Diffstat (limited to '2009/gsm_network-har2009/gsm-har2009.mgp')
-rw-r--r--  2009/gsm_network-har2009/gsm-har2009.mgp  539
1 files changed, 539 insertions, 0 deletions
diff --git a/2009/gsm_network-har2009/gsm-har2009.mgp b/2009/gsm_network-har2009/gsm-har2009.mgp
new file mode 100644
index 0000000..7c01fb0
--- /dev/null
+++ b/2009/gsm_network-har2009/gsm-har2009.mgp
@@ -0,0 +1,539 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+OpenBSC
+
+%size 5
+Running Your own
+GSM Network
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@gnumonks.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Why?
+
+
+Why would you run your own GSM network?
+ For the same reason you might run other networks
+ To learn and experiment with technology
+ To boldly go where no [free] man has gone before ;)
+ Practical demonstration of known GSM security problems
+ Raise public awareness abut GSM [in]security
+ thus increase the incentive for the market to improve
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Legal Disclaimer
+
+
+Legal Disclaimer
+ Don't try this at home!
+ GSM operates on LICENSED spectrum
+ Thus, you need approval from the regulatory authority
+ Only use BTS with dummy load!
+ Don't interfere with the operators!
+ Our software is strictly for research purpose only
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Network Architecture
+
+
+The Hitchhikers Guide to the GSM Network
+ unfortunately does not exist
+
+The GSM related literature
+ is typically too high-level
+
+The GSM protocol specifications
+ are publicly available but _very_ comprehensive (1,108 PDFs, 414MByte)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Network Architecture
+
+GSM is a bit-synchronous network
+ it draws many analogies from ISDN and SDN
+ layer 2 modelled after Q.921 / LAPD
+ call signalling modelled Q.931
+ but: many more protocols for mobility management, radio resources, ...
+ like all traditional Telco protocols: Intelligence in the network, not in the end nodes.
+
+GSM is a TDMA "nightmare"
+ e.g. you never know from/for whom data is without the timing context
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Network Architecture
+
+MS
+ Mobile Station (your Phone)
+BTS
+ Base Transceiver Station
+BSC
+ Base Station Controller
+MSC
+ Mobile Switching Center
+HLR/VLR
+ Home/Visitor Location Register
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Base Transceiver Station
+
+
+BTS
+ As the name indicates "transceiver"
+ Handles
+ Layer 1 and some parts of RF layer2
+ Modulation/Demodulation
+ Time Multiplex, scheduling of frames
+ Is not a "Base Station", i.e. not self-contained
+ True 'slave' to the BSC
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Base Station Controller
+
+
+BSC
+ Base Station Controller
+ Handles
+ most of the actual decision making
+ really controls most aspects of BTSs
+ handles intra-BSC cell handover
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Mobile Switching Center
+
+
+MSC
+ Mobile Switching Center
+ Handles
+ Actual switching of the calls
+ Interworking with ISDN or POTS
+ Inter-BSC cell handover
+HLR/VLR
+ Home/Visitor Location Register
+ Handles
+ database of local / roaming subscribers
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Um interface
+
+
+MS <-> BTS Interface
+ is called Um
+ layer 2: LAPD derived; called LAPDm
+ layer 3: GSM 04.08 RR / MM / CC
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM A-bis interface
+
+
+BSC <-> BTS Interface
+ is called A-bis
+ has the following control layers on E1 TS1
+ L2ML (Layer 2 Management)
+ TEI management similar to ISDN
+ OML (Organization & Maintenance)
+ System parameters, events
+ RSL (Radio Subsystem Layer)
+ has encoded voice data (TRAU frames) on other E1 TS
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM A-bis interface
+
+%image "2_small.jpg"
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM A-bis interface
+
+%image "3_small.jpg"
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM A-bis interface
+
+
+Abis RSL
+ contains messages for
+ Radio Link Layer (RLL)
+ Dedicated Channel (DCHAN)
+ Common Channel (CCHAN)
+ Transceiver (TRX)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Mobile Switching Center
+
+
+Abis RSL Radio Link Layer
+ contains messages for
+ Call Control (CC)
+ Mobility Management (MM)
+ Radio Resource (RR)
+ Short Message Service (SMS)
+ mostly specified in GSM TS 04.08
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The Siemens BS-11 microBTS
+
+
+Siemens BS-11 microBTS
+ plain old 2G (GSM voice calls, CSD)
+ one or two TRX, 30mW to 2W each, GSM900
+ two E1 interfaces (for daisy-chaining)
+ documentation under NDA, but
+ 99.9% of the A-bis protocol available from GSM specs
+ See TS 04.08 (RLL), 12.21 (OML), 08.58 (RSL)
+ RS232 serial port for Local Maintenance Terminal
+ LMT software proprietary under NDA
+ not needed for operation of the BTS
+ bs11_config is a FOSS replacement
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The Siemens BS-11 microBTS
+
+%image "1_small.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The Siemens BS-11 microBTS
+
+%image "p1010012_small.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The Siemens BS-11 microBTS
+
+%image "p1010013_small.jpg"
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The Siemens BS-11 microBTS
+
+%image "p1010020_small.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The Siemens BS-11 microBTS
+
+
+First steps with the Siemens BS-11
+ Harald bought a BS-11 on e-Bay in 2006
+ Started to read some specs (08.5x) about A-bis
+ Started to build cables for E1 and power
+ Bought HFC-E1 PCI card
+ Bought Elmi EGM35 Abis analyzer (e-Bay once again)
+ Contacted with other people who also bought BS-11
+ Found somebody who could provide Abis traces
+ Never really had time due to Openmoko and other projects
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The Siemens BS-11 microBTS
+
+
+Further steps with the Siemens BS-11
+ Dieter bought a BS-11 09/2008
+ Bought HFC-E1 PCI card
+ Started development based on HFC-E1 reference driver code
+ Found somebody who could provide Abis traces
+ Made very quick progress
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+BS11-Init
+
+
+BS11-Init (09/2008)
+ Chip cologne HFC-E1 reference code for DOS
+ polling, no interrupts
+ ported to Windows and Linux (mmap of HFC registers to userspace)
+ proof-of-concept code based on challenge-response
+ handles TEI assignment, brings OML and RSL up
+ allows for location update and paging of single phone
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+BS11-Init
+
+%image "4_small.jpg"
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+From BS11-Init to OpenBSC
+
+
+From BS11-Init to OpenBSC (12/2008)
+ get L2ML to work with mISDN
+ mainline mISDN doesn't deal with multiple SAPIs and fixed TEI
+ learn how new sockets-based mISDN API works
+ come up with event-driven architecture, single sleect loop, no threads, ...
+ At 25C3:
+ add libdbi/sqlite database for "HLR"
+ get paging to work, support for configurable network ID
+ debugging + stabilization with > 1000 test users ;)
+ IMSI + IMEI skimming
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+OpenBSC takes off (2009)
+
+
+ implementation of more features
+ SMS store-and-forward switching
+ stable voice calls (FR and EFR codec)
+ support for more than one transceiver per BTS
+ support for multiple BTS
+ cisco-like console interface
+ support for more BTS models (ip.access nanoBTS)
+ interface to traditional E1 (using linux call router)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+OpenBSC takes off (2009)
+
+
+ fixing tons of bugs and stability issues
+ don't rely on the phone behaving properly (e.g. timeouts)
+ fix plenty of resource leaks (RAM)
+ fix plenty of resource leaks like on-air channels
+ finally uncover the last bits of the Siemens a-bis extensions
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+OpenBSC status today
+
+
+ OpenBSC is a 'gsm network in a box'
+ no need for separate MSC/HLR/VLR/AUC/SMSC
+ Capabilities
+ operation of a network with > 400 users
+ multiple BTS with each multiple TRX
+ voice calls and SMS implementation fairly complete
+ no in-call handover (only in idle mode)
+ no GPRS (yet), no EDGE (yet)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+OpenBSC future
+
+
+ Separation between BSC and MSC
+ Support actual A interface (over SCCP)
+ allows us to be used with real MSC
+ Support for GPRS + EDGE (with proper BTS)
+ Routing of calls between E1 and IP/RTP based BTS
+ Interfaces for external apps such as Scapy packet injection
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The HAR2009 GSM Network
+
+
+ License from Agentschap Telecom
+ Stichting Hxx applied for a GSM test license
+ license permits us to use 4 ARFCN's
+ Transmit power of 100mW on each ARFCN
+ antenna height restricted to 3m
+ in case operators get interference, we have to shut down
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The HAR2009 GSM Network
+
+
+ Two BS-11, each two TRX
+ BTS0 runs on ARFCN 121 and 123 (LAC 1)
+ BTS1 runs on ARFCN 124 and 122 (LAC 2)
+ Antennas mounted back-to-back to a tree on top of a hill
+ Two BTS share single E1 link in multi-drop mode
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The HAR2009 GSM BTS's
+
+%image "har2009-bs11_at_tree.small.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The HAR2009 BTS Antennas
+
+%image "har2009-bs11_antennas.small.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The HAR2009 BTS Antennas
+
+%image "har2009-bs11_antennas2.small.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The HAR2009 GSM Network
+
+
+ One Linux PC with OpenBSC
+ uses mISDN driver for HFC-E1 card
+ 60m of CAT5 cable runs E1 to the
+ Network ID: NCC 204 (NL), MNC 42
+ Typical CPU usage < 5%
+ Typical RAM usage < 3MB RSS
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The HAR2009 OpenBSC
+
+%image "har2009-gsm_tent.small.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The HAR2009 GSM Network
+
+
+ Registration procedure
+ Your phone tries to use 204-42 or NL-42
+ When we first see a particular IMSI
+ we send a SMS with auth token and URL
+ we kick phone off the network
+ You go to the URL indicated and enter your token
+ we mark the IMSI as authorized in our HLR DB
+ You try to register to the network again
+ we let the phone on our network
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The HAR2009 GSM Network
+
+
+ How can I use the network
+ make and receive calls to/from other registered phones
+ send and receive SMS to/from other registered phones
+ How can I play with the network
+ use airprobe or other tools to eavesdrop on GSM protocol
+ we don't use any crypto nor frequency hopping
+ we don't do SMS filtering, i.e. you can send any RPDU to any other phone
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The HAR2009 GSM Network
+
+
+ Helps us to test OpenBSC under higher load
+ already fixed several important software bugs
+ Helps us to obtain real-world protocol traces
+ Helps us to explore [in]compabibilities with certain phones
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The HAR2009 GSM Network
+
+
+ Statistics
+ More than 1100 phones tried to use our network
+ More than 450 phones completed registration
+ More than 1000 SMS sent (use more bandwidth!)
+ More than FIXME attempted voice calls
+ More than FIXME established voice calls
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Links
+
+ OpenBSC
+ http://openbsc.gnumonks.org/
+ 3GPP / ETSI GSM Specs
+ http://www.3gpp.org/
+ Priv-Doz. Dr.-Ing Joachim Goeller
+ http://www2.informatik.hu-berlin.de/~goeller
+ THC GSM Wiki
+ http://wiki.thc.org/gsm
+ OpenBTS
+ http://gnuradio.org/trac/wiki/OpenBTS
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Thanks
+
+
+Thanks to
+ zecke, alphaone, Stefan, Jan for their work on OpenBSC
+ W. for his extensive A-bis protocol traces and MA-10
+ Dieter Spaar for his most excellent input
+ Karsten Keil for mISDN
+ Andreas Eversberg for LCR interface and HFC-E1 driver
+ Stichting Hxx for getting the license
+ all the voluntary testers at HAR2009
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Thanks
+
+
+LIVE DEMO
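Review bot: the slide whose subtitle reads `+GSM Mobile Switching Center` but whose body starts `+Abis RSL Radio Link Layer` carries the wrong subtitle; it continues the A-bis RSL material from the slide before it, so the subtitle should be `GSM A-bis interface` like its neighbours. Other content issues in the same file: `+ Network ID: NCC 204 (NL), MNC 42` should say MCC, since 204 is the Mobile Country Code of the Netherlands (NCC is the Network Colour Code, a different BCCH parameter), which also makes it match the `204-42` on the registration slide; `+ 60m of CAT5 cable runs E1 to the` stops mid-sentence; the statistics slide still has two `FIXME` placeholders for attempted and established voice calls; and `+ See TS 04.08 (RLL), 12.21 (OML), 08.58 (RSL)` attributes RLL to 04.08, whereas the Radio Link Layer procedures are part of 08.58 and 04.08 is the layer 3 (RR/MM/CC) carried inside them, as the RLL slide itself goes on to say. Typos: `abut` (about), `sleect` (select), `[in]compabibilities` (incompatibilities), and `ISDN and SDN` looks garbled but the intended term is unclear. One caveat worth stating on the registration slide: because the network deliberately runs without authentication or ciphering (`we don't use any crypto nor frequency hopping`), marking an IMSI as authorized in the HLR is an opt-in gate for testers, not an identity check, and readers planning to reuse the scheme should know that.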