Introduction to mobile networks

June 1, 2015

The mobile network (2G (GSM)/UMTS/3G/LTE/4G) is a technology we use every day without really having to know how it works. However, as an IT developer it would be interesting to get an understanding of the underlying network and protocols. The standards have been public for a long time, so it should not be impossible to acquire theoretical knowledge. However, most implementations have been kept closed source by the manufacturers, and programming the hardware in cellular phones at a low level, e.g. for making radio communications, has not been easily accessible. On YouTube I found some talks from the Chaos Communication Congress (http://events.ccc.de/) that introduced me to the Osmocom project (http://osmocom.org/). They have made some partial open source implementations of the protocols used in a mobile network. It seems like a good place to start getting to know the mobile network better.

Getting the necessary hardware

Osmocom is compatible with a few old cellular brands and models. Their main target has been the Motorola C123, but it is rather hard to find a place to buy it these days. I figured it would cause less headache to buy one of the models closely related to this one, and found that you can get a brand new Motorola C139 Tracfone very cheap on eBay. Osmocom has split the GSM protocol stack into three layers, such that layer 1 runs on the mobile while layers 2 and 3 are a program running on the PC. Now let's get started and flash the phone with the layer 1 software.

First problem: This phone has been updated with firmware (v9.2.17), which has disabled the possibility to flash a new firmware using the **16379# code to access a menu where you could enable "Trace" mode (RiViera Trace MUX). This would have allowed serial communication using ETM commands (Enhanced Trace Mode) via the mini jack port. It has also been patched against a former vulnerability (v8.8.x) where you could send an IRAM payload to trigger a buffer overflow, access the boot ROM and upload a custom firmware. Several people have dumped this firmware and disassembled it in order to find further ways to flash a custom ROM, as this method was used for unlocking the phones from certain carriers some years ago. It does not seem worth the time trying to find a new vulnerability, if any exists, and there seems to be another way. We have to go into hardware mode though, which I do not know anything about 🙂

Solution: I found this solution at an old GSM forum: "just" remove the N1 ball. So the first thing to do is to disassemble the phone.

1. Remove the back cover, battery and SIM card.

2. Remove the screws at the back with a Torx T5.

3. Remove the rubber bands at the side with a pry tool or a hobby knife and release the front cover.

4. Remove the screws at the front, then take out the PCB (Printed Circuit Board) and detach the antenna.

5. Unhook the metal clips holding the screen at the front and remove the middle metal cover on the back.

6. Use your girlfriend's hair dryer to heat up the glue under the orange flat flex/ribbon cable and slowly slide a razor blade underneath to lift it from the PCB. It can be reattached later, e.g. using 3M 9703 electrically conductive adhesive tape. So far so good!

Motorola C139 disassembly

Disassembled phone

Next we need to remove the N1 ball, which is a small solder ball underneath the Calypso BGA (Ball Grid Array) chip. Luckily the manual for the chip used in the Motorola C139 has been leaked from Texas Instruments. There is a pin called nIBOOT that determines whether to boot from the internal mask ROM or from the external NOR flash, and according to the manual the nIBOOT pin is the N1 solder ball that we need to remove. Unfortunately the only way to remove one ball is to desolder the chip, remove all the melted solder balls and then create new solder balls, leaving out the N1 ball. According to the manual the BGA chip is in a GHH package, but the label on the chip says ZHH. No matter, as the layout seems to be the same anyway. The N1 ball can be located in the following figure:

ZHH179

GHH/ZHH 179 pin packaging

This figure also shows that the package has dimensions of nearly 12x12 mm with a 0.8 mm pitch and a preferred ball size of 0.5 mm.

The process of BGA reballing can be done using several different methods, but on a limited hobbyist budget there do not seem to be that many options. I looked at the Puhuit T862 IrDA BGA rework station, as this device has both a bottom preheater and an infrared heater, but it seemed a bit limited in its applications beyond desoldering a chip from a cellular phone or some other very small device. Who knows, some day I might want to use this for PC hardware/Xbox/PS/etc. Also, you will probably need welding goggles to avoid burning your eyes. After some searching and reading about BGA reballing I decided to go with:

  • Aoyue 968+ soldering and hot air rework station
  • Aoyue 853 preheater (I considered the Zephyrtronics ZT-1-CLS-MIL but it was a bit expensive; both have a cooling feature, but both are also limited to small boards only)

To avoid stress on the chip and possible damage (warping, popcorning, etc.) it must be heated gradually. We will need to make a thermal profile.

  • Aidetek VC99+ multimeter with included K-type thermocouple (needs to be modded to support RS-232/USB output)
  • Probably need to mod the Aoyue 853 so the knob is turned by a motor controlled from a thermal profile application (should ramp up 2-4 degrees Celsius per second)

Technical specifications to help with starting a thermal profile
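As an added example (not code from the post or from Osmocom), here is the core loop such a thermal profile application would need: it reads thermocouple samples, computes the heating rate and decides whether the modded preheater knob should go up, down or hold so the ramp stays inside the 2-4 °C/s window mentioned above. The sample log, the (seconds, celsius) format and the +1/-1/0 knob commands are assumptions for illustration.

```python
from typing import List, Tuple

RAMP_MIN_C_PER_S = 2.0  # post: ramp should be 2-4 C per second
RAMP_MAX_C_PER_S = 4.0  # faster than this risks warping/popcorning the BGA

# Constructed thermocouple log, not a real measurement: (seconds, celsius).
SAMPLE_LOG: List[Tuple[float, float]] = [
    (0, 25.0), (1, 27.5), (2, 30.5), (3, 33.5),
    (4, 38.5), (5, 43.5), (6, 44.0), (7, 44.5),
]


def ramp_rate(prev: Tuple[float, float], cur: Tuple[float, float]) -> float:
    """Heating rate in degrees per second between two consecutive samples."""
    (t0, c0), (t1, c1) = prev, cur
    if t1 <= t0:
        raise ValueError("timestamps must strictly increase")
    return (c1 - c0) / (t1 - t0)


def knob_step(rate: float) -> int:
    """Command for the (assumed) motorised preheater knob: +1 up, -1 down, 0 hold."""
    if rate < RAMP_MIN_C_PER_S:
        return 1   # heating too slowly, turn the knob up
    if rate > RAMP_MAX_C_PER_S:
        return -1  # heating too fast, back off before the package warps
    return 0


def evaluate_log(log: List[Tuple[float, float]]):
    """Return one (time, rate, knob command) row per interval and an in-spec flag."""
    rows = []
    for prev, cur in zip(log, log[1:]):
        r = ramp_rate(prev, cur)
        rows.append((cur[0], round(r, 2), knob_step(r)))
    in_spec = all(step == 0 for _, _, step in rows)
    return rows, in_spec


if __name__ == "__main__":
    rows, ok = evaluate_log(SAMPLE_LOG)
    for t, r, s in rows:
        print(f"t={t:>3}s  rate={r:>5} C/s  knob={s:+d}")
    print("whole ramp within 2-4 C/s:", ok)
```

In the constructed log the rate jumps to 5 °C/s at t=4 s and then stalls at 0.5 °C/s, so the loop first commands the knob down and then up; a real controller would also smooth over a few samples to ignore thermocouple noise.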

The process of reballing will create a lot of fumes. For that I bought the following:

  • Flex tube
  • SeaFlo inline boat bilge blower (12V, 6A, 270ccm)
  • 400W 12V 33A LED power supply (A PSU from a PC should also work)

To avoid desoldering other components we will need:

  • Kapton tape (heat shielding)

Once the chip has been removed from the board, we will need to clean it. Besides the soldering iron in the Aoyue 968+ we will need:

  • Leaded solder (for cleaning the remaining lead-free solder)
  • Solderwick (for cleaning up solder)
  • IPA (Isopropyl alcohol for cleaning)

For reballing we will need:

  • Flux (a lot of fake knock-off products exist for some of the "hyped" flux types in the Xbox/PS repair scene; I believe this to be the genuine product of one of them (http://www.bga-reworking.co.uk/flux-solder-paste/amtech-nc-559-v2-bga-reflow-reball-tacky-flux-10cc.html), as it is linked from a site listed as a distributor on the official Amtech site http://www.amtechsolder.com/)
  • Paint brushes for applying flux
  • 80x80mm BGA jig
  • 80x80mm stencil for the 179-pin GHH package (http://conner.dk/download/stencil.zip, http://www.soldertools.net/products/BT17908012012050.html, https://www.oshstencils.com/)
  • PMTC BGA Solder Balls 0.5mm – Leaded Sn63Pb37

More to come…