Info on Alcatel Femtocells
allexander.alex at gmail.com
Thu Nov 29 18:10:23 UTC 2018
I think I've found something on a Russian site about the signaling
I've also found a memory dump of the femto, but there is a major problem:
the dump is partial (ALU put 2 memories on the board) and I can only access
the main fs of the system.
ALU data and configs are on another path (/opt/alu/fbsr and /mnt/mainfs)
which mounts the secondary memory, so nothing can be done.
Also the SVN at https://forge.betavine.net/svn/voda-femtocell
is currently offline without any mirror.
Does anyone have a backup or a mirror somewhere?
Thank you and best regards
On Wed 28 Nov 2018 at 00:32, Alex <allexander.alex at gmail.com> wrote:
> Hi Domi,
> it will be fantastic if you can share the results of your research,
> especially the IPSEC part!
> Now I'm trying to emulate the secgw on my machine, but it's a black box
> problem without the serial console.
> Thank you!!!
> On Tue 27 Nov 2018 at 23:43, Tomcsányi, Domonkos <
> domi at tomcsanyi.net> wrote:
>> Hi Alex,
>> I have a couple of those femtocells (Vodafone UK SureSignal versions 1.5
>> and 2.0). I did some research on them about 4-5 years ago I think.
>> The SureSignal uses an embedded crypto chip to generate keys IIRC. I also
>> had the chance to have a look at a rooted board for some time (it was lent
>> to me). The THC wiki has pretty much all the info about the board.
>> I also was not able to find any UART or serial port on it when I looked.
>> I wanted to dump the flash but then got busy with other stuff. Maybe the
>> debug fuses are blown in the factory as well.
>> Anyways if you wish to do tests or try out something with the device(s) I
>> can dig them up, they must be somewhere in my cabinet.
>> As far as I remember though the actual femtocell implementation is a
>> closed source binary blob, but strongswan (or maybe openswan? I cannot
>> recall exactly) is used for the IPsec part, therefore I have a source code
>> tree downloaded somewhere as well. Alcatel or Vodafone stayed compliant to
>> GPL so the code was released. If only we were able to reconfigure the
>> strongswan daemon on the device then we could connect it to your network.
>> Provisioning of some parameters (e.g. frequency, Routing Area Code, allowed
>> IMSIs) is done via XML files I think inside the ipsec tunnel.
>> Now back to changing the ipsec configuration: dumping the flash and then
>> changing the config would be a good way to do it, although that would not
>> be a generic solution, but as a pilot it could just work.
>> I am also not sure if there are any cryptographic signatures protecting
>> the firmware, but I would guess probably not.
>> Sorry for the inconsistent rambling this email turned into, I wrote
>> things as they surfaced from the back of my brain, hidden parts of my
>> memory :)
>> On 27 Nov 2018, at 19:57, Alex <allexander.alex at gmail.com>
>> little UP:
>> Vodafone UK and other OpCo like it (VF DE and VF GR I think) made a local
>> femtocell network based on similar platform from ALU.
>> Does anyone know something/ever tried to make something like connecting
>> one of these devs to osmoHNBGW or similar?
>> Thank you and best regards
>> On Tue 27 Nov 2018 at 19:56, Alex <allexander.alex at gmail.com>
>> wrote:
>>> thanks for the answer!
>>> This femto seems to have a discrete simcard (it has empty slot
>>> accessible from the external).
>>> I don't know the setup used by the original operator (TelecomItalia),
>>> because I bought it from ebay.
>>> I found a possible reset procedure (still to be tested), but I don't
>>> think it will "unlock" the board.
>>> Now I'm trying to find the UART on the board, but on the testpoints I
>>> only see "control" signals and clocks. Nothing seems to be a serial port
>>> pattern on my oscilloscope.
>>> On this site
>>> there are some information on a really similar cell (9361 I think) from
>>> Vodafone, which has a really similar IPSEC config, but there isn't any spec.
>>> No one tried to disassemble it or do have just the serial pinout on the
>>> On the other side I've already deployed the CN part (HLR + MSC + SSGN +
>>> GSGN + STP + MGW + HNBGW), which seems to be fully operational, but I can't
>>> test without a test cell.
>>> I also think the IuH protocol of this femto is little out-of-standard,
>>> but from ALU documentation I can't understand the differences with standard
>>> The idea is to implement ALU's IuH variant on HNBGW if I can take traces
>>> from a "lab" env, but without the femto it's just impossible.
>>> On Tue 27 Nov 2018 at 18:17, Tomcsányi, Domonkos <
>>> domi at tomcsanyi.net> wrote:
>>>> Hi Alex,
>>>> Femtocells are provisioned with operator data - certificates/keys to be
>>>> able to talk to the gateway.
>>>> Some femtocells use EAP-SIM with an embedded SIM card, others just rely
>>>> on the configuration. If your femto supports a SIM card you can use a SIM
>>>> card with a known Ki to connect it to your gateway (strongswan I assume).
>>>> If however there is no SIM card support in the femtocell then you need
>>>> to somehow re-provision the device - probably using a proprietary software
>>>> and method.
>>>> Sorry, this is probably bad news for you.
>>>> Kind regards,
>>>> On 27 Nov 2018, at 9:33, Alex <
>>>> allexander.alex at gmail.com> wrote:
>>>> Hi to everyone!
>>>> I'm a new member and I really appreciate the work done here!
>>>> I'm trying to use Alcatel Femtocells (ALU 9361/9362/9363) with
>>>> osmo-hnbgw, but I'm still blocked at the IPSEC tunnel step.
>>>> I've created an IPSEC server with EAP support, but I suspect there is a
>>>> problem with my self signed certificate.
>>>> Probably the femtocell has an internal trusted CA which validates
>>>> server certs.
>>>> I didn't find the console pins on the board also, so I cannot simply
>>>> connect to it and have a look at the system level.
>>>> Has anyone any experience with this kind of HW or just an idea about a
>>>> possible work around?
>>>> Thank you and best regards