<div dir="ltr"><div>Hi<br></div><div>little update(s):</div><div>I think I've found something on a Russian site about the signaling protocols.</div><div>I've also found a memory dump of the femto, but there is a major problem:</div><div>the dump is partial (ALU put 2 memories on the board) and i can only access to the main fs of the system</div><div>ALU datas and configs are on anoter path (/opt/alu/fbsr and /mnt/mainfs) which mounts the secondary memory, so nothing can be done.</div><div><br></div><div>Also the SVN at
<em><a class="gmail-https" href="https://web.archive.org/web/20170606203549/https://forge.betavine.net/svn/voda-femtocell">https://forge.betavine.net/svn/voda-femtocell</a></em> is currently offine without any mirror.</div><div><br></div><div>
<span class="gmail-tlid-translation gmail-translation"><span title="" class="gmail-">Does anyone have a backup or a mirror somewhere?</span></span></div><div><span class="gmail-tlid-translation gmail-translation"><span title="" class="gmail-"><br></span></span></div><div><span class="gmail-tlid-translation gmail-translation"><span title="" class="gmail-">Thank you and best regards<br></span></span></div></div><br><div class="gmail_quote"><div dir="ltr">Il giorno mer 28 nov 2018 alle ore 00:32 Alex <<a href="mailto:allexander.alex@gmail.com">allexander.alex@gmail.com</a>> ha scritto:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi Domi,</div><div>it will be fantastic if you can share the results of your research, especially the IPSEC part!</div><div>Now I'm trying to emulate the secgw on my machine, but it's a black box problem without the serial console.</div><div><br></div><div>Thank you!!!<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">Il giorno mar 27 nov 2018 alle ore 23:43 Tomcsányi, Domonkos <<a href="mailto:domi@tomcsanyi.net" target="_blank">domi@tomcsanyi.net</a>> ha scritto:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div dir="ltr"><span></span></div><div dir="ltr">Hi Alex,<div><br></div><div>I have a couple of those femtocells (Vodafone UK SureSignal versions 1.5 and 2.0). I did some research on them abour 4-5 years ago I think.</div><div>The SureSignal uses an embedded crypto chip to generate keys IIRC. I also had the chance to have a look at a rooted board for some time (it was lent to me). The THC wiki has pretty much all the info about the board.</div><div>I also was not able to find any UART or serial port on it when I looked. I wanted to dump the flash but then got busy with other stuff. Maybe the debug fuses are blown in the factory as well.</div><div>Anyways if you wish to do tests or try out something with the device(s) I can dig them up, they must be somewhere in my cabinet.</div><div>As far as I remember though the actual femtocell implementation is a closed source binary blob, but strongswan (or maybe openswan? I cannot recall exactly) is used for the IPsec part, terefore I have a source code tree downloaded somewhere as well. Alcatel or Vodafone stayed compliant to GPL so the code was released. If only we were able to reconfigure the strongswan daemon on the device then we could connect it to your network. Provisioning of some parametere (e.g. frequency, Routing Area Code, allowed IMSIs) is done via XML files I think inside the ipsec tunnel.</div><div>Now back to changing the ipsec configuration: dumping the flash and then changing the config would be a good way to do it, although that would not be a generic solution, but as a pilot it could just work.</div><div>I am also not sure if there are any cryptographic signatures protecting the firmware, but I would guess probably not.<br><br>Sorry for the inconsistent rambling this email turned into, I wrote things as they surfaced from the back of my brain, hidden parts of my memory :)</div><div><br></div><div>Cheers,</div><div>Domi<br><div dir="ltr"><br>2018. nov. 27. dátummal, 19:57 időpontban Alex <<a href="mailto:allexander.alex@gmail.com" target="_blank">allexander.alex@gmail.com</a>> írta:<br><br></div><blockquote type="cite"><div dir="ltr"><div dir="ltr">
<div>Hi,</div><div>little UP:</div><div><br></div><div>Vodafone UK and other OpCo like it (VF DE and VF GR I think) made a local femtocell network based on similar platform from ALU.</div><div><br></div><div>Does anyone know something/ever tried to make something like connecting one of these devs to osmoHNBGW or similar?</div><div class="m_-728559977310970304m_-451546201940724693gmail-yj6qo m_-728559977310970304m_-451546201940724693gmail-ajU"><div id="m_-728559977310970304m_-451546201940724693gmail-:10i" class="m_-728559977310970304m_-451546201940724693gmail-ajR"><img class="m_-728559977310970304m_-451546201940724693gmail-ajT" src="https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif"></div><div class="m_-728559977310970304m_-451546201940724693gmail-ajR">Thank you and best regards<br></div></div></div><br><div class="gmail_quote"><div dir="ltr">Il giorno mar 27 nov 2018 alle ore 19:56 Alex <<a href="mailto:allexander.alex@gmail.com" target="_blank">allexander.alex@gmail.com</a>> ha scritto:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">
<div>Hi,</div><div>thanks for the answer!</div><div><br></div><div>This femto seems to have a discrete simcard (it has empty slot accessible from the external).</div><div><br></div><div>I don't know the setup used by the original operator (TelecomItalia), because I bought it from ebay.</div><div><br></div><div>I found a possible reset procedure (still to be tested), but I don't think it will "unlock" the board.</div><div>Now
I'm trying to find the UART on the board, but on the testpoints i only
see "control" signals and clocks. Nothing seems to be a serial port
pattern on my oscilloscope.</div><div><br></div><div>On this site <a href="https://web.archive.org/web/20170707063235/https://wiki.thc.org/vodafone" target="_blank">https://web.archive.org/web/20170707063235/https://wiki.thc.org/vodafone</a>
there are some information on a really similar cell (9361 I think) from
Vodafone, which has a relly similar IPSEC config, but there ins't any
spec.</div><div><br></div><div>No one tried to disassemble it or do have just the serial pinout on the board?</div><div><br></div><div>On
the other side I've already deployed the CN part (HLR + MSC + SSGN +
GSGN + STP + MGW + HNBGW), which seems to be fully operational, but i
can't test without a test cell.</div><div>I also thing the IuH protocol
of this femto is little out-of-standard, but from ALU documentation I
can't understand the differences with standard IuH.</div><div><br></div><div>The
idea is to implement ALU's IuH variant on HNBGW if i can take traces
from a "lab" env, but without the femto it's just impossible.</div>
</div><br><div class="gmail_quote"><div dir="ltr">Il giorno mar 27 nov 2018 alle ore 18:17 Tomcsányi, Domonkos <<a href="mailto:domi@tomcsanyi.net" target="_blank">domi@tomcsanyi.net</a>> ha scritto:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Hi Alex,<div><br></div><div>Femtocells are provisioned with operator data - certificates/keys to be able to talk to the gateway.</div><div>Some femtocells use EAP-SIM with an embedded SIM card, others just rely on the configuration. If your femto supports a SIM card you can use a SIM card with a known Ki to connect it to your gateway (strongswan I assume).</div><div>If however there is no SIM card support in the femtocell then you need to somehow re-provision the device - probably using a proprietary software and method.</div><div>Sorry, this is probably bad news for you.</div><div><br></div><div>Kind regards,</div><div>Domi<br><br><div dir="ltr"><br>2018. nov. 27. dátummal, 9:33 időpontban Alex <<a href="mailto:allexander.alex@gmail.com" target="_blank">allexander.alex@gmail.com</a>> írta:<br><br></div><blockquote type="cite"><div dir="ltr"><div dir="ltr">
Hi to everyone!
<br>
<br>I'm a new member and I really appreciate the work done here!
<br>
<br>
<br>I'm trying to use Alcatel Femtocells (ALU 9361/9362/9363) with
osmo-hnbgw, but I'm still blocked at the IPSEC tunnel step.
<br>
<br>I've created an IPSEC server with EAP support, but I suspect there is a
problem with my self signed certificate.
<br>
<br>Probably the femtocell has an internal trusted CA which validates server
certs.
<br>
<br>
<br>I din't find the console pins on the board also, so I cannot simply
connect to it and have a look at the system level.
<br>
<br>
<br>Has anyone any experience with this kind of HW or just an idea about a
possible work around?
<br>
<br>
<br>Thank you and best regards
<div class="m_-728559977310970304m_-451546201940724693m_-809902754686413880m_-4365736422628299771gmail-yj6qo m_-728559977310970304m_-451546201940724693m_-809902754686413880m_-4365736422628299771gmail-ajU"><div id="m_-728559977310970304m_-451546201940724693m_-809902754686413880m_-4365736422628299771gmail-:2aj" class="m_-728559977310970304m_-451546201940724693m_-809902754686413880m_-4365736422628299771gmail-ajR"><img class="m_-728559977310970304m_-451546201940724693m_-809902754686413880m_-4365736422628299771gmail-ajT" src="https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif"></div></div>
Alex</div>
</div></blockquote></div></div></blockquote></div>
</blockquote></div>
</div></blockquote></div></div></div></blockquote></div>
</blockquote></div>