NanoBTS » History » Version 5
laforge, 02/19/2016 10:48 PM
add minimal info about RTP/RTCP as well as rsl-ipaccess.patch
| 1 | 1 | laforge | The ip.access nanoBTS are small BTS with an A-bis over IP interface. RSL and OML are encapsulated in a single TCP session, whereas the TRAU frames on the actual TCH seem to be inside RTP/UDP. |
|---|---|---|---|
| 2 | |||
| 3 | == A-bis over IP protocol == |
||
| 4 | |||
| 5 | This is the description of the A-bis over IP protocol as we have reverse engineered it by looking at protocol traces between a commercial BSC and a nanoBTS. We did not and do not have access to the protocol specification of ip.access. |
||
| 6 | |||
| 7 | 2 | laforge | === Common Header === |
| 8 | 1 | laforge | |
| 9 | |||
| 10 | 2 | laforge | Inside the TCP and UDP packets connection, every message is prefixed by a three-byte header: |
| 11 | 1 | laforge | {{{ |
| 12 | struct ipaccess_head { |
||
| 13 | u_int8_t zero; |
||
| 14 | u_int8_t len; |
||
| 15 | u_int8_t proto; |
||
| 16 | } __attribute__ ((packed)); |
||
| 17 | }}} |
||
| 18 | |||
| 19 | where the first byte is zero, the second byte indicates the length of the message payload following the header, and the third byte indicates the protocol. The following protocol values have been observed: |
||
| 20 | |||
| 21 | * 0x00 RSL messages as per GSM 08.58 |
||
| 22 | * 0xfe ip.access specific messages |
||
| 23 | * 0xff OML messages as per GSM 12.21 |
||
| 24 | |||
| 25 | The ip.access specific messages that we have seen are of the following message types (message type is the first byte behind the ipaccess_head): |
||
| 26 | * 0x00 PING (from BTS to BSC) |
||
| 27 | * 0x01 PONG (from BSC to BTS), indicates that the link is still alive |
||
| 28 | * 0x04 Identity Get (from BSC to BTS) |
||
| 29 | * 0x05 Identity Response (from BTS to BSC) |
||
| 30 | * 0x06 Identity confirm (both ways, BTS->BSC is a request, BSC->BTS is acknowledgement) |
||
| 31 | 2 | laforge | |
| 32 | === OML Signalling Link === |
||
| 33 | |||
| 34 | After obtaining an IP address from DHCP, the nanoBTS will attempt to make TCP connections to a IP address and port number pre-configured in the device. The standard port seems to be 3002. |
||
| 35 | |||
| 36 | ==== vendor-specific OML messages ==== |
||
| 37 | |||
| 38 | vendor-specific OML messages use a specific format but are closely following the spirit of GSM TS 12.21. |
||
| 39 | |||
| 40 | Look at the ''abis_nm_ipaccess_msg()'' function in ''abis_nm.c'' if you want to know the details. |
||
| 41 | |||
| 42 | === RSL Signalling Link === |
||
| 43 | |||
| 44 | There is a vendor-specific OML command 0xe0, which basically corresponds to what the usual ''Connect Terrestrial Signalling'' does. Instead of connecting te RSL link to a specific TEI on a E1 timeslot, it connects the RSL link to a specified TCP port (and optionally IP address). |
||
| 45 | |||
| 46 | After this command is issued (and acknowledged by 0xe1), the BTS will initiate a TCP connection to the specified TCP port. |
||
| 47 | 1 | laforge | |
| 48 | 3 | laforge | ==== vendor-specific RSL messages ==== |
| 49 | |||
| 50 | There are a couple of vendor-specific RSL messages extending 08.58 to accommodate the IP-based link. |
||
| 51 | |||
| 52 | They all use the GSM 08.85 message discriminator 0x7e |
||
| 53 | |||
| 54 | ===== 0x70 BIND ===== |
||
| 55 | |||
| 56 | This command binds a given on-air timeslot to a BTS-local RTP port. |
||
| 57 | |||
| 58 | Attributes: |
||
| 59 | * 0x01 GSM 08.58 Channel Number (same as BIND) |
||
| 60 | |||
| 61 | ===== 0x71 BIND ACK ===== |
||
| 62 | |||
| 63 | This message (BTS->BSC) acknowledges the BTS-local bind. |
||
| 64 | |||
| 65 | Attributes: |
||
| 66 | * 0x01 GSM 08.58 Channel Number (same as BIND) |
||
| 67 | * 0xf8 unknown, maybe something like local RTP instance number, fixed length two bytes. |
||
| 68 | * 0xf3 local RTP port number, fixed length 2 bytes |
||
| 69 | * 0xf5 local IP address, fixed length 4 bytes |
||
| 70 | * 0xfc unknown, fixed length 1 byte, content 0x7f |
||
| 71 | |||
| 72 | ===== 0x73 CONNECT ===== |
||
| 73 | |||
| 74 | This command (BSC->BTS) instructs the BTS to connect a given GSM channel (timeslot) to the remote end |
||
| 75 | |||
| 76 | Attributes: |
||
| 77 | * 0x01 GSM 08.58 Channel Number (on-air timeslot) |
||
| 78 | * 0xf8 unknown, maybe something like local RTP instance number, fixed length two bytes. |
||
| 79 | * 0xf0 remote IP address, fixed length 4 bytes |
||
| 80 | * 0xf1 remote RTP port number, fixed length 2 bytes |
||
| 81 | * 0xf4 unknown, fixed length 1 byte, content 0x01 |
||
| 82 | * 0xfc unknown, fixed length 1 byte, content 0x7f |
||
| 83 | |||
| 84 | ===== 0x74 CONNECT ACK ===== |
||
| 85 | |||
| 86 | This message (BTS->BCS) confirms the successful CONNECT operation |
||
| 87 | |||
| 88 | Attributes: |
||
| 89 | * 0x01 GSM 08.58 Channel Number (on-air timeslot) |
||
| 90 | * 0xf8 unknown, maybe something like local RTP instance number, fixed length two bytes. |
||
| 91 | |||
| 92 | ===== 0x76 DISCONNECT INDICATION ===== |
||
| 93 | |||
| 94 | This message (BTS->BSC) indicates a terminated RTP connection |
||
| 95 | |||
| 96 | Attributes: |
||
| 97 | * 0x01 GSM 08.58 Channel Number (on-air timeslot) |
||
| 98 | * 0xf8 unknown, maybe something like local RTP instance number, fixed length two bytes. |
||
| 99 | * 0xf6 unknown, TLV with one byte length, content zero |
||
| 100 | * 0x1a GSM 08.58 Cause |
||
| 101 | |||
| 102 | |||
| 103 | 1 | laforge | === TRAU link === |
| 104 | |||
| 105 | Not yet reverse engineered. |
||
| 106 | 4 | laforge | |
| 107 | 5 | laforge | There are streams of RTP-in-UDP packets to the ''remote IP'' and ''remote port'' that were indicated by the ''CONNECT'' message in RSL. |
| 108 | |||
| 109 | There are also regular RTCP packets on the port number plus 1. |
||
| 110 | |||
| 111 | ==== RTP ==== |
||
| 112 | |||
| 113 | The packets are according to RFC1889 (RTP Version 2), the payload type is set to 127, which is a dynamically allocated payload type. |
||
| 114 | |||
| 115 | They have sequence number and timestamp as well as 31 bytes of payload. It seems the payload first 4 bits are always 0xC, reducing |
||
| 116 | the actual payload to 30.5 bytes. A EFR/FR speech frame consists of 32.5 bytes, however. |
||
| 117 | |||
| 118 | Any additional information about the content/encoding of the payload would be appreciated. |
||
| 119 | |||
| 120 | ==== RTCP ==== |
||
| 121 | |||
| 122 | It seems that about every 3 seconds there is a RTCP packet, containing a source description and sender report. |
||
| 123 | |||
| 124 | 4 | laforge | == Wireshark dissector == |
| 125 | |||
| 126 | We have developed a dissector for the popular wireshark network protocol analyzer. The patch can be found at this location in our svn: http://bs11-abis.gnumonks.org/trac/browser/trunk/wireshark/abisip.patch |
||
| 127 | 5 | laforge | |
| 128 | Furthermore, there is a patch for adding the ip.access specific RSL extensions to the packet-rsl.c dissector at http://bs11-abis.gnumonks.org/trac/browser/trunk/wireshark/rsl-ipaccess.patch |
||
| 129 | 4 | laforge | |
| 130 | Once the code has stabilized more, we plan to submit this for inclusion into wireshark mainline. |
