Wireless communications
Wireless card
| Model | Board | Modem | SDRAM | Antenna Switch Module |
|---|---|---|---|---|
| PCH1101 | ZOE_MP backside |
[] Qualcomm MDM6200 | [] Toshiba TY890A111222KA |
[] Sony CXM3555ER |
| --- | --- | --- | --- | --- |
| Model | Board | Power Management | Power Amplifier Module | Power Amplifier Module | Power Amplifier Module | Power Amplifier Module | Power Amplifier Module | SAW Duplexer |
|---|---|---|---|---|---|---|---|---|
| PCH1101 | ZOE_MP front |
[] Qualcomm PM8028 | [] Avago ACPM-7868 GSM850/900 bands DCS1800/PCS1900 bands |
[] Avago ACPM-5001 UMTS band: 1 CDMA band: 6 |
[] Avago ACPM-5008 UMTS band: 8 |
[] Avago ACPM-5002 UMTS band: 2 |
[] Avago ACPM-5005 UMTS band: 5 CDMA BC0 |
[] Epcos 7964 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
On motherboard backside, there are a Marvell 88W878S-BKB2 Avastar WLAN/Bluetooth/FM Single-Chip SoC.
Point Of Interest: On early manufactured Stock Keeping Units (mostly with release firmware such as 1.06) there is a known issue with faulty 3G sub boards. For more information on how to remedy check the errors page: C2-9693-7.
Gallery
ZOE_MP back (labelled as front by TECHINSIGHTS.com)
ZOE_MP front (labelled as back by TECHINSIGHTS.com)
Qualcomm PM8028 die mark
Qualcomm MDM6600 die mark (same mark as MDM6200)
Mobile Data Modem
Qualcomm Gobi is a family of embedded mobile broadband modem products by Qualcomm. One of the more notable products that contain a Gobi modem is the PSVita, which contains a MDM6200™ (note:the MDM6600 got closer specs than the MDM6270).
| Individual Chipsets | IMT-2000 | Modem | Peak Data Rates | Application Processor | Voice | GPS | USB | Wifi |
| MDM6200 | 3G | HSPA+, GSM/GPRS/EDGE | Up to 14Mbps | No | Yes | gpsOneGen 8 with GLONASS | USB 2.0 HS Peripheral or Host | Supported with External Wifi |
Related articles
- Components (Parent Component is Half Mini PCIe Module)
Bluetooth / 
WiFi
Bluetooth
Bluetooth is a technology for creating personal area networks operating in the 2.4 GHz unlicensed band, with a default range of 10 meters.
An overview of Bluetooth:
- http://engineeringagenda.com/agenda/2013/09/bluetooth/ An introduction to Bluetooth
- https://learn.sparkfun.com/tutorials/bluetooth-basics bluetooth basics
- http://www.eetimes.com/document.asp?doc_id=1200909 An introduction to debugging Bluetooth in embedded systems
- http://travisgoodspeed.blogspot.fr/2011/12/introduction-to-bluetooth-rfcomm.html Introduction to Bluetooth RFCOMM Reverse Engineering
- http://ecomputernotes.com/computernetworkingnotes/communication-networks/bluetooth Bluetooth Architecture
- http://imperia.rz.rub.de:9085/imperia/md/content/seminare/itsss07/slides_bluetooth_security_and_hacks.pdf (or http://gsyc.es/~anto/ubicuos2/bluetooth_security_and_hacks.pdf) Bluetooth Security & Hacks
Bluetooth radio
Bluetooth 2.0 uses frequencies between 2.4000 and 2.4835 GHz, and divides the band into 79 MHz channels (numbered 0-78), with frequency hopping at a rate of 1600 times per second.
Channel 0 has a frequency centred at 2.4020 GHz, allowing a lower guard band of 2 MHz. Channel 78 has a frequency centred at 2.4800 GHz, allowing an upper guard band of 3.5 MHz.
Bluetooth devices are divided into three classes, depending on their maximum transmitted power (and hence their maximum range):
| Class | Power | Range |
| Class 1 | 100mW (20 dBm) |
100m (325ft) |
| Class 2 | 2.5mW (4 dBm) |
10m (32ft) |
| Class 3 | 1mW (0 dBm) |
1m (3ft) |
- http://www.instructables.com/id/Increase-and-extend-the-range-of-a-USB-Bluetooth-d/#step0 Increase and extend the range of a USB Bluetooth
- http://trifinite.org/trifinite_stuff_lds.html Long Distance Snarf showed that the range of Class 2 Bluetooth radios could be extended to 1.78 km (1.11 mi) with directional antennas and signal amplifiers.
Overlapping channels BT/WiFi
| Center Frequency (2.4xx Ghz) |
BT 2.0 Channel |
BT 4.0 Channel |
WiFi channel (center freq. in GHz) | ||||
|---|---|---|---|---|---|---|---|
| 00 | Guard | Guard | |||||
| 01 | 1 (2.412) | ||||||
| 02 | 0 | 0 | |||||
| 03 | 1 | ||||||
| 04 | 2 | 1 | |||||
| 05 | 3 | ||||||
| 06 | 4 | 2 | 2 (2.417) | ||||
| 07 | 5 | ||||||
| 08 | 6 | 3 | |||||
| 09 | 7 | ||||||
| 10 | 8 | 4 | |||||
| 11 | 9 | 3 (2.422) | |||||
| 12 | 10 | 5 | |||||
| 13 | 11 | ||||||
| 14 | 12 | 6 | |||||
| 15 | 13 | ||||||
| 16 | 14 | 7 | 4 (2.427) | ||||
| 17 | 15 | ||||||
| 18 | 16 | 8 | |||||
| 19 | 17 | ||||||
| 20 | 18 | 9 | |||||
| 21 | 19 | 5 (2.432) | |||||
| 22 | 20 | 10 | |||||
| 23 | 21 | ||||||
| 24 | 22 | 11 | |||||
| 25 | 23 | ||||||
| 26 | 24 | 12 | 6 (2.437) | ||||
| 27 | 25 | ||||||
| 28 | 26 | 13 | |||||
| 29 | 27 | ||||||
| 30 | 28 | 14 | |||||
| 31 | 29 | 7 (2.442) | |||||
| 32 | 30 | 15 | |||||
| 33 | 31 | ||||||
| 34 | 32 | 16 | |||||
| 35 | 33 | ||||||
| 36 | 34 | 17 | 8 (2.447) | ||||
| 37 | 35 | ||||||
| 38 | 36 | 18 | |||||
| 39 | 37 | ||||||
| 40 | 38 | 19 | |||||
| 41 | 39 | 9 (2.452) | |||||
| 42 | 40 | 20 | |||||
| 43 | 41 | ||||||
| 44 | 42 | 21 | |||||
| 45 | 43 | ||||||
| 46 | 44 | 22 | 10 (2.457) | ||||
| 47 | 45 | ||||||
| 48 | 46 | 23 | |||||
| 49 | 47 | ||||||
| 50 | 48 | 24 | |||||
| 51 | 49 | 11 (2.462) | |||||
| 52 | 50 | 25 | |||||
| 53 | 51 | ||||||
| 54 | 52 | 26 | |||||
| 55 | 53 | ||||||
| 56 | 54 | 27 | 12 (2.467) | ||||
| 57 | 55 | ||||||
| 58 | 56 | 28 | |||||
| 59 | 57 | ||||||
| 60 | 58 | 29 | |||||
| 61 | 59 | 13 (2.472) | |||||
| 62 | 60 | 30 | |||||
| 63 | 61 | ||||||
| 64 | 62 | 31 | |||||
| 65 | 63 | ||||||
| 66 | 64 | 32 | |||||
| 67 | 65 | ||||||
| 68 | 66 | 33 | |||||
| 69 | 67 | ||||||
| 70 | 68 | 34 | |||||
| 71 | 69 | ||||||
| 72 | 70 | 35 | |||||
| 73 | 71 | ||||||
| 74 | 72 | 36 | |||||
| 75 | 73 | ||||||
| 76 | 74 | 37 | |||||
| 77 | 75 | ||||||
| 78 | 76 | 38 | |||||
| 79 | 77 | ||||||
| 80 | 78 | 39 | |||||
| 81 | Guard | ||||||
| 82 | Guard | ||||||
| 83 | |||||||
Bluetooth connection
A PSVita (Bluetooth v2.1 + EDR) can connect up to seven (active) Bluetooth® devices at one time.
There are three type of (oriented) connections in Bluetooth:
- Single-slave: a point-to-point connection (only 2 Bluetooth units involved)
- Piconet: One Bluetooth unit acts as the master of the piconet, whereas the (up to seven active) others units acts as slaves.
- Scatternet: Multiple piconets with overlapping coverage areas form a scatternet.
Device icons
Shows the types of found Bluetooth® devices using icons.
| Icon | Device | 
|
|
 |
Wireless controller | No | Yes |
 |
BD Remote Control | No | Yes |
 |
Computer | Yes | Yes |
 |
Mobile phone, smartphone | Yes | Yes |
 |
Headset | Yes | Yes |
 |
Speakers | Yes | Yes |
 |
Mouse | Yes | Yes |
 |
Keyboard | Yes | Yes |
 |
Printer | Yes | Yes |
| No icon | Other devices | Yes | Yes |
Security target
For a secure communication via Bluetooth, the following security targets are defined: • confidentiality • (device) authentication • (device) authorisation • integrity
In order to accomplish those security targets, three possible modes of security are defined:
• Security Mode 1: No security efforts
• Security Mode 2: Service level security, applications have to implement needed cryptographic means
• Security Mode 3: Device level security (cryptographic means are implemented in LMP, independent of applications)
In mode 3, services make transparent use of a secure channel, which is normally established via the Link Managing Protocol (LMP). Therefore, a pairing process between two devices A and B has to be done, in order to establish a shared cryptographic secret for subsequent encryption or authentication.
Bluetooth Protocol and layers
- The Bluetooth protocol stack is split in two parts: a "controller stack" (Hardware) containing the timing critical radio interface, and a "host stack" (software) dealing with high level data.
The controller stack is generally implemented in a low cost silicon device containing the Bluetooth radio and a microprocessor. The host stack is generally implemented as part of an operating system.
- Bluetooth standard has many protocols that are organized into different layers.
- The layer structure of Bluetooth does not follow OS1 model, TCP/IP model or any other known model.
- Bluetooth makes use of a protocol stack, which makes it simple to seperate application logic from physical data connections.
Radio layer
The Bluetooth radio layer corresponds to the physical layer of OSI model.
• It deals with ratio transmission and modulation.
• The radio layer moves data from master to slave or vice versa.
• It is a low power system that uses 2.4 GHz ISM band in a range of 10 meters.
• This band is divided into 79 channels of 1MHz each. Bluetooth uses the Frequency Hopping Spread Spectrum (FHSS) method in the physical layer to avoid interference from other devices or networks.
• Bluetooth hops 1600 times per second, i.e. each device changes its modulation frequency 1600 times per second.
• In order to change bits into a signal, it uses a version of FSK called GFSK i.e. FSK with Gaussian bandwidth filtering.
Baseband Layer
• Baseband layer is equivalent to the MAC sublayer in LANs.
• Bluetooth uses a form of TDMA called TDD-TDMA (time division duplex TDMA).
• Master and slave stations communicate with each other using time slots.
• The master in each piconet defines the time slot of 625 µsec.
• In TDD- TDMA, communication is half duplex in which receiver can send and receive data but not at the same time.
• If the piconet has only no slave; the master uses even numbered slots (0, 2, 4, ...) and the slave uses odd-numbered slots (1, 3, 5, .... ). Both master and slave communicate in half duplex mode. In slot 0, master sends & secondary receives; in slot 1, secondary sends and primary receives.
• If piconet has more than one slave, the master uses even numbered slots. The slave sends in the next odd-numbered slot if the packet in the previous slot was addressed to it.
• In Baseband layer, two types of links can be created between a master and slave. These are:
1. Asynchronous Connection-less (ACL)
• It is used for packet switched data that is available at irregular intervals.
• ACL delivers traffic on a best effort basis. Frames can be lost & may have to be retransmitted.
• A slave can have only one ACL link to its master.
• Thus ACL link is used where correct delivery is preferred over fast delivery.
• The ACL can achieve a maximum data rate of 721 kbps by using one, three or more slots.
2. Synchronous Connection Oriented (SCO)
• A SCO (physical) link is a set of (up to 3) reserved timeslots on an existing ACL link.
• sco is used for real time data such as sound/voice data. It is used where fast delivery is preferred over accurate delivery.
• Damaged packet are not retransmitted over sco links (error correction can be optionally applied).
• A slave can have three sco links with the master and can send data at 64 Kbps.
• Enhanced SCO (eSCO) links allow greater flexibility: they may use retransmissions to achieve reliability, allow a wider variety of packet types, and greater intervals between packets than SCO, thus increasing radio availability for other link.
Link Managing Protocol
Especially interesting for further consideration is the Link Managing Protocol (LMP), as one of three possible security modes in Bluetooth is implemented in this layer.
Every Bluetooth device contains a Link Manager Unit, which keeps track of connected devices. Those Link Managers communicate via protocol data units (PDU), defined in LMP.
New connections are established, using an inquiry routine (detecting device address), followed by a page command (call for a device with known device address),
which have to be responded correctly by the opposite device.
Subsequently, devices may initiate the pairing process, where a link key, KAB is established and the opposite device is stored in the ”trusted devices” history.
Logical Link, Control Adaptation Protocol Layer (L2CAP)
The Logical Link Control and Adaption Protocol (L2CAP) provides connection oriented and connection less data services to protocols in upper layers, while making use of ACL (asynchronous connectionless) packets for communication via the Baseband.
• The logical unit link control adaptation protocol is equivalent to logical link control sublayer of LAN.
• The ACL link uses L2CAP for data exchange but sco channel does not use it.
• The various function of L2CAP is:
1. Segmentation and reassembly
• L2CAP receives the packets of upto 64 KB from upper layers and divides them into frames for transmission.
• It adds extra information to define the location of frame in the original packet.
• The L2CAP reassembles the frame into packets again at the destination.
2. Multiplexing
• L2CAP performs multiplexing at sender side and demultiplexing at receiver side.
• At the sender site, it accepts data from one of the upper layer protocols frames them and deliver them to the Baseband layer.
• At the receiver site, it accepts a frame from the baseband layer, extracts the data, and delivers them to the appropriate protocol1ayer.
3. Quality of Service (QOS)
• L2CAP handles quality of service requirements, both when links are established and during normal operation.
• It also enables the devices to negotiate the maximum payload size during connection establishment.
The Radio Frequency Communication (RFCOMM)
provides emulated RS-232 serial ports and makes use of the lower-level L2CAP protocol. Up to 60 simultaneous connections to other Bluetooth devices are possible, called RFCOMM channels
- The protocol is based on the ETSI standard TS 07.10.
- RFCOMM provides a simple reliable data stream to the user, similar to TCP. It is used directly by many telephony related profiles as a carrier for AT commands, as well as being a transport layer for OBEX over Bluetooth.
Bluetooth Profile
Bluetooth® devices that support the following profile can be paired with your system:
- A2DP (Advanced Audio Distribution Profile)
- AVRCP (Audio/Video Remote Control Profile)
- HSP (Headset Profile)
- HID (Human Interface Device Profile)
- HFP (3G model only?), PBAP (3G model only?)?
By using the Object Push Profile (OPP), on Firmware 3.18, the attempts forcing the connection to the Vita will give a loophole .
A2DP
AVRCP
HSP
HID
OPP
OPP defines the roles of push server and push client. These roles are analogous to and must interoperate with the server and client device roles that GOEP defines.
The Object Push Profile (OPP) provides basic functions for exchange of binary objects, mainly used for vCards in Bluetooth.
vCard is a file format standard for electronic business cards. Since vCards are not worth being especially protected, no authorisation procedure is performed before OPP transactions.
Supported OBEX commands are connect, disconnect, put, get and abort.
Usage Scenarios
An example scenario would be the exchange of a contact or appointment between two mobile phones, or a mobile phone and a PC.
Bluetooth Adressing
Each Bluetooth unit has a unique 48-bit address (BD_ADDR).
| Company_assigned | Company_id | ||||||||||
| Lower Adress Part (24-bit) transmitted with every packet as part of the packet header |
Upper Adress Part (8-bit) |
Non-Significant Adress Part (16-bit) assigned publicly by the IEEE | |||||||||
| lsbxxxx | xxxx | xxxx | xxxx | xxxx | xxxx | xxxx | xxxx | xxxx | xxxx | xxxx | xxxxmsb |
|---|---|---|---|---|---|---|---|---|---|---|---|
Class of Device/Service (CoD)
In practice, most Bluetooth clients scan their surroundings in two successive steps: they first look for all bluetooth devices around them and find out their "class". You can do this on Linux with the hcitool scan command. Then, they use SDP in order to check if a device in a given class offers the type of service that they want.
The PlayStation Vita PCH-2000 has a class of Device/Service (CoD) 0x3e0100:
- Major Service Class : Networking (LAN, Ad hoc etc) (0x20000)
- Major Service Class : Rendering (printing, speaker etc) (0x40000)
- Major Service Class : Capturing (scanner, microphone etc) (0x80000)
- Major Service Class : Object Transfer (v-inbox, v-folder etc) (0x100000)
- Major Service Class : Audio (speaker, microphone, headset service etc) (0x200000)
- Major Device Class : Computer (desktop,notebook, PDA, organizers etc ) (0x100)
- Minor Device Class : Uncategorized, code for device not assigned
(Online Generator http://bluetooth-pentest.narod.ru/software/bluetooth_class_of_device-service_generator.html)