  1. Opensource GSM baseband firmware
  2. Why?
     ● Free kernels, free OSes, free WiFi drivers, free GPU drivers, free RFID readers, free software radio: why not free cellphone firmware?
     ● Challenge the "secret sauce" vendor attitude
     ● Cellphone network security research
     ● Disruptive competition
     ● Knowledge is power
  3. Roadblocks
     ● The cellphone chipset industry is very closed (even phone manufacturers don't get chipset programming information)
     ● The cellphone network equipment industry is dominated by 4 major players (and is even more closed)
     ● There is no "padawan" learning path
     ● GSM protocol stacks are not shipped in the mainline kernel
     ● The government creeps in everywhere in the telco world
  4. Why GSM? (Source:)
     ● Simple but usable
     ● Deployed worldwide
     ● Hackable & abundant hardware
     ● GSM bands propagate very nicely
  5. GSM Radio interface (3): Logical channels
     ● BCCH, SCH, FCCH
     ● RACH, PCH, AGCH
     ● SACCH, FACCH
     ● SDCCH
     ● TCH/F, TCH/H
     ● AAARGHCH, WTFCH
  6. Osmocom project (Open Source MObile COMmunications): OpenBSC, BB (baseband), DECT, TETRA, GMR, OP25
  7. GSM Network (OpenBSC, OpenBTS, OsmocomBB)
     ● BTS – Base Transceiver Station (the tower)
     ● BSC – Base Station Controller (the brain)
     ● MSC – Mobile Switching Controller (the router)
     ● HLR – Home Location Register (/etc/passwd)
     ● MS – Mobile Station
     ● POTS – Plain Old Phone System
  8. The BTS: OpenBTS (timeline figure: 1998, 2009; Source:)
  9. The core network: OpenBSC (timeline figure: 1995, 2008)
  10. The phone: OsmocomBB?
  11. GSM radio Interface (1): Frames & physical channels (Source:)
  12. GSM Radio Interface (2): Bursts (Source:)
  13. Anatomy of a cellphone (1): Motorola C118 aka Compal E88 aka GTA0x
     ● RFFE: Rita (TRF6151)
     ● ABB (ADC + DAC): Iota (TWL3025)
     ● DBB (DSP + MCU): Calypso (G2 C035)
     ● LCD, KBD, etc.
     ● RFFE – RF Frontend; ABB – Analog Baseband; DBB – Digital Baseband; MCU – Microcontroller Unit
  14. Anatomy of a cellphone (2)
     ● RFCLK == 26 MHz
     ● TSP – Time Serial Port
     ● BSP – Baseband Serial Port
     ● USP – uController Serial Port
     ● APC – Automatic Power Correction
     ● AFC – Automatic Frequency Correction
     ● VCO – Voltage Controlled Oscillator
     ● I/Q – modulation stuff you don't need to know ;-)
     ● GSM/DCS/PCS – these are frequency bands
  15. Anatomy of a cellphone (3) (Source:)
  16. OsmocomBB features
     ● Supports the Calypso chipset, found inside: Motorola C115/C117 (Compal E87), Motorola C123/C121/C118 (Compal E88), Motorola C139/C140 (Compal E86), Motorola C155 (Compal E99), Openmoko GTA01/GTA02
     ● Low-level RF drivers & synchronous TDMA
     ● GSM Layer 2 (LAPDm) and Layer 3 (RR/MM/CC)
     ● RS232-HDLC connection to PC for debugging
     ● RX-only by default
  17. Osmocom-bb code structure
     ● osmocom-bb/src/target/firmware/: rf/ (RFFE), abb/ (ABB), calypso/ (dsp.c, tsp.c, tpu.c, clock.c, sim.c, uart.c)
     ● osmocom-bb/host/: osmoload, layer23
     ● Calypso SoC blocks in the diagram: ARM, DSP, TSP, TPU, DPLL, SIM, SRAM, RAM, flash, API, ULPD, GEA, UART
     ● Host connection: HDLC over RS232
  18. Demo! Plan:
     0. Download and build the code, start osmocom-bb on the cellphone
     1. Log in to a network
     2. Make a call, receive a call
     3. Send and receive SMS
  19. Where do we go from here?
     ● Handover support
     ● GPRS support
     ● Multi-SIM capability
     ● More Calypso phones (?)
     ● Mediatek MTK6235 support – GSM L1 stack in the kernel possible
     ● Compliance testing & certification
  20. Backup slides
  21. GSM sux, let's try WCDMA
     ● What about reverse engineering WCDMA baseband firmware? ents/4735.en.html
     ● Maybe an SDR LTE base station? (not public yet)
  22. Other opensource radiocomm projects
     ● OpenBSC
     ● OpenDECT
     ● OpenTETRA
     ● OpenGMR
     ● OpenOP25
     ● Put your pet radio interface here