OpenBTS Network Ramon Torres IIT

GSM Network using OpenBTS

Ramon Torres Gomez A20314467 5/9/2014

[email protected] Project Report 1 OpenBTS Network Ramon Torres IIT

Abstract

This paper describes how to create a small cellular GSM network using openBTS software. This paper will explain what openBTS is and the other necessary elements used for this project. It will explain the functionality of those elements and how they are connected. This paper will also explain how to install openBTS and other open-software programs like and how to configure them. An architecture of the GSM network will be explained and compared with the architecture of the openBTS network. It will also explain some other projects that can be done with openBTS. This paper doesn’t explain in depth Asterisk or other openBTS configurations.


Table of Contents

GSM Network using OpenBTS
Abstract
Table of Contents
Introduction
GSM
OpenBTS
OpenBTS Network
Testing
Future Projects
Conclusions
References
Appendices


Introduction

GSM (Global System for Mobile Communications) is a 2G . It was a network that provided a good voice service but it didn’t include data service. The network that I am going to build will provide functionality similar to a 2G network. Even though the architecture of the openBTS network is very different from the GSM network architecture, it will have elements with functionality similar to the 2G network elements. From my point of view, the openBTS network architecture has more similarities with the 4G network because it is IP based. The goal of this project is to create a small GSM network using open software. I am going to connect 2 OpenBTS systems (2 base stations) and be able to call from one to the other using cellphones. Cellphones will be able to do mobility (moving from one base station to another) and handover (while a call is taking place, the cell phone moves to another base station and the new base station has to manage the call).

GSM

An explanation of GSM and how it works will help to understand the way my project works. GSM is a cellular network that provides voice and SMS services and other additional services like emergency calls. The goal of GSM was to support services similar to PSTN services and provide a digital air interface.

GSM Architecture

This picture represents the basic concept of the GSM architecture. As you can see, the air interface is composed of BTSs. Each BTS represents a cell, which is its coverage area. A group of BTSs managed by a BSC represents a location area. Finally, BSCs are managed by an MSC, and this element connects the GSM network to other networks like the PSTN.


Figure 1: GSM Architecture


This picture represents a more detailed architecture of a GSM network. Besides the ME, BTS, BSC and MSC, it includes the registers that the network requires: HLR, VLR, EIR and AuC. As we can see, the BTS and the BSC represent the Base Station System (BSS), and the MSC and the registers represent the Core Network.

Figure 2: Detailed GSM Architecture


GSM Elements

MS (Mobile System)

It is composed of the Mobile Equipment (ME) and the SIM card. There are some important terms related to the mobile system that we need to know: IMEI, MSISDN, IMSI and TMSI. The IMEI (International Mobile Equipment Identity) is a number used to identify the mobile equipment (ME), the terminal itself. The MSISDN (Mobile Subscriber ISDN) is the MS phone number. The IMSI (International Mobile Subscriber Identity) is a number assigned to each MS by the network so the network can identify all the MSs. The TMSI (Temporary Mobile Subscriber Identity) has the same functionality as the IMSI, but the TMSI is a temporary number that is changed periodically.

BTS (Base Station)

The BTS contains the radio components that provide the RF air interface. Its functions are channel coding and decoding, rate adaptation, encryption, paging and uplink signal measurement.

BSC (Base Station Controller)

The BSC controls groups of BTSs and manages the radio channels. It manages control messages from and to the MS. It also does encryption, paging, traffic measurement, authentication, location update and manages handover.

MSC (Mobile Switching Center)

It is the telephone switching office for the MS. It provides service to mobiles located within a certain geographic coverage area. It is the interface to the BSS and to the PSTN. It controls call setup and routing procedures, collects billing data, compiles traffic statistics and controls the location registration and handover procedures.

HLR (Home Location Register)

It is a register that contains subscriber data. It contains the IMSI of each MS, authentication parameters, the services that each MS is subscribed to and special routing information. It also contains the current subscriber status, the temporary roaming number and the associated VLR.

AuC (Authentication Center)

This entity works together with the HLR to perform MS authentication. It handles all the security associated with subscribers.

VLR (Visited Location Register)

This register has a function similar to the HLR. It is a problem that the cellphone has to send its IMSI every time it has to authenticate, so the network will assign to the MS a temporary ID called TMSI. The TMSI is stored in the VLR. The VLR controls MSRNs (Mobile Station Roaming Numbers) and handover when it takes place within the same MSC. Typically there is one VLR per MSC.


EIR (Equipment Identity Register)

It consists of a centralized database for validating the IMEI. The EIR contains lists of IMEIs and classifies them in three ways: White List when IMEIs are valid, Black List when IMEIs are invalid (stolen) or Grey List when IMEIs are suspicious or have problems.

OpenBTS

What is openBTS?

OpenBTS (Open Based Station) is a software-based GSM access point that allows standard GSM-compatible mobile phones to be used as SIP endpoints in Voice over IP (VoIP) networks. It has the same functionality as the BTS of a GSM network.

OpenBTS Architecture

To understand how openBTS works, we first have to look at the layer architecture of GSM.

Figure 3: Protocol Layers of GSM

We can see that the BTS has 3 layers: TDMA, LAPDm and RR. It also has a layer 0, which is the physical layer (Radio Interface). Layer 1 is TDMA (Time Division Multiple Access). TDMA is the procedure where each physical channel (frequency) is divided into time slots so users can share a frequency, using different time slots to communicate. Layer 2 is LAPDm (Link Access Procedure on Dm Channel), which is a GSM version of LAPD from ISDN. Layer 3 is RR (Radio Resource) and manages the allocation, configuration and connection of radio channels. OpenBTS contains those 3 layers, and for the physical layer (layer 0) we have to connect a USRP to the OpenBTS. OpenBTS doesn’t have any connection with a BSC or MSC.


OpenBTS Network

With an OpenBTS system we can connect cellphones to the network and make calls between them but, how can we connect two openBTS systems and simulate a real GSM network with all its components? How can we do mobility and handover? We need to add elements that provide the functionality of a BSC, MSC and the core registers.

I found 2 ways of creating this network. The first that I saw consisted of using the openBSC open-source software. The second way came up in April 2014, when the OpenBTS project launched OpenBTS version 4.0. This version allows you to connect two or more OpenBTS systems using Asterisk and experience mobility and handover. With version 2.8 you can do mobility but not handover.

Using OpenBSC

OpenBSC is software that emulates the BSC element of a GSM network. It has been developed by , which is not the same company that developed OpenBTS. Connecting this element to OpenBTS will help emulate a real network. Osmocom OpenBSC was designed to be connected to commercial BTSs, and the idea is to connect it to OpenBTS. The problem with this method is that OpenBTS and OpenBSC are developed by different companies, so they are not compatible with each other and I will need to modify the source code.

Figure 4: Protocol Layers for Open-source Network

As you can see in the picture, we will need to combine openBTS with other BTS software from Osmocom. The USRP will be at layer 0 and it will be connected to OpenBTS and to OsmoUSRP at layer 1. OpenBTS will be located at layers 1 and 2 because the layer 3 functionality will be managed by OsmoBTS. OsmoBTS will be connected to OpenBSC without any kind of problem because they were developed to work together.


Figure 5: Physical architecture 1

Using Asterisk

With OpenBTS version 2.8 you can connect 2 OpenBTS systems using Asterisk. This version allows you to make calls from different base stations and do mobility but not handover. Version 4.0 was released in April, and with this version it is possible to do handover. The architecture will be very simple. Asterisk will have the functionality of a BSC and some of the registers like the HLR and the AuC. Asterisk will route the calls from one base station to another and will transfer the call if a handover occurs.

Figure 6: Logical architecture

Figure 7: Physical architecture 2

This is the provisional physical architecture of my project; there can still be changes in the second BTS. What we have now is Server 1 with openBTS and Asterisk installed and a USRP. The second BTS can be built as described for Server 2, or we can substitute Server 2 and the USRP with a RangeNetworks OpenBTS.

Figure 8: Physical Architecture 3

Testing

We can test the USRP air interface in several different ways. The first one is to get a Linux OS and install AirProbe. This program contains 3 main subprojects: acquisition, demodulation and analysis. Acquisition is responsible for receiving and digitizing the air interface. The demodulation module translates the signal processed by acquisition into bits. Analysis contains all the protocol parsing and decoding capabilities. We can use Wireshark to analyze the traces.

Here we can see some examples of ladder diagrams of the signaling between a cellphone and a base station:

Figure 8: Cell-phone authentication and TMSI allocation

Figure 9: Call origin

Figure 10: SMS sent


Figure 11: SMS received

This is how the ladder diagrams look. Now we are going to look at the traces of some of the messages sent:

Figure 12: MM location updating request, at figure 8


Figure 13: RR paging request, at figure 11
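The location updating request and paging request traces referenced above carry a Mobile Identity field, which holds either the permanent IMSI or IMEI or the temporary TMSI described in the GSM Elements section. The following is an added example, not part of the original report: a decoder for that field following the encoding in 3GPP TS 24.008, used to list which captured messages expose a permanent identity. The function names and the sample bytes are constructed for illustration.

```python
# Added example (not from the report): decode the GSM Mobile Identity value
# (3GPP TS 24.008, 10.5.1.4) and list messages that expose a permanent identity.
ID_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}
PERMANENT = {"IMSI", "IMEI", "IMEISV"}  # identify the subscriber or the handset

def decode_mobile_identity(value: bytes):
    """Decode the value part of the field (no IEI/length) to (type, identity)."""
    if not value:
        raise ValueError("empty mobile identity")
    id_type = ID_TYPES.get(value[0] & 0x07)   # bits 1-3: type of identity
    if id_type is None:
        raise ValueError("unsupported identity type")
    if id_type == "TMSI":
        # Header octet followed by the 4-octet binary TMSI.
        if len(value) != 5:
            raise ValueError("TMSI must be 4 octets")
        return id_type, value[1:].hex()
    odd = bool(value[0] & 0x08)               # bit 4: odd/even digit count
    digits = [value[0] >> 4]                  # first digit: high nibble of octet 1
    for octet in value[1:]:
        digits += [octet & 0x0F, octet >> 4]  # BCD, low nibble first
    if not odd:
        digits.pop()                          # even count: last nibble is 0xF filler
    if any(d > 9 for d in digits):
        raise ValueError("non-decimal digit in identity")
    return id_type, "".join(map(str, digits))

def exposure_report(captures):
    """Return (message, type, identity) for each message carrying IMSI/IMEI."""
    exposed = []
    for message, raw in captures:
        id_type, identity = decode_mobile_identity(raw)
        if id_type in PERMANENT:
            exposed.append((message, id_type, identity))
    return exposed

# Constructed sample: identity fields as they would appear in decoded traces.
SAMPLE = [
    ("Location Updating Request (first attach)", bytes.fromhex("0910101032547698")),
    ("Location Updating Request (after TMSI allocation)", bytes.fromhex("f4a1b2c3d4")),
    ("Paging Request", bytes.fromhex("f4a1b2c3d4")),
    ("Identity Response", bytes.fromhex("3a05000000000010")),
]

if __name__ == "__main__":
    for row in exposure_report(SAMPLE):
        print(row)
```

On a test network, a report that keeps listing IMSI entries after the first attach indicates that TMSI allocation is not taking effect.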

Future Projects

Besides creating a small network, we can also connect an OpenBTS system to NG911. For this purpose we can use Asterisk to route the calls from a cellphone to NG911, and we can test the SIP messages using Wireshark. It would be interesting to compare the messages from the cellphone captured with AirProbe with their translation to SIP, as seen in traces captured by Wireshark. We will have to create an extension in Asterisk so that every time a cell phone dials that extension the call is routed to NG911.

Conclusions

This semester I have been finding out the ways of doing this project, and I think that I will do it with Asterisk and OpenBTS version 4.0. The other way to do this (Figure 5: Physical architecture 1) is too complex because you need to modify the source code and make OpenBTS and OpenBSC compatible, and I think that it is no longer necessary to use OpenBSC now that OpenBTS version 4.0 exists. Most of the information for doing this project is taken from the OpenBTS manual, so I think this project will be ready by July 25th.


References

http://openbsc.osmocom.org/trac/wiki/OpenBSC
http://wush.net/trac/rangepublic/wiki/WikiStart#HowdoIgetstarted
http://scholar.lib.vt.edu/theses/available/etd-05082012-141540/unrestricted/Cooper_TA_T_2012.pdf
GSM information taken from course ITMO 542: Communications
http://www.wu.ece.ufl.edu/projects/wirelessVideo/project/GNU_Radio_USRP/how_to_test_USRP.html
http://ntnu.diva-portal.org/smash/get/diva2:355716/FULLTEXT01.pdf

Appendices

OpenBTS Installation

On an Ubuntu system, enter the following commands. This one gets the latest version:

svn co http://wush.net/svn/range/software/public

The following command gets the necessary libraries:

sudo apt-get install autoconf libtool libosip2-dev libortp-dev libusb-1.0-0-dev g++ sqlite3 libsqlite3-dev erlang libreadline6-dev libncurses5-dev


Building OpenBTS

OpenBTS should, in principle, build and run on any Unix-like operating system, including 64-bit. However, in practice, most of our development is done on Ubuntu 10 or 12.04 LTS systems, so these are best-supported.

Range Networks RAD1

Building for Range equipment is easiest, as it has no external dependencies. Just run the following commands:

cd openbts/trunk

autoreconf -i

./configure

make

With the build resolved, you'll need to build and link the transceiver appropriate for your hardware. For a Range Networks basestation unit these links are

(from OpenBTS root)


cd apps

make

ln -s ../TransceiverRAD1/transceiver .

ln -s ../TransceiverRAD1/ezusb.ihx .

ln -s ../TransceiverRAD1/fpga.rbf .
