Open Source Mobile Communications

According to some news report, including this report at softpedia, a 26 year old student at the Faculty of Criminal Justice and Security in Maribor, Slovenia has received a suspended prison sentence for finding flaws in Slovenian police and army TETRA network using OsmocomTETRA.

If a TETRA network (like any other network) is configured with broken security, then the people responsible for configuring and operating that network are to be blamed, and not the researcher who invests his personal time and effort into demonstrating that police radio communications safety is broken. On the outside, the court sentence really sounds like "shoot the messenger". They should instead have jailed the people responsible for deploying such an insecure network in the first place, as well as those responsible for not doing the most basic air-interface interception tests before putting such a network into production.

According to all reports, the student had shared the results of his research with the authorities and there are public detailed reports from 2015, like the report (in Slovenian) at https://podcrto.si/vdor-v-komunikacijo-policije-razkril-hude-varnostne-ranljivosti-sistema-tetra/.

The Osmocom project has migrated from an aging infrastructure consisting of multiple trac instances to a new environment using redmine.

Using redmine allows us to create a comprehensive hierarchy of nested projects, and allows projects to be shifted around in that hierarchy after the fact, as well as cross-project issue (=ticket) relationships. This fits our development much better than what we had before.

Over the past five weeks, the content of the affected was imported and manually reviewed/edited/migrated. You may still find some pages with erroneous formatting or other issues. If you do, please consider registering an account and fixing it yourself, or notifying the respective project mailing list (openbsc@lists.osmocom.org in case of doubt) about the issue you've encountered.

Specifically, this includes the old sites:

• http://bb.osmocom.org/ (OsmocomBB)
• http://openbsc.osmocom.org/ (OpenBSC, OsmoBTS, OsmoBSC, OsmoNITB, OsmoSGSN, ...)
• http://tetra.osmocom.org/ (OsmocomTETRA)
• http://simtrace.osmocom.org/ (Osmocom SIMtrace)
• http://security.osmocom.org/
• http://gmr.osmocom.org/ (OsmocomGMR)
• http://sdr.osmocom.org/ (OsmoSDR, rtl-sdr, ...)

More details can be found in Harald's blog post at http://laforge.gnumonks.org/blog/20160221-osmocom-redmine/

Yesterday the Osmocom project founder Harald Welte presented about Open Source Network Elements for Security Analysis of Mobile Networks at the Troopers 2016 TelcoSecDay.

The main topics addressed by this presentation are:

• Importance of Free and Open Source Software implementations of cellular network protocol stacks / interfaces / network elements for applied telecom security research
• The progress we've made at Osmocom over the last eight years.
• An overview about our current efforts to implement at 3G Network similar to the existing 2G/2.5G/2.75G implementations.

There are no audio or video recordings of this session.

Slides are available at http://git.gnumonks.org/index.html/laforge-slides/plain/2016/telcosecday/foss-gsm.html

The Osmocom manual collection has received a new member, the OsmoPCU Gb protocol specification, which documents the Gb/IP interface provided by OsmoPCU and its NS and BSSGP protocol implementations.

The new manual is available from http://ftp.osmocom.org/docs/latest/osmopcu-gb.pdf

Today, sysmocom GmbH has announced the public availability of a set of freely available user manuals for a range of Osmocom software projects for operation of Free Software based cellular networks.

The sysmocom-created user manuals had so far been available only to customers of sysmocom GmbH, but are now made publicly available to all users of Osmocom software.

The release includes user manuals and VTY command line reference manuals for the OpenBSC flavors OsmoBSC and OsmoNITB, as well as OsmoBTS, OsmoPCU and OsmoSGSN.

Both PDF rendered versions, as well as the asciidoc source code is made available under the GNU Free Documentation License (GFDL).

The PDF renderings of the latest version of the manuals are available from http://ftp.osmocom.org/docs/latest/, while the asciidoc source code is available from http://git.osmocom.org/osmo-gsm-manuals/. The PDF versions are also linked directly from the respective project wiki pages on http://projects.osmocom.org/

Rhizomatica Hackathon in Oaxaca, Mexico¶

Rhizomatica's goal is to increase access to mobile telecommunications to people without (affordable) coverage. This is done by helping people build and manage their own networks. Currently 16 villages around Oaxaca that have no regular GSM coverage are operating their own GSM network.

Those installations are using the Osmocom Open Source software stack including OsmoBTS and OpenBSC's OsmoNITB.

The recent hackathon by Rhizomatica brought together many different parties involved in community cellular networks from around Oaxaca as well as Nicaragua and Brazil. For this occasion Osmocom project member Daniel was asked to attend in order to hold a workshop on OpenBSC as well as help with problems setting up networks throughout the hackathon. The results were demo sites being successfully set up as well as discussions on future improvements.

During the hackathon, one of the deployments in a village was visited, providing opportunity not only to have a look at the installation, but also to talk to the municipal government operating the network.

Seeing the software we constantly improve being used to bring remote communities closer together was very uplifting.

We hope for many more such deployments, where Open Source Mobile Communications software is used to make a real difference by providing affordable telecommunications services.

For more information about Rhizomatica, see http://rhizomatica.org/

Dear fellow Osmcoom developers,

it is my pleasure to finally announce the date + venue of OsmoDevCon2015:

• Date: March 27 through March 30, 2015
• Place: IN-Berlin, Lehrter Str. 53, Berlin

Like last year, this is an event for developers of the various Osmocom proejects. Reservation and confirmation of reservation is required.

The event is free of charge. The Room is made available by ​IN-Berlin e.V., an Internet related non-profit organization. Lunch catering will be sponsored (so far by sysmocom GmbH, but if any other sponsors come up, we are happy to share the cost).

So all you have to cover is your own travel + accomodation costs, as well as breakfast and dinner. If you are an active developer and cannot afford travel/accomodation, please let me know and I'll see if we can do something about it.

If you would like to attend, please send a message to ​​laforge@gnumonks.org applying for registration of the event. The registration deadline is February 20, i.e. one week from now.

There is no detailed schedule of talks yet. I will start a separate discussion suggesting / collecting topics in the next couple of days.

More information is (and will be made) available at OsmoDevCon2015

Further discussion regarding the event should be directed at the osmocom-event-orga@lists.osmocom.org mailing list, to avoid cross-posting over the various project-specific lists.

Best regards and happy hacking,

Harald

3G is dead, you may think. From the perspective of large scale operators, that may well be the case, but this is precisely the reason why Open Source support for 3G is becoming increasingly interesting: when the focus for earning money shifts towards LTE infrastructure, the threshold for setting up 3G networks is becoming easier to surpass for everyone else.

We are implementing Iuh support in the Osmocom stack, mostly carried out by employees of sysmocom GmbH¹, with highly appreciated (yet undisclosed) external backing.

Iu support in Osmocom will allow using a femto-cell aka hNodeB as BTS, thus enabling UMTS voice (IuCS) and data (IuPS) connectivity using FOSS software from the core network right up to the femto-cell's ethernet jack.

Here is an ASCII art overview of our current aim:

        +------------+           +--------+          +----------+
 UE <-->| hNodeB     |<--Iuh---->| HNB-GW |<--IuCS-->| OsmoCSCN |
 UE <-->| femto cell |     ...-->|        |    ...-->|          |
        |            |           |        |          +----------+
        +------------+<--GTP-U   |        |
                              \  |        |          +------+           +------+
                              |  |        |<--IuPS-->| SGSN |<--GTP-C-->| GGSN |
                              |  +--------+    ...-->|      |   GTP-U-->|      |
                              |                      +------+  /        +------+
                              \_______________________________/

                      Iuh                         IuCS/IuPS

NAS                   +----+----+                 +----+----+
Non-Access Stratum    | CC | MM |                 | CC | MM |
- - - - - - - - - - - +----+----+-------+         +----+----+
                      | RANAP   |       |    H    | RANAP   |
Access Stratum        +---------+ HNBAP |    N    +---------+ - - SCCP USER SAP
                      | RUA     |       |    B    | SUA     |  \
                      +---------+-------+    -    +---------+  |
                      |        SCTP     |    G    | SCTP    |  } SIGTRAN
                      +-----------------+    W    +---------+  |
                      |        IP       |         | IP      |  /
                      +-----------------+         +---------+

UE (User Endpoint) MS (Mobile Subscriber) mobile device
CSCN (Circuit Switched Core Network) == OsmoNITB without BSC
(Source: ​http://git.osmocom.org/osmo-iuh/tree/doc/protocols_around_hnbgw.txt )

3G Data Status¶

The best news first: in our lab, Daniel has successfully established the first functional UMTS data link!

In other words, the two GTP paths

hNodeB --Iuh--> HNB-GW --IuPS--> SGSN --GTP-C--> GGSN
hNodeB --GTP-U--> GGSN
are already functional in a basic fashion. To test it, you would need to checkout various branches in various git repositories. These shall soon be merged to the respective master branches, but currently, that would be:

• libasn1c: master
• asn1c: aper-prefix
• libosmocore: master
• libosmo-netif: sysmocom/sctp
• libosmo-sccp: laforge/wip
• osmo-iuh: master
• openbsc: daniel/gprs-iu

3G Voice Status¶

The voice link (IuCS) still needs some work before even the attempt of a location update will make sense. The point here is that previously, OsmoNITB would combine the roles of BSC with the MSC and further core network components. For Iuh, though, the BSC role is actually embedded in the hNodeB, and thus we are aiming to split the BSC part off of OsmoNITB.

The result will be called OsmoCSCN, CSCN meaning Circuit-Switched-Core-Network, which lives in openbsc.git/openbsc/src/osmo-cscn/ (branch sysmocom/cscn).

NOTE from the future: OsmoCSCN has since been renamed to OsmoMSC!

OsmoCSCN comprises of "only" the MSC and further CN components. It will feature an IuCS interface, as well as, eventually, a proper A-interface towards 2G BSCs, thus obsoleting the OsmoNITB at some point.

Implementing OsmoCSCN is mostly my task, and after sinking some time into training my eye on the fine line between BSC and MSC, I've finally started actual development with the dawn of 2016.

3G in a Nutshell¶

Let me illustrate some details of the Iu interfaces. The following is basically Harald's 3G talk at the 32c3², but with the sheer abundance of complexity it can't hurt to read it in prose.

HNB-GW¶

The HNB-GW, i.e. the HomeNodeB Gateway, merely reads the CN-DomainIndicator from the RUA layer, which says whether the frame is for voice or data comms (IuCS or IuPS). It then sends the actual RANAP payload either to the OsmoCSCN or the OsmoSGSN. The HNB-GW is implemented in osmo-iuh/src/hnbgw.c, compiling as osmo-hnbgw, and is (mostly?) complete.

An interesting factoid is that for an hNodeB, the GTP-Control handshaking goes via the HNB-GW, while the packet user data actually goes directly to/from the hNodeB and the GGSN.

HNBAP¶

HNBAP is merely the protocol employed to register an hNodeB with the HomeNodeB Gateway. After HNBAP is done, the hNodeB sends RANAP-over-RUA, which the HNB-GW happily passes on to the proper consumers.

SIGTRAN¶

Typically, the IuCS and IuPS interfaces would talk this layering of protocols:

  CC/MM
  RANAP
  SCCP  <--- note
  M3UA  <--- note
  SCTP
  IP

We do have SCCP support in Osmocom, but so far only for "connectionless" messages (like your standard UDP datagrams). Iu now adds the need for establishing and tearing down connections (like TCP).

However, since SUA does the same as SCCP-over-M3UA and is simpler to implement, our HNB-GW talks SUA towards IuCS and IuPS:

  CC/MM
  RANAP
  SUA   <--- note
  SCTP
  IP

To support third-party MSC and SGSN components, we would either add SCCP-over-M3UA capability, or simply use an external signalling gateway that supports both M3UA and SUA (should be possible e.g. with osmo_ss7³).

Various SIGTRAN implementations:

                IuCS/IuPS
                  usual
                   |     simplest
                   |       |
                   v       v
  +------+------+------+-----+
  | SCCP | SCCP |      |     |
  +------+------+ SCCP |     |
  | MTP3 | MTP3 |      |     |
  +------+------+------+ SUA |
  | MTP2 |      |      |     |
  +------+ M2UA | M3UA |     |
  | M2PA |      |      |     |
  +------+------+------+-----+
  |           SCTP           |
  +--------------------------+
  |            IP            |
  +--------------------------+

ASN1 Convolutions¶

RANAP, RUA and HNBAP, which make up the Iuh interface, are ASN1 encoded. Fair enough, but their ASN1 encoding uses APER, and heavily employs Information Object Classes (which basically means it wraps ASN1 encoded binary data in ASN1 IEs, with several levels of depth). In consequence, the libre asn1c compiler as-is unfortunately is not capable of generating de-/encoders for UMTS. The proprietary ffasn1c is capable of that, and we could publish the ffasn1c generated code without licensing problems, but we'd highly prefer to empower the FOSS community with the ability to modify and fix the ASN1 de-/encoders independently of proprietary software.

The great news is that Eurecom⁴ has worked on supporting both APER and the nested ASN1 structures ("Information Object Classes") in asn1c, and we are able to use their solutions in a FOSS way. With some fixes added, we have both their APER support and their pythonic solution for nested ASN1 available in Osmocom's libasn1c and asn1c git repositories⁵.

Another problem with the Iuh ASN1 is that various type names are identical across RANAP, RUA and HNBAP, while their encodings differ. This causes type name collisions in the code generated by asn1c, hence we have added prefixing support to our version of asn1c. This simply means that each RANAP-related type name or function begins with "ranap_", and RUA names begin with "rua_", thus avoiding any and all name collisions between those protocols. See osmo-iuh/include/osmocom/ranap/ and ../rua/.

It could be more beautiful, but the bottom line is that we now have fully free/libre support for Iuh ASN1 encodings. Cheers!

Conclusion¶

Osmocom is on a clear trajectory towards full 3G support, empowering remote communities and small to medium businesses worldwide. Work is ongoing, but the really hard problems have already been solved. Stay tuned!

External References

¹ ​http://sysmocom.de

² ​https://media.ccc.de/v/32c3-7412-running_your_own_3g_3_5g_network

³ ​http://git.osmocom.org/erlang/osmo_ss7

⁴ ​http://www.eurecom.fr

⁵ See ​http://git.osmocom.org/libasn1c/ and ​http://git.osmocom.org/asn1c/log/?h=aper-prefix

This is the announcement for the re-incarnation of our bi-weekly OsmocomMeeting/Berlin meeting.

Dec 09, 8pm @ CCC Berlin, Marienstr. 11, 10117 Berlin

There is no formal presentation this time, but

• there will be SIMtrace equipment in case somebody wants to play with it
• there will be a sysmoBTS with OsmoBTS, OsmoPCU, OsmoNITB, OsmoSGSN and OpenGGSN if somebody wants to play with it
• The meeting is open to anyone interested in mobile communications. You do not have to be involved with the Osmocom projects in order to attend. Anyone interested in mobile communications protocols is welcome.

If you are interested to show up, feel free to do so. The meeting is "free as in free beer", despite no actual free beer being around ;)

GMR-1 uses an undocumented codec in the AMBE family and as such Osmo-GMR didn't have any implementation of it and converting TCH3 frames to actual audio wasn't possible.

Now, after quite a bit of effort to figure things out, I'm pleased to announce that an open-source decoder is available. It's not perfect and doesn't match the quality of the official decoder but it does produce intelligible voice and will have to do for now.

It's currently available in a separate 'sylvain/codec' branch in the git but should be merged into master soon after a last review of the code.