Diffstat (limited to '2014/osmocom-dorscluc2014')
-rw-r--r--2014/osmocom-dorscluc2014/bts_tree_full.jpgbin0 -> 1512137 bytes
-rw-r--r--2014/osmocom-dorscluc2014/c123_pcb.jpgbin0 -> 684904 bytes
-rw-r--r--2014/osmocom-dorscluc2014/ezcap_top.jpgbin0 -> 181997 bytes
-rw-r--r--2014/osmocom-dorscluc2014/osmo-e1-xcvr.jpgbin0 -> 157754 bytes
-rw-r--r--2014/osmocom-dorscluc2014/osmocom-overview.pdfbin0 -> 2884916 bytes
-rw-r--r--2014/osmocom-dorscluc2014/osmocom-overview.snm0
-rw-r--r--2014/osmocom-dorscluc2014/osmocom-overview.tex575
-rw-r--r--2014/osmocom-dorscluc2014/osmosdr.jpgbin0 -> 177383 bytes
-rw-r--r--2014/osmocom-dorscluc2014/simtrace_and_phone.jpgbin0 -> 73335 bytes
9 files changed, 575 insertions, 0 deletions
diff --git a/2014/osmocom-dorscluc2014/bts_tree_full.jpg b/2014/osmocom-dorscluc2014/bts_tree_full.jpg
new file mode 100644
index 0000000..6b5c5e8
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/bts_tree_full.jpg
Binary files differ
diff --git a/2014/osmocom-dorscluc2014/c123_pcb.jpg b/2014/osmocom-dorscluc2014/c123_pcb.jpg
new file mode 100644
index 0000000..a9f24fc
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/c123_pcb.jpg
Binary files differ
diff --git a/2014/osmocom-dorscluc2014/ezcap_top.jpg b/2014/osmocom-dorscluc2014/ezcap_top.jpg
new file mode 100644
index 0000000..d504471
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/ezcap_top.jpg
Binary files differ
diff --git a/2014/osmocom-dorscluc2014/osmo-e1-xcvr.jpg b/2014/osmocom-dorscluc2014/osmo-e1-xcvr.jpg
new file mode 100644
index 0000000..8802e08
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmo-e1-xcvr.jpg
Binary files differ
diff --git a/2014/osmocom-dorscluc2014/osmocom-overview.pdf b/2014/osmocom-dorscluc2014/osmocom-overview.pdf
new file mode 100644
index 0000000..eb88f16
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmocom-overview.pdf
Binary files differ
diff --git a/2014/osmocom-dorscluc2014/osmocom-overview.snm b/2014/osmocom-dorscluc2014/osmocom-overview.snm
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmocom-overview.snm
diff --git a/2014/osmocom-dorscluc2014/osmocom-overview.tex b/2014/osmocom-dorscluc2014/osmocom-overview.tex
new file mode 100644
index 0000000..c8ea668
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmocom-overview.tex
@@ -0,0 +1,575 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+ \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode<presentation>
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{osmocom.org - FOSS for mobile comms}
+
+\subtitle
+{community based Free / Open Source Software for communications}
+
+\author{Harald Welte <laforge@gnumonks.org>}
+
+\institute
+{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[] % (optional, should be abbreviation of conference name)
+{June 16, 2014, DORS/CLUC, Zagreb}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Communications}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}<beamer>{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents[hideallsubsections]
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+ \item Using + toying with Linux since 1994
+ \item Kernel / bootloader / driver / firmware development since 1999
+ \item IT security expert, focus on network protocol security
+ \item Former core developer of Linux packet filter netfilter/iptables
+ \item Board-level Electrical Engineering
+ \item Always looking for interesting protocols (RFID, DECT, GSM)
+ \item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN
+\end{itemize}
+\end{frame}
+
+
+\section{Researching communications systems}
+
+\subsection{The Rolle of FOSS}
+
+\begin{frame}{Research in TCP/IP/Ethernet}
+Assume you want to do some research in the TCP/IP/Ethernet
+communications area,
+\begin{itemize}
+ \item you use off-the-shelf hardware (x86, Ethernet card)
+ \item you start with the Linux / *BSD stack
+ \item you add the instrumentation you need
+ \item you make your proposed modifications
+ \item you do some testing
+ \item you write your paper and publish the results
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Research in (mobile) communications}
+Assume it is before 2009 (before Osmocom) and you want to do some research in mobile comms
+\begin{itemize}
+ \item there is no FOSS implementation of any of the protocols or
+ functional entities
+ \item almost no university has a test lab with the required
+ equipment. And if they do, it is black boxes that you
+ cannot modify according to your research requirements
+ \item you turn away at that point, or you cannot work on really
+ exciting stuff
+ \item only chance is to partner with commercial company, who
+ puts you under NDAs and who wants to profit from your
+ research
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GSM/3G vs. Internet}
+\begin{itemize}
+ \item Observation
+ \begin{itemize}
+ \item Both GSM/3G and TCP/IP protocol specs are publicly available
+ \item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny
+ \item GSM networks are as widely deployed as the Internet
+ \item Yet, GSM/3G protocols receive no such scrutiny!
+ \end{itemize}
+ \item There are reasons for that:
+ \begin{itemize}
+ \item GSM industry is extremely closed (and closed-minded)
+ \item Only about 4 closed-source protocol stack implementations
+ \item GSM chipset makers never release any hardware documentation
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GSM is more than phone calls}
+Listening to phone calls is boring...
+\begin{itemize}
+ \item Machine-to-Machine (M2M) communication
+ \begin{itemize}
+ \item BMW can unlock/open your car via GSM
+ \item Alarm systems often report via GSM
+ \item Smart Metering (Utility companies)
+ \item GSM-R / European Train Control System
+ \item Vending machines report that their cash box is full
+ \item Control if wind-mills supply power into the grid
+ \item Transaction numbers for electronic banking
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\section{The Osmocom project}
+
+\begin{frame}{Osmocom / osmocom.org}
+\begin{itemize}
+ \item Osmocom == Open Soruce Mobile Communications
+ \item Classic collaborative, community-driven FOSS project
+ \item Gathers creative people who want to explore this
+ industry-dominated closed mobile communications world
+ \item communication via mailing lists, IRC
+ \item soure code in git, information in trac/wiki
+ \item http://osmocom.org/
+\end{itemize}
+\end{frame}
+
+\subsection{Osmocom sub-projects}
+
+\begin{frame}{OpenBSC}
+\begin{itemize}
+ \item first Osmocom project
+ \item Implements GSM A-bis interface towards BTS
+ \item Primarily supports sysmoBTS and ip.access nanoBTS
+ \item Limited support for some Siemens, Ericsson and Nokia BTS models
+ \item can implement only BSC function (osmo-bsc) or a fully
+ autonomous self-contained GSM network (osmo-nitb) that
+ requires no external MSC/VLR/AUC/HLR/EIR
+ \item deployed in > 200 installations world-wide, commercial and
+ research
+\end{itemize}
+\end{frame}
+
+\begin{frame}{First OpenBSC test installation (HAR 2009)}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{bts_tree_full.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OpenBSC use cases}
+\begin{itemize}
+ \item can be used either as pure BSC (A-over-IP)
+ \begin{itemize}
+ \item suitable for operators with existing core (MSC/VLR/HLR/AUC)
+ \item easy integration into existing infrastructure
+ \end{itemize}
+ \item or as NITB (network in the box)
+ \begin{itemize}
+ \item suitable for private / autonomous small networks (PBX style)
+ \item no dependency on any other external component
+ \item connect to the outside via ISDN or VoIP (using
+ linux call router)
+ \item off-shore drilling rigs, underground mining, alternative to PMR
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{OsmoSGSN / OpenGGSN}
+\begin{itemize}
+ \item extends the OpenBSC based network from GSM to GPRS/EDGE by
+ implementing the classic SGSN and GGSN functional
+ entities
+ \item OpenGGSN existed already, but was abandoned by original
+ author
+ \item Works only with BTSs that provides Gb interface, like
+ sysmoBTS or nanoBTS
+ \item Suitable for research only, not production ready
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmoSGSN / OpenGGSN use cases}
+\begin{itemize}
+ \item Testing of M2M devices using your own BTS+SGSN+GGSN
+ \item Mobile malware research (analyze cellular data traffic of
+ apps)
+ \item Any type of GPRS related research
+ \item Teaching, training on mobile data protocols/interfaces
+ (RLC, MAC, LLC, SNDCP, BSSGP, NS, GTP, etc.)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB}
+\begin{itemize}
+ \item Full baseband processor firmware implementation of a mobile phone (MS)
+ \item We re-use existing phone hardware and re-wrote the L1, L2,
+ L3 and higher level logic
+ \item Higher layers reuse code from OpenBSC wherever possible
+ \item Used in a number of universities and other research contexts
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=50mm]{c123_pcb.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmocomBB use cases}
+\begin{itemize}
+ \item Applied security research on Infrastructure
+ \begin{itemize}
+ \item Fuzzing / exploiting of protocol parsers on network side
+ \item RACH denial of service
+ \item Check if networks use random padding
+ \item Detect IMSI catchers or other fals base stations
+ \item Assess GSM network (operator) security level
+ \end{itemize}
+ \item Study + learn how a GSM stack / phone work
+ \item Protocol tracing of your own transactions with the network
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmoBTS}
+\begin{itemize}
+ \item OpenBSC/OsmoNITB takes care of BTS and higher elements
+ \item OsmoBTS implements a BTS with A-bis/IP back-haul to OpenBSC
+ \item Developed primarily for sysmoBTS hardware
+ \item Support for other hardware is ongoing in the community
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomTETRA}
+\begin{itemize}
+ \item SDR implementation of a TETRA radio-modem (PHY/MAC)
+ \item Rx is fully implemented, Tx only partial
+ \item Can be used for air interface interception
+ \item Accompanied by wireshark dissectors for the TETRA protocol
+ stack
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomTETRA use cases}
+\begin{itemize}
+ \item Analysis/assessment of TETRA network security
+ \item Learn how TETRA works on teh lowest levels (L1, MAC, L3)
+ \item Protocol analysis / sniffing / intercepting unencrypted networks
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomGMR}
+\begin{itemize}
+ \item ETSI GMR (Geo Mobile Radio) is "GSM for satellites"
+ \item GMR-1 used by Thuraya satellite network
+ \item OsmocomGMR implements SDR based radiomodem + PHY/MAC (Rx)
+ \item Partial wireshark dissectors for the protocol stack
+ \item Reverse engineered implementation of GMR-A5 crypto
+ \item Speech codec is proprietary, still needs reverse engineering
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomGMR use cases}
+\begin{itemize}
+ \item Analysis/assessment of GMR/Thuraya security (there is none)
+ \item Learn and understnad how satellite telephony L1 and protocol work
+ \item Actual interception of SMS + data
+ \item Voice still difficult due to proprietary undocumented codec
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomDECT}
+\begin{itemize}
+ \item ETSI DECT (Digital European Cordless Telephony) is used in
+ millions of cordless phones
+ \item deDECTed.org project started with open source protocol
+ analyzers and demonstrated many vulnerabilities
+ \item OsmocomDECT is an implementation of the DECT hardware
+ drivers and protocols for the Linux kernel
+ \item Integrates with Asterisk
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomOP25}
+\begin{itemize}
+ \item APCO25 is Professional PMR system used in the US
+ \item Can be compared to TETRA in Europe
+ \item OsmocomOP25 is again SDR receiver + protocol analyzer
+ \item Use cases like OsmocomTETRA
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmoSDR}
+\begin{itemize}
+ \item small, low-power / low-cost USB SDR hardware
+ \item higher bandwidth than FunCubeDonglePro
+ \item much lower cost than USRP
+ \item Open Hardware
+ \item Developer units available
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=70mm]{osmosdr.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{rtl-sdr}
+\begin{itemize}
+ \item re-purpose a USD 20 DVB-T USB dongle based on Realtek chipset
+ \item deactivate/bypass DVB-T demodulator / MPEG decoder
+ \item pass baseband samples via high-speed USB into PC
+ \item no open hardware, but Free Software
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=70mm]{ezcap_top.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmocomSIMTRACE}
+\begin{itemize}
+ \item Hardware protocol tracer for SIM - phone interface
+ \item Wireshark protocol dissector for SIM-ME protocol (TS 11.11)
+ \item Can be used for SIM Application development / analysis
+ \item Also capable of SIM card emulation and man-in-the-middle attacks
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{simtrace_and_phone.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Osmo-E1-Xcvr}
+\begin{itemize}
+ \item Open hardware project for interfacing E1 lines with
+ microcontrollers
+ \item So far no software/firmware yet, stay tuned!
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{osmo-e1-xcvr.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{osmo\_ss7, osmo\_map, signerl}
+\begin{itemize}
+ \item Erlang-language SS7 implementation (MTP3, SCCP, TCAP, MAP)
+ \item SIGTRAN variants (M2PA, M2UA, M3UA and SUA)
+ \item Enables us to interface with GSM/UMTS inter-operator core network
+ \item Already used in production in some really nasty
+ special-purpose protocol translators (think of NAT for
+ SS7)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{osmo\_ss7, osmo\_map, signerl use cases}
+\begin{itemize}
+ \item Implement GSM/3G core network elements (HLR, SCF, etc.)
+ \item Applications that interact with GSM/3G core network
+ elements
+ \item Mostly useful for small MVNOs or other operators who have
+ requirements that cannot be fulfilled with off-the-shelf
+ proprietary equipment.
+\end{itemize}
+\end{frame}
+
+\begin{frame}{More Osmocom projects}
+\begin{itemize}
+ \item Have a look at http://git.osmcoom.org/
+ \item 79 public git repositories / projects at this point
+ \item way too many to cover here in this talk
+ \item Often RTFS, no manual/docs
+\end{itemize}
+\end{frame}
+
+\section{Non-osmocom projects}
+
+\begin{frame}{The OpenBTS Um - SIP bridge}
+\begin{itemize}
+ \item OpenBTS is a SDR implementation of GSM Um radio interface
+ \item directly bridges to SIP/RTP, no A-bis/BSC/A/MSC
+ \item suitable for research on air interface, but very different
+ from traditional GSM networks
+ \item work is being done to make it interoperable with OpenBSC
+\end{itemize}
+\end{frame}
+
+\begin{frame}{airprobe.org}
+\begin{itemize}
+ \item SDR implementation of Um sniffer
+ \item suitable for receiving GSM Um downlink and uplink
+ \item predates all of the other projects
+ \item more or less abandoned at this point
+\end{itemize}
+\end{frame}
+
+\begin{frame}{UmTRX}
+\begin{itemize}
+ \item SDR hardware, specifically for GSM Um air interface
+ \item can be used with OpenBTS and soon: OsmoTRX / OsmoBTS
+ \item Oepen Hardware Design
+ \item http://code.google.com/p/umtrx/
+\end{itemize}
+\end{frame}
+
+\begin{frame}{xgoldmon}
+\begin{itemize}
+ \item extract all GSM/GPRS and even 3G protocol messages from
+ your Samsung Galaxy 2, Galaxy 3, Note 2, Nexus phone via USB
+ \item feed them into your PC running xgoldmon
+ \item forward them from xgoldmon via GSMTAP into wireshark
+ \item https://github.com/2b-as/xgoldmon
+\end{itemize}
+\end{frame}
+
+\begin{frame}{sysmocom GmbH}{systems for mobile communications}
+\begin{itemize}
+ \item small company, started by two Osmocom developers in Berlin
+ \item provides commercial R\&d and support for professional
+ users of Osmocom software
+ \item develops + sells products like sysmoBTS (inexpensive,
+ small-form-factor, OpenBSC compatible BTS)
+ \item runs a small webshop for Osmocom related hardware items
+ like SIMtrace
+\end{itemize}
+\end{frame}
+
+
+\subsection{Future projects}
+
+\begin{frame}{Where do we go from here?}
+\begin{itemize}
+ \item Dieter Spaar has been working with 3G NodeBs (Ericsson,
+ Nokia) to be able to run our own RNC
+ \item Research into intercepting microwave back-haul links
+ \item Research into GPS simulation / transmission / faking
+ \item Port of OsmocomBB to other baseband chips
+ \item Low-level control from Free Software on a 3G/3.5G phone
+ \item Re-using femtocells in creative ways
+ \item Proprietary PMR systems
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Call for contributions}
+\begin{itemize}
+ \item Don't you agree that classic Internet/TCP/IP is boring and
+ has been researched to death?
+ \item There are many more communications systems out there
+ \item Never trust the industry, they only care about selling
+ their stuff
+ \item Lets democratize access to those communication systems
+ \item Become a contributor or developer today!
+ \item Join our mailing lists, use/improve our code
+ \item for OsmocomBB you only need a EUR 20 phone to start
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Thanks}
+I'd like to thank the many Osmocom developers and contributors,
+especially
+\begin{itemize}
+ \item Dieter Spaar
+ \item Holger Freyther
+ \item Andreas Eversberg
+ \item Sylvain Munaut
+ \item On-Waves e.h.f
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Thanks}
+Thanks for your attention. I hope we have time for Q\&A.
+\end{frame}
+
+
+\end{document}
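Review bot: The `url` package is loaded and a custom style is defined at the top of the file (`\def\url@leostyle{...}` followed by `\urlstyle{leo}`), but it never takes effect because every URL in the slides (`http://osmocom.org/`, `http://git.osmcoom.org/`, `http://code.google.com/p/umtrx/`, `https://github.com/2b-as/xgoldmon`) is typed as plain text inside an `\item`; wrap each one as `\item \url{http://osmocom.org/}` so it is set in the defined `\UrlFont`, breaks at slashes instead of overflowing the frame, and becomes a clickable link in the PDF. The host in `http://git.osmcoom.org/` on the "More Osmocom projects" frame also looks misspelled next to `http://osmocom.org/` earlier in the same file and the `osmocom-dorscluc2014` path of this commit, so `\url{http://git.osmocom.org/}` is presumably what is intended. As a style point, `\usepackage{times}` is an obsolete font package (`newtxtext` or `mathptmx` is the usual replacement), and the `[h]` placement option on the `figure` environments is a no-op inside beamer frames and can be dropped.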
diff --git a/2014/osmocom-dorscluc2014/osmosdr.jpg b/2014/osmocom-dorscluc2014/osmosdr.jpg
new file mode 100644
index 0000000..730b579
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmosdr.jpg
Binary files differ
diff --git a/2014/osmocom-dorscluc2014/simtrace_and_phone.jpg b/2014/osmocom-dorscluc2014/simtrace_and_phone.jpg
new file mode 100644
index 0000000..3fddf27
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/simtrace_and_phone.jpg
Binary files differ