\subsection{How to synchronize the GSM TDMA multiplex}

On the same timeslot that carries the BCCH, the BTS not only sends the FCCH but also the Synchronization CHannel (SCH). The SCH carries the BSIC of the cell and the current GSM time in the form of a {\em reduced frame number}: the 11-bit superframe counter T1, the 5-bit position T2 within the 26-multiframe and a 3-bit value T3' from which the position T3 within the 51-multiframe is recovered as T3 = 10 * T3' + 1 (the SCH only ever occurs in frames 1, 11, 21, 31 and 41 of the 51-multiframe, so three bits suffice). By reconstructing the full frame number from these three values and incrementing it every time the GSM bit-clock timer wraps at the beginning of a new TDMA frame, the GSM time is synchronized. Understanding the multiple layers of time multiplex, such as the 26- and 51-multiframe, superframe and hyperframe, the L1 can multiplex and demultiplex all the logical channels of GSM.

\section{Miscellaneous Topics}

\subsection{GPRS}

GPRS was the first packet switched extension to GSM. In fact, it is more of an entirely separate mobile network that happens to share the GSM radio: the only parts in common are the modulation scheme (GMSK), the burst format and the time multiplex, which ensures peaceful coexistence of the two on the same carriers. The L1 above that shared layer (packet data channels, the coding schemes CS-1 to CS-4) and the L2 (RLC/MAC) are very different from, and much more complex than, their GSM counterparts. So while the phone baseband hardware did not need any modifications for a basic GPRS-enabled phone, the software had to be extended quite a lot.

\subsection{EDGE}

EDGE is a comparatively small incremental step on top of GPRS. It reuses the entire time multiplex and protocol stack, but introduces a second modulation next to GMSK: 8-PSK, which carries three bits per symbol instead of one and thus raises the data rate per timeslot. The 8-PSK constellation is rotated by $3\pi/8$ from symbol to symbol (rather than using plain 8-PSK) so that the modulator output never passes through zero, which keeps the envelope variation tolerable for the power amplifier. So while the software modifications from GPRS to EDGE are minimal, the 8-PSK modulation scheme has a significant impact on the DSP, ABB and even RF PA design.

\subsection{UMTS}

UMTS (often referred to by its radio access technology, WCDMA) is an entirely separate cellular network technology. Its physical layer, modulation scheme, channel coding, frequency bands and channel spacing are entirely different, as is the Layer 1. The UMTS Layer 2 bears some resemblance to the GPRS Layer 2, while the UMTS Layer 3 protocols for Mobility Management and Call Control are very similar to those of GSM.
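The frame-number arithmetic behind the synchronization subsection above, as an added example (this is not code from the original paper nor from any baseband firmware, and all function and type names are my own): the reduced frame number that the BTS puts on the SCH, its decoding back to the full frame number on the MS side, the T1/T2/T3 split, and the per-frame increment with wrap at the hyperframe boundary. The constants and the decoding formula are those of the public standard (3GPP TS 05.02, section 3.3.2.2.1).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Frame hierarchy constants from the public standard (3GPP TS 05.02),
 * not taken from any vendor firmware. */
#define GSM_26MF_FRAMES   26u
#define GSM_51MF_FRAMES   51u
#define GSM_SF_FRAMES     (GSM_26MF_FRAMES * GSM_51MF_FRAMES)   /* superframe: 1326 */
#define GSM_HF_FRAMES     (GSM_SF_FRAMES * 2048u)               /* hyperframe: 2715648 */

struct gsm_time {
    uint32_t fn;  /* absolute frame number within the hyperframe */
    uint16_t t1;  /* superframe counter, 11 bits */
    uint8_t  t2;  /* frame within the 26-multiframe, 0..25 */
    uint8_t  t3;  /* frame within the 51-multiframe, 0..50 */
};

/* Reduced frame number as transmitted on the SCH (next to the 6-bit BSIC). */
struct gsm_rfn {
    uint16_t t1;   /* 11 bits */
    uint8_t  t2;   /* 5 bits */
    uint8_t  t3p;  /* 3 bits; T3 = 10 * T3' + 1 */
};

/* Split an absolute frame number into T1/T2/T3; wraps at the hyperframe. */
void gsm_time_from_fn(struct gsm_time *t, uint32_t fn)
{
    fn %= GSM_HF_FRAMES;
    t->fn = fn;
    t->t1 = (uint16_t)(fn / GSM_SF_FRAMES);
    t->t2 = (uint8_t)(fn % GSM_26MF_FRAMES);
    t->t3 = (uint8_t)(fn % GSM_51MF_FRAMES);
}

/* Called by L1 every time the frame timer wraps, i.e. once per TDMA frame. */
void gsm_time_increment(struct gsm_time *t)
{
    gsm_time_from_fn(t, t->fn + 1u);   /* from_fn handles the hyperframe wrap */
}

/* On C0 timeslot 0, FCCH occupies frames 0,10,20,30,40 and SCH frames
 * 1,11,21,31,41 of the 51-multiframe; frame 50 is the idle frame. */
bool gsm_fn_is_fcch(uint32_t fn) { uint32_t t3 = fn % GSM_51MF_FRAMES; return t3 % 10 == 0 && t3 < 50; }
bool gsm_fn_is_sch(uint32_t fn)  { return (fn % GSM_51MF_FRAMES) % 10 == 1; }

/* BTS side: build the RFN for an SCH frame. Returns false if fn is not an SCH frame. */
bool gsm_rfn_encode(struct gsm_rfn *r, uint32_t fn)
{
    struct gsm_time t;
    if (!gsm_fn_is_sch(fn)) return false;
    gsm_time_from_fn(&t, fn);
    r->t1 = t.t1; r->t2 = t.t2; r->t3p = (uint8_t)((t.t3 - 1) / 10);
    return true;
}

/* MS side: recover the full frame number (TS 05.02, 3.3.2.2.1):
 * T3 = 10*T3' + 1,  FN = 51*((T3 - T2) mod 26) + T3 + 51*26*T1 */
uint32_t gsm_rfn_decode(const struct gsm_rfn *r)
{
    uint32_t t3 = 10u * r->t3p + 1u;
    uint32_t d = (t3 + GSM_26MF_FRAMES - r->t2) % GSM_26MF_FRAMES; /* non-negative mod */
    return GSM_51MF_FRAMES * d + t3 + GSM_SF_FRAMES * r->t1;
}

/* The synchronisation step: take the time decoded from an SCH burst and
 * add the 'elapsed' frames the local frame timer has counted since then. */
void gsm_time_sync(struct gsm_time *t, const struct gsm_rfn *r, uint32_t elapsed)
{
    gsm_time_from_fn(t, gsm_rfn_decode(r) + elapsed % GSM_HF_FRAMES);
}

/* Exhaustive check over one hyperframe: every SCH frame round-trips. */
bool gsm_rfn_selftest(void)
{
    for (uint32_t fn = 0; fn < GSM_HF_FRAMES; fn++) {
        struct gsm_rfn r;
        if (!gsm_fn_is_sch(fn)) continue;
        if (!gsm_rfn_encode(&r, fn) || gsm_rfn_decode(&r) != fn) return false;
    }
    return true;
}

int main(void)
{
    struct gsm_rfn r;
    struct gsm_time t;
    gsm_rfn_encode(&r, 6804);       /* what the BTS would put on the SCH for FN 6804 */
    gsm_time_sync(&t, &r, 10);      /* MS decodes it and has counted 10 frames since */
    printf("RFN T1=%u T2=%u T3'=%u -> FN %u, now FN %u (T1=%u T2=%u T3=%u)\n",
           (unsigned)r.t1, (unsigned)r.t2, (unsigned)r.t3p, (unsigned)gsm_rfn_decode(&r),
           (unsigned)t.fn, (unsigned)t.t1, (unsigned)t.t2, (unsigned)t.t3);
    return gsm_rfn_selftest() ? 0 : 1;
}
```

The exhaustive self-test is the point of the example: the MS can only afford to decode the SCH every few hundred milliseconds, so everything in between rests on the increment-and-wrap logic being exact, including the jump from the last frame of the hyperframe (T1 2047, T2 25, T3 50) back to frame 0.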
Given the vast physical layer and L1 differences, a UMTS phone hardware design differs significantly from what has been described in this document. Nevertheless, all known commercial UMTS phone chipsets as of today still include a full GSM modem in hardware and software to remain backwards-compatible.

\subsection{Dual-SIM and Triple-SIM phones}

In recent years, a large number of so-called {\em Dual-SIM} or even {\em Triple-SIM} phones have entered the market, particularly in China and other parts of East Asia. Those phones come in various flavours.

Some of them simply have a multiplexer that allows electrical switching between multiple SIM card slots. This is equivalent to replacing the SIM card in a phone, just without the manual process of mechanically removing and inserting the card. As a result, only one of the SIMs can be used at any time.

The more sophisticated Dual-SIM phones are two complete phones in one case. Yes, that's right! They contain two full GSM phone chipsets, i.e. two antennas, two RF front-ends, two analog basebands, two digital basebands, and so on. However, they use the same trick as smartphones: one of the two basebands has neither keypad nor display and is simply a GSM modem connected via a serial line to the other baseband processor. So if a smartphone (as defined in this document) is a GSM modem connected to a PDA in one case, a Dual-SIM phone is a GSM modem connected to a feature phone in one case.

Triple-SIM phones often combine the two approaches, i.e. they contain two complete GSM baseband chips, but three SIM slots that can be switched between the basebands. Only two SIMs can be active at the same time.

\subsection{Powerful feature phones}

Feature phones are becoming more and more powerful. However, their comparatively low market price cannot afford a full-blown smartphone design with its two independent processors and the associated design complexity.
Thus, more and more hardware peripherals are added to the only processor left in the phone: the baseband processor. Such peripherals include sophisticated camera interfaces, high-resolution color display controllers, TV output, touchscreen controllers, audio and video codecs and even interfaces for mobile TV reception. However, all of those features are still implemented on a fairly weak ARM7 or ARM9 CPU core (compared to the ARM11 and Cortex-A8 cores in the smartphone market). They also lack a real operating system and still run on top of a real-time microkernel intended for much less complex systems. They almost always lack any form of memory protection or multiple address spaces. This makes them more prone to security issues, as there is no privilege separation between the GSM protocol stack and the applications, nor between the applications themselves: a memory corruption bug in, say, an image or audio decoder hands an attacker the whole system, protocol stack and SIM interface included.

\subsection{Security features}

There are several (sometimes conflicting) security requirements that apply to mobile phones. Interestingly, the security features are typically used to protect some industry interest against the interest of the customer. There are very few security features in a phone that are meant to protect the user or his interests.

\subsubsection{IMEI - The hardware serial number}

The International Mobile Equipment Identity (IMEI) uniquely identifies a GSM phone. It is a globally unique serial number which is programmed into the non-volatile memory of the phone (Flash or EEPROM) during the production process. There are no particular security features used to store the IMEI. Once you are able to write to flash and have found it, it can be changed.

\subsubsection{The SIM Card}

The SIM card is a cryptographic smart card that stores the secret key (Ki) used for authenticating the subscriber to the GSM network. The Ki never leaves the card: the card only answers an authentication challenge (RAND) with the resulting SRES and session key Kc, and this is what prevents copying (cloning) of the SIM. Furthermore, the SIM stores the International Mobile Subscriber Identity (IMSI).
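What a passive tap on the SIM interface sees when the baseband reads the IMSI, as an added example (this is not code from the original paper nor from any real phone; the byte trace is constructed, the IMSI 262011234567890 is a made-up value, and all names are my own): one T=0 READ BINARY exchange on EF_IMSI as it appears on the single half-duplex I/O line, the swapped-BCD decoding per 3GPP TS 51.011 section 10.3.2, and the MCC/MNC split that network selection and operator locks key on. The MNC length is normally read from EF_AD on the SIM; here it is a caller-supplied assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed trace of a READ BINARY on EF_IMSI, bytes in the order they
 * appear on the I/O line: 5-byte command header from the ME, the card's
 * procedure byte (INS echoed back), then the data and SW1 SW2. Note that
 * nothing in this exchange is encrypted or authenticated. */
static const uint8_t sample_trace[] = {
    0xA0, 0xB0, 0x00, 0x00, 0x09,                         /* CLA INS P1 P2 P3: READ BINARY, 9 bytes */
    0xB0,                                                 /* procedure byte: card acknowledges INS  */
    0x08, 0x29, 0x26, 0x10, 0x21, 0x43, 0x65, 0x87, 0x09, /* EF_IMSI: 15-digit made-up IMSI        */
    0x90, 0x00                                            /* SW1 SW2: success                       */
};

/* Second constructed EF_IMSI body with an even (14) digit count. */
static const uint8_t sample_ef_imsi_even[9] = {
    0x08, 0x21, 0x26, 0x10, 0x21, 0x43, 0x65, 0x87, 0xF9
};

/* Pull the data field of a T=0 READ BINARY response out of a line trace.
 * Returns the number of data bytes copied into 'data' (at most 'cap'), or -1. */
int t0_extract_read_binary(const uint8_t *trace, size_t len, uint8_t *data, size_t cap)
{
    if (len < 8) return -1;
    uint8_t ins = trace[1], p3 = trace[4];
    if (trace[0] != 0xA0 || ins != 0xB0) return -1;        /* GSM class byte, READ BINARY only */
    if (trace[5] != ins) return -1;                        /* procedure byte must echo INS      */
    size_t n = p3 ? p3 : 256;                              /* P3 == 0 means 256 bytes in T=0    */
    if (len != 6 + n + 2 || n > cap) return -1;
    if (trace[6 + n] != 0x90 || trace[7 + n] != 0x00) return -1;
    memcpy(data, trace + 6, n);
    return (int)n;
}

/* Decode the EF_IMSI body (TS 51.011, 10.3.2): byte 1 = length, byte 2 =
 * first digit in the high nibble and "parity,0,0,1" in the low nibble,
 * then two digits per byte, low nibble first, unused nibbles 0xF.
 * Writes a NUL-terminated digit string (out must hold 16 bytes); returns
 * the digit count, or -1 on malformed or inconsistent data. */
int imsi_decode(const uint8_t *ef, size_t len, char *out)
{
    if (len < 2 || ef[0] < 1 || ef[0] > 8 || (size_t)ef[0] + 1 > len) return -1;
    if ((ef[1] & 0x07) != 0x01) return -1;                 /* type of identity must be IMSI     */
    int odd = (ef[1] & 0x08) != 0;                         /* parity bit: 1 = odd digit count   */
    uint8_t first = ef[1] >> 4;
    if (first > 9) return -1;
    int n = 0, done = 0;
    out[n++] = (char)('0' + first);
    for (size_t i = 2; i <= ef[0] && !done; i++) {
        uint8_t nib[2] = { (uint8_t)(ef[i] & 0x0f), (uint8_t)(ef[i] >> 4) };
        for (int k = 0; k < 2; k++) {
            if (nib[k] == 0x0f) { done = 1; break; }
            if (nib[k] > 9) return -1;
            out[n++] = (char)('0' + nib[k]);
        }
    }
    out[n] = '\0';
    if (n > 15 || odd != (n & 1)) return -1;               /* length and parity bit must agree  */
    return n;
}

/* Split an IMSI into MCC (3 digits) and MNC (2 or 3 digits, length from EF_AD;
 * assumed here). Returns 0 on success, -1 otherwise. */
int imsi_split(const char *imsi, int mnc_len, char mcc[4], char mnc[4])
{
    size_t n = strlen(imsi);
    if ((mnc_len != 2 && mnc_len != 3) || n < (size_t)(3 + mnc_len)) return -1;
    memcpy(mcc, imsi, 3); mcc[3] = '\0';
    memcpy(mnc, imsi + 3, (size_t)mnc_len); mnc[mnc_len] = '\0';
    return 0;
}

/* Whole pipeline: line trace in, IMSI string out. Returns digit count or -1. */
int sniff_imsi(const uint8_t *trace, size_t len, char *imsi_out)
{
    uint8_t ef[256];
    int n = t0_extract_read_binary(trace, len, ef, sizeof ef);
    if (n < 0) return -1;
    return imsi_decode(ef, (size_t)n, imsi_out);
}

int main(void)
{
    char imsi[16], mcc[4], mnc[4];
    if (sniff_imsi(sample_trace, sizeof sample_trace, imsi) < 0) return 1;
    if (imsi_split(imsi, 2, mcc, mnc) < 0) return 1;       /* 2-digit MNC assumed (EF_AD) */
    printf("IMSI %s -> MCC %s MNC %s\n", imsi, mcc, mnc);
    return 0;
}
```

The length-versus-parity check matters for a sniffer as much as for a baseband: a card (or an interposer between card and phone) can hand back bytes that decode to something plausible but inconsistent, and a parser that just walks nibbles until it sees 0xF will happily accept it.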
The IMSI is not encrypted or protected in any way. There is no secure channel on the connection between the SIM card and the baseband MCU, and there is no way for the MCU to securely identify or authenticate the SIM itself. Physical access to the SIM card slot therefore allows sniffing and/or modification of the communication between MCU and SIM.

\subsubsection{SIM or Operator Locking}

GSM is an international standard. This ensures interoperability, i.e. any phone can be used on any network. However, in some cases the vendors of a GSM phone want to restrict this interoperability and lock a phone to one specific network, or even to a particular SIM. Those locks are implemented in software only: the MCU software instructs the GSM protocol stack not to register unless the operator code (MCC and MNC, taken from the IMSI of the inserted SIM) matches a factory-programmed network number, or, in the case of a SIM lock, unless the complete IMSI matches. As such, techniques for circumventing those locks have become commonplace. It is somewhat of an ongoing race between the phone makers and the phone-unlockers: the industry invents ever more complex methods of obfuscating their locks in the software, while the phone-unlockers reverse engineer those bits for each and every phone model after some time.

\subsubsection{DBB firmware signatures}

In order to protect the operators' and phone manufacturers' peculiar business models based on SIM or operator locking, some vendors extended their baseband software with cryptographic signatures. The bootloader program accepts a software update only if it carries the correct signature. However, there are more or less invasive hardware-related approaches to circumventing those signature checks, such as hardware debugging interfaces like JTAG, or replacing the external flash memory components. More recently, GSM chipset vendors introduced features such as hardware-assisted software signature checks.
In this case a hash of the master (public) key might be present in DBB-internal fuses, together with a signature-verifying boot loader in DBB-internal mask ROM. As the root of the chain of trust moves deeper into the hardware, it becomes more difficult for anyone to make software modifications to the DBB. Especially with tighter integration, where RAM and flash are no longer present as discrete components but are part of a multi-chip package, the number of options becomes more limited. On the other hand, an ever more complex baseband software stack opens up many more options for exploiting software vulnerabilities. Given the lack of a proper, modern operating system with privilege separation and virtual memory, such exploits immediately yield full access to all aspects of the respective DBB, signed firmware or not: the signature check only vouches for what is loaded at boot, not for what a running stack can be tricked into executing.

\section{Personal rant on the closedness of the GSM industry}

The GSM industry is one of the most closed areas of computing that I've encountered so far. It is very hard to get any hard technical information out of them. All they like to spread is high-level marketing information, but they are very reluctant when it comes down to hard technical facts on their products.

If you want to build a phone, you need to buy a GSM chipset for your product. There are only very few companies that offer such chipsets. The classic suppliers are Infineon, Texas Instruments, ST/Ericsson, ADI (now MediaTek) and Freescale. The GSM handset products they sell are not generally available and distributed like the other electronic components they manufacture. If you need a microcontroller/SoC, a power management IC, a WiFi or Bluetooth chip or an RFID reader ASIC, you simply approach the respective distributors and order them. You get your samples directly from Digikey. This is impossible for GSM (or other cellphone) chipsets. For some reason those chips are sold only to hand-picked manufacturers. If you want to qualify, you have to commit to at least six-digit annual purchasing quantities.
And in order for them to believe you, you have to cough up a significant NRE (non-recurring engineering) fee. This has been reported to be as high as a seven-digit US\$ amount and is there to make sure that even if you end up buying fewer chips than you indicated, the chipset maker will still have your upfront NRE money and keep it.

And if you buy your way into that select club of cellphone makers, what you get from the chipset maker is typically not all too impressive either. The documentation you get is incomplete, i.e. it alone would not enable you as a cellphone maker to make any use of the hardware, unless you license the software (drivers, GSM protocol stack, ...) from the chipset maker, too. On the software side, most of the technologically interesting bits (like the protocol stack) are provided as binary-only libraries; you only get source code to some parts of the system, i.e. some hardware drivers that might need modification for your particular phone electrical design.

That GSM protocol stack was not written by the chipset maker either. They simply license a stack from one of the estimated 4 or 5 organizations who have ever implemented a commercial GSM protocol stack.

It is not as if the GSM protocols were some kind of military secret. They are a published international standard, freely accessible to anyone. So why does everybody in that industry think that there is a need to be so secretive? Having spent a significant part of the last 6 years reverse engineering various aspects of mobile phones in order to understand them better and to write software tools for security analysis, I still don't understand this secrecy. All the various vendors do more or less the same. The fundamental architecture of a GSM baseband chip is the same, whether you buy it from TI, Infineon or from MediaTek. {\em They all cook with water}, as we Germans tend to say.
The details, like the particular DSP vendor or whether you use a traditional IF, zero-IF or low-IF analog baseband, differ. But from whom do they want to hide it? If people like myself with a personal interest in the technical aspects of mobile phones can figure it out in a relatively short time, then I'm sure the competition of those chipset makers can, too. In much less time, if they actually care.

This closedness of the cellular industry is one of the reasons why there has been very little innovation in the baseband firmware throughout the last decades. Innovation can only happen by very few players. Source code bugs can only be found and fixed by very few developers at even fewer large corporations. There is no chance for a small start-up to innovate, like they can in the sphere of the internet.

It is fundamentally also the reason why the traditional phone makers have been losing market share to newcomers to the mobile sphere like Apple with its iPhone or Google with its Android platform. Those innovations really only happened on the application processor of high-end smartphones. The closed GSM baseband processor had to be accompanied by an independent application processor running a real operating system, with real processes, memory management, shared libraries, memory protection, virtual memory spaces, user-installable applications, etc. They still don't happen on the baseband processor, which is as closed as it was 15 years ago.

\end{document}