Miscellaneous Projects » Mobile (in)Security

[[PageOutline]]

= RRLP =

RRLP is the ''Radio Resource LCS (Location Service) Protocol'' as specified first in GSM TS 04.31

It allows the GSM network operator to obtain very precise location information about a mobile phone,

much more precise than is required for normal operation of the cellular network.

The use of RRLP has been specified for emergency calls.  However, nothing in its specification

restricts its use to this application.

In all known phones, RRLP operation is completely invisible to the user of the phone.

As GSM networks do not need to authenticate themselves, anyone can run a ''false BTS'' attack and

successively obtain precise position information on a given mobile phone.

The popular Free Software implementations of the GSM network [http://openbsc.osmocom.org/ OpenBSC] 

and [http://openbts.sourceforge.net/ OpenBTS] both support RRLP inquiries to mobile phones

Contrary to the user-plane based [wiki:SUPL], RRLP works entirely in the signaling plane of the network.  As such, the

RRLP protocol level is not accessible to user applications on a phone.  For a discussion of RRLP, SUPL

and the various different location measurement methods for mobile phones, please check this excellent

article: http://www.gpsworld.com/gps/wireless-choices-lbs-control-plane-and-user-plane-architectures-1576

== RRLP Modes ==

RRLP operates in different ''modes''.

=== MS-based GPS ===

In this method, the phone operates a stand-alone GPS receiver like it can be found in personal navigation devices.

The GPS receiver will do the regular GPS receive process, i.e.

 * iterate over the list of 64 possible scrambling codes and acquire the C/A signal

 * decode the actual data signal modulated onto the C/A carrier

 * measure the timing difference of arrival (TDOA) of the various satellite signals

 * compute a location estimate (GPS coordinates) based on the measurements

This complete GPS position fix is then communicated to the SMLC inside the GSM core network.

==== Assistance Data ====

Most RRLP capable phones will request GPS assistance data from the network.

The operation of the GPS receiver is similar to the regular MS-based GPS aporach described above,

however the GPS receiver is now an A-GPS receiver that already knows the almanac/ephemeris data and

can thus much more quickly acquire the signal.

[http://git.osmocom.org/gitweb?p=osmocom-lcs.git;a=summary osmocom-lcs.git] contains a program

that obtains the ephemeris data from an u-blox GPS receiver and structures/encodes it in the format

needed by RRLP

=== MS-assisted GPS ===

In MS-assisted GPS, the MS does not compute the actual location.  Instead, the location/position

of the phone is computed in the SMLC (part of the GSM core network).

The SMLC provides detailed information about the current GPS signal to the phone, such as:

 * which satellites are currently in the visible part of the hemisphere (and implicitly their scrambling code)

 * the expected ''doppler shift'' observed at the MS location, caused by satellite movement relative to MS

 * the expected ''code phase'', i.e. the difference between a specified GSM bit and the GPS signal chip / bit

 * the azimuth and elevation of the satellite

Based on this information, the phone does not have to do a full search/acquisition like a stand-alone GPS receiver.

Instead, it can do a very narrow search for each satellite in question, as it already knows

 * at which doppler shift / range to expect the signal

 * which pseudo-random scrambling sequence to use

 * a very narrow position within the scrambling sequence

This significantly reduces the need for cross-correlation inside the phone.

=== E-OTD ===

FIXME