Introducing OsmocomBB: 0x01 Introduction

OsmocomBB is a project whose goal is a free (open source) implementation of the GSM protocol stack. OsmocomBB provides firmware source code for compatible phones, as well as software for interacting with them from a computer. In this series of articles I will try to describe the most interesting features, subtleties, and errors that you may run into when working with this software. If you are interested, read on!

Despite the fact that today the leader of the mobile operating system market is the open and free Android system, the drivers that talk to the DSP are proprietary. Instead of saying whether this is good or bad, I will tell you what opportunities open up when free software is used in this area:

  • Education
    GSM is an open standard developed by ETSI, but only a few people, apart from the developers of cellular equipment, understand in detail how the phone and the cellular network interact. Developing software that runs on the phone side requires knowledge that is quite hard to find in books or in the text of the standard. One such topic is how the phone synchronizes with the base station using TDMA (Time Division Multiple Access). Another "problematic" topic is optimizing power consumption to save battery.
  • Research
    Any research in cellular communications, especially security research, requires both theoretical knowledge and a free, sufficiently documented implementation of the basic protocol stack. It is entirely possible that manufacturers of cellular equipment are not interested in any research that could, moreover, harm their market position; therefore they do everything they can to hide the details of how their equipment works from curious researchers. With knowledge of the GSM protocols and freely available software, more and more people can do research that does not require close ties to the mobile industry.
  • Security and privacy
    Most people are aware of the threats of connecting to the Internet and use antivirus programs and firewalls to protect their computers. But what about mobile phones? Almost constantly, your phone, whose DSP module is controlled by some closed-source software, is connected to a public GSM wireless network created by the nearest base station. Any sufficiently complex software may contain bugs, or deliberately left backdoors that anyone can use. Unlike closed-source software, free software offers a higher level of security, since the source code can be read by anyone who is interested.

The OsmocomBB project comes to the rescue.
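To make the TDMA synchronization topic from the Education bullet concrete, here is an added example (my own illustration, not code from OsmocomBB): the frame-number arithmetic a phone performs when it reads the reduced frame number from the cell's synchronization channel (SCH) and reconstructs the full TDMA frame number, plus a check of which frames in the 51-multiframe carry the FCCH and SCH bursts the phone hunts for while locking on. The formulas follow the GSM frame-numbering definitions (GSM 05.02 / 3GPP TS 45.002); all function names are my own.

```python
"""GSM TDMA frame-number arithmetic (added example, not OsmocomBB code).

A GSM cell runs a continuous TDMA schedule: 8 timeslots per frame, one
frame every 120/26 ms (about 4.615 ms), frames numbered 0..2715647 within
a hyperframe. The base station broadcasts a reduced frame number
(T1, T2, T3') on the SCH; the phone reconstructs the full frame number
from it and aligns its own schedule with the cell.
"""

SUPERFRAME = 26 * 51              # 1326 frames (26- and 51-multiframes realign)
HYPERFRAME = 2048 * SUPERFRAME    # 2715648 frames, so FN is in 0..2715647
FRAME_MS = 120 / 26               # duration of one TDMA frame in milliseconds

# Within the 51-frame control multiframe on timeslot 0 of the BCCH carrier,
# the frequency correction burst (FCCH) is sent in frames with T3 = 0,10,20,30,40
# and the synchronization burst (SCH) in the frames immediately after them.
FCCH_T3 = (0, 10, 20, 30, 40)
SCH_T3 = (1, 11, 21, 31, 41)


def fn_to_t1_t2_t3(fn):
    """Split a full frame number into (T1, T2, T3)."""
    if not 0 <= fn < HYPERFRAME:
        raise ValueError("frame number outside the hyperframe")
    return fn // SUPERFRAME, fn % 26, fn % 51


def t1_t2_t3_to_fn(t1, t2, t3):
    """Reassemble the full frame number from (T1, T2, T3)."""
    if not (0 <= t1 < 2048 and 0 <= t2 < 26 and 0 <= t3 < 51):
        raise ValueError("T1/T2/T3 out of range")
    return SUPERFRAME * t1 + 51 * ((t3 - t2) % 26) + t3


def sch_encode(fn):
    """Reduced frame number as carried in the SCH: T1 (11 bits), T2 (5 bits),
    T3' (3 bits). SCH bursts only occur where T3 is 1, 11, 21, 31 or 41,
    so T3 can be shortened to T3' = (T3 - 1) // 10."""
    t1, t2, t3 = fn_to_t1_t2_t3(fn)
    if t3 not in SCH_T3:
        raise ValueError("no SCH burst is transmitted in this frame")
    return t1, t2, (t3 - 1) // 10


def sch_decode(t1, t2, t3p):
    """What the phone does after decoding an SCH burst: expand T3' and
    rebuild the full frame number it must now count from."""
    if not 0 <= t3p <= 4:
        raise ValueError("T3' must be 0..4")
    return t1_t2_t3_to_fn(t1, t2, 10 * t3p + 1)


def burst_type_on_ts0(fn):
    """Which sync-related burst timeslot 0 of the BCCH carrier carries
    in this frame: 'FCCH', 'SCH' or None for other frames."""
    t3 = fn % 51
    if t3 in FCCH_T3:
        return "FCCH"
    if t3 in SCH_T3:
        return "SCH"
    return None


def frames_until(current_fn, target_fn):
    """Frames to wait from current_fn until target_fn, wrapping at the
    hyperframe boundary; multiply by FRAME_MS to get the wait in ms."""
    return (target_fn - current_fn) % HYPERFRAME


if __name__ == "__main__":
    fn = 6790                                  # constructed sample frame number
    print(fn, "->", fn_to_t1_t2_t3(fn))        # (5, 4, 7)
    print("SCH in frame 11 encodes as", sch_encode(11), "-> back to", sch_decode(*sch_encode(11)))
    print("timeslot 0 in frame 21 carries", burst_type_on_ts0(21))
```

The hyperframe of 2048 x 26 x 51 frames matters beyond timing: the frame number feeds the A5 ciphering sequence as COUNT, which is one reason the phone must recover it exactly and not merely "roughly in sync".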

Osmocom Community


The Osmocom community is developing several Open Source projects at once, such as:
  • OpenBSC - implementation of the protocol stack and elements of the GSM / 3GPP standards, with which you can organize your cellular network;
  • OsmocomDECT - a free implementation of the protocol stack of the DECT standard, on the basis of which most stationary cordless phones work;
  • SIMTrace - equipment and software for passive monitoring of traffic between a SIM card and a telephone;
  • OsmoSDR is a cheap SDR receiver capable of receiving GSM, TETRA, GMR-1 signals and the like.

The community also researches wireless security. Detailed information can be found on their website, osmocom.org . Unfortunately, the information on the site is poorly structured and sometimes still at the TODO stage. You can learn a lot about the project, and many useful things, by watching their talks at various conferences.

OsmocomBB Project


Immediately after the main part of the OpenBSC project was completed in 2010, the need arose to implement the client (phone) side of the GSM protocols. The developers chose the Calypso chipset because its specifications were available. The project was repeatedly presented at several conferences, where the speakers were met with thunderous applause.
The project is developed using the Git version control system and consists of several branches, each focusing on particular features.

So, in order, what do you need to run OsmocomBB?

  • Compatible phone based on Calypso or MediaTek chipset
    A list of supported models can be found here . The main focus is on the Motorola C123 / C121 / C118 (E88) and Motorola C155 (E99), so these are the recommended purchases. The Neo 1973 (GTA01) and Neo Freerunner (GTA02) phones, which are themselves open-source designs, are also supported. I will tell you more about where to get a compatible phone and how to make sure it is exactly what you need in the second part.
  • Replacing filters and antenna (optional)
    If you plan to use the phone as a passive GSM traffic sniffer or want to run a small base station on it, you will have to order additional components and show some skill at precise soldering. The thing is, incoming (downlink) traffic not intended for this phone is discarded by special filters. To get around this, a little surgical intervention is required, described here: Filter Replacement . However, these actions require responsibility and an understanding of what is going on from the reader, since transmitting on GSM frequencies requires a license, and violating the confidentiality of subscribers' traffic is prosecuted under the legislation of the Russian Federation. :( I will also try to tell you more about this in the following parts of the series.
  • USB-TTL cable and converter
    The phone is connected to the computer through a serial port via a USB-TTL converter. Compatible Motorola phones use the standard 2.5 mm headset jack for this purpose. Here you have two options: either order a ready-made cable from the sysmocom.de website (10-15 euros) or elsewhere, or make it yourself, spending only on a jack, wires and a converter (about 200 rubles on AliExpress). I will tell you more about how to solder the cable, the subtleties of choosing a converter and the pitfalls you may run into, in the second part.
  • Computer running Unix-like OS
    It is assumed that the reader is familiar with Unix-like operating systems at least at a basic level. The build from source will be described using Ubuntu Linux 14.04 LTS as an example. A stable Internet connection is also desirable.
  • Patience, skill, ability to search for information on the Internet
    There is a high probability that you will run into errors while building from source or connecting the phone. This is normal. Read the error messages carefully and use search more often: perhaps someone has already run into the same problem. A basic knowledge of English is also very useful. In each of the following parts I will describe possible errors and how to resolve them.


What can be done with OsmocomBB?


  • GSM traffic sniffing
    Packets transmitted over the air in GSM networks can be captured, analyzed (for example, with Wireshark), and even decrypted. The phone transfers all captured traffic to your computer. This is one of the cheapest GSM sniffers, and it allows you to do security research and testing.
  • Launch a small base station
    If you have ever heard of SDR devices such as the USRP , you must also have heard about their price. An OsmocomBB-compatible phone with replaced filters is a cheap alternative that lets you run your own cellular network within a room.
  • RSSI (Receive Signal Strength Indication)
    It is possible to monitor the signal level on different channels of the cellular network. A special firmware of the same name is used for this.
  • Stress Testing for Wireless Equipment (EMI)
    That sounds impressive. The special EMI firmware lets you generate software-defined interference in order to test the robustness of various wireless equipment, such as amplifiers and walkie-talkies. More about this is written here .
  • SIM Reader
    Using special libraries, you can interact with the SIM card through the same phone. As you know, a SIM card is a rather complex device that may contain security flaws. There is even a SIM card security testing project, SIMtester .
  • Launching a Small NuttX Operating System
    The Osmocom community has managed to port the NuttX RTOS to run on OsmocomBB-compatible phones. In one of the following articles I will talk about this in more detail.
  • Calls and SMSs
    Despite the above list of features, the phone remains a phone: under the control of the mobile application from the OsmocomBB package it can make and receive voice calls, send and receive SMS messages, and send DTMF commands.


What to see, read?


First, the basics of the GSM standard: how access is shared between subscribers, the cellular network infrastructure, the encryption standards ... In general, the more the better. :)

Having brewed a pot of tea and a mug of ravioli, you can watch interesting presentations by the developers of the project:



Conclusion


In conclusion, here are some interesting links to articles by other authors:


UPD 06/23/2017:
In response to the continuing stream of questions such as "Will there be a continuation?", my short answer is: there will be. But I cannot say how soon. Currently, I am supporting other Osmocom projects, as well as actively porting OsmocomBB to SDR platforms like USRP or UmTRX.

As soon as opportunities and free time appear, I will try to cover the following topics:

  • What is wrong with A5 / 1 encryption?
  • Using OsmocomBB to audit cellular network security
  • How to stop being afraid and start writing your own code for OsmocomBB
  • The future of OsmocomBB: transition to SDR

Channel Release Indication ;)
