Dear all, I have the C115 with a T1 USB to Serial cable with the Prolific
chipset.
When I run osmocon I get the following, and it just sits there with no further
processing.
./osmocon -p /dev/ttyUSB0 -m c123xor
../../target/firmware/board/compal_e88/loader.compalram.bin
read_file(../../target/firmware/board/compal_e88/loader.compalram.bin):
file_size=17120, hdr_len=4, dnload_len=17127
read_file(../../target/firmware/board/compal_e88/loader.compalram.bin):
file_size=17120, hdr_len=4, dnload_len=17127
got 1 bytes from modem, data looks like: 00 .
got 2 bytes from modem, data looks like: 2f 00 /.
got 1 bytes from modem, data looks like: 1b .
got 3 bytes from modem, data looks like: f6 02 00 ...
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 01 .
got 1 bytes from modem, data looks like: 40 @
Received PROMPT1 from phone, responding with CMD
got 1 bytes from modem, data looks like: 66 f
got 1 bytes from modem, data looks like: 74 t
got 1 bytes from modem, data looks like: 6d m
got 1 bytes from modem, data looks like: 74 t
got 1 bytes from modem, data looks like: 6f o
got 1 bytes from modem, data looks like: 6f o
got 1 bytes from modem, data looks like: 6c l
Received FTMTOOL from phone, ramloader has aborted
got 1 bytes from modem, data looks like: 65 e
got 1 bytes from modem, data looks like: 72 r
got 1 bytes from modem, data looks like: 72 r
got 1 bytes from modem, data looks like: 6f o
got 1 bytes from modem, data looks like: 72 r
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 00 .
I think the cable is OK, as when I run my fingers on the tip I get random
zeros, so it appears to be talking to the cable.
Also, when I tried to run mobile I get the following, even though I created the
Mobile.cfg file in /etc/osmoco
Failed to parse the config file: '/home/raz/.osmocom/bb/mobile.cfg'
Please check or create config file using: 'touch
/home/raz/.osmocom/bb/mobile.cfg'
I have spent some hours researching the lists and trying various things to
no avail, but I want to continue until I resolve these issues and use this
great stack to learn about the GSM network.
Please advise.
Grateful for any help or pointers, but this may be a timing issue that is
difficult to debug.
Thanks
Raz
hi,
I did a lot of research and testing on the cell selection and re-selection
process the last two weeks.
The cell selection process, network selection process (manual and
automatic) and mobility management process were already implemented in
OsmocomBB a long time ago, but turned out to be buggy and incomplete. I made
test drives to check the process and debugged it.
The re-selection process is new. It is used to track surrounding cells
while listening to the BCCH of the current cell (camping on a cell). A
special extension to the layer1 firmware is used to measure neighbour
cells. If a neighbour cell becomes 'better', the mobile switches to
that cell, depending on different criteria. Now it is possible to move
with OsmocomBB.
The re-selection process is not handover! Handover is a process where a
phone switches between cells while doing a call. Handover is one next
step to implement. The process is a little more complex, because it
requires not only neighbour cell measurements, but also syncing to them
without interrupting the traffic channel. Most layer 3 stuff of handover
is already implemented.
If you like to play with and test your moving OsmocomBB, you can check out
the "jolly/roaming" branch. It contains the extension to layer1, as well
as the SIM reader and fixes from the "sylvain/testing" branch. Use both the "mobile"
and "layer1" firmware from this branch.
In order to see some progress at the VTY, you can do:
enable
monitor network 1 (continuously display the strongest cell and neighbour
cells)
show ms 1 (to see current states)
show neighbour-cells 1 (to see a more detailed current list of
neighbours)
andreas
Hi,
In the osmocom-bb mobile.cfg I don't see any possibility to set a fixed
Kc encryption key and the TMSI.
How could I achieve that osmocom uses my defined Kc and TMSI?
cheers,
Simian
Hi,
I'm trying to run the latest osmocom-bb git on a Motorola C118 phone.
After a minor problem with the build (as you may have noticed in the
patch I've sent), I got to the point of successfully running layer1 on
the phone and the mobile app on the PC (I have also enabled TX). The
process seems to be stuck on trying to perform a location update. The
status of the ms is always either:
show ms
MS '1' is up, MM connection active
IMEI: 000000000000000
IMEISV: 0000000000000000
IMEI generation: fixed
automatic network selection state: A1 trying RPLMN
MCC=104 MNC=002 (104, 002)
cell selection state: connected mode 1
ARFCN=19 MCC=104 MNC=002 LAC=0xb00f CELLID=0x4fd9
(104, 002)
radio ressource layer state: connection pending
mobility management layer state: wait for RR connection (location updating)
OsmocomBB>
or
show ms
MS '1' is up, service is limited (pending)
IMEI: 000000000000000
IMEISV: 0000000000000000
IMEI generation: fixed
automatic network selection state: A1 trying RPLMN
MCC=104 MNC=002 (104, 002)
cell selection state: C3 camped normally
ARFCN=19 MCC=104 MNC=002 LAC=0xb00f CELLID=0x4fd9
(104, 002)
radio ressource layer state: idle
mobility management layer state: MM idle, attempting to update
OsmocomBB>
I think, that because of this I can't make any calls or send sms (all
the requests are being rejected):
OsmocomBB# call 1 <X>
call 1 <X>
OsmocomBB#
% (MS 1)
% Call has been rejected
The log information from mobile when it's trying to do a location
update is shown below:
<000b> gsm48_rr.c:2174 PAGING REQUEST 1
<000b> gsm48_rr.c:2141 IMSI 260021964220249 (not for us)
<000b> gsm48_rr.c:2132 TMSI fd82a501 (not for us)
<000e> gsm48_mm.c:344 Location update retry
<0005> gsm48_mm.c:345 timer T3211 (loc. upd. retry delay) has fired
<0005> gsm48_mm.c:4311 (ms 1) Received 'MM_EVENT_TIMEOUT_T3211' event
in state MM IDLE, attempting to update
<000e> gsm48_mm.c:2199 Perform location update (MCC 104, MNC 002 LAC 0xb00f)
<0005> gsm48_mm.c:2333 LOCATION UPDATING REQUEST
<0005> gsm48_mm.c:2355 using LAI (mcc 104 mnc 002 lac 0xb00f)
<0005> gsm48_mm.c:2363 using TMSI 0x28a3d62e
<0005> gsm48_mm.c:914 new state MM IDLE, attempting to update -> wait
for RR connection (location updating)
<0001> gsm48_rr.c:5428 (ms 1) Message 'RR_EST_REQ' received in state
idle (sapi 0)
<000e> gsm48_rr.c:1318 Establish radio link due to mobility management request
<0003> gsm322.c:4037 (ms 1) Event 'EVENT_LEAVE_IDLE' for Cell
selection in state 'C3 camped normally'
<0003> gsm322.c:823 new state 'C3 camped normally' -> 'connected mode 1'
<0003> gsm322.c:3653 Going to camping (normal) ARFCN 19.
<0003> gsm322.c:463 Sync to ARFCN=19 rxlev=-74 (Sysinfo, ccch mode NON-COMB)
<0001> gsm48_rr.c:366 new state idle -> connection pending
<0001> gsm48_rr.c:1465 CHANNEL REQUEST: 00 (Location Update with NECI)
<0003> gsm322.c:2938 Channel synched. (ARFCN=19, snr=16, BSIC=17)
<0001> gsm322.c:2959 using DSC of 90
<0003> gsm48_rr.c:4816 Channel provides data.
<0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 5)
<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no
S(lots) 0 ra 0x0e)
<0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm)
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 4)
<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no
S(lots) 55 ra 0x07)
<0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm)
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x75 chan_nr 0x0a MAIO 0 HSN 38
TS 2 SS 0 TSC 0)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x75 chan_nr 0x0a MAIO 0 HSN 38
TS 2 SS 0 TSC 0)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 0 LAI=104 002 b00f ID=4fd9
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 3)
<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no
S(lots) 55 ra 0x0f)
<0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm)
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 2)
<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no
S(lots) 55 ra 0x01)
<0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm)
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2473 (ta 1/553m ra 0x18 chan_nr 0x59 ARFCN 19 TS 1
SS 3 TSC 1)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2473 (ta 1/553m ra 0x18 chan_nr 0x59 ARFCN 19 TS 1
SS 3 TSC 1)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 1)
<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no
S(lots) 55 ra 0x0a)
<0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm)
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 1 LAI=104 002 b00f ID=4fd9
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 0)
<0001> gsm48_rr.c:1605 Done with sending RANDOM ACCESS bursts
<0001> gsm48_rr.c:836 starting T3126 with 5.000 seconds
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2225 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 0 LAI=104 002 b00f ID=4fd9
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x0a chan_nr 0x41 ARFCN 19 TS 1
SS 0 TSC 1)
<0001> gsm48_rr.c:2393 request 0a matches but not frame number
(IMM.ASS fn=22,6,30 != RACH fn=22,5,25)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x05 chan_nr 0x49 ARFCN 19 TS 1
SS 1 TSC 1)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x05 chan_nr 0x49 ARFCN 19 TS 1
SS 1 TSC 1)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2225 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:673 MON: f=19 lev=-77 snr= 0 ber= 6 LAI=104 002 b00f ID=4fd9
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x00 chan_nr 0x61 ARFCN 19 TS 1
SS 4 TSC 1)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x00 chan_nr 0x61 ARFCN 19 TS 1
SS 4 TSC 1)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x7d chan_nr 0x0b MAIO 0 HSN 38
TS 3 SS 0 TSC 0)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x7d chan_nr 0x0b MAIO 0 HSN 38
TS 3 SS 0 TSC 0)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 0 LAI=104 002 b00f ID=4fd9
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2225 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2225 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 3 LAI=104 002 b00f ID=4fd9
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x77 chan_nr 0x09 MAIO 0 HSN 38
TS 1 SS 0 TSC 0)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x77 chan_nr 0x09 MAIO 0 HSN 38
TS 1 SS 0 TSC 0)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2225 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 6 LAI=104 002 b00f ID=4fd9
<0001> gsm48_rr.c:765 timer T3126 has fired
<000e> gsm48_rr.c:770 Requesting channel failed
<0001> gsm48_rr.c:366 new state connection pending -> idle
<0003> gsm322.c:4037 (ms 1) Event 'EVENT_RET_IDLE' for Cell selection
in state 'connected mode 1'
<0003> gsm322.c:3565 Selecting ARFCN 19. after LOC.UPD.
<0003> gsm322.c:463 Sync to ARFCN=19 rxlev=-74 (Sysinfo, ccch mode NON-COMB)
<0003> gsm322.c:823 new state 'connected mode 1' -> 'C3 camped normally'
<0005> gsm48_mm.c:3902 (ms 1) Received 'RR_REL_IND' from RR in state
wait for RR connection (location updating) (sapi 0)
<0005> gsm48_mm.c:2732 RR link released after loc. upd.
<000e> gsm48_mm.c:2676 Location update failed
<000e> gsm48_mm.c:2686 Try location update later
<0005> gsm48_mm.c:2688 Loc. upd. failed, retry #0
<0005> gsm48_mm.c:413 starting T3211 (loc. upd. retry delay) with 15.0 seconds
<0005> gsm48_mm.c:1143 We are camping normally as returning to MM IDLE
<0005> gsm48_mm.c:1159 Loc. upd. allowed.
<0005> gsm48_mm.c:919 new state wait for RR connection (location
updating) -> MM IDLE, location updating needed
<0005> gsm48_mm.c:909 new MM IDLE state location updating needed ->
attempting to update
<0005> gsm48_mm.c:2215 Loc. upd. already pending.
<0005> gsm48_mm.c:4311 (ms 1) Received 'MM_EVENT_CELL_SELECTED' event
in state MM IDLE, attempting to update
<0005> gsm48_mm.c:2215 Loc. upd. already pending.
<0003> gsm322.c:2938 Channel synched. (ARFCN=19, snr=16, BSIC=17)
<0001> gsm322.c:2959 using DSC of 90
Can you provide me any hints on how to debug this? Why is the
location update failing constantly?
Thanks in advance for your help.
Best regards,
Maciej Grela
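An added example (not OsmocomBB code) that walks through the RR/MM messages in the excerpt above the way one would triage it by hand: it counts the RANDOM ACCESS bursts, the IMMEDIATE ASSIGNMENTs that arrived and which of them carried a request reference matching one the phone sent, and whether T3126 expired before any assignment was accepted. The log lines embedded in it are a constructed subset modelled on the post; the matched strings are the literal messages from gsm48_rr.c and gsm48_mm.c shown there, and the verdict categories are mine.

```c
/* Added example, not OsmocomBB code: triage one location-update attempt
 * from `mobile` log lines.  The sample lines are a constructed subset
 * modelled on the excerpt in the post. */
#include <stdio.h>
#include <string.h>

#define MAX_RA 16

struct lu_summary {
    int rach_bursts;      /* RANDOM ACCESS bursts actually transmitted */
    int imm_ass;          /* IMMEDIATE ASSIGNMENT messages decoded */
    int imm_ass_not_us;   /* ...rejected with "Request, but not for us" */
    int ra_matched;       /* assignments whose RA equals one we sent */
    int ra_match_bad_fn;  /* RA matched but the frame number did not */
    int t3126_fired;      /* T3126 expired: no assignment in time */
    int lu_failed;        /* MM reported "Location update failed" */
    unsigned ra_sent[MAX_RA];
    int n_ra_sent;
};

enum lu_verdict { LU_OK, LU_NO_ASSIGNMENT, LU_UNKNOWN };

/* Extract the "ra 0x.." value from a line, or -1 if absent. */
static int parse_ra(const char *line)
{
    const char *p = strstr(line, " ra 0x");
    unsigned v;
    if (!p || sscanf(p + 6, "%x", &v) != 1)
        return -1;
    return (int)v;
}

static int ra_was_sent(const struct lu_summary *s, unsigned ra)
{
    for (int i = 0; i < s->n_ra_sent; i++)
        if (s->ra_sent[i] == ra)
            return 1;
    return 0;
}

/* Feed one log line; returns 1 if it was an event we track. */
int lu_scan_line(struct lu_summary *s, const char *line)
{
    int ra;
    if (strstr(line, "RANDOM ACCESS (Tx-integer")) {
        s->rach_bursts++;
        ra = parse_ra(line);
        if (ra >= 0 && s->n_ra_sent < MAX_RA)
            s->ra_sent[s->n_ra_sent++] = (unsigned)ra;
        return 1;
    }
    if (strstr(line, "IMMEDIATE ASSIGNMENT:")) { s->imm_ass++; return 1; }
    if (strstr(line, "(ta ")) {   /* assignment detail line carries the RA */
        ra = parse_ra(line);
        if (ra >= 0 && ra_was_sent(s, (unsigned)ra))
            s->ra_matched++;
        return 1;
    }
    if (strstr(line, "matches but not frame number")) { s->ra_match_bad_fn++; return 1; }
    if (strstr(line, "Request, but not for us")) { s->imm_ass_not_us++; return 1; }
    if (strstr(line, "timer T3126 has fired")) { s->t3126_fired++; return 1; }
    if (strstr(line, "Location update failed")) { s->lu_failed++; return 1; }
    return 0;
}

enum lu_verdict lu_classify(const struct lu_summary *s)
{
    if (!s->lu_failed)
        return LU_OK;
    /* Every assignment was rejected and T3126 ran out: no answer to our
     * channel request was accepted before the timer expired. */
    if (s->t3126_fired && s->rach_bursts > 0 && s->imm_ass_not_us == s->imm_ass)
        return LU_NO_ASSIGNMENT;
    return LU_UNKNOWN;
}

/* Constructed log subset, modelled on the excerpt in the post. */
static const char *const sample_log[] = {
    "<0001> gsm48_rr.c:1465 CHANNEL REQUEST: 00 (Location Update with NECI)",
    "<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 0 ra 0x0e)",
    "<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:",
    "<0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x75 chan_nr 0x0a MAIO 0 HSN 38 TS 2 SS 0 TSC 0)",
    "<0001> gsm48_rr.c:2503 Request, but not for us.",
    "<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x07)",
    "<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x0f)",
    "<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x01)",
    "<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x0a)",
    "<0001> gsm48_rr.c:1605 Done with sending RANDOM ACCESS bursts",
    "<0001> gsm48_rr.c:836 starting T3126 with 5.000 seconds",
    "<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:",
    "<0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x0a chan_nr 0x41 ARFCN 19 TS 1 SS 0 TSC 1)",
    "<0001> gsm48_rr.c:2393 request 0a matches but not frame number (IMM.ASS fn=22,6,30 != RACH fn=22,5,25)",
    "<0001> gsm48_rr.c:2503 Request, but not for us.",
    "<0001> gsm48_rr.c:765 timer T3126 has fired",
    "<000e> gsm48_rr.c:770 Requesting channel failed",
    "<000e> gsm48_mm.c:2676 Location update failed",
};

static struct lu_summary sample_summary;

/* Run the triage over the sample and return the verdict. */
enum lu_verdict lu_triage_sample(void)
{
    memset(&sample_summary, 0, sizeof(sample_summary));
    for (size_t i = 0; i < sizeof(sample_log) / sizeof(sample_log[0]); i++)
        lu_scan_line(&sample_summary, sample_log[i]);
    return lu_classify(&sample_summary);
}

const struct lu_summary *lu_sample_summary(void)
{
    lu_triage_sample();
    return &sample_summary;
}

int main(void)
{
    enum lu_verdict v = lu_triage_sample();
    const struct lu_summary *s = &sample_summary;
    printf("RACH bursts %d, IMM ASS %d (not for us %d, RA matched %d, wrong fn %d), "
           "T3126 fired %d, LU failed %d\n", s->rach_bursts, s->imm_ass,
           s->imm_ass_not_us, s->ra_matched, s->ra_match_bad_fn,
           s->t3126_fired, s->lu_failed);
    printf("verdict: %s\n", v == LU_NO_ASSIGNMENT ?
           "no IMMEDIATE ASSIGNMENT accepted for our RACH before T3126 expired" :
           v == LU_OK ? "location update did not fail" : "failure cause not recognised");
    return 0;
}
```

Over the sample it reports five bursts, two assignments that were both rejected, one request reference that matched but with a frame number that did not, and T3126 expiry. That pattern says the RR layer never obtained a dedicated channel, which is why the MM layer keeps retrying after T3211 rather than being rejected by the network.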
So far three persons have indicated their interest to join
a meeting at my place.
Considering the time it takes to drive to my place, it
probably makes sense to have the meeting at the weekend
(either Saturday or Sunday) so that there is more time
for the meeting itself. I can suggest one of the following
dates for the first meeting, between 10:00 and
18:00 on each day:
25.8. (Sa) or 26.8. (Su)
1.9. (Sa) or 2.9. (Su)
8.9. (Sa) or 9.9. (Su)
So please let me know when you have time and also make
suggestions in which Osmocom topic you are interested
in so that we can have some sort of agenda for the
meeting to make best use of the time.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
hi josephli,
> Read stored BA list mnc=01
The mobile application stores the last cells and neighbour cells (band
allocation) of each network. This way the scanning is much
faster when restarting. Because you use the SIM card with MNC == 02 for the
first time, there is no band allocation stored for that. The mobile will
do a full scan in this case.
> while the SIM card service I am testing is actually with mnc 00 and 02.
I know that MNC == 0 will not work until I committed improvements of the cell
selection process last Sunday. You should retry that, but first try with
an MNC > 0.
Can you provide debug output when trying a call?
Also, can you provide VTY output of "show ms" before you make the call?
regards,
andreas
hi,
I just fixed some locking issues the last days. The fix will follow. It took
a bit longer, because there were some race conditions. It took up to
about one hour until it crashed. My way to detect the area where the
crash happened was to turn on the buzzer before that area, and turn it off
after that area. After many hours of approximation, I finally found out
that the major crash happened during _talloc_zero. (First it looks for a
free memory chunk, then it allocates it.) Since it can be called from
all contexts (main, irq, fiq), it needs to be locked against any
interrupt, otherwise the memory chunk can be assigned multiple times.
(The process of _talloc_free is "atomic" and requires no locking.)
Because it seems pretty stable, I think it is time to merge some
branches into the master. (I made a 6-hour call yesterday, and no crash
after the bugfix ever since.) I will do that together with Sylvain, if we
find the time this weekend.
Currently I use the jolly/voice together with the sylvain/traffic
branch. I am able to use an ISDN phone together with linux-call-router
and make/receive calls. Audio is passed both ways. I think this is a
stage where it actually becomes "usable". (If not moving around.)
One of my major works for the next weeks/months will be the neighbour
cell measurement, cell re-selection, and handover. This is essential
when moving with the phone.
regards,
andreas
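To make the race concrete, here is an added example (not OsmocomBB's talloc) that models the two-step lookup-then-claim described above, with an interrupt simulated in plain C so that it fires exactly between the two steps. The pool layout and the names local_irq_disable, local_irq_enable and raise_irq are assumptions made for the simulation; the point it demonstrates is the one in the post: without masking interrupts around both steps, the handler sees the same chunk still free and the chunk is assigned twice, while freeing is a single store and needs no lock.

```c
/* Added example, not OsmocomBB's talloc: a first-fit pool allocator with an
 * "interrupt" injected between finding a free chunk and claiming it.
 * Interrupts are simulated in plain C so this runs on a host. */
#include <stdbool.h>
#include <stdio.h>

#define NCHUNK 4
static bool chunk_used[NCHUNK];

static bool irq_masked;     /* the "I bit": interrupts disabled */
static bool irq_pending;    /* an interrupt arrived while masked */
static int irq_got_chunk;   /* chunk the simulated IRQ handler allocated */

static int pool_alloc(bool locked, bool fire_irq_in_window);

/* The IRQ handler allocates too, like an ISR calling talloc. */
static void irq_handler(void) { irq_got_chunk = pool_alloc(true, false); }

static void local_irq_disable(void) { irq_masked = true; }

static void local_irq_enable(void)
{
    irq_masked = false;
    if (irq_pending) {          /* deliver the interrupt that was held off */
        irq_pending = false;
        irq_handler();
    }
}

/* An interrupt arrives now: runs immediately, or waits until unmasked. */
static void raise_irq(void)
{
    if (irq_masked)
        irq_pending = true;
    else
        irq_handler();
}

/* 1. find a free chunk, 2. mark it used.  Unless `locked`, an interrupt
 * between the steps sees the same chunk still free and takes it too. */
static int pool_alloc(bool locked, bool fire_irq_in_window)
{
    int idx = -1;
    if (locked)
        local_irq_disable();
    for (int i = 0; i < NCHUNK; i++)
        if (!chunk_used[i]) { idx = i; break; }  /* step 1: lookup */
    if (fire_irq_in_window)
        raise_irq();                            /* the race window */
    if (idx >= 0)
        chunk_used[idx] = true;                 /* step 2: claim */
    if (locked)
        local_irq_enable();
    return idx;
}

/* Freeing is a single store, so it needs no lock (as the post notes). */
static void pool_free(int idx) { chunk_used[idx] = false; }

struct race_result { int main_chunk, irq_chunk; bool double_assigned; };

/* One allocation from "main context" with an interrupt in the window. */
struct race_result run_scenario(bool locked)
{
    struct race_result r;
    for (int i = 0; i < NCHUNK; i++)
        pool_free(i);
    irq_masked = false;
    irq_pending = false;
    irq_got_chunk = -1;
    r.main_chunk = pool_alloc(locked, true);
    r.irq_chunk = irq_got_chunk;
    r.double_assigned = (r.main_chunk == r.irq_chunk);
    return r;
}

int main(void)
{
    struct race_result a = run_scenario(false), b = run_scenario(true);
    printf("unlocked: main got %d, irq got %d -> %s\n", a.main_chunk, a.irq_chunk,
           a.double_assigned ? "DOUBLE ASSIGNMENT" : "ok");
    printf("locked:   main got %d, irq got %d -> %s\n", b.main_chunk, b.irq_chunk,
           b.double_assigned ? "DOUBLE ASSIGNMENT" : "ok");
    return 0;
}
```

The unlocked run hands chunk 0 to both the main context and the handler; the locked run defers the handler until the claim is complete, so it receives chunk 1. On the real target the deferral is done by the CPU when the I and F bits are set, which is why the lock has to cover both IRQ and FIQ.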
Hi, List:
I searched some materials and found that the decode method of the AFS convolutional
code is different from the EFS one: it uses RSC and needs SOVA (soft output
Viterbi algorithm). Am I right?
--
View this message in context: http://baseband-devel.722152.n3.nabble.com/is-the-Viterbi-decode-for-the-AF…
Sent from the baseband-devel mailing list archive at Nabble.com.
I've pulled the git repo today, but the RSSI firmware build gets an error.
apps/rssi/main.c: In function `main':
apps/rssi/main.c:896: warning: 'a' might be used uninitialized in this
function
apps/rssi/main.c:896: warning: 'e' might be used uninitialized in this
function
CC board/compal_e88/rssi.compalram.manifest.o
LD board/compal_e88/rssi.compalram.elf
OBJ board/compal_e88/rssi.compalram.bin
CC board/compal_e88/rssi.highram.manifest.o
LD board/compal_e88/rssi.highram.elf
OBJ board/compal_e88/rssi.highram.bin
CC board/compal_e88/rssi.e88loader.manifest.o
LD board/compal_e88/rssi.e88loader.elf
OBJ board/compal_e88/rssi.e88loader.bin
CC board/compal_e88/rssi.e88flash.manifest.o
LD board/compal_e88/rssi.e88flash.elf
OBJ board/compal_e88/rssi.e88flash.bin
CC board/compal_e86/rssi.compalram.manifest.o
LD board/compal_e86/rssi.compalram.elf
arm-elf-ld: region LRAM is full (board/compal_e86/rssi.compalram.elf
section .data)
make[1]: *** [board/compal_e86/rssi.compalram.elf] Error 1
make[1]: Leaving directory src/target/firmware'
make: *** [firmware] Error 2
$ git pull
Already up-to-date.
$
Anyone experiencing the same issue?
The last changes in the airprobe svn seem to be 17 months ago. I was
wondering whether airprobe is assumed to be stable, without need for
further development, has been superseded by a different toolkit, or if it
has been abandoned.
Hello.
Right now the MCC and MNC values in the ./mobile app are printed as hex but without 0x; this
is confusing and inconsistent.
The attached patch fixes that, although I'm still puzzled why the value printed by "show
subscriber 1" looks like a hex representation; see the example below (with the patch applied).
Note that 0x385 == 901 and 0x046 == 70.
I suspect misuse of gsm48_decode_lai()\gsm48_encode_lai() but am unable to pinpoint the
location yet.
show subscriber 1
Mobile Subscriber of MS '1':
IMSI: 901701282457741
ICCID: 8901901702282374810
Service Provider Name: Magic
SMS Service Center Address: 0015555
Status: U1_UPDATED IMSI detached
LAI: MCC 385 MNC 046 LAC 0x03e8 (385, 046)
Key: sequence 0 31 64 7e 4c e1 dc 48 00
Registered PLMN: MCC 385 MNC 046 (385, 046)
Access barred cells: no
Access classes: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 C10 C11 C12 C13 C14 C15
List of preferred PLMNs:
MCC |MNC
-------+-------
901 |070 (901, 070)
List of forbidden PLMNs:
MCC |MNC |cause
-------+-------+-------
106 |003 |#255 (106, 003)
106 |007 |#255 (106, 007)
--
best regards,
Max, http://fairwaves.ru
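An added example (not OsmocomBB's gsm48_encode_lai()/gsm48_decode_lai()) that encodes the values from the post into the 5-octet Location Area Identification of GSM 04.08 section 10.5.1.3 and decodes it back, then reproduces the "MCC 385 MNC 046" output by formatting the decimal fields with a hex conversion. The mnc_3_digits flag and the function names are mine; the BCD layout (MCC digit 2 | digit 1, MNC digit 3 | MCC digit 3, MNC digit 2 | digit 1, then the LAC big-endian, with 0xF as MNC digit 3 for two-digit MNCs) is the one from the specification.

```c
/* Added example, not OsmocomBB code: GSM 04.08 LAI encode/decode and the
 * "decimal printed as hex" symptom from the post. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct lai {
    uint16_t mcc, mnc, lac;
    bool mnc_3_digits;   /* "070" vs "70": the integer alone cannot tell */
};

/* Returns 0 on success, -1 if a field is out of range. */
int lai_encode(const struct lai *in, uint8_t out[5])
{
    if (in->mcc > 999 || in->mnc > 999 || (!in->mnc_3_digits && in->mnc > 99))
        return -1;
    uint8_t mcc1 = in->mcc / 100, mcc2 = (in->mcc / 10) % 10, mcc3 = in->mcc % 10;
    uint8_t mnc1, mnc2, mnc3;
    if (in->mnc_3_digits) {
        mnc1 = in->mnc / 100; mnc2 = (in->mnc / 10) % 10; mnc3 = in->mnc % 10;
    } else {
        mnc1 = in->mnc / 10; mnc2 = in->mnc % 10; mnc3 = 0xF;
    }
    out[0] = (uint8_t)(mcc2 << 4 | mcc1);   /* octet 1: MCC digit 2 | digit 1 */
    out[1] = (uint8_t)(mnc3 << 4 | mcc3);   /* octet 2: MNC digit 3 | MCC digit 3 */
    out[2] = (uint8_t)(mnc2 << 4 | mnc1);   /* octet 3: MNC digit 2 | digit 1 */
    out[3] = (uint8_t)(in->lac >> 8);       /* octets 4-5: LAC, big-endian */
    out[4] = (uint8_t)(in->lac & 0xff);
    return 0;
}

/* Returns 0 on success, -1 if a BCD nibble is not a digit. */
int lai_decode(const uint8_t in[5], struct lai *out)
{
    uint8_t mcc1 = in[0] & 0xF, mcc2 = in[0] >> 4, mcc3 = in[1] & 0xF;
    uint8_t mnc3 = in[1] >> 4, mnc1 = in[2] & 0xF, mnc2 = in[2] >> 4;
    if (mcc1 > 9 || mcc2 > 9 || mcc3 > 9 || mnc1 > 9 || mnc2 > 9 ||
        (mnc3 > 9 && mnc3 != 0xF))
        return -1;
    out->mcc = (uint16_t)(mcc1 * 100 + mcc2 * 10 + mcc3);
    out->mnc_3_digits = (mnc3 != 0xF);
    out->mnc = (uint16_t)(out->mnc_3_digits ? mnc1 * 100 + mnc2 * 10 + mnc3
                                            : mnc1 * 10 + mnc2);
    out->lac = (uint16_t)(in[3] << 8 | in[4]);
    return 0;
}

/* The post's symptom: the fields are plain decimal integers, so a hex
 * conversion shows 901 as "385" and 70 as "046". */
const char *lai_format(char *buf, size_t n, const struct lai *l, bool hex_bug)
{
    if (hex_bug)
        snprintf(buf, n, "MCC %03x MNC %03x LAC 0x%04x",
                 (unsigned)l->mcc, (unsigned)l->mnc, (unsigned)l->lac);
    else
        snprintf(buf, n, "MCC %03u MNC %0*u LAC 0x%04x", (unsigned)l->mcc,
                 l->mnc_3_digits ? 3 : 2, (unsigned)l->mnc, (unsigned)l->lac);
    return buf;
}

/* Constructed sample: MCC 901, MNC 70, LAC 0x03e8 (the values in the post). */
static const struct lai sample = { 901, 70, 0x03e8, false };
static uint8_t sample_bytes[5];

const uint8_t *lai_sample_bytes(void)
{
    lai_encode(&sample, sample_bytes);
    return sample_bytes;
}

/* 1 if encode -> decode returns exactly the sample, else 0. */
int lai_sample_roundtrip(void)
{
    struct lai back;
    uint8_t raw[5];
    if (lai_encode(&sample, raw) < 0 || lai_decode(raw, &back) < 0)
        return 0;
    return back.mcc == sample.mcc && back.mnc == sample.mnc &&
           back.lac == sample.lac && back.mnc_3_digits == sample.mnc_3_digits;
}

const char *lai_format_sample(bool hex_bug)
{
    static char buf[48];
    return lai_format(buf, sizeof buf, &sample, hex_bug);
}

int main(void)
{
    const uint8_t *b = lai_sample_bytes();
    printf("LAI octets: %02x %02x %02x %02x %02x (roundtrip %s)\n",
           b[0], b[1], b[2], b[3], b[4], lai_sample_roundtrip() ? "ok" : "FAILED");
    printf("printed with %%x: %s\n", lai_format_sample(true));
    printf("printed with %%u: %s\n", lai_format_sample(false));
    return 0;
}
```

The encoded LAI is 09 f1 07 03 e8, and decoding it gives 901/70/0x03e8 back, so the octets themselves are fine; the "385" and "046" only appear when the already-decoded integers are printed with a hex conversion, which is the mismatch between the decode path and the printing path the post suspects.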
Is there anyone who is selling the Nano BTS of Ip Access? Please let me know.
--
Akib Sayyed
Matrix-Shell
akibsayyed(a)gmail.com
akibsayyed(a)matrixshell.com
Mob:- +91-966-514-2243
Hi list,
Regarding the interesting video from Russia (Positive Hacking Days 2012) where Sylvain demonstrates a proof of concept BTS, is it a DSP patch
of the OsmocomBB firmware that one has to do before uploading to the C123 phones? Are the tasks then modified in this patch or also elsewhere?
And then one removes and replaces a transceiver-code in the OpenBTS source code?
[I have tried the tacooper version of osmo-bts, but that code-approach is for the sysmo-bts, although the OsmocomBB phone proof of concept BTS is mentioned in the tacooper thesis online]
Regards
Erich
On Sun, Oct 21, 2012 at 10:02:40PM +0800, xuewenyao wrote:
> hi,
Hi again,
> i didn't realize the difference, not because i'm on the take side, but because i never thought about holding the data as my own asset. it should not be that complicated.
My point is, if you ask people to do things for you, you need to give them a
reason why they should help you. E.g. if you have a survey you might
say that a randomly selected participant will win a 25 Euro voucher from
Amazon. Now I don't ask you to buy things from Amazon but to think about
why people should help you.
One of the reasons (non-monetary) is to create a "database" that will be
available to the community. A good example is the "terminal-profile"[1]
initiative started by Kevin. He created a script (forkable) to query the
terminal profile, there are clear instructions how to use it and it
automatically uploads the data to a database. The database is publicly
accessible and the whole content can be downloaded.
Do you notice the difference? With Kevin's approach the whole community will
benefit, with your request only you will benefit.
>
> I'm a newbie here, but I do try to contribute if I can, and will continue to do so. It is not fair to judge me like that!
Well, time will tell and I am happy to correct myself in case you make any
contribution (detailed bug report, work in the wiki, bug fixes in the source).
cheers
holger
[1] https://terminal-profile.osmocom.org/
On Sun, Oct 21, 2012 at 08:35:42PM +0800, xuewenyao wrote:
Hi,
well this is a community and it works by everyone giving a little
and the track record of academics is heavily on the taking side.
And your request sounds like another 'academic' that wants to take
without providing any benefit to the project and as you notice I am
not very happy with that.
> I'm not sure what you mean by license. The result won't be software, so GPL is not suitable. I think all theses are open to the public.
Well, your thesis can have a copyright as well (you could even decide
to not publish it at all). You can also decide to publish the raw data
you collect on the way. The fact that you didn't consider this means
that you are more on the take side.
> I'm a student in Bremen. I just thought it would help me to gain some extra points. But I guess it's not a good idea to do so.
On Sun, Oct 21, 2012 at 05:18:06PM +0800, xuewenyao wrote:
> hi,
>
> It will be part of my thesis. If you are interested, I will of course upload it when it's finished.
This only answers one question. What is the license? How will you reward
people that help you? How does this benefit the osmocomBB project?
What is the name of your thesis? Where are you enrolled? Who is your
advisor?
holger
Hi all,
I am trying to study the GSM core network setups of different providers. Therefore, tracelogs of GSM providers from different countries are needed. I'm seeking your help in sending me some tracelogs with two actions: making a phone call (MO) and sending an SMS (MO). It should take no more than 2-3 minutes. Please tell me the provider and the country when you are sending me the tracelog.
Thanks,
Hi,
I'm trying to use osmocom-bb to send SMS and make phone calls with a real SIM of a provider.
I succeeded once in recognizing my pay-and-go SIM card,
but now I'm not lucky anymore.
Here is what is on screen:
<000f> sim.c:1223 init SIM client
<0006> gsm48_cc.c:63 init Call Control
<0007> gsm480_ss.c:231 init SS
<0017> gsm411_sms.c:63 init SMS
<0001> gsm48_rr.c:5479 init Radio Ressource process
<0005> gsm48_mm.c:1315 init Mobility Management process
<0005> gsm48_mm.c:1037 Selecting PLMN SEARCH state, because no SIM.
<0002> gsm322.c:5025 init PLMN process
<0003> gsm322.c:5026 init Cell Selection process
<0003> gsm322.c:5083 Read stored BA list (mcc=0ce mnc=001 0ce, 001)
<0003> gsm322.c:5083 Read stored BA list (mcc=0ce mnc=014 0ce, 014)
<0003> gsm322.c:5083 Read stored BA list (mcc=0ce mnc=0x00a 0ce, 0x00a)
Mobile '1' initialized, please start phone now!
VTY available on port 4247.
<0005> subscriber.c:601 Requesting SIM file 0x2fe2
<000f> sim.c:209 got new job: SIM_JOB_READ_BINARY (handle=00000004)
<000f> sim.c:697 go MF
<000f> sim.c:241 SELECT (file=0x3f00)
<000f> sim.c:187 sending APDU (class 0xa0, ins 0xa4)
<000f> sim.c:876 received APDU (len=0 sw1=0x00 sw2=0x00)
<000f> sim.c:952 command failed
<000f> sim.c:151 sending result to callback function (type=1)
<0005> subscriber.c:657 SIM reading failed
<0005> gsm48_mm.c:4379 (ms 1) Received 'MMR_NREG_REQ' event
<0005> gsm48_mm.c:4311 (ms 1) Received 'MM_EVENT_IMSI_DETACH' event in state MM IDLE, PLMN search
<0005> gsm48_mm.c:1839 IMSI has been detached.
<0005> gsm48_mm.c:1088 Not camping, wait for CS process to camp, it sends us CELL_SELECTED then.
<0002> gsm322.c:3917 (ms 1) Event 'EVENT_SIM_REMOVE' for manual PLMN selection in state 'M0 null'
<000e> gsm322.c:1614 SIM is removed
<0002> gsm322.c:1615 Switch on without SIM.
<0002> gsm322.c:814 new state 'M0 null' -> 'M5 no SIM inserted'
<0003> gsm322.c:4037 (ms 1) Event 'EVENT_SIM_REMOVE' for Cell selection in state 'C0 null'
<0003> gsm322.c:823 new state 'C0 null' -> 'C6 any cell selection'
can anyone help?
Sorry to those who receive this message twice.
I hope Osmocom community finds this small effort interesting as well.
---------- Forwarded message ----------
From: Alexander Chemeris <alexander.chemeris(a)gmail.com>
Date: Fri, Oct 19, 2012 at 5:15 PM
Subject: Open-source telecom T-shirts
To: umtrx <umtrx(a)lists.osmocom.org>, openbts-discuss(a)lists.sourceforge.net
Hi all,
We're thinking about making T-shirts with open-source telecom. I've
posted a call for ideas in my OpenBTS blog - please contribute.
Telecom needs more openness and you could help us promote this!
http://openbts.chemeris.ru/2012/10/reklama-open-source-telecom/
We plan to give them for free to the first 10-20 UmTRX buyers. Then
you'll be able to buy them from our web-shop or from one of our
friends and distributors.
If your proposal gets printed, you'll get a free T-shirt as well.
PS If you know a good online T-shirt printing service in US or Europe
- drop me a line. I've never done this in US/Europe before.
--
Regards,
Alexander Chemeris.
CEO, Fairwaves LLC / ООО УмРадио
http://fairwaves.ru
Hi.
In "struct mframe_sched_item" in target/firmware/layer1/mframe_sched.c both 'modulo'
and 'frame_nr' are defined as uint16_t. This seems like a big waste of space considering the tight
memory environment we're working in.
On IRC it was suggested that the reason for this is either data alignment or safety
concerns.
Does structure alignment matter in this case? If so, how exactly?
Is it possible for 'modulo' to be bigger than 255?
Is it possible for 'frame_nr' to be bigger than 255?
--
best regards,
Max, http://fairwaves.ru
This is a Mailman mailing list bounce action notice:
List: baseband-devel
Member: tianxing(a)timelink.com.hk
Action: Subscription disabled.
Reason: Excessive or fatal bounces.
The triggering bounce notice is attached below.
Questions? Contact the Mailman site administrator at
mailman(a)lists.osmocom.org.
Hello folks.
I have this GSM module called SIM900D. It has several interesting
capabilities.
1. It has builtin commands AT+SIMEI (guess what it does) and AT*CELLLOCK
(ARFCN lock).
2. It, as far as I know, does not check firmware signature.
3. It has an API (called "Embedded AT") which can be called from the
customer's module running on the same CPU (ARM926EJS).
4. Non-stripped firmware ELFs are available, together with the
descriptions of public API.
Here is a (Russian) page with all of the relevant datasheets collected.
Datasheets are in English.
http://www.mt-system.ru/catalog/dokumentacija-na-gsm-modemy-simcom
See also:
http://www.geekonfire.com/wiki/index.php?title=GPRS_Shield%EF%BC%88SIM900%E…
ftp://ftp.macrogroup.ru/Support/SimCom/Firmware/Sim900/Sim900D
--
WBR, Peter Zotov.
Hello List
I am trying to start multiple ccch_scan instances simultaneously, but I meet some
problems.
I do as follows:
1. I have two C118, and connect them to the same computer
2.dump the sniffer rom
./osmocon -p /dev/ttyUSB0 -s /tmp/osmocom_l2_0 -m c123xor ./sniffer.bin
./osmocon -p /dev/ttyUSB1 -s /tmp/osmocom_l2_1 -m c123xor ./sniffer.bin
3.start the ccch_scan of burst_ind
./ccch_scan -s /tmp/osmocom_l2_0 -a *** -i 127.0.0.1
./ccch_scan -s /tmp/osmocom_l2_0 -a *** -i 127.0.0.1
but there is always one ccch_scan that
gives the following output after some time.
<0001> app_ccch_scan.c:296 GSM48 IMM ASS (ra=0x99, chan_nr=0x40, HSN=47,
MAIO=4, TS=0, SS=0, TSC=2)
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
Unknown SI
I think it is a sync problem, maybe caused by the USB bus. Does anyone have
an idea?
thanks!
--
View this message in context: http://baseband-devel.722152.n3.nabble.com/the-sync-of-multiple-ccch-scan-i…
Sent from the baseband-devel mailing list archive at Nabble.com.
Hi all!
I *think* Harald is pretty busy and also unlikely to attend
prospective meeting tomorrow.
Also there is bank holiday tomorrow in Germany and at least
I personally will use that to stay away from technology for
a bit, so I won't come.
Nevertheless, I thought I'd write this email to remind
people that in theory there is a meeting tomorrow and
discuss if other people attend.
I personally would propose to shift the meeting to next week
(for purely selfish reasons ;).
As far as I know, there is no formal presentation tomorrow.
Anyway, will anyone attend tomorrow or is everyone in favor
of shifting a week?
In case it takes place, for the people who did not attend so
far, the usual snippet from Harald's mails:
Oct 3, 8pm @ CCC Berlin, Marienstr. 11, 10113 Berlin
If you are interested to show up, feel free to do so. There is no
registration required. The meeting is free as in "free beer", despite
no actual free beer being around.
Cheers
Nico
On Mon, 8 Oct 2012 06:54:06 +0000 (UTC), "John Case" <case(a)SDF.ORG> wrote:
>
> What about the HP8922P ? Does that also have the spectrum analyzer built
> in ?
I don't know the various variants of the HP8922. But the spectrum analyzer
is optional hardware in the unit, it is called "Option 006" for the
HP8922M (on my units the option is printed on the serial number
label on the back).
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello John,
On Mon, 8 Oct 2012 05:59:07 +0000 (UTC), "John Case" <case(a)SDF.ORG> wrote:
>
> So do I understand that by itself, the unit handles 900 and 850, and the
> add-on gives it 1800 and 1900 ?
The HP8922M can't simulate a GSM-850 network, only GSM-900 (E-GSM is
also possible). The optional extension unit adds GSM-1800 and GSM-1900.
However it is possible to generate various GSM test signals on the
whole frequency range the HP8922M supports (10 MHz to 1000 MHz for
the HP8922M alone) which includes GSM-850. This is useful for
Layer-1 development like it was done for OsmocomBB.
And as a hint: look for a HP8922M which has the optional spectrum analyzer
built in, it can be very useful sometimes.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
There are a lot of HP/Agilent 8922M units for sale very cheap (less than
US $500).
I know that these devices can simulate a GSM base station, but does that
simulation occur over the air, or do I need to connect my handset I am
testing to the 8922M with a cable ?
I know I need to get an 8322A expansion for the unit - any other details I
should look out for ?
Also, what is an equivalent test unit for WCDMA (3g) base station
simulation (I know these will be more expensive).
Thanks.
Hello.
I'm trying to load RSSI firmware into my c123 phone. It's too big to be loaded
directly so it should be chainloaded. Unfortunately chainloading is almost
undocumented (or I failed to locate the documentation :)
As far as I understood it we use chainloader (small one) so it would load actual
payload (big one).
I've disabled size check in src/host/osmocon/osmocon.c:270 and recompiled latest git.
After that I've tried following:
./osmocom-bb/src/host/osmocon/osmocon -p /dev/ttyUSB0 -m c123xor -c
./osmocom-bb/src/target/firmware/board/compal_e88/rssi.highram.bin
./osmocom-bb/src/target/firmware/board/compal_e88/chainload.compalram.bin
but got only eternal stream of "Sending Calypso romloader beacon..."
Could you help me to figure out proper image names?
What's the meaning of -c option: the file to be loaded (big one)?
And as a last argument we supply actual chainloader (small one)?
--
best regards,
Max, http://fairwaves.ru
Enthused by the successes of Dieter and Eisencah I have been trying to compile Osmocom under Windows XP using Cygwin and arm-elf-gcc4.6.3 based on the website instructions.
Osmocom compiles ok until the last portion. Then it gives some errors (as in TXT file attached).
Can anyone please indicate what I am doing wrong. I am writing here after long experimenting to ensure that all dependencies have been included, etc.
Can I also request Dieter and Eisencah to share their tips for the rest of us who wish to work on the Windows platform. Thanks in advance.
B.
eisencah eisenach, Nov 06, 2010; 7:50pm, Re: osmocom on windows
Hello everybody.
Managed to compile the osmocom program under windows.
Could anyone send me the image for the "Hello world" program so I could try to download it into the phone (haven't got to the part where I compile the firmware but I would want to see osmocom work).
Cheers,
Mihai.
Dieter Spaar, Oct 07, 2010; 3:51pm, Re: osmocom on windows
In reply to this post by eisencah eisenach
Hello Peter,
On Thu, 7 Oct 2010 11:54:28 +0200, "Peter Stuge" <[hidden email]> wrote:
>
> Does e.g. the CodeSourcery toolchain really need Cygwin? That would
> suck.
I don't know CodeSourcery, I use GNU ARM directly from www.gnuarm.com.
According to the CodeSourcery FAQ, they do not require Cygwin.
Is there any benefit in using CodeSourcery ? I had issues in the past
with the firmware using a different GNU ARM version, so I switched
back to 4.0.2 which seems to be the same others use on Linux and
so far it works OK.
You don't seem to like Cygwin, my experience with it is not that bad,
OpenBSC (not with GPRS yet due to the need for the TUN device), OsmocomBB,
GNUradio and Airprobe run with minor adjustments (just to name GSM
related stuff I use under Cygwin).
Best regards,
Dieter
--
Dieter Spaar, Germany
Hi,
I'd like to suggest introducing "Subject" tagging for the osmocom
mailing lists.
Almost all mailing lists I'm subscribed to are Subject tagged with [MailingListName]
prepended to the subject.
I hope this can be considered a nice suggestion, to improve the usability of the mailing lists.
-naif
Hello,
I've picked up what appears to be most of a Rohde & Schwarz TS8916B
GSM Type Approval system (CRTC02 equipment, a Sofimation SOFI05 radio
channel/fading simulator and various RF switching) and wondered if it
may be of use in testing the baseband. Or can everything we would want
to test be done using simple MS test equipment and/or a BTS with
OpenBSC?
I did also wonder whether it would be possible to use this to try and
achieve type approval, but realise that even if the rest of the
hardware could be gathered together it would be a huge learning curve
and even then maybe you have to be accredited/authorised for TA (or
other challenges would prevent this). In any case, I thought it worth
asking the question before it is split up.
Regards,
Andrew
PS. Some photos are at:
http://www.flickr.com/photos/carrierdetect/sets/72157631692365280/with/8054…
The digital units are PCs running DOS and tests are written in C and
compiled to run on DSP boards (2x TX + 2x RX per CRTC02 digital unit)
which drive the attached analogue units. GPIB is used for control
between these and to also control the SOFI, RF switches and other
equipment that is missing (a signal generator and a second SOFI at
least).
--
Andrew Back
http://carrierdetect.com
Usually a reference platform is something for developers and is not widely
distributed. With android, the reference platform is a mass market device
in the hands of millions of people worldwide.
So, if there is a goal of a completely open phone - FaiF all the way
through - why isn't one of the nexus phones a natural target for reverse
engineering and spec-leaking ?
One of the issues with the calypso chipset that I have seen discussed here
is what OS to run on the upper layers of the phone - and this is a
non-issue, since the nexus phones have been designed from the ground up to
run linux. Even if you decline to put android specifically on it, you
could run any other variant you like.
I am not trivializing the work that has gone into calypso, and I realize
that different nexus variants may have totally different baseband
components, so you would have to choose one specific nexus model ... but
isn't the real difficulty simply the secrecy of the specs of the chipset,
and leaked specs solve the problem whether it is a 2G calypso or a 4G OMAP
?
Denis 'GNUtoo' Carikli wrote on 04.10.2012 15:07:
> On Thu, 04 Oct 2012 14:53:08 +0400
> Peter Zotov <whitequark(a)whitequark.org> wrote:
>
> Did you check what the modem transport was(shared memory, high speed
> serial etc...)?
>
> Denis.
Sorry for the second letter. I just verified the GPS issue with
grindars.
He says that BP does not communicate with GPS chip directly; both UART
and GPIO of the GPS chip are connected to AP. The only thing that will
not work with BP off is GSM A-GPS, which is trivially replaced if you
have WiFi connectivity or cellular data.
--
WBR, Peter Zotov.
Denis 'GNUtoo' Carikli wrote on 04.10.2012 15:07:
> On Thu, 04 Oct 2012 14:53:08 +0400
> Peter Zotov <whitequark(a)whitequark.org> wrote:
>
>> Denis 'GNUtoo' Carikli wrote on 04.10.2012 14:26:
>> > On Thu, 4 Oct 2012 00:32:48 +0200
>> > Peter Stuge <peter(a)stuge.se> wrote:
>> >
>> >> John Case wrote:
>> >> > the real trick I am interested is isolating (or at least
>> >> > controlling) the interaction between the baseband processor and
>> >> > the application processor. Using a computer with a USB dongle
>> >> > gives me that control ... would I have that same level of control
>> >> > if we had free software running on the baseband processor, or is
>> >> > there still additional bleeding possible simply by virtue of
>> >> > being built into the computer ?
>> >>
>> >> In a smartphone it's almost not possible to distinguish the
>> >> "computer" from the "GSM modem" anymore, because of how the
>> >> hardware is constructed, so yes.
>> > In some yes, in some no... it depends on how the smartphone was
>> > designed:
>> >
>> > On one end some smartphones (openmoko GTA02, golden delicious
>> > GTA04), the baseband is isolated (though on GTA04 it has access to
>> > a GPS with no antenna (so it can't work)). And on the other end
>> > there are smartphones with qualcomm System on a chip... where the
>> > modem and the CPU are in a single chip:
>> > The modem part has the audio DSP connected to it, the GPS.
>> > And the baseband uses shared RAM memory and shared NAND (if I
>> > remember well)...
>> > And I'm not sure but maybe the baseband is even needed for booting
>> > the main CPU...
>> >
>> > There are also systems in between like the galaxy S/Nexus S that
>> > use shared memory but do not have other problems...
>>
>> In addition to the above, there are some phones where baseband is
>> completely submissive to the AP, namely Galaxy SII. Basically it's
>> exactly the same as the USB dongle situation, but the dongle is
>> integrated on the phone's PCB.
> Did you check what the modem transport was(shared memory, high speed
> serial etc...)?
>
> Denis.
HSIC. It's basically USB but with a slightly altered physical layer to
accommodate the unusual topology.
http://www.synopsys.com/dw/dwtb/hsic_usb2_device/hsic_usb2_device.html
There is no shared memory or, in fact, any other connections between BP
and interfaces of the phone. Audio is transferred via the same USB, for
example.
GPS technically has some relation with the BP, I'm not absolutely sure
which precisely, but you can a) upload reference SiRF firmware to the
GPS, thus rendering any changes Samsung put to the latter void and b) AP
controls !RESET pins of both GPS and BP. It's trivial to not allow both
to run simultaneously.
--
WBR, Peter Zotov.
Denis 'GNUtoo' Carikli wrote on 04.10.2012 14:26:
> On Thu, 4 Oct 2012 00:32:48 +0200
> Peter Stuge <peter(a)stuge.se> wrote:
>
>> John Case wrote:
>> > the real trick I am interested is isolating (or at least
>> > controlling) the interaction between the baseband processor and
>> > the application processor. Using a computer with a USB dongle gives
>> > me that control ... would I have that same level of control if we had
>> > free software running on the baseband processor, or is there still
>> > additional bleeding possible simply by virtue of being built into
>> > the computer ?
>>
>> In a smartphone it's almost not possible to distinguish the
>> "computer" from the "GSM modem" anymore, because of how the
>> hardware is constructed, so yes.
> In some yes, in some no... it depends on how the smartphone was
> designed:
>
> On one end some smartphones (openmoko GTA02, golden delicious GTA04),
> the baseband is isolated (though on GTA04 it has access to a GPS with no
> antenna (so it can't work)). And on the other end there are
> smartphones with qualcomm System on a chip... where the modem and the
> CPU are in a single chip:
> The modem part has the audio DSP connected to it, the GPS.
> And the baseband uses shared RAM memory and shared NAND (if I remember
> well)...
> And I'm not sure but maybe the baseband is even needed for booting
> the main CPU...
>
> There are also systems in between like the galaxy S/Nexus S that use
> shared memory but do not have other problems...
In addition to the above, there are some phones where baseband is
completely submissive to the AP, namely Galaxy SII. Basically it's
exactly the same as the USB dongle situation, but the dongle is
integrated on the phone's PCB.
>
> Denis.
--
WBR, Peter Zotov.
> First, stay away from Qualcomm-based phones. In them the baseband controls
> all physical memory, as documented in the Replicant project, and thus has
> control over the application processor (the "unix computer").
Ok. So what I am shooting for is a firewall between the baseband
processor and the application processor, and I was indeed correct that in
a "real" mobile phone there is a lot of bleeding between the two.
> Second, even Infineon-based phones are not completely safe, however you can
> use Replicant on the Nexus S, and thus there is no proprietary binaries (on
> the Unix side) and less risk of meddling from a third party. However, this
> won't prevent a baseband exploit from doing evil stuff. In addition there
> are Android vulnerabilities constantly appearing, last one as you may have
> heard concerned the SGS3's NFC stack.
Well, that is why I said "unix computer" and not specifically android - if
I am running a computer (like a samsung galaxy player) then I could do
something besides android, and perhaps gain quite a bit of control.
> Finally, the scenario you suggest (connecting a 3G USB modem) to a computer
> seems very impractical although it adds a layer of safety since the
> microphone will be fully under the control of the system you trust. However
> battery life will probably be very, very short as compared to your current
> 2G phone.
Yes, ok. Battery life is bad, as well as the physical logistics of
connecting a full sized USB dongle to a micro-USB port, etc.
> By the way, as documented in presentations at CCC, Blackhat, etc. GSM
> networks are not safe, there are multiple vulnerabilities ranging from
> offline decryption of comms to active mitm attacks. 3G networks use
> stronger, mutual authentication and do not suffer from this. In several
> phones, such as the Nexus S, you can force the network mode to 3G only and
> therefore have a better level of security.
Yes, but the real trick I am interested is isolating (or at least
controlling) the interaction between the baseband processor and the
application processor. Using a computer with a USB dongle gives me that
control ... would I have that same level of control if we had free
software running on the baseband processor, or is there still additional
bleeding possible simply by virtue of being built into the computer ?
Also, just for my own notes, what is the industry term for "making changes
to application processor side of customers handset?" I have heard of some
regular examples of how carriers update things and enforce changes to
phones in this way (or relock them ?) but what is the term for that
behavior ?
Thanks.
I use an old 2G dumbphone.
I would like to switch and begin carrying a unix computer with me, but two
things bother me:
1. When cellular device is added to computer, and integrated in a deep way
(as it is in an android phone) there seem to me a lot of instances where
the computer is subservient to the cellular parts of the phone. I am
thinking about things like carrier published updates to applications and
carrier updates to SIM data, etc. - I want to participate on the mobile
phone network, but I do not want the carrier to have any access to my unix
computer. It seems to me that they have a lot of access, though, when I
use something like an android phone.
2. Exploits ... baseband exploits, mobile network exploits, forced dialing,
speaker/mic toggling, root exploits like I saw described from rogue
cellsites at defcon 2 years ago ... I want nothing to do with this.
So my current thought is to not buy a phone at all, but instead buy a unix
computer - perhaps the samsung galaxy player ? It is a near-clone of
Samsung i9000, but without any phone hardware (but it does have speaker and
mic, so you could use it as a very nice SIP device). And my idea is that
when I do not have WIFI access, I could connect a USB GSM modem to this
unix computer and use the GSM modem ONLY for data, and connect SIP calls
that way.
My questions:
1. Am I correct that embedding the mobile components into the computer
(like in a mobile phone) gives my carrier many more vectors for accessing
the computer side of things, and gives "mallory" many more vectors for
attack ? I spoke very generally above about those methods - what are the
actual names for these behaviors ?
2. Am I correct that if I connect an external GSM modem to my unix
computer, I am nullifying most of these, and I am not giving my carrier
any ability to update/examine/alter/access my unix computer .... and am
also avoiding things like secretly enabling the microphone, baseband
exploits, etc. ?
Any additional thoughts on using a computer instead of a phone, and then
adding a GSM modem when that is the only way to get SIP connectivity ?
Thanks.
Maciej Grela wrote on 02.10.2012 02:00:
>> My colleague/friend Sergey Gridassov[1] has been developing a
>> replacement
>> RIL[2]
>> for SGS2 and found everything of the above. He probably won't be
>> posting to
>> this list because he's not a native English speaker, but if there is
>> enough
>> interest (and it seems that there is), I could prepare and post the
>> relevant
>> instructions. It's pretty trivial actually.
>>
>
> Please do publish them. This is pretty cool.
>
> Regards,
> Maciej Grela
Assuming you know C, consider this code:
https://github.com/grindars/android_hardware_samsung_freeril/blob/jellybean…
The boot process is IROM->PSI->EBL->SecureImage. Authenticity of PSI is
not checked.
He has verified this by changing the magic constant 0xDEADDEAD and
booting PSI.
Speaking about 0xDEADDEAD, it's a command ID which makes the PSI make a
complete RAM dump. So, then he has sent the modified command and
successfully obtained a dump.
The rest should be obvious from the source.
--
WBR, Peter Zotov.