Playing with GF-07 GPS device

Photo: the GF-07 GPS tracker

GF-07 is a dirt-cheap GPS locator. You put a SIM card in it, send an SMS and you know where it is. That's it. But not for me. I like to know what I am using, especially if it is as cheap and as obscure a device as this one. It comes with a manual written in such bad English that I barely understand anything. Immediately after opening the SIM slot, one can see a few test pads. Fortunately all of them are described in the silkscreen. Let's see what can be done with it as a one-evening hack.

Photo: GF-07 opened, SIM cover opened (pin headers visible)

Disassembly

The first step in learning what we are dealing with is to disassemble the whole thing so that the PCB can be examined.

All you have to do is put something thin between the two parts of the enclosure.

Photo: top view of the PCB (board marked M19-MB-V3.1)
Photo: bottom view of the PCB (MT6260 board)

With the PCB visible, one question arises: where is the power button? It turns out to be the SIM detect pin; you can see it in the top right corner of the SIM slot.

Worth noting is that there are two chips here:

  1. MT6260 by MediaTek (MTK) – this is the main SoC, and I expect it to have some internal ROM
  2. RDA 6625 – this is a GSM chip by RDA Microelectronics

UART

Now that we have learned something about the hardware, what about the software? Is it running Linux? FreeRTOS? Or maybe something custom? Pins TXD1 and RXD1 strongly suggest we should expect a working UART there. A slight problem is the lack of a ground pad nearby. However, it is easy to verify that battery ground is tied directly to SIM ground, which is the bottom left pin in the picture above. And the assumption that TXD1/RXD1 is a UART turns out to be true: it runs in ordinary 115200 8N1 mode. Here is part of the log:

F1: 0000 0000
V0: 0000 0000 [0001]
00: 0000 0000
U0: 0000 0001 [0000]
G0: 0002 0000 [0000]
T0: 0000 00BB
Jump to BL


LOG: RegisterSn:
LOG: ZhiPu_task_ResetMediaState: 0
LOG: ZhiPu_socket_close= -1
LOG: ZhiPu_sock_buf_init malloc= 230C60, 230640, 2301E0
LOG: ZhiPu_mmi_get_imsi_request
LOG: ZhiPu_system_init VERSION= MTK6260M.M19.REC.17.07.03 , build date is 2017/07/03 18:25, curtime 2014-01-01 00:00
LOG: ----- 0 -----  ----- -268076492 -----  ----- 2 -----
LOG: ZhiPu_sms_ready_sync
LOG: ZhiPu System Language: English
LOG: service_availability= 0,ChargerConnected= 0,poweron_mode= 0
LOG: sim invalid, 4 minutes later reboot
LOG: ZhiPu System Language: English
LOG: ZhiPu_key_eint_hisr_high
LOG: ----- 0 -----  ----- 100 -----  ----- 2 -----
LOG: idle_screen_network_name:Insert SIM
LOG: ZhiPu_esio_task waiting
LOG: nbr cell count: 3

Later it started printing my nearby cell towers, so let me not show that 🙂

Unfortunately, this kind of output suggests that there is no Linux on board 🙁 It looks rather like custom bare-metal firmware. Let's see if we can dump it somehow.
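Before moving on to the dump, it is worth turning the console output into something you can record: firmware version and build date, SIM state, the forced-reboot timer and the neighbour-cell count all appear in the lines above. The parser below is an added example (not code from the post); it assumes only the line shapes seen in the log above, with the sample lines copied from it.

```python
import re

# Sample lines copied from the GF-07 UART boot log above (115200 8N1 capture).
SAMPLE_LOG = """\
Jump to BL
LOG: ZhiPu_system_init VERSION= MTK6260M.M19.REC.17.07.03 , build date is 2017/07/03 18:25, curtime 2014-01-01 00:00
LOG: ZhiPu System Language: English
LOG: service_availability= 0,ChargerConnected= 0,poweron_mode= 0
LOG: sim invalid, 4 minutes later reboot
LOG: idle_screen_network_name:Insert SIM
LOG: nbr cell count: 3
"""

VERSION_RE = re.compile(
    r"VERSION=\s*(?P<version>\S+)\s*,\s*build date is\s*"
    r"(?P<build>\d{4}/\d{2}/\d{2} \d{2}:\d{2})")
KV_RE = re.compile(r"(\w+)=\s*(-?\d+)")
REBOOT_RE = re.compile(r"(\d+) minutes later reboot")


def parse_boot_log(text):
    """Pull firmware identity and state hints out of a GF-07 console capture.

    Fields that never appear stay None, so 'not seen' is distinguishable
    from 'seen with value 0'.
    """
    info = {"version": None, "build_date": None, "sim_valid": None,
            "reboot_in_minutes": None, "neighbour_cells": None, "flags": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("LOG:"):
            continue  # skip the ROM boot trace (F1:/V0:/.../Jump to BL)
        body = line[4:].strip()
        m = VERSION_RE.search(body)
        if m:
            info["version"] = m.group("version")
            info["build_date"] = m.group("build")
        elif body.startswith("service_availability="):
            # comma-separated key=value flags printed by the firmware
            info["flags"] = {k: int(v) for k, v in KV_RE.findall(body)}
        elif body.startswith("sim invalid"):
            info["sim_valid"] = False
            m = REBOOT_RE.search(body)
            if m:
                info["reboot_in_minutes"] = int(m.group(1))
        elif body.startswith("nbr cell count:"):
            info["neighbour_cells"] = int(body.split(":", 1)[1])
    return info
```

Feed it the text captured from the serial port instead of SAMPLE_LOG to get the same dict for your own unit.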

Dumping ROM

Fortunately the MT6260 is well-known silicon and I am not the first to tinker with it. There is actually a whole open-source project that seems to allow running custom code on it. In bunnie's post you can see the ROM format, and I expect to get something similar. According to bunnie, the code delivered by MTK is usually modified only in its GUI part. The Fernvale project shares some code for talking to the bootloader, but it does not seem to allow reading the ROM straight away, so I am going to stay with MTK software. The last important piece of information bunnie shares is that the MT6260, when connected over USB, should enumerate as a serial console device, and this is exactly what happens for me.

In lsusb:

Bus 002 Device 031: ID 0e8d:0003 MediaTek Inc. MT6227 phone

The flashing tool I found is called FlashTool_v5.1516.00 and seems to be Windows-only. It also needs some additional pieces to work. The first important thing is the so-called scatter file. Out of what I found online, I made the simplest scatter file possible; it is on my Gist. However, the tool still requires a binary blob, which looks like a kind of bootloader that is sent to the device and run. In my case it is called bl_mt62xx_by_dfgigger.bin, but chances are other blobs would also work. Before starting Flash Tool, you may need some drivers. Make sure a COM port is visible in Device Manager for the few seconds after power-on during which the bootloader waits for commands. The driver's catalog file should probably be usb2ser_2kXP_Comp.cat for Windows XP.

When ready, start Flash Tool. You should see a window like this:

Screenshot: MTK Flash Tool. Click on 'Select Scatter/Config File' and open the .cfg file.

If no error is given, switch to the 'Read Back' tab and add a new entry. Then double-click it, choose a name for your ROM file and you should see a window like this:

Screenshot: MTK Flash Tool Read Back settings. Specify the number of bytes to read (in my case it was 3 MiB).

Make sure USB mode is not selected: we want to use the COM port at a baud rate of 921600 bps. Then insert the SIM card, or provoke startup in any other way (screwdriver 🙂 ?), and immediately click the 'Read Back' button. The process should start. If you were too fast, try once again. If there is still a problem, the firmware will boot and the process will not succeed this time; reboot. If it is fine, you should see something going on:

Screenshot: MTK Flash Tool Read Back, reading NOR.

As can be seen, the flash was identified as a Winbond W25Q32BV, which is intriguing as there is no flash chip on the PCB, so it must be integrated into the MTK SoC itself. Anyway, the status bar confirms it is 24 Mb, i.e. 3 MiB as I stated above. Interestingly there is another size indicated, 32 Mb, which must be somewhere else in the address space, but that is not the topic for today. The last interesting piece of information here is what appears after hovering the mouse over the status bar:

Screenshot: MT6260 memory data. Some more info; unfortunately no address for the other memory chip.

Finally, if you are unlucky enough not to be in possession of the device but would like to play with the firmware, there is a surprise 😀
