OsmoNITB » History » Revision 4
laforge, 02/19/2016 10:48 PM
more information about usage


= BSC Hack =

''bsc_hack'' is the program executable name of [wiki:OpenBSC]. We call it that because it is still pretty much a big hack, despite having
come a long way in quite a short amount of time.

== Configuration ==

Currently, there is no configuration file. A lot of the configuration is thus compiled-in. Almost all of the values that you might want to
tweak are inside the bsc_hack.c file itself, where you can find things like the BCCH filling (SYSTEM INFORMATION) messages and the like.

== Reference ==

Basically, there are currently just two modes of operation supported.

=== BS-11 ===

{{{
$ ./bsc_hack -t bs11 --arfcn 123
}}}
will assume you have a [wiki:BS11 BS-11] connected to the first mISDN E1 card and have configured
 * OML signalling on the full 64kbps E1 timeslot 1
  * verify this by [wiki:bs11_config] ''query''
  * make sure you pass '''dslot=1''' when loading hfcmulti.ko
 * OML TEI 25
  * verify this by [wiki:bs11_config] ''query''

You will see something like
{{{
DB: Database initialized.
DB: Database prepared.
1 device found
id: 0
Dprotocols: 00000018
Bprotocols: 0000000e
protocol: 4
nrbchan: 30
name: hfc-e1.1
activate bchan
bootstrapping OML
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=0)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=1)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1315 CONNECT TERR TRAF Um=(0,0,1) E1=(0,2,1)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=2)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1315 CONNECT TERR TRAF Um=(0,0,2) E1=(0,2,2)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=3)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1315 CONNECT TERR TRAF Um=(0,0,3) E1=(0,2,3)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=4)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1315 CONNECT TERR TRAF Um=(0,0,4) E1=(0,3,0)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=5)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1315 CONNECT TERR TRAF Um=(0,0,5) E1=(0,3,1)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=6)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1315 CONNECT TERR TRAF Um=(0,0,6) E1=(0,3,2)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=7)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1315 CONNECT TERR TRAF Um=(0,0,7) E1=(0,3,3)
bootstrapping RSL MCC=1 MNC=1
}}}

=== ip.access nanoBTS ===

{{{
$ ./bsc_hack -t nanogsm900 --arfcn 122
}}}
will assume you have a [wiki:nanoBTS] configured with its primary OML link to the IP address of your Linux PC.

After starting, bsc_hack will just wait for your nanoBTS to connect, which can take quite a while.

NOTE: Due to some problems with OML initialization after the first boot of a nanoBTS, you may have to re-start bsc_hack a number of times
until you get it working.

=== Options ===

{{{
Usage: bsc_hack
Some useful help...
-d option --debug=DRLL:DCC:DMM:DRR:DRSL:DNM enable debugging
-s --disable-color
-n --network-code number(MNC)
-c --country-code number (MCC)
-f --arfcn number The frequency ARFCN
-l --database db-name The database to use
-a --authorize-everyone Allow everyone into the network.
-r --reject-cause number The reject cause for LOCATION UPDATING REJECT.
-p --pcap file The filename of the pcap file
-t --bts-type type The BTS type (bs11, nanobts900, nanobts1800)
-h --help this text
}}}

== Dealing with the HLR ==

We currently use a quite simple sqlite3 database for the HLR. In fact, it is more than just an HLR, since it stores
an entry for any subscriber or phone that tries to log into your network.

We basically obtain the IMSI and IMEI of every LOCATION UPDATING REQUEST and then, if necessary, create a new entry for the equipment
as well as the subscriber in the respective tables.

{{{
CREATE TABLE Equipment (id INTEGER PRIMARY KEY AUTOINCREMENT, created TIMESTAMP NOT NULL, updated TIMESTAMP NOT NULL, imei NUMERIC UNIQUE NOT NULL, name TEXT);
CREATE TABLE EquipmentWatch (id INTEGER PRIMARY KEY AUTOINCREMENT, created TIMESTAMP NOT NULL, updated TIMESTAMP NOT NULL, subscriber_id NUMERIC NOT NULL, equipment_id NUMERIC NOT NULL, UNIQUE (subscriber_id, equipment_id) );
CREATE TABLE Meta (id INTEGER PRIMARY KEY AUTOINCREMENT, key TEXT UNIQUE NOT NULL, value TEXT NOT NULL);
CREATE TABLE Subscriber (id INTEGER PRIMARY KEY AUTOINCREMENT, created TIMESTAMP NOT NULL, updated TIMESTAMP NOT NULL, imsi NUMERIC UNIQUE NOT NULL, name TEXT, extension TEXT UNIQUE, authorized INTEGER NOT NULL DEFAULT 0, tmsi TEXT UNIQUE, lac INTEGER NOT NULL DEFAULT 0);
}}}

If the Subscriber.authorized field is set to '1', then we allocate a TMSI and answer with LOCATION UPDATING ACCEPT. Otherwise, we send
a regular LOCATION UPDATING REJECT to refuse to let the mobile roam into our network. You can change the reject cause using ''--reject-cause''.

You can allow everyone to join your network by using the ''--authorize-everyone'' command-line option.

To authorize your mobile station, you will need to execute the following command:

{{{
sqlite3 hlr.sqlite
update Subscriber set authorized=1 where imsi=YOUR_IMSI;
}}}
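
The admission logic described in this section, modelled as an added example over the page's Subscriber and Equipment tables (this is not OpenBSC's own code). The function names, the constructed IMSI/IMEI sample values, and the choice that ''--authorize-everyone'' leaves the authorized column untouched are assumptions; TMSI allocation is omitted.

```python
import sqlite3
from datetime import datetime, timezone

# Subscriber and Equipment tables exactly as given on the page.
SCHEMA = """
CREATE TABLE Equipment (id INTEGER PRIMARY KEY AUTOINCREMENT, created TIMESTAMP NOT NULL, updated TIMESTAMP NOT NULL, imei NUMERIC UNIQUE NOT NULL, name TEXT);
CREATE TABLE Subscriber (id INTEGER PRIMARY KEY AUTOINCREMENT, created TIMESTAMP NOT NULL, updated TIMESTAMP NOT NULL, imsi NUMERIC UNIQUE NOT NULL, name TEXT, extension TEXT UNIQUE, authorized INTEGER NOT NULL DEFAULT 0, tmsi TEXT UNIQUE, lac INTEGER NOT NULL DEFAULT 0);
"""

def open_db(path=":memory:"):
    """Create a fresh database with the page's schema (hypothetical helper)."""
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def check_id(value):
    # IMSI and IMEI are ASCII decimal strings; anything else is refused.
    if not (isinstance(value, str) and value.isascii() and value.isdigit() and len(value) <= 16):
        raise ValueError(f"not a valid IMSI/IMEI: {value!r}")
    return value

def location_update(db, imsi, imei, authorize_everyone=False):
    """Hypothetical model of the decision described above: 'ACCEPT' or 'REJECT'."""
    imsi, imei = check_id(imsi), check_id(imei)
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    # Identities are recorded on every attempt, before the decision is taken.
    db.execute("INSERT OR IGNORE INTO Subscriber (created, updated, imsi) VALUES (?, ?, ?)", (now, now, imsi))
    db.execute("INSERT OR IGNORE INTO Equipment (created, updated, imei) VALUES (?, ?, ?)", (now, now, imei))
    row = db.execute("SELECT authorized FROM Subscriber WHERE imsi = ?", (imsi,)).fetchone()
    return "ACCEPT" if authorize_everyone or row[0] == 1 else "REJECT"

def authorize(db, imsi):
    """Parameterized form of the page's UPDATE; returns rows changed (0 = IMSI never seen)."""
    return db.execute("UPDATE Subscriber SET authorized = 1 WHERE imsi = ?", (check_id(imsi),)).rowcount

def audit(db):
    """Split recorded IMSIs into (authorized, seen but not authorized)."""
    rows = db.execute("SELECT imsi, authorized FROM Subscriber ORDER BY imsi").fetchall()
    return ([str(i) for i, a in rows if a == 1], [str(i) for i, a in rows if a != 1])

def demo():
    db = open_db()
    a, b = "999010000000001", "999010000000002"       # constructed IMSIs
    first = location_update(db, a, "350000000000011")  # constructed IMEIs
    location_update(db, b, "350000000000029")
    authorize(db, a)
    second = location_update(db, a, "350000000000011")
    return first, second, audit(db)
```

The second list returned by audit() is the set of identities the database holds for phones that were never admitted, which is worth keeping in mind when deciding who may read hlr.sqlite.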

== Using the telnet interface ==

You can telnet to port 4242 of the machine that runs bsc_hack and try some of the commands.

We are planning a lot of work in this area, so documenting the old commands will not be very productive.

Updated by laforge about 8 years ago · 4 revisions