Home

OpenBTS for dummies

1. Software Version BOOST 1 48 0 2 GnuRadio 3 42 kal 0 4 1 libaudio dev 1 9 3 libosip2 dev 3 3 0 OpenBTS 2 8 from the source repository OS Xubuntu Precise 12 04 1 LTS SDCC 2 9 0 Yate 4 3 1 alphal Table 3 My own software configuration for OpenBTS 2 8 Software Version Asterisk 1 4 21 BOOST 1 44 0 GnuRadio 3 2 2 GSL 1 14 kal 0 3 libosip2 3 3 0 OpenBTS 2 6 x built from sources OS Debian 5 0 Lenny SDCC 2 9 0 Table 4 My own software configuration for OpenBTS 2 6 4 2 1 Compiling GnuRadio I use GnuRadio 3 2 2 which is compatible with OpenBTS 2 5 4 Lacassine and OpenBTS 2 6 0 Mamou But you may wish to build the newer GnuRadio 3 3 not supported by OpenBTS 2 5 4 Lacassine The compiling procedure is the same anyway 1 Install Boost download from sourceforge bootstrap sh show libraries bootstrap sh with libraries thread date_time program_options bjam prefix opt boost_1_44_0 builds locally in home work boost_1_44_0 home work boost_1_44_0 stage lib bjam prefix opt boost_1_44_0 install 2 Install SDCC from sources Beware the installation procedure overwrites in usr local bin and share so backup things you might need in there 3 Install GSL from sources Do not use the gs1 bin package Page 11 OpenBTS for dummies 4 2 OpenBTS 2 6 4 SOFTWARE 4 Install other required packages apt get install python numpy python gt4 lib
2. 0 00000 0 eee eee eee 38 10 19What s my phone number 2 ee 38 10 20Can I change my phone number 39 11 Acknowledgements 39 Page 2 OpenBTS for dummies 3 HARDWARE 1 What is OpenBTS brief Litteraly OpenBTS is an open Base Transceiver Station where a BTS is the telecom equipment the closesest to the mobile phone See the nice GSM network diagram in Ale09 On an end user point of view with OpenBTS GSM phones can call each other send SMS to each other etc From an inner perspective OpenBTS s Wikipedia page Wik explains it quite well OpenBTS replaces the traditional GSM operator network switching subsystem infrastructure from the Base Transceiver Station BTS upwards Instead of forwarding call traffic through to an oper ator s mobile switching centre MSC the calls are terminated on the same box by forwarding the data onto the Asterisk PBX via SIP and Voice over IP VoIP From an administrator s point of view OpenBTS consists of a Universal Software Radio Peripheral USRP board connected on a USB port of a Linux box running Asterisk GnuRadio and OpenBTS 2 Want to skip to configuration of OpenBTS Get a Development Kit As the rest of this document will show setting up an OpenBTS takes some time You have to 1 get the right hardware components 2 hunt for an appropriate 52Mhz clock 3 sweat on some fine soldering 4 compile multiple libraries and possibly fix numerous dependencies
3. server Make sure values in both databases match Table 5 My personal configuration of OpenBTS P2 8 databases Page 19 OpenBTS for dummies 5 3 Configuring 2 6 5 CONFIGURATION 5 3 1 Control OpenRegistration Soptional Control OpenRegistration but then it probably better not to leave it as such because this allows any phone to register to your system Caleb Pal remarks that this could introduce legal issues someone tries to dial the emergency number can t connect etc Set the mobile country code and network code in OpenBTS You should be particularly cautious not to use anything a real operator is already using Country codes are listed at WMC Network codes are listed at WMN 001 test country code GSM MCC 001 01 test code GSM MNC 01 The MCC and MNC need not match the ones of your SIMs MagicSIMs but if you set your MagicSIM to a particular unused MCC MNC then it s obviously a good idea to configure the same MCC MNC in OpenBTS config Set the GSM band and channel You do not need to set the uplink or downlink frequency GSM Band 1800 Sstatic GSM Band GSM ARFCN 880 Sstatic GSM ARFCN Notify end users you do not support emergency calls GSM RACH AC 0x400 Control NormalRegistrationWelcomeMessage Normal Registration Message Welcome to OpenBTS AGPLv3 openbts sf net We do not support emergency calls Your IMSI is smqueue Disable ipv6 for smqueue not
4. 10 Troubleshooting You must not use the stock 64Mhz clock that comes with USRP1 If you do be prepared for several errors failing to register and strange behaviour There has been so many problems with that clock that the maintainers have chosen to remove support for those clocks soon to be done and the mailing list will probably not help you with it Use a good 52Mhz clock and then come back to the troubleshooting section 10 1 Can you help me can I send you an email As I said in the introduction I am an OpenBTS newbie My job is about reverse engineering detection and research of mobile viruses which is quite loosely related So probably no I can t help you and no please don t email me directly for questions on OpenBTS It s not that I don t want to help but that I can t The best way to get an answer is to post on the OpenBTS mailing list ML If by luck I know the answer P11 answer on the list 10 2 Do I need a patch for OpenBTS P2 8 No currently no patch is needed for that version Only for 2 6 Good news 10 3 usrp_fft is very slow In my case this occurred in two situations a when I had forgotten to apply the 52Mhz patch to GnuRadio see section 9 1 in that case usrp_fft was really very very slow and b when I check the button to keep the peaks or average Also make sure you applied the usrp_fft patch section 9 2 10 4 Impossible to set the frequency to xxxx Mhz In my case this occurred w
5. 2 Control LUR OpenRegistration Message This is the welcome SMS message which is sent when an un provisioned phone attaches to the network You can customize the message The keys for the auto provisioning service by SMS are available in the smqueue database Typically check that SC Register Code has the same value as Control LUR OpenRegistration ShortCode Other messages are defined in the smqueue database such as the SMS messages to send when the handset requests a phone number which is already taken SC Register Msg TakenA or B or when it fails SC Register Msg ErrorA or B etc When a phone which is already provisioned attaches to the OpenBTS network this consists in a normal registration In that case the keys are Control LUR NormalRegistration ShortCode 0000 by default and Con trol LUR NormalRegistration Message Finally if a phone fails to register the concerned keys are Control LUR FailedRegistration ShortCode 1000 by default and Control LUR FailedRegistration Message Page 17 OpenBTS for dummies 5 3 Configuring 2 6 5 CONFIGURATION 5 2 8 Logs In OpenBTS 2 8 logs are re directed to the syslogd daemon on the local7 facility So you have to configure syslog appropriately For instance on Ubuntu in etc rsyslog d OpenBTS conf we tell the system to write all local7 facility logs to file var log OpenBTS log local7 var log OpenBTS Then restart the syslog daemon log sudo service rsyslog r
6. 5 patch the software and configure to match your needs and setup 6 etc If you don t have that time or skills but have a budget around 5 000 USD you should probably consider to purchase Range Network s development kit http www rangenetworks com store It comes with an appropriate clock daugtherboards a pre configured release of OpenBTS etc 3 Hardware 3 1 Requirements This is what you need to get OpenBTS up and running Prices are approximate e Computer Basically any computer should do the work The only thing which is really required is a USB port to plug the USRP board but all computers usually have that e USRP 1 This board see Figure 3 can be purchased from Ettus Research https www ettus com product details USRP PKG for 700 USD It includes an Altera Cyclone FPGA OpenBTS also works with other boards such as USRP2 B100 N200 E100 See the wiki Ran Page 3 OpenBTS for dummies 3 2 My personal configuration 3 gt HARDWARE 3 2 Figure 1 SIM Max card Figure 2 SIM card reader writer Daughterboard s I use a single daughterboard but for coverage and quality of signals it is better to use 2 daughterboards Select the daughterboard you need according to the GSM band you want to use RFX 900 for GSM 850 900 RFX 1800 for GSM 1800 1900 Price from Ettus 275 USD https www ettus com product details RFX1800 Actually you might consider buying a RFX1800 in all cases because it is easy to ch
7. you deserve your bottle of wine with French smelly cheese whenever you come and see us in France I also wish to thank Alexandre Becoulet for installing the 52Mhz clock on the USRP This was far beyond my skills and he kindly accepted to do it besides his own work I would also thank the OpenBTS mailing list in particular Sylvain Munaut Alexander Chemeris Kurtis Heimerl Caleb Pal Ralph Schmid but several other people too who kindly answered my inquiries and keep the mailing list active Finally thanks to David Maciejak for the nice macro pictures of the USRP SIM card and reader References Ale09 Alexsander Loula OpenBTS Installation and Configuration Guide May 2009 v0 1 ARCO5 ARCEP Les acteurs non soumis la d claration 2005 http www arcep fr index php id 8055 c7795 Aub Aubraux Arfen calculator http www aubraux com design arfcn calculator php BM09 FAQ for the Burning Man 2009 Papa Legba Test Network 2009 http sourceforge net apps trac openbts wiki OpenBTS BM2009FAQ BTS Building Installing and Running OpenBTS https wush net trac rangepublic wiki BuildInstallRun Com CTS Electronic Components Cts model cb3 and cb3lv doc no 008 0256 0 Eri04 Ericsson Radio Waves and Health In building solutions 2004 http www ericsson com ericsson corporate_responsibility health files English EN_brochure_ Inbuilding_solutions_2004 paf Evo Evozi Android Device ID http
8. 32 9 4 Single daughterboard patch oaoa ee 33 10 Troubleshooting 35 10 1 Can you help me can I send you an email 2 0 o o e 35 10 2 Do I need a patch for OpenBTS P2 8 o oo 35 10 3 UsTp tit 18 VEL SI WO a aa E A a Bede ba a 35 10 4 Impossible to set the frequency to xxxx Mhz o e e e 35 10 5 OpenBTS logs say TX fails to tune 2 a 36 10 6 OpenBTS logs complain about not being able to set the RX or TX gaM 36 10 7 OpenBTS complains no transceiver process is found but system is ready 36 10 8 Some of my phones fail to see the OpenBTS network o o e 36 10 9 My phone sees the OpenBTS network but fails to register 2 0 o 36 10 10Pve got a 64Mhz clock and my phones are not registering o o 36 10 11 Where did you buy your cheap clock o oo e e 36 10 12Pve got a RFX 1800 daughterboard but would like to use the 900Mhz band 37 10 13Pve done everything just the same as you but it s not working o 37 10 14smqueue reports an error Address already in USE o o e 37 10 15smqueue crashes oc ea eooea ee ee ee 37 10 16smqueue complains Failed to read queue from file savedqueue txt 0 37 10 17smqueue complains sh asterisk command not found 04 38 10 181 get ortp warning Error in OpenBTS
9. Calibrating the clock Kal is a tool to calibrate the clock The latest version v0 4 1 Lacb does not work with GnuRadio 3 2 only GnuRadio 3 3 so you must retrieve an older version from the mailing list Laca If the clock source is not adjustable kal will tell you how much your clock is off by but you will be unable to do anything about it 6 3 1 Kal v3 To compile kal install libncurses5 dev apt get install libncurses5 dev Then run kal kal f 1783800000 F 52000000 R A USRP side A FPGA clock 52000000 Decimation 192 Antenna RX2 Sample rate 270833 343750 error fcch not detected in 20 frames From Caleb Pal The fech error indicate the power level is too low to detect the FCCH and calculate timing offset Try using an ARFCN of a commercial tower that has a strong er signal in your area Page 23 OpenBTS for dummies 7 USING OPENBTS 6 3 2 Kalibrate v0 4 1 With Kal v0 4 1 sudo kal R A A 0 v s DCS kal Scanning for DCS 1800 base stations DCS 1800 chan 647 1832 2 Mhz 996kHz power 874 13 This means that my clock runs 996kHz faster than a clock of a base station running at ARFCN 647 Then we can calculate the offsets sudo kal v c 647 b DCS kal Calculating clock frequency offset Using DCS 1800 channel 647 1832 Mhz offset 1 964 45 offset 2 1143 18 offset Ser LOA 53 7 Using OpenBTS 71 IMSI SIM cards are identified by their IMSI 7 1 1
10. be bought for 45 50 euros and Konrad Meier reported he used it successfully Page 6 OpenBTS for dummies 3 7 Installing the clock 3 HARDWARE need ppm at most 0 1 ppm Original 64 00 Mhz clock on USRP1 Ecliptek XX017 ClockTamer 3 75 1137 0 28 ppm 240 USD 1 2 Mhz FA SY 1 10 160 E 20 40 to 3 3 V 39 50 eu Mhz ppm 85 C ros FA SY 2 10 215 0 7 V 45 50 eu Mhz ros KT1612 16 52MHz 0 5 ppm 30 to 0 8V TCXO 85 C KT2520 13 52 Mhz 0 5 ppm 1 30 to 0 8V 2 54 eu P52 ppm 85 C ros ECW24TA Andy Fung s 52 Mhz 1ppm 1 ppm 20 to 13 USD custom chip max 70 C Table 2 Clocks for USRP 1 e KT2520P52ECW24TA from fr mouser com ic cheap and has been reported to work with OpenBTS Its stability frequency is 0 5ppm which is a bit too much but may work e KT1612 has been announced Kyo12 but isn t in sold yet e actually used another solution a chip bought by Andy Fung for approximately 13 USD in China It looks like it is a TCXO from Shenzhen Jiexing Weiye Electronics but I am actually unsure Itsspecifications are listed at Table 1 and the description at Figure 4 Please note however that this component might not work in your case because according to Alexander Chemeris Usually oscillators with 1 ppm staibility is a kind of lottery because frequency offset may easily become too high for many phones to find your
11. have 2 standard handsets register to the OpenBTS network and enable calls and SMS messaging between them But nothing ever basic with OpenBTS so let s detail how to do that Select a GSM band and ARFCN In France handsets use 900 Mhz or 1800Mhz Check for your country on this map http www worldtimezone com gsm html Then choose an ARFCN channel which 1s not used see section 6 1 to check that for your band A list of all channels with the uplink and downlink frequencies they correspond to is available from http gnuradio org redmine attachments download 115 all_gsm_channels_arfcn txt For people with a not so good clock frequency it is advisable to select the lowest band and channel This is why in my case I selected 900 Mhz and channel 1 Enable open registration if you want any phone that selects the OpenBTS network to be able to join It is also possible to limit registration to only some specific IMSIs Assign a phone number to each registered handset I do this through SMS based auto provisioning If a handset registers for the first time he sends a SMS to the auto provisioning service with his desired phone number If the number is available it is assigned to the handset Allow a phone to call another one To do so the PBX has to route the call and thus get SIP information for the user Believe it or not but that s a higher level function for Asterisk Netb and you need to install Asterisk RealTime for tha
12. people using 52Mhz clock 4 in OpenBTS P2 8 check that you did that from OpenBTS root cd apps ln s Transceiver52M transceiver 10 14 smqueue reports an error Address already in use Disable ipv6 on the Linux box and the error should disappear 10 15 smqueue crashes smqueue crashes with the following message cannot find configuration value Log Alarms Max terminate called after throwing an instance of ConfigurationTableKeyNotFound Aborted The message gives you the answer add a Log Alarms Max entry to smqueue config for example set to 10 10 16 smqueue complains Failed to read queue from file savedqueue txt This is a warning not a fatal error Smqueue will still run Create savedqueue txt in the smqueue directory to remove the warning next times Page 37 OpenBTS for dummies 10 17 smqueue complains sh asterisk command not found 10 TROUBLESHOOTING R seau indisp 15 21 Messages d Modifier 10 janv 2013 16 04 2 queued 1 registering cell 0 1 15120 7 phonenum 81167 at Jan 10 16 04 21 hh 15 janv 2013 10 51 a 1 queued cell 0 1 IMSI208 7 phonenum 81167 at Jan 15 10 52 08 x 15 ianv 2013 11 41 Envover Figure 18 SMS response to 411 status service In Figure the phone number is 81167 the IMST is starting by 208 and the cell ID is 10 10 17 smqueue complains sh asterisk command not found Are you running smqueue as
13. 0 RX_TXN 0 m_uTx gt _write_fpga_reg 40 0 m_uTx gt _write_fpga_reg 42 0 m_uTx gt set_pga 0 m_uTx gt pga_max should be 20dB m_uTx gt set_pga 1 m_uTx gt pga_max m_uTx gt set_pga 0 m_uTx gt pga_min should be 20dB m_uTx gt set_pga 1 m_uTx gt pga_min m_uTx gt set_mux 0x00000098 5 LOG INFO lt lt TX pgas lt lt m_uTx gt pga 0 lt lt lt lt m_uTx gt pga 1 writeLock unlock if skipRx writeLock lock m_uRx gt _write_fpga_reg FR_ATR_MASK_0 3 3 0 m_uRx gt _write_fpga_reg FR_ATR_TXVAL_0 33 0 m_uRx gt _write_fpga_reg FR_ATR_RXVAL_0 33 0 m_uRx gt _write_fpga_reg FR_ATR_MASK_0 13 0 m_uRx gt _write_fpga_reg FR_ATR_TXVAL_0 1 3 0 m_uRx gt _write_fpga_reg FR_ATR_RXVAL_0 1 3 0 m_uRx gt _write_fpga_reg 41 0 m_uRx gt _write_fpga_reg 43 0 m_uRx gt _write_oe 1 POWER_UP RX_TXN ENABLE Oxffff m_uRx gt write_io 1 POWER_UP RX_TXN ENABLE POWER_UP RX_TXN ENABLE m_uRx gt write_io 1 0 RX2_RX1N using Tx Rx m_uRx gt write_io 1 RX2_RX1N RX2_RX1N using Rx2 URxX gt set_adc_buffer_bypass 2 true uRx gt set_adc_buffer_bypass 3 true Rx gt set_pga 2 m_uRx gt pga_max should be 20dB Rx gt set_pga 3 m_uRx gt pga_max m_uRx gt set_mux 0x00000032 m_uRx gt _w
14. 7 08 14 44 45 870543535 0200 126 8 126 8 static const unsigned CP2 7 static const unsigned CPl 7 static const unsigned DIVSEL 0 static const unsigned DIV2 1 static const unsigned freq mult 2 unsigned DIV2 unsigned freq_mult static const unsigned CPGAIN 0 static const float minFreq 800e6 static const float maxFreq 1000e6 9 4 Single daughterboard patch On OpenBTS 2 6 if you are using the USRP with a single daughterboard and not two daughterboards you need to patch OpenBTS to have all work done on the same daughterboard Note the patch below modifies the USRPDevice files in the Transceiver directory If you are using a 52Mhz this directory is not used it s the Transceiver52M directory you need to patch On OpenBTS 2 8 you don t need any patch to use the USRP with a single daughterboard but you must specify it at compilation configure with usrpl with singledb make openbts 2 6 0Mamou Transceiver52M USRPDevice cpp 2010 11 07 02 06 29 643681105 0100 singleRFX900_2 6 0Mamou Transceiver52M USRPDevice cpp 2010 11 12 20 11 18 695717220 0100 133 17 133 17 if R 0 return false writeLock lock m_uRx gt _write_spi 0 SPI_ENABLE_RX_B SPI_FMT_MSB SPI_FMT_HDR_O m_uRx gt _write_spi 0 SPI_ENABLE_RX_A SPI_FMT_MSB SPI_
15. FMT_HDR_O write_it R amp 0x3 1 m_uRx gt _write_spi 0 SPI_ENABLE_RX_B SPI_FMT_MSB SPI_FMT_HDR_O m_uRx gt _write_spi 0 SPI_ENABLE_RX_A SPI_FMT_MSB SPI_FMT_HDR_O write_it control 0x3 0 usleep 10000 m_uRx gt _write_spi 0 SPI_ENABLE_RX_B SPI_FMT_MSB SPI_FMT_HDR_O m_uRx gt _write_spi 0 SPI_ENABLE_RX_A SPI_FMT_MSB SPI_FMT_HDR_O write_it N 70x3 2 writeLock unlock if m_uRx gt read_io 1 amp PLL_LOCK_DETECT return true if m_uRx gt read_io 1 amp PLL_LOCK_DETECT return true if m_uRx gt read_io 0 amp PLL_LOCK_DETECT return true if m_uRx gt read_io 0 amp PLL_LOCK_DETECT return true Page 33 OpenBTS for dummies 9 4 Single daughterboard patch 9 PATCHES FOR OPENBTS 2 6 return false AR 249 34 249 34 power up and configure daughterboards m_uTx gt _write_oe 0 0 0xffff m_uTx gt _write_oe 0 POWER_UP RX_TXN ENABLE Oxffff m_uTx gt write_io 0 POWER_UP RX_TXN POWER_UP RX_TXN ENABLE m_uTx gt write_io 0 ENABLE RX_TXN ENABLE m_uTx gt write_io 0 ENABLE ENABLE RX_TX POWER_UP power up inverted x m_uTx gt _write_fpga_reg FR_ATR_MASK_0 0 RX_TXN ENABLE m_uTx gt _write_fpga_reg FR_ATR_TXVAL_0 0 0 ENABLE m_uTx gt _write_fpga_reg FR_ATR_RXVAL_0
16. Get your IMSI If you already have an operational SIM card and want to use it in OpenBTS you must retrieve its IMSI To do so there are several solutions e Python script in Ale09 e Install a IMSI retrieving application on the phone Symbian v9 and Install New Beware that application wants to send an application registration SMS Put the mobile offline if you do not want to send that SMS Android Install Android Device ID Evo e From OpenBTS itself Turn off the handset remove and replace the battery then try to register Look at OpenBTS s logs e AT commands Issue the AT CIMI command Page 24 OpenBTS for dummies 7 2 Running OpenBTS 7 USING OPENBTS 7 1 2 Set your IMSI If you are using a Magic SIM you can program it to use a given IMSI using pySIM Mun Plug the USB card writer and SIM to your computer Set the following e argument x for the mobile country code e argument y for the mobile network code e argument d for the USB drive the card writer is connected to e argument t set to auto to automatically detect the card s type pySim py n 26C3 c 49 x 001 y 01 t auto z Random string here j 0 d dev ttyUSBO Generated card parameters gt Name 2003 gt SMSP 00495 gt ICCID 8949262 gt MCC MNC 001 01 gt IMSI OO LOTA RATA gt Ki 6ealce93440 Autodetected card type fakemagicsim Programming Done 7 2 Running OpenBTS If you ha
17. IMSIs to accept In my case is the regexp to accept any IMSI Contro LUR OpenRegistration 101 openbts Default value for the auto ShortCode provisioning SMS short code GSM Identity MCC 001 openbts Mobile country code Default value is 001 GSM Identity MNC 01 openbts Mobile network code Default value is 01 GSM Identity ShortName Fortinet openbts This is the name of the network as it may appear on some phones GSM Radio Band 900 openbts This is the GSM band GSM Radio CO 1 openbts This is the ARFCN channel GSM RACH AC 1024 openbts No sup port for emergency calls SC Info Code 411 smqueue Default value for the status short code When you send a SMS to that short code it answers with your current phone number and IMSI SC Register Code 101 smqueue Default value for the auto provisioning SMS short code SC Register Digits Min 5 smqueue Minimum digits for a valid phone number SIP Proxy SMS 127 0 0 1 5063 openbts IP address and port to be used for the SIP SMS proxy In my case I use smqueue so port 5063 and not Yate SIP Proxy Speech 127 0 0 1 5060 openbts Use the same IP address and port as for the PBX In my case Yate is running on the same host on port 5060 default SubscriberRegistry db var lib asterisk subscriber Default location for the sub sqlite3dir sqlite3 db registry scriber registry database SubscriberRegistry Port 5064 openbts and Default value used by the SIP sipauthserve authentication and registry
18. OpenBTS for dummies Axelle Apvrille Fortinet January 15 2013 Abstract This document is to be seen as a guideline or a collection of notes for newbies to OpenBTS who struggle to get it working or are lost in the wiki pages and wonder where to start Mostly I detail here how I got it to work on my side from step to step with answers I found to a few issues I faced or my understanding of the problem I am very very far from being an OpenBTS expert So please feel free to send in corrections and also understand that I am probably unable to help you on your specific OpenBTS issues If you need some more help your best choice is certainly to read and read again the OpenBTS wiki Ran the user manual Netc and to subscribe to the mailing list ML Contents 1 What is OpenBTS brief 3 2 Want to skip to configuration of OpenBTS Get a Development Kit 3 3 Hardware 3 Sid REQUITEMENTS Ssss sss a ued Ses ap ee yond oP Say ety Bede eM ke Ska A Po dh ed Mea a 3 3 2 My personal configuration 2 2 ee 4 3 3 From the USRP kit to the USRP newbies only o o e e 4 Sid COCKS att ts O A Pn a iS EE ok ole 8 Wea As aan 5 3 5 DoIreally need another clock 2 2 a 5 3 0 S2Mhzclocks 0 do ira Se d eh Bs Boh ES Ol ea ee es i eS 6 3 7 Installing the clock s gr atine aa a e e a a aa ae ee 7 3 6 Software Patches sai a e o we ae ee IB ad at A 9 4 Software 9 4 1 OpenBYS P2 8 users be be Pe EER ee BAe e
19. SMS The exact message depends on the config uration of OpenBTS openbts config Send back the phone number you wish to use by SMS to the special registration short number By default it s 101 but that depends on configuration of course SC Register Code see 5 2 7 This is what you typically see in the logs OpenBTS sends an SMS asking you to send your desired phone number by SMS bounce_message Bouncing 378 vypfd from IMSI208123456789012 to 2103 Cannot determine return address bouncing message Text your phone number to 101 to register and try again If that phone number is already in use or if you are already assigned a given phone number OpenBTS will let you know For example in the case below phone with IMSI 208123456789012 was already assigned phone number 2102 Got SMS 273 lnobw from IMSI208123456789012 for 101 Responding with 202 Queued Short code SMS 101 2102 answering Your phone is already registered as e You are ready to use the phones You can try the echo service dial 600 by default or dial 2102 to call another phone see Figure 15 You can also get system status by dialing 411 by default Page 27 OpenBTS for dummies 7 4 Registering to the OpenBTS network 7 USING OPENBTS L FOpenBTS Y a Silencieux n ai Eam Lo swisscom mobile Go far Come dose Figure 13 The phone has registered to the OpenBTS network gt 4 Gre OO D Search Internet an
20. YSTRING GSM Radio Band The first three databases may also be edited from the OpenBTSCLI client interface using the config or unconfig command config GSM Radio Band 900 Some of these changes can be dynamically taken into account Others requires the corresponding daemon to be restarted The OpenBTS client interface usually warns when this is the case 5 2 2 GSM parameters There are only few GSM parameters to set in a default configuration e GSM Radio Band As stated in section 5 2 I set it to 900 e GSM Radio CO The ARFCN channel 1 in my case That s all for a default and basic configuration By default the network does not support for emergency calls soGSM RACH AC is set to 0x0400 i e 1024 Additionally note that the OpenBTS network will appear to phones as 001 01 which is GSM Identity MCC followed by GSM Identity MNC You may want to change those test MCC MNC Or you may want to appear un der your country code set GSM Identity ShowCountry not working in my case or under a given customized name GSM Identity ShortName 5 2 3 SMS to be handled by smqueue Due to a bug currently it is not possible to have Yate handle SMS messages So I decided to use smqueue It is perfectly possible to use Yate just for voice calls and smqueue for SMS messages On a configuration point of view this is no more than pointing the SIP Proxy SMS key to the right port By default smqueue runs on port 5063 s
21. across sip conf and extensions conf 6 Testing GnuRadio 6 1 USRP Benchmark Connect the USRP to the computer compile GnuRadio and then export LD_LIBRARY_PATH opt boost_1_44_0 lib usr local lib LD_LIBRARY PATH cd usr local share gnuradio examples usrp usrp_benchmark_usb py The script tests USB throughput You should see several OKs See Ale09 for an example 6 2 USRP FFT The usrp fft tool in GnuRadio is useful to test the USRP responds correctly and also to check whether a given frequency is used or not export LD_LIBRARY_PATH opt boost_1_44_0 lib usr local lib LD_ LIBRARY PATH S usr local bin usrp_fft py Page 21 OpenBTS for dummies 6 2 USRP FFT 6 TESTING GNURADIO JSRP O Average Avg Alpha 0 1000 Erf in NA A Ty ae T 2 o v 3 a E lt O 20 dB div Ref Level Autoscale 1 7825 x 1 7835 1 784 Frequency GHz Stop Zenter freq Gain 45 aq 1 7838G are Jecim 16 Fs USB 3 25M Flex 1800 Rx MIMO B Analog BB 1 781G DDC 2 8M OK Figure 6 Frequency 1783 8 Mhz is not used Let s see how to check if a given channel is available First we need to pick up an available channel for GSM 1800 Aub provides a GSM 1800 uplink and downlink table For example if we select channel 880 this corre spond to uplink frequency 1783 8 Mhz and downlink frequency 1878 8 Mhz To use this channel we need to check those f
22. ange a RFX1800 into a RFX900 firmware flash no hardware modification whereas changing a RFX900 into a RFX1800 requires a hardware modication removing an ISM filter Antenna 1 antenna per daughterboard Be sure to select an antenna that matches your daughterboard Can be purchased from Ettus for 35 USD 52 Mhz clock Most of the time this is required but check out Section 3 4 for more information Mobile phones Obviously you need one at least It must be unlocked And you need to be able to manually select a network for that phone see Figure 12 SIM cards and of course one SIM card per mobile phone It is possible to use a standard SIM card the one you use in your own mobile phone or you can buy a programmable SIM card see Figure 1 Search for something like Super SIM SIM MAX Magic SIM 12in1 or 16in1 SIM on the web For each SIM card you need to know its IMSI section 7 1 explains how to get it On eBay such SIM cards are sold for approximately 1 USD Magic SIM card reader writer If you use Magic SIM cards you need to card reader and writer to program the SIM card see Figure 2 This usually costs only a few bucks My personal configuration My personal configuration is listed at Table 1 3 3 From the USRP kit to the USRP newbies only The USRP usually ships in a kit but it is very easy to mount Just need a screwdriver You can do it even if you are a hardware dummy 1 screw the mainboard onto
23. aster_clock_freq 52000000 d_db 2 In usrp host lib legacy usrp_standard cc line 1024 should be commented out assert dac_rate 128000000 In usrp host lib legacy db_flexrf cc line 179 should read return 52e6 _refclk_divisor Page 31 OpenBTS for dummies 9 2 usrp_fft patch for 52Mhz 9 PATCHES FOR OPENBTS 2 6 9 2 usrp_fft patch for 52Mhz This patch adds support for 52Mhz clocks for the usrp_fft GnuRadio tool Once applied you may specify the F option to set the clock s frequency 52000000 diff git a gr utils src python usrp_fft py b gr utils src python usrp_fft py index eda9bd5 3bf4ec2 100755 a gr utils src python usrp_fft py b gr utils src python usrp_fft py 61 6 61 8 class app_top_block stdgui2 std_top_block help select Rx Antenna only on RFX series boards parser add_option d decim type int default 16 help set fgpa decimation rate to DECIM default default parser add_option F fpga freq type eng_float default None sE help set USRP reference clock frequency to FPGA_FREQ F metavar FPGA_FREQ parser add_option f freq type eng_float default None help set frequency to FREQ metavar FREQ parser add_option g gain type eng_float default None 99 6 101 9 class app_top_block stdgui2 std_top_block contains 2 Rx paths with halfband filters and 2 tx paths the default self u
24. ck for yourselves As far as health is concerned there are two different limits to understand e RF exposure guildelines are established by the ICNIRP For 1800Mhz frequencies they limit exposure to 0 08 W kg IEE98 In practice the maximum RF exposure levels of a 1 W antenna are already below ICNIRP limits at less than 10cm Eri04 OpenBTS uses a 100mW so even smaller antenna so the RF exposure should even be below e Electromagnetic interferences The limit is set to 3 V m for non life supporting equipment such as the OpenBTS In practice for a 100mW this limit is met at 40cm or more This means that further than 40cm there should be only very little risk that the antenna can cause electromagnetic interference with sensitive equipments such as a pacemaker or hearing aids Conclusion having the OpenBTS at 40cm or more of anybody should be really safe 9 Patches for OpenBTS 2 6 As far as I know there are no required patches for OpenBTS 2 8 Don t know how to patch Please read the manual for the patch command Usually you ll end up doing something like this cd openbts directory patch p2 lt mypatch diff 9 1 52Mhz patch for GnuRadio This patch is described at Gnua If you followed the steps in 4 2 1 normally you should have patched your sources If not then you absolutely must do it if you are using a 52Mhz clock In usrp host lib legacy usrp_basic cc line 116 should read d_verbose false d_fpga_m
25. d My content t No calendar entries today 1 WLAN scanning off Calling 2102 Figure 15 The phone is calling another one a Message texte I 1 1 0000 Ctre de r ponse d fini De Welcome to OpenBTS AGPLv3 ope IMSI is IMSI Options Retour Figure 14 Welcome message sent to the phone a aw 3 3 a Search Internet and My content t1 No calendar entries today 1 WLAN scanning off calling Figure 16 The phone is receiving a call OpenBTS for dummies 7 5 TMSIs 7 USING OPENBTS 7 5 TMSIs Once phones have registered you should be able to list the Temporary Mobile Subscriber Identities TMSI The TMSI list is available from the OpenBTS console which is accessible from the OpenBTSCLI in 2 8 or directly in OpenBTS in 2 6 OpenBTS gt tmsis TMSI IMSI IMEI age used Ox4ce547c0 20812345678901 13h 84s 0x4ce547c1 20811111111111 13h 113h N Lhe bh hh y Eh 2 TMSIs in table If you want phones to re register clear the TMSI table 7 6 Sending SMS It is possible to send SMS from the OpenBTS console or have phones send each other SMS messages 7 6 1 From the console OpenBTS P2 8 There is a dedicated console in the client interface OpenBTSCLI Use commands sendsms or sendsimple sendsms lt IMSI gt lt sourceAddress gt sendsimple lt IMSI gt lt sourceAddress gt Quoting the wiki The difference between these is that sendsms operates direc
26. doxygen enable gnuradio cor nable gr wxgui enable gruel nable gr utils enable gr usrp nable gr qtgui make and then make install if you specified a system directory make install must be done from root Idconfig 6 Add a USRP group and assign user to that group addgroup usrp addgroup work usrp Page 12 OpenBTS for dummies 4 2 OpenBTS 2 6 4 SOFTWARE 7 Write USRP rules file etc udev rules d 10 usrp rules Ale09 ACTION add BUS usb SYSFS idVendor fffe SYSFS idProduct 0002 GROUP usrp MODE 0660 Once you have completed those steps successfully it is a good idea to test your USRP to see if everything is working as expected see section 6 4 2 2 Compiling OpenBTS To compile OpenBTS follow those steps 1 install libosip2 3 3 0 from sources If you do not intend to use smqueue SMS you can install the Debian package libosip2 dev But if you need smqueue you ll have to recompile a newer version install other requirements apt get install libortp7 asterisk For OpenBTS 2 8 you also need libusb 1 0 apt get install libusb 1 0 0 dev or compile from sources you might have to link boost to local include ln s opt boost_1_44_0 include boost usr local include boost set your library path to export LD_LIBRARY_PATH opt boost_1_44_0 lib usr local lib SLD_LIBRARY_PATH Patching for old sources only this is no longer required for curr
27. ds til Request Destination SIP URL for 48 keagw Got SMS 200 Response 48 keagw Got 200 response for sent msg 48 keagw in state 7 Deleting sent message and the SMS should appear on 2103 phone E Text message 2 1 9 From D soot Reply cntr defined Hello Figure 17 The phone received an SMS 7 7 Sniffing GSM packets Re compile and install a recent version of Wireshark e g 1 4 2 on the capture host 8 Miscellaneous 8 1 Legal restrictions Disclaimer I am absolutely not an expert in this area please check for yourselves Page 30 OpenBTS for dummies 8 2 Health 9 PATCHES FOR OPENBTS 2 6 Authorities usually regulate the use of some GSM bandwidths You should check in your country what is authorized if you need a test license or must use a given channel etc In France the use of GSM bandwidths is regulated by the ARCEP For limited internal test cases the use of GSM frequencies is allowed ARCOS Les acteurs non soumis la d claration des exploitants de r seaux internes c est dire enti rement tablis sur une m me propri t sans emprunter ni le domaine public y compris hertzien ni une propri t tierce Ainsi les r seaux tablis par exemple dans les h tels et les centres commerciaux priv s sont exempts de d claration Please check for yourselves 8 2 Health Disclaimer I am absolutely not an expert in this area please che
28. e A 9 AD OpenBSD sco cece Gos ke alba ee ech OR we Rk ak aE ih on Hw tad 10 5 Configuration 15 Sid BasicsStepss be eS aks oye tes ay a hed ae Aen tty Sed sts Sek Boke Ges Bh oh dy eh a SA ty a 15 52 CONSUL Ss ta praia a ded tke de rta Sanne abate eh aged 15 5 3 Configuring 2 6 A a ee ae ee es eae 18 CONTENTS CONTENTS 6 Testing GnuRadio 21 6 SUSRP Benchmark i ies a iy eae aa E OR Dn hae a Gee gk a te Be Aa RR 21 6 2 USRR FET 4 603 oh toe arg ds Bend Mars BURRS oe eR ee eS ee BAe Bd i Be 21 6 3 Calibrating the clok iii eee ee i A SE ed 23 7 Using OpenBTS 24 Ms AMS ites a itd o PAN Ate te hobs o we debate coe thai te ohh Mage a Bide oi BEN Mey dido 24 22 Running Open BTS eat ads a ae Bite Lea ad LAA aa bie nd le A 25 7 3 Having phone scan for the OpenBTS network o e e 26 7 4 Registering to the OpenBTS network 2 0 0 00 0000 eee ee ee 27 LI MISTS i AS wale Wee Be AS Site ee ats OO Dene ee ee OO Geet 29 TO Sending MS caia ao Be ete te AEE Be Hee ahs ee id eke Se GET da 29 Ta Snithing GSM packets e 24 oe bende bao ea Ds A es a OP A aed 30 8 Miscellaneous 30 8 1 Legal restrictions seii Be ae AA a ee ae SE og SE E A 30 8 20 Health aia Secs oe sh dog ed PB A A e Be Oe ie ee aie GO ee 31 9 Patches for OpenBTS 2 6 31 9 1 52Mhz patch for GnuRadio 31 9 2 susrp tit patch for S2MhzZ 2 04 cp a AA a al ae aie Bed Ae de 32 93 GSM T800 patch ai a arn one tek E ca ll A eh ace A a hae
29. e single daughterboard patch I am using a single daughter board See section 9 4 10 10 Ive got a 64Mhz clock and my phones are not registering Please do get a 52Mhz clock see section 3 4 My understanding is that it hardly never works with 64 Mhz 10 11 Where did you buy your cheap clock As I said in section 3 4 I got it from Andy Fung who got it from a local Chinese retailer and unfortunately we don t have any better references for it except the specifications copy pasted in this document I m afraid I can t help you find such a clock but I m sure there should be others Page 36 OpenBTS for dummies 10 12 I ve got a RFX 1800 daughterboard but would like to use the 900Mhz band0 TROUBLESHOOTING 10 12 Pve got a RFX 1800 daughterboard but would like to use the 900Mhz band You don t need to buy another daughterboard it s possible to flash the hardware From RFX1800 to RFX900 sudo burn db eeprom A force t rfx900 TX_A OK RX_A OK or B for side B And back sudo burn db eeprom A forc t rfx1800 10 13 I ve done everything just the same as you but it s not working I m sorry to hear that Besides getting help from the OpenBTS mailing list ML I would recommend you check 1 if you are on OpenBTS 2 6 you have applied all software patches 4 2 switch your phones to manual GSM only network research 3 in OpenBTS 2 6 the OpenBTS config file uses the Transceiver52M directory for
30. ed in my case 7 close the enclosure actually I suggest to leave it open to be able to check everything is connected fine 8 use the USB cable to connect the USRP to your computer 9 connect the power supply cable to power Have a look at Ettus s web site to see what the USRP looks like in the end Figure 3 3 4 Clocks 3 5 Do I really need another clock The USRP board ships with a 64Mhz clock but Gnub explains why it is insufficient in most situations From an end user perspective basically the risk is that the phones will be unable to see the OpenBTS network So basically you need to buy a very good quality TCXO 52Mhz clock and modify your USRP to use it The stability of the clock s frequency is particularly important and it is amplified with bands because for instance an error of 0 05ppm corresponds to 45Mhz for low bands 800 900Mhz but to 90Mhz for high bands 1800 1900Mhz For proper use with OpenBTS people recommend a stability of 0 05 ppm or at least better than 0 1ppm A clock with a stability of ppm might be suitable especially in lower bands it s a matter of luck gt ppm stands for parts per million Page 5 OpenBTS for dummies 3 6 52Mhz clocks 3 HARDWARE Figure 3 USRP 1 Rev 4 5 with additional 52Mhz clock A clock with a stability of SOppm like the original USRP1 clock Com is nearly sure not to be Actually unless you are using REX900 and are very lucky y
31. enBTS CLI e SOPENBTS_DIR openbts trunk apps OpenBTSCLI 7 3 Having phone scan for the OpenBTS network Power on your mobile phone and force it to use the OpenBTS network e Nokia Go to tools Figure 9 settings Figure 10 then phone Figure 11 then network Figure 12 Select GSM only not dual mode nor 3G and select operator manually not automatically e iPhone Go to Settings then Operator and manually scan for available operators e Android Go to Settings Wireless and networks Mobile networks and then Operator selection e Windows Mobile Go to Settings then Phone then Network then select manual scan and select OpenBTS e For other phones see BMO09 Wait for a while while the phone is scanning available networks You should see the OpenB TS network popup Select it Page 26 OpenBTS for dummies 7 4 Registering to the OpenBTS network 7 USING OPENBTS 1 Phone A Network me YN ATTE 0 ao Fit Call Network mode SS ree 7 Call divert 8 callbarring Operator selection Figure 11 Phone settings Figure 12 Network settings 7 4 Registering to the OpenBTS network Once you have selected the OpenBTS network OpenBTS will register your phone depending on its configura tion With open registration and SMS auto provisioning this is what happens NB This is only an example and depends on your config e Wait the OpenBTS network should send you a welcome
32. ent downloads if you are using a RFX1800 daughterboard not RFX 900 you must patch the sources See section 9 3 recent snapshots from the git repository do not need this If you are using a 64Mhz clock stock patch Transceiver USRPDevice files If you are using 52Mhz clock patch Transceiver52M USRPDevice files On OpenBTS 2 6 x if you are using a single daughterboard you must apply yet another patch Make sure your daughterboard in on side A See section 9 4 Again if you are using a 64Mhz patch the Transceiver USRPDevice files If you are using 52Mhz clock patch TransceiverS2M USRPDevice files On OpenBTS 2 8 no need to patch but you must specify you are using a single daughterboard when compiling see later download the sources Do not download the OpenBTS package openbts 2 6 0Mamou tar gz as it is already obsolete On the contrary get the sources from git Tm not absolutely certain this is required Page 13 OpenBTS for dummies 4 2 OpenBTS 2 6 4 SOFTWARE git clone git openbts git sourceforge net gitroot openbts openbts If you want to use the achemeris sms split branch then do git branch a git checkout origin achemeris sms split OpenBTS UHD is also a good choice because it has a single branch where all work is merged git clone git github com ttsou openbts uhd git For OpenBTS 2 8 get the sources from svn co http wush net svn range software public 8 build OpenBTS Do autoreco
33. estart Then the log level of each file can be configured such as CallControl cpp SMSControl cpp INFO a INFO RadioResource cpp DEBUG nt cpp DEBUG ryp cpp INFO Log Level Log Level Log Level Log Level GSML2LAPDm cpp INFO Log Level MobilityManageme Log Level SubscriberRegist Log Level SIPEngine cpp DE BUG 5 3 Configuring 2 6 The OpenBTS configuration file is located in the apps directory openbts config See also Ale09 Use the default configuration file with the following customization e There are two log files Log FileName for global logging and for TRX logging For TRX logging beware that setting the level to DEBUG will cause very heavy logging Log Level INFO Log FileName openbts26 log Sstatic Log FileName TRX LogLevel INFO Sstatic TRX LoglLevel TRX LogFileName TRX26 log Sstatic TRX LogFileName e If you are using a 52Mhz modify the TRX path to Transceiver52M transceiver e Open registration for a first test TRX Path TRX Path Sstatic TRX Path Transceiver transceiver Transceiver52M transceiver Page 18 OpenBTS for dummies 5 3 Configuring 2 6 5 CONFIGURATION KEYSTRING VALUESTRING Database Comment Control LUR OpenRegistration openbts Do this to enable open regis tration for any IMSI The value string corresponds to a regexp of
34. hen I had forgotten to apply the 52Mhz patch to GnuRadio see section 9 1 Page 35 OpenBTS for dummies 10 5 OpenBTS logs say TX fails to tune 10 TROUBLESHOOTING 10 5 OpenBTS logs say TX fails to tune In my case this occurred when I had not applied the GSM 1800 patch see section 9 3 10 6 OpenBTS logs complain about not being able to set the RX or TX gain In my case this occurred when the OpenBTS configuration file was wrong and was using the Transceiver directory instead of Transceiver52M 52Mhz clocks TRX Path Transceiver52M transceiver 10 7 OpenBTS complains no transceiver process is found but system is ready You get this log with OpenBTS 2 8 ALERT TRXManager cpp 406 powerOn POWERON failed with status 1 transceiver no process found system ready This log is ok It looks for an old running transceiver first As it doesn t find it it reports no process found But as in the end it says system ready everything is fine In doubt check that you did that from OpenBTS root cd apps ln s Transceiver52M transceiver 10 8 Some of my phones fail to see the OpenBTS network This could be a clock issue Check your clock matches the requirements and see http gnuradio org redmine projects gnuradio wiki OpenBTSClocks for why this might affect the network visibility to mobile phones 10 9 My phone sees the OpenBTS network but fails to register In my case this occurred when I had not applied th
35. network e Use aclock generator in your lab Table 2 summarizes each option 3 7 Installing the clock Mounting a new 52Mhz clock on an USRP requires a few skills in electronics If you do not have the proper equipment soldering station etc and skills some components are very small try and get it done by someone Page 7 OpenBTS for dummies 3 7 Installing the clock 3 HARDWARE i i i yane 8 Pin Assignment i i 1 1 VC NC Bee 15 l 7 GND r 8 OUT i 14 VOC C 5 0 3 3VDC z Figure 4 52 Mhz clock oscillator specifications else The steps to install a new clock are the following The labels R2039 etc are written on the USRP s board check where all components are before starting e Prepare the USRP to use an external clock Gnua Difficult step Move R2029 to R2030T This disables the onboard clock R2029 R2030 is a 0 ohm resistor Difficult step Move C925 to C926 Remove C924 NB I did not need a SMA connector in J2001 nor J2002 e Connect the new 52Mhz clock this step is specific to the clock I chose Glue the 52MHz Crystal Oscillator on the USRP mainboard Solder the red wire Vcc and connected it to the 3 3V power source Solder the black wire ground and connected it to the ground point For example choose one of the ground pin of J2002 Solder the white wire 52MHz and connected it the C927 Note 1 When you solder the wires make sure the wires are
36. nf fi configure S make For OpenBTS UHD do configure enable usrpl instead of just configure For OpenBTS 2 8 if you are using a single daughterboard on side A don t forget to specify it configure with usrpl with singledb make 4 2 3 Compiling smqueue To have mobile phones in your network send SMS to each other smqueue included in OpenBTS must be running In the main branch smqueue is included in the OpenBTS package but it is not compiled when you build OpenBTS You must manually invoke smqueue s Makefile cd smqueue make f Makefile standalone Building smqueue requires libosip2 version 3 3 0 or greater Install it or 1t will fail to build Also you might need g v4 3 In the achemeris sms split branch smque is automatically compiled when OpenBTS is Page 14 OpenBTS for dummies 5 CONFIGURATION 5 Configuration 5 1 Basic steps The configuration of OpenBTS mainly consists on the following parameters setting the GSM band setting the ARFCN channel for this band configuring registration of subscribers configuring logs if required With OpenBTS 2 6 those parameters typically go into configuration files editable with any text editor whereas in 2 8 they have been moved to SQLite databases editable with standard SQLite tools sqlite3 or GUIs such as sqliteman or via the OpenBTS client interface OpenBTSCLD 5 2 Configuring 2 8 My personal goal for OpenBTS is quite basic
37. not touching the shell of the crystal it is a metal case otherwise you may create a short circuit Note2 The legs of the crystal chip are long Might need to cut 2 3 out of the legs Page 8 OpenBTS for dummies 3 8 Software patches 4 SOFTWARE X m 3 10 2006 FLEK or T e Ettus serei LUC I zt a a o o SN PEJ TE R2029 CIAO mrri _ D Figure 5 Close shot of the 52 Mhz clock on the USRP 3 8 Software patches Using a 52Mhz requires a few modification of GnuRadio and OpenBTS software and configuration file I will detail those later see Section 9 1 and 9 2 but keep this in mind 4 Software The major components you need for OpenBTS are a Linux operating system It might be portable to other Unix systems haven t tried An Ubuntu or a Debian is typically a good choice e GnuRadio e aSIP PBX such as Asterisk FreeSwitch or Yate e OpenBTS 4 1 OpenBTS P2 8 The documentation is online BTS and probably kept up to date more than this doc Note that source code of OpenBTS P2 8 also ships with a user manual in doc Netc This report does not deal with the commercial version of OpenBTS OpenBTS C 2 8 Page 9 OpenBTS for dummies 4 2 OpenBTS 2 6 4 SOFTWARE 4 1 1 Building Basically the steps are 1 Download OpenBTS from the source repository svn co http wush net svn range software public 2 Download and install requirements BTS mentions sud
38. o SIP Proxy SMS should be 127 0 0 1 5063 Page 16 OpenBTS for dummies 5 2 Configuring 2 8 5 CONFIGURATION 5 2 4 Yate The installation and configuration of Yate is detailed at Netd To run yate then do sudo yate vvvv where each v adds to verboseness 5 2 5 Changing the phone number of a given handset Imagine handset with IMSI20000 is assigned phone number 0610203040 and you want to change to 06100000 To do so you just have to modify the two tables inside the PBX database sqlite3 db UPDATE sip_buddies SET callerid 06100000 where callerid 0610203040 UPDATE dialdata_table SET exten 06100000 where callerid 0610203040 The minimum and maximum digits for a phone number are specified by SC Register Digits Min and SC Register Digits in the smqueue database To be able to set 12345 as a valid phone number be sure to change SC Register Digits Min to 5 5 2 6 Echo service By default the Echo service is not configured on yate but it is very simple to add In usr local etc yate regexroute conf add in the default section default 600 conf echo echo tru Then any handset dialing 600 will get the Echo service 5 2 7 Registration Open registration means that registration is open to unknown handsets that select the OpenBTS network It is configured by 2 keys in databases in the OpenBTS 1 Control LUR OpenRegistration ShortCode By default this is set to 101
39. o apt get install autoconf libtool libosip2 dev libortp dev libusb 1 0 0 dev g sgqlite3 libsqlite3 dev erlang libreadline6 dev libboost all dev In my case I also had to add sudo apt get install sdcc libaudio dev sqliteman asterisk 3 Compile GnuRadio Unfortunately the documentation reflects the procedure for newer versions whereas for USRP1 we need to use a version between 3 3 0 and before 3 5 0 I managed to compile with configur nable usrp disable usrp2 disable volk make make install Note that in my case I have a USRP1 not USRP2 and volk has issues on 64 bit systems so I disabled it 4 Compile OpenBTS as indicated online BTS As I am using USRP1 with a single daughterboard I need to specify it autoreconf 1 configure with usrpl with singledb make For 2 6 users you ll notice the OpenBTS repository now comprises several components in addition to the OpenBTS core such as smqueue a subscriber registry a client interface for OpenBTS 5 As stipulated in BTS copy the sample SQlite databases to etc OpenBTS for example There are a few other things to do such as e link to the correct transceiver in OpenBTS and std_inband rbf see BTS e create a directory named var run OpenBTS Table 3 lists my personal configuration 4 2 OpenBTS 2 6 My old software config for OpenBTS 2 6 is listed at Table 4 Page 10 OpenBTS for dummies 4 2 OpenBTS 2 6 4 SOFTWARE
40. ou will require a better clock than the standard one that ships with the USRP board There has been so many problems with the stock 64Mhz clock that the maintainers have chosen to soon discontinue support for those clocks You need a 52Mhz clock or you re on your own i e don t expect any help from the maintainers or the mailing list 3 6 52Mhz clocks The possible solutions are e atone time Kestrel Signal Processing http kestrelsignalprocessing mybigcommerce com categories OpenBTS Hardware used to sell a clock for 150 USD It s now out of stock e FairWave s Clock Tamer http shop fairwaves ru clock tamer has a clock for 240 USD It was sold out re approvisioned and now again out of stock should be back in stock in Febrary 2013 The long term stability is 0 28ppm but as the clock can be re calibrated usually people use it for a couple of months and then re calibrate to keep the accuracy in the lt 0 01ppm e FA SY1 Gral0 http www box73 de product_info php products_id 1869 can be bought for 39 5 euros The price is attractive but the voltage output is too high the distribution chip AD9513 only copes up to 2V max so here with a voltage output of 3 3V it is too high As such there are strong risks to damage the USRP Hac12 unless you are using an old USRP board which supports 3 3V See the mailing list ML for several threads on the matter e FA SY2 http www box73 de product_info php products_id 1870 can
41. qwt5 qt4 dev qt4 dev tools python qwt3d qt4 libqwtplot3d qt4 dev python qt4 dev libxt dev libaudio dev libpng dev libxi dev libxrender dev libxrandr dev libfreetype6 dev libfontconfig dev python lxml python cheetah oss compat swig g automakel 9 libtool libusb dev A libsd11 2 dev python wxgtk2 8 guile 1 8 dev A libgt4 dev python opengl fftw3 dev 5 Install GnuRadio 3 2 2 download the sources if you are using a 52Mhz clock there are two patches to apply The most important one is detailed in section 9 1 or Gnua Additionally you should patch the usrp_fft tool included in GnuRadio to add a new command line option to set the clock s frequency See section 9 2 set your library path to export LD_LIBRARY_PATH opt boost_1_44_0 lib usr local 1lib LD_LIBRARY PATH configure specifying to use boost configure with boost opt boost_1_44_0 It is possible to specify only the components you really need to build Actually this is what I tried initially but in the end I think it is a bad idea because you always end up using a component you hadn t expected to and need to recompile it later Your choice but you have been warned configure with boost opt boost_1_44_0 disable all components enable usrp enable omnithread enable mblock nable pmt nable gnuradio examples Y enable docs enable
42. rchive forum php forum_ name openbts discuss Mun Sylvain Munaut pySIM http git osmocom org gitweb p pysim git a summary Neta Range Networks Asterisk Realtime Configuration https wush net trac rangepublic wiki sqlie30DBC Netb Range Networks Installing and Configuring Asterisk https wush net trac rangepublic wiki asteriskConfig Netc Range Networks OpenBTS P2 8 Users Manual Doc Rev 1 Netd Range Networks Yate Config https wush net trac rangepublic wiki yateConfig New Phonelnfo http www newlc com en phoneinfo Ran RangeNetworks OpenBTS Public Release https wush net trac rangepublic wiki Wik OpenBTS https secure wikimedia org wikipedia en wiki OpenBTS WMC List of mobile country codes https secure wikimedia org wikipedia en wiki List_ of_mobile_country_codes WMN Mobile Network Code https secure wikimedia org wikipedia en wiki Mobile_Network_Code Page 40 OpenBTS for dummies
43. requencies are not used by someone else Launch usrp_fft py as root and make sure OpenBTS is not running usrp_fft py f 1 78386 You should get a relatively flat curve such as Figure 6 if the frequency is not used If it is pick up another channel To test the USRP responds correctly simulate use of the uplink and downlink frequencies usrp_siggen py f 1783 8M Using TX d board A Flex 1800 Tx MIMO B uU Do not bother about the uU oOs you may see as output Ham08 explains their meaning 2 9 a audio sound card O overrun PC not keeping up with received data from usrp or audio card U underrun PC not providing data quickly enough aUaU audio underrun not enough samples ready to send to sound card sink uUuU USRP underrun not enough sample ready to send to USRP sink tOuO USRP overrun USRP samples dropped because they weren t read in time Check you see a peak at the corresponding frequency as in Figure 7 Do the same for the downlink frequency Page 22 OpenBTS for dummies 6 3 Calibrating the clock 6 TESTING GNURADIO USRP FFT O 10 dB div 0 cal li il Nha ge gt Lec A AAC a 1 7825 1 783 1 7835 1 784 1 7845 1 785 Frequency GHz Center freq Gain 45 I mE Decim 16 Fs USB 3 25M Flex 1800 Rx MIMO B Analog BB 1 781G DDC 2 8M OK Amplitude dB 60 Figure 7 Frequency 1783 8 Mhz is used 6 3
44. rite_oe 0 0 0xffff m_uRx gt _write_oe 0 POWER_UP RX2_RXIN ENABLE Oxffff m_uRx gt write_io 0 ENABLE RX2_RX1N ENABLE RX2_RX1N POWER_UP power up inverted x m_uRx gt set_adc_buffer_bypass 0 true m_uRx gt set_adc_buffer_bypass 1 true m_uRx gt set_pga 0 m_uRx gt pga_max should be 20dB m_uRx gt set_pga 1 m_uRx gt pga_max m_uRx gt set_mux 0x00000010 writeLock unlock FIXME This should be configurable setRxGain 47 maxRxGain 312 8 312 8 if m_uTx return false a a secs 3 E Page 34 OpenBTS for dummies 10 TROUBLESHOOTING power down m_uTx gt write_io m_uRx gt write_io m_uTx gt write_io m_uRx gt write_io 0 POWER_UP RX_TXN POWER_UP RX_TXN ENABLE 1 POWER_UP POWER_UP ENABLE 0 POWER_UP POWER_UP ENABLE 0 POWER_UP POWER_UP ENABLE r r delete currData 361 8 361 7 m_uRx gt set_pga 2 0 m_uRx gt set_pga 3 0 z m_uRx gt write_aux_dac 1 0 int ceil 1 2 0 02 dB rfMax 4096 0 3 3 m_uRx gt write_aux_dac 0 0 int ceil 1 2 0 02 dB rfMax 4096 0 3 3 LOG DEBUG lt lt Setting DAC voltage to lt lt 1 2 0 02 dB rfMax lt lt lt lt int ceil 1 2 0 02 dB rfMax 4096 0 3 3
45. root Usually it does not find asterisk because the process is not root and can t access it Asterisk is typically located in usr sbin asterisk 10 18 I get ortp warning Error in OpenBTS Honestly I don t know what that is but I was told I shouldn t bother 10 19 What s my phone number With OpenBTS 2 8 once registered send a SMS to 411 status The answer provides your phone number IMSI cell ID If 411 is not working check the value of SC Info Code in the smqueue database and text that number From a terminal an alternative is to look into the subscriber registry dialdata_table table sqlite3 var lib asterisk sgqlite3dir sqlite3 db sqlite gt dump dialdata_table PRAGMA foreign_keys OFF BEGIN TRANSACTION CREATE TABLE dialdata_table id INTEGER exten VARCHAR 40 NOT NULL DEFAULT dial VARCHAR 128 NOT NULL DEFAULT PRIMARY KEY id Page 38 OpenBTS for dummies 10 20 Can I change my phone number REFERENCES INSERT INTO dialdata_table VALUES 1 2100 IMSI00101XX INSERT INTO dialdata_table VALUES 2 06123456 IMSI2083xXxX 10 20 Can I change my phone number Yes See 5 2 5 for that 11 Acknowledgements I definetely need to thank Andy Fung for helping me with OpenBTS Andy helped step by step understand and build the whole system not to mention he sent me his spare 52Mhz clock Yes Andy
46. s play google com store apps details id com evozi deviceid Gnua OpenBTS Clock Modifications http gnuradio org redmine wiki gnuradio OpenBTSClockModifications Gnub OpenBTS Clocks http gnuradio org redmine projects gnuradio wiki OpenBTSClocks Page 39 OpenBTS for dummies REFERENCES REFERENCES Gra10 Norbert Graubner Baumappe zum FA Synthesizer FA SY 2010 http www funkamateur de http www box73 de download bausaet ze BX 026 pdf Hac12 RIP FA SY1 or how we fried RFX 900 2012 http www hack4fun eu 2012 04 rip fa sy 1 or how we fried rfx900 Ham08 Firas Abbas Hamza The USRP under 1 5X Magnifying Lens June 2008 http www scribd com doc 9688095 USRP Documentation IEE98 IEEE IEEE Standard for Safety Levels with Respect to Human Exposure to Radio Frequency Electro magnetic Fields 3 kHz to 300 GHz 1998 http www icnirp org documents emfgdl pdf Kyo12 Kyocera KYOCERA Develops New TCXO for Mobile Communications Handsets with Industry Leading Low Phase Noise and World s Smallest Size September 2012 http global kyocera com news 2012 0902_yama html Laca Joshua Lackey Kal v0 3 http sourceforge net mailarchive attachment php 1ist_name openbts discuss message_id AANLkTimOp6tMUb690aCtoEaf5x71ZPVZeYiAryEGCTAKS 40mail gmail comscounter 1 Lacb Joshua Lackey Kalibrate http thre at kalibrate ML OpenBTS Discuss mailing list http sourceforge net maila
47. t along with unixodbc and sqliteodbc Neta I preferred to install Yate far simpler in my opinion even though I had no previous experience with Yate Allow a phone to send SMS messages to another one I rely on smqueue for sending and receiving SMS Enable logging so that you understand what s happening when there s a failure Be aware that intensive logging will however burden your host and may impact call quality for instance Echo service Optionally the Echo service can be configured to test call quality It s a particular short code service that a handset dials and then gets the echo of his own voice Page 15 OpenBTS for dummies 5 2 Configuring 2 8 5 CONFIGURATION 5 2 1 Databases Most configuration parameters correspond to a given key value pair in a database There are different databases all in SQLite format e the OpenBTS database By default in etc OpenBTS OpenBTS db e the SIP authorization and registration database By default in etc OpenBTS sipauthserve db e the smqueue database By default in etc OpenBTS smqueue db e the PBX database By default in var lib asterisk sqlite3dir sqlite3 db Despite the name this database is not dedicated to Asterisk It is also used by Yate for instance The databases may be edited using the traditional SQLite tools such as sqliteman GUD or sqlite3 Unix command Example of configuration modification sqlite3 OpenBTS db UPDATE CONFIG SET VALUESTRING 900 WHERE KE
48. the black enclosure no it won t ruin it But backup your SIM contacts and SMS Page 4 OpenBTS for dummies 3 4 Clocks 3 HARDWARE Type Specifications Computer Dell Optiplex 170L with a 2 4 Ghz processor and 1 Go RAM USRP USRP 1 Rev 4 5 board bought from www ettus com Daughterboard 1 RFX 1800 1 5 2 1 GHz Transceiver 100 mW output Antenna VERT 900 824 960 MHz 1710 1990 MHz Quad band Cellular PCS and ISM Band Vertical Antenna 3dBi Gain 9 Inches Works with WBX RFX900 RFX1800 Clock TXCO 52 00Mhz frequency stability 1 max ppm aging 1 max ppm opera tional temperature 20 to 70 C Costs approximately 13 USD SIM Card Reader Writer 12in1 SIM Card USB Card Reader Writer Copier Cloner GSM Bought from www lpowershop com for approximately 14 USD 2 Mobile phones Nokia 6680 and Nokia N95 Table 1 Hardware specifications 2 on the mainboard screw the special screws which make sure the daughterboards are elevated just right above the mainboard 3 connect the RFX daughterboard If a single board make sure to connect it on side A notice the words RXA and TXA on the right of the board when you are facing the USRP 4 install and connect the ventilator to the motherboard 5 screw the RF cables on the daughterboard and have them go to the enclosure s front panel 6 screw the antenna to the RF cable that matches TX RX of the daughterboard The other RF cable is unus
49. tly in the SMS control layers of OpenBTS while sendsimple operates by sending an RFC 3428 SIP MESSAGE packet to the OpenBTS SIP port OpenBTS 2 6 The console is directly accessible from the OpenBTS command prompt Yet OpenBTS gt sendsms 208123456789012 24567 blah blah From the OpenBTS 2 6 achemeris sms split branch the sendsms command is enhanced as follows OpenBTS achemeris gt sendsms 208123456789012 24567 0000 enter text to send Hello from console message submitted for delivery where e 208123456789012 is the IMSI of the phone to send the SMS to e 24567 is the source phone number does not need to exist unless you expect an answer Page 29 OpenBTS for dummies 7 7 Sniffing GSM packets 8 MISCELLANEOUS e 0000 is the number of the SMSC not sure this is used yet In OpenBTS 2 6 achemeris sms split branch it is possible to send an SMS PDU OpenBTS achemeris gt sendsmsrpdu 208304424439206 24567 enter text to send 014603a1000000138003a121f 30000117042711404e104d4f29c0e message submitted for delivery This sends an SMS to IMSI 208304424439206 from 24567 with text Test 7 6 2 SMS from one phone to another Of course the phones must be registered and be assigned a phone number Also be sure to have the smqueue daemon running and watch the logs For example below 2102 is sending a SMS to 2103 Got SMS 48 keagw from IMSI208123456789012 for 2103 Responding with 202 Queued 75 secon
50. to complain about binding to the address Configuration of smqueue is located in smqueue smqueue config The default configuration is usually okay except for add Log Alarms Max 10 otherwise smqueue crashes in some circumstances such as sending a regis tration SMS create a savedqueue txt in the smqueue directory run smqueue as root Indeed smqueue launches asterisk and tries to read files such as etc asterisk sip conf which are usually only accessible to root Page 20 OpenBTS for dummies 6 TESTING GNURADIO 5 3 2 Asterisk configuration See also Ale09 You need to set two files etc asterisk extensions conf and etc asterisk sip conf Basically at the end of extensions conf add one extension per mobile phone you want to add to your net work sip local exten gt 2102 1 Macro dialSIP IMSI208123456789012 exten gt 2103 1 Macro dialSIP IMSI208555555555555 The numbers 2102 and 2103 are the phone numbers to call the first mobile phone dial 2102 To call the second phone number dial 2103 Of course you can change the number The tag IMSI208123456789012 is like a name for your SIM card It must match the tag specified in sip conf In sip conf add one tag per SIM card IMSI208123456789012 Axelle SIM card IMSI canreinvite no type friend context sip external allow gsm host dynamic The tag acts as a section name You can change it as long as you use the same name
51. usrp source_c which options which decim_rate options decim if options fpga_freg is not None self u set_fpga_master_clock_freg long options fpga_freg if options rx_subdev_spec is None options rx_subdev_spec pick_subdevice self u self u set_mux usrp determine_rx_mux value self u options rx_subdev_spec 9 3 GSM 1800 patch Recent snapshots taken from the OpenBTS git repository do not need this patch any longer This patch is to use OpenBTS with RFX 1800 daughterboards It is not required e for RFX900 daughterboards e for recent snapshots of OpenBTS e g from the git repository it works straight away Note the patch below modifies the USRPDevice files in the Transceiver directory If you are using a 52Mhz this directory is not used it s the Transceiver52M directory you need to patch Transceiver USRPDevice cpp 2010 02 25 10 12 28 000000000 0100 Transceiver USRPDevice cpp 2010 07 08 15 01 00 334544272 0200 Qe 59 7 59 14 unsigned N double xactual_freq if freq lt 1 2e9 DIV2 1 freq mult 2 else DIV2 0 Page 32 OpenBTS for dummies 9 4 Single daughterboard patch 9 PATCHES FOR OPENBTS 2 6 freq_mult 1 float phdet_freq 64 0e6 R_DIV int desired_n int round freg freg_mult phdet_freq xactual_freq desired_n phdet_freq freq_mult Transceiver USRPDevice h 2010 02 25 10 12 28 000000000 0100 Transceiver USRPDevice h 2010 0
52. ve completed all previous steps you can now start using OpenBTS Plug the OpenBTS box It s better to put it 40cm away see Section 8 2 however do not lock it too far away 7 2 1 OpenBTS 2 6 Run the OpenBTS daemon and the smqueue messaging queue Smqueue needs to run as root apps OpenBTS sudo smqueue smqueue 7 2 2 OpenBTS 2 8 There are several daemons to start as root e smqueue handles SMS e sipauthserve subscriber registry e OpenBTS the main OpenBTS daemon e OpenBTSCLL its client interface Page 25 OpenBTS for dummies 7 3 Having phone scan for the OpenBTS network 7 USING OPENBTS y Menu e Tools e a gy 9 Contacts Messaging Maps Bluetooth WLAN wiz Sync y ON N a Y El aon a Ee Music Gallery vi ntr Profiles Settings Figure 8 Application menu Figure 9 Tools menu I personally like to start all of these in a seperate window bin bash OPENBTS_DIR YOUR OPENBTS PATH echo OpenBTS launcher script if S id u 0 then echo This script must be run as root 1 gt amp 2 exit 1 fi mkdir p var run OpenBTS I Settings A X g General 7 Phone b A IA Connecti Figure 10 Settings menu xterm n Smqueue e SOPENBTS_DIR smqueue trunk smqueue smqueue amp xterm n SipAuth e SOPENBTS_DIR subscriberRegistry trunk sipauthserve xterm n OpenBTS e cd SOPENBTS_DIR openbts trunk apps amp amp OpenBTS amp xterm n Op

OpenBTS for dummies

Contents

Download Pdf Manuals

Related Search

Related Contents