3G SDR system review v20181024

Demo:
Wiki: https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5_--_unicornteam ; 参考: https://cn0xroot.com/2017/04/11/getting-started-with-3g-ip-access-nano3gopenbscosmocom-bb-part-1/

软件源切换到国内中科大:

sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak
sudo vim /etc/apt/sources.list
# 默认注释了源码镜像以提高 apt update 速度,如有需要可自行取消注释
deb https://mirrors.ustc.edu.cn/ubuntu/ xenial main restricted universe multiverse
# deb-src https://mirrors.ustc.edu.cn/ubuntu/ xenial main main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ xenial-updates main restricted universe multiverse
# deb-src https://mirrors.ustc.edu.cn/ubuntu/ xenial-updates main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ xenial-backports main restricted universe multiverse
# deb-src https://mirrors.ustc.edu.cn/ubuntu/ xenial-backports main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ xenial-security main restricted universe multiverse
# deb-src https://mirrors.ustc.edu.cn/ubuntu/ xenial-security main restricted universe multiverse

安装依赖:

sudo apt-get install git libghc-gnutls-dev build-essential gcc g++ make automake autoconf libtool pkg-config libtalloc-dev libpcsclite-dev libortp-dev libsctp-dev libssl-dev libdbi-dev libdbd-sqlite3 libsqlite3-dev libpcap-dev libc-ares-dev sqlite3
wget http://download-mirror.savannah.gnu.org/releases/linphone/ortp/sources/ortp-0.22.0.tar.gz
tar -xvf ortp-0.22.0.tar.gz
cd ortp-0.22.0/
./configure
make
sudo make install
sudo ldconfig

下载编译脚本

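# Fetch the example 3G configuration bundle and unpack it.
wget https://osmocom.org/attachments/download/2726/3G-config-example.tar
# The original listing had 'tar -xvf' with no archive name, which just errors out.
tar -xvf 3G-config-example.tar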

下载osmocom 2017年7月份之前的代码: osmocom_build 2017

解压后在build目录中执行clone and build,编译2017年的代码版本。

若要使用最新的代码,需参考 https://osmocom.org/projects/cellular-infrastructure/wiki/Osmocom_Network_In_The_Box

最后安装rxvt-unicode终端:

sudo apt-get install rxvt-unicode

查找 ip.access nano3G IP

cd openbsc/openbsc/src/ipaccess

Snip20181028_4

sudo ./abisip-find $网卡名称

abisip-find会向当前网段发出广播数据包,ip.access nano3G 设备接收到该数据包后会做出响应并返回自身IP地址:

Snip20181028_5

修改run 目录下配置文件:

网络结构:

ubuntu ens33网卡ip:192.168.99.234 

ip.access nano3G:192.168.99.163
run.sh
dev=网卡名称  (如虚拟机ens33)
addr:改成ubuntu net映射IP
run.sh 配置案例:
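#!/usr/bin/env bash
# Brings up the Osmocom 3G core: adds the GGSN address to $dev, enables
# forwarding + NAT, then launches each daemon in its own urxvt window.

#enable_tcpdump=yes

# Interface towards the nano3G (e.g. ens33 in a VM).
dev=ens33

# If you'd like to get rid of all SMS still pending from a previous run:
#sqlite3 sms.db "delete from sms"

# Address the GGSN listens on; must match 'listen' in ggsn.conf.
addr="192.168.99.8"
# First run after boot: the /32 is not present yet, so add it and set up NAT.
if ! ip a | grep -qF -- "$addr/32"; then
  echo "sudo ip addr add $addr/32 dev $dev"
  sudo ip addr add "$addr/32" dev "$dev"
  sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
  # NOTE(review): this masquerades everything leaving $dev, not only UE
  # traffic; adding '-s <UE subnet from the ggsn.conf net line>' would narrow
  # the rule — confirm the subnet before changing it.
  sudo iptables -t nat -A POSTROUTING -o "$dev" -j MASQUERADE
fi

# Per-run log directory; moved to log/ or autolog/ at the end of the script.
logdir="current_log"
mkdir -p "$logdir"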

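# Launch a command in its own urxvt window and keep the window open until the
# user types "q" + Enter, so the daemon's output can still be read after it
# exits. Replaces the calling (background) shell via exec.
#   $1 - command line to run; it is interpolated into the sh -c string, so it
#        must be a trusted string from this script, never user input
#   $2 - optional window title; defaults to the basename of the command's
#        first word
term() {
  local title="$2"
  if [ -z "$title" ]; then
    # The original 'basename $@' word-split a multi-word command and made
    # basename fail with "extra operand"; take the first word instead.
    title="${1%% *}"
    title="${title##*/}"
  fi
  exec urxvt -title "CN:$title" -e sh -c "export LD_LIBRARY_PATH='/usr/local/lib'; $1; echo; while true; do echo 'q Enter to close'; read -r q_to_close; if [ \"x\$q_to_close\" = xq ]; then break; fi; done"
}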

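# Optional packet capture on the backhaul interface and loopback; SSH is
# excluded so an interactive session does not flood the trace. Both captures
# are background jobs (%1/%2) and are stopped by the kill/killall block below.
if [ -n "$enable_tcpdump" ]; then
  # Capture on $dev (the original hard-coded eth0, which does not match
  # dev=ens33) and write under $logdir so the files are archived with the run.
  sudo tcpdump -i "$dev" -n -w "$logdir/$dev.single.pcap" -U not port 22 &
  sudo tcpdump -i lo -n -w "$logdir/lo.single.pcap" -U not port 22 &
fi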

# Daemons to start, in this order, each in its own urxvt window via term().
# Entry format: "<window title>|<command line>|<pause after launch>"; the
# longer pause before HNBGW presumably gives the MSC time to come up.
services=(
  "GGSN|sudo LD_LIBRARY_PATH=/usr/local/lib ggsn -f -c ggsn.conf --statedir=$PWD|.2"
  "HLR|LD_LIBRARY_PATH=/usr/local/lib osmo-hlr -c osmo-hlr.cfg|.2"
  "SGSN|osmo-sgsn -c osmo-sgsn.cfg|.2"
  "MGCP|osmo-bsc_mgcp -c mgcp.cfg|.2"
  "MSC|osmo-msc|2"
  "HNBGW|osmo-hnbgw|"
)
for entry in "${services[@]}"; do
  IFS='|' read -r label cmd delay <<<"$entry"
  term "$cmd" "$label" &
  if [ -n "$delay" ]; then
    sleep "$delay"
  fi
done

#echo enter to send MT SMS
#read enter_to_send
#echo subscriber id 2 sms sender id 1 send testsmstext | nc -x localhost 4254

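# Block until the operator presses Enter, then tear everything down.
echo enter to close
read -r enter_to_close

# Jobs %1.. are the urxvt windows started above, preceded by the two tcpdump
# jobs when captures were enabled. The killall calls that follow presumably
# cover daemons that outlive their window.
# NOTE(review): ggsn (started under sudo) is not stopped here — confirm
# whether that is intended.
if [ -n "$enable_tcpdump" ]; then
  kill %1 %2 %3 %4 %5 %6 %7 %8
else
  kill %1 %2 %3 %4 %5 %6
fi
killall osmo-msc
killall osmo-sgsn
killall osmo-hnbgw
killall osmo-bsc_mgcp
killall osmo-hlr

if [ -n "$enable_tcpdump" ]; then
  # tcpdump runs under sudo, so the job kill above only reaches the wrapper.
  sudo killall tcpdump
fi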

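# Archive this run: copy the configs into the log dir, then move the whole dir
# to a named (log/<name>) or timestamped (autolog/...) location and point the
# 'lastlog' symlink at it.
set +e
cp \
    ggsn.conf \
    osmo-msc.cfg \
    osmo-sgsn.cfg \
    mgcp.cfg \
    osmo-hnbgw.cfg \
    osmo-hlr.cfg \
    "$logdir"

echo
echo enter name to save log
read -r log_name
# The name becomes a single path component under log/; a slash or ".." would
# either make the mv below fail or land the logs outside log/, so fall back
# to the timestamped name instead.
case "$log_name" in
  */* | .. | .)
    echo "invalid log name, using autolog: $log_name" >&2
    log_name=""
    ;;
esac
if [ -n "$log_name" ]; then
  mkdir -p log
  newlogdir="log/$log_name"
else
  mkdir -p autolog
  newlogdir="autolog/log_$(date +%Y-%m-%d_%H-%M-%S)"
fi

if [ -n "$enable_tcpdump" ]; then
  mergecap -w "$logdir/trace.pcap" "$logdir/"*.single.pcap
  #rm "$logdir/"*.single.pcap
fi

# -e rather than -x: any existing entry, not only an executable one, must
# keep the log dir from being moved into or over it.
if [ -e "$newlogdir" ]; then
  echo "already exists, move it manually: $newlogdir"
else
  echo mv "$logdir" "$newlogdir"
  mv "$logdir" "$newlogdir"
  mkdir -p "$logdir"
  logdir="$newlogdir"
fi
# -L as well: a dangling lastlog symlink fails -e but still blocks ln -s.
if [ -e lastlog ] || [ -L lastlog ]; then
  rm lastlog
fi
ln -s "$logdir" lastlog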

ggsn.conf:

原始配置文件:

# TAG: listen
# Specifies the local IP address to listen to
listen 192.168.0.133
#TAG:net
net 192.168.42.0/24

监听的IP修改成ubuntu的网卡NET映射的IP地址(在run脚本中的那个IP),UE 手机端的网段可改成192.168.88.0/24:

# TAG: listen
# Specifies the local IP address to listen to
listen 192.168.99.8
#TAG:net
net 192.168.88.0/24
mgcp.cfg
log stderr
logging print extended-timestamp 1
logging level all debug
logging filter all 1
log file current_log/mgcp.log
logging filter all 1
logging color 1
logging print category 1
logging timestamp 1
logging print extended-timestamp 1
logging level all debug
mgcp
local ip 192.168.0.132
bind ip 192.168.0.132
bind port 2427
rtp base 4000
rtp force-ptime 20
sdp audio payload number 98
sdp audio payload name AMR/8000
number endpoints 31
no rtcp-omit
! Accepting RTP streams from any base station. To limit RTP streams to one
! specific base station, use:
!bts ip 192.168.0.124

local IP、bind IP修改成ubuntu 的IP地址,BTS IP修改成ip.access nano3G 的IP(该行以 ! 开头时仍是注释;若要只接受该基站的RTP流,需去掉行首的 !):

local ip 192.168.99.234
bind ip 192.168.99.234
!bts ip 192.168.99.163
osmo-hnbgw.cfg
log file current_log/hnbgw.log
logging filter all 1
logging color 1
logging print category 1
logging timestamp 1
logging print extended-timestamp 1
logging level all debug
hnbgw
iuh
local-ip 192.168.0.132
hnbap-allow-tmsi 1

local-ip 修改成ubuntu IP:

local-ip 192.168.99.234
osmo-msc.cfg
!
! OpenMSC configuration saved from vty
!
password foo
!
line vty
 no login
!
network
 network country code 901
 mobile network code 98
 short name OsmoMSC
 long name OsmoMSC
 auth policy closed
 location updating reject cause 13
 encryption a5 0
 rrlp mode none
 mm info 1
! handover 0
! handover window rxlev averaging 10
! handover window rxqual averaging 1
! handover window rxlev neighbor averaging 10
! handover power budget interval 6
! handover power budget hysteresis 3
! handover maximum distance 9999
! timer t3101 10
! timer t3103 0
! timer t3105 0
! timer t3107 0
! timer t3109 4
! timer t3111 0
! timer t3113 60
! timer t3115 0
! timer t3117 0
! timer t3119 0
! timer t3141 0
msc
  mgcpgw remote-ip 192.168.0.132
! iu rab-assign-addr-enc v4raw
! no assign-tmsi
log stderr
 logging print extended-timestamp 1
 logging level all debug
 logging filter all 1
 logging print category 1
log file current_log/msc.log
 logging filter all 1
 logging color 1
 logging print category 1
 logging timestamp 1
 logging print extended-timestamp 1
 logging level all debug

MCC、MNC改成 901、70,mgcpgw改成ubuntu IP:

 network country code 901
 mobile network code 70
 mgcpgw remote-ip 192.168.99.234
osmo-sgsn.cfg
!
! Osmocom SGSN configuration
!
!
line vty
 no login
!
sgsn
 gtp local-ip 192.168.0.132
 ggsn 0 remote-ip 192.168.0.133
 !auth-policy accept-all
 auth-policy remote
 gsup remote-ip 127.0.0.1
 gsup remote-port 2222
! iu rab-assign-addr-enc v4raw
!
ns
 timer tns-block 3
 timer tns-block-retries 3
 timer tns-reset 3
 timer tns-reset-retries 3
 timer tns-test 30
 timer tns-alive 3
 timer tns-alive-retries 10
 encapsulation udp local-ip 127.0.0.1
 encapsulation udp local-port 23000
 encapsulation framerelay-gre enabled 0
!
bssgp
!
log stderr
 logging print extended-timestamp 1
 logging level all debug
 logging filter all 1
log file current_log/sgsn.log
 logging filter all 1
 logging color 1
 logging print category 1
 logging timestamp 1
 logging print extended-timestamp 1
 logging level all debug

gtp 修改成ubuntu IP,ggsn修改成Ubuntu NET映射IP(即run.sh中的addr):

 gtp local-ip 192.168.99.234
 ggsn 0 remote-ip 192.168.99.8

注册用户:

参考 https://osmocom.org/projects/cellular-infrastructure/wiki/Getting_Started_with_3G#Subscriber-Configuration

Once off, the HLR database needs to be created using the file osmo-hlr/sql/hlr.sql:

sqlite3 hlr.db < osmo-hlr/sql/hlr.sql

This hlr.db needs to be found by the osmo-hlr binary — either place it in the current working directory when launching osmo-hlr, or use the osmo-hlr -l my/hlr.db commandline option to pass a specific path.

Update the HLR database to add your IMSIs

$ sqlite3 hlr.db 
sqlite> insert into subscriber (imsi, msisdn) values ('901700000099999', '999');
sqlite> select id, imsi from subscriber;
2342|901700000099999
sqlite> insert into auc_3g (subscriber_id, algo_id_3g, k, opc) values (2342, 5, '0102030405060708090a0b0c0d0e0f00', 'f0e0d0c0b0a090807060504030201000');

The numbers (except ‘5’) are freely chosen and will all differ for you:

  • 901700000099999: IMSI of your USIM.
  • 999: MSISDN, i.e. the subscriber’s telephone number. Your choice.
  • 2342: the automatically created subscriber id, probably 1 for you.
  • 5: use Milenage. see enum osmo_auth_algo in libosmocore’s crypt/auth.h
  • ‘0102030405060708090a0b0c0d0e0f00’: KI, you got it with your USIM
  • ‘f0e0d0c0b0a090807060504030201000’: OPC, you got it with your USIM

在run目录下执行:

sudo sqlite3 hlr.db

sqlite> insert into subscriber (imsi, msisdn) values ('901700000014929', '999');

检测是否写入成功:

sqlite> select id, imsi from subscriber;
1|901700000014929

返回的 1 是自动生成的 subscriber id(下一步插入 auc_3g 时要用到),其后是 IMSI 号码

sqlite> insert into auc_3g (subscriber_id, algo_id_3g, k, opc) values (1, 5, '265C321361DD2AA305AFC359419DEBCC', 'BA808742C98AC651A5F595F387FF4BA4');

配置IP.access nano 3G(hnbGwAddress 应填写 osmo-hnbgw 监听的地址,即 osmo-hnbgw.cfg 中的 local-ip):

telnet 192.168.99.163 8090

dmi>

# PLMN Id == MCC + MNC
set mcc="901" 
set mnc="70" 

# [uarfcnDownlink, 1900 MHz band], [scramblingCode], [dummyCellId]
set rfParamsCandidateList=({9800, 401, 1})

# [lac], [rac]
set lacRacCandidateList=({10422, (99)})
set hnbGwAddress="192.168.99.196" 
action 2061
action 1216
action establishPermanentHnbGwConnection
set csgAccessMode=CSG_ACCESS_MODE_OPEN_ACCESS

 

最后通过run目录下的run.sh启动3G基站:

Snip20181028_1

手机搜索网络:

WechatIMG7

WechatIMG1

通过wireshark抓取手机端所有流量:

Snip20181028_2

Note:本文为HITB 2018 Beijing培训文档
