\section{OsmocomBB Project}

\begin{frame}{A GSM phone baseband processor}
\begin{itemize}
\item The GSM protocol stack always runs in a so-called baseband processor (BP)
\item What is the baseband processor?
\begin{itemize}
\item Typically an ARM7 (2G/2.5G phones) or ARM9 (3G/3.5G phones) core
\begin{itemize}
\item Runs some RTOS (often Nucleus, sometimes L4)
\item No memory protection between tasks
\end{itemize}
\item Some kind of DSP, model depends on vendor
\begin{itemize}
\item Runs the digital signal processing for the RF Layer 1
\item Has hardware peripherals for A5 encryption
\end{itemize}
\end{itemize}
\item The software stack on the baseband processor
\begin{itemize}
\item is written in C and assembly
\item lacks any modern security features (no stack protection, no non-executable pages, no address space randomization, ...)
\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{A GSM Baseband Chipset}
\begin{figure}[h]
\centering
\includegraphics[width=100mm]{calypso-block.pdf}
\end{figure}
\url{http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf}
\end{frame}

\begin{frame}{Requirements for GSM security analysis}
What do we need for protocol-level security analysis?
\begin{itemize}
\item A GSM MS-side baseband chipset under our control
\item A Layer1 that we can use to generate arbitrary L1 frames
\item A Layer2 protocol implementation that we can use + modify
\item A Layer3 protocol implementation that we can use + modify
\end{itemize}
None of those components existed, so we need to create them!
\end{frame}

\begin{frame}{A GSM baseband under our control}
The two different DIY approaches
\begin{itemize}
\item Build something using generic components (DSP, CPU, ADC, FPGA)
\begin{itemize}
\item No reverse engineering required
\item A lot of work in hardware design + debugging
\item Hardware will be low-quantity and thus expensive
\end{itemize}
\item Build something using an existing baseband chipset
\begin{itemize}
\item Reverse engineering or leaked documents required
\item Less work on the 'Layer 0'
\item Still, custom hardware in low quantity
\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{A GSM baseband under our control}
Alternative 'lazy' approach
\begin{itemize}
\item Re-purpose an existing mobile phone
\begin{itemize}
\item Hardware is known to be working
\item No prototyping, hardware revisions, etc.
\item Reverse engineering required
\item Hardware drivers need to be written
\item But: more time to focus on the actual job: protocol software
\end{itemize}
\item Searching for suitable phones
\begin{itemize}
\item As cheap as possible
\item Readily available: many people can play with it
\item As old/simple as possible to keep complexity low
\item Baseband chipset with lots of leaked information
\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{Baseband chips with leaked information}
\begin{itemize}
\item Texas Instruments Calypso
\begin{itemize}
\item DBB documentation on cryptome.org and other sites
\item ABB documentation on Chinese phone developer websites
\item Source code of GSM stack / drivers was on sf.net (tsm30 project)
\item End of life, no new phones with Calypso since about 2008
\item No cryptographic checks in the bootloader, so it will load and run unsigned code of our own
\end{itemize}
\item Mediatek MT622x chipsets
\begin{itemize}
\item Lots of documentation on Chinese sites
\item SDK with binary-only GSM stack libraries on Chinese sites
\item 95 million produced/sold in Q1/2010
\end{itemize}
\end{itemize}
Initial choice: TI Calypso (GSM stack source available)
\end{frame}

\subsection{OsmocomBB Introduction}

\begin{frame}{OsmocomBB Introduction}
\begin{itemize}
\item Project was started only in January 2010 (9 months ago!)
\item Implementing a GSM baseband software from scratch
\item This includes
\begin{itemize}
\item GSM MS-side protocol stack from Layer 1 through Layer 3
\item Hardware drivers for the GSM baseband chipset
\item Simple user interface on the phone itself
\item Verbose user interface on the PC
\end{itemize}
\item Note about the strange project name
\begin{itemize}
\item Osmocom = Open Source MObile COMmunication
\item BB = Base Band
\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{OsmocomBB Software Architecture}
\begin{itemize}
\item Reuse code from OpenBSC where possible (libosmocore)
\begin{itemize}
\item We build libosmocore both for the phone firmware and for the PC
\end{itemize}
\item Initially run as little software as possible in the phone
\begin{itemize}
\item Debugging code on your host PC is so much easier
\item You have much more screen real estate
\item Hardware drivers and Layer1 run in the phone
\item Layer2, Layer3 and the actual phone application / MMI run on the PC
\item Later, L2 and L3 can be moved to the phone
\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{OsmocomBB Software Interfaces}
\begin{itemize}
\item Interface between Layer1 and Layer2 called L1CTL
\begin{itemize}
\item Fully custom protocol, as there is no standard for this interface
\item Implemented as a message-based protocol over Sercomm/HDLC/RS232
\end{itemize}
\item Interface between Layer2 and Layer3 called RSLms
\begin{itemize}
\item In the GSM network, Um Layer2 terminates at the BTS but is controlled by the BSC
\item Reuse this GSM 08.58 Radio Signalling Link (RSL) protocol
\item Extend it where needed for the MS case
\end{itemize}
\end{itemize}
\end{frame}

\subsection{OsmocomBB Software}

\begin{frame}{OsmocomBB Target Firmware}
\begin{itemize}
\item Firmware includes software like
\begin{itemize}
\item Drivers for the TI Calypso Digital Baseband (DBB)
\item Drivers for the TI Iota TWL3025 Analog Baseband (ABB)
\item Drivers for the TI Rita TRF6151 RF Transceiver
\item Drivers for the LCD/LCM of a number of phones
\item CFI flash driver for NOR flash
\item GSM Layer1, synchronous and asynchronous part
\item Sercomm: an HDLC-based multiplexer for the RS232 link to the host PC
\end{itemize}
\end{itemize}
\end{frame}
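
The interface slide earlier and the firmware list above rest on the same piece of plumbing: L1CTL messages between host and phone are carried by Sercomm, an HDLC-style multiplexer on the RS232 link. The C below is an added example of that kind of byte-stuffed framing and is not OsmocomBB's sercomm.c; the frame layout (FLAG, DLCI, a UI control octet, stuffed payload, FLAG), the DLCI number and the 64-byte payload bound are assumptions made for the example. The receive path is the part worth reading: it runs on a baseband core with no MMU and no stack protector, so the explicit length bound and the resync after a dropped frame are all that stands between a hostile or corrupted serial stream and memory corruption.

```c
/* Added example (not OsmocomBB's sercomm.c): HDLC-style byte-stuffed framing of
 * the kind L1CTL rides on between phone and host. Frame layout, DLCI number and
 * payload bound are assumptions made for this example. Wire: FLAG | DLCI |
 * CTRL(UI) | stuffed payload | FLAG; 0x7E/0x7D in the payload go out as 0x7D, byte^0x20. */
#include <stdint.h>
#include <string.h>

#define HDLC_FLAG   0x7E
#define HDLC_ESCAPE 0x7D
#define HDLC_XOR    0x20
#define HDLC_C_UI   0x03
#define DLCI_L1CTL  5     /* assumed channel number for L1CTL */
#define MAX_PAYLOAD 64    /* assumed hard bound on a decoded payload */

struct hdlc_frame { uint8_t dlci; size_t len; uint8_t data[MAX_PAYLOAD]; };
enum rx_state { RX_WAIT_START, RX_ADDR, RX_CTRL, RX_DATA, RX_ESCAPE };
struct hdlc_rx { enum rx_state state; struct hdlc_frame cur; unsigned dropped; };

/* Encode one frame into out[]; returns bytes written, 0 if it does not fit. */
size_t hdlc_encode(uint8_t dlci, const uint8_t *data, size_t len, uint8_t *out, size_t cap)
{
    size_t pos = 0;
    if (len > MAX_PAYLOAD || dlci == HDLC_FLAG || dlci == HDLC_ESCAPE || cap < 4)
        return 0;
    out[pos++] = HDLC_FLAG; out[pos++] = dlci; out[pos++] = HDLC_C_UI;
    for (size_t i = 0; i < len; i++) {
        int esc = (data[i] == HDLC_FLAG || data[i] == HDLC_ESCAPE);
        if (pos + 1 + esc >= cap) return 0;     /* keep room for the closing flag */
        if (esc) out[pos++] = HDLC_ESCAPE;
        out[pos++] = esc ? data[i] ^ HDLC_XOR : data[i];
    }
    out[pos++] = HDLC_FLAG;
    return pos;
}

void hdlc_rx_init(struct hdlc_rx *rx) { memset(rx, 0, sizeof *rx); rx->state = RX_WAIT_START; }

/* Store a decoded payload byte. The baseband has no MMU and no stack protector, so
 * this bound is all that stops a long frame from overwriting memory: drop it, resync at next FLAG. */
static void rx_store(struct hdlc_rx *rx, uint8_t b)
{
    if (rx->cur.len >= MAX_PAYLOAD) { rx->dropped++; rx->state = RX_WAIT_START; return; }
    rx->cur.data[rx->cur.len++] = b;
    rx->state = RX_DATA;
}

/* Feed one byte from the UART; returns 1 when a complete frame has been copied to *out. */
int hdlc_rx_byte(struct hdlc_rx *rx, uint8_t b, struct hdlc_frame *out)
{
    switch (rx->state) {
    case RX_WAIT_START:
        if (b == HDLC_FLAG) rx->state = RX_ADDR;
        return 0;
    case RX_ADDR:                                /* a FLAG here is just an idle flag */
        if (b != HDLC_FLAG) { rx->cur.dlci = b; rx->cur.len = 0; rx->state = RX_CTRL; }
        return 0;
    case RX_CTRL:
        if (b == HDLC_C_UI) rx->state = RX_DATA; else { rx->dropped++; rx->state = RX_WAIT_START; }
        return 0;
    case RX_DATA:
        if (b == HDLC_FLAG) { *out = rx->cur; rx->state = RX_ADDR; return 1; }
        if (b == HDLC_ESCAPE) rx->state = RX_ESCAPE; else rx_store(rx, b);
        return 0;
    default:                                     /* RX_ESCAPE; escape right before a flag is malformed */
        if (b == HDLC_FLAG) { rx->dropped++; rx->state = RX_ADDR; } else rx_store(rx, b ^ HDLC_XOR);
        return 0;
    }
}

/* Two checks; returns how many passed (2 expected). (a) A constructed payload holding both
 * reserved bytes survives encode + byte-wise decode. (b) An over-long frame, built by hand
 * as a hostile peer would send it, is dropped and the well-formed frame after it still decodes. */
int selftest(void)
{
    const uint8_t payload[] = { 0x7E, 0x01, 0x7D, 0x02 }, small[] = { 0xAA };
    uint8_t wire[32], big[MAX_PAYLOAD + 3];      /* DLCI, CTRL, then MAX_PAYLOAD+1 bytes */
    struct hdlc_rx rx;
    struct hdlc_frame f = { 0 };
    size_t i, n, got = 0, passed = 0;
    hdlc_rx_init(&rx);
    n = hdlc_encode(DLCI_L1CTL, payload, sizeof payload, wire, sizeof wire);
    for (i = 0; i < n; i++)
        got += hdlc_rx_byte(&rx, wire[i], &f);
    passed += (n == 10 && got == 1 && f.dlci == DLCI_L1CTL && f.len == sizeof payload
               && memcmp(f.data, payload, sizeof payload) == 0);
    memset(big, 0x41, sizeof big); big[0] = DLCI_L1CTL; big[1] = HDLC_C_UI;
    for (i = 0; i < sizeof big; i++)             /* the flag closing (a) already opened this frame */
        got += hdlc_rx_byte(&rx, big[i], &f);
    got += hdlc_rx_byte(&rx, HDLC_FLAG, &f);
    n = hdlc_encode(DLCI_L1CTL, small, sizeof small, wire, sizeof wire);
    for (i = 0; i < n; i++)
        got += hdlc_rx_byte(&rx, wire[i], &f);
    passed += (got == 2 && rx.dropped == 1 && f.len == 1 && f.data[0] == 0xAA);
    return (int)passed;
}
```

Any C99 compiler builds it; selftest() returns 2 when both the round trip and the over-long-frame rejection behave. Per-channel dispatch (L1CTL, console, loader) would sit on top of hdlc_rx_byte and look at frame.dlci; the decoder deliberately does not trust anything in the stream, including the length of what it has not yet seen.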

\begin{frame}{OsmocomBB Host Software}
\begin{itemize}
\item Current working name: layer23
\item Includes
\begin{itemize}
\item Layer 1 Control (L1CTL) protocol API
\item GSM Layer2 implementation (LAPDm)
\item GSM Layer3 implementation (RR/MM/CC)
\item GSM cell (re)selection
\item SIM card emulation
\item Supports various 'apps' depending on purpose
\end{itemize}
\end{itemize}
\end{frame}

\subsection{OsmocomBB Hardware Support}

\begin{frame}{OsmocomBB Supported Hardware}
\begin{itemize}
\item Baseband Chipsets
\begin{itemize}
\item TI Calypso/Iota/Rita
\item Some early research being done on Mediatek (MTK) MT622x
\end{itemize}
\item Actual Phones
\begin{itemize}
\item Compal/Motorola C11x, C12x, C13x, C14x and C15x models
\item Most development/testing on C123 and C155
\item GSM modem part of Openmoko Neo1973 and Freerunner
\end{itemize}
\item All those phones are simple feature phones built on an ARM7TDMI based DBB
\end{itemize}
\end{frame}

\begin{frame}{The Motorola/Compal C123}
\begin{figure}[h]
\centering
\includegraphics[width=100mm]{c123_pcb.jpg}
\end{figure}
\end{frame}

\subsection{OsmocomBB Project Status}

\begin{frame}{OsmocomBB Project Status: Working}
\begin{itemize}
\item Hardware drivers for Calypso/Iota/Rita (very complete)
\item Drivers for the audio/voice signal path
\item Layer1
\begin{itemize}
\item Power measurements
\item Carrier/bit/TDMA synchronization
\item Receive and transmit of normal bursts on SDCCH
\item Transmit of RACH bursts
\item Automatic Rx gain control (AGC)
\item Frequency hopping
\end{itemize}
\item Layer2: UI/SABM/UA frames and ABM mode
\item Layer3: messages for RR / MM / CC
\item Cell (re)selection according to GSM 03.22
\end{itemize}
\end{frame}
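
The Layer2 line above (UI/SABM/UA frames and ABM mode) and the LAPDm entry under host software refer to the GSM 04.06 link layer on the Um interface. As an added example, not the project's lapdm code, the C below builds and parses the 23-octet B-format LAPDm frame used on SDCCH/FACCH (address, control and length octets, then the L3 payload and 0x2B fill), classifies the control octet into I, S and U frames, and checks the SABM/UA contention-resolution rule: the UA that establishes ABM must echo the L3 message carried in the SABM. The field layout follows GSM 04.06; the constant and function names are mine, not the project's, and the payloads in the self-test are constructed.

```c
/* Added example (not OsmocomBB's lapdm code): the 23-octet LAPDm B-format frame
 * of GSM 04.06 used on SDCCH/FACCH. Octet 1 address: spare | LPD(2) | SAPI(3) | C/R
 * | EA=1. Octet 2 control: I/S/U frame, HDLC style. Octet 3 length: L(6) | M | EL=1.
 * Octets 4..23: L3 payload, padded with fill octets 0x2B. Test payloads are constructed. */
#include <stdint.h>
#include <string.h>

#define LAPDM_FRAME_LEN 23      /* B format on SDCCH/FACCH */
#define LAPDM_N201      20      /* largest L3 payload that fits */
#define LAPDM_FILL      0x2B
#define LAPDM_SAPI_SIG  0       /* RR/MM/CC signalling */
#define LAPDM_PF_BIT    0x10    /* P/F bit of the control octet */
#define LAPDM_U_SABM    0x2F    /* U-frame control values, P/F bit cleared */
#define LAPDM_U_UI      0x03
#define LAPDM_U_UA      0x63

enum lapdm_ft { FT_I, FT_S, FT_SABM, FT_UI, FT_UA, FT_U_OTHER };

struct lapdm_hdr {
    uint8_t sapi, cr, pf, more, len, nr, ns;   /* nr: I and S frames; ns: I frames */
    enum lapdm_ft type;
    const uint8_t *payload;                    /* points into the parsed frame */
};

/* Build a B-format frame; returns LAPDM_FRAME_LEN, or 0 if the payload exceeds N201. */
size_t lapdm_build(uint8_t sapi, uint8_t cr, uint8_t ctrl, const uint8_t *l3, size_t len,
                   uint8_t out[LAPDM_FRAME_LEN])
{
    if (len > LAPDM_N201)
        return 0;
    out[0] = (uint8_t)(((sapi & 7) << 2) | ((cr & 1) << 1) | 1);   /* LPD=0, EA=1 */
    out[1] = ctrl;
    out[2] = (uint8_t)((len << 2) | 1);                             /* M=0, EL=1 */
    memcpy(out + 3, l3, len);
    memset(out + 3 + len, LAPDM_FILL, LAPDM_N201 - len);
    return LAPDM_FRAME_LEN;
}

/* Decode the control octet: bit 1 = 0 is an I frame, bits 1-2 = 01 an S frame, 11 a U frame. */
static enum lapdm_ft classify(uint8_t ctrl, struct lapdm_hdr *h)
{
    h->pf = (ctrl >> 4) & 1;
    h->ns = h->nr = 0;
    if (!(ctrl & 1)) { h->ns = (ctrl >> 1) & 7; h->nr = ctrl >> 5; return FT_I; }
    if ((ctrl & 3) == 1) { h->nr = ctrl >> 5; return FT_S; }
    switch (ctrl & ~LAPDM_PF_BIT) {
    case LAPDM_U_SABM: return FT_SABM;
    case LAPDM_U_UI:   return FT_UI;
    case LAPDM_U_UA:   return FT_UA;
    default:           return FT_U_OTHER;
    }
}

/* Parse a received B-format frame. Returns 0 on success, -1 when EA/EL/LPD are wrong
 * or the length indicator points past the 23 octets actually received. */
int lapdm_parse(const uint8_t *frame, size_t flen, struct lapdm_hdr *h)
{
    if (flen != LAPDM_FRAME_LEN || (frame[0] & 0x61) != 0x01 || !(frame[2] & 1))
        return -1;
    h->sapi = (frame[0] >> 2) & 7;  h->cr = (frame[0] >> 1) & 1;
    h->more = (frame[2] >> 1) & 1;  h->len = frame[2] >> 2;
    if (h->len > LAPDM_N201)
        return -1;
    h->type = classify(frame[1], h);
    h->payload = frame + 3;
    return 0;
}

/* Contention resolution (GSM 04.06): the UA answering a SABM on SDCCH must carry the same
 * L3 message the SABM did, else another MS won the channel. Returns 1 if they match. */
int lapdm_contention_ok(const uint8_t *sabm, const uint8_t *ua)
{
    struct lapdm_hdr a, b;
    if (lapdm_parse(sabm, LAPDM_FRAME_LEN, &a) || lapdm_parse(ua, LAPDM_FRAME_LEN, &b))
        return 0;
    return a.type == FT_SABM && b.type == FT_UA && a.len == b.len
           && memcmp(a.payload, b.payload, a.len) == 0;
}

/* Returns the number of checks passed (4 expected). */
int selftest(void)
{
    const uint8_t l3[] = { 0x01, 0x02, 0x03, 0x04, 0x05 }, other[] = { 0x11, 0x22 };
    uint8_t sabm[LAPDM_FRAME_LEN], ua[LAPDM_FRAME_LEN], bad[LAPDM_FRAME_LEN];
    struct lapdm_hdr h;
    int passed = 0;
    lapdm_build(LAPDM_SAPI_SIG, 0, LAPDM_U_SABM | LAPDM_PF_BIT, l3, sizeof l3, sabm);
    lapdm_build(LAPDM_SAPI_SIG, 0, LAPDM_U_UA | LAPDM_PF_BIT, l3, sizeof l3, ua);
    lapdm_build(LAPDM_SAPI_SIG, 0, LAPDM_U_UA | LAPDM_PF_BIT, other, sizeof other, bad);
    passed += (lapdm_parse(sabm, sizeof sabm, &h) == 0 && h.type == FT_SABM && h.pf == 1
               && h.sapi == LAPDM_SAPI_SIG && h.len == sizeof l3 && h.payload[4] == 0x05);
    passed += (lapdm_contention_ok(sabm, ua) && !lapdm_contention_ok(sabm, bad));
    bad[2] = (uint8_t)((21 << 2) | 1);                  /* L=21 > N201: must be rejected */
    passed += (lapdm_parse(bad, sizeof bad, &h) == -1);
    bad[2] = (uint8_t)((2 << 2) | 1); bad[0] &= 0xFE;   /* EA=0: must be rejected */
    passed += (lapdm_parse(bad, sizeof bad, &h) == -1);
    return passed;
}
```

selftest() returns 4 when the SABM parses, the contention check accepts the matching UA and rejects the other one, and the parser refuses both a length indicator beyond N201 and a cleared EA bit. The length check matters for the same reason as in any decoder on the phone side: a length octet claiming more than the 20 payload octets actually present would otherwise walk a pointer past the frame, with nothing on the baseband to catch it.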

\begin{frame}{OsmocomBB Project Status: Working (2/2)}
OsmocomBB can now do GSM voice calls (since 08/2010)
\begin{itemize}
\item Very Early Assignment + Late Assignment
\item A3/A8 authentication of the SIM
\item A5/1 + A5/2 encryption
\item Full Rate (FR) and Enhanced Full Rate (EFR) codec
\end{itemize}
\end{frame}

\begin{frame}{OsmocomBB Project Status: Not working}
\begin{itemize}
\item Layer1
\begin{itemize}
\item Automatic Tx power control (APC)
\item Neighbor cell measurements (WIP)
\item In-call handover to other cells (WIP)
\end{itemize}
\item Actual UI on the phone
\item Circuit Switched Data (CSD) calls
\item GPRS (packet data)
\item No Type Approval for the stack!
\end{itemize}
\end{frame}

\begin{frame}{OsmocomBB Project Status: Executive Summary}
\begin{itemize}
\item We can establish control/signalling channels to both hopping and non-hopping GSM cells
\begin{itemize}
\item Control over the synthesizer means we can even tune to the GSM-R band
\end{itemize}
\item We can send arbitrary data on those control channels
\begin{itemize}
\item RR messages to the BSC
\item MM/CC messages to the MSC
\item SMS messages to the MSC/SMSC
\end{itemize}
\item TCH (Traffic Channel) support for voice calls
\begin{itemize}
\item Has been used on real networks for 30+ minute calls!
\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}{OsmocomBB use cases}
OsmocomBB can be used today for
\begin{itemize}
\item practical lab exercises in education on any level of GSM, from the radio modem through the protocol stack
\item applied research in GSM protocols and GSM security
\item penetration testing of GSM operator equipment
\item measurement and exploration of real operator networks
\end{itemize}
With (your?) help, we can turn it into an actual mobile phone for regular users, i.e. bringing the freedom of Free Software into one of the most closed areas of computing.
\end{frame}