Date posted: 24-May-2015
Uploaded by: 0xdeadc0de
Opensource GSM baseband firmware
Why?
● Free kernels, free OSes, free WiFi drivers, free GPU drivers, free RFID readers, free software radio, why not free cellphone firmware?
● Challenge the "secret sauce" vendor attitude
● Cellphone network security research
● Disruptive competition
● Knowledge is power
Roadblocks
● The cellphone chipset industry is very closed (even phone manufacturers don't get chipset programming information)
● The cellphone network equipment industry is dominated by 4 major players (and even more closed)
● There is no "padawan" learning path
● GSM protocol stacks are not shipped in the mainline kernel
● The government creeps in everywhere in the telco world
Why GSM?
● Simple but usable
● Deployed worldwide
● Hackable & abundant hardware
● GSM bands propagate very nicely
Source: http://en.wikipedia.org/wiki/Comparison_of_mobile_phone_standards
GSM Radio interface (3): Logical channels
● BCCH, SCH, FCCH
● RACH, PCH, AGCH
● SACCH, FACCH
● SDCCH
● TCH/F, TCH/H
● AAARGHCH, WTFCH
Osmocom project
OpenSource MObile COMmunications
http://osmocom.org/
● openBSC
● BB (baseband)
● DECT
● TETRA
● GMR
● OP25
GSM Network
BTS – Base Transceiver Station (the tower)
BSC – Base Station Controller (the brain)
MSC – Mobile Switching Controller (the router)
HLR – Home Location Register (/etc/passwd)
MS – Mobile Station
POTS – Plain Old Phone System
OpenBSC
OpenBTS
OsmocomBB
The BTS: OpenBTS (2009, 1998)
Source: http://openbts.sourceforge.net/
The core network: OpenBSC (1995, 2008)
The phone: ? OsmocomBB
GSM radio interface (1): Frames & physical channels
Source: http://www.tele-servizi.com/janus/engfield2.html
GSM radio interface (2): Bursts
Source: http://www.scholarpedia.org/article/Global_system_for_mobile_communications_%28GSM%29
Anatomy of a cellphone (1)
RFFE
ABB (ADC + DAC)
DBB (DSP + MCU)
LCD, KBD, etc.
Iota (TWL3025)
Rita (TRF6151)
Calypso (G2 C035)
RFFE – RF Frontend
ABB – Analog Baseband
DBB – Digital Baseband
MCU – Microcontroller Unit
Motorola C118 aka Compal E88 aka GTA0x
Anatomy of a cellphone (2)
RFCLK == 26 MHz
TSP – Time Serial Port
BSP – Baseband Serial Port
USP – uController Serial Port
APC – Automatic Power Correction
AFC – Automatic Frequency Correction
I/Q – modulation stuff you don't need to know ;-)
VCO – Voltage Controlled Oscillator
GSM/DCS/PCS – these are frequency bands
Anatomy of a cellphone (3)
Source: http://bb.osmocom.org/trac/wiki/TypicalCalypsoModemDesign
OsmocomBB features
● Supports Calypso chipset, found inside:
Motorola C115/C117 (Compal E87)
Motorola C123/C121/C118 (Compal E88)
Motorola C139/C140 (Compal E86)
Motorola C155 (Compal E99)
Openmoko GTA01/GTA02
● Low-level RF drivers & synchronous TDMA
● GSM Layer 2 (LAPDm) and Layer 3 (RR/MM/CC)
● RS232-HDLC connection to PC for debugging
● RX-only by default
Osmocom-bb code structure
osmocom-bb/src/
  target/firmware/
    rf/
    abb/
    calypso/
      dsp.c, tsp.c, tpu.c, clock.c, sim.c, uart.c
    flash/
osmocom-bb/host/
  osmoload
  layer23
Calypso SoC block diagram (figure residue): RFFE, ABB, DSP, ARM, API RAM, TSP, TPU, SRAM, Flash, DPLL, GEA, ULPD, UART, SIM; HDLC over RS232 to the PC
Demo!
Plan:
0. Downloading and building the code
   Start the osmocom-bb on the cellphone
1. Login to a network
2. Make a call, receive a call
3. Send and receive SMS
Where do we go from here?
● Handover support
● GPRS support
● Multi-SIM capability
● More Calypso phones (http://www.myphone.pl ?)
● Mediatek MTK6235 support – GSM L1 stack in the kernel possible
● Compliance testing & certification
Backup slides
GSM sux, let's try WCDMA
● What about reverse engineering WCDMA baseband firmware? http://events.ccc.de/congress/2011/Fahrplan/events/4735.en.html
● Maybe a SDR LTE base station? http://bellard.org/lte/ (not public yet)
Other opensource radiocomm projects
● OpenBSC
● OpenDECT
● OpenTETRA
● OpenGMR
● OpenOP25
● Put your pet radio interface here