
Introducing OsmocomBB: 0x02 Hardware

Hi, %username%! To work with OsmocomBB you need certain equipment on which the software part runs, namely: a transceiver, your computer acting as a server, and a cable connecting them to each other. The transceiver is most often an ordinary cell phone running custom firmware. A TTL-USB converter may be required to connect the phone to the computer. Following the instructions published on the project website, or rather collecting the information piece by piece, you can assemble a working hardware setup, but at this stage a novice GSM network researcher can run into a lot of pitfalls. Let's look at everything in order.

Transceiver




It all started in 2010, when the Osmocom developers had finished the main part of OpenBSC and needed to implement the client side of the GSM protocol. There were two possible paths: either build a transceiver device on new hardware, or use a ready-made solution. Motorola phones based on the Calypso chipset were chosen as the hardware platform: the C123, C118 and C121. Why Calypso? Because the specifications of this chipset leaked to the Internet at one point and are still available today.

The process of disassembling the firmware began, and in the same year the first commit appeared in the project repository. Later the project was ported to other phones with the same chipset, such as the Sony Ericsson J100i, Pirelli DP-L10, Neo 1973, Neo Freerunner, and some more Motorola C-series and V-series phones. For more information about supported platforms, see the Hardware / Phones page of the project.


Data transmission from a mobile station (MS), i.e. the cell phone, to a base station (BTS) happens in several stages. First, the transmit event is generated by the central processor and passed to the digital signal processor (DSP), which captures the signal directly from the microphone and hands it to the hardware modulator. After modulation the signal is converted from digital to analog, amplified, and fed through a switch to the antenna, from which it is transmitted over the air. Reception is the reverse process, except that the signal is filtered and the demodulation is done in software on the DSP.

The question arises: is it possible to run OsmocomBB on modern phones?

Unfortunately not. The first problem is secure boot. It is no secret that many devices have a bootloader that starts the firmware, and cell phones are no exception. In most cases the loader is "locked" and does not allow loading third-party firmware. It is sometimes possible to unlock the bootloader, but there is a more serious problem: the drivers and the DSP specifications are closed and available only to a few.

So, fly in the ointment number two: these phones are not so easy to find. They were released in the second half of the 2000s, and today they can be found either on AliExpress, on eBay, or on Avito in nearby cities. The third option is the most reliable, since instead of the ordered Osmocom phone something quite unexpected may arrive. I managed to get only three compatible phones, two C118 and one C115, so I will talk about working with them. The C118 is built on the E88 platform, the C115 on the E87. According to the project developers, the two are 99.9% identical. A small photo shoot:





Another important detail. In the USA, Canada, Africa and some Latin American countries GSM operates in the 850/1900 MHz bands, and phones of the US standard were produced for them. For the standard frequency bands, phones of the EU standard were produced. The OsmocomBB project was originally designed for the EU standard, although some craftsmen managed to modify the source code and run the firmware on US phones. In any case, I recommend sticking with the EU standard. How to tell them apart? Look at the seller's geographical location. You can just as easily check that the phone works on our networks by simply calling someone.

Wires and Converters




The phones in question have a serial port whose pins are located on the board. Amusingly, the headset jack also acts as a serial port and can be used to debug the original firmware (service menu **16379#) and to communicate with the bootloader. When the phone starts, the built-in loader sends a request over the serial port to download firmware; if nobody answers it, the firmware is loaded from flash memory.

You can buy a ready-made cable on the sysmocom website, but that is not interesting, because you can assemble one yourself. You will need a 2.5 mm jack (about 5 rubles), three wires, a converter (about 150 rubles on AliExpress) and the ability to solder. All of this costs no more than 200 rubles and is much cheaper than 13 euros. Here I remembered the Arduino, which already has a USB-TTL converter on board; that is what I did when I first started getting acquainted with the project. My Freeduino (a domestic clone) has an FT232RL soldered on, which faithfully served me as a reflasher of routers (and sometimes their killer). It successfully received the bootloader messages but did not allow loading the firmware. Therefore it is best to buy a separate converter from the list published in the Hardware / SerialCable section.

The most suitable converters are based on the FT232 chipset: out of the box they allow non-standard baud rates and work quite stably. The next recommended chipset is the CP2102, which I use myself. Converters based on it are inexpensive, and after reflashing they also allow non-standard baud rates; instructions for the reflashing can be found in the Hardware / CP210xTutorial section. The PL2303 is suitable only for a limited range of tasks, since it cannot work at high speeds and sometimes loads the firmware only every other time.

As for the jack: the farthest contact (the tip) is TxD, the middle one (the ring) is RxD, and the remaining one (the sleeve) is GND. Solder carefully so as not to overheat anything, and at the end check the continuity of each contact with a multimeter. After that you can check that the cable works.

# 1. …
# 2. …
# 3. Install minicom:
$ sudo apt-get install minicom
# 4. Open the configuration menu:
$ sudo minicom -s
# 5. Choose "Serial port setup". Find the port device with
ls /dev/ | grep tty
#    Set the speed to 115200 and the parameters to 8-N-1.
#    Confirm with "Enter", leave the menu with "Esc".
# 6. Turn on the phone (…) and watch the output.
#    The line @ftmtoolerror should appear; if it does not, …
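The same cable check can be done without minicom. The script below is an added example, not code from the article or from the OsmocomBB project: it opens the converter's tty at 115200 8-N-1 using only the Python standard library (termios, so no pyserial is needed), then waits for the bootloader's @ftmtoolerror prompt for a few seconds after the phone is switched on. The device path /dev/ttyUSB0, the timeout and the function names are assumptions; the detection logic is separated from the tty handling so it can also be run against a canned byte stream.

```python
"""Serial-cable sanity check for a Calypso phone (added example, not from the article).

Assumptions not taken from the page: the converter appears as /dev/ttyUSB0, and a
working cable is recognised by seeing the bootloader prompt '@ftmtoolerror' within
a few seconds of powering the phone on.
"""
import os
import select
import sys
import termios
import time

BAUD = termios.B115200
MARKER = b"@ftmtoolerror"  # the prompt the article says minicom should show


def configure_port(fd: int) -> None:
    """Put an already-open tty fd into raw 115200 8-N-1 mode (the minicom settings)."""
    iflag, oflag, cflag, lflag, _ispeed, _ospeed, cc = termios.tcgetattr(fd)
    # Raw input: no software flow control and no CR/LF translation
    iflag &= ~(termios.IXON | termios.IXOFF | termios.IXANY
               | termios.ICRNL | termios.INLCR | termios.IGNCR)
    oflag &= ~termios.OPOST
    # 8 data bits, no parity, 1 stop bit, no hardware flow control, ignore modem lines
    cflag &= ~(termios.CSIZE | termios.PARENB | termios.CSTOPB
               | getattr(termios, "CRTSCTS", 0))
    cflag |= termios.CS8 | termios.CREAD | termios.CLOCAL
    lflag &= ~(termios.ICANON | termios.ECHO | termios.ECHOE | termios.ISIG)
    cc[termios.VMIN] = 0   # non-blocking reads: return whatever is pending
    cc[termios.VTIME] = 0
    termios.tcsetattr(fd, termios.TCSANOW, [iflag, oflag, cflag, lflag, BAUD, BAUD, cc])


class MarkerScanner:
    """Feeds serial chunks and reports once MARKER has been seen.

    Only the last len(marker)-1 bytes are kept between reads, so a prompt that is
    split across two reads is still detected without buffering the whole stream.
    """

    def __init__(self, marker: bytes = MARKER):
        self.marker = marker
        self._tail = b""
        self.seen = False
        self.received = 0

    def feed(self, chunk: bytes) -> bool:
        if not chunk or self.seen:
            return self.seen
        self.received += len(chunk)
        buf = self._tail + chunk
        if self.marker in buf:
            self.seen = True
        self._tail = buf[-(len(self.marker) - 1):]
        return self.seen


def wait_for_bootloader(read_chunk, timeout_s, clock=time.monotonic, sleep=time.sleep):
    """Poll read_chunk() until the prompt appears or timeout_s elapses.

    read_chunk is any callable returning bytes (b"" when nothing is pending), so the
    same logic runs against a real tty or a canned byte stream.  Returns a dict with
    whether the prompt was seen and how many bytes arrived (useful to distinguish
    'wrong baud rate / swapped TxD-RxD' garbage from a dead cable).
    """
    scanner = MarkerScanner()
    deadline = clock() + timeout_s
    while clock() < deadline:
        chunk = read_chunk()
        if scanner.feed(chunk):
            break
        if not chunk:
            sleep(0.01)
    return {"ok": scanner.seen, "bytes": scanner.received}


def replay(data: bytes, chunk_size: int):
    """Build a read_chunk() that returns `data` in pieces, then b"" (for offline use)."""
    pos = [0]

    def read_chunk() -> bytes:
        chunk = data[pos[0]:pos[0] + chunk_size]
        pos[0] += chunk_size
        return chunk
    return read_chunk


def check_cable(path: str = "/dev/ttyUSB0", timeout_s: float = 10.0) -> dict:
    """Open the converter, configure it, and wait for the phone's bootloader prompt."""
    fd = os.open(path, os.O_RDONLY | os.O_NOCTTY | os.O_NONBLOCK)
    try:
        configure_port(fd)

        def read_chunk() -> bytes:
            ready, _, _ = select.select([fd], [], [], 0.1)
            return os.read(fd, 256) if ready else b""
        return wait_for_bootloader(read_chunk, timeout_s)
    finally:
        os.close(fd)


if __name__ == "__main__":
    result = check_cable(sys.argv[1] if len(sys.argv) > 1 else "/dev/ttyUSB0")
    print("bootloader prompt seen" if result["ok"]
          else "no prompt: check TxD/RxD/GND, the converter and the baud rate", result)
    sys.exit(0 if result["ok"] else 1)
```

Run it with the cable plugged in and the phone off, then press the power button within the timeout. A result of `ok: False` with a non-zero byte count usually means the port is alive but the data is garbled (wrong speed or swapped TxD/RxD), while zero bytes points at a bad solder joint, a missing GND or the wrong /dev/tty device.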

List of possible errors:


Multiple phones


For the main OsmocomBB modules a single phone is enough. However, to run a BTS you need at least two. The base station must broadcast beacon packets that announce its presence and help phones connect to it, and network performance when one phone both sends beacons and handles user connections is catastrophically low. Also, when sniffing GSM traffic it is better to have at least two phones: one listens to the service messages of the monitored subscriber, the other switches to its frequencies and records the conversation.

Bonus!




Source: https://habr.com/ru/post/258661/
