path: root/2008/gsm-ccc2008/bs11-presentation.txt
blob: fc2d732aee4ef15941ba662a4e48001ced897723 (plain)
* why?
** security research
** demonstration of known theoretical problems
** public awareness about GSM [in]security

* legal disclaimer
** don't try this at home
** ownership of devices: ok, operation: not ok, licensed spectrum
** test licenses by Bundesnetzagentur

* introduction to gsm network architecture
** MS, BTS, BSC, MSC, HLR, VLR
** "ISDN on steroids" (q.921 / q.931 as base for call control)
** intelligence in the network, not the terminal
** bit-synchronous network, like SDH
** A-bis as interface between BTS and BSC

* more details about A-bis interface
** functional split BTS / BSC
** low-level A-bis (timeslots / sub-slots)
** A-bis protocol in GSM specs (04.08, 12.21, 08.58)
*** Page 10, 08.58
** structure of voice data in TRAU frames

* Introducing the BS-11
** features (1-2 TRX, 30mW-2W, GSM900)
** 2 E1 interface (1 to BSC, 1 for daisy-chaining)
** BS11 documentation
*** documentation under NDA, not available publicly
*** 99% of A-bis protocol in GSM specs (04.08, 12.21, 08.58)
** photographs (big picture, connector panel, internal overview)
** serial port for LMT, proprietary software
*** needed commands (TX power, timeslot for RSL/OML, TEI)


* first steps with BS-11
** bought BS-11 on eBay (now 74 units)
** A-bis protocol analyzer
** Helpful anonymous person helped us with
*** A-bis traces between Siemens BSC
*** Wandel+Goltermann MA-10 protocol analyzer

* BS11-Init (09/2008)
** ChipCologne HFC-E1 reference code for DOS
** polling, no interrupts
** ported to Windows and Linux (mmap of E1 to userspace)
** proof-of-concept code based on challenge-response

* from BS11-Init to OpenBSC (12/2008)
** get Layer2 to work (mISDN mainline doesn't deal with multiple SAPIs and fixed TEIs)
** learn how to use new sockets-based mISDN API
** send and receive first OML packets
** come up with event-driven architecture, single select loop, no threads, ...
** 25C3: add libdbi/sqlite database backend for "HLR"
** 25C3: get paging to work, support for configurable network ID
** 25C3: debugging/stabilization with > 1000 test users ;)
** 25C3: IMSI+IMEI skimming
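The Layer2 point above (several SAPIs on one link, fixed TEIs) is what a Q.921 address-field decoder has to cope with. The following is an added example, not OpenBSC or mISDN code: it parses the two LAPD address octets and the control octet of an A-bis frame, using the GSM 08.56 SAPI assignments (0 = RSL, 62 = OML, 63 = Layer 2 management); the frame bytes and the TEI value 25 are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* SAPI values used on A-bis (GSM 08.56) */
enum abis_sapi { ABIS_SAPI_RSL = 0, ABIS_SAPI_OML = 62, ABIS_SAPI_L2MGMT = 63 };

struct lapd_addr {
	uint8_t sapi;	/* 6-bit Service Access Point Identifier */
	uint8_t cr;	/* Command/Response bit */
	uint8_t tei;	/* 7-bit Terminal Endpoint Identifier */
};

/* Decode the Q.921 address field. Returns 0 on success, -1 if the frame is
 * too short or the extension bits are wrong (octet 1 EA=0, octet 2 EA=1). */
int lapd_parse_addr(const uint8_t *frame, size_t len, struct lapd_addr *out)
{
	if (len < 2)
		return -1;
	if ((frame[0] & 0x01) != 0 || (frame[1] & 0x01) != 1)
		return -1;
	out->sapi = frame[0] >> 2;
	out->cr = (frame[0] >> 1) & 0x01;
	out->tei = frame[1] >> 1;
	return 0;
}

/* Classify the control octet (frame[2]): 'I' (information), 'S' (supervisory),
 * 'U' (unnumbered) as in Q.921/HDLC; '?' if the frame has no control octet. */
char lapd_frame_type(const uint8_t *frame, size_t len)
{
	if (len < 3)
		return '?';
	if ((frame[2] & 0x01) == 0)
		return 'I';
	return ((frame[2] & 0x03) == 0x01) ? 'S' : 'U';
}

/* Map a SAPI to the A-bis signalling link it carries, for demultiplexing. */
const char *abis_sapi_name(uint8_t sapi)
{
	switch (sapi) {
	case ABIS_SAPI_RSL:    return "RSL";
	case ABIS_SAPI_OML:    return "OML";
	case ABIS_SAPI_L2MGMT: return "L2-mgmt";
	default:               return "unknown";
	}
}
```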

* other FOSS projects related to GSM
** OpenBTS
** gssm / gsm-tvoid / gsmsp

* availability of BS-11
** remember: you need a HFC-E1, and shipping of 48kg
** import/ownership restrictions at your place of residence!

* short demo (10-15min)
** IMSI/IMEI snooping
** ringtone demonstration

* links
** OpenBSC http://openbsc.gnumonks.org
** toast
** 3GPP (http://www.3gpp.org/) / ETSI (http://www.etsi.org/)
** Goeller homepage (http://www2.informatik.hu-berlin.de/~goeller)
** THC Wiki (http://wiki.thc.org/gsm)
** OpenBTS (http://openbts.sourceforge.net/) + gnuradio wiki
** Harald's branch of gsm-tvoid, etc (git://git.gnumonks.org/gsm.git)
personal git repositories of Harald Welte. Your mileage may vary