June 27, 2017

The DPH153-AT Femtocell

A friend gave me one of these. Probably because it is the 3G model and he upgraded to 4G. The markings say "Cisco, made in China, ATT, 3G MicroCell". It has a place for an antenna (for the GPS receiver, believe it or not), two RJ-45 jacks, a reset button in a hole, and a place for a 12 volt wall wart to supply power to it.

Mine is a newer version, labelled on the PCB as W3GFP-103-GL-V01. I found information online (before tearing mine open) about one that is apparently an older version, labelled W3GFP-100-V06 on the PCB.

The concept is that a femtocell is a mini cell tower. If you have bad cell reception, and a decent internet connection, this routes your phone traffic onto your internet link. This also takes traffic off of the cell tower, which ought to be a benefit for the cell company. Another benefit is that you pay directly for the femtocell. It is surprising these things are not promoted more widely.

There was a famous vulnerability involving something called "the wizard", which ought not to have been shipped to the public with its wide open configuration. Apparently the root password for the Vodafone was "newsys".

GPS inside

This is getting ahead of ourselves, but this unit has a GPS chip inside (of all things) and as I ponder things I might want to do with this object, the GPS has captured my attention, and I have developed a set of notes about just that.

The GPS module is "provided" to ensure that this device is not (and cannot be) used in areas where some legal policy prohibits it. The legal policy seems to be that you cannot use it in areas where ATT does not provide normal cell service. This seems like swatting a fly with a sledgehammer, but I guess the GPS chip must be cheap enough and the legal issues are important enough. And what does ATT care, you are the one that pays for the GPS hardware. The anti-tampering scheme ensures that the average Joe is not going to open the unit up and find some way to spoof the NMEA data from the GPS receiver (I guess). Not that the average Joe is ever going to pull that off, but it kept somebody happy.

Power (wall wart)

This requires a 12 volt DC "wart", with the usual center positive. I am using a high quality 1.2 Amp wart and it seems to be working fine.

Inside the unit are regulators for 4 separate power supply voltages. Holding the PCB with the 12 volt coaxial connector near your belly, the voltage sections are 1.2, 4.0, 3.3, and 1.5 volts. The GPS unit seems to run on 3.3 volts.

Anti-tampering

The bottom line here is that I get really lucky. So, I decided to open my unit up. I have read the online descriptions of the anti-tampering jumpers. The word is that when you open the unit up, it pulls the jumpers off the unit, and if you don't replace them exactly as they were, the unit will brick itself on the next power up.

I use a dremel tool to cut through the case. There are doubtlessly other ways to do it, but I actually never want to use this unit as a femtocell again, so I could really care less about the case. I end up pulling the backside off first and two jumpers rattle to the bottom of the case. I figure I am doomed, but it turns out these are "duds" -- just plastic placebos with no shorting strip inside. So they may as well not be present and no harm has been done. It turns out there are jumpers on the other side also. Three of them. And all three have shorting strips inside. So there is no mystery at all now. I replace these three jumpers where they came from on the front side of the board (there are only three places), and power up the PCB outside of the case -- everything is good!

Just for the record, the right way to do it is to pull the label off the bottom, which reveals a couple of screws, then figure out what to do about those jumpers before pulling the sides of the case off. You may not need a dremel if you are clever.

LEDs

With the PCB outside of the case, these are somewhat mysterious, but here is how they go from what would have been the top of the unit to the bottom. D2 is red at first, but turns green after a few seconds. After a bit more time, LED17 starts blinking. Pretty soon all the LEDs are blinking (except D2, which stays solid green). After a while LED14 (the GPS indicator) goes solid. All the other LEDs continue blinking in an odd pattern.

Notes on the hardware in my unit

Mine is a newer version, labelled on the PCB as W3GFP-103-GL-V01.

Date codes on the chips indicate that it was manufactured in 2012.

Compared to the older version, I see two main differences. One is that the GPS is no longer handled by a RoyalTek REB-1315 module, but the SiRF GSC3f/LPx chip is soldered directly on the main board, which probably cuts out the middle man and saves money. (The REB-1315 had a SiRF GSC3f/LPx inside anyway.) Also the new version has a PicoChip PC312 unit in lieu of the PicoChip PC202 and Xilinx SC3S400A FPGA on the old unit. In other words the newer PC312 let them get away without the FPGA. And on top of that, the PC312 does not require a heat sink.

The PC312 seems to be the star of the show -- it is described as a dedicated Femtocell SoC with an ARM11 core inside. They give it a 512 Mbit flash (the "Spansion" chip) along with 256 megabytes of SDRAM via the two Samsung chips. This chip is probably what runs the Linux kernel, allegedly 2.6.24 in some of the units.

There is another SoC, the RaLink RT2150F, that apparently handles the WiFi. It may have a 360 MHz MIPS processor inside. It gets its own flash and SDRAM chips. There are two SoCs, one by RaLink (the RT2010F), which presumably handles WiFi and may have a 360 MHz MIPS processor inside.

Some of the chips:

GPS - SiRF GSC3f/LPx
WiFi - Ralink RT2150F
SDRAM (for the Ralink) - EM639165TS (16 Mbyte, 16 bit wide)
Flash (for the Ralink) - MX29LC320 (32 Mbit)
PicoChip PC312 with ARM11 and a swarm of DSP units
SDRAM (for the Pico) - Samsung K4T1G164QF (128 Mbyte, 16 bit wide) two of these
Flash (for the Pico) - Spansion GL512P10FF (512 Mbit)
Ethernet Transceiver - SMSC LAN 8700c-aecz

Note that PicoChip (from Bath, England) got bought by Mindspeed Technologies in January, 2012. The PicoChip technology was acquired from Mindspeed by Intel in December of 2013. Who knows what is going on with it these days.

Have any comments? Questions? Drop me a line!

Tom's electronics pages / tom@mmto.org