Skip to content
August 22, 2010 / teknolog

Dissecting the Vodafone SureSignal Femtocell

This is the Vodafone SureSignal Femtocell. It is made by Sagem.

The device looks a lot like a WiFi router.

There are four activity LEDs: power, internet, phone and… check mark?.

On the back we find power and Ethernet ports, and a reset button.

Let’s remove the two screws and open the hatch.

Another screw holds the circuit board.

Closeup of the board.

Backside of the board.

That’s it! No magic, just a set of chips and capacitors, and a white thing which is probably the RF transceiver. It’s amazing how small a GSM base station can be these days.

Setting up the femtocell is trivial. I just plugged it into an Ethernet port on my router, and registered the device ID on the Vodafone website.

The femtocell runs quite warm even in standby, so much that I had to move it away from my router because it was overheathing.

All in all, I’m happy with the device. I now have perfect signal in my apartment, where before I had almost none.



Leave a Comment
  1. Andrew Back / Aug 22 2010 12:10 pm

    Thank you for letting us see inside one of these things!

    I’m not so surprised that there isn’t much to see – I gather than companies like picoChip have done a lot of integration, thus making such things possible at that size and price etc. Also, whilst it’s small it’s probably not doing that much more than a mobile phone does (which admittedly is pretty impressive once you look into the details).

    With regards the heat, by standby do you mean no calls or switched to standby? If the former it may be that it’s operating akin to a mobile on a constant call, in having to advertise the network and constantly operate control channels etc. It’s some time since I looked at GSM specs but ISTR that, as you would imagine, stuff is optimised such that the mobile is able to sleep and the base station constantly babbles away. If I’m not talking rubbish and this is to some extent true the higher TX duty cycle would perhaps help to explain the heat.

    I must admit that I’d like one myself, despite having absolutely no use for one.

  2. Sebastian Brannstrom (teknolog) / Aug 22 2010 1:00 pm

    Thanks for your comment.

    I would assume it does just what a phone does, but then takes the GSM data packages and wraps them in UDP (most likely) and sends them off to the network.

    By standby I meant no calls, just broadcasting network availability (for lack of a proper term). The power supply outputs 12V at max 1.5 A. Touching the device plastic shell I’d say it’s about 40 C warm.

    What seems a bit of a waste is that you have to register IMEIs with the femtocell. I, for one, wouldn’t mind sharing the love in this regard.

    • Andrew Back / Aug 22 2010 4:12 pm

      I’m almost certain it won’t just take whatever goes over the air interface (“Um” [1] in GSM parlance) and encapsulate this and forward it over IP. I suspect that the thing will act as a tiny base station transceiver (BTS) that appears on Vodafone’s network pretty much like any other base station, only using IP for backhaul instead of SDH links.

      That said, GSM is dependent upon high accuracy timing and even NTP isn’t up to par when it comes to providing this across network components, so I’m not sure how it would do this. Do calls seamlessly handover to a main mast when you wander into/out of range? If they’re dropped that might be a clue.

      With regards sharing the issue could be security. I cannot recall where the network endpoint is for encryption (A5). If it’s the BTS open access might imply reduced security for customers who make calls via third party femtocells. Although I imagine they could re-encrypt using notably stronger ciphers (e.g. AES) on the IP side, and then it would be a matter of ensuring that the device can’t be hacked to expose a plaintext stream.

      I’d love to get to speak with someone who actually knew how these worked. There are most likely a lot of clues in the OpenBSC project [2], which I’ll have to pay more attention to…


      • Sebastian Brannstrom (teknolog) / Aug 23 2010 9:13 am

        You clearly know a lot about this. The timing issue is interesting, but that’s assuming the thing actually does GSM at all. Maybe it’s only UMTS, which AFAIK does not have a TDMA component, and hence should not be as dependent on timing.

        I would love a presentation about this, and/or about OpenBSC.

  3. Rene Heuven / Aug 22 2010 4:45 pm


    that’s interesting. Does it also work with non-Vodafone subscriptions? That is if I have a T-Mobile SIM card in my phone, but the phone is registered (through IMEI) with the Femto cell, would that work?

    Also you can now write and test some interesting Symbian apps as your phone can know whether it is “at home” or “away”. Would it be possible to measure the signal strength using your PC and locate the phone “indoor”? In case you left it under the couch or so? Or send a welcome SMS when you come “at home”?

    Would also be interesting to see if it is possible to capture the UDP traffic using WireShark and see if it can be “replayed” … what is the destination address of these packages? Is the UDP package just a wrapper for each GSM package?

    Maybe I have a look if such Femtocells can also be purchased in the Netherlands … would also be cool if you can re-route your calls in-house to let’s say Skype without the need to install any software on your mobile phone … how cool would that be … and it would work with any phone – not only smartphones …



    • Sebastian Brannstrom (teknolog) / Aug 27 2010 12:35 pm

      That’s a good question. I don’t know if it would accept a non-Vodafone IMEI.

      I’m sure the femtocell would be capable of all the things you suggest, were it not locked down. Imagine a OpenWRT like project to make use of one of these (is that what OpenBSC intends to be?)

      Using WireShark is another great idea, to figure out just what it sends back.

  4. Andrew Back / Aug 27 2010 1:37 pm

    I’d be amazed if they don’t use an encrypted bootloader to prevent customers re-flashing them – GSM is apparently fragile and I’m led to believe that a poor implementation could bring a cell down, and preventing re-flashing is relatively easy.

    OpenBSC runs on a (PC) host anyway and it should just be a matter of adding support for this femtocell hardware. That said, the moment it’s not a managed device and you operate it with your own usable configuration you’re playing at being a mobile network and you need your own GSM licence. If you don’t have one of these you can be sure that Ofcom will come down very heavy on you, and pretty fast if you come to the attention of a licensed operator. Simple misconfiguration and you could inadvertently launch a DoS attack on neighbouring cellphone users.

    I’d be interested in knowing what they send back over the wire, but you can be certain it’s going to be wrapped up in encryption. It would be nothing short of madness were this not the case.

  5. Ras Bruno / May 8 2012 1:52 am was cracked big time…

    • teknolog / May 9 2012 2:29 am

      Wow, that is pretty crazy! And cool!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: