February 2012 - baseband-devel

Engagetted !

by Sébastien Lorquet

http://www.engadget.com/2010/12/29/researchers-eavesdrop-on-encrypted-gsm-c… Congrats!

6 months, 1 week

5
5
0 0

Sniffing GPRS

by canarion

Hi, After compiling osmocom-bb and apply sylvain/burst_ind branch and gprs_multi.patch, I execute it and try to sniff gprs traffic. I loaded the layer1 into my C139 and I obtained an ARFCN code (883). When I run ccch_scan -a 883 I get the next result: opyright (C) 2010 Harald Welte <laforge(a)gnumonks.org> Contributions by Holger Hans Peter Freyther License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Failed to connect to '/tmp/osmocom_sap'. Failed during sap_open(), no SIM reader <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(1476410343) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(1207963561) <0001> app_ccch_scan.c:400 Paging1: Normal paging chan tch/f to TMSI M(0x1ad1cda) <0001> app_ccch_scan.c:403 Paging2: Normal paging chan tch/f to TMSI M(0x41ae98f9) <0001> app_ccch_scan.c:426 Paging3: Normal paging chan n/a to imsi M(214031385056117) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3306441249) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214031482053520) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214036185306441) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4207880193) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4135931713) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4214223105) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3388536385) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(134915836) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3961436929) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4229756769) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(531909) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214034185316455) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3829437761) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214033485554660) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3639403521) <0001> app_ccch_scan.c:105 SI1 received. <0001> app_ccch_scan.c:464 unknown PCH/AGCH type 0x00 <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3827744513) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(335734299) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3561969409) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4294310401) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3698994241) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3682615617) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(67866789) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4003487553) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3770351169) <0001> app_ccch_scan.c:400 Paging1: Normal paging chan tch/f to TMSI M(0x41ae98f9) <0001> app_ccch_scan.c:403 Paging2: Normal paging chan tch/f to TMSI M(0x1ad1cda) <0001> app_ccch_scan.c:426 Paging3: Normal paging chan n/a to imsi M(214031385056117) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3306441249) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214031482053520) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214036185306441) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4102036289) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4135931713) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214032485273805) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3798414145) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(134915836) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3988859137) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3735175681) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(531909) <0001> app_ccch_scan.c:248 GSM48 IMM ASS (ra=0x78, chan_nr=0x0f, HSN=24, MAIO=1, TS=7, SS=0, TSC=1) Dropping frame with 55 bit errors <000c> l1ctl.c:238 Dropping frame with 55 bit errors <000c> l1ctl.c:290 BURST IND: @(830928 = 0626/20/36) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830928 = 0626/20/36) (-110 dBm, SNR 8) <000c> l1ctl.c:290 BURST IND: @(830929 = 0626/21/37) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830929 = 0626/21/37) ( -83 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830930 = 0626/22/38) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830930 = 0626/22/38) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830931 = 0626/23/39) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830931 = 0626/23/39) ( -83 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830932 = 0626/24/40) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830932 = 0626/24/40) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830933 = 0626/25/41) (-105 dBm, SNR 8, UL, SACCH) <000c> l1ctl.c:290 BURST IND: @(830933 = 0626/25/41) (-107 dBm, SNR 5, SACCH) <000c> l1ctl.c:290 BURST IND: @(830934 = 0626/00/42) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830934 = 0626/00/42) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830935 = 0626/01/43) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830935 = 0626/01/43) ( -83 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830936 = 0626/02/44) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830936 = 0626/02/44) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830937 = 0626/03/45) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830937 = 0626/03/45) ( -89 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830938 = 0626/04/46) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830938 = 0626/04/46) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830939 = 0626/05/47) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830939 = 0626/05/47) ( -82 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830940 = 0626/06/48) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830940 = 0626/06/48) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830941 = 0626/07/49) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830941 = 0626/07/49) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830942 = 0626/08/50) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830942 = 0626/08/50) ( -86 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830943 = 0626/09/00) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830943 = 0626/09/00) ( -86 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830944 = 0626/10/01) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830944 = 0626/10/01) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830945 = 0626/11/02) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830945 = 0626/11/02) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830947 = 0626/13/04) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830947 = 0626/13/04) ( -84 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830948 = 0626/14/05) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830948 = 0626/14/05) ( -85 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830949 = 0626/15/06) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830949 = 0626/15/06) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830950 = 0626/16/07) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830950 = 0626/16/07) ( -89 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830951 = 0626/17/08) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830951 = 0626/17/08) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830952 = 0626/18/09) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830952 = 0626/18/09) ( -85 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830953 = 0626/19/10) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830953 = 0626/19/10) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830954 = 0626/20/11) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830954 = 0626/20/11) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830955 = 0626/21/12) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830955 = 0626/21/12) (-106 dBm, SNR 0) <000c> l1ctl.c:290 BURST IND: @(830956 = 0626/22/13) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830956 = 0626/22/13) (-107 dBm, SNR 5) <000c> l1ctl.c:290 BURST IND: @(830957 = 0626/23/14) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830957 = 0626/23/14) (-106 dBm, SNR 2) <000c> l1ctl.c:290 BURST IND: @(830958 = 0626/24/15) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830958 = 0626/24/15) (-108 dBm, SNR 1) <000c> l1ctl.c:290 BURST IND: @(830959 = 0626/25/16) (-106 dBm, SNR 2, UL, SACCH) <000c> l1ctl.c:290 BURST IND: @(830959 = 0626/25/16) (-109 dBm, SNR 5, SACCH) <000c> l1ctl.c:290 BURST IND: @(830960 = 0626/00/17) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830960 = 0626/00/17) (-108 dBm, SNR 3) <000c> l1ctl.c:290 BURST IND: @(830961 = 0626/01/18) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830961 = 0626/01/18) (-106 dBm, SNR 2) <000c> l1ctl.c:290 BURST IND: @(830962 = 0626/02/19) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830962 = 0626/02/19) (-108 dBm, SNR 3) <000c> l1ctl.c:290 BURST IND: @(830963 = 0626/03/20) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830963 = 0626/03/20) (-107 dBm, SNR 0) <000c> l1ctl.c:290 BURST IND: @(830964 = 0626/04/21) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830964 = 0626/04/21) ( -85 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830965 = 0626/05/22) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830965 = 0626/05/22) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830966 = 0626/06/23) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830966 = 0626/06/23) ( -85 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830967 = 0626/07/24) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830967 = 0626/07/24) ( -86 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830968 = 0626/08/25) (-107 dBm, SNR 6, UL) <000c> l1ctl.c:290 BURST IND: @(830968 = 0626/08/25) (-109 dBm, SNR 0) <000c> l1ctl.c:290 BURST IND: @(830969 = 0626/09/26) (-101 dBm, SNR 6, UL) But it stop to capture frames, seems to be left in a standby state and I don't know why that is. With gprsdecode I can see the next image in the wireshark: http://baseband-devel.722152.n3.nabble.com/file/n3712433/wireshark-capture.… If someone knows what is the problem, please tell me. Thanks in advance. Cheers, Dani -- View this message in context: http://baseband-devel.722152.n3.nabble.com/Sniffing-GPRS-tp3712433p3712433.… Sent from the baseband-devel mailing list archive at Nabble.com.

7 years, 4 months

8
12
0 0

Please can anyone advise me - FMTOOL Error and no further processing

by Raz Sharif

Dear all, I vae the C115 with a T1 USB to Serial cable with the Prolific chipset. When i run osmocon i get :- an its just sits there with no further processing. ./osmocon -p /dev/ttyUSB0 -m c123xor ../../target/firmware/board/compal_e88/loader.compalram.bin read_file(../../target/firmware/board/compal_e88/loader.compalram.bin): file_size=17120, hdr_len=4, dnload_len=17127 read_file(../../target/firmware/board/compal_e88/loader.compalram.bin): file_size=17120, hdr_len=4, dnload_len=17127 got 1 bytes from modem, data looks like: 00 . got 2 bytes from modem, data looks like: 2f 00 /. got 1 bytes from modem, data looks like: 1b . got 3 bytes from modem, data looks like: f6 02 00 ... got 1 bytes from modem, data looks like: 41 A got 1 bytes from modem, data looks like: 01 . got 1 bytes from modem, data looks like: 40 @ Received PROMPT1 from phone, responding with CMD got 1 bytes from modem, data looks like: 66 f got 1 bytes from modem, data looks like: 74 t got 1 bytes from modem, data looks like: 6d m got 1 bytes from modem, data looks like: 74 t got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 6c l Received FTMTOOL from phone, ramloader has aborted got 1 bytes from modem, data looks like: 65 e got 1 bytes from modem, data looks like: 72 r got 1 bytes from modem, data looks like: 72 r got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 72 r got 1 bytes from modem, data looks like: 00 . got 1 bytes from modem, data looks like: 00 . I think the cable is ok as when i run my fingers on the tip i get random Zeros so it appears to be talking to the cable. Also when i tried to run Mobile i get the :- even though i created the Mobile.cfg file in /etc/osmoco Failed to parse the config file: '/home/raz/.osmocom/bb/mobile.cfg' Please check or create config file using: 'touch /home/raz/.osmocom/bb/mobile.cfg' I have spent some hours researching the lists and trying various things to no avail but I want to continue until I resolve this issues and use this great stack to learn about the GSM network. Please advise. Great full for any help or pointers but this maybe a timing issue that is difficult to debug. Thanks Raz

7 years, 11 months

5
6
0 0

cell re-selection

by Andreas.Eversberg

hi, i did a lot of resarch and testing on cell selection and re-selection process the last two week. the cell selection process, network selection process (manual and automatic) and mobility management process were already implemented in OsmocomBB a long time, but turned out to be buggy and incomplete. i made test drives to check the process and debugged it. the re-selection process is new. it is used to track surrounding cells while listening to the BCCH of the current cell (camping on a cell). special extension to the layer1 firmare is used to measure neighbour cells. if an neighbour cell becomes 'better', the mobile switches to that cell, depening on different criteria. now it is possible to move with OsmocomBB. the re-selection process is not handover! handover is a process where a phone switches between cells while doing a call. handover is one next step to implement. the process is a little more complex, because it requires not only neighbour cell measurements, but also syncing to them without interrupting the traffic channel. most layer 3 stuff of handover is already implemented. if you like to play and test your moving OsmocomBB, you can check out the "jolly/roaming" branch. it contains the extension to layer1, as well as sim reader and fixes from "sylvain/testing" branch. use both "mobile" and "layer1" firmware from this branch. in order to see some process at VTY, you can do: enable monitor network 1 (continously display the strongest cell and neighbour cells) show ms 1 (to see current states) show neighbour-cells 1 (to see a more detailed current list of neighbours) andreas

8 years, 1 month

3
3
0 0

AW: The call has been rejected

by Andreas.Eversberg

hi josephli, > Read stored BA list mnc=01 the mobile application stores the last cells and neighbour cells (band allocation) of each network. this way the scanning is much faster when restarting. because you use the SIM card with MNC == 02 the first time, there is no band allocation stored for that. the mobile will do a full scan in this case. > while the sim card service I am tesing is actually with mnc 00 and 02. i know that MNC == 0 will not work until i commited improvements of cell selection process last sunday. you should retry that, but first try with an MNC > 0. can you provide debug output when trying a call? also can you provide VTY output of "show ms" before you make the call? regards, andreas

11 years

3
2
0 0

status report layer1 and layer23

by Andreas.Eversberg

hi, i just fixed some locking issues the last days. fix will follow. it took a bit longer, because there were some race conditions. it took up to about one hour until it crashed. my way to detect the area where the crash happened, was to turn on buzzer before that area, and turn it off after that area. after many hours of approximation, i finally found out that the major crash happend during _talloc_zero. (first it looks for a free memory chunk, then it allocates it.) since it can be called from all contexts (main, irq, fiq), it need to be locked against any interrupt, otherwise the memory chunk can be assigned multiple times. (the process of _talloc_free is "atomic" and requires no locking.) because it seems pretty stable, i think it is time to merge some branches into the master. (i made a 6 hours call yesterday. and no crash after bugfix ever since.) i will do that together with sylvain, if we find the time this weekend. currently i use the jolly/voice together with the sylvain/traffic branch. i am able to use an isdn phone togehter with linux-call-router and make/receive calls. audio is passed both ways. i think this is a stage where it actually become "usable". (if not moving arround.) one of my major work for the next weeks/months will be the neighbour cell measurement, cell re-selection, and handover. this is essential when moving with the phone. regards, andreas

11 years

2
1
0 0

Can't compile after last pull

by Dario Lombardo

I've pulled git repo today, but the RSSI firmware gets an error. apps/rssi/main.c: In function `main': apps/rssi/main.c:896: warning: 'a' might be used uninitialized in this function apps/rssi/main.c:896: warning: 'e' might be used uninitialized in this function CC board/compal_e88/rssi.compalram.manifest.o LD board/compal_e88/rssi.compalram.elf OBJ board/compal_e88/rssi.compalram.bin CC board/compal_e88/rssi.highram.manifest.o LD board/compal_e88/rssi.highram.elf OBJ board/compal_e88/rssi.highram.bin CC board/compal_e88/rssi.e88loader.manifest.o LD board/compal_e88/rssi.e88loader.elf OBJ board/compal_e88/rssi.e88loader.bin CC board/compal_e88/rssi.e88flash.manifest.o LD board/compal_e88/rssi.e88flash.elf OBJ board/compal_e88/rssi.e88flash.bin CC board/compal_e86/rssi.compalram.manifest.o LD board/compal_e86/rssi.compalram.elf arm-elf-ld: region LRAM is full (board/compal_e86/rssi.compalram.elf section .data) make[1]: *** [board/compal_e86/rssi.compalram.elf] Error 1 make[1]: Leaving directory src/target/firmware' make: *** [firmware] Error 2 $ git pull Already up-to-date. $ Anyone experiencing the same issue?

11 years, 4 months

9
11
0 0

cp2102 (betemcu, B75937)

by lonelysurfer

...a never ending story: i have a working ftdi-ttl, but the cp2102-adapters (http://www.ebay.de/itm/USB-2-0-to-UART-TTL-6PIN-Module-Serial-Converter-CP2…) with the same cable dont work under ubuntu or windows. if i rub the top of the 2.55mm with my finger random data appears. but the loader doesnt upload the firmware. i used the txd, rxd and gnd pins and checked the connections with a multimeter. i tested -m c123xor, -m c123 and the default firmware. flashing custom baudrates was no problem. rivers are installed correctly (stady ttyusb0 under ubuntu/ com1 under win). is there any hint? -- View this message in context: http://baseband-devel.722152.n3.nabble.com/cp2102-betemcu-B75937-tp3489336p… Sent from the baseband-devel mailing list archive at Nabble.com.

11 years, 9 months

3
4
0 0

Receiving on TS=1 ?

by Sylvain Munaut

Hi, I've hacked something together to quickly test non-combined CCCH. However, I've hit a problem when trying to receive anything on another timeslot than 0. The TX side seems to work fine as the BTS can see my location update request and answers with a reject, but on the MS side, I never see the reject and wireshark only shows invalid incohrent data on the RX. The frames for SDCCH/8 show really nothing valid (looks like random bytes), things like 09 80 7f 47 49 06 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 00 47 d5 2d 06 1e 00 00 69 7c a0 91 3d 22 ff ab fe 6c 4f 56 4f 36 ... while the frames for the associated SAACH show at least something gsm-like : 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b but that's not quite a SI5/6 ... To RX/TX on TS=1, I just delayed the RX/TX window by 625 bits (4 * 156.25) when I'm in dedicated channel mode by chaning the 'start' in l1s_tx_win_ctrl / l1s_rx_win_ctrl Is there something else that should be done ? Cheers, Sylvain

11 years, 9 months

2
5
0 0

burst_ind and TCH

by Mad

Hi Sylvain, hi list! I'm experimenting with burst_ind and TCHs right now and ran into some problem I couldn't solve yet. After receiving an Assignment Command for a hopping TCH/F I call l1ctl_tx_dm_est_req_h1() with all necessary parameters and tch_mode GSM48_CMODE_SPEECH_V1 or _EFR. After that I do get burst indications containing the received bits on up- and downlink for the active arfcn on each consecutive frame number. BUT the rx level measurements are most of the time very low and sporadic higher, surely not from that nearby bts and the very close cellphone. It looks like the layer1 doesn't "hit" the right timeslot on the right arfcn at the right time. There are some possible sources of error leading to that, like hopping parameters, channel number and MA list. But I checked these and I took all of them directly from the ASS CMD, the MA as word list in ascending order, like in layer23 IMM ASS handling. The specific AC doesn't have any specialties like Starting Time or "before time" parameters. So my question is if there is some obvious pitfall I'm missing and are there any suggestions how to debug that? Regards, Mad

11 years, 9 months

4
5
0 0

bursts****.dat

by Victor P

Hi, I am trying to use burst_ind branch of osmocom. I have noticed that layer23 creates bursts****.dat files when it indicates uplink. What data are written to these files and what should I use to see its data? Thank you.

11 years, 10 months

5
6
0 0

Reliablility problem in current git?

by Tim Ehlers

Hi, I have a git clone from 23.01.2012 and a current git clone. When I compile both and use the mobile appliation, I have a strange problem in the current code. Very often I can't send USSD codes (and maybe also can't communicate in other ways; USSD is the costless way to check whether I am connected or not). Ok, this is what I do: I send "service 1 *#21#", wait the answer and the string "% On Network, normal service: Germany, O2". Then send it again and so on. With the old code, I reliable get the answer e.g. "% Status: deactivated". With the new code, I very often (sometime already when trying first time) get nothing back and after some seconds only "% Service connection terminated.". Can someone confirm this behavior? Thanks Tim

12 years

4
20
0 0

Use OsmocomBB as OpenBTS / airprobe clock generator

by Harald Welte

Hi! Recently we've had the idea of using OsmocomBB with a simple firmware that synchronizes to an existing GSM networks FCCH and use the resulting 13MHz clock to drive the USRP for airprobe or OpenBTS. Ideally, we would even use the Calypso-internal PLL (for ARM or DSP) to multiply it up to the required 52 MHz. However, neither the Openmoko nor the Compal/Motorola phones expose any of the 3 clock output pads :( So the only choice is to use something along the lines of the http://focus.ti.com/docs/prod/folders/print/cdcvf25084.html as a quad clock multiplier and attach it to the CLK13OUT signal of the phone. The chip is available for 9 USD in single quantities at digikey, and possibly cheaper at other sources. Combined with a sub-20EUR phone it might be a very cheap but still accurate frequency source for OpenBTS - at least as long as there are any commercial gsm networks available. Regards, Harald -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

12 years, 1 month

8
17
0 0

[nuttx-bb] how to integrate nuttx-bb into upstream nuttx.

by Denis 'GNUtoo' Carikli

Hi, Nuttx is BSD licensed while osmocom-bb's src/target/firmware is GPLv2(or later). Mixing GPlv2 and BSD code is legally possible. As I understand it the whole work becomes GPLv2 when the code is mixed, the BSD part however can be used independently of the GPL part if you strip out the GPL part and the BSD copyright headers have to remain intact. The problem is that upstream(nuttx) will unlikely accept GPL code as-is for inclusion in nuttx. However there is a misc directory for software made under different licenses such as applications or drivers(there is one GPL driver for the rtl8187x wifi chipsets). To use the driver the user is expected to run a script that install the driver in nuttx normal source code directory. The list of files touched by the patches mades on top of nuttx and their licenses is listed here: http://bb.osmocom.org/trac/wiki/nuttx-bb/code-audit Basically the GPL parts are composed by : * the irq * the timer * the clock * the uart some of the related files have the following authors(can be combined together): * Harald Welte * Stefan Richter * Ingo Albrecht I guess Stefan Richter and Ingo Albrecht will be hard to reach. So I wonder what's the best thing to do. Denis.

12 years, 1 month

3
4
0 0

[PATCH] Added option for mobile-app to bind to other interfaces than localhost.

by Tim Ehlers

Signed-off-by: Tim Ehlers <osmocom(a)ehlers.info> --- .../layer23/include/osmocom/bb/common/l23_app.h | 1 + .../layer23/include/osmocom/bb/mobile/app_mobile.h | 2 +- src/host/layer23/src/common/main.c | 11 ++++++++++- src/host/layer23/src/mobile/app_mobile.c | 4 ++-- src/host/layer23/src/mobile/main.c | 13 ++++++++++--- .../include/osmocom/vty/telnet_interface.h | 1 + src/shared/libosmocore/src/vty/telnet_interface.c | 11 ++++++++++- 7 files changed, 35 insertions(+), 8 deletions(-) diff --git a/src/host/layer23/include/osmocom/bb/common/l23_app.h b/src/host/layer23/include/osmocom/bb/common/l23_app.h index e4c5d55..0b9994c 100644 --- a/src/host/layer23/include/osmocom/bb/common/l23_app.h +++ b/src/host/layer23/include/osmocom/bb/common/l23_app.h @@ -10,6 +10,7 @@ enum { L23_OPT_TAP = 4, L23_OPT_VTY = 8, L23_OPT_DBG = 16, + L23_OPT_VTYIP = 32, }; /* initialization, called once when starting the app, before entering diff --git a/src/host/layer23/include/osmocom/bb/mobile/app_mobile.h b/src/host/layer23/include/osmocom/bb/mobile/app_mobile.h index 4010a68..351dec3 100644 --- a/src/host/layer23/include/osmocom/bb/mobile/app_mobile.h +++ b/src/host/layer23/include/osmocom/bb/mobile/app_mobile.h @@ -4,7 +4,7 @@ char *config_dir; int l23_app_init(int (*mncc_recv)(struct osmocom_ms *ms, int, void *), - const char *config_file, uint16_t vty_port); + const char *config_file, const char *vty_ip, uint16_t vty_port); int l23_app_exit(void); int l23_app_work(int *quit); int mobile_delete(struct osmocom_ms *ms, int force); diff --git a/src/host/layer23/src/common/main.c b/src/host/layer23/src/common/main.c index eb47b26..59cee03 100644 --- a/src/host/layer23/src/common/main.c +++ b/src/host/layer23/src/common/main.c @@ -56,6 +56,7 @@ static char *sap_socket_path = "/tmp/osmocom_sap"; struct llist_head ms_list; static struct osmocom_ms *ms = NULL; static char *gsmtap_ip = NULL; +static char *vty_ip = "127.0.0.1"; unsigned short vty_port = 4247; int (*l23_app_work) (struct osmocom_ms *ms) = NULL; @@ -106,6 +107,10 @@ static void print_help() if (options & L23_OPT_DBG) printf(" -d --debug Change debug flags.\n"); + if (options & L23_OPT_VTYIP) + printf(" -u --vty-ip The VTY IP to bind telnet to. " + "(default %s)\n", vty_ip); + if (app && app->cfg_print_help) app->cfg_print_help(); } @@ -122,13 +127,14 @@ static void build_config(char **opt, struct option **option) {"sap", 1, 0, 'S'}, {"arfcn", 1, 0, 'a'}, {"gsmtap-ip", 1, 0, 'i'}, + {"vty-ip", 1, 0, 'u'}, {"vty-port", 1, 0, 'v'}, {"debug", 1, 0, 'd'}, }; app = l23_app_info(); - *opt = talloc_asprintf(l23_ctx, "hs:S:a:i:v:d:%s", + *opt = talloc_asprintf(l23_ctx, "hs:S:a:i:v:d:u:%s", app && app->getopt_string ? app->getopt_string : ""); len = ARRAY_SIZE(long_options); @@ -174,6 +180,9 @@ static void handle_options(int argc, char **argv) case 'i': gsmtap_ip = optarg; break; + case 'u': + vty_ip = optarg; + break; case 'v': vty_port = atoi(optarg); break; diff --git a/src/host/layer23/src/mobile/app_mobile.c b/src/host/layer23/src/mobile/app_mobile.c index da388b2..d911ab3 100644 --- a/src/host/layer23/src/mobile/app_mobile.c +++ b/src/host/layer23/src/mobile/app_mobile.c @@ -352,7 +352,7 @@ static struct vty_app_info vty_info = { /* global init */ int l23_app_init(int (*mncc_recv)(struct osmocom_ms *ms, int, void *), - const char *config_file, uint16_t vty_port) + const char *config_file, const char *vty_ip, uint16_t vty_port) { struct telnet_connection dummy_conn; int rc = 0; @@ -376,7 +376,7 @@ int l23_app_init(int (*mncc_recv)(struct osmocom_ms *ms, int, void *), } } vty_reading = 0; - telnet_init(l23_ctx, NULL, vty_port); + telnet_init_dynif(l23_ctx, NULL, vty_ip, vty_port); if (rc < 0) return rc; printf("VTY available on port %u.\n", vty_port); diff --git a/src/host/layer23/src/mobile/main.c b/src/host/layer23/src/mobile/main.c index 89c9b94..312bcd6 100644 --- a/src/host/layer23/src/mobile/main.c +++ b/src/host/layer23/src/mobile/main.c @@ -52,6 +52,7 @@ void *l23_ctx = NULL; struct llist_head ms_list; static char *gsmtap_ip = 0; struct gsmtap_inst *gsmtap_inst = NULL; +static char *vty_ip = "127.0.0.1"; unsigned short vty_port = 4247; int debug_set = 0; char *config_dir = NULL; @@ -88,6 +89,8 @@ static void print_help() printf(" Some help...\n"); printf(" -h --help this text\n"); printf(" -i --gsmtap-ip The destination IP used for GSMTAP.\n"); + printf(" -u --vty-ip The VTY IP to telnet to. " + "(default %s)\n", vty_ip); printf(" -v --vty-port The VTY port number to telnet to. " "(default %u)\n", vty_port); printf(" -d --debug Change debug flags. default: %s\n", @@ -104,6 +107,7 @@ static void handle_options(int argc, char **argv) static struct option long_options[] = { {"help", 0, 0, 'h'}, {"gsmtap-ip", 1, 0, 'i'}, + {"vty-ip", 1, 0, 'u'}, {"vty-port", 1, 0, 'v'}, {"debug", 1, 0, 'd'}, {"daemonize", 0, 0, 'D'}, @@ -111,7 +115,7 @@ static void handle_options(int argc, char **argv) {0, 0, 0, 0}, }; - c = getopt_long(argc, argv, "hi:v:d:Dm", + c = getopt_long(argc, argv, "hi:u:v:d:Dm", long_options, &option_index); if (c == -1) break; @@ -125,6 +129,9 @@ static void handle_options(int argc, char **argv) case 'i': gsmtap_ip = optarg; break; + case 'u': + vty_ip = optarg; + break; case 'v': vty_port = atoi(optarg); break; @@ -226,9 +233,9 @@ int main(int argc, char **argv) config_dir = dirname(config_dir); if (use_mncc_sock) - rc = l23_app_init(mncc_recv_socket, config_file, vty_port); + rc = l23_app_init(mncc_recv_socket, config_file, vty_ip, vty_port); else - rc = l23_app_init(NULL, config_file, vty_port); + rc = l23_app_init(NULL, config_file, vty_ip, vty_port); if (rc) exit(rc); diff --git a/src/shared/libosmocore/include/osmocom/vty/telnet_interface.h b/src/shared/libosmocore/include/osmocom/vty/telnet_interface.h index 2de4f19..65a1dd9 100644 --- a/src/shared/libosmocore/include/osmocom/vty/telnet_interface.h +++ b/src/shared/libosmocore/include/osmocom/vty/telnet_interface.h @@ -47,6 +47,7 @@ struct telnet_connection { }; int telnet_init(void *tall_ctx, void *priv, int port); +int telnet_init_dynif(void *tall_ctx, void *priv, const char *ip, int port); void telnet_exit(void); diff --git a/src/shared/libosmocore/src/vty/telnet_interface.c b/src/shared/libosmocore/src/vty/telnet_interface.c index 167acc1..bbc0791 100644 --- a/src/shared/libosmocore/src/vty/telnet_interface.c +++ b/src/shared/libosmocore/src/vty/telnet_interface.c @@ -18,6 +18,7 @@ * */ +#include <arpa/inet.h> #include <sys/socket.h> #include <netinet/in.h> #include <stdlib.h> @@ -59,6 +60,14 @@ static struct osmo_fd server_socket = { */ int telnet_init(void *tall_ctx, void *priv, int port) { + int rc; + rc = telnet_init_dynif(tall_ctx, priv, "127.0.0.1", port); + + return rc; +} + +int telnet_init_dynif(void *tall_ctx, void *priv, const char *ip, int port) +{ struct sockaddr_in sock_addr; int fd, rc, on = 1; @@ -78,7 +87,7 @@ int telnet_init(void *tall_ctx, void *priv, int port) memset(&sock_addr, 0, sizeof(sock_addr)); sock_addr.sin_family = AF_INET; sock_addr.sin_port = htons(port); - sock_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); + sock_addr.sin_addr.s_addr = inet_addr(ip); rc = bind(fd, (struct sockaddr*)&sock_addr, sizeof(sock_addr)); if (rc < 0) { -- 1.7.1

12 years, 1 month

3
2
0 0

neighbour cells

by jolly

hi, i improved the generation of neighbour cells of openbsc. the patch is committed at origin/jolly/rtpmux. it generated the system information messages of neighbour cells in the same and in other bands. depending on the location of the bcch and the neighbour cells, the messages SI 2/5 and optionally SI 2bis/5bis and SI 2ter/5ter are generated. i have tested it with several configurations. i would like to commit it to master. any suggestions? regards, andreas

12 years, 1 month

1
0
0 0

unbreak nuttx-bb and add support for compal_e88 phones

by Denis 'GNUtoo' Carikli

Hi, Alan Carvalho de Assis and me have been working on making nuttx-bb work on our phones( I've a gta02 and he has a Motorola W220) and here are the patches(against nuttx-bb). To try it, clone nuttx-bb and osmocom-bb, put it in the same directory and keep the name of the osmocom-bb directory. Then put the gnuarm(for 64bit) or the codesourcery(for 32bit) in your path(there is a problem with gnuarm for 32bit). Compile osmocom-bb as usual(cd osmocom-bb/src && make). Then go in nuttx-bb directory and do: cd nuttx/tools/ ./configure.sh compal_e88/nsh #for for compal_e88( gta02 and Motorola W220). ./configure.sh compal_e99/nsh #we need testers for compal_e99, we don't have one. cd ../ make That will create a nuttx.bin, load it as usual(like any other firmware for your calypso). Then the following will appear: Finished, sent 63 blocks in total Received block ack from phone Sending checksum: 0x66 Checksum on phone side matches, let's branch to your code Branching to 0x00820000 Received branch ack, your code is running now! NuttShell (NSH) To send commands to the shell you need to run loadwriter.py that is included in the source code at: nuttx/drivers/sercomm/loadwriter.py The list of commands can be found by typing help. Denis.

12 years, 2 months

4
7
0 0

set sm-rp-oa in gsm411_sms.c

by ondra2000＠centrum.cz

Hello, I need to set originating address in MO SMS (SM submit, SM-RP-OA field)... I found this field in src/host/layer23/src/mobile/gsm411_sms.c --> /* no orig Address */ data = (uint8_t *)msgb_put(msg, 1); data[0] = 0x00; /* originator length == 0 */ Field has 0 length. Can anybody pleas help me how to set this field to some MSISDN...I know that there must be some fields for TON,NPI, number ... but I don't know how to write these fields into source code... With this change i want to find out how MSC behave when is field SM-RP-OA set to some real MSISDN. Thank you! Andrew

12 years, 2 months

2
2
0 0

set sm-RP-OA in gsm411_sms.c

by ondra2000＠centrum.cz

Hello, I need to set originating address in MO SMS (SM-RP-OA)... I found this field in src/host/layer23/src/mobile/gsm411_sms.c --> /* no orig Address */ data = (uint8_t *)msgb_put(msg, 1); data[0] = 0x00; /* originator length == 0 */ Field has 0 length. Can anybody pleas help me how to set this field to some MSISDN...I know that there must be some fields for TON,NPI, number ... but I don't know how to write these fields into source code... With this change i want to find out how MSC behave when is field SM-RP-OA set to some real MSISDN. Thank you! Andrew

12 years, 2 months

1
0
0 0

nuxttx-bb issues

by Denis 'GNUtoo' Carikli

hi, Me and Alan Carvalho de Assis tried nuttx-bb on the calypso and we failed to get any serial or sercomm output. The setup: ------------ 1) clone the following repository(or add as remote and checkout the correct branch): git://git.osmocom.org/osmocom-bb git://gitorious.org/gnutoo-s-for-upstream-osmocom-bb-and-nuttx-bb/nuttx-bb- gta02.git osmocom-bb and nuttx-bb-gta02 must be in the same directory. nuttx-bb-gta02 has 2 small patches made by me. One is for fixing compilation. And the other one is the result of a diff between compal_e99's init.c and the gta02's init.c 2) setup the toolchain: we didn't use gnuarm toolchain because it gave that when compiling nuttx-bb: arm-elf-ld: ERROR: /home/gnutoo/temp/osmo/nuttx-bb-gta02/nuttx/../../osmocom- bb/src/target/firmware/comm/libcomm.a(sercomm.o) uses hardware FP, whereas /home/gnutoo/temp/osmo/nuttx-bb-gta02/nuttx/nuttx uses software FP So we tried the arm-2010.09 codesourcey we put it in the path. 3) compile osmocom-bb: cd osmocom-bb/src make clean make cd ../../ 3) compile nuttx-bb: cd nuttx-bb-gta02/nuttx cd tools ./configure.sh compal_e99/nsh cd ../ make CROSSDEV="arm-none-eabi-" clean make CROSSDEV="arm-none-eabi-" that gives a file named nuttx.bin Then I tried it to load on my om-gta02: scp nuttx.bin root(a)192.168.7.2: ssh root(a)192.168.7.2 root@om-gta02:~# /etc/init.d/dbus-1 stop Stopping system message bus: root@om-gta02:~# /etc/init.d/xserver-nodm stop Stopping XServer root@om-gta02:~# osmocon -i 13 -m romload -p /dev/ttySAC0 nuttx.bin and on another console: ssh root(a)192.168.7.2 root@om-gta02:~# echo 1 > /sys/bus/platform/devices/gta02-pm-gsm.0/download root@om-gta02:~# echo 0 >/sys/bus/platform/devices/gta02-pm-gsm.0/power_on root@om-gta02:~# echo 1 >/sys/bus/platform/devices/gta02-pm-gsm.0/power_on which results in the following on the first console: [...] Finished, sent 63 blocks in total Received block ack from phone Sending checksum: 0xf6 Checksum on phone side matches, let's branch to your code Branching to 0x00820000 Received branch ack, your code is running now! but nothing on sercomm. And nothing on IRDA serial port either.... and IRDA serial cable works too: if I do that again: root@om-gta02:~# echo 0 >/sys/bus/platform/devices/gta02-pm-gsm.0/power_on root@om-gta02:~# echo 1 >/sys/bus/platform/devices/gta02-pm-gsm.0/power_on I get the default modem software messages on the serial port... Previously I tried to print on the IRDA serial port with: cons_puts("HELLO WORLD\n\n"); in apps/examples/hello/main.c and of course enabling the hello world application in the apps config. Nothing was printed either.... here's the app config: CONFIGURED_APPS += examples/hello in apps/.config And here's the diff for the application: diff --git a/apps/examples/hello/main.c b/apps/examples/hello/main.c index 308603f..db55ac3 100644 --- a/apps/examples/hello/main.c +++ b/apps/examples/hello/main.c @@ -58,7 +58,10 @@ int user_start(int argc, char *argv[]) { - printf("Hello, World!!\n"); - return 0; + while (1){ + cons_puts("HELLO WORLD\n"); + printf("Hello, World!!\n"); + } + return 0; } Alan Carvalho de Assis tried on features phones and not on the gta02 with the same result... Denis.

12 years, 2 months

2
1
0 0

[PATCH] Added option for mobile-app to bind to other interfaces than localhost. Signed-off-by: Tim Ehlers <osmocom@ehlers.info>

by Tim Ehlers

--- .../layer23/include/osmocom/bb/common/l23_app.h | 1 + .../layer23/include/osmocom/bb/mobile/app_mobile.h | 2 +- src/host/layer23/src/common/main.c | 11 ++++- src/host/layer23/src/mobile/app_mobile.c | 4 +- src/host/layer23/src/mobile/main.c | 13 ++++- .../include/osmocom/vty/telnet_interface.h | 1 + src/shared/libosmocore/src/vty/telnet_interface.c | 45 ++++++++++++++++++++ 7 files changed, 70 insertions(+), 7 deletions(-) diff --git a/src/host/layer23/include/osmocom/bb/common/l23_app.h b/src/host/layer23/include/osmocom/bb/common/l23_app.h index e4c5d55..0b9994c 100644 --- a/src/host/layer23/include/osmocom/bb/common/l23_app.h +++ b/src/host/layer23/include/osmocom/bb/common/l23_app.h @@ -10,6 +10,7 @@ enum { L23_OPT_TAP = 4, L23_OPT_VTY = 8, L23_OPT_DBG = 16, + L23_OPT_VTYIP = 32, }; /* initialization, called once when starting the app, before entering diff --git a/src/host/layer23/include/osmocom/bb/mobile/app_mobile.h b/src/host/layer23/include/osmocom/bb/mobile/app_mobile.h index 4010a68..351dec3 100644 --- a/src/host/layer23/include/osmocom/bb/mobile/app_mobile.h +++ b/src/host/layer23/include/osmocom/bb/mobile/app_mobile.h @@ -4,7 +4,7 @@ char *config_dir; int l23_app_init(int (*mncc_recv)(struct osmocom_ms *ms, int, void *), - const char *config_file, uint16_t vty_port); + const char *config_file, const char *vty_ip, uint16_t vty_port); int l23_app_exit(void); int l23_app_work(int *quit); int mobile_delete(struct osmocom_ms *ms, int force); diff --git a/src/host/layer23/src/common/main.c b/src/host/layer23/src/common/main.c index eb47b26..59cee03 100644 --- a/src/host/layer23/src/common/main.c +++ b/src/host/layer23/src/common/main.c @@ -56,6 +56,7 @@ static char *sap_socket_path = "/tmp/osmocom_sap"; struct llist_head ms_list; static struct osmocom_ms *ms = NULL; static char *gsmtap_ip = NULL; +static char *vty_ip = "127.0.0.1"; unsigned short vty_port = 4247; int (*l23_app_work) (struct osmocom_ms *ms) = NULL; @@ -106,6 +107,10 @@ static void print_help() if (options & L23_OPT_DBG) printf(" -d --debug Change debug flags.\n"); + if (options & L23_OPT_VTYIP) + printf(" -u --vty-ip The VTY IP to bind telnet to. " + "(default %s)\n", vty_ip); + if (app && app->cfg_print_help) app->cfg_print_help(); } @@ -122,13 +127,14 @@ static void build_config(char **opt, struct option **option) {"sap", 1, 0, 'S'}, {"arfcn", 1, 0, 'a'}, {"gsmtap-ip", 1, 0, 'i'}, + {"vty-ip", 1, 0, 'u'}, {"vty-port", 1, 0, 'v'}, {"debug", 1, 0, 'd'}, }; app = l23_app_info(); - *opt = talloc_asprintf(l23_ctx, "hs:S:a:i:v:d:%s", + *opt = talloc_asprintf(l23_ctx, "hs:S:a:i:v:d:u:%s", app && app->getopt_string ? app->getopt_string : ""); len = ARRAY_SIZE(long_options); @@ -174,6 +180,9 @@ static void handle_options(int argc, char **argv) case 'i': gsmtap_ip = optarg; break; + case 'u': + vty_ip = optarg; + break; case 'v': vty_port = atoi(optarg); break; diff --git a/src/host/layer23/src/mobile/app_mobile.c b/src/host/layer23/src/mobile/app_mobile.c index da388b2..d911ab3 100644 --- a/src/host/layer23/src/mobile/app_mobile.c +++ b/src/host/layer23/src/mobile/app_mobile.c @@ -352,7 +352,7 @@ static struct vty_app_info vty_info = { /* global init */ int l23_app_init(int (*mncc_recv)(struct osmocom_ms *ms, int, void *), - const char *config_file, uint16_t vty_port) + const char *config_file, const char *vty_ip, uint16_t vty_port) { struct telnet_connection dummy_conn; int rc = 0; @@ -376,7 +376,7 @@ int l23_app_init(int (*mncc_recv)(struct osmocom_ms *ms, int, void *), } } vty_reading = 0; - telnet_init(l23_ctx, NULL, vty_port); + telnet_init_dynif(l23_ctx, NULL, vty_ip, vty_port); if (rc < 0) return rc; printf("VTY available on port %u.\n", vty_port); diff --git a/src/host/layer23/src/mobile/main.c b/src/host/layer23/src/mobile/main.c index 89c9b94..312bcd6 100644 --- a/src/host/layer23/src/mobile/main.c +++ b/src/host/layer23/src/mobile/main.c @@ -52,6 +52,7 @@ void *l23_ctx = NULL; struct llist_head ms_list; static char *gsmtap_ip = 0; struct gsmtap_inst *gsmtap_inst = NULL; +static char *vty_ip = "127.0.0.1"; unsigned short vty_port = 4247; int debug_set = 0; char *config_dir = NULL; @@ -88,6 +89,8 @@ static void print_help() printf(" Some help...\n"); printf(" -h --help this text\n"); printf(" -i --gsmtap-ip The destination IP used for GSMTAP.\n"); + printf(" -u --vty-ip The VTY IP to telnet to. " + "(default %s)\n", vty_ip); printf(" -v --vty-port The VTY port number to telnet to. " "(default %u)\n", vty_port); printf(" -d --debug Change debug flags. default: %s\n", @@ -104,6 +107,7 @@ static void handle_options(int argc, char **argv) static struct option long_options[] = { {"help", 0, 0, 'h'}, {"gsmtap-ip", 1, 0, 'i'}, + {"vty-ip", 1, 0, 'u'}, {"vty-port", 1, 0, 'v'}, {"debug", 1, 0, 'd'}, {"daemonize", 0, 0, 'D'}, @@ -111,7 +115,7 @@ static void handle_options(int argc, char **argv) {0, 0, 0, 0}, }; - c = getopt_long(argc, argv, "hi:v:d:Dm", + c = getopt_long(argc, argv, "hi:u:v:d:Dm", long_options, &option_index); if (c == -1) break; @@ -125,6 +129,9 @@ static void handle_options(int argc, char **argv) case 'i': gsmtap_ip = optarg; break; + case 'u': + vty_ip = optarg; + break; case 'v': vty_port = atoi(optarg); break; @@ -226,9 +233,9 @@ int main(int argc, char **argv) config_dir = dirname(config_dir); if (use_mncc_sock) - rc = l23_app_init(mncc_recv_socket, config_file, vty_port); + rc = l23_app_init(mncc_recv_socket, config_file, vty_ip, vty_port); else - rc = l23_app_init(NULL, config_file, vty_port); + rc = l23_app_init(NULL, config_file, vty_ip, vty_port); if (rc) exit(rc); diff --git a/src/shared/libosmocore/include/osmocom/vty/telnet_interface.h b/src/shared/libosmocore/include/osmocom/vty/telnet_interface.h index 2de4f19..65a1dd9 100644 --- a/src/shared/libosmocore/include/osmocom/vty/telnet_interface.h +++ b/src/shared/libosmocore/include/osmocom/vty/telnet_interface.h @@ -47,6 +47,7 @@ struct telnet_connection { }; int telnet_init(void *tall_ctx, void *priv, int port); +int telnet_init_dynif(void *tall_ctx, void *priv, const char *ip, int port); void telnet_exit(void); diff --git a/src/shared/libosmocore/src/vty/telnet_interface.c b/src/shared/libosmocore/src/vty/telnet_interface.c index 167acc1..d74ec09 100644 --- a/src/shared/libosmocore/src/vty/telnet_interface.c +++ b/src/shared/libosmocore/src/vty/telnet_interface.c @@ -18,6 +18,7 @@ * */ +#include <arpa/inet.h> #include <sys/socket.h> #include <netinet/in.h> #include <stdlib.h> @@ -101,6 +102,50 @@ int telnet_init(void *tall_ctx, void *priv, int port) return 0; } +int telnet_init_dynif(void *tall_ctx, void *priv, const char *ip, int port) +{ + struct sockaddr_in sock_addr; + int fd, rc, on = 1; + + tall_telnet_ctx = talloc_named_const(tall_ctx, 1, + "telnet_connection"); + + /* FIXME: use new socket.c code of libosmocore */ + fd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); + + if (fd < 0) { + LOGP(0, LOGL_ERROR, "Telnet interface socket creation failed\n"); + return fd; + } + + setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); + + memset(&sock_addr, 0, sizeof(sock_addr)); + sock_addr.sin_family = AF_INET; + sock_addr.sin_port = htons(port); + sock_addr.sin_addr.s_addr = inet_addr(ip); + + rc = bind(fd, (struct sockaddr*)&sock_addr, sizeof(sock_addr)); + if (rc < 0) { + LOGP(0, LOGL_ERROR, "Telnet interface failed to bind\n"); + close(fd); + return rc; + } + + rc = listen(fd, 0); + if (rc < 0) { + LOGP(0, LOGL_ERROR, "Telnet interface failed to listen\n"); + close(fd); + return rc; + } + + server_socket.data = priv; + server_socket.fd = fd; + osmo_fd_register(&server_socket); + + return 0; +} + extern struct host host; static void print_welcome(int fd) -- 1.7.1

12 years, 2 months

2
1
0 0

[PATCH] bind VTY to other interfaces than localhost

by Tim Ehlers

Hi, in some usecases, for people knowing what they are doing, it maybe an advantage to control osmocombb over the network. Since the VTY is already network capable, it just needs to bind to an alternative network interface than localhost. Here is a patch for layer23 (mobile), having an option "-u" (because -v is the port). Passing "-u 0.0.0.0" would bind to any interface. If you think it is useful, please commit it in the git. Cheers Tim

12 years, 2 months

4
4
0 0

Network registration fails

by To Beat

Hi I've a problem with the mobile application since ~1 month. Registering in the network always fails and I don't have any idea why. It used to work in the past, but currently it is not working. Independently from the osmocom version i use (even the version from december 2011 which had worked once now always fail). I am using a C123 with an ftdi cable and the testing branch from sylvain. I tried sim cards for Vodafone/O2/Eplus. The related outputs/logs are the following: Output on telnet interface: OsmocomBB# % (MS 1) % Searching network... % (MS 1) % Trying to registering with network... layer 1 output: http://pastebin.com/c0AhJ3gt mobile app output: http://pastebin.com/vP0YPfpT Any suggestions are appreciated! greetings Philip

12 years, 2 months

2
1
0 0

USSD Commands

by Abdul Hakeem

Hello, Does anyone have a comprehensive list of USSD commands (either at the MS and server sides ), or a link to such a resource ? Regards, Abdul Hakeem

12 years, 2 months

1
0
0 0

Problem with decoding.

by Jaka Hudoklin

Hello. I'm trying to figure out what am i doing wrong for days, and i can't. I'm doing GSM security research for my university. I sniffed A5/1 encrypted bursts of my mobile phone with known KC. The example of burst output is below(C-cyphertext, P-plaintext, F- decoded data): > C 2310735 > 111000010011011101110001010111110100001010101111110001110100011010011011101100101100010010011011010100101111100111 > P 2310735 > 100000000001110111010100000000000001000011011101000000001000000000010101110100000100000010000101010111010101000010 > C 2310736 > 101110101001101010010111111111101010111001111001001110011000011111011001010010010111110010010000111000111011100011 > P 2310736 > 101011111111010101010001100000101010111111010101000100001010111110111101110100010010100010111011111101010001001010 > C 2310737 > 100011010101111101001111011110111010100001010010100010010110000010111110001011010010100111101000011110010100100101 > P 2310737 > 000100010111010100010000101000010100011101010000000010100001000101110101010000000000100001000111010101000000001010 > C 2310738 > 100011100100110101110100001001001111110110110000001101100110001101100011011000011011111111011100101110100000101111 > P 2310738 > 010100001000101011101101010101010100001010111111110101110100000010101010101011010101010100001000101010101101110101 > F 1 22 9 6 32 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b > C 2310752 > 110011010101101010011000000101011010111000001111110111011101011010111101110101000101101001110001000000100000101011 > P 2310752 > 111000101001100101011000011010100001110010100101111101010011000111000111011100110001111110111100000111110100000101 > C 2310753 > 011010111101000101101001001111001001100001101010001011110111011000010101100001000100101010100110110100001000110111 > P 2310753 > 000011111011011101100101100000101011111000100110110001010110010011101111111011000000110010011110001011011000010010 > C 2310754 > 011011000011001100000110001110000011010100000101100000011111101100101000011001001010100001011100001011111011001011 > P 2310754 > 100000010010110101010001101110110100000110011101010111100010100000001001010101011001001001100010101101110100101010 > C 2310755 > 001001010111101010011010100110100011101001010101010010001011111101001000000111101101001011001111001001010001010011 > P 2310755 > 111001001001100011101001100100110100100000110010100110011101010000101010010010101011010001011000000001001100101111 > F 5 3 3 3 2d 6 1e 7 1e 92 f3 14 0 3b 97 88 2b 2b 2b 2b 2b 2b 2b As you can see frames are decoded correctly and they are correctly displayed in wireshark. If i put XOR-ed value betwene cyprtext and plaintext-> keystream to kraken, i don't get any usefull results only the ones that do not produce correct KC. i calculate frame count correctly, because i test it with data from http://lists.lists.reflextor.com/pipermail/a51/2010-July/000803.html. Kraken works correctly for me since i can get correct kc with keystream from http://lists.lists.reflextor.com/pipermail/a51/2010-July/000688.html. The ouput bursts in example above are written using following lines of code: for (i=0; i<57; i++) fprintf( app_state.fh, "%d", bt[i] ); for (i=59; i<116; i++) fprintf( app_state.fh, "%d", bt[i] ); where bt is generated using: osmo_pbit2ubit_ext(bt, 0, bi->bits, 0, 57, 0); osmo_pbit2ubit_ext(bt, 59, bi->bits, 57, 57, 0); Can you help me identify why can't i correctly crack bursts? Thanks!

12 years, 2 months

3
3
0 0

osmocombb and usrp

by Paul Lambert

Hello, I have a ursp1 working fine and I want to use my c123 to conenct to it with osmocombb. Now I face some problems. First of all I have no sim, so I do: sim testcard 1 001 01 The usrp runs a testnetwork (001 01) I don't know how I can associate with the usrp. I tried: network search (lot of output and also my testnet) network show (nothing happens) network select 1 001 01: Network not in list! Any idea what I'm doing wrong? Would be really Cool if i could use opensource only. With best regards, Paul

12 years, 2 months

3
3
0 0

changing key as security feature in osmocom?

by Tim Ehlers

Hi, I just saw the talk of Karsten Nohl at 28C3 and ask myself if it would be possible to trigger a new session key (KC) after every e.g. Call,SMS,USSD and silent SMS :) for next event. I mean it seems that e.g. in O2 Network in germany the key never changes, only when turning off and on the phone and after many events. For O2 it maybe enough to reconnect to the network? I really would like to get a somewhat secure GSM connection for my anchor mobile at home (remotely controlled from the PC) for my nationwide homezone (BWHZ), using osmocombb. :) Has anyone a suggestion, idea? Thanks Tim

12 years, 2 months

3
10
0 0

libosmocore re-sync

by Harald Welte

FYI, I have committed a 'git-subtree' update of libosmocore to osmocom-bb earlier today. It seemed non-intrusive to me, as most of the changes were in testing and gsm 08.08 code, both of which are not used in the ARM-target builds. Nonetheless, if you experience strange new problems, the libosmocore update might be a possible cause. The update was required due to a __attribute((packed)) fix by Andreas to some GSM 04.08 structures... -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

12 years, 2 months

1
0
0 0

USSD Traffic analysis

by ty

Hallo all. I have been playing around with OsmoscomBB for GSM voice traffic and capture. My interested has now stemmed into USSD traffic. Whenever I initiate a ussd session, I get the error "Session Terminated". Has anyone attempted to capture ussd sessions using the Motorola C123 or do I need specialized equipment for this? Also, am looking into researching more into ussd because here in Africa, specifically Kenya, there is a proliferation of financial services over USSD and this begs the question just how secure is it? If anyone on the list might have done a bit of digging around I'd really love to share learnings and insights. -ty

12 years, 2 months

2
3
0 0

Patch: Automatically run osmoload from osmocon

by Christian Vogel

Hi, I'm getting kind of annoyed by the new >64k firmwares that need to be loaded via osmoload. Included patch #2 adds a "-a" option to osmocon that runs an arbitrary script after the main firmware has been successfully uploaded to the phone. This script could, for example, then handle upload of a second stage firmware via osmoload. Also layer23 could be started here just before uploading layer1. The script will be given the socket, serial port, loader method (c123xor...) and main firmware as arguments, those can be used to distinguish several phones that are connected to the same PC. Example usage (using attached osmoload.sh script): osmocon -p /dev/ttyUSB0 -m c155 -a .../osmoload.sh \ .../board/compal_e99/loader.compalram.bin Received DOWNLOAD ACK from phone, your code is running now! OSMOCOM Loader (revision osmocon_v0.0.0-1299-g7c08201) (---- 2 second delay ----) [osmoload.sh] Socket is /tmp/osmocom_loader, port is /dev/ttyUSB0. [osmoload.sh] Loader method was c155. [osmoload.sh] New firmware will be osmocom-bb/src/target/firmware/board/compal_e99/rssi.highram.bin. Received pong. Loading 75472 bytes of memory to address 0x820000 from file osmocom-bb/src/target/firmware/board/compal_e99/rssi.highram.bin .................................................................. Chris

12 years, 2 months

2
2
0 0

[PATCH 2/2] osmocon: Option -a runs program/script on upload

by Christian Vogel

The program option "-a program" runs the specified program or script after a ACK from the phone has been received. This can be used to trigger uploading the second-stage firmware with osmoload after the osmocom loader has successfully been run on the phone. --- src/host/osmocon/osmocon.c | 76 ++++++++++++++++++++++++++++++++++++++++++- 1 files changed, 74 insertions(+), 2 deletions(-) diff --git a/src/host/osmocon/osmocon.c b/src/host/osmocon/osmocon.c index b3eaedb..eefbed2 100644 --- a/src/host/osmocon/osmocon.c +++ b/src/host/osmocon/osmocon.c @@ -30,6 +30,7 @@ #include <stdint.h> #include <fcntl.h> #include <errno.h> +#include <signal.h> #include <termios.h> #include <sys/ioctl.h> #include <sys/types.h> @@ -178,6 +179,19 @@ struct dnload { static struct dnload dnload; static struct osmo_timer_list tick_timer; +/* Information needed for callback on successful program upload to mobile. + * Only active if ack_prog_info.progname != NULL. */ + +#define ACK_PROG_TIMER_DELAY 2000000 +static struct osmo_timer_list ack_prog_timer; +struct ack_prog_info { + char *progname; + char *sockname; + char *serialdev; + char * const *envp; +}; +static struct ack_prog_info ack_prog_info = { NULL }; + /* Compal ramloader specific */ static const uint8_t phone_prompt1[] = { 0x1b, 0xf6, 0x02, 0x00, 0x41, 0x01, 0x40 }; static const uint8_t dnload_cmd[] = { 0x1b, 0xf6, 0x02, 0x00, 0x52, 0x01, 0x53 }; @@ -823,6 +837,9 @@ static int handle_read(void) dnload.write_ptr = dnload.data; dnload.expect_hdlc = 1; + if(ack_prog_info.progname) + osmo_timer_schedule(&ack_prog_timer,0,ACK_PROG_TIMER_DELAY); + /* check for romloader chainloading mode used as a workaround * for the magic on the C139/C140 and J100i */ if (dnload.chainload_filename != NULL) { @@ -1202,6 +1219,7 @@ dnload_mode_to_str(enum dnload_mode mode){ "\t\t [ -m {c123,c123xor,c140,c140xor,c155,romload,mtk} ]\n" \ "\t\t [ -c /to-be-chainloaded-file.bin ]\n" \ "\t\t [ -i beacon-interval (mS) ]\n" \ + "\t\t [ -a program-to-be-run-after-upload-ack ]\n" \ "\t\t file.bin\n\n" \ "* Open serial port /dev/ttyXXXX (connected to your phone)\n" \ "* Perform handshaking with the ramloader in the phone\n" \ @@ -1401,7 +1419,46 @@ void parse_debug(const char *str) } } -int main(int argc, char **argv) +/* timer callback function that gets triggered after ACK + * for successful program upload has been received from the phone + */ + +void +ack_prog_callback(void *p) +{ + pid_t chld; + char *argv[]={ + ack_prog_info.progname, + ack_prog_info.sockname, + ack_prog_info.serialdev, + (char*)dnload_mode_str[dnload.mode], + dnload.filename, + NULL + }; + int i; + + signal(SIGCHLD,SIG_IGN); + + if((chld=fork()) != 0){ /* ---- in parent ---- */ + if(chld == -1) + perror("fork()"); + else + fprintf(stderr,"Running %s on ack.\n", + ack_prog_info.progname); + return; + }; + + /* ---- in child ---- */ + for(i=3;i<1024;i++) + close(i); + + execve(ack_prog_info.progname,argv,ack_prog_info.envp); + perror(ack_prog_info.progname); + exit(1); +} + +int +main(int argc, char **argv,char **envp) { int opt, flags; uint32_t tmp_load_address = ROMLOAD_ADDRESS; @@ -1414,7 +1471,7 @@ int main(int argc, char **argv) dnload.previous_filename = NULL; dnload.beacon_interval = DEFAULT_BEACON_INTERVAL; - while ((opt = getopt(argc, argv, "d:hl:p:m:c:s:i:v")) != -1) { + while ((opt = getopt(argc, argv, "d:hl:p:m:c:s:i:va:")) != -1) { switch (opt) { case 'p': serial_dev = optarg; @@ -1444,6 +1501,9 @@ int main(int argc, char **argv) case 'i': dnload.beacon_interval = atoi(optarg) * 1000; break; + case 'a': + ack_prog_info.progname = optarg; + break; case 'h': default: usage(argv[0]); @@ -1451,12 +1511,23 @@ int main(int argc, char **argv) } } + if (argc <= optind) { dnload.filename = NULL; } else { dnload.filename = argv[optind]; } + if(ack_prog_info.progname){ + fprintf(stderr,"Will run %s on successful upload.\n", + ack_prog_info.progname); + ack_prog_info.sockname = (char*)loader_un_path; + ack_prog_info.serialdev = serial_dev; + ack_prog_info.envp = envp; + ack_prog_timer.cb = ack_prog_callback; + ack_prog_timer.data = &ack_prog_info; + } + dnload.serial_fd.fd = osmo_serial_init(serial_dev, MODEM_BAUDRATE); if (dnload.serial_fd.fd < 0) { fprintf(stderr, "Cannot open serial device %s\n", serial_dev); @@ -1520,3 +1591,4 @@ int main(int argc, char **argv) exit(0); } + -- 1.7.0.4 --X1bOJ3K7DJ5YkBrT Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="osmoload_sh.txt" #!/bin/bash socket="$1" port="$2" method="$3" main_fw="$4" fw_dir="${main_fw%/*}" new_fw="${fw_dir}/rssi.highram.bin" osmoload="$OSMOCOM_ROOT/osmocom-bb/src/host/osmocon/osmoload" tag="[${0##*/}]" echo "Environment:" env if ! [ -x "$osmoload" ] ; then echo "$tag *** $osmoload not found/not executable." >&2 exit 1 fi if ! [ -f "$new_fw" ] ; then echo "$tag *** $new_fw not found." >&2 exit 1 fi echo "$tag Socket is $socket, port is $port." >&2 echo "$tag Loader method was $method." >&2 echo "$tag New firmware will be $new_fw." >&2 MAX_PINGS=5 N=0 while [ "$N" -lt "$MAX_PINGS" ] ; do N="$(( $N + 1 ))" $osmoload -l $socket ping if [ "$?" == 0 ] ; then break fi done if [ "$N" -ge $MAX_PINGS ] ; then echo "$tag *** could not ping phone!" >&2 exit 1 fi $osmoload -l $socket memload 0x820000 $new_fw if [ "$?" != 0 ] ; then echo "$tag *** could not upload firmware!" >&2 exit 1 fi $osmoload -l $socket jump 0x820000 if [ "$?" != 0 ] ; then echo "$tag *** could not run firmware!" >&2 exit 1 fi --X1bOJ3K7DJ5YkBrT--

12 years, 2 months

1
0
0 0

[PATCH 1/2] osmocon: array of download-method names

by Christian Vogel

An array of method names for the parser methods (c123xor, mtk, ...) has been introduced, so that we can easily convert back and forth. --- src/host/osmocon/osmocon.c | 39 ++++++++++++++++++++++++--------------- 1 files changed, 24 insertions(+), 15 deletions(-) diff --git a/src/host/osmocon/osmocon.c b/src/host/osmocon/osmocon.c index fc29506..b3eaedb 100644 --- a/src/host/osmocon/osmocon.c +++ b/src/host/osmocon/osmocon.c @@ -126,6 +126,16 @@ enum dnload_mode { MODE_INVALID, }; +const char * const dnload_mode_str[]={ + [MODE_C123]="c123", + [MODE_C123xor]="c123xor", + [MODE_C140]="c140", + [MODE_C140xor]="c140xor", + [MODE_C155]="c155", + [MODE_ROMLOAD]="romload", + [MODE_MTK]="mtk", +}; + struct dnload { enum dnload_state state; enum romload_state romload_state; @@ -1170,24 +1180,21 @@ static int serial_read(struct osmo_fd *fd, unsigned int flags) static int parse_mode(const char *arg) { - if (!strcasecmp(arg, "c123")) - return MODE_C123; - else if (!strcasecmp(arg, "c123xor")) - return MODE_C123xor; - else if (!strcasecmp(arg, "c140")) - return MODE_C140; - else if (!strcasecmp(arg, "c140xor")) - return MODE_C140xor; - else if (!strcasecmp(arg, "c155")) - return MODE_C155; - else if (!strcasecmp(arg, "romload")) - return MODE_ROMLOAD; - else if (!strcasecmp(arg, "mtk")) - return MODE_MTK; + int i; + for(i=0;i<MODE_INVALID;i++) + if(!strcasecmp(arg,dnload_mode_str[i])) + return i; return MODE_INVALID; } +const char * +dnload_mode_to_str(enum dnload_mode mode){ + if(mode < 0 || mode >= MODE_INVALID) + return "invalid"; + return dnload_mode_str[mode]; +} + #define HELP_TEXT \ "[ -v | -h ] [ -d [t][r] ] [ -p /dev/ttyXXXX ]\n" \ "\t\t [ -s /tmp/osmocom_l2 ]\n" \ @@ -1414,8 +1421,10 @@ int main(int argc, char **argv) break; case 'm': dnload.mode = parse_mode(optarg); - if (dnload.mode == MODE_INVALID) + if (dnload.mode == MODE_INVALID){ + fprintf(stderr,"Invalid download mode!\n"); usage(argv[0]); + } break; case 's': layer2_un_path = optarg; -- 1.7.0.4 --X1bOJ3K7DJ5YkBrT Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="0002-osmocon-Option-a-runs-program-script-on-upload.patch"

12 years, 2 months

1
0
0 0

Power-savvy GSM network (was: gsm322.c Bug Fix Patch)

by Alexander Chemeris

Hi Kurtis, (I'm changing subject to the actual topic of this discussion) Yes, I quickly looked through your code. Looks like a big hack right now, but I guess it's meant to be a hack at this point :) So, your idea is to manipulate Tx power of a BTS to cover only actually working handsets, if I understand correctly. It's not possible to do with a normal GSM phone, because phone does not transmit until it sees a beacon. So you want to create a "wake up BTS" channel to get around. Am I following your logic correctly? It does look like an interesting idea if could be done dirt-cheap. But how do you plan to do paging in this system? I see the only way - to use the same "wake up channel", but in other direction. So basically you have a network-specific "default" ARFCN which is used when no active BTS is in range. All communications are first tried on this ARFCN and only then on other ones. Right? On Thu, Feb 2, 2012 at 22:43, Kurtis Heimerl <kheimerl(a)cs.berkeley.edu> wrote: > This is part of my thesis work at Cal, yes. Range is not in any way involved. > > That's roughly the use case, areas where there are too few users to > keep a BTS in constant use. Our designs allow the power usage to scale > with the number of users, rather than sit at a fixed output, as they > do now. The BTS side is simple; the osmocom side is complicated. We > have a handset that can wakeup a sleeping tower, or a "wakeup button" > device which only transmits when a button is pressed. That thing is ~5 > bucks and can probably be attached to the back of a legacy phone in > case we can't convince a large manufacturer to incorporate our changes > into the baseband. > > Anyhow, the code is online if you're interested in looking at our > progress (https://github.com/kheimerl). It's nowhere near ready, but > you're a very knowledgeable guy, and I'd be happy to hear your > opinions on any of our designs. > > On Thu, Feb 2, 2012 at 10:37 AM, Alexander Chemeris > <alexander.chemeris(a)gmail.com> wrote: >> Is it a part of your TIER university work? >> I wonder about use cases for this. >> >> One use case I see is when you have a BTS which is rarely used, like >> in a desert and you don't want it to work all the time. What use cases >> do you plan to use it for? >> >> On Thu, Feb 2, 2012 at 22:03, Kurtis Heimerl <kheimerl(a)cs.berkeley.edu> wrote: >>> >>> Yeah, and we have that working. >>> >>> On Thu, Feb 2, 2012 at 12:56 AM, Alexander Chemeris >>> <alexander.chemeris(a)gmail.com> wrote: >>> > On Thu, Feb 2, 2012 at 12:08, Kurtis Heimerl <kheimerl(a)cs.berkeley.edu> wrote: >>> >> I think I looked at that... I'll give you some context. >>> >> >>> >> We've modified osmocom to "wakeup" a specific tower at a specific >>> >> ARFCN. >>> > >>> > Interesting. Do you mean you send some packet to a "sleeping" BTS to wake it up? >>> > >>> > -- >>> > Regards, >>> > Alexander Chemeris. >> >> >> >> >> -- >> Regards, >> Alexander Chemeris. -- Regards, Alexander Chemeris.

12 years, 2 months

3
3
0 0

Re: Operator name in cell_log log file

by Andreas Eversberg

Dario Lombardo wrote: > Why doesn't cell_log write the operator name in its log file? Is there > any issue related to it? > Attached a patch to log operator name and country. > Dario. hi dario, the reason for that is that cell_log only logs the raw data. later it can be decoded (e.g. by gsmmap tool) with all the info you like. decoding things like "operator" could lead to the following problems when they are stored in the log file: - operator names may change - list of operators may have wrong names or is incomplete - decoding functions may have bugs, so they might output wrong results - decoding several informations would inflate the log file - someone using the log file may not care about operator names in the past we had a bug in the frequency list decoder. after i fixed it, i just parsed my log file again and got the right frequencies. if you need to know what operators you have in your log, i suggest to write a tool that parses the log file and outputs a list of operator infos and other infos you like. look at "gsmmap" to see how it is done. regards, andreas

12 years, 2 months

1
0
0 0

develop a software radio front end

by Jerry Giant

Proposal to develop a software front end Hi, list. --Intro: After watching ccc camp videos, I bought myself a moto c118 and run the Osmocom-bb software on it. It's great fun to get a free software running on proprietary hardware, and so much could be learned from the source code. But what to do when the gray market stock sold out, or some one want to pick up the task of implementing the hardware in a open source fashion? OpenBTS used USRP to implement its radio, but USRP is aged, and it's documentation and price is not so friendly as I see. If further sub projects of osmocom matured, still we have to stick on the hacking hardware would not be so fun. To better the integrity and usefulness of the whole project, we can design and build a software radio front end for osmocom project. Interested? --Background: I am a Chinese electronic engineer working at small company in China, working on machine vision, now our product is building a FPGA/TI DSP based embedded device. I have some free time to learn and very interested in build a software radio front end. --Initial Thought: The goal of build a Osmocom Software Radio Kit, is to build a multipurpose radio front end which compatible to All or Most air interfaces now osmocom is interested. Interfacing an emulated Calypso DSP interface is way to reuse the code, or build another L1 dedicated for OSRK is an option. The hardware spec could be much better than USRP as vendor's products line evolved, but OSRK better to be mobile, has modular RF power amplifier interface, and battery powered. --Hardware Specification: Let get started.

12 years, 2 months

3
2
0 0

RSSI firmware

by Dario Lombardo

Hello everybody I'm trying to use the RSSI firmware on a c118 and c115. Both of them give me this error host/osmocon/osmocon -p /dev/ttyUSB0 -m c123xor target/firmware/board/compal_e88/rssi.compalram.bin got 1 bytes from modem, data looks like: 04 . got 1 bytes from modem, data looks like: 81 . got 5 bytes from modem, data looks like: 1b f6 02 00 41 ....A got 1 bytes from modem, data looks like: 01 . got 1 bytes from modem, data looks like: 40 @ Received PROMPT1 from phone, responding with CMD The maximum file size is 64kBytes (65535 bytes) read_file(target/firmware/board/compal_e88/rssi.compalram.bin) failed with -27 Do I need to do something different to load this FW or simply my phones have no enough room for it? Thanks for your help. Dario.

12 years, 2 months

5
7
0 0

gsm322.c Bug Fix Patch

by Kurtis Heimerl

Just a quick bug fix to gsm322.c. Basically, there were two commands in an "else" block without brackets, causing the "end = 1023+299" command to execute regardless of the state of index.

12 years, 2 months

4
8
0 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

baseband-devel February 2012