femtocell parts (see Partitions):
  • the OS is in kernel and rootfs
  • the radio applications are in apps
  • the operator network configuration is in unidata
  • the femtocell configuration is in data
To reach the operator network the femtocell brings up an IPsec tunnel to the operator's security gateway (SeGW), so the SeGW side has to be configured on the femtocell:
  • the SeGW CA certificate, against which the gateway's server certificate is verified, is in cert/segw_ca.pem
  • the client/femtocell certificate is in cert/hnb.pem
  • the hostname is either in the server certificate, the local configuration (see below), or hard coded in /APP/bin/oamc_start (I'm not sure which one is used in which order)

The configuration is stored in the SQLite databases /data/tr106.db and /data/tr196.db (TR-106 and TR-196 are the Broadband Forum data models used by TR-069 device management), each in a table named Parameters.
These parameters should be settable remotely once the femtocell has connected to the operator's Home Management Server (HMS), which sits behind the SeGW.
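The databases can be copied off the femtocell (scp, same SSH options as below) and inspected on the local machine. The functions below are an added example, not code from the original page: they use the sqlite3 command-line tool to print the schema and to grep a full SQL dump, which finds a value whatever table or column it sits in, so the unknown layout of the Parameters table does not matter. The column names and rows created by make_sample_db are constructed here as a stand-in for /data/tr196.db (parameter names modelled on TR-196, values made up); they are not from the page.

```shell
#!/bin/sh
# Added example (not code from the original page): inspect a copy of the
# femtocell's configuration databases without knowing their schema first.
set -eu

# db_schema <db>: print the CREATE statements, i.e. learn the real column names
db_schema() {
    sqlite3 "$1" '.schema'
}

# db_grep <db> <pattern>: dump every table as SQL text and grep it
# case-insensitively; "|| true" keeps "no match" from aborting under set -e
db_grep() {
    sqlite3 "$1" '.dump' | grep -i -- "$2" || true
}

# make_sample_db <db>: CONSTRUCTED stand-in for /data/tr196.db. The column
# names (Name, Value, Writable) are an assumption; the page only says the
# table is called Parameters.
make_sample_db() {
    sqlite3 "$1" <<'EOF'
CREATE TABLE IF NOT EXISTS Parameters (Name TEXT PRIMARY KEY, Value TEXT, Writable INTEGER);
INSERT INTO Parameters VALUES ('Device.Services.FAPService.1.FAPControl.UMTS.Gateway.SecGWServer1', 'segw1.operator.example', 1);
INSERT INTO Parameters VALUES ('Device.Services.FAPService.1.FAPControl.UMTS.Gateway.SecGWServer2', 'segw2.operator.example', 1);
INSERT INTO Parameters VALUES ('Device.ManagementServer.URL', 'https://hms.operator.example/acs', 1);
INSERT INTO Parameters VALUES ('Device.DeviceInfo.SerialNumber', 'CONSTRUCTED0001', 0);
EOF
}

# Typical use on a copied database:
#   db_schema tr196.db
#   db_grep tr196.db secgw      # where does the femtocell think the SeGW is?
#   db_grep tr196.db hms        # and the management server?
```

Once db_grep has shown which row holds the SeGW address, the same sqlite3 tool can UPDATE it, which is the local equivalent of what the HMS would do remotely.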


You need to configure IPsec (strongSwan) on the machine that will act as the SeGW

  • create your own IPsec certificates (on the local machine, as root, so the files land directly in the directories strongSwan reads)
    • create the CA (CA certificates belong in cacerts/, not certs/)
      ipsec pki --gen --type rsa --size 4096 --outform pem > /etc/ipsec.d/private/ca_key.pem
      ipsec pki --self --ca --lifetime 3650 --in /etc/ipsec.d/private/ca_key.pem --type rsa --dn "C=UK, O=Vodafone Group, CN=Vodafone" --outform pem > /etc/ipsec.d/cacerts/ca_cert.pem
    • create the server certificate; CN and --san must be the SeGW hostname the femtocell expects (see above), otherwise the femtocell cannot match the gateway's identity
      ipsec pki --gen --type rsa --size 2048 --outform pem > /etc/ipsec.d/private/server_key.pem
      ipsec pki --pub --in /etc/ipsec.d/private/server_key.pem --type rsa | ipsec pki --issue --lifetime 365 --cacert /etc/ipsec.d/cacerts/ca_cert.pem --cakey /etc/ipsec.d/private/ca_key.pem --dn "C=UK, O=Vodafone Group, CN=<segw-hostname>" --san <segw-hostname> --flag serverAuth --flag ikeIntermediate --outform pem > /etc/ipsec.d/certs/server_cert.pem
      (charon also needs the line ": RSA server_key.pem" in /etc/ipsec.secrets to find the private key)
    • copy the CA certificate to the femtocell as /tmp/segw_ca.pem: it is the trust anchor the femtocell uses to verify the SeGW, and the file the steps below install into /APP/cert (the femtocell's SSH server only offers the legacy diffie-hellman-group1-sha1 key exchange, hence the option)
      scp -i /tmp/femto_id_rsa -o KexAlgorithms=diffie-hellman-group1-sha1 /etc/ipsec.d/cacerts/ca_cert.pem root@
  • on the femtocell (using original image, with root access):
    • stop IPsec (charon, from strongSwan) before reconfiguring it; starter takes charon down with it when it exits
      killall starter
    • copy watchdog trigger before unmounting the partition
      cp /APP/dev_only/ /tmp/
    • periodically kick the watchdog from the copy, so the board does not reset while /APP is unmounted
      /tmp/ &
      sleep 10
    • stop monitor, monitor_start, oam_start and rnc_start (they run from /APP, so the partition cannot be unmounted while they are alive)
    • prepare your own APP folder: keep the flash copy mounted read-only and work in a RAM copy, so nothing is written to the original partition
      umount /APP
      mkdir /tmp/APP
      mount -o ro /dev/mtdblock10 /tmp/APP
      mount -t ramfs ramfs /APP
      cp -a /tmp/APP/. /APP/
      rm -r /APP/cert
      mkdir /APP/cert
      cp /tmp/APP/cert/hnb.pem /APP/cert/
      cp /tmp/segw_ca.pem /APP/cert/
    • set the date so the certificates are valid (the femtocell's clock is not set correctly on its own; pick a time inside the validity period of the certificates you created)
      date -s 2017.07.25-15:00:00
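The "on local machine" half of the procedure above, as an added example that is not code from the original page: the same ipsec pki steps with consistent paths, the SeGW hostname placed in the server certificate as CN and subjectAltName, the files installed where strongSwan's starter looks for them, and a minimal ipsec.conf for the gateway side, which the page does not give. Assumptions, not taken from the page: IKEv2 with certificate authentication in both directions (what 3GPP H(e)NB security specifies), a virtual-IP pool of 10.99.0.0/24 for the femtocell, and that the CA which issued the femtocell's hnb.pem has been placed in /etc/ipsec.d/cacerts/ by hand (without it charon cannot authenticate the femtocell). The environment variable names SEGW_APPLY, SEGW_HOST and SEGW_WORK are this script's own.

```shell
#!/bin/sh
# Added example (not code from the original page): build and install the SeGW
# side on the local strongSwan machine. Run as root with SEGW_APPLY=1 and
# SEGW_HOST=<hostname the femtocell expects>; without SEGW_APPLY the file only
# defines functions.
set -eu

IPSEC_D=/etc/ipsec.d

# make_segw_pki <segw-hostname> <workdir>: CA and server certificate, as on the
# page, but with the gateway hostname as CN and SAN so identity matching works.
make_segw_pki() {
    host=$1; dir=$2
    mkdir -p "$dir"
    ipsec pki --gen --type rsa --size 4096 --outform pem > "$dir/ca_key.pem"
    ipsec pki --self --ca --lifetime 3650 --in "$dir/ca_key.pem" --type rsa \
        --dn "C=UK, O=Vodafone Group, CN=Vodafone" --outform pem > "$dir/ca_cert.pem"
    ipsec pki --gen --type rsa --size 2048 --outform pem > "$dir/server_key.pem"
    ipsec pki --pub --in "$dir/server_key.pem" --type rsa \
        | ipsec pki --issue --lifetime 365 --cacert "$dir/ca_cert.pem" --cakey "$dir/ca_key.pem" \
            --dn "C=UK, O=Vodafone Group, CN=$host" --san "$host" \
            --flag serverAuth --flag ikeIntermediate --outform pem > "$dir/server_cert.pem"
    chmod 600 "$dir"/*_key.pem
}

# install_segw_pki <workdir>: only the server key goes into /etc/ipsec.d; the CA
# key stays in the work directory, charon never needs it.
install_segw_pki() {
    dir=$1
    install -m 600 "$dir/server_key.pem" "$IPSEC_D/private/"
    install -m 644 "$dir/server_cert.pem" "$IPSEC_D/certs/"
    install -m 644 "$dir/ca_cert.pem" "$IPSEC_D/cacerts/"
    grep -q 'RSA server_key.pem' /etc/ipsec.secrets 2>/dev/null \
        || echo ': RSA server_key.pem' >> /etc/ipsec.secrets
}

# write_segw_config <segw-hostname> <dest>: minimal IKEv2 responder (assumption:
# the femtocell uses IKEv2 with certificates). Proposals are left at the
# defaults; if the femtocell's IKE_SA_INIT is rejected, read charon's log and
# add ike=/esp= lines matching what it offers. rightsourceip is an assumed pool.
write_segw_config() {
    host=$1; dest=$2
    cat > "$dest" <<EOF
config setup
    charondebug="ike 2, cfg 2, net 1"

conn femtocell
    keyexchange=ikev2
    left=%any
    leftid=$host
    leftcert=server_cert.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=pubkey
    rightsourceip=10.99.0.0/24
    auto=add
EOF
}

if [ "${SEGW_APPLY:-0}" = 1 ]; then
    host=${SEGW_HOST:?set SEGW_HOST to the hostname the femtocell expects}
    work=${SEGW_WORK:-${HOME:-/root}/segw-pki}
    make_segw_pki "$host" "$work"
    install_segw_pki "$work"
    write_segw_config "$host" /etc/ipsec.conf
    echo "copy $work/ca_cert.pem to the femtocell as /tmp/segw_ca.pem, then run: ipsec restart"
fi
```

After `ipsec restart`, `ipsec statusall` lists the femtocell connection and, once the femtocell initiates, the established IKE_SA; the charondebug level above is enough to see why an authentication or proposal fails.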
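The "on the femtocell" half of the procedure above, as an added example that is not code from the original page: the same steps, but the apps partition is located by name in /proc/mtd instead of hard-coding /dev/mtdblock10, the flash copy stays read-only, and `set -e` stops the script before it gets half-way through an unmounted /APP. It assumes busybox sh, awk, mount and date; that the watchdog kicker has already been copied to /tmp and started, and /tmp/segw_ca.pem has been scp'd in, as described above. The /proc/mtd table used in the test is constructed (it places "apps" at mtd10 to agree with the page); the environment variable names FEMTO_APPLY and FEMTO_DATE are this script's own.

```shell
#!/bin/sh
# Added example (not code from the original page): rebuild /APP in RAM with our
# own SeGW CA certificate, on the femtocell, as root. Without FEMTO_APPLY=1 the
# file only defines functions, so it can be sourced and the pieces run by hand.
set -eu

APP_MNT=/APP              # where the radio applications expect their files
FLASH_MNT=/tmp/APP        # read-only view of the original apps partition
CA_CERT=/tmp/segw_ca.pem  # CA certificate of our own SeGW, copied in with scp

# find_mtd_index <name> [mtd-table]: index of the partition called <name>.
# /proc/mtd lines look like:   mtd10: 01000000 00020000 "apps"
# (the header line has "name" without quotes, so it never matches).
find_mtd_index() {
    awk -v want="\"$1\"" \
        '$4 == want { sub(/^mtd/, "", $1); sub(/:$/, "", $1); print $1; exit }' \
        "${2:-/proc/mtd}"
}

# mtd_block_dev <name> [mtd-table]: block device for a partition, e.g.
# apps -> /dev/mtdblock10; fails instead of printing an empty device name.
mtd_block_dev() {
    idx=$(find_mtd_index "$@")
    [ -n "$idx" ] || { echo "no mtd partition named $1" >&2; return 1; }
    echo "/dev/mtdblock$idx"
}

# The processes that run from /APP (and starter, which takes charon with it).
# They must be gone before /APP can be unmounted.
stop_radio_stack() {
    for p in starter monitor monitor_start oam_start rnc_start; do
        killall "$p" 2>/dev/null || true
    done
}

# Replace /APP by a RAM copy whose cert/ holds only hnb.pem and our segw_ca.pem.
# The original partition is never written: it is mounted read-only at $FLASH_MNT.
overlay_app() {
    [ -f "$CA_CERT" ] || { echo "$CA_CERT missing, scp it first" >&2; return 1; }
    dev=$(mtd_block_dev apps)
    mkdir -p "$FLASH_MNT"
    umount "$APP_MNT"
    mount -o ro "$dev" "$FLASH_MNT"
    mount -t ramfs ramfs "$APP_MNT"
    cp -a "$FLASH_MNT"/. "$APP_MNT"/      # -a keeps modes, so binaries stay executable
    rm -rf "$APP_MNT/cert"
    mkdir "$APP_MNT/cert"
    cp "$FLASH_MNT/cert/hnb.pem" "$APP_MNT/cert/"
    cp "$CA_CERT" "$APP_MNT/cert/segw_ca.pem"
}

if [ "${FEMTO_APPLY:-0}" = 1 ]; then
    stop_radio_stack
    overlay_app
    # must fall inside the validity period of the certificates made on the SeGW host
    date -s "${FEMTO_DATE:-2017.07.25-15:00:00}"
    echo "/APP rebuilt from $(mtd_block_dev apps); follow the applications with: /sbin/logread -f"
fi
```

Nothing here survives a reboot: ramfs is gone and the flash partition is untouched, which is the point of working this way.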

You can see what is going on by reading the logs produced by these applications with /sbin/logread -f

Updated by tsaitgaist over 6 years ago · 1 revision