\section{OpenBTS, airprobe and wireshark}
\subsection{OpenBTS Introduction}
\begin{frame}{What is OpenBTS?}
\begin{itemize}
\item is \emph{NOT} a BTS in the typical GSM sense
\item is better described as a GSM-Um to SIP gateway
\item implements the GSM Um (air interface) as SDR
\item uses the USRP hardware as RF interface
\item does not implement any of BSC, MSC, HLR, etc.
\item bridges the GSM Layer3 protocol onto SIP
\item uses SIP switch (like Asterisk) for switching calls + SMS
\item is developed as a C++ program and runs on Linux + MacOS
\end{itemize}
\end{frame}
\begin{frame}{What is OpenBTS?}
\begin{itemize}
\item Open implementation of Um L1 \& L2, an all-software BTS.
\item L1/L2 design based on an object-oriented dataflow approach.
\item Includes L3 RR functions normally found in BSC.
\item Uses SIP PBX for MM and CC functions, eliminating the conventional GSM network. L3 is like an ISDN/SIP gateway.
\item Intended for use in low-cost and rapidly-deployed communications networks, but can be used for experiments (including by Chris Paget at Def Con).
\end{itemize}
\end{frame}
\begin{frame}{OpenBTS Hardware}
OpenBTS supports the following SDR hardware
\begin{itemize}
\item Ettus USRP(1) with two RFX 900 or RFX 1800 daughter boards
\begin{itemize}
\item Modification for external clock input recommended
\item External 52 MHz precision clock recommended
\end{itemize}
\item Kestrel Signal Processing / Range Networks custom radio
\item Close Haul Communications / GAPfiller (work in progress)
\item Ported to other radios by other clients
\end{itemize}
\end{frame}
\begin{frame}{OpenBTS History + Tests}
\begin{itemize}
\item Started work in August 2007, first call in January 2008, first SMS in December 2008.
\item First public release in September 2008, assigned to FSF in October 2008.
\item Tested 3-sector system with 10,000--20,000 handsets at September 2009 Burning Man event in Nevada.
\item Tested 2-sector system with 40,000 handsets at September 2010 Burning Man event in Nevada.
\item Release 2.5 is about 13k lines of C++.
\item Part of GNU Radio project, distributed under GPLv3 (version $\geq$ 2.6: AGPLv3)
\end{itemize}
\end{frame}
\begin{frame}{OpenBTS Software Architecture}
\begin{itemize}
\item \texttt{Transceiver} program
\begin{itemize}
\item SDR processing for Layer 0
\item BTS-side GSM Um Layer 1 implementation
\item sends GSM burst data via UDP socket
\end{itemize}
\item \texttt{OpenBTS} program
\begin{itemize}
\item GSM Um Layer 2 (04.06) + 3 (04.08) implementation
\item SIP UA implementation
\item GSM Layer 3 CC to SIP bridge implementation
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{OpenBTS GSM $\leftrightarrow$ SIP mapping}
\begin{itemize}
\item Location Updates mapped to SIP registration
\begin{itemize}
\item Use IMSI as SIP user name
\end{itemize}
\item Call Control mapped to SIP transactions
\begin{itemize}
\item relatively straightforward
\end{itemize}
\item GSM Traffic Channels mapped to RTP channels
\begin{itemize}
\item No transcoding inside OpenBTS, FR/EFR messages are simply relayed
\end{itemize}
\item SMS mapped to SIP messaging according to RFC 3428
\begin{itemize}
\item A separate \texttt{smqueue} daemon implements store-and-forward
\end{itemize}
\end{itemize}
\end{frame}
%\subsection{Clocking}
\begin{frame}{OpenBTS USRP Clocking}{Clock Stability}
\begin{itemize}
\item USRP has a regular XO (Crystal Oscillator) with 20~ppm accuracy
\item GSM requires 20~ppb carrier clock accuracy
\item possible solutions
\begin{itemize}
\item use external VCTCXO clocking module
\item use external OCXO clocking module
\item use a software calibration program comparing USRP XO with real GSM BTS carrier clocks
\end{itemize}
\item due to clock multiplication, absolute error in GSM1800 is higher than in GSM900
\end{itemize}
\end{frame}
\begin{frame}{OpenBTS USRP Clocking}{64 MHz vs. 52 MHz clock}
\begin{itemize}
\item The USRP master clock is 64~MHz
\item In GSM, all clocks are derived from 13 MHz
\item Thus, a polyphase resampler is part of the SDR software
\item Alternative: use a 52~MHz (13~MHz $\times$ 4) external clock
\item OpenBTS has two transceiver programs, one for each 64 MHz and 52 MHz
\begin{itemize}
\item Make sure to never use the wrong transceiver for your clock!
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{OpenBTS USRP Clocking}{Software Calibration}
Basic idea: Use real GSM cell as clock source
\begin{itemize}
\item Implemented by the \emph{Kalibrator} (\texttt{kal}) program
\item Acquire the FCCH burst of a real GSM cell
\item Measure the clock difference between USRP XO and that cell
\item Use the computed error as frequency offset for the USRP up-/downconverter
\item However, temperature changes and other drift will make the clocks go out of sync over time
\item Can only be used if a real-world GSM network is within range
\end{itemize}
\end{frame}
%\begin{frame}[fragile]{OpenBTS USRP Clocking}{Kalibrator Example}
%\begin{block}{Example of running {\tt kal}}
%\begin{lstlisting}
%[openBTS@openBTS kal-0.2]# ./kal -f 946600000 -u
%USRP side: B
%FPGA clock: 52000000
%Decimation: 192
%Antenna: RX2
%Sample rate: 270833.343750
%average [min, max] (range, stddev) -2197.789062 [-2431, -1843] (588, 146.761444)
%\end{lstlisting}
%\end{block}
%The value {\bf -2198 should be used as FREQOFF constant in Transceiver/USRPDevice.cpp}
%\end{frame}
\begin{frame}{OpenBTS -- ``Nevada Test Site'' \& 21m Mast}
\begin{figure}[h]
\centering
\includegraphics[width=85mm]{NevadaTestSite.jpg}
\end{figure}
\end{frame}
\begin{frame}{Burning Man 2010 Tower Base}
\begin{figure}[h]
\centering
\includegraphics[width=85mm]{OBTSBM2010.jpg}
\end{figure}
\end{frame}
%\begin{frame}<handout:0>{OpenBTS}
% Demonstration
%\end{frame}
\begin{frame}{OpenMS}
\begin{itemize}
\item Subscriber side stack based on OpenBTS.
\item Called an MS, but it is really a BTS stack with the data flows reversed and different RR control logic.
\item Behavior is more like a passive interceptor that can also transmit.
\item Release 1.0 supports non-hopping multi-ARFCN networks.
\item Most L3 control logic provided by the end user.
\item A platform for
\begin{itemize}
\item passive interceptors
\item custom subscriber-side applications
\item environment analysis
\item intelligent jamming
\end{itemize}
\item NOT Open Source
\end{itemize}
\end{frame}