laforge
/
laforge-slides
1
0
Fork 0
Code Pull Requests Releases Wiki Activity
laforge-slides/2011/gsm-ensa2011/section-osmocombb.tex

297 lines
9.5 KiB
TeX
Raw Permalink Blame History

\section{OsmocomBB Project}
\begin{frame}{A GSM phone baseband processor}
\begin{itemize}
\item GSM protocol stack always runs in a so-called baseband processor (BP)
\item What is the baseband processor
\begin{itemize}
\item Typically ARM7 (2G/2.5G phones) or ARM9 (3G/3.5G phones)
\begin{itemize}
\item Runs some RTOS (often Nucleus, sometimes L4)
\item No memory protection between tasks
\end{itemize}
\item Some kind of DSP, model depends on vendor
\begin{itemize}
\item Runs the digital signal processing for the RF Layer 1
\item Has hardware peripherals for A5 encryption
\end{itemize}
\end{itemize}
\item The software stack on the baseband processor
\begin{itemize}
\item is written in C and assembly
\item lacks any modern security features (stack protection, non-executable pages, address space randomization, ..)
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{A GSM Baseband Chipset}
\begin{figure}[h]
\centering
\includegraphics[width=100mm]{calypso-block.pdf}
\end{figure}
\url{http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf}
\end{frame}
\begin{frame}{Requirements for GSM security analysis}
What do we need for protocol-level security analysis?
\begin{itemize}
\item A GSM MS-side baseband chipset under our control
\item A Layer1 that we can use to generate arbitrary L1 frames
\item A Layer2 protocol implementation that we can use + modify
\item A Layer3 protocol implementation that we can use + modify
\end{itemize}
None of those components existed, so we need to create them!
\end{frame}
\begin{frame}{A GSM baseband under our control}
The two different DIY approaches
\begin{itemize}
\item Build something using generic components (DSP, CPU, ADC, FPGA)
\begin{itemize}
\item No reverse engineering required
\item A lot of work in hardware design + debugging
\item Hardware will be low-quantity and thus expensive
\end{itemize}
\item Build something using existing baseband chipset
\begin{itemize}
\item Reverse engineering or leaked documents required
\item Less work on the 'Layer 0'
\item Still, custom hardware in low quantity
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{A GSM baseband under our control}
Alternative 'lazy' approach
\begin{itemize}
\item Re-purpose existing mobile phone
\begin{itemize}
\item Hardware is known to be working
\item No prototyping, hardware revisions, etc.
\item Reverse engineering required
\item Hardware drivers need to be written
\item But: More time to focus on the actual job: Protocol software
\end{itemize}
\item Searching for suitable phones
\begin{itemize}
\item As cheap as possible
\item Readily available: Many people can play with it
\item As old/simple as possible to keep complexity low
\item Baseband chipset with lots of leaked information
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{Baseband chips with leaked information}
\begin{itemize}
\item Texas Instruments Calypso
\begin{itemize}
\item DBB Documentation on cryptome.org and other sites
\item ABB Documentation on Chinese phone developer websites
\item Source code of GSM stack / drivers was on sf.net (tsm30 project)
\item End of life, no new phones with Calypso since about 2008
\item No cryptographic checks in bootloader
\end{itemize}
\item Mediatek MT622x chipsets
\begin{itemize}
\item Lots of Documentation on Chinese sites
\item SDK with binary-only GSM stack libraries on Chinese sites
\item 95 million produced/sold in Q1/2010
\end{itemize}
\end{itemize}
Initial choice: TI Calypso (GSM stack source available)
\end{frame}
\subsection{OsmocomBB Introduction}
\begin{frame}{OsmocomBB Introduction}
\begin{itemize}
\item Project was started only in January 2010 (9 months ago!)
\item Implementing a GSM baseband software from scratch
\item This includes
\begin{itemize}
\item GSM MS-side protocol stack from Layer 1 through Layer 3
\item Hardware drivers for GSM Baseband chipset
\item Simple User Interface on the phone itself
\item Verbose User Interface on the PC
\end{itemize}
\item Note about the strange project name
\begin{itemize}
\item Osmocom = Open Source MObile COMmunication
\item BB = Base Band
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{OsmocomBB Software Architecture}
\begin{itemize}
\item Reuse code from OpenBSC where possible (libosmocore)
\begin{itemize}
\item We build libosmocore both for phone firmware and PC
\end{itemize}
\item Initially run as little software in the phone
\begin{itemize}
\item Debugging code on your host PC is so much easier
\item You have much more screen real-estate
\item Hardware drivers and Layer1 run in the phone
\item Layer2, 3 and actual phone application / MMI on PC
\item Later, L2 and L3 can me moved to the phone
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{OsmocomBB Software Interfaces}
\begin{itemize}
\item Interface between Layer1 and Layer2 called L1CTL
\begin{itemize}
\item Fully custom protocol as there is no standard
\item Implemented as message based protocol over Sercomm/HDLC/RS232
\end{itemize}
\item Interface between Layer2 and Layer3 called RSLms
\begin{itemize}
\item In the GSM network, Um Layer2 terminates at the BTS but is controlled by the BSC
\item Reuse this GSM 08.58 Radio Signalling Link
\item Extend it where needed for the MS case
\end{itemize}
\end{itemize}
\end{frame}
\subsection{OsmocomBB Software}
\begin{frame}{OsmocomBB Target Firmware}
\begin{itemize}
\item Firmware includes software like
\begin{itemize}
\item Drivers for the Ti Calypso Digital Baseband (DBB)
\item Drivers for the Ti Iota TWL3025 Analog Baseband (ABB)
\item Drivers for the Ti Rita TRF6151 RF Transceiver
\item Drivers for the LCD/LCM of a number of phones
\item CFI flash driver for NOR flash
\item GSM Layer1 synchronous/asynchronous part
\item Sercomm - A HDLC based multiplexer for the RS232 to host PC
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{OsmocomBB Host Software}
\begin{itemize}
\item Current working name: layer23
\item Includes
\begin{itemize}
\item Layer 1 Control (L1CTL) protocol API
\item GSM Layer2 implementation (LAPDm)
\item GSM Layer3 implementation (RR/MM/CC)
\item GSM Cell (re)selection
\item SIM Card emulation
\item Supports various 'apps' depending on purpose
\end{itemize}
\end{itemize}
\end{frame}
\subsection{OsmocomBB Hardware Support}
\begin{frame}{OsmocomBB Supported Hardware}
\begin{itemize}
\item Baseband Chipsets
\begin{itemize}
\item TI Calypso/Iota/Rita
\item Some early research being done on Mediatek (MTK) MT622x
\end{itemize}
\item Actual Phones
\begin{itemize}
\item Compal/Motorola C11x, C12x, C13x, C14x and C15x models
\item Most development/testing on C123 and C155
\item GSM modem part of Openmoko Neo1973 and Freerunner
\end{itemize}
\item All those phones are simple feature phones built on a ARM7TDMI based DBB
\end{itemize}
\end{frame}
\begin{frame}{The Motorola/Compal C123}
\begin{figure}[h]
\centering
\includegraphics[width=100mm]{c123_pcb.jpg}
\end{figure}
\end{frame}
\subsection{OsmocomBB Project Status}
\begin{frame}{OsmocomBB Project Status: Working}
\begin{itemize}
\item Hardware Drivers for Calypso/Iota/Rita very complete
\item Drivers for Audio/Voice signal path
\item Layer1
\begin{itemize}
\item Power measurements
\item Carrier/bit/TDMA synchronization
\item Receive and transmit of normal bursts on SDCCH
\item Transmit of RACH bursts
\item Automatic Rx gain control (AGC)
\item Frequency Hopping
\end{itemize}
\item Layer2 UI/SABM/UA frames and ABM mode
\item Layer3 Messages for RR / MM / CC
\item Cell (re)selection according GSM 03.22
\end{itemize}
\end{frame}
\begin{frame}{OsmocomBB Project Status: Working (2/2)}
OsmocomBB can now do GSM Voice calls (since 08/2010)
\begin{itemize}
\item Very Early Assignment + Late Assignment
\item A3/A8 Authentication of SIM
\item A5/1 + A5/2 Encryption
\item Full Rate (FR) and Enhanced Full Rate (EFR) codec
\end{itemize}
\end{frame}
\begin{frame}{OsmocomBB Project Status: Not working}
\begin{itemize}
\item Layer1
\begin{itemize}
\item Automatic Tx power control (APC)
\item Neighbor Cell Measurements (WIP)
\item In-call hand-over to other cells (WIP)
\end{itemize}
\item Actual UI on the phone
\item Circuit Switched Data (CSD) calls
\item GPRS (packet data)
\item No Type Approval for the stack!
\end{itemize}
\end{frame}
\begin{frame}{OsmocomBB Project Status: Executive Summary}
\begin{itemize}
\item We can establish control/signalling channels to both hopping and non-hopping GSM cells
\begin{itemize}
\item Control over synthesizer means we can even go to GSM-R band
\end{itemize}
\item We can send arbitrary data on those control channels
\begin{itemize}
\item RR messages to BSC
\item MM/CC messages to MSC
\item SMS messages to MSC/SMSC
\end{itemize}
\item TCH (Traffic Channel) support for voice calls
\begin{itemize}
\item Has been used on real networks for 30+ minute calls!
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{OsmocomBB use cases}
OsmocomBB can be used today for
\begin{itemize}
\item practical lab exercises in education on any level of GSM,
from the radio modem through the protocol stack
\item applied research in GSM protocols and GSM security
\item penetration testing of GSM operator equipment
\item measurement and exploration of real operator networks
\end{itemize}
With (your?) help, we can turn it into an actual mobile phone for
regular users, i.e. bringing the freedom of Free Software into one of
the most closed areas of computing.
\end{frame}
View Git Blame Copy Permalink