path: root/2008/gsm-ccc2008/gsm-ccc2008.mgp
blob: 9fd769abac4fd4f3d4f564bf4c9e63a19ac09e3e (plain)
%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"

%center
%size 7

Running 
Your own
GSM Network

%center
%size 4
by

Harald Welte <laforge@gnumonks.org>
Dieter Spaar <spaar@mirider.augusta.de>


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
Why?


Why would you run your own GSM network?
	For the same reason you might run other networks
		To learn and experiment with technology
		To boldly go where no [free] man has gone before ;)
	Practical demonstration of known GSM security problems
	Raise public awareness about GSM [in]security
		thus increase the incentive for the market to improve

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
Legal Disclaimer


Legal Disclaimer
	Don't try this at home!
	GSM operates on LICENSED spectrum
		Thus, you need approval from the regulatory authority
		Only use BTS with dummy load!
		Don't interfere with the operators!
	Our software is strictly for research purpose only

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
GSM Network Architecture


The Hitchhikers Guide to the GSM Network
	unfortunately does not exist

The GSM related literature
	is typically too high-level

The GSM protocol specifications
	are publicly available but _very_ comprehensive (1,108 PDFs, 414MByte)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
GSM Network Architecture

GSM is a bit-synchronous network
	it draws many analogies from ISDN and SDN
	layer 2 modelled after Q.921 / LAPD
	call signalling modelled after Q.931
	but: many more protocols for mobility management, radio resources, ...
	like all traditional Telco protocols: Intelligence in the network, not in the end nodes.

GSM is a TDMA "nightmare"
	e.g. without the timing context you never know whom a burst of data is from or for

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
GSM Network Architecture

MS
	Mobile Station (your Phone)
BTS
	Base Transceiver Station
BSC
	Base Station Controller
MSC
	Mobile Switching Center
HLR/VLR
	Home/Visitor Location Register


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
GSM Base Transceiver Station

BTS
	As the name indicates "transceiver"
	Handles 
		Layer 1 and some parts of the RF-side layer 2
		Modulation/Demodulation
		Time Multiplex, scheduling of frames
	Is not a "Base Station", i.e. not self-contained
		True 'slave' to the BSC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
GSM Base Station Controller


BSC
	Base Station Controller
	Handles
		most of the actual decision making
		really controls most aspects of BTSs
		handles intra-BSC cell handover

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
GSM Mobile Switching Center


MSC
	Mobile Switching Center
	Handles
		Actual switching of the calls
		Interworking with ISDN or POTS
		Inter-BSC cell handover
HLR/VLR
	Home/Visitor Location Register
	Handles
		database of local / roaming subscribers

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
GSM A-bis interface


BSC <-> BTS Interface
	is called A-bis
	has the following control layers on E1 TS1
		L2ML (Layer 2 Management)
			TEI management similar to ISDN
		OML (Organization & Maintenance)
			System parameters, events
		RSL (Radio Subsystem Layer)
	has encoded voice data (TRAU frames) on other E1 TS

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
GSM A-bis interface

%image "2_small.jpg"


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
GSM A-bis interface

%image "3_small.jpg"


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
GSM A-bis interface


Abis RSL
	contains messages for 
		Radio Link Layer (RLL)
		Dedicated Channel (DCHAN)
		Common Channel (CCHAN)
		Transceiver (TRX)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
GSM Mobile Switching Center


Abis RSL Radio Link Layer
	contains messages for
		Call Control (CC)
		Mobility Management (MM)
		Radio Resource (RR)
		Short Message Service (SMS)
	mostly specified in GSM TS 04.08

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
The Siemens BS-11 microBTS


Siemens BS-11 microBTS
	plain old 2G (GSM voice calls, CSD)
	one or two TRX, 30mW to 2W each, GSM900
	two E1 interfaces (for daisy-chaining)
	documentation under NDA, but
		99.9% of the A-bis protocol available from GSM specs
			See TS 04.08 (RLL), 12.21 (OML), 08.58 (RSL)
	RS232 serial port for Local Maintenance Terminal
		LMT software proprietary under NDA
			not needed for operation of the BTS

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "1_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "p1010012_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "p1010013_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
The Siemens BS-11 microBTS

%image "p1010020_small.jpg"

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
The Siemens BS-11 microBTS


First steps with the Siemens BS-11
	Harald bought a BS-11 on e-Bay in 2006
		Started to read some specs (08.5x) about A-bis
		Started to build cables for E1 and power
		Bought HFC-E1 PCI card
		Bought Elmi EGM35 Abis analyzer (e-Bay once again)
		Contacted other people who had also bought a BS-11
		Found somebody who could provide Abis traces
		Never really had time due to Openmoko and other projects

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
The Siemens BS-11 microBTS


Further steps with the Siemens BS-11
	Dieter bought a BS-11 09/2008
		Bought HFC-E1 PCI card
		Started development based on HFC-E1 reference driver code
		Found somebody who could provide Abis traces
		Made very quick progress

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
BS11-Init


BS11-Init (09/2008)
	Cologne Chip HFC-E1 reference code for DOS
		polling, no interrupts
	ported to Windows and Linux (mmap of HFC registers to userspace)
	proof-of-concept code based on challenge-response
	handles TEI assignment, brings OML and RSL up
	allows for location update and paging of single phone

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
BS11-Init

%image "4_small.jpg"


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
From BS11-Init to OpenBSC


From BS11-Init to OpenBSC (12/2008)
	get L2ML to work with mISDN
		mainline mISDN doesn't deal with multiple SAPIs and fixed TEI
	learn how new sockets-based mISDN API works
	come up with event-driven architecture, single select loop, no threads, ...
	At 25C3:
		add libdbi/sqlite database for "HLR"
		get paging to work, support for configurable network ID
		debugging + stabilization with > 1000 test users ;)
		IMSI + IMEI skimming

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
Work at 25C3


IMSI+IMEI skimming
	very simple:
		phones with automatic network selection pick strongest network
		they send LOCATION UPDATE REQUEST
		we send IDENTITY REQUEST IMSI + IMEISV
		they send IMSI + IMEISV
		we store this in the database
		and then send LOCATION UPDATE REJECT
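
The following is an added example, not code from these slides or from OpenBSC. It decodes the GSM TS 04.08 Mobility Management messages named on the "Abis RSL Radio Link Layer" slide (LOCATION UPDATING REQUEST/REJECT, IDENTITY REQUEST/RESPONSE, AUTHENTICATION REQUEST) and then scans one MS-to-network dialogue for the skimming pattern just described: identity requested, identity disclosed, location update rejected, no authentication in between. Seen from a trace analyser on the A-bis or Um side, that sequence is the fingerprint a defender would alert on. Message type values, the Mobile Identity and LAI encodings and the reject causes are taken from TS 04.08 as I know it; every message byte string, the test PLMN 001/01, the TMSI and the IMSI/IMEISV values are constructed for this illustration.

```python
# Added example (not from the slides or OpenBSC): decode TS 04.08 MM messages
# and flag the identity-harvesting dialogue. All message bytes are constructed.

PD_MM = 0x05  # protocol discriminator: Mobility Management (04.08 10.2)

MT = {  # MM message types used here (04.08 table 10.2)
    0x02: "LOCATION UPDATING ACCEPT",
    0x04: "LOCATION UPDATING REJECT",
    0x08: "LOCATION UPDATING REQUEST",
    0x12: "AUTHENTICATION REQUEST",
    0x14: "AUTHENTICATION RESPONSE",
    0x18: "IDENTITY REQUEST",
    0x19: "IDENTITY RESPONSE",
}
ID_TYPE = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}  # 04.08 10.5.1.4
REJECT_CAUSE = {2: "IMSI unknown in HLR", 3: "Illegal MS", 6: "Illegal ME",
                11: "PLMN not allowed", 12: "Location Area not allowed",
                13: "Roaming not allowed in this location area"}  # 10.5.3.6


def decode_mobile_identity(ie):
    """Decode a Mobile Identity IE value (length octet already stripped)."""
    id_type = ie[0] & 0x07
    if id_type == 4:                       # TMSI: four raw octets, not BCD
        return "TMSI", ie[1:5].hex()
    odd = (ie[0] >> 3) & 1                 # odd/even number of digits
    digits = [ie[0] >> 4]                  # digit 1 sits in the high nibble
    for b in ie[1:]:                       # then two digits per octet,
        digits.append(b & 0x0F)            # low nibble first
        digits.append(b >> 4)
    if not odd:
        digits.pop()                       # even count: last nibble is 0xF filler
    return ID_TYPE.get(id_type, "?"), "".join(str(d) for d in digits)


def decode_lai(lai):
    """Location Area Identification (04.08 10.5.1.3) -> (MCC, MNC, LAC)."""
    mcc = f"{lai[0] & 0xF}{lai[0] >> 4}{lai[1] & 0xF}"
    mnc = f"{lai[2] & 0xF}{lai[2] >> 4}"
    if lai[1] >> 4 != 0xF:                 # third MNC digit present
        mnc += str(lai[1] >> 4)
    return mcc, mnc, int.from_bytes(lai[3:5], "big")


def decode_mm(msg):
    """Pull the fields we care about out of one MM layer-3 message."""
    if msg[0] & 0x0F != PD_MM:
        raise ValueError("not a Mobility Management message")
    mtype = msg[1] & 0x3F                  # bits 7-8 carry N(SD) on uplink
    out = {"type": MT.get(mtype, f"MM 0x{mtype:02x}")}
    if mtype == 0x08:    # LU REQUEST: KSI/LU type(1) LAI(5) classmark 1(1) MI(LV)
        out["lai"] = decode_lai(msg[3:8])
        out["identity"] = decode_mobile_identity(msg[10:10 + msg[9]])
    elif mtype == 0x19:  # IDENTITY RESPONSE: MI(LV)
        out["identity"] = decode_mobile_identity(msg[3:3 + msg[2]])
    elif mtype == 0x18:  # IDENTITY REQUEST: identity type in bits 1-3
        out["requested"] = ID_TYPE.get(msg[2] & 0x07, "?")
    elif mtype == 0x04:  # LU REJECT: reject cause
        out["cause"] = REJECT_CAUSE.get(msg[2], f"cause {msg[2]}")
    return out


def flag_identity_harvest(msgs):
    """One MS<->network dialogue. Report when the network asked for a
    permanent identity (IMSI/IMEI/IMEISV) and then rejected the location
    update without ever authenticating: the skimming pattern above."""
    decoded = [decode_mm(m) for m in msgs]
    types = [d["type"] for d in decoded]
    if "LOCATION UPDATING REQUEST" not in types:
        return None
    requested = [d["requested"] for d in decoded
                 if d.get("requested") in ("IMSI", "IMEI", "IMEISV")]
    rejects = [d for d in decoded if d["type"] == "LOCATION UPDATING REJECT"]
    if not requested or not rejects or "AUTHENTICATION REQUEST" in types:
        return None
    return {"requested": requested,
            "disclosed": [d["identity"] for d in decoded
                          if d["type"] == "IDENTITY RESPONSE"],
            "reject_cause": rejects[-1]["cause"]}


# Constructed dialogue: test PLMN 001/01, LAC 1, made-up TMSI/IMSI/IMEISV
LU_REQ = bytes.fromhex("05 08 70 00 f1 10 00 01 33 05 f4 12 34 56 78")
ID_REQ_IMSI = bytes.fromhex("05 18 01")
ID_RESP_IMSI = bytes.fromhex("05 19 08 09 10 10 10 32 54 76 98")
ID_REQ_IMEISV = bytes.fromhex("05 18 03")
ID_RESP_IMEISV = bytes.fromhex("05 19 09 33 15 32 04 10 32 54 06 f1")
LU_REJECT = bytes.fromhex("05 04 0b")                 # cause 11
AUTH_REQ = bytes.fromhex("05 12 00") + bytes(16)      # KSI 0 + zero RAND
LU_ACCEPT = bytes.fromhex("05 02 00 f1 10 00 01")     # LAI only

SKIMMING_TRACE = [LU_REQ, ID_REQ_IMSI, ID_RESP_IMSI,
                  ID_REQ_IMEISV, ID_RESP_IMEISV, LU_REJECT]
BENIGN_TRACE = [LU_REQ, AUTH_REQ, LU_ACCEPT]

if __name__ == "__main__":
    print(flag_identity_harvest(SKIMMING_TRACE))   # flagged
    print(flag_identity_harvest(BENIGN_TRACE))     # None
```

The rule is deliberately narrow: a legitimate network also sends IDENTITY REQUEST when it has lost the TMSI mapping, but it then authenticates and accepts (or rejects with a cause tied to the subscriber). Requesting IMSI and IMEISV back to back and rejecting every subscriber with a generic cause is what a harvesting setup looks like, so that combination is what the scan keys on.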

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
Work at 25C3


Mobile Originated Call
	once a MS is registered, we can
		dial a number from the MS
		allocate and establish a TCH/F 
		deal with the Signalling and get into Connect
	unfortunately, code for handling voice streams not finished

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
Work at 25C3


Mobile Originated SMS
	once a MS is registered, we can
		send a SMS
		parse + acknowledge SMS PDU data
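
As an added example (not code from the slides or from OpenBSC), here is what "parse + acknowledge SMS PDU data" amounts to on the network side: a parser for the SMS-SUBMIT TPDU (GSM TS 03.40) that the phone carries inside an RP-DATA (TS 04.11) on SAPI 3, including 7-bit default-alphabet unpacking, plus the two-octet RP-ACK that acknowledges it. Field layout and the RP-ACK type value are from 03.40/04.11 as I know them; the sample TPDU, destination number and message text are constructed, and the 7-bit decoder maps only the part of the default alphabet that coincides with ASCII.

```python
# Added example (not from the slides or OpenBSC): parse an SMS-SUBMIT TPDU
# (TS 03.40) and build the RP-ACK (TS 04.11). The sample TPDU is constructed.

# Septet ranges where GSM 03.38 default alphabet == ASCII (rest differ)
GSM7_SAME_AS_ASCII = (range(0x20, 0x24), range(0x25, 0x40),
                      range(0x41, 0x5B), range(0x61, 0x7B))


def unpack_7bit(data, septets):
    """Unpack 03.38 7-bit packed user data into a list of septet values."""
    out = []
    for i in range(septets):
        byte, shift = divmod(i * 7, 8)
        v = data[byte] >> shift
        if shift > 1 and byte + 1 < len(data):   # septet straddles two octets
            v |= data[byte + 1] << (8 - shift)
        out.append(v & 0x7F)
    return out


def gsm7_to_text(septets):
    """Default alphabet -> text for the ASCII-identical subset; others -> '?'."""
    chars = []
    for s in septets:
        if s == 0x00:
            chars.append("@")
        elif any(s in r for r in GSM7_SAME_AS_ASCII):
            chars.append(chr(s))
        else:
            chars.append("?")
    return "".join(chars)


def decode_bcd_number(data, ndigits):
    """Semi-octet digits, low nibble first; trailing 0xF filler dropped."""
    digits = []
    for b in data:
        digits += [b & 0x0F, b >> 4]
    return "".join(str(d) for d in digits[:ndigits])


def relative_vp_minutes(v):
    """TP-Validity-Period, relative format (03.40 9.2.3.12.1), in minutes."""
    if v <= 143:
        return (v + 1) * 5
    if v <= 167:
        return 12 * 60 + (v - 143) * 30
    if v <= 196:
        return (v - 166) * 24 * 60
    return (v - 192) * 7 * 24 * 60


def parse_sms_submit(tpdu):
    """Parse an SMS-SUBMIT TPDU (MS -> network) into its fields."""
    first = tpdu[0]
    if first & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT TPDU")
    vpf = (first >> 3) & 0x03       # TP-VPF: 0 absent, 2 relative, 1/3 7 octets
    udhi = bool(first & 0x40)       # TP-UDHI: user data header present
    mr = tpdu[1]                    # TP-MR
    da_digits, toa = tpdu[2], tpdu[3]
    n = (da_digits + 1) // 2
    dest = decode_bcd_number(tpdu[4:4 + n], da_digits)
    if toa & 0x70 == 0x10:          # type-of-number: international
        dest = "+" + dest
    pos = 4 + n
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    pos += 2
    vp_minutes = None
    if vpf == 2:
        vp_minutes = relative_vp_minutes(tpdu[pos])
        pos += 1
    elif vpf in (1, 3):
        pos += 7                    # enhanced/absolute formats not decoded here
    udl = tpdu[pos]
    ud = tpdu[pos + 1:]
    text = None
    if dcs & 0xF0 == 0 and (dcs >> 2) & 0x03 == 0 and not udhi:
        text = gsm7_to_text(unpack_7bit(ud, udl))   # default 7-bit alphabet
    return {"mr": mr, "dest": dest, "pid": pid, "dcs": dcs,
            "vp_minutes": vp_minutes, "udl": udl, "text": text}


def build_rp_ack(rp_mr):
    """RP-ACK, network -> MS (04.11 7.3.3): RP-MTI 3, RP-MR echoed back.
    Sent inside a CP-DATA on SAPI 3 to acknowledge the RP-DATA."""
    return bytes([0x03, rp_mr & 0xFF])


# Constructed TPDU: SMS-SUBMIT, MR 0, to +491234567890, relative VP 0xAA,
# 7-bit text "Hello 25C3" (10 septets packed into 9 octets)
SAMPLE_SUBMIT = bytes.fromhex(
    "11 00 0c 91 94 21 43 65 87 09 00 00 aa 0a c8 32 9b fd 06 c9 6a c3 19")

if __name__ == "__main__":
    print(parse_sms_submit(SAMPLE_SUBMIT))
    print(build_rp_ack(0x01).hex())
```

Two points worth noting from a parser-hardening view: every length octet (TP-DA digits, TP-UDL) comes from the phone and should be checked against the remaining buffer before slicing in production code, and a message with TP-UDHI set or a non-default TP-DCS is reported with `text` of `None` rather than mis-decoded, which is the safe failure for a store-and-forward MSC.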

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
Work at 25C3


The Egypt simulation
	apparently GPS is illegal in mobile phones in Egypt
		"Egypt detection" implemented by checking whether any surrounding cells broadcast the Egyptian country code
		phones don't even have to register to our BTS!
		so if we claim to be e.g. MobiNil, phones will shut off their GPS


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
Other GSM related FOSS


Other GSM related FOSS
	OpenBTS
		100% Software Defined Radio based on USRP + gnuradio
		implements entire RF+layer1/2/3 and interfacing to SIP/Asterisk
		much more than just a BTS!!
		some code overlap with OpenBSC

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
Links

	OpenBSC
		http://openbsc.gnumonks.org/
	3GPP / ETSI GSM Specs
		http://www.3gpp.org/
	Priv-Doz. Dr.-Ing Joachim Goeller
		http://www2.informatik.hu-berlin.de/~goeller
	THC GSM Wiki 
		http://wiki.thc.org/gsm
	OpenBTS
		http://gnuradio.org/trac/wiki/OpenBTS
	Harald's branch of gsm-tvoid, etc
		git://git.gnumonks.org/gsm.git

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
Thanks


Thanks to
		zecke, alphaone, Stefan for their work on OpenBSC
		W. for his extensive A-bis protocol traces and MA-10
		all the voluntary testers at 25C3
		Karsten Keil for mISDN

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page 
Running Your Own GSM Network
Thanks


LIVE DEMO