osmo-gmr: Intro to receiving GMR-1 satphonesfiles.meetup.com/18094742/osmo_gmr_cyberspectrum_… · · 2016-09-22osmo-gmr: Intro to receiving GMR-1 satphones Sylvain Munaut CyberSpectrum,

Introduction GMR-1 GMR-1 Reception Final words

osmo-gmr: Intro to receiving GMR-1 satphones

Sylvain Munaut

CyberSpectrum, September, 2016

Sylvain Munaut osmo-gmr: Intro to receiving GMR-1 satphones


Introduction



Outline

1 Introduction

2 GMR-1

3 GMR-1 Reception

4 Final words



About the speaker

Linux and free software ”geek” since 1999

M.Sc. in C.S. + some E.E.

General orientation towards low level

Embedded, Kernel, Drivers and suchHardware (Digital stuff, FPGA or RF)

Interest in various telecom and SDR projects for several years

Osmocom projects (OpenBSC, Osmocom-BB, ...)Gnuradio stuff (fosphor, gr-iqbal, #528, ...)

In my spare time



What is GMR ?

”GEO-Mobile Radio Interface”(GEO stands for Geostationary Earth Orbit)

ETSI standard for satellite phones

Heavily based on GSM

Multiple standards :GMR-1 (ETSI TS 101 376)

GMR-1 (the one described in this talk)GmPRSGMR-1 3G

GMR-2 (ETSI TS 101 377)



Deployment

GMR-1Thuraya

Thuraya 2 (44E) and Thuraya 3 (98.5E)Main focus of our attention so far

MexSat

New !Visible from the US

Potential others :

EchoStar Mobile, SkyTerra, TerreStar, ICO

(Inmarsat R-BGAN)

GMR-2

Inmarsat ”IsatPhone”ACes



Comparison to GSMFeatures

New names

BTS → GTS, BSC → GSC, BSS → GSS, ...MS → MES(-MS)

New Specialized features

Terminal-to-Terminal callsHigh Penetration Alerting (HPA)

Tight links to GPS

Almanac and Ephemeris sent by the satellitePosition reported in RACH (Channel Request)

New speech codec: AMBE

”New” cipher



Comparison to GSMProtocol Stack

Layer 0/1: Completely different

Different bursts and TDMA multiplex / multi-frameDifferent modulationMore channels types

Layer 2: LAPSat vs LAPDm

Both simplified version of LAPDShorter headerk=16 window size for outstanding unacknowledged segments

Layer 3:

RR differentMM/CM common

Same core network

Packet Data:

RLC/MAC differentLLC and above common/shared



GMR-1



Physical layerFrequencies

Spot beam coverageL-band

Downlink: 1525 to 1560 MHzUplink: 1626.5 to 1660.5 MHzDivided in 1087 ARFCN (channel pairs) of 31.250 kHzLHCP (Thuraya / MexSat)

S-band

Downlink: 2170 to 2200 MHzUplink: 1980 to 2020 MHz960 / 1280 carriers of 31.250 kHz used independently in DL/UL

Feeder Links

C-band (DL: 3.400 to 4.200 GHz / UL: 5.850 to 6.725 GHz)Ku-band (12 to 18 GHz)No specifications



Physical layerTDMA

Fully synchronous

Base symbol rate: 23.4k

Bursts occupy several consecutive timeslots (2, 3, 6, 9)



Physical layerFCCH: ”X” marks the spot (beam)

Dual Chirp waveform over 3 timeslots

Synchronization steps

1 Rough position by correlating with reference dual chirp2 FFT peak of window multiplied by reference up-chirp → f13 FFT peak of window multiplied by reference down-chirp → f24 Derive time alignement error from f1 − f25 Derive frequency error from f1 + f2

Two variants:

FCCH: GMR-1FCCH3: GMR1 3G



Physical layerNormal Bursts

π/4-CQPSK

BCCH, DC2, DC6,NT3, NT6, NT9,RACH

π/4-CBPSK

DC12 (GMR-1 3G)

π/4-CBPSK

FACCH3 andSDCCH



Physical layerOther Bursts

Other modulations used

6-PSK for BACH (HPA)π/4-DBPSK for DKAB

GmPRS and GMR-1 3G packet channels (PNB):

New modulations: π/2-CBPSK, 16-APSK, 32-APSKNew symbol rates: 1x, 2x, 4x, 5x

6-PSK π/2-CBPSK 16-APSK 32-APSK



Physical layerWhat it looks like



GMR-1 Reception



ReceptionAntenna

Lots of options

Requirements:

Centered around 1.54 GHzPreferably directional (good gain)LHCP for Thuraya & MexSat

Tested so far:

Offset DishHelical AntennaBiquadPatch



ReceptionFilter / LNA

Both optional

But can help a lot

Low Noise Amplifier:

Helps with fainter beamsLNA-23-BP from dg0ve, modified GPS LNA, LNA4ALL, ...

Filter:

Prevents out-of-band signals from saturating reception chainCustom made L-band cavity filterSAW filter from phone



ReceptionCapture hardware

Off-the-air capture tool using gr-osmosdr

Supports many radio hardware

USRP, BladeRF, HackRF, rtl-sdr, ...

Requirements:Higher bandwidth is better

Narrow channels (32 kHz)but need to hop around for traffic channels

Tuning to the appropriate frequency range

Can be an issue for some R820T tuner based radios

GNURadio support

Although you could use FIFO with file source tooor do your own channelization



Osmocom GMRArchitecture

FIFO

FIFO

FIFO

...

SDR Channelization

gmr1_rx_lband.py

PacketDemodulation

Decoding

gmr1_rx_live

Wiresharkgsmtap



Osmocom GMRAcquisition / Channelization

utils/gmr1 rx lband.py

Based on GNURadio

Simultaneous synchronized captures of several ARFCN

Channelizing and resampling

Topology selected based on # of ARFCNs

Freq-xlating FIR filtersPFB

File output

Use mkfifo to feed live



Osmocom GMRPacket demodulation & decoding

Use sylvain/live or sylvain/gmr-1-3g branches

Will be merged in master at some pointBut I still do git push -f to it ATM

Contains a whole library of primitives

Burst DSP: libosmo-dspGMR-1 sync & modem: src/sdr/*

GMR-1 channel coding: src/l1/*

GMR-1 codec: src/codec/*

And ”demo” apps:

gmr1 rx / gmr1 rx live

gmr1 ambe decode



Osmocom GMRPacket parsing

wireshark FTW !

GSMTap extended with GMR-1 support

Current state:

LAPSat dissection: completeBCCH dissection: partial (CSN-1 is annoying)CCCH dissection: All messages seen so farRR dissection: All messages seen so farCM/MM forwarded to GSM dissectorSome unknown / undocumented messages



A word about C-band

...



Final words



Resources

OsmocomGMR: http://gmr.osmocom.org/

Specs

GMR1 Specs: http://pda.etsi.org/pda/queryform.asp

GSM Specs: http://webapp.etsi.org/key/queryform.asp

28C3 talk: ”Introducing Osmo-GMR”

Intro talkhttps://events.ccc.de/congress/2011/Fahrplan/events/4688.en.html

https://media.ccc.de/v/28c3-4688-en-introducing_osmo_gmr

31C3 talk: ”osmo-gmr: What’s up with sat-phones ?”

Details about voice codec and crypto breakhttps://events.ccc.de/congress/2014/Fahrplan/events/6267.html

https://media.ccc.de/v/31c3_-_6267_-_en_-_saal_g_-_201412271600_-_

osmo-gmr_what_s_up_with_sat-phones_-_sylvain_munaut


http://gmr.osmocom.org/

http://pda.etsi.org/pda/queryform.asp

http://webapp.etsi.org/key/queryform.asp

https://events.ccc.de/congress/2011/Fahrplan/events/4688.en.html

https://media.ccc.de/v/28c3-4688-en-introducing_osmo_gmr

https://events.ccc.de/congress/2014/Fahrplan/events/6267.html

https://media.ccc.de/v/31c3_-_6267_-_en_-_saal_g_-_201412271600_-_osmo-gmr_what_s_up_with_sat-phones_-_sylvain_munaut

https://media.ccc.de/v/31c3_-_6267_-_en_-_saal_g_-_201412271600_-_osmo-gmr_what_s_up_with_sat-phones_-_sylvain_munaut


Thanks

Dimitri ”horizon” Stolnikov

”trango” / @usa satcom

Nate ”mybit” Temple


Documents

osmo-gmr: Intro to receiving GMR-1 satphonesfiles.meetup.com/18094742/osmo_gmr_cyberspectrum_… · · 2016-09-22osmo-gmr: Intro to receiving GMR-1 satphones Sylvain Munaut CyberSpectrum,