Literature Review:
A Private Cellphone Network
David Brown
28/05/2012
1
Contents
1 Introduction 4
2 The OpenBTS Project 4
3 The GSM Network 5
3.1 Why GSM? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4 GNURadio 6
5 SIP and Asterisk 6
6 Setting Up an OpenBTS Network 7
6.1 Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . 76.2 Assembling the USRP . . . . . . . . . . . . . . . . . . . . . . . . 86.3 The External Clock . . . . . . . . . . . . . . . . . . . . . . . . . . 8
6.3.1 Installing the Clock . . . . . . . . . . . . . . . . . . . . . 96.3.2 Software Patches . . . . . . . . . . . . . . . . . . . . . . . 9
6.4 Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . 96.5 Installing and Con�guring GnuRadio . . . . . . . . . . . . . . . . 106.6 Installing OpenBTS . . . . . . . . . . . . . . . . . . . . . . . . . 126.7 Installing Smqueue . . . . . . . . . . . . . . . . . . . . . . . . . . 136.8 Testing GnuRadio . . . . . . . . . . . . . . . . . . . . . . . . . . 13
6.8.1 USRP Benchmark . . . . . . . . . . . . . . . . . . . . . . 136.8.2 USRP FFT . . . . . . . . . . . . . . . . . . . . . . . . . . 14
6.9 Con�guration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156.9.1 OpenBTS Con�guration . . . . . . . . . . . . . . . . . . . 156.9.2 Get IMSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 166.9.3 Con�gure Asterisk . . . . . . . . . . . . . . . . . . . . . . 186.9.4 smqueue . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
7 Using OpenBTS 18
7.1 Registering a Phone . . . . . . . . . . . . . . . . . . . . . . . . . 187.2 Sending an SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . 197.3 TMSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197.4 Android . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
7.4.1 Sending and Receiving SMS messages from your Application 197.4.2 Data Storage . . . . . . . . . . . . . . . . . . . . . . . . . 21
8 Legal Issues 22
8.1 Testing with Hardware . . . . . . . . . . . . . . . . . . . . . . . . 23
9 The Future of OpenBTS 23
10 Plan of Action 26
2
11 Conclusion 26
References 26
List of Algorithms
1 usrp_�t patch for 52Mhz . . . . . . . . . . . . . . . . . . . . . . 102 Install Boost - Linux Terminal Commands . . . . . . . . . . . . . 113 Install required packages for GnuRadio - Linux Terminal Command 114 Python script to retrieve IMSI . . . . . . . . . . . . . . . . . . . 175 Permissions to add to AndroidManifest.xml . . . . . . . . . . . . 196 sendSMS Algorithm (Java) . . . . . . . . . . . . . . . . . . . . . 207 <receiver> element . . . . . . . . . . . . . . . . . . . . . . . . . . 208 SMSReciever class . . . . . . . . . . . . . . . . . . . . . . . . . . 21
List of Figures
1 OpenBTS System Overview . . . . . . . . . . . . . . . . . . . . . 42 Main components of a GSM network . . . . . . . . . . . . . . . . 53 GNURadio framework . . . . . . . . . . . . . . . . . . . . . . . . 64 Frequency 1783.8 MHz is not used [12] . . . . . . . . . . . . . . . 145 Frequency 1783.8 MHZ is used [12] . . . . . . . . . . . . . . . . . 15
List of Tables
1 Apvrille's software con�guration . . . . . . . . . . . . . . . . . . 112 Plan of Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3
1 Introduction
The OpenBTS project is an attempt to create a low cost, open-source GSMnetwork. The goal is to use a software radio e.g. USRP1 to present an Um(GSM Air Interface) to standard GSM handsets. It then uses a SIP softswitchor PBX e.g. Asterisk to interface calls [4].
Development on OpenBTS began in mid-2007 with the �rst public releaseunder the GPLv3 license coming in September 2008. The initial developers wereHarvind Samra and David Burgess [14].
2 The OpenBTS Project
According to [15, 17, 13], the OpenBTS project is an e�ort to construct anopen-source Unix application that uses the Universal Software Radio Peripheral(USRP) to present a GSM air interface ( also known as an �Um�) to standardGSM handsets and uses the Asterisk VoIP PBX to connect calls.
Axelle Apvrille [12] describes OpenBTS, from an end-users point of view, asan application that allows GSM (Global System for Communication) phones tocall and SMS each other. From an administrator's point of view, she describesOpenBTS as consisting of a USRP connected via a USB port to a Linux boxthat is running Asterisk, GnuRadio and OpenBTS.
Abdul Azad [13] agrees with the above in stating that the project was origi-nally built to implement a GSM air interface that supports normal GSM hand-sets at far cheaper costs than the current commercial systems.
Loula [17]explains this further. The USRP is used to receive and transmitthe GSM signaling. The GNURadio is the free software development toolkitthat is used to do this. It provides the signal processing runtime and processingblocks to implement the software radios. Asterisk is used to interface the GSMcalls between terminals on the network.
Figure 1: OpenBTS System Overview
OpenBTS is written in C++. Fedora and Darwin were the initial supportedplatforms, but the system should be portable to all other Unix variants [15].
4
3 The GSM Network
Alexsander Loula [17] describes a GSM network as being a complex systemconsisting of a number of components (see �gure 2), with the last section beingthe Base Transceiver Station (BTS).
Figure 2: Main components of a GSM network
Transmitting and receiving the Radio Frequency (RF) signals to and fromthe user terminals is the responsibility of the BTS. As depicted in �gure 1, theBTSs are controlled by a Base Station Controller (BSC). This in turn is con-nected to a Mobile Switching Centre/Visitor Location Register, whose respon-sibility it is to authenticate users against the database (HLR - Home LocationRegister, AuC - Authentication Centre) [17].
3.1 Why GSM?
David Burgess and Harvind Samra [15], the founders of the OpenBTS project,describe �ve main reasons for building a GSM stack:
1. The USRP can be easily adapted to perform the role of a GSM transceiverand, if reworked, the hardware can be used as a carrier-grade radio for usein a software BTS.
2. From experience, they knew that a GSM protocol stack, including thesoftware radio, could be implemented in less than 15000 lines of C++code.
3. Much of the need for network infrastructure can be eliminated by movingthe telephone switching functions, calling features and mobility manage-ment functions into a software PBX (Asterisk).
4. Every year, rich nations discard many functional GSM handsets that couldbe reused in developing countries.
5. The cost of service in o�-grid environments can be substantially reducedas, with good hardware design and economical software design, a low-capacity GSM cell can be run from micro wind turbines or solar panels.
5
Figure 3: GNURadio framework
The founders state that they chose GSM over the newer CDMA as it is a proventechnology and 80% of the world's carriers still use it. The GSM speci�cationis also publicly available and most of the important patents will soon expire.CDMA, on the other hand, is highly valued intellectual property and getting acopy of the speci�cation costs several hundred dollars. It's physical layers arealso too complex for an inexpensive all-software radio and do not scale well [15].
4 GNURadio
�GNURadio is a free software toolkit licensed under the GPL for implementingsoftware-de�ned radios� [19].
Although a port, providing limited functionality, has been produced for Win-dows, general GNUradio support is for Linux. According to [19], GNURadiouses a graph to represent a transceiver; the vertices are the signal processingblocks and the data �ow between them is represented by the edges. There areseveral building blocks for information and signal processing included in thepackage.
Valerio [19] states that the graphs are built and run in Python while thelower-level programming, e.g. the creation of the blocks, is done in C++.SWIG2 is used as the interface between the high and low levels. The frameworkis depicted in �gure 3.
According to [19], GNURadio allows engineers to implement a number oftechnologies in the software domain although there are certain limitations thatcan arise and the process can be tedious.
5 SIP and Asterisk
Azad [13] de�nes Asterisk as an IP PBX with integrated VoIP gateway, callcentre system, conference bridge and voice mail server. He states that theAsterisk PBX is used for all call control functions as well as certain mobility
6
management tasks and that it makes use of subscriber IMSIs as Session InitiationProtocol (SIP) usernames. This is backed up by [15], which states that theAsterisk PBX is used for nearly all call control functions. It is also an essentialpart of the mobility management. By pushing as much of the control layer asis possible into the Asterisk PBX, Asterisk is instrumental in the simpli�cationof OpenBTS. To do this, the subscriber IMSIs (International Mobile SubscriberIdentity) are used as SIP usernames. Each GSM handset is then presented toAsterisk as a SIP client [15, 13].
According to [15], OpenBTS's control layer is largely there to perform map-ping operations:
• �GSM location updates get mapped to SIP registrations�
• �Call connection transactions get mapped to corresponding SIP transac-tions�
• �GSM tra�c channels get mapped to RTP channels�
6 Setting Up an OpenBTS Network
OpenBTS has a number of hardware and software dependencies that must beinstalled and con�gured before the network can be used.
6.1 Hardware Requirements
In her guide to installing and using an OpenBTS network [12], Axelle Apvrillelists the following items as requirements for getting OpenBTS up and running(Loula's installation guide [17] provides similar hardware requirements):
• A computer with a USB port where the USRP board can be plugged in.
• USRP 1 - can be purchased from Ettus research for 700 USD [8].
• One or two Daughterboards. Apvrille makes use of a single daughterboard,but recommends using two for better coverage and quality of signals. Thedaughterboard should be chosen according to the targeted GSM bandi.e. the RFX 900 board should be chosen for GSM 850/900 and so on.Despite this, Apvrille suggests buying the RFX1800 regardless of whichGSM band you are targeting as it is simple to convert an RFX1800 into anRFX900 (it requires no hardware modi�cations), but di�cult to convertan RFX900 into an RFX1800 (requires hardware modi�cation - removingan ISM �lter).
• An antenna per daughterboard is required. The antenna must match thedaughterboard.
• 52 MHz External clock.
7
• At least one unlocked mobile phone, which allows the user to manuallyselect the network to connect to.
• One SIM card per phone
• A Magic SIM card reader/writer if Magic SIM cards are being used.
In his experiment, [13] used the USRP-N210 - also made by Ettus Corporation.
6.2 Assembling the USRP
The USRP is hardware that allows general purpose computers to be used as highbandwidth software radios [17]. The USRP does not arrive fully assembled, butis nonetheless easy to put together. Apvrille lays out the following steps[12]:
1. Screw the mainboard onto the black enclosure.
2. On the mainboard, screw the special screws which make sure the daughter-boards are elevated slightly above the mainboard.
3. Connect the RFX daughterboard. If a single board, make sure to connectit on side A (notice the words RXA and TXA) on the right of the boardwhen you are facing the USRP.
4. Install and connect the ventilator to the motherboard.
5. Screw the RF cables on the daughterboard and have them go to the enclo-sure's front panel.
6. Screw the antenna to the RF cable that matches TX/RX of the daughter-board.
7. Close the enclosure (it can be left open as to be able to check that every-thing is connected �ne).
8. Use the USB cable to connect the USRP to your computer.
9. Connect the power supply cable to power.
6.3 The External Clock
Azad [13] states that his experiment found that the onboard clock stability ofthe USRP is not where it needs to be and often loses synchronization with theOpenBTS application when trying to register multiple phones simultaneously.According to [12], unless you are using the RFX 900 daughterboard and arelucky, you will run into problems with the onboard 64 MHz clock. In fact, therehave been so many problems with the onboard clock that the maintainers havedecided to discontinue support for it. If you are not using a 52 MHz clock, youwill not receive help from the maintainers or the mailing list [12].
8
6.3.1 Installing the Clock
Installing the external clock will require some skill in electronics. Apvrille sug-gests that someone who has some experience and the right equipment shouldmount it. She lays out the steps for installing the clock in [12]:
• Modify the USRP to allow it to use an external clock
1. Disable the onboard clock. Move R2029 to R2030T (R2029/R2030is a 0-ohm resistor.
2. Move C925 to C926.
3. Remove C924
• Connect the 52 MHz external clock
The steps involved in connecting the clock are speci�c to the chosen clock.Herman Maritz [18] adds a step onto the beginning of this process (con�rmedby gnuradio.org [9]):
• Solder MSA connector to J2001
6.3.2 Software Patches
A few software and con�guration modi�cations of GnuRadio and OpenBTS arerequired to utilize a 52 MHz clock [12, 9].
• Line 116 of usrp/host/lib/legacy/usrp_basic.cc should read:
d_verbose (false), d_fpga_master_clock_freq(52000000), d_db(2)
• Line 179 of usrp/host/lib/legacy/db_�exrf.cc should read:
return 52e6/_refclk_divisor();
• Line 1024 of usrp/host/lib/legacy/usrp_standard.cc should be commentedout.
Optionally [12], you can also apply the usrp_�t patch (see algorithm 1), whichallows you to set the clocks frequency with the -F option.
6.4 Software Requirements
According to [12, 17], the major software components needed to set up theOpenBTS network are:
• Linux - Apvrille uses Debian 5.0 Lenny, but also recommends Ubuntu.
• GnuRadio
• Asterisk
• OpenBTS
The software con�guration used in [12] is depicted in table 1.
9
Algorithm 1 usrp_�t patch for 52Mhz
diff --git a/gr-utils/src/python/usrp_fft.py b/gr-utils/src/
python/usrp_fft.py
index eda9bd5..3bf4ec2 100755
--- a/gr-utils/src/python/usrp_fft.py
+++ b/gr-utils/src/python/usrp_fft.py
@@ -61,6 +61,8 @@ class app_top_block(stdgui2.std_top_block):
help="select Rx Antenna (only on RFX-series boards)")
parser.add_option("-d", "--decim", type="int", default=16,
help="set fgpa decimation rate to DECIM [default=%default]")
+ parser.add_option("-F", "--fpga-freq", type="eng_float",
+ default=None, + help="set USRP reference clock frequency to
+ FPGA_FREQ", + metavar="FPGA_FREQ")
parser.add_option("-f", "--freq", type="eng_float",
default=None, help="set frequency to FREQ", metavar="FREQ")
parser.add_option("-g", "--gain", type="eng_float",
default=None, @@ -99,6 +101,9 @@ class
app_top_block(stdgui2.std_top_block):
#contains 2 Rx paths with halfband filters and 2 tx paths
(the default)
self.u = usrp.source_c(which=options.which, decim_rate=
options.decim)
+ if options.fpga_freq is not None:
+ self.u.set_fpga_master_clock_freq(long(options.fpga_freq))
+
if options.rx_subdev_spec is None:
options.rx_subdev_spec = pick_subdevice(self.u)
self.u.set_mux(usrp.determine_rx_mux_value(self.u, options.rx_
subdev_spec))
6.5 Installing and Con�guring GnuRadio
There are a number of other packages that must be installed, before GnuRadiocan be installed. According to [12], they can be installed as follows :
1. Install Boost: see algorithm 2 for the commands used for version 1.44.0 ofBoost)
2. Install SDCC (Small Device C Compiler).
3. Install GSL (GNU Scienti�c Library).
4. Install other required packages (see algorithm 3)
Apvrille [12] provides the following instructions for installing GnuRadio 3.2.2:
1. Download the GnuRadio sources
10
SOFTWARE VERSION
Asterisk 1.4.2.1BOOST 1.44.0GnuRadio 3.2.2GSL 1.19kal 0.3libosip2 3.3.0OpenBTS 2.6.x - built from sourcesOS Debian 5.0 LennySDCC 2.9.0
Table 1: Apvrille's software con�guration
Algorithm 2 Install Boost - Linux Terminal Commands
./bootstrap.sh --show-libraries
./bootstrap.sh --with-libraries=thread,date_time,program_option
./bjam --prefix=/opt/boost_1_44_0
• builds locally in:
/home/work/boost_1_44_0
/home/wor/boost_1_44_0/stage/lib
./bjam --prefix=/opt/boost_1_44_0 install
Algorithm 3 Install required packages for GnuRadio - Linux Terminal Com-mand
apt-get install python-numpy \
python-qt4 libqwt5-qt4-dev qt4-dev-tools \
python-qwt3d-qt4 \
libqwtplot3d-qt4-dev python-qt4-dev \
libxt-dev libaudio-dev libpng-dev \
libxi-dev libxrender-dev libxrandr-dev \
libfreetype6-dev libfontconfig-dev \
python-lxml python-cheetah oss-compat \
swig g++ automake1.9 libtool libusb-dev \
libsdl1.2-dev python-wxgtk2.8 guile-1.8-dev \
libqt4-dev python-opengl fftw3-dev
2. If using an external 52MHz clock, apply the patches detailed in section2.3.2.
3. In the case of [12], the library path is set as follows: (this will, again, beversion dependent)
export LD_LIBRARY_PATH=/opt/boost_1_44_0/lib:\
11
/usr/local/lib:$LD_LIBRARY_PATH
4. Con�gure specifying to use Boost:
./configure --with-boost=/opt/boost_1_44_0
5. make and then make install GnuRadio
6. ldcon�g - � ldcon�g creates the necessary links and cache to the most recentshared libraries found in the directories speci�ed on the command line, inthe �le /etc/ld.so.conf, and in the trusted directories (/lib and /usr/lib).�[3]
Once GnuRadio is installed, a USRP group must be added to it and a user mustbe assigned to the group. Apvrille [12] does it as follows:
addgroup usrp
addgroup work usrp
Lastly, [12] states that the USRP rules �le must be written:
ACTION==�add�, BUS==�usb�, SYSFS{idVendor}==�fffe�,
SYSFS{idProduct}==�0002�, GROUP:=�usrp�, MODE:=�0660�
GnuRadio should now be installed.
6.6 Installing OpenBTS
As with GnuRadio, there are a number of steps that must be carried out beforeOpenBTS can be installed. Apvrille [12] lists them as follows:
1. Install libosip2-3.3.0 from sources.
2. Install other requirements:
apt-get install libortp7-* asterisk
3. Boost may have to be linked to local/include
ln -s /opt/boost_1_44_0/include/boost /usr/local/include/boost
4. Library path must be set to:
export LD_LIBRARY_PATH=/opt/boost_1_44_0/lib: \
/usr/local/lib:$LD_LIBRARY_PATH
5. Download the OpenBTS Sources (if you are using old sources and theRFX1800 or a single daughterboard, there are patches to apply). Or, getthe sources from git:
12
git clone git://openbts.git.sourceforge.net/gitroot/openbts/openbts
Another solution is to use the achemeris/sms-split
branch:
$ git branch -a
$ git checkout origin/achemeris/sms-split
Apvrille suggests OpenBTS-UHD as a good choice as it has
a single branch where all work is merged.
$ git clone git://github.com/ttsou/openbts-uhd.git
Once these steps have been taken, OpenBTS must be built [12]:
$ autoreconf -fi
$ ./configure
$ make
If using OpenBTS-UHD, do:
./configure --enable-usrp1
in place of:
./configure
6.7 Installing Smqueue
Smqueue must be running to allow mobile phones to send SMSs to each other onthe OpenBTS network. In the achemeris/sms split branch, smqueue is compiledwith OpenBTS is. It is included in the OpenBTS package in the main branchtoo, but it is not compiled when OpenBTS is built and, as such, smqueue'sMake�le must be manually invoked [12]:
cd ./smqueue
make -f Makefile.standalone
The building of smqueue will fail unless libosip 3.3.0 or greater is installed. Youmay also require g++ 4.3.
6.8 Testing GnuRadio
Apvrille [12] runs the following tests to test her setup (note: the following testswere run using the software versions from [12]):
6.8.1 USRP Benchmark
Connect the USRP to the computer, compile GNURadio and, after entering thefollowing commands (which will run a python script to test USB throughput),you should see several �OKs�:
13
Figure 4: Frequency 1783.8 MHz is not used [12]
$ export LD_LIBRARY_PATH=/opt/boost_1_44_0/lib: \
/usr/local/lib:$LD_LIBRARY_PATH
$ cd /usr/local/share/gnuradio/examples/usrp
$ ./usrp_benchmark_usb.py
6.8.2 USRP FFT
The usrp_�t tool is contained within GNURadio and is a useful tool to testthat the USRP responds correctly and whether a given frequency is being used.To run it:
$ export LD_LIBRARY_PATH=/opt/boost_1_44_0/lib: \
/usr/local/lib:$LD_LIBRARY_PATH
$ /usr/local/bin/usrp_fft.py
To check whether a frequency (1783.8 MHz is used as the uplink frequency inthe following example) is being used:
$ usrp_fft.py -f 1.7838G &
If the frequency is not being used, you should get a relatively �at curve, asrepresented in �gure 4.You can simulate the use of the uplink and downlink frequencies to test if theUSRP responds correctly by entering the following into the CLI:
$ usrp_siggen.py -f 1783.8M
14
Figure 5: Frequency 1783.8 MHZ is used [12]
When running this there should be a peak at the corresponding frequency (See�gure 5). Run the same command for the downlink frequency.
Loula [17] runs similar tests on his setup, but with older versions of thesoftware.
6.9 Con�guration
6.9.1 OpenBTS Con�guration
Apvrille [12, 17] modi�es the default con�guration �le as follows:
• There are two log �les; one for global logging and one for TRX logging.They can be set as follows:
Log.Level INFO
Log.FileName openbts26.log #for openbts v2.6
$static Log.FileName
..
TRX.LogLevel INFO
$static TRX.LogLevel
TRX.LogFileName TRX26.log
$static TRX.LogFileName
• If using a 52MHz clock, the TRX path must be modi�ed:
#TRX.Path ../Transceiver/transceiver
TRX.Path ../Transciever52M/transceiver
$static TRX.Path
15
• When setting the mobile country code and network code, one must becareful not to use anything that real operator is using.
# test country code = 001
GSM.MCC 001
# test network code = 01
GSM.MNC 01
#The MCC and MNC don't have to match those of the SIMs
• The GSM band and channel must be set according to what you plan onusing. Apvrille sets them to:
GSM.Band 1800
$static GSM.Band
GSM.ARFCN 880
$static GSM.ARFCN
• Lastly, Apvrille adds a modi�cation that noti�es end-users that emergencycalls are not supported:
GSM.RACH.AC 0x400
...
Control.NormalRegistrationWelcomeMessage Normal Registration Message.
Welcome to OpenBTS! AGPLv3 openbts.sf.net. We do not support emergency
calls. Your IMSI is
6.9.2 Get IMSI
Phone registration in OpenBTS is based on the IMSI number stored in theSIM card and as such the IMSI must be retrieved before you can use the theSIM with OpenBTS . There are several options for retrieving a SIM cards IMSI(International Mobile Subscriber Identity). Apvrille [12] suggests using eitherthe Python script supplied by [17] (see algorithm 4) or installing an applicationon your mobile phone to retrieve it. Loula's script requires that the pythonserial module be installed to control the phone over serial (USB or RS-232)through AT commands[17]:
sudo apt-get install python-serial
Save the �le (e.g. as �getimsi.py�) and make it executable:
sudo chmod +x getimsi.py
Connect a phone with AT commands through serial port capabilities and runthe script:
./getimsi.py
The ouptut will give you the IMSI, e.g.:
IMSI: 724311320422052
16
Algorithm 4 Python script to retrieve IMSI
# !/usr/bin/env python
# Coded by Alexsander Loula
import serial, string
def readuntilok(s):
ol=[]
while 1:
c=s.read()
if not c:
break
ol.append(c)
ostring=��.join(ol)
if len(ol)>3 and ostring[-4:]==�OK\r\n�:
break
return ostring
def cmd(s,cmd):
s.write(cmd+�\r�)
r=readuntilok(s)
r=r.split(�\n�)
for i in range(len(r)):
r[i]=r[i][:-1]
return r
### INIT Serial Port
ser=serial.Serial('/dev/ttyACMO',115200,timeout=3)
ser.write('ATZ\r')
line=ser.read(10)
### Read IMSI
imsi = cmd(ser, 'AT+CIMI')[1]
imsi = imsi.split()[-1]
imsi = 'IMSI: ' + imsi[1:16]
print imsi
### Close Serial Port
ser.close()
17
6.9.3 Con�gure Asterisk
The IMSI is used to con�gure Asterisk. There are two Asterisk �les that needto be set: �/etc/asterisk/extensions.conf� and �/etc/asterisk/-sip.conf� [17, 12].
• First backup the two �les [17]
• Apvrille [12] states that one extension per mobile must be added to �ex-tensions.conf� and this is backed up by [17]:
exten => 2102,1,Macro(dialSIP,724311320422052)
• In the �sip.conf� �le, one tag per SIM must be added [17, 12]:
[724311320422052]; <- The IMSI is used as a SIP user ID
canreinvite=no
type=friend
context=sip-external
allow=gsm
host=dynamic
• Restart Asterisk
sudo /etc/init.d/asterisk restart
6.9.4 smqueue
According to Apvrille [12], to get smqueue working correctly, ipv6 must bedisabled (stops smqueue for complaining about binding to an address) and afew minor changes need to be made in the �smqueue.con�g� �le:
• In certain circumstances (�such as sending a registration SMS �), smqueuewill crash unless the following line is added:
Log.Alarms.Max 10
• Create a text �le called �savedqueue.txt� in the �./smqueue� directory
• smqueue must be run as root
7 Using OpenBTS
7.1 Registering a Phone
To register a phone, plug in the USRP and execute OpenBTS [17, 12]:
./apps/OpenBTS
Switch on the mobile phone and force the phone to use the OpenBTS network.Loula [17] gives an example of what you should see on the OpenBTS CLI atphone registration on page 16 of his �OpenBTS Installation and Con�gurationGuide�.
18
7.2 Sending an SMS
To test SMS capability, enter the following from the OpenBTS console [12]:
OpenBTS> sendsms 208123456789012 24567
blah blah
where 208123456789012 is the IMSI of the phone to send the SMS to and 24567is the source phone number.
If two phones are registered on the network, they should now be able to sendSMSs to each other in the same manner as you would on your usual network[12];
7.3 TMSI
It is possible to view the Temporary Mobile Subscriber Identities (TMSI) of allthe phones registered on the network:
OpenBTS> tmsi
7.4 Android
According to their website, Android is currently the most popular mobile plat-form in the world [1]. This is backed up by [16], who states that Android iscurrently the �No. 1 smartphone operating system�.
7.4.1 Sending and Receiving SMS messages from your Application
The following is an example, gleaned from [7], in which an Android applicationis created, using Java in Eclipse, that can send and receive SMSs.
Once a new Android project is created, the AndroidManifest.xml �le mustbe modi�ed (see algorithm 5), adding the permissions:
• SEND_SMS; and
• RECEIVE_SMS
Algorithm 5 Permissions to add to AndroidManifest.xml
<uses-permission android:name="android.permission.SEND_SMS">
</uses-permission>
<uses-permission android:name="android.permission.RECEIVE_SMS">
</uses-permission>
The following Java code to send an SMS via an Android application is putforward by [7]:
19
Algorithm 6 sendSMS Algorithm (Java)
private void sendSMS(String phoneNumber, String message)
{
PendingIntent pi = PendingIntent.getActivity(this,
0, new Intent(this, SMS.class), 0);
SmsManager sms = SmsManager.getDefault();
sms.sendTextMessage(phoneNumber, null, message,
pi, null);
}
It is also possible to intercept incoming messages from within your applicationby using a BroadcastReciever object [7].
The <receiver> element must be added to the AndroidManifest.xml �le sothat incoming SMSs can be intercepted:
Algorithm 7 <receiver> element<receiver android:name=".SmsReceiver">
<intent-filter>
<action android:name=
"android.provider.Telephony.SMS_RECEIVED" />
</intent-filter>
</receiver>
Having done this, a new class - perhaps called SMSReceiver - that extendsBroadcastReceiver must be added and the onReceive() method must be over-written [7] (see algorithm 8).
20
Algorithm 8 SMSReciever classimport android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.telephony.gsm.SmsMessage;
import android.widget.Toast;
public class SmsReceiver extends BroadcastReceiver
{
@Override
public void onReceive(Context context, Intent intent)
{
//---get the SMS message passed in---
Bundle bundle = intent.getExtras();
SmsMessage[] msgs = null;
String str = "";
if (bundle != null)
{
//---retrieve the SMS message received---
Object[] pdus = (Object[]) bundle.get("pdus");
msgs = new SmsMessage[pdus.length];
for (int i=0; i<msgs.length; i++)
{
msgs[i] = SmsMessage.createFromPdu((byte[])pdus[i]);
str += "SMS from " + msgs[i].getOriginatingAddress();
str += " :";
str += msgs[i].getMessageBody().toString();
str += "\n";
}
//---display the new SMS message---
Toast.makeText(context, str, Toast.LENGTH_SHORT).show();
}
}
}
7.4.2 Data Storage
According to [2], there are �ve main options to be considered when selecting ameans to store persistent application data:
21
• Shared Preferences
Shared preferences allows for private primitive data to be stored in key-valuepairs. Primitive data refers to: booleans, �oats, ints, longs, and strings. Thisdata will persist, even if a session is killed.
• Internal Storage
Internal storage allows for private data to be saved directly to the device'sinternal memory. These �les can only be accessed by your application andwhen your application is uninstalled, the �les are removed.
• External Storage
All Android devices support some kind of shared external storage. This can bein the form of internal storage or removable storage media such as an SD card.Files saved to the external storage are world-readable and can be modi�ed by theuser when they enable USB mass storage to transfer �les on a computer.
• SQLite Database
SQLITE databases are fully supported by the Android OS.
• Network Connection
The network can be used to retrieve data from web-based services.
8 Legal Issues
According to [12], certain GSM bandwidths are regulated by authorities. Reg-ulations may vary depending on the country you are working in. Users shouldcheck what is authorized in their country if they require a test license or a givenchannel etc. Burgess et al. [15] agree with [12] on this matter, stating that radiotransmissions are regulated everywhere on the planet. It is highly recommendedthat, before using any radio equipment or any of the OpenBTS software, theuser checks the local telecom and radio regulations [15]. According to [15]:
1. If you are transmitting in a licensed band and your transmissions are de-tectable more than a few metres away then you are probably breaking thelaw.
2. If you are receiving signals from a licensed public network in su�cient vol-ume to comprehend conversations, determine the contexts of data trans-missions or determine the identities of users then you are probably breakingthe law.
3. If you are outside of North America and Europe and using VoIP over apublic network, you may be breaking the law.
22
The OpenBTS project is, so much as possible, licensed under the BSD license.Some modules are subject to the GPL, for example, �parts of the system thatlink to the USRP drivers� [15].
The 3rd Generation Partnership Project (3GPP) of the European Telecom-munications Standards Institute (ETSI) controls the GSM standard. There areabout 200 patents on important parts of the standard, held by ETSI membercompanies. To use GSM commercially, a license must be arranged with theholders of these patents [15, 13].
Abul Azad [13] con�rms the statements made above, saying that, dependingon where you implement the OpenBTS network, one needs to understand thatthere may be a number of legal implications that must �rst be addressed.
8.1 Testing with Hardware
Many good software unit-testing tools are provided by the OpenBTS team, butthe only real way to verify whether the network is really working or not is to testit with real phones. For this you need an RF testing environment that allowsyou to test your network legally [15]:
1. Closed RF Environments
An environment in which all signals are contained within Faraday cagesor cables [15].
2. ISM Bands
Certain parts of the world will allow up to 1W of transmission in unlicensedbands, allowing for a low range GSM network to be constructed.
3. Limited Power
It may be possible, depending on regulations in the area, to operate theBTS at very low power over a range of a couple of metres. Unfortunately,this strategy may add a few hundred dollars to the price of the developmentkit as you will need a preamp on the input of the USRP. This is becausethe receiver on the USRP is not very sensitive and if the transmit poweron the handset is too low, the receiver will not receive the uplink signal[15].
4. Fallow Spectrum
In rural areas there are plenty of open ARFCNs that you may be able toget temporary or experimental licenses for [15].
9 The Future of OpenBTS
According to [15], which was written in 2008, the next steps for the OpenBTSproject (once the basic GSM stack was operational) were to add:
1. TMSI support to allow partial anonymization of subscribers;
23
2. SMS text messaging;
3. Handovers;
4. Half-rate services;
5. Other vocoders;
6. Multiple ARFCNs (Absolute radio-frequency channel number);
7. Frequency hopping;
8. GPRS; and
9. EDGE
A number of these have since been achieved including TMSI support and SMStext messaging [12]. As of July 2011, GPRS and EDGE were still not supported[11], but in late October, 2011, on a forum on SourceForge, Alexander Chemerisand Ivan Kluchnikov announced that they had begun work on a GPRS imple-mentation for OpenBTS. They also made their code available, but warned thatit was only for those wanting to participate in the development and was notready to be implemented yet [5].
According to gnuradio.org [10], which is one of the main resources for OpenBTSdocumentation, the current plan or �ToDo list� for OpenBTS public release isas follows:
• Create more documentation
� This includes manuals and tutorials and any other form of documen-tation the OpenBTS community might �nd useful.
• Test OpenBTS against the standard conformance tests
� Mainly the GSM and SIP conformance tests
• Create wider support for audio codecs
� Enhanced Full-Rate (EFR);
� Half-Rate (HR); and
� Adaptive Multi-Rate (AMR)
• Add authentication support
• Add encryption support
• Integrate the Home Location Register (HLR) with traditional GSM HLRs
• Add support for data transfer services
� GPRS (as mentioned above, this is currently in progress)
24
� EGPRS (or EDGE)
� CSD
• Certain parts of the system need to be optimized
� The transceiver is computationally intensive, many malloc calls needto be eliminated, and the general architecture needs to be optimized
• Add handover support
� GSM-side handover support needs to be added
� SIP-side handover support needs to be added
• Add more SMS functionality
� Delivery reports
� The �more Messages to Send� �ag should be handled in the SMSTransport Layer. Increased SMS sending e�ciency can be gained inthe common case of multi-part SMSs if the channel is not shut downwhen this �ag is set.
• Support for DTX should be added
� Discontinuous transmission refers to the means by which, �when apause is detected during a voice call, the radio transmissions for theduration of the pause are discontinued or suspended � [6].
� According to [6], DTX can:
∗ reduce interference
∗ reduce the power consumption of hand-held terminals
• Improvements and integration with external services can be added toUSSD (Unstructured Supplementary Service Data)
• Add 3G/IMS (IP Multimedia Subsystem) core network integration
• Improve internal CLI
• Improve RRLP (Radio resource location services protocol) support
• Improve logging facility
• Create a web-interface for the con�guration, control and monitoring ofOpenBTS
25
10 Plan of Action
Task Date completed by
Finish Android App (�RUAtLectures�) 15 June 2012Install OpenBTS and operate it with 3G dongle 23 July 2012Install GnuRadio and all its dependencies 23 July 2012Prepare and present Seminar 2 presentation 24 July 2012Operate OpenBTS with USRP 10 September 2012Submit Short Paper 17 September 2012Complete Lecture Theatre System 30 September 2012Prepare and present Seminar 3 presentation 29 October 2012Complete and submit thesis 2 November 2012Complete website 5 November 2012Complete Oral Examination 21 November 2012
Table 2: Plan of Action
11 Conclusion
OpenBTS attempts to provide an open-source GSM network at a fraction of thecost of what today's carriers provide. It works with GNURadio, Asterisk andthe USRP hardware in its attempt to do this.
Installing OpenBTS is a fairly complex and demanding task. Once it is upand running, however, making use of the system (registering phones, makingcalls and sending SMSs) is fairly simple.
Unfortunately, depending on the country, OpenBTS has certain legal issuesthat need �rst be looked into if one wants to set up a network.
As Android is currently the most popular smartphone OS in the world, itmakes for a good choice when selecting a platform on which to create a mobileapplication. It allows applications to receive the most exposure, it is simple todevelop on, and it o�ers a variety of data storage options depending on needsof the user.
OpenBTS is still far from complete and developers are encouraged to getinvolved in it's development. To this end, a �ToDo list� has been placed on [10].
References
[1] Android - Discover Android. Online. Available from: http://www.
android.com/about/.
[2] Data Storage | Android Developers. Online. Available from: http://
developer.android.com/guide/topics/data/data-storage.html.
[3] ldcon�g(8) - Linux man page. Online. Available from: view-source:http://linux.die.net/man/8/ldconfig.
26
[4] rangepublic. Online. Available from: http://wush.net/trac/
rangepublic.
[5] SourceForge.net: OpenBTS: openbts-discuss. Online. Available from:http://sourceforge.net/mailarchive/forum.php?thread_name=
CA%2BQHiD9g96fPe5cFRV%3D-w%3DPg7aSQ0d7nj-JyYfgeodzENgq7bg%
40mail.gmail.com&forum_name=openbts-discuss.
[6] Discontinuous Transmission. Online, 2008. Available from:http://wireless.agilent.com/rfcomms/refdocs/gsm/gprsla_gen_
bse_dtx.html.
[7] SMS Messaging in Android. Online, 2009. Available from: http://
mobiforge.com/developing/story/sms-messaging-android.
[8] Ettus Research. Online, 2012. Available from: https://www.ettus.com/.
[9] GNU Radio - OpenBTSClockModi�cations - gnuradio.org. Online, 2012.Available from: http://gnuradio.org/redmine/projects/gnuradio/
wiki/OpenBTSClockModifications.
[10] GNU Radio - OpenBTSPlan - gnuradio.org. Online, 2012. Avail-able from: http://gnuradio.org/redmine/projects/gnuradio/wiki/
OpenBTSPlan.
[11] Ahmed Fouad Ahmed Marzban, Ahmed Sayed Mohamed Ali, M.
O. D. A. M. A.-E. M. O. Importing open-bts software on beagleboard,July 2011.
[12] Apvrille, A. Openbts for dummies, August 2011.
[13] Azad, A. Open bts implementation with universal software radio periph-eral, 2011.
[14] Burgess, D. Low Cost Cellular Networks with OpenBTS. Online, 2010.Available from: http://timreview.ca/article/332.
[15] David A. Burgess, H. S. S. The open bts project, August 2008.
[16] Efrati, A. Google Shifts Tack on Android. Online, May2012. Available from: http://online.wsj.com/article/
SB10001424052702304371504577406511931421118.html.
[17] Loula, A. Openbts installation and con�guration guide v0.1, May 2009.
[18] Maritz, H. OPENBTS FIX: CONNECT EXTERNAL CLOCKTO USRP. Online: ttp://gsm.posterous.com/openbts-�x-connect-external-clock-to-usrp. Available from: http://gshm.posterous.com/
openbts-fix-connect-external-clock-to-usrp.
27
[19] Valerio, D. Open source software-de�ned radio: A survey on gnura-dio and its applications. Tech. rep., Telecommunications Research Center,Vienna, 2008.
28
![[eBook] OpenBTS Guide](https://cdn.vdocuments.net/doc/165x107/55cf9463550346f57ba1abfd/ebook-openbts-guide.jpg)
