540 lines
14 KiB
Plaintext
%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"

%center
%size 7

OpenBSC

%size 5
Running Your own
GSM Network

%center
%size 4
by

Harald Welte <laforge@gnumonks.org>


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Why?


	Why would you run your own GSM network?
		For the same reason you might run other networks
		To learn and experiment with technology
		To boldly go where no [free] man has gone before ;)
		Practical demonstration of known GSM security problems
		Raise public awareness about GSM [in]security
			thus increase the incentive for the market to improve

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Legal Disclaimer


	Legal Disclaimer
		Don't try this at home!
		GSM operates on LICENSED spectrum
			Thus, you need approval from the regulatory authority
		Only use BTS with dummy load!
		Don't interfere with the operators!
		Our software is strictly for research purposes only

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Network Architecture


	The Hitchhiker's Guide to the GSM Network
		unfortunately does not exist

	The GSM-related literature
		is typically too high-level

	The GSM protocol specifications
		are publicly available but _very_ comprehensive (1,108 PDFs, 414 MByte)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Network Architecture

	GSM is a bit-synchronous network
		it draws many analogies from ISDN and SDN
		layer 2 modelled after Q.921 / LAPD
		call signalling modelled after Q.931
		but: many more protocols for mobility management, radio resources, ...
		like all traditional Telco protocols: intelligence in the network, not in the end nodes

	GSM is a TDMA "nightmare"
		e.g. you never know from/for whom data is without the timing context

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Network Architecture

	MS
		Mobile Station (your Phone)
	BTS
		Base Transceiver Station
	BSC
		Base Station Controller
	MSC
		Mobile Switching Center
	HLR/VLR
		Home/Visitor Location Register


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Base Transceiver Station


	BTS
		As the name indicates "transceiver"
		Handles
			Layer 1 and some parts of RF layer 2
			Modulation/Demodulation
			Time Multiplex, scheduling of frames
		Is not a "Base Station", i.e. not self-contained
		True 'slave' to the BSC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Base Station Controller


	BSC
		Base Station Controller
		Handles
			most of the actual decision making
			really controls most aspects of BTSs
			handles intra-BSC cell handover

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Mobile Switching Center


	MSC
		Mobile Switching Center
		Handles
			Actual switching of the calls
			Interworking with ISDN or POTS
			Inter-BSC cell handover
	HLR/VLR
		Home/Visitor Location Register
		Handles
			database of local / roaming subscribers

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Um interface


	MS <-> BTS Interface
		is called Um
		layer 2: LAPD derived; called LAPDm
		layer 3: GSM 04.08 RR / MM / CC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface


	BSC <-> BTS Interface
		is called A-bis
		has the following control layers on E1 TS1
			L2ML (Layer 2 Management)
				TEI management similar to ISDN
			OML (Organization & Maintenance)
				System parameters, events
			RSL (Radio Subsystem Layer)
		has encoded voice data (TRAU frames) on other E1 TS

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface

%image "2_small.jpg"


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface

%image "3_small.jpg"


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface


	Abis RSL
		contains messages for
			Radio Link Layer (RLL)
			Dedicated Channel (DCHAN)
			Common Channel (CCHAN)
			Transceiver (TRX)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface


	Abis RSL Radio Link Layer
		contains messages for
			Call Control (CC)
			Mobility Management (MM)
			Radio Resource (RR)
			Short Message Service (SMS)
		mostly specified in GSM TS 04.08

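An added example (not from these slides and not OpenBSC code) that ties the three A-bis slides above together, in the way one would classify frames from an A-bis trace: it demultiplexes a frame from E1 TS1 by LAPD SAPI into L2ML / OML / RSL, sorts RSL by message discriminator into RLL / DCHAN / CCHAN / TRX, and for an RLL DATA INDication reads the protocol discriminator of the carried GSM 04.08 L3 message (CC / MM / RR / SMS). The SAPI values (GSM 08.56), discriminator and IE codes (GSM 08.58) and protocol discriminators (GSM 04.07) come from the specs the slides cite, not from the slides themselves, and the sample frames are constructed.

```python
# Added example, not OpenBSC code. Spec constants (GSM 08.56 SAPIs, 08.58 discriminators/IEs,
# 04.07 protocol discriminators) come from the specs, not from the slides.
SAPI_LINK = {0: "RSL", 62: "OML", 63: "L2ML"}
RSL_GROUP = {0x02: "RLL", 0x08: "DCHAN", 0x0c: "CCHAN", 0x10: "TRX"}  # bits 2-8 of discriminator
RLL_DATA_IND = 0x02
IE_CHAN_NR, IE_LINK_IDENT, IE_L3_INFO = 0x01, 0x02, 0x0b
L3_PD = {0x03: "CC", 0x05: "MM", 0x06: "RR", 0x09: "SMS"}  # low nibble of first L3 octet

def lapd_address(frame):
    """Two LAPD address octets: SAPI in bits 3-8 of octet 1, TEI in bits 2-8 of octet 2."""
    sapi, tei = frame[0] >> 2, frame[1] >> 1
    return SAPI_LINK.get(sapi, "unknown"), sapi, tei

def lapd_header_len(frame):
    """Q.921 control field: 1 octet for U-frames (low two bits 11), 2 octets for I/S-frames."""
    return 2 + (1 if (frame[2] & 0x03) == 0x03 else 2)

def rsl_group(rsl):
    """RSL message discriminator: bit 1 is the T (transparent) flag, bits 2-8 select the group."""
    return RSL_GROUP.get(rsl[0] & 0xfe, "unknown"), bool(rsl[0] & 0x01)

def rll_data_ind_l3(rsl):
    """Walk the IEs of an RLL DATA INDication and return its L3 payload, else None."""
    if rsl_group(rsl)[0] != "RLL" or rsl[1] != RLL_DATA_IND:
        return None
    i = 2
    while i < len(rsl):
        tag = rsl[i]
        if tag in (IE_CHAN_NR, IE_LINK_IDENT):      # TV: one value octet
            i += 2
        elif tag == IE_L3_INFO:                     # TLV: 16-bit length, then the L3 message
            length = (rsl[i + 1] << 8) | rsl[i + 2]
            return rsl[i + 3:i + 3 + length]
        else:
            raise ValueError(f"unexpected RSL IE 0x{tag:02x}")
    return None

def classify(frame):
    """Return (link, rsl_group, l3_protocol) for one A-bis frame (flags and FCS already stripped)."""
    link = lapd_address(frame)[0]
    if link != "RSL":
        return (link, None, None)
    rsl = frame[lapd_header_len(frame):]
    l3 = rll_data_ind_l3(rsl)
    return (link, rsl_group(rsl)[0], L3_PD.get(l3[0] & 0x0f, "unknown") if l3 else None)

# Constructed sample frames: RSL I-frame (SAPI 0, TEI 1) with an RLL DATA IND carrying an MM
# Location Updating Request; OML UI-frame (SAPI 62); RSL I-frame with a CCHAN paging command.
RSL_LU_FRAME = bytes([0x02, 0x03, 0x00, 0x00, 0x03, 0x02, 0x01, 0x08, 0x02, 0x00, 0x0b, 0x00, 0x02, 0x05, 0x08])
OML_FRAME = bytes([0xf8, 0x03, 0x03, 0x80])
RSL_CCHAN_FRAME = bytes([0x02, 0x03, 0x00, 0x00, 0x0c, 0x15])
```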
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS


	Siemens BS-11 microBTS
		plain old 2G (GSM voice calls, CSD)
		one or two TRX, 30mW to 2W each, GSM900
		two E1 interfaces (for daisy-chaining)
		documentation under NDA, but
			99.9% of the A-bis protocol available from GSM specs
			See TS 04.08 (RLL), 12.21 (OML), 08.58 (RSL)
		RS232 serial port for Local Maintenance Terminal
			LMT software proprietary under NDA
			not needed for operation of the BTS
			bs11_config is a FOSS replacement

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "1_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "p1010012_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "p1010013_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "p1010020_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS


	First steps with the Siemens BS-11
		Harald bought a BS-11 on e-Bay in 2006
		Started to read some specs (08.5x) about A-bis
		Started to build cables for E1 and power
		Bought HFC-E1 PCI card
		Bought Elmi EGM35 Abis analyzer (e-Bay once again)
		Got in contact with other people who also bought a BS-11
		Found somebody who could provide Abis traces
		Never really had time due to Openmoko and other projects

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS


	Further steps with the Siemens BS-11
		Dieter bought a BS-11 09/2008
		Bought HFC-E1 PCI card
		Started development based on HFC-E1 reference driver code
		Found somebody who could provide Abis traces
		Made very quick progress

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
BS11-Init


	BS11-Init (09/2008)
		Cologne Chip HFC-E1 reference code for DOS
			polling, no interrupts
		ported to Windows and Linux (mmap of HFC registers to userspace)
		proof-of-concept code based on challenge-response
		handles TEI assignment, brings OML and RSL up
		allows for location update and paging of a single phone

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
BS11-Init

%image "4_small.jpg"


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
From BS11-Init to OpenBSC


	From BS11-Init to OpenBSC (12/2008)
		get L2ML to work with mISDN
			mainline mISDN doesn't deal with multiple SAPIs and fixed TEI
			learn how the new sockets-based mISDN API works
		come up with event-driven architecture, single select loop, no threads, ...
		At 25C3:
			add libdbi/sqlite database for "HLR"
			get paging to work, support for configurable network ID
			debugging + stabilization with > 1000 test users ;)
			IMSI + IMEI skimming

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
OpenBSC takes off (2009)


	implementation of more features
		SMS store-and-forward switching
		stable voice calls (FR and EFR codec)
		support for more than one transceiver per BTS
		support for multiple BTS
		Cisco-like console interface
		support for more BTS models (ip.access nanoBTS)
		interface to traditional E1 (using Linux Call Router)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
OpenBSC takes off (2009)


	fixing tons of bugs and stability issues
		don't rely on the phone behaving properly (e.g. timeouts)
		fix plenty of resource leaks (RAM)
		fix plenty of resource leaks like on-air channels
		finally uncover the last bits of the Siemens A-bis extensions

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
OpenBSC status today


	OpenBSC is a 'GSM network in a box'
		no need for separate MSC/HLR/VLR/AUC/SMSC
	Capabilities
		operation of a network with > 400 users
		multiple BTS, each with multiple TRX
		voice calls and SMS implementation fairly complete
		no in-call handover (only in idle mode)
		no GPRS (yet), no EDGE (yet)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
OpenBSC future


	Separation between BSC and MSC
		Support actual A interface (over SCCP)
		allows OpenBSC to be used with a real MSC
	Support for GPRS + EDGE (with proper BTS)
	Routing of calls between E1 and IP/RTP based BTS
	Interfaces for external apps such as Scapy packet injection

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network


	License from Agentschap Telecom
		Stichting Hxx applied for a GSM test license
		license permits us to use 4 ARFCNs
		Transmit power of 100mW on each ARFCN
		antenna height restricted to 3m
		in case operators get interference, we have to shut down

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network


	Two BS-11, each with two TRX
		BTS0 runs on ARFCN 121 and 123 (LAC 1)
		BTS1 runs on ARFCN 124 and 122 (LAC 2)
	Antennas mounted back-to-back on a tree on top of a hill
	Two BTS share a single E1 link in multi-drop mode

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM BTS's

%image "har2009-bs11_at_tree.small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 BTS Antennas

%image "har2009-bs11_antennas.small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 BTS Antennas

%image "har2009-bs11_antennas2.small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network


	One Linux PC with OpenBSC
		uses mISDN driver for HFC-E1 card
		60m of CAT5 cable runs E1 to the
	Network ID: MCC 204 (NL), MNC 42
	Typical CPU usage < 5%
	Typical RAM usage < 3MB RSS

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 OpenBSC

%image "har2009-gsm_tent.small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network


	Registration procedure
		Your phone tries to use 204-42 or NL-42
		When we first see a particular IMSI
			we send an SMS with auth token and URL
			we kick the phone off the network
		You go to the URL indicated and enter your token
			we mark the IMSI as authorized in our HLR DB
		You try to register to the network again
			we let the phone onto our network

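The registration procedure above, worked through as an added example (not the slides' or OpenBSC's own code): an sqlite "HLR" table, as the slides describe, with the decision taken on each Location Updating Request and the web-form step that redeems the SMS token. The gate is an allow-list keyed on proof that the subscriber received the SMS, so the token must be unguessable and single-use. SMS_URL and the IMSI values are placeholders, not the real ones.

```python
# Added example, not OpenBSC code: the HAR2009 registration gate over an sqlite "HLR".
import secrets
import sqlite3

SMS_URL = "http://REGISTRATION-URL-PLACEHOLDER/"   # the real URL is not on the slides

class Hlr:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE subscriber (imsi TEXT PRIMARY KEY, "
                        "authorized INTEGER NOT NULL DEFAULT 0, token TEXT UNIQUE)")
        self.sms_outbox = []   # (imsi, text) pairs the SMSC would deliver

    def location_update(self, imsi):
        """Decision taken on every Location Updating Request: 'ACCEPT' or 'REJECT'."""
        row = self.db.execute("SELECT authorized FROM subscriber WHERE imsi = ?",
                              (imsi,)).fetchone()
        if row is not None:
            return "ACCEPT" if row[0] else "REJECT"   # seen before, token not yet redeemed
        # First sighting of this IMSI: issue a one-time token, SMS it with the URL, reject.
        # The token is the only secret binding the web form to the phone, so it must be
        # unguessable; 64 random bits is ample for a network of a few thousand phones.
        token = secrets.token_hex(8)
        self.db.execute("INSERT INTO subscriber (imsi, token) VALUES (?, ?)", (imsi, token))
        self.sms_outbox.append((imsi, f"Enter token {token} at {SMS_URL}"))
        return "REJECT"

    def redeem_token(self, token):
        """Web-form handler: authorize the IMSI owning this token. Returns the IMSI or None."""
        row = self.db.execute("SELECT imsi FROM subscriber WHERE token = ?",
                              (token,)).fetchone()
        if row is None:
            return None
        # Clear the token so it cannot be replayed once the IMSI is authorized
        self.db.execute("UPDATE subscriber SET authorized = 1, token = NULL WHERE imsi = ?",
                        (row[0],))
        return row[0]
```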
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network


	How can I use the network
		make and receive calls to/from other registered phones
		send and receive SMS to/from other registered phones
	How can I play with the network
		use airprobe or other tools to eavesdrop on GSM protocol
			we don't use any crypto nor frequency hopping
		we don't do SMS filtering, i.e. you can send any RPDU to any other phone

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network


	Helps us to test OpenBSC under higher load
		already fixed several important software bugs
	Helps us to obtain real-world protocol traces
	Helps us to explore [in]compatibilities with certain phones

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network


	Statistics
		More than 1100 phones tried to use our network
		More than 450 phones completed registration
		More than 1000 SMS sent (use more bandwidth!)
		More than FIXME attempted voice calls
		More than FIXME established voice calls

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Links

	OpenBSC
		http://openbsc.gnumonks.org/
	3GPP / ETSI GSM Specs
		http://www.3gpp.org/
	Priv-Doz. Dr.-Ing. Joachim Goeller
		http://www2.informatik.hu-berlin.de/~goeller
	THC GSM Wiki
		http://wiki.thc.org/gsm
	OpenBTS
		http://gnuradio.org/trac/wiki/OpenBTS

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Thanks


	Thanks to
		zecke, alphaone, Stefan, Jan for their work on OpenBSC
		W. for his extensive A-bis protocol traces and MA-10
		Dieter Spaar for his most excellent input
		Karsten Keil for mISDN
		Andreas Eversberg for LCR interface and HFC-E1 driver
		Stichting Hxx for getting the license
		all the voluntary testers at HAR2009

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Thanks


	LIVE DEMO