diff options
Diffstat (limited to '2009/gsm_workout-fossin2009')
-rwxr-xr-x | 2009/gsm_workout-fossin2009/26Multiframe.pdf | bin | 0 -> 124727 bytes | |||
-rwxr-xr-x | 2009/gsm_workout-fossin2009/GSMLayers.pdf | bin | 0 -> 85309 bytes | |||
-rwxr-xr-x | 2009/gsm_workout-fossin2009/L2Figure.pdf | bin | 0 -> 53019 bytes | |||
-rwxr-xr-x | 2009/gsm_workout-fossin2009/UmL1Overview.pdf | bin | 0 -> 72993 bytes | |||
-rw-r--r-- | 2009/gsm_workout-fossin2009/gsm_workout.pdf | bin | 0 -> 580021 bytes | |||
-rw-r--r-- | 2009/gsm_workout-fossin2009/gsm_workout.tex | 485 |
6 files changed, 485 insertions, 0 deletions
diff --git a/2009/gsm_workout-fossin2009/26Multiframe.pdf b/2009/gsm_workout-fossin2009/26Multiframe.pdf Binary files differnew file mode 100755 index 0000000..69b68e2 --- /dev/null +++ b/2009/gsm_workout-fossin2009/26Multiframe.pdf diff --git a/2009/gsm_workout-fossin2009/GSMLayers.pdf b/2009/gsm_workout-fossin2009/GSMLayers.pdf Binary files differnew file mode 100755 index 0000000..5051cba --- /dev/null +++ b/2009/gsm_workout-fossin2009/GSMLayers.pdf diff --git a/2009/gsm_workout-fossin2009/L2Figure.pdf b/2009/gsm_workout-fossin2009/L2Figure.pdf Binary files differnew file mode 100755 index 0000000..4186a7e --- /dev/null +++ b/2009/gsm_workout-fossin2009/L2Figure.pdf diff --git a/2009/gsm_workout-fossin2009/UmL1Overview.pdf b/2009/gsm_workout-fossin2009/UmL1Overview.pdf Binary files differnew file mode 100755 index 0000000..37b7b2b --- /dev/null +++ b/2009/gsm_workout-fossin2009/UmL1Overview.pdf diff --git a/2009/gsm_workout-fossin2009/gsm_workout.pdf b/2009/gsm_workout-fossin2009/gsm_workout.pdf Binary files differnew file mode 100644 index 0000000..59204eb --- /dev/null +++ b/2009/gsm_workout-fossin2009/gsm_workout.pdf diff --git a/2009/gsm_workout-fossin2009/gsm_workout.tex b/2009/gsm_workout-fossin2009/gsm_workout.tex new file mode 100644 index 0000000..5878f5f --- /dev/null +++ b/2009/gsm_workout-fossin2009/gsm_workout.tex @@ -0,0 +1,485 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>. +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode<presentation> +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. +\usepackage{listings} + + +\title{GSM Workout} + +\subtitle +{Improving GSM protocol analysis} + +\author{Harald Welte} + +\institute +{gnumonks.org\\gpl-violations.org\\OpenBSC\\airprobe.org\\hmw-consulting.de} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[foss.in/2009] % (optional, should be abbreviation of conference name) +{FOSS.in conference, December 2009, Bangalore/India} +% - Either use conference name or its abbreviation. +% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{Free Software} +% This is only inserted into the PDF information catalog. Can be left +% out. + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}<beamer>{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + +\begin{frame}{Outline} + \tableofcontents + % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. + +\begin{frame}{The FOSS.in/2009 GSM workout} +What do we want to achieve? +\begin{itemize} + \item improve airprobe.org GSM protocol analyzer + \item improve wireshark protocol dissectors for GSM +\end{itemize} +\end{frame} + +\begin{frame}{The FOSS.in/2009 GSM workout} +What skills do you need? +\begin{itemize} + \item general underestanding about communications protocols + \item wireshark usage and preferrably wireshark dissector architecture + \item GSM protocol knowledge not really required +\end{itemize} +\end{frame} + +\section{airprobe.org} + +\begin{frame}{airprobe architecture} +\begin{itemize} + \item Software to receive GSM off the air + \begin{itemize} + \item implements GSM layer 0 and 1, sometimes 2 + \item many implementations available in airprobe.org + \item gsm-receiver and gsm-tvoid most popular + \end{itemize} + \item Intermediate data formate to pass information to protocol analyzer + \item Actual protocol analyzers like + \begin{itemize} + \item gsmdecode, part of airprobe + \item wireshark.org project + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Intermediate data formats} +\begin{itemize} + \item Intermediate data formate to pass information between GSM receiver and actual protocol analyzer + \begin{itemize} + \item hex bytes for every layer 2 or layer 3 message, or + \item PCAP file with GSM encapsulation type, or + \item some non-standard frames through tun/tap device, or + \item GSMTAP header (like wiretap) inside UDP packets over loopback device + \end{itemize} +\end{itemize} +\end{frame} + +\section{GSM Um interface} + +\begin{frame}{Understanding Um}{Overview} +% Following GSM 04.03 Section 4 +%\small{ +\begin{itemize} + \item Modeled after the U interface of ISDN + \item Broadcast channels: SCH, BCCH, FCCH + \item Common channels: CCCH (PCH \& AGCH), RACH + \item Dedicated Channels: + \begin{description}[Dm] + \item[Dm] SDCCH, FACCH, SACCH + \item[Bm] TCH/H, TCH/F + \end{description} +\end{itemize} +\end{frame} + +\begin{frame}{Understanding Um}{Channels \& Layers} +\begin{figure}[h] + \centering + \includegraphics[width=100mm]{GSMLayers.pdf} +\end{figure} +\end{frame} + +\subsection{Time Division Multiplex} + +\begin{frame}{Understanding Um}{TDM Structure} +\begin{itemize} + \item ARFCN (Absolute Radio Freq.~Chan.~Num.)-- A 270,833 Hz radio channel. ARFCNs within a BTS numbered C0, C1, etc. + \item 8 timeslots per frame on each ARFCN, numbered T0..T7. + \item ``physical channel'' -- one slot on one ARFCN, designated C0T0, C0T1, C1T5, etc. + \item Physical channel TDM follows a 26- or 52-frame multiframe, carrying multiple logical channels. +\end{itemize} +\end{frame} + +\begin{frame}{Understanding Um --TDM Example} +\begin{figure}[h] + \centering + \includegraphics[width=90mm]{26Multiframe.pdf} + \caption{Example of traffic channel TDM} +\end{figure} +\end{frame} + +\subsection{Logical Channels} + +\begin{frame}{Understanding Um}{The Beacon} +The beacon is always on C0T0 and always constant full power +\begin{description}[CCCH] + \item[SCH] (Sync.) -- TDM timing and reduced BTS identity + \item[FCCH] (Freq.~Corr.) -- Fine frequency synchronization + \item[BCCH] (Broadcast Control) -- Cell configuration and neighbor list + \item[CCCH] (Common Control) -- a set of unicast channels + \begin{description}[AGCH] + \item[PCH] paging channel for network-originated transactions + \item[AGCH] access grant channel + \item[RACH] uplink access request + \end{description} +\end{description} +\end{frame} + +\begin{frame}{Understanding Um}{SCH -- Synchronization CHannel} +\begin{itemize} + \item First channel acquired by a handset + \item T1, T2, T3' -- TDM clocks for GSM frame number + \item BCC -- 3 bits, identifies BTS in the local group + \item NCC -- 3 bits, identifies network within a region + \item BSIC is NCC:BCC +\end{itemize} +\end{frame} + +\begin{frame}{Understanding Um}{BCCH -- Broadcast Control CHannel} +\begin{itemize} + \item Second channel acquired by the handset. + \item A repeating cycle of system information messages. + \begin{description}[Type 4] + \item[Type 1] ARFCN set + \item[Type 2] Neighbor list + \item[Type 3] Cell/Network identity, CCCH configuration + \item[Type 4] Network identity, cell selection parameters + \item[GPRS] adds a few more (7, 9, 13, 16, 17) + \end{description} +\end{itemize} +\end{frame} + +\begin{frame}{Understanding Um}{CCCH -- Common Control CHannel} +\begin{description}[AGCH] + \item[PCH] Paging + \begin{itemize} + \item Unicast. Handsets addressed by IMSI or TMSI, never IMEI. + \item Handset sees paging request and then requests service on RACH. + \end{itemize} + \item[RACH] Random Access + \begin{itemize} + \item Handset requests channel with RACH burst, 8-bit tag. + \end{itemize} + \item[AGCH] Access Grant + \begin{itemize} + \item BTS answers on AGCH, echoing tag and timestamp. + \end{itemize} +\end{description} +\end{frame} + +\begin{frame}{Understanding Um}{Dm Channels} +\begin{description}[SDCCH] + \item[SDCCH] Most heavily used control channel: registration, SMS transfers, call setup in many networks. Payload rate of 0.8 kb/s. + \item[FACCH] Blank and burst channel steals bandwidth from traffic. Used for in-call signaling, call setup in some networks. Payload rate up to 9.2 kb/s on TCH/F. + \item[SACCH] Low rate channel muxed onto every other logical channel type. Used for timing/power control, measurement reports and in-call SMS transfers. +\end{description} +\end{frame} + +\begin{frame}{Frequency Hopping} +\begin{itemize} + \item Intended to improve radio performance through diversity in fading and interference + \item Two ways to implement hopping + \begin{itemize} + \item Baseband hopping: $N$ fixed-frequency transceivers are connected to $N$ baseband processors through a switch or commutator. Allows CA of $N$ ARFCNs. C0 can be in the CA. + \item Synthesizer hopping: Each of $N$ baseband processors connects to a dedicated transceiver. This requires transceivers that can be retuned and settled in less than 30~$\mu$s. Allows CA to have $\gg N$ ARFNCs. C0 is not in the CA. + \end{itemize} + \item Some networks implement synchronous hopping to prevent collisions of hopping bursts from neighboring cells. +\end{itemize} +\end{frame} + +\begin{frame}{Frequency Hopping Parameters} +A {\em hopping sequence} is an ordered list of ARFCNs used by a given physical channel (PCH), synced to the GSM frame clock. +Each PCH can have an independent hopping sequence. +\begin{description}[MAIO] + \item[CA] Cell Allocation, set of ARFCNs used for hopping in BTS + \item[HSN] Hopping Sequence Number, parameter used in pseudorandom algorithm generating hopping sequence + \item[MA] Mobile Allocation, subset of CA used by a particular PCH + \item[MAIO] MA Index Offset, offset added to hopping sequence when indexing MA. +\end{description} +\begin{itemize} + \item CA is the same for every PCH in the BTS + \item HSN, MA and MAIO can be different for every PCH, usually only MAIO is unique +\end{itemize} +\end{frame} + +\subsection{The Layers of the Um Interface} + +\begin{frame}{Understanding Um}{The Layers} +The Layers are not exactly the ISO model, but a similar theme. +\begin{description} + \item[L1] The radiomodem, TDM and FEC functions + \item[L2] Frame segmentation and retransmission + \item[L3] Connection \& mobility management + \item[L4] Relay functions between BSC and other entities +\end{description} +\end{frame} + + +\begin{frame}{Understanding Um}{The Layers} +\begin{figure}[h] + \centering + \includegraphics[width=85mm]{L2Figure.pdf} + \caption{Layers of a Dm channel} +\end{figure} +\end{frame} + +\subsection{Um Layer 1} + +\begin{frame}{Understanding Um}{L1} +\begin{itemize} + \item Analog radio path (transceiver, amplifiers, duplexer, antenna) + \item{GMSK or GMSK/EDGE radiomodem (``L0'')} + \item{TDM to define logical channels} + \item{FEC (Forward Error Correction)} + \begin{itemize} + \item{Rate-1/2 convolutional code is typical.} + \item{40-bit Fire code parity word on most control channels.} + \item{4-burst or 8-burst interleaving is typical.} + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{L1 Overview (see handout)} +\begin{figure}[h] + \centering + \includegraphics[width=50mm]{UmL1Overview.pdf} +\end{figure} +\end{frame} + +\begin{frame}{Um L1 Interleaving} +\begin{itemize} + \item Every GSM data frame is spread over 4 or 8 radio bursts. + \begin{itemize} + \item 4-burst block interleave on most channels + \item 8-burst diagonal interleave on TCHs + \end{itemize} + \item Loss of one burst means 1/4 or 1/8 missing channel bits, scattered throughout a frame. + \item Allows a slow-hopping system to achieve many performance gains associated with fast-hopping. +\end{itemize} +\end{frame} + +\subsection{Um Layer 2} + +\begin{frame}{Understanding Um}{L2} +\begin{itemize} + \item L1 drops frames, but L3 assumes a reliable link. + \item L1 uses fixed-length frames, but L3 uses variable-length messages. + \item L2 (Data Link Layer) bridges the gap with segmentation, sequencing and retransmission. + \item ISDN uses LAPD for L2, derived from HDLC, derived from SDLC, dating back to IBM's SNA mainframe networks. +\end{itemize} +\end{frame} + +\begin{frame}{Understanding Um}{L2} +\begin{itemize} + \item{LAPDm on Dm channels, a HDLC derivative, similar to ISDN's LAPD but simplified.} + \item{LLC on GPRS channels, another HDLC derivative.} + \item{GSM defines no L2 in Bm channels.} + \begin{itemize} + \item{Speech/fax are just media and have no L2.} + \item{CSD typically used with PPP for L2.} + \end{itemize} +\end{itemize} +\end{frame} + +\section{TODO} + +\subsection{GSMTAP} + +\begin{frame}{GSMTAP Interface} +It's important to find the right level of the GSMTAP interface +\begin{itemize} + \item If we simply pass every GSM burst, then wireshark would need to do the burst-rerassembly, forward error correction, etc - something it traditionally doesn't do + \item If we pass every Layer 2 Frame (23 bytes) + \begin{itemize} + \item burst decoding, reassembly, etc. is done in receiver + \item however, every burst might have different RF parameters like ARFCN, RX level, error rate, ... + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}[containsverbatim]{Current GSMTAP Header} +\tiny{ +\begin{lstlisting} +struct gsmtap_hdr { + u_int8_t version; /* version, set to 0x01 currently */ + u_int8_t hdr_len; /* length in number of 32bit words */ + u_int8_t type; /* see GSMTAP_TYPE_* */ + u_int8_t timeslot; /* timeslot (0..7 on Um) */ + + u_int16_t arfcn; /* ARFCN (frequency) */ + u_int8_t noise_db; /* noise figure in dB */ + u_int8_t signal_db; /* signal level in dB */ + + u_int32_t frame_number; /* GSM Frame Number (FN) */ + + u_int8_t burst_type; /* Type of burst, see above */ + u_int8_t antenna_nr; /* Antenna Number */ + u_int16_t res; /* reserved for future use (RFU) */ + +} __attribute__((packed)); +\end{lstlisting} +} +\end{frame} + +\subsection{ip.access wireshark dissectors} + +\begin{frame}{ip.access wireshark dissectors} +\begin{itemize} + \item ip.access wrote some wireshark dissectors against an old wireshark version + \item they never submtited them upstream, but we have the source under GPL + \item meanwhile, upstream wireshark has parts of that functionality + \item we now need to port those old dissectors to current wireshark +\end{itemize} +\end{frame} + +\begin{frame}{ip.access wireshark dissectors} +\begin{itemize} + \item IPA protocol as encapsulation layer + \begin{itemize} + \item different implementation in upstream (packet-gsm\_ipa.c) + \item maybe some few bits missing from upstream + \item port the missing bits from ip.access to upstream + \end{itemize} + \item GSM 12.21 (A-bis OML) + \begin{itemize} + \item different implementation in openbsc (abis-oml.patch) + \item quite a number of bits missing from upstream + \item BTS vendor specific decoding preference needed + \end{itemize} + \item GSM 08.58 (A-bis RSL) + \begin{itemize} + \item different implementation in upstream (packet-rsl.c) + \item many ip.access specific bits missing + \item port the missing bits from ip.access to upstream + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{ip.access wireshark dissectors} +\begin{itemize} + \item IPA IML (internal management link) + \begin{itemize} + \item no implementation in upstream + \item simply merge it into current upstream + \end{itemize} + \item RTP Multiplex (packet-rtp\_mux.c) + \begin{itemize} + \item no implementation in upstream + \item simply merge it into current upstream + \end{itemize} + \item GSM CSD (packet-gsm\_csd.c) + \begin{itemize} + \item no implementation in upstream + \item simply merge it into current upstream + \end{itemize} +\end{itemize} +\end{frame} + +\end{document} |