Hacking the Samsung Femtocell

Sprint, in partnership with Samsung, released a femtocell sometime in late 2007/early 2008. The unit is (was?) available to consumers as a low-cost alternative for the company to deploy "better" home service to the end user, without the costs associated with developing a complete network.

The following document describes, in somewhat messy form, what I've learned about the box by hacking it up, with the end goal being to use the box with a custom firmware to deploy my own network.

Chip info

The main ASIC/FPGA combo chip is labeled SBM1320, but it's really an Altera HC210. I have the data sheet on it, and maybe I'll post some pictures of the "guts" of the thing. Since I used to work on the Airvana femto (the AirHub or HubBub or whatever), I have some familiarity with the OTA stuff that's going on. Taking apart the shielded radio brought back some memories. I've found a number of I2C taps, and with the HC210 specs I should be able to locate the JTAG ports. I've got the Quantum II SDK, and hopefully I'll find all the assembler routines and write a small disassembler.

