Hello Philipp,
On Mon, 20 Jul 2009 18:39:47 +0200, "dexter" <zero-kelvin(a)gmx.de> wrote:
>
> We have a Toy-Spectrum-Analyser here, so I have measured the output of
> our BS-11 when initialized with -f 123
>
> http://www.root.runningserver.com/pub/openbsc_spektralanalyse.png
>
Not sure what you are measuring on peak one and two, but channel 123
should be 959.6 MHz; this is most certainly the third peak. There might
be small signals (e.g. from the oscillator of the BS-11) on other
frequencies, but they should be much smaller than the main signal.
I don't know what the specification for a BTS allows as the level for
emissions on other frequencies, so I can't give you any numbers on how
strong those other signals can be.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hi folks.
We have a Toy-Spectrum-Analyser here, so I have measured the output of
our BS-11 when initialized with -f 123
http://www.root.runningserver.com/pub/openbsc_spektralanalyse.png
Why are there 2 carriers emitted by the BTS?
I thought that OpenBSC uses only one TRX. I have verified that the
carrier must be emitted by the BTS. If I stop the BTS the carrier
vanishes and the T-Mobile carrier comes through (much weaker, of course).
I have no explanation for this effect, can anyone give me a hint?
regards
Philipp
Hi Andreas,
since your experience with mISDN is much better than mine,
can you comment on the status of mISDNdebugtool? As it seems, Eric is having
some problems using it. Also, in current mISDNuser.git (socket branch),
it doesn't compile since mISDNdebugtool.h is missing.
What we're trying to do is to generate pcap files that we can throw at wireshark.
Thanks in advance,
--
- Harald Welte <laforge(a)gnumonks.org> http://gnumonks.org/
============================================================================
We all know Linux is great...it does infinite loops in 5 seconds. -- Linus
Hello Eric,
On Thu, 16 Jul 2009 17:53:53 +0200, "Eric Cathelinaud" <e.cathelinaud(a)googlemail.com> wrote:
>
> Yes I would like to make the cell phone answer as fast as possible but
> without the need of a user interaction. So I am trying to get RACH as fast
> as possible and I think the paging function is the most suitable for this. A
> RACH for each frame would be really nice. At least one RACH out of 2 frames,
> then I can have at least 1 RACH per 10 ms.
I don't think you have much influence on setting the paging reorganisation
mode; this is done by the BTS when it detects that something has changed
with paging (the BTS can detect it by looking for changes in the SYSTEM
INFORMATION messages). I did a quick test with a nanoBTS 1800, if for
example BS_PA_MFRMS is changed, the BTS will activate the paging
reorganisation mode while switching the parameter. I can confirm that
with the Nokia Network Monitor, it displays the page mode and indicates
"paging reorganisation" for a short amount of time (about one second).
You can try to constantly switch the SYSTEM INFORMATION data related to
paging, but I don't know if this will help with what you want to do.
Also please note that I have not tried it with the BS-11.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Eric,
On Thu, 16 Jul 2009 15:44:21 +0200, "Eric Cathelinaud" <e.cathelinaud(a)googlemail.com> wrote:
>
> I don't know if the mobile phone will answer every time if I try to do a
> paging on it for each successive frame. Or if he will answer the first time
> and ignore the other paging requests after.
Maybe you can explain what you want to achieve, this might help to give
an answer.
I initially thought you want to measure the standby time of the phone,
this is why I posted the information about the BS_PA_MFRMS parameter,
it usually determines the standby time (if BS_PA_MFRMS is maximum,
you usually get the longest standby time).
But now it seems you want the phone to react as fast as possible on
a paging request, but maybe I don't understand what you want to do.
Best regards,
Dieter
PS: The calculation of the paging group is done by OpenBSC and not
by the BTS.
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello Eric,
On Wed, 15 Jul 2009 11:00:14 +0200, "Eric Cathelinaud" <e.cathelinaud(a)googlemail.com> wrote:
>
> I was just thinking about performing a recursive paging in order to see how
> much time I have until the battery of a mobile phone runs out.
> Does anyone know if the mobile phone answers at every paging or if it
> doesn't "listen" all the time? I think it listens periodically. If anyone
> can give me a clue, that would be appreciated.
This is an excerpt from a posting to another mailing list, I just
quote it because I don't want to repeat what I already wrote:
> - The phone is in "idle" mode (no speech/data traffic)
> and periodically receives the paging channel (PCH) to
> find out if it's being called. Further the phone measures
> the signal strength of neighbor cells and every now
> and then (not that frequent as the above actions)
> receives the cell information in the broadcast common
> control channel (BCCH) of the serving cell and of
> at most six neighbor cells with the strongest signal.
....
> - The time between receiving the PCH is determined by a
> parameter of the serving cell (BS_PA_MFRMS, range 2 to 9).
> It's measured in 51-multiframes until the PCH for the phone
> repeats (if you want to know the details have a look at
> the GSM specs ;-) . The length of a 51-multiframe is
> 235.8 ms, this means the time between receiving the PCH
> is in the range 471.9 ms to 2122.2 ms. In this time the
> idle phone most of the time sleeps or receives the BCCH
> of the serving cell or one of the neighbor cells with
> the strongest signal (at most six).
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
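The paging arithmetic behind the BS_PA_MFRMS figures quoted above and the PS of the previous mail (the paging group is computed by OpenBSC, not the BTS), as an added Python example that is not OpenBSC code: the formulas are those of GSM 05.02 section 6.5.2, the IMSI and CCCH settings are constructed sample values, and the 51-multiframe length is derived from the exact TDMA frame length of 120/26 ms (about 235.4 ms per multiframe).

```python
from dataclasses import dataclass

FRAME_MS = 120 / 26                 # one TDMA frame, about 4.615 ms
MULTIFRAME51_MS = 51 * FRAME_MS     # one 51-multiframe, about 235.4 ms


@dataclass(frozen=True)
class CcchConfig:
    bs_pa_mfrms: int            # 2..9: 51-multiframes between a phone's paging blocks
    bs_ag_blks_res: int = 0     # CCCH blocks per multiframe reserved for AGCH
    bs_cc_chans: int = 1        # CCCH timeslots in the cell (1 = TS0 only)
    combined: bool = False      # True if CCCH shares TS0 with SDCCH/4

    def __post_init__(self):
        if not 2 <= self.bs_pa_mfrms <= 9:
            raise ValueError("BS_PA_MFRMS must be in 2..9")
        if self.blocks_per_multiframe() < 1:
            raise ValueError("no CCCH block left for paging")

    def blocks_per_multiframe(self) -> int:
        # A 51-multiframe carries 9 CCCH blocks (3 when combined with
        # SDCCH/4); blocks reserved for access grants never carry paging.
        return (3 if self.combined else 9) - self.bs_ag_blks_res

    def paging_blocks(self) -> int:
        # "N" in GSM 05.02: paging blocks available in one paging cycle
        return self.blocks_per_multiframe() * self.bs_pa_mfrms

    def paging_period_ms(self) -> float:
        # how often an idle phone has to wake up and decode its PCH block
        return self.bs_pa_mfrms * MULTIFRAME51_MS


def paging_group(imsi: str, cfg: CcchConfig) -> tuple:
    """Return (CCCH_GROUP, PAGING_GROUP) for an IMSI, GSM 05.02 section 6.5.2."""
    n = cfg.paging_blocks()
    idx = (int(imsi) % 1000) % (cfg.bs_cc_chans * n)
    return idx // n, idx % n


def paging_block_position(pg: int, cfg: CcchConfig) -> tuple:
    """Return (multiframe index within the paging cycle, block index within
    that multiframe) where paging group pg is sent; the phone sleeps between."""
    bpm = cfg.blocks_per_multiframe()
    return pg // bpm, pg % bpm


if __name__ == "__main__":
    # constructed sample: an IMSI on a TS0-only CCCH with one AGCH block
    cfg = CcchConfig(bs_pa_mfrms=2, bs_ag_blks_res=1)
    print(paging_group("262011234567890", cfg), paging_block_position(10, cfg))
    print("%.1f ms between paging blocks" % cfg.paging_period_ms())
```

Raising BS_PA_MFRMS from 2 to 9 stretches the phone's paging period from roughly 0.47 s to 2.1 s, which is the standby-time effect Dieter refers to.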
2009/7/10 Harald Welte <laforge(a)gnumonks.org>
On Thu, Jul 09, 2009 at 01:18:05PM +0200, Eric Cathelinaud wrote:
> > Hi everybody
> >
> > I just would like to be sure that the paging is only sent on TS0 with
> > OpenBSC, that is to say PCH (which is on CCCH) is only sent on TS0.
> > I read that it could be sent on more time slots (TS2, TS4 and TS6 also) in
> > the GSM specifications. Is it the case in the soft or you just keep the
> > normal multiplexing setting (TS0 only for CCCH+BCCH, 1 slot for dedicated
> > channels and 6 slots for the traffic channels)?
>
> we only run one timeslot (TS0) for the CCCH (and thus the PCH). Using more
> timeslots is only required in really large BTS with many TRX - not a case
> we particularly care about right now.
>
> --
> - Harald Welte <laforge(a)gnumonks.org>
> http://laforge.gnumonks.org/
>
> ============================================================================
> "Privacy in residential applications is a desirable marketing option."
> (ETSI EN 300 175-7 Ch. A6)
>
Ok thanks
I was just thinking about performing a recursive paging in order to see how
much time I have until the battery of a mobile phone runs out.
Does anyone know if the mobile phone answers at every paging or if it
doesn't "listen" all the time? I think it listens periodically. If anyone
can give me a clue, that would be appreciated.
Eric Cathelinaud
Hello Harald,
On Sun, 12 Jul 2009 16:02:11 +0200, "Harald Welte" <laforge(a)gnumonks.org> wrote:
>
> Thanks a lot for your investigation. Are you planning to take it beyond the
> hack and do a clean implementation that we can merge at some point?
To implement it in a clean way in my opinion requires some discussion
about how to do it so that it fits into the architecture:
- When to do the authentication, most certainly during the first
Location Update, but when else?
- Where to store the subscriber Ki for authentication and the
information about which algorithm is used ? Also store for each
subscriber if authentication and/or encryption should be used.
- Where to cache Kc, it's not necessary to authenticate every time when
encryption for a channel is turned on. Kc from a previous
authentication can be used several times.
- Where to turn on encryption, every time a channel is allocated ?
Those are just a few thoughts. I guess discussion about the details
probably takes longer than if you or Holger implement it during your
ongoing work on OpenBSC. Currently you both are the main people working
on OpenBSC at several places of the implementation and a clean integration
of authentication and encryption affects a lot of those places too. I am
reluctant to interfere here, not because of the time it takes (it's not
that much) but because any changes should fit to what you plan to
do. If anyone wants to see the technical details, I can provide them,
it's rather simple and straightforward.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
Hello,
I did a few tests with Authentication and Encryption. It's just
a quick hack and nothing which can be integrated into OpenBSC
in a clean way but the process was rather straightforward:
- For my tests I used the location update request.
- I sent the AUTHENTICATION REQUEST to the MS.
- When I received the AUTHENTICATION RESPONSE from the MS, I
compared SRES with the expected value. If the expected value
was received, I sent the ENCRYPTION COMMAND with Kc to the
BTS. If the wrong SRES was received, I sent an AUTHENTICATION
REJECT to the MS.
- The BTS will now send the CIPHERING MODE COMMAND to
the MS and activate encryption.
- The CIPHERING MODE COMPLETE command from the MS will already
be received encrypted.
I have not recorded the RF traffic to check if encryption is really
enabled. But the Nokia Netmonitor indicated encryption, additionally
if I send the wrong Kc in the ENCRYPTION COMMAND, the location update
does not complete.
I have not tested speech traffic yet, but it most certainly works the
same way.
One thing which might be interesting is how to get SRES and Kc because
the A3/A8 algorithm on the SIM is usually not known. There are a few ways
how to do it:
- one could record a few results from a SIM and only send RAND values
where the pre-recorded results are known.
- the SIM communication could be intercepted (for example with a
device like the "Turbo Lite" from www.bladox.com) and if the APDU for
authentication is sent, one can run one's own A3/A8 algorithm instead of
the one from the card.
- if one has a SIM with the broken and known COMP128, it's possible
to find Ki so that the authentication response from the card can
be calculated.
- Test SIMs (for GSM Test Equipment) have implemented a known
A3/A8 algorithm (XOR) and so the authentication response can
be calculated.
- One can buy one of those SIM clone cards (they are called Super-SIM
Magic-SIM, 16in1 SIM or similar). They are not of much use for official
networks because only a few (if any) providers use COMP128 any more
and this is the algorithm those cards implement (and expect it to be in
the card which should be cloned). You can buy such SIM cards rather cheaply
(around 5 Euro). They usually come with software (Windows) which allows
you to set the IMSI and Ki for COMP128. So you have a card with a known
A3/A8 algorithm (COMP128) and a known Ki.
I used one of those SIM clone cards for my experiments, the SIM worked
fine in an older Nokia 3310 (at least for this test). I don't know how
well it will work in other phones but for this rather low price it's
probably worth a try.
Best regards,
Dieter
--
Dieter Spaar, Germany spaar(a)mirider.augusta.de
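The network-side half of the exchange Dieter describes, together with the Kc caching he raised in the earlier mail, as an added Python example that is not OpenBSC code: the A3/A8 is the XOR algorithm of GSM test SIMs, with the byte layout (SRES from the first 4 bytes of RAND xor Ki, Kc from the next 8) assumed rather than taken from the thread, and Subscriber, PendingAuth and the message names returned as strings are this example's own.

```python
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Subscriber:
    imsi: str
    ki: bytes                   # 16-byte key known to network and test SIM
    cipher_required: bool = True
    kc: Optional[bytes] = None  # Kc cached from the last successful auth

@dataclass
class PendingAuth:
    rand: bytes
    sres: bytes                 # expected answer, kept on the network side
    kc: bytes

def a3a8_xor(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Test-SIM XOR algorithm: SRES and Kc from RAND xor Ki. The byte layout
    (SRES = first 4 bytes, Kc = next 8) is an assumption of this example."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND must be 16 bytes")
    x = bytes(a ^ b for a, b in zip(ki, rand))
    return x[:4], x[4:12]

def authentication_request(sub: Subscriber,
                           rand: Optional[bytes] = None) -> PendingAuth:
    """Choose RAND and precompute what the SIM must answer."""
    rand = os.urandom(16) if rand is None else rand
    sres, kc = a3a8_xor(sub.ki, rand)
    return PendingAuth(rand, sres, kc)

def authentication_response(sub: Subscriber, pending: PendingAuth,
                            received_sres: bytes) -> Tuple[str, Optional[bytes]]:
    """Next message to send: ENCRYPTION COMMAND with Kc on a match, else
    AUTHENTICATION REJECT. compare_digest keeps the check constant-time."""
    if not hmac.compare_digest(pending.sres, received_sres):
        return "AUTHENTICATION REJECT", None
    sub.kc = pending.kc
    return "ENCRYPTION COMMAND", sub.kc

def channel_activated(sub: Subscriber) -> str:
    """On a later channel: reuse the cached Kc instead of authenticating again."""
    if not sub.cipher_required:
        return "plain"
    return "authenticate first" if sub.kc is None else "ENCRYPTION COMMAND"
```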