I'm at the point w/ flashing firmware where I feel like I need to use a debugger w/ JTAG. I figured I could probably use serial line logging somehow but JTAG seems better and I should learn it anyway.
Has anyone pried open the shield on a c139/c140 and tried attaching to the JTAG test points that are just inside the shield next to the test points which are accessible via the battery compartment?
Attached is a simple patch which adds little-endian & big-endian macros to move bytes to
and from multibyte integer types like uint16_t, uint32_t etc.
Some of this code is used right away in msgb.h, but it will also be used in the kasumi
implementation later on.
--
best regards,
Max, http://fairwaves.ru
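The kind of helper the patch describes, as an added example written for this page (not Max's patch and not libosmocore's own code; the function names are assumptions). It also shows the bounds check a msgb-style parser needs before pulling a multi-byte field:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Byte-order helpers (example written for this page, not the libosmocore
 * patch itself).  Every access is byte-wise, so the result is identical on
 * little- and big-endian hosts and never relies on casting a uint8_t
 * pointer to uint16_t* or uint32_t* (unaligned access, strict aliasing). */

static inline uint16_t load_le16(const uint8_t *p)
{
	return (uint16_t)((uint16_t)p[0] | ((uint16_t)p[1] << 8));
}

static inline uint16_t load_be16(const uint8_t *p)
{
	return (uint16_t)(((uint16_t)p[0] << 8) | (uint16_t)p[1]);
}

static inline uint32_t load_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static inline uint32_t load_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static inline void store_le16(uint8_t *p, uint16_t v)
{
	p[0] = (uint8_t)(v & 0xff);
	p[1] = (uint8_t)(v >> 8);
}

static inline void store_be16(uint8_t *p, uint16_t v)
{
	p[0] = (uint8_t)(v >> 8);
	p[1] = (uint8_t)(v & 0xff);
}

static inline void store_le32(uint8_t *p, uint32_t v)
{
	for (int i = 0; i < 4; i++)
		p[i] = (uint8_t)(v >> (8 * i));
}

static inline void store_be32(uint8_t *p, uint32_t v)
{
	for (int i = 0; i < 4; i++)
		p[3 - i] = (uint8_t)(v >> (8 * i));
}

/* Bounds-checked read of a big-endian 16-bit field at 'off' inside a
 * 'len'-byte message buffer: the check a parser must make before pulling
 * a multi-byte field out of untrusted input.  Returns -1 if the field
 * would run past the end of the buffer, else the value in 0..65535. */
static long read_be16_checked(const uint8_t *buf, size_t len, size_t off)
{
	if (off > len || len - off < 2)
		return -1;
	return load_be16(buf + off);
}

/* Round-trip self-check: encode v both ways, confirm the two encodings are
 * byte-reversed images of each other, and that each decodes back to v. */
static bool roundtrip_ok(uint32_t v)
{
	uint8_t le[4], be[4];

	store_le32(le, v);
	store_be32(be, v);
	for (int i = 0; i < 4; i++)
		if (le[i] != be[3 - i])
			return false;
	return load_le32(le) == v && load_be32(be) == v;
}
```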
Hello.
Attached is a trivial patch which breaks the existing GPRS cipher API of libosmocore by
switching from a fixed 64-bit Kc to a variable-length one.
There are several justifications for that:
- compliance with ETSI TS 155.22 (GEA4 - 128-bit Kc) and all further versions
- similarity to the existing auth API (osmocom/crypt/auth.h uses 128 bits as well)
- nobody uses this API anyway (except my other patches with GEA)
- the patch breaks nothing within libosmocore (make check succeeds) or openbsc (which uses
gea0 only)
That's why I think the next libosmocore version should apply this patch and change the unused
API before someone actually starts using it and makes the transition more difficult.
--
best regards,
Max, http://fairwaves.ru
Hi all,
I have been experimenting for a while now with the EMI firmware. My goal is to create controlled interference for an experiment.
My current setup is the following:
- one osmo phone with the EMI firmware transmitting on a single time slot
- one USRP2 at the receiving side
I use GNURadio for sampling and Matlab for post-processing.
My problem is that once I analyse the received bursts in Matlab I am not able to decode their content. I expect to see the same sequence repeated over time since dummy bursts are being transmitted, as detailed in the wiki. However, this is not the case.
After going through the code I am not sure how the transmitted sequence is generated, nor which ciphering sequence is used.
Could you help me with these issues?
Thanks,
Enrique
dexter <zero-kelvin(a)gmx.de> wrote:
> It's time Again!
> This is the announcement for the next Osmocom Berlin meeting.
> Tomorrow, 8pm @ CCC Berlin, Marienstr. 11, 10117 Berlin
Are there any Osmocom/GSM/etc hackers in California, USA, anywhere
around Los Angeles or San Diego? Perhaps we can have our own local
meetings too, like the Berliners do? If there is any interest, I
would be happy to host.
VLR,
SF
Hi All.
It's time Again!
This is the announcement for the next Osmocom Berlin meeting.
Tomorrow, 8pm @ CCC Berlin, Marienstr. 11, 10117 Berlin
There is no formal presentation scheduled for this meeting.
If you are interested in showing up, feel free to do so. There is no
registration required. The meeting is free as in "free beer", despite
no actual free beer being around.
I am looking forward to seeing you there!
regards.
Philipp
Hello LSX,
Thanks for your input.
I am using the sylvain/testing branch, and trx was compiled correctly.
On Mon, Feb 24, 2014 at 8:31 AM, LSX <289039690(a)qq.com> wrote:
>
> I have tested this article; at the time of testing I was not using this branch but the jolly/testing branch. It could find openbts and had signal, but could not register with the base station. That is as far as I got.
--
Sincerely
Hassan Mourad
Hi Guys,
So I was trying to use my osmocom phone as a transceiver for OpenBTS.
I followed the procedures indicated in this link
"bb.osmocom.org/trac/wiki/Software/Transceiver" and was able to successfully
load trx.compalram.bin on the phone, connect OpenBTS to it and sync the
clock to the strongest cell around.
I got the output attached from OpenBTS.
For some reason, however, when I search for the network I am unable to find
it.
I cannot figure out what exactly is going on here and I was wondering if
anyone can help.
One thing to point out is that I was never able to set the below value to
the suggested value as it was not in OpenBTS's configuration options. I am
not sure if this has been deprecated or replaced by any other options:
GSM.CellSelection.Neighbors = (set to empty string)
Any help would be appreciated.
Starting the system...
ALERT 139961385809696 07:54:21.0 TRXManager.cpp:434:powerOff: POWEROFF
failed with status -1
50
41
1
<0012> l1ctl.c:351 Reset received: Starting sync.
<0012> l1ctl.c:308 Sync acquired, wait for BCCH ...
<0011> trx.c:190 TRX CLK Indication 2119409
<0011> trx.c:190 TRX CLK Indication 2119460
<0011> trx.c:190 TRX CLK Indication 2119511
<0011> trx.c:190 TRX CLK Indication 2119562
<0011> trx.c:190 TRX CLK Indication 2119613
<0011> trx.c:190 TRX CLK Indication 2119664
<0011> trx.c:190 TRX CLK Indication 2119715
<0011> trx.c:190 TRX CLK Indication 2119766
<0011> trx.c:190 TRX CLK Indication 2119817
<0011> trx.c:190 TRX CLK Indication 2119868
<0011> trx.c:190 TRX CLK Indication 2119919
<0011> trx.c:190 TRX CLK Indication 2119970
<0011> trx.c:190 TRX CLK Indication 2120021
<0011> trx.c:190 TRX CLK Indication 2120072
<0011> trx.c:190 TRX CLK Indication 2120123
<0011> trx.c:190 TRX CLK Indication 2120174
<0011> trx.c:190 TRX CLK Indication 2120225
<0011> trx.c:190 TRX CLK Indication 2120276
<0011> trx.c:190 TRX CLK Indication 2120327
<0011> trx.c:190 TRX CLK Indication 2120378
<0011> trx.c:419 TRX Control recv: |READFACTORY|sdrsn|
<0011> trx.c:432 [!] No handlers found for command 'READFACTORY'. Empty
response
<0011> trx.c:220 TRX Control send: |RSP READFACTORY -1|
ALERT 139961385809696 07:54:26.0 TRXManager.cpp:595:getFactoryCalibration:
READFACTORY failed with status -1
<0011> trx.c:419 TRX Control recv: |RXTUNE|899200|
<0011> trx.c:331 Setting C0 ARFCN to 46 (GSM900)
<0011> trx.c:220 TRX Control send: |RSP RXTUNE 0 899200|
<0011> trx.c:419 TRX Control recv: |TXTUNE|944200|
<0011> trx.c:220 TRX Control send: |RSP TXTUNE 0 944200|
<0011> trx.c:419 TRX Control recv: |SETBSIC|2|
<0011> trx.c:220 TRX Control send: |RSP SETBSIC 0|
<0011> trx.c:419 TRX Control recv: |SETMAXDLY|4|
<0011> trx.c:220 TRX Control send: |RSP SETMAXDLY 0 4|
<0011> trx.c:419 TRX Control recv: |SETRXGAIN|0|
<0011> trx.c:220 TRX Control send: |RSP SETRXGAIN 0 0|
<0011> trx.c:419 TRX Control recv: |POWERON||
<0011> trx.c:220 TRX Control send: |RSP POWERON 0|
<0011> trx.c:419 TRX Control recv: |SETPOWER|0|
<0011> trx.c:220 TRX Control send: |RSP SETPOWER 0 0|
<0011> trx.c:419 TRX Control recv: |SETSLOT|0 5|
<0011> trx.c:220 TRX Control send: |RSP SETSLOT 0 5|
<0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
<0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
response
<0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
<0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
<0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
response
<0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
<0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
<0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
response
<0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
<0011> trx.c:512 TRX Data 2120429:0:0:a06a94a2530140e0502112a56884a0
<0011> trx.c:512 TRX Data 2120430:0:0:118a5328040142e042a04a81a80600
<0011> trx.c:512 TRX Data 2120431:0:0:51a9402542006075080182102042a0
<0011> trx.c:512 TRX Data 2120432:0:0:4424400420400a65a8022052a07800
<0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
<0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
response
<0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
<0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
<0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
response
<0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
<0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
<0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
response
<0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
<0011> trx.c:512 TRX Data 2120382:0:0:a05f550a04dd106a017d008015d020
<0011> trx.c:512 TRX Data 2120383:0:0:2ebf548abbf502eaadd548aeff4400
<0011> trx.c:512 TRX Data 2120388:0:0:a05f550a04dd106a017d008015d020
<0011> trx.c:512 TRX Data 2120389:0:0:2ebf548abbf502eaadd548aeff4400
<0011> trx.c:512 TRX Data 2120390:0:0:047d148847740a6517554000754020
<0011> trx.c:512 TRX Data 2120391:0:0:44a3ef550a3af5716aabf512aae5d0
<0011> trx.c:512 TRX Data 2120392:0:0:a05f550a04dd106a017d008015d020
<0011> trx.c:512 TRX Data 2120393:0:0:2ebf548abbf502eaadd548aeff4400
<0011> trx.c:512 TRX Data 2120394:0:0:047d148847740a6517554000754020
<0011> trx.c:512 TRX Data 2120395:0:0:44a3ef550a3af5716aabf512aae5d0
<0011> trx.c:512 TRX Data 2120384:0:0:047d148847740a6517554000754020
<0011> trx.c:512 TRX Data 2120385:0:0:44a3ef550a3af5716aabf512aae5d0
<0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
<0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
response
<0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
<0011> trx.c:419 TRX Control recv: |NOHANDOVER|0|
<0011> trx.c:432 [!] No handlers found for command 'NOHANDOVER'. Empty
response
<0011> trx.c:220 TRX Control send: |RSP NOHANDOVER -1|
<0011> trx.c:512 TRX Data 2120398:0:0:811d500a01fd40e845d40284155020
<0011> trx.c:512 TRX Data 2120399:0:0:abff40aafff4026bffd500aadd4080
<0011> trx.c:512 TRX Data 2120400:0:0:01f5508115d50a651f510801755020
<0011> trx.c:512 TRX Data 2120401:0:0:10aabdd500aefd7102ab75108bbd50
1393221266.065242 139961385809696:
system ready
1393221266.065285 139961385809696:
use the OpenBTSCLI utility to access CLI
<0011> trx.c:190 TRX CLK Indication 2120429
<0011> trx.c:512 TRX Data 2120520:0:0:c096d65290454478404e00a504f460
<0011> trx.c:512 TRX Data 2120521:0:0:868be1626f34806bbab501039959f0
<0011> trx.c:512 TRX Data 2120522:0:0:1dcd716a92124d6d017d44b88d80e0
<0011> trx.c:512 TRX Data 2120523:0:0:b54b391645229df90a9295874176f0
<0011> trx.c:512 TRX Data 2120524:0:0:c096d65290454478404e00a504f460
<0011> trx.c:512 TRX Data 2120525:0:0:868be1626f34806bbab501039959f0
<0011> trx.c:512 TRX Data 2120526:0:0:1dcd716a92124d6d017d44b88d80e0
<0011> trx.c:512 TRX Data 2120527:0:0:b54b391645229df90a9295874176f0
<0011> trx.c:512 TRX Data 2120571:0:0:c096d65290454478404e00a504f460
<0011> trx.c:512 TRX Data 2120572:0:0:868be1626f34806bbab501039959f0
<0011> trx.c:512 TRX Data 2120573:0:0:1dcd716a92124d6d017d44b88d80e0
<0011> trx.c:512 TRX Data 2120574:0:0:b54b391645229df90a9295874176f0
<0011> trx.c:512 TRX Data 2120473:0:0:c096d65290454478404e00a504f460
<0011> trx.c:512 TRX Data 2120474:0:0:868be1626f34806bbab501039959f0
<0011> trx.c:512 TRX Data 2120475:0:0:1dcd716a92124d6d017d44b88d80e0
<0011> trx.c:512 TRX Data 2120476:0:0:b54b391645229df90a9295874176f0
<0011> trx.c:512 TRX Data 2120480:0:0:82d854472b9d417c613c4347d79a20
<0011> trx.c:512 TRX Data 2120481:0:0:4183fbb006f782fa8b53440fe87df0
<0011> trx.c:512 TRX Data 2120482:0:0:272d65f8c01e98e20cba2298934190
--
Sincerely
Hassan Mourad
Hi all,
I am new on this open source community.
I am looking for a "basic" open source code base that would be compliant with the UMTS standard. By basic I mean that I would simply try to use my RTL2832U-based DVB-T dongle (on a R-PI) to retrieve, let's say, the neighbouring cell IDs plus their corresponding receive power.
Maybe I am stupid, but despite the time I have spent on the websites, and while there is a lot of very interesting stuff related to the GSM/GPRS/LTE standards, I could not find anything compliant. Even AT commands would sound good to me at first.
Thanks for your answers or even for any clue,
Cheers,
Sébastien
Hi Michael,
It is my intention to share an image and speed the process
up for other researchers interested in GSM attacks and building simulations
in their labs. At this time there are code changes I want to expand upon
before I do (predominantly cosmetic changes and making it more feature
useful from the python script). I am also hoping that enhanced detection of
fakeBTS attacks will be expanded upon by the osmocom-bb toolkit (the launch
of the detection capability occurred in December 2013 at CCC), which would
sufficiently detect anyone attempting to use tools of this nature in an
illegal way. Most of the work I did can be recreated from the slides
previously provided. If you are interested in the E100 platform, I spent
a lot of time exploring its capabilities and re-compiling packages. I first
started trying to build the firmware from scratch with some discussion
occurring between myself and the firmware developer at Ettus, eventually it
became easier to customize the firmware provided by Ettus - the most
difficult change being a cross-compiled kernel to enable netfilter so that
IP routing became practical thus allowing for GPRS capabilities. I also had
issues with the OpenBTS 52MTransceiver application in the more recent
commits as significant overhaul has begun on changing its capabilities. I
eventually settled on r6718 version as this provided GPRS capabilities and
also was the last version functioning with the 52MTransceiver application.
Most of the firmware I had to rebuild from source including things not
available in package repos such as libpcap, asterisk (w/ODBC), odbc,
libsqlite and python to get the capabilities I needed to demonstrate the
practical elements of a GSM attack from an embedded device. I will be
releasing the firmware image as soon as I tidy up some of my python code
and detection tools become more effective. If you do really need the image
for some research purpose then please e-mail me directly and I will gladly
share a copy with you providing I can understand better your requirement
for needing an off-the-shelf attack tool for GSM.
Kind Regards,
Matthew
On Fri, Feb 14, 2014 at 3:53 PM, Michael Mooradian <
mooradianm(a)nkiengineering.com> wrote:
> Matthew,
>
> Is there any chance you will post the GreedyBTS E100 image online, or
> maybe even a screen capture demonstration of it working? I am very
> interested in how you were able to handle making the E100 run more
> efficiently. Also impressive is how you were able to script some very
> useful commands into your shell script. I would be very interested in how
> you were able to group all of it together.
>
> Thank you for any feedback you can give,
>
> Michael
>
>
> On Fri, Feb 7, 2014 at 5:12 AM, Hacker Fantastic <
> hackerfantastic(a)googlemail.com> wrote:
>
>> Hi all,
>> My first attempt to send this email didn't appear to succeed so I
>> am re-sending without attachment. Here is a copy of some slides
>> https://github.com/HackerFantastic/Public/blob/master/presentations/mwri_la… wrote for a presentation on security weaknesses within GSM. I used an
>> Ettus E100 to develop a malicious BTS and GSM related attacks in a Faraday
>> cage and presented on how these attacks work to better understand them for
>> defensive purposes. I was able to use the E100 as a generic IP-router after
>> I cross-compiled a new kernel with netfilter enabled and also I had to
>> recompile a number of the packages such as Asterisk to enable ODBC and
>> improved SQLite support; I also had to make some changes to Python and its
>> modules. I used GNURadio 3.6.4 and I had to compile a specific version of
>> the OpenBTS code as the recent transceiver application did not function
>> with the E100. I was able to get the E100 to work as a GSM/GPRS router and
>> do real-time call placement etc. I got it to function with real-time
>> support and wrote a small script to provision new devices by watching the
>> syslog and adding to the SQLite database.
>>
>> I also used osmocom-bb to do things like use gnuplot and graph the
>> channel usage although the code is extremely ugly! I took RSSI measurements
>> over a period of time into images and then tied them together for a movie,
>> it isn't quite realtime but it makes pretty graphs. I mentioned how you
>> could implement the MS side of the GSM stack using the osmocom project and
>> as such am sharing the slides with the osmocom list.
>>
>> Just goes to show how mighty things come in small packages! Hope this
>> material is useful to others on the list who may also be trying similar
>> experiments. I ended up creating a firmware image that could be used to dd
>> and boot an E100 but at this time I do not plan on hosting it for download
>> unless there is sufficient interest. If you need it for some reason drop me
>> an e-mail.
>>
>> Here is an example of the output of the greedyBTS script. As an example
>> my code plays "Rick Astley - never going to give you up" when a user places
>> a phone call and they have been provisioned with service. All of this work
>> was done in a Faraday cage which I obtained from Ramsey Electronics and which
>> had a very good frequency attenuation graph from 0 MHz all the way to 1 GHz.
>>
>> root@usrp-e1xx:~# ./launch.sh
>> Launching asterisk
>> Launching HLR SMS
>> Launching OpenBTS
>> Launching Greedy BTS..
>>
>> [+] Current CELL configuration
>> [-] ==========================
>> [-] Shortname: 'Noone'
>> [-] MCC: 901 MNC: 70 C0 ARFCN: 51
>> [-] LAC: 3336 ARFCN's: 1 BAND: 900
>> [-]
>> [-] Radio Power
>> [-] ===========
>> [-] RxGain: 47 MaxPower: 10 MinPower: 0
>>
>> --> help
>> [+] HELP SCREEN
>> [-] dump imei - lists all identified IMEI
>> [-] dump assoc - lists all IMEI+IMSI associations
>> [-] dump imsi - lists all identified IMSI
>> [-] dump save - store a record of all identities
>> [-] start service - provide service to IMSI & log traffic
>> [-] show service - show all provisioned phones
>> [-] stop service - deletes an identified IMSI from HLR
>> [-] calls - provide call collection statistics
>> [-] sms - provide sms collection statistics
>> [!] gprs - provide gprs collection statistics
>> [-] cellconfig - configure cell parameters for spoofing
>> [-] cellinfo - dump information on current cell
>> [-] cellshow - list short codes for common cells
>> [!] sounddial - play a sound recording to an IMSI
>> [!] spoofsms - send a spoof SMS message to an IMSI
>> [!] trunksetup - display current SIP trunk details
>> [-] verbose - turn on real time tracing
>> [-] exit - leave without shutdown
>> [-] shutdown - bye!
>>
>> --> dump imei
>> [+] Dumping seen handset IMEI
>> [-] 1: IMEI359209002648230
>> [-] 2: IMEI358622002760070
>> [-] 3: IMEI350694801239040
>> [-] Total IMEI identified 3
>>
>> --> dump imsi
>> [+] Dumping IMSI capture results
>> [-] 1: IMSI901700000002484
>> [-] 2: IMSI901700000002486
>> [-] 3: IMSI901700000002488
>> [-] Total IMSI identified 3
>>
>> --> dump assoc
>> [+] Dumping IMSI/IMEI association
>> [-] 1 IMEI:358622002760070 used IMSI901700000002486
>> [-] 2 IMEI:350694801239040 used IMSI901700000002488
>> [-] Total associations 2
>>
>> --> show service
>> [+] Displaying all provisioned IMSI
>> [-] 1: exten: 2100 user: IMSI001010000000000
>> [-] 2: exten: 2339 user: IMSI901700000002484
>> [-] Total subscriber count 2
>>
>> --> stop service
>> [+] Deleting IMSI from HLR
>> [-] Enter IMSI: IMSI901700000002484
>> [-] Deleted IMSI901700000002484
>>
>> --> help
>> [+] HELP SCREEN
>> [-] dump imei - lists all identified IMEI
>> [-] dump assoc - lists all IMEI+IMSI associations
>> [-] dump imsi - lists all identified IMSI
>> [-] dump save - store a record of all identities
>> [-] start service - provide service to IMSI & log traffic
>> [-] show service - show all provisioned phones
>> [-] stop service - deletes an identified IMSI from HLR
>> [-] calls - provide call collection statistics
>> [-] sms - provide sms collection statistics
>> [!] gprs - provide gprs collection statistics
>> [-] cellconfig - configure cell parameters for spoofing
>> [-] cellinfo - dump information on current cell
>> [-] cellshow - list short codes for common cells
>> [!] sounddial - play a sound recording to an IMSI
>> [!] spoofsms - send a spoof SMS message to an IMSI
>> [!] trunksetup - display current SIP trunk details
>> [-] verbose - turn on real time tracing
>> [-] exit - leave without shutdown
>> [-] shutdown - bye!
>>
>> --> dump imei
>> [+] Dumping seen handset IMEI
>> [-] 1: IMEI359209002648230
>> [-] 2: IMEI358622002760070
>> [-] 3: IMEI350694801239040
>> [-] Total IMEI identified 3
>>
>> --> dump imsi
>> [+] Dumping IMSI capture results
>> [-] 1: IMSI901700000002484
>> [-] 2: IMSI901700000002486
>> [-] 3: IMSI901700000002488
>> [-] Total IMSI identified 3
>>
>> --> dump assoc
>> [+] Dumping IMSI/IMEI association
>> [-] 1 IMEI:358622002760070 used IMSI901700000002486
>> [-] 2 IMEI:350694801239040 used IMSI901700000002488
>> [-] Total associations 2
>>
>> --> dump save
>> [+] Saving IMSI capture results
>> [+] Saving seen handset IMEI
>> [+] Saving IMSI/IMEI association
>> [-] logfile stored as 'greedybts.log'
>>
>> --> shutdown
>>
>> root@usrp-e1xx:~# cat greedybts.log
>> [-] 1: IMSI901700000002484
>> [-] 2: IMSI901700000002486
>> [-] 3: IMSI901700000002488
>> [-] Total IMSI identified 3
>> [-] 1: IMEI359209002648230
>> [-] 2: IMEI358622002760070
>> [-] 3: IMEI350694801239040
>> [-] Total IMEI identified 3
>> [-] 1 IMEI:358622002760070 used IMSI901700000002486
>> [-] 2 IMEI:350694801239040 used IMSI901700000002488
>> [-] Total associations 2
>>
>>
>> Kind Regards,
>> Matthew
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Openbts-discuss mailing list
>> Openbts-discuss(a)lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/openbts-discuss
>>
>>
>
>
> --
>
> Michael Mooradian
> Nathan Kunes Inc.
> 5055 North Harbor Drive, Suite 230
> San Diego, CA 92106
> 619-822-1045 MAIN
> 619-553-3076 DIRECT
> 619-997-7055 CELL
> 619-221-1235 FAX
> mooradianm(a)nkiengineering.com
>
>
--
Matthew Hickey
Tel: +44 7543 661237
Web: http://blog.hackerfantastic.com
Please visit my website for blog postings, status updates and project
information.