Indication of encryption on mobile phones

February 19, 2010

I still have not seen a phone show that the network lacks encryption, not even when testing OpenBTS, which does not support encryption at all. In fact, until recently I did not even know that the specification recommends doing so. I learned about it at 26C3 from the sensational talk by Karsten Nohl and Chris Paget and the discussion that followed. It is said that some phones simply cannot show the "no encryption" icon, and the rest do not show it because this feature is blocked by the overwhelming majority of operators by setting a special bit in the SIM card. Here is how it is described in the specification GSM 02.07, Normative Annex B.1.26:


Ciphering Indicator

The ciphering indicator feature allows the ME to detect that ciphering is not switched on and to indicate this to the user, as defined in GSM 02.09.

The ciphering indicator feature may be disabled by the home network operator setting data in the «administrative data» field (EF AD) in the SIM, as defined in GSM 11.11.

If this feature is not disabled by the SIM, then whenever a connection is in place, which is, or becomes unenciphered, an indication shall be given to the user.

Ciphering itself is unaffected by this feature, and the user can choose how to proceed.

In my free translation:

Ciphering indicator

The ciphering indicator lets the ME (Mobile Equipment, i.e. the mobile phone) determine that ciphering is not enabled and report this to the user, as defined in specification GSM 02.09.

The ciphering indicator may be blocked by the home network operator (i.e. the operator that issued the SIM card) by setting the "administrative data" field (EF AD) on the SIM card, as defined in specification GSM 11.11.

If the indicator is not blocked by the SIM, then any connection that is already unenciphered, or becomes unenciphered, must be accompanied by an indication of the lack of ciphering.

The indicator does not affect ciphering itself, and the user decides for himself how to proceed.

Also, this "feature" is mentioned in GSM 02.09 Section 3.3.3:

Functional requirements

...

The ME has to check if the user data confidentiality is switched on using one of the seven algorithms as defined in GSM 02.07. In the event that the ME detects that this is not the case, or ceases to be the case (eg during handover), then an indication is given to the user.

This ciphering indicator feature may be disabled by the SIM (see GSM 11.11).

In case the SIM does not support the feature that disables the ciphering indicator, then the ciphering indicator feature in the ME shall be enabled by default.

The nature of the indicator and the trigger points for its activation are for the ME manufacturer to decide.

During the establishment of a call the trigger point shall be at call initiation at the latest. In the case of handover the trigger point shall be the completion of handover at the latest.

The manufacturer may provide the means to enable the user to temporarily disable the feature. This should be done in such a way that the user can protect it from misuse.

In my free translation:

Functional requirements

...

The ME has to check whether user data confidentiality is protected with one of the seven algorithms defined in specification GSM 02.07. If it is not, or has ceased to be (for example, after a handover), the user is shown an indicator.

The ability to display the ciphering indicator may be prohibited by the SIM card (see specification GSM 11.11).

If the SIM card does not support prohibiting the ciphering indicator, the ability to display the ciphering indicator must be enabled by default.

The nature of the indicator and the moments at which it is triggered are determined by the ME manufacturer.

During call setup the indication must be triggered no later than call initiation. In the case of a handover the indication must be triggered no later than the completion of the handover.

The manufacturer may give the user a way to temporarily disable this feature; this must be done in such a way that the user can protect it from misuse.

Finally, specification GSM 11.11, Section 10.3.18 describes the actual format in which this flag is stored on the SIM card. It is called OFM and is stored in the low bit of the third byte of the EF AD (Administrative data) field. For some reason the GSM specifications do not decode its meaning, but the later specifications, such as 3GPP TS 31.103 Section 4.2.5, state its meaning explicitly:

The OFM bit is used to control the Ciphering Indicator as specified in TS 22.101 [21].

I.e.

The OFM bit is used to control the ciphering indicator, as described in specification TS 22.101.
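Added example (not code from the original post): a decoder for the EF AD bytes as read from a SIM, plus the ME-side rule from GSM 02.09 for when the "unenciphered" indication must be shown. The byte layout follows the GSM 11.11 citation above; the polarity of the OFM bit (1 = indicator enabled) is taken from 3GPP TS 31.102 and is an assumption, since the post does not state it.

```python
"""Decode EF_AD (Administrative Data) from a SIM and decide whether the ME may
show the ciphering indicator.

Added example, not code from the original post. Layout follows the post's
citation of GSM 11.11 10.3.18: byte 1 = MS operation mode, bytes 2-3 =
additional information with OFM in the low bit of byte 3, optional byte 4 =
MNC length. Assumption: OFM bit = 1 means the indicator is enabled, as in
3GPP TS 31.102; the post itself does not state the polarity.
"""
from dataclasses import dataclass
from typing import Optional

# MS operation mode values (byte 1 of EF_AD) from GSM 11.11.
MS_OPERATION_MODES = {
    0x00: "normal operation",
    0x80: "type approval operations",
    0x01: "normal operation + specific facilities",
    0x81: "type approval operations + specific facilities",
    0x02: "maintenance (off line)",
    0x04: "cell test operation",
}


@dataclass(frozen=True)
class AdminData:
    ms_operation_mode: int
    ofm_bit: Optional[int]      # None when the card does not carry byte 3
    mnc_length: Optional[int]   # None when optional byte 4 is absent

    @property
    def ciphering_indicator_enabled(self) -> bool:
        # GSM 02.09 3.3.3: if the SIM cannot disable the indicator, the ME
        # enables it by default. Assumed polarity: OFM = 1 -> enabled.
        return True if self.ofm_bit is None else self.ofm_bit == 1


def parse_ef_ad(raw: bytes) -> AdminData:
    """Parse the binary body of EF_AD as read from the card."""
    if not raw:
        raise ValueError("EF_AD must contain at least the operation mode byte")
    ofm = (raw[2] & 0x01) if len(raw) >= 3 else None
    mnc_len = (raw[3] & 0x0F) if len(raw) >= 4 else None
    return AdminData(raw[0], ofm, mnc_len)


def must_indicate(ef_ad: Optional[bytes], a5_algorithm: int) -> bool:
    """ME-side rule from GSM 02.09: show the 'unenciphered' indication?

    a5_algorithm is the A5/x number in use; A5/0 means no ciphering.
    ef_ad is None for a card without EF_AD, which cannot disable the feature.
    """
    if not 0 <= a5_algorithm <= 7:
        raise ValueError("A5 algorithm number must be 0..7")
    if a5_algorithm != 0:
        return False                       # link is ciphered, nothing to show
    if ef_ad is None:
        return True
    return parse_ef_ad(ef_ad).ciphering_indicator_enabled


if __name__ == "__main__":
    # Constructed sample card contents, not read from any real SIM.
    samples = {
        "indicator-off": bytes.fromhex("00 00 00 02"),
        "indicator-on":  bytes.fromhex("00 00 01 02"),
        "three-bytes":   bytes.fromhex("00 00 00"),
    }
    for name, raw in samples.items():
        ad = parse_ef_ad(raw)
        mode = MS_OPERATION_MODES.get(ad.ms_operation_mode, "unknown")
        print(f"{name:14s} {raw.hex(' ')}: mode={mode}, "
              f"indicator enabled={ad.ciphering_indicator_enabled}, "
              f"A5/0 call shows indication={must_indicate(raw, 0)}")
```

Feed it the raw bytes returned by a READ BINARY of EF AD from a smart card reader; a card whose third byte has the low bit clear is one where the operator has switched the indicator off.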

So, with a SIM card or smart card reader it should be possible to check this bit, and on a programmable SIM card to clear it and check whether the phone shows the lack of encryption when connecting to OpenBTS. That is what I am going to do soon.

If you have a SIM card reader, try to read this bit on your SIM card. Let's see whether all operators hide the ciphering indicator.

PS Thanks to Sylvain Munaut for giving a clear reference to the place in the standard where this "feature" is described.

OpenBTS 2.5.3

February 12, 2010

Some time ago the bug-fix release OpenBTS 2.5.3 came out. Everyone using the previous versions is urged to update. Source archives are, as usual, available on the SourceForge download page.

Good communications to all :)

Beeline ZM?

January 10, 2010

(Again, not about 26C3)

It seems our cellular operators have seriously decided to expand into emerging markets.

With a theatrical 5-minute delay, a consortium of VimpelCom (Beeline brand) and Alfa Group applied to take part in the tender for the privatization of Zamtel (Cell-Z), the third-largest cellular operator in Zambia, with 200 thousand subscribers against MTN's 700 thousand and Zain's 3 million.

Meanwhile the total population is almost 12 million, the literacy rate is quite decent at 80% (2003 estimate), but the average income is only US$1,150 per year, and the majority of the population lives on less than US$360 per year. Since electricity is traditionally a problem, many base stations are powered by diesel generators, and Huawei is very proud that it managed to halve the diesel consumption of the base stations it produces in Zambia.

This turns out to be an almost ideal setting for deploying OpenBTS solutions. With such a small existing network, interconnecting with SIP should not cause big problems. With the right hardware, OpenBTS could do without diesel generators altogether and run solely on solar panels and wind turbines. And the use of open products and a modular architecture gives superior flexibility.

PS Yes, for now OpenBTS is not yet ready for mass deployment. But a year from now, when it has grown all the necessary capabilities and the "right hardware" has arrived, a better solution for such deployments will not be found. The "right hardware" is already being developed by several teams (including ours), and capabilities are being added at an enviable pace. So wait, coming soon to your screens...

PS The Internet domain of Zambia is ZM.

The strength of local communities

January 6, 2010

Remember how, until recently, even in Moscow the only way to connect to the Internet was through home networks created by enthusiasts? At first only enthusiasts used them, and ordinary people had nothing to do with the Internet. Apparently this is the natural course of history: affordable Internet access first appears in local communities, "for friends".

Here are a couple of examples from places far (from us) where the Internet is still a luxury rather than a commodity. Marcelo Balisteri on the Village Telco mailing list presented his video about Parque On Line, a small "provider" of Internet in the slums of Brazil:

Parque On Line

The second example is from a recent blog entry by David Rowe: Baboons, Mesh networks, and Community. He talks about the mesh network in Scarborough (near Cape Town, South Africa) through which the people of this small town get access to the Internet. Even for free, if you are willing to have a lower priority than paying subscribers.

Interestingly, in both cases it is a business, but not a greedy one; it thinks not only about money but about people. Socially-oriented business.

PS In the next entry I will share impressions of our very interesting visit to the CCC.

Approaching Chaos Communication Congress

December 21, 2009

From 27 to 30 December we will be in Berlin, at the 26th Chaos Communication Congress (26C3). The event promises to be interesting and rich. There will be talks about GSM in general and OpenBTS in particular; Harald Welte (leader of the OpenBSC project) promises to run a local GSM network for the duration of the Congress; GSM fans will have a dedicated space for discussion, experimentation and collaboration; and the lecture list includes such talks as:

  1. Playing with the GSM RF Interface
  2. Using OpenBSC for fuzzing of GSM handsets
  3. GSM: SRSLY?

I will also speak there with a Lightning Talk and present our reference generator to the public.

All who stay safely at home this time may envy us. ;)

PS However, all talks will be available as online video from the Congress, and in a couple of months, in good quality, for download from the site.

Steve Song on innovation, communication and the African continent

December 10, 2009

A video of Steve Song's TEDx talk has been published, in which he talks about Village Telco and Mesh Potato, innovation in the modern world, telecommunication operators, and why there is now an opportunity to radically change the situation with connectivity on the African continent. He boils his analysis of modern trends in the development of communications down to 4 catchphrases:

1) Tinkering is the new Inventing
2) Emergence is the new Order
3) Quantity is the new Quality
4) Atoms are the new Bits

http://www.vimeo.com/7924369 (video, English)

http://www.slideshare.net/ssong/village-telco-tedx-newtown (slides, English)

About the Village Telco

Village Telco is a non-profit open source project, funded by the Shuttleworth Foundation and aimed at radically reducing the cost of communication for the inhabitants of the African continent. In a sense it competes with OpenBTS, having similar objectives, but in my opinion these projects are rather complementary. This is confirmed by the warm relations between representatives of both projects.

Released Kalibrator 0.2

December 5, 2009

This is not exactly news, but let it be. :)

With the gracious permission of the author (Joshua Lackey), I have released kal-0.2. Kalibrator, popularly known as 'kal', is a utility for verifying the accuracy and stability of the reference generator of your USRP. As the reference it uses synchronization with a nearby base station. But you have to find the frequency of the base station yourself. ;) You can use any phone with NetMonitor enabled, or the USRP in spectrum analyzer mode (usrp_fft.py).

The difference between kal-0.2 and kal-0.1 is the ability to choose the USRP side (A or B) and the antenna (RX/TX or RX2).

OpenBTS 2.5.1 released

December 5, 2009

A new release, OpenBTS 2.5.1, is out. Source archives are, as usual, available on the SourceForge download page. Release 2.5 contained a few bugs and was almost immediately replaced by 2.5.1, so do not be surprised. :)

This release also fixes a large number of problems in the OpenBTS SMS server smqueue, written by John Gilmore, co-founder of the EFF. The server implements an RFC 3428 store-and-forward SIP server.

Note that when upgrading from 2.4 you need to update the registration information in Asterisk. The SIP names under which mobile phones register now begin with the letters "IMSI". I.e. a phone with IMSI 310410186585295 will be registered under the SIP name "IMSI310410186585295".

The release contains a transceiver for working with the standard 64 MHz USRP clock and one for working with a 52 MHz reference clock. Everyone is strongly advised to use the 52 MHz reference clock, since the transceiver for 64 MHz will not be developed further and is kept only so that it is easier for people to start experimenting.

Universal Clocking Unit for USRP - PCBs are ready!

October 30, 2009

(Russian version of the post here)

Some time ago on the OpenBTS and gnuradio mailing lists we announced a new universal clocking board for the USRP. One of its many features is the ability to drive the USRP at 52MHz with enough stability to run OpenBTS smoothly. This week we finally received the manufactured PCBs and are in the process of preparing test samples. The main batch of PCBs will be sent for population soon and we hope to make them available for shipping in the beginning of December.

Here are some PCB pictures for now:

Universal Clocking Unit for USRP - PCB

Universal Clocking Unit for USRP is so tiny with all its features!

Universal Clocking Unit for USRP - positioning

The reference generator for OpenBTS and USRP

October 30, 2009

(native English version is here)

Some time ago on the OpenBTS and GnuRadio mailing lists we announced a universal reference (clock) generator for the USRP, which can be used, among other things, to clock the USRP at 52 MHz, the recommended mode of operation for OpenBTS. This week we finally got the boards from the factory and will soon begin assembling the first test samples. Those wishing to buy one, I hope, we will be able to invite sometime in early December. :)

And a few photos:

The reference generator for the USRP - PCB

The reference generator for the USRP turned out to be really tiny

The reference generator for the USRP - roughly how it will be positioned on the USRP.

Now that's a phone

October 22, 2009

After announcing to all our friends that we were collecting old phones, we began to build up our collection. And lo, they brought us a marvel: a car GSM phone from Motorola, which judging by the Internet was installed in old BMWs. And maybe in other cars too. It looks impressive: an all-metal body, an abundance of discrete components, power components. The output power seems to have been the maximum, 8 W. The SIM card is the full-size one, the size of a standard smart card (its slot is on the right in the picture, under the card; the semicircular protrusion in the body is a recess for the fingers, to make it easier to pull the card out).

It is a pity we got it without the handset. Since the buttons and display are on it, the phone is not fully functional without it. Friends, if someone has a stray handset for such a phone, we invite it to visit us! :)

And now the photos:

Motorola SUF1321A car-phone inside

Motorola SUF1321A car-phone bottom

OpenBTS 2.4.1 released

October 22, 2009

The bug-fix release OpenBTS 2.4.1 is out; it includes a pack of my fixes for memory access bugs and a patch from Christian Meier correcting a bug in the formation of SMS.

Available for download as an archive or via SourceForge svn.

And we move on to hunting bugs in the upcoming 2.5, to speed up its public release.

On open and not-so-open source

September 29, 2009

I must say that although all GPL projects are equal, some are more equal than others. In other words, GPL projects can be more open and less open. And OpenBTS is one of the less open ones. How can this be, when the license says that all source code must be available? Yes, it must be available, but only once you start distributing a product based on that source code. I.e. while you are developing, you can keep your changes to yourself and show them to no one. Or show them, but to a limited circle. And it will still comply with the license. Such conditions are logical, but sometimes they lead to strange consequences.

If you look at the OpenBTS download page, you will find version 1.6 (New Iberia), the version that Kestrel SP released in April this year, nearly six months ago. From the project's official blog you can learn that at Burning Man 2009 they used version 2.5, which worked well for them and which they debugged nicely for the festival. Moreover, the project's official wiki has a phone compatibility list for version 2.4.

So where are versions 2.4 and 2.5? They are available only to "active developers" from the community and to commercial customers of Kestrel SP. Why? David explains: the company needs funds to exist, and customers are willing to pay to be the first to get access to some functionality. Active developers can be treated like customers because they save the company time and money. Besides (David does not say this, but it is obvious), this makes life somewhat harder for those who want to take the software for free and sell it under their own brand. In principle everything looks logical enough, were it not for a few "buts". Suppose someone starts getting to grips with the project, does the first tests, and immediately finds the first bugs in the project. He has options: (1) ignore the bug if it does not get in the way too much, (2) report it to the mailing list or the project's tracker, and (3) fix it and send a patch to the project. For the project, option (3) is the most useful: the project gets, completely for free, a fix that the core developers had not got round to or that is rarely encountered. Options (1) and (2) make little difference to the project either way. But remember that the person is working with an old version and knows it. In that case he has very little motivation to fix the bug he found: if the developers write that everything works perfectly for them, then they have probably already fixed it, and one can simply wait until they publish the new version. Why do double work that nobody will need afterwards; the developers will surely prefer their own fix over some outside one. As a result, many bugs that could have been fixed by the community have to be fixed by the developers themselves, spending their time (and money).

There is another aspect of the problem. It turns out that the community is given a version that is certainly worse than the working one, and at the same time is told that everything works fine (but in the new version!). People install this version, try to get it to work, do not succeed very well, and spend a lot of time and effort trying to understand what is wrong, because after all it was written that everything works. Then they are told: "Here is a newer version, we are adding it to the public release, it may work better." They try it, and everything really does start to work better. How do these people feel then? As if they had been dumped. Not the most useful feeling when you work with an open-source project.

PS Yes, we have received versions 2.4 and 2.5 from David for testing. The first results are encouraging: now all our test Siemens phones connect and work without problems. More about the new test results in the following posts.

First mass test, or Nokia vs others

September 28, 2009

So, the day before yesterday, on Saturday, we held the first test of the system we assembled with different phone models. Until then we had to limit ourselves to the phones we had: several old Siemens phones, a couple of Nokias (N78 and 6021) and my Asus P750 (on WM6). In home tests:

  • The Asus P750 refused to connect (though we only tried a few times).
  • Both Nokias connected and worked. We connected the 6021 through the standard network search, and the N78 through "BTS test", locking the channel (ARFCN) to the one used by our station.
  • Once we managed to connect a test Siemens; it worked happily, disconnected and reconnected three or four more times, and made calls normally. We rejoiced and went to lunch, and when we came back it would no longer connect.

On Saturday the first autumn meeting of the ZPSh Club took place, and we did not miss the chance to use it to test our system with a more diverse set of phones. The tests involved several more Nokia phones of varying antiquity, two Sony Ericsson phones, one Motorola and two iPhones (2G and 3G). (Thanks to everyone who handed their phones over to us! :) ) The result: all the Nokia phones connected successfully and worked without problems. All the other phones saw our network but could not connect to it. An interesting exception was the iPhone 2G, which, to our surprise, calmly connected to our network. However, when trying to call it from another phone (Nokia 6021), audio went only in one direction: on the iPhone one could hear well what was said into the Nokia, but on the Nokia there was complete silence. Unfortunately we had no time to look into this glitch in detail; perhaps the problem is actually related to the SIP part and has nothing to do with the iPhone. At the next opportunity to test with an iPhone we will try to figure out the reasons for this behaviour.

Conclusion for those who want to set up OpenBTS at home: for the first tests it is better to use Nokia phones. They are not so picky about the accuracy of the BTS clock, and with them you will get something working faster. You can also try the iPhone 2G, but we do not yet have much statistics for it.

Overall we get the impression that we ran into the famous inaccurate clock problem, despite the fact that we used a stable low-noise generator of our own soldering. We do not yet understand the causes of the problems; perhaps some interference is introducing phase noise. Unfortunately, the equipment on which this can be checked is expensive enough that one does not keep it at home "just in case", and we have to move practically by feel. If you have an oscilloscope with a bandwidth of at least 500 MHz, a highly stable low-noise 52 MHz or 64 MHz frequency generator (phase noise <<-60 dBc at 1 kHz, stability better than 1 ppm) or a highly stable frequency counter (accuracy <<0.1 ppm) and you do not mind letting two people with a small base station near them, :) you will make our debugging process much easier.

Finally, a photo from another of our field tests, in the basement at my dacha.

Test in the basement

The idea was that in the absence of signals from other networks the phone would first of all try to connect to our BTS and, accordingly, synchronize its clock primarily with it, which should reduce the requirements on the BTS clock accuracy. But either the isolation from the signal of the MTS tower standing opposite was too weak, or our assumption is wrong; in any case, in half an hour of testing not a single Siemens phone managed to connect to us.

What is it?

September 28, 2009

This is a blog in which we will write about our progress working with OpenBTS, as well as about all the interesting things we find along the way. Welcome to this small Russian-speaking island of open GSM communications. :)

PS If you have also decided to dive into the world of open GSM communications and have something to tell, we will gladly invite you to take part in this blog. Write to us!