Both functions are never used outside of both gen_msg() and parse_msg().
AFAIR, they were more complicated until we started to use struct, but
now they can be easily inlined.
Change-Id: Ie64b271cf502f3df23b32f4b14a1e2b551a0f794
Having fn = 1024 and tn = 0 in all tests decreases the chances
to spot encoding / decoding bugs of higher or lower values.
Let's randomize the reference data before all the tests.
Change-Id: Id3c5be9faaf0bef727b975c7182098af0cec6e71
During the handover the MS needs to release the existing dedicated
channel(s), establish the new one(s) as indicated by the network,
and then, depending on the synchronisation state, send one or more
HANDOVER ACCESS messages carried by Access Bursts.
In order to implement this, trxcon needs to be able to transmit
Access Bursts on any TDMA timeslot regardless of the logical
channel type and the associated handler, i.e. != TRXC_RACH.
The controlling side on L1CTL (layer23 or TTCN-3) needs to send
one or more L1CTL_RACH_REQ message(s) with properly populated
UL info header. Otherwise a regular RACH on TS0 is assumed.
Change-Id: Ia967820a536c99966ba2c60b63d2ea9edb093f46
Before this patch, prim_dequeue_sacch() used to ignore SACCH primitives
with odd length (e.g. 21, when sender forgot to push 2 octets of L1
SACCH header), so neither they were transmitted, nor rejected.
As a result, they would stay in the Tx queue until a dedicated
connection is released. The only way to notice such problem
was looking at the constantly growing talloc's report.
Instead of ignoring the primitives with odd length and keeping them
in the queue, let's pass them to a logical channel handler, so they
would be dequeued and rejected with a proper logging event.
Also, to simplify further debugging, let's print the final decision
of SACCH prioritization: whether it's a Measurement Report or not.
Change-Id: I3149fa518439470b397953306209eb859c83450a
According to 3GPP TS 05.02, section 6.4.1, CBCH replaces
SDCCH number 2 in both V (BCCH+CCCH+SDCCH/4+SACCH/4) and
VII (SDCCH/8+SACCH/8) logical channel combinations.
Unfortunately it is not clear whether we can use stolen UL slots
for RACH or not. For now, we should mark all of them as IDLE.
Somehow TRXC_SDCCH4_2 slots were left in the definition of
combination V (combined CCCH+BCCH). This is not critical,
but may be looking confusing. Let's fix this.
Change-Id: Id30f2fac3274de3edff4ae59f77d9c9cf8059155
The existing logic unconditionally wants to send a POWERON command
on TRXC whenever L1CTL_FBSB_REQ is received. That may cause some
problems when sending subsequent L1CTL_FBSB_REQ, e.g. due to signal loss.
Sending POWEROFF when transceiver is not powered on is normal though.
This can happen if trxcon is restarted while fake_trx was running.
The existing FSM state could unfortunately not been used, as it's a
mixture between the TRX connection state and the command/response state.
The current solution is just a work around. We definitely need to
introduce separate state machines for transceiver and its TRXC
interface.
Change-Id: I834e8897b95a2490811319697fc7cab6076db480
Both PRIM_IS_RACH() and PRIM_IS_EXT_RACH() macros to be used for
handover RACH detection in the follow up changes, thus we need
have them widely available. Let's also give them better names:
PRIM_IS_EXT_RACH -> PRIM_IS_RACH11
PRIM_IS_RACH -> PRIM_IS_RACH8
and introduce a new generic one for checking whether a given
primitive is RACH in general (either 8-bit or 11-bit) or not.
Change-Id: Ibc39c57fda000647be1829786f6423dcf3f435cd
It makes sense to do this first, before tuning to a different
ARFCN and changing the training sequence. Otherwise, if no
multi-frame configuration is found, trxcon would switch to
a different channel and then remain inactive there.
Change-Id: I274588ce3a9c49372b5da0629930afece46f799c
Having magic pre-calculated hex-masks gives one quite high chances
to shoot oneself in the foot, and decreases readability in general.
Let's do this pre-calculation during the compilation process, so
it's much easier to read, extend and spot potential bugs.
Change-Id: If945b3654e35c83fc0220fdd6d99c1c7a0503386
In I2fc61e1cdca4690a34e2861b9ee3b7c64ea64843 I introduced a regression.
TRXC_SDCCH4_CBCH should have TRX_CH_FLAG_AUTO, because it's a part of
GSM_PCHAN_CCCH_SDCCH4_CBCH multi-frame layout. If the controlling
side on the other end of the L1CTL link requests this particular
multi-frame layout, CBCH channel is expected to be active.
Change-Id: I3ed942106a03220417b5cb9176107af057120fbe
Let's avoid fancy alignment in the description of logical channels
for the benefits of having better readability, the ability to add
more comments and fields without making it look ugly.
Also, let's get rid of field 'chan' of 'trx_lchan_desc' structure
since it's not used anywhere, and not actually needed because the
position of each lchan description is defined by its TRXC_* type.
As a bonus, let's add a human readable description to each
lchan definition, so it can be printed in the VTY some day.
Change-Id: I2fc61e1cdca4690a34e2861b9ee3b7c64ea64843
PDCH channel support was introduced quite a while ago, but there
was no way to activate it via L1CTL so far. Let's fix this.
Change-Id: I3b66cab26108ab999a7fe969365ab57dc661399c
CBCH support in the firmware has been introduced almost at the same
time it was implemented in trxcon, and the same mistake was made
as described in Ia9a415628c659cbc2dd5dc65b875b7f935d6e211.
Despite Calypso based PHY does not support PDCH (GPRS channels),
let's avoid collisions and use the following cbits values:
0x19 / 0b11001 - MF_TASK_SDCCH4_CBCH on GSM_DCHAN_SDCCH_4_CBCH,
0x1a / 0b11010 - MF_TASK_SDCCH8_CBCH on GSM_DCHAN_SDCCH_8_CBCH.
Change-Id: Ibb0f90695460e6ede12016c12a0cfdf9c74dfb24
Related: OS#4027
Wherever possible, use #defines from libosmogsm as opposed to magic
numbers. Using magic numbers in several places has the danger of
different programs/repositories having different views on what those
values mean.
Change-Id: I7ab4958801b3422973b67ff0452b90afa8a3f501
Related: OS#4027
Depends: libosmocore Change-Id I93e557358cf1c1b622f77f906959df7ca6d5cb12
OsmoBTS, BSC and TTCN3 used cbits == 0x18 for dynamic PDCH, while
trxcon wanted to use 0x18 for CBCH on SDCCH/4. Let's fix this and
bring everyone in agreement.
Related: OS#4027
Change-Id: Ia9a415628c659cbc2dd5dc65b875b7f935d6e211
sap_fsm.c: In function ‘sap_negotiate_msg_size’: sap_fsm.c:103:15:
warning: passing argument 1 of ‘__bswap_16’ makes integer from pointer
without a cast [-Wint-conversion]:
size = ntohs((uint16_t *) param->value);
^~~~~~~~~~~~~~~~~~~~~~~~~
Change-Id: Ie58af6162c67ae377809b42daa897ca3f3d72af1
Starting from [1], not only LMA but also VMA areas are now checked
for overlaps (see also [2]). This results into linking errors:
arm-none-eabi-ld: section .text.exceptions VMA
[000000000080001c,0000000000800037] overlaps section
.compal.reservedram VMA [0000000000800000,00000000008000fe]
arm-none-eabi-ld: section .text.exceptions VMA
[000000000080001c,0000000000800037] overlaps section
.compal.loader VMA [0000000000800000,00000000008000ff]
Let's try to work around this.
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a87dd97a2098b7e18ff2574a4e81ae521ef7e6f2
[2] https://sourceware.org/bugzilla/show_bug.cgi?id=18452
Change-Id: I098ddd33aabd7ec27981e2f09d8582f167bb649b
Fixes: OS#1917
According to the man page of recv(), the only difference of this
call from read() is the presence of flags. With a zero flags
argument, recv() is generally equivalent to read().
Change-Id: I6d43bbf8d52c5fbb8ee0592b7d1c1dfd2dd1548e
Since we only set both ARFCN and TDMA frame number of the DL info
header, other fields remain uninitialized. Let's memset() them.
Change-Id: Ib39c333f1724fefa5d8bd8a2315b77a5612f7fa9
This would allow to abstract both L1CTL and TRX interfaces
from each other in the upcoming refactoring.
Change-Id: I74a23c73b03bad822272b9cfe76c2501666912b7
In both gsm48_mm.c and gsm48_rr.c we put / push 'gsm48_rr_hdr'
structure into the message buffers, so then it's retrieved by
the message receivers. The AddressSanitizer complains about
unaligned pointer access and potentially unexpected behaviour.
Change-Id: I8aa2c0074b405afd0e76044ef076b6819fe1083b
In gsm322_l1_signal(), if S_L1CTL_FBSB_ERR is received, we free
stored System Information of the current cell, but cs->si may
still point to it. Let's set it to NULL.
Found with AddressSanitizer:
DL1C ERROR l1ctl.c:96 FBSB RESP: result=255
DCS INFO gsm322.c:2995 Channel sync error, try again
DCS INFO gsm322.c:467 Sync to ARFCN=860(DCS) rxlev=-106
DRR INFO gsm48_rr.c:665 MON: no cell info
DRR INFO gsm48_rr.c:665 MON: no cell info
DRR INFO gsm48_rr.c:665 MON: no cell info
DRR INFO gsm48_rr.c:665 MON: no cell info
DL1C ERROR l1ctl.c:96 FBSB RESP: result=255
DCS INFO gsm322.c:3008 Channel sync error.
DCS DEBUG gsm322.c:3013 free sysinfo ARFCN=860(DCS)
DCS INFO gsm322.c:3020 Unselect cell due to sync error!
DCS INFO gsm322.c:509 Unselecting serving cell.
=================================================================
==6014==ERROR: AddressSanitizer: heap-use-after-free on address
0x61b0000000e6 at pc 0x00000050d6dd
bp 0x7fff7f84aa60 sp 0x7fff7f84aa58
Change-Id: I9cc526c18d69695d810de98703579818408de011
The old TOA256 range was bigger than we can actually store:
struct.error: 'h' format requires -32768 <= number <= 32767
Change-Id: I5d4e1fea9d07f2c49f01e6644d1c0d1dc8cf4e40
According to 3GPP TS 05.03, section 5.3, two coding schemes are
specified for access bursts: one for regular 8-bit bursts,
another - for extended 11-bit packet access bursts.
According to 3GPP TS 05.02, section 5.2.7, there are two
additional training (synchronization) sequences for RACH
bursts: TS1 & TS2. By default, TS0 synch. sequence is used,
unless explicitly stated otherwise (see 3GPP TS 04.60).
According to 3GPP TS 04.60, section 11.2.5a, the EGPRS capability
can be indicated by the MS using an alternative training sequence
(i.e. TS1 or TS2) and the 11-bit RACH coding scheme.
Change-Id: I36fd20cd5502ce33c52f644ee4c22abb83350df8
Use static helper to prepare l1ctl_fbsb_conf - this simplifies
fbsb-related functions and make difference between timer callback and
regular response more obvious.
Change-Id: I43832d6a912a32ea5795ed0110981e0b714a7a61
Use static helpers to add l1ctl_info_dl to msgb - this simplifies
l1ctl_* routines and reduce code duplication.
Change-Id: I0b5b81f1fcd2984136e553a93735ea5456d2b3df
In OS#3582, the autor of TIFFS code, Mychaela Falconia, has noted:
... all of my code contributions are in the public domain and
are NOT copyrighted by me, and I strenuously object to anyone
taking it upon themselves to insert a copyright notice with
my name in it.
Let's update the copyright statements as recommended by the author.
Change-Id: If115991425372a4cdbcfefa115532c9c410e58c4
Instead of counting both RSSI and ToA measurements separately,
let's have a single counter in trx_lchan_state.meas struct.
Change-Id: I45454a3ac92b8cc85dd74092e4ab6eb350f20c9a
All known TI GSM firmwares implement some kind of flash file system, or FFS.
We call it TIFFS (Texas Instruments FFS) because it is TI's invention.
TIFFS is a file system with a hierarchical directory tree structure, and
with Unixy forward-slash-separated, case-sensitive pathnames; the semantics
of "what is a file" and "what is a directory" are exactly the same as in
UNIX; and TIFFS even supports symlinks, although that support is a little
under-developed, and apparently no FFS symlinks were ever used in any
production GSM device. Thus the FFS implemented in TI-based GSM devices
(modems and "dumbphone" handsets) is really no different from, for example,
JFFS2 in embedded Linux systems.
The FFS in a GSM device typically stores two kinds of content:
- Factory data: IMEI, RF calibration values, device make/model/revision
ID strings etc. These files are expected to be programmed on the
factory production line and not changed afterward.
- Dynamic data written into the FFS in normal device operation: contacts,
settings / preferences, call history, received SMS, etc.
It should be noted that both Compal (Mot C1xx) and Foxconn (Pirelli DP-L10)
vendors moved their vital per-unit factory data out of the FFS into their
own ad hoc flash data structures, leaving their FFS only for less
critical data. However, we do enable TIFFS access for them anyway.
The location of TIFFS within the flash memory of a given GSM device is
defined by the firmware design of that device, but is always some integral
number of contiguous flash sectors.
- On Motorola/Compal C139/140 phones, the FFS used by the original
proprietary firmware occupies 5 sectors of 64 KiB each (320 KiB
in total), starting at 0x370000. C11x/123 use smaller FFS
configurations, whereas C155/156 seem to have switched to some
other FFS format, different from our familiar TIFFS.
- On the Pirelli DP-L10, the FFS used by the original proprietary
firmware occupies 18 sectors of 256 KiB each (for 4.5 MiB in total),
starting at the beginning of the 2nd flash chip select (0x02000000
in the ARM7 address space).
- On FCDEV3B (FreeCalypso hardware), the FFS is located in the first
8 sectors (of 256 KiB each) in the 2nd flash chip select bank,
which appears at 0x01800000 in the ARM7 address space.
- On the GTA01/02 GSM modem, FFS occupies 7 sectors of 64 KiB each,
starting at flash offset 0x380000.
For more information, please refer to the FreeCalypso project
documentation, from where this great contribution comes from.
Please note that existing MediaTek targets most likely use different
storage format as they have nothing from TI Calypso. Also, we don't
(yet) know the location of TIFFS on SE J100i and Compal E99 targets.
The TIFFS support is needed for the follow-up change, that
implements reading of the factory RF calibration values.
Tweaked (coding style changes) by Vadim Yanitskiy <axilirator@gmail.com>
Change-Id: If6e212baeb10953129fb0d5253d263567f5e12d6
Related: OS#3582
Vadim Yanitskiy
Eric Wild
Harald Welte