79 lines
2.7 KiB
Plaintext
* why?
** security research
** demonstration of known theoretical problems
** public awareness about GSM [in]security

* legal disclaimer
** don't try this at home
** ownership of the devices: ok; operating them: not ok (licensed spectrum)
** test licenses from the Bundesnetzagentur (German spectrum regulator)

* introduction to GSM network architecture
** MS, BTS, BSC, MSC, HLR, VLR
** "ISDN on steroids" (Q.921 / Q.931 as the base for call control)
** intelligence in the network, not in the terminal
** bit-synchronous network, like SDH
** A-bis as the interface between BTS and BSC

* more details about the A-bis interface
** functional split BTS / BSC
** low-level A-bis (E1 timeslots / 16 kbit/s sub-slots)
** A-bis protocol in the GSM specs (04.08 layer 3, 12.21 OML, 08.58 RSL)
*** page 10 of 08.58
** structure of voice data in TRAU frames

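Worked example for the two items above (E1 timeslots / sub-slots and the TRAU frame layout), added here; it is not code from the talk or from OpenBSC. It builds a 320-bit full-rate TRAU frame as laid out in GSM 08.60 (16 zero bits, then a '1' every 16 bits, payload C1..C21, D1..D260, T1..T4), packs it into one 16 kbit/s sub-slot of a constructed E1 frame sequence, recovers the sub-slot, searches for frame alignment and decodes the frame again. The sub-slot-to-octet-bit mapping, the use of 0 0 0 1 0 as the FR uplink frame type, the placeholder TS0 byte, the pseudo-random bits standing in for 06.10 speech and all function names are this example's own assumptions.

```python
import random

TRAU_FRAME_BITS = 320   # one full-rate TRAU frame: 20 ms at 16 kbit/s (GSM 08.60)
SYNC_BLOCKS = 19        # 16-bit blocks after the 16 zero bits, each led by a '1'
NUM_C, NUM_D, NUM_T = 21, 260, 4   # control bits, 06.10 speech data bits, timing bits

def encode_trau_frame(c_bits, d_bits, t_bits):
    """320-bit TRAU frame: 16 zero bits, then 19 blocks of a '1' sync bit plus
    15 payload bits, the payload being C1..C21, D1..D260, T1..T4 in that order."""
    if (len(c_bits), len(d_bits), len(t_bits)) != (NUM_C, NUM_D, NUM_T):
        raise ValueError("need 21 C, 260 D and 4 T bits")
    payload = list(c_bits) + list(d_bits) + list(t_bits)   # 285 bits = 19 * 15
    frame = [0] * 16
    for k in range(SYNC_BLOCKS):
        frame.append(1)
        frame.extend(payload[15 * k:15 * k + 15])
    return frame

def is_trau_sync(bits, pos):
    """Sync pattern check: bits 0..15 zero and a '1' at every 16th bit from 16 to 304."""
    if pos + TRAU_FRAME_BITS > len(bits) or any(bits[pos:pos + 16]):
        return False
    return all(bits[pos + 16 * k] == 1 for k in range(1, SYNC_BLOCKS + 1))

def find_trau_frame(bits, start=0):
    """Scan a 16 kbit/s sub-slot bitstream for TRAU frame alignment; -1 if none found."""
    for pos in range(start, len(bits) - TRAU_FRAME_BITS + 1):
        if is_trau_sync(bits, pos):
            return pos
    return -1

def decode_trau_frame(frame):
    """Split an aligned 320-bit frame back into its C, D and T bits."""
    payload = []
    for k in range(1, SYNC_BLOCKS + 1):
        payload.extend(frame[16 * k + 1:16 * k + 16])   # skip each block's sync '1'
    return {"C": payload[:NUM_C],
            "D": payload[NUM_C:NUM_C + NUM_D],
            "T": payload[NUM_C + NUM_D:NUM_C + NUM_D + NUM_T]}

def e1_subslot_bits(e1_frames, timeslot, subslot):
    """Pull one 16 kbit/s sub-slot out of a sequence of 32-octet E1 (G.704) frames;
    each 125 us frame carries 2 of its bits. Assumption made here: sub-slot k is
    bits 2k and 2k+1 of the timeslot octet counted from the MSB, MSB sent first."""
    shift = 6 - 2 * subslot
    bits = []
    for frame in e1_frames:
        pair = (frame[timeslot] >> shift) & 0x3
        bits += [pair >> 1, pair & 1]
    return bits

def build_e1_stream(subslot_bits, timeslot, subslot, seed=1):
    """Constructed input: pack a sub-slot bitstream into E1 frames whose other
    timeslots and sub-slots carry pseudo-random filler. TS0 gets a fixed placeholder
    byte; the real frame alignment signal is not modelled."""
    if len(subslot_bits) % 2:
        raise ValueError("sub-slot bitstream must have an even number of bits")
    rng = random.Random(seed)
    shift = 6 - 2 * subslot
    frames = []
    for i in range(0, len(subslot_bits), 2):
        frame = bytearray(rng.getrandbits(8) for _ in range(32))
        frame[0] = 0x1B
        octet = frame[timeslot] & ~(0x3 << shift) & 0xFF
        frame[timeslot] = octet | (((subslot_bits[i] << 1) | subslot_bits[i + 1]) << shift)
        frames.append(bytes(frame))
    return frames

def demo(seed=7):
    """Round trip: TRAU frame -> E1 sub-slot -> alignment search -> decode."""
    rng = random.Random(seed)
    # C1..C5 = 0 0 0 1 0 is used as the FR speech uplink frame type (assumption,
    # check 08.60 section 3.5.1 before relying on it); C6..C21 left at zero.
    c = [0, 0, 0, 1, 0] + [0] * 16
    d = [rng.getrandbits(1) for _ in range(NUM_D)]   # stand-in for a 06.10 speech frame
    t = [0, 0, 0, 0]                                 # timing alignment bits, unused here
    frame = encode_trau_frame(c, d, t)
    # some "previous traffic" before the frame, so the search has to find alignment
    stream = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1] + frame + [0, 1, 1, 0, 1, 0]
    e1 = build_e1_stream(stream, timeslot=17, subslot=2)
    bits = e1_subslot_bits(e1, timeslot=17, subslot=2)
    pos = find_trau_frame(bits)
    decoded = decode_trau_frame(bits[pos:pos + TRAU_FRAME_BITS]) if pos >= 0 else None
    return {"sync_pos": pos, "decoded": decoded, "sent": {"C": c, "D": d, "T": t}}

if __name__ == "__main__":
    r = demo()
    print("TRAU sync at bit", r["sync_pos"], "frame type C1..C5:", r["decoded"]["C"][:5])
```

On a real A-bis link the search runs continuously on each sub-slot carrying a traffic channel, and a decoder should re-check the sync bits of every subsequent frame rather than trust the first hit, since a speech payload can contain 16 zero bits by chance.
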
* Introducing the BS-11
** features (1-2 TRX, 30 mW to 2 W, GSM900)
** 2 E1 interfaces (1 to the BSC, 1 for daisy-chaining)
** BS11 documentation
*** documentation under NDA, not available publicly
*** 99% of the A-bis protocol is in the GSM specs (04.08, 12.21, 08.58)
** photographs (big picture, connector panel, internal overview)
** serial port for the LMT (local maintenance terminal), proprietary software
*** needed commands (TX power, timeslot for RSL/OML, TEI)

* first steps with the BS-11
** bought a BS-11 on eBay (now 74 units)
** A-bis protocol analyzer
** a helpful anonymous person helped us with
*** A-bis traces between a Siemens BSC and BTS
*** Wandel+Goltermann MA-10 protocol analyzer

* BS11-Init (09/2008)
** Cologne Chip HFC-E1 reference code for DOS
** polling, no interrupts
** ported to Windows and Linux (mmap of the E1 card into userspace)
** proof-of-concept code based on challenge-response

* from BS11-Init to OpenBSC (12/2008)
** get layer 2 to work (mainline mISDN doesn't deal with multiple SAPIs and fixed TEIs)
** learn how to use the new socket-based mISDN API
** send and receive the first OML packets
** come up with an event-driven architecture: single select loop, no threads, ...
** 25C3: add libdbi/sqlite database backend for the "HLR"
** 25C3: get paging to work, support for a configurable network ID
** 25C3: debugging/stabilization with > 1000 test users ;)
** 25C3: IMSI+IMEI skimming

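The layer 2 point above (several SAPIs on one fixed TEI), as an added Python example that is not code from the talk, from mISDN or from OpenBSC: a Q.921 (LAPD) address and control field decoder plus a demultiplexer that keeps RSL (SAPI 0) and OML (SAPI 62) apart per TEI, the way a userspace A-bis layer 2 has to when the kernel stack only assumes one SAPI and dynamic TEIs. The frame sequence is constructed, not a BS-11 trace; TEI 25, the placeholder OML payload and the two RSL header bytes (0x0c 0x15, read as common-channel discriminator + PAGING COMMAND per 08.58, an assumption to verify against the spec) are this example's own.

```python
SAPI_RSL = 0    # Radio Signalling Link, GSM 08.58
SAPI_OML = 62   # Operation & Maintenance Link, GSM 12.21
SAPI_L2M = 63   # layer 2 management (TEI procedures)
LINK_NAMES = {SAPI_RSL: "RSL", SAPI_OML: "OML", SAPI_L2M: "L2-mgmt"}

# unnumbered frame control octets with the P/F bit (bit 5) masked out, Q.921
U_FRAMES = {0x6F: "SABME", 0x63: "UA", 0x43: "DISC", 0x0F: "DM",
            0x03: "UI", 0x87: "FRMR", 0xAF: "XID"}
S_FRAMES = {0: "RR", 1: "RNR", 2: "REJ"}

def parse_lapd(frame):
    """Decode the Q.921 address and control fields of one LAPD frame (flags and FCS
    already stripped). Octet 1: SAPI bits 3-8, C/R bit 2, EA=0 bit 1.
    Octet 2: TEI bits 2-8, EA=1 bit 1. Then a 1- or 2-octet control field."""
    if len(frame) < 3:
        raise ValueError("LAPD frame too short")
    a1, a2, ctl = frame[0], frame[1], frame[2]
    if (a1 & 0x01) or not (a2 & 0x01):
        raise ValueError("bad address extension bits")
    hdr = {"sapi": a1 >> 2, "cr": (a1 >> 1) & 1, "tei": a2 >> 1, "ns": None, "nr": None}
    if ctl & 0x01 == 0:                 # I frame: N(S) in octet 3, P + N(R) in octet 4
        if len(frame) < 4:
            raise ValueError("truncated I frame")
        hdr.update(kind="I", ns=ctl >> 1, nr=frame[3] >> 1, pf=frame[3] & 1,
                   info=bytes(frame[4:]))
    elif ctl & 0x03 == 0x01:            # S frame: RR/RNR/REJ, P/F + N(R) in octet 4
        if len(frame) < 4:
            raise ValueError("truncated S frame")
        hdr.update(kind=S_FRAMES.get((ctl >> 2) & 0x3, "S?"), nr=frame[3] >> 1,
                   pf=frame[3] & 1, info=b"")
    else:                               # U frame: single control octet, P/F in bit 5
        hdr.update(kind=U_FRAMES.get(ctl & 0xEF, "U?"), pf=(ctl >> 4) & 1,
                   info=bytes(frame[3:]))
    return hdr

def demux_abis(frames):
    """Group frames per (TEI, link): RSL and OML are separate SAPIs on the same TEI,
    and each pair needs its own LAPD state machine (sequence numbers, timers)."""
    links = {}
    for f in frames:
        h = parse_lapd(f)
        name = LINK_NAMES.get(h["sapi"], "SAPI%d" % h["sapi"])
        links.setdefault((h["tei"], name), []).append((h["kind"], h["info"]))
    return links

def lapd_address(sapi, cr, tei):
    """Encode the two address octets (used for the constructed frames below)."""
    return bytes([(sapi << 2) | (cr << 1), (tei << 1) | 1])

# Constructed capture (not a real BS-11 trace); TEI 25 is an arbitrary example value.
TEI = 25
SAMPLE_FRAMES = [
    lapd_address(SAPI_OML, 1, TEI) + bytes([0x7F]),          # OML: SABME, P=1
    lapd_address(SAPI_OML, 1, TEI) + bytes([0x73]),          # OML: UA, F=1
    # OML I frame N(S)=0 N(R)=0 with an opaque placeholder payload
    lapd_address(SAPI_OML, 1, TEI) + bytes([0x00, 0x00]) + b"\x80\x80\x00\x00",
    lapd_address(SAPI_RSL, 1, TEI) + bytes([0x7F]),          # RSL: SABME on the same TEI
    lapd_address(SAPI_RSL, 1, TEI) + bytes([0x73]),          # RSL: UA
    # RSL I frame; header bytes assumed to be CCCH discriminator + PAGING COMMAND, IEs omitted
    lapd_address(SAPI_RSL, 1, TEI) + bytes([0x00, 0x00]) + b"\x0c\x15",
    lapd_address(SAPI_RSL, 1, TEI) + bytes([0x01, 0x03]),    # RSL: RR, N(R)=1, P/F=1
]

if __name__ == "__main__":
    for (tei, link), msgs in sorted(demux_abis(SAMPLE_FRAMES).items()):
        print("TEI", tei, link, [kind for kind, _ in msgs])
```
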
|
* other FOSS projects related to GSM
** OpenBTS
** gssm / gsm-tvoid / gsmsp

|
* availability of the BS-11
** remember: you need an HFC-E1 card, and shipping of 48 kg
** import/ownership restrictions at your place of residence!

|
* short demo (10-15 min)
** IMSI/IMEI snooping
** ringtone demonstration

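The IMSI/IMEI collection listed among the 25C3 OpenBSC items and shown in the demo, as an added Python example that is not code from the talk or from OpenBSC: it encodes and decodes the GSM 04.08 Mobile Identity IE (10.5.1.4: type of identity in bits 1-3, odd/even flag in bit 4, BCD digits low nibble first, a 1111 filler for even digit counts, TMSI as four octets), builds the IDENTITY REQUEST the network side sends, and pulls the Mobile Identity out of an IDENTITY RESPONSE or LOCATION UPDATING REQUEST. GSM authenticates the phone to the network but never the network to the phone, so a BTS under your control can simply ask every phone that camps on it. The sample messages, the IMSI value, the LAI and classmark octets are constructed for this example; the IMEI is the commonly cited textbook example value.

```python
PD_MM = 0x05                        # 04.08 protocol discriminator: mobility management
MT_LOCATION_UPDATING_REQUEST = 0x08
MT_IDENTITY_REQUEST = 0x18
MT_IDENTITY_RESPONSE = 0x19
MI_IMSI, MI_IMEI, MI_IMEISV, MI_TMSI = 1, 2, 3, 4    # 10.5.1.4 "type of identity"
MI_NAMES = {MI_IMSI: "IMSI", MI_IMEI: "IMEI", MI_IMEISV: "IMEISV", MI_TMSI: "TMSI"}

def encode_mobile_identity(kind, digits):
    """Mobile Identity value (without the length octet) for a BCD identity:
    octet 1 = digit 1 (bits 5-8), odd/even flag (bit 4), type (bits 1-3); then two
    digits per octet, low nibble first; an even digit count ends in a 1111 filler."""
    if not digits.isdigit():
        raise ValueError("identity digits must be decimal")
    odd = len(digits) % 2
    out = [(int(digits[0]) << 4) | (odd << 3) | kind]
    rest = digits[1:]
    for i in range(0, len(rest), 2):
        lo = int(rest[i])
        hi = int(rest[i + 1]) if i + 1 < len(rest) else 0xF
        out.append((hi << 4) | lo)
    return bytes(out)

def encode_tmsi(tmsi):
    """TMSI form of the IE: upper nibble 1111, type 100, then the 4 TMSI octets."""
    return bytes([0xF0 | MI_TMSI]) + bytes(tmsi)

def decode_mobile_identity(value):
    """Inverse of the two encoders; returns (identity name, digit string or TMSI hex)."""
    if not value:
        raise ValueError("empty mobile identity")
    kind, odd = value[0] & 0x07, (value[0] >> 3) & 1
    if kind == MI_TMSI:
        if len(value) != 5:
            raise ValueError("TMSI identity must be 5 octets")
        return "TMSI", value[1:5].hex()
    digits = [value[0] >> 4]
    for octet in value[1:]:
        digits += [octet & 0x0F, octet >> 4]
    if not odd:
        if digits[-1] != 0xF:
            raise ValueError("even-length identity without 1111 filler")
        digits.pop()
    if any(d > 9 for d in digits):
        raise ValueError("non-BCD digit in identity")
    return MI_NAMES.get(kind, "unknown(%d)" % kind), "".join(map(str, digits))

def build_identity_request(id_type):
    """IDENTITY REQUEST as sent by the network: PD, message type, identity type in
    bits 1-3 of octet 3 (spare half octet above)."""
    return bytes([PD_MM, MT_IDENTITY_REQUEST, id_type & 0x07])

def build_identity_response(mi_value):
    """IDENTITY RESPONSE from the phone: PD, message type, Mobile Identity as LV."""
    return bytes([PD_MM, MT_IDENTITY_RESPONSE, len(mi_value)]) + mi_value

def parse_mm_identity(msg):
    """Pull the Mobile Identity out of an uplink IDENTITY RESPONSE or LOCATION
    UPDATING REQUEST. Bit 7 of the message type may carry N(SD) on uplink MM messages."""
    if len(msg) < 3 or (msg[0] & 0x0F) != PD_MM:
        raise ValueError("not an MM message")
    mt = msg[1] & 0x3F
    if mt == MT_IDENTITY_RESPONSE:
        off = 2
    elif mt == MT_LOCATION_UPDATING_REQUEST:
        off = 9   # after LU type/CKSN (1 octet), LAI (5), MS classmark 1 (1)
    else:
        raise ValueError("MM message type 0x%02x carries no mobile identity here" % mt)
    length = msg[off]
    value = msg[off + 1:off + 1 + length]
    if len(value) != length:
        raise ValueError("truncated mobile identity")
    return decode_mobile_identity(value)

# Constructed messages (not captured traffic). The IMSI is a made-up value in the
# 262 01 range; the IMEI is the textbook example value 49-015420-323751-8.
SAMPLE_IMSI = "262011234567890"
SAMPLE_IMEI = "490154203237518"

def sample_location_updating_request():
    """LU REQUEST: PD/MT, LU type normal + CKSN 'no key' (0x70), LAI MCC 262 MNC 01
    LAC 1, MS classmark 1 (0x33, arbitrary), then the Mobile Identity LV."""
    mi = encode_mobile_identity(MI_IMSI, SAMPLE_IMSI)
    return bytes([PD_MM, MT_LOCATION_UPDATING_REQUEST, 0x70,
                  0x62, 0xF2, 0x10, 0x00, 0x01, 0x33, len(mi)]) + mi

def sample_exchange():
    """The skimming flow: the LU REQUEST already carries the IMSI; an IDENTITY
    REQUEST for the IMEI is answered by the phone with an IDENTITY RESPONSE."""
    seen = [parse_mm_identity(sample_location_updating_request())]
    req = build_identity_request(MI_IMEI)
    resp = build_identity_response(encode_mobile_identity(MI_IMEI, SAMPLE_IMEI))
    seen.append(parse_mm_identity(resp))
    return req, seen

if __name__ == "__main__":
    req, seen = sample_exchange()
    print("IDENTITY REQUEST:", req.hex(), "collected:", seen)
```

In a live network the phone usually identifies with a TMSI in the LOCATION UPDATING REQUEST; the decoder above returns the TMSI, and the network then has to send an IDENTITY REQUEST of type IMSI to learn the permanent identity, exactly as it does for the IMEI.
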
|
* links
** OpenBSC http://openbsc.gnumonks.org
** toast (GSM 06.10 full-rate codec reference implementation)
** 3GPP (http://www.3gpp.org/) / ETSI (http://www.etsi.org/)
** Goeller homepage (http://www2.informatik.hu-berlin.de/~goeller)
** THC Wiki (http://wiki.thc.org/gsm)
** OpenBTS (http://openbts.sourceforge.net/) + gnuradio wiki
** Harald's branch of gsm-tvoid, etc (git://git.gnumonks.org/gsm.git)