OpenBSC

openbsc@lists.osmocom.org

10 participants
4277 discussions

Proposed OpenBSC application interface
by Harald Welte 16 Feb '11

16 Feb '11

Hi! Collin Mulliner, Tobias Engel and myself have been meeting yesterday to discuss a generic application interface for OpenBSC. They are both doing security analysis and want to achieve a clean way how an external application can get access to a more or less transparent communication channel to the phone. The purpose of this is to be able to send intentionally malformed packets to the mobile phone GSM stack at various different levels within the stack. As of now, they have both hacked some custom code into openbsc that gets them half way where they want to be - but not quite all the way. The requirements can be summarized as follows: 1) Ability to establish a SDCCH or TCH channel by paging the phone As of now, the 'silent call' feature from the VTY already does this. 2) Ability to send arbitrary layer3 protocol messages to the phone Adding this is relatively easy (use rsl_sendmsg on the lchan from the silent call) 3) Ability to receive responses from the phone, as well as error conditions such as 'readio link failure'. We don't have a solution for this yet, and we also have no clean way to identify what might be a response from the phone to the external app, and what might be a message from the phone to the normal network code in OpenBSC 4) Ability to selectively disable partial protocol handling in OpenBSC. Let's say you want to play with the mobile phone call control implementation. In this case, you want to make sure all CC related messages go from/to the external program and not from the regular OpenBSC network code. So what I've been thinking of as a solution to the problem: * store a bypass_flags bitmask related to the subscriber structure, where we indicate values such as BYPASS_RR, BYPASS_MM, BYPASS_CC, BYPASS_SAPI3. * if we process an incoming message from the MS in gsm0408_rcvmsg(), we check if a bypass flag matching the message is found. If yes, forward the message to the external program * if we want to send a message from our own protocol stack to the MS, we check if a bypass flag matching the message is found. If yes, we drop the message that we were about to send. * any messages received from the application will be forwarded to the MS The application interface protocol will likely have a close resemblance to RSL RLL. We need to exchange the following primitives with the application, like: * ESTABLISH REQUEST -- app requests a channel be established to MS (by IMSI) * ESTABLISH CONFIRM -- network confirms a channel has been established * ESTABLISH INDICATION -- network tells app connection was made by MS * [UNIT] DATA REQUEST -- app requests data to be sent to MS * [UNIT] DATA INDICATION -- network indicates data was received from MS * ERROR INDICATION -- network tells app something went wrong * RELEASE REQUEST -- app asks network to release channel * RELEASE CONFIRM -- net tells app that channel was released (as rqd) * RELEASE INDICATION -- net tells app that channel was released (by MS) The channel_number of RSL (indicating on-air timeslot) doesn't make much sense in this context, of course. The link_identifier on the other hand is great as it allows the app to indicate SDCCH/FACCH or SACCH as well as the SAPI. The actual RSL-like protocol would be encapsulated by UDP and available on a socket of the MSC. What do you think? Regards, Harald -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

3 9

"Dial up networking" config
by Chris Rankine 15 Feb '11

15 Feb '11

For our ongoing experiment, we are hoping to tether some laptops onto the EDGE connection, either through a USB style dongle or a USB cord into a phone that allows it to be treated like a modem (And for some old school phones, maybe even a Serial port connection). These situations require a number to be dialed, what I believe is a USSD code, and sometimes a username and password to be entered. I am not talking about newer smart phones where the connection is sometimes shared using advanced drivers. Has anyone been able to do this with OpenBSC? Chris Rankine

2 1

Ericsson RBS2308 support / Status on LAPD
by Harald Welte 15 Feb '11

15 Feb '11

Hi all, Some people have been working together in order to finally start with support of the Ericsson RBS2308 (and similar models) in OpenBSC. The biggest issue so far is bringing up the actualy LAPD on the E1/T1 link. It seems Ericsson is using some dynamic timeslot configuration between BSC and BTS, so unlike e.g. Siemens, you cannot explicitly configure the OML E1 timeslot on the BTS using local configuration tools. The current working assumption is: Somehow the BSC produces bit-patterns on the E1 link and uses them to let the BTS know where to start LAPD for OML. One contributor was friendly enough to do raw bit-traces of a Racal 6113 connected to the Ericsson RBS, and they look like this: Racal to BTS Initialization openbsc:/etc/dahdi# cat /dev/dahdi/1 | hexdump 0000000 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa * 00092e0 aaaa aaaa aaaa aaaa aaaa aaaa aaaa 55aa 00092f0 ffff ffff ffff ffff ffff ffff ffff ffff * 0009600 ffff ffff ffff ffff ffff ffff ffff 7e7e 0009610 7e7e 7e7e 7e7e 7e7e 7e7e 7e7e 7e7e 7e7e * 00096b0 7e7e 7e7e 7e7e 7e7e 7e7e 7e7e 7e7e 5f7e 00096c0 3e5f 49ce cfef cfcf cfcf cfcf cfcf cfcf 00096d0 cfcf cfcf cfcf cfcf cfcf cfcf cfcf cfcf * I've written a small C program to do soft-hdlc decode. * a pattern of alternating bits (0xaa) * a pattern of all-1 bits(0xff) * a sequence of FLAG symbols (01111110) * a HDLC message FA 7D 7F 4E F2, which is a TEI=62/SAPI=62 SABME (SAPI 62 / TEI62 is configured for OML on the BTS) The interesting part is: 1) this is a SABME from BSC to BTS, whereas GSM 08.56 specifically says the BTS is the TE and the BSC the NT 2) we have not seen any TEI manager related messages(L2ML) Keep alives afterwards, about every 8 seconds 001d5e0 cfcf cfcf cfcf ebcb 04e4 a805 f323 f3f3 001d5f0 f3f3 f3f3 f3f3 f3f3 f3f3 f3f3 f3f3 f3f3 * 0031630 f3f3 f2f3 f9fa 0101 086a fcfc fcfc fcfc 0031640 fcfc fcfc fcfc fcfc fcfc fcfc fcfc fcfc * 0045680 fcfc fcfc fcfc fcfc fcfc fcfc bebe 4040 0045690 825a 3f3f 3f3f 3f3f 3f3f 3f3f 3f3f 3f3f 00456a0 3f3f 3f3f 3f3f 3f3f 3f3f 3f3f 3f3f 3f3f * 00596e0 3f3f 2f3f 90af 1610 8fa0 cfcf cfcf cfcf 00596f0 cfcf cfcf cfcf cfcf cfcf cfcf cfcf cfcf * 006d730 cfcf cfcf cfcf cfcf cbcf e4eb 0504 23a8 006d740 f3f3 f3f3 f3f3 f3f3 f3f3 f3f3 f3f3 f3f3 * 0081790 faf2 01f9 6a01 fc08 fcfc fcfc fcfc fcfc 00817a0 fcfc fcfc fcfc fcfc fcfc fcfc fcfc fcfc * 00957e0 fcfc fcfc fcfc befc 40be 5a40 3f82 3f3f 00957f0 3f3f 3f3f 3f3f 3f3f 3f3f 3f3f 3f3f 3f3f If you decode this, you get FA 7D 01 01 AD 20 (LAPD RR) FA 7D 01 01 21 AC (LAPD RR) FA 7D 01 01 AD 20 (LAPD RR) FA 7D 01 01 AD 20 (LAPD RR) FA 7D 01 01 AD 20 (LAPD RR) FA 7D 01 01 AD 20 (LAPD RR) FA 7D 01 01 AD 20 (LAPD RR) If we look at the BTS to Racal 6113 side: Initialization openbsc:/etc/dahdi# cat /dev/dahdi/1 | hexdump 0000000 e7e7 e7e7 e7e7 e7e7 e7e7 e7e7 e7e7 e7e7 * 000fe00 e7e7 e7e7 e7e7 e7e7 e7e7 e7e7 e5e7 f3f5 000fe10 1039 f971 f9f9 f9f9 f9f9 f9f9 f9f9 f9f9 000fe20 f9f9 f9f9 f9f9 f9f9 f9f9 f9f9 f9f9 f9f9 * Keep Alives, every 8 seconds 0023e40 f9f9 f9f9 f9f9 f9f9 f9f9 7c7d 8080 04b5 0023e50 7e7e 7e7e 7e7e 7e7e 7e7e 7e7e 7e7e 7e7e * 0037ea0 5f5f 2020 412d 9f1f 9f9f 9f9f 9f9f 9f9f 0037eb0 9f9f 9f9f 9f9f 9f9f 9f9f 9f9f 9f9f 9f9f * 004bef0 9f9f 9f9f 9f9f 9f9f 979f c8d7 0b08 4750 004bf00 e7e7 e7e7 e7e7 e7e7 e7e7 e7e7 e7e7 e7e7 * 005ff40 e7e7 e7e7 e7e7 e7e7 e7e7 e7e7 e7e7 f5e5 005ff50 02f2 d402 f911 f9f9 f9f9 f9f9 f9f9 f9f9 005ff60 f9f9 f9f9 f9f9 f9f9 f9f9 f9f9 f9f9 f9f9 * 0073fa0 f9f9 f9f9 f9f9 7c7d 8080 04b5 7e7e 7e7e 0073fb0 7e7e 7e7e 7e7e 7e7e 7e7e 7e7e 7e7e 7e7e * 0087ff0 7e7e 7e7e 7e7e 7e7e 7e7e 7e7e 5f7e 205f 0088000 2d20 1f41 9f9f 9f9f 9f9f 9f9f 9f9f 9f9f 0088010 9f9f 9f9f 9f9f 9f9f 9f9f 9f9f 9f9f 9f9f * 009c050 9f9f 9f9f 979f c8d7 0b08 4750 e7e7 e7e7 009c060 e7e7 e7e7 e7e7 e7e7 e7e7 e7e7 e7e7 e7e7 * Decoded, we get: FA 7D 73 60 3A (LAPD UA) FA 7D 01 01 AD 20 (LAPD RR) FA 7D 25 25 AD 20 (LAPD unknown??) FA 7D 01 01 AD 20 (LAPD RR) FA 7D 01 01 AD 20 (LAPD RR) FA 7D 01 01 AD 20 (LAPD RR) FA 7D 01 01 AD 20 (LAPD RR) FA 7D 01 01 AD 20 (LAPD RR) So as a summary, it seems that 1) the BSC applies some magic pattern (0xaa / 0xff) 2) the BSC establishes the LAPD session for OML TEI/SAPI 3) there is no L2ML, contrary to lots of Ericsson Abis documentation that you can find online. We'll continue our attempts and see if we can get the OML up... -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

2 10

data
by Hans Witvliet 12 Feb '11

12 Feb '11

This is probably completely off-topic, but can thoses nano-bts also be used for data, instead of voice? I don't mean sms, but access to email and so-on. It is not about performance, but being able to test gsm-dongles for wireless internet. (not wifi) Hans

2 1

creating primary trx
by Thomas Ansorg 11 Feb '11

11 Feb '11

hello my 2nd bs-11(bts 1) has a defective trx0, so no c0 can be created. lets have a look at gsm_bts_trx_alloc in gsm_data.c: i changed trx->bts = bts; trx->nr = bts->num_trx++; trx->nm_state.administrative = NM_STATE_UNLOCKED; to trx->bts = bts; if(bts->nr == 1) {trx->nr = 1;} else {trx->nr = bts->num_trx++;} trx->nm_state.administrative = NM_STATE_UNLOCKED; in gsm_bts_alloc, the primary trx should be created then, in the case of bts 1 starting at trx1, since trx0 dont exist unfortunately, i get a general protection fault :-( hints very velcome! T. -- Wer Rechtschreibfehler findet, darf sie behalten!

1 0

CCCH on C0?
by Thomas Ansorg 09 Feb '11

09 Feb '11

hi list, i came over line 523 in gsm_data.h: /* CCCH is on C0 */ struct gsm_bts_trx *c0; could this be the reason why a bs-11 without aktivated trx0 dont work / isnt seen by handy? T. -- Wer Rechtschreibfehler findet, darf sie behalten!

2 1

Question about Dahdi system.conf
by Gus Bourg 09 Feb '11

09 Feb '11

Hi, I've been playing with Dahdi and OpenBSC (I have an old T100P card) and something I'm a little confused about is what is the proper configuration for system.conf? Does dahdi itself take care of the hdlc/lapd signalling (in which case I'd expect the signalling channel to be set as dchan in /etc/dahdi/system.conf) or is openbsc taking care of the hdlc/lapd signalling (in which case I'd expect the signalling channel to be set as clear)? Thanks, Gus Bourg

3 2

OpenBSC DAHDI support now in master
by Harald Welte 06 Feb '11

06 Feb '11

Hi! Today I've been working on improving + cleaning up the DAHDI work that had been done last year by Xavier Carcelle and Matthew Fredrickson, which in turn uses some simplistic LAPD implementation by Oystein Homelien. It now seems to be working fine, at least for my TE110P card and a BS-11 in 2-TRX configuration. Haven't tried multi-drop yet. All you need to do is to * make sure your dahdi/user.h is found in the include path * build openbsc * configure your /etc/dahdi/system.conf according to your T1/E1 physical setup * check that dahdi_tool shows no Alarms for the physical line * use e.g. openbsc.cfg.1-1 as sample and change 'e1_line 0 driver misdn' to 'e1_line 0 driver dahdi' Regards, Harald -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

2 1

[ANN] Config file change with mISDN / BS-11
by Harald Welte 06 Feb '11

06 Feb '11

Notice to all OpenBSC users with mISDN / BS-11: I've had to introduce some new config file statements in order for the upcoming DAHDI support. This means if you update beyond git revision 3016d9f299ea4cfc8961376d20862b9418cfb059, openbsc will not start with an old 'openbsc.cfg' file. You will have to add the following two lines to make it work again (like shonw in the new openbsc.cfg.1-1): ============== e1_input e1_line 0 driver misdn ============== Sorry for that inconvenience. Regards, Harald -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

1 0

[semi-OT] iPhone SIM access via AT+CSIM
by Jens David 05 Feb '11

05 Feb '11

Hello all, I am trying to implement a bluetooth RSAP daemon for the iPhone platform. I read your description on http://openbsc.osmocom.org/trac/wiki/A5_GSM_AT_tricks . Unfortunately it does not seem to work on my phone. It always returns error code 0x6E00 for class 0xA0 (GSM application) commands: > AT+CSIM=14,"A0A40000023F00" > +CSIM: 4,"6E00" Which iPhone version and "baseband" firmware was used when doing these experiments? Any further tips? By the way, it is better to use one of the virtual serial lines, e.g. /dev/dlci.spi-baseband.extra_13 to access the X-Gold 608 when doing normal stuff rather than using the real UART interfaces (/dev/tty.debug etc.) because one does not need to unload CommCenter to have a reliable connection. --j -- Jens David, DG1KJD jens.david(a)jens-david-consulting.com http://www.jens-david-consulting.com

2 2

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

OpenBSC