openbts+sw1

Contents

1 Introduction to OpenBTS: 4

1.1 What is a Base Transceiver Station: 4

2 overall architecture and implementation plan of the OpenBTS. 6

2.1 Typical “upstream” data flow in the GSM air interface of the OpenBTS: 6

2.2 Typical “downstream” data flow in the GSM air interface of the OpenBTS : 7

3 Coding: Use of Objects, Threads and C++ 7

3.1 Threads 7

3.2 Namespaces 8

3.3 Optimization 8

3.4 Testing and Consistency Checking 8

3.5 C++ Tools 8

3.6 Wrappers 8

3.7 Vector Classes 9

3.8 Interthead Classes 9

3.9 Important C++ Object Hierarchies 9

3.10 Data Transfer Object Classes 9

3.11 Logical Channel Structure and Subclasses 10

4 Time Domain Mutliplexing (TDM) Sublayer 11

5 Software Transceiver 11

6 Global GSM Object 12

6.1 Global Configuration Information 12

6.2 LCH Creation, Allocation and Deallocation 12

7 Use of SIP and Asterisk 13

8 OpenBts Modules-Files: 13

8.1 AsteriskConfig 13

8.2 CommonLib 13

8.3 Control 13

8.3.1 Introduction 13

8.3.2 CallControl.cpp: 14

8.3.3 DCCHDispatch.cpp 20

8.3.4 MobilityManagement.cpp 21

8.3.5 SMSControl.cpp 21

8.3.6 ControlCommon.cpp: 22

8.3.7 ControlCommon.h: 22

8.4 GSM 23

8.4.1 Introduction: 23

8.4.2 GSM layer 3: 23

8.4.2.2.2 L3 MM messages 27

8.4.3 GSM layer 2: 31

8.4.4 LAYER 1 : 32

8.5 SIP 34

8.6 SMS 34

8.7 TRXManager 34

8.8 Transceiver 34

8.9 apps 34

8.9.1 OpenBTS.config 34

8.9.2 OpenBTS.cpp 34

8.10 doc 34

8.11 tests 34

8.12 Smqueue 34

8.13 CLI 35

8.13.1 What is the function of the command line interpreter? 35

8.13.2 Some of the supported commands in OpenBTS: 35

8.14 HLR 36

8.14.1 What is a home location register ? 36

8.14.2 HLR in Open BTS : 36

9 Compiling and running OpenBTS: 38

9.1 Hardware used: 38

9.2 Software used: 38

9.3 Important notes before GNU radio setup 38

9.3.1 GNU radio dependencies: 38

9.3.2 Other useful packages 39

9.4 GNU radio setup 39

9.5 Testing the WBX 42

9.6 Compiling and running openbts 42

Tables:

Table 1-L3 RR messages 24

Table 2- L3 RR messages (cont.) 25

Table 3-L3 MM messages 27

Table 4-L3 CC messages 29

Table 5-some of the supported commands in OpenBTS 35

Figures:

Figure 1-MOC sequence diagram for L3 messages 16

Figure 2-MOC sequence diagram 17

Figure 3-MTC sequence diagram for L3 messages 19

Figure 4-MTC sequence diagram 19

Figure 5-successful result for GNU radio configuration 41

List of abbreviations:

RR Radio Resource

MM Mobility Management

CC Call Control

BTS Base Transceiver Station

CLI Command Line Interpreter

HLR Home Location Register

MOC Mobile Originated Call

MTC Mobile Terminated Call

Software Architecture of the OpenBTS

1 Introduction to OpenBTS OpenBTS is an open-source Unix application that uses the Universal Software Radio Peripheral

(USRP) to present a GSM air interface ("Um") to standard GSM handset and uses the Asterisk®

software PBX to connect calls. The combination of the ubiquitous GSM air interface with VoIP

backhaul could form the basis of a new type of cellular network that could be deployed and

operated at substantially lower cost than existing technologies in green fields in the developing

world [1]

In plain language, we are working on a new kind of cellular network that can be installed and

operated at about 1/10 the cost of current technologies, but that will still be compatible with most of

the handsets that are already in the market. This technology can also be used in private network

applications (wireless PBX, rapid deployment, etc. ) at much lower cost and complexity than

conventional cellular[1] .

Telecom industry is one of the rapidly growing industries all over the world. The entrance of open-

source team into the telecom industry made a revolutionized change in the industry. Asterisk was a

typical example for it which was a featured PBX for home users, enterprises, VoIP service

providers and telecoms in such a low cost that anyone even imagined. Asterisk is both an Open

Source Community and a commercial product from Digium[1] .

Now again another open source coming which allows standard GSM-compatible mobile phones to

make telephone calls without using existing telecommunication providers’ networks. ie we can

build up our own network just like vodafone, airtel or any. The project was started by

HarvindSamra and David A. Burgess and named it as OpenBTS. . OpenBTS is notable for being

the first free software implementation of the industry-standard GSM protocol stack[1] .

1.1 What is a Base Transceiver Station:

A normal GSM network working is as follows. The end point of the system will be BTS (Base

Transceiver Station) which send radio frequency signal to and from mobile devices or a modem.

The BTS comes under BSC(Base station Controller) with makes the communication between there

radio signals with MSC/VLR. The MSC/VLR is responsible to authenticate the user against the

database (HLR – Home Location Register, AuC -Authentication Center), call setup and call routing.

A typical GSM network diagram is shown below[1] .

http://bipinb.com/www.asterisk.org

The OpenBTS replaces the entire setup with USRP(Universal Software Radio Peripheral), and a

computer as hardware. USRP to receive and transmit the GSM signaling(GNURadio is the driver

software for this),OpenBTS package play the role of MSC/VLR and Asterisk software PBX will be

used to connect calls. The below diagram shows a typical OpenBTS network[1] .

Potential applications include:

rural/village telephony and text messaging

cellular coverage in remote areas (e. g. ships, oil rigs)

law enforcement and security operations

rapidly deployable emergency communications

network emulation and handset testing.

2 overall architecture and implementation plan of the OpenBTS. [1] The general shape of the OpenBTS is a collection of parallel “logical channels”, defined in GSM04.

03. Each channel, in turn, is built from layers that roughly follow the OSI standard model. (We say

“roughly” because GSM predates the OSI model. )GSM 04. 01 Section 7 gives an initial overview

of these layers.

As per GSM 04.01 Section 7. 3, the layers of the air interface Um are:

• L1, “PHYSICAL LAYER”, the radio modem, time-division multipexing, and error-correcting

coding, GSM 04. 04 and GSM 05.xx series

• L2, “DATA LINK LAYER”, link layer addressing, segmentation and retransmission (LAPDm),

GSM 04. 05 and 04.06, ITU-T Q. 921.

• L3, “L3”, signaling and connection management, GSM 04. 07, 04.08, 04.10, 04.11, 04.12 and

ITU-T Q. 931.

When describing these layers we will refer to the “low” side of the layer as the side the interfaces

closer to the hardware and the “high” side as the side that interfaces to higher-level functions. In a

BTS, the low-to-high direction is “uplink” and the high-to-low direction is “downlink”. In the MS,

those labels are reversed.

2.1 Typical “upstream” data flow in the GSM air interface of the OpenBTS: 1. Radio bursts arrive at the USRP and are digitized. The resulting samples are transferred to the

transceiver software in the host CPU in time-tagged USB packets, using the standard USRP

interface.

2. The transceiver syncs the USRP timetags with the GSM master clock, isolates each radio burst

and demodulates it into a vector of symbol likelihoods (“soft symbols”). The modulation format is

defined in GSM 05. 04 and the burst formats are described in GSM 05. 02 Section 5. 2.

3. The soft symbol vector for each radio burst is timetagged with the GSM frame clock and

transferred to the GSM stack via a datagram interface.

4. In the GSM stack, the TDM sublayer (of L1) demultiplexes each bust according to its timetag

and sends it to the appropriate logical channel.

5. The logical channel passes each burst into its L1 FEC processor according to the rules of GSM

05. 02.

6. The L1 FEC processor performs the FEC decoding described in GSM 05. 03. The output is a

sequence of L2 frames taken by the logical channel and sent up to an L2 processor.

7. The L2 processor runs the LAPDm state machine that performs acknowledgments,

retransmissions and segmentation. This state machine is defined implicitly in GMS 04. 06 and

given explicitly in ITU-T Q. 921. When an incoming L3 frame has been verified and assembled, it

is placed into a queue for consumption by L3. In the course of operation, LAPDm also injects L2

frames into the downstream flow for acknowledgment and retransmission requests.

8. In L3, a dispatch function determines the message protocol and type and calls the appropriate

control function to deserialize the message and act on its content, generally producing an L3

response on the downlink. These control functions also interact with the outside world via SIP and

other protocols.

2.2 Typical “downstream” data flow in the GSM air interface of the OpenBTS :

1. In L3, a control function generates an L3 message, serializes the message into an L3 frame and

sends it into the logical channel, which in turn passes it down to L2.

2. The L2 processor breaks the L2 frame into segments, wraps each segment in an L2 frame. Each

L2 frame is sent down to L1 according to the LAPDm state machine of GSM 04. 06 and ITU-T Q.

921.LAPDm may also generate additional L2 frames on its own according to its acknowledgment

and retransmission rules.

3. The L1 FEC processor encodes each L2 frame according to the rules of GSM 05. 03, generating

four outgoing radio bursts. Each radio burst is timetagged with its intended transmission time

according to the TDM rules of GSM 05. 02. These bursts are passed on to the TDM interface.

4. The downstream TDM sublayer is just a mutex-controlled socket interface where the radio bursts

from L1 are reformatted into messages on the transceiver’s datagram interface.

5. Upon arriving in the transceiver, the outgoing radio bursts are sorted into a priority queue

according to transmission time. Bursts are pulled from the queue as they become ready for

transmission and the modulated according to GSM 05. 04. The modulated waveform samples are

sent to the USRP over the standard timetagged USB interface. If no burst is ready for transmission

at a given time the transceiver generates an appropriate filling sequence.

6. In the USRP the samples are converted to an analog waveform for transmission over the radio

channel.

3 Coding: Use of Objects, Threads and C++ The OpenBTS software is written in C++ and should be portable to any 32-bit Unix system. Initial

supported platforms will be Fedora and Darwin, but there is no reason for the resulting system not

to be portable to other Unix variants. In the interest of simplicity, compactness and efficiency,

limit our use of allocated memory, multiple inheritance, templates and standard library container to

the greatest degree practical.

3.1 Threads The implementation of the OpenBTS makes use of the POSIX thread library, pthreads. For those

unfamiliar with threads or who have an aversion to them, this may seem frightening and strange, but

the effect of this approach is to greatly simplify the code in each layer of the BTS. You can have N

threads each with K states or one thread with KN states. We choose the former. The price of

threads is discipline in the use of synchronized interthread communication. Do use mutexes. Do

not just use volatiles.

The general rule is that single-state transformational operations are performed with direct calls

while multi-state machines, especially those with internal timeout behaviors, have their own threads

and accept their inputs over FIFOs. The threads and FIFOs may be hidden inside the state machine

objects. This approach allows the state machines to be decoupled, greatly simplifying the code.

3.2 Namespaces

The OpenBTS will use the following namespaces:

GSM – The GSM L1-L2 stack and L3 messages.

SIP – The SIP stack.

Control – The GSM/SIP hybrid control layer.

SMS used to add the SMS function

SMqueue

Commandline a name space for the command line interface

3.3 Optimization

From prior experience with several software radio systems, we expect that the bulk of the

computational load in the OpenBTS will be in the software transceiver and L1 FEC decoding.

That’s because L2 frames arrive at a maximum rate of about 50 Hz while radio burst are transacted

at about 200 Hz and GSM channel symbols must be processed at 271 kHz. For the rural telecom

application, optimization of beacon generation and RACH detection is also important since the BTS

is expected to sit largely idle most of the time. There’s not a lot of point in optimizing most of the

rest of the code for speed. Instead, the rest of the system should be optimized for space to minimize

cache misses in the computationally intensive code.

3.4 Testing and Consistency Checking The full BTS will be a complex system that will be nearly impossible to debug if the individual

components are not tested in isolation prior to integration. 2 To enforce good testing practices, we

recommend the following:

• Use assert() calls liberally to insure internal consistency. Do not continue once an unresolvable

error condition is identified.

• Build unit test fixtures for every component in the system. Do not check in code that does not

pass the unit tests. It would be especially nice if someone could automate this testing process.

• If you know there’s a potential problem in a piece of code, use a “FIXME” comment. If you leave

something undone, use a “TODO” comment.

• Use the bug tracking system. That’s why it’s there.

3.5 C++ Tools Part of what will let us build an efficient BTS quickly is careful choice of underlying tools.

3.6 Wrappers

The project uses a set of simple wrapper classes that give object-oriented interfaces for some

pthreads and stdlib mechanisms. These include wrappers for threads, signals, recursive mutexes,

and C time-of-day facilities. These wrappers simplify the use of these facilities by including

standard allocation and initialization steps that are common across the application.

3.7 Vector Classes The Vector template is a fixed size array that offers simple pointer-based access. The key feature of

the Vector subclass is the ability to create “aliases”, where multiple Vector objects share the same

physical block of memory. These aliases can also have different offsets into the common block,

forming subvectors. The underlying mechanism is a C array. The SoftVector is used to represent

symbol likelihood vectors used in soft input and soft output Viterbi coders and decoders. The

BitVector is a Vector class for serialization and deserialization of packed bitfields. The

SignalVector and ComplexVector are are numeric classes used in the GMSK modem.

3.8 Interthead Classes Most interthread communication is mediated through special container classes with built-in

synchronization controls.

The InterthreadQueue class is a thread-safe pointer FIFO that supports non-blocking writes,

nonblocking reads and blocking reads with a timeout. The underlying mechanism is a singly-linked

list with head and tail pointers having no maximum size. The normal use of the InterthreadQueue is

to allocate an object and then put the pointer into the queue. The reader is responsible for deleting

the pointer. For fixed-size objects used in this manner, a special-purpose allocator can reduce

overhead.

The InterthreadMap class is a thread-safe associative array that includes a blocking read that waits

for the arrival of a specified key. The underlying mechanism is std::map.

3.9 Important C++ Object Hierarchies The OpenBTS will use C++ object classes and inheritance. There are a few object hierarchies of

particular interest:

• Layer Processor Classes. These objects implement the layers L1-L3 of the air interface.

• Data Transfer Classes. These are the objects that are used for interlayer communication. Most

are BitVector subclasses.

• Logical Channel Classes. These objects define the L1-L2 logical channels between the MS and

the BTS control functions.

• L3 Message and Element Classes. These are used to serialize and deserialize the messages of

GSM 04. 08.

3.10 Data Transfer Object Classes The interlayer communication uses these object classes:

• RadioBurst. Carries a radio burst of GSM 05. 02 Section 5. 2 along with timestamp.

– TxBurst. Used for downlink radio bursts to be transmitted. Carries hard-valued channel bits and

transmit power level relative to full scale on the given ARFCN. The timestamp indicates the

intended transmission time.

– RxBurst. Used for received uplink radio bursts. Carries soft-value channel bit estimates, RSSI,

and receive timing error. The timestamp indicates the arrival time of the burst.

• L2Frame. Carries an L1-L2 interlayer primitive. Optionally carries a data link layer frame as

described in GSM 04. 06 Section 2 and a restriction on the placement of the data in the TDM

structure.

• L3Frame. Carries an L2-L3 interlayer primitive. Optionally carries the serialized bits of a single,

complete L3 message from GSM 04. 08 Section 9.

3.11 Logical Channel Structure and Subclasses Following the OSI model, each logical channel is processed in three layers: L1, L2, L3. Each layer

is represented by an object (a layer processor) that has read and write methods on its high and low

sides. These objects are persistent over the life of the application. In the normal course of the

OpenBTS application, the destructors for these classes should never be invoked.

The layer processor classes are:

• L1FECEncoder. Accepts L2Frame objects, encodes them into TxBurst objects. Algorithms

defined in GSM 05. 03.

• L1FECDecoder. Accepts RxBursts from the TDM sublayer and processes them into L2Frame

objects. Algorithms defined in GSM 05. 03.

• L1FEC. A container for a channel’s L1FECEncoder and L1FECDecoder.

• L2LAPDm. The L2LAPDm transacts L2Frame objects with L1 and L3Frame objects with L3.

Implements the LAPDm state machine as described in GSM 04.06 and ITU-T Q. 921.

• L3StateMachine. The L3StateMachine transacts L3Frame objects with L2. Implements the

protocols of GSM 04. 08 and also interfaces with SIP entities.

• BCH (broadcast channels)

– SCH

– FCCH

– BCCH

• NDCCH (non-dedicated control channels)

– CCCH (downlink unicast)

– RACH (uplink shared)

• DCCH (dedicated control channels, Dm)

– SDCCH

– SACCH

– FACCHF (full rate)

• TCHF (full rate speech, GSM 06. 10, Bm). Many traffic channel classes are ignored here, as are

half-rate channels. They are not a priority in a first release.

4 Time Domain Mutliplexing (TDM) Sublayer The TDM sublayer forms the interface between the physical channels on the transceiver interface

and the logical channels in the higher layers. It implements the rules of GSM 05. 02. All LCHs on

an ARFCN share a common TDM sublayer. In the uplink side, the TDM sublayer accepts all of the

RxBurst objects from a single ARFCN and demultiplexes them according to their frame count

timestamps into a table of LogicalChannel objects. In the downlink side, the multiplexing layer is a

pass-through to the transceiver interface, but with mutex controls and serialization.

5 Software Transceiver The software transceiver includes the subband tuner, GMSK modems and the master GSM symbol

clock for the air interface. Its low side interface transfers raw baseband samples to and from the

USRP. Its high side interface transfers RxBurst and TxBurst objects to and from the GSM stack

and transacts control commands and clock values. To compensate for latency in the stack and

interface, the GSM frame clock value reported to the GSM stack is advanced slightly. The timing

reference for the GSM symbol clock is the sample clock in the USRP, as is standard in most

software radio designs.

For the uplink, the software transceiver has information about which timeslots and frame positions

carry active channels and it demodulates only those active parts of the signal. It timestamps each

TxBurst according to the frame clock value when the burst arrived.

For the downlink, the timestamp on anTxBurst indicates the time at which a radio burst is to be

transmitted. If a downlink radio burst is not available for transmission when the GSM clock

reaches a given value, the transceiver generates an appropriate filler pattern based on the clock

value. TxBursts can be sent over this interface out of order, with the transceiver interface sorting

them prior to transmission. If the TxBurst’s indicated time has passed, the burst is discarded and

the clock advance value is adjusted to prevent further late bursts. This adjustment is in one

direction and quickly settles to an appropriate value for the system.

Because the software transceiver links with the GPL’d USRP driver, it is compiled as a separate

application and communicates with the rest of the GSM stack over a UDP interface. Expressed in

terms of a base port, B, the UDP ports used for the transceiver interface are:

• master clock interface on port B

• control interface for ARFCN N on port B + 2N + 1

• data interface for ARFCN N on port B + 2N + 2

The protocol on the master clock interface has a single message that periodically indicates the

current value of the BTS master clock, with an additional advance to compensate for latency. This

message is an unacknowledged indication from the transceiver to the GSM stack. These are

human-readable ASCII messages sent once per superframe and whenever the clock advance value

is adjusted.

The protocol on the per-ARFCN control interface has commands for power control, tuning and

configuration of the channel combination on each slot. Each command has a corresponding

response for integrity on the UDP link. The are human-readable ASCII messages.

The protocol on the per-ARFCN data interface uses binary messages to convey RxBurst and

TxBurst objects with one burst per UDP packet to minimize latency. There are no

acknowledgments on this interface because there is no point in retransmitting packets in a low-

latency realtime link.

Eventually, we will replace to USRP driver with non-GPL code and replace this socket protocol

with a direct method interface just like the interface on every other layer and sublayer object in the

system.

6 Global GSM Object There is a single global object of the class GSM::Configuration, called gBTS, that acts as a

collection point for the complete state and configuration of the access point’s GSM stack. This

object is created during initialization and never destroyed.

6.1 Global Configuration Information

The global object gBTS keeps all of the BTS configuration parameters and state for the cell,

including ARFCN set, cell ID, LAC, etc. This information is used to fill system information

messages on the BCCH and SACCH and is readily available to the control layer.

6.2 LCH Creation, Allocation and Deallocation The gBTS object tracks all of the existing LogicalChannel objects in the system in an allocation

pool. The allocator includes methods to create new LogicalChannel objects and add them to the

pool as the BTS’s channel combinations are configured on start-up. Once created, these

LogicalChannel objects are persistent over the life of the application.

When a control layer function determines that it needs a new logical channel for a transaction, it

invokes the channel allocator to find an available LogicalChannel object of the proper type in the

pool. Channel availability is defined by a set of Z. 100-type timers in L1: T3101, T3107, T3109

and T3111, described in GSM 04. 08 Section 11. 1. 2. If any timer is expired, the channel is

available. Once identified, the channel is opened, reseting the channel state and starting T3101 or

T3107. This timer change moves the channel to the non-available state. The channel is then given

to the calling control layer function for use in a transaction.

Normally, at the end of the transaction the channel is closed from above with a “release” primitive

that passes down to L1, starting T3111. Once T3111 expires, the channel becomes available for

reuse. In an abnormal release (a dropped connection), one of the other timers will expire instead.

T3107 or T3101 will expire if the MS fails to pick up an assigned channel at the start of a

transaction. T3109 will expire if the uplink signal is lost during a transaction. Any any case, one of

the timers will expire, moving the channel to the available state.

It should be stressed that this mechanism does not create or destroy LogicalChannel objects. It

manages a pool of long-lived objects that are recycled for different transactions, just like the radio

channels themselves.

7 Use of SIP and Asterisk One of the keys to simplifying the OpenBTS is to push as much of the control layer as possible into

the Asterisk PBX. To that end, we will use Asterisk for nearly all call control functions and as

an integral part of mobility management. The simplest way to do this in a first release is to use

subscriber IMSIs as SIP user names and to present each GSM handset to Asterisk as a SIP client.

The OpenBTS control layer (L3) largely exists to perform mapping operations:

• GSM location updates get mapped to SIP registrations.

• Call connection transactions get mapped to corresponding SIP transactions. Since GSM call

control is very similar to H. 323 and ISDN/Q. 931 call control, there’s very little that is mysterious

or novel about this mapping.

• GSM traffic channels get mapped to RTP channels. Again, the mapping is obvious and the only

tricky piece of engineering is latency control.

Only radio resource operations are fully terminated in the OpenBTS itself, with the RR control layer

providing the functional equivalent of a BSC. Everything else maps to SIP and eventually

terminates in Asterisk, with the Asterisk network providing the functional equivalent of an MSC.

This is “network in a box” with Asterisk replacing the SS7 parts.

8 OpenBts Modules-Files:

8.1 AsteriskConfig Asterisk configuration files for use with OpenBTS.

8.2 CommonLib

Common-use libraries, mostly C++ wrappers for basic facilities.

8.3 Control

8.3.1 Introduction

Control functions carry out the various procedures described in GSM 04. 08 Sections 3-5. These

functions are called in L3.

access grant (GSM 04. 08 Section 3. 3. 1)

paging (GSM 04. 08 Section 3. 3. 2)

location updating (GSM 04. 08 Section 4. 4)

mobile-terminated call setup (GSM 04. 08 Section 5. 2. 1)

mobile-originated call setup (GSM 04. 08 Section 5. 2. 2)

mobile-terminated call disconnect (GSM 04. 08 Section 5. 4. 4)

mobile-originated call disconnect (GSM 04. 08 Section 5. 4. 3)

E-MOC -- Emergency Mobile Originated Connect (mobile calling out)

This is the minimum transaction set to support telephony. These transactions are run by these top-

level control functions:

• AccessGrantor sends out SDCCH Immediate Assignments on the CCCH. It is invoked from the

RACH dispatcher and returns when the assignment has been delivered. Its arguments are the tag

and timestamp of a RACH Channel Request message.

• Pager sends out paging messages. It is invoked from the SIP stack whenever an INVITE message

arrives and returns when the subscriber IMSI has been enqueued for paging on the CCCH. Its

argument is a reference to an IMSI.

• LocationUpdater runs the registration transaction of GSM 04. 08 Section 4. 4. It is invoked by

the SDCCH dispatcher when a Location Updating Request is received and returns when the

transaction is complete. Its argument is a reference to an SDCCH LogicalChannel where the

transaction is carried out.

• MTCConnector starts a mobile terminated call and returns when the call is cleared. It is invoked

by the SDCCH dispatcher when a Paging Response is received. It continues the SIP transaction

started by the INVITE message that triggered the corresponding Paging Request. Its argument is a

reference to an SDCCH LogicalChannel where the transaction will start. It allocates a

TCH/FACCH as part of the transaction. It calls CallManager once the call is connected.

• MOCConnector starts a mobile originated call (MOC) and returns when the call is cleared. It is

invoked by the SDCCH dispatcher when a CM Service Request is received. Its argument is a

reference to an SDCCH LogicalChannel where the transaction will start. It allocates a

TCH/FACCH as part of the transaction. It calls CallManager once the call is connected.

• CallManager runs a call once the setup transaction is complete. It processes any L3 messages

that arrive while the call is in progress and invokes functions as needed for the call disconnection

state machines.

Most control layer functions return boolean values indicating whether or not the transaction ended

during the function call. For example, a function for some call control sub-procedure will return a

boolean indicating whether or not the call was cleared during the sub-procedure. Most control layer

functions take a LogicalChannel reference as an argument

E-MOC -- Emergency Mobile Originated Connect used for handling emergency calls.

8.4

8.4.1 CallControl.cpp:

8.4.1.1 What is implemented?

Mobile originated call procedure

Mobile terminated call procedure

Emergency calls

Test calls

8.4.1.2 Mobile originated call:

A mobile originated call is initiated by the MS. In the open source version, we will skip the

authentication steps and simply respond to the CM Service Request with a CM Service Accept or

Reject.

8.4.1.2.1 Steps of mobile originated call?

– CM Service Request (MM, 9.2.9)1, decode. This message indicates to the BTS that the

phone will require ISDN-style (connection-oriented) services.

– CM Service Accept (MM, 9.2.5), encode. This message allows us to bypass authentication

and proceed directly to ISDN-style/Q.931call control.

– CM Service Reject (MM, 9.2.6), encode. This message is sent to reject service if the call

setup cannot be performed for some reason, such as an lack of available traffic channels.

– Setup (CC, 9.3.23), decode. Simply skip unsupported elements based on T and L fields

when parsing. This message triggers an INVITE message to the Asterisk server that

starts the hybrid Q.931/SIP call setup procedure.

– Call Proceeding (CC, 9.3.3), encode.

– Assignment Command (RR, 9.1.2), encode. This message moves the transaction from

the SDCCH to the TCH/FACCH.

– Assignment Complete (RR, 9.1.3), decode. This is the first message sent from the phone

on the newly assigned TCH/FACCH.

1 GSM 04.08

– Alerting (CC, 9.3.1), encode. This message corresponds to the SIP 180 Ringing message.

– Progress (CC, 9.3.17), encode. This message is needed to keep the connection alive when

Asterisk delays are large. It is similar in purpose to the SIP 100 Trying message.

– Connect (CC, 9.3.5), encode. This message corresponds to the SIP 200 OK message.

– Connect Acknowledge (CC, 9.3.6), decode. This message corresponds to the SIP ACK

message.

8.4.1.2.2 MOC sequence diagram:

BTS MS

CM Service Request

CM Service Accept

setup

call proceeding

assignment command

Assignment Complete

alerting

connect

connect acknowlege

progress

ASTERISK

send INVITE()

send ok()

send ACK for OK

Figure 1-MOC sequence diagram for L3 messages

8.4.1.2.3 How it is implemented in OpenBTS ?

Mobile originated call is implemented in OpenBTS in the file CallControl.cpp & CallControl.h

through the two functions MOCStarter which implements the MOC sequence until the transaction

is moved from the SDCCH to the TCH/FACCH & MOCController which implements the rest of

the MOC sequence

8.4.1.2.4 Sequence of functions' call:

DCCHDispatchOpenBTS CallControlMobilityManagement

main()

DCCHDispatcher ()

CMServiceResponder ()

MOCStarter()

MOCController()

Figure 2-MOC sequence diagram

8.5

8.6

8.6.1.1 Mobile terminated call:

A mobile terminated call is a call that is received by the MS. In the open source version, we will

skip the authentication steps by sending a CM Service Accept or Reject after receiving the Paging

Response.

8.6.1.1.1 Steps of mobile terminated call?

– Paging Request Type 1 (RR, 9.1.22), encode. This message is sent whenever a SIP

INVITE message arrives from Asterisk.

paging response (RR, 9.1.22) , decode

– Setup (CC, 9.3.23), encode. This message carries the content of the SIP INVITE message

to the phone.

– Call Confirmed (CC, 9.3.2), decode.

– Assignment Command (RR, 9.1.2), encode.

– Assignment Complete (RR, 9.1.3), decode.

– Alerting (CC, 9.3.1), decode.

– Progress (CC, 9.3.17), encode.

– Connect (CC, 9.3.5), decode.

Connect Acknowledge (CC, 9.3.6), encode

8.6.1.1.2 MTC sequence diagram

BTS MS

Paging Request Type 1

Paging Response

setup

call confirmed

assignment command

Assignment Complete

alerting

connect

connect acknowlege

progress

Figure 3-MTC sequence diagram for L3 messages

8.6.1.1.3 How it is implemented in OpenBTS ?

Mobile terminated call is implemented in OpenBTS in the file CallControl.cpp & CallControl.h

through the two functions MTCStarter which implements the MTC sequence until the transaction

is moved from the SDCCH to the TCH/FACCH & MTCController which implements the rest of

the MTC sequence

8.6.1.1.4 Sequence of functions' call:

DCCHDispatchOpenBTS CallControlMobilityManagement

main()

DCCHDispatcher ()

CMServiceResponder ()

MTCStarter()

MTCController()

Figure 4-MTC sequence diagram

8.6.2 DCCHDispatch.cpp

8.6.2.1 What is implemented?

Dispatcher for messages passing through DCCH

Dispatcher for RR messages passing through DCCH

Dispatcher for MM messages passing through DCCH

8.6.2.2 Important functions:

1- void Control::DCCHDispatcher(LogicalChannel *DCCH)

persistent-thread control function for the DCCH

2- void DCCHDispatchRR(const L3RRMessage* req, LogicalChannel *DCCH)

Dispatch the appropriate controller for a Radio Resource message

3-void DCCHDispatchMM(const L3MMMessage* req, LogicalChannel *DCCH)

Dispatch the appropriate controller for a Mobility management message

8.6.3 MobilityManagement.cpp

8.6.3.1 What is implemented:

Imsi detach

Location update

A handler for CM service request

sending the welcome message


1-void Control::CMServiceResponder(const L3CMServiceRequest* cmsrq, LogicalChannel*

DCCH)

Controller for CM Service requests, dispatches out to multiple possible transaction controllers

2- void Control::IMSIDetachController(const L3IMSIDetachIndication* idi, LogicalChannel*

DCCH)

Controller for the IMSI Detach transaction

3- void Control::LocationUpdatingController(const L3LocationUpdatingRequest* lur,

SDCCHLogicalChannel* SDCCH)

Controller for the Location Updating transaction

4-bool sendWelcomeMessage(const char* messageName, const char* shortCodeName,

SDCCHLogicalChannel* SDCCH)

Send a given welcome message from a given short code

8.6.4 SMSControl.cpp


methods to handle sending SMS between the BTS and a MS

Mobile Originated Short Message Service controller

Mobile Terminated Short Message Service controller


void Control::MOSMSController(const L3CMServiceRequest *req, LogicalChannel *LCH)

Mobile Originated Short Message Service controller

void Control::MTSMSController(TransactionEntry& transaction, LogicalChannel *LCH)

Mobile Terminated Short Message Service controller

8.6.5 ControlCommon.cpp:


Functions that are used to update the transaction table or search for a certain mobile

identifier in it.

Functions that resolve a mobile identity to get the corresponding IMSI and maybe the

corresponding TMSI for the retrieved IMSI.

8.6.6 ControlCommon.h:

This file contains the prototype definitions for the functions implemented in the .CPP files

mentioned above.

8.7 GSM

8.7.1 Introduction:

The GSM stack is divided into 3 layers, we will discuss each layer briefly and how it is

implemented in the Open BTS project, first the document starts by discussing L3 messages and

their classification into 3 types RR ,MM and CC , a brief description for L2LAPDm protocol is

found in section 3 and finally the document describes how L1 is implemented in the OpenBTS

project.

8.7.2 GSM layer 3:

Messages sent between the BTS and the MS are described in GSM layer 3 and they are called GSM

layer 3 messages they are used in debugging problems during communication between BTS and

MS.

8.7.2.1 Imperative part of L3 messages:

The imperative part of a standard L3 message is composed a header possibly followed by

mandatory standard IEs having the format V or LV.

For further details on L3 messages please see GSM 04.07 clause 11.

8.7.2.2 L3 messages in OpenBTS:

Forming and parsing L3 messages are implemented in the following files:

GSML3Message.cpp

GSML3Message.h

Some important functions:

void L3Message::write(L3Frame& dest) const

writes a l3 message (header skip indicator , pd , message type then calls the function that

writes the l3 message's body.

GSM::L3Message* GSM::parseL3(const GSM::L3Frame& source)

Parses l3 messages and determines which type is it(RR,MM,CC)

There are three main types of L3 messages which are implemented in the Open BTS project:

radio resource messages

mobility management messages

call control messages

These messages are used in debugging problems occurring during the communication between the

BTS and the MS and they are logged through the logging file of the project.

These messages are described in the ETSI GSM standard 04.08 clause 9.

8.7.2.2.1 L3 RR messages

Table 1-L3 RR messages

Table 2- L3 RR messages (cont.)

8.7.2.2.1.1 L3 RR messages in Open BTS:

system information types 1-9

system information types 13, 16 and 17

Paging Response

Paging Request Type 1

Measurement Report

Assignment Complete

Immediate Assignment

Immediate Assignment Reject

Assignment Command

Assignment Failure

Channel Release

Channel Mode Modify

Channel Mode Modify Acknowledge

GPRS Suspension Request

Classmark Change

RR Status

8.7.2.2.1.2 Files that implement L3 RR messages in OpenBTS:

GSML3RRMessages.cpp

GSML3RRMessages.h

GSML3RRElements.cpp

GSML3RRElements.h

The first two files contain functions that are responsible for structuring the RR messages as

specified in the standards , they also provide parsing methods for messages that come from the MS

as a response for any of the RR messages.

Each message is implemented by a function that is responsible for structuring the message and is

named like that messagename::writebody( )

For incoming messages that need to be parsed the message is named like that

messagename::parsebody( )

Example:

Parsing the page response message which is initiated by the MS as a response for any of the

following RR messages :

Paging request type 1



The other two files provide methods to ease dealing with the elements that form the RR messages.

8.7.2.2.2 L3 MM messages

Table 3-L3 MM messages

8.7.2.2.2.1 L3 MM messages implemented in Open BTS:

IMSI Detach Indication

CM Service Request

CM Service Accept

CM Service Reject

CM Service Abort

CM Re-establishment Request

Identity Response

Identity Request

MM Information

Location Updating Accept

Location Updating Reject

Location Updating Request

MM Status

8.7.2.2.2.2 Files that implement L3 MM messages in OpenBTS:

GSML3MMMessages.cpp

GSML3MMMessages.h

GSML3MMElements.cpp

GSML3MMElements.h

The first two files contain functions that are responsible for structuring the MM messages as

specified in the standards.


named like that messagename::writebody( ).

The other two files provide methods to ease dealing with the elements that form the MM messages.

8.7.2.3 L3 CC messages

Table 4-L3 CC messages

8.7.2.3.1.1 L3 CC messages implemented in Open BTS:

Alerting

Connect

Disconnect

Connect Acknowledge

Release Complete

Setup

Emergency Setup

CC Status

Call Confirmed

Call Proceeding

Start DTMF

Start DTMF Reject

Start DTMF Acknowledge

Stop DTMF

Stop DTMF Acknowledge

Hold

Hold Reject

8.7.2.3.1.2 Files that implement L3 CCmessages in OpenBTS:

GSML3CCMessages.cpp

GSML3CCMessages.h

GSML3CCElements.cpp

GSML3CCElements.h

The first two files contain functions that are responsible for structuring the CC messages as

specified in the standards.


named like that messagename::writebody( )

The other two files provide methods to ease dealing with the elements that form the CC messages.

8.7.3 GSM layer 2:

Layer 2 in the GSM stack the data-link layer. Across the Um interface, the data-link layer is a

modified version of the Link access protocol for the D channel (LAP-D) protocol used in ISDN,

called Link access protocol on the Dm channel (LAP-Dm)

Note: The term Dm channel is used for convenience to designate the collection of all the various

signaling channels required in the GSM system.

It is implemented through the following files :

GSML2LAPDm.cpp

GSML2LAPDm.h

GSMTransfer.h

GSMTransfer.cpp

The first two files implement the algorithms and the state machines of the LAPDM protocol.

The other two files implement methods for structuring and formatting L2 meesages.

For further details on L2 LAPDM please see GSM 04.06 .

8.7.4 LAYER 1 :

Represents the physical layer of the GSM stack.

Maps physical channel into logical channels.

Sends and receives bits from the transceiver module.

Interfaces with the transceiver through the transceiver manager module.

The interface with the transceiver is through a UDP port to ensure portability and modularity for

both modules.

8.7.4.1 LAYER 1 in OpenBTS:

Layer 1 is implemented through the following files :

GSML1FEC.cpp

GSML1FEC.h

GSMLogicalChannel.h

GSMLogicalChannel.cpp

GSMTDMA.h

GSMTDMA.cpp

The GSML1FEC.h file contains the classes representing encoders and decoders for different logical

channels here are some of them:

class L1Encoder

Abstract class for L1 encoders.

In most subclasses, writeHighSide() drives the processing.

class L1Decoder

An abstract class for L1 decoders.

writeLowSide() drives the processing.

class L1FEC

The L1FEC encapsulates an encoder and decoder.

class RACHL1Decoder

L1 decoder for Random Access (RACH).

class XCCHL1Decode

Abstract L1 decoder for most control channels

class SDCCHL1Decoder

L1 decoder for the SDCCH.

class SACCHL1Decoder

L1 decoder for the SACCH

The GSML1FEC.h file implements the encoders and decoders for the various logical channels and

also the L1 FEC which is an encapsulated encoder and decoder.

The GSML1FEC.cpp file contains some important functions such as:

void FCCHL1Encoder::generate()

BCCHL1Encoder::generate()

void SCHL1Encoder::generate()

void RACHL1Decoder::serviceLoop()

The first three functions are called through service loops ,they run continuously until the looping

condition is violated , these functions are responsible for sending the data sent by the logical

channel calling it

example : void FCCHL1Encoder::generate()

Responsible for sending the zero burst which is sent on the FCCH logical channel as specified in

the GSM standards.

The fourth function has a service loop pulls RACH bursts from a FIFO and sends them to the

decoder.

GSMLogicalChannel.h & GSMLogicalChannel.cpp provide classes and methods to deal with

the logical channels in general such as open & close or constructors and service loops that weren't

mentioned in GSML1FEC.cpp and GSML1FEC.h.

GSMTDMA.h & GSMTDMA.cpp are responsible for mapping logical channels into physical

channels.

8.7.4.2 Other important files

GSMCommon.cpp

GSMCommon.h

GSMConfig.cpp

GSMConfig.h

GSMSAPMux.cpp

GSMSAPMux.h

GSMCommon.cpp and GSMCommon.h contain some important functions which set the uplink and

downlink frequencies and calculate the current frame number besides other functions.

GSMConfig.cpp and GSMConfig.h contain the GSMConfig class which holds the GSM

configuration parameters such as:

network color code

basestation color code

GSM operating band

copy of the BTS master clock

Encoded L2 frames to be sent on the BCCH

Encoded L3 frames to be sent on the SACCH

GSMSAPMux.cpp and GSMSAPMux.h implement methods needed for dealing with a SAPMUX.

8.7.4.3 What is a SAPMUX?

A SAPMux is a multipexer the connects a single L1 to multiple L2s.

A "service access point" in GSM/ISDN is analogous to port number in IP.

GSM allows up to 4 SAPs, although only two are presently used.

See GSM 04.05 5.2 for an introduction.

8.8 SIP

Components of the SIP state machines used by the control layer.

8.9 SMS

The SMS stack.

8.10 TRXManager The interface between the GSM stack and the radio.

8.11 Transceiver The software transceiver and specific installation tests.

8.12 apps OpenBTS application binaries , these folder contains some important files such as:

8.12.1 OpenBTS.config

Through this file you can alter all system’s configurations such as the GSM band(900/1800) ,the

logging file’s path , which transceiver to use (52 MHZ/64 MHZ) , …. Etc.

8.12.2 OpenBTS.cpp

Contains initializations for some objects then implements the main function of the project

8.13 doc Project’s documentation.

8.14 tests Test fixtures for subsets of OpenBTS components.

8.15 Smqueue RFC-3428 store-and-forward server for SMS.

8.16 CLI

8.16.1 What is the function of the command line interpreter?

It receives a command from the user through the command line interface, checks if it is a valid one

and if so it executes this command.

It can also be used to get help about any of the available commands.

8.16.2 Some of the supported commands in OpenBTS:

command Help

Loglevel [level] -- get/set the logging level, one of {ERROR, ALARM, WARN, NOICE, INFO,

DEBUG, DEEPDEBUG}.

Setlogfile <path> -- set the logging file's path.

Printtmsis [\"clear\"] -- print/clear the TMSI table

Sendsms send SMS to <IMSI>, addressed from <src>, after prompting

cellID [MCC MNC LAC CI] -- get/set location area identity (MCC, MNC, LAC) and cell ID

(CI)

Table 5-some of the supported commands in OpenBTS

The command line interpreter is implemented through the following two files:

CLI.cpp

CLI.h

8.17 HLR

8.17.1 What is a home location register ?

The home location register (HLR) is a central database that contains details of each mobile phone

subscriber that is authorized to use the GSM core network. There can be several logical, and

physical, HLRs per public land mobile network (PLMN), though one international mobile

subscriber identity (IMSI)/MSISDN pair can be associated with only one logical HLR (which can

span several physical nodes) at a time.

The HLRs store details of every SIM card issued by the mobile phone operator. Each SIM has a

unique identifier called an IMSI which is the primary key to each HLR record

8.17.2 HLR in Open BTS :

HLR in Open BTS is implemented through the following files :

1- HLR.cpp

2-HLR.h

Open BTS does its calls through ASTERISK so the HLR implemented in Open BTS records data

related to ASTERISK such as the registration IP .

Here are some of the important functions in this subsystem and their description:

1-virtual char* getIMSI(const char* ISDN) =0;

Resolve an ISDN or other numeric address to an IMSI.

2-virtual char* getCLIDLocal(const char* IMSI) =0;

Given an IMSI, return the local CLID, which should be a numeric address

3-virtual char* getCLIDGlobal(const char* IMSI) =0;

Given an IMSI, return the global CLID, which should be a numeric address.

4-virtual char* getRegistrationIP(const char* IMSI) =0;

Given an IMSI, return the IP address of the most recent registration.

5-virtual Status addUser(const char* IMSI, const char* CLID) =0;

Add a new user to the HLR.

6-virtual Status addAddress(const char* IMSI, const char* ISDN) =0;

Add an address for a user.

9 Compiling and running OpenBTS:

9.1 Hardware used:

USRP

WBX daughter board

2 antennas for tx and rx

Your PC or laptop

9.2 Software used:

LINUX operating system(ubuntu 10.10)

GNU radio 3.3.0

Open BTS software version 2.6 ttsou expanded daughter board support

Python 2.6

GRC 1.3

9.3 Important notes before GNU radio setup

If you have gnuradio 3.2 then you should completely remove it

Wbx doesn't work with gnuradio before 3.3

openbts 2.5.4 lacassine doesn't work with gnuradio 3.3.0 (not sure)

9.3.1 GNU radio dependencies:

You need to install these packages before installing GNU radio:

python-dev

FFTW 3.X (fftw3, fftw3-dev)

cppunit (libcppunit and libcppunit-dev)

libboost (for GNU radio 3.3.0 install libboost 1.40)

libusb and libusb-dev

wxWidgets (wx-common) and wxPython (python-wxgtk2.8)

python-numpy (via python-numpy-ext) (for SVN on or after 2007-May-28)

ALSA (alsa-base, libasound2 and libasound2-dev)

Qt (libqt3-mt-dev for versions earlier than 8.04; version 4(libqtcore4-libqtgui4) works for 8.04 and

later)

SDL (libsdl-dev)

GSL GNU Scientific Library (libgsl0-dev >= 1.10 required for SVN trunk, not in binary

repositories for 7.10 and earlier)

SWIG (1.3.31 or newer required)

Edgy or previous: requires installation from source

Feisty or newer: use the standard package install (swig)

QWT and QWT PLot3d libraries (optional for Qt Gui)

9.3.2 Other useful packages

doxygen (for creating documentation from source code)

octave (from "universe")

9.4 GNU radio setup

Install guile

Install sdcc

Install JACK,libjack-dev

Install libosip

Install libqtgui4,python-qt4,libgnuradio-qtgui0,python-gnuradio-qtgui

Install Python-lxml,Python-Cheetah ==> for grc

Install libortp-dev ==> for OpenBts code configure

Cd GNU radio

Enable ./configure:type “chmod a+x ./configure” in gnuradio-3.3.0 and gnuradio-

3.3.0/usrp2/firmware

Enable ./configure.gui

./configure

Make

Sudo make install

If the configuration is successful the following message should appear on the terminal:

Figure 5-successful result for GNU radio configuration

After ./ configure you should make sure that gr-usrp compnent was successfully installed

You should make sure that the make command doesn't result in any error

Install GRC 1.3 from synaptic package manager

Set the pythonpath and the LD_LIBRARY path as follows:

Cd home/<username>

Gedit .bashrc

Write the following lines at the end of the .bashrc file

export LD_LIBRARY_PATH=/usr/local/lib

export PYTHONPATH=usr/local/lib/python2.6/site-packages

To make sure that these paths were changed type the following command in the terminal:

Env

Go to usr/local/share/gnuradio/grc/freedesktop

Run grc

If you get an error telling you that the python or ld_library paths are not installed correctly then

make sure that python-gnuradio is installed

9.5 Testing the WBX

Connect the usrp

Type lsusrp in the terminal

9.6 Compiling and running openbts

copy these files into ur code's directory:

all files in /usr/share/libtool/config/ except the softlinks config.sub and config.guess

copy config.sub and config.guess from /usr/share/misc to ur code's directory

Type the following commands in the terminal:

1-aclocal

2-autoconf

3-autoheader

4-automake

5-./configure

6-make

7-sudo make install

8-cp OpenBTS.config.example OpenBTS.config

9- alter the required settings in OpenBTS.config(mcc= 602 ,mnc= 04 or greater,arfcn =20)

10-cd apps

11-./OpenBTS

Now start searching for the OpenBTS network

10 REFERENCES

[1] The Open BTS Project, David A. Burgess, Harvind S. Samra, August 3, 2008.

[2] Mobile radio interface layer 3 specification, GSM 04.08 version 7.7.1 Release 1998

openbts+sw1

Documents

home location

cm service

cm service

readable ascii

command line

master clock

dedicated

outgoing radio