If you saw my last post, you know I’ve been diving deep into CBRS (Citizens Broadband Radio Service). The latest addition to the homelab is a Baicells Nova 227, and the process of getting it online with my own infrastructure was a classic exercise in hardware reverse engineering.
The Serial Discovery
These units were originally deployed as Pollen Mobile hardware, and like many specialized devices, they are locked down to their original ecosystem. Naturally, the first step was a teardown to look for a standard UART header for console access.
I actually found several serial ports on the board during the teardown, but after some probing, they turned out to be the wrong ones—likely for sub-components or secondary management controllers.
Then came the “Aha!” moment. It turns out Baicells utilized a clever physical interface: the serial UART lines are wired directly to the pins in the USB 3.0 connector. To be clear: it’s not a USB signal. The hardware is simply using the physical USB 3.0 pinout to carry the serial RX/TX lines. Once I mapped the pins and built a custom adapter, I had full console access.
Total System Access: A/B Partitions Gaining console access was only the first hurdle. The Nova 227 utilizes an A/B software partition scheme for redundancy and updates. To truly own the device, I had to intercept the boot sequence and perform a manual reset on both sections of memory.
By working through the serial port, I was able to:
-
Reset the User Admin password to regain WebUI access.
-
Modify the Root password for full underlying Linux OS control. Because of the A/B scheme, these changes had to be applied to both partitions to ensure the device remains unlocked regardless of which side it boots from. Ownership and Integration
With root access secured and the original credentials cleared, the eNodeB is now a clean slate. I can finally access the WebUI to configure the radio parameters and point the unit toward my own private LTE core network.