No subject

Fri Jan 29 12:01:00 UTC 2016

\subsection{How to synchronize the GSM TDMA multiplex}

As part of the BCCH, the BTS not only sends the FCCH but also the
Synchronization CHannel (SCH).  The Synchronization channel indicates the
current GSM time / frame number (skipping the 3 least significant bits).
By using this received GSM time and incrementing it every time the GSM bit-clock
timer wraps at the beginning of a new TDMA frame, the GSM time is synchronized.

Understanding the multiple layers of time multiplex such as the 26/51
multiframe, superframe and hyperframe, the L1 can multiplex and demultiplex all
the logical channels of GSM.

\section{Miscellaneous Topics}


GPRS was the first packet switched extension to GSM.  In fact, it is much more
its entirely own mobile network, independent of GSM.  The only parts shared are
the GSM modulation scheme (GMSK) and time multiplex, in order to ensure peaceful
coexistence between them.

The L1 and L2 protocols are very different (and much more complex) than GSM.

So while the phone baseband hardware did not need any modifications for a basic
GPRS enabled phone, the software needed to be extended quite a lot.


EDGE is a very small incremental step to GPRS.  It reuses all of the time
multiplex and protocol stack, but introduces a new modulation: Offset
8-PSK instead of GMSK to increase the bandwidth that can be transmitted.
Offset 8-PSK is used (as opposed to simple 8-PSK) to avoid
zero-crossings in the modulator output.

So while the software modifications from GPRS to EDGE are minimal, the 8PSK
modulation scheme has a significant impact on the DSP, ABB and even RF
PA design.


UMTS (sometimes called WCDMA) is an entirely separate cellular network
technology.  Its physical layer, modulation schemes, encoding, frequency
bands, channel spacing are entirely different, as is the Layer1.

UMTS Layer2 has some resemblance to the GPRS Layer2.

UMTS Layer3 for Mobility Management and Call Control are very similar to GSM.

Given the vast physical layer and L1 differences, a UMTS phone hardware design
significantly differs from what has been described in this document.

Notwithstanding, all known commercial UMTS phone chipsets as of today still
include a full GSM modem in hardware and software to remain

\subsection{Dual-SIM and Triple-SIM phones}

In recent years, a large number of so-called {\em Dual-SIM} or even {\em
Triple-SIM} phones have entered the market, particularly in China and other
parts of East Asia.

Those phones come in various flavours.  Some of them simply have a multiplexer
that allows electrical switching between multiple SIM card slots.  This is
similar to replacing the SIM card in a phone, just without the manual process
of mechanically removing/inserting the card.  As a result, you can only use one
of the two SIMs at any time.

The more sophisticated Dual-SIM phones have two complete phones in one case.  Yes,
that's right!  They contain two full GSM phone chipsets, i.e. 2 antennas, 2 rf
frontends, 2 analog basebands, 2 digital basebands, ...

However, they use the same trick as smartphones:  One of the two basebands does
not have keypad or display and is simply a GSM modem connected via serial line
to the other baseband processor.

So if a smartphone (as defined in this document) is a GSM modem connected to a
PDA in one case, a Dual-SIM phone is a GSM modem connected to a feature phone
in one case.

Triple-SIM phones often combine the two approaches, i.e. they contain two
complete GSM baseband chips, but three SIM slots that can be switched among
the base bands.  Only two SIMs can be active at the same time.

\subsection{Powerful feature phones}

Feature phones are becoming more and more powerful.  However, their
comparatively lower market price cannot afford a full-blown smartphone design
with its two independent processors and the associated design complexity.

Thus, more and more hardware peripherals are added to the only processor left
in the phone: The baseband processor.  Such peripherals include sophisticated
camera interfaces, high-resolution color display controllers, TV output,
touchscreen controllers, audio and video codecs and even interfaces for mobile
TV reception.

However, all of those features are still implemented on a fairly weak ARM7 or
ARM9 CPU core (compared to ARM11 and Cortex-A8 in the smartphone market).  They
also lack a real operating system and still run on top of a real-time
microkernel intended for much less complex systems.  They almost always lack
any form of memory protection or multiple address spaces.  This makes them
more prone to security issues as there is no privilege separation between
the GSM protocol stack and the applications, or between the applications

\subsection{Security features}

There are several (sometimes conflicting) security requirements that
apply to mobile phones.  Interestingly, the security features are
typically used to protect some industry interest against the interest of
the customer.  There are very few security features in a phone that are
meant to protect the user or his interests.

\subsubsection{IMEI - The hardware serial number}

The International Mobile Equipment Identifier (IMEI) uniquely identifies
a GSM phone.  It is a globally unique serial number which is programmed
into the phone non-volatile memory (Flash or EEPROM) during the
production process.  There are no particular security features used to
store the IMEI.  Once you are able to write to flash and have found it,
it can be changed.

\subsubsection{The SIM Card}

The SIM card is a cryptographic smart card that stores the secret key
used for authenticating the user to the GSM network (Ki).  The Ki is
never released by the card, and as such copying (cloning) of the SIM
is prevented.

Furthermore, the SIM stores the International Mobile Subscriber Identity
(ISMI).  The IMSI is not encrypted or protected in some way.

There is no security channel on the connection between the SIM card and
the baseband MCU.  Furthermore, there is no way how the MCU can securely
identify/authenticate the SIM itself.  Physical access to the SIM card
slot allows sniffing and/or modification of the communication between
MCU and SIM.

\subsubsection{SIM or Operator Locking}

GSM is an international standard.  This ensures interoperability, i.e.
any phone can be used on any network.

However, in some cases, the vendors of a GSM phone want to restrict this
interoperability and lock a phone to one specific network, or even lock
it to a particular SIM.

Those locks are implemented by software only, i.e. the MCU software will
instruct the GSM protocol stack not to register with a network unless
its network operator code is a certain factory-programmed network number.

As such, techniques for circumventing those locks have become
commonplace.  It's somewhat of an ongoing race between the phone makers
and the phone-unlockers.  The industry invents ever more complex methods
of obfuscating their locks in the software, while the phone-unlockers
reverse engineer those bits for each and every phone model after some

\subsubsection{DBB firmware signatures}

In order to protect the operator and phone manufacturers peculiar
business models based on SIM or operator locking, some vendors
extended their baseband software with cryptographic signatures.  Only
if the correct signature is present in a software update, the bootloader
program will accept the new software.

However, there are more or less invasive hardware-related approaches in
circumventing those signature checks, such as hardware debugging
interfaces like JTAG, or replacing the external flash memory components.

More recently, GSM chipset vendors introduced features such as
hardware-assisted software signature checks.  In this case a master key
hash might be present in DBB-internal fuses, together with a
signature-verifying boot loader in DBB-internal mask ROM.  As the root
of the chain of trust is moving deeper into the hardware, it becomes
more difficult for anyone to make software modifications to the DBB.

Especially with tighter integration, where RAM and FLASH are no longer
present as discrete components but part of a multi-chip-package, the
number of options are becoming more limited.

On the other hand, an ever more complex baseband software stack is
opening up many more options for exploiting software vulnerabilities.
Given the lack of a proper/modern operating system with privilege
separation and virtual memory, such exploits immediately give away
full access to all aspects of the respective DBB.

\section{Personal rant on the closedness of the GSM industry}

The GSM industry is one of the most closed areas of computing that I've
encountered so far.  It is very hard to get any hard technical
information out of them.  All they like to spread is high-level
marketing information, but they're very reluctant when it comes down to
hard technical facts on their products.

If you want to build a phone, you need to buy a GSM chipset for your
product.  There are only very few companies that offer such chipsets.
The classic suppliers are Infineon, Texas Instruments, ST/Ericsson, ADI
(now MediaTek) and Freescale.

The GSM handset products they sell are not generally available and
distributed like other electronic component they manufacture.  If you
need a Microcontroller/SoC, a power management IC, a Wifi or Bluetooth
chip, RFID reader ASIC, you simply approach the respective distributors
and order them.  You get your samples directly from Digikey.

This is impossible for GSM (or other cellphone) chipsets.  For some
reason those chips are sold only to hand-picked manufacturers.  If you
want to qualify, you have to subscribe to at least six-digit annual
purchasing quantities.  And in order for them to believe you, you have
to cough up a significant NRE (non-refundable engineering fee).  This
has been reported as high as a seven-digit US\$ amount and is to make
sure that even if you end up buying less chips than you indicate, the
chipset maker will still have your upfront NRE money and keep it.

And if you buy your way into that select club of cellphone makers, what
you get from the chipset maker is typically not all too impressive
either.   The documentation you get is incomplete, i.e. it alone would
not enable you as a cellphone maker to make any use of the hardware,
unless you license the software (drivers, GSM protocol stack, ...) from
the chipset maker, too.

On the software side, most of the technologically interesting bits (like
the protocol stack) are provided as binary-only libraries, you only get
source code to some parts of the systems, i.e. some hardware drivers
that might need modification for your particular phone electrical

That GSM protocol stack was not written by the chipset maker either.
They simply license a stack from one of the estimated 4 or 5
organizations who have ever implemented a commercial GSM protocol stack.

It is not like the GSM protocols were some kind of military secret.
They are a published international standard, freely accessible for
anyone.  So why does everybody in that industry think that there is
a need to be so secretive?

Having spent a significant part of the last 6 years with reverse
engineering of various aspects of mobile phones in order to understand
them better and do write software tools for security analysis, I still
don't understand this secrecy.

All the various vendors do more or less the same.  The fundamental
architecture of a GSM baseband chip is the same, whether you buy it from
TI, Infineon or from MediaTek.  {\em They all cook with water}, like we
Germans tend to say.  The details like the particular DSP vendor or
whether you use a traditional IF, zero-IF or low-IF analog baseband
differ.  But from whom do they want to hide it?  If people like myself
with a personal interest in the technical aspects of mobile phones can
figure it out in a relatively short time, then I'm sure the competiton
of those chipset makers can, too.  In much less time, if they actually

This closedness of the cellular industry is one of the reasons why there
has been very little innovation in the baseband firmware throughout the
last decades.  Innovation can only happen by very few players.  Source
code bugs can only be found and fixed by very few developers at even
fewer large corporations.  No chance for a small start-up to innovate,
like they can in the sphere of the internet.

It is fundamentally also the reason why the traditional phone makers
have been losing market share to newcomers to the mobile sphere like
Apple with its iPhone or Google with its Android platform.

Those innovations really only happened on the application processor on
high-end smartphones.  The closed GSM baseband processor had to be
accompanied by an independent application processor running a real 
operating system, with real processes, memory management, shared
libraries, memory protection, virtual memory spaces, user-installable
applications, etc.

They still don't happen on the baseband processor, which is as closed as
it was 15 years ago.



More information about the baseband-devel mailing list