OpenBSC February 2018

openbsc@lists.osmocom.org

14 participants
26 discussions

Pysim error: SW match failed
by Martin Nagy 16 Aug '25

16 Aug '25

Hi all, After buying a super Sim Kit (16 in 1) from China, I tried the reader (green PCB inside a blue transparent plastic case with a blue LED) and SIM (identified as a fakesupersim) with pysim tool. However i am getting the following error: /pySim-prog.py -n 26C3 -c 49 -x 262 -y 42 -z 1234 -j 1 -t auto Insert card now (or CTRL-C to cancel) Autodetected card type fakemagicsim Generated card parameters : > Name : 26C3 > SMSP : e1ffffffffffffffffffffffff058100945555ffffffffffff000000 > ICCID : 8949262427518313026 > MCC/MNC : 262/42 > IMSI : 262422461512085 > Ki : 7b74741a1ee14337ec23f9ab92a13648 > OPC : ccd867d60797d8d45354a51b3ef568ff Programming ... Traceback (most recent call last): File "./pySim-prog.py", line 530, in <module> card.program(cp) File "/home/nadicek/pysim/pysim/pySim/cards.py", line 231, in program self._scc.update_binary('6f30', hplmn + 'ff' * (tl-3)) File "/home/nadicek/pysim/pysim/pySim/commands.py", line 53, in update_binary return self._tp.send_apdu_checksw(pdu) File "/home/nadicek/pysim/pysim/pySim/transport/__init__.py", line 87, in send_apdu_checksw raise RuntimeError("SW match failed ! Expected %s and got %s." % (sw.lower(), rv[1])) RuntimeError: SW match failed ! Expected 9000 and got 9804. I checked mailing lists and haven’t found anybody who had similar problem with pysim. Also I have tried forcing different models of SIM, but nothing is working. Obviously I can remove this check from the script file (__init__.py in /pySim/transport), however somebody had a reason to put such condition there. I would like to ask if it is safe to remove that line of code and the purpose of that line of code. Thanks a lot and best regards Martin

3 3

Re: Help with sccp library
by mosbah abdelkader 07 Jul '25

07 Jul '25

> I don't understand. This callback will be called with data you need to write > to the network. In case of MTP Level3 you will need to wrap that around the > msgb you got. I means: is the interaction with mtp3 layer implemented (is sending sccp data by mtp3 implemented by the library?)? Also, what about the reception of data from mtp3 layer. is that implemented in the sccp lib. I am asking these questions because I see the code of mtp3 in the lib but no significant call is present in the sccp part of the lib. Thank you for your help.

4 3

dynamic traffic channels
by Neels Hofmeyr 20 May '25

20 May '25

On Tue, Jun 28, 2016 at 10:05:28AM +0200, Harald Welte wrote: > [translated from german] > is it certain that we switch a channel to PDCH only when > gprs mode != none? A TS can be GSM_PCHAN_TCH_F_PDCH; those are the only ones for which we send a PDCH ACT message. We send a PDCH ACT message - during init (CHANNEL OML's state changed to enabled -> send PDCH ACT), - and upon channel release ack when pchan == GSM_PCHAN_TCH_F_PDCH. So the question is, when we receive a channel release ack, could that be the PDCH release and we switch PDCH right back on by accident? No, because we only receive a chan rel ack when the *TCH/F* is being released. That is because the PDCH release is initiated "internally" from the PDCH DEACT, and thus this condition in common/rsl.c rsl_tx_rf_rel_ack() catches on, which existed before dyn PDCH: if (lchan->rel_act_kind != LCHAN_REL_ACT_RSL) { LOGP(DRSL, LOGL_NOTICE, "%s not sending REL ACK\n", gsm_lchan_name(lchan)); return 0; } In rsl_rx_rf_chan_rel() the rel_act_kind is set to LCHAN_REL_ACT_RSL, but not in the rsl_rx_dyn_pdch(). This is analogous to the ip.access way -- the ip.access nanobts replies to a PDCH DEACT with a PDCH DEACT ACK and doesn't send a separate channel release ack. Maybe we could set rel_act_kind to some new LCHAN_REL_ACT_IPAC_DYN_PDCH for clarity? (But we shouldn't actually send a release ack, to stay compatible.) Even though it works as-is, we should indeed add another flag check: - We do check the flags that no ACT/DEACT is already pending; - And we do send a PDCH DEACT only if ts->flags & TS_F_PDCH_ACTIVE; - But we would send a PDCH ACT despite ts->flags & TS_F_PDCH_ACTIVE. This should never happen, but it would make sense to ensure that. ~Neels

3 5

GSM 04.08 L2 pseudo length in ACCH System Information messages
by Vadim Yanitskiy 12 Mar '18

12 Mar '18

Hi everyone, I few days ago, during some usual R&D process, I noticed the following messages, appearing in the log output of OsmocomBB/mobile application: "ACCH message type 0xXX unknown." The network, a phone was connected to, was may own and based on more or less recent versions of OsmoNiTB, OsmoBTS, and OsmoTRX. Despite I used to see such messages before, I didn't pay too much attention. But this time I've decided to figure out, what's wrong there... The source of such messages is the gsm48_rr.c / gsm48_rr_rx_acch(): static int gsm48_rr_rx_acch(struct osmocom_ms *ms, struct msgb *msg) { // ... struct gsm48_system_information_type_header *sih = msgb_l3(msg); // ... switch (sih->system_information) { case GSM48_MT_RR_SYSINFO_5: return gsm48_rr_rx_sysinfo5(ms, msg); case GSM48_MT_RR_SYSINFO_5bis: return gsm48_rr_rx_sysinfo5bis(ms, msg); case GSM48_MT_RR_SYSINFO_5ter: return gsm48_rr_rx_sysinfo5ter(ms, msg); case GSM48_MT_RR_SYSINFO_6: return gsm48_rr_rx_sysinfo6(ms, msg); default: LOGP(DRR, LOGL_NOTICE, "ACCH message type 0x%02x unknown.\n", sih->system_information); return -EINVAL; } } To get I bit more details, I modified this function to print the whole L3 payload, and got some interesting results. As it turned out, the payloads were shifted one byte left - there was no 'l2_plen', which is assumed by: /* Section 9.1.3x System information Type header */ struct gsm48_system_information_type_header { uint8_t l2_plen; uint8_t rr_protocol_discriminator :4, skip_indicator:4; uint8_t system_information; } __attribute__ ((packed)); So, my first idea was that this is a bug of OsmocomBB, that would be fairly easy to fix, so after a quick look at the GSM 04.08 specification I wrote (and merged :/) this: https://gerrit.osmocom.org/#/c/5204/ And everything was great, until I connected a 'patched' mobile to a commercial mobile network... And all SI messages during a dedicated connection were false-identified as SI5ter. This seemed strange to me, so I decided to compare a SI message from commercial network with a message captured in my own one: https://habrastorage.org/webt/t8/zs/vv/t8zsvvjjglzfisnjqlnnsy4kgas.png And this confused me even more, then I've expected. Why there is 0x49? Wireshark false-identified this message as something related to SMS... What if this is exactly the 'l2_plen' assumed in OsmocomBB before? I looked at the specifications again, and found out that initially I refered an outdated 5.3.0 version, which was the first link in Google: http://www.etsi.org/deliver/etsi_gts/04/0408/05.03.00_60/gsmts_0408v050300p… while the latest one is 7.21.0: http://www.etsi.org/deliver/etsi_ts/100900_100999/100940/07.21.00_60/ts_100… So, I compared the 9.1.37-40 sections of both versions, and bingo! In the higher version ACCH System Information messages do have the 'L2 Pseudo Length' (10.5.2.19) field. Finally, what I've learned: - OsmocomBB / mobile follows the new version here (with l2_plen); - OsmoNiTB generates the ACCH SI messages without the l2_plen; - Recent Wireshark versions fail to decode the ACCH SI messages with l2_plen, while older ones are able to do that; - I should not merge the changes so quick. My questions are: - Which way of composing the SI messages is correct? - If both are correct, how to parse them correctly? - Should we change OsmoNiTB / OsmoBSC to follow the latest specs? And of course, I have to revert the change I've merged. With best regards, Vadim Yanitskiy.

2 1

Submissions for OsmoDevCon 2018
by Harald Welte 04 Mar '18

04 Mar '18

Dear Osmocom community, it's already end of January and OsmoDevCon 2018 in April is getting closer and closer. As indicated before, I would like to group the topics by days and put together at least a rough framework shcedule, so that people with specific interests don't have to be present for four full days to make sure they don't miss anything. So I'd like to re-invite all attendees to consider adding a topic/porposal to the wiki page at https://osmocom.org/projects/osmo-dev-con/wiki/OsmoDevCon2018#section-9 so that we can group different topic areas and put together a rough schedule outline. A proposal doesn't mean you have to give a talk. It could be anything, including * a talk that you would want to listen to, and you're looking for somebody to give it * a discussion about a certain topic * a workshop / hands on session * lightning talks? Like any community event, OsmoDevCon lives by its contributors. I can't wait to hear about all the things you've been up to. Thanks! Regards, Harald -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

1 1

A5/1 Encryption Enabled - Programmable SIM unable to camp
by Ron 01 Mar '18

01 Mar '18

Hi All, Does anyone tried enabling the A5/1 Encryption using osmo-bsc and osmo-msc? We are using an UPBOARD with the following elements; osmo-bsc, osmo-bts-trx and osmo-trx in it; and a NUC with osmo-hlr, osmo-msc, osmo-mgcp, and osmo-stp. Both servers are using Ubuntu 16.04 OS. We enabled the a5/1 encryption in both osmo-bsc and osmo-msc. Then provisioned the programmable SIM to osmo-hlr with aud2g comp128v1 auth. OsmoHLR# subscriber imsi 515941234567890 show ID: 9 IMSI: 515941234567890 MSISDN: 09271234567 2G auth: COMP128v1 KI=00112233445566778899aabbccddeeff We are not really sure what causes the LOCUP Reject. Can anyone help us with this issue? Attached are the configuration used during the testing and a trace taken during the testing. Best Regard, Ron Menez ron.menez(a)entropysolution.com<mailto:ron.menez@entropysolution.com>

2 3

UMTRX - Missing IMEI in the Identity Request
by Ron 28 Feb '18

28 Feb '18

Hi All, We have encountered an issue in latching/phone camping using UMTRX and OSMOCOM elements. During the registration process, encryption command fails since the OsmoBSC/BTS does not provide the IMEI in the Identity Request. Note that the Mobile core only permits a5/1 encryption. This issue is not encountered using ETTUS B210 with same version of OSMOCOM elements and same configuration files. May we know if this is a known issue? The UHD version used is the UHD_003.010.002.HEAD-3-g122bfae1 and the UMTRX Driver used is1.0.3-128-93d4343. We used the URL below in installing the driver and module of UMTRX: https://umtrx.org/applications/driver/ Best Regard, Ron Menez ron.menez(a)entropysolution.com<mailto:ron.menez@entropysolution.com>

2 1

trxcon, fake-trx and osmo-bts-trx: Simulating TA + Power Control
by Harald Welte 28 Feb '18

28 Feb '18

This is picking up on a discussion that fixeria and I have had in https://gerrit.osmocom.org/#/c/6846 so far. The goal is to be able to fully test the timing advance and power control loops in unmodified osmo-bts-trx (from the BTS_Tests.ttcn test suite). For this, we need: * fake_trx must be able to insert additional false "delay" * fake_trx must be able to insert additional false "path loss" Let's look at TOA/timing first: 1) Implementation of TA in fake_trx * MS sets timing advance via L1CTL * trxcon translates this into SETTA command to fake_trx * fake_trx stores this curernt TA value (in bit periods) * fake_trx initializes the per-burst TOA (in 1/256th symbol periods) to the negative of those values when converting from Tx to Rx burst format, before feeding to osmo-bts-trx 2) implementation of "fake delay" in fake_trx * test case at any time requests fake_trx to apply a "fake delay" (in 1/256th symbol periods) * fake_trx stores this signed 16bit value * fake_trx applies this fake_delay value when converting uplink Tx bursts to Rx bursts, after having applied the timing advance. So a typical exchange between MS and BTS looks like this: * testcase instructs fake_trx to apply fake_delay of 512 (2 bit periods) * MS sends RACH burst with no timing advance at all * fake_trx applies TA=0 and adds fake_delay value (512), resulting in reported timing value of 512 in the bursts passed to osmo-bts-trx * osmo-bts-trx detects '512' and forwards this as timing offset to the BSC * BSC will allocate a channel, and instruct MS to use TA=2 on it * MS sends SETTA=2 to fake_trx * any bursts from MS in fake_trx are processed as follows: ** set toa=-256*2=-512 (TA value of 2) ** add fake_delay: toa=-512 (result of above) + 512 (fake delay) = 0 * osmo-bts-trx receives bursts with toa=0, i.e. timing advance loop is balanced When the MS is moving further away, we can simulate this by: * testcase sends fake_delay=1024 to fake_trx * uplink bursts now are processed in fake_trx as: ** set toa=-256*2=-512 (TA value of 2) ** add fake_delay: toa=-512 (result of above) + 1024 (fake delay) = +512 * osmo-bts-trx receives bursts with toa=512, reports this to timing advance loop code * TA loop code will result in SACCH downlink L1 header to contain TA=4 (not just 2 like before) * MS will send "SETTA 4" to fake_trx * uplink bursts now are processed in fake_trx as: ** set toa=-256*4=-1024 (TA value of 4) ** add fake_delay: toa=-1024 (result of above) + 1024 (fake delay) = 0 * loop is balanced again For RSSI processing it's slightly more complicated: * fake_trx would need to know the nominal transmit power of both MS and BTS. This could be from config file, command line argument or some control commands. For this example, let's assume MS nominal power is +30dBm and BTS +23 dBm * fake_trx will have some "SET PATH LOSS" command by which the test case can tell it about the path loss it shall apply (in uplink and/or downlink direction) * fake_trx receives "SET PATH LOSS 110" for 110dB path loss * uplink burst processing then looks like this ** fake_trx knows MS nominal power is +30 dBm ** fake_trx subtracts the attenuation value from the Tx Burst Data header (e.g. 10 dB) ** fake_trx computes +30 (nominal power) -10 (burst attenuation) - 110 (path loss) = -90 dBm ** fake_trx reports -87dBm RSSI in the uplink burst to osmo-bts-trx * downlink burst processing then looks like this ** fake_trx knows of BTS transmit power level is 23dBm ** fake_trx reads attenuation from tx burst header (e.g. 0dB) ** fake_trx computes +23 (nominal power) -0 (burst attenuation) - 110 (path loss) = -87 dBm ** fake_trx reports Rx bursts with -87dBm RSSI to trxcon I hope this makes sense. Comments welcome. -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

1 0

Help with GPRS and new split stack
by Rafael Diniz 27 Feb '18

27 Feb '18

Hi all, I'm running the new split stack on a LC 15 (osmo-bts and osmo-pcu from stock LC15, and osmo-bsc, osmo-msc, osmo-stp, osmo-hlr, ... from debian 9 armv7l nightly in a chroot). osmo-sgsn gives me: 0180225034309988 DGPRS <000f> gprs_subscriber.c:714 SUBSCR(250026920931392) Received GSUP message OSMO_GSUP_MSGT_SEND_AUTH_INFO_ERROR 20180225034309988 DGPRS <000f> gprs_subscriber.c:470 SUBSCR(250026920931392) Send authentication info has failed with cause 2, handled as: Permission denied 20180225034309988 DGPRS <000f> gprs_subscriber.c:478 SUBSCR(250026920931392) GPRS send auth info req failed, access denied, GMM cause = 'IMSI unknown in HLR' (2) 20180225034309988 DGPRS <000f> gprs_subscriber.c:828 SUBSCR(250026920931392) Updating subscriber authentication info 20180225034309988 DMM <0002> gprs_sgsn.c:726 MM(250026920931392/e550701e) Subscriber data update 20180225034309988 DMM <0002> sgsn_auth.c:219 MM(250026920931392/e550701e) Updating authorization (unknown -> authenticate) 20180225034309988 DMM <0002> sgsn_auth.c:236 MM(250026920931392/e550701e) Missing auth tuples, authorization not possible 20180225034309988 DMM <0002> sgsn_auth.c:248 MM(250026920931392/e550701e) Got authorization update: state unknown -> rejected 20180225034309988 DMM <0002> gprs_gmm.c:1140 MM(250026920931392/e550701e) Not authorized, rejecting ATTACH REQUEST with cause 'IMSI unknown in HLR' (2) 20180225034309988 DMM <0002> gprs_gmm.c:489 MM(250026920931392/e550701e) <- GPRS ATTACH REJECT: IMSI unknown in HLR 20180225034309988 DMM <0002> gprs_gmm.c:313 MM(250026920931392/e550701e) Cleaning MM context due to GPRS ATTACH REJECT osmo-hlr: 20180225034401485 DAUC <0003> db_auc.c:129 IMSI='250026920931392': No 2G Auth Data 20180225034401485 DAUC <0003> db_auc.c:165 IMSI='250026920931392': No 3G Auth Data 20180225034401485 DAUC <0003> hlr.c:79 250026920931392: IMSI known, but has no auth data; Returning slightly inaccurate cause 'IMSI Unknown' via GSUP But I added the IMSIs in the HLR. Which kind of auth data should I put to a SIM card from a mainstream carrier? Thanks, Rafael Diniz

2 4

Approach to system testing for Osmocom stack
by Holger Freyther 25 Feb '18

25 Feb '18

Hi, the lua binding code was added to be able to automate OpenBSC tests. In theory we should be able to do this for SMS and UpdateLocation (call handling with MNCC exposing is left as a todo) but in practice we miss a piece of software to coordinate this and run the test. We miss it because it is an interesting problem but also I lost time on switching countries, learning new tricks at a project... The basic testing structure looks easy as well. We want to define the number of concurrent subscribers (0, 10, 100, 1000, n) and to make it simple a single test (UL, send SMS, t) and execute the same test for each subscriber and call it a success if y% of tests succeed within time T. The way to measure this is easy as well. The lua script would print some data (e.g. the name of the ms) when it starts and completes. For some degrees of freedom I don't have a good idea.. and feedback is welcome. I am not sure if I should spawn, configure, add subscribers, a flavor of Osmocom cellular? I look into having some set of templates for the config, the stack to launch and in concept it looks awfully similar to something the GSM tester is doing. Shall we leave virtbts/cellular to the Osmocom tester and just focus on coordinating mobile? My feeling is to leave this to the Osmo GSM tester. If we have n subscribers I would launch m copies of "mobile" (but run multiple MS in a single binary). So with 4 MS per mobile process and 10k subs we would end with 2.5k processes + many log messages coming from each. Would that scale with python? Should we look into doing this one in Go? Or can some of GSM tester be used (the template part)? I would probably design this concurrently with Go(besides being the first). any ideas/comments? holger

4 12

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

OpenBSC February 2018