re-ws.pl

ReverseEngineering WorkStation

Playing with GF-07 GPS device

Posted on December 11, 2019 by Kamil (aka. v3l0c1r4pt0r)
[Photo: GPS GF-07]

The GF-07 is a dirt-cheap GPS locator. You put a SIM card in it, send it an SMS, and you know where it is. That’s it. But not for me. I like to know what I am using, especially when it is that cheap and as obscure as this device. It comes with a manual written in such bad English that I can barely understand any of it. Immediately after opening the SIM slot, one can see a few test pads, and fortunately all of them are labelled on the silkscreen. Let’s see what can be done with it as a one-evening hack.

[Photo: GF-07 opened; SIM cover opened, pin headers visible]

Disassembly

The first step in learning what we are dealing with is to disassemble the whole thing so that the PCB can be examined.

All you have to do is put something thin between the two parts of the enclosure.
[Photo: M19-MB-V3.1, top view of PCB]
[Photo: MT6260 board, bottom view of PCB]

With the PCB visible, one question arises: where is the power button? It turns out to be the SIM detect pin; you can see it in the top right corner of the SIM slot.

Worth noting is that there are two chips here:

  1. MT6260 by MediaTek (MTK) – this is the main SoC and I expect it to have some internal ROM
  2. RDA 6625 – this is a GSM chip by RDA Microelectronics

UART

Now that we have learned something about the hardware, what about the software? Is it running Linux? FreeRTOS? Or maybe something custom? Pins TXD1 and RXD1 strongly suggest that a working UART should be found there. The slight problem is the lack of a ground pad. However, it is easy to verify that battery ground is tied directly to SIM ground, which is the bottom-left pin in the picture above. The assumption that TXD1/RXD1 is a UART turns out to be true: it works in ordinary 115200 8N1 mode. Here is part of the log:

F1: 0000 0000
V0: 0000 0000 [0001]
00: 0000 0000
U0: 0000 0001 [0000]
G0: 0002 0000 [0000]
T0: 0000 00BB
Jump to BL


LOG: RegisterSn:
LOG: ZhiPu_task_ResetMediaState: 0
LOG: ZhiPu_socket_close= -1
LOG: ZhiPu_sock_buf_init malloc= 230C60, 230640, 2301E0
LOG: ZhiPu_mmi_get_imsi_request
LOG: ZhiPu_system_init VERSION= MTK6260M.M19.REC.17.07.03 , build date is 2017/07/03 18:25, curtime 2014-01-01 00:00
LOG: ----- 0 -----  ----- -268076492 -----  ----- 2 -----
LOG: ZhiPu_sms_ready_sync
LOG: ZhiPu System Language: English
LOG: service_availability= 0,ChargerConnected= 0,poweron_mode= 0
LOG: sim invalid, 4 minutes later reboot
LOG: ZhiPu System Language: English
LOG: ZhiPu_key_eint_hisr_high
LOG: ----- 0 -----  ----- 100 -----  ----- 2 -----
LOG: idle_screen_network_name:Insert SIM
LOG: ZhiPu_esio_task waiting
LOG: nbr cell count: 3

Later it started printing my nearby cell towers, so let me not show that 🙂

Unfortunately, this kind of output suggests that there is no Linux on board 🙁 It looks more like custom bare-metal firmware. Let’s see if we can dump it somehow.

Dumping ROM

Fortunately the MT6260 is well-known silicon and I am not the first to tinker with it. There is actually a whole open-source project that seems to allow running custom code on it. In bunnie’s post you can see the ROM format, and I expect to find something similar. According to bunnie, the code delivered by MTK is usually modified only in its GUI part. The Fernvale project shares some code for talking to the bootloader, but it does not seem to allow reading the ROM straight away, so I am going to stay with MTK’s software. The last important piece of information bunnie shares is that the MT6260, when connected to USB, should register itself as a serial console device, and that is exactly what happens for me.

In lsusb:

Bus 002 Device 031: ID 0e8d:0003 MediaTek Inc. MT6227 phone

The flashing tool I found is called FlashTool_v5.1516.00 and seems to be Windows-only. It also needs some additional pieces to work. The first is a so-called scatter file. From what I found online, I made the simplest scatter file possible; it is on my Gist. However, the tool still requires a binary blob that looks like a kind of bootloader and is sent to the device to run. In my case it is called bl_mt62xx_by_dfgigger.bin, but chances are other blobs would work as well. Before starting Flash Tool, some drivers may be required: make sure a COM port is visible in Device Manager during the few seconds after power-on when the bootloader is waiting for commands. The catalog file of the driver should probably be usb2ser_2kXP_Comp.cat for Windows XP.

When ready, start Flash Tool. You should see a window like this:

[Screenshot: MTK Flash Tool. Click on ‘Select Scatter/Config File’ and open the .cfg file]

If no error was reported, switch to the ‘Read Back’ tab and add a new entry. Then double-click it, choose a name for your ROM file, and you should see a window like this:

[Screenshot: MTK Flash Tool Read Back settings. Specify the number of bytes to read (in my case it was 3 MiB)]

Make sure USB mode is not selected: we want to use the COM port with a baud rate of 921600 bps. Then insert the SIM card, or provoke a startup in any other way (screwdriver 🙂 ?), and immediately click the ‘Read Back’ button. The process should start. If you were too fast, just try again. If there is still a problem, the firmware will boot and the process will not succeed this time; reboot and retry. If it works, you should see something going on:

[Screenshot: MTK Flash Tool Read Back, reading NOR]

As can be seen, the flash was identified as a Winbond W25Q32BV, which is intriguing as there is no flash chip on the PCB, so it must be integrated into the MTK SoC itself. Anyway, the status bar confirms it is 24 Mb, i.e. the 3 MiB I stated above. Interestingly, another size is indicated, 32 Mb, which must live somewhere else in the address space, but that is not the topic for today. The last interesting piece of information here appears after hovering the mouse over the status bar:

[Screenshot: MT6260 memory data. Some more info; unfortunately no address of the other memory chip]
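Once Read Back finishes, a quick sanity check of the image is worth doing before opening it in a disassembler. The script below is an added example, not the author’s code or part of Flash Tool: it assumes the 24 Mbit (3 MiB) size the tool reported and the version-string shape seen in the UART log above, and maps 64 KiB blocks as erased, zero, code/data or packed by byte entropy, so you can see where the firmware actually lives and whether the dump is anything more than 0xFF.

```python
import math
import re
import sys
from collections import Counter

# Flash Tool identified the NOR as a Winbond W25Q32BV and reported 24 Mbit,
# i.e. 3 MiB; a complete Read Back image must have exactly that size.
NOR_BITS = 24 * 1024 * 1024
# Shape of the version string seen on the UART (MTK6260M.M19.REC.17.07.03);
# finding it in the image is a cheap check that the dump is not garbage.
VERSION_RE = re.compile(rb"MTK\d{4}[A-Z]?\.[A-Z0-9]+\.[A-Z]+\.\d{2}\.\d{2}\.\d{2}")

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniform random data."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_blocks(data: bytes, block_size: int = 64 * 1024) -> list:
    """Label each block: 'erased' (all 0xFF), 'zero', 'packed' (near 8 bits/byte) or 'code/data'."""
    labels = []
    for off in range(0, len(data), block_size):
        blk = data[off:off + block_size]
        if blk.count(0xFF) == len(blk):
            label = "erased"
        elif blk.count(0x00) == len(blk):
            label = "zero"
        elif shannon_entropy(blk) > 7.9:
            label = "packed"
        else:
            label = "code/data"
        labels.append((off, label))
    return labels

def triage(data: bytes, expected_bits: int = NOR_BITS) -> dict:
    """Summarise a Read Back image: size check, erased share, version strings, block map."""
    labels = classify_blocks(data)
    erased = sum(1 for _, lab in labels if lab == "erased")
    return {
        "size_ok": len(data) * 8 == expected_bits,
        "erased_fraction": erased / max(len(labels), 1),
        "versions": sorted({m.decode() for m in VERSION_RE.findall(data)}),
        "blocks": labels,
    }

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        report = triage(fh.read())
    print({k: v for k, v in report.items() if k != "blocks"})
```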

Finally, if you are unlucky enough not to own the device but would like to play with the firmware, there is a surprise 😀

Posted in Random. Tagged: English, GPS, GSM, hacking, hardware, Reverse Engineering

37 Comments

  1. Maurizio Butti says:
    March 3, 2020 at 20:47

    Very very interesting! I own an identical device but could not download the firmware. I tried your scatter file but Flash Tool complains about some errors in it. Tried a few changes with no success. Any idea?

    1. Kamil (aka. v3l0c1r4pt0r) says:
      March 3, 2020 at 20:57

      What error exactly do you get? I’m not an expert in MTK chips (actually this is my first contact with it), but maybe I’ve seen something similar. I’ve seen a lot of errors while trying to download the image.

  2. Maurizio Butti says:
    March 4, 2020 at 17:13

    Can’t remember exactly, something about the wrong formatting of the scatter file. Depends on the Flash tool version. I found an example scatter file somewhere on the net and am trying with that. If I don’t go wrong it doesn’t really matter. Made some progress but still not able to read the ROM. The program hangs for minutes and pops up an error message.
    I noticed that the message on the UART changes slightly if the USB is connected:
    after
    00: 1029 0001
    I noticed this new line added
    01: 0000 0000

  3. Maurizio Butti says:
    March 4, 2020 at 18:27

    Tried once more. The error of the read back is S_UNDEFINED_ERROR (1001), HINT: none

  4. Maurizio Butti says:
    March 10, 2020 at 16:24

    Some step forward. I missed the “chose UART, not USB” part actually. Where can I find the bl_mt62xx_by_dfgigger.bin file?

  5. Kamil (aka. v3l0c1r4pt0r) says:
    March 10, 2020 at 21:05

    I would expect that it is still possible to find it by simply googling the name. Unfortunately nobody knows under what license it is distributed, like a lot of tools for hacking Chinese electronics, so I can’t link to it directly. If you’re not able to find a working link, you can drop me an email. Maybe I would be more lucky to find it 🙂

    1. Maurizio Butti says:
      March 11, 2020 at 14:01

      Thank you. I sent you an email yesterday

      1. Sergey says:
        June 1, 2020 at 20:36

        me too please

  6. yeyo says:
    March 25, 2020 at 16:15

    Hello. No, the device doesn’t work for me. The LED stays on. Can’t the device be reset with those pins visible under the SIM card?

  7. Sergey says:
    June 1, 2020 at 12:49

    bl_mt62xx_by_dfgigger.bin, where can I find it? Please

    1. Kamil (aka. v3l0c1r4pt0r) says:
      June 1, 2020 at 13:23

      I got it from 4pda.ru. Guessing from your name, it will be way easier for you to find it than for me 🙂

      As far as I remember the archive where I found it had different name, but dfgigger was a nickname of the uploader.

  8. Sergey says:
    June 1, 2020 at 20:40

    I found!

    https://4pda.ru/forum/dl/post/8005118/Scatter_for_16_32_64_128MB_MT62xx_by_dfgigger_for_4PDA.rar

    1. Leonardo Rigaud says:
      March 8, 2021 at 21:02

      Hi Sergey, can you send to me the file ?

    2. nogats07 says:
      April 10, 2022 at 22:26

      Hi, can you share the rar file? nogats07@gmail.com

      1. anonus says:
        February 3, 2023 at 15:42

        Here: https://www.mediafire.com/file/9tsqbmb4xfh23jq/Scatter_for_16_32_64_128MB_MT62xx_by_dfgigger_for_4PDA.rar/file

  9. Karl Peters says:
    August 14, 2020 at 14:20

    Very impressive, do you think it’s possible to add functionality to the device from your progress so far? I want a light sensitive trigger that will make a call when light is detected.

    1. Kamil (aka. v3l0c1r4pt0r) says:
      August 15, 2020 at 15:55

      Definitely it is possible even to reimplement the firmware, especially taking into account the fact that I know Mediatek’s original SDK is floating around. But for me it was never the goal. I bought the device to use it for its advertised purpose. What I wanted to do was to verify if there are any, let’s say, hidden functionalities that Chinese manufacturers are known to add. All in all I didn’t do that yet. All I did was download the firmware.

  10. xpl01t says:
    August 24, 2020 at 16:42

    Got two of these crappy boxes today (a gift from an office neighbor, after a tedious and still unsuccessful attempt to put it in his car).
    MT6260A is common for Chinese feature phones and “smart” watches, it’s even used in newer Nokia grandma-phones. At first I thought GF-07 was gonna be based off one of their IoT SoCs, like MT2502A found in the LinkItOne dev kit, which means – easy RTOS, but no luck with this IC.

    Did some googling, and apparently there is an RTOS port for an MT6260DA-based dev board
    https://www.bunniestudios.com/blog/?p=4297
    Not sure if it helps, but I’ll do some more digging on my next weekend.

  11. Jose says:
    August 31, 2020 at 22:59

    Hi, great stuff. I got one of these today and started playing around and was wondering how I can open the firmware file from the end of the post? Is it a binary file?

  12. omata says:
    November 8, 2020 at 19:42

    I have a GPS GF-07, it works 100%
    but I sent the SMS: IMEI
    after that the GF-07 can’t read the SIM card
    any solution?

  13. Steve Quate says:
    January 3, 2021 at 23:14

    Is there any way to find the IMEI number (15 digit number) for my GPS GF-07 tracker? I don’t have my packaging, long ago threw it away. Didn’t know I would need it, no numbers on my box anyway, POS tracker I think. Any help appreciated

    1. MI-7 says:
      January 27, 2021 at 00:04

      Send 102 to the device and the username it returns is your IMEI nr.

  14. rocha says:
    February 19, 2021 at 16:05

    Can you send to me the bl_mt62xx_by_dfgigger.bin ? thanks

  15. Jacob says:
    March 2, 2021 at 14:47

    Do these GPS trackers actually work? I’ve read that they only ping cell towers, which is far away from actual GPS, so they’re useless.

    Anyone know how accurate these are? Can anyone verify they work?

  16. Marcos says:
    March 4, 2021 at 11:51

    It would be possible to use the UART to send AT commands as well. Can it work as a GSM modem?
    It is very compact so I see some applications.

  17. Martin Erling Sand says:
    March 8, 2021 at 19:46

    Hello
    I have a problem with mine. The red diode will not turn off after inserting the SIM. Why, anyone?

    1. Fabri says:
      April 8, 2021 at 23:52

      Insert the sim in the right direction.
      Consider that if you connect the sim with the cable connected the GPS will charge the battery and the red light will be on until the battery charge is completed.

  18. Halima says:
    April 7, 2021 at 18:49

    Aside from texting, is there a way to get the IMEI number? And how do I switch binding numbers without erasing its history?

  19. Fabri says:
    April 8, 2021 at 23:10

    I’m trying to set the APN because the Chinese servers appear to be down now… setting the APN is the only way to enable GPRS and get a better location using more cells than GSM.
    Any help?
    I see that there is a hidden command “103” but I’m not sure that this can set the APN.

    Thank you

    1. M.Amin says:
      May 12, 2021 at 14:40

      Hi friend, I bought a GPS GF-07 but it is not working correctly

  20. Randominium says:
    August 23, 2021 at 14:05

    Is there a way to modify voice callback function and decrease sensitivity? This device seems to randomly callback even in silent room. Apparently factory set 40dB is too low for normal use.

  21. Sann says:
    September 26, 2021 at 06:02

    Not sure, but I am curious how it is possible to modify the software so that it sends positioning information to a custom server?
    Anyone know how to do that?
    I am willing to pay for what I can learn from you.
    Best regards,
    Sann

  22. nogats says:
    April 10, 2022 at 22:18

    I hope someone creates a guide/tutorial on how to modify the firmware and use a custom server with php script, that would be awesome.

    1. JJ says:
      October 27, 2022 at 17:07

      Traccar is what you are looking for. I have my own server with the Traccar software installed on it. It’s free and supports many trackers.

      1. Andre says:
        November 25, 2022 at 08:41

        Yes, I have traccar as well but I need to change the server url on the tracker. Would you perhaps know the command

  23. Andre says:
    November 25, 2022 at 08:39

    Does anybody know the command to change the server url

  24. geo says:
    December 12, 2022 at 12:13

    Hello… I also used this device… does the battery have a charging circuit separate from the PCB? Can another bigger battery be installed? Can a better microphone be installed? I ask as the unskilled one…

