GSM Network using OpenBTS - IIT School of Applied · PDF [email protected] Project Report 1 GSM Network using OpenBTS Ramon Torres Gomez ... This picture represents a basic

OpenBTS Network Ramon Torres IIT

[email protected] Project Report 1

GSM Network using OpenBTS

Ramon Torres Gomez

A20314467

5/9/2014



Abstract

This paper describes how to create a small cellular GSM network using openBTS

software. This paper will explain what openBTS is and the other necessary elements used

for this project. It will explain the functionality of those elements and how they are

connected. This paper will also explain how to install openBTS and other open-software

programs like asterisk and how to configure them. An architecture of the GSM network

will be explained and compared with the architecture of the openBTS network. It will

also explain some other projects that can be done with openBTS. This paper doesn’t

explain in depth Asterisk or other openBTS configurations.



Table of Contents

Contents GSM Network using OpenBTS ............................................................................. 1 Abstract ................................................................................................................. 2 Table of Contents .................................................................................................. 3 Introduction ........................................................................................................... 4 GSM ...................................................................................................................... 4 OpenBTS…………………………………………………………………………………7 OpenBTS Network………………………………………………………………………8 Testing ................................................................................................................ 13 Future Projects……..………………………………………………………………….13 Conclusions…………………………………………………………………………….13 References…………………………………………………………………………….14 Appendices…………………………………………………………………………….14



Introduction GSM (Global System for Mobile Communications) is a 2G cellular network. It was a

network that provided a good voice service but it didn’t include data service. The

network that I am going to build will provide a similar functionality as a 2G network.

Even though the architecture of the openBTS network is very different from the GSM

network architecture will have elements with similar functionalities as the 2G network

elements. From my point of view, the openBTS network architecture has more

similarities with the 4G network because it is IP based.

The goal of this project is to create a small GSM network using open software. What I am

going to do is connecting 2 OpenBTS systems (2 base stations) and be able to call from

one base station to another using cellphones. Cellphones will be able to do mobility

(moving from one base station to another) and handover (while a call is taking place the

cell phone moves to another base station and the new base station has to manage the call).

GSM An explanation of GSM and how it works will help understand the way my project

works. GSM is a cellular network that provides a voice, SMS service and other additional

services like Emergency calls The GSM goal was to support services similar to PSTN

services and provide a digital air interface.

GSM Architecture

This picture represents a basic concept of the GSM architecture. As you can see the air

interface is composed by BTSs. Each BTS will represent a cell, which is their coverage

area. A group of BTS managed by a BSC represent a location area. Finally BSC’s are

managed by a MSC and this element will connect the GSM network to other networks

like the PSTN



Figure 1: GSM Architecture

Label all figures .g. Figure 1: <caption>

This picture represents a more detailed architecture of a GSM network. Besides ME, BTS

BSC and MSC it include the registers that the network requires: HLR, VLR, EIR and

AuC. As we can see the BTS and the BSC represent the Base Station System (BSS) and

the MSC and the registers represent the Core Network.

Figure 2: Detailed GSM Architecture



GSM Elements MS (Mobile System)

It is composed by the Mobile Equipment (ME) and the SIM card. There are some

important terms related to the mobile system that we need to know: IMEI, MSISDN,

IMSI and TMSI.

The IMEI (International Mobile Equipment Identity) is a number used to identify the

mobile equipment (ME), the terminal itself.

The MSISDN (Mobile Suscriber ISDN) is the MS phone number.

IMSI (International Mobile Suscriber Identity) is a number assigned to each MS by the

network so the network can identify all the MS.

TMSI (Temporary Mobile Suscriber Identity) has the same functionality as the IMSI but

TMSI is a temporal number that is changed periodically.

BTS (Base Station)

The BTS contains the radio components that provide the RF air interface. Its functions

are channel coding and decoding, rate adaptation, encryption, paging and uplink signal

measurement.

BSC (Base Station Controller)

The BSC controls groups of BTS and manages the radio channels. It manages control

messages from and to the MS. It also does encryption, paging, traffic measurement,

authentication, location update and manages handover.

MSC (Mobile Switching Center) Is the telephone switching office for MS. Provides a service to mobiles located within a

certain geographic coverage area. It is the interface to the BSS and to the PSTN. Controls

call set up, routing procedures, collects billing data, compiles traffic statistics and

controls the location registration and handover procedure.

HLR (Home Location Register)

Is a register that contains data subscribers data. It contains the IMSI of each MS,

authentication parameters, services that each MS is subscribed to and special routing

information. It also contains the current subscriber status, temporary roaming number and

the associated VLR.

AuC (Authentication Center)

This entity works together with the HLR to perform MS authentication. It handles all the

security associated with subscribers.

VLR (Visited Location Register)

This register has a function similar to HLR. It is a problem that the cellphone has to send

his IMSI every time it has to authenticate, so the network will assign to the MS a

temporary ID called TMSI. The TMSI is stored in the VLR. VLR controls MSRN

(Mobile Station Roaming Numbers) and handover when it is produced in the same MSC.

Typically there is one VLR per MSC.



EIR (Equipment Identity Register)

It consists on a centralized database for validating the IMEI. EIR contains lists of IMEIs

and classifies them in three ways: White List when IMEIs are valid, Black List when

IMEIS are invalid (stolen) or Grey List when IMEI are suspicious or have problems.

OpenBTS What is openBTS? OpenBTS (Open Based Transceiver Station) is a software based GSM access point

allowing standard GSM-compatible mobile phones to be used as SIP endpoints in Voice

over IP (VOIP) networks. It has the same functionality as the BTS of a GSM Network.

OpenBTS Architecture To understand how openBTS works we first have to have a look at the layers architecture

of GSM

Figure 3: Protocol Layers of GSM

We can see that BTS has 3 layers: TDMA, LAPDm and RR. It also has a layer 0 that

would be the physical layer (Radio Interface).

Layer 1 is TDMA (Time Division Multiplexing Access). TDMA is the procedure where

each physical channel (frequency) is divided into time-slots so users can share a

frequency using different time slots to communicate.

Layer 2 is LAPDm (Link Access Procedure on Dm Channel) which is a GSM version of

LAPD from ISDN.

Layer 3 is RR (Radio Resource) and manages the allocation, configuration and

connection of radio channels.

OpenBTS contains those 3 layers and for the physical layer (layer 0) we have to connect

a USRP to the OpenBTS. OpenBTS doesn’t have any connection with BSC and MSC.

http://en.wikipedia.org/wiki/Mobile_phone

http://en.wikipedia.org/wiki/Session_Initiation_Protocol

http://en.wikipedia.org/wiki/Voice_over_IP

http://en.wikipedia.org/wiki/Voice_over_IP



OpenBTS Network With an OpenBTS system we can connect cellphones to the network and make calls

between them but, how can we connect two openBTS systems and simulate a real GSM

network with all its components? How can we do mobility and handover? We need to

add elements that provide the functionality of a BSC, MSC and the core registers.

I found out 2 ways of creating this network. The first that I saw consisted on using

openBSC open-software. The second way came up on April 2014, when the OpenBTS

project launched OpenBTS version 4.0. This version allows you to connect two or more

OpenBTS systems using Asterisk and experience mobility and handover. With version

2.8 you can do mobility but not handover.

Using OpenBSC OpenBSC is the name of a software that emulates the BSC element of a GSM network. It

has been developed by Osmocom, which is not the same company that developed

OpenBTS. Connecting this element to OpenBTS will help emulate a real network.

Osmocom OpenBSC was designed to be connected to commercial BTSs and the idea is

to connect it to OpenBTS.

The problem of this method is that OpenBTS and OpenBSC are developed by different

companies so they are not compatible with each other and I will need to modify the

source code.

Figure 4: Protocol Layers for Open-source Network

As you can see in the picture we will need to combine openBTS with other BTS software

from Osmocom. The USRP will be at layer 0 and it will be connected to OpenBTS and to

OsmoUSRP at layer 1. OpenBTS will be located at layer 1 and 2 because the layer 3

functionality will be managed by OsmoBTS. OsmoBTS will be connected to OpenBSC

with any kind of problem because they were developed to work together.



Figure 5: Physical architecture 1

Using Asterisk With OpenBTS version 2.8 you can connect 2 OpenBTS systems using Asterisk. This

version allows you to make calls from different base stations and do mobility but not

handover. On April was released version 4.0 and with this version is possible to do

handover.

The architecture will be very simple. Asterisk will have the functionality of a BSC and

some of the registers like the HLR and the AuC. Asterisk will route the calls from one

base station to another and will transfer the call if the handover is produced.

Figure 6: Logical architecture:

Figure 7: Physical architecture 2



This is the provisional physical architecture of my project, still can be changes in the

second BTS. What we have now is Server 1 with openBTS and Asterisk installed and a

USRP. The second BTS can be built as it is described in the Server 2 or we can substitute

the Server 2 and the USRP with a RangeNetworks OpenBTS.

Figure 8: Physical Architecture 3

Testing We can test USRP air interface in some different ways

The first one is getting a Linux OS and install AirProbe. This program contains 3 main

subprojects: acquisition, demodulation and analysis.

Acquisition is responsible of receiving and digitalizing the air interface.

Demodulation module will translate the signal processed by acquisition into bits.

Analysis contains all the protocol parsing and decoding capabilities. We can use

wireshark to analyze the traces.



Here we can see some examples of ladder diagrams about signaling between a cellphone

and a base station:

Figure 8: Cell-phone authentication and TMSI allocation

Figure 9: Call origin Figure 10: SMS sent



Figure 11: SMS received

This is how the ladder diagram looks, now we are going to have a look on how are the

traces of some messages sent:

Figure 12: MM location updating request, at figure 8



Figure 13: RR paging request, at figure 11

Future Projects Besides creating a small network we can also connect a OpenBTS system to NG911. For

this purpose we can use Asterisk to route the calls from a cellphone to NG911 and we can

test the SIP messages using Wireshark. It would be interesting to compare the messages

from the cellphone using Airprobe and see the translation to SIP observing traces

captured by Wireshark. We will have to create an extension in Asterisk so every time a

cell phone dials that extension the call is routed to NG911.

Conclusions This semester I have been finding out the ways of doing this project and I think that I will

do it with Asterisk and using OpenBTS version 4.0. The other way to do this (Figure 5

Physical Architecture 1) is too complex because you need to modify the source code and

make OpenBTS and OpenBSC compatible and I think that is no longer necessary to use

OpenBSC having OpenBTS version 4.0.

Most of the information for doing this project is taken from the OpenBTS manual so I

think this project will be ready for July 25th

.



References http://openbsc.osmocom.org/trac/wiki/OpenBSC

http://wush.net/trac/rangepublic/wiki/WikiStart#HowdoIgetstarted

http://scholar.lib.vt.edu/theses/available/etd-05082012-

141540/unrestricted/Cooper_TA_T_2012.pdf

GSM information taken from course ITMO 542: Wireless Communications

http://www.wu.ece.ufl.edu/projects/wirelessVideo/project/GNU_Radio_USRP/how_to_te

st_USRP.html

http://ntnu.diva-portal.org/smash/get/diva2:355716/FULLTEXT01.pdf

Appendices OpenBTS Installation In a Ubuntu OS, introduce the following commands

This is for get the last version:

svn co http://wush.net/svn/range/software/public

The following command is for getting the necessary libraries

sudo apt-get install autoconf libtool libosip2-dev libortp-dev

libusb-1.0-0-dev g++ sqlite3 libsqlite3-dev erlang libreadline6-

dev libncurses5-dev

OpenBTS should, in principle, build and run on any Unix-like operating system,

including 64-bit. However, in practice, most of our development is done on Ubuntu 10 or 12.04 LTS systems, so these are best-supported.

Range Networks RAD1

Building for Range equipment is easiest, as it has no external dependencies. Just run

the following commands:

cd openbts/trunk

autoreconf -i

./configure

http://openbsc.osmocom.org/trac/wiki/OpenBSC

http://wush.net/trac/rangepublic/wiki/WikiStart#HowdoIgetstarted



make

With the build resolved, you'll need to build and link the transceiver appropriate for

your hardware. For a Range Networks basestation unit these links are

(from OpenBTS root)

cd apps

make

ln -s ../TransceiverRAD1/transceiver .

ln -s ../TransceiverRAD1/ezusb.ihx .

ln -s ../TransceiverRAD1/fpga.rbf .

Building OpenBTS

OpenBTS should, in principle, build and run on any Unix-like operating system,

including 64-bit. However, in practice, most of our development is done on Ubuntu 10 or 12.04 LTS systems, so these are best-supported.

Range Networks RAD1

Building for Range equipment is easiest, as it has no external dependencies. Just run

the following commands:

cd openbts/trunk

autoreconf -i

./configure

make

With the build resolved, you'll need to build and link the transceiver appropriate for

your hardware. For a Range Networks basestation unit these links are

(from OpenBTS root)



cd apps

make

ln -s ../TransceiverRAD1/transceiver .

ln -s ../TransceiverRAD1/ezusb.ihx .

ln -s ../TransceiverRAD1/fpga.rbf .

Documents

GSM Network using OpenBTS - IIT School of Applied · PDF [email protected] Project Report 1 GSM Network using OpenBTS Ramon Torres Gomez ... This picture represents a basic