-
Researching communications systemsThe Osmocom project
Non-osmocom projects
osmocom.org - FOSS for mobile comms
community based Free / Open Source Software for communications
Harald Welte
gnumonks.org / hmw-consulting.de / sysmocom GmbH
Nov 26, 2017, KNF-Kongress
Harald Welte osmocom.org - FOSS for mobile comms
-
Outline
1 Researching communications systems
2 The Osmocom project
3 Non-osmocom projects
-
About the speaker
Using + toying with Linux since 1994
Kernel / bootloader / driver / firmware development since 1999
IT security expert, focus on network protocol security
Former core developer of Linux packet filter netfilter/iptables
Board-level Electrical Engineering
Always looking for interesting protocols (RFID, DECT, GSM)
OpenEZX, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN
-
The Role of FOSS
What this talk is about
Implementing GSM/GPRS/3G network elements as FOSS
Applied Protocol Archaeology
Doing all of that on top of Linux (in userspace)
From two nerds with a BTS off eBay to a community project, several companies and real-world deployments around the globe
-
Research in TCP/IP/Ethernet
Assume you want to do some research in the TCP/IP/Ethernet communications area,
you use off-the-shelf hardware (x86, Ethernet card)
you start with the Linux / *BSD stack
you add the instrumentation you need
you make your proposed modifications
you do some testing
you write your paper and publish the results
-
Research in (mobile) communications
Assume it is 2008 (before Osmocom) and you want to do some research in mobile comms
there is no FOSS implementation of any of the protocols or functional entities
almost no university has a test lab with the required equipment. And if they do, it is black boxes that you cannot modify according to your research requirements
you turn away at that point, or you cannot work on really exciting stuff
only chance is to partner with commercial company, who puts you under NDAs and who wants to profit from your research
-
Running small (mobile) networks
Assume it is 2008 (before Osmocom) and you want to run a small cellular network for research, education, testing. You
go to Ericsson/Huawei/ZTE/Nokia/Alcatel/...
spend lots of time convincing them that you're an eligible customer
spend a six-digit figure for even the most basic full network
end up with black boxes that you can neither study nor improve
WTF?
I used FOSS protocol stacks for the Internet since 1994 and hacked on them since 1999. I knew a better world.
-
GSM/3G vs. Internet
Observation
Both GSM/3G and TCP/IP protocol specs are publicly available
The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny
GSM networks are as widely deployed as the Internet
Yet, GSM/3G protocols receive no such scrutiny!
There are reasons for that:
GSM industry is extremely closed (and closed-minded)
Only about 4 closed-source protocol stack implementations
GSM chipset makers never release any hardware documentation
-
GSM is more than phone calls
Listening to phone calls is boring...
Machine-to-Machine (M2M) communication
BMW can unlock/open your car via GSM
Alarm systems often report via GSM
Smart Metering (Utility companies)
GSM-R / European Train Control System
Vending machines report that their cash box is full
Control if wind-mills supply power into the grid
Transaction numbers for electronic banking
-
Osmocom sub-projects
Enter Osmocom
In 2008, two crazy Germans (Dieter Spaar + yours truly) started to write FOSS for GSM.
to boldly go where no FOSS hacker has gone before
where protocol stacks are deep
and acronyms are plentiful
we went from bs11-abis to bsc_hack to OpenBSC to OsmoNITB + OsmoBSC
many other projects were created
finally leading to the Osmocom umbrella project
-
Siemens BS-11 via ebay
-
Simplifying the GSM Network
-
Osmocom / osmocom.org
Osmocom == Open Source Mobile Communications
Classic collaborative, community-driven FOSS project
Gathers creative people who want to explore this industry-dominated closed mobile communications world
communication via mailing lists, IRC
source code in git, information in trac/wiki
http://osmocom.org/
-
OpenBSC
first Osmocom project
Implements GSM A-bis interface towards BTS
Primarily supports sysmoBTS and ip.access nanoBTS
Limited support for some Siemens, Ericsson and Nokia BTS models
can implement only BSC function (osmo-bsc) or a fully autonomous self-contained GSM network (osmo-nitb) that requires no external MSC/VLR/AUC/HLR/EIR
deployed in (at least) > 300 installations world-wide, commercial and research
-
First OpenBSC test installation (HAR 2009)
-
Osmocom Cellular Network use cases
can be used either as pure BSC (A-over-IP)
suitable for operators with existing core (MSC/VLR/HLR/AUC)
easy integration into existing infrastructure
or together with OsmoMSC, OsmoHLR to form a Network In The Box
suitable for private / autonomous small networks (PBX style)
no dependency on any other external component
connect to the outside via ISDN or VoIP (using linux call router, osmo-sip-connector)
off-shore drilling rigs, underground mining, alternative to PMR
-
OsmoPCU / OsmoSGSN / OsmoGGSN
extends the Osmocom based network from GSM to GPRS/EDGE by implementing the classic PCU, SGSN and GGSN functional entities
OsmoGGSN based on pre-existing OpenGGSN code that was abandoned by original author
Works only with BTSs that provide Gb interface, like sysmoBTS or nanoBTS
Suitable for research only, not production ready
-
OsmoSGSN / OsmoGGSN use cases
Testing of M2M devices using your own BTS+SGSN+GGSN
Mobile malware research (analyze cellular data traffic of apps)
Any type of GPRS related research
Teaching, training on mobile data protocols/interfaces (RLC, MAC, LLC, SNDCP, BSSGP, NS, GTP, etc.)
3G / 3.5G support since 2016 by means of IuPS interface
-
OsmoBTS
OpenBSC/OsmoNITB takes care of BTS and higher elements
OsmoBTS implements a BTS with A-bis/IP back-haul to OpenBSC
Developed primarily for sysmoBTS hardware
Ported to various other hardware, even by some BTS vendors!
-
Osmocom 3G
OsmoBTS, PCU, BSC, MSC, HLR, SGSN, GGSN developed for 2G/2.5G/2.75G
in 2015/2016, we added 3G/3.5G support
OsmoMSC got IuCS interface
OsmoSGSN got IuPS interface
OsmoHLR got support for 3G mutual authentication
OsmoHNBGW for talking Iuh to femtocells
-
Osmocom Cellular Network in 2017
-
OsmocomBB
Full baseband processor firmware implementation of a mobile phone (MS)
We re-use existing phone hardware and re-wrote the L1, L2, L3 and higher level logic
Higher layers reuse code from OpenBSC wherever possible
Used in a number of universities and other research contexts
-
OsmocomBB use cases
Applied security research on Infrastructure
Fuzzing / exploiting of protocol parsers on network side
RACH denial of service
Check if networks use random padding
Detect IMSI catchers or other false base stations
Assess GSM network (operator) security level
Study + learn how a GSM stack / phone works
Protocol tracing of your own transactions with the network
-
OsmocomTETRA
SDR implementation of a TETRA radio-modem (PHY/MAC)
Rx is fully implemented, Tx only partial
Can be used for air interface interception
Accompanied by wireshark dissectors for the TETRA protocol stack
-
OsmocomTETRA use cases
Analysis/assessment of TETRA network security
Learn how TETRA works on the lowest levels (L1, MAC, L3)
Protocol analysis / sniffing / intercepting unencrypted networks
-
OsmocomGMR
ETSI GMR (Geo Mobile Radio) is "GSM for satellites"
GMR-1 used by Thuraya satellite network
OsmocomGMR implements SDR based radio modem + PHY/MAC (Rx)
Partial wireshark dissectors for the protocol stack
Reverse engineered implementation of GMR-A5 crypto
Speech codec is proprietary, still needs reverse engineering
-
OsmocomGMR use cases
Analysis/assessment of GMR/Thuraya security (there is none)
Learn and understand how satellite telephony L1 and protocol work
Actual interception of SMS + data
Voice still difficult due to proprietary undocumented codec
-
OsmocomDECT
ETSI DECT (Digital European Cordless Telephony) is used in millions of cordless phones
deDECTed.org project started with open source protocol analyzers and demonstrated many vulnerabilities
OsmocomDECT is an implementation of the DECT hardware drivers and protocols for the Linux kernel
Integrates with Asterisk
-
OsmocomOP25
APCO25 is Professional PMR system used in the US
Can be compared to TETRA in Europe
OsmocomOP25 is again SDR receiver + protocol analyzer
Use cases like OsmocomTETRA
-
OsmoSDR
small, low-power / low-cost USB SDR hardware
higher bandwidth than FunCubeDongle Pro
much lower cost than USRP
Open Hardware
Developer units available
-
rtl-sdr
re-purpose a USD 20 DVB-T USB dongle based on Realtek chipset
deactivate/bypass DVB-T demodulator / MPEG decoder
pass baseband samples via high-speed USB into PC
no open hardware, but Free Software
-
OsmocomSIMTRACE
Hardware protocol tracer for SIM - phone interface
Wireshark protocol dissector for SIM-ME protocol (TS 11.11)
Can be used for SIM Application development / analysis
Also capable of SIM card emulation and man-in-the-middle attacks
-
osmo_ss7, osmo_map, signerl
Erlang-language SS7 implementation (MTP3, SCCP, TCAP, MAP)
SIGTRAN variants (M2PA, M2UA, M3UA and SUA)
Enables us to interface with GSM/UMTS inter-operator core network
Already used in production in some really nasty special-purpose protocol translators (think of NAT for SS7)
-
osmo_ss7, osmo_map, signerl use cases
Implement GSM/3G core network elements (HLR, SCF, etc.)
Applications that interact with GSM/3G core network elements
Mostly useful for small MVNOs or other operators who have requirements that cannot be fulfilled with off-the-shelf proprietary equipment.
-
More Osmocom projects
Have a look at http://git.osmocom.org/
100 public git repositories / projects at this point
way too many to cover here in this talk
Often RTFS, no manual/docs
-
Future projects
The OpenBTS Um - SIP bridge
OpenBTS is a SDR implementation of GSM Um radio interface
directly bridges to SIP/RTP, no A-bis/BSC/A/MSC
suitable for research on air interface, but very different from traditional GSM networks
work is being done to make it interoperable with OpenBSC
-
airprobe.org
SDR implementation of Um sniffer
suitable for receiving GSM Um downlink and uplink
predates all of the other projects
more or less abandoned at this point
-
xgoldmon
extract all GSM/GPRS and even 3G protocol messages from your Samsung Galaxy 2, Galaxy 3, Note 2, Nexus phone via USB
feed them into your PC running xgoldmon
forward them from xgoldmon via GSMTAP into wireshark
https://github.com/2b-as/xgoldmon
-
sysmocom GmbH
systems for mobile communications
small company, started by two Osmocom developers in Berlin
provides commercial R&D and support for professional users of Osmocom software
develops + sells products like sysmoBTS (inexpensive, small-form-factor, OpenBSC compatible BTS)
runs a small webshop for Osmocom related hardware items like SIMtrace
-
Where do we go from here?
Now that we have GSM, GPRS, EGPRS, UMTS: LTE, of course
Re-using femtocells in creative ways
Proprietary PMR systems
-
Call for contributions
Don’t you agree that classic Internet/TCP/IP is boring and has been researched to death?
There are many more communications systems out there
Never trust the industry, they only care about selling their stuff
Let’s democratize access to those communication systems
Become a contributor or developer today!
Join our mailing lists, use/improve our code
for OsmocomBB you only need a EUR 20 phone to start
-
Thanks
I’d like to thank the many Osmocom developers and contributors, especially
Dieter Spaar
Holger Freyther
Andreas Eversberg
Sylvain Munaut
Neels Hofmeyr
Also, thanks to CEPT for permitting the GSM specs to be written in English (not French, the official Language of the international postal system)
-
Thanks
Thanks for your attention. I hope we have time for Q&A.
EOF.