GF-07 is dirt-cheap GPS locator. You put SIM card in it, send SMS and you know where it is. That’s it. But not for me. I like to know what I am using, especially if it is that cheap and such obscure device as this one. It comes together with manual that is written in so bad English that I barely understand anything. Immediately after opening SIM slot, one can see few test pads. Fortunately all of them are described in silkscreen. Let’s see what can be done with it as a one-evening hack.
Disassembly
First thing to learn what we are talking about is to disassemble the whole thing to be able to examine PCB.
Having the PCB visible, now one question arises: where is the power button? So, it turns out, it is SIM detect pin. You can see it in top right corner of SIM slot.
Worth noting is that we have two chips here:
- MT6260 by Mediatek (MTK) – this is main SoC and I expect it to have some internal ROM
- RDA 6625 – this is GSM chip by RDA Microelectronics
UART
Now, as we learned something about the hardware, what about software? Is it running Linux? FreeRTOS? Or maybe something custom? Pins TXD1 and RXD1 strongly suggest, we should expect working UART there. Slight problem is lack of ground pad there. However, it can be easily verified that battery ground is tied directly to SIM ground, which is bottom left pin in the picture above. And assumptions about TDX1/RXD1 being UART are verified to be true. It is working on ordinary 115200 8N1 mode. Here is part of the log:
F1: 0000 0000 V0: 0000 0000 [0001] 00: 0000 0000 U0: 0000 0001 [0000] G0: 0002 0000 [0000] T0: 0000 00BB Jump to BL LOG: RegisterSn: LOG: ZhiPu_task_ResetMediaState: 0 LOG: ZhiPu_socket_close= -1 LOG: ZhiPu_sock_buf_init malloc= 230C60, 230640, 2301E0 LOG: ZhiPu_mmi_get_imsi_request LOG: ZhiPu_system_init VERSION= MTK6260M.M19.REC.17.07.03 , build date is 2017/07/03 18:25, curtime 2014-01-01 00:00 LOG: ----- 0 ----- ----- -268076492 ----- ----- 2 ----- LOG: ZhiPu_sms_ready_sync LOG: ZhiPu System Language: English LOG: service_availability= 0,ChargerConnected= 0,poweron_mode= 0 LOG: sim invalid, 4 minutes later reboot LOG: ZhiPu System Language: English LOG: ZhiPu_key_eint_hisr_high LOG: ----- 0 ----- ----- 100 ----- ----- 2 ----- LOG: idle_screen_network_name:Insert SIM LOG: ZhiPu_esio_task waiting LOG: nbr cell count: 3
Later it started printing my nearby cell towers, so let me not show that π
Unfortunately, this kind of output suggest that there is no Linux onboard π Looks rather like a custom bare-metal firmware. Let’s see if we can dump it somehow.
Dumping ROM
Fortunately MT6260 is well-known silicon and I am not the first one that tinkers with it. Actually there is whole open-source project that seems to allow running custom code on it. In bunnie’s post, you can see format of ROM and I expect to get something similar. According to bunnie the code delivered by MTK is modified usually only in its GUI part. Fernvale project shares some code for manipulating with bootloader, but does not seem to allow reading ROM straight away, so I gonna stay with MTK software. Last important information bunnie shares is that MT6260, when connected to USB, should register itself as serial console device and this is exactly the case for me.
In lsusb:
Bus 002 Device 031: ID 0e8d:0003 MediaTek Inc. MT6227 phone
The tool for flashing, I found is called FlashTool_v5.1516.00 and seems to be Windows only. It also needs some additional stuff to work. First important thing is so called scatter file. Out of what I found online, I made the simplest scatter file possible. It is on my Gist. However, it still requires some binary blob, which looks like a kind of bootloader, sent later to the device for running. It is called bl_mt62xx_by_dfgigger.bin in my case, but chances are some other blobs also would work. Before starting Flash Tool, it might happen that some drivers are required. Make sure you have COM port visible in device manager for these few seconds, bootloader is waiting for commands after power on. The catalog file of a driver probably should be usb2ser_2kXP_Comp.cat for Windows XP.
When ready, start Flash Tool. You should see a window like this:
If no error was given, switch to ‘Read Back’ tab and add new entry. Then double-click it, choose some name for your ROM and you should see a window like that:
Make sure you have USB mode not selected. We want to use COM port with baudrate of 921600 bps. Then insert SIM card or provoke startup in any other way (screwdriver π ?) and immediately click on ‘Read Back’ button. Process should start. If you are too fast, you may try once again. If there is still any problem, firmware will boot and process is not going to succeed this time. Reboot. If its fine, you should see something is going on:
As can be seen, flash was identified as Winbond W25Q32BV, which is intriguing as there is no flash chip on PCB, so it must be integrated into MTK SoC itself. Anyway status bar confirms it is 24Mb, so 3 MiB as I stated above. Interestingly there is another size indicated – 32Mb, which must be somewhere else in the address space, but this is not the topic for today. Last interesting piece of information here is what appears after hovering mouse above status bar:
Finally, if are unlucky of not being in possession of the device, but would like to play with the firmware, there is some surprise π
Very very interesting! I own an identical device but could not download the firmware. I tried your scatter file but Flash Tool complains about some errors in it. Tried a few changes with no success. Any idea?
What error exactly do you get? I’m not an expert in MTK chips (actually this is my first contact with it), but maybe I’ve seen something similar. I’ve seen a lot of error while trying to download the image.
Can’t remember exactly, something about the wrong formatting of the scatter file. Depends on the Flash tool version. I found an example scatter file somewhere in the net and and trying with that. I I don’t go wrong it doesn’t really matter. Made some progress but still not able to read the ROM. The program hangs for minutes and pops up a message error.
I noticed that the message on the UART changes slightly if the USB is connected:
after
00: 1029 0001
I noticed this new line added
01: 0000 0000
Tried once more. The error of the read back is S_UNDEFINED_ERROR (1001), HINT: none
Some step forward. I missed the “chose UART, not USB” part actually. WHere can i find the bl_mt62xx_by_dfgigger.bin file?
I would expect that it is still possible to find it by simply googling the name. Unfortunately nobody knows under what license it is distributed, like a lot of tools for hacking Chinese electronics, so I can’t link to it directly. If you’re not able to find a working link, you can drop me an email. Maybe I would be more lucky to find it π
Thank you. I sent you an email yesterday
me too please
hola. no el dispositivo no me anda. me queda el led prendido. con esos pines que se ven debajo la tarjeta SIM no se puede resetear el dispositivo?
bl_mt62xx_by_dfgigger.bin where i ca find? Please
I got it from 4pda.ru. Guessing from your name, it will be way easier for you to find it than for me π
As far as I remember the archive where I found it had different name, but dfgigger was a nickname of the uploader.
I found!
https://4pda.ru/forum/dl/post/8005118/Scatter_for_16_32_64_128MB_MT62xx_by_dfgigger_for_4PDA.rar