Published in: Technology, Business
1. Opensource GSM baseband firmware
2. Why?
● Free kernels, free OSes, free WiFi drivers, free GPU drivers, free RFID readers, free software radio: why not free cellphone firmware?
● Challenge the "secret sauce" vendor attitude
● Cellphone network security research
● Disruptive competition
● Knowledge is power
3. Roadblocks
● The cellphone chipset industry is very closed (even phone manufacturers don't get chipset programming information)
● The cellphone network equipment industry is dominated by 4 major players (and is even more closed)
● There is no "padawan" learning path
● GSM protocol stacks are not shipped in the mainline kernel
● The government creeps in everywhere in the telco world
4. Why GSM?
Source: http://en.wikipedia.org/wiki/Comparison_of_mobile_phone_standards
● Simple but usable
● Deployed worldwide
● Hackable & abundant hardware
● GSM bands propagate very nicely
5. GSM Radio interface (3): Logical channels
● BCCH, SCH, FCCH – broadcast control, synchronization and frequency correction channels (downlink only, on the BCCH carrier)
● RACH, PCH, AGCH – random access, paging and access grant channels (the common control channels)
● SACCH, FACCH – slow and fast associated control channels, carried alongside a dedicated channel
● SDCCH – standalone dedicated control channel (signalling, SMS)
● TCH/F, TCH/H – full-rate and half-rate traffic channels
● AAARGHCH, WTFCH
6. Osmocom project
Osmocom – Open Source MObile COMmunications, http://osmocom.org/
Sub-projects shown: OpenBSC, BB (baseband, OsmocomBB), DECT, TETRA, GMR, OP25
7. GSM Network
Open-source pieces on the diagram: OpenBTS (the BTS), OpenBSC (BSC and core network), OsmocomBB (the MS)
● BTS – Base Transceiver Station (the tower)
● BSC – Base Station Controller (the brain)
● MSC – Mobile Switching Centre (the router)
● HLR – Home Location Register (/etc/passwd)
● MS – Mobile Station
● POTS – Plain Old Telephone Service
8. The BTS: OpenBTS
Source: http://openbts.sourceforge.net/
(slide image; year labels on it: 1998, 2009)
9. The core network: OpenBSC
(slide image; year labels on it: 1995, 2008)
10. The phone: OsmocomBB ?
11. GSM radio interface (1): Frames & physical channels
Source: http://www.tele-servizi.com/janus/engfield2.html
12. GSM Radio Interface (2): Bursts
Source: http://www.scholarpedia.org/article/Global_system_for_mobile_communications_%28GSM%29
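The frame-numbering rules behind slides 5, 11 and 12, worked through as an added example in C. This is not code from the talk or from the OsmocomBB sources; it follows 3GPP TS 45.002 (formerly GSM 05.02): the T1/T2/T3' fields a phone recovers from a decoded SCH burst, the reconstruction of the absolute frame number from them, and which logical channel (FCCH, SCH, BCCH, CCCH or idle) sits in each frame of the 51-multiframe on timeslot 0 of the BCCH carrier. The non-combined BCCH+CCCH configuration and the function names `fn_to_sch`, `sch_to_fn` and `c0_ts0_channel` are my assumptions for the example.

```c
/* Added example, not code from the talk or from OsmocomBB: GSM frame numbering
 * as carried on the SCH, and the logical channel occupying each frame of the
 * 51-multiframe on timeslot 0 of the BCCH carrier (3GPP TS 45.002 / GSM 05.02). */
#include <stdint.h>
#include <stdio.h>

#define GSM_SUPERFRAME  (26u * 51u)                 /* 1326 TDMA frames          */
#define GSM_HYPERFRAME  (2048u * GSM_SUPERFRAME)    /* 2715648 frames, ~3 h 28 m */

/* The three counters a phone recovers from a decoded SCH burst. */
struct sch_time {
    unsigned t1;   /* superframe count within the hyperframe, 0..2047 (11 bits) */
    unsigned t2;   /* frame within the 26-multiframe, 0..25 (5 bits)            */
    unsigned t3p;  /* reduced frame within the 51-multiframe, 0..4 (3 bits)     */
};

/* Split an absolute frame number into the fields an SCH burst carries.
 * T3' is only meaningful for frames that actually carry SCH (T3 = 1, 11, ..., 41). */
struct sch_time fn_to_sch(uint32_t fn)
{
    struct sch_time st;
    unsigned t3;

    fn %= GSM_HYPERFRAME;
    st.t1 = fn / GSM_SUPERFRAME;
    st.t2 = fn % 26;
    t3 = fn % 51;
    st.t3p = (t3 - 1) / 10;
    return st;
}

/* Rebuild the absolute frame number: FN = 51 * ((T3 - T2) mod 26) + T3 + 1326 * T1.
 * The modulus term is the CRT solution for the two coprime multiframe periods,
 * using 51 == -1 (mod 26). */
uint32_t sch_to_fn(struct sch_time st)
{
    unsigned t3 = 10 * st.t3p + 1;
    unsigned d  = (t3 + 26 - st.t2) % 26;   /* (T3 - T2) mod 26 without going negative */

    return 51 * d + t3 + GSM_SUPERFRAME * st.t1;
}

enum dl_chan { CH_FCCH, CH_SCH, CH_BCCH, CH_CCCH, CH_IDLE };

/* Downlink logical channel in a given frame on C0/TS0, non-combined BCCH+CCCH
 * configuration (assumed here; the combined configuration also interleaves SDCCH). */
enum dl_chan c0_ts0_channel(uint32_t fn)
{
    unsigned t3 = fn % 51;

    if (t3 == 50)
        return CH_IDLE;
    if (t3 % 10 == 0)
        return CH_FCCH;     /* frames 0, 10, 20, 30, 40 */
    if (t3 % 10 == 1)
        return CH_SCH;      /* frames 1, 11, 21, 31, 41 */
    if (t3 >= 2 && t3 <= 5)
        return CH_BCCH;     /* one BCCH block: 4 bursts per 51-multiframe */
    return CH_CCCH;         /* the remaining blocks of 4: PCH / AGCH */
}

int main(void)
{
    static const char *names[] = { "FCCH", "SCH", "BCCH", "CCCH", "IDLE" };
    uint32_t fn = 2715638;  /* an SCH frame near the end of the hyperframe */
    struct sch_time st = fn_to_sch(fn);

    printf("FN %u -> T1=%u T2=%u T3'=%u -> FN %u\n", (unsigned)fn,
           st.t1, st.t2, st.t3p, (unsigned)sch_to_fn(st));
    for (fn = 0; fn < 51; fn++)
        printf("t3=%2u %s\n", (unsigned)fn, names[c0_ts0_channel(fn)]);
    return 0;
}
```

The receive side is where a baseband needs care: T2 and T3' arrive straight off the air, so the reconstruction must be total arithmetic on any 5-bit and 3-bit value, as it is here, and never index memory with the result; a corrupt T3' simply yields a frame number that fails the next synchronization check.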
13. Anatomy of a cellphone (1)
Motorola C118 aka Compal E88 aka GTA0x
● RFFE – RF Frontend: Rita (TRF6151)
● ABB – Analog Baseband (ADC + DAC): Iota (TWL3025)
● DBB – Digital Baseband (DSP + MCU): Calypso (G2 C035)
● LCD, KBD, etc.
● MCU – Microcontroller Unit
14. Anatomy of a cellphone (2)
● RFCLK == 26 MHz
● APC – Automatic Power Correction
● AFC – Automatic Frequency Correction
● TSP – Time Serial Port
● BSP – Baseband Serial Port
● USP – uController Serial Port
● VCO – Voltage Controlled Oscillator
● I/Q – modulation stuff you don't need to know ;-)
● GSM/DCS/PCS – these are frequency bands (GSM 900, DCS 1800, PCS 1900)
15. Anatomy of a cellphone (3)
Source: http://bb.osmocom.org/trac/wiki/TypicalCalypsoModemDesign
16. OsmocomBB features
● Supports the Calypso chipset, found inside:
    Motorola C115/C117 (Compal E87)
    Motorola C123/C121/C118 (Compal E88)
    Motorola C139/C140 (Compal E86)
    Motorola C155 (Compal E99)
    Openmoko GTA01/GTA02
● Low-level RF drivers & synchronous TDMA
● GSM Layer 2 (LAPDm) and Layer 3 (RR/MM/CC)
● RS232-HDLC connection to PC for debugging
● RX-only by default
17. Osmocom-bb code structure
osmocom-bb/src/target/firmware/
    rf/ – RFFE driver
    abb/ – ABB driver
    calypso/ – Calypso SoC drivers: dsp.c (DSP, API RAM), tsp.c (TSP), tpu.c (TPU), clock.c (DPLL), sim.c (SIM), uart.c (UART)
osmocom-bb/host/
    osmoload – loads code into the phone's flash / RAM
    layer23 – Layer 2/3, talking to the phone over HDLC on RS232
Calypso SoC blocks shown on the diagram: ARM, SRAM, flash, DPLL, ULPD, GEA, UART, SIM, DSP, TSP, TPU, API RAM
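The RS232 link in slides 16 and 17 carries HDLC-style frames between the phone and the PC. As an added example (not code from the talk or from OsmocomBB's own serial code, which adds its own header and channel multiplexing inside the frame), this C code shows the byte stuffing such a link needs and a byte-at-a-time receiver of the kind a UART interrupt handler drives, including the buffer bounds check and the escape-before-flag abort case that a receiver facing a hostile peer must get right. The flag 0x7E, escape 0x7D and XOR 0x20 values are the standard ones for HDLC over an async line; that OsmocomBB's framing matches them exactly is my assumption, as are the names `hdlc_encode`, `hdlc_rx` and `hdlc_rx_byte`.

```c
/* Added example, not OsmocomBB code: HDLC-style byte stuffing for a serial
 * link and a byte-at-a-time receiver with the checks a firmware needs. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HDLC_FLAG   0x7E   /* frame delimiter */
#define HDLC_ESCAPE 0x7D   /* next byte is XORed with HDLC_XOR */
#define HDLC_XOR    0x20

/* Wrap msg in flags, escaping any flag/escape bytes in the payload.
 * Returns the frame length, or -1 if out cannot hold the whole frame. */
int hdlc_encode(const uint8_t *msg, size_t len, uint8_t *out, size_t outlen)
{
    size_t o = 0;

    if (outlen < 2)
        return -1;
    out[o++] = HDLC_FLAG;
    for (size_t i = 0; i < len; i++) {
        uint8_t b = msg[i];
        if (b == HDLC_FLAG || b == HDLC_ESCAPE) {
            if (o + 3 > outlen)          /* escape, byte, closing flag */
                return -1;
            out[o++] = HDLC_ESCAPE;
            out[o++] = b ^ HDLC_XOR;
        } else {
            if (o + 2 > outlen)          /* byte, closing flag */
                return -1;
            out[o++] = b;
        }
    }
    out[o++] = HDLC_FLAG;
    return (int)o;
}

/* Receiver state; buf is fixed size, as it would be in firmware. */
struct hdlc_rx {
    uint8_t buf[256];
    size_t  len;        /* bytes collected for the frame in progress */
    size_t  frame_len;  /* length of the last complete frame in buf */
    int     in_frame;
    int     escaped;
};

/* Feed one byte. Returns 1 when a complete non-empty frame is in rx->buf
 * (rx->frame_len bytes, valid until the next call), 0 otherwise.
 * An escape immediately followed by a flag is an abort: the partial frame is
 * discarded. A frame longer than buf is dropped up to the next flag. */
int hdlc_rx_byte(struct hdlc_rx *rx, uint8_t b)
{
    if (b == HDLC_FLAG) {
        int done = rx->in_frame && rx->len > 0 && !rx->escaped;
        rx->in_frame  = 1;
        rx->escaped   = 0;
        rx->frame_len = done ? rx->len : 0;
        rx->len       = 0;
        return done;
    }
    if (!rx->in_frame)
        return 0;                         /* noise between frames */
    if (b == HDLC_ESCAPE) {
        rx->escaped = 1;
        return 0;
    }
    if (rx->escaped) {
        b ^= HDLC_XOR;
        rx->escaped = 0;
    }
    if (rx->len >= sizeof(rx->buf)) {     /* oversize: drop the rest of this frame */
        rx->in_frame = 0;
        rx->len = 0;
        return 0;
    }
    rx->buf[rx->len++] = b;
    return 0;
}

int main(void)
{
    /* constructed payload containing both bytes that need escaping */
    const uint8_t msg[] = { 0x01, 0x7E, 0x02, 0x7D, 0x03 };
    uint8_t frame[32];
    struct hdlc_rx rx = { {0}, 0, 0, 0, 0 };
    int n = hdlc_encode(msg, sizeof msg, frame, sizeof frame);

    for (int i = 0; i < n; i++) {
        printf("%02X ", frame[i]);
        if (hdlc_rx_byte(&rx, frame[i]))
            printf("\nframe of %zu bytes received\n", rx.frame_len);
    }
    return 0;
}
```

Everything after the opening flag is attacker-controlled on a debug link, so the receiver never trusts a length field and only grows `len` while it is below the buffer size; the escape-then-flag case is treated as an abort rather than delivering a half-decoded frame.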
18. Demo!
Plan:
0. Download and build the code; start osmocom-bb on the cellphone
1. Log in to a network
2. Make a call, receive a call
3. Send and receive SMS
19. Where do we go from here?
● Handover support
● GPRS support
● Multi-SIM capability
● More Calypso phones (http://www.myphone.pl ?)
● Mediatek MTK6235 support – a GSM L1 stack in the kernel becomes possible
● Compliance testing & certification
20. Backup slides
21. GSM sux, let's try WCDMA
● What about reverse engineering WCDMA baseband firmware? http://events.ccc.de/congress/2011/Fahrplan/events/4735.en.html
● Maybe an SDR LTE base station? http://bellard.org/lte/ (not public yet)
22. Other opensource radiocomm projects
● OpenBSC
● OpenDECT
● OpenTETRA
● OpenGMR
● OpenOP25
● Put your pet radio interface here