diff options
Diffstat (limited to '2010/gsm_foss-mt2010/section-openbts.tex')
| -rw-r--r-- | 2010/gsm_foss-mt2010/section-openbts.tex | 140 |
1 files changed, 140 insertions, 0 deletions
diff --git a/2010/gsm_foss-mt2010/section-openbts.tex b/2010/gsm_foss-mt2010/section-openbts.tex new file mode 100644 index 0000000..3675e85 --- /dev/null +++ b/2010/gsm_foss-mt2010/section-openbts.tex @@ -0,0 +1,140 @@ +\subsection{OpenBTS} + +\begin{frame}{What is OpenBTS?} +\begin{itemize} + \item is {\em NOT} a BTS in the typical GSM sense + \item is better described as a GSM-Um to SIP gateway + \item implements the GSM Um (air interface) as SDR + \item uses the USRP hardware as RF interface + \item does not implement any of BSC, MSC, HLR, etc. + \item bridges the GSM Layer3 protocol onto SIP + \item uses SIP switch (like Asterisk) for switching calls + SMS + \item is developed as C++ program and runs on Linux + MacOS +\end{itemize} +\end{frame} + +\begin{frame}{What is OpenBTS?} +\begin{itemize} + \item Open implementation of Um L1 \& L2, an all-software BTS. + \item L1/L2 design based on an object-oriented dataflow approach. + \item Includes L3 RR functions normally found in BSC. + \item Uses SIP PBX for MM and CC functions, eliminating the conventional GSM network. L3 is like an ISDN/SIP gateway. + \item Intended for use in low-cost and rapidly-deployed communications networks, but can be used for experiments (including by Chris Pagent at Def Con). +\end{itemize} +\end{frame} + +\begin{frame}{OpenBTS Hardware} +OpenBTS supports the following SDR hardware +\begin{itemize} + \item Ettus USRP(1) with two RFX 900 or RFX 1800 daughter boards + \begin{itemize} + \item Modification for external clock input recommended + \item External 52 MHz precision clock recommended + \end{itemize} + \item Kestrel Signal Processing / Range Networks custom radio + \item Close Haul Communications / GAPfiller (work in progress) + \item Ported to other radios by other clients. +\end{itemize} +\end{frame} + + +\begin{frame}{OpenBTS History + Tests} +\begin{itemize} + \item Started work in Aug 2007, first call in Jan 2008, first SMS in Dec 2008. + \item First public release in September 2008, assigned to FSF in Oct 2008. + \item Ran 3-sector 3-TRX system with 10,000-20,000 handsets at Sept 2009 Burning Man event in Nevada. + \item Ran 2-sector 5-TRX system with 40,000 handsets at Sept 2010 Burning Man event in Nevada. + \item Release 2.5 is about 13k lines of C++. + \item Part of GNU Radio project, distributed under AGPLv3. + \item Range Networks launched in Sept 2010 to produce commercial products and distributions. +\end{itemize} +\end{frame} + + +\begin{frame}{Burning Man 2010 Tower Base} +\begin{figure}[h] + \centering + \includegraphics[width=85mm]{OBTSBM2010.jpg} +\end{figure} +\end{frame} + +%\subsection{Clocking} +% +%\begin{frame}{OpenBTS USRP Clocking}{Clock Stability} +%\begin{itemize} +% \item USRP has regular XO (Crystal Oscillator) with 20ppm accuracy +% \item GSM requires 20ppb carrier clock accuracy +% \item possible solutions +% \begin{itemize} +% \item use external VCTCXO clocking module +% \item use external OCXO clocking module +% \item use a software calibration program comparing USRP XO with real GSM BTS carrier clocks +% \end{itemize} +% \item due to clock multiplication, absolute error in GSM1800 is higher than in GSM900 +%\end{itemize} +%\end{frame} + + +%\begin{frame}{OpenBTS USRP Clocking}{64 MHz vs. 52 MHz clock} +%\begin{itemize} +% \item The USRP master clock is 64 Mhz +% \item In GSM, all clocks are derived from 13 MHz +% \item Thus, a poly-phase re-sampler is part of SDR software +% \item Alternative: use 52 MHz (13 MHz * 4) external clock +% \item OpenBTS has two transceiver programs, one for each 64 MHz and 52 MHz +% \begin{itemize} +% \item Make sure to never use the wrong transceiver for your clock! +% \end{itemize} +%\end{itemize} +%\end{frame} + +%\begin{frame}{OpenBTS USRP Clocking}{Software Calibration} +%Basic idea: Use real GSM cell as clock source +%\begin{itemize} +% \item Implemented by the {\em Kalibrator} ({\tt kal}) program +% \item Acquire the FCCH burst of a real GSM cell +% \item Measure the clock difference between USRP XO and that cell +% \item Use the computed error as offset to USRP up/downconverter +% \item However, temperature and other drift will make clocks go out of sync over time +% \item Can only be used if a real-world GSM network is within range +%\end{itemize} +%\end{frame} + +%\begin{frame}[fragile]{OpenBTS USRP Clocking}{Kalibrator Example} +%\begin{block}{Example of running {\tt kal}} +%\begin{lstlisting} +%[openBTS@openBTS kal-0.2]# ./kal -f 946600000 -u +%USRP side: B +%FPGA clock: 52000000 +%Decimation: 192 +%Antenna: RX2 +%Sample rate: 270833.343750 +%average [min, max] (range, stddev) -2197.789062 [-2431, -1843] (588, 146.761444) +%\end{lstlisting} +%\end{block} +%The value {\bf -2198 should be used as FREQOFF constant in Transceiver/USRPDevice.cpp} +%\end{frame} + + +%\begin{frame}<handout:0>{OpenBTS} +% Demonstration +%\end{frame} + + +%\begin{frame}{OpenMS} +%\begin{itemize} +% \item Subscriber side stack based on OpenBTS. +% \item Called MS, but just a BTS stack with data flows reversed and a different RR control logic. +% \item Behavior is more like a passive interceptor that can also transmit. +% \item Release 1.0 supports non-hopping multi-ARFCN networks. +% \item Most L3 control logic provided by the end user. +% \item A platform for +% \begin{itemize} +% \item passive interceptors +% \item custom subscriber-side applications +% \item environment analysis +% \item intelligent jamming +% \end{itemize} +%\end{itemize} +%\end{frame} + |