1. Opensource GSM baseband
firmware

2. Why ?
● Free kernels, free OSes, free WiFi drivers, free
GPU drivers, free RFID readers, free software
radio, why not free cellphone firmware ?
● Challenge the „secret sauce” vendor attitude
● Cellphone network security research
● Disruptive competition
● Knowledge is power

3. Roadblocks
● The cellphone chipset industry is very closed
(even phone manufacturers don't get chipset
programming information)
● The cellphone network equipment industry is
dominated by 4 major players (and even more
closed)
● There is no „padawan” learning path
● GSM protocol stacks are not shipped in the
mainline kernel
● The government creeps in everywhere in the telco
world

4. Why GSM ?
Source: http://en.wikipedia.org/wiki/Comparison_of_mobile_phone_standards
● Simple but usable
● Deployed worldwide
● Hackable & abundant hardware
● GSM bands propagate very nicely

5. GSM Radio interface (3)
Logical channels
● BCCH, SCH, FCCH
● RACH, PCH, AGCH
● SACCH, FACCH
● SDCCH
● TCH/F, TCH/H
● AAARGHCH, WTFCH

6. Osmocom project
openBSC
BB (baseband)
http://osmocom.org/ DECT
TETRA
GMR
Open OP25
Source
MObile
COMmunications

7. GSM Network
OpenBSC
OpenBTS
OsmocomBB
BTS – Base Transciever Station (the tower)
BSC – Base Station Controller (the brain)
MSC – Mobile Switching Controller (the router)
HLR – Home Location Register (/etc/passwd)
MS – Mobile Station
POTS – Plain Old Phone System

8. The BTS
OpenBTS
Source: http://openbts.sourceforge.net/
2009
1998

9. The core network
OpenBSC
1995
2008

10. The phone
OsmocomBB
?

11. GSM radio Interface (1)
Frames & physical channels
Source: http://www.tele-servizi.com/janus/engfield2.html

12. GSM Radio Interface (2)
Bursts
Source: http://www.scholarpedia.org/article/Global_system_for_mobile_communications_%28GSM%29

13. Anatomy of a cellphone (1)
Motorola C118 aka Compal E88 aka GTA0x
RFFE Rita (TRF6151)
ABB (ADC + DAC) Iota (TWL3025)
DBB (DSP + MCU) Calypso (G2 C035)
RFFE – RF Frontend
ABB – Analog Baseband
LCD, KBD, etc. DBB – Digital Baseband
MCU – Microcontroller Unit

14. Anatomy of a cellphone (2)
RFCLK == 26 MHz APC – Automatic Power Correction
TSP – Time Serial Port AFC – Automatic Frequency Correction
BSP – Baseband Serial Port I/Q – modulation stuff you don't need to know ;-)
USP – uController Serial Port VCO – Voltage Controlled Oscillator
GSM/DCS/PCS – these are frequency bands

15. Anatomy of a cellphone (3)
Source: http://bb.osmocom.org/trac/wiki/TypicalCalypsoModemDesign

16. OsmocomBB features
● Supports Calypso chipset, found inside:
Motorola C115/C117 (Compal E87)
Motorola C123/C121/C118 (Compal E88)
Motorola C139/C140 (Compal E86)
Motorola C155 (Compal E99)
Openmoko GTA01/GTA02
● Low-level RF drivers & synchronous TDMA
● GSM Layer 2 (LAPDm) and Layer 3 (RR/MM/CC)
● RS232-HDLC connection to PC for debugging
● RX-only by default

17. Osmocom-bb code structure
osmocom-bb/src/
target/firmware/
rf/
RFFE abb/
calypso/
ABB dsp.c
tsp.c
tpu.c
DSP TSP TPU clock.c
sim.c
uart.c
API RAM flash/
osmocom-bb/host/
osmoload
Flash DPLL layer23
ARM
SIM
SRAM HDLC over RS232
ULPD GEA UART
Calypso SoC

18. Demo !
Plan:
0. Downloading and building the
code
Start the osmocom-bb on the
cellphone
1. Login to a network
2. Make a call, receive a call
3. Send and receive SMS.

19. Where do we go from here ?
● Handover support
● GPRS support
● Multi-SIM capability
● More Calypso phones (http://www.myphone.pl ?)
● Mediatek MTK6235 support – GSM L1 stack in
the kernel possible
● Compliance testing & certification

20. Backup slides

21. GSM sux, let's try WCDMA
● What about Reverse engineering WCDMA
baseband firmware ?
http://events.ccc.de/congress/2011/Fahrplan/ev
ents/4735.en.html
● Maybe a SDR LTE base station ?
http://bellard.org/lte/ (not public yet)

22. Other opensource radiocomm
projects
● OpenBSC
● OpenDECT
● OpenTETRA
● OpenGMR
● OpenOP25
● Put your pet radio interface here