SlideShare a Scribd company logo

Osmocom

0
0xDEADC0DE

This document discusses open sourcing GSM baseband firmware to allow for free cellphone firmware, security research of cellphone networks, and disruptive competition. It notes challenges include closed chipset and network equipment industries and lack of learning materials. It promotes GSM due to its simplicity, worldwide deployment, and hackable hardware. It introduces the Osmocom project which produces open source GSM baseband software and describes its features and code structure.

1 of 22
Download to read offline
Opensource GSM baseband firmware
Why ? ● Free kernels, free OSes, free WiFi drivers, free GPU drivers, free RFID readers, free software radio, why not free cellphone firmware ? ● Challenge the „secret sauce” vendor attitude ● Cellphone network security research ● Disruptive competition ● Knowledge is power
Roadblocks ● The cellphone chipset industry is very closed (even phone manufacturers don't get chipset programming information) ● The cellphone network equipment industry is dominated by 4 major players (and even more closed) ● There is no „padawan” learning path ● GSM protocol stacks are not shipped in the mainline kernel ● The government creeps in everywhere in the telco world
Why GSM ? Source: http://en.wikipedia.org/wiki/Comparison_of_mobile_phone_standards ● Simple but usable ● Deployed worldwide ● Hackable & abundant hardware ● GSM bands propagate very nicely
GSM Radio interface (3) Logical channels ● BCCH, SCH, FCCH ● RACH, PCH, AGCH ● SACCH, FACCH ● SDCCH ● TCH/F, TCH/H ● AAARGHCH, WTFCH
Osmocom project openBSC BB (baseband) http://osmocom.org/ DECT TETRA GMR Open OP25 Source MObile COMmunications
GSM Network OpenBSC OpenBTS OsmocomBB BTS – Base Transciever Station (the tower) BSC – Base Station Controller (the brain) MSC – Mobile Switching Controller (the router) HLR – Home Location Register (/etc/passwd) MS – Mobile Station POTS – Plain Old Phone System
The BTS OpenBTS Source: http://openbts.sourceforge.net/ 2009 1998
The core network OpenBSC 1995 2008
The phone OsmocomBB ?
GSM radio Interface (1) Frames & physical channels Source: http://www.tele-servizi.com/janus/engfield2.html
GSM Radio Interface (2) Bursts Source: http://www.scholarpedia.org/article/Global_system_for_mobile_communications_%28GSM%29
Anatomy of a cellphone (1) Motorola C118 aka Compal E88 aka GTA0x RFFE Rita (TRF6151) ABB (ADC + DAC) Iota (TWL3025) DBB (DSP + MCU) Calypso (G2 C035) RFFE – RF Frontend ABB – Analog Baseband LCD, KBD, etc. DBB – Digital Baseband MCU – Microcontroller Unit
Anatomy of a cellphone (2) RFCLK == 26 MHz APC – Automatic Power Correction TSP – Time Serial Port AFC – Automatic Frequency Correction BSP – Baseband Serial Port I/Q – modulation stuff you don't need to know ;-) USP – uController Serial Port VCO – Voltage Controlled Oscillator GSM/DCS/PCS – these are frequency bands
Anatomy of a cellphone (3) Source: http://bb.osmocom.org/trac/wiki/TypicalCalypsoModemDesign
OsmocomBB features ● Supports Calypso chipset, found inside: Motorola C115/C117 (Compal E87) Motorola C123/C121/C118 (Compal E88) Motorola C139/C140 (Compal E86) Motorola C155 (Compal E99) Openmoko GTA01/GTA02 ● Low-level RF drivers & synchronous TDMA ● GSM Layer 2 (LAPDm) and Layer 3 (RR/MM/CC) ● RS232-HDLC connection to PC for debugging ● RX-only by default
Osmocom-bb code structure osmocom-bb/src/ target/firmware/ rf/ RFFE abb/ calypso/ ABB dsp.c tsp.c tpu.c DSP TSP TPU clock.c sim.c uart.c API RAM flash/ osmocom-bb/host/ osmoload Flash DPLL layer23 ARM SIM SRAM HDLC over RS232 ULPD GEA UART Calypso SoC
Demo ! Plan: 0. Downloading and building the code Start the osmocom-bb on the cellphone 1. Login to a network 2. Make a call, receive a call 3. Send and receive SMS.
Where do we go from here ? ● Handover support ● GPRS support ● Multi-SIM capability ● More Calypso phones (http://www.myphone.pl ?) ● Mediatek MTK6235 support – GSM L1 stack in the kernel possible ● Compliance testing & certification
Backup slides
GSM sux, let's try WCDMA ● What about Reverse engineering WCDMA baseband firmware ? http://events.ccc.de/congress/2011/Fahrplan/ev ents/4735.en.html ● Maybe a SDR LTE base station ? http://bellard.org/lte/ (not public yet)
Other opensource radiocomm projects ● OpenBSC ● OpenDECT ● OpenTETRA ● OpenGMR ● OpenOP25 ● Put your pet radio interface here

Recommended

gsm layer 3 messages
gsm layer 3 messages gsm layer 3 messages
gsm layer 3 messages
Jorge Genes Forcadell
 
GSM Idle Mode Behavior
GSM Idle Mode BehaviorGSM Idle Mode Behavior
GSM Idle Mode Behavior
Md Mustafizur Rahman
 
2 g data performance dimensioning ,planning & optimization
2 g data performance dimensioning ,planning & optimization2 g data performance dimensioning ,planning & optimization
2 g data performance dimensioning ,planning & optimization
Vusal Suleymanov
 
Channel failure rate above defined threshold
Channel failure rate above defined thresholdChannel failure rate above defined threshold
Channel failure rate above defined threshold
aabaap
 
2G Optimization
2G Optimization2G Optimization
2G Optimization
Melika Poursamar
 
5G Sandardization
5G Sandardization5G Sandardization
5G Sandardization
Yi-Hsueh Tsai
 
2 g data call flow
2 g data call flow2 g data call flow
2 g data call flow
Alfred Ongere
 
10-paging-optimization_compress.pdf
10-paging-optimization_compress.pdf10-paging-optimization_compress.pdf
10-paging-optimization_compress.pdf
WaroodALHadhrami
 

Recommended

gsm layer 3 messages
gsm layer 3 messages gsm layer 3 messages
gsm layer 3 messages
Jorge Genes Forcadell
 
GSM Idle Mode Behavior
GSM Idle Mode BehaviorGSM Idle Mode Behavior
GSM Idle Mode Behavior
Md Mustafizur Rahman
 
2 g data performance dimensioning ,planning & optimization
2 g data performance dimensioning ,planning & optimization2 g data performance dimensioning ,planning & optimization
2 g data performance dimensioning ,planning & optimization
Vusal Suleymanov
 
Channel failure rate above defined threshold
Channel failure rate above defined thresholdChannel failure rate above defined threshold
Channel failure rate above defined threshold
aabaap
 
2G Optimization
2G Optimization2G Optimization
2G Optimization
Melika Poursamar
 
5G Sandardization
5G Sandardization5G Sandardization
5G Sandardization
Yi-Hsueh Tsai
 
2 g data call flow
2 g data call flow2 g data call flow
2 g data call flow
Alfred Ongere
 
10-paging-optimization_compress.pdf
10-paging-optimization_compress.pdf10-paging-optimization_compress.pdf
10-paging-optimization_compress.pdf
WaroodALHadhrami
 
Bsc configuration
Bsc configurationBsc configuration
Bsc configuration
Alberto Garcia
 
Kpi 2g troubleshootin
Kpi 2g troubleshootinKpi 2g troubleshootin
Kpi 2g troubleshootin
Abd Yehia
 
Network Planning and Optimization
Network Planning and OptimizationNetwork Planning and Optimization
Network Planning and Optimization
mathurrohitji
 
Ussd call back or UCB
Ussd call back or UCBUssd call back or UCB
Ussd call back or UCB
Rawand Jaf
 
Handover call_flow in GSM
Handover call_flow in GSM Handover call_flow in GSM
Handover call_flow in GSM
virender123243
 
How to analyse sdcch drop due to
How to analyse sdcch drop due toHow to analyse sdcch drop due to
How to analyse sdcch drop due to
Ishanu Chakrabarty
 
Gsm interfaces
Gsm interfacesGsm interfaces
Gsm interfaces
Sai Sankar Gochhayat
 
IMS presentation
IMS presentationIMS presentation
IMS presentation
Anirudh Yadav
 
Gsm bss kpi analysis
Gsm bss kpi analysisGsm bss kpi analysis
Gsm bss kpi analysis
Hassan Imam
 
Call flow
Call flowCall flow
Call flow
Telebeansolutions
 
Drive test final
Drive test finalDrive test final
Drive test final
Yaser Al-Abdali
 
Ims architecture white_paper
Ims architecture white_paperIms architecture white_paper
Ims architecture white_paper
Divyansh Gupta
 
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentationNokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
mohammed khairy
 
Huawei antenna tdd-8_t8r_antenna_maximize_potentials_of_network
Huawei antenna tdd-8_t8r_antenna_maximize_potentials_of_networkHuawei antenna tdd-8_t8r_antenna_maximize_potentials_of_network
Huawei antenna tdd-8_t8r_antenna_maximize_potentials_of_network
Julio Santana
 
MSC(-S) R12 configuration (2).pdf
MSC(-S) R12 configuration (2).pdfMSC(-S) R12 configuration (2).pdf
MSC(-S) R12 configuration (2).pdf
ssuseraab3a8
 
Kpi in telecommunication
Kpi in telecommunicationKpi in telecommunication
Kpi in telecommunication
baluiabrows
 
Events in tems products
Events in tems productsEvents in tems products
Events in tems products
To Anh
 
02 umts network architecturenew
02 umts network architecturenew02 umts network architecturenew
02 umts network architecturenew
sivakumar D
 
Mpr mss 1 c_user_manual (Alcatel Lucent)
Mpr mss 1 c_user_manual (Alcatel Lucent)Mpr mss 1 c_user_manual (Alcatel Lucent)
Mpr mss 1 c_user_manual (Alcatel Lucent)
engramjadislam78
 
Self-Configuration and Self-Optimization Network
Self-Configuration and Self-Optimization NetworkSelf-Configuration and Self-Optimization Network
Self-Configuration and Self-Optimization Network
Praveen Kumar
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON
 
29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotware29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotware
Alexander Chemeris
 

More Related Content

What's hot

Bsc configuration
Bsc configurationBsc configuration
Bsc configuration
Alberto Garcia
 
Kpi 2g troubleshootin
Kpi 2g troubleshootinKpi 2g troubleshootin
Kpi 2g troubleshootin
Abd Yehia
 
Network Planning and Optimization
Network Planning and OptimizationNetwork Planning and Optimization
Network Planning and Optimization
mathurrohitji
 
Ussd call back or UCB
Ussd call back or UCBUssd call back or UCB
Ussd call back or UCB
Rawand Jaf
 
Handover call_flow in GSM
Handover call_flow in GSM Handover call_flow in GSM
Handover call_flow in GSM
virender123243
 
How to analyse sdcch drop due to
How to analyse sdcch drop due toHow to analyse sdcch drop due to
How to analyse sdcch drop due to
Ishanu Chakrabarty
 
Gsm interfaces
Gsm interfacesGsm interfaces
Gsm interfaces
Sai Sankar Gochhayat
 
IMS presentation
IMS presentationIMS presentation
IMS presentation
Anirudh Yadav
 
Gsm bss kpi analysis
Gsm bss kpi analysisGsm bss kpi analysis
Gsm bss kpi analysis
Hassan Imam
 
Call flow
Call flowCall flow
Call flow
Telebeansolutions
 
Drive test final
Drive test finalDrive test final
Drive test final
Yaser Al-Abdali
 
Ims architecture white_paper
Ims architecture white_paperIms architecture white_paper
Ims architecture white_paper
Divyansh Gupta
 
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentationNokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
mohammed khairy
 
Huawei antenna tdd-8_t8r_antenna_maximize_potentials_of_network
Huawei antenna tdd-8_t8r_antenna_maximize_potentials_of_networkHuawei antenna tdd-8_t8r_antenna_maximize_potentials_of_network
Huawei antenna tdd-8_t8r_antenna_maximize_potentials_of_network
Julio Santana
 
MSC(-S) R12 configuration (2).pdf
MSC(-S) R12 configuration (2).pdfMSC(-S) R12 configuration (2).pdf
MSC(-S) R12 configuration (2).pdf
ssuseraab3a8
 
Kpi in telecommunication
Kpi in telecommunicationKpi in telecommunication
Kpi in telecommunication
baluiabrows
 
Events in tems products
Events in tems productsEvents in tems products
Events in tems products
To Anh
 
02 umts network architecturenew
02 umts network architecturenew02 umts network architecturenew
02 umts network architecturenew
sivakumar D
 
Mpr mss 1 c_user_manual (Alcatel Lucent)
Mpr mss 1 c_user_manual (Alcatel Lucent)Mpr mss 1 c_user_manual (Alcatel Lucent)
Mpr mss 1 c_user_manual (Alcatel Lucent)
engramjadislam78
 
Self-Configuration and Self-Optimization Network
Self-Configuration and Self-Optimization NetworkSelf-Configuration and Self-Optimization Network
Self-Configuration and Self-Optimization Network
Praveen Kumar
 

What's hot (20)

Bsc configuration
Bsc configurationBsc configuration
Bsc configuration
 
Kpi 2g troubleshootin
Kpi 2g troubleshootinKpi 2g troubleshootin
Kpi 2g troubleshootin
 
Network Planning and Optimization
Network Planning and OptimizationNetwork Planning and Optimization
Network Planning and Optimization
 
Ussd call back or UCB
Ussd call back or UCBUssd call back or UCB
Ussd call back or UCB
 
Handover call_flow in GSM
Handover call_flow in GSM Handover call_flow in GSM
Handover call_flow in GSM
 
How to analyse sdcch drop due to
How to analyse sdcch drop due toHow to analyse sdcch drop due to
How to analyse sdcch drop due to
 
Gsm interfaces
Gsm interfacesGsm interfaces
Gsm interfaces
 
IMS presentation
IMS presentationIMS presentation
IMS presentation
 
Gsm bss kpi analysis
Gsm bss kpi analysisGsm bss kpi analysis
Gsm bss kpi analysis
 
Call flow
Call flowCall flow
Call flow
 
Drive test final
Drive test finalDrive test final
Drive test final
 
Ims architecture white_paper
Ims architecture white_paperIms architecture white_paper
Ims architecture white_paper
 
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentationNokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
Nokia gsm-kpi-analysis-based-on-daily-monitoring-basis-presentation
 
Huawei antenna tdd-8_t8r_antenna_maximize_potentials_of_network
Huawei antenna tdd-8_t8r_antenna_maximize_potentials_of_networkHuawei antenna tdd-8_t8r_antenna_maximize_potentials_of_network
Huawei antenna tdd-8_t8r_antenna_maximize_potentials_of_network
 
MSC(-S) R12 configuration (2).pdf
MSC(-S) R12 configuration (2).pdfMSC(-S) R12 configuration (2).pdf
MSC(-S) R12 configuration (2).pdf
 
Kpi in telecommunication
Kpi in telecommunicationKpi in telecommunication
Kpi in telecommunication
 
Events in tems products
Events in tems productsEvents in tems products
Events in tems products
 
02 umts network architecturenew
02 umts network architecturenew02 umts network architecturenew
02 umts network architecturenew
 
Mpr mss 1 c_user_manual (Alcatel Lucent)
Mpr mss 1 c_user_manual (Alcatel Lucent)Mpr mss 1 c_user_manual (Alcatel Lucent)
Mpr mss 1 c_user_manual (Alcatel Lucent)
 
Self-Configuration and Self-Optimization Network
Self-Configuration and Self-Optimization NetworkSelf-Configuration and Self-Optimization Network
Self-Configuration and Self-Optimization Network
 

Viewers also liked

44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON
 
29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotware29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotware
Alexander Chemeris
 
Crash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and securityCrash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and security
Arturo Filastò
 
Mobile Network Attack Evolution
Mobile Network Attack EvolutionMobile Network Attack Evolution
Mobile Network Attack Evolution
Positive Hack Days
 
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Luca Bongiorni
 
Abusing Calypso Phones
Abusing Calypso PhonesAbusing Calypso Phones
Abusing Calypso Phones
Positive Hack Days
 
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionOpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
Luca Bongiorni
 
Imsi catcher
Imsi catcherImsi catcher
Imsi catcher
Tri Sumarno
 
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
Luca Bongiorni
 

Viewers also liked (9)

44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
 
29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotware29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotware
 
Crash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and securityCrash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and security
 
Mobile Network Attack Evolution
Mobile Network Attack EvolutionMobile Network Attack Evolution
Mobile Network Attack Evolution
 
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
 
Abusing Calypso Phones
Abusing Calypso PhonesAbusing Calypso Phones
Abusing Calypso Phones
 
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionOpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
 
Imsi catcher
Imsi catcherImsi catcher
Imsi catcher
 
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
 

Similar to Osmocom

Prezentacja_Profil_Portfolio - EN
Prezentacja_Profil_Portfolio - ENPrezentacja_Profil_Portfolio - EN
Prezentacja_Profil_Portfolio - EN
Tomasz Janicki
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
Jim Geovedi
 
Final
FinalFinal
Final
Amir Sherman
 
Rtos ameba
Rtos amebaRtos ameba
Rtos ameba
Jou Neo
 
Tablet in 2012
Tablet in 2012Tablet in 2012
Tablet in 2012
JJ Wu
 
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
Hackito Ergo Sum
 
docslide.us_rnc-3820-presentation-55844f36a950e
docslide.us_rnc-3820-presentation-55844f36a950edocslide.us_rnc-3820-presentation-55844f36a950e
docslide.us_rnc-3820-presentation-55844f36a950e
Tamer Ajaj
 
42
4242
42
srimoorthi
 
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...
Ardavan Pedram
 
LPC 2148 ARM MICROCONTROLLER
LPC 2148 ARM MICROCONTROLLERLPC 2148 ARM MICROCONTROLLER
LPC 2148 ARM MICROCONTROLLER
sravannunna24
 
SBC6020 SAM9G20 based Single Board Computer
SBC6020 SAM9G20 based Single Board ComputerSBC6020 SAM9G20 based Single Board Computer
SBC6020 SAM9G20 based Single Board Computer
yclinda666
 
LTE Air Interface
LTE Air InterfaceLTE Air Interface
LTE Air Interface
Spiros Louvros
 
8051microcontroller
8051microcontroller 8051microcontroller
8051microcontroller
manish080
 
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Hsien-Hsin Sean Lee, Ph.D.
 
Voice Over U M T S Evolution From W C D M A, H S P A To L T E
Voice Over U M T S Evolution From W C D M A, H S P A To L T EVoice Over U M T S Evolution From W C D M A, H S P A To L T E
Voice Over U M T S Evolution From W C D M A, H S P A To L T E
Pengpeng Song
 
X tel gsm-wcdma-datasheet
X tel gsm-wcdma-datasheetX tel gsm-wcdma-datasheet
X tel gsm-wcdma-datasheet
Dlip Nyk
 
Microcontroller 8051
Microcontroller 8051Microcontroller 8051
Microcontroller 8051
Denish Vaniyawala
 
Mobile Broadband
Mobile BroadbandMobile Broadband
Mobile Broadband
Fanny Mlinarsky
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1
Aziz Alaoui
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1
Daud Suleiman
 

Similar to Osmocom (20)

Prezentacja_Profil_Portfolio - EN
Prezentacja_Profil_Portfolio - ENPrezentacja_Profil_Portfolio - EN
Prezentacja_Profil_Portfolio - EN
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
 
Final
FinalFinal
Final
 
Rtos ameba
Rtos amebaRtos ameba
Rtos ameba
 
Tablet in 2012
Tablet in 2012Tablet in 2012
Tablet in 2012
 
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
 
docslide.us_rnc-3820-presentation-55844f36a950e
docslide.us_rnc-3820-presentation-55844f36a950edocslide.us_rnc-3820-presentation-55844f36a950e
docslide.us_rnc-3820-presentation-55844f36a950e
 
42
4242
42
 
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...
 
LPC 2148 ARM MICROCONTROLLER
LPC 2148 ARM MICROCONTROLLERLPC 2148 ARM MICROCONTROLLER
LPC 2148 ARM MICROCONTROLLER
 
SBC6020 SAM9G20 based Single Board Computer
SBC6020 SAM9G20 based Single Board ComputerSBC6020 SAM9G20 based Single Board Computer
SBC6020 SAM9G20 based Single Board Computer
 
LTE Air Interface
LTE Air InterfaceLTE Air Interface
LTE Air Interface
 
8051microcontroller
8051microcontroller 8051microcontroller
8051microcontroller
 
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
 
Voice Over U M T S Evolution From W C D M A, H S P A To L T E
Voice Over U M T S Evolution From W C D M A, H S P A To L T EVoice Over U M T S Evolution From W C D M A, H S P A To L T E
Voice Over U M T S Evolution From W C D M A, H S P A To L T E
 
X tel gsm-wcdma-datasheet
X tel gsm-wcdma-datasheetX tel gsm-wcdma-datasheet
X tel gsm-wcdma-datasheet
 
Microcontroller 8051
Microcontroller 8051Microcontroller 8051
Microcontroller 8051
 
Mobile Broadband
Mobile BroadbandMobile Broadband
Mobile Broadband
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1
 

Recently uploaded

Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 

Recently uploaded (20)

Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 

Osmocom

  • 2. Why ? ● Free kernels, free OSes, free WiFi drivers, free GPU drivers, free RFID readers, free software radio, why not free cellphone firmware ? ● Challenge the „secret sauce” vendor attitude ● Cellphone network security research ● Disruptive competition ● Knowledge is power
  • 3. Roadblocks ● The cellphone chipset industry is very closed (even phone manufacturers don't get chipset programming information) ● The cellphone network equipment industry is dominated by 4 major players (and even more closed) ● There is no „padawan” learning path ● GSM protocol stacks are not shipped in the mainline kernel ● The government creeps in everywhere in the telco world
  • 4. Why GSM ? Source: http://en.wikipedia.org/wiki/Comparison_of_mobile_phone_standards ● Simple but usable ● Deployed worldwide ● Hackable & abundant hardware ● GSM bands propagate very nicely
  • 5. GSM Radio interface (3) Logical channels ● BCCH, SCH, FCCH ● RACH, PCH, AGCH ● SACCH, FACCH ● SDCCH ● TCH/F, TCH/H ● AAARGHCH, WTFCH
  • 6. Osmocom project openBSC BB (baseband) http://osmocom.org/ DECT TETRA GMR Open OP25 Source MObile COMmunications
  • 7. GSM Network OpenBSC OpenBTS OsmocomBB BTS – Base Transciever Station (the tower) BSC – Base Station Controller (the brain) MSC – Mobile Switching Controller (the router) HLR – Home Location Register (/etc/passwd) MS – Mobile Station POTS – Plain Old Phone System
  • 8. The BTS OpenBTS Source: http://openbts.sourceforge.net/ 2009 1998
  • 9. The core network OpenBSC 1995 2008
  • 10. The phone OsmocomBB ?
  • 11. GSM radio Interface (1) Frames & physical channels Source: http://www.tele-servizi.com/janus/engfield2.html
  • 12. GSM Radio Interface (2) Bursts Source: http://www.scholarpedia.org/article/Global_system_for_mobile_communications_%28GSM%29
  • 13. Anatomy of a cellphone (1) Motorola C118 aka Compal E88 aka GTA0x RFFE Rita (TRF6151) ABB (ADC + DAC) Iota (TWL3025) DBB (DSP + MCU) Calypso (G2 C035) RFFE – RF Frontend ABB – Analog Baseband LCD, KBD, etc. DBB – Digital Baseband MCU – Microcontroller Unit
  • 14. Anatomy of a cellphone (2) RFCLK == 26 MHz APC – Automatic Power Correction TSP – Time Serial Port AFC – Automatic Frequency Correction BSP – Baseband Serial Port I/Q – modulation stuff you don't need to know ;-) USP – uController Serial Port VCO – Voltage Controlled Oscillator GSM/DCS/PCS – these are frequency bands
  • 15. Anatomy of a cellphone (3) Source: http://bb.osmocom.org/trac/wiki/TypicalCalypsoModemDesign
  • 16. OsmocomBB features ● Supports Calypso chipset, found inside: Motorola C115/C117 (Compal E87) Motorola C123/C121/C118 (Compal E88) Motorola C139/C140 (Compal E86) Motorola C155 (Compal E99) Openmoko GTA01/GTA02 ● Low-level RF drivers & synchronous TDMA ● GSM Layer 2 (LAPDm) and Layer 3 (RR/MM/CC) ● RS232-HDLC connection to PC for debugging ● RX-only by default
  • 17. Osmocom-bb code structure osmocom-bb/src/ target/firmware/ rf/ RFFE abb/ calypso/ ABB dsp.c tsp.c tpu.c DSP TSP TPU clock.c sim.c uart.c API RAM flash/ osmocom-bb/host/ osmoload Flash DPLL layer23 ARM SIM SRAM HDLC over RS232 ULPD GEA UART Calypso SoC
  • 18. Demo ! Plan: 0. Downloading and building the code Start the osmocom-bb on the cellphone 1. Login to a network 2. Make a call, receive a call 3. Send and receive SMS.
  • 19. Where do we go from here ? ● Handover support ● GPRS support ● Multi-SIM capability ● More Calypso phones (http://www.myphone.pl ?) ● Mediatek MTK6235 support – GSM L1 stack in the kernel possible ● Compliance testing & certification
  • 21. GSM sux, let's try WCDMA ● What about Reverse engineering WCDMA baseband firmware ? http://events.ccc.de/congress/2011/Fahrplan/ev ents/4735.en.html ● Maybe a SDR LTE base station ? http://bellard.org/lte/ (not public yet)
  • 22. Other opensource radiocomm projects ● OpenBSC ● OpenDECT ● OpenTETRA ● OpenGMR ● OpenOP25 ● Put your pet radio interface here