
UART on PayTM Soundbox (Part 2)

Understanding the chipset

The Quectel EC200U-CN is a low-cost LTE module, which suits these soundboxes well: they cannot rely on a fixed, geographically tethered access point and have to stay connected to the internet while on the move.

The datasheet for this chipset is available for download on Quectel's website.

The chipset houses a number of components under its metal shield, including an SPI NOR flash with a size of 64 megabytes.


/images/paytm2_1.png

To analyze how the (presumably MQTT) communication between the soundbox and PayTM's servers takes place, one needs to either:

  1. Sniff the communication traffic

  2. Find out a location where debug data is logged; or

  3. Dump and analyze the firmware

Since the soundbox connects to the internet over a 4G SIM rather than WiFi, sniffing the LTE traffic is difficult and in most cases not feasible at all: the air interface is encrypted and the module itself terminates the link, so there is no intermediary to tap. Option 1 is therefore impractical.

Getting access to the UART console of this device might help with both option 2 and option 3.

The UART pinout

According to the datasheet, the EC200U chipset exposes a UART on pins 67 and 68.


/images/paytm2_2.png

Pins 67 and 68 sit on the periphery of the chip, so they can be probed directly on the PCB without disassembling the board or desoldering the chip.


/images/paytm2_3.png

After hooking these pins up to a trusty $10 Chinese logic analyzer (a clone that works perfectly with the Saleae Logic software), one can capture the boot log from the UART console at 115200 baud. In Logic, the capture is decoded by adding an Async Serial analyzer on the probed channel, set to 115200 8N1; if the decoded output is garbage, the baud rate or the probed pin is wrong.


/images/paytm2_4.png

Some interesting strings can be seen further down the log:

  1. APP_VERSION V3.6.0_EN , LIB VERSION: OAK4GQ01

  2. Base Firmware Release Date: 29/11  10:30:41:00

  3. RTOS VERSION: EC200UC

  4. PUBHOST          : iot-prefix-suffix-sounds.paytm.in

  5. [src\PayTM/awsMqttPublishQueue.c][92][INF][MQTT][TraceLog] --> gMqttPublishQueue initialized success.

From these strings it can be inferred that the soundbox runs a custom RTOS build (most likely a FreeRTOS fork) and that it does use MQTT for communication; the awsMqtt prefix in the source path further suggests an AWS IoT style MQTT client.
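To make the capture-side work above concrete, here is an added Python example (not the author's tooling, and not code from the post): it decodes a sampled 8N1 UART stream the way the logic analyzer does, then triages the resulting boot log for version strings, hostnames and source-path trace lines of the kind listed above. The 4 MS/s sample rate and the 8N1 framing are assumptions, and the "capture" is synthesised from the log lines quoted in the post rather than taken from a real trace, so the script runs offline.

```python
"""Decode an 8N1 UART capture and triage the boot log for strings worth chasing.

Added example; not the post author's tooling. The sample stream is synthesised
from the log lines quoted in the post, so everything runs without hardware.
"""
import json
import re

BAUD = 115200
SAMPLE_RATE = 4_000_000          # assumed logic-analyzer sample rate (samples/s)
SPB = SAMPLE_RATE / BAUD         # samples per bit, ~34.7 at this rate
IDLE = 20                        # idle-high samples padded around the synthetic burst


def uart_encode(data: bytes, spb: float = SPB) -> list[int]:
    """Render bytes as an idle-high 8N1 sample stream (stand-in for a real capture)."""
    bits = []
    for byte in data:
        bits += [0] + [(byte >> i) & 1 for i in range(8)] + [1]   # start, LSB first, stop
    body = [bits[int(k / spb)] for k in range(int(len(bits) * spb))]
    return [1] * IDLE + body + [1] * IDLE


def uart_decode(samples: list[int], spb: float = SPB) -> tuple[bytes, int]:
    """8N1 decoder: lock onto the start bit's falling edge, sample each bit at its centre.

    Returns (decoded bytes, framing error count). A framing error (stop bit read as 0)
    is the usual symptom of a wrong baud rate or a misprobed/noisy line.
    """
    out, errors = bytearray(), 0
    n, i = len(samples), 1
    while i < n:
        if not (samples[i - 1] == 1 and samples[i] == 0):   # hunt for idle -> start edge
            i += 1
            continue
        edge = i
        stop_pos = edge + int(spb * 9.5)
        if stop_pos >= n:
            break
        if samples[edge + int(spb / 2)] != 0:              # glitch, not a real start bit
            i += 1
            continue
        value = 0
        for bit in range(8):
            value |= samples[edge + int(spb * (bit + 1.5))] << bit
        if samples[stop_pos] == 1:
            out.append(value)
        else:
            errors += 1                                     # drop the frame, resync on next edge
        i = stop_pos + 1
    return bytes(out), errors


# Patterns for the kinds of strings the post found interesting in the boot log.
MARKERS = {
    "app_version":  re.compile(r"APP_VERSION\s+(\S+)"),
    "lib_version":  re.compile(r"LIB VERSION:\s*(\S+)"),
    "rtos_version": re.compile(r"RTOS VERSION:\s*(\S+)"),
    "release_date": re.compile(r"Base Firmware Release Date:\s*(.+?)\s*$"),
    "pubhost":      re.compile(r"PUBHOST\s*:\s*(\S+)"),
}
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
TRACE_RE = re.compile(
    r"^\[(?P<file>[^\]]+)\]\[(?P<line>\d+)\]\[(?P<level>[A-Z]+)\]\[(?P<tag>[^\]]+)\](?P<msg>.*)$"
)


def triage_log(text: str) -> dict:
    """Pull version markers, hostnames and source-path trace lines out of a boot log."""
    found = {"markers": {}, "hosts": [], "traces": []}
    for raw in text.splitlines():
        line = raw.strip()
        for name, rx in MARKERS.items():
            m = rx.search(line)
            if m and name not in found["markers"]:
                found["markers"][name] = m.group(1)
        for host in HOST_RE.findall(line):
            if host not in found["hosts"]:
                found["hosts"].append(host)
        t = TRACE_RE.match(line)
        if t:
            d = t.groupdict()
            d["line"] = int(d["line"])
            d["msg"] = d["msg"].strip()
            found["traces"].append(d)
    return found


# Constructed sample built from the log lines quoted in the post (not a real capture).
SAMPLE_LOG = (
    b"APP_VERSION V3.6.0_EN , LIB VERSION: OAK4GQ01\r\n"
    b"Base Firmware Release Date: 29/11  10:30:41:00\r\n"
    b"RTOS VERSION: EC200UC\r\n"
    b"PUBHOST          : iot-prefix-suffix-sounds.paytm.in\r\n"
    b"[src\\PayTM/awsMqttPublishQueue.c][92][INF][MQTT][TraceLog] --> gMqttPublishQueue initialized success.\r\n"
)


def run_demo() -> dict:
    """Decode the synthetic capture and triage it; then corrupt one stop bit to show
    how a bad frame surfaces as a framing error instead of silently wrong bytes."""
    capture = uart_encode(SAMPLE_LOG)
    data, errors = uart_decode(capture)
    report = triage_log(data.decode("ascii", errors="replace"))
    report["framing_errors"] = errors
    broken = capture[:]
    last_stop_bit = 10 * len(SAMPLE_LOG) - 1          # bit index of the last byte's stop bit
    for k in range(len(capture) - 2 * IDLE):
        if int(k / SPB) == last_stop_bit:
            broken[IDLE + k] = 0
    _, bad = uart_decode(broken)
    report["framing_errors_after_corruption"] = bad
    return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On a real capture you would export the channel from Logic (or sample it yourself) and feed the bit list to `uart_decode` with `spb` set to your sample rate divided by the baud rate; a non-zero framing error count is the first thing to check before trusting any decoded strings.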

I tried to interact with the UART console by sending keystrokes and checking whether they were echoed back, but this failed; either the UART is somehow locked down to basic debug messages for internal purposes, or I had made a wiring mistake.

Since the UART approach was mostly a failure, the firmware will have to be dumped for analysis by sniffing the SPI flash lines, which requires desoldering the chip and is unfortunately out of my scope.