In this post to Oscium’s blog, readers get a look at the insides of a simple cell phone. There are a number of subsystems that bring cell phone users the basic functionality attributed to almost every cell phone these days. These functions include a dynamic digital display, microphones and speakers, an audio output jack (for using phones as music players with headphones), digitization of voice and transceiver functions, and of course all the embedded systems and programming that ties everything together.
Goal: Operate The Cell Phone In “Spread Formation”
The motivation for dismantling this cell phone and adding the jumper wires shown in the included photos was to monitor nodes of interest in the phone’s signal path from voice to transmitting bits over the air. Nodes of interest would include some of the following:
- Digital I/O between the SIM card and the phone’s processor
- Signals between the Tx/Rx antenna and the processor and modulator sections
- Key points in the power regulation circuits during power up and power down
- Communication between the processor and tcodee memory or other pieces in the chip set.
Connecting Power And Ground
Great care was used in separating the many pieces of the phone and then adding jumper wires as needed to restore electrical connectivity between the removed battery and the phone’s PCB. Batteries tend to explode and out gas when heated above their operating temperature. Soldering to the terminals of a battery isn’t advisable because of the inherent risk of overheating the battery.
Another risk associated with hardwiring a battery to a load is the possibility of incorrectly wiring the connection and shorting out the battery. Batteries get very hot rather quickly when the positive and negative terminals are shorted together, and when the connections are made semi-permanent with solder, it’s just that much harder to break the connection in a hurry.
Understanding the associated risks explained previously, however, the power and ground connections were soldered to the battery and phone without incident. The phone powered up as expected. Kapton tape across the terminals of the battery and on the phone insulates the contacts and prevents inadvertent shorts.
Hacking An Interface With The SIM Card
First, what is a SIM Card and what exactly does it do?
“A subscriber identity module (SIM) is an integrated circuit that securely stores the international mobile subscriber identity (IMSI) and the related key used to identify and authenticate subscribers on mobile telephony devices (such as mobile phones and computers).
A SIM card contains its unique serial number (ICCID), international mobile subscriber identity (IMSI), security authentication and ciphering information, temporary information related to the local network, a list of the services the user has access to and two passwords: a personal identification number (PIN) for ordinary use and a personal unblocking code (PUK) for PIN unlocking.”
The figure below shows two SIM chips, each one with eight (8) contact points. Unfortunately, the pin assignments aren’t universal and while the two chips in the figure below are similar, the differences between them might make the difference between the SIM reader working or not if the wrong pin assignment is assumed.
The SIM card for this phone uses six (6) contacts. Fewer contacts might mean that the phone uses a simpler interface to the information on the SIM chip. Unfortunately, the SIM chip was damaged during the installation of the jumper wires. As shown in the figure below, the center pad on the left side of the chip is missing. “Lifting a pad” is a problem that occurs when the heat applied from the soldering iron is enough to soften the adhesive material holding the electrical contact, or the pad, to the substrate or circuit board. At first glance it seemed that the pad was a no connect point like those in the two example SIM chips. However, when the phone failed to acknowledge the SIM card after power up, it seemed more likely that the missing pad was in fact a critical element of the circuit.
A follow on exercise to this step would be to use iMSO-204 or iMSO-104 to monitor the signal present at the corresponding contact on the phone. Monitoring the signal at the phone might reveal the type of signal missing. Is it the CLK? Pad C3 in the two examples above is the clock for the SIM chip, so it’s likely that the phone didn’t recognize the SIM chip because the clock wasn’t getting to the chip.
Oscium's handheld oscilloscope is now available with universal platform support! So, if you're interested in using the scope on iOS, Android, PC or Mac, Oscium supports you. Please go to iMSO-204x for more information.