The mini A8 is a small battery operated GSM tracker and bug.
It allows to remotely locate the device and even enable the microphone to listen to the surrounding.
To power on and use the tracker, simply plug in a SIM card.
Operation
The manual is short and not very clear, but basically the configuration is done using SMSs.
Location
To locate the device send the SMS “DW” to the tracker.
Two minutes afterwards it will reply with an SMS containing a link in the form http://gpsui.net/smap.php?lac=<LAC>&cellid=<CI>&c=<MCC>&n=<MNC>&v=<signal strength><ASU> to locate the device.
The values identify the cell tower the tracker is connected to:
- Mobile Country Code (MCC): the country of the network
- Mobile Network Code (MNC): the operator of the network (in this country)
- Location Area Code (LAC): the region of the cell tower (for this operator)
- Cell Identity (CI): the cell tower number (within this area)
- the signal strength, in negative dBm and arbitrary strength unit (ASU)
These values can but used (e.g. through Google's geolocation API) to locate the cell tower, and thus the device. This is quite imprecise (up to several km accuracy) since the tracker only provides the information about the serving cell. To improve the accuracy it would need to also provide the information of the neighbor and even surrounding cells.
Note that you only get the SMS with the cell tower information if the device doesn't have any internet connectivity using GPRS. If the device has data connectivity it will reply with a street address and a link to http://gpsui.net/u/, but I never tested that. The tracker will periodically report your location to this site, and this functionality cannot be deactivated.
SOS
The tracker also has an SOS button on the side.
You first have to configure the device:
- send SMS “SQ<number of phone to be called in case of emergency>”. It should reply with “SQ:Authorization successful.”
- send SMS “SOS”. It will reply with “SOS one key call help is open.”
You have to do this procedure every time you boot the device.
Now whenever you press on the SOS button of the tracker for two seconds, it will call the programmed number, and the audio will come from the microphone. Note: for an unknown reason, the tracker calls the number 2 to 4 times.
Teardown
Pictures:
Parts:
- Toshiba TV00570002ADGB, NOR Flash Parallel 3V 128MBit 8M x 16bit 70ns 85-Pin TFBGA
- MediaTek MT6223DA, GSM/GPRS Baseband Processor
- MediaTek MT6139BN, RF transceiver
- Skyworks SKY77518-12, Front-End Module with power amplifier
UART and AT interface
The USB port does not offer USB. 5V and GND are used to charge the battery (also when no SIM is present). D+ and D- are UART RX and TX (115200 8N1).
The UART port is also available on the pads next to the SOS button:
2 4 ====== o o ====== o o o --- 1 3 5 button
pinout:
- UART RX (connected to USB D+)<br>
- battery+ (when SIM in present)
- UART TX (connected to USB D-)
- ground
- ground?
There is an unpopulated footprint next to the USB port. This might be for a UART to USB converter.
Here tome log output during boot:
LOG: MLBS_Task_Data_clean,Dw:0,TrkT:0,TrkD:0,FncA:0,FncB:0,DT:0 LOG: WZDW_sockBufInit malloc= 121E8, 151F0, 155F8 LOG: GPRS:0 name=China Mobile apn= cmnet,user=,pwd= ,auth= 0 LOG: MLBS_main VERSION= MTK6223.M907.14.07.10 , build date is 2014/07/29 16:39, curtime 2004-01-01 00:00 LOG: ----- 1 ----- ----- 0 ----- ----- 2 ----- LOG: g_mlbs_IMSI= 460001652565382 LOG: g_mlbs_IMEI= 355644053527574 LOG: service_availability= 1,PwronAlarm= 0,ChargerConnected= 1,poweron_mode= 0 LOG: idle_screen_network_name:Invalid IMEI LOG: MLBS_DeleteAllSmsFromPhone inbox,outobx,draftbox (0,0,0) LOG: MLBS_API_ClosePowerOnOffTime LOG: MLBS_mmi_msg_get_preferred_memory_status_rsp result= 0 LOG: simTotal, simUsed, meTotal, meUsed= 50,0,100,0 LOG: MLBS_mmi_msg_get_preferred_storage_rsp result= 0 LOG: MLBS_key_eint_hisr_high LOG: serving cell: 262, 3, 22000, 2207, 0, 0, 0, 0 LOG: MLBS_Update_Alltask_State LOG: ----- 1 ----- ----- 100 ----- ----- 8 -----
Here the log when receiving the DW message to locate the device (without GPRS):
LOG: serving cell: 1, 1, 23, 0, 0, 0, 0, 0 LOG: MLBS_Update_Alltask_State LOG: soc_create socket_id = 8 LOG: mlbs_socket_send URL= <bufSend>, iSendLenth= 347 LOG: gethostbyname(gpsui.net)--ret:-2 LOG: µ±ǰµçÁ¿: 3 ¼¶ 4.70V LOG: MLBS_socket_close= 8 LOG: soc_create socket_id = 10 LOG: mlbs_socket_send URL= <bufSend>, iSendLenth= 347 LOG: gethostbyname(gpsui.net)--ret:-2 LOG: µ±ǰµçÁ¿: 3 ¼¶ 4.90V LOG: MLBS_gprs_connet_error LOG: MLBS_socket_close= 10 LOG: MLBS_Timer_Task_Callback task: 554,ErrorCount: 0,taskstate: 2,delay: 30000 LOG: soc_create socket_id = 1 LOG: mlbs_socket_send URL= <bufSend>, iSendLenth= 347 LOG: gethostbyname(gpsui.net)--ret:-2 LOG: µ±ǰµçÁ¿: 3 ¼¶ 4.86V LOG: MLBS_gprs_connet_error LOG: MLBS_socket_close= 1
when pressing and releasing the SOS button:
LOG: MLBS_key_eint_hisr_low LOG: MLBS_key_eint_hisr_high
when keeping the SOS button pressed:
LOG: MLBS_key_eint_hisr_low LOG: MLBS_SoS_Eint disable
The UART interface also accepts AT commands. This can be used to query the device, send SMS, …:
# get manufacturer identification AT+CGMI +CGMI: MTK1 # get model identification AT+CGMM +CGMM: MTK2 # get revision identification AT+CGMR +CGMR: XM23C1_SLIM_V2.0, 2014/07/29 16:39 # get device information ATI MTK2 XM23C1_SLIM_V2.0 # text message format to text AT+CMGF=1 # send message (i.e. SMS) to 0005 AT+CMGS="0005" hello world # use CTRL+Z to end the SMS, and enter to send is
Links
Here some links to related work:
- GSM Tracker GT-170, with corresponding loader: trying to flash the same baseband, for a similar device
- Inside a low budget consumer hardware espionage implant: analyzing the S8 tracker, a very similar device with newer baseband
- SP Flash tool: tool to flash MTK basebands
