baseband-devel

baseband-devel@lists.osmocom.org

1 participants
2002 discussions

Re: [airprobe-main] Cell phone tracking using ss7 hlr lookups
by Karsten Nohl 26 Feb '10

26 Feb '10

Hi Yanis, I'm CCing the OsmoconBB list who could perhaps help setup a MSC-GPS data collector. On Feb 22, 2010, at 8:09 PM, Yanis Pavlidis wrote: > Hi all, > > not exactly related to airprobe itself, but I am sure people on this > list could answer my question. > So, after reading Tobias Engels' presentation on 25c3 ( http://events.ccc.de/congress/2008/Fahrplan/attachments/1262_25c3-locating-… > ), I found out you can perform an HLR lookup and come up with the > current MSC number that "controls" the connection of the subscriber, > for any subscriber. Yes, every telco company and VoIP provider with SS7 access in the world always knows where you are. Scary. > My question is, is this MSC number, visible from the mobile phone > side? If yes, somebody could actually wardrive, to get the MSC > number-to-location mapping? > Can airprobe, or OpenBTS help? Creating the {MSC -> location} mapping database would be a very worthwhile exercise. The data collection would have to happen from phones. Either we create an application for one of the popular phone platforms (Symbian, Android, iPhone). Anybody on the list knows if these phones expose the MSC number to application software? Alternative, the Osmocon project could probably expose the MSC information easily. The project is still in early stages and it will take a few months until a collector software could be running. I wonder if any of the supported Motorola phones have GPS? > Forgive my ignorance on all-things-gsm, I am just beginning exploring! Thanks for bringing up the topic! > Thanks all, > Yanis Cheers, -Karsten

5 4

Where to start?
by Huseyin Turan 24 Feb '10

24 Feb '10

Hi; It is really a good work. Congratulations... I hope to develop in this project. Although I do not have any experience about microcontroller development and gsm, I think I can do. I can develop with C or C++. Does anyone suggest me any document, site to start? Thanks...

1 0

some links for Nokia N95
by Benjamin Hagemann 24 Feb '10

24 Feb '10

Hello together, I have collected some informations / links for Nokia N95 and similar topics. Maybe some of them are good enough for the wiki. http://www.nokiaport.de/n95info/?id=processor http://www.nokiaport.de/n95info/?id=pcb http://www.phonewreck.com/wiki/index.php?title=Nokia_N95#Bill_of_Materials RF Transceiver: STMicroelectronics #4380206 Quad-band GSM/GPRS/EDGE, Dual-band UMTS/HSPDA (Unmarked) http://www.phonewreck.com/wiki/images/thumb/8/85/Nokia_N95_pcb_back.jpg/800… http://www.phonewreck.com/wiki/images/thumb/4/4b/Nokia_N95_pcb_front.jpg/80… http://www2.electronicproducts.com/Nokia_N95-whatsinside_text-61.aspx "Under the Hood: Hot 3G phone owes debt to analog" http://www.eetimes.com/showArticle.jhtml?articleID=202800251 http://i.cmpnet.com/eet/news/07/10/DC1500_UTH_1_PG_36.gif Nokia disassembly (Nokia N Gage, N96, N95 8GB, N95, N85, N82, N81 8GB, N80, E90, E71, http://www.gsm-extreme.net/showthread.php?t=25493 OMAP2420 -> ARM11, TMS320C55x DSP, ... http://focus.ti.com/paramsearch/docs/parametricsearch.tsp?family=dsp&sectio… http://focus.ti.com/docs/prod/folders/print/tms320c55.html # Improving 32-Channel DTMF Decoders in PBX Systems Using the TMS320C5x DSP (HTM, 8 KB) 486 views 01 Jun 1996 Read Abstract http://focus.ti.com/general/docs/litabsmultiplefilelist.tsp?literatureNumbe… # Use of the TMS320C5x Internal Oscillator With External Crystals or Resonators (HTM, 8 KB) 404 views 01 Jul 1995 Read Abstract http://focus.ti.com/general/docs/litabsmultiplefilelist.tsp?literatureNumbe… http://focus.ti.com/dsp/docs/dspfindtoolswresults.tsp?sectionId=3&tabId=162… DSP/BIOS 5.x Real-Time Operating System DSPBIOS5 LANsEND LANsEnd uCLinux LEOs® (Linux Embedded Operating System) OSEck http://software-dl.ti.com/dsps/dsps_public_sw/sdo_sb/targetcontent/index.ht… http://software-dl.ti.com/dsps/dsps_public_sw/sdo_sb/targetcontent/dspbios/… http://software-dl.ti.com/dsps/dsps_public_sw/sdo_sb/targetcontent/dspbios/… http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.85.1703&rep=rep1&t… Trends in Hardware Architecture for Mobile Devices Dr. Margarita Esponda Institut für Informatik Freie Universität Berlin Takustr. 9 14195 Berlin November 2004 Page 11: 2.3 Modern DSP Architectures 2.3.1 The TMS320C55 series Page 13: 2.3.2 The TigerSHARK Architecture Page 14: 3 Moving from voice to data centric systems 3.1 Hybrid Processors http://pdf1.alldatasheet.com/datasheet-pdf/view/29043/TI/TMS320C50.html TCS Modem http://www.worldlogic.com.hk/tcs_versions.html http://en.wikipedia.org/wiki/Base_Band_5 Nokia BB5 General information ;) http://forum.gsmhosting.com/vbb/showthread.php?s=34c3b939b47546c9d6c523bb36… Nokia SIM Lock Server (SL-1, SL-2, SL-3) http://www.nokiaport.de/index.php?mid=&pid=dct http://www.nokiaport.de/forum/thread.php?threadid=4666&sid=cf6be43b2f93404b… "Added support for RAPIDO SL_2 based models (al phones who is unlocked by credits with DK, MT, UB)" http://www.gsm-forum.eu/latest-files-shared-nokia/28691-nokia-free-unlock-r… http://www.gsm2back.com/2009/04/hot-free-unlock-rapido-bb5-plus.html http://www.mygsmbd.com/bb5-nokia-base-band-5/914-bb5-contact-service-trun-o… http://www.gsmchevli.com/support/ http://www.gsmchevli.com/support/BANDLOCK/ http://www.gsmchevli.com/support/BB5PM/N95-1/ -- kind regards, Benny gpg 0xFC505AB0 jabber benny(a)benny.de sip benny(a)benny.de

2 2

AW: Phone acting as a BTS
by Andreas.Eversberg 24 Feb '10

24 Feb '10

>> But I guess you can use two MSs, one for transmit and one for receive to >> overcome this limitation. Is there any problems with this approach other >> then good clock synchronization? > >You need a very good clock sync :) But that's something that could be >tried I guess. maybe.. you could sync the "receiver phone" to the "transmitter phone" by using one timeslot. (TS7) or you could sync the receiver phone to a nearby bts and use a control line on the serial link to sync the transmitter phone to the receiver phone. (you need to cross-connect the serial ports on the phones for signalling anyway.) andreas

1 0

Re: Phone acting as a BTS
by Sylvain Munaut 24 Feb '10

24 Feb '10

> But I guess you can use two MSs, one for transmit and one for receive to > overcome this limitation. Is there any problems with this approach other > then good clock synchronization? You need a very good clock sync :) But that's something that could be tried I guess. > PS Looking at pictures of ip.access Nanostation we didn't find any duplexers. > How does it work then? Or have we just missed duplexers on the photos? Nope, no duplexers. There is a TX antenna and a RX antenna. I think they are patch antenna that don't radiate sideways so that they don't leak into one another. There is also a massive chunk of metal between them to isolate :) Sylvain

1 0

Re: Phone acting as a BTS
by Dieter Spaar 24 Feb '10

24 Feb '10

Hello Sylvain, On Wed, 24 Feb 2010 00:06:54 +0100, "Sylvain Munaut" <246tnt(a)gmail.com> wrote: > > Since the beginning, I'm wondering if it would be possible to turn one > of those cheap phone into a BTS. I'm n ot talking a full featured BTS > and the mod will involve hardwares changes obviously. > The more I look at it and the more I think it might work. No, I'm not > crazy, please bear with me until the end of this post :) No, you are not crazy, to be true I thought about it for a while too ;-) It all depends on what you want to do. Just transmitting a C0 so that other phones nearby would recognize the new BTS should be rather easy. You can synhronize on an offical network to adjust the clock, the clock should be stable enough for a while so that other phones can detect the new BTS. There should also be no severe limitations from any filter when transmitting. You are probably out of the specification for the transceiver and maybe the power amplifier but the power should still be good enough to cover an area large enough for experiments. Transmitting the required SBs and FBs should not be too difficult, the DSP cannot generate them, however its rather easy to programm the ABB with the raw bits of a burst. Receiving is more difficult. The filters will influence the signal quite a lot, however it should be still possible to receive strong signals without the requirement for a hardware modification. I already did a few experiments to find out how far the transceiver could be tuned out of range, for GSM-900 I was able to detect the frequency bursts of a 840 Mhz signal with about 40 dBm less strength than receiving a similar signal inside the GSM-900 band. 840 Mhz would be more than enough for receiving uplink signals in GSM-900. I did not yet tried it for the transmitter, however I expect that it can be used to transmit downlink frequencies too. Just as an example for the influence of the filter: The Openmoko Freerunner uses a Calypso based Tri-Band GSM modem, its available for GSM-900 or GSM-850, the difference is mainly a different filter in the RX path. However you can still use the GSM-850 variant with GSM-900 if you are close enough to the BTS. One real problem for the "phone as a BTS" idea is the detection of the RACH bursts. You most certainly cannot use the DSP "as is" for this task because it does not know about the special RACH burst. It would probably require some modification (patches) to the DSP if you want to detect and handle them. Best regards, Dieter -- Dieter Spaar, Germany spaar(a)mirider.augusta.de

1 0

Phone acting as a BTS
by Sylvain Munaut 24 Feb '10

24 Feb '10

Hi, Since the beginning, I'm wondering if it would be possible to turn one of those cheap phone into a BTS. I'm n ot talking a full featured BTS and the mod will involve hardwares changes obviously. The more I look at it and the more I think it might work. No, I'm not crazy, please bear with me until the end of this post :) So, what are the obstacles (taking the C118 as an example): * RX filters : Obviously you would need to remove one and replace it with one for the good band. I would only replace one of them so that you can use the 900 band for BTS and the 1800 band for MS for example (so that you can still listen to a official bts and calibrate the clock). * RX/TX switch Those have ports that have frequency bands ... but .. do they really filter that much ? * MS can't TX/RX simultaneously. I think you can take advantage of the fact. Imagine that you only ever allocate channels on TS0,1 & 2. ( BCCH+SDCCH/4 + 2*TCH/F ), you could divide your time like this : TS0 - Capture FCCH of a nearby station to calibrate local vcxo TS1 - Our BTS TS0 TX TS2 - Our BTS TS1 TX TS3 - Our BTS TS2 TX TS4 - Our BTS TS0 RX TS5 - Our BTS TS1 RX TS6 - Our BTS TS2 RX TS7 - nothing ... But this can still be a battery powered handheld BTS :) Sylvain

2 1

Calypso status update
by Harald Welte 23 Feb '10

23 Feb '10

Hi! I've done a day of bugfixing today, mostly regarding the timing and sequencing of the TPU window during receive (and transmit). The biggest new feature is the #define TPU_DEBUG which will transfer the content of the TPU RAM to the host PC every time tpu_enable(1) is called. There's a TPU debugger (tpu_debug.c) as part of osmocon which receives, decodes and prints the TPU instructions. This way you can clearly see the exact sequence (and timing) of the commands that are executed by the TPU. What turned out to be the major problem that I was hunting most of the day: Whe first did the downlink calibration (BLDCAL), then waited for a specific time, and then enabled the downlink path (BDLENA). This worked fine so far. I then added code to disable the TRF6151 after the downlink path is closed (twl3025_downlink(0)). Suddenly not a single burst was received anymore. Now the sequence of events seems correct, at least in the little testing I did. Regards, Harald -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

3 3

introduce myself
by Andreas.Eversberg 23 Feb '10

23 Feb '10

hi there, my name is andreas eversberg. i worked for the mISDN and openbsc project before. after joining the openbsc project, i mainly worked on the call control protocol and the application interface, as well as E1 kernel driver improvements for openbsc. i expanded my linux-call-router application to be able to link with openbsc, so both become a mobile network, as used on the 26c3. i like to put my experience into the osmocomBB project. therfore i started working on the layer 3 "call control" (network layer, mobile side) already. (TS 04.08) the application interface is almost identical, so osmocomBB can be used with linux-call-router also. the next goal is to implement "radio ressource" protocol and "mobility management" protocol (real state machine), and i hope to get help with that. all three protocols are required to do voice calls. my motivations for joining the project are at the moment: - having a cool (graphical) network monitor - backup line for PBX, PBX in a car. - attaching (virtual) test SIM via phone's menu - changing IMEI via phone's menu i hope this project make as much phun as openbsc. andreas

2 1

Re: Memory Leaking. _talloc_zero panics
by Harald Welte 21 Feb '10

21 Feb '10

On Sun, Feb 21, 2010 at 06:03:08PM +0100, Sylvain Munaut wrote: > > I will think about how to solve this. Either we introduce some busy-waiting > > until more space is available, or I will try to fill existing buffers even > > beyond the end-of-line. > > I've seen the commit to fill up the msgb more. But this exposed > another bug in msgb I think. > The headroom allocation doesn't work AFAICT. In msgb.h there is : > > static inline int msgb_tailroom(const struct msgb *msgb) > { > return (msgb->data + msgb->data_len) - msgb->tail; > } you are right, it should be msgb->head + msgb->data_len, I've fixed that now. I've also changed to busy-wait until we have msgb's available again. dsp_dump and hello_world as well as l1test seem to work again now. It's all still a big hack and later we need to determine if we're called from a context that supports busy-waiting at all. Imagine this code being executed from the FIQ context, while new memory will always only be available from IRQ context (UART Tx FIFO interrupt): We will deadlock. Cheers, Harald -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

baseband-devel