4G GPS Tracker Reverse Engineering - Hardware Analysis

  • Published 27 Dec 2024

COMMENTS

  • @ParthBhat
    @ParthBhat 6 months ago +27

    Okay so yet another comment and let's say I'm gonna shoot my 3 years of frustration and working with these Simcom A7672xx series modems and many others. Let's go step by step
    1. The Simcom modem houses the ASR1603E chip which basically is the heart of the device, it runs the ThreadX operating system. Perhaps, our world I can call it as we can run openCPU which allows us to basically code the modem over Simcom's provided SDK and write our own code.
    2. The modem here in this case is itself the main brains, I wonder why they had to use the separate GPS module from Quectel as the A767xx series has inbuilt GNSS on it, moreover Simcom doesn't provide their SDK or support unless you are taking over more than 2.5k pieces from them, here it is very clear that they happen to have used their SDK to talk over the UART with the GSM modem.
    3. More than the AT commands which I kinda doubt would work, you should check with the hardware datasheet, so pin no. 9 and 10 are TX1 and RX1 respectively, that's mostly used in 95% of applications where a host MCU is connected with the GSM.
    Pin 27 and pin 28 are USB DP and DM respectively. Now the USB can be helpful as it would show as a COM port on a Windows machine, on Linux it's gonna show 4 USB on the tty! USB0 is mostly what I use to hit the AT, but again long shot if that would work over the custom firmware.
    4. I happen to have their update binaries if you wanna dissect them and see what's inside, I never got time to do the reverse engineering on that. But I would take a look at it tomorrow or even share the files with you.
    5. The whole GSM pins except the one which I've mentioned as USB work on 1.8V so be careful!
    6. It's gonna be fun for even me to see how you could manage to extract the firmware since they never gave me any Linux support, they only happen to know how to use alboot on Windows and just flash the zip file which is the firmware usually.
    Idk if I went right on points or I went haywire, but it's just the mix of 3 nights of no sleep and continuously working with the same GSM modem just to fix the fricking network attach! And it fails back and forth! At least in India! Idk about global.
    So yeah, I'd be absolutely happy to share the firmware files, they aren't public I guess, since I've placed the orders for production pieces and have been using around 500pcs so far, they are 5% helpful!
    Hope this comment helps!

    • @mattbrwn
      @mattbrwn 6 months ago +7

      This was so helpful and tons of stuff I didn't know! thanks for the brain dump and I'm going to take another look at the cell modem with this info in mind.

    • @roetswicus
      @roetswicus 3 months ago

      Gotta agree 100%. Simcom excels at being non-supportive.

  • @mikehibbett3301
    @mikehibbett3301 6 months ago +22

    The missing CPU is not a surprise. The Simcom module almost certainly has an application processor on it. The company did a great thing - they put an MCU down to implement the basic functionality easily, then when they worked out how to use the application processor on the Simcom module, they could drop the MCU without needing a PCB re-spin. That's a sensible approach, I do it myself.

    • @superaffenarsch
      @superaffenarsch 6 months ago

      Yeah, I also thought: why would I need another MCU to connect them?

  • @worldwide_wes
    @worldwide_wes 6 months ago +19

    Love the videos, this channel is gonna blow up! I appreciate how you break down your thought process and thinking visually even though I understand like 4% of it all.

  • @UntrackedEndorphins
    @UntrackedEndorphins 6 months ago +12

    SIMCOM modems (and modems in general) offer an SDK to run custom code in 'em. Which is great for simple and cheap applications like this. Last time I checked out the SDK it seemed like a nightmare to learn.

  • @zeewox
    @zeewox 6 months ago +41

    Some modem modules allow to run custom code. That would explain the lack of an external MCU.

    • @monad_tcp
      @monad_tcp 6 months ago +2

      Exactly what I thought, cell modems are usually pretty powerful, they have tens of megahertz MCUs on them.

    • @Padanian1
      @Padanian1 6 months ago +1

      it wouldn't surprise me if a java machine is running in the modem

    • @tonyfremont
      @tonyfremont 6 months ago +1

      The quectel l76 series gps modules support something called LOCUS. It can internally store a bunch of positions readings, then send that file to the UART. I suspect the app (or cloud server) periodically texts/calls the 4G module to trigger a log dump.

    • @tonyfremont
      @tonyfremont 6 months ago +1

      @@Padanian1 I bet there's an 8052 compatible processor in the modem, and possibly the GPS module. Those things turn up in the oddest places, like nRF24L01 radios.

    • @cocusar
      @cocusar 6 months ago

      nah, the 7670 has an arm processor in it, and you can load apps into it. quectel lets you do that as well, for instance on the bg95/96 and some other simcom modems like the 7000 (same soc as the bg95). you need to sign an nda to get the tools, libraries and sources to build your app for it, but they're leaked on github and work fine. if this one has a qualcomm soc, then you certainly need its firmware so you can take the loader to dump the nand instead of flashing it

  • @LostDeadSoul
    @LostDeadSoul 6 months ago +4

    Yeah. @ GlobeTracker they use similar GSM/LTE modules in their shipping container trackers.
    I think the module can be programmed just as a regular microcontroller. Then it's just a question of how fast you wish to empty your battery by sending data.
    There is even a module with integrated MEMS accelerometer.
    Love what you do. Please keep it up :)

  • @HandFromCoffin
    @HandFromCoffin 6 months ago +23

    I'm 46 and it made me laugh a little when in 2024 a guy is explaining AT commands.. My dial-up BBS days and Hayes modem AT commands come flooding back. AT OK.

    • @thiesenf
      @thiesenf 6 months ago +1

      ATDT
      ATH
      :-)

    • @rowanlidbury
      @rowanlidbury 6 months ago +2

      51 years old, worked at an ISP with dial-up in the UK. Talked customers through AT commands over the phone. US Robotics were the nuts, but the software ones (aka "Hampsters") were terrible. 56k never got past 33k.

    • @robertstratton6444
      @robertstratton6444 6 months ago +1

      I was at the largest of the very first commercial ISPs, and have US Robotics stories. Back when dial-up Internet service took off, everyone was scrambling to cram as many modems into a data center as we could as fast as we could. USR came out with the Total Control rack. They had the highest density of modems, but some of the worst thermal management. They used to catch fire if one ran them too hard. I determined this empirically.
      We can thank a company called D.C. Hayes, if memory serves, for the original idea of AT commands. Their Micromodem II was the bomb until Novation came out with the AppleCAT.

  • @BlueJDev
    @BlueJDev 6 months ago +2

    If these are anything like the Chinese 3g GPS trackers I've worked with in the past, you can program the firmware via SMS codes. No need to use their app as you can set your own servers. Not quite a full device takeover though.
    If memory serves, and fw is similar, you can set your number as admin by texting admin {number texting from}
    You get a response like Admin ok if successful.

  • @mikehensley78
    @mikehensley78 6 months ago +33

    I would bet the GPRS radio has a microcontroller inside it. Either that or the GPS module has one.

    • @mattbrwn
      @mattbrwn 6 months ago +2

      I don't have the datasheets in front of me ATM but I think I remember looking for anything about that and not finding it.

    • @GannDolph
      @GannDolph 6 months ago +1

      @@mattbrwn Still, assuming the device works and successfully transmits accurate GPS data, it would seem this must be the answer, no?

    • @mikehensley78
      @mikehensley78 6 months ago +2

      @@GannDolph I think one module talks serial and the other module can hear serial. No magik voodoo.

    • @mikehensley78
      @mikehensley78 6 months ago +2

      OR! It just gets location data via the cellular network. I thought about that the other night.

    • @GannDolph
      @GannDolph 6 months ago +1

      @@mikehensley78 makes sense. needs some minor code to send it out the modem, but gotta imagine the radio module can run that since it has to have a processor to run the ' AT' commands etc. ..

  • @JamesIsNinja
    @JamesIsNinja 6 months ago +4

    Love the detail in your videos, every time I see a new one it makes me want to tear apart everything I own and see what's inside but I'd be so lost, although I do know soldering and am in IT. Any courses you're aware of for already moderately technical people to dip their toes in the water, or maybe a good device or types of device(s) to learn with? I want like a baby's first reverse engineer

  • @xDMG15x
    @xDMG15x 6 months ago +1

    The gps module is configured to output the coordinates via some protocol like i2c/spi/uart and the cell module can read and relay that data when queried. A server controlled by the app company who is also the cell service provider, queries the cell module, retrieves the raw location data and all the processing is performed by the app server? So the device is essentially just a sensor?

  • @zaprodk
    @zaprodk 5 months ago +1

    11:31 - There could be a series resistor or level shifter between the GPS and GSM module.

  • @Twellick
    @Twellick 6 months ago +2

    You should be able to connect to the module via UART pins or USB and then adb to it. Hardware design datasheet will help you locate required pins.

  • @smokeweedeveryday9099
    @smokeweedeveryday9099 6 months ago +1

    Love your videos man. Just got into hardware analysis, and you’ve helped me a ton.

  • @ab1244
    @ab1244 6 months ago +2

    Some cellular modems can operate in bridge mode. I bet if you connect to it, you will be directly communicating with the GPS module

  • @CezarySiw
    @CezarySiw 6 months ago +2

    This 4G module can directly talk to the GPS without any MCU in the middle. There are AT commands to support that; see the AT Commands for GNSS chapter in A76XX-Series_AT_Command_Manual.
    I guess this is a cost-optimised version of the GPS tracker.

    • @CezarySiw
      @CezarySiw 6 months ago

      Just noticed that some people already pointed it out. Also worth noting that some SIM cards can also run custom code that does stuff in the background. For example some travel SIM cards can change IMSI depending on what country you're in. I guess IoT SIMs can also do interesting stuff.

  • @vinitshandilya
    @vinitshandilya 6 months ago

    I’d assume the Simcom module houses the baseband and application processor and is receiving the GPS data over serial connection directly from the GPS module.

  • @superaffenarsch
    @superaffenarsch 6 months ago

    Does the gps module need another mcu to send data to the cell module? Why not use uart or so directly?

  • @samuraidriver4x4
    @samuraidriver4x4 6 months ago +10

    They made some "interesting" design choices on this one.
    Cutting out the microcontroller is a way to cut cost I guess.
    Btw this cellular module has an E variant that's widely used with Arduinos and Raspberry Pis.
    There are even boards like the crowtail-4g a7670e that are specifically advertised for serial uart data transfer of gps data.

    • @309electronics5
      @309electronics5 6 months ago +5

      Usually the mcu core is inside the module

    • @samuraidriver4x4
      @samuraidriver4x4 6 months ago

      @@309electronics5 got one of those "E" variants around somewhere but never actually looked into them.
      But it does seem likely it has an MCU inside.

    • @monad_tcp
      @monad_tcp 6 months ago +1

      I wonder why they didn't remove the metal shield.

  • @treybaxter9937
    @treybaxter9937 6 months ago

    Great video Matt! I'm looking forward to the next ones. What watch are you wearing? It looks really nice!

  • @Falney
    @Falney 6 months ago +5

    if there is no connection between the gps module and the lte modem, I am guessing it uses triangulation rather than true gps.

    • @tonik2558
      @tonik2558 6 months ago

      I was thinking that as well. A quick precision test would be enough to verify if it's actually using the gps module

    • @heavyiphone
      @heavyiphone 6 months ago

      but gps is at a base level still triangulation

    • @Falney
      @Falney 6 months ago

      @@heavyiphone OK..... Cell triangulation

  • @tonyfremont
    @tonyfremont 6 months ago +4

    Far too many chip documents require an NDA before you can see how they work. This was a big part of the problem, then the solution, to Broadcom non-disclosure requirements. They just don't work with open source requirements. Fortunately for the Raspberry Pi, an inside employee was able to convince them to cooperate.

    • @KallePihlajasaari
      @KallePihlajasaari 6 months ago

      They are considering listing on a stock exchange and then BlackRock will take ownership and lock everything up.

  • @isettech
    @isettech 6 months ago

    It can work as built. The cell modem does not require AT commands to dial. It can be configured to Auto Answer and NEMA data is connected to the calling party.
    If you are old enough to have worked with dial-up modems, and possibly were a Sysop for a BBS, you would be familiar with the Auto Answer configuration.
    On modems, the DIP switches could be set for auto answer or not. Without auto answer, the RI (Ring Indicator) signal would tell the program the modem was ringing. The program would reply with ATA which is the AT command Answer. To proceed, get all the info you can on modem AT commands and hardware configuration.

    • @sivalley
      @sivalley 6 months ago

      I see I'm not the only one who accidentally mixes up NEMA (electrical) NMEA (GPS). 😅

  • @Platano0311
    @Platano0311 6 months ago

    Hey Mat, I am a transitioning service member and I am currently an IT specialist. I have my AS in Information Technology and I wanted to know if electrical engineering is a better degree to pursue for someone's BS. I wanted to know where you started your journey. Thanks ❤

  • @stevec5000
    @stevec5000 6 months ago

    We got an Invoxia tracker that is very small and works well. It comes with either a 1 yr or 2 yr subscription when you buy it so there is no SIM card but it doesn't come apart so I don't know what's inside it.

  • @runed0s86
    @runed0s86 6 months ago

    Wow that looks a lot like a lora module on the inside... Could the microcontroller be underneath of it?

  • @avri210984
    @avri210984 6 months ago +6

    Prob the LTE modem runs Linux or something and they use that

    • @EvzenEmanuel
      @EvzenEmanuel 6 months ago +1

      lol, no way it runs Linux.

  • @christianmeinert8806
    @christianmeinert8806 6 months ago

    The ESP8266 WiFi MCU started with a modem firmware flashed in the factory to use it in conjunction with an MCU or other computer (like the C64 😅). Soon many people found out how to flash their own firmware and Espressif quickly built a whole toolchain around it. Same with these cellular modules.

  • @sajalsanthosh
    @sajalsanthosh 6 months ago

    Maybe it does cellular triangulation for location data instead of GPS? If so, why would they add a GPS module? Btw, I love this series. Keep it coming :)

  • @GadgetReviewVideos
    @GadgetReviewVideos 6 months ago +5

    A lot of IoT cell modems have microchip controllers and processors that run the actual modem. One big company, Quectel, does this. All the binaries and commands that run the actual Qualcomm cell modem chip for most of Quectel modems are done separately on the controller and storage built in, running a cut back Linux and packages like BusyBox. One company like Invisagig uses their own firmware with this modem's Linux and not the onboard controller to have a web face GUI for configuring the modem instead of a separate controller and OS that some cell modem companies do and then just control the modem over the M.2 (or whatever) interface with the modem. I have gained access to some of my Quectel modems and it really does have a lot going on in the OS.
    That's probably what you have going on with this one since it's a module. It's also the same microcontroller that runs the AT commands.

    • @mattbrwn
      @mattbrwn 6 months ago +1

      Nice. I'll have to dig into this more. Also just got my hands on 3 more devices with similar cell modems.

  • @shadyfly2576
    @shadyfly2576 6 months ago

    Quectel have capability of voice call, SMS, GPS, and LTE, it just needs AT commands, so the manufacturer adds a little controller to just send the appropriate AT command based on the task they want to execute from the Quectel board. Quectel is a big company btw.

  • @charleshines2142
    @charleshines2142 6 months ago

    If you had dialup internet you may have seen or had to mess with AT commands. I have no idea if cellular has more or fewer commands but on dialup you could use them to set the baud rate of the connection and various other things. Back then if you had dialup and had an unreliable connection the AT commands would allow you to try different settings that may work better or worse. I don't know who still uses dialup connections these days but there are probably a few. Dialup, of course, worked on land lines and some people still have those for phone service or they might have kept it so they could send faxes.

  • @a6dulsalam511
    @a6dulsalam511 6 months ago

    Can you make a video about a device related to satellites? It would be interesting, like Starlink or satellite communication.

  • @mrsockyman
    @mrsockyman 6 months ago

    Some of those sims have data caps, restricted apns, but some have shared network plans. Most are designed so you can't rip a sim out and run for free but you could in theory utilise the sim and direct to your own addresses and use inconspicuous amounts of data
    A lot of modern iot cell modems expect to get a gps module connected directly, I'd say there's a good routine doc that sends a status message that includes gps data, then whatever inbound server processes to show the user

  • @kb9mtd-aaronwebb
    @kb9mtd-aaronwebb 6 months ago

    @mattbrwn how can I send you material? I have a couple freight trackers that you may be able to compare to this.

  • @MrRyanPeel
    @MrRyanPeel 6 months ago

    Hey Matt, the discord invite link in the description is invalid

  • @gentoobr
    @gentoobr 6 months ago +3

    Maybe this device does not get its location from the GPS chip at all. Maybe it gets its location from the cell network, which is less precise, but is still possible. In the first era of smartphones it was common for cheaper phones not to have GPS and instead they would use the cell network for location tracking, which was very imprecise, but it sort of worked.

    • @ferrellsl
      @ferrellsl 6 months ago +3

      That was my first thought too. Customers are paying extra for assumed GPS accuracy but getting cellular accuracy. Shady vendors do this all the time on AliExpress and it's becoming a problem on Amazon as well.

    • @gentoobr
      @gentoobr 6 months ago +1

      @@ferrellsl Exactly! Typical cheap chinese electronics scam.

  • @ecaparts
    @ecaparts 6 months ago +1

    The SIM card itself is a microcontroller and can run custom applications. I would imagine there is a custom application running on the SIM card to poll the GPS coordinates and shit them out via the 4G LTE network to some shady server.

    • @BlueJDev
      @BlueJDev 6 months ago

      I think they're just standard Sims

  • @lezbriddon
    @lezbriddon 6 months ago

    You'll notice the module spec sheet shows "AT commands" and as such they are "A"-"T" commands, but that's really not obvious as it's not stated or taught. (Electronics) convention is that capitalised abbreviations are spelled out, light emitting diodes being L-E-Dees and LASERs being lasers; there's always exceptions to every rule.....

  • @jamescollier3
    @jamescollier3 6 months ago

    does the cellular use a triangulation estimation?

    • @mattbrwn
      @mattbrwn 6 months ago

      I think so 😄

  • @meistro32
    @meistro32 6 months ago +2

    I am betting this is using SIM applets, the code is on the SIM card. The reason for the unpopulated ICs is that the board can be populated with a microcontroller if you want a universal board that works with any SIM card.

  • @nicklasbroberglarsson8427
    @nicklasbroberglarsson8427 6 months ago

    I guess the GPS outputs NMEA over serial and the cell modem might just relay the serial input to a pre defined receiver
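    The NMEA-over-serial path described above, as an added example that is not part of the video or of any commenter's code: a small Python validator for NMEA 0183 sentences of the kind a GNSS module streams over UART. It checks the `$...*HH` XOR checksum before trusting a line, drops sentences that carry no fix (RMC status `V`, GGA quality `0`), and converts the ddmm.mmmm fields to signed decimal degrees. The sample stream is constructed (the two valid lines are the commonly cited reference RMC/GGA sentences); nothing on the page says what the tracker's GPS module actually emits or how it is wired, so the wiring and sentence set here are assumptions.

```python
"""Validate and parse NMEA 0183 sentences such as a GNSS module streams over UART.

Added example; assumes only "GPS module sends NMEA over serial" (not confirmed by the page).
"""
from dataclasses import dataclass
from typing import List, Optional


def nmea_checksum(payload: str) -> int:
    """XOR of every character between the leading '$' and the '*'."""
    cs = 0
    for ch in payload:
        cs ^= ord(ch)
    return cs


def frame(payload: str) -> str:
    """Wrap a payload in NMEA framing: $<payload>*<HH>."""
    return f"${payload}*{nmea_checksum(payload):02X}"


def split_sentence(line: str) -> Optional[List[str]]:
    """Return the comma-separated fields if framing and checksum check out, else None.

    Line noise, a truncated sentence or an altered byte all fail here, so nothing
    downstream (a relay over the cell modem, a log) ever sees an unverified position.
    """
    line = line.strip()
    if not line.startswith("$") or "*" not in line:
        return None
    payload, _, cs_hex = line[1:].partition("*")
    if len(cs_hex) != 2:
        return None
    try:
        expected = int(cs_hex, 16)
    except ValueError:
        return None
    if nmea_checksum(payload) != expected:
        return None
    return payload.split(",")


def dm_to_deg(value: str, hemisphere: str) -> float:
    """Convert ddmm.mmmm (lat) / dddmm.mmmm (lon) plus N/S/E/W to signed decimal degrees."""
    dot = value.index(".")            # raises ValueError on an empty or malformed field
    degrees = float(value[:dot - 2])  # everything before the two minute digits
    minutes = float(value[dot - 2:])
    result = degrees + minutes / 60.0
    return -result if hemisphere in ("S", "W") else result


@dataclass
class Fix:
    lat: float
    lon: float
    utc: str
    source: str  # which sentence type produced it


def parse_fix(line: str) -> Optional[Fix]:
    """Extract a position from an RMC or GGA sentence; None if invalid or without a fix."""
    fields = split_sentence(line)
    if fields is None:
        return None
    kind = fields[0][2:]  # drop the two-letter talker id (GP, GN, GL, ...)
    try:
        if kind == "RMC":
            if len(fields) < 7 or fields[2] != "A":
                return None  # status 'V' means receiver warning: no usable fix
            return Fix(dm_to_deg(fields[3], fields[4]),
                       dm_to_deg(fields[5], fields[6]), fields[1], "RMC")
        if kind == "GGA":
            if len(fields) < 7 or fields[6] == "0":
                return None  # fix quality 0: no fix
            return Fix(dm_to_deg(fields[2], fields[3]),
                       dm_to_deg(fields[4], fields[5]), fields[1], "GGA")
    except ValueError:
        return None
    return None


# Constructed sample stream. The first two are the commonly cited reference RMC/GGA
# sentences; the rest are deliberately corrupted or fix-less lines.
SAMPLE_LINES = [
    "$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A",
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47",
    "$GPRMC,123519,A,4807.038,S,01131.000,E,022.4,084.4,230394,003.1,W*6A",  # one byte altered, stale checksum
    frame("GPRMC,123520,V,,,,,,,230394,,N"),  # well-formed but status V: no fix
    "garbage from a noisy UART line",
]


def fixes_from_stream(lines: List[str]) -> List[Fix]:
    """Keep only the sentences that survive the checksum and fix-status checks."""
    return [fix for fix in (parse_fix(line) for line in lines) if fix is not None]


if __name__ == "__main__":
    for fix in fixes_from_stream(SAMPLE_LINES):
        print(f"{fix.source} {fix.utc}: {fix.lat:.5f}, {fix.lon:.5f}")
```

    Of the five constructed lines only the two reference sentences survive: the altered `S` line fails the checksum, the status-`V` line is well formed but carries no fix, and the noise line has no framing at all. Gating on the checksum first is the cheap defensive step: a relay that forwards whatever arrives on the UART will happily ship garbage positions to the server.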

  • @lezbriddon
    @lezbriddon 6 months ago

    Code from the missing controller will have been flashed into the GSM module. You can do this with the A9G module and build your own tracker as Python has been ported for it. Or just buy a GF21 tracker for less than $20.

  • @zaprodk
    @zaprodk 5 months ago

    The SIMCOM module is a fully fledged computer running an RTOS. Wire up a keyboard, display, speaker and microphone and you can have a fully functioning cellphone. Even running Java!

  • @cypher_5785
    @cypher_5785 6 months ago

    Can you test Tapo C200 home security camera

  • @seanburnett7760
    @seanburnett7760 6 months ago

    Great content man. Look forward to more!

  • @tonyfremont
    @tonyfremont 6 months ago +1

    I hope you capture and reverse the communications between the two modules.

  • @matthewgavin
    @matthewgavin 6 months ago

    Exciting, great educational videos!

  • @gryzman
    @gryzman 6 months ago

    They are sending the commands and requests to the GPS module of the cellular connection

  • @helvetiaresearch9973
    @helvetiaresearch9973 6 months ago +1

    The cell modem has a processor in it.

  • @guerreroa85
    @guerreroa85 6 months ago

    Can't wait. Love this stuff

  • @tonibonbonii
    @tonibonbonii 6 months ago

    I adore your videos ! much love

  • @ACoey-fw9yq
    @ACoey-fw9yq 6 months ago

    Perfect video. Please make more related videos😅🍻👍👍👍❤️👍

  • @saeedbaloch2
    @saeedbaloch2 6 months ago

    I cant wait for next videos

  • @robertpalmer8925
    @robertpalmer8925 6 months ago

    Thanks for the video bro

  • @morroman325
    @morroman325 6 months ago

    Really was expecting an esim.

  • @amazinggameplays2275
    @amazinggameplays2275 6 months ago +2

    things you don't understand != sketchy

  • @thiesenf
    @thiesenf 6 months ago +1

    That thing doesn't actually need a satellite nav chip...
    The LTE will simply be talking to two or more cell towers and voila.... triangulation is happening...
    Oh... a null modem schematic... just hook up something to the RX/TX/GND pins and sniff yourself silly... :-)

  • @Sidrobot
    @Sidrobot 6 months ago

    Pro I love you video :)

  • @dfgaJK
    @dfgaJK 6 months ago +3

    This video is such a tease LOL. Please include how you know the SIM capabilities and how to know its data cap etc. so it can be used with other projects without getting blacklisted.

    • @joeds3775
      @joeds3775 5 months ago

      You do your own research. Read the data sheets. Use your brain.

  • @MOHAMMEDABAALAWI
    @MOHAMMEDABAALAWI 6 months ago

    I hope you make a video about extracting the dts file from the boot of a Cortex-A15 router and compiling it with OpenWrt, for a router not supported by OpenWrt, to make a new profile for this device.

  • @firebird687
    @firebird687 6 months ago +3

    like a trailer for a detective movie

  • @b0rd3n
    @b0rd3n 6 months ago

    what have I just watched

  • @stankenootgaming
    @stankenootgaming 6 months ago

    Shouldn't you put a blur over Amazon? Mister Ashburn 20149

    • @mattbrwn
      @mattbrwn 6 months ago +1

      Yes... That's totally where I live...