Open Source Mobile Communications

I've merged the DECT tree with the Linux 3.5 release. Experimental support for US-DECT for the UPCS band will also be pushed out soon.

This is the announcement for the latest incarnation of our bi-weekly Osmocom Berlin meeting.

August 8, 8pm @ CCC Berlin, Marienstr. 11, 10113 Berlin

The schedule is as follows:

20:00 Contemporary smartphone hardware architecture (Harald)

• Harald will be talking about hardware architecture of modern smartphones.

21:00 Informal discussions

• Demo of OsmoPCU on sysmoBTS
• Status of new SMSC
• Planning phase of custom calypso board

If you are interested to show up, feel free to do so. There is no registration required. If the initial part is not interesting to you, feel free to join us later at 21:00. The meeting is free as in "free beer", despite no actual free beer being around ;)

Osmocom-BB team member Sylvain Munaut gave a talk at PHDays 2012 about abusing the calypso phones.

It mostly focus on the technical details of the DSP hacking that was done previously to use those phones as passive sniffer and demonstrates some more hacking to turn those phones into BTS.

The talk video is available ​here and the slides are available ​here

There are something like 16 units of OsmoSDR that we have produce and which are able to sell to interested developers.

However, as there are only 16 units right now, and as the firmware and host software is in a barely usable but incomplete state, we would like to make sure that those 16 units get sold to people who actually have an interest (and expect to have at least some time time!) to fix and improve the current shortcomings.

So if you want to be among the first 16, I suggest you contact me at Harald Welte <laforge@…> and include a short description of who you are (if you are not a Osmocom regular) as well as some incidcation that you are actually going to work on improving the code. If you already know an area that you'd like to work on, please state that, too.

The price will be 180 EUR incl. VAT (that's 151.26 EUR without), i.e. the same price as for the units that will later be sold openly.

I have put together a wiki page with the current status at Status to make you aware where we are and what is missing.

Thanks in advance for your willingness to be early users and help us to improve the codebase.

While the OsmoSDR is still not available, some Osmocom team members (notably Steve Markgraf) have been hacking away on an alternative least-cost solution: rtl-sdr.

So what is rtl-sdr? It is a creative form of using consumer-grade DVB-T USB receivers, turning them into fully-fledged software defined radios.

Those DVB-T receivers supported by rtl-sdr are based on the Realtek RTL2832U chipset plus a tuner IC like the Elonics E4000.

The RTL2832U has some undocumented commands/registers, by which it can be placed into a mode where it simply forwards the unprocessed raw baseband samples (up to 2.8 MS/s 8-bit I+Q) via high-speed USB into the PC, where they are routed into gnuradio.

At a street price of about USD 20 to USD 25, they are undoubtedly the most capable low-cost SDR hardware that can be bought. So now there is really no more excuse for anyone to not learn gnuradio. You don't have to buy a USRP, not even a FCDP or an OsmoSDR: A USD 20 device is all that's needed for receiving signals like GSM, GMR, DECT, TETRA, APCO25 and many others.

All the current patches that were pending in the sylvain/gmr branch of our osmocom Wireshark tree have now been merged into the official trunk. Thanks to the Wireshark folks for reviewing them and merging them quickly.

What's supported :

• BCCH partial support (segment 1/2A/3A fully dissected)
• CCCH partial support (all messages ever seen on Thuraya are supported)
• RR partial support (all messages ever seen on Thuraya are supported)
• MM/CC forwarded to GSM dissectors and are mostly correct

The sylvain/gmr branch will now be removed but may re-appear in the future if new dissectors are written. Basically if we have new gmr stuff pending inclusion it'll be in that branch, and if the branch doesn't exist it just means the official trunk contains everything so far.

Osmo-GMR now has support for cipher stream generation. This allows to see past the CIPHER MODE COMMAND in the examples (I will put the key along with the demo files soon).

You can see the actual code in the git : ​http://cgit.osmocom.org/cgit/osmo-gmr/commit/?id=c70e5208d5a0daa9b3ff77c28f54d97f549d90f2

The algorithm was re-implemented by the Osmo-GMR team based on the reversing work done at the University of Bochum by a team comprised of Benedikt Driessen, Ralf Hund, Carsten Willems, Christof Paar, and Thorsten Holz. The Osmo-GMR team actually contributed in the late stages of this work by providing real world captures to validate the reversed algorithm and the attacks.

On February 2nd 2012, researchers Be­ne­dikt Dries­sen und Ralf Hund of the University of Bochum will report on their analysis of the GMR-1 and GMR-2 ciphers.

According to the abstract ​, the cipher used in GMR-1 and thus Thuraya is more or less the same than GSM's A5/2, and can be broken at similar complexity (i.e. almost none).

OsmocomBB team member Andreas Eversberg has been working on a new RSSI monitor firmware application within OsmocomBB.

Using this firmware, it is possible to monitor the RSSI of individual ARFCNs or even the entire spectrum.

Depending on the hardware capabilities (e.g. Hardware/FilterReplacement), it is also possible to measure the uplink RSSI.

More details are available at rssi.bin.

The current status of this firmware is available from the laforge/monitor branch in git, but is expected to be merged soon into master.

At ​28c3, the OsmoSDR team was busy verifying the hardware design on the first prototypes.

The result can be summarized as:

• SAM3U is working, enumerates on USB and can be programmed via SAM-BA
• E4K tuner driver is working
• Si570 driver is working
• FPGA can be flashed via JTAG bit-banging from SAM3U
• FPGA and SAM3U can speak via SPI

However, there are at least two bugs:

• USB socket footprint pin-out was mirrored
• clock output level of Si570 doesn't match FPGA clock input specs (amplitude too low)

The issues have been worked around, and firmware + FPGA development has made progress.