GSM Network using OpenBTS


GSM Network using OpenBTS Ramon Torres Gomez A20314467 5/9/2014 rtorresg@hawk.iit.edu Project Report 1

Abstract

This paper describes how to create a small cellular GSM network using OpenBTS software. It explains what OpenBTS is and the other elements used for this project, the functionality of those elements and how they are connected. It also explains how to install OpenBTS and other open software programs such as Asterisk, and how to configure them. The architecture of a GSM network is explained and compared with the architecture of the OpenBTS network. The paper also describes some other projects that can be done with OpenBTS. It does not explain Asterisk or other OpenBTS configurations in depth.

Table of Contents

GSM Network using OpenBTS
Abstract
Table of Contents
Introduction
GSM
OpenBTS
OpenBTS Network
Testing
Future Projects
Conclusions
References
Appendices

Introduction

GSM (Global System for Mobile Communications) is a 2G cellular network. It provided a good voice service but did not include data service. The network that I am going to build will provide functionality similar to a 2G network. Even though the architecture of the OpenBTS network is very different from the GSM network architecture, it will have elements with functionality similar to the 2G network elements. From my point of view, the OpenBTS network architecture has more similarities with the 4G network because it is IP based.

The goal of this project is to create a small GSM network using open software. What I am going to do is connect 2 OpenBTS systems (2 base stations) and be able to call from one base station to another using cellphones. Cellphones will be able to do mobility (moving from one base station to another) and handover (while a call is taking place the cell phone moves to another base station and the new base station has to manage the call).

GSM

An explanation of GSM and how it works will help to understand the way my project works. GSM is a cellular network that provides voice, SMS and additional services such as emergency calls. The goal of GSM was to support services similar to PSTN services and provide a digital air interface.

GSM Architecture

This picture represents a basic concept of the GSM architecture. As you can see, the air interface is composed of BTSs. Each BTS represents a cell, which is its coverage area. A group of BTSs managed by a BSC represents a location area. Finally, BSCs are managed by an MSC, and this element connects the GSM network to other networks like the PSTN.

Figure 1: GSM Architecture

This picture represents a more detailed architecture of a GSM network. Besides the ME, BTS, BSC and MSC, it includes the registers that the network requires: HLR, VLR, EIR and AuC. As we can see, the BTS and the BSC represent the Base Station System (BSS), and the MSC and the registers represent the Core Network.

Figure 2: Detailed GSM Architecture

GSM Elements

MS (Mobile System)
It is composed of the Mobile Equipment (ME) and the SIM card. There are some important terms related to the mobile system that we need to know: IMEI, MSISDN, IMSI and TMSI. The IMEI (International Mobile Equipment Identity) is a number used to identify the mobile equipment (ME), the terminal itself. The MSISDN (Mobile Subscriber ISDN) is the MS phone number. The IMSI (International Mobile Subscriber Identity) is a number assigned to each MS by the network so the network can identify all the MSs. The TMSI (Temporary Mobile Subscriber Identity) has the same functionality as the IMSI, but the TMSI is a temporary number that is changed periodically.

BTS (Base Station)
The BTS contains the radio components that provide the RF air interface. Its functions are channel coding and decoding, rate adaptation, encryption, paging and uplink signal measurement.

BSC (Base Station Controller)
The BSC controls groups of BTSs and manages the radio channels. It manages control messages from and to the MS. It also does encryption, paging, traffic measurement, authentication and location update, and manages handover.

MSC (Mobile Switching Center)
It is the telephone switching office for the MS. It provides service to mobiles located within a certain geographic coverage area. It is the interface to the BSS and to the PSTN. It controls call setup and routing procedures, collects billing data, compiles traffic statistics and controls the location registration and handover procedures.

HLR (Home Location Register)
It is a register that contains subscriber data. It contains the IMSI of each MS, authentication parameters, the services that each MS is subscribed to and special routing information. It also contains the current subscriber status, the temporary roaming number and the associated VLR.

AuC (Authentication Center)
This entity works together with the HLR to perform MS authentication. It handles all the security associated with subscribers.

VLR (Visited Location Register)
This register has a function similar to the HLR. It is a problem for the cellphone to send its IMSI every time it has to authenticate, so the network assigns the MS a temporary ID called TMSI. The TMSI is stored in the VLR. The VLR controls MSRNs (Mobile Station Roaming Numbers) and handover when it takes place within the same MSC. Typically there is one VLR per MSC.

EIR (Equipment Identity Register)
It consists of a centralized database for validating the IMEI. The EIR contains lists of IMEIs and classifies them in three ways: White List when IMEIs are valid, Black List when IMEIs are invalid (stolen), or Grey List when IMEIs are suspicious or have problems.

OpenBTS

What is OpenBTS?

OpenBTS (Open Based Transceiver Station) is a software-based GSM access point allowing standard GSM-compatible mobile phones to be used as SIP endpoints in Voice over IP (VoIP) networks. It has the same functionality as the BTS of a GSM network.

OpenBTS Architecture

To understand how OpenBTS works, we first have to look at the layer architecture of GSM.

Figure 3: Protocol Layers of GSM

We can see that the BTS has 3 layers: TDMA, LAPDm and RR. It also has a layer 0, which is the physical layer (Radio Interface). Layer 1 is TDMA (Time Division Multiplexing Access). TDMA is the procedure where each physical channel (frequency) is divided into time slots so users can share a frequency using different time slots to communicate. Layer 2 is LAPDm (Link Access Procedure on Dm Channel), which is a GSM version of LAPD from ISDN. Layer 3 is RR (Radio Resource) and manages the allocation, configuration and connection of radio channels. OpenBTS contains those 3 layers, and for the physical layer (layer 0) we have to connect a USRP to OpenBTS. OpenBTS doesn't have any connection with BSC and MSC.
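The identities defined under GSM Elements (IMSI, TMSI, IMEI) travel over the air in a Mobile Identity element, for instance inside an MM location updating request. The following is an added example, not part of the original report or of OpenBTS: it decodes that element as laid out in 3GPP TS 24.008, reports when an IMSI rather than a TMSI is sent, and classifies an IMEI against EIR-style lists. The sample bytes, list contents, function names and the rule that an unlisted, well-formed IMEI counts as white are assumptions.

```python
# Added illustration: sample bytes, list contents and function names are
# constructed here and do not come from the report or from OpenBTS.
ID_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}

# Constructed samples (value part of the element, without tag and length).
SAMPLE_IMSI = bytes.fromhex("0910101032547698")  # 001010123456789, test PLMN
SAMPLE_TMSI = bytes.fromhex("f412345678")
SAMPLE_IMEI = bytes.fromhex("4a09512430325781")  # 490154203237518


def decode_mobile_identity(value: bytes):
    """Return (type_name, identity_string) for a Mobile Identity value."""
    if not value:
        raise ValueError("empty Mobile Identity")
    id_type = ID_TYPES.get(value[0] & 0x07)      # bits 1-3: type of identity
    if id_type is None:
        raise ValueError("unsupported identity type")
    if id_type == "TMSI":                        # 0xF4 followed by 4 octets
        if len(value) != 5:
            raise ValueError("TMSI must be 4 octets")
        return id_type, value[1:].hex()
    nibbles = [value[0] >> 4]                    # digit 1: high nibble, octet 1
    for octet in value[1:]:
        nibbles += [octet & 0x0F, octet >> 4]    # earlier digit in low nibble
    # Bit 4 clear means an even digit count, so the last nibble is a filler.
    if not value[0] & 0x08 and nibbles.pop() != 0x0F:
        raise ValueError("missing 0xF filler")
    if any(n > 9 for n in nibbles):
        raise ValueError("non-decimal digit")
    return id_type, "".join(map(str, nibbles))


def luhn_ok(digits: str) -> bool:
    """Check the Luhn check digit that ends a 15-digit IMEI."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)        # double every second digit
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def eir_check(imei: str, black=frozenset(), grey=frozenset()) -> str:
    """Classify an IMEI; unlisted but well-formed means white (assumption)."""
    if len(imei) != 15 or not imei.isdigit() or not luhn_ok(imei):
        return "invalid"
    if imei in black:
        return "black"
    return "grey" if imei in grey else "white"


def assess(value: bytes, black=frozenset(), grey=frozenset()) -> str:
    """Summarise one captured identity from a monitoring point of view."""
    id_type, ident = decode_mobile_identity(value)
    if id_type == "IMSI":
        return "IMSI sent in clear: " + ident    # permanent identity exposed
    if id_type == "IMEI":
        return "IMEI %s: EIR status %s" % (ident, eir_check(ident, black, grey))
    return "%s %s" % (id_type, ident)


if __name__ == "__main__":
    for sample in (SAMPLE_IMSI, SAMPLE_TMSI, SAMPLE_IMEI):
        print(assess(sample, black={"490154203237518"}))
```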

OpenBTS Network

With an OpenBTS system we can connect cellphones to the network and make calls between them, but how can we connect two OpenBTS systems and simulate a real GSM network with all its components? How can we do mobility and handover? We need to add elements that provide the functionality of a BSC, MSC and the core registers. I found 2 ways of creating this network. The first that I saw consisted of using the OpenBSC open software. The second way came up in April 2014, when the OpenBTS project launched OpenBTS version 4.0. This version allows you to connect two or more OpenBTS systems using Asterisk and experience mobility and handover. With version 2.8 you can do mobility but not handover.

Using OpenBSC

OpenBSC is the name of software that emulates the BSC element of a GSM network. It has been developed by Osmocom, which is not the same company that developed OpenBTS. Connecting this element to OpenBTS will help emulate a real network. Osmocom OpenBSC was designed to be connected to commercial BTSs, and the idea is to connect it to OpenBTS. The problem with this method is that OpenBTS and OpenBSC are developed by different companies, so they are not compatible with each other and I will need to modify the source code.

Figure 4: Protocol Layers for Open-source Network

As you can see in the picture, we will need to combine OpenBTS with other BTS software from Osmocom. The USRP will be at layer 0 and it will be connected to OpenBTS and to OsmoUSRP at layer 1. OpenBTS will be located at layers 1 and 2 because the layer 3 functionality will be managed by OsmoBTS. OsmoBTS will be connected to OpenBSC without any kind of problem because they were developed to work together.

Figure 5: Physical architecture 1

Using Asterisk

With OpenBTS version 2.8 you can connect 2 OpenBTS systems using Asterisk. This version allows you to make calls between different base stations and do mobility but not handover. Version 4.0 was released in April, and with this version it is possible to do handover. The architecture will be very simple. Asterisk will have the functionality of a BSC and some of the registers like the HLR and the AuC. Asterisk will route the calls from one base station to another and will transfer the call if a handover occurs.

Figure 6: Logical architecture

Figure 7: Physical architecture 2

This is the provisional physical architecture of my project; there can still be changes in the second BTS. What we have now is Server 1 with OpenBTS and Asterisk installed and a USRP. The second BTS can be built as described for Server 2, or we can substitute Server 2 and the USRP with a RangeNetworks OpenBTS.

Figure 8: Physical Architecture 3

Testing

We can test the USRP air interface in several different ways. The first one is to get a Linux OS and install AirProbe. This program contains 3 main subprojects: acquisition, demodulation and analysis. Acquisition is responsible for receiving and digitizing the air interface. The demodulation module translates the signal processed by acquisition into bits. Analysis contains all the protocol parsing and decoding capabilities. We can use Wireshark to analyze the traces.

Here we can see some examples of ladder diagrams of the signaling between a cellphone and a base station:

Figure 8: Cell-phone authentication and TMSI allocation

Figure 9: Call origin

Figure 10: SMS sent

Figure 11: SMS received

This is how the ladder diagrams look. Now we are going to look at the traces of some of the messages sent:

Figure 12: MM location updating request, at figure 8

Figure 13: RR paging request, at figure 11

Future Projects

Besides creating a small network, we can also connect an OpenBTS system to NG911. For this purpose we can use Asterisk to route the calls from a cellphone to NG911, and we can test the SIP messages using Wireshark. It would be interesting to compare the messages from the cellphone using AirProbe and see the translation to SIP by observing traces captured by Wireshark. We will have to create an extension in Asterisk so that every time a cell phone dials that extension the call is routed to NG911.

Conclusions

This semester I have been finding out the ways of doing this project and I think that I will do it with Asterisk and using OpenBTS version 4.0. The other way to do this (Figure 5 Physical Architecture 1) is too complex because you need to modify the source code and make OpenBTS and OpenBSC compatible, and I think that it is no longer necessary to use OpenBSC having OpenBTS version 4.0. Most of the information for doing this project is taken from the OpenBTS manual, so I think this project will be ready for July 25th.

References

http://openbsc.osmocom.org/trac/wiki/openbsc
http://wush.net/trac/rangepublic/wiki/wikistart#howdoigetstarted
http://scholar.lib.vt.edu/theses/available/etd-05082012-141540/unrestricted/cooper_ta_t_2012.pdf
GSM information taken from course ITMO 542: Wireless Communications
http://www.wu.ece.ufl.edu/projects/wirelessvideo/project/gnu_radio_usrp/how_to_test_usrp.html
http://ntnu.diva-portal.org/smash/get/diva2:355716/fulltext01.pdf

Appendices

OpenBTS Installation

On an Ubuntu OS, enter the following commands.

To get the latest version:

    svn co http://wush.net/svn/range/software/public

To install the necessary libraries:

    sudo apt-get install autoconf libtool libosip2-dev libortp-dev libusb-1.0-0-dev g++ sqlite3 libsqlite3-dev erlang libreadline6-dev libncurses5-dev

Building OpenBTS

OpenBTS should, in principle, build and run on any Unix-like operating system, including 64-bit. However, in practice, most of our development is done on Ubuntu 10 or 12.04 LTS systems, so these are best-supported.

Range Networks RAD1

Building for Range equipment is easiest, as it has no external dependencies. Just run the following commands:

    cd openbts/trunk
    autoreconf -i
    ./configure
    make

With the build resolved, you'll need to build and link the transceiver appropriate for your hardware. For a Range Networks basestation unit these links are (from OpenBTS root):

    cd apps
    make
    ln -s ../TransceiverRAD1/transceiver .
    ln -s ../TransceiverRAD1/ezusb.ihx .
    ln -s ../TransceiverRAD1/fpga.rbf .