Gitiles
Code Review Sign In
gerrit.osmocom.org / osmo-sgsn / 8965da4fde00babb0b8d4fe78cb759937fb54571 / . / src / bsc_hack.c
blob: 2e559c00e9ec96826fa7d338db9a73feaff0c03a [file] [log] [blame]
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]1/* A hackish minimal BSC (+MSC +HLR) implementation */
2
3/* (C) 2008 by Harald Welte <laforge@gnumonks.org>
Holger Freyther219518d2009-01-02 22:04:43 +0000[diff] [blame]4 * (C) 2009 by Holger Hans Peter Freyther <zecke@selfish.org>
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]5 * All Rights Reserved
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 */
22
Harald Weltef6b7a902008-12-26 00:05:11 +0000[diff] [blame]23#include <unistd.h>
24#include <stdlib.h>
25#include <stdio.h>
26#include <stdarg.h>
27#include <time.h>
28#include <string.h>
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]29#include <errno.h>
Harald Welted1252502009-01-01 01:50:32 +0000[diff] [blame]30#include <signal.h>
Holger Freyther9a3ee0f2009-01-02 00:40:15 +0000[diff] [blame]31#include <fcntl.h>
32#include <sys/stat.h>
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]33
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]34#define _GNU_SOURCE
35#include <getopt.h>
36
Harald Welte255539c2008-12-28 02:26:27 +0000[diff] [blame]37#include <openbsc/db.h>
38#include <openbsc/timer.h>
Harald Welte8470bf22008-12-25 23:28:35 +0000[diff] [blame]39#include <openbsc/gsm_data.h>
Harald Welte255539c2008-12-28 02:26:27 +0000[diff] [blame]40#include <openbsc/gsm_04_08.h>
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]41#include <openbsc/select.h>
Harald Welte8470bf22008-12-25 23:28:35 +0000[diff] [blame]42#include <openbsc/abis_rsl.h>
43#include <openbsc/abis_nm.h>
Harald Welte702d8702008-12-26 20:25:35 +0000[diff] [blame]44#include <openbsc/debug.h>
Holger Freyther5677ae32008-12-27 09:41:03 +0000[diff] [blame]45#include <openbsc/misdn.h>
Holger Freyther219518d2009-01-02 22:04:43 +0000[diff] [blame]46#include <openbsc/telnet_interface.h>
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]47
48/* global pointer to the gsm network data structure */
49static struct gsm_network *gsmnet;
50
Holger Freytherefde7fb2008-12-28 14:14:56 +0000[diff] [blame]51/* MCC and MNC for the Location Area Identifier */
52static int MCC = 1;
53static int MNC = 1;
Holger Freytherbde36102008-12-28 22:51:39 +0000[diff] [blame]54static const char *database_name = "hlr.sqlite3";
Holger Freytherefde7fb2008-12-28 14:14:56 +0000[diff] [blame]55
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]56/* The following definitions are for OM and NM packets that we cannot yet
57 * generate by code but we just pass on */
58
59// BTS Site Manager, SET ATTRIBUTES
60
61/*
62 Object Class: BTS Site Manager
63 Instance 1: FF
64 Instance 2: FF
65 Instance 3: FF
66SET ATTRIBUTES
67 sAbisExternalTime: 2007/09/08 14:36:11
68 omLAPDRelTimer: 30sec
69 shortLAPDIntTimer: 5sec
70 emergencyTimer1: 10 minutes
71 emergencyTimer2: 0 minutes
72*/
73
74unsigned char msg_1[] =
75{
76 0xD0, 0x00, 0xFF, 0xFF, 0xFF, 0x91, 0x07, 0xD7, 0x09, 0x08, 0x0E, 0x24,
77 0x0B, 0xCE, 0x02, 0x00, 0x1E, 0xE8, 0x01, 0x05, 0x42, 0x02, 0x00, 0x0A, 0x44,
78 0x02, 0x00, 0x00
79};
80
81// BTS, SET BTS ATTRIBUTES
82
83/*
84 Object Class: BTS
85 BTS relat. Number: 0
86 Instance 2: FF
87 Instance 3: FF
88SET BTS ATTRIBUTES
89 bsIdentityCode / BSIC:
90 PLMN_colour_code: 7h
91 BS_colour_code: 7h
92 BTS Air Timer T3105: 4 ,unit 10 ms
93 btsIsHopping: FALSE
94 periodCCCHLoadIndication: 255sec
95 thresholdCCCHLoadIndication: 100%
96 cellAllocationNumber: 00h = GSM 900
97 enableInterferenceClass: 00h = Disabled
98 fACCHQual: 6 (FACCH stealing flags minus 1)
99 intaveParameter: 31 SACCH multiframes
100 interferenceLevelBoundaries:
101 Interference Boundary 1: 0Ah
102 Interference Boundary 2: 0Fh
103 Interference Boundary 3: 14h
104 Interference Boundary 4: 19h
105 Interference Boundary 5: 1Eh
106 mSTxPwrMax: 11
107 GSM range: 2=39dBm, 15=13dBm, stepsize 2 dBm
108 DCS1800 range: 0=30dBm, 15=0dBm, stepsize 2 dBm
109 PCS1900 range: 0=30dBm, 15=0dBm, stepsize 2 dBm
110 30=33dBm, 31=32dBm
111 ny1:
112 Maximum number of repetitions for PHYSICAL INFORMATION message (GSM 04.08): 20
113 powerOutputThresholds:
114 Out Power Fault Threshold: -10 dB
115 Red Out Power Threshold: - 6 dB
116 Excessive Out Power Threshold: 5 dB
117 rACHBusyThreshold: -127 dBm
118 rACHLoadAveragingSlots: 250 ,number of RACH burst periods
119 rfResourceIndicationPeriod: 125 SACCH multiframes
120 T200:
121 SDCCH: 044 in 5 ms
122 FACCH/Full rate: 031 in 5 ms
123 FACCH/Half rate: 041 in 5 ms
124 SACCH with TCH SAPI0: 090 in 10 ms
125 SACCH with SDCCH: 090 in 10 ms
126 SDCCH with SAPI3: 090 in 5 ms
127 SACCH with TCH SAPI3: 135 in 10 ms
128 tSync: 9000 units of 10 msec
129 tTrau: 9000 units of 10 msec
130 enableUmLoopTest: 00h = disabled
131 enableExcessiveDistance: 00h = Disabled
132 excessiveDistance: 64km
133 hoppingMode: 00h = baseband hopping
134 cellType: 00h = Standard Cell
135 BCCH ARFCN / bCCHFrequency: 1
136*/
137
138unsigned char msg_2[] =
139{
140 0x41, 0x01, 0x00, 0xFF, 0xFF, 0x09, 0x3F, 0x0A, 0x04, 0x61, 0x00, 0x0B,
141 0xFF, 0x0C, 0x64, 0x62, 0x00, 0x66, 0x00, 0x6E, 0x06, 0x18, 0x1F, 0x19,
142 0x0A, 0x0F, 0x14, 0x19, 0x1E, 0x7B, 0x0B, 0x23, 0x14, 0x28, 0x00, 0x04,
143 0x03, 0x2A, 0x7F, 0x2B, 0x00, 0xFA, 0x8F, 0x7D, 0x33, 0x2C, 0x1F, 0x29,
144 0x5A, 0x5A, 0x5A, 0x87, 0x94, 0x23, 0x28, 0x95, 0x23, 0x28, 0x35, 0x01,
145 0x00, 0x46, 0x01, 0x00, 0x58, 0x01, 0x40, 0xC5, 0x01, 0x00, 0xF2, 0x01,
146 0x00, 0x08, 0x00, HARDCODED_ARFCN/*0x01*/,
147};
148
149// Handover Recognition, SET ATTRIBUTES
150
151/*
152Illegal Contents GSM Formatted O&M Msg
153 Object Class: Handover Recognition
154 BTS relat. Number: 0
155 Instance 2: FF
156 Instance 3: FF
157SET ATTRIBUTES
158 enableDelayPowerBudgetHO: 00h = Disabled
159 enableDistanceHO: 00h = Disabled
160 enableInternalInterCellHandover: 00h = Disabled
161 enableInternalIntraCellHandover: 00h = Disabled
162 enablePowerBudgetHO: 00h = Disabled
163 enableRXLEVHO: 00h = Disabled
164 enableRXQUALHO: 00h = Disabled
165 hoAveragingDistance: 8 SACCH multiframes
166 hoAveragingLev:
167 A_LEV_HO: 8 SACCH multiframes
168 W_LEV_HO: 1 SACCH multiframes
169 hoAveragingPowerBudget: 16 SACCH multiframes
170 hoAveragingQual:
171 A_QUAL_HO: 8 SACCH multiframes
172 W_QUAL_HO: 2 SACCH multiframes
173 hoLowerThresholdLevDL: (10 - 110) dBm
174 hoLowerThresholdLevUL: (5 - 110) dBm
175 hoLowerThresholdQualDL: 06h = 6.4% < BER < 12.8%
176 hoLowerThresholdQualUL: 06h = 6.4% < BER < 12.8%
177 hoThresholdLevDLintra : (20 - 110) dBm
178 hoThresholdLevULintra: (20 - 110) dBm
179 hoThresholdMsRangeMax: 20 km
180 nCell: 06h
181 timerHORequest: 3 ,unit 2 SACCH multiframes
182*/
183
184unsigned char msg_3[] =
185{
186 0xD0, 0xA1, 0x00, 0xFF, 0xFF, 0xD0, 0x00, 0x64, 0x00, 0x67, 0x00, 0x68,
187 0x00, 0x6A, 0x00, 0x6C, 0x00, 0x6D, 0x00, 0x6F, 0x08, 0x70, 0x08, 0x01,
188 0x71, 0x10, 0x10, 0x10, 0x72, 0x08, 0x02, 0x73, 0x0A, 0x74, 0x05, 0x75,
189 0x06, 0x76, 0x06, 0x78, 0x14, 0x79, 0x14, 0x7A, 0x14, 0x7D, 0x06, 0x92,
190 0x03, 0x20, 0x01, 0x00, 0x45, 0x01, 0x00, 0x48, 0x01, 0x00, 0x5A, 0x01,
191 0x00, 0x5B, 0x01, 0x05, 0x5E, 0x01, 0x1A, 0x5F, 0x01, 0x20, 0x9D, 0x01,
192 0x00, 0x47, 0x01, 0x00, 0x5C, 0x01, 0x64, 0x5D, 0x01, 0x1E, 0x97, 0x01,
193 0x20, 0xF7, 0x01, 0x3C,
194};
195
196// Power Control, SET ATTRIBUTES
197
198/*
199 Object Class: Power Control
200 BTS relat. Number: 0
201 Instance 2: FF
202 Instance 3: FF
203SET ATTRIBUTES
204 enableMsPowerControl: 00h = Disabled
205 enablePowerControlRLFW: 00h = Disabled
206 pcAveragingLev:
207 A_LEV_PC: 4 SACCH multiframes
208 W_LEV_PC: 1 SACCH multiframes
209 pcAveragingQual:
210 A_QUAL_PC: 4 SACCH multiframes
211 W_QUAL_PC: 2 SACCH multiframes
212 pcLowerThresholdLevDL: 0Fh
213 pcLowerThresholdLevUL: 0Ah
214 pcLowerThresholdQualDL: 05h = 3.2% < BER < 6.4%
215 pcLowerThresholdQualUL: 05h = 3.2% < BER < 6.4%
216 pcRLFThreshold: 0Ch
217 pcUpperThresholdLevDL: 14h
218 pcUpperThresholdLevUL: 0Fh
219 pcUpperThresholdQualDL: 04h = 1.6% < BER < 3.2%
220 pcUpperThresholdQualUL: 04h = 1.6% < BER < 3.2%
221 powerConfirm: 2 ,unit 2 SACCH multiframes
222 powerControlInterval: 2 ,unit 2 SACCH multiframes
223 powerIncrStepSize: 02h = 4 dB
224 powerRedStepSize: 01h = 2 dB
225 radioLinkTimeoutBs: 64 SACCH multiframes
226 enableBSPowerControl: 00h = disabled
227*/
228
229unsigned char msg_4[] =
230{
231 0xD0, 0xA2, 0x00, 0xFF, 0xFF, 0x69, 0x00, 0x6B, 0x00, 0x7E, 0x04, 0x01,
232 0x7F, 0x04, 0x02, 0x80, 0x0F, 0x81, 0x0A, 0x82, 0x05, 0x83, 0x05, 0x84,
233 0x0C, 0x85, 0x14, 0x86, 0x0F, 0x87, 0x04, 0x88, 0x04, 0x89, 0x02, 0x8A,
234 0x02, 0x8B, 0x02, 0x8C, 0x01, 0x8D, 0x40, 0x65, 0x01, 0x00 // set to 0x01 to enable BSPowerControl
235};
236
237
238// Transceiver, SET TRX ATTRIBUTES (TRX 0)
239
240/*
241 Object Class: Transceiver
242 BTS relat. Number: 0
243 Tranceiver number: 0
244 Instance 3: FF
245SET TRX ATTRIBUTES
246 aRFCNList (HEX): 0001
247 txPwrMaxReduction: 00h = 0dB
248 radioMeasGran: 254 SACCH multiframes
249 radioMeasRep: 01h = enabled
250 memberOfEmergencyConfig: 01h = TRUE
251 trxArea: 00h = TRX doesn't belong to a concentric cell
252*/
253
254unsigned char msg_6[] =
255{
256 0x44, 0x02, 0x00, 0x00, 0xFF, 0x05, 0x01, 0x00, HARDCODED_ARFCN /*0x01*/, 0x2D,
257 0x00, 0xDC, 0x01, 0xFE, 0xDD, 0x01, 0x01, 0x9B, 0x01, 0x01, 0x9F, 0x01, 0x00,
258};
259
260
261static void bootstrap_om(struct gsm_bts *bts)
262{
263 struct gsm_bts_trx *trx = &bts->trx[0];
264
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]265 fprintf(stdout, "bootstrapping OML\n");
266
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]267 /* stop sending event reports */
268 abis_nm_event_reports(bts, 0);
269
270 /* begin DB transmission */
271 abis_nm_db_transmission(bts, 1);
272
Harald Welte702d8702008-12-26 20:25:35 +0000[diff] [blame]273 /* end DB transmission */
274 abis_nm_db_transmission(bts, 0);
275
276 /* Reset BTS Site manager resource */
277 abis_nm_reset_resource(bts);
278
279 /* begin DB transmission */
280 abis_nm_db_transmission(bts, 1);
281
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]282 abis_nm_raw_msg(bts, sizeof(msg_1), msg_1); /* set BTS SiteMgr attr*/
283 abis_nm_raw_msg(bts, sizeof(msg_2), msg_2); /* set BTS attr */
284 abis_nm_raw_msg(bts, sizeof(msg_3), msg_3); /* set BTS handover attr */
285 abis_nm_raw_msg(bts, sizeof(msg_4), msg_4); /* set BTS power control attr */
286
287 /* Connect signalling of bts0/trx0 to e1_0/ts1/64kbps */
288 abis_nm_conn_terr_sign(trx, 0, 1, 0xff);
289 abis_nm_raw_msg(bts, sizeof(msg_6), msg_6); /* SET TRX ATTRIBUTES */
290
291 /* Use TEI 1 for signalling */
292 abis_nm_establish_tei(bts, 0, 0, 1, 0xff, 0x01);
293 abis_nm_set_channel_attr(&trx->ts[0], NM_CHANC_SDCCH_CBCH);
294#if 0
295 /* TRX 1 */
296 abis_nm_conn_terr_sign(&bts->trx[1], 0, 1, 0xff);
297 /* FIXME: TRX ATTRIBUTE */
298 abis_nm_establish_tei(bts, 0, 0, 1, 0xff, 0x02);
299#endif
300
301 /* SET CHANNEL ATTRIBUTE TS1 */
302 abis_nm_set_channel_attr(&trx->ts[1], 0x09);
303 /* Connect traffic of bts0/trx0/ts1 to e1_0/ts2/b */
304 abis_nm_conn_terr_traf(&trx->ts[1], 0, 2, 1);
305
306 /* SET CHANNEL ATTRIBUTE TS2 */
307 abis_nm_set_channel_attr(&trx->ts[2], 0x09);
308 /* Connect traffic of bts0/trx0/ts2 to e1_0/ts2/c */
309 abis_nm_conn_terr_traf(&trx->ts[2], 0, 2, 2);
310
311 /* SET CHANNEL ATTRIBUTE TS3 */
312 abis_nm_set_channel_attr(&trx->ts[3], 0x09);
313 /* Connect traffic of bts0/trx0/ts3 to e1_0/ts2/d */
314 abis_nm_conn_terr_traf(&trx->ts[3], 0, 2, 3);
315
316 /* SET CHANNEL ATTRIBUTE TS4 */
317 abis_nm_set_channel_attr(&trx->ts[4], 0x09);
318 /* Connect traffic of bts0/trx0/ts4 to e1_0/ts3/a */
319 abis_nm_conn_terr_traf(&trx->ts[4], 0, 3, 0);
320
321 /* SET CHANNEL ATTRIBUTE TS5 */
322 abis_nm_set_channel_attr(&trx->ts[5], 0x09);
323 /* Connect traffic of bts0/trx0/ts5 to e1_0/ts3/b */
324 abis_nm_conn_terr_traf(&trx->ts[5], 0, 3, 1);
325
326 /* SET CHANNEL ATTRIBUTE TS6 */
327 abis_nm_set_channel_attr(&trx->ts[6], 0x09);
328 /* Connect traffic of bts0/trx0/ts6 to e1_0/ts3/c */
329 abis_nm_conn_terr_traf(&trx->ts[6], 0, 3, 2);
330
331 /* SET CHANNEL ATTRIBUTE TS7 */
332 abis_nm_set_channel_attr(&trx->ts[7], 0x09);
333 /* Connect traffic of bts0/trx0/ts7 to e1_0/ts3/d */
334 abis_nm_conn_terr_traf(&trx->ts[7], 0, 3, 3);
335
336 /* end DB transmission */
337 abis_nm_db_transmission(bts, 0);
338
339 /* Reset BTS Site manager resource */
340 abis_nm_reset_resource(bts);
341
342 /* restart sending event reports */
343 abis_nm_event_reports(bts, 1);
344}
345
Harald Welted1252502009-01-01 01:50:32 +0000[diff] [blame]346static int shutdown_om(struct gsm_bts *bts)
347{
348 /* stop sending event reports */
349 abis_nm_event_reports(bts, 0);
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]350
Harald Welted1252502009-01-01 01:50:32 +0000[diff] [blame]351 /* begin DB transmission */
352 abis_nm_db_transmission(bts, 1);
353
354 /* end DB transmission */
355 abis_nm_db_transmission(bts, 0);
356
357 /* Reset BTS Site manager resource */
358 abis_nm_reset_resource(bts);
359
360 return 0;
361}
362
363static int shutdown_net(struct gsm_network *net)
364{
365 int i;
366 for (i = 0; i < net->num_bts; i++) {
367 int rc;
368 rc = shutdown_om(&net->bts[i]);
369 if (rc < 0)
370 return rc;
371 }
372
373 return 0;
374}
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]375
376struct bcch_info {
377 u_int8_t type;
378 u_int8_t len;
379 const u_int8_t *data;
380};
381
382/*
383SYSTEM INFORMATION TYPE 1
384 Cell channel description
385 Format-ID bit map 0
386 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
387 RACH Control Parameters
388 maximum 7 retransmissions
389 8 slots used to spread transmission
390 cell not barred for access
391 call reestablishment not allowed
392 Access Control Class = 0000
393*/
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]394static u_int8_t si1[] = {
Holger Freyther4d505472008-12-28 16:32:42 +0000[diff] [blame]395 /* header */0x55, 0x06, 0x19,
396 /* ccdesc */0x04 /*0x00*/, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
397 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 /*0x01*/,
398 /* rach */0xD5, 0x00, 0x00,
399 /* s1 reset*/0x2B
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]400};
401
402/*
403 SYSTEM INFORMATION TYPE 2
404 Neighbour Cells Description
405 EXT-IND: Carries the complete BA
406 BA-IND = 0
407 Format-ID bit map 0
408 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
409 NCC permitted (NCC) = FF
410 RACH Control Parameters
411 maximum 7 retransmissions
412 8 slots used to spread transmission
413 cell not barred for access
414 call reestablishment not allowed
415 Access Control Class = 0000
416*/
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]417static u_int8_t si2[] = {
Holger Freyther4d505472008-12-28 16:32:42 +0000[diff] [blame]418 /* header */0x59, 0x06, 0x1A,
419 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
420 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
421 /* ncc */0xFF,
422 /* rach*/0xD5, 0x00, 0x00
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]423};
424
425/*
426SYSTEM INFORMATION TYPE 3
427 Cell identity = 00001 (1h)
428 Location area identification
429 Mobile Country Code (MCC): 001
430 Mobile Network Code (MNC): 01
431 Location Area Code (LAC): 00001 (1h)
432 Control Channel Description
433 Attach-detach: MSs in the cell are not allowed to apply IMSI attach /detach
434 0 blocks reserved for access grant
435 1 channel used for CCCH, with SDCCH
436 5 multiframes period for PAGING REQUEST
437 Time-out T3212 = 0
438 Cell Options BCCH
439 Power control indicator: not set
440 MSs shall not use uplink DTX
441 Radio link timeout = 36
442 Cell Selection Parameters
443 Cell reselect hysteresis = 6 dB RXLEV hysteresis for LA re-selection
Harald Welte3b2ec422008-12-29 04:11:14 +0000[diff] [blame]444 max.TX power level MS may use for CCH = 2 <- according to GSM05.05 39dBm (max)
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]445 Additional Reselect Parameter Indication (ACS) = only SYSTEM INFO 4: The SI rest octets, if present, shall be used to derive the value of PI and possibly C2 parameters
446 Half rate support (NECI): New establishment causes are not supported
447 min.RX signal level for MS = 0
448 RACH Control Parameters
449 maximum 7 retransmissions
450 8 slots used to spread transmission
451 cell not barred for access
452 call reestablishment not allowed
453 Access Control Class = 0000
454 SI 3 Rest Octets
455 Cell Bar Qualify (CBQ): 0
456 Cell Reselect Offset = 0 dB
457 Temporary Offset = 0 dB
458 Penalty Time = 20 s
459 System Information 2ter Indicator (2TI): 0 = not available
460 Early Classmark Sending Control (ECSC): 0 = forbidden
461 Scheduling Information is not sent in SYSTEM INFORMATION TYPE 9 on the BCCH
462*/
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]463static u_int8_t si3[] = {
Holger Freyther4d505472008-12-28 16:32:42 +0000[diff] [blame]464 /* header */0x49, 0x06, 0x1B,
465 /* cell */0x00, 0x01,
466 /* lai */0x00, 0xF1, 0x10, 0x00, 0x01,
467 /* desc */0x01, 0x03, 0x00,
468 /* option*/0x28,
469 /* selection*/0x62, 0x00,
470 /* rach */0xD5, 0x00, 0x00,
471 /* reset*/0x80, 0x00, 0x00, 0x2B
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]472};
473
474/*
475SYSTEM INFORMATION TYPE 4
476 Location area identification
477 Mobile Country Code (MCC): 001
478 Mobile Network Code (MNC): 01
479 Location Area Code (LAC): 00001 (1h)
480 Cell Selection Parameters
481 Cell reselect hysteresis = 6 dB RXLEV hysteresis for LA re-selection
482 max.TX power level MS may use for CCH = 2
483 Additional Reselect Parameter Indication (ACS) = only SYSTEM INFO 4: The SI rest octets, if present, shall be used to derive the value of PI and possibly C2 parameters
484 Half rate support (NECI): New establishment causes are not supported
485 min.RX signal level for MS = 0
486 RACH Control Parameters
487 maximum 7 retransmissions
488 8 slots used to spread transmission
489 cell not barred for access
490 call reestablishment not allowed
491 Access Control Class = 0000
492 Channel Description
493 Type = SDCCH/4[2]
494 Timeslot Number: 0
495 Training Sequence Code: 7h
496 ARFCN: 1
497 SI Rest Octets
498 Cell Bar Qualify (CBQ): 0
499 Cell Reselect Offset = 0 dB
500 Temporary Offset = 0 dB
501 Penalty Time = 20 s
502*/
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]503static u_int8_t si4[] = {
Holger Freyther4d505472008-12-28 16:32:42 +0000[diff] [blame]504 /* header */0x41, 0x06, 0x1C,
505 /* lai */0x00, 0xF1, 0x10, 0x00, 0x01,
506 /* sel */0x62, 0x00,
507 /* rach*/0xD5, 0x00, 0x00,
508 /* var */0x64, 0x30, 0xE0, HARDCODED_ARFCN/*0x01*/, 0x80, 0x00, 0x00,
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]509 0x2B, 0x2B, 0x2B
510};
511
512/*
513 SYSTEM INFORMATION TYPE 5
514 Neighbour Cells Description
515 EXT-IND: Carries the complete BA
516 BA-IND = 0
517 Format-ID bit map 0
518 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
519*/
520
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]521static u_int8_t si5[] = {
Holger Freyther4d505472008-12-28 16:32:42 +0000[diff] [blame]522 /* header without l2 len*/0x06, 0x1D,
523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]525};
526
527// SYSTEM INFORMATION TYPE 6
528
529/*
530SACCH FILLING
531 System Info Type: SYSTEM INFORMATION 6
532 L3 Information (Hex): 06 1E 00 01 xx xx 10 00 01 28 FF
533
534SYSTEM INFORMATION TYPE 6
535 Cell identity = 00001 (1h)
536 Location area identification
537 Mobile Country Code (MCC): 001
538 Mobile Network Code (MNC): 01
539 Location Area Code (LAC): 00001 (1h)
540 Cell Options SACCH
541 Power control indicator: not set
542 MSs shall not use uplink DTX on a TCH-F. MS shall not use uplink DTX on TCH-H.
543 Radio link timeout = 36
544 NCC permitted (NCC) = FF
545*/
546
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]547static u_int8_t si6[] = {
Holger Freyther4d505472008-12-28 16:32:42 +0000[diff] [blame]548 /* header */0x06, 0x1E,
549 /* cell id*/ 0x00, 0x01,
550 /* lai */ 0x00, 0xF1, 0x10, 0x00, 0x01,
551 /* options */ 0x28,
552 /* ncc */ 0xFF,
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]553};
554
555
556
557static const struct bcch_info bcch_infos[] = {
558 {
559 .type = RSL_SYSTEM_INFO_1,
560 .len = sizeof(si1),
561 .data = si1,
562 }, {
563 .type = RSL_SYSTEM_INFO_2,
564 .len = sizeof(si2),
565 .data = si2,
566 }, {
567 .type = RSL_SYSTEM_INFO_3,
568 .len = sizeof(si3),
569 .data = si3,
570 }, {
571 .type = RSL_SYSTEM_INFO_4,
572 .len = sizeof(si4),
573 .data = si4,
574 },
575};
576
Holger Freyther24287b62008-12-28 16:32:41 +0000[diff] [blame]577static_assert(sizeof(si1) == sizeof(struct gsm48_system_information_type_1), type1)
578static_assert(sizeof(si2) == sizeof(struct gsm48_system_information_type_2), type2)
579static_assert(sizeof(si3) == sizeof(struct gsm48_system_information_type_3), type3)
580static_assert(sizeof(si4) >= sizeof(struct gsm48_system_information_type_4), type4)
Harald Welte104604e2008-12-28 16:36:11 +0000[diff] [blame]581static_assert(sizeof(si5) == sizeof(struct gsm48_system_information_type_5), type5)
582static_assert(sizeof(si6) >= sizeof(struct gsm48_system_information_type_6), type6)
Holger Freyther24287b62008-12-28 16:32:41 +0000[diff] [blame]583
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]584/* set all system information types */
585static int set_system_infos(struct gsm_bts *bts)
586{
587 int i;
588
589 for (i = 0; i < ARRAY_SIZE(bcch_infos); i++) {
590 rsl_bcch_info(bts, bcch_infos[i].type,
591 bcch_infos[i].data,
592 bcch_infos[i].len);
593 }
594 rsl_sacch_filling(bts, RSL_SYSTEM_INFO_5, si5, sizeof(si5));
595 rsl_sacch_filling(bts, RSL_SYSTEM_INFO_6, si6, sizeof(si6));
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]596
597 return 0;
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]598}
599
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]600/*
601 * Patch the various SYSTEM INFORMATION tables to update
602 * the LAI
603 */
604static void patch_tables(struct gsm_bts *bts)
605{
606 /* covert the raw packet to the struct */
607 struct gsm48_system_information_type_3 *type_3 =
608 (struct gsm48_system_information_type_3*)&si3;
609 struct gsm48_system_information_type_4 *type_4 =
610 (struct gsm48_system_information_type_4*)&si4;
611 struct gsm48_system_information_type_6 *type_6 =
612 (struct gsm48_system_information_type_6*)&si6;
Harald Welteb84e2f42008-12-28 23:42:04 +0000[diff] [blame]613 struct gsm48_loc_area_id lai;
614
615 gsm0408_generate_lai(&lai, bts->network->country_code,
616 bts->network->network_code, bts->location_area_code);
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]617
618 /* assign the MCC and MNC */
Harald Welteb84e2f42008-12-28 23:42:04 +0000[diff] [blame]619 type_3->lai = lai;
620 type_4->lai = lai;
621 type_6->lai = lai;
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]622}
623
624
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]625static void bootstrap_rsl(struct gsm_bts *bts)
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]626{
Harald Welteb84e2f42008-12-28 23:42:04 +0000[diff] [blame]627 fprintf(stdout, "bootstrapping RSL MCC=%u MNC=%u\n", MCC, MNC);
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]628 patch_tables(bts);
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]629 set_system_infos(bts);
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]630}
631
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]632static void mi_cb(int event, struct gsm_bts *bts)
633{
634 switch (event) {
635 case EVT_E1_OML_UP:
636 bootstrap_om(bts);
637 break;
638 case EVT_E1_RSL_UP:
639 bootstrap_rsl(bts);
640 break;
641 default:
642 /* FIXME: deal with TEI or L1 link loss */
643 break;
644 }
645}
646
647static int bootstrap_network(void)
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]648{
649 struct gsm_bts *bts;
650
651 /* initialize our data structures */
Holger Freytherefde7fb2008-12-28 14:14:56 +0000[diff] [blame]652 gsmnet = gsm_network_init(1, MCC, MNC);
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]653 if (!gsmnet)
654 return -ENOMEM;
Harald Weltef5cbab72008-12-30 18:00:15 +0000[diff] [blame]655
656 gsmnet->name_short = "25C3";
657 gsmnet->name_long = "25C3 GSM";
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]658 bts = &gsmnet->bts[0];
659 bts->location_area_code = 1;
660 bts->trx[0].arfcn = HARDCODED_ARFCN;
661
Holger Freyther219518d2009-01-02 22:04:43 +0000[diff] [blame]662 telnet_init(gsmnet, 4242);
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]663 if (mi_setup(bts, 0, mi_cb) < 0)
664 return -EIO;
665
666 return 0;
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]667}
Harald Weltef6b7a902008-12-26 00:05:11 +0000[diff] [blame]668
Holger Freyther9a3ee0f2009-01-02 00:40:15 +0000[diff] [blame]669
670static void create_pcap_file(char *file)
671{
672 mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
673 int fd = open(file, O_WRONLY|O_TRUNC|O_CREAT, mode);
674
675 if (fd < 0) {
676 perror("Failed to open file for pcap");
677 return;
678 }
679
680 mi_set_pcap_fd(fd);
681}
682
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]683static void print_usage()
684{
685 printf("Usage: bsc_hack\n");
686}
687
688static void print_help()
689{
690 printf(" Some useful help...\n");
691 printf(" -d option --debug=DRLL:DCC:DMM:DRR:DRSL:DNM enable debugging\n");
Holger Freytherefde7fb2008-12-28 14:14:56 +0000[diff] [blame]692 printf(" -s --disable-color\n");
693 printf(" -n --network-code number(MNC) \n");
694 printf(" -c --country-code number (MCC) \n");
Holger Freytherbde36102008-12-28 22:51:39 +0000[diff] [blame]695 printf(" -l --database db-name The database to use\n");
Holger Freyther89824fc2008-12-30 16:18:18 +0000[diff] [blame]696 printf(" -a --authorize-everyone Allow everyone into the network.\n");
Holger Freythere97f7fb2008-12-31 18:52:11 +0000[diff] [blame]697 printf(" -r --reject-cause number The reject cause for LOCATION UPDATING REJECT.\n");
Holger Freyther9a3ee0f2009-01-02 00:40:15 +0000[diff] [blame]698 printf(" -p --pcap file The filename of the pcap file\n");
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]699 printf(" -h --help this text\n");
700}
701
702static void handle_options(int argc, char** argv)
703{
704 while (1) {
705 int option_index = 0, c;
706 static struct option long_options[] = {
707 {"help", 0, 0, 'h'},
708 {"debug", 1, 0, 'd'},
Holger Freytherefde7fb2008-12-28 14:14:56 +0000[diff] [blame]709 {"disable-color", 0, 0, 's'},
710 {"network-code", 1, 0, 'n'},
711 {"country-code", 1, 0, 'c'},
Holger Freytherbde36102008-12-28 22:51:39 +0000[diff] [blame]712 {"database", 1, 0, 'l'},
Holger Freyther89824fc2008-12-30 16:18:18 +0000[diff] [blame]713 {"authorize-everyone", 0, 0, 'a'},
Holger Freythere97f7fb2008-12-31 18:52:11 +0000[diff] [blame]714 {"reject-cause", 1, 0, 'r'},
Holger Freyther9a3ee0f2009-01-02 00:40:15 +0000[diff] [blame]715 {"pcap", 1, 0, 'p'},
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]716 {0, 0, 0, 0}
717 };
718
Holger Freyther9a3ee0f2009-01-02 00:40:15 +0000[diff] [blame]719 c = getopt_long(argc, argv, "hc:n:d:sar:p:",
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]720 long_options, &option_index);
721 if (c == -1)
722 break;
723
724 switch (c) {
725 case 'h':
726 print_usage();
727 print_help();
728 exit(0);
Holger Freytherefde7fb2008-12-28 14:14:56 +0000[diff] [blame]729 case 's':
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]730 debug_use_color(0);
731 break;
732 case 'd':
733 debug_parse_category_mask(optarg);
734 break;
Holger Freytherefde7fb2008-12-28 14:14:56 +0000[diff] [blame]735 case 'n':
736 MNC = atoi(optarg);
737 break;
738 case 'c':
739 MCC = atoi(optarg);
740 break;
Harald Welte8965da42009-01-06 18:09:02 +0000[diff] [blame^]741 case 'l':
Holger Freytherbde36102008-12-28 22:51:39 +0000[diff] [blame]742 database_name = strdup(optarg);
743 break;
Holger Freyther89824fc2008-12-30 16:18:18 +0000[diff] [blame]744 case 'a':
745 gsm0408_allow_everyone(1);
746 break;
Holger Freythere97f7fb2008-12-31 18:52:11 +0000[diff] [blame]747 case 'r':
748 gsm0408_set_reject_cause(atoi(optarg));
749 break;
Holger Freyther9a3ee0f2009-01-02 00:40:15 +0000[diff] [blame]750 case 'p':
751 create_pcap_file(optarg);
752 break;
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]753 default:
754 /* ignore */
755 break;
756 }
757 }
758}
759
Harald Welted1252502009-01-01 01:50:32 +0000[diff] [blame]760static void signal_handler(int signal)
761{
762 fprintf(stdout, "signal %u received\n", signal);
763
764 switch (signal) {
765 case SIGHUP:
766 case SIGABRT:
767 shutdown_net(gsmnet);
768 break;
769 default:
770 break;
771 }
772}
773
Harald Weltef6b7a902008-12-26 00:05:11 +0000[diff] [blame]774int main(int argc, char **argv)
775{
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]776 /* parse options */
777 handle_options(argc, argv);
778
Holger Freytherbde36102008-12-28 22:51:39 +0000[diff] [blame]779 if (db_init(database_name)) {
Harald Welte75a983f2008-12-27 21:34:06 +0000[diff] [blame]780 printf("DB: Failed to init database. Please check the option settings.\n");
781 return 1;
782 }
783 printf("DB: Database initialized.\n");
784
785 if (db_prepare()) {
786 printf("DB: Failed to prepare database.\n");
787 return 1;
788 }
789 printf("DB: Database prepared.\n");
790
Harald Weltef6b7a902008-12-26 00:05:11 +0000[diff] [blame]791 bootstrap_network();
792
Harald Welted1252502009-01-01 01:50:32 +0000[diff] [blame]793 signal(SIGHUP, &signal_handler);
794 signal(SIGABRT, &signal_handler);
795
Harald Weltef6b7a902008-12-26 00:05:11 +0000[diff] [blame]796 while (1) {
797 bsc_select_main();
798 }
799}