拆一个京信 4G HNB3510 家庭级手机微基站 附设置资料

ant***

酒店拆迁，在一堆交换机路由器里发现个这个，看起来挺有意思的 拆！看看能不能改造个什么


皮基站，也叫家庭基站，飞基站，用来覆盖手机信号弱的地方，覆盖范围很小也就不到50m半径，运营商用来低成本补盲效果远好于信号放大器

因此，还叫微基站，这玩意用的是网络，简单理解机器内置系统通过专用V*N网络把信号传回运营商机房，就实现了打电话上网等，地下车库商场几乎都有安装


WAN口为千兆，但是该设备实际上传下载峰值速率也就100M,同时最大供32个设备通讯


此款机器设计很有意思，多个模块间是内组网设计，存在有多个网络变压器，网卡芯片，相当于机身自建了一个内部局域网互相通讯，活脱脱一个袖珍机房


外观篇







主板篇

拆开过程略过，，就2个螺丝，，外壳是卡扣，暴力

这个有网口，姑且叫底板或者主板




拆下散热片


底板背面，沉金工艺非常棒，不知道能不能T几克的金出来




银色芯片是博通BCM61735的主基带处理芯片，专门用于家用级信号处理，发热大户非常烫，

旁边是配套的2Gb flash 和1GB运存，配置比单模的翻倍，单模4G版本是512M运存 这款是2G+4G通讯，可能缓存与运算需求更大

空焊盘对比单模4G版本少了个莱迪思的FPGA，扩展板上有更高性能FPGA用于替换这个芯片作为数据解码运算




底板射频芯片是配套方案的bcm61297b  盲猜用于2G信号或者侦听接收


底板网络部分是3片网络芯片，其中WAN千兆ar8035，lan和拓展板为百兆ar8032，扩展板与底板间数据采用的网络信号传输，挺少见，上下底板插针链接，
通讯速率瓶颈目测就是这几个百兆网卡干的




底板看完了，现在看扩展板，这个上面好东西更多



缺失的焊盘上有标记WLAN，可能这个板子还有vowifi的预留设计
什么叫vowifi？？百科上这样写的
VoWiFi是指运营商利用WiFi热点，为用户提供语音服务。
通过VoWiFi技术，用户可以利用WiFi接入，在使用移动互联网的同时，拨打和接听语音或视频电话
反正没看见实物，，盲猜吧


最大的芯片altera FPGA 型号cyclone IV   据资料介绍，其用于解算加密通讯的数据包，类似于电脑的GPU加速功能




射频芯片 AD9365bbcz  宽频无线收发器 频率范围200mhz~2.3GHz  ，这个估计不少玩嵌入式的朋友知道，常见于数字通讯SDR类设备
这个无疑是用作4G通信了，说不定哪天固件升级下可以支持5G低频，


fPGA+ad射频芯片应该是玩软件无线电的朋友都熟悉的方案，可惜这种SDR开发板一般上千块，二手市场这种设备才一百左右，

不知道有没有大神可以开发个底板或者固件。把这款板子转接出来玩SDR, 应该是最廉价的玩法了





8041NL  百兆网卡，这块板子上几乎全部都是网络通讯的，走线看应该给L138芯片使用




OMAP-L138是美国德州仪器（TI）推出全新DSP+ARM工业处理器 ，
这款芯片也是业界功耗最低的浮点数字信号处理器 （DSP） + ARM9处理器，大大降低了双核通讯的开发难度

目测其用于控制FPGA和数字变频RF模块实现通讯，






此类设备接触的比较少  可能由于架构设计导致安全漏洞不断，致无法大面积投入使用，有兴趣可参考此链接中相关介绍

阿里移动安全团队与中国泰尔实验室无线技术部的通信专家们一起，联合对国内运营商某型Femtocell基站进行了安全分析，发现多枚重大漏洞，可导致用户的短信、通话、数据流量被窃听。恶意攻击者可以在免费申领一台Femtocell设备之后，迅速地将其改造成伪基站短信群发器和流量嗅探器，影响公众的通信安全。  https://www.qyyshop.com/info/1059715.html

总结：这是一种高度集成的SDR设备，运行的是特定固件，通过网络连接运营商专用服务器实现信号收发

B站上还有大佬有自制的类似SDR设备，也可以模拟5G站点搭建私网，体验一把自己当运营商的赶脚

badc***

这个就是室内基站，还有一种看起来跟吸顶ap差不多，其实就算外面的基站塔，工作原理也是一样的

ant***

badcrazy 发表于 2023-10-11 16:09
这个就是室内基站，还有一种看起来跟吸顶ap差不多，其实就算外面的基站塔，工作原理也是一样的
...

实际更像一个被AC控制器（远程服务器）控制的AP（微基站），本身它没有控制和管理能力

ant***

附 bcm芯片 串口打印信息



Broadcom bootrom version 3.0





PLL 19.2 Mhz
Flash interface voltage level: 0 - 3.3V
Strap clock mode: 4
Initialising nand flash
NAND ID: 01DA9095 ID_EXT: 4401DA90
Normal endianess
Reading again with opposite endianess
Activating L1 cache
NAND flash content detected
Internal mode
Loading image from flash...
Secured mode
Broadcom key: Found

BRCM section offset: 80
BRCM section length: 8d60
BRCM Sign. offset: 8de0
BRCM Sign. length: 100
Product section offset: 8ee0
Product section length: 17020
Product Sign. offset: 1ff00
Product Sign. length: 100

Starting RSA
Broadcom key verification: Passed
Broadcom authentication: Passed
FM key: Not found
Processing NAND bootloader from address: 1e0

Broadcom bootloader version 0.14.4 (1GB)
NAND)
Silicon type: 2, silicon ver: 3, feature ver: 61705, ROM ver: 0
Running authentication - check OK
CPUL PLL locked
lc pll clock rst1
lc pll clock rst2
lc pll clock rst3
cpuh clock rst1
cpuh clock rst2
cpuh clock rst3
cpuh clock rst4
Val=0
M
CPUH PLL locked
CPUL PLL locked
DSP PLL locked
PLL1 locked
CPU frequency 993.60 MHz

DDR initialized
Activating scrambler
cpuh clock rst1
cpuh clock rst2
cpuh clock rst3
cpuh clock rst4
CPU frequency 1203.20 MHz

Unzipping
Flushing ....Starting FMBootLoader
======================
fm_pubkey = A04FFF00
wdt open ;  please feed dog in 20'S
Broadcom FM-loader version 1.9.5

COMBA fm-loader version: V1.0.3-1:Jan 22 2017 09:24:41
get id for ACC : 4401DA90
NAND ID: 1DA9095 4401DA90

vol:   size   blocks last_leb name
  0: 005D0000     48       47 "linux0"
  1: 005D0000     48       47 "linux1"
  2: 0001F000      1        0 "index"
  3: 022E0000    259      287 "rfs0"
  4: 022E0000    266      287 "rfs1"
  5: 045C0000    396      575 "user1"
  6: 045A1000    359      574 "user2"
  7: 009B0000     67       79 "log"
kernel_current=1, kernel_pending=1
rootfs_current=1, rootfs_pending=1
no update kernel
no update rootfs
Loading uncompressed image
.......................................................................................................................
mem: current=0x1, pending=0x1
## Transferring control to Linux (at address 80598e00) ...
Linux version 3.0.1brcm-0-1-rt11_CPUH_2_21 (nansn@nansn) (gcc version 4.4.6 (crosstool-NG 1.13.1) ) #1 PREEMPT Tue Jul 17 17:23:37 CST 2018
(kernel version: v1.1.1-9:Jul 17 2018 17:13:09)
ISPRAM0: PA=1f000000,Size=00001000,enabled
DSPRAM0: PA=1f400000,Size=00002000,enabled

LINUX started...

                C E L T R I G O

running on MASTER
bootconsole [early0] enabled
CPU revision is: 59019750 (MIPS 74Kc)
Initializing HW RNG...
Determined physical RAM map:
memory: 00b00000 @ 00000000 (usable)
memory: 04000000 @ 04000000 (usable)
memory: 14000000 @ 20000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00020000
  HighMem  0x00020000 -> 0x00034000
Movable zone start PFN for each node
early_node_map[3] active PFN ranges
    0: 0x00000000 -> 0x00000b00
    0: 0x00004000 -> 0x00008000
    0: 0x00020000 -> 0x00034000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 99456
Kernel command line: mtdparts=celivero_cpuh-nand.0:0x20000@0(boot),-@0x40000(ubi) root=ubi0:rfs1 rw rootfstype=ubifs ubi.mtd=1 ethaddr=10:00:00:01:02:03 console=ttyS0,115200 panic=1 prt_disable=1
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
MIPS secondary cache 128kB, 8-way, linesize 128 bytes.
Writing ErrCtl register=00800000
Readback ErrCtl register=00800000
L2 cache parity protection enabled
Memory: 390492k/76800k available (4745k kernel code, 13988k reserved, 929k data, 240k init, 327680k highmem)
Preemptible hierarchical RCU implementation.
NR_IRQS:128
CPU frequency 1203.20 MHz
Console: colour dummy device 80x25
Calibrating delay loop... 600.47 BogoMIPS (lpj=3002368)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
GPIO: registering Celivero (CPUH) chip. Access protect mask = 0x1
bio: create slab <bio-0> at 0
Celivero DMA controller Driver loaded
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
dmac_ahb dmac_ahb.1: #0, irq 24
dmac_ahb dmac_ahb.1: #1, irq 25
dmac_ahb dmac_ahb.1: #2, irq 26
dmac_ahb dmac_ahb.1: #3, irq 27
audit: initializing netlink socket (disabled)
type=2000 audit(0.190:1): initialized
highmem bounce pool size: 64 pages
Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
msgmni has been set to 122
NET: Registered protocol family 38
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
console [ttyS0] enabled, bootconsole disabled 8) is a 16550A
console [ttyS0] enabled, bootconsole disabled
serial8250.2: ttyS1 at MMIO 0x1ec01c00 (irq = 9) is a 16550A
brd: module loaded
loop: module loaded
nbd: registered device at major 43
ONFI flash detected
ONFI param page 0 valid
NAND device: Manufacturer ID: 0x01, Chip ID: 0xda (AMD S34ML02G1)
ONFI flash detected
ONFI param page 0 valid
NAND device: Manufacturer ID: 0x01, Chip ID: 0xda (AMD S34ML02G1)
celivero_cpuh-nand celivero_cpuh-nand.0: 256MiB total, 128KiB blocks, 2KiB pages, 16B OOB, 8-bit, BCH-4

Scanning device for bad blocks
2 cmdlinepart partitions found on MTD device celivero_cpuh-nand.0
Creating 2 MTD partitions on "celivero_cpuh-nand.0":
0x000000000000-0x000000020000 : "boot"
0x000000040000-0x000010000000 : "ubi"
celivero_cpuh-nand: NAND controller driver is loaded
UBI: attaching mtd1 to ubi0
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: max. sequence number:       1272326
UBI: attached mtd1 to ubi0
UBI: MTD device name:            "ubi"
UBI: MTD device size:            255 MiB
UBI: number of good PEBs:        2046
UBI: number of bad PEBs:         0
UBI: number of corrupted PEBs:   0
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     8
UBI: available PEBs:             44
UBI: total number of reserved PEBs: 2002
UBI: number of PEBs reserved for bad PEB handling: 20
UBI: max/mean erase counter: 1279/622
UBI: image sequence number:  643581761
UBI: background thread "ubi_bgt0d" started, PID 895
Fixed MDIO Bus: probed
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
i2c /dev entries driver
celivero_cpuh_i2c celivero_cpuh_i2c.0: Celivero i2c bus driver. Port 0=Enabled Port 1=Disabled
lm75 0-0049: hwmon0: sensor 'lm75'
GACT probability on
Mirror/redirect action on
Simple TC action Loaded
netem: version 1.3
u32 classifier
    Performance counters on
    input device check on
    Actions configured
nf_conntrack version 0.5.0 (6101 buckets, 24404 max)
IPVS: Registered protocols ()
IPVS: Connection hash table configured (size=4096, memory=32Kbytes)
IPVS: Creating netns size=744 id=0
IPVS: ipvs loaded.
IPv4 over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team
ipt_CLUSTERIP: ClusterIP Version 0.8 loaded successfully
TCP cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
NET: Registered protocol family 15
Bridge firewalling registered
802.1Q VLAN Support v1.8
sctp: Hash tables configured (established 16384 bind 32768)

UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 0, volume 4, name "rfs1"
UBIFS: file system size:   35299328 bytes (34472 KiB, 33 MiB, 278 LEBs)
UBIFS: journal size:       4952064 bytes (4836 KiB, 4 MiB, 39 LEBs)
UBIFS: media format:       w4/r0 (latest is w4/r0)
UBIFS: default compressor: lzo
UBIFS: reserved for root:  0 bytes (0 KiB)
VFS: Mounted root (ubifs filesystem) on device 0:12.
Freeing unused kernel memory: 240k freed
(rootfs version: v1.1.1-16 :2018-07-18 09:15:36)
Starting logging: OK
net.core.rmem_default = 16777216
net.core.rmem_max = 16777216
net.core.wmem_default = 16777216
net.core.wmem_max = 16777216
Initializing random number generator... done.
Starting OpenSSH sshd: OK
Starting Audit: type=1305 audit(7.170:2): audit_pid=990 old=0 auid=4294967295 ses=4294967295 res=1
OK
systerm ack
ubi0_2 = 1 1 1 1
wdt clk close
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 0, volume 5, name "user1"
UBIFS: file system size:   71741440 bytes (70060 KiB, 68 MiB, 565 LEBs)
UBIFS: journal size:       9023488 bytes (8812 KiB, 8 MiB, 72 LEBs)
UBIFS: media format:       w4/r0 (latest is w4/r0)
UBIFS: default compressor: lzo
UBIFS: reserved for root:  0 bytes (0 KiB)
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 0, volume 6, name "user2"
UBIFS: file system size:   71741440 bytes (70060 KiB, 68 MiB, 565 LEBs)
UBIFS: journal size:       9023488 bytes (8812 KiB, 8 MiB, 72 LEBs)
UBIFS: media format:       w4/r0 (latest is w4/r0)
UBIFS: default compressor: lzo
UBIFS: reserved for root:  0 bytes (0 KiB)
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 0, volume 7, name "log"
UBIFS: file system size:   8888320 bytes (8680 KiB, 8 MiB, 70 LEBs)
UBIFS: journal size:       1650688 bytes (1612 KiB, 1 MiB, 13 LEBs)
UBIFS: media format:       w4/r0 (latest is w4/r0)
UBIFS: default compressor: lzo
UBIFS: reserved for root:  0 bytes (0 KiB)
ramhda: unknown partition table
memory-log still in keep after reboot
      BRCM Procfs Util Ver 1.0 Address of init function is c02c1000
BRCM Syscall Ver 1.4: init
BRCM WD Driver ver 1.2: init
brcm_wd close
## conifg brcm_wd ##
WDT STOP
DN_SUCCESS: conifg brcm_wd.
############################### user.sh start ###############################
Version : LTE-start-script-2013-07-18
Close serialloc conctrl major: 252
al ...
version : LTE 0.

邪恶***

我的印象中这玩意是需要调试的,因为有鉴权机制所以并不是随便插上就能用...

ant***

邪恶海盗 发表于 2023-10-11 17:13
我的印象中这玩意是需要调试的,因为有鉴权机制所以并不是随便插上就能用... ...

正常用户拿到这玩意不都是已经调试好的么？基本都是运营商申请的，或者有的地方是押金租赁给的，
除非那些特殊渠道的，比如异常离线，脱离归属地，KPI不合格或者之前绑定的机主注销了这类没法再用的，
这东西好像没有听说有什么小厂生产的

邪恶***

antons 发表于 2023-10-11 20:53
正常用户拿到这玩意不都是已经调试好的么？基本都是运营商申请的，或者有的地方是押金租赁给的，
除非那些 ...

你又不是"正常用户"...


=====================

ant***

邪恶海盗 发表于 2023-10-11 22:35
你又不是"正常用户"...

问了厂家驻地代维人员，设备不存在没有调试好就交付出去的情况，厂家按合同或者订单号出厂时候就做了类似于手机空中激活这样的设置，交付给客户是直接可用的，因为设备只能由运营商招标采购再分配给各地市，私人是买不到的，在使用中被系统判定为异常的设备则会被锁机导致无法继续使用

邪恶***

antons 发表于 2023-10-11 23:38
问了厂家驻地代维人员，设备不存在没有调试好就交付出去的情况，厂家按合同或者订单号出厂时候就做了类似 ...

"正确的废话"...


=========================

笑傲***

长见识了，感谢大佬无私分享

Nvidi***

折腾个SDR可还行

xxxxx***

串口能输入命令吗？

ant***

更新一部分设置用帐密

CMCC-F2A
192.168.197.1
普 cmcc-iot  cmcc-iot
调测用户 admin q1N@R74TuyH!
192.168.197.241
调测用户 admin q1N@R74TuyH!

ENB-35
192.168.197.1
普 admin 123456
管理员  comba  W_Lte@ComBA!1#6

HNB-3510
192.168.197.1
普 admin 123456
管理员  comba  W_Lte@ComBA!1#6

yuand***

运营商派人过来安装还要扫码设备入库的

yuand***

我也一个这个设备现在不能跨市使用了，有的地方可以。