SlideShare ist ein Scribd-Unternehmen logo

Osmocom

0
0xDEADC0DE
TechnologieBusiness
1 von 22
Downloaden Sie, um offline zu lesen
Opensource GSM baseband firmware
Why ? ● Free kernels, free OSes, free WiFi drivers, free GPU drivers, free RFID readers, free software radio, why not free cellphone firmware ? ● Challenge the „secret sauce” vendor attitude ● Cellphone network security research ● Disruptive competition ● Knowledge is power
Roadblocks ● The cellphone chipset industry is very closed (even phone manufacturers don't get chipset programming information) ● The cellphone network equipment industry is dominated by 4 major players (and even more closed) ● There is no „padawan” learning path ● GSM protocol stacks are not shipped in the mainline kernel ● The government creeps in everywhere in the telco world
Why GSM ? Source: http://en.wikipedia.org/wiki/Comparison_of_mobile_phone_standards ● Simple but usable ● Deployed worldwide ● Hackable & abundant hardware ● GSM bands propagate very nicely
GSM Radio interface (3) Logical channels ● BCCH, SCH, FCCH ● RACH, PCH, AGCH ● SACCH, FACCH ● SDCCH ● TCH/F, TCH/H ● AAARGHCH, WTFCH
Osmocom project openBSC BB (baseband) http://osmocom.org/ DECT TETRA GMR Open OP25 Source MObile COMmunications
GSM Network OpenBSC OpenBTS OsmocomBB BTS – Base Transciever Station (the tower) BSC – Base Station Controller (the brain) MSC – Mobile Switching Controller (the router) HLR – Home Location Register (/etc/passwd) MS – Mobile Station POTS – Plain Old Phone System
The BTS OpenBTS Source: http://openbts.sourceforge.net/ 2009 1998
The core network OpenBSC 1995 2008
The phone OsmocomBB ?
GSM radio Interface (1) Frames & physical channels Source: http://www.tele-servizi.com/janus/engfield2.html
GSM Radio Interface (2) Bursts Source: http://www.scholarpedia.org/article/Global_system_for_mobile_communications_%28GSM%29
Anatomy of a cellphone (1) Motorola C118 aka Compal E88 aka GTA0x RFFE Rita (TRF6151) ABB (ADC + DAC) Iota (TWL3025) DBB (DSP + MCU) Calypso (G2 C035) RFFE – RF Frontend ABB – Analog Baseband LCD, KBD, etc. DBB – Digital Baseband MCU – Microcontroller Unit
Anatomy of a cellphone (2) RFCLK == 26 MHz APC – Automatic Power Correction TSP – Time Serial Port AFC – Automatic Frequency Correction BSP – Baseband Serial Port I/Q – modulation stuff you don't need to know ;-) USP – uController Serial Port VCO – Voltage Controlled Oscillator GSM/DCS/PCS – these are frequency bands
Anatomy of a cellphone (3) Source: http://bb.osmocom.org/trac/wiki/TypicalCalypsoModemDesign
OsmocomBB features ● Supports Calypso chipset, found inside: Motorola C115/C117 (Compal E87) Motorola C123/C121/C118 (Compal E88) Motorola C139/C140 (Compal E86) Motorola C155 (Compal E99) Openmoko GTA01/GTA02 ● Low-level RF drivers & synchronous TDMA ● GSM Layer 2 (LAPDm) and Layer 3 (RR/MM/CC) ● RS232-HDLC connection to PC for debugging ● RX-only by default
Osmocom-bb code structure osmocom-bb/src/ target/firmware/ rf/ RFFE abb/ calypso/ ABB dsp.c tsp.c tpu.c DSP TSP TPU clock.c sim.c uart.c API RAM flash/ osmocom-bb/host/ osmoload Flash DPLL layer23 ARM SIM SRAM HDLC over RS232 ULPD GEA UART Calypso SoC
Demo ! Plan: 0. Downloading and building the code Start the osmocom-bb on the cellphone 1. Login to a network 2. Make a call, receive a call 3. Send and receive SMS.
Where do we go from here ? ● Handover support ● GPRS support ● Multi-SIM capability ● More Calypso phones (http://www.myphone.pl ?) ● Mediatek MTK6235 support – GSM L1 stack in the kernel possible ● Compliance testing & certification
Backup slides
GSM sux, let's try WCDMA ● What about Reverse engineering WCDMA baseband firmware ? http://events.ccc.de/congress/2011/Fahrplan/ev ents/4735.en.html ● Maybe a SDR LTE base station ? http://bellard.org/lte/ (not public yet)
Other opensource radiocomm projects ● OpenBSC ● OpenDECT ● OpenTETRA ● OpenGMR ● OpenOP25 ● Put your pet radio interface here

Empfohlen

2G optimization_with_optima
2G optimization_with_optima2G optimization_with_optima
2G optimization_with_optimaZIZI Yahia
 
05 gsm bss network kpi (tch congestion rate) optimization manual
05 gsm bss network kpi (tch congestion rate) optimization manual05 gsm bss network kpi (tch congestion rate) optimization manual
05 gsm bss network kpi (tch congestion rate) optimization manualtharinduwije
 
Wcdma Core Network Introduction
Wcdma Core Network IntroductionWcdma Core Network Introduction
Wcdma Core Network Introductionguest1f85dd
 
Ericsson optimization opti
Ericsson optimization optiEricsson optimization opti
Ericsson optimization optiTerra Sacrifice
 
Gsm architecture and call flow
Gsm architecture and call flowGsm architecture and call flow
Gsm architecture and call flowMohd Nazir Shakeel
 
Part 3 optimization 3G
Part 3 optimization 3GPart 3 optimization 3G
Part 3 optimization 3GHenry Chikwendu
 
zte umts-cs-call-drop-analysis-guide-zte
zte umts-cs-call-drop-analysis-guide-ztezte umts-cs-call-drop-analysis-guide-zte
zte umts-cs-call-drop-analysis-guide-zte3ggprs
 
GSM Channel Concept
GSM Channel ConceptGSM Channel Concept
GSM Channel ConceptMd Mustafizur Rahman
 

Empfohlen

2G optimization_with_optima
2G optimization_with_optima2G optimization_with_optima
2G optimization_with_optimaZIZI Yahia
 
05 gsm bss network kpi (tch congestion rate) optimization manual
05 gsm bss network kpi (tch congestion rate) optimization manual05 gsm bss network kpi (tch congestion rate) optimization manual
05 gsm bss network kpi (tch congestion rate) optimization manualtharinduwije
 
Wcdma Core Network Introduction
Wcdma Core Network IntroductionWcdma Core Network Introduction
Wcdma Core Network Introductionguest1f85dd
 
Ericsson optimization opti
Ericsson optimization optiEricsson optimization opti
Ericsson optimization optiTerra Sacrifice
 
Gsm architecture and call flow
Gsm architecture and call flowGsm architecture and call flow
Gsm architecture and call flowMohd Nazir Shakeel
 
Part 3 optimization 3G
Part 3 optimization 3GPart 3 optimization 3G
Part 3 optimization 3GHenry Chikwendu
 
zte umts-cs-call-drop-analysis-guide-zte
zte umts-cs-call-drop-analysis-guide-ztezte umts-cs-call-drop-analysis-guide-zte
zte umts-cs-call-drop-analysis-guide-zte3ggprs
 
GSM Channel Concept
GSM Channel ConceptGSM Channel Concept
GSM Channel ConceptMd Mustafizur Rahman
 
GSM Idle Mode Behavior
GSM Idle Mode BehaviorGSM Idle Mode Behavior
GSM Idle Mode BehaviorMd Mustafizur Rahman
 
Core cs overview (1)
Core cs overview (1)Core cs overview (1)
Core cs overview (1)Rashid Khan
 
Huawei wcdma ran10.0 overview
Huawei wcdma ran10.0 overviewHuawei wcdma ran10.0 overview
Huawei wcdma ran10.0 overviewRiadh Bachrouch
 
Gsm Originating Call Flow
Gsm Originating Call FlowGsm Originating Call Flow
Gsm Originating Call FlowDeepak Sharma
 
03 gsm bss network kpi (sdcch congestion rate) optimization manual
03 gsm bss network kpi (sdcch congestion rate) optimization manual03 gsm bss network kpi (sdcch congestion rate) optimization manual
03 gsm bss network kpi (sdcch congestion rate) optimization manualtharinduwije
 
2G Optimization
2G Optimization2G Optimization
2G OptimizationMelika Poursamar
 
Sdcch drop rate
Sdcch drop rateSdcch drop rate
Sdcch drop rateBENAIAD Abdellah
 
Huawei wcdma traffic counter
Huawei wcdma traffic counterHuawei wcdma traffic counter
Huawei wcdma traffic counterSARKHEEL
 
Enhanced fast dormancy ran 16
Enhanced fast dormancy ran 16Enhanced fast dormancy ran 16
Enhanced fast dormancy ran 16Nicolae Prisacaru
 
Tems layer3_messages
Tems layer3_messagesTems layer3_messages
Tems layer3_messagesbadgirl3086
 
Final2
Final2Final2
Final2Srinivas k
 
Ericsson 2 g ran optimization complete training
Ericsson 2 g ran optimization complete trainingEricsson 2 g ran optimization complete training
Ericsson 2 g ran optimization complete trainingsekit123
 
Call Setup Success Rate Definition and Troubleshooting
Call Setup Success Rate Definition and Troubleshooting Call Setup Success Rate Definition and Troubleshooting
Call Setup Success Rate Definition and Troubleshooting Assim Mubder
 
Ericsson documents.mx ericsson-field-guide-for-utran
Ericsson documents.mx ericsson-field-guide-for-utranEricsson documents.mx ericsson-field-guide-for-utran
Ericsson documents.mx ericsson-field-guide-for-utranThananan numatti
 
08102014_Huawei handovers-handover-algo
08102014_Huawei handovers-handover-algo08102014_Huawei handovers-handover-algo
08102014_Huawei handovers-handover-algoherobinh
 
Complete umts call flow
Complete umts call flowComplete umts call flow
Complete umts call flowsivakumar D
 
Sdcch
SdcchSdcch
SdcchDeepak Sharma
 
Handover call_flow in GSM
Handover call_flow in GSM Handover call_flow in GSM
Handover call_flow in GSMvirender123243
 
Basic of teleom gsm
Basic of teleom gsmBasic of teleom gsm
Basic of teleom gsmKartik Kalpande Patil
 
Umts networkprotocolsandcompletecallflows_01242
Umts networkprotocolsandcompletecallflows_01242Umts networkprotocolsandcompletecallflows_01242
Umts networkprotocolsandcompletecallflows_01242Stanley Oforbuike
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON
 
29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotware29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotwareAlexander Chemeris
 

Weitere ähnliche Inhalte

Was ist angesagt?

Core cs overview (1)
Core cs overview (1)Core cs overview (1)
Core cs overview (1)Rashid Khan
 
Huawei wcdma ran10.0 overview
Huawei wcdma ran10.0 overviewHuawei wcdma ran10.0 overview
Huawei wcdma ran10.0 overviewRiadh Bachrouch
 
Gsm Originating Call Flow
Gsm Originating Call FlowGsm Originating Call Flow
Gsm Originating Call FlowDeepak Sharma
 
03 gsm bss network kpi (sdcch congestion rate) optimization manual
03 gsm bss network kpi (sdcch congestion rate) optimization manual03 gsm bss network kpi (sdcch congestion rate) optimization manual
03 gsm bss network kpi (sdcch congestion rate) optimization manualtharinduwije
 
Huawei wcdma traffic counter
Huawei wcdma traffic counterHuawei wcdma traffic counter
Huawei wcdma traffic counterSARKHEEL
 
Enhanced fast dormancy ran 16
Enhanced fast dormancy ran 16Enhanced fast dormancy ran 16
Enhanced fast dormancy ran 16Nicolae Prisacaru
 
Tems layer3_messages
Tems layer3_messagesTems layer3_messages
Tems layer3_messagesbadgirl3086
 
Ericsson 2 g ran optimization complete training
Ericsson 2 g ran optimization complete trainingEricsson 2 g ran optimization complete training
Ericsson 2 g ran optimization complete trainingsekit123
 
Call Setup Success Rate Definition and Troubleshooting
Call Setup Success Rate Definition and Troubleshooting Call Setup Success Rate Definition and Troubleshooting
Call Setup Success Rate Definition and Troubleshooting Assim Mubder
 
Ericsson documents.mx ericsson-field-guide-for-utran
Ericsson documents.mx ericsson-field-guide-for-utranEricsson documents.mx ericsson-field-guide-for-utran
Ericsson documents.mx ericsson-field-guide-for-utranThananan numatti
 
08102014_Huawei handovers-handover-algo
08102014_Huawei handovers-handover-algo08102014_Huawei handovers-handover-algo
08102014_Huawei handovers-handover-algoherobinh
 
Complete umts call flow
Complete umts call flowComplete umts call flow
Complete umts call flowsivakumar D
 
Handover call_flow in GSM
Handover call_flow in GSM Handover call_flow in GSM
Handover call_flow in GSMvirender123243
 
Umts networkprotocolsandcompletecallflows_01242
Umts networkprotocolsandcompletecallflows_01242Umts networkprotocolsandcompletecallflows_01242
Umts networkprotocolsandcompletecallflows_01242Stanley Oforbuike
 

Was ist angesagt? (20)

GSM Idle Mode Behavior
GSM Idle Mode BehaviorGSM Idle Mode Behavior
GSM Idle Mode Behavior
 
Core cs overview (1)
Core cs overview (1)Core cs overview (1)
Core cs overview (1)
 
Huawei wcdma ran10.0 overview
Huawei wcdma ran10.0 overviewHuawei wcdma ran10.0 overview
Huawei wcdma ran10.0 overview
 
Gsm Originating Call Flow
Gsm Originating Call FlowGsm Originating Call Flow
Gsm Originating Call Flow
 
03 gsm bss network kpi (sdcch congestion rate) optimization manual
03 gsm bss network kpi (sdcch congestion rate) optimization manual03 gsm bss network kpi (sdcch congestion rate) optimization manual
03 gsm bss network kpi (sdcch congestion rate) optimization manual
 
2G Optimization
2G Optimization2G Optimization
2G Optimization
 
Sdcch drop rate
Sdcch drop rateSdcch drop rate
Sdcch drop rate
 
Huawei wcdma traffic counter
Huawei wcdma traffic counterHuawei wcdma traffic counter
Huawei wcdma traffic counter
 
Enhanced fast dormancy ran 16
Enhanced fast dormancy ran 16Enhanced fast dormancy ran 16
Enhanced fast dormancy ran 16
 
Tems layer3_messages
Tems layer3_messagesTems layer3_messages
Tems layer3_messages
 
Final2
Final2Final2
Final2
 
Ericsson 2 g ran optimization complete training
Ericsson 2 g ran optimization complete trainingEricsson 2 g ran optimization complete training
Ericsson 2 g ran optimization complete training
 
Call Setup Success Rate Definition and Troubleshooting
Call Setup Success Rate Definition and Troubleshooting Call Setup Success Rate Definition and Troubleshooting
Call Setup Success Rate Definition and Troubleshooting
 
Ericsson documents.mx ericsson-field-guide-for-utran
Ericsson documents.mx ericsson-field-guide-for-utranEricsson documents.mx ericsson-field-guide-for-utran
Ericsson documents.mx ericsson-field-guide-for-utran
 
08102014_Huawei handovers-handover-algo
08102014_Huawei handovers-handover-algo08102014_Huawei handovers-handover-algo
08102014_Huawei handovers-handover-algo
 
Complete umts call flow
Complete umts call flowComplete umts call flow
Complete umts call flow
 
Sdcch
SdcchSdcch
Sdcch
 
Handover call_flow in GSM
Handover call_flow in GSM Handover call_flow in GSM
Handover call_flow in GSM
 
Basic of teleom gsm
Basic of teleom gsmBasic of teleom gsm
Basic of teleom gsm
 
Umts networkprotocolsandcompletecallflows_01242
Umts networkprotocolsandcompletecallflows_01242Umts networkprotocolsandcompletecallflows_01242
Umts networkprotocolsandcompletecallflows_01242
 

Andere mochten auch

44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON
 
29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotware29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotwareAlexander Chemeris
 
Crash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and securityCrash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and securityArturo Filastò
 
Mobile Network Attack Evolution
Mobile Network Attack EvolutionMobile Network Attack Evolution
Mobile Network Attack EvolutionPositive Hack Days
 
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Luca Bongiorni
 
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionOpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionLuca Bongiorni
 
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection SystemLuca Bongiorni
 

Andere mochten auch (9)

44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
 
29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotware29c3 OpenBTS workshop - Hardware and sotware
29c3 OpenBTS workshop - Hardware and sotware
 
Crash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and securityCrash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and security
 
Mobile Network Attack Evolution
Mobile Network Attack EvolutionMobile Network Attack Evolution
Mobile Network Attack Evolution
 
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
 
Abusing Calypso Phones
Abusing Calypso PhonesAbusing Calypso Phones
Abusing Calypso Phones
 
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionOpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
 
Imsi catcher
Imsi catcherImsi catcher
Imsi catcher
 
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
 

Ähnlich wie Osmocom

Prezentacja_Profil_Portfolio - EN
Prezentacja_Profil_Portfolio - ENPrezentacja_Profil_Portfolio - EN
Prezentacja_Profil_Portfolio - ENTomasz Janicki
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksJim Geovedi
 
Rtos ameba
Rtos amebaRtos ameba
Rtos amebaJou Neo
 
Tablet in 2012
Tablet in 2012Tablet in 2012
Tablet in 2012JJ Wu
 
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin VernouxHackito Ergo Sum
 
docslide.us_rnc-3820-presentation-55844f36a950e
docslide.us_rnc-3820-presentation-55844f36a950edocslide.us_rnc-3820-presentation-55844f36a950e
docslide.us_rnc-3820-presentation-55844f36a950eTamer Ajaj
 
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...Ardavan Pedram
 
LPC 2148 ARM MICROCONTROLLER
LPC 2148 ARM MICROCONTROLLERLPC 2148 ARM MICROCONTROLLER
LPC 2148 ARM MICROCONTROLLERsravannunna24
 
SBC6020 SAM9G20 based Single Board Computer
SBC6020 SAM9G20 based Single Board ComputerSBC6020 SAM9G20 based Single Board Computer
SBC6020 SAM9G20 based Single Board Computeryclinda666
 
8051microcontroller
8051microcontroller 8051microcontroller
8051microcontroller manish080
 
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...Hsien-Hsin Sean Lee, Ph.D.
 
Voice Over U M T S Evolution From W C D M A, H S P A To L T E
Voice Over U M T S Evolution From W C D M A, H S P A To L T EVoice Over U M T S Evolution From W C D M A, H S P A To L T E
Voice Over U M T S Evolution From W C D M A, H S P A To L T EPengpeng Song
 
X tel gsm-wcdma-datasheet
X tel gsm-wcdma-datasheetX tel gsm-wcdma-datasheet
X tel gsm-wcdma-datasheetDlip Nyk
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1Aziz Alaoui
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1Daud Suleiman
 

Ähnlich wie Osmocom (20)

Prezentacja_Profil_Portfolio - EN
Prezentacja_Profil_Portfolio - ENPrezentacja_Profil_Portfolio - EN
Prezentacja_Profil_Portfolio - EN
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
 
Final
FinalFinal
Final
 
Rtos ameba
Rtos amebaRtos ameba
Rtos ameba
 
Tablet in 2012
Tablet in 2012Tablet in 2012
Tablet in 2012
 
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
 
docslide.us_rnc-3820-presentation-55844f36a950e
docslide.us_rnc-3820-presentation-55844f36a950edocslide.us_rnc-3820-presentation-55844f36a950e
docslide.us_rnc-3820-presentation-55844f36a950e
 
42
4242
42
 
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...
Custom Computer Engine for Optimizing for the Inner kernel of Matrix Multipli...
 
LPC 2148 ARM MICROCONTROLLER
LPC 2148 ARM MICROCONTROLLERLPC 2148 ARM MICROCONTROLLER
LPC 2148 ARM MICROCONTROLLER
 
SBC6020 SAM9G20 based Single Board Computer
SBC6020 SAM9G20 based Single Board ComputerSBC6020 SAM9G20 based Single Board Computer
SBC6020 SAM9G20 based Single Board Computer
 
LTE Air Interface
LTE Air InterfaceLTE Air Interface
LTE Air Interface
 
8051microcontroller
8051microcontroller 8051microcontroller
8051microcontroller
 
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
 
Voice Over U M T S Evolution From W C D M A, H S P A To L T E
Voice Over U M T S Evolution From W C D M A, H S P A To L T EVoice Over U M T S Evolution From W C D M A, H S P A To L T E
Voice Over U M T S Evolution From W C D M A, H S P A To L T E
 
X tel gsm-wcdma-datasheet
X tel gsm-wcdma-datasheetX tel gsm-wcdma-datasheet
X tel gsm-wcdma-datasheet
 
Microcontroller 8051
Microcontroller 8051Microcontroller 8051
Microcontroller 8051
 
Mobile Broadband
Mobile BroadbandMobile Broadband
Mobile Broadband
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1
 
Open bts guide_en_v0.1
Open bts guide_en_v0.1Open bts guide_en_v0.1
Open bts guide_en_v0.1
 

Kürzlich hochgeladen

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 

Kürzlich hochgeladen (20)

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 

Osmocom

  • 2. Why ? ● Free kernels, free OSes, free WiFi drivers, free GPU drivers, free RFID readers, free software radio, why not free cellphone firmware ? ● Challenge the „secret sauce” vendor attitude ● Cellphone network security research ● Disruptive competition ● Knowledge is power
  • 3. Roadblocks ● The cellphone chipset industry is very closed (even phone manufacturers don't get chipset programming information) ● The cellphone network equipment industry is dominated by 4 major players (and even more closed) ● There is no „padawan” learning path ● GSM protocol stacks are not shipped in the mainline kernel ● The government creeps in everywhere in the telco world
  • 4. Why GSM ? Source: http://en.wikipedia.org/wiki/Comparison_of_mobile_phone_standards ● Simple but usable ● Deployed worldwide ● Hackable & abundant hardware ● GSM bands propagate very nicely
  • 5. GSM Radio interface (3) Logical channels ● BCCH, SCH, FCCH ● RACH, PCH, AGCH ● SACCH, FACCH ● SDCCH ● TCH/F, TCH/H ● AAARGHCH, WTFCH
  • 6. Osmocom project openBSC BB (baseband) http://osmocom.org/ DECT TETRA GMR Open OP25 Source MObile COMmunications
  • 7. GSM Network OpenBSC OpenBTS OsmocomBB BTS – Base Transciever Station (the tower) BSC – Base Station Controller (the brain) MSC – Mobile Switching Controller (the router) HLR – Home Location Register (/etc/passwd) MS – Mobile Station POTS – Plain Old Phone System
  • 8. The BTS OpenBTS Source: http://openbts.sourceforge.net/ 2009 1998
  • 9. The core network OpenBSC 1995 2008
  • 10. The phone OsmocomBB ?
  • 11. GSM radio Interface (1) Frames & physical channels Source: http://www.tele-servizi.com/janus/engfield2.html
  • 12. GSM Radio Interface (2) Bursts Source: http://www.scholarpedia.org/article/Global_system_for_mobile_communications_%28GSM%29
  • 13. Anatomy of a cellphone (1) Motorola C118 aka Compal E88 aka GTA0x RFFE Rita (TRF6151) ABB (ADC + DAC) Iota (TWL3025) DBB (DSP + MCU) Calypso (G2 C035) RFFE – RF Frontend ABB – Analog Baseband LCD, KBD, etc. DBB – Digital Baseband MCU – Microcontroller Unit
  • 14. Anatomy of a cellphone (2) RFCLK == 26 MHz APC – Automatic Power Correction TSP – Time Serial Port AFC – Automatic Frequency Correction BSP – Baseband Serial Port I/Q – modulation stuff you don't need to know ;-) USP – uController Serial Port VCO – Voltage Controlled Oscillator GSM/DCS/PCS – these are frequency bands
  • 15. Anatomy of a cellphone (3) Source: http://bb.osmocom.org/trac/wiki/TypicalCalypsoModemDesign
  • 16. OsmocomBB features ● Supports Calypso chipset, found inside: Motorola C115/C117 (Compal E87) Motorola C123/C121/C118 (Compal E88) Motorola C139/C140 (Compal E86) Motorola C155 (Compal E99) Openmoko GTA01/GTA02 ● Low-level RF drivers & synchronous TDMA ● GSM Layer 2 (LAPDm) and Layer 3 (RR/MM/CC) ● RS232-HDLC connection to PC for debugging ● RX-only by default
  • 17. Osmocom-bb code structure osmocom-bb/src/ target/firmware/ rf/ RFFE abb/ calypso/ ABB dsp.c tsp.c tpu.c DSP TSP TPU clock.c sim.c uart.c API RAM flash/ osmocom-bb/host/ osmoload Flash DPLL layer23 ARM SIM SRAM HDLC over RS232 ULPD GEA UART Calypso SoC
  • 18. Demo ! Plan: 0. Downloading and building the code Start the osmocom-bb on the cellphone 1. Login to a network 2. Make a call, receive a call 3. Send and receive SMS.
  • 19. Where do we go from here ? ● Handover support ● GPRS support ● Multi-SIM capability ● More Calypso phones (http://www.myphone.pl ?) ● Mediatek MTK6235 support – GSM L1 stack in the kernel possible ● Compliance testing & certification
  • 21. GSM sux, let's try WCDMA ● What about Reverse engineering WCDMA baseband firmware ? http://events.ccc.de/congress/2011/Fahrplan/ev ents/4735.en.html ● Maybe a SDR LTE base station ? http://bellard.org/lte/ (not public yet)
  • 22. Other opensource radiocomm projects ● OpenBSC ● OpenDECT ● OpenTETRA ● OpenGMR ● OpenOP25 ● Put your pet radio interface here