What's going on inside?

In the spirit of really understanding how the AT&T MicroCell works, I was determined to get inside its inviting white shell. Unfortunately, after doing my homework, I started to get a feel for just how locked down this thing is - and why that's the case. First off, there's no internal status webpage as a diagnostic aide like you'd expect from a cable or DSL modem. Nothing. I searched around comprehensively for anything of the sort; it isn't there. What's surprising is that briefly, at startup, I saw nmap report ports 23, 80, and 8080 as filtered instead of open or closed, but that doesn't do anyone any good. The device always reports a hostname of "AT&T" and always pulls a DHCP lease at startup. There's no network configuration to speak of, so if you want to configure a static IP, static DHCP assignment is your only route. 
 
Obviously, tech savvy users also are going to want to configure proper port forwarding and QoS rules for prioritizing MicroCell traffic. Unfortunately, documentation here is beyond spartan. There are (no joke) four versions of the users guide floating around. First is the printed copy in box, then there's an AT&T PDF, and finally one in the FCC filing - all of which lack the section on what ports should be forwarded. Curiously, there's another version online that I later found here with the relevant ports (on page 5), but this was after I had already discovered them on my own.
 
Before I stumbled across that real users guide, I was determined to find out how the MicroCell was talking with AT&T and over what ports. I grabbed a second NIC and set myself up in a machine-in-the-middle configuration and started sniffing packets. It's obvious immediately that this thing is locked down tight. After booting, the device grabs a DHCP lease, syncs network time over NTP with 12.230.208.48, and does a DNS query for dpewe.wireless.att.com. After it gets the results, it talks with that server over HTTPS (TLSv1) for a bit, and then immediately fires up an IPsec VPN with 12.230.209.193. After that, there's very little we can see going on - everything happens across that VPN tunnel. 
 
Lots of IPsec traffic and NAT-keepalive
 
The MicroCell uses IPsec with NAT traversal, explaining partly why you don't really have to port forward, but it's still a good idea. In fact, it's during the HTTPS session certificate exchange that we see the only bit of network traffic which would lead us to believe this is a micro, er, femtocell:
 
CPE - Customer Premises Equipment. Also parlance for locked down tight.
 

So those ports that you should forward or prioritize if you're setting up QoS that way? They're here:

Port Description
123/UDP NTP Traffic
443/TCP HTTPS over TLS/SSL for provisioning and management traffic
4500/UDP IPSec NAT Traversal (for all signaling, data, and voice traffic)
500/UDP IPSec Phase 1 prior to NAT detection, after which 4500/UDP is used
Unboxing a Cell Tower Inside The MicroCell: Hardware
POST A COMMENT

63 Comments

View All Comments

  • MyTechLife2 - Tuesday, April 6, 2010 - link

    Thanks for the in-depth review! I got my MicroCell yesterday and have been testing it thoroughly. I've also experienced problems on the opposite side of the house from the MicroCell with deteriorating call quality, dropped calls during hand-off and even after hand-off. I call 611 so my test calls are free (I didn't get a MicroCell calling plan). There's an extensive thread on the AT&T forums about dropped calls http://forums.wireless.att.com/t5/AT-T-3G-MicroCel...

    A few initial observations:

    • It runs on 1900Mhz, even though AT&T also has 850Mhz spectrum here. I use the SignalLoc BlackBerry app to check this and other call stats.

    • In my 2-story 2100 ft. house, the MIcroCell is located on the northernmost upstairs end of the house. Sometimes on the southernmost downstairs end of the house it will often switch from the MicroCell to the cell network. Locking my phone to 3G only seems to have minimized that.

    • I had a situation where I was on the MicroCell, but it was showing "SOS only". Putting the MicroCell in the DMZ on the router and power-cycling the MicroCell seems to have fixed that for now.

    • 2 of our 3 phones had to be power-cycled before they would recognize and switch over to using the MicroCell.

    • In the far side of my house while while standing still, signal strength will fluctuate from -110 (worst) to -70 (best) on my BlackBerry Bold 9700. About every 1/2 second It fluctuates down about 1 bar until it reaches 1 bar, then right back up to 5 bars. Seems like some power shifting going on.

    • The 3G antenna seems to be somewhat directional. I seem to get the best coverage on the far end of the house when the front of the device is pointed in that direction. I tried laying the unit horizontally with the top of it facing the far end of the house and that killed signal strength there. I was hoping to get some down-tilt in the antenna pattern to reach the far end downstairs, but that wasn't the way to do it.

    Did you experiment with placement of the device?
    Reply
  • mobius147 - Sunday, April 25, 2010 - link

    My unit covers one or two rooms at the most. In attempting to purchase additional units in our area ATT will refuse to sell more than one unit per household. Reason given is that the units will not
    handoff to one another. Still looking for a way to cover more of the house.
    Does anyone have information on the units mentioned in the review that are used in the
    Apple stores.
    My uplink data rate seems capped at 50 Kb or so and downlink about 1.5 Mb. Adequate for phone
    but "light" for data compared to a standard cell site.
    Im sure more folks have come up against the limited coverage. Interested to hear possible
    remedies.
    Reply
  • Raajah - Saturday, December 11, 2010 - link

    Wonder if anyone has noted the fact that Microcell looses the wireless connection each time a phone call is received or made from a landline conneted. To be sure, I need to mention that we have dsl from Bellsouth as well as the land line from the same company. There seems to be a conflict that occurs probably because voice calls are carried on the same line connected to dsl service. In this situation it is not worth buying the Microcell. Reply
  • SonarTech - Monday, December 20, 2010 - link

    There are actually two tamper traps inside the AT&T Microcell - one on the front of the PCB, and once on the back. The FCC pictures don't show the full tamper mechanism installed on the board, only the empty headers. The top-side tamper trap is located to the upper-right of the Ralink chip, U37, and consists of three jumper headers sitting side-by-side. During assembly, a gray plastic frame sits over this header. After that frame has been installed, three jumpers are installed on top of the frame. One or two of those jumpers aren't actually jumpers, however - they're just chunks of plastic that looks like jumpers. When the case is installed, two long plastic hooks built into the sides of the case "lock" into the sides of that gray plastic frame. Once locked in place, there's no easy way to remove them. If you attempt to open the case, you'll pull either the front-side or back-side tamper jumpers off the headers and you won't know what order to replace them. The odds of you getting them back in the same order they came off is very low. Once the unit is powered up, the jumpers get checked. If the pattern doesn't match what the unit expects, it goes into a tamper lock-down which, as far as I can tell, is a permanent condition requiring factory JTAG to clear.

    The rear (bottom) tamper header is located about 3 inches away from the top-side tamper header, near the unpopulated pads of D25. Again, it's a set of three 2-pin jumpers sitting side-by-side. It's also the only jumpers on the bottom-side of the board.

    Although very tedious, it IS possible to ascertain the correct positioning of the top-side jumpers (and blanks) with the case installed, but you have to know exactly where to look and what to look for.

    The bottom-side jumpers, however, are nearly impossible to see through the installed case, and I haven't yet found an easy way to record their values before opening the case.

    If you have no intentions of returning the unit for warranty service, the easiest way to get inside this case without bricking the unit would be to cut the case open, taking extra care around the clips that lock into the gray plastic tamper traps.

    Besides - you'll do significant (and very obvious) damage to the case just trying to get it open. You'll break at least 4 clips (that are designed to break, by the way) and you'll likely distort the plastic so it won't go together the right way again anyway.

    If you need nice hi-res pictures of the board, top and bottom, I have them - with the tamper traps installed.

    SonarTech
    Reply
  • SonarTech - Monday, December 20, 2010 - link

    One last update: The top-side tamper header is screened as J15, and the bottom-side header is J16. Both have traces that feed right into the Ralink RT2150F chip (U37). Reply
  • ivioo - Monday, April 11, 2011 - link

    I was wondering if you can show me where the tamper jumpers go. I'm pretty sure I know where 1 jumper goes but I have 2 jumpers left that I don't know where they go and then the 2 dummy ones Reply
  • vsa1977 - Thursday, March 3, 2011 - link

    This article seems to be well written based on facts. I however am an end user and have little knowledge on how this stuff works.

    This article states that "GPS is critical for getting very precise and accurate timing signals for the radio without expensive clock hardware". Would it make any difference in terms of performance if I get an external GPS antenna and connect to this Microcell? I have the microcell placed in a closet since my networking components are deployed there and the GPS at that location is pretty weak.

    Calls using the microcell is not often clear and I lose the signal all together maybe once in two weeks. I then have to resync-lock with GPS by taking it closer to the window and then back into the closet again.

    Is there any way to increase the range of the microcell by using any kind of external boosters or gain antennas? I do not see any options to connect any external antennas.

    I would appreciate if I get an answer on the external GPS antenna's effect on performance.
    Reply
  • akaken - Wednesday, July 20, 2011 - link

    you dont have to pay that 19.99 charge for unlimited microcell calling but what it does is give you UNLIMITED MINUTES WHILE YOU ARE ON YOUR MICROCELL your plan minutes are not used while on your microcell. Reply
  • MSSS - Monday, September 26, 2011 - link

    In an urban area near UC Berkeley (20min from SF) we are in a "dead zone" with irregular tower access.

    With the Microcell, we get constantly dropped calls and cannot be heard by the person on the other end of the line, often after a minute or two.

    Apparently, the microcell keeps handing off the calls to a mystery tower nearby, and cutting off calls.

    here’s what ATT says:

    In researching your issue we are not finding any network issues and see that the issue is with the micro cell handing off to towers in the area which will often cause the call to disconnect.

    They offer NO solution - they will replace the microcell, just in case it's the problem. But we are frustrated.

    One forum suggests moving the microcell to a room with bad reception:

    http://forums.att.com/t5/3G-MicroCell/add-option-t...
    Re: add option to disable handoffs completely to prevent dropped calls
    Options
    07:42:21 AM - 05-17-2010
    I've stumbled upon an option - put the MicroCell in a room with poor signal from the macro network.
    Over the past 6 weeks I've tried the MicroCell in 5 different rooms in my home in an attempt to keep it from handing off the the macro network prematurely. Placing it in the room with the worst signal from the macro network has solved the problem.
    The only drawback is that now the MicroCell will not in-call handoff to the macro network when leaving my home, moving down the street. The call always drops now. When it was in other rooms in my home it would successfully hand-off to a nearby cell about 1/2 the time. While a drawback, I've rarely found the need to continue a conversation while leaving my home.
    Reply
  • PointTechScottsdale - Wednesday, March 7, 2012 - link

    Just wanted to post a note to thank you for this great dissection of the microcell. Your work and writings are by far the best that I have been able to find on the web over the last six months.

    You had just the right amount of detail about just the issue I was looking for. Thanks and keep up the good work!

    Elliott

    --
    Point Technologists
    Scottsdale, AZ
    (480) 744-6464
    Reply

Log in

Don't have an account? Sign up now