Why ?
● Free kernels, free OSes, free WiFi drivers, free GPU drivers, free RFID readers, free software radio, why not free cellphone firmware ?
● Challenge the „secret sauce” vendor attitude
● Cellphone network security research
● Disruptive competition
● Knowledge is power
Roadblocks
● The cellphone chipset industry is very closed (even phone manufacturers don't get chipset programming information)
● The cellphone network equipment industry is dominated by 4 major players (and is even more closed)
● There is no „padawan” learning path
● GSM protocol stacks are not shipped in the mainline kernel
● The government creeps in everywhere in the telco world
Why GSM ?
Source: http://en.wikipedia.org/wiki/Comparison_of_mobile_phone_standards
● Simple but usable
● Deployed worldwide
● Hackable & abundant hardware
● GSM bands propagate very nicely
GSM Network
(network diagram; figure labels: OpenBSC, OpenBTS, OsmocomBB)
BTS – Base Transceiver Station (the tower)
BSC – Base Station Controller (the brain)
MSC – Mobile Switching Centre (the router)
HLR – Home Location Register (/etc/passwd)
MS – Mobile Station
POTS – Plain Old Telephone Service
The BTS
(figure: OpenBTS; panel labels: 2009, 1998)
Source: http://openbts.sourceforge.net/
GSM Radio Interface (1)
Frames & physical channels
Source: http://www.tele-servizi.com/janus/engfield2.html
GSM Radio Interface (2)
Bursts
Source: http://www.scholarpedia.org/article/Global_system_for_mobile_communications_%28GSM%29
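The two radio-interface slides are figures only, so here is the arithmetic behind them as an added example (written for this page, not code from the talk or from OsmocomBB). It derives the GSM bit clock from the 26 MHz RFCLK that the Anatomy slides later mention, maps a bit position inside a timeslot to its normal-burst field, and splits an absolute TDMA frame number into the T1/T2/T3 triple the synchronisation channel carries, then joins it back. The constants are the GSM 05.01/05.02/04.08 values; the function names and the probe frame numbers in the self-test are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from GSM 05.01/05.02 (Um physical layer). */
#define GSM_RFCLK_HZ   26000000UL   /* the 26 MHz reference clock on a Calypso board */
#define GSM_SLOTS      8            /* timeslots per TDMA frame */
#define GSM_MF26       26           /* traffic multiframe (TCH/SACCH) */
#define GSM_MF51       51           /* control multiframe (BCCH/CCCH/SDCCH) */
#define GSM_SF         (GSM_MF26 * GSM_MF51)   /* superframe = 1326 frames */
#define GSM_HF         (2048UL * GSM_SF)       /* hyperframe = 2715648 frames */

/* Bit clock is RFCLK/96 = 270833.33 bit/s (1625/6 kbit/s); one bit lasts 48/13 us. */
static double gsm_bit_rate_hz(void)   { return (double)GSM_RFCLK_HZ / 96.0; }
static double gsm_bit_period_us(void) { return 1e6 / gsm_bit_rate_hz(); }
static double gsm_slot_us(void)       { return 156.25 * gsm_bit_period_us(); } /* 576.92 us */
static double gsm_frame_us(void)      { return GSM_SLOTS * gsm_slot_us(); }    /* 4615.38 us */

/* Normal burst layout: which field a bit position 0..156 inside the timeslot belongs to. */
static const char *gsm_nb_field(unsigned bit)
{
    if (bit < 3)   return "tail";
    if (bit < 60)  return "data";      /* 57 coded bits */
    if (bit == 60) return "stealing";
    if (bit < 87)  return "training";  /* 26-bit midamble */
    if (bit == 87) return "stealing";
    if (bit < 145) return "data";      /* 57 coded bits */
    if (bit < 148) return "tail";
    if (bit < 157) return "guard";     /* 8.25 bit periods */
    return "out of slot";
}

/* T1/T2/T3 as carried on the SCH (GSM 04.08, 10.5.2.38). */
struct gsm_time { uint16_t t1; uint8_t t2; uint8_t t3; };

static struct gsm_time gsm_fn_split(uint32_t fn)
{
    struct gsm_time t;
    fn %= GSM_HF;                      /* frame numbers wrap at the hyperframe */
    t.t1 = (uint16_t)(fn / GSM_SF);    /* superframe count, 0..2047 */
    t.t2 = (uint8_t)(fn % GSM_MF26);   /* position in the 26-multiframe */
    t.t3 = (uint8_t)(fn % GSM_MF51);   /* position in the 51-multiframe */
    return t;
}

/* Inverse: 26 and 51 are coprime, so (T2, T3) pins the frame inside the superframe. */
static uint32_t gsm_fn_join(struct gsm_time t)
{
    uint32_t k = (t.t3 + GSM_MF26 - (t.t2 % GSM_MF26)) % GSM_MF26;  /* (T3 - T2) mod 26 */
    return (uint32_t)t.t1 * GSM_SF + GSM_MF51 * k + t.t3;
}

/* SCH bursts sit in frames 1,11,21,31,41 of the 51-multiframe, so only T3' = (T3-1)/10 is sent. */
static int gsm_fn_is_sch(uint32_t fn) { return (fn % GSM_MF51) % 10 == 1 && (fn % GSM_MF51) < 42; }
static uint8_t gsm_t3_from_t3p(uint8_t t3p) { return (uint8_t)(10 * t3p + 1); }

/* Returns 0 when the round trips and timing figures come out as the spec says. */
static int gsm_time_selftest(void)
{
    uint32_t probe[] = { 0, 1, 51, 1325, 1326, 1234567, GSM_HF - 1 };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++)
        if (gsm_fn_join(gsm_fn_split(probe[i])) != probe[i]) return 1;
    if (gsm_fn_split(GSM_HF - 1).t1 != 2047) return 2;
    if (gsm_fn_join(gsm_fn_split(GSM_HF)) != 0) return 3;      /* wraps after 3h 28m 53.76s */
    if (!gsm_fn_is_sch(41) || gsm_fn_is_sch(2) || gsm_fn_is_sch(51)) return 4;
    if (gsm_t3_from_t3p(4) != 41) return 5;
    if (gsm_frame_us() < 4615.38 || gsm_frame_us() > 4615.39) return 6;
    if (strcmp(gsm_nb_field(61), "training") != 0) return 7;
    return 0;
}

int main(void)
{
    struct gsm_time t = gsm_fn_split(1234567);
    printf("bit rate %.2f bit/s, slot %.2f us, frame %.2f us\n",
           gsm_bit_rate_hz(), gsm_slot_us(), gsm_frame_us());
    printf("FN 1234567 -> T1=%u T2=%u T3=%u -> FN %u\n",
           (unsigned)t.t1, (unsigned)t.t2, (unsigned)t.t3, (unsigned)gsm_fn_join(t));
    printf("selftest: %d\n", gsm_time_selftest());
    return 0;
}
```

The split/join pair is what a Layer 1 has to do after decoding an SCH burst: reconstruct the running frame number from the 19 bits the network sends, then keep counting in lock-step with the cell. Getting it wrong by even one frame means every later channel mapping (which frames carry BCCH, paging, SDCCH) is off.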
Anatomy of a cellphone (1)
Motorola C118 aka Compal E88 aka GTA0x
Block diagram:
RFFE – RF Frontend: Rita (TRF6151)
ABB – Analog Baseband (ADC + DAC): Iota (TWL3025)
DBB – Digital Baseband (DSP + MCU): Calypso (G2 C035)
MCU – Microcontroller Unit
LCD, KBD, etc. (peripherals on the DBB)
Anatomy of a cellphone (2)
RFCLK == 26 MHz
APC – Automatic Power Correction
AFC – Automatic Frequency Correction
TSP – Time Serial Port
BSP – Baseband Serial Port
USP – µController Serial Port
VCO – Voltage Controlled Oscillator
I/Q – modulation stuff you don't need to know ;-)
GSM/DCS/PCS – these are frequency bands
Anatomy of a cellphone (3)
Source: http://bb.osmocom.org/trac/wiki/TypicalCalypsoModemDesign
OsmocomBB features
● Supports Calypso chipset, found inside:
  Motorola C115/C117 (Compal E87)
  Motorola C123/C121/C118 (Compal E88)
  Motorola C139/C140 (Compal E86)
  Motorola C155 (Compal E99)
  Openmoko GTA01/GTA02
● Low-level RF drivers & synchronous TDMA
● GSM Layer 2 (LAPDm) and Layer 3 (RR/MM/CC)
● RS232-HDLC connection to PC for debugging
● RX-only by default
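The Layer 2 bullet names LAPDm without showing what a LAPDm frame looks like, so here is a parser and builder for the format B frame (GSM 04.06) as an added example; it is written for this page and is not OsmocomBB's own LAPDm code. The octet layout and the U-frame control values are from the spec; the struct and function names are this example's own, and the three L3 octets in the self-test are a constructed stand-in, not a real Layer 3 message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* LAPDm (GSM 04.06) format B frame as sent on SDCCH/FACCH/SACCH: 23 octets.
 *   octet 0  address : bit8 spare=0 | bits7-6 LPD | bits5-3 SAPI | bit2 C/R | bit1 EA=1
 *   octet 1  control : I frame (bit1=0), S frame (bits2-1=01) or U frame (bits2-1=11)
 *   octet 2  length  : bits8-3 L (octets of L3 payload) | bit2 M (more) | bit1 EL=1
 *   octets 3..22     : L3 payload, unused octets filled with 0x2B                  */
#define LAPDM_B_LEN  23
#define LAPDM_MAX_L3 20
#define LAPDM_FILL   0x2B

enum lapdm_ftype { LAPDM_I, LAPDM_S, LAPDM_U };

struct lapdm_hdr {
    uint8_t lpd, sapi, cr;
    enum lapdm_ftype type;
    uint8_t ns, nr, pf;    /* N(S), N(R) and the P/F bit */
    uint8_t s;             /* S frame: 0 RR, 1 RNR, 2 REJ */
    uint8_t u;             /* U frame: the five M bits packed as b8 b7 b6 b4 b3 */
    uint8_t len, more;     /* L and M from the length octet */
    const uint8_t *l3;     /* first L3 octet inside the frame */
};

static const char *lapdm_u_name(uint8_t u)
{
    switch (u) {
    case 0x07: return "SABM";  /* 001 P 11 */
    case 0x03: return "DM";    /* 000 F 11 */
    case 0x00: return "UI";    /* 000 P 00 */
    case 0x08: return "DISC";  /* 010 P 00 */
    case 0x0C: return "UA";    /* 011 F 00 */
    default:   return "?";
    }
}

/* Decode the header; anything a conformant peer never sends is rejected up front. */
static bool lapdm_parse(const uint8_t *f, size_t n, struct lapdm_hdr *h)
{
    if (n != LAPDM_B_LEN) return false;
    uint8_t addr = f[0], ctrl = f[1], lenb = f[2];
    if ((addr & 0x81) != 0x01) return false;   /* spare bit set or EA not 1 */
    if ((lenb & 0x01) != 0x01) return false;   /* EL must be 1: a single length octet */
    memset(h, 0, sizeof *h);
    h->lpd  = (addr >> 5) & 0x03;
    h->sapi = (addr >> 2) & 0x07;
    h->cr   = (addr >> 1) & 0x01;
    h->len  = lenb >> 2;
    h->more = (lenb >> 1) & 0x01;
    if (h->len > LAPDM_MAX_L3) return false;   /* L must fit in the 20-octet info field */
    h->l3 = f + 3;
    if ((ctrl & 0x01) == 0) {                  /* I frame: N(R) P N(S) 0 */
        h->type = LAPDM_I;
        h->ns = (ctrl >> 1) & 0x07; h->pf = (ctrl >> 4) & 0x01; h->nr = ctrl >> 5;
    } else if ((ctrl & 0x03) == 0x01) {        /* S frame: N(R) P/F S S 0 1 */
        h->type = LAPDM_S;
        h->s = (ctrl >> 2) & 0x03; h->pf = (ctrl >> 4) & 0x01; h->nr = ctrl >> 5;
    } else {                                   /* U frame: M M M P/F M M 1 1 */
        h->type = LAPDM_U;
        h->pf = (ctrl >> 4) & 0x01;
        h->u  = (uint8_t)(((ctrl & 0xE0) >> 3) | ((ctrl & 0x0C) >> 2));
    }
    return true;
}

/* SABM with P=1 on the given SAPI: what the MS sends to open the link; the first
 * L3 message rides in its info field. Returns false if the payload does not fit. */
static bool lapdm_build_sabm(uint8_t *out, uint8_t sapi, const uint8_t *l3, size_t l3len)
{
    if (l3len > LAPDM_MAX_L3 || sapi > 7) return false;
    memset(out, LAPDM_FILL, LAPDM_B_LEN);
    out[0] = (uint8_t)((sapi << 2) | 0x01);    /* LPD=0, C/R=0 (command from MS), EA=1 */
    out[1] = 0x3F;                             /* SABM, P=1 */
    out[2] = (uint8_t)((l3len << 2) | 0x01);   /* L=l3len, M=0, EL=1 */
    memcpy(out + 3, l3, l3len);
    return true;
}

/* Round trip plus hand-built frames; returns 0 when everything decodes as expected. */
static int lapdm_selftest(void)
{
    static const uint8_t l3[] = { 0x05, 0x08, 0x00 };  /* constructed stand-in, not a real L3 PDU */
    uint8_t fr[LAPDM_B_LEN];
    struct lapdm_hdr h;
    if (!lapdm_build_sabm(fr, 0, l3, sizeof l3)) return 1;
    if (fr[0] != 0x01 || fr[1] != 0x3F || fr[2] != 0x0D || fr[6] != LAPDM_FILL) return 2;
    if (!lapdm_parse(fr, sizeof fr, &h) || h.type != LAPDM_U || h.pf != 1 || h.len != 3
        || strcmp(lapdm_u_name(h.u), "SABM") != 0 || h.l3[1] != 0x08) return 3;
    memset(fr, LAPDM_FILL, sizeof fr); fr[0] = 0x01; fr[1] = 0x73; fr[2] = 0x01;   /* UA, F=1 */
    if (!lapdm_parse(fr, sizeof fr, &h) || strcmp(lapdm_u_name(h.u), "UA") != 0 || h.len != 0) return 4;
    fr[0] = 0x0D; fr[1] = 0x24; fr[2] = 0x05;  /* I frame on SAPI 3 (SMS): N(S)=2, N(R)=1, L=1 */
    if (!lapdm_parse(fr, sizeof fr, &h) || h.type != LAPDM_I || h.sapi != 3 || h.ns != 2 || h.nr != 1) return 5;
    fr[0] = 0x00;                              /* EA=0: must be rejected */
    if (lapdm_parse(fr, sizeof fr, &h)) return 6;
    fr[0] = 0x01; fr[2] = (21 << 2) | 0x01;    /* L=21 would overrun the info field */
    if (lapdm_parse(fr, sizeof fr, &h)) return 7;
    return 0;
}
```

The length check is the one that matters for a baseband: L is attacker-controlled over the air, and a Layer 2 that copies L octets without bounding it against the 20-octet info field is the classic way to turn a rogue BTS into a memory-corruption vector on the phone. Running `lapdm_selftest()` exercises both the happy path and the two rejections.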
Demo !
Plan:
0. Download and build the code; start osmocom-bb on the cellphone
1. Log in to a network
2. Make a call, receive a call
3. Send and receive SMS
Where do we go from here ?
● Handover support
● GPRS support
● Multi-SIM capability
● More Calypso phones (http://www.myphone.pl ?)
● Mediatek MTK6235 support – GSM L1 stack in the kernel possible
● Compliance testing & certification
GSM sux, let's try WCDMA
● What about reverse engineering WCDMA baseband firmware ? http://events.ccc.de/congress/2011/Fahrplan/events/4735.en.html
● Maybe an SDR LTE base station ? http://bellard.org/lte/ (not public yet)
Other open-source radiocomm projects
● OpenBSC
● OpenDECT
● OpenTETRA
● OpenGMR
● OpenOP25
● Put your pet radio interface here