join Date: Jul 2018
Posts: 2
Member: 2852300
Status: Offline
Thanks Meter: 0
I have also been working on this chipset - pulled from a different device though.

The chip variant in your device appears to be similar to a LC4RT mPCI-e card, however obviously with some distinct differences. On the LC4RT, mPCIe only brings out a USB ethernet+acm interface along with dedicated UART to align with mPCIe standards. What you have looks like something custom though and it's hard to tell what the pins are without a datasheet.

Document below has a ton of information on the other variant. Not the most useful here but it does have AT commands and some things that could benefit you later on.

Search FCCIO for FCCID P27LC4RT (I can't post links yet but it's easy to find).

UART and Telnet are both password protected (or it was in my case). Have you tried these? On OEM firmware gaining root access was trivial so hopefully it's not that hard on Huawei either. At first, I used basic command injection that you may have to hunt for a little bit, then afterwards I found a hidden page - systemcommand<dot>html.

Chances are you will not have that command page since Huawei used their own UI but injection is still a greater possibility. The command you want to run is along the lines of - ‘mount -o remount,rw / && passwd -o root’. After you have root just telnet in and enable the ftpd then freely grab anything you want to look at.

This is all assuming that Huawei did not take extra measures to secure the device beyond GCT/oem provisioning – if they did it’s likely they also blew the jtag fuses or took other steps to prevent access after provisioning.



More notes…
Access to the DM> shell without UART can be achieved by running /usr/lted_cli from telnet. Direct ACM access is only available under Linux /dev/ttyACM0 however AT commands can be issued from the DM> shell. In theory once configurations are saved the device can work under Windows with USB Ethernet gadget options set however I have not been able to achieve a connection manually yet as I do not have service on the required bands to test with.

Most interesting thing here.. LTE modem has a wide range of RF operation listed on the product brief however seems to be locked down to a handful of specific bands - in my case separate from the bands listed for the Huawei device (even though it’s the same chip package). This makes me think it’s somehow controllable in firmware, likely locked down to align with FCC and other local regulation. This would be especially useful for me since I do not use the service provider who operates on the bands currently enabled.

Lastly, I wouldn’t go off and try installing openwrt or anything funny on the chip directly since storage is at some premium and unknown binaries are also at play however with the right cross compiler / tool set one could easily build additional apps/functionality for the chip.
Old 07-20-2018, 22:37   #5 (permalink)
Junior Member
 
Join Date: Jul 2018
Posts: 2
Member: 2852300
Status: Offline
Thanks Meter: 0
Forgot some more notes that may be useful. Sorry for the blast of data here.

The IMEI is essentially unlocked and can be manually set in the DM> shell (or web interface on OEM firmware). I would say that yours is listed as N/A because the modem initialization scripts have not yet been invoked, and this is likely how the software is made aware of the IMEI Huawei defined.

Huawei is fairly good about providing GPL src files. The B5328 is not listed on the site but I notice the "Open Source Notice" in the screenshot. It's possible you may get lucky if you ask them directly.