| | | |
|---|---|---|
| author | Harald Welte <laforge@gnumonks.org> | 2015-10-25 21:00:20 +0100 |
| committer | Harald Welte <laforge@gnumonks.org> | 2015-10-25 21:00:20 +0100 |
| commit | fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 (patch) | |
| tree | a2011270df48d3501892ac1a56015c8be57e8a7d /2011/gsm-ensa2011 | |
import of old now defunct presentation slides svn repo
Diffstat (limited to '2011/gsm-ensa2011')
19 files changed, 1240 insertions, 0 deletions
| diff --git a/2011/gsm-ensa2011/NevadaTestSite.jpg b/2011/gsm-ensa2011/NevadaTestSite.jpgBinary files differ new file mode 100644 index 0000000..aa3a627 --- /dev/null +++ b/2011/gsm-ensa2011/NevadaTestSite.jpg diff --git a/2011/gsm-ensa2011/OBTSBM2010.jpg b/2011/gsm-ensa2011/OBTSBM2010.jpgBinary files differ new file mode 100644 index 0000000..7759978 --- /dev/null +++ b/2011/gsm-ensa2011/OBTSBM2010.jpg diff --git a/2011/gsm-ensa2011/abstract.txt b/2011/gsm-ensa2011/abstract.txt new file mode 100644 index 0000000..2a3542c --- /dev/null +++ b/2011/gsm-ensa2011/abstract.txt @@ -0,0 +1,26 @@ +Free Software for GSM networks + +During its 25 year history, Free Software has ventured in many areas of +computing, such as TCP/IP networks, Internet servers, personal computers, +laptops, desktop computers, embedded devices, and so on. + +However, there are other areas of computing that - until very recently - have +not yet seen any Free Software.  One prime example is cellular telephony +networks.   More than 3 billion subscribers use GSM cellular phones around the +world.  All components in the public GSM networks are proprietary +both on the network side and on the telephon side. + +The cellular networks consist of components like base stations, telephone +switches, all running proprietary software. + +The cellular phones - even those running Free Software based operating systems +liek Android - have a separate computer called "baseband processor" that +interacts with the GSM network and runs proprietary software. + +Since 2009, projects like OpenBTS, OpenBSC and OsmocomBB have been created to +change this.  They all implement components of a GSM network as Free Software. + +Harald Welte is the founder of OpenBSC and OsmocomBB.  He will discuss the +proprietary nature of the GSM world, the progress of Free Software in GSM +and how the GSM related Free Software projects can be used in research +and production. 
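Review bot: two typos in abstract.txt should be fixed before this text is reused for a programme or web page: "on the telephon side" should read "on the telephone side", and "liek Android" should read "like Android".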
diff --git a/2011/gsm-ensa2011/bts_tree_full.jpg b/2011/gsm-ensa2011/bts_tree_full.jpgBinary files differ new file mode 100644 index 0000000..6b5c5e8 --- /dev/null +++ b/2011/gsm-ensa2011/bts_tree_full.jpg diff --git a/2011/gsm-ensa2011/c123_pcb.jpg b/2011/gsm-ensa2011/c123_pcb.jpgBinary files differ new file mode 100644 index 0000000..a9f24fc --- /dev/null +++ b/2011/gsm-ensa2011/c123_pcb.jpg diff --git a/2011/gsm-ensa2011/calypso-block.pdf b/2011/gsm-ensa2011/calypso-block.pdfBinary files differ new file mode 100644 index 0000000..27f8be8 --- /dev/null +++ b/2011/gsm-ensa2011/calypso-block.pdf diff --git a/2011/gsm-ensa2011/gsm.pdf b/2011/gsm-ensa2011/gsm.pdfBinary files differ new file mode 100644 index 0000000..bb403ee --- /dev/null +++ b/2011/gsm-ensa2011/gsm.pdf diff --git a/2011/gsm-ensa2011/gsm.snm b/2011/gsm-ensa2011/gsm.snm new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/2011/gsm-ensa2011/gsm.snm diff --git a/2011/gsm-ensa2011/gsm.tex b/2011/gsm-ensa2011/gsm.tex new file mode 100644 index 0000000..746611f --- /dev/null +++ b/2011/gsm-ensa2011/gsm.tex 
@@ -0,0 +1,305 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +\usepackage{url} +\makeatletter +\def\url@leostyle{% +  \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}} +\makeatother +%% Now actually use the newly defined style. +\urlstyle{leo} + + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>. +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice.  + + +\mode<presentation> +{ +  \usetheme{Warsaw} +  % or ... + +  \setbeamercovered{transparent} +  % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +\usepackage{subfigure} +\usepackage{hyperref} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. + + +\title{Free Software for GSM cellular telephony} + +\subtitle +{OpenBSC, OsmoSGSN, OpenGGSN, OsmocomBB} + +\author{Harald Welte} + +\institute +{gnumonks.org\\gpl-violations.org\\osmocom.org\\airprobe.org\\hmw-consulting.de} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. 
+ +\date[ENSA 2011] % (optional, should be abbreviation of conference name) +{ENSA, May 2011, Tetouan/Morocco} +% - Either use conference name or its abbreviation. +% - Not really informative to the audience, more for people (including +%   yourself) who are reading the slides online + +\subject{GSM Security} +% This is only inserted into the PDF information catalog. Can be left +% out.  + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +%  \begin{frame}<beamer>{Outline} +%    \tableofcontents[currentsection,currentsubsection] +%  \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command:  + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} +  \titlepage +\end{frame} + +\begin{frame}{Outline} +  \tableofcontents[hideallsubsections] +  % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution:  + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +%   15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +%   are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +%   enough. Leave out details, even if it means being less precise than +%   you think necessary. 
+% - If you omit details that are vital to the proof/implementation, +%   just say so once. Everybody will be happy with that. + +\begin{frame}{About the speaker} +\begin{itemize} +	\item Using + playing with GNU/Linux since 1994 +	\item Kernel / bootloader / driver / firmware development since 1999 +	\item IT security expert, focus on network protocol security +	\item Core developer of Linux packet filter netfilter/iptables  +	\item Trained as Electrical Engineer +	\item Always looking for interesting protocols (RFID, DECT, GSM) +\end{itemize} +\end{frame} + +\begin{frame}{Success of Free Software}{depending on area of computing} +\begin{itemize} +	\item Free Software has proven to be successful in many areas of +computing +	\begin{itemize} +		\item Operating Systems (GNU/Linux) +		\item Internet Servers (Apache, Sendmail, Exim, Cyrus, +...) +		\item Desktop Computers (gnome, KDE, Firefox, LibreOffice, ...) +		\item Mobile Devices +		\item Embedded network devices (Router, Firewall, NAT, WiFi-AP) +	\end{itemize} +	\item There are more areas to computing that people tend to +forget. Examples in the communications area: +	\begin{itemize} +		\item Cellular telephony networks (GSM, 3G, LTE) +		\item Professional Mobile Radio (TETRA, TETRAPOL) +		\item Cordless telephones (DECT) +	\end{itemize} +\end{itemize} +\end{frame} + +\include{part-security_research} + +\begin{frame}{Security analysis of GSM}{The bootstrapping process} +\begin{itemize} +	\item Start to read GSM specs (> 1000 PDF documents!) 
+	\item Gradually grow knowledge about the protocols +	\item Obtain actual GSM network equipment (BTS) +	\item Try to get actual protocol traces as examples +	\item Start a complete protocol stack implementation from scratch +	\item Finally, go and play with GSM protocol security +\end{itemize} +\end{frame} + +\subsection{The GSM network} + +\begin{frame}{The GSM network} +  \begin{figure}[h] +  \centering +  \includegraphics[width=100mm]{gsm_network.png} +  \end{figure} +\end{frame} + +\begin{frame}{GSM network components} +  \begin{itemize} +    \item The BSS (Base Station Subsystem) +    \begin{itemize} +      \item MS (Mobile Station): Your phone +      \item BTS (Base Transceiver Station): The {\em cell tower} +      \item BSC (Base Station Controller): Controlling up to hundreds of BTS +    \end{itemize} +    \item The NSS (Network Sub System) +    \begin{itemize} +      \item MSC (Mobile Switching Center): The central switch +      \item HLR (Home Location Register): Database of subscribers +      \item AUC (Authentication Center): Database of authentication keys +      \item VLR (Visitor Location Register): For roaming users +      \item EIR (Equipment Identity Register): To block stolen phones +    \end{itemize} +  \end{itemize} +\end{frame} + +\begin{frame}{GSM network interfaces} +  \begin{itemize} +    \item Um: Interface between MS and BTS +    \begin{itemize} +	\item the only interface that is specified over radio +    \end{itemize} +    \item A-bis: Interface between BTS and BSC +    \item A: Interface between BSC and MSC +    \item B: Interface between MSC and other MSC +  \end{itemize} +  GSM networks are a prime example of an asymmetric distributed network, +  very different from the end-to-end transparent IP network. 
+\end{frame} + + +\subsection{The GSM protocols} + +\begin{frame}{GSM network protocols}{On the Um interface} +  \begin{itemize} +    \item Layer 1: Radio Layer, TS 04.04 +    \item Layer 2: LAPDm, TS 04.06 +    \item Layer 3: Radio Resource, Mobility Management, Call Control: TS 04.08 +    \item Layer 4+: for USSD, SMS, LCS, ... +  \end{itemize} +\end{frame} + +\begin{frame}{GSM network protocols}{On the A-bis interface} +  \begin{itemize} +    \item Layer 1: Typically E1 line, TS 08.54 +    \item Layer 2: A variant of ISDN LAPD with fixed TEI's, TS 08.56 +    \item Layer 3: OML (Organization and Maintenance Layer, TS 12.21) +    \item Layer 3: RSL (Radio Signalling Link, TS 08.58) +    \item Layer 4+: transparent messages that are sent to the MS via Um +  \end{itemize} +\end{frame} + +\include{section-openbsc} + +\include{section-osmocombb} + +\include{section-openbts} +\include{section-airprobe} +\include{section-wireshark} + +%\section{Summary} +%\subsection{What we've learned} + +\begin{frame}{Summary}{What we've learned} +\begin{itemize} +	\item The GSM industry is making security analysis very difficult +	\item It is well-known that the security level of the GSM stacks is very low +	\item We now have multiple solutions for sending arbitrary protocol data +	\begin{itemize} +		\item From a rogue network to phones (OpenBSC, OpenBTS) +		\item From a FOSS controlled phone to the network (OsmocomBB) +		\item From an A-bis proxy to the network or the phones +	\end{itemize} +\end{itemize} +\end{frame} + +\subsection{Where we go from here} + +\begin{frame}{TODO}{Where we go from here} +\begin{itemize} +	\item The tools for fuzzing mobile phone protocol stacks are available +	\item It is up to the security community to make use of those tools (!) +	\item Don't you too think that TCP/IP security is boring? 
+	\item Join the GSM protocol security research projects +	\item Boldly go where no (free) man has gone before +\end{itemize} +\end{frame} + +\begin{frame}{Current Areas of Work / Future plans} +\begin{itemize} +	\item UMTS(3G) support for NodeB and femtocells +	\item SS7 / MAP integration (Erlang and C) +	\item Playing with SIM Toolkit from the operator side +	\item Playing with MMS +	\item More exploration of RRLP + SUPL +\end{itemize} +\end{frame} + +%\subsection{Further Reading} + +\begin{frame}{Further Reading} +\begin{itemize} +	\item \url{http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf} +	\item \url{http://bb.osmocom.org/} +	\item \url{http://openbsc.osmocom.org/} +	\item \url{http://openbts.sourceforge.net/} +	\item \url{http://airprobe.org/} +\end{itemize} +\end{frame} + +\end{document} diff --git a/2011/gsm-ensa2011/gsm.vrb b/2011/gsm-ensa2011/gsm.vrb new file mode 100644 index 0000000..d917a88 --- /dev/null +++ b/2011/gsm-ensa2011/gsm.vrb @@ -0,0 +1,13 @@ +\frametitle {OpenBTS USRP Clocking}\framesubtitle {Kalibrator Example} +\begin{block}{Example of running {\tt kal}} +\begin{lstlisting} +[openBTS@openBTS kal-0.2]# ./kal -f 946600000 -u +USRP side: B +FPGA clock: 52000000 +Decimation: 192 +Antenna: RX2 +Sample rate: 270833.343750 +average [min, max] (range, stddev) -2197.789062 [-2431, -1843] (588, 146.761444) +\end{lstlisting} +\end{block} +The value {\bf -2198 should be used as FREQOFF constant in Transceiver/USRPDevice.cpp} diff --git a/2011/gsm-ensa2011/gsm_network.png b/2011/gsm-ensa2011/gsm_network.pngBinary files differ new file mode 100644 index 0000000..c5f6399 --- /dev/null +++ b/2011/gsm-ensa2011/gsm_network.png diff --git a/2011/gsm-ensa2011/openbsc_host.jpg b/2011/gsm-ensa2011/openbsc_host.jpgBinary files differ new file mode 100644 index 0000000..10c575d --- /dev/null +++ b/2011/gsm-ensa2011/openbsc_host.jpg 
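Review bot: gsm.vrb (and the empty gsm.snm added earlier in this patch) are beamer build products rather than sources: the .vrb is the scratch file beamer writes for a [fragile] frame, and its content is exactly the Kalibrator lstlisting frame that is commented out in section-openbts.tex, so it is stale output of an earlier build. Suggest dropping both files from the import and ignoring *.snm and *.vrb alongside the other TeX auxiliaries. In gsm.tex itself, the frame {Security analysis of GSM}{The bootstrapping process} placed right after \include{part-security_research} duplicates the fuller version of the same frame that closes part-security_research.tex, so one of the two should go.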
diff --git a/2011/gsm-ensa2011/osmosgsn.png b/2011/gsm-ensa2011/osmosgsn.pngBinary files differ new file mode 100644 index 0000000..f1dbc85 --- /dev/null +++ b/2011/gsm-ensa2011/osmosgsn.png diff --git a/2011/gsm-ensa2011/part-security_research.tex b/2011/gsm-ensa2011/part-security_research.tex new file mode 100644 index 0000000..676a4f5 --- /dev/null +++ b/2011/gsm-ensa2011/part-security_research.tex 
@@ -0,0 +1,141 @@ +%\part{Security Research} +\section{Researching GSM/3G security} +%\begin{frame}{Part 3 -- Researching GSM/3G security} +%\tableofcontents +% You might wish to add the option [pausesections] +%\end{frame} + +%\subsection{An interesting observation} + +\begin{frame}{Free specs / Free implementations} +\begin{itemize} +	\item Observation +	\begin{itemize} +		\item Both GSM/3G and TCP/IP protocol specs are publicly available +		\item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny +		\item GSM networks are as widely deployed as the Internet +		\item Yet, GSM/3G protocols receive no such scrutiny! +	\end{itemize} +	\item There are reasons for that: +	\begin{itemize} +		\item GSM industry is extremely closed (and closed-minded) +		\item Only about 4 proprietary protocol stack implementations +		\item GSM chip set makers never release any hardware documentation +	\end{itemize} +\end{itemize} +\end{frame} + +\subsection{The closed GSM industry} + +\begin{frame}{The closed GSM industry}{Handset manufacturing side} +\begin{itemize} +	\item Only very few companies build GSM/3.5G baseband chips today +	\begin{itemize} +		\item Those companies buy the operating system kernel and the protocol stack from third parties +	\end{itemize} +	\item Only very few handset makers are large enough to become a customer +	\begin{itemize} +		\item Even they only get limited access to hardware documentation +		\item Even they never really get access to the firmware source +	\end{itemize} +\end{itemize} +\end{frame} + +%\subsection{The closed GSM industry -- Network side} + +\begin{frame}{The closed GSM industry}{Network manufacturing side} +\begin{itemize} +	\item Only very few companies build GSM network equipment +	\begin{itemize} +		\item Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei +		\item Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment +	
\end{itemize} +	\item Only operators buy equipment from them +	\item Since the quantities are low, the prices are extremely high +	\begin{itemize} +		\item e.g. for a BTS, easily 10-40k EUR +		\item minimal network using standard components definitely in the 100,000s of EUR range +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{Operator side} +From my experience with Operators (prove me wrong!) +\begin{itemize} +	\item Operators are mainly finance + marketing today +	\item Many operators outsources +	\begin{itemize} +		\item Network servicing / deployment, even planning +		\item Other aspects of business like Billing +	\end{itemize} +	\item Operator just knows the closed equipment as shipped by manufacturer +	\item Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance +\end{itemize} +\end{frame} + +\subsection{Security implications} + +\begin{frame}{The closed GSM industry}{Security implications} +The security implications of the closed GSM industry are: +\begin{itemize} +	\item Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers +	\item No independent research on protocol-level security +	\begin{itemize} +		\item If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis) +		\item Or on application level (e.g. mobile malware) +	\end{itemize} +	\item No free software protocol implementations +	\begin{itemize} +		\item which are key for making more people learn about the protocols +		\item which enable quick prototyping/testing by modifying existing code +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Security analysis of GSM}{How would you get started?} +If you were to start with GSM protocol level security analysis, where and +how would you start? +\begin{itemize} +	\item On the handset side? 
+	\begin{itemize} +		\item Difficult since GSM firmware and protocol stacks are closed and proprietary +		\item Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too +		\item Known attempts +		\begin{itemize} +			\item The TSM30 project as part of the THC GSM project +			\item MADos, an alternative OS for Nokia DTC3 phones +		\end{itemize} +		\item none of those projects successful so far +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Security analysis of GSM}{How would you get started?} +If you were to start with GSM protocol level security analysis, where and +how would you start? +\begin{itemize} +	\item On the network side? +	\begin{itemize} +		\item Difficult since equipment is not easily available and normally extremely expensive +		\item However, network is very modular and has many standardized/documented interfaces +		\item Thus, if equipment is available, much easier/faster progress +		\item Also, using SDR (software defined radio) approach, special-purpose / closed hardware can be avoided +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Security analysis of GSM}{The bootstrapping process} +\begin{itemize} +	\item Read GSM specs day and night (> 1000 PDF documents) +	\item Gradually grow knowledge about the protocols +	\begin{itemize} +		\item OpenBSC: Obtain actual GSM network equipment (BTS) +		\item OpenBTS: Develop SDR based GSM Um Layer 1 +	\end{itemize} +	\item Try to get actual protocol traces as examples +	\item Start a complete protocol stack implementation from scratch +	\item Finally, go and play with GSM protocol security +\end{itemize} +\end{frame} + + diff --git a/2011/gsm-ensa2011/section-airprobe.tex b/2011/gsm-ensa2011/section-airprobe.tex new file mode 100644 index 0000000..526e317 --- /dev/null +++ b/2011/gsm-ensa2011/section-airprobe.tex 
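Review bot: two wording slips in part-security_research.tex: "Many operators outsources" should be "Many operators outsource", and "MADos, an alternative OS for Nokia DTC3 phones" has the platform name transposed, Nokia's platform is DCT3. The commented-out \part line and "Part 3" frame at the top of the file can be deleted rather than carried over, since the file is used as a plain \section here.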
@@ -0,0 +1,33 @@ +\subsection{airprobe} + +\begin{frame}{Open Source GSM Tools: Airprobe} +\begin{itemize} +	\item {\em airprobe} is a collection of Um protocol analyzer tools using the USRP software defined radio +	\item A number of different Um receiver implementations +	\begin{description}[gsm-receiver] +		\item[gssm] One of the two early Um receiver implementations (M\&M clock recovery) +		\item[gsmsp] The other early Um receiver implementation +		\item[gsm-tvoid] For a long time the Um receiver with best performance +		\item[gsm-receiver] The latest generation of Um receiver +	\end{description} +	\item Today, gsm-receiver seems to be the most popular choice +\end{itemize} +\end{frame} + +\begin{frame}{Open Source GSM Tools: Airprobe} +\begin{itemize} +	\item Some other airprobe tools +	\begin{description}[viterbi\_gen] +		\item[gsmdecode] A standalone text-mode Um L2 frame parser +		\item[wireshark] Dissector code for feeding Um frames into wireshark +		\item[gsmstack] An unfinished more modular implementation of a Rx-only L1 +		\item[viterbi\_gen] Generate C++ implementations of a viterbi decoder +	\end{description} +	\item Still under development, no user friendly solution +	\begin{itemize} +		\item gsmtap frame format needs to be added as clean wireshark interface +		\item receivers need automatic frequency scanning +		\item full solution needs proper UI +	\end{itemize} +\end{itemize} +\end{frame} diff --git a/2011/gsm-ensa2011/section-openbsc.tex b/2011/gsm-ensa2011/section-openbsc.tex new file mode 100644 index 0000000..3095cd9 --- /dev/null +++ b/2011/gsm-ensa2011/section-openbsc.tex 
@@ -0,0 +1,208 @@ +\section{OpenBSC} + +\subsection{OpenBSC Introduction} + +\begin{frame}{OpenBSC software} +OpenBSC is a Open Source implementation of (not only) the BSC features +of a GSM network. +\begin{itemize} +	\item Support A-bis interface over E1 and IP +	\item Support for BTS vendor/model is modular, currently Siemens BS-11 and ip.access nanoBTS +	\item Multiple BTS models/vendors can be mixed! +	\item Can work as a {\em pure BSC} or as a full {\em network in a box} +	\item Supports mobility management, authentication, intra-BSC hand-over, SMS, voice calls (FR/EFR/AMR) +	\item GPRS + EDGE support if combined with OsmoSGSN and OpenGGSN +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC} +\begin{itemize} +	\item Supports Siemens BS-11 BTS (E1) and ip.access nanoBTS (IP based) +	\item Has classic 2G signalling, voice and SMS support +	\item Implements various GSM protocols like +	\begin{itemize} +		\item A-bis RSL (TS 08.58) and OML (TS 12.21) +		\item TS 04.08 Radio Resource, Mobility Management, Call Control +		\item TS 04.11 Short Message Service +	\end{itemize} +	\item Telnet console with Cisco-style interface +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC software architecture} +\begin{itemize} +	\item Implemented in pure C, similarities to Linux kernel +	\begin{itemize} +		\item Linked List handling, Timer API, coding style +	\end{itemize} +	\item Single-threaded event-loop / state machine design +	\item Telnet based command line interface {\em Cisco-style} +	\item Input driver abstraction (mISDN, Abis-over-IP) +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC: GSM network protocols}{The A-bis interface} +  \begin{description}[Layer 4+] +    \item[Layer 1] Typically E1 line, TS 08.54 +    \item[Layer 2] A variant of ISDN LAPD with fixed TEI's, TS 08.56 +    \item[Layer 3] OML (Organization and Maintenance Layer, TS 12.21) +    \item[Layer 3] RSL (Radio Signalling Link, TS 08.58) +    \item[Layer 4+] transparent messages that are sent to the 
MS via Um +  \end{description} +\end{frame} + +\begin{frame}{OpenBSC: How it all started} +\begin{itemize} +	\item In 2006, I bought a Siemens BS-11 microBTS on eBay +	\begin{itemize} +		\item This is GSM900 BTS with 2 TRX at 2W output power (each) +		\item A 48kg monster with attached antenna +		\item 200W power consumption, passive cooling +		\item E1 physical interface +	\end{itemize} +	\item I didn't have much time at the time (day job at Openmoko) +	\item Started to read up on GSM specs whenever I could +	\item Bought a HFC-E1 based PCI E1 controller, has mISDN kernel support +	\item Found somebody in the GSM industry who provided protocol traces +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC: Timeline} +\begin{itemize} +	\item November 2008: I started the development of OpenBSC +	\item December 2008: we did a first demo at 25C3 +	\item January 2009: we had full voice call support +	\item Q1/2009: Add support for ip.access nanoBTS +	\item June 2009: I started with actual security related stuff +	\item August 2009: We had the first field test with 2BTS and > 860 phones +	\item Q1/2010: The first 25 OpenBSC instances running in a commercial network +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC: Field Test at HAR2009} +\begin{figure}[h] +\subfigure{\includegraphics[width=5cm]{bts_tree_full.jpg}} +\subfigure{\includegraphics[width=5cm]{openbsc_host.jpg}} +\end{figure} +\end{frame} + + +\subsection{OpenBSC Network In The Box} + +\begin{frame}{OpenBSC in NITB mode}{Network In a Box Mode} +The {\tt osmo-nitb} program +\begin{itemize} +	\item implements the A-bis interface towards any number of BTS +	\item provides most typical features of a GSM network in one software +	\item no need for MSC, AuC, HLR, VLR, EIR, ... 
+	\begin{itemize} +		\item HLR/VLR as SQLite3 table +		\item Authentication + Ciphering support +		\item GSM voice calls, MO/MT SMS +		\item Hand-over between all BTS +		\item Multiple Location Areas within one BSC +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC NITB features} +OpenBSC NITB features +\begin{itemize} +	\item Run a small GSM network with 1-n BTS and OpenBSC +	\item No need for MSC/HLR/AUC/... +	\item No need for your own SIM cards (unless crypto/auth rqd) +	\item Establish signalling and voice channels  +	\item Make incoming and outgoing voice calls between phones +	\item Send/receive SMS between phones +	\item Connect to ISDN PBX or public ISDN via Linux Call Router +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC in NITB mode}{Network In a Box Mode} +The {\tt osmo-nitb} program +\begin{itemize} +	\item does not implement any other GSM interfaces apart from A-bis +	\item no SS7 / TCAP / MAP based protocols +	\item no integration (roaming) with existing traditional GSM networks +	\item wired telephony interfacing with ISDN PBX {\tt lcr} (Linux Call Router) +	\item Has been tested with up to 800 subscribers on 5 BTS +	\item Intended for R\&D use or private PBX systems +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC LCR integration}{Interfacing with wired telephony} +OpenBSC (NITB mode) can be linked into Linux Call Router ({\tt lcr}) +\begin{itemize} +	\item OpenBSC is compiled as libbsc.a +	\item libbsc.a includes full OpenBSC NITB mod code +	\item linking the library into {\tt lcr} results in GSM {\em line interfaces} to become available inside {\tt lcr} +	\item OpenBSC no longer takes care of call control, but simply hands everything off to {\tt lcr} +	\item Dialling plan, etc. 
is now configure in {\tt lcr} like for any other wired phones +\end{itemize} +\end{frame} + +\subsection{OpenBSC BSC-only mode} + +\begin{frame}{OpenBSC in BSC-only mode} +The {\tt osmo-bsc} program +\begin{itemize} +	\item behaves like a classic GSM BSC +	\item uses SCCP-Lite (ip.access multipex) to any SoftMSC like ADC +	\item used in production/commercial deployments (~ 75 BSCs) +	\item mainly intended to replace proprietary BSC in traditional GSM networks +\end{itemize} +\end{frame} + +%\begin{frame}<handout:0>{OpenBSC} +%        Demonstration +%\end{frame} + +\subsection{OpenBSC GPRS support} + +\begin{frame}{GPRS and OpenBSC} +\begin{itemize} +	\item The BSC doesn't really do anything related to GPRS +	\item GPRS implemented in separate SGSN and GGSN nodes +	\item GPRS uses its own Gb interface to RAN, independent of A-bis +	\item OpenBSC can configure the nanoBTS for GPRS+EDGE support via OML +	\item Actual SGSN and GGSN implemented as OsmoSGSN and OpenGGSN programs +\end{itemize} +\end{frame} + +\begin{frame}{OsmoSGSN} +The Osmocom SGSN program implements +\begin{itemize} +	\item basic/minimal SGSN functionality +	\item the Gb interface (NS/BSSGP/LLC/SNDCP) +	\item mobility management, session management +\end{itemize} +It's a work in progress, many missing features +\begin{itemize} +	\item no HLR integration yet +	\item no paging coordination with MSC/BSC +	\item no encryption support yet +\end{itemize} +\end{frame} + +\begin{frame}{OpenGGSN} +\begin{itemize} +	\item GPL licensed Linux program implementing GGSN node +	\item Implements GTP-U protocol between SGSN and GGSN +	\item User-configurable range/pool of IPv4 addresses for MS +	\item Uses {\tt tun} device for terminating IP tunnel from MS +	\item provides GTP implementation as libgtp +	\item Experimental patches for IPv6 support +\end{itemize} +\end{frame} + +%\begin{frame}<handout:0>{OpenBSC + OpenGGSN + OsmoSGSN} +%        Demonstration +%\end{frame} + +\begin{frame}{OpenBSC and OsmoSGSN based 
network} +\begin{figure}[h] +\includegraphics[width=10cm]{osmosgsn.png} +\end{figure} +\end{frame} + +% FIXME: include slide showing full OpenBSC+OsmoSGSN+OpenGGSN network diff --git a/2011/gsm-ensa2011/section-openbts.tex b/2011/gsm-ensa2011/section-openbts.tex new file mode 100644 index 0000000..9c04222 --- /dev/null +++ b/2011/gsm-ensa2011/section-openbts.tex 
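Review bot: in the "OpenBSC in BSC-only mode" frame, "(~ 75 BSCs)" will not render as intended: a bare ~ in LaTeX text is a non-breaking space, so the slide shows " 75 BSCs"; use $\sim$75 or \textasciitilde. Typos in the same file: "a Open Source implementation" (an), "ip.access multipex" (multiplex), "is now configure in {\tt lcr}" (configured), and "full OpenBSC NITB mod code" looks like it should be "mode code". The frame {OpenBSC: GSM network protocols}{The A-bis interface} repeats, item for item, the A-bis frame already in gsm.tex, and "Telnet console with Cisco-style interface" appears on two consecutive frames; consider keeping each once. The trailing "FIXME: include slide showing full OpenBSC+OsmoSGSN+OpenGGSN network" looks satisfied by the osmosgsn.png frame directly above it, so either drop the comment or state what is still missing.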
@@ -0,0 +1,183 @@ +\section{OpenBTS, airprobe and wireshark} + +\subsection{OpenBTS Introduction} + +\begin{frame}{What is OpenBTS?} +\begin{itemize} +	\item is {\em NOT} a BTS in the typical GSM sense +	\item is better described as a GSM-Um to SIP gateway +	\item implements the GSM Um (air interface) as SDR +	\item uses the USRP hardware as RF interface +	\item does not implement any of BSC, MSC, HLR, etc. +	\item bridges the GSM Layer3 protocol onto SIP +	\item uses SIP switch (like Asterisk) for switching calls + SMS +	\item is developed as C++ program and runs on Linux + MacOS +\end{itemize} +\end{frame} + +\begin{frame}{What is OpenBTS?} +\begin{itemize} +	\item Open implementation of Um L1 \& L2, an all-software BTS. +	\item L1/L2 design based on an object-oriented dataflow approach. +	\item Includes L3 RR functions normally found in BSC. +	\item Uses SIP PBX for MM and CC functions, eliminating the conventional GSM network.  L3 is like an ISDN/SIP gateway. +	\item Intended for use in low-cost and rapidly-deployed communications networks, but can be used for experiments (including by Chris Paget at Def Con). +\end{itemize} +\end{frame} + +\begin{frame}{OpenBTS Hardware} +OpenBTS supports the following SDR hardware +\begin{itemize} +	\item Ettus USRP(1) with two RFX 900 or RFX 1800 daughter boards +	\begin{itemize} +		\item Modification for external clock input recommended +		\item External 52 MHz precision clock recommended +	\end{itemize} +	\item Kestrel Signal Processing / Range Networks custom radio +	\item Close Haul Communications / GAPfiller (work in progress) +	\item Ported to other radios by other clients +\end{itemize} +\end{frame} + + +\begin{frame}{OpenBTS History + Tests} +\begin{itemize} +	\item Started work in August 2007, first call in January 2008, first SMS in December 2008. +	\item First public release in September 2008, assigned to FSF in October 2008. 
+	\item Tested 3-sector system with 10,000-20,000 handsets at September 2009 Burning Man event in Nevada. +	\item Tested 2-sector system with 40,000 handsets at September 2010 Burning Man event in Nevada. +	\item Release 2.5 is about 13k lines of C++. +	\item Part of GNU Radio project, distributed under GPLv3 (>= 2.6: AGPLv3) +\end{itemize} +\end{frame} + +\begin{frame}{OpenBTS Software Architecture} +\begin{itemize} +	\item {\tt Transceiver} program +	\begin{itemize} +		\item SDR processing for Layer 0 +		\item BTS-side GSM Um Layer 1 implementation +		\item sends GSM burst data via UDP socket +	\end{itemize} +	\item {\tt OpenBTS} program +	\begin{itemize} +		\item GSM Um Layer 2 (04.06) + 3 (04.08) implementation +		\item SIP UA implementation +		\item GSM Layer 3 CC to SIP bridge implementation +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{OpenBTS GSM <-> SIP mapping} +\begin{itemize} +	\item Location Updates mapped to SIP registration +	\begin{itemize} +		\item Use IMSI as SIP user name +	\end{itemize} +	\item Call Control mapped to SIP transactions +	\begin{itemize} +		\item relatively straight-forward +	\end{itemize} +	\item GSM Traffic Channels mapped to RTP channels +	\begin{itemize} +		\item No transcoding inside OpenBTS, FR/EFR messages are simply relayed +	\end{itemize} +	\item SMS mapped to SIP messaging according to RFC 3428 +	\begin{itemize} +		\item A separate {\tt smqueue} daemon implements store+forward +	\end{itemize} +\end{itemize} +\end{frame} + +%\subsection{Clocking} + +\begin{frame}{OpenBTS USRP Clocking}{Clock Stability} +\begin{itemize} +	\item USRP has regular XO (Crystal Oscillator) with 20ppm accuracy +	\item GSM requires 20ppb carrier clock accuracy +	\item possible solutions +	\begin{itemize} +		\item use external VCTCXO clocking module  +		\item use external OCXO clocking module +		\item use a software calibration program comparing USRP XO with real GSM BTS carrier clocks +	\end{itemize} +	\item due to clock 
multiplication, absolute error in GSM1800 is higher than in GSM900 +\end{itemize} +\end{frame} + + +\begin{frame}{OpenBTS USRP Clocking}{64 MHz vs. 52 MHz clock} +\begin{itemize} +	\item The USRP master clock is 64 Mhz +	\item In GSM, all clocks are derived from 13 MHz +	\item Thus, a poly-phase re-sampler is part of SDR software +	\item Alternative: use 52 MHz (13 MHz * 4) external clock +	\item OpenBTS has two transceiver programs, one for each 64 MHz and 52 MHz +	\begin{itemize} +		\item Make sure to never use the wrong transceiver for your clock! +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{OpenBTS USRP Clocking}{Software Calibration} +Basic idea: Use real GSM cell as clock source +\begin{itemize} +	\item Implemented by the {\em Kalibrator} ({\tt kal}) program +	\item Acquire the FCCH burst of a real GSM cell +	\item Measure the clock difference between USRP XO and that cell +	\item Use the computed error as offset to USRP up/downconverter +	\item However, temperature and other drift will make clocks go out of sync over time +	\item Can only be used if a real-world GSM network is within range +\end{itemize} +\end{frame} + +%\begin{frame}[fragile]{OpenBTS USRP Clocking}{Kalibrator Example} +%\begin{block}{Example of running {\tt kal}} +%\begin{lstlisting} +%[openBTS@openBTS kal-0.2]# ./kal -f 946600000 -u +%USRP side: B +%FPGA clock: 52000000 +%Decimation: 192 +%Antenna: RX2 +%Sample rate: 270833.343750 +%average [min, max] (range, stddev) -2197.789062 [-2431, -1843] (588, 146.761444) +%\end{lstlisting} +%\end{block} +%The value {\bf -2198 should be used as FREQOFF constant in Transceiver/USRPDevice.cpp} +%\end{frame} + +\begin{frame}{OpenBTS -- ``Nevada Test Site'' \& 21m Mast} +\begin{figure}[h] +	\centering +	\includegraphics[width=85mm]{NevadaTestSite.jpg} +\end{figure} +\end{frame} + +\begin{frame}{Burning Man 2010 Tower Base} +\begin{figure}[h] +	\centering +	\includegraphics[width=85mm]{OBTSBM2010.jpg} +\end{figure} +\end{frame} + 
+%\begin{frame}<handout:0>{OpenBTS} +%        Demonstration +%\end{frame} + +\begin{frame}{OpenMS} +\begin{itemize} +	\item Subscriber side stack based on OpenBTS. +	\item Called MS, but just a BTS stack with data flows reversed and a different RR control logic. +	\item Behavior is more like a passive interceptor that can also transmit. +	\item Release 1.0 supports non-hopping multi-ARFCN networks. +	\item Most L3 control logic provided by the end user. +	\item A platform for +	\begin{itemize} +		\item passive interceptors +		\item custom subscriber-side applications +		\item environment analysis +		\item intelligent jamming +	\end{itemize} +	\item NOT Open Source +\end{itemize} +\end{frame} diff --git a/2011/gsm-ensa2011/section-osmocombb.tex b/2011/gsm-ensa2011/section-osmocombb.tex new file mode 100644 index 0000000..a8f4cd1 --- /dev/null +++ b/2011/gsm-ensa2011/section-osmocombb.tex 
@@ -0,0 +1,296 @@ +\section{OsmocomBB Project} + +\begin{frame}{A GSM phone baseband processor} +\begin{itemize} +	\item GSM protocol stack always runs in a so-called baseband processor (BP) +	\item What is the baseband processor +	\begin{itemize} +		\item Typically ARM7 (2G/2.5G phones) or ARM9 (3G/3.5G phones) +		\begin{itemize} +			\item Runs some RTOS (often Nucleus, sometimes L4) +			\item No memory protection between tasks +		\end{itemize} +		\item Some kind of DSP, model depends on vendor +		\begin{itemize} +			\item Runs the digital signal processing for the RF Layer 1 +			\item Has hardware peripherals for A5 encryption +		\end{itemize} +	\end{itemize} +	\item The software stack on the baseband processor +	\begin{itemize} +		\item is written in C and assembly +		\item lacks any modern security features (stack protection, non-executable pages, address space randomization, ..) +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{A GSM Baseband Chipset} +  \begin{figure}[h] +  \centering +  \includegraphics[width=100mm]{calypso-block.pdf} +  \end{figure} +  \url{http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf} +\end{frame} + +\begin{frame}{Requirements for GSM security analysis} +What do we need for protocol-level security analysis? +\begin{itemize} +	\item A GSM MS-side baseband chipset under our control +	\item A Layer1 that we can use to generate arbitrary L1 frames +	\item A Layer2 protocol implementation that we can use + modify +	\item A Layer3 protocol implementation that we can use + modify +\end{itemize} +None of those components existed, so we need to create them! 
+\end{frame} + +\begin{frame}{A GSM baseband under our control} +The two different DIY approaches +\begin{itemize} +	\item Build something using generic components (DSP, CPU, ADC, FPGA) +	\begin{itemize} +		\item No reverse engineering required +		\item A lot of work in hardware design + debugging +		\item Hardware will be low-quantity and thus expensive +	\end{itemize} +	\item Build something using existing baseband chipset +	\begin{itemize} +		\item Reverse engineering or leaked documents required +		\item Less work on the 'Layer 0' +		\item Still, custom hardware in low quantity +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{A GSM baseband under our control} +Alternative 'lazy' approach +\begin{itemize} +	\item Re-purpose existing mobile phone +	\begin{itemize} +		\item Hardware is known to be working +		\item No prototyping, hardware revisions, etc. +		\item Reverse engineering required +		\item Hardware drivers need to be written +		\item But: More time to focus on the actual job: Protocol software +	\end{itemize} +	\item Searching for suitable phones +	\begin{itemize} +		\item As cheap as possible +		\item Readily available: Many people can play with it +		\item As old/simple as possible to keep complexity low +		\item Baseband chipset with lots of leaked information +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Baseband chips with leaked information} +\begin{itemize} +	\item Texas Instruments Calypso +	\begin{itemize} +		\item DBB Documentation on cryptome.org and other sites +		\item ABB Documentation on Chinese phone developer websites +		\item Source code of GSM stack / drivers was on sf.net (tsm30 project) +		\item End of life, no new phones with Calypso since about 2008 +		\item No cryptographic checks in bootloader +	\end{itemize} +	\item Mediatek MT622x chipsets +	\begin{itemize} +		\item Lots of Documentation on Chinese sites +		\item SDK with binary-only GSM stack libraries on Chinese sites +		\item 95 million 
produced/sold in Q1/2010 +	\end{itemize} +\end{itemize} +Initial choice: TI Calypso (GSM stack source available) +\end{frame} + + +\subsection{OsmocomBB Introduction} + +\begin{frame}{OsmocomBB Introduction} +\begin{itemize} +	\item Project was started only in January 2010 (9 months ago!) +	\item Implementing a GSM baseband software from scratch +	\item This includes +	\begin{itemize} +		\item GSM MS-side protocol stack from Layer 1 through Layer 3 +		\item Hardware drivers for GSM Baseband chipset +		\item Simple User Interface on the phone itself +		\item Verbose User Interface on the PC +	\end{itemize} +	\item Note about the strange project name +	\begin{itemize} +		\item Osmocom = Open Source MObile COMmunication +		\item BB = Base Band +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomBB Software Architecture} +\begin{itemize} +	\item Reuse code from OpenBSC where possible (libosmocore) +	\begin{itemize} +		\item We build libosmocore both for phone firmware and PC +	\end{itemize} +	\item Initially run as little software in the phone +	\begin{itemize} +		\item Debugging code on your host PC is so much easier +		\item You have much more screen real-estate +		\item Hardware drivers and Layer1 run in the phone +		\item Layer2, 3 and actual phone application / MMI on PC +		\item Later, L2 and L3 can me moved to the phone +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomBB Software Interfaces} +\begin{itemize} +	\item Interface between Layer1 and Layer2 called L1CTL +	\begin{itemize} +		\item Fully custom protocol as there is no standard +		\item Implemented as message based protocol over Sercomm/HDLC/RS232 +	\end{itemize} +	\item Interface between Layer2 and Layer3 called RSLms +	\begin{itemize} +		\item In the GSM network, Um Layer2 terminates at the BTS but is controlled  by the BSC +		\item Reuse this GSM 08.58 Radio Signalling Link +		\item Extend it where needed for the MS case +	\end{itemize} +\end{itemize} +\end{frame} + 
+\subsection{OsmocomBB Software} + +\begin{frame}{OsmocomBB Target Firmware} +\begin{itemize} +	\item Firmware includes software like +	\begin{itemize} +		\item Drivers for the Ti Calypso Digital Baseband (DBB) +		\item Drivers for the Ti Iota TWL3025 Analog Baseband (ABB) +		\item Drivers for the Ti Rita TRF6151 RF Transceiver +		\item Drivers for the LCD/LCM of a number of phones +		\item CFI flash driver for NOR flash +		\item GSM Layer1 synchronous/asynchronous part +		\item Sercomm - A HDLC based multiplexer for the RS232 to host PC +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomBB Host Software} +\begin{itemize} +	\item Current working name: layer23 +	\item Includes +	\begin{itemize} +		\item Layer 1 Control (L1CTL) protocol API +		\item GSM Layer2 implementation (LAPDm) +		\item GSM Layer3 implementation (RR/MM/CC) +		\item GSM Cell (re)selection +		\item SIM Card emulation +		\item Supports various 'apps' depending on purpose +	\end{itemize} +\end{itemize} +\end{frame} + +\subsection{OsmocomBB Hardware Support} + +\begin{frame}{OsmocomBB Supported Hardware} +\begin{itemize} +	\item Baseband Chipsets +	\begin{itemize} +		\item TI Calypso/Iota/Rita +		\item Some early research being done on Mediatek (MTK) MT622x +	\end{itemize} +	\item Actual Phones +	\begin{itemize} +		\item Compal/Motorola C11x, C12x, C13x, C14x and C15x models +		\item Most development/testing on C123 and C155 +		\item GSM modem part of Openmoko Neo1973 and Freerunner +	\end{itemize} +	\item All those phones are simple feature phones built on a ARM7TDMI based DBB +\end{itemize} +\end{frame} + +\begin{frame}{The Motorola/Compal C123} + \begin{figure}[h] +  \centering +  \includegraphics[width=100mm]{c123_pcb.jpg} +  \end{figure} +\end{frame} + + +\subsection{OsmocomBB Project Status} + +\begin{frame}{OsmocomBB Project Status: Working} +\begin{itemize} +	\item Hardware Drivers for Calypso/Iota/Rita very complete +	\item Drivers for Audio/Voice signal path +	\item Layer1  
+	\begin{itemize} +		\item Power measurements  +		\item Carrier/bit/TDMA synchronization +		\item Receive and transmit of normal bursts on SDCCH +		\item Transmit of RACH bursts +		\item Automatic Rx gain control (AGC) +		\item Frequency Hopping +	\end{itemize} +	\item Layer2 UI/SABM/UA frames and ABM mode +	\item Layer3 Messages for RR / MM / CC +	\item Cell (re)selection according GSM 03.22 +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomBB Project Status: Working (2/2)} +OsmocomBB can now do GSM Voice calls (since 08/2010) +\begin{itemize} +	\item Very Early Assignment + Late Assignment +	\item A3/A8 Authentication of SIM +	\item A5/1 + A5/2 Encryption +	\item Full Rate (FR) and Enhanced Full Rate (EFR) codec +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomBB Project Status: Not working} +\begin{itemize} +	\item Layer1  +	\begin{itemize} +		\item Automatic Tx power control (APC) +		\item Neighbor Cell Measurements (WIP) +		\item In-call hand-over to other cells (WIP) +	\end{itemize} +	\item Actual UI on the phone +	\item Circuit Switched Data (CSD) calls +	\item GPRS (packet data) +	\item No Type Approval for the stack! +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomBB Project Status: Executive Summary} +\begin{itemize} +	\item We can establish control/signalling channels to both hopping and non-hopping GSM cells +	\begin{itemize} +		\item Control over synthesizer means we can even go to GSM-R band +	\end{itemize} +	\item We can send arbitrary data on those control channels +	\begin{itemize} +		\item RR messages to BSC +		\item MM/CC messages to MSC +		\item SMS messages to MSC/SMSC +	\end{itemize} +	\item TCH (Traffic Channel) support for voice calls +	\begin{itemize} +		\item Has been used on real networks for 30+ minute calls! 
+	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomBB use cases} +OsmocomBB can be used today for +\begin{itemize} +	\item practical lab exercises in education on any level of GSM, +from the radio modem through the protocol stack +	\item applied research in GSM protocols and GSM security +	\item penetration testing of GSM operator equipment +	\item measurement and exploration of real operator networks +\end{itemize} +With (your?) help, we can turn it into an actual mobile phone for +regular users, i.e. bringing the freedom of Free Software into one of +the most closed areas of computing. +\end{frame} diff --git a/2011/gsm-ensa2011/section-wireshark.tex b/2011/gsm-ensa2011/section-wireshark.tex new file mode 100644 index 0000000..a3ee9c6 --- /dev/null +++ b/2011/gsm-ensa2011/section-wireshark.tex 
@@ -0,0 +1,35 @@ +\subsection{wireshark Protocol Analyzer} + +\begin{frame}{The wireshark protocol analyzer} +\begin{itemize} +	\item Software protocol analyzer for plethora of protocols +	\item Portable, works on most flavors of Unix and Windows +	\item Decode, display, search and filter packets with configurable level of detail +	\item Over 1000 protocol decoders +	\item Over 86000 display filters +	\item Live capturing from many different network media +	\item Import files from other capture programs +	\item Used to be called ethereal, but is now called wireshark +\item \url{http://www.wireshark.org/} +\item \url{http://www.wireshark.org/download/docs/user-guide-a4.pdf} +\end{itemize} +\end{frame} + +\begin{frame}{The wireshark protocol analyzer} +GSM protocol dissectors in wireshark +\begin{itemize} +	\item TCP/IP (transport layer for Abis/IP) +	\item E1 Layer 2 (LAPD) +	\item GSM Um Layer 2 (LAPDm) +	\item GSM Layer 3 (RR, MM, CC) +        \item A-bis Layer 3 (RSL) +	\begin{itemize} +		\item A-bis OML for Siemens and ip.access in OpenBSC git +	\end{itemize} +	\item GSMTAP pseudo-header (airprobe, OpenBTS, OsmocomBB) +\end{itemize} +\end{frame} + +%\begin{frame}<handout:0>{The wireshark protocol analyzer} +%        Demonstration +%\end{frame} | 
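Review bot: the tail of the OpenBSC section commits an unresolved `% FIXME: include slide showing full OpenBSC+OsmoSGSN+OpenGGSN network` right after the frame that includes `osmosgsn.png`; either add the network-diagram frame the comment asks for or drop the FIXME, so the handout does not ship with a dangling TODO in the source.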
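Review bot: in section-openbts.tex the commented-out Kalibrator frame tells the reader that `-2198 should be used as FREQOFF constant in Transceiver/USRPDevice.cpp`, while the "Software Calibration" frame just before it states that temperature and other drift make the clocks go out of sync over time; if that frame is ever re-enabled, say that the measured offset is specific to one USRP and one measurement session and belongs in a runtime configuration value rather than a compile-time constant. Two smaller points in the same file: "The USRP master clock is 64 Mhz" should read "64 MHz" to match "52 MHz" elsewhere, and "relatively straight-forward" should be "straightforward".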
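Review bot: in section-osmocombb.tex the item `Project was started only in January 2010 (9 months ago!)` uses a relative date that is already wrong for slides filed under 2011; state the date absolutely and drop the "9 months ago". Also fix `Later, L2 and L3 can me moved to the phone` (should be "can be moved"), `Cell (re)selection according GSM 03.22` (should be "according to"), the inconsistent vendor spelling "Ti Calypso" / "Ti Iota" / "Ti Rita" versus "TI Calypso/Iota/Rita" a few frames later, the two-dot ellipsis in "address space randomization, ..)" (use `\ldots`), and the frame title "OsmocomBB Project Status: Working", which should carry "(1/2)" to match the following "Working (2/2)".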
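Review bot: in section-wireshark.tex the item `\item A-bis Layer 3 (RSL)` is indented with spaces while every other item in the list uses a tab, and the two `\item \url{...}` lines in the first frame are not indented at all; align them with the rest of the list. In the first item, "for plethora of protocols" should read "for a plethora of protocols".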
