Introducing OsmocomBB: 0x01 Introduction

OsmocomBB is a project whose goal is the free (Open Source) implementation of the GSM protocol stack. OsmocomBB provides the source code of the firmware for compatible phones, as well as software for their interaction with the computer. In this series of articles I will try to describe the most interesting features, subtleties and errors that may arise when working with this software. I invite interested under the cat!

Navigation

• 0x01 Introduction
• 0x02 Hardware
• 0x03 Software

Despite the fact that today the market leader in the mobile operating network is an open and free Android system, the drivers for interacting with DSP are proprietary. Instead of saying, than it is good or bad, I will tell you what opportunities open when using free software in this area:

• Education

  GSM is an open standard developed by the ETSI community, but few, apart from developers of cellular communication equipment, understand in detail the principles of interaction between a telephone and a cellular network. Development and implementation of software working on the side of a cell phone requires knowledge of the material, which is rather difficult to find in books or standard description. One of these topics is the implementation of synchronization of the phone and the base station using the TDMA (Time Division Multiple Access) method. Another “problem” topic is the optimization of energy consumption in order to save battery power.
  

• Research

  Any research in the field of cellular communication, especially security research, requires both theoretical knowledge and a free, well-documented implementation of the basic protocol stack. It is possible that the manufacturers of cellular communication equipment are not interested in any research, which, in addition, may adversely affect their position in the market. Therefore, they are doing everything possible to hide the details of the work of their equipment from curious researchers. Based on GSM protocol knowledge and freely available software, more and more people can do research that does not require close ties to the cellular industry.
  

• Security and Privacy

  Most people have an idea of ​​potential threats when connecting to the Internet and use anti-virus programs, firewalls and firewalls to protect their computers. But what about mobile phones? Almost constantly, your phone, whose DSP module is controlled by some software with closed source code, is connected to a public GSM wireless network created by the nearest base station. Any rather complex software may contain errors or specially left backdoors, which can be used by anyone. In contrast, and proprietary software, free provides a higher level of security, since the source code is readable to anyone interested in this.
  

The OsmocomBB project comes to the rescue.

Osmocom Community

The Osmocom community is engaged in the development of several Open Source projects at once, such as:

• OpenBSC - implementation of the protocol stack and GSM / 3GPP standard elements, with which you can organize your cellular network;
  
• OsmocomDECT - a free implementation of the DECT standard protocol stack, on the basis of which most landline cordless telephones work;
  
• SIMTrace - equipment and software for passive monitoring of traffic between the SIM-card and the phone;
  
• OsmoSDR is a cheap SDR receiver capable of receiving GSM, TETRA, GMR-1 and similar signals.
  

The community is also engaged in wireless security research. Detailed information can be found on their website: osmocom.org . Unfortunately, the information on the site is poorly structured, and in some places in general at the TODO stage. A lot of information about the project and useful things can be found if you look at their speeches at various conferences.
')

OsmocomBB Project

Immediately after completing work on the main part of the OpenBSC project in 2010, it became necessary to implement the client part of the GSM standard protocols. The developers chose the Calypso chipset, due to the availability of its specifications. The project was repeatedly presented at several conferences, where the speakers were accompanied by stormy applause.
The project is developed on the basis of the Git version control system and consists of several branches, which emphasize certain opportunities.

So, in order, what do you need to run OsmocomBB?

• Compatible Phone Based on Calypso or MediaTek Chipset

  A list of supported models can be found here . The main focus is on the Motorola C123 / C121 / C118 (E88) and Motorola C155 (E99), so it is recommended to purchase them. Also supported are Open Source phones Neo 1973 (GTA01) and Neo Freerunner (GTA02). In more detail about where to get a compatible phone and how to make sure that this is exactly what you need, I will tell in the second part.
  

• Filter replacement and antenna (optional)

  If you plan to use the phone as a passive GSM traffic sniffer or you want to launch a small base station based on it, you will have to order additional parts and show skill in careful soldering. The fact is that incoming traffic (downlink), not intended for this phone, is rejected by special filters. In order to get around this, you need a small surgical procedure, which is described here: Filter Replacement . However, these actions require responsibility and understanding of what is happening on the part of the reader, since broadcasting on GSM frequencies requires a license, and violation of the confidentiality of subscriber traffic is pursued by the legislation of the Russian Federation. :( In more detail about it as I will try to tell in the following parts of this cycle.
  

• USB-TTL cable and converter

  The phone communicates with the computer via a serial port and a USB-TTL converter. Compatible Motorola phones use the 2.5 mm jack headset port for this purpose. Here you have two options: either order a ready-made cable on the sysmocom.de website (10-15 euros) or anywhere else, or make it yourself, spending only jack, wires and a converter (about 200 rubles from aliexpress). In more detail about how to solder a cable, about subtleties of a choice of the converter and a rake on which it is possible to step, I will tell in the second part.
  

• Computer running Unix-like OS

  It is assumed that the reader is at least at a basic level familiar with Unix-like operating systems. The process of building sources will be described on the example of the Ubuntu Linux 14.04 LTS distribution. It is also desirable to have a stable channel of access to the Internet.
  

• Patience, skill, ability to search for information on the Internet

  There is a high probability that you will encounter errors during the source build or when the phone is connected. This is normal. You should carefully read the error messages, and often use the search: perhaps someone already had such problems. Also very useful knowledge of English at a basic level. In each of the following parts I will describe the possible errors and how to eliminate them.
  

What can be done with OsmocomBB?

• GSM traffic sniffing

  Packets transmitted over GSM networks can be captured, analyzed (for example, using Wireshark), and even decrypted. The phone will transfer all captured traffic to your computer. This is one of the cheapest GSM sniffers, allowing you to perform security research and testing.
  

• Starting a small base station

  If you have ever heard of SDR devices , such as USRP , then you probably heard about their price. OsmocomBB compatible phone with soldered filters is a cheap alternative that allows you to run your cellular network within the room.
  

• RSSI (Received Signal Strength Indication)

  It is possible to monitor the signal level on different channels of the cellular network. To do this, use the special firmware of the same name.
  

• Wireless Stress Testing (EMI)

  It sounds impressive. Special EMI firmware allows you to generate software-defined interference in order to test the stability of various wireless equipment, such as amplifiers and radios. more about this is written here .
  

• SIM Reader

  Using special libraries, you can interact with your SIM card through the same phone. As you know, a SIM card is a rather complicated device that may contain security flaws. There is even a project to test the security of SIMtester SIM cards.
  

• Run a small operating system NuttX

  The Osmocom community managed to port the Nuttx RTOS system for launch on OsmocomBB compatible phones. In one of the following articles I will tell about it in more detail.
  

• Calls and SMS

  Despite the list of possibilities listed above, the phone remains a telephone, and under the control of the mobile program from the OsmocomBB package, it can make / receive voice calls, receive and send SMS messages, and execute DTMF commands.
  

What to see, read?

Firstly, the fundamentals of the GSM standard, namely the process of sharing access between subscribers, cellular network infrastructure, encryption standards ... In general, the more, the better. :)

Brewing a pot of tea and a mug of dumplings, you can see interesting performances of the project developers:

• PHDays 2012 - Abusing Calypso talk
  
• 29C3 GSM: Cell phone network review
  
• Further hacks on the Calypso platform
  
• Let me answer that for you
  
• Wideband GSM Sniffing [27C3]
  

Conclusion

As a conclusion, I provide interesting links to articles by other authors:

• We start GSM network at home
• MiTM Mobile Contest: How Mobile Phone Broke on PHDays V
• HackerSIM: Debriefing

UPD 06.23.2017:
In connection with the ongoing stream of questions, such as: “Will there be a continuation?”, I give my short answer - it will be. But I can not say how soon. At the moment I am engaged in supporting other Osmocom projects, as well as actively working on porting OsmocomBB to SDR platforms, such as USRP or UmTRX.

As soon as opportunities and free time appear, I will try to highlight the following topics:

• What is wrong with A5 / 1 encryption?
• Using OsmocomBB for security audit of cellular networks
• How to stop being afraid and start writing your code for OsmocomBB
• The future of OsmocomBB: transition to SDR

Channel Release Indication;)