T-Mobile 4G LTE CellSpot » History » Version 6

eloy, 02/09/2022 12:39 PM

h1. T-Mobile 4G LTE CellSpot

_Any information that is and will be posted here is based on reverse engineering or using publicly available information, without private support from T-Mobile or Nokia. Use at your own risk._

* "Specifications by T-Mobile of the CellSpot V2":https://web.archive.org/web/20171125112632/https://support.t-mobile.com/docs/DOC-36766

The T-Mobile/Nokia branded version has been labeled as the 4G LTE CellSpot V2 with the model "SS2FII Femtocell Multi-band SOHO". The Nokia-only branded version (pictured by the "FCC":https://fccid.io/H8NSS2FII) has been labeled with the model name "SOHO Small Cell V2 B2/B4". See the "Nokia quick guide":http://web.archive.org/web/20211201223549/https://data2.manualslib.com/pdf6/133/13212/1321196-nokia/b2.pdf?c77d329fcfca60ebf31fb2ad41fdcff4=&take=binary. According to "Nokia":https://www.nokia.com/networks/mobile-networks/smart-node-femtocells/#specifications, it has IPsec with IKEv2 and a tamper alarm, so it is better not to disassemble the device, to avoid triggering those. Using the LAN and WAN ports, it can be daisy-chained.

The device does not seem to support GSM, only UMTS and LTE. According to "pictures of the internals by the FCC":https://cdn-0.fccid.io/png.php?id=3432311&page=5, the SoC is a Qualcomm FSM9955. This SoC incorporates a DSP by Qualcomm from the Hexagon series, see "here":http://pages.cs.wisc.edu/~danav/pubs/qcom/hexagon_micro2014_v6.pdf for more detailed information. A "Linux kernel for the FSM99xx series":https://github.com/ipaccess/fsm99xx-kernel-sources, made with Yocto, has been released. According to the "generic device tree include header":https://github.com/ipaccess/fsm99xx-kernel-sources/blob/master/arch/arm/boot/dts/qcom/fsm9900.dtsi, the FSM9900 series seems to be based on the 2012-era ARMv7 Qualcomm Krait cores. According to a "Reddit post":https://old.reddit.com/r/tmobile/comments/7ii5jm/4g_lte_cellspot_v2_virtual_teardown/ the FSM9955 also uses a Krait core, but I don't have the kernel sources to confirm this. Maybe request more recent kernel sources from T-Mobile or Nokia.

It has a GPS receiver because it is required by "FCC regulations":https://wireless.blog.law/2015/11/03/t-mobiles-cellspot-you-cover-what-they-cant/ to locate callers to 911. I don't know if it is also used for region locking.

h2. Notes

* The device does not seem to have any open ports or web interface, which makes hacking it without disassembly very hard

h2. Prior research on other femtocells

"Early Vodafone femtocell":http://web.archive.org/web/20140109022704/http://wiki.thc.org/vodafone
"PhD thesis on femtocell security":http://www.cs.ru.nl/~fabianbr/pub/thesis_fabian_vd_broek.pdf
"Root on Samsung femtocell":https://rsaxvc.net/blog/2011/7/17/Gaining_root_on_Samsung_FemtoCells.html