Hi Alex,
I have a couple of those femtocells (Vodafone UK SureSignal versions 1.5 and 2.0). I did
some research on them about 4-5 years ago I think.
The SureSignal uses an embedded crypto chip to generate keys IIRC. I also had the chance
to have a look at a rooted board for some time (it was lent to me). The THC wiki has
pretty much all the info about the board.
I also was not able to find any UART or serial port on it when I looked. I wanted to dump
the flash but then got busy with other stuff. Maybe the debug fuses are blown in the
factory as well.
Anyways if you wish to do tests or try out something with the device(s) I can dig them up,
they must be somewhere in my cabinet.
As far as I remember though the actual femtocell implementation is a closed source binary
blob, but strongswan (or maybe openswan? I cannot recall exactly) is used for the IPsec
part, therefore I have a source code tree downloaded somewhere as well. Alcatel or Vodafone
stayed compliant to GPL so the code was released. If only we were able to reconfigure the
strongswan daemon on the device then we could connect it to your network. Provisioning of
some parameters (e.g. frequency, Routing Area Code, allowed IMSIs) is done via XML files I
think inside the ipsec tunnel.
Now back to changing the ipsec configuration: dumping the flash and then changing the
config would be a good way to do it, although that would not be a generic solution, but as
a pilot it could just work.
I am also not sure if there are any cryptographic signatures protecting the firmware, but
I would guess probably not.
Sorry for the inconsistent rambling this email turned into, I wrote things as they
surfaced from the back of my brain, hidden parts of my memory :)
Cheers,
Domi
On 27 Nov 2018, at 19:57, Alex <allexander.alex(a)gmail.com> wrote:
Hi,
little UP:
Vodafone UK and other OpCo like it (VF DE and VF GR I think) made a local femtocell
network based on similar platform from ALU.
Does anyone know something/ever tried to make something like connecting one of these devs
to osmoHNBGW or similar?
Thank you and best regards
> On Tue 27 Nov 2018 at 19:56, Alex <allexander.alex(a)gmail.com> wrote:
> Hi,
> thanks for the answer!
>
> This femto seems to have a discrete simcard (it has empty slot accessible from the external).
>
> I don't know the setup used by the original operator (TelecomItalia), because I bought it from ebay.
>
> I found a possible reset procedure (still to be tested), but I don't think it will "unlock" the board.
> Now I'm trying to find the UART on the board, but on the testpoints I only see "control" signals and clocks. Nothing seems to be a serial port pattern on my oscilloscope.
>
> On this site https://web.archive.org/web/20170707063235/https://wiki.thc.org/vodafone there is some information on a really similar cell (9361 I think) from Vodafone, which has a really similar IPSEC config, but there isn't any spec.
>
> Has no one tried to disassemble it, or does anyone have just the serial pinout on the board?
>
> On the other side I've already deployed the CN part (HLR + MSC + SSGN + GSGN + STP + MGW + HNBGW), which seems to be fully operational, but I can't test without a test cell.
> I also think the IuH protocol of this femto is little out-of-standard, but from ALU documentation I can't understand the differences with standard IuH.
>
> The idea is to implement ALU's IuH variant on HNBGW if I can take traces from a "lab" env, but without the femto it's just impossible.
>
>> On Tue 27 Nov 2018 at 18:17, Tomcsányi, Domonkos <domi(a)tomcsanyi.net> wrote:
>> Hi Alex,
>>
>> Femtocells are provisioned with operator data - certificates/keys to be able to talk to the gateway.
>> Some femtocells use EAP-SIM with an embedded SIM card, others just rely on the configuration. If your femto supports a SIM card you can use a SIM card with a known Ki to connect it to your gateway (strongswan I assume).
>> If however there is no SIM card support in the femtocell then you need to somehow re-provision the device - probably using a proprietary software and method.
>> Sorry, this is probably bad news for you.
>>
>> Kind regards,
>> Domi
>>
>>
>> On 27 Nov 2018, at 9:33, Alex <allexander.alex(a)gmail.com> wrote:
>>
>>> Hi to everyone!
>>>
>>> I'm a new member and I really appreciate the work done here!
>>>
>>>
>>> I'm trying to use Alcatel Femtocells (ALU 9361/9362/9363) with osmo-hnbgw, but I'm still blocked at the IPSEC tunnel step.
>>>
>>> I've created an IPSEC server with EAP support, but I suspect there is a problem with my self signed certificate.
>>>
>>> Probably the femtocell has an internal trusted CA which validates server certs.
>>>
>>>
>>> I didn't find the console pins on the board also, so I cannot simply connect to it and have a look at the system level.
>>>
>>>
>>> Has anyone any experience with this kind of HW or just an idea about a possible work around?
>>>
>>>
>>> Thank you and best regards
>>>
>>> Alex