path: root/2008/gsm-ccc2008/bs11-presentation.txt
Diffstat (limited to '2008/gsm-ccc2008/bs11-presentation.txt')
-rw-r--r-- 2008/gsm-ccc2008/bs11-presentation.txt 78
1 files changed, 78 insertions, 0 deletions
diff --git a/2008/gsm-ccc2008/bs11-presentation.txt b/2008/gsm-ccc2008/bs11-presentation.txt
new file mode 100644
index 0000000..fc2d732
--- /dev/null
+++ b/2008/gsm-ccc2008/bs11-presentation.txt
@@ -0,0 +1,78 @@
+* why?
+** security research
+** demonstration of known theoretical problems
+** publci awareness about GSM [in]security
+
+* legal disclaimer
+** don't try this at home
+** ownership of devices: ok, operation: not ok, licensed spectrum
+** test licenses by Bundesnetzagentur
+
+* introduction to gsm network architecture
+** MS, BTS, BSC, MSC, HLR, VLR
+** "ISDN on steroids" (q.921 / q.931 as base for call control)
+** intelligence in the network, not the terminal
+** bit-synchronous network, like SDH
+** A-bis as interface between BTS and BSC
+
+* more details about A-bis interface
+** functional split BTS / BSC
+** low-level A-bis (timeslots / sub-slots)
+** A-bis protocol in GSM specs (04.08, 12.21, 08.58)
+*** Page 10, 08.58
+** structure of voice data in TRAU frames
+
+* Introducing the BS-11
+** features (1-2 TRX, 30mW-2W, GSM900)
+** 2 E1 interface (1 to BSC, 1 for daisy-chaining)
+** BS11 documentation
+*** documentation under NDA, not available publicly
+*** 99% of A-bis protocol in GSM specs (04.08, 12.21, 08.58)
+** photographs (big picture, connector panel, internal overview)
+** serial port for LMT, proprietary software
+*** needed commands (TX power, timeslot for RSL/OML, TEI)
+
+
+* first steps with BS-11
+** bought BS-11 on eBay (now 74 units)
+** A-bis protocol analyzer
+** Helpful anonymous person helped us with
+*** A-bis traces between Siemens BSC
+*** Wandel+Goltermann MA-10 protocol analyzer
+
+* BS11-Init (09/2008)
+** ChipCologne HFC-E1 reference code for DOS
+** polling, no interrupts
+** ported to Windows and Linux (mmap of E1 to userspace)
+** proof-of-concept code based on challenge-response
+
+* from BS11-Init to OpenBSC (12/2008)
+** get Layer2 to work (mISDN mainline doesn't deal with multiple SAPIs and fixed TEIs)
+** learn how to use new sockets-based mISDN API
+** send and receive first OML packets
+** come up with event-driven architecture, single select loop, no threads, ...
+** 25C3: add libdbi/sqlite database backend for "HLR"
+** 25C3: get paging to work, support for configurable network ID
+** 25C3: debugging/stabilization with > 1000 test users ;)
+** 25C3: IMSI+IMEI skimming
+
+* other FOSS projects related to GSM
+** OpenBTS
+** gssm / gsm-tvoid / gsmsp
+
+* availability of BS-11
+** remember: you need a HFC-E1, and shipping of 48kg
+** import/ownership restrictions at your place of residence!
+
+* short demo (10-15min)
+** IMSI/IMEI snooping
+** ringtone demonstration
+
+* links
+** OpenBSC http://openbsc.gnumonks.org
+** toast
+** 3GPP (http://www.3gpp.org/) / ETSI (http://www.etsi.org/)
+** Goeller homepage (http://www2.informatik.hu-berlin.de/~goeller)
+** THC Wiki (http://wiki.thc.org/gsm)
+** OpenBTS (http://openbts.sourceforge.net/) + gnuradio wiki
+** Harald's branch of gsm-tvoid, etc (git://git.gnumonks.org/gsm.git)
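Review bot: a few spelling and consistency slips in the outline are worth fixing before it is used: "publci awareness" under "why?" should read "public awareness", "2 E1 interface" under "Introducing the BS-11" should read "2 E1 interfaces", and the same demo item appears as "IMSI+IMEI skimming" in the 25C3 list and as "IMSI/IMEI snooping" under "short demo", so one term should be used throughout. The "legal disclaimer" slide states that operating the device is only acceptable under a Bundesnetzagentur test license, while the "short demo" slide says nothing about it; a one-line note on the demo slide that the demo runs under that test license would keep the two slides consistent.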
personal git repositories of Harald Welte. Your mileage may vary