%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7

Running Your Own GSM Network

%center
%size 4
by Harald Welte
Dieter Spaar

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Why?

	Why would you run your own GSM network?
		For the same reason you might run other networks
		To learn and experiment with technology
		To boldly go where no [free] man has gone before ;)
		Practical demonstration of known GSM security problems
		Raise public awareness about GSM [in]security
		and thus increase the incentive for the market to improve

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Legal Disclaimer

	Legal Disclaimer
		Don't try this at home!
		GSM operates on LICENSED spectrum
		Thus, you need approval from the regulatory authority
		Only use a BTS with a dummy load!
		Don't interfere with the operators!
		Our software is strictly for research purposes only

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Network Architecture

	The Hitchhiker's Guide to the GSM Network unfortunately does not exist
	The GSM related literature is typically too high-level
	The GSM protocol specifications are publicly available
	but _very_ comprehensive (1,108 PDFs, 414 MByte)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Network Architecture

	GSM is a bit-synchronous network
		it draws many analogies from ISDN and SDN
		layer 2 modelled after Q.921 / LAPD
		call signalling modelled after Q.931
		but: many more protocols for mobility management, radio resources, ...
	Like all traditional telco protocols: intelligence in the network, not in the end nodes
	GSM is a TDMA "nightmare"
		e.g. you never know from/for whom data is without the timing context

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Network Architecture

	MS	Mobile Station (your phone)
	BTS	Base Transceiver Station
	BSC	Base Station Controller
	MSC	Mobile Switching Center
	HLR/VLR	Home/Visitor Location Register

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Base Transceiver Station

	BTS
		As the name indicates, a "transceiver"
		Handles Layer 1 and some parts of layer 2
			RF modulation/demodulation
			Time multiplex, scheduling of frames
		Is not a "Base Station", i.e. not self-contained
		True 'slave' to the BSC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Base Station Controller

	BSC
		Base Station Controller
		Handles most of the actual decision making
		really controls most aspects of the BTSs
		handles intra-BSC cell handover

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Mobile Switching Center

	MSC
		Mobile Switching Center
		Handles the actual switching of the calls
		Interworking with ISDN or POTS
		Inter-BSC cell handover
	HLR/VLR
		Home/Visitor Location Register
		Handles the database of local / roaming subscribers

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface

	The BSC <-> BTS interface is called A-bis
	has the following control layers on E1 TS1 (one LAPD link, told apart by SAPI)
		L2ML (Layer 2 Management Link, SAPI 63)
			TEI management similar to ISDN
		OML (Operation & Maintenance Link, SAPI 62)
			System parameters, events
		RSL (Radio Signalling Link, SAPI 0)
	carries encoded voice data (TRAU frames) on other E1 TS

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface

%image "2_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface

%image "3_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface

	Abis RSL contains messages for
		Radio Link Layer (RLL)
		Dedicated Channel (DCHAN)
		Common Channel (CCHAN)
		Transceiver (TRX)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface

	Abis RSL Radio Link Layer transparently carries the layer 3 messages for
		Call Control (CC)
		Mobility Management (MM)
		Radio Resource (RR)
		Short Message Service (SMS)
	mostly specified in GSM TS 04.08

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

	Siemens BS-11 microBTS
		plain old 2G (GSM voice calls, CSD)
		one or two TRX, 30mW to 2W each, GSM900
		two E1 interfaces (for daisy-chaining)
		documentation under NDA, but 99.9% of the A-bis protocol is available from the GSM specs
			See TS 04.08 (RLL), 12.21 (OML), 08.58 (RSL)
		RS232 serial port for the Local Maintenance Terminal
			LMT software proprietary under NDA
			not needed for operation of the BTS

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "1_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "p1010012_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "p1010013_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "p1010020_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

	First steps with the Siemens BS-11
		Harald bought a BS-11 on eBay in 2006
		Started to read some specs (08.5x) about A-bis
		Started to build cables for E1 and power
		Bought an HFC-E1 PCI card
		Bought an Elmi EGM35 Abis analyzer (eBay once again)
		Got in contact with other people who had also bought a BS-11
		Found somebody who could provide Abis traces
		Never really had time due to Openmoko and other projects

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

	Further steps with the Siemens BS-11
		Dieter bought a BS-11 in 09/2008
		Bought an HFC-E1 PCI card
		Started development based on the HFC-E1 reference driver code
		Found somebody who could provide Abis traces
		Made very quick progress

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
BS11-Init

	BS11-Init (09/2008)
		Cologne Chip HFC-E1 reference code for DOS
			polling, no interrupts
		ported to Windows and Linux (mmap of HFC registers to userspace)
		proof-of-concept code based on challenge-response
		handles TEI assignment, brings OML and RSL up
		allows for location update and paging of a single phone

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
BS11-Init

%image "4_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
From BS11-Init to OpenBSC

	From BS11-Init to OpenBSC (12/2008)
		get L2ML to work with mISDN
			mainline mISDN doesn't deal with multiple SAPIs and a fixed TEI
		learn how the new sockets-based mISDN API works
		come up with an event-driven architecture, single select loop, no threads, ...
		At 25C3:
			add libdbi/sqlite database for the "HLR"
			get paging to work, support for a configurable network ID
			debugging + stabilization with > 1000 test users ;)
			IMSI + IMEI skimming

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Work at 25C3

	IMSI+IMEI skimming
		very simple: phones with automatic network selection pick the strongest network
		they send LOCATION UPDATE REQUEST
		we send IDENTITY REQUEST (for IMSI, then for IMEISV)
		they send IMSI + IMEISV
		we store this in the database and then send LOCATION UPDATE REJECT

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Work at 25C3

	Mobile Originated Call
		once an MS is registered, we can dial a number from the MS
		allocate and establish a TCH/F
		deal with the signalling and get into Connect
		unfortunately, the code for handling voice streams is not finished

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Work at 25C3

	Mobile Originated SMS
		once an MS is registered, we can send an SMS
		parse + acknowledge SMS PDU data

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Work at 25C3

	The Egypt simulation
		apparently GPS is illegal in mobile phones in Egypt
		"Egypt detection" implemented by checking whether any surrounding cells carry the Egypt country code (MCC 602)
		phones don't even have to register to our BTS!
		so if we claim to be e.g. MobiNil, phones will shut off their GPS

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Other GSM related FOSS

	Other GSM related FOSS
		OpenBTS
			100% Software Defined Radio based on USRP + gnuradio
			implements the entire RF + layer 1/2/3 and interfacing to SIP/Asterisk
			much more than just a BTS!!
			some code overlap with OpenBSC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Links

	OpenBSC
		http://openbsc.gnumonks.org/
	3GPP / ETSI GSM Specs
		http://www.3gpp.org/
	Priv-Doz. Dr.-Ing Joachim Goeller
		http://www2.informatik.hu-berlin.de/~goeller
	THC GSM Wiki
		http://wiki.thc.org/gsm
	OpenBTS
		http://gnuradio.org/trac/wiki/OpenBTS
	Harald's branch of gsm-tvoid, etc.
		git://git.gnumonks.org/gsm.git

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Thanks

	Thanks to
		zecke, alphaone, Stefan for their work on OpenBSC
		W. for his extensive A-bis protocol traces and MA-10
		all the voluntary testers at 25C3
		Karsten Keil for mISDN

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Thanks

	LIVE DEMO
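%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Appendix: the 04.08 side of IMSI skimming and the Egypt check

	The skimming exchange on the "Work at 25C3" slides (LOCATION UPDATE REQUEST, IDENTITY REQUEST, IDENTITY RESPONSE, LOCATION UPDATE REJECT) and the "Egypt detection" both come down to a handful of GSM 04.08 Mobility Management encodings. The C below is an added example by the editor, not OpenBSC code and not part of the talk: it decodes a LOCATION UPDATING REQUEST (old LAI plus Mobile Identity), builds IDENTITY REQUEST and LOCATION UPDATING REJECT, decodes the IDENTITY RESPONSE, and decodes the LAI a phone would see from a neighbour cell with MCC 602. The message types, the LAI and Mobile Identity layouts and reject cause 11 are from TS 04.08; the IMSI, IMEISV, classmark octet, LAC, MNC 01 and the choice of cause 11 (PLMN not allowed) are assumptions made for the demo.

```c
/* Added example, not OpenBSC code: a minimal GSM 04.08 Mobility Management codec for the
 * IMSI/IMEISV skimming exchange and the LAI/MCC decode behind the "Egypt simulation".
 * All PDUs below are constructed test vectors, not captured traces. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define GSM48_PDISC_MM       0x05 /* 04.08 10.2: protocol discriminator, low nibble */
#define GSM48_MT_LU_REJECT   0x04 /* 04.08 10.4: MM message types */
#define GSM48_MT_LU_REQUEST  0x08
#define GSM48_MT_ID_REQUEST  0x18
#define GSM48_MT_ID_RESPONSE 0x19
#define GSM48_CAUSE_PLMN_NOT_ALLOWED 11 /* 04.08 10.5.3.6 */
enum mi_type { MI_NONE, MI_IMSI, MI_IMEI, MI_IMEISV, MI_TMSI }; /* 04.08 10.5.1.4 bits 1-3 */
struct lai { uint16_t mcc, mnc, lac; };
struct lu_request { struct lai lai; int mi_type; char mi[20]; };

/* LAI, 04.08 10.5.1.3: BCD, digit 1 in the low nibble; MNC digit 3 is 0xF when unused. */
static void gsm48_decode_lai(const uint8_t *o, struct lai *l)
{
	l->mcc = (o[0] & 0x0f) * 100 + (o[0] >> 4) * 10 + (o[1] & 0x0f);
	l->mnc = (o[2] & 0x0f) * 10 + (o[2] >> 4);
	if ((o[1] >> 4) != 0x0f)
		l->mnc = l->mnc * 10 + (o[1] >> 4);    /* 3-digit MNC */
	l->lac = (uint16_t)(o[3] << 8 | o[4]);
}

/* Mobile Identity, 04.08 10.5.1.4: digit 1 in the high nibble of octet 1, bit 4 set for an
 * odd digit count, remaining digits low nibble first. Returns the identity type or -1. */
static int gsm48_decode_mi(const uint8_t *mi, size_t len, char *out, size_t outlen)
{
	size_t i, n = 0;
	if (len < 1 || len > 9 || outlen < 2 * len)
		return -1;
	int type = mi[0] & 0x07;
	if (type == MI_TMSI) {                     /* 4 binary octets, not BCD */
		if (len != 5) return -1;
		snprintf(out, outlen, "%02x%02x%02x%02x", mi[1], mi[2], mi[3], mi[4]);
		return type;
	}
	out[n++] = (char)('0' + (mi[0] >> 4));
	for (i = 1; i < len; i++) {
		out[n++] = (char)('0' + (mi[i] & 0x0f));
		if (i == len - 1 && !(mi[0] & 0x08))
			break;                             /* even count: last high nibble is filler */
		out[n++] = (char)('0' + (mi[i] >> 4));
	}
	out[n] = '\0';
	return type;
}

/* LOCATION UPDATING REQUEST, 04.08 9.2.15: PD | type | LU type+CKSN | LAI(5) | Classmark 1 |
 * Mobile Identity LV (often just a TMSI, which is why the network then asks for the IMSI).
 * Bit 7 of the type octet carries N(SD) on uplink (10.4): mask it, or requests with N(SD)=1 never match. */
static int gsm48_parse_lu_request(const uint8_t *l3, size_t len, struct lu_request *r)
{
	if (len < 11 || (l3[0] & 0x0f) != GSM48_PDISC_MM || (l3[1] & 0x3f) != GSM48_MT_LU_REQUEST ||
	    10 + (size_t)l3[9] > len)
		return -1;
	gsm48_decode_lai(&l3[3], &r->lai);
	r->mi_type = gsm48_decode_mi(&l3[10], l3[9], r->mi, sizeof r->mi);
	return r->mi_type < 0 ? -1 : 0;
}

/* IDENTITY RESPONSE, 04.08 9.2.11: PD | type | Mobile Identity LV. Same N(SD) mask applies. */
static int gsm48_parse_id_response(const uint8_t *l3, size_t len, char *out, size_t outlen)
{
	if (len < 4 || (l3[0] & 0x0f) != GSM48_PDISC_MM || (l3[1] & 0x3f) != GSM48_MT_ID_RESPONSE ||
	    3 + (size_t)l3[2] > len)
		return -1;
	return gsm48_decode_mi(&l3[3], l3[2], out, outlen);
}

/* Downlink 3-octet MM messages: IDENTITY REQUEST (9.2.10, octet 3 = wanted identity type)
 * and LOCATION UPDATING REJECT (9.2.14, octet 3 = reject cause). */
static size_t gsm48_build_mm3(uint8_t *buf, uint8_t msg_type, uint8_t octet3)
{
	buf[0] = GSM48_PDISC_MM, buf[1] = msg_type, buf[2] = octet3;
	return 3;
}

/* Constructed vectors: LU REQUEST with old LAI 262-01 LAC 1 and IMSI 262011234567890; IDENTITY
 * RESPONSE with IMEISV 3512340012345601 (16 digits, hence the 0xF filler); a neighbour-cell LAI 602-01. */
static const uint8_t lu_req_pdu[] = { 0x05, 0x08, 0x70, 0x62, 0xf2, 0x10, 0x00, 0x01, 0x33,
	0x08, 0x29, 0x26, 0x10, 0x21, 0x43, 0x65, 0x87, 0x09 };
static const uint8_t id_resp_pdu[] = { 0x05, 0x19, 0x09, 0x33, 0x15, 0x32, 0x04, 0x10, 0x32, 0x54, 0x06, 0xf1 };
static const uint8_t egypt_lai[] = { 0x06, 0xf2, 0x10, 0x00, 0x01 };
int main(void)
{
	struct lu_request r; struct lai l; uint8_t msg[3]; char imeisv[20];
	if (gsm48_parse_lu_request(lu_req_pdu, sizeof lu_req_pdu, &r) == 0)
		printf("LU REQUEST: MI type %d %s, old LAI %u-%02u\n", r.mi_type, r.mi, r.lai.mcc, r.lai.mnc);
	gsm48_build_mm3(msg, GSM48_MT_ID_REQUEST, MI_IMEISV);                    /* 05 18 03 */
	if (gsm48_parse_id_response(id_resp_pdu, sizeof id_resp_pdu, imeisv, sizeof imeisv) == MI_IMEISV)
		printf("IDENTITY RESPONSE: IMEISV %s\n", imeisv);
	gsm48_build_mm3(msg, GSM48_MT_LU_REJECT, GSM48_CAUSE_PLMN_NOT_ALLOWED);  /* 05 04 0b */
	gsm48_decode_lai(egypt_lai, &l);
	printf("neighbour cell MCC %u%s\n", l.mcc, l.mcc == 602 ? " (Egypt: phone disables GPS)" : "");
	return 0;
}
```

	Build with "cc -std=c99 -Wall gsm48_demo.c" (the file name is assumed). Two details matter against real phones: uplink MM message types carry N(SD) in bit 7, so the type octet has to be masked before comparing it, and a LOCATION UPDATING REQUEST usually identifies the phone only by TMSI, which is exactly why the network has to follow up with an IDENTITY REQUEST to get the IMSI.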