Hacking with libosmocore, osmo-bts and osmo-bts-trx code: a few questions.

evilsocket evilsocket at gmail.com
Tue Apr 5 06:59:32 UTC 2016

Dear all

I'm an independent mobile security researcher and coder from Italy
(therefore, forgive me if my English causes you a headache). I've been
reading GSM specs for quite a few months now and studying openbts,
yatebts and osmo* source code for a few days due to a GSM-related
project I'd really like to realize.
I have a few questions to ask, but first let me explain my main objective.

I'm working on something like Scapy (an IP packet injection and
manipulation framework) but for GSM. On a higher level, what I want to
create is a C library which would allow developers to do something like
(forgive the pseudo-crappy programming and the oversimplification, I
just want to highlight what I'm looking for):

Passive / Sniffing concept:

  while(running) {
    data  = read_and_demodulate
    burst = osmo_something_decode(data)
  }

Injection concept:

  imsi = "1234456..."
  data = osmo_encode_packet( IMSI_DETACH, imsi )
  osmo_write( sdr-device, data )

(I know I'm not considering synchronization, not really interested in
that, the user would implement his own logic)

My point is that GSM is not "that hard" with the right tools, but
currently there are no such tools and I think it's such a shame because
it should be open to the users exactly as TCP/IP is.

Now to the questions:

A. Is the low-level communication (from raw to basic demodulated bursts)
with SDR devices still handled by osmo-bts-trx? If not, what's
handling the physical layer?
B. Could you point me in the right direction I'd need to take in order
to extend the code to support Nuand's BladeRF devices (the only one I
have and the only one I can afford right now)?
C. Do you have simple (even incomplete) code examples for both the
"concepts" I've exposed? I find your documentation to be really great,
but for higher level understanding people need usage examples.

Any piece of code, reference link, guidance, answer or whatever info
will be great.

Simone 'evilsocket' Margaritelli

More information about the OpenBSC mailing list