Product Description
Flashing
System
Tools/Download
Presentation Material
Contact
News
Related Projects/Information
Impress

This wiki is about the SFR Home 3G femtocell.

The purpose of this wiki is to allow others to verify our research, enable more security testing, and provide tools for further research in the 3G/UMTS field. It would also be great to be able to use this device for your own telecommunication network, similar to OpenBSC, even though this is unlikely to happen for various reasons.

All the findings only cover the first SFR femtocell (as depicted on the right), which uses the G2 board from Ubiquisys.

Product Description

vendor: Ubiquisys
model: ZoneGate
operator: SFR
the hardware
LEDs pattern description

Numerous GPL software is used. The operator fails to mention it on the product or provide the source, but the vendor was kind enough to hint us to their repository.

Flashing

the recovery procedure is abused to flash the device
another way to flash, is to use the webupdate once you installed your own pubkey
important information: encryption and signature
additional information: partitions, boot process

System

Networking

all about ipsec

Software

binaries running on the device
acquiring debug information
build environment using scratchbox

Configuration

using the database for configuration
using the web interface and the html pages provided by Ubiquisys

Tools/Download

short description and download of our tools

Presentation Material

Contact

If you would like to send us bug reports, comments, questions, please contact us at via email.

The same is valid if you want to contribute to this wiki and need an account.

News

To flash the device we used the fact that the recovery rootfs (V2.1.1-DLG1_DLG1,2009-04-08 15:56:18) does not verify the recovery cert cert. This is not possible anymore though because the new recovery rootfs (V2.6.12.2,2011-07-20 14:49:28) does verify the certificate (using an included CA). In order to flash, you will have to provide the old recovery rootfs.
The remote root uses a stack buffer overflow in wsal from ubiqfs V2.0.23.1. This has been fixed with ubiqfs V2.0.24.1 as the code is not reachable any more (PUT request is prohibited).
Apparently the new recovery rootfs (V2.6.12.2,2011-07-20 14:49:28) or image locks the flash to prevent changing the main public key. This has not been verified yet.

Related Projects/Information

general: list
SFR:
- new ADSL box with new femtocell module. box, femto
Ubiquisys:
- picoChip:
  - USB femtocell dongle: press,attocell
vodafone UK
- THC vodafone femtocell: homepage
- source code: project
samsung scs26uc4: picture, source code, hack, stop autoboot
AT&T microcell: fail0verflow

Impress