jolly, 02/19/2016 10:49 PM


OsmocomBB EMI Firmware

[[Image(emi-firmware:emi_main.jpg)]]

Introduction

OsmocomBB EMI is a tool to generate GSM RF interference. It can be used to test how GSM radiation affects other equipment, e.g. amplifiers, radios and wireless devices. It is capable of transmitting in all regular GSM bands (1800, 1900, 850, 900), up-link and down-link. Because it only transmits, no filter rework is required. There are several test patterns, from SDCCH on a single time slot to PDCH on 5 time slots.

Branch

Check out the jolly/emi branch of the OsmocomBB Git repository. It contains the EMI app and Sylvain's TRX hack, which is required to transmit multiple bursts per frame.

Settings

Use the left function key (left button below the display) to toggle between the DCS1800 and PCS1900 bands. This is only required for the ARFCN range from 512 to 810.

Use the right function key to toggle between up-link (interference of a mobile station) and down-link (interference of a base station).

To change the ARFCN, enter digits and acknowledge with the right function key. Press or hold the right or left cursor buttons to adjust the currently selected ARFCN.

Press the menu button (black center button) to select a test pattern (scroll up and down) and acknowledge with the right function key. Test patterns are:

  • SDCCH
  • TCH/F (1-5 time slots)
  • TCH/H
  • TCH/F (TCH/H) using DTX
  • PDCH download (sending acknowledgments)
  • PDCH upload (1-5 time slots)
  • RACH (single Access Burst)

Operation

Note: This device transmits at frequencies that require a license in most countries. Only use this device if you have a license for the selected ARFCN or if you use it inside a Faraday cage.

Press the green button (off-hook) to start the transmitter. The transmit power is shown.

Turn off the transmitter by pressing the green button again or by pressing the red button (on-hook).

To increase or decrease TX power, press or hold the up and down cursor buttons.

RACH Burst

With the test pattern "RACH", real Access Bursts can be transmitted. Access Bursts are shorter than Normal Bursts. When this test pattern is selected, transmit power is always shown on the display, but nothing is transmitted. To transmit a single Access Burst, press the green button (off-hook). Whenever the green button is pressed again, an Access Burst is transmitted.

Simulation

When the transmitter is on, the transmitted bursts can be made audible on the phone's buzzer. To increase the volume, press or hold the # key. To decrease it, press or hold the * key.

Remote Control

Remote control is possible with 'osmocli' (a special command line tool), with the echo command, or from your own application.

Osmo-CLI

After starting the EMI app on the phone, stop osmocon, if it is running, and run osmocli. Enter 'help' and 'template help' for a list of commands:

src/host/osmocon/osmocli -p /dev/ttyUSB0
help
Available commands:
help                this text
arfcn <ARFCN>       Absolute radio frequency number
dcs                 Use DCS1800 for ARFCN 512..810
pcs                 Use PCS1900 for ARFCN 512..810
uplink              Use uplink bands
downlink            Use downlink bands
template <template> Select template, use 'template help' for a list.
power <dBm> | off   Set transmitter power 0..30
volume 0..10        Set buzzer volume

template help
Available templates:
template sdcch - SDCCH
template tchf - TCH/F
template tchf2 - TCH/F (2 TS)
template tchf3 - TCH/F (3 TS)
template tchf4 - TCH/F (4 TS)
template tchf5 - TCH/F (5 TS)
template tchh - TCH/H
template dtx - TCH/F(H) DTX
template pdchack - PDCH (ack)
template pdch - PDCH
template pdch2 - PDCH (2 TS)
template pdch3 - PDCH (3 TS)
template pdch4 - PDCH (4 TS)
template pdch5 - PDCH (5 TS)
template rach - RACH

echo

Alternatively the echo command can be used:

stty -F /dev/ttyUSB0 115200
echo -ne "~\012\003power 0~" >/dev/ttyUSB0

The phone should start transmitting with power level 0.

Own application

The following sequence must be sent via serial at 115200 baud, 8n1, to form a valid command:

0x7e 0x0a 0x03 <command as ASCII code> 0x7e

Example "power 0":

0x7e 0x0a 0x03 0x70 0x6f 0x77 0x65 0x72 0x20 0x30 0x7e
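
The framing above as a small host-side helper that only frames commands matching the 'help' listing, so an application cannot send an undocumented or out-of-range value. This is an added example, not code from OsmocomBB; the function names and the ARFCN limit of 0..1023 are assumptions, and byte escaping inside the payload is not covered because the page does not describe it.

```python
# Added example (not OsmocomBB code): frame builder for the EMI remote control.
FLAG = 0x7E                   # opening and closing byte, as given on the page
HEADER = bytes([0x0A, 0x03])  # the two fixed bytes after the opening flag

TEMPLATES = {"sdcch", "tchf", "tchf2", "tchf3", "tchf4", "tchf5", "tchh", "dtx",
             "pdchack", "pdch", "pdch2", "pdch3", "pdch4", "pdch5", "rach"}
NO_ARG = {"help", "dcs", "pcs", "uplink", "downlink"}


def _int_in(text, low, high):
    """True if text is a plain ASCII decimal integer within [low, high]."""
    return text.isascii() and text.isdigit() and low <= int(text) <= high


def validate(command):
    """Raise ValueError unless command matches the 'help' listing."""
    name, *args = command.split(" ")
    if name in NO_ARG and not args:
        return
    if len(args) == 1:
        arg = args[0]
        # Assumption: ARFCN limited to the 10-bit GSM range 0..1023.
        if name == "arfcn" and _int_in(arg, 0, 1023):
            return
        if name == "template" and (arg in TEMPLATES or arg == "help"):
            return
        if name == "power" and (arg == "off" or _int_in(arg, 0, 30)):
            return
        if name == "volume" and _int_in(arg, 0, 10):
            return
    raise ValueError(f"not a documented command: {command!r}")


def build_frame(command):
    """Return the bytes to write to the serial port for one command."""
    validate(command)
    return bytes([FLAG]) + HEADER + command.encode("ascii") + bytes([FLAG])


def parse_frame(raw):
    """Inverse of build_frame: check the framing and return the command text."""
    if len(raw) < 4 or raw[0] != FLAG or raw[-1] != FLAG or raw[1:3] != HEADER:
        raise ValueError("malformed frame")
    command = raw[3:-1].decode("ascii")
    validate(command)
    return command
```

build_frame("power 0") returns exactly the eleven bytes listed in the example above.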

Restrictions

  • GSM 850 and 900 do not allow the power to go lower than 4 dBm, even if a lower value is displayed.
  • TX power of patterns with multiple time slots will always be 30 dBm (about 1 Watt).
  • Access Bursts are always sent on up-link bands.
  • The bursts, except for Access Bursts, do not carry valid data; they are just Dummy Bursts.

Burst Templates (informative)

Note: '*' represents transmission, '-' represents no transmission. Each character represents one frame.

When SDCCH is selected, two alternating 51-multiframes are transmitted in a loop: (The 4 bursts on the left represent SDCCH, the 4 bursts to the right represent SACCH.)

---------------****----------------------------****
---------------****--------------------------------

When TCH/F is selected, a 26-multiframe is transmitted in a loop: (Each block of 12 bursts represents 3 interleaved TCH frames, the first single burst represents SACCH, the second single burst represents the IDLE burst.)

************ * ************ -

When TCH/H is selected, a 26-multiframe is transmitted in a loop: (Both blocks of 12 bursts represent 3 interleaved TCH frames, the first single burst represents SACCH, the second single burst represents the IDLE burst.)

*-*-*-*-*-*- * *-*-*-*-*-*- -

When TCH/F / TCH/H DTX is selected, a 26-multiframe is transmitted in a loop: (Both blocks of 12 bursts are IDLE due to DTX, the first single burst represents SACCH, the second single burst represents the IDLE burst.)

------------ * ------------ -

When PDCH (ack) is selected, the following 52-multiframes are transmitted in a loop: (This is a download scenario, where only acknowledgement packets are transmitted. Each block of 12 bursts represents 3 MAC blocks, the single bursts represent the PTCCH/U.)

************ * ****-------- - ****----**** - ------------ -
------------ - ----****---- - ------------ - ----****---- -
----******** - ************ - ****-------- - ****----**** -
------------ - ------------ - ----****---- - ------------ -
----****---- - ----******** - ************ - ****-------- -
****----**** - ------------ - ------------ - ----****---- -
------------ - ------------ - ------------ - ------------ -
****-------- - ------------ - ****-------- - ----******** -
************ * ****-------- - ****-------- - ****-------- -
------------ - --------**** - ------------ - ------------ -
----****---- - ------------ - ----****---- - ----******** -
************ - ****-------- - ****----**** - ------------ -
------------ - ----****---- - ------------ - ------------ -
****-------- - ------------ - ****-------- - ************ -
************ - ****-------- - ********---- - ------------ -
------------ - ****-------- - ------------ - ****-------- -
************ * ********---- - ------------ - ********---- -
------------ - ------------ - ****-------- - ------------ -
****-------- - ************ - ************ - ****-------- -
********---- - ------------ - ------------ - ****-------- -
------------ - --------**** - ------------ - ------------ -
----****---- - ------------ - ----****---- - ----******** -
************ - ****-------- - ****----**** - ------------ -
------------ - ----****---- - ------------ - ----****---- -
----******** * ************ - ****-------- - ****----**** -
------------ - ------------ - ----****---- - ------------ -
------------ - ****-------- - ------------ - ****-------- -
************ - ********---- - ------------ - ********---- -
------------ - ------------ - ****-------- - ------------ -
--------**** - ------------ - ----****---- - --------**** -
************ - ********---- - --------**** - ****-------- -
------------ - --------**** - ------------ - ----****---- -

When PDCH is selected, the following 52-multiframes are transmitted in a loop: (This is an upload scenario, where packets are transmitted. Each block of 12 bursts represents 3 MAC blocks, the single bursts represent the PTCCH/U.)

************ * ************ - ************ - ************ -
************ - ************ - ************ - ************ -
************ - ************ - ************ - ************ -
************ - ************ - ************ - ************ -
************ - ************ - ************ - ************ -
************ - ************ - ************ - ************ -
************ - ************ - ************ - ************ -
************ - ************ - ************ - ************ -