1 /* Bootstrapping GSM - taken from bsc_hack.c */
3 /* (C) 2008-2009 by Harald Welte <laforge@gnumonks.org>
4 * (C) 2009 by Holger Hans Peter Freyther <zecke@selfish.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
41 #include <openbsc/gsm_data.h>
42 #include <openbsc/gsm_04_08.h>
43 #include <openbsc/db.h>
44 #include <openbsc/timer.h>
45 #include <openbsc/select.h>
46 #include <openbsc/abis_rsl.h>
47 #include <openbsc/abis_nm.h>
48 #include <openbsc/debug.h>
49 #include <openbsc/misdn.h>
50 #include <openbsc/telnet_interface.h>
51 #include <openbsc/paging.h>
52 #include <openbsc/e1_input.h>
53 #include <openbsc/signal.h>
/* Band selector, initialised to GSM 900. No reader or writer of BAND appears
 * in the visible part of this listing. */
56 static enum gsm_band BAND = GSM_BAND_900;
58 /* The following definitions are for OM and NM packets that we cannot yet
59 * generate by code but we just pass on */
61 // BTS Site Manager, SET ATTRIBUTES
64 Object Class: BTS Site Manager
69 sAbisExternalTime: 2007/09/08 14:36:11
71 shortLAPDIntTimer: 5sec
72 emergencyTimer1: 10 minutes
73 emergencyTimer2: 0 minutes
/* Raw OML SET ATTRIBUTES message for the BTS Site Manager object. It is sent
 * byte-for-byte through abis_nm_raw_msg() during BS-11 bootstrap.
 * NOTE(review): neither static nor const, although only this file's bootstrap
 * code is seen using it; confirm there are no external users before narrowing
 * the linkage. */
76 unsigned char msg_1[] =
78 NM_MT_BS11_SET_ATTR, NM_OC_SITE_MANAGER, 0xFF, 0xFF, 0xFF,
79 NM_ATT_BS11_ABIS_EXT_TIME, 0x07,
/* 0x07D7 = 2007, month 9, day 8, 14:36:11: the fixed sAbisExternalTime from the
 * dump above. The trailing 0xCE is not explained in the visible text. */
80 0xD7, 0x09, 0x08, 0x0E, 0x24, 0x0B, 0xCE,
83 NM_ATT_BS11_SH_LAPD_INT_TIMER,
85 0x42, 0x02, 0x00, 0x0A,
86 0x44, 0x02, 0x00, 0x00
89 // BTS, SET BTS ATTRIBUTES
97 bsIdentityCode / BSIC:
100 BTS Air Timer T3105: 4 ,unit 10 ms
102 periodCCCHLoadIndication: 1sec
103 thresholdCCCHLoadIndication: 0%
104 cellAllocationNumber: 00h = GSM 900
105 enableInterferenceClass: 00h = Disabled
106 fACCHQual: 6 (FACCH stealing flags minus 1)
107 intaveParameter: 31 SACCH multiframes
108 interferenceLevelBoundaries:
109 Interference Boundary 1: 0Ah
110 Interference Boundary 2: 0Fh
111 Interference Boundary 3: 14h
112 Interference Boundary 4: 19h
113 Interference Boundary 5: 1Eh
115 GSM range: 2=39dBm, 15=13dBm, stepsize 2 dBm
116 DCS1800 range: 0=30dBm, 15=0dBm, stepsize 2 dBm
117 PCS1900 range: 0=30dBm, 15=0dBm, stepsize 2 dBm
120 Maximum number of repetitions for PHYSICAL INFORMATION message (GSM 04.08): 20
121 powerOutputThresholds:
122 Out Power Fault Threshold: -10 dB
123 Red Out Power Threshold: - 6 dB
124 Excessive Out Power Threshold: 5 dB
125 rACHBusyThreshold: -127 dBm
126 rACHLoadAveragingSlots: 250 ,number of RACH burst periods
127 rfResourceIndicationPeriod: 125 SACCH multiframes
130 FACCH/Full rate: 031 in 5 ms
131 FACCH/Half rate: 041 in 5 ms
132 SACCH with TCH SAPI0: 090 in 10 ms
133 SACCH with SDCCH: 090 in 10 ms
134 SDCCH with SAPI3: 090 in 5 ms
135 SACCH with TCH SAPI3: 135 in 10 ms
136 tSync: 9000 units of 10 msec
137 tTrau: 9000 units of 10 msec
138 enableUmLoopTest: 00h = disabled
139 enableExcessiveDistance: 00h = Disabled
140 excessiveDistance: 64km
141 hoppingMode: 00h = baseband hopping
142 cellType: 00h = Standard Cell
143 BCCH ARFCN / bCCHFrequency: 1
/* BS-11 BTS attribute list handed to abis_nm_set_bts_attr() during bootstrap.
 *
 * The array is writable on purpose: patch_tables() overwrites byte [1] (BSIC)
 * and bytes [69]/[70] (BCCH ARFCN high/low) by fixed index. Counting the
 * entries shown here, NM_ATT_BCCH_ARFCN sits at [68] with its two value bytes
 * at [69] and [70], so the indices match this layout. Any byte added or
 * removed above that entry silently moves the patch onto a different
 * attribute; nothing visible checks the offsets at compile time.
 *
 * NOTE(review): NM_ATT_CCCH_L_T appears twice with different values (0x00 and
 * 0x23); confirm the second tag is the intended attribute.
 * NOTE(review): NM_ATT_BS11_ENA_INTERF_CLASS is 0x01 here while the parameter
 * dump above documents enableInterferenceClass as 00h = Disabled. */
146 static unsigned char bs11_attr_bts[] =
148 NM_ATT_BSIC, HARDCODED_BSIC,
149 NM_ATT_BTS_AIR_TIMER, 0x04,
150 NM_ATT_BS11_BTSLS_HOPPING, 0x00,
151 NM_ATT_CCCH_L_I_P, 0x01,
152 NM_ATT_CCCH_L_T, 0x00,
153 NM_ATT_BS11_CELL_ALLOC_NR, NM_BS11_CANR_GSM,
154 NM_ATT_BS11_ENA_INTERF_CLASS, 0x01,
155 NM_ATT_BS11_FACCH_QUAL, 0x06,
156 /* interference avg. period in numbers of SACCH multifr */
157 NM_ATT_INTAVE_PARAM, 0x1F,
158 NM_ATT_INTERF_BOUND, 0x0A, 0x0F, 0x14, 0x19, 0x1E, 0x7B,
159 NM_ATT_CCCH_L_T, 0x23,
160 NM_ATT_GSM_TIME, 0x28, 0x00,
161 NM_ATT_ADM_STATE, 0x03,
162 NM_ATT_RACH_B_THRESH, 0x7F,
163 NM_ATT_LDAVG_SLOTS, 0x00, 0xFA,
164 NM_ATT_BS11_RF_RES_IND_PER, 0x7D,
165 NM_ATT_T200, 0x2C, 0x1F, 0x29, 0x5A, 0x5A, 0x5A, 0x87,
166 NM_ATT_BS11_TSYNC, 0x23, 0x28,
167 NM_ATT_BS11_TTRAU, 0x23, 0x28,
168 NM_ATT_TEST_DUR, 0x01, 0x00,
169 NM_ATT_OUTST_ALARM, 0x01, 0x00,
170 NM_ATT_BS11_EXCESSIVE_DISTANCE, 0x01, 0x40,
171 NM_ATT_BS11_HOPPING_MODE, 0x01, 0x00,
172 NM_ATT_BS11_PLL, 0x01, 0x00,
/* Value bytes [69]/[70]; rewritten at run time by patch_tables(). */
173 NM_ATT_BCCH_ARFCN, 0x00, HARDCODED_ARFCN/*0x01*/,
176 // Handover Recognition, SET ATTRIBUTES
179 Illegal Contents GSM Formatted O&M Msg
180 Object Class: Handover Recognition
185 enableDelayPowerBudgetHO: 00h = Disabled
186 enableDistanceHO: 00h = Disabled
187 enableInternalInterCellHandover: 00h = Disabled
188 enableInternalIntraCellHandover: 00h = Disabled
189 enablePowerBudgetHO: 00h = Disabled
190 enableRXLEVHO: 00h = Disabled
191 enableRXQUALHO: 00h = Disabled
192 hoAveragingDistance: 8 SACCH multiframes
194 A_LEV_HO: 8 SACCH multiframes
195 W_LEV_HO: 1 SACCH multiframes
196 hoAveragingPowerBudget: 16 SACCH multiframes
198 A_QUAL_HO: 8 SACCH multiframes
199 W_QUAL_HO: 2 SACCH multiframes
200 hoLowerThresholdLevDL: (10 - 110) dBm
201 hoLowerThresholdLevUL: (5 - 110) dBm
202 hoLowerThresholdQualDL: 06h = 6.4% < BER < 12.8%
203 hoLowerThresholdQualUL: 06h = 6.4% < BER < 12.8%
204 hoThresholdLevDLintra : (20 - 110) dBm
205 hoThresholdLevULintra: (20 - 110) dBm
206 hoThresholdMsRangeMax: 20 km
208 timerHORequest: 3 ,unit 2 SACCH multiframes
/* Raw OML SET ATTRIBUTES message for the Handover Recognition object, sent
 * unmodified through abis_nm_raw_msg() during BS-11 bootstrap. Most of its
 * attribute bytes are not visible in this listing.
 * NOTE(review): the decode above tags this message "Illegal Contents GSM
 * Formatted O&M Msg"; confirm the BTS accepts it as intended. */
211 unsigned char msg_3[] =
213 NM_MT_BS11_SET_ATTR, NM_OC_BS11_HANDOVER, 0x00, 0xFF, 0xFF,
223 0x71, 0x10, 0x10, 0x10,
233 0x92, 0x03, 0x20, 0x01, 0x00,
248 // Power Control, SET ATTRIBUTES
251 Object Class: Power Control
256 enableMsPowerControl: 00h = Disabled
257 enablePowerControlRLFW: 00h = Disabled
259 A_LEV_PC: 4 SACCH multiframes
260 W_LEV_PC: 1 SACCH multiframes
262 A_QUAL_PC: 4 SACCH multiframes
263 W_QUAL_PC: 2 SACCH multiframes
264 pcLowerThresholdLevDL: 0Fh
265 pcLowerThresholdLevUL: 0Ah
266 pcLowerThresholdQualDL: 05h = 3.2% < BER < 6.4%
267 pcLowerThresholdQualUL: 05h = 3.2% < BER < 6.4%
269 pcUpperThresholdLevDL: 14h
270 pcUpperThresholdLevUL: 0Fh
271 pcUpperThresholdQualDL: 04h = 1.6% < BER < 3.2%
272 pcUpperThresholdQualUL: 04h = 1.6% < BER < 3.2%
273 powerConfirm: 2 ,unit 2 SACCH multiframes
274 powerControlInterval: 2 ,unit 2 SACCH multiframes
275 powerIncrStepSize: 02h = 4 dB
276 powerRedStepSize: 01h = 2 dB
277 radioLinkTimeoutBs: 64 SACCH multiframes
278 enableBSPowerControl: 00h = disabled
/* Raw OML SET ATTRIBUTES message for the Power Control object, sent unmodified
 * through abis_nm_raw_msg() during BS-11 bootstrap. MS power control and
 * RLFW power control are both written as 0x00 here (disabled per the dump
 * above); the attribute bytes in between are not visible in this listing. */
281 unsigned char msg_4[] =
283 NM_MT_BS11_SET_ATTR, NM_OC_BS11_PWR_CTRL, 0x00, 0xFF, 0xFF,
284 NM_ATT_BS11_ENA_MS_PWR_CTRL, 0x00,
285 NM_ATT_BS11_ENA_PWR_CTRL_RLFW, 0x00,
302 0x65, 0x01, 0x00 // set to 0x01 to enable BSPowerControl
306 // Transceiver, SET TRX ATTRIBUTES (TRX 0)
309 Object Class: Transceiver
314 aRFCNList (HEX): 0001
315 txPwrMaxReduction: 00h = 30dB
316 radioMeasGran: 254 SACCH multiframes
317 radioMeasRep: 01h = enabled
318 memberOfEmergencyConfig: 01h = TRUE
319 trxArea: 00h = TRX doesn't belong to a concentric cell
/* BS-11 TRX attribute list handed to abis_nm_set_radio_attr() for TRX 0.
 * patch_tables() rewrites bytes [2] and [3] (ARFCN high/low) by fixed index,
 * which matches the NM_ATT_ARFCN_LIST entry as laid out here; the entry must
 * stay first for that to hold.
 * NOTE(review): the dump above documents radioMeasGran as 254 SACCH
 * multiframes while the value byte here is 0x05; confirm which is intended. */
322 static unsigned char bs11_attr_radio[] =
324 NM_ATT_ARFCN_LIST, 0x01, 0x00, HARDCODED_ARFCN /*0x01*/,
325 NM_ATT_RF_MAXPOWR_R, 0x00,
326 NM_ATT_BS11_RADIO_MEAS_GRAN, 0x01, 0x05,
327 NM_ATT_BS11_RADIO_MEAS_REP, 0x01, 0x01,
328 NM_ATT_BS11_EMRG_CFG_MEMBER, 0x01, 0x01,
329 NM_ATT_BS11_TRX_AREA, 0x01, 0x00,
/* nanoBTS BTS attribute list, sent by nm_state_event() through
 * abis_nm_set_bts_attr().
 *
 * patch_tables() rewrites bytes [42]/[43] (ARFCN high/low) by fixed index and
 * the very last byte (BSIC) via sizeof - 1, so NM_ATT_BSIC must remain the
 * final entry. NOTE(review): one line of this initializer (between listing
 * lines 338 and 340) is not visible here, so the [42]/[43] offsets cannot be
 * confirmed from this view; recount them whenever an entry changes. */
332 static unsigned char nanobts_attr_bts[] = {
333 NM_ATT_INTERF_BOUND, 0x55, 0x5b, 0x61, 0x67, 0x6d, 0x73,
334 /* interference avg. period in numbers of SACCH multifr */
335 NM_ATT_INTAVE_PARAM, 0x06,
336 /* conn fail based on SACCH error rate */
337 NM_ATT_CONN_FAIL_CRIT, 0x00, 0x02, 0x01, 0x10,
338 NM_ATT_T200, 0x1e, 0x24, 0x24, 0xa8, 0x34, 0x21, 0xa8,
340 NM_ATT_OVERL_PERIOD, 0x00, 0x01, 10, /* seconds */
341 NM_ATT_CCCH_L_T, 10, /* percent */
342 NM_ATT_CCCH_L_I_P, 1, /* seconds */
343 NM_ATT_RACH_B_THRESH, 10, /* busy threshold in - dBm */
344 NM_ATT_LDAVG_SLOTS, 0x03, 0xe8, /* rach load averaging 1000 slots */
345 NM_ATT_BTS_AIR_TIMER, 128, /* milliseconds */
346 NM_ATT_NY1, 10, /* 10 retransmissions of physical config */
347 NM_ATT_BCCH_ARFCN, HARDCODED_ARFCN >> 8, HARDCODED_ARFCN & 0xff,
348 NM_ATT_BSIC, HARDCODED_BSIC,
/* nanoBTS radio carrier attribute list, sent by sw_activ_rep() through
 * abis_nm_set_radio_attr(). patch_tables() rewrites bytes [5]/[6] (ARFCN
 * high/low) by fixed index, which matches the layout shown here. */
351 static unsigned char nanobts_attr_radio[] = {
352 NM_ATT_RF_MAXPOWR_R, 0x0c, /* number of -2dB reduction steps / Pn */
353 NM_ATT_ARFCN_LIST, 0x00, 0x02, HARDCODED_ARFCN >> 8, HARDCODED_ARFCN & 0xff,
/* Payload of the ip.access 0xe0 message that sw_activ_rep() sends to make the
 * TRX open its RSL link. 0x0bbb is TCP port 3003. The first line of the
 * initializer is not visible in this listing.
 * NOTE(review): nothing visible here authenticates or encrypts the RSL link
 * the BTS is told to open; confirm the A-bis/IP segment is isolated from
 * untrusted hosts. */
356 static unsigned char nanobts_attr_e0[] = {
358 0x81, 0x0b, 0xbb, /* TCP PORT for RSL */
361 /* Callback function to be called whenever we get a GSM 12.21 state change event
 *
 * evt:        event kind; EVT_STATECHG_OPER is the only one handled in the
 *             visible code
 * obj_class:  12.21 object class, which decides how obj is interpreted
 * obj:        the object whose state changed, cast according to obj_class
 * old_state, new_state: managed-object state before and after the change
 *
 * NOTE(review): obj is untyped and each branch trusts obj_class to select the
 * right cast (container_of on site_mgr, struct gsm_bts, struct
 * gsm_bts_trx_ts). A caller that pairs the wrong class with obj makes the
 * branch operate on a mistyped pointer; confirm the OML receive path
 * guarantees the pairing.
 * NOTE(review): the abis_nm_* return values are ignored, so a request that
 * could not be sent goes unnoticed.
 * NOTE(review): several lines of this function (including some case labels)
 * are not visible in this listing.
 */
362 int nm_state_event(enum nm_evt evt, u_int8_t obj_class, void *obj,
363 struct gsm_nm_state *old_state, struct gsm_nm_state *new_state)
366 struct gsm_bts_trx *trx;
367 struct gsm_bts_trx_ts *ts;
369 /* This is currently only required on nanoBTS */
372 case EVT_STATECHG_OPER:
374 case NM_OC_SITE_MANAGER:
375 bts = container_of(obj, struct gsm_bts, site_mgr);
/* Act only on the transition into operational state 2, not while it persists.
 * NOTE(review): 2 is a bare state code; a named constant would make the
 * trigger reviewable. */
376 if (old_state->operational != 2 && new_state->operational == 2) {
377 abis_nm_opstart(bts, NM_OC_SITE_MANAGER, 0xff, 0xff, 0xff);
/* The case label selecting this branch is not visible; obj is taken to be the
 * BTS itself here. */
381 bts = (struct gsm_bts *)obj;
/* NOTE(review): 5 is a bare availability code; unlike the site-manager branch
 * this fires on every report carrying it, not only on a transition. */
382 if (new_state->availability == 5) {
383 abis_nm_set_bts_attr(bts, nanobts_attr_bts,
384 sizeof(nanobts_attr_bts));
385 abis_nm_opstart(bts, NM_OC_BTS,
386 bts->bts_nr, 0xff, 0xff);
387 abis_nm_chg_adm_state(bts, NM_OC_BTS,
388 bts->bts_nr, 0xff, 0xff,
393 ts = (struct gsm_bts_trx_ts *)obj;
395 if (new_state->availability == 5) {
/* Timeslot 0 of the BTS's c0 TRX is configured as BCCH+CBCH; the other
 * assignment shown configures TCH/F. The line that sets trx is not visible. */
396 if (ts->nr == 0 && trx == trx->bts->c0)
397 abis_nm_set_channel_attr(ts, NM_CHANC_BCCH_CBCH);
399 abis_nm_set_channel_attr(ts, NM_CHANC_TCHFull);
400 abis_nm_opstart(trx->bts, NM_OC_CHANNEL,
401 trx->bts->bts_nr, trx->nr, ts->nr);
402 abis_nm_chg_adm_state(trx->bts, NM_OC_CHANNEL,
403 trx->bts->bts_nr, trx->nr, ts->nr,
412 //DEBUGP(DMM, "Unhandled state change in %s:%d\n", __func__, __LINE__);
418 /* Callback function to be called every time we receive a 12.21 SW activated report
 *
 * mb: the received message; its layer-3 part is read as a FOM header and
 *     mb->trx names the TRX it arrived on.
 *
 * For a baseband transceiver object the TRX is told to open its RSL link
 * (0xe0 message with nanobts_attr_e0), then opstarted and has its
 * administrative state changed. For a radio carrier object the radio
 * attributes are sent first, followed by the same two steps.
 *
 * NOTE(review): this function shows no check that msgb_l3(mb) is non-NULL or
 * that the message is long enough to hold a struct abis_om_fom_hdr before
 * foh->obj_class is read, and no check that mb->trx is set. The message
 * originates from the BTS side; confirm the OML receive path validates length
 * and TRX before raising the signal.
 * NOTE(review): the abis_nm_* return values are ignored.
 */
419 static int sw_activ_rep(struct msgb *mb)
421 struct abis_om_fom_hdr *foh = (struct abis_om_fom_hdr *)msgb_l3(mb);
422 struct gsm_bts_trx *trx = mb->trx;
424 switch (foh->obj_class) {
425 case NM_OC_BASEB_TRANSC:
426 /* TRX software is active, tell it to initiate RSL Link */
427 abis_nm_ipaccess_msg(trx->bts, 0xe0, NM_OC_BASEB_TRANSC,
428 trx->bts->bts_nr, trx->nr, 0xff,
429 nanobts_attr_e0, sizeof(nanobts_attr_e0));
430 abis_nm_opstart(trx->bts, NM_OC_BASEB_TRANSC,
431 trx->bts->bts_nr, trx->nr, 0xff);
432 abis_nm_chg_adm_state(trx->bts, NM_OC_BASEB_TRANSC,
433 trx->bts->bts_nr, trx->nr, 0xff,
436 case NM_OC_RADIO_CARRIER:
437 abis_nm_set_radio_attr(trx, nanobts_attr_radio,
438 sizeof(nanobts_attr_radio));
439 abis_nm_opstart(trx->bts, NM_OC_RADIO_CARRIER,
440 trx->bts->bts_nr, trx->nr, 0xff);
441 abis_nm_chg_adm_state(trx->bts, NM_OC_RADIO_CARRIER,
442 trx->bts->bts_nr, trx->nr, 0xff,
449 /* Callback function for NACK on the OML NM
 *
 * mt: message type of the NACK. Only NM_MT_SET_BTS_ATTR_NACK is handled in
 *     the visible code: an error is printed to stderr. What follows the
 *     message (the text calls the failure fatal) is not visible here.
 */
450 static int oml_msg_nack(int mt)
452 if (mt == NM_MT_SET_BTS_ATTR_NACK) {
453 fprintf(stderr, "Failed to set BTS attributes. That is fatal. "
454 "Was the bts type and frequency properly specified?\n");
461 /* Callback function to be called every time we receive a signal from NM
 *
 * Registered for SS_NM in bootstrap_network(). signal_data is interpreted per
 * signal: as a struct msgb pointer for S_NM_SW_ACTIV_REP, and as an integer
 * message type for the NACK path (whose case label is not visible here).
 * subsys and handler_data are not used in the visible lines.
 */
462 static int nm_sig_cb(unsigned int subsys, unsigned int signal,
463 void *handler_data, void *signal_data)
466 case S_NM_SW_ACTIV_REP:
467 return sw_activ_rep((struct msgb *)signal_data);
/* NOTE(review): a pointer is cast straight to int; on LP64 targets this
 * truncates and draws a compiler warning. It only works if the sender packed
 * a small integer into the pointer; going through intptr_t would make that
 * explicit. */
469 return oml_msg_nack((int)signal_data);
/* OML bootstrap hook for nanoBTS. Intentionally does no work: the nanoBTS is
 * configured from the state-change and SW-activated callbacks instead. */
476 static void bootstrap_om_nanobts(struct gsm_bts *bts)
478 /* We don't do callback based bootstrapping, but event driven (see above) */
/* Configure a BS-11 over OML.
 *
 * Sequence: stop event reports, open and close a DB transmission, reset the
 * site manager resource, then inside a second DB transmission push the
 * site-manager, BTS, handover and power-control attributes, the radio
 * attributes, the signalling TEI and the channel type plus E1 sub-slot
 * mapping of every timeslot; finally close the transmission, reset again and
 * re-enable event reports.
 *
 * NOTE(review): no abis_nm_* return value is checked, so the sequence carries
 * on after a request that could not be sent, and event reports are
 * re-enabled regardless.
 * NOTE(review): the E1 timeslot/sub-slot numbers are literals that must stay
 * in step with the set_ts_e1link() calls in bootstrap_bts().
 */
481 static void bootstrap_om_bs11(struct gsm_bts *bts)
483 struct gsm_bts_trx *trx = bts->c0;
485 /* stop sending event reports */
486 abis_nm_event_reports(bts, 0);
488 /* begin DB transmission */
489 abis_nm_bs11_db_transmission(bts, 1);
491 /* end DB transmission */
492 abis_nm_bs11_db_transmission(bts, 0);
494 /* Reset BTS Site manager resource */
495 abis_nm_bs11_reset_resource(bts);
497 /* begin DB transmission */
498 abis_nm_bs11_db_transmission(bts, 1);
500 abis_nm_raw_msg(bts, sizeof(msg_1), msg_1); /* set BTS SiteMgr attr*/
501 abis_nm_set_bts_attr(bts, bs11_attr_bts, sizeof(bs11_attr_bts));
502 abis_nm_raw_msg(bts, sizeof(msg_3), msg_3); /* set BTS handover attr */
503 abis_nm_raw_msg(bts, sizeof(msg_4), msg_4); /* set BTS power control attr */
505 /* Connect signalling of bts0/trx0 to e1_0/ts1/64kbps */
506 abis_nm_conn_terr_sign(trx, 0, 1, 0xff);
507 abis_nm_set_radio_attr(trx, bs11_attr_radio, sizeof(bs11_attr_radio));
509 /* Use TEI 1 for signalling */
510 abis_nm_establish_tei(bts, 0, 0, 1, 0xff, 0x01);
511 abis_nm_set_channel_attr(&trx->ts[0], NM_CHANC_SDCCH_CBCH);
/* NOTE(review): bts->trx[1] is addressed here. Whatever guards this
 * second-TRX section is not visible in the listing; confirm the BTS has a
 * second TRX before this index is used. */
515 abis_nm_conn_terr_sign(&bts->trx[1], 0, 1, 0xff);
516 /* FIXME: TRX ATTRIBUTE */
517 abis_nm_establish_tei(bts, 0, 0, 1, 0xff, 0x02);
520 /* SET CHANNEL ATTRIBUTE TS1 */
521 abis_nm_set_channel_attr(&trx->ts[1], NM_CHANC_TCHFull);
522 /* Connect traffic of bts0/trx0/ts1 to e1_0/ts2/b */
523 abis_nm_conn_terr_traf(&trx->ts[1], 0, 2, 1);
525 /* SET CHANNEL ATTRIBUTE TS2 */
526 abis_nm_set_channel_attr(&trx->ts[2], NM_CHANC_TCHFull);
527 /* Connect traffic of bts0/trx0/ts2 to e1_0/ts2/c */
528 abis_nm_conn_terr_traf(&trx->ts[2], 0, 2, 2);
530 /* SET CHANNEL ATTRIBUTE TS3 */
531 abis_nm_set_channel_attr(&trx->ts[3], NM_CHANC_TCHFull);
532 /* Connect traffic of bts0/trx0/ts3 to e1_0/ts2/d */
533 abis_nm_conn_terr_traf(&trx->ts[3], 0, 2, 3);
535 /* SET CHANNEL ATTRIBUTE TS4 */
536 abis_nm_set_channel_attr(&trx->ts[4], NM_CHANC_TCHFull);
537 /* Connect traffic of bts0/trx0/ts4 to e1_0/ts3/a */
538 abis_nm_conn_terr_traf(&trx->ts[4], 0, 3, 0);
540 /* SET CHANNEL ATTRIBUTE TS5 */
541 abis_nm_set_channel_attr(&trx->ts[5], NM_CHANC_TCHFull);
542 /* Connect traffic of bts0/trx0/ts5 to e1_0/ts3/b */
543 abis_nm_conn_terr_traf(&trx->ts[5], 0, 3, 1);
545 /* SET CHANNEL ATTRIBUTE TS6 */
546 abis_nm_set_channel_attr(&trx->ts[6], NM_CHANC_TCHFull);
547 /* Connect traffic of bts0/trx0/ts6 to e1_0/ts3/c */
548 abis_nm_conn_terr_traf(&trx->ts[6], 0, 3, 2);
550 /* SET CHANNEL ATTRIBUTE TS7 */
551 abis_nm_set_channel_attr(&trx->ts[7], NM_CHANC_TCHFull);
552 /* Connect traffic of bts0/trx0/ts7 to e1_0/ts3/d */
553 abis_nm_conn_terr_traf(&trx->ts[7], 0, 3, 3);
555 /* end DB transmission */
556 abis_nm_bs11_db_transmission(bts, 0);
558 /* Reset BTS Site manager resource */
559 abis_nm_bs11_reset_resource(bts);
561 /* restart sending event reports */
562 abis_nm_event_reports(bts, 1);
/* Start OML bootstrap for one BTS: log the BTS number, then dispatch on the
 * BTS type to the BS-11 or nanoBTS routine. An unrecognised type is reported
 * on stderr and nothing is configured. The switch statement itself is not
 * visible in this listing. */
565 static void bootstrap_om(struct gsm_bts *bts)
567 fprintf(stdout, "bootstrapping OML for BTS %u\n", bts->nr);
570 case GSM_BTS_TYPE_BS11:
571 bootstrap_om_bs11(bts);
573 case GSM_BTS_TYPE_NANOBTS_900:
574 case GSM_BTS_TYPE_NANOBTS_1800:
575 bootstrap_om_nanobts(bts);
578 fprintf(stderr, "Unable to bootstrap OML: Unknown BTS type %d\n", bts->type);
/* Take one BTS out of service over OML: stop event reports, run an empty DB
 * transmission and reset the site manager resource.
 * NOTE(review): the abis_nm_bs11_* calls are BS-11 specific by name, yet no
 * BTS-type check is visible before them; confirm this is not reached for a
 * nanoBTS. The value returned to shutdown_net() is not visible here. */
582 static int shutdown_om(struct gsm_bts *bts)
584 /* stop sending event reports */
585 abis_nm_event_reports(bts, 0);
587 /* begin DB transmission */
588 abis_nm_bs11_db_transmission(bts, 1);
590 /* end DB transmission */
591 abis_nm_bs11_db_transmission(bts, 0);
593 /* Reset BTS Site manager resource */
594 abis_nm_bs11_reset_resource(bts);
/* Shut down every BTS on the network's bts_list by calling shutdown_om() on
 * each. How a non-zero rc is handled and what is returned is not visible in
 * this listing. */
599 int shutdown_net(struct gsm_network *net)
603 llist_for_each_entry(bts, &net->bts_list, list) {
605 rc = shutdown_om(bts);
616 const u_int8_t *data;
620 SYSTEM INFORMATION TYPE 1
621 Cell channel description
623 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
624 RACH Control Parameters
625 maximum 7 retransmissions
626 8 slots used to spread transmission
627 cell not barred for access
628 call reestablishment not allowed
629 Access Control Class = 0000
/* Default SYSTEM INFORMATION TYPE 1 template: 3 header bytes, the 16-byte
 * cell channel description and the RACH control parameters. gsm48_si1()
 * compares its generated message against this template. */
631 static u_int8_t si1[] = {
632 /* header */0x55, 0x06, 0x19,
633 /* ccdesc */0x04 /*0x00*/, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 /*0x01*/,
635 /* rach */0xD5, 0x00, 0x00,
/* Build a SYSTEM INFORMATION TYPE 1 message from conf into a function-static
 * 23-byte buffer and warn on stdout when it differs from the si1 template.
 *
 * The buffer is static, so every call overwrites the previous result and the
 * function is not reentrant; the pointer handed back (presumably si; the
 * return statement is not visible) must be consumed before the next call.
 *
 * NOTE(review): max_trans, tx_integer, cell_barr and ec are shifted into place
 * without masking, so an out-of-range value spills into neighbouring bit
 * fields of the broadcast message.
 * NOTE(review): this definition takes one argument while set_system_infos()
 * calls gsm48_si1() with nine; the two do not fit together as shown.
 */
639 static u_int8_t *gsm48_si1(struct gsm_bts_conf *conf)
641 static u_int8_t si[23];
644 memset(&si, 0, sizeof(si));
650 /* ccdesc 10.5.2.1b.2 (bit map 0 format) */
651 for (i = 0; i < conf->arfcn_len; i++) {
/* The 1..124 range check is what bounds the index below: octet is 0..15, so
 * the write lands in si[3]..si[18]. Out-of-range ARFCNs are silently skipped. */
652 if (conf->arfcn_list[i] <= 124 && conf->arfcn_list[i] > 0) {
653 bit = (conf->arfcn_list[i] - 1) & 7;
654 octet = (conf->arfcn_list[i] -1) / 8;
655 si[18 - octet] |= (1 << bit);
659 si[19] = (conf->max_trans << 6);
660 si[19] |= (conf->tx_integer << 2);
661 si[19] |= (conf->cell_barr << 1);
663 si[20] = (conf->ec << 2);
664 for (i = 0; i < conf->ac_len; i++) {
/* Classes 0..15 map onto si[21] (0..7) and si[20] (8..15). Class 10 is
 * skipped because its position, bit 2 of si[20], is the bit already written
 * from conf->ec above. */
665 if (conf->ac_list[i] <= 15 && conf->ac_list[i] != 10) {
666 bit = conf->ac_list[i] & 7;
667 octet = conf->ac_list[i] / 8;
668 si[21 - octet] |= (1 << bit);
/* Compares sizeof(si) = 23 bytes; this is only safe while si1 is at least
 * that long. */
675 if (memcmp(&si1, &si, sizeof(si)))
676 printf("SI1 does not match default template.\n");
682 SYSTEM INFORMATION TYPE 2
683 Neighbour Cells Description
684 EXT-IND: Carries the complete BA
687 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
688 NCC permitted (NCC) = FF
689 RACH Control Parameters
690 maximum 7 retransmissions
691 8 slots used to spread transmission
692 cell not barred for access
693 call reestablishment not allowed
694 Access Control Class = 0000
/* Default SYSTEM INFORMATION TYPE 2 template: header, 16-byte neighbour cell
 * description and RACH control parameters (one line of the initializer is not
 * visible here). gsm48_si2() compares its output against it. */
696 static u_int8_t si2[] = {
697 /* header */0x59, 0x06, 0x1A,
698 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
699 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
701 /* rach*/0xD5, 0x00, 0x00
/* Build a SYSTEM INFORMATION TYPE 2 message from conf into a function-static
 * 23-byte buffer and warn on stdout when it differs from the si2 template.
 * Like gsm48_si1() the buffer is static, so the result is overwritten by the
 * next call.
 *
 * NOTE(review): ba_ind is used but neither a parameter nor a visible local.
 * NOTE(review): the access-class loop tests conf->ac_list[i] but computes the
 * octet from data->ac_list[i]; gsm48_si1() uses conf for both. As shown this
 * would not compile, so the function presumably sits in a disabled
 * preprocessor region; confirm, and use conf consistently if it is revived.
 * NOTE(review): the shifted conf fields are not masked to their bit widths.
 */
704 static u_int8_t *gsm48_si2(struct gsm_bts_conf *conf)
706 static u_int8_t si[23];
709 memset(&si, 0, sizeof(si));
715 /* ncdesc 10.5.2.22 */
716 si[3] = (ba_ind << 4);
717 for (i = 0; i < conf->ncell_arfcn_len; i++) {
/* Range check keeps octet in 0..15, i.e. the write stays in si[3]..si[18]. */
718 if (conf->ncell_arfcn_list[i] <= 124 && conf->ncell_arfcn_list[i] > 0) {
719 bit = (conf->ncell_arfcn_list[i] - 1) & 7;
720 octet = (conf->ncell_arfcn_list[i] -1) / 8;
721 si[18 - octet] |= (1 << bit);
727 si[20] = (conf->max_trans << 6);
728 si[20] |= (conf->tx_integer << 2);
729 si[20] |= (conf->cell_barr << 1);
731 si[21] = (conf->ec << 2);
732 for (i = 0; i < conf->ac_len; i++) {
733 if (conf->ac_list[i] <= 15 && conf->ac_list[i] != 10) {
734 bit = conf->ac_list[i] & 7;
735 octet = data->ac_list[i] / 8;
736 si[22 - octet] |= (1 << bit);
741 if (memcmp(&si2, &si, sizeof(si)))
742 printf("SI2 does not match default template.\n");
749 SYSTEM INFORMATION TYPE 3
750 Cell identity = 00001 (1h)
751 Location area identification
752 Mobile Country Code (MCC): 001
753 Mobile Network Code (MNC): 01
754 Location Area Code (LAC): 00001 (1h)
755 Control Channel Description
756 Attach-detach: MSs in the cell are not allowed to apply IMSI attach /detach
757 0 blocks reserved for access grant
758 1 channel used for CCCH, with SDCCH
759 5 multiframes period for PAGING REQUEST
762 Power control indicator: not set
763 MSs shall not use uplink DTX
764 Radio link timeout = 36
765 Cell Selection Parameters
766 Cell reselect hysteresis = 6 dB RXLEV hysteresis for LA re-selection
767 max.TX power level MS may use for CCH = 2 <- according to GSM05.05 39dBm (max)
768 Additional Reselect Parameter Indication (ACS) = only SYSTEM INFO 4: The SI rest octets, if present, shall be used to derive the value of PI and possibly C2 parameters
769 Half rate support (NECI): New establishment causes are not supported
770 min.RX signal level for MS = 0
771 RACH Control Parameters
772 maximum 7 retransmissions
773 8 slots used to spread transmission
774 cell not barred for access
775 call reestablishment not allowed
776 Access Control Class = 0000
778 Cell Bar Qualify (CBQ): 0
779 Cell Reselect Offset = 0 dB
780 Temporary Offset = 0 dB
782 System Information 2ter Indicator (2TI): 0 = not available
783 Early Classmark Sending Control (ECSC): 0 = forbidden
784 Scheduling Information is not sent in SYSTEM INFORMATION TYPE 9 on the BCCH
/* Default SYSTEM INFORMATION TYPE 3 template. The LAI bytes 0x00 0xF1 0x10
 * 0x00 0x01 carry the MCC 001 / MNC 01 / LAC 1 identity listed in the dump
 * above. patch_tables() casts this array to struct
 * gsm48_system_information_type_3 and overwrites fields in place, so the byte
 * order here has to follow that struct's layout. One line of the initializer
 * is not visible in this listing. */
786 static u_int8_t si3[] = {
/* "nicht" is German for "not": the directive records that the header byte is
 * 0x49 rather than 0x59. */
787 #warning nicht 0x59 == 22 octets + length
788 /* header */0x49, 0x06, 0x1B,
789 /* cell */0x00, 0x01,
790 /* lai */0x00, 0xF1, 0x10, 0x00, 0x01,
791 /* desc */0x01, 0x03, 0x00,
793 /* selection*/0x62, 0x00,
794 /* rach */0xD5, 0x00, 0x00,
795 /* rest */0x80, 0x00, 0x00, 0x2B
/* Build a SYSTEM INFORMATION TYPE 3 message into a function-static 23-byte
 * buffer: LAI, control channel description, cell options, cell selection
 * parameters and RACH control. The static buffer is overwritten on each call.
 *
 * NOTE(review): the parameter is named net but the body reads
 * network->country_code, and the access-class loop mixes conf->ac_list with
 * data->ac_list. As shown this would not compile, so the function presumably
 * sits in a disabled preprocessor region; confirm before relying on it.
 * NOTE(review): every conf field is shifted or OR-ed in without a mask
 * (bs_ag_blks_res, ccch_conf, dtx, rl_timeout, ms_txpwr_max_cch,
 * rxlev_access_min, ...). A value wider than its field corrupts the adjacent
 * fields of the broadcast message; mask each field to its width if the
 * configuration can come from an operator-supplied source.
 */
798 static u_int8_t *gsm48_si3(struct gsm_net *net, struct gsm_bts_conf *conf)
800 static u_int8_t si[23];
803 memset(&si, 0, sizeof(si));
814 gsm0408_generate_lai(&si[5], network->country_code,
815 network->network_code,
816 conf->location_area_code);
818 si[10] = conf->att << 6;
819 si[10] |= conf->bs_ag_blks_res << 3;
820 si[10] |= conf->ccch_conf;
821 si[11] = conf->bs_pa_mfrms;
822 si[12] = conf->t3212_decihours;
823 /* option 10.5.2.3 */
824 si[13] = conf->pwrc << 6;
825 si[13] |= conf->dtx << 4;
826 si[13] |= conf->rl_timeout;
827 /* selection 10.5.2.4 */
828 si[14] = conf->csel_hyst << 5;
829 si[14] |= conf->ms_txpwr_max_cch;
830 si[15] = conf->acs << 7;
831 si[15] |= conf->neci << 6;
832 si[15] |= conf->rxlev_access_min;
834 si[16] = (conf->max_trans << 6);
835 si[16] |= (conf->tx_integer << 2);
836 si[16] |= (conf->cell_barr << 1);
838 si[17] = (conf->ec << 2);
839 for (i = 0; i < conf->ac_len; i++) {
/* Classes 0..15 land in si[18] and si[17]; class 10 is skipped because its
 * bit position in si[17] is the one written from conf->ec above. */
840 if (conf->ac_list[i] <= 15 && conf->ac_list[i] != 10) {
841 bit = conf->ac_list[i] & 7;
842 octet = data->ac_list[i] / 8;
843 si[18 - octet] |= (1 << bit);
850 SYSTEM INFORMATION TYPE 4
851 Location area identification
852 Mobile Country Code (MCC): 001
853 Mobile Network Code (MNC): 01
854 Location Area Code (LAC): 00001 (1h)
855 Cell Selection Parameters
856 Cell reselect hysteresis = 6 dB RXLEV hysteresis for LA re-selection
857 max.TX power level MS may use for CCH = 2
858 Additional Reselect Parameter Indication (ACS) = only SYSTEM INFO 4: The SI rest octets, if present, shall be used to derive the value of PI and possibly C2 parameters
859 Half rate support (NECI): New establishment causes are not supported
860 min.RX signal level for MS = 0
861 RACH Control Parameters
862 maximum 7 retransmissions
863 8 slots used to spread transmission
864 cell not barred for access
865 call reestablishment not allowed
866 Access Control Class = 0000
870 Training Sequence Code: 7h
873 Cell Bar Qualify (CBQ): 0
874 Cell Reselect Offset = 0 dB
875 Temporary Offset = 0 dB
/* Default SYSTEM INFORMATION TYPE 4 template. patch_tables() casts it to
 * struct gsm48_system_information_type_4 and rewrites data[2]/data[3] with
 * the ARFCN, which presumably correspond to the 0xE0 and HARDCODED_ARFCN
 * bytes of the "var" line; confirm against the struct layout. One line of
 * the initializer is not visible in this listing. */
878 static u_int8_t si4[] = {
879 /* header */0x41, 0x06, 0x1C,
880 /* lai */0x00, 0xF1, 0x10, 0x00, 0x01,
882 /* rach*/0xD5, 0x00, 0x00,
883 /* var */0x64, 0x30, 0xE0, HARDCODED_ARFCN/*0x01*/, 0x80, 0x00, 0x00,
888 SYSTEM INFORMATION TYPE 5
889 Neighbour Cells Description
890 EXT-IND: Carries the complete BA
893 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
/* Default SYSTEM INFORMATION TYPE 5 template (no L2 length byte): 2 header
 * bytes plus the 16-byte neighbour cell description, all zero. Sent as SACCH
 * filling and used as the comparison template in gsm48_si5(). */
896 static u_int8_t si5[] = {
897 /* header without l2 len*/0x06, 0x1D,
898 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
899 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
/* Build a SYSTEM INFORMATION TYPE 5 message into a function-static 18-byte
 * buffer from a list of neighbour ARFCNs and warn on stdout when it differs
 * from the si5 template. The static buffer is overwritten on each call.
 *
 * ba:         not used in the visible lines
 * arfcn_list: ARFCNs to mark in the bitmap
 * arfcn_len:  number of entries read from arfcn_list; the caller must ensure
 *             the array is at least that long
 */
902 static u_int8_t *gsm48_si5(int ba, u_int8_t *arfcn_list, int arfcn_len)
904 static u_int8_t si[18];
907 memset(&si, 0, sizeof(si));
914 for (i = 0; i < arfcn_len; i++) {
/* The 1..124 check bounds octet to 0..15, so the write stays in
 * si[2]..si[17]; other values, including the zero padding the caller passes,
 * are skipped. */
915 if (arfcn_list[i] <= 124 && arfcn_list[i] > 0) {
916 bit = (arfcn_list[i] - 1) & 7;
917 octet = (arfcn_list[i] -1) / 8;
918 si[17 - octet] |= (1 << bit);
923 if (memcmp(&si5, &si, sizeof(si)))
924 printf("SI5 does not match default template.\n");
930 // SYSTEM INFORMATION TYPE 6
934 System Info Type: SYSTEM INFORMATION 6
935 L3 Information (Hex): 06 1E 00 01 xx xx 10 00 01 28 FF
937 SYSTEM INFORMATION TYPE 6
938 Cell identity = 00001 (1h)
939 Location area identification
940 Mobile Country Code (MCC): 001
941 Mobile Network Code (MNC): 01
942 Location Area Code (LAC): 00001 (1h)
944 Power control indicator: not set
945 MSs shall not use uplink DTX on a TCH-F. MS shall not use uplink DTX on TCH-H.
946 Radio link timeout = 36
947 NCC permitted (NCC) = FF
/* Default SYSTEM INFORMATION TYPE 6 template, sent as SACCH filling.
 * patch_tables() casts it to struct gsm48_system_information_type_6; the
 * remaining bytes of the initializer are not visible in this listing. */
950 static u_int8_t si6[] = {
951 /* header */0x06, 0x1E,
952 /* cell id*/ 0x00, 0x01,
953 /* lai */ 0x00, 0xF1, 0x10, 0x00, 0x01,
/* Table of BCCH SYSTEM INFORMATION entries that set_system_infos() walks,
 * reading each entry's type field. The entries themselves are not visible in
 * this listing. */
960 static const struct bcch_info bcch_infos[] = {
/* Compile-time size checks tying each byte template to its message struct.
 * si4 and si6 only need to be at least as large as their structs. These
 * checks catch size drift but not field order, which patch_tables() also
 * depends on when it casts si3/si4/si6 to struct pointers. */
980 static_assert(sizeof(si1) == sizeof(struct gsm48_system_information_type_1), type1)
981 static_assert(sizeof(si2) == sizeof(struct gsm48_system_information_type_2), type2)
982 static_assert(sizeof(si3) == sizeof(struct gsm48_system_information_type_3), type3)
983 static_assert(sizeof(si4) >= sizeof(struct gsm48_system_information_type_4), type4)
984 static_assert(sizeof(si5) == sizeof(struct gsm48_system_information_type_5), type5)
985 static_assert(sizeof(si6) >= sizeof(struct gsm48_system_information_type_6), type6)
987 /* set all system information types
 *
 * Sends the SYSTEM INFORMATION messages for one TRX: BCCH INFO for the
 * broadcast types and SACCH FILLING for types 5 and 6. Two variants are
 * visible: one that generates SI1/SI2/SI5 through the gsm48_si*() helpers and
 * one that sends the static templates unchanged. The preprocessor or
 * conditional lines choosing between them are not visible in this listing.
 *
 * NOTE(review): gsm48_si1() and gsm48_si2() are called here with 9 and 11
 * arguments, while the definitions visible in this file take a single
 * struct gsm_bts_conf pointer. The generated variant cannot compile against
 * them as shown.
 * NOTE(review): the lengths 23 and 18 are literals that must equal the sizes
 * of the static buffers inside the helpers; a mismatch would make
 * rsl_bcch_info() / rsl_sacch_filling() read past the buffer.
 * NOTE(review): no return value of the rsl_* calls is checked.
 */
988 static int set_system_infos(struct gsm_bts_trx *trx)
996 u_int8_t arfcn_list[8];
998 arfcn_list[0] = trx->arfcn;
999 _si1 = gsm48_si1(arfcn_list, 1, 3, 5, 0, 1, 0, NULL, 0);
1001 memset(arfcn_list, 0, sizeof(arfcn_list));
/* NOTE(review): trx->arfcn is stored into a u_int8_t slot, so an ARFCN above
 * 255 (the GSM1800 range accepted by bootstrap_network()) is truncated. */
1002 arfcn_list[0] = trx->arfcn;
1003 arfcn_list[1] = 112;
1010 _si2 = gsm48_si2(0, arfcn_list, 8, 0xff, 3, 5, 0, 1, 0, NULL, 0);
1011 _si5 = gsm48_si5(0, arfcn_list, 8);
1013 rsl_bcch_info(trx, RSL_SYSTEM_INFO_1, _si1, 23);
1014 rsl_bcch_info(trx, RSL_SYSTEM_INFO_2, _si2, 23);
1015 // rsl_bcch_info(trx, RSL_SYSTEM_INFO_3, _si3, );
1016 // rsl_bcch_info(trx, RSL_SYSTEM_INFO_4, _si4, );
/* Starts at index 2 because the first two table entries (SI1, SI2) were just
 * sent from the generated buffers. */
1018 for (i = 2; i < ARRAY_SIZE(bcch_infos); i++) {
1019 rsl_bcch_info(trx, bcch_infos[i].type,
1023 rsl_sacch_filling(trx, RSL_SYSTEM_INFO_5, _si5, 18);
1024 rsl_sacch_filling(trx, RSL_SYSTEM_INFO_6, si6, sizeof(si6));
1027 for (i = 0; i < ARRAY_SIZE(bcch_infos); i++) {
1028 rsl_bcch_info(trx, bcch_infos[i].type,
1032 rsl_sacch_filling(trx, RSL_SYSTEM_INFO_5, si5, sizeof(si5));
1033 rsl_sacch_filling(trx, RSL_SYSTEM_INFO_6, si6, sizeof(si6));
1039 * Patch the various SYSTEM INFORMATION tables to update
/* Overwrite the ARFCN, BSIC, LAI and control channel description inside the
 * file-scope attribute arrays and SYSTEM INFORMATION templates with the
 * values configured on bts. All changes are made in place on shared static
 * data, so the templates reflect whichever BTS was patched last.
 *
 * NOTE(review): every array write uses a literal index (69/70, 42/43, 2/3,
 * 5/6, 1). Nothing visible ties these indices to the array layouts, so
 * editing an attribute list without updating them makes this function
 * overwrite unrelated attribute bytes that are then sent to the BTS. A
 * compile-time check or a tag search would remove that coupling.
 * NOTE(review): si3/si4/si6 are u_int8_t arrays accessed through struct
 * pointers; this relies on the structs being packed and on the compiler
 * tolerating the aliasing.
 */
1042 static void patch_tables(struct gsm_bts *bts)
1044 u_int8_t arfcn_low = bts->c0->arfcn & 0xff;
/* Only 4 high bits are kept; together with the low byte that is a 12-bit
 * ARFCN. */
1045 u_int8_t arfcn_high = (bts->c0->arfcn >> 8) & 0x0f;
1046 /* convert the raw packet to the struct */
1047 struct gsm48_system_information_type_3 *type_3 =
1048 (struct gsm48_system_information_type_3*)&si3;
1049 struct gsm48_system_information_type_4 *type_4 =
1050 (struct gsm48_system_information_type_4*)&si4;
1051 struct gsm48_system_information_type_6 *type_6 =
1052 (struct gsm48_system_information_type_6*)&si6;
1053 struct gsm48_loc_area_id lai;
1055 gsm0408_generate_lai(&lai, bts->network->country_code,
1056 bts->network->network_code,
1057 bts->location_area_code);
1059 /* assign the MCC and MNC */
1064 /* patch ARFCN into BTS Attributes */
/* The upper nibble of the high byte is preserved, the lower nibble replaced. */
1065 bs11_attr_bts[69] &= 0xf0;
1066 bs11_attr_bts[69] |= arfcn_high;
1067 bs11_attr_bts[70] = arfcn_low;
1068 nanobts_attr_bts[42] &= 0xf0;
1069 nanobts_attr_bts[42] |= arfcn_high;
1070 nanobts_attr_bts[43] = arfcn_low;
1072 /* patch ARFCN into TRX Attributes */
1073 bs11_attr_radio[2] &= 0xf0;
1074 bs11_attr_radio[2] |= arfcn_high;
1075 bs11_attr_radio[3] = arfcn_low;
1076 nanobts_attr_radio[5] &= 0xf0;
1077 nanobts_attr_radio[5] |= arfcn_high;
1078 nanobts_attr_radio[6] = arfcn_low;
1080 type_4->data[2] &= 0xf0;
1081 type_4->data[2] |= arfcn_high;
1082 type_4->data[3] = arfcn_low;
1084 /* patch Control Channel Description 10.5.2.11 */
1085 type_3->control_channel_desc = bts->chan_desc;
/* BSIC: byte [1] follows the NM_ATT_BSIC tag at the start of the BS-11 list;
 * for the nanoBTS list it is the last byte, which requires NM_ATT_BSIC to
 * remain the final entry. */
1088 bs11_attr_bts[1] = bts->bsic;
1089 nanobts_attr_bts[sizeof(nanobts_attr_bts)-1] = bts->bsic;
/* Bring up RSL for one TRX: log the identifiers in use and send all SYSTEM
 * INFORMATION messages through set_system_infos(), whose result is ignored.
 * NOTE(review): the log label reads "BTS/TRX" but the arguments are passed as
 * trx->nr first and trx->bts->nr second, so the two numbers are printed in
 * swapped positions. That misleads anyone correlating logs during
 * troubleshooting or incident review. */
1093 static void bootstrap_rsl(struct gsm_bts_trx *trx)
1095 fprintf(stdout, "bootstrapping RSL for BTS/TRX (%u/%u) "
1096 "using MCC=%u MNC=%u\n", trx->nr, trx->bts->nr, trx->bts->network->country_code, trx->bts->network->network_code);
1097 set_system_infos(trx);
/* E1 input layer callback for signalling link events on a TRX. When an OML
 * link is involved the BTS is bootstrapped over OML; the RSL branch and the
 * switch on event are not visible in this listing.
 * NOTE(review): link loss is only reported on stderr (see the FIXME); no
 * state is torn down and nothing is re-bootstrapped in the visible code, so a
 * dropped A-bis link is easy to miss operationally. */
1100 void input_event(int event, enum e1inp_sign_type type, struct gsm_bts_trx *trx)
1105 case E1INP_SIGN_OML:
1106 bootstrap_om(trx->bts);
1108 case E1INP_SIGN_RSL:
1116 fprintf(stderr, "Lost some E1 TEI link\n");
1117 /* FIXME: deal with TEI or L1 link loss */
/* Fill in the per-BTS configuration: location area code, ARFCN of the c0 TRX,
 * the control channel description, and (for a BS-11) the E1 timeslot mapping
 * of all eight timeslots.
 *
 * lac:   stored as given; no range check is visible here
 * arfcn: stored as given; the visible caller, bootstrap_network(), validates
 *        it against the band before calling
 *
 * NOTE(review): the second group of set_ts_e1link() calls repeats the same
 * mapping for a trx whose assignment is not visible in this listing
 * (presumably a second TRX); two TRXs mapped onto identical E1 sub-slots
 * would collide, so confirm the hidden lines.
 */
1124 static int bootstrap_bts(struct gsm_bts *bts, int lac, int arfcn)
1127 bts->location_area_code = lac;
1128 bts->c0->arfcn = arfcn;
1130 /* Control Channel Description */
1131 memset(&bts->chan_desc, 0, sizeof(struct gsm48_control_channel_descr));
1132 bts->chan_desc.att = 1;
1133 bts->chan_desc.ccch_conf = RSL_BCCH_CCCH_CONF_1_C;
1134 bts->chan_desc.bs_pa_mfrms = RSL_BS_PA_MFRMS_5;
1135 bts->chan_desc.t3212 = 0;
1141 if (bts->type == GSM_BTS_TYPE_BS11) {
1142 struct gsm_bts_trx *trx = bts->c0;
/* Same E1 timeslot / sub-slot numbers that bootstrap_om_bs11() sends to the
 * BTS; the two lists must be kept in step by hand. */
1143 set_ts_e1link(&trx->ts[0], 0, 1, 0xff);
1144 set_ts_e1link(&trx->ts[1], 0, 2, 1);
1145 set_ts_e1link(&trx->ts[2], 0, 2, 2);
1146 set_ts_e1link(&trx->ts[3], 0, 2, 3);
1147 set_ts_e1link(&trx->ts[4], 0, 3, 0);
1148 set_ts_e1link(&trx->ts[5], 0, 3, 1);
1149 set_ts_e1link(&trx->ts[6], 0, 3, 2);
1150 set_ts_e1link(&trx->ts[7], 0, 3, 3);
1154 set_ts_e1link(&trx->ts[0], 0, 1, 0xff);
1155 set_ts_e1link(&trx->ts[1], 0, 2, 1);
1156 set_ts_e1link(&trx->ts[2], 0, 2, 2);
1157 set_ts_e1link(&trx->ts[3], 0, 2, 3);
1158 set_ts_e1link(&trx->ts[4], 0, 3, 0);
1159 set_ts_e1link(&trx->ts[5], 0, 3, 1);
1160 set_ts_e1link(&trx->ts[6], 0, 3, 2);
1161 set_ts_e1link(&trx->ts[7], 0, 3, 3);
/* Create and start a GSM network with one or more BTS.
 *
 * Validates the ARFCN against the band implied by bts_type, allocates the
 * network and BTS objects, initialises the subscriber database, starts the
 * telnet interface, registers the NM signal handler and sets up either the
 * E1/mISDN input (BS-11) or the ip.access input (nanoBTS).
 *
 * mncc_recv:     callback handed to gsm_network_init()
 * bts_type:      selects band check and transport
 * mcc, mnc, lac: network identity; no range check is visible in this function
 * arfcn:         must be 512-885 for nanoBTS 1800, 1-124 for BS-11/nanoBTS 900
 * cardnr, release_l2: passed to e1_config() for a BS-11
 * name_short, name_long: stored by pointer, not copied, so the caller's
 *                strings must outlive the network object
 * database_name: passed to db_init()
 * allow_all:     not referenced in the visible lines
 *
 * The error-path return values are not visible in this listing.
 *
 * NOTE(review): the results of gsm_network_init() and gsm_bts_alloc() are used
 * without a visible NULL check.
 */
1168 struct gsm_network *bootstrap_network(int (*mncc_recv)(struct gsm_network *, int, void *), gsm_bts_type bts_type, int mcc, int mnc, int lac, int arfcn, int cardnr, int release_l2, char *name_short, char *name_long, char *database_name, int allow_all)
1170 struct gsm_network *gsmnet;
1171 struct gsm_bts *bts;
1174 case GSM_BTS_TYPE_NANOBTS_1800:
1175 if (arfcn < 512 || arfcn > 885) {
1176 fprintf(stderr, "GSM1800 channel must be between 512-885.\n");
1180 case GSM_BTS_TYPE_BS11:
1181 case GSM_BTS_TYPE_NANOBTS_900:
1182 /* Assume we have a P-GSM900 here */
1183 if (arfcn < 1 || arfcn > 124) {
1184 fprintf(stderr, "GSM900 channel must be between 1-124.\n");
1188 case GSM_BTS_TYPE_UNKNOWN:
1189 fprintf(stderr, "Unknown BTS. Please use the --bts-type switch\n");
1193 /* initialize our data structures */
1194 gsmnet = gsm_network_init(mcc, mnc, mncc_recv);
1198 gsmnet->name_long = name_long;
1199 gsmnet->name_short = name_short;
1201 bts = gsm_bts_alloc(gsmnet, bts_type, HARDCODED_TSC, HARDCODED_BSIC);
1202 bootstrap_bts(bts, lac, arfcn);
1204 if (db_init(database_name)) {
1205 printf("DB: Failed to init database. Please check the option settings.\n");
1208 printf("DB: Database initialized.\n");
1211 printf("DB: Failed to prepare database.\n");
1214 printf("DB: Database prepared.\n");
/* NOTE(review): the management interface is started unconditionally on the
 * fixed port 4242. Telnet is cleartext, and neither the bind address nor any
 * authentication is visible from here; confirm it listens only on loopback
 * or a management network and that access is controlled. */
1216 telnet_init(gsmnet, 4242);
1218 register_signal_handler(SS_NM, nm_sig_cb, NULL);
1220 /* E1 mISDN input setup */
1221 if (bts_type == GSM_BTS_TYPE_BS11) {
1222 gsmnet->num_bts = 1;
1223 if (e1_config(bts, cardnr, release_l2))
1226 /* FIXME: do this dynamic */
/* Site and BTS ids are compile-time literals (1801 here, 1800 for the second
 * BTS below). */
1227 bts->ip_access.site_id = 1801;
1228 bts->ip_access.bts_id = 0;
1230 bts = gsm_bts_alloc(gsmnet, bts_type, HARDCODED_TSC, HARDCODED_BSIC);
1231 bootstrap_bts(bts, lac, arfcn);
1232 bts->ip_access.site_id = 1800;
1233 bts->ip_access.bts_id = 0;
1234 if (ipaccess_setup(gsmnet))
/* NOTE(review): the condition guarding this call is not visible; presumably
 * it is the allow_all parameter. Going by the name, it switches off
 * subscriber authorization so that any handset may register. Confirm it is
 * off by default and that enabling it is logged. */
1239 gsm0408_allow_everyone(1);
1244 static void create_pcap_file(char *file)
1246 mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
1247 int fd = open(file, O_WRONLY|O_TRUNC|O_CREAT, mode);
1250 perror("Failed to open file for pcap");