415 lines
10 KiB
Plaintext
415 lines
10 KiB
Plaintext
%include "default.mgp"
|
|
%default 1 bgrad
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
%nodefault
|
|
%back "blue"
|
|
|
|
%center
|
|
%size 7
|
|
|
|
Running
|
|
Your own
|
|
GSM Network
|
|
|
|
%center
|
|
%size 4
|
|
by
|
|
|
|
Harald Welte <laforge@gnumonks.org>
|
|
Dieter Spaar <spaar@mirider.augusta.de>
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
Why?
|
|
|
|
|
|
Why would you run your own GSM network?
|
|
For the same reason you might run other networks
|
|
To learn and experiment with technology
|
|
To boldly go where no [free] man has gone before ;)
|
|
Practical demonstration of known GSM security problems
|
|
Raise public awareness abut GSM [in]security
|
|
thus increase the incentive for the market to improve
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
Legal Disclaimer
|
|
|
|
|
|
Legal Disclaimer
|
|
Don't try this at home!
|
|
GSM operates on LICENSED spectrum
|
|
Thus, you need approval from the regulatory authority
|
|
Only use BTS with dummy load!
|
|
Don't interfere with the operators!
|
|
Our software is strictly for research purpose only
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
GSM Network Architecture
|
|
|
|
|
|
The Hitchhikers Guide to the GSM Network
|
|
unfortunately does not exist
|
|
|
|
The GSM related literature
|
|
is typically too high-level
|
|
|
|
The GSM protocol specifications
|
|
are publicly available but _very_ comprehensive (1,108 PDFs, 414MByte)
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
GSM Network Architecture
|
|
|
|
GSM is a bit-synchronous network
|
|
it draws many analogies from ISDN and SDN
|
|
layer 2 modelled after Q.921 / LAPD
|
|
call signalling modelled Q.931
|
|
but: many more protocols for mobility management, radio resources, ...
|
|
like all traditional Telco protocols: Intelligence in the network, not in the end nodes.
|
|
|
|
GSM is a TDMA "nightmare"
|
|
e.g. you never know from/for whom data is without the timing context
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
GSM Network Architecture
|
|
|
|
MS
|
|
Mobile Station (your Phone)
|
|
BTS
|
|
Base Transceiver Station
|
|
BSC
|
|
Base Station Controller
|
|
MSC
|
|
Mobile Switching Center
|
|
HLR/VLR
|
|
Home/Visitor Location Register
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
GSM Base Transceiver Station
|
|
|
|
BTS
|
|
As the name indicates "transceiver"
|
|
Handles
|
|
Layer 1 and some parts of RF layer2
|
|
Modulation/Demodulation
|
|
Time Multiplex, scheduling of frames
|
|
Is not a "Base Station", i.e. not self-contained
|
|
True 'slave' to the BSC
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
GSM Base Station Controller
|
|
|
|
|
|
BSC
|
|
Base Station Controller
|
|
Handles
|
|
most of the actual decision making
|
|
really controls most aspects of BTSs
|
|
handles intra-BSC cell handover
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
GSM Mobile Switching Center
|
|
|
|
|
|
MSC
|
|
Mobile Switching Center
|
|
Handles
|
|
Actual switching of the calls
|
|
Interworking with ISDN or POTS
|
|
Inter-BSC cell handover
|
|
HLR/VLR
|
|
Home/Visitor Location Register
|
|
Handles
|
|
database of local / roaming subscribers
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
GSM A-bis interface
|
|
|
|
|
|
BSC <-> BTS Interface
|
|
is called A-bis
|
|
has the following control layers on E1 TS1
|
|
L2ML (Layer 2 Management)
|
|
TEI management similar to ISDN
|
|
OML (Organization & Maintenance)
|
|
System parameters, events
|
|
RSL (Radio Subsystem Layer)
|
|
has encoded voice data (TRAU frames) on other E1 TS
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
GSM A-bis interface
|
|
|
|
%image "2_small.jpg"
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
GSM A-bis interface
|
|
|
|
%image "3_small.jpg"
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
GSM A-bis interface
|
|
|
|
|
|
Abis RSL
|
|
contains messages for
|
|
Radio Link Layer (RLL)
|
|
Dedicated Channel (DCHAN)
|
|
Common Channel (CCHAN)
|
|
Transceiver (TRX)
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
GSM Mobile Switching Center
|
|
|
|
|
|
Abis RSL Radio Link Layer
|
|
contains messages for
|
|
Call Control (CC)
|
|
Mobility Management (MM)
|
|
Radio Resource (RR)
|
|
Short Message Service (SMS)
|
|
mostly specified in GSM TS 04.08
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
The Siemens BS-11 microBTS
|
|
|
|
|
|
Siemens BS-11 microBTS
|
|
plain old 2G (GSM voice calls, CSD)
|
|
one or two TRX, 30mW to 2W each, GSM900
|
|
two E1 interfaces (for daisy-chaining)
|
|
documentation under NDA, but
|
|
99.9% of the A-bis protocol available from GSM specs
|
|
See TS 04.08 (RLL), 12.21 (OML), 08.58 (RSL)
|
|
RS232 serial port for Local Maintenance Terminal
|
|
LMT software proprietary under NDA
|
|
not needed for operation of the BTS
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
The Siemens BS-11 microBTS
|
|
|
|
%image "1_small.jpg"
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
The Siemens BS-11 microBTS
|
|
|
|
%image "p1010012_small.jpg"
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
The Siemens BS-11 microBTS
|
|
|
|
%image "p1010013_small.jpg"
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
The Siemens BS-11 microBTS
|
|
|
|
%image "p1010020_small.jpg"
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
The Siemens BS-11 microBTS
|
|
|
|
|
|
First steps with the Siemens BS-11
|
|
Harald bought a BS-11 on e-Bay in 2006
|
|
Started to read some specs (08.5x) about A-bis
|
|
Started to build cables for E1 and power
|
|
Bought HFC-E1 PCI card
|
|
Bought Elmi EGM35 Abis analyzer (e-Bay once again)
|
|
Contacted with other people who also bought BS-11
|
|
Found somebody who could provide Abis traces
|
|
Never really had time due to Openmoko and other projects
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
The Siemens BS-11 microBTS
|
|
|
|
|
|
Further steps with the Siemens BS-11
|
|
Dieter bought a BS-11 09/2008
|
|
Bought HFC-E1 PCI card
|
|
Started development based on HFC-E1 reference driver code
|
|
Found somebody who could provide Abis traces
|
|
Made very quick progress
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
BS11-Init
|
|
|
|
|
|
BS11-Init (09/2008)
|
|
Chip cologne HFC-E1 reference code for DOS
|
|
polling, no interrupts
|
|
ported to Windows and Linux (mmap of HFC registers to userspace)
|
|
proof-of-concept code based on challenge-response
|
|
handles TEI assignment, brings OML and RSL up
|
|
allows for location update and paging of single phone
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
BS11-Init
|
|
|
|
%image "4_small.jpg"
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
From BS11-Init to OpenBSC
|
|
|
|
|
|
From BS11-Init to OpenBSC (12/2008)
|
|
get L2ML to work with mISDN
|
|
mainline mISDN doesn't deal with multiple SAPIs and fixed TEI
|
|
learn how new sockets-based mISDN API works
|
|
come up with event-driven architecture, single sleect loop, no threads, ...
|
|
At 25C3:
|
|
add libdbi/sqlite database for "HLR"
|
|
get paging to work, support for configurable network ID
|
|
debugging + stabilization with > 1000 test users ;)
|
|
IMSI + IMEI skimming
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
Work at 25C3
|
|
|
|
|
|
IMSI+IMEI skimming
|
|
very simple:
|
|
phones with automatic network selection pick strongest network
|
|
they send LOCATION UPDATE REQUEST
|
|
we send IDENTITY REQUEST IMSI + IMEISV
|
|
they send IMSI + IMEISV
|
|
we store this in the databasa
|
|
and then send LOCATION UPDATE REJECT
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
Work at 25C3
|
|
|
|
|
|
Mobile Originated Call
|
|
once a MS is registered, we can
|
|
dial a number from the MS
|
|
allocate and establish a TCH/F
|
|
deal with the Signalling and get into Connect
|
|
unfortunately, code for handling voice streams not finished
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
Work at 25C3
|
|
|
|
|
|
Mobile Originated SMS
|
|
once a MS is registered, we can
|
|
send a SMS
|
|
parse + acknowledge SMS PDU data
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
Work at 25C3
|
|
|
|
|
|
The Egypt simulation
|
|
apparently GPS is illegal in mobile phones in Egypt
|
|
"Egypt detection" implemented by checking if any surrounding cells are with Egypt country code
|
|
phones don't even have to register to our BTS!
|
|
so if we claim to be e.g. MobiNil, phones will shut off their GPS
|
|
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
Other GSM related FOSS
|
|
|
|
|
|
Other GSM related FOSS
|
|
OpenBTS
|
|
100% Software Defined Radio bsed on USRP + gnuradio
|
|
implements entire RF+layer1/2/3 and interfacing to SIP/Asterisk
|
|
much more than just a BTS!!
|
|
some code overlap with OpenBSC
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
Links
|
|
|
|
OpenBSC
|
|
http://openbsc.gnumonks.org/
|
|
3GPP / ETSI GSM Specs
|
|
http://www.3gpp.org/
|
|
Priv-Doz. Dr.-Ing Joachim Goeller
|
|
http://www2.informatik.hu-berlin.de/~goeller
|
|
THC GSM Wiki
|
|
http://wiki.thc.org/gsm
|
|
OpenBTS
|
|
http://gnuradio.org/trac/wiki/OpenBTS
|
|
Harald's branch of gsm-tvoid, etc
|
|
git://git.gnumonks.org/gsm.git
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
Thanks
|
|
|
|
|
|
Thanks to
|
|
zecke, alphaone, Stefan for their work on OpenBSC
|
|
W. for his extensive A-bis protocol traces and MA-10
|
|
all the voluntary testers at 25C3
|
|
Karsten Keil for mISDN
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%page
|
|
Running Your Own GSM Network
|
|
Thanks
|
|
|
|
|
|
LIVE DEMO
|