Diffstat (limited to '2014/openbsc-dorscluc2014/section-openbts.tex')
-rw-r--r--2014/openbsc-dorscluc2014/section-openbts.tex183
1 files changed, 183 insertions, 0 deletions
diff --git a/2014/openbsc-dorscluc2014/section-openbts.tex b/2014/openbsc-dorscluc2014/section-openbts.tex
new file mode 100644
index 0000000..9c04222
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/section-openbts.tex
@@ -0,0 +1,183 @@
+\section{OpenBTS, airprobe and wireshark}
+
+\subsection{OpenBTS Introduction}
+
+\begin{frame}{What is OpenBTS?}
+\begin{itemize}
+ \item is {\em NOT} a BTS in the typical GSM sense
+ \item is better described as a GSM-Um to SIP gateway
+ \item implements the GSM Um (air interface) as SDR
+ \item uses the USRP hardware as RF interface
+ \item does not implement any of BSC, MSC, HLR, etc.
+ \item bridges the GSM Layer3 protocol onto SIP
+ \item uses SIP switch (like Asterisk) for switching calls + SMS
+ \item is developed as C++ program and runs on Linux + MacOS
+\end{itemize}
+\end{frame}
+
+\begin{frame}{What is OpenBTS?}
+\begin{itemize}
+ \item Open implementation of Um L1 \& L2, an all-software BTS.
+ \item L1/L2 design based on an object-oriented dataflow approach.
+ \item Includes L3 RR functions normally found in BSC.
+ \item Uses SIP PBX for MM and CC functions, eliminating the conventional GSM network. L3 is like an ISDN/SIP gateway.
+ \item Intended for use in low-cost and rapidly-deployed communications networks, but can be used for experiments (including by Chris Paget at Def Con).
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS Hardware}
+OpenBTS supports the following SDR hardware
+\begin{itemize}
+ \item Ettus USRP(1) with two RFX 900 or RFX 1800 daughter boards
+ \begin{itemize}
+ \item Modification for external clock input recommended
+ \item External 52 MHz precision clock recommended
+ \end{itemize}
+ \item Kestrel Signal Processing / Range Networks custom radio
+ \item Close Haul Communications / GAPfiller (work in progress)
+ \item Ported to other radios by other clients
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{OpenBTS History + Tests}
+\begin{itemize}
+ \item Started work in August 2007, first call in January 2008, first SMS in December 2008.
+ \item First public release in September 2008, assigned to FSF in October 2008.
+ \item Tested 3-sector system with 10,000-20,000 handsets at September 2009 Burning Man event in Nevada.
+ \item Tested 2-sector system with 40,000 handsets at September 2010 Burning Man event in Nevada.
+ \item Release 2.5 is about 13k lines of C++.
+ \item Part of GNU Radio project, distributed under GPLv3 (>= 2.6: AGPLv3)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS Software Architecture}
+\begin{itemize}
+ \item {\tt Transceiver} program
+ \begin{itemize}
+ \item SDR processing for Layer 0
+ \item BTS-side GSM Um Layer 1 implementation
+ \item sends GSM burst data via UDP socket
+ \end{itemize}
+ \item {\tt OpenBTS} program
+ \begin{itemize}
+ \item GSM Um Layer 2 (04.06) + 3 (04.08) implementation
+ \item SIP UA implementation
+ \item GSM Layer 3 CC to SIP bridge implementation
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS GSM <-> SIP mapping}
+\begin{itemize}
+ \item Location Updates mapped to SIP registration
+ \begin{itemize}
+ \item Use IMSI as SIP user name
+ \end{itemize}
+ \item Call Control mapped to SIP transactions
+ \begin{itemize}
+ \item relatively straight-forward
+ \end{itemize}
+ \item GSM Traffic Channels mapped to RTP channels
+ \begin{itemize}
+ \item No transcoding inside OpenBTS, FR/EFR messages are simply relayed
+ \end{itemize}
+ \item SMS mapped to SIP messaging according to RFC 3428
+ \begin{itemize}
+ \item A separate {\tt smqueue} daemon implements store+forward
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+%\subsection{Clocking}
+
+\begin{frame}{OpenBTS USRP Clocking}{Clock Stability}
+\begin{itemize}
+ \item USRP has regular XO (Crystal Oscillator) with 20ppm accuracy
+ \item GSM requires 20ppb carrier clock accuracy
+ \item possible solutions
+ \begin{itemize}
+ \item use external VCTCXO clocking module
+ \item use external OCXO clocking module
+ \item use a software calibration program comparing USRP XO with real GSM BTS carrier clocks
+ \end{itemize}
+ \item due to clock multiplication, absolute error in GSM1800 is higher than in GSM900
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{OpenBTS USRP Clocking}{64 MHz vs. 52 MHz clock}
+\begin{itemize}
+ \item The USRP master clock is 64 Mhz
+ \item In GSM, all clocks are derived from 13 MHz
+ \item Thus, a poly-phase re-sampler is part of SDR software
+ \item Alternative: use 52 MHz (13 MHz * 4) external clock
+ \item OpenBTS has two transceiver programs, one for each 64 MHz and 52 MHz
+ \begin{itemize}
+ \item Make sure to never use the wrong transceiver for your clock!
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS USRP Clocking}{Software Calibration}
+Basic idea: Use real GSM cell as clock source
+\begin{itemize}
+ \item Implemented by the {\em Kalibrator} ({\tt kal}) program
+ \item Acquire the FCCH burst of a real GSM cell
+ \item Measure the clock difference between USRP XO and that cell
+ \item Use the computed error as offset to USRP up/downconverter
+ \item However, temperature and other drift will make clocks go out of sync over time
+ \item Can only be used if a real-world GSM network is within range
+\end{itemize}
+\end{frame}
+
+%\begin{frame}[fragile]{OpenBTS USRP Clocking}{Kalibrator Example}
+%\begin{block}{Example of running {\tt kal}}
+%\begin{lstlisting}
+%[openBTS@openBTS kal-0.2]# ./kal -f 946600000 -u
+%USRP side: B
+%FPGA clock: 52000000
+%Decimation: 192
+%Antenna: RX2
+%Sample rate: 270833.343750
+%average [min, max] (range, stddev) -2197.789062 [-2431, -1843] (588, 146.761444)
+%\end{lstlisting}
+%\end{block}
+%The value {\bf -2198 should be used as FREQOFF constant in Transceiver/USRPDevice.cpp}
+%\end{frame}
+
+\begin{frame}{OpenBTS -- ``Nevada Test Site'' \& 21m Mast}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=85mm]{NevadaTestSite.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Burning Man 2010 Tower Base}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=85mm]{OBTSBM2010.jpg}
+\end{figure}
+\end{frame}
+
+%\begin{frame}<handout:0>{OpenBTS}
+% Demonstration
+%\end{frame}
+
+\begin{frame}{OpenMS}
+\begin{itemize}
+ \item Subscriber side stack based on OpenBTS.
+ \item Called MS, but just a BTS stack with data flows reversed and a different RR control logic.
+ \item Behavior is more like a passive interceptor that can also transmit.
+ \item Release 1.0 supports non-hopping multi-ARFCN networks.
+ \item Most L3 control logic provided by the end user.
+ \item A platform for
+ \begin{itemize}
+ \item passive interceptors
+ \item custom subscriber-side applications
+ \item environment analysis
+ \item intelligent jamming
+ \end{itemize}
+ \item NOT Open Source
+\end{itemize}
+\end{frame}
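Review bot: The frame title `OpenBTS GSM <-> SIP mapping` and the item text `(>= 2.6: AGPLv3)` use bare `<` and `>` in text mode, which typeset as ¡ and ¿ under the default OT1 font encoding; the preamble is outside this hunk, so this applies only if `\usepackage[T1]{fontenc}` is not loaded there. Writing `\begin{frame}{OpenBTS GSM $\leftrightarrow$ SIP mapping}` and `($\geq$ 2.6: AGPLv3)` renders correctly under either encoding. On the same mapping frame, `Use IMSI as SIP user name` would benefit from a sub-item noting that the IMSI is the permanent subscriber identifier and therefore shows up in SIP signalling on the IP side, for example `\item IMSI becomes visible in SIP signalling; keep the SIP leg on a trusted network`. Minor: `64 Mhz` in the 64 MHz vs. 52 MHz clocking frame should read `64 MHz`, matching the other unit spellings in the file.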