summaryrefslogtreecommitdiff
path: root/2010/gsm_foss-mt2010/section-openbts.tex
blob: 3675e85bba10108091d6dc1b3a286f52f9297b17 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
\subsection{OpenBTS}

\begin{frame}{What is OpenBTS?}
\begin{itemize}
	\item is {\em NOT} a BTS in the typical GSM sense
	\item is better described as a GSM-Um to SIP gateway
	\item implements the GSM Um (air interface) as SDR
	\item uses the USRP hardware as RF interface
	\item does not implement any of BSC, MSC, HLR, etc.
	\item bridges the GSM Layer3 protocol onto SIP
	\item uses SIP switch (like Asterisk) for switching calls + SMS
	\item is developed as C++ program and runs on Linux + MacOS
\end{itemize}
\end{frame}

\begin{frame}{What is OpenBTS?}
\begin{itemize}
	\item Open implementation of Um L1 \& L2, an all-software BTS.
	\item L1/L2 design based on an object-oriented dataflow approach.
	\item Includes L3 RR functions normally found in BSC.
	\item Uses SIP PBX for MM and CC functions, eliminating the conventional GSM network.  L3 is like an ISDN/SIP gateway.
	\item Intended for use in low-cost and rapidly-deployed communications networks, but can be used for experiments (including by Chris Pagent at Def Con).
\end{itemize}
\end{frame}

\begin{frame}{OpenBTS Hardware}
OpenBTS supports the following SDR hardware
\begin{itemize}
	\item Ettus USRP(1) with two RFX 900 or RFX 1800 daughter boards
	\begin{itemize}
		\item Modification for external clock input recommended
		\item External 52 MHz precision clock recommended
	\end{itemize}
	\item Kestrel Signal Processing / Range Networks custom radio
	\item Close Haul Communications / GAPfiller (work in progress)
	\item Ported to other radios by other clients.
\end{itemize}
\end{frame}


\begin{frame}{OpenBTS History + Tests}
\begin{itemize}
	\item Started work in Aug 2007, first call in Jan 2008, first SMS in Dec 2008.
	\item First public release in September 2008, assigned to FSF in Oct 2008.
	\item Ran 3-sector 3-TRX system with 10,000-20,000 handsets at Sept 2009 Burning Man event in Nevada.
	\item Ran 2-sector 5-TRX system with 40,000 handsets at Sept 2010 Burning Man event in Nevada.
	\item Release 2.5 is about 13k lines of C++.
	\item Part of GNU Radio project, distributed under AGPLv3.
	\item Range Networks launched in Sept 2010 to produce commercial products and distributions.
\end{itemize}
\end{frame}


\begin{frame}{Burning Man 2010 Tower Base}
\begin{figure}[h]
	\centering
	\includegraphics[width=85mm]{OBTSBM2010.jpg}
\end{figure}
\end{frame}

%\subsection{Clocking}
%
%\begin{frame}{OpenBTS USRP Clocking}{Clock Stability}
%\begin{itemize}
%	\item USRP has regular XO (Crystal Oscillator) with 20ppm accuracy
%	\item GSM requires 20ppb carrier clock accuracy
%	\item possible solutions
%	\begin{itemize}
%		\item use external VCTCXO clocking module 
%		\item use external OCXO clocking module
%		\item use a software calibration program comparing USRP XO with real GSM BTS carrier clocks
%	\end{itemize}
%	\item due to clock multiplication, absolute error in GSM1800 is higher than in GSM900
%\end{itemize}
%\end{frame}


%\begin{frame}{OpenBTS USRP Clocking}{64 MHz vs. 52 MHz clock}
%\begin{itemize}
%	\item The USRP master clock is 64 Mhz
%	\item In GSM, all clocks are derived from 13 MHz
%	\item Thus, a poly-phase re-sampler is part of SDR software
%	\item Alternative: use 52 MHz (13 MHz * 4) external clock
%	\item OpenBTS has two transceiver programs, one for each 64 MHz and 52 MHz
%	\begin{itemize}
%		\item Make sure to never use the wrong transceiver for your clock!
%	\end{itemize}
%\end{itemize}
%\end{frame}

%\begin{frame}{OpenBTS USRP Clocking}{Software Calibration}
%Basic idea: Use real GSM cell as clock source
%\begin{itemize}
%	\item Implemented by the {\em Kalibrator} ({\tt kal}) program
%	\item Acquire the FCCH burst of a real GSM cell
%	\item Measure the clock difference between USRP XO and that cell
%	\item Use the computed error as offset to USRP up/downconverter
%	\item However, temperature and other drift will make clocks go out of sync over time
%	\item Can only be used if a real-world GSM network is within range
%\end{itemize}
%\end{frame}

%\begin{frame}[fragile]{OpenBTS USRP Clocking}{Kalibrator Example}
%\begin{block}{Example of running {\tt kal}}
%\begin{lstlisting}
%[openBTS@openBTS kal-0.2]# ./kal -f 946600000 -u
%USRP side: B
%FPGA clock: 52000000
%Decimation: 192
%Antenna: RX2
%Sample rate: 270833.343750
%average [min, max] (range, stddev) -2197.789062 [-2431, -1843] (588, 146.761444)
%\end{lstlisting}
%\end{block}
%The value {\bf -2198 should be used as FREQOFF constant in Transceiver/USRPDevice.cpp}
%\end{frame}


%\begin{frame}<handout:0>{OpenBTS}
%        Demonstration
%\end{frame}


%\begin{frame}{OpenMS}
%\begin{itemize}
%	\item Subscriber side stack based on OpenBTS.
%	\item Called MS, but just a BTS stack with data flows reversed and a different RR control logic.
%	\item Behavior is more like a passive interceptor that can also transmit.
%	\item Release 1.0 supports non-hopping multi-ARFCN networks.
%	\item Most L3 control logic provided by the end user.
%	\item A platform for
%	\begin{itemize}
%		\item passive interceptors
%		\item custom subscriber-side applications
%		\item environment analysis
%		\item intelligent jamming
%	\end{itemize}
%\end{itemize}
%\end{frame}

personal git repositories of Harald Welte. Your mileage may vary