path: root/2011/gsm-ensa2011/section-osmocombb.tex
Diffstat (limited to '2011/gsm-ensa2011/section-osmocombb.tex')
-rw-r--r--  2011/gsm-ensa2011/section-osmocombb.tex  296
1 files changed, 296 insertions, 0 deletions
diff --git a/2011/gsm-ensa2011/section-osmocombb.tex b/2011/gsm-ensa2011/section-osmocombb.tex
new file mode 100644
index 0000000..a8f4cd1
--- /dev/null
+++ b/2011/gsm-ensa2011/section-osmocombb.tex
@@ -0,0 +1,296 @@
+\section{OsmocomBB Project}
+
+\begin{frame}{A GSM phone baseband processor}
+\begin{itemize}
+ \item GSM protocol stack always runs in a so-called baseband processor (BP)
+ \item What is the baseband processor
+ \begin{itemize}
+ \item Typically ARM7 (2G/2.5G phones) or ARM9 (3G/3.5G phones)
+ \begin{itemize}
+ \item Runs some RTOS (often Nucleus, sometimes L4)
+ \item No memory protection between tasks
+ \end{itemize}
+ \item Some kind of DSP, model depends on vendor
+ \begin{itemize}
+ \item Runs the digital signal processing for the RF Layer 1
+ \item Has hardware peripherals for A5 encryption
+ \end{itemize}
+ \end{itemize}
+ \item The software stack on the baseband processor
+ \begin{itemize}
+ \item is written in C and assembly
+ \item lacks any modern security features (stack protection, non-executable pages, address space randomization, ..)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{A GSM Baseband Chipset}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=100mm]{calypso-block.pdf}
+ \end{figure}
+ \url{http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf}
+\end{frame}
+
+\begin{frame}{Requirements for GSM security analysis}
+What do we need for protocol-level security analysis?
+\begin{itemize}
+ \item A GSM MS-side baseband chipset under our control
+ \item A Layer1 that we can use to generate arbitrary L1 frames
+ \item A Layer2 protocol implementation that we can use + modify
+ \item A Layer3 protocol implementation that we can use + modify
+\end{itemize}
+None of those components existed, so we need to create them!
+\end{frame}
+
+\begin{frame}{A GSM baseband under our control}
+The two different DIY approaches
+\begin{itemize}
+ \item Build something using generic components (DSP, CPU, ADC, FPGA)
+ \begin{itemize}
+ \item No reverse engineering required
+ \item A lot of work in hardware design + debugging
+ \item Hardware will be low-quantity and thus expensive
+ \end{itemize}
+ \item Build something using existing baseband chipset
+ \begin{itemize}
+ \item Reverse engineering or leaked documents required
+ \item Less work on the 'Layer 0'
+ \item Still, custom hardware in low quantity
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{A GSM baseband under our control}
+Alternative 'lazy' approach
+\begin{itemize}
+ \item Re-purpose existing mobile phone
+ \begin{itemize}
+ \item Hardware is known to be working
+ \item No prototyping, hardware revisions, etc.
+ \item Reverse engineering required
+ \item Hardware drivers need to be written
+ \item But: More time to focus on the actual job: Protocol software
+ \end{itemize}
+ \item Searching for suitable phones
+ \begin{itemize}
+ \item As cheap as possible
+ \item Readily available: Many people can play with it
+ \item As old/simple as possible to keep complexity low
+ \item Baseband chipset with lots of leaked information
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Baseband chips with leaked information}
+\begin{itemize}
+ \item Texas Instruments Calypso
+ \begin{itemize}
+ \item DBB Documentation on cryptome.org and other sites
+ \item ABB Documentation on Chinese phone developer websites
+ \item Source code of GSM stack / drivers was on sf.net (tsm30 project)
+ \item End of life, no new phones with Calypso since about 2008
+ \item No cryptographic checks in bootloader
+ \end{itemize}
+ \item Mediatek MT622x chipsets
+ \begin{itemize}
+ \item Lots of Documentation on Chinese sites
+ \item SDK with binary-only GSM stack libraries on Chinese sites
+ \item 95 million produced/sold in Q1/2010
+ \end{itemize}
+\end{itemize}
+Initial choice: TI Calypso (GSM stack source available)
+\end{frame}
+
+
+\subsection{OsmocomBB Introduction}
+
+\begin{frame}{OsmocomBB Introduction}
+\begin{itemize}
+ \item Project was started only in January 2010 (9 months ago!)
+ \item Implementing a GSM baseband software from scratch
+ \item This includes
+ \begin{itemize}
+ \item GSM MS-side protocol stack from Layer 1 through Layer 3
+ \item Hardware drivers for GSM Baseband chipset
+ \item Simple User Interface on the phone itself
+ \item Verbose User Interface on the PC
+ \end{itemize}
+ \item Note about the strange project name
+ \begin{itemize}
+ \item Osmocom = Open Source MObile COMmunication
+ \item BB = Base Band
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Software Architecture}
+\begin{itemize}
+ \item Reuse code from OpenBSC where possible (libosmocore)
+ \begin{itemize}
+ \item We build libosmocore both for phone firmware and PC
+ \end{itemize}
+ \item Initially run as little software in the phone
+ \begin{itemize}
+ \item Debugging code on your host PC is so much easier
+ \item You have much more screen real-estate
+ \item Hardware drivers and Layer1 run in the phone
+ \item Layer2, 3 and actual phone application / MMI on PC
+ \item Later, L2 and L3 can me moved to the phone
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Software Interfaces}
+\begin{itemize}
+ \item Interface between Layer1 and Layer2 called L1CTL
+ \begin{itemize}
+ \item Fully custom protocol as there is no standard
+ \item Implemented as message based protocol over Sercomm/HDLC/RS232
+ \end{itemize}
+ \item Interface between Layer2 and Layer3 called RSLms
+ \begin{itemize}
+ \item In the GSM network, Um Layer2 terminates at the BTS but is controlled by the BSC
+ \item Reuse this GSM 08.58 Radio Signalling Link
+ \item Extend it where needed for the MS case
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{OsmocomBB Software}
+
+\begin{frame}{OsmocomBB Target Firmware}
+\begin{itemize}
+ \item Firmware includes software like
+ \begin{itemize}
+ \item Drivers for the Ti Calypso Digital Baseband (DBB)
+ \item Drivers for the Ti Iota TWL3025 Analog Baseband (ABB)
+ \item Drivers for the Ti Rita TRF6151 RF Transceiver
+ \item Drivers for the LCD/LCM of a number of phones
+ \item CFI flash driver for NOR flash
+ \item GSM Layer1 synchronous/asynchronous part
+ \item Sercomm - A HDLC based multiplexer for the RS232 to host PC
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Host Software}
+\begin{itemize}
+ \item Current working name: layer23
+ \item Includes
+ \begin{itemize}
+ \item Layer 1 Control (L1CTL) protocol API
+ \item GSM Layer2 implementation (LAPDm)
+ \item GSM Layer3 implementation (RR/MM/CC)
+ \item GSM Cell (re)selection
+ \item SIM Card emulation
+ \item Supports various 'apps' depending on purpose
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{OsmocomBB Hardware Support}
+
+\begin{frame}{OsmocomBB Supported Hardware}
+\begin{itemize}
+ \item Baseband Chipsets
+ \begin{itemize}
+ \item TI Calypso/Iota/Rita
+ \item Some early research being done on Mediatek (MTK) MT622x
+ \end{itemize}
+ \item Actual Phones
+ \begin{itemize}
+ \item Compal/Motorola C11x, C12x, C13x, C14x and C15x models
+ \item Most development/testing on C123 and C155
+ \item GSM modem part of Openmoko Neo1973 and Freerunner
+ \end{itemize}
+ \item All those phones are simple feature phones built on a ARM7TDMI based DBB
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The Motorola/Compal C123}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=100mm]{c123_pcb.jpg}
+ \end{figure}
+\end{frame}
+
+
+\subsection{OsmocomBB Project Status}
+
+\begin{frame}{OsmocomBB Project Status: Working}
+\begin{itemize}
+ \item Hardware Drivers for Calypso/Iota/Rita very complete
+ \item Drivers for Audio/Voice signal path
+ \item Layer1
+ \begin{itemize}
+ \item Power measurements
+ \item Carrier/bit/TDMA synchronization
+ \item Receive and transmit of normal bursts on SDCCH
+ \item Transmit of RACH bursts
+ \item Automatic Rx gain control (AGC)
+ \item Frequency Hopping
+ \end{itemize}
+ \item Layer2 UI/SABM/UA frames and ABM mode
+ \item Layer3 Messages for RR / MM / CC
+ \item Cell (re)selection according GSM 03.22
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Project Status: Working (2/2)}
+OsmocomBB can now do GSM Voice calls (since 08/2010)
+\begin{itemize}
+ \item Very Early Assignment + Late Assignment
+ \item A3/A8 Authentication of SIM
+ \item A5/1 + A5/2 Encryption
+ \item Full Rate (FR) and Enhanced Full Rate (EFR) codec
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Project Status: Not working}
+\begin{itemize}
+ \item Layer1
+ \begin{itemize}
+ \item Automatic Tx power control (APC)
+ \item Neighbor Cell Measurements (WIP)
+ \item In-call hand-over to other cells (WIP)
+ \end{itemize}
+ \item Actual UI on the phone
+ \item Circuit Switched Data (CSD) calls
+ \item GPRS (packet data)
+ \item No Type Approval for the stack!
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Project Status: Executive Summary}
+\begin{itemize}
+ \item We can establish control/signalling channels to both hopping and non-hopping GSM cells
+ \begin{itemize}
+ \item Control over synthesizer means we can even go to GSM-R band
+ \end{itemize}
+ \item We can send arbitrary data on those control channels
+ \begin{itemize}
+ \item RR messages to BSC
+ \item MM/CC messages to MSC
+ \item SMS messages to MSC/SMSC
+ \end{itemize}
+ \item TCH (Traffic Channel) support for voice calls
+ \begin{itemize}
+ \item Has been used on real networks for 30+ minute calls!
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB use cases}
+OsmocomBB can be used today for
+\begin{itemize}
+ \item practical lab exercises in education on any level of GSM,
+from the radio modem through the protocol stack
+ \item applied research in GSM protocols and GSM security
+ \item penetration testing of GSM operator equipment
+ \item measurement and exploration of real operator networks
+\end{itemize}
+With (your?) help, we can turn it into an actual mobile phone for
+regular users, i.e. bringing the freedom of Free Software into one of
+the most closed areas of computing.
+\end{frame}
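Review bot: the relative date in the "OsmocomBB Introduction" frame, "Project was started only in January 2010 (9 months ago!)", is stale for a file committed under 2011/gsm-ensa2011; either state the absolute start date alone or recompute the interval for the 2011 talk. Smaller points in the same hunk: "Later, L2 and L3 can me moved to the phone" should read "can be moved"; "Cell (re)selection according GSM 03.22" needs "according to"; the vendor is written "Ti" in the "OsmocomBB Target Firmware" frame but "TI" in the "Supported Hardware" frame; the frame title "Project Status: Working (2/2)" has no matching "(1/2)" on the preceding status frame; and the trailing ", ..)" after "address space randomization" should be a proper ellipsis or dropped.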
personal git repositories of Harald Welte. Your mileage may vary