Info on Alcatel Femtocells

Alex allexander.alex at gmail.com
Tue Nov 27 23:32:18 UTC 2018


Hi Domi,
it will be fantastic if you can share the results of your research,
especially the IPSEC part!
Now I'm trying to emulate the secgw on my machine, but it's a black box
problem without the serial console.

Thank you!!!


On Tue 27 Nov 2018 at 23:43, Tomcsányi, Domonkos <
domi at tomcsanyi.net> wrote:

> Hi Alex,
>
> I have a couple of those femtocells (Vodafone UK SureSignal versions 1.5
> and 2.0). I did some research on them about 4-5 years ago I think.
> The SureSignal uses an embedded crypto chip to generate keys IIRC. I also
> had the chance to have a look at a rooted board for some time (it was lent
> to me). The THC wiki has pretty much all the info about the board.
> I also was not able to find any UART or serial port on it when I looked. I
> wanted to dump the flash but then got busy with other stuff. Maybe the
> debug fuses are blown in the factory as well.
> Anyways if you wish to do tests or try out something with the device(s) I
> can dig them up, they must be somewhere in my cabinet.
> As far as I remember though the actual femtocell implementation is a
> closed source binary blob, but strongswan (or maybe openswan? I cannot
> recall exactly) is used for the IPsec part, therefore I have a source code
> tree downloaded somewhere as well. Alcatel or Vodafone stayed compliant to
> GPL so the code was released. If only we were able to reconfigure the
> strongswan daemon on the device then we could connect it to your network.
> Provisioning of some parameters (e.g. frequency, Routing Area Code, allowed
> IMSIs) is done via XML files I think inside the ipsec tunnel.
> Now back to changing the ipsec configuration: dumping the flash and then
> changing the config would be a good way to do it, although that would not
> be a generic solution, but as a pilot it could just work.
> I am also not sure if there are any cryptographic signatures protecting
> the firmware, but I would guess probably not.
>
> Sorry for the inconsistent rambling this email turned into, I wrote things
> as they surfaced from the back of my brain, hidden parts of my memory :)
>
> Cheers,
> Domi
>
> On 27 Nov 2018, at 19:57, Alex <allexander.alex at gmail.com>
> wrote:
>
> Hi,
> little UP:
>
> Vodafone UK and other OpCo like it (VF DE and VF GR I think) made a local
> femtocell network based on similar platform from ALU.
>
> Does anyone know something/ever tried to make something like connecting
> one of these devs to osmoHNBGW or similar?
> Thank you and best regards
>
> On Tue 27 Nov 2018 at 19:56, Alex <allexander.alex at gmail.com>
> wrote:
>
>> Hi,
>> thanks for the answer!
>>
>> This femto seems to have a discrete simcard (it has empty slot accessible
>> from the external).
>>
>> I don't know the setup used by the original operator (TelecomItalia),
>> because I bought it from ebay.
>>
>> I found a possible reset procedure (still to be tested), but I don't
>> think it will "unlock" the board.
>> Now I'm trying to find the UART on the board, but on the testpoints I
>> only see "control" signals and clocks. Nothing seems to be a serial port
>> pattern on my oscilloscope.
>>
>> On this site
>> https://web.archive.org/web/20170707063235/https://wiki.thc.org/vodafone
>> there is some information on a really similar cell (9361 I think) from
>> Vodafone, which has a really similar IPSEC config, but there isn't any spec.
>>
>> Has no one tried to disassemble it, or does anyone have just the serial pinout on the
>> board?
>>
>> On the other side I've already deployed the CN part (HLR + MSC + SGSN +
>> GGSN + STP + MGW + HNBGW), which seems to be fully operational, but I can't
>> test without a test cell.
>> I also think the IuH protocol of this femto is a little out-of-standard,
>> but from ALU documentation I can't understand the differences with standard
>> IuH.
>>
>> The idea is to implement ALU's IuH variant on HNBGW if I can take traces
>> from a "lab" env, but without the femto it's just impossible.
>>
>> On Tue 27 Nov 2018 at 18:17, Tomcsányi, Domonkos <
>> domi at tomcsanyi.net> wrote:
>>
>>> Hi Alex,
>>>
>>> Femtocells are provisioned with operator data - certificates/keys to be
>>> able to talk to the gateway.
>>> Some femtocells use EAP-SIM with an embedded SIM card, others just rely
>>> on the configuration. If your femto supports a SIM card you can use a SIM
>>> card with a known Ki to connect it to your gateway (strongswan I assume).
>>> If however there is no SIM card support in the femtocell then you need
>>> to somehow re-provision the device - probably using a proprietary software
>>> and method.
>>> Sorry, this is probably bad news for you.
>>>
>>> Kind regards,
>>> Domi
>>>
>>>
>>> On 27 Nov 2018, at 9:33, Alex <allexander.alex at gmail.com>
>>> wrote:
>>>
>>> Hi to everyone!
>>>
>>> I'm a new member and I really appreciate the work done here!
>>>
>>>
>>> I'm trying to use Alcatel Femtocells (ALU 9361/9362/9363) with
>>> osmo-hnbgw, but I'm still blocked at the IPSEC tunnel step.
>>>
>>> I've created an IPSEC server with EAP support, but I suspect there is a
>>> problem with my self-signed certificate.
>>>
>>> Probably the femtocell has an internal trusted CA which validates server
>>> certs.
>>>
>>>
>>> I didn't find the console pins on the board either, so I cannot simply
>>> connect to it and have a look at the system level.
>>>
>>>
>>> Has anyone any experience with this kind of HW or just an idea about a
>>> possible workaround?
>>>
>>>
>>> Thank you and best regards
>>> Alex
>>>
>>>

More information about the OpenBSC mailing list