From zielonka.markus at googlemail.com Sat Jan 3 15:45:16 2009 From: zielonka.markus at googlemail.com (Markus Zielonka) Date: Sat, 3 Jan 2009 16:45:16 +0100 Subject: Neu / New Message-ID: <4be23f950901030745g77e972fegc368163625922962@mail.gmail.com> Hallo / Hello i am new here. :) Bye Markus -- Markus Zielonka Tel.: +49(0)32 224040302 Fax.: +49(0)1805 06034504323 _______________________________________________ OpenBSC mailing list OpenBSC at lists.gnumonks.org https://lists.gnumonks.org/mailman/listinfo/openbsc From laforge at gnumonks.org Mon Jan 5 20:32:00 2009 From: laforge at gnumonks.org (Harald Welte) Date: Tue, 6 Jan 2009 05:32:00 +0900 Subject: [PATCH] user-configurable ARFCN Message-ID: <20090105203200.GF7838@prithivi.gnumonks.org> Hi! One of the most important features missing is the ability to run on a user-configured ARFCN (frequency). This patch should fix the problem, but I didn't apply it since I cannot test right now while travelling. zecke, daniel: Can you please test 1) if the patch doesn't break anything (i.e. if no '-f' parameter is specified, it should continue to use ARFCN 123) 2) if the '-f' commandline argument works, e.g. running the BTS on ARFCN 122 or similar. Regards, -- - Harald Welte http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6) -------------- next part -------------- A non-text attachment was scrubbed... Name: bsc_hack-no_fixed_arfcn.patch Type: text/x-diff Size: 2284 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ OpenBSC mailing list OpenBSC at lists.gnumonks.org https://lists.gnumonks.org/mailman/listinfo/openbsc From zecke at selfish.org Mon Jan 5 22:03:19 2009 From: zecke at selfish.org (Holger Freyther) Date: Mon, 5 Jan 2009 23:03:19 +0100 Subject: [PATCH] user-configurable ARFCN In-Reply-To: <20090105203200.GF7838@prithivi.gnumonks.org> References: <20090105203200.GF7838@prithivi.gnumonks.org> Message-ID: <200901052303.19256.zecke@selfish.org> On Monday 05 January 2009 21:32:00 Harald Welte wrote: > Hi! > > One of the most important features missing is the ability to run on a > user-configured ARFCN (frequency). This patch should fix the problem, > but I didn't apply it since I cannot test right now while travelling. > > zecke, daniel: Can you please test > > 1) if the patch doesn't break anything (i.e. if no '-f' parameter is > specified, it should continue to use ARFCN 123) > > 2) if the '-f' commandline argument works, e.g. running the BTS on > ARFCN 122 or similar. I will test this tomorrow night. z. _______________________________________________ OpenBSC mailing list OpenBSC at lists.gnumonks.org https://lists.gnumonks.org/mailman/listinfo/openbsc From marcus.specht.bs11 at openmvno.org Tue Jan 6 16:16:26 2009 From: marcus.specht.bs11 at openmvno.org (Marcus Specht) Date: Tue, 06 Jan 2009 17:16:26 +0100 Subject: legal Message-ID: <1231258586.2649.11.camel@eee> Hi all, what ist the best/fastest way to get a license from Bundesnetzagentur? Thanks Marcus -- Marcus Specht open|MVNO c/o Cyber-Dynamix Gesellschaft f?r Systemintegration GmbH Heiner-Stuhlfauth-Str. 28 90480 N?rnberg Tel.: 0911 / 1809105 Fax.: 0911 / 1809109 Gesch?ftsf?hrer: Heiko Thierbach, Gerhard Feder Sitz der Gesellschaft ist N?rnberg Amtsgericht N?rnberg, HRB 16704 Ust-Id.-Nr. DE204640808 ------------------------------------------------------------------------------ Diese Nachricht ist eine nicht ?ffentliche Mitteilung. Sollten Sie diese Nachricht versehentlich erhalten haben und nicht der gew?nschte Empf?nger sein, so bitten wir Sie, diese Nachricht zu l?schen, keine Kopien anzufertigen und nicht weiterzuleiten. Bitte informieren Sie uns per eMail ?ber den Zustellungsfehler und entschuldigen Sie die Unannehmlichkeit. Bitte beachten Sie: Unabh?ngig vom Inhalt stellt diese Nachricht keinerlei vertragliche Verpflichtung, Zusicherung, Bestellung, Angebot oder ?hnliches dar, solange keine schriftliche Best?tigung von uns vorliegt. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: Dies ist ein digital signierter Nachrichtenteil URL: -------------- next part -------------- _______________________________________________ OpenBSC mailing list OpenBSC at lists.gnumonks.org https://lists.gnumonks.org/mailman/listinfo/openbsc From zecke at selfish.org Sat Jan 10 00:40:33 2009 From: zecke at selfish.org (Holger Freyther) Date: Sat, 10 Jan 2009 01:40:33 +0100 Subject: TMSI's and Identity theft? Message-ID: <200901100140.33626.zecke@selfish.org> Hey Guys, I'm currently implementing the CM Service Request of GSM 04.08 and I wonder about the following: 1.) Some phones send us the TMSI of their current network 2.) One can ask the phone for the IMEISV/IMSI 3.) One can accept the LOCATION UPDATING REQUEST (or wait) 4.) A rogue MS could now request a channel with the BTS of the original network 5.) Could send a CM Service Request with the TMSI of the original phone and claim to not support A5 and such... 6.) Could initiate a call on the behalf of the other phone...? 7.) What is IMSI detached, I have not yet seen it... but it could solve such things? So far I have only seen TMSI reallocation complete messages... what am I missing? These messages are not encrypted right? One just would need to know the right channel/paging group and such? Is this known? plausible? totally off? z. _______________________________________________ OpenBSC mailing list OpenBSC at lists.gnumonks.org https://lists.gnumonks.org/mailman/listinfo/openbsc From laforge at gnumonks.org Sat Jan 10 03:38:54 2009 From: laforge at gnumonks.org (Harald Welte) Date: Sat, 10 Jan 2009 12:38:54 +0900 Subject: TMSI's and Identity theft? In-Reply-To: <200901100140.33626.zecke@selfish.org> References: <200901100140.33626.zecke@selfish.org> Message-ID: <20090110033854.GC4222@prithivi.gnumonks.org> On Sat, Jan 10, 2009 at 01:40:33AM +0100, Holger Freyther wrote: > Hey Guys, > > I'm currently implementing the CM Service Request of GSM 04.08 and I wonder > about the following: > > 1.) Some phones send us the TMSI of their current network > 2.) One can ask the phone for the IMEISV/IMSI > 3.) One can accept the LOCATION UPDATING REQUEST (or wait) > 4.) A rogue MS could now request a channel with the BTS of the original > network > 5.) Could send a CM Service Request with the TMSI of the original phone and > claim to not support A5 and such... > 6.) Could initiate a call on the behalf of the other phone...? I think this would work, if * we had a MS that we could fully control. * the old network would accept the sudden classmark change for no A5 support, which in fact also depends on the cell itself. I would assume that most BTS in real-world netwokrs never announce that they support A5/0 > 7.) What is IMSI detached, I have not yet seen it... but it could solve such The IMSI ATTACH/DETACH procedure is an optional procedure that the BTS can demand by setting some flag in SYSTEM INFORMATION on the BCCH. If enabled, the MS will use a special IMSI ATTACH flag in the location update, and it has to send an IMSI DETACH message before it is switched off. Not sure how useful that really is... but I definitely want support for it in OpenBSC (optionally). Probably time for a config file ;) > what am I missing? These messages are not encrypted right? One just would need > to know the right channel/paging group and such? Is this known? plausible? > totally off? The messages are not encrypted, no. The 'right channel' is the PCH of the other cell. The cell info we get from the LOCATION UPDATING REQUEST (mcc/mnc/lac). The paging group we can calculate from the IMSI. I think the ability to downgrade to A5/0 is the major flaw of this attack. Even if networks allow that now, it's a very simple BSC firmware upgrade to fix it. -- - Harald Welte http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From spaar at mirider.augusta.de Sat Jan 10 08:15:49 2009 From: spaar at mirider.augusta.de (Dieter Spaar) Date: Sat, 10 Jan 2009 08:15:49 Subject: TMSI's and Identity theft? Message-ID: <49685935.mirider@mirider.augusta.de> On Sat, 10 Jan 2009 12:38:54 +0900, "Harald Welte" wrote: > The IMSI ATTACH/DETACH procedure is an optional procedure that the BTS can > demand by setting some flag in SYSTEM INFORMATION on the BCCH. > > If enabled, the MS will use a special IMSI ATTACH flag in the location update, > and it has to send an IMSI DETACH message before it is switched off. Not sure > how useful that really is... but I definitely want support for it in OpenBSC > (optionally). Probably time for a config file ;) As I understand it, the IMSI Attach/Detach, which is signaled by the ATT flag in SYS_INFO 3 is used to keep track if a phone is actually available. (IMSI Attach is used when the phone is turned on and IMSI Detach when it is turned off). This way the network does not need to page the phone if it knows that it is turned off and can immediately signal to the caller that the phone is not available. If I remember, the ATT flag is not set in the BS11_Init sample code. Best regards, Dieter -- Dieter Spaar, Germany spaar at mirider.augusta.de From laforge at gnumonks.org Sat Jan 10 02:15:19 2009 From: laforge at gnumonks.org (Harald Welte) Date: Sat, 10 Jan 2009 11:15:19 +0900 Subject: commitlog mailingliste Message-ID: <20090110021519.GB4222@prithivi.gnumonks.org> Hi! I have created openbsc-commits at lists.gnumonks.org which carries all commits to our svn server. I thought some people might like to receive all the diffs in their inbox to stay up-to-date with the code... Cheers, -- - Harald Welte http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From mbradley.jr at gmail.com Wed Jan 14 20:37:57 2009 From: mbradley.jr at gmail.com (Michael Bradley Jr) Date: Wed, 14 Jan 2009 21:37:57 +0100 Subject: svn Message-ID: <496E4D25.8060706@gmail.com> Hi, did subscribe to the list, got a password and now trying to get the svn trunk with zero success! What are the required credentials since my email & the provided password won't help Cheers, Mike From laforge at gnumonks.org Thu Jan 15 15:30:41 2009 From: laforge at gnumonks.org (Harald Welte) Date: Thu, 15 Jan 2009 23:30:41 +0800 Subject: svn In-Reply-To: <496E4D25.8060706@gmail.com> References: <496E4D25.8060706@gmail.com> Message-ID: <20090115153040.GS4500@prithivi.gnumonks.org> On Wed, Jan 14, 2009 at 09:37:57PM +0100, Michael Bradley Jr wrote: > Hi, > > did subscribe to the list, got a password and now trying to get the svn trunk with zero success! > What are the required credentials since my email & the provided password > won't help please use http for anonymous checkout. We only use https for write-enabled accounts for people with commit-access. e.g. $ svn co http://bs11-abis.gnumonks.org/svn/trunk/openbsc should work just fine -- - Harald Welte http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From dburgess at jcis.net Sat Jan 17 03:13:25 2009 From: dburgess at jcis.net (David A. Burgess) Date: Fri, 16 Jan 2009 19:13:25 -0800 Subject: No subject Message-ID: <98CD8FB7-3584-4270-8329-84291629ECCD@jcis.net> Holger, Harald - I've been observing TMSI-handling bugs in GSM handsets for a while and saw a really good one last night, so I'm going to offer some comments here. > On Sat, Jan 10, 2009 at 01:40:33AM +0100, Holger Freyther wrote: > > Hey Guys, > > > > I'm currently implementing the CM Service Request of GSM 04.08 > and I wonder > > about the following: > > > > 1.) Some phones send us the TMSI of their current network > > 2.) One can ask the phone for the IMEISV/IMSI > > 3.) One can accept the LOCATION UPDATING REQUEST (or wait) > > 4.) A rogue MS could now request a channel with the BTS of the > original > > network > > 5.) Could send a CM Service Request with the TMSI of the > original phone and > > claim to not support A5 and such... > > 6.) Could initiate a call on the behalf of the other phone...? > > I think this would work, if > * we had a MS that we could fully control. > * the old network would accept the sudden classmark change for no > A5 support, > which in fact also depends on the cell itself. I would assume > that most > BTS in real-world netwokrs never announce that they support A5/0 According to GSM 02.07 Section 2, all GSM handsets are required support A5/1 and A5/2. According to GSM 02.09 Section 3.3, the network is SUPPOSED to deny service to any handset that doesn't support either A5/1 or A5/2. I'd be curious to see who's enforcing that, though. And any prudent operator will do an authentication at the start of a call, even for A5/0. Again, I'd be curious to see who's really doing it, but I'll bet most European operators do. You may not need to fully controlled a handset to do this, though. This is where TMSI handling bugs come into play. Last night, I was playing with a Treo 650. Having last registered in an AT&T network, the Treo sent a location updating request to my system (MNC=910, MCC=55) using that AT&T TMSI, which it is not supposed to do. I removed the SIM and cycled power. THAT should have cleared the old TMSI, but it came back to register by TMSI again. I sent a location updating accept, without sending a new TMSI. THAT should have cleared the old TMSI, but when I tried to place a mobile-oridinated call the Treo sent the same old AT&T-assigned TMSI in the CM service request. I am certain that if I had assigned a new TMSI to this handset and then switched off my system, that Treo would have taken my TMSI back the the AT&T network and tried to use it there. I suspect this kind of bug is fairly common and may be exploitable by a rogue network, even if only to expose the IMSI-TMSI relationships in the real carrier's BSC. As Harald points out, the attack described in the original e-mail should not work in a properly managed network. But I'll wager that most of the world's networks are not properly managed. -- David David A. Burgess OpenBTS on the web: http://openbts.sourceforge.net http://openbts.blogspot.com http://en.wikipedia.org/wiki/OpenBTS http://www.gnuradio.org/trac/wiki/OpenBTS From laforge at gnumonks.org Sat Jan 17 08:09:53 2009 From: laforge at gnumonks.org (Harald Welte) Date: Sat, 17 Jan 2009 16:09:53 +0800 Subject: your mail In-Reply-To: <98CD8FB7-3584-4270-8329-84291629ECCD@jcis.net> References: <98CD8FB7-3584-4270-8329-84291629ECCD@jcis.net> Message-ID: <20090117080953.GB10954@prithivi.gnumonks.org> Hi David, great to see that you are also following this list, your iput and experience is greatly appreciated. On Fri, Jan 16, 2009 at 07:13:25PM -0800, David A. Burgess wrote: > You may not need to fully controlled a handset to do this, though. [...] Thanks for pointin this out. Maybe holger has an interest to try something like this - I personally am not too interested to play with regular 'closed' phones. We are currently discussing the various options we have for building a "fully controlled handset". I think it is the logical conclusion to projects like OpenBTS and OpenBSC... I don't want to talk too much at this early point, but I'm confident that we'll come up with something useful later this year, based on commercially available GSM transeiver and analog baseband chips. Using somethng like USRP for the MS side is nice for a handful of researchers who already have one, but not really an option for most hackers in the community who are used to only invest in cheap equipment like a wifi card + free software drivers + protocol stack. We'll see. I'll keep you posted about our progress. We're still in early planning, but have the right kind of people for hardware/firmware/software and access to the required resources/documents and components. Regards, -- - Harald Welte http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From holger at kernreaktor.org Mon Jan 19 09:15:17 2009 From: holger at kernreaktor.org (Holger Adams) Date: Mon, 19 Jan 2009 10:15:17 +0100 Subject: Documentation of the BS-11 - what do we know? Message-ID: <497444A5.7070503@kernreaktor.org> Hello Everybody, as we all know, the documentation of the BS-11 is under NDA. Harald said, the BTS respects 99.9% of the A-bis 3GPP standardization. So my questions are: 1) What's the part of the 0.1% we don't know? Which part differs from the specs? 2) During the 25c3 talk there was mentioned that the BTS uses ~6 DSPs and a bunch of uCs. What kind of DSPs and uCs are used (well Siemens... I guess some creepy 8051/C16x/... and Motorola stuff)? Regards, Holger -- () Holger Adams, /\ WWW: http://www.kernreaktor.org From laforge at gnumonks.org Mon Jan 19 10:45:24 2009 From: laforge at gnumonks.org (Harald Welte) Date: Mon, 19 Jan 2009 18:45:24 +0800 Subject: Documentation of the BS-11 - what do we know? In-Reply-To: <497444A5.7070503@kernreaktor.org> References: <497444A5.7070503@kernreaktor.org> Message-ID: <20090119104524.GD21483@prithivi.gnumonks.org> Hi! Dieter has already responded to it, so let me just add one statement bwlow On Mon, Jan 19, 2009 at 10:15:17AM +0100, Holger Adams wrote: > as we all know, the documentation of the BS-11 is under NDA. Please note that the documentation is only about setup/configuration/installation of the unit, we have never at any given point in time received any documentation about the BS-11 protocol or BS-11 specific A-bis extensions. So the kind of documentation is 'system administration' type, not 'software developer' type documentation. Therefore, you are really not missing anything without those docs. -- - Harald Welte http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From spaar at mirider.augusta.de Mon Jan 19 11:00:15 2009 From: spaar at mirider.augusta.de (Dieter Spaar) Date: Mon, 19 Jan 2009 11:00:15 Subject: Documentation of the BS-11 - what do we know? Message-ID: <49745d3f.mirider@mirider.augusta.de> Hello Holger, The following is what I can say, Harald might add more or correct me: On Mon, 19 Jan 2009 10:15:17 +0100, "Holger Adams" wrote: > > as we all know, the documentation of the BS-11 is under NDA. Harald > said, the BTS respects 99.9% of the A-bis 3GPP standardization. So my > questions are: > > 1) What's the part of the 0.1% we don't know? Which part differs from > the specs? There are Siemens specific commands for configuring the BS-11. They are not documented and also not included in the NDA documentation. The important commands are however going to become part of OpenBSC. Harald is currently working on a tool for configuring the BS-11, it is based on analyzing what the configuration tool (under NDA) is sending over the wire. So you will most certainly find all the required information in OpenBSC soon. > 2) During the 25c3 talk there was mentioned that the BTS uses ~6 DSPs > and a bunch of uCs. What kind of DSPs and uCs are used (well Siemens... > I guess some creepy 8051/C16x/... and Motorola stuff)? Its nothing from the more common stuff. The microcontrollers are from the HPC family from National Semiconductor, the DSPs are from the DSP16 family from Lucent. My guess is that the HPC was mainly used in the telcommunication area, for the DSP16 there was at least one more common analog modem around which uses it. BTW, the information about the microcontrollers and the DSPs is also not contained in the NDA documentation, so this is no secret what I am writing here. Best regards, Dieter -- Dieter Spaar, Germany spaar at mirider.augusta.de From laforge at gnumonks.org Mon Jan 19 10:47:47 2009 From: laforge at gnumonks.org (Harald Welte) Date: Mon, 19 Jan 2009 18:47:47 +0800 Subject: Documentation of the BS-11 - what do we know? In-Reply-To: <49745d3f.mirider@mirider.augusta.de> References: <49745d3f.mirider@mirider.augusta.de> Message-ID: <20090119104747.GE21483@prithivi.gnumonks.org> On Mon, Jan 19, 2009 at 11:00:15AM +0000, Dieter Spaar wrote: > There are Siemens specific commands for configuring the BS-11. They > are not documented and also not included in the NDA documentation. > The important commands are however going to become part of OpenBSC. > Harald is currently working on a tool for configuring the BS-11, > it is based on analyzing what the configuration tool (under NDA) > is sending over the wire. So you will most certainly find all the > required information in OpenBSC soon. the code and tool is already in svn, if you build openbsc it will now build a program called 'bs11-config'. however, due to the fact that I'm still on travels in Taiwan, I currently don't have access to any system to test the code. So I would assume that the tool is tested and known-to-be-working towards the first week of February. I will also write some documentation for the tool and put it in the wiki. So far, the source code of the last pages of abis_nm.c as well as the bs11_config.c file should enable you to understand what kind of things it does. Regards, -- - Harald Welte http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From holger at kernreaktor.org Mon Jan 19 12:10:28 2009 From: holger at kernreaktor.org (Holger Adams) Date: Mon, 19 Jan 2009 13:10:28 +0100 Subject: Documentation of the BS-11 - what do we know? In-Reply-To: <49745d3f.mirider@mirider.augusta.de> References: <49745d3f.mirider@mirider.augusta.de> Message-ID: <49746DB4.9080108@kernreaktor.org> Hi Dieter, > The following is what I can say, Harald might add more or correct me: > > On Mon, 19 Jan 2009 10:15:17 +0100, "Holger Adams" wrote: >> as we all know, the documentation of the BS-11 is under NDA. Harald >> said, the BTS respects 99.9% of the A-bis 3GPP standardization. So my >> questions are: >> >> 1) What's the part of the 0.1% we don't know? Which part differs from >> the specs? > > There are Siemens specific commands for configuring the BS-11. They > are not documented and also not included in the NDA documentation. > The important commands are however going to become part of OpenBSC. > Harald is currently working on a tool for configuring the BS-11, > it is based on analyzing what the configuration tool (under NDA) > is sending over the wire. So you will most certainly find all the > required information in OpenBSC soon. If you need some help in the near future (as soon our equipment arrives, orders left the building today... or at least they should): we have full equipped and licensed GSM-E1-Analyzers. I think we can provide some traces if required (I know that Harald has shoot an ELMI-Abis-Analyzer at EBay, just for notice). Best Regards, Holger -- () Holger Adams, /\ WWW: http://www.kernreaktor.org From spaar at mirider.augusta.de Mon Jan 19 14:10:44 2009 From: spaar at mirider.augusta.de (Dieter Spaar) Date: Mon, 19 Jan 2009 14:10:44 Subject: Documentation of the BS-11 - what do we know? Message-ID: <497489e4.mirider@mirider.augusta.de> Hello Holger, > If you need some help in the near future (as soon our equipment arrives, > orders left the building today... or at least they should): we have full > equipped and licensed GSM-E1-Analyzers. I think we can provide some > traces if required (I know that Harald has shoot an ELMI-Abis-Analyzer > at EBay, just for notice). Good to know that. What about a GSM Analyzer for the Air Interface :-) ? In the moment ISDN E1 traces are not that important because its under control of OpenBSC anyway. The traces of the Siemens specific configuration commands were done on the RS232 interface of the BS-11, the configuration software under NDA uses RS232 only, at least I don't have any other BS-11 specific software which uses the ISDN interface. I anyone has access to a real GSM Abis Interface and can provide traces of a working network this could be very interesting to have a look at. And for tracing the GSM air inteface with cheap equipment, well, lets hope that we can get something for that in the future... Best regards, Dieter -- Dieter Spaar, Germany spaar at mirider.augusta.de From holger at kernreaktor.org Mon Jan 19 18:03:11 2009 From: holger at kernreaktor.org (Holger Adams) Date: Mon, 19 Jan 2009 19:03:11 +0100 Subject: Documentation of the BS-11 - what do we know? In-Reply-To: <497489e4.mirider@mirider.augusta.de> References: <497489e4.mirider@mirider.augusta.de> Message-ID: <4974C05F.7050806@kernreaktor.org> Hello Dieter, > I anyone has access to a real GSM Abis Interface and can provide traces > of a working network this could be very interesting to have a look at. > > And for tracing the GSM air inteface with cheap equipment, well, lets > hope that we can get something for that in the future... Couldn't we use a GNU-Radio combined with the GSM-HF-RX? We had a student research project which used that with Wireshark. I think I could borrow it for a few days and sniff some stuff at our lab. Just tell me what sequences you need. But first I have to write some exams, no hands-on-hardware until they are finished ;-) Best Regards, Holger -- | Holger Adams, | WWW: http://www.kernreaktor.org From spaar at mirider.augusta.de Mon Jan 19 19:39:51 2009 From: spaar at mirider.augusta.de (Dieter Spaar) Date: Mon, 19 Jan 2009 19:39:51 Subject: Documentation of the BS-11 - what do we know? Message-ID: <4974d707.mirider@mirider.augusta.de> Hello Holger, > Couldn't we use a GNU-Radio combined with the GSM-HF-RX? We had a > student research project which used that with Wireshark. I think I could > borrow it for a few days and sniff some stuff at our lab. Just tell me > what sequences you need. You mean the USRP ? As far as I know its no big problem to save the raw RF data with it but there is no easy-to-use software yet to get nice traces from those data (e.g. extract all the different channels like BCCH, CCCH and so on) which for example could be used to see the messages between the BTS and the phone. I am not interested in the traffic (speech or data), just the signaling on the Air-Interface would be nice to have. But lets see what the future brings, projects like airprobe.org might fill this gap. Best regards, Dieter -- Dieter Spaar, Germany spaar at mirider.augusta.de From laforge at gnumonks.org Wed Jan 21 02:53:04 2009 From: laforge at gnumonks.org (Harald Welte) Date: Wed, 21 Jan 2009 10:53:04 +0800 Subject: GSM Um protocol analysis In-Reply-To: <4974d707.mirider@mirider.augusta.de> References: <4974d707.mirider@mirider.augusta.de> Message-ID: <20090121025304.GK3791@prithivi.gnumonks.org> On Mon, Jan 19, 2009 at 07:39:51PM +0000, Dieter Spaar wrote: > > Couldn't we use a GNU-Radio combined with the GSM-HF-RX? We had a > > student research project which used that with Wireshark. I think I could > > borrow it for a few days and sniff some stuff at our lab. Just tell me > > what sequences you need. > > You mean the USRP ? As far as I know its no big problem to save the > raw RF data with it but there is no easy-to-use software yet to get > nice traces from those data (e.g. extract all the different channels > like BCCH, CCCH and so on) which for example could be used to see the > messages between the BTS and the phone. I am not interested in the > traffic (speech or data), just the signaling on the Air-Interface would > be nice to have. But lets see what the future brings, projects like > airprobe.org might fill this gap. Well, it's not easy-to-use, but I have that entire chain working here (USRP+gnuradio+gsm-tvoid+wireshark). However, many receive errors due to very limited demodulation, no working equalizer, sometimes looses sync, etc. But depending on signal quality you can actually capture and decode CCCH + multiple SDCCH/8 timeslots (if there are any) on C0 of a BTS. However, one of the bigger problems is that it is purely unidirectional, i.e. you only get the downlink but not the uplink from the phone. To do that, you would need two DBSRX or two RFX900 frontends and much more unwritten code. And yes, hopefully with airprobe.org those problems will be resolved at some point. For OpenBSC this is not a top priority, since we never had any problems with the air interface so far. We have the BS-11 taking care of that, and so far there is no reason to believe it is doing anything wrong on the Um side of things.. and the Abis side we can completely dump and decode, either with a commercial Abis analyzier (Wandel+Goltermann MA10) or by just looking at the pcap files that OpenBSC can create thanks to zeckes' patches. Regards from Taipei, -- - Harald Welte http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: