%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
OpenBSC
%size 5
Running Your own
GSM Network
%center
%size 4
by
Harald Welte <laforge@gnumonks.org>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Why?
Why would you run your own GSM network?
For the same reason you might run other networks
To learn and experiment with technology
To boldly go where no [free] man has gone before ;)
Practical demonstration of known GSM security problems
Raise public awareness about GSM [in]security
thus increase the incentive for the market to improve
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Legal Disclaimer
Legal Disclaimer
Don't try this at home!
GSM operates on LICENSED spectrum
Thus, you need approval from the regulatory authority
Only use BTS with dummy load!
Don't interfere with the operators!
Our software is strictly for research purpose only
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Network Architecture
The Hitchhiker's Guide to the GSM Network
unfortunately does not exist
The GSM related literature
is typically too high-level
The GSM protocol specifications
are publicly available but _very_ comprehensive (1,108 PDFs, 414MByte)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Network Architecture
GSM is a bit-synchronous network
it draws many analogies from ISDN and SDN
layer 2 modelled after Q.921 / LAPD
call signalling modelled Q.931
but: many more protocols for mobility management, radio resources, ...
like all traditional Telco protocols: Intelligence in the network, not in the end nodes.
GSM is a TDMA "nightmare"
e.g. you never know from/for whom data is without the timing context
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Network Architecture
MS
Mobile Station (your Phone)
BTS
Base Transceiver Station
BSC
Base Station Controller
MSC
Mobile Switching Center
HLR/VLR
Home/Visitor Location Register
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Base Transceiver Station
BTS
As the name indicates "transceiver"
Handles
Layer 1 and some parts of RF layer2
Modulation/Demodulation
Time Multiplex, scheduling of frames
Is not a "Base Station", i.e. not self-contained
True 'slave' to the BSC
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Base Station Controller
BSC
Base Station Controller
Handles
most of the actual decision making
really controls most aspects of BTSs
handles intra-BSC cell handover
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Mobile Switching Center
MSC
Mobile Switching Center
Handles
Actual switching of the calls
Interworking with ISDN or POTS
Inter-BSC cell handover
HLR/VLR
Home/Visitor Location Register
Handles
database of local / roaming subscribers
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Um interface
MS <-> BTS Interface
is called Um
layer 2: LAPD derived; called LAPDm
layer 3: GSM 04.08 RR / MM / CC
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface
BSC <-> BTS Interface
is called A-bis
has the following control layers on E1 TS1
L2ML (Layer 2 Management)
TEI management similar to ISDN
OML (Organization & Maintenance)
System parameters, events
RSL (Radio Subsystem Layer)
has encoded voice data (TRAU frames) on other E1 TS
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface
%image "2_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface
%image "3_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM A-bis interface
Abis RSL
contains messages for
Radio Link Layer (RLL)
Dedicated Channel (DCHAN)
Common Channel (CCHAN)
Transceiver (TRX)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
GSM Mobile Switching Center
Abis RSL Radio Link Layer
contains messages for
Call Control (CC)
Mobility Management (MM)
Radio Resource (RR)
Short Message Service (SMS)
mostly specified in GSM TS 04.08
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS
Siemens BS-11 microBTS
plain old 2G (GSM voice calls, CSD)
one or two TRX, 30mW to 2W each, GSM900
two E1 interfaces (for daisy-chaining)
documentation under NDA, but
99.9% of the A-bis protocol available from GSM specs
See TS 04.08 (RLL), 12.21 (OML), 08.58 (RSL)
RS232 serial port for Local Maintenance Terminal
LMT software proprietary under NDA
not needed for operation of the BTS
bs11_config is a FOSS replacement
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS
%image "1_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS
%image "p1010012_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS
%image "p1010013_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS
%image "p1010020_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS
First steps with the Siemens BS-11
Harald bought a BS-11 on e-Bay in 2006
Started to read some specs (08.5x) about A-bis
Started to build cables for E1 and power
Bought HFC-E1 PCI card
Bought Elmi EGM35 Abis analyzer (e-Bay once again)
Contacted other people who also bought BS-11
Found somebody who could provide Abis traces
Never really had time due to Openmoko and other projects
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The Siemens BS-11 microBTS
Further steps with the Siemens BS-11
Dieter bought a BS-11 09/2008
Bought HFC-E1 PCI card
Started development based on HFC-E1 reference driver code
Found somebody who could provide Abis traces
Made very quick progress
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
BS11-Init
BS11-Init (09/2008)
Cologne Chip HFC-E1 reference code for DOS
polling, no interrupts
ported to Windows and Linux (mmap of HFC registers to userspace)
proof-of-concept code based on challenge-response
handles TEI assignment, brings OML and RSL up
allows for location update and paging of single phone
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
BS11-Init
%image "4_small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
From BS11-Init to OpenBSC
From BS11-Init to OpenBSC (12/2008)
get L2ML to work with mISDN
mainline mISDN doesn't deal with multiple SAPIs and fixed TEI
learn how new sockets-based mISDN API works
come up with event-driven architecture, single select loop, no threads, ...
At 25C3:
add libdbi/sqlite database for "HLR"
get paging to work, support for configurable network ID
debugging + stabilization with > 1000 test users ;)
IMSI + IMEI skimming
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
OpenBSC takes off (2009)
implementation of more features
SMS store-and-forward switching
stable voice calls (FR and EFR codec)
support for more than one transceiver per BTS
support for multiple BTS
cisco-like console interface
support for more BTS models (ip.access nanoBTS)
interface to traditional E1 (using linux call router)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
OpenBSC takes off (2009)
fixing tons of bugs and stability issues
don't rely on the phone behaving properly (e.g. timeouts)
fix plenty of resource leaks (RAM)
fix plenty of resource leaks like on-air channels
finally uncover the last bits of the Siemens A-bis extensions
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
OpenBSC status today
OpenBSC is a 'gsm network in a box'
no need for separate MSC/HLR/VLR/AUC/SMSC
Capabilities
operation of a network with > 400 users
multiple BTS with each multiple TRX
voice calls and SMS implementation fairly complete
no in-call handover (only in idle mode)
no GPRS (yet), no EDGE (yet)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
OpenBSC future
Separation between BSC and MSC
Support actual A interface (over SCCP)
allows us to be used with real MSC
Support for GPRS + EDGE (with proper BTS)
Routing of calls between E1 and IP/RTP based BTS
Interfaces for external apps such as Scapy packet injection
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network
License from Agentschap Telecom
Stichting Hxx applied for a GSM test license
license permits us to use 4 ARFCNs
Transmit power of 100mW on each ARFCN
antenna height restricted to 3m
in case operators get interference, we have to shut down
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network
Two BS-11, each two TRX
BTS0 runs on ARFCN 121 and 123 (LAC 1)
BTS1 runs on ARFCN 124 and 122 (LAC 2)
Antennas mounted back-to-back to a tree on top of a hill
Two BTS share single E1 link in multi-drop mode
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM BTSs
%image "har2009-bs11_at_tree.small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 BTS Antennas
%image "har2009-bs11_antennas.small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 BTS Antennas
%image "har2009-bs11_antennas2.small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network
One Linux PC with OpenBSC
uses mISDN driver for HFC-E1 card
60m of CAT5 cable runs E1 to the
Network ID: MCC 204 (NL), MNC 42
Typical CPU usage < 5%
Typical RAM usage < 3MB RSS
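The network identity on this slide (MCC 204, MNC 42) and the two location area codes of the HAR2009 cells (LAC 1 for BTS0, LAC 2 for BTS1) are what a phone sees in the Location Area Identification (LAI) a cell broadcasts; the PLMN part is what decides whether a phone treats a cell as "its" network, which is why a test network needs an identity that is licensed and does not collide with a live operator. The following is an added example, not code from the slides or from OpenBSC itself: it packs and unpacks the LAI in the BCD layout of GSM TS 04.08 (section 10.5.1.3), and goes slightly beyond the slide by also handling three-digit MNCs. Function names are this example's own.

```python
# Added example, not from the OpenBSC slides or the project's source:
# encode/decode the Location Area Identification (LAI) that a cell
# broadcasts, in the BCD layout of GSM TS 04.08 section 10.5.1.3.
# The parameter values come from the slides (MCC 204, MNC 42, LAC 1/2);
# the function names are this example's own.

def encode_plmn(mcc: int, mnc: int, mnc_digits: int = 2) -> bytes:
    """Pack MCC and MNC into the 3-byte PLMN identity.

    Nibble layout (low nibble listed first):
      byte 0: MCC digit 1 | MCC digit 2
      byte 1: MCC digit 3 | MNC digit 3 (0xF when the MNC has two digits)
      byte 2: MNC digit 1 | MNC digit 2
    """
    if not 0 <= mcc <= 999:
        raise ValueError("MCC must be three decimal digits")
    if mnc_digits not in (2, 3) or not 0 <= mnc < 10 ** mnc_digits:
        raise ValueError("MNC must fit in mnc_digits (2 or 3) decimal digits")
    mcc1, mcc2, mcc3 = (int(d) for d in f"{mcc:03d}")
    mnc_str = f"{mnc:0{mnc_digits}d}"
    mnc1, mnc2 = int(mnc_str[0]), int(mnc_str[1])
    mnc3 = int(mnc_str[2]) if mnc_digits == 3 else 0xF
    return bytes([mcc1 | (mcc2 << 4), mcc3 | (mnc3 << 4), mnc1 | (mnc2 << 4)])


def decode_plmn(raw: bytes) -> tuple:
    """Inverse of encode_plmn; returns (mcc, mnc, mnc_digits).

    Rejects non-decimal nibbles so that a corrupted or hand-crafted identity
    is flagged instead of silently being read as some other operator's PLMN.
    """
    if len(raw) != 3:
        raise ValueError("PLMN identity is exactly 3 bytes")
    mcc1, mcc2 = raw[0] & 0xF, raw[0] >> 4
    mcc3, mnc3 = raw[1] & 0xF, raw[1] >> 4
    mnc1, mnc2 = raw[2] & 0xF, raw[2] >> 4
    for nibble in (mcc1, mcc2, mcc3, mnc1, mnc2):
        if nibble > 9:
            raise ValueError("non-decimal digit in PLMN identity")
    mcc = mcc1 * 100 + mcc2 * 10 + mcc3
    if mnc3 == 0xF:
        return mcc, mnc1 * 10 + mnc2, 2
    if mnc3 > 9:
        raise ValueError("non-decimal digit in MNC")
    return mcc, mnc1 * 100 + mnc2 * 10 + mnc3, 3


def encode_lai(mcc: int, mnc: int, lac: int, mnc_digits: int = 2) -> bytes:
    """LAI = PLMN identity followed by the 16-bit LAC, big-endian."""
    if not 0 <= lac <= 0xFFFF:
        raise ValueError("LAC is a 16-bit value")
    return encode_plmn(mcc, mnc, mnc_digits) + lac.to_bytes(2, "big")


def decode_lai(raw: bytes) -> tuple:
    """Returns (mcc, mnc, mnc_digits, lac)."""
    if len(raw) != 5:
        raise ValueError("LAI is exactly 5 bytes")
    mcc, mnc, nd = decode_plmn(raw[:3])
    return mcc, mnc, nd, int.from_bytes(raw[3:], "big")


if __name__ == "__main__":
    # The two HAR2009 cells from the slides: BTS0 in LAC 1, BTS1 in LAC 2.
    for lac in (1, 2):
        lai = encode_lai(204, 42, lac)
        print(f"LAC {lac}: {lai.hex()} -> {decode_lai(lai)}")
```

For the HAR2009 identity the PLMN bytes are 02 f4 24; the 0xF filler nibble is how a receiver tells a two-digit MNC (42) from a three-digit one, so a decoder that ignores it will misread the identity.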
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 OpenBSC
%image "har2009-gsm_tent.small.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network
Registration procedure
Your phone tries to use 204-42 or NL-42
When we first see a particular IMSI
we send a SMS with auth token and URL
we kick phone off the network
You go to the URL indicated and enter your token
we mark the IMSI as authorized in our HLR DB
You try to register to the network again
we let the phone on our network
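The registration procedure above is an authorization gate on the IMSI: a phone is rejected until a human proves they hold it by entering the token that was sent to it. What follows is an added example, not code from the slides or from OpenBSC: a model of that gate with an in-memory SQLite table standing in for the HLR database the slides mention. The class and column names, the confirmation URL placeholder and the limit on wrong token entries are this example's own assumptions; the slides describe the procedure, not its implementation.

```python
# Added example, not from the OpenBSC slides or the project's source code:
# a model of the HAR2009 registration gate, with an in-memory SQLite table
# standing in for the HLR database the slides mention. Class and column
# names, the confirmation URL and the attempt limit are this example's own
# assumptions; the slides describe the procedure, not its implementation.
import hashlib
import hmac
import secrets
import sqlite3
from dataclasses import dataclass
from typing import Optional

CONFIRM_URL = "http://example.invalid/register"  # placeholder, not the real URL
MAX_TOKEN_ATTEMPTS = 3                           # assumption: burn token after 3 misses


@dataclass
class LuResult:
    """Outcome of a location update: what the phone is told, plus an optional
    SMS to deliver. The plaintext token is returned only so the caller can put
    it into that SMS; it is never stored."""
    decision: str                  # "accept" or "reject"
    sms: Optional[str] = None
    token: Optional[str] = None


class Hlr:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE subscriber ("
            " imsi TEXT PRIMARY KEY,"
            " authorized INTEGER NOT NULL DEFAULT 0,"
            " token_hash TEXT,"
            " attempts INTEGER NOT NULL DEFAULT 0)"
        )  # token_hash NULL means no live token for this IMSI

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is kept, so a copy of the HLR file does not hand out
        # valid tokens for IMSIs whose owners have not confirmed yet.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue_token(self, imsi: str, known: bool) -> LuResult:
        token = secrets.token_urlsafe(6)
        if known:
            self.db.execute("UPDATE subscriber SET token_hash=?, attempts=0 WHERE imsi=?",
                            (self._hash(token), imsi))
        else:
            self.db.execute("INSERT INTO subscriber (imsi, token_hash) VALUES (?, ?)",
                            (imsi, self._hash(token)))
        self.db.commit()
        sms = f"To use this network, open {CONFIRM_URL} and enter token {token}"
        return LuResult("reject", sms=sms, token=token)

    def location_update(self, imsi: str) -> LuResult:
        """Called when a phone tries to register (LOCATION UPDATING REQUEST)."""
        if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
            return LuResult("reject")                     # malformed IMSI, no SMS
        row = self.db.execute(
            "SELECT authorized, token_hash FROM subscriber WHERE imsi=?", (imsi,)
        ).fetchone()
        if row is None:
            return self._issue_token(imsi, known=False)   # first sighting: SMS, then kick off
        authorized, token_hash = row
        if authorized:
            return LuResult("accept")
        if token_hash is None:
            return self._issue_token(imsi, known=True)    # previous token was burnt
        return LuResult("reject")                         # still pending: no repeat SMS

    def confirm(self, imsi: str, token: str) -> bool:
        """Called by the web form when the user enters the token from the SMS."""
        row = self.db.execute(
            "SELECT token_hash, attempts FROM subscriber WHERE imsi=? AND authorized=0",
            (imsi,),
        ).fetchone()
        if row is None or row[0] is None:
            return False
        token_hash, attempts = row
        if hmac.compare_digest(token_hash, self._hash(token)):
            self.db.execute(
                "UPDATE subscriber SET authorized=1, token_hash=NULL, attempts=0 WHERE imsi=?",
                (imsi,))
            self.db.commit()
            return True
        attempts += 1
        if attempts >= MAX_TOKEN_ATTEMPTS:
            # Burn the token; the phone gets a fresh one on its next location update.
            self.db.execute("UPDATE subscriber SET token_hash=NULL, attempts=0 WHERE imsi=?",
                            (imsi,))
        else:
            self.db.execute("UPDATE subscriber SET attempts=? WHERE imsi=?", (attempts, imsi))
        self.db.commit()
        return False


if __name__ == "__main__":
    hlr = Hlr()
    imsi = "204420000000001"            # constructed IMSI for the demo
    first = hlr.location_update(imsi)   # reject + SMS with token
    print(first.decision, first.sms)
    print(hlr.confirm(imsi, first.token))           # True
    print(hlr.location_update(imsi).decision)       # accept
```

Two choices are worth noting: a pending IMSI is rejected without a second SMS, so a phone that retries in a loop does not turn the gate into an SMS flood, and a token that is guessed wrongly too often is discarded rather than left open to repeated tries from the web form.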
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network
How can I use the network
make and receive calls to/from other registered phones
send and receive SMS to/from other registered phones
How can I play with the network
use airprobe or other tools to eavesdrop on GSM protocol
we don't use any crypto nor frequency hopping
we don't do SMS filtering, i.e. you can send any RPDU to any other phone
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network
Helps us to test OpenBSC under higher load
already fixed several important software bugs
Helps us to obtain real-world protocol traces
Helps us to explore [in]compatibilities with certain phones
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
The HAR2009 GSM Network
Statistics
More than 1100 phones tried to use our network
More than 450 phones completed registration
More than 1000 SMS sent (use more bandwidth!)
More than FIXME attempted voice calls
More than FIXME established voice calls
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Links
OpenBSC
http://openbsc.gnumonks.org/
3GPP / ETSI GSM Specs
http://www.3gpp.org/
Priv-Doz. Dr.-Ing Joachim Goeller
http://www2.informatik.hu-berlin.de/~goeller
THC GSM Wiki
http://wiki.thc.org/gsm
OpenBTS
http://gnuradio.org/trac/wiki/OpenBTS
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Thanks
Thanks to
zecke, alphaone, Stefan, Jan for their work on OpenBSC
W. for his extensive A-bis protocol traces and MA-10
Dieter Spaar for his most excellent input
Karsten Keil for mISDN
Andreas Eversberg for LCR interface and HFC-E1 driver
Stichting Hxx for getting the license
all the voluntary testers at HAR2009
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Running Your Own GSM Network
Thanks
LIVE DEMO