4G GPS Tracker Reverse Engineering - Cell Modem Interactions

Подписаться 33 тыс.

Просмотров 28 тыс.

50% 1

In this video, we take a look at the cell modem of a Chinese 4G GPS tracker.
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity

Наука

Опубликовано:

17 июн 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 122

@TheSlimHim 9 дней назад

Found your channel recently. I don't know much about hardware hacking but love what I've seen so far! Very informative and entertaining.

@mattbrwn 9 дней назад

Thanks for watching :) always love to hear from ppl outside the hardware hacking space. Cool that this content can be interesting outside of our little world!

@frankrizzo890 9 дней назад

AT commands were invented by Hayes in the 80's. They became the industry standard for sending commands to modems.

@RickTheGeek 9 дней назад

So many fun times on BBSs started with ATDT 😀☎️

@grantharmon3491 9 дней назад

Hyperterminal!

@pete3897 9 дней назад

@@RickTheGeek or even just ATD (for pulse) :)

@samuraidriver4x4 9 дней назад

The issue is that its not an actual standard. For setting a serial baudrate alone there can be atleast 5 variants that I can think of off the top of my head. AT+UART=115200,0,0 ATBAUD115200 AT+BAUD115200 AT+BAUD="115200" AT+BAUDX (X stands for a number in a lookup table from the manufacturer.) There are probably more options out there but these alone come from some experimenting with bluetooth modules I did recently.

@TechGorilla1987 9 дней назад

AT OK

@kramermccabe8601 9 дней назад

Absolutely love the content. Commenting and upvoting for the algorithm

@KyleWood1985 9 дней назад

You have a gift for IOT content! Always entertaining!

@Ingineerix 9 дней назад

Many of these cell modems have an "application processor" where you can run simple applications without the need for an external microcontroller. I doubt they would populate the GPS that's not connected to anything. It probably feeds the NMEA into a UART on the modem and they have installed a simple application to handle it.

@sivalley 9 дней назад

Came looking for this comment. The easiest way to implement is to literally use the cell modem as a data pipe and send the NMEA stream to the phone/web app and have it pipe that into Google/Apple/Open Maps to paint the location. It's likely someone forgot to use the GPS data in the 1NCE (lol 'once') api configuration instead of the cell tower effectively nerfing their own product. For the uninitiated reading this; a NMEA stream is usually 38400 on newer high speed modules that support GPS, GLONASS, BeiDou, and Galileo so the total bandwidth per device is even smaller than a voice stream so it's no wonder they can offer 10 years of data for $10. Edit: NMEA, not NEMA

@Jayjlow 9 дней назад

In the prior video he said he tried to find how the GPS is connect to the modem and he couldn’t find any connections.

@Ingineerix 9 дней назад

@@Jayjlow Yeah, I watched it. I didn't see any in-depth attempt to follow it. On a 4-layer board you have to do a lot of work to follow traces, or take an X-ray (what I do).

@tonyfremont 8 дней назад

This GPS module contains a feature that can log positions and then stream them out a UART port. I think it's call LOCUS and Quectel documents in the data sheet for the GPS module. A microcontroller is not needed to process and keep track of NMEA sentences. I highly suspect there is a serial connection between the GPS and the 4G modules.

@Ingineerix 8 дней назад

@@tonyfremont Agreed. Yeah, I don't think @Mattbrwn explored the PCB enough to prove or disprove it. There's no way they'd leave the GPS module populated just sitting there with no data connection. The missing Microcontroller was probably designed for models with more features.

@juandvalenciano2889 9 дней назад

Very good job on figuring out how it works, interesting that there are simcard providers with these plans. For very very low latency IotT projects it's great.

@mattbrwn 9 дней назад

yeah for me learning about this SIM provider alone was worth this project.

@nulltrope 9 дней назад

agreed im already thinking how I can use this 1nce service for my next project

@kmpnelson 9 дней назад

Absolutely appreciate the consistent content!

@mattbrwn 9 дней назад

thanks! :)

@AlexKiraly 9 дней назад

We don't deserve you, keep up the good work! Awesome content

@josh9761 9 дней назад

introduce me to so many new topics with each video really love the content

@nathanshoults2896 9 дней назад

absolutely love the content, the only criticism is possibly writing a script. regardless, great job

@Roborob12345 9 дней назад

Super interesting video! Thanks for explaining it in such a practical manner

@kaydog890 9 дней назад

It's a 16minute video, that was released 1 minute ago. Did you play it on 100x ?

@g4t375 9 дней назад

@@kaydog890 lmaoo

@mattbrwn 9 дней назад

LOL time for a story... one time I got a random content strike from YT on one of my videos. I appealed decision and they removed the content strike in LESS TIME than the duration of the video. This proves they didn't actually watch it...

@pete3897 9 дней назад

AT commands (called AYE TEE commands, not "at" commands) are a historical legacy from the Hayes modem days and have spread to all manner of modem and even non-modem devices over the years

@mattbrwn 9 дней назад

haha yeah realized I was saying it wrong after recording :D

@FloridaMan02 9 дней назад

@mattbrwn love your work. Accepting donations for projects? AT meant attention im almost sure. There's also an escape sequence to get back to AT mode when in binary transfer mode, such as after connection. AT DT 305.324.8811 would dial touchstone then after carrier detect would transfer binary and ignore AT command. A pause of 1 second then +++ and another pause would escape binary mode back to AT but stay connected. Some hidden devices can be found this way. Compuserve and some other 1980 and 1990s services could be crashed by using that escape code from remote users. Interesting things like having compuserve call you back long distance at their expense could be accomplished by this method and stringing commands and delays together.

@mattbrwn 8 дней назад

You mean HW donations? I'm looking to get a PO box to facilitate that soon.

@xrafter 9 дней назад

Matt have shown in 1st and 2nd video his abilities to not just understand the hardware but also the software intop of it, and also some OSINT skill. Totally a hacker

@TAELSDOLL 9 дней назад

thanks jimbo. love ur vids

@gomberfu 9 дней назад

Fantastic as usual!!!

@daverichards2979 9 дней назад

Every time I watch I get more jealous of your home lab.

@walkman1269 9 дней назад

Oh look I see you in West Tennessee. Love your content.

@mattbrwn 9 дней назад

patron state of shooting stuff :D

@3bdo3id 9 дней назад

love the content thanks from Egypt

@matejkuka797 9 дней назад

Love your channel and videos :) upVote

@DerinTheErkan 9 дней назад

Love the content, you said you wanted to hold onto the SIM card but weren't going to use the modem itself, do you anticipate any issues with eg. an IMEI whitelist on the network provider?

@mohammadrezamim272 9 дней назад

Some of Simcom modems have the ability to be programmed. This module can be one of them that you can write your own code on it. Because the board has gps antenna and gps module which is too much extra cust for manufacturer, I believe it is programmed to get GPS data from L76 gps module and send it over network to tracking Server. You can test it using different SIM CARD

@johnwilson3918 6 дней назад

My thoughts exactly. There's no need for a second MPU to handle the GPS data when you have one under the Simcom 'hud'. Did you look into the connections between the GPS and LTE Modem?

@hoteny 9 дней назад

This is even cooler.

@TheChillieboo 6 дней назад

Awesome!

@haruny 9 дней назад

Great video. For devices... try hardware analysis of random IOT devices. e.g.: X-sense mail sensor. $18 Lora (claimed) private device. Requires a hub. It would be great to jailbreak it so people can use it with ESPs.

@d3stinYwOw 9 дней назад

Thing is - you can use GPS external device with such modem, since some of them allow pluggin-in additional 'apps', including interfacing external modules

@TheSlimHim 9 дней назад

Why would it include the gps hardware but then not use it? 14:30

@GabrielHowat 9 дней назад

Probably just a cheaper version that does not require an MCU, but still very strange that they kept the GPS chip and antenna in the design, since they are quite expensive as well

@harisalic2568 9 дней назад

@@GabrielHowat Could be from the time where simple mcus were out of stock everywhere

@pozdroszejset4460 9 дней назад

that sounds insane but i can imagine the conversation - hey product owner we can't get any MCUs anywhere - okay just don't put it in then we'll get it from cell towers lmao

@harisalic2568 9 дней назад

@@pozdroszejset4460 thats basically how it goes in tech, ceos dont know shit and just Tell you to make it work

@doganertan7259 9 дней назад

To advertise it as a GPS tracker most probably.

@Turco949 9 дней назад

LOL....I'd only mention where something was made if it was NOT made in China. On a more serious note, good video, thanks for sharing!

@matthiasbehr3818 8 дней назад

Thank you, it's not easy to find really informative content on youtube. Why not connecting the GPS module with the cellmodem? Is that too complex to realize?

@fersunk 9 дней назад

I have used those 1nce sim cards in my last job, they're very useful with some nice APIs They have a VPN built in.

@outseeker 9 дней назад

very interesting! takes me back to 56k dialup days lol can you ATD the number of another, and ATA to answer the call or something similar to how land lines used to be? can they talk to each other like that?

@remiserriere 8 дней назад

Hey @MattBrown did you try to run AT commands to enable GNSS on the A7670SA? There's an application note on the product webpage. Not sure it applies to this module tho... FYIW I am using the GNSS features off a Dell EM7455B LTE minipcie modem (DW5811e Snapdragon X7 LTE based). It doesn't have any GNSS antenna, only the LTE ones, and it is able to get a fix. Maybe the A7670SA can as well, which would mean the GNSS chip and antenna would be a waste of resources....

@SureshotCyclonus 9 дней назад

Could you please talk about where you got your workbench and how you keep your gear organized?

@mattbrwn 9 дней назад

workbench is BenchPro. its $$$$ but nice. I'm NOT very organized so best not take that advice from me :D

@dfgaJK 9 дней назад

seems odd that the GPS hardware is populated... what is the "firmware" on the cell modem, does it have an onboard MCU, can it be updated with custom firmware to poll the GPS module?

@zoenagy9458 9 дней назад

would need uart tracing

@GadgetReviewVideos 9 дней назад

I would be curious to see if this modem takes this command? AT+QADBKEY? If it does then I could help. you with unlocking it completely and then you can use ADB to edit, transfer, install files in the shell.

@mattbrwn 9 дней назад

will try this when I get back to my workspace :)

@marcusaurelius3487 7 дней назад

couldnt you just ping with an end device connected to the modem? Or does the moden have a different communication IP?

@mattbrwn 7 дней назад

The modem gets a private IP. So I would need another device with a similar SIM to get on that same network and then hope they didn't firewall off the different devices from each other.

@marcusaurelius3487 7 дней назад

@@mattbrwn so the modems IP differs from the public IP that an end devices traffic routes trough?

@mattbrwn 7 дней назад

Correct

@alexfedorov1160 9 дней назад

It would be really strange product placement if they were actually not using the GPS receiver; maybe it's connected through some level shifter or whatnot. The absent microcontroller is a fraction of the price of the GPS thing. Also, the modem has to have a powerfull CPU to do its own thing, so it can easily receive and parse some UART data. Basically, the modem is more interesting than the tracker itself, and it *probably* runs Linux inside.

@Daniel-tw5qc 8 часов назад

The 10-year statement is also false advertising I guess? The 1NCE service states, "SIM cards that have not transmitted any data for 18 months consecutively are automatically deactivated." So sure you can use it for 10 years but you need to send some amount of data before 18 months. Also, personal use consumers aren't allowed to purchase the SIM apparently, "The 1NCE IoT Lifetime Flat is only aimed at companies, therefore students or developers looking to purchase the 1NCE SIM card as private individuals (consumers) are excluded from doing so."

@coreybabcock2023 9 дней назад

Ok I got the website working

@AlphaOmegaSigma 9 дней назад

quite bummed that the MCC, MNC, TAC, and CID didnt yield any location on public databases. i guess they have some private db or something.

@idgn 9 дней назад

Could you check how much data this device uses per location ping?

@john_turner 9 дней назад

This sounds like like a stupid question and I feel that way for asking it. On their website it says 500MB allowance but it doesn’t say anything about per month. Is it really 500 per month

@mattbrwn 9 дней назад

No it's over the life of the contract. So it's 500 MB total OR 10 years.

@Elixz89 9 дней назад

Using Ctrl + L in your terminal will clear your screen

@addas4 9 дней назад

I just don't get how the "GPS" device transmit data to USB without microcontroller (aka CPU or brain) Like how the logic is processed? There is clearly a shell interface when you connect to ttyUSB2, so how also it handles your data input without microcontroller?

@NeinIhFlyer 2 дня назад

How do you proactively keep yourself in loop with IOT/cyber hacking related news? Like reddit subs, twitter etc.

@mattbrwn 2 дня назад

honestly: twitter and linkedin. but I probably could use a better source than that. mostly ignore the news and focus on what I'm doing :)

@coreybabcock2023 9 дней назад

We need to do videos on Sierra wireless modems cause I need to learn how to hack mine

@Gunbudder 9 дней назад

id love to see you reverse one on those cell signal boosters that have rf in and out and an outdoor antenna and indoor antenna. i suspect most of them are a scam

@mattbrwn 9 дней назад

I've never looked at one of those but I do have some more cell-based devices coming up in the pipeline. cell stuff is new to me so these are all fun projects to learn on.

@temptemp7037 9 дней назад

Sorry, but this video makes no sense. Some code is still required to run on the device side to push its location to the backend. The API you are showing is just to pull data from 1NCE. The APN thing is that it works kind of like a VPN connection. Its possible that the device is running some "application" that is like an addon code that you can write and upload to the device that works alongside the default AT firmware. I seem to recall that you can write these "applications" in Python as well.

@Falney 9 дней назад

I said in the last video that I thought it used cell triangulation rather than GPS. No idea why the populated the GPS chi though if that's the case.

@LPgoesGOOD 2 дня назад

please do meta portal

@coreybabcock2023 9 дней назад

Anyone remember kore networks ? I have a iot board from a profile lighting box

@CINEMA-GHAR1122 2 дня назад

pleases please solve my dought i have a router 4 router that working on internet using SIM but i update my router farmwere how i gain ancces and countroll admin the router i already resaet,formate, it please help me i foller a lot of you channel

@ElvenJustice 7 дней назад

14:51 wow thaqt's messed up, but why would they waste the cost of putting that GPS chip on the board if it's not connected?

@tweebs1 8 дней назад

So it's essential the same as the $3 AliExpress "GPS" trackers but with a SIM card.

@mattbrwn 8 дней назад

Yeah I may mess around with some of those cheap ones now 😁

@roguesecurity 8 дней назад

If the GPS module was not used, why did they include it and increased the cost 🤔

@xrafter 9 дней назад

Can I ssh into your *public* DO server?

@mattbrwn 9 дней назад

Lol you are welcome to try 😜 If you pwn that server I'll feature you in a video

@foxfoxfoxfoxfoxfoxfoxfoxfoxfox 9 дней назад

I'm not completely convinced the GPS module is superfluous. If the manufacturer removed the microprocessor rendering the GPS useless why would they leave the GPS module there? Thats a costly component. You would need to trace (or sniff) the GPS serial lines to see where they terminate. They may go to the empty microprocessor slot as well as the cellular module. The poor location data could still be explained by waking the GPS up, getting the first coordinates it sends before it has a lock, and then putting it back to sleep and therefore never obtaining a GPS lock. I think if the cellular modem is running a custom program or built-in code that interacts with the GPS then we are missing the most interesting part of this device. Lets not dismiss the possibility based on an assumption.

@coreybabcock2023 9 дней назад

That website is not there

@UveysYakut-bd6jq 9 дней назад

please add subtitles

@Izik09834 9 дней назад

You really hurt yourself posting this late. You got to play the algorithm so you blow up like you should!

@pete3897 9 дней назад

Late where? It was posted at 6pm here

@mattbrwn 9 дней назад

Lol so it's funny you say that ... But I'm out of the country and YT studio has been doing some weird stuff to me with timezones 😂

@Izik09834 9 дней назад

@@pete3897 2am it said 2 hours ago

@zoenagy9458 9 дней назад

there is an option for scheduled posting

@mattbrwn 8 дней назад

Yeah I scheduled the videos but the time is relative to your timezone. IDK

@leexgx 8 дней назад

4g locator (not gps tracker)

@chasingcapsaicin 9 дней назад

tracert not ping

@mattbrwn 9 дней назад

this is a good idea. will try when I can.

@deanvangreunen6457 8 дней назад

Why does it say confidential? On the doc 😂😂😂

@mattbrwn 8 дней назад

🤐

@user-dt8ik3wv9l 8 дней назад

Hmmmmmmmm...?

@davidew98 8 дней назад

I did not catch the manufacturer of the cell phone modem chip. I do know that cell phone chips are a lot more sophisticated than people give them credit for it. Cell phone chips are not just a modem. It is also a single board computer with multiple different capabilities. A lot of them have Bluetooth or Wi-Fi or any other host of features.a lot of integrated devices like this would have for example the GPS attached to uart on the modem Chip. A lot of your older flip phones were basically running completely off the modem Chip. I know Motorola chips and QUALCOMM chips have a developer configuration software. You can run on a computer and connect into the uart on the modem Chip to configure them.