From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001 
From: Harald Welte Date: Sun, 25 Oct 2015 21:00:20 +0100 Subject: import of old now defunct presentation slides svn repo --- 2009/gsm_network-har2009/1.jpg | Bin 0 -> 230909 bytes 2009/gsm_network-har2009/1_small.jpg | Bin 0 -> 63146 bytes 2009/gsm_network-har2009/2.jpg | Bin 0 -> 168737 bytes 2009/gsm_network-har2009/2_small.jpg | Bin 0 -> 49767 bytes 2009/gsm_network-har2009/3.jpg | Bin 0 -> 154870 bytes 2009/gsm_network-har2009/3_small.jpg | Bin 0 -> 47024 bytes 2009/gsm_network-har2009/4_small.jpg | Bin 0 -> 83009 bytes .../800px-HAR2009-2xBTS-BS11-Installation.JPG | Bin 0 -> 138321 bytes .../800px-HAR2009-BS11-Antennas.JPG | Bin 0 -> 175151 bytes .../gsm_network-har2009/800px-HAR2009-GSM-Tent.JPG | Bin 0 -> 97925 bytes .../800px-HAR2009-OpenBSC-Server.JPG | Bin 0 -> 118267 bytes 2009/gsm_network-har2009/BS11_Init.GIF | Bin 0 -> 19560 bytes 2009/gsm_network-har2009/P1010010-a.JPG | Bin 0 -> 314224 bytes 2009/gsm_network-har2009/calls.png | Bin 0 -> 58989 bytes 2009/gsm_network-har2009/default.mgp | 21 + 2009/gsm_network-har2009/gsm-har2009.mgp | 539 +++++++++++++++++++++ 2009/gsm_network-har2009/har2009-bs11_antennas.jpg | Bin 0 -> 5983413 bytes .../har2009-bs11_antennas.small.jpg | Bin 0 -> 456300 bytes .../gsm_network-har2009/har2009-bs11_antennas2.jpg | Bin 0 -> 5881874 bytes .../har2009-bs11_antennas2.small.jpg | Bin 0 -> 450757 bytes 2009/gsm_network-har2009/har2009-bs11_at_tree.jpg | Bin 0 -> 5853658 bytes .../har2009-bs11_at_tree.small.jpg | Bin 0 -> 442182 bytes 2009/gsm_network-har2009/har2009-gsm_tent.jpg | Bin 0 -> 5604832 bytes .../gsm_network-har2009/har2009-gsm_tent.small.jpg | Bin 0 -> 367411 bytes 2009/gsm_network-har2009/p1010012.jpg | Bin 0 -> 360212 bytes 2009/gsm_network-har2009/p1010012_small.jpg | Bin 0 -> 78955 bytes 2009/gsm_network-har2009/p1010013.jpg | Bin 0 -> 371084 bytes 2009/gsm_network-har2009/p1010013_small.jpg | Bin 0 -> 81358 bytes 2009/gsm_network-har2009/p1010020.jpg | Bin 0 -> 382058 bytes 
2009/gsm_network-har2009/p1010020_small.jpg | Bin 0 -> 115640 bytes 2009/gsm_network-har2009/sms-social-graph.png | Bin 0 -> 470754 bytes 31 files changed, 560 insertions(+) create mode 100644 2009/gsm_network-har2009/1.jpg create mode 100644 2009/gsm_network-har2009/1_small.jpg create mode 100644 2009/gsm_network-har2009/2.jpg create mode 100644 2009/gsm_network-har2009/2_small.jpg create mode 100644 2009/gsm_network-har2009/3.jpg create mode 100644 2009/gsm_network-har2009/3_small.jpg create mode 100644 2009/gsm_network-har2009/4_small.jpg create mode 100644 2009/gsm_network-har2009/800px-HAR2009-2xBTS-BS11-Installation.JPG create mode 100644 2009/gsm_network-har2009/800px-HAR2009-BS11-Antennas.JPG create mode 100644 2009/gsm_network-har2009/800px-HAR2009-GSM-Tent.JPG create mode 100644 2009/gsm_network-har2009/800px-HAR2009-OpenBSC-Server.JPG create mode 100755 2009/gsm_network-har2009/BS11_Init.GIF create mode 100755 2009/gsm_network-har2009/P1010010-a.JPG create mode 100644 2009/gsm_network-har2009/calls.png create mode 100644 2009/gsm_network-har2009/default.mgp create mode 100644 2009/gsm_network-har2009/gsm-har2009.mgp create mode 100755 2009/gsm_network-har2009/har2009-bs11_antennas.jpg create mode 100644 2009/gsm_network-har2009/har2009-bs11_antennas.small.jpg create mode 100755 2009/gsm_network-har2009/har2009-bs11_antennas2.jpg create mode 100644 2009/gsm_network-har2009/har2009-bs11_antennas2.small.jpg create mode 100755 2009/gsm_network-har2009/har2009-bs11_at_tree.jpg create mode 100644 2009/gsm_network-har2009/har2009-bs11_at_tree.small.jpg create mode 100755 2009/gsm_network-har2009/har2009-gsm_tent.jpg create mode 100644 2009/gsm_network-har2009/har2009-gsm_tent.small.jpg create mode 100755 2009/gsm_network-har2009/p1010012.jpg create mode 100644 2009/gsm_network-har2009/p1010012_small.jpg create mode 100755 2009/gsm_network-har2009/p1010013.jpg create mode 100644 2009/gsm_network-har2009/p1010013_small.jpg create mode 100755 
2009/gsm_network-har2009/p1010020.jpg create mode 100644 2009/gsm_network-har2009/p1010020_small.jpg create mode 100644 2009/gsm_network-har2009/sms-social-graph.png (limited to '2009/gsm_network-har2009')
diff --git a/2009/gsm_network-har2009/1.jpg b/2009/gsm_network-har2009/1.jpg
new file mode 100644
index 0000000..b03b57b
Binary files /dev/null and b/2009/gsm_network-har2009/1.jpg differ
diff --git a/2009/gsm_network-har2009/1_small.jpg b/2009/gsm_network-har2009/1_small.jpg
new file mode 100644
index 0000000..602b830
Binary files /dev/null and b/2009/gsm_network-har2009/1_small.jpg differ
diff --git a/2009/gsm_network-har2009/2.jpg b/2009/gsm_network-har2009/2.jpg
new file mode 100644
index 0000000..8a3ac86
Binary files /dev/null and b/2009/gsm_network-har2009/2.jpg differ
diff --git a/2009/gsm_network-har2009/2_small.jpg b/2009/gsm_network-har2009/2_small.jpg
new file mode 100644
index 0000000..5ea0930
Binary files /dev/null and b/2009/gsm_network-har2009/2_small.jpg differ
diff --git a/2009/gsm_network-har2009/3.jpg b/2009/gsm_network-har2009/3.jpg
new file mode 100644
index 0000000..40569a6
Binary files /dev/null and b/2009/gsm_network-har2009/3.jpg differ
diff --git a/2009/gsm_network-har2009/3_small.jpg b/2009/gsm_network-har2009/3_small.jpg
new file mode 100644
index 0000000..669719f
Binary files /dev/null and b/2009/gsm_network-har2009/3_small.jpg differ
diff --git a/2009/gsm_network-har2009/4_small.jpg b/2009/gsm_network-har2009/4_small.jpg
new file mode 100644
index 0000000..b15d3aa
Binary files /dev/null and b/2009/gsm_network-har2009/4_small.jpg differ
diff --git a/2009/gsm_network-har2009/800px-HAR2009-2xBTS-BS11-Installation.JPG b/2009/gsm_network-har2009/800px-HAR2009-2xBTS-BS11-Installation.JPG
new file mode 100644
index 0000000..7c579b1
Binary files /dev/null and b/2009/gsm_network-har2009/800px-HAR2009-2xBTS-BS11-Installation.JPG differ
diff --git a/2009/gsm_network-har2009/800px-HAR2009-BS11-Antennas.JPG b/2009/gsm_network-har2009/800px-HAR2009-BS11-Antennas.JPG
new file mode 100644
index 0000000..440c611
Binary files /dev/null and b/2009/gsm_network-har2009/800px-HAR2009-BS11-Antennas.JPG differ
diff --git a/2009/gsm_network-har2009/800px-HAR2009-GSM-Tent.JPG b/2009/gsm_network-har2009/800px-HAR2009-GSM-Tent.JPG
new file mode 100644
index 0000000..7d16d2d
Binary files /dev/null and b/2009/gsm_network-har2009/800px-HAR2009-GSM-Tent.JPG differ
diff --git a/2009/gsm_network-har2009/800px-HAR2009-OpenBSC-Server.JPG b/2009/gsm_network-har2009/800px-HAR2009-OpenBSC-Server.JPG
new file mode 100644
index 0000000..dac085c
Binary files /dev/null and b/2009/gsm_network-har2009/800px-HAR2009-OpenBSC-Server.JPG differ
diff --git a/2009/gsm_network-har2009/BS11_Init.GIF b/2009/gsm_network-har2009/BS11_Init.GIF
new file mode 100755
index 0000000..bca506e
Binary files /dev/null and b/2009/gsm_network-har2009/BS11_Init.GIF differ
diff --git a/2009/gsm_network-har2009/P1010010-a.JPG b/2009/gsm_network-har2009/P1010010-a.JPG
new file mode 100755
index 0000000..ded8aee
Binary files /dev/null and b/2009/gsm_network-har2009/P1010010-a.JPG differ
diff --git a/2009/gsm_network-har2009/calls.png b/2009/gsm_network-har2009/calls.png
new file mode 100644
index 0000000..205b991
Binary files /dev/null and b/2009/gsm_network-har2009/calls.png differ
diff --git a/2009/gsm_network-har2009/default.mgp b/2009/gsm_network-har2009/default.mgp
new file mode 100644
index 0000000..a0fcfc2
--- /dev/null
+++ b/2009/gsm_network-har2009/default.mgp
@@ -0,0 +1,21 @@
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% This default.mgp is "Xft2" oriented.
+%deffont "standard" xfont "serif"
+%deffont "thick" xfont "sans-serif"
+%deffont "typewriter" xfont "monospace"
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Default settings per each line numbers.
+%%
+%default 1 area 90 90, leftfill, size 2, fore "white", back "black", font "thick"
+%default 2 size 7, vgap 10, prefix " "
+%default 3 size 2, bar "gray70", vgap 10
+%default 4 size 5, fore "white", vgap 30, prefix " ", font "standard"
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Default settings that are applied to TAB-indented lines.
+%%
+%tab 1 size 5, vgap 40, prefix " ", icon box "green" 50
+%tab 2 size 4, vgap 40, prefix " ", icon arc "yellow" 50
+%tab 3 size 3, vgap 40, prefix " ", icon delta3 "white" 40
diff --git a/2009/gsm_network-har2009/gsm-har2009.mgp b/2009/gsm_network-har2009/gsm-har2009.mgp
new file mode 100644
index 0000000..7c01fb0
--- /dev/null
+++ b/2009/gsm_network-har2009/gsm-har2009.mgp
@@ -0,0 +1,539 @@ +%include "default.mgp" +%default 1 bgrad +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +%nodefault +%back "blue" + +%center +%size 7 + +OpenBSC + +%size 5 +Running Your own +GSM Network + +%center +%size 4 +by + +Harald Welte + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +Why? + + +Why would you run your own GSM network? + For the same reason you might run other networks + To learn and experiment with technology + To boldly go where no [free] man has gone before ;) + Practical demonstration of known GSM security problems + Raise public awareness abut GSM [in]security + thus increase the incentive for the market to improve + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +Legal Disclaimer + + +Legal Disclaimer + Don't try this at home! + GSM operates on LICENSED spectrum + Thus, you need approval from the regulatory authority + Only use BTS with dummy load! + Don't interfere with the operators! + Our software is strictly for research purpose only + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +GSM Network Architecture + + +The Hitchhikers Guide to the GSM Network + unfortunately does not exist + +The GSM related literature + is typically too high-level + +The GSM protocol specifications + are publicly available but _very_ comprehensive (1,108 PDFs, 414MByte) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +GSM Network Architecture + +GSM is a bit-synchronous network + it draws many analogies from ISDN and SDN + layer 2 modelled after Q.921 / LAPD + call signalling modelled Q.931 + but: many more protocols for mobility management, radio resources, ... + like all traditional Telco protocols: Intelligence in the network, not in the end nodes. 
+ +GSM is a TDMA "nightmare" + e.g. you never know from/for whom data is without the timing context + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +GSM Network Architecture + +MS + Mobile Station (your Phone) +BTS + Base Transceiver Station +BSC + Base Station Controller +MSC + Mobile Switching Center +HLR/VLR + Home/Visitor Location Register + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +GSM Base Transceiver Station + + +BTS + As the name indicates "transceiver" + Handles + Layer 1 and some parts of RF layer2 + Modulation/Demodulation + Time Multiplex, scheduling of frames + Is not a "Base Station", i.e. not self-contained + True 'slave' to the BSC + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +GSM Base Station Controller + + +BSC + Base Station Controller + Handles + most of the actual decision making + really controls most aspects of BTSs + handles intra-BSC cell handover + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +GSM Mobile Switching Center + + +MSC + Mobile Switching Center + Handles + Actual switching of the calls + Interworking with ISDN or POTS + Inter-BSC cell handover +HLR/VLR + Home/Visitor Location Register + Handles + database of local / roaming subscribers + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +GSM Um interface + + +MS <-> BTS Interface + is called Um + layer 2: LAPD derived; called LAPDm + layer 3: GSM 04.08 RR / MM / CC + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +GSM A-bis interface + + +BSC <-> BTS Interface + is called A-bis + has the following control layers on E1 TS1 + L2ML (Layer 2 Management) + TEI management similar to ISDN + OML (Organization 
& Maintenance) + System parameters, events + RSL (Radio Subsystem Layer) + has encoded voice data (TRAU frames) on other E1 TS + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +GSM A-bis interface + +%image "2_small.jpg" + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +GSM A-bis interface + +%image "3_small.jpg" + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +GSM A-bis interface + + +Abis RSL + contains messages for + Radio Link Layer (RLL) + Dedicated Channel (DCHAN) + Common Channel (CCHAN) + Transceiver (TRX) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +GSM Mobile Switching Center + + +Abis RSL Radio Link Layer + contains messages for + Call Control (CC) + Mobility Management (MM) + Radio Resource (RR) + Short Message Service (SMS) + mostly specified in GSM TS 04.08 + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The Siemens BS-11 microBTS + + +Siemens BS-11 microBTS + plain old 2G (GSM voice calls, CSD) + one or two TRX, 30mW to 2W each, GSM900 + two E1 interfaces (for daisy-chaining) + documentation under NDA, but + 99.9% of the A-bis protocol available from GSM specs + See TS 04.08 (RLL), 12.21 (OML), 08.58 (RSL) + RS232 serial port for Local Maintenance Terminal + LMT software proprietary under NDA + not needed for operation of the BTS + bs11_config is a FOSS replacement + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The Siemens BS-11 microBTS + +%image "1_small.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The Siemens BS-11 microBTS + +%image "p1010012_small.jpg" + 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The Siemens BS-11 microBTS + +%image "p1010013_small.jpg" +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The Siemens BS-11 microBTS + +%image "p1010020_small.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The Siemens BS-11 microBTS + + +First steps with the Siemens BS-11 + Harald bought a BS-11 on e-Bay in 2006 + Started to read some specs (08.5x) about A-bis + Started to build cables for E1 and power + Bought HFC-E1 PCI card + Bought Elmi EGM35 Abis analyzer (e-Bay once again) + Contacted with other people who also bought BS-11 + Found somebody who could provide Abis traces + Never really had time due to Openmoko and other projects + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The Siemens BS-11 microBTS + + +Further steps with the Siemens BS-11 + Dieter bought a BS-11 09/2008 + Bought HFC-E1 PCI card + Started development based on HFC-E1 reference driver code + Found somebody who could provide Abis traces + Made very quick progress + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +BS11-Init + + +BS11-Init (09/2008) + Chip cologne HFC-E1 reference code for DOS + polling, no interrupts + ported to Windows and Linux (mmap of HFC registers to userspace) + proof-of-concept code based on challenge-response + handles TEI assignment, brings OML and RSL up + allows for location update and paging of single phone + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +BS11-Init + +%image "4_small.jpg" + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +From BS11-Init to OpenBSC + + +From 
BS11-Init to OpenBSC (12/2008) + get L2ML to work with mISDN + mainline mISDN doesn't deal with multiple SAPIs and fixed TEI + learn how new sockets-based mISDN API works + come up with event-driven architecture, single sleect loop, no threads, ... + At 25C3: + add libdbi/sqlite database for "HLR" + get paging to work, support for configurable network ID + debugging + stabilization with > 1000 test users ;) + IMSI + IMEI skimming + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +OpenBSC takes off (2009) + + + implementation of more features + SMS store-and-forward switching + stable voice calls (FR and EFR codec) + support for more than one transceiver per BTS + support for multiple BTS + cisco-like console interface + support for more BTS models (ip.access nanoBTS) + interface to traditional E1 (using linux call router) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +OpenBSC takes off (2009) + + + fixing tons of bugs and stability issues + don't rely on the phone behaving properly (e.g. 
timeouts) + fix plenty of resource leaks (RAM) + fix plenty of resource leaks like on-air channels + finally uncover the last bits of the Siemens a-bis extensions + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +OpenBSC status today + + + OpenBSC is a 'gsm network in a box' + no need for separate MSC/HLR/VLR/AUC/SMSC + Capabilities + operation of a network with > 400 users + multiple BTS with each multiple TRX + voice calls and SMS implementation fairly complete + no in-call handover (only in idle mode) + no GPRS (yet), no EDGE (yet) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +OpenBSC future + + + Separation between BSC and MSC + Support actual A interface (over SCCP) + allows us to be used with real MSC + Support for GPRS + EDGE (with proper BTS) + Routing of calls between E1 and IP/RTP based BTS + Interfaces for external apps such as Scapy packet injection + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The HAR2009 GSM Network + + + License from Agentschap Telecom + Stichting Hxx applied for a GSM test license + license permits us to use 4 ARFCN's + Transmit power of 100mW on each ARFCN + antenna height restricted to 3m + in case operators get interference, we have to shut down + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The HAR2009 GSM Network + + + Two BS-11, each two TRX + BTS0 runs on ARFCN 121 and 123 (LAC 1) + BTS1 runs on ARFCN 124 and 122 (LAC 2) + Antennas mounted back-to-back to a tree on top of a hill + Two BTS share single E1 link in multi-drop mode + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The HAR2009 GSM BTS's + +%image "har2009-bs11_at_tree.small.jpg" + 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The HAR2009 BTS Antennas + +%image "har2009-bs11_antennas.small.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The HAR2009 BTS Antennas + +%image "har2009-bs11_antennas2.small.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The HAR2009 GSM Network + + + One Linux PC with OpenBSC + uses mISDN driver for HFC-E1 card + 60m of CAT5 cable runs E1 to the + Network ID: NCC 204 (NL), MNC 42 + Typical CPU usage < 5% + Typical RAM usage < 3MB RSS + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The HAR2009 OpenBSC + +%image "har2009-gsm_tent.small.jpg" + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The HAR2009 GSM Network + + + Registration procedure + Your phone tries to use 204-42 or NL-42 + When we first see a particular IMSI + we send a SMS with auth token and URL + we kick phone off the network + You go to the URL indicated and enter your token + we mark the IMSI as authorized in our HLR DB + You try to register to the network again + we let the phone on our network + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The HAR2009 GSM Network + + + How can I use the network + make and receive calls to/from other registered phones + send and receive SMS to/from other registered phones + How can I play with the network + use airprobe or other tools to eavesdrop on GSM protocol + we don't use any crypto nor frequency hopping + we don't do SMS filtering, i.e. 
you can send any RPDU to any other phone + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The HAR2009 GSM Network + + + Helps us to test OpenBSC under higher load + already fixed several important software bugs + Helps us to obtain real-world protocol traces + Helps us to explore [in]compabibilities with certain phones + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +The HAR2009 GSM Network + + + Statistics + More than 1100 phones tried to use our network + More than 450 phones completed registration + More than 1000 SMS sent (use more bandwidth!) + More than FIXME attempted voice calls + More than FIXME established voice calls + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +Links + + OpenBSC + http://openbsc.gnumonks.org/ + 3GPP / ETSI GSM Specs + http://www.3gpp.org/ + Priv-Doz. Dr.-Ing Joachim Goeller + http://www2.informatik.hu-berlin.de/~goeller + THC GSM Wiki + http://wiki.thc.org/gsm + OpenBTS + http://gnuradio.org/trac/wiki/OpenBTS + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +Thanks + + +Thanks to + zecke, alphaone, Stefan, Jan for their work on OpenBSC + W. for his extensive A-bis protocol traces and MA-10 + Dieter Spaar for his most excellent input + Karsten Keil for mISDN + Andreas Eversberg for LCR interface and HFC-E1 driver + Stichting Hxx for getting the license + all the voluntary testers at HAR2009 + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Running Your Own GSM Network +Thanks + + +LIVE DEMO diff --git a/2009/gsm_network-har2009/har2009-bs11_antennas.jpg b/2009/gsm_network-har2009/har2009-bs11_antennas.jpg new file mode 100755 index 0000000..456d556 Binary files /dev/null and b/2009/gsm_network-har2009/har2009-bs11_antennas.jpg differ 
diff --git a/2009/gsm_network-har2009/har2009-bs11_antennas.small.jpg b/2009/gsm_network-har2009/har2009-bs11_antennas.small.jpg
new file mode 100644
index 0000000..bb5a5da
Binary files /dev/null and b/2009/gsm_network-har2009/har2009-bs11_antennas.small.jpg differ
diff --git a/2009/gsm_network-har2009/har2009-bs11_antennas2.jpg b/2009/gsm_network-har2009/har2009-bs11_antennas2.jpg
new file mode 100755
index 0000000..2a1c0a0
Binary files /dev/null and b/2009/gsm_network-har2009/har2009-bs11_antennas2.jpg differ
diff --git a/2009/gsm_network-har2009/har2009-bs11_antennas2.small.jpg b/2009/gsm_network-har2009/har2009-bs11_antennas2.small.jpg
new file mode 100644
index 0000000..944db02
Binary files /dev/null and b/2009/gsm_network-har2009/har2009-bs11_antennas2.small.jpg differ
diff --git a/2009/gsm_network-har2009/har2009-bs11_at_tree.jpg b/2009/gsm_network-har2009/har2009-bs11_at_tree.jpg
new file mode 100755
index 0000000..abd99d6
Binary files /dev/null and b/2009/gsm_network-har2009/har2009-bs11_at_tree.jpg differ
diff --git a/2009/gsm_network-har2009/har2009-bs11_at_tree.small.jpg b/2009/gsm_network-har2009/har2009-bs11_at_tree.small.jpg
new file mode 100644
index 0000000..92f6aef
Binary files /dev/null and b/2009/gsm_network-har2009/har2009-bs11_at_tree.small.jpg differ
diff --git a/2009/gsm_network-har2009/har2009-gsm_tent.jpg b/2009/gsm_network-har2009/har2009-gsm_tent.jpg
new file mode 100755
index 0000000..22620f4
Binary files /dev/null and b/2009/gsm_network-har2009/har2009-gsm_tent.jpg differ
diff --git a/2009/gsm_network-har2009/har2009-gsm_tent.small.jpg b/2009/gsm_network-har2009/har2009-gsm_tent.small.jpg
new file mode 100644
index 0000000..f161a8d
Binary files /dev/null and b/2009/gsm_network-har2009/har2009-gsm_tent.small.jpg differ
diff --git a/2009/gsm_network-har2009/p1010012.jpg b/2009/gsm_network-har2009/p1010012.jpg
new file mode 100755
index 0000000..d5bb0a0
Binary files /dev/null and b/2009/gsm_network-har2009/p1010012.jpg differ
diff --git a/2009/gsm_network-har2009/p1010012_small.jpg b/2009/gsm_network-har2009/p1010012_small.jpg
new file mode 100644
index 0000000..84db0ce
Binary files /dev/null and b/2009/gsm_network-har2009/p1010012_small.jpg differ
diff --git a/2009/gsm_network-har2009/p1010013.jpg b/2009/gsm_network-har2009/p1010013.jpg
new file mode 100755
index 0000000..5f02c04
Binary files /dev/null and b/2009/gsm_network-har2009/p1010013.jpg differ
diff --git a/2009/gsm_network-har2009/p1010013_small.jpg b/2009/gsm_network-har2009/p1010013_small.jpg
new file mode 100644
index 0000000..2d0100d
Binary files /dev/null and b/2009/gsm_network-har2009/p1010013_small.jpg differ
diff --git a/2009/gsm_network-har2009/p1010020.jpg b/2009/gsm_network-har2009/p1010020.jpg
new file mode 100755
index 0000000..6054343
Binary files /dev/null and b/2009/gsm_network-har2009/p1010020.jpg differ
diff --git a/2009/gsm_network-har2009/p1010020_small.jpg b/2009/gsm_network-har2009/p1010020_small.jpg
new file mode 100644
index 0000000..241da98
Binary files /dev/null and b/2009/gsm_network-har2009/p1010020_small.jpg differ
diff --git a/2009/gsm_network-har2009/sms-social-graph.png b/2009/gsm_network-har2009/sms-social-graph.png
new file mode 100644
index 0000000..1ea1f86
Binary files /dev/null and b/2009/gsm_network-har2009/sms-social-graph.png differ
-- cgit v1.2.3