baseband-devel February 2014

baseband-devel@lists.osmocom.org

15 participants
28 discussions

Start a nNew thread

Engagetted !

by Sébastien Lorquet

http://www.engadget.com/2010/12/29/researchers-eavesdrop-on-encrypted-gsm-c… Congrats!

8 months, 3 weeks

Sniffing GPRS

by canarion

Hi, After compiling osmocom-bb and apply sylvain/burst_ind branch and gprs_multi.patch, I execute it and try to sniff gprs traffic. I loaded the layer1 into my C139 and I obtained an ARFCN code (883). When I run ccch_scan -a 883 I get the next result: opyright (C) 2010 Harald Welte <laforge(a)gnumonks.org> Contributions by Holger Hans Peter Freyther License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Failed to connect to '/tmp/osmocom_sap'. Failed during sap_open(), no SIM reader <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(1476410343) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(1207963561) <0001> app_ccch_scan.c:400 Paging1: Normal paging chan tch/f to TMSI M(0x1ad1cda) <0001> app_ccch_scan.c:403 Paging2: Normal paging chan tch/f to TMSI M(0x41ae98f9) <0001> app_ccch_scan.c:426 Paging3: Normal paging chan n/a to imsi M(214031385056117) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3306441249) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214031482053520) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214036185306441) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4207880193) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4135931713) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4214223105) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3388536385) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(134915836) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3961436929) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4229756769) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(531909) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214034185316455) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3829437761) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214033485554660) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3639403521) <0001> app_ccch_scan.c:105 SI1 received. <0001> app_ccch_scan.c:464 unknown PCH/AGCH type 0x00 <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3827744513) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(335734299) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3561969409) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4294310401) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3698994241) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3682615617) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(67866789) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4003487553) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3770351169) <0001> app_ccch_scan.c:400 Paging1: Normal paging chan tch/f to TMSI M(0x41ae98f9) <0001> app_ccch_scan.c:403 Paging2: Normal paging chan tch/f to TMSI M(0x1ad1cda) <0001> app_ccch_scan.c:426 Paging3: Normal paging chan n/a to imsi M(214031385056117) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3306441249) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214031482053520) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214036185306441) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4102036289) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4135931713) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214032485273805) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3798414145) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(134915836) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3988859137) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3735175681) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(531909) <0001> app_ccch_scan.c:248 GSM48 IMM ASS (ra=0x78, chan_nr=0x0f, HSN=24, MAIO=1, TS=7, SS=0, TSC=1) Dropping frame with 55 bit errors <000c> l1ctl.c:238 Dropping frame with 55 bit errors <000c> l1ctl.c:290 BURST IND: @(830928 = 0626/20/36) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830928 = 0626/20/36) (-110 dBm, SNR 8) <000c> l1ctl.c:290 BURST IND: @(830929 = 0626/21/37) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830929 = 0626/21/37) ( -83 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830930 = 0626/22/38) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830930 = 0626/22/38) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830931 = 0626/23/39) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830931 = 0626/23/39) ( -83 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830932 = 0626/24/40) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830932 = 0626/24/40) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830933 = 0626/25/41) (-105 dBm, SNR 8, UL, SACCH) <000c> l1ctl.c:290 BURST IND: @(830933 = 0626/25/41) (-107 dBm, SNR 5, SACCH) <000c> l1ctl.c:290 BURST IND: @(830934 = 0626/00/42) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830934 = 0626/00/42) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830935 = 0626/01/43) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830935 = 0626/01/43) ( -83 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830936 = 0626/02/44) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830936 = 0626/02/44) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830937 = 0626/03/45) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830937 = 0626/03/45) ( -89 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830938 = 0626/04/46) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830938 = 0626/04/46) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830939 = 0626/05/47) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830939 = 0626/05/47) ( -82 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830940 = 0626/06/48) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830940 = 0626/06/48) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830941 = 0626/07/49) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830941 = 0626/07/49) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830942 = 0626/08/50) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830942 = 0626/08/50) ( -86 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830943 = 0626/09/00) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830943 = 0626/09/00) ( -86 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830944 = 0626/10/01) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830944 = 0626/10/01) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830945 = 0626/11/02) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830945 = 0626/11/02) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830947 = 0626/13/04) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830947 = 0626/13/04) ( -84 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830948 = 0626/14/05) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830948 = 0626/14/05) ( -85 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830949 = 0626/15/06) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830949 = 0626/15/06) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830950 = 0626/16/07) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830950 = 0626/16/07) ( -89 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830951 = 0626/17/08) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830951 = 0626/17/08) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830952 = 0626/18/09) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830952 = 0626/18/09) ( -85 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830953 = 0626/19/10) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830953 = 0626/19/10) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830954 = 0626/20/11) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830954 = 0626/20/11) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830955 = 0626/21/12) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830955 = 0626/21/12) (-106 dBm, SNR 0) <000c> l1ctl.c:290 BURST IND: @(830956 = 0626/22/13) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830956 = 0626/22/13) (-107 dBm, SNR 5) <000c> l1ctl.c:290 BURST IND: @(830957 = 0626/23/14) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830957 = 0626/23/14) (-106 dBm, SNR 2) <000c> l1ctl.c:290 BURST IND: @(830958 = 0626/24/15) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830958 = 0626/24/15) (-108 dBm, SNR 1) <000c> l1ctl.c:290 BURST IND: @(830959 = 0626/25/16) (-106 dBm, SNR 2, UL, SACCH) <000c> l1ctl.c:290 BURST IND: @(830959 = 0626/25/16) (-109 dBm, SNR 5, SACCH) <000c> l1ctl.c:290 BURST IND: @(830960 = 0626/00/17) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830960 = 0626/00/17) (-108 dBm, SNR 3) <000c> l1ctl.c:290 BURST IND: @(830961 = 0626/01/18) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830961 = 0626/01/18) (-106 dBm, SNR 2) <000c> l1ctl.c:290 BURST IND: @(830962 = 0626/02/19) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830962 = 0626/02/19) (-108 dBm, SNR 3) <000c> l1ctl.c:290 BURST IND: @(830963 = 0626/03/20) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830963 = 0626/03/20) (-107 dBm, SNR 0) <000c> l1ctl.c:290 BURST IND: @(830964 = 0626/04/21) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830964 = 0626/04/21) ( -85 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830965 = 0626/05/22) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830965 = 0626/05/22) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830966 = 0626/06/23) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830966 = 0626/06/23) ( -85 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830967 = 0626/07/24) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830967 = 0626/07/24) ( -86 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830968 = 0626/08/25) (-107 dBm, SNR 6, UL) <000c> l1ctl.c:290 BURST IND: @(830968 = 0626/08/25) (-109 dBm, SNR 0) <000c> l1ctl.c:290 BURST IND: @(830969 = 0626/09/26) (-101 dBm, SNR 6, UL) But it stop to capture frames, seems to be left in a standby state and I don't know why that is. With gprsdecode I can see the next image in the wireshark: http://baseband-devel.722152.n3.nabble.com/file/n3712433/wireshark-capture.… If someone knows what is the problem, please tell me. Thanks in advance. Cheers, Dani -- View this message in context: http://baseband-devel.722152.n3.nabble.com/Sniffing-GPRS-tp3712433p3712433.… Sent from the baseband-devel mailing list archive at Nabble.com.

8 years, 7 months

"Type not handled! 40" gprsdecode

by George Andguladze

Hey there, I bumped into this error when testing gprsdecode from srldabs.de When I try the sample .dat files provided from srlabs.de it works fine though. Any hints? Kind Regards George AndguladzeSenior Software EngineerBusiness Management Technology www.bmt.ge

8 years, 7 months

layer2/3 ported to target? paging attack code?

by Craig Comstock

Hey, I finally watched Nico's talk "let me answer that for you" and heard him say he ported layer2/3 to target. Also found a mailing list message about him cleaning it up and putting it up on git and sending it to a few folks. Did that code ever get shared? Would be cool to play around with and is certainly something I would eventually want to accomplish for my project of making a phone that works by itself. -Craig

8 years, 11 months

Please can anyone advise me - FMTOOL Error and no further processing

by Raz Sharif

Dear all, I vae the C115 with a T1 USB to Serial cable with the Prolific chipset. When i run osmocon i get :- an its just sits there with no further processing. ./osmocon -p /dev/ttyUSB0 -m c123xor ../../target/firmware/board/compal_e88/loader.compalram.bin read_file(../../target/firmware/board/compal_e88/loader.compalram.bin): file_size=17120, hdr_len=4, dnload_len=17127 read_file(../../target/firmware/board/compal_e88/loader.compalram.bin): file_size=17120, hdr_len=4, dnload_len=17127 got 1 bytes from modem, data looks like: 00 . got 2 bytes from modem, data looks like: 2f 00 /. got 1 bytes from modem, data looks like: 1b . got 3 bytes from modem, data looks like: f6 02 00 ... got 1 bytes from modem, data looks like: 41 A got 1 bytes from modem, data looks like: 01 . got 1 bytes from modem, data looks like: 40 @ Received PROMPT1 from phone, responding with CMD got 1 bytes from modem, data looks like: 66 f got 1 bytes from modem, data looks like: 74 t got 1 bytes from modem, data looks like: 6d m got 1 bytes from modem, data looks like: 74 t got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 6c l Received FTMTOOL from phone, ramloader has aborted got 1 bytes from modem, data looks like: 65 e got 1 bytes from modem, data looks like: 72 r got 1 bytes from modem, data looks like: 72 r got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 72 r got 1 bytes from modem, data looks like: 00 . got 1 bytes from modem, data looks like: 00 . I think the cable is ok as when i run my fingers on the tip i get random Zeros so it appears to be talking to the cable. Also when i tried to run Mobile i get the :- even though i created the Mobile.cfg file in /etc/osmoco Failed to parse the config file: '/home/raz/.osmocom/bb/mobile.cfg' Please check or create config file using: 'touch /home/raz/.osmocom/bb/mobile.cfg' I have spent some hours researching the lists and trying various things to no avail but I want to continue until I resolve this issues and use this great stack to learn about the GSM network. Please advise. Great full for any help or pointers but this maybe a timing issue that is difficult to debug. Thanks Raz

9 years, 1 month

cell re-selection

by Andreas.Eversberg

hi, i did a lot of resarch and testing on cell selection and re-selection process the last two week. the cell selection process, network selection process (manual and automatic) and mobility management process were already implemented in OsmocomBB a long time, but turned out to be buggy and incomplete. i made test drives to check the process and debugged it. the re-selection process is new. it is used to track surrounding cells while listening to the BCCH of the current cell (camping on a cell). special extension to the layer1 firmare is used to measure neighbour cells. if an neighbour cell becomes 'better', the mobile switches to that cell, depening on different criteria. now it is possible to move with OsmocomBB. the re-selection process is not handover! handover is a process where a phone switches between cells while doing a call. handover is one next step to implement. the process is a little more complex, because it requires not only neighbour cell measurements, but also syncing to them without interrupting the traffic channel. most layer 3 stuff of handover is already implemented. if you like to play and test your moving OsmocomBB, you can check out the "jolly/roaming" branch. it contains the extension to layer1, as well as sim reader and fixes from "sylvain/testing" branch. use both "mobile" and "layer1" firmware from this branch. in order to see some process at VTY, you can do: enable monitor network 1 (continously display the strongest cell and neighbour cells) show ms 1 (to see current states) show neighbour-cells 1 (to see a more detailed current list of neighbours) andreas

9 years, 4 months

Set fixed TMSI and Kc

by Simian Denson

Hi, in the osmocom bb mobile.cfg I don't see any posibility to set a fixed Kc encryption key and the tmsi. How could I achieve that osmocom uses my defined Kc and tmsi? cheers, Simian

9 years, 4 months

Baseband: MS '1' is up, service is limited

by Hoàng Mạnh Hùng

Hi all, *I connected, sent and made call successful with osmocombb (with real IMSI and IMEI). But, now, I get error, always be rejected:* OsmocomBB# show ms MS '1' is up, service is limited IMEI: 357337016773249 IMEISV: 3573370167732490 IMEI generation: fixed automatic network selection state: A0 null cell selection state: PLMN search radio ressource layer state: idle mobility management layer state: MM idle, PLMN search OsmocomBB# % (MS 1) % Trying to registering with network... *in my config file (/root/.osmocom/bb/mobile.cfg)**:* ! ! OsmocomBB () configuration saved from vty !! ! line vty no login ! gps device /dev/ttyACM0 gps baudrate default no gps enable ! no hide-default ! ms 1 layer2-socket /tmp/osmocom_l2 sap-socket /tmp/osmocom_sap sim reader network-selection-mode auto imei 357337016773249 0 imei-fixed emergency-imsi 452040399998391 sms-service-center +84980200030 no call-waiting no auto-answer no force-rekey no clip no clir tx-power auto no simulated-delay no stick location-updating neighbour-measurement codec full-speed prefer codec half-speed no abbrev support sms a5/1 a5/2 p-gsm e-gsm r-gsm gsm-850 dcs pcs class-900 4 class-850 4 class-dcs 1 class-pcs 1 channel-capability sdcch+tchf+tchh full-speech-v1 full-speech-v2 half-speech-v1 min-rxlev -106 dsc-max 90 no skip-max-per-band exit test-sim imsi 001010000000000 ki xor 00 00 00 00 00 00 00 00 00 00 00 00 no barred-access no rplmn hplmn-search foreign-country exit no shutdown exit ! Anyone help me???, thanks a lot! -- Thanks and Best Regards -- From: Hoàng Mạnh Hùng

10 years, 1 month

Location update problems on Motorola C118

by Maciej Grela

Hi, I'm trying to run the latest osmocom-bb git on a Motorola C118 phone. After a minor problem with the build (as you may've noticed in the patch I've sent). I got to the point of successfuly running layer1 on the phone and the mobile app on the PC (I have also enabled TX). The process seems to be stuck on trying to perform a location update. The status of the ms is always either: show ms MS '1' is up, MM connection active IMEI: 000000000000000 IMEISV: 0000000000000000 IMEI generation: fixed automatic network selection state: A1 trying RPLMN MCC=104 MNC=002 (104, 002) cell selection state: connected mode 1 ARFCN=19 MCC=104 MNC=002 LAC=0xb00f CELLID=0x4fd9 (104, 002) radio ressource layer state: connection pending mobility management layer state: wait for RR connection (location updating) OsmocomBB> or show ms MS '1' is up, service is limited (pending) IMEI: 000000000000000 IMEISV: 0000000000000000 IMEI generation: fixed automatic network selection state: A1 trying RPLMN MCC=104 MNC=002 (104, 002) cell selection state: C3 camped normally ARFCN=19 MCC=104 MNC=002 LAC=0xb00f CELLID=0x4fd9 (104, 002) radio ressource layer state: idle mobility management layer state: MM idle, attempting to update OsmocomBB> I think, that because of this I can't make any calls or send sms (all the requests are being rejected): OsmocomBB# call 1 <X> call 1 <X> OsmocomBB# % (MS 1) % Call has been rejected The log information from mobile when it's trying to do a location update is show below: <000b> gsm48_rr.c:2174 PAGING REQUEST 1 <000b> gsm48_rr.c:2141 IMSI 260021964220249 (not for us) <000b> gsm48_rr.c:2132 TMSI fd82a501 (not for us) <000e> gsm48_mm.c:344 Location update retry <0005> gsm48_mm.c:345 timer T3211 (loc. upd. retry delay) has fired <0005> gsm48_mm.c:4311 (ms 1) Received 'MM_EVENT_TIMEOUT_T3211' event in state MM IDLE, attempting to update <000e> gsm48_mm.c:2199 Perform location update (MCC 104, MNC 002 LAC 0xb00f) <0005> gsm48_mm.c:2333 LOCATION UPDATING REQUEST <0005> gsm48_mm.c:2355 using LAI (mcc 104 mnc 002 lac 0xb00f) <0005> gsm48_mm.c:2363 using TMSI 0x28a3d62e <0005> gsm48_mm.c:914 new state MM IDLE, attempting to update -> wait for RR connection (location updating) <0001> gsm48_rr.c:5428 (ms 1) Message 'RR_EST_REQ' received in state idle (sapi 0) <000e> gsm48_rr.c:1318 Establish radio link due to mobility management request <0003> gsm322.c:4037 (ms 1) Event 'EVENT_LEAVE_IDLE' for Cell selection in state 'C3 camped normally' <0003> gsm322.c:823 new state 'C3 camped normally' -> 'connected mode 1' <0003> gsm322.c:3653 Going to camping (normal) ARFCN 19. <0003> gsm322.c:463 Sync to ARFCN=19 rxlev=-74 (Sysinfo, ccch mode NON-COMB) <0001> gsm48_rr.c:366 new state idle -> connection pending <0001> gsm48_rr.c:1465 CHANNEL REQUEST: 00 (Location Update with NECI) <0003> gsm322.c:2938 Channel synched. (ARFCN=19, snr=16, BSIC=17) <0001> gsm322.c:2959 using DSC of 90 <0003> gsm48_rr.c:4816 Channel provides data. <0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 5) <0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 0 ra 0x0e) <0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm) <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 4) <0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x07) <0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm) <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x75 chan_nr 0x0a MAIO 0 HSN 38 TS 2 SS 0 TSC 0) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x75 chan_nr 0x0a MAIO 0 HSN 38 TS 2 SS 0 TSC 0) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 0 LAI=104 002 b00f ID=4fd9 <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 3) <0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x0f) <0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm) <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 2) <0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x01) <0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm) <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2473 (ta 1/553m ra 0x18 chan_nr 0x59 ARFCN 19 TS 1 SS 3 TSC 1) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2473 (ta 1/553m ra 0x18 chan_nr 0x59 ARFCN 19 TS 1 SS 3 TSC 1) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 1) <0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x0a) <0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm) <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 1 LAI=104 002 b00f ID=4fd9 <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 0) <0001> gsm48_rr.c:1605 Done with sending RANDOM ACCESS bursts <0001> gsm48_rr.c:836 starting T3126 with 5.000 seconds <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2225 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 0 LAI=104 002 b00f ID=4fd9 <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x0a chan_nr 0x41 ARFCN 19 TS 1 SS 0 TSC 1) <0001> gsm48_rr.c:2393 request 0a matches but not frame number (IMM.ASS fn=22,6,30 != RACH fn=22,5,25) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x05 chan_nr 0x49 ARFCN 19 TS 1 SS 1 TSC 1) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x05 chan_nr 0x49 ARFCN 19 TS 1 SS 1 TSC 1) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2225 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:673 MON: f=19 lev=-77 snr= 0 ber= 6 LAI=104 002 b00f ID=4fd9 <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x00 chan_nr 0x61 ARFCN 19 TS 1 SS 4 TSC 1) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x00 chan_nr 0x61 ARFCN 19 TS 1 SS 4 TSC 1) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x7d chan_nr 0x0b MAIO 0 HSN 38 TS 3 SS 0 TSC 0) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x7d chan_nr 0x0b MAIO 0 HSN 38 TS 3 SS 0 TSC 0) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 0 LAI=104 002 b00f ID=4fd9 <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2225 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2225 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 3 LAI=104 002 b00f ID=4fd9 <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x77 chan_nr 0x09 MAIO 0 HSN 38 TS 1 SS 0 TSC 0) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x77 chan_nr 0x09 MAIO 0 HSN 38 TS 1 SS 0 TSC 0) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2225 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 6 LAI=104 002 b00f ID=4fd9 <0001> gsm48_rr.c:765 timer T3126 has fired <000e> gsm48_rr.c:770 Requesting channel failed <0001> gsm48_rr.c:366 new state connection pending -> idle <0003> gsm322.c:4037 (ms 1) Event 'EVENT_RET_IDLE' for Cell selection in state 'connected mode 1' <0003> gsm322.c:3565 Selecting ARFCN 19. after LOC.UPD. <0003> gsm322.c:463 Sync to ARFCN=19 rxlev=-74 (Sysinfo, ccch mode NON-COMB) <0003> gsm322.c:823 new state 'connected mode 1' -> 'C3 camped normally' <0005> gsm48_mm.c:3902 (ms 1) Received 'RR_REL_IND' from RR in state wait for RR connection (location updating) (sapi 0) <0005> gsm48_mm.c:2732 RR link released after loc. upd. <000e> gsm48_mm.c:2676 Location update failed <000e> gsm48_mm.c:2686 Try location update later <0005> gsm48_mm.c:2688 Loc. upd. failed, retry #0 <0005> gsm48_mm.c:413 starting T3211 (loc. upd. retry delay) with 15.0 seconds <0005> gsm48_mm.c:1143 We are camping normally as returning to MM IDLE <0005> gsm48_mm.c:1159 Loc. upd. allowed. <0005> gsm48_mm.c:919 new state wait for RR connection (location updating) -> MM IDLE, location updating needed <0005> gsm48_mm.c:909 new MM IDLE state location updating needed -> attempting to update <0005> gsm48_mm.c:2215 Loc. upd. already pending. <0005> gsm48_mm.c:4311 (ms 1) Received 'MM_EVENT_CELL_SELECTED' event in state MM IDLE, attempting to update <0005> gsm48_mm.c:2215 Loc. upd. already pending. <0003> gsm322.c:2938 Channel synched. (ARFCN=19, snr=16, BSIC=17) <0001> gsm322.c:2959 using DSC of 90 Can you provide me any hints on how to debug this ? Why is the location update failing constantly ? Thanks in advance for your help. Best regards, Maciej Grela

10 years, 8 months

Osmovom-BB on Raspberry Pi

by Richard Menedetter

Hi All Just wanted to confirm that I got Osmocom-BB up and running on a Raspberry Pi. I did not use the GPIO UART pins but USB <-> serial converters. I tried Motorola C118 and C155 with success. Everything you need is already described: http://bb.osmocom.org/trac/wiki/GnuArmToolchain http://bb.osmocom.org/trac/wiki/libosmocore http://bb.osmocom.org/trac/wiki/Software/GettingStarted?redirectedfrom=Gett… My previous problem seems to have been a not fully compatible crosscompiled toolchain. (it worked mostly, but I could not log-in to a cell and the spectrum view crashed on the RSSI Firmware. Also if you want transmit capability (or flashing) then you need to activate those features in the makefile. Thanks Sylvain (confirming c118 will work) and all others who are involved!! PS: Any news on the "emulated BTS" that has been presented at last years chaos communication congress? I have 2 C118s + 1 normal USB serial dongle + 1 capable of burst ind. I hope this will suffice to also run also a possible future 1 trasmit phone + 1 receive phone configuration. I assume that even without the filter change it should be enough to send a few meters of distance.

11 years

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

baseband-devel February 2014