Both '--bind-addr' and '--burst-type' had the same short '-b'.
Let's use the upper case version for '--burst-type'.
Change-Id: Ib8a46e25cbc6266c3e147582f9e8045362270151
There are multiple advantages of using Python's logging module:
- advanced message formatting (file name, line number, etc.),
- multiple logging targets (e.g. stderr, file, socket),
- logging levels (e.g. DEBUG, INFO, ERROR),
- the pythonic way ;)
so, let's replace multiple print() calls by logging calls,
add use the following logging message format by default:
[%(levelname)s] %(filename)s:%(lineno)d %(message)s
Examples:
[INFO] ctrl_if_bts.py:57 Starting transceiver...
[DEBUG] clck_gen.py:87 IND CLOCK 26826
[DEBUG] ctrl_if_bts.py:71 Recv POWEROFF cmd
[INFO] ctrl_if_bts.py:73 Stopping transceiver...
[INFO] fake_trx.py:127 Shutting down...
Please note that there is no way to filter messages by logging
level yet. This is to be introduced soon, together with argparse.
Change-Id: I7fcafabafe8323b58990997a47afdd48b6d1f357
The randomization of both UL/DL RSSI and ToA values is optional,
and can be configured from the control interface (see both
FAKE_RSSI and FAKE_TOA commands).
The command line options for enabling / disabling the randomization
were redundant, so let's get rid of them and check if the
corresponding treshold value is set.
Change-Id: I6adc13b8989ade2fab895673525c0ca17bf9b3f2
For some reason, the time-slot pass-filtering was only done for
DL bursts, but not for UL bursts. BurstForwarder shall not pass
UL bursts for unconfigured time-slots too.
Let's also print a warning if an UL burst is sent on a not
configured time-slot, i.e. before sending SETSLOT command.
Change-Id: Idb7f5b212e5814aeff8ca8bc875ad066674267cd
Previously it was only possible to configure a single time-slot
that would be pass-filtered by a BurstForwarder instance. In some
applications it would be useful to configure multiple time-slots,
so let's refactor the time-slot pass-filtering algorithm.
Change-Id: Ie1490adaf7a7c62c966aeb60c1898eaf3b5a1e84
Instead of having all configuration variables of BurstForwarder
initialized in the class heading, let's introduce two functions
for initialization (resetting to defaults) of both UL/DL params.
This would allow to reset a BurstForwarder instance from the
control interface in follow-up patches.
Let's also introduce some basic documentation for the class
fields, which were defined in the heading previously.
Change-Id: I6b1bf41cf22f01a7e7ecc91c625fb0d2bf4bfeac
Unlike the DATA messages, traffic frames may have different length.
Instead of having fixed payload (i.e. TCH frame) length, let's
introduce a flexible array member. This would allow one to
calculate the frame length using the MSGB API.
Change-Id: I119fa36c84e95c3003d57c19e25f8146ed45c3c6
Since FakeTRX is a proxy, it basically emulates transceiver for
both osmo-bts-trx and trxcon, hence there are two separate and
independent control interfaces (usually, ports 6701 and 5701).
All simulation commands (see 'FAKE_*') are usually implemented
on both interfaces separately:
- ctrl_if_bb.py - simulation commands affecting Uplink,
- ctrl_if_bts.py - simulation commands affecting Downlink.
This change introduces the 'FAKE_RSSI' command for both CTRL
interfaces in two variations:
- absolute: CMD FAKE_RSSI <BASE> <THRESH>
- relative: CMD FAKE_RSSI <+-BASE_DELTA>
where 'THRESH' affects optional value randomization.
Change-Id: Ic01c31fb0304345dd7337c3ee1c7ee3c2d3e8460
According to GSM TS 05.02, there are two ways to enable CBCH:
a) replace sub-slot number 2 of CCCH+SDCCH/4 (comb. V),
b) replace sub-slot number 2 of SDCCH/8 (comb. VII).
Unlike SDCCH/8 (case b), CCCH+SDCCH/4 can be allocated on TS0
only, and shall not use frequency hopping. This means that
implementing CBCH support on SDCCH/8 would require much more
efforts than on combined CCCH+SDCCH/4, as in last case CBCH
messages can be received without the need to switch from
idle to dedicated mode.
This change introduces a new ccch_mode item, which should be
used by the higher layers to indicate presence of CBCH channel
on C0/TS0, so the PHY would enable decoding of CBCH messages
on CCCH+SDCCH/4 (case a) in idle mode.
Regarding to CBCH on SDCCH/8 (case b), it makes sense to
extend the 'l1ctl_dm_est_req', so it would be handled in
dedicated mode on request from the higher layers.
Change-Id: Ia94ebf22a2ec439dfe1f31d703b832ae57b48ef2
According to GSM TS 05.02, section 3.3.5, Cell Broadcast Channel
(CBCH) is a downlink only channel, which is used to carry the
short message service cell broadcast (SMSCB). CBCH is optional,
and uses the same physical channel as SDCCH. More precisely,
CBCH replaces sub-slot number 2 of SDCCH channels when enabled.
This change introduces the following CBCH related tasks:
- MF_TASK_SDCCH4_CBCH (CBCH on C0/TS0 SDCCH/4),
- MF_TASK_SDCCH8_CBCH (CBCH on SDCCH/8),
which are identified using the following Osmocom specific cbits:
- MF_TASK_SDCCH4_CBCH - 0x18 (0b11000),
- MF_TASK_SDCCH8_CBCH - 0x19 (0b11001).
The only way to enable these tasks at the moment is to send
L1CTL_DM_EST_REQ message with required cbits and tn.
Change-Id: I1d7f02cba1cd8f6527360589d2d2747b6426f78b
The mframe_task2chan_nr() is used to get the channel number
(encoded according to 08.58 Chapter 9.3.1) corresponding to
a given multi-frame task type.
It makes sense to at least print some debug message in cases
when there is no matching channel number for a given task type.
Change-Id: I34587b6c67015513de35d85a7a3291f452ee7f3b
Despite the correct range of Timing Advance value is [0..63],
there is a special feature in OsmocomBB which allows one to
simulate the distance between both MS and a BTS by playing
with the signal delay.
So, let's drop the range limitation.
Change-Id: I8fd2a2ab7784b38bde5ebcfd0359b7e2cb53f5a7
This change introduces a couple of new CTRL commands for path loss
simulation, in particular a possibility to drop some amount of
bursts according to some TDMA frame period, separately for both
Uplink and Downlink directions.
Examples:
FAKE_DROP 4 - drop 4 consistent (period=1) bursts,
FAKE_DROP 16 2 - drop 16 even bursts (period=2).
Change-Id: Ib210138a03e2377c79875a4ff2f2bb58a43cfa46
Related: OS#3428
This change separates burst preprocessing (i.e. both RSSI and ToA
calculation) from BurstForwarder.transform_msg() because it's not
actually related to the message transformation process.
Change-Id: Ia7ad970593f38d9a9401975eb6dae67cd0c94e11
The Scapy itself was the actual cause of continuously growing
memory consumption. It was configured to store the captured
packets, what isn't required for this tool.
Change-Id: I0c6d9b76398e148b7febd94aa37aa2fa22d19b3f
Unfortunately current code architecture doesn't support a return path
with an error so tell the caller of L1CTL on the other side that
something's wrong.
Change-Id: Ib9b622dd5c9770c5e97fa58deee124a409544d3b
Some time ago a broken fix was committed which
then has been reverted again in commit
1724003737.
The purpose of this line is to clear the uplink
flag from the ARFCN. So far this worked because
both gsm_arfcn2band() and gsm_arfcn2freq10()
already do this internally.
Change-Id: Ie8a05ffc0ddec53d7fd6a25e03ea285fb216df29
Signed-off-by: Steve Markgraf <steve@steve-m.de>
Previous hardcoded default of 0.0.0.0 was inappropiate in some
scenarios, as it sets the SRC addr of the packets sent through the
socket based on the routing.
For instance, if iface IF1 has assigned two IP addresses A and B,
A being the first addr of the interface, and osmo-bts-trx is
configured with "osmotrx ip local A" and "osmotrx ip remote B",
the following happens:
CMD POWER OFF src=A:5801 dst=B:5701
RSP POWER OFF src=A:5701 dst=A:5701 <-- A is assigned as src addr.
But osmo-bts-trx is waiting for packets from B:5701, and the packet
is dropped with ICMP Unreachable. If addr binding is forced in
fake_trx to B, then everthing's fine.
Let's extend the UDPLink in order to allow manual, but optional
setting of bind address, and add a corresponding cmdline
argument to all executables.
Change-Id: I7be18fef40967fb7551f4115f22cbbd9cdb0840d
Previously, TCH frames coming from L1 were reordered to the RTP
format. Moreover, the implementation had a few problems:
- L1CTL is not the best place for such manipulations;
- payloads with other than FR codec were corrupted.
Let's use RTP-ordered payloads on the L1CTL interface,
performing TCH frame reordering at the firmware.
Please note, that actual FR reordering was moved to the firmware
as is, without any codec determination. This could be fixed in
a separate change.
Change-Id: I81ec8ed3c9e72a62b22c1720c299cdc68b733cf1
Previously, the L1CTL_CRYPTO_REQ message contained only a ciphering
algorithm and actual Kc key to be used. The key length was
calculated manually using the MSGB API.
Let's avoid manual calculations here, as it may cause unexpected
behavior if the message structure is changed. Also, let's fill
the UL header with minimal information about a channel, which
is going to be encrypted.
Change-Id: I5fab079907c5276322d3ec2b46cab81f10c7ed09
This toolkit has branched out into several different tools for
TRX interface hacking, and creating a virtual Um-interface
(FakeTRX) is only one of its potential applications.
Change-Id: I56bcbc76b9c273d6b469a2bb68ddc46f3980e835
There is no need to manually put the license header as a variable
in each application in order to print it. Let's use a common one.
Change-Id: I1a6e8716a9069e7ade3ae15f2c04fd45d18e223c
Since it is not required to specify a bind port to the UDPLink
constructor manually, let's use a random one by default, and
also allow user to set it from command line.
Change-Id: Ib4965ebeec83d9a99b2f026156eb5f5cb20875bf
This allows one to obtain a random available port from the
OS, instead of enforcing to pick a static value manually.
Change-Id: Ie8b60134239c5447d0b4373c6cca2f3a6ee3ec73
Previously, we used to check if all arguments of a command are
numeric. This was done in a wrong way, so parsing a *valid*
command with at least one negative argument could fail.
Let's remove this check, allowing the command handlers to
deal with argument types themselves.
Change-Id: If31295274a09102c414b5a7aec5dd85d88b2e514
In theory, the maximum TA value is 63 symbols, i.e. 63*256 in this
context. However, our test cases want to test the BTS behavior is
correct if ever a larger timing offset is reported from TRX to the BTS,
to ensure it is rejected in the BTS. Let's hence increase the values
to rather large min/max limits. We could also remove them completely.
Change-Id: I691d081256e8c6d18ef2836299ed8f7d502da3ee
Now that ctrl_if.py is capable of sending back the response to where
the command originated from, we can just as well send a positive
response back after executing the related commands.
Change-Id: Icba138835149a7264f4db3a6b05f54ca501c4d54
fake_trx is using locally bound and not connected UDP sockets for
control commands.
When we receive a control command, we should not simply send the
response to the default destination, but send it back to the exact
ip+prt from which the command originated. This ensures correct routing
of responses even in case multiple programs are interfacing concurrently
with a control socket.
Change-Id: I24a0bba6eed059b101af95dac7d059f34dd715fc
If field randomization is disabled, Timing Advance value
indicated by MS would be ignored. Let's fix this by
separating the TA calculation code.
Change-Id: If43d5823fc33efc2f1649ea941ab6f619bb6f5e7
FAKE_TOA is an auxilary CTRL command, which may be used to update
the ToA (Timing of Arrival) value of forwarded bursts at runtime.
This is useful for testing the measurement processing
code in OsmoBTS.
The command is implemented for both BTS and BB CTRL interfaces
in two absolute and relative forms:
CMD FAKE_TOA <BASE> <THRESH>
CMD FAKE_TOA <+-BASE_DELTA>
The first form overwrites both ToA value and its treshold.
The second one is relative, and applies a delta
to the current ToA value.
The command affects Downlink bursts if sent on BTS CTRL
interface, and Uplink bursts if sent on the BB CTRL.
Change-Id: Ia23becec4104d47e7b22350db67b8834d6f1ad1b
By default, both RSSI and ToA fields randomization is disabled.
Let's add command line options, which allow one to enable it.
Change-Id: Ieac63cc3aadef397906479a6179ba54a53a5311a
Both RSSI and ToA fields randomization is only required in some
specific test / use cases, so let's disable it by default.
Change-Id: I94835a840b6239f2c05197292825cb26977d0216
In order to be able to simulate and randomize both RSSI and ToA
values for Uplink and Downlink separately, let's calculate them
in separate methods of the BurstForwarder.
Change-Id: Ia2031f22f2b549c799c782d0c8c8d0691fb6f18c
Timing Advance value is a timing correction value, indicated by
the network to MS, which is used to compensate UL signal delay.
In other words, the network instructs a phone to transmit bursts
N=TA symbol periods earlier than expected.
Since we are in virtual environment, let's use TA value to
calculate the ToA (Timing of Arrival) value for BTS.
Change-Id: Ie5833a9f221587bbcac10f0b223ead9c1cbda72b
This change implements ToA (Timing of Arrival) parsing, which
was missing in the DATAMSG_TRX2L1. Since we use integer math,
a ToA value is represented in units of 1/256 symbol periods.
Change-Id: Ib11482c06b977c4cf01b0644f5845a2e49d059fb
In order to avoid both float arithmetic as well as loosing any
precision, let's use integer math fot ToA (Timing of Arrival),
i.e. let's express ToA values in units of 1/256 symbol periods.
Change-Id: I56b88740f4d782ac7591fc096d1969514784a4e1
There are no message specific initialization parts, excepting
the header specific fields setting. Let's us a common constructor,
dropping custom fields from its arguments.
Change-Id: I13a3e4b2f6a1f443ebe7d809df62736e3c43f56f
There is no 'file' type in Python3 anymore, so let's reverse the
condition in DATADumpFile constructor. Also, the tag definition
was incorrect: both '\x01' and b'\x01' aren't the same.
Change-Id: Ib00c7f0bd5871fcfce931a4bfa501ae5bf797c45
In Python3 a range has it's own type, so its comparasion with
a list is incorrect. Let's explicitly convert both bit ranges
to lists in the bit conversation tests.
Change-Id: I98c40d3d63cbcdc3e5dc840ebf8d7310c5c08e56
As the DATAMSG classes were introduced, let's use them.
This approach abstracts one from dealing with raw bytes.
Also, now BurstForwarder randomizes both RSSI and ToA values,
as this feature is supported from-the-box by the DATAMSG_TRX2L1.
Change-Id: Ib15018eab749150e244914dab4b6e433ce0c9209
This change introduces two new methods, which allow to perform
L12TRX <-> TRX2L1 message type transformations.
Change-Id: Ic99cf74baa1864bf20a8fc0fc025604bc160084c
Setting this option allows one to reuse existing connections,
for example, by injecting CTRL commands or DATA bursts into
existing connections between fake_trx.py and trxcon.
Change-Id: I0882c76affa9a668a12d10967081054d2b666ed1
Previously it was required to call the UDPLink.shutdown() method
manually in order to close a socket. Let's do this automatically
using the destructor of UDPLink.
Change-Id: I59c3dc61ec58cd9effeb789947d28fd602ca91f4
In order to avoid clashes with OsmoTRX, which may be also
running on the same host, let's use a different port range
starting from 6700 by default.
This idea was introduced as a result of OS#2984.
Change-Id: I66b5f25aaba3b836448ed29839c39869b5622bed
Related: OS#2984
One byte may store a value in range [0x00, 0xff]. The maximal 0xff
value is 255 in dec, so a message length is limited to 255 bytes.
This is enough for GSM bursts, but not for EDGE.
Since this change, two bytes of header are used to store the
pending message length. All captures created before are not
supported anymore...
Change-Id: I5a69d5cf2914fe56b2f9acca6054c9470627f91e
Previously, this tool was only able to read a hand-crafted text
file with bursts and send them via the DATA interface. This is
not so useful...
This change implements support of reading DATA capture files,
which can be generated e.g. by trx_sniff.py or burst_gen.py.
Both standart input (stdio) and text-files are not supported
anymore.
Usage example:
./burst_send.py -m L1 -i capture.bin --timeslot 2
Change-Id: I626662bd1897c874421ab5178970ec19325f8a47
Now all generated bursts can be also written to a capture file,
using a new option called '--output-file'. If a file already
exists, bursts would be appended to the end. Otherwise a new
capture file is created.
Change-Id: I074ff7dbc4d6beecdecce20de9dade5939e707f2
Since we have a separate class for DATA capture management now,
no need to implement the wheel - let's just use it!
Change-Id: I7c30bcea294ce7270bf905ae5420a06dbc2e46f1
This change introduces the following classes:
- DATADump - basic class, which contains methods to generate
and parse the a message header, and some constants.
- DATADumpFile - a child class, which contains methods to
write and parse DATA messages from capture files.
Usage example:
# Open a capture file
ddf = DATADumpFile("capture.bin")
# Parse the 10th message
msg = ddf.parse_msg(10)
msg.fn = 100
msg.tn = 0
# Append one to the end of the capture
ddf.append_msg(msg)
Change-Id: I1b31183bd7bcca94de089847ee0b2f4ec88a7f1d
Previously, it was expected that burst length should be equal
to 148. Let's also handle EDGE bursts and use GSM constants.
Change-Id: Iab13dd06f175556137c5e25d2cbddb9bea403b09
The DATAMSG API, that was introduced and extended a few commits
before, provides all required methods to create, validate,
generate and parse DATA messages. Let's use it now.
Change-Id: Ibc99126dc05d873c1ba538a5f4e74866de563f56
This change introduces a new method for both types of messages
called 'desc_hdr', that generates human-readable header
description.
Examples:
TRX -> L1: fn=571353 tn=1 rssi=-108 toa=-0.53
L1 -> TRX: fn=1777477 tn=3 pwr=161
Change-Id: Iafe63e39ad68f4ff373ae098424d76ca9f83c8fc
One L1 -> TRX message carries one to be transmitted burst encoded
as regular bits (0 or 1). One TRX -> L1 message carries one
received burst encoded as unsigned soft-bits (0..254).
This shall be noted during message encoding and decoding process.
Also, we shall distinguish between GSM and EDGE bursts.
Change-Id: I909b7a4dc70e8c632987bde07f00281a6595c4cb
This change introduces three new classes:
- DATAMSG - abstract class, defines common fields and methods
for any message on DATA interface, e.g. frame and timeslot
numbers, bit conversation methods, etc.
- DATAMSG_L12TRX - a child of DATAMSG, defines a message
coming from L1 to TRX.
- DATAMSG_TRX2L1 - a child of DATAMSG, defines a message
coming from TRX to L1.
Both child classes could be used to generate DATA messages from
known fields (i.e. fn, tn, etc.), and parse them back from
already encoded DATA messages.
Change-Id: Id1c72f0b18fb128acc74d0cd899fb7aab7bd8790
Previously there were multiple definitions of some common GSM
constants in different modules. Let's share them.
Change-Id: Id6cdfbc6e8688755a0df7e44daa512c9afa7dad2
This change introduces a new tool, which could be used to sniff a
single connection between L1 and TRX in both directions, filter
captured bursts by direction, timeslot and/or frame number, and
finally write them to a binary file for further analysis.
Sniffing capability is based on Scapy framework, so it should
be installed in order to run this tool. Please also note,
that sniffing requires root access. For details, see:
https://github.com/secdev/scapyhttps://scapy.readthedocs.io/en/latest/
Usage example:
sudo ./trx_sniff --frame-count 30 --timeslot 2 -o /tmp/bursts
This command will capture 30 frames on timeslot number 2, and
write them to a binary file. The format of this file is based
on TLV (Tag Length Value), that wraps each burst:
... |-TAG (byte)-|-LEN (byte)-|-BURST (LEN bytes)-| ...
TAG 0x01 - a message coming from L1 to TRX
TAG 0x02 - a message coming from TRX to L1
Change-Id: I6e65e1d657574cc3e67bc7cdb1c01ef6bf08ecde
Previously, the L1CTL_CRYPTO_REQ message contained only a ciphering
algorithm and actual Kc key to be used. The key length was
calculated manually using the MSGB API.
Let's avoid manual calculations here, as it may cause unexpected
behavior if the message structure is changed. Also, let's fill
the UL header with minimal information about a channel, which
is going to be encrypted.
Change-Id: I1813a188e755141241273479b17896415abcc3f1
Previously, TCH frames coming from L1 were reordered to the RTP
format. Moreover, the implementation had a few problems:
- L1CTL is not the best place for such manipulations;
- payloads with other than FR codec were corrupted.
Let's use RTP-ordered payloads on the L1CTL interface,
performing TCH frame reordering at the firmware.
Please note, that actual FR reordering was moved to the firmware
as is, without any codec determination. This could be fixed in
a separate change.
Change-Id: I235a9f535c39d8e57f5d2c6566daeaf883aeef9e
The existing Makefile.mtk isn't compatible with the current
Makefile scheme, so nothing would happen when it was called.
This change updates the Makefile.mtk, so the Mediatek firmware
can be successfully compiled again.
Change-Id: Iecd619ed862f4d825095292ffde50544e647f6ff
This change introduces a new tool for sending existing bursts from
file or standard input either to L1 (OsmoBTS or OsmocomBB) or to
TRX (OsmoTRX and GR-GSM TRX).
Change-Id: I2c542583252d31daac466e6c7837317fda8a7020
Sometimes it's important to use different CTRL port, for example
when OsmoTRX is running at the same time. This change adds the
corresponding command line options and help message.
Change-Id: Ic6eeb69d9a1fc151eab2e63f3708e3d70e2e558b
This change introduces a new tool named 'burst_gen.py'. One can
be used for sending GSM bursts either to L1 (OsmoBTS or OsmocomBB)
or to TRX (OsmoTRX and GR-GSM TRX). Currently it is only possible
to send random bursts of different types: NB, FB, SB, AB.
Change-Id: Ie14281222d29536b8690517e57af2a1007fcbc91
Clock indications are only required for BTS, while MS can
obtain current frame number from messages on DATA interface.
Change-Id: Id2993847a3581cac0d355850ad09ceabc6116d3f
This change introduces a new class named FakePM, which is intended
to generate pseudo-random power levels for base stations and noise
levels inactive frequencies.
Also, there is a new command in BB CTRL, which instructs transceiver
to perform a power measurement on requested frequency. As we work in
virtual Um-interface, a FakePM instance is used to provide some fake
power levels.
Change-Id: If48c12fd0b1ba10e1cf76559b359e17a1256617d