Tuesday 4 October 2011

Over The Air 2011: OpenBTS - Open Source GSM

Will Rogers, Senior Consultant at Detica

  • Open Base Transceiver Station: http://openbts.sourceforge.net/
  • software implementation of radio towers
  • USRP: universal software radio peripheral
  • written in C++ on top of GNU Radio
  • fairly stable – maintained by Free Software Foundation
  • only acts as an access point – doesn’t simulate entire mobile network
    • another project: OpenBSC does more
  • but, can translate GSM into VOIP – Asterix
  • originally built by David Burgess (Range Networks) and Harvind Samra
    • Range Networks building commercial implementations (e.g. Femtocells)
  • originally designed for:
  • enables GSM network for $1/month per subscriber
  • hardly uses any power
  • range depends on antenna & height
    • Burning Man covered 5km – with a microwave backhaul
  • supports handset registration
    • requires no pre-provisioning
    • get a text with a code – reply and your IMSI gets added to the asterix
  • some branches support USSD (free data)
  • requirements:
    • hardware:
      • can run the whole thing in a VM
      • USB (for USRP 1), or ethernet (for USRP 2)
    • software:
      • most linuxes (Ubuntu well supported)
      • GNUradio
      • Asterix PBX
  • USRP was chosen as it was available, but it’s not really designed for GSM
    • better to have multiple of 13MHz clock
    • daughterboards available for various RF frequencies
    • need to have GSM-specific one
  • resources
  • channels
    • default is one logical channel for control
    • everything else (7) for voice
    • that means 7 simultaneous handset calls at once
      • e.g. 3 on-network conversations + one outbound
    • if you want more then you need multiple BTS units
    • if want SMS then need to steal a voice channel for control
  • SMS messages need routing, so OpenBTS includes smsqueue which forwards messages
  • limitations
    • doesn’t support live handover of calls
    • no data support (GPRS or Edge)
    • no way of supporting roaming or billing
    • 3G/UMTS boxes are available, but not yet open source
      • OpenBSC may get there first
    • doesn’t support encryption
  • use CC/MNC of 001/01 – these are the test values
  • OpenBTS console has various commands
    • timsi lists connected IMSIs and IMEIs
    • testcall creates a UDP connection to the phone
      • you can then send Layer 3 packets
    • sendrrlp sends a request for location (as mandated by US Gov)
      • can provide info about cell tower locations and phone will calculate location itself

No comments: