I have some questions:
1) When I start bsc_hack, bsc_init.c first establishes the OML link and
initializes the BTS, then it establishes the RSL link and the BTS starts
broadcasting. However, it takes so much time to start the BTS. Instead of
this I want to do the following: it establishes the OML link at the beginning
and only once, then when I want to start broadcasting it establishes just
the RSL link and the BTS will start faster since I don't have to wait for the OML
link. What should be done for this?
2) If I send one- or two-word messages from the telnet interface it is okay. But
if I send a longer message the phone couldn't receive the end of the message
correctly (last words may be incomplete). Did anyone encounter this
problem? What is wrong with me?
3) Could I send an SMS in which the extension of the sender is text, not an integer?
For example, I want to send an information SMS that this is a test network.
For this purpose I want to send an SMS from 'OpenBSC'. I set the extension
of the first subscriber in the database as text and tried to send the SMS but
the SMS wasn't delivered. What should I do?
4) Can I add SMS externally to the SMS table of the database?
Thanks.
Jason
Hi!
With the help of graphviz, I have written a small perl-based tool that
allows you to generate ladder diagrams. It can be found at
git://git.osmocom.org/gen_ladder.git
For your reference, I'm attaching a sample input and output file.
The bent/curved arrows are a result of graphviz trying to indicate
that the message is between e.g. MS and MSC and 'bypasses' BTS and BSC.
I'm still waiting for somebody with more graphviz skills to make this an
option.
Hope this is useful for some of you...
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
Dear sir
I am new to OpenBSC. I have two NanoBTS (165cu). I'm facing some difficulties,
which I'm summarizing below.
I'm using Ubuntu 10.04.
1) Can we proceed with one NanoBTS?
2) I've configured the BTS IP, unit ID and OML IP of one BTS, but I'm not able to get the
firmware.
How do I get it and configure it for the NanoBTS?
3) How do I run OpenBSC?
Please suggest the procedure to run OpenBSC.
Thanks
Hi!
Collin Mulliner, Tobias Engel and I met yesterday to
discuss a generic application interface for OpenBSC.
They are both doing security analysis and want to achieve a clean way
how an external application can get access to a more or less transparent
communication channel to the phone.
The purpose of this is to be able to send intentionally malformed
packets to the mobile phone GSM stack at various different levels within
the stack.
As of now, they have both hacked some custom code into openbsc that gets
them half way where they want to be - but not quite all the way.
The requirements can be summarized as follows:
1) Ability to establish a SDCCH or TCH channel by paging the phone
As of now, the 'silent call' feature from the VTY already does this.
2) Ability to send arbitrary layer3 protocol messages to the phone
Adding this is relatively easy (use rsl_sendmsg on the lchan from the
silent call)
3) Ability to receive responses from the phone, as well as error
conditions such as 'radio link failure'. We don't have a solution
for this yet, and we also have no clean way to identify what might
be a response from the phone to the external app, and what might
be a message from the phone to the normal network code in OpenBSC
4) Ability to selectively disable partial protocol handling in
OpenBSC. Let's say you want to play with the mobile phone call
control implementation. In this case, you want to make sure all CC
related messages go from/to the external program and not from the
regular OpenBSC network code.
So what I've been thinking of as a solution to the problem:
* store a bypass_flags bitmask related to the subscriber structure,
where we indicate values such as BYPASS_RR, BYPASS_MM, BYPASS_CC,
BYPASS_SAPI3.
* if we process an incoming message from the MS in gsm0408_rcvmsg(),
we check if a bypass flag matching the message is found. If yes,
forward the message to the external program
* if we want to send a message from our own protocol stack to the MS,
we check if a bypass flag matching the message is found. If yes,
we drop the message that we were about to send.
* any messages received from the application will be forwarded to the MS
The application interface protocol will likely have a close resemblance
to RSL RLL. We need to exchange the following primitives with the
application, like:
* ESTABLISH REQUEST -- app requests a channel be established to MS (by IMSI)
* ESTABLISH CONFIRM -- network confirms a channel has been established
* ESTABLISH INDICATION -- network tells app connection was made by MS
* [UNIT] DATA REQUEST -- app requests data to be sent to MS
* [UNIT] DATA INDICATION -- network indicates data was received from MS
* ERROR INDICATION -- network tells app something went wrong
* RELEASE REQUEST -- app asks network to release channel
* RELEASE CONFIRM -- net tells app that channel was released (as rqd)
* RELEASE INDICATION -- net tells app that channel was released (by MS)
The channel_number of RSL (indicating on-air timeslot) doesn't make much
sense in this context, of course.
The link_identifier on the other hand is great as it allows the app to
indicate SDCCH/FACCH or SACCH as well as the SAPI.
The actual RSL-like protocol would be encapsulated by UDP and available
on a socket of the MSC.
What do you think?
Regards,
Harald
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
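The routing decision sketched in the proposal above, as an added example (not OpenBSC code and not part of the original mail). The flag names are from the mail; the bit values, `route_msg()` and `bypass_flag_for()` are hypothetical, and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag names come from the proposal; the bit values are assumed here. */
enum { BYPASS_RR = 1 << 0, BYPASS_MM = 1 << 1, BYPASS_CC = 1 << 2, BYPASS_SAPI3 = 1 << 3 };
enum route { ROUTE_STACK, ROUTE_APP, ROUTE_DROP };

/* Constructed sample L3 headers (protocol discriminator, message type). */
static const uint8_t cc_setup[] = { 0x03, 0x05 };    /* CC SETUP */
static const uint8_t mm_lu_req[] = { 0x05, 0x08 };   /* MM LOCATION UPDATING REQUEST */
static const uint8_t sms_cp_data[] = { 0x09, 0x01 }; /* SMS CP-DATA, sent on SAPI 3 */

/* Return the bypass flag covering one L3 message, or 0 if none applies.
 * link_id is the RSL link identifier (low 3 bits = SAPI); the low nibble
 * of the first L3 octet is the GSM 04.08 protocol discriminator. */
static unsigned int bypass_flag_for(uint8_t link_id, const uint8_t *l3, size_t len)
{
	if ((link_id & 0x07) == 3)
		return BYPASS_SAPI3;
	if (len < 1)
		return 0;	/* empty message: nothing to classify */
	switch (l3[0] & 0x0f) {
	case 0x03: return BYPASS_CC;
	case 0x05: return BYPASS_MM;
	case 0x06: return BYPASS_RR;
	default:   return 0;
	}
}

/* from_ms != 0: message received from the MS; bypassed ones go to the app.
 * from_ms == 0: message from the network's own stack; bypassed ones are dropped. */
enum route route_msg(unsigned int bypass_flags, int from_ms, uint8_t link_id,
		     const uint8_t *l3, size_t len)
{
	if (!(bypass_flags & bypass_flag_for(link_id, l3, len)))
		return ROUTE_STACK;
	return from_ms ? ROUTE_APP : ROUTE_DROP;
}

int main(void)
{
	unsigned int flags = BYPASS_CC | BYPASS_SAPI3;	/* app owns CC and SAPI 3 */
	printf("CC uplink: %d\n", route_msg(flags, 1, 0x00, cc_setup, sizeof(cc_setup)));
	printf("CC downlink: %d\n", route_msg(flags, 0, 0x00, cc_setup, sizeof(cc_setup)));
	printf("MM uplink: %d\n", route_msg(flags, 1, 0x00, mm_lu_req, sizeof(mm_lu_req)));
	printf("SMS uplink: %d\n", route_msg(flags, 1, 0x03, sms_cp_data, sizeof(sms_cp_data)));
}
```

Messages with no matching flag, including empty ones, stay with the regular network code, so a subscriber with `bypass_flags` of 0 is handled exactly as before.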
Hello everybody,
after setting up a nanoBTS with OpenBSC/SGSN/GGSN,
I had some troubles trying to connect my smartphone
to the GPRS cell.
Investigating the BTS-to-SGSN traffic, I saw that the
frames sent by the SGSN were all marked with the same
N(U) value (at LLC layer), the value was 0.
With some debugging, I found that there was a mismatch
in the TLLI storage, used to keep the status of attached
terminals.
The mentioned code is contained in gprs_llc.c, involving
LL Entity functions and gprs_llc_tx_ui().
    /* look-up or create the LL Entity for this (TLLI, SAPI) tuple */
    lle = lle_by_tlli_sapi(msgb_tlli(msg), sapi);
    if (!lle) {
        struct gprs_llc_llme *llme;
        LOGP(DLLC, LOGL_ERROR, "LLC TX: unknown TLLI 0x%08x, "
             "creating LLME on the fly\n", msgb_tlli(msg));
        llme = llme_alloc(msgb_tlli(msg));
        lle = &llme->lle[sapi];
    }
The TX function uses the previously received TLLI to
look up the LLE. The lle_by_tlli_sapi() performs the
search, but first it applies a foreign2local TLLI
conversion to ensure it has a local one.
Since no valid entry for the searched TLLI is found,
a new one is created. And the problem is here.
The new entry has the foreign TLLI.
Next time the lookup fails again, and a new entry is created.
This way, the counter N(U) is always reset, and the
mobile does not recognize the message sequence and no attach
is possible.
My question is about foreign and local TLLIs.
I patched the lookup, avoiding the conversion, so that the
LLE is found and everything works fine... but...
What is the sense of the conversion?
Should the TLLI be always stored as a local one?
Can this problem be solved with another foreign2local
while allocating new entries?
Actually, my problem has been solved with that workaround.
But I'm curious to know what is the right way.
Hope somebody can answer :)
Thanks.
Cheers,
LM
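A small model of the mismatch described in the message above, as an added example (not code from gprs_llc.c and not part of the original mail). The table, `tx_ui()` and `last_nu_after_three()` are hypothetical, the TLLI is constructed, and the `convert_on_alloc` switch only illustrates storing the key in the same form the lookup uses.

```c
#include <stdint.h>
#include <stdio.h>
#define MAX_LLME 8
struct llme { uint32_t tlli; unsigned int vu_send; };	/* vu_send: next N(U) */
static struct llme table[MAX_LLME];
static int n_llme;

/* Foreign TLLIs start with bits 10, local ones with 11 (3GPP TS 23.003). */
static uint32_t foreign2local(uint32_t tlli)
{
	return ((tlli & 0xc0000000u) == 0x80000000u) ? (tlli | 0x40000000u) : tlli;
}

/* Send one UI frame and return its N(U), or -1 if the table is full.
 * The lookup converts its key first, as the message says lle_by_tlli_sapi()
 * does; convert_on_alloc = 0 stores the raw TLLI (the reported behaviour). */
static int tx_ui(uint32_t tlli, int convert_on_alloc)
{
	struct llme *e = NULL;
	for (int i = 0; i < n_llme && !e; i++)
		if (table[i].tlli == foreign2local(tlli))
			e = &table[i];
	if (!e) {
		if (n_llme == MAX_LLME) return -1;
		e = &table[n_llme++];
		e->tlli = convert_on_alloc ? foreign2local(tlli) : tlli;
		e->vu_send = 0;
	}
	int nu = (int)e->vu_send;
	e->vu_send = (e->vu_send + 1) % 512;	/* N(U) is a 9-bit counter */
	return nu;
}

/* Three frames to one constructed foreign TLLI: last N(U), entries via *entries. */
int last_nu_after_three(int convert_on_alloc, int *entries)
{
	int nu = -1;
	n_llme = 0;
	for (int i = 0; i < 3; i++)
		nu = tx_ui(0x8badcafeu, convert_on_alloc);
	*entries = n_llme;
	return nu;
}
int main(void)
{
	for (int conv = 0; conv <= 1; conv++) {
		int used, nu = last_nu_after_three(conv, &used);
		printf("convert_on_alloc=%d: last N(U)=%d, entries=%d\n", conv, nu, used);
	}
}
```

With the raw TLLI stored, every frame goes out with N(U) 0 and each one consumes a fresh table entry; with the converted TLLI stored, one entry is reused and N(U) advances.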
This femtocell looks very interesting both from a pricing point of view and
from a hardware point of view. Now that the integration in OpenBSC looks
very promising it would become a good alternative for the more expensive
ip.access picocells. It seems that these HSL femtocells cannot be bought
without first investing in the developers pack from HSL which costs as much
as 7000$. Does anyone know how to obtain one of these cells for a
reasonable price? Are they already deployed by operators?
Looking at the internal hardware, it may even become a substitute for the
USRPs....
hello list,
i'd like you to go with me thru my setup of 2 bs11 and verify it. it looks like this:
      E1        E1
PC------BTS0------BTS1
let's begin with the bs11_config outputs
bts0:
LMT LOGON: ACK
PHASE: 3 Normal MBCCU0: Load MBCCU1: No Load Abis-link: Restoring
BS11 ATTRIBUTES:
BS-11 ESN PCB Serial Number: 001104
BS-11 ESN Hardware Code Number: 135-2044/03.07
BS-11 ESN Firmware Code Number: 135-2044/03.07
PLL Set Value=1006, Work Value=1038
SITE MANAGER ATTRIBUTES:
E1 Channel: Port=0 Timeslot=1 (Full Slot)
TEI: 25
BS11 Line Interface ATTRIBUTES:
PLL Mode: Standalone
BS11 CCLK ATTRIBUTES:
CCLK Accuracy: High (1)
CCLK Type=0
BS11 Power Amplifier 0 ATTRIBUTES:
TRX Power: 30mW (GSM)
BPORT0 ATTRIBUTES:
Line Configuration: Multi-Drop (1)
BPORT1 ATTRIBUTES:
Line Configuration: Multi-Drop (1)
LMT LOGOFF: ACK
and that's bts1:
LMT LOGON: ACK
PHASE: 3 Normal MBCCU0: Load MBCCU1: No Load Abis-link: Restoring
BS11 ATTRIBUTES:
BS-11 ESN PCB Serial Number: 001112
BS-11 ESN Hardware Code Number: 135-2044/03.03
BS-11 ESN Firmware Code Number: 135-2044/03.03
PLL Set Value=1073, Work Value=1073
SITE MANAGER ATTRIBUTES:
E1 Channel: Port=1 Timeslot=17 (Full Slot)
TEI: 25
BS11 Line Interface ATTRIBUTES:
PLL Mode: Standalone
BS11 CCLK ATTRIBUTES:
CCLK Accuracy: High (1)
CCLK Type=0
BS11 Power Amplifier 0 ATTRIBUTES:
TRX Power: 30mW (GSM)
BPORT0 ATTRIBUTES:
Line Configuration: Star (0)
BPORT1 GET ATTR NACK <--- do i have to worry about this?
LMT LOGOFF: ACK
here we go with openbsc.cfg. i use only trx0 of each bts. don't ask why i did something like this or like that, i just adapted the openbsc.cfg-file from the packet to my timeslots configured
!
! OpenBSC configuration saved from vty
! !
password foo
!
line vty
 no login
!
network
 network country code 262
 mobile network code 10
 short name Y-Phone
 long name Yodaphone
 handover 1
 bts 0
  type bs11
  band GSM900
  cell_identity 1
  location_area_code 1
  training_sequence_code 7
  base_station_id_code 63
  oml e1 line 0 timeslot 1 sub-slot full
  oml e1 tei 25 <-- i use tei 25 for the oml of bts1, too. correct?
  trx 0
   arfcn 121
   max_power_red 0
   rsl e1 line 0 timeslot 1 sub-slot full <-- the same e1 timeslot for oml is used here for the ccch.
   rsl e1 tei 1 | correct?
   timeslot 0 | i'd say weird
    phys_chan_config CCCH+SDCCH4 |
    e1 line 0 timeslot 1 sub-slot full <--
   timeslot 1
    phys_chan_config TCH/F
    e1 line 0 timeslot 2 sub-slot 1
   timeslot 2
    phys_chan_config TCH/F
    e1 line 0 timeslot 2 sub-slot 2
   timeslot 3
    phys_chan_config TCH/F
    e1 line 0 timeslot 2 sub-slot 3
   timeslot 4
    phys_chan_config TCH/F
    e1 line 0 timeslot 3 sub-slot 0
   timeslot 5
    phys_chan_config TCH/F
    e1 line 0 timeslot 3 sub-slot 1
   timeslot 6
    phys_chan_config TCH/F
    e1 line 0 timeslot 3 sub-slot 2
   timeslot 7
    phys_chan_config TCH/F
    e1 line 0 timeslot 3 sub-slot 3
 bts 1
  type bs11
  band GSM900
  location_area_code 2
  training_sequence_code 7
  base_station_id_code 63
  oml e1 line 0 timeslot 17 sub-slot full <-- harald told me line has to be 0, but i don't understand why. i configured 2 fragments on the misdn driver, with d-channel on ts 1 and 17, the rest b-channels. each fragment is a device, right? (0 and 1). Each device corresponds to a port in bs11_config and a line here, right?
  oml e1 tei 25 <-- here again: all oml e1 teis identical?
  trx 0
   arfcn 122
   max_power_red 0
   rsl e1 line 0 timeslot 17 sub-slot full
   rsl e1 tei 2
   timeslot 0
    phys_chan_config CCCH+SDCCH4 <-- here we go with line(=port=id) 1, since fragment 2 starts at device id 1 on e1 ts 17 as d-channel
    e1 line 1 timeslot 17 sub-slot full
   timeslot 1
    phys_chan_config SDCCH8
    e1 line 1 timeslot 18 sub-slot 1
   timeslot 2
    phys_chan_config TCH/F
    e1 line 1 timeslot 18 sub-slot 2
   timeslot 3
    phys_chan_config TCH/F
    e1 line 1 timeslot 18 sub-slot 3
   timeslot 4
    phys_chan_config TCH/F
    e1 line 1 timeslot 19 sub-slot 0
   timeslot 5
    phys_chan_config TCH/F
    e1 line 1 timeslot 19 sub-slot 1
   timeslot 6
    phys_chan_config TCH/F
    e1 line 1 timeslot 19 sub-slot 2
   timeslot 7
    phys_chan_config TCH/F
    e1 line 1 timeslot 19 sub-slot 3
and for the final: the output of bsc_hack during start:
2 devices found
id: 0
Dprotocols: 00000018
Bprotocols: 0000000e
protocol: 4
nrbchan: 14
name: hfc-e1.1-1
activate bchan
activate bchan
DB: Database initialized.
DB: Database prepared.
since line 1 isn't used for bts1 oml, only device id 0 with d-channel on ts 1 is activated. but i'm quite sure this is a mistake, i need 2 devices for 2 bts. right?
this config doesn't work at all. bts1 is not recognised, bts0 is recognised but can't handle calls. the handys are callable and ring, but no data is transmitted.
please give me as much feedback as possible
mni tnx
T.
--
Whoever finds spelling mistakes may keep them!
hello,
my 2nd bs11 has no load on trx0. may someone give me a bit more detailed
information than on openbsc.org how to create trx0?
tnx in advance
T.
--
Whoever finds spelling mistakes may keep them!
>You would have to talk to the manufacturer and its distributors about
>this. I have no commercial or other relationship with the manufacturer.
I myself tried this route as I'm a student looking for an inexpensive
way to work with OpenBSC, but...
1: they require a mutual shared NDA before they'll even talk prices;
2: they claim it REQUIRES their proprietary BSC software and thus you
must purchase a femtocell developer kit including their A-bis specs
and a bunch of stuff you don't need, inflating the price; and
3: they only offer their NDA to companies -- individuals and students
need not apply.
4: ... but they DO ship internationally -- GSM1800 only.
But looking at the /only/ price they mention - $7200 US for two
femtocells and all the software -- why bother? You're better off
buying two, maybe three NanoBTS for that price.
And I also seem to question my own point #2 -- they first tell me "If
you do want to use the HSL Femtocell with an alternative to the HSL
BSC..." and then in the latest mail "... our femtocell is designed to
be used with our own BSC" making it seem as if you're not supposed to
be taking it elsewhere.
Le sigh.
-DC