Project

General

Profile

T-Mobile 4G LTE CellSpot » History » Revision 8

Revision 7 (eloy, 02/09/2022 10:09 PM) → Revision 8/13 (eloy, 02/09/2022 10:09 PM)

h1. T-Mobile 4G LTE CellSpot 

 _Any information that is and will be posted here is based on reverse engineering or using publicly available information, without private support from T-Mobile or Nokia. Use at your own risk._ 

 * "Specifications by T-Mobile of the CellSpot V2":https://web.archive.org/web/20171125112632/https://support.t-mobile.com/docs/DOC-36766 

 The T-Mobile/Nokia branded version has been labled as the 4G LTE CellSpot V2 with the model "SS2FII Femtocell Multi-band SOHO". The Nokia-only branded version (pictured by the "FCC":https://fccid.io/H8NSS2FII) has been labeled with the model name "SOHO Small Cell V2 B2/B4". See the "Nokia quick guide":http://web.archive.org/web/20211201223549/https://data2.manualslib.com/pdf6/133/13212/1321196-nokia/b2.pdf?c77d329fcfca60ebf31fb2ad41fdcff4=&take=binary. According to "Nokia":https://www.nokia.com/networks/mobile-networks/smart-node-femtocells/#specifications, it has a IPSec with IKEv2 and a tamper alarm, so it is better not to disassemble the device to avoid triggering those. Using the LAN and WAN ports, it can be daisy-chained. 

 The device does not seem to support GSM, only UMTS and LTE. According to "pictures of the internals by the FCC":https://cdn-0.fccid.io/png.php?id=3432311&page=5, the SoC is a Qualcomm FSM9955. This SoC incorporates a DSP by Qualcomm from the Hexagon series, see "here":http://pages.cs.wisc.edu/~danav/pubs/qcom/hexagon_micro2014_v6.pdf for more detailed information. There is a "Linux kernel for the FSM99xx series":https://github.com/ipaccess/fsm99xx-kernel-sources released, made with Yocto. According to the "generic device tree include header":https://github.com/ipaccess/fsm99xx-kernel-sources/blob/master/arch/arm/boot/dts/qcom/fsm9900.dtsi, the FSM9900 series seems to be based on the 2012-era ARMv7 Qualcomm Krait cores. According to a "Reddit post":https://old.reddit.com/r/tmobile/comments/7ii5jm/4g_lte_cellspot_v2_virtual_teardown/ the FSM9955 also uses a Krait core, but I don't have the kernel sources to confirm this. Maybe request more recent kernel sources from T-Mobile or Nokia. 

 It has a GPS receiver because it is required by "FCC regulations":https://wireless.blog.law/2015/11/03/t-mobiles-cellspot-you-cover-what-they-cant/ to locate callers to 911. I don't know if it is also used for region locking. 

 h2. Notes 

 * The device does not seem to have any open ports or web interface, this makes hacking it without disassembly very hard 

 h3. Chips on the board 

 h4. Main side 

 * Qualcomm FSM9955, the main SoC 
 * Qualcomm PMF9900 AU7192K4 U071904, unknown chip 
 *    QCA8334-AL3C, Ethernet switch 
 * "Samsung K4B4G1646E-BYK0":https://semiconductor.samsung.com/dram/ddr/ddr3/k4b4g1646e-byk0/, DRAM K4B4G1646E-BYK0":https://semiconductor.samsung.com/dram/ddr/ddr3/k4b4g1646e-byk0/ 

 h4. Back side 

 * Qualcomm FTR8900, RFIC 

 h2.    Prior research to other femtocells 

 "Early Vodafone femtocell":http://web.archive.org/web/20140109022704/http://wiki.thc.org/vodafone 
 "PhD thesis on femtocell security":http://www.cs.ru.nl/~fabianbr/pub/thesis_fabian_vd_broek.pdf 
 "Root on Samsung femtocell":https://rsaxvc.net/blog/2011/7/17/Gaining_root_on_Samsung_FemtoCells.html 


Add picture from clipboard (Maximum size: 48.8 MB)