Info on Alcatel Femtocells

Alex allexander.alex at gmail.com
Thu Nov 29 18:10:23 UTC 2018


Hi
little update(s):
I think I've found something on a Russian site about the signaling
protocols.
I've also found a memory dump of the femto, but there is a major problem:
the dump is partial (ALU put 2 memories on the board) and I can only access
the main fs of the system.
ALU data and configs are on another path (/opt/alu/fbsr and /mnt/mainfs)
which mounts the secondary memory, so nothing can be done.

Also the SVN at https://forge.betavine.net/svn/voda-femtocell
<https://web.archive.org/web/20170606203549/https://forge.betavine.net/svn/voda-femtocell>
is currently offline without any mirror.

Does anyone have a backup or a mirror somewhere?

Thank you and best regards

On Wed, 28 Nov 2018 at 00:32, Alex <allexander.alex at gmail.com>
wrote:

> Hi Domi,
> it will be fantastic if you can share the results of your research,
> especially the IPSEC part!
> Now I'm trying to emulate the secgw on my machine, but it's a black box
> problem without the serial console.
>
> Thank you!!!
>
>
> On Tue, 27 Nov 2018 at 23:43, Tomcsányi, Domonkos <
> domi at tomcsanyi.net> wrote:
>
>> Hi Alex,
>>
>> I have a couple of those femtocells (Vodafone UK SureSignal versions 1.5
>> and 2.0). I did some research on them about 4-5 years ago I think.
>> The SureSignal uses an embedded crypto chip to generate keys IIRC. I also
>> had the chance to have a look at a rooted board for some time (it was lent
>> to me). The THC wiki has pretty much all the info about the board.
>> I also was not able to find any UART or serial port on it when I looked.
>> I wanted to dump the flash but then got busy with other stuff. Maybe the
>> debug fuses are blown in the factory as well.
>> Anyways if you wish to do tests or try out something with the device(s) I
>> can dig them up, they must be somewhere in my cabinet.
>> As far as I remember though the actual femtocell implementation is a
>> closed source binary blob, but strongswan (or maybe openswan? I cannot
>> recall exactly) is used for the IPsec part, therefore I have a source code
>> tree downloaded somewhere as well. Alcatel or Vodafone stayed compliant to
>> GPL so the code was released. If only we were able to reconfigure the
>> strongswan daemon on the device then we could connect it to your network.
>> Provisioning of some parameters (e.g. frequency, Routing Area Code, allowed
>> IMSIs) is done via XML files I think inside the ipsec tunnel.
>> Now back to changing the ipsec configuration: dumping the flash and then
>> changing the config would be a good way to do it, although that would not
>> be a generic solution, but as a pilot it could just work.
>> I am also not sure if there are any cryptographic signatures protecting
>> the firmware, but I would guess probably not.
>>
>> Sorry for the inconsistent rambling this email turned into, I wrote
>> things as they surfaced from the back of my brain, hidden parts of my
>> memory :)
>>
>> Cheers,
>> Domi
>>
>> On 27 Nov 2018, at 19:57, Alex <allexander.alex at gmail.com>
>> wrote:
>>
>> Hi,
>> little UP:
>>
>> Vodafone UK and other OpCo like it (VF DE and VF GR I think) made a local
>> femtocell network based on similar platform from ALU.
>>
>> Does anyone know something/ever tried to make something like connecting
>> one of these devs to osmoHNBGW or similar?
>> Thank you and best regards
>>
>> On Tue, 27 Nov 2018 at 19:56, Alex <allexander.alex at gmail.com>
>> wrote:
>>
>>> Hi,
>>> thanks for the answer!
>>>
>>> This femto seems to have a discrete simcard (it has empty slot
>>> accessible from the external).
>>>
>>> I don't know the setup used by the original operator (TelecomItalia),
>>> because I bought it from ebay.
>>>
>>> I found a possible reset procedure (still to be tested), but I don't
>>> think it will "unlock" the board.
>>> Now I'm trying to find the UART on the board, but on the testpoints I
>>> only see "control" signals and clocks. Nothing seems to be a serial port
>>> pattern on my oscilloscope.
>>>
>>> On this site
>>> https://web.archive.org/web/20170707063235/https://wiki.thc.org/vodafone
>>> there are some information on a really similar cell (9361 I think) from
>>> Vodafone, which has a really similar IPSEC config, but there isn't any spec.
>>>
>>> No one tried to disassemble it or do have just the serial pinout on the
>>> board?
>>>
>>> On the other side I've already deployed the CN part (HLR + MSC + SSGN +
>>> GSGN + STP + MGW + HNBGW), which seems to be fully operational, but I can't
>>> test without a test cell.
>>> I also think the IuH protocol of this femto is a little out-of-standard,
>>> but from ALU documentation I can't understand the differences with standard
>>> IuH.
>>>
>>> The idea is to implement ALU's IuH variant on HNBGW if I can take traces
>>> from a "lab" env, but without the femto it's just impossible.
>>>
>>> On Tue, 27 Nov 2018 at 18:17, Tomcsányi, Domonkos <
>>> domi at tomcsanyi.net> wrote:
>>>
>>>> Hi Alex,
>>>>
>>>> Femtocells are provisioned with operator data - certificates/keys to be
>>>> able to talk to the gateway.
>>>> Some femtocells use EAP-SIM with an embedded SIM card, others just rely
>>>> on the configuration. If your femto supports a SIM card you can use a SIM
>>>> card with a known Ki to connect it to your gateway (strongswan I assume).
>>>> If however there is no SIM card support in the femtocell then you need
>>>> to somehow re-provision the device - probably using a proprietary software
>>>> and method.
>>>> Sorry, this is probably bad news for you.
>>>>
>>>> Kind regards,
>>>> Domi
>>>>
>>>>
>>>> On 27 Nov 2018, at 9:33, Alex <
>>>> allexander.alex at gmail.com> wrote:
>>>>
>>>> Hi to everyone!
>>>>
>>>> I'm a new member and I really appreciate the work done here!
>>>>
>>>>
>>>> I'm trying to use Alcatel Femtocells (ALU 9361/9362/9363) with
>>>> osmo-hnbgw, but I'm still blocked at the IPSEC tunnel step.
>>>>
>>>> I've created an IPSEC server with EAP support, but I suspect there is a
>>>> problem with my self-signed certificate.
>>>>
>>>> Probably the femtocell has an internal trusted CA which validates
>>>> server certs.
>>>>
>>>>
>>>> I also didn't find the console pins on the board, so I cannot simply
>>>> connect to it and have a look at the system level.
>>>>
>>>>
>>>> Has anyone any experience with this kind of HW or just an idea about a
>>>> possible workaround?
>>>>
>>>>
>>>> Thank you and best regards
>>>> Alex
>>>>
>>>>