The third article of the cycle shows how to examine the handling of packet data in GSM networks using Osmocom. In other words, we will share a laptop's Internet connection with the subscribers of our home network, built on two osmocombb-compatible phones, and analyze the TCP/IP traffic.
Articles in the cycle:
We start GSM network at home
Analysis of GSM network traffic in Wireshark
Add GPRS to your home GSM network
Practical examples of attacks inside the GSM network
Preparation
To follow along you need a working network; its creation is described here. I also recommend reading the second article of the cycle.
For those who have not yet started building the infrastructure for the home network, I suggest not building all the osmocom components by hand but trying the ready-made nightly build packages instead. They are available for Debian and Ubuntu distributions; the repositories are listed at the link above. In theory, installing this way should be easier and trouble-free, but I have not tried it myself.
Theory
First, let's decide what we need to change in our home network in order to add GPRS support.
The whole process is described in the instructions on the official website, which are still up to date.
At that link you will find the following diagram:
Let us go through it in order.
PDCH is the Packet Data Channel. A special type of logical channel must be used to carry packet data. So far we have used TCH/H to serve voice calls; we will need to replace TCH/H with PDCH. We lose the ability to make calls, but we do not have to buy more phones.
nanoBTS - we will use OsmoBTS in conjunction with two osmocombb-compatible phones to create a base station, as we did before.
osmo-nitb - requires minimal configuration to enable the GPRS service; osmo-nitb also has to be rebuilt with osmo-sgsn support.
osmo-sgsn - Serving GPRS Support Node. Essentially the core of the GPRS network, the analogue of the MSC for voice calls.
I copy the list of its functions from Wikipedia:
- control the delivery of data packets to users;
- interaction with the Home Location Register (HLR) for authentication (checking that a subscriber is permitted to request the service); the mechanism is the same as the authentication mechanism in GSM;
- monitoring online users;
- conversion of GSM frames into the formats used by the TCP/IP protocols of the global Internet;
- registration, or "attachment" (attach), of subscribers who have re-entered the network coverage area;
- data encryption; the encryption algorithms in GPRS (GEA1, GEA2, GEA3) differ from the GSM encryption algorithms (A5/1, A5/2, A5/3) but were developed on the basis of them;
- collection of incoming billing information, sending it to the main office, etc.
ggsn - GPRS Gateway Support Node. This node sits on the border between the GPRS core network (GTP) and the Internet. It is easy to build and connect to the rest of the osmocom modules.
One more component is missing from this diagram: the PCU (Packet Control Unit).
The PCU performs some of the BSC functions, but only for packet data. We will use osmo-pcu to implement it.
In the diagram below, the PCU is present:
Modifying the network
I remind you that my configuration files are stored in /root/.osmocom. As in the first article, they are attached at the end. Before using them, you need to put the correct IP addresses in place of VIRTUAL_IP and MAIN_IP, GSM900 or DCS1800 in place of RANGE, and the ARFCN number in place of CHANNEL.
It is assumed that all components will run on the same machine, so we need to create a virtual interface on the network adapter: the IP addresses for the GGSN and the SGSN must differ. My home network is 192.168.1.0/24, the IP address of my main Wi-Fi interface is 192.168.1.37, and the address 192.168.1.250 is not in use, so I set it as the virtual one.
ifconfig wlan0:0 192.168.1.250
You will also need to allow forwarding and configure NAT, since we will be "sharing" the Internet with all subscribers of the network. (The 192.168.0.0/24 network does not need to be changed; it will be assigned to the tun0 interface, which appears once all components of the GPRS infrastructure are started.)
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A POSTROUTING -s 192.168.0.0/24 -t nat -o wlan0 -j MASQUERADE
Obviously, such a configuration will not survive a reboot, but ways to make these settings persistent are easy to find in a search engine.
Install osmo-pcu
git clone git://git.osmocom.org/osmo-pcu.git
cd osmo-pcu
autoreconf -i
./configure
make
make install
cd ..
ldconfig
osmo-pcu -h
Configuring osmo-nitb
Run osmo-nitb, connect to the VTY and execute the following commands.
telnet 127.0.0.1 4242
en
conf t
network
bts 0
gprs mode gprs
gprs routing area 0
gprs cell bvci 2
gprs nsei 101
gprs nsvc 0 nsvci 101
gprs nsvc 0 local udp port 23000
gprs nsvc 0 remote udp port 23000
gprs nsvc 0 remote ip 192.168.1.250
trx 0
timeslot 1
phys_chan_config pdch
end
write file
Stop osmo-nitb.
Install ggsn
git clone git://git.osmocom.org/openggsn.git
cd openggsn
autoreconf -i
./configure
make
make install
ldconfig
Install osmo-sgsn
Install the dependencies and rebuild osmo-nitb to enable osmo-sgsn support.
apt-get install libc-ares-dev
cd openbsc/openbsc/
make clean
autoreconf -fi
./configure
make
make install
ldconfig
cd ../..
ggsn -h
osmo-sgsn -h
Configuring osmo-sgsn
cd /root/.osmocom
touch osmo_sgsn.cfg
osmo-sgsn
telnet localhost 4245
en
conf t
sgsn
gtp local-ip 192.168.1.250
ggsn 0 remote-ip 192.168.1.37
ggsn 0 gtp-version 1
auth-policy accept-all
end
conf t
ns
encapsulation udp local-ip 192.168.1.250
encapsulation udp local-port 23000
encapsulation framerelay-gre enabled 0
end
write file
exit
Configure ggsn
cd /root/.osmocom
touch ggsn.conf
vi ggsn.conf
Configure osmo-pcu
cd /root/.osmocom
touch osmo-pcu.conf
osmo-pcu -c /root/.osmocom/osmo-pcu.conf
telnet localhost 4240
en
conf t
pcu
flow-control-interval 10
cs 2
alloc-algorithm dynamic
alpha 0
gamma 0
write file
exit
Possible problems
It is said that there may be problems with DNS traffic; in that case it is recommended to add one more iptables rule. I did not have such problems.
iptables -t nat -I PREROUTING -i tun0 -p udp --dport 53 -j DNAT --to-dest 8.8.8.8
Also make sure that your phone has at least one APN (access point) added in its GPRS settings; otherwise the phone may not even try to request the GPRS service from the operator.
Launch
Run osmo-nitb
cd /root/.osmocom
osmo-nitb -s -c /root/.osmocom/open-bsc.cfg -l /root/.osmocom/hlr.sqlite3 -P -C --debug=DSQL:DLSMS:DRLL:DCC:DMM:DRR:DMSC:DHO:DGPRS:DNS:DLLC:DCTRL
Run ggsn
cd /root/.osmocom
ggsn -c /root/.osmocom/ggsn.conf -f -d
Run sgsn
cd /root/.osmocom
osmo-sgsn -c /root/.osmocom/osmo_sgsn.cfg -d DRLL:DCC:DMM:DRR:DNM:DMSC:DHO:DGPRS:DNS:DLLC:DCTRL
Start the transceivers and osmo-bts
cd /root/osmocom/trx/src
host/osmocon/osmocon -m c123xor -p /dev/ttyUSB0 -s /tmp/osmocom_l2 -c target/firmware/board/compal_e88/trx.highram.bin -r 99
cd /root/osmocom/trx/src
host/osmocon/osmocon -m c123xor -p /dev/ttyUSB1 -s /tmp/osmocom_l2.2 -c target/firmware/board/compal_e88/trx.highram.bin -r 99
cd /root/osmocom/trx/src/host/layer23/src/transceiver/
./transceiver -a SCH_CHANNEL -2 -r 99
cd /root/.osmocom
osmo-bts-trx --debug DRSL:DOML:DLAPDM -r 99
In place of SCH_CHANNEL, as before, set the ARFCN of a commercial base station's beacon channel with a stable signal.
Run osmo-pcu
cd /root/.osmocom
osmo-pcu -c /root/.osmocom/osmo-pcu.conf
You should see something similar in the osmo-pcu console.
And this in the osmo-nitb console:
Note that in such a network your phone thinks it is roaming, and packet data in roaming is often disabled. Nothing will work unless you allow GPRS while roaming in your phone's settings.
Now, when a phone connects to the network, you should see entries like these in the osmo-pcu console:
And the authorization entry in the osmo-sgsn console:
And when you activate the GPRS service on your phone, you will see that data transfer has begun.
Bear in mind that the data rate of GPRS is very low, while modern phones, as soon as they get network access, immediately start checking for updates, mail and news, and all your applications begin refreshing their data. This can make it hard to open anything in the browser: on top of the low bandwidth, packet loss can occur.
You can improve the situation by restricting what the machine sharing the Internet allows out of the 192.168.0.0/24 subnet (tun0), leaving only a few resources reachable.
Traffic Analysis in Wireshark
For Wireshark to dissect GPRS traffic automatically, you need to add port 23000 in the GPRS-NS protocol settings.
Having connected to the network, I listen on the wlan0 interface and examine the traffic.
We see GSM packets (note the ASCII representation of the data: it is clearly an HTTP request).
Here you can also find classic TCP/IP traffic such as HTTP or DNS requests. You can use the gprs-ns filter. Note how the TCP/IP protocols are nested inside the GSM protocols.
DNS
HTTP
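To make the nesting shown in those captures concrete, here is an added decoder (not code from the article or from Osmocom) that walks one UDP datagram of the NS link on port 23000 down through NS, BSSGP and LLC to the SNDCP payload, where the subscriber's IP packet begins. The sample datagram is constructed for the example; it uses the BVCI 2 configured on this page, and its TLLI, QoS profile and FCS values are placeholders.

```python
import struct

# PDU type codes from 3GPP TS 48.016 (NS) and TS 48.018 (BSSGP), limited to types seen here
NS_PDU_TYPES = {0x00: "NS-UNITDATA", 0x02: "NS-RESET", 0x04: "NS-BLOCK", 0x06: "NS-UNBLOCK",
                0x08: "NS-STATUS", 0x0a: "NS-ALIVE", 0x0b: "NS-ALIVE-ACK"}
BSSGP_PDU_TYPES = {0x00: "DL-UNITDATA", 0x01: "UL-UNITDATA", 0x06: "PAGING-PS",
                   0x22: "BVC-RESET", 0x23: "BVC-RESET-ACK", 0x41: "STATUS"}
BSSGP_IEI_LLC_PDU = 0x0e
LLC_USER_DATA_SAPIS = {3, 5, 9, 11}   # SAPIs that carry SNDCP, i.e. the IP traffic

def bssgp_tlvs(buf):
    """Yield (IEI, value) from a BSSGP TLV area; length is 1 octet if its top bit is set, else 2."""
    i = 0
    while i + 2 <= len(buf):
        iei, l0 = buf[i], buf[i + 1]
        if l0 & 0x80:
            length, i = l0 & 0x7f, i + 2
        else:
            length, i = ((l0 & 0x7f) << 8) | buf[i + 2], i + 3
        yield iei, buf[i:i + length]
        i += length

def parse_ns(datagram):
    """Decode one UDP payload of the NS link and descend NS -> BSSGP -> LLC -> SNDCP."""
    ns_type = datagram[0]
    out = {"ns": NS_PDU_TYPES.get(ns_type, "unknown(0x%02x)" % ns_type)}
    if ns_type != 0x00:
        return out                      # signalling PDU, no BSSGP inside
    # NS-UNITDATA: type(1) control(1) BVCI(2), then the BSSGP PDU
    out["bvci"] = struct.unpack(">H", datagram[2:4])[0]
    bssgp = datagram[4:]
    out["bssgp"] = BSSGP_PDU_TYPES.get(bssgp[0], "unknown(0x%02x)" % bssgp[0])
    if bssgp[0] not in (0x00, 0x01):
        return out
    # DL-/UL-UNITDATA: TLLI(4) QoS profile(3), then TLV-coded IEs
    out["tlli"] = struct.unpack(">I", bssgp[1:5])[0]
    llc = next((v for iei, v in bssgp_tlvs(bssgp[8:])
                if iei == BSSGP_IEI_LLC_PDU), None)
    if llc is None:
        return out
    # LLC (TS 44.064): SAPI is the low 4 bits of the address octet; a UI frame's control field starts 110
    out["sapi"] = llc[0] & 0x0f
    if llc[1] >> 5 != 0b110 or out["sapi"] not in LLC_USER_DATA_SAPIS:
        return out
    sndcp = llc[3:-3]                   # drop address/control octets and the 3-octet FCS
    # SN-UNITDATA octet 1 = X F T M NSAPI; the DCOMP/PCOMP octet exists only when F=1 (4- vs 3-octet header)
    out["nsapi"] = sndcp[0] & 0x0f
    payload = sndcp[(4 if sndcp[0] & 0x40 else 3):]
    if payload:
        out["ip_version"] = payload[0] >> 4
    return out

# Constructed sample: uplink NS-UNITDATA for BVCI 2 carrying a UL-UNITDATA whose LLC frame holds an IPv4 start
SAMPLE_NS_UNITDATA = bytes([
    0x00, 0x00, 0x00, 0x02,                          # NS-UNITDATA, control bits, BVCI 2
    0x01, 0xc0, 0x00, 0x12, 0x34, 0x00, 0x50, 0x20,  # BSSGP UL-UNITDATA, TLLI 0xc0001234, QoS
    0x08, 0x88, 0x00, 0xf1, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00,  # Cell Identifier IE (RAI + CI)
    0x0e, 0x8e,                                      # LLC-PDU IE, 14 octets follow
    0x43, 0xc0, 0x01,                                # LLC: SAPI 3, UI frame, N(U)=0
    0x45, 0x00, 0x00, 0x00,                          # SNDCP SN-UNITDATA: F=1, NSAPI 5
    0x45, 0x00, 0x00, 0x1c,                          # first octets of an IPv4 header
    0xaa, 0xbb, 0xcc,                                # LLC FCS (placeholder, not checked)
])
```

In this setup the LLC payload is readable because no ciphering is negotiated; with GEA ciphering enabled (see the SGSN functions above) the SNDCP layer and everything inside it would be encrypted on the NS link.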
Naturally, we also have classic TCP/IP traffic that already goes directly from wlan0 to the Internet.
At this stage we have full control over the traffic and can carry out the full range of MitM attacks against subscribers of our GSM network.
When a fake base station is created, a connected subscriber becomes unreachable for incoming calls and, in the standard configuration, can no longer call anyone from his phone book, but he does have Internet access and is likely to try to use it. This is where an attacker can target him.
In the next article we will look at practical examples of attacks on GSM network subscribers who have connected to a fake base station.
Configuration files
ggsn.conf
# TAG: listen
# Specifies the local IP address to listen on
listen MAIN_IP
# TAG: dynip
# Dynamic IP address pool.
# Used to allocate a dynamic IP address when the address is not given
# by the HLR; in that case this option is used as a substitute.
# dynip 192.168.254.0/24
# TAG: pcodns1 / pcodns2
# Protocol configuration option domain name system server 1 & 2.
pcodns1 8.8.8.8
pcodns2 8.8.4.4
open-bsc.cfg
!
! OpenBSC (0.15.0.796-8254) configuration saved from vty
!!!
!
log stderr
logging filter all 1
logging color 1
logging print category 0
logging timestamp 0
logging level all everything
logging level rll everything
logging level cc everything
logging level mm everything
logging level rr everything
logging level rsl everything
logging level nm everything
logging level mncc notice
logging level pag notice
logging level meas notice
logging level sccp notice
logging level msc notice
logging level mgcp notice
logging level ho notice
logging level db notice
logging level ref notice
logging level gprs debug
logging level ns info
logging level bssgp debug
logging level llc debug
logging level sndcp debug
logging level nat notice
logging level ctrl notice
logging level smpp debug
logging level filter debug
logging level ranap debug
logging level sua debug
logging level pcu debug
logging level lglobal notice
logging level llapd notice
logging level linp notice
logging level lmux notice
logging level lmi notice
logging level lmib notice
logging level lsms notice
logging level lctrl notice
logging level lgtp notice
logging level lstats notice
logging level lgsup notice
logging level loap notice
logging level lss7 notice
logging level lsccp notice
logging level lsua notice
logging level lm3ua notice
log file OsmoBSC.log
logging filter all 0
logging color 1
logging print category 0
logging timestamp 1
logging level all info
logging level rll notice
logging level cc notice
logging level mm notice
logging level rr notice
logging level rsl notice
logging level nm info
logging level mncc notice
logging level pag notice
logging level meas notice
logging level sccp notice
logging level msc notice
logging level mgcp notice
logging level ho notice
logging level db notice
logging level ref notice
logging level gprs debug
logging level ns info
logging level bssgp debug
logging level llc debug
logging level sndcp debug
logging level nat notice
logging level ctrl notice
logging level smpp debug
logging level filter debug
logging level ranap debug
logging level sua debug
logging level pcu debug
logging level lglobal notice
logging level llapd notice
logging level linp notice
logging level lmux notice
logging level lmi notice
logging level lmib notice
logging level lsms notice
logging level lctrl notice
logging level lgtp notice
logging level lstats notice
logging level lgsup notice
logging level loap notice
logging level lss7 notice
logging level lsccp notice
logging level lsua notice
logging level lm3ua notice
!
stats interval 5
!
line vty
no login
!
e1_input
e1_line 0 driver ipa
e1_line 0 port 0
no e1_line 0 keepalive
network
network country code 1
mobile network code 1
short name Pentestit
long name Pentestit
auth policy accept-all
authorized-regexp .*
location updating reject cause 13
encryption a5 0
neci 1
paging any use tch 0
rrlp mode none
mm info 1
handover 0
handover window rxlev averaging 10
handover window rxqual averaging 1
handover window rxlev neighbor averaging 10
handover power budget interval 6
handover power budget hysteresis 3
handover maximum distance 9999
timer t3101 10
timer t3103 0
timer t3105 40
timer t3107 0
timer t3109 0
timer t3111 0
timer t3113 60
timer t3115 0
timer t3117 0
timer t3119 0
timer t3122 10
timer t3141 0
dyn_ts_allow_tch_f 0
subscriber-keep-in-ram 0
bts 0
type sysmobts
description calypso
band RANGE
cell_identity 0
location_area_code 1
base_station_id_code 63
ms max power 0
cell reselection hysteresis 4
rxlev access min 0
periodic location update 30
radio-link-timeout 32
channel allocator ascending
rach tx integer 9
rach max transmission 7
channel-descrption attach 1
channel-descrption bs-pa-mfrms 5
channel-descrption bs-ag-blks-res 1
early-classmark-sending forbidden
ip.access unit_id 1801 0
oml ip.access stream_id 255 line 0
neighbor-list mode automatic
codec-support fr amr
amr tch-h modes 0
amr tch-h start-mode 1
gprs mode gprs
gprs 11bit_rach_support_for_egprs 0
gprs routing area 0
gprs network-control-order nc0
gprs cell bvci 2
gprs cell timer blocking-timer 3
gprs cell timer blocking-retries 3
gprs cell timer unblocking-retries 3
gprs cell timer reset-timer 3
gprs cell timer reset-retries 3
gprs cell timer suspend-timer 10
gprs cell timer suspend-retries 3
gprs cell timer resume-timer 10
gprs cell timer resume-retries 3
gprs cell timer capability-update-timer 10
gprs cell timer capability-update-retries 3
gprs nsei 101
gprs ns timer tns-block 3
gprs ns timer tns-block-retries 3
gprs ns timer tns-reset 3
gprs ns timer tns-reset-retries 3
gprs ns timer tns-test 30
gprs ns timer tns-alive 3
gprs ns timer tns-alive-retries 10
gprs nsvc 0 nsvci 101
gprs nsvc 0 local udp port 23000
gprs nsvc 0 remote udp port 23000
gprs nsvc 0 remote ip VIRTUAL_IP
gprs nsvc 1 nsvci 0
gprs nsvc 1 local udp port 0
gprs nsvc 1 remote udp port 0
gprs nsvc 1 remote ip 0.0.0.0
no force-combined-si
trx 0
rf_locked 0
arfcn CHANNEL
nominal power 23
max_power_red 99
rsl e1 tei 0
timeslot 0
phys_chan_config CCCH+SDCCH4
hopping enabled 0
timeslot 1
phys_chan_config PDCH
hopping enabled 0
timeslot 2
phys_chan_config TCH/H
hopping enabled 0
timeslot 3
phys_chan_config TCH/H
hopping enabled 0
timeslot 4
phys_chan_config TCH/H
hopping enabled 0
timeslot 5
phys_chan_config TCH/H
hopping enabled 0
timeslot 6
phys_chan_config TCH/H
hopping enabled 0
timeslot 7
phys_chan_config TCH/H
hopping enabled 0
mncc-int
default-codec tch-f amr
default-codec tch-h amr
nitb
subscriber-create-on-demand
assign-tmsi
osmo_sgsn.cfg
!
! OsmoSGSN (0.15.0.796-8254) configuration saved from vty
!!!
!
log stderr
logging filter all 1
logging color 1
logging print category 0
logging timestamp 0
logging level all everything
logging level mm notice
logging level pag notice
logging level meas notice
logging level ref notice
logging level gprs debug
logging level ns info
logging level bssgp debug
logging level llc debug
logging level sndcp debug
logging level slhc debug
logging level ranap debug
logging level sua debug
logging level v42bis debug
logging level lglobal notice
logging level llapd notice
logging level linp notice
logging level lmux notice
logging level lmi notice
logging level lmib notice
logging level lsms notice
logging level lctrl notice
logging level lgtp notice
logging level lstats notice
logging level lgsup notice
logging level loap notice
logging level lss7 notice
logging level lsccp notice
logging level lsua notice
logging level lm3ua notice
!
stats interval 5
!
line vty
no login
!
ns
timer tns-block 3
timer tns-block-retries 3
timer tns-reset 3
timer tns-reset-retries 3
timer tns-test 30
timer tns-alive 3
timer tns-alive-retries 10
encapsulation udp local-ip VIRTUAL_IP
encapsulation udp local-port 23000
encapsulation framerelay-gre enabled 0
bssgp
sgsn
gtp local-ip VIRTUAL_IP
ggsn 0 remote-ip MAIN_IP
ggsn 0 gtp-version 1
auth-policy accept-all
gsup oap-id 0
! apn * ggsn 0
no cdr filename
cdr interval 600
timer t3312 600
timer t3322 6
timer t3350 6
timer t3360 6
timer t3370 6
timer t3313 30
timer t3314 44
timer t3316 44
timer t3385 8
timer t3386 8
timer t3395 8
timer t3397 8
no compression rfc1144
no compression v42bis
osmo-bts.cfg
!
! OsmoBTS (0.4.0.463-e91c) configuration saved from vty
!!!
!
log stderr
logging filter all 1
logging color 1
logging print category 0
logging timestamp 0
logging level all everything
logging level rsl info
logging level oml info
logging level rll notice
logging level rr notice
logging level meas notice
logging level pag info
logging level l1c info
logging level l1p info
logging level dsp debug
logging level pcu notice
logging level ho notice
logging level trx notice
logging level loop notice
logging level abis notice
logging level rtp notice
logging level sum notice
logging level lglobal notice
logging level llapd notice
logging level linp notice
logging level lmux notice
logging level lmi notice
logging level lmib notice
logging level lsms notice
logging level lctrl notice
logging level lgtp notice
logging level lstats notice
logging level lgsup notice
logging level loap notice
logging level lss7 notice
logging level lsccp notice
logging level lsua notice
logging level lm3ua notice
log file OsmoBTS.log
logging filter all 0
logging color 1
logging print category 0
logging timestamp 1
logging level all everything
logging level rsl info
logging level oml info
logging level rll notice
logging level rr notice
logging level meas notice
logging level pag info
logging level l1c info
logging level l1p info
logging level dsp debug
logging level pcu notice
logging level ho notice
logging level trx notice
logging level loop notice
logging level abis notice
logging level rtp notice
logging level sum notice
logging level lglobal notice
logging level llapd notice
logging level linp notice
logging level lmux notice
logging level lmi notice
logging level lmib notice
logging level lsms notice
logging level lctrl notice
logging level lgtp notice
logging level lstats notice
logging level lgsup notice
logging level loap notice
logging level lss7 notice
logging level lsccp notice
logging level lsua notice
logging level lm3ua notice
!
line vty
no login
!
e1_input
e1_line 0 driver ipa
e1_line 0 port 0
no e1_line 0 keepalive
phy 0
osmotrx ip 127.0.0.1
osmotrx fn-advance 30
osmotrx rts-advance 5
instance 0
slotmask 1 1 0 0 0 0 0 0
bts 0
band RANGE
ipa unit-id 1801 0
oml remote-ip 127.0.0.1
rtp jitter-buffer 0
paging queue-size 200
paging lifetime 0
uplink-power-target -75
min-qual-rach 50
min-qual-norm -5
ms-power-loop -65
timing-advance-loop
setbsic
trx 0
power-ramp max-initial 0 mdBm
power-ramp step-size 2000 mdB
power-ramp step-interval 1
ms-power-control dsp
phy 0 instance 0
osmo-pcu.conf
!
! Osmo-PCU (0.2.915-241f5) configuration saved from vty
!!!
!
log stderr
logging filter all 1
logging color 1
logging print category 0
logging timestamp 0
logging level all everything
logging level csn1 info
logging level l1if info
logging level rlcmac notice
logging level rlcmacdata notice
logging level rlcmacdl notice
logging level rlcmacul notice
logging level rlcmacsched notice
logging level rlcmacmeas info
logging level ns info
logging level bssgp info
logging level pcu notice
logging level lglobal notice
logging level llapd notice
logging level linp notice
logging level lmux notice
logging level lmi notice
logging level lmib notice
logging level lsms notice
logging level lctrl notice
logging level lgtp notice
logging level lstats notice
logging level lgsup notice
logging level loap notice
logging level lss7 notice
logging level lsccp notice
logging level lsua notice
logging level lm3ua notice
!
stats interval 5
!
line vty
no login
!
pcu
flow-control-interval 10
cs 2
cs max 4
cs threshold 10 33
cs downgrade-threshold 200
cs link-quality-ranges cs1 6 cs2 5 8 cs3 7 13 cs4 12
mcs max 9
window-size 64 0
queue idle-ack-delay 10
queue codel
alloc-algorithm dynamic
alpha 0
gamma 0
dl-tbf-idle-time 2000