Gitiles
Code Review Sign In
gerrit.osmocom.org / osmo-sgsn / 9898188ca793b138340927fc93f0dbb2baa304a8 / . / src / bsc_hack.c
blob: 2c6d164913cac17eb89a09cae22793451d65e6de [file] [log] [blame]
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]1/* A hackish minimal BSC (+MSC +HLR) implementation */
2
3/* (C) 2008 by Harald Welte <laforge@gnumonks.org>
Holger Freyther219518d2009-01-02 22:04:43 +0000[diff] [blame]4 * (C) 2009 by Holger Hans Peter Freyther <zecke@selfish.org>
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]5 * All Rights Reserved
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 */
22
Harald Weltef6b7a902008-12-26 00:05:11 +0000[diff] [blame]23#include <unistd.h>
24#include <stdlib.h>
25#include <stdio.h>
26#include <stdarg.h>
27#include <time.h>
28#include <string.h>
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]29#include <errno.h>
Harald Welted1252502009-01-01 01:50:32 +0000[diff] [blame]30#include <signal.h>
Holger Freyther9a3ee0f2009-01-02 00:40:15 +0000[diff] [blame]31#include <fcntl.h>
32#include <sys/stat.h>
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]33
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]34#define _GNU_SOURCE
35#include <getopt.h>
36
Harald Welte255539c2008-12-28 02:26:27 +0000[diff] [blame]37#include <openbsc/db.h>
38#include <openbsc/timer.h>
Harald Welte8470bf22008-12-25 23:28:35 +0000[diff] [blame]39#include <openbsc/gsm_data.h>
Harald Welte255539c2008-12-28 02:26:27 +0000[diff] [blame]40#include <openbsc/gsm_04_08.h>
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]41#include <openbsc/select.h>
Harald Welte8470bf22008-12-25 23:28:35 +0000[diff] [blame]42#include <openbsc/abis_rsl.h>
43#include <openbsc/abis_nm.h>
Harald Welte702d8702008-12-26 20:25:35 +0000[diff] [blame]44#include <openbsc/debug.h>
Holger Freyther5677ae32008-12-27 09:41:03 +0000[diff] [blame]45#include <openbsc/misdn.h>
Holger Freyther219518d2009-01-02 22:04:43 +0000[diff] [blame]46#include <openbsc/telnet_interface.h>
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]47
48/* global pointer to the gsm network data structure */
49static struct gsm_network *gsmnet;
50
Holger Freytherefde7fb2008-12-28 14:14:56 +0000[diff] [blame]51/* MCC and MNC for the Location Area Identifier */
52static int MCC = 1;
53static int MNC = 1;
Harald Welte98981882009-01-06 18:59:11 +0000[diff] [blame^]54static int ARFCN = HARDCODED_ARFCN;
Holger Freytherbde36102008-12-28 22:51:39 +0000[diff] [blame]55static const char *database_name = "hlr.sqlite3";
Holger Freytherefde7fb2008-12-28 14:14:56 +0000[diff] [blame]56
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]57/* The following definitions are for OM and NM packets that we cannot yet
58 * generate by code but we just pass on */
59
60// BTS Site Manager, SET ATTRIBUTES
61
62/*
63 Object Class: BTS Site Manager
64 Instance 1: FF
65 Instance 2: FF
66 Instance 3: FF
67SET ATTRIBUTES
68 sAbisExternalTime: 2007/09/08 14:36:11
69 omLAPDRelTimer: 30sec
70 shortLAPDIntTimer: 5sec
71 emergencyTimer1: 10 minutes
72 emergencyTimer2: 0 minutes
73*/
74
75unsigned char msg_1[] =
76{
77 0xD0, 0x00, 0xFF, 0xFF, 0xFF, 0x91, 0x07, 0xD7, 0x09, 0x08, 0x0E, 0x24,
78 0x0B, 0xCE, 0x02, 0x00, 0x1E, 0xE8, 0x01, 0x05, 0x42, 0x02, 0x00, 0x0A, 0x44,
79 0x02, 0x00, 0x00
80};
81
82// BTS, SET BTS ATTRIBUTES
83
84/*
85 Object Class: BTS
86 BTS relat. Number: 0
87 Instance 2: FF
88 Instance 3: FF
89SET BTS ATTRIBUTES
90 bsIdentityCode / BSIC:
91 PLMN_colour_code: 7h
92 BS_colour_code: 7h
93 BTS Air Timer T3105: 4 ,unit 10 ms
94 btsIsHopping: FALSE
95 periodCCCHLoadIndication: 255sec
96 thresholdCCCHLoadIndication: 100%
97 cellAllocationNumber: 00h = GSM 900
98 enableInterferenceClass: 00h = Disabled
99 fACCHQual: 6 (FACCH stealing flags minus 1)
100 intaveParameter: 31 SACCH multiframes
101 interferenceLevelBoundaries:
102 Interference Boundary 1: 0Ah
103 Interference Boundary 2: 0Fh
104 Interference Boundary 3: 14h
105 Interference Boundary 4: 19h
106 Interference Boundary 5: 1Eh
107 mSTxPwrMax: 11
108 GSM range: 2=39dBm, 15=13dBm, stepsize 2 dBm
109 DCS1800 range: 0=30dBm, 15=0dBm, stepsize 2 dBm
110 PCS1900 range: 0=30dBm, 15=0dBm, stepsize 2 dBm
111 30=33dBm, 31=32dBm
112 ny1:
113 Maximum number of repetitions for PHYSICAL INFORMATION message (GSM 04.08): 20
114 powerOutputThresholds:
115 Out Power Fault Threshold: -10 dB
116 Red Out Power Threshold: - 6 dB
117 Excessive Out Power Threshold: 5 dB
118 rACHBusyThreshold: -127 dBm
119 rACHLoadAveragingSlots: 250 ,number of RACH burst periods
120 rfResourceIndicationPeriod: 125 SACCH multiframes
121 T200:
122 SDCCH: 044 in 5 ms
123 FACCH/Full rate: 031 in 5 ms
124 FACCH/Half rate: 041 in 5 ms
125 SACCH with TCH SAPI0: 090 in 10 ms
126 SACCH with SDCCH: 090 in 10 ms
127 SDCCH with SAPI3: 090 in 5 ms
128 SACCH with TCH SAPI3: 135 in 10 ms
129 tSync: 9000 units of 10 msec
130 tTrau: 9000 units of 10 msec
131 enableUmLoopTest: 00h = disabled
132 enableExcessiveDistance: 00h = Disabled
133 excessiveDistance: 64km
134 hoppingMode: 00h = baseband hopping
135 cellType: 00h = Standard Cell
136 BCCH ARFCN / bCCHFrequency: 1
137*/
138
139unsigned char msg_2[] =
140{
141 0x41, 0x01, 0x00, 0xFF, 0xFF, 0x09, 0x3F, 0x0A, 0x04, 0x61, 0x00, 0x0B,
142 0xFF, 0x0C, 0x64, 0x62, 0x00, 0x66, 0x00, 0x6E, 0x06, 0x18, 0x1F, 0x19,
143 0x0A, 0x0F, 0x14, 0x19, 0x1E, 0x7B, 0x0B, 0x23, 0x14, 0x28, 0x00, 0x04,
144 0x03, 0x2A, 0x7F, 0x2B, 0x00, 0xFA, 0x8F, 0x7D, 0x33, 0x2C, 0x1F, 0x29,
145 0x5A, 0x5A, 0x5A, 0x87, 0x94, 0x23, 0x28, 0x95, 0x23, 0x28, 0x35, 0x01,
146 0x00, 0x46, 0x01, 0x00, 0x58, 0x01, 0x40, 0xC5, 0x01, 0x00, 0xF2, 0x01,
147 0x00, 0x08, 0x00, HARDCODED_ARFCN/*0x01*/,
148};
149
150// Handover Recognition, SET ATTRIBUTES
151
152/*
153Illegal Contents GSM Formatted O&M Msg
154 Object Class: Handover Recognition
155 BTS relat. Number: 0
156 Instance 2: FF
157 Instance 3: FF
158SET ATTRIBUTES
159 enableDelayPowerBudgetHO: 00h = Disabled
160 enableDistanceHO: 00h = Disabled
161 enableInternalInterCellHandover: 00h = Disabled
162 enableInternalIntraCellHandover: 00h = Disabled
163 enablePowerBudgetHO: 00h = Disabled
164 enableRXLEVHO: 00h = Disabled
165 enableRXQUALHO: 00h = Disabled
166 hoAveragingDistance: 8 SACCH multiframes
167 hoAveragingLev:
168 A_LEV_HO: 8 SACCH multiframes
169 W_LEV_HO: 1 SACCH multiframes
170 hoAveragingPowerBudget: 16 SACCH multiframes
171 hoAveragingQual:
172 A_QUAL_HO: 8 SACCH multiframes
173 W_QUAL_HO: 2 SACCH multiframes
174 hoLowerThresholdLevDL: (10 - 110) dBm
175 hoLowerThresholdLevUL: (5 - 110) dBm
176 hoLowerThresholdQualDL: 06h = 6.4% < BER < 12.8%
177 hoLowerThresholdQualUL: 06h = 6.4% < BER < 12.8%
178 hoThresholdLevDLintra : (20 - 110) dBm
179 hoThresholdLevULintra: (20 - 110) dBm
180 hoThresholdMsRangeMax: 20 km
181 nCell: 06h
182 timerHORequest: 3 ,unit 2 SACCH multiframes
183*/
184
185unsigned char msg_3[] =
186{
187 0xD0, 0xA1, 0x00, 0xFF, 0xFF, 0xD0, 0x00, 0x64, 0x00, 0x67, 0x00, 0x68,
188 0x00, 0x6A, 0x00, 0x6C, 0x00, 0x6D, 0x00, 0x6F, 0x08, 0x70, 0x08, 0x01,
189 0x71, 0x10, 0x10, 0x10, 0x72, 0x08, 0x02, 0x73, 0x0A, 0x74, 0x05, 0x75,
190 0x06, 0x76, 0x06, 0x78, 0x14, 0x79, 0x14, 0x7A, 0x14, 0x7D, 0x06, 0x92,
191 0x03, 0x20, 0x01, 0x00, 0x45, 0x01, 0x00, 0x48, 0x01, 0x00, 0x5A, 0x01,
192 0x00, 0x5B, 0x01, 0x05, 0x5E, 0x01, 0x1A, 0x5F, 0x01, 0x20, 0x9D, 0x01,
193 0x00, 0x47, 0x01, 0x00, 0x5C, 0x01, 0x64, 0x5D, 0x01, 0x1E, 0x97, 0x01,
194 0x20, 0xF7, 0x01, 0x3C,
195};
196
197// Power Control, SET ATTRIBUTES
198
199/*
200 Object Class: Power Control
201 BTS relat. Number: 0
202 Instance 2: FF
203 Instance 3: FF
204SET ATTRIBUTES
205 enableMsPowerControl: 00h = Disabled
206 enablePowerControlRLFW: 00h = Disabled
207 pcAveragingLev:
208 A_LEV_PC: 4 SACCH multiframes
209 W_LEV_PC: 1 SACCH multiframes
210 pcAveragingQual:
211 A_QUAL_PC: 4 SACCH multiframes
212 W_QUAL_PC: 2 SACCH multiframes
213 pcLowerThresholdLevDL: 0Fh
214 pcLowerThresholdLevUL: 0Ah
215 pcLowerThresholdQualDL: 05h = 3.2% < BER < 6.4%
216 pcLowerThresholdQualUL: 05h = 3.2% < BER < 6.4%
217 pcRLFThreshold: 0Ch
218 pcUpperThresholdLevDL: 14h
219 pcUpperThresholdLevUL: 0Fh
220 pcUpperThresholdQualDL: 04h = 1.6% < BER < 3.2%
221 pcUpperThresholdQualUL: 04h = 1.6% < BER < 3.2%
222 powerConfirm: 2 ,unit 2 SACCH multiframes
223 powerControlInterval: 2 ,unit 2 SACCH multiframes
224 powerIncrStepSize: 02h = 4 dB
225 powerRedStepSize: 01h = 2 dB
226 radioLinkTimeoutBs: 64 SACCH multiframes
227 enableBSPowerControl: 00h = disabled
228*/
229
230unsigned char msg_4[] =
231{
232 0xD0, 0xA2, 0x00, 0xFF, 0xFF, 0x69, 0x00, 0x6B, 0x00, 0x7E, 0x04, 0x01,
233 0x7F, 0x04, 0x02, 0x80, 0x0F, 0x81, 0x0A, 0x82, 0x05, 0x83, 0x05, 0x84,
234 0x0C, 0x85, 0x14, 0x86, 0x0F, 0x87, 0x04, 0x88, 0x04, 0x89, 0x02, 0x8A,
235 0x02, 0x8B, 0x02, 0x8C, 0x01, 0x8D, 0x40, 0x65, 0x01, 0x00 // set to 0x01 to enable BSPowerControl
236};
237
238
239// Transceiver, SET TRX ATTRIBUTES (TRX 0)
240
241/*
242 Object Class: Transceiver
243 BTS relat. Number: 0
244 Tranceiver number: 0
245 Instance 3: FF
246SET TRX ATTRIBUTES
247 aRFCNList (HEX): 0001
248 txPwrMaxReduction: 00h = 0dB
249 radioMeasGran: 254 SACCH multiframes
250 radioMeasRep: 01h = enabled
251 memberOfEmergencyConfig: 01h = TRUE
252 trxArea: 00h = TRX doesn't belong to a concentric cell
253*/
254
255unsigned char msg_6[] =
256{
257 0x44, 0x02, 0x00, 0x00, 0xFF, 0x05, 0x01, 0x00, HARDCODED_ARFCN /*0x01*/, 0x2D,
258 0x00, 0xDC, 0x01, 0xFE, 0xDD, 0x01, 0x01, 0x9B, 0x01, 0x01, 0x9F, 0x01, 0x00,
259};
260
261
262static void bootstrap_om(struct gsm_bts *bts)
263{
264 struct gsm_bts_trx *trx = &bts->trx[0];
265
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]266 fprintf(stdout, "bootstrapping OML\n");
267
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]268 /* stop sending event reports */
269 abis_nm_event_reports(bts, 0);
270
271 /* begin DB transmission */
272 abis_nm_db_transmission(bts, 1);
273
Harald Welte702d8702008-12-26 20:25:35 +0000[diff] [blame]274 /* end DB transmission */
275 abis_nm_db_transmission(bts, 0);
276
277 /* Reset BTS Site manager resource */
278 abis_nm_reset_resource(bts);
279
280 /* begin DB transmission */
281 abis_nm_db_transmission(bts, 1);
282
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]283 abis_nm_raw_msg(bts, sizeof(msg_1), msg_1); /* set BTS SiteMgr attr*/
284 abis_nm_raw_msg(bts, sizeof(msg_2), msg_2); /* set BTS attr */
285 abis_nm_raw_msg(bts, sizeof(msg_3), msg_3); /* set BTS handover attr */
286 abis_nm_raw_msg(bts, sizeof(msg_4), msg_4); /* set BTS power control attr */
287
288 /* Connect signalling of bts0/trx0 to e1_0/ts1/64kbps */
289 abis_nm_conn_terr_sign(trx, 0, 1, 0xff);
290 abis_nm_raw_msg(bts, sizeof(msg_6), msg_6); /* SET TRX ATTRIBUTES */
291
292 /* Use TEI 1 for signalling */
293 abis_nm_establish_tei(bts, 0, 0, 1, 0xff, 0x01);
294 abis_nm_set_channel_attr(&trx->ts[0], NM_CHANC_SDCCH_CBCH);
295#if 0
296 /* TRX 1 */
297 abis_nm_conn_terr_sign(&bts->trx[1], 0, 1, 0xff);
298 /* FIXME: TRX ATTRIBUTE */
299 abis_nm_establish_tei(bts, 0, 0, 1, 0xff, 0x02);
300#endif
301
302 /* SET CHANNEL ATTRIBUTE TS1 */
303 abis_nm_set_channel_attr(&trx->ts[1], 0x09);
304 /* Connect traffic of bts0/trx0/ts1 to e1_0/ts2/b */
305 abis_nm_conn_terr_traf(&trx->ts[1], 0, 2, 1);
306
307 /* SET CHANNEL ATTRIBUTE TS2 */
308 abis_nm_set_channel_attr(&trx->ts[2], 0x09);
309 /* Connect traffic of bts0/trx0/ts2 to e1_0/ts2/c */
310 abis_nm_conn_terr_traf(&trx->ts[2], 0, 2, 2);
311
312 /* SET CHANNEL ATTRIBUTE TS3 */
313 abis_nm_set_channel_attr(&trx->ts[3], 0x09);
314 /* Connect traffic of bts0/trx0/ts3 to e1_0/ts2/d */
315 abis_nm_conn_terr_traf(&trx->ts[3], 0, 2, 3);
316
317 /* SET CHANNEL ATTRIBUTE TS4 */
318 abis_nm_set_channel_attr(&trx->ts[4], 0x09);
319 /* Connect traffic of bts0/trx0/ts4 to e1_0/ts3/a */
320 abis_nm_conn_terr_traf(&trx->ts[4], 0, 3, 0);
321
322 /* SET CHANNEL ATTRIBUTE TS5 */
323 abis_nm_set_channel_attr(&trx->ts[5], 0x09);
324 /* Connect traffic of bts0/trx0/ts5 to e1_0/ts3/b */
325 abis_nm_conn_terr_traf(&trx->ts[5], 0, 3, 1);
326
327 /* SET CHANNEL ATTRIBUTE TS6 */
328 abis_nm_set_channel_attr(&trx->ts[6], 0x09);
329 /* Connect traffic of bts0/trx0/ts6 to e1_0/ts3/c */
330 abis_nm_conn_terr_traf(&trx->ts[6], 0, 3, 2);
331
332 /* SET CHANNEL ATTRIBUTE TS7 */
333 abis_nm_set_channel_attr(&trx->ts[7], 0x09);
334 /* Connect traffic of bts0/trx0/ts7 to e1_0/ts3/d */
335 abis_nm_conn_terr_traf(&trx->ts[7], 0, 3, 3);
336
337 /* end DB transmission */
338 abis_nm_db_transmission(bts, 0);
339
340 /* Reset BTS Site manager resource */
341 abis_nm_reset_resource(bts);
342
343 /* restart sending event reports */
344 abis_nm_event_reports(bts, 1);
345}
346
Harald Welted1252502009-01-01 01:50:32 +0000[diff] [blame]347static int shutdown_om(struct gsm_bts *bts)
348{
349 /* stop sending event reports */
350 abis_nm_event_reports(bts, 0);
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]351
Harald Welted1252502009-01-01 01:50:32 +0000[diff] [blame]352 /* begin DB transmission */
353 abis_nm_db_transmission(bts, 1);
354
355 /* end DB transmission */
356 abis_nm_db_transmission(bts, 0);
357
358 /* Reset BTS Site manager resource */
359 abis_nm_reset_resource(bts);
360
361 return 0;
362}
363
364static int shutdown_net(struct gsm_network *net)
365{
366 int i;
367 for (i = 0; i < net->num_bts; i++) {
368 int rc;
369 rc = shutdown_om(&net->bts[i]);
370 if (rc < 0)
371 return rc;
372 }
373
374 return 0;
375}
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]376
377struct bcch_info {
378 u_int8_t type;
379 u_int8_t len;
380 const u_int8_t *data;
381};
382
383/*
384SYSTEM INFORMATION TYPE 1
385 Cell channel description
386 Format-ID bit map 0
387 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
388 RACH Control Parameters
389 maximum 7 retransmissions
390 8 slots used to spread transmission
391 cell not barred for access
392 call reestablishment not allowed
393 Access Control Class = 0000
394*/
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]395static u_int8_t si1[] = {
Holger Freyther4d505472008-12-28 16:32:42 +0000[diff] [blame]396 /* header */0x55, 0x06, 0x19,
397 /* ccdesc */0x04 /*0x00*/, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
398 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 /*0x01*/,
399 /* rach */0xD5, 0x00, 0x00,
400 /* s1 reset*/0x2B
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]401};
402
403/*
404 SYSTEM INFORMATION TYPE 2
405 Neighbour Cells Description
406 EXT-IND: Carries the complete BA
407 BA-IND = 0
408 Format-ID bit map 0
409 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
410 NCC permitted (NCC) = FF
411 RACH Control Parameters
412 maximum 7 retransmissions
413 8 slots used to spread transmission
414 cell not barred for access
415 call reestablishment not allowed
416 Access Control Class = 0000
417*/
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]418static u_int8_t si2[] = {
Holger Freyther4d505472008-12-28 16:32:42 +0000[diff] [blame]419 /* header */0x59, 0x06, 0x1A,
420 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
421 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
422 /* ncc */0xFF,
423 /* rach*/0xD5, 0x00, 0x00
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]424};
425
426/*
427SYSTEM INFORMATION TYPE 3
428 Cell identity = 00001 (1h)
429 Location area identification
430 Mobile Country Code (MCC): 001
431 Mobile Network Code (MNC): 01
432 Location Area Code (LAC): 00001 (1h)
433 Control Channel Description
434 Attach-detach: MSs in the cell are not allowed to apply IMSI attach /detach
435 0 blocks reserved for access grant
436 1 channel used for CCCH, with SDCCH
437 5 multiframes period for PAGING REQUEST
438 Time-out T3212 = 0
439 Cell Options BCCH
440 Power control indicator: not set
441 MSs shall not use uplink DTX
442 Radio link timeout = 36
443 Cell Selection Parameters
444 Cell reselect hysteresis = 6 dB RXLEV hysteresis for LA re-selection
Harald Welte3b2ec422008-12-29 04:11:14 +0000[diff] [blame]445 max.TX power level MS may use for CCH = 2 <- according to GSM05.05 39dBm (max)
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]446 Additional Reselect Parameter Indication (ACS) = only SYSTEM INFO 4: The SI rest octets, if present, shall be used to derive the value of PI and possibly C2 parameters
447 Half rate support (NECI): New establishment causes are not supported
448 min.RX signal level for MS = 0
449 RACH Control Parameters
450 maximum 7 retransmissions
451 8 slots used to spread transmission
452 cell not barred for access
453 call reestablishment not allowed
454 Access Control Class = 0000
455 SI 3 Rest Octets
456 Cell Bar Qualify (CBQ): 0
457 Cell Reselect Offset = 0 dB
458 Temporary Offset = 0 dB
459 Penalty Time = 20 s
460 System Information 2ter Indicator (2TI): 0 = not available
461 Early Classmark Sending Control (ECSC): 0 = forbidden
462 Scheduling Information is not sent in SYSTEM INFORMATION TYPE 9 on the BCCH
463*/
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]464static u_int8_t si3[] = {
Holger Freyther4d505472008-12-28 16:32:42 +0000[diff] [blame]465 /* header */0x49, 0x06, 0x1B,
466 /* cell */0x00, 0x01,
467 /* lai */0x00, 0xF1, 0x10, 0x00, 0x01,
468 /* desc */0x01, 0x03, 0x00,
469 /* option*/0x28,
470 /* selection*/0x62, 0x00,
471 /* rach */0xD5, 0x00, 0x00,
472 /* reset*/0x80, 0x00, 0x00, 0x2B
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]473};
474
475/*
476SYSTEM INFORMATION TYPE 4
477 Location area identification
478 Mobile Country Code (MCC): 001
479 Mobile Network Code (MNC): 01
480 Location Area Code (LAC): 00001 (1h)
481 Cell Selection Parameters
482 Cell reselect hysteresis = 6 dB RXLEV hysteresis for LA re-selection
483 max.TX power level MS may use for CCH = 2
484 Additional Reselect Parameter Indication (ACS) = only SYSTEM INFO 4: The SI rest octets, if present, shall be used to derive the value of PI and possibly C2 parameters
485 Half rate support (NECI): New establishment causes are not supported
486 min.RX signal level for MS = 0
487 RACH Control Parameters
488 maximum 7 retransmissions
489 8 slots used to spread transmission
490 cell not barred for access
491 call reestablishment not allowed
492 Access Control Class = 0000
493 Channel Description
494 Type = SDCCH/4[2]
495 Timeslot Number: 0
496 Training Sequence Code: 7h
497 ARFCN: 1
498 SI Rest Octets
499 Cell Bar Qualify (CBQ): 0
500 Cell Reselect Offset = 0 dB
501 Temporary Offset = 0 dB
502 Penalty Time = 20 s
503*/
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]504static u_int8_t si4[] = {
Holger Freyther4d505472008-12-28 16:32:42 +0000[diff] [blame]505 /* header */0x41, 0x06, 0x1C,
506 /* lai */0x00, 0xF1, 0x10, 0x00, 0x01,
507 /* sel */0x62, 0x00,
508 /* rach*/0xD5, 0x00, 0x00,
509 /* var */0x64, 0x30, 0xE0, HARDCODED_ARFCN/*0x01*/, 0x80, 0x00, 0x00,
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]510 0x2B, 0x2B, 0x2B
511};
512
513/*
514 SYSTEM INFORMATION TYPE 5
515 Neighbour Cells Description
516 EXT-IND: Carries the complete BA
517 BA-IND = 0
518 Format-ID bit map 0
519 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
520*/
521
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]522static u_int8_t si5[] = {
Holger Freyther4d505472008-12-28 16:32:42 +0000[diff] [blame]523 /* header without l2 len*/0x06, 0x1D,
524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
525 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]526};
527
528// SYSTEM INFORMATION TYPE 6
529
530/*
531SACCH FILLING
532 System Info Type: SYSTEM INFORMATION 6
533 L3 Information (Hex): 06 1E 00 01 xx xx 10 00 01 28 FF
534
535SYSTEM INFORMATION TYPE 6
536 Cell identity = 00001 (1h)
537 Location area identification
538 Mobile Country Code (MCC): 001
539 Mobile Network Code (MNC): 01
540 Location Area Code (LAC): 00001 (1h)
541 Cell Options SACCH
542 Power control indicator: not set
543 MSs shall not use uplink DTX on a TCH-F. MS shall not use uplink DTX on TCH-H.
544 Radio link timeout = 36
545 NCC permitted (NCC) = FF
546*/
547
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]548static u_int8_t si6[] = {
Holger Freyther4d505472008-12-28 16:32:42 +0000[diff] [blame]549 /* header */0x06, 0x1E,
550 /* cell id*/ 0x00, 0x01,
551 /* lai */ 0x00, 0xF1, 0x10, 0x00, 0x01,
552 /* options */ 0x28,
553 /* ncc */ 0xFF,
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]554};
555
556
557
558static const struct bcch_info bcch_infos[] = {
559 {
560 .type = RSL_SYSTEM_INFO_1,
561 .len = sizeof(si1),
562 .data = si1,
563 }, {
564 .type = RSL_SYSTEM_INFO_2,
565 .len = sizeof(si2),
566 .data = si2,
567 }, {
568 .type = RSL_SYSTEM_INFO_3,
569 .len = sizeof(si3),
570 .data = si3,
571 }, {
572 .type = RSL_SYSTEM_INFO_4,
573 .len = sizeof(si4),
574 .data = si4,
575 },
576};
577
Holger Freyther24287b62008-12-28 16:32:41 +0000[diff] [blame]578static_assert(sizeof(si1) == sizeof(struct gsm48_system_information_type_1), type1)
579static_assert(sizeof(si2) == sizeof(struct gsm48_system_information_type_2), type2)
580static_assert(sizeof(si3) == sizeof(struct gsm48_system_information_type_3), type3)
581static_assert(sizeof(si4) >= sizeof(struct gsm48_system_information_type_4), type4)
Harald Welte104604e2008-12-28 16:36:11 +0000[diff] [blame]582static_assert(sizeof(si5) == sizeof(struct gsm48_system_information_type_5), type5)
583static_assert(sizeof(si6) >= sizeof(struct gsm48_system_information_type_6), type6)
Holger Freyther24287b62008-12-28 16:32:41 +0000[diff] [blame]584
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]585/* set all system information types */
586static int set_system_infos(struct gsm_bts *bts)
587{
588 int i;
589
590 for (i = 0; i < ARRAY_SIZE(bcch_infos); i++) {
591 rsl_bcch_info(bts, bcch_infos[i].type,
592 bcch_infos[i].data,
593 bcch_infos[i].len);
594 }
595 rsl_sacch_filling(bts, RSL_SYSTEM_INFO_5, si5, sizeof(si5));
596 rsl_sacch_filling(bts, RSL_SYSTEM_INFO_6, si6, sizeof(si6));
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]597
598 return 0;
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]599}
600
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]601/*
602 * Patch the various SYSTEM INFORMATION tables to update
603 * the LAI
604 */
605static void patch_tables(struct gsm_bts *bts)
606{
Harald Welte98981882009-01-06 18:59:11 +0000[diff] [blame^]607 u_int8_t arfcn_low = ARFCN & 0xff;
608 u_int8_t arfcn_high = (ARFCN >> 8) & 0x0f;
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]609 /* covert the raw packet to the struct */
610 struct gsm48_system_information_type_3 *type_3 =
611 (struct gsm48_system_information_type_3*)&si3;
612 struct gsm48_system_information_type_4 *type_4 =
613 (struct gsm48_system_information_type_4*)&si4;
614 struct gsm48_system_information_type_6 *type_6 =
615 (struct gsm48_system_information_type_6*)&si6;
Harald Welteb84e2f42008-12-28 23:42:04 +0000[diff] [blame]616 struct gsm48_loc_area_id lai;
617
618 gsm0408_generate_lai(&lai, bts->network->country_code,
619 bts->network->network_code, bts->location_area_code);
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]620
621 /* assign the MCC and MNC */
Harald Welteb84e2f42008-12-28 23:42:04 +0000[diff] [blame]622 type_3->lai = lai;
623 type_4->lai = lai;
624 type_6->lai = lai;
Harald Welte98981882009-01-06 18:59:11 +0000[diff] [blame^]625
626 /* patch ARFCN */
627 msg_2[74] &= 0xf0;
628 msg_2[74] |= arfcn_high;
629 msg_2[75] = arfcn_low;
630
631 msg_6[7] &= 0xf0;
632 msg_6[7] |= arfcn_high;
633 msg_6[8] = arfcn_low;
634
635 type_4->data[2] &= 0xf0;
636 type_4->data[2] |= arfcn_high;
637 type_4->data[3] = arfcn_low;
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000[diff] [blame]638}
639
640
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]641static void bootstrap_rsl(struct gsm_bts *bts)
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]642{
Harald Welteb84e2f42008-12-28 23:42:04 +0000[diff] [blame]643 fprintf(stdout, "bootstrapping RSL MCC=%u MNC=%u\n", MCC, MNC);
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]644 set_system_infos(bts);
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]645}
646
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]647static void mi_cb(int event, struct gsm_bts *bts)
648{
649 switch (event) {
650 case EVT_E1_OML_UP:
651 bootstrap_om(bts);
652 break;
653 case EVT_E1_RSL_UP:
654 bootstrap_rsl(bts);
655 break;
656 default:
657 /* FIXME: deal with TEI or L1 link loss */
658 break;
659 }
660}
661
662static int bootstrap_network(void)
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]663{
664 struct gsm_bts *bts;
665
666 /* initialize our data structures */
Holger Freytherefde7fb2008-12-28 14:14:56 +0000[diff] [blame]667 gsmnet = gsm_network_init(1, MCC, MNC);
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]668 if (!gsmnet)
669 return -ENOMEM;
Harald Weltef5cbab72008-12-30 18:00:15 +0000[diff] [blame]670
671 gsmnet->name_short = "25C3";
672 gsmnet->name_long = "25C3 GSM";
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]673 bts = &gsmnet->bts[0];
674 bts->location_area_code = 1;
Harald Welte98981882009-01-06 18:59:11 +0000[diff] [blame^]675 bts->trx[0].arfcn = ARFCN;
676 patch_tables(bts);
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]677
Holger Freyther219518d2009-01-02 22:04:43 +0000[diff] [blame]678 telnet_init(gsmnet, 4242);
Harald Weltead384642008-12-26 10:20:07 +0000[diff] [blame]679 if (mi_setup(bts, 0, mi_cb) < 0)
680 return -EIO;
681
682 return 0;
Harald Welte52b1f982008-12-23 20:25:15 +0000[diff] [blame]683}
Harald Weltef6b7a902008-12-26 00:05:11 +0000[diff] [blame]684
Holger Freyther9a3ee0f2009-01-02 00:40:15 +0000[diff] [blame]685
686static void create_pcap_file(char *file)
687{
688 mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
689 int fd = open(file, O_WRONLY|O_TRUNC|O_CREAT, mode);
690
691 if (fd < 0) {
692 perror("Failed to open file for pcap");
693 return;
694 }
695
696 mi_set_pcap_fd(fd);
697}
698
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]699static void print_usage()
700{
701 printf("Usage: bsc_hack\n");
702}
703
704static void print_help()
705{
706 printf(" Some useful help...\n");
707 printf(" -d option --debug=DRLL:DCC:DMM:DRR:DRSL:DNM enable debugging\n");
Holger Freytherefde7fb2008-12-28 14:14:56 +0000[diff] [blame]708 printf(" -s --disable-color\n");
709 printf(" -n --network-code number(MNC) \n");
710 printf(" -c --country-code number (MCC) \n");
Harald Welte98981882009-01-06 18:59:11 +0000[diff] [blame^]711 printf(" -f --arfcn number The frequency ARFCN\n");
Holger Freytherbde36102008-12-28 22:51:39 +0000[diff] [blame]712 printf(" -l --database db-name The database to use\n");
Holger Freyther89824fc2008-12-30 16:18:18 +0000[diff] [blame]713 printf(" -a --authorize-everyone Allow everyone into the network.\n");
Holger Freythere97f7fb2008-12-31 18:52:11 +0000[diff] [blame]714 printf(" -r --reject-cause number The reject cause for LOCATION UPDATING REJECT.\n");
Holger Freyther9a3ee0f2009-01-02 00:40:15 +0000[diff] [blame]715 printf(" -p --pcap file The filename of the pcap file\n");
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]716 printf(" -h --help this text\n");
717}
718
719static void handle_options(int argc, char** argv)
720{
721 while (1) {
722 int option_index = 0, c;
723 static struct option long_options[] = {
724 {"help", 0, 0, 'h'},
725 {"debug", 1, 0, 'd'},
Holger Freytherefde7fb2008-12-28 14:14:56 +0000[diff] [blame]726 {"disable-color", 0, 0, 's'},
727 {"network-code", 1, 0, 'n'},
728 {"country-code", 1, 0, 'c'},
Holger Freytherbde36102008-12-28 22:51:39 +0000[diff] [blame]729 {"database", 1, 0, 'l'},
Holger Freyther89824fc2008-12-30 16:18:18 +0000[diff] [blame]730 {"authorize-everyone", 0, 0, 'a'},
Holger Freythere97f7fb2008-12-31 18:52:11 +0000[diff] [blame]731 {"reject-cause", 1, 0, 'r'},
Holger Freyther9a3ee0f2009-01-02 00:40:15 +0000[diff] [blame]732 {"pcap", 1, 0, 'p'},
Harald Welte98981882009-01-06 18:59:11 +0000[diff] [blame^]733 {"arfcn", 1, 0, 'f'},
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]734 {0, 0, 0, 0}
735 };
736
Harald Welte98981882009-01-06 18:59:11 +0000[diff] [blame^]737 c = getopt_long(argc, argv, "hc:n:d:sar:p:f:",
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]738 long_options, &option_index);
739 if (c == -1)
740 break;
741
742 switch (c) {
743 case 'h':
744 print_usage();
745 print_help();
746 exit(0);
Holger Freytherefde7fb2008-12-28 14:14:56 +0000[diff] [blame]747 case 's':
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]748 debug_use_color(0);
749 break;
750 case 'd':
751 debug_parse_category_mask(optarg);
752 break;
Holger Freytherefde7fb2008-12-28 14:14:56 +0000[diff] [blame]753 case 'n':
754 MNC = atoi(optarg);
755 break;
756 case 'c':
757 MCC = atoi(optarg);
758 break;
Harald Welte98981882009-01-06 18:59:11 +0000[diff] [blame^]759 case 'f':
760 ARFCN = atoi(optarg);
761 break;
Harald Welte8965da42009-01-06 18:09:02 +0000[diff] [blame]762 case 'l':
Holger Freytherbde36102008-12-28 22:51:39 +0000[diff] [blame]763 database_name = strdup(optarg);
764 break;
Holger Freyther89824fc2008-12-30 16:18:18 +0000[diff] [blame]765 case 'a':
766 gsm0408_allow_everyone(1);
767 break;
Holger Freythere97f7fb2008-12-31 18:52:11 +0000[diff] [blame]768 case 'r':
769 gsm0408_set_reject_cause(atoi(optarg));
770 break;
Holger Freyther9a3ee0f2009-01-02 00:40:15 +0000[diff] [blame]771 case 'p':
772 create_pcap_file(optarg);
773 break;
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]774 default:
775 /* ignore */
776 break;
777 }
778 }
779}
780
Harald Welted1252502009-01-01 01:50:32 +0000[diff] [blame]781static void signal_handler(int signal)
782{
783 fprintf(stdout, "signal %u received\n", signal);
784
785 switch (signal) {
786 case SIGHUP:
787 case SIGABRT:
788 shutdown_net(gsmnet);
789 break;
790 default:
791 break;
792 }
793}
794
Harald Weltef6b7a902008-12-26 00:05:11 +0000[diff] [blame]795int main(int argc, char **argv)
796{
Holger Freytherb332f612008-12-27 12:46:51 +0000[diff] [blame]797 /* parse options */
798 handle_options(argc, argv);
799
Holger Freytherbde36102008-12-28 22:51:39 +0000[diff] [blame]800 if (db_init(database_name)) {
Harald Welte75a983f2008-12-27 21:34:06 +0000[diff] [blame]801 printf("DB: Failed to init database. Please check the option settings.\n");
802 return 1;
803 }
804 printf("DB: Database initialized.\n");
805
806 if (db_prepare()) {
807 printf("DB: Failed to prepare database.\n");
808 return 1;
809 }
810 printf("DB: Database prepared.\n");
811
Harald Weltef6b7a902008-12-26 00:05:11 +0000[diff] [blame]812 bootstrap_network();
813
Harald Welted1252502009-01-01 01:50:32 +0000[diff] [blame]814 signal(SIGHUP, &signal_handler);
815 signal(SIGABRT, &signal_handler);
816
Harald Weltef6b7a902008-12-26 00:05:11 +0000[diff] [blame]817 while (1) {
818 bsc_select_main();
819 }
820}