SlideShare una empresa de Scribd logo

Osmocom

0
0xDEADC0DE
TecnologíaEmpresariales
1 de 22
Descargar para leer sin conexión
Opensource GSM baseband firmware
Why ? ● Free kernels, free OSes, free WiFi drivers, free GPU drivers, free RFID readers, free software radio, why not free cellphone firmware ? ● Challenge the „secret sauce” vendor attitude ● Cellphone network security research ● Disruptive competition ● Knowledge is power
Roadblocks ● The cellphone chipset industry is very closed (even phone manufacturers don't get chipset programming information) ● The cellphone network equipment industry is dominated by 4 major players (and even more closed) ● There is no „padawan” learning path ● GSM protocol stacks are not shipped in the mainline kernel ● The government creeps in everywhere in the telco world
Why GSM ? Source: http://en.wikipedia.org/wiki/Comparison_of_mobile_phone_standards ● Simple but usable ● Deployed worldwide ● Hackable & abundant hardware ● GSM bands propagate very nicely
GSM Radio interface (3) Logical channels ● BCCH, SCH, FCCH ● RACH, PCH, AGCH ● SACCH, FACCH ● SDCCH ● TCH/F, TCH/H ● AAARGHCH, WTFCH
Osmocom project openBSC BB (baseband) http://osmocom.org/ DECT TETRA GMR Open OP25 Source MObile COMmunications
GSM Network OpenBSC OpenBTS OsmocomBB BTS – Base Transciever Station (the tower) BSC – Base Station Controller (the brain) MSC – Mobile Switching Controller (the router) HLR – Home Location Register (/etc/passwd) MS – Mobile Station POTS – Plain Old Phone System
The BTS OpenBTS Source: http://openbts.sourceforge.net/ 2009 1998
The core network OpenBSC 1995 2008
The phone OsmocomBB ?
GSM radio Interface (1) Frames & physical channels Source: http://www.tele-servizi.com/janus/engfield2.html
GSM Radio Interface (2) Bursts Source: http://www.scholarpedia.org/article/Global_system_for_mobile_communications_%28GSM%29
Anatomy of a cellphone (1) Motorola C118 aka Compal E88 aka GTA0x RFFE Rita (TRF6151) ABB (ADC + DAC) Iota (TWL3025) DBB (DSP + MCU) Calypso (G2 C035) RFFE – RF Frontend ABB – Analog Baseband LCD, KBD, etc. DBB – Digital Baseband MCU – Microcontroller Unit
Anatomy of a cellphone (2) RFCLK == 26 MHz APC – Automatic Power Correction TSP – Time Serial Port AFC – Automatic Frequency Correction BSP – Baseband Serial Port I/Q – modulation stuff you don't need to know ;-) USP – uController Serial Port VCO – Voltage Controlled Oscillator GSM/DCS/PCS – these are frequency bands
Anatomy of a cellphone (3) Source: http://bb.osmocom.org/trac/wiki/TypicalCalypsoModemDesign
OsmocomBB features ● Supports Calypso chipset, found inside: Motorola C115/C117 (Compal E87) Motorola C123/C121/C118 (Compal E88) Motorola C139/C140 (Compal E86) Motorola C155 (Compal E99) Openmoko GTA01/GTA02 ● Low-level RF drivers & synchronous TDMA ● GSM Layer 2 (LAPDm) and Layer 3 (RR/MM/CC) ● RS232-HDLC connection to PC for debugging ● RX-only by default
Osmocom-bb code structure osmocom-bb/src/ target/firmware/ rf/ RFFE abb/ calypso/ ABB dsp.c tsp.c tpu.c DSP TSP TPU clock.c sim.c uart.c API RAM flash/ osmocom-bb/host/ osmoload Flash DPLL layer23 ARM SIM SRAM HDLC over RS232 ULPD GEA UART Calypso SoC
Demo ! Plan: 0. Downloading and building the code Start the osmocom-bb on the cellphone 1. Login to a network 2. Make a call, receive a call 3. Send and receive SMS.
Where do we go from here ? ● Handover support ● GPRS support ● Multi-SIM capability ● More Calypso phones (http://www.myphone.pl ?) ● Mediatek MTK6235 support – GSM L1 stack in the kernel possible ● Compliance testing & certification
Backup slides
GSM sux, let's try WCDMA ● What about Reverse engineering WCDMA baseband firmware ? http://events.ccc.de/congress/2011/Fahrplan/ev ents/4735.en.html ● Maybe a SDR LTE base station ? http://bellard.org/lte/ (not public yet)
Other opensource radiocomm projects ● OpenBSC ● OpenDECT ● OpenTETRA ● OpenGMR ● OpenOP25 ● Put your pet radio interface here

Recomendados

Burst
BurstBurst
Burst
Azlin lolin
 
UMTS core network and its evolution
UMTS core network and its evolutionUMTS core network and its evolution
UMTS core network and its evolution
Naveen Jakhar, I.T.S
 
Multi Carrier Modulation OFDM & FBMC
Multi Carrier Modulation OFDM & FBMCMulti Carrier Modulation OFDM & FBMC
Multi Carrier Modulation OFDM & FBMC
Vetrivel Chelian
 
GSM & UMTS Security
GSM & UMTS SecurityGSM & UMTS Security
GSM & UMTS Security
Sohaib Altaf
 
Gsm architecture and call flow
Gsm architecture and call flowGsm architecture and call flow
Gsm architecture and call flow
Mohd Nazir Shakeel
 
IS-95 Cdma
IS-95 CdmaIS-95 Cdma
IS-95 Cdma
yogesh singh
 
Mac
MacMac
Mac
Vrince Vimal
 
Handover
HandoverHandover
Handover
Manish Srivastava
 

Recomendados

Burst
BurstBurst
Burst
Azlin lolin
 
UMTS core network and its evolution
UMTS core network and its evolutionUMTS core network and its evolution
UMTS core network and its evolution
Naveen Jakhar, I.T.S
 
Multi Carrier Modulation OFDM & FBMC
Multi Carrier Modulation OFDM & FBMCMulti Carrier Modulation OFDM & FBMC
Multi Carrier Modulation OFDM & FBMC
Vetrivel Chelian
 
GSM & UMTS Security
GSM & UMTS SecurityGSM & UMTS Security
GSM & UMTS Security
Sohaib Altaf
 
Gsm architecture and call flow
Gsm architecture and call flowGsm architecture and call flow
Gsm architecture and call flow
Mohd Nazir Shakeel
 
IS-95 Cdma
IS-95 CdmaIS-95 Cdma
IS-95 Cdma
yogesh singh
 
Mac
MacMac
Mac
Vrince Vimal
 
Handover
HandoverHandover
Handover
Manish Srivastava
 
Security in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksSecurity in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) Networks
Naveen Kumar
 
cellular wireless networks
cellular wireless networkscellular wireless networks
cellular wireless networks
chiju chinnu
 
Cellular technologies and security
Cellular technologies and securityCellular technologies and security
Cellular technologies and security
undergraduate
 
Full gsm overview (modified)
Full gsm overview (modified)Full gsm overview (modified)
Full gsm overview (modified)
Advanced group of Institutions
 
GSM Architecture
GSM ArchitectureGSM Architecture
GSM Architecture
koonlay
 
3 g rf_opt_process_ppt
3 g rf_opt_process_ppt3 g rf_opt_process_ppt
3 g rf_opt_process_ppt
Hatim100
 
Final2
Final2Final2
Final2
Srinivas k
 
Basic dt gsm ok
Basic dt gsm okBasic dt gsm ok
Basic dt gsm ok
bonaruce
 
Wireless sensor network
Wireless sensor networkWireless sensor network
Wireless sensor network
deawoo Kim
 
Nokia kpi and_core_optimization
Nokia kpi and_core_optimizationNokia kpi and_core_optimization
Nokia kpi and_core_optimization
debasish goswami
 
LTE RF Planning Tool - Atoll
LTE RF Planning Tool - AtollLTE RF Planning Tool - Atoll
LTE RF Planning Tool - Atoll
Justin MA (馬嘉昌)
 
Network Planning and Optimization
Network Planning and OptimizationNetwork Planning and Optimization
Network Planning and Optimization
mathurrohitji
 
LTE Air Interface
LTE Air InterfaceLTE Air Interface
LTE Air Interface
Spiros Louvros
 
Cellular Networks Presentation in distributed systems, Mobile Networks
Cellular Networks Presentation in distributed systems, Mobile NetworksCellular Networks Presentation in distributed systems, Mobile Networks
Cellular Networks Presentation in distributed systems, Mobile Networks
Ahmad Yar
 
Gsm optimization
Gsm optimizationGsm optimization
Gsm optimization
Ahmed Ramadan
 
Wireless sensor networks
Wireless sensor networksWireless sensor networks
Wireless sensor networks
Zaahir Salam
 
Mimo
MimoMimo
Mimo
Virak Sou
 
Mobile communication concepts
Mobile communication conceptsMobile communication concepts
Mobile communication concepts
THANDAIAH PRABU
 
Wireless LANs(IEEE802.11) Architecture
Wireless LANs(IEEE802.11) Architecture Wireless LANs(IEEE802.11) Architecture
Wireless LANs(IEEE802.11) Architecture
Raj vardhan
 
Beamforming
BeamformingBeamforming
Beamforming
madan mohan
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON
 
29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotware29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotware
Alexander Chemeris
 

Más contenido relacionado

La actualidad más candente

GSM Architecture
GSM ArchitectureGSM Architecture
GSM Architecture
koonlay
 

La actualidad más candente (20)

Security in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksSecurity in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) Networks
 
cellular wireless networks
cellular wireless networkscellular wireless networks
cellular wireless networks
 
Cellular technologies and security
Cellular technologies and securityCellular technologies and security
Cellular technologies and security
 
Full gsm overview (modified)
Full gsm overview (modified)Full gsm overview (modified)
Full gsm overview (modified)
 
GSM Architecture
GSM ArchitectureGSM Architecture
GSM Architecture
 
3 g rf_opt_process_ppt
3 g rf_opt_process_ppt3 g rf_opt_process_ppt
3 g rf_opt_process_ppt
 
Final2
Final2Final2
Final2
 
Basic dt gsm ok
Basic dt gsm okBasic dt gsm ok
Basic dt gsm ok
 
Wireless sensor network
Wireless sensor networkWireless sensor network
Wireless sensor network
 
Nokia kpi and_core_optimization
Nokia kpi and_core_optimizationNokia kpi and_core_optimization
Nokia kpi and_core_optimization
 
LTE RF Planning Tool - Atoll
LTE RF Planning Tool - AtollLTE RF Planning Tool - Atoll
LTE RF Planning Tool - Atoll
 
Network Planning and Optimization
Network Planning and OptimizationNetwork Planning and Optimization
Network Planning and Optimization
 
LTE Air Interface
LTE Air InterfaceLTE Air Interface
LTE Air Interface
 
Cellular Networks Presentation in distributed systems, Mobile Networks
Cellular Networks Presentation in distributed systems, Mobile NetworksCellular Networks Presentation in distributed systems, Mobile Networks
Cellular Networks Presentation in distributed systems, Mobile Networks
 
Gsm optimization
Gsm optimizationGsm optimization
Gsm optimization
 
Wireless sensor networks
Wireless sensor networksWireless sensor networks
Wireless sensor networks
 
Mimo
MimoMimo
Mimo
 
Mobile communication concepts
Mobile communication conceptsMobile communication concepts
Mobile communication concepts
 
Wireless LANs(IEEE802.11) Architecture
Wireless LANs(IEEE802.11) Architecture Wireless LANs(IEEE802.11) Architecture
Wireless LANs(IEEE802.11) Architecture
 
Beamforming
BeamformingBeamforming
Beamforming
 

Destacado

44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON
 
Mobile Network Attack Evolution
Mobile Network Attack EvolutionMobile Network Attack Evolution
Mobile Network Attack Evolution
Positive Hack Days
 

Destacado (9)

44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
 
29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotware29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotware
 
Crash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and securityCrash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and security
 
Mobile Network Attack Evolution
Mobile Network Attack EvolutionMobile Network Attack Evolution
Mobile Network Attack Evolution
 
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
 
Abusing Calypso Phones
Abusing Calypso PhonesAbusing Calypso Phones
Abusing Calypso Phones
 
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionOpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
 
Imsi catcher
Imsi catcherImsi catcher
Imsi catcher
 
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
 

Similar a Osmocom

Prezentacja_Profil_Portfolio - EN
Prezentacja_Profil_Portfolio - ENPrezentacja_Profil_Portfolio - EN
Prezentacja_Profil_Portfolio - EN
Tomasz Janicki
 
Tablet in 2012
Tablet in 2012Tablet in 2012
Tablet in 2012
JJ Wu
 
docslide.us_rnc-3820-presentation-55844f36a950e
docslide.us_rnc-3820-presentation-55844f36a950edocslide.us_rnc-3820-presentation-55844f36a950e
docslide.us_rnc-3820-presentation-55844f36a950e
Tamer Ajaj
 
SBC6020 SAM9G20 based Single Board Computer
SBC6020 SAM9G20 based Single Board ComputerSBC6020 SAM9G20 based Single Board Computer
SBC6020 SAM9G20 based Single Board Computer
yclinda666
 
8051microcontroller
8051microcontroller 8051microcontroller
8051microcontroller
manish080
 
Voice Over U M T S Evolution From W C D M A, H S P A To L T E
Voice Over U M T S Evolution From W C D M A, H S P A To L T EVoice Over U M T S Evolution From W C D M A, H S P A To L T E
Voice Over U M T S Evolution From W C D M A, H S P A To L T E
Pengpeng Song
 
X tel gsm-wcdma-datasheet
X tel gsm-wcdma-datasheetX tel gsm-wcdma-datasheet
X tel gsm-wcdma-datasheet
Dlip Nyk
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1
Aziz Alaoui
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1
Daud Suleiman
 

Similar a Osmocom (20)

Prezentacja_Profil_Portfolio - EN
Prezentacja_Profil_Portfolio - ENPrezentacja_Profil_Portfolio - EN
Prezentacja_Profil_Portfolio - EN
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
 
Final
FinalFinal
Final
 
Rtos ameba
Rtos amebaRtos ameba
Rtos ameba
 
Tablet in 2012
Tablet in 2012Tablet in 2012
Tablet in 2012
 
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
 
docslide.us_rnc-3820-presentation-55844f36a950e
docslide.us_rnc-3820-presentation-55844f36a950edocslide.us_rnc-3820-presentation-55844f36a950e
docslide.us_rnc-3820-presentation-55844f36a950e
 
42
4242
42
 
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...
 
LPC 2148 ARM MICROCONTROLLER
LPC 2148 ARM MICROCONTROLLERLPC 2148 ARM MICROCONTROLLER
LPC 2148 ARM MICROCONTROLLER
 
SBC6020 SAM9G20 based Single Board Computer
SBC6020 SAM9G20 based Single Board ComputerSBC6020 SAM9G20 based Single Board Computer
SBC6020 SAM9G20 based Single Board Computer
 
8051microcontroller
8051microcontroller 8051microcontroller
8051microcontroller
 
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
 
Voice Over U M T S Evolution From W C D M A, H S P A To L T E
Voice Over U M T S Evolution From W C D M A, H S P A To L T EVoice Over U M T S Evolution From W C D M A, H S P A To L T E
Voice Over U M T S Evolution From W C D M A, H S P A To L T E
 
X tel gsm-wcdma-datasheet
X tel gsm-wcdma-datasheetX tel gsm-wcdma-datasheet
X tel gsm-wcdma-datasheet
 
Microcontroller 8051
Microcontroller 8051Microcontroller 8051
Microcontroller 8051
 
Mobile Broadband
Mobile BroadbandMobile Broadband
Mobile Broadband
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1
 
Some questions and answers on lte radio interface
Some questions and answers on lte radio interfaceSome questions and answers on lte radio interface
Some questions and answers on lte radio interface
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 

Último (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 

Osmocom

  • 2. Why ? ● Free kernels, free OSes, free WiFi drivers, free GPU drivers, free RFID readers, free software radio, why not free cellphone firmware ? ● Challenge the „secret sauce” vendor attitude ● Cellphone network security research ● Disruptive competition ● Knowledge is power
  • 3. Roadblocks ● The cellphone chipset industry is very closed (even phone manufacturers don't get chipset programming information) ● The cellphone network equipment industry is dominated by 4 major players (and even more closed) ● There is no „padawan” learning path ● GSM protocol stacks are not shipped in the mainline kernel ● The government creeps in everywhere in the telco world
  • 4. Why GSM ? Source: http://en.wikipedia.org/wiki/Comparison_of_mobile_phone_standards ● Simple but usable ● Deployed worldwide ● Hackable & abundant hardware ● GSM bands propagate very nicely
  • 5. GSM Radio interface (3) Logical channels ● BCCH, SCH, FCCH ● RACH, PCH, AGCH ● SACCH, FACCH ● SDCCH ● TCH/F, TCH/H ● AAARGHCH, WTFCH
  • 6. Osmocom project openBSC BB (baseband) http://osmocom.org/ DECT TETRA GMR Open OP25 Source MObile COMmunications
  • 7. GSM Network OpenBSC OpenBTS OsmocomBB BTS – Base Transciever Station (the tower) BSC – Base Station Controller (the brain) MSC – Mobile Switching Controller (the router) HLR – Home Location Register (/etc/passwd) MS – Mobile Station POTS – Plain Old Phone System
  • 8. The BTS OpenBTS Source: http://openbts.sourceforge.net/ 2009 1998
  • 9. The core network OpenBSC 1995 2008
  • 10. The phone OsmocomBB ?
  • 11. GSM radio Interface (1) Frames & physical channels Source: http://www.tele-servizi.com/janus/engfield2.html
  • 12. GSM Radio Interface (2) Bursts Source: http://www.scholarpedia.org/article/Global_system_for_mobile_communications_%28GSM%29
  • 13. Anatomy of a cellphone (1) Motorola C118 aka Compal E88 aka GTA0x RFFE Rita (TRF6151) ABB (ADC + DAC) Iota (TWL3025) DBB (DSP + MCU) Calypso (G2 C035) RFFE – RF Frontend ABB – Analog Baseband LCD, KBD, etc. DBB – Digital Baseband MCU – Microcontroller Unit
  • 14. Anatomy of a cellphone (2) RFCLK == 26 MHz APC – Automatic Power Correction TSP – Time Serial Port AFC – Automatic Frequency Correction BSP – Baseband Serial Port I/Q – modulation stuff you don't need to know ;-) USP – uController Serial Port VCO – Voltage Controlled Oscillator GSM/DCS/PCS – these are frequency bands
  • 15. Anatomy of a cellphone (3) Source: http://bb.osmocom.org/trac/wiki/TypicalCalypsoModemDesign
  • 16. OsmocomBB features ● Supports Calypso chipset, found inside: Motorola C115/C117 (Compal E87) Motorola C123/C121/C118 (Compal E88) Motorola C139/C140 (Compal E86) Motorola C155 (Compal E99) Openmoko GTA01/GTA02 ● Low-level RF drivers & synchronous TDMA ● GSM Layer 2 (LAPDm) and Layer 3 (RR/MM/CC) ● RS232-HDLC connection to PC for debugging ● RX-only by default
  • 17. Osmocom-bb code structure osmocom-bb/src/ target/firmware/ rf/ RFFE abb/ calypso/ ABB dsp.c tsp.c tpu.c DSP TSP TPU clock.c sim.c uart.c API RAM flash/ osmocom-bb/host/ osmoload Flash DPLL layer23 ARM SIM SRAM HDLC over RS232 ULPD GEA UART Calypso SoC
  • 18. Demo ! Plan: 0. Downloading and building the code Start the osmocom-bb on the cellphone 1. Login to a network 2. Make a call, receive a call 3. Send and receive SMS.
  • 19. Where do we go from here ? ● Handover support ● GPRS support ● Multi-SIM capability ● More Calypso phones (http://www.myphone.pl ?) ● Mediatek MTK6235 support – GSM L1 stack in the kernel possible ● Compliance testing & certification
  • 21. GSM sux, let's try WCDMA ● What about Reverse engineering WCDMA baseband firmware ? http://events.ccc.de/congress/2011/Fahrplan/ev ents/4735.en.html ● Maybe a SDR LTE base station ? http://bellard.org/lte/ (not public yet)
  • 22. Other opensource radiocomm projects ● OpenBSC ● OpenDECT ● OpenTETRA ● OpenGMR ● OpenOP25 ● Put your pet radio interface here