authorHarald Welte <laforge@gnumonks.org>2015-10-25 21:00:20 +0100
committerHarald Welte <laforge@gnumonks.org>2015-10-25 21:00:20 +0100
commitfca59bea770346cf1c1f9b0e00cb48a61b44a8f3 (patch)
treea2011270df48d3501892ac1a56015c8be57e8a7d /2014
import of old now defunct presentation slides svn repo
Diffstat (limited to '2014')
-rw-r--r--2014/openbsc-dorscluc2014/NevadaTestSite.jpgbin0 -> 2022846 bytes
-rw-r--r--2014/openbsc-dorscluc2014/OBTSBM2010.jpgbin0 -> 772751 bytes
-rw-r--r--2014/openbsc-dorscluc2014/abstract.txt26
-rw-r--r--2014/openbsc-dorscluc2014/bts_tree_full.jpgbin0 -> 1512137 bytes
-rw-r--r--2014/openbsc-dorscluc2014/c123_pcb.jpgbin0 -> 684904 bytes
-rw-r--r--2014/openbsc-dorscluc2014/calypso-block.pdfbin0 -> 14118 bytes
-rw-r--r--2014/openbsc-dorscluc2014/gsm.pdfbin0 -> 2540485 bytes
-rw-r--r--2014/openbsc-dorscluc2014/gsm.snm0
-rw-r--r--2014/openbsc-dorscluc2014/gsm.tex305
-rw-r--r--2014/openbsc-dorscluc2014/gsm.vrb13
-rw-r--r--2014/openbsc-dorscluc2014/gsm_network.pngbin0 -> 57000 bytes
-rw-r--r--2014/openbsc-dorscluc2014/openbsc-bsc.pngbin0 -> 59587 bytes
-rw-r--r--2014/openbsc-dorscluc2014/openbsc-nitb-lcr.pngbin0 -> 59447 bytes
-rw-r--r--2014/openbsc-dorscluc2014/openbsc-nitb.pngbin0 -> 42394 bytes
-rw-r--r--2014/openbsc-dorscluc2014/openbsc_host.jpgbin0 -> 706662 bytes
-rw-r--r--2014/openbsc-dorscluc2014/osmosgsn.pngbin0 -> 26623 bytes
-rw-r--r--2014/openbsc-dorscluc2014/part-security_research.tex141
-rw-r--r--2014/openbsc-dorscluc2014/section-airprobe.tex33
-rw-r--r--2014/openbsc-dorscluc2014/section-openbsc.tex230
-rw-r--r--2014/openbsc-dorscluc2014/section-openbts.tex183
-rw-r--r--2014/openbsc-dorscluc2014/section-osmocombb.tex296
-rw-r--r--2014/openbsc-dorscluc2014/section-wireshark.tex35
-rw-r--r--2014/osmocom-dorscluc2014/bts_tree_full.jpgbin0 -> 1512137 bytes
-rw-r--r--2014/osmocom-dorscluc2014/c123_pcb.jpgbin0 -> 684904 bytes
-rw-r--r--2014/osmocom-dorscluc2014/ezcap_top.jpgbin0 -> 181997 bytes
-rw-r--r--2014/osmocom-dorscluc2014/osmo-e1-xcvr.jpgbin0 -> 157754 bytes
-rw-r--r--2014/osmocom-dorscluc2014/osmocom-overview.pdfbin0 -> 2884916 bytes
-rw-r--r--2014/osmocom-dorscluc2014/osmocom-overview.snm0
-rw-r--r--2014/osmocom-dorscluc2014/osmocom-overview.tex575
-rw-r--r--2014/osmocom-dorscluc2014/osmosdr.jpgbin0 -> 177383 bytes
-rw-r--r--2014/osmocom-dorscluc2014/simtrace_and_phone.jpgbin0 -> 73335 bytes
-rw-r--r--2014/rtlsdr-openfest2014/dab.jpgbin0 -> 226987 bytes
-rw-r--r--2014/rtlsdr-openfest2014/ezcap_top.jpgbin0 -> 181997 bytes
-rw-r--r--2014/rtlsdr-openfest2014/fcdp.jpgbin0 -> 44766 bytes
-rw-r--r--2014/rtlsdr-openfest2014/fcdp_pcb.jpgbin0 -> 210808 bytes
-rw-r--r--2014/rtlsdr-openfest2014/glonass-sps2.8e6.pngbin0 -> 21339 bytes
-rw-r--r--2014/rtlsdr-openfest2014/gps-sps2048e3.pngbin0 -> 8198 bytes
-rw-r--r--2014/rtlsdr-openfest2014/gr-dab-constellation.pngbin0 -> 54986 bytes
-rw-r--r--2014/rtlsdr-openfest2014/grc_wbfm.pngbin0 -> 59693 bytes
-rw-r--r--2014/rtlsdr-openfest2014/hama_nano1.jpgbin0 -> 459455 bytes
-rw-r--r--2014/rtlsdr-openfest2014/inmarsat.pngbin0 -> 326231 bytes
-rw-r--r--2014/rtlsdr-openfest2014/noxon_top.jpgbin0 -> 405918 bytes
-rw-r--r--2014/rtlsdr-openfest2014/osmosdr.jpgbin0 -> 177383 bytes
-rw-r--r--2014/rtlsdr-openfest2014/rtl-sdr-gmr.pngbin0 -> 43397 bytes
-rw-r--r--2014/rtlsdr-openfest2014/rtl-sdr.pdfbin0 -> 1862465 bytes
-rw-r--r--2014/rtlsdr-openfest2014/rtl-sdr.snm0
-rw-r--r--2014/rtlsdr-openfest2014/rtl-sdr.tex561
-rw-r--r--2014/rtlsdr-openfest2014/ssb_rcv_grc.pngbin0 -> 203562 bytes
-rw-r--r--2014/rtlsdr-openfest2014/tetra.pngbin0 -> 15777 bytes
-rw-r--r--2014/rtlsdr-openfest2014/usrp-block-diagram.pngbin0 -> 35730 bytes
-rw-r--r--2014/rtlsdr-openfest2014/usrp_board_photo.jpgbin0 -> 114387 bytes
-rw-r--r--2014/simtrace-openfest2014/bladox-turbosim.jpgbin0 -> 8304 bytes
-rw-r--r--2014/simtrace-openfest2014/isim-dir-struct.pngbin0 -> 29015 bytes
-rw-r--r--2014/simtrace-openfest2014/part-sim.tex410
-rw-r--r--2014/simtrace-openfest2014/rebelsim2.jpgbin0 -> 35929 bytes
-rw-r--r--2014/simtrace-openfest2014/section-simtrace.tex75
-rw-r--r--2014/simtrace-openfest2014/sim-mf-df_gsm.pngbin0 -> 53017 bytes
-rw-r--r--2014/simtrace-openfest2014/simtrace-schema.pngbin0 -> 21129 bytes
-rw-r--r--2014/simtrace-openfest2014/simtrace.pdfbin0 -> 337816 bytes
-rw-r--r--2014/simtrace-openfest2014/simtrace.snm0
-rw-r--r--2014/simtrace-openfest2014/simtrace.tex158
-rw-r--r--2014/simtrace-openfest2014/simtrace_and_phone.jpgbin0 -> 71804 bytes
-rw-r--r--2014/simtrace-openfest2014/usim-dir-structure.pngbin0 -> 59117 bytes
-rw-r--r--2014/simtrace-openfest2014/wireshark-sim.pngbin0 -> 69995 bytes
64 files changed, 3041 insertions, 0 deletions
diff --git a/2014/openbsc-dorscluc2014/NevadaTestSite.jpg b/2014/openbsc-dorscluc2014/NevadaTestSite.jpg
new file mode 100644
index 0000000..aa3a627
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/NevadaTestSite.jpg
Binary files differ
diff --git a/2014/openbsc-dorscluc2014/OBTSBM2010.jpg b/2014/openbsc-dorscluc2014/OBTSBM2010.jpg
new file mode 100644
index 0000000..7759978
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/OBTSBM2010.jpg
Binary files differ
diff --git a/2014/openbsc-dorscluc2014/abstract.txt b/2014/openbsc-dorscluc2014/abstract.txt
new file mode 100644
index 0000000..2a3542c
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/abstract.txt
@@ -0,0 +1,26 @@
+Free Software for GSM networks
+
+During its 25 year history, Free Software has ventured in many areas of
+computing, such as TCP/IP networks, Internet servers, personal computers,
+laptops, desktop computers, embedded devices, and so on.
+
+However, there are other areas of computing that - until very recently - have
+not yet seen any Free Software. One prime example is cellular telephony
+networks. More than 3 billion subscribers use GSM cellular phones around the
+world. All components in the public GSM networks are proprietary
+both on the network side and on the telephon side.
+
+The cellular networks consist of components like base stations, telephone
+switches, all running proprietary software.
+
+The cellular phones - even those running Free Software based operating systems
+liek Android - have a separate computer called "baseband processor" that
+interacts with the GSM network and runs proprietary software.
+
+Since 2009, projects like OpenBTS, OpenBSC and OsmocomBB have been created to
+change this. They all implement components of a GSM network as Free Software.
+
+Harald Welte is the founder of OpenBSC and OsmocomBB. He will discuss the
+proprietary nature of the GSM world, the progress of Free Software in GSM
+and how the GSM related Free Software projects can be used in research
+and production.
diff --git a/2014/openbsc-dorscluc2014/bts_tree_full.jpg b/2014/openbsc-dorscluc2014/bts_tree_full.jpg
new file mode 100644
index 0000000..6b5c5e8
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/bts_tree_full.jpg
Binary files differ
diff --git a/2014/openbsc-dorscluc2014/c123_pcb.jpg b/2014/openbsc-dorscluc2014/c123_pcb.jpg
new file mode 100644
index 0000000..a9f24fc
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/c123_pcb.jpg
Binary files differ
diff --git a/2014/openbsc-dorscluc2014/calypso-block.pdf b/2014/openbsc-dorscluc2014/calypso-block.pdf
new file mode 100644
index 0000000..27f8be8
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/calypso-block.pdf
Binary files differ
diff --git a/2014/openbsc-dorscluc2014/gsm.pdf b/2014/openbsc-dorscluc2014/gsm.pdf
new file mode 100644
index 0000000..6709b16
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/gsm.pdf
Binary files differ
diff --git a/2014/openbsc-dorscluc2014/gsm.snm b/2014/openbsc-dorscluc2014/gsm.snm
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/gsm.snm
diff --git a/2014/openbsc-dorscluc2014/gsm.tex b/2014/openbsc-dorscluc2014/gsm.tex
new file mode 100644
index 0000000..9b0207f
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/gsm.tex
@@ -0,0 +1,305 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+ \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode<presentation>
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+\usepackage{subfigure}
+\usepackage{hyperref}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{Free Software for GSM cellular telephony}
+
+\subtitle
+{OpenBSC, OsmoBTS, OsmoSGSN, OpenGGSN}
+
+\author{Harald Welte}
+
+\institute
+{gnumonks.org\\osmocom.org\\sysmocom.de}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[DORS/CLUC 2014] % (optional, should be abbreviation of conference name)
+{DORS/CLUC, June 2014, Zagreb}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{GSM Security}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}<beamer>{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents[hideallsubsections]
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+ \item Using + playing with GNU/Linux since 1994
+ \item Kernel / bootloader / driver / firmware development since 1999
+ \item IT security expert, focus on network protocol security
+ \item Core developer of Linux packet filter netfilter/iptables
+ \item Trained as Electrical Engineer
+ \item Always looking for interesting protocols (RFID, DECT, GSM)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Success of Free Software}{depending on area of computing}
+\begin{itemize}
+ \item Free Software has proven to be successful in many areas of
+computing
+ \begin{itemize}
+ \item Operating Systems (GNU/Linux)
+ \item Internet Servers (Apache, Sendmail, Exim, Cyrus,
+...)
+ \item Desktop Computers (gnome, KDE, Firefox, LibreOffice, ...)
+ \item Mobile Devices
+ \item Embedded network devices (Router, Firewall, NAT, WiFi-AP)
+ \end{itemize}
+ \item There are more areas to computing that people tend to
+forget. Examples in the communications area:
+ \begin{itemize}
+ \item Cellular telephony networks (GSM, 3G, LTE)
+ \item Professional Mobile Radio (TETRA, TETRAPOL)
+ \item Cordless telephones (DECT)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\include{part-security_research}
+
+\begin{frame}{Security analysis of GSM}{The bootstrapping process}
+\begin{itemize}
+ \item Start to read GSM specs (> 1000 PDF documents!)
+ \item Gradually grow knowledge about the protocols
+ \item Obtain actual GSM network equipment (BTS)
+ \item Try to get actual protocol traces as examples
+ \item Start a complete protocol stack implementation from scratch
+ \item Finally, go and play with GSM protocol security
+\end{itemize}
+\end{frame}
+
+\subsection{The GSM network}
+
+\begin{frame}{The GSM network}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=100mm]{gsm_network.png}
+ \end{figure}
+\end{frame}
+
+\begin{frame}{GSM network components}
+ \begin{itemize}
+ \item The BSS (Base Station Subsystem)
+ \begin{itemize}
+ \item MS (Mobile Station): Your phone
+ \item BTS (Base Transceiver Station): The {\em cell tower}
+ \item BSC (Base Station Controller): Controlling up to hundreds of BTS
+ \end{itemize}
+ \item The NSS (Network Sub System)
+ \begin{itemize}
+ \item MSC (Mobile Switching Center): The central switch
+ \item HLR (Home Location Register): Database of subscribers
+ \item AUC (Authentication Center): Database of authentication keys
+ \item VLR (Visitor Location Register): For roaming users
+ \item EIR (Equipment Identity Register): To block stolen phones
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}{GSM network interfaces}
+ \begin{itemize}
+ \item Um: Interface between MS and BTS
+ \begin{itemize}
+ \item the only interface that is specified over radio
+ \end{itemize}
+ \item A-bis: Interface between BTS and BSC
+ \item A: Interface between BSC and MSC
+ \item B: Interface between MSC and other MSC
+ \end{itemize}
+ GSM networks are a prime example of an asymmetric distributed network,
+ very different from the end-to-end transparent IP network.
+\end{frame}
+
+
+\subsection{The GSM protocols}
+
+\begin{frame}{GSM network protocols}{On the Um interface}
+ \begin{itemize}
+ \item Layer 1: Radio Layer, TS 04.04
+ \item Layer 2: LAPDm, TS 04.06
+ \item Layer 3: Radio Resource, Mobility Management, Call Control: TS 04.08
+ \item Layer 4+: for USSD, SMS, LCS, ...
+ \end{itemize}
+\end{frame}
+
+\begin{frame}{GSM network protocols}{On the A-bis interface}
+ \begin{itemize}
+ \item Layer 1: Typically E1 line, TS 08.54
+ \item Layer 2: A variant of ISDN LAPD with fixed TEI's, TS 08.56
+ \item Layer 3: OML (Organization and Maintenance Layer, TS 12.21)
+ \item Layer 3: RSL (Radio Signalling Link, TS 08.58)
+ \item Layer 4+: transparent messages that are sent to the MS via Um
+ \end{itemize}
+\end{frame}
+
+\include{section-openbsc}
+
+% \include{section-osmocombb}
+
+% \include{section-openbts}
+% \include{section-airprobe}
+% \include{section-wireshark}
+
+%\section{Summary}
+%\subsection{What we've learned}
+
+\begin{frame}{Summary}{What we've learned}
+\begin{itemize}
+ \item The GSM industry is making security analysis very difficult
+ \item It is well-known that the security level of the GSM stacks is very low
+ \item We now have multiple solutions for sending arbitrary protocol data
+ \begin{itemize}
+ \item From a rogue network to phones (OpenBSC, OpenBTS)
+ \item From a FOSS controlled phone to the network (OsmocomBB)
+ \item From an A-bis proxy to the network or the phones
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% \subsection{Where we go from here}
+
+\begin{frame}{TODO}{Where we go from here}
+\begin{itemize}
+ \item The tools for fuzzing mobile phone protocol stacks are available
+ \item It is up to the security community to make use of those tools (!)
+ \item Don't you too think that TCP/IP security is boring?
+ \item Join the GSM protocol security research projects
+ \item Boldly go where no (free) man has gone before
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Current Areas of Work / Future plans}
+\begin{itemize}
+ \item UMTS(3G) support for NodeB and femtocells
+ \item SS7 / MAP integration (Erlang and C)
+ \item Playing with SIM Toolkit from the operator side
+ \item Playing with MMS
+ \item More exploration of RRLP + SUPL
+\end{itemize}
+\end{frame}
+
+%\subsection{Further Reading}
+
+\begin{frame}{Further Reading}
+\begin{itemize}
+ \item \url{http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf}
+ \item \url{http://bb.osmocom.org/}
+ \item \url{http://openbsc.osmocom.org/}
+ \item \url{http://openbts.sourceforge.net/}
+ \item \url{http://airprobe.org/}
+\end{itemize}
+\end{frame}
+
+\end{document}
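Review bot: The frame titled "Security analysis of GSM" / "The bootstrapping process" that sits right after `\include{part-security_research}` repeats, almost word for word, the last frame of part-security_research.tex, so the compiled deck shows two bootstrapping slides back to back; keep the one in the part file (it has the OpenBSC/OpenBTS sub-bullets) and delete the copy here. The beamer sub-files are pulled in with `\include`, which forces a page break and writes a per-file .aux; `\input{part-security_research}` and `\input{section-openbsc}` is the usual form for slide fragments. The commit also adds the generated artifacts gsm.snm, gsm.vrb and gsm.pdf next to the source; gsm.vrb holds an "OpenBTS USRP Clocking" frame that the current source no longer includes (the openbts section is commented out), so these are stale build outputs that the next compile overwrites and would be better ignored than tracked. Minor: `\subject{GSM Security}` no longer matches the title of this deck, and `\usepackage{subfigure}` is deprecated in favour of `subcaption`.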
diff --git a/2014/openbsc-dorscluc2014/gsm.vrb b/2014/openbsc-dorscluc2014/gsm.vrb
new file mode 100644
index 0000000..d917a88
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/gsm.vrb
@@ -0,0 +1,13 @@
+\frametitle {OpenBTS USRP Clocking}\framesubtitle {Kalibrator Example}
+\begin{block}{Example of running {\tt kal}}
+\begin{lstlisting}
+[openBTS@openBTS kal-0.2]# ./kal -f 946600000 -u
+USRP side: B
+FPGA clock: 52000000
+Decimation: 192
+Antenna: RX2
+Sample rate: 270833.343750
+average [min, max] (range, stddev) -2197.789062 [-2431, -1843] (588, 146.761444)
+\end{lstlisting}
+\end{block}
+The value {\bf -2198 should be used as FREQOFF constant in Transceiver/USRPDevice.cpp}
diff --git a/2014/openbsc-dorscluc2014/gsm_network.png b/2014/openbsc-dorscluc2014/gsm_network.png
new file mode 100644
index 0000000..c5f6399
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/gsm_network.png
Binary files differ
diff --git a/2014/openbsc-dorscluc2014/openbsc-bsc.png b/2014/openbsc-dorscluc2014/openbsc-bsc.png
new file mode 100644
index 0000000..f146361
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/openbsc-bsc.png
Binary files differ
diff --git a/2014/openbsc-dorscluc2014/openbsc-nitb-lcr.png b/2014/openbsc-dorscluc2014/openbsc-nitb-lcr.png
new file mode 100644
index 0000000..ffd4eed
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/openbsc-nitb-lcr.png
Binary files differ
diff --git a/2014/openbsc-dorscluc2014/openbsc-nitb.png b/2014/openbsc-dorscluc2014/openbsc-nitb.png
new file mode 100644
index 0000000..d79be10
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/openbsc-nitb.png
Binary files differ
diff --git a/2014/openbsc-dorscluc2014/openbsc_host.jpg b/2014/openbsc-dorscluc2014/openbsc_host.jpg
new file mode 100644
index 0000000..10c575d
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/openbsc_host.jpg
Binary files differ
diff --git a/2014/openbsc-dorscluc2014/osmosgsn.png b/2014/openbsc-dorscluc2014/osmosgsn.png
new file mode 100644
index 0000000..f1dbc85
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/osmosgsn.png
Binary files differ
diff --git a/2014/openbsc-dorscluc2014/part-security_research.tex b/2014/openbsc-dorscluc2014/part-security_research.tex
new file mode 100644
index 0000000..676a4f5
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/part-security_research.tex
@@ -0,0 +1,141 @@
+%\part{Security Research}
+\section{Researching GSM/3G security}
+%\begin{frame}{Part 3 -- Researching GSM/3G security}
+%\tableofcontents
+% You might wish to add the option [pausesections]
+%\end{frame}
+
+%\subsection{An interesting observation}
+
+\begin{frame}{Free specs / Free implementations}
+\begin{itemize}
+ \item Observation
+ \begin{itemize}
+ \item Both GSM/3G and TCP/IP protocol specs are publicly available
+ \item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny
+ \item GSM networks are as widely deployed as the Internet
+ \item Yet, GSM/3G protocols receive no such scrutiny!
+ \end{itemize}
+ \item There are reasons for that:
+ \begin{itemize}
+ \item GSM industry is extremely closed (and closed-minded)
+ \item Only about 4 proprietary protocol stack implementations
+ \item GSM chip set makers never release any hardware documentation
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{The closed GSM industry}
+
+\begin{frame}{The closed GSM industry}{Handset manufacturing side}
+\begin{itemize}
+ \item Only very few companies build GSM/3.5G baseband chips today
+ \begin{itemize}
+ \item Those companies buy the operating system kernel and the protocol stack from third parties
+ \end{itemize}
+ \item Only very few handset makers are large enough to become a customer
+ \begin{itemize}
+ \item Even they only get limited access to hardware documentation
+ \item Even they never really get access to the firmware source
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+%\subsection{The closed GSM industry -- Network side}
+
+\begin{frame}{The closed GSM industry}{Network manufacturing side}
+\begin{itemize}
+ \item Only very few companies build GSM network equipment
+ \begin{itemize}
+ \item Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei
+ \item Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment
+ \end{itemize}
+ \item Only operators buy equipment from them
+ \item Since the quantities are low, the prices are extremely high
+ \begin{itemize}
+ \item e.g. for a BTS, easily 10-40k EUR
+ \item minimal network using standard components definitely in the 100,000s of EUR range
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The closed GSM industry}{Operator side}
+From my experience with Operators (prove me wrong!)
+\begin{itemize}
+ \item Operators are mainly finance + marketing today
+ \item Many operators outsources
+ \begin{itemize}
+ \item Network servicing / deployment, even planning
+ \item Other aspects of business like Billing
+ \end{itemize}
+ \item Operator just knows the closed equipment as shipped by manufacturer
+ \item Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance
+\end{itemize}
+\end{frame}
+
+\subsection{Security implications}
+
+\begin{frame}{The closed GSM industry}{Security implications}
+The security implications of the closed GSM industry are:
+\begin{itemize}
+ \item Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers
+ \item No independent research on protocol-level security
+ \begin{itemize}
+ \item If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis)
+ \item Or on application level (e.g. mobile malware)
+ \end{itemize}
+ \item No free software protocol implementations
+ \begin{itemize}
+ \item which are key for making more people learn about the protocols
+ \item which enable quick prototyping/testing by modifying existing code
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Security analysis of GSM}{How would you get started?}
+If you were to start with GSM protocol level security analysis, where and
+how would you start?
+\begin{itemize}
+ \item On the handset side?
+ \begin{itemize}
+ \item Difficult since GSM firmware and protocol stacks are closed and proprietary
+ \item Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too
+ \item Known attempts
+ \begin{itemize}
+ \item The TSM30 project as part of the THC GSM project
+ \item MADos, an alternative OS for Nokia DTC3 phones
+ \end{itemize}
+ \item none of those projects successful so far
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Security analysis of GSM}{How would you get started?}
+If you were to start with GSM protocol level security analysis, where and
+how would you start?
+\begin{itemize}
+ \item On the network side?
+ \begin{itemize}
+ \item Difficult since equipment is not easily available and normally extremely expensive
+ \item However, network is very modular and has many standardized/documented interfaces
+ \item Thus, if equipment is available, much easier/faster progress
+ \item Also, using SDR (software defined radio) approach, special-purpose / closed hardware can be avoided
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Security analysis of GSM}{The bootstrapping process}
+\begin{itemize}
+ \item Read GSM specs day and night (> 1000 PDF documents)
+ \item Gradually grow knowledge about the protocols
+ \begin{itemize}
+ \item OpenBSC: Obtain actual GSM network equipment (BTS)
+ \item OpenBTS: Develop SDR based GSM Um Layer 1
+ \end{itemize}
+ \item Try to get actual protocol traces as examples
+ \item Start a complete protocol stack implementation from scratch
+ \item Finally, go and play with GSM protocol security
+\end{itemize}
+\end{frame}
+
+
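Review bot: The "Security implications" frame states that protocol-level GSM security research is "only theoretical (like the A5/2 and A5/1 cryptanalysis)"; for a deck dated 2014 that claim is stale, since practical passive A5/1 key recovery with precomputed tables had been publicly demonstrated several years earlier, and a security audience will notice. Either qualify the bullet, e.g. `\item If there's security research at all, then mostly on the ciphers (A5/2 break, and by 2010 practical A5/1 key recovery)`, or add a footnote that this slide predates those results. In the handset-side frame, "Nokia DTC3 phones" looks like a transposition of DCT3, the Nokia baseband generation that MADos targeted — please confirm against the original reference. Grammar in the operator frame: `\item Many operators outsources` should read `\item Many operators outsource`.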
diff --git a/2014/openbsc-dorscluc2014/section-airprobe.tex b/2014/openbsc-dorscluc2014/section-airprobe.tex
new file mode 100644
index 0000000..526e317
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/section-airprobe.tex
@@ -0,0 +1,33 @@
+\subsection{airprobe}
+
+\begin{frame}{Open Source GSM Tools: Airprobe}
+\begin{itemize}
+ \item {\em airprobe} is a collection of Um protocol analyzer tools using the USRP software defined radio
+ \item A number of different Um receiver implementations
+ \begin{description}[gsm-receiver]
+ \item[gssm] One of the two early Um receiver implementations (M\&M clock recovery)
+ \item[gsmsp] The other early Um receiver implementation
+ \item[gsm-tvoid] For a long time the Um receiver with best performance
+ \item[gsm-receiver] The latest generation of Um receiver
+ \end{description}
+ \item Today, gsm-receiver seems to be the most popular choice
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Open Source GSM Tools: Airprobe}
+\begin{itemize}
+ \item Some other airprobe tools
+ \begin{description}[viterbi\_gen]
+ \item[gsmdecode] A standalone text-mode Um L2 frame parser
+ \item[wireshark] Dissector code for feeding Um frames into wireshark
+ \item[gsmstack] An unfinished more modular implementation of a Rx-only L1
+ \item[viterbi\_gen] Generate C++ implementations of a viterbi decoder
+ \end{description}
+ \item Still under development, no user friendly solution
+ \begin{itemize}
+ \item gsmtap frame format needs to be added as clean wireshark interface
+ \item receivers need automatic frequency scanning
+ \item full solution needs proper UI
+ \end{itemize}
+\end{itemize}
+\end{frame}
diff --git a/2014/openbsc-dorscluc2014/section-openbsc.tex b/2014/openbsc-dorscluc2014/section-openbsc.tex
new file mode 100644
index 0000000..cee1e1b
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/section-openbsc.tex
@@ -0,0 +1,230 @@
+\section{OpenBSC}
+
+\subsection{OpenBSC Introduction}
+
+\begin{frame}{OpenBSC software}
+OpenBSC is a Open Source implementation of (not only) the BSC features
+of a GSM network.
+\begin{itemize}
+ \item Support A-bis interface over E1 and IP
+ \item Support for BTS vendor/model is modular
+ \item Multiple BTS models/vendors can be mixed!
+ \item Can work as a {\em pure BSC} or as a full {\em network in a box}
+ \item Supports mobility management, authentication, intra-BSC hand-over, SMS, voice calls (FR/EFR/AMR)
+ \item GPRS + EDGE support if combined with OsmoSGSN and OpenGGSN
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBSC}
+\begin{itemize}
+ \item Supports various BTS brands/models (Siemens BS-11,
+ Ericsson RBS2000, Nokia MetroSite, ip.access nanoBTS,
+ sysmocom sysmoBTS)
+ \item Has classic 2G signalling, voice and SMS support
+ \item Implements various GSM protocols like
+ \begin{itemize}
+ \item A-bis RSL (TS 08.58) and OML (TS 12.21)
+ \item TS 04.08 Radio Resource, Mobility Management, Call Control
+ \item TS 04.11 Short Message Service
+ \end{itemize}
+ \item Telnet console with Cisco-style interface
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBSC software architecture}
+\begin{itemize}
+ \item Implemented in pure C, similarities to Linux kernel
+ \begin{itemize}
+ \item Linked List handling, Timer API, coding style
+ \end{itemize}
+ \item Single-threaded event-loop / state machine design
+ \item Telnet based command line interface {\em Cisco-style}
+ \item Input driver abstraction (mISDN, Abis-over-IP)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBSC: GSM network protocols}{The A-bis interface}
+ \begin{description}[Layer 4+]
+ \item[Layer 1] Typically E1 line, TS 08.54
+ \item[Layer 2] A variant of ISDN LAPD with fixed TEI's, TS 08.56
+ \item[Layer 3] OML (Organization and Maintenance Layer, TS 12.21)
+ \item[Layer 3] RSL (Radio Signalling Link, TS 08.58)
+ \item[Layer 4+] transparent messages that are sent to the MS via Um
+ \end{description}
+\end{frame}
+
+\begin{frame}{OpenBSC: How it all started}
+\begin{itemize}
+ \item In 2006, I bought a Siemens BS-11 microBTS on eBay
+ \begin{itemize}
+ \item This is GSM900 BTS with 2 TRX at 2W output power (each)
+ \item A 48kg monster with attached antenna
+ \item 200W power consumption, passive cooling
+ \item E1 physical interface
+ \end{itemize}
+ \item I didn't have much time at the time (day job at Openmoko)
+ \item Started to read up on GSM specs whenever I could
+ \item Bought a HFC-E1 based PCI E1 controller, has mISDN kernel support
+ \item Found somebody in the GSM industry who provided protocol traces
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBSC: Timeline}
+\begin{itemize}
+ \item November 2008: Dieter+Harald started the development of OpenBSC
+ \item December 2008: we did a first demo at 25C3
+ \item January 2009: we had full voice call support
+ \item Q1/2009: Add support for ip.access nanoBTS
+ \item June 2009: I started with actual security related stuff
+ \item August 2009: We had the first field test with 2BTS and > 860 phones
+ \item Q1/2010: The first 25 OpenBSC instances running in a commercial network
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBSC: Field Test at HAR2009}
+\begin{figure}[h]
+\subfigure{\includegraphics[width=5cm]{bts_tree_full.jpg}}
+\subfigure{\includegraphics[width=5cm]{openbsc_host.jpg}}
+\end{figure}
+\end{frame}
+
+
+\subsection{OpenBSC Network In The Box}
+
+\begin{frame}{OpenBSC in NITB mode}{Network In a Box Mode}
+The {\tt osmo-nitb} program
+\begin{itemize}
+ \item implements the A-bis interface towards any number of BTS
+ \item provides most typical features of a GSM network in one software
+ \item no need for MSC, AuC, HLR, VLR, EIR, ...
+ \begin{itemize}
+ \item HLR/VLR as SQLite3 table
+ \item Authentication + Ciphering support
+ \item GSM voice calls, MO/MT SMS
+ \item Hand-over between all BTS
+ \item Multiple Location Areas within one BSC
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBSC in NITB mode}{Network In a Box Mode}
+\begin{figure}[h]
+\subfigure{\includegraphics[width=5cm]{openbsc-nitb.png}}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{OpenBSC NITB features}
+OpenBSC NITB features
+\begin{itemize}
+ \item Run a small GSM network with 1-n BTS and OpenBSC
+ \item No need for MSC/HLR/AUC/...
+ \item No need for your own SIM cards (unless crypto/auth rqd)
+ \item Establish signalling and voice channels
+ \item Make incoming and outgoing voice calls between phones
+ \item Send/receive SMS between phones
+ \item Connect to ISDN PBX or public ISDN via Linux Call Router
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBSC in NITB mode}{Network In a Box Mode}
+The {\tt osmo-nitb} program
+\begin{itemize}
+ \item does not implement any other GSM interfaces apart from A-bis
+ \item no SS7 / TCAP / MAP based protocols
+ \item no integration (roaming) with existing traditional GSM networks
+ \item wired telephony interfacing with ISDN PBX {\tt lcr} (Linux Call Router)
+ \item Has been tested with up to 800 subscribers on 5 BTS
+ \item Intended for R\&D use or private PBX systems
+\end{itemize}
+\end{frame}
+
+\begin{frame}{osmo-nitb LCR integration}{Interfacing with wired telephony}
+OpenBSC (NITB mode) can be connected to Linux Call Router ({\tt lcr})
+\begin{itemize}
+ \item osmo-nitb exposes a MNCC interface (on unix domain socket)
+ \item lcr attachs to that MNCC interface
+ \item All call control inside osmo-nitb is disabled
+ \item Dialling plan, etc. is now configured in {\tt lcr} like for any other wired phones
+ \item lcr supports VoIP (SIP), E1 (ISDN) and other interfaces
+\end{itemize}
+\end{frame}
+
+\begin{frame}{osmo-nitb LCR integration}{Interfacing with wired telephony}
+\begin{figure}[h]
+\subfigure{\includegraphics[width=10cm]{openbsc-nitb-lcr.png}}
+\end{figure}
+\end{frame}
+
+\subsection{OpenBSC BSC-only mode}
+
+\begin{frame}{OpenBSC in BSC-only mode}
+The {\tt osmo-bsc} program
+\begin{itemize}
+ \item behaves like a classic GSM BSC
+ \item uses SCCP-Lite (ip.access multipex) to any SoftMSC like ADC
+ \item used in production/commercial deployments (~ 75 BSCs)
+ \item mainly intended to replace proprietary BSC in traditional GSM networks
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBSC in BSC-only mode}
+\begin{figure}[h]
+\subfigure{\includegraphics[width=11cm]{openbsc-bsc.png}}
+\end{figure}
+\end{frame}
+
+
+%\begin{frame}<handout:0>{OpenBSC}
+% Demonstration
+%\end{frame}
+
+\subsection{OpenBSC GPRS support}
+
+\begin{frame}{GPRS and OpenBSC}
+\begin{itemize}
+ \item The BSC doesn't really do anything related to GPRS
+ \item GPRS implemented in separate SGSN and GGSN nodes
+ \item GPRS uses its own Gb interface to RAN, independent of A-bis
+ \item OpenBSC can configure the nanoBTS for GPRS+EDGE support via OML
+ \item Actual SGSN and GGSN implemented as OsmoSGSN and OpenGGSN programs
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmoSGSN}
+The Osmocom SGSN program implements
+\begin{itemize}
+ \item basic/minimal SGSN functionality
+ \item the Gb interface (NS/BSSGP/LLC/SNDCP)
+ \item mobility management, session management
+\end{itemize}
+It's a work in progress, many missing features
+\begin{itemize}
+ \item no HLR integration yet
+ \item no paging coordination with MSC/BSC
+ \item no encryption support yet
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenGGSN}
+\begin{itemize}
+ \item GPL licensed Linux program implementing GGSN node
+ \item Implements GTP-U protocol between SGSN and GGSN
+ \item User-configurable range/pool of IPv4 addresses for MS
+ \item Uses {\tt tun} device for terminating IP tunnel from MS
+ \item provides GTP implementation as libgtp
+ \item Experimental patches for IPv6 support
+\end{itemize}
+\end{frame}
+
+%\begin{frame}<handout:0>{OpenBSC + OpenGGSN + OsmoSGSN}
+% Demonstration
+%\end{frame}
+
+\begin{frame}{OpenBSC and OsmoSGSN based network}
+\begin{figure}[h]
+\includegraphics[width=10cm]{osmosgsn.png}
+\end{figure}
+\end{frame}
+
+% FIXME: include slide showing full OpenBSC+OsmoSGSN+OpenGGSN network
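Review bot: The OsmoSGSN frame lists "no encryption support yet" without spelling out the consequence: GPRS ciphering (GEA) runs between the MS and the SGSN at the LLC layer the same frame says OsmoSGSN implements, so with this SGSN every GPRS signalling and user-data frame crosses the air interface unciphered — worth one explicit bullet, e.g. `\item no encryption support yet (GEA) -- all GPRS traffic is unciphered over Um`. Likewise the NITB feature list's "No need for your own SIM cards (unless crypto/auth rqd)" implies the default is to accept any IMSI without authentication, which also means any phone in range will try to register on the test network; a one-line caveat that such setups belong in a shielded room or under a test licence is what a practitioner would expect next to that bullet. Two typos: `uses SCCP-Lite (ip.access multipex)` should be `multiplex`, and `lcr attachs to that MNCC interface` should be `lcr attaches`.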
diff --git a/2014/openbsc-dorscluc2014/section-openbts.tex b/2014/openbsc-dorscluc2014/section-openbts.tex
new file mode 100644
index 0000000..9c04222
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/section-openbts.tex
@@ -0,0 +1,183 @@
+\section{OpenBTS, airprobe and wireshark}
+
+\subsection{OpenBTS Introduction}
+
+\begin{frame}{What is OpenBTS?}
+\begin{itemize}
+ \item is {\em NOT} a BTS in the typical GSM sense
+ \item is better described as a GSM-Um to SIP gateway
+ \item implements the GSM Um (air interface) as SDR
+ \item uses the USRP hardware as RF interface
+ \item does not implement any of BSC, MSC, HLR, etc.
+ \item bridges the GSM Layer3 protocol onto SIP
+ \item uses SIP switch (like Asterisk) for switching calls + SMS
+ \item is developed as C++ program and runs on Linux + MacOS
+\end{itemize}
+\end{frame}
+
+\begin{frame}{What is OpenBTS?}
+\begin{itemize}
+ \item Open implementation of Um L1 \& L2, an all-software BTS.
+ \item L1/L2 design based on an object-oriented dataflow approach.
+ \item Includes L3 RR functions normally found in BSC.
+ \item Uses SIP PBX for MM and CC functions, eliminating the conventional GSM network. L3 is like an ISDN/SIP gateway.
+ \item Intended for use in low-cost and rapidly-deployed communications networks, but can be used for experiments (including by Chris Paget at Def Con).
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS Hardware}
+OpenBTS supports the following SDR hardware
+\begin{itemize}
+ \item Ettus USRP(1) with two RFX 900 or RFX 1800 daughter boards
+ \begin{itemize}
+ \item Modification for external clock input recommended
+ \item External 52 MHz precision clock recommended
+ \end{itemize}
+ \item Kestrel Signal Processing / Range Networks custom radio
+ \item Close Haul Communications / GAPfiller (work in progress)
+ \item Ported to other radios by other clients
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{OpenBTS History + Tests}
+\begin{itemize}
+ \item Started work in August 2007, first call in January 2008, first SMS in December 2008.
+ \item First public release in September 2008, assigned to FSF in October 2008.
+ \item Tested 3-sector system with 10,000-20,000 handsets at September 2009 Burning Man event in Nevada.
+ \item Tested 2-sector system with 40,000 handsets at September 2010 Burning Man event in Nevada.
+ \item Release 2.5 is about 13k lines of C++.
+ \item Part of GNU Radio project, distributed under GPLv3 (>= 2.6: AGPLv3)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS Software Architecture}
+\begin{itemize}
+ \item {\tt Transceiver} program
+ \begin{itemize}
+ \item SDR processing for Layer 0
+ \item BTS-side GSM Um Layer 1 implementation
+ \item sends GSM burst data via UDP socket
+ \end{itemize}
+ \item {\tt OpenBTS} program
+ \begin{itemize}
+ \item GSM Um Layer 2 (04.06) + 3 (04.08) implementation
+ \item SIP UA implementation
+ \item GSM Layer 3 CC to SIP bridge implementation
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS GSM <-> SIP mapping}
+\begin{itemize}
+ \item Location Updates mapped to SIP registration
+ \begin{itemize}
+ \item Use IMSI as SIP user name
+ \end{itemize}
+ \item Call Control mapped to SIP transactions
+ \begin{itemize}
+ \item relatively straight-forward
+ \end{itemize}
+ \item GSM Traffic Channels mapped to RTP channels
+ \begin{itemize}
+ \item No transcoding inside OpenBTS, FR/EFR messages are simply relayed
+ \end{itemize}
+ \item SMS mapped to SIP messaging according to RFC 3428
+ \begin{itemize}
+ \item A separate {\tt smqueue} daemon implements store+forward
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+%\subsection{Clocking}
+
+\begin{frame}{OpenBTS USRP Clocking}{Clock Stability}
+\begin{itemize}
+ \item USRP has regular XO (Crystal Oscillator) with 20ppm accuracy
+ \item GSM requires 20ppb carrier clock accuracy
+ \item possible solutions
+ \begin{itemize}
+ \item use external VCTCXO clocking module
+ \item use external OCXO clocking module
+ \item use a software calibration program comparing USRP XO with real GSM BTS carrier clocks
+ \end{itemize}
+ \item due to clock multiplication, absolute error in GSM1800 is higher than in GSM900
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{OpenBTS USRP Clocking}{64 MHz vs. 52 MHz clock}
+\begin{itemize}
+ \item The USRP master clock is 64 Mhz
+ \item In GSM, all clocks are derived from 13 MHz
+ \item Thus, a poly-phase re-sampler is part of SDR software
+ \item Alternative: use 52 MHz (13 MHz * 4) external clock
+ \item OpenBTS has two transceiver programs, one for each 64 MHz and 52 MHz
+ \begin{itemize}
+ \item Make sure to never use the wrong transceiver for your clock!
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS USRP Clocking}{Software Calibration}
+Basic idea: Use real GSM cell as clock source
+\begin{itemize}
+ \item Implemented by the {\em Kalibrator} ({\tt kal}) program
+ \item Acquire the FCCH burst of a real GSM cell
+ \item Measure the clock difference between USRP XO and that cell
+ \item Use the computed error as offset to USRP up/downconverter
+ \item However, temperature and other drift will make clocks go out of sync over time
+ \item Can only be used if a real-world GSM network is within range
+\end{itemize}
+\end{frame}
+
+%\begin{frame}[fragile]{OpenBTS USRP Clocking}{Kalibrator Example}
+%\begin{block}{Example of running {\tt kal}}
+%\begin{lstlisting}
+%[openBTS@openBTS kal-0.2]# ./kal -f 946600000 -u
+%USRP side: B
+%FPGA clock: 52000000
+%Decimation: 192
+%Antenna: RX2
+%Sample rate: 270833.343750
+%average [min, max] (range, stddev) -2197.789062 [-2431, -1843] (588, 146.761444)
+%\end{lstlisting}
+%\end{block}
+%The value {\bf -2198 should be used as FREQOFF constant in Transceiver/USRPDevice.cpp}
+%\end{frame}
+
+\begin{frame}{OpenBTS -- ``Nevada Test Site'' \& 21m Mast}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=85mm]{NevadaTestSite.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Burning Man 2010 Tower Base}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=85mm]{OBTSBM2010.jpg}
+\end{figure}
+\end{frame}
+
+%\begin{frame}<handout:0>{OpenBTS}
+% Demonstration
+%\end{frame}
+
+\begin{frame}{OpenMS}
+\begin{itemize}
+ \item Subscriber side stack based on OpenBTS.
+ \item Called MS, but just a BTS stack with data flows reversed and a different RR control logic.
+ \item Behavior is more like a passive interceptor that can also transmit.
+ \item Release 1.0 supports non-hopping multi-ARFCN networks.
+ \item Most L3 control logic provided by the end user.
+ \item A platform for
+ \begin{itemize}
+ \item passive interceptors
+ \item custom subscriber-side applications
+ \item environment analysis
+ \item intelligent jamming
+ \end{itemize}
+ \item NOT Open Source
+\end{itemize}
+\end{frame}
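Review bot: The frame title `\begin{frame}{OpenBTS GSM <-> SIP mapping}` types the arrow as `<->` in text mode; that only renders as angle brackets if the deck's main file loads T1 font encoding (not visible in this hunk), and under the default OT1 encoding `<` and `>` come out as inverted exclamation and question marks. Write it as math instead, `\begin{frame}{OpenBTS GSM \(\leftrightarrow\) SIP mapping}`. The same hunk uses the plain-TeX two-letter font switches `{\em NOT}`, `{\tt Transceiver}`, `{\tt OpenBTS}`, `{\tt smqueue}` and `{\tt kal}`, which should be `\emph{NOT}` and `\texttt{...}` so they nest and size correctly. The two photo frames wrap `\includegraphics` in `\begin{figure}[h]` with an absolute `width=85mm`; placement specifiers are ignored inside a beamer frame, and the width is better expressed relative to the frame, e.g. `\includegraphics[width=0.8\linewidth]{NevadaTestSite.jpg}`.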
diff --git a/2014/openbsc-dorscluc2014/section-osmocombb.tex b/2014/openbsc-dorscluc2014/section-osmocombb.tex
new file mode 100644
index 0000000..a8f4cd1
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/section-osmocombb.tex
@@ -0,0 +1,296 @@
+\section{OsmocomBB Project}
+
+\begin{frame}{A GSM phone baseband processor}
+\begin{itemize}
+ \item GSM protocol stack always runs in a so-called baseband processor (BP)
+ \item What is the baseband processor
+ \begin{itemize}
+ \item Typically ARM7 (2G/2.5G phones) or ARM9 (3G/3.5G phones)
+ \begin{itemize}
+ \item Runs some RTOS (often Nucleus, sometimes L4)
+ \item No memory protection between tasks
+ \end{itemize}
+ \item Some kind of DSP, model depends on vendor
+ \begin{itemize}
+ \item Runs the digital signal processing for the RF Layer 1
+ \item Has hardware peripherals for A5 encryption
+ \end{itemize}
+ \end{itemize}
+ \item The software stack on the baseband processor
+ \begin{itemize}
+ \item is written in C and assembly
+ \item lacks any modern security features (stack protection, non-executable pages, address space randomization, ..)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{A GSM Baseband Chipset}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=100mm]{calypso-block.pdf}
+ \end{figure}
+ \url{http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf}
+\end{frame}
+
+\begin{frame}{Requirements for GSM security analysis}
+What do we need for protocol-level security analysis?
+\begin{itemize}
+ \item A GSM MS-side baseband chipset under our control
+ \item A Layer1 that we can use to generate arbitrary L1 frames
+ \item A Layer2 protocol implementation that we can use + modify
+ \item A Layer3 protocol implementation that we can use + modify
+\end{itemize}
+None of those components existed, so we need to create them!
+\end{frame}
+
+\begin{frame}{A GSM baseband under our control}
+The two different DIY approaches
+\begin{itemize}
+ \item Build something using generic components (DSP, CPU, ADC, FPGA)
+ \begin{itemize}
+ \item No reverse engineering required
+ \item A lot of work in hardware design + debugging
+ \item Hardware will be low-quantity and thus expensive
+ \end{itemize}
+ \item Build something using existing baseband chipset
+ \begin{itemize}
+ \item Reverse engineering or leaked documents required
+ \item Less work on the 'Layer 0'
+ \item Still, custom hardware in low quantity
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{A GSM baseband under our control}
+Alternative 'lazy' approach
+\begin{itemize}
+ \item Re-purpose existing mobile phone
+ \begin{itemize}
+ \item Hardware is known to be working
+ \item No prototyping, hardware revisions, etc.
+ \item Reverse engineering required
+ \item Hardware drivers need to be written
+ \item But: More time to focus on the actual job: Protocol software
+ \end{itemize}
+ \item Searching for suitable phones
+ \begin{itemize}
+ \item As cheap as possible
+ \item Readily available: Many people can play with it
+ \item As old/simple as possible to keep complexity low
+ \item Baseband chipset with lots of leaked information
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Baseband chips with leaked information}
+\begin{itemize}
+ \item Texas Instruments Calypso
+ \begin{itemize}
+ \item DBB Documentation on cryptome.org and other sites
+ \item ABB Documentation on Chinese phone developer websites
+ \item Source code of GSM stack / drivers was on sf.net (tsm30 project)
+ \item End of life, no new phones with Calypso since about 2008
+ \item No cryptographic checks in bootloader
+ \end{itemize}
+ \item Mediatek MT622x chipsets
+ \begin{itemize}
+ \item Lots of Documentation on Chinese sites
+ \item SDK with binary-only GSM stack libraries on Chinese sites
+ \item 95 million produced/sold in Q1/2010
+ \end{itemize}
+\end{itemize}
+Initial choice: TI Calypso (GSM stack source available)
+\end{frame}
+
+
+\subsection{OsmocomBB Introduction}
+
+\begin{frame}{OsmocomBB Introduction}
+\begin{itemize}
+ \item Project was started only in January 2010 (9 months ago!)
+ \item Implementing a GSM baseband software from scratch
+ \item This includes
+ \begin{itemize}
+ \item GSM MS-side protocol stack from Layer 1 through Layer 3
+ \item Hardware drivers for GSM Baseband chipset
+ \item Simple User Interface on the phone itself
+ \item Verbose User Interface on the PC
+ \end{itemize}
+ \item Note about the strange project name
+ \begin{itemize}
+ \item Osmocom = Open Source MObile COMmunication
+ \item BB = Base Band
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Software Architecture}
+\begin{itemize}
+ \item Reuse code from OpenBSC where possible (libosmocore)
+ \begin{itemize}
+ \item We build libosmocore both for phone firmware and PC
+ \end{itemize}
+ \item Initially run as little software in the phone
+ \begin{itemize}
+ \item Debugging code on your host PC is so much easier
+ \item You have much more screen real-estate
+ \item Hardware drivers and Layer1 run in the phone
+ \item Layer2, 3 and actual phone application / MMI on PC
+ \item Later, L2 and L3 can me moved to the phone
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Software Interfaces}
+\begin{itemize}
+ \item Interface between Layer1 and Layer2 called L1CTL
+ \begin{itemize}
+ \item Fully custom protocol as there is no standard
+ \item Implemented as message based protocol over Sercomm/HDLC/RS232
+ \end{itemize}
+ \item Interface between Layer2 and Layer3 called RSLms
+ \begin{itemize}
+ \item In the GSM network, Um Layer2 terminates at the BTS but is controlled by the BSC
+ \item Reuse this GSM 08.58 Radio Signalling Link
+ \item Extend it where needed for the MS case
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{OsmocomBB Software}
+
+\begin{frame}{OsmocomBB Target Firmware}
+\begin{itemize}
+ \item Firmware includes software like
+ \begin{itemize}
+ \item Drivers for the Ti Calypso Digital Baseband (DBB)
+ \item Drivers for the Ti Iota TWL3025 Analog Baseband (ABB)
+ \item Drivers for the Ti Rita TRF6151 RF Transceiver
+ \item Drivers for the LCD/LCM of a number of phones
+ \item CFI flash driver for NOR flash
+ \item GSM Layer1 synchronous/asynchronous part
+ \item Sercomm - A HDLC based multiplexer for the RS232 to host PC
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Host Software}
+\begin{itemize}
+ \item Current working name: layer23
+ \item Includes
+ \begin{itemize}
+ \item Layer 1 Control (L1CTL) protocol API
+ \item GSM Layer2 implementation (LAPDm)
+ \item GSM Layer3 implementation (RR/MM/CC)
+ \item GSM Cell (re)selection
+ \item SIM Card emulation
+ \item Supports various 'apps' depending on purpose
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{OsmocomBB Hardware Support}
+
+\begin{frame}{OsmocomBB Supported Hardware}
+\begin{itemize}
+ \item Baseband Chipsets
+ \begin{itemize}
+ \item TI Calypso/Iota/Rita
+ \item Some early research being done on Mediatek (MTK) MT622x
+ \end{itemize}
+ \item Actual Phones
+ \begin{itemize}
+ \item Compal/Motorola C11x, C12x, C13x, C14x and C15x models
+ \item Most development/testing on C123 and C155
+ \item GSM modem part of Openmoko Neo1973 and Freerunner
+ \end{itemize}
+ \item All those phones are simple feature phones built on a ARM7TDMI based DBB
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The Motorola/Compal C123}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=100mm]{c123_pcb.jpg}
+ \end{figure}
+\end{frame}
+
+
+\subsection{OsmocomBB Project Status}
+
+\begin{frame}{OsmocomBB Project Status: Working}
+\begin{itemize}
+ \item Hardware Drivers for Calypso/Iota/Rita very complete
+ \item Drivers for Audio/Voice signal path
+ \item Layer1
+ \begin{itemize}
+ \item Power measurements
+ \item Carrier/bit/TDMA synchronization
+ \item Receive and transmit of normal bursts on SDCCH
+ \item Transmit of RACH bursts
+ \item Automatic Rx gain control (AGC)
+ \item Frequency Hopping
+ \end{itemize}
+ \item Layer2 UI/SABM/UA frames and ABM mode
+ \item Layer3 Messages for RR / MM / CC
+ \item Cell (re)selection according GSM 03.22
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Project Status: Working (2/2)}
+OsmocomBB can now do GSM Voice calls (since 08/2010)
+\begin{itemize}
+ \item Very Early Assignment + Late Assignment
+ \item A3/A8 Authentication of SIM
+ \item A5/1 + A5/2 Encryption
+ \item Full Rate (FR) and Enhanced Full Rate (EFR) codec
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Project Status: Not working}
+\begin{itemize}
+ \item Layer1
+ \begin{itemize}
+ \item Automatic Tx power control (APC)
+ \item Neighbor Cell Measurements (WIP)
+ \item In-call hand-over to other cells (WIP)
+ \end{itemize}
+ \item Actual UI on the phone
+ \item Circuit Switched Data (CSD) calls
+ \item GPRS (packet data)
+ \item No Type Approval for the stack!
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB Project Status: Executive Summary}
+\begin{itemize}
+ \item We can establish control/signalling channels to both hopping and non-hopping GSM cells
+ \begin{itemize}
+ \item Control over synthesizer means we can even go to GSM-R band
+ \end{itemize}
+ \item We can send arbitrary data on those control channels
+ \begin{itemize}
+ \item RR messages to BSC
+ \item MM/CC messages to MSC
+ \item SMS messages to MSC/SMSC
+ \end{itemize}
+ \item TCH (Traffic Channel) support for voice calls
+ \begin{itemize}
+ \item Has been used on real networks for 30+ minute calls!
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB use cases}
+OsmocomBB can be used today for
+\begin{itemize}
+ \item practical lab exercises in education on any level of GSM,
+from the radio modem through the protocol stack
+ \item applied research in GSM protocols and GSM security
+ \item penetration testing of GSM operator equipment
+ \item measurement and exploration of real operator networks
+\end{itemize}
+With (your?) help, we can turn it into an actual mobile phone for
+regular users, i.e. bringing the freedom of Free Software into one of
+the most closed areas of computing.
+\end{frame}
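Review bot: The line `\item Project was started only in January 2010 (9 months ago!)` carries a relative date from the original 2010 version of these slides, which is stale in a deck filed under 2014/; drop the parenthetical, `\item Project was started in January 2010`. Two wording slips in the same hunk: `Later, L2 and L3 can me moved to the phone` should read `can be moved`, and `Cell (re)selection according GSM 03.22` should read `according to GSM 03.22`. The trailing `..` in `address space randomization, ..)` should be `\dots`, and the straight single quotes in `'Layer 0'`, `'lazy'` and `'apps'` should be TeX quotes, `` `Layer 0' ``.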
diff --git a/2014/openbsc-dorscluc2014/section-wireshark.tex b/2014/openbsc-dorscluc2014/section-wireshark.tex
new file mode 100644
index 0000000..a3ee9c6
--- /dev/null
+++ b/2014/openbsc-dorscluc2014/section-wireshark.tex
@@ -0,0 +1,35 @@
+\subsection{wireshark Protocol Analyzer}
+
+\begin{frame}{The wireshark protocol analyzer}
+\begin{itemize}
+ \item Software protocol analyzer for plethora of protocols
+ \item Portable, works on most flavors of Unix and Windows
+ \item Decode, display, search and filter packets with configurable level of detail
+ \item Over 1000 protocol decoders
+ \item Over 86000 display filters
+ \item Live capturing from many different network media
+ \item Import files from other capture programs
+ \item Used to be called ethereal, but is now called wireshark
+\item \url{http://www.wireshark.org/}
+\item \url{http://www.wireshark.org/download/docs/user-guide-a4.pdf}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The wireshark protocol analyzer}
+GSM protocol dissectors in wireshark
+\begin{itemize}
+ \item TCP/IP (transport layer for Abis/IP)
+ \item E1 Layer 2 (LAPD)
+ \item GSM Um Layer 2 (LAPDm)
+ \item GSM Layer 3 (RR, MM, CC)
+ \item A-bis Layer 3 (RSL)
+ \begin{itemize}
+ \item A-bis OML for Siemens and ip.access in OpenBSC git
+ \end{itemize}
+ \item GSMTAP pseudo-header (airprobe, OpenBTS, OsmocomBB)
+\end{itemize}
+\end{frame}
+
+%\begin{frame}<handout:0>{The wireshark protocol analyzer}
+% Demonstration
+%\end{frame}
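Review bot: The two `\item \url{...}` lines closing the first itemize are flush-left while every other `\item` in the file is indented by one space, so the source reads as if they belonged to a different list; indent them to match, ` \item \url{http://www.wireshark.org/}`. Also `analyzer for plethora of protocols` is missing the article: `for a plethora of protocols`.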
diff --git a/2014/osmocom-dorscluc2014/bts_tree_full.jpg b/2014/osmocom-dorscluc2014/bts_tree_full.jpg
new file mode 100644
index 0000000..6b5c5e8
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/bts_tree_full.jpg
Binary files differ
diff --git a/2014/osmocom-dorscluc2014/c123_pcb.jpg b/2014/osmocom-dorscluc2014/c123_pcb.jpg
new file mode 100644
index 0000000..a9f24fc
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/c123_pcb.jpg
Binary files differ
diff --git a/2014/osmocom-dorscluc2014/ezcap_top.jpg b/2014/osmocom-dorscluc2014/ezcap_top.jpg
new file mode 100644
index 0000000..d504471
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/ezcap_top.jpg
Binary files differ
diff --git a/2014/osmocom-dorscluc2014/osmo-e1-xcvr.jpg b/2014/osmocom-dorscluc2014/osmo-e1-xcvr.jpg
new file mode 100644
index 0000000..8802e08
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmo-e1-xcvr.jpg
Binary files differ
diff --git a/2014/osmocom-dorscluc2014/osmocom-overview.pdf b/2014/osmocom-dorscluc2014/osmocom-overview.pdf
new file mode 100644
index 0000000..eb88f16
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmocom-overview.pdf
Binary files differ
diff --git a/2014/osmocom-dorscluc2014/osmocom-overview.snm b/2014/osmocom-dorscluc2014/osmocom-overview.snm
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmocom-overview.snm
diff --git a/2014/osmocom-dorscluc2014/osmocom-overview.tex b/2014/osmocom-dorscluc2014/osmocom-overview.tex
new file mode 100644
index 0000000..c8ea668
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmocom-overview.tex
@@ -0,0 +1,575 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+ \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode<presentation>
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{osmocom.org - FOSS for mobile comms}
+
+\subtitle
+{community based Free / Open Source Software for communications}
+
+\author{Harald Welte <laforge@gnumonks.org>}
+
+\institute
+{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[] % (optional, should be abbreviation of conference name)
+{June 16, 2014, DORS/CLUC, Zagreb}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Communications}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}<beamer>{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents[hideallsubsections]
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+ \item Using + toying with Linux since 1994
+ \item Kernel / bootloader / driver / firmware development since 1999
+ \item IT security expert, focus on network protocol security
+ \item Former core developer of Linux packet filter netfilter/iptables
+ \item Board-level Electrical Engineering
+ \item Always looking for interesting protocols (RFID, DECT, GSM)
+ \item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN
+\end{itemize}
+\end{frame}
+
+
+\section{Researching communications systems}
+
+\subsection{The Rolle of FOSS}
+
+\begin{frame}{Research in TCP/IP/Ethernet}
+Assume you want to do some research in the TCP/IP/Ethernet
+communications area,
+\begin{itemize}
+ \item you use off-the-shelf hardware (x86, Ethernet card)
+ \item you start with the Linux / *BSD stack
+ \item you add the instrumentation you need
+ \item you make your proposed modifications
+ \item you do some testing
+ \item you write your paper and publish the results
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Research in (mobile) communications}
+Assume it is before 2009 (before Osmocom) and you want to do some research in mobile comms
+\begin{itemize}
+ \item there is no FOSS implementation of any of the protocols or
+ functional entities
+ \item almost no university has a test lab with the required
+ equipment. And if they do, it is black boxes that you
+ cannot modify according to your research requirements
+ \item you turn away at that point, or you cannot work on really
+ exciting stuff
+ \item only chance is to partner with commercial company, who
+ puts you under NDAs and who wants to profit from your
+ research
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GSM/3G vs. Internet}
+\begin{itemize}
+ \item Observation
+ \begin{itemize}
+ \item Both GSM/3G and TCP/IP protocol specs are publicly available
+ \item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny
+ \item GSM networks are as widely deployed as the Internet
+ \item Yet, GSM/3G protocols receive no such scrutiny!
+ \end{itemize}
+ \item There are reasons for that:
+ \begin{itemize}
+ \item GSM industry is extremely closed (and closed-minded)
+ \item Only about 4 closed-source protocol stack implementations
+ \item GSM chipset makers never release any hardware documentation
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GSM is more than phone calls}
+Listening to phone calls is boring...
+\begin{itemize}
+ \item Machine-to-Machine (M2M) communication
+ \begin{itemize}
+ \item BMW can unlock/open your car via GSM
+ \item Alarm systems often report via GSM
+ \item Smart Metering (Utility companies)
+ \item GSM-R / European Train Control System
+ \item Vending machines report that their cash box is full
+ \item Control if wind-mills supply power into the grid
+ \item Transaction numbers for electronic banking
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\section{The Osmocom project}
+
+\begin{frame}{Osmocom / osmocom.org}
+\begin{itemize}
+ \item Osmocom == Open Soruce Mobile Communications
+ \item Classic collaborative, community-driven FOSS project
+ \item Gathers creative people who want to explore this
+ industry-dominated closed mobile communications world
+ \item communication via mailing lists, IRC
+ \item soure code in git, information in trac/wiki
+ \item http://osmocom.org/
+\end{itemize}
+\end{frame}
+
+\subsection{Osmocom sub-projects}
+
+\begin{frame}{OpenBSC}
+\begin{itemize}
+ \item first Osmocom project
+ \item Implements GSM A-bis interface towards BTS
+ \item Primarily supports sysmoBTS and ip.access nanoBTS
+ \item Limited support for some Siemens, Ericsson and Nokia BTS models
+ \item can implement only BSC function (osmo-bsc) or a fully
+ autonomous self-contained GSM network (osmo-nitb) that
+ requires no external MSC/VLR/AUC/HLR/EIR
+ \item deployed in > 200 installations world-wide, commercial and
+ research
+\end{itemize}
+\end{frame}
+
+\begin{frame}{First OpenBSC test installation (HAR 2009)}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{bts_tree_full.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OpenBSC use cases}
+\begin{itemize}
+ \item can be used either as pure BSC (A-over-IP)
+ \begin{itemize}
+ \item suitable for operators with existing core (MSC/VLR/HLR/AUC)
+ \item easy integration into existing infrastructure
+ \end{itemize}
+ \item or as NITB (network in the box)
+ \begin{itemize}
+ \item suitable for private / autonomous small networks (PBX style)
+ \item no dependency on any other external component
+ \item connect to the outside via ISDN or VoIP (using
+ linux call router)
+ \item off-shore drilling rigs, underground mining, alternative to PMR
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{OsmoSGSN / OpenGGSN}
+\begin{itemize}
+ \item extends the OpenBSC based network from GSM to GPRS/EDGE by
+ implementing the classic SGSN and GGSN functional
+ entities
+ \item OpenGGSN existed already, but was abandoned by original
+ author
+ \item Works only with BTSs that provides Gb interface, like
+ sysmoBTS or nanoBTS
+ \item Suitable for research only, not production ready
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmoSGSN / OpenGGSN use cases}
+\begin{itemize}
+ \item Testing of M2M devices using your own BTS+SGSN+GGSN
+ \item Mobile malware research (analyze cellular data traffic of
+ apps)
+ \item Any type of GPRS related research
+ \item Teaching, training on mobile data protocols/interfaces
+ (RLC, MAC, LLC, SNDCP, BSSGP, NS, GTP, etc.)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB}
+\begin{itemize}
+ \item Full baseband processor firmware implementation of a mobile phone (MS)
+ \item We re-use existing phone hardware and re-wrote the L1, L2,
+ L3 and higher level logic
+ \item Higher layers reuse code from OpenBSC wherever possible
+ \item Used in a number of universities and other research contexts
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=50mm]{c123_pcb.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmocomBB use cases}
+\begin{itemize}
+ \item Applied security research on Infrastructure
+ \begin{itemize}
+ \item Fuzzing / exploiting of protocol parsers on network side
+ \item RACH denial of service
+ \item Check if networks use random padding
+ \item Detect IMSI catchers or other fals base stations
+ \item Assess GSM network (operator) security level
+ \end{itemize}
+ \item Study + learn how a GSM stack / phone work
+ \item Protocol tracing of your own transactions with the network
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmoBTS}
+\begin{itemize}
+ \item OpenBSC/OsmoNITB takes care of BTS and higher elements
+ \item OsmoBTS implements a BTS with A-bis/IP back-haul to OpenBSC
+ \item Developed primarily for sysmoBTS hardware
+ \item Support for other hardware is ongoing in the community
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomTETRA}
+\begin{itemize}
+ \item SDR implementation of a TETRA radio-modem (PHY/MAC)
+ \item Rx is fully implemented, Tx only partial
+ \item Can be used for air interface interception
+ \item Accompanied by wireshark dissectors for the TETRA protocol
+ stack
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomTETRA use cases}
+\begin{itemize}
+ \item Analysis/assessment of TETRA network security
+ \item Learn how TETRA works on teh lowest levels (L1, MAC, L3)
+ \item Protocol analysis / sniffing / intercepting unencrypted networks
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomGMR}
+\begin{itemize}
+ \item ETSI GMR (Geo Mobile Radio) is "GSM for satellites"
+ \item GMR-1 used by Thuraya satellite network
+ \item OsmocomGMR implements SDR based radiomodem + PHY/MAC (Rx)
+ \item Partial wireshark dissectors for the protocol stack
+ \item Reverse engineered implementation of GMR-A5 crypto
+ \item Speech codec is proprietary, still needs reverse engineering
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomGMR use cases}
+\begin{itemize}
+ \item Analysis/assessment of GMR/Thuraya security (there is none)
+ \item Learn and understnad how satellite telephony L1 and protocol work
+ \item Actual interception of SMS + data
+ \item Voice still difficult due to proprietary undocumented codec
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomDECT}
+\begin{itemize}
+ \item ETSI DECT (Digital European Cordless Telephony) is used in
+ millions of cordless phones
+ \item deDECTed.org project started with open source protocol
+ analyzers and demonstrated many vulnerabilities
+ \item OsmocomDECT is an implementation of the DECT hardware
+ drivers and protocols for the Linux kernel
+ \item Integrates with Asterisk
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomOP25}
+\begin{itemize}
+ \item APCO25 is Professional PMR system used in the US
+ \item Can be compared to TETRA in Europe
+ \item OsmocomOP25 is again SDR receiver + protocol analyzer
+ \item Use cases like OsmocomTETRA
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmoSDR}
+\begin{itemize}
+ \item small, low-power / low-cost USB SDR hardware
+ \item higher bandwidth than FunCubeDonglePro
+ \item much lower cost than USRP
+ \item Open Hardware
+ \item Developer units available
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=70mm]{osmosdr.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{rtl-sdr}
+\begin{itemize}
+ \item re-purpose a USD 20 DVB-T USB dongle based on Realtek chipset
+ \item deactivate/bypass DVB-T demodulator / MPEG decoder
+ \item pass baseband samples via high-speed USB into PC
+ \item no open hardware, but Free Software
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=70mm]{ezcap_top.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmocomSIMTRACE}
+\begin{itemize}
+ \item Hardware protocol tracer for SIM - phone interface
+ \item Wireshark protocol dissector for SIM-ME protocol (TS 11.11)
+ \item Can be used for SIM Application development / analysis
+ \item Also capable of SIM card emulation and man-in-the-middle attacks
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{simtrace_and_phone.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Osmo-E1-Xcvr}
+\begin{itemize}
+ \item Open hardware project for interfacing E1 lines with
+ microcontrollers
+ \item So far no software/firmware yet, stay tuned!
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{osmo-e1-xcvr.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{osmo\_ss7, osmo\_map, signerl}
+\begin{itemize}
+ \item Erlang-language SS7 implementation (MTP3, SCCP, TCAP, MAP)
+ \item SIGTRAN variants (M2PA, M2UA, M3UA and SUA)
+ \item Enables us to interface with GSM/UMTS inter-operator core network
+ \item Already used in production in some really nasty
+ special-purpose protocol translators (think of NAT for
+ SS7)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{osmo\_ss7, osmo\_map, signerl use cases}
+\begin{itemize}
+ \item Implement GSM/3G core network elements (HLR, SCF, etc.)
+ \item Applications that interact with GSM/3G core network
+ elements
+ \item Mostly useful for small MVNOs or other operators who have
+ requirements that cannot be fulfilled with off-the-shelf
+ proprietary equipment.
+\end{itemize}
+\end{frame}
+
+\begin{frame}{More Osmocom projects}
+\begin{itemize}
+ \item Have a look at http://git.osmcoom.org/
+ \item 79 public git repositories / projects at this point
+ \item way too many to cover here in this talk
+ \item Often RTFS, no manual/docs
+\end{itemize}
+\end{frame}
+
+\section{Non-osmocom projects}
+
+\begin{frame}{The OpenBTS Um - SIP bridge}
+\begin{itemize}
+ \item OpenBTS is a SDR implementation of GSM Um radio interface
+ \item directly bridges to SIP/RTP, no A-bis/BSC/A/MSC
+ \item suitable for research on air interface, but very different
+ from traditional GSM networks
+ \item work is being done to make it interoperable with OpenBSC
+\end{itemize}
+\end{frame}
+
+\begin{frame}{airprobe.org}
+\begin{itemize}
+ \item SDR implementation of Um sniffer
+ \item suitable for receiving GSM Um downlink and uplink
+ \item predates all of the other projects
+ \item more or less abandoned at this point
+\end{itemize}
+\end{frame}
+
+\begin{frame}{UmTRX}
+\begin{itemize}
+ \item SDR hardware, specifically for GSM Um air interface
+ \item can be used with OpenBTS and soon: OsmoTRX / OsmoBTS
+ \item Oepen Hardware Design
+ \item http://code.google.com/p/umtrx/
+\end{itemize}
+\end{frame}
+
+\begin{frame}{xgoldmon}
+\begin{itemize}
+ \item extract all GSM/GPRS and even 3G protocol messages from
+ your Samsung Galaxy 2, Galaxy 3, Note 2, Nexus phone via USB
+ \item feed them into your PC running xgoldmon
+ \item forward them from xgoldmon via GSMTAP into wireshark
+ \item https://github.com/2b-as/xgoldmon
+\end{itemize}
+\end{frame}
+
+\begin{frame}{sysmocom GmbH}{systems for mobile communications}
+\begin{itemize}
+ \item small company, started by two Osmocom developers in Berlin
+ \item provides commercial R\&d and support for professional
+ users of Osmocom software
+ \item develops + sells products like sysmoBTS (inexpensive,
+ small-form-factor, OpenBSC compatible BTS)
+ \item runs a small webshop for Osmocom related hardware items
+ like SIMtrace
+\end{itemize}
+\end{frame}
+
+
+\subsection{Future projects}
+
+\begin{frame}{Where do we go from here?}
+\begin{itemize}
+ \item Dieter Spaar has been working with 3G NodeBs (Ericsson,
+ Nokia) to be able to run our own RNC
+ \item Research into intercepting microwave back-haul links
+ \item Research into GPS simulation / transmission / faking
+ \item Port of OsmocomBB to other baseband chips
+ \item Low-level control from Free Software on a 3G/3.5G phone
+ \item Re-using femtocells in creative ways
+ \item Proprietary PMR systems
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Call for contributions}
+\begin{itemize}
+ \item Don't you agree that classic Internet/TCP/IP is boring and
+ has been researched to death?
+ \item There are many more communications systems out there
+ \item Never trust the industry, they only care about selling
+ their stuff
+ \item Lets democratize access to those communication systems
+ \item Become a contributor or developer today!
+ \item Join our mailing lists, use/improve our code
+ \item for OsmocomBB you only need a EUR 20 phone to start
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Thanks}
+I'd like to thank the many Osmocom developers and contributors,
+especially
+\begin{itemize}
+ \item Dieter Spaar
+ \item Holger Freyther
+ \item Andreas Eversberg
+ \item Sylvain Munaut
+ \item On-Waves e.h.f
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Thanks}
+Thanks for your attention. I hope we have time for Q\&A.
+\end{frame}
+
+
+\end{document}
diff --git a/2014/osmocom-dorscluc2014/osmosdr.jpg b/2014/osmocom-dorscluc2014/osmosdr.jpg
new file mode 100644
index 0000000..730b579
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmosdr.jpg
Binary files differ
diff --git a/2014/osmocom-dorscluc2014/simtrace_and_phone.jpg b/2014/osmocom-dorscluc2014/simtrace_and_phone.jpg
new file mode 100644
index 0000000..3fddf27
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/simtrace_and_phone.jpg
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/dab.jpg b/2014/rtlsdr-openfest2014/dab.jpg
new file mode 100644
index 0000000..97bbcc3
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/dab.jpg
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/ezcap_top.jpg b/2014/rtlsdr-openfest2014/ezcap_top.jpg
new file mode 100644
index 0000000..d504471
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/ezcap_top.jpg
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/fcdp.jpg b/2014/rtlsdr-openfest2014/fcdp.jpg
new file mode 100644
index 0000000..329bd82
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/fcdp.jpg
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/fcdp_pcb.jpg b/2014/rtlsdr-openfest2014/fcdp_pcb.jpg
new file mode 100644
index 0000000..6b4f94d
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/fcdp_pcb.jpg
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/glonass-sps2.8e6.png b/2014/rtlsdr-openfest2014/glonass-sps2.8e6.png
new file mode 100644
index 0000000..9d4da31
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/glonass-sps2.8e6.png
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/gps-sps2048e3.png b/2014/rtlsdr-openfest2014/gps-sps2048e3.png
new file mode 100644
index 0000000..301f78e
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/gps-sps2048e3.png
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/gr-dab-constellation.png b/2014/rtlsdr-openfest2014/gr-dab-constellation.png
new file mode 100644
index 0000000..c9869f1
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/gr-dab-constellation.png
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/grc_wbfm.png b/2014/rtlsdr-openfest2014/grc_wbfm.png
new file mode 100644
index 0000000..7033a36
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/grc_wbfm.png
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/hama_nano1.jpg b/2014/rtlsdr-openfest2014/hama_nano1.jpg
new file mode 100644
index 0000000..e1992fe
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/hama_nano1.jpg
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/inmarsat.png b/2014/rtlsdr-openfest2014/inmarsat.png
new file mode 100644
index 0000000..b0300c3
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/inmarsat.png
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/noxon_top.jpg b/2014/rtlsdr-openfest2014/noxon_top.jpg
new file mode 100644
index 0000000..d696e98
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/noxon_top.jpg
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/osmosdr.jpg b/2014/rtlsdr-openfest2014/osmosdr.jpg
new file mode 100644
index 0000000..730b579
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/osmosdr.jpg
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/rtl-sdr-gmr.png b/2014/rtlsdr-openfest2014/rtl-sdr-gmr.png
new file mode 100644
index 0000000..2ec1265
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/rtl-sdr-gmr.png
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/rtl-sdr.pdf b/2014/rtlsdr-openfest2014/rtl-sdr.pdf
new file mode 100644
index 0000000..f24901f
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/rtl-sdr.pdf
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/rtl-sdr.snm b/2014/rtlsdr-openfest2014/rtl-sdr.snm
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/rtl-sdr.snm
diff --git a/2014/rtlsdr-openfest2014/rtl-sdr.tex b/2014/rtlsdr-openfest2014/rtl-sdr.tex
new file mode 100644
index 0000000..8a68222
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/rtl-sdr.tex
@@ -0,0 +1,561 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+ \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode<presentation>
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{rtl-sdr}
+
+\subtitle
+{Turning USD 20 Realtek DVB-T receiver into a SDR}
+
+\author{Harald Welte <laforge@gnumonks.org>}
+
+\institute
+{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[] % (optional, should be abbreviation of conference name)
+{Nuvember 2014, OpenFest, Sofia}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Communications}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}<beamer>{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents[hideallsubsections]
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+ \item Using + toying with Linux since 1994
+ \item Kernel / bootloader / driver / firmware development since 1999
+ \item IT security expert, focus on network protocol security
+ \item Former core developer of Linux packet filter netfilter/iptables
+ \item Board-level Electrical Engineering
+ \item Always looking for interesting protocols (RFID, DECT, GSM)
+ \item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Disclaimer}
+\begin{itemize}
+ \item This talk is not about the Linux kernel
+ \item This talk is not about consumer mass market
+ \item It's about turning a single-purpose device into many more features
+ \item ... and to illustrate the creativity unleashed when hardware / chipset makers don't lock their devices down
+\end{itemize}
+\end{frame}
+
+\section{Software Defined Radio}
+
+\subsection{Traditional radio receivers vs. SDR}
+
+\begin{frame}{Traditional Radio}
+\begin{itemize}
+ \item uses hardware-based receiver + demodulator
+ \item uses analog filtering with fixed filters for given
+ application
+ \item recovers either analog signal or digitizes demodulated bits
+ \item has not changed much in close to 100 years of using radio
+ waves for communications
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Software Defined Radio (SDR)}
+\begin{itemize}
+ \item uses a more or less classic radio fronted / tuner to
+ down-convert either to IF or to baseband
+ \item uses a high-speed ADC to digitize that IF or baseband
+ signal
+ \item uses digital signal processing for filtering,
+ equalization, demodulation, decoding
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SDR advantages vs. traditional radio}
+\begin{itemize}
+ \item more flexibility in terms of communication system
+ \item as long as tuner input frequency, ADC sampling rate and
+ computing power are sufficient, any receiver can be
+ implemented in pure software, without hardware changes
+ \item this is used mostly by military (JTRS, SCA) and commercial
+ infrastructure equipment (e.g UMTS NodeB / LTE eNodeB)
+\end{itemize}
+\end{frame}
+
+\subsection{How the industry normally uses SDR}
+
+\begin{frame}{SDR technology in consumer electronics}
+\begin{itemize}
+ \item lots of consumer devices already implement SDR technology
+ \begin{itemize}
+ \item GSM/UMTS/LTE baseband processor in mobile phones
+ \item WiFi, Bluetooth, GPS
+ \end{itemize}
+ \item flexibility of such implementations is restricted to
+ manufacturer, as low-level access to DSP code and/or raw
+ samples is not intended / documented / activated
+ \item user is locked out from real benefits and flexibility of SDR
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Existing SDR hardware marketed as SDR}
+\begin{itemize}
+ \item regular consumer-electronics SDR don't provide low-level
+ access or documentation
+ \item military / telco grade SDR device are way too expensive
+ (five-digit USD per unit)
+ \item Ettus developed the famous USRP family (four-digit USD per
+ unit). Used a lot in education + research
+ \item Even lower-cost devices now like Fun Cube Dongle Pro
+ (FCDP) or OsmoSDR (three-digit USD per unit)
+\end{itemize}
+\end{frame}
+
+\subsection{How the community wants to use SDR}
+
+\begin{frame}{Universal Software Radio Peripheral}
+\begin{itemize}
+ \item A general-purpose open-source hardware SDR
+ \begin{itemize}
+ \item Schematics and component placement information public
+ \end{itemize}
+ \item Generally available to academia, professional users and individuals
+ \item Modular concept
+ \begin{itemize}
+ \item Mainboard contains Host PC interface and baseband codec
+ \item Daughter boards contain radio frontend with rf up/downconverter
+ \end{itemize}
+ \item Big step forward in pricing, but still not affordable for everyone
+ \begin{itemize}
+ \item USD~700 for mainboard
+ \item frontends from USD~75 to USD~250
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{USRP1 Circuit Board Photograph}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=55mm]{usrp_board_photo.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{USRP1 Block Diagram}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=75mm]{usrp-block-diagram.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{USRP1 technical specs}
+\begin{itemize}
+ \item $4\times$ 12~bit ADCs @ 64~MS/s (digitize band of up to 32~MHz)
+ \item $4\times$ 14~bit DACs @ 128~MS/s (useful output freq from DC...44~MHz)
+ \item $64\times$ Digital I/O ports, 16 to each daughter-board
+ \item The USRP mainboard has 4 slots for daughter-boards (2 Rx, 2 Tx)
+ \item transceiver frontends occupy 2 slots (1 Rx, 1 Tx)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Successors to USRP1}
+\begin{itemize}
+ \item USRP2: 25MHz bandwidth, 100MHz ADC, 400MHz DAC, Ethernet
+ \item URSP N2x0: 100MHz ADC, 400MHz DAC, Ethernet
+ \item USRP B100/B2x0: USB-Attached SDRs
+ \item USRP E1x0: 64MHz 12bit ADC, 100MHz 14bit DAC, Embedded with OMAP3
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Fun Cube Dongle Pro (2010)}
+\begin{itemize}
+ \item 64 MHz to 1700 Mhz USB SDR receiver (193 USD)
+ \item limited to 96 kHz I/Q baseband sampling
+ \item great for amateur radio and TETRA, but most other
+communications systems (like GSM introduced in 1992) use wider band-widths
+ \item great progress in terms of size and cost, but much more
+limited than USRP
+ \item Hardware design and firmware sadly are proprietary
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Fun Cube Dongle Pro (2010)}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=110mm]{fcdp_pcb.jpg}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{OsmoSDR (2012)}
+\begin{itemize}
+ \item small, low-power / low-cost USB SDR hardware (225 USD)
+ \item higher bandwidth than FunCubeDonglePro (1.2 MHz / 14bit)
+ \item much lower cost than USRP, but more expensive than FCDP
+ \item Open Hardware (schematics), software (FPGA, firmware)
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=70mm]{osmosdr.jpg}
+\end{figure}
+\end{frame}
+
+
+
+\section{Gnuradio Software Defined Radio}
+
+\subsection{Gnuradio SDR Architecture}
+
+\begin{frame}{Gnuradio architecture}
+\begin{itemize}
+ \item Philosophy: Implement SDR not as hand-crafted special-case hand-optimized assembly code in some obscure DSP, but on a general purpose PC
+ \begin{itemize}
+ \item with modern x86 systems at multi-GHz clock speeds and with many cores this becomes feasible
+ \item of course way too expensive for a mass-produced product, but very suitable for research, teaching and rapid prototyping
+ \end{itemize}
+ \item Implement various signal processing elements in C++
+ \begin{itemize}
+ \item assembly optimized libraries for low-level operations
+ \item provide python bindings for all blocks
+ \end{itemize}
+ \item Python script to define interaction, relation, signal~routing between blocks
+\end{itemize}
+\end{frame}
+
+\subsection{Gnuradio blocks and flow graphs}
+
+\begin{frame}{Gnuradio blocks and flow graphs}
+\begin{description}[flow graph]
+ \item[block] represents one element of signal processing
+ \begin{itemize}
+ \item filters, adders, transforms, decoders, hardware interfaces
+ \end{itemize}
+ \item[flow graph] defines routing of signals and interconnection of blocks
+ \begin{itemize}
+ \item Think of it as the {\em plumbing} between the blocks
+ \end{itemize}
+\end{description}
+Data passing between blocks can be of any C++ data type
+\end{frame}
+
+\begin{frame}{GRC flow graph for Wideband FM}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=110mm]{grc_wbfm.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{GRC flow graph for SSB}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=100mm]{ssb_rcv_grc.png}
+\end{figure}
+\end{frame}
+
+
+\subsection{Gnuradio sinks and sources}
+
+\begin{frame}{Gnuradio sinks and sources}
+\begin{description}[source]
+ \item[sink] special block that consumes data
+ \begin{description}[hardware sinks]
+ \item[hardware sinks] USRP, Sound card, COMEDI
+ \item[software sinks] Scope UI, UDP port, Video card
+ \end{description}
+ \item[source] special block that sources data
+ \begin{description}[hardware sources]
+ \item[hardware sources] USRP, Sound card, COMEDI
+ \item[software sources] Noise source, File, UDP port
+ \end{description}
+\end{description}
+Every flow graph needs at least one sink and one source!
+\end{frame}
+
+\section{Finally: rtl-sdr}
+
+\subsection{The Realtek RTL2832U and its primary application}
+
+\begin{frame}{Realtek RTL2832U based DVB-T receivers}
+\begin{itemize}
+ \item Realtek RTL2832U based DVB-T receivers are cheaply
+ available on the market (USD 20)
+ \item RTL2832U implements ADC, DVB-T demodulator and high-speed
+ USB device
+ \item Normal mode of operation includes full DVB-T receiver
+ inside RTL2832U hardware and only sends MPEG2-TS via USB
+ \item Realtek released GPL-licensed Linux kernel driver for
+ watching TV (not mainline style, but at least GPL)
+ \item Realtek released limited manual to V4L developers
+\end{itemize}
+\end{frame}
+
+\begin{frame}{RTL2832U based devices: EzTV 668}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=110mm]{ezcap_top.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{RTL2832U based devices: Hama nano1}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=110mm]{hama_nano1.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{RTL2832U based devices}
+\begin{itemize}
+ \item more than 20 different devices from various vendors
+ \item Brand names include ezcap, Hama, Terratec, Compro, GTek, Lifeview, Twintech, Dexatek, Genius, Gigabyte, Dikom, Peak, Sveon
+ \item all based on the identical RTL2832U reference design
+ \item only major difference is mechanical shape/size and silicon
+tuner used. Best tuner we know is Elonics E4000 (high frequency range)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{RTL2832U FM and DAB radio}
+\begin{itemize}
+ \item Some people realized certain windows drivers for RTL2832U
+ based products implement FM Radio, others even DAB
+ \item Linux driver had no FM radio or DAB support
+ \item Realtek-disclosed limited data sheet didn't mention it
+ either
+ \item Sniffing USB protocol on Windows revealed that raw samples
+ are passed from ADC over USB, FM or DAB demodulation
+ happens in x86 software.
+ \item Realtek didn't provide documentation or source code for
+ this on request
+\end{itemize}
+\end{frame}
+
+\begin{frame}{RTL2832U towards rtl-sdr}
+\begin{itemize}
+ \item Reverse engineering the USB protocol and replaying certain
+ commands from custom libusb based code was able to trigger the raw
+ sample transmission
+ \item remaining Realtek driver provided information on how to
+ use the I2C controller to control the tuner frontend
+ \item Harald already developed Elonics E4000 driver for
+ osmo-sdr, which could be re-cycled
+ \item Tuning to arbitrary frequencies allows digitizing spectrum
+ of any communications system within the tuner range
+\end{itemize}
+\end{frame}
+
+\begin{frame}{RTL2832U towards rtl-sdr}
+\begin{itemize}
+ \item {\em librtlsdr} contains the major part of the driver
+ \item {\em rtl\_sdr} command line capture tool
+ \item {\em gr-osmosdr} gnuradio source block
+ \item Homepage: http://sdr.osmocom.org/trac/wiki/rtl-sdr
+ \item libusb is portable, there even are pre-built windows
+ binaries
+\end{itemize}
+\end{frame}
+
+\subsection{Some of the software supporting rtl-sdr}
+
+\begin{frame}{rtl-sdr software support}
+\begin{itemize}
+ \item gnuradio (of course), using gr-osmosdr
+ \item gr-pocsag (POCSAG pagers)
+ \item simple\_fm\_rcv (FM receiver)
+ \item python-librtlsdr / pyrtlsdr (generic python bindings)
+ \item QtRadio
+ \item qgrx
+ \item rtl\_fm
+ \item SDR\#
+ \item gr-air-modes
+ \item tetra\_demod\_fft (TETRA radio)
+ \item airprobe (GSM receiver)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Free Software SDR Receivers}
+Full FOSS receivers/demodulators/decoders available for
+\begin{itemize}
+ \item Old analog modes like AM/FM/WFM/SSB
+ \item DAB (Digital Audio Broadcasting)
+ \item GSM downlink + uplink (airprobe)
+ \item TETRA downlink (OsmocomTETRA)
+ \item ETSI GMR / Thuraya (OsmocomGMR)
+ \item P25 (OsmocomOP25)
+ \item AIS (Maritime transponders)
+ \item Gen2 UHF RFID
+ \item DECT (Digital European Cordless Telephony)
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Who needs all of this?}
+\begin{itemize}
+ \item Students learning about digital signal processing
+ \item Radio Amateurs
+ \item Communications (security) resarchers
+ \item Anyone interested in building their own software radio
+ receivers
+\end{itemize}
+This is of course not the 100k / million quantity consumer mass market.
+But nonetheless, definitely thousands to tens of thousands
+\end{frame}
+
+\subsection{Signal Plots}
+
+\begin{frame}{rtl-sdr: Multi-Carrier TETRA}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=110mm]{tetra.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{rtl-sdr: ETSI GMR (Thuraya Satphone)}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=110mm]{rtl-sdr-gmr.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{rtl-sdr: GPS (after filter / LNA)}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=110mm]{gps-sps2048e3.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{rtl-sdr: inmarsat (after LNA)}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=75mm]{inmarsat.png}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{Thanks}
+I'd like to thank the many Osmocom developers and contributors,
+especially
+\begin{itemize}
+ \item Steve Markgraf
+ \item Dimitri Stolnikov
+ \item Hoernchen
+ \item Sylvain Munaut
+\end{itemize}
+also, Realtek for providing at least some (DVB oriented) documentation
+and for releasing GPL licensed code for their hardware in the first
+place.
+\end{frame}
+
+
+\begin{frame}{Thanks}
+Thanks for your attention. I hope we have time for Q\&A.
+\end{frame}
+
+
+\end{document}
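Review bot: The homepage on the "rtl-sdr software support" frame is typed as bare text, `\item Homepage: http://sdr.osmocom.org/trac/wiki/rtl-sdr`, even though the `url` package and the custom `leo` style are set up at the top of this file for exactly that; `\item Homepage: \url{http://sdr.osmocom.org/trac/wiki/rtl-sdr}` gets the tiny typewriter font and correct line breaking. Two typos reach the rendered PDF: `{Nuvember 2014, OpenFest, Sofia}` in `\date` should be `{November 2014, OpenFest, Sofia}`, and "resarchers" on the "Who needs all of this?" frame should be "researchers". The `\def\UrlFont{\sf}` fallback in the `leostyle` definition uses the obsolete two-letter font switch; `\sffamily` is the LaTeX2e form. The raw URLs on the UmTRX and xgoldmon frames of the preceding deck have the same `\url` issue, but that hunk begins outside this view.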
diff --git a/2014/rtlsdr-openfest2014/ssb_rcv_grc.png b/2014/rtlsdr-openfest2014/ssb_rcv_grc.png
new file mode 100644
index 0000000..c79e086
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/ssb_rcv_grc.png
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/tetra.png b/2014/rtlsdr-openfest2014/tetra.png
new file mode 100644
index 0000000..7873cb2
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/tetra.png
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/usrp-block-diagram.png b/2014/rtlsdr-openfest2014/usrp-block-diagram.png
new file mode 100644
index 0000000..c79faf8
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/usrp-block-diagram.png
Binary files differ
diff --git a/2014/rtlsdr-openfest2014/usrp_board_photo.jpg b/2014/rtlsdr-openfest2014/usrp_board_photo.jpg
new file mode 100644
index 0000000..0471cc4
--- /dev/null
+++ b/2014/rtlsdr-openfest2014/usrp_board_photo.jpg
Binary files differ
diff --git a/2014/simtrace-openfest2014/bladox-turbosim.jpg b/2014/simtrace-openfest2014/bladox-turbosim.jpg
new file mode 100644
index 0000000..02b6372
--- /dev/null
+++ b/2014/simtrace-openfest2014/bladox-turbosim.jpg
Binary files differ
diff --git a/2014/simtrace-openfest2014/isim-dir-struct.png b/2014/simtrace-openfest2014/isim-dir-struct.png
new file mode 100644
index 0000000..3c81156
--- /dev/null
+++ b/2014/simtrace-openfest2014/isim-dir-struct.png
Binary files differ
diff --git a/2014/simtrace-openfest2014/part-sim.tex b/2014/simtrace-openfest2014/part-sim.tex
new file mode 100644
index 0000000..a8f737a
--- /dev/null
+++ b/2014/simtrace-openfest2014/part-sim.tex
@@ -0,0 +1,410 @@
+\section{SIM Cards}
+
+\subsection{Smart Card Basics}
+
+\begin{frame}{Terminology}
+\begin{description}
+ \item[SIM] Subscriber Identity Module
+ \item[USIM] Universal Subscriber Identity Mdoule
+ \item[UICC] Universal Integrated Chip Card
+ \item[MS] GSM Mobile Station (phone, modem)
+ \item[UE] UMTS User Equipment
+ \item[ME] GSM Mobile Equipment (MS + SIM)
+ \item[OTA] Over The Air
+ \item[SAT] SIM Application Toolkit
+ \item[CAT] Card (UICC) Application Toolkit
+ \item[USAT] USIM Application Toolkit
+ \item[TAR] Toolkit Application Reference
+\end{description}
+\end{frame}
+
+\begin{frame}{Relevant Specification Bodies}
+\begin{itemize}
+ \item ISO (ISO 7816) smart cards
+ \item ETSI (Eurpoean Telecomms Standardisation Institute)
+ \begin{itemize}
+ \item Classic GSM SIM
+ \item UICC card as basis for various telecom ID purposes
+ \item Card Application Toolkit (CAT)
+ \end{itemize}
+ \item 3GPP (3rd Generation Partnership Project)
+ \begin{itemize}
+ \item USIM Application
+ \item USIM Application Toolkit (USAT)
+ \item API based applet interworking
+ \end{itemize}
+ \item Global Platform
+ \begin{itemize}
+ \item Overall spec for SIM/USIM with Java
+ \end{itemize}
+ \item Sun Microsystems (now Oracle)
+ \begin{itemize}
+ \item Java Card Virtual Machine
+ \item Java Card Runtime Environment
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The Subscriber Identity Module (SIM)}
+\begin{itemize}
+ \item Basic idea was to store cryptographic identity of subscriber inside smart card
+ \item User can thus migrate identity from one device to another
+ \item User can furthermore use different SIM in same device (e.g. local prepaid SIM while travelling)
+ \item Original SIM card design mostly ISO 7816-4 filesystem and single command to execute A3/A8 algorithm inside card
+ \begin{itemize}
+ \item This could even be done in logic, no processor required
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The modern SIM}
+The modern SIM is an entirely different beast
+\begin{itemize}
+ \item Cryptographic processor smart card
+ \begin{itemize}
+ \item Symmetric cryptography such as DES, 3DES, AES
+ \item Public key cryptography such as RSA, ECC
+ \end{itemize}
+ \item Java Card including a small Java VM and Java RE
+ \item Multiple application support
+ \item Ability to download applications (Applets) into card
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card Basics}
+\begin{itemize}
+ \item microprocessor with RAM, Flash and Operating System
+ \item Interface: Electrical + Logical Protocol (ISO7816-3, ISO7816-4)
+ \item File System based representation of information
+ \item Protocol describes remote operations on the file system
+ \item Few non-filesystem related commands for e.g. authentication
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card Filesystem}
+\begin{itemize}
+\item Hierarchical file system like on PC
+\begin{description}[MF]
+ \item[MF] (master file): root directory
+ \item[DF] (dedicated file): subdirectory
+ \item[EF] (entry file): actual file
+ \begin{itemize}
+ \item transparent or record oriented
+ \item record linear fixed/variable or record cyclic
+ \end{itemize}
+\end{description}
+\item File names don't exist on card. 16bit FID (File ID) or 8bit SFID used instead
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card Filesystem Hierarchy}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=110mm]{sim-mf-df_gsm.png}
+\end{figure}
+\end{frame}
+
+
+%\begin{frame}{Smart Card Filesystem Permissions}
+%\begin{itemize}
+% \item similar to 'permission bits' on Linux or other PC OS
+% \item each file can define separate read/write permissions
+% \item some cards are permanently read-only
+% \item other files can be written to after regular PIN verification
+% \item yet another set of files e.g. needs one of the ADM PINs
+%\end{itemize}
+%\end{frame}
+
+
+%\begin{frame}{Smart Card Logical Channels}
+%\begin{itemize}
+% \item Initially Smart Cards had only one interface (UART)
+% \item This means that only one application on the host side can interact with it, as there's sharde state
+% \item logical channels introduce a concept where this connection is virtualized, and multiple separate states (including with different access privileges) can exist in parallel
+%\end{itemize}
+%\end{frame}
+
+\begin{frame}{SIM Card APDU Commands}
+Classic SIM card commands include the following
+\begin{itemize}
+ \item SELECT (change directory / open file)
+ \item READ BINARY, UPDATE BINARY (read/write transparent EF)
+ \item READ RECORD, UPDATE RECORD (read/write record EF)
+ \item ENABLE CHV, DISABLE CHV, CHANGE CHV (enable, disable or change PIN)
+ \item VERIFY CHV, UNBLOCK CHV (verify or unblock PIN)
+ \item RUN GSM ALGORITHM (A3/A8 authentication)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card Filesystem}
+Typical operations of the phone include
+\begin{itemize}
+ \item navigating inside filesystem by SELECT on DF/EF
+ \item authenticating the user PIN
+ \item reading/updating files
+ \begin{itemize}
+ \item reading IMSI
+ \item old-school SMS and contact storage
+ \item storing session keys (Kc/KcGPRS, ...)
+ \item storing last cell on power-off
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Smart Card PINs}
+The level of access to the filesystem and other card features is
+determined by authentication using a shared secret, called 'PIN'.
+\begin{itemize}
+ \item Regular PIN for normal use of the card by the end user
+ \item PUK for resetting the pin after too many retries
+ \item ADM1..n PIN for access by the operator only
+\end{itemize}
+\end{frame}
+
+%\begin{frame}{Multi-Application Smart Cards}
+%\begin{itemize}
+% \item Classic SIM cards are single application, accessing the
+% GSM related files works by entering the known DF.GSM
+% directory with its well-known FID
+% \item Later the idea of multi-application smart cards entered
+% the market
+% \item A multi-application smart card contains an EF.DIR in the
+% MF
+% \item EF.DIR contains records with the AIDs of all applications
+% on the card.
+% \item AID prefix is well-known to the application, AID suffix is
+% manufacturer specific. Applications use prefix-match
+% \item application specific directory can be entered by SELECT on
+% the AID
+%\end{itemize}
+%\end{frame}
+
+%\begin{frame}{USIM Application Dedicated File (ADF.USIM)}
+%\begin{figure}[h]
+% \centering
+% \includegraphics[width=110mm]{usim-dir-structure.png}
+%\end{figure}
+%\end{frame}
+
+
+%\subsection{From SIM to UICC and USIM}
+
+%\begin{frame}{Evolution of the SIM}
+%\begin{itemize}
+% \item Classic GSM SIM cards
+% \begin{itemize}
+% \item initial GSM / ETSI TS 11.11 for classic GSM SIM, based on ISO 7816-2/3/4
+% \item small changes for GPRS support by introducing a few new optional files
+% \item Class byte 0xA0 used in GSM SIM
+% \end{itemize}
+% \item USIM cards
+% \begin{itemize}
+% \item Completely new approach based on ETSI UICC spec, multi-application capable
+% \item Selection of ADF.USIM by AID
+% \item Many new files
+% \item backwards compatibility achieved by placing DF.GSM
+% in MF and linking (think of symlink/hardlink) of
+% relevant files
+% \item Authentication for GSM and UMTS can be completely
+% different (algorithm, secret key used, ...)
+% \end{itemize}
+% \item Additional application profiles exist for GSM-R, TETRA and
+% other ETSI related communications systems.
+%\end{itemize}
+%\end{frame}
+
+%\begin{frame}{Evolution of Specifications}
+%\begin{itemize}
+% \item Classic SIM: ETSI TS 11.11 / 3GPP TS 51.011
+% \item UICC Card: 3GPP TS 31.101, 31.900, ETSI TS 102 221, 102 222
+% \item USIM application: 3GPP TS 31.102
+% \item ISIM application for IMS (VoIP for LTE): 3GPP TS 31.103
+%\end{itemize}
+%\end{frame}
+
+%\begin{frame}{ISIM Application Dedicated File (ADF.ISIM)}
+%\begin{figure}[h]
+% \centering
+% \includegraphics[width=110mm]{isim-dir-struct.png}
+%\end{figure}
+%\end{frame}
+
+\subsection{SIM Application Toolkit (SAT)}
+
+\begin{frame}{SIM Application Toolkit (SAT)}
+\begin{itemize}
+ \item Ability for card to run applications that have UI on the phone
+ \begin{itemize}
+ \item Display menu items on-screen
+ \item Get user input from keypad/touch-screen
+ \end{itemize}
+ \item Original Version Described in TS 11.14 and 11.11
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT -- Proactive SIM}
+The {\em Proactive SIM} features
+\begin{itemize}
+ \item Sending a short message
+ \item Setting up a voice call
+ \item Playback of a tone in earpiece
+ \item Providing location information from ME to SIM
+ \item Have ME execute timers on behalf of SIM
+ \item Sending DTMF to network
+ \item Running an AT command received from SIM, sending result back to SIM
+ \item Ask ME to launch browser to SIM-provided URL
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT -- Call and SMS Control}
+\begin{itemize}
+ \item ME passes MO call setup attempts to SIM for approval
+ \item SIM can then
+ \begin{itemize}
+ \item approve or decline the MO call
+ \item modify the call details such as phone number
+ \item replace the call with USSD message
+ \end{itemize}
+ \item ME passes USSD requests similar to Call Control
+ \item Similar mechanism exists for all MO SMS
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT -- Provide local information}
+The SIM can inquire the ME about
+\begin{itemize}
+ \item MCC / MNC / LAC / Cell ID
+ \item IMEI of ME
+ \item Network Measurement Results
+ \item BCCH channel list
+ \item Date, Time, Timezone
+ \item ME language setting
+ \item Timing Advance
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT -- Event download}
+The SIM is notified by ME about certain events such as
+\begin{itemize}
+ \item Call Connected / Disconnected
+ \item Location Status (Location Area change)
+ \item User activity (keyboard input)
+ \item Idle screen available
+ \item Browser termination
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT - Data download}
+\begin{itemize}
+ \item Enables Operator to exchange arbitrary data with the SIM
+ \item Could be RFM (Remote File Management)
+ \begin{itemize}
+ \item Read or modify phone book entries
+ \item Even change the IMSI of the SIM (!)
+ \end{itemize}
+ \item In case of Java Card, can be download of card applets
+ \begin{itemize}
+ \item Applets are stored permanently on SIM
+ \item Can later use SAT procedures to interact with ME
+ \item TS 03.19 specifies Java API to access SAT from Java RE
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT - Data download}
+SAT Data Download can happen via
+\begin{itemize}
+ \item via SMS or Cell Broadcast
+ \begin{itemize}
+ \item Uses TS 03.40 TP-PID {\em SIM DATA Download}
+ \item ME forwards such SMS to the SIM in {\tt ENVELOPE} APDU
+ \item Response from SIM is sent back as MO-SMS or DELIVERY REPORT
+ \end{itemize}
+ \item via BIP (Bearer Independent Protocol)
+ \begin{itemize}
+ \item Dedicated CSD call between network and SIM
+ \item GPRS session between network and SIM
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SAT - Data download}{Data download security}
+\begin{itemize}
+ \item GSM TS 03.48 specifies secure messaging for data download
+ \item Includes replay protection
+ \item Supports DES and 3DES
+ \item SMS chaining for long commands / large data
+\end{itemize}
+\end{frame}
+
+\subsection{SIM threat model}
+\begin{frame}{SIM card abuse by hostile operator}
+\begin{itemize}
+ \item Even if the phone might be considered trusted, the SIM card is owned and controlled by the operator
+ \item Using SAT features, the operator can control many aspects of the phone
+ \item Examples
+ \begin{itemize}
+ \item Remotely reading address book / stored SMS
+ \item Monitor user behavior (browser termination, idle screen, ...)
+ \item Ask phone to establish packet data session
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SIM card re-programming by attacker}
+\begin{itemize}
+ \item If the SIM is not properly secured (auth + encryption keys, ...) a third party attacker can send SAT envelope SMS to the card and install resident Java applets
+ \item The attacker can then
+ \begin{itemize}
+ \item Obtain detailed location information and send it via SMS
+ \item Intercept/log outgoing calls
+ \item Sending copies of incoming + outgoing SMS elsewhere
+ \end{itemize}
+ \item Even using SIM card channel to exploit baseband stack is feasible
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SIM card proxy / MITM by attacker}
+As soon as an attacker has temporary physical access to a phone, he can
+\begin{itemize}
+ \item Insert a proxy-SIM between real SIM and phone
+ \item Do everything a Java applet could do, but even with a securely configured SIM as he does not modify the existing SIM
+ \item Sniff current Kc and send it out e.g. via SMS or even UDP/TCP packets over GPRS
+ \item ... by only using standard interfaces that are common among all phones (as opposed to baseband software hacking which is very model-specific)
+\end{itemize}
+Most users would never notice this as they rarely check their SIM slot
+\end{frame}
+
+%%%%%%
+\subsection{SIM attacks countermeasures}
+
+\begin{frame}{Defending against SIM based attacks}
+\begin{itemize}
+ \item SIM cards are Operator issued, Ki is on the SIM
+ \begin{itemize}
+ \item SIM card can thus not be replaced, but original SIM must be used
+ \end{itemize}
+ \item Configure telephone to not store contacts or SMS on SIM
+ \item Communication between SIM and ME is not encrypted/authenticated
+ \item Solution: Proxy SIM between SIM and ME to break STK / OTA
+ \begin{itemize}
+ \item Filter all STK/OTA/Proactive commands like ENVELOPE
+ \item Indicate lack of STK support to ME (EF.Phase)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Proxy SIM with firewall}
+\begin{itemize}
+ \item There are no known commercial products that implement STK/OTA filtering
+ \item But there are a number of shim SIM cards that are plugged between SIM and SIM slot
+ \item Most of them are used for SIM unlocking modern phones
+ \item Some vendors produce freely (re)programmable proxy SIMs:
+\end{itemize}
+\begin{figure}[h]
+\subfigure{\includegraphics[width=40mm]{bladox-turbosim.jpg}}
+\subfigure{\includegraphics[width=25mm]{rebelsim2.jpg}}
+ \caption{Bladox TurboSIM (AVR) and RebelSIM II (8051)}
+ %\caption{Bladox Turbo SIM (AVR)}}
+\end{figure}
+\end{frame}
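Review bot: Two typos on the first frames of this file will show on the slides: the `Terminology` frame should read `\item[USIM] Universal Subscriber Identity Module` and the `Relevant Specification Bodies` frame `\item ETSI (European Telecomms Standardisation Institute)`. Frame titles alternate between `SAT -- Proactive SIM` and `SAT - Data download`; using the en-dash `--` throughout keeps them consistent. The `Proxy SIM with firewall` figure relies on `\subfigure`, whose package is deprecated in favour of `subcaption` (`\begin{subfigure}` environments), and the `[h]` placement on the figures inside frames can be dropped or written `[htbp]`. On the `Data download security` frame it would help the threat-model slides that follow to state that the TS 03.48 protection (keys, algorithm, minimum security level) is an operator-chosen per-card configuration rather than always enabled, since that is exactly the premise of the `SIM card re-programming by attacker` frame ("If the SIM is not properly secured").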
diff --git a/2014/simtrace-openfest2014/rebelsim2.jpg b/2014/simtrace-openfest2014/rebelsim2.jpg
new file mode 100644
index 0000000..0ba6247
--- /dev/null
+++ b/2014/simtrace-openfest2014/rebelsim2.jpg
Binary files differ
diff --git a/2014/simtrace-openfest2014/section-simtrace.tex b/2014/simtrace-openfest2014/section-simtrace.tex
new file mode 100644
index 0000000..0d6ffc4
--- /dev/null
+++ b/2014/simtrace-openfest2014/section-simtrace.tex
@@ -0,0 +1,75 @@
+\section{Osmocom SIMtrace}
+
+\subsection{Analyzing SIM drivers and STK apps}
+
+\begin{frame}{Analyzing SIM toolkit applications is hard}
+\begin{itemize}
+ \item Regular end-user phone does not give much debugging
+ \item SIM card itself has no debug interface for printing error messages, warnings, etc.
+ \item However, as SIM-ME interface is unencrypted, sniffing / tracing is possible
+ \item Commercial / proprietary solutions exist, but are expensive (USD 5,000 and up)
+ \item Technically, sniffing smard card interfaces is actually very simple
+\end{itemize}
+\end{frame}
+
+\subsection{Osmocom SIMtrace Introduction}
+
+\begin{frame}{Introducing Osmocom SIMtrace}
+\begin{itemize}
+ \item Osmocom SIMtrace is a passive (U)SIM-ME communication sniffer
+ \item Insert SIM adapter cable into actual phone
+ \item Insert (U)SIM into SIMtrace hardware
+ \item SIMtrace hardware provides USB interface to host PC
+ \item {\tt simtrace} host PC program encapsulates APDU in GSMTAP
+ \item GSMTAP is sent via UDP to localhost
+ \item wireshark dissector for GSM TS 11.11 decodes APDUs
+\end{itemize}
+\end{frame}
+
+\subsection{Osmocom SIMtrace Hardware}
+
+\begin{frame}{Osmocom SIMtrace Principle}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=70mm]{simtrace-schema.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Osmocom SIMtrace Hardware}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=105mm]{simtrace_and_phone.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Osmocom SIMtrace Hardware}
+\begin{itemize}
+ \item Hardware is based around AT91SAM7S controller
+ \item SAM7S Offers two ISO 7816-3 compatible USARTs
+ \item USARTs can be clock master (SIM reader) or slave (SIM card)
+ \item Open Source Firmware on SAM7S implementing APDU sniffing
+ \item Auto-bauding depending CLK signal, PPS supported
+ \item Schematics / layout is open source (CC-BY-SA)
+ \item Assembled + tested kits can be bought from {\url http://shop.sysmocom.de/}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{wireshark decoding}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=95mm]{wireshark-sim.png}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{SIMtrace TODO}
+SIMtrace hardware is capable, but no software yet for:
+\begin{itemize}
+ \item perform MITM (APDU filtering)
+ \item full software SIM card emulation
+ \item PC/SC compatible smart card reader
+ \item autonomous tracing operation (No PC / USB), store APDU logs {\em in the field} on integrated SPI flash
+\end{itemize}
+Firmware and host software all FOSS, anyone can extend and innovate!
+\end{frame}
+
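Review bot: The shop link on the `Osmocom SIMtrace Hardware` frame is malformed: `\url` expects a braced argument, so `{\url http://shop.sysmocom.de/}` should be `\url{http://shop.sysmocom.de/}`; as written the argument is not delimited by braces and the URL will not be typeset correctly. Two wording fixes in the same file: `sniffing smart card interfaces` on the first frame and `Auto-bauding depending on CLK signal` on the hardware frame. The `[h]` float placement inside frames is unnecessary, and `{\em in the field}` on the TODO frame is better written `\emph{in the field}`.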
diff --git a/2014/simtrace-openfest2014/sim-mf-df_gsm.png b/2014/simtrace-openfest2014/sim-mf-df_gsm.png
new file mode 100644
index 0000000..f953075
--- /dev/null
+++ b/2014/simtrace-openfest2014/sim-mf-df_gsm.png
Binary files differ
diff --git a/2014/simtrace-openfest2014/simtrace-schema.png b/2014/simtrace-openfest2014/simtrace-schema.png
new file mode 100644
index 0000000..c324255
--- /dev/null
+++ b/2014/simtrace-openfest2014/simtrace-schema.png
Binary files differ
diff --git a/2014/simtrace-openfest2014/simtrace.pdf b/2014/simtrace-openfest2014/simtrace.pdf
new file mode 100644
index 0000000..33aaea4
--- /dev/null
+++ b/2014/simtrace-openfest2014/simtrace.pdf
Binary files differ
diff --git a/2014/simtrace-openfest2014/simtrace.snm b/2014/simtrace-openfest2014/simtrace.snm
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/2014/simtrace-openfest2014/simtrace.snm
diff --git a/2014/simtrace-openfest2014/simtrace.tex b/2014/simtrace-openfest2014/simtrace.tex
new file mode 100644
index 0000000..c17c1b6
--- /dev/null
+++ b/2014/simtrace-openfest2014/simtrace.tex
@@ -0,0 +1,158 @@
+
+\newcommand{\degree}{\ensuremath{^\circ}}
+%\documentclass[handout]{beamer}
+\documentclass{beamer}
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode<presentation>
+{
+ \usetheme{CambridgeUS}
+ \usecolortheme{whale}
+
+%\setbeamercolor{titlelike}{parent=palette primary,fg=black}
+\setbeamercolor{frametitle}{use=block title,fg=black,bg=block title.bg!10!bg}
+% from beamercolorthemeorchid.sty to make it look more like warsaw
+\setbeamercolor{block title}{use=structure,fg=white,bg=structure.fg!75!black}
+\setbeamercolor{block title alerted}{use=alerted text,fg=white,bg=alerted text.fg!75!black}
+\setbeamercolor{block title example}{use=example text,fg=white,bg=example text.fg!75!black}
+
+\setbeamercolor{block body}{parent=normal text,use=block title,bg=block title.bg!10!bg}
+\setbeamercolor{block body alerted}{parent=normal text,use=block title alerted,bg=block title alerted.bg!10!bg}
+\setbeamercolor{block body example}{parent=normal text,use=block title example,bg=block title example.bg!10!bg}
+
+
+
+ % or ...
+
+ %\setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+\mode<handout>{
+ \usepackage{misc/handoutWithNotes}
+ \pgfpagesuselayout{2 on 1 with notes landscape}[a4paper,border shrink=5mm]
+ \usecolortheme{seahorse}
+}
+
+% ensure the page number is printed in front of the author name in the footer
+%\newcommand*\oldmacro{}
+%\let\oldmacro\insertshortauthor% save previous definition
+%\renewcommand*\insertshortauthor{%
+% \leftskip=.3cm% before the author could be a plus1fill ...
+% \insertframenumber\,/\,\inserttotalframenumber\hfill\oldmacro}
+
+\usepackage[english]{babel}
+\usepackage[latin1]{inputenc}
+\usepackage{times}
+\usepackage[T1]{fontenc}
+
+\usepackage{subfigure}
+\usepackage{hyperref}
+\usepackage{textcomp,listings}
+%\usepackage{german}
+\lstset{basicstyle=\scriptsize\ttfamily, upquote, tabsize=8}
+
+
+\title{Osmocom SIMtrace}
+
+\subtitle{SIM card protocol tracing - why and how}
+
+\author{Harald~Welte}
+
+%\institute{sysmocom - s.f.m.c. GmbH}
+
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[November 2014] % (optional, should be abbreviation of conference name)
+%{DeepSec Conference, November 2011, Vienna/Austria}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{GSM}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}<beamer>{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+%\include{part-introduction}
+
+
+\part{Java SIM}
+\include{part-sim}
+
+\include{section-simtrace}
+
+%\include{part-ota}
+
+\end{document}
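Review bot: `\newcommand{\degree}{\ensuremath{^\circ}}` sits above `\documentclass`; it compiles, but it belongs in the preamble after the class and package loads, where `\newcommand`'s redefinition check can catch a clash with any package that also defines `\degree`. The preamble also loads `times`, `[latin1]{inputenc}` and `subfigure`, all listed as obsolete by l2tabu: `newtxtext` (or `mathptmx`), `[utf8]{inputenc}` and `subcaption` are the current replacements, and switching to `subcaption` means rewriting the `\subfigure` calls in part-sim.tex as `subfigure` environments. `\usepackage{hyperref}` is redundant under beamer, which loads hyperref itself; if kept, it should be loaded after `listings`. `\include` forces page breaks and cannot be nested, so `\input{part-sim}` and `\input{section-simtrace}` are the safer choice for slide fragments.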
diff --git a/2014/simtrace-openfest2014/simtrace_and_phone.jpg b/2014/simtrace-openfest2014/simtrace_and_phone.jpg
new file mode 100644
index 0000000..7c53de2
--- /dev/null
+++ b/2014/simtrace-openfest2014/simtrace_and_phone.jpg
Binary files differ
diff --git a/2014/simtrace-openfest2014/usim-dir-structure.png b/2014/simtrace-openfest2014/usim-dir-structure.png
new file mode 100644
index 0000000..180be9f
--- /dev/null
+++ b/2014/simtrace-openfest2014/usim-dir-structure.png
Binary files differ
diff --git a/2014/simtrace-openfest2014/wireshark-sim.png b/2014/simtrace-openfest2014/wireshark-sim.png
new file mode 100644
index 0000000..e05f5b6
--- /dev/null
+++ b/2014/simtrace-openfest2014/wireshark-sim.png
Binary files differ