\section{OpenBTS, airprobe and wireshark}
|
|
|
|
\subsection{OpenBTS Introduction}
|
|
|
|
\begin{frame}{What is OpenBTS?}
|
|
\begin{itemize}
|
|
\item is \emph{NOT} a BTS in the typical GSM sense
|
|
\item is better described as a GSM-Um to SIP gateway
|
|
\item implements the GSM Um (air interface) as an SDR
|
|
\item uses the USRP hardware as RF interface
|
|
\item does not implement any of BSC, MSC, HLR, etc.
|
|
\item bridges the GSM Layer3 protocol onto SIP
|
|
\item uses SIP switch (like Asterisk) for switching calls + SMS
|
|
\item is developed as a C++ program and runs on Linux + MacOS
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{What is OpenBTS?}
|
|
\begin{itemize}
|
|
\item Open implementation of Um L1 \& L2, an all-software BTS.
|
|
\item L1/L2 design based on an object-oriented dataflow approach.
|
|
\item Includes L3 RR functions normally found in BSC.
|
|
\item Uses SIP PBX for MM and CC functions, eliminating the conventional GSM network. L3 is like an ISDN/SIP gateway.
|
|
\item Intended for use in low-cost and rapidly-deployed communications networks, but can be used for experiments (including by Chris Paget at Def Con).
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OpenBTS Hardware}
|
|
OpenBTS supports the following SDR hardware:
|
|
\begin{itemize}
|
|
\item Ettus USRP(1) with two RFX 900 or RFX 1800 daughter boards
|
|
\begin{itemize}
|
|
\item Modification for external clock input recommended
|
|
\item External 52 MHz precision clock recommended
|
|
\end{itemize}
|
|
\item Kestrel Signal Processing / Range Networks custom radio
|
|
\item Close Haul Communications / GAPfiller (work in progress)
|
|
\item Ported to other radios by other clients
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{OpenBTS History + Tests}
|
|
\begin{itemize}
|
|
\item Started work in August 2007, first call in January 2008, first SMS in December 2008.
|
|
\item First public release in September 2008, assigned to FSF in October 2008.
|
|
\item Tested 3-sector system with 10,000--20,000 handsets at September 2009 Burning Man event in Nevada.
|
|
\item Tested 2-sector system with 40,000 handsets at September 2010 Burning Man event in Nevada.
|
|
\item Release 2.5 is about 13k lines of C++.
|
|
\item Part of GNU Radio project, distributed under GPLv3 ($\geq$ 2.6: AGPLv3)
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OpenBTS Software Architecture}
|
|
\begin{itemize}
|
|
\item \texttt{Transceiver} program
|
|
\begin{itemize}
|
|
\item SDR processing for Layer 0
|
|
\item BTS-side GSM Um Layer 1 implementation
|
|
\item sends GSM burst data via UDP socket
|
|
\end{itemize}
|
|
\item \texttt{OpenBTS} program
|
|
\begin{itemize}
|
|
\item GSM Um Layer 2 (04.06) + 3 (04.08) implementation
|
|
\item SIP UA implementation
|
|
\item GSM Layer 3 CC to SIP bridge implementation
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OpenBTS GSM $\leftrightarrow$ SIP mapping}
|
|
\begin{itemize}
|
|
\item Location Updates mapped to SIP registration
|
|
\begin{itemize}
|
|
\item Use IMSI as SIP user name
|
|
\end{itemize}
|
|
\item Call Control mapped to SIP transactions
|
|
\begin{itemize}
|
|
\item relatively straightforward
|
|
\end{itemize}
|
|
\item GSM Traffic Channels mapped to RTP channels
|
|
\begin{itemize}
|
|
\item No transcoding inside OpenBTS, FR/EFR messages are simply relayed
|
|
\end{itemize}
|
|
\item SMS mapped to SIP messaging according to RFC 3428
|
|
\begin{itemize}
|
|
\item A separate \texttt{smqueue} daemon implements store+forward
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
%\subsection{Clocking}
|
|
|
|
\begin{frame}{OpenBTS USRP Clocking}{Clock Stability}
|
|
\begin{itemize}
|
|
\item USRP has a regular XO (Crystal Oscillator) with 20\,ppm accuracy
|
|
\item GSM requires 20\,ppb carrier clock accuracy
|
|
\item possible solutions
|
|
\begin{itemize}
|
|
\item use external VCTCXO clocking module
|
|
\item use external OCXO clocking module
|
|
\item use a software calibration program comparing USRP XO with real GSM BTS carrier clocks
|
|
\end{itemize}
|
|
\item due to clock multiplication, the absolute frequency error in GSM1800 is higher than in GSM900
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{OpenBTS USRP Clocking}{64 MHz vs. 52 MHz clock}
|
|
\begin{itemize}
|
|
\item The USRP master clock is 64 MHz
|
|
\item In GSM, all clocks are derived from 13 MHz
|
|
\item Thus, a poly-phase re-sampler is part of the SDR software
|
|
\item Alternative: use a 52 MHz (13 MHz $\times$ 4) external clock
|
|
\item OpenBTS has two transceiver programs, one each for the 64 MHz and 52 MHz clocks
|
|
\begin{itemize}
|
|
\item Make sure to never use the wrong transceiver for your clock!
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OpenBTS USRP Clocking}{Software Calibration}
|
|
Basic idea: use a real GSM cell as the clock source
|
|
\begin{itemize}
|
|
\item Implemented by the \emph{Kalibrator} (\texttt{kal}) program
|
|
\item Acquire the FCCH burst of a real GSM cell
|
|
\item Measure the clock difference between USRP XO and that cell
|
|
\item Use the computed error as a frequency offset for the USRP up/downconverter
|
|
\item However, temperature and other drift will make clocks go out of sync over time
|
|
\item Can only be used if a real-world GSM network is within range
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
%\begin{frame}[fragile]{OpenBTS USRP Clocking}{Kalibrator Example}
|
|
%\begin{block}{Example of running {\tt kal}}
|
|
%\begin{lstlisting}
|
|
%[openBTS@openBTS kal-0.2]# ./kal -f 946600000 -u
|
|
%USRP side: B
|
|
%FPGA clock: 52000000
|
|
%Decimation: 192
|
|
%Antenna: RX2
|
|
%Sample rate: 270833.343750
|
|
%average [min, max] (range, stddev) -2197.789062 [-2431, -1843] (588, 146.761444)
|
|
%\end{lstlisting}
|
|
%\end{block}
|
|
%The value {\bf -2198 should be used as FREQOFF constant in Transceiver/USRPDevice.cpp}
|
|
%\end{frame}
|
|
|
|
\begin{frame}{OpenBTS -- ``Nevada Test Site'' \& 21\,m Mast}
|
|
\begin{figure}[h]
|
|
\centering
|
|
\includegraphics[width=85mm]{NevadaTestSite.jpg}
|
|
\end{figure}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Burning Man 2010 Tower Base}
|
|
\begin{figure}[h]
|
|
\centering
|
|
\includegraphics[width=85mm]{OBTSBM2010.jpg}
|
|
\end{figure}
|
|
\end{frame}
|
|
|
|
%\begin{frame}<handout:0>{OpenBTS}
|
|
% Demonstration
|
|
%\end{frame}
|
|
|
|
\begin{frame}{OpenMS}
|
|
\begin{itemize}
|
|
\item Subscriber side stack based on OpenBTS.
|
|
\item Called an MS, but it is just a BTS stack with the data flows reversed and different RR control logic.
|
|
\item Behavior is more like a passive interceptor that can also transmit.
|
|
\item Release 1.0 supports non-hopping multi-ARFCN networks.
|
|
\item Most L3 control logic is provided by the end user.
|
|
\item A platform for
|
|
\begin{itemize}
|
|
\item passive interceptors
|
|
\item custom subscriber-side applications
|
|
\item environment analysis
|
|
\item intelligent jamming
|
|
\end{itemize}
|
|
\item NOT Open Source
|
|
\end{itemize}
|
|
\end{frame}
|