1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
|
% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
\documentclass{beamer}
% This file is a solution template for:
% - Talk at a conference/colloquium.
% - Talk length is about 20min.
% - Style is ornate.
% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
%
% In principle, this file can be redistributed and/or modified under
% the terms of the GNU Public License, version 2.
%
% However, this file is supposed to be a template to be modified
% for your own needs. For this reason, if you use this file as a
% template and not specifically distribute it as part of a another
% package/program, I grant the extra permission to freely copy and
% modify this file as you see fit and even to delete this copyright
% notice.
\mode<presentation>
{
\usetheme{Warsaw}
% or ...
\setbeamercovered{transparent}
% or whatever (possibly just delete it)
}
\usepackage[english]{babel}
% or whatever
\usepackage[latin1]{inputenc}
% or whatever
\usepackage{times}
\usepackage[T1]{fontenc}
% Or whatever. Note that the encoding and the font should match. If T1
% does not look nice, try deleting the line with the fontenc.
\usepackage{listings}
\title{GSM Workout}
\subtitle
{Improving GSM protocol analysis}
\author{Harald Welte}
\institute
{gnumonks.org\\gpl-violations.org\\OpenBSC\\airprobe.org\\hmw-consulting.de}
% - Use the \inst command only if there are several affiliations.
% - Keep it simple, no one is interested in your street address.
\date[foss.in/2009] % (optional, should be abbreviation of conference name)
{FOSS.in conference, December 2009, Bangalore/India}
% - Either use conference name or its abbreviation.
% - Not really informative to the audience, more for people (including
% yourself) who are reading the slides online
\subject{Free Software}
% This is only inserted into the PDF information catalog. Can be left
% out.
% If you have a file called "university-logo-filename.xxx", where xxx
% is a graphic format that can be processed by latex or pdflatex,
% resp., then you can add a logo as follows:
% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
% \logo{\pgfuseimage{university-logo}}
% Delete this, if you do not want the table of contents to pop up at
% the beginning of each subsection:
%\AtBeginSubsection[]
%{
% \begin{frame}<beamer>{Outline}
% \tableofcontents[currentsection,currentsubsection]
% \end{frame}
%}
% If you wish to uncover everything in a step-wise fashion, uncomment
% the following command:
%\beamerdefaultoverlayspecification{<+->}
\begin{document}
\begin{frame}
\titlepage
\end{frame}
\begin{frame}{Outline}
\tableofcontents
% You might wish to add the option [pausesections]
\end{frame}
% Structuring a talk is a difficult task and the following structure
% may not be suitable. Here are some rules that apply for this
% solution:
% - Exactly two or three sections (other than the summary).
% - At *most* three subsections per section.
% - Talk about 30s to 2min per frame. So there should be between about
% 15 and 30 frames, all told.
% - A conference audience is likely to know very little of what you
% are going to talk about. So *simplify*!
% - In a 20min talk, getting the main ideas across is hard
% enough. Leave out details, even if it means being less precise than
% you think necessary.
% - If you omit details that are vital to the proof/implementation,
% just say so once. Everybody will be happy with that.
\begin{frame}{The FOSS.in/2009 GSM workout}
What do we want to achieve?
\begin{itemize}
\item improve airprobe.org GSM protocol analyzer
\item improve wireshark protocol dissectors for GSM
\end{itemize}
\end{frame}
\begin{frame}{The FOSS.in/2009 GSM workout}
What skills do you need?
\begin{itemize}
\item general underestanding about communications protocols
\item wireshark usage and preferrably wireshark dissector architecture
\item GSM protocol knowledge not really required
\end{itemize}
\end{frame}
\section{airprobe.org}
\begin{frame}{airprobe architecture}
\begin{itemize}
\item Software to receive GSM off the air
\begin{itemize}
\item implements GSM layer 0 and 1, sometimes 2
\item many implementations available in airprobe.org
\item gsm-receiver and gsm-tvoid most popular
\end{itemize}
\item Intermediate data formate to pass information to protocol analyzer
\item Actual protocol analyzers like
\begin{itemize}
\item gsmdecode, part of airprobe
\item wireshark.org project
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{Intermediate data formats}
\begin{itemize}
\item Intermediate data formate to pass information between GSM receiver and actual protocol analyzer
\begin{itemize}
\item hex bytes for every layer 2 or layer 3 message, or
\item PCAP file with GSM encapsulation type, or
\item some non-standard frames through tun/tap device, or
\item GSMTAP header (like wiretap) inside UDP packets over loopback device
\end{itemize}
\end{itemize}
\end{frame}
\section{GSM Um interface}
\begin{frame}{Understanding Um}{Overview}
% Following GSM 04.03 Section 4
%\small{
\begin{itemize}
\item Modeled after the U interface of ISDN
\item Broadcast channels: SCH, BCCH, FCCH
\item Common channels: CCCH (PCH \& AGCH), RACH
\item Dedicated Channels:
\begin{description}[Dm]
\item[Dm] SDCCH, FACCH, SACCH
\item[Bm] TCH/H, TCH/F
\end{description}
\end{itemize}
\end{frame}
\begin{frame}{Understanding Um}{Channels \& Layers}
\begin{figure}[h]
\centering
\includegraphics[width=100mm]{GSMLayers.pdf}
\end{figure}
\end{frame}
\subsection{Time Division Multiplex}
\begin{frame}{Understanding Um}{TDM Structure}
\begin{itemize}
\item ARFCN (Absolute Radio Freq.~Chan.~Num.)-- A 270,833 Hz radio channel. ARFCNs within a BTS numbered C0, C1, etc.
\item 8 timeslots per frame on each ARFCN, numbered T0..T7.
\item ``physical channel'' -- one slot on one ARFCN, designated C0T0, C0T1, C1T5, etc.
\item Physical channel TDM follows a 26- or 52-frame multiframe, carrying multiple logical channels.
\end{itemize}
\end{frame}
\begin{frame}{Understanding Um --TDM Example}
\begin{figure}[h]
\centering
\includegraphics[width=90mm]{26Multiframe.pdf}
\caption{Example of traffic channel TDM}
\end{figure}
\end{frame}
\subsection{Logical Channels}
\begin{frame}{Understanding Um}{The Beacon}
The beacon is always on C0T0 and always constant full power
\begin{description}[CCCH]
\item[SCH] (Sync.) -- TDM timing and reduced BTS identity
\item[FCCH] (Freq.~Corr.) -- Fine frequency synchronization
\item[BCCH] (Broadcast Control) -- Cell configuration and neighbor list
\item[CCCH] (Common Control) -- a set of unicast channels
\begin{description}[AGCH]
\item[PCH] paging channel for network-originated transactions
\item[AGCH] access grant channel
\item[RACH] uplink access request
\end{description}
\end{description}
\end{frame}
\begin{frame}{Understanding Um}{SCH -- Synchronization CHannel}
\begin{itemize}
\item First channel acquired by a handset
\item T1, T2, T3' -- TDM clocks for GSM frame number
\item BCC -- 3 bits, identifies BTS in the local group
\item NCC -- 3 bits, identifies network within a region
\item BSIC is NCC:BCC
\end{itemize}
\end{frame}
\begin{frame}{Understanding Um}{BCCH -- Broadcast Control CHannel}
\begin{itemize}
\item Second channel acquired by the handset.
\item A repeating cycle of system information messages.
\begin{description}[Type 4]
\item[Type 1] ARFCN set
\item[Type 2] Neighbor list
\item[Type 3] Cell/Network identity, CCCH configuration
\item[Type 4] Network identity, cell selection parameters
\item[GPRS] adds a few more (7, 9, 13, 16, 17)
\end{description}
\end{itemize}
\end{frame}
\begin{frame}{Understanding Um}{CCCH -- Common Control CHannel}
\begin{description}[AGCH]
\item[PCH] Paging
\begin{itemize}
\item Unicast. Handsets addressed by IMSI or TMSI, never IMEI.
\item Handset sees paging request and then requests service on RACH.
\end{itemize}
\item[RACH] Random Access
\begin{itemize}
\item Handset requests channel with RACH burst, 8-bit tag.
\end{itemize}
\item[AGCH] Access Grant
\begin{itemize}
\item BTS answers on AGCH, echoing tag and timestamp.
\end{itemize}
\end{description}
\end{frame}
\begin{frame}{Understanding Um}{Dm Channels}
\begin{description}[SDCCH]
\item[SDCCH] Most heavily used control channel: registration, SMS transfers, call setup in many networks. Payload rate of 0.8 kb/s.
\item[FACCH] Blank and burst channel steals bandwidth from traffic. Used for in-call signaling, call setup in some networks. Payload rate up to 9.2 kb/s on TCH/F.
\item[SACCH] Low rate channel muxed onto every other logical channel type. Used for timing/power control, measurement reports and in-call SMS transfers.
\end{description}
\end{frame}
\begin{frame}{Frequency Hopping}
\begin{itemize}
\item Intended to improve radio performance through diversity in fading and interference
\item Two ways to implement hopping
\begin{itemize}
\item Baseband hopping: $N$ fixed-frequency transceivers are connected to $N$ baseband processors through a switch or commutator. Allows CA of $N$ ARFCNs. C0 can be in the CA.
\item Synthesizer hopping: Each of $N$ baseband processors connects to a dedicated transceiver. This requires transceivers that can be retuned and settled in less than 30~$\mu$s. Allows CA to have $\gg N$ ARFNCs. C0 is not in the CA.
\end{itemize}
\item Some networks implement synchronous hopping to prevent collisions of hopping bursts from neighboring cells.
\end{itemize}
\end{frame}
\begin{frame}{Frequency Hopping Parameters}
A {\em hopping sequence} is an ordered list of ARFCNs used by a given physical channel (PCH), synced to the GSM frame clock.
Each PCH can have an independent hopping sequence.
\begin{description}[MAIO]
\item[CA] Cell Allocation, set of ARFCNs used for hopping in BTS
\item[HSN] Hopping Sequence Number, parameter used in pseudorandom algorithm generating hopping sequence
\item[MA] Mobile Allocation, subset of CA used by a particular PCH
\item[MAIO] MA Index Offset, offset added to hopping sequence when indexing MA.
\end{description}
\begin{itemize}
\item CA is the same for every PCH in the BTS
\item HSN, MA and MAIO can be different for every PCH, usually only MAIO is unique
\end{itemize}
\end{frame}
\subsection{The Layers of the Um Interface}
\begin{frame}{Understanding Um}{The Layers}
The Layers are not exactly the ISO model, but a similar theme.
\begin{description}
\item[L1] The radiomodem, TDM and FEC functions
\item[L2] Frame segmentation and retransmission
\item[L3] Connection \& mobility management
\item[L4] Relay functions between BSC and other entities
\end{description}
\end{frame}
\begin{frame}{Understanding Um}{The Layers}
\begin{figure}[h]
\centering
\includegraphics[width=85mm]{L2Figure.pdf}
\caption{Layers of a Dm channel}
\end{figure}
\end{frame}
\subsection{Um Layer 1}
\begin{frame}{Understanding Um}{L1}
\begin{itemize}
\item Analog radio path (transceiver, amplifiers, duplexer, antenna)
\item{GMSK or GMSK/EDGE radiomodem (``L0'')}
\item{TDM to define logical channels}
\item{FEC (Forward Error Correction)}
\begin{itemize}
\item{Rate-1/2 convolutional code is typical.}
\item{40-bit Fire code parity word on most control channels.}
\item{4-burst or 8-burst interleaving is typical.}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{L1 Overview (see handout)}
\begin{figure}[h]
\centering
\includegraphics[width=50mm]{UmL1Overview.pdf}
\end{figure}
\end{frame}
\begin{frame}{Um L1 Interleaving}
\begin{itemize}
\item Every GSM data frame is spread over 4 or 8 radio bursts.
\begin{itemize}
\item 4-burst block interleave on most channels
\item 8-burst diagonal interleave on TCHs
\end{itemize}
\item Loss of one burst means 1/4 or 1/8 missing channel bits, scattered throughout a frame.
\item Allows a slow-hopping system to achieve many performance gains associated with fast-hopping.
\end{itemize}
\end{frame}
\subsection{Um Layer 2}
\begin{frame}{Understanding Um}{L2}
\begin{itemize}
\item L1 drops frames, but L3 assumes a reliable link.
\item L1 uses fixed-length frames, but L3 uses variable-length messages.
\item L2 (Data Link Layer) bridges the gap with segmentation, sequencing and retransmission.
\item ISDN uses LAPD for L2, derived from HDLC, derived from SDLC, dating back to IBM's SNA mainframe networks.
\end{itemize}
\end{frame}
\begin{frame}{Understanding Um}{L2}
\begin{itemize}
\item{LAPDm on Dm channels, a HDLC derivative, similar to ISDN's LAPD but simplified.}
\item{LLC on GPRS channels, another HDLC derivative.}
\item{GSM defines no L2 in Bm channels.}
\begin{itemize}
\item{Speech/fax are just media and have no L2.}
\item{CSD typically used with PPP for L2.}
\end{itemize}
\end{itemize}
\end{frame}
\section{TODO}
\subsection{GSMTAP}
\begin{frame}{GSMTAP Interface}
It's important to find the right level of the GSMTAP interface
\begin{itemize}
\item If we simply pass every GSM burst, then wireshark would need to do the burst-rerassembly, forward error correction, etc - something it traditionally doesn't do
\item If we pass every Layer 2 Frame (23 bytes)
\begin{itemize}
\item burst decoding, reassembly, etc. is done in receiver
\item however, every burst might have different RF parameters like ARFCN, RX level, error rate, ...
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[containsverbatim]{Current GSMTAP Header}
\tiny{
\begin{lstlisting}
struct gsmtap_hdr {
u_int8_t version; /* version, set to 0x01 currently */
u_int8_t hdr_len; /* length in number of 32bit words */
u_int8_t type; /* see GSMTAP_TYPE_* */
u_int8_t timeslot; /* timeslot (0..7 on Um) */
u_int16_t arfcn; /* ARFCN (frequency) */
u_int8_t noise_db; /* noise figure in dB */
u_int8_t signal_db; /* signal level in dB */
u_int32_t frame_number; /* GSM Frame Number (FN) */
u_int8_t burst_type; /* Type of burst, see above */
u_int8_t antenna_nr; /* Antenna Number */
u_int16_t res; /* reserved for future use (RFU) */
} __attribute__((packed));
\end{lstlisting}
}
\end{frame}
\subsection{ip.access wireshark dissectors}
\begin{frame}{ip.access wireshark dissectors}
\begin{itemize}
\item ip.access wrote some wireshark dissectors against an old wireshark version
\item they never submtited them upstream, but we have the source under GPL
\item meanwhile, upstream wireshark has parts of that functionality
\item we now need to port those old dissectors to current wireshark
\end{itemize}
\end{frame}
\begin{frame}{ip.access wireshark dissectors}
\begin{itemize}
\item IPA protocol as encapsulation layer
\begin{itemize}
\item different implementation in upstream (packet-gsm\_ipa.c)
\item maybe some few bits missing from upstream
\item port the missing bits from ip.access to upstream
\end{itemize}
\item GSM 12.21 (A-bis OML)
\begin{itemize}
\item different implementation in openbsc (abis-oml.patch)
\item quite a number of bits missing from upstream
\item BTS vendor specific decoding preference needed
\end{itemize}
\item GSM 08.58 (A-bis RSL)
\begin{itemize}
\item different implementation in upstream (packet-rsl.c)
\item many ip.access specific bits missing
\item port the missing bits from ip.access to upstream
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{ip.access wireshark dissectors}
\begin{itemize}
\item IPA IML (internal management link)
\begin{itemize}
\item no implementation in upstream
\item simply merge it into current upstream
\end{itemize}
\item RTP Multiplex (packet-rtp\_mux.c)
\begin{itemize}
\item no implementation in upstream
\item simply merge it into current upstream
\end{itemize}
\item GSM CSD (packet-gsm\_csd.c)
\begin{itemize}
\item no implementation in upstream
\item simply merge it into current upstream
\end{itemize}
\end{itemize}
\end{frame}
\end{document}
|