Hey there, I bumped into this error when testing gprsdecode from srlabs.de. When I try the sample .dat files provided by srlabs.de it works fine though. Any hints?
Kind Regards
George Andguladze
Senior Software Engineer
Business Management Technology
www.bmt.ge
Hey, I finally watched Nico's talk "let me answer that for you" and heard him say he ported layer2/3 to target.
Also found a mailing list message about him cleaning it up and putting it up on git and sending it to a few folks.
Did that code ever get shared? Would be cool to play around with and is certainly something I would eventually want to accomplish for my project of making a phone that works by itself.
-Craig
Dear all, I have the C115 with a T1 USB to Serial cable with the Prolific
chipset.
When I run osmocon I get the following, and it just sits there with no further
processing:
./osmocon -p /dev/ttyUSB0 -m c123xor ../../target/firmware/board/compal_e88/loader.compalram.bin
read_file(../../target/firmware/board/compal_e88/loader.compalram.bin):
file_size=17120, hdr_len=4, dnload_len=17127
read_file(../../target/firmware/board/compal_e88/loader.compalram.bin):
file_size=17120, hdr_len=4, dnload_len=17127
got 1 bytes from modem, data looks like: 00 .
got 2 bytes from modem, data looks like: 2f 00 /.
got 1 bytes from modem, data looks like: 1b .
got 3 bytes from modem, data looks like: f6 02 00 ...
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 01 .
got 1 bytes from modem, data looks like: 40 @
Received PROMPT1 from phone, responding with CMD
got 1 bytes from modem, data looks like: 66 f
got 1 bytes from modem, data looks like: 74 t
got 1 bytes from modem, data looks like: 6d m
got 1 bytes from modem, data looks like: 74 t
got 1 bytes from modem, data looks like: 6f o
got 1 bytes from modem, data looks like: 6f o
got 1 bytes from modem, data looks like: 6c l
Received FTMTOOL from phone, ramloader has aborted
got 1 bytes from modem, data looks like: 65 e
got 1 bytes from modem, data looks like: 72 r
got 1 bytes from modem, data looks like: 72 r
got 1 bytes from modem, data looks like: 6f o
got 1 bytes from modem, data looks like: 72 r
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 00 .
I think the cable is OK, as when I run my fingers on the tip I get random
zeros, so it appears to be talking to the cable.
Also, when I tried to run mobile I get the following, even though I created the
mobile.cfg file in /etc/osmoco:
Failed to parse the config file: '/home/raz/.osmocom/bb/mobile.cfg'
Please check or create config file using: 'touch
/home/raz/.osmocom/bb/mobile.cfg'
I have spent some hours researching the lists and trying various things to
no avail, but I want to continue until I resolve these issues and use this
great stack to learn about the GSM network.
Please advise.
Grateful for any help or pointers, but this may be a timing issue that is
difficult to debug.
Thanks
Raz
Hi,
I did a lot of research and testing on the cell selection and re-selection
process over the last two weeks.
The cell selection process, network selection process (manual and
automatic) and mobility management process were already implemented in
OsmocomBB a long time ago, but turned out to be buggy and incomplete. I made
test drives to check the process and debugged it.
The re-selection process is new. It is used to track surrounding cells
while listening to the BCCH of the current cell (camping on a cell).
A special extension to the layer1 firmware is used to measure neighbour
cells. If a neighbour cell becomes 'better', the mobile switches to
that cell, depending on different criteria. Now it is possible to move
with OsmocomBB.
The re-selection process is not handover! Handover is a process where a
phone switches between cells while doing a call. Handover is the next
step to implement. The process is a little more complex, because it
requires not only neighbour cell measurements, but also syncing to them
without interrupting the traffic channel. Most layer 3 stuff of handover
is already implemented.
If you would like to play with and test your moving OsmocomBB, you can check out
the "jolly/roaming" branch. It contains the extension to layer1, as well
as the SIM reader and fixes from the "sylvain/testing" branch. Use both the "mobile"
and "layer1" firmware from this branch.
In order to see the process at the VTY, you can do:
enable
monitor network 1 (continuously display the strongest cell and neighbour
cells)
show ms 1 (to see current states)
show neighbour-cells 1 (to see a more detailed current list of
neighbours)
andreas
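As an added illustration of the "different criteria" mentioned in the message above (example code written for this page, not OsmocomBB's own implementation): the GSM 05.08 path-loss criterion C1 and the idle-mode reselection decision that follows from it, run over constructed measurements. It covers the simplest case the spec allows, cells that broadcast no cell-reselection parameters (so C2 equals C1), and leaves out the 5-second observation window; the hysteresis for a neighbour in another location area is included, because reselecting there costs a location update. The ARFCN, LAC and level values are made up; the 33 dBm MS power is the class-4 GSM900 value that the logs on this page also show.

```c
#include <stdio.h>

struct cell_meas {
	int arfcn;
	int rla_c_dbm;              /* averaged received level of the cell */
	int rxlev_access_min_dbm;   /* RXLEV_ACCESS_MIN broadcast in SI3/SI4 */
	int ms_txpwr_max_cch_dbm;   /* MS_TXPWR_MAX_CCH broadcast in SI3/SI4 */
	int lac;                    /* location area code */
};

/* GSM 05.08 section 6.4: C1 = A - max(B, 0)
 *   A = RLA_C - RXLEV_ACCESS_MIN   (margin above the access threshold)
 *   B = MS_TXPWR_MAX_CCH - P       (power the cell asks for that we cannot give)
 * where P is the MS's maximum output power. A cell is suitable for
 * camping only if C1 > 0. */
int c1(const struct cell_meas *c, int ms_max_power_dbm)
{
	int a = c->rla_c_dbm - c->rxlev_access_min_dbm;
	int b = c->ms_txpwr_max_cch_dbm - ms_max_power_dbm;
	return a - (b > 0 ? b : 0);
}

/* Idle-mode reselection without broadcast reselection parameters
 * (C2 == C1): stay on the serving cell unless a suitable neighbour's C1
 * is higher, by CELL_RESELECT_HYSTERESIS when the neighbour is in a
 * different location area. Returns the index of the cell to camp on. */
int pick_cell(const struct cell_meas *cells, int n, int serving,
	      int ms_max_power_dbm, int hysteresis_db)
{
	int best = serving;
	int best_score = c1(&cells[serving], ms_max_power_dbm);

	for (int i = 0; i < n; i++) {
		int score;
		if (i == serving)
			continue;
		score = c1(&cells[i], ms_max_power_dbm);
		if (score <= 0)
			continue;   /* path-loss criterion failed: not suitable */
		if (cells[i].lac != cells[serving].lac)
			score -= hysteresis_db;
		if (score > best_score) {
			best = i;
			best_score = score;
		}
	}
	return best;
}

/* Constructed measurements (not from a real drive test): a class-4 GSM900
 * MS with P = 33 dBm camped on ARFCN 19. */
static const struct cell_meas sample_cells[] = {
	{ 19, -80, -106, 33, 0xb00f },   /* serving: C1 = 26 */
	{ 23, -75, -106, 33, 0xb00f },   /* same LA, C1 = 31: reselect */
	{ 27, -77, -106, 33, 0xb010 },   /* other LA, C1 = 29, minus 6 dB hysteresis */
	{ 31, -70, -104, 39, 0xb00f },   /* asks for 39 dBm we cannot give: C1 = 34 - 6 = 28 */
};
#define N_SAMPLE (int)(sizeof sample_cells / sizeof sample_cells[0])

int main(void)
{
	for (int i = 0; i < N_SAMPLE; i++)
		printf("ARFCN %d LAC 0x%04x C1=%d\n", sample_cells[i].arfcn,
		       sample_cells[i].lac, c1(&sample_cells[i], 33));
	printf("camp on ARFCN %d\n",
	       sample_cells[pick_cell(sample_cells, N_SAMPLE, 0, 33, 6)].arfcn);
	return 0;
}
```

The `min-rxlev -106` line in the mobile.cfg files quoted later on this page is the same RXLEV_ACCESS_MIN-style threshold this calculation uses on the MS side.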
Hi,
in the osmocom bb mobile.cfg I don't see any possibility to set a fixed
Kc encryption key and the TMSI.
How could I achieve that osmocom uses my defined Kc and TMSI?
cheers,
Simian
Hi all,
I connected, sent and made calls successfully with osmocombb (with real IMSI
and IMEI).
But now I get an error, always being rejected:
OsmocomBB# show ms
MS '1' is up, service is limited
IMEI: 357337016773249
IMEISV: 3573370167732490
IMEI generation: fixed
automatic network selection state: A0 null
cell selection state: PLMN search
radio ressource layer state: idle
mobility management layer state: MM idle, PLMN search
OsmocomBB#
% (MS 1)
% Trying to registering with network...
In my config file (/root/.osmocom/bb/mobile.cfg):
!
! OsmocomBB () configuration saved from vty
!!
!
line vty
no login
!
gps device /dev/ttyACM0
gps baudrate default
no gps enable
!
no hide-default
!
ms 1
layer2-socket /tmp/osmocom_l2
sap-socket /tmp/osmocom_sap
sim reader
network-selection-mode auto
imei 357337016773249 0
imei-fixed
emergency-imsi 452040399998391
sms-service-center +84980200030
no call-waiting
no auto-answer
no force-rekey
no clip
no clir
tx-power auto
no simulated-delay
no stick
location-updating
neighbour-measurement
codec full-speed prefer
codec half-speed
no abbrev
support
sms
a5/1
a5/2
p-gsm
e-gsm
r-gsm
gsm-850
dcs
pcs
class-900 4
class-850 4
class-dcs 1
class-pcs 1
channel-capability sdcch+tchf+tchh
full-speech-v1
full-speech-v2
half-speech-v1
min-rxlev -106
dsc-max 90
no skip-max-per-band
exit
test-sim
imsi 001010000000000
ki xor 00 00 00 00 00 00 00 00 00 00 00 00
no barred-access
no rplmn
hplmn-search foreign-country
exit
no shutdown
exit
!
Can anyone help me? Thanks a lot!
--
Thanks and Best Regards
Hoàng Mạnh Hùng
Hi,
I'm trying to run the latest osmocom-bb git on a Motorola C118 phone.
After a minor problem with the build (as you may have noticed in the
patch I sent), I got to the point of successfully running layer1 on
the phone and the mobile app on the PC (I have also enabled TX). The
process seems to be stuck on trying to perform a location update. The
status of the MS is always either:
show ms
MS '1' is up, MM connection active
IMEI: 000000000000000
IMEISV: 0000000000000000
IMEI generation: fixed
automatic network selection state: A1 trying RPLMN
MCC=104 MNC=002 (104, 002)
cell selection state: connected mode 1
ARFCN=19 MCC=104 MNC=002 LAC=0xb00f CELLID=0x4fd9
(104, 002)
radio ressource layer state: connection pending
mobility management layer state: wait for RR connection (location updating)
OsmocomBB>
or
show ms
MS '1' is up, service is limited (pending)
IMEI: 000000000000000
IMEISV: 0000000000000000
IMEI generation: fixed
automatic network selection state: A1 trying RPLMN
MCC=104 MNC=002 (104, 002)
cell selection state: C3 camped normally
ARFCN=19 MCC=104 MNC=002 LAC=0xb00f CELLID=0x4fd9
(104, 002)
radio ressource layer state: idle
mobility management layer state: MM idle, attempting to update
OsmocomBB>
I think, that because of this I can't make any calls or send sms (all
the requests are being rejected):
OsmocomBB# call 1 <X>
call 1 <X>
OsmocomBB#
% (MS 1)
% Call has been rejected
The log information from mobile when it is trying to do a location
update is shown below:
<000b> gsm48_rr.c:2174 PAGING REQUEST 1
<000b> gsm48_rr.c:2141 IMSI 260021964220249 (not for us)
<000b> gsm48_rr.c:2132 TMSI fd82a501 (not for us)
<000e> gsm48_mm.c:344 Location update retry
<0005> gsm48_mm.c:345 timer T3211 (loc. upd. retry delay) has fired
<0005> gsm48_mm.c:4311 (ms 1) Received 'MM_EVENT_TIMEOUT_T3211' event
in state MM IDLE, attempting to update
<000e> gsm48_mm.c:2199 Perform location update (MCC 104, MNC 002 LAC 0xb00f)
<0005> gsm48_mm.c:2333 LOCATION UPDATING REQUEST
<0005> gsm48_mm.c:2355 using LAI (mcc 104 mnc 002 lac 0xb00f)
<0005> gsm48_mm.c:2363 using TMSI 0x28a3d62e
<0005> gsm48_mm.c:914 new state MM IDLE, attempting to update -> wait
for RR connection (location updating)
<0001> gsm48_rr.c:5428 (ms 1) Message 'RR_EST_REQ' received in state
idle (sapi 0)
<000e> gsm48_rr.c:1318 Establish radio link due to mobility management request
<0003> gsm322.c:4037 (ms 1) Event 'EVENT_LEAVE_IDLE' for Cell
selection in state 'C3 camped normally'
<0003> gsm322.c:823 new state 'C3 camped normally' -> 'connected mode 1'
<0003> gsm322.c:3653 Going to camping (normal) ARFCN 19.
<0003> gsm322.c:463 Sync to ARFCN=19 rxlev=-74 (Sysinfo, ccch mode NON-COMB)
<0001> gsm48_rr.c:366 new state idle -> connection pending
<0001> gsm48_rr.c:1465 CHANNEL REQUEST: 00 (Location Update with NECI)
<0003> gsm322.c:2938 Channel synched. (ARFCN=19, snr=16, BSIC=17)
<0001> gsm322.c:2959 using DSC of 90
<0003> gsm48_rr.c:4816 Channel provides data.
<0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 5)
<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no
S(lots) 0 ra 0x0e)
<0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm)
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 4)
<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no
S(lots) 55 ra 0x07)
<0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm)
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x75 chan_nr 0x0a MAIO 0 HSN 38
TS 2 SS 0 TSC 0)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x75 chan_nr 0x0a MAIO 0 HSN 38
TS 2 SS 0 TSC 0)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 0 LAI=104 002 b00f ID=4fd9
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 3)
<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no
S(lots) 55 ra 0x0f)
<0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm)
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 2)
<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no
S(lots) 55 ra 0x01)
<0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm)
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2473 (ta 1/553m ra 0x18 chan_nr 0x59 ARFCN 19 TS 1
SS 3 TSC 1)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2473 (ta 1/553m ra 0x18 chan_nr 0x59 ARFCN 19 TS 1
SS 3 TSC 1)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 1)
<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no
S(lots) 55 ra 0x0a)
<0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm)
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 1 LAI=104 002 b00f ID=4fd9
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 0)
<0001> gsm48_rr.c:1605 Done with sending RANDOM ACCESS bursts
<0001> gsm48_rr.c:836 starting T3126 with 5.000 seconds
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2225 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 0 LAI=104 002 b00f ID=4fd9
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x0a chan_nr 0x41 ARFCN 19 TS 1
SS 0 TSC 1)
<0001> gsm48_rr.c:2393 request 0a matches but not frame number
(IMM.ASS fn=22,6,30 != RACH fn=22,5,25)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x05 chan_nr 0x49 ARFCN 19 TS 1
SS 1 TSC 1)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x05 chan_nr 0x49 ARFCN 19 TS 1
SS 1 TSC 1)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2225 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:673 MON: f=19 lev=-77 snr= 0 ber= 6 LAI=104 002 b00f ID=4fd9
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x00 chan_nr 0x61 ARFCN 19 TS 1
SS 4 TSC 1)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x00 chan_nr 0x61 ARFCN 19 TS 1
SS 4 TSC 1)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x7d chan_nr 0x0b MAIO 0 HSN 38
TS 3 SS 0 TSC 0)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x7d chan_nr 0x0b MAIO 0 HSN 38
TS 3 SS 0 TSC 0)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 0 LAI=104 002 b00f ID=4fd9
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2225 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2225 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 3 LAI=104 002 b00f ID=4fd9
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x77 chan_nr 0x09 MAIO 0 HSN 38
TS 1 SS 0 TSC 0)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:
<0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x77 chan_nr 0x09 MAIO 0 HSN 38
TS 1 SS 0 TSC 0)
<0001> gsm48_rr.c:2503 Request, but not for us.
<0001> gsm48_rr.c:2225 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:2170 PAGING ignored, we are not camping.
<0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 6 LAI=104 002 b00f ID=4fd9
<0001> gsm48_rr.c:765 timer T3126 has fired
<000e> gsm48_rr.c:770 Requesting channel failed
<0001> gsm48_rr.c:366 new state connection pending -> idle
<0003> gsm322.c:4037 (ms 1) Event 'EVENT_RET_IDLE' for Cell selection
in state 'connected mode 1'
<0003> gsm322.c:3565 Selecting ARFCN 19. after LOC.UPD.
<0003> gsm322.c:463 Sync to ARFCN=19 rxlev=-74 (Sysinfo, ccch mode NON-COMB)
<0003> gsm322.c:823 new state 'connected mode 1' -> 'C3 camped normally'
<0005> gsm48_mm.c:3902 (ms 1) Received 'RR_REL_IND' from RR in state
wait for RR connection (location updating) (sapi 0)
<0005> gsm48_mm.c:2732 RR link released after loc. upd.
<000e> gsm48_mm.c:2676 Location update failed
<000e> gsm48_mm.c:2686 Try location update later
<0005> gsm48_mm.c:2688 Loc. upd. failed, retry #0
<0005> gsm48_mm.c:413 starting T3211 (loc. upd. retry delay) with 15.0 seconds
<0005> gsm48_mm.c:1143 We are camping normally as returning to MM IDLE
<0005> gsm48_mm.c:1159 Loc. upd. allowed.
<0005> gsm48_mm.c:919 new state wait for RR connection (location
updating) -> MM IDLE, location updating needed
<0005> gsm48_mm.c:909 new MM IDLE state location updating needed ->
attempting to update
<0005> gsm48_mm.c:2215 Loc. upd. already pending.
<0005> gsm48_mm.c:4311 (ms 1) Received 'MM_EVENT_CELL_SELECTED' event
in state MM IDLE, attempting to update
<0005> gsm48_mm.c:2215 Loc. upd. already pending.
<0003> gsm322.c:2938 Channel synched. (ARFCN=19, snr=16, BSIC=17)
<0001> gsm322.c:2959 using DSC of 90
Can you provide me any hints on how to debug this ? Why is the
location update failing constantly ?
Thanks in advance for your help.
Best regards,
Maciej Grela
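To see at a glance whether any of the IMMEDIATE ASSIGNMENTs in a log like the one above were answering this MS at all, the following added example (written for this page, not OsmocomBB code) replays the relevant lines through the check the log itself describes: an assignment belongs to us only if its Request Reference carries both the RA we sent and the frame number of our burst. The sample lines are constructed from the posted log, trimmed and with the lines the mail client wrapped joined back together; the frame-number triplet is compared exactly as printed, without assuming which field is T1', T2 or T3.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_RACH 16

struct corr_result {
	int rach_sent;    /* RANDOM ACCESS bursts this MS transmitted */
	int ass_seen;     /* IMMEDIATE ASSIGNMENT messages decoded on CCCH */
	int ra_matches;   /* assignments whose RA equals one we sent */
	int fn_mismatch;  /* RA matched, but the Request Reference frame number did not */
	int others;       /* assignments answering some other MS's RA */
};

/* Constructed sample: lines from the posted "mobile" log, with each line
 * the mail client wrapped joined back onto one line. */
static const char *const sample_log[] = {
	"<0001> gsm48_rr.c:1465 CHANNEL REQUEST: 00 (Location Update with NECI)",
	"<0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 5)",
	"<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 0 ra 0x0e)",
	"<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x07)",
	"<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:",
	"<0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x75 chan_nr 0x0a MAIO 0 HSN 38 TS 2 SS 0 TSC 0)",
	"<0001> gsm48_rr.c:2503 Request, but not for us.",
	"<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x0f)",
	"<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x01)",
	"<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:",
	"<0001> gsm48_rr.c:2473 (ta 1/553m ra 0x18 chan_nr 0x59 ARFCN 19 TS 1 SS 3 TSC 1)",
	"<0001> gsm48_rr.c:2503 Request, but not for us.",
	"<0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x0a)",
	"<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:",
	"<0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x0a chan_nr 0x41 ARFCN 19 TS 1 SS 0 TSC 1)",
	"<0001> gsm48_rr.c:2393 request 0a matches but not frame number (IMM.ASS fn=22,6,30 != RACH fn=22,5,25)",
	"<0001> gsm48_rr.c:2503 Request, but not for us.",
	"<0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT:",
	"<0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x05 chan_nr 0x49 ARFCN 19 TS 1 SS 1 TSC 1)",
	"<0001> gsm48_rr.c:2503 Request, but not for us.",
	"<0001> gsm48_rr.c:765 timer T3126 has fired",
	NULL
};

/* Walk the log once: remember every RA we sent, then classify each
 * assignment against that set. */
struct corr_result correlate(const char *const *lines)
{
	struct corr_result r = {0};
	unsigned sent[MAX_RACH];
	bool expect_ass_body = false;

	for (; *lines; lines++) {
		const char *l = *lines, *p;
		unsigned ra;

		if (strstr(l, "RANDOM ACCESS (") && (p = strstr(l, "ra 0x"))) {
			if (sscanf(p, "ra 0x%x", &ra) == 1 && r.rach_sent < MAX_RACH)
				sent[r.rach_sent++] = ra;
		} else if (strstr(l, "IMMEDIATE ASSIGNMENT:")) {
			expect_ass_body = true;  /* the parameters follow on the next line */
		} else if (expect_ass_body && (p = strstr(l, "ra 0x"))) {
			expect_ass_body = false;
			if (sscanf(p, "ra 0x%x", &ra) != 1)
				continue;
			r.ass_seen++;
			bool ours = false;
			for (int i = 0; i < r.rach_sent; i++)
				if (sent[i] == ra)
					ours = true;
			if (ours)
				r.ra_matches++;
			else
				r.others++;
		} else if ((p = strstr(l, "IMM.ASS fn="))) {
			/* RA collided with ours: compare the frame-number triplets as printed */
			int ass_fn[3], rach_fn[3];
			if (sscanf(p, "IMM.ASS fn=%d,%d,%d != RACH fn=%d,%d,%d",
				   &ass_fn[0], &ass_fn[1], &ass_fn[2],
				   &rach_fn[0], &rach_fn[1], &rach_fn[2]) == 6 &&
			    memcmp(ass_fn, rach_fn, sizeof ass_fn) != 0)
				r.fn_mismatch++;
		}
	}
	return r;
}

int main(void)
{
	struct corr_result r = correlate(sample_log);
	printf("sent %d RACH bursts, saw %d assignments: %d for other RAs, "
	       "%d with our RA but a different frame number\n",
	       r.rach_sent, r.ass_seen, r.others, r.fn_mismatch);
	return 0;
}
```

Run over the full posted log the same way, the count of assignments for other RAs versus the single RA collision is what separates "the network never answered our bursts" from "the network answered but we mis-decoded the reply", which is the first thing to settle before looking at timing or TX power.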
Hi All
Just wanted to confirm that I got Osmocom-BB up and running on a Raspberry Pi.
I did not use the GPIO UART pins but USB <-> serial converters.
I tried Motorola C118 and C155 with success.
Everything you need is already described:
http://bb.osmocom.org/trac/wiki/GnuArmToolchain
http://bb.osmocom.org/trac/wiki/libosmocore
http://bb.osmocom.org/trac/wiki/Software/GettingStarted?redirectedfrom=Gett…
My previous problem seems to have been a not fully compatible cross-compiled toolchain (it worked mostly, but I could not log in to a cell and the spectrum view crashed on the RSSI firmware).
Also if you want transmit capability (or flashing) then you need to activate those features in the makefile.
Thanks Sylvain (confirming c118 will work) and all others who are involved!!
PS: Any news on the "emulated BTS" that was presented at last year's Chaos Communication Congress?
I have 2 C118s + 1 normal USB serial dongle + 1 capable of burst ind.
I hope this will also suffice to run a possible future 1 transmit phone + 1 receive phone configuration.
I assume that even without the filter change it should be enough to send a few meters of distance.
I'm at the point w/ flashing firmware where I feel like I need to use a debugger w/ JTAG. I figured I could probably use serial line logging somehow but JTAG seems better and I should learn it anyway.
Has anyone pried open the shield on a c139/c140 and tried attaching to the JTAG test points that are just inside the shield next to the test points which are accessible via the battery compartment?
Attached is a simple patch which adds little-endian and big-endian macros to move bytes to
and from multibyte integer types like uint16_t, uint32_t etc.
Some of this code is used right away in msgb.h, but it will also be used in the KASUMI
implementation later on.
--
best regards,
Max, http://fairwaves.ru
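The patch itself is not on this page, so the following is an added example of the kind of helper it describes, written for this page and not taken from libosmocore: byte-wise loads and stores in both byte orders, as inline functions rather than macros so each argument is evaluated once. The names `ld16le`, `st32be` and so on are illustrative, not libosmocore's identifiers, and the header layout in `roundtrip_header` is constructed for the demonstration rather than being any real Osmocom message.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Read and write one byte at a time: correct on any host byte order and
 * for unaligned buffers, with no pointer casts and no aliasing. */
static inline uint16_t ld16le(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}
static inline uint16_t ld16be(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}
static inline uint32_t ld32le(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static inline uint32_t ld32be(const uint8_t *p)
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
	       (uint32_t)p[2] << 8 | (uint32_t)p[3];
}
static inline void st16le(uint8_t *p, uint16_t v)
{
	p[0] = (uint8_t)(v & 0xff);
	p[1] = (uint8_t)(v >> 8);
}
static inline void st16be(uint8_t *p, uint16_t v)
{
	p[0] = (uint8_t)(v >> 8);
	p[1] = (uint8_t)(v & 0xff);
}
static inline void st32le(uint8_t *p, uint32_t v)
{
	for (int i = 0; i < 4; i++)
		p[i] = (uint8_t)((v >> (8 * i)) & 0xff);
}
static inline void st32be(uint8_t *p, uint32_t v)
{
	for (int i = 0; i < 4; i++)
		p[3 - i] = (uint8_t)((v >> (8 * i)) & 0xff);
}

/* What the helpers protect against: memcpy into a uint32_t yields the
 * host's interpretation of the bytes, which only equals the big-endian
 * one on a big-endian host. */
bool host_is_little_endian(void)
{
	const uint8_t probe[4] = { 0x01, 0x00, 0x00, 0x00 };
	uint32_t v;
	memcpy(&v, probe, sizeof v);
	return v == 1;
}

/* Constructed example layout: a 32-bit big-endian frame number followed
 * by a 16-bit little-endian length. Returns true if encoding and decoding
 * agree and the wire bytes sit where the layout says, whatever the host. */
bool roundtrip_header(uint32_t fn, uint16_t len)
{
	uint8_t buf[6];
	st32be(buf, fn);
	st16le(buf + 4, len);
	return ld32be(buf) == fn && ld16le(buf + 4) == len &&
	       buf[0] == (uint8_t)(fn >> 24) && buf[4] == (uint8_t)(len & 0xff);
}
```

The point for a cipher implementation such as KASUMI is the same: the algorithm is specified on big-endian 16-bit and 32-bit words, and loading them through these helpers rather than through a cast of the byte pointer gives identical results on the ARM target and on the x86 host used for test vectors.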
Hello.
Attached is a trivial patch which breaks the existing GPRS cipher API of libosmocore by
switching from a fixed 64-bit-length Kc to a variable-length one.
There are several justifications for that:
- compliance with ETSI TS 155.22 (GEA4 - 128-bit Kc) and all further versions
- similarity to the existing auth API (osmocom/crypt/auth.h uses 128 bits as well)
- nobody uses this API anyway (except my other patches with GEA)
- the patch breaks nothing within libosmocore (make check succeeds) or openbsc (which uses
gea0 only)
That's why I think the next libosmocore version should apply this patch and change the unused
API before someone actually starts using it and makes the transition more difficult.
--
best regards,
Max, http://fairwaves.ru
Hi all,
I have been experimenting for a while now with the EMI firmware. My goal is creating controlled interference for an experiment.
My current setup is the following:
- one osmo phone with the EMI firmware transmitting on a single time slot
- one USRP2 at the receiving side
I use GNURadio for sampling and Matlab for post-processing.
My problem is that once I analyse the received bursts in Matlab I am not able to decode their content. I expect to see the same sequence repeated over time, since Dummy Bursts are being transmitted as detailed in the wiki. However, this is not the case.
After going through the code I am not sure how the transmitted sequence is generated, nor which ciphering sequence is used.
Could you help me with these issues?
Thanks,
Enrique
dexter <zero-kelvin(a)gmx.de> wrote:
> It's time Again!
> This is the announcement for the next Osmocom Berlin meeting.
> Tomorrow, 8pm @ CCC Berlin, Marienstr. 11, 10117 Berlin
Are there any Osmocom/GSM/etc hackers in California, USA, anywhere
around Los Angeles or San Diego? Perhaps we can have our own local
meetings too, like the Berliners do? If there is any interest, I
would be happy to host.
VLR,
SF
Hi All.
It's time Again!
This is the announcement for the next Osmocom Berlin meeting.
Tomorrow, 8pm @ CCC Berlin, Marienstr. 11, 10117 Berlin
There is no formal presentation scheduled for this meeting.
If you are interested in showing up, feel free to do so. There is no
registration required. The meeting is free as in "free beer", despite
no actual free beer being around.
I am looking forward to seeing you there!
regards.
Philipp
Hello LSX,
Thanks for your input.
I am using the sylvain/testing branch, and trx was compiled correctly.
On Mon, Feb 24, 2014 at 8:31 AM, LSX <289039690(a)qq.com> wrote:
>
> I have tested this article. When I tested it I was not using this branch but the jolly/testing branch; I could find the OpenBTS signal in the network search, but could not register with the base station. That is as far as I got.
>
>
> ------------------ Original ------------------
> From: "Hassan Mourad";
> Date: Monday, 24 February 2014, 2:21 PM
> To: "baseband-devel";
> Subject: Osmocom Trx with OpenBTS
>
> Hi Guys,
>
> So I was trying to use my osmocom phone as a transceiver for openBTS.
>
> I followed the procedures indicated in this link "
> bb.osmocom.org/trac/wiki/Software/Transceiver" and was able to
> successfully load trx.compalram.bin on the phone, connect openBTS to it and
> sync the clock to the strongest cell around
>
> I got the output attached from openBTS
>
> For some reason however when I search for the network I am unable to find
> it.
>
> I can not figure out what exactly is going on here and I was wondering if
> any one can help
>
> One thing to point out is that I was never able to set the below value to
> the suggested value, as it was not in OpenBTS's configuration options. I am
> not sure if this has been deprecated or replaced by any other option.
>
> GSM.CellSelection.Neighbors = (set to empty string)
>
>
> Any help would be appreciated
>
> Starting the system...
> ALERT 139961385809696 07:54:21.0 TRXManager.cpp:434:powerOff: POWEROFF
> failed with status -1
> 50
> 41
> 1
> <0012> l1ctl.c:351 Reset received: Starting sync.
> <0012> l1ctl.c:308 Sync acquired, wait for BCCH ...
> <0011> trx.c:190 TRX CLK Indication 2119409
> <0011> trx.c:190 TRX CLK Indication 2119460
> <0011> trx.c:190 TRX CLK Indication 2119511
> <0011> trx.c:190 TRX CLK Indication 2119562
> <0011> trx.c:190 TRX CLK Indication 2119613
> <0011> trx.c:190 TRX CLK Indication 2119664
> <0011> trx.c:190 TRX CLK Indication 2119715
> <0011> trx.c:190 TRX CLK Indication 2119766
> <0011> trx.c:190 TRX CLK Indication 2119817
> <0011> trx.c:190 TRX CLK Indication 2119868
> <0011> trx.c:190 TRX CLK Indication 2119919
> <0011> trx.c:190 TRX CLK Indication 2119970
> <0011> trx.c:190 TRX CLK Indication 2120021
> <0011> trx.c:190 TRX CLK Indication 2120072
> <0011> trx.c:190 TRX CLK Indication 2120123
> <0011> trx.c:190 TRX CLK Indication 2120174
> <0011> trx.c:190 TRX CLK Indication 2120225
> <0011> trx.c:190 TRX CLK Indication 2120276
> <0011> trx.c:190 TRX CLK Indication 2120327
> <0011> trx.c:190 TRX CLK Indication 2120378
> <0011> trx.c:419 TRX Control recv: |READFACTORY|sdrsn|
> <0011> trx.c:432 [!] No handlers found for command 'READFACTORY'. Empty
> response
> <0011> trx.c:220 TRX Control send: |RSP READFACTORY -1|
> ALERT 139961385809696 07:54:26.0 TRXManager.cpp:595:getFactoryCalibration:
> READFACTORY failed with status -1
> <0011> trx.c:419 TRX Control recv: |RXTUNE|899200|
> <0011> trx.c:331 Setting C0 ARFCN to 46 (GSM900)
> <0011> trx.c:220 TRX Control send: |RSP RXTUNE 0 899200|
> <0011> trx.c:419 TRX Control recv: |TXTUNE|944200|
> <0011> trx.c:220 TRX Control send: |RSP TXTUNE 0 944200|
> <0011> trx.c:419 TRX Control recv: |SETBSIC|2|
> <0011> trx.c:220 TRX Control send: |RSP SETBSIC 0|
> <0011> trx.c:419 TRX Control recv: |SETMAXDLY|4|
> <0011> trx.c:220 TRX Control send: |RSP SETMAXDLY 0 4|
> <0011> trx.c:419 TRX Control recv: |SETRXGAIN|0|
> <0011> trx.c:220 TRX Control send: |RSP SETRXGAIN 0 0|
> <0011> trx.c:419 TRX Control recv: |POWERON||
> <0011> trx.c:220 TRX Control send: |RSP POWERON 0|
> <0011> trx.c:419 TRX Control recv: |SETPOWER|0|
> <0011> trx.c:220 TRX Control send: |RSP SETPOWER 0 0|
> <0011> trx.c:419 TRX Control recv: |SETSLOT|0 5|
> <0011> trx.c:220 TRX Control send: |RSP SETSLOT 0 5|
> <0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
> <0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
> response
> <0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
> <0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
> <0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
> response
> <0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
> <0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
> <0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
> response
> <0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
> <0011> trx.c:512 TRX Data 2120429:0:0:a06a94a2530140e0502112a56884a0
> <0011> trx.c:512 TRX Data 2120430:0:0:118a5328040142e042a04a81a80600
> <0011> trx.c:512 TRX Data 2120431:0:0:51a9402542006075080182102042a0
> <0011> trx.c:512 TRX Data 2120432:0:0:4424400420400a65a8022052a07800
> <0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
> <0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
> response
> <0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
> <0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
> <0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
> response
> <0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
> <0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
> <0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
> response
> <0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
> <0011> trx.c:512 TRX Data 2120382:0:0:a05f550a04dd106a017d008015d020
> <0011> trx.c:512 TRX Data 2120383:0:0:2ebf548abbf502eaadd548aeff4400
> <0011> trx.c:512 TRX Data 2120388:0:0:a05f550a04dd106a017d008015d020
> <0011> trx.c:512 TRX Data 2120389:0:0:2ebf548abbf502eaadd548aeff4400
> <0011> trx.c:512 TRX Data 2120390:0:0:047d148847740a6517554000754020
> <0011> trx.c:512 TRX Data 2120391:0:0:44a3ef550a3af5716aabf512aae5d0
> <0011> trx.c:512 TRX Data 2120392:0:0:a05f550a04dd106a017d008015d020
> <0011> trx.c:512 TRX Data 2120393:0:0:2ebf548abbf502eaadd548aeff4400
> <0011> trx.c:512 TRX Data 2120394:0:0:047d148847740a6517554000754020
> <0011> trx.c:512 TRX Data 2120395:0:0:44a3ef550a3af5716aabf512aae5d0
> <0011> trx.c:512 TRX Data 2120384:0:0:047d148847740a6517554000754020
> <0011> trx.c:512 TRX Data 2120385:0:0:44a3ef550a3af5716aabf512aae5d0
> <0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
> <0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
> response
> <0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
> <0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
> <0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
> response
> <0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
> <0011> trx.c:512 TRX Data 2120398:0:0:811d500a01fd40e845d40284155020
> <0011> trx.c:512 TRX Data 2120399:0:0:abff40aafff4026bffd500aadd4080
> <0011> trx.c:512 TRX Data 2120400:0:0:01f5508115d50a651f510801755020
> <0011> trx.c:512 TRX Data 2120401:0:0:10aabdd500aefd7102ab75108bbd50
> 1393221266.065242 139961385809696:
> system ready
>
> 1393221266.065285 139961385809696:
> use the OpenBTSCLI utility to access CLI
>
> <0011> trx.c:190 TRX CLK Indication 2120429
> <0011> trx.c:512 TRX Data 2120520:0:0:c096d65290454478404e00a504f460
> <0011> trx.c:512 TRX Data 2120521:0:0:868be1626f34806bbab501039959f0
> <0011> trx.c:512 TRX Data 2120522:0:0:1dcd716a92124d6d017d44b88d80e0
> <0011> trx.c:512 TRX Data 2120523:0:0:b54b391645229df90a9295874176f0
> <0011> trx.c:512 TRX Data 2120524:0:0:c096d65290454478404e00a504f460
> <0011> trx.c:512 TRX Data 2120525:0:0:868be1626f34806bbab501039959f0
> <0011> trx.c:512 TRX Data 2120526:0:0:1dcd716a92124d6d017d44b88d80e0
> <0011> trx.c:512 TRX Data 2120527:0:0:b54b391645229df90a9295874176f0
> <0011> trx.c:512 TRX Data 2120571:0:0:c096d65290454478404e00a504f460
> <0011> trx.c:512 TRX Data 2120572:0:0:868be1626f34806bbab501039959f0
> <0011> trx.c:512 TRX Data 2120573:0:0:1dcd716a92124d6d017d44b88d80e0
> <0011> trx.c:512 TRX Data 2120574:0:0:b54b391645229df90a9295874176f0
> <0011> trx.c:512 TRX Data 2120473:0:0:c096d65290454478404e00a504f460
> <0011> trx.c:512 TRX Data 2120474:0:0:868be1626f34806bbab501039959f0
> <0011> trx.c:512 TRX Data 2120475:0:0:1dcd716a92124d6d017d44b88d80e0
> <0011> trx.c:512 TRX Data 2120476:0:0:b54b391645229df90a9295874176f0
> <0011> trx.c:512 TRX Data 2120480:0:0:82d854472b9d417c613c4347d79a20
> <0011> trx.c:512 TRX Data 2120481:0:0:4183fbb006f782fa8b53440fe87df0
> <0011> trx.c:512 TRX Data 2120482:0:0:272d65f8c01e98e20cba2298934190
>
>
>
> --
> Sincerely
> Hassan Mourad
>
--
Sincerely
Hassan Mourad
<0011> trx.c:512 TRX Data 2120429:0:0:a06a94a2530140e0502112a56884a0
<0011> trx.c:512 TRX Data 2120430:0:0:118a5328040142e042a04a81a80600
<0011> trx.c:512 TRX Data 2120431:0:0:51a9402542006075080182102042a0
<0011> trx.c:512 TRX Data 2120432:0:0:4424400420400a65a8022052a07800
<0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
<0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
response
<0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
<0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
<0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
response
<0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
<0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
<0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
response
<0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
<0011> trx.c:512 TRX Data 2120382:0:0:a05f550a04dd106a017d008015d020
<0011> trx.c:512 TRX Data 2120383:0:0:2ebf548abbf502eaadd548aeff4400
<0011> trx.c:512 TRX Data 2120388:0:0:a05f550a04dd106a017d008015d020
<0011> trx.c:512 TRX Data 2120389:0:0:2ebf548abbf502eaadd548aeff4400
<0011> trx.c:512 TRX Data 2120390:0:0:047d148847740a6517554000754020
<0011> trx.c:512 TRX Data 2120391:0:0:44a3ef550a3af5716aabf512aae5d0
<0011> trx.c:512 TRX Data 2120392:0:0:a05f550a04dd106a017d008015d020
<0011> trx.c:512 TRX Data 2120393:0:0:2ebf548abbf502eaadd548aeff4400
<0011> trx.c:512 TRX Data 2120394:0:0:047d148847740a6517554000754020
<0011> trx.c:512 TRX Data 2120395:0:0:44a3ef550a3af5716aabf512aae5d0
<0011> trx.c:512 TRX Data 2120384:0:0:047d148847740a6517554000754020
<0011> trx.c:512 TRX Data 2120385:0:0:44a3ef550a3af5716aabf512aae5d0
<0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
<0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
response
<0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
<0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
<0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
response
<0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
<0011> trx.c:512 TRX Data 2120398:0:0:811d500a01fd40e845d40284155020
<0011> trx.c:512 TRX Data 2120399:0:0:abff40aafff4026bffd500aadd4080
<0011> trx.c:512 TRX Data 2120400:0:0:01f5508115d50a651f510801755020
<0011> trx.c:512 TRX Data 2120401:0:0:10aabdd500aefd7102ab75108bbd50
1393221266.065242 139961385809696:
system ready
1393221266.065285 139961385809696:
use the OpenBTSCLI utility to access CLI
<0011> trx.c:190 TRX CLK Indication 2120429
<0011> trx.c:512 TRX Data 2120520:0:0:c096d65290454478404e00a504f460
<0011> trx.c:512 TRX Data 2120521:0:0:868be1626f34806bbab501039959f0
<0011> trx.c:512 TRX Data 2120522:0:0:1dcd716a92124d6d017d44b88d80e0
<0011> trx.c:512 TRX Data 2120523:0:0:b54b391645229df90a9295874176f0
<0011> trx.c:512 TRX Data 2120524:0:0:c096d65290454478404e00a504f460
<0011> trx.c:512 TRX Data 2120525:0:0:868be1626f34806bbab501039959f0
<0011> trx.c:512 TRX Data 2120526:0:0:1dcd716a92124d6d017d44b88d80e0
<0011> trx.c:512 TRX Data 2120527:0:0:b54b391645229df90a9295874176f0
<0011> trx.c:512 TRX Data 2120571:0:0:c096d65290454478404e00a504f460
<0011> trx.c:512 TRX Data 2120572:0:0:868be1626f34806bbab501039959f0
<0011> trx.c:512 TRX Data 2120573:0:0:1dcd716a92124d6d017d44b88d80e0
<0011> trx.c:512 TRX Data 2120574:0:0:b54b391645229df90a9295874176f0
<0011> trx.c:512 TRX Data 2120473:0:0:c096d65290454478404e00a504f460
<0011> trx.c:512 TRX Data 2120474:0:0:868be1626f34806bbab501039959f0
<0011> trx.c:512 TRX Data 2120475:0:0:1dcd716a92124d6d017d44b88d80e0
<0011> trx.c:512 TRX Data 2120476:0:0:b54b391645229df90a9295874176f0
<0011> trx.c:512 TRX Data 2120480:0:0:82d854472b9d417c613c4347d79a20
<0011> trx.c:512 TRX Data 2120481:0:0:4183fbb006f782fa8b53440fe87df0
<0011> trx.c:512 TRX Data 2120482:0:0:272d65f8c01e98e20cba2298934190
--
Sincerely
Hassan Mourad
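A small reader for the trx.c log above, added here as an example (it is not code from the thread, from osmocom-bb or from OpenBTS). It pulls the control exchange out of the log, lists which commands the firmware answered with a non-zero status (READFACTORY and NOHANDOVER in the post, both logged as "No handlers found"), and checks that the RXTUNE/TXTUNE frequencies OpenBTS sent agree with the ARFCN the firmware derived. The sample log lines are constructed in the shape of the post's output; the GSM900 channel arithmetic (uplink of ARFCN n at 890 MHz + 200 kHz x n, 45 MHz duplex spacing, E-GSM ARFCNs 975..1023 below 890 MHz) is the standard's, not something taken from the page.

```python
# Added example (not from the thread): a reader for the osmocom-bb trx.c log
# lines in the post above. It separates the OpenBTS control commands the
# transceiver firmware rejected from the ones it accepted, and cross-checks
# the RXTUNE/TXTUNE frequencies against the ARFCN the firmware reported.
import re
from typing import Dict, List

# Constructed sample: lines in the shape of the log above (the wrapped
# "Empty\nresponse" lines are joined back onto one line here).
SAMPLE_LOG = """\
<0011> trx.c:419 TRX Control recv: |READFACTORY|sdrsn|
<0011> trx.c:432 [!] No handlers found for command 'READFACTORY'. Empty response
<0011> trx.c:220 TRX Control send: |RSP READFACTORY -1|
<0011> trx.c:419 TRX Control recv: |RXTUNE|899200|
<0011> trx.c:331 Setting C0 ARFCN to 46 (GSM900)
<0011> trx.c:220 TRX Control send: |RSP RXTUNE 0 899200|
<0011> trx.c:419 TRX Control recv: |TXTUNE|944200|
<0011> trx.c:220 TRX Control send: |RSP TXTUNE 0 944200|
<0011> trx.c:419 TRX Control recv: |SETBSIC|2|
<0011> trx.c:220 TRX Control send: |RSP SETBSIC 0|
<0011> trx.c:419 TRX Control recv: |POWERON||
<0011> trx.c:220 TRX Control send: |RSP POWERON 0|
<0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
<0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty response
<0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
"""

RECV_RE = re.compile(r"TRX Control recv: \|([A-Z]+)\|([^|]*)\|")
RSP_RE = re.compile(r"TRX Control send: \|RSP ([A-Z]+) (-?\d+)(?: ([^|]*))?\|")
NOHANDLER_RE = re.compile(r"No handlers found for command '([A-Z]+)'")
ARFCN_RE = re.compile(r"Setting C0 ARFCN to (\d+) \((\w+)\)")


def parse_control(log: str) -> Dict[str, object]:
    """Walk the log once and collect the control exchange.

    recv      - (command, argument string) pairs the firmware received
    responses - (command, status, argument string) it sent back
    unhandled - commands trx.c reported no handler for
    arfcn     - (arfcn, band) the firmware derived from RXTUNE, or None
    """
    recv, responses, unhandled, arfcn = [], [], set(), None
    for line in log.splitlines():
        m = RECV_RE.search(line)
        if m:
            recv.append((m.group(1), m.group(2)))
            continue
        m = RSP_RE.search(line)
        if m:
            responses.append((m.group(1), int(m.group(2)), m.group(3) or ""))
            continue
        m = NOHANDLER_RE.search(line)
        if m:
            unhandled.add(m.group(1))
            continue
        m = ARFCN_RE.search(line)
        if m:
            arfcn = (int(m.group(1)), m.group(2))
    return {"recv": recv, "responses": responses, "unhandled": unhandled, "arfcn": arfcn}


def failed_commands(log: str) -> List[str]:
    """Distinct commands the firmware answered with a non-zero status, sorted."""
    parsed = parse_control(log)
    return sorted({cmd for cmd, status, _ in parsed["responses"] if status != 0})


def arfcn_from_uplink_khz(f_khz: int) -> int:
    """Map a GSM900 uplink frequency in kHz to its ARFCN.

    P-GSM: ARFCN 0..124 at 890000 + 200*n kHz.
    E-GSM: ARFCN 975..1023 at 890000 + 200*(n - 1024) kHz.
    """
    if (f_khz - 890000) % 200:
        raise ValueError(f"{f_khz} kHz is not on the 200 kHz GSM raster")
    n = (f_khz - 890000) // 200
    if 0 <= n <= 124:
        return n
    if -49 <= n <= -1:
        return n + 1024
    raise ValueError(f"{f_khz} kHz is outside the GSM900 uplink band")


def check_tuning(log: str) -> Dict[str, object]:
    """Cross-check RXTUNE/TXTUNE against the ARFCN trx.c reported.

    OpenBTS hands the transceiver its receive (uplink) frequency in RXTUNE
    and its transmit (downlink) frequency in TXTUNE; GSM900 duplex spacing
    is 45 MHz, so TXTUNE - RXTUNE should be 45000 kHz.
    """
    parsed = parse_control(log)
    tune = {cmd: int(arg) for cmd, arg in parsed["recv"] if cmd in ("RXTUNE", "TXTUNE")}
    rx, tx = tune.get("RXTUNE"), tune.get("TXTUNE")
    reported = parsed["arfcn"][0] if parsed["arfcn"] else None
    expected = arfcn_from_uplink_khz(rx) if rx is not None else None
    return {
        "rx_khz": rx,
        "tx_khz": tx,
        "expected_arfcn": expected,
        "reported_arfcn": reported,
        "duplex_ok": rx is not None and tx is not None and tx - rx == 45000,
        "arfcn_ok": expected is not None and expected == reported,
    }


if __name__ == "__main__":
    print("rejected commands:", failed_commands(SAMPLE_LOG))
    print("tuning check:", check_tuning(SAMPLE_LOG))
```

Run against the post's log this reports 899200/944200 kHz as ARFCN 46 with the 45 MHz spacing intact, so the tuning side of the bring-up is self-consistent; the two commands the firmware has no handler for are the remaining visible anomalies, which the parser surfaces without claiming they explain the missing network.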
Hi all,
I am new to this open source community.
I am looking for some "basic" open source code that would be compliant with the UMTS standard. By basic I mean I would simply try to manipulate my RTL2832U-based DVB-T dongle (on a R-Pi) to make it reach, let's say, the neighborhood cell IDs plus their corresponding receive power.
Maybe I am stupid, but despite the time I have spent on the websites, and while there is a lot of very interesting stuff related to the GSM/GPRS/LTE standards, I could not find anything compliant. Even AT commands would sound good to me at first.
Thanks for your answers or even for any clue,
Cheers,
Sébastien
Hi Michael,
It is my intention to share an image and speed the process
up for other researchers interested in GSM attacks and building simulations
in their labs. At this time there are code changes I want to expand upon
before I do (predominantly cosmetic changes and making more of its features
usable from the Python script). I am also hoping that enhanced detection of
fakeBTS attacks will be expanded upon by the osmocom-bb toolkit (the launch
of the detection capability occurred in December 2013 at CCC), which would
sufficiently detect anyone attempting to use tools of this nature in an
illegal way. Most of the work I did can be recreated from the slides
previously provided. If you are interested in the E100 platform, I spent
a lot of time exploring its capabilities and re-compiling packages. I first
started trying to build the firmware from scratch, with some discussion
occurring between myself and the firmware developer at Ettus; eventually it
became easier to customize the firmware provided by Ettus, the most
difficult change being a cross-compiled kernel to enable netfilter so that
IP routing became practical, thus allowing for GPRS capabilities. I also had
issues with the OpenBTS 52MTransceiver application in the more recent
commits, as a significant overhaul has begun on changing its capabilities. I
eventually settled on the r6718 version as this provided GPRS capabilities and
also was the last version functioning with the 52MTransceiver application.
Most of the firmware I had to rebuild from source, including things not
available in package repos such as libpcap, Asterisk (w/ ODBC), ODBC,
libsqlite and Python, to get the capabilities I needed to demonstrate the
practical elements of a GSM attack from an embedded device. I will be
releasing the firmware image as soon as I tidy up some of my Python code
and detection tools become more effective. If you do really need the image
for some research purpose then please e-mail me directly and I will gladly
share a copy with you, provided I can understand better your requirement
for needing an off-the-shelf attack tool for GSM.
Kind Regards,
Matthew
On Fri, Feb 14, 2014 at 3:53 PM, Michael Mooradian <
mooradianm(a)nkiengineering.com> wrote:
> Matthew,
>
> Is there any chance you will post the GreedyBTS E100 image online, or
> maybe even a screen capture demonstration of it working? I am very
> interested in how you were able to handle making the E100 run more
> efficiently. Also impressive is how you were able to script some very
> useful commands into your shell script. I would be very interested in how
> you were able to group all of it together.
>
> Thank you for any feedback you can give,
>
> Michael
>
>
> On Fri, Feb 7, 2014 at 5:12 AM, Hacker Fantastic <
> hackerfantastic(a)googlemail.com> wrote:
>
>> Hi all,
>> My first attempt to send this email didn't appear to succeed so I
>> am re-sending without attachment. Here is a copy of some slides
>> https://github.com/HackerFantastic/Public/blob/master/presentations/mwri_la… I wrote for a presentation on security weaknesses within GSM. I used an
>> Ettus E100 to develop a malicious BTS and GSM related attacks in a Faraday
>> cage and presented on how these attacks work to better understand them for
>> defensive purposes. I was able to use the E100 as a generic IP router after
>> I cross-compiled a new kernel with netfilter enabled, and also I had to
>> recompile a number of the packages such as Asterisk to enable ODBC and
>> improved SQLite support; I also had to make some changes to Python and its
>> modules. I used GNU Radio 3.6.4 and I had to compile a specific version of
>> the OpenBTS code as the recent transceiver application did not function
>> with the E100. I was able to get the E100 to work as a GSM/GPRS router and
>> do real-time call placement etc. I got it to function with real-time
>> support and wrote a small script to provision new devices by watching the
>> syslog and adding to the SQLite database.
>>
>> I also used osmocom-bb to do things like use gnuplot and graph the
>> channel usage although the code is extremely ugly! I took RSSI measurements
>> over a period of time into images and then tied them together for a movie,
>> it isn't quite realtime but it makes pretty graphs. I mentioned how you
>> could implement the MS side of the GSM stack using the osmocom project and
>> as such am sharing the slides with the osmocom list.
>>
>> Just goes to show how mighty things come in small packages! Hope this
>> material is useful to others on the list who may also be trying similar
>> experiments. I ended up creating a firmware image that could be used to dd
>> and boot an E100 but at this time I do not plan on hosting it for download
>> unless there is sufficient interest. If you need it for some reason drop me
>> an e-mail.
>>
>> Here is an example of the output of the greedyBTS script. As an example
>> my code plays "Rick Astley - never going to give you up" when a user places
>> a phone call and they have been provisioned with service. All of this work
>> was done in a Faraday cage which I obtained from Ramsey Electronics, which
>> had a very good frequency attenuation graph from 0 MHz all the way to 1 GHz.
>>
>> root@usrp-e1xx:~# ./launch.sh
>> Launching asterisk
>> Launching HLR SMS
>> Launching OpenBTS
>> Launching Greedy BTS..
>>
>> 888 888 d8
>> e88 888 888,8, ,e e, ,e e, e88 888 Y8b Y888P 888 88e d88 dP"Y
>> d888 888 888 " d88 88b d88 88b d888 888 Y8b Y8P 888 888b d88888 C88b
>> Y888 888 888 888 , 888 , Y888 888 Y8b Y 888 888P 888 Y88D
>> "88 888 888 "YeeP" "YeeP" "88 888 888 888 88" 888 d,dP
>> , 88P 888 pDK++
>> "8",P" 888
>>
>> [+] Current CELL configuration
>> [-] ==========================
>> [-] Shortname: 'Noone'
>> [-] MCC: 901 MNC: 70 C0 ARFCN: 51
>> [-] LAC: 3336 ARFCN's: 1 BAND: 900
>> [-]
>> [-] Radio Power
>> [-] ===========
>> [-] RxGain: 47 MaxPower: 10 MinPower: 0
>>
>> --> help
>> [+] HELP SCREEN
>> [-] dump imei - lists all identified IMEI
>> [-] dump assoc - lists all IMEI+IMSI associations
>> [-] dump imsi - lists all identified IMSI
>> [-] dump save - store a record of all identities
>> [-] start service - provide service to IMSI & log traffic
>> [-] show service - show all provisioned phones
>> [-] stop service - deletes an identified IMSI from HLR
>> [-] calls - provide call collection statistics
>> [-] sms - provide sms collection statistics
>> [!] gprs - provide gprs collection statistics
>> [-] cellconfig - configure cell parameters for spoofing
>> [-] cellinfo - dump information on current cell
>> [-] cellshow - list short codes for common cells
>> [!] sounddial - play a sound recording to an IMSI
>> [!] spoofsms - send a spoof SMS message to an IMSI
>> [!] trunksetup - display current SIP trunk details
>> [-] verbose - turn on real time tracing
>> [-] exit - leave without shutdown
>> [-] shutdown - bye!
>> --> dump imei
>> [+] Dumping seen handset IMEI
>> [-] 1: IMEI359209002648230
>> [-] 2: IMEI358622002760070
>> [-] 3: IMEI350694801239040
>> [-] Total IMEI identified 3
>> --> dump imsi
>> [+] Dumping IMSI capture results
>> [-] 1: IMSI901700000002484
>> [-] 2: IMSI901700000002486
>> [-] 3: IMSI901700000002488
>> [-] Total IMSI identified 3
>> --> dump assoc
>> [+] Dumping IMSI/IMEI association
>> [-] 1 IMEI:358622002760070 used IMSI901700000002486
>> [-] 2 IMEI:350694801239040 used IMSI901700000002488
>> [-] Total associations 2
>> --> show service
>> [+] Displaying all provisioned IMSI
>> [-] 1: exten: 2100 user: IMSI001010000000000
>> [-] 2: exten: 2339 user: IMSI901700000002484
>> [-] Total subscriber count 2
>> --> stop service
>> [+] Deleting IMSI from HLR
>> [-] Enter IMSI: IMSI901700000002484
>> [-] Deleted IMSI901700000002484
>> --> help
>> [+] HELP SCREEN
>> [-] dump imei - lists all identified IMEI
>> [-] dump assoc - lists all IMEI+IMSI associations
>> [-] dump imsi - lists all identified IMSI
>> [-] dump save - store a record of all identities
>> [-] start service - provide service to IMSI & log traffic
>> [-] show service - show all provisioned phones
>> [-] stop service - deletes an identified IMSI from HLR
>> [-] calls - provide call collection statistics
>> [-] sms - provide sms collection statistics
>> [!] gprs - provide gprs collection statistics
>> [-] cellconfig - configure cell parameters for spoofing
>> [-] cellinfo - dump information on current cell
>> [-] cellshow - list short codes for common cells
>> [!] sounddial - play a sound recording to an IMSI
>> [!] spoofsms - send a spoof SMS message to an IMSI
>> [!] trunksetup - display current SIP trunk details
>> [-] verbose - turn on real time tracing
>> [-] exit - leave without shutdown
>> [-] shutdown - bye!
>> --> dump imei
>> [+] Dumping seen handset IMEI
>> [-] 1: IMEI359209002648230
>> [-] 2: IMEI358622002760070
>> [-] 3: IMEI350694801239040
>> [-] Total IMEI identified 3
>> --> dump imsi
>> [+] Dumping IMSI capture results
>> [-] 1: IMSI901700000002484
>> [-] 2: IMSI901700000002486
>> [-] 3: IMSI901700000002488
>> [-] Total IMSI identified 3
>> --> dump assoc
>> [+] Dumping IMSI/IMEI association
>> [-] 1 IMEI:358622002760070 used IMSI901700000002486
>> [-] 2 IMEI:350694801239040 used IMSI901700000002488
>> [-] Total associations 2
>> --> dump save
>> [+] Saving IMSI capture results
>> [+] Saving seen handset IMEI
>> [+] Saving IMSI/IMEI association
>> [-] logfile stored as 'greedybts.log'
>> --> shutdown
>> root@usrp-e1xx:~# cat greedybts.log
>> [-] 1: IMSI901700000002484
>> [-] 2: IMSI901700000002486
>> [-] 3: IMSI901700000002488
>> [-] Total IMSI identified 3
>> [-] 1: IMEI359209002648230
>> [-] 2: IMEI358622002760070
>> [-] 3: IMEI350694801239040
>> [-] Total IMEI identified 3
>> [-] 1 IMEI:358622002760070 used IMSI901700000002486
>> [-] 2 IMEI:350694801239040 used IMSI901700000002488
>> [-] Total associations 2
>>
>> Kind Regards,
>> Matthew
>>
>> _______________________________________________
>> Openbts-discuss mailing list
>> Openbts-discuss(a)lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/openbts-discuss
>>
>>
>
>
> --
>
> Michael Mooradian
> Nathan Kunes Inc.
> 5055 North Harbor Drive, Suite 230
> San Diego, CA 92106
> 619-822-1045 MAIN
> 619-553-3076 DIRECT
> 619-997-7055 CELL
> 619-221-1235 FAX
> mooradianm(a)nkiengineering.com
>
>
--
Matthew Hickey
Tel: +44 7543 661237
Web: http://blog.hackerfantastic.com
Please visit my website for blog postings, status updates and project
information.
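Matthew's remark about fake-BTS detection is the defender's side of this thread. As an added illustration (our code, not the thread's, osmocom-bb's or any detection tool's), here is a minimal indicator check of the kind such a tool runs over what a baseband can read from a cell's broadcast channel without attaching to it. The heuristics are assumptions of ours rather than anything the thread specifies: a PLMN outside the handset's expected set, the reserved test MCC 001 (the greedyBTS HLR above carries a subscriber from it, IMSI001010000000000), an empty neighbour list, and a location area code never seen before for that PLMN. The sample observations are constructed; 262/99 is a placeholder home PLMN, and the rogue cell's values are the ones the greedyBTS output above prints.

```python
# Added example (not from the thread): a minimal fake-BTS indicator check in
# the spirit of the osmocom-bb based detection work mentioned above. The
# heuristics and the sample observations are ours, not the thread's.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PLMN = Tuple[str, str]  # (MCC, MNC) as broadcast in the cell's system information


@dataclass
class CellObservation:
    """What a baseband can read from a cell's BCCH without attaching to it."""
    mcc: str
    mnc: str
    lac: int
    arfcn: int
    neighbor_arfcns: List[int] = field(default_factory=list)


class CellWatch:
    """Tracks cells seen over time and flags indicators of a rogue cell.

    home_plmns: the (MCC, MNC) pairs the handset is expected to see.
    """

    # MCC 001 is the reserved test-network code; no operator broadcasts it.
    TEST_MCC = "001"

    def __init__(self, home_plmns: Set[PLMN]) -> None:
        self.home_plmns = set(home_plmns)
        self.seen_lacs: Dict[PLMN, Set[int]] = {}

    def assess(self, obs: CellObservation) -> List[str]:
        """Return the indicator names this observation trips (possibly none)."""
        indicators: List[str] = []
        plmn = (obs.mcc, obs.mnc)
        if obs.mcc == self.TEST_MCC:
            indicators.append("test_plmn")
        if plmn not in self.home_plmns:
            indicators.append("unexpected_plmn")
        if not obs.neighbor_arfcns:
            # A real cell advertises neighbours for reselection; a one-cell
            # "network" like the one in the post has none to advertise.
            indicators.append("no_neighbors")
        known = self.seen_lacs.setdefault(plmn, set())
        if known and obs.lac not in known:
            # Entering a LAC never seen for this PLMN triggers a location
            # update, the exchange in which identities are requested.
            indicators.append("new_lac")
        known.add(obs.lac)
        return indicators


# Constructed observations: a placeholder home PLMN 262/99 (not a real
# operator) and the cell configuration the greedyBTS output above prints.
HOME_CELL = CellObservation("262", "99", lac=1234, arfcn=60, neighbor_arfcns=[62, 64])
HOME_CELL_OTHER_LAC = CellObservation("262", "99", lac=4321, arfcn=62, neighbor_arfcns=[60, 64])
GREEDY_CELL = CellObservation("901", "70", lac=3336, arfcn=51)
TEST_CELL = CellObservation("001", "01", lac=1, arfcn=51)


def run_demo() -> Dict[str, List[str]]:
    """Feed the constructed observations through one CellWatch in order."""
    watch = CellWatch({("262", "99")})
    return {
        "home": watch.assess(HOME_CELL),
        "home_again": watch.assess(HOME_CELL),
        "home_other_lac": watch.assess(HOME_CELL_OTHER_LAC),
        "greedy": watch.assess(GREEDY_CELL),
        "test": watch.assess(TEST_CELL),
    }


if __name__ == "__main__":
    for name, flags in run_demo().items():
        print(f"{name:15s} {flags or 'clean'}")
```

Each indicator alone is weak: a handset that travels sees new LACs all the time, and small private cells legitimately have few neighbours, so a real detector scores and correlates these over time rather than alerting on any one of them.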
Hi all,
My first attempt to send this email didn't appear to succeed so I
am re-sending without attachment. Here is a copy of some slides
https://github.com/HackerFantastic/Public/blob/master/presentations/mwri_la…
I wrote for a presentation on security weaknesses within GSM. I used an
Ettus E100 to develop a malicious BTS and GSM related attacks in a Faraday
cage and presented on how these attacks work to better understand them for
defensive purposes. I was able to use the E100 as a generic IP router after
I cross-compiled a new kernel with netfilter enabled, and also I had to
recompile a number of the packages such as Asterisk to enable ODBC and
improved SQLite support; I also had to make some changes to Python and its
modules. I used GNU Radio 3.6.4 and I had to compile a specific version of
the OpenBTS code as the recent transceiver application did not function
with the E100. I was able to get the E100 to work as a GSM/GPRS router and
do real-time call placement etc. I got it to function with real-time
support and wrote a small script to provision new devices by watching the
syslog and adding to the SQLite database.
I also used osmocom-bb to do things like use gnuplot and graph the channel
usage although the code is extremely ugly! I took RSSI measurements over a
period of time into images and then tied them together for a movie, it
isn't quite realtime but it makes pretty graphs. I mentioned how you could
implement the MS side of the GSM stack using the osmocom project and as
such am sharing the slides with the osmocom list.
Just goes to show how mighty things come in small packages! Hope this
material is useful to others on the list who may also be trying similar
experiments. I ended up creating a firmware image that could be used to dd
and boot an E100 but at this time I do not plan on hosting it for download
unless there is sufficient interest. If you need it for some reason drop me
an e-mail.
Here is an example of the output of the greedyBTS script. As an example my
code plays "Rick Astley - never going to give you up" when a user places a
phone call and they have been provisioned with service. All of this work
was done in a Faraday cage which I obtained from Ramsey Electronics, which
had a very good frequency attenuation graph from 0 MHz all the way to 1 GHz.
root@usrp-e1xx:~# ./launch.sh
Launching asterisk
Launching HLR SMS
Launching OpenBTS
Launching Greedy BTS..
888 888 d8
e88 888 888,8, ,e e, ,e e, e88 888 Y8b Y888P 888 88e d88 dP"Y
d888 888 888 " d88 88b d88 88b d888 888 Y8b Y8P 888 888b d88888 C88b
Y888 888 888 888 , 888 , Y888 888 Y8b Y 888 888P 888 Y88D
"88 888 888 "YeeP" "YeeP" "88 888 888 888 88" 888 d,dP
, 88P 888 pDK++
"8",P" 888
[+] Current CELL configuration
[-] ==========================
[-] Shortname: 'Noone'
[-] MCC: 901 MNC: 70 C0 ARFCN: 51
[-] LAC: 3336 ARFCN's: 1 BAND: 900
[-]
[-] Radio Power
[-] ===========
[-] RxGain: 47 MaxPower: 10 MinPower: 0
--> help
[+] HELP SCREEN
[-] dump imei - lists all identified IMEI
[-] dump assoc - lists all IMEI+IMSI associations
[-] dump imsi - lists all identified IMSI
[-] dump save - store a record of all identities
[-] start service - provide service to IMSI & log traffic
[-] show service - show all provisioned phones
[-] stop service - deletes an identified IMSI from HLR
[-] calls - provide call collection statistics
[-] sms - provide sms collection statistics
[!] gprs - provide gprs collection statistics
[-] cellconfig - configure cell parameters for spoofing
[-] cellinfo - dump information on current cell
[-] cellshow - list short codes for common cells
[!] sounddial - play a sound recording to an IMSI
[!] spoofsms - send a spoof SMS message to an IMSI
[!] trunksetup - display current SIP trunk details
[-] verbose - turn on real time tracing
[-] exit - leave without shutdown
[-] shutdown - bye!
--> dump imei
[+] Dumping seen handset IMEI
[-] 1: IMEI359209002648230
[-] 2: IMEI358622002760070
[-] 3: IMEI350694801239040
[-] Total IMEI identified 3
--> dump imsi
[+] Dumping IMSI capture results
[-] 1: IMSI901700000002484
[-] 2: IMSI901700000002486
[-] 3: IMSI901700000002488
[-] Total IMSI identified 3
--> dump assoc
[+] Dumping IMSI/IMEI association
[-] 1 IMEI:358622002760070 used IMSI901700000002486
[-] 2 IMEI:350694801239040 used IMSI901700000002488
[-] Total associations 2
--> show service
[+] Displaying all provisioned IMSI
[-] 1: exten: 2100 user: IMSI001010000000000
[-] 2: exten: 2339 user: IMSI901700000002484
[-] Total subscriber count 2
--> stop service
[+] Deleting IMSI from HLR
[-] Enter IMSI: IMSI901700000002484
[-] Deleted IMSI901700000002484
--> help
[+] HELP SCREEN
[-] dump imei - lists all identified IMEI
[-] dump assoc - lists all IMEI+IMSI associations
[-] dump imsi - lists all identified IMSI
[-] dump save - store a record of all identities
[-] start service - provide service to IMSI & log traffic
[-] show service - show all provisioned phones
[-] stop service - deletes an identified IMSI from HLR
[-] calls - provide call collection statistics
[-] sms - provide sms collection statistics
[!] gprs - provide gprs collection statistics
[-] cellconfig - configure cell parameters for spoofing
[-] cellinfo - dump information on current cell
[-] cellshow - list short codes for common cells
[!] sounddial - play a sound recording to an IMSI
[!] spoofsms - send a spoof SMS message to an IMSI
[!] trunksetup - display current SIP trunk details
[-] verbose - turn on real time tracing
[-] exit - leave without shutdown
[-] shutdown - bye!
--> dump imei
[+] Dumping seen handset IMEI
[-] 1: IMEI359209002648230
[-] 2: IMEI358622002760070
[-] 3: IMEI350694801239040
[-] Total IMEI identified 3
--> dump imsi
[+] Dumping IMSI capture results
[-] 1: IMSI901700000002484
[-] 2: IMSI901700000002486
[-] 3: IMSI901700000002488
[-] Total IMSI identified 3
--> dump assoc
[+] Dumping IMSI/IMEI association
[-] 1 IMEI:358622002760070 used IMSI901700000002486
[-] 2 IMEI:350694801239040 used IMSI901700000002488
[-] Total associations 2
--> dump save
[+] Saving IMSI capture results
[+] Saving seen handset IMEI
[+] Saving IMSI/IMEI association
[-] logfile stored as 'greedybts.log'
--> shutdown
root@usrp-e1xx:~# cat greedybts.log
[-] 1: IMSI901700000002484
[-] 2: IMSI901700000002486
[-] 3: IMSI901700000002488
[-] Total IMSI identified 3
[-] 1: IMEI359209002648230
[-] 2: IMEI358622002760070
[-] 3: IMEI350694801239040
[-] Total IMEI identified 3
[-] 1 IMEI:358622002760070 used IMSI901700000002486
[-] 2 IMEI:350694801239040 used IMSI901700000002488
[-] Total associations 2
Kind Regards,
Matthew
Hi all,
Here is a copy of some slides I wrote for a presentation on
security weaknesses within GSM. I used an Ettus E100 to develop a malicious
BTS and GSM related attacks in a Faraday cage and presented on how these
attacks work to better understand them for defensive purposes. I was able
to use the E100 as a generic IP router after I cross-compiled a new kernel
with netfilter enabled, and also I had to recompile a number of the packages
such as Asterisk to enable ODBC and improved SQLite support; I also had to
make some changes to Python and its modules. I used GNU Radio 3.6.4 and I
had to compile a specific version of the OpenBTS code as the recent
transceiver application did not function with the E100. I was able to get
the E100 to work as a GSM/GPRS router and do real-time call placement etc.
I got it to function with real-time support and wrote a small script to
provision new devices by watching the syslog and adding to the SQLite
database.
I also used osmocom-bb to do things like use gnuplot and graph the channel
usage although the code is extremely ugly! I took RSSI measurements over a
period of time into images and then tied them together for a movie, it
isn't quite realtime but it makes pretty graphs. I mentioned how you could
implement the MS side of the GSM stack using the osmocom project and as
such am sharing the slides here.
Just goes to show how mighty things come in small packages! Hope this
material is useful to others on the list who may also be trying similar
experiments. I ended up creating a firmware image that could be used to dd
and boot an E100 but at this time I do not plan on hosting it for download
unless there is sufficient interest. If you need it for some reason drop me
an e-mail.
Kind Regards,
Matthew
Dear all,
The time has come to fill out the "Talks/Discussions/Workshop / Hacking"
section of the wiki page.
If you have something you'd like to present, talk about or hack on,
add it there. A simple descriptive title along with an estimated
duration is enough.
I guess we'll collect those for 2 to 3 weeks and then start making the schedule.
Cheers,
Sylvain