Uploaded by0xDEADC0DE
PDF, PPTX5,448 views

Osmocom

This document discusses open sourcing GSM baseband firmware to allow for free cellphone firmware, security research of cellphone networks, and disruptive competition. It notes challenges include closed chipset and network equipment industries and lack of learning materials. It promotes GSM due to its simplicity, worldwide deployment, and hackable hardware. It introduces the Osmocom project which produces open source GSM baseband software and describes its features and code structure.

Embed presentation

Download as PDF, PPTX
Opensource GSM baseband firmware
Why ? ● Free kernels, free OSes, free WiFi drivers, free GPU drivers, free RFID readers, free software radio, why not free cellphone firmware ? ● Challenge the „secret sauce” vendor attitude ● Cellphone network security research ● Disruptive competition ● Knowledge is power
Roadblocks ● The cellphone chipset industry is very closed (even phone manufacturers don't get chipset programming information) ● The cellphone network equipment industry is dominated by 4 major players (and even more closed) ● There is no „padawan” learning path ● GSM protocol stacks are not shipped in the mainline kernel ● The government creeps in everywhere in the telco world
Why GSM ? Source: http://en.wikipedia.org/wiki/Comparison_of_mobile_phone_standards ● Simple but usable ● Deployed worldwide ● Hackable & abundant hardware ● GSM bands propagate very nicely
GSM Radio interface (3) Logical channels ● BCCH, SCH, FCCH ● RACH, PCH, AGCH ● SACCH, FACCH ● SDCCH ● TCH/F, TCH/H ● AAARGHCH, WTFCH
Osmocom project openBSC BB (baseband) http://osmocom.org/ DECT TETRA GMR Open OP25 Source MObile COMmunications
GSM Network OpenBSC OpenBTS OsmocomBB BTS – Base Transciever Station (the tower) BSC – Base Station Controller (the brain) MSC – Mobile Switching Controller (the router) HLR – Home Location Register (/etc/passwd) MS – Mobile Station POTS – Plain Old Phone System
The BTS OpenBTS Source: http://openbts.sourceforge.net/ 2009 1998
The core network OpenBSC 1995 2008
The phone OsmocomBB ?
GSM radio Interface (1) Frames & physical channels Source: http://www.tele-servizi.com/janus/engfield2.html
GSM Radio Interface (2) Bursts Source: http://www.scholarpedia.org/article/Global_system_for_mobile_communications_%28GSM%29
Anatomy of a cellphone (1) Motorola C118 aka Compal E88 aka GTA0x RFFE Rita (TRF6151) ABB (ADC + DAC) Iota (TWL3025) DBB (DSP + MCU) Calypso (G2 C035) RFFE – RF Frontend ABB – Analog Baseband LCD, KBD, etc. DBB – Digital Baseband MCU – Microcontroller Unit
Anatomy of a cellphone (2) RFCLK == 26 MHz APC – Automatic Power Correction TSP – Time Serial Port AFC – Automatic Frequency Correction BSP – Baseband Serial Port I/Q – modulation stuff you don't need to know ;-) USP – uController Serial Port VCO – Voltage Controlled Oscillator GSM/DCS/PCS – these are frequency bands
Anatomy of a cellphone (3) Source: http://bb.osmocom.org/trac/wiki/TypicalCalypsoModemDesign
OsmocomBB features ● Supports Calypso chipset, found inside: Motorola C115/C117 (Compal E87) Motorola C123/C121/C118 (Compal E88) Motorola C139/C140 (Compal E86) Motorola C155 (Compal E99) Openmoko GTA01/GTA02 ● Low-level RF drivers & synchronous TDMA ● GSM Layer 2 (LAPDm) and Layer 3 (RR/MM/CC) ● RS232-HDLC connection to PC for debugging ● RX-only by default
Osmocom-bb code structure osmocom-bb/src/ target/firmware/ rf/ RFFE abb/ calypso/ ABB dsp.c tsp.c tpu.c DSP TSP TPU clock.c sim.c uart.c API RAM flash/ osmocom-bb/host/ osmoload Flash DPLL layer23 ARM SIM SRAM HDLC over RS232 ULPD GEA UART Calypso SoC
Demo ! Plan: 0. Downloading and building the code Start the osmocom-bb on the cellphone 1. Login to a network 2. Make a call, receive a call 3. Send and receive SMS.
Where do we go from here ? ● Handover support ● GPRS support ● Multi-SIM capability ● More Calypso phones (http://www.myphone.pl ?) ● Mediatek MTK6235 support – GSM L1 stack in the kernel possible ● Compliance testing & certification
Backup slides
GSM sux, let's try WCDMA ● What about Reverse engineering WCDMA baseband firmware ? http://events.ccc.de/congress/2011/Fahrplan/ev ents/4735.en.html ● Maybe a SDR LTE base station ? http://bellard.org/lte/ (not public yet)
Other opensource radiocomm projects ● OpenBSC ● OpenDECT ● OpenTETRA ● OpenGMR ● OpenOP25 ● Put your pet radio interface here

More Related Content

PPT
Ericsson 2 g ran optimization complete training
bysekit123
 
DOC
138078380 gsm-timers
byadebisi adebambo
 
PDF
5G Interview Questions: 50 Questions on Spectrum
by3G4G
 
PPTX
Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...
byFwdays
 
PPTX
Kubernates vs Openshift: What is the difference and comparison between Opensh...
byjeetendra mandal
 
PPT
Call flows
byShweta Kumar PMP, ACC, CSM, CSPO
 
PDF
76125491 2 g-ericsson-recommended-parameters-g10
byRakesh Singh
 
PDF
Case analysis call drop
byTerra Sacrifice
 
Ericsson 2 g ran optimization complete training
bysekit123
 
138078380 gsm-timers
byadebisi adebambo
 
5G Interview Questions: 50 Questions on Spectrum
by3G4G
 
Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...
byFwdays
 
Kubernates vs Openshift: What is the difference and comparison between Opensh...
byjeetendra mandal
 
Call flows
byShweta Kumar PMP, ACC, CSM, CSPO
 
76125491 2 g-ericsson-recommended-parameters-g10
byRakesh Singh
 
Case analysis call drop
byTerra Sacrifice
 

What's hot

PPTX
5gc call flow
byKoorosh Hoveyda
 
PPTX
Ue introduction
byJamesFun
 
PPTX
Csfb (circuit switch fall back)
byRishi Mahajan
 
PDF
IPsec for IMS
byHossein Yavari
 
PDF
huawei-lte-kpi-ref
byAbd Yehia
 
PPT
dokumen.tips_ericsson-lte-throughput-troubleshooting-techniques_SUPERRRRRRR.ppt
byLibaBali
 
PPT
Zte 3g
byKishore Kandi
 
PPT
Basic GSM Call Flows
byemyl97
 
PPT
Layer 3 messages (2G)
byAbdulrahman Fady
 
PDF
Report on Repeat Call Rate as Network KPI
byAnant Jain
 
PPT
Huawei parameter strategy v1.4 1st dec
byKetut Widya
 
PDF
04. lte kpi in lte radio network
byDani Indra Kumara
 
PPTX
Gsm architecture, gsm network identities, network cases, cell planning, and c...
byZorays Solar Pakistan
 
PPTX
Lte default and dedicated bearer / VoLTE
bymanish_sapra
 
PPS
International roaming technical view
byRawand Jaf
 
PPTX
AIRCOM LTE Webinar 6 - Comparison between GSM, UMTS & LTE
byAIRCOM International
 
PPS
Roaming VAS (optimal routing)
byRawand Jaf
 
PPT
GSM Channel concept and SDCCH
byDeepak Joshi
 
PPTX
NSA Mobility Managment.pptx
byErayUyanik
 
DOC
10 gsm bss network kpi (uplink downlink balance) optimization manual[1].doc
bytharinduwije
 
5gc call flow
byKoorosh Hoveyda
 
Ue introduction
byJamesFun
 
Csfb (circuit switch fall back)
byRishi Mahajan
 
IPsec for IMS
byHossein Yavari
 
huawei-lte-kpi-ref
byAbd Yehia
 
dokumen.tips_ericsson-lte-throughput-troubleshooting-techniques_SUPERRRRRRR.ppt
byLibaBali
 
Zte 3g
byKishore Kandi
 
Basic GSM Call Flows
byemyl97
 
Layer 3 messages (2G)
byAbdulrahman Fady
 
Report on Repeat Call Rate as Network KPI
byAnant Jain
 
Huawei parameter strategy v1.4 1st dec
byKetut Widya
 
04. lte kpi in lte radio network
byDani Indra Kumara
 
Gsm architecture, gsm network identities, network cases, cell planning, and c...
byZorays Solar Pakistan
 
Lte default and dedicated bearer / VoLTE
bymanish_sapra
 
International roaming technical view
byRawand Jaf
 
AIRCOM LTE Webinar 6 - Comparison between GSM, UMTS & LTE
byAIRCOM International
 
Roaming VAS (optimal routing)
byRawand Jaf
 
GSM Channel concept and SDCCH
byDeepak Joshi
 
NSA Mobility Managment.pptx
byErayUyanik
 
10 gsm bss network kpi (uplink downlink balance) optimization manual[1].doc
bytharinduwije
 

Viewers also liked

PDF
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
by44CON
 
PDF
29c3 OpenBTS workshop - Hardware and sotware
byAlexander Chemeris
 
PDF
Crash course of Mobile (SS7) privacy and security
byArturo Filastò
 
PDF
Mobile Network Attack Evolution
byPositive Hack Days
 
PDF
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
byLuca Bongiorni
 
PDF
Abusing Calypso Phones
byPositive Hack Days
 
PPT
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
byLuca Bongiorni
 
ODP
Imsi catcher
byTri Sumarno
 
PDF
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
byLuca Bongiorni
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
by44CON
 
29c3 OpenBTS workshop - Hardware and sotware
byAlexander Chemeris
 
Crash course of Mobile (SS7) privacy and security
byArturo Filastò
 
Mobile Network Attack Evolution
byPositive Hack Days
 
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
byLuca Bongiorni
 
Abusing Calypso Phones
byPositive Hack Days
 
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
byLuca Bongiorni
 
Imsi catcher
byTri Sumarno
 
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
byLuca Bongiorni
 

Similar to Osmocom

ZIP
David A. Burgess's Presentation at eComm 2009
byeCommConf
 
PDF
Constrained-Random Thoughts on Advanced Constrained-Random Thoughts on Advanc...
byDVClub
 
PDF
Aardoom apr-2008
byObsidian Software
 
PDF
DefCon 2012 - Sub-1 GHz Radio Frequency Security
byMichael Smith
 
PPT
4 gsm net architecture by Praveen Kumar Prabhat
byprabhat_praveen
 
PDF
Open bts guide_en_v0.1
byAziz Alaoui
 
PDF
Open bts guide_en_v0.1
byDaud Suleiman
 
PDF
JSR82: Past, Present and Future
bySean O'Sullivan
 
PDF
From Silicon to Software - IIT Madras
byAanjhan Ranganathan
 
PDF
Reuse Your Old Personal Gsm Phone For Sms Control And Monitoring
byIonela
 
PPTX
LTE Components Drive Multimode Mobile Broadband
byEneaSoftware
 
PPT
Gsm based m2 m system design & implementation using p soc
bySharat Chandra
 
PDF
CommSEC - InterLINK products line (EN)
byiBLio
 
PDF
통신시스템(Gsm network)
by영기 김
 
PDF
OpenPicus FlyPort Technology Introduction
byopenPicus
 
PDF
FM-RDS developments at CRC
byJean-Michel Bouffard
 
PDF
OSINT RF Reverse Engineering by Marc Newlin
byEC-Council
 
PDF
Interfacing old mobile phone siemens nokiasony ericsson with pic or arduino c...
byAymen Lachkhem
 
PPTX
Digiplant colloquim
byTyler Belle
 
PDF
Product Flyer YADE - Board
byDaniela Palombo
 
David A. Burgess's Presentation at eComm 2009
byeCommConf
 
Constrained-Random Thoughts on Advanced Constrained-Random Thoughts on Advanc...
byDVClub
 
Aardoom apr-2008
byObsidian Software
 
DefCon 2012 - Sub-1 GHz Radio Frequency Security
byMichael Smith
 
4 gsm net architecture by Praveen Kumar Prabhat
byprabhat_praveen
 
Open bts guide_en_v0.1
byAziz Alaoui
 
Open bts guide_en_v0.1
byDaud Suleiman
 
JSR82: Past, Present and Future
bySean O'Sullivan
 
From Silicon to Software - IIT Madras
byAanjhan Ranganathan
 
Reuse Your Old Personal Gsm Phone For Sms Control And Monitoring
byIonela
 
LTE Components Drive Multimode Mobile Broadband
byEneaSoftware
 
Gsm based m2 m system design & implementation using p soc
bySharat Chandra
 
CommSEC - InterLINK products line (EN)
byiBLio
 
통신시스템(Gsm network)
by영기 김
 
OpenPicus FlyPort Technology Introduction
byopenPicus
 
FM-RDS developments at CRC
byJean-Michel Bouffard
 
OSINT RF Reverse Engineering by Marc Newlin
byEC-Council
 
Interfacing old mobile phone siemens nokiasony ericsson with pic or arduino c...
byAymen Lachkhem
 
Digiplant colloquim
byTyler Belle
 
Product Flyer YADE - Board
byDaniela Palombo
 

Recently uploaded

PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
apidays New York 2025 | AI in Application Security
byapidays
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
final.pdf
byomarbishtawi04
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 

Osmocom

  • 1.
  • 2.
    Why ? ● Free kernels, free OSes, free WiFi drivers, free GPU drivers, free RFID readers, free software radio, why not free cellphone firmware ? ● Challenge the „secret sauce” vendor attitude ● Cellphone network security research ● Disruptive competition ● Knowledge is power
  • 3.
    Roadblocks ● The cellphone chipset industry is very closed (even phone manufacturers don't get chipset programming information) ● The cellphone network equipment industry is dominated by 4 major players (and even more closed) ● There is no „padawan” learning path ● GSM protocol stacks are not shipped in the mainline kernel ● The government creeps in everywhere in the telco world
  • 4.
    Why GSM ? Source:http://en.wikipedia.org/wiki/Comparison_of_mobile_phone_standards ● Simple but usable ● Deployed worldwide ● Hackable & abundant hardware ● GSM bands propagate very nicely
  • 5.
    GSM Radio interface(3) Logical channels ● BCCH, SCH, FCCH ● RACH, PCH, AGCH ● SACCH, FACCH ● SDCCH ● TCH/F, TCH/H ● AAARGHCH, WTFCH
  • 6.
    Osmocom project openBSC BB (baseband) http://osmocom.org/ DECT TETRA GMR Open OP25 Source MObile COMmunications
  • 7.
    GSM Network OpenBSC OpenBTS OsmocomBB BTS – Base Transciever Station (the tower) BSC – Base Station Controller (the brain) MSC – Mobile Switching Controller (the router) HLR – Home Location Register (/etc/passwd) MS – Mobile Station POTS – Plain Old Phone System
  • 8.
    The BTS OpenBTS Source: http://openbts.sourceforge.net/ 2009 1998
  • 9.
    The core network OpenBSC 1995 2008
  • 10.
    The phone OsmocomBB ?
  • 11.
    GSM radio Interface(1) Frames & physical channels Source: http://www.tele-servizi.com/janus/engfield2.html
  • 12.
    GSM Radio Interface(2) Bursts Source: http://www.scholarpedia.org/article/Global_system_for_mobile_communications_%28GSM%29
  • 13.
    Anatomy of acellphone (1) Motorola C118 aka Compal E88 aka GTA0x RFFE Rita (TRF6151) ABB (ADC + DAC) Iota (TWL3025) DBB (DSP + MCU) Calypso (G2 C035) RFFE – RF Frontend ABB – Analog Baseband LCD, KBD, etc. DBB – Digital Baseband MCU – Microcontroller Unit
  • 14.
    Anatomy of acellphone (2) RFCLK == 26 MHz APC – Automatic Power Correction TSP – Time Serial Port AFC – Automatic Frequency Correction BSP – Baseband Serial Port I/Q – modulation stuff you don't need to know ;-) USP – uController Serial Port VCO – Voltage Controlled Oscillator GSM/DCS/PCS – these are frequency bands
  • 15.
    Anatomy of acellphone (3) Source: http://bb.osmocom.org/trac/wiki/TypicalCalypsoModemDesign
  • 16.
    OsmocomBB features ● Supports Calypso chipset, found inside: Motorola C115/C117 (Compal E87) Motorola C123/C121/C118 (Compal E88) Motorola C139/C140 (Compal E86) Motorola C155 (Compal E99) Openmoko GTA01/GTA02 ● Low-level RF drivers & synchronous TDMA ● GSM Layer 2 (LAPDm) and Layer 3 (RR/MM/CC) ● RS232-HDLC connection to PC for debugging ● RX-only by default
  • 17.
    Osmocom-bb code structure osmocom-bb/src/ target/firmware/ rf/ RFFE abb/ calypso/ ABB dsp.c tsp.c tpu.c DSP TSP TPU clock.c sim.c uart.c API RAM flash/ osmocom-bb/host/ osmoload Flash DPLL layer23 ARM SIM SRAM HDLC over RS232 ULPD GEA UART Calypso SoC
  • 18.
    Demo ! Plan: 0. Downloadingand building the code Start the osmocom-bb on the cellphone 1. Login to a network 2. Make a call, receive a call 3. Send and receive SMS.
  • 19.
    Where do wego from here ? ● Handover support ● GPRS support ● Multi-SIM capability ● More Calypso phones (http://www.myphone.pl ?) ● Mediatek MTK6235 support – GSM L1 stack in the kernel possible ● Compliance testing & certification
  • 20.
  • 21.
    GSM sux, let'stry WCDMA ● What about Reverse engineering WCDMA baseband firmware ? http://events.ccc.de/congress/2011/Fahrplan/ev ents/4735.en.html ● Maybe a SDR LTE base station ? http://bellard.org/lte/ (not public yet)
  • 22.
    Other opensource radiocomm projects ● OpenBSC ● OpenDECT ● OpenTETRA ● OpenGMR ● OpenOP25 ● Put your pet radio interface here