Harald Welte52b1f982008-12-23 20:25:15 +00001/* A hackish minimal BSC (+MSC +HLR) implementation */
2
3/* (C) 2008 by Harald Welte <laforge@gnumonks.org>
4 * All Rights Reserved
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19 *
20 */
21
Harald Weltef6b7a902008-12-26 00:05:11 +000022#include <unistd.h>
23#include <stdlib.h>
24#include <stdio.h>
25#include <stdarg.h>
26#include <time.h>
27#include <string.h>
Harald Weltead384642008-12-26 10:20:07 +000028#include <errno.h>
Harald Welte52b1f982008-12-23 20:25:15 +000029
Holger Freytherb332f612008-12-27 12:46:51 +000030#define _GNU_SOURCE
31#include <getopt.h>
32
Harald Welte255539c2008-12-28 02:26:27 +000033#include <openbsc/db.h>
34#include <openbsc/timer.h>
Harald Welte8470bf22008-12-25 23:28:35 +000035#include <openbsc/gsm_data.h>
Harald Welte255539c2008-12-28 02:26:27 +000036#include <openbsc/gsm_04_08.h>
Harald Weltead384642008-12-26 10:20:07 +000037#include <openbsc/select.h>
Harald Welte8470bf22008-12-25 23:28:35 +000038#include <openbsc/abis_rsl.h>
39#include <openbsc/abis_nm.h>
Harald Welte702d8702008-12-26 20:25:35 +000040#include <openbsc/debug.h>
Holger Freyther5677ae32008-12-27 09:41:03 +000041#include <openbsc/misdn.h>
Harald Welte52b1f982008-12-23 20:25:15 +000042
/* The one GSM network instance; assigned in bootstrap_network(). */
static struct gsm_network *gsmnet;

/*
 * MCC and MNC for the Location Area Identifier.  Both default to 1 and are
 * overwritten from the command line in handle_options().
 */
static int MCC = 1;
static int MNC = 1;

/* Database name handed to db_init() in main(); overridable with --database. */
static const char *database_name = "hlr.sqlite3";
Holger Freytherefde7fb2008-12-28 14:14:56 +000050
51
Harald Welte52b1f982008-12-23 20:25:15 +000052/* The following definitions are for OM and NM packets that we cannot yet
53 * generate by code but we just pass on */
54
55// BTS Site Manager, SET ATTRIBUTES
56
57/*
58 Object Class: BTS Site Manager
59 Instance 1: FF
60 Instance 2: FF
61 Instance 3: FF
62SET ATTRIBUTES
63 sAbisExternalTime: 2007/09/08 14:36:11
64 omLAPDRelTimer: 30sec
65 shortLAPDIntTimer: 5sec
66 emergencyTimer1: 10 minutes
67 emergencyTimer2: 0 minutes
68*/
69
/*
 * Pre-built OML message (BTS Site Manager, SET ATTRIBUTES).  bootstrap_om()
 * passes it to abis_nm_raw_msg() unchanged, with sizeof(msg_1) as the length.
 */
unsigned char msg_1[] = {
	0xD0, 0x00, 0xFF, 0xFF, 0xFF, 0x91, 0x07, 0xD7, 0x09, 0x08, 0x0E, 0x24,
	0x0B, 0xCE, 0x02, 0x00, 0x1E, 0xE8, 0x01, 0x05, 0x42, 0x02, 0x00, 0x0A, 0x44,
	0x02, 0x00, 0x00
};
76
77// BTS, SET BTS ATTRIBUTES
78
79/*
80 Object Class: BTS
81 BTS relat. Number: 0
82 Instance 2: FF
83 Instance 3: FF
84SET BTS ATTRIBUTES
85 bsIdentityCode / BSIC:
86 PLMN_colour_code: 7h
87 BS_colour_code: 7h
88 BTS Air Timer T3105: 4 ,unit 10 ms
89 btsIsHopping: FALSE
90 periodCCCHLoadIndication: 255sec
91 thresholdCCCHLoadIndication: 100%
92 cellAllocationNumber: 00h = GSM 900
93 enableInterferenceClass: 00h = Disabled
94 fACCHQual: 6 (FACCH stealing flags minus 1)
95 intaveParameter: 31 SACCH multiframes
96 interferenceLevelBoundaries:
97 Interference Boundary 1: 0Ah
98 Interference Boundary 2: 0Fh
99 Interference Boundary 3: 14h
100 Interference Boundary 4: 19h
101 Interference Boundary 5: 1Eh
102 mSTxPwrMax: 11
103 GSM range: 2=39dBm, 15=13dBm, stepsize 2 dBm
104 DCS1800 range: 0=30dBm, 15=0dBm, stepsize 2 dBm
105 PCS1900 range: 0=30dBm, 15=0dBm, stepsize 2 dBm
106 30=33dBm, 31=32dBm
107 ny1:
108 Maximum number of repetitions for PHYSICAL INFORMATION message (GSM 04.08): 20
109 powerOutputThresholds:
110 Out Power Fault Threshold: -10 dB
111 Red Out Power Threshold: - 6 dB
112 Excessive Out Power Threshold: 5 dB
113 rACHBusyThreshold: -127 dBm
114 rACHLoadAveragingSlots: 250 ,number of RACH burst periods
115 rfResourceIndicationPeriod: 125 SACCH multiframes
116 T200:
117 SDCCH: 044 in 5 ms
118 FACCH/Full rate: 031 in 5 ms
119 FACCH/Half rate: 041 in 5 ms
120 SACCH with TCH SAPI0: 090 in 10 ms
121 SACCH with SDCCH: 090 in 10 ms
122 SDCCH with SAPI3: 090 in 5 ms
123 SACCH with TCH SAPI3: 135 in 10 ms
124 tSync: 9000 units of 10 msec
125 tTrau: 9000 units of 10 msec
126 enableUmLoopTest: 00h = disabled
127 enableExcessiveDistance: 00h = Disabled
128 excessiveDistance: 64km
129 hoppingMode: 00h = baseband hopping
130 cellType: 00h = Standard Cell
131 BCCH ARFCN / bCCHFrequency: 1
132*/
133
/*
 * Pre-built OML message (BTS, SET BTS ATTRIBUTES).  bootstrap_om() passes it
 * to abis_nm_raw_msg() unchanged.  The last octet is the BCCH ARFCN and comes
 * from HARDCODED_ARFCN, which is defined outside this file.
 */
unsigned char msg_2[] = {
	0x41, 0x01, 0x00, 0xFF, 0xFF, 0x09, 0x3F, 0x0A, 0x04, 0x61, 0x00, 0x0B,
	0xFF, 0x0C, 0x64, 0x62, 0x00, 0x66, 0x00, 0x6E, 0x06, 0x18, 0x1F, 0x19,
	0x0A, 0x0F, 0x14, 0x19, 0x1E, 0x7B, 0x0B, 0x23, 0x14, 0x28, 0x00, 0x04,
	0x03, 0x2A, 0x7F, 0x2B, 0x00, 0xFA, 0x8F, 0x7D, 0x33, 0x2C, 0x1F, 0x29,
	0x5A, 0x5A, 0x5A, 0x87, 0x94, 0x23, 0x28, 0x95, 0x23, 0x28, 0x35, 0x01,
	0x00, 0x46, 0x01, 0x00, 0x58, 0x01, 0x40, 0xC5, 0x01, 0x00, 0xF2, 0x01,
	0x00, 0x08, 0x00, HARDCODED_ARFCN /* 0x01 in the decode above */,
};
144
145// Handover Recognition, SET ATTRIBUTES
146
147/*
148Illegal Contents GSM Formatted O&M Msg
149 Object Class: Handover Recognition
150 BTS relat. Number: 0
151 Instance 2: FF
152 Instance 3: FF
153SET ATTRIBUTES
154 enableDelayPowerBudgetHO: 00h = Disabled
155 enableDistanceHO: 00h = Disabled
156 enableInternalInterCellHandover: 00h = Disabled
157 enableInternalIntraCellHandover: 00h = Disabled
158 enablePowerBudgetHO: 00h = Disabled
159 enableRXLEVHO: 00h = Disabled
160 enableRXQUALHO: 00h = Disabled
161 hoAveragingDistance: 8 SACCH multiframes
162 hoAveragingLev:
163 A_LEV_HO: 8 SACCH multiframes
164 W_LEV_HO: 1 SACCH multiframes
165 hoAveragingPowerBudget: 16 SACCH multiframes
166 hoAveragingQual:
167 A_QUAL_HO: 8 SACCH multiframes
168 W_QUAL_HO: 2 SACCH multiframes
169 hoLowerThresholdLevDL: (10 - 110) dBm
170 hoLowerThresholdLevUL: (5 - 110) dBm
171 hoLowerThresholdQualDL: 06h = 6.4% < BER < 12.8%
172 hoLowerThresholdQualUL: 06h = 6.4% < BER < 12.8%
173 hoThresholdLevDLintra : (20 - 110) dBm
174 hoThresholdLevULintra: (20 - 110) dBm
175 hoThresholdMsRangeMax: 20 km
176 nCell: 06h
177 timerHORequest: 3 ,unit 2 SACCH multiframes
178*/
179
/*
 * Pre-built OML message (Handover Recognition, SET ATTRIBUTES).
 * bootstrap_om() passes it to abis_nm_raw_msg() unchanged.
 */
unsigned char msg_3[] = {
	0xD0, 0xA1, 0x00, 0xFF, 0xFF, 0xD0, 0x00, 0x64, 0x00, 0x67, 0x00, 0x68,
	0x00, 0x6A, 0x00, 0x6C, 0x00, 0x6D, 0x00, 0x6F, 0x08, 0x70, 0x08, 0x01,
	0x71, 0x10, 0x10, 0x10, 0x72, 0x08, 0x02, 0x73, 0x0A, 0x74, 0x05, 0x75,
	0x06, 0x76, 0x06, 0x78, 0x14, 0x79, 0x14, 0x7A, 0x14, 0x7D, 0x06, 0x92,
	0x03, 0x20, 0x01, 0x00, 0x45, 0x01, 0x00, 0x48, 0x01, 0x00, 0x5A, 0x01,
	0x00, 0x5B, 0x01, 0x05, 0x5E, 0x01, 0x1A, 0x5F, 0x01, 0x20, 0x9D, 0x01,
	0x00, 0x47, 0x01, 0x00, 0x5C, 0x01, 0x64, 0x5D, 0x01, 0x1E, 0x97, 0x01,
	0x20, 0xF7, 0x01, 0x3C,
};
191
192// Power Control, SET ATTRIBUTES
193
194/*
195 Object Class: Power Control
196 BTS relat. Number: 0
197 Instance 2: FF
198 Instance 3: FF
199SET ATTRIBUTES
200 enableMsPowerControl: 00h = Disabled
201 enablePowerControlRLFW: 00h = Disabled
202 pcAveragingLev:
203 A_LEV_PC: 4 SACCH multiframes
204 W_LEV_PC: 1 SACCH multiframes
205 pcAveragingQual:
206 A_QUAL_PC: 4 SACCH multiframes
207 W_QUAL_PC: 2 SACCH multiframes
208 pcLowerThresholdLevDL: 0Fh
209 pcLowerThresholdLevUL: 0Ah
210 pcLowerThresholdQualDL: 05h = 3.2% < BER < 6.4%
211 pcLowerThresholdQualUL: 05h = 3.2% < BER < 6.4%
212 pcRLFThreshold: 0Ch
213 pcUpperThresholdLevDL: 14h
214 pcUpperThresholdLevUL: 0Fh
215 pcUpperThresholdQualDL: 04h = 1.6% < BER < 3.2%
216 pcUpperThresholdQualUL: 04h = 1.6% < BER < 3.2%
217 powerConfirm: 2 ,unit 2 SACCH multiframes
218 powerControlInterval: 2 ,unit 2 SACCH multiframes
219 powerIncrStepSize: 02h = 4 dB
220 powerRedStepSize: 01h = 2 dB
221 radioLinkTimeoutBs: 64 SACCH multiframes
222 enableBSPowerControl: 00h = disabled
223*/
224
/*
 * Pre-built OML message (Power Control, SET ATTRIBUTES).  bootstrap_om()
 * passes it to abis_nm_raw_msg() unchanged.
 */
unsigned char msg_4[] = {
	0xD0, 0xA2, 0x00, 0xFF, 0xFF, 0x69, 0x00, 0x6B, 0x00, 0x7E, 0x04, 0x01,
	0x7F, 0x04, 0x02, 0x80, 0x0F, 0x81, 0x0A, 0x82, 0x05, 0x83, 0x05, 0x84,
	0x0C, 0x85, 0x14, 0x86, 0x0F, 0x87, 0x04, 0x88, 0x04, 0x89, 0x02, 0x8A,
	0x02, 0x8B, 0x02, 0x8C, 0x01, 0x8D, 0x40, 0x65, 0x01,
	0x00 /* set to 0x01 to enable BSPowerControl */
};
232
233
234// Transceiver, SET TRX ATTRIBUTES (TRX 0)
235
236/*
237 Object Class: Transceiver
238 BTS relat. Number: 0
239 Tranceiver number: 0
240 Instance 3: FF
241SET TRX ATTRIBUTES
242 aRFCNList (HEX): 0001
243 txPwrMaxReduction: 00h = 0dB
244 radioMeasGran: 254 SACCH multiframes
245 radioMeasRep: 01h = enabled
246 memberOfEmergencyConfig: 01h = TRUE
247 trxArea: 00h = TRX doesn't belong to a concentric cell
248*/
249
/*
 * Pre-built OML message (Transceiver 0, SET TRX ATTRIBUTES).  bootstrap_om()
 * passes it to abis_nm_raw_msg() unchanged.  The low ARFCN octet comes from
 * HARDCODED_ARFCN, which is defined outside this file.
 */
unsigned char msg_6[] = {
	0x44, 0x02, 0x00, 0x00, 0xFF, 0x05, 0x01, 0x00,
	HARDCODED_ARFCN /* 0x01 in the decode above */, 0x2D,
	0x00, 0xDC, 0x01, 0xFE, 0xDD, 0x01, 0x01, 0x9B, 0x01, 0x01, 0x9F, 0x01, 0x00,
};
255
256
/*
 * Send the OML configuration sequence for TRX 0 of @bts.
 *
 * Event reports are switched off for the duration, the canned attribute
 * messages msg_1..msg_4 and msg_6 are pushed inside a DB transmission, the
 * signalling link and timeslots 1..7 are wired to E1 sub-slots, and event
 * reports are switched back on at the end.
 *
 * NOTE(review): no return value of any abis_nm_* call is checked, so a
 * rejected or failed step goes unnoticed here.
 */
static void bootstrap_om(struct gsm_bts *bts)
{
	struct gsm_bts_trx *trx0 = &bts->trx[0];
	int tn;

	fprintf(stdout, "bootstrapping OML\n");

	/* stop sending event reports */
	abis_nm_event_reports(bts, 0);

	/* an empty DB transmission (begin, end), then reset the Site Manager */
	abis_nm_db_transmission(bts, 1);
	abis_nm_db_transmission(bts, 0);
	abis_nm_reset_resource(bts);

	/* the DB transmission that carries the real configuration */
	abis_nm_db_transmission(bts, 1);

	abis_nm_raw_msg(bts, sizeof(msg_1), msg_1);	/* BTS SiteMgr attr */
	abis_nm_raw_msg(bts, sizeof(msg_2), msg_2);	/* BTS attr */
	abis_nm_raw_msg(bts, sizeof(msg_3), msg_3);	/* BTS handover attr */
	abis_nm_raw_msg(bts, sizeof(msg_4), msg_4);	/* BTS power control attr */

	/* Connect signalling of bts0/trx0 to e1_0/ts1/64kbps */
	abis_nm_conn_terr_sign(trx0, 0, 1, 0xff);
	abis_nm_raw_msg(bts, sizeof(msg_6), msg_6);	/* SET TRX ATTRIBUTES */

	/* Use TEI 1 for signalling */
	abis_nm_establish_tei(bts, 0, 0, 1, 0xff, 0x01);
	abis_nm_set_channel_attr(&trx0->ts[0], NM_CHANC_SDCCH_CBCH);
#if 0
	/* TRX 1 */
	abis_nm_conn_terr_sign(&bts->trx[1], 0, 1, 0xff);
	/* FIXME: TRX ATTRIBUTE */
	abis_nm_establish_tei(bts, 0, 0, 1, 0xff, 0x02);
#endif

	/*
	 * Timeslots 1..7: set channel attribute 0x09, then connect the
	 * traffic to consecutive E1 sub-slots.  TS1..TS3 land on e1 ts2
	 * sub-slots 1..3 (b..d), TS4..TS7 on e1 ts3 sub-slots 0..3 (a..d).
	 */
	for (tn = 1; tn <= 7; tn++) {
		abis_nm_set_channel_attr(&trx0->ts[tn], 0x09);
		abis_nm_conn_terr_traf(&trx0->ts[tn], 0, 2 + tn / 4, tn % 4);
	}

	/* end DB transmission */
	abis_nm_db_transmission(bts, 0);

	/* Reset BTS Site manager resource */
	abis_nm_reset_resource(bts);

	/* restart sending event reports */
	abis_nm_event_reports(bts, 1);
}
341
342
343
/* One BCCH system information message: its RSL type plus the raw octets. */
struct bcch_info {
	u_int8_t type;		/* RSL_SYSTEM_INFO_* value passed to rsl_bcch_info() */
	u_int8_t len;		/* number of octets at @data */
	const u_int8_t *data;	/* message bytes; not owned by this struct */
};
349
350/*
351SYSTEM INFORMATION TYPE 1
352 Cell channel description
353 Format-ID bit map 0
354 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
355 RACH Control Parameters
356 maximum 7 retransmissions
357 8 slots used to spread transmission
358 cell not barred for access
359 call reestablishment not allowed
360 Access Control Class = 0000
361*/
/*
 * SYSTEM INFORMATION TYPE 1 as sent on the BCCH.
 * Two cell channel description octets differ from the decode above: the
 * first is 0x04 where the decode shows 0x00, the last 0x00 where it shows 0x01.
 */
static u_int8_t si1[] = {
	/* header */
	0x55, 0x06, 0x19,
	/* ccdesc */
	0x04 /* decode shows 0x00 */, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 /* decode shows 0x01 */,
	/* rach */
	0xD5, 0x00, 0x00,
	/* s1 reset */
	0x2B
};
369
370/*
371 SYSTEM INFORMATION TYPE 2
372 Neighbour Cells Description
373 EXT-IND: Carries the complete BA
374 BA-IND = 0
375 Format-ID bit map 0
376 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
377 NCC permitted (NCC) = FF
378 RACH Control Parameters
379 maximum 7 retransmissions
380 8 slots used to spread transmission
381 cell not barred for access
382 call reestablishment not allowed
383 Access Control Class = 0000
384*/
/* SYSTEM INFORMATION TYPE 2 as sent on the BCCH (empty neighbour list). */
static u_int8_t si2[] = {
	/* header */
	0x59, 0x06, 0x1A,
	/* neighbour cells description */
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	/* ncc */
	0xFF,
	/* rach */
	0xD5, 0x00, 0x00
};
392
393/*
394SYSTEM INFORMATION TYPE 3
395 Cell identity = 00001 (1h)
396 Location area identification
397 Mobile Country Code (MCC): 001
398 Mobile Network Code (MNC): 01
399 Location Area Code (LAC): 00001 (1h)
400 Control Channel Description
401 Attach-detach: MSs in the cell are not allowed to apply IMSI attach /detach
402 0 blocks reserved for access grant
403 1 channel used for CCCH, with SDCCH
404 5 multiframes period for PAGING REQUEST
405 Time-out T3212 = 0
406 Cell Options BCCH
407 Power control indicator: not set
408 MSs shall not use uplink DTX
409 Radio link timeout = 36
410 Cell Selection Parameters
411 Cell reselect hysteresis = 6 dB RXLEV hysteresis for LA re-selection
412 max.TX power level MS may use for CCH = 2
413 Additional Reselect Parameter Indication (ACS) = only SYSTEM INFO 4: The SI rest octets, if present, shall be used to derive the value of PI and possibly C2 parameters
414 Half rate support (NECI): New establishment causes are not supported
415 min.RX signal level for MS = 0
416 RACH Control Parameters
417 maximum 7 retransmissions
418 8 slots used to spread transmission
419 cell not barred for access
420 call reestablishment not allowed
421 Access Control Class = 0000
422 SI 3 Rest Octets
423 Cell Bar Qualify (CBQ): 0
424 Cell Reselect Offset = 0 dB
425 Temporary Offset = 0 dB
426 Penalty Time = 20 s
427 System Information 2ter Indicator (2TI): 0 = not available
428 Early Classmark Sending Control (ECSC): 0 = forbidden
429 Scheduling Information is not sent in SYSTEM INFORMATION TYPE 9 on the BCCH
430*/
/*
 * SYSTEM INFORMATION TYPE 3 as sent on the BCCH.
 * The LAI octets are overwritten at run time by patch_tables().
 */
static u_int8_t si3[] = {
	/* header */
	0x49, 0x06, 0x1B,
	/* cell */
	0x00, 0x01,
	/* lai */
	0x00, 0xF1, 0x10, 0x00, 0x01,
	/* desc */
	0x01, 0x03, 0x00,
	/* option */
	0x28,
	/* selection */
	0x62, 0x00,
	/* rach */
	0xD5, 0x00, 0x00,
	/* reset */
	0x80, 0x00, 0x00, 0x2B
};
441
442/*
443SYSTEM INFORMATION TYPE 4
444 Location area identification
445 Mobile Country Code (MCC): 001
446 Mobile Network Code (MNC): 01
447 Location Area Code (LAC): 00001 (1h)
448 Cell Selection Parameters
449 Cell reselect hysteresis = 6 dB RXLEV hysteresis for LA re-selection
450 max.TX power level MS may use for CCH = 2
451 Additional Reselect Parameter Indication (ACS) = only SYSTEM INFO 4: The SI rest octets, if present, shall be used to derive the value of PI and possibly C2 parameters
452 Half rate support (NECI): New establishment causes are not supported
453 min.RX signal level for MS = 0
454 RACH Control Parameters
455 maximum 7 retransmissions
456 8 slots used to spread transmission
457 cell not barred for access
458 call reestablishment not allowed
459 Access Control Class = 0000
460 Channel Description
461 Type = SDCCH/4[2]
462 Timeslot Number: 0
463 Training Sequence Code: 7h
464 ARFCN: 1
465 SI Rest Octets
466 Cell Bar Qualify (CBQ): 0
467 Cell Reselect Offset = 0 dB
468 Temporary Offset = 0 dB
469 Penalty Time = 20 s
470*/
/*
 * SYSTEM INFORMATION TYPE 4 as sent on the BCCH.
 * The LAI octets are overwritten at run time by patch_tables(); the ARFCN
 * octet comes from HARDCODED_ARFCN, which is defined outside this file.
 */
static u_int8_t si4[] = {
	/* header */
	0x41, 0x06, 0x1C,
	/* lai */
	0x00, 0xF1, 0x10, 0x00, 0x01,
	/* sel */
	0x62, 0x00,
	/* rach */
	0xD5, 0x00, 0x00,
	/* var */
	0x64, 0x30, 0xE0, HARDCODED_ARFCN /* 0x01 in the decode above */,
	0x80, 0x00, 0x00,
	0x2B, 0x2B, 0x2B
};
479
480/*
481 SYSTEM INFORMATION TYPE 5
482 Neighbour Cells Description
483 EXT-IND: Carries the complete BA
484 BA-IND = 0
485 Format-ID bit map 0
486 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
487*/
488
/*
 * SYSTEM INFORMATION TYPE 5, installed as SACCH filling by
 * set_system_infos().  The header carries no L2 length octet.
 */
static u_int8_t si5[] = {
	/* header without l2 len */
	0x06, 0x1D,
	/* neighbour cells description */
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
494
495// SYSTEM INFORMATION TYPE 6
496
497/*
498SACCH FILLING
499 System Info Type: SYSTEM INFORMATION 6
500 L3 Information (Hex): 06 1E 00 01 xx xx 10 00 01 28 FF
501
502SYSTEM INFORMATION TYPE 6
503 Cell identity = 00001 (1h)
504 Location area identification
505 Mobile Country Code (MCC): 001
506 Mobile Network Code (MNC): 01
507 Location Area Code (LAC): 00001 (1h)
508 Cell Options SACCH
509 Power control indicator: not set
510 MSs shall not use uplink DTX on a TCH-F. MS shall not use uplink DTX on TCH-H.
511 Radio link timeout = 36
512 NCC permitted (NCC) = FF
513*/
514
/*
 * SYSTEM INFORMATION TYPE 6, installed as SACCH filling by
 * set_system_infos().  The LAI octets are overwritten at run time by
 * patch_tables().
 */
static u_int8_t si6[] = {
	/* header */
	0x06, 0x1E,
	/* cell id */
	0x00, 0x01,
	/* lai */
	0x00, 0xF1, 0x10, 0x00, 0x01,
	/* options */
	0x28,
	/* ncc */
	0xFF,
};
522
523
524
/*
 * The system information messages that set_system_infos() pushes with
 * rsl_bcch_info(), in transmission order.  SI5 and SI6 are not listed here;
 * they are installed separately as SACCH filling.
 */
static const struct bcch_info bcch_infos[] = {
	{ .type = RSL_SYSTEM_INFO_1, .len = sizeof(si1), .data = si1 },
	{ .type = RSL_SYSTEM_INFO_2, .len = sizeof(si2), .data = si2 },
	{ .type = RSL_SYSTEM_INFO_3, .len = sizeof(si3), .data = si3 },
	{ .type = RSL_SYSTEM_INFO_4, .len = sizeof(si4), .data = si4 },
};
544
/*
 * Compile-time size checks tying each raw table to the struct it is cast to
 * or modelled on.  si4 and si6 may be longer than their structs, the others
 * must match exactly.
 * NOTE(review): static_assert takes an identifier as second argument and no
 * trailing semicolon here, so it is presumably a project macro rather than
 * C11 _Static_assert -- confirm against the project headers.
 */
static_assert(sizeof(si1) == sizeof(struct gsm48_system_information_type_1), type1)
static_assert(sizeof(si2) == sizeof(struct gsm48_system_information_type_2), type2)
static_assert(sizeof(si3) == sizeof(struct gsm48_system_information_type_3), type3)
static_assert(sizeof(si4) >= sizeof(struct gsm48_system_information_type_4), type4)
static_assert(sizeof(si5) == sizeof(struct gsm48_system_information_type_5), type5)
static_assert(sizeof(si6) >= sizeof(struct gsm48_system_information_type_6), type6)
Holger Freyther24287b62008-12-28 16:32:41 +0000551
Harald Welte52b1f982008-12-23 20:25:15 +0000552/* set all system information types */
/*
 * Push every entry of bcch_infos[] to @bts with rsl_bcch_info(), then install
 * si5 and si6 as SACCH filling.
 *
 * Always returns 0.
 * NOTE(review): the results of rsl_bcch_info() and rsl_sacch_filling() are
 * discarded, so the return value says nothing about whether the BTS accepted
 * the messages.
 */
static int set_system_infos(struct gsm_bts *bts)
{
	const struct bcch_info *info = bcch_infos;
	const struct bcch_info *end = bcch_infos + ARRAY_SIZE(bcch_infos);

	while (info < end) {
		rsl_bcch_info(bts, info->type, info->data, info->len);
		info++;
	}

	rsl_sacch_filling(bts, RSL_SYSTEM_INFO_5, si5, sizeof(si5));
	rsl_sacch_filling(bts, RSL_SYSTEM_INFO_6, si6, sizeof(si6));

	return 0;
}
567
/*
 * Activate a full-rate traffic channel on timeslots 1..7 of @trx.
 * Timeslot 0 is skipped because it carries the CCCH.
 */
static void activate_traffic_channels(struct gsm_bts_trx *trx)
{
	int tn = 1;	/* channel 0 is CCCH */

	while (tn < 8) {
		rsl_chan_activate_tch_f(&trx->ts[tn]);
		tn++;
	}
}
576
Holger Freytherb9ddfd02008-12-28 16:32:45 +0000577/*
578 * Patch the various SYSTEM INFORMATION tables to update
579 * the LAI
580 */
/*
 * Rewrite the LAI inside the si3, si4 and si6 byte tables from the
 * country code, network code and location area code configured on @bts.
 *
 * NOTE(review): the tables are u_int8_t arrays accessed through struct
 * pointers.  That is only sound if the gsm48_system_information_type_*
 * structs are packed, byte-aligned layouts -- confirm in the header.
 */
static void patch_tables(struct gsm_bts *bts)
{
	/* view each raw packet through its message struct */
	struct gsm48_system_information_type_3 *si3_msg =
		(struct gsm48_system_information_type_3 *)si3;
	struct gsm48_system_information_type_4 *si4_msg =
		(struct gsm48_system_information_type_4 *)si4;
	struct gsm48_system_information_type_6 *si6_msg =
		(struct gsm48_system_information_type_6 *)si6;

	/* the same MCC / MNC / LAC triple goes into all three messages */
	gsm0408_generate_lai(&si3_msg->lai,
			     bts->network->country_code,
			     bts->network->network_code,
			     bts->location_area_code);
	gsm0408_generate_lai(&si4_msg->lai,
			     bts->network->country_code,
			     bts->network->network_code,
			     bts->location_area_code);
	gsm0408_generate_lai(&si6_msg->lai,
			     bts->network->country_code,
			     bts->network->network_code,
			     bts->location_area_code);
}
599
600
/*
 * Bring up the RSL side of @bts: patch the LAI into the system information
 * tables, then send them.  Traffic channels are not activated here.
 */
static void bootstrap_rsl(struct gsm_bts *bts)
{
	fprintf(stdout, "bootstrapping RSL\n");

	/* the tables must carry the configured LAI before they go out */
	patch_tables(bts);
	set_system_infos(bts);

	/* FIXME: defer this until the channels are used */
	/* activate_traffic_channels(&bts->trx[0]); */
}
610
/*
 * Input-layer event callback registered through mi_setup().
 * EVT_E1_OML_UP starts the OML bootstrap and EVT_E1_RSL_UP the RSL bootstrap;
 * every other event is ignored.
 */
static void mi_cb(int event, struct gsm_bts *bts)
{
	if (event == EVT_E1_OML_UP) {
		bootstrap_om(bts);
		return;
	}

	if (event == EVT_E1_RSL_UP) {
		bootstrap_rsl(bts);
		return;
	}

	/* FIXME: deal with TEI or L1 link loss */
}
625
/*
 * Allocate the global network with the configured MCC/MNC, set up BTS 0
 * (location area code 1, HARDCODED_ARFCN on TRX 0) and register mi_cb with
 * the input layer.
 *
 * Returns 0 on success, -ENOMEM if gsm_network_init() fails, -EIO if
 * mi_setup() fails.
 */
static int bootstrap_network(void)
{
	struct gsm_bts *bts0;

	/* initialize our data structures */
	gsmnet = gsm_network_init(1, MCC, MNC);
	if (gsmnet == NULL)
		return -ENOMEM;

	bts0 = &gsmnet->bts[0];
	bts0->location_area_code = 1;
	bts0->trx[0].arfcn = HARDCODED_ARFCN;

	return (mi_setup(bts0, 0, mi_cb) < 0) ? -EIO : 0;
}
Harald Weltef6b7a902008-12-26 00:05:11 +0000644
/* Print the one-line usage banner to stdout. */
static void print_usage()
{
	fputs("Usage: bsc_hack\n", stdout);
}
649
/* Print the list of command-line options to stdout, one line per option. */
static void print_help()
{
	static const char *const help_lines[] = {
		" Some useful help...\n",
		" -d option --debug=DRLL:DCC:DMM:DRR:DRSL:DNM enable debugging\n",
		" -s --disable-color\n",
		" -n --network-code number(MNC) \n",
		" -c --country-code number (MCC) \n",
		" -l --database db-name The database to use\n",
		" -h --help this text\n",
	};
	size_t i;

	for (i = 0; i < sizeof(help_lines) / sizeof(help_lines[0]); i++)
		fputs(help_lines[i], stdout);
}
660
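/*
 * Parse a decimal MCC or MNC given on the command line.
 *
 * Accepts only a complete decimal number in the range 0..999 (an MCC has
 * three digits, an MNC two or three).  Anything else is reported on stderr
 * and terminates the program, so a typo cannot silently become code 0 the
 * way it did with atoi().
 */
static int parse_plmn_code(const char *arg, const char *what)
{
	char *end;
	long val;

	errno = 0;
	val = strtol(arg, &end, 10);
	if (end == arg || *end != '\0' || errno == ERANGE ||
	    val < 0 || val > 999) {
		fprintf(stderr, "Invalid %s '%s': expected a number from 0 to 999\n",
			what, arg);
		exit(2);
	}

	return (int)val;
}

/*
 * Process the command line and update MCC, MNC, database_name and the debug
 * settings accordingly.  -h prints the help text and exits with status 0.
 * Options getopt_long() does not recognise are ignored.
 */
static void handle_options(int argc, char** argv)
{
	static struct option long_options[] = {
		{"help", 0, 0, 'h'},
		{"debug", 1, 0, 'd'},
		{"disable-color", 0, 0, 's'},
		{"network-code", 1, 0, 'n'},
		{"country-code", 1, 0, 'c'},
		{"database", 1, 0, 'l'},
		{0, 0, 0, 0}
	};

	while (1) {
		int option_index = 0, c;

		/*
		 * "l:" was missing from the short option string, so the -l
		 * form advertised by print_help() was rejected and only
		 * --database worked.
		 */
		c = getopt_long(argc, argv, "hc:n:d:sl:",
				long_options, &option_index);
		if (c == -1)
			break;

		switch (c) {
		case 'h':
			print_usage();
			print_help();
			exit(0);
		case 's':
			debug_use_color(0);
			break;
		case 'd':
			debug_parse_category_mask(optarg);
			break;
		case 'n':
			MNC = parse_plmn_code(optarg, "network code");
			break;
		case 'c':
			MCC = parse_plmn_code(optarg, "country code");
			break;
		case 'l':
			/*
			 * optarg points into argv, which outlives this
			 * function; keeping the pointer avoids an unchecked
			 * strdup() and a leak when -l is given twice.
			 */
			database_name = optarg;
			break;
		default:
			/* ignore */
			break;
		}
	}
}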
706
/* Paging timer: main() sets its callback to pag_timer_cb, which re-arms it. */
static struct timer_list pag_timer;
708
709/* handles uppercase decimal and hexadecimal */
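/*
 * Convert one ASCII digit character to its 4-bit value.
 *
 * '0'..'9' map to 0..9 and uppercase 'A'..'F' map to 10..15.  The input is
 * not validated: any other character yields a meaningless value, so callers
 * must pass uppercase hexadecimal digits only.
 */
static u_int8_t char2bcd(char c)
{
	if (c <= '9')
		return c - '0';

	/* 'A' is the digit ten; without the +10 it decoded to 0, like '0' */
	return c - 'A' + 10;
}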
717
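/*
 * Encode the digit string @string as a Mobile Identity element into @mi.
 *
 * mi[0] receives GSM48_IE_MOBILE_ID, mi[2] the identity type plus either the
 * first digit (odd number of digits) or 0xf0 (even number), and the
 * remaining digits follow as packed pairs, first digit in the low nibble.
 *
 * @mi has no length parameter: the caller must provide at least
 * 3 + strlen(string) / 2 bytes, and @string must contain only characters
 * char2bcd() accepts.
 *
 * Returns the total number of bytes written to @mi.
 */
static int string_to_mi(u_int8_t *mi, const char *string,
			u_int8_t type)
{
	u_int8_t *cur = mi+3;

	mi[0] = GSM48_IE_MOBILE_ID;
	//mi[1] = TMSI_LEN;
	mi[2] = type & GSM_MI_TYPE_MASK;

	if (strlen(string) & 0x01)
		mi[2] |= char2bcd(*string++) << 4;
	else
		mi[2] |= 0xf0;

	/*
	 * Read the two digits in separate statements.  The previous form
	 * incremented string twice inside one expression, which is unsequenced
	 * and left the nibble order up to the compiler.
	 */
	while (string[0] && string[1]) {
		u_int8_t lo = char2bcd(string[0]);
		u_int8_t hi = char2bcd(string[1]);

		*cur++ = lo | (hi << 4);
		string += 2;
	}

	/*
	 * NOTE(review): this stores the total element size, including the
	 * identifier and length octets themselves.  Check whether the
	 * receiver expects the content length (cur - mi - 2) instead.
	 */
	mi[1] = cur - mi;

	return cur - mi;
}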
739
/*
 * IMSIs of two test handsets, compiled into the binary.  pag_timer_cb()
 * pages nokia_imsi; rokr_imsi is not referenced elsewhere in this file.
 * NOTE(review): an IMSI identifies a subscriber; consider loading these
 * from configuration instead of keeping them in the source.
 */
static const char *nokia_imsi = "7240311131388";
static const char *rokr_imsi = "4660198001300";
742
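/*
 * Timer callback: look up the subscriber for nokia_imsi, build a mobile
 * identity from the stored TMSI, send a paging command for paging groups
 * 0..2 on BTS 0 and re-arm the timer for another 10 seconds.
 *
 * @data is unused.
 *
 * If the network is not initialised, the IMSI does not fit the subscriber
 * record, or the database lookup fails, the function returns without paging
 * and without re-arming the timer.
 */
void pag_timer_cb(void *data)
{
	struct gsm_bts *bts;
	u_int8_t mi[128];
	struct gsm_subscriber _subscr, *subscr = &_subscr;
	unsigned int paging_group, mi_len;
	u_int64_t num_imsi;
	const char *imsi = nokia_imsi;

	/* gsmnet stays NULL when bootstrap_network() failed */
	if (!gsmnet)
		return;
	bts = &gsmnet->bts[0];

	printf("FEUER\n");

#if 1
	int n;

	memset(subscr, 0, sizeof(*subscr));

	/*
	 * Bounded copy instead of strcpy().  sizeof works because imsi must
	 * be an array member: the original strcpy() into a zeroed struct
	 * could not have worked with a pointer.
	 */
	n = snprintf(subscr->imsi, sizeof(subscr->imsi), "%s", imsi);
	if (n < 0 || (size_t)n >= sizeof(subscr->imsi)) {
		fprintf(stderr, "IMSI does not fit the subscriber record\n");
		return;
	}

	/*
	 * The old test "if (!subscr)" could never fire because subscr points
	 * at a local, so a failed lookup went on to page TMSI 0.
	 * Assumes nonzero means failure, as with db_init()/db_prepare() in
	 * main() -- confirm against db.h.
	 */
	if (db_get_subscriber(GSM_SUBSCRIBER_IMSI, subscr) != 0)
		return;

	mi_len = generate_mid_from_tmsi(mi, strtoul(subscr->tmsi, NULL, 10));
#else
	mi_len = string_to_mi(mi, imsi, GSM_MI_TYPE_IMSI);
#endif

	num_imsi = strtoull(imsi, NULL, 10);
	/*
	 * NOTE(review): the computed group is overwritten by the loop below,
	 * which pages every group 0..2 regardless.
	 */
	paging_group = get_paging_group(num_imsi, 1, 3);

	for (paging_group = 0; paging_group < 3; paging_group++)
		rsl_paging_cmd(bts, paging_group, mi_len, mi, RSL_CHANNEED_TCH_F);

	schedule_timer(&pag_timer, 10, 0);
}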
774
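/*
 * Program entry point: parse the options, open and prepare the database,
 * bootstrap the network, start the paging timer and run the select loop
 * forever.
 *
 * Returns 1 if the database or the network cannot be set up; otherwise it
 * never returns.
 */
int main(int argc, char **argv)
{
	int rc;

	/* parse options */
	handle_options(argc, argv);

	if (db_init(database_name)) {
		printf("DB: Failed to init database. Please check the option settings.\n");
		return 1;
	}
	printf("DB: Database initialized.\n");

	if (db_prepare()) {
		printf("DB: Failed to prepare database.\n");
		return 1;
	}
	printf("DB: Database prepared.\n");

	/*
	 * Stop here on failure: with gsmnet unset, the paging timer callback
	 * would dereference a NULL network ten seconds later.
	 */
	rc = bootstrap_network();
	if (rc < 0) {
		fprintf(stderr, "Failed to bootstrap the network: %s\n",
			strerror(-rc));
		return 1;
	}

	pag_timer.cb = pag_timer_cb;
	schedule_timer(&pag_timer, 10, 0);

	while (1) {
		bsc_select_main();
	}
}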