 +====== PCB ======
 +hardware on the PCB:
 +  - [[http://www.xilinx.com/support/documentation/data_sheets/ds312.pdf|XILINX Spartan-3 XC3S1200E]] : FPGA is only used for the modulation (The later version of the picochip include this, there is no FPGA needed anymore)
 +  - [[http://www.picochip.com/page/75/#|picoChip PC202]] : main processor, UMTS processor
 +  - Spansion S99-5??06 : 64MB Flash. The free memory socket is the "alternative". If no intel memory exist, AMD memory is put on it. K2 dumped the memory using that
 +  - [[http://www.samsung.com/global/system/business/semiconductor/product/2008/9/9/635370ds_k4t51xx3qe_rev19.pdf|Samsung K4T51163QE-ZCD6]] : 32MB RAM
 +  - [[http://www.samsung.com/global/system/business/semiconductor/product/2008/9/9/635370ds_k4t51xx3qe_rev19.pdf|Samsung K4T51163QE-ZCD6]] : 32MB RAM
 +  - SIM card slot
 +  - power input : 6V, 2A max
 +  - Ethernet RJ45 connector
 +  - [[http://www.nxp.com/documents/data_sheet/TDA8029.pdf|NXP TDA8029HL07]] : card reader
 +  - [[http://www.maxim-ic.com/quick_view2.cfm/qv_pk/5459/t/al|MAXIM MAX2599]] : WCDMA/HSPA transmitter
 +  - [[http://www.maxim-ic.com/quick_view2.cfm/qv_pk/5435|MAXIM MAX2547]] : WCDMA/HSPA receiver (also for GSM sniffer)
 +  - antenna (2G?) (additional [[http://search.digikey.com/scripts/DkSearch/dksus.dll?vendor=0&keywords=CONN+MW+COAXIAL+WITH+SWITCH+SMD|murata connector]])
 +  - antenna (3G?) (additional [[http://search.digikey.com/scripts/DkSearch/dksus.dll?vendor=0&keywords=CONN+MW+COAXIAL+WITH+SWITCH+SMD|murata connector]])
 +====== serial ======
 +  * the hardware flag is defined in **customisation.ini** as **hwflag**.
 +  * it defines the running mode (see **rootfs/etc/init.d/rcS** l.66)
 +  * it controls the login prompt **rootfs/etc/inittab.hwflag''n''**
 +here are the modes
 +  - ''Development'': login prompt activated, u-boot interruptible, failed signature verification ignored
 +  - ''Trials'': login prompt activated
 +  - ''Commercial'': login prompt not activated
 +the root password is in md5. md5 is not secure anymore, thus it's possible to get the plain text password : ''advent''
 +there is a serial port **ttyS0** on the board. the pins are the following :
 +  * GND : TP417
 +  * Rx : TP415
 +  * Tx : TP416
 +  * conf : 115200 8N1
 +====== radio license ======
 +SFR is in possession of HNB licenses. These are applied as soon a you connect to their network.
 +This is the reason why you are not allowed to:
 +  * use it outside France: the license are issued for France
 +  * use it as your own access point: a license is needed to transmit on the UMTS frequencies.
 +more info :
 +  * [[http://docs.sfr.fr/guide/Guide_SFR_HOME3G.pdf|manual]]
 +  * [[http://conformitehome3g.sfr.fr|conformity]]
 +====== SIM ======
 +The SIM card is used to establish the [[IPsec]] tunnel. It's driven by a continuous 3.6864MHz clock (leading to a 9910bps serial communication). It does not put the SIM in sleep, but powers it on when required and off immediately afterwards, thus resetting it all the time.
 +A tool to sniff the traffic is this [[http://rebelmicrosimcutter.com/rebel-unlock-simcard/network-sim-apdu-scanner.html|device]] ([[http://rebelsimcard.com/virtu/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=194&category_id=339&option=com_virtuemart&Itemid=1http://rebelsimcard.com/network-sim-apdu-scanner.html|old]]). It uses a FT232RL, but this gets off track on long communications (not precise clock). The [[http://dangerousprototypes.com/docs/Bus_Pirate|bus pirate]] handles better the serial communication (**9600 8N1**).
 +The other, better solution is [[http://simtrace.osmocom.org|SIMtrace]] or use the [[debug|debug trace]] possibilities.
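Review bot: In the serial section, the line "md5 is not secure anymore, thus it's possible to get the plain text password" gives the wrong reason for the finding. MD5's known breaks are collision attacks; recovering a password from its hash is a guessing attack, and it succeeds here because the password is a short dictionary word. Suggest rewording to say the hash was recovered by guessing, and naming the file in the rootfs the hash was read from so the result can be reproduced. In the SIM section, the "old" link target has two URLs run together ("...Itemid=1http://rebelsimcard.com/network-sim-apdu-scanner.html") and will not resolve; keep only one of them. The same section gives the SIM line rate as 9910bps but the Bus Pirate setting as 9600 8N1, so a short remark on why the roughly 3% difference still decodes cleanly would remove the apparent contradiction. In the PCB list, the two identical Samsung K4T51163QE-ZCD6 lines read like an accidental duplicate; if the board carries two chips, say so on a single line.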
