About sniff multi bursts in a frame, CCCH_CONF

Sylvain Munaut 246tnt at gmail.com
Mon Sep 26 06:10:17 UTC 2011


>        the bts arround me uses MultiCCCH, it's CCCH_CONF = 110 (6), so it uses TS0, TS2, TS4 and TS6 in a frame for PCH/AGCH.

Mmm ,interesting, I had never seen that option being used before. What
network is this.

>        but the burst_ind only CCCH-CONF 0 & 1 are supported, it can sniff TS0 only, so only catch 1/4 IMM ASS for me.
>        my OWN phone, it's just not in TS0 (i use nokia netmonitor to check it), so i can't catch it at all (phones use IMSI to decide page group).

Well, it's your own phone (or any known target phone), you know the
IMSI, hence the paging group ...


>        i think the bottleneck is the DSP, as the DSP task (ALLC_DSP_TASK) can only process one TS of a frame (it's enough for phone),
>        i think maybe backup/restore the DSP task variable patch needed, i'm new to the DSP disassemble and patch, anyone can help? thanks

That's gonna be _very_ hard, the DSP uses _plenty_ of global variables ...

But OTOH, instead of using the normal 'RX task', you can use the sniff
task to listen to the CCCH. The sniff task will _not_ do the channel
decoding (i.e. you'll have to call xcch_decode to get the actual 23
bytes L2 frame), but it can sniff up to 4 bursts in a frame. just look
at how sdcch sniffing is done, it currently sniff 2 timeslot 0 & 3 (to
get DL & UL).

This way you won't need any hard DSP patching, just a minor patch on
the firmware to convert CCCH listening to burst_ind (leave the BCCH
task as-it is, just mod the CCCH). And then a patch in the host app to
call xcch_decode appropriately and feed the results 'as if' it cames
from the phone directly.

Cheers,

    Sylvain




More information about the baseband-devel mailing list