From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Sun, 25 Oct 2015 21:00:20 +0100
Subject: import of old now defunct presentation slides svn repo
---
2011/gsm-ensa2011/section-openbts.tex | 183 ++++++++++++++++++++++++++++++++++
1 file changed, 183 insertions(+)
create mode 100644 2011/gsm-ensa2011/section-openbts.tex
(limited to '2011/gsm-ensa2011/section-openbts.tex')
diff --git a/2011/gsm-ensa2011/section-openbts.tex b/2011/gsm-ensa2011/section-openbts.tex
new file mode 100644
index 0000000..9c04222
--- /dev/null
+++ b/2011/gsm-ensa2011/section-openbts.tex
@@ -0,0 +1,183 @@
+\section{OpenBTS, airprobe and wireshark}
+
+\subsection{OpenBTS Introduction}
+
+\begin{frame}{What is OpenBTS?}
+\begin{itemize}
+ \item is {\em NOT} a BTS in the typical GSM sense
+ \item is better described as a GSM-Um to SIP gateway
+ \item implements the GSM Um (air interface) as SDR
+ \item uses the USRP hardware as RF interface
+ \item does not implement any of BSC, MSC, HLR, etc.
+ \item bridges the GSM Layer3 protocol onto SIP
+ \item uses SIP switch (like Asterisk) for switching calls + SMS
+ \item is developed as C++ program and runs on Linux + MacOS
+\end{itemize}
+\end{frame}
+
+\begin{frame}{What is OpenBTS?}
+\begin{itemize}
+ \item Open implementation of Um L1 \& L2, an all-software BTS.
+ \item L1/L2 design based on an object-oriented dataflow approach.
+ \item Includes L3 RR functions normally found in BSC.
+ \item Uses SIP PBX for MM and CC functions, eliminating the conventional GSM network. L3 is like an ISDN/SIP gateway.
+ \item Intended for use in low-cost and rapidly-deployed communications networks, but can be used for experiments (including by Chris Paget at Def Con).
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS Hardware}
+OpenBTS supports the following SDR hardware
+\begin{itemize}
+ \item Ettus USRP(1) with two RFX 900 or RFX 1800 daughter boards
+ \begin{itemize}
+ \item Modification for external clock input recommended
+ \item External 52 MHz precision clock recommended
+ \end{itemize}
+ \item Kestrel Signal Processing / Range Networks custom radio
+ \item Close Haul Communications / GAPfiller (work in progress)
+ \item Ported to other radios by other clients
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{OpenBTS History + Tests}
+\begin{itemize}
+ \item Started work in August 2007, first call in January 2008, first SMS in December 2008.
+ \item First public release in September 2008, assigned to FSF in October 2008.
+ \item Tested 3-sector system with 10,000-20,000 handsets at September 2009 Burning Man event in Nevada.
+ \item Tested 2-sector system with 40,000 handsets at September 2010 Burning Man event in Nevada.
+ \item Release 2.5 is about 13k lines of C++.
+ \item Part of GNU Radio project, distributed under GPLv3 (>= 2.6: AGPLv3)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS Software Architecture}
+\begin{itemize}
+ \item {\tt Transceiver} program
+ \begin{itemize}
+ \item SDR processing for Layer 0
+ \item BTS-side GSM Um Layer 1 implementation
+ \item sends GSM burst data via UDP socket
+ \end{itemize}
+ \item {\tt OpenBTS} program
+ \begin{itemize}
+ \item GSM Um Layer 2 (04.06) + 3 (04.08) implementation
+ \item SIP UA implementation
+ \item GSM Layer 3 CC to SIP bridge implementation
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS GSM <-> SIP mapping}
+\begin{itemize}
+ \item Location Updates mapped to SIP registration
+ \begin{itemize}
+ \item Use IMSI as SIP user name
+ \end{itemize}
+ \item Call Control mapped to SIP transactions
+ \begin{itemize}
+ \item relatively straight-forward
+ \end{itemize}
+ \item GSM Traffic Channels mapped to RTP channels
+ \begin{itemize}
+ \item No transcoding inside OpenBTS, FR/EFR messages are simply relayed
+ \end{itemize}
+ \item SMS mapped to SIP messaging according to RFC 3428
+ \begin{itemize}
+ \item A separate {\tt smqueue} daemon implements store+forward
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+%\subsection{Clocking}
+
+\begin{frame}{OpenBTS USRP Clocking}{Clock Stability}
+\begin{itemize}
+ \item USRP has regular XO (Crystal Oscillator) with 20ppm accuracy
+ \item GSM requires 20ppb carrier clock accuracy
+ \item possible solutions
+ \begin{itemize}
+ \item use external VCTCXO clocking module
+ \item use external OCXO clocking module
+ \item use a software calibration program comparing USRP XO with real GSM BTS carrier clocks
+ \end{itemize}
+ \item due to clock multiplication, absolute error in GSM1800 is higher than in GSM900
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{OpenBTS USRP Clocking}{64 MHz vs. 52 MHz clock}
+\begin{itemize}
+ \item The USRP master clock is 64 Mhz
+ \item In GSM, all clocks are derived from 13 MHz
+ \item Thus, a poly-phase re-sampler is part of SDR software
+ \item Alternative: use 52 MHz (13 MHz * 4) external clock
+ \item OpenBTS has two transceiver programs, one for each 64 MHz and 52 MHz
+ \begin{itemize}
+ \item Make sure to never use the wrong transceiver for your clock!
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBTS USRP Clocking}{Software Calibration}
+Basic idea: Use real GSM cell as clock source
+\begin{itemize}
+ \item Implemented by the {\em Kalibrator} ({\tt kal}) program
+ \item Acquire the FCCH burst of a real GSM cell
+ \item Measure the clock difference between USRP XO and that cell
+ \item Use the computed error as offset to USRP up/downconverter
+ \item However, temperature and other drift will make clocks go out of sync over time
+ \item Can only be used if a real-world GSM network is within range
+\end{itemize}
+\end{frame}
+
+%\begin{frame}[fragile]{OpenBTS USRP Clocking}{Kalibrator Example}
+%\begin{block}{Example of running {\tt kal}}
+%\begin{lstlisting}
+%[openBTS@openBTS kal-0.2]# ./kal -f 946600000 -u
+%USRP side: B
+%FPGA clock: 52000000
+%Decimation: 192
+%Antenna: RX2
+%Sample rate: 270833.343750
+%average [min, max] (range, stddev) -2197.789062 [-2431, -1843] (588, 146.761444)
+%\end{lstlisting}
+%\end{block}
+%The value {\bf -2198 should be used as FREQOFF constant in Transceiver/USRPDevice.cpp}
+%\end{frame}
+
+\begin{frame}{OpenBTS -- ``Nevada Test Site'' \& 21m Mast}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=85mm]{NevadaTestSite.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Burning Man 2010 Tower Base}
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=85mm]{OBTSBM2010.jpg}
+\end{figure}
+\end{frame}
+
+%\begin{frame}{OpenBTS}
+% Demonstration
+%\end{frame}
+
+\begin{frame}{OpenMS}
+\begin{itemize}
+ \item Subscriber side stack based on OpenBTS.
+ \item Called MS, but just a BTS stack with data flows reversed and a different RR control logic.
+ \item Behavior is more like a passive interceptor that can also transmit.
+ \item Release 1.0 supports non-hopping multi-ARFCN networks.
+ \item Most L3 control logic provided by the end user.
+ \item A platform for
+ \begin{itemize}
+ \item passive interceptors
+ \item custom subscriber-side applications
+ \item environment analysis
+ \item intelligent jamming
+ \end{itemize}
+ \item NOT Open Source
+\end{itemize}
+\end{frame}
-- cgit v1.2.3
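Review bot: The `<` and `>` in the frame title `\begin{frame}{OpenBTS GSM <-> SIP mapping}` and in the license item `(>= 2.6: AGPLv3)` are typed in text mode, where pdfLaTeX's default OT1 encoding prints them as inverted punctuation rather than angle brackets, unless the main document loads `\usepackage[T1]{fontenc}`, which this hunk cannot show. Writing them in math mode avoids the dependency, e.g. `\begin{frame}{OpenBTS GSM $\leftrightarrow$ SIP mapping}` and `($\geq$ 2.6: AGPLv3)`. The live slides also use the plain-TeX font switches `{\em NOT}` and `{\tt Transceiver}`, which should be `\emph{NOT}` and `\texttt{Transceiver}` so they nest and scale correctly inside beamer's item fonts. The two photo frames wrap `\includegraphics[width=85mm]{NevadaTestSite.jpg}` in `\begin{figure}[h]`; inside a beamer frame the float wrapper is unnecessary and the absolute width is better given relative to the frame, `\includegraphics[width=0.8\linewidth]{NevadaTestSite}`, with the extension left for graphicx to resolve.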