Hi Domi, it will be fantastic if you can share the results of your research, especially the IPSEC part! Now I'm trying to emulate the secgw on my machine, but it's a black box problem without the serial console.
Thank you!!!

On Tue, 27 Nov 2018 at 23:43, Tomcsányi, Domonkos <[email protected]> wrote:

> Hi Alex,
>
> I have a couple of those femtocells (Vodafone UK SureSignal versions 1.5
> and 2.0). I did some research on them about 4-5 years ago I think.
> The SureSignal uses an embedded crypto chip to generate keys IIRC. I also
> had the chance to have a look at a rooted board for some time (it was lent
> to me). The THC wiki has pretty much all the info about the board.
> I also was not able to find any UART or serial port on it when I looked. I
> wanted to dump the flash but then got busy with other stuff. Maybe the
> debug fuses are blown in the factory as well.
> Anyways if you wish to do tests or try out something with the device(s) I
> can dig them up, they must be somewhere in my cabinet.
> As far as I remember though the actual femtocell implementation is a
> closed source binary blob, but strongswan (or maybe openswan? I cannot
> recall exactly) is used for the IPsec part, therefore I have a source code
> tree downloaded somewhere as well. Alcatel or Vodafone stayed compliant to
> GPL so the code was released. If only we were able to reconfigure the
> strongswan daemon on the device then we could connect it to your network.
> Provisioning of some parameters (e.g. frequency, Routing Area Code, allowed
> IMSIs) is done via XML files I think inside the ipsec tunnel.
> Now back to changing the ipsec configuration: dumping the flash and then
> changing the config would be a good way to do it, although that would not
> be a generic solution, but as a pilot it could just work.
> I am also not sure if there are any cryptographic signatures protecting
> the firmware, but I would guess probably not.
>
> Sorry for the inconsistent rambling this email turned into, I wrote things
> as they surfaced from the back of my brain, hidden parts of my memory :)
>
> Cheers,
> Domi
>
> On 27 Nov 2018, at 19:57, Alex <[email protected]> wrote:
>
> Hi,
> little UP:
>
> Vodafone UK and other OpCo like it (VF DE and VF GR I think) made a local
> femtocell network based on similar platform from ALU.
>
> Does anyone know something/ever tried to make something like connecting
> one of these devs to osmoHNBGW or similar?
> Thank you and best regards
>
> On Tue, 27 Nov 2018 at 19:56, Alex <[email protected]> wrote:
>
>> Hi,
>> thanks for the answer!
>>
>> This femto seems to have a discrete simcard (it has empty slot accessible
>> from the external).
>>
>> I don't know the setup used by the original operator (TelecomItalia),
>> because I bought it from ebay.
>>
>> I found a possible reset procedure (still to be tested), but I don't
>> think it will "unlock" the board.
>> Now I'm trying to find the UART on the board, but on the testpoints I
>> only see "control" signals and clocks. Nothing seems to be a serial port
>> pattern on my oscilloscope.
>>
>> On this site
>> https://web.archive.org/web/20170707063235/https://wiki.thc.org/vodafone
>> there is some information on a really similar cell (9361 I think) from
>> Vodafone, which has a really similar IPSEC config, but there isn't any spec.
>>
>> No one tried to disassemble it or do have just the serial pinout on the
>> board?
>>
>> On the other side I've already deployed the CN part (HLR + MSC + SSGN +
>> GSGN + STP + MGW + HNBGW), which seems to be fully operational, but I can't
>> test without a test cell.
>> I also think the IuH protocol of this femto is little out-of-standard,
>> but from ALU documentation I can't understand the differences with standard
>> IuH.
>>
>> The idea is to implement ALU's IuH variant on HNBGW if I can take traces
>> from a "lab" env, but without the femto it's just impossible.
>>
>> On Tue, 27 Nov 2018 at 18:17, Tomcsányi, Domonkos <[email protected]> wrote:
>>
>>> Hi Alex,
>>>
>>> Femtocells are provisioned with operator data - certificates/keys to be
>>> able to talk to the gateway.
>>> Some femtocells use EAP-SIM with an embedded SIM card, others just rely
>>> on the configuration. If your femto supports a SIM card you can use a SIM
>>> card with a known Ki to connect it to your gateway (strongswan I assume).
>>> If however there is no SIM card support in the femtocell then you need
>>> to somehow re-provision the device - probably using a proprietary software
>>> and method.
>>> Sorry, this is probably bad news for you.
>>>
>>> Kind regards,
>>> Domi
>>>
>>> On 27 Nov 2018, at 9:33, Alex <[email protected]> wrote:
>>>
>>> Hi to everyone!
>>>
>>> I'm a new member and I really appreciate the work done here!
>>>
>>> I'm trying to use Alcatel Femtocells (ALU 9361/9362/9363) with
>>> osmo-hnbgw, but I'm still blocked at the IPSEC tunnel step.
>>>
>>> I've created an IPSEC server with EAP support, but I suspect there is a
>>> problem with my self signed certificate.
>>>
>>> Probably the femtocell has an internal trusted CA which validates server
>>> certs.
>>>
>>> I didn't find the console pins on the board also, so I cannot simply
>>> connect to it and have a look at the system level.
>>>
>>> Has anyone any experience with this kind of HW or just an idea about a
>>> possible work around?
>>>
>>> Thank you and best regards
>>> Alex
