Opensource GSM baseband firmware
Why ?
●   Free kernels, free OSes, free WiFi drivers, free
    GPU drivers, free RFID readers, free software
    radio, why not free cellphone firmware ?
●   Challenge the „secret sauce” vendor attitude
●   Cellphone network security research
●   Disruptive competition
●   Knowledge is power
Roadblocks
●   The cellphone chipset industry is very closed
    (even phone manufacturers don't get chipset
    programming information)
●   The cellphone network equipment industry is
    dominated by 4 major players (and even more
    closed)
●   There is no „padawan” learning path
●   GSM protocol stacks are not shipped in the
    mainline kernel
●   The government creeps in everywhere in the telco
    world
Why GSM ?
Source: http://en.wikipedia.org/wiki/Comparison_of_mobile_phone_standards
●   Simple but usable
●   Deployed worldwide
●   Hackable & abundant hardware
●   GSM bands propagate very nicely
GSM Radio interface (3)
Logical channels
●   BCCH, SCH, FCCH
●   RACH, PCH, AGCH
●   SACCH, FACCH
●   SDCCH
●   TCH/F, TCH/H
●   AAARGHCH, WTFCH
Osmocom project
http://osmocom.org/
Open Source MObile COMmunications
●   openBSC
●   BB (baseband)
●   DECT
●   TETRA
●   GMR
●   OP25
GSM Network
[Diagram labels: OpenBSC, OpenBTS, OsmocomBB]
BTS – Base Transceiver Station (the tower)
BSC – Base Station Controller (the brain)
MSC – Mobile Switching Controller (the router)
HLR – Home Location Register (/etc/passwd)
MS – Mobile Station
POTS – Plain Old Phone System
The BTS
OpenBTS
Source: http://openbts.sourceforge.net/
[Figure labels: 1998, 2009]
The core network
OpenBSC
[Figure labels: 1995, 2008]
The phone
OsmocomBB
[Figure label: ?]
GSM radio Interface (1)
Frames & physical channels
Source: http://www.tele-servizi.com/janus/engfield2.html
GSM Radio Interface (2)
Bursts
Source: http://www.scholarpedia.org/article/Global_system_for_mobile_communications_%28GSM%29
Anatomy of a cellphone (1)
Motorola C118 aka Compal E88 aka GTA0x
●   RFFE: Rita (TRF6151)
●   ABB (ADC + DAC): Iota (TWL3025)
●   DBB (DSP + MCU): Calypso (G2 C035)
●   LCD, KBD, etc.
RFFE – RF Frontend
ABB – Analog Baseband
DBB – Digital Baseband
MCU – Microcontroller Unit
Anatomy of a cellphone (2)
RFCLK == 26 MHz
TSP – Time Serial Port
BSP – Baseband Serial Port
USP – uController Serial Port
APC – Automatic Power Correction
AFC – Automatic Frequency Correction
I/Q – modulation stuff you don't need to know ;-)
VCO – Voltage Controlled Oscillator
GSM/DCS/PCS – these are frequency bands
Anatomy of a cellphone (3)
Source: http://bb.osmocom.org/trac/wiki/TypicalCalypsoModemDesign
OsmocomBB features
●   Supports Calypso chipset, found inside:
    Motorola C115/C117 (Compal E87)
    Motorola C123/C121/C118 (Compal E88)
    Motorola C139/C140 (Compal E86)
    Motorola C155 (Compal E99)
    Openmoko GTA01/GTA02
●   Low-level RF drivers & synchronous TDMA
●   GSM Layer 2 (LAPDm) and Layer 3 (RR/MM/CC)
●   RS232-HDLC connection to PC for debugging
●   RX-only by default
Osmocom-bb code structure
osmocom-bb/src/
    target/firmware/
        rf/
        abb/
        calypso/
            dsp.c
            tsp.c
            tpu.c
            clock.c
            sim.c
            uart.c
        flash/
osmocom-bb/host/
    osmoload
    layer23
[Block diagram labels: RFFE, ABB, DSP, TSP, TPU, API RAM, Flash, DPLL, ARM, SIM, SRAM, ULPD, GEA, UART, Calypso SoC, HDLC over RS232]
Demo !
Plan:
0. Downloading and building the code
   Start the osmocom-bb on the cellphone
1. Login to a network
2. Make a call, receive a call
3. Send and receive SMS.
Where do we go from here ?
●   Handover support
●   GPRS support
●   Multi-SIM capability
●   More Calypso phones (http://www.myphone.pl ?)
●   Mediatek MTK6235 support – GSM L1 stack in
    the kernel possible
●   Compliance testing & certification
Backup slides
GSM sux, let's try WCDMA
●   What about Reverse engineering WCDMA
    baseband firmware ?
    http://events.ccc.de/congress/2011/Fahrplan/events/4735.en.html
●   Maybe a SDR LTE base station ?
    http://bellard.org/lte/ (not public yet)
Other opensource radiocomm projects
●   OpenBSC
●   OpenDECT
●   OpenTETRA
●   OpenGMR
●   OpenOP25
●   Put your pet radio interface here
