Hi, is it possible to use soapyMultiSdr for osmo-trx? I have a hackrf one, which isn't full duplex, so my idea is to use the hackrf for tx, and something else for Rx. With soapymultisdr it is possible to use multiple devices as a single soapysdr device.
Dear Harald,
Sorry to spam the openbsc list with this, but if you (or someone) can
confirm if the Sgsn-emu part of Osmo-GGSN utilizing the kernel GTP
module or not, that would be lovely.
FYI, I was not able to pass more than 280Mbit and the sgsn-emu process
was maxing out a single core. Based on this I suspect that it does not
use the kernel GTP module. I have seen some commits that indicates
preparation work for this feature, but it is unclear at least to me,
if this was finished or not. In the Osmo-GGSN.cfg example config I can
see the config option for kernel GTP, but not in the sgsn-emu.cfg
example.
Regards,
Csaba
Hi Pau and Harald,
> So sgsnemu is passing use_kernel=false, which makes the lib skip gtp-kernel functions
That is nice, I can play with that part quite nicely and take a look
how the GGSN handles the switch between kernel and non-kernel GTP.
Thanks for that!
@Harald:
In gtpnl.h there is
int gtp_dev_create()
and
int gtp_dev_create_sgsn()
So it seems there is a different dev create for the SGSN mode. And in
the later one the role is set to "GTP_ROLE_SGSN"
int gtp_dev_create(int dest_ns, const char *gtp_ifname, int fd0, int fd1)
{
return _gtp_dev_create(dest_ns, gtp_ifname, fd0, fd1, GTP_ROLE_GGSN);
}
EXPORT_SYMBOL(gtp_dev_create);
int gtp_dev_create_sgsn(int dest_ns, const char *gtp_ifname, int fd0, int fd1)
{
return _gtp_dev_create(dest_ns, gtp_ifname, fd0, fd1, GTP_ROLE_SGSN);
}
EXPORT_SYMBOL(gtp_dev_create_sgsn);
I just need to find the relevant part is sgsn-emu to see where these
parts are invoked so I can make the modifications.
Regards,
Csaba
<openbsc-request(a)lists.osmocom.org> ezt írta (időpont: 2022. dec. 24.,
Szo, 13:00):
>
> Send OpenBSC mailing list submissions to
> openbsc(a)lists.osmocom.org
>
> To subscribe or unsubscribe via email, send a message with subject or
> body 'help' to
> openbsc-request(a)lists.osmocom.org
>
> You can reach the person managing the list at
> openbsc-owner(a)lists.osmocom.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of OpenBSC digest..."
>
> Today's Topics:
>
> 1. Re: SGSNemu performance (Pau Espin Pedrol)
> 2. Re: SGSNemu performance (Harald Welte)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 23 Dec 2022 18:38:55 +0100
> From: Pau Espin Pedrol <pespin(a)sysmocom.de>
> Subject: Re: SGSNemu performance
> To: Sipos Csaba <dchardware(a)gmail.com>,
> "openbsc-request(a)lists.osmocom.org" <openbsc(a)lists.osmocom.org>,
> laforge(a)osmocom.org
> Message-ID: <782d5c68-0393-e63a-ddbd-a78ca04256e0(a)sysmocom.de>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Hi Csaba,
>
>
>
> On 12/22/22 15:00, Sipos Csaba wrote:
> > Dear Harald,
> >
> > Sorry to spam the openbsc list with this, but if you (or someone) can
> > confirm if the Sgsn-emu part of Osmo-GGSN utilizing the kernel GTP
> > module or not, that would be lovely.
>
> sgsnemu is not using the kernel module, only osmo-ggsn has support for
> it so far.
>
> See osmo-ggsn.git/./sgsnemu/sgsnemu.c line 1905 calling:
> """
> if (tun_new((struct tun_t **)&tun, options.tun_dev_name, false, -1, -1))
> """
>
> See tun_new() function used by both osmo-ggsn and sgsnemu:
> """
> int tun_new(struct tun_t **tun, const char *dev_name, bool use_kernel,
> int fd0, int fd1u) {
> """
>
> So sgsnemu is passing use_kernel=false, which makes the lib skip
> gtp-kernel functions like gtp_kernel_create().
>
> >
> > FYI, I was not able to pass more than 280Mbit and the sgsn-emu process
> > was maxing out a single core. Based on this I suspect that it does not
> > use the kernel GTP module. I have seen some commits that indicates
> > preparation work for this feature, but it is unclear at least to me,
> > if this was finished or not. In the Osmo-GGSN.cfg example config I can
> > see the config option for kernel GTP, but not in the sgsn-emu.cfg
> > example.
> >
>
> You could try passing use_kernel=true to tun_new(), and see how far you
> can get. Patches welcome.
>
> Regards,
> Pau
>
>
> --
> - Pau Espin Pedrol <pespin(a)sysmocom.de> http://www.sysmocom.de/
> =======================================================================
> * sysmocom - systems for mobile communications GmbH
> * Alt-Moabit 93
> * 10559 Berlin, Germany
> * Sitz / Registered office: Berlin, HRB 134158 B
> * Geschaeftsfuehrer / Managing Director: Harald Welte
>
> ------------------------------
>
> Message: 2
> Date: Fri, 23 Dec 2022 18:47:57 +0100
> From: Harald Welte <laforge(a)gnumonks.org>
> Subject: Re: SGSNemu performance
> To: Pau Espin Pedrol <pespin(a)sysmocom.de>
> Cc: Sipos Csaba <dchardware(a)gmail.com>,
> "openbsc-request(a)lists.osmocom.org" <openbsc(a)lists.osmocom.org>
> Message-ID: <Y6XpzZoYYdVxYKdb@nataraja>
> Content-Type: text/plain; charset=us-ascii
>
> Hi Csaba and Pau,
>
> On Fri, Dec 23, 2022 at 06:38:55PM +0100, Pau Espin Pedrol wrote:
> > You could try passing use_kernel=true to tun_new(), and see how far you can
> > get. Patches welcome.
>
> The GTP kernel module needs to be told if it operates in SGSN or GGSN mode.
>
> grep for GTP_ROLE_SGSN in libgtpnl. I don't know all of the related functions
> off my head, but on the SGSN side you need to make sure to initialize the kernel
> GTP with GTP_ROLE_SGSN instead of GTP_ROLE_GGSN.
>
> --
> - Harald Welte <laforge(a)gnumonks.org> https://laforge.gnumonks.org/
> ============================================================================
> "Privacy in residential applications is a desirable marketing option."
> (ETSI EN 300 175-7 Ch. A6)
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> OpenBSC mailing list -- openbsc(a)lists.osmocom.org
> To unsubscribe send an email to openbsc-leave(a)lists.osmocom.org
>
>
> ------------------------------
>
> End of OpenBSC Digest, Vol 98, Issue 9
> **************************************
Hi all!
Recently in the IRC I brought up a topic of testing voice calls in
OsmoCNI, which then turned into a discussion. The problem is I wanted
to highlight is that there is currently no *easy* way to test voice
calls, especially when running a virtual OsmoRAN setup (fake_trx.py +
trxcon or virtphy).
== A bit of history ==
Back in the openbsc/osmo-nitb days I used to run jolly's LCR (Linux Call
Router) [1], which was configured to play some hold melody when calling
995, and echo voice frames back when calling 999.
Nowadays openbsc/osmo-nitb is obsolete and completely suppressed by the
new and shiny OsmoRAN/OsmoCNI stack. The LCR is not actively maintained
anymore and does not support the MNCCv8, so it cannot talk to osmo-msc.
BTW, I forked it, fixed some compilation errors, created a package, and
tried to implement MNCCv8 support (no luck, calls still don't work):
https://gitea.osmocom.org/vyanitskiy/lcr/commits/branch/fixeria/fixeshttps://gitea.osmocom.org/vyanitskiy/lcr/commits/branch/fixeria/mncchttps://aur.archlinux.org/packages/lcr-git
Looks like it does not support late TCH assignment?
[1] http://www.linux-call-router.de/
== Current situation ==
Currently with the new post-NITB stack I see the following options:
a) run a virtual BTS, attach two mobiles, and setup a call between them;
b) run a real BTS, attach two phones, and setup a call between them;
c) run some PBX, talking to osmo-msc via osmo-sip-connector.
Personally I find neither of these options convenient because:
a) requires running two instances of the mobile app (from
osmocom-bb.git). I know one can run two and even more MS instances in
one mobile process, but this is still not handy.
b) requires running a real BTS and interacting with real phones. This
is what I usually do, but it takes more time than running everything
virtually.
c) requires setting up a PBX (e.g. Freeswitch, Asterisk), which in its
turn requires digging into the new world of configuration files. I do
have a repository with a know-to-work Freeswitch configuration [2], but
installing it (even from packages) is not trivial.
[2] https://people.osmocom.org/fixeria/freeswitch.cfg.zip
== What do I want ==
It would be great to have an easy-to-use echo service, be it attached to
osmo-msc via the MNCC socket, or be it built-in part of osmo-msc itself.
This would be usable for both real and virtual setups.
== Conclusion ==
I would like to know how do you guys test voice, and what do/would you
consider an easy approach. I actually found out that it's possible to
use osmo-msc's silent-call feature and play the Uplink RTP stream with
osmo-gapk. I'll share more details in a follow up mail.
In the IRC @whytek proposed to use sipp [3] and later came up with a
wiki page [4] describing how to achieve this with SEMS (SIP Express
Media Server). This is definitely easier than setting up Freeswitch or
Asterisk, but still feels like an overkill (sorry).
[3] https://sipp.sourceforge.net/doc/reference.html#RTP+echo
[4]
https://osmocom.org/projects/cellular-infrastructure/wiki/Simple_Echo_Server
Best regards,
Vadim.
--
- Vadim Yanitskiy <vyanitskiy at sysmocom.de> http://www.sysmocom.de/
=======================================================================
* sysmocom - systems for mobile communications GmbH
* Alt-Moabit 93
* 10559 Berlin, Germany
* Sitz / Registered office: Berlin, HRB 134158 B
* Geschaeftsfuehrer / Managing Director: Harald Welte
I'm also just trying to figure out how it works with global platform.
The problem you have with Global Platform is that you have not specified an
installation parameter. I tried it for example with "-default -params
80120100140600000000000000000000810600040200000400820600040200000400" and
the applet was installed and also made selectable.
You can find a discussion about that parameters here:
https://github.com/martinpaljak/GlobalPlatformPro/issues/293
I'm looking now why I can't open the menu e.g. from the iPhone. Probably
any access rules / directories access still need to be updated here?
Hello GSM community,
As I keep working on my project seeking to build a new GSM network that
will be no worse in every aspect than the one which T-Mobile USA are
itching to shut down, I need a way to ferry the uplink voice stream
from the BTS to my "soft TRAU" in RTP transport, but do it in a way
that is semantically no-worse than what happens in the traditional
T1/E1-based architecture. As part of this no-worse-than-TDM desire or
requirement, I need explicit BFI markers - in other words, any time
there is a 20 ms window in which there is no good traffic frame to be
sent because the uplink is in DTX, because that frame was lost to bad
radio conditions or because that frame was stolen for FACCH, I want my
BTS to send an explicit BFI frame instead of gapping/pausing the RTP
stream.
But this "simple and innocent" desire which I just expressed then turns
into a perplexing question: just how would one represent an explicit
BFI marker in an RTP stream? In the case of AMR codec there is a
straightforward solution already provided for in the specs: simply
send a NO_DATA frame. But what about FR and EFR codecs?
For my own Themyscira Wireless deployment, I currently run with my own
non-standard extension to RTP transport format for FR & EFR, documented
here:
https://www.freecalypso.org/hg/themwi-system-sw/file/tip/doc/RTP-BFI-extens…
My solution works great for my purposes, and I am very happy with it.
However, in the spirit of seeking at least some unity and at least
some chance of patches being merged, I am making a due-diligence
attempt to understand how others have addressed similar problems, and
what competing solutions may already exist out in the wild.
Here is my specific question to the community, mostly the narrower
Osmocom community but perhaps also the wider GSM community: where did
the idea of an all-zeros frame representing BFI come from? In the
current osmo-bts-trx implementation (although not in any other osmo-bts
variants that I can see from the code) there is code that sends an FR
codec frame of 260 zero bits or an EFR codec frame of 244 zero bits,
both intended to signal BFI, under the following conditions:
1) The BFI condition exists for some reason other than the uplink
being in DTX, i.e., because the frame was stolen for FACCH or was
lost to radio errors, but the last frame was not a SID;
and
2) There is no ECU on the channel, or the ECU failed to provide a
substitute frame.
Irrespective of specific conditions though, the key point is that
someone, somewhere, at some point in time had the idea that an FR or
EFR codec frame of all zeros (260 or 244 zero bits, respectively)
should mean BFI. There is also a patch to gapk by Vadim, adding an FR
codec EFU function, that detects a frame of all-zeros and treats it as
BFI - but I am not able to tell if the very idea of such BFI
representation comes from Vadim, or if Vadim simply added the code to
gapk to work with what osmo-bts-trx puts out under certain conditions.
To put the question differently: does there exist any spec from ETSI or
from 3GPP or from any other non-Osmocom standards body that defines an
FR codec frame of 260 all-zero bits and/or an EFR frame of 244 all-zero
bits to mean BFI, or is this idea a pure Osmocom invention?
The only official specs I could find for coded speech transport within
RAN, between a BTS and a separate transcoder, deal with the traditional
T1/E1 environment, as in GSM 08.60 and friends. In those specs BFI is
signaled out of band: in GSM 08.60 TRAU frames there is a control bit
carrying BFI, and another control bit carrying TAF (important for
traditional Rx DTX handlers for FR & EFR), both outside of 260 data
bits, and there is NO special bit pattern (all zeros or otherwise)
within data frame bits themselves that would also signal BFI.
Therefore, based on what I see in GSM 08.60 and other specs for T1/E1
world, I get the idea that BFI is meant to be an out-of-band signal,
not in-band, and that an in-band bit pattern that signals BFI seems to
go against the spirit of ETSI and 3GPP.
But maybe the problem is that I was only looking at older specs, maybe
there is some newer spec from 3GPP or some other standards body written
for the newer world of IP transport that officially repurposes in-band
all-zeros FR and EFR codec frames to mean BFI - is there any such spec?
Moving from the realm of rhetorical questions to the realm of tangible
code, here is my latest creation in the realm of GSM codecs:
https://www.freecalypso.org/hg/gsm-codec-lib/
I will make another announcement when this code reaches the level of
completeness I am after, but as a short summary, I am making a
librified (turned into a library) version of the official EFR codec
implementation from ETSI (libgsmefr), and I have also written another
library of my own (libgsmfrp) that implements Rx DTX handler functions
for GSM FR, to be run as a pre-processor before passing frames to a
GSM 06.10 decoder, which is typically gsm_decode() from libgsm.
libgsmfrp is already integrated into my "soft TRAU" implementation in
themwi-mgw, and libgsmefr will likewise be integrated when it is
complete. (Right now only the decoder works in libgsmefr, the encoder
remains to be finished.)
Both libgsmefr and libgsmfrp have BFI handling functions which the
"soft TRAU" application needs to call when it receives a BFI marker
instead of a good traffic frame, but the question of how these BFI
markers should be represented in an RTP stream is outside the scope of
the library - instead my themwi-mgw application currently implements
ThemWi RTP-BFI-extension and calls the respective library functions.
I may be open to the possibility that I should not be inventing my own
RTP-BFI-extension and should instead use in-band frames of all-zeros
to represent BFI in FR & EFR, *if* there is some official spec from
3GPP etc saying so - but if that idea is an Osmocom invention rather
than 3GPP, then I am going to argue for my invented alternative RTP
representation instead. So which is it?
With devotion to GSM Forever,
(Hasta la Victoria, Siempre,)
Mother Mychaela
I have a complete eNodeB (LTE base station) to offer, with following components:
- 1x Ericsson DUL 20 01 (the base station)
- 1x Ericsson RUS 01 B4 (80W RF fronted for LTE band B4)
- 1x Mean Well RS-150-48 (48V 3.3A power supply for both above)
- 2x power input cable (for DUL and RSU, based on RPM 777 193/00315 R1B cable connector)
- 1x spare power 20A cable (RPM 77 193/00315 R1B)
- 1x mini SPF cable (to interconnect DUL and RSU, RPM 777 211/00900)
- 2x coaxial cable to inter-connect RSU to its cavity block (RPM 777 701/00050, 1x on RSU, 1x spare)
- 3x coaxial to SMA cable (RPM 777 227/00080, for RSU RXA I/O, RXA OUT, RXB I/O ports)
- 1x USB to RS232 adapter, for DUL terminal port
- 1x RS-232 to RJ45 adapter, for DUL terminal port
- 2x 26mm RF connector to N connector adapters (for RUS RF A and B port)
- 2x N to SMA adapters
- 1x N termination (10W)
- 1x SMA termination (<1W)
- 1x alternative OS (on compact flash card, with different configuration/licenses)
- 1x N-connector antenna (antenna size is 35 cm, 698-960 + 1700-2700 MHz)
- 1x SMA cable antenna (antenna size is 30 cm, 688-960 + 1700-2700 MHz)
- 1x N-connector cable antenna (antenna size is 10 cm, flat PCB antenna, 700-2600 MHz)
you can have all of that for free, as long as you take care of the shipping (12 kg, from Germany).
if you are interested, just let me know.
Hi all,
I am having an automake / libtool problem and don't know how to solve it.
In libosmo-pfcp, there is the pfcp_test binary, which obviously requires
linking libosmo-pfcp.so -- more precisely, it should NOT link the system
installed libosmo-pfcp.so, but the locally built one, libosmo-pfcp.a.
I try to accomplish this by:
pfcp_test_LDADD = \
$(LIBOSMOCORE_LIBS) \
$(top_builddir)/src/libosmo-pfcp/libosmo-pfcp.la \
$(top_builddir)/src/libosmo-gtlv/libosmo-gtlv.la \
$(NULL)
https://cgit.osmocom.org/libosmo-pfcp/tree/tests/libosmo-pfcp/Makefile.am
I am now adding a new optional IE to libosmo-pfcp, and I found that this does
not work as expected! The pfcp_test binary is linked to the previously
installed libosmo-pfcp.so in /usr/local/lib, instead of the proper, new version
from the build tree. I found out by getting an obscure ABI corruption error,
verified it by:
~/osmo-dev/make/libosmo-pfcp/tests/libosmo-pfcp
$ ldd .libs/pfcp_test
[...]
libosmo-pfcp.so.0 => /usr/local/lib/libosmo-pfcp.so.0 (0x00007f1b6bc00000)
libosmo-gtlv.so.0 => /usr/local/lib/libosmo-gtlv.so.0 (0x00007f1b6cc0a000)
[...]
As soon as I 'make uninstall' in libosmo-pfcp.git's root dir, this changes to:
▶ ldd .libs/pfcp_test
[...]
libosmo-pfcp.so.0 => not found
libosmo-gtlv.so.0 => not found
[...]
and then the test succeeds (because './pfcp_test' is actually a shell script
generated by libtool with linker magic referencing the libs built within the
libosmo-pfcp.git tree).
Now I am at a loss:
How do I tell automake (libtool) to keep out the system installed .so and
prioritize the libs in the build tree?
I can work around this for me by doing 'make uninstall' every time the
libosmo-pfcp ABI changes, but I would much rather fix this, so that users
rebuilding a newer version pulled from git don't run into this obscure problem.
I suspect that we may have a similar pitfall in many other osmo source trees,
because the Makefile.am *looks* like it takes care of this problem, but
actually doesn't.
Any ideas?
I am using:
automake (GNU automake) 1.16.5
autoconf (GNU Autoconf) 2.71
libtoolize (GNU libtool) 2.4.7
(Debian Unstable)
Thanks!
~N
Hello Folks.
I am trying to get my head around on how java applet loading works for
sysmo-isim-sja2.
At first I used the following, updated example to compile a
HelloSTK2.cap: https://github.com/mrlnc/HelloSTK2.git
This works fine and it also loads fine on sysmo-usim-sjs2 using shadysim.py
Now I want to load the exact same file to a sysmo-isim-sja2.
I tried with shadysim_isim.py from
https://github.com/herlesupreeth/sim-tools:
---------------8<---------------
$ python shadysim_isim.py --pcsc 2 -l
/home/owner/work/simcard_applet_loading/HelloSTK2.cap -i
/home/owner/work/simcard_applet_loading/HelloSTK2.cap
--enable-sim-toolkit --module-aid d07002ca44900101 --instance-aid
d07002CA44900101 --nonvolatile-memory-required 0100
--volatile-memory-for-install 0100 --max-menu-entry-text 15
--max-menu-entries 05 --kic 56B6B26346DEF2A74BC8DFAF3BEA71D6 --kid
8EFE5A4B60C751FD18F33A24886967E7
Traceback (most recent call last):
File "shadysim_isim.py", line 494, in <module>
ac.load_app(args.load_app)
File "shadysim_isim.py", line 369, in load_app
self.load_aid_raw(aid, data, len(data) / 2)
File "shadysim_isim.py", line 271, in load_aid_raw
self.send_wrapped_apdu_checksw('80e60200' + ('%02x' % (len(data) /
2)) + data + '00c0000000')
File "shadysim_isim.py", line 246, in send_wrapped_apdu_checksw
raise RuntimeError("SW match failed! Expected %s and got %s." %
(sw.lower(), response[1]))
RuntimeError: SW match failed! Expected 9000 and got 6985.
---------------8<---------------
And I also tried with gp.jar from https://github.com/mrlnc/HelloSTK2.git
---------------8<---------------
$ java -jar ./gp.jar --key-enc 56B6B26346DEF2A74BC8DFAF3BEA71D6
--key-mac 8EFE5A4B60C751FD18F33A24886967E7 --key-dek
3BA47E883FE2462B5D43B85C4CCDF0AC --install
/home/owner/work/simcard_applet_loading/HelloSTK2.cap
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate
KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate
KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate
KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys:
ENC=56B6B26346DEF2A74BC8DFAF3BEA71D6 (KCV: 1ADB2F)
MAC=8EFE5A4B60C751FD18F33A24886967E7 (KCV: 174546)
DEK=3BA47E883FE2462B5D43B85C4CCDF0AC (KCV: D7011A) for null
[main] INFO pro.javacard.gp.GPSession - Diversified card keys:
ENC=56B6B26346DEF2A74BC8DFAF3BEA71D6 (KCV: 1ADB2F)
MAC=8EFE5A4B60C751FD18F33A24886967E7 (KCV: 174546)
DEK=3BA47E883FE2462B5D43B85C4CCDF0AC (KCV: D7011A) for SCP02
[main] INFO pro.javacard.gp.GPSession - Session keys:
ENC=76900ED8B816F1822A29D7DC81F1B843
MAC=02D74CFFA5F85F1F999F23F60C22AF02
RMAC=87AFE7F26DDE69307EA35AE567AC8F26, card
keys=ENC=56B6B26346DEF2A74BC8DFAF3BEA71D6 (KCV: 1ADB2F)
MAC=8EFE5A4B60C751FD18F33A24886967E7 (KCV: 174546)
DEK=3BA47E883FE2462B5D43B85C4CCDF0AC (KCV: D7011A) for SCP02
CAP loaded
Error: INSTALL [for install and make selectable] failed: 0x6A80 (Wrong
data/incorrect values in data)
---------------8<---------------
As it seems gp.jar seems to work better than shadysim_isim.py.
Unfortunately I have no experience in java card programming yet, so its
difficult for me to tell where the error could be.
(When I run gp.jar once more it tells me "Error: STRICT WARNING: Package
with AID D07002CA44 is already present on card", I can also delete the
applet again, so apparently its kind of loaded...)
Is there anyone here who managed to load an applet to a sysmo-isim-sja2
and how?
best regards.
Philipp
--
Philipp Maier <pmaier(a)sysmocom.de> http://www.sysmocom.de/
=======================================================================
* sysmocom - systems for mobile communications GmbH
* Alt-Moabit 93
* 10559 Berlin, Germany
* Sitz / Registered office: Berlin, HRB 134158 B
* Geschaeftsfuehrer / Managing Director: Harald Welte
I have a plethora of femtocells (small base stations) I want to get rid of.
If you want it, it's yours, for free. You just need to cover the shipping costs.
Else it will become the property of Trash Inc.
Here the list of 3G femtocells:
- Cisco residential signal box USC3331, model 74-12584-01, PID USC3331-EE-K9. The flash (TSSOP) is desoldered but in the box (just is case you need to dump it). Just resolder it and it should work fine.
- 2x Vodafone (Greece) Access Gateway UAP2105. One is open, but nothing is missing. 5 pair of board to board connectors are included. This is the one first model that has been hacked.
- Vodafone Sure Signal AP 2820V. A cute plug style 3G femtocell. modded for serial output and external power supply (so the serial is not mains referenced). I have doc on how to root and flash it. Sadly it misses little effort for interfacing it with osmocom, but is the best candidate for such a project.
- Vodafone Sure Signal AP 2820V. not modded.
- Ubiquisys ZP-000-05EU, aka SerComm. Flash is desoldered and in the packages. Serial output is available.
- SFR Home 3G G2, Ubiquisys ZP-004-01FR. serial is available. This is the one I hacked and reflashed for a MitM attack back in 2011
- yet another Vodafone (Greece) Access Gateway UAP2105. already open. should work, but else perfect donor board.
- SFR Home 3G G3, FEM-SER-r0. flash is desoldered and in package.
Here the list of 4G femtocells:
- Samsung Verizon 4G LTE Network Extender, model SLS-BU103
- 3x T-Mobile (USA) Personal 4G LTE CellSpot, 9961 Home Cell V1. one is open and has plenty of test points soldered.
just let me know if you are interested.
