Mobility Testbed Development (OpenBTS Testbed) and its Integration with VoIIT, WebRTC & NG-911 Testbeds
90/100
Sushma Sitaram A20137272 May 09, 2014 1
Table of Contents
1 Abstract ...... 2 2 Introduction ...... 3 3 Goals Of The Project ...... 3 4 Milestones Of The Project ...... 4 5 Infrastructure Needed...... 4 6 GSM Architecture ...... 5 7 Openbts Application Suite ...... 6 8 Logical Diagram ...... 7 9 Physical Diagram ...... 8 10 Execution Of The Project...... 9 10.1 Testbed Setup ...... 9 10.2 Initial Testing ...... 10 10.3 Openbts Configurations ...... 10 10.4 Asterisk Configurations ...... 11 10.5 Run Asterisk...... 11 10.6 Phone Settings & Network Access ...... 12 11 Challenges Faced ...... 12 12 Functionalities & Ladder Diagrams ...... 13 12.1 Authentication ...... 13 12.2 Location Update ...... 14 12.3 Call Control ...... 15 13 Tasks To Be Carried Out Next ...... 15 14 Conclusions ...... 16 REFERENCES ...... 17
CWID: A20137272 Project Report - Final [email protected] 2
1 Abstract
This project aims to develop a GSM testbed implemented using Range Network’s OpenBTS Development Kit and attempt its integration with other existing testbeds- VoIIT, WebRTC and NG-911, developed at the Real Time Communications (RTC) Lab. The integrated system would serve as an excellent testbed for conducting research and educational experiments.
In this report, the major milestones set for the project, the infrastructure needed for setting up the GSM testbed, steps followed to implement the designed testbed whilst closely following the project goals and the challenges faced during the implementation, would be discussed in detail. Along with listing out the future work, the possible solutions to existing limitations are also suggested. Also, upon successful completion of the integration of the various testbeds, the probable usage scenarios of the integrated testbed are also indicated.
CWID: A20137272 Project Report - Final [email protected] 3
2 Introduction
OpenBTS (Open Base Transceiver Station) is a software-based GSM access point, allowing standard GSM-compatible mobile phones to be used as SIP endpoints in Voice over IP (VOIP) networks [1]. OpenBTS is an open-source software developed and maintained by Range Networks [4]. The Range Networks’ OpenBTS Development Kit is used to build the GSM testbed. OpenBTS eliminates the need for complex and expensive GSM core components and replaces them with modern VoIP network components. IIT’s RTC Lab has a fully operational VoIP system called VoIIT. WebRTC APIs enables users to share information (video, voice, data) between web browsers, without installing any plug-in. IIT’s RTC Lab has developed a WebRTC testbed. Next Generation 911 (NG911) refers to an initiative aimed at updating the 911 service. In addition to calling 911 from a phone, it intends to enable the public to transmit text, images, video and data to the 911 center. IIT’s RTC Lab has developed a NG-911 testbed. The integration of the different testbeds is to be attempted. The integrated system will serve as an excellent testbed to carry out SIP and GSM performance evaluation lab experiments. It will also facilitate students of the VoIP and data networks class to better understand GSM and VoIP functionalities by conducting lab experiments.
3 Goals of the Project
The overall goal of the project is to build a testbed with the OpenBTS GSM base station and integrate it with other existing testbeds at IIT, viz. VoIIT, WebRTC and NG-911. The integrated system is to be used for testing and analyzing the behavior and performance of cellular networks & SIP.
The following activities are involved in the project:
. To study the feasibility of integrating OpenBTS testbed with VoIIT, NG-911, WebRTC testbeds. . To design a GSM testbed with the Range Networks’ OpenBTS Development Kit: 5150 series. . To configure and setup the GSM system to be able to make calls between mobile phones, between a softphone and mobile phone using the service provided by the OpenBTS network. . The accuracy and correct working of the testbed to be ensured by performing Location Update tests, mobile originated and mobile terminated calls. . To integrate the fully functional and tested OpenBTS testbed with existing VoIIT testbed. . To integrate the fully functional and tested OpenBTS testbed with existing NG-911 testbed. . To integrate the fully functional and tested OpenBTS testbed with existing WebRTC testbed.
CWID: A20137272 Project Report - Final [email protected] 4
. Connect phones to the OpenBTS GSM network and test the integrated system by placing calls and testing the handling, routing, behavior and performance of the calls between the GSM and SIP network interfaces. . To sniff the air interface using “AirProbe” software during different stages like: Location Update, Mobile Originated Call and Mobile Terminated Call. Observe the authentication procedure and also compare the messages captured at the air interface with those mentioned in the GSM specifications. . Another branch of this project would be to connect two such GSM base stations to a base station controller implemented using OpenBSC software.
4 Milestones of the Project
The project has been divided into several milestones which are as follows:
. Develop a low cost & easy to install private GSM network testbed using Range Networks’ OpenBTS Development Kit . Integrate the testbed with existing VoIIT, NG-911 and WebRTC testbeds . Connect 2 OpenBTS base stations to a Base Station Controller implemented using OpenBSC software . The integrated system would be used for research purposes, by conducting tests to study the behavior and performance of cellular networks & SIP . The integrated system would also be used for educational purposes, by students of the data networks and VoIP classes . Applications are both research and educational
5 Infrastructure Needed
The following are the infrastructure needed in executing this project:
. OpenBTS Application Suite A complete OpenBTS C2.8 installation comprises of several distinct applications [2]: 1. OpenBTS – The actual OpenBTS application, containing most of the GSM stack above the radio modem. 2. Transceiver – The software radio modem and hardware control interface. 3. Asterisk – The VoIP PBX or “softswitch”. 4. Smqueue – The RFC-3428 store-and-forward server for text messaging. 5. Subscriber Registry – A database of subscriber information that replaces both the Asterisk, SIP registry and the GSM Home Location Register (HLR). The subscriber registry servers usually form a hierarchy with the top-level server holding the full database and level-level servers caching recently accessed records [2]. . Unlocked GSM Handsets + SIM cards . Antenna: The Range Networks Development kit is connected to an antenna for transmission and reception of radio waves
CWID: A20137272 Project Report - Final [email protected] 5
. DC Power Supply: A 12V DC power supply is used to power up the base station. The power supply used is a 12V-15V variable power supply and caution must be taken to never exceed 12V! . Ethernet switches and cables for network connections . PC with Linux OS and Asterisk installed: A softphone (twinkle) installed on a separate PC running Asterisk, is interfaced to the OpenBTS development kit through an Ethernet interface. This is used to make calls from the softphone to the mobile phone and vice versa . Console: A console is hooked onto the OpenBTS development kit for changing the default settings initially
6 GSM Architecture
Figure 1: Traditional GSM Architecture
The traditional GSM architecture as shown in Figure 1 comprises of the following components:
. Mobile Station (MS): The MS consists of the physical equipment, such as the radio transceiver, display and digital signal processors, and the SIM card. It provides the air interface to the user in GSM networks [3]. . Base Station Subsystem (BSS): It consists of two parts . Base Transceiver Station (BTS): It houses the radio transceivers that define a cell and handles the radio link protocols with the MS. . Base Station Controller (BSC): It manages the radio resources for one or more BTSs. It handles radio channel setup, frequency hopping, and handovers. The BSC is the connection between the mobile and the MSC. . BTS and the BSC communicate across the specified Abis interface CWID: A20137272 Project Report - Final [email protected] 6
. Network Switching Subsystem (NSS): It consists of the following functional elements . Mobile Switching Center (MSC): performs the switching of calls between the mobile and other fixed or mobile network users, as well as the management of mobile services such as authentication . Authentication Center (AuC): It is a protected database that stores a copy of the secret key stored in each subscriber's SIM card, which is used for authentication and ciphering of the radio channel. . Home Location Register (HLR): It is a database used for storage and management of subscriptions. . Visitor Location Register (VLR): It is a database that contains temporary information about subscribers that is needed by the MSC in order to service visiting subscribers.
. Equipment Identity Register (EIR): It is a database that contains a list of all valid mobile equipment on the network. The International Mobile Equipment Identity (IMEI) identifies an MS [3]. . Gateway MSC (GMSC): It connects the MSC to the PSTN and other fixed and mobile networks.
7 OpenBTS Application Suite
Figure 2: OpenBTS Application Suite [2]
CWID: A20137272 Project Report - Final [email protected] 7
The OpenBTS Application Suite as seen from Figure 2 is composed of a Digital Radio hardware and a few softwares such as the Transceiver, OpenBTS, Subscriber Registry and Asterisk, which were introduced in section 5. The interconnections of each of the component in the OpenBTS application suite along with the protocols/ interfaces used are shown in full detail in Figure 2. The functionality of each of these components along with their role in creating a GSM network is discussed in detail in the next section.
8 Logical Diagram
Figure 3: OpenBTS Testbed Logical Architecture
From the logical architecture it could be observed that the OpenBTS testbed comprises of: . Mobile Station (MS): Traditional GSM handset along with a SIM card. No changes need to be made to the handset. Any unlocked handset with a standard GSM SIM card should work. . Range Networks OpenBTS Development Kit: The OpenBTS Development Kit comes with the OpenBTS Application Suite referred to in Figure 2 consisting of a Digital Radio hardware and a few softwares used to implement a GSM network Full-band digital radio hardware along with transceiver radio modem software and the OpenBTS software forms the Base Station Subsystem
CWID: A20137272 Project Report - Final [email protected] 8
Asterisk, an open source Private Branch Exchange (PBX) performs the role of a Mobile Switching Center (MSC), i,e. switches call between the mobile network and the SIP network Subscriber Registry, a database of subscriber information that replaces both the Asterisk, SIP registry and the GSM Home Location Register (HLR). The subscriber registry servers usually form a hierarchy with the top-level server holding the full database and level-level servers caching recently accessed records
9 Physical Diagram
Figure 4: OpenBTS Testbed Physical Architecture
In the physical architecture of the testbed shown in Figure 4, it could be seen that the OpenBTS Development Kit is connected to a 12V DC power supply. A console is hooked onto the Development Kit for initial setup. A PC running Ubuntu is connected to the OpenBTS through an Ethernet connection. The OpenBTS is accessed from the PC via SSH. Mobile Stations connect to the BSS via the Um radio interface. All the testbeds are to be interconnected via an Ethernet Switch.
CWID: A20137272 Project Report - Final [email protected] 9
10 Execution of the Project
The execution of the project closely follows the goals of the project listed in Section 3. Understanding the OpenBTS Development Kit components becomes the primary step. The manual provided by Range network serves as the only source of literature. A detailed study of the manual was done in the previous semester (Fall 2013) and is highly recommended for those working on the project in the future.
10.1 Testbed Setup
A test bed design was formulated as discussed in Sections 8 & 9.
A 12V DC power supply is required to power up the OpenBTS Development Kit. A power cable us used to connect the OpenBTS Development Kit to the power supply. The four leads on the power cable are color coded and must follow the color sequence White – Black – Green – Red, from left to right. The connections are shown in Figure 5. The power supply used is a 12V-15V variable DC power supply. The Voltage setting knob must be at the minimum value and caution must be taken as to not exceed the input voltage greater than 12V as it could blow off the hardware components.
Figure 5: 12V DC Power Supply
A console was connected to the OpenBTS Development Kit for initial setup. After turning on the DC power supply, a red light glows in the OpenBTS Development Kit. This must be followed by turning ON the OpenBTS Development Kit power knob. A green light in addition to the red light glows indicating the powering up of the device. The booting of the Operating System (Ubuntu 10.04) can be observed through the connected console. The OpenBTS Development Kit has the below login credentials: i. Username – openbts ii. Password – openbts
CWID: A20137272 Project Report - Final [email protected] 10
After logging in into the OpenBTS Application Suite, it was configured to bear the IP address of 10.200.180.21 with a subnet mask of 255.255.0.0. A separate computer was installed with Ubuntu 12.04 LTS Operating System. The latest version of Asterisk was installed and a softphone, Twinkle was installed and configured with the local Asterisk configurations. This computer was configured with the IP address of 10.200.180.22 with a subnet mask of 255.255.0.0. The computer was connected to the OpenBTS Development Kit through an Ethernet interface. The sip.conf and extensions.conf Asterisk configurations were modified to incorporate the entries of the softphone and the mobile phone. This completed the OpenBTS Testbed lab setup which is as shown below in Figure 6
Figure 6: OpenBTS Lab Setup
10.2 Initial Testing
The “ping” command was used to ping the OpenBTS. A successful “ping” operation ensured that the connectivity was correct. A remote connection to the OpenBTS through an external computer was made using the SSH protocol. Upon successful remote connection, the directory structure was visible with the “ls” command.
10.3 OpenBTS Configurations
OpenBTS C2.8 uses a set of sqlite3 database files to make its configuration and status information available to external applications. Parameters that control the OpenBTS Application are stored in a database table called the “Configuration Table”. The OpenBTS CLI “config” and “unconfig” commands are used to edit the configuration table in real time. Configuration changes from the CLI are written back to the OpenBTS.db database and are persistent. The CLI script is executed with the command: “./CLI”.
CWID: A20137272 Project Report - Final [email protected] 11
To set a configuration the “config” command is used with the below format was used: config
10.4 Asterisk Configurations
An entry of the phone number and the International Mobile Subscriber Identity (IMSI) has been made into the sip-buddies table. The database was located at: /var/lib/asterisk/sqlite3dir/sqlite3.db
An “insert” command was used to make an entry into the sip-buddies table. An “update” command was used to update/ modify any of the values. The sip.conf and extensions.conf found under: /etc/asterisk were edited to have entries for the softphone and the mobile phone.
10.5 Run Asterisk
The Asterisk CLI found at: /var/run/asterisk was run in verbose mode to view the messages interactions between the phone and the network.
After all the configuration changes were made, it is a required and important step to restart the OpenBTS.
CWID: A20137272 Project Report - Final [email protected] 12
10.6 Phone Settings & Network Access
An unlocked GSM phone, Samsung A777 was used for the experiment. SIM card was inserted into the SIM card slot of the phone. Upon power on, under settings/connectivity/select a network, the option must be changed from “automatic” to “manual”. The available networks are scanned using “Network Selection” option. Amongst a list of available network the OpenBTS network must come up as seen in Figure 7
Figure 7: Samsung A777 Phone listing the OpenBTS Network
Since Open Registration was enabled during the initial testing phase, when the ”select” button on the phone is clicked, the network must be selected, user authenticated and given access to the network.
However, in reality there were some difficulties faced which will be discussed in the following section.
11 Challenges Faced
Upon successfully modifying the OpenBTS and Asterisk configurations of the OpenBTS Development Kit, it was restarted. The mobile phone, Samsung A777 was powered on. Under the “Network Selection” option, the OpenBTS network lists as “Test1-1”. When the network was selected using the “Select” key, there was an error in the phone saying CWID: A20137272 Project Report - Final [email protected] 13
“Connection Failed”. Also, no log information was found in the Asterisk console running in verbose mode. As a troubleshooting step the air interface was sniffed with the AirProbe software. However, there were no packets detected, implying no activity between the mobile phone and the network.
It seemed like one/ all of the following possibilities were most likely the cause(s) for the OpenBTS to not function as expected:
. Handset could be locked and incompatible with all GSM networks . This possibility was eliminated, after a successful call was made using the same handset after it was connected to another network making use of the SDR device and OpenBTS setup provided to us by Martin O’Shield of WindyCitySDR. If the phone was locked to a provider, it shouldn’t have been able to get access to the other test network and make a phone call through it.
. Incorrect working of the OpenBTS Development Kit, which is not assigning a channel upon channel request by the handset, for signaling. This could be due to a faulty hardware or corrupt software. . This possibility wasn’t ruled out even after several tests carried out under Mr. Martin’s guidance . This seems like the most logical explanation to why the phone is not getting access to the OpenBTS Network. . If the reason is due to corrupt software, it may be an indication that we need to get an upgrade of the OpenBTS software to OpenBTS 4.0
12 Functionalities & Ladder Diagrams
A few GSM functionalities have been discussed along with their ladder diagrams. These functionalities will be implemented and tested for, once the initial set up of the OpenBTS Network under Open Registration is successful.
12.1 Authentication The authentication procedure in OpenBTS is exactly the same as in traditional GSM networks. The only change being that the OpenBTS now replaces BSS and Registry replaces MSC + AuC + HLR
The ladder diagram is as shown in Figure 8
CWID: A20137272 Project Report - Final [email protected] 14
Figure 8: Authentication in OpenBTS
12.2 Location Update Location update is mapped to SIP REGISTER request. This is as shown below in Figure 9.
Figure 9: Location Update [2]
The OpenBTS receives the location update request. It maps it to a SIP REGISTER message and forwards the request to the Registry which plays the functionality of a registrar and a database. Just like the Location Update request triggers a SIP REGISTER request, a 200 OK response triggers a Location Update Accept response.
CWID: A20137272 Project Report - Final [email protected] 15
12.3 Call Control
The mobile originated and terminated call flow are as shown below in Figure 10. The call set up request is mapped to a SIP INVITE request. In a mobile terminated call scenario, the SIP switch forwards the incoming SIP INVITE request to the OpenBTS. OpenBTS translates this INVITE request to a call set up request initiated by PAGING request. Once the connection is confirmed, the CONNECT message is translated to a 200 OK response to the requesting SIP switch. The OpenBTS also issues a CONNECT ACK to the MS. The call flow between the SIP switch and the OpenBTS would be RTP and between the OpenBTS and the MS, it would be GSM traffic. This is how a GSM call is handled as a SIP call by the VoIP network. A similar set of message mapping happens in the case of a mobile originated call too.
Figure 10: Call Control [2]
13 Tasks to be Carried out Next
Once the problems in the OpenBTS Development Kit have been identified and rectified, the steps defined in section 10.05 and 10.06 have to be carried out under Open Registration to ascertain that the Development Kit passes the initial test. This should provide a successful network connection, meaning, network access given to the phone and showing the OpenBTS cellular signal strength on the status bar of the phone.
Disable Open Registration functionality as discussed in section 10.03. Update the Asterisk tables and configuration files with the correct value of the IMSI. It has been found out that the IMSI of the “Porta SIM” used for the experiments is:
CWID: A20137272 Project Report - Final [email protected] 16
310260549200145. This information needs to be updated in all the places discussed in sections 10.04. Restart OpenBTS and repeat the procedure discussed in section 10.06.
If all the information entered is correct, the mobile station (handset + SIM card) must be authenticated and given access. Location update tests mentioned in the OpenBTS manual [2] could be performed. Also Mobile Originated and Mobile Terminated calls, calls between 2 mobile phones, a softphone and a mobile phone, will make sure that the OpenBTS testbed is working as intended.
This will open the gate to the next major milestone of integrating OpenBTS testbed with the VoIIT, WebRTC and NG-911 testbeds. Also a similar setup could be replicated, giving two GSM base station setups, which could then be connected to a base station controller, implemented using OpenBSC software.
Also, a programmable SIM card kit, “Super SIM” which was purchased, needs to be programmed with an IMSI, phone number and other details of choice through the “SIM- MAX” software. This software runs on Windows. More details could be obtained at [5]. This software could also be used to obtain the IMSI of other SIM cards plugged into an adapter provided, then connecting the adapter to the Windows computer though an USB interface and running the software.
14 Conclusions
Though the OpenBTS testbed was successfully designed and implemented, it appears that not having the OpenBTS Development Kit work as intended and as claimed by the OpenBTS manual, being a major bottleneck. This is preventing further development work on the testbed and implementing the integration with other testbeds. Hopefully, with the OpenBTS Development Kit being rectified, it will clear the way to all the planned and proposed milestones of this project and make the integration of all the four testbeds a reality!
CWID: A20137272 Project Report - Final [email protected] 17
REFERENCES
[1] http://en.wikipedia.org/wiki/OpenBTS
[2] Range Networks, “5150 Series: GSM/ SIP Access Points - Specifications, Installation & Operation”, Doc. Rev. 4
[3] http://www.tutorialspoint.com/gsm/gsm_architecture.htm
[4] http://openbts.org
[5] http://www.nowgsm.com/supersim.htm
CWID: A20137272 Project Report - Final [email protected]