Dear all, I vae the C115 with a T1 USB to Serial cable with the Prolific
chipset.
When i run osmocon i get :- an its just sits there with no further
processing.
./osmocon -p /dev/ttyUSB0 -m c123xor
../../target/firmware/board/compal_e88/loader.compalram.bin
read_file(../../target/firmware/board/compal_e88/loader.compalram.bin):
file_size=17120, hdr_len=4, dnload_len=17127
read_file(../../target/firmware/board/compal_e88/loader.compalram.bin):
file_size=17120, hdr_len=4, dnload_len=17127
got 1 bytes from modem, data looks like: 00 .
got 2 bytes from modem, data looks like: 2f 00 /.
got 1 bytes from modem, data looks like: 1b .
got 3 bytes from modem, data looks like: f6 02 00 ...
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 01 .
got 1 bytes from modem, data looks like: 40 @
Received PROMPT1 from phone, responding with CMD
got 1 bytes from modem, data looks like: 66 f
got 1 bytes from modem, data looks like: 74 t
got 1 bytes from modem, data looks like: 6d m
got 1 bytes from modem, data looks like: 74 t
got 1 bytes from modem, data looks like: 6f o
got 1 bytes from modem, data looks like: 6f o
got 1 bytes from modem, data looks like: 6c l
Received FTMTOOL from phone, ramloader has aborted
got 1 bytes from modem, data looks like: 65 e
got 1 bytes from modem, data looks like: 72 r
got 1 bytes from modem, data looks like: 72 r
got 1 bytes from modem, data looks like: 6f o
got 1 bytes from modem, data looks like: 72 r
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 00 .
I think the cable is ok as when i run my fingers on the tip i get random
Zeros so it appears to be talking to the cable.
Also when i tried to run Mobile i get the :- even though i created the
Mobile.cfg file in /etc/osmoco
Failed to parse the config file: '/home/raz/.osmocom/bb/mobile.cfg'
Please check or create config file using: 'touch
/home/raz/.osmocom/bb/mobile.cfg'
I have spent some hours researching the lists and trying various things to
no avail but I want to continue until I resolve this issues and use this
great stack to learn about the GSM network.
Please advise.
Great full for any help or pointers but this maybe a timing issue that is
difficult to debug.
Thanks
Raz
hi,
i did a lot of resarch and testing on cell selection and re-selection
process the last two week.
the cell selection process, network selection process (manual and
automatic) and mobility management process were already implemented in
OsmocomBB a long time, but turned out to be buggy and incomplete. i made
test drives to check the process and debugged it.
the re-selection process is new. it is used to track surrounding cells
while listening to the BCCH of the current cell (camping on a cell).
special extension to the layer1 firmare is used to measure neighbour
cells. if an neighbour cell becomes 'better', the mobile switches to
that cell, depening on different criteria. now it is possible to move
with OsmocomBB.
the re-selection process is not handover! handover is a process where a
phone switches between cells while doing a call. handover is one next
step to implement. the process is a little more complex, because it
requires not only neighbour cell measurements, but also syncing to them
without interrupting the traffic channel. most layer 3 stuff of handover
is already implemented.
if you like to play and test your moving OsmocomBB, you can check out
the "jolly/roaming" branch. it contains the extension to layer1, as well
as sim reader and fixes from "sylvain/testing" branch. use both "mobile"
and "layer1" firmware from this branch.
in order to see some process at VTY, you can do:
enable
monitor network 1 (continously display the strongest cell and neighbour
cells)
show ms 1 (to see current states)
show neighbour-cells 1 (to see a more detailed current list of
neighbours)
andreas
hi josephli,
> Read stored BA list mnc=01
the mobile application stores the last cells and neighbour cells (band
allocation) of each network. this way the scanning is much
faster when restarting. because you use the SIM card with MNC == 02 the
first time, there is no band allocation stored for that. the mobile will
do a full scan in this case.
> while the sim card service I am tesing is actually with mnc 00 and 02.
i know that MNC == 0 will not work until i commited improvements of cell
selection process last sunday. you should retry that, but first try with
an MNC > 0.
can you provide debug output when trying a call?
also can you provide VTY output of "show ms" before you make the call?
regards,
andreas
hi,
i just fixed some locking issues the last days. fix will follow. it took
a bit longer, because there were some race conditions. it took up to
about one hour until it crashed. my way to detect the area where the
crash happened, was to turn on buzzer before that area, and turn it off
after that area. after many hours of approximation, i finally found out
that the major crash happend during _talloc_zero. (first it looks for a
free memory chunk, then it allocates it.) since it can be called from
all contexts (main, irq, fiq), it need to be locked against any
interrupt, otherwise the memory chunk can be assigned multiple times.
(the process of _talloc_free is "atomic" and requires no locking.)
because it seems pretty stable, i think it is time to merge some
branches into the master. (i made a 6 hours call yesterday. and no crash
after bugfix ever since.) i will do that together with sylvain, if we
find the time this weekend.
currently i use the jolly/voice together with the sylvain/traffic
branch. i am able to use an isdn phone togehter with linux-call-router
and make/receive calls. audio is passed both ways. i think this is a
stage where it actually become "usable". (if not moving arround.)
one of my major work for the next weeks/months will be the neighbour
cell measurement, cell re-selection, and handover. this is essential
when moving with the phone.
regards,
andreas
I've pulled git repo today, but the RSSI firmware gets an error.
apps/rssi/main.c: In function `main':
apps/rssi/main.c:896: warning: 'a' might be used uninitialized in this
function
apps/rssi/main.c:896: warning: 'e' might be used uninitialized in this
function
CC board/compal_e88/rssi.compalram.manifest.o
LD board/compal_e88/rssi.compalram.elf
OBJ board/compal_e88/rssi.compalram.bin
CC board/compal_e88/rssi.highram.manifest.o
LD board/compal_e88/rssi.highram.elf
OBJ board/compal_e88/rssi.highram.bin
CC board/compal_e88/rssi.e88loader.manifest.o
LD board/compal_e88/rssi.e88loader.elf
OBJ board/compal_e88/rssi.e88loader.bin
CC board/compal_e88/rssi.e88flash.manifest.o
LD board/compal_e88/rssi.e88flash.elf
OBJ board/compal_e88/rssi.e88flash.bin
CC board/compal_e86/rssi.compalram.manifest.o
LD board/compal_e86/rssi.compalram.elf
arm-elf-ld: region LRAM is full (board/compal_e86/rssi.compalram.elf
section .data)
make[1]: *** [board/compal_e86/rssi.compalram.elf] Error 1
make[1]: Leaving directory src/target/firmware'
make: *** [firmware] Error 2
$ git pull
Already up-to-date.
$
Anyone experiencing the same issue?
...a never ending story:
i have a working ftdi-ttl, but the cp2102-adapters
(http://www.ebay.de/itm/USB-2-0-to-UART-TTL-6PIN-Module-Serial-Converter-CP2…)
with the same cable dont work under ubuntu or windows.
if i rub the top of the 2.55mm with my finger random data appears. but the
loader doesnt upload the firmware.
i used the txd, rxd and gnd pins and checked the connections with a
multimeter.
i tested -m c123xor, -m c123 and the default firmware. flashing custom
baudrates was no problem.
rivers are installed correctly (stady ttyusb0 under ubuntu/ com1 under win).
is there any hint?
--
View this message in context: http://baseband-devel.722152.n3.nabble.com/cp2102-betemcu-B75937-tp3489336p…
Sent from the baseband-devel mailing list archive at Nabble.com.
Hi,
I've hacked something together to quickly test non-combined CCCH.
However, I've hit a problem when trying to receive anything on another
timeslot than 0.
The TX side seems to work fine as the BTS can see my location update
request and answers with a reject, but on the MS side, I never see the
reject and wireshark only shows invalid incohrent data on the RX.
The frames for SDCCH/8 show really nothing valid (looks like random
bytes), things like
09 80 7f 47 49 06 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
09 00 47 d5 2d 06 1e 00 00 69 7c a0 91 3d 22 ff ab fe 6c 4f 56 4f 36
...
while the frames for the associated SAACH show at least something gsm-like :
03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
but that's not quite a SI5/6 ...
To RX/TX on TS=1, I just delayed the RX/TX window by 625 bits (4 *
156.25) when I'm in dedicated channel mode by chaning the 'start' in
l1s_tx_win_ctrl / l1s_rx_win_ctrl
Is there something else that should be done ?
Cheers,
Sylvain
Hi Sylvain, hi list!
I'm experimenting with burst_ind and TCHs right now and ran
into some problem I couldn't solve yet.
After receiving an Assignment Command for a hopping TCH/F I
call l1ctl_tx_dm_est_req_h1() with all necessary parameters
and tch_mode GSM48_CMODE_SPEECH_V1 or _EFR.
After that I do get burst indications containing the received
bits on up- and downlink for the active arfcn on each
consecutive frame number.
BUT the rx level measurements are most of the time very low
and sporadic higher, surely not from that nearby bts and the
very close cellphone.
It looks like the layer1 doesn't "hit" the right timeslot
on the right arfcn at the right time.
There are some possible sources of error leading to that, like
hopping parameters, channel number and MA list.
But I checked these and I took all of them directly from the
ASS CMD, the MA as word list in ascending order, like in layer23
IMM ASS handling.
The specific AC doesn't have any specialties like Starting Time
or "before time" parameters.
So my question is if there is some obvious pitfall I'm missing
and are there any suggestions how to debug that?
Regards,
Mad
Hi,
I am trying to use burst_ind branch of osmocom. I have noticed that layer23 creates bursts****.dat files when it indicates uplink. What data are written to these files and what should I use to see its data? Thank you.
Hi,
I have a git clone from 23.01.2012 and a current git clone.
When I compile both and use the mobile appliation, I have a strange
problem in the current code. Very often I can't send USSD codes (and maybe
also can't communicate in other ways; USSD is the costless way to check
whether I am connected or not).
Ok, this is what I do: I send "service 1 *#21#", wait the answer and the
string "% On Network, normal service: Germany, O2". Then send it again and
so on.
With the old code, I reliable get the answer e.g. "% Status: deactivated".
With the new code, I very often (sometime already when trying first time)
get nothing back and after some seconds only "% Service connection
terminated.".
Can someone confirm this behavior?
Thanks
Tim
Hi!
Recently we've had the idea of using OsmocomBB with a simple firmware
that synchronizes to an existing GSM networks FCCH and use the resulting
13MHz clock to drive the USRP for airprobe or OpenBTS.
Ideally, we would even use the Calypso-internal PLL (for ARM or DSP) to
multiply it up to the required 52 MHz. However, neither the Openmoko
nor the Compal/Motorola phones expose any of the 3 clock output pads :(
So the only choice is to use something along the lines of the
http://focus.ti.com/docs/prod/folders/print/cdcvf25084.html
as a quad clock multiplier and attach it to the CLK13OUT signal of the
phone.
The chip is available for 9 USD in single quantities at digikey, and
possibly cheaper at other sources. Combined with a sub-20EUR phone it
might be a very cheap but still accurate frequency source for OpenBTS -
at least as long as there are any commercial gsm networks available.
Regards,
Harald
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
Hi,
Nuttx is BSD licensed while osmocom-bb's src/target/firmware is GPLv2(or
later).
Mixing GPlv2 and BSD code is legally possible.
As I understand it the whole work becomes GPLv2 when the code is mixed,
the BSD part however can be used independently of the GPL part if you strip
out the GPL part and the BSD copyright headers have to remain intact.
The problem is that upstream(nuttx) will unlikely accept GPL code as-is for
inclusion in nuttx.
However there is a misc directory for software made under different licenses
such as applications or drivers(there is one GPL driver for the rtl8187x wifi
chipsets).
To use the driver the user is expected to run a script that install the driver
in nuttx normal source code directory.
The list of files touched by the patches mades on top of nuttx and their
licenses is listed here:
http://bb.osmocom.org/trac/wiki/nuttx-bb/code-audit
Basically the GPL parts are composed by :
* the irq
* the timer
* the clock
* the uart
some of the related files have the following authors(can be combined
together):
* Harald Welte
* Stefan Richter
* Ingo Albrecht
I guess Stefan Richter and Ingo Albrecht will be hard to reach.
So I wonder what's the best thing to do.
Denis.
hi,
i improved the generation of neighbour cells of openbsc. the patch is
committed at origin/jolly/rtpmux.
it generated the system information messages of neighbour cells in the
same and in other bands. depending on the location of the bcch and the
neighbour cells, the messages SI 2/5 and optionally SI 2bis/5bis and SI
2ter/5ter are generated.
i have tested it with several configurations. i would like to commit it
to master. any suggestions?
regards,
andreas
Hi,
Alan Carvalho de Assis and me have been working on making nuttx-bb
work on our phones( I've a gta02 and he has a Motorola W220) and
here are the patches(against nuttx-bb).
To try it, clone nuttx-bb and osmocom-bb, put it in the same
directory and keep the name of the osmocom-bb directory.
Then put the gnuarm(for 64bit) or the codesourcery(for 32bit)
in your path(there is a problem with gnuarm for 32bit).
Compile osmocom-bb as usual(cd osmocom-bb/src && make).
Then go in nuttx-bb directory and do:
cd nuttx/tools/
./configure.sh compal_e88/nsh #for for compal_e88( gta02 and Motorola W220).
./configure.sh compal_e99/nsh #we need testers for compal_e99, we don't have one.
cd ../
make
That will create a nuttx.bin, load it as usual(like any other firmware for
your calypso).
Then the following will appear:
Finished, sent 63 blocks in total
Received block ack from phone
Sending checksum: 0x66
Checksum on phone side matches, let's branch to your code
Branching to 0x00820000
Received branch ack, your code is running now!
NuttShell (NSH)
To send commands to the shell you need to run loadwriter.py
that is included in the source code at:
nuttx/drivers/sercomm/loadwriter.py
The list of commands can be found by typing help.
Denis.
Hello,
I need to set originating address in MO SMS (SM submit, SM-RP-OA field)... I found this field in src/host/layer23/src/mobile/gsm411_sms.c -->
/* no orig Address */
data = (uint8_t *)msgb_put(msg, 1);
data[0] = 0x00; /* originator length == 0 */
Field has 0 length. Can anybody pleas help me how to set this field to some MSISDN...I know that there must be some fields for TON,NPI, number ... but I don't know how to write these fields into source code...
With this change i want to find out how MSC behave when is field SM-RP-OA set to some real MSISDN.
Thank you!
Andrew
Hello,
I need to set originating address in MO SMS (SM-RP-OA)... I found this field in src/host/layer23/src/mobile/gsm411_sms.c -->
/* no orig Address */
data = (uint8_t *)msgb_put(msg, 1);
data[0] = 0x00; /* originator length == 0 */
Field has 0 length. Can anybody pleas help me how to set this field to some MSISDN...I know that there must be some fields for TON,NPI, number ... but I don't know how to write these fields into source code...
With this change i want to find out how MSC behave when is field SM-RP-OA set to some real MSISDN.
Thank you!
Andrew
hi,
Me and Alan Carvalho de Assis tried nuttx-bb on the calypso and we failed to
get any serial or sercomm output.
The setup:
------------
1) clone the following repository(or add as remote and checkout the correct
branch):
git://git.osmocom.org/osmocom-bbgit://gitorious.org/gnutoo-s-for-upstream-osmocom-bb-and-nuttx-bb/nuttx-bb-
gta02.git
osmocom-bb and nuttx-bb-gta02 must be in the same directory.
nuttx-bb-gta02 has 2 small patches made by me.
One is for fixing compilation.
And the other one is the result of a diff between compal_e99's init.c and the
gta02's init.c
2) setup the toolchain:
we didn't use gnuarm toolchain because it gave that when compiling nuttx-bb:
arm-elf-ld: ERROR: /home/gnutoo/temp/osmo/nuttx-bb-gta02/nuttx/../../osmocom-
bb/src/target/firmware/comm/libcomm.a(sercomm.o) uses hardware FP, whereas
/home/gnutoo/temp/osmo/nuttx-bb-gta02/nuttx/nuttx uses software FP
So we tried the arm-2010.09 codesourcey
we put it in the path.
3) compile osmocom-bb:
cd osmocom-bb/src
make clean
make
cd ../../
3) compile nuttx-bb:
cd nuttx-bb-gta02/nuttx
cd tools
./configure.sh compal_e99/nsh
cd ../
make CROSSDEV="arm-none-eabi-" clean
make CROSSDEV="arm-none-eabi-"
that gives a file named nuttx.bin
Then I tried it to load on my om-gta02:
scp nuttx.bin root(a)192.168.7.2:
ssh root(a)192.168.7.2
root@om-gta02:~# /etc/init.d/dbus-1 stop
Stopping system message bus: root@om-gta02:~# /etc/init.d/xserver-nodm stop
Stopping XServer
root@om-gta02:~# osmocon -i 13 -m romload -p /dev/ttySAC0 nuttx.bin
and on another console:
ssh root(a)192.168.7.2
root@om-gta02:~# echo 1 > /sys/bus/platform/devices/gta02-pm-gsm.0/download
root@om-gta02:~# echo 0 >/sys/bus/platform/devices/gta02-pm-gsm.0/power_on
root@om-gta02:~# echo 1 >/sys/bus/platform/devices/gta02-pm-gsm.0/power_on
which results in the following on the first console:
[...]
Finished, sent 63 blocks in total
Received block ack from phone
Sending checksum: 0xf6
Checksum on phone side matches, let's branch to your code
Branching to 0x00820000
Received branch ack, your code is running now!
but nothing on sercomm.
And nothing on IRDA serial port either....
and IRDA serial cable works too:
if I do that again:
root@om-gta02:~# echo 0 >/sys/bus/platform/devices/gta02-pm-gsm.0/power_on
root@om-gta02:~# echo 1 >/sys/bus/platform/devices/gta02-pm-gsm.0/power_on
I get the default modem software messages on the serial port...
Previously I tried to print on the IRDA serial port with:
cons_puts("HELLO WORLD\n\n");
in apps/examples/hello/main.c and of course enabling the hello world
application in the apps config.
Nothing was printed either....
here's the app config:
CONFIGURED_APPS += examples/hello
in apps/.config
And here's the diff for the application:
diff --git a/apps/examples/hello/main.c b/apps/examples/hello/main.c
index 308603f..db55ac3 100644
--- a/apps/examples/hello/main.c
+++ b/apps/examples/hello/main.c
@@ -58,7 +58,10 @@
int user_start(int argc, char *argv[])
{
- printf("Hello, World!!\n");
- return 0;
+ while (1){
+ cons_puts("HELLO WORLD\n");
+ printf("Hello, World!!\n");
+ }
+ return 0;
}
Alan Carvalho de Assis tried on features phones and not on the gta02 with the
same result...
Denis.
Hi,
in some usecases, for people knowing what they are doing, it maybe an
advantage to control osmocombb over the network. Since the VTY is already
network capable, it just needs to bind to an alternative network interface
than localhost.
Here is a patch for layer23 (mobile), having an option "-u" (because -v is
the port). Passing "-u 0.0.0.0" would bind to any interface.
If you think it is useful, please commit it in the git.
Cheers
Tim
Hi
I've a problem with the mobile application since ~1 month. Registering in the network always fails and I don't have any idea why. It used to work in the past, but currently it is not working. Independently from the osmocom version i use (even the version from december 2011 which had worked once now always fail).
I am using a C123 with an ftdi cable and the testing branch from sylvain. I tried sim cards for Vodafone/O2/Eplus.
The related outputs/logs are the following:
Output on telnet interface:
OsmocomBB#
% (MS 1)
% Searching network...
% (MS 1)
% Trying to registering with network...
layer 1 output:
http://pastebin.com/c0AhJ3gt
mobile app output:
http://pastebin.com/vP0YPfpT
Any suggestions are appreciated!
greetings
Philip
Hello,
Does anyone have a comprehensive list of USSD commands (either at the MS and
server sides ), or a link to such a resource ?
Regards,
Abdul Hakeem
Hello.
I'm trying to figure out what am i doing wrong for days, and i can't. I'm
doing GSM security research for my university.
I sniffed A5/1 encrypted bursts of my mobile phone with known KC. The
example of burst output is below(C-cyphertext, P-plaintext, F- decoded
data):
> C 2310735
> 111000010011011101110001010111110100001010101111110001110100011010011011101100101100010010011011010100101111100111
> P 2310735
> 100000000001110111010100000000000001000011011101000000001000000000010101110100000100000010000101010111010101000010
> C 2310736
> 101110101001101010010111111111101010111001111001001110011000011111011001010010010111110010010000111000111011100011
> P 2310736
> 101011111111010101010001100000101010111111010101000100001010111110111101110100010010100010111011111101010001001010
> C 2310737
> 100011010101111101001111011110111010100001010010100010010110000010111110001011010010100111101000011110010100100101
> P 2310737
> 000100010111010100010000101000010100011101010000000010100001000101110101010000000000100001000111010101000000001010
> C 2310738
> 100011100100110101110100001001001111110110110000001101100110001101100011011000011011111111011100101110100000101111
> P 2310738
> 010100001000101011101101010101010100001010111111110101110100000010101010101011010101010100001000101010101101110101
> F 1 22 9 6 32 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
> C 2310752
> 110011010101101010011000000101011010111000001111110111011101011010111101110101000101101001110001000000100000101011
> P 2310752
> 111000101001100101011000011010100001110010100101111101010011000111000111011100110001111110111100000111110100000101
> C 2310753
> 011010111101000101101001001111001001100001101010001011110111011000010101100001000100101010100110110100001000110111
> P 2310753
> 000011111011011101100101100000101011111000100110110001010110010011101111111011000000110010011110001011011000010010
> C 2310754
> 011011000011001100000110001110000011010100000101100000011111101100101000011001001010100001011100001011111011001011
> P 2310754
> 100000010010110101010001101110110100000110011101010111100010100000001001010101011001001001100010101101110100101010
> C 2310755
> 001001010111101010011010100110100011101001010101010010001011111101001000000111101101001011001111001001010001010011
> P 2310755
> 111001001001100011101001100100110100100000110010100110011101010000101010010010101011010001011000000001001100101111
> F 5 3 3 3 2d 6 1e 7 1e 92 f3 14 0 3b 97 88 2b 2b 2b 2b 2b 2b 2b
As you can see frames are decoded correctly and they are correctly
displayed in wireshark.
If i put XOR-ed value betwene cyprtext and plaintext-> keystream to kraken,
i don't get any usefull results only the ones that do not produce correct
KC. i calculate frame count correctly, because i test it with data from
http://lists.lists.reflextor.com/pipermail/a51/2010-July/000803.html.
Kraken works correctly for me since i can get correct kc with keystream
from http://lists.lists.reflextor.com/pipermail/a51/2010-July/000688.html.
The ouput bursts in example above are written using following lines of code:
for (i=0; i<57; i++)
fprintf( app_state.fh, "%d", bt[i] );
for (i=59; i<116; i++)
fprintf( app_state.fh, "%d", bt[i] );
where bt is generated using:
osmo_pbit2ubit_ext(bt, 0, bi->bits, 0, 57, 0);
osmo_pbit2ubit_ext(bt, 59, bi->bits, 57, 57, 0);
Can you help me identify why can't i correctly crack bursts?
Thanks!
Hello,
I have a ursp1 working fine and I want to use my c123 to conenct to it
with osmocombb.
Now I face some problems. First of all I have no sim, so I do:
sim testcard 1 001 01
The usrp runs a testnetwork (001 01)
I don't know how I can associate with the usrp. I tried:
network search (lot of output and also my testnet)
network show (nothing happens)
network select 1 001 01: Network not in list!
Any idea what I'm doing wrong? Would be really Cool if i could use
opensource only.
With best regards,
Paul
Hi,
I just saw the talk of Karsten Nohl at 28C3 and ask myself if it would be
possible to trigger a new session key (KC) after every e.g. Call,SMS,USSD
and silent SMS :) for next event.
I mean it seems that e.g. in O2 Network in germany the key never changes,
only when turning off and on the phone and after many events.
For O2 it maybe enough to reconnect to the network? I really would like to
get a somewhat secure GSM connection for my anchor mobile at home
(remotely controlled from the PC) for my nationwide homezone (BWHZ),
using osmocombb. :)
Has anyone a suggestion, idea?
Thanks
Tim
FYI, I have committed a 'git-subtree' update of libosmocore to
osmocom-bb earlier today. It seemed non-intrusive to me, as most of the
changes were in testing and gsm 08.08 code, both of which are not used
in the ARM-target builds.
Nonetheless, if you experience strange new problems, the libosmocore
update might be a possible cause.
The update was required due to a __attribute((packed)) fix by Andreas to
some GSM 04.08 structures...
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
Hallo all.
I have been playing around with OsmoscomBB for GSM voice traffic and
capture. My interested has now stemmed into USSD traffic. Whenever I
initiate a ussd session, I get the error "Session Terminated". Has anyone
attempted to capture ussd sessions using the Motorola C123 or do I need
specialized equipment for this?
Also, am looking into researching more into ussd because here in Africa,
specifically Kenya, there is a proliferation of financial services over
USSD and this begs the question just how secure is it? If anyone on the
list might have done a bit of digging around I'd really love to share
learnings and insights.
-ty
Hi,
I'm getting kind of annoyed by the new >64k firmwares that need
to be loaded via osmoload. Included patch #2 adds a "-a" option
to osmocon that runs an arbitrary script after the main firmware
has been successfully uploaded to the phone.
This script could, for example, then handle upload of a second
stage firmware via osmoload. Also layer23 could be started here
just before uploading layer1.
The script will be given the socket, serial port, loader method
(c123xor...) and main firmware as arguments, those can be used
to distinguish several phones that are connected to the same PC.
Example usage (using attached osmoload.sh script):
osmocon -p /dev/ttyUSB0 -m c155 -a .../osmoload.sh \
.../board/compal_e99/loader.compalram.bin
Received DOWNLOAD ACK from phone, your code is running now!
OSMOCOM Loader (revision osmocon_v0.0.0-1299-g7c08201)
(---- 2 second delay ----)
[osmoload.sh] Socket is /tmp/osmocom_loader, port is /dev/ttyUSB0.
[osmoload.sh] Loader method was c155.
[osmoload.sh] New firmware will be
osmocom-bb/src/target/firmware/board/compal_e99/rssi.highram.bin.
Received pong.
Loading 75472 bytes of memory to address 0x820000 from file
osmocom-bb/src/target/firmware/board/compal_e99/rssi.highram.bin
..................................................................
Chris
Hi Kurtis,
(I'm changing subject to the actual topic of this discussion)
Yes, I quickly looked through your code. Looks like a big hack right
now, but I guess it's meant to be a hack at this point :)
So, your idea is to manipulate Tx power of a BTS to cover only
actually working handsets, if I understand correctly. It's not
possible to do with a normal GSM phone, because phone does not
transmit until it sees a beacon. So you want to create a "wake up BTS"
channel to get around. Am I following your logic correctly?
It does look like an interesting idea if could be done dirt-cheap. But
how do you plan to do paging in this system? I see the only way - to
use the same "wake up channel", but in other direction. So basically
you have a network-specific "default" ARFCN which is used when no
active BTS is in range. All communications are first tried on this
ARFCN and only then on other ones. Right?
On Thu, Feb 2, 2012 at 22:43, Kurtis Heimerl <kheimerl(a)cs.berkeley.edu> wrote:
> This is part of my thesis work at Cal, yes. Range is not in any way involved.
>
> That's roughly the use case, areas where there are too few users to
> keep a BTS in constant use. Our designs allow the power usage to scale
> with the number of users, rather than sit at a fixed output, as they
> do now. The BTS side is simple; the osmocom side is complicated. We
> have a handset that can wakeup a sleeping tower, or a "wakeup button"
> device which only transmits when a button is pressed. That thing is ~5
> bucks and can probably be attached to the back of a legacy phone in
> case we can't convince a large manufacturer to incorporate our changes
> into the baseband.
>
> Anyhow, the code is online if you're interested in looking at our
> progress (https://github.com/kheimerl). It's nowhere near ready, but
> you're a very knowledgeable guy, and I'd be happy to hear your
> opinions on any of our designs.
>
> On Thu, Feb 2, 2012 at 10:37 AM, Alexander Chemeris
> <alexander.chemeris(a)gmail.com> wrote:
>> Is it a part of your TIER university work?
>> I wonder about use cases for this.
>>
>> One use case I see is when you have a BTS which is rarely used, like
>> in a desert and you don't want it to work all the time. What use cases
>> do you plan to use it for?
>>
>> On Thu, Feb 2, 2012 at 22:03, Kurtis Heimerl <kheimerl(a)cs.berkeley.edu> wrote:
>>>
>>> Yeah, and we have that working.
>>>
>>> On Thu, Feb 2, 2012 at 12:56 AM, Alexander Chemeris
>>> <alexander.chemeris(a)gmail.com> wrote:
>>> > On Thu, Feb 2, 2012 at 12:08, Kurtis Heimerl <kheimerl(a)cs.berkeley.edu> wrote:
>>> >> I think I looked at that... I'll give you some context.
>>> >>
>>> >> We've modified osmocom to "wakeup" a specific tower at a specific
>>> >> ARFCN.
>>> >
>>> > Interesting. Do you mean you send some packet to a "sleeping" BTS to wake it up?
>>> >
>>> > --
>>> > Regards,
>>> > Alexander Chemeris.
>>
>>
>>
>>
>> --
>> Regards,
>> Alexander Chemeris.
--
Regards,
Alexander Chemeris.
Dario Lombardo wrote:
> Why doesn't cell_log write the operator name in its log file? Is there
> any issue related to it?
> Attached a patch to log operator name and country.
> Dario.
hi dario,
the reason for that is that cell_log only logs the raw data. later it
can be decoded (e.g. by gsmmap tool) with all the info you like.
decoding things like "operator" could lead to the following problems
when they are stored in the log file:
- operator names may change
- list of operators may have wrong names or is incomplete
- decoding functions may have bugs, so they might output wrong results
- decoding several informations would inflate the log file
- someone using the log file may not care about operator names
in the past we had a bug in the frequency list decoder. after i fixed
it, i just parsed my log file again and got the right frequencies.
if you need to know what operators you have in your log, i suggest to
write a tool that parses the log file and outputs a list of operator
infos and other infos you like. look at "gsmmap" to see how it is done.
regards,
andreas
Proposal to develop a software front end
Hi, list.
--Intro:
After watching ccc camp videos, I bought myself a moto c118 and run
the Osmocom-bb software on it. It's great fun to get a free software
running on proprietary hardware, and so much could be learned from
the source code. But what to do when the gray market stock sold out,
or some one want to pick up the task of implementing the hardware in a
open source fashion?
OpenBTS used USRP to implement its radio, but USRP is aged, and it's
documentation and price is not so friendly as I see.
If further sub projects of osmocom matured, still we have to stick on
the hacking hardware would not be so fun. To better the integrity and
usefulness of the whole project, we can design and build a software
radio front end for osmocom project.
Interested?
--Background:
I am a Chinese electronic engineer working at small company in China,
working on machine vision, now our product is building a FPGA/TI DSP
based embedded device. I have some free time to learn and very
interested in build a software radio front end.
--Initial Thought:
The goal of build a Osmocom Software Radio Kit, is to build a
multipurpose radio front end which compatible to All or Most air
interfaces now osmocom is interested. Interfacing an emulated Calypso
DSP interface is way to reuse the code, or build another L1 dedicated
for OSRK is an option. The hardware spec could be much better than
USRP as vendor's products line evolved, but OSRK better to be mobile,
has modular RF power amplifier interface, and battery powered.
--Hardware Specification:
Let get started.
Hello everybody
I'm trying to use the RSSI firmware on a c118 and c115. Both of them give
me this error
host/osmocon/osmocon -p /dev/ttyUSB0 -m c123xor
target/firmware/board/compal_e88/rssi.compalram.bin
got 1 bytes from modem, data looks like: 04 .
got 1 bytes from modem, data looks like: 81 .
got 5 bytes from modem, data looks like: 1b f6 02 00 41 ....A
got 1 bytes from modem, data looks like: 01 .
got 1 bytes from modem, data looks like: 40 @
Received PROMPT1 from phone, responding with CMD
The maximum file size is 64kBytes (65535 bytes)
read_file(target/firmware/board/compal_e88/rssi.compalram.bin) failed with
-27
Do I need to do something different to load this FW or simply my phones
have no enough room for it?
Thanks for your help.
Dario.
Just a quick bug fix to gsm322.c. Basically, there were two commands
in an "else" block without brackets, causing the
"end = 1023+299"
command to execute regardless of the state of index.