January 2012 - baseband-devel - lists.osmocom.org

Engagetted !

by Sébastien Lorquet

http://www.engadget.com/2010/12/29/researchers-eavesdrop-on-encrypted-gsm-c… Congrats!

6 months, 1 week

5
5
0 0

Please can anyone advise me - FMTOOL Error and no further processing

by Raz Sharif

Dear all, I vae the C115 with a T1 USB to Serial cable with the Prolific chipset. When i run osmocon i get :- an its just sits there with no further processing. ./osmocon -p /dev/ttyUSB0 -m c123xor ../../target/firmware/board/compal_e88/loader.compalram.bin read_file(../../target/firmware/board/compal_e88/loader.compalram.bin): file_size=17120, hdr_len=4, dnload_len=17127 read_file(../../target/firmware/board/compal_e88/loader.compalram.bin): file_size=17120, hdr_len=4, dnload_len=17127 got 1 bytes from modem, data looks like: 00 . got 2 bytes from modem, data looks like: 2f 00 /. got 1 bytes from modem, data looks like: 1b . got 3 bytes from modem, data looks like: f6 02 00 ... got 1 bytes from modem, data looks like: 41 A got 1 bytes from modem, data looks like: 01 . got 1 bytes from modem, data looks like: 40 @ Received PROMPT1 from phone, responding with CMD got 1 bytes from modem, data looks like: 66 f got 1 bytes from modem, data looks like: 74 t got 1 bytes from modem, data looks like: 6d m got 1 bytes from modem, data looks like: 74 t got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 6c l Received FTMTOOL from phone, ramloader has aborted got 1 bytes from modem, data looks like: 65 e got 1 bytes from modem, data looks like: 72 r got 1 bytes from modem, data looks like: 72 r got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 72 r got 1 bytes from modem, data looks like: 00 . got 1 bytes from modem, data looks like: 00 . I think the cable is ok as when i run my fingers on the tip i get random Zeros so it appears to be talking to the cable. Also when i tried to run Mobile i get the :- even though i created the Mobile.cfg file in /etc/osmoco Failed to parse the config file: '/home/raz/.osmocom/bb/mobile.cfg' Please check or create config file using: 'touch /home/raz/.osmocom/bb/mobile.cfg' I have spent some hours researching the lists and trying various things to no avail but I want to continue until I resolve this issues and use this great stack to learn about the GSM network. Please advise. Great full for any help or pointers but this maybe a timing issue that is difficult to debug. Thanks Raz

7 years, 11 months

5
6
0 0

cell re-selection

by Andreas.Eversberg

hi, i did a lot of resarch and testing on cell selection and re-selection process the last two week. the cell selection process, network selection process (manual and automatic) and mobility management process were already implemented in OsmocomBB a long time, but turned out to be buggy and incomplete. i made test drives to check the process and debugged it. the re-selection process is new. it is used to track surrounding cells while listening to the BCCH of the current cell (camping on a cell). special extension to the layer1 firmare is used to measure neighbour cells. if an neighbour cell becomes 'better', the mobile switches to that cell, depening on different criteria. now it is possible to move with OsmocomBB. the re-selection process is not handover! handover is a process where a phone switches between cells while doing a call. handover is one next step to implement. the process is a little more complex, because it requires not only neighbour cell measurements, but also syncing to them without interrupting the traffic channel. most layer 3 stuff of handover is already implemented. if you like to play and test your moving OsmocomBB, you can check out the "jolly/roaming" branch. it contains the extension to layer1, as well as sim reader and fixes from "sylvain/testing" branch. use both "mobile" and "layer1" firmware from this branch. in order to see some process at VTY, you can do: enable monitor network 1 (continously display the strongest cell and neighbour cells) show ms 1 (to see current states) show neighbour-cells 1 (to see a more detailed current list of neighbours) andreas

8 years, 1 month

3
3
0 0

AW: The call has been rejected

by Andreas.Eversberg

hi josephli, > Read stored BA list mnc=01 the mobile application stores the last cells and neighbour cells (band allocation) of each network. this way the scanning is much faster when restarting. because you use the SIM card with MNC == 02 the first time, there is no band allocation stored for that. the mobile will do a full scan in this case. > while the sim card service I am tesing is actually with mnc 00 and 02. i know that MNC == 0 will not work until i commited improvements of cell selection process last sunday. you should retry that, but first try with an MNC > 0. can you provide debug output when trying a call? also can you provide VTY output of "show ms" before you make the call? regards, andreas

11 years

3
2
0 0

status report layer1 and layer23

by Andreas.Eversberg

hi, i just fixed some locking issues the last days. fix will follow. it took a bit longer, because there were some race conditions. it took up to about one hour until it crashed. my way to detect the area where the crash happened, was to turn on buzzer before that area, and turn it off after that area. after many hours of approximation, i finally found out that the major crash happend during _talloc_zero. (first it looks for a free memory chunk, then it allocates it.) since it can be called from all contexts (main, irq, fiq), it need to be locked against any interrupt, otherwise the memory chunk can be assigned multiple times. (the process of _talloc_free is "atomic" and requires no locking.) because it seems pretty stable, i think it is time to merge some branches into the master. (i made a 6 hours call yesterday. and no crash after bugfix ever since.) i will do that together with sylvain, if we find the time this weekend. currently i use the jolly/voice together with the sylvain/traffic branch. i am able to use an isdn phone togehter with linux-call-router and make/receive calls. audio is passed both ways. i think this is a stage where it actually become "usable". (if not moving arround.) one of my major work for the next weeks/months will be the neighbour cell measurement, cell re-selection, and handover. this is essential when moving with the phone. regards, andreas

11 years

2
1
0 0

cp2102 (betemcu, B75937)

by lonelysurfer

...a never ending story: i have a working ftdi-ttl, but the cp2102-adapters (http://www.ebay.de/itm/USB-2-0-to-UART-TTL-6PIN-Module-Serial-Converter-CP2…) with the same cable dont work under ubuntu or windows. if i rub the top of the 2.55mm with my finger random data appears. but the loader doesnt upload the firmware. i used the txd, rxd and gnd pins and checked the connections with a multimeter. i tested -m c123xor, -m c123 and the default firmware. flashing custom baudrates was no problem. rivers are installed correctly (stady ttyusb0 under ubuntu/ com1 under win). is there any hint? -- View this message in context: http://baseband-devel.722152.n3.nabble.com/cp2102-betemcu-B75937-tp3489336p… Sent from the baseband-devel mailing list archive at Nabble.com.

11 years, 9 months

3
4
0 0

Receiving on TS=1 ?

by Sylvain Munaut

Hi, I've hacked something together to quickly test non-combined CCCH. However, I've hit a problem when trying to receive anything on another timeslot than 0. The TX side seems to work fine as the BTS can see my location update request and answers with a reject, but on the MS side, I never see the reject and wireshark only shows invalid incohrent data on the RX. The frames for SDCCH/8 show really nothing valid (looks like random bytes), things like 09 80 7f 47 49 06 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 00 47 d5 2d 06 1e 00 00 69 7c a0 91 3d 22 ff ab fe 6c 4f 56 4f 36 ... while the frames for the associated SAACH show at least something gsm-like : 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b but that's not quite a SI5/6 ... To RX/TX on TS=1, I just delayed the RX/TX window by 625 bits (4 * 156.25) when I'm in dedicated channel mode by chaning the 'start' in l1s_tx_win_ctrl / l1s_rx_win_ctrl Is there something else that should be done ? Cheers, Sylvain

11 years, 9 months

2
5
0 0

burst_ind and TCH

by Mad

Hi Sylvain, hi list! I'm experimenting with burst_ind and TCHs right now and ran into some problem I couldn't solve yet. After receiving an Assignment Command for a hopping TCH/F I call l1ctl_tx_dm_est_req_h1() with all necessary parameters and tch_mode GSM48_CMODE_SPEECH_V1 or _EFR. After that I do get burst indications containing the received bits on up- and downlink for the active arfcn on each consecutive frame number. BUT the rx level measurements are most of the time very low and sporadic higher, surely not from that nearby bts and the very close cellphone. It looks like the layer1 doesn't "hit" the right timeslot on the right arfcn at the right time. There are some possible sources of error leading to that, like hopping parameters, channel number and MA list. But I checked these and I took all of them directly from the ASS CMD, the MA as word list in ascending order, like in layer23 IMM ASS handling. The specific AC doesn't have any specialties like Starting Time or "before time" parameters. So my question is if there is some obvious pitfall I'm missing and are there any suggestions how to debug that? Regards, Mad

11 years, 9 months

4
5
0 0

bursts****.dat

by Victor P

Hi, I am trying to use burst_ind branch of osmocom. I have noticed that layer23 creates bursts****.dat files when it indicates uplink. What data are written to these files and what should I use to see its data? Thank you.

11 years, 10 months

5
6
0 0

Use OsmocomBB as OpenBTS / airprobe clock generator

by Harald Welte

Hi! Recently we've had the idea of using OsmocomBB with a simple firmware that synchronizes to an existing GSM networks FCCH and use the resulting 13MHz clock to drive the USRP for airprobe or OpenBTS. Ideally, we would even use the Calypso-internal PLL (for ARM or DSP) to multiply it up to the required 52 MHz. However, neither the Openmoko nor the Compal/Motorola phones expose any of the 3 clock output pads :( So the only choice is to use something along the lines of the http://focus.ti.com/docs/prod/folders/print/cdcvf25084.html as a quad clock multiplier and attach it to the CLK13OUT signal of the phone. The chip is available for 9 USD in single quantities at digikey, and possibly cheaper at other sources. Combined with a sub-20EUR phone it might be a very cheap but still accurate frequency source for OpenBTS - at least as long as there are any commercial gsm networks available. Regards, Harald -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

12 years, 1 month

8
17
0 0

osmocombb and usrp

by Paul Lambert

Hello, I have a ursp1 working fine and I want to use my c123 to conenct to it with osmocombb. Now I face some problems. First of all I have no sim, so I do: sim testcard 1 001 01 The usrp runs a testnetwork (001 01) I don't know how I can associate with the usrp. I tried: network search (lot of output and also my testnet) network show (nothing happens) network select 1 001 01: Network not in list! Any idea what I'm doing wrong? Would be really Cool if i could use opensource only. With best regards, Paul

12 years, 2 months

3
3
0 0

RSSI firmware

by Dario Lombardo

Hello everybody I'm trying to use the RSSI firmware on a c118 and c115. Both of them give me this error host/osmocon/osmocon -p /dev/ttyUSB0 -m c123xor target/firmware/board/compal_e88/rssi.compalram.bin got 1 bytes from modem, data looks like: 04 . got 1 bytes from modem, data looks like: 81 . got 5 bytes from modem, data looks like: 1b f6 02 00 41 ....A got 1 bytes from modem, data looks like: 01 . got 1 bytes from modem, data looks like: 40 @ Received PROMPT1 from phone, responding with CMD The maximum file size is 64kBytes (65535 bytes) read_file(target/firmware/board/compal_e88/rssi.compalram.bin) failed with -27 Do I need to do something different to load this FW or simply my phones have no enough room for it? Thanks for your help. Dario.

12 years, 2 months

5
7
0 0

[PATCH 2/2] rearm_timer: update run-time and re-activate

by Christian Vogel

Instead of calling schedule_timer() inside the callback (which causes list-reshuffling) just call rearm_timer(self,milliseconds) to have it re-execute after the specified time. --- src/target/firmware/comm/timer.c | 6 ++++++ src/target/firmware/include/comm/timer.h | 1 + 2 files changed, 7 insertions(+), 0 deletions(-) diff --git a/src/target/firmware/comm/timer.c b/src/target/firmware/comm/timer.c index 6a649ae..d135e24 100644 --- a/src/target/firmware/comm/timer.c +++ b/src/target/firmware/comm/timer.c @@ -63,6 +63,12 @@ void schedule_timer(struct osmo_timer_list *timer, int milliseconds) add_timer(timer); } +void rearm_timer(struct osmo_timer_list *timer, int milliseconds) +{ + timer->expires = jiffies + ((milliseconds * TIMER_HZ) / 1000); + timer->active = 1; +} + void del_timer(struct osmo_timer_list *timer) { if (timer->in_list) { diff --git a/src/target/firmware/include/comm/timer.h b/src/target/firmware/include/comm/timer.h index db7d1a5..6ca51b5 100644 --- a/src/target/firmware/include/comm/timer.h +++ b/src/target/firmware/include/comm/timer.h @@ -60,6 +60,7 @@ extern unsigned long volatile jiffies; */ void add_timer(struct osmo_timer_list *timer); void schedule_timer(struct osmo_timer_list *timer, int miliseconds); +void rearm_timer(struct osmo_timer_list *timer, int milliseconds); void del_timer(struct osmo_timer_list *timer); int timer_pending(struct osmo_timer_list *timer); -- 1.7.0.4

12 years, 2 months

2
1
0 0

[PATCH 1/2] printf: Hack to support gcc printf() optimization

by Christian Vogel

gcc optimizes printf("x") to putchar('x'), but we #define putchar to be something else. Now lib/printf.c defines a putchar() function that always prints on the sercomm port, it will break uart consoles. --- src/target/firmware/lib/printf.c | 16 ++++++++++++++++ 1 files changed, 16 insertions(+), 0 deletions(-) diff --git a/src/target/firmware/lib/printf.c b/src/target/firmware/lib/printf.c index a4fc687..887b5b4 100644 --- a/src/target/firmware/lib/printf.c +++ b/src/target/firmware/lib/printf.c @@ -17,3 +17,19 @@ int printf(const char *fmt, ...) return r; } + +/* HACK: we define putchar to be sercomm_putchar, + * but gcc optimizes printf("x") to putchar('x') + * so it will generate a call to the function putchar(). + * + * Note: This will break non-sercomm consoles! + */ + +#ifdef putchar +#undef putchar + +int putchar(char c){ + return sercomm_putchar(c); +} + +#endif -- 1.7.0.4

12 years, 2 months

1
0
0 0

mobile DTMF timing

by mad

Hi list, hi Jolly, I just tested the DTMF support on a real network and discovered that the timeout of 70ms for receiving the Start DTMF ACK is too short. The consequences are many repeated Start DTMF messages, never received ACKs and no tone is played. Using a timer value of 170ms in mnccms.c:759 fixes this for that network. Unfortunately I didn't found - or overlooked - a mandatory timeout value for Ta in TS 23.014 which the MSC has to meet. Is that undefined in the standard and where came the 70ms from? Regards, Mad

12 years, 3 months

2
2
0 0

Re: Linux + u-boot port to MT6235

by Victor Rojas

Nacesito temas y confaguracion

12 years, 3 months

1
0
0 0

Creating unique features for a real OsmocomBB phone

by alphaflux

A novel feature would be direct connections to other OsmocomBB handsets that are in range. So not only handsets communicate with towers but a handset also listens to announcements of compatible handsets within range. Reason is to have free communication between different buildings, floors, rooms.

12 years, 3 months

6
5
0 0

Re: Creating unique features for a real OsmocomBB phone

by Dave Schmidt

> why should two phones use uplink frequency to communicate directly > together? why not using downlink frequency? Because in most if not all counties transmission on downlink frequency requires a license? (Sorry and please correct me if this is some obvious nonsense... to me, the original proposal was looking quite nonsensial because of this, but I'd love to learn if I'm wrong...) Dave.

12 years, 3 months

3
2
0 0

Asterisk GSM channel driver?

by Tim Ehlers

Hi, I have seen, that there are channel driver for the DECT project, where you can connect your DECT handset to the Asterisk PBX. There is also somehow a possibility to connect a mobile GSM phone via openBSC and asterisk. But has somebody thought about just connecting the osmocombb mobile phone (which is connected to a public mobile network [or openBSC]) to asterisk? I would think of making a call through a channel driver, osmocombb is doing a call like "call ms number", but instead of using mike and speaker asterisk would send the already in GSM-codec modulated voice data through the serial port (maybe it would needed to use the non-standard USB-TTL version to handle full duplex GSM speech). And layer1 of osmocombb could send that nearly untouched on the air. For incoming calls this could be similar + signalling the call through the channel driver. Has somebody already thought of that? Would that be a achieveable task or is it technically impossible? Thanks Tim

12 years, 3 months

2
2
0 0

read Kc with osmocombb

by Tim Ehlers

Hi, today I seached for a possibility to read the temporary session key "Kc" from my phone in osmocombb. I did not find a function. So I used the function, which writes SMS into sms.txt to write the Kc. Since I never used the Kc to decode something I would like to ask if I did it correct this way: --- old/host/layer23/src/mobile/subscriber.c 2012-01-10 17:06:40.000000000 +0100 +++ new/host/layer23/src/mobile/subscriber.c 2012-01-19 23:52:36.000000000 +0100 @@ -60,6 +60,39 @@ return NULL; } +static int gsm_kc(struct osmocom_ms *ms, uint8_t *kc) +{ + const char osmocomkc[] = ".osmocom/bb/kc.txt"; + int len; + const char *home; + char *kc_file; + FILE *fp; + + home = getenv("HOME"); + if (!home) { +fail: + fprintf(stderr, "Can't deliver SMS, be sure to create '%s' in " + "your home directory.\n", osmocomkc); + return NULL; + } + len = strlen(home) + 1 + sizeof(osmocomkc); + kc_file = talloc_size(l23_ctx, len); + if (!kc_file) + goto fail; + snprintf(kc_file, len, "%s/%s", home, osmocomkc); + + fp = fopen(kc_file, "a"); + if (!fp) + goto fail; + fprintf(fp, "%s %02X%02X%02X%02X%02X%02X%02X%02X\n", ms->name, kc[0], kc[1], kc[2], kc[3], kc[4], kc[5], kc[6], kc[7], kc[8]); + fclose(fp); + + talloc_free(kc_file); + + return 0; +} + + static char *sim_decode_bcd(uint8_t *data, uint8_t length) { int i, j = 0; @@ -377,6 +410,7 @@ subscr->key_seq = data[8] & 0x07; LOGP(DMM, LOGL_INFO, "received KEY from SIM\n"); + gsm_kc(subscr->ms, subscr->key); return 0; } Maybe it would be a better way to implement a function in VTY. BTW, am I wrong or why did nobody do that until present? Thanks Tim

12 years, 3 months

2
2
0 0

[PATCH] Switch to new gpsd API

by Paul Wise

--- src/host/layer23/src/common/gps.c | 26 +++++++++++++------------- 1 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/host/layer23/src/common/gps.c b/src/host/layer23/src/common/gps.c index 38aae2c..2bdfb97 100644 --- a/src/host/layer23/src/common/gps.c +++ b/src/host/layer23/src/common/gps.c @@ -56,7 +56,7 @@ static struct osmo_fd gps_bfd; #ifdef _HAVE_GPSD -static struct gps_data_t* gdata; +static struct gps_data_t gdata; int osmo_gpsd_cb(struct osmo_fd *bfd, unsigned int what) { @@ -66,25 +66,25 @@ int osmo_gpsd_cb(struct osmo_fd *bfd, unsigned int what) g.valid = 0; /* gps is offline */ - if (gdata->online) + if (gdata.online) goto gps_not_ready; /* gps has no data */ - if (gps_waiting(gdata)) + if (gps_waiting(&gdata, 500)) goto gps_not_ready; /* polling returned an error */ - if (gps_poll(gdata)) + if (gps_read(&gdata)) goto gps_not_ready; /* data are valid */ - if (gdata->set & LATLON_SET) { + if (gdata.set & LATLON_SET) { g.valid = 1; - g.gmt = gdata->fix.time; + g.gmt = gdata.fix.time; tm = localtime(&g.gmt); diff = time(NULL) - g.gmt; - g.latitude = gdata->fix.latitude; - g.longitude = gdata->fix.longitude; + g.latitude = gdata.fix.latitude; + g.longitude = gdata.fix.longitude; LOGP(DGPS, LOGL_INFO, " time=%02d:%02d:%02d %04d-%02d-%02d, " "diff-to-host=%d, latitude=%do%.4f, longitude=%do%.4f\n", @@ -111,16 +111,15 @@ int osmo_gpsd_open(void) gps_bfd.when = BSC_FD_READ; gps_bfd.cb = osmo_gpsd_cb; - gdata = gps_open(g.gpsd_host, g.gpsd_port); - if (gdata == NULL) { + if (gps_open(g.gpsd_host, g.gpsd_port, &gdata) == -1) { LOGP(DGPS, LOGL_ERROR, "Can't connect to gpsd\n"); return -1; } - gps_bfd.fd = gdata->gps_fd; + gps_bfd.fd = gdata.gps_fd; if (gps_bfd.fd < 0) return gps_bfd.fd; - if (gps_stream(gdata, WATCH_ENABLE, NULL) == -1) { + if (gps_stream(&gdata, WATCH_ENABLE, NULL) == -1) { LOGP(DGPS, LOGL_ERROR, "Error in gps_stream()\n"); return -1; } @@ -139,7 +138,8 @@ void osmo_gpsd_close(void) osmo_fd_unregister(&gps_bfd); - gps_close(gdata); + gps_stream(&gdata, WATCH_DISABLE, NULL); + gps_close(&gdata); gps_bfd.fd = -1; /* -1 or 0 indicates: 'close' */ } -- 1.7.7.3

12 years, 3 months

6
9
0 0

Strange issues booting layer1

by EMP

Hi all I have compiled osmocombb and everything seems ok. Now i'm having a strange issue which I can replicate across a number of phones. Using a C118 I could boot everything and run the mobile app. Using a C139 I could do the same. However, now the phones dont seem to want to boot? I start everything up (after running the mobile app a few times, stopping the phone and PC etc) and then when I press the Power Off key, nothing happens. It just refuses to download anything. Am wondering if i'm damaging the phones somehow as its now two phones that will no longer start via the USB cable. The phones boot the normal phone firmware fine but wont respond to osmocom. Guess i'm just curious as to others thoughts as i'm unsure where its breaking?

12 years, 3 months

1
0
0 0

GSM 7bit encoding/decoding

by Tim Ehlers

Hello, since I had problems with german umlauts when receiving (and probably also when sending) SMS, I looked today in the gsm translating part in libosmocore. I first noticed a problem, when sending "NETZ Number" to "4636" in O2 network, you get a response SMS saying in which network the number is located. Using osmocombb, I get: [SMS from 66399] Sehr geehrter Kunde, die angefragte Nummer ist im Netz von o2 aktiv (Angabe ohne Gew§hr). So the umlaut "ae" is converted to "§". The problem seems to be in the convert table in src/shared/libosmocore/src/gsm/gsm_utils.c, which is not bijective. "Ae" in gsm7 is "0x7b" and must be converted to latin1 "0xe4". Looking in gsm_7bit_alphabet at place "0xe4", the is "0x7b". But there is also an "0x7b" at place "0xa7", which comes first and is indeed "§". So the question is, are there mistakes in the table or is there a reason for the double entries? Thanks Tim

12 years, 3 months

1
1
0 0

Paging Request3 - not standard compliant? o2-germany

by Stefan Bauer

Good evening, according to EN 300 940 - V7.7.1 - Digital cellular telecommunications system (Phase 2+); Mobile radio interface layer 3 specification (GSM 04.08 version 7.7.1 Release 1998) 9.1.24 Paging request type 3 such requests shall only address MSs by T/MSIs but i notice Type3-Requests with IMSI in o2-germany network. <0001> app_ccch_scan.c:378 Paging3: Normal paging chan n/a to imsi M(2261022118380XX) What do i miss? Stefan

12 years, 3 months

2
1
0 0

Re: 3GPP - paging references

by Stefan Bauer

-----Ursprüngliche Nachricht----- Von: Sylvain Munaut <246tnt(a)gmail.com> Gesendet: Fr 13.01.2012 18:24 Betreff: Re: 3GPP - paging references An: baseband-devel(a)lists.osmocom.org; > >> Are you talking about a hardware modification of the motorola phone > > > > http://bb.osmocom.org/trac/wiki/Hardware/FilterReplacement > > Note that to receive a phone only a few meters next to you, it's not > necessary. The filters aren't that good. Thank to you point this out. I'm not interested in traffic from other phones. What i miss from the wiki or maybe just havent found yet is a statement whether i need to modify osmocom's default firmware to see uplink-traffic? (i want to see the MS response to a paging call) to understand the process of the imm.ass from BTS. Have a nice weekend stefan

12 years, 3 months

1
0
0 0

AW: Re: 3GPP - paging references

by Stefan Bauer

Hi Peter, I just use the motorola to listen to my providers arcfn. Then i watch for traffic from my regular non-osmocom cell phone operating in the same cell. Are you talking about a hardware modification of the motorola phone to receive also uplink or just some software 'tuning'? I'm the transmitter in my case. Thank you Stefan ----- Ursprüngliche Nachricht ----- Von: Peter Stuge <peter(a)stuge.se> Gesendet: Freitag, 13. Januar 2012 14:47 An: baseband-devel(a)lists.osmocom.org Betreff: Re: 3GPP - paging references Stefan Bauer wrote: > I could match the informations from imm.ass (downlink) against the > paging response (uplink) on sdcch right? Anyway i still see no way > to listen to uplink traffic on sdcch without usrp-hardware. You already know what you send. If you want to listen to what someone else sends you indeed need a receiver. The Motorola phone can be modified to receive also uplink, but if the transmitter is far away it might not work anyway. //Peter

12 years, 3 months

3
2
0 0

AW: Re: Re: 3GPP - paging references

by Stefan Bauer

My information is from 'decoding gsm' master thesis from glendrange, hove, hvideberg (2010) norwegian university of science and technology, page 92, figure 5.4. I,m getting closer to understand the process of assignment if i understand you correctly now. I could match the informations from imm.ass (downlink) against the paging response (uplink) on sdcch right? Anyway i still see no way to listen to uplink traffic on sdcch without usrp-hardware. Greetings stefan ----- Ursprüngliche Nachricht ----- Von: Sylvain Munaut <246tnt(a)gmail.com> Gesendet: Freitag, 13. Januar 2012 14:12 An: Stefan Bauer <stefan.bauer(a)cubewerk.de> Cc: baseband-devel(a)lists.osmocom.org Betreff: Re: Re: 3GPP - paging references Hi, > I just red that if early assignment is used (non-oascu) in a ms terminating call, there is no channel request on RACH by ms. ??? !!! ??? Where would you have read that in the spec ? > I still dont quite get then howto match imsi/tmsi to an immediate assignment. You can't ... I just said so in the previous mails ... There is no indication in the imm.ass that would allow you to know for which mobile identity a channel is intended. You can only know if it matches _your_ request (by matching time and random reference) Cheers, Sylvain

12 years, 3 months

3
2
0 0

AW: Re: 3GPP - paging references

by Stefan Bauer

Sylvain, I just red that if early assignment is used (non-oascu) in a ms terminating call, there is no channel request on RACH by ms. I still dont quite get then howto match imsi/tmsi to an immediate assignment. stefan ----- Ursprüngliche Nachricht ----- Von: Sylvain Munaut <246tnt(a)gmail.com> Gesendet: Donnerstag, 12. Januar 2012 18:30 An: Stefan Bauer <stefan.bauer(a)cubewerk.de> Cc: baseband-devel(a)lists.osmocom.org Betreff: Re: 3GPP - paging references Hi, > In detail how can i match the paging for my specific imsi/tmsi to the data-channel assignment? You can't ... There is no relation between paging and the channel assignment. When the phone sees he's being paged, he will initiate the channel request procedure. He sends a RACH at a given time fn with a random reference (8bits). And then he looks for assignement matching his RACH (i.e. the time fn and random reference are repeated back by the network in the assignment so that a phone knows the channel was for it). Cheers, Sylvain

12 years, 3 months

2
1
0 0

Re: 3GPP - paging references

by Stefan Bauer

-----Ursprüngliche Nachricht----- Von: Joshua Lackey <jl(a)thre.at> Gesendet: Fr 13.01.2012 01:09 Betreff: Re: AW: Re: 3GPP - paging references An: Stefan Bauer <stefan.bauer(a)cubewerk.de>; > On 01/12/2012 01:05 PM, Stefan Bauer wrote: > > Hi, > > > > Well thank you for your answer. I thought i could simply call my phone, the > network would page it and i would have the imsi/tmsi. As i'm in a very busy > cell, there are huge amounts of pagings. I have to rethink my first idea. > > Call yourself 10 times. The TMSI that appears 10 times will be yours. > (With a high probability anyway.) Hi Jushua, i don't see a way to really narrow this down by this "technique". For example in my cell, the paging traffic is very high, so there are always several pagings with the same amount. Also if i do 10 calls, i do not get put through after the first paging-request on all attempts so this is not quite precise. Am i wrong? Stefan

12 years, 3 months

1
0
0 0

AW: 3GPP - paging references

by Stefan Bauer

-----Ursprüngliche Nachricht----- Von: Sylvain Munaut <246tnt(a)gmail.com> > When the phone sees he's being paged, he will initiate the channel > request procedure. > > He sends a RACH at a given time fn with a random reference (8bits). > And then he looks for assignement matching his RACH (i.e. the time fn > and random reference are repeated back by the network in the > assignment so that a phone knows the channel was for it). Sylvain, so it goes like this: ? 1. BSC starts paging MS by either TMSI/IMSI (Paging1: Normal paging chan any to imsi M(262073948077454)) 2. MS sends channel request procedure to BSC over RACH (MS uses special(random) parameters inside this request) (is there a way to see the RACH-traffic in the "air" with regular tools?) 3. BSC sends Immediate Assignment message to MS and repeates the random parameters from request (GSM48 IMM ASS (ra=0x0f, chan_nr=0x49, ARFCN=667, TS=1, SS=1, TSC=5)) Greetings Stefan

12 years, 3 months

1
0
0 0

AW: Re: 3GPP - paging references

by Stefan Bauer

Hi, Well thank you for your answer. I thought i could simply call my phone, the network would page it and i would have the imsi/tmsi. As i'm in a very busy cell, there are huge amounts of pagings. I have to rethink my first idea. Stefan ----- Ursprüngliche Nachricht ----- Von: Sylvain Munaut <246tnt(a)gmail.com> Gesendet: Donnerstag, 12. Januar 2012 18:28 An: Stefan Bauer <stefan.bauer(a)cubewerk.de> Cc: baseband-devel(a)lists.osmocom.org Betreff: Re: 3GPP - paging references Hi, > In detail how can i match the paging for my specific imsi/tmsi to the data-channel assignment? You can't ... There is no relation between paging and the channel assignment. When the phone sees he's being paged, he will initiate the channel request procedure. He sends a RACH at a given time fn with a random reference (8bits). And then he looks for assignement matching his RACH (i.e. the time fn and random reference are repeated back by the network in the assignment so that a phone knows the channel was for it). Cheers, Sylvain

12 years, 3 months

1
0
0 0

3GPP - paging references

by Stefan Bauer

Dear developers & users, can somebody please provide further documents to understand how paging works? In detail how can i match the paging for my specific imsi/tmsi to the data-channel assignment? I dont see my tmsi/imsi as reference in the data-channel request-frame in wireshark nor in the output of ccch_scan. I guess i have to do some math :) Thank you. Stefan

12 years, 3 months

2
1
0 0

Bounce action notification

by mailman＠lists.osmocom.org

This is a Mailman mailing list bounce action notice: List: baseband-devel Member: fabian(a)auth.se Action: Subscription disabled. Reason: Excessive or fatal bounces. The triggering bounce notice is attached below. Questions? Contact the Mailman site administrator at mailman(a)lists.osmocom.org.

12 years, 3 months

1
0
0 0

Creating a real usable phone using OsmocomBB

by Harald Welte

Hi all! I've mentioned this before, and I keep getting back to it: With all the great work that has been put into OsmocomBB, we are "at an arms lengh" away from being able to create a true Free Software mobile phone. We already have the hardware drivers, protocol stack and even the 'mobile' program which can be used for making and receiving voice calls and sending/receiving SMS text messages on real GSM networks! While the journey has been a lot of fun and everyone involved has learned a lot, we have so far been catering mstly about "scratching our own itch", i.e. implementing what we needed in order to satisfy our ego and/or to implement the ideas we had regarding cellular security. I believe we cannot miss the bigger opportunity here to put our code into bigger use: To create something like a very simple GSM feature phone. When we look at various areas of computing like Operating Systems or Web browsers, Free Software is not just "the hobby project catching up" with the vendors of proprietary software. Free Software can compete. In the cellular area, we have still not managed to even implement the most basic GSM feature phone that existed 15 years ago using proprietary software. We need to work on closing that gap. We need to show that a small community of Free Software developers can actually implement what teams of hundreds of engineers did in a proprietary software setting 15 years ago - despite all the lack of hardware documentation or any kind of positive feedback from the cellular chipset, handset or operator industry. If we don't at least get a 2G GSM cellphone implemented now, it will probably not happen before 2G networks become insignificant in large parts of the world. This is a call to all hands, please support this project! Regards, Harald == Technical aspects == I believe the first major decision is whether we focus on 1) the Openmoko FreeRunner / Neo1973 phones Advantages: * large screen for UI with bells and whistles * lots of RAM and Flash, even script languages or compilation on the device itself possible * second processor doesn't require us to run stack + UI on once CPU * easier debugging of UI * various existing telephony middleware and phone dialer UI projects of which hopefully one could be recycled or 2) the Motorola/Compal C1xx phones Advantags: * many more phones available, even after our software is released * lower cost of the individual phone * less power consumption due to only one small ARM7 core * smaller screen also means less fancy UI requirements Problems: * full stack + UI needs to run on calypso (L2/L3) and we'd probably some kind of RTOS like NuttX instead of our 'bare iron' code. ==== What we need in any case ==== * power management on the baseband processor through all of the stack (though it's mostly a driver/L1 kind of thing) == Summary / Opinion == It seems like running the OsmocomBB layer1 + 'mobile' as-is on the Openmoko baseband + application processor might be the quicker road to progress. Sure, the power consumption will be horrible as the AP will have to be woken up for each and every SI message, neighbor cell measurment or paging request that ew see comining in in our paging group (even in idle mode). But then, there is always the negative impact of using a relatively complex system, with two processors, a complex software stack (Linux, X11, toolkit, etc.) on one of them, etc. On the other hand, using the C1xx phones will result in a much more widely available result. The phones can still be bought in batches of 1,000 units, and they are small enough for lots of people to carry around. Furthermore, the battery lifetime is far beyond anything you would ever be able to achieve on a power-hungry smartphone platform. I believe it would be the "smart' solution, as it means we need to get everything integrated, etc. What does the community on this list think? Which way shoul we go? But maybe the best thing is to actually stat working on the power management aspects, as we will need them in both cases. Happy hacking, Harald -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

12 years, 3 months

14
27
0 0

Control Update Location with osmocom

by Todor Pirov

Hi All, I'd like to know if it is possible to control with osmocom the UL requests sent from the handsets. More specifically the interval between the UL request iterations when there is no response from the HLR. Also is it possible to simulate manual registration to the network i.e. keep sending UL to the same network after the 4th UL has timed out? I guess this could be a function of the baseband chip itself but some settings are controlled by the firmware. BR, Todor

12 years, 3 months

1
0
0 0

AW: random net disconn. - o2 germany - motorola c123 + c140

by Stefan Bauer

-----Ursprüngliche Nachricht----- Von: Sylvain Munaut <246tnt(a)gmail.com> > Damnit, I forgot to enable TX ... sorry about that. > > http://minus.com/mbiuqRunDm Sylvain, now it behaves much more stable!! That is awesome. Thank you. What have you changed / what was the issue? Now I'm in the network only with a single disconnect since a few minutes. I also had the chance to make a phone-call now. Stefan

12 years, 3 months

4
4
0 0

Re: random net disconn. - o2 germany - motorola c123 + c140

by Stefan Bauer

-----Ursprüngliche Nachricht----- Von: Sylvain Munaut <246tnt(a)gmail.com> > I didn't change anything, I just compiled the git. > > For some unknown reason, some ARM toolchain produce "half working" > binaries ... we have no idea why that happens. For me, i'm happy now as i can debug and test this gsm stuff further. thank you again. > What's the toolchain you use ? Well, i just used the following sources and put them together: wget http://www.gnuarm.com/binutils-2.17.tar.bz2 wget http://www.gnuarm.com/gcc-4.1.1.tar.bz2 wget http://www.gnuarm.com/newlib-1.14.0.tar.gz wget http://www.gnuarm.com/insight-6.5.tar.bz2 wget http://ftp.gnu.org/gnu/gdb/gdb-6.7.tar.bz2 According to some german howto from here: http://www.alphapogo.de/ > Could you send be the binary you compiled ? Sure - please find the binary here: http://www.plzk.de/layer1.compalram.bin 4479603075372ce89c215178a9ad48f3 layer1.compalram.bin Stefan

12 years, 3 months

2
1
0 0

Re: random net disconn. - o2 germany - motorola c123 + c140

by Stefan Bauer

-----Ursprüngliche Nachricht----- Von: Sylvain Munaut <246tnt(a)gmail.com> Gesendet: Mo 09.01.2012 14:12 Betreff: Re: random net disconn. - o2 germany - motorola c123 + c140 An: Stefan Bauer <stefan.bauer(a)cubewerk.de>; CC: baseband-devel(a)lists.osmocom.org; > > thank you for your time. Here is the L1-log: > > > > http://www.plzk.de/layer1.log > > Could you retry with this layer1 firmware : > > http://minus.com/mdAV5dFRb I just tried it. No luck. It seems, that this FW lacks TX-support? http://www.plzk.de/layer1-newFW.log Stefan

12 years, 3 months

2
1
0 0

AW: random net disconn. - o2 germany - motorola c123 + c140

by Stefan Bauer

-----Ursprüngliche Nachricht----- Von: Sylvain Munaut <246tnt(a)gmail.com> Gesendet: Mo 09.01.2012 12:37 Betreff: Re: random net disconn. - o2 germany - motorola c123 + c140 An: Stefan Bauer <stefan.bauer(a)cubewerk.de>; CC: baseband-devel(a)lists.osmocom.org; > > Is it possible, that i miss an important part in my setup? To be honest, i > followed quite strictly all the informations in the public wiki. > > Post the L1 logs (from osmocon) ... because the log you post contain > no low level information whatsoever (those happen on the phone and not > on the pc software). thank you for your time. Here is the L1-log: http://www.plzk.de/layer1.log Stefan

12 years, 3 months

2
1
0 0

AW: random net disconn. - o2 germany - motorola c123 + c140

by Stefan Bauer

-----Ursprüngliche Nachricht----- Von: Stefan Bauer <stefan.bauer(a)cubewerk.de> > I moved closer to the cell. I got associated to the cell with much better > quality. Then the channel switch was initiated by the software - without luck - > logs attached: I tested another provider. This time Vodafone. The rx-quality is even better: (my cell #33 is -64) <0004> gsm322.c:4783 Measurement result for ARFCN 16: -95 <0004> gsm322.c:4783 Measurement result for ARFCN 20: -93 <0004> gsm322.c:4783 Measurement result for ARFCN 21: -96 <0004> gsm322.c:4783 Measurement result for ARFCN 22: -92 <0004> gsm322.c:4783 Measurement result for ARFCN 25: -92 <0004> gsm322.c:4783 Measurement result for ARFCN 33: -64 <0004> gsm322.c:4783 Measurement result for ARFCN 34: -84 <0004> gsm322.c:4783 Measurement result for ARFCN 43: -87 <0004> gsm322.c:4783 Measurement result for ARFCN 44: -86 <0004> gsm322.c:4783 Measurement result for ARFCN 48: -81 <0004> gsm322.c:4783 Measurement result for ARFCN 49: -94 <0004> gsm322.c:4783 Measurement result for ARFCN 82: -94 <0004> gsm322.c:4783 Measurement result for ARFCN 86: -74 <0004> gsm322.c:4783 Measurement result for ARFCN 87: -93 <0004> gsm322.c:4783 Measurement result for ARFCN 88: -92 <0004> gsm322.c:4783 Measurement result for ARFCN 95: -92 <0004> gsm322.c:4783 Measurement result for ARFCN 123: -84 <0004> gsm322.c:4783 Measurement result for ARFCN 124: -79 <0004> gsm322.c:4691 RLA_C of serving cell: -55 <0004> gsm322.c:374 A (RLA_C (-55) - RXLEV_ACC_MIN (-106)) = 51 <0004> gsm322.c:376 B (MS_TXPWR_MAX_CCH (33) - p (33)) = 0 <0004> gsm322.c:377 C1 (A - MAX(B,0)) = 51 <0004> gsm322.c:400 C2 = C1 - CELL_RESELECT_OFFSET (0) = 51 (special case) <0004> gsm322.c:4746 #1 ARFCN=33 RLA_C=-64 <0004> gsm322.c:4746 #2 ARFCN=86 RLA_C=-75 <0004> gsm322.c:4746 #3 ARFCN=124 RLA_C=-80 <0004> gsm322.c:4746 #4 ARFCN=48 RLA_C=-82 <0004> gsm322.c:4746 #5 ARFCN=123 RLA_C=-82 <0004> gsm322.c:4746 #6 ARFCN=34 RLA_C=-83 <0004> gsm322.c:4569 Syncing to new neighbour cell 33. For unknown reasons, the sync fails again: <0003> gsm322.c:469 Sync to ARFCN=33 rxlev=-68 (No sysinfo yet, ccch mode NONE) <0003> gsm322.c:2937 Channel synched. (ARFCN=33, snr=16, BSIC=25) <0001> gsm322.c:2958 using DSC of 90 <0004> gsm322.c:4640 Synced to neighbour cell 33. <0003> gsm322.c:692 Starting CS timer with 2 seconds. <0003> gsm48_rr.c:4941 Channel provides data. <0001> gsm48_rr.c:1887 New SYSTEM INFORMATION 2 <0001> sysinfo.c:719 New SYSTEM INFORMATION 3 (mcc 262 mnc 01 lac 0x430a) <0001> gsm48_rr.c:2012 Changing CCCH_MODE to 1 <0003> gsm322.c:702 stopping pending CS timer. <0003> gsm322.c:2567 Relevant sysinfo of neighbour cell is now received or updated. <0004> gsm322.c:4661 Read from neighbour cell 33 (rxlev -68). <0004> gsm322.c:4569 Syncing to new neighbour cell 86. <0003> gsm322.c:469 Sync to ARFCN=86 rxlev=-78 (No sysinfo yet, ccch mode NONE) <0003> gsm322.c:2980 Channel sync error, try again <0003> gsm322.c:469 Sync to ARFCN=86 rxlev=-78 (No sysinfo yet, ccch mode NONE) <0003> gsm322.c:2993 Channel sync error. <0003> gsm322.c:2998 free sysinfo ARFCN=86 <0004> gsm322.c:4640 Failed to sync to neighbour cell 86. <0004> gsm322.c:4569 Syncing to new neighbour cell 124. <0003> gsm322.c:469 Sync to ARFCN=124 rxlev=-83 (No sysinfo yet, ccch mode NONE) <0003> gsm322.c:2980 Channel sync error, try again <0003> gsm322.c:469 Sync to ARFCN=124 rxlev=-83 (No sysinfo yet, ccch mode NONE) <0003> gsm322.c:2993 Channel sync error. <0003> gsm322.c:2998 free sysinfo ARFCN=124 <0004> gsm322.c:4640 Failed to sync to neighbour cell 124. <0004> gsm322.c:4569 Syncing to new neighbour cell 48. <0003> gsm322.c:469 Sync to ARFCN=48 rxlev=-83 (No sysinfo yet, ccch mode NONE) <0003> gsm322.c:2980 Channel sync error, try again <0003> gsm322.c:469 Sync to ARFCN=48 rxlev=-83 (No sysinfo yet, ccch mode NONE) <0003> gsm322.c:2993 Channel sync error. <0003> gsm322.c:2998 free sysinfo ARFCN=48 <0004> gsm322.c:4640 Failed to sync to neighbour cell 48. <0004> gsm322.c:4569 Syncing to new neighbour cell 123. <0003> gsm322.c:469 Sync to ARFCN=123 rxlev=-85 (No sysinfo yet, ccch mode NONE) <0003> gsm322.c:2980 Channel sync error, try again <0003> gsm322.c:469 Sync to ARFCN=123 rxlev=-85 (No sysinfo yet, ccch mode NONE) <0003> gsm322.c:2993 Channel sync error. <0003> gsm322.c:2998 free sysinfo ARFCN=123 <0004> gsm322.c:4640 Failed to sync to neighbour cell 123. <0004> gsm322.c:4569 Syncing to new neighbour cell 34. <0003> gsm322.c:469 Sync to ARFCN=34 rxlev=-86 (No sysinfo yet, ccch mode NONE) <0003> gsm322.c:2980 Channel sync error, try again <0003> gsm322.c:469 Sync to ARFCN=34 rxlev=-86 (No sysinfo yet, ccch mode NONE) <0003> gsm322.c:2993 Channel sync error. <0003> gsm322.c:2998 free sysinfo ARFCN=34 <0004> gsm322.c:4640 Failed to sync to neighbour cell 34. <0004> gsm322.c:4122 Re-select using access class with Emergency class. <0004> gsm322.c:4142 Checking cell of ARFCN 33 for cell re-selection. <0004> gsm322.c:374 A (RLA_C (-64) - RXLEV_ACC_MIN (-106)) = 42 <0004> gsm322.c:376 B (MS_TXPWR_MAX_CCH (33) - p (33)) = 0 <0004> gsm322.c:377 C1 (A - MAX(B,0)) = 42 <0004> gsm322.c:400 C2 = C1 - CELL_RESELECT_OFFSET (0) = 42 (special case) <0004> gsm322.c:4198 -> Cell of is in the same LA, so CRH = 0 <0004> gsm322.c:4142 Checking cell of ARFCN 86 for cell re-selection. <0004> gsm322.c:4164 Skip cell: There are no system informations available. <0004> gsm322.c:4142 Checking cell of ARFCN 124 for cell re-selection. <0004> gsm322.c:4164 Skip cell: There are no system informations available. <0004> gsm322.c:4142 Checking cell of ARFCN 48 for cell re-selection. <0004> gsm322.c:4164 Skip cell: There are no system informations available. <0004> gsm322.c:4142 Checking cell of ARFCN 123 for cell re-selection. <0004> gsm322.c:4164 Skip cell: There are no system informations available. <0004> gsm322.c:4142 Checking cell of ARFCN 34 for cell re-selection. <0004> gsm322.c:4164 Skip cell: There are no system informations available. <0004> gsm322.c:4624 Syncing back to serving cell <0003> gsm322.c:463 Sync to ARFCN=46 rxlev=-56 (Sysinfo, ccch mode NON-COMB) <0001> gsm48_rr.c:679 MON: no cell info <0003> gsm322.c:2980 Channel sync error, try again <0003> gsm322.c:463 Sync to ARFCN=46 rxlev=-56 (Sysinfo, ccch mode NON-COMB) <0003> gsm322.c:2980 Channel sync error, try again <0003> gsm322.c:463 Sync to ARFCN=46 rxlev=-56 (Sysinfo, ccch mode NON-COMB) <0003> gsm322.c:2993 Channel sync error. <0003> gsm322.c:2998 free sysinfo ARFCN=46 <0003> gsm322.c:3005 Unselect cell due to sync error! <0003> gsm322.c:498 Unselecting serving cell. <0003> gsm322.c:3072 Loss of CCCH, Trigger re-selection. <0003> gsm322.c:4035 (ms 1) Event 'EVENT_CELL_RESEL' for Cell selection in state 'C7 camped on any cell' <0003> gsm322.c:823 new state 'C7 camped on any cell' -> 'C8 any cell re-selection' <0003> gsm322.c:4334 Checking cell with ARFCN 33 for cell re-selection. (C2 = 42) <0003> gsm322.c:4334 Checking cell with ARFCN 86 for cell re-selection. (C2 = 0) <0003> gsm322.c:4345 Skip cell: not suitable and/or allowable. <0003> gsm322.c:4334 Checking cell with ARFCN 124 for cell re-selection. (C2 = 0) <0003> gsm322.c:4345 Skip cell: not suitable and/or allowable. <0003> gsm322.c:4334 Checking cell with ARFCN 48 for cell re-selection. (C2 = 0) <0003> gsm322.c:4345 Skip cell: not suitable and/or allowable. <0003> gsm322.c:4334 Checking cell with ARFCN 123 for cell re-selection. (C2 = 0) <0003> gsm322.c:4345 Skip cell: not suitable and/or allowable. <0003> gsm322.c:4334 Checking cell with ARFCN 34 for cell re-selection. (C2 = 0) <0003> gsm322.c:4345 Skip cell: not suitable and/or allowable. <0003> gsm322.c:4372 Best neighbour cell with ARFCN 33 selected. (normal priority) <0003> gsm322.c:4405 Scanning ARFCN 33 of neighbour cell during cell reselection. <0003> gsm322.c:469 Sync to ARFCN=33 rxlev=-68 (No sysinfo yet, ccch mode NONE) <0005> gsm48_mm.c:4329 (ms 1) Received 'MM_EVENT_LOST_COVERAGE' event in state MM IDLE, limited service <0005> gsm48_mm.c:1059 Selecting PLMN SEARCH state, because no cell selected. <0005> gsm48_mm.c:912 new MM IDLE state limited service -> PLMN search Is it possible, that i miss an important part in my setup? To be honest, i followed quite strictly all the informations in the public wiki. Stefan

12 years, 3 months

2
1
0 0

AW: random net disconn. - o2 germany - motorola c123 + c140

by Stefan Bauer

-----Ursprüngliche Nachricht----- Von: Stefan Bauer <stefan.bauer(a)cubewerk.de> > I'm gonna try to move closer to the BTS tomorrow and collect some informations. > If the quality stays poor, i can only attach an additional antenna to the phone. Ok - here is the status - not quite surprising: I moved closer to the cell. I got associated to the cell with much better quality. Then the channel switch was initiated by the software - without luck - logs attached: http://www.plzk.de/mobile2.log Any idea why the channel sync fails several times and even the fallback switch to the serving cell at the end? I have doubts that it is an antenna/RX-issue. If i use the motorola with original firmware, i have no issues and can immediately start a phone-call. Thank you in advance Stefan

12 years, 3 months

1
0
0 0

Re: random net disconn. - o2 germany - motorola c123 + c140

by Stefan Bauer

-----Ursprüngliche Nachricht----- Von: Harald Welte <laforge(a)gnumonks.org> > Are you sure your other phones are using O2 in GSM mode, not 3G? It > could be that the other phones use 3G and thus have better coverage > indication. Hi Harald, i have a pretty old nokia phone (6310) and it's only able to do GSM. That was used for my comparison. > > Is it possible, that my provider does not like the random imei-feature > > of osmocom? > > That might very well be, but is completley unrelated to a RF signal > level as it is measured by your phone (which leads to the problem you > are observing). I'm gonna try to move closer to the BTS tomorrow and collect some informations. If the quality stays poor, i can only attach an additional antenna to the phone. Thank you. Stefan

12 years, 3 months

1
0
0 0

Re: random net disconn. - o2 germany - motorola c123 + c140

by Stefan Bauer

-----Ursprüngliche Nachricht----- Von: Holger Hans Peter Freyther <holger(a)freyther.de> Gesendet: So 08.01.2012 17:03 Betreff: Re: random net disconn. - o2 germany - motorola c123 + c140 An: baseband-devel(a)lists.osmocom.org; > On 01/08/2012 04:27 PM, Stefan Bauer wrote: > > > > > PING. Nobody with an idea on my issue? > > What about you? Reading the log, do you see anything that looks weird? E.g. > how likely is it that you simply have bad coverage of O2 for GSM in the area > you are. What do you think about log entries like this? Well, the coverage is perfect with my other cell phones at the exactly same position in my office. Is it possible, that my provider does not like the random imei-feature of osmocom? Is it best practise to use the real sim and not only extracting the key from original sim and fake it? thank you Stefan

12 years, 3 months

2
1
0 0

Re: random net disconn. - o2 germany - motorola c123 + c140

by Stefan Bauer

-----Ursprüngliche Nachricht----- > Hi Peter, > > please find the log-file of mobile here: > > http://www.plzk.de/mobile.log PING. Nobody with an idea on my issue? Regards Stefan

12 years, 3 months

2
1
0 0

Re: random net disconn. - o2 germany - motorola c123 + c140

by Stefan Bauer

-----Ursprüngliche Nachricht----- Von: Peter Stuge <peter(a)stuge.se> Gesendet: Sa 07.01.2012 00:31 Betreff: Re: random net disconn. - o2 germany - motorola c123 + c140 An: baseband-devel(a)lists.osmocom.org; > Stefan Bauer wrote: > > serious problems to keep in my operators network (o2 germany - > > 262 07) longer than a few seconds. > > Can you crank up the logging to max and share the logs from a clean > start of connection through disconnect? Hi Peter, please find the log-file of mobile here: http://www.plzk.de/mobile.log I hope this will bring some light into my problem. Thank you in advance Stefan

12 years, 3 months

1
0
0 0

Linux + u-boot port to MT6235

by Marcin Mielczarczyk

Hi All! That's true, I managed to run U-Boot on MT6235, but linux kernel is not fully functional yet (it's fresh stuff as I managed to ran it on Tuesday and then I was off to conference). For MT6235 development I chose Sciphone G2, which is pretty cheap. After some time I managed to download code to SRAM (just 64KB) using MTK's FlashTool. MTK FlashTool communicates over UART directly with MT6235 bootloader and sends its own chunk of code (about 58KB) which is executed in SRAM and communicates with FlashTool. I found on pudn.com some pack to customize code loaded by FlashTool, thanks to which I could download my own code to SRAM (without JTAG). The problem was that it had to be linked with some security libraries which occupied about 56KB and not much memory left for my own code. Then I decided to try find JTAG pins to get all control on MT6235. That took me sometime, but finally I succeeded. The other bigger issue was initializing DRAM controller to be able to download bigger code (linux kernel + uboot) to external RAM. In sciphone there is problem that all interesting chips are under metal shield which is pretty havily soldered. In this case I couldn't read what kind of RAM memory is mounted without destroying the board (I don't have such soldering machine which could unsolder so big metal shield). Thanks to JTAG I could attach to target and then dump DRAM controller registers from processor running MTK's software, but setting these values after processor start and configuration of PLL didn't work. I decided to disassemble bootloader which could show me how DRAM controller is initialized and how code fron NAND is loaded (to be able to flash U-Boot and kernel to NAND so MT6235 will start my code automatically and I will not have to use JTAG). Currently I have knowledge how internal MT6235 bootloader is loading code from memory during startup and I also extracted procedure of DRAM controller initialization. Thanks to that I'm able to run U-Boot from the very begining of processor startup. The problem is that I have just one piece of Sciphone G2 and I don't want to flash it yet to not break existing code in it. Thanks to running device I'm able to attach with JTAG and check how peripherals are configured (i.e. LCD, MMC, etc.). I have backup of flash, but I'm not 100% sure if I will flash it back, phone will startup. That's why I bought second piece of Sciphone G2 and should receive it today or on Tuesday (this Monday is holiday in Poland). In this case I'll flash U-Boot to NAND and try to make it working. Then we could load the rest of code from U-Boot (to RAM or NAND over serial). You can see how my setup looks on attached picture. The good thing about it is that the same bootloader is used in MT622x, so it should be fairly easy to do the same on phones based on that SoCs (but unfortuantely it's just ARM7). If it comes to code, of course I can share it on "git.osmocom.org". Currently it's just basic port of U-Boot and not much for linux kernel, but I'm working on this now so I'll push it when it'll be ready. Currently I'm working on driver for NAND memory for U-Boot, so we could flash linux kernel. When that will be ready I'll push the code. Then I'll switch to linux kernel and when it'll be functional I also push the code. At this stage you will not need to have JTAG and you could load the code over serial in U-Boot. If it comes to GSM I didn't work with it before. I actualy worked 6 months in L2/3 team for LTE (on RRC) but it's different story. That could be really outstanding thing if we could run first phone ever with whole code open (from BB up to APP). BR, Marcin

12 years, 3 months

13
37
0 0

random net disconn. - o2 germany - motorola c123 + c140

by Stefan Bauer

Dear developers and users, i would like to know the current status of osmocom-bb on the motorola c123 and c140. I have both phones available and serious problems to keep in my operators network (o2 germany - 262 07) longer than a few seconds. I'm using my real sim (sim reader) but the quality seems to be very poor with that kind of devices. Are there any known problems? With several other devices (non osmocom firmware) and the same sim i have no problems at the same location. thanks in advance Stefan

12 years, 3 months

2
1
0 0

Newbie DSP Questions

by Avner Ezra

Hi I'm newbie in DSP and SDR, but I'm really interested in this matter and I want to learn. I have bunch of questions which has short answers, if you can please answer them in easy terms and words, so I can understand them well. I hope this thread will help a lot of other newbies to understand DSP stuff better. I have a Linux with every needed tools like osmocomm, gnuradio, openbts, kalibrate, uhd drivers, ... and USRP N210 hardware ready. Everything works normal and well. A) Sometimes when I scan a network bandwidth like GSM1800 using kalibrate, I see some channels like 820, 538, etc. When I re-scan, I cannot find them. Does this mean that kalibrate finds a channel when a mobile handset has a live conversation or sms send or receive in progress? or what? B) I want to wideband capture for example 125 ARFCN. It needs 25MHz bandwidth which USRP N210 can handle and stream it easily. Even AFAIK I can double this number and capture 250 ARFCN using single N210 (50MHz, in USRPN210 data sheet it says it's capable of streaming 50MHz wide signals). How can I wideband capture 125 ARFCNs? I tried to do it using: ./uhd_rx_cfile.py -f `arfcncalc -a 512 -b 1800 -d` --samp-rate=25000000 -N 200000000 -g 70 b1.cfile What I understood and decided to write such command above: B-1) arfcncalc calculates frequency of first GSM1800 channel (512 ARFCN) which is start point (in above command) B-2) Sampling Rate is the bandwidth I want to capture, in our case it's 25MHz means 125 ARFCN which each ARFCN has 200kHz bandwidth B-3) 200M samples will be received (-N parameter) B-4) Gain value is 70, means it will boost antennas to maximum power to receive signals, I think USRPN210 max. gain is 80 B-5) My decimation rate here using 25M sampling rate and USRP N210 which has 100MHz ADC, will be 4. So if I decided to read cfile I have to use 4 as decimation rate. Please explain and tell me if I'm correct or wrong about above statements. Does this will work and I'll have a 125 ARFCN from 512 to 637 ARFCNs captures into b1.cfile? If so why in http://gnuradio.org/doc/doxygen-3.4/classusrp__source__base.html#adf8529d74… documentation, it says set_rx_freq should set center of frequency, so for example if you want to capture from 512 to 637, you should set frequency to frequency of ARFCN 574? C) How can I seperate and process 200khz by 200khz channels in wideband captured file? Thank you so much for your time Your help and answers will solve problem of a lot of newbies like me. Best Wishes

12 years, 3 months

4
4
0 0

phones are not working

by Akib Sayyed

hello guys i am facing problem with registering phone on network what i am using cellphone: motorola c139 cable : FDTI FT232RL cable given on ccc aug ++++++++++++++++++++++++++++++++++++++++ command used to load ./host/osmocon/osmocon -m c140xor -p /dev/ttyUSB0 -c ./target/firmware/board/compal_e86/layer1.highram.bin ./target/firmware/board/compal_e86/chainload.compalram.bin ++++++++++++++++++++++++++++++++++++++++ show ms 1 command o/p MS '1' is up, MM connection active IMEI: 000000000000000 IMEISV: 0000000000000000 IMEI generation: fixed automatic network selection state: A1 trying RPLMN MCC=404 MNC=90 (India, AirTel) cell selection state: connected mode 1 ARFCN=613(DCS) MCC=404 MNC=90 LAC=0x0c2f CELLID=0x0aa2 (India, AirTel) radio ressource layer state: connection pending mobility management layer state: wait for RR connection (location updating) ++++++++++++++++++++++++++++++++++++++++ other tools tried : celllog works fine ++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++ Other issue details getting error FTM_TOOL error what i am using cellphone: motorola c123 cable : FDTI FT232RL cable given on ccc aug ++++++++++++++++++++++++++++++++++++++++ command used to load ./host/osmocon/osmocon -m c123xor -p /dev/ttyUSB0 ./target/firmware/board/compal_e88/layer1.compalram.bin ++++++++++++++++++++++++++++++++++++++++ here is log of error from c123 root@akib-laptop:~/osmocom_org/osmocom-bb/src# ./host/osmocon/osmocon -m c123xor -p /dev/ttyUSB0 ./target/firmware/board/compal_e88/layer1.compalram.bin got 1 bytes from modem, data looks like: 00 . got 2 bytes from modem, data looks like: 04 81 .. got 4 bytes from modem, data looks like: 1b f6 02 00 .... got 1 bytes from modem, data looks like: 41 A got 1 bytes from modem, data looks like: 01 . got 1 bytes from modem, data looks like: 40 @ Received PROMPT1 from phone, responding with CMD read_file(./target/firmware/board/compal_e88/layer1.compalram.bin): file_size=55840, hdr_len=4, dnload_len=55847 got 1 bytes from modem, data looks like: 1b . got 1 bytes from modem, data looks like: f6 . got 1 bytes from modem, data looks like: 02 . got 1 bytes from modem, data looks like: 00 . got 1 bytes from modem, data looks like: 41 A got 1 bytes from modem, data looks like: 02 . got 1 bytes from modem, data looks like: 43 C Received PROMPT2 from phone, starting download handle_write(): 4096 bytes (4096/55847) handle_write(): 4096 bytes (8192/55847) handle_write(): 4096 bytes (12288/55847) handle_write(): 4096 bytes (16384/55847) handle_write(): 4096 bytes (20480/55847) handle_write(): 4096 bytes (24576/55847) handle_write(): 4096 bytes (28672/55847) handle_write(): 4096 bytes (32768/55847) handle_write(): 4096 bytes (36864/55847) handle_write(): 4096 bytes (40960/55847) handle_write(): 4096 bytes (45056/55847) handle_write(): 4096 bytes (49152/55847) handle_write(): 4096 bytes (53248/55847) handle_write(): 2599 bytes (55847/55847) handle_write(): finished got 1 bytes from modem, data looks like: 1b . got 1 bytes from modem, data looks like: f6 . got 1 bytes from modem, data looks like: 02 . got 1 bytes from modem, data looks like: 00 . got 1 bytes from modem, data looks like: 45 E got 1 bytes from modem, data looks like: 53 S got 1 bytes from modem, data looks like: 16 . Received DOWNLOAD NACK from phone, something went wrong :( got 1 bytes from modem, data looks like: 66 f got 1 bytes from modem, data looks like: 74 t got 1 bytes from modem, data looks like: 6d m got 1 bytes from modem, data looks like: 74 t got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 6c l Received FTMTOOL from phone, ramloader has aborted got 1 bytes from modem, data looks like: 65 e got 1 bytes from modem, data looks like: 72 r got 1 bytes from modem, data looks like: 72 r got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 72 r ^C +++++++++++++++++++++++ Note: phones are locked to perticular provider -- Akib Sayyed Matrix-Shell akibsayyed(a)gmail.com akibsayyed(a)matrixshell.com Mob:- +91-966-514-2243

12 years, 3 months

1
0
0 0

[osmocom-bb] [PATCH] Update .gitignore file for libosmocore

by Paul Wise

--- src/shared/libosmocore/.gitignore | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/src/shared/libosmocore/.gitignore b/src/shared/libosmocore/.gitignore index c77c750..5e75539 100644 --- a/src/shared/libosmocore/.gitignore +++ b/src/shared/libosmocore/.gitignore @@ -50,3 +50,6 @@ doc/html.tar src/crc*gen.c include/osmocom/core/crc*gen.h + +build-host +build-target -- 1.7.7.3

12 years, 3 months

2
4
0 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

baseband-devel January 2012