Hi again,
I'm currently in the train, so forgive me posting the initial TODO list
to the mailing list rather than the wiki.
I'll put it in the wiki soon. If you want to take one of the items, just let
me know!
What I think we have to do before HAR is as follows:
== Actual code ==
=== absolutely required ===
* finish and test the SMS implementation [Harald]
* make sure we enable MS power control and impose a global limit of
100mW for the uplink (MS->BSC) direction by means of the MS POWER IE's
and the BCCH information. That sounds like something for Dieter to
figure out, especially since he has measurement equipment ;)
* test dual-BTS-on-single-E1-card config [Harald]
** up to now, we have only tested with two nanoBTS, not BS-11!
* test dual-TRX operation of BS-11 on OpenBSC [Stefan/Daniel, can you do that?]
** channel allocator can be tweaked to give 2nd TRX a preference for debugging
[I'll add those to trac, since they are really important]
=== optional ===
* implement a 'provisioning mode' to OpenBSC that
** accepts every new IMSI the first time we see it
** sends an SMS with an auth token to that mobile
** disconnects that mobile immediately
* implement a web site / cgi script
** once the user enters the correct tuple of IMSI + auth code, we
*** assign him a number (user cannot choose, we assign)
*** set authorized=1 in the sql table
* implement a web site bug tracker for user bug reports
** this should include detailed information about the phone model,
his phone number and the exact timestamp, so we can match it in
the pcaps
* add more introspection code for the VTY interface to explore the run-time
data structures in OpenBSC
* implement different TCH assignment schemes (early / very early / OCASU)
* do we really want a SDCCH/8 or is SDCCH/4 for each BTS sufficient?
* some more testing with two BTS
* in case we call a user who is currently offline/busy, generate SMS
about missed call and store it in the SMS table
* web interface ideas
** SMS gateway where people can send SMS from the web site
*** SMS spam function for us in case we want to inform users about something
** simplistic phone book
* enhance vty interface with administrative functions such as
** ability to close arbitrary channels (i.e. terminate a call)
** ability to kick-ban a user out of the network
*** set authorized=0
*** perform authentication procedure with reject at its end
* make sure we store all the 'this phone was registered before to MCC/MNC/LAC'
information from the LOC UPD REQ data
* make sure we really store the classmark1/2/3 together with IMEI in SQL table
== Things to bring to the event ==
* spectrum analyzer [from CCCB]
* stable OCXO reference to calibrate BS-11 internal clock
** this could be done before the event, but Harald has no precision clock source
* trace mobiles / monitor mode mobiles (if anyone has some)
* some poles to which we can mount the BS-11 ?
== Misc ==
* draft 'usage terms & conditions' to be put on the registration web site
and the HAR2009 wiki, indicating
** all signalling and traffic data will be stored for R&D purpose
** we do not employ authentication and/or encryption
** we do not provide any service guarantee
** this is for evaluation+testing only
** no handover/roaming and/or external calls
** no warranty for any damage to MS, SIM, ...
** IMSI/IMEI information will not be disclosed by us, but people can sniff it
Regards,
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
Hi, I'm a long time lurker into this project and I've wondered something for
a bit of time. Knowing that we can use an ip.access nanoBTS to work on
OpenBSC, why not adapt OpenBSC for UMA (unlicensed mobile access)
standards?
I know over here in the US we currently use UMA with T-Mobile over WiFi to
communicate back to the T-Mobile servers and eventually off to the GSM and
regular ol' networks.
http://www.umatechnology.org/specifications/index.htm is the UMA
specification, and to my knowledge T-Mobile US's @Home service uses the
1.0.3 protocol revision.
To me it seems like it'd be trivial to make a derived copy of OpenBSC with
UMA support up and running, but I'd like some other thoughts into this
matter. I'm not a programmer by any means here, so if this is impossible,
well, then so be it.
-DC
Hello Harald,
Should the plugin you added for Wireshark decode almost all messages or
not? Because on the OML layer a lot of OML messages are not decoded, is
this behaviour normal?
I now try to follow the communication flow, but can't seem to understand
the multiple OML messages. It starts with 0x00, then a datalen and then
protocol (0xFF) and then it starts with 0x80, 0x80,.... But I can't find
0x80 (messagetype) in OpenBSC source. I've checked ipaccess.h and
ipaccess.c, but nothing... maybe I looked at the wrong place.
Hello David,
On Wed, 29 Jul 2009 11:02:15 -0700, "David A. Burgess" <dburgess(a)jcis.net> wrote:
>
> So you can jailbreak an iPhone and get direct access to L3 to run a
> DOS? That would be very interesting if it were true, but I suspect
> it's just horseshit put in there to deceive the court, which isn't
> hard to do in technology cases.
I don't think it's that easy (if it were, why not modify the TSM30
instead which should be much easier). I just found it very interesting
that Apple uses it as an argument. Of course such arguments are also bad
for opening the phone GSM stack to a larger group of people (if this ever
happens) or developing an open source GSM phone stack which could be
used for anything else than research.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Nordin,
On Tue, 07 Jul 2009 14:08:22 +0200, "Nordin" <bouchtaoui(a)gmail.com> wrote:
>
> I have good news now, I'm able to register to our bts manually. What I
> did is download the latest openbsc sources and compiled the whole
> project, that's it. I downloaded the project using git via port 80, I
> posted a mail about that. So I guess the GPRS in the Rest Octets have
> nothing to do, just the SIs were not complete. I'll analyze what went
> wrong with the SIs.
You don't mention which git branch you use, so it's probably the
master branch. If you look at the recent changes you will notice
that the SYSTEM INFORMATION 3 and 4 rest octets are now set to the
padding bytes which means they contain no information (which also
means no GPRS). So this is the most important part where you have
to look for differences.
I can confirm that an HTC Touch Pro will not register to the BTS
if the GPRS indication is set, it will register if it is not set.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Philipp,
On Sun, 26 Jul 2009 21:43:22 +0200, "dexter" <zero-kelvin(a)gmx.de> wrote:
>
> I have no experience in those things, i never connected a sender and a
> receiver directly for measurement purposes. I am afraid to damage BTS
> and/or MS by trying the first solution.
If you want to connect the BTS and an MS directly, you have to use
an attenuator to reduce the signal to some "reasonable" level. To
give you some numbers about "reasonable": The maximum RF output level
of two different GSM testers which are intended for direct connection
to an MS are -14 dBm for one of them and -40 dBm for the other. To be
on the safe side I would make sure that the level is below -40 dBm,
this is more than enough for good reception (poor reception is around
-100 dBm). If the signal is too strong, you can damage the MS and/or BTS.
Please note that I have not tried to connect a BTS and an MS yet, my
experience comes from the GSM testers only.
One problem I see with this approach is how to handle the separate
RX and TX connectors of the BS-11.
> What do you think, what would you do? How do you ensure that you do not
> interfere with the official GSM networks? I think sometimes it
> would be very nice to make 100% sure that no HF signals leave the desktop.
If you can't make sure that no RF signal is emitted, you can at least try
to cause as little trouble as possible:
- use a GSM channel which is not used by an official network, make sure
that there is at least one free guard channel in between the channel
you use and the official channels.
- set the power level of the BTS to its minimum (0.03 Watt for the BS-11)
and set the NM_ATT_RF_MAXPOWR_R attribute to its maximum (6 for the
BS-11). For the BS-11 the RF output level should then be around 1 dBm.
- If you want to further reduce the BTS power, you can put an attenuator
between antenna and TX output.
- for the MS make sure that the power class is as low as possible when
activating a channel.
- set the power for RACH access to a low level (in SYSTEM INFORMATION
TYPE 3 and 4).
- use an MCC and MNC which is not an official one.
- only allow a known MS to register on your network.
- To make sure that normal MSs won't be able to see your network,
you can set the cell to "barred". However you then need a special
MS to test, for example the Nokia Network Monitor allows to
set the MS in a mode which allows to access barred cells. And
with a special Test SIM it should be possible to access such
a cell with other phones too (the "cell test" operation mode
has to be enabled on the SIM).
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Harald,
On Wed, 29 Jul 2009 16:55:23 +0200, "Harald Welte" <laforge(a)gnumonks.org> wrote:
>
> Great! can you please provide one FR and one EFR pcap file for Andreas
> Eversberg? It's probably best to replace the two corrupted files that I've
> attached to the nanoBTS wiki-page.
I am not sure if my two FR and EFR captures are good examples for the
Wiki, the call is from one person only (me) counting numbers and saying
"Hello Test" or similar things and you hear the voice on both channels
because the two phones are close to each other. Of course they are
good enough as an example for implementing the RTP media feature. So
let me know if I shall provide them to Andreas only (Andreas, shall
I send them to you as email, they are about 240 KByte as ZIP file?).
> You do have a wiki account, I assume.
I don't think so, at least I have not yet requested an account.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Harald,
On Wed, 29 Jul 2009 15:48:32 +0200, "Harald Welte" <laforge(a)gnumonks.org> wrote:
>
> I'm telling you, OpenBSC's RTP proxy works fine. I've just made another call
> and there are no drop-outs of .8 seconds or anything like that.
I am sure that the proxy is working, I never doubted that. I guess for some
reason Wireshark is just missing the data. I was joking about Windows
versus Linux performance, but maybe this was not clear enough.
> As all it uses is the sockets API, i.e. the very same calls that the
> input/ipaccess.c module already uses, I think it should be very easy to make it
> build using the posix compatibility of cygwin.
I tried it in the meantime. No problem at all. The git version works
as expected and Wireshark does not miss any packets here, each call
is about 30 seconds. I tried it with EFR and FR, Wireshark can
save the RTP payload, for EFR I had to convert the data first so
that they fit to the GSM 06.35 reference implementation (they use
a strange format which stores every bit into two bytes). For FR,
Toast can convert the payload immediately. Tested on Windows XP
and cygwin, Wireshark and bsc_hack running on the same machine.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hi!
Please note:
===========================
commit d46299da00f923b24043aa37fa2bae17ffcc1ff7
make channel allocator policy multi-TRX aware
For now, we assume that TRX1 (and higher) all have a TCH/F configuration
on all of their timeslots
commit 67b4c30a9de972d199830bba5535e934bd47ac0f
complete TRX1 support for BS11
* remove old HAVE_TRX1 definition, replace it with '-1' commandline argument
* make sure we actually configure the OML TRX attributes with a different
ARFCN than TRX0
* make sure we configure timeslot 0 of TRX1 also in TCH/F mode
This code is untested, but if you have a dual-trx BS-11, and the second TRX
is activated, you should be able to run bsc_hack with the -1 option to enable
and use the second trx. It works like this:
* TRX1 shares E1 timeslot 0 for signalling
* TRX1 RSL link uses TEI2 (TRX0 uses 1)
* TRX1 on ARFCN+2, i.e. if you have TRX0 on 122, TRX1 will be 124
===========================
I'm very happy if somebody wants to test this. First of all, it is important
to see if there are any error messages during OML and RSL bringup, and if
the TEI2 link is actually established from mISDN.
If you want to actually use the second TRX, you will either have to make sure
all TCH/H on TRX0 are used (establish sufficient simultaneous calls), or
hack chan_alloc.c to give a preference to TRX1, or to do round-robin or
whatever :)
Regards,
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
Hello Harald,
On Wed, 29 Jul 2009 14:43:12 +0200, "Harald Welte" <laforge(a)gnumonks.org> wrote:
>
> If you're interested, you can certainly try for yourself with your nanoBTS...
>
You are joking, right? How should it work on my Windows machine if it
does not work on Linux ;-) ?
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Nordin,
On Wed, 29 Jul 2009 11:51:59 +0200, "Nordin" <bouchtaoui(a)gmail.com> wrote:
>
> I can't find a good link about how several MSs on one ARFCN can send and
> receive speech data.
Have a look at the following, the first is a general introduction with
good references to the GSM specification, the second is about speech
coding:
http://en.wikipedia.org/wiki/Um_Interface
http://www.gsmfordummies.com/encoding/encoding.shtml
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Harald,
On Wed, 29 Jul 2009 12:33:59 +0200, "Harald Welte" <laforge(a)gnumonks.org> wrote:
>
> The FR pcap file is attached to this mail. I'll also put it to the nanoBTS wiki
> page, like the EFR capture before. I hope this helps you to decode the voice
> samples.
Decoding with Toast would work fine but there is the same problem, lots
of missing packets. If I look at the capture timestamps, about 0.8 seconds
of data seem to be missing at regular intervals (the first disruption
is at packet number 681, the next at 710, 742, ...). These are also the
positions where the Wireshark RTP analysis complains about wrong sequence
numbers.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Harald,
On Tue, 28 Jul 2009 20:58:46 CEST, "Dieter Spaar" <spaar(a)mirider.augusta.de> wrote:
>
> I just took a quick look at the dump with Wireshark, it's possible to
> save the raw RTP payload from within Wireshark and it looks OK (31-byte
> EFR packages starting with 0xC in the high nibble). However I have
> no ready-made EFR decoder available so I can't decode the speech.
I did play a little bit with the EFR reference implementation from
GSM 06.35. It's possible to convert the data and I can understand a few
words (a "Yes" at the beginning and a "Bye" at the end). However it seems
that several RTP packages are missing, also the RTP Analysis Tool of
Wireshark says so (according to it more than 80% is missing). Anyway,
basically EFR decoding seems to work as expected.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
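The sequence-number check that the Wireshark RTP analysis mentioned in these two mails performs, as an added example in Python (not code from the thread or from OpenBSC). It parses RTP headers, classifies the payload as FR or EFR by the 33-byte/0xD and 31-byte/0xC layouts from RFC 3551 that the "31-byte EFR packages starting with 0xC" observation relies on, and reports each gap with its duration in speech time; the packets are constructed, and the dynamic EFR payload type 96 is an assumption.

```python
"""Spot lost packets in a captured GSM RTP voice stream (added example)."""
import struct
from typing import List, NamedTuple, Tuple

RTP_CLOCK_HZ = 8000        # GSM FR/EFR RTP clock rate (RFC 3551)
SAMPLES_PER_FRAME = 160    # one 20 ms speech frame at 8 kHz
PT_GSM_FR = 3              # static payload type for GSM 06.10 full rate (RFC 3551)
PT_EFR_DYNAMIC = 96        # constructed: EFR has no static type, 96 is assumed


class RtpPacket(NamedTuple):
    payload_type: int
    seq: int
    timestamp: int
    ssrc: int
    payload: bytes


def build_packet(seq: int, ts: int, payload: bytes,
                 pt: int = PT_EFR_DYNAMIC, ssrc: int = 0x1234) -> bytes:
    """Serialize a minimal RTP packet: V=2, no padding/extension/CSRC, marker 0."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF,
                       ts & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(data: bytes) -> RtpPacket:
    """Parse the fixed RTP header (RFC 3550) and skip any CSRC list."""
    if len(data) < 12:
        raise ValueError("packet shorter than the 12-byte RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError(f"unexpected RTP version {b0 >> 6}")
    if b0 & 0x10:
        raise ValueError("header extension not handled in this example")
    hdr_len = 12 + 4 * (b0 & 0x0F)   # CC field: number of 32-bit CSRC words
    return RtpPacket(b1 & 0x7F, seq, ts, ssrc, data[hdr_len:])


def classify_speech_payload(pkt: RtpPacket) -> str:
    """FR: 33 bytes, high nibble 0xD. EFR: 31 bytes, high nibble 0xC (RFC 3551)."""
    if not pkt.payload:
        return "empty"
    nibble = pkt.payload[0] >> 4
    if len(pkt.payload) == 33 and nibble == 0xD:
        return "FR"
    if len(pkt.payload) == 31 and nibble == 0xC:
        return "EFR"
    return "unknown"


def find_gaps(pkts: List[RtpPacket]) -> List[Tuple[int, int, int]]:
    """Return (last_seq_before_gap, frames_lost, ms_lost) per discontinuity.

    Deltas are taken modulo 2^16 (seq) and 2^32 (timestamp) to survive wrap-around;
    the timestamp delta cross-checks how much speech time the gap really covers.
    """
    gaps = []
    for prev, cur in zip(pkts, pkts[1:]):
        seq_step = (cur.seq - prev.seq) & 0xFFFF
        if seq_step <= 1:              # in order, or a duplicate: not a gap
            continue
        ts_step = (cur.timestamp - prev.timestamp) & 0xFFFFFFFF
        lost_ms = (ts_step - SAMPLES_PER_FRAME) * 1000 // RTP_CLOCK_HZ
        gaps.append((prev.seq, seq_step - 1, lost_ms))
    return gaps


def loss_percent(pkts: List[RtpPacket]) -> float:
    """Share of frames missing between the first and last received packet."""
    expected = ((pkts[-1].seq - pkts[0].seq) & 0xFFFF) + 1
    return 100.0 * (expected - len(pkts)) / expected


EFR_FRAME = bytes([0xC0]) + bytes(30)   # constructed 31-byte EFR frame


def make_sample_stream() -> List[bytes]:
    """Constructed capture: 10 EFR packets, 40 dropped (0.8 s), then 5 more."""
    out, seq, ts = [], 680, 0
    for i in range(15):
        if i == 10:                     # the drop-out
            seq += 40
            ts += 40 * SAMPLES_PER_FRAME
        out.append(build_packet(seq, ts, EFR_FRAME))
        seq += 1
        ts += SAMPLES_PER_FRAME
    return out


if __name__ == "__main__":
    stream = [parse_rtp(p) for p in make_sample_stream()]
    print("codecs seen:", {classify_speech_payload(p) for p in stream})
    for seq, lost, ms in find_gaps(stream):
        print(f"gap after seq {seq}: {lost} frames, ~{ms} ms of speech missing")
    print(f"loss: {loss_percent(stream):.1f}%")
```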
Hi guys,
I read Goller's documentation "About the GSM-Dm-Channels", but I'm a bit
confused about something.
I understand that one TDMA frame has a period of 4.615 ms and consists
of 8 Time slots, each of a period of 576.9 us. When a MS registers to
the BTS, it gets one Time-slot, but how is speech transferred? Normally
the Fs (samplefrequency) is 8 KHz, this means every 128 us one byte
sample. If I have one timeslot of let's say 577 us, then there is a gap
of 7 other timeslots, which makes a 4 ms gap. Also the speech data is
compressed. How is that damn speech data multiplexed with other MSs and
finally received on the other side as 8 bit samplevalue at a rate of 128
us (8 KHz)?
It gets fuzzy to me, because I wrote a microcontroller project which,
among other things, samples audio and then transfers it to a GSM module.
This is done at 8 KHz samplerate, so how is that done when I have only
one TimeSlot of 577 us every 4 ms period?
I can't find a good link about how several MSs on one ARFCN can send and
receive speech data.
Thank you.
Hi!
Using git version 58ca5b7ae70365c1285b2ea0cb3c3370a8f108a9 of openbsc,
plus the patch from the attachment, I was able to do a V1 (FR) call,
not only EFR.
The FR pcap file is attached to this mail. I'll also put it to the nanoBTS wiki
page, like the EFR capture before. I hope this helps you to decode the voice
samples.
Regards,
Harald
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
> If everything works fine at HAR, we can do the bigger/better version at 26C3,
> at least if we can somehow find more than the 2-3 nanoBTS1800 that we currently
> have - at least for a couple of days.
hi harald,
i am looking forward to being at 26C3. i doubt that we can get a frequency
for a test network on the 900 band, because all frequencies are assigned
to GSM operators. therefore only nanoBTS1800 can be run legally with a
test license of "bundesnetzagentur". currently the application interface
does not support audio streams of the nanoBTS, so other networks
(ISDN/DECT/SIP) cannot be connected yet. i would like to finish audio
processing for nanoBTS. can you provide me with some pcap files? a short
complete call (few seconds) of one rtp session (including setup, some
spoken words, and termination) would help. also the call must be made
with full rate codec, so i can test the payload on the GSM codec i
have. (not the enhanced full rate codec)
regards,
andreas
Hi!
For those who are planning to attend HAR2009 (http://har2009.org/):
We have just received regulatory approval for four ARFCN in the GSM900 band
during HAR2009. The Power on each ARFCN for BTS and MS is restricted to 100mW.
There are also some GSM1800 ARFCN's that we can use with up to 200mW, though
I don't yet know their values and how many.
I have created a wiki page at https://wiki.har2009.org/page/GSM
for further coordination of GSM related activities at HAR2009.
It would be great to know which other OpenBSC users/hackers will be present
at the event. As there are multiple things that I'm planning to do at HAR2009,
I would be happy about any help that I might get from you guys.
Basically there will be
* A 'stable' GSM network with BS-11 and OpenBSC for people to test
their phone interoperability with OpenBSC by making/receiving calls and
SMS.
* A nanoBTS1800 for use by OpenBSC hackers only to test/fix OpenBSC stuff
before putting it on the BS-11 'stable' network
* work on airprobe.
Especially for the 'stable' network, there is a lot of help required, among
others:
* physical setup of the BS-11
* registration of mobile phones into the network. It would probably be good
to have a setup where people can plug their SIM into a SIM card reader
(or phone that can read the IMSI). We can then create the SQL entry with
their IMSI and extension.
* making sure the network runs and OpenBSC / hfcmulti gets restarted in case
something hangs.
Please just respond to this mail if you want to help in any way.
Regards,
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
Hello Harald,
On Tue, 28 Jul 2009 19:18:52 +0200, "Harald Welte" <laforge(a)gnumonks.org> wrote:
>
> Using this mode, I have created a pcap file with OML+RSL bringup, followed by
> one call between two MS (extn. 1005 calls 1003) where all RTP/RTCP packets are
> visible. The call uses EFR, since that is hardcoded in many places all over
> OpenBSC at the moment.
>
> The pcap file is available from
> http://bs11-abis.gnumonks.org/trac/attachment/wiki/nanoBTS/ipaccess-startup…
I just took a quick look at the dump with Wireshark, it's possible to
save the raw RTP payload from within Wireshark and it looks OK (31-byte
EFR packages starting with 0xC in the high nibble). However I have
no ready-made EFR decoder available so I can't decode the speech.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hi!
While writing the RTP proxy, I've been playing with the ip.access RTP related
code for quite a bit. This is as far as I have understood it so far:
Setting up a voice call (for one MS)
* sending IPACCESS_BIND via RSL, specifying
* the GSM channel number IE
* the IP speech mode IE, indicating
* 0x1- : uni-directional, rx-only
* 0x-1 : EFR (0: FR, 2: AMR)
* receiving IPACCESS_BIND_ACK via RSL, specifying
* the GSM channel number IE
* the ip.access connection identifier
* the locally-bound UDP port for RTP
* the locally-bound IP address for RTP
* optionally: the RTP payload type
* sending IPACCESS_CONNECT via RSL, specifying
* the GSM channel number IE
* the ip.access connection identifier (from BIND_ACK)
* the remote UDP port number for RTP
* the remote IP address for RTP
* the IP speech mode IE, indicating
* 0x0-: bi-directional
* 0x-1: EFR (0: FR, 2: AMR)
* optionally: the RTP payload type, if BIND_ACK specified it
Misc observations:
* if BIND is called with IP speech mode IE 0x10 (uni-directional FR), then no
RTP payload type is returned in BIND_ACK. Instead, the standard type for GSM
06.10 (0x03) is used in the packets.
* I'm not sure which RTP payload type (and IP speech mode) is which, i.e. if
the payload type of BIND/BIND_ACK specifies "expect this payload type for
incoming packets" or "use this payload type for all RTP packets originated by
this side"
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
Hello Eric,
On Fri, 17 Jul 2009 17:52:17 +0200, "Eric Cathelinaud" <e.cathelinaud(a)googlemail.com> wrote:
>
> If nothing possible I will try to deal with the 470ms period.
> Can you tell me if the mobile will RACH at each paging request or if it can
> miss some?
If the MS receives a paging request for itself and is allowed to access
the network, then it will start the immediate assign procedure (The details
are in GSM 04.08, a good overview with reference to the specification is at
http://en.wikipedia.org/wiki/Um_Interface, many thanks to David Burgess for
writing it down). The MS will not react to further paging requests as long as
the immediate assign procedure is running.
> I already saw in OpenBSC that the paging request is sometimes sent more than
> once for a call so I am not sure. May be it could be something to fix in
> the code? Or the phone sometimes doesn't react as it should?
The BSC can't be sure that a single paging request is received by the
MS so it (optionally) has to repeat it (there can be distortions, weak
signal and so on).
> Normally the RACH is sent 3 time slots after the paging request right?
I don't think so, the RACH is always on TS0 of the uplink (at least this
is how I understand it) and the PCH is not necessarily on TS0 (depending
on the configuration). The reaction of the MS surely depends on the
firmware/hardware of the phone and how fast it works, so you don't
have a fixed delay. The MS usually has enough time to react, the
T3113 timer defines how long to wait for a PAGING RESPONSE and then
optionally repeat the paging request (if and how often the paging
request is repeated is not defined in the specification). I don't
have exact numbers for the T3113 timer because it's up to the network,
but common values seem to be around 5 seconds.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Eric,
On Thu, 23 Jul 2009 11:35:33 +0200, "Eric Cathelinaud" <e.cathelinaud(a)googlemail.com> wrote:
>
> I would like to ask another question. I can see on which time slot the burst
> is sent but i can't see the frame and the multiframe number. Is it available
> somewhere?
Not in the Abis communication, it's the BTS which cares about frames
but not the BSC. For the nanoBTS it is most certainly possible to get
debug traces from the debug port (but probably not on Abis) which
contain the frame number, but I am not aware that the same is possible
for the BS-11.
If you are interested in this low-level Layer 1 stuff, you might have
a look at OpenBTS, you can adjust nearly everything or trace at a really
low level.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hi folks, I hope this finds you all in the best of health. As a start, I have read some basic GSM articles and went through bsc_hack.c. Few questions are bugging me and I would appreciate some info regarding them:
(1) With which type(s) of BTS does OpenBSC work?
(2) What is OML NM?
(3) What is the best way to follow the path in the code in case of a call?
Thanks.
Hello Nordin,
On Mon, 27 Jul 2009 14:11:56 +0200, "Nordin" <bouchtaoui(a)gmail.com> wrote:
>
> I downloaded the latest developer's Wireshark 1.1.3, with no result. I
> know it's easy asking for an Abis-parser, but I thought there was a
> patch for it.
If you take one of the latest daily automated Wireshark builds it
will work, even on Windows. No need to compile the sources if
you don't want to. I use "1.3.0-SVN-29061" and it contains Harald's
patch for the nanoBTS.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hi,
I am trying to deal with wireshark to understand what is happening in each
function in the code.
It says that the file seems to be corrupted:
"The capture files appears to be damaged or corrupted. (libpcap: LAPD file
has a 15-byte packet, too small to have even a LAPD pseudo-header)"
Is it a problem?
I still can read the Abis communication.
I saw that some rsl packets are malformed. Is it coming from a missing
implementation in the code that needs to be fixed?
Thanks
Eric
>On Thu, Jul 23, 2009 at 12:26:14AM +0200, Harald Welte wrote:
>> Hi again,
>>
>> I'm currently in the train, so forgive me posting the initial TODO list
>> to the mailing list rather than the wiki.
>
>this is now at http://bs11-abis.gnumonks.org/trac/wiki/HAR2009
Check out Eventphone. They run a DECT network. Why not link to their
network? I am not at HAR, but I can help setting it up. An extra E1 card
is required to link to Eventphone's machine...
http://www.eventphone.de/guru/?language=de
Hi!
So for everyone who has problems with BS-11 clock accuracy,
the theoretically straightforward way to solve the
problem is to replace the 32.768MHz crystal oscillator on the E1
card with an OCXO of the same frequency.
So what we're looking for is an OCXO with +/- 0.05ppm or higher stability for
3.3V power supply. Unfortunately I was not able to find one at that
frequency, even digikey doesn't have one.
If anyone can find a source for an OCXO in the abovementioned
parameter range (and small quantities), I think quite a number of people would
be interested in buying one and connecting it to their E1 boards. Any help
is much appreciated.
Thanks!
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
Hi!
For finishing proper SMS support, I need support for transactions. Similar
to Call Control, SMS can also have a number of different transactions
active at any time.
Before my changes, the transactions were tied to call control, which is
obviously not good if that code is to be reused from SMS.
Also, the transaction was linked to the gsm_network as well as the gsm_lchan.
I think both are somehow wrong.
Why are they not a property of the network? Because a transaction always
belongs to a 'MM entity' (gsm spec language), or a gsm_subscriber in openbsc
terminology. That subscriber then is part of a gsm_network.
And why are they not part of a gsm_lchan? Because a transaction can be
initiated on one lchan and then move to another lchan, e.g. in case an SMS is
sent just before a call is made, where we start on an SDCCH and might continue
on a SACCH. I will keep the lchan pointer in the meaning of 'current lchan
through which we transmit messages to the remote MM entity'.
Tying the transaction to the subscriber neatly addresses both of those
issues.
Regards,
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
Hi everyone, I am new to OpenBSC and I think the best way to contribute to it is to get to know the source code first. I would appreciate any help regarding how to begin understanding the source code. And what are the main features of the code? What is the best approach to start learning OpenBSC? And is there any good material on OpenBSC?
Thanks.
Hello Harald,
On Wed, 22 Jul 2009 23:49:00 +0200, "Harald Welte" <laforge(a)gnumonks.org> wrote:
>
> Even with two BTS at two TRX (exercising all our four ARFCN), the total call
> capacity is not more than 13 simultaneous MS-to-MS calls (since each call
> requires two timeslots). Yes we could do half-rate, but we have no software
> support for that so far.
You have the adjacent channels 121 to 124 for GSM 900 ? As far as I am
aware, adjacent channels will disturb each other. From what I know,
real networks usually have one free guard channel in between. So at
least the configuration of using adjacent channels should be checked
in advance (but you don't know how well different phones behave).
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
> can you comment on the status of mISDNdebugtool? As it seems, Eric is having
> some problems using it. Also, in current mISDNuser.git (socket branch),
> it doesn't compile since mISDNdebugtool.h is missing.
hi,
sorry for the late answer.
i don't exactly know what this was for. i think it was used to debug the
driver itself. to actually log frames from isdn interface and write a
pcap file you need misdn_log.
for logging first card use "misdn_log" or "misdn_log -c0". for writing
pcap file use "misdn_log -c0 -w <file>"
this connects to given isdn interface and shows transmitted data also.
it must be started AFTER the application or it will set the mode to
TE-mode. so first run bsc_hack, then start misdn_log.
andreas
Hello Stefan,
On Wed, 22 Jul 2009 19:36:16 +0200, "Stefan Schmidt" <stefan(a)datenfreihafen.org> wrote:
>
> Hmm, if we would calculate with 200 cards we would have ~80 USD costs for them.
> Maybe not the baddest thing. Let's wait to what conclusion we come here before
> going ahead. A technical solution that lets the user handle the registration on
> its own is still my favorite. Sadly we can't estimate how many subscribers we
> will get. :)
I don't know if you get a better price if you buy such a large amount of
the SIM cards, but I would ask.
One advantage of handing out SIM cards: You can play with authentication
and encryption if you want to. The A3/A8 algorithm in the SIM cards seems
to be different from COMP128-V1 (at least with the SIM I tested) so you
cannot retrieve Ki. However you could run the authentication in advance
and record a few challenge-response pairs and use them later.
And if you take one Euro as deposit for the SIM, you might get them
back or don't care if not.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Stefan,
On Wed, 22 Jul 2009 18:32:28 +0200, "Stefan Schmidt" <stefan(a)datenfreihafen.org> wrote:
>
> Hmm, another idea pops up into my mind right now. Any chance we can get a big
> bunch of pre paid SIMs without money on the account? If we would get some 100s
> of them we could prepare them in advance and just hand out to the people.
Kai Muenz mentioned it on the list already, there are GSM SIMs available
at http://www.dealextreme.com/details.dx/sku.16159. 10 pieces cost $US 3.94
including shipping. If you don't mind about a Chinese SIM Toolkit Menu which
you can't read and also don't mind to remove a little bit of glue from
some of the SIMs, they are fine for this purpose.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Philipp,
On Mon, 20 Jul 2009 20:19:16 CEST, "Dieter Spaar" <spaar(a)mirider.augusta.de> wrote:
>
> Not sure what you are measuring on peak one and two, but channel 123
> should be 959.6 MHz, this is most certainly the third peak. There might
> be small signals (e.g. from the oscillator of the BS-11) on other
> frequencies, but they should be much smaller than the main signal.
In the meantime I did check with my spectrum analyzer. There is
indeed a signal coming from the BS-11, even if nothing else is
connected to the BS-11 (no serial connection, no E1). The signal
starts to be emitted after the firmware download is complete.
I could measure the signal at 942.4 MHz, the level is about -42 dBm
(cable connection from the spectrum analyzer to TRX0, low-quality
cable). The signal strength does not depend on the power amplifier
setting, I wonder where it comes from (some internal oscillator
working at that frequency ?). The signal is not very strong, so
it should not cause major trouble (besides disturbing a weak
signal which might be there from an "official" source if you
are close to the BS-11).
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Philipp,
On Mon, 20 Jul 2009 18:39:47 +0200, "dexter" <zero-kelvin(a)gmx.de> wrote:
>
> We have a Toy-Spectrum-Analyser here, so i have measured the output of
> our BS-11 when initialized with -f 123
>
> http://www.root.runningserver.com/pub/openbsc_spektralanalyse.png
>
Not sure what you are measuring on peak one and two, but channel 123
should be 959.6 MHz, this is most certainly the third peak. There might
be small signals (e.g. from the oscillator of the BS-11) on other
frequencies, but they should be much smaller than the main signal.
I don't know what the specification for a BTS allows as level for
emitting on other frequencies, so I can't give you any numbers how
strong those other signals can be.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hi folks.
We have a Toy-Spectrum-Analyser here, so I have measured the output of
our BS-11 when initialized with -f 123
http://www.root.runningserver.com/pub/openbsc_spektralanalyse.png
Why are there 2 carriers emitted by the BTS?
I thought that openBSC uses only one TRX. I have verified that the
carrier must be emitted by the BTS. If I stop the BTS the carrier
vanishes and the T-Mobile carrier comes through (much weaker, of course).
I have no explanation for this effect, can anyone give me a hint?
regards
Philipp
Hi Andreas,
since your experience with mISDN is much better than mine,
can you comment on the status of mISDNdebugtool? As it seems, Eric is having
some problems using it. Also, in current mISDNuser.git (socket branch),
it doesn't compile since mISDNdebugtool.h is missing.
What we're trying to do is to generate pcap files that we can throw at wireshark.
Thanks in advance,
--
- Harald Welte <laforge(a)gnumonks.org> http://gnumonks.org/
============================================================================
We all know Linux is great...it does infinite loops in 5 seconds. -- Linus
Hello Eric,
On Thu, 16 Jul 2009 17:53:53 +0200, "Eric Cathelinaud" <e.cathelinaud(a)googlemail.com> wrote:
>
> Yes I would like to make the cell phone answer as fast as possible but
> without the need of a user interaction. So I am trying to get RACH as fast
> as possible and I think the paging function is the most suitable for this. A
> RACH for each frame would be really nice. At least one RACH out of 2 frames,
> then I can have at least 1 RACH per 10 ms.
I don't think you have much influence on setting the paging reorganisation
mode, this is done by the BTS when it detects that something has changed
with paging (the BTS can detect it by looking for changes in the SYSTEM
INFORMATION messages). I did a quick test with a nanoBTS 1800, if for
example BS_PA_MFRMS is changed, the BTS will activate the paging
reorganisation mode while switching the parameter. I can confirm that
with the Nokia Network Monitor, it displays the page mode and indicates
"paging reorganisation" for a short amount of time (about one second).
You can try to constantly switch the SYSTEM INFORMATION data related to
paging, but I don't know if this will help with what you want to do.
Also please note that I have not tried it with the BS-11.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Eric,
On Thu, 16 Jul 2009 15:44:21 +0200, "Eric Cathelinaud" <e.cathelinaud(a)googlemail.com> wrote:
>
> I don't know if the mobile phone will answer every time if I try to do a
> paging on it for each successive frame. Or if he will answer the first time
> and ignore the other paging requests after.
Maybe you can explain what you want to achieve, this might help to give
an answer.
I initially thought you want to measure the standby time of the phone,
this is why I posted the information about the BS_PA_MFRMS parameter,
it usually determines the standby time (if BS_PA_MFRMS is maximum,
you usually get the longest standby time).
But now it seems you want the phone to react as fast as possible on
a paging request, but maybe I don't understand what you want to do.
Best regards,
Dieter
PS: The calculation of the paging group is done by OpenBSC and not
by the BTS.
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Eric,
On Wed, 15 Jul 2009 11:00:14 +0200, "Eric Cathelinaud" <e.cathelinaud(a)googlemail.com> wrote:
>
> I was just thinking about performing a recursive paging in order to see how
> much time I have until the battery of a mobile phone run out.
> Does anyone know if the mobile phone answers at every paging or if it
> doesn't "listen" all the time? I think it listens periodically. If anyone
> can give me a clue, that would be appreciated.
This is an excerpt from a posting to another mailing list, I just
quote it because I don't want to repeat what I already wrote:
> - The phone is in "idle" mode (no speech/data traffic)
> and periodically receives the paging channel (PCH) to
> find out if it's being called. Further the phone measures
> the signal strength of neighbor cells and every now
> and then (not that frequent as the above actions)
> receives the cell information in the broadcast common
> control channel (BCCH) of the serving cell and of
> at most six neighbor cells with the strongest signal.
....
> - The time between receiving the PCH is determined by a
> parameter of the serving cell (BS_PA_MFRMS, range 2 to 9).
> It's measured in 51-multiframes until the PCH for the phone
> repeats (if you want to know the details have a look at
> the GSM specs ;-) . The length of a 51-multiframe is
> 235.8 ms, this means the time between receiving the PCH
> is in the range 471.9 ms to 2122.2 ms. In this time the
> idle phone most of the time sleeps or receives the BCCH
> of the serving cell or one of the neighbor cells with
> the strongest signal (at most six).
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
2009/7/10 Harald Welte <laforge(a)gnumonks.org>
> On Thu, Jul 09, 2009 at 01:18:05PM +0200, Eric Cathelinaud wrote:
> > Hi everybody
> >
> > I just would like to be sure that the paging is only sent on TS0 with
> > OpenBSC, that is to say PCH (which is on CCCH) is only sent on TS0.
> > I read that it could be sent on more time slots (TS2, TS4 and TS6 also) in
> > the GSM specifications. Is it the case in the soft or you just keep the
> > normal multiplexage setting (TS0 only for CCCH+BCCH, 1 slot for dedicated
> > channels and 6 slots for the traffic channels)?
>
> we only run one timeslot (TS0) for the CCCH (and thus the PCH). Using more
> timeslots is only required in really large BTS with many TRX - not a case
> we particularly care about right now.
>
> --
> - Harald Welte <laforge(a)gnumonks.org>
> http://laforge.gnumonks.org/
>
> ============================================================================
> "Privacy in residential applications is a desirable marketing option."
> (ETSI EN 300 175-7 Ch. A6)
>
Ok thanks
I was just thinking about performing a recursive paging in order to see how
much time I have until the battery of a mobile phone run out.
Does anyone know if the mobile phone answers at every paging or if it
doesn't "listen" all the time? I think it listens periodically. If anyone
can give me a clue, that would be appreciated.
Eric Cathelinaud
Hello Harald,
On Sun, 12 Jul 2009 16:02:11 +0200, "Harald Welte" <laforge(a)gnumonks.org> wrote:
>
> Thanks a lot for your investigation. Are you planning to take it beyond the
> hack and do a clean implementation that we can merge at some point?
To implement it in a clean way in my opinion requires some discussion
about how to do it so that it fits into the architecture:
- When to do the authentication, most certainly during the first
Location Update, but when else?
- Where to store the subscriber Ki for authentication and the
information about which algorithm is used? Also store for each
subscriber if authentication and/or encryption should be used.
- Where to cache Kc, it's not necessary to authenticate every time when
encryption for a channel is turned on. Kc from a previous
authentication can be used several times.
- Where to turn on encryption, every time a channel is allocated?
Those are just a few thoughts. I guess discussion about the details
probably takes longer than if you or Holger implement it during your
ongoing work on OpenBSC. Currently you both are the main people working
on OpenBSC at several places of the implementation and a clean integration
of authentication and encryption affects a lot of those places too. I am
reluctant to interfere here, not because of the time it takes (it's not
that much) but because any changes should fit to what you plan to
do. If anyone wants to see the technical details, I can provide them,
it's rather simple and straightforward.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello,
I did a few tests with Authentication and Encryption. It's just
a quick hack and nothing which can be integrated into OpenBSC
in a clean way but the process was rather straightforward:
- For my tests I used the location update request.
- I sent the AUTHENTICATION REQUEST to the MS.
- When I received the AUTHENTICATION RESPONSE from the MS, I
compared SRES with the expected value. If the expected value
was received, I sent the ENCRYPTION COMMAND with Kc to the
BTS. If the wrong SRES was received, I sent an AUTHENTICATION
REJECT to the MS.
- The BTS will now send the CIPHERING MODE COMMAND to
the MS and activate encryption.
- The CIPHERING MODE COMPLETE command from the MS will already
be received encrypted.
I have not recorded the RF traffic to check if encryption is really
enabled. But the Nokia Netmonitor indicated encryption, additionally
if I send the wrong Kc in the ENCRYPTION COMMAND, the location update
does not complete.
I have not tested speech traffic yet, but it most certainly works the
same way.
One thing which might be interesting is how to get SRES and Kc because
the A3/A8 algorithm on the SIM is usually not known. There are a few ways
to do it:
- one could record a few results from a SIM and only send RAND values
where the pre-recorded results are known.
- the SIM communication could be intercepted (for example with a
device like the "Turbo Lite" from www.bladox.com) and if the APDU for
authentication is sent, one can run its own A3/A8 algorithm instead of
the one from the card.
- if one has a SIM with the broken and known COMP128, it's possible
to find Ki so that the authentication response from the card can
be calculated.
- Test SIMs (for GSM Test Equipment) have implemented a known
A3/A8 algorithm (XOR) and so the authentication response can
be calculated.
- One can buy one of those SIM clone cards (they are called Super-SIM,
Magic-SIM, 16in1 SIM or similar). They are of not much use for official
networks because only a few (if any) providers use COMP128 any more
and this is the algorithm those cards implement (and expect it to be in
the card which should be cloned). You can buy such SIM cards rather cheap
(around 5 Euro). They usually come with software (Windows) which allows
you to set the IMSI and Ki for COMP128. So you have a card with a known
A3/A8 algorithm (COMP128) and a known Ki.
I used one of those SIM clone cards for my experiments, the SIM worked
fine in an older Nokia 3310 (at least for this test). I don't know how
well it will work in other phones but for this rather low price it's
probably worth a try.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
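The message sequence Dieter describes (AUTHENTICATION REQUEST, SRES check, then ENCRYPTION COMMAND to the BTS or AUTHENTICATION REJECT to the MS), together with the Kc caching question from his earlier design mail, modelled on the BSC side as an added example that is neither OpenBSC code nor his hack. It uses the "pre-record a few results from the SIM" option, so the network never needs Ki; `toy_a3a8`, `TripletStore`, `bsc_location_update` and the sample IMSI/Ki are constructed for illustration, and the XOR stand-in is not a real A3/A8.

```python
"""BSC-side authentication and ciphering decision for a location update.
Added example, not OpenBSC code nor Dieter's hack: it replays the message
sequence above with pre-recorded (RAND, SRES, Kc) triplets (the "record a
few results from a SIM in advance" option) so the network never needs the
SIM's A3/A8 or Ki. toy_a3a8() is a constructed stand-in, not a real algorithm.
"""
import hmac
import os

def toy_a3a8(ki, rand):
    """Constructed toy A3/A8 (NOT real): SRES = first 4 bytes of Ki XOR RAND,
    Kc = bytes 8..15. Present only so the MS side of the exchange can run."""
    x = bytes(a ^ b for a, b in zip(ki, rand))
    return x[:4], x[8:16]

class TripletStore:
    """Pre-recorded (RAND, SRES, Kc) per IMSI plus a Kc cache, so a later
    channel can be ciphered without authenticating again."""
    def __init__(self):
        self.triplets = {}   # imsi -> list of (rand, sres, kc)
        self.cached_kc = {}  # imsi -> Kc of the last successful auth

    def record(self, imsi, ki, count=3):
        """Run the SIM's A3/A8 ahead of time for `count` random RANDs."""
        for _ in range(count):
            rand = os.urandom(16)
            sres, kc = toy_a3a8(ki, rand)
            self.triplets.setdefault(imsi, []).append((rand, sres, kc))

    def take(self, imsi):
        """Pop one unused triplet; a RAND is never challenged twice."""
        lst = self.triplets.get(imsi, [])
        return lst.pop(0) if lst else None

def bsc_location_update(store, imsi, ms_respond):
    """AUTHENTICATION REQUEST -> AUTHENTICATION RESPONSE -> ENCRYPTION COMMAND
    (to the BTS, which then sends CIPHERING MODE COMMAND) or AUTHENTICATION
    REJECT. ms_respond(rand) plays the MS; returns the BSC's messages."""
    trip = store.take(imsi)
    if trip is None:
        return ["LOCATION UPDATING REJECT"]  # nothing left to challenge with
    rand, sres_expected, kc = trip
    log = ["AUTHENTICATION REQUEST"]
    sres = ms_respond(rand)
    if not hmac.compare_digest(sres, sres_expected):  # constant-time compare
        log.append("AUTHENTICATION REJECT")
        return log
    store.cached_kc[imsi] = kc  # reusable for later channels of this MS
    log.append("ENCRYPTION COMMAND")
    return log

if __name__ == "__main__":
    store = TripletStore()
    ki = bytes(range(16))  # constructed sample Ki of the genuine SIM
    store.record("001010000000001", ki)
    print(bsc_location_update(store, "001010000000001",
                              lambda r: toy_a3a8(ki, r)[0]))
    print(bsc_location_update(store, "001010000000001",
                              lambda r: toy_a3a8(bytes(16), r)[0]))  # wrong Ki
```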
Hi!
JFYI: My dissector for the Abis-IP adaption layer of ip.access has been merged
into wireshark (as of svn revision 29059).
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
Hi everybody
I just would like to be sure that the paging is only sent on TS0 with
OpenBSC, that is to say PCH (which is on CCCH) is only sent on TS0.
I read that it could be sent on more time slots (TS2, TS4 and TS6 also) in
the GSM specifications. Is it the case in the soft or you just keep the
normal multiplexage setting (TS0 only for CCCH+BCCH, 1 slot for dedicated
channels and 6 slots for the traffic channels)?
Thanks
Eric Cathelinaud
Hello Nordin,
On Tue, 07 Jul 2009 16:31:36 +0200, "Nordin" <bouchtaoui(a)gmail.com> wrote:
>
> But this means that your HTC needs more relevant GPRS settings before
> deciding to register. So it than searches for altenatives, but since the
> BA list is empty it starts all over again and the whole process repeats,
> which might result in a long procedure before it gives up. This is what
> it might could be the reason, I'm not sure.
If the GPRS Indicator is set, SYSTEM INFORMATION 13 is needed to
describe the GPRS properties. But SYSTEM INFORMATION 13 is not set
yet (not possible for the BS-11 anyway) so the phone won't find it.
Probably some phones don't care about it but some others insist to
find it before going to register.
This is probably one of the many places where there is no rule in
the specification what should be done in such a situation so it's
up to the developer of the firmware (the phone could register and
return an error only when GPRS is actually needed for a data
connection). Of course I don't mean that the specification is
incomplete, it just expects that certain things are done "right"
(who would expect that people outside of the mobile phone industry
play with a BTS ;-).
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Nordin,
On Mon, 06 Jul 2009 12:00:27 +0200, "Nordin" <bouchtaoui(a)gmail.com> wrote:
>
> I tried the parameters as you suggested for SI 1 as well as SI3, but
> with no success. But I'm still curious if someone else on the list
> registered a PDA-like mobilephone (with GPRS support) to his BTS
> (BS11/nanoBTS1800). If so, I would like to try out his/her SI's settings.
>
With the modification I have sent I can register a HTC Touch Pro to
the BS11 and the nanoBTS 1800. If GPRS is set in SYSTEM INFORMATION 3,
the phone will not register.
The process is a bit unstable, if the phone is powered on, the
location update works as expected, if I try to register manually,
it sometimes fails without actually communicating with the BTS.
I don't know the reason for this behaviour yet.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello guys,
I made a repository for the OpenBSC project, see:
http://repo.or.cz/w/openbsc.git
Now you can update/clone the project from
http://repo.or.cz/r/openbsc.git, like this:
git clone http://repo.or.cz/r/openbsc.git
It will be updated every hour (mirror mode).
I needed that because our firewall blocks the git port 9418.
Thank you for the tip Holger Freyther :)
If you have any questions, don't hesitate to ask.