AT&T 3G MicroCell hacking?


Update: Great post on the software side of AT&T’s MicroCells

US wireless carriers have started selling femtocells to their customers. A femtocell is a device that essentially acts as a mini cellphone tower. It connects to the user’s broadband connection and their cellphone connects wirelessly just like it would to a regular tower. The call is trunked over the broadband connection and the customer gets a much better signal than they normally would. If the caller leaves range of the femtocell, it will be handed off seamlessly to a normal tower.

I was reading about AT&T’s MicroCell, which they’re testing in a couple markets, and saw this interesting note:

Due to broadcasting regulations, users will also be prevented from using the 3G MicroCell in areas where AT&T doesn’t officially do business. For example, it can’t be installed by users in Vermont or North Dakota or in other countries outside the US; this is enforced by GPS tracking in the device.

I hadn’t considered this restriction, but GPS receivers are standard in every femtocell being sold. I became curious about hacking femtocells since GPS devices are pretty much standardized as far as how they communicate. They’re usually sending NMEA messages over a serial connection. You’d just need to spoof that data to make the femtocell believe it’s in a proper location even if you took it to Europe. At least one device designed to spoof NMEA already exists.

I began digging to see how the GPS is actually connected. I found the FCC ID MXF-3GFP980217 in a post on Howard Forums. The FCC application has several documents that you can’t view because they’re confidential: block diagram, parts list, schematics. The internal photos are unprotected though; one of them appears above.

There doesn’t appear to be anything unusual. You can see the antenna and the related chip in the upper left corner. It’s from the RoyalTek REB-1315LPX family, which isn’t unusual. You can also see a four-pin header in that area, which is probably a serial header carrying the NMEA data stream. It seems like it would be a matter of verifying the data and then replacing it with your own spoofer; then you could take your cell tower wherever you please.
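As an added example (not code from this post, AT&T or Cisco), here is the kind of sanity checking a femtocell could apply to its NMEA stream before trusting a reported position: the sentence checksum, the fix-quality field, a licensed-area geofence, and a plausibility check against a macro tower the device can overhear. The two sample sentences, the licensed bounding box and the tower position are constructed placeholders, not real AT&T data.

```python
import re
from functools import reduce
from math import radians, sin, cos, asin, sqrt

# Constructed sample $GPGGA sentences (not captured from a real MicroCell).
GGA_DALLAS = "$GPGGA,123519,3246.800,N,09648.000,W,1,08,0.9,545.4,M,46.9,M,,*5F"
GGA_MUNICH = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47"
LICENSED_BOX = (25.0, 37.0, -107.0, -93.0)  # placeholder (lat_min, lat_max, lon_min, lon_max), not AT&T's footprint
NEIGHBOR_TOWER = (32.80, -96.79)            # placeholder position of a macro tower the device overhears
MAX_TOWER_KM = 35.0                         # a femtocell should be near any tower it can hear

def checksum_ok(sentence):
    """NMEA checksum: XOR of every byte between '$' and '*', sent as two hex digits."""
    m = re.fullmatch(r"\$([^*]*)\*([0-9A-Fa-f]{2})", sentence.strip())
    return bool(m) and reduce(lambda a, b: a ^ b, map(ord, m.group(1)), 0) == int(m.group(2), 16)

def parse_gga(sentence):
    """Return (lat, lon, fix_quality) from a $GPGGA sentence, or None if unusable."""
    if not checksum_ok(sentence):
        return None
    f = sentence[1:sentence.index("*")].split(",")
    if f[0] != "GPGGA" or not f[2] or not f[4]:
        return None
    lat = int(f[2][:2]) + float(f[2][2:]) / 60.0  # ddmm.mmm -> decimal degrees
    lon = int(f[4][:3]) + float(f[4][3:]) / 60.0  # dddmm.mmm -> decimal degrees
    return (-lat if f[3] == "S" else lat), (-lon if f[5] == "W" else lon), int(f[6])

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def evaluate_fix(sentence):
    """'ok' only if the fix parses, is inside the licensed box and agrees with the overheard tower."""
    fix = parse_gga(sentence)
    if fix is None:
        return "reject: bad sentence or checksum"
    lat, lon, quality = fix
    if quality == 0:
        return "reject: no fix"
    lat_min, lat_max, lon_min, lon_max = LICENSED_BOX
    if not (lat_min <= lat <= lat_max and lon_min <= lon <= lon_max):
        return "reject: outside licensed area"
    if km_between((lat, lon), NEIGHBOR_TOWER) > MAX_TOWER_KM:
        return "reject: inconsistent with neighboring tower"
    return "ok"
```

The checksum only catches corruption, not substitution; the geofence and the tower cross-check are what actually bind the device to a place, which is why a later comment notes that spoofing the serial stream alone is unlikely to be enough.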

I don’t really like the idea of femtocells. They’re carrier specific, but worst of all there seems to be a technology that’s even easier to work with, namely UMA. UMA is a feature of some T-Mobile phones. It lets you make calls over wifi and will hand off to a cellphone tower if you walk out of range. Yes, it relies on the handset having UMA-specific hardware, but it doesn’t require anything other than a wifi connection, any connection, not a specific device.

If you’re interested in UMA, the BlackBerry 9700 has recently been released. It’s the first 3G T-Mobile device that has UMA.

The only other interesting thing I noticed on the MicroCell was a Xilinx Spartan-3A on the board. It’s not the main processor and is presumably being used as either a DSP or a crypto device.

38 Responses to “AT&T 3G MicroCell hacking?”

  1. Chris says:

    Did you find a way to hack the 3G MicroCell GPS to spoof your location? I’d love to know more about the possibility of this too. AT&T forced me down this path by failing to provide any bars within my home in one of the biggest cities of the world!

  2. Is there anyone out there who has been looking at this hardware in depth? Possibly logging in to the device itself? I can ssh into it.

    Jeremy Cushing

  3. Stephen says:

    I’m surprised I haven’t seen too much of these devices on hacking forums…

    I think it will be sweet when we are able to SSH into the box, hack it up, and create our own cell network in our house that pipes over SIP to our Asterisk server…

    If anyone has any information on any work being done, please post!

  4. Daniel M says:

    I really like your idea of spoofing the GPS signal! Did you ever get it to work???
    Also does anyone know if it uses standard SIP for the voice transport?

  5. Nick says:

    @Daniel, he’s not suggesting spoofing the actual GPS signal, he’s suggesting spoofing the serial representation of what the GPS chip on the board is reporting as the device’s location.

    When AT&T bricked my microcell after a week (http://nsayer.blogspot.com/2009/12/3g-microcell-fun-while-it-lasted.html), I contemplated a similar course. The problem with this idea, however, is that not only is the GPS location used to insure that the device is in a correctly licensed area, it’s also used for E-911 location information. If I dial 911 on my phone, I don’t want to get a response from the San Diego fire department.

  6. I didn’t realize the GPS was used for E-911. This is not a documented feature at all.

    Has anyone found any interesting entry points on this device?

    Jeremy Cushing

  7. anon says:

    The device uses more than just the GPS to determine location. It also listens to neighboring GSM cell towers. Spoofing GPS won’t make it activate outside of its expected location.

  8. James says:

    Are you sure? Has anyone tried spoofing the GPS signal as discussed above? Would see a whole host of potential if this was the only location check being used.

  9. Andy says:

    Can anyone out there help me? I just bought an AT&T MicroCell and lost the AC adapter. Both AT&T and Cisco can’t seem to help find a replacement. Does anyone know where I can get one? Thanks!

  10. brian says:

    So what if I buy this in an allowed area in which I need it, then move to an area in which it is not allowed? Is there a buy-back program? Or am I stuck with this lame piece of equipment I bought for almost $200 bones?

  11. DEVS says:

    Are you guys sure that it uses more than the GPS data for location?

  12. Nick says:

    @Andy – just about any 12VDC @ 1A power adapter will work with the microcell, so long as the connector physically fits.

    FWIW, I use the supplied adapter with a pair of PoE wiring adapters to remotely power my microcell from a UPS in the garage. Works just fine.

    @brian – Yes, if you move to an area where AT&T doesn’t have a license for microcell service, it will emulate a doorstop.

    @DEVS – no, we’re not. One thing that has been discovered, however, is that apparently there is a physical “tamper” switch in the microcell that will brick the device if you open it up.

  13. drbroom says:

    The real problem with the device is the requirement that it HAS to be by a window. The best location for the unit I have is on my rack. It is in the center of my home; the closest window is 11 feet away (AT&T requires no more than 3).

    I want to spoof the location now to cheat, but so I don’t have to keep moving it to the window and then back again to get the damn thing to work!!!

    Have you discovered a way yet?

  14. maximus thaler says:

    Does anyone know anything about making the ATT microcell network work on other phone carriers? T-mobile? Verizon?

    I’d love to be able to hook up my 3G T-Mobile Android phone to the microcell tower I just installed….

  15. justin says:

    It only initially must reside near a window so it can send your GPS location to the 911 service. Then you can move the microcell anywhere in your home as long as it’s still wired to your router.

  16. L Hemy says:

    When trying to add a 3G microcell tower in my daughter’s college dorm we ran into a problem. All devices going through their network need a user name and password, and the microcell cannot apparently communicate this.
    We tried talking with the college “geek squad” but they had no clue as to what we could do.
    Any ideas?

  17. DB says:

    I have a GSM backup for my alarm system. Anyone thought of a way to add that as a user on the microcell? The security company says there is a “phone” number associated with my alarm, only a MAC address.

    Any thoughts??

  18. DB says:

    That should be there is NO “phone” number …

  19. RA says:

    DB, the microcell needs to have a phone number associated with an IMSI; this IMSI number is entered in AT&T’s core network database. Because this is a closed-loop system, the microcell only accepts registered phone numbers, and they have to be issued by AT&T. It would work if your alarm GSM system uses a SIM card; this way you might be able to program it to dial your number instead of 911 or the security company.

  20. Stu says:

    Does it require a GPS fix at regular intervals? Can it be seeded with GPS coordinates and moved to a second location and operate? If it requires regular GPS feedings, that would mess up my plan…

    Thanks!

  21. J says:

    L.Hemy:

    You asked how to make the thing work through a network that requires a username and password to connect. The easiest way to ‘fix’ this is to spoof the MAC address on your computer (this is the hardware address and has nothing to do with Apple computers…) to be identical to that of the microcell (or a router that the microcell is connected to). You then authenticate with the username/password, set the MAC address back to normal on the computer and put the microcell/router in place (on the network) of the computer. The question is how long the authentication is good for, since this is not a practical solution if you need to re-authenticate every, say, 24 hours. In that case you can find a script to run on a modified router, such as the WRT54G(L), that will do the authentication for you.

    Your ‘geek squad’ should be able to work with this.

    J

  22. unspecified says:

    It sounds to me like spoofing the GPS signal can’t work for long if the spoofed location gets cross-checked against neighboring GSM cell tower locations. Firmware modifications that skip the checking altogether might be the way to go. Unless a user downloadable firmware update is or becomes available to reverse compile, someone inside Cisco would probably need to help out.

  23. barbara says:

    I’m having the same problem as Andy had, and have tried 3 different 12VDC 1A adapters but have not been successful. Would someone post the part number on the AT&T AC power adapter, or equivalent? Much appreciated.

  24. Alba says:

    It would be great if you folks can uncover what is repeatedly happening across the country in different regions with microcell outages. Mine has been down for 3 solid days, and I’ve seen many forum posts stating outages in different regions over the last year, but nobody has posted the resolution to the problem. They obviously have a problem connecting to the AT&T network. All top 3 lights are solid on. The 3G light goes from solid to blinking after working with changes to the setup. POR, reset button, direct connect to modem all do not work. There’s obviously more than a hardware element down and not working. Cell towers, GPS, and phone signal over the internet all in sync seems to be more impossible to manage than AT&T expected.

  25. Alba says:

    …with no changes…

  26. T-Robert says:

    I’m interested if anyone has figured out this “hack” too. I travel frequently to P.V. in Mexico and like to be able to use my Microcell and iPhones there. In the meantime, I’ll help by providing the Power Supply adapter from my 3G Microcell (model: DPH151-AT).
    ————————————
    Linear-Switching Power Supply
    Model: 3A-153WU12
    Input: 100-120V, 50-60Hz, 0.4A
    Output: 12V, 1.25A
    ————————————

    I did a little more research on the database dot UL dot com site and found that this model number is registered to the following Chinese manufacturer:

    ENG ELECTRIC CO LTD E163743
    5TH FL
    536 MIN SHENG N RD, SEC 1
    KWEISHAN HSIANG
    TAOYUAN HSIEN, 333 TAIWAN

    Their website is: www dot engelectric dot com

  27. Mike says:

    L Hemy – If you want to get nerdy, you could set up another NIC on your daughter’s PC that you can set up for connection sharing. Essentially you would be using your daughter’s PC as a NATed router, which has the added benefit of handling the authentication.

  28. Dawn says:

    I purchased this Microcell at an estate sale. In order to use it, I need to type the serial number into AT&T’s website to register the device so I can configure it. Their website won’t let me register the device because it’s “already registered”. I spent an hour on the phone with AT&T, and talked to their “tier 2” techs, but they couldn’t (or wouldn’t) help me. They said that unless the previous user called them on the phone, there is nothing they could do. They also would not give me any information as to the name, phone, or email of the prior registered user (understandably, for security reasons). I tried to get them to call the prior user themselves, but they wouldn’t do that either.
    Anybody know if there’s a way around this?

  29. Jim Q says:

    L Hemy
    I would look for an open public WiFi that you can connect to the microcell without continually logging in.

    The AT&T Microcell will apparently “remember” a GPS lock for a while. I am 200 feet from a window in my first floor office, and I come in at night periodically to capture a new GPS signal. The first time I did this the Microcell remained active for 2-3 months. Alas, the last time, only 3 days! It seems to reset periodically, especially after a power cycle following a software update. I keep mine on a UPS, and have to haul the UPS outside with it when I need to recapture, since the device needs both power and an internet connection to lock the GPS. I’m trying to get my business to allow me to pay for pulling a cable with a remote antenna, which should allow a permanent fix.

  30. Michael says:

    Just installed one and noticed that I needed to open port 443/TCP. Looks like it does respond to SSH connections, anyone know the username/password? (I’m not familiar with Cisco wireless devices.)

  31. Tyguy7 says:

    I wonder if you can reverse it in order to turn it into a 3G mobile router for your laptop…

  32. Shovenose says:

    Hello everybody! I got a used MicroCell however I have the same problem as “Dawn” above. Any ideas to get it unregistered from the previous people?
    Thanks!
    PS: I urgently need this device, because AT&T has NO SERVICE in my area but I’m stuck on using AT&T because I don’t want to replace my phone, I’ve got a 2 year contract, and I’m on somebody else’s family plan so I don’t have to pay as much.

    Thank you!

  33. Robert says:

    Do you know where the jumpers go? I opened mine up because it stopped working and all the jumpers fell out.

  34. ratsandwich says:

    @robert

    Microcell Tamper Switch Jumper Positions:

    The current voodoo on this is here: http://i.imgur.com/S7vhi.jpg
    and here: http://i.imgur.com/9LArj.jpg

    DL pics. Notice the two little nipples on the real jumpers and the lack of any surface features on the others. Solder the nippy ones together and snip the others.
    J16=top one real, bottom two fake
    j15=top two real, bottom one fake

    The idiots= what is top?

    Top is where the letters are not upside down. That way you can read J15, J16 right side up.

  35. Nelson says:

    You should look at this! Your wishes granted.

    http://fail0verflow.com/blog/2012/microcell-fail.html

  36. cmdred says:

    Any way to convert an ATT microcell to VERIZON?

    Just switched but still need a microcell. Would be great if I could reconfigure the AT&T one to Verizon. I’m guessing it’s tuned to AT&T but… does anyone know for sure?

    thanks!!

  37. MicrocellMadness says:

    Has anyone found a solution to problems listed above when a Microcell is registered to another owner that can’t be contacted?
    Have a perfectly good unit that I can’t use.
    So frustrating.

    Any help is appreciated.

  38. Matt says:

    What about a case where the microcell is in a licensed area but simply cannot reliably establish a GPS signal – would be great to be able to spoof the GPS data for the correct location so that it would do the job it is meant to do in a location where it is perfectly allowed to do so.
