Diffstat (limited to '2014/osmocom-dorscluc2014')
-rw-r--r-- | 2014/osmocom-dorscluc2014/bts_tree_full.jpg | bin | 0 -> 1512137 bytes | |||
-rw-r--r-- | 2014/osmocom-dorscluc2014/c123_pcb.jpg | bin | 0 -> 684904 bytes | |||
-rw-r--r-- | 2014/osmocom-dorscluc2014/ezcap_top.jpg | bin | 0 -> 181997 bytes | |||
-rw-r--r-- | 2014/osmocom-dorscluc2014/osmo-e1-xcvr.jpg | bin | 0 -> 157754 bytes | |||
-rw-r--r-- | 2014/osmocom-dorscluc2014/osmocom-overview.pdf | bin | 0 -> 2884916 bytes | |||
-rw-r--r-- | 2014/osmocom-dorscluc2014/osmocom-overview.snm | 0 | ||||
-rw-r--r-- | 2014/osmocom-dorscluc2014/osmocom-overview.tex | 575 | ||||
-rw-r--r-- | 2014/osmocom-dorscluc2014/osmosdr.jpg | bin | 0 -> 177383 bytes | |||
-rw-r--r-- | 2014/osmocom-dorscluc2014/simtrace_and_phone.jpg | bin | 0 -> 73335 bytes |
9 files changed, 575 insertions, 0 deletions
diff --git a/2014/osmocom-dorscluc2014/bts_tree_full.jpg b/2014/osmocom-dorscluc2014/bts_tree_full.jpg
Binary files differ
new file mode 100644
index 0000000..6b5c5e8
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/bts_tree_full.jpg
diff --git a/2014/osmocom-dorscluc2014/c123_pcb.jpg b/2014/osmocom-dorscluc2014/c123_pcb.jpg
Binary files differ
new file mode 100644
index 0000000..a9f24fc
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/c123_pcb.jpg
diff --git a/2014/osmocom-dorscluc2014/ezcap_top.jpg b/2014/osmocom-dorscluc2014/ezcap_top.jpg
Binary files differ
new file mode 100644
index 0000000..d504471
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/ezcap_top.jpg
diff --git a/2014/osmocom-dorscluc2014/osmo-e1-xcvr.jpg b/2014/osmocom-dorscluc2014/osmo-e1-xcvr.jpg
Binary files differ
new file mode 100644
index 0000000..8802e08
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmo-e1-xcvr.jpg
diff --git a/2014/osmocom-dorscluc2014/osmocom-overview.pdf b/2014/osmocom-dorscluc2014/osmocom-overview.pdf
Binary files differ
new file mode 100644
index 0000000..eb88f16
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmocom-overview.pdf
diff --git a/2014/osmocom-dorscluc2014/osmocom-overview.snm b/2014/osmocom-dorscluc2014/osmocom-overview.snm
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmocom-overview.snm
diff --git a/2014/osmocom-dorscluc2014/osmocom-overview.tex b/2014/osmocom-dorscluc2014/osmocom-overview.tex
new file mode 100644
index 0000000..c8ea668
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmocom-overview.tex
@@ -0,0 +1,575 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+ \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode<presentation>
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{osmocom.org - FOSS for mobile comms}
+
+\subtitle
+{community based Free / Open Source Software for communications}
+
+\author{Harald Welte <laforge@gnumonks.org>}
+
+\institute
+{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[] % (optional, should be abbreviation of conference name)
+{June 16, 2014, DORS/CLUC, Zagreb}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Communications}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}<beamer>{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents[hideallsubsections]
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+ \item Using + toying with Linux since 1994
+ \item Kernel / bootloader / driver / firmware development since 1999
+ \item IT security expert, focus on network protocol security
+ \item Former core developer of Linux packet filter netfilter/iptables
+ \item Board-level Electrical Engineering
+ \item Always looking for interesting protocols (RFID, DECT, GSM)
+ \item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN
+\end{itemize}
+\end{frame}
+
+
+\section{Researching communications systems}
+
+\subsection{The Rolle of FOSS}
+
+\begin{frame}{Research in TCP/IP/Ethernet}
+Assume you want to do some research in the TCP/IP/Ethernet
+communications area,
+\begin{itemize}
+ \item you use off-the-shelf hardware (x86, Ethernet card)
+ \item you start with the Linux / *BSD stack
+ \item you add the instrumentation you need
+ \item you make your proposed modifications
+ \item you do some testing
+ \item you write your paper and publish the results
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Research in (mobile) communications}
+Assume it is before 2009 (before Osmocom) and you want to do some research in mobile comms
+\begin{itemize}
+ \item there is no FOSS implementation of any of the protocols or
+ functional entities
+ \item almost no university has a test lab with the required
+ equipment. And if they do, it is black boxes that you
+ cannot modify according to your research requirements
+ \item you turn away at that point, or you cannot work on really
+ exciting stuff
+ \item only chance is to partner with commercial company, who
+ puts you under NDAs and who wants to profit from your
+ research
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GSM/3G vs. Internet}
+\begin{itemize}
+ \item Observation
+ \begin{itemize}
+ \item Both GSM/3G and TCP/IP protocol specs are publicly available
+ \item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny
+ \item GSM networks are as widely deployed as the Internet
+ \item Yet, GSM/3G protocols receive no such scrutiny!
+ \end{itemize}
+ \item There are reasons for that:
+ \begin{itemize}
+ \item GSM industry is extremely closed (and closed-minded)
+ \item Only about 4 closed-source protocol stack implementations
+ \item GSM chipset makers never release any hardware documentation
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GSM is more than phone calls}
+Listening to phone calls is boring...
+\begin{itemize}
+ \item Machine-to-Machine (M2M) communication
+ \begin{itemize}
+ \item BMW can unlock/open your car via GSM
+ \item Alarm systems often report via GSM
+ \item Smart Metering (Utility companies)
+ \item GSM-R / European Train Control System
+ \item Vending machines report that their cash box is full
+ \item Control if wind-mills supply power into the grid
+ \item Transaction numbers for electronic banking
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\section{The Osmocom project}
+
+\begin{frame}{Osmocom / osmocom.org}
+\begin{itemize}
+ \item Osmocom == Open Soruce Mobile Communications
+ \item Classic collaborative, community-driven FOSS project
+ \item Gathers creative people who want to explore this
+ industry-dominated closed mobile communications world
+ \item communication via mailing lists, IRC
+ \item soure code in git, information in trac/wiki
+ \item http://osmocom.org/
+\end{itemize}
+\end{frame}
+
+\subsection{Osmocom sub-projects}
+
+\begin{frame}{OpenBSC}
+\begin{itemize}
+ \item first Osmocom project
+ \item Implements GSM A-bis interface towards BTS
+ \item Primarily supports sysmoBTS and ip.access nanoBTS
+ \item Limited support for some Siemens, Ericsson and Nokia BTS models
+ \item can implement only BSC function (osmo-bsc) or a fully
+ autonomous self-contained GSM network (osmo-nitb) that
+ requires no external MSC/VLR/AUC/HLR/EIR
+ \item deployed in > 200 installations world-wide, commercial and
+ research
+\end{itemize}
+\end{frame}
+
+\begin{frame}{First OpenBSC test installation (HAR 2009)}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{bts_tree_full.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OpenBSC use cases}
+\begin{itemize}
+ \item can be used either as pure BSC (A-over-IP)
+ \begin{itemize}
+ \item suitable for operators with existing core (MSC/VLR/HLR/AUC)
+ \item easy integration into existing infrastructure
+ \end{itemize}
+ \item or as NITB (network in the box)
+ \begin{itemize}
+ \item suitable for private / autonomous small networks (PBX style)
+ \item no dependency on any other external component
+ \item connect to the outside via ISDN or VoIP (using
+ linux call router)
+ \item off-shore drilling rigs, underground mining, alternative to PMR
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{OsmoSGSN / OpenGGSN}
+\begin{itemize}
+ \item extends the OpenBSC based network from GSM to GPRS/EDGE by
+ implementing the classic SGSN and GGSN functional
+ entities
+ \item OpenGGSN existed already, but was abandoned by original
+ author
+ \item Works only with BTSs that provides Gb interface, like
+ sysmoBTS or nanoBTS
+ \item Suitable for research only, not production ready
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmoSGSN / OpenGGSN use cases}
+\begin{itemize}
+ \item Testing of M2M devices using your own BTS+SGSN+GGSN
+ \item Mobile malware research (analyze cellular data traffic of
+ apps)
+ \item Any type of GPRS related research
+ \item Teaching, training on mobile data protocols/interfaces
+ (RLC, MAC, LLC, SNDCP, BSSGP, NS, GTP, etc.)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB}
+\begin{itemize}
+ \item Full baseband processor firmware implementation of a mobile phone (MS)
+ \item We re-use existing phone hardware and re-wrote the L1, L2,
+ L3 and higher level logic
+ \item Higher layers reuse code from OpenBSC wherever possible
+ \item Used in a number of universities and other research contexts
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=50mm]{c123_pcb.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmocomBB use cases}
+\begin{itemize}
+ \item Applied security research on Infrastructure
+ \begin{itemize}
+ \item Fuzzing / exploiting of protocol parsers on network side
+ \item RACH denial of service
+ \item Check if networks use random padding
+ \item Detect IMSI catchers or other fals base stations
+ \item Assess GSM network (operator) security level
+ \end{itemize}
+ \item Study + learn how a GSM stack / phone work
+ \item Protocol tracing of your own transactions with the network
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmoBTS}
+\begin{itemize}
+ \item OpenBSC/OsmoNITB takes care of BTS and higher elements
+ \item OsmoBTS implements a BTS with A-bis/IP back-haul to OpenBSC
+ \item Developed primarily for sysmoBTS hardware
+ \item Support for other hardware is ongoing in the community
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomTETRA}
+\begin{itemize}
+ \item SDR implementation of a TETRA radio-modem (PHY/MAC)
+ \item Rx is fully implemented, Tx only partial
+ \item Can be used for air interface interception
+ \item Accompanied by wireshark dissectors for the TETRA protocol
+ stack
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomTETRA use cases}
+\begin{itemize}
+ \item Analysis/assessment of TETRA network security
+ \item Learn how TETRA works on teh lowest levels (L1, MAC, L3)
+ \item Protocol analysis / sniffing / intercepting unencrypted networks
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomGMR}
+\begin{itemize}
+ \item ETSI GMR (Geo Mobile Radio) is "GSM for satellites"
+ \item GMR-1 used by Thuraya satellite network
+ \item OsmocomGMR implements SDR based radiomodem + PHY/MAC (Rx)
+ \item Partial wireshark dissectors for the protocol stack
+ \item Reverse engineered implementation of GMR-A5 crypto
+ \item Speech codec is proprietary, still needs reverse engineering
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomGMR use cases}
+\begin{itemize}
+ \item Analysis/assessment of GMR/Thuraya security (there is none)
+ \item Learn and understnad how satellite telephony L1 and protocol work
+ \item Actual interception of SMS + data
+ \item Voice still difficult due to proprietary undocumented codec
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomDECT}
+\begin{itemize}
+ \item ETSI DECT (Digital European Cordless Telephony) is used in
+ millions of cordless phones
+ \item deDECTed.org project started with open source protocol
+ analyzers and demonstrated many vulnerabilities
+ \item OsmocomDECT is an implementation of the DECT hardware
+ drivers and protocols for the Linux kernel
+ \item Integrates with Asterisk
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomOP25}
+\begin{itemize}
+ \item APCO25 is Professional PMR system used in the US
+ \item Can be compared to TETRA in Europe
+ \item OsmocomOP25 is again SDR receiver + protocol analyzer
+ \item Use cases like OsmocomTETRA
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmoSDR}
+\begin{itemize}
+ \item small, low-power / low-cost USB SDR hardware
+ \item higher bandwidth than FunCubeDonglePro
+ \item much lower cost than USRP
+ \item Open Hardware
+ \item Developer units available
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=70mm]{osmosdr.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{rtl-sdr}
+\begin{itemize}
+ \item re-purpose a USD 20 DVB-T USB dongle based on Realtek chipset
+ \item deactivate/bypass DVB-T demodulator / MPEG decoder
+ \item pass baseband samples via high-speed USB into PC
+ \item no open hardware, but Free Software
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=70mm]{ezcap_top.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmocomSIMTRACE}
+\begin{itemize}
+ \item Hardware protocol tracer for SIM - phone interface
+ \item Wireshark protocol dissector for SIM-ME protocol (TS 11.11)
+ \item Can be used for SIM Application development / analysis
+ \item Also capable of SIM card emulation and man-in-the-middle attacks
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{simtrace_and_phone.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Osmo-E1-Xcvr}
+\begin{itemize}
+ \item Open hardware project for interfacing E1 lines with
+ microcontrollers
+ \item So far no software/firmware yet, stay tuned!
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{osmo-e1-xcvr.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{osmo\_ss7, osmo\_map, signerl}
+\begin{itemize}
+ \item Erlang-language SS7 implementation (MTP3, SCCP, TCAP, MAP)
+ \item SIGTRAN variants (M2PA, M2UA, M3UA and SUA)
+ \item Enables us to interface with GSM/UMTS inter-operator core network
+ \item Already used in production in some really nasty
+ special-purpose protocol translators (think of NAT for
+ SS7)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{osmo\_ss7, osmo\_map, signerl use cases}
+\begin{itemize}
+ \item Implement GSM/3G core network elements (HLR, SCF, etc.)
+ \item Applications that interact with GSM/3G core network
+ elements
+ \item Mostly useful for small MVNOs or other operators who have
+ requirements that cannot be fulfilled with off-the-shelf
+ proprietary equipment.
+\end{itemize}
+\end{frame}
+
+\begin{frame}{More Osmocom projects}
+\begin{itemize}
+ \item Have a look at http://git.osmcoom.org/
+ \item 79 public git repositories / projects at this point
+ \item way too many to cover here in this talk
+ \item Often RTFS, no manual/docs
+\end{itemize}
+\end{frame}
+
+\section{Non-osmocom projects}
+
+\begin{frame}{The OpenBTS Um - SIP bridge}
+\begin{itemize}
+ \item OpenBTS is a SDR implementation of GSM Um radio interface
+ \item directly bridges to SIP/RTP, no A-bis/BSC/A/MSC
+ \item suitable for research on air interface, but very different
+ from traditional GSM networks
+ \item work is being done to make it interoperable with OpenBSC
+\end{itemize}
+\end{frame}
+
+\begin{frame}{airprobe.org}
+\begin{itemize}
+ \item SDR implementation of Um sniffer
+ \item suitable for receiving GSM Um downlink and uplink
+ \item predates all of the other projects
+ \item more or less abandoned at this point
+\end{itemize}
+\end{frame}
+
+\begin{frame}{UmTRX}
+\begin{itemize}
+ \item SDR hardware, specifically for GSM Um air interface
+ \item can be used with OpenBTS and soon: OsmoTRX / OsmoBTS
+ \item Oepen Hardware Design
+ \item http://code.google.com/p/umtrx/
+\end{itemize}
+\end{frame}
+
+\begin{frame}{xgoldmon}
+\begin{itemize}
+ \item extract all GSM/GPRS and even 3G protocol messages from
+ your Samsung Galaxy 2, Galaxy 3, Note 2, Nexus phone via USB
+ \item feed them into your PC running xgoldmon
+ \item forward them from xgoldmon via GSMTAP into wireshark
+ \item https://github.com/2b-as/xgoldmon
+\end{itemize}
+\end{frame}
+
+\begin{frame}{sysmocom GmbH}{systems for mobile communications}
+\begin{itemize}
+ \item small company, started by two Osmocom developers in Berlin
+ \item provides commercial R\&d and support for professional
+ users of Osmocom software
+ \item develops + sells products like sysmoBTS (inexpensive,
+ small-form-factor, OpenBSC compatible BTS)
+ \item runs a small webshop for Osmocom related hardware items
+ like SIMtrace
+\end{itemize}
+\end{frame}
+
+
+\subsection{Future projects}
+
+\begin{frame}{Where do we go from here?}
+\begin{itemize}
+ \item Dieter Spaar has been working with 3G NodeBs (Ericsson,
+ Nokia) to be able to run our own RNC
+ \item Research into intercepting microwave back-haul links
+ \item Research into GPS simulation / transmission / faking
+ \item Port of OsmocomBB to other baseband chips
+ \item Low-level control from Free Software on a 3G/3.5G phone
+ \item Re-using femtocells in creative ways
+ \item Proprietary PMR systems
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Call for contributions}
+\begin{itemize}
+ \item Don't you agree that classic Internet/TCP/IP is boring and
+ has been researched to death?
+ \item There are many more communications systems out there
+ \item Never trust the industry, they only care about selling
+ their stuff
+ \item Lets democratize access to those communication systems
+ \item Become a contributor or developer today!
+ \item Join our mailing lists, use/improve our code
+ \item for OsmocomBB you only need a EUR 20 phone to start
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Thanks}
+I'd like to thank the many Osmocom developers and contributors,
+especially
+\begin{itemize}
+ \item Dieter Spaar
+ \item Holger Freyther
+ \item Andreas Eversberg
+ \item Sylvain Munaut
+ \item On-Waves e.h.f
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Thanks}
+Thanks for your attention. I hope we have time for Q\&A.
+\end{frame}
+
+
+\end{document}
diff --git a/2014/osmocom-dorscluc2014/osmosdr.jpg b/2014/osmocom-dorscluc2014/osmosdr.jpg
Binary files differ
new file mode 100644
index 0000000..730b579
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/osmosdr.jpg
diff --git a/2014/osmocom-dorscluc2014/simtrace_and_phone.jpg b/2014/osmocom-dorscluc2014/simtrace_and_phone.jpg
Binary files differ
new file mode 100644
index 0000000..3fddf27
--- /dev/null
+++ b/2014/osmocom-dorscluc2014/simtrace_and_phone.jpg |
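Review bot: The preamble loads `url` and activates a custom `leo` style with `\urlstyle{leo}`, yet none of the four addresses in the slide bodies (`http://osmocom.org/`, `http://git.osmcoom.org/`, `http://code.google.com/p/umtrx/`, `https://github.com/2b-as/xgoldmon`) is wrapped in `\url{}`, so the style is never applied and the addresses are typeset as ordinary text; write them as `\item \url{http://osmocom.org/}` and likewise for the other three. `git.osmcoom.org` also reads like a typo for `git.osmocom.org` and is worth confirming before the slides are published. In the style definition, `\def\UrlFont{\sf}` relies on the obsolete two-letter font switch, where `\sffamily` is the supported form, and `\usepackage{times}` is likewise superseded by `newtx`. Several spelling slips in slide text (`Soruce`, `soure`, `Rolle`, `teh`, `understnad`, `fals`, `Oepen`, `R\&d`) would be caught by a spell pass over the frames.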