Project

General

Profile

T-Mobile 4G LTE CellSpot » History » Version 12

eloy, 02/10/2022 01:03 AM

1 1 eloy
h1. T-Mobile 4G LTE CellSpot
2
3 5 eloy
_Any information that is and will be posted here is based on reverse engineering or using publicly available information, without private support from T-Mobile or Nokia. Use at your own risk._
4 1 eloy
5 3 eloy
* "Specifications by T-Mobile of the CellSpot V2":https://web.archive.org/web/20171125112632/https://support.t-mobile.com/docs/DOC-36766
6
7 4 eloy
The T-Mobile/Nokia branded version has been labled as the 4G LTE CellSpot V2 with the model "SS2FII Femtocell Multi-band SOHO". The Nokia-only branded version (pictured by the "FCC":https://fccid.io/H8NSS2FII) has been labeled with the model name "SOHO Small Cell V2 B2/B4". See the "Nokia quick guide":http://web.archive.org/web/20211201223549/https://data2.manualslib.com/pdf6/133/13212/1321196-nokia/b2.pdf?c77d329fcfca60ebf31fb2ad41fdcff4=&take=binary. According to "Nokia":https://www.nokia.com/networks/mobile-networks/smart-node-femtocells/#specifications, it has a IPSec with IKEv2 and a tamper alarm, so it is better not to disassemble the device to avoid triggering those. Using the LAN and WAN ports, it can be daisy-chained.
8 1 eloy
9 2 eloy
The device does not seem to support GSM, only UMTS and LTE. According to "pictures of the internals by the FCC":https://cdn-0.fccid.io/png.php?id=3432311&page=5, the SoC is a Qualcomm FSM9955. This SoC incorporates a DSP by Qualcomm from the Hexagon series, see "here":http://pages.cs.wisc.edu/~danav/pubs/qcom/hexagon_micro2014_v6.pdf for more detailed information. There is a "Linux kernel for the FSM99xx series":https://github.com/ipaccess/fsm99xx-kernel-sources released, made with Yocto. According to the "generic device tree include header":https://github.com/ipaccess/fsm99xx-kernel-sources/blob/master/arch/arm/boot/dts/qcom/fsm9900.dtsi, the FSM9900 series seems to be based on the 2012-era ARMv7 Qualcomm Krait cores. According to a "Reddit post":https://old.reddit.com/r/tmobile/comments/7ii5jm/4g_lte_cellspot_v2_virtual_teardown/ the FSM9955 also uses a Krait core, but I don't have the kernel sources to confirm this. Maybe request more recent kernel sources from T-Mobile or Nokia.
10 6 eloy
11
It has a GPS receiver because it is required by "FCC regulations":https://wireless.blog.law/2015/11/03/t-mobiles-cellspot-you-cover-what-they-cant/ to locate callers to 911. I don't know if it is also used for region locking.
12
13
h2. Notes
14
15
* The device does not seem to have any open ports or web interface, this makes hacking it without disassembly very hard
16
17 7 eloy
h3. Chips on the board
18
19
h4. Main side
20
21
* Qualcomm FSM9955, the main SoC
22 10 eloy
* "KLMBG4GEND-B031":https://semiconductor.samsung.com/estorage/emmc/emmc-5-0/klmbg4gend-b031/, eMMC
23 11 eloy
* Qualcomm PMF9900 AU7192K4 U071904, unknown chip, maybe PMF is power management functionality
24 7 eloy
*  QCA8334-AL3C, Ethernet switch
25 8 eloy
* "Samsung K4B4G1646E-BYK0":https://semiconductor.samsung.com/dram/ddr/ddr3/k4b4g1646e-byk0/, DRAM
26 7 eloy
27
h4. Back side
28
29
* Qualcomm FTR8900, RFIC
30
31 6 eloy
h2.  Prior research to other femtocells
32
33
"Early Vodafone femtocell":http://web.archive.org/web/20140109022704/http://wiki.thc.org/vodafone
34
"PhD thesis on femtocell security":http://www.cs.ru.nl/~fabianbr/pub/thesis_fabian_vd_broek.pdf
35
"Root on Samsung femtocell":https://rsaxvc.net/blog/2011/7/17/Gaining_root_on_Samsung_FemtoCells.html
36 12 eloy
"Article about Hexagon and femtocells":https://pages.cs.wisc.edu/~danav/pubs/qcom/hexagon_microreport2011_femto.pdf
Add picture from clipboard (Maximum size: 48.8 MB)