This toolkit has branched out into several different tools for
TRX interface hacking, and creating a virtual Um-interface
(FakeTRX) is only one of its potential applications.
Change-Id: I56bcbc76b9c273d6b469a2bb68ddc46f3980e835
There is no need to manually put the license header as a variable
in each application in order to print it. Let's use a common one.
Change-Id: I1a6e8716a9069e7ade3ae15f2c04fd45d18e223c
Since it is not required to specify a bind port to the UDPLink
constructor manually, let's use a random one by default, and
also allow the user to set it from the command line.
Change-Id: Ib4965ebeec83d9a99b2f026156eb5f5cb20875bf
This allows one to obtain a random available port from the
OS, instead of being forced to pick a static value manually.
Change-Id: Ie8b60134239c5447d0b4373c6cca2f3a6ee3ec73
Previously, we used to check if all arguments of a command are
numeric. This was done in a wrong way, so parsing a *valid*
command with at least one negative argument could fail.
Let's remove this check, allowing the command handlers to
deal with argument types themselves.
Change-Id: If31295274a09102c414b5a7aec5dd85d88b2e514
In theory, the maximum TA value is 63 symbols, i.e. 63*256 in this
context. However, our test cases want to test that the BTS behavior is
correct if ever a larger timing offset is reported from TRX to the BTS,
to ensure it is rejected in the BTS. Let's hence increase the values
to rather large min/max limits. We could also remove them completely.
Change-Id: I691d081256e8c6d18ef2836299ed8f7d502da3ee
Now that ctrl_if.py is capable of sending back the response to where
the command originated from, we can just as well send a positive
response back after executing the related commands.
Change-Id: Icba138835149a7264f4db3a6b05f54ca501c4d54
fake_trx is using locally bound and not connected UDP sockets for
control commands.
When we receive a control command, we should not simply send the
response to the default destination, but send it back to the exact
ip+port from which the command originated. This ensures correct routing
of responses even in case multiple programs are interfacing concurrently
with a control socket.
Change-Id: I24a0bba6eed059b101af95dac7d059f34dd715fc
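The reply-to-source behaviour described in the message above, as an added example (not code from the project). It also uses bind port 0 to let the OS pick a free port, as the earlier messages describe. The reply format and the helper names serve_one, new_udp and demo are assumptions made for illustration.

```python
import socket

def serve_one(ctrl_sock):
    """Handle one CTRL datagram and answer the address it came from."""
    data, src = ctrl_sock.recvfrom(128)
    words = data.decode("ascii", "ignore").strip("\0 ").split()
    # Constructed reply format (assumption): echo the command after "RSP".
    if len(words) >= 2 and words[0] == "CMD":
        reply = "RSP " + " ".join(words[1:])
    else:
        reply = "RSP ERR 1"
    # sendto(src), not a fixed default peer: each sender gets its own reply.
    ctrl_sock.sendto(reply.encode("ascii"), src)
    return src

def new_udp(host="127.0.0.1"):
    """Unconnected UDP socket; port 0 lets the OS pick a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    sock.settimeout(2.0)
    return sock

def demo():
    """Two concurrent clients talk to one control socket on loopback."""
    ctrl = new_udp()
    clients = [new_udp(), new_udp()]
    commands = [b"CMD FAKE_TOA 0 64", b"CMD FAKE_TOA -16"]  # constructed
    try:
        for sock, cmd in zip(clients, commands):
            sock.sendto(cmd, ctrl.getsockname())
        sources = [serve_one(ctrl) for _ in clients]
        replies = [sock.recvfrom(128)[0] for sock in clients]
        expected = [sock.getsockname() for sock in clients]
    finally:
        for sock in clients + [ctrl]:
            sock.close()
    return sources, expected, replies

if __name__ == "__main__":
    print(demo())
```

An unconnected, bound socket answers whoever sends to it, so the bind address (loopback here) is what limits who can drive the control interface.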
If field randomization is disabled, Timing Advance value
indicated by MS would be ignored. Let's fix this by
separating the TA calculation code.
Change-Id: If43d5823fc33efc2f1649ea941ab6f619bb6f5e7
FAKE_TOA is an auxiliary CTRL command, which may be used to update
the ToA (Timing of Arrival) value of forwarded bursts at runtime.
This is useful for testing the measurement processing
code in OsmoBTS.
The command is implemented for both BTS and BB CTRL interfaces
in two forms, absolute and relative:
    CMD FAKE_TOA <BASE> <THRESH>
    CMD FAKE_TOA <+-BASE_DELTA>
The first form overwrites both ToA value and its threshold.
The second one is relative, and applies a delta
to the current ToA value.
The command affects Downlink bursts if sent on BTS CTRL
interface, and Uplink bursts if sent on the BB CTRL.
Change-Id: Ia23becec4104d47e7b22350db67b8834d6f1ad1b
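An added example (not the project's code) of a handler for the two FAKE_TOA forms above that validates its own arguments, which is what the earlier message about dropping the all-numeric pre-check asks of command handlers. The isdigit()-based check is a constructed stand-in for such a pre-check, and BurstParams and handle_fake_toa are hypothetical names.

```python
import re

# Optional sign followed by ASCII digits only.
SIGNED_INT = re.compile(r"[+-]?[0-9]+")

def naive_all_numeric(args):
    """Constructed stand-in for a broken pre-check: isdigit() rejects signs."""
    return all(a.isdigit() for a in args)

class BurstParams:
    """Hypothetical holder for the ToA settings of one direction."""
    def __init__(self, toa_base=0, toa_thresh=0):
        self.toa_base = toa_base      # units of 1/256 symbol periods
        self.toa_thresh = toa_thresh

def handle_fake_toa(params, line):
    """Apply one FAKE_TOA command; return 0 on success, -1 on rejection."""
    words = line.split()
    if words[:2] != ["CMD", "FAKE_TOA"]:
        return -1
    args = words[2:]
    if not args or not all(SIGNED_INT.fullmatch(a) for a in args):
        return -1
    if len(args) == 2:
        # Absolute form: <BASE> <THRESH> overwrites both values.
        params.toa_base, params.toa_thresh = int(args[0]), int(args[1])
        return 0
    if len(args) == 1 and args[0][0] in "+-":
        # Relative form: <+-BASE_DELTA> shifts the current base.
        params.toa_base += int(args[0])
        return 0
    return -1
```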
By default, both RSSI and ToA fields randomization is disabled.
Let's add command line options, which allow one to enable it.
Change-Id: Ieac63cc3aadef397906479a6179ba54a53a5311a
Both RSSI and ToA fields randomization is only required in some
specific test / use cases, so let's disable it by default.
Change-Id: I94835a840b6239f2c05197292825cb26977d0216
In order to be able to simulate and randomize both RSSI and ToA
values for Uplink and Downlink separately, let's calculate them
in separate methods of the BurstForwarder.
Change-Id: Ia2031f22f2b549c799c782d0c8c8d0691fb6f18c
Timing Advance value is a timing correction value, indicated by
the network to MS, which is used to compensate UL signal delay.
In other words, the network instructs a phone to transmit bursts
N=TA symbol periods earlier than expected.
Since we are in virtual environment, let's use TA value to
calculate the ToA (Timing of Arrival) value for BTS.
Change-Id: Ie5833a9f221587bbcac10f0b223ead9c1cbda72b
This change implements ToA (Timing of Arrival) parsing, which
was missing in the DATAMSG_TRX2L1. Since we use integer math,
a ToA value is represented in units of 1/256 symbol periods.
Change-Id: Ib11482c06b977c4cf01b0644f5845a2e49d059fb
In order to avoid both float arithmetic as well as losing any
precision, let's use integer math for ToA (Timing of Arrival),
i.e. let's express ToA values in units of 1/256 symbol periods.
Change-Id: I56b88740f4d782ac7591fc096d1969514784a4e1
There are no message specific initialization parts, excepting
the header specific fields setting. Let's use a common constructor,
dropping custom fields from its arguments.
Change-Id: I13a3e4b2f6a1f443ebe7d809df62736e3c43f56f
There is no 'file' type in Python3 anymore, so let's reverse the
condition in DATADumpFile constructor. Also, the tag definition
was incorrect: '\x01' and b'\x01' aren't the same.
Change-Id: Ib00c7f0bd5871fcfce931a4bfa501ae5bf797c45
In Python3 a range has its own type, so its comparison with
a list is incorrect. Let's explicitly convert both bit ranges
to lists in the bit conversion tests.
Change-Id: I98c40d3d63cbcdc3e5dc840ebf8d7310c5c08e56
As the DATAMSG classes were introduced, let's use them.
This approach abstracts one from dealing with raw bytes.
Also, now BurstForwarder randomizes both RSSI and ToA values,
as this feature is supported from-the-box by the DATAMSG_TRX2L1.
Change-Id: Ib15018eab749150e244914dab4b6e433ce0c9209
This change introduces two new methods, which allow one to perform
L12TRX <-> TRX2L1 message type transformations.
Change-Id: Ic99cf74baa1864bf20a8fc0fc025604bc160084c
Setting this option allows one to reuse existing connections,
for example, by injecting CTRL commands or DATA bursts into
existing connections between fake_trx.py and trxcon.
Change-Id: I0882c76affa9a668a12d10967081054d2b666ed1
Previously it was required to call the UDPLink.shutdown() method
manually in order to close a socket. Let's do this automatically
using the destructor of UDPLink.
Change-Id: I59c3dc61ec58cd9effeb789947d28fd602ca91f4
In order to avoid clashes with OsmoTRX, which may be also
running on the same host, let's use a different port range
starting from 6700 by default.
This idea was introduced as a result of OS#2984.
Change-Id: I66b5f25aaba3b836448ed29839c39869b5622bed
Related: OS#2984
One byte may store a value in range [0x00, 0xff]. The maximal 0xff
value is 255 in dec, so a message length is limited to 255 bytes.
This is enough for GSM bursts, but not for EDGE.
Since this change, two bytes of header are used to store the
pending message length. All captures created before are not
supported anymore...
Change-Id: I5a69d5cf2914fe56b2f9acca6054c9470627f91e
Previously, this tool was only able to read a hand-crafted text
file with bursts and send them via the DATA interface. This is
not so useful...
This change implements support of reading DATA capture files,
which can be generated e.g. by trx_sniff.py or burst_gen.py.
Both standard input (stdio) and text-files are not supported
anymore.
Usage example:
    ./burst_send.py -m L1 -i capture.bin --timeslot 2
Change-Id: I626662bd1897c874421ab5178970ec19325f8a47
Now all generated bursts can be also written to a capture file,
using a new option called '--output-file'. If a file already
exists, bursts would be appended to the end. Otherwise a new
capture file is created.
Change-Id: I074ff7dbc4d6beecdecce20de9dade5939e707f2
Since we have a separate class for DATA capture management now,
no need to implement the wheel - let's just use it!
Change-Id: I7c30bcea294ce7270bf905ae5420a06dbc2e46f1
This change introduces the following classes:
- DATADump - basic class, which contains methods to generate
and parse a message header, and some constants.
- DATADumpFile - a child class, which contains methods to
write and parse DATA messages from capture files.
Usage example:
    # Open a capture file
    ddf = DATADumpFile("capture.bin")
    # Parse the 10th message
    msg = ddf.parse_msg(10)
    msg.fn = 100
    msg.tn = 0
    # Append one to the end of the capture
    ddf.append_msg(msg)
Change-Id: I1b31183bd7bcca94de089847ee0b2f4ec88a7f1d
Previously, it was expected that burst length should be equal
to 148. Let's also handle EDGE bursts and use GSM constants.
Change-Id: Iab13dd06f175556137c5e25d2cbddb9bea403b09
The DATAMSG API, that was introduced and extended a few commits
before, provides all required methods to create, validate,
generate and parse DATA messages. Let's use it now.
Change-Id: Ibc99126dc05d873c1ba538a5f4e74866de563f56
This change introduces a new method for both types of messages
called 'desc_hdr', that generates human-readable header
description.
Examples:
    TRX -> L1: fn=571353 tn=1 rssi=-108 toa=-0.53
    L1 -> TRX: fn=1777477 tn=3 pwr=161
Change-Id: Iafe63e39ad68f4ff373ae098424d76ca9f83c8fc
One L1 -> TRX message carries one to-be-transmitted burst encoded
as regular bits (0 or 1). One TRX -> L1 message carries one
received burst encoded as unsigned soft-bits (0..254).
This shall be noted during message encoding and decoding process.
Also, we shall distinguish between GSM and EDGE bursts.
Change-Id: I909b7a4dc70e8c632987bde07f00281a6595c4cb
This change introduces three new classes:
- DATAMSG - abstract class, defines common fields and methods
for any message on DATA interface, e.g. frame and timeslot
numbers, bit conversion methods, etc.
- DATAMSG_L12TRX - a child of DATAMSG, defines a message
coming from L1 to TRX.
- DATAMSG_TRX2L1 - a child of DATAMSG, defines a message
coming from TRX to L1.
Both child classes could be used to generate DATA messages from
known fields (i.e. fn, tn, etc.), and parse them back from
already encoded DATA messages.
Change-Id: Id1c72f0b18fb128acc74d0cd899fb7aab7bd8790
Previously there were multiple definitions of some common GSM
constants in different modules. Let's share them.
Change-Id: Id6cdfbc6e8688755a0df7e44daa512c9afa7dad2
This change introduces a new tool, which could be used to sniff a
single connection between L1 and TRX in both directions, filter
captured bursts by direction, timeslot and/or frame number, and
finally write them to a binary file for further analysis.
Sniffing capability is based on Scapy framework, so it should
be installed in order to run this tool. Please also note,
that sniffing requires root access. For details, see:
https://github.com/secdev/scapy
https://scapy.readthedocs.io/en/latest/
Usage example:
    sudo ./trx_sniff --frame-count 30 --timeslot 2 -o /tmp/bursts
This command will capture 30 frames on timeslot number 2, and
write them to a binary file. The format of this file is based
on TLV (Tag Length Value), that wraps each burst:
    ... |-TAG (byte)-|-LEN (byte)-|-BURST (LEN bytes)-| ...
    TAG 0x01 - a message coming from L1 to TRX
    TAG 0x02 - a message coming from TRX to L1
Change-Id: I6e65e1d657574cc3e67bc7cdb1c01ef6bf08ecde
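An added example (not the project's code) of a bounds-checked reader for the TLV capture layout above, covering both the one-byte LEN of this message and the two-byte LEN introduced by the later header change. Big-endian byte order for the two-byte length is an assumption, the function names are hypothetical, and the payloads in the demo are constructed.

```python
TAG_L12TRX = 0x01  # a message coming from L1 to TRX
TAG_TRX2L1 = 0x02  # a message coming from TRX to L1

def build_record(tag, payload, len_size=2):
    """Wrap one message as TAG | LEN | payload (LEN is len_size bytes)."""
    if len(payload) >= 1 << (8 * len_size):
        raise ValueError("payload of %d bytes does not fit a %d-byte LEN"
                         % (len(payload), len_size))
    # Assumption: multi-byte LEN is stored big-endian.
    return bytes([tag]) + len(payload).to_bytes(len_size, "big") + payload

def parse_capture(buf, len_size=2):
    """Return [(tag, payload), ...]; raise ValueError on malformed input."""
    records = []
    hdr_len = 1 + len_size
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < hdr_len:
            raise ValueError("truncated header at offset %d" % pos)
        tag = buf[pos]  # indexing bytes yields an int in Python 3
        if tag not in (TAG_L12TRX, TAG_TRX2L1):
            raise ValueError("unknown tag 0x%02x at offset %d" % (tag, pos))
        length = int.from_bytes(buf[pos + 1:pos + hdr_len], "big")
        pos += hdr_len
        # Never trust LEN beyond what the file actually holds.
        if length > len(buf) - pos:
            raise ValueError("record at offset %d claims %d bytes, %d left"
                             % (pos - hdr_len, length, len(buf) - pos))
        records.append((tag, buf[pos:pos + length]))
        pos += length
    return records

if __name__ == "__main__":
    # Constructed payloads: 148 bytes (GSM-sized) and 444 bytes (EDGE-sized).
    capture = (build_record(TAG_L12TRX, bytes(148)) +
               build_record(TAG_TRX2L1, bytes(444)))
    for tag, payload in parse_capture(capture):
        print("tag=0x%02x len=%d" % (tag, len(payload)))
```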
Previously, the L1CTL_CRYPTO_REQ message contained only a ciphering
algorithm and actual Kc key to be used. The key length was
calculated manually using the MSGB API.
Let's avoid manual calculations here, as it may cause unexpected
behavior if the message structure is changed. Also, let's fill
the UL header with minimal information about a channel, which
is going to be encrypted.
Change-Id: I1813a188e755141241273479b17896415abcc3f1
Previously, TCH frames coming from L1 were reordered to the RTP
format. Moreover, the implementation had a few problems:
- L1CTL is not the best place for such manipulations;
- payloads with other than FR codec were corrupted.
Let's use RTP-ordered payloads on the L1CTL interface,
performing TCH frame reordering at the firmware.
Please note, that actual FR reordering was moved to the firmware
as is, without any codec determination. This could be fixed in
a separate change.
Change-Id: I235a9f535c39d8e57f5d2c6566daeaf883aeef9e