Ponderings on “The Cargo Bomb” (and Winner of Name that Ware October 2010)

The name that ware crowd does it again — guessed within the first few hours of being posted. Ryan Bavetta wins for being the first with the correct answer. email me to claim your prize!

Of course, I don’t have access to the ware itself so I must apply my judgment to the guesses, but I believe it’s fairly safe to say that it’s a Nokia 6120c or very closely related model (the entire 612x family has motherboards that are basically identical sans minor changes for specific regional or carrier variants; see the wikipedia page for the Nokia 6120 family).

I managed to dig up the original service manual schematics for the Nokia 6120c. There are some very curious features about the preparation of the cargo bomb package. First of all, the phone motherboard only has two wires (plus perhaps a ground strap) attached to it. I’m presuming at least one of the wires is for a battery voltage, assuming the return current is going through the metal case via the middle screw.

If this were, for example, a trigger mechanism for something, then presumably the other wire is for the trigger signal.

What makes this a little bit odd, then, is the lack of an antenna. If you look at the schematics for the device, there is a set of four leaf connectors at the top of the motherboard, X7550, X7551, X7552, and X7555 (would be on the rear right side in the photo taken by the press), which need to come in touch with an antenna for any reception worth a damn. I don’t see evidence of an antenna attached to these from the press photo, and if there was it would be pretty close to the large ground plane presented by the metal case. The sensitivity of the radio would be fairly bad, making it unreliable at best as a remotely activated trigger.

One may presume that this is simply because the creator of this package was not skilled in electronics; if that’s the case then I feel a little bit safer since the “bad guys” don’t know how to build a reliable remote bomb trigger out of a cell phone.

However, another possibility is that the motherboard didn’t even have a SIM card in it, and as a result this is just a cheeseball version of the “alarm clock” that you would see in, for example, a “movie bomb”. If they simply attached a wire to the vibrator motor terminals or the ringer/speaker connector, and set a wake-up alarm a couple days later, this would function fairly decently as a time-delay device to activate some mechanism. It’s not hard to find a used mobile phone that doesn’t work as a phone, but still works well enough to set an alarm, although if I were looking for a simple mechanism to just act as a trigger I wouldn’t pick something that has an IMEI (International Mobile Equipment Identity) or other serial numbers that can be traced through a supply chain. Then again, let’s hope that the “bad guys” aren’t smart enough to realize that mobile phones make poor event triggers if you were hoping for some kind of anonymity.

A little more browsing of the latest press releases note that there was a SIM card in the device, so presumably this was intended to receive a call to detonate the package. Glad to hear the sender of the package doesn’t know much about RF circuits and antennas. Granted, a phone can still receive a signal without an antenna, but the reliability would be poor; you’d need to be much closer to a base station so you have a high chance of failure in executing the plot. And SIM cards contain a wealth of traceable information. At the very least, someone has to call the phone to set off the trigger. If the phone is intercepted and the SIM card is put into a normal phone, the plotter would be unpleasantly surprised to find that it’s the FBI answering (and looking at your caller ID), instead of a bomb going off. Furthermore, scanning packages for suspicious devices becomes a lot easier, because you can just use a handheld RF scanner to look for radio waves in key frequency bands coming out of boxes that you would otherwise expect to be inert. In other words, a box with an active phone on the inside would advertise its presence in a detectable way to the outside world through its RF signature.

Of course, all wild speculation based on one low-res photo of a phone motherboard…

18 Responses to “Ponderings on “The Cargo Bomb” (and Winner of Name that Ware October 2010)”

  1. WestfW says:

    (oops. this should have gone here…)
    >> “There are some very curious features…”

    Of course, we have no way of knowing how much has been “removed” from the device prior to the actual photograph being taken… If I were disabling a suspicious device, I’d sure be likely to remove the battery and antenna rather early in the game…

    • bunnie says:

      Very true, I didn’t consider that they would have disconnected perhaps significant portions of the device prior to taking the photos.

      On the other hand, it’s reasonable for the sake of documentation to take a photo of the device prior to defusing it; it’s quick and fairly safe to do, and the intelligence you can gain from getting the fused device on photography is important. But, would they share that photo with the world — maybe not.

      Quite possible that the authorities could have removed significant portions of the device and kept them classified before the photo was released.

  2. ladyada says:

    nice work bavetta, EC represent! :)

    • bunnie says:

      Good eye. There’s actually quite a few differences, a couple of which are outlined in the photo below.

      The aljazeera version also reveals that the battery is attached to the phone on the bottom, so it’s self-powered.

      However, to wit, there was more than one suspicious package:


      At least two of them, maybe more. So it’s entirely possible that these are just photos of the different preparations of the same technique.

      And yes, I still don’t see the antenna on the al-jazeera version, and I would have expected to see *something* from that angle, although it is interesting to see that the original cell phone battery is attached to the motherboard. Despite having the LCD removed, the battery life of this assembly is probably not optimal, especially with the antenna nerfed, forcing the PAs to work extra hard; and UPS estimates about 4-5 days for delivery of a package from Yemen to Chicago. Not a very well thought-out plan.

      …but that’s good, right?

  3. Nate says:

    There are some more photos from the Al Jazeera page on SF Chronicle:


  4. Universal says:

    indeed very strange and crude device.

    seems the bad guy are not as competent as some would lead us to believe.

    agree with pa’s bunnie i bet the battery was in poor condition too considering the age of the phone.

    most news reports i have seen mention this device as a remote trigger though, i think your analysis of the trigger circuit connected to the vibrate motor or speaker is the most like just prober-able that a incoming call was a trigger and not a alarm.

    i did see a news report on sky news were they had a meting with a ied bomb factory using cb radio to remote detonate bombs much in same way your cheese ball alarm clock thing worked.

    anway great write up guys

  5. Matt C says:

    I wonder if the device might be set up like a reverse geocache puzzle? Is the GPS antenna on the board, or does it share the regular antenna? (I’m not too familiar with cell phone or GPS technology so I can’t tell from the service schematics if this is the case or not).

    Alternatively, since it looks like it has a battery, the phone could have been grounded to the metal frame, so one wire could be for the trigger and the other could be for an antenna.

    • pj says:

      The GPS doesn’t share the antenna with the phone. (different frequencies).

      I don’t know why nobody thought of this before, it would be the perfect trigger mechanism – enter the GPS coordinates of the target location, and set your GPS app to alarm when the phone reaches that location.

  6. Michel says:

    I have uploaded a (dis)assembly instruction with an exploded view of the 6120c on page 6:


    Maybe they used connector X7505 (left from the top push button) to connect an external antenna

  7. Universal says:

    hang on will this phone even work with components missing like lcd keypad surely it has something like power on self test

  8. sillyputty says:

    I wonder if the villain had the tracking page for their package open in a browser and was refreshing it every 5 min… using the shipping company’s infrastructure to keep track of package progress to the destination.

  9. kerneloops says:

    This story confirms that the cell phones were not used with radio, and were probably set as alarm clocks.


    • nes says:

      To get that kind of time delay with any degree of accuracy needs a digital system of some sort. It also needs to source a non-trivial amount of current to be able to trigger the device. A cell phone gives you the calendar alarm function and the pager motor output presumably is capable of sourcing the required current. And used cell phones are ubiquitous, whereas the components required to build something from scratch (not to mention the tools one might need to program them) possibly are not.

      Makes sense to me. We’re not dealing with EE grads here.

  10. How did you come up with this topic? Nice work, can’t wait to read more.

  11. melatrol says:

    I’m much a mute reader, but this put up compelled me to data that unique alone of the right posts I posit unravel.

  12. Properly, the article is in actuality the top-quality on this exemplary theme. I accord together with your selections and can thirstily stay up for your following updates. Solely telling thanks won’t just be satisfactory, for the nice limpidity in your writing. I’ll now seize your rss feed to proceed informed of any updates. Delicious work and far success in your business relations.