3 Home Signal Box - Destination IP?



The reset and packet sniff is complete. Overall, not much more information can be gathered about whether the device connects to any other addresses outside of the range specified in my previous post. This is due to the reset causing the device to:

Download a base image, config and the IPsec keys from the manufacturer website, using HTTPS and a unique client certificate assigned to the device. This is based on the IMEI and another unique identifier of the femtocell.

The IPsec tunnel is then set up to the provider and then the operator image and configuration are downloaded, verified and applied.

Reboot, then operational.

A Google search of some of the packets sniffed revealed a site that provided that information.

There used to be some weaknesses in the process that allowed you, long-windedly, to get access to the keys and basic config, but all operators have ceased to provide unencrypted OS images as a fallback option for last-resort device recovery (corruption etc).

Anyway, there we go. Hopefully they just use that one address block for the IPsec tunnel.

If I get a chance, I will add a rule to my firewall for this and see what happens.

Tony
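
An added example, not part of the original post: one way to check a capture's flow list for femtocell traffic that leaves the expected operator block, before committing to a firewall rule. The operator block, device address, LAN range and flow records are constructed placeholders (the real block from the earlier post is not shown on this page); the IPsec ports and protocol number are the standard ones.

```python
import ipaddress

# Assumed placeholders: documentation ranges (RFC 5737) stand in for the
# operator block, which is not shown on this page.
OPERATOR_BLOCK = ipaddress.ip_network("203.0.113.0/24")
LAN = ipaddress.ip_network("192.168.1.0/24")       # constructed home LAN
DEVICE_IP = ipaddress.ip_address("192.168.1.50")   # constructed femtocell IP

# IPsec as a firewall sees it: IKE (UDP 500), NAT-T (UDP 4500), ESP (IP proto 50).
IPSEC = {("udp", 500), ("udp", 4500), ("esp", None)}

# Constructed flow records (src, dst, proto, dport), e.g. exported from a capture.
SAMPLE_FLOWS = [
    ("192.168.1.50", "198.51.100.7", "tcp", 443),   # HTTPS provisioning fetch
    ("192.168.1.50", "203.0.113.10", "udp", 500),   # IKE to operator block
    ("192.168.1.50", "203.0.113.10", "udp", 4500),  # NAT-T to operator block
    ("192.168.1.50", "203.0.113.10", "esp", None),  # ESP to operator block
    ("192.168.1.50", "192.0.2.99", "udp", 4500),    # IPsec outside the block
    ("192.168.1.50", "192.168.1.1", "udp", 53),     # DNS to the local router
    ("192.168.1.20", "192.0.2.99", "tcp", 80),      # another host, ignored
]

def classify(flow):
    """Label one flow sent by the device; return None for other hosts."""
    src, dst, proto, dport = flow
    if ipaddress.ip_address(src) != DEVICE_IP:
        return None
    dst_ip = ipaddress.ip_address(dst)
    if (proto, dport) in IPSEC:
        return "ipsec-in-block" if dst_ip in OPERATOR_BLOCK else "ipsec-outside-block"
    if (proto, dport) == ("tcp", 443):
        return "https-provisioning"
    if dst_ip in LAN:
        return "local"
    return "unexpected"

def summarize(flows):
    """Map each label to the sorted destinations seen under it."""
    out = {}
    for flow in flows:
        label = classify(flow)
        if label:
            out.setdefault(label, set()).add(flow[1])
    return {label: sorted(dsts) for label, dsts in out.items()}

if __name__ == "__main__":
    for label, dsts in summarize(SAMPLE_FLOWS).items():
        print(f"{label}: {', '.join(dsts)}")
```

Any destination reported under `ipsec-outside-block` or `unexpected` is one that a rule allowing only the single address block would drop.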
