From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Sun, 25 Oct 2015 21:00:20 +0100
Subject: import of old now defunct presentation slides svn repo
---
2012/osmocom-brno2012/abstract.txt | 19 +
2012/osmocom-brno2012/bts_tree_full.jpg | Bin 0 -> 1512137 bytes
2012/osmocom-brno2012/c123_pcb.jpg | Bin 0 -> 684904 bytes
2012/osmocom-brno2012/osmo-e1-xcvr.jpg | Bin 0 -> 157754 bytes
2012/osmocom-brno2012/osmocom-overview.pdf | Bin 0 -> 2889508 bytes
2012/osmocom-brno2012/osmocom-overview.snm | 0
2012/osmocom-brno2012/osmocom-overview.tex | 583 +++++++++++++++++++++++++++
2012/osmocom-brno2012/osmosdr.jpg | Bin 0 -> 177383 bytes
2012/osmocom-brno2012/simtrace_and_phone.jpg | Bin 0 -> 73335 bytes
9 files changed, 602 insertions(+)
create mode 100644 2012/osmocom-brno2012/abstract.txt
create mode 100644 2012/osmocom-brno2012/bts_tree_full.jpg
create mode 100644 2012/osmocom-brno2012/c123_pcb.jpg
create mode 100644 2012/osmocom-brno2012/osmo-e1-xcvr.jpg
create mode 100644 2012/osmocom-brno2012/osmocom-overview.pdf
create mode 100644 2012/osmocom-brno2012/osmocom-overview.snm
create mode 100644 2012/osmocom-brno2012/osmocom-overview.tex
create mode 100644 2012/osmocom-brno2012/osmosdr.jpg
create mode 100644 2012/osmocom-brno2012/simtrace_and_phone.jpg
(limited to '2012/osmocom-brno2012')
diff --git a/2012/osmocom-brno2012/abstract.txt b/2012/osmocom-brno2012/abstract.txt
new file mode 100644
index 0000000..de22708
--- /dev/null
+++ b/2012/osmocom-brno2012/abstract.txt
@@ -0,0 +1,19 @@
+Osmocom.org - Community based Open Source Mobile Communications
+
+For decades, there is a sheer unlimited number of readily available
+Free / Open Source Software (FOSS) projects related to TCP/IP/Ethernet
+networks.
+
+On the contrary, until 2009, there was no FOSS in the field of mobile
+communications protocols like GSM and UMTS at all. Projects like
+OpenBSC and OpenBTS have changed this ever since.
+
+Osmocom.org is a community-based umbrella project containing
+implementations for various network elements of GSM/GPRS/EDGE networks,
+including MS, BTS, BSC (OpenBSC), MGW, STP, SGSN, GGSN, etc.
+Furthermore, it also contains software for GMR (ETSI Geo Mobile Radio,
+used by Thuraya), as well as TETRA, DECT and APCO25.
+
+This lecture will give an overview about the different osmocom.org
+projects, their applications and the motivation of the people who
+implemented the software.
diff --git a/2012/osmocom-brno2012/bts_tree_full.jpg b/2012/osmocom-brno2012/bts_tree_full.jpg
new file mode 100644
index 0000000..6b5c5e8
Binary files /dev/null and b/2012/osmocom-brno2012/bts_tree_full.jpg differ
diff --git a/2012/osmocom-brno2012/c123_pcb.jpg b/2012/osmocom-brno2012/c123_pcb.jpg
new file mode 100644
index 0000000..a9f24fc
Binary files /dev/null and b/2012/osmocom-brno2012/c123_pcb.jpg differ
diff --git a/2012/osmocom-brno2012/osmo-e1-xcvr.jpg b/2012/osmocom-brno2012/osmo-e1-xcvr.jpg
new file mode 100644
index 0000000..8802e08
Binary files /dev/null and b/2012/osmocom-brno2012/osmo-e1-xcvr.jpg differ
diff --git a/2012/osmocom-brno2012/osmocom-overview.pdf b/2012/osmocom-brno2012/osmocom-overview.pdf
new file mode 100644
index 0000000..d6ab5fd
Binary files /dev/null and b/2012/osmocom-brno2012/osmocom-overview.pdf differ
diff --git a/2012/osmocom-brno2012/osmocom-overview.snm b/2012/osmocom-brno2012/osmocom-overview.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2012/osmocom-brno2012/osmocom-overview.tex b/2012/osmocom-brno2012/osmocom-overview.tex
new file mode 100644
index 0000000..e7fc7f4
--- /dev/null
+++ b/2012/osmocom-brno2012/osmocom-overview.tex
@@ -0,0 +1,583 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+ \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau .
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{osmocom.org - FOSS for mobile comms}
+
+\subtitle
+{community based Free / Open Source Software for communications}
+
+\author{Harald Welte }
+
+\institute
+{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[] % (optional, should be abbreviation of conference name)
+{22nd February, Brno / Czech Republic}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Communications}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents[hideallsubsections]
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+ \item Using + toying with Linux since 1994
+ \item Kernel / bootloader / driver / firmware development since 1999
+ \item IT security expert, focus on network protocol security
+ \item Former core developer of Linux packet filter netfilter/iptables
+ \item Board-level Electrical Engineering
+ \item Always looking for interesting protocols (RFID, DECT, GSM)
+ \item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN
+\end{itemize}
+\end{frame}
+
+
+\section{Researching communications systems}
+
+\subsection{The Rolle of FOSS}
+
+\begin{frame}{Research in TCP/IP/Ethernet}
+Assume you want to do some research in the TCP/IP/Ethernet
+communications area,
+\begin{itemize}
+ \item you use off-the-shelf hardware (x86, Ethernet card)
+ \item you start with the Linux / *BSD stack
+ \item you add the instrumentation you need
+ \item you make your proposed modifications
+ \item you do some testing
+ \item you write your paper and publish the results
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Research in (mobile) communications}
+Assume it is before 2009 (before Osmocom) and you want to do some research in mobile comms
+\begin{itemize}
+ \item there is no FOSS implementation of any of the protocols or
+ functional entities
+ \item almost no university has a test lab with the required
+ equipment. And if they do, it is black boxes that you
+ cannot modify according to your research requirements
+ \item you turn away at that point, or you cannot work on really
+ exciting stuff
+ \item only chance is to partner with commercial company, who
+ puts you under NDAs and who wants to profit from your
+ research
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GSM/3G vs. Internet}
+\begin{itemize}
+ \item Observation
+ \begin{itemize}
+ \item Both GSM/3G and TCP/IP protocol specs are publicly available
+ \item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny
+ \item GSM networks are as widely deployed as the Internet
+ \item Yet, GSM/3G protocols receive no such scrutiny!
+ \end{itemize}
+ \item There are reasons for that:
+ \begin{itemize}
+ \item GSM industry is extremely closed (and closed-minded)
+ \item Only about 4 closed-source protocol stack implementations
+ \item GSM chipset makers never release any hardware documentation
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{The closed GSM industry}
+
+\begin{frame}{The closed GSM industry}{Handset manufacturing side}
+\begin{itemize}
+ \item Only very few companies build GSM/3.5G baseband chips today
+ \begin{itemize}
+ \item Those companies buy the operating system kernel and the protocol stack from third parties
+ \end{itemize}
+ \item Only very few handset makers are large enough to become a customer
+ \begin{itemize}
+ \item Even they only get limited access to hardware documentation
+ \item Even they never really get access to the firmware source
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The closed GSM industry}{Network manufacturing side}
+\begin{itemize}
+ \item Only very few companies build GSM network equipment
+ \begin{itemize}
+ \item Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei
+ \item Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment
+ \end{itemize}
+ \item Only operators buy equipment from them
+ \item Since the quantities are low, the prices are extremely high
+ \begin{itemize}
+ \item e.g. for a BTS, easily 10-40k EUR
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The closed GSM industry}{Operator side}
+\begin{itemize}
+ \item Operators are mainly banks today
+ \item Typical operator outsources
+ \begin{itemize}
+ \item Network planning / deployment / servicing
+ \item Even Billing!
+ \end{itemize}
+ \item Operator just knows the closed equipment as shipped by manufacturer
+ \item Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GSM is more than phone calls}
+Listening to phone calls is boring...
+\begin{itemize}
+ \item Machine-to-Machine (M2M) communication
+ \begin{itemize}
+ \item BMW can unlock/open your car via GSM
+ \item Alarm systems often report via GSM
+ \item Smart Metering (Utility companies)
+ \item GSM-R / European Train Control System
+ \item Vending machines report that their cash box is full
+ \item Control if wind-mills supply power into the grid
+ \item Transaction numbers for electronic banking
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{Security implications}
+
+\begin{frame}{The closed GSM industry}{Security implications}
+The security implications of the closed GSM industry are:
+\begin{itemize}
+ \item Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers
+ \item No independent research on protocol-level security
+ \begin{itemize}
+ \item If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis)
+ \item Or on application level (e.g. mobile malware)
+ \end{itemize}
+ \item No open source protocol implementations
+ \begin{itemize}
+ \item which are key for making more people learn about the protocols
+ \item which enable quick prototyping/testing by modifying existing code
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The closed GSM industry}{My self-proclaimed mission}
+Mission: Bring TCP/IP/Internet security knowledge to GSM
+\begin{itemize}
+ \item Create tools to enable independent/public IT Security community to examine GSM
+ \item Try to close the estimated 10 year gap between the state of security technology on the Internet vs. GSM networks
+ \begin{itemize}
+ \item Industry thinks in terms of {\em walled garden} and {\em phones behaving like specified}
+ \item No proper incident response strategies!
+ \item No packet filters, firewalls, intrusion detection on GSM protocol level
+ \item General public assumes GSM networks are safer than Internet
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\section{Bootstrapping Osmocom}
+
+\begin{frame}
+To actually do research on GSM, we need
+\begin{itemize}
+ \item detailed knowledge on the architecture and protocol stack
+ \item suitable hardware (there's no PHY/MAC only device like
+ Ethernet MAC)
+ \item a Free / Open Source Software implementation of at least
+ parts of the protocol stack
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Bootstrapping GSM Research}{How would you get started?}
+If you were to start with GSM protocol level security analysis, where and
+how would you start?
+\begin{itemize}
+ \item On the handset side?
+ \begin{itemize}
+ \item Difficult since GSM firmware and protocol stacks are closed and proprietary
+ \item Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too
+ \item Publicly known attempts
+ \begin{itemize}
+ \item The TSM30 project as part of the THC GSM project
+ \item mados, an alternative OS for Nokia DTC3 phones
+ \end{itemize}
+ \item none of those projects successful so far
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Bootstrapping GSM research}{How would you get started?}
+If you were to start with GSM protocol level security analysis, where and
+how would you start?
+\begin{itemize}
+ \item On the network side?
+ \begin{itemize}
+ \item Difficult since equipment is not easily available and normally extremely expensive
+ \item However, network is very modular and has many standardized/documented interfaces
+ \item Thus, if BTS equipment is available, much easier/faster progress
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Bootstrapping GSM research}{The bootstrapping process}
+\begin{itemize}
+ \item Read GSM specs (> 1000 PDF documents, each hundreds of pages)
+ \item Gradually grow knowledge about the protocols
+ \item Obtain actual GSM network equipment (BTS)
+ \item Try to get actual protocol traces as examples
+ \item Start a complete protocol stack implementation from scratch
+ \item Finally, go and play with GSM protocol security
+\end{itemize}
+\end{frame}
+
+\section{The Osmocom project}
+
+\begin{frame}{Osmocom / osmocom.org}
+\begin{itemize}
+ \item Osmocom == Open Soruce Mobile Communications
+ \item Classic collaborative, community-driven FOSS project
+ \item Gathers creative people who want to explore this
+ industry-dominated closed mobile communications world
+ \item communication via mailing lists, IRC
+ \item soure code in git, information in trac/wiki
+ \item http://osmocom.org/
+\end{itemize}
+\end{frame}
+
+\subsection{Osmocom sub-projects}
+
+\begin{frame}{OpenBSC}
+\begin{itemize}
+ \item first Osmocom project
+ \item Implements GSM A-bis interface towards BTS
+ \item Supports Siemens, ip.access, Ericsson and Nokia BTS
+ \item can implement only BSC function (osmo-bsc) or a fully
+ autonomous self-contained GSM network (osmo-nitb) that
+ requires no external MSC/VLR/AUC/HLR/EIR
+ \item deployed in > 200 installations world-wide, commercial and
+ research
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBSC test installation}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{bts_tree_full.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmoSGSN / OpenGGSN}
+\begin{itemize}
+ \item extends the OpenBSC based network from GSM to GPRS/EDGE by
+ implementing the classic SGSN and GGSN functional
+ entities
+ \item OpenGGSN existed already, but was abandoned by original
+ author
+ \item Works only with BTSs that provides Gb interface, like
+ ip.access nanoBTS
+ \item Suitable for research only, not production ready
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB}
+\begin{itemize}
+ \item Full baseband processor firmware implementation of a mobile phone (MS)
+ \item We re-use existing phone hardware and re-wrote the L1, L2,
+ L3 and higher level logic
+ \item Higher layers reuse code from OpenBSC wherever possible
+ \item Used in a number of universities and other research contexts
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=50mm]{c123_pcb.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmocomTETRA}
+\begin{itemize}
+ \item SDR implementation of a TETRA radio-modem (PHY/MAC)
+ \item Rx is fully implemented, Tx only partial
+ \item Can be used for air interface interception
+ \item Accompanied by wireshark dissectors for the TETRA protocol
+ stack
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomGMR}
+\begin{itemize}
+ \item ETSI GMR (Geo Mobile Radio) is "GSM for satellites"
+ \item GMR-1 used by Thuraya satellite network
+ \item OsmocomGMR implements SDR based radiomodem + PHY/MAC (Rx)
+ \item Partial wireshark dissectors for the protocol stack
+ \item Reverse engineered implementation of GMR-A5 crypto
+ \item Speech codec is proprietary, still needs reverse engineering
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomDECT}
+\begin{itemize}
+ \item ETSI DECT (Digital European Cordless Telephony) is used in
+ millions of cordless phones
+ \item deDECTed.org project started with open source protocol
+ analyzers and demonstrated many vulnerabilities
+ \item OsmocomDECT is an implementation of the DECT hardware
+ drivers and protocols for the Linux kernel
+ \item Integrates with Asterisk
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomOP25}
+\begin{itemize}
+ \item APCO25 is Professional PMR system used in the US
+ \item Can be compared to TETRA in Europe
+ \item OsmocomOP25 is again SDR receiver + protocol analyzer
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmoSDR}
+\begin{itemize}
+ \item small, low-power / low-cost USB SDR hardware
+ \item higher bandwidth than FunCubeDonglePro
+ \item much lower cost than USRP
+ \item Open Hardware
+ \item Available soon (Firmware not finished)
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=70mm]{osmosdr.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmocomSIMTRACE}
+\begin{itemize}
+ \item Hardware protocol tracer for SIM - phone interface
+ \item Wireshark protocol dissector for SIM-ME protocol (TS 11.11)
+ \item Can be used for SIM Application development / analysis
+ \item Also capable of SIM card emulation and man-in-the-middle attacks
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{simtrace_and_phone.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Osmo-E1-Xcvr}
+\begin{itemize}
+ \item Open hardware project for interfacing E1 lines with
+ microcontrollers
+ \item So far no software/firmware yet, stay tuned!
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{osmo-e1-xcvr.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{osmo\_ss7, osmo\_map, signerl}
+\begin{itemize}
+ \item Erlang-language SS7 implementation (MTP3, SCCP, TCAP, MAP)
+ \item Sigtran variants (M2PA, M2UA, M3UA and SUA)
+ \item Enables us to interface with GSM/UMTS inter-operator core network
+ \item Already used in production in some really nasty
+ special-purpose protocol translators (think of NAT for
+ SS7)
+\end{itemize}
+\end{frame}
+
+\subsection{Non-osmocom projects}
+
+\begin{frame}{The OpenBTS Um - SIP bridge}
+\begin{itemize}
+ \item OpenBTS is a SDR implementation of GSM Um radio interface
+ \item directly bridges to SIP/RTP, no A-bis/BSC/A/MSC
+ \item suitable for research on air interface, but very different
+ from traditional GSM networks
+ \item work is being done to make it interoperable with OpenBSC
+\end{itemize}
+\end{frame}
+
+\begin{frame}{airprobe.org}
+\begin{itemize}
+ \item SDR implementation of Um sniffer
+ \item suitable for receiving GSM Um downlink and uplink
+ \item predates all of the other projects
+ \item more or less abandoned at this point
+\end{itemize}
+\end{frame}
+
+\begin{frame}{sysmocom GmbH}{systems for mobile communications}
+\begin{itemize}
+ \item small company, started by two Osmocom developers in Berlin
+ \item provides commercial R\&d and support for professional
+ users of Osmocom software
+ \item develops its own producst like sysmoBTS (inexpensive,
+ small-form-factor, OpenBSC compatible BTS)
+ \item runs a small webshop for Osmocom related hardware like
+ OsmocomBB compatible phones, SIMtrace, etc.
+\end{itemize}
+\end{frame}
+
+
+\subsection{Future projects}
+
+\begin{frame}{Where do we go from here?}
+\begin{itemize}
+ \item Dieter Spaar has been working with 3G NodeBs (Ericsson,
+ Nokia) to be able to run our own RNC
+ \item Research into intercepting microwave back-haul links
+ \item Research into GPS simulation / transmission / faking
+ \item Port of OsmocomBB to other baseband chips
+ \item Low-level control from Free Software on a 3G/3.5G phone
+ \item Re-using femtocells in creative ways
+ \item Proprietary PMR systems
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Call for contributions}
+\begin{itemize}
+ \item Don't you agree that classic Internet/TCP/IP is boring and
+ has been researched to death?
+ \item There are many more communications systems out there
+ \item Never trust the industry, they only care about selling
+ their stuff
+ \item Lets democratize access to those communication systems
+ \item Become a contributor or developer today!
+ \item Join our mailing lists, use/improve our code
+ \item for OsmocomBB you only need a EUR 20 phone to start
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Thanks}
+I'd like to thank the many Osmocom developers and contributors,
+especially
+\begin{itemize}
+ \item Dieter Spaar
+ \item Holger Freyther
+ \item Andreas Eversberg
+ \item Sylvain Munaut
+ \item On-Waves e.h.f
+ \item NETZING AG
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Thanks}
+Thanks for your attention. I hope we have time for Q\&A.
+\end{frame}
+
+
+\end{document}
diff --git a/2012/osmocom-brno2012/osmosdr.jpg b/2012/osmocom-brno2012/osmosdr.jpg
new file mode 100644
index 0000000..730b579
Binary files /dev/null and b/2012/osmocom-brno2012/osmosdr.jpg differ
diff --git a/2012/osmocom-brno2012/simtrace_and_phone.jpg b/2012/osmocom-brno2012/simtrace_and_phone.jpg
new file mode 100644
index 0000000..3fddf27
Binary files /dev/null and b/2012/osmocom-brno2012/simtrace_and_phone.jpg differ
-- cgit v1.2.3
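Review bot: The preamble's `\mode` line is followed on the next line by a bare `{`, and beamer expects a mode specifier there; the Tantau template this was copied from reads `\mode<presentation>`, and since `\author{Harald Welte }` and the `Copyright 2004 by Till Tantau .` line also look like angle-bracketed e-mail addresses were stripped in transit, the `<presentation>` was probably lost the same way rather than missing from the committed file — worth confirming against the repository copy. While in the preamble, `\usepackage[latin1]{inputenc}` is safer as `\usepackage[utf8]{inputenc}` and the obsolete `\usepackage{times}` can go (the visible text is plain ASCII, so neither changes the rendered output). The slide text carries spelling slips a proofread pass would catch before the deck is reused: `Rolle`, `Soruce`, `soure`, `producst`, `R\&d`, `Lets`. The empty `osmocom-overview.snm` added in the same commit appears to be a beamer navigation auxiliary file and, together with the built PDF, is a build artifact that would normally be excluded via `.gitignore` rather than tracked.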