Info on Alcatel Femtocells

Tomcsányi, Domonkos domi at tomcsanyi.net
Tue Nov 27 22:43:12 UTC 2018


Hi Alex,

I have a couple of those femtocells (Vodafone UK SureSignal versions 1.5 and 2.0). I did some research on them about 4-5 years ago I think.
The SureSignal uses an embedded crypto chip to generate keys IIRC. I also had the chance to have a look at a rooted board for some time (it was lent to me). The THC wiki has pretty much all the info about the board.
I also was not able to find any UART or serial port on it when I looked. I wanted to dump the flash but then got busy with other stuff. Maybe the debug fuses are blown in the factory as well.
Anyways if you wish to do tests or try out something with the device(s) I can dig them up, they must be somewhere in my cabinet.
As far as I remember though the actual femtocell implementation is a closed source binary blob, but strongswan (or maybe openswan? I cannot recall exactly) is used for the IPsec part, therefore I have a source code tree downloaded somewhere as well. Alcatel or Vodafone stayed compliant to GPL so the code was released. If only we were able to reconfigure the strongswan daemon on the device then we could connect it to your network. Provisioning of some parameters (e.g. frequency, Routing Area Code, allowed IMSIs) is done via XML files I think inside the ipsec tunnel.
Now back to changing the ipsec configuration: dumping the flash and then changing the config would be a good way to do it, although that would not be a generic solution, but as a pilot it could just work.
I am also not sure if there are any cryptographic signatures protecting the firmware, but I would guess probably not.

Sorry for the inconsistent rambling this email turned into, I wrote things as they surfaced from the back of my brain, hidden parts of my memory :)

Cheers,
Domi

On 27 Nov 2018, at 19:57, Alex <allexander.alex at gmail.com> wrote:

> Hi,
> little UP:
> 
> Vodafone UK and other OpCos like it (VF DE and VF GR I think) made a local femtocell network based on a similar platform from ALU.
> 
> Does anyone know something/ever tried to make something like connecting one of these devs to osmoHNBGW or similar?
> 
> Thank you and best regards
> 
>> On Tue 27 Nov 2018 at 19:56, Alex <allexander.alex at gmail.com> wrote:
>> Hi,
>> thanks for the answer!
>> 
>> This femto seems to have a discrete SIM card (it has an empty slot accessible from the outside).
>> 
>> I don't know the setup used by the original operator (TelecomItalia), because I bought it from ebay.
>> 
>> I found a possible reset procedure (still to be tested), but I don't think it will "unlock" the board.
>> Now I'm trying to find the UART on the board, but on the testpoints I only see "control" signals and clocks. Nothing seems to be a serial port pattern on my oscilloscope.
>> 
>> On this site https://web.archive.org/web/20170707063235/https://wiki.thc.org/vodafone there is some information on a really similar cell (9361 I think) from Vodafone, which has a really similar IPSEC config, but there isn't any spec.
>> 
>> Has no one tried to disassemble it, or does anyone have just the serial pinout on the board?
>> 
>> On the other side I've already deployed the CN part (HLR + MSC + SGSN + GGSN + STP + MGW + HNBGW), which seems to be fully operational, but I can't test without a test cell.
>> I also think the IuH protocol of this femto is a little out-of-standard, but from ALU documentation I can't understand the differences with standard IuH.
>> 
>> The idea is to implement ALU's IuH variant on HNBGW if I can take traces from a "lab" env, but without the femto it's just impossible.
>> 
>>> On Tue 27 Nov 2018 at 18:17, Tomcsányi, Domonkos <domi at tomcsanyi.net> wrote:
>>> Hi Alex,
>>> 
>>> Femtocells are provisioned with operator data - certificates/keys to be able to talk to the gateway.
>>> Some femtocells use EAP-SIM with an embedded SIM card, others just rely on the configuration. If your femto supports a SIM card you can use a SIM card with a known Ki to connect it to your gateway (strongswan I assume).
>>> If however there is no SIM card support in the femtocell then you need to somehow re-provision the device - probably using a proprietary software and method.
>>> Sorry, this is probably bad news for you.
>>> 
>>> Kind regards,
>>> Domi
>>> 
>>> 
>>> On 27 Nov 2018, at 9:33, Alex <allexander.alex at gmail.com> wrote:
>>> 
>>>> Hi to everyone! 
>>>> 
>>>> I'm a new member and I really appreciate the work done here! 
>>>> 
>>>> 
>>>> I'm trying to use Alcatel Femtocells (ALU 9361/9362/9363) with osmo-hnbgw, but I'm still blocked at the IPSEC tunnel step. 
>>>> 
>>>> I've created an IPSEC server with EAP support, but I suspect there is a problem with my self-signed certificate.
>>>> 
>>>> Probably the femtocell has an internal trusted CA which validates server certs. 
>>>> 
>>>> 
>>>> I didn't find the console pins on the board either, so I cannot simply connect to it and have a look at the system level.
>>>> 
>>>> 
>>>> Has anyone any experience with this kind of HW or just an idea about a possible workaround?
>>>> 
>>>> 
>>>> Thank you and best regards
>>>> 
>>>> Alex