%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
OpenBSC
%size 5
Running Your own GSM Network
%center
%size 4
by Harald Welte
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Why?

	Why would you run your own GSM network?
		For the same reason you might run other networks
		To learn and experiment with technology
		To boldly go where no [free] man has gone before ;)
		Practical demonstration of known GSM security problems
		Raise public awareness about GSM [in]security
		thus increase the incentive for the market to improve
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Legal Disclaimer

	Legal Disclaimer
		Don't try this at home!
		GSM operates on LICENSED spectrum
		Thus, you need approval from the regulatory authority
		Only use BTS with dummy load!
		Don't interfere with the operators!
		Our software is strictly for research purpose only
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Network Architecture

	The Hitchhiker's Guide to the GSM Network unfortunately does not exist
	The GSM related literature is typically too high-level
	The GSM protocol specifications are publicly available
		but _very_ comprehensive (1,108 PDFs, 414MByte)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Network Architecture

	GSM is a bit-synchronous network
		it draws many analogies from ISDN and SDN
		layer 2 modelled after Q.921 / LAPD
		call signalling modelled after Q.931
		but: many more protocols for mobility management, radio resources, ...
	like all traditional Telco protocols: Intelligence in the network, not in the end nodes.
	GSM is a TDMA "nightmare"
		e.g. you never know from/for whom data is without the timing context
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Network Architecture

	MS	Mobile Station (your Phone)
	BTS	Base Transceiver Station
	BSC	Base Station Controller
	MSC	Mobile Switching Center
	HLR/VLR	Home/Visitor Location Register
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Base Transceiver Station

	BTS
		As the name indicates "transceiver"
		Handles Layer 1 and some parts of layer 2
			RF Modulation/Demodulation
			Time Multiplex, scheduling of frames
		Is not a "Base Station", i.e. not self-contained
		True 'slave' to the BSC
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Base Station Controller

	BSC
		Base Station Controller
		Handles most of the actual decision making
		really controls most aspects of BTSs
		handles intra-BSC cell handover
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Mobile Switching Center

	MSC
		Mobile Switching Center
		Handles Actual switching of the calls
		Interworking with ISDN or POTS
		Inter-BSC cell handover
	HLR/VLR
		Home/Visitor Location Register
		Handles database of local / roaming subscribers
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Um interface

	MS <-> BTS
		Interface is called Um
		layer 2: LAPD derived; called LAPDm
		layer 3: GSM 04.08 RR / MM / CC
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface

	BSC <-> BTS
		Interface is called A-bis
		has the following control layers on E1 TS1
			L2ML (Layer 2 Management)
				TEI management similar to ISDN
			OML (Organization & Maintenance)
				System parameters, events
			RSL (Radio Subsystem Layer)
		has encoded voice data (TRAU frames) on other E1 TS
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface

%image "2_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface

%image "3_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface

	Abis RSL contains messages for
		Radio Link Layer (RLL)
		Dedicated Channel (DCHAN)
		Common Channel (CCHAN)
		Transceiver (TRX)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Mobile Switching Center

	Abis RSL Radio Link Layer contains messages for
		Call Control (CC)
		Mobility Management (MM)
		Radio Resource (RR)
		Short Message Service (SMS)
	mostly specified in GSM TS 04.08
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

	Siemens BS-11 microBTS
		plain old 2G (GSM voice calls, CSD)
		one or two TRX, 30mW to 2W each, GSM900
		two E1 interfaces (for daisy-chaining)
		documentation under NDA, but 99.9% of the A-bis protocol available from GSM specs
			See TS 04.08 (RLL), 12.21 (OML), 08.58 (RSL)
		RS232 serial port for Local Maintenance Terminal
			LMT software proprietary under NDA
			not needed for operation of the BTS
			bs11_config is a FOSS replacement
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "1_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "p1010012_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "p1010013_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "p1010020_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

	First steps with the Siemens BS-11
		Harald bought a BS-11 on e-Bay in 2006
		Started to read some specs (08.5x) about A-bis
		Started to build cables for E1 and power
		Bought HFC-E1 PCI card
		Bought Elmi EGM35 Abis analyzer (e-Bay once again)
		Contacted other people who also bought a BS-11
		Found somebody who could provide Abis traces
		Never really had time due to Openmoko and other projects
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS

	Further steps with the Siemens BS-11
		Dieter bought a BS-11 in 09/2008
		Bought HFC-E1 PCI card
		Started development based on HFC-E1 reference driver code
		Found somebody who could provide Abis traces
		Made very quick progress
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
BS11-Init

	BS11-Init (09/2008)
		Cologne Chip HFC-E1 reference code for DOS
			polling, no interrupts
		ported to Windows and Linux (mmap of HFC registers to userspace)
		proof-of-concept code based on challenge-response
		handles TEI assignment, brings OML and RSL up
		allows for location update and paging of single phone
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
BS11-Init

%image "4_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
From BS11-Init to OpenBSC

	From BS11-Init to OpenBSC (12/2008)
		get L2ML to work with mISDN
			mainline mISDN doesn't deal with multiple SAPIs and fixed TEI
			learn how new sockets-based mISDN API works
		come up with event-driven architecture, single select loop, no threads, ...
		At 25C3:
			add libdbi/sqlite database for "HLR"
			get paging to work, support for configurable network ID
			debugging + stabilization with > 1000 test users ;)
			IMSI + IMEI skimming
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
OpenBSC takes off (2009)

	implementation of more features
		SMS store-and-forward switching
		stable voice calls (FR and EFR codec)
		support for more than one transceiver per BTS
		support for multiple BTS
		cisco-like console interface
		support for more BTS models (ip.access nanoBTS)
		interface to traditional E1 (using linux call router)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
OpenBSC takes off (2009)

	fixing tons of bugs and stability issues
		don't rely on the phone behaving properly (e.g. timeouts)
		fix plenty of resource leaks (RAM)
		fix plenty of resource leaks like on-air channels
		finally uncover the last bits of the Siemens a-bis extensions
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
OpenBSC status today

	OpenBSC is a 'gsm network in a box'
		no need for separate MSC/HLR/VLR/AUC/SMSC
	Capabilities
		operation of a network with > 400 users
		multiple BTS with each multiple TRX
		voice calls and SMS implementation fairly complete
		no in-call handover (only in idle mode)
		no GPRS (yet), no EDGE (yet)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
OpenBSC future

	Separation between BSC and MSC
	Support actual A interface (over SCCP)
		allows us to be used with real MSC
	Support for GPRS + EDGE (with proper BTS)
	Routing of calls between E1 and IP/RTP based BTS
	Interfaces for external apps such as Scapy packet injection
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network

	License from Agentschap Telecom
		Stichting Hxx applied for a GSM test license
		license permits us to use 4 ARFCNs
		Transmit power of 100mW on each ARFCN
		antenna height restricted to 3m
		in case operators get interference, we have to shut down
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network

	Two BS-11, each two TRX
		BTS0 runs on ARFCN 121 and 123 (LAC 1)
		BTS1 runs on ARFCN 124 and 122 (LAC 2)
	Antennas mounted back-to-back to a tree on top of a hill
	Two BTS share single E1 link in multi-drop mode
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM BTS's

%image "har2009-bs11_at_tree.small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 BTS Antennas

%image "har2009-bs11_antennas.small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 BTS Antennas

%image "har2009-bs11_antennas2.small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network

	One Linux PC with OpenBSC
		uses mISDN driver for HFC-E1 card
		60m of CAT5 cable runs E1 to the
	Network ID: MCC 204 (NL), MNC 42
	Typical CPU usage < 5%
	Typical RAM usage < 3MB RSS
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 OpenBSC

%image "har2009-gsm_tent.small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network

	Registration procedure
		Your phone tries to use 204-42 or NL-42
		When we first see a particular IMSI
			we send an SMS with auth token and URL
			we kick the phone off the network
		You go to the URL indicated and enter your token
			we mark the IMSI as authorized in our HLR DB
		You try to register to the network again
			we let the phone on our network
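The network identity on the previous slides (MCC 204, MNC 42, LAC 1 and 2) is what the phone sees in the Location Area Identification IE of GSM 04.08 (10.5.1.3): swapped-nibble BCD for MCC/MNC, a 1111 filler digit for a two-digit MNC, then the 16-bit LAC. This Python encoder/decoder is an added example for the deck, not OpenBSC code; the three-digit MNC used in the comments is constructed.

```python
def encode_lai(mcc: str, mnc: str, lac: int) -> bytes:
    """Build the 5-octet LAI value (GSM 04.08 10.5.1.3) for a PLMN and LAC.

    Octet 1: MCC digit 2 | MCC digit 1   (high nibble | low nibble)
    Octet 2: MNC digit 3 | MCC digit 3   (MNC digit 3 = 0xF for 2-digit MNC)
    Octet 3: MNC digit 2 | MNC digit 1
    Octets 4-5: LAC, big endian
    """
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    if not 0 <= lac <= 0xFFFF:
        raise ValueError("LAC is a 16-bit value")
    m = [int(c) for c in mcc]
    n = [int(c) for c in mnc] + [0xF] * (3 - len(mnc))   # pad 2-digit MNC
    plmn = bytes([(m[1] << 4) | m[0],
                  (n[2] << 4) | m[2],
                  (n[1] << 4) | n[0]])
    return plmn + lac.to_bytes(2, "big")


def decode_lai(raw: bytes) -> tuple[str, str, int]:
    """Inverse of encode_lai; keeps the MNC length, so '42' is not '042'."""
    if len(raw) != 5:
        raise ValueError("LAI IE value is 5 octets")
    mcc = f"{raw[0] & 0xF}{raw[0] >> 4}{raw[1] & 0xF}"
    mnc = f"{raw[2] & 0xF}{raw[2] >> 4}"
    if raw[1] >> 4 != 0xF:            # third MNC digit present (e.g. constructed 310-410)
        mnc += str(raw[1] >> 4)
    lac = int.from_bytes(raw[3:5], "big")
    return mcc, mnc, lac


if __name__ == "__main__":
    # HAR2009 network: 204-42, BTS0 in LAC 1 -> 02 f4 24 00 01
    print(encode_lai("204", "42", 1).hex())
```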
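The registration procedure on the slide above, as an added Python example (not OpenBSC's own code): a sqlite table stands in for the "HLR" DB, a location update from an unauthorised IMSI gets a token SMS and a reject, and the token entered on the web page flips the IMSI to authorised so the next location update is accepted. The sign-up URL, the IMSI values and the choice to resend the same token on every rejected attempt are assumptions.

```python
import secrets
import sqlite3

# Placeholder URL for the sign-up page (constructed, not the HAR2009 one).
SIGNUP_URL = "http://gsm.example.invalid/register"


def open_hlr():
    """In-memory stand-in for OpenBSC's sqlite 'HLR': one row per IMSI."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscriber ("
               " imsi TEXT PRIMARY KEY, token TEXT NOT NULL,"
               " authorized INTEGER NOT NULL DEFAULT 0)")
    return db


def on_location_update(db, imsi):
    """Decision for a LOCATION UPDATING REQUEST from `imsi`.

    Returns (decision, token, sms_text). Unauthorised phones are rejected
    (kicked off the network); the first time an IMSI is seen a token is
    created, and the SMS carrying token + URL is returned for sending.
    """
    row = db.execute("SELECT token, authorized FROM subscriber WHERE imsi = ?",
                     (imsi,)).fetchone()
    if row is None:
        token = f"{secrets.randbelow(10**6):06d}"   # 6-digit one-time token
        db.execute("INSERT INTO subscriber (imsi, token) VALUES (?, ?)",
                   (imsi, token))
        db.commit()
    else:
        token, authorized = row
        if authorized:
            return "accept", None, None
    # Assumption: the same token is resent while the IMSI stays unauthorised.
    sms = f"Your token is {token}. Register at {SIGNUP_URL} to use the network."
    return "reject", token, sms


def authorize(db, imsi, token):
    """Web-form handler: mark `imsi` authorised if `token` matches its SMS token."""
    row = db.execute("SELECT token FROM subscriber WHERE imsi = ?",
                     (imsi,)).fetchone()
    if row is None or not secrets.compare_digest(row[0], token):
        return False   # unknown IMSI or wrong token: no state change
    db.execute("UPDATE subscriber SET authorized = 1 WHERE imsi = ?", (imsi,))
    db.commit()
    return True
```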
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network

	How can I use the network
		make and receive calls to/from other registered phones
		send and receive SMS to/from other registered phones
	How can I play with the network
		use airprobe or other tools to eavesdrop on GSM protocol
		we don't use any crypto nor frequency hopping
		we don't do SMS filtering, i.e. you can send any RPDU to any other phone
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network

	Helps us to test OpenBSC under higher load
		already fixed several important software bugs
	Helps us to obtain real-world protocol traces
	Helps us to explore [in]compatibilities with certain phones
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network

	Statistics
		More than 1100 phones tried to use our network
		More than 450 phones completed registration
		More than 1000 SMS sent (use more bandwidth!)
		More than FIXME attempted voice calls
		More than FIXME established voice calls
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Links

	OpenBSC
		http://openbsc.gnumonks.org/
	3GPP / ETSI GSM Specs
		http://www.3gpp.org/
	Priv-Doz. Dr.-Ing Joachim Goeller
		http://www2.informatik.hu-berlin.de/~goeller
	THC GSM Wiki
		http://wiki.thc.org/gsm
	OpenBTS
		http://gnuradio.org/trac/wiki/OpenBTS
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Thanks

	Thanks to
		zecke, alphaone, Stefan, Jan for their work on OpenBSC
		W. for his extensive A-bis protocol traces and MA-10
		Dieter Spaar for his most excellent input
		Karsten Keil for mISDN
		Andreas Eversberg for LCR interface and HFC-E1 driver
		Stichting Hxx for getting the license
		all the voluntary testers at HAR2009
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Thanks

	LIVE DEMO