Update: Great post on the software side of AT&T’s MicroCells
US wireless carriers have started selling femtocells to their customers. A femtocell is a device that essentially acts as a mini cellphone tower. It connects to the user’s broadband connection and their cellphone connects wirelessly just like it would to a regular tower. The call is trunked over the broadband connection and the customer gets a much better signal than they normally would. If the caller leaves range of the femtocell, it will be handed off seamlessly to a normal tower.
I was reading about AT&T’s MicroCell, which they’re testing in a couple markets, and saw this interesting note:
Due to broadcasting regulations, users will also be prevented from using the 3G MicroCell in areas where AT&T doesn’t officially do business. For example, it can’t be installed by users in Vermont or North Dakota or in other countries outside the US; this is enforced by GPS tracking in the device.
I hadn’t considered this restriction, but GPS receivers are standard in every femtocell being sold. I became curious about hacking femtocells, since GPS receivers are fairly standardized in how they communicate: they usually send NMEA sentences over a serial connection. You’d just need to spoof that data to make the femtocell believe it’s in a proper location even if you took it to Europe. At least one device designed to spoof NMEA already exists.
I began digging to see how the GPS is actually connected. I found the FCC ID MXF-3GFP980217 in a post on Howard Forums. The FCC application has several documents that you can’t view because they’re confidential: block diagram, parts list, schematics. The internal photos are unprotected though, one of which appears above.
There doesn’t appear to be anything unusual. You can see the antenna and the related chip in the upper left corner. It’s from the RoyalTek REB-1315LPX family, which is nothing out of the ordinary. You can see a four pin header in that area too, which is probably a serial header carrying the NMEA data stream. It seems like it would be a matter of verifying the data, then replacing it with your own spoofer, and then you can take your cell tower wherever you please.
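As an added example (not code from the original post or from the device's maker), here is the receiving side of the NMEA stream described above: a parser for GGA fix sentences that checks the sentence checksum and basic fix quality. This is about as much as a location-bound device can do with the serial stream alone, because the NMEA checksum is a plain XOR integrity check and says nothing about where the bytes came from. The sample sentences are constructed, not captured from a MicroCell.

```python
import re

def nmea_checksum(body: str) -> int:
    """XOR of every character between '$' and '*'. Integrity only, not authentication."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs

def build_sentence(body: str) -> str:
    """Frame a body as '$<body>*<hex checksum>' (used here to construct samples)."""
    return f"${body}*{nmea_checksum(body):02X}"

def verify_sentence(sentence: str) -> str:
    """Return the body of a well-framed sentence whose checksum matches, else raise."""
    m = re.fullmatch(r"\$([^*$]+)\*([0-9A-Fa-f]{2})", sentence.strip())
    if not m:
        raise ValueError("malformed sentence")
    body, cs = m.group(1), int(m.group(2), 16)
    if nmea_checksum(body) != cs:
        raise ValueError("checksum mismatch")
    return body

def _to_degrees(value: str, hemi: str) -> float:
    """Convert NMEA ddmm.mmmm / dddmm.mmmm plus hemisphere to signed decimal degrees."""
    whole, frac = value.split(".")
    d = int(whole[:-2]) + float(whole[-2:] + "." + frac) / 60.0
    return -d if hemi in ("S", "W") else d

def parse_gga(sentence: str) -> dict:
    """Parse a GGA sentence (any talker, e.g. GPGGA) into a fix dict."""
    f = verify_sentence(sentence).split(",")
    if f[0][2:] != "GGA" or len(f) < 10:
        raise ValueError("not a GGA sentence")
    return {"time": f[1], "lat": _to_degrees(f[2], f[3]), "lon": _to_degrees(f[4], f[5]),
            "fix": int(f[6] or 0), "sats": int(f[7] or 0), "hdop": float(f[8] or 99)}

def fix_is_plausible(fix: dict) -> bool:
    """Minimum sanity: a real fix, enough satellites for a 3D solution, sane HDOP."""
    return fix["fix"] >= 1 and fix["sats"] >= 4 and fix["hdop"] <= 5.0

def accept_fix(sentence: str):
    """Return the parsed fix if the sentence is intact and plausible, otherwise None."""
    try:
        fix = parse_gga(sentence)
    except ValueError:
        return None
    return fix if fix_is_plausible(fix) else None

# Constructed samples: a valid fix near Munich, the same bytes with the hemisphere
# flipped but the stale checksum left in place, and a sentence reporting no fix.
GOOD = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47"
TAMPERED = "$GPGGA,123519,4807.038,N,01131.000,W,1,08,0.9,545.4,M,46.9,M,,*47"
NOFIX = build_sentence("GPGGA,123519,4807.038,N,01131.000,E,0,03,9.5,545.4,M,46.9,M,,")
```

A spoofer that recomputes the checksum passes every check here, which is why the only real mitigation is cross-checking the reported position against something the serial stream cannot forge, such as the carrier network or the broadband uplink.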
I don’t really like the idea of femtocells. They’re carrier specific, but worst of all there seems to be technology that’s even easier to work with, namely: UMA. UMA is a feature of some T-Mobile phones. It lets you make calls over wifi and will hand off to a cellphone tower if you walk out of range. Yes, it relies on the handset to have UMA specific hardware, but it doesn’t require anything other than a wifi connection, any connection, not a specific device.
If you’re interested in UMA, the BlackBerry 9700 has recently been released. It’s the first 3G T-Mobile device that has UMA.
The only other interesting thing I noticed on the MicroCell was a Xilinx Spartan-3A on the board. It’s not the main processor and is presumably being used as either a DSP or a crypto device.