Project

General

Profile

Actions

T-Mobile 4G LTE CellSpot » History » Revision 6

« Previous | Revision 6/13 (diff) | Next »
eloy, 02/09/2022 12:39 PM


T-Mobile 4G LTE CellSpot

Any information that is and will be posted here is based on reverse engineering or using publicly available information, without private support from T-Mobile or Nokia. Use at your own risk.

The T-Mobile/Nokia branded version has been labled as the 4G LTE CellSpot V2 with the model "SS2FII Femtocell Multi-band SOHO". The Nokia-only branded version (pictured by the FCC) has been labeled with the model name "SOHO Small Cell V2 B2/B4". See the Nokia quick guide. According to Nokia, it has a IPSec with IKEv2 and a tamper alarm, so it is better not to disassemble the device to avoid triggering those. Using the LAN and WAN ports, it can be daisy-chained.

The device does not seem to support GSM, only UMTS and LTE. According to pictures of the internals by the FCC, the SoC is a Qualcomm FSM9955. This SoC incorporates a DSP by Qualcomm from the Hexagon series, see here for more detailed information. There is a Linux kernel for the FSM99xx series released, made with Yocto. According to the generic device tree include header, the FSM9900 series seems to be based on the 2012-era ARMv7 Qualcomm Krait cores. According to a Reddit post the FSM9955 also uses a Krait core, but I don't have the kernel sources to confirm this. Maybe request more recent kernel sources from T-Mobile or Nokia.

It has a GPS receiver because it is required by FCC regulations to locate callers to 911. I don't know if it is also used for region locking.

Notes

  • The device does not seem to have any open ports or web interface, this makes hacking it without disassembly very hard

Prior research to other femtocells

Early Vodafone femtocell
PhD thesis on femtocell security
Root on Samsung femtocell

Files (0)

Updated by eloy about 2 years ago · 6 revisions

Add picture from clipboard (Maximum size: 48.8 MB)