
Introducing OsmocomBB: 0x02 Hardware

Transceiver

It all started in 2010, when the Osmocom developers had completed the bulk of OpenBSC and needed a client-side (mobile station) implementation of the GSM protocol. There were two possible paths: build a transceiver on new hardware, or use an off-the-shelf device. Motorola phones based on the Calypso chipset were chosen as the hardware platform: the C123, C118 and C121. Why Calypso? Because the specifications of this chipset leaked to the Internet at some point and remain available to this day.
Firmware disassembly began, and the same year the first commit appeared in the project repository. Later the project was ported to other phones with the same chipset, such as the Sony Ericsson J100i, Pirelli DP-L10, Neo 1973, Neo Freerunner and several other Motorola C- and V-series phones. The supported platforms are listed on the project's Hardware / Phones page.

Data transfer from the mobile station (MS), i.e. the phone, to the base station (BTS) takes place in several stages. First, a transmission event is generated by the main CPU and passed to the digital signal processor (DSP), which captures the signal from the microphone and passes it to the hardware modulator. After modulation the signal is converted from digital to analog, amplified, and routed through the antenna switch to the antenna, which radiates it over the air. Reception is the reverse process, except that the signal is filtered and demodulation is done in software on the DSP.
The question arises: can OsmocomBB run on modern phones?
Unfortunately not. The first problem is secure boot. It is no secret that many devices have a bootloader that launches the firmware, and cell phones are no exception. In most cases the bootloader is locked and refuses to load third-party firmware. Bootloaders can sometimes be unlocked, but there is a more serious problem: the drivers and specifications for the DSPs are closed and available only to a select few.
Now for the second fly in the ointment: these phones are not easy to find. They were produced in the second half of the 2000s, and today they can be found on AliExpress, on eBay, or on Avito in neighbouring cities. The third option is the most practical, since instead of the Osmocom phone you ordered, an "article" (as in a criminal charge) may arrive. I managed to get only three compatible phones, two C118s and one C115, so I will describe working with those. The C118 is built on the E88 platform, the C115 on the E87; according to the project developers the two are 99.9% identical. A little photo shoot:


Another important detail. In the USA, Canada, Africa and some Latin American countries, GSM operates in the 850/1900 MHz bands, and phones of the US standard were made for those markets; phones of the EU standard were made for the standard frequency ranges. The OsmocomBB project was originally designed for the EU standard, though some enthusiasts have managed to modify the source code and run the firmware on US phones. In any case, I recommend sticking to the EU standard. How do you tell them apart? Look at the seller's geographic location. You can also simply check that the phone works on your local network by calling someone.
Wires and Converters

The phones in question have a serial port whose pins are on the board. Amusingly, the headset jack also acts as a serial port and can be used to debug the original firmware (service menu code **16379#) and to talk to the bootloader. When the phone is switched on, the built-in bootloader sends a request over the serial port to download firmware, and if nobody answers it, the firmware is loaded from flash memory.

The most suitable converters are based on the FT232 chipset. Out of the box they support non-standard data rates and work quite stably. The next recommended chipset is the CP2102, which I use myself. Converters based on it are inexpensive and, after reflashing, also support non-standard rates; reflashing instructions are in the Hardware / CP210xTutorial section. The PL2303 is suitable only for a limited range of tasks, since it cannot work at high speeds and sometimes the firmware loads only every other attempt.
As for the jack, the contact farthest from the base (the tip) is TxD, the middle one is RxD, and the remaining one is GND. Solder carefully so as not to overheat anything, and when done, check the resistance of each contact with a multimeter. After that you can test the cable:
# 1. Switch the phone off
# 2. Connect it to the computer
# 3. If you do not have minicom, install it:
$ sudo apt-get install minicom
# 4. Start it in setup mode
$ sudo minicom -s
# 5. Go to "Serial port setup".
# Select your port, which can be found in the output of: ls /dev/ | grep tty
# Speed 115200, 8-N-1 (8 data bits, no parity, 1 stop bit).
# Then press "Enter", followed by "Esc".
# 6. Press the phone's power button once (do not hold it).
# If the line @ftmtoolerror appears, you are ready to move on.
List of possible errors:
- Jack contacts burned during soldering. This does happen, so it is better to buy several jacks at once and check the resistance of each contact.
- Wrong converter. Check the chipset marking: FT232 and FT232RL are not always the same thing. If the chipset is the one you need, you can run a small diagnostic by shorting RX and TX together (a loopback). Everything you send to the serial port should then come straight back.
- The phone hangs at the boot stage. Remove the battery and reinsert it.
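A scripted version of the cable check above, covering both the wait for the bootloader's @ftmtoolerror banner and the RX/TX loopback test from the error list. This is an added example, not code from the article or from OsmocomBB; it assumes pyserial is installed and that the converter appears as /dev/ttyUSB0.

```python
"""Serial cable self-test for a Calypso-based Motorola (C118/C115) behind a
USB-to-serial converter.  Added example, not code from the article or from
OsmocomBB.  Assumes pyserial (pip install pyserial) and that the converter
shows up as /dev/ttyUSB0; both are assumptions, not facts from the article."""
import random
import sys
import time

BAUD = 115200                   # same 115200 8-N-1 setting as the minicom steps
BOOT_MARKER = b"@ftmtoolerror"  # string the phone emits on the jack at power-on


def open_port(dev="/dev/ttyUSB0"):
    """Open the converter at 115200 8-N-1 with a short read timeout."""
    import serial  # pyserial; imported here so the helpers below run without it
    return serial.Serial(dev, BAUD, bytesize=8, parity="N", stopbits=1, timeout=0.5)


def loopback_check(port, nbytes=32, retries=3):
    """Echo test for a converter whose RX and TX pins are shorted together.
    `port` is anything with write()/read(n), e.g. serial.Serial."""
    for _ in range(retries):
        probe = bytes(random.randrange(256) for _ in range(nbytes))
        port.write(probe)
        if port.read(nbytes) == probe:
            return True
    return False


def wait_for_boot_marker(port, timeout=10.0):
    """Read until the bootloader banner appears; True if BOOT_MARKER was seen.
    Press the phone's power button once (do not hold it) after calling this.
    Bytes are accumulated so a marker split across reads is still found."""
    deadline = time.monotonic() + timeout
    buf = b""
    while time.monotonic() < deadline:
        buf += port.read(64)
        if BOOT_MARKER in buf:
            return True
    return False


if __name__ == "__main__":
    # usage: cable_check.py [/dev/ttyUSBn] [--loopback]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    port = open_port(args[0] if args else "/dev/ttyUSB0")
    if "--loopback" in sys.argv:
        print("loopback OK" if loopback_check(port) else "no echo: wrong wiring or chipset?")
    else:
        print("bootloader seen" if wait_for_boot_marker(port) else "no @ftmtoolerror within 10 s")
```

Run it with --loopback while RX and TX are shorted on the converter (no phone attached), then without the flag with the phone connected and switched off, pressing the power button once after the script starts.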
Multiple phones
For the main OsmocomBB modules, one phone is enough. To run a BTS, however, you will need at least two. A base station must broadcast beacon packets that announce its presence and let phones connect to it, and the network performance of a single phone that both sends beacons and handles user connections is disastrously poor. Likewise, when sniffing GSM traffic it is better to have at least two phones: one listens to the signalling messages for the subscriber being monitored, while the other switches to that subscriber's frequencies and records the conversation.
Bonus!
