path: root/2009/gsm_protocol_foss-bossa2009/gsm-ccc2008.mgp
Diffstat (limited to '2009/gsm_protocol_foss-bossa2009/gsm-ccc2008.mgp')
-rw-r--r--  2009/gsm_protocol_foss-bossa2009/gsm-ccc2008.mgp  414
1 files changed, 414 insertions, 0 deletions
diff --git a/2009/gsm_protocol_foss-bossa2009/gsm-ccc2008.mgp b/2009/gsm_protocol_foss-bossa2009/gsm-ccc2008.mgp
new file mode 100644
index 0000000..9fd769a
--- /dev/null
+++ b/2009/gsm_protocol_foss-bossa2009/gsm-ccc2008.mgp
@@ -0,0 +1,414 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+Running
+Your own
+GSM Network
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@gnumonks.org>
+Dieter Spaar <spaar@mirider.augusta.de>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Why?
+
+
+Why would you run your own GSM network?
+ For the same reason you might run other networks
+ To learn and experiment with technology
+ To boldly go where no [free] man has gone before ;)
+ Practical demonstration of known GSM security problems
+ Raise public awareness abut GSM [in]security
+ thus increase the incentive for the market to improve
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Legal Disclaimer
+
+
+Legal Disclaimer
+ Don't try this at home!
+ GSM operates on LICENSED spectrum
+ Thus, you need approval from the regulatory authority
+ Only use BTS with dummy load!
+ Don't interfere with the operators!
+ Our software is strictly for research purpose only
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Network Architecture
+
+
+The Hitchhikers Guide to the GSM Network
+ unfortunately does not exist
+
+The GSM related literature
+ is typically too high-level
+
+The GSM protocol specifications
+ are publicly available but _very_ comprehensive (1,108 PDFs, 414MByte)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Network Architecture
+
+GSM is a bit-synchronous network
+ it draws many analogies from ISDN and SDN
+ layer 2 modelled after Q.921 / LAPD
+ call signalling modelled Q.931
+ but: many more protocols for mobility management, radio resources, ...
+ like all traditional Telco protocols: Intelligence in the network, not in the end nodes.
+
+GSM is a TDMA "nightmare"
+ e.g. you never know from/for whom data is without the timing context
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Network Architecture
+
+MS
+ Mobile Station (your Phone)
+BTS
+ Base Transceiver Station
+BSC
+ Base Station Controller
+MSC
+ Mobile Switching Center
+HLR/VLR
+ Home/Visitor Location Register
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Base Transceiver Station
+
+BTS
+ As the name indicates "transceiver"
+ Handles
+ Layer 1 and some parts of RF layer2
+ Modulation/Demodulation
+ Time Multiplex, scheduling of frames
+ Is not a "Base Station", i.e. not self-contained
+ True 'slave' to the BSC
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Base Station Controller
+
+
+BSC
+ Base Station Controller
+ Handles
+ most of the actual decision making
+ really controls most aspects of BTSs
+ handles intra-BSC cell handover
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Mobile Switching Center
+
+
+MSC
+ Mobile Switching Center
+ Handles
+ Actual switching of the calls
+ Interworking with ISDN or POTS
+ Inter-BSC cell handover
+HLR/VLR
+ Home/Visitor Location Register
+ Handles
+ database of local / roaming subscribers
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM A-bis interface
+
+
+BSC <-> BTS Interface
+ is called A-bis
+ has the following control layers on E1 TS1
+ L2ML (Layer 2 Management)
+ TEI management similar to ISDN
+ OML (Organization & Maintenance)
+ System parameters, events
+ RSL (Radio Subsystem Layer)
+ has encoded voice data (TRAU frames) on other E1 TS
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM A-bis interface
+
+%image "2_small.jpg"
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM A-bis interface
+
+%image "3_small.jpg"
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM A-bis interface
+
+
+Abis RSL
+ contains messages for
+ Radio Link Layer (RLL)
+ Dedicated Channel (DCHAN)
+ Common Channel (CCHAN)
+ Transceiver (TRX)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+GSM Mobile Switching Center
+
+
+Abis RSL Radio Link Layer
+ contains messages for
+ Call Control (CC)
+ Mobility Management (MM)
+ Radio Resource (RR)
+ Short Message Service (SMS)
+ mostly specified in GSM TS 04.08
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The Siemens BS-11 microBTS
+
+
+Siemens BS-11 microBTS
+ plain old 2G (GSM voice calls, CSD)
+ one or two TRX, 30mW to 2W each, GSM900
+ two E1 interfaces (for daisy-chaining)
+ documentation under NDA, but
+ 99.9% of the A-bis protocol available from GSM specs
+ See TS 04.08 (RLL), 12.21 (OML), 08.58 (RSL)
+ RS232 serial port for Local Maintenance Terminal
+ LMT software proprietary under NDA
+ not needed for operation of the BTS
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The Siemens BS-11 microBTS
+
+%image "1_small.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The Siemens BS-11 microBTS
+
+%image "p1010012_small.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The Siemens BS-11 microBTS
+
+%image "p1010013_small.jpg"
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The Siemens BS-11 microBTS
+
+%image "p1010020_small.jpg"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The Siemens BS-11 microBTS
+
+
+First steps with the Siemens BS-11
+ Harald bought a BS-11 on e-Bay in 2006
+ Started to read some specs (08.5x) about A-bis
+ Started to build cables for E1 and power
+ Bought HFC-E1 PCI card
+ Bought Elmi EGM35 Abis analyzer (e-Bay once again)
+ Contacted with other people who also bought BS-11
+ Found somebody who could provide Abis traces
+ Never really had time due to Openmoko and other projects
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+The Siemens BS-11 microBTS
+
+
+Further steps with the Siemens BS-11
+ Dieter bought a BS-11 09/2008
+ Bought HFC-E1 PCI card
+ Started development based on HFC-E1 reference driver code
+ Found somebody who could provide Abis traces
+ Made very quick progress
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+BS11-Init
+
+
+BS11-Init (09/2008)
+ Chip cologne HFC-E1 reference code for DOS
+ polling, no interrupts
+ ported to Windows and Linux (mmap of HFC registers to userspace)
+ proof-of-concept code based on challenge-response
+ handles TEI assignment, brings OML and RSL up
+ allows for location update and paging of single phone
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+BS11-Init
+
+%image "4_small.jpg"
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+From BS11-Init to OpenBSC
+
+
+From BS11-Init to OpenBSC (12/2008)
+ get L2ML to work with mISDN
+ mainline mISDN doesn't deal with multiple SAPIs and fixed TEI
+ learn how new sockets-based mISDN API works
+ come up with event-driven architecture, single sleect loop, no threads, ...
+ At 25C3:
+ add libdbi/sqlite database for "HLR"
+ get paging to work, support for configurable network ID
+ debugging + stabilization with > 1000 test users ;)
+ IMSI + IMEI skimming
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Work at 25C3
+
+
+IMSI+IMEI skimming
+ very simple:
+ phones with automatic network selection pick strongest network
+ they send LOCATION UPDATE REQUEST
+ we send IDENTITY REQUEST IMSI + IMEISV
+ they send IMSI + IMEISV
+ we store this in the databasa
+ and then send LOCATION UPDATE REJECT
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Work at 25C3
+
+
+Mobile Originated Call
+ once a MS is registered, we can
+ dial a number from the MS
+ allocate and establish a TCH/F
+ deal with the Signalling and get into Connect
+ unfortunately, code for handling voice streams not finished
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Work at 25C3
+
+
+Mobile Originated SMS
+ once a MS is registered, we can
+ send a SMS
+ parse + acknowledge SMS PDU data
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Work at 25C3
+
+
+The Egypt simulation
+ apparently GPS is illegal in mobile phones in Egypt
+ "Egypt detection" implemented by checking if any surrounding cells are with Egypt country code
+ phones don't even have to register to our BTS!
+ so if we claim to be e.g. MobiNil, phones will shut off their GPS
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Other GSM related FOSS
+
+
+Other GSM related FOSS
+ OpenBTS
+ 100% Software Defined Radio bsed on USRP + gnuradio
+ implements entire RF+layer1/2/3 and interfacing to SIP/Asterisk
+ much more than just a BTS!!
+ some code overlap with OpenBSC
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Links
+
+ OpenBSC
+ http://openbsc.gnumonks.org/
+ 3GPP / ETSI GSM Specs
+ http://www.3gpp.org/
+ Priv-Doz. Dr.-Ing Joachim Goeller
+ http://www2.informatik.hu-berlin.de/~goeller
+ THC GSM Wiki
+ http://wiki.thc.org/gsm
+ OpenBTS
+ http://gnuradio.org/trac/wiki/OpenBTS
+ Harald's branch of gsm-tvoid, etc
+ git://git.gnumonks.org/gsm.git
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Thanks
+
+
+Thanks to
+ zecke, alphaone, Stefan for their work on OpenBSC
+ W. for his extensive A-bis protocol traces and MA-10
+ all the voluntary testers at 25C3
+ Karsten Keil for mISDN
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Running Your Own GSM Network
+Thanks
+
+
+LIVE DEMO
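Review bot: two slides in this deck carry the wrong running title, and the A-bis layering is described inaccurately on the "Abis RSL Radio Link Layer" slide. The slide whose body begins "Abis RSL Radio Link Layer" is headed "GSM Mobile Switching Center" although it belongs to the "GSM A-bis interface" sequence, and the closing "LIVE DEMO" slide still has the "Thanks" subtitle of the slide before it; please set those two headings to match their content. On the technical side, the same RLL slide says RLL "contains messages for" CC, MM, RR and SMS "mostly specified in GSM TS 04.08"; those are layer 3 messages that RLL (itself part of TS 08.58) carries transparently in its DATA REQ/IND primitives, and the SMS signalling layers (CP/RP) are in TS 04.11, not 04.08, so consider rewording to "carries layer 3 (CC/MM/RR per 04.08, SMS per 04.11) transparently". The BS-11 slide has the same mix-up in "See TS 04.08 (RLL), 12.21 (OML), 08.58 (RSL)", where 04.08 is layer 3 and RLL lives in 08.58; and OML expands to Operation & Maintenance (Link), not "Organization & Maintenance". Is "ISDN and SDN" on the architecture slide intended (SS7?), or a typo? Remaining typos worth a pass before the deck is presented: "abut", "Contacted with other people", "single sleect loop", "databasa", "bsed on USRP".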