From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001 
From: Harald Welte Date: Sun, 25 Oct 2015 21:00:20 +0100 Subject: import of old now defunct presentation slides svn repo --- 2012/core_net-odc2012/core_net.pdf | Bin 0 -> 282736 bytes 2012/core_net-odc2012/core_net.snm | 0 2012/core_net-odc2012/core_net.tex | 138 +++++ 2012/core_net-odc2012/section-core_network.tex | 282 ++++++++++ 2012/core_net-odc2012/section-implementations.tex | 153 +++++ 2012/foss-sdr12europe/c123_pcb.jpg | Bin 0 -> 684904 bytes 2012/foss-sdr12europe/ezcap_top.jpg | Bin 0 -> 181997 bytes 2012/foss-sdr12europe/fcdp.jpg | Bin 0 -> 44766 bytes 2012/foss-sdr12europe/fcdp_pcb.jpg | Bin 0 -> 210808 bytes 2012/foss-sdr12europe/foss-sdr12europe.pdf | Bin 0 -> 2438521 bytes 2012/foss-sdr12europe/foss-sdr12europe.snm | 0 2012/foss-sdr12europe/foss-sdr12europe.tex | 464 +++++++++++++++ 2012/foss-sdr12europe/foss-sdr12europe.tex.bak | 464 +++++++++++++++ 2012/foss-sdr12europe/hama_nano1.jpg | Bin 0 -> 459455 bytes .../linux_netfilter_singapore_entertainment.jpg | Bin 0 -> 640673 bytes 2012/foss-sdr12europe/osmosdr.jpg | Bin 0 -> 177383 bytes 2012/foss-sdr12europe/outline.txt | 47 ++ .../Sutton_WInnFEurope2011.pdf | Bin 0 -> 1178896 bytes 2012/gpl-freedomhec2012/gpl_compliance.pdf | Bin 0 -> 739330 bytes 2012/gpl-freedomhec2012/gpl_compliance.snm | 0 2012/gpl-freedomhec2012/gpl_compliance.tex | 507 +++++++++++++++++ 2012/gpl-freedomhec2012/gpl_compliance.tex.bak | 507 +++++++++++++++++ .../linux_netfilter_singapore_entertainment.jpg | Bin 0 -> 640673 bytes 2012/gpl-of2012/abstract.txt | 14 + 2012/gpl-of2012/handoutWithNotes.sty | 466 +++++++++++++++ 2012/gpl-of2012/license_compliance.pdf | Bin 0 -> 739760 bytes 2012/gpl-of2012/license_compliance.snm | 0 2012/gpl-of2012/license_compliance.tex | 571 +++++++++++++++++++ 2012/gpl-of2012/license_compliance2.pdf | Bin 0 -> 762159 bytes 2012/gpl-of2012/license_compliance4.pdf | Bin 0 -> 750981 bytes .../linux_netfilter_singapore_entertainment.jpg | Bin 0 -> 640673 bytes .../IS-advanced-layer-3-service.pdf | Bin 0 
-> 1461539 bytes 2012/internet-lc2012/Netzentwurf_X-WiN.pdf | Bin 0 -> 207756 bytes 2012/internet-lc2012/breakdown-2007.jpg | Bin 0 -> 409005 bytes 2012/internet-lc2012/lawclinic-internet.pdf | Bin 0 -> 30594 bytes 2012/internet-lc2012/lawclinic-internet.vym | Bin 0 -> 3606 bytes 2012/mobsec-telcosecday2012/mobsec.pdf | Bin 0 -> 274588 bytes 2012/mobsec-telcosecday2012/mobsec.snm | 0 2012/mobsec-telcosecday2012/mobsec.tex | 488 ++++++++++++++++ 2012/osmo_erlang-osdc2012/core_net.pdf | Bin 0 -> 576753 bytes 2012/osmo_erlang-osdc2012/core_net.snm | 0 2012/osmo_erlang-osdc2012/core_net.tex | 139 +++++ 2012/osmo_erlang-osdc2012/gsm_network.png | Bin 0 -> 57000 bytes 2012/osmo_erlang-osdc2012/map_messaging.png | Bin 0 -> 89579 bytes 2012/osmo_erlang-osdc2012/map_supervision.png | Bin 0 -> 127410 bytes 2012/osmo_erlang-osdc2012/osi_model.png | Bin 0 -> 67094 bytes 2012/osmo_erlang-osdc2012/section-core_network.tex | 282 ++++++++++ 2012/osmo_erlang-osdc2012/section-erlang.tex | 72 +++ .../section-implementations.tex | 176 ++++++ 2012/osmo_erlang-osdc2012/tcap_messaging.png | Bin 0 -> 86453 bytes 2012/osmo_erlang-osdc2012/tcap_supervision.png | Bin 0 -> 259177 bytes 2012/osmocom-brno2012/abstract.txt | 19 + 2012/osmocom-brno2012/bts_tree_full.jpg | Bin 0 -> 1512137 bytes 2012/osmocom-brno2012/c123_pcb.jpg | Bin 0 -> 684904 bytes 2012/osmocom-brno2012/osmo-e1-xcvr.jpg | Bin 0 -> 157754 bytes 2012/osmocom-brno2012/osmocom-overview.pdf | Bin 0 -> 2889508 bytes 2012/osmocom-brno2012/osmocom-overview.snm | 0 2012/osmocom-brno2012/osmocom-overview.tex | 583 +++++++++++++++++++ 2012/osmocom-brno2012/osmosdr.jpg | Bin 0 -> 177383 bytes 2012/osmocom-brno2012/simtrace_and_phone.jpg | Bin 0 -> 73335 bytes 2012/osmocom-cebit2012/abstract.txt | 19 + 2012/osmocom-cebit2012/bts_tree_full.jpg | Bin 0 -> 1512137 bytes 2012/osmocom-cebit2012/c123_pcb.jpg | Bin 0 -> 684904 bytes 2012/osmocom-cebit2012/osmo-e1-xcvr.jpg | Bin 0 -> 157754 bytes 2012/osmocom-cebit2012/osmocom-overview.pdf | Bin 
0 -> 2889457 bytes 2012/osmocom-cebit2012/osmocom-overview.snm | 0 2012/osmocom-cebit2012/osmocom-overview.tex | 583 +++++++++++++++++++ 2012/osmocom-cebit2012/osmosdr.jpg | Bin 0 -> 177383 bytes 2012/osmocom-cebit2012/simtrace_and_phone.jpg | Bin 0 -> 73335 bytes 2012/osmocom-ehsm2012/abstract.txt | 19 + 2012/osmocom-ehsm2012/bts_tree_full.jpg | Bin 0 -> 1512137 bytes 2012/osmocom-ehsm2012/c123_pcb.jpg | Bin 0 -> 684904 bytes 2012/osmocom-ehsm2012/ezcap_top.jpg | Bin 0 -> 181997 bytes 2012/osmocom-ehsm2012/osmo-e1-xcvr.jpg | Bin 0 -> 157754 bytes 2012/osmocom-ehsm2012/osmocom-overview.pdf | Bin 0 -> 2892136 bytes 2012/osmocom-ehsm2012/osmocom-overview.snm | 0 2012/osmocom-ehsm2012/osmocom-overview.tex | 596 ++++++++++++++++++++ 2012/osmocom-ehsm2012/osmosdr.jpg | Bin 0 -> 177383 bytes 2012/osmocom-ehsm2012/simtrace_and_phone.jpg | Bin 0 -> 73335 bytes 2012/osmocom-of2012/abstract.txt | 19 + 2012/osmocom-of2012/bts_tree_full.jpg | Bin 0 -> 1512137 bytes 2012/osmocom-of2012/c123_pcb.jpg | Bin 0 -> 684904 bytes 2012/osmocom-of2012/ezcap_top.jpg | Bin 0 -> 181997 bytes 2012/osmocom-of2012/osmo-e1-xcvr.jpg | Bin 0 -> 157754 bytes 2012/osmocom-of2012/osmocom-overview.pdf | Bin 0 -> 2892149 bytes 2012/osmocom-of2012/osmocom-overview.snm | 0 2012/osmocom-of2012/osmocom-overview.tex | 596 ++++++++++++++++++++ 2012/osmocom-of2012/osmosdr.jpg | Bin 0 -> 177383 bytes 2012/osmocom-of2012/simtrace_and_phone.jpg | Bin 0 -> 73335 bytes 2012/osmocom-osdc2012/abstract.txt | 19 + 2012/osmocom-osdc2012/bts_tree_full.jpg | Bin 0 -> 1512137 bytes 2012/osmocom-osdc2012/c123_pcb.jpg | Bin 0 -> 684904 bytes 2012/osmocom-osdc2012/osmo-e1-xcvr.jpg | Bin 0 -> 157754 bytes 2012/osmocom-osdc2012/osmocom-overview.pdf | Bin 0 -> 2714538 bytes 2012/osmocom-osdc2012/osmocom-overview.snm | 0 2012/osmocom-osdc2012/osmocom-overview.tex | 624 +++++++++++++++++++++ 2012/osmocom-osdc2012/osmosdr.jpg | Bin 0 -> 177383 bytes 2012/osmocom-osdc2012/simtrace_and_phone.jpg | Bin 0 -> 73335 bytes 
2012/phone_hw_arch-osmug2012/c123_pcb.jpg | Bin 0 -> 684904 bytes 2012/phone_hw_arch-osmug2012/phone_anatomy.pdf | Bin 0 -> 83253 bytes 2012/phone_hw_arch-osmug2012/phone_anatomy.snm | 0 2012/phone_hw_arch-osmug2012/phone_anatomy.tex | 434 ++++++++++++++ 2012/rtlsdr-freedomhec2012/dab.jpg | Bin 0 -> 226987 bytes 2012/rtlsdr-freedomhec2012/ezcap_top.jpg | Bin 0 -> 181997 bytes 2012/rtlsdr-freedomhec2012/fcdp.jpg | Bin 0 -> 44766 bytes 2012/rtlsdr-freedomhec2012/fcdp_pcb.jpg | Bin 0 -> 210808 bytes 2012/rtlsdr-freedomhec2012/glonass-sps2.8e6.png | Bin 0 -> 21339 bytes 2012/rtlsdr-freedomhec2012/gps-sps2048e3.png | Bin 0 -> 8198 bytes .../rtlsdr-freedomhec2012/gr-dab-constellation.png | Bin 0 -> 54986 bytes 2012/rtlsdr-freedomhec2012/grc_wbfm.png | Bin 0 -> 59693 bytes 2012/rtlsdr-freedomhec2012/hama_nano1.jpg | Bin 0 -> 459455 bytes 2012/rtlsdr-freedomhec2012/inmarsat.png | Bin 0 -> 326231 bytes 2012/rtlsdr-freedomhec2012/noxon_top.jpg | Bin 0 -> 405918 bytes 2012/rtlsdr-freedomhec2012/osmosdr.jpg | Bin 0 -> 177383 bytes 2012/rtlsdr-freedomhec2012/rtl-sdr-gmr.png | Bin 0 -> 43397 bytes 2012/rtlsdr-freedomhec2012/rtl-sdr.pdf | Bin 0 -> 1862733 bytes 2012/rtlsdr-freedomhec2012/rtl-sdr.snm | 0 2012/rtlsdr-freedomhec2012/rtl-sdr.tex | 570 +++++++++++++++++++ 2012/rtlsdr-freedomhec2012/ssb_rcv_grc.png | Bin 0 -> 203562 bytes 2012/rtlsdr-freedomhec2012/tetra.png | Bin 0 -> 15777 bytes 2012/rtlsdr-freedomhec2012/usrp-block-diagram.png | Bin 0 -> 35730 bytes 2012/rtlsdr-freedomhec2012/usrp_board_photo.jpg | Bin 0 -> 114387 bytes 122 files changed, 8851 insertions(+) create mode 100644 2012/core_net-odc2012/core_net.pdf create mode 100644 2012/core_net-odc2012/core_net.snm create mode 100644 2012/core_net-odc2012/core_net.tex create mode 100644 2012/core_net-odc2012/section-core_network.tex create mode 100644 2012/core_net-odc2012/section-implementations.tex create mode 100644 2012/foss-sdr12europe/c123_pcb.jpg create mode 100644 2012/foss-sdr12europe/ezcap_top.jpg create 
mode 100644 2012/foss-sdr12europe/fcdp.jpg create mode 100644 2012/foss-sdr12europe/fcdp_pcb.jpg create mode 100644 2012/foss-sdr12europe/foss-sdr12europe.pdf create mode 100644 2012/foss-sdr12europe/foss-sdr12europe.snm create mode 100644 2012/foss-sdr12europe/foss-sdr12europe.tex create mode 100644 2012/foss-sdr12europe/foss-sdr12europe.tex.bak create mode 100644 2012/foss-sdr12europe/hama_nano1.jpg create mode 100644 2012/foss-sdr12europe/linux_netfilter_singapore_entertainment.jpg create mode 100644 2012/foss-sdr12europe/osmosdr.jpg create mode 100644 2012/foss-sdr12europe/outline.txt create mode 100644 2012/foss_comms-winncom2012/Sutton_WInnFEurope2011.pdf create mode 100644 2012/gpl-freedomhec2012/gpl_compliance.pdf create mode 100644 2012/gpl-freedomhec2012/gpl_compliance.snm create mode 100644 2012/gpl-freedomhec2012/gpl_compliance.tex create mode 100644 2012/gpl-freedomhec2012/gpl_compliance.tex.bak create mode 100644 2012/gpl-freedomhec2012/linux_netfilter_singapore_entertainment.jpg create mode 100644 2012/gpl-of2012/abstract.txt create mode 100644 2012/gpl-of2012/handoutWithNotes.sty create mode 100644 2012/gpl-of2012/license_compliance.pdf create mode 100644 2012/gpl-of2012/license_compliance.snm create mode 100644 2012/gpl-of2012/license_compliance.tex create mode 100644 2012/gpl-of2012/license_compliance2.pdf create mode 100644 2012/gpl-of2012/license_compliance4.pdf create mode 100644 2012/gpl-of2012/linux_netfilter_singapore_entertainment.jpg create mode 100644 2012/internet-lc2012/IS-advanced-layer-3-service.pdf create mode 100644 2012/internet-lc2012/Netzentwurf_X-WiN.pdf create mode 100644 2012/internet-lc2012/breakdown-2007.jpg create mode 100644 2012/internet-lc2012/lawclinic-internet.pdf create mode 100644 2012/internet-lc2012/lawclinic-internet.vym create mode 100644 2012/mobsec-telcosecday2012/mobsec.pdf create mode 100644 2012/mobsec-telcosecday2012/mobsec.snm create mode 100644 2012/mobsec-telcosecday2012/mobsec.tex create mode 100644 
2012/osmo_erlang-osdc2012/core_net.pdf create mode 100644 2012/osmo_erlang-osdc2012/core_net.snm create mode 100644 2012/osmo_erlang-osdc2012/core_net.tex create mode 100644 2012/osmo_erlang-osdc2012/gsm_network.png create mode 100644 2012/osmo_erlang-osdc2012/map_messaging.png create mode 100644 2012/osmo_erlang-osdc2012/map_supervision.png create mode 100644 2012/osmo_erlang-osdc2012/osi_model.png create mode 100644 2012/osmo_erlang-osdc2012/section-core_network.tex create mode 100644 2012/osmo_erlang-osdc2012/section-erlang.tex create mode 100644 2012/osmo_erlang-osdc2012/section-implementations.tex create mode 100644 2012/osmo_erlang-osdc2012/tcap_messaging.png create mode 100644 2012/osmo_erlang-osdc2012/tcap_supervision.png create mode 100644 2012/osmocom-brno2012/abstract.txt create mode 100644 2012/osmocom-brno2012/bts_tree_full.jpg create mode 100644 2012/osmocom-brno2012/c123_pcb.jpg create mode 100644 2012/osmocom-brno2012/osmo-e1-xcvr.jpg create mode 100644 2012/osmocom-brno2012/osmocom-overview.pdf create mode 100644 2012/osmocom-brno2012/osmocom-overview.snm create mode 100644 2012/osmocom-brno2012/osmocom-overview.tex create mode 100644 2012/osmocom-brno2012/osmosdr.jpg create mode 100644 2012/osmocom-brno2012/simtrace_and_phone.jpg create mode 100644 2012/osmocom-cebit2012/abstract.txt create mode 100644 2012/osmocom-cebit2012/bts_tree_full.jpg create mode 100644 2012/osmocom-cebit2012/c123_pcb.jpg create mode 100644 2012/osmocom-cebit2012/osmo-e1-xcvr.jpg create mode 100644 2012/osmocom-cebit2012/osmocom-overview.pdf create mode 100644 2012/osmocom-cebit2012/osmocom-overview.snm create mode 100644 2012/osmocom-cebit2012/osmocom-overview.tex create mode 100644 2012/osmocom-cebit2012/osmosdr.jpg create mode 100644 2012/osmocom-cebit2012/simtrace_and_phone.jpg create mode 100644 2012/osmocom-ehsm2012/abstract.txt create mode 100644 2012/osmocom-ehsm2012/bts_tree_full.jpg create mode 100644 2012/osmocom-ehsm2012/c123_pcb.jpg create mode 100644 
2012/osmocom-ehsm2012/ezcap_top.jpg create mode 100644 2012/osmocom-ehsm2012/osmo-e1-xcvr.jpg create mode 100644 2012/osmocom-ehsm2012/osmocom-overview.pdf create mode 100644 2012/osmocom-ehsm2012/osmocom-overview.snm create mode 100644 2012/osmocom-ehsm2012/osmocom-overview.tex create mode 100644 2012/osmocom-ehsm2012/osmosdr.jpg create mode 100644 2012/osmocom-ehsm2012/simtrace_and_phone.jpg create mode 100644 2012/osmocom-of2012/abstract.txt create mode 100644 2012/osmocom-of2012/bts_tree_full.jpg create mode 100644 2012/osmocom-of2012/c123_pcb.jpg create mode 100644 2012/osmocom-of2012/ezcap_top.jpg create mode 100644 2012/osmocom-of2012/osmo-e1-xcvr.jpg create mode 100644 2012/osmocom-of2012/osmocom-overview.pdf create mode 100644 2012/osmocom-of2012/osmocom-overview.snm create mode 100644 2012/osmocom-of2012/osmocom-overview.tex create mode 100644 2012/osmocom-of2012/osmosdr.jpg create mode 100644 2012/osmocom-of2012/simtrace_and_phone.jpg create mode 100644 2012/osmocom-osdc2012/abstract.txt create mode 100644 2012/osmocom-osdc2012/bts_tree_full.jpg create mode 100644 2012/osmocom-osdc2012/c123_pcb.jpg create mode 100644 2012/osmocom-osdc2012/osmo-e1-xcvr.jpg create mode 100644 2012/osmocom-osdc2012/osmocom-overview.pdf create mode 100644 2012/osmocom-osdc2012/osmocom-overview.snm create mode 100644 2012/osmocom-osdc2012/osmocom-overview.tex create mode 100644 2012/osmocom-osdc2012/osmosdr.jpg create mode 100644 2012/osmocom-osdc2012/simtrace_and_phone.jpg create mode 100644 2012/phone_hw_arch-osmug2012/c123_pcb.jpg create mode 100644 2012/phone_hw_arch-osmug2012/phone_anatomy.pdf create mode 100644 2012/phone_hw_arch-osmug2012/phone_anatomy.snm create mode 100644 2012/phone_hw_arch-osmug2012/phone_anatomy.tex create mode 100644 2012/rtlsdr-freedomhec2012/dab.jpg create mode 100644 2012/rtlsdr-freedomhec2012/ezcap_top.jpg create mode 100644 2012/rtlsdr-freedomhec2012/fcdp.jpg create mode 100644 2012/rtlsdr-freedomhec2012/fcdp_pcb.jpg create mode 100644 
2012/rtlsdr-freedomhec2012/glonass-sps2.8e6.png create mode 100644 2012/rtlsdr-freedomhec2012/gps-sps2048e3.png create mode 100644 2012/rtlsdr-freedomhec2012/gr-dab-constellation.png create mode 100644 2012/rtlsdr-freedomhec2012/grc_wbfm.png create mode 100644 2012/rtlsdr-freedomhec2012/hama_nano1.jpg create mode 100644 2012/rtlsdr-freedomhec2012/inmarsat.png create mode 100644 2012/rtlsdr-freedomhec2012/noxon_top.jpg create mode 100644 2012/rtlsdr-freedomhec2012/osmosdr.jpg create mode 100644 2012/rtlsdr-freedomhec2012/rtl-sdr-gmr.png create mode 100644 2012/rtlsdr-freedomhec2012/rtl-sdr.pdf create mode 100644 2012/rtlsdr-freedomhec2012/rtl-sdr.snm create mode 100644 2012/rtlsdr-freedomhec2012/rtl-sdr.tex create mode 100644 2012/rtlsdr-freedomhec2012/ssb_rcv_grc.png create mode 100644 2012/rtlsdr-freedomhec2012/tetra.png create mode 100644 2012/rtlsdr-freedomhec2012/usrp-block-diagram.png create mode 100644 2012/rtlsdr-freedomhec2012/usrp_board_photo.jpg (limited to '2012')
diff --git a/2012/core_net-odc2012/core_net.pdf b/2012/core_net-odc2012/core_net.pdf
new file mode 100644
index 0000000..b96f93d
Binary files /dev/null and b/2012/core_net-odc2012/core_net.pdf differ
diff --git a/2012/core_net-odc2012/core_net.snm b/2012/core_net-odc2012/core_net.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2012/core_net-odc2012/core_net.tex b/2012/core_net-odc2012/core_net.tex
new file mode 100644
index 0000000..31110b0
--- /dev/null
+++ b/2012/core_net-odc2012/core_net.tex
@@ -0,0 +1,138 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+ \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau .
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{osmocom.org - Core Network Protocols}
+
+%\subtitle
+%{community based Free / Open Source Software for communications}
+
+\author{Harald Welte }
+
+\institute
+{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[] % (optional, should be abbreviation of conference name)
+{March 2012, OsmoDevCon 2012, Berlin / Germany}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Communications}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents[hideallsubsections]
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+\include{section-core_network}
+\include{section-implementations}
+
+\end{document}
diff --git a/2012/core_net-odc2012/section-core_network.tex b/2012/core_net-odc2012/section-core_network.tex
new file mode 100644
index 0000000..629cac1
--- /dev/null
+++ b/2012/core_net-odc2012/section-core_network.tex
@@ -0,0 +1,282 @@
+\section{The GSM core network}
+
+\subsection{GSM core network components}
+
+\begin{frame}{GSM core network components}
+ \begin{description}[MSC]
+ \item[MSC] (Mobile Switching Center): The central switch
+ \item[HLR] (Home Location Register): Database of subscribers
+ \item[AUC] (Authentication Center): Database of authentication keys
+ \item[VLR] (Visitor Location Register): For roaming users
+ \item[EIR] (Equipment Identity Register): To block stolen phones
+ \end{description}
+\end{frame}
+
+\begin{frame}{GSM network structure}
+\begin{description}[BTS]
+\item[MSC] Actual call switching and top-level mobility functions. May serve dozens of location areas
+\item[VLR] Temporary cache of subscriber data from HLR + TMSI
+\item[HLR] Subscriber databases + subscriber location information
+\item[AUC] Generation of authentication tuples
+\item[SMSC] SMS Service Centre, store+forward for SMS
+\end{description}
+\end{frame}
+
+\begin{frame}{GSM core network integration}
+\begin{itemize}
+ \item VLR often integrated into MSC
+ \item AUC often integrated with AUC
+ \item integration so common, many graphs/diagrams are actually
+not 100\% correct
+\end{itemize}
+\end{frame}
+
+%\begin{frame}{GSM Network Structure}
+%\includegraphics[width=100mm]{GSMNetwork.pdf}
+%\end{frame}
+
+\begin{frame}{GSM network interfaces}
+ \begin{description}[A-bis]
+ \item[C] Interface between GMSC and HLR
+ \item[D] Interface between MSC and HLR
+ \item[E] Interface between MSC and MSC
+ \end{description}
+All of them based on MAP, so C/D/E not commonly distinguished
+\end{frame}
+
+\subsection{GSM core network protocols}
+
+\begin{frame}{core network protocol stack}
+Traditional telephony based on SS7 / CS7, GSM too
+\begin{itemize}
+ \item Lower layers (MTP2/MTP3) re-used
+ \item ISUP used for actual call control signalling
+ \item SCCP for routing / GTT
+ \item TCAP for transaction supprt
+ \item MAP for actual GSM related signalling
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SS7 networks}
+\begin{itemize}
+ \item STP - Signalling Transfer Point
+ \begin{itemize}
+ \item {\em Router} for SCCP
+ \item performs GTT (see below)
+ \end{itemize}
+ \item SCP - Signalling Control Point
+ \begin{itemize}
+ \item {\em End-node} like MSC/HLR
+ \item SCP has GT, PC, ..
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SS7 addresses}
+\begin{itemize}
+ \item Point Code (PC)
+ \begin{itemize}
+ \item typically unique within PLMN / country
+ \end{itemize}
+ \item Global Title (GT)
+ \begin{itemize}
+ \item world-wide unique address
+ \item translated into PC by GTT at STP
+ \end{itemize}
+ \item Subsystem Number (SSN)
+ \begin{itemize}
+ \item logical function address inside network (MSC, VLR, HLR, ...)
+ \item not used on international links
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SS7 GTT (Global Title Translation)}
+Global Title Translation
+\begin{itemize}
+ \item can happen at any STP
+ \item translates a Destination GT into new destination address
+ \item new dest address can be any address, such as
+ \begin{itemize}
+ \item new global title (GT)
+ \item point code (PC)
+ \item sub-system number (SSN)
+ \end{itemize}
+ \item GTT rules explicitly configured by operator, e.g.
+ \begin{itemize}
+ \item prefix or range based match
+ \item (inter)nationalize numbering plan
+ \item add digits at beginning or end
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SS7 physical layer}
+\begin{itemize}
+ \item{classic SS7 signalling over TDM circuits}
+ \begin{itemize}
+ \item E1 timeslot (64kbps)
+ \item multiple E1 timeslots (N*64kbps)
+ \item MTP Level 2 / MTP Level 3
+ \end{itemize}
+ \item modern networks use SIGTRAN
+ \begin{itemize}
+ \item IP as network layer replaces E1 lines
+ \item SCTP on top(no TCP/UDP!)
+ \item many different SIGTRAN stacking options
+ \end{itemize}
+ \item some vendor-proprietary protocols like SCCPlite
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SIGTRAN stacking options}
+SIGTRAN != SIGTRAN
+\begin{itemize}
+ \item IP/SCTP/M2PA/MTP2/MTP3/SCCP/TCAP/MAP
+ \item IP/SCTP/M2UA/MTP3/SCCP/TCAP/MAP
+ \item IP/SCTP/M3UA/SCCP/TCAP/MAP
+ \item IP/SCTP/SUA/TCAP/MAP
+\end{itemize}
+\end{frame}
+
+\begin{frame}{SCCP}
+SCCP takes care of
+\begin{itemize}
+ \item Global Title based addressing
+ \item Global Title Translation
+ \item connection-oriented or connectionless semantics
+ \item GSM core network interfaces with MAP/CAP only use
+connection-less UDT service
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TCAP}
+\begin{itemize}
+ \item Idea: decouple transaction logic from actual application
+ \item transaction semantics can be used by multiple higher-layer protocols
+ \item state machines on both sides maintained outside of application
+ \item protocol specified in ASN.1, BER encoding
+\end{itemize}
+\end{frame}
+
+\begin{frame}{MAP - Mobile Application Part}
+\begin{itemize}
+ \item used between all classic GSM core network components
+ \item application protocol on top of TCAP
+ \item protocol specified in ASN.1, BER encoding
+\end{itemize}
+\end{frame}
+
+\begin{frame}{CAP - Camel Application Part}
+\begin{itemize}
+ \item used for CAMEL entities (gsmSCF, gsmSSF, gprsSSF, gsmSRF)
+ \item application protocol on top of TCAP
+ \item protocol specified in ASN.1, BER encoding
+\end{itemize}
+\end{frame}
+
+\section{Roaming interfaces}
+
+\subsection{Roaming introduction}
+
+\begin{frame}{Introduction to Roaming}
+Roaming enables subscribers to use other operators' networks
+\begin{itemize}
+ \item Home Network is called HPLMN
+ \item Visited Network is called VPLMN
+ \item Roaming requres between HPLMN and VPLMN
+ \begin{itemize}
+ \item Roaming agreement (contract)
+ \item SS7 connectivity (ISUP/MAP/CAP)
+ \item IP connectivity (for packet data)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Roaming principle}
+\begin{itemize}
+ \item MS, MSC, VLR and SGSN are in VPLMN
+ \item HLR, AUC, GMSC and GGSN are in HPLMN
+ \item they talk to each other via MAP, just like in non-roaming case
+ \item selection of HPLMN based on IMSI of subscriber
+ \item non-roaming caes: HPLMN == VPLMN
+\end{itemize}
+\end{frame}
+
+\begin{frame}{MVNO - Mobile Virtual Network Operators}
+A MVNO setup is a special case of roaming
+\begin{itemize}
+ \item MNO operates PLMN with RAN and CN
+ \item MVNO operates HPLMN without RAN (BSC/BTS)
+ \item MVNO subscribers always roam into MNO network
+\end{itemize}
+\end{frame}
+
+%\subsection{Roaming transactions}
+%FIXME
+
+\subsection{Traditional Billing}
+
+\begin{frame}{Traditional Billing}
+Initially, GSM was designed for business users
+\begin{itemize}
+ \item Billing was always post-paid
+ \item Each PLMN simply logs all call/sms
+ \item Logs called CDR (Call Data Record)
+ \item At the end of the month, invoices are generated
+ \item CDR records are exchanged between roaming partners
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Billing for Roaming}
+\begin{itemize}
+ \item CDR files often vendor-specific / custom
+ \item GSMA established a standard called TAP
+ \item TAP is the standard for exchange of billing records
+between roaming partners
+ \item Summary: Intra-PLMN: CDR, Inter-PLMN: TAP
+ \item TAP has many versions/generations
+ \item Specified in ASN.1
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The advent of pre-paid}
+\begin{itemize}
+ \item At some point, users wanted pre-paid services
+ \item Difficult to implement in traditional billing architecture
+ \item In HPLMN, every operator could come up with custom
+solution
+ \item Thus, pre-paid initially not supported in roaming
+ \item In the early pre-paid days, there were lots of ways to exceed pre-paid balance
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Pre-paid required fundamental changes}
+\begin{itemize}
+ \item The pre-paid balance / account is maintained in HPLMN
+ \item HPLMN needs much more control over user while roaming
+ \item A new protocol (CAMEL) was introduced, as well as new
+entities in the network
+ \item Lots of changes all over netowrk elements (MSC, SGSN, HLR)
+\end{itemize}
+\end{frame}
+
+\subsection{CAMEL}
+
+\begin{frame}{CAMEL - Customized Applications Mobile Enhanced Logic}
+\begin{itemize}
+ \item gsmSCF - Service Control Function
+ \begin{itemize}
+ \item receives per-subscriber specific config from HLR
+(CSI: CAMEL Subscription Information)
+ \item remotely controls call, SMS, etc. processing
+ \end{itemize}
+ \item gsmSSF - Service Switching Function
+ \begin{itemize}
+ \item built into MSC
+ \item hooks / triggers at key state changes
+ \item allows gsmSCF to alter/override/abort transactions
+ \end{itemize}
+ \item gprsSSF provides similar feature inside SGSN
+\end{itemize}
+\end{frame}
diff --git a/2012/core_net-odc2012/section-implementations.tex b/2012/core_net-odc2012/section-implementations.tex
new file mode 100644
index 0000000..27d409d
--- /dev/null
+++ b/2012/core_net-odc2012/section-implementations.tex
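Review bot: In 2012/core_net-odc2012/section-core_network.tex, the "GSM core network integration" frame reads `\item AUC often integrated with AUC`, which names the same element twice. The earlier frames in the same hunk describe the AUC as the database of authentication keys and the HLR as the subscriber database, so this was presumably meant to be `\item AUC often integrated with HLR`. The hunk also carries spelling slips that will show on the rendered slides: `supprt`, `requres`, `caes` and `netowrk`.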
@@ -0,0 +1,153 @@ + +\section{Core Network protocol implementations} + +\subsection{Erlang implementations} + +\begin{frame}{Erlang osmo\_ss7} +\begin{itemize} + \item Signalling link management + \item Signalling linkset management + \item MTP-level routing + \item Protocol codecs + \begin{itemize} + \item BSSMAP, ISUP, M2PA, M2UA, M3UA, MTP3, SCCP, SUA + \end{itemize} + \item Various different protocol implementations + \begin{itemize} + \item SIGTRAN: M3UA, M2PA, M2UA, SUA + \item IPA multiplex / SCCP lite + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Erlang osmo\_sccp} +SCCP implementation, typcially used on top of osmo\_sccp +\begin{itemize} + \item SCCP connectionless (SCLC) + \item SCCP connection oriented (SCOC) + \item SCCP routing / gtt (SCRC) + \item applications can bind to SSN numbers +\end{itemize} +\end{frame} + +\begin{frame}{Erlang osmo\_map} +\begin{itemize} + \item Not a full-blown MAP end-user implementation + \item Primarily a set of integrated TCAP+MAP codec + \item Used for protocol analysis/dissection + \item Used for transparent MAP mangling engines + \item Think of FTP/IRC NAT in TCP/IP, where you need to modify + addresses contained in the payload (not header) of the + messages +\end{itemize} +\end{frame} + +\begin{frame}{Erlang mgw\_nat} +\begin{itemize} + \item Strange transparent SCCP/TCAP/MAP gateway + \item Supports all kinds of strange operations + \begin{itemize} + \item SCCP Global Title Masquerade (dynamic GT pool) + \item Replace VLR/MSC GT inside MAP payload + \item Supported Camel Phase patching + \item 1:1 IMSI mapping in MAP payload + \item ISUP GT mangling + \item national/international numbering plan conversions + \end{itemize} + \item Used in multiple production installations for ~ 1 year +\end{itemize} +\end{frame} + +\begin{frame}{Erlang signerl TCAP} +\begin{itemize} + \item Full ITU-T TCAP implementation + \item 1:1 mapping of ITU-T TCAP state machines to Erlang gen\_fsm + \begin{itemize} + \item DHA - 
Dialogue Handling + \item TSM - Transaction State Machine + \item ISM - Invocation State Machine + \end{itemize} + \item 1:1 mapping of other ITU-T entities to Erlang gen\_server + \begin{itemize} + \item CCO - Componen Coordinator + \item TCO - Transaction Coordinator + \end{itemize} + \item Some old/incomplete/bit-rotten ANSI TCAP code +\end{itemize} +\end{frame} + +\begin{frame}{Erlang signerl TCAP} +\begin{itemize} + \item properly implements the N-primitives to lower level + \item properly implements all TR-primitives internally (TC / TR + split) + \item properly implements all TC-primitives towards the TCAP user + \item Can be used on top of osmo\_sccp + \item Can be used directly by application servers or via signerl MAP +\end{itemize} +\end{frame} + +\begin{frame}{Erlang signerl MAP} +\begin{itemize} + \item Interface between MAP primitives and TCAP primitives + \item Provides very little benefit over using TCAP directly + \item Not used much so far, I always use TCAP user API instead +\end{itemize} +\end{frame} + +\begin{frame}{Erlang application servers} +\begin{itemize} + \item No complete implementation of any GSM core network node + yet + \item Lots of testing / experimentation code for generating + single MAP transactions against existing/proprietary + core network components + \item Work on a HLR based on Mnesia DB should be starting soon +\end{itemize} +\end{frame} + +\subsection{C implementations} + +\begin{frame}{libosmo-sccp} +\begin{itemize} + \item minimalistic SCCP implementation + \item only used inside IPA multiplex / SCCP lite + \item no retransmissions / GT routing / translation + \item stable, used in production (osmo-bsc) +\end{itemize} +\end{frame} + +\begin{frame}{libosmo-asn1-tcap} +\begin{itemize} + \item asn1c-generated TCAP codec + \item almost no manual code + \item built as shared library +\end{itemize} +\end{frame} + +\begin{frame}{libosmo-tcap} +\begin{itemize} + \item First attempt of Harald to implement TCAP (before Erlang) + 
\item 1:1 mapping of ITU-T TCAP components to C source files + \item Heavily based on asn1c-generated data structures + \item Uses libosmo-asn1-tcap +\end{itemize} +\end{frame} + +\begin{frame}{libosmo-asn1-map} +\begin{itemize} + \item asn1c-generated MAP code + \item almost no manual code + \item built as shared library +\end{itemize} +\end{frame} + +\begin{frame}{Future of C implementation?} +\begin{itemize} + \item unclear at this point + \item first finish testing/deploying Erlang implementations + \item possible use case for Gc interface of osmo-sgsn (SGSN-HLR) + \item Do we interface C code with Erlang MAP or maintain C implementation in parallel? +\end{itemize} +\end{frame} + diff --git a/2012/foss-sdr12europe/c123_pcb.jpg b/2012/foss-sdr12europe/c123_pcb.jpg new file mode 100644 index 0000000..a9f24fc Binary files /dev/null and b/2012/foss-sdr12europe/c123_pcb.jpg differ diff --git a/2012/foss-sdr12europe/ezcap_top.jpg b/2012/foss-sdr12europe/ezcap_top.jpg new file mode 100644 index 0000000..d504471 Binary files /dev/null and b/2012/foss-sdr12europe/ezcap_top.jpg differ diff --git a/2012/foss-sdr12europe/fcdp.jpg b/2012/foss-sdr12europe/fcdp.jpg new file mode 100644 index 0000000..329bd82 Binary files /dev/null and b/2012/foss-sdr12europe/fcdp.jpg differ diff --git a/2012/foss-sdr12europe/fcdp_pcb.jpg b/2012/foss-sdr12europe/fcdp_pcb.jpg new file mode 100644 index 0000000..6b4f94d Binary files /dev/null and b/2012/foss-sdr12europe/fcdp_pcb.jpg differ diff --git a/2012/foss-sdr12europe/foss-sdr12europe.pdf b/2012/foss-sdr12europe/foss-sdr12europe.pdf new file mode 100644 index 0000000..0a2a69e Binary files /dev/null and b/2012/foss-sdr12europe/foss-sdr12europe.pdf differ diff --git a/2012/foss-sdr12europe/foss-sdr12europe.snm b/2012/foss-sdr12europe/foss-sdr12europe.snm new file mode 100644 index 0000000..e69de29 diff --git a/2012/foss-sdr12europe/foss-sdr12europe.tex b/2012/foss-sdr12europe/foss-sdr12europe.tex new file mode 100644 index 0000000..fa3ede4 
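Review bot: The `Erlang osmo\_sccp` frame describes the SCCP implementation as `typcially used on top of osmo\_sccp`, which names the component as its own lower layer. Judging from the preceding frame, which lists signalling link management and MTP-level routing, the intended lower layer is presumably `osmo\_ss7`; after confirming that with the author I would change the line to `SCCP implementation, typically used on top of osmo\_ss7`, which also fixes the spelling. In the first signerl TCAP frame, `Componen Coordinator` should read `Component Coordinator`.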
--- /dev/null
+++ b/2012/foss-sdr12europe/foss-sdr12europe.tex
@@ -0,0 +1,464 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +\usepackage{url} +\makeatletter +\def\url@leostyle{% + \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}} +\makeatother +%% Now actually use the newly defined style. +\urlstyle{leo} + + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau . +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. + + +\title{Free and Open Source Software in SDR} + +%\subtitle {community based Free / Open Source Software for communications} + +\author{Harald Welte } + +\institute +{osmocom.org\\sysmocom GmbH} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[] % (optional, should be abbreviation of conference name) +{June 29, SDR'12 - WInnForum Europe} +% - Either use conference name or its abbreviation. 
+% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{Communications} +% This is only inserted into the PDF information catalog. Can be left +% out. + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + +\begin{frame}{Outline} + \tableofcontents[hideallsubsections] + % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. 
+ +\begin{frame}{About the speaker} +\begin{itemize} + \item Linux Kernel / bootloader / driver / firmware developmer since 1999 + \item IT security expert, focus on network protocol security + \item Former core developer of Linux packet filter netfilter/iptables + \item Board-level Electrical Engineering + \item Always looking for interesting protocols (RFID, DECT, GSM) + \item OpenPCD, Openmoko, deDECTed.org, OpenBSC, OsmocomBB, OsmoSGSN +\end{itemize} +\end{frame} + +\begin{frame}{About sysmocom GmbH}{systems for mobile communications} +\begin{itemize} + \item small company, started by two Osmocom developers in Berlin + \item provides commercial R\&d and support for professional + users of Osmocom software + \item develops its own products like sysmoBTS (inexpensive, + small-form-factor, OpenBSC compatible BTS) + \item runs a small webshop for Osmocom related hardware like + OsmocomBB compatible phones, SIMtrace, etc. +\end{itemize} +\end{frame} + + +\section{Free and Open Source Software} + +\subsection{Where is FOSS today} + +\begin{frame} +\begin{itemize} + \item Free and Open Source Software (FOSS) is everywhere + \item Particularly Servers and all areas of Embedded + \item FOSS has fundamentally changed the software industry + \item Systems architecture of products becomes more complex + \item Nobody can afford to build complex products from scratch + \item Everyone builds products on existing FOSS components, + particularly the Linux kernel and other OS-level + components +\end{itemize} +\end{frame} + +\begin{frame}{Linux and Free Software (FOSS) everywhere} +\begin{figure}[h] + \centering + \includegraphics[width=100mm]{linux_netfilter_singapore_entertainment.jpg} +\end{figure} +\end{frame} + +\begin{frame} +\begin{itemize} + \item FOSS is not a technology + \item FOSS is not a product + \item FOSS is not a company + \item FOSS is a development methodology and culture + \item Only companies with sufficient FOSS experience understand + the value of how to 
interact with the wider FOSS + communities +\end{itemize} +\end{frame} + +\begin{frame} +\begin{itemize} + \item FOSS enables participation + \item you don't have to work for a specific company in order to + do OS development + \item nobody has to have any formal relationship with their + collaborators, suppliers. + \item any {\em nobody} can contribute, even so-called amateurs, + hobbyists, students + \item it doesn't matter how deep your pockets are + \item meritocracy (the better your merits, the more you have a + say in the development process) +\end{itemize} +\end{frame} + +\begin{frame}{FOSS: Democracy / Equal Access} +\begin{itemize} + \item The means of productions (Computers, OS, Compilers) are + abundant and inexpensive (for the first world) + \item Anyone can create and produce software, all you need is + your brain + \item No membership required in exclusive forums, industry + clubs, consortia +\end{itemize} +\end{frame} + +\subsection{FOSS and SDR} + +\begin{frame}{Traditional Radio Engineering} +\begin{itemize} + \item Traditional radio development required electrical + engineering in hardware. You have to + \begin{itemize} + \item know analog / RF electronics + \item spin board revisions / prototypes + \item actually physically build something + \end{itemize} + \item Aside from the skills, there is a significant non-HR cost + involved for actually doing this development +\end{itemize} +\end{frame} + +\begin{frame}{SDR and FOSS} +\begin{itemize} + \item SDR transforms radio engineering into the software domain + \item In Software, all you need to do R\&D is a bit of general-purpose hardware and your brains + \item With inexpensive general-purpose SDR hardware, the same + conditions apply to development of radio software! 
+ \item Participatory, collaborative, community driven R\&D +\end{itemize} +\end{frame} + + +\section{SDR hardware popular in community SDR projects} + +\begin{frame} +\begin{itemize} + \item When you (the audience) thinks of SDR, it's probably + mostly bleeding-edge high-end and high-cost + \item At the same time, if you don't have the same high-end + requirements, SDR receiver hardware is available cheap + \item commoditization effect +\end{itemize} +\end{frame} + + +\begin{frame}{The USRP family} +\begin{itemize} + \item probably the most-used SDR hardware in the FOSS world + \item still the primarily radio used with gnuradio today + \item at the low end of the 'professional sdr' price segment + \item still, typical configuration costs > 1000 USD + \item not everyone is able to spend that (students, hobbyists, + especially outside first world countries) +\end{itemize} +\end{frame} + + +\subsection{Fun Cube Dongle Pro} + +\begin{frame}{Fun Cube Dongle Pro (2010)} +\begin{itemize} + \item 64 MHz to 1700 Mhz USB SDR receiver (193 USD) + \item limited to 96 kHz I/Q baseband sampling + \item great for amateur radio and TETRA, but most other +communications systems (like GSM introduced in 1992) use wider band-widths + \item great progress in terms of size and cost, but much more +limited than USRP + \item Hardware design and firmware sadly are proprietary +\end{itemize} +\end{frame} + +\begin{frame}{Fun Cube Dongle Pro (2010)} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{fcdp_pcb.jpg} +\end{figure} +\end{frame} + +\subsection{OsmoSDR} + +\begin{frame}{OsmoSDR (2012)} +\begin{itemize} + \item small, low-power / low-cost USB SDR hardware (225 USD) + \item higher bandwidth than FunCubeDonglePro (1.2 Ms/s / 14bit) + \item much lower cost than USRP, but more expensive than FCDP + \item Open Hardware (schematics), software (FPGA, firmware) + \item Undergoing another re-spin for 4.2 Ms/s @ 14bit +\end{itemize} +\begin{figure}[h] +\centering 
+\includegraphics[width=70mm]{osmosdr.jpg} +\end{figure} +\end{frame} + +\subsection{rtl-sdr} + +\begin{frame}{Realtek RTL2832U based DVB-T receivers} +\begin{itemize} + \item Realtek RTL2832U based DVB-T receivers are cheaply + available on the market (USD 20) + \item RTL2832U implements ADC, DVB-T demodulator and high-speed + USB device + \item Normal mode of operation includes full DVB-T receiver + inside RTL2832U hardware and only sends MPEG2-TS via USB + \item Reverse engineering the USB protocol and replaying certain + commands from custom libusb based code was able to trigger the raw + sample transmission to the host PC +\end{itemize} +\end{frame} + +\begin{frame}{RTL2832U based devices: EzTV 668} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{ezcap_top.jpg} +\end{figure} +\end{frame} + +\begin{frame}{RTL2832U based devices: Hama nano1} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{hama_nano1.jpg} +\end{figure} +\end{frame} + + +\section{Free Software SDR software} + +\begin{frame}{Gnuradio} +\begin{itemize} + \item Philosophy: Implement SDR not as hand-crafted special-case hand-optimized assembly code in some obscure DSP, but on a general purpose PC + \begin{itemize} + \item with modern x86 systems at multi-GHz clock speeds and with many cores this becomes feasible + \item of course way too expensive for a mass-produced product, but very suitable for research, teaching and rapid prototyping + \end{itemize} + \item Implement various signal processing elements in C++ + \begin{itemize} + \item assembly optimized libraries for low-level operations + \item provide python bindings for all blocks + \end{itemize} + \item Python script to define interaction, relation, signal~routing between blocks +\end{itemize} +\end{frame} + +\begin{frame}{gnuradio based waveform implementations} +\begin{itemize} + \item Of course plenty of gr-based implementations for the various analog + modulation schemes + \item Check out CGRAN (comprehensive 
gnuradio archive network): + Includes 802.11, Zigbee, RDS, DECT, AIS, UHF RFID, ADS-B + \item Many other projects out of academia and community, such as + OpenLTE (early stage of downlink Rx/Tx) +\end{itemize} +\end{frame} + +\begin{frame}{Osmocom / osmocom.org} +\begin{itemize} + \item Osmocom == Open Source Mobile Communications + \item Classic collaborative, community-driven FOSS project + \item Gathers creative people who want to explore this + industry-dominated closed mobile communications world + \item http://osmocom.org/ + \begin{itemize} + \item non-sdr sub-projects like L2/L3 protocol stacks + \item sdr sub-projects for mostly Rx side + \end{itemize} +\end{itemize} +\end{frame} + + +\begin{frame}{OpenBSC} +\begin{itemize} + \item first Osmocom project + \item Implements GSM A-bis interface towards BTS + \item Supports Siemens, ip.access, Ericsson and Nokia BTS + \item can implement only BSC function (osmo-bsc) or a fully + autonomous self-contained GSM network (osmo-nitb) that + requires no external MSC/VLR/AUC/HLR/EIR + \item deployed in > 200 installations world-wide, commercial and + research +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomBB} +\begin{itemize} + \item Full baseband processor firmware implementation of a mobile phone (MS) + \item We re-use existing phone hardware and re-wrote the L1, L2, + L3 and higher level logic + \item Higher layers reuse code from OpenBSC wherever possible + \item Used in a number of universities and other research contexts (including Ericsson Research) +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=50mm]{c123_pcb.jpg} +\end{figure} +\end{frame} + +\begin{frame}{OsmocomTETRA} +\begin{itemize} + \item SDR implementation of a TETRA radio-modem (PHY/MAC) + \item Rx is fully implemented, Tx only partial + \item Can be used for air interface interception + \item Accompanied by wireshark dissectors for the TETRA protocol + stack +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomGMR} 
+\begin{itemize} + \item ETSI GMR (Geo Mobile Radio) is "GSM for satellites" + \item GMR-1 used by Thuraya satellite network + \item OsmocomGMR implements SDR based radiomodem + PHY/MAC (Rx) + \item Partial wireshark dissectors for the protocol stack + \item Reverse engineered implementation of GMR-A5 crypto + \item Speech codec is proprietary, still needs reverse engineering +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomOP25} +\begin{itemize} + \item APCO25 is Professional PMR system used in the US + \item Can be compared to TETRA in Europe + \item OsmocomOP25 is again SDR receiver + protocol analyzer +\end{itemize} +\end{frame} + +\begin{frame}{The OpenBTS Um - SIP bridge} +\begin{itemize} + \item OpenBTS is a SDR implementation of GSM Um radio interface + \item directly bridges to SIP/RTP, no A-bis/BSC/A/MSC + \item suitable for research on air interface, but very different + from traditional GSM networks +\end{itemize} +\end{frame} + +\begin{frame}{airprobe.org} +\begin{itemize} + \item SDR implementation of Um sniffer + \item suitable for receiving GSM Um downlink and uplink + \item predates all of the other projects + \item more or less abandoned at this point +\end{itemize} +\end{frame} + + +\begin{frame}{Thanks} +Thanks for your attention. I hope we have time for Q\&A. +\end{frame} + + +\end{document} diff --git a/2012/foss-sdr12europe/foss-sdr12europe.tex.bak b/2012/foss-sdr12europe/foss-sdr12europe.tex.bak new file mode 100644 index 0000000..118fcce --- /dev/null +++ b/2012/foss-sdr12europe/foss-sdr12europe.tex.bak 
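Review bot: Three spelling slips in the slide text are worth fixing before this source is rebuilt: `developmer` in the "About the speaker" frame, `R\&d` in the sysmocom frame (later frames write `R\&D`), and `1700 Mhz` next to `64 MHz` in the Fun Cube Dongle Pro frame. The preamble also still carries the instructional comments of the beamer conference template (`% or whatever`, `% Delete this, if you do not want ...`), which could be dropped so that only the lines the talk actually uses remain.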
@@ -0,0 +1,464 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +\usepackage{url} +\makeatletter +\def\url@leostyle{% + \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}} +\makeatother +%% Now actually use the newly defined style. +\urlstyle{leo} + + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau . +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. + + +\title{Free and Open Source Software in SDR} + +%\subtitle {community based Free / Open Source Software for communications} + +\author{Harald Welte } + +\institute +{osmocom.org\\sysmocom GmbH} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[] % (optional, should be abbreviation of conference name) +{June 29, SDR'12 - WInnForum Europe} +% - Either use conference name or its abbreviation. 
+% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{Communications} +% This is only inserted into the PDF information catalog. Can be left +% out. + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + +\begin{frame}{Outline} + \tableofcontents[hideallsubsections] + % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. 
+ +\begin{frame}{About the speaker} +\begin{itemize} + \item Linux Kernel / bootloader / driver / firmware developmer since 1999 + \item IT security expert, focus on network protocol security + \item Former core developer of Linux packet filter netfilter/iptables + \item Board-level Electrical Engineering + \item Always looking for interesting protocols (RFID, DECT, GSM) + \item OpenPCD, Openmoko, deDECTed.org, OpenBSC, OsmocomBB, OsmoSGSN +\end{itemize} +\end{frame} + +\begin{frame}{About sysmocom GmbH}{systems for mobile communications} +\begin{itemize} + \item small company, started by two Osmocom developers in Berlin + \item provides commercial R\&d and support for professional + users of Osmocom software + \item develops its own producst like sysmoBTS (inexpensive, + small-form-factor, OpenBSC compatible BTS) + \item runs a small webshop for Osmocom related hardware like + OsmocomBB compatible phones, SIMtrace, etc. +\end{itemize} +\end{frame} + + +\section{Free and Open Source Software} + +\subsection{Where is FOSS today} + +\begin{frame} +\begin{itemize} + \item Free and Open Source Software (FOSS) is everywhere + \item Particularly Servers and all areas of Embedded + \item FOSS has fundamentally changed the software industry + \item Systems architecture of products becomes more complex + \item Nobody can afford to build complex products from scratch + \item Everyone builds products on existing FOSS components, + particularly the Linux kernel and other OS-level + components +\end{itemize} +\end{frame} + +\begin{frame}{Linux and Free Software (FOSS) everywhere} +\begin{figure}[h] + \centering + \includegraphics[width=100mm]{linux_netfilter_singapore_entertainment.jpg} +\end{figure} +\end{frame} + +\begin{frame} +\begin{itemize} + \item FOSS is not a technology + \item FOSS is not a product + \item FOSS is not a company + \item FOSS is a development methodology and culture + \item Only companies with sufficient FOSS experience understand + the value of how to 
interact with the wider FOSS + communities +\end{itemize} +\end{frame} + +\begin{frame} +\begin{itemize} + \item FOSS enables participation + \item you don't have to work for a specific company in order to + do OS development + \item nobody has to have any formal relationship with their + collaborators, suppliers. + \item any {\em nobody} can contribute, even so-called amateurs, + hobbyists, students + \item it doesn't matter how deep your pockets are + \item meritocracy (the better your merits, the more you have a + say in the development process) +\end{itemize} +\end{frame} + +\begin{frame}{FOSS: Democracy / Equal Access} +\begin{itemize} + \item The means of productions (Computers, OS, Compilers) are + abundant and inexpensive (for the first world) + \item Anyone can create and produce software, all you need is + your brain + \item No membership required in exclusive forums, industry + clubs, consortia +\end{itemize} +\end{frame} + +\subsection{FOSS and SDR} + +\begin{frame}{Traditional Radio Engineering} +\begin{itemize} + \item Traditional radio development required electrical + engineering in hardware. You have to + \begin{itemize} + \item know analog / RF electronics + \item spin board revisions / prototypes + \item actually physically build something + \end{itemize} + \item Aside from the skills, there is a significant non-HR cost + involved for actually doing this development +\end{itemize} +\end{frame} + +\begin{frame}{SDR and FOSS} +\begin{itemize} + \item SDR transforms radio engineering into the software domain + \item In Software, all you need to do R\&D is a bit of general-purpose hardware and your brains + \item With inexpensive general-purpose SDR hardware, the same + conditions apply to development of radio software! 
+ \item Participatory, collaborative, community driven R\&D +\end{itemize} +\end{frame} + + +\section{SDR hardware popular in community SDR projects} + +\begin{frame} +\begin{itemize} + \item When you (the audience) thinks of SDR, it's probably + mostly bleeding-edge high-end and high-cost + \item At the same time, if you don't have the same high-end + requirements, SDR receiver hardware is available cheap + \item commoditization effect +\end{itemize} +\end{frame} + + +\begin{frame}{The USRP family} +\begin{itemize} + \item probably the most-used SDR hardware in the FOSS world + \item still the primarly radio used with gnuradio today + \item at the low end of the 'professional sdr' price segment + \item still, typical configuration costs > 1000 USD + \item not everyone is able to spend that (students, hobbyists, + especially outside first world countries) +\end{itemize} +\end{frame} + + +\subsection{Fun Cube Dongle Pro} + +\begin{frame}{Fun Cube Dongle Pro (2010)} +\begin{itemize} + \item 64 MHz to 1700 Mhz USB SDR receiver (193 USD) + \item limited to 96 kHz I/Q baseband sampling + \item great for amateur radio and TETRA, but most other +communications systems (like GSM introduced in 1992) use wider band-widths + \item great progress in terms of size and cost, but much more +limited than USRP + \item Hardware design and firmware sadly are proprietary +\end{itemize} +\end{frame} + +\begin{frame}{Fun Cube Dongle Pro (2010)} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{fcdp_pcb.jpg} +\end{figure} +\end{frame} + +\subsection{OsmoSDR} + +\begin{frame}{OsmoSDR (2012)} +\begin{itemize} + \item small, low-power / low-cost USB SDR hardware (225 USD) + \item higher bandwidth than FunCubeDonglePro (1.2 Ms/s / 14bit) + \item much lower cost than USRP, but more expensive than FCDP + \item Open Hardware (schematics), software (FPGA, firmware) + \item Undergoing another re-spin for 4.2 Ms/s @ 14bit +\end{itemize} +\begin{figure}[h] +\centering 
+\includegraphics[width=70mm]{osmosdr.jpg} +\end{figure} +\end{frame} + +\subsection{rtl-sdr} + +\begin{frame}{Realtek RTL2832U based DVB-T receivers} +\begin{itemize} + \item Realtek RTL2832U based DVB-T receivers are cheaply + available on the market (USD 20) + \item RTL2832U implements ADC, DVB-T demodulator and high-speed + USB device + \item Normal mode of operation includes full DVB-T receiver + inside RTL2832U hardware and only sends MPEG2-TS via USB + \item Reverse engineering the USB protocol and replaying certain + commands from custom libusb based code was able to trigger the raw + sample transmission to the host PC +\end{itemize} +\end{frame} + +\begin{frame}{RTL2832U based devices: EzTV 668} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{ezcap_top.jpg} +\end{figure} +\end{frame} + +\begin{frame}{RTL2832U based devices: Hama nano1} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{hama_nano1.jpg} +\end{figure} +\end{frame} + + +\section{Free Software SDR software} + +\begin{frame}{Gnuradio} +\begin{itemize} + \item Philosophy: Implement SDR not as hand-crafted special-case hand-optimized assembly code in some obscure DSP, but on a general purpose PC + \begin{itemize} + \item with modern x86 systems at multi-GHz clock speeds and with many cores this becomes feasible + \item of course way too expensive for a mass-produced product, but very suitable for research, teaching and rapid prototyping + \end{itemize} + \item Implement various signal processing elements in C++ + \begin{itemize} + \item assembly optimized libraries for low-level operations + \item provide python bindings for all blocks + \end{itemize} + \item Python script to define interaction, relation, signal~routing between blocks +\end{itemize} +\end{frame} + +\begin{frame}{gnuradio based waveform implementations} +\begin{itemize} + \item Of course plenty of gr-based implementations for the various analog + modulation schemes + \item Check out CGRAN (comprehensive 
gnuradio archive network):
+ Includes 802.11, Zigbee, RDS, DECT, AIS, UHF RFID, ADS-B
+ \item Many other projects out of academia and community, such as
+ OpenLTE (early stage of downlink Rx/Tx)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Osmocom / osmocom.org}
+\begin{itemize}
+ \item Osmocom == Open Soruce Mobile Communications
+ \item Classic collaborative, community-driven FOSS project
+ \item Gathers creative people who want to explore this
+ industry-dominated closed mobile communications world
+ \item http://osmocom.org/
+ \begin{itemize}
+ \item non-sdr sub-projects like L2/L3 protocol stacks
+ \item sdr sub-projects for mostly Rx side
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{OpenBSC}
+\begin{itemize}
+ \item first Osmocom project
+ \item Implements GSM A-bis interface towards BTS
+ \item Supports Siemens, ip.access, Ericsson and Nokia BTS
+ \item can implement only BSC function (osmo-bsc) or a fully
+ autonomous self-contained GSM network (osmo-nitb) that
+ requires no external MSC/VLR/AUC/HLR/EIR
+ \item deployed in > 200 installations world-wide, commercial and
+ research
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB}
+\begin{itemize}
+ \item Full baseband processor firmware implementation of a mobile phone (MS)
+ \item We re-use existing phone hardware and re-wrote the L1, L2,
+ L3 and higher level logic
+ \item Higher layers reuse code from OpenBSC wherever possible
+ \item Used in a number of universities and other research contexts (including Ericsson Research)
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=50mm]{c123_pcb.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmocomTETRA}
+\begin{itemize}
+ \item SDR implementation of a TETRA radio-modem (PHY/MAC)
+ \item Rx is fully implemented, Tx only partial
+ \item Can be used for air interface interception
+ \item Accompanied by wireshark dissectors for the TETRA protocol
+ stack
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomGMR}
+\begin{itemize} + \item ETSI GMR (Geo Mobile Radio) is "GSM for satellites" + \item GMR-1 used by Thuraya satellite network + \item OsmocomGMR implements SDR based radiomodem + PHY/MAC (Rx) + \item Partial wireshark dissectors for the protocol stack + \item Reverse engineered implementation of GMR-A5 crypto + \item Speech codec is proprietary, still needs reverse engineering +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomOP25} +\begin{itemize} + \item APCO25 is Professional PMR system used in the US + \item Can be compared to TETRA in Europe + \item OsmocomOP25 is again SDR receiver + protocol analyzer +\end{itemize} +\end{frame} + +\begin{frame}{The OpenBTS Um - SIP bridge} +\begin{itemize} + \item OpenBTS is a SDR implementation of GSM Um radio interface + \item directly bridges to SIP/RTP, no A-bis/BSC/A/MSC + \item suitable for research on air interface, but very different + from traditional GSM networks +\end{itemize} +\end{frame} + +\begin{frame}{airprobe.org} +\begin{itemize} + \item SDR implementation of Um sniffer + \item suitable for receiving GSM Um downlink and uplink + \item predates all of the other projects + \item more or less abandoned at this point +\end{itemize} +\end{frame} + + +\begin{frame}{Thanks} +Thanks for your attention. I hope we have time for Q\&A. +\end{frame} + + +\end{document} diff --git a/2012/foss-sdr12europe/hama_nano1.jpg b/2012/foss-sdr12europe/hama_nano1.jpg new file mode 100644 index 0000000..e1992fe Binary files /dev/null and b/2012/foss-sdr12europe/hama_nano1.jpg differ diff --git a/2012/foss-sdr12europe/linux_netfilter_singapore_entertainment.jpg b/2012/foss-sdr12europe/linux_netfilter_singapore_entertainment.jpg new file mode 100644 index 0000000..91b839f Binary files /dev/null and b/2012/foss-sdr12europe/linux_netfilter_singapore_entertainment.jpg differ 
diff --git a/2012/foss-sdr12europe/osmosdr.jpg b/2012/foss-sdr12europe/osmosdr.jpg
new file mode 100644
index 0000000..730b579
Binary files /dev/null and b/2012/foss-sdr12europe/osmosdr.jpg differ
diff --git a/2012/foss-sdr12europe/outline.txt b/2012/foss-sdr12europe/outline.txt
new file mode 100644
index 0000000..1ce09c2
--- /dev/null
+++ b/2012/foss-sdr12europe/outline.txt
@@ -0,0 +1,47 @@
+* Free and Open Source Software
+ * typically strong in infrastructure and embedded
+ * Linux to be found in many unexpected places today
+ * [various examples]
+* Benefits of FOSS
+ * reduced "software BOM" cost
+ * joint development resources leading to less R&D cost at each
+ individual user (compared to custom implementation)
+ * more eyes reviewing code than any organization has developers in-house
+
+* existing community-driven FOSS projects
+ * gnuradio
+ * do SDR on x86, use C++ blocks connected by python scripts
+ * GUI for visually creating signal processing flow-graphs
+ * strength in research and prototyping of SDR applications
+ * OpenBTS
+ * airprobe
+ * GSM receiver for protocol analysis
+ * Osmocom (TETRA, GMR, SDR, ...)
+
+* inexpensive SDR hardware
+ * USRP family (>= USD 1000)
+ * OsmoSDR (USD 200)
+ * receive-only, 1.4 Ms/s @ 14bit (HW v3: 4.2 Ms/s)
+ * 64 MHz ... 2 GHz
+ * small FPGA + Cortex-M3
+ * rtl-sdr (USD 20)
+ * 64 MHz ... 2 GHz
+ * ?? Ms/s @ 8 bit
+ * raw samples
+ * UmTRX
+
+* inexpensive "low-end" SDR hardware + FOSS go hand in hand
+ * enable participation in research and development to anyone with sufficient time and interest
+ * beyond traditional telecom industry
+ * beyond top-tier universities with large research grants
+ * removes entry barriers
+ * small businesses can innovate and participate in the market
+
+* accessibility of technology
+ * UFPA / Brazil
+ * ENSPT / Yaounde
+
+* slides from "FOSS in telco / security"
+
+* what can the industry get from this?
+ * ennabling students, researchers and hobbyists to experiment and build skills (whihc are
diff --git a/2012/foss_comms-winncom2012/Sutton_WInnFEurope2011.pdf b/2012/foss_comms-winncom2012/Sutton_WInnFEurope2011.pdf
new file mode 100644
index 0000000..b1d9d7f
Binary files /dev/null and b/2012/foss_comms-winncom2012/Sutton_WInnFEurope2011.pdf differ
diff --git a/2012/gpl-freedomhec2012/gpl_compliance.pdf b/2012/gpl-freedomhec2012/gpl_compliance.pdf
new file mode 100644
index 0000000..5afa5dd
Binary files /dev/null and b/2012/gpl-freedomhec2012/gpl_compliance.pdf differ
diff --git a/2012/gpl-freedomhec2012/gpl_compliance.snm b/2012/gpl-freedomhec2012/gpl_compliance.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2012/gpl-freedomhec2012/gpl_compliance.tex b/2012/gpl-freedomhec2012/gpl_compliance.tex
new file mode 100644
index 0000000..158dd5c
--- /dev/null
+++ b/2012/gpl-freedomhec2012/gpl_compliance.tex
@@ -0,0 +1,507 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau .
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{Current Developments in GPL Compliance}
+
+\author{Harald Welte}
+
+\institute
+{gpl-violations.org}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[FreedomHEC 2012] % (optional, should be abbreviation of conference name)
+{FreedomHEC 2012, Taipei}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Embedded Linux}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+\item Programming computers since 1989
+\item Linux user + application developer since 1994
+\item Linux kernel development since 1999
+\item GNU GPL license enforcement since 2003
+\item IT security expert, network protocol security
+\item Board-level Electrical Engineering
+\item System-level Software for PPC, ARM, x86
+\item IANAL, but companies not complying with the license forced me to spend lots of time with legal issues
+\end{itemize}
+\end{frame}
+
+
+\section{Historical Development}
+
+\begin{frame}{Historical development}
+\begin{itemize}
+ \item 1970ies: Softare becomes copyrightable
+ \item 1980ies: GNU project, GPLv1
+ \item 1990ies: Linux kernel, GPLv2, servers
+ \item 2000s: Linux and FOSS is everywhere
+\end{itemize}
+\end{frame}
+
+\subsection{FOSS is everywhere}
+
+\begin{frame}{Linux and Free Software (FOSS) everywhere}
+\begin{figure}[h]
+\centering
+\includegraphics[width=100mm]{linux_netfilter_singapore_entertainment.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{More Linux - More License Violations}
+\begin{itemize}
+ \item Boom of Linux results in many {\em new companies} using it in products
+ \item Such Linux newbies do not have a history in the FOSS community
+ \item They also do not share the same culture, values and norms
+ \item They simply use Linux to reduce royalty cost for proprietary OS
+ \item They run into trouble (GPL violations)
+\end{itemize}
+\end{frame}
+
+\subsection{GPL enforcement}
+
+\begin{frame}{More License Violations - More Enforcement}
+\begin{itemize}
+ \item New Linux based products continue to enter the market
+ \item License compliance often very bad
+ \item Community is deeply upset about the violation of its rules
+ \item Often perceived as insult of the FOSS community culture
+ \item Lack of respect of corporations towards community
+ \item Legal enforcement is often the only possible way for community to educate corporations
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GPL enforcement}
+\begin{itemize}
+ \item Before 2003: Mostly Free Software Foundation
+ \item 2003-now: gpl-violations.org (Europe), ~ 200 cases
+ \item 2005-2010: SFLC (United States)
+ \item 2010-now: SFC (United States)
+ \item publicly invisible enforcement
+ \begin{itemize}
+ \item e.g. MySQL (dual-licensing)
+ \item e.g. Asterisk (dual-licensing)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\section{Beyond minimal license compliance}
+
+\subsection{FOSS communities vs. license terms}
+
+\begin{frame}{FOSS community is technical, not legal}
+\begin{itemize}
+ \item FOSS is created by software developers working together in
+collaborative ways, often without any formal structure
+ \item Individuals, Universities as well as Corporations
+contribute their work
+ \item Cooperation in a culture of sharing
+ \item Even direct competitors like Intel and AMD cooperate in Linux
+development, because everyone needs it
+ \item FOSS communities are deeply technical. They hate company
+politics.
+ \item License is {\bf just} a last resort of protection against
+those who absolutely don't understand FOSS
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Beyond pure legal compliance with licenses}
+\begin{itemize}
+ \item Compliance with the legal terms of the license is the
+absolute bare minimum that companies have to do
+ \item If you use FOSS in your products, please consider
+establishing a healthy relationship with the communities that drive
+development of this software
+ \item It is not a customer / supplier relationship!
+ \item The community expects you to participate in development
+\end{itemize}
+\end{frame}
+
+\subsection{Becoming part of the community}
+
+\begin{frame}{Why should you join?}
+Benefits to Embedded electronics companies
+\begin{itemize}
+ \item Larger number of engineers can help you improve your product
+ \begin{itemize}
+ \item optimize performance (battery, speed, ...)
+ \item fix more bugs than your in-house R\&D
+ \item have more ideas/innovation than all engineers combined inside your company!
+ \end{itemize}
+ \item Be recognized within the community as {\em somebody who understands}
+ \begin{itemize}
+ \item allows you to attract skilled developers from the FOSS world who would otherwise never consider working for you
+ \item makes you more attractive to most technical customer base of {\em early adopters}
+ \end{itemize}
+ \item Reduce cost of maintaining your code base
+\end{itemize}
+\end{frame}
+
+\begin{frame}{How to become part of the community}
+\begin{itemize}
+ \item Permit your engineers to engage in technical discussions on mailing lists
+ \item Submit your modifications to the respective upstream projects
+ \item Join technical conferences and discuss technical issues
+ \item Encourage the community to innovate and extend your products
+\end{itemize}
+\end{frame}
+
+\begin{frame}{When and how to release source code}
+\begin{itemize}
+ \item Legal requirement:
+ \begin{itemize}
+ \item You're used to release source code at the time product ships because the license forces you to
+ \end{itemize}
+ \item Community norm:
+ \begin{itemize}
+ \item Your engineers interact with the project maintainers during R\&D
+ \item Source code of your modifications undergoes review + inclusion in mainline
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Quality of the source code release}
+\begin{itemize}
+ \item Legal requirement / Reality:
+ \begin{itemize}
+ \item {\em complete and corresponding} source code
+ \item Often does not compile
+ \item Often contains proprietary kernel modules of questionable legality
+ \item Often provides no (simple) way of installing re-compiled program on the actual device
+ \end{itemize}
+ \item Community norm:
+ \begin{itemize}
+ \item {\em complete and corresponding} source code
+ \item no proprietary kernel modules that constrain e.g.
updates to later kernels
+ \item complete utilities to install modified version of software on the device
+ \item maybe even some instructions on how to do so
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Summary}
+\begin{itemize}
+ \item Show respect for the FOSS development model based on
+mutual respect and understanding
+ \item Actively engage and discuss with the community
+ \item Don't try to cheat your way out of license compliance
+ \item Treat community as partner in development of your products
+ \item Don't treat them like your enemy (DRM, Tivo-ization)!
+\end{itemize}
+\end{frame}
+
+\section{Current Developments}
+
+\subsection{Software Freedom Conservancy}
+
+\begin{frame}{Software Freedom Conservancy}
+\begin{itemize}
+ \item gpl-violations.org is no longer alone
+ \item SFC is doing busybox enforcement in the US
+ \item Some people/entities are upset about that...
+ \item ... but we {\bf need} to see more enforcement
+ \item SFC activities sometimes misrepresented in public!
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Software Freedom Conservancy}
+\begin{itemize}
+ \item It's great to see enforcement outside Europe
+ \item It's great to see cases go to court in the US
+ \item We need more precedent in favor of GPL enforcement to
+ deter people from intentionally taking the risk of
+ infringement
+ \item
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Software Freedom Conservancy / beyond busybox}
+\begin{itemize}
+ \item Some Linux kernel developers will work with SFC
+ \item SFC is now able to enforce GPL on Linux kernel, not just busybox
+ \item Lots of devices have Linux kernel but no busybox (e.g.
Android)
+\end{itemize}
+\end{frame}
+
+\subsection{The AVM Case}
+
+\begin{frame}{The AVM Case}{Background (1/2)}
+\begin{itemize}
+ \item AVM is commercially most successful vendor of DSL CPE (Fritz!Box)
+ \item They heavily use Linux and other FOSS in their products
+ \item They also have an unusual amount of proprietary code in
+ the devices, compared to most other vendors (e.g. bypass
+ netfilter/iptables and use their own packet filter/NAT)
+ \item Cybits is a German vendor of parental control / child safe
+ content filtering software (proprietary)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{Background (2/2)}
+\begin{itemize}
+ \item Cybits has developed a version of their filtering software
+ that can be installed by the user onto the AVM Fritz!Box
+ \item The installation procedure downloaded a AVM firmware
+ update, extracts the root filesystem, changes some
+ scripts, deactivates individual programs and adds their
+ own software into the filesystem image
+ \item The modified image is then installed by the user into his
+ device
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{The Dispute (preliminary proceedings)}
+\begin{itemize}
+ \item AVM now asks court to grant injunction against Cybits
+ modifying {\em their firmware}, based on copyright,
+ trademark and unfair competition claims
+ \item Court grants that injunction based on AVMs claims
+ \item Cybits disputes that first decision
+ \item Harald Welte / gpl-violations.org become {\em side intervener}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{The Dispute (preliminary proceedings)}
+\begin{itemize}
+ \item {\em side intervener} because AVM tries to use legal means
+ to restrict the freedom granted by the GPL: The ability
+ to modify GPL licensed code, and to use such modified
+ versions
+ \item As Cybits only modifies code that is not copyrighted by
+ AVM, AVM cannot make copyright based claims
+ \item Court lifts preliminary injunction on condition that some
+ 
erroneous display in the web interface are resolved by
+ Cybits
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{The Dispute (main proceedings)}
+\begin{itemize}
+ \item AVM sues Cybits in main proceedings, Harald Welte side
+ intervenes again
+ \item AVM is making claims over claims and files tons of papers,
+ up to a point where I have doubts that the court is able
+ to read all of them
+ \item Among other things, they always try to present the
+ firmware as something whole to which they own rights.
+ But if specifically asked, they do not explicitly claim
+ it's a derivative or collective work
+ \item Court accepts the fact that GPL licensed software is used
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{The Dispute (ridiculous AVM claims)}
+\begin{itemize}
+ \item AVM claims that an illegal modification under copyright
+ law is happening, as Cybits is modifying their code by
+ unloading AVM's proprietary kernel module and replacing
+ it with standard kernel modules like ip\_tables.
+ \item AVM claims that illegal copying happens as one of AVM's
+ programs is copied from flash into RAM when Cybits
+ installations scripts are executing it
+ \item AVM claims copyright is about software, not firmware (lol)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{December 2011: The verdict}
+\begin{itemize}
+ \item Court rules that AVM cannot restrict Cybits based on
+ copyright law due to the provisions of the GPL
+ \item Court rules that the firmware (including all GPL and
+ non-gpl licensed components) constitutes a collective
+ work
+ \item Court rules that thus the entire collective work becomes
+ {\em infected} by the GPL (!)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{Analysis of the verdict}
+\begin{itemize}
+ \item Court has made a very far-reaching verdict
+ \item What is the result of the {\em infection} of the
+ collective work?
+ \item Why is it not {\em mere aggregation on a storage medium}?
+ \item Was AVM insisting that the firmware is somehow one
+ item/entity all along the court case the reason for this
+ somewhat unexpected outcome?
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{What do we learn from it?}
+\begin{itemize}
+ \item Some companies are behaving outrageous in terms of GPL compliance
+ \item Trying to fight very hard to restrict the freedom of the
+ GPL can come back very hard to your own disadvantage.
+ \item AVM has publicly proven that they're probably the worst
+ aggressor against the freedom of the GPL, and they have
+ failed to get away with it.
+\end{itemize}
+\end{frame}
+
+\subsection{Current focus at gpl-violations.org}
+
+\begin{frame}{Chinese Android Phones}
+\begin{itemize}
+ \item traditionally, we only see major brands/vendors like HTC,
+ Samsung, LG, Motorola in Europe
+ \item at the moment, TCT, ZTE, Huawei and others are starting to
+ become available
+ \item we're taking a {\em very} close look at all those devices
+ and have just obtained an injunction against TCT Mobile
+ (Alcatel branded)
+ \item Chinese vendors must learn that they have to respect
+ copyright and the GPL when they ship to EU or US market
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Chinese Oscilloscopes (DSO)}
+\begin{itemize}
+ \item did you know there are fairly decent Linux based DSO
+ (digital storage oscilloscopes) available?
+ \item wouldn't every system-level engineer dream of being able
+ to enhance the software on a DSO with his custom
+ analysis / trigger / protocol decoder code? Or for
+ factory testing/automation purpose?
+ \item as part of GPL enforcement, Hantek/Tekway have now
+ released the source code to bootloader/kernel, including
+ the kernel drivers for their DSO hardware!
+\end{itemize}
+\end{frame}
+
+\begin{frame}{no-name / store-branded OEM devices}
+\begin{itemize}
+ \item Actually found one German "cheap electronics vendor" who
+ sell more than 13 currently active products in a
+ completely GPL in-compliant way
+ \item Pretty big surprise, given all the enforcement that has
+ been done in recent years
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Cooperation with Free Software Foundation Europe}
+\begin{itemize}
+ \item Cases that we have finished enforcement on are handed over
+ to FSFE
+ \item FSFE volunteers will continue to monitor compliance,
+ especially of firmware updates for them
+ \item If any such future incompliance is found, case gets handed
+ back to gpl-violations.org for enforcement of
+ contractual penalty and declaration of cease+desist
+ \item Contractual penalty gets donated to FSFE
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Thanks}
+\begin{itemize}
+ \item Thanks for your attention
+ \item Feel free to raise questions
+\end{itemize}
+\end{frame}
+
+\end{document}
diff --git a/2012/gpl-freedomhec2012/gpl_compliance.tex.bak b/2012/gpl-freedomhec2012/gpl_compliance.tex.bak
new file mode 100644
index 0000000..e7f86b7
--- /dev/null
+++ b/2012/gpl-freedomhec2012/gpl_compliance.tex.bak
@@ -0,0 +1,507 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau .
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{Current Developments in GPL Compliance}
+
+\author{Harald Welte}
+
+\institute
+{gpl-violations.org}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[FreedomHEC 2012] % (optional, should be abbreviation of conference name)
+{FreedomHEC 2012, Taipei}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Embedded Linux}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+\item Programming computers since 1989
+\item Linux user + application developer since 1994
+\item Linux kernel development since 1999
+\item GNU GPL license enforcement since 2003
+\item IT security expert, network protocol security
+\item Board-level Electrical Engineering
+\item System-level Software for PPC, ARM, x86
+\item IANAL, but companies not complying with the license forced me to spend lots of time with legal issues
+\end{itemize}
+\end{frame}
+
+
+\section{Historical Development}
+
+\begin{frame}{Historical development}
+\begin{itemize}
+ \item 1970ies: Softare becomes copyrightable
+ \item 1980ies: GNU project, GPLv1
+ \item 1990ies: Linux kernel, GPLv2, servers
+ \item 2000s: Linux and FOSS is everywhere
+\end{itemize}
+\end{frame}
+
+\subsection{FOSS is everywhere}
+
+\begin{frame}{Linux and Free Software (FOSS) everywhere}
+\begin{figure}[h]
+\centering
+\includegraphics[width=100mm]{linux_netfilter_singapore_entertainment.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{More Linux - More License Violations}
+\begin{itemize}
+ \item Boom of Linux results in many {\em new companies} using it in products
+ \item Such Linux newbies do not have a history in the FOSS community
+ \item They also do not share the same culture, values and norms
+ \item They simply use Linux to reduce royalty cost for proprietary OS
+ \item They run into trouble (GPL violations)
+\end{itemize}
+\end{frame}
+
+\subsection{GPL enforcement}
+
+\begin{frame}{More License Violations - More Enforcement}
+\begin{itemize}
+ \item New Linux based products continue to enter the market
+ \item License compliance often very bad
+ \item Community is deeply upset about the violation of its rules
+ \item Often percieved as insult of the FOSS community culture
+ \item Lack of respect of corporations towards community
+ \item Legal enforcement is often the only possible way for community to educate corporations
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GPL enforcement}
+\begin{itemize}
+ \item Before 2003: Mostly Free Software Foundation
+ \item 2003-now: gpl-violations.org (Europe), ~ 200 cases
+ \item 2005-2010: SFLC (United States)
+ \item 2010-now: SFC (United States)
+ \item publicly invisible enforcement
+ \begin{itemize}
+ \item e.g. MySQL (dual-licensing)
+ \item e.g. Asterisk (dual-licensing)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\section{Beyond minimal license compliance}
+
+\subsection{FOSS communities vs. license terms}
+
+\begin{frame}{FOSS community is technical, not legal}
+\begin{itemize}
+ \item FOSS is created by software developers working together in
+colalborative ways, often without any formal structure
+ \item Individuals, Universities as well as Corporations
+contribute their work
+ \item Cooperation in a culture of sharing
+ \item Even direct competitors like Intel and AMD cooperate in Linux
+development, because everyone needs it
+ \item FOSS communities are deeply technical. They hate company
+politics.
+ \item License is {\bf just} a last resort of protection against
+those who absolutely don't understand FOSS
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Beyond pure legal compliance with licenses}
+\begin{itemize}
+ \item Compliance with the legal terms of the license is the
+absolute bare minimum that companies have to do
+ \item If you use FOSS in your products, please consider
+establishing a healthy relationship with the communities that drive
+development of this software
+ \item It is not a customer / supplier relationship!
+ \item The community expects you to participate in development
+\end{itemize}
+\end{frame}
+
+\subsection{Becoming part of the community}
+
+\begin{frame}{Why should you join?}
+Benefits to Embedded electronics companies
+\begin{itemize}
+ \item Larger number of engineers can help you improve your product
+ \begin{itemize}
+ \item optimize performance (battery, speed, ...)
+ \item fix more bugs than your in-house R\&D + \item have more ideas/innovation than all engineers combined inside your company! + \end{itemize} + \item Be recognized within the community as {\em somebody who understands} + \begin{itemize} + \item allows you to attract skilled developers from the FOSS world who would otherwise never consider working for you + \item makes you more attractive to most technical customer base of {\em early adopters} + \end{itemize} + \item Reduce cost of maintaining your code base +\end{itemize} +\end{frame} + +\begin{frame}{How to become part of the community} +\begin{itemize} + \item Permit your engineers to engage in technical discussions on mailing lists + \item Submit your modifications to the respective upstream projects + \item Join technical conferences and discuss technical issues + \item Encourage the community to innovate and extend your products +\end{itemize} +\end{frame} + +\begin{frame}{When and how to release source code} +\begin{itemize} + \item Legal requirement: + \begin{itemize} + \item You're used to release source code at the time product ships because the license forces you to + \end{itemize} + \item Community norm: + \begin{itemize} + \item Your engineers interact with the project maintainers during R\&D + \item Source code of your modifications undergoes review + inclusion in mainline + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Quality of the source code release} +\begin{itemize} + \item Legal requirement / Reality: + \begin{itemize} + \item {\em complete and corresponding} source code + \item Often does not compile + \item Often contains proprietary kernel modules of questinable legality + \item Often provides no (simple) way of installing re-compiled program on the actual device + \end{itemize} + \item Community norm: + \begin{itemize} + \item {\em complete and corresponding} source code + \item no proprietary kernel modules that constrain e.g. 
updates to later kernels
+ \item complete utilities to install modified version of software on the device
+ \item maybe even some instructions on how to do so
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Summary}
+\begin{itemize}
+ \item Show respect for the FOSS development model based on
+mutual respect and understanding
+ \item Actively engage and discuss with the community
+ \item Don't try to cheat your way out of license compliance
+ \item Treat community as partner in development of your products
+ \item Don't treat them like your enemy (DRM, Tivo-ization)!
+\end{itemize}
+\end{frame}
+
+\section{Current Developments}
+
+\subsection{Software Freedom Conservancy}
+
+\begin{frame}{Software Freedom Conservancy}
+\begin{itemize}
+ \item gpl-violations.org is no longer alone
+ \item SFC is doing busybox enforcement in the US
+ \item Some people/entities are upset abuout that...
+ \item ... but we {\bf need} to see more enforcement
+ \item SFC activities sometimes misrepresented in public!
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Software Freedom Conservancy}
+\begin{itemize}
+ \item It's great to see enforcement outside Europe
+ \item It's great to see cases go to court in the US
+ \item We need more precedent in favor of GPL enforcement to
+ deter people from intentionally taking the risk of
+ infringement
+ \item
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Software Freedom Conservancy / beyond busybox}
+\begin{itemize}
+ \item Some Linux kernel developers will work with SFC
+ \item SFC is now able to enforce GPL on Linux kernel, not just busybox
+ \item Lots of devices have Linux kernel but no busybox (e.g.
Android)
+\end{itemize}
+\end{frame}
+
+\subsection{The AVM Case}
+
+\begin{frame}{The AVM Case}{Background (1/2)}
+\begin{itemize}
+ \item AVM is commercially most succesful vendor of DSL CPE (Fritz!Box)
+ \item They heavily use Linux and other FOSS in their products
+ \item They also have an unusual amount of proprietary code in
+ the devices, compared to most other vendors (e.g. bypass
+ netfilter/iptables and use their own packet filter/NAT)
+ \item Cybits is a German vendor of parental control / child safe
+ content filtering software (proprietary)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{Background (2/2)}
+\begin{itemize}
+ \item Cybits has developed a version of their filtering software
+ that can be installed by the user onto the AVM Fritz!Box
+ \item The installation procedure downloadsd a AVM firmware
+ update, extracts the root filesystem, changes some
+ scripts, deactivates individual programs and adds their
+ own software into the filesystem image
+ \item The modified image is then installed by the user into his
+ device
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{The Dispute (preliminary proceedings)}
+\begin{itemize}
+ \item AVM now asks court to grant injunction against Cybits
+ modifying {\em their firmware}, based on copyright,
+ trademark and unfair competition claims
+ \item Court grants that injunction based on AVMs claims
+ \item Cybits disputes that first decision
+ \item Harald Welte / gpl-violations.org become {\em side intervener}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{The Dispute (preliminary proceedings)}
+\begin{itemize}
+ \item {\em side intervener} because AVM tries to use legal means
+ to restrict the freedom granted by the GPL: The ability
+ to modify GPL licensed code, and to use such modified
+ versions
+ \item As cybits only modifies code that is not copyrighted by
+ AVM, AVM cannot make copyright based claims
+ \item Court lifts preliminary injunction on condition that some
+
erroneous display in the web interface are resolved by
+ Cybits
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{The Dispute (main proceedings)}
+\begin{itemize}
+ \item AVM sues Cybits in main proceedings, Harald Welte side
+ intervenes again
+ \item AVM is making claims over claims and files tons of papers,
+ up to a point where I have doubts that the court is able
+ to read all of them
+ \item Among other things, they always try to present the
+ firmware as something whole to which they own rights.
+ But if specifically asked, they do not explicitly claim
+ it's a derivative or collective work
+ \item Court accepts the fact that GPL licensed software is used
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{The Dispute (ridiculous AVM claims)}
+\begin{itemize}
+ \item AVM claims that an illegal modification under copyright
+ law is happening, as Cybits is modifying their code by
+ unloading AVM's proprietary kernel module and replacing
+ it with standard kernel modules like ip\_tables.
+ \item AVM claims that illegal copying happens as one of AVM's
+ programs is copied from flash into RAM when Cybits
+ installations scripts are executing it
+ \item AVM claims copyright is about software, not firmware (lol)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{December 2011: The verdict}
+\begin{itemize}
+ \item Court rules that AVM cannot restrict Cybits based on
+ copyright law due to the provisions of the GPL
+ \item Court rules that the firmware (including all GPL and
+ non-gpl licensed components) constitutes a collective
+ work
+ \item Court rules that thus the entire collective work becomes
+ {\em infected} by the GPL (!)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{Analysis of the verdict}
+\begin{itemize}
+ \item Court has made a very far-reaching verdict
+ \item What is the result of the {\em infection} of the
+ collective work?
+ \item Why is it not {\em mere aggregation on a storage medium}?
+ \item Was AVM insisting that the firmware is somehow one
+ item/entity all along the court case the reason for this
+ somewhat unexpected outcome?
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The AVM Case}{What do we learn from it?}
+\begin{itemize}
+ \item Some companies are behaving outrageous in terms of GPL compliance
+ \item Trying to fight very hard to restrict the freedom of the
+ GPL can come back very hard to your own disadvantage.
+ \item AVM has publicly proven that they're probably the worst
+ aggressor against the freedom of the GPL, and they have
+ failed to get away with it.
+\end{itemize}
+\end{frame}
+
+\subsection{Current focus at gpl-violations.org}
+
+\begin{frame}{Chinese Android Phones}
+\begin{itemize}
+ \item traditionally, we only see major brands/vendors like HTC,
+ Samsung, LG, Motorola in Europe
+ \item at the moment, TCT, ZTE, Huawei and others are starting to
+ become available
+ \item we're taking a {\em very} close look at all those devices
+ and have just obtained an injunction against TCT Mobile
+ (Alcatel branded)
+ \item Chinese vendors must learn that they have to respect
+ copyright and the GPL when they ship to EU or US market
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Chinese Oscilloscopes (DSO)}
+\begin{itemize}
+ \item did you know there are fairly decent Linux based DSO
+ (digital storage oscilloscopes) available?
+ \item wouldn't every system-level engineer dream of being able
+ to enhance the software on a DSO with his custom
+ analysis / trigger / protocol decoder code? Or for
+ factory testing/automation purpose?
+ \item as part of GPL enforcement, Hantek/Tekway have now
+ released the source code to bootloader/kernel, including
+ the kernel drivers for their DSO hardware!
+\end{itemize}
+\end{frame}
+
+\begin{frame}{no-name / store-branded OEM devices}
+\begin{itemize}
+ \item Actually found one German "cheap electronics vendor" who
+ sell more than 13 currently active products in a
+ completely GPL incompliant way
+ \item Pretty big surprise, given all the enforcement that has
+ been done in recent years
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Cooperation with Free Software Foundation Europe}
+\begin{itemize}
+ \item Cases that we have finished enforcement on are handed over
+ to FSFE
+ \item FSFE volunteers will continue to monitor compliance,
+ especially of firmware updates for them
+ \item If any such future incompliance is found, case gets handed
+ back to gpl-violations.org for enforcement of
+ contractual penalty and declaration of cease+desist
+ \item Contractual penalty gets donated to FSFE
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Thanks}
+\begin{itemize}
+ \item Thanks for your attention
+ \item Feel free to raise questions
+\end{itemize}
+\end{frame}
+
+\end{document}
diff --git a/2012/gpl-freedomhec2012/linux_netfilter_singapore_entertainment.jpg b/2012/gpl-freedomhec2012/linux_netfilter_singapore_entertainment.jpg
new file mode 100644
index 0000000..91b839f
Binary files /dev/null and b/2012/gpl-freedomhec2012/linux_netfilter_singapore_entertainment.jpg differ
diff --git a/2012/gpl-of2012/abstract.txt b/2012/gpl-of2012/abstract.txt
new file mode 100644
index 0000000..91f3463
--- /dev/null
+++ b/2012/gpl-of2012/abstract.txt
@@ -0,0 +1,14 @@
+GNU GPL Compliance in Embedded Devices
+
+GNU/Linux is a the most popular choice of an Operating System in many areas
+of Embedded computing. It can be found in embedded networking equipment,
+personal navigation systems, media players, mobile phones to print servers,
+NAS, in-flight entertainment systems and even bicycle ergometers.
+
+Using the Linux kernel and other GPL licensed software is a convenient and
+especially inexpensive choice. However, it is still copyrighted software
+subject to a license: The GNU General Public License.
+
+The presentation will look at typical GPL violations in the embedded market
+and how they could have easily been avoided by little extra effort in
+product development.
diff --git a/2012/gpl-of2012/handoutWithNotes.sty b/2012/gpl-of2012/handoutWithNotes.sty
new file mode 100644
index 0000000..e25e965
--- /dev/null
+++ b/2012/gpl-of2012/handoutWithNotes.sty
@@ -0,0 +1,466 @@ +% Copyright 2009 by Guido Diepen +% Parts provided by Edson Valle +% +% This file may be distributed and/or modified +% +% 1. under the LaTeX Project Public License and/or +% 2. under the GNU Public License. +% +% Changelog +% 20091108 - Added "2 on 1 with notes landscape" layout, provided by Edson Valle +% 20091104 - Added "3 on 1 with notes" layout +% 20091104 - Added "2 on 1 with notes" layout +% 20091104 - Added "1 on 1 with notes landscape" layout, provided by Edson Valle +% 20090101 - Initial Version + +\RequirePackage{pgfpages} + \pgfpagesdeclarelayout{1 on 1 with notes portrait} { + \edef\pgfpageoptionheight{\the\paperwidth} + \edef\pgfpageoptionwidth{\the\paperheight} + \edef\pgfpageoptionborder{0pt} + } + { + \setkeys{pgfpagesuselayoutoption}{portrait} + \pgfpagesphysicalpageoptions + {% + logical pages=2,% + physical height=\pgfpageoptionheight,% + physical width=\pgfpageoptionwidth,% +% last logical shipout=3% + last logical shipout=1% + } + + \pgfpageslogicalpageoptions{1} + {% + scale=1.5, + center=\pgfpoint{.5\pgfphysicalwidth}{.73\pgfphysicalheight}% + }% + + + + \pgfpageslogicalpageoptions{2} + {% + border shrink=\pgfpageoptionborder,% + resized width=\pgfphysicalwidth,% + resized height=\pgfphysicalheight,% + center=\pgfpoint{.5\pgfphysicalwidth}{.25\pgfphysicalheight},% + copy from=2 + }% + + \AtBeginDocument{ + \newbox\notesbox + \setbox\notesbox=\vbox{ + \hsize=.85\paperwidth + \vskip-1in\hskip-1in\vbox{ + \vskip1cm + Notes\vskip5mm + \hrule width\paperwidth\vskip5mm + \hrule width\paperwidth\vskip5mm + \hrule width\paperwidth\vskip5mm + \hrule width\paperwidth\vskip5mm + \hrule width\paperwidth\vskip5mm + \hrule width\paperwidth\vskip5mm + \hrule width\paperwidth\vskip5mm + \hrule width\paperwidth\vskip5mm + \hrule width\paperwidth\vskip5mm + \hrule width\paperwidth\vskip5mm + \hrule width\paperwidth\vskip5mm + \hrule width\paperwidth\vskip5mm + \hrule width\paperwidth\vskip5mm + \hrule width\paperwidth\vskip5mm + \hrule 
width\paperwidth} + } + \pgfpagesshipoutlogicalpage{2}\copy\notesbox + + + } + } + + \pgfpagesdeclarelayout{1 on 1 with notes landscape} { + \edef\pgfpageoptionheight{\the\paperwidth} + \edef\pgfpageoptionwidth{\the\paperheight} + \edef\pgfpageoptionborder{0pt} + } + { + \setkeys{pgfpagesuselayoutoption}{landscape} + \pgfpagesphysicalpageoptions + {% + logical pages=2,% + physical height=\pgfpageoptionheight,% + physical width=\pgfpageoptionwidth,% +% last logical shipout=3% + last logical shipout=1% + } + + \pgfpageslogicalpageoptions{1} + {% + scale=1.2, + center=\pgfpoint{.3\pgfphysicalwidth}{.5\pgfphysicalheight}% + }% + + + + \pgfpageslogicalpageoptions{2} + {% + border shrink=\pgfpageoptionborder,% + resized width=.45\pgfphysicalwidth,% + resized height=.45\pgfphysicalheight,% + center=\pgfpoint{.78\pgfphysicalwidth}{.6\pgfphysicalheight},% + copy from=2 + }% + + \AtBeginDocument{ + \newbox\notesbox + \setbox\notesbox=\vbox{ + \hsize=\paperwidth + \vskip-1in\hskip-1in\vbox{ + \vskip1cm + Notes\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth} + } + \pgfpagesshipoutlogicalpage{2}\copy\notesbox + + + } + } + + \pgfpagesdeclarelayout{4 on 1 with notes} { + \edef\pgfpageoptionheight{\the\paperheight} + \edef\pgfpageoptionwidth{\the\paperwidth} + \edef\pgfpageoptionborder{0pt} + } + { + \pgfpagesphysicalpageoptions + {% + logical pages=8,% + physical height=\pgfpageoptionheight,% + physical width=\pgfpageoptionwidth,% +% last logical shipout=3% + last logical shipout=4% + } + + \pgfpageslogicalpageoptions{1} + {% + scale=.70, + center=\pgfpoint{.25\pgfphysicalwidth}{.875\pgfphysicalheight}% + }% + 
\pgfpageslogicalpageoptions{2} + {% + scale=.70, + center=\pgfpoint{.25\pgfphysicalwidth}{.625\pgfphysicalheight}% + }% + + \pgfpageslogicalpageoptions{3} + {% + scale=.70, + center=\pgfpoint{.25\pgfphysicalwidth}{.375\pgfphysicalheight}% + }% + + \pgfpageslogicalpageoptions{4} + {% + scale=.70, + center=\pgfpoint{.25\pgfphysicalwidth}{.125\pgfphysicalheight}% + }% + + + + + + + + + \pgfpageslogicalpageoptions{5} + {% + border shrink=\pgfpageoptionborder,% + resized width=.5\pgfphysicalwidth,% + resized height=.3333\pgfphysicalheight,% + center=\pgfpoint{.75\pgfphysicalwidth}{.875\pgfphysicalheight},% + copy from=5 + }% + \pgfpageslogicalpageoptions{6} + {% + border shrink=\pgfpageoptionborder,% + resized width=.5\pgfphysicalwidth,% + resized height=.3333\pgfphysicalheight,% + center=\pgfpoint{.75\pgfphysicalwidth}{.625\pgfphysicalheight},% + copy from=6 + }% + \pgfpageslogicalpageoptions{7} + {% + border shrink=\pgfpageoptionborder,% + resized width=.5\pgfphysicalwidth,% + resized height=.3333\pgfphysicalheight,% + center=\pgfpoint{.75\pgfphysicalwidth}{.375\pgfphysicalheight},% + copy from=7 + }% + \pgfpageslogicalpageoptions{8} + {% + border shrink=\pgfpageoptionborder,% + resized width=.5\pgfphysicalwidth,% + resized height=.3333\pgfphysicalheight,% + center=\pgfpoint{.75\pgfphysicalwidth}{.125\pgfphysicalheight},% + copy from=8 + }% + \AtBeginDocument{ + \newbox\notesbox + \setbox\notesbox=\vbox{ + \hsize=\paperwidth + \vskip-1in\hskip-1in\vbox{ + \vskip1cm + Notes\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth} + } + \pgfpagesshipoutlogicalpage{5}\copy\notesbox + \pgfpagesshipoutlogicalpage{6}\copy\notesbox + \pgfpagesshipoutlogicalpage{7}\copy\notesbox + \pgfpagesshipoutlogicalpage{8}\copy\notesbox + } + } + + + + \pgfpagesdeclarelayout{2 on 1 with notes} { + 
\edef\pgfpageoptionheight{\the\paperheight} + \edef\pgfpageoptionwidth{\the\paperwidth} + \edef\pgfpageoptionborder{0pt} + } + { + \pgfpagesphysicalpageoptions + {% + logical pages=4,% + physical height=\pgfpageoptionheight,% + physical width=\pgfpageoptionwidth,% +% last logical shipout=3% + last logical shipout=2% + } + + \pgfpageslogicalpageoptions{1} + {% + scale=.70, + center=\pgfpoint{.25\pgfphysicalwidth}{.67\pgfphysicalheight}% + }% + \pgfpageslogicalpageoptions{2} + {% + scale=.70, + center=\pgfpoint{.25\pgfphysicalwidth}{.33\pgfphysicalheight}% + }% + + + \pgfpageslogicalpageoptions{3} + {% + border shrink=\pgfpageoptionborder,% + resized width=.5\pgfphysicalwidth,% + resized height=.5\pgfphysicalheight,% + center=\pgfpoint{.75\pgfphysicalwidth}{.67\pgfphysicalheight},% + copy from=3 + }% + \pgfpageslogicalpageoptions{4} + {% + border shrink=\pgfpageoptionborder,% + resized width=.5\pgfphysicalwidth,% + resized height=.5\pgfphysicalheight,% + center=\pgfpoint{.75\pgfphysicalwidth}{.33\pgfphysicalheight},% + copy from=4 + }% + + \AtBeginDocument{ + \newbox\notesbox + \setbox\notesbox=\vbox{ + \hsize=\paperwidth + \vskip-1in\hskip-1in\vbox{ + \vskip1cm + Notes\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth} + } + \pgfpagesshipoutlogicalpage{3}\copy\notesbox + \pgfpagesshipoutlogicalpage{4}\copy\notesbox + } + } + + + \pgfpagesdeclarelayout{3 on 1 with notes} { + \edef\pgfpageoptionheight{\the\paperheight} + \edef\pgfpageoptionwidth{\the\paperwidth} + \edef\pgfpageoptionborder{0pt} + } + { + \pgfpagesphysicalpageoptions + {% + logical pages=6,% + physical height=\pgfpageoptionheight,% + physical width=\pgfpageoptionwidth,% +% last logical shipout=3% + last logical shipout=3% + } + + \pgfpageslogicalpageoptions{1} + {% + scale=.70, + 
center=\pgfpoint{.25\pgfphysicalwidth}{.82\pgfphysicalheight}% + }% + \pgfpageslogicalpageoptions{2} + {% + scale=.70, + center=\pgfpoint{.25\pgfphysicalwidth}{.50\pgfphysicalheight}% + }% + \pgfpageslogicalpageoptions{3} + {% + scale=.70, + center=\pgfpoint{.25\pgfphysicalwidth}{.18\pgfphysicalheight}% + }% + + + \pgfpageslogicalpageoptions{4} + {% + border shrink=\pgfpageoptionborder,% + resized width=.5\pgfphysicalwidth,% + resized height=.5\pgfphysicalheight,% + center=\pgfpoint{.75\pgfphysicalwidth}{.82\pgfphysicalheight},% + copy from=4 + }% + \pgfpageslogicalpageoptions{5} + {% + border shrink=\pgfpageoptionborder,% + resized width=.5\pgfphysicalwidth,% + resized height=.5\pgfphysicalheight,% + center=\pgfpoint{.75\pgfphysicalwidth}{.50\pgfphysicalheight},% + copy from=5 + }% + \pgfpageslogicalpageoptions{6} + {% + border shrink=\pgfpageoptionborder,% + resized width=.5\pgfphysicalwidth,% + resized height=.5\pgfphysicalheight,% + center=\pgfpoint{.75\pgfphysicalwidth}{.18\pgfphysicalheight},% + copy from=6 + }% + + \AtBeginDocument{ + \newbox\notesbox + \setbox\notesbox=\vbox{ + \hsize=\paperwidth + \vskip-1in\hskip-1in\vbox{ + \vskip1cm + Notes\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth} + } + \pgfpagesshipoutlogicalpage{4}\copy\notesbox + \pgfpagesshipoutlogicalpage{5}\copy\notesbox + \pgfpagesshipoutlogicalpage{6}\copy\notesbox + } + } + + + + + + \pgfpagesdeclarelayout{2 on 1 with notes landscape} { + \edef\pgfpageoptionheight{\the\paperheight} + \edef\pgfpageoptionwidth{\the\paperwidth} + \edef\pgfpageoptionborder{0pt} + } + { + \setkeys{pgfpagesuselayoutoption}{landscape} + \pgfpagesphysicalpageoptions + {% + logical pages=4,% + physical height=\pgfpageoptionheight,% + physical width=\pgfpageoptionwidth,% +% last logical shipout=3% + last logical 
shipout=2% + } + + \pgfpageslogicalpageoptions{1} + {% + scale=1, + center=\pgfpoint{.3\pgfphysicalwidth}{.75\pgfphysicalheight}% + }% + \pgfpageslogicalpageoptions{2} + {% + scale=1, + center=\pgfpoint{.3\pgfphysicalwidth}{.25\pgfphysicalheight}% + }% + + + + \pgfpageslogicalpageoptions{3} + {% + border shrink=\pgfpageoptionborder,% + resized width=.7\pgfphysicalwidth,% + resized height=.4\pgfphysicalheight,% + center=\pgfpoint{.75\pgfphysicalwidth}{.3\pgfphysicalheight},% + copy from=3 + }% + + \pgfpageslogicalpageoptions{4} + {% + border shrink=\pgfpageoptionborder,% + resized width=.7\pgfphysicalwidth,% + resized height=.4\pgfphysicalheight,% + center=\pgfpoint{.75\pgfphysicalwidth}{.8\pgfphysicalheight},% + copy from=4 + }% + + \AtBeginDocument{ + \newbox\notesbox + \setbox\notesbox=\vbox{ + \hsize=\paperwidth + \vskip-1in\hskip-1in\vbox{ + \vskip1cm + Notes\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + %\hrule width\paperwidth\vskip1cm + %\hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth\vskip1cm + \hrule width\paperwidth} + } + \pgfpagesshipoutlogicalpage{3}\copy\notesbox + \pgfpagesshipoutlogicalpage{4}\copy\notesbox + + + } + } + + + + + + + + diff --git a/2012/gpl-of2012/license_compliance.pdf b/2012/gpl-of2012/license_compliance.pdf new file mode 100644 index 0000000..20c063a Binary files /dev/null and b/2012/gpl-of2012/license_compliance.pdf differ diff --git a/2012/gpl-of2012/license_compliance.snm b/2012/gpl-of2012/license_compliance.snm new file mode 100644 index 0000000..e69de29 diff --git a/2012/gpl-of2012/license_compliance.tex b/2012/gpl-of2012/license_compliance.tex new file mode 100644 index 0000000..68c320f --- /dev/null +++ b/2012/gpl-of2012/license_compliance.tex 
@@ -0,0 +1,571 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+%\documentclass[handout]{beamer}
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau .
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode
+{
+ \usetheme{Warsaw}
+ \setbeamercovered{transparent} % or whatever (possibly just delete it)
+}
+
+\mode{
+ \usepackage{handoutWithNotes}
+ \pgfpagesuselayout{4 on 1 with notes}[a4paper,border shrink=5mm]
+ \usecolortheme{seahorse}
+}
+
+% ensure the page number is printed in front of the author name in the footer
+\newcommand*\oldmacro{}
+\let\oldmacro\insertshortauthor% save previous definition
+\renewcommand*\insertshortauthor{%
+ \leftskip=.3cm% before the author could be a plus1fill ...
+ \insertframenumber\,/\,\inserttotalframenumber\hfill\oldmacro}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{GPL License Compliance}
+
+\subtitle{in the embedded devices market}
+
+\author{Harald Welte}
+
+\institute
+{gpl-violations.org\\gnumonks.org\\hmw-consulting.de}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[OF 2012] % (optional, should be abbreviation of conference name)
+{November 4, 2012 / Sofia / Bulgaria}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Embedded Linux}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. + +\begin{frame}{About the speaker} +\begin{itemize} +\item Using + playing with Linux since 1994 +\item Kernel development since 1999 +\item IT security expert, focus on network protocol security +\item Board-level Electrical Engineering +\item System-level Software for PPC, ARM, x86 +\item IANAL, but companies not complying with the license forced me to spend lots of time with legal issues +\end{itemize} +\end{frame} + + +\section{FOSS Licenses} + +\subsection{Free Software and Copyleft} + +\begin{frame}{Free Software}{Definition by the FSF} + % - A title should summarize the slide in an understandable fashion + % for anyone how does not follow everything on the slide itself. + Free Software has to ensure the following key freedoms: + \begin{itemize} + \item + Freedom to use the software for any purpose + \item + Freedom to make copies "to help your neighbor" + \item + Freedom to study its functionality (source code) + \item + Freedom to fix it yourself (make modifications) + \end{itemize} +\end{frame} + +\begin{frame}{Copyleft}{A concept to ensure Freedom} + Copyleft is an idea to use copyright to ensure Software Freedoms + \begin{itemize} + \item Use/claim copyright on the software + \item Create a license that is permissive enough for the 4 Freedoms + \item However, put some conditions/obligations in the license + \begin{itemize} + \item ensure the source code will always be available + \item ensure nobody is able to remove the 4 Freedoms from the software + \end{itemize} + \item Use that license for the software. 
+ \end{itemize}
+\end{frame}
+
+\subsection{The GNU GPL}
+
+\begin{frame}{The GNU GPL}{An implementation of Copyleft}
+The GNU General Public License (GPL)
+\begin{itemize}
+ \item is a Copyleft Free Software License
+ \item assures the original author that his work will always have the freedoms
+ \item establishes a level of fairness: You can use my code, if you share your additions back with us.
+ \item is a big motivation factor for many community members
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Revisiting the GPLv2 License Terms}
+The GNU GPLv2
+\begin{itemize}
+ \item Regulates distribution, not use (running the program)
+ \item Allows distribution of source code and modified source code, if
+ \begin{itemize}
+ \item The license is mentioned
+ \item A copy of the license text accompanies each copy
+ \end{itemize}
+ \item Allows distribution of or modified binaries, if
+ \begin{itemize}
+ \item The license is mentioned
+ \item A copy of the license text accompanies each copy
+ \item The source code is either included with the copy, or a written offer is made on how the source can be obtained.
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Complete Corresponding Source Code}{As required by GPLv2}
+\dots complete source code means all the source code for all modules it (the software) contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
+\begin{itemize}
+ \item For a C language program, this means
+ \begin{itemize}
+ \item Source Code
+ \item Makefiles
+ \item compile-time configuration (e.g.
kernel .config) + \end{itemize} + \item General rule + \begin{itemize} + \item Intent of the license is to enable the user to run modified versions of the program + \item If you provide everything needed for that, there will be no discussion + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Modifications of GPL'd source code}{The details that matter} +\begin{itemize} + \item In the GPL, it does not matter if you have modified the GPL'd program or if you ship it unmodified. + \item You always have to provide the source code! + \item If you modify the source code, your changes have to be visible/identifiable + \item For practical reasons, I suggest shipping original upstream tarball + a diff/patch with your changes +\end{itemize} +\end{frame} + +\subsection{GPL - Compatible source code offer} + +\begin{frame}{Complete + Corresponding Source}{For every Release you make} +\begin{itemize} +\item Whenever you {\em distribute} GPL licensed software, the license applies. This includes + \begin{itemize} + \item Actual sale of a physical embedded device with the software in flash + \item Download of a firmware update as a file from a website + \item Shipping of firmware updates on physical storage + \item Distribution of firmware updates e.g. by over-the-air mechanisms in DVB-S or other networks + \end{itemize} +\item Every time, the conditions of the license have to be fulfilled (mention there's software under GPL, include full license text, include or offer complete corresponding source code +\item For every release you ever ship (even beta release if it ever is shipped only to one customer), you need the {\em complete corresponding} source code. +\end{itemize} +\end{frame} + +\subsection{GPL - Derivative Works} + +\begin{frame}{Derivative Works}{Keeping it clean} +Derivative works are a question of copyright law, not the GPL +\begin{itemize} +\item whenever you couple a GPL and a non-GPL program tightly (e.g. 
static/dynamic linking), you're entering a legal grey area +\item there is little or no precedent on derivative works of software +\item you're violating the intention of the author. If he wanted you to link from proprietary programs, he would have used LGPL +\item try to work {\em with} the community, rather than against it +\end{itemize} +\end{frame} + +\begin{frame}{Intermission} +Take a break, go one step back +\begin{itemize} +\item The License is not a means to itself +\item Intent of the license is to make sure people can modify + enhance the product +\item The more open your product is, the less you have to worry +\item Using Linux + FOSS without enabling community to modify+enhance is cheating! +\item Try to make friends of the developer community, not enemies! +\end{itemize} +\end{frame} + +\begin{frame}{License compliance is not an afterthought} +Complying with the license terms is relatively easy {\em if} you consider the license terms {\em before} starting R\&D +\begin{itemize} +\item you can integrate building source releases in your build process +\item you can decide which software can be combined given the license terms +\end{itemize} +\end{frame} + +\begin{frame}{License compliance is not an afterthought} +Achieving license compliance after shipping the product is very hard +\begin{itemize} +\item lack of good engineering practise could mean old source code is gone +\item engineers working on the product might have left the company +\item you and your customers are under a lot of time pressure (legal threat) +\item you might have already shipped a derivative work to GPLd software and now have to release parts that you originally wanted to keep proprietary +\end{itemize} +\end{frame} + +\section{Linux and the Embedded Market} + +\subsection{Linux-based systems everywhere} + +\begin{frame}{Linux and Free Software (FOSS) everywhere} +\begin{figure}[h] +\centering +\includegraphics[width=100mm]{linux_netfilter_singapore_entertainment.jpg} 
+\end{figure} +\end{frame} + +\begin{frame}{Areas of Embedded Linux} +\begin{itemize} +\item Embedded Network Devices (DSL-Modem, Router, WiFi-AP, NAS) +\item Telecommunications equipment (Switch, DSLAM, ...) +\item In-flight / In-vehicle entertainment +\item Personal Navigation Devices (Tomtom GO) +\item Mobile Phones (EZX, MAGX, Android, LiMo, WebOS) +\item PoS terminals, ATMs, Payphones +\item Digital Media Players, Set-Top-Boxes, Video Recorder +\item Exercycles + Fitness Gear +\item Building automation + control +\item VoIP telephones, VoIP switches, PBX +\item e-Ink readers, Tablet computers, MIDs +\end{itemize} +\end{frame} + +\subsection{Embedded Linux supply chain} + +\begin{frame}{Embedded Linux Supply Chain} +In a typical case, the supply chain consists minimal of +\begin{itemize} +\item The silicon maker of the SoC containing the core that runs Linux +\item The supplier of the reference design / board for that SoC +\item The ODM building an actual circuit board using that SoC +\item The OEM selling the product under his brand in the target market +\end{itemize} +\end{frame} + +\begin{frame}{Embedded Linux Supply Chain} +Situation can be further complicated by +\begin{itemize} +\item A 3rd party supplier of the BSP / SDK for the SoC or reference board +\item Multiple companies involved on the ODM or OEM side (building parts of a product, later integration into the real product e.g. 
IVE for a car) +\item 3rd party suppliers of application programs (which might use FOSS) +\end{itemize} +\end{frame} + +\begin{frame}{Embedded Linux Supply Chain} +Problems in the supply chain: +\begin{itemize} +\item OEM has no clue what kind of software ODM put into the product +\item ODM has limited technical skill and has no clue what BSP provider did +\item End user buys a product with license/copyright violations and has no clue + \begin{itemize} + \item who the entities in the supply chain are + \item who actually caused the license/copyright violation + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{GPL - Embedded Systems} + +\begin{frame}{GPL and Embedded Systems}{Interpreting the meaning} +\begin{itemize} +\item The GNU GPLv2 was written for the GNU project, at the time this project was +working on replacing individual application programs on top of a proprietary +UNIX operating system kernel. +\item scripts used to control compilation and installation + \begin{itemize} + \item Intent: To enable the user to modify + run modified versions + \item In case of embedded systems, the "scripts used to control installation" include the software required for installing the program onto the target device + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{GPL and Embedded DRM}{Sometimes called Tivo-ization} +\begin{itemize} +\item Some companies want to lock down their Linux-based system, by + \begin{itemize} + \item Cryptographic verification of bootloader by ROM loader + \item Cryptographic verification of kernel image by bootloader\dots + \end{itemize} +\item This is problematic from a GPL point of view, since + \begin{itemize} + \item You are depriving the user from practically exercising his right to run modified versions of the program + \item Thus, violation not of the GPLv2 wording, but likely of the GPL's intention + \item Legal outcome unclear, different scholars have different opinions, also depends on jurisdiction + \end{itemize} 
+\item GPLv3 makes this intent explicit in the license text +\end{itemize} +\end{frame} + +\section{GPL Violations and License Enforcement} + +\subsection{GPL Violations and Business Risks} + +\begin{frame}{GPL Violations} +\begin{itemize} +\item GPL violations are not new, just like GPL licensed software is not new +\item However, increased popularity of GNU/Linux based systems increase GPL violations +\item Today, many more people and companies unfamiliar with the history and values of Free Software start using and (re)distributing FOSS +\end{itemize} +\end{frame} + +\begin{frame}{Business Risk of GPL Violations}{Or: How to convince your managers} +If you ship a product that is incompliant to the GNU GPL, +\begin{itemize} +\item you are committing a copyright infringement not different from shipping a product with unlicensed copies of MS Windows +\item you can face civil and criminal charges in court +\item civil charges include (German jurisdiction) + \begin{itemize} + \item immediate cease + desist (halt of product sales) + \item information of which quantity of the product has been sold to whom + \item damages for lost revenue (see dual licensing) + \end{itemize} +\item civil charges can also be filed against every distributor/store/importer +\end{itemize} +\end{frame} + +\subsection{GPL Enforcement} + +\begin{frame}{Early GPL Enforcement} +\begin{itemize} +\item The Free Software Foundation (FSF) has alway been doing GPL enforcement on software {\em of which they are the copyright holder} + \begin{itemize} + \item They do so quietly, without much public notice + \item The quiet route sometimes leads to lengthy negotiations + \item The FSF only holds copyright on some Free Software programs + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The Linksys WRT54G case} +During 2003, the Linksys WRT54G case drew a lot of attention +\begin{itemize} + \item Linksys was selling 802.11 WLAN Access Points and Routers + \item Lots of GPL licensed software 
embedded into the device, including Linux, uClibc, busybox, iptables + \item FSF-led alliance took their usual {\em quiet} approach + \item Linksys bought itself a lot of time + \begin{itemize} + \item Some sources were released two months later + \item Full GPL compliance only achieved four months later + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Aftermath of the Linksys case} +\begin{itemize} + \item Some developers were not happy with the Linksys case + \begin{itemize} + \item Linksys didn't loose anything by not complying from the beginning + \item Four months delay is a long time given short product lifetimes + \end{itemize} + \item More embedded devices started to use Linux and other FOSS + \item The netfilter/iptables project started to do their own enforcement + \begin{itemize} + \item Using German copyright law against German subsidiary of vendor + \item Using direct legal / copyright based approach + \end{itemize} + \item The gpl-violations.org was later established +\end{itemize} +\end{frame} + +\begin{frame}{GPL Enforcement by the Community} +\begin{itemize} + \item The GPL is a Copyright License + \item GPL enforcement is thus Copyright enforcement + \item Copyright enforcement can normally only be done by copyright holders! + \item Alternative (less tested) legal approaches + \begin{itemize} + \item Competition / Anti-Trust law (by a GPL-abiding competitor) + \item Consumer protection (The product without source code is incomplete) + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{GPL Enforcement Requirements} +\begin{itemize} + \item Clean copyright situation + \begin{itemize} + \item Who wrote which (part of a) software + \item Was the copyright transferred to an employer? 
+ \end{itemize} + \item Evidence for the violation + \begin{itemize} + \item Test purchase of the software on storage medium + \item Detailed screenshots of download side, downloaded software images + \item Evidence shows no notice of GPL or source code availability/offer + \end{itemize} + \item Copyright holders who want to do enforcement +\end{itemize} +\end{frame} + +\begin{frame}{GPL Enforcement by the Community} +\begin{itemize} + \item Authors/Developers of a project need to care about entities that violate their license + \item Legal options in case of a violation + \begin{itemize} + \item One or multiple copyright holders do their own enforcement + \item Copyright transfer to an entity that does enforcement + \begin{itemize} + \item Free Software Foundation + \item http://conservancy.softwarefreedom.org/ + \item Fiduciary License Agreement with the FSF Europe + \end{itemize} + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{gpl-violations.org} + +\begin{frame}{The gpl-violations.org work} +\begin{itemize} + \item Use all legal means necessary to bring infringing product in compliance + \item We only act where we hold copyright (Linux kernel) + \item We typically only act within Europe, mostly in Germany + \item Success so far + \begin{itemize} + \item More than 100 amicable agreements as results of settlements + \item More than 5 preliminary injunctions halting sales of products until compliance + \item Multiple actual court cases with court verdict + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The gpl-violations.org work}{Typical enforcement timeline} +\begin{itemize} + \item Customer of product sends a report about GPL violation + \begin{itemize} + \item There is no GPL license text and/or no source code or written offer + \end{itemize} + \item We do reverse engineering and make test purchase + \item After confirming the violation, send legal warning notice to vendor + \begin{itemize} + \item Tight deadline for complying with the 
GPL and signing a declaration to cease and desist + \end{itemize} + \item If no declaration is signed, we + \begin{itemize} + \item contract technical expert to do a study + \item apply for a preliminary injunction + \end{itemize} + \item If cease-desist is signed and license compliance reached: + \begin{itemize} + \item Resolve how the vendor can ensure already manufactured products are compliant + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The gpl-violations.org legal cases} +Commonly-known cases that actually went to court +\begin{itemize} + \item April 2004: Preliminary injunction against Sitecom + \item May 2004: Sitecom appeal case turned down by court + \item April 2005: Preliminary injunction against Fortinet + \item September 2006: Court case against D-Link +\end{itemize} +... all of those cases have been won +\end{frame} + + + +%\subsection*{Outlook} + +\begin{frame}{Outlook} + Outlook + \begin{itemize} + \item + Blatant GPL violations in embedded devices are declining, but are likely to continue due to lack of skill or negligence. + \item + We'll see more {\em derivative works} types of GPL violations, and we'll see actual legal enforcement and precedent in this area over the next years. + \item + Stronger copyright protection demanded by content industry will also mean stronger protection for FOSS licenses. Imagine GPL enforcement with {\em three strikes} law in France ?!? + \end{itemize} +\end{frame} + +\end{document} diff --git a/2012/gpl-of2012/license_compliance2.pdf b/2012/gpl-of2012/license_compliance2.pdf new file mode 100644 index 0000000..88d5039 Binary files /dev/null and b/2012/gpl-of2012/license_compliance2.pdf differ diff --git a/2012/gpl-of2012/license_compliance4.pdf b/2012/gpl-of2012/license_compliance4.pdf new file mode 100644 index 0000000..4eddda1 Binary files /dev/null and b/2012/gpl-of2012/license_compliance4.pdf differ 
diff --git a/2012/gpl-of2012/linux_netfilter_singapore_entertainment.jpg b/2012/gpl-of2012/linux_netfilter_singapore_entertainment.jpg
new file mode 100644
index 0000000..91b839f
Binary files /dev/null and b/2012/gpl-of2012/linux_netfilter_singapore_entertainment.jpg differ
diff --git a/2012/internet-lc2012/IS-advanced-layer-3-service.pdf b/2012/internet-lc2012/IS-advanced-layer-3-service.pdf
new file mode 100644
index 0000000..fad1bd8
Binary files /dev/null and b/2012/internet-lc2012/IS-advanced-layer-3-service.pdf differ
diff --git a/2012/internet-lc2012/Netzentwurf_X-WiN.pdf b/2012/internet-lc2012/Netzentwurf_X-WiN.pdf
new file mode 100644
index 0000000..83b317f
Binary files /dev/null and b/2012/internet-lc2012/Netzentwurf_X-WiN.pdf differ
diff --git a/2012/internet-lc2012/breakdown-2007.jpg b/2012/internet-lc2012/breakdown-2007.jpg
new file mode 100644
index 0000000..7bc3fb2
Binary files /dev/null and b/2012/internet-lc2012/breakdown-2007.jpg differ
diff --git a/2012/internet-lc2012/lawclinic-internet.pdf b/2012/internet-lc2012/lawclinic-internet.pdf
new file mode 100644
index 0000000..2e4e9da
Binary files /dev/null and b/2012/internet-lc2012/lawclinic-internet.pdf differ
diff --git a/2012/internet-lc2012/lawclinic-internet.vym b/2012/internet-lc2012/lawclinic-internet.vym
new file mode 100644
index 0000000..4a3fedc
Binary files /dev/null and b/2012/internet-lc2012/lawclinic-internet.vym differ
diff --git a/2012/mobsec-telcosecday2012/mobsec.pdf b/2012/mobsec-telcosecday2012/mobsec.pdf
new file mode 100644
index 0000000..91eeaae
Binary files /dev/null and b/2012/mobsec-telcosecday2012/mobsec.pdf differ
diff --git a/2012/mobsec-telcosecday2012/mobsec.snm b/2012/mobsec-telcosecday2012/mobsec.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2012/mobsec-telcosecday2012/mobsec.tex b/2012/mobsec-telcosecday2012/mobsec.tex
new file mode 100644
index 0000000..7b5647c
--- /dev/null
+++ b/2012/mobsec-telcosecday2012/mobsec.tex
@@ -0,0 +1,488 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +\usepackage{url} +\makeatletter +\def\url@leostyle{% + \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}} +\makeatother +%% Now actually use the newly defined style. +\urlstyle{leo} + + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau . +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. + + +\title{Structural deficits in Telco security} + +%\subtitle {community based Free / Open Source Software for communications} + +\author{Harald Welte } + +\institute +{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[] % (optional, should be abbreviation of conference name) +{March 20, 2012 / TelcoSecDay / Heidelberg} +% - Either use conference name or its abbreviation. 
+% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{Communications} +% This is only inserted into the PDF information catalog. Can be left +% out. + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + +\begin{frame}{Outline} + \tableofcontents[hideallsubsections] + % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. 
+ +\begin{frame}{About the speaker} +\begin{itemize} + \item Using + toying with Linux since 1994 + \item Kernel / bootloader / driver / firmware development since 1999 + \item IT security expert, focus on network protocol security + \item Former core developer of Linux packet filter netfilter/iptables + \item Board-level Electrical Engineering + \item Always looking for interesting protocols (RFID, DECT, GSM) + \item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN + \item consulting/freelancing + sysmocom GmbH for custom-tailored GSM solutoins +\end{itemize} +\end{frame} + +\begin{frame}{Disclaimer} +\begin{itemize} + \item This presentation is not intended to insult any participant + \item No companies or individuals will be named + \item However, the collective failure of the mobile industry + cannot be ignored, sorry. + \item Many of the issues we have today could have been avoided + extremely easily, there really is no excuse... +\end{itemize} +\end{frame} + +\section{Symptoms} + +\begin{frame}{Telco vs. Internet-driven IT security} +mobile industry today has security practieses and procedures of the 20th century +\begin{itemize} + \item no proper incident response on RAN/CN + \item no procedures for quick roll-out of new sw releases + \item no requirements for software-upgradeability + \item no interaction with hacker community + \item no packet filtering / DPI / IDS on signalling traffic + \item active hostility towards operators who want to do pentesting + \item attempts to use legal means to stop researchers from publishing their findings +\end{itemize} +this sounds like medieval times. We are in 2012 ?!? +\end{frame} + +\subsection{Real-world quotes} + +\begin{frame}{Real-world quotes} +The following slides indicate some quotes that I have heard over the +last couple of years from my contacts inside the mobile industry. They +are not made up! 
+\end{frame} + + +\begin{frame}{Quote: Disclosure of Ki/K/OPC} +"we are sending our IMSI+Key lists as CSV files to the SIM card supplier in China" +\end{frame} + +\begin{frame}{Quote: RRLP} +"RRLP? What is that? We never heard about it!" +\end{frame} + +\begin{frame}{Quote: SIM OTA keys} +"we have no clue what remote accessible (OTA) features our sim cards have or what kind of keys were used during provisioning" +\end{frame} + +\begin{frame}{Quote: Malformed} +"we have never tried to intentionally send any malformed message to any of our equipment" +\end{frame} + +\begin{frame}{Quote: Roaming} +"We are seeing TCAP/MAP related attacks/fraud from Operator XYZ in Pakistan. However, it is more important that European travellers can roam into their network than it is for Pakistanis to roam into our network. Can you see while the roaming agreement was only suspended for two days?" +\end{frame} + +\begin{frame}{Quote: SIGTRAN IPsec} +"we are unable to mandate from our roaming partners that SIGTRAN links shall always go through IPsec - we don't even know how to facilitate safe distribution of certificates between operators" +\end{frame} + +\begin{frame}{Quote: NodeB / IPsec} +"We mandated IPsec to be used for all of the (e)NodeB back-haul in our tender, the supplier still shipped equipment that didn't comply to it. Do you think the CEO is going to cancel the contract with them for that?" +\end{frame} + +\begin{frame}{Quote: Government / independent study} +"Govt: We put out a tender for a study on overal operator network security in our country. Everyone who put in a bid is economically affiliated or dependent on one of the operators or equipment suppliers, so we knew the results were not worth much." +\end{frame} + +\begin{frame}{Quote: Technical Staff} +"15 years ago we still had staff that understood all those details. But today, you know, those experts are expensive - we laid them off." 
+\end{frame} + +\begin{frame}{Quote: Baseband chip vendor} +"We have no clue what version of our protocol stack with what modifications are shipped in which particular phones, or if/when the phone makers distribute updates to the actual phone population" +\end{frame} + +%we live in a world where +% operators regularly don't fully understand the equipment they use +% "The frequencies of the mircrowave back-haul links are a trade secret of the operator +% operators are compltely dependent and live at the merit of few equipment suppliers +% suppliers have spent decades of achieving as little mix+match compatibility as possible +% huge conflict of interest between operators and suppliers +% selling new hardware vs. updating software of old units +% extreme disconnect between technical merits of certain changes/features and prices / licensing +% charge a six-digit EUR amount for the A5/3 upgrade for each BSC, despite the fact that it is the BTS that changes, not the BSC! + +\subsection{Algorithm nightmares} + +\begin{frame}{The A5/2 desaster}{Brief history} +\begin{itemize} + \item August 2003: Barkan/Biham/Keller paper on instant ciphertext-only cryptanalysis of A5/2 + \item April 2006: GSMA initiative to withdraw A5/2. Resistance {\em mainly from north america}. + \item October 2006: SA WG3 formally requests removal of A5/2 from spec + \item July 2007: Almost all operators have moved to A5/1 + \item As long as phones support A5/2, semi-active down-grade attacks against A5/1 can be implemented! +\end{itemize} +Three years incident response to update the spec! I'm not even talking +about the time to update all equipment or until old equipment will be +fully phased out. +\end{frame} + +\begin{frame}{The A5/1 desaster}{history repeats itself} +The industry did not learn from the A5/2 incident. 
History repeated +itself: +\begin{itemize} + \item Kc generation was not changed between A5/1,2,3 + \item as long as phones support A5/1, A5/3 can be broken with + semi-active down-grade attacks just like A5/2 -> A5/1 + before + \item There is still no way to disable algorithms of devices in + the field, not even by flags on the SIM card +\end{itemize} +How can an entire industy be so resilient against learning? +\end{frame} + +\begin{frame}{The A5/3 desaster}{Nobody cares to implement it} +\begin{itemize} + \item May 2002: A5/3 spec first released. Target: supported in handsets and networks in 2004. + \item May 2007: SA WG3: lack of BSS vendors supporting A5/3 (5 years later!!!) + \item January 2009: First discussions with phone makers on A5/3 interop tests + \item November 2009: 10 handsets from 7 manufacturers being tested on a live A5/3 network +\end{itemize} +After the track record of A5/2 and A5/3, they seem to be on a {\em fast track} to improve. +\end{frame} + +\begin{frame}{The overall algorithm desaster} +\begin{itemize} + \item Advances in security require algorithms to be replaced and key lengths to grow + \item Nobody in the GSM world seems to have realized such a basic cryptographic truth + \item Infrastruture vendors reluctant to make algorithms software-upgradeable. They'd rather sell ten-thousands of new BTSs + \item Operators never made it a requirement to do in-field algorithm upgrades. Why would they? + \item Internet analogy: Who would ever want to use more than 40-bit RC4 encryption in his SSL implementation and upgrade that? 
+\end{itemize} +\end{frame} + +\begin{frame}{2009: GSMA starts to think} +\begin{itemize} + \item November 2009, 3GPP TSG SA3 WG, GSMA Liaison Report: {\em + The meeting considered the need to ensure that + future infrastructure algorithm updates will be + exclusively software based} + \item About one decade too late for anyone with even remote + knowledge of real-world cryptographic deployment + \item Six years after the A5/2 cryptanalysis paper + \item Seven years after A5/3 has been specified +\end{itemize} +\end{frame} + + +\begin{frame}{ETSI/3GPP security working group(s)} +\begin{itemize} + \item seem to have done excellent work + \item nobody seemed to care about what they say + \item A5/4 (128bit) was originally supposed to come together with A5/3 in 2004 + \begin{itemize} + \item has been put back as it would affect handset software (so what? there are only about 6 implementations out there. How hard is it to update all 6?) + is the only solution of fixing semi-active downgrade attacks + \end{itemize} + \item UMTS AKA over GERAN + \begin{itemize} + \item good idea, but where is the SIM card flag that tells the phone about mutual auth being mandatory? + \end{itemize} + \item Great ideas seem to fall short of being thought-through to + the end, and nobody implements them in a timely manner + anyway +\end{itemize} +\end{frame} + +\section{Causes / Reasons} + +\begin{frame}{Telco vs. Internet} +still remember the days of analog modems, UUCP, BBSs, Usenet? +\begin{itemize} + \item the culture gap between Internet vs. Telco has always existed + \item it didn't change much during the last decades + \item analogy: The "IBM priests" mainframes vs. personal computing in 1970ies/1980ies + \item IETF vs. ITU + \item open participation vs. 
closed club +\end{itemize} +\end{frame} + +\subsection{Change of power divide between Operators and Vendors} + +\begin{frame}{Evolving GSM specification process} +\begin{itemize} + \item At CEPT, it was government officials of postal/comms ministry equipment vendors didn't even have the right to propose something + \item At ETSI, equipment vendors got onto the table Over time, shift of power from operators to equipment manufacturers + \item At 3GPP, today we see way too little operator input in standardization + \item Interest of users seems completely absent + \begin{itemize} + \item neither professional users (companies worried about industrial espionage, government users, ...) + \item nor consumers in form of consumer protection, privacy, data protection or other organizations seems to be missing completely + \end{itemize} + \item standardization process primarily serves the interest of equipment vendors to get their patented technology into widespread adoption to drive IP licensing revenue +\end{itemize} +\end{frame} + +\begin{frame}{Evolution of operators} +\begin{itemize} + \item classic operator: Does everything in-house + \item common today: Outsource everything + \begin{itemize} + \item billing + \item network administration / operation / servicing + \item network planning + \end{itemize} + \item outsourcing to whom? + \begin{itemize} + \item to the equipment suppliers + \item am I the only one seing a conflict of interests here? 
+ \end{itemize} +\end{itemize} +\end{frame} + +\subsection{Lack of Open Source Implementations} + +\begin{frame}{Research in TCP/IP/Ethernet} +Assume you want to do some research in the TCP/IP/Ethernet +communications area, +\begin{itemize} + \item you use off-the-shelf hardware (x86, Ethernet card) + \item you start with the Linux / *BSD stack + \item you add the instrumentation you need + \item you make your proposed modifications + \item you do some testing + \item you write your paper / proof-of-concept and publish the results +\end{itemize} +\end{frame} + +\begin{frame}{Research in (mobile) communications} +Assume it is before 2009 (before OpenBSC/OsmocomBB) and you want to do some research in mobile comms +\begin{itemize} + \item there is no FOSS implementation of any of the protocols or + functional entities + \item almost no university has a test lab with the required + equipment. And if they do, it is black boxes that you + cannot modify according to your research requirements + \item you turn away at that point, or you cannot work on really + exciting stuff + \item only chance is to partner with commercial company, who + puts you under NDAs and who wants to profit from your + research +\end{itemize} +\end{frame} + +\begin{frame}{GSM/3G vs. Internet} +\begin{itemize} + \item Observation + \begin{itemize} + \item Both GSM/3G and TCP/IP protocol specs are publicly available + \item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny + \item GSM networks are as widely deployed as the Internet + \item Yet, GSM/3G protocols receive no such scrutiny! 
+ \end{itemize} + \item There are reasons for that: + \begin{itemize} + \item GSM industry is extremely closed (and closed-minded) + \item Only very few closed-source protocol stack implementations + \item GSM chipset makers never release any hardware documentation + \end{itemize} +\end{itemize} +\end{frame} + +\section{Proposed Solution} + +\begin{frame}{Testing/Auditing just like in the IP world} +\begin{itemize} + \item Learn and adapt from the Internet security world + \item Encourage all kinds of testing and audits rather than prevent them + \item Fuzzing+Pentesting all protocols on all levels +\end{itemize} +\begin{itemize} + \item I'm not aware of any of the well-known GSM/GPRS security researchers having been invited to equipment vendors to do sophisticated testing/attacks/audit + \item That's inefficient use of existing skills! +\end{itemize} +\end{frame} + +\begin{frame}{Change the way of thinking} +\begin{itemize} + \item Give up the idea that certain interfaces are not exposed + \item TCAP/MAP/CAP are exposed to anyone with SCCP (SS7) access + \item This includes all government agencies world-wide, as they can easily force domestic operators to give them access! 
+ \item Governments / regulators should put strong security requirements on domestic operators to secure those interfaces against attacks + \item This is critical infrastructure that the general public, industry and even government/administration increasingly relies on + \item Multiple lines of defences, not one or zero +\end{itemize} +\end{frame} + +\begin{frame}{Specifications / Testing} +\begin{itemize} + \item If specs require any tests, they are {\em functional} specs + \item I've never seen requirements to test for invalid / intentionally malformed messages + \item Actively provide equipment (access) to academia and research, invite researchers to test/break things +\end{itemize} +\end{frame} + +\begin{frame}{Skill building} +\begin{itemize} + \item We need more teaching/training in academia to generate independent experts, without vendor affiliation + \item Theoretic lectures are boring. Practical experiments / lab exercises required to get students excited / interested + \item Very few universities have been provided with sufficient equipment to run / experiment / play with their own GSM/3G networks + \item As long as it is much easier to research TCP/IP than mobile protocols, majority of the brain power will focus on TCP/IP + \item Open Source implementations are critical for experiments! 
+\end{itemize} +\end{frame} + +\begin{frame}{Less monoculture} +\begin{itemize} + \item Very few equipment vendors and protocol stack vendors + \item Even less vendors of ASN.1 / CSN.1 code generators + \item Finding an exploitable bug in one of the 2-3 major ASN.1 + code generators will permit you to exploit pretty much + any equipment independent of the vendor +\end{itemize} +\end{frame} + +\begin{frame}{Procedures / incident response} +\begin{itemize} + \item start to adopt scheme like CVE, vulnerability databases + \item be prepared to rapidly roll out updates to all elements in + the operator infrastructure + \item have specs that require sufficient spare FPGA / DSP / CPU + / RAM resources in hardware to ensure + software-upgradability of components +\end{itemize} +\end{frame} + +\begin{frame}{Engagement with the security community} +\begin{itemize} + \item Actively engage academic and individual security researchers + \item Sueing them is not a solution, this has been tried in the 1990ies in the PC/Software industry + \item If you don't provide researchers inexpensive/available hardware, they have to break femtocells and other devices in order to do their legitimate research + \item Compare with gaming consoles exploits: All of them have been broken by people who wanted to run Linux and custom software on them. Only PS3 survived much longer, as they provided such means to the users from day 1 (and later removed it, requiring to break the PS3, too) +\end{itemize} +\end{frame} + +\begin{frame}{Thanks} +Thanks for your attention. I hope we have time for Q\&A. +\end{frame} + + +\end{document} diff --git a/2012/osmo_erlang-osdc2012/core_net.pdf b/2012/osmo_erlang-osdc2012/core_net.pdf new file mode 100644 index 0000000..8fec0b2 Binary files /dev/null and b/2012/osmo_erlang-osdc2012/core_net.pdf differ diff --git a/2012/osmo_erlang-osdc2012/core_net.snm b/2012/osmo_erlang-osdc2012/core_net.snm new file mode 100644 index 0000000..e69de29 
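Review bot: In the "ETSI/3GPP security working group(s)" frame, the line `is the only solution of fixing semi-active downgrade attacks` in the nested list under A5/4 has no `\item`, so it is typeset as a continuation of the parenthetical about handset implementations and the point about downgrade attacks gets lost. It reads as if it was meant to be its own bullet: `\item is the only solution of fixing semi-active downgrade attacks`. The same pattern seems to occur in "Evolving GSM specification process", where the CEPT and ETSI items each run two separate statements together in one `\item`. Line breaks are collapsed in this view, so the exact layout should be checked against the file itself.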
diff --git a/2012/osmo_erlang-osdc2012/core_net.tex b/2012/osmo_erlang-osdc2012/core_net.tex
new file mode 100644
index 0000000..61d5f55
--- /dev/null
+++ b/2012/osmo_erlang-osdc2012/core_net.tex
@@ -0,0 +1,139 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+ \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau .
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{Erlang SCCP/TCAP/MAP Implementations}
+
+%\subtitle
+%{community based Free / Open Source Software for communications}
+
+\author{Harald Welte }
+
+\institute
+{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[] % (optional, should be abbreviation of conference name)
+{October 13, 2012 - OSDC.fr - Paris / France}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Communications}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents[hideallsubsections]
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+
+\include{section-core_network}
+\include{section-erlang}
+\include{section-implementations}
+
+\end{document}
diff --git a/2012/osmo_erlang-osdc2012/gsm_network.png b/2012/osmo_erlang-osdc2012/gsm_network.png
new file mode 100644
index 0000000..c5f6399
Binary files /dev/null and b/2012/osmo_erlang-osdc2012/gsm_network.png differ
diff --git a/2012/osmo_erlang-osdc2012/map_messaging.png b/2012/osmo_erlang-osdc2012/map_messaging.png
new file mode 100644
index 0000000..49d1dd9
Binary files /dev/null and b/2012/osmo_erlang-osdc2012/map_messaging.png differ
diff --git a/2012/osmo_erlang-osdc2012/map_supervision.png b/2012/osmo_erlang-osdc2012/map_supervision.png
new file mode 100644
index 0000000..1be3d11
Binary files /dev/null and b/2012/osmo_erlang-osdc2012/map_supervision.png differ
diff --git a/2012/osmo_erlang-osdc2012/osi_model.png b/2012/osmo_erlang-osdc2012/osi_model.png
new file mode 100644
index 0000000..982e529
Binary files /dev/null and b/2012/osmo_erlang-osdc2012/osi_model.png differ
diff --git a/2012/osmo_erlang-osdc2012/section-core_network.tex b/2012/osmo_erlang-osdc2012/section-core_network.tex
new file mode 100644
index 0000000..e9948cf
--- /dev/null
+++ b/2012/osmo_erlang-osdc2012/section-core_network.tex
@@ -0,0 +1,282 @@ +\section{The GSM core network} + +\subsection{GSM core network components} + +\begin{frame}{GSM core network components} + \begin{description}[MSC] + \item[MSC] (Mobile Switching Center): The central switch + \item[HLR] (Home Location Register): Database of subscribers + \item[AUC] (Authentication Center): Database of authentication keys + \item[VLR] (Visitor Location Register): For roaming users + \item[EIR] (Equipment Identity Register): To block stolen phones + \end{description} +\end{frame} + +\begin{frame}{GSM network structure} +\begin{description}[BTS] +\item[MSC] Actual call switching and top-level mobility functions. May serve dozens of location areas +\item[VLR] Temporary cache of subscriber data from HLR + TMSI +\item[HLR] Subscriber databases + subscriber location information +\item[AUC] Generation of authentication tuples +\item[SMSC] SMS Service Centre, store+forward for SMS +\end{description} +\end{frame} + +\begin{frame}{GSM core network integration} +\begin{itemize} + \item VLR often integrated into MSC + \item AUC often integrated with AUC + \item integration so common, many graphs/diagrams are actually +not 100\% correct +\end{itemize} +\end{frame} + +\begin{frame}{GSM Network Structure} +\includegraphics[width=100mm]{gsm_network.png} +\end{frame} + +\begin{frame}{GSM network interfaces} + \begin{description}[D] + \item[C] Interface between GMSC and HLR + \item[D] Interface between MSC and HLR + \item[E] Interface between MSC and MSC + \end{description} +All of them based on MAP, so C/D/E not commonly distinguished +\end{frame} + +\subsection{GSM core network protocols} + +\begin{frame}{core network protocol stack} +Traditional telephony based on SS7 / CS7, GSM too +\begin{itemize} + \item Lower layers (MTP2/MTP3) re-used + \item ISUP used for actual call control signalling + \item SCCP for routing / GTT + \item TCAP for transaction supprt + \item MAP for actual GSM related signalling +\end{itemize} +\end{frame} + 
+\begin{frame}{SS7 networks} +\begin{itemize} + \item STP - Signalling Transfer Point + \begin{itemize} + \item {\em Router} for SCCP + \item performs GTT (see below) + \end{itemize} + \item SCP - Signalling Control Point + \begin{itemize} + \item {\em End-node} like MSC/HLR + \item SCP has GT, PC, .. + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{SS7 addresses} +\begin{itemize} + \item Point Code (PC) + \begin{itemize} + \item typically unique within PLMN / country + \end{itemize} + \item Global Title (GT) + \begin{itemize} + \item world-wide unique address + \item translated into PC by GTT at STP + \end{itemize} + \item Subsystem Number (SSN) + \begin{itemize} + \item logical function address inside network (MSC, VLR, HLR, ...) + \item not used on international links + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{SS7 GTT (Global Title Translation)} +Global Title Translation +\begin{itemize} + \item can happen at any STP + \item translates a Destination GT into new destination address + \item new dest address can be any address, such as + \begin{itemize} + \item new global title (GT) + \item point code (PC) + \item sub-system number (SSN) + \end{itemize} + \item GTT rules explicitly configured by operator, e.g. + \begin{itemize} + \item prefix or range based match + \item (inter)nationalize numbering plan + \item add digits at beginning or end + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{SS7 physical layer} +\begin{itemize} + \item{classic SS7 signalling over TDM circuits} + \begin{itemize} + \item E1 timeslot (64kbps) + \item multiple E1 timeslots (N*64kbps) + \item MTP Level 2 / MTP Level 3 + \end{itemize} + \item modern networks use SIGTRAN + \begin{itemize} + \item IP as network layer replaces E1 lines + \item SCTP on top(no TCP/UDP!) 
+ \item many different SIGTRAN stacking options + \end{itemize} + \item some vendor-proprietary protocols like SCCPlite +\end{itemize} +\end{frame} + +\begin{frame}{SIGTRAN stacking options} +SIGTRAN != SIGTRAN +\begin{itemize} + \item IP/SCTP/M2PA/MTP2/MTP3/SCCP/TCAP/MAP + \item IP/SCTP/M2UA/MTP3/SCCP/TCAP/MAP + \item IP/SCTP/M3UA/SCCP/TCAP/MAP + \item IP/SCTP/SUA/TCAP/MAP +\end{itemize} +\end{frame} + +\begin{frame}{SCCP} +SCCP takes care of +\begin{itemize} + \item Global Title based addressing + \item Global Title Translation + \item connection-oriented or connectionless semantics + \item GSM core network interfaces with MAP/CAP only use +connection-less UDT service +\end{itemize} +\end{frame} + +\begin{frame}{TCAP} +\begin{itemize} + \item Idea: decouple transaction logic from actual application + \item transaction semantics can be used by multiple higher-layer protocols + \item state machines on both sides maintained outside of application + \item protocol specified in ASN.1, BER encoding +\end{itemize} +\end{frame} + +\begin{frame}{MAP - Mobile Application Part} +\begin{itemize} + \item used between all classic GSM core network components + \item application protocol on top of TCAP + \item protocol specified in ASN.1, BER encoding +\end{itemize} +\end{frame} + +\begin{frame}{CAP - Camel Application Part} +\begin{itemize} + \item used for CAMEL entities (gsmSCF, gsmSSF, gprsSSF, gsmSRF) + \item application protocol on top of TCAP + \item protocol specified in ASN.1, BER encoding +\end{itemize} +\end{frame} + +%\section{Roaming interfaces} +% +%\subsection{Roaming introduction} +% +%\begin{frame}{Introduction to Roaming} +%Roaming enables subscribers to use other operators' networks +%\begin{itemize} +% \item Home Network is called HPLMN +% \item Visited Network is called VPLMN +% \item Roaming requres between HPLMN and VPLMN +% \begin{itemize} +% \item Roaming agreement (contract) +% \item SS7 connectivity (ISUP/MAP/CAP) +% \item IP connectivity (for packet 
data)
+% \end{itemize}
+%\end{itemize}
+%\end{frame}
+%
+%\begin{frame}{Roaming principle}
+%\begin{itemize}
+% \item MS, MSC, VLR and SGSN are in VPLMN
+% \item HLR, AUC, GMSC and GGSN are in HPLMN
+% \item they talk to each other via MAP, just like in non-roaming case
+% \item selection of HPLMN based on IMSI of subscriber
+% \item non-roaming caes: HPLMN == VPLMN
+%\end{itemize}
+%\end{frame}
+%
+%\begin{frame}{MVNO - Mobile Virtual Network Operators}
+%A MVNO setup is a special case of roaming
+%\begin{itemize}
+% \item MNO operates PLMN with RAN and CN
+% \item MVNO operates HPLMN without RAN (BSC/BTS)
+% \item MVNO subscribers always roam into MNO network
+%\end{itemize}
+%\end{frame}
+%
+%\subsection{Roaming transactions}
+%FIXME
+
+%\subsection{Traditional Billing}
+%
+%\begin{frame}{Traditional Billing}
+%Initially, GSM was designed for business users
+%\begin{itemize}
+% \item Billing was always post-paid
+% \item Each PLMN simply logs all call/sms
+% \item Logs called CDR (Call Data Record)
+% \item At the end of the month, invoices are generated
+% \item CDR records are exchanged between roaming partners
+%\end{itemize}
+%\end{frame}
+%
+%\begin{frame}{Billing for Roaming}
+%\begin{itemize}
+% \item CDR files often vendor-specific / custom
+% \item GSMA established a standard called TAP
+% \item TAP is the standard for exchange of billing records
+%between roaming partners
+% \item Summary: Intra-PLMN: CDR, Inter-PLMN: TAP
+% \item TAP has many versions/generations
+% \item Specified in ASN.1
+%\end{itemize}
+%\end{frame}
+%
+%\begin{frame}{The advent of pre-paid}
+%\begin{itemize}
+% \item At some point, users wanted pre-paid services
+% \item Difficult to implement in traditional billing architecture
+% \item In HPLMN, every operator could come up with custom
+%solution
+% \item Thus, pre-paid initially not supported in roaming
+% \item In the early pre-paid days, there were lots of ways to exceed pre-paid balance
+%\end{itemize}
+%\end{frame}
+%
+%\begin{frame}{Pre-paid required fundamental changes}
+%\begin{itemize}
+% \item The pre-paid balance / account is maintained in HPLMN
+% \item HPLMN needs much more control over user while roaming
+% \item A new protocol (CAMEL) was introduced, as well as new
+%entities in the network
+% \item Lots of changes all over netowrk elements (MSC, SGSN, HLR)
+%\end{itemize}
+%\end{frame}
+%
+%\subsection{CAMEL}
+%
+%\begin{frame}{CAMEL - Customized Applications Mobile Enhanced Logic}
+%\begin{itemize}
+% \item gsmSCF - Service Control Function
+% \begin{itemize}
+% \item receives per-subscriber specific config from HLR
+%(CSI: CAMEL Subscription Information)
+% \item remotely controls call, SMS, etc. processing
+% \end{itemize}
+% \item gsmSSF - Service Switching Function
+% \begin{itemize}
+% \item built into MSC
+% \item hooks / triggers at key state changes
+% \item allows gsmSCF to alter/override/abort transactions
+% \end{itemize}
+% \item gprsSSF provides similar feature inside SGSN
+%\end{itemize}
+%\end{frame}
diff --git a/2012/osmo_erlang-osdc2012/section-erlang.tex b/2012/osmo_erlang-osdc2012/section-erlang.tex
new file mode 100644
index 0000000..1af42e2
--- /dev/null
+++ b/2012/osmo_erlang-osdc2012/section-erlang.tex
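Review bot: The "GSM core network integration" frame states `\item AUC often integrated with AUC`, which names the same element twice; since the earlier frames describe the AUC as the store of authentication keys and the HLR as the subscriber database, the intended line is presumably `\item AUC often integrated with HLR`. The protocol-stack frame also has `\item TCAP for transaction supprt` (read `support`). Two frames differ in title only by case, `GSM network structure` and `GSM Network Structure`; retitling the second, which only holds `gsm_network.png`, would keep the outline unambiguous. The commented-out roaming, billing and CAMEL block at the end of the hunk contains a bare `%FIXME`, and a one-line comment such as `% disabled for this talk: roaming/billing part unfinished` (wording to be confirmed by the author) would tell a later reader why it is switched off.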
@@ -0,0 +1,72 @@ +\section{Erlang in Osmocom} + +\begin{frame}{Introducing Erlang} +Erlang/OTP +\begin{itemize} + \item is a functional, non-OO programming language + \item promotes some principles that make it easier to write secure code + \item was crreated by Ericsson for Telecom signalling applications + \item has excellent built-in ASN.1 compiler + runtime support + \item has {\tt gen\_fsm} support for well-defined finit state machines +\end{itemize} +\end{frame} + +\begin{frame}{Safe and secure programming} +Erlang enables and encourages to +\begin{itemize} + \item avoid defensive programming, rather fail-fast and raise exceptions + \item avoid having global/shared state as everything is pass-by-value, not reference + \item avoid accidential/improper reuse of variables by single assignment + \item not have to worry about memory allocation problems like + buffer overflows / double-free +\end{itemize} +\end{frame} + +\begin{frame}{Erlang headaches} +If you're used to C/C++ or even Java, Erlang will give you headaches, +too. +\begin{itemize} + \item you have no interative loops like for/while, but always + have to use (tail) recursion + \item you have to type a lot when accessing members of records + (structures), as you need to specify the type name on + every access + \item avoiding global state may be useful, but very hard at + times +\end{itemize} +\end{frame} + +\begin{frame}{Reasons to use Erlang in Osmocom} +\begin{itemize} + \item best ASN.1 support found as Free Software for any + programming language + \begin{itemize} + \item TCAP/MAP use ASN.1 Information Object Classes, + which e.g. asn1c doesn't support + \item supports PER aligned and unaligned, required in + RANAP/RRC for UMTS. + \item very strict validation of input data, including + range checks of integer values against + constraings in ASN.1, etc. 
+ \end{itemize} + \item built-in support for finite state machines + \item Erlang {\em many processes and message passing} model 1:1 + match to ITU TCAP specification. +\end{itemize} +\end{frame} + +\begin{frame}{Erlang in Osmocom projets} +\begin{itemize} + \item all current Osmocom developers are C (possibly C++) developers + \item nobody really likes to use some bloatet inefficient and + unknown programming language (compared to C...) + \item almost every other sub-project of Osmocom is implemented + in pure C + \item apart from my projects described here, Erlang hasn't + really picked up with other developers + \item Erlang wasn't chosen because we love it, but because it + makes techical sense in some specific applications, + compared to alternavies requiring to buy/user + porprietary ASN.1 tools or write our own +\end{itemize} +\end{frame} diff --git a/2012/osmo_erlang-osdc2012/section-implementations.tex b/2012/osmo_erlang-osdc2012/section-implementations.tex new file mode 100644 index 0000000..1c695ac --- /dev/null +++ b/2012/osmo_erlang-osdc2012/section-implementations.tex 
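Review bot: The "Safe and secure programming" frame says that with Erlang you do `not have to worry about memory allocation problems like buffer overflows / double-free`, which holds for code running inside the VM but not for native code loaded into it; NIFs and linked-in port drivers written in C keep the usual memory-safety exposure. I would append a qualifier to that item, e.g. `(pure Erlang code only; NIFs / port drivers in C are not covered)`, and it is worth confirming whether the OTP ASN.1 BER runtime praised on the "Reasons to use Erlang" frame is itself partly native in the release used. The `avoid defensive programming, rather fail-fast` item is only safe when crashed processes are restarted under supervision, so a short pointer to OTP supervisors would complete the claim. Spelling slips in this hunk that will show on the slides: `crreated`, `finit`, `interative`, `constraings`, `bloatet`, `techical`, `alternavies`, `porprietary`, `projets`.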
@@ -0,0 +1,176 @@ + +\section{Core Network protocol implementations} + +\subsection{Erlang implementations} + +\begin{frame}{Erlang osmo\_ss7} +\begin{itemize} + \item Signalling link management + \item Signalling linkset management + \item MTP-level routing + \item Protocol codecs + \begin{itemize} + \item BSSMAP, ISUP, M2PA, M2UA, M3UA, MTP3, SCCP, SUA + \end{itemize} + \item Various different protocol implementations + \begin{itemize} + \item SIGTRAN: M3UA, M2PA, M2UA, SUA + \item IPA multiplex / SCCP lite + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Erlang osmo\_sccp} +SCCP implementation, typcially used on top of osmo\_sccp +\begin{itemize} + \item SCCP connectionless (SCLC) + \item SCCP connection oriented (SCOC) + \item SCCP routing / gtt (SCRC) + \item applications can bind to SSN numbers +\end{itemize} +\end{frame} + +\begin{frame}{Erlang osmo\_map} +\begin{itemize} + \item Not a full-blown MAP end-user implementation + \item Primarily a set of integrated TCAP+MAP codec + \item Used for protocol analysis/dissection + \item Used for transparent MAP mangling engines + \item Think of FTP/IRC NAT in TCP/IP, where you need to modify + addresses contained in the payload (not header) of the + messages +\end{itemize} +\end{frame} + +\begin{frame}{Erlang mgw\_nat} +\begin{itemize} + \item Strange transparent SCCP/TCAP/MAP gateway + \item Supports all kinds of strange operations + \begin{itemize} + \item SCCP Global Title Masquerade (dynamic GT pool) + \item Replace VLR/MSC GT inside MAP payload + \item Supported Camel Phase patching + \item 1:1 IMSI mapping in MAP payload + \item ISUP GT mangling + \item national/international numbering plan conversions + \end{itemize} + \item Used in multiple production installations in real operator + core network for ~ 2 years +\end{itemize} +\end{frame} + +\begin{frame}{Erlang signerl TCAP} +\includegraphics[width=60mm]{osi_model.png} +\end{frame} + +\begin{frame}{Erlang signerl TCAP} +\begin{itemize} + \item 
Full ITU-T TCAP implementation + \item 1:1 mapping of ITU-T TCAP state machines to Erlang gen\_fsm + \begin{itemize} + \item DHA - Dialogue Handling + \item TSM - Transaction State Machine + \item ISM - Invocation State Machine + \end{itemize} + \item 1:1 mapping of other ITU-T entities to Erlang gen\_server + \begin{itemize} + \item CCO - Componen Coordinator + \item TCO - Transaction Coordinator + \end{itemize} + \item Some old/incomplete/bit-rotten ANSI TCAP code +\end{itemize} +\end{frame} + +\begin{frame}{Message flow among signerl TCAP Processes} +\includegraphics[width=100mm]{tcap_messaging.png} +\end{frame} + +\begin{frame}{Erlang supervisor hierarchy in signerl TCAP} +\includegraphics[width=70mm]{tcap_supervision.png} +\end{frame} + + +\begin{frame}{Erlang signerl TCAP} +\begin{itemize} + \item properly implements the N-primitives to lower level + \item properly implements all TR-primitives internally (TC / TR + split) + \item properly implements all TC-primitives towards the TCAP user + \item Can be used on top of osmo\_sccp + \item Can be used directly by application servers or via signerl MAP +\end{itemize} +\end{frame} + +\begin{frame}{Erlang signerl MAP} +\begin{itemize} + \item Interface between MAP primitives and TCAP primitives + \item Provides very little benefit over using TCAP directly + \item Not used much so far, I always use TCAP user API instead +\end{itemize} +\end{frame} + + +\begin{frame}{Message flow among signerl MAP Processes} +\includegraphics[width=100mm]{map_messaging.png} +\end{frame} + +\begin{frame}{Erlang supervisor hierarchy in signerl TCAP} +\includegraphics[width=90mm]{map_supervision.png} +\end{frame} + +\begin{frame}{Erlang application servers} +\begin{itemize} + \item No complete implementation of any GSM core network node + yet + \item Lots of testing / experimentation code for generating + single MAP transactions against existing/proprietary + core network components + \item Work on a HLR based on Mnesia DB should be 
starting soon
+\end{itemize}
+\end{frame}
+
+%\subsection{C implementations}
+%
+%\begin{frame}{libosmo-sccp}
+%\begin{itemize}
+% \item minimalistic SCCP implementation
+% \item only used inside IPA multiplex / SCCP lite
+% \item no retransmissions / GT routing / translation
+% \item stable, used in production (osmo-bsc)
+%\end{itemize}
+%\end{frame}
+%
+%\begin{frame}{libosmo-asn1-tcap}
+%\begin{itemize}
+% \item asn1c-generated TCAP codec
+% \item almost no manual code
+% \item built as shared library
+%\end{itemize}
+%\end{frame}
+%
+%\begin{frame}{libosmo-tcap}
+%\begin{itemize}
+% \item First attempt of Harald to implement TCAP (before Erlang)
+% \item 1:1 mapping of ITU-T TCAP components to C source files
+% \item Heavily based on asn1c-generated data structures
+% \item Uses libosmo-asn1-tcap
+%\end{itemize}
+%\end{frame}
+%
+%\begin{frame}{libosmo-asn1-map}
+%\begin{itemize}
+% \item asn1c-generated MAP code
+% \item almost no manual code
+% \item built as shared library
+%\end{itemize}
+%\end{frame}
+%
+%\begin{frame}{Future of C implementation?}
+%\begin{itemize}
+% \item unclear at this point
+% \item first finish testing/deploying Erlang implementations
+% \item possible use case for Gc interface of osmo-sgsn (SGSN-HLR)
+% \item Do we interface C code with Erlang MAP or maintain C implementation in parallel?
+%\end{itemize}
+%\end{frame}
+
diff --git a/2012/osmo_erlang-osdc2012/tcap_messaging.png b/2012/osmo_erlang-osdc2012/tcap_messaging.png
new file mode 100644
index 0000000..25a644f
Binary files /dev/null and b/2012/osmo_erlang-osdc2012/tcap_messaging.png differ
diff --git a/2012/osmo_erlang-osdc2012/tcap_supervision.png b/2012/osmo_erlang-osdc2012/tcap_supervision.png
new file mode 100644
index 0000000..4199fd0
Binary files /dev/null and b/2012/osmo_erlang-osdc2012/tcap_supervision.png differ
diff --git a/2012/osmocom-brno2012/abstract.txt b/2012/osmocom-brno2012/abstract.txt
new file mode 100644
index 0000000..de22708
--- /dev/null
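Review bot: The `osmo\_sccp` frame describes the library as `typcially used on top of osmo\_sccp`, i.e. on top of itself; since the preceding frame presents osmo\_ss7 as the layer providing link management and MTP-level routing, the line presumably should read `SCCP implementation, typically used on top of osmo\_ss7`. The second frame titled `Erlang supervisor hierarchy in signerl TCAP` includes `map_supervision.png` and follows the MAP message-flow frame, so its title looks like a copy-paste and should probably be `Erlang supervisor hierarchy in signerl MAP`. In the mgw\_nat frame, `for ~ 2 years` will not print a tilde because `~` is a non-breaking space in LaTeX; `for $\sim$2 years` renders what is meant. `Componen Coordinator` is also missing a `t`.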
+++ b/2012/osmocom-brno2012/abstract.txt
@@ -0,0 +1,19 @@
+Osmocom.org - Community based Open Source Mobile Communications
+
+For decades, there is a sheer unlimited number of readily available
+Free / Open Source Software (FOSS) projects related to TCP/IP/Ethernet
+networks.
+
+On the contrary, until 2009, there was no FOSS in the field of mobile
+communications protocols like GSM and UMTS at all. Projects like
+OpenBSC and OpenBTS have changed this ever since.
+
+Osmocom.org is a community-based umbrella project containing
+implementations for various network elements of GSM/GPRS/EDGE networks,
+including MS, BTS, BSC (OpenBSC), MGW, STP, SGSN, GGSN, etc.
+Furthermore, it also contains software for GMR (ETSI Geo Mobile Radio,
+used by Thuraya), as well as TETRA, DECT and APCO25.
+
+This lecture will give an overview about the different osmocom.org
+projects, their applications and the motivation of the people who
+implemented the software.
diff --git a/2012/osmocom-brno2012/bts_tree_full.jpg b/2012/osmocom-brno2012/bts_tree_full.jpg
new file mode 100644
index 0000000..6b5c5e8
Binary files /dev/null and b/2012/osmocom-brno2012/bts_tree_full.jpg differ
diff --git a/2012/osmocom-brno2012/c123_pcb.jpg b/2012/osmocom-brno2012/c123_pcb.jpg
new file mode 100644
index 0000000..a9f24fc
Binary files /dev/null and b/2012/osmocom-brno2012/c123_pcb.jpg differ
diff --git a/2012/osmocom-brno2012/osmo-e1-xcvr.jpg b/2012/osmocom-brno2012/osmo-e1-xcvr.jpg
new file mode 100644
index 0000000..8802e08
Binary files /dev/null and b/2012/osmocom-brno2012/osmo-e1-xcvr.jpg differ
diff --git a/2012/osmocom-brno2012/osmocom-overview.pdf b/2012/osmocom-brno2012/osmocom-overview.pdf
new file mode 100644
index 0000000..d6ab5fd
Binary files /dev/null and b/2012/osmocom-brno2012/osmocom-overview.pdf differ
diff --git a/2012/osmocom-brno2012/osmocom-overview.snm b/2012/osmocom-brno2012/osmocom-overview.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2012/osmocom-brno2012/osmocom-overview.tex b/2012/osmocom-brno2012/osmocom-overview.tex
new file mode 100644
index 0000000..e7fc7f4
--- /dev/null
+++ b/2012/osmocom-brno2012/osmocom-overview.tex
@@ -0,0 +1,583 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +\usepackage{url} +\makeatletter +\def\url@leostyle{% + \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}} +\makeatother +%% Now actually use the newly defined style. +\urlstyle{leo} + + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau . +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. + + +\title{osmocom.org - FOSS for mobile comms} + +\subtitle +{community based Free / Open Source Software for communications} + +\author{Harald Welte } + +\institute +{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[] % (optional, should be abbreviation of conference name) +{22nd February, Brno / Czech Republic} +% - Either use conference name or its abbreviation. 
+% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{Communications} +% This is only inserted into the PDF information catalog. Can be left +% out. + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + +\begin{frame}{Outline} + \tableofcontents[hideallsubsections] + % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. 
+ +\begin{frame}{About the speaker} +\begin{itemize} + \item Using + toying with Linux since 1994 + \item Kernel / bootloader / driver / firmware development since 1999 + \item IT security expert, focus on network protocol security + \item Former core developer of Linux packet filter netfilter/iptables + \item Board-level Electrical Engineering + \item Always looking for interesting protocols (RFID, DECT, GSM) + \item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN +\end{itemize} +\end{frame} + + +\section{Researching communications systems} + +\subsection{The Rolle of FOSS} + +\begin{frame}{Research in TCP/IP/Ethernet} +Assume you want to do some research in the TCP/IP/Ethernet +communications area, +\begin{itemize} + \item you use off-the-shelf hardware (x86, Ethernet card) + \item you start with the Linux / *BSD stack + \item you add the instrumentation you need + \item you make your proposed modifications + \item you do some testing + \item you write your paper and publish the results +\end{itemize} +\end{frame} + +\begin{frame}{Research in (mobile) communications} +Assume it is before 2009 (before Osmocom) and you want to do some research in mobile comms +\begin{itemize} + \item there is no FOSS implementation of any of the protocols or + functional entities + \item almost no university has a test lab with the required + equipment. And if they do, it is black boxes that you + cannot modify according to your research requirements + \item you turn away at that point, or you cannot work on really + exciting stuff + \item only chance is to partner with commercial company, who + puts you under NDAs and who wants to profit from your + research +\end{itemize} +\end{frame} + +\begin{frame}{GSM/3G vs. 
Internet} +\begin{itemize} + \item Observation + \begin{itemize} + \item Both GSM/3G and TCP/IP protocol specs are publicly available + \item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny + \item GSM networks are as widely deployed as the Internet + \item Yet, GSM/3G protocols receive no such scrutiny! + \end{itemize} + \item There are reasons for that: + \begin{itemize} + \item GSM industry is extremely closed (and closed-minded) + \item Only about 4 closed-source protocol stack implementations + \item GSM chipset makers never release any hardware documentation + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{The closed GSM industry} + +\begin{frame}{The closed GSM industry}{Handset manufacturing side} +\begin{itemize} + \item Only very few companies build GSM/3.5G baseband chips today + \begin{itemize} + \item Those companies buy the operating system kernel and the protocol stack from third parties + \end{itemize} + \item Only very few handset makers are large enough to become a customer + \begin{itemize} + \item Even they only get limited access to hardware documentation + \item Even they never really get access to the firmware source + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{Network manufacturing side} +\begin{itemize} + \item Only very few companies build GSM network equipment + \begin{itemize} + \item Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei + \item Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment + \end{itemize} + \item Only operators buy equipment from them + \item Since the quantities are low, the prices are extremely high + \begin{itemize} + \item e.g. 
for a BTS, easily 10-40k EUR + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{Operator side} +\begin{itemize} + \item Operators are mainly banks today + \item Typical operator outsources + \begin{itemize} + \item Network planning / deployment / servicing + \item Even Billing! + \end{itemize} + \item Operator just knows the closed equipment as shipped by manufacturer + \item Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance +\end{itemize} +\end{frame} + +\begin{frame}{GSM is more than phone calls} +Listening to phone calls is boring... +\begin{itemize} + \item Machine-to-Machine (M2M) communication + \begin{itemize} + \item BMW can unlock/open your car via GSM + \item Alarm systems often report via GSM + \item Smart Metering (Utility companies) + \item GSM-R / European Train Control System + \item Vending machines report that their cash box is full + \item Control if wind-mills supply power into the grid + \item Transaction numbers for electronic banking + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{Security implications} + +\begin{frame}{The closed GSM industry}{Security implications} +The security implications of the closed GSM industry are: +\begin{itemize} + \item Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers + \item No independent research on protocol-level security + \begin{itemize} + \item If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis) + \item Or on application level (e.g. 
mobile malware) + \end{itemize} + \item No open source protocol implementations + \begin{itemize} + \item which are key for making more people learn about the protocols + \item which enable quick prototyping/testing by modifying existing code + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{My self-proclaimed mission} +Mission: Bring TCP/IP/Internet security knowledge to GSM +\begin{itemize} + \item Create tools to enable independent/public IT Security community to examine GSM + \item Try to close the estimated 10 year gap between the state of security technology on the Internet vs. GSM networks + \begin{itemize} + \item Industry thinks in terms of {\em walled garden} and {\em phones behaving like specified} + \item No proper incident response strategies! + \item No packet filters, firewalls, intrusion detection on GSM protocol level + \item General public assumes GSM networks are safer than Internet + \end{itemize} +\end{itemize} +\end{frame} + +\section{Bootstrapping Osmocom} + +\begin{frame} +To actually do research on GSM, we need +\begin{itemize} + \item detailed knowledge on the architecture and protocol stack + \item suitable hardware (there's no PHY/MAC only device like + Ethernet MAC) + \item a Free / Open Source Software implementation of at least + parts of the protocol stack +\end{itemize} +\end{frame} + +\begin{frame}{Bootstrapping GSM Research}{How would you get started?} +If you were to start with GSM protocol level security analysis, where and +how would you start? +\begin{itemize} + \item On the handset side? 
+ \begin{itemize} + \item Difficult since GSM firmware and protocol stacks are closed and proprietary + \item Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too + \item Publicly known attempts + \begin{itemize} + \item The TSM30 project as part of the THC GSM project + \item mados, an alternative OS for Nokia DTC3 phones + \end{itemize} + \item none of those projects successful so far + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Bootstrapping GSM research}{How would you get started?} +If you were to start with GSM protocol level security analysis, where and +how would you start? +\begin{itemize} + \item On the network side? + \begin{itemize} + \item Difficult since equipment is not easily available and normally extremely expensive + \item However, network is very modular and has many standardized/documented interfaces + \item Thus, if BTS equipment is available, much easier/faster progress + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Bootstrapping GSM research}{The bootstrapping process} +\begin{itemize} + \item Read GSM specs (> 1000 PDF documents, each hundreds of pages) + \item Gradually grow knowledge about the protocols + \item Obtain actual GSM network equipment (BTS) + \item Try to get actual protocol traces as examples + \item Start a complete protocol stack implementation from scratch + \item Finally, go and play with GSM protocol security +\end{itemize} +\end{frame} + +\section{The Osmocom project} + +\begin{frame}{Osmocom / osmocom.org} +\begin{itemize} + \item Osmocom == Open Soruce Mobile Communications + \item Classic collaborative, community-driven FOSS project + \item Gathers creative people who want to explore this + industry-dominated closed mobile communications world + \item communication via mailing lists, IRC + \item soure code in git, information in trac/wiki + \item http://osmocom.org/ +\end{itemize} +\end{frame} + +\subsection{Osmocom 
sub-projects} + +\begin{frame}{OpenBSC} +\begin{itemize} + \item first Osmocom project + \item Implements GSM A-bis interface towards BTS + \item Supports Siemens, ip.access, Ericsson and Nokia BTS + \item can implement only BSC function (osmo-bsc) or a fully + autonomous self-contained GSM network (osmo-nitb) that + requires no external MSC/VLR/AUC/HLR/EIR + \item deployed in > 200 installations world-wide, commercial and + research +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC test installation} +\begin{figure}[h] +\centering +\includegraphics[width=60mm]{bts_tree_full.jpg} +\end{figure} +\end{frame} + +\begin{frame}{OsmoSGSN / OpenGGSN} +\begin{itemize} + \item extends the OpenBSC based network from GSM to GPRS/EDGE by + implementing the classic SGSN and GGSN functional + entities + \item OpenGGSN existed already, but was abandoned by original + author + \item Works only with BTSs that provides Gb interface, like + ip.access nanoBTS + \item Suitable for research only, not production ready +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomBB} +\begin{itemize} + \item Full baseband processor firmware implementation of a mobile phone (MS) + \item We re-use existing phone hardware and re-wrote the L1, L2, + L3 and higher level logic + \item Higher layers reuse code from OpenBSC wherever possible + \item Used in a number of universities and other research contexts +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=50mm]{c123_pcb.jpg} +\end{figure} +\end{frame} + +\begin{frame}{OsmocomTETRA} +\begin{itemize} + \item SDR implementation of a TETRA radio-modem (PHY/MAC) + \item Rx is fully implemented, Tx only partial + \item Can be used for air interface interception + \item Accompanied by wireshark dissectors for the TETRA protocol + stack +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomGMR} +\begin{itemize} + \item ETSI GMR (Geo Mobile Radio) is "GSM for satellites" + \item GMR-1 used by Thuraya satellite network + \item OsmocomGMR 
implements SDR based radiomodem + PHY/MAC (Rx) + \item Partial wireshark dissectors for the protocol stack + \item Reverse engineered implementation of GMR-A5 crypto + \item Speech codec is proprietary, still needs reverse engineering +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomDECT} +\begin{itemize} + \item ETSI DECT (Digital European Cordless Telephony) is used in + millions of cordless phones + \item deDECTed.org project started with open source protocol + analyzers and demonstrated many vulnerabilities + \item OsmocomDECT is an implementation of the DECT hardware + drivers and protocols for the Linux kernel + \item Integrates with Asterisk +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomOP25} +\begin{itemize} + \item APCO25 is Professional PMR system used in the US + \item Can be compared to TETRA in Europe + \item OsmocomOP25 is again SDR receiver + protocol analyzer +\end{itemize} +\end{frame} + +\begin{frame}{OsmoSDR} +\begin{itemize} + \item small, low-power / low-cost USB SDR hardware + \item higher bandwidth than FunCubeDonglePro + \item much lower cost than USRP + \item Open Hardware + \item Available soon (Firmware not finished) +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=70mm]{osmosdr.jpg} +\end{figure} +\end{frame} + +\begin{frame}{OsmocomSIMTRACE} +\begin{itemize} + \item Hardware protocol tracer for SIM - phone interface + \item Wireshark protocol dissector for SIM-ME protocol (TS 11.11) + \item Can be used for SIM Application development / analysis + \item Also capable of SIM card emulation and man-in-the-middle attacks +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=60mm]{simtrace_and_phone.jpg} +\end{figure} +\end{frame} + +\begin{frame}{Osmo-E1-Xcvr} +\begin{itemize} + \item Open hardware project for interfacing E1 lines with + microcontrollers + \item So far no software/firmware yet, stay tuned! 
+\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=60mm]{osmo-e1-xcvr.jpg} +\end{figure} +\end{frame} + +\begin{frame}{osmo\_ss7, osmo\_map, signerl} +\begin{itemize} + \item Erlang-language SS7 implementation (MTP3, SCCP, TCAP, MAP) + \item Sigtran variants (M2PA, M2UA, M3UA and SUA) + \item Enables us to interface with GSM/UMTS inter-operator core network + \item Already used in production in some really nasty + special-purpose protocol translators (think of NAT for + SS7) +\end{itemize} +\end{frame} + +\subsection{Non-osmocom projects} + +\begin{frame}{The OpenBTS Um - SIP bridge} +\begin{itemize} + \item OpenBTS is a SDR implementation of GSM Um radio interface + \item directly bridges to SIP/RTP, no A-bis/BSC/A/MSC + \item suitable for research on air interface, but very different + from traditional GSM networks + \item work is being done to make it interoperable with OpenBSC +\end{itemize} +\end{frame} + +\begin{frame}{airprobe.org} +\begin{itemize} + \item SDR implementation of Um sniffer + \item suitable for receiving GSM Um downlink and uplink + \item predates all of the other projects + \item more or less abandoned at this point +\end{itemize} +\end{frame} + +\begin{frame}{sysmocom GmbH}{systems for mobile communications} +\begin{itemize} + \item small company, started by two Osmocom developers in Berlin + \item provides commercial R\&d and support for professional + users of Osmocom software + \item develops its own producst like sysmoBTS (inexpensive, + small-form-factor, OpenBSC compatible BTS) + \item runs a small webshop for Osmocom related hardware like + OsmocomBB compatible phones, SIMtrace, etc. 
+\end{itemize} +\end{frame} + + +\subsection{Future projects} + +\begin{frame}{Where do we go from here?} +\begin{itemize} + \item Dieter Spaar has been working with 3G NodeBs (Ericsson, + Nokia) to be able to run our own RNC + \item Research into intercepting microwave back-haul links + \item Research into GPS simulation / transmission / faking + \item Port of OsmocomBB to other baseband chips + \item Low-level control from Free Software on a 3G/3.5G phone + \item Re-using femtocells in creative ways + \item Proprietary PMR systems +\end{itemize} +\end{frame} + +\begin{frame}{Call for contributions} +\begin{itemize} + \item Don't you agree that classic Internet/TCP/IP is boring and + has been researched to death? + \item There are many more communications systems out there + \item Never trust the industry, they only care about selling + their stuff + \item Lets democratize access to those communication systems + \item Become a contributor or developer today! + \item Join our mailing lists, use/improve our code + \item for OsmocomBB you only need a EUR 20 phone to start +\end{itemize} +\end{frame} + +\begin{frame}{Thanks} +I'd like to thank the many Osmocom developers and contributors, +especially +\begin{itemize} + \item Dieter Spaar + \item Holger Freyther + \item Andreas Eversberg + \item Sylvain Munaut + \item On-Waves e.h.f + \item NETZING AG +\end{itemize} +\end{frame} + + +\begin{frame}{Thanks} +Thanks for your attention. I hope we have time for Q\&A. +\end{frame} + + +\end{document} diff --git a/2012/osmocom-brno2012/osmosdr.jpg b/2012/osmocom-brno2012/osmosdr.jpg new file mode 100644 index 0000000..730b579 Binary files /dev/null and b/2012/osmocom-brno2012/osmosdr.jpg differ diff --git a/2012/osmocom-brno2012/simtrace_and_phone.jpg b/2012/osmocom-brno2012/simtrace_and_phone.jpg new file mode 100644 index 0000000..3fddf27 Binary files /dev/null and b/2012/osmocom-brno2012/simtrace_and_phone.jpg differ 
diff --git a/2012/osmocom-cebit2012/abstract.txt b/2012/osmocom-cebit2012/abstract.txt
new file mode 100644
index 0000000..de22708
--- /dev/null
+++ b/2012/osmocom-cebit2012/abstract.txt
@@ -0,0 +1,19 @@
+Osmocom.org - Community based Open Source Mobile Communications
+
+For decades, there is a sheer unlimited number of readily available
+Free / Open Source Software (FOSS) projects related to TCP/IP/Ethernet
+networks.
+
+On the contrary, until 2009, there was no FOSS in the field of mobile
+communications protocols like GSM and UMTS at all. Projects like
+OpenBSC and OpenBTS have changed this ever since.
+
+Osmocom.org is a community-based umbrella project containing
+implementations for various network elements of GSM/GPRS/EDGE networks,
+including MS, BTS, BSC (OpenBSC), MGW, STP, SGSN, GGSN, etc.
+Furthermore, it also contains software for GMR (ETSI Geo Mobile Radio,
+used by Thuraya), as well as TETRA, DECT and APCO25.
+
+This lecture will give an overview about the different osmocom.org
+projects, their applications and the motivation of the people who
+implemented the software.
diff --git a/2012/osmocom-cebit2012/bts_tree_full.jpg b/2012/osmocom-cebit2012/bts_tree_full.jpg
new file mode 100644
index 0000000..6b5c5e8
Binary files /dev/null and b/2012/osmocom-cebit2012/bts_tree_full.jpg differ
diff --git a/2012/osmocom-cebit2012/c123_pcb.jpg b/2012/osmocom-cebit2012/c123_pcb.jpg
new file mode 100644
index 0000000..a9f24fc
Binary files /dev/null and b/2012/osmocom-cebit2012/c123_pcb.jpg differ
diff --git a/2012/osmocom-cebit2012/osmo-e1-xcvr.jpg b/2012/osmocom-cebit2012/osmo-e1-xcvr.jpg
new file mode 100644
index 0000000..8802e08
Binary files /dev/null and b/2012/osmocom-cebit2012/osmo-e1-xcvr.jpg differ
diff --git a/2012/osmocom-cebit2012/osmocom-overview.pdf b/2012/osmocom-cebit2012/osmocom-overview.pdf
new file mode 100644
index 0000000..ea171d3
Binary files /dev/null and b/2012/osmocom-cebit2012/osmocom-overview.pdf differ
diff --git a/2012/osmocom-cebit2012/osmocom-overview.snm b/2012/osmocom-cebit2012/osmocom-overview.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2012/osmocom-cebit2012/osmocom-overview.tex b/2012/osmocom-cebit2012/osmocom-overview.tex
new file mode 100644
index 0000000..0ad351f
--- /dev/null
+++ b/2012/osmocom-cebit2012/osmocom-overview.tex
@@ -0,0 +1,583 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +\usepackage{url} +\makeatletter +\def\url@leostyle{% + \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}} +\makeatother +%% Now actually use the newly defined style. +\urlstyle{leo} + + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau . +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. + + +\title{osmocom.org - FOSS for mobile networks} + +\subtitle +{community based Free / Open Source Software for communications} + +\author{Harald Welte } + +\institute +{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[] % (optional, should be abbreviation of conference name) +{March 09, CeBIT, Hannover / Germany} +% - Either use conference name or its abbreviation. 
+% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{Communications} +% This is only inserted into the PDF information catalog. Can be left +% out. + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + +\begin{frame}{Outline} + \tableofcontents[hideallsubsections] + % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. 
+ +\begin{frame}{About the speaker} +\begin{itemize} + \item Using + toying with Linux since 1994 + \item Kernel / bootloader / driver / firmware development since 1999 + \item IT security expert, focus on network protocol security + \item Former core developer of Linux packet filter netfilter/iptables + \item Board-level Electrical Engineering + \item Always looking for interesting protocols (RFID, DECT, GSM) + \item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN +\end{itemize} +\end{frame} + + +\section{Researching communications systems} + +\subsection{The Rolle of FOSS} + +\begin{frame}{Research in TCP/IP/Ethernet} +Assume you want to do some research in the TCP/IP/Ethernet +communications area, +\begin{itemize} + \item you use off-the-shelf hardware (x86, Ethernet card) + \item you start with the Linux / *BSD stack + \item you add the instrumentation you need + \item you make your proposed modifications + \item you do some testing + \item you write your paper and publish the results +\end{itemize} +\end{frame} + +\begin{frame}{Research in (mobile) communications} +Assume it is before 2009 (before Osmocom) and you want to do some research in mobile comms +\begin{itemize} + \item there is no FOSS implementation of any of the protocols or + functional entities + \item almost no university has a test lab with the required + equipment. And if they do, it is black boxes that you + cannot modify according to your research requirements + \item you turn away at that point, or you cannot work on really + exciting stuff + \item only chance is to partner with commercial company, who + puts you under NDAs and who wants to profit from your + research +\end{itemize} +\end{frame} + +\begin{frame}{GSM/3G vs. 
Internet} +\begin{itemize} + \item Observation + \begin{itemize} + \item Both GSM/3G and TCP/IP protocol specs are publicly available + \item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny + \item GSM networks are as widely deployed as the Internet + \item Yet, GSM/3G protocols receive no such scrutiny! + \end{itemize} + \item There are reasons for that: + \begin{itemize} + \item GSM industry is extremely closed (and closed-minded) + \item Only about 4 closed-source protocol stack implementations + \item GSM chipset makers never release any hardware documentation + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{The closed GSM industry} + +\begin{frame}{The closed GSM industry}{Handset manufacturing side} +\begin{itemize} + \item Only very few companies build GSM/3.5G baseband chips today + \begin{itemize} + \item Those companies buy the operating system kernel and the protocol stack from third parties + \end{itemize} + \item Only very few handset makers are large enough to become a customer + \begin{itemize} + \item Even they only get limited access to hardware documentation + \item Even they never really get access to the firmware source + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{Network manufacturing side} +\begin{itemize} + \item Only very few companies build GSM network equipment + \begin{itemize} + \item Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei + \item Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment + \end{itemize} + \item Only operators buy equipment from them + \item Since the quantities are low, the prices are extremely high + \begin{itemize} + \item e.g. 
for a BTS, easily 10-40k EUR + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{Operator side} +\begin{itemize} + \item Operators are mainly banks today + \item Typical operator outsources + \begin{itemize} + \item Network planning / deployment / servicing + \item Even Billing! + \end{itemize} + \item Operator just knows the closed equipment as shipped by manufacturer + \item Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance +\end{itemize} +\end{frame} + +\begin{frame}{GSM is more than phone calls} +Listening to phone calls is boring... +\begin{itemize} + \item Machine-to-Machine (M2M) communication + \begin{itemize} + \item BMW can unlock/open your car via GSM + \item Alarm systems often report via GSM + \item Smart Metering (Utility companies) + \item GSM-R / European Train Control System + \item Vending machines report that their cash box is full + \item Control if wind-mills supply power into the grid + \item Transaction numbers for electronic banking + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{Security implications} + +\begin{frame}{The closed GSM industry}{Security implications} +The security implications of the closed GSM industry are: +\begin{itemize} + \item Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers + \item No independent research on protocol-level security + \begin{itemize} + \item If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis) + \item Or on application level (e.g. 
mobile malware) + \end{itemize} + \item No open source protocol implementations + \begin{itemize} + \item which are key for making more people learn about the protocols + \item which enable quick prototyping/testing by modifying existing code + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{My self-proclaimed mission} +Mission: Bring TCP/IP/Internet security knowledge to GSM +\begin{itemize} + \item Create tools to enable independent/public IT Security community to examine GSM + \item Try to close the estimated 10 year gap between the state of security technology on the Internet vs. GSM networks + \begin{itemize} + \item Industry thinks in terms of {\em walled garden} and {\em phones behaving like specified} + \item No proper incident response strategies! + \item No packet filters, firewalls, intrusion detection on GSM protocol level + \item General public assumes GSM networks are safer than Internet + \end{itemize} +\end{itemize} +\end{frame} + +\section{Bootstrapping Osmocom} + +\begin{frame} +To actually do research on GSM, we need +\begin{itemize} + \item detailed knowledge on the architecture and protocol stack + \item suitable hardware (there's no PHY/MAC only device like + Ethernet MAC) + \item a Free / Open Source Software implementation of at least + parts of the protocol stack +\end{itemize} +\end{frame} + +\begin{frame}{Bootstrapping GSM Research}{How would you get started?} +If you were to start with GSM protocol level security analysis, where and +how would you start? +\begin{itemize} + \item On the handset side? 
+ \begin{itemize} + \item Difficult since GSM firmware and protocol stacks are closed and proprietary + \item Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too + \item Publicly known attempts + \begin{itemize} + \item The TSM30 project as part of the THC GSM project + \item mados, an alternative OS for Nokia DTC3 phones + \end{itemize} + \item none of those projects successful so far + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Bootstrapping GSM research}{How would you get started?} +If you were to start with GSM protocol level security analysis, where and +how would you start? +\begin{itemize} + \item On the network side? + \begin{itemize} + \item Difficult since equipment is not easily available and normally extremely expensive + \item However, network is very modular and has many standardized/documented interfaces + \item Thus, if BTS equipment is available, much easier/faster progress + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Bootstrapping GSM research}{The bootstrapping process} +\begin{itemize} + \item Read GSM specs (> 1000 PDF documents, each hundreds of pages) + \item Gradually grow knowledge about the protocols + \item Obtain actual GSM network equipment (BTS) + \item Try to get actual protocol traces as examples + \item Start a complete protocol stack implementation from scratch + \item Finally, go and play with GSM protocol security +\end{itemize} +\end{frame} + +\section{The Osmocom project} + +\begin{frame}{Osmocom / osmocom.org} +\begin{itemize} + \item Osmocom == Open Soruce Mobile Communications + \item Classic collaborative, community-driven FOSS project + \item Gathers creative people who want to explore this + industry-dominated closed mobile communications world + \item communication via mailing lists, IRC + \item soure code in git, information in trac/wiki + \item http://osmocom.org/ +\end{itemize} +\end{frame} + +\subsection{Osmocom 
sub-projects} + +\begin{frame}{OpenBSC} +\begin{itemize} + \item first Osmocom project + \item Implements GSM A-bis interface towards BTS + \item Supports Siemens, ip.access, Ericsson and Nokia BTS + \item can implement only BSC function (osmo-bsc) or a fully + autonomous self-contained GSM network (osmo-nitb) that + requires no external MSC/VLR/AUC/HLR/EIR + \item deployed in > 200 installations world-wide, commercial and + research +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC test installation} +\begin{figure}[h] +\centering +\includegraphics[width=60mm]{bts_tree_full.jpg} +\end{figure} +\end{frame} + +\begin{frame}{OsmoSGSN / OpenGGSN} +\begin{itemize} + \item extends the OpenBSC based network from GSM to GPRS/EDGE by + implementing the classic SGSN and GGSN functional + entities + \item OpenGGSN existed already, but was abandoned by original + author + \item Works only with BTSs that provides Gb interface, like + ip.access nanoBTS + \item Suitable for research only, not production ready +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomBB} +\begin{itemize} + \item Full baseband processor firmware implementation of a mobile phone (MS) + \item We re-use existing phone hardware and re-wrote the L1, L2, + L3 and higher level logic + \item Higher layers reuse code from OpenBSC wherever possible + \item Used in a number of universities and other research contexts +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=50mm]{c123_pcb.jpg} +\end{figure} +\end{frame} + +\begin{frame}{OsmocomTETRA} +\begin{itemize} + \item SDR implementation of a TETRA radio-modem (PHY/MAC) + \item Rx is fully implemented, Tx only partial + \item Can be used for air interface interception + \item Accompanied by wireshark dissectors for the TETRA protocol + stack +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomGMR} +\begin{itemize} + \item ETSI GMR (Geo Mobile Radio) is "GSM for satellites" + \item GMR-1 used by Thuraya satellite network + \item OsmocomGMR 
implements SDR based radiomodem + PHY/MAC (Rx) + \item Partial wireshark dissectors for the protocol stack + \item Reverse engineered implementation of GMR-A5 crypto + \item Speech codec is proprietary, still needs reverse engineering +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomDECT} +\begin{itemize} + \item ETSI DECT (Digital European Cordless Telephony) is used in + millions of cordless phones + \item deDECTed.org project started with open source protocol + analyzers and demonstrated many vulnerabilities + \item OsmocomDECT is an implementation of the DECT hardware + drivers and protocols for the Linux kernel + \item Integrates with Asterisk +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomOP25} +\begin{itemize} + \item APCO25 is Professional PMR system used in the US + \item Can be compared to TETRA in Europe + \item OsmocomOP25 is again SDR receiver + protocol analyzer +\end{itemize} +\end{frame} + +\begin{frame}{OsmoSDR} +\begin{itemize} + \item small, low-power / low-cost USB SDR hardware + \item higher bandwidth than FunCubeDonglePro + \item much lower cost than USRP + \item Open Hardware + \item Available soon (Firmware not finished) +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=70mm]{osmosdr.jpg} +\end{figure} +\end{frame} + +\begin{frame}{OsmocomSIMTRACE} +\begin{itemize} + \item Hardware protocol tracer for SIM - phone interface + \item Wireshark protocol dissector for SIM-ME protocol (TS 11.11) + \item Can be used for SIM Application development / analysis + \item Also capable of SIM card emulation and man-in-the-middle attacks +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=60mm]{simtrace_and_phone.jpg} +\end{figure} +\end{frame} + +\begin{frame}{Osmo-E1-Xcvr} +\begin{itemize} + \item Open hardware project for interfacing E1 lines with + microcontrollers + \item So far no software/firmware yet, stay tuned! 
+\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=60mm]{osmo-e1-xcvr.jpg} +\end{figure} +\end{frame} + +\begin{frame}{osmo\_ss7, osmo\_map, signerl} +\begin{itemize} + \item Erlang-language SS7 implementation (MTP3, SCCP, TCAP, MAP) + \item Sigtran variants (M2PA, M2UA, M3UA and SUA) + \item Enables us to interface with GSM/UMTS inter-operator core network + \item Already used in production in some really nasty + special-purpose protocol translators (think of NAT for + SS7) +\end{itemize} +\end{frame} + +\subsection{Non-osmocom projects} + +\begin{frame}{The OpenBTS Um - SIP bridge} +\begin{itemize} + \item OpenBTS is a SDR implementation of GSM Um radio interface + \item directly bridges to SIP/RTP, no A-bis/BSC/A/MSC + \item suitable for research on air interface, but very different + from traditional GSM networks + \item work is being done to make it interoperable with OpenBSC +\end{itemize} +\end{frame} + +\begin{frame}{airprobe.org} +\begin{itemize} + \item SDR implementation of Um sniffer + \item suitable for receiving GSM Um downlink and uplink + \item predates all of the other projects + \item more or less abandoned at this point +\end{itemize} +\end{frame} + +\begin{frame}{sysmocom GmbH}{systems for mobile communications} +\begin{itemize} + \item small company, started by two Osmocom developers in Berlin + \item provides commercial R\&d and support for professional + users of Osmocom software + \item develops its own producst like sysmoBTS (inexpensive, + small-form-factor, OpenBSC compatible BTS) + \item runs a small webshop for Osmocom related hardware like + OsmocomBB compatible phones, SIMtrace, etc. 
+\end{itemize}
+\end{frame}
+
+
+\subsection{Future projects}
+
+\begin{frame}{Where do we go from here?}
+\begin{itemize}
+ \item Dieter Spaar has been working with 3G NodeBs (Ericsson,
+ Nokia) to be able to run our own RNC
+ \item Research into intercepting microwave back-haul links
+ \item Research into GPS simulation / transmission / faking
+ \item Port of OsmocomBB to other baseband chips
+ \item Low-level control from Free Software on a 3G/3.5G phone
+ \item Re-using femtocells in creative ways
+ \item Proprietary PMR systems
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Call for contributions}
+\begin{itemize}
+ \item Don't you agree that classic Internet/TCP/IP is boring and
+ has been researched to death?
+ \item There are many more communications systems out there
+ \item Never trust the industry, they only care about selling
+ their stuff
+ \item Lets democratize access to those communication systems
+ \item Become a contributor or developer today!
+ \item Join our mailing lists, use/improve our code
+ \item for OsmocomBB you only need a EUR 20 phone to start
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Thanks}
+I'd like to thank the many Osmocom developers and contributors,
+especially
+\begin{itemize}
+ \item Dieter Spaar
+ \item Holger Freyther
+ \item Andreas Eversberg
+ \item Sylvain Munaut
+ \item On-Waves e.h.f
+ \item NETZING AG
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Thanks}
+Thanks for your attention. I hope we have time for Q\&A.
+\end{frame}
+
+
+\end{document}
diff --git a/2012/osmocom-cebit2012/osmosdr.jpg b/2012/osmocom-cebit2012/osmosdr.jpg
new file mode 100644
index 0000000..730b579
Binary files /dev/null and b/2012/osmocom-cebit2012/osmosdr.jpg differ
diff --git a/2012/osmocom-cebit2012/simtrace_and_phone.jpg b/2012/osmocom-cebit2012/simtrace_and_phone.jpg
new file mode 100644
index 0000000..3fddf27
Binary files /dev/null and b/2012/osmocom-cebit2012/simtrace_and_phone.jpg differ
diff --git a/2012/osmocom-ehsm2012/abstract.txt b/2012/osmocom-ehsm2012/abstract.txt
new file mode 100644
index 0000000..de22708
--- /dev/null
+++ b/2012/osmocom-ehsm2012/abstract.txt
@@ -0,0 +1,19 @@
+Osmocom.org - Community based Open Source Mobile Communications
+
+For decades, there is a sheer unlimited number of readily available
+Free / Open Source Software (FOSS) projects related to TCP/IP/Ethernet
+networks.
+
+On the contrary, until 2009, there was no FOSS in the field of mobile
+communications protocols like GSM and UMTS at all. Projects like
+OpenBSC and OpenBTS have changed this ever since.
+
+Osmocom.org is a community-based umbrella project containing
+implementations for various network elements of GSM/GPRS/EDGE networks,
+including MS, BTS, BSC (OpenBSC), MGW, STP, SGSN, GGSN, etc.
+Furthermore, it also contains software for GMR (ETSI Geo Mobile Radio,
+used by Thuraya), as well as TETRA, DECT and APCO25.
+
+This lecture will give an overview about the different osmocom.org
+projects, their applications and the motivation of the people who
+implemented the software.
diff --git a/2012/osmocom-ehsm2012/bts_tree_full.jpg b/2012/osmocom-ehsm2012/bts_tree_full.jpg
new file mode 100644
index 0000000..6b5c5e8
Binary files /dev/null and b/2012/osmocom-ehsm2012/bts_tree_full.jpg differ
diff --git a/2012/osmocom-ehsm2012/c123_pcb.jpg b/2012/osmocom-ehsm2012/c123_pcb.jpg
new file mode 100644
index 0000000..a9f24fc
Binary files /dev/null and b/2012/osmocom-ehsm2012/c123_pcb.jpg differ
diff --git a/2012/osmocom-ehsm2012/ezcap_top.jpg b/2012/osmocom-ehsm2012/ezcap_top.jpg
new file mode 100644
index 0000000..d504471
Binary files /dev/null and b/2012/osmocom-ehsm2012/ezcap_top.jpg differ
diff --git a/2012/osmocom-ehsm2012/osmo-e1-xcvr.jpg b/2012/osmocom-ehsm2012/osmo-e1-xcvr.jpg
new file mode 100644
index 0000000..8802e08
Binary files /dev/null and b/2012/osmocom-ehsm2012/osmo-e1-xcvr.jpg differ
diff --git a/2012/osmocom-ehsm2012/osmocom-overview.pdf b/2012/osmocom-ehsm2012/osmocom-overview.pdf
new file mode 100644
index 0000000..12b8149
Binary files /dev/null and b/2012/osmocom-ehsm2012/osmocom-overview.pdf differ
diff --git a/2012/osmocom-ehsm2012/osmocom-overview.snm b/2012/osmocom-ehsm2012/osmocom-overview.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2012/osmocom-ehsm2012/osmocom-overview.tex b/2012/osmocom-ehsm2012/osmocom-overview.tex
new file mode 100644
index 0000000..7ec4e5f
--- /dev/null
+++ b/2012/osmocom-ehsm2012/osmocom-overview.tex
@@ -0,0 +1,596 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+ \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau .
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice.
+
+
+\mode
+{
+ \usetheme{Warsaw}
+ % or ...
+
+ \setbeamercovered{transparent}
+ % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{osmocom.org - FOSS for mobile comms}
+
+\subtitle
+{community based Free / Open Source Software for communications}
+
+\author{Harald Welte }
+
+\institute
+{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[] % (optional, should be abbreviation of conference name)
+{December 30, 2012 / EHSM / Berlin}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+% yourself) who are reading the slides online
+
+\subject{Communications}
+% This is only inserted into the PDF information catalog. Can be left
+% out.
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+% \begin{frame}{Outline}
+% \tableofcontents[currentsection,currentsubsection]
+% \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command:
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+ \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+ \tableofcontents[hideallsubsections]
+ % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution:
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+% 15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+% are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+% enough. Leave out details, even if it means being less precise than
+% you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+% just say so once. Everybody will be happy with that.
+ +\begin{frame}{About the speaker} +\begin{itemize} + \item Using + toying with Linux since 1994 + \item Kernel / bootloader / driver / firmware development since 1999 + \item IT security expert, focus on network protocol security + \item Former core developer of Linux packet filter netfilter/iptables + \item Board-level Electrical Engineering + \item Always looking for interesting protocols (RFID, DECT, GSM) + \item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN +\end{itemize} +\end{frame} + + +\section{Researching communications systems} + +\subsection{The Rolle of FOSS} + +\begin{frame}{Research in TCP/IP/Ethernet} +Assume you want to do some research in the TCP/IP/Ethernet +communications area, +\begin{itemize} + \item you use off-the-shelf hardware (x86, Ethernet card) + \item you start with the Linux / *BSD stack + \item you add the instrumentation you need + \item you make your proposed modifications + \item you do some testing + \item you write your paper and publish the results +\end{itemize} +\end{frame} + +\begin{frame}{Research in (mobile) communications} +Assume it is before 2009 (before Osmocom) and you want to do some research in mobile comms +\begin{itemize} + \item there is no FOSS implementation of any of the protocols or + functional entities + \item almost no university has a test lab with the required + equipment. And if they do, it is black boxes that you + cannot modify according to your research requirements + \item you turn away at that point, or you cannot work on really + exciting stuff + \item only chance is to partner with commercial company, who + puts you under NDAs and who wants to profit from your + research +\end{itemize} +\end{frame} + +\begin{frame}{GSM/3G vs. 
Internet}
+\begin{itemize}
+ \item Observation
+ \begin{itemize}
+ \item Both GSM/3G and TCP/IP protocol specs are publicly available
+ \item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny
+ \item GSM networks are as widely deployed as the Internet
+ \item Yet, GSM/3G protocols receive no such scrutiny!
+ \end{itemize}
+ \item There are reasons for that:
+ \begin{itemize}
+ \item GSM industry is extremely closed (and closed-minded)
+ \item Only about 4 closed-source protocol stack implementations
+ \item GSM chipset makers never release any hardware documentation
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{The closed GSM industry}
+
+\begin{frame}{The closed GSM industry}{Handset manufacturing side}
+\begin{itemize}
+ \item Only very few companies build GSM/3.5G baseband chips today
+ \begin{itemize}
+ \item Those companies buy the operating system kernel and the protocol stack from third parties
+ \end{itemize}
+ \item Only very few handset makers are large enough to become a customer
+ \begin{itemize}
+ \item Even they only get limited access to hardware documentation
+ \item Even they never really get access to the firmware source
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The closed GSM industry}{Network manufacturing side}
+\begin{itemize}
+ \item Only very few companies build GSM network equipment
+ \begin{itemize}
+ \item Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei
+ \item Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment
+ \end{itemize}
+ \item Only operators buy equipment from them
+ \item Since the quantities are low, the prices are extremely high
+ \begin{itemize}
+ \item e.g.
for a BTS, easily 10-40k EUR
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The closed GSM industry}{Operator side}
+\begin{itemize}
+ \item Operators are mainly banks today
+ \item Typical operator outsources
+ \begin{itemize}
+ \item Network planning / deployment / servicing
+ \item Even Billing!
+ \end{itemize}
+ \item Operator just knows the closed equipment as shipped by manufacturer
+ \item Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GSM is more than phone calls}
+Listening to phone calls is boring...
+\begin{itemize}
+ \item Machine-to-Machine (M2M) communication
+ \begin{itemize}
+ \item BMW can unlock/open your car via GSM
+ \item Alarm systems often report via GSM
+ \item Smart Metering (Utility companies)
+ \item GSM-R / European Train Control System
+ \item Vending machines report that their cash box is full
+ \item Control if wind-mills supply power into the grid
+ \item Transaction numbers for electronic banking
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{Security implications}
+
+\begin{frame}{The closed GSM industry}{Security implications}
+The security implications of the closed GSM industry are:
+\begin{itemize}
+ \item Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers
+ \item No independent research on protocol-level security
+ \begin{itemize}
+ \item If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis)
+ \item Or on application level (e.g.
mobile malware)
+ \end{itemize}
+ \item No open source protocol implementations
+ \begin{itemize}
+ \item which are key for making more people learn about the protocols
+ \item which enable quick prototyping/testing by modifying existing code
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The closed GSM industry}{My self-proclaimed mission}
+Mission: Bring TCP/IP/Internet security knowledge to GSM
+\begin{itemize}
+ \item Create tools to enable independent/public IT Security community to examine GSM
+ \item Try to close the estimated 10 year gap between the state of security technology on the Internet vs. GSM networks
+ \begin{itemize}
+ \item Industry thinks in terms of {\em walled garden} and {\em phones behaving like specified}
+ \item No proper incident response strategies!
+ \item No packet filters, firewalls, intrusion detection on GSM protocol level
+ \item General public assumes GSM networks are safer than Internet
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\section{Bootstrapping Osmocom}
+
+\begin{frame}
+To actually do research on GSM, we need
+\begin{itemize}
+ \item detailed knowledge on the architecture and protocol stack
+ \item suitable hardware (there's no PHY/MAC only device like
+ Ethernet MAC)
+ \item a Free / Open Source Software implementation of at least
+ parts of the protocol stack
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Bootstrapping GSM Research}{How would you get started?}
+If you were to start with GSM protocol level security analysis, where and
+how would you start?
+\begin{itemize}
+ \item On the handset side?
+ \begin{itemize}
+ \item Difficult since GSM firmware and protocol stacks are closed and proprietary
+ \item Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too
+ \item Publicly known attempts
+ \begin{itemize}
+ \item The TSM30 project as part of the THC GSM project
+ \item mados, an alternative OS for Nokia DTC3 phones
+ \end{itemize}
+ \item none of those projects successful so far
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Bootstrapping GSM research}{How would you get started?}
+If you were to start with GSM protocol level security analysis, where and
+how would you start?
+\begin{itemize}
+ \item On the network side?
+ \begin{itemize}
+ \item Difficult since equipment is not easily available and normally extremely expensive
+ \item However, network is very modular and has many standardized/documented interfaces
+ \item Thus, if BTS equipment is available, much easier/faster progress
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Bootstrapping GSM research}{The bootstrapping process}
+\begin{itemize}
+ \item Read GSM specs (> 1000 PDF documents, each hundreds of pages)
+ \item Gradually grow knowledge about the protocols
+ \item Obtain actual GSM network equipment (BTS)
+ \item Try to get actual protocol traces as examples
+ \item Start a complete protocol stack implementation from scratch
+ \item Finally, go and play with GSM protocol security
+\end{itemize}
+\end{frame}
+
+\section{The Osmocom project}
+
+\begin{frame}{Osmocom / osmocom.org}
+\begin{itemize}
+ \item Osmocom == Open Soruce Mobile Communications
+ \item Classic collaborative, community-driven FOSS project
+ \item Gathers creative people who want to explore this
+ industry-dominated closed mobile communications world
+ \item communication via mailing lists, IRC
+ \item soure code in git, information in trac/wiki
+ \item http://osmocom.org/
+\end{itemize}
+\end{frame}
+
+\subsection{Osmocom
sub-projects}
+
+\begin{frame}{OpenBSC}
+\begin{itemize}
+ \item first Osmocom project
+ \item Implements GSM A-bis interface towards BTS
+ \item Supports Siemens, ip.access, Ericsson and Nokia BTS
+ \item can implement only BSC function (osmo-bsc) or a fully
+ autonomous self-contained GSM network (osmo-nitb) that
+ requires no external MSC/VLR/AUC/HLR/EIR
+ \item deployed in > 200 installations world-wide, commercial and
+ research
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OpenBSC test installation}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{bts_tree_full.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmoSGSN / OpenGGSN}
+\begin{itemize}
+ \item extends the OpenBSC based network from GSM to GPRS/EDGE by
+ implementing the classic SGSN and GGSN functional
+ entities
+ \item OpenGGSN existed already, but was abandoned by original
+ author
+ \item Works only with BTSs that provides Gb interface, like
+ ip.access nanoBTS
+ \item Suitable for research only, not production ready
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomBB}
+\begin{itemize}
+ \item Full baseband processor firmware implementation of a mobile phone (MS)
+ \item We re-use existing phone hardware and re-wrote the L1, L2,
+ L3 and higher level logic
+ \item Higher layers reuse code from OpenBSC wherever possible
+ \item Used in a number of universities and other research contexts
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=50mm]{c123_pcb.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmocomTETRA}
+\begin{itemize}
+ \item SDR implementation of a TETRA radio-modem (PHY/MAC)
+ \item Rx is fully implemented, Tx only partial
+ \item Can be used for air interface interception
+ \item Accompanied by wireshark dissectors for the TETRA protocol
+ stack
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomGMR}
+\begin{itemize}
+ \item ETSI GMR (Geo Mobile Radio) is "GSM for satellites"
+ \item GMR-1 used by Thuraya satellite network
+ \item OsmocomGMR
implements SDR based radiomodem + PHY/MAC (Rx) + \item Partial wireshark dissectors for the protocol stack + \item Reverse engineered implementation of GMR-A5 crypto + \item Speech codec is proprietary, still needs reverse engineering +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomDECT} +\begin{itemize} + \item ETSI DECT (Digital European Cordless Telephony) is used in + millions of cordless phones + \item deDECTed.org project started with open source protocol + analyzers and demonstrated many vulnerabilities + \item OsmocomDECT is an implementation of the DECT hardware + drivers and protocols for the Linux kernel + \item Integrates with Asterisk +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomOP25} +\begin{itemize} + \item APCO25 is Professional PMR system used in the US + \item Can be compared to TETRA in Europe + \item OsmocomOP25 is again SDR receiver + protocol analyzer +\end{itemize} +\end{frame} + +\begin{frame}{OsmoSDR} +\begin{itemize} + \item small, low-power / low-cost USB SDR hardware + \item higher bandwidth than FunCubeDonglePro + \item much lower cost than USRP + \item Open Hardware + \item Developer units available +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=70mm]{osmosdr.jpg} +\end{figure} +\end{frame} + +\begin{frame}{rtl-sdr} +\begin{itemize} + \item re-purpose a USD 20 DVB-T USB dongle based on Realtek chipset + \item deactivate/bypass DVB-T demodulator / MPEG decoder + \item pass baseband samples via high-speed USB into PC + \item no open hardware, but Free Software +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=70mm]{ezcap_top.jpg} +\end{figure} +\end{frame} + +\begin{frame}{OsmocomSIMTRACE} +\begin{itemize} + \item Hardware protocol tracer for SIM - phone interface + \item Wireshark protocol dissector for SIM-ME protocol (TS 11.11) + \item Can be used for SIM Application development / analysis + \item Also capable of SIM card emulation and man-in-the-middle attacks +\end{itemize} 
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{simtrace_and_phone.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Osmo-E1-Xcvr}
+\begin{itemize}
+ \item Open hardware project for interfacing E1 lines with
+ microcontrollers
+ \item So far no software/firmware yet, stay tuned!
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{osmo-e1-xcvr.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{osmo\_ss7, osmo\_map, signerl}
+\begin{itemize}
+ \item Erlang-language SS7 implementation (MTP3, SCCP, TCAP, MAP)
+ \item Sigtran variants (M2PA, M2UA, M3UA and SUA)
+ \item Enables us to interface with GSM/UMTS inter-operator core network
+ \item Already used in production in some really nasty
+ special-purpose protocol translators (think of NAT for
+ SS7)
+\end{itemize}
+\end{frame}
+
+\subsection{Non-osmocom projects}
+
+\begin{frame}{The OpenBTS Um - SIP bridge}
+\begin{itemize}
+ \item OpenBTS is a SDR implementation of GSM Um radio interface
+ \item directly bridges to SIP/RTP, no A-bis/BSC/A/MSC
+ \item suitable for research on air interface, but very different
+ from traditional GSM networks
+ \item work is being done to make it interoperable with OpenBSC
+\end{itemize}
+\end{frame}
+
+\begin{frame}{airprobe.org}
+\begin{itemize}
+ \item SDR implementation of Um sniffer
+ \item suitable for receiving GSM Um downlink and uplink
+ \item predates all of the other projects
+ \item more or less abandoned at this point
+\end{itemize}
+\end{frame}
+
+\begin{frame}{sysmocom GmbH}{systems for mobile communications}
+\begin{itemize}
+ \item small company, started by two Osmocom developers in Berlin
+ \item provides commercial R\&d and support for professional
+ users of Osmocom software
+ \item develops its own producst like sysmoBTS (inexpensive,
+ small-form-factor, OpenBSC compatible BTS)
+ \item runs a small webshop for Osmocom related hardware like
+ OsmocomBB compatible phones, SIMtrace, etc.
+\end{itemize}
+\end{frame}
+
+
+\subsection{Future projects}
+
+\begin{frame}{Where do we go from here?}
+\begin{itemize}
+ \item Dieter Spaar has been working with 3G NodeBs (Ericsson,
+ Nokia) to be able to run our own RNC
+ \item Research into intercepting microwave back-haul links
+ \item Research into GPS simulation / transmission / faking
+ \item Port of OsmocomBB to other baseband chips
+ \item Low-level control from Free Software on a 3G/3.5G phone
+ \item Re-using femtocells in creative ways
+ \item Proprietary PMR systems
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Call for contributions}
+\begin{itemize}
+ \item Don't you agree that classic Internet/TCP/IP is boring and
+ has been researched to death?
+ \item There are many more communications systems out there
+ \item Never trust the industry, they only care about selling
+ their stuff
+ \item Lets democratize access to those communication systems
+ \item Become a contributor or developer today!
+ \item Join our mailing lists, use/improve our code
+ \item for OsmocomBB you only need a EUR 20 phone to start
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Thanks}
+I'd like to thank the many Osmocom developers and contributors,
+especially
+\begin{itemize}
+ \item Dieter Spaar
+ \item Holger Freyther
+ \item Andreas Eversberg
+ \item Sylvain Munaut
+ \item On-Waves e.h.f
+ \item NETZING AG
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Thanks}
+Thanks for your attention. I hope we have time for Q\&A.
+\end{frame}
+
+
+\end{document}
diff --git a/2012/osmocom-ehsm2012/osmosdr.jpg b/2012/osmocom-ehsm2012/osmosdr.jpg
new file mode 100644
index 0000000..730b579
Binary files /dev/null and b/2012/osmocom-ehsm2012/osmosdr.jpg differ
diff --git a/2012/osmocom-ehsm2012/simtrace_and_phone.jpg b/2012/osmocom-ehsm2012/simtrace_and_phone.jpg
new file mode 100644
index 0000000..3fddf27
Binary files /dev/null and b/2012/osmocom-ehsm2012/simtrace_and_phone.jpg differ
diff --git a/2012/osmocom-of2012/abstract.txt b/2012/osmocom-of2012/abstract.txt
new file mode 100644
index 0000000..de22708
--- /dev/null
+++ b/2012/osmocom-of2012/abstract.txt
@@ -0,0 +1,19 @@
+Osmocom.org - Community based Open Source Mobile Communications
+
+For decades, there is a sheer unlimited number of readily available
+Free / Open Source Software (FOSS) projects related to TCP/IP/Ethernet
+networks.
+
+On the contrary, until 2009, there was no FOSS in the field of mobile
+communications protocols like GSM and UMTS at all. Projects like
+OpenBSC and OpenBTS have changed this ever since.
+
+Osmocom.org is a community-based umbrella project containing
+implementations for various network elements of GSM/GPRS/EDGE networks,
+including MS, BTS, BSC (OpenBSC), MGW, STP, SGSN, GGSN, etc.
+Furthermore, it also contains software for GMR (ETSI Geo Mobile Radio,
+used by Thuraya), as well as TETRA, DECT and APCO25.
+
+This lecture will give an overview about the different osmocom.org
+projects, their applications and the motivation of the people who
+implemented the software.
diff --git a/2012/osmocom-of2012/bts_tree_full.jpg b/2012/osmocom-of2012/bts_tree_full.jpg
new file mode 100644
index 0000000..6b5c5e8
Binary files /dev/null and b/2012/osmocom-of2012/bts_tree_full.jpg differ
diff --git a/2012/osmocom-of2012/c123_pcb.jpg b/2012/osmocom-of2012/c123_pcb.jpg
new file mode 100644
index 0000000..a9f24fc
Binary files /dev/null and b/2012/osmocom-of2012/c123_pcb.jpg differ
diff --git a/2012/osmocom-of2012/ezcap_top.jpg b/2012/osmocom-of2012/ezcap_top.jpg
new file mode 100644
index 0000000..d504471
Binary files /dev/null and b/2012/osmocom-of2012/ezcap_top.jpg differ
diff --git a/2012/osmocom-of2012/osmo-e1-xcvr.jpg b/2012/osmocom-of2012/osmo-e1-xcvr.jpg
new file mode 100644
index 0000000..8802e08
Binary files /dev/null and b/2012/osmocom-of2012/osmo-e1-xcvr.jpg differ
diff --git a/2012/osmocom-of2012/osmocom-overview.pdf b/2012/osmocom-of2012/osmocom-overview.pdf
new file mode 100644
index 0000000..eb91fae
Binary files /dev/null and b/2012/osmocom-of2012/osmocom-overview.pdf differ
diff --git a/2012/osmocom-of2012/osmocom-overview.snm b/2012/osmocom-of2012/osmocom-overview.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2012/osmocom-of2012/osmocom-overview.tex b/2012/osmocom-of2012/osmocom-overview.tex
new file mode 100644
index 0000000..708bbd2
--- /dev/null
+++ b/2012/osmocom-of2012/osmocom-overview.tex
@@ -0,0 +1,596 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +\usepackage{url} +\makeatletter +\def\url@leostyle{% + \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}} +\makeatother +%% Now actually use the newly defined style. +\urlstyle{leo} + + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau . +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. + + +\title{osmocom.org - FOSS for mobile comms} + +\subtitle +{community based Free / Open Source Software for communications} + +\author{Harald Welte } + +\institute +{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[] % (optional, should be abbreviation of conference name) +{November 4, 2012 / Sofia / Bulgaria} +% - Either use conference name or its abbreviation. 
+% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{Communications} +% This is only inserted into the PDF information catalog. Can be left +% out. + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + +\begin{frame}{Outline} + \tableofcontents[hideallsubsections] + % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. 
+ +\begin{frame}{About the speaker} +\begin{itemize} + \item Using + toying with Linux since 1994 + \item Kernel / bootloader / driver / firmware development since 1999 + \item IT security expert, focus on network protocol security + \item Former core developer of Linux packet filter netfilter/iptables + \item Board-level Electrical Engineering + \item Always looking for interesting protocols (RFID, DECT, GSM) + \item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN +\end{itemize} +\end{frame} + + +\section{Researching communications systems} + +\subsection{The Rolle of FOSS} + +\begin{frame}{Research in TCP/IP/Ethernet} +Assume you want to do some research in the TCP/IP/Ethernet +communications area, +\begin{itemize} + \item you use off-the-shelf hardware (x86, Ethernet card) + \item you start with the Linux / *BSD stack + \item you add the instrumentation you need + \item you make your proposed modifications + \item you do some testing + \item you write your paper and publish the results +\end{itemize} +\end{frame} + +\begin{frame}{Research in (mobile) communications} +Assume it is before 2009 (before Osmocom) and you want to do some research in mobile comms +\begin{itemize} + \item there is no FOSS implementation of any of the protocols or + functional entities + \item almost no university has a test lab with the required + equipment. And if they do, it is black boxes that you + cannot modify according to your research requirements + \item you turn away at that point, or you cannot work on really + exciting stuff + \item only chance is to partner with commercial company, who + puts you under NDAs and who wants to profit from your + research +\end{itemize} +\end{frame} + +\begin{frame}{GSM/3G vs. 
Internet} +\begin{itemize} + \item Observation + \begin{itemize} + \item Both GSM/3G and TCP/IP protocol specs are publicly available + \item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny + \item GSM networks are as widely deployed as the Internet + \item Yet, GSM/3G protocols receive no such scrutiny! + \end{itemize} + \item There are reasons for that: + \begin{itemize} + \item GSM industry is extremely closed (and closed-minded) + \item Only about 4 closed-source protocol stack implementations + \item GSM chipset makers never release any hardware documentation + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{The closed GSM industry} + +\begin{frame}{The closed GSM industry}{Handset manufacturing side} +\begin{itemize} + \item Only very few companies build GSM/3.5G baseband chips today + \begin{itemize} + \item Those companies buy the operating system kernel and the protocol stack from third parties + \end{itemize} + \item Only very few handset makers are large enough to become a customer + \begin{itemize} + \item Even they only get limited access to hardware documentation + \item Even they never really get access to the firmware source + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{Network manufacturing side} +\begin{itemize} + \item Only very few companies build GSM network equipment + \begin{itemize} + \item Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei + \item Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment + \end{itemize} + \item Only operators buy equipment from them + \item Since the quantities are low, the prices are extremely high + \begin{itemize} + \item e.g. 
for a BTS, easily 10-40k EUR + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{Operator side} +\begin{itemize} + \item Operators are mainly banks today + \item Typical operator outsources + \begin{itemize} + \item Network planning / deployment / servicing + \item Even Billing! + \end{itemize} + \item Operator just knows the closed equipment as shipped by manufacturer + \item Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance +\end{itemize} +\end{frame} + +\begin{frame}{GSM is more than phone calls} +Listening to phone calls is boring... +\begin{itemize} + \item Machine-to-Machine (M2M) communication + \begin{itemize} + \item BMW can unlock/open your car via GSM + \item Alarm systems often report via GSM + \item Smart Metering (Utility companies) + \item GSM-R / European Train Control System + \item Vending machines report that their cash box is full + \item Control if wind-mills supply power into the grid + \item Transaction numbers for electronic banking + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{Security implications} + +\begin{frame}{The closed GSM industry}{Security implications} +The security implications of the closed GSM industry are: +\begin{itemize} + \item Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers + \item No independent research on protocol-level security + \begin{itemize} + \item If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis) + \item Or on application level (e.g. 
mobile malware) + \end{itemize} + \item No open source protocol implementations + \begin{itemize} + \item which are key for making more people learn about the protocols + \item which enable quick prototyping/testing by modifying existing code + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{My self-proclaimed mission} +Mission: Bring TCP/IP/Internet security knowledge to GSM +\begin{itemize} + \item Create tools to enable independent/public IT Security community to examine GSM + \item Try to close the estimated 10 year gap between the state of security technology on the Internet vs. GSM networks + \begin{itemize} + \item Industry thinks in terms of {\em walled garden} and {\em phones behaving like specified} + \item No proper incident response strategies! + \item No packet filters, firewalls, intrusion detection on GSM protocol level + \item General public assumes GSM networks are safer than Internet + \end{itemize} +\end{itemize} +\end{frame} + +\section{Bootstrapping Osmocom} + +\begin{frame} +To actually do research on GSM, we need +\begin{itemize} + \item detailed knowledge on the architecture and protocol stack + \item suitable hardware (there's no PHY/MAC only device like + Ethernet MAC) + \item a Free / Open Source Software implementation of at least + parts of the protocol stack +\end{itemize} +\end{frame} + +\begin{frame}{Bootstrapping GSM Research}{How would you get started?} +If you were to start with GSM protocol level security analysis, where and +how would you start? +\begin{itemize} + \item On the handset side? 
+ \begin{itemize} + \item Difficult since GSM firmware and protocol stacks are closed and proprietary + \item Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too + \item Publicly known attempts + \begin{itemize} + \item The TSM30 project as part of the THC GSM project + \item mados, an alternative OS for Nokia DTC3 phones + \end{itemize} + \item none of those projects successful so far + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Bootstrapping GSM research}{How would you get started?} +If you were to start with GSM protocol level security analysis, where and +how would you start? +\begin{itemize} + \item On the network side? + \begin{itemize} + \item Difficult since equipment is not easily available and normally extremely expensive + \item However, network is very modular and has many standardized/documented interfaces + \item Thus, if BTS equipment is available, much easier/faster progress + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Bootstrapping GSM research}{The bootstrapping process} +\begin{itemize} + \item Read GSM specs (> 1000 PDF documents, each hundreds of pages) + \item Gradually grow knowledge about the protocols + \item Obtain actual GSM network equipment (BTS) + \item Try to get actual protocol traces as examples + \item Start a complete protocol stack implementation from scratch + \item Finally, go and play with GSM protocol security +\end{itemize} +\end{frame} + +\section{The Osmocom project} + +\begin{frame}{Osmocom / osmocom.org} +\begin{itemize} + \item Osmocom == Open Soruce Mobile Communications + \item Classic collaborative, community-driven FOSS project + \item Gathers creative people who want to explore this + industry-dominated closed mobile communications world + \item communication via mailing lists, IRC + \item soure code in git, information in trac/wiki + \item http://osmocom.org/ +\end{itemize} +\end{frame} + +\subsection{Osmocom 
sub-projects} + +\begin{frame}{OpenBSC} +\begin{itemize} + \item first Osmocom project + \item Implements GSM A-bis interface towards BTS + \item Supports Siemens, ip.access, Ericsson and Nokia BTS + \item can implement only BSC function (osmo-bsc) or a fully + autonomous self-contained GSM network (osmo-nitb) that + requires no external MSC/VLR/AUC/HLR/EIR + \item deployed in > 200 installations world-wide, commercial and + research +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC test installation} +\begin{figure}[h] +\centering +\includegraphics[width=60mm]{bts_tree_full.jpg} +\end{figure} +\end{frame} + +\begin{frame}{OsmoSGSN / OpenGGSN} +\begin{itemize} + \item extends the OpenBSC based network from GSM to GPRS/EDGE by + implementing the classic SGSN and GGSN functional + entities + \item OpenGGSN existed already, but was abandoned by original + author + \item Works only with BTSs that provides Gb interface, like + ip.access nanoBTS + \item Suitable for research only, not production ready +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomBB} +\begin{itemize} + \item Full baseband processor firmware implementation of a mobile phone (MS) + \item We re-use existing phone hardware and re-wrote the L1, L2, + L3 and higher level logic + \item Higher layers reuse code from OpenBSC wherever possible + \item Used in a number of universities and other research contexts +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=50mm]{c123_pcb.jpg} +\end{figure} +\end{frame} + +\begin{frame}{OsmocomTETRA} +\begin{itemize} + \item SDR implementation of a TETRA radio-modem (PHY/MAC) + \item Rx is fully implemented, Tx only partial + \item Can be used for air interface interception + \item Accompanied by wireshark dissectors for the TETRA protocol + stack +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomGMR} +\begin{itemize} + \item ETSI GMR (Geo Mobile Radio) is "GSM for satellites" + \item GMR-1 used by Thuraya satellite network + \item OsmocomGMR 
implements SDR based radiomodem + PHY/MAC (Rx) + \item Partial wireshark dissectors for the protocol stack + \item Reverse engineered implementation of GMR-A5 crypto + \item Speech codec is proprietary, still needs reverse engineering +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomDECT} +\begin{itemize} + \item ETSI DECT (Digital European Cordless Telephony) is used in + millions of cordless phones + \item deDECTed.org project started with open source protocol + analyzers and demonstrated many vulnerabilities + \item OsmocomDECT is an implementation of the DECT hardware + drivers and protocols for the Linux kernel + \item Integrates with Asterisk +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomOP25} +\begin{itemize} + \item APCO25 is Professional PMR system used in the US + \item Can be compared to TETRA in Europe + \item OsmocomOP25 is again SDR receiver + protocol analyzer +\end{itemize} +\end{frame} + +\begin{frame}{OsmoSDR} +\begin{itemize} + \item small, low-power / low-cost USB SDR hardware + \item higher bandwidth than FunCubeDonglePro + \item much lower cost than USRP + \item Open Hardware + \item Developer units available +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=70mm]{osmosdr.jpg} +\end{figure} +\end{frame} + +\begin{frame}{rtl-sdr} +\begin{itemize} + \item re-purpose a USD 20 DVB-T USB dongle based on Realtek chipset + \item deactivate/bypass DVB-T demodulator / MPEG decoder + \item pass baseband samples via high-speed USB into PC + \item no open hardware, but Free Software +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=70mm]{ezcap_top.jpg} +\end{figure} +\end{frame} + +\begin{frame}{OsmocomSIMTRACE} +\begin{itemize} + \item Hardware protocol tracer for SIM - phone interface + \item Wireshark protocol dissector for SIM-ME protocol (TS 11.11) + \item Can be used for SIM Application development / analysis + \item Also capable of SIM card emulation and man-in-the-middle attacks +\end{itemize} 
+\begin{figure}[h] +\centering +\includegraphics[width=60mm]{simtrace_and_phone.jpg} +\end{figure} +\end{frame} + +\begin{frame}{Osmo-E1-Xcvr} +\begin{itemize} + \item Open hardware project for interfacing E1 lines with + microcontrollers + \item So far no software/firmware yet, stay tuned! +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=60mm]{osmo-e1-xcvr.jpg} +\end{figure} +\end{frame} + +\begin{frame}{osmo\_ss7, osmo\_map, signerl} +\begin{itemize} + \item Erlang-language SS7 implementation (MTP3, SCCP, TCAP, MAP) + \item Sigtran variants (M2PA, M2UA, M3UA and SUA) + \item Enables us to interface with GSM/UMTS inter-operator core network + \item Already used in production in some really nasty + special-purpose protocol translators (think of NAT for + SS7) +\end{itemize} +\end{frame} + +\subsection{Non-osmocom projects} + +\begin{frame}{The OpenBTS Um - SIP bridge} +\begin{itemize} + \item OpenBTS is a SDR implementation of GSM Um radio interface + \item directly bridges to SIP/RTP, no A-bis/BSC/A/MSC + \item suitable for research on air interface, but very different + from traditional GSM networks + \item work is being done to make it interoperable with OpenBSC +\end{itemize} +\end{frame} + +\begin{frame}{airprobe.org} +\begin{itemize} + \item SDR implementation of Um sniffer + \item suitable for receiving GSM Um downlink and uplink + \item predates all of the other projects + \item more or less abandoned at this point +\end{itemize} +\end{frame} + +\begin{frame}{sysmocom GmbH}{systems for mobile communications} +\begin{itemize} + \item small company, started by two Osmocom developers in Berlin + \item provides commercial R\&d and support for professional + users of Osmocom software + \item develops its own producst like sysmoBTS (inexpensive, + small-form-factor, OpenBSC compatible BTS) + \item runs a small webshop for Osmocom related hardware like + OsmocomBB compatible phones, SIMtrace, etc. 
+\end{itemize} +\end{frame} + + +\subsection{Future projects} + +\begin{frame}{Where do we go from here?} +\begin{itemize} + \item Dieter Spaar has been working with 3G NodeBs (Ericsson, + Nokia) to be able to run our own RNC + \item Research into intercepting microwave back-haul links + \item Research into GPS simulation / transmission / faking + \item Port of OsmocomBB to other baseband chips + \item Low-level control from Free Software on a 3G/3.5G phone + \item Re-using femtocells in creative ways + \item Proprietary PMR systems +\end{itemize} +\end{frame} + +\begin{frame}{Call for contributions} +\begin{itemize} + \item Don't you agree that classic Internet/TCP/IP is boring and + has been researched to death? + \item There are many more communications systems out there + \item Never trust the industry, they only care about selling + their stuff + \item Lets democratize access to those communication systems + \item Become a contributor or developer today! + \item Join our mailing lists, use/improve our code + \item for OsmocomBB you only need a EUR 20 phone to start +\end{itemize} +\end{frame} + +\begin{frame}{Thanks} +I'd like to thank the many Osmocom developers and contributors, +especially +\begin{itemize} + \item Dieter Spaar + \item Holger Freyther + \item Andreas Eversberg + \item Sylvain Munaut + \item On-Waves e.h.f + \item NETZING AG +\end{itemize} +\end{frame} + + +\begin{frame}{Thanks} +Thanks for your attention. I hope we have time for Q\&A. +\end{frame} + + +\end{document} diff --git a/2012/osmocom-of2012/osmosdr.jpg b/2012/osmocom-of2012/osmosdr.jpg new file mode 100644 index 0000000..730b579 Binary files /dev/null and b/2012/osmocom-of2012/osmosdr.jpg differ diff --git a/2012/osmocom-of2012/simtrace_and_phone.jpg b/2012/osmocom-of2012/simtrace_and_phone.jpg new file mode 100644 index 0000000..3fddf27 Binary files /dev/null and b/2012/osmocom-of2012/simtrace_and_phone.jpg differ 
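Review bot: Several slide titles and bullets in 2012/osmocom-of2012/osmocom-overview.tex carry spelling errors that will show on the rendered slides: `\subsection{The Rolle of FOSS}` should read `The Role of FOSS`, `Open Soruce Mobile Communications` should read `Open Source Mobile Communications`, and `soure code in git` should read `source code in git`. The sysmocom frame also has `R\&d` and `producst`. The same text appears in the osdc2012 copy of this file, whose hunk continues past the visible part of the diff. Since this commit is a bulk import of an old repository, correcting them in a follow-up commit would keep the import itself faithful to the original.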
diff --git a/2012/osmocom-osdc2012/abstract.txt b/2012/osmocom-osdc2012/abstract.txt
new file mode 100644
index 0000000..de22708
--- /dev/null
+++ b/2012/osmocom-osdc2012/abstract.txt
@@ -0,0 +1,19 @@
+Osmocom.org - Community based Open Source Mobile Communications
+
+For decades, there is a sheer unlimited number of readily available
+Free / Open Source Software (FOSS) projects related to TCP/IP/Ethernet
+networks.
+
+On the contrary, until 2009, there was no FOSS in the field of mobile
+communications protocols like GSM and UMTS at all. Projects like
+OpenBSC and OpenBTS have changed this ever since.
+
+Osmocom.org is a community-based umbrella project containing
+implementations for various network elements of GSM/GPRS/EDGE networks,
+including MS, BTS, BSC (OpenBSC), MGW, STP, SGSN, GGSN, etc.
+Furthermore, it also contains software for GMR (ETSI Geo Mobile Radio,
+used by Thuraya), as well as TETRA, DECT and APCO25.
+
+This lecture will give an overview about the different osmocom.org
+projects, their applications and the motivation of the people who
+implemented the software.
diff --git a/2012/osmocom-osdc2012/bts_tree_full.jpg b/2012/osmocom-osdc2012/bts_tree_full.jpg
new file mode 100644
index 0000000..6b5c5e8
Binary files /dev/null and b/2012/osmocom-osdc2012/bts_tree_full.jpg differ
diff --git a/2012/osmocom-osdc2012/c123_pcb.jpg b/2012/osmocom-osdc2012/c123_pcb.jpg
new file mode 100644
index 0000000..a9f24fc
Binary files /dev/null and b/2012/osmocom-osdc2012/c123_pcb.jpg differ
diff --git a/2012/osmocom-osdc2012/osmo-e1-xcvr.jpg b/2012/osmocom-osdc2012/osmo-e1-xcvr.jpg
new file mode 100644
index 0000000..8802e08
Binary files /dev/null and b/2012/osmocom-osdc2012/osmo-e1-xcvr.jpg differ
diff --git a/2012/osmocom-osdc2012/osmocom-overview.pdf b/2012/osmocom-osdc2012/osmocom-overview.pdf
new file mode 100644
index 0000000..181cd73
Binary files /dev/null and b/2012/osmocom-osdc2012/osmocom-overview.pdf differ
diff --git a/2012/osmocom-osdc2012/osmocom-overview.snm b/2012/osmocom-osdc2012/osmocom-overview.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2012/osmocom-osdc2012/osmocom-overview.tex b/2012/osmocom-osdc2012/osmocom-overview.tex
new file mode 100644
index 0000000..c25b053
--- /dev/null
+++ b/2012/osmocom-osdc2012/osmocom-overview.tex
@@ -0,0 +1,624 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +\usepackage{url} +\makeatletter +\def\url@leostyle{% + \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}} +\makeatother +%% Now actually use the newly defined style. +\urlstyle{leo} + + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau . +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. + + +\title{osmocom.org - FOSS for mobile comms} + +\subtitle +{community based Free / Open Source Software for communications} + +\author{Harald Welte } + +\institute +{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[] % (optional, should be abbreviation of conference name) +{October 13, OSDC.fr / Paris} +% - Either use conference name or its abbreviation. 
+% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{Communications} +% This is only inserted into the PDF information catalog. Can be left +% out. + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + +\begin{frame}{Outline} + \tableofcontents[hideallsubsections] + % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. 
+ +\begin{frame}{About the speaker} +\begin{itemize} + \item Using + toying with Linux since 1994 + \item Kernel / bootloader / driver / firmware development since 1999 + \item IT security expert, focus on network protocol security + \item Former core developer of Linux packet filter netfilter/iptables + \item Board-level Electrical Engineering + \item Always looking for interesting protocols (RFID, DECT, GSM) + \item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN +\end{itemize} +\end{frame} + + +\section{Researching communications systems} + +\subsection{The Rolle of FOSS} + +\begin{frame}{Research in TCP/IP/Ethernet} +Assume you want to do some research in the TCP/IP/Ethernet +communications area, +\begin{itemize} + \item you use off-the-shelf hardware (x86, Ethernet card) + \item you start with the Linux / *BSD stack + \item you add the instrumentation you need + \item you make your proposed modifications + \item you do some testing + \item you write your paper and publish the results +\end{itemize} +\end{frame} + +\begin{frame}{Research in (mobile) communications} +Assume it is before 2009 (before Osmocom) and you want to do some research in mobile comms +\begin{itemize} + \item there is no FOSS implementation of any of the protocols or + functional entities + \item almost no university has a test lab with the required + equipment. And if they do, it is black boxes that you + cannot modify according to your research requirements + \item you turn away at that point, or you cannot work on really + exciting stuff + \item only chance is to partner with commercial company, who + puts you under NDAs and who wants to profit from your + research +\end{itemize} +\end{frame} + +\begin{frame}{GSM/3G vs. 
Internet} +\begin{itemize} + \item Observation + \begin{itemize} + \item Both GSM/3G and TCP/IP protocol specs are publicly available + \item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny + \item GSM networks are as widely deployed as the Internet + \item Yet, GSM/3G protocols receive no such scrutiny! + \end{itemize} + \item There are reasons for that: + \begin{itemize} + \item GSM industry is extremely closed (and closed-minded) + \item Only about 4 closed-source protocol stack implementations + \item GSM chipset makers never release any hardware documentation + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{The closed GSM industry} + +\begin{frame}{The closed GSM industry}{Handset manufacturing side} +\begin{itemize} + \item Only very few companies build GSM/3.5G baseband chips today + \begin{itemize} + \item Those companies buy the operating system kernel and the protocol stack from third parties + \end{itemize} + \item Only very few handset makers are large enough to become a customer + \begin{itemize} + \item Even they only get limited access to hardware documentation + \item Even they never really get access to the firmware source + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{Network manufacturing side} +\begin{itemize} + \item Only very few companies build GSM network equipment + \begin{itemize} + \item Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei + \item Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment + \end{itemize} + \item Only operators buy equipment from them + \item Since the quantities are low, the prices are extremely high + \begin{itemize} + \item e.g. 
for a BTS, easily 10-40k EUR + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{Operator side} +\begin{itemize} + \item Operators are mainly banks today + \item Typical operator outsources + \begin{itemize} + \item Network planning / deployment / servicing + \item Even Billing! + \end{itemize} + \item Operator just knows the closed equipment as shipped by manufacturer + \item Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance +\end{itemize} +\end{frame} + +\begin{frame}{GSM is more than phone calls} +Listening to phone calls is boring... +\begin{itemize} + \item Machine-to-Machine (M2M) communication + \begin{itemize} + \item BMW can unlock/open your car via GSM + \item Alarm systems often report via GSM + \item Smart Metering (Utility companies) + \item GSM-R / European Train Control System + \item Vending machines report that their cash box is full + \item Control if wind-mills supply power into the grid + \item Transaction numbers for electronic banking + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{Security implications} + +\begin{frame}{The closed GSM industry}{Security implications} +The security implications of the closed GSM industry are: +\begin{itemize} + \item Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers + \item No independent research on protocol-level security + \begin{itemize} + \item If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis) + \item Or on application level (e.g. 
mobile malware) + \end{itemize} + \item No open source protocol implementations + \begin{itemize} + \item which are key for making more people learn about the protocols + \item which enable quick prototyping/testing by modifying existing code + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{The closed GSM industry}{My self-proclaimed mission} +Mission: Bring TCP/IP/Internet security knowledge to GSM +\begin{itemize} + \item Create tools to enable independent/public IT Security community to examine GSM + \item Try to close the estimated 10 year gap between the state of security technology on the Internet vs. GSM networks + \begin{itemize} + \item Industry thinks in terms of {\em walled garden} and {\em phones behaving like specified} + \item No proper incident response strategies! + \item No packet filters, firewalls, intrusion detection on GSM protocol level + \item General public assumes GSM networks are safer than Internet + \end{itemize} +\end{itemize} +\end{frame} + +\section{Bootstrapping Osmocom} + +\begin{frame} +To actually do research on GSM, we need +\begin{itemize} + \item detailed knowledge on the architecture and protocol stack + \item suitable hardware (there's no PHY/MAC only device like + Ethernet MAC) + \item a Free / Open Source Software implementation of at least + parts of the protocol stack +\end{itemize} +\end{frame} + +\begin{frame}{Bootstrapping GSM Research}{How would you get started?} +If you were to start with GSM protocol level security analysis, where and +how would you start? +\begin{itemize} + \item On the handset side? 
+ \begin{itemize} + \item Difficult since GSM firmware and protocol stacks are closed and proprietary + \item Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too + \item Publicly known attempts + \begin{itemize} + \item The TSM30 project as part of the THC GSM project + \item mados, an alternative OS for Nokia DTC3 phones + \end{itemize} + \item none of those projects successful so far + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Bootstrapping GSM research}{How would you get started?} +If you were to start with GSM protocol level security analysis, where and +how would you start? +\begin{itemize} + \item On the network side? + \begin{itemize} + \item Difficult since equipment is not easily available and normally extremely expensive + \item However, network is very modular and has many standardized/documented interfaces + \item Thus, if BTS equipment is available, much easier/faster progress + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Bootstrapping GSM research}{The bootstrapping process} +\begin{itemize} + \item Read GSM specs (> 1000 PDF documents, each hundreds of pages) + \item Gradually grow knowledge about the protocols + \item Obtain actual GSM network equipment (BTS) + \item Try to get actual protocol traces as examples + \item Start a complete protocol stack implementation from scratch + \item Finally, go and play with GSM protocol security +\end{itemize} +\end{frame} + +\section{The Osmocom project} + +\begin{frame}{Osmocom / osmocom.org} +\begin{itemize} + \item Osmocom == Open Soruce Mobile Communications + \item Classic collaborative, community-driven FOSS project + \item Gathers creative people who want to explore this + industry-dominated closed mobile communications world + \item communication via mailing lists, IRC + \item soure code in git, information in trac/wiki + \item http://osmocom.org/ +\end{itemize} +\end{frame} + +\subsection{Osmocom 
sub-projects} + +\begin{frame}{OpenBSC} +\begin{itemize} + \item first Osmocom project + \item Implements GSM A-bis interface towards BTS + \item Supports Siemens, ip.access, Ericsson, Nokia and sysmocom BTS + \item can implement only BSC function (osmo-bsc) or a fully + autonomous self-contained GSM network (osmo-nitb) that + requires no external MSC/VLR/AUC/HLR/EIR + \item deployed in > 200 installations world-wide, commercial and + research +\end{itemize} +\end{frame} + +\begin{frame}{OpenBSC test installation} +\begin{figure}[h] +\centering +\includegraphics[width=60mm]{bts_tree_full.jpg} +\end{figure} +\end{frame} + +\begin{frame}{OsmoSGSN / OpenGGSN} +\begin{itemize} + \item extends the OpenBSC based network from GSM to GPRS/EDGE by + implementing the classic SGSN and GGSN functional + entities + \item OpenGGSN existed already, but was abandoned by original + author + \item Works only with BTSs that provides Gb interface, like + ip.access nanoBTS + \item Suitable for research only, not production ready +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomBB} +\begin{itemize} + \item Full baseband processor firmware implementation of a mobile phone (MS) + \item We re-use existing phone hardware and re-wrote the L1, L2, + L3 and higher level logic + \item Higher layers reuse code from OpenBSC wherever possible + \item Used in a number of universities and other research contexts +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=50mm]{c123_pcb.jpg} +\end{figure} +\end{frame} + +\begin{frame}{OsmocomTETRA} +\begin{itemize} + \item SDR implementation of a TETRA radio-modem (PHY/MAC) + \item Rx is fully implemented, Tx only partial + \item Can be used for air interface interception + \item Accompanied by wireshark dissectors for the TETRA protocol + stack +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomGMR} +\begin{itemize} + \item ETSI GMR (Geo Mobile Radio) is "GSM for satellites" + \item GMR-1 used by Thuraya satellite network + \item 
OsmocomGMR implements SDR based radiomodem + PHY/MAC (Rx) + \item Partial wireshark dissectors for the protocol stack + \item Reverse engineered implementation of GMR-A5 crypto + \item Speech codec is proprietary, still needs reverse engineering +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomDECT} +\begin{itemize} + \item ETSI DECT (Digital European Cordless Telephony) is used in + millions of cordless phones + \item deDECTed.org project started with open source protocol + analyzers and demonstrated many vulnerabilities + \item OsmocomDECT is an implementation of the DECT hardware + drivers and protocols for the Linux kernel + \item Integrates with Asterisk +\end{itemize} +\end{frame} + +\begin{frame}{OsmocomOP25} +\begin{itemize} + \item APCO25 is Professional PMR system used in the US + \item Can be compared to TETRA in Europe + \item OsmocomOP25 is again SDR receiver + protocol analyzer +\end{itemize} +\end{frame} + +\begin{frame}{OsmoSDR} +\begin{itemize} + \item small, low-power / low-cost USB SDR hardware + \item higher bandwidth than FunCubeDonglePro + \item much lower cost than USRP + \item Open Hardware + \item Board available to developers only (Firmware not finished) +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=70mm]{osmosdr.jpg} +\end{figure} +\end{frame} + +\begin{frame}{OsmocomSIMTRACE} +\begin{itemize} + \item Hardware protocol tracer for SIM - phone interface + \item Wireshark protocol dissector for SIM-ME protocol (TS 11.11) + \item Can be used for SIM Application development / analysis + \item Also capable of SIM card emulation and man-in-the-middle attacks +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=60mm]{simtrace_and_phone.jpg} +\end{figure} +\end{frame} + +\begin{frame}{osmo-e1-xcvr} +\begin{itemize} + \item Open hardware project for interfacing E1 lines with + microcontrollers + \item So far no software/firmware yet, stay tuned! 
+\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=60mm]{osmo-e1-xcvr.jpg} +\end{figure} +\end{frame} + +\begin{frame}{osmo-bts-amp} +\begin{itemize} + \item Open hardware project for a 2W PA, LNA and ceramic + duplexer to amplify small BTSs like ip.access nanoBTS + \item 2W may sound little, but from 200mW it's a factor of 10 + \item Still much less than a regular macro cell, but more than a + picocell for indoor coverage + \item Scheamtics and Gerber files for the hardware available openly + \item small and compact form factor compared to large/bulky cavity duplexers +\end{itemize} +\end{frame} + +\begin{frame}{OsmoCOS} +\begin{itemize} + \item Smartcards such as SIM/USIM cards, but actually any type + of chip/smartcards you can normally buy are proprietary + and closed, as chip makers never release manuals + \item Even if you write your own Card Operating System (COS), + normally you would have to put it in mask ROM, requiring + six or seven digit quantities as it basically would be + your own version of the silicon. + \item Thus, so far, all Smart Cards (even the OpenPGP Smart + Card) run proprietary software inside +\end{itemize} +\end{frame} + +\begin{frame}{OsmoCOS} +\begin{itemize} + \item We found a Chinese smarcard chip maker (ChipCity) that + provided the programming manual to their chip without + NDA. It has no ROM, but 256 kByte Flash and a known + ARM7TDMI core. 
+ \item We started to write some low-level code like hardware + drivers and can now work on our own Card Operating + System + \item Progress is slow, due to many other projects and few + contributors +\end{itemize} +\end{frame} + + +\begin{frame}{osmo\_ss7, osmo\_map, signerl} +\begin{itemize} + \item Erlang-language SS7 implementation (MTP3, SCCP, TCAP, MAP) + \item Sigtran variants (M2PA, M2UA, M3UA and SUA) + \item Enables us to interface with GSM/UMTS inter-operator core network + \item Already used in production in some really nasty + special-purpose protocol translators (think of NAT for + SS7) +\end{itemize} +\end{frame} + +\subsection{Non-osmocom projects} + +\begin{frame}{The OpenBTS Um - SIP bridge} +\begin{itemize} + \item OpenBTS is a SDR implementation of GSM Um radio interface + \item directly bridges to SIP/RTP, no A-bis/BSC/A/MSC + \item suitable for research on air interface, but very different + from traditional GSM networks + \item work is being done to make it interoperable with OpenBSC +\end{itemize} +\end{frame} + +\begin{frame}{airprobe.org} +\begin{itemize} + \item SDR implementation of Um sniffer + \item suitable for receiving GSM Um downlink and uplink + \item predates all of the other projects + \item more or less abandoned at this point +\end{itemize} +\end{frame} + +\begin{frame}{sysmocom GmbH}{systems for mobile communications} +\begin{itemize} + \item small company, started by two Osmocom developers in Berlin + \item provides commercial R\&d and support for professional + users of Osmocom software + \item develops its own producst like sysmoBTS (inexpensive, + small-form-factor, OpenBSC compatible BTS) + \item runs a small webshop for Osmocom related hardware like + OsmocomBB compatible phones, SIMtrace, etc. 
+\end{itemize} +\end{frame} + + +\subsection{Future projects} + +\begin{frame}{Where do we go from here?} +\begin{itemize} + \item Dieter Spaar has been working with 3G NodeBs (Ericsson, + Nokia) to be able to run our own RNC + \item Research into intercepting microwave back-haul links + \item Research into GPS simulation / transmission / faking + \item Port of OsmocomBB to other baseband chips + \item Low-level control from Free Software on a 3G/3.5G phone + \item Re-using femtocells in creative ways + \item Proprietary PMR systems +\end{itemize} +\end{frame} + +\begin{frame}{Call for contributions} +\begin{itemize} + \item Don't you agree that classic Internet/TCP/IP is boring and + has been researched to death? + \item There are many more communications systems out there + \item Never trust the industry, they only care about selling + their stuff + \item Lets democratize access to those communication systems + \item Become a contributor or developer today! + \item Join our mailing lists, use/improve our code + \item for OsmocomBB you only need a EUR 20 phone to start +\end{itemize} +\end{frame} + +\begin{frame}{Thanks} +I'd like to thank the many Osmocom developers and contributors, +especially +\begin{itemize} + \item Dieter Spaar + \item Holger Freyther + \item Andreas Eversberg + \item Sylvain Munaut + \item On-Waves e.h.f + \item NETZING AG +\end{itemize} +\end{frame} + + +\begin{frame}{Thanks} +Thanks for your attention. I hope we have time for Q\&A. +\end{frame} + + +\end{document} diff --git a/2012/osmocom-osdc2012/osmosdr.jpg b/2012/osmocom-osdc2012/osmosdr.jpg new file mode 100644 index 0000000..730b579 Binary files /dev/null and b/2012/osmocom-osdc2012/osmosdr.jpg differ diff --git a/2012/osmocom-osdc2012/simtrace_and_phone.jpg b/2012/osmocom-osdc2012/simtrace_and_phone.jpg new file mode 100644 index 0000000..3fddf27 Binary files /dev/null and b/2012/osmocom-osdc2012/simtrace_and_phone.jpg differ 
diff --git a/2012/phone_hw_arch-osmug2012/c123_pcb.jpg b/2012/phone_hw_arch-osmug2012/c123_pcb.jpg
new file mode 100644
index 0000000..a9f24fc
Binary files /dev/null and b/2012/phone_hw_arch-osmug2012/c123_pcb.jpg differ
diff --git a/2012/phone_hw_arch-osmug2012/phone_anatomy.pdf b/2012/phone_hw_arch-osmug2012/phone_anatomy.pdf
new file mode 100644
index 0000000..bff5f9f
Binary files /dev/null and b/2012/phone_hw_arch-osmug2012/phone_anatomy.pdf differ
diff --git a/2012/phone_hw_arch-osmug2012/phone_anatomy.snm b/2012/phone_hw_arch-osmug2012/phone_anatomy.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2012/phone_hw_arch-osmug2012/phone_anatomy.tex b/2012/phone_hw_arch-osmug2012/phone_anatomy.tex
new file mode 100644
index 0000000..59fa740
--- /dev/null
+++ b/2012/phone_hw_arch-osmug2012/phone_anatomy.tex
@@ -0,0 +1,434 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +\usepackage{url} +\makeatletter +\def\url@leostyle{% + \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}} +\makeatother +%% Now actually use the newly defined style. +\urlstyle{leo} + + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau . +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. + + +\title{Anatomy of modern cell phones} + +\subtitle +{the 2012 update of the 2010 paper about 2005 phones ;)} + +\author{Harald Welte } + +\institute +{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[] % (optional, should be abbreviation of conference name) +{August 8, 2012 / OSmocom Berlin User Group} +% - Either use conference name or its abbreviation. 
+% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{Communications} +% This is only inserted into the PDF information catalog. Can be left +% out. + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + +\begin{frame}{Outline} + \tableofcontents[hideallsubsections] + % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. 
+ +\begin{frame}{About the speaker} +\begin{itemize} + \item Using + toying with Linux since 1994 + \item Kernel / bootloader / driver / firmware development since 1999 + \item IT security expert, focus on network protocol security + \item Former core developer of Linux packet filter netfilter/iptables + \item Board-level Electrical Engineering + \item Always looking for interesting protocols (RFID, DECT, GSM) + \item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN +\end{itemize} +\end{frame} + + +\section{Classic GSM phone architecture} + +\begin{frame}{The classic GSM phone design} +\begin{itemize} + \item Classic GSM mobile phones didn't really change much for 10 years from 1992 to 2002 + \item RF circuitry for analog RX and TX (mixers, filters, PA) + \item DSP for radio modem, mostly Rx side, hardware modulator + \item Microcontroller (often ARM7TDMI) for protocol stack + UI + \item VCTCXO for clock generation + \item Serial Port with AT-commands over RS-232 +\end{itemize} +\end{frame} + +% picture of calypso based phone + +\begin{frame}{Improvements in classic GSM phone design} +\begin{itemize} + \item DSP was becoming faster, permitted better voice codecs + \item DPS and controller merged in one chip/component to simply PCB design + \item Improvements on analog side from IF to zero-IF to low-IF designs + \item Smaller silicon processes for power and space savings +\end{itemize} +\end{frame} + +\section{Evolution to Smart Phones} + +\begin{frame}{Personal Digital Assistants} +\begin{itemize} + \item In the late 1990ies, PDAs became popular (Palm, Sharp, Compaq, ...) 
+ \item A PDA was a mostly pen-operated embedded device with large screen + \item PDAs only had RS-232 to sync with desktop PCs but no wireless interfaces + \item Some people connect your PDA over RS-232 to the mobile phone + \item But: Until 2000, SMS and CSD was the only data transport medium +\end{itemize} +\end{frame} + +\begin{frame}{From classic phone to smart phone} +\begin{itemize} + \item Companies started to put a phone and a PDA in one case + \item Interconnection between still a normal UART with AT commands + \item Phone part had keyboard and display removed, AT commands are only interface + \item OS on PDA side much more powerful than OS on phones at that time (PalmOS, Windows CE / PocketPC, ...) + \item PDA-side CPU called {\em Application Processor} (AP) + \item Phone-side CPU called {\em Baseband Processor} (BP) +\end{itemize} +\end{frame} + +\begin{frame}{smart phone evolution} +\begin{itemize} + \item GSM phone (now called "modem") gets GPRS, later EDGE support + \item AP gets faster (from m68k/arm7tdmi to ARM920, ARM926, ARM11....) + \item Color displays, higher resolutions + \item Mobile GPUs for video encoding/decoding, cameras, ... + \item Resistive touch screens replaced by capacitive touch + \item AP OS more full-blown (Linux, iOS, ...) +\end{itemize} +\end{frame} + +\begin{frame}{Baseband processors: An abuse of feature phone SoCs!} +Until almost the end of the 2000's, +\begin{itemize} + \item BPs continue to be made primarily for feature phones + \item BPs thus still contain keypad scan matrix, display interface, etc. + \item BPs external interfaces are primarily developed for connecting + the feature phone to a computer, i.e. USB. +\end{itemize} +Only recently, smart phones have been so popular that BPs are designed with them as +a primary user! 
+\end{frame} + +\begin{frame}{AP / BP memories} +\begin{itemize} + \item AP and BP are separate SoCs + \item they each have their own address/memory bus and flash memories + \item those memories traditionally are in separate components for AP and BP + \begin{itemize} + \item often an integrated NOR+SRAM (later NAND+SDRAM) for the BP + \item SDRAM + NAND (later mDDR + eMMC) on the the AP + \end{itemize} + \item You can still see the 'two brain syndrome' from the DPA + + featurephone legacy +\end{itemize} +\end{frame} + +\section{Current situation and trends} + +\begin{frame}{2012 smart phones} +\begin{itemize} + \item Has AP with two or four cores (Exynos 4412, Tegra 3, ...) + \item Has BP with ARM1176 core (better than AP some years ago!) + \item Still have the separation of AP and BP processor + \item Often still use AT commands to control the BP + \item Normally don't use UART physical interface anymore, as it's too slow for HSPA speeds +\end{itemize} +\end{frame} + + +\subsection{AP/BP interface technologies} + +\begin{frame}{AP/BP interfaces} +Many different variants exist today: +\begin{description}[MIPI HSI] + \item[USB] e.g. used around 2005/2006 by Motorola EZX + \item[MIPI HSI] High-Speed serial interface designed specifically for phones + \item[HSIC] A different USB physical layer (from usb.org) + \item[DPRAM] Dual-Ported RAM +\end{description} +\end{frame} + +\begin{frame}{AP-BP IF: Universal Serial Bus} +\begin{itemize} + \item full-speed USB significantly better than UART speeds + \item AP SoC often contained USB host controller anyway + \item BP (made for feature phones) also had USB instead of UART for PC connection +\end{itemize} +\end{frame} + +\begin{frame}{AP-BP IF: MIPI HSI} +\begin{itemize} + \item HSI: High-Speed Synchronous Serial Interface + \item MIPI Alliance is a vendor consortium in the mobile space + \item They specify a variety of other interfaces, e.g. for display, battery, camera, ABB/DBB, ... 
+ \item Adoption of MIPI HSI not very big (yet?) today +\end{itemize} +\end{frame} + +\begin{frame}{AP-BP IF: HSIC} +\begin{itemize} + \item High-Speed Inter-Circuit specification from USB forum + \item removes USB phy for transmission over long wires + \item can transport high-speed USB (480 Mbits) + \item regular USB protocol stack on AP and BP + \item primarily used by Samsung for Infineon XGold BP +\end{itemize} +\end{frame} + +\begin{frame}{AP-BP IF: Dual-Ported RAM} +\begin{itemize} + \item A RAM component with two separate Address and Data busses + \item Shared-Memory mailbox protocol between AP and BP + \item Lots of bus routing on PCB + \item Some AP have DPRAM internal and connect one side internally to the AP CPU core on the die + \item Very good match for SPoC (Smart Phone on a Chip) like Qualcomm MSM +\end{itemize} +\end{frame} + + +\section{Smart Phone on a Chip} + +\subsection{Introducing the SPoC} + +\begin{frame}{Smart Phone on a Chip (SPoC)} +Around the time the Google G1 came out +\begin{itemize} + \item Qualcomm was offering the first integrated SPoC (MSM7200) + \item Integrate AP and BP CPU core + their peripherals on one chip/die + \item Important for reducing required PCB footprint in devices + \item Important for reducing PCB routing requirements + \item Enables deeper integration between AP and BP +\end{itemize} +\end{frame} + +\begin{frame}{SPoC AP-BP integration} +\begin{itemize} + \item So far, AP and BP had their own SoCs, address/memory bus, memories, etc. 
+ \item With SPoC, you can simply use the same RAM and flash chips, and somehow divide them between AP and BP + \begin{itemize} + \item part of the physical RAM is mapped into AP, another part into BP + \item part of the flash is accessed by the AP, another part by the BP + \item added benefit: you can map some RAM into both, and get a DPRAM-like shared memory mailbox interface for the AP-BP interface + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{Industry Politics} + +\begin{frame}{SPoC industry politics, 1/2} +\begin{itemize} + \item For years, ST-Ericsson only alternative to QC with integrated AP+BP (U8500) + \begin{itemize} + \item Infineon never had an AP business, only BP + \item Samsung System LSI never had a BP business, only AP + \item Nokia has been sleeping too long, then sold off their BP to Reensas + \item TI had a GSM/GPRS/EDGE BP business until 2008, then closed it down + \item NXP sold off their BP business and merged it with ST, later Ericsson Mobile Platforms (EMP) joined to create ST-Ericsson. They all lack a BP business + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{SPoC industry politics, 2/2} +\begin{itemize} + \item Industry politics, continued + \begin{itemize} + \item Broadcom has APs, but never been very successful in the BP market + \item Intel once had an AP business (X-Scale, PXA25x,26x,27x), but sold it to Marvell + \item Marvell had integrated AP + GSM/GPRS/EDGE BP, but no WCDMA + \end{itemize} + \item Do you understand why Intel bought the Infineon BP business? 
+\end{itemize} +\end{frame} + +\subsection{Routing around the problem} + +\begin{frame}{Industry finds SPoC alternatives}{Samsung} +If you cannot get AP+BP in one package, you have to be innovative +\begin{itemize} + \item Samsung has long successful AP line (s3c24xx, s3c6410, Exynos) + \begin{itemize} + \item They also build mDDR and NAND flash as well as SD card controllers + \item They build MCP (Multi Chip Package) with multiple dies in one package + \item Reduces need for external memory components, simplifies PCB routing + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Industry finds SPoC alternatives}{Texas Instruments} +If you cannot get AP+BP in one package, you have to be innovative +\begin{itemize} + \item TI has successful OMAP3/OMAP4 AP business + \begin{itemize} + \item They have no RAM/flash business, thus cannot do MCP + \item They start with PoP (Package on Package) + \item Idea: expose memory interface on top of SoC, then solder memory BGa on top of SoC + \item Saves PCB footprint and simplifies routing, but adds height! + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{The odd SPoC alternatives} + +\begin{frame}{Have it the Mediatek way}{The MTK GSM/GPRS/EDGE chipsets} +\begin{itemize} + \item Users want features, they don't care about separate AP/BP + \item So instead of adding an AP to a feature phone, just add all the peripherals and software to the BP + \item Result: ARM7TDMI, later ARM920-EJS BP with hardware codec, GPU, lots of memory, JAVA, ... + \item Lots of applications like web browser, mail, games to make it look like a real smartphone + \item You save a lot in silicon footprint and ARM core licensing + \item Shipped up to 90 Million units / quarter ! 
+\end{itemize} +\end{frame} + +\begin{frame}{Mediatek 3G Evolution} +\begin{itemize} + \item Mediatek buys BP business from ADI (Analog Digital) + \item This most likely included Blackfin-based 3G baseband + \item Modern MTK chipsets are SPoC, with ARM9/ARM11 on AP side and ARM9 on BP + \item Shared memory components akin to Qualcomm solution + \item How can MTK become successful once they sell outside China (WCDMA patent licenses to QC?) +\end{itemize} +\end{frame} + +\begin{frame}{The ST-Ericsson low-cost solution} +\begin{itemize} + \item Use a single CPU core for AP and BP + \item Run a hypervisor on it to virtualize the hardware + \item Run BP OS in one guest compartment, AP in another + \item Save on silicon cost/size and ARM core licensing like MTK + \item Used in very few phones +\end{itemize} +\end{frame} + +\begin{frame}{AP/BP chipset market distribution} +Out of ~ 70 phone models available on German market today, +\begin{itemize} + \item Distribution by vendor + \begin{itemize} + \item 47 are Qualcomm BP based (mostly SPoC) + \item 17 are Infineon BP based (BP-only) + \item 5 are ST-Ericsson based (SPoC / 2 core) + \end{itemize} + \item Distribution by AP/BP interface + \begin{itemize} + \item 54 use shared memory interface + \item 8 use HSIC or USB + \item 4 use MIPI HSI + \end{itemize} +\end{itemize} +Careful: This is per models. Some models sell more units than 10 other models together ;) +\end{frame} + + +\begin{frame}{Thanks} +Thanks for your attention. I hope we have time for Q\&A. +\end{frame} + + +\end{document} diff --git a/2012/rtlsdr-freedomhec2012/dab.jpg b/2012/rtlsdr-freedomhec2012/dab.jpg new file mode 100644 index 0000000..97bbcc3 Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/dab.jpg differ diff --git a/2012/rtlsdr-freedomhec2012/ezcap_top.jpg b/2012/rtlsdr-freedomhec2012/ezcap_top.jpg new file mode 100644 index 0000000..d504471 Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/ezcap_top.jpg differ 
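Review bot: The "SPoC AP-BP integration" frame presents mapping RAM into both AP and BP only as an "added benefit", and never says that the two processors then no longer have physically separate memories. The earlier "AP / BP memories" frame stresses that each side traditionally had its own bus, RAM and flash, so one more item would make the trade-off explicit, for example `\item but: AP/BP separation now depends on how the chip partitions the shared RAM and flash`. The deck does not cover how any particular chipset enforces that partition, so the item should stay this general. Separately, a few spelling slips are worth fixing during the import: `DPS` and `simply` in the "Improvements in classic GSM phone design" frame (presumably DSP and simplify), `DPA` in "AP / BP memories" (presumably PDA), and `Reensas` in "SPoC industry politics, 1/2" (presumably Renesas).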
diff --git a/2012/rtlsdr-freedomhec2012/fcdp.jpg b/2012/rtlsdr-freedomhec2012/fcdp.jpg
new file mode 100644
index 0000000..329bd82
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/fcdp.jpg differ
diff --git a/2012/rtlsdr-freedomhec2012/fcdp_pcb.jpg b/2012/rtlsdr-freedomhec2012/fcdp_pcb.jpg
new file mode 100644
index 0000000..6b4f94d
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/fcdp_pcb.jpg differ
diff --git a/2012/rtlsdr-freedomhec2012/glonass-sps2.8e6.png b/2012/rtlsdr-freedomhec2012/glonass-sps2.8e6.png
new file mode 100644
index 0000000..9d4da31
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/glonass-sps2.8e6.png differ
diff --git a/2012/rtlsdr-freedomhec2012/gps-sps2048e3.png b/2012/rtlsdr-freedomhec2012/gps-sps2048e3.png
new file mode 100644
index 0000000..301f78e
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/gps-sps2048e3.png differ
diff --git a/2012/rtlsdr-freedomhec2012/gr-dab-constellation.png b/2012/rtlsdr-freedomhec2012/gr-dab-constellation.png
new file mode 100644
index 0000000..c9869f1
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/gr-dab-constellation.png differ
diff --git a/2012/rtlsdr-freedomhec2012/grc_wbfm.png b/2012/rtlsdr-freedomhec2012/grc_wbfm.png
new file mode 100644
index 0000000..7033a36
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/grc_wbfm.png differ
diff --git a/2012/rtlsdr-freedomhec2012/hama_nano1.jpg b/2012/rtlsdr-freedomhec2012/hama_nano1.jpg
new file mode 100644
index 0000000..e1992fe
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/hama_nano1.jpg differ
diff --git a/2012/rtlsdr-freedomhec2012/inmarsat.png b/2012/rtlsdr-freedomhec2012/inmarsat.png
new file mode 100644
index 0000000..b0300c3
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/inmarsat.png differ
diff --git a/2012/rtlsdr-freedomhec2012/noxon_top.jpg b/2012/rtlsdr-freedomhec2012/noxon_top.jpg
new file mode 100644
index 0000000..d696e98
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/noxon_top.jpg differ
diff --git a/2012/rtlsdr-freedomhec2012/osmosdr.jpg b/2012/rtlsdr-freedomhec2012/osmosdr.jpg
new file mode 100644
index 0000000..730b579
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/osmosdr.jpg differ
diff --git a/2012/rtlsdr-freedomhec2012/rtl-sdr-gmr.png b/2012/rtlsdr-freedomhec2012/rtl-sdr-gmr.png
new file mode 100644
index 0000000..2ec1265
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/rtl-sdr-gmr.png differ
diff --git a/2012/rtlsdr-freedomhec2012/rtl-sdr.pdf b/2012/rtlsdr-freedomhec2012/rtl-sdr.pdf
new file mode 100644
index 0000000..52ea02c
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/rtl-sdr.pdf differ
diff --git a/2012/rtlsdr-freedomhec2012/rtl-sdr.snm b/2012/rtlsdr-freedomhec2012/rtl-sdr.snm
new file mode 100644
index 0000000..e69de29
diff --git a/2012/rtlsdr-freedomhec2012/rtl-sdr.tex b/2012/rtlsdr-freedomhec2012/rtl-sdr.tex
new file mode 100644
index 0000000..60206ad
--- /dev/null
+++ b/2012/rtlsdr-freedomhec2012/rtl-sdr.tex
@@ -0,0 +1,570 @@ +% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ + +\documentclass{beamer} + +\usepackage{url} +\makeatletter +\def\url@leostyle{% + \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}} +\makeatother +%% Now actually use the newly defined style. +\urlstyle{leo} + + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau . +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode +{ + \usetheme{Warsaw} + % or ... + + \setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + + +\usepackage[english]{babel} +% or whatever + +\usepackage[latin1]{inputenc} +% or whatever + +\usepackage{times} +\usepackage[T1]{fontenc} +% Or whatever. Note that the encoding and the font should match. If T1 +% does not look nice, try deleting the line with the fontenc. + + +\title{rtl-sdr} + +\subtitle +{Turning USD 20 Realtek DVB-T receiver into a SDR} + +\author{Harald Welte } + +\institute +{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH} +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[] % (optional, should be abbreviation of conference name) +{June 12, FreedomHEC, Taipei} +% - Either use conference name or its abbreviation. 
+% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{Communications} +% This is only inserted into the PDF information catalog. Can be left +% out. + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + +\begin{frame}{Outline} + \tableofcontents[hideallsubsections] + % You might wish to add the option [pausesections] +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. 
+ +\begin{frame}{About the speaker} +\begin{itemize} + \item Using + toying with Linux since 1994 + \item Kernel / bootloader / driver / firmware development since 1999 + \item IT security expert, focus on network protocol security + \item Former core developer of Linux packet filter netfilter/iptables + \item Board-level Electrical Engineering + \item Always looking for interesting protocols (RFID, DECT, GSM) + \item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN +\end{itemize} +\end{frame} + + +\begin{frame}{Disclaimer} +\begin{itemize} + \item This talk is not about the Linux kernel + \item This talk is not about consumer mass market + \item It's about turning a single-purpose device into many more features + \item ... and to illustrate the creativity unleashed when hardware / chipset makers don't lock their devices down +\end{itemize} +\end{frame} + +\section{Software Defined Radio} + +\subsection{Traditional radio receivers vs. SDR} + +\begin{frame}{Traditional Radio} +\begin{itemize} + \item uses hardware-based receiver + demodulator + \item uses analog filtering with fixed filters for given + application + \item recovers either analog signal or digitizes demodulated bits + \item has not changed much in close to 100 years of using radio + waves for communications +\end{itemize} +\end{frame} + +\begin{frame}{Software Defined Radio (SDR)} +\begin{itemize} + \item uses a more or less classic radio fronted / tuner to + down-convert either to IF or to baseband + \item uses a high-speed ADC to digitize that IF or baseband + signal + \item uses digital signal processing for filtering, + equalization, demodulation, decoding +\end{itemize} +\end{frame} + +\begin{frame}{SDR advantages vs. 
traditional radio} +\begin{itemize} + \item more flexibility in terms of communication system + \item as long as tuner input frequency, ADC sampling rate and + computing power are sufficient, any receiver can be + implemented in pure software, without hardware changes + \item this is used mostly by military (JTRS, SCA) and commercial + infrastructure equipment (e.g UMTS NodeB / LTE eNodeB) +\end{itemize} +\end{frame} + +\subsection{How the industry normally uses SDR} + +\begin{frame}{SDR technology in consumer electronics} +\begin{itemize} + \item lots of consumer devices already implement SDR technology + \begin{itemize} + \item GSM/UMTS/LTE baseband processor in mobile phones + \item WiFi, Bluetooth, GPS + \end{itemize} + \item flexibility of such implementations is restricted to + manufacturer, as low-level access to DSP code and/or raw + samples is not intended / documented / activated + \item user is locked out from real benefits and flexibility of SDR +\end{itemize} +\end{frame} + +\begin{frame}{Existing SDR hardware marketed as SDR} +\begin{itemize} + \item regular consumer-electronics SDR don't provide low-level + access or documentation + \item military / telco grade SDR device are way too expensive + (five-digit USD per unit) + \item Ettus developed the famous USRP family (four-digit USD per + unit). 
Used a lot in education + research + \item Even lower-cost devices now like Fun Cube Dongle Pro + (FCDP) or OsmoSDR (three-digit USD per unit) +\end{itemize} +\end{frame} + +\subsection{How the community wants to use SDR} + +\begin{frame}{Universal Software Radio Peripheral} +\begin{itemize} + \item A general-purpose open-source hardware SDR + \begin{itemize} + \item Schematics and component placement information public + \end{itemize} + \item Generally available to academia, professional users and individuals + \item Modular concept + \begin{itemize} + \item Mainboard contains Host PC interface and baseband codec + \item Daughter boards contain radio frontend with rf up/downconverter + \end{itemize} + \item Big step forward in pricing, but still not affordable for everyone + \begin{itemize} + \item USD~700 for mainboard + \item frontends from USD~75 to USD~250 + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{USRP Circuit Board Photograph} +\begin{figure}[h] + \centering + \includegraphics[width=55mm]{usrp_board_photo.jpg} +\end{figure} +\end{frame} + +\begin{frame}{USRP Block Diagram} +\begin{figure}[h] + \centering + \includegraphics[width=75mm]{usrp-block-diagram.png} +\end{figure} +\end{frame} + +\begin{frame}{USRP technical specs} +\begin{itemize} + \item $4\times$ 12~bit ADCs @ 64~MS/s (digitize band of up to 32~MHz) + \item $4\times$ 14~bit DACs @ 128~MS/s (useful output freq from DC...44~MHz) + \item $64\times$ Digital I/O ports, 16 to each daughter-board + \item The USRP mainboard has 4 slots for daughter-boards (2 Rx, 2 Tx) + \item transceiver frontends occupy 2 slots (1 Rx, 1 Tx) +\end{itemize} +\end{frame} + +\begin{frame}{The second generation USRP: USRP2} +Main differences from USRP1 +\begin{itemize} + \item Gigabit Ethernet replacing USB2 (full-duplex, 1~GBit/sec) + \item 25~MHz of instantaneous RF bandwidth + \item Xilinx Spartan 3-2000 FPGA + \item $2\times$ 100~MHz 14~bit ADC + \item $2\times$ 400~MHz 16~bit DAC + \item 1~MByte 
high-speed SRAM + \item Clock can be locked to external 10~MHz reference + \item 1~pulse-per-second input (GPS clock conditioning) + \item FPGA configuration can be stored on SD card + \item Stand-alone operation without host PC + \item Multiple systems can be connected for MIMO + \item Daughterboards compatible with USRP(1) +\end{itemize} +\end{frame} + +\begin{frame}{Fun Cube Dongle Pro (2010)} +\begin{itemize} + \item 64 MHz to 1700 Mhz USB SDR receiver (193 USD) + \item limited to 96 kHz I/Q baseband sampling + \item great for amateur radio and TETRA, but most other +communications systems (like GSM introduced in 1992) use wider band-widths + \item great progress in terms of size and cost, but much more +limited than USRP + \item Hardware design and firmware sadly are proprietary +\end{itemize} +\end{frame} + +\begin{frame}{Fun Cube Dongle Pro (2010)} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{fcdp_pcb.jpg} +\end{figure} +\end{frame} + + +\begin{frame}{OsmoSDR (2012)} +\begin{itemize} + \item small, low-power / low-cost USB SDR hardware (225 USD) + \item higher bandwidth than FunCubeDonglePro (1.2 MHz / 14bit) + \item much lower cost than USRP, but more expensive than FCDP + \item Open Hardware (schematics), software (FPGA, firmware) +\end{itemize} +\begin{figure}[h] +\centering +\includegraphics[width=70mm]{osmosdr.jpg} +\end{figure} +\end{frame} + + + +\section{Gnuradio Software Defined Radio} + +\subsection{Gnuradio SDR Architecture} + +\begin{frame}{Gnuradio architecture} +\begin{itemize} + \item Philosophy: Implement SDR not as hand-crafted special-case hand-optimized assembly code in some obscure DSP, but on a general purpose PC + \begin{itemize} + \item with modern x86 systems at multi-GHz clock speeds and with many cores this becomes feasible + \item of course way too expensive for a mass-produced product, but very suitable for research, teaching and rapid prototyping + \end{itemize} + \item Implement various signal processing 
elements in C++ + \begin{itemize} + \item assembly optimized libraries for low-level operations + \item provide python bindings for all blocks + \end{itemize} + \item Python script to define interaction, relation, signal~routing between blocks +\end{itemize} +\end{frame} + +\subsection{Gnuradio blocks and flow graphs} + +\begin{frame}{Gnuradio blocks and flow graphs} +\begin{description}[flow graph] + \item[block] represents one element of signal processing + \begin{itemize} + \item filters, adders, transforms, decoders, hardware interfaces + \end{itemize} + \item[flow graph] defines routing of signals and interconnection of blocks + \begin{itemize} + \item Think of it as the {\em plumbing} between the blocks + \end{itemize} +\end{description} +Data passing between blocks can be of any C++ data type +\end{frame} + +\begin{frame}{GRC flow graph for Wideband FM} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{grc_wbfm.png} +\end{figure} +\end{frame} + +\begin{frame}{GRC flow graph for SSB} +\begin{figure}[h] + \centering + \includegraphics[width=100mm]{ssb_rcv_grc.png} +\end{figure} +\end{frame} + + +\subsection{Gnuradio sinks and sources} + +\begin{frame}{Gnuradio sinks and sources} +\begin{description}[source] + \item[sink] special block that consumes data + \begin{description}[hardware sinks] + \item[hardware sinks] USRP, Sound card, COMEDI + \item[software sinks] Scope UI, UDP port, Video card + \end{description} + \item[source] special block that sources data + \begin{description}[hardware sources] + \item[hardware sources] USRP, Sound card, COMEDI + \item[software sources] Noise source, File, UDP port + \end{description} +\end{description} +Every flow graph needs at least one sink and one source! 
+\end{frame} + +\section{Finally: rtl-sdr} + +\subsection{The Realtek RTL2832U and its primary application} + +\begin{frame}{Realtek RTL2832U based DVB-T receivers} +\begin{itemize} + \item Realtek RTL2832U based DVB-T receivers are cheaply + available on the market (USD 20) + \item RTL2832U implements ADC, DVB-T demodulator and high-speed + USB device + \item Normal mode of operation includes full DVB-T receiver + inside RTL2832U hardware and only sends MPEG2-TS via USB + \item Realtek released GPL-licensed Linux kernel driver for + watching TV (not mainline style, but at least GPL) + \item Realtek released limited manual to V4L developers +\end{itemize} +\end{frame} + +\begin{frame}{RTL2832U based devices: EzTV 668} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{ezcap_top.jpg} +\end{figure} +\end{frame} + +\begin{frame}{RTL2832U based devices: Hama nano1} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{hama_nano1.jpg} +\end{figure} +\end{frame} + +\begin{frame}{RTL2832U based devices} +\begin{itemize} + \item more than 20 different devices from various vendors + \item Brand names include ezcap, Hama, Terratec, Compro, GTek, Lifeview, Twintech, Dexatek, Genius, Gigabyte, Dikom, Peak, Sveon + \item all based on the identical RTL2832U reference design + \item only major difference is mechanical shape/size and silicon +tuner used. Best tuner we know is Elonics E4000 (high frequency range) +\end{itemize} +\end{frame} + +\begin{frame}{RTL2832U FM and DAB radio} +\begin{itemize} + \item Some people realized certain windows drivers for RTL2832U + based products implement FM Radio, others even DAB + \item Linux driver had no FM radio or DAB support + \item Realtek-disclosed limited data sheet didn't mention it + either + \item Sniffing USB protocol on Windows revealed that raw samples + are passed from ADC over USB, FM or DAB demodulation + happens in x86 software. 
+ \item Realtek didn't provide documentation or source code for + this on request +\end{itemize} +\end{frame} + +\begin{frame}{RTL2832U towards rtl-sdr} +\begin{itemize} + \item Reverse engineering the USB protocol and replaying certain + commands from custom libusb based code was able to trigger the raw + sample transmission + \item remaining Realtek driver provided information on how to + use the I2C controller to control the tuner frontend + \item Harald already developed Elonics E4000 driver for + osmo-sdr, which could be re-cycled + \item Tuning to arbitrary frequencies allows digitizing spectrum + of any communications system within the tuner range +\end{itemize} +\end{frame} + +\begin{frame}{RTL2832U towards rtl-sdr} +\begin{itemize} + \item {\em librtlsdr} contains the major part of the driver + \item {\em rtl\_sdr} command line capture tool + \item {\em gr-osmosdr} gnuradio source block + \item Homepage: http://sdr.osmocom.org/trac/wiki/rtl-sdr + \item libusb is portable, there even are pre-built windows + binaries +\end{itemize} +\end{frame} + +\subsection{Some of the software supporting rtl-sdr} + +\begin{frame}{rtl-sdr software support} +\begin{itemize} + \item gnuradio (of course), using gr-osmosdr + \item gr-pocsag (POCSAG pagers) + \item simple\_fm\_rcv (FM receiver) + \item python-librtlsdr / pyrtlsdr (generic python bindings) + \item QtRadio + \item qgrx + \item rtl\_fm + \item SDR\# + \item gr-air-modes + \item tetra\_demod\_fft (TETRA radio) + \item airprobe (GSM receiver) +\end{itemize} +\end{frame} + +\begin{frame}{Free Software SDR Receivers} +Full FOSS receivers/demodulators/decoders available for +\begin{itemize} + \item Old analog modes like AM/FM/WFM/SSB + \item DAB (Digital Audio Broadcasting) + \item GSM downlink + uplink (airprobe) + \item TETRA downlink (OsmocomTETRA) + \item ETSI GMR / Thuraya (OsmocomGMR) + \item P25 (OsmocomOP25) + \item AIS (Maritime transponders) + \item Gen2 UHF RFID + \item DECT (Digital European Cordless 
Telephony) +\end{itemize} +\end{frame} + + +\begin{frame}{Who needs all of this?} +\begin{itemize} + \item Students learning about digital signal processing + \item Radio Amateurs + \item Communications (security) resarchers + \item Anyone interested in building their own software radio + receivers +\end{itemize} +This is of course not the 100k / million quantity consumer mass market. +But nonetheless, definitely thousands to tens of thousands +\end{frame} + +\subsection{Signal Plots} + +\begin{frame}{rtl-sdr: Multi-Carrier TETRA} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{tetra.png} +\end{figure} +\end{frame} + +\begin{frame}{rtl-sdr: ETSI GMR (Thuraya Satphone)} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{rtl-sdr-gmr.png} +\end{figure} +\end{frame} + +\begin{frame}{rtl-sdr: GPS (after filter / LNA)} +\begin{figure}[h] + \centering + \includegraphics[width=110mm]{gps-sps2048e3.png} +\end{figure} +\end{frame} + +\begin{frame}{rtl-sdr: inmarsat (after LNA)} +\begin{figure}[h] + \centering + \includegraphics[width=75mm]{inmarsat.png} +\end{figure} +\end{frame} + + +\begin{frame}{Thanks} +I'd like to thank the many Osmocom developers and contributors, +especially +\begin{itemize} + \item Steve Markgraf + \item Dimitri Stolnikov + \item Hoernchen + \item Sylvain Munaut +\end{itemize} +also, Realtek for providing at least some (DVB oriented) documentation +and for releasing GPL licensed code for their hardware in the first +place. +\end{frame} + + +\begin{frame}{Thanks} +Thanks for your attention. I hope we have time for Q\&A. +\end{frame} + + +\end{document} diff --git a/2012/rtlsdr-freedomhec2012/ssb_rcv_grc.png b/2012/rtlsdr-freedomhec2012/ssb_rcv_grc.png new file mode 100644 index 0000000..c79e086 Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/ssb_rcv_grc.png differ 
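Review bot: The homepage link in the second "RTL2832U towards rtl-sdr" frame is typed as bare text although the preamble loads `url` and sets `\urlstyle{leo}`, and no `\url{}` call appears anywhere in the hunk, so the custom style goes unused; `\item Homepage: \url{http://sdr.osmocom.org/trac/wiki/rtl-sdr}` would apply it. Three spelling slips on the new side are worth fixing in the same pass: `OpenEXZ` in "About the speaker" (presumably OpenEZX), `radio fronted` in the "Software Defined Radio (SDR)" frame (frontend), and `resarchers` in "Who needs all of this?". The unit in the Fun Cube Dongle frame is also written inconsistently, `64 MHz to 1700 Mhz`.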
diff --git a/2012/rtlsdr-freedomhec2012/tetra.png b/2012/rtlsdr-freedomhec2012/tetra.png
new file mode 100644
index 0000000..7873cb2
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/tetra.png differ
diff --git a/2012/rtlsdr-freedomhec2012/usrp-block-diagram.png b/2012/rtlsdr-freedomhec2012/usrp-block-diagram.png
new file mode 100644
index 0000000..c79faf8
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/usrp-block-diagram.png differ
diff --git a/2012/rtlsdr-freedomhec2012/usrp_board_photo.jpg b/2012/rtlsdr-freedomhec2012/usrp_board_photo.jpg
new file mode 100644
index 0000000..0471cc4
Binary files /dev/null and b/2012/rtlsdr-freedomhec2012/usrp_board_photo.jpg differ
-- cgit v1.2.3