This early support does not use the received position, it just dumps it.
Later it can be used to set clock of the phone. Also it can be used
to calculate the location of a BTS.
This is required to detect duplicated messages during assignment or
handover. Each PDISC uses its own sequence number, but MM+CC+SS share the
same. The sequence number is only required in uplink direction.
Dieter: Please check, if your tester eats it now. Also try to trace if the
sequence number is set correctly.
The interface between l1 and upper layer is called by several
names. IMHO l1ctl is shortest and sounds good so try to unify
using that.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
This splits the headers and adapts the source.
We use osmocom/bb as a prefix because libosmocore also
uses osmocom and generic names such as misc & common could
conflict in the future.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
We split into:
- common: Everything that can be shared
- mobile: The real spec compliant mobile phones
- misc: Different test stuff
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
The upper layer will modify the headers and add some stuff in front,
so it's needed to avoid corrupting memory.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
If there is no (more) "PLMN in list", a complete search is triggered, so
all available cells are searched. Then the list of available networks is
tried for location updating (if allowed) in a defined order. If the
list is done, the process searches for all available cells again.
Note: The process will cause location updating on all networks until all
networks have rejected the mobile or if one network allowed the location
updating. To prevent this, use manual network selection, and set 'rplmn' of
test-sim, so only location updating is tried on the RPLMN.
tx-power: fixed or automatic transmit power selection
(not currently supported by layer 1)
simulated-delay: Make BTS believe that we are closer or at greater distance
than we actually are. This is required to use cells that only allow a limited
range to the mobile. Also it prevents being tracked by location services.
stick: Make mobile stick to a given ARFCN only. For testing purpose the
cell selection process can be limited to only one frequency. This speeds
up cell selection process.
The radio resource layer uses RSL messages to perform RACH requests now.
TX power and timing advance is controlled before RACH request, after IMM.ASS,
and during dedicated mode. (Note that TX power control is not yet supported
by layer 1.)
In dedicated mode a frame is sent to layer 1. Subsequent frames are queued
inside lapdm.c until a confirm from layer 1 is received. Since not all
pending frames are sent rapidly at once, the layer 1 does not crash anymore.
Also included in this commit: handling of reset confirm (maybe required
in the future after dedicated mode)
Now layer23 supports selecting TS 0-4 with SDCCH/8 channels.
But some tests showed me that it doesn't work. Please help debugging.
Added DM release function to l1ctl.c and gsm48_rr.c.
When trying to re-create the header file I made the 'valid' member
of the channel request history a single-bit field, but we actually
assign values different than 0 and 1 to it. This has caused layer23
to consider the IMM ASS to our own channel requests as non-matching.
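The truncation described in this commit message, as an added example that is not code from the repository: only the member name 'valid' comes from the message, while the struct layout, the 'ra' member, the function names and the stored values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed structs: only the member name 'valid' comes from the commit
 * message; 'ra' and the stored values are assumptions for illustration. */
struct cr_narrow { unsigned int valid:1; uint8_t ra; }; /* single-bit field */
struct cr_wide   { uint8_t valid;        uint8_t ra; }; /* full-width field */

/* Return the index of a valid history entry with a matching 'ra', or -1. */
int match_narrow(const struct cr_narrow *h, size_t n, uint8_t ra)
{
	for (size_t i = 0; i < n; i++)
		if (h[i].valid && h[i].ra == ra)
			return (int)i;
	return -1;
}

int match_wide(const struct cr_wide *h, size_t n, uint8_t ra)
{
	for (size_t i = 0; i < n; i++)
		if (h[i].valid && h[i].ra == ra)
			return (int)i;
	return -1;
}

/* Record one request with the given 'valid' marker, then look it up. */
int lookup_narrow(unsigned int valid, uint8_t ra)
{
	struct cr_narrow h[1];
	h[0].valid = valid; /* keeps bit 0 only: 2 is stored as 0 */
	h[0].ra = ra;
	return match_narrow(h, 1, ra);
}

int lookup_wide(unsigned int valid, uint8_t ra)
{
	struct cr_wide h[1];
	h[0].valid = (uint8_t)valid;
	h[0].ra = ra;
	return match_wide(h, 1, ra);
}

int main(void)
{
	for (unsigned int v = 0; v <= 3; v++)
		printf("valid=%u narrow=%d wide=%d\n", v,
		       lookup_narrow(v, 0x1c), lookup_wide(v, 0x1c));
	return 0;
}
```

The assignment compiles without a diagnostic at default warning levels because the value is not a compile-time constant, which is why the mismatch only showed up at run time.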
It seems one of the recent commits introduced build errors due
to missing commits for header file changes. Based on the code,
I reconstructed what I believe might have been the header files...
We include all the parameters we're gonna need to support
TS!=0, hopping, TSC, ...
We also assume the upper layer has decoded the low level
bit fields and gives us neat accessible variables and a
sorted ARFCN array for the Mobile Allocation
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
We introduce the concept of CCCH mode. It can be either
- NONE: receive BCCH only
- COMBINED: CCCH on a BCCH/CCCH+SDCCH/4
- NON_COMBINED: CCCH on a BCCH/CCCH
There is also a new command to change the mode without having
to do the resync.
Currently, we keep the previous default behavior of requesting
a combined CCCH by default
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Instead of handling numerical MCC and MNC, they are now stored and handled
hexadecimal, like they are received by the network. This makes it possible
to correctly handle 2 and 3 digits MNC. Internally 2 digit MNCs are stored
as 0xXXf, and 3 digits MNC are stored as 0xXXX, where X is the digit 0..9.
The length of MNC in the IMSI (2 or 3 digits) depends on the MNC length
trying to match. Anyway that MNC name can be printed even without knowing the
actual length. This is done by matching the IMSI against list of networks.
PLEASE REMOVE "/etc/osmocom/*.ba", because the MCC and MNC stored there is
not valid anymore.
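The storage format described in this commit message (0xXXf for 2-digit and 0xXXX for 3-digit MNCs), as an added example that is not code from the repository: the function names, the 0xffff error value and the sample inputs are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode "01" as 0x01f and "001" as 0x001 (one decimal digit per nibble).
 * Hypothetical helper, not a project function; 0xffff means bad input. */
uint16_t mnc_encode(const char *digits)
{
	size_t len = strlen(digits);
	uint16_t v = 0;

	if (len != 2 && len != 3)
		return 0xffff;
	for (size_t i = 0; i < len; i++) {
		if (digits[i] < '0' || digits[i] > '9')
			return 0xffff;
		v = (uint16_t)((v << 4) | (uint16_t)(digits[i] - '0'));
	}
	if (len == 2)
		v = (uint16_t)((v << 4) | 0xf); /* filler nibble marks 2 digits */
	return v;
}

/* Decode back to a digit string; returns the digit count, 0 if invalid. */
int mnc_decode(uint16_t mnc, char out[4])
{
	unsigned d1 = (mnc >> 8) & 0xf, d2 = (mnc >> 4) & 0xf, d3 = mnc & 0xf;
	int n = (d3 == 0xf) ? 2 : 3;

	if (mnc > 0xfff || d1 > 9 || d2 > 9 || (n == 3 && d3 > 9))
		return 0;
	out[0] = (char)('0' + d1);
	out[1] = (char)('0' + d2);
	out[2] = (n == 3) ? (char)('0' + d3) : '\0';
	out[3] = '\0';
	return n;
}

int main(void)
{
	const char *samples[] = { "01", "001", "26" }; /* constructed inputs */
	char buf[4];
	for (size_t i = 0; i < 3; i++) {
		uint16_t m = mnc_encode(samples[i]);
		printf("%-3s -> 0x%03x -> %d digits\n", samples[i], m, mnc_decode(m, buf));
	}
	return 0;
}
```

A plain integer would store both "01" and "001" as 1; the filler nibble is what keeps the two apart.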
First of all I cleaned up the VTY commands. Instead of something like
"barred-access (yes|no)", I use now "barred-access" and "no barred-access".
Your stored configuration file will not load, because config format has
changed. Just remove the lines that cannot be parsed by VTY from your
config. Then the default values are used on next startup. Modify these as
desired via VTY using the new commands.
Use "rplmn <mcc> <mnc>" or "no rplmn" to set the initial behaviour of
network search. If RPLMN is set, this network is selected. If it is not
found, it will be displayed, then it is time to do a search
"network search 1".
If you have set "no rplmn" the search is started automatically on power on.
After the search you can see available networks and show the cells using
"show cell 1" or the detailed information "show cell 1 <arfcn>".
For testing all that be sure to set the "sim" to "test" and the
"network-search" to "manual". Do "show run" to see all commands to be set.
Only the known BA (band allocation) is used to check for the cell to camp
on. If there is no BA or if nothing is found, the process triggers normal
cell selection.
After location update (for example), the mobile switches to the strongest
cell in the current band allocation.
Pressing CTRL+c causes the detach process to run, then the mobile exits.
This procedure only runs after attachment (location update) and if detach
is required.
The SABM with the detach message is confirmed by a DISC message. The BS11
says that this is caused by sequence error or N200+1 error. Maybe someone
can trace that.
While testing, you may find out that making an emergency call is rejected
with cause 5 (illegal ME), because emergency facilities in some countries
like to reject calls without knowing the subscriber.
An emergency IMSI can be defined via VTY, so it is possible to make calls
with that IMSI, even without the SIM, because authentication is not
applicable during emergency call establishment.
All the information above, I received from the freely available 3GPP TS 04.08.
See NOTE at sub clause 4.5.1.5.
Now location update reject works. The rejected network/cell is stored in
an appropriate list. The lists can be dumped from the VTY.
A fake authentication response is generated until the SIM interface is
available. If the network rejects the test SIM, due to authentication
failure, it is removed and limited service state is entered. This currently
works on networks with SDCCH on the TS0 only.
In case of registration not possible / required, the appropriate result
message (REG_FAILED / REG_SUCCESS) must be returned to PLMN process.
Location updating message fix.
The "BA range" is used for cell re-selection.
Due to layer 1 issues, the process gets stuck very often or loses
synchronization.
After location update, I can now make a call via VTY on SDCCH:
Call control sends SETUP request after requesting an MM connection.
My phone on the network side rang!! Call control fails and requires
further debugging...
The location update is now performed after the channel is assigned.
In dedicated mode the network receives the LOCATION UPDATING REQUEST.
The reply (IDENTITY REQUEST and LOCATION UPDATING REJECT) is received.
But subsequent message like the IDENTITY RESPONSE is not transmitted
by lapdm.c.
I hope that it fixes the crash issues. If a sysinfo was received when no cell is
selected, it was written to a NULL-pointer.
Also after selecting a cell (dedicated mode), it was not good to "continue"
an already stopped search process, if the sync fails.
liblayer23. Other applications using liblayer23 don't need to re-implement it.
Messages from layer 1 are not freed in layer2_read() anymore. They will be
freed by the upper layers. The layers may also decide to queue or to forward
the messages. In general: A message is always discarded by the message handler
and not after calling the message handler.
* port 'mobile' application to new l1ctl_tx_fbsb_req()
* make sure we have a proper downlink header in front of l1ctl_fbsb_resp
* remove duplicate band_arfcn member of struct l1ctl_fbsb_resp
* reset the AFC to its default value when starting new FBSB task
* remove bogus l1s.sb.{synced.count} variables
* allocate msg and send l1ctl_fbsb_resp() only from process context, not FIQ
* properly report SNR and BSIC in fbsb_resp
* introduce arbitrary SNR thresholds for FB0->FB1 and FB1->SB switching
We really want to have those two as distinct operations - and we
want proper state machines in L1 to quickly return if they've
managed to acquire a FB or SB or not. Otherwise scanning will
take ages...
This code now introduces a new l1ctl_fbsb_req that is sent via
L1CTL to ask for a bitmask of FB0/FB1/SB operations. The actual
FB0/FB1 detection now no longer runs for 500 TDMA interrupts
but completes as soon as we either know there is no FCCH,
or that our frequency error is smaller than a caller-specified
threshold.
FB0/FB1 are already working, SB is not yet, sorry.
- Load and save of config now works.
- Network search is displayed on VTY and the result can be selected there.
- Manual/auto mode can be selected via VTY and saved.
It is now possible to show information about:
- mobile
- subscriber
- received cell information
Later it can be used to do configurations (phone's menu)
and trigger events, like dialing a phone number.
- Fixes on PLMN search and cell selection process.
- Fixes on radio resource.
- ^C will cause IMSI detach when pressed the first time.
Pressing ^C again will cause termination of process at any time.
- Fixed reference to system information. (did crash when re-selecting).
- Fix in cell selection state machine. (any re-selection).
- MCC, MNC, LAC change of cell now triggers re-selection.
- Fixed some paging issues. Empty pagings are not displayed anymore. Also paging is now possible when 'camping on any cell'.
The current code will scan frequencies, select a cell and camps on it.
No SIM is inserted. Paging requests and Immediate assignments can be seen.
When inserting a SIM card (uncomment it in app_mobile.c), location update
is triggered after selecting a cell. The RACH request is sent, an
Immediate assignment is received, the dedicated mode is requested.
Nothing happens then, because no confirm / abort of layer 2 is received.
This is the current status of the layer 3 protocols. Everything compiles,
radio resource layer is partly complete. Everything is untested, so don't
expect that it runs and does something useful. The next step for me is
running and debugging it.
Here is the list of files that are added / modified:
new file: ../include/osmocom/gsm322.h
new file: ../include/osmocom/gsm48_cc.h
new file: ../include/osmocom/gsm48_mm.h
new file: ../include/osmocom/gsm48_rr.h
modified: ../include/osmocom/l23_app.h
modified: ../include/osmocom/logging.h
new file: ../include/osmocom/mncc.h
modified: ../include/osmocom/osmocom_data.h
new file: ../include/osmocom/subscriber.h
new file: ../include/osmocom/support.h
new file: ../include/osmocom/sysinfo.h
new file: ../include/osmocom/transaction.h
modified: Makefile.am
new file: app_mobile.c
new file: gsm322.c
new file: gsm48_cc.c
new file: gsm48_mm.c
new file: gsm48_rr.c
modified: main.c
new file: mnccms.c
new file: subscriber.c
new file: support.c
new file: sysinfo.c
new file: transaction.c
Added name to osmocom_ms structure.
l2_ctx is now named l23_ctx, because it is also used there.
A work-handler is useful for applications that need to check queues.
The arfcn variable is renamed to test_arfcn.
I think that arfcn and other frequency parameters should be stored at
the process which sets it and using it when calling l1ctl_tx_ccch_req().
If file access is used to store network information and user settings in the
/etc/ directory. Later it can be used to store them in the EEPROM of the
target.
bcch_scan first iterates over all GSM900/EGSM900/GSM1800 channels and
performs a power measurement. Based on this, it tries to look for
BCCH data on those ARFCNs. Currently, they are simply written to
the pcap file and not analyzed/processed in layer23 yet.
similar to the concept of having 'apps' in the firmware build process,
I'm now building the common code as liblayer23 and we have three apps
that use this library:
layer23 - the old layer23 program
bcch_scan - a passive bcch scanner under development
echo_test - a test program sending large msgb's containing zero bytes
* added missing param in call to gsm48_rx_bcch
* added 'extern' to declarations of rsl_rlm_cause_strs and target_board
* added several 'const' for strings
* removed useless 'bufptr,' from hexdump
(From: itsme <itsme@xs4all.nl>)
* introduce a new 'l1ctl_hdr' structure common to all messages
on this interface
* use struct l1ctl_hdr in both the firmware and layer23
* add a new L1CTL_PM_REQ request for performing layer23-initiated
power measurements (firmware does not implement them yet)
* remove linuxlist.h copy and use osmocore
* don't put 'struct gsm_time' into l1ctl packets
* include rx_level and snr for each burst in l1ctl
* properly build libosmocore.a for target
* move gsmtime functions into libosmocore
* move ctype.h to standard location
* use GSMTAP for uplink frames (generated by layer23; sent to L1)
* only use GSMTAP if the user specifies the '-i dstip' arguments
* properly encode the GSMTAP channel type
* requires GSMTAP protocol version 0x02 (see next commit for wireshark patch)