Hello Paul,
On Wed, 02 Dec 2009 22:36:53 +0000, s4dd@losers.yore.ma wrote:
Any help you guys could give is much appreciated!
I think the problem is the "Invalid Channel Combination!!!" error message. Try to change "phys_chan_config" of timeslot 1 from "SDCCH8" to "TCH/F". From my understanding of verify_chan_comb() "SDCCH8" is not allowed on the same TRX that already has "CCCH+SDCCH4" so I wonder why it is set in the config file (this only applies to the BS11). Sorry, I don't have a ready BS11 configuration at hand right now, so I can't test it.
Best regards, Dieter
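The rule Dieter describes, written as a small config check. This is an added example, not part of the original post and not OpenBSC's verify_chan_comb(); the rule comes only from the description above, and the function names and sample config are constructed for illustration.

```python
import re

# Constructed sample in OpenBSC vty config style; timeslot 1 carries SDCCH8.
SAMPLE_CFG = """\
network
 bts 0
  type bs11
  trx 0
   timeslot 0
    phys_chan_config CCCH+SDCCH4
    e1 line 0 timeslot 1 sub-slot full
   timeslot 1
    phys_chan_config SDCCH8
"""

def parse_chan_configs(text):
    """Return ({(bts, trx): {timeslot: pchan}}, {bts: bts_type})."""
    layout, bts_type = {}, {}
    bts = trx = ts = None
    for raw in text.splitlines():
        line = raw.strip()
        # fullmatch keeps "e1 line 0 timeslot 1 ..." from being read as a node
        node = re.fullmatch(r"(bts|trx|timeslot) (\d+)", line)
        if node:
            kind, num = node.group(1), int(node.group(2))
            if kind == "bts":
                bts, trx, ts = num, None, None
            elif kind == "trx":
                trx, ts = num, None
            else:
                ts = num
        elif line.startswith("type ") and bts is not None:
            bts_type[bts] = line.split()[1]
        elif line.startswith("phys_chan_config ") and ts is not None:
            layout.setdefault((bts, trx), {})[ts] = line.split()[1]
    return layout, bts_type

def find_invalid_combinations(text):
    """Apply the rule as stated in the post (not OpenBSC's own code):
    on a BS11, SDCCH8 may not share a TRX with CCCH+SDCCH4."""
    layout, bts_type = parse_chan_configs(text)
    findings = []
    for (bts, trx), slots in layout.items():
        if bts_type.get(bts) != "bs11":
            continue  # the post says the restriction only applies to the BS11
        if "CCCH+SDCCH4" in slots.values():
            findings += [(bts, trx, ts) for ts, p in sorted(slots.items())
                         if p == "SDCCH8"]
    return findings
```

Each finding is a (bts, trx, timeslot) tuple naming a timeslot whose phys_chan_config would have to change, as timeslot 1 does in this thread.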
Dieter -
I don't know if that's valid by the spec or not, but it's part of a pretty standard configuration in IMSI-catchers: CCCH+SDCCH4 + 6*SDCCH8 + TCH/F. That maximizes location updating capacity and leaves one TCH/F for other ... mischief. Most of those IMSI-catchers are based on commercial mini/nano-BTS equipment.
-- David
On Dec 3, 2009, at 8:26 AM, Dieter Spaar wrote:
Hello Paul,
On Wed, 02 Dec 2009 22:36:53 +0000, s4dd@losers.yore.ma wrote:
Any help you guys could give is much appreciated!
I think the problem is the "Invalid Channel Combination!!!" error message. Try to change "phys_chan_config" of timeslot 1 from "SDCCH8" to "TCH/F". From my understanding of verify_chan_comb() "SDCCH8" is not allowed on the same TRX that already has "CCCH+SDCCH4" so I wonder why it is set in the config file (this only applies to the BS11). Sorry, I don't have a ready BS11 configuration at hand right now, so I can't test it.
Best regards, Dieter -- Dieter Spaar, Germany spaar@mirider.augusta.de
David A. Burgess Kestrel Signal Processing, Inc.
On Thu, Dec 03, 2009 at 01:07:56AM -0800, David A. Burgess wrote:
I don't know if that's valid by the spec or not, but it's part of a pretty standard configuration in IMSI-catchers: CCCH+SDCCH4 + 6*SDCCH8 + TCH/F. That maximizes location updating capacity and leaves one TCH/F for other ... mischief. Most of those IMSI-catchers are based on commercial mini/nano-BTS equipment.
Unfortunately that combination is not supported by either the BS-11 or the ip.access nanoBTS. Maybe they have a special BTS firmware image for the nanoBTS to do that...
Are there any plans for OpenBSC supporting 3G? Cause I've heard ip.access also sells nanoBTSs for 3G.
On Fri, Dec 04, 2009 at 01:06:27PM +0100, Nordin wrote:
Are there any plans for OpenBSC supporting 3G? Cause I've heard ip.access also sells nanoBTSs for 3G.
yes, they have 3G devices, but I suspect they are even more expensive. I have not yet seen one.
Dieter and I have been playing with different 3G hardware that is available cheaper, but we had to postpone any future work on it due to the fact that the RANAP protocol is ASN.1 in PER aligned encoding and there are no open source tools for C that support this. In fact, the only tools for that encoding that we could find were for Erlang.
So until somebody implements some tools for that encoding, it's unlikely that we will be able to continue. I think for Dieter, Holger and myself currently other topics like GPRS support and working on a MS-side stack have higher preference.
However, if somebody had useable asn.1 tools for PER unaligned, to be used in C language, I'm more than happy to work on 3G support. It's not all that different from GSM anyway, just many things were renamed ;)
Interesting observation on the nanoBTS because I have definitely seen it used that way. I am fairly certain that the CellXion DX/GX systems, marketed by Datong and at the heart of the MMI v. CellXion lawsuit, were based on the IP Access nanoBTS. Even if I'm wrong on that particular model, I am sure that I have seen IP Access equipment used in that configuration.
That was a few years ago, though. Is it possible that IP Access changed their firmware at some point to make IMSI-catching more difficult?
On Dec 3, 2009, at 9:50 PM, Harald Welte wrote:
On Thu, Dec 03, 2009 at 01:07:56AM -0800, David A. Burgess wrote:
I don't know if that's valid by the spec or not, but it's part of a pretty standard configuration in IMSI-catchers: CCCH+SDCCH4 + 6*SDCCH8 + TCH/F. That maximizes location updating capacity and leaves one TCH/F for other ... mischief. Most of those IMSI-catchers are based on commercial mini/nano-BTS equipment.
Unfortunately that combination is not supported by either the BS-11 or the ip.access nanoBTS. Maybe they have a special BTS firmware image for the nanoBTS to do that...
--
- Harald Welte laforge@gnumonks.org http://laforge.gnumonks.org/
====== "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)
David A. Burgess Kestrel Signal Processing, Inc.
Hello Dieter,
I think the problem is the "Invalid Channel Combination!!!" error message. Try to change "phys_chan_config" of timeslot 1 from "SDCCH8" to "TCH/F". From my understanding of verify_chan_comb() "SDCCH8" is not allowed on the same TRX that already has "CCCH+SDCCH4" so I wonder why it is set in the config file (this only applies to the BS11). Sorry, I don't have a ready BS11 configuration at hand right now, so I can't test it.
I'll give this a go and respond ASAP!
-Paul
Hello again gents,
I think the problem is the "Invalid Channel Combination!!!" error message. Try to change "phys_chan_config" of timeslot 1 from "SDCCH8" to "TCH/F". From my understanding of verify_chan_comb() "SDCCH8" is not allowed on the same TRX that already has "CCCH+SDCCH4" so I wonder why it is set in the config file (this only applies to the BS11). Sorry, I don't have a ready BS11 configuration at hand right now, so I can't test it.
I'll give this a go and respond ASAP!
-Paul
So, having changed the appropriate line in the default config the "Invalid Channel" error is not generated, however still no joy on viewing the mobile network from an ME. Here is the latest output from bsc_hack and the openbsc.cfg being used:
bsc_hack output:
DB: Database initialized.
DB: Database prepared.
e1_reconfig_bts(0)
e1_reconfig_ts(0,0,0)
e1_reconfig_ts(0,0,1)
e1_reconfig_ts(0,0,2)
e1_reconfig_ts(0,0,3)
e1_reconfig_ts(0,0,4)
e1_reconfig_ts(0,0,5)
e1_reconfig_ts(0,0,6)
e1_reconfig_ts(0,0,7)
1 device found
id: 0
Dprotocols: 00000018
Bprotocols: 0000000e
protocol: 4
nrbchan: 30
name: hfc-e1.1
activate bchan
activate bchan
bootstrapping OML for BTS 0
<0020> abis_nm.c:1724 Set BTS Attr (bts=0)
<0020> abis_nm.c:1741 Set TRX Attr (bts=0,trx=0)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=0)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=1)
<0020> abis_nm.c:1704 CONNECT TERR TRAF Um=(bts=0,trx=0,ts=1) E1=(0,2,1)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=2)
<0020> abis_nm.c:1704 CONNECT TERR TRAF Um=(bts=0,trx=0,ts=2) E1=(0,2,2)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=3)
<0020> abis_nm.c:1704 CONNECT TERR TRAF Um=(bts=0,trx=0,ts=3) E1=(0,2,3)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=4)
<0020> abis_nm.c:1704 CONNECT TERR TRAF Um=(bts=0,trx=0,ts=4) E1=(0,3,0)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=5)
<0020> abis_nm.c:1704 CONNECT TERR TRAF Um=(bts=0,trx=0,ts=5) E1=(0,3,1)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=6)
<0020> abis_nm.c:1704 CONNECT TERR TRAF Um=(bts=0,trx=0,ts=6) E1=(0,3,2)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=7)
<0020> abis_nm.c:1704 CONNECT TERR TRAF Um=(bts=0,trx=0,ts=7) E1=(0,3,3)
<0020> abis_nm.c:606 OC=SITE MANAGER(00) INST=(ff,ff,ff) Software Activated Report
<0020> abis_nm.c:985 LMT Event LOGON Level=2 Username=FACTORY
bootstrapping RSL for BTS/TRX (0/0) using MCC=1 MNC=1 BSIC=63 TSC=7
<0020> abis_nm.c:985 LMT Event LOGOFF Level=2 Username=FACTORY
****************************************************************
openbsc.cfg:
!
! OpenBSC configuration saved from vty
! !
password foo
!
line vty
 no login
!
network
 network country code 1
 mobile network code 1
 short name OpenBSC
 long name OpenBSC
 timer t3101 10
 timer t3113 60
 bts 0
  type bs11
  band GSM900
  cell_identity 1
  location_area_code 1
  training_sequence_code 7
  base_station_id_code 63
  oml e1 line 0 timeslot 1 sub-slot full
  oml e1 tei 25
  trx 0
   arfcn 123
   rsl e1 line 0 timeslot 1 sub-slot full
   rsl e1 tei 1
   timeslot 0
    phys_chan_config CCCH+SDCCH4
    e1 line 0 timeslot 1 sub-slot full
   timeslot 1
    phys_chan_config TCH/F
    e1 line 0 timeslot 2 sub-slot 1
   timeslot 2
    phys_chan_config TCH/F
    e1 line 0 timeslot 2 sub-slot 2
   timeslot 3
    phys_chan_config TCH/F
    e1 line 0 timeslot 2 sub-slot 3
   timeslot 4
    phys_chan_config TCH/F
    e1 line 0 timeslot 3 sub-slot 0
   timeslot 5
    phys_chan_config TCH/F
    e1 line 0 timeslot 3 sub-slot 1
   timeslot 6
    phys_chan_config TCH/F
    e1 line 0 timeslot 3 sub-slot 2
   timeslot 7
    phys_chan_config TCH/F
    e1 line 0 timeslot 3 sub-slot 3
*************************************************
Any other ideas/things to try/etc. would be greatly appreciated!
-Paul
On Thu, Dec 03, 2009 at 09:55:04PM +0000, s4dd@losers.yore.ma wrote:
bootstrapping OML for BTS 0
<0020> abis_nm.c:1724 Set BTS Attr (bts=0)
<0020> abis_nm.c:1741 Set TRX Attr (bts=0,trx=0)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=0)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=1)
<0020> abis_nm.c:1704 CONNECT TERR TRAF Um=(bts=0,trx=0,ts=1) E1=(0,2,1)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=2)
<0020> abis_nm.c:1704 CONNECT TERR TRAF Um=(bts=0,trx=0,ts=2) E1=(0,2,2)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=3)
<0020> abis_nm.c:1704 CONNECT TERR TRAF Um=(bts=0,trx=0,ts=3) E1=(0,2,3)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=4)
<0020> abis_nm.c:1704 CONNECT TERR TRAF Um=(bts=0,trx=0,ts=4) E1=(0,3,0)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=5)
<0020> abis_nm.c:1704 CONNECT TERR TRAF Um=(bts=0,trx=0,ts=5) E1=(0,3,1)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=6)
<0020> abis_nm.c:1704 CONNECT TERR TRAF Um=(bts=0,trx=0,ts=6) E1=(0,3,2)
<0020> abis_nm.c:1821 Set Chan Attr (bts=0,trx=0,ts=7)
<0020> abis_nm.c:1704 CONNECT TERR TRAF Um=(bts=0,trx=0,ts=7) E1=(0,3,3)
<0020> abis_nm.c:606 OC=SITE MANAGER(00) INST=(ff,ff,ff) Software Activated Report
<0020> abis_nm.c:985 LMT Event LOGON Level=2 Username=FACTORY
bootstrapping RSL for BTS/TRX (0/0) using MCC=1 MNC=1 BSIC=63 TSC=7
<0020> abis_nm.c:985 LMT Event LOGOFF Level=2 Username=FACTORY
This means you never get to the "bootstrapping RSL" point. The organization and maintenance layer seems to work fine in both ways (the REPORT is from the BTS, the other messages are sent from OpenBSC). However, the RSL link does not seem to come up... you could experiment with generating a pcap file from openbsc and send that along with your bug report.
On Sun, Dec 06, 2009 at 10:49:34AM +0530, Harald Welte wrote:
<0020> abis_nm.c:985 LMT Event LOGON Level=2 Username=FACTORY
bootstrapping RSL for BTS/TRX (0/0) using MCC=1 MNC=1 BSIC=63 TSC=7
<0020> abis_nm.c:985 LMT Event LOGOFF Level=2 Username=FACTORY
This means you never get to the "bootstrapping RSL" point. The organization and maintenance layer seems to work fine in both ways (the REPORT is from the BTS, the other messages are sent from OpenBSC). However, the RSL link does not seem to come up... you could experiment with generating a pcap file from openbsc and send that along with your bug report.
Erm, I must have been too tired to see the line in your log. Forget my comment, it actually gets to the "bootstrapping RSL".