AT&T 3G MicroCell hacking?

[Image: microcell]

US wireless carriers have started selling femtocells to their customers. A femtocell is a device that essentially acts as a mini cellphone tower. It connects to the user's broadband connection, and the cellphone connects to it wirelessly just as it would to a regular tower. The call is trunked over the broadband connection and the customer gets a much better signal than they normally would. If the caller leaves the femtocell's range, the call is handed off seamlessly to a normal tower.

I was reading about AT&T’s MicroCell, which they’re testing in a couple markets, and saw this interesting note:

Due to broadcasting regulations, users will also be prevented from using the 3G MicroCell in areas where AT&T doesn’t officially do business. For example, it can’t be installed by users in Vermont or North Dakota or in other countries outside the US; this is enforced by GPS tracking in the device.

I hadn't considered this restriction, but GPS receivers are standard in every femtocell being sold. I became curious about hacking femtocells, since GPS receivers communicate in a fairly standard way: they usually send NMEA 0183 sentences over a serial connection. You'd just need to spoof that data to make the femtocell believe it's in an approved location even if you took it to Europe. At least one device designed to spoof NMEA already exists.

I began digging to see how the GPS is actually connected. I found the FCC ID MXF-3GFP980217 in a post on Howard Forums. The FCC application has several documents that you can't view because they're confidential: block diagram, parts list, schematics. The internal photos are unprotected though, one of which appears above.

There doesn't appear to be anything unusual. You can see the antenna and the related chip in the upper left corner. It's from the RoyalTek REB-1315LPX family, which isn't unusual. You can see a four pin header in that area too, which is probably a serial header carrying the NMEA data stream. It seems like it would be a matter of verifying that data and then replacing it with your own spoofed stream; then you can take your cell tower wherever you please.
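To make the "verify the stream, then replace the fix" idea concrete, here is an added example written for this page; it is not code from the post's author, and it is not anything pulled from a MicroCell. It assumes the header really carries plain ASCII NMEA 0183 with the standard XOR checksum (the post has not confirmed that), the sample sentences are constructed, and the target coordinates are made up for the demo. It checks each sentence's checksum, rewrites the latitude/longitude fields of the sentence types that carry a position (GGA, RMC, GLL), recomputes the checksum, and passes everything else through unchanged.

```python
"""Rewrite the position fields of NMEA 0183 sentences (added example).

Hypothetical: assumes the serial header emits ASCII NMEA with the usual
$...*hh framing.  Sample sentences below are constructed, not captured.
"""
import re
from typing import Iterable, List, Optional, Tuple

_SENTENCE_RE = re.compile(r"^\$([^*]*)\*([0-9A-Fa-f]{2})\s*$")

# Sentence type (talker prefix stripped) -> index of the latitude field.
# Hemisphere, longitude and its hemisphere follow in the next three fields.
POSITION_FIELD = {"GGA": 2, "RMC": 3, "GLL": 1}


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two uppercase hex digits."""
    cs = 0
    for ch in body.encode("ascii"):
        cs ^= ch
    return f"{cs:02X}"


def frame(body: str) -> str:
    """Wrap a sentence body in $...*hh framing with a fresh checksum."""
    return f"${body}*{nmea_checksum(body)}"


def checksum_ok(sentence: str) -> bool:
    """Step 1: confirm the stream is well-formed NMEA before trusting it."""
    m = _SENTENCE_RE.match(sentence)
    return bool(m) and nmea_checksum(m.group(1)) == m.group(2).upper()


def nmea_to_decimal(field: str, hemi: str) -> float:
    """'4807.038','N' -> 48.1173.  Longitude ('dddmm.mmmm') works the same way."""
    whole, _, frac = field.partition(".")
    deg = int(whole[:-2])
    minutes = float(whole[-2:] + "." + (frac or "0"))
    value = deg + minutes / 60.0
    return -value if hemi in ("S", "W") else value


def decimal_to_nmea(value: float, is_lat: bool) -> Tuple[str, str]:
    """48.1173 -> ('4807.0380','N'); longitude degrees are padded to 3 digits."""
    hemi = ("N" if value >= 0 else "S") if is_lat else ("E" if value >= 0 else "W")
    value = abs(value)
    deg = int(value)
    minutes = (value - deg) * 60.0
    return f"{deg:0{2 if is_lat else 3}d}{minutes:07.4f}", hemi


def _position_fields(sentence: str) -> Optional[Tuple[List[str], int]]:
    """Split a checksum-valid sentence and locate its position fields, if any."""
    m = _SENTENCE_RE.match(sentence)
    if not m or not checksum_ok(sentence):
        return None
    fields = m.group(1).split(",")
    idx = POSITION_FIELD.get(fields[0][-3:])
    # No position fields, or an empty latitude (receiver has no fix yet).
    if idx is None or len(fields) <= idx + 3 or fields[idx] == "":
        return None
    return fields, idx


def position_of(sentence: str) -> Optional[Tuple[float, float]]:
    """Decode (lat, lon) from a GGA/RMC/GLL sentence, or None."""
    found = _position_fields(sentence)
    if found is None:
        return None
    fields, i = found
    return (nmea_to_decimal(fields[i], fields[i + 1]),
            nmea_to_decimal(fields[i + 2], fields[i + 3]))


def respoof(sentence: str, lat: float, lon: float) -> str:
    """Step 2: swap in the target fix, leave every other field intact.

    Sentences that fail the checksum, carry no fix, or have no position
    fields (GSA, GSV, VTG, ...) are returned unchanged.
    """
    found = _position_fields(sentence)
    if found is None:
        return sentence
    fields, i = found
    fields[i], fields[i + 1] = decimal_to_nmea(lat, True)
    fields[i + 2], fields[i + 3] = decimal_to_nmea(lon, False)
    return frame(",".join(fields))


def spoof_stream(lines: Iterable[str], lat: float, lon: float) -> List[str]:
    """Apply respoof() to each line read from the receiver's serial port."""
    return [respoof(line.strip(), lat, lon) for line in lines]


# Constructed 1 Hz sample, roughly 48.1173 N 11.5167 E; checksums via frame().
SAMPLE_STREAM = [frame(b) for b in (
    "GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,",
    "GPGSA,A,3,04,05,,09,12,,,24,,,,,2.5,1.3,2.1",
    "GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W",
)]

if __name__ == "__main__":
    # Made-up target coordinates for the demo.
    for before, after in zip(SAMPLE_STREAM, spoof_stream(SAMPLE_STREAM, 32.7767, -96.7970)):
        print(before)
        print("  ->", after)
```

The checksum check doubles as the "verify the data" step: if what comes off the header does not pass it, the receiver is probably emitting a vendor binary protocol rather than NMEA and needs a different parser. Note also the point Nick raises in the comments below: whatever position this stream reports is the same one the device will hand to E-911.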

I don't really like the idea of femtocells. They're carrier specific, but worst of all there seems to be technology that's even easier to work with, namely UMA. UMA is a feature of some T-Mobile phones. It lets you make calls over wifi and will hand off to a cellphone tower if you walk out of range. Yes, it relies on the handset having UMA-specific hardware, but it needs nothing beyond a wifi connection, any wifi connection, rather than a carrier-specific device.

If you’re interested in UMA, the BlackBerry 9700 has recently been released. It’s the first 3G T-Mobile device that has UMA.

The only other interesting thing I noticed on the MicroCell was a Xilinx Spartan-3A on the board. It's not the main processor and is presumably being used as either a DSP or a crypto device.

5 Responses to “AT&T 3G MicroCell hacking?”

  1. Chris says:

    Did you find a way to hack the 3G MicroCell GPS to spoof your location? I'd love to know more about the possibility of this too. AT&T forced me down this path, by failing to provide any bars within my home in one of the biggest cities of the world!

  2. Jeremy Cushing says:

    Is there anyone out there who has been looking at this hardware in depth? Possibly logging in to the device itself? I can ssh into it.

  3. Stephen says:

    I’m surprised I haven’t seen too much of these devices on hacking forums…

    I think it will be sweet when we are able to SSH into the box, hack it up, and create our own cell network in our house that pipes over SIP to our Asterisk server…

    If anyone has any information on any work being done, please post!

  4. Daniel M says:

    I really like your idea of spoofing the GPS signal! Did you ever get it to work???
    Also does anyone know if it uses standard SIP for the voice transport?

  5. Nick says:

    @Daniel, he’s not suggesting spoofing the actual GPS signal, he’s suggesting spoofing the serial representation of what the GPS chip on the board is reporting as the device’s location.

    When AT&T bricked my microcell after a week (http://nsayer.blogspot.com/2009/12/3g-microcell-fun-while-it-lasted.html), I contemplated a similar course. The problem with this idea, however, is that not only is the GPS location used to ensure that the device is in a correctly licensed area, it's also used for E-911 location information. If I dial 911 on my phone, I don't want to get a response from the San Diego fire department.
