Cellular Network Infrastructure » Radio Access Network » OsmoBSC

[[PageOutline]]

The ip.access nanoBTS are small BTS with an A-bis over IP interface.  It's about the size of a WiFi access point.

There are multiple variants of the nanoBTS, most notably

 * the nanoBTS 900 for GSM900

  * supports FR, EFR, AMR(HR) speech codecs

  * supports TCH/F and TCH/H based telephony

  * supports GPRS

 * the nanoBTS 1800 for GSM1800, plus a GSM1900 variant thereof (almost identical hardware)

  * they support EDGE in addition to GPRS

A more detailed list of known nanoBTS models can be found at [wiki:nanoBTS_Models].

The A-bis over IP interface is spoken over a  100-base-TX Ethernet as physical layer.  Power over Ethernet (PoE) is used as

a power supply to the nanoBTS.

A-bis RSL and OML are encapsulated by a small additional header; each run in their own TCP session.  Instead of A-bis TRAU frames, the actual TCH speech data is inside RTP/UDP.  Details are indicated below.

The OpenBSC project has never received any protocol specification or other detailed information about the [wiki:nanoBTS_Internals nanoBTS hardware].  All information here and in the source code was derived by looking at protocol traces of actual nanoBTS installations.

== Deploying a new nanoBTS ==

The unconfigured ip.access nanoBTS needs to be configured as follows

 * The BTS is configued to automatically obtain an IP address via DHCP

 * The BTS is listening on UDP port 3006 for broadcast packets (e.g. should be found by ipaccess-find)

  * a typical response by ipaccess-find will be

{{{

Trying to find ip.access BTS by broadcast UDP...

MAC Address='00:01:02:03:04:05'  IP Address='192.168.100.123'  Unit ID='65535/0/0'  Location 1=''  Location 2='BTS_NBT131G'  Equipment Version='165a029_55'  Software Version='168a302_v142b13d0'  Unit Name='nbts-00-02-95-00-4E-B3'  Serial Number='00123456'  

}}}

 * The BTS is listening on TCP port 3006 for incoming Abis-over-IP connections. This is called ''Secondary OML Link''

 * The BTS has an unconfigured Unit ID (65535/0/0) and will refuse to work until a Unit ID has been set

 * You can set the Unit ID and Primarly OML IP using ipaccess-config as follows:

{{{

$ ./ipaccess-config -u 1801/0/0 -o 192.168.100.11 -r 192.168.100.122

ipaccess-config (C) 2009 by Harald Welte

This is FREE SOFTWARE with ABSOLUTELY NO WARRANTY

Trying to connect to ip.access BTS ...

OML link established

setting Unit ID to '1801/0/0'

setting primary OML link IP to '192.168.100.11'

restarting BTS

Thu Apr 30 18:18:48 2009 <0020> abis_nm.c:2016 IPACCESS(0xf0): SET NVATTR ACK

Thu Apr 30 18:18:48 2009 <0020> abis_nm.c:2016 IPACCESS(0xf0): SET NVATTR ACK

}}}

 * Once a Unit ID and the Primary OML link IP address has been set, the BTS will try to connect to the BSC (tcp port 3002)

{{{

18:22:49.801584 IP 192.168.100.122.48000 > 192.168.100.11.3002: Flags [S], seq 3405259716, win 16000, options [mss 1460], length 0

}}}

=== nanoBTS multi-TRX Setup ===

The nanoBTS can be operated in so-called ''multi-TRX'' mode, where you can run multiple units as multiple transceivers of one

BTS instead of each unit  being a BTS in itself.  The advantage of this is that you save capacity, as every BTS only needs one

timeslot for BCCH/CCCH, even if it has multiple transceivers.

To use this mode, a set of special cables are used to connect the nanoBTS stack:

 * The TIB cable (two RJ69 plugs with a slight dent milled away), connecting TIB OUT of one BTS with TIB IN of the other

 * A RF cable, connecting the AUX plug of one BTS with the hidden connector between the cooling fins on the back

You can stack a total of up to four nanoBTS this way.

To make the units behave as members of an actual stack, you have to set their unit IDs accordingly:

 * The Location and BTS part (first and second) have to be identical among all BTS in a stack

 * The TRX id needs to be 0 for the first, and 1...3 for the others, respectively

 * So e.g. TRX0 = 23/0/0 and TRX1 = 23/0/1

On the [wiki:OpenBSC] software side, you simply configure a BTS with multiple TRX, similar to a BS-11 dual-TRX setup.

== A-bis over IP protocol ==

This is the description of the A-bis over IP protocol as we have reverse engineered it by looking at protocol traces between a commercial BSC and a nanoBTS.  We did not and do not have access to the protocol specification of ip.access.

=== Common Header ===

Inside the TCP and UDP packets connection, every message is prefixed by a three-byte header:

{{{

struct ipaccess_head {

        u_int16_t len; /* network byte order */

        u_int8_t proto;

} __attribute__ ((packed));

}}}

where the first byte is zero, the second byte indicates the length of the message payload following the header, and the third byte indicates the protocol.  The following protocol values have been observed:

 * 0x00 RSL messages as per GSM 08.58

 * 0xfe ip.access specific messages

 * 0xff OML messages as per GSM 12.21

The ip.access specific messages that we have seen are of the following message types (message type is the first byte behind the ipaccess_head):

 * 0x00 PING (from BTS to BSC)

 * 0x01 PONG (from BSC to BTS), indicates that the link is still alive

 * 0x04 Identity Get (from BSC to BTS)

 * 0x05 Identity Response (from BTS to BSC)

 * 0x06 Identity confirm (both ways, BTS->BSC is a request, BSC->BTS is acknowledgement)

=== OML Signalling Link ===

After obtaining an IP address from DHCP, the nanoBTS will attempt to make TCP connections to a IP address and port number pre-configured in the device.  The standard port seems to be 3002.

==== vendor-specific OML messages ====

vendor-specific OML messages use a specific format but are closely following the spirit of GSM TS 12.21.

Look at the ''abis_nm_ipaccess_msg()'' function in ''abis_nm.c'' if you want to know the details.

=== RSL Signalling Link ===

There is a vendor-specific OML command 0xe0, which basically corresponds to what the usual ''Connect Terrestrial Signalling'' does.  Instead of connecting te RSL link to a specific TEI on a E1 timeslot, it connects the RSL link to a specified TCP port (and optionally IP address).

After this command is issued (and acknowledged by 0xe1), the BTS will initiate a TCP connection to the specified TCP port.

==== vendor-specific RSL messages ====

There are a couple of vendor-specific RSL messages extending 08.58 to accommodate the IP-based link.

They all use the GSM 08.85 message discriminator 0x7e

===== 0x70 Create Connection (CRCX in MGCP terms) =====

This command binds a given on-air timeslot to a BTS-local RTP port.

Attributes:

 * 0x01 GSM 08.58 Channel Number (same as BIND)

===== 0x71 Create Connection (CRCX in MGCP terms) ACK =====

This message (BTS->BSC) acknowledges the BTS-local bind.

Attributes:

 * 0x01 GSM 08.58 Channel Number (same as BIND)

 * 0xf8 unknown, maybe something like local RTP instance number, fixed length two bytes.

 * 0xf3 local RTP port number, fixed length 2 bytes

 * 0xf5 local IP address, fixed length 4 bytes

 * 0xfc unknown, fixed length 1 byte, content 0x7f

===== 0x73 Modify Connection (MDCX in MGCP terms) =====

This command (BSC->BTS) instructs the BTS to connect a given GSM channel (timeslot) to the remote end

Attributes:

 * 0x01 GSM 08.58 Channel Number (on-air timeslot)

 * 0xf8 unknown, maybe something like local RTP instance number, fixed length two bytes.

 * 0xf0 remote IP address, fixed length 4 bytes

 * 0xf1 remote RTP port number, fixed length 2 bytes

 * 0xf4 unknown, fixed length 1 byte, content 0x01

 * 0xfc unknown, fixed length 1 byte, content 0x7f

===== 0x74 Modify Connection (MDCX in MGCP terms) ACK =====

This message (BTS->BCS) confirms the successful CONNECT operation

Attributes:

 * 0x01 GSM 08.58 Channel Number (on-air timeslot)

 * 0xf8 unknown, maybe something like local RTP instance number, fixed length two bytes.

===== 0x76 DISCONNECT INDICATION =====

This message (BTS->BSC) indicates a terminated RTP connection

Attributes:

 * 0x01 GSM 08.58 Channel Number (on-air timeslot)

 * 0xf8 unknown, maybe something like local RTP instance number, fixed length two bytes.

 * 0xf6 unknown, TLV with one byte length, content zero

 * 0x1a GSM 08.58 Cause

=== TRAU link ===

Not yet reverse engineered.

There are streams of RTP-in-UDP packets to the ''remote IP'' and ''remote port'' that were indicated by the ''CONNECT'' message in RSL.

There are also regular RTCP packets on the port number plus 1.

==== RTP ====

The packets are according to RFC1889 (RTP Version 2), the payload type is set to 127, which is a dynamically allocated payload type.

They have sequence number and timestamp as well as 31 bytes of payload.  It seems the payload first 4 bits are always 0xC, reducing

the actual payload to 30.5 bytes.

As it seems, the FR and EFR RTP payload format follows the specification in section 4.5.8 and 4.5.9 of RFC3551 (

see http://www.ietf.org/rfc/rfc3551.txt)

==== RTCP ====

It seems that about every 3 seconds there is a RTCP packet, containing a source description and sender report.

== Wireshark dissector ==

We have developed a dissector for the popular wireshark network protocol analyzer.   The dissector has been merged into

the current wireshak development versions.

Furthermore, there is a patch for adding the ip.access specific RSL extensions to the packet-rsl.c dissector at http://bs11-abis.gnumonks.org/trac/browser/wireshark/rsl-ipaccess.patch

There's also a A-bis OML dissector plugin available from http://bs11-abis.gnumonks.org/trac/browser/wireshark/abis_oml.patch

Once the code has stabilized more, we plan to submit this for inclusion into wireshark mainline.

== Firmware Format ==

The file format is called "SDP" and it is a container that contain other SDP parts. To my knowledge the separate subparts are for separate functionality (e.g. bootcode) and for the different ProcessingUnits. It appears that only the first SDP header is stripped and that the remain is sent as one part to the BTS.

The outer SDP header appears to be

{{{

struct header1 {

    char header[4] = " SDP";

    char version[4] = { 0x10, 0x02, 0x0, 0x0 };

    u_int32_t total_header_length; // (bigendian)

    u_int32_t total_file_length;    // (bigendian)

    char string[20]; // up to 20 chars for a string;

    ... stuff not yet understood, but it appears to list the compatible bts

    ... it also includes a date string (viewable in a hex editor)

};

}}}

At the end of the total_header_length there is another " SDP" start with a similar header...

{{{

struct header2 {

     char header[4] = " SDP";

     char version[4] = { 0x10, 0x20, 0x0, 0x0 };

     ... not understood yet...

};

}}}

== Telnet Debug Port ==

When you set the NVRAM flag 0x400 (e.g. using {{{ipaccess-config -n 0x400/0x400 BTS_IP}}}), a special telnet console will

be activated on TCP port 3210 of the nanoBTS.

However, there is some kind of shared-secret challenge-response MD5 authentication required - otherwise the BTS will simply

disconnect you after a few seconds.

We have implemented a modified telnet client to add support for this challenge-response mode, and you can obtain it from

{{{

git clone git://openbsc.gnumonks.org:libtelnet.git

}}}

Simply build this package using normal autotools (it also needs the openssl-devel package for MD5) and type

{{{

./util/ipaccess-telnet BTS_IP 3210

}}}

and you are connected to it.