Harald Welte52b1f982008-12-23 20:25:15 +00001/* A hackish minimal BSC (+MSC +HLR) implementation */
2
3/* (C) 2008 by Harald Welte <laforge@gnumonks.org>
4 * All Rights Reserved
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19 *
20 */
21
Harald Weltef6b7a902008-12-26 00:05:11 +000022#include <unistd.h>
23#include <stdlib.h>
24#include <stdio.h>
25#include <stdarg.h>
26#include <time.h>
27#include <string.h>
Harald Weltead384642008-12-26 10:20:07 +000028#include <errno.h>
Harald Welte52b1f982008-12-23 20:25:15 +000029
Holger Freytherb332f612008-12-27 12:46:51 +000030#define _GNU_SOURCE
31#include <getopt.h>
32
Harald Welte255539c2008-12-28 02:26:27 +000033#include <openbsc/db.h>
34#include <openbsc/timer.h>
Harald Welte8470bf22008-12-25 23:28:35 +000035#include <openbsc/gsm_data.h>
Harald Welte255539c2008-12-28 02:26:27 +000036#include <openbsc/gsm_04_08.h>
Harald Weltead384642008-12-26 10:20:07 +000037#include <openbsc/select.h>
Harald Welte8470bf22008-12-25 23:28:35 +000038#include <openbsc/abis_rsl.h>
39#include <openbsc/abis_nm.h>
Harald Welte702d8702008-12-26 20:25:35 +000040#include <openbsc/debug.h>
Holger Freyther5677ae32008-12-27 09:41:03 +000041#include <openbsc/misdn.h>
Harald Welte52b1f982008-12-23 20:25:15 +000042
/* global pointer to the gsm network data structure; assigned by
 * bootstrap_network() and dereferenced by pag_timer_cb() */
static struct gsm_network *gsmnet;

/* MCC and MNC for the Location Area Identifier. Both default to 1 and are
 * overwritten from the command line by handle_options(); the values are
 * passed to gsm_network_init() in bootstrap_network(). */
static int MCC = 1;
static int MNC = 1;
/* database name handed to db_init() in main(); replaced when the
 * "database" option is given */
static const char *database_name = "hlr.sqlite3";
Holger Freytherefde7fb2008-12-28 14:14:56 +000050
51
Harald Welte52b1f982008-12-23 20:25:15 +000052/* The following definitions are for OM and NM packets that we cannot yet
53 * generate by code but we just pass on */
54
55// BTS Site Manager, SET ATTRIBUTES
56
57/*
58 Object Class: BTS Site Manager
59 Instance 1: FF
60 Instance 2: FF
61 Instance 3: FF
62SET ATTRIBUTES
63 sAbisExternalTime: 2007/09/08 14:36:11
64 omLAPDRelTimer: 30sec
65 shortLAPDIntTimer: 5sec
66 emergencyTimer1: 10 minutes
67 emergencyTimer2: 0 minutes
68*/
69
/* Raw OM/NM packet "BTS Site Manager, SET ATTRIBUTES". bootstrap_om() hands
 * it unmodified to abis_nm_raw_msg().
 * NOTE(review): neither static nor const, although the visible code only
 * reads it from this file - confirm nothing else links against it. */
unsigned char msg_1[] =
{
	0xD0, 0x00, 0xFF, 0xFF, 0xFF, 0x91, 0x07, 0xD7, 0x09, 0x08, 0x0E, 0x24,
	0x0B, 0xCE, 0x02, 0x00, 0x1E, 0xE8, 0x01, 0x05, 0x42, 0x02, 0x00, 0x0A, 0x44,
	0x02, 0x00, 0x00
};
76
77// BTS, SET BTS ATTRIBUTES
78
79/*
80 Object Class: BTS
81 BTS relat. Number: 0
82 Instance 2: FF
83 Instance 3: FF
84SET BTS ATTRIBUTES
85 bsIdentityCode / BSIC:
86 PLMN_colour_code: 7h
87 BS_colour_code: 7h
88 BTS Air Timer T3105: 4 ,unit 10 ms
89 btsIsHopping: FALSE
90 periodCCCHLoadIndication: 255sec
91 thresholdCCCHLoadIndication: 100%
92 cellAllocationNumber: 00h = GSM 900
93 enableInterferenceClass: 00h = Disabled
94 fACCHQual: 6 (FACCH stealing flags minus 1)
95 intaveParameter: 31 SACCH multiframes
96 interferenceLevelBoundaries:
97 Interference Boundary 1: 0Ah
98 Interference Boundary 2: 0Fh
99 Interference Boundary 3: 14h
100 Interference Boundary 4: 19h
101 Interference Boundary 5: 1Eh
102 mSTxPwrMax: 11
103 GSM range: 2=39dBm, 15=13dBm, stepsize 2 dBm
104 DCS1800 range: 0=30dBm, 15=0dBm, stepsize 2 dBm
105 PCS1900 range: 0=30dBm, 15=0dBm, stepsize 2 dBm
106 30=33dBm, 31=32dBm
107 ny1:
108 Maximum number of repetitions for PHYSICAL INFORMATION message (GSM 04.08): 20
109 powerOutputThresholds:
110 Out Power Fault Threshold: -10 dB
111 Red Out Power Threshold: - 6 dB
112 Excessive Out Power Threshold: 5 dB
113 rACHBusyThreshold: -127 dBm
114 rACHLoadAveragingSlots: 250 ,number of RACH burst periods
115 rfResourceIndicationPeriod: 125 SACCH multiframes
116 T200:
117 SDCCH: 044 in 5 ms
118 FACCH/Full rate: 031 in 5 ms
119 FACCH/Half rate: 041 in 5 ms
120 SACCH with TCH SAPI0: 090 in 10 ms
121 SACCH with SDCCH: 090 in 10 ms
122 SDCCH with SAPI3: 090 in 5 ms
123 SACCH with TCH SAPI3: 135 in 10 ms
124 tSync: 9000 units of 10 msec
125 tTrau: 9000 units of 10 msec
126 enableUmLoopTest: 00h = disabled
127 enableExcessiveDistance: 00h = Disabled
128 excessiveDistance: 64km
129 hoppingMode: 00h = baseband hopping
130 cellType: 00h = Standard Cell
131 BCCH ARFCN / bCCHFrequency: 1
132*/
133
/* Raw OM/NM packet "BTS, SET BTS ATTRIBUTES". bootstrap_om() hands it
 * unmodified to abis_nm_raw_msg(). The last byte carries the BCCH ARFCN and
 * comes from HARDCODED_ARFCN, which is defined outside this file; the
 * captured packet had 0x01 there. */
unsigned char msg_2[] =
{
	0x41, 0x01, 0x00, 0xFF, 0xFF, 0x09, 0x3F, 0x0A, 0x04, 0x61, 0x00, 0x0B,
	0xFF, 0x0C, 0x64, 0x62, 0x00, 0x66, 0x00, 0x6E, 0x06, 0x18, 0x1F, 0x19,
	0x0A, 0x0F, 0x14, 0x19, 0x1E, 0x7B, 0x0B, 0x23, 0x14, 0x28, 0x00, 0x04,
	0x03, 0x2A, 0x7F, 0x2B, 0x00, 0xFA, 0x8F, 0x7D, 0x33, 0x2C, 0x1F, 0x29,
	0x5A, 0x5A, 0x5A, 0x87, 0x94, 0x23, 0x28, 0x95, 0x23, 0x28, 0x35, 0x01,
	0x00, 0x46, 0x01, 0x00, 0x58, 0x01, 0x40, 0xC5, 0x01, 0x00, 0xF2, 0x01,
	0x00, 0x08, 0x00, HARDCODED_ARFCN/*0x01*/,
};
144
145// Handover Recognition, SET ATTRIBUTES
146
147/*
148Illegal Contents GSM Formatted O&M Msg
149 Object Class: Handover Recognition
150 BTS relat. Number: 0
151 Instance 2: FF
152 Instance 3: FF
153SET ATTRIBUTES
154 enableDelayPowerBudgetHO: 00h = Disabled
155 enableDistanceHO: 00h = Disabled
156 enableInternalInterCellHandover: 00h = Disabled
157 enableInternalIntraCellHandover: 00h = Disabled
158 enablePowerBudgetHO: 00h = Disabled
159 enableRXLEVHO: 00h = Disabled
160 enableRXQUALHO: 00h = Disabled
161 hoAveragingDistance: 8 SACCH multiframes
162 hoAveragingLev:
163 A_LEV_HO: 8 SACCH multiframes
164 W_LEV_HO: 1 SACCH multiframes
165 hoAveragingPowerBudget: 16 SACCH multiframes
166 hoAveragingQual:
167 A_QUAL_HO: 8 SACCH multiframes
168 W_QUAL_HO: 2 SACCH multiframes
169 hoLowerThresholdLevDL: (10 - 110) dBm
170 hoLowerThresholdLevUL: (5 - 110) dBm
171 hoLowerThresholdQualDL: 06h = 6.4% < BER < 12.8%
172 hoLowerThresholdQualUL: 06h = 6.4% < BER < 12.8%
173 hoThresholdLevDLintra : (20 - 110) dBm
174 hoThresholdLevULintra: (20 - 110) dBm
175 hoThresholdMsRangeMax: 20 km
176 nCell: 06h
177 timerHORequest: 3 ,unit 2 SACCH multiframes
178*/
179
/* Raw OM/NM packet "Handover Recognition, SET ATTRIBUTES". bootstrap_om()
 * hands it unmodified to abis_nm_raw_msg(). The decode above this array
 * labels the capture "Illegal Contents GSM Formatted O&M Msg". */
unsigned char msg_3[] =
{
	0xD0, 0xA1, 0x00, 0xFF, 0xFF, 0xD0, 0x00, 0x64, 0x00, 0x67, 0x00, 0x68,
	0x00, 0x6A, 0x00, 0x6C, 0x00, 0x6D, 0x00, 0x6F, 0x08, 0x70, 0x08, 0x01,
	0x71, 0x10, 0x10, 0x10, 0x72, 0x08, 0x02, 0x73, 0x0A, 0x74, 0x05, 0x75,
	0x06, 0x76, 0x06, 0x78, 0x14, 0x79, 0x14, 0x7A, 0x14, 0x7D, 0x06, 0x92,
	0x03, 0x20, 0x01, 0x00, 0x45, 0x01, 0x00, 0x48, 0x01, 0x00, 0x5A, 0x01,
	0x00, 0x5B, 0x01, 0x05, 0x5E, 0x01, 0x1A, 0x5F, 0x01, 0x20, 0x9D, 0x01,
	0x00, 0x47, 0x01, 0x00, 0x5C, 0x01, 0x64, 0x5D, 0x01, 0x1E, 0x97, 0x01,
	0x20, 0xF7, 0x01, 0x3C,
};
191
192// Power Control, SET ATTRIBUTES
193
194/*
195 Object Class: Power Control
196 BTS relat. Number: 0
197 Instance 2: FF
198 Instance 3: FF
199SET ATTRIBUTES
200 enableMsPowerControl: 00h = Disabled
201 enablePowerControlRLFW: 00h = Disabled
202 pcAveragingLev:
203 A_LEV_PC: 4 SACCH multiframes
204 W_LEV_PC: 1 SACCH multiframes
205 pcAveragingQual:
206 A_QUAL_PC: 4 SACCH multiframes
207 W_QUAL_PC: 2 SACCH multiframes
208 pcLowerThresholdLevDL: 0Fh
209 pcLowerThresholdLevUL: 0Ah
210 pcLowerThresholdQualDL: 05h = 3.2% < BER < 6.4%
211 pcLowerThresholdQualUL: 05h = 3.2% < BER < 6.4%
212 pcRLFThreshold: 0Ch
213 pcUpperThresholdLevDL: 14h
214 pcUpperThresholdLevUL: 0Fh
215 pcUpperThresholdQualDL: 04h = 1.6% < BER < 3.2%
216 pcUpperThresholdQualUL: 04h = 1.6% < BER < 3.2%
217 powerConfirm: 2 ,unit 2 SACCH multiframes
218 powerControlInterval: 2 ,unit 2 SACCH multiframes
219 powerIncrStepSize: 02h = 4 dB
220 powerRedStepSize: 01h = 2 dB
221 radioLinkTimeoutBs: 64 SACCH multiframes
222 enableBSPowerControl: 00h = disabled
223*/
224
/* Raw OM/NM packet "Power Control, SET ATTRIBUTES". bootstrap_om() hands it
 * unmodified to abis_nm_raw_msg(). The final byte is the BS power control
 * switch and is shipped disabled (0x00). */
unsigned char msg_4[] =
{
	0xD0, 0xA2, 0x00, 0xFF, 0xFF, 0x69, 0x00, 0x6B, 0x00, 0x7E, 0x04, 0x01,
	0x7F, 0x04, 0x02, 0x80, 0x0F, 0x81, 0x0A, 0x82, 0x05, 0x83, 0x05, 0x84,
	0x0C, 0x85, 0x14, 0x86, 0x0F, 0x87, 0x04, 0x88, 0x04, 0x89, 0x02, 0x8A,
	0x02, 0x8B, 0x02, 0x8C, 0x01, 0x8D, 0x40, 0x65, 0x01, 0x00 // set to 0x01 to enable BSPowerControl
};
232
233
234// Transceiver, SET TRX ATTRIBUTES (TRX 0)
235
236/*
237 Object Class: Transceiver
238 BTS relat. Number: 0
239 Tranceiver number: 0
240 Instance 3: FF
241SET TRX ATTRIBUTES
242 aRFCNList (HEX): 0001
243 txPwrMaxReduction: 00h = 0dB
244 radioMeasGran: 254 SACCH multiframes
245 radioMeasRep: 01h = enabled
246 memberOfEmergencyConfig: 01h = TRUE
247 trxArea: 00h = TRX doesn't belong to a concentric cell
248*/
249
/* Raw OM/NM packet "Transceiver, SET TRX ATTRIBUTES (TRX 0)". bootstrap_om()
 * sends it with abis_nm_raw_msg() right after connecting the TRX signalling
 * link. The ARFCN list byte comes from HARDCODED_ARFCN, which is defined
 * outside this file; the captured packet had 0x01 there. */
unsigned char msg_6[] =
{
	0x44, 0x02, 0x00, 0x00, 0xFF, 0x05, 0x01, 0x00, HARDCODED_ARFCN /*0x01*/, 0x2D,
	0x00, 0xDC, 0x01, 0xFE, 0xDD, 0x01, 0x01, 0x9B, 0x01, 0x01, 0x9F, 0x01, 0x00,
};
255
256
/*
 * Run the fixed OML bring-up sequence for one BTS.
 *
 * Event reports are switched off, the site manager resource is reset, the
 * captured attribute packets (msg_1..msg_4, msg_6) are replayed, the
 * signalling and traffic timeslots of TRX 0 are connected, and event
 * reports are switched back on. None of the abis_nm_* calls has its result
 * inspected, so a step that fails does not stop the sequence.
 */
static void bootstrap_om(struct gsm_bts *bts)
{
	struct gsm_bts_trx *trx0 = &bts->trx[0];
	int ts_nr;

	fputs("bootstrapping OML\n", stdout);

	/* stop sending event reports */
	abis_nm_event_reports(bts, 0);

	/* open and immediately close a DB transmission, then reset the
	 * BTS Site manager resource */
	abis_nm_db_transmission(bts, 1);
	abis_nm_db_transmission(bts, 0);
	abis_nm_reset_resource(bts);

	/* the DB transmission that carries the configuration starts here */
	abis_nm_db_transmission(bts, 1);

	/* replay the captured attribute packets */
	abis_nm_raw_msg(bts, sizeof(msg_1), msg_1);	/* set BTS SiteMgr attr */
	abis_nm_raw_msg(bts, sizeof(msg_2), msg_2);	/* set BTS attr */
	abis_nm_raw_msg(bts, sizeof(msg_3), msg_3);	/* set BTS handover attr */
	abis_nm_raw_msg(bts, sizeof(msg_4), msg_4);	/* set BTS power control attr */

	/* Connect signalling of bts0/trx0 to e1_0/ts1/64kbps */
	abis_nm_conn_terr_sign(trx0, 0, 1, 0xff);
	abis_nm_raw_msg(bts, sizeof(msg_6), msg_6);	/* SET TRX ATTRIBUTES */

	/* Use TEI 1 for signalling */
	abis_nm_establish_tei(bts, 0, 0, 1, 0xff, 0x01);
	abis_nm_set_channel_attr(&trx0->ts[0], NM_CHANC_SDCCH_CBCH);
#if 0
	/* TRX 1 */
	abis_nm_conn_terr_sign(&bts->trx[1], 0, 1, 0xff);
	/* FIXME: TRX ATTRIBUTE */
	abis_nm_establish_tei(bts, 0, 0, 1, 0xff, 0x02);
#endif

	/*
	 * TS1..TS7 of trx0: SET CHANNEL ATTRIBUTE (0x09), then connect the
	 * traffic to e1_0. Four radio timeslots share one E1 timeslot:
	 * TS1..TS3 use e1 ts2 sub-slots 1..3 (b, c, d) and TS4..TS7 use
	 * e1 ts3 sub-slots 0..3 (a, b, c, d).
	 */
	for (ts_nr = 1; ts_nr <= 7; ts_nr++) {
		abis_nm_set_channel_attr(&trx0->ts[ts_nr], 0x09);
		abis_nm_conn_terr_traf(&trx0->ts[ts_nr], 0,
				       2 + ts_nr / 4, ts_nr % 4);
	}

	/* end DB transmission */
	abis_nm_db_transmission(bts, 0);

	/* Reset BTS Site manager resource */
	abis_nm_reset_resource(bts);

	/* restart sending event reports */
	abis_nm_event_reports(bts, 1);
}
341
342
343
/* One BCCH SYSTEM INFORMATION entry of the bcch_infos table: the message
 * type together with a pointer to its raw bytes and their length */
struct bcch_info {
	u_int8_t type;		/* RSL_SYSTEM_INFO_* value given to rsl_bcch_info() */
	u_int8_t len;		/* number of bytes at data; filled from sizeof(siN) */
	const u_int8_t *data;	/* raw message bytes */
};
349
350/*
351SYSTEM INFORMATION TYPE 1
352 Cell channel description
353 Format-ID bit map 0
354 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
355 RACH Control Parameters
356 maximum 7 retransmissions
357 8 slots used to spread transmission
358 cell not barred for access
359 call reestablishment not allowed
360 Access Control Class = 0000
361*/
/* SYSTEM INFORMATION TYPE 1 as raw bytes; set_system_infos() sends it via
 * the bcch_infos table. The values in inner comments are what the captured
 * message held before it was edited. */
static u_int8_t si1[] = {
	/* header */0x55, 0x06, 0x19,
	/* ccdesc */0x04 /*0x00*/, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 /*0x01*/,
	/* rach */0xD5, 0x00, 0x00,
	/* s1 reset*/0x2B
};
369
370/*
371 SYSTEM INFORMATION TYPE 2
372 Neighbour Cells Description
373 EXT-IND: Carries the complete BA
374 BA-IND = 0
375 Format-ID bit map 0
376 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
377 NCC permitted (NCC) = FF
378 RACH Control Parameters
379 maximum 7 retransmissions
380 8 slots used to spread transmission
381 cell not barred for access
382 call reestablishment not allowed
383 Access Control Class = 0000
384*/
/* SYSTEM INFORMATION TYPE 2 as raw bytes; set_system_infos() sends it via
 * the bcch_infos table. The 16 zero bytes are the neighbour cell bitmap. */
static u_int8_t si2[] = {
	/* header */0x59, 0x06, 0x1A,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	/* ncc */0xFF,
	/* rach*/0xD5, 0x00, 0x00
};
392
393/*
394SYSTEM INFORMATION TYPE 3
395 Cell identity = 00001 (1h)
396 Location area identification
397 Mobile Country Code (MCC): 001
398 Mobile Network Code (MNC): 01
399 Location Area Code (LAC): 00001 (1h)
400 Control Channel Description
401 Attach-detach: MSs in the cell are not allowed to apply IMSI attach /detach
402 0 blocks reserved for access grant
403 1 channel used for CCCH, with SDCCH
404 5 multiframes period for PAGING REQUEST
405 Time-out T3212 = 0
406 Cell Options BCCH
407 Power control indicator: not set
408 MSs shall not use uplink DTX
409 Radio link timeout = 36
410 Cell Selection Parameters
411 Cell reselect hysteresis = 6 dB RXLEV hysteresis for LA re-selection
Harald Welte3b2ec422008-12-29 04:11:14 +0000412 max.TX power level MS may use for CCH = 2 <- according to GSM05.05 39dBm (max)
Harald Welte52b1f982008-12-23 20:25:15 +0000413 Additional Reselect Parameter Indication (ACS) = only SYSTEM INFO 4: The SI rest octets, if present, shall be used to derive the value of PI and possibly C2 parameters
414 Half rate support (NECI): New establishment causes are not supported
415 min.RX signal level for MS = 0
416 RACH Control Parameters
417 maximum 7 retransmissions
418 8 slots used to spread transmission
419 cell not barred for access
420 call reestablishment not allowed
421 Access Control Class = 0000
422 SI 3 Rest Octets
423 Cell Bar Qualify (CBQ): 0
424 Cell Reselect Offset = 0 dB
425 Temporary Offset = 0 dB
426 Penalty Time = 20 s
427 System Information 2ter Indicator (2TI): 0 = not available
428 Early Classmark Sending Control (ECSC): 0 = forbidden
429 Scheduling Information is not sent in SYSTEM INFORMATION TYPE 9 on the BCCH
430*/
/* SYSTEM INFORMATION TYPE 3 as raw bytes; set_system_infos() sends it via
 * the bcch_infos table. Not const: patch_tables() overwrites the lai bytes
 * at run time with the configured MCC/MNC/LAC, so the values below are only
 * the initial contents. */
static u_int8_t si3[] = {
	/* header */0x49, 0x06, 0x1B,
	/* cell */0x00, 0x01,
	/* lai */0x00, 0xF1, 0x10, 0x00, 0x01,
	/* desc */0x01, 0x03, 0x00,
	/* option*/0x28,
	/* selection*/0x62, 0x00,
	/* rach */0xD5, 0x00, 0x00,
	/* reset*/0x80, 0x00, 0x00, 0x2B
};
441
442/*
443SYSTEM INFORMATION TYPE 4
444 Location area identification
445 Mobile Country Code (MCC): 001
446 Mobile Network Code (MNC): 01
447 Location Area Code (LAC): 00001 (1h)
448 Cell Selection Parameters
449 Cell reselect hysteresis = 6 dB RXLEV hysteresis for LA re-selection
450 max.TX power level MS may use for CCH = 2
451 Additional Reselect Parameter Indication (ACS) = only SYSTEM INFO 4: The SI rest octets, if present, shall be used to derive the value of PI and possibly C2 parameters
452 Half rate support (NECI): New establishment causes are not supported
453 min.RX signal level for MS = 0
454 RACH Control Parameters
455 maximum 7 retransmissions
456 8 slots used to spread transmission
457 cell not barred for access
458 call reestablishment not allowed
459 Access Control Class = 0000
460 Channel Description
461 Type = SDCCH/4[2]
462 Timeslot Number: 0
463 Training Sequence Code: 7h
464 ARFCN: 1
465 SI Rest Octets
466 Cell Bar Qualify (CBQ): 0
467 Cell Reselect Offset = 0 dB
468 Temporary Offset = 0 dB
469 Penalty Time = 20 s
470*/
/* SYSTEM INFORMATION TYPE 4 as raw bytes; set_system_infos() sends it via
 * the bcch_infos table. Not const: patch_tables() overwrites the lai bytes
 * at run time. The ARFCN byte of the channel description comes from
 * HARDCODED_ARFCN, which is defined outside this file. */
static u_int8_t si4[] = {
	/* header */0x41, 0x06, 0x1C,
	/* lai */0x00, 0xF1, 0x10, 0x00, 0x01,
	/* sel */0x62, 0x00,
	/* rach*/0xD5, 0x00, 0x00,
	/* var */0x64, 0x30, 0xE0, HARDCODED_ARFCN/*0x01*/, 0x80, 0x00, 0x00,
		0x2B, 0x2B, 0x2B
};
479
480/*
481 SYSTEM INFORMATION TYPE 5
482 Neighbour Cells Description
483 EXT-IND: Carries the complete BA
484 BA-IND = 0
485 Format-ID bit map 0
486 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
487*/
488
/* SYSTEM INFORMATION TYPE 5 as raw bytes, without the leading L2 length
 * octet; set_system_infos() sends it with rsl_sacch_filling(). The 16 zero
 * bytes are the neighbour cell bitmap. */
static u_int8_t si5[] = {
	/* header without l2 len*/0x06, 0x1D,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
494
495// SYSTEM INFORMATION TYPE 6
496
497/*
498SACCH FILLING
499 System Info Type: SYSTEM INFORMATION 6
500 L3 Information (Hex): 06 1E 00 01 xx xx 10 00 01 28 FF
501
502SYSTEM INFORMATION TYPE 6
503 Cell identity = 00001 (1h)
504 Location area identification
505 Mobile Country Code (MCC): 001
506 Mobile Network Code (MNC): 01
507 Location Area Code (LAC): 00001 (1h)
508 Cell Options SACCH
509 Power control indicator: not set
510 MSs shall not use uplink DTX on a TCH-F. MS shall not use uplink DTX on TCH-H.
511 Radio link timeout = 36
512 NCC permitted (NCC) = FF
513*/
514
/* SYSTEM INFORMATION TYPE 6 as raw bytes; set_system_infos() sends it with
 * rsl_sacch_filling(). Not const: patch_tables() overwrites the lai bytes
 * at run time. */
static u_int8_t si6[] = {
	/* header */0x06, 0x1E,
	/* cell id*/ 0x00, 0x01,
	/* lai */ 0x00, 0xF1, 0x10, 0x00, 0x01,
	/* options */ 0x28,
	/* ncc */ 0xFF,
};
522
523
524
/* The SYSTEM INFORMATION messages that set_system_infos() pushes with
 * rsl_bcch_info(), in sending order. The table itself is const, but the
 * data pointers refer to the writable si1..si4 arrays. len is a u_int8_t,
 * so each array has to stay below 256 bytes. */
static const struct bcch_info bcch_infos[] = {
	{
		.type = RSL_SYSTEM_INFO_1,
		.len = sizeof(si1),
		.data = si1,
	}, {
		.type = RSL_SYSTEM_INFO_2,
		.len = sizeof(si2),
		.data = si2,
	}, {
		.type = RSL_SYSTEM_INFO_3,
		.len = sizeof(si3),
		.data = si3,
	}, {
		.type = RSL_SYSTEM_INFO_4,
		.len = sizeof(si4),
		.data = si4,
	},
};
544
/* Compile-time size checks tying each raw table to its gsm48 struct.
 * patch_tables() casts si3, si4 and si6 to these structs and assigns the
 * lai member, so these checks are what keeps that write inside the arrays;
 * keep them in step with any change to the tables. si4 and si6 only have to
 * be at least as large as their struct, the others must match exactly.
 * static_assert is used here with an identifier as second argument and no
 * trailing semicolon - presumably a project macro, not the C11 keyword. */
static_assert(sizeof(si1) == sizeof(struct gsm48_system_information_type_1), type1)
static_assert(sizeof(si2) == sizeof(struct gsm48_system_information_type_2), type2)
static_assert(sizeof(si3) == sizeof(struct gsm48_system_information_type_3), type3)
static_assert(sizeof(si4) >= sizeof(struct gsm48_system_information_type_4), type4)
static_assert(sizeof(si5) == sizeof(struct gsm48_system_information_type_5), type5)
static_assert(sizeof(si6) >= sizeof(struct gsm48_system_information_type_6), type6)
Holger Freyther24287b62008-12-28 16:32:41 +0000551
/*
 * Push all SYSTEM INFORMATION messages to the BTS: every bcch_infos entry
 * goes out through rsl_bcch_info(), then types 5 and 6 are installed with
 * rsl_sacch_filling(). Always returns 0; the rsl_* results are not
 * inspected.
 */
static int set_system_infos(struct gsm_bts *bts)
{
	const struct bcch_info *info = bcch_infos;
	const struct bcch_info *const end = bcch_infos + ARRAY_SIZE(bcch_infos);

	for (; info != end; info++)
		rsl_bcch_info(bts, info->type, info->data, info->len);

	rsl_sacch_filling(bts, RSL_SYSTEM_INFO_5, si5, sizeof(si5));
	rsl_sacch_filling(bts, RSL_SYSTEM_INFO_6, si6, sizeof(si6));

	return 0;
}
567
/*
 * Activate a full-rate traffic channel on timeslots 1..7 of the given TRX.
 * Timeslot 0 is left alone because it carries the CCCH.
 */
static void activate_traffic_channels(struct gsm_bts_trx *trx)
{
	int ts_nr = 1;

	while (ts_nr < 8) {
		rsl_chan_activate_tch_f(&trx->ts[ts_nr]);
		ts_nr++;
	}
}
576
/*
 * Patch the SYSTEM INFORMATION type 3, 4 and 6 tables so that they carry
 * the Location Area Identification of this BTS.
 *
 * The LAI is built from bts->network->country_code,
 * bts->network->network_code and bts->location_area_code and copied over
 * the lai member of each table. The raw byte arrays are accessed through
 * their struct layout; the static_assert lines after bcch_infos guarantee
 * the arrays are large enough for that.
 * NOTE(review): this relies on the gsm48 structs being packed and having no
 * alignment requirement beyond a byte array - confirm against the header.
 */
static void patch_tables(struct gsm_bts *bts)
{
	struct gsm48_loc_area_id lai;
	struct gsm48_system_information_type_3 *sysinfo3;
	struct gsm48_system_information_type_4 *sysinfo4;
	struct gsm48_system_information_type_6 *sysinfo6;

	gsm0408_generate_lai(&lai, bts->network->country_code,
			     bts->network->network_code,
			     bts->location_area_code);

	/* convert the raw packets to their structs */
	sysinfo3 = (struct gsm48_system_information_type_3 *)&si3;
	sysinfo4 = (struct gsm48_system_information_type_4 *)&si4;
	sysinfo6 = (struct gsm48_system_information_type_6 *)&si6;

	/* the same LAI (MCC, MNC and LAC) goes into all three tables */
	sysinfo3->lai = lai;
	sysinfo4->lai = lai;
	sysinfo6->lai = lai;
}
600
601
/*
 * RSL bring-up for one BTS: patch the LAI into the SYSTEM INFORMATION
 * tables and send them.
 *
 * The log line prints the global MCC/MNC, while patch_tables() takes the
 * codes from bts->network.
 * NOTE(review): MCC and MNC are int but are printed with %u.
 */
static void bootstrap_rsl(struct gsm_bts *bts)
{
	printf("bootstrapping RSL MCC=%u MNC=%u\n", MCC, MNC);

	patch_tables(bts);
	set_system_infos(bts);

	/* FIXME: defer this until the channels are used */
	//activate_traffic_channels(&bts->trx[0]);
}
611
/*
 * Link event callback registered through mi_setup(). Starts the OML
 * bootstrap when the OML link comes up and the RSL bootstrap when the RSL
 * link comes up; every other event is ignored.
 */
static void mi_cb(int event, struct gsm_bts *bts)
{
	if (event == EVT_E1_OML_UP) {
		bootstrap_om(bts);
		return;
	}

	if (event == EVT_E1_RSL_UP) {
		bootstrap_rsl(bts);
		return;
	}

	/* FIXME: deal with TEI or L1 link loss */
}
626
/*
 * Create the global network object and hook up the first BTS.
 *
 * Stores the result of gsm_network_init(1, MCC, MNC) in gsmnet, sets
 * location area code 1 and HARDCODED_ARFCN on bts 0 / trx 0, and registers
 * mi_cb() through mi_setup().
 *
 * Returns 0 on success, -ENOMEM when the network object could not be
 * created and -EIO when mi_setup() fails. gsmnet stays NULL in the -ENOMEM
 * case.
 */
static int bootstrap_network(void)
{
	struct gsm_bts *bts0;

	/* initialize our data structures */
	gsmnet = gsm_network_init(1, MCC, MNC);
	if (gsmnet == NULL)
		return -ENOMEM;

	bts0 = &gsmnet->bts[0];
	bts0->location_area_code = 1;
	bts0->trx[0].arfcn = HARDCODED_ARFCN;

	return (mi_setup(bts0, 0, mi_cb) < 0) ? -EIO : 0;
}
Harald Weltef6b7a902008-12-26 00:05:11 +0000645
/* Write the one-line usage summary to stdout. */
static void print_usage()
{
	fputs("Usage: bsc_hack\n", stdout);
}
650
/* Write the option summary to stdout, one line per option. */
static void print_help()
{
	static const char *const help_lines[] = {
		" Some useful help...\n",
		" -d option --debug=DRLL:DCC:DMM:DRR:DRSL:DNM enable debugging\n",
		" -s --disable-color\n",
		" -n --network-code number(MNC) \n",
		" -c --country-code number (MCC) \n",
		" -l --database db-name The database to use\n",
		" -h --help this text\n",
	};
	size_t idx;

	for (idx = 0; idx < sizeof(help_lines) / sizeof(help_lines[0]); idx++)
		fputs(help_lines[idx], stdout);
}
661
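/*
 * Parse a command-line MCC or MNC argument.
 *
 * Accepts a plain decimal number from 0 to 999 (an MCC has three digits, an
 * MNC two or three). Anything else - empty input, trailing characters, a
 * negative or out-of-range value - is reported on stderr and ends the
 * program with status 2, so a typo can no longer turn into code 0 the way
 * it did with atoi().
 */
static int parse_network_number(const char *arg, const char *what)
{
	char *end;
	long value;

	errno = 0;
	value = strtol(arg, &end, 10);
	if (end == arg || *end != '\0' || errno == ERANGE ||
	    value < 0 || value > 999) {
		fprintf(stderr, "Invalid %s '%s': expected a decimal number "
			"from 0 to 999\n", what, arg);
		exit(2);
	}

	return (int)value;
}

/*
 * Process the command line and update the file-level settings.
 *
 *   -h / --help            print usage and help, then exit(0)
 *   -s / --disable-color   debug_use_color(0)
 *   -d / --debug           category mask for debug_parse_category_mask()
 *   -n / --network-code    sets MNC
 *   -c / --country-code    sets MCC
 *   -l / --database        sets database_name
 *
 * The short option string now contains "l:"; without it "-l", which the
 * help text advertises, was rejected by getopt_long() and only the long
 * form worked. MCC and MNC end up in the broadcast Location Area
 * Identification, so both are validated instead of being run through
 * atoi(). Unknown options are still ignored.
 */
static void handle_options(int argc, char** argv)
{
	static struct option long_options[] = {
		{"help", 0, 0, 'h'},
		{"debug", 1, 0, 'd'},
		{"disable-color", 0, 0, 's'},
		{"network-code", 1, 0, 'n'},
		{"country-code", 1, 0, 'c'},
		{"database", 1, 0, 'l'},
		{0, 0, 0, 0}
	};

	while (1) {
		int option_index = 0, c;
		char *name;

		c = getopt_long(argc, argv, "hc:n:d:sl:",
				long_options, &option_index);
		if (c == -1)
			break;

		switch (c) {
		case 'h':
			print_usage();
			print_help();
			exit(0);
		case 's':
			debug_use_color(0);
			break;
		case 'd':
			debug_parse_category_mask(optarg);
			break;
		case 'n':
			MNC = parse_network_number(optarg, "network code");
			break;
		case 'c':
			MCC = parse_network_number(optarg, "country code");
			break;
		case 'l':
			/* strdup() can fail; never hand NULL on to db_init() */
			name = strdup(optarg);
			if (!name) {
				fprintf(stderr, "Out of memory while reading "
					"the database name\n");
				exit(1);
			}
			database_name = name;
			break;
		default:
			/* ignore */
			break;
		}
	}
}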
/* Paging test timer: main() points its cb member at pag_timer_cb() and
 * arms it with schedule_timer(&pag_timer, 10, 0) */
static struct timer_list pag_timer;
709
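/*
 * Convert one decimal or hexadecimal digit character to its 4-bit value.
 *
 * '0'..'9' give 0..9, 'A'..'F' and 'a'..'f' give 10..15. The previous code
 * returned c - 'A' for letters, which mapped 'A' to 0 instead of 10, and
 * produced values wider than a nibble for any other character; callers
 * shift the result into the upper half of a byte, so such a value
 * corrupted the neighbouring digit. Characters that are not hex digits now
 * yield 0x0f, the all-ones nibble that string_to_mi() also uses as filler.
 */
static u_int8_t char2bcd(char c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;

	return 0x0f;
}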
718
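/*
 * Encode a digit string as a Mobile Identity information element.
 *
 * mi[0] receives GSM48_IE_MOBILE_ID and mi[2] the identity type in its low
 * bits. For an odd number of digits the first digit goes into the upper
 * nibble of mi[2], otherwise that nibble is filled with 0xf. The remaining
 * digits are packed two per byte from mi[3] on, first digit in the lower
 * nibble.
 *
 * The function has no size parameter: it writes 3 + strlen(string) / 2
 * bytes, and the caller has to provide a buffer at least that large.
 *
 * Returns the number of bytes written, counted from mi[0].
 */
static int string_to_mi(u_int8_t *mi, const char *string,
			u_int8_t type)
{
	u_int8_t *cur = mi+3;

	mi[0] = GSM48_IE_MOBILE_ID;
	//mi[1] = TMSI_LEN;
	mi[2] = type & GSM_MI_TYPE_MASK;

	if (strlen(string) & 0x01)
		mi[2] |= char2bcd(*string++) << 4;
	else
		mi[2] |= 0xf0;

	/*
	 * The original packed both digits in one expression that incremented
	 * string twice without a sequence point, which is undefined behaviour
	 * and left the nibble order to the compiler. Read the pair explicitly
	 * and mask each digit to four bits.
	 */
	while (string[0] && string[1]) {
		u_int8_t low = char2bcd(string[0]) & 0x0f;
		u_int8_t high = char2bcd(string[1]) & 0x0f;

		*cur++ = low | (high << 4);
		string += 2;
	}

	/* NOTE(review): this stores the total size including the two header
	 * bytes; confirm whether the length octet should instead count only
	 * the bytes that follow it */
	mi[1] = cur - mi;

	return cur - mi;
}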
740
/* Hard-coded IMSIs of the test handsets. pag_timer_cb() pages nokia_imsi;
 * rokr_imsi is not referenced by the code visible in this file.
 * NOTE(review): subscriber identities are committed in source here -
 * confirm they belong to test SIMs. */
static const char *nokia_imsi = "7240311131388";
static const char *rokr_imsi = "4660198001300";
743
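/*
 * Timer callback of the paging test.
 *
 * Looks up the subscriber with the hard-coded nokia_imsi, builds a mobile
 * identity from the stored TMSI and computes the paging group. Sending the
 * paging command and re-arming the timer are compiled out (#if 0), so the
 * computed values are currently unused. The data argument is not used.
 *
 * Changes from the previous version:
 *  - returns early when gsmnet is NULL, which is what bootstrap_network()
 *    leaves behind when it fails;
 *  - checks the IMSI length against subscr->imsi before copying instead of
 *    an unbounded strcpy();
 *  - drops the "if (!subscr)" test, which could never fire because subscr
 *    points at a local variable.
 */
void pag_timer_cb(void *data)
{
	struct gsm_bts *bts;
	u_int8_t mi[128];
	struct gsm_subscriber _subscr, *subscr = &_subscr;
	unsigned int paging_group, mi_len;
	u_int64_t num_imsi;
	const char *imsi = nokia_imsi;

	printf("FEUER\n");

	if (!gsmnet)
		return;
	bts = &gsmnet->bts[0];

#if 1
	memset(subscr, 0, sizeof(*subscr));
	/* the copy needs room for the terminating NUL as well */
	if (strlen(imsi) >= sizeof(subscr->imsi))
		return;
	strcpy(subscr->imsi, imsi);

	/* NOTE(review): the result of db_get_subscriber() is ignored. If the
	 * lookup fails, subscr->tmsi is still all zero and the identity below
	 * is built for TMSI 0 - check the return value once its convention
	 * is confirmed. */
	db_get_subscriber(GSM_SUBSCRIBER_IMSI, subscr);

	mi_len = generate_mid_from_tmsi(mi, strtoul(subscr->tmsi, NULL, 10));
#else
	mi_len = string_to_mi(mi, imsi, GSM_MI_TYPE_IMSI);
#endif

	num_imsi = strtoull(imsi, NULL, 10);
	paging_group = get_paging_group(num_imsi, 1, 3);

#if 0
	for (paging_group = 0; paging_group < 3; paging_group++)
		rsl_paging_cmd(bts, paging_group, mi_len, mi, RSL_CHANNEED_TCH_F);

	schedule_timer(&pag_timer, 10, 0);
#endif
}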
777
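/*
 * Program entry point: parse the options, open and prepare the database,
 * bootstrap the network, arm the paging test timer and run the select
 * loop forever.
 *
 * Returns 1 when the database cannot be initialised or prepared, or when
 * bootstrap_network() fails. The bootstrap result used to be ignored; on
 * failure the program kept running and pag_timer_cb() later dereferenced
 * the NULL gsmnet pointer.
 */
int main(int argc, char **argv)
{
	int rc;

	/* parse options */
	handle_options(argc, argv);

	if (db_init(database_name)) {
		printf("DB: Failed to init database. Please check the option settings.\n");
		return 1;
	}
	printf("DB: Database initialized.\n");

	if (db_prepare()) {
		printf("DB: Failed to prepare database.\n");
		return 1;
	}
	printf("DB: Database prepared.\n");

	/* bootstrap_network() returns 0, -ENOMEM or -EIO */
	rc = bootstrap_network();
	if (rc < 0) {
		fprintf(stderr, "Failed to bootstrap the network: %s\n",
			strerror(-rc));
		return 1;
	}

	pag_timer.cb = pag_timer_cb;
	schedule_timer(&pag_timer, 10, 0);

	while (1) {
		bsc_select_main();
	}
}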