This is a set of tools for creating a virtual Um-interface between
OsmocomBB and OsmoBTS. It may be extremely useful for testing and
development of GSM stack, including both sides (MS and BTS). This
software implements OsmoTRX (Osmocom's fork of OpenBTS transceiver)
style clock (CLCK), control (CTRL) and data interfaces. So, OsmoBTS
source code doesn't require any modifications, while for OsmocomBB
you will need to use a new application - trxcon, which can be found
in the 'fixeria/sdr_phy' branch until one is merged to master.
Brief description of available applications:
- fake_trx.py - main application, that allows to connect both
OsmocomBB and OsmoBTS without actual RF hardware. Currently
only a single MS may work with a single BTS.
- clck_gen.py - a peripheral tool aimed to emulate TDMA frame
clock generator. Could be used for testing and clock
synchronization of multiple applications. It should be noted,
that one relies on generic system timer (via Python), so
a random clock jitter takes place.
- ctrl_cmd.py - another peripheral tool, which could be used
for sending CTRL commands directly in manual mode, and also
for application fuzzing.
Change-Id: Ib1fb80682002ac85a72fa6abef459a4c44f4ab97
This reverts commit 1724003737.
For some reason the "obviously broken" code is working, but the fixed
version is not. Let's go back to step 1 and analyze this in more
detail, but meanwhile make the code work again.
Some header files are auto-generated and are thus in the build
directory, not in the source directory. A cleaner way to handle this is
most likely to install libosmocore to some directory, but I don't want
to change the entire build process now.
Somebody (me?) wrote exclamation marks instead of pipe symbols.
Found by a modern gcc:
rf/trf6151.c: In function 'trf6151_set_arfcn':
rf/trf6151.c:439:8: warning: comparison is always true due to limited
range of data type [-Wtype-limits]
arfcn != ~ARFCN_UPLINK;
^
rf/trf6151.c:439:2: warning: statement with no effect [-Wunused-value]
arfcn != ~ARFCN_UPLINK;
^
It seems modern versions of newlib define those themselves, so we should
avoid re-defining them. Removes tons of compiler warnings when
compiling against libnewlib 2.4.0
With GCC 4.9.3 the timing was broken and initializing
the SPCA552 on the Pirelli DP-L10 did not work.
Add a small delay which fixes that.
Signed-off-by: Steve Markgraf <steve@steve-m.de>
"multiframe", the frame layout (used to compute neighbor
cell monitoring pattern) was uninitialized in TCH/H case.
This, in combination with gcc optimizing the
"switch(multiframe)"-statement into a LUT without bounds-
checking (since using an uninitialized value is undefined
behavior) caused neigh_task to be filled with an out-of-
bounds value, eventually crashing the TDMA scheduler.
Written-by: Felix Domke <tmbinc@elitedvb.net>
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Starting with version 4.8, gcc places functions
with __attribute__ ((constructor)) in .init_array
instead of .ctors by default.
This broke firmware images built with gcc >= 4.8.
Signed-off-by: Steve Markgraf <steve@steve-m.de>
Since we now initialize the display for all apps, it
otherwise just shows the last content of the display
ram, which is weird.
Signed-off-by: Steve Markgraf <steve@steve-m.de>
So far the loader-app used to do the init on its
own, which brought a lot of problems for board-
specific initialization.
Signed-off-by: Steve Markgraf <steve@steve-m.de>
Operation in GSM850 band requires IQ swap because of the offset PLL
used in the TRF causing spectrum reversal.
Thanks to Dieter Spaar for noticing the issue and the original patch
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
As Dieter points out, this drastically improves the resilience to high
receive levels on the C155. We cannot blindly assume a received signal
level of -85 dBm if the BTS is 2m away and we actually receive -40 dBm.
This patch extends the L1CTL_FBSB_REQ data structure in layer 1 with the
respective field, as well as the l1ctl_tx_fbsb_req() API function called
from the various layer23 apps.
"mobile" and "bcch_scan" already did a PM request and thus know the
expected signal power. "ccch_scan" and "cbch_sniff" apparently don't
do, so the -85 dBm constant is now hardcoded into the host-side source
code there, and should probably be fixed in a follow-up patch.
This commit adds a combined driver for the Sunplus SPCA-552E
Multimedia Controller and the Samsung S6B33B1X LCD controller.
I have to thank Stephan Meier, who helped me to reverse-engineer
this beast during 28c3.
Signed-off-by: Steve Markgraf <steve@steve-m.de>
When synced, press the green button to request channel from cell.
The result, timing advance, distance and response delay is printed
on the display. It only works, if TX is enabled and SI 3 has been
received.
By pressing the green button, the sync mode is entered. The screen
shows some information about the cell. The beep indicates, if the
received BCCH was valid or not.
By pressing the Down button, the list of channels of the serving cell
and neighbour cells can be viewed and scrolled through.
By pressing the Up button, the levels (downlink or uplink) of the serving
cell can be viewed. Also it is possible to select one of the serving
cell's frequencies by pressing the Left/Right button.
5 measurements are now performed during a 51 multiframe. They are performed
at one of the 5 FCCH.
Additionally a timeslot offset can be given for each measurement. This way
it is possible to measure each timeslot separately. The given ARFCN must be in
sync with the serving cell.
By pressing '*', the analyzer is turned on or off.
Each beep indicated a new measurement result.
Right and left button can be used to scroll. By holding the button, the input
is repeated.
This app is used to measure receive level of given channels.
By pressing digits, the channel can be selected.
By pressing left or right button, the frequency is increased/decreased.
By pressing the menu button, the maximum received level is shown until
pressing menu button again. (useful for hopping)
By pressing up or down button, the volume of a tone is changed, that
indicates rx level.
The left soft button is used to toggle PCS/DCS on shared channel numbers.
The right soft button is used to toggle uplink and downlink.
This application had already been removed a while ago, but
was added again with one of the initial framebuffer commits.
Signed-off-by: Steve Markgraf <steve@steve-m.de>
We revert the initialization of the palette to the behaviour of the
old non-fb driver.
Signed-off-by: Steve Markgraf <steve@steve-m.de>
Signed-off-by: Andreas Eversberg <jolly@eversberg.eu>
Power measurement returned the first measurement result twice, now it is
returned only once.
Wrapping of ARFCN allows to measure the E-band en block. After measuring the
ARFCN 1023, the ARFCN wraps to 0. Special flags like ARFCN_UPLINK or
ARFCN_PCS are preserved while wrapping.
In order to allow applications to use the power button, the keypad handler
will wait half a second if the key is pressed and held, until the power
is turned off. This way the application does not need to handle it.
The power off function will then wait until the button is released, so the
phone will not start again while the button is still pressed.
This way we can independently control what frequency we want and
whether we want to TX or RX. This allows TX on DL band and RX on UL band.
This also means all calls to tx_window setup now need to properly set the
ARFCN_UPLINK flag !
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
I2C bus supports up to 128 devices (mask 0x7F), but the current calypso driver
masks it to 64 (0x3F). I discovered it because Motorola W220 has an I/O
expander PCA9537 at address 0x49 which could be reached.
Signed-off-by: Alan Carvalho de Assis <acassis@gmail.com>
Signed-off-by: Steve Markgraf <steve@steve-m.de>
Originally written by dexter and then Andreas did a lot of cleanup
work to bring it into shape for inclusion in master
Written-by: Philipp Maier <zero-kelvin@gmx.de>
Written-by: Andreas Eversberg <jolly@eversberg.eu>
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
The Compal E86 (C139/C140) has a different RFFE-configuration
than the other Compal phones. The Motorola C139 schematics
on this part look exactly the same, but in fact the board is missing
a transistor (U16), and it uses TSPACT2 additionally.
This fixes the long-known problem with the C139/C140 phones
of the rx-level being over -20dBm worse as compared to the
E88/E89 phones, as well as the band selection on the
antenna switch in TX-mode (which was completely wrong,
but sort of worked anyway).
Signed-off-by: Steve Markgraf <steve@steve-m.de>
So far, the PA-enable signal has been enabled way too early and
also has been disabled much too late.
We're now setting the RFFE to TX-mode after opening the ABB
window, and setting the RFFE to RX-mode again after TX. This
yields to an almost perfectly timed TX-window, just like with the
stock firmware of the phone.
Signed-off-by: Steve Markgraf <steve@steve-m.de>
Found by clang:
warning: argument to 'sizeof' in 'memset' call is the same expression
as the destination; did you mean to remove the addressof?
Signed-off-by: Steve Markgraf <steve@steve-m.de>
This file was handled as a binary(!) file by git (thus the git rm).
Also, it missed the uppermost line of pixels in each character.
It will be replaced with a correct font in the next commit.
Signed-off-by: Steve Markgraf <steve@steve-m.de>
Since the powerbutton on the Pirelli DP-L10 doesn't seem to be
connected to the keypad scan matrix at all, we're using Iota's
PWON interrupt to determine if the powerbutton has been pressed,
and power off the phone after it has been released again.
This also affects the Compal phones, since the interrupt happens
quite some time before the keypad driver notices the keypress.
The code in the keypad driver that has been used so far to power
off the phone will remain as a backup when running without
interrupts at all (e.g. the loader application).
Signed-off-by: Steve Markgraf <steve@steve-m.de>
Also hard limit to maximum 4 pending frames (should not happen !), the
upstream is supposed to do its own flow control.
Written-by: Andreas Eversberg <jolly@eversberg.eu>
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
- It's broken by the use of compute_gain
- Since there is now an AGC loop, manually setting the register
has no effect.
If someone needs manual gain control for testing, he'll have to
re-implement a proper AGC override.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
When listening to BCCH, layer1 may measure the power level of neighbour
cells. A list of neighbour cell frequencies needs to be sent to layer1.
After the measurement is done, the results are indicated to layer23.
rffe_compute_gain() is the new name for rffe_set_gain(). I needed to change
this, to solve the name collision with the rffe_set_gain() function, which
actually sets the absolute gain.
rffe_get_gain() will now read the absolute gain which has been computed by
rffe_compute_gain() or set by rffe_set_gain().
First we add 55500 to an int16_t, then later we subtract it again.
The bug only didn't become apparent as we wrap twice, once adding
then subtracting.
Discovered by Smatch:
firmware/layer1/tpu_window.c +127 l1s_rx_win_ctrl(24) warn: value 55000 can't fit into 32767 'stop'
Credits to Andreas Eversberg for finding this bug after countless
hours of debug and providing initial patch :)
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Credits to Andreas Eversberg for finding this bug after countless
hours of debug :)
Written-by: Andreas Eversberg <jolly@eversberg.eu>
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Ideally we should only panic in interrupt context. In user
context, we could wait ...
We could also return NULL and let the calling code deal with it
but it's not ready for that yet.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
gcc3 (and some gcc4) produce code which does not fit into the
0x5000-sized RAM sections. Extend them to 0x6000 for now, so it will
build correctly again. The created binary (gcc3) has been successfully
tested on my G2.
Signed-off-by: Wolfram Sang <wolfram@the-dreams.de>
We also disable them by default because:
- It can operate fine out of spec
- Some phones will actually do it (like using the DCS port for PCS)
- It's verbose for nothing for most people anyway
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
* We actually support TX 850/1900 now
* We try to find the better settings for a given frequency,
no matter if it's in spec or not ...
(for e.g. TXin in DCS downlink is better done with PCS config)
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Depending on the chipset and the HW, not all ports are connected
and we need to know what we can use when we have the choice ...
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
We are just interested in the loaders here, no other applications needed.
Split it from the compal-based phones. Add mt62xx as first user.
Based on a patch by steve-m, but cleaned up and separated from compal/calypso.
Signed-off-by: Steve Markgraf <steve@steve-m.de>
Signed-off-by: Wolfram Sang <wolfram@the-dreams.de>
This patch changes include paths to get osmocom-bb working with
the current libosmocore tree.
Among all these renames, you can notice several tweaks that I
added on purpose, and that require some explanation, they are:
* hexdump() in osmocon.c and osmoload.c has been renamed to avoid
clashing with hexdump() defined in libosmocore.
* gsmmap now depends on libosmogsm. Actually I had to cleanup
Makefile.am because I was experiencing weird linking problems,
probably due to a bug in the autotools. With the change included
in this patch, I got it compiled and linked here correctly.
This patch has been tested with the phone Motorola C123 and the
following image files:
* firmware/board/compal_e88/hello_world.compalram.bin
* firmware/board/compal_e88/layer1.compalram.bin
Using the osmocon, bcch_scan and mobile tools.
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
Without the delay we would fill the sercomm buffer faster than its
content can be sent, and the phone would end up in a panic and hang.
Signed-off-by: Steve Markgraf <steve@steve-m.de>
This attribute is toggled with the RTC interrupt, which is disabled
in layer1_init(). If an interrupt between rtc_init() and layer1_init()
occurred, the display of the E88 phones remained inverted
Signed-off-by: Steve Markgraf <steve@steve-m.de>
This is for being able to read the whole flash on devices that use the bootrom,
and also fixes flash detection on the C139/C140/J100i
Signed-off-by: Steve Markgraf <steve@steve-m.de>
* This might be a workaround for a compiler bug
(gcc 4.5.2, binutils 2.21)
Signed-off-by: Andreas Oberritter <obi@saftware.de>
Signed-off-by: Steve Markgraf <steve@steve-m.de>
Newer GCC with GNU LIBC do not like our minimalistic version of
stdint.h and will have conflicts. Older GCC with older C Libs do
not have a stdint.h yet and the #include_next trick is failing. To
make matters worse NEWLIB does not export its version via the
pre-processor.
We will have to guess once more about the compiler. This code now
assumes that if we have a GCC < 4 that it does not have a stdint.h
and we will not try to include the next stdint.h file.
Don't assign to the variable given as argument. This prevents
clobbering the local 'reg' variables in uart_reg_{read,write}(),
which would in turn prevent the latch bits from being restored
correctly.
Signed-off-by: Alex Badea <vamposdecampos@gmail.com>
Store old_lcr only when switching to LCR == 0xBF. We don't want
to clobber old_lcr when switching back, otherwise we can't restore
the previous LCR value.
Signed-off-by: Alex Badea <vamposdecampos@gmail.com>
This works for both the default ROM bootloader and for our
custom one.
This will allow to implement easy patch loading.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Although quite counterintuitive, the TCH_A task does some voice coding
work ... at least during TCH/H subchannel 1 ...
Go figure ...
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Otherwise, when it reached AFC_RETRY_COUNT, no new FB0 tasks
were scheduled, and you needed to restart the phone in order to
successfully sync to a cell
Signed-off-by: Steve Markgraf <steve@steve-m.de>
The initial bringup is mainly Dieter Spaar's work. I took the
logic and rewrote it, adapting to later scheduler changes and
adding support for several other things (tch_mode, initial HR
support, various cleanup, ...).
Initially-Written-by: Dieter Spaar <spaar@mirider.augusta.de>
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
At this point in the code, we don't know if we're TCH/H or TCH/F, so
just store the speech mode and we'll figure out what to tell the DSP
in the task code itself.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
If the task interrupted because of a reset, an allocated msgb
will be present and we need to free it instead of just losing
the reference to it.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Copying to/from the DSP API shared memory must be done using
16-bit words only. Using those methods, we avoid the hassle of
repeating the code when we copy buffer back and forth.
API address must be 16 bits aligned but for our purpose, it's
good enough.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
For the host build the local_irq_save/_restore is a NOOP
and the compiler warns about the unused flags variable. Cast
it to void to avoid compiler warning.
This is Dieter's sync method adapted to the new TPU stuff.
Not perfect, but should work for TS[0:7] as long as you
leave a free frame between each TS changes ...
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
It's up to L23 to change the parameters using the appropriate
L1CTL call.
This is a mix between Harald's version and Dieter's version of
the TX control code.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Instead of each primitive doing it independently, if there is a TPU
scenario in one of the items, we do a common setup with the base tn
returned by rfch_get_params.
Then each rx / tx window setup is relative to that 'base tn'. For
TX window, you have to explicitly request an offset of 3. (this
would allow for some test code to TX on ts=0 for eg.)
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
If those flags are set in one of the items of the current frame,
we end the tpu & dsp scenario in common code.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Each item has a priority associated to it. The standard is :
-4 -> Responses processing
-3 -> L1S parameters changes
-2 -> [Reserved for TPU window setup]
-1 -> (anything)
0..7 -> Commands relative to time slot n
(relative to current l1s main timeslot)
8 -> (anything)
9 -> [Reserved for TPU window cleanup]
10 -> (anything)
Note that with this modification, an item scheduled for the
current frame from within a call back won't have its priority
respected !
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>