1 /* Bootstrapping GSM - taken from bsc_hack.c */
3 /* (C) 2008-2009 by Harald Welte <laforge@gnumonks.org>
4 * (C) 2009 by Holger Hans Peter Freyther <zecke@selfish.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
41 #include <openbsc/openbsc.h>
42 #include <openbsc/gsm_data.h>
43 #include <openbsc/gsm_04_08.h>
44 #include <openbsc/db.h>
45 #include <openbsc/timer.h>
46 #include <openbsc/select.h>
47 #include <openbsc/abis_rsl.h>
48 #include <openbsc/abis_nm.h>
49 #include <openbsc/debug.h>
50 #include <openbsc/misdn.h>
51 #include <openbsc/telnet_interface.h>
52 #include <openbsc/paging.h>
53 #include <openbsc/e1_input.h>
55 /* The following definitions are for OM and NM packets that we cannot yet
56 * generate by code but we just pass on */
58 // BTS Site Manager, SET ATTRIBUTES
61 Object Class: BTS Site Manager
66 sAbisExternalTime: 2007/09/08 14:36:11
68 shortLAPDIntTimer: 5sec
69 emergencyTimer1: 10 minutes
70 emergencyTimer2: 0 minutes
73 unsigned char msg_1[] =
75 0xD0, 0x00, 0xFF, 0xFF, 0xFF,
76 NM_ATT_BS11_ABIS_EXT_TIME, 0x07, 0xD7, 0x09, 0x08, 0x0E, 0x24, 0x0B, 0xCE,
79 0x42, 0x02, 0x00, 0x0A,
80 0x44, 0x02, 0x00, 0x00
83 // BTS, SET BTS ATTRIBUTES
91 bsIdentityCode / BSIC:
94 BTS Air Timer T3105: 4 ,unit 10 ms
96 periodCCCHLoadIndication: 1sec
97 thresholdCCCHLoadIndication: 0%
98 cellAllocationNumber: 00h = GSM 900
99 enableInterferenceClass: 00h = Disabled
100 fACCHQual: 6 (FACCH stealing flags minus 1)
101 intaveParameter: 31 SACCH multiframes
102 interferenceLevelBoundaries:
103 Interference Boundary 1: 0Ah
104 Interference Boundary 2: 0Fh
105 Interference Boundary 3: 14h
106 Interference Boundary 4: 19h
107 Interference Boundary 5: 1Eh
109 GSM range: 2=39dBm, 15=13dBm, stepsize 2 dBm
110 DCS1800 range: 0=30dBm, 15=0dBm, stepsize 2 dBm
111 PCS1900 range: 0=30dBm, 15=0dBm, stepsize 2 dBm
114 Maximum number of repetitions for PHYSICAL INFORMATION message (GSM 04.08): 20
115 powerOutputThresholds:
116 Out Power Fault Threshold: -10 dB
117 Red Out Power Threshold: - 6 dB
118 Excessive Out Power Threshold: 5 dB
119 rACHBusyThreshold: -127 dBm
120 rACHLoadAveragingSlots: 250 ,number of RACH burst periods
121 rfResourceIndicationPeriod: 125 SACCH multiframes
124 FACCH/Full rate: 031 in 5 ms
125 FACCH/Half rate: 041 in 5 ms
126 SACCH with TCH SAPI0: 090 in 10 ms
127 SACCH with SDCCH: 090 in 10 ms
128 SDCCH with SAPI3: 090 in 5 ms
129 SACCH with TCH SAPI3: 135 in 10 ms
130 tSync: 9000 units of 10 msec
131 tTrau: 9000 units of 10 msec
132 enableUmLoopTest: 00h = disabled
133 enableExcessiveDistance: 00h = Disabled
134 excessiveDistance: 64km
135 hoppingMode: 00h = baseband hopping
136 cellType: 00h = Standard Cell
137 BCCH ARFCN / bCCHFrequency: 1
140 unsigned char msg_2[] =
142 0x41, 0x01, 0x00, 0xFF, 0xFF,
144 NM_ATT_BTS_AIR_TIMER, 0x04,
145 NM_ATT_BS11_BTSLS_HOPPING, 0x00,
146 NM_ATT_CCCH_L_I_P, 0x01,
147 NM_ATT_CCCH_L_T, 0x00,
148 NM_ATT_BS11_CELL_ALLOC_NR, 0x00,
149 NM_ATT_BS11_ENA_INTERF_CLASS, 0x00,
150 NM_ATT_BS11_FACCH_QUAL, 0x06,
151 NM_ATT_INTAVE_PARAM, 0x1F,
152 NM_ATT_INTERF_BOUND, 0x0A, 0x0F, 0x14, 0x19, 0x1E, 0x7B,
153 NM_ATT_CCCH_L_T, 0x23,
154 NM_ATT_GSM_TIME, 0x28, 0x00,
155 NM_ATT_ADM_STATE, 0x03,
156 NM_ATT_RACH_B_THRESH, 0x7F,
157 NM_ATT_LDAVG_SLOTS, 0x00, 0xFA,
158 NM_ATT_BS11_RF_RES_IND_PER, 0x7D,
159 NM_ATT_T200, 0x2C, 0x1F, 0x29, 0x5A, 0x5A, 0x5A, 0x87,
160 NM_ATT_BS11_TSYNC, 0x23, 0x28,
161 NM_ATT_BS11_TTRAU, 0x23, 0x28,
162 NM_ATT_TEST_DUR, 0x01, 0x00,
163 NM_ATT_OUTST_ALARM, 0x01, 0x00,
164 NM_ATT_BS11_EXCESSIVE_DISTANCE, 0x01, 0x40,
165 NM_ATT_BS11_HOPPING_MODE, 0x01, 0x00,
166 NM_ATT_BS11_PLL, 0x01, 0x00,
167 NM_ATT_BCCH_ARFCN, 0x00, HARDCODED_ARFCN/*0x01*/,
170 // Handover Recognition, SET ATTRIBUTES
173 Illegal Contents GSM Formatted O&M Msg
174 Object Class: Handover Recognition
179 enableDelayPowerBudgetHO: 00h = Disabled
180 enableDistanceHO: 00h = Disabled
181 enableInternalInterCellHandover: 00h = Disabled
182 enableInternalIntraCellHandover: 00h = Disabled
183 enablePowerBudgetHO: 00h = Disabled
184 enableRXLEVHO: 00h = Disabled
185 enableRXQUALHO: 00h = Disabled
186 hoAveragingDistance: 8 SACCH multiframes
188 A_LEV_HO: 8 SACCH multiframes
189 W_LEV_HO: 1 SACCH multiframes
190 hoAveragingPowerBudget: 16 SACCH multiframes
192 A_QUAL_HO: 8 SACCH multiframes
193 W_QUAL_HO: 2 SACCH multiframes
194 hoLowerThresholdLevDL: (10 - 110) dBm
195 hoLowerThresholdLevUL: (5 - 110) dBm
196 hoLowerThresholdQualDL: 06h = 6.4% < BER < 12.8%
197 hoLowerThresholdQualUL: 06h = 6.4% < BER < 12.8%
198 hoThresholdLevDLintra : (20 - 110) dBm
199 hoThresholdLevULintra: (20 - 110) dBm
200 hoThresholdMsRangeMax: 20 km
202 timerHORequest: 3 ,unit 2 SACCH multiframes
205 unsigned char msg_3[] =
207 0xD0, 0xA1, 0x00, 0xFF, 0xFF,
217 0x71, 0x10, 0x10, 0x10,
227 0x92, 0x03, 0x20, 0x01, 0x00,
242 // Power Control, SET ATTRIBUTES
245 Object Class: Power Control
250 enableMsPowerControl: 00h = Disabled
251 enablePowerControlRLFW: 00h = Disabled
253 A_LEV_PC: 4 SACCH multiframes
254 W_LEV_PC: 1 SACCH multiframes
256 A_QUAL_PC: 4 SACCH multiframes
257 W_QUAL_PC: 2 SACCH multiframes
258 pcLowerThresholdLevDL: 0Fh
259 pcLowerThresholdLevUL: 0Ah
260 pcLowerThresholdQualDL: 05h = 3.2% < BER < 6.4%
261 pcLowerThresholdQualUL: 05h = 3.2% < BER < 6.4%
263 pcUpperThresholdLevDL: 14h
264 pcUpperThresholdLevUL: 0Fh
265 pcUpperThresholdQualDL: 04h = 1.6% < BER < 3.2%
266 pcUpperThresholdQualUL: 04h = 1.6% < BER < 3.2%
267 powerConfirm: 2 ,unit 2 SACCH multiframes
268 powerControlInterval: 2 ,unit 2 SACCH multiframes
269 powerIncrStepSize: 02h = 4 dB
270 powerRedStepSize: 01h = 2 dB
271 radioLinkTimeoutBs: 64 SACCH multiframes
272 enableBSPowerControl: 00h = disabled
275 unsigned char msg_4[] =
277 0xD0, 0xA2, 0x00, 0xFF, 0xFF,
278 NM_ATT_BS11_ENA_MS_PWR_CTRL, 0x00,
279 NM_ATT_BS11_ENA_PWR_CTRL_RLFW, 0x00,
296 0x65, 0x01, 0x00 // set to 0x01 to enable BSPowerControl
300 // Transceiver, SET TRX ATTRIBUTES (TRX 0)
303 Object Class: Transceiver
308 aRFCNList (HEX): 0001
309 txPwrMaxReduction: 00h = 30dB
310 radioMeasGran: 254 SACCH multiframes
311 radioMeasRep: 01h = enabled
312 memberOfEmergencyConfig: 01h = TRUE
313 trxArea: 00h = TRX doesn't belong to a concentric cell
316 unsigned char msg_6[] =
318 0x44, 0x02, 0x00, 0x00, 0xFF,
319 NM_ATT_ARFCN_LIST, 0x01, 0x00, HARDCODED_ARFCN /*0x01*/,
320 NM_ATT_RF_MAXPOWR_R, 0x00,
321 NM_ATT_BS11_RADIO_MEAS_GRAN, 0x01, 0xFE,
322 NM_ATT_BS11_RADIO_MEAS_REP, 0x01, 0x01,
323 NM_ATT_BS11_EMRG_CFG_MEMBER, 0x01, 0x01,
324 NM_ATT_BS11_TRX_AREA, 0x01, 0x00,
327 static unsigned char nanobts_attr_bts[] = {
328 NM_ATT_INTERF_BOUND, 0x55, 0x5b, 0x61, 0x67, 0x6d, 0x73,
329 NM_ATT_INTAVE_PARAM, 0x06,
330 NM_ATT_CONN_FAIL_CRIT, 0x00, 0x02, 0x01, 0x10,
331 NM_ATT_T200, 0x1e, 0x24, 0x24, 0xa8, 0x34, 0x21, 0xa8,
333 NM_ATT_OVERL_PERIOD, 0x00, 0x01, 10, /* seconds */
334 NM_ATT_CCCH_L_T, 10, /* percent */
335 NM_ATT_CCCH_L_I_P, 1, /* seconds */
336 NM_ATT_RACH_B_THRESH, 0x0a,
337 NM_ATT_LDAVG_SLOTS, 0x03, 0xe8,
338 NM_ATT_BTS_AIR_TIMER, 0x80,
340 NM_ATT_BCCH_ARFCN, HARDCODED_ARFCN >> 8, HARDCODED_ARFCN & 0xff,
344 static unsigned char nanobts_attr_radio[] = {
345 NM_ATT_RF_MAXPOWR_R, 0x0c,
346 NM_ATT_ARFCN_LIST, 0x00, 0x02, HARDCODED_ARFCN >> 8, HARDCODED_ARFCN & 0xff,
349 static unsigned char nanobts_attr_e0[] = {
351 0x81, 0x0b, 0xbb, /* TCP PORT for RSL */
354 int nm_state_event(enum nm_evt evt, u_int8_t obj_class, void *obj,
355 struct gsm_nm_state *old_state, struct gsm_nm_state *new_state)
358 struct gsm_bts_trx *trx;
359 struct gsm_bts_trx_ts *ts;
361 /* This is currently only required on nanoBTS */
364 case EVT_STATECHG_OPER:
366 case NM_OC_SITE_MANAGER:
367 bts = container_of(obj, struct gsm_bts, site_mgr);
368 if (old_state->operational != 2 && new_state->operational == 2) {
369 abis_nm_opstart(bts, NM_OC_SITE_MANAGER, 0xff, 0xff, 0xff);
373 bts = (struct gsm_bts *)obj;
374 if (new_state->availability == 5) {
375 abis_nm_set_bts_attr(bts, nanobts_attr_bts,
376 sizeof(nanobts_attr_bts));
377 abis_nm_opstart(bts, NM_OC_BTS,
378 bts->nr, 0xff, 0xff);
379 abis_nm_chg_adm_state(bts, NM_OC_BTS,
384 case NM_OC_RADIO_CARRIER:
385 trx = (struct gsm_bts_trx *)obj;
386 if (new_state->availability == 3) {
387 abis_nm_set_radio_attr(trx, nanobts_attr_radio,
388 sizeof(nanobts_attr_radio));
389 abis_nm_opstart(trx->bts, NM_OC_RADIO_CARRIER,
390 trx->bts->nr, trx->nr, 0xff);
391 abis_nm_chg_adm_state(trx->bts, NM_OC_RADIO_CARRIER,
392 trx->bts->nr, trx->nr, 0xff,
397 ts = (struct gsm_bts_trx_ts *)obj;
398 trx = (struct gsm_bts_trx *)ts->trx;
399 if (new_state->availability == 5) {
400 if (ts->nr == 0 && trx == trx->bts->c0)
401 abis_nm_set_channel_attr(ts, NM_CHANC_BCCH_CBCH);
403 abis_nm_set_channel_attr(ts, NM_CHANC_TCHFull);
404 abis_nm_opstart(trx->bts, NM_OC_CHANNEL,
405 trx->bts->nr, trx->nr, ts->nr);
406 abis_nm_chg_adm_state(trx->bts, NM_OC_CHANNEL,
407 trx->bts->nr, trx->nr, ts->nr,
411 case NM_OC_BASEB_TRANSC:
412 trx = container_of(obj, struct gsm_bts_trx, bb_transc);
413 if (new_state->availability == 5) {
414 abis_nm_ipaccess_msg(trx->bts, 0xe0, NM_OC_BASEB_TRANSC,
415 trx->bts->nr, trx->nr, 0xff,
416 nanobts_attr_e0, sizeof(nanobts_attr_e0));
417 abis_nm_opstart(trx->bts, NM_OC_BASEB_TRANSC,
418 trx->bts->nr, trx->nr, 0xff);
419 abis_nm_chg_adm_state(trx->bts, NM_OC_BASEB_TRANSC,
420 trx->bts->nr, trx->nr, 0xff,
426 case EVT_STATECHG_ADM:
427 DEBUGP(DMM, "Unhandled state change in %s:%d\n", __func__, __LINE__);
433 static void bootstrap_om_nanobts(struct gsm_bts *bts)
435 /* We don't do callback based bootstrapping, but event driven (see above) */
438 static void bootstrap_om_bs11(struct gsm_bts *bts)
440 struct gsm_bts_trx *trx = &bts->trx[0];
442 /* stop sending event reports */
443 abis_nm_event_reports(bts, 0);
445 /* begin DB transmission */
446 abis_nm_bs11_db_transmission(bts, 1);
448 /* end DB transmission */
449 abis_nm_bs11_db_transmission(bts, 0);
451 /* Reset BTS Site manager resource */
452 abis_nm_bs11_reset_resource(bts);
454 /* begin DB transmission */
455 abis_nm_bs11_db_transmission(bts, 1);
457 abis_nm_raw_msg(bts, sizeof(msg_1), msg_1); /* set BTS SiteMgr attr*/
458 abis_nm_raw_msg(bts, sizeof(msg_2), msg_2); /* set BTS attr */
459 abis_nm_raw_msg(bts, sizeof(msg_3), msg_3); /* set BTS handover attr */
460 abis_nm_raw_msg(bts, sizeof(msg_4), msg_4); /* set BTS power control attr */
462 /* Connect signalling of bts0/trx0 to e1_0/ts1/64kbps */
463 abis_nm_conn_terr_sign(trx, 0, 1, 0xff);
464 set_ts_e1link(&trx->ts[0], 0, 1, 0xff);
465 abis_nm_raw_msg(bts, sizeof(msg_6), msg_6); /* SET TRX ATTRIBUTES */
467 /* Use TEI 1 for signalling */
468 abis_nm_establish_tei(bts, 0, 0, 1, 0xff, 0x01);
469 abis_nm_set_channel_attr(&trx->ts[0], NM_CHANC_SDCCH_CBCH);
473 abis_nm_conn_terr_sign(&bts->trx[1], 0, 1, 0xff);
474 /* FIXME: TRX ATTRIBUTE */
475 abis_nm_establish_tei(bts, 0, 0, 1, 0xff, 0x02);
478 /* SET CHANNEL ATTRIBUTE TS1 */
479 abis_nm_set_channel_attr(&trx->ts[1], NM_CHANC_TCHFull);
480 /* Connect traffic of bts0/trx0/ts1 to e1_0/ts2/b */
481 set_ts_e1link(&trx->ts[1], 0, 2, 1);
482 abis_nm_conn_terr_traf(&trx->ts[1], 0, 2, 1);
484 /* SET CHANNEL ATTRIBUTE TS2 */
485 abis_nm_set_channel_attr(&trx->ts[2], NM_CHANC_TCHFull);
486 /* Connect traffic of bts0/trx0/ts2 to e1_0/ts2/c */
487 set_ts_e1link(&trx->ts[2], 0, 2, 2);
488 abis_nm_conn_terr_traf(&trx->ts[2], 0, 2, 2);
490 /* SET CHANNEL ATTRIBUTE TS3 */
491 abis_nm_set_channel_attr(&trx->ts[3], NM_CHANC_TCHFull);
492 /* Connect traffic of bts0/trx0/ts3 to e1_0/ts2/d */
493 set_ts_e1link(&trx->ts[3], 0, 2, 3);
494 abis_nm_conn_terr_traf(&trx->ts[3], 0, 2, 3);
496 /* SET CHANNEL ATTRIBUTE TS4 */
497 abis_nm_set_channel_attr(&trx->ts[4], NM_CHANC_TCHFull);
498 /* Connect traffic of bts0/trx0/ts4 to e1_0/ts3/a */
499 set_ts_e1link(&trx->ts[4], 0, 3, 0);
500 abis_nm_conn_terr_traf(&trx->ts[4], 0, 3, 0);
502 /* SET CHANNEL ATTRIBUTE TS5 */
503 abis_nm_set_channel_attr(&trx->ts[5], NM_CHANC_TCHFull);
504 /* Connect traffic of bts0/trx0/ts5 to e1_0/ts3/b */
505 set_ts_e1link(&trx->ts[5], 0, 3, 1);
506 abis_nm_conn_terr_traf(&trx->ts[5], 0, 3, 1);
508 /* SET CHANNEL ATTRIBUTE TS6 */
509 abis_nm_set_channel_attr(&trx->ts[6], NM_CHANC_TCHFull);
510 /* Connect traffic of bts0/trx0/ts6 to e1_0/ts3/c */
511 set_ts_e1link(&trx->ts[6], 0, 3, 2);
512 abis_nm_conn_terr_traf(&trx->ts[6], 0, 3, 2);
514 /* SET CHANNEL ATTRIBUTE TS7 */
515 abis_nm_set_channel_attr(&trx->ts[7], NM_CHANC_TCHFull);
516 /* Connect traffic of bts0/trx0/ts7 to e1_0/ts3/d */
517 set_ts_e1link(&trx->ts[7], 0, 3, 3);
518 abis_nm_conn_terr_traf(&trx->ts[7], 0, 3, 3);
520 /* end DB transmission */
521 abis_nm_bs11_db_transmission(bts, 0);
523 /* Reset BTS Site manager resource */
524 abis_nm_bs11_reset_resource(bts);
526 /* restart sending event reports */
527 abis_nm_event_reports(bts, 1);
530 static void bootstrap_om(struct gsm_bts *bts)
532 fprintf(stdout, "bootstrapping OML\n");
535 case GSM_BTS_TYPE_BS11:
536 bootstrap_om_bs11(bts);
538 case GSM_BTS_TYPE_NANOBTS_900:
539 case GSM_BTS_TYPE_NANOBTS_1800:
540 bootstrap_om_nanobts(bts);
543 fprintf(stderr, "Unable to bootstrap OML: Unknown BTS type %d\n", bts->type);
547 static int shutdown_om(struct gsm_bts *bts)
549 /* stop sending event reports */
550 abis_nm_event_reports(bts, 0);
552 /* begin DB transmission */
553 abis_nm_bs11_db_transmission(bts, 1);
555 /* end DB transmission */
556 abis_nm_bs11_db_transmission(bts, 0);
558 /* Reset BTS Site manager resource */
559 abis_nm_bs11_reset_resource(bts);
567 const u_int8_t *data;
571 SYSTEM INFORMATION TYPE 1
572 Cell channel description
574 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
575 RACH Control Parameters
576 maximum 7 retransmissions
577 8 slots used to spread transmission
578 cell not barred for access
579 call reestablishment not allowed
580 Access Control Class = 0000
582 static u_int8_t si1[] = {
583 /* header */0x55, 0x06, 0x19,
584 /* ccdesc */0x04 /*0x00*/, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
585 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 /*0x01*/,
586 /* rach */0xD5, 0x00, 0x00,
591 SYSTEM INFORMATION TYPE 2
592 Neighbour Cells Description
593 EXT-IND: Carries the complete BA
596 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
597 NCC permitted (NCC) = FF
598 RACH Control Parameters
599 maximum 7 retransmissions
600 8 slots used to spread transmission
601 cell not barred for access
602 call reestablishment not allowed
603 Access Control Class = 0000
605 static u_int8_t si2[] = {
606 /* header */0x59, 0x06, 0x1A,
607 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
608 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
610 /* rach*/0xD5, 0x00, 0x00
614 SYSTEM INFORMATION TYPE 3
615 Cell identity = 00001 (1h)
616 Location area identification
617 Mobile Country Code (MCC): 001
618 Mobile Network Code (MNC): 01
619 Location Area Code (LAC): 00001 (1h)
620 Control Channel Description
621 Attach-detach: MSs in the cell are not allowed to apply IMSI attach /detach
622 0 blocks reserved for access grant
623 1 channel used for CCCH, with SDCCH
624 5 multiframes period for PAGING REQUEST
627 Power control indicator: not set
628 MSs shall not use uplink DTX
629 Radio link timeout = 36
630 Cell Selection Parameters
631 Cell reselect hysteresis = 6 dB RXLEV hysteresis for LA re-selection
632 max.TX power level MS may use for CCH = 2 <- according to GSM05.05 39dBm (max)
633 Additional Reselect Parameter Indication (ACS) = only SYSTEM INFO 4: The SI rest octets, if present, shall be used to derive the value of PI and possibly C2 parameters
634 Half rate support (NECI): New establishment causes are not supported
635 min.RX signal level for MS = 0
636 RACH Control Parameters
637 maximum 7 retransmissions
638 8 slots used to spread transmission
639 cell not barred for access
640 call reestablishment not allowed
641 Access Control Class = 0000
643 Cell Bar Qualify (CBQ): 0
644 Cell Reselect Offset = 0 dB
645 Temporary Offset = 0 dB
647 System Information 2ter Indicator (2TI): 0 = not available
648 Early Classmark Sending Control (ECSC): 0 = forbidden
649 Scheduling Information is not sent in SYSTEM INFORMATION TYPE 9 on the BCCH
651 static u_int8_t si3[] = {
652 /* header */0x49, 0x06, 0x1B,
653 /* cell */0x00, 0x01,
654 /* lai */0x00, 0xF1, 0x10, 0x00, 0x01,
655 /* desc */0x01, 0x03, 0x00,
657 /* selection*/0x62, 0x00,
658 /* rach */0xD5, 0x00, 0x00,
659 /* reset*/0x80, 0x00, 0x00, 0x2B
663 SYSTEM INFORMATION TYPE 4
664 Location area identification
665 Mobile Country Code (MCC): 001
666 Mobile Network Code (MNC): 01
667 Location Area Code (LAC): 00001 (1h)
668 Cell Selection Parameters
669 Cell reselect hysteresis = 6 dB RXLEV hysteresis for LA re-selection
670 max.TX power level MS may use for CCH = 2
671 Additional Reselect Parameter Indication (ACS) = only SYSTEM INFO 4: The SI rest octets, if present, shall be used to derive the value of PI and possibly C2 parameters
672 Half rate support (NECI): New establishment causes are not supported
673 min.RX signal level for MS = 0
674 RACH Control Parameters
675 maximum 7 retransmissions
676 8 slots used to spread transmission
677 cell not barred for access
678 call reestablishment not allowed
679 Access Control Class = 0000
683 Training Sequence Code: 7h
686 Cell Bar Qualify (CBQ): 0
687 Cell Reselect Offset = 0 dB
688 Temporary Offset = 0 dB
691 static u_int8_t si4[] = {
692 /* header */0x41, 0x06, 0x1C,
693 /* lai */0x00, 0xF1, 0x10, 0x00, 0x01,
695 /* rach*/0xD5, 0x00, 0x00,
696 /* var */0x64, 0x30, 0xE0, HARDCODED_ARFCN/*0x01*/, 0x80, 0x00, 0x00,
701 SYSTEM INFORMATION TYPE 5
702 Neighbour Cells Description
703 EXT-IND: Carries the complete BA
706 CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
709 static u_int8_t si5[] = {
710 /* header without l2 len*/0x06, 0x1D,
711 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
712 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
715 // SYSTEM INFORMATION TYPE 6
719 System Info Type: SYSTEM INFORMATION 6
720 L3 Information (Hex): 06 1E 00 01 xx xx 10 00 01 28 FF
722 SYSTEM INFORMATION TYPE 6
723 Cell identity = 00001 (1h)
724 Location area identification
725 Mobile Country Code (MCC): 001
726 Mobile Network Code (MNC): 01
727 Location Area Code (LAC): 00001 (1h)
729 Power control indicator: not set
730 MSs shall not use uplink DTX on a TCH-F. MS shall not use uplink DTX on TCH-H.
731 Radio link timeout = 36
732 NCC permitted (NCC) = FF
735 static u_int8_t si6[] = {
736 /* header */0x06, 0x1E,
737 /* cell id*/ 0x00, 0x01,
738 /* lai */ 0x00, 0xF1, 0x10, 0x00, 0x01,
745 static const struct bcch_info bcch_infos[] = {
765 static_assert(sizeof(si1) == sizeof(struct gsm48_system_information_type_1), type1)
766 static_assert(sizeof(si2) == sizeof(struct gsm48_system_information_type_2), type2)
767 static_assert(sizeof(si3) == sizeof(struct gsm48_system_information_type_3), type3)
768 static_assert(sizeof(si4) >= sizeof(struct gsm48_system_information_type_4), type4)
769 static_assert(sizeof(si5) == sizeof(struct gsm48_system_information_type_5), type5)
770 static_assert(sizeof(si6) >= sizeof(struct gsm48_system_information_type_6), type6)
772 /* set all system information types */
773 static int set_system_infos(struct gsm_bts_trx *trx)
777 for (i = 0; i < ARRAY_SIZE(bcch_infos); i++) {
778 rsl_bcch_info(trx, bcch_infos[i].type,
782 rsl_sacch_filling(trx, RSL_SYSTEM_INFO_5, si5, sizeof(si5));
783 rsl_sacch_filling(trx, RSL_SYSTEM_INFO_6, si6, sizeof(si6));
791 static void bsc_hack_channel_allocated(struct gsm_lchan *lchan) {
795 * Patch the various SYSTEM INFORMATION tables to update
798 static void patch_tables(struct gsm_bts *bts)
800 u_int8_t arfcn_low = bts->trx[0].arfcn & 0xff;
801 u_int8_t arfcn_high = (bts->trx[0].arfcn >> 8) & 0x0f;
802 /* covert the raw packet to the struct */
803 struct gsm48_system_information_type_3 *type_3 =
804 (struct gsm48_system_information_type_3*)&si3;
805 struct gsm48_system_information_type_4 *type_4 =
806 (struct gsm48_system_information_type_4*)&si4;
807 struct gsm48_system_information_type_6 *type_6 =
808 (struct gsm48_system_information_type_6*)&si6;
809 struct gsm48_loc_area_id lai;
811 gsm0408_generate_lai(&lai, bts->network->country_code,
812 bts->network->network_code, bts->location_area_code);
814 /* assign the MCC and MNC */
819 /* patch ARFCN into BTS Attributes */
821 msg_2[74] |= arfcn_high;
822 msg_2[75] = arfcn_low;
823 nanobts_attr_bts[42] &= 0xf0;
824 nanobts_attr_bts[42] |= arfcn_high;
825 nanobts_attr_bts[43] = arfcn_low;
827 /* patch ARFCN into TRX Attributes */
829 msg_6[7] |= arfcn_high;
830 msg_6[8] = arfcn_low;
831 nanobts_attr_radio[5] &= 0xf0;
832 nanobts_attr_radio[5] |= arfcn_high;
833 nanobts_attr_radio[6] = arfcn_low;
835 type_4->data[2] &= 0xf0;
836 type_4->data[2] |= arfcn_high;
837 type_4->data[3] = arfcn_low;
839 /* patch Control Channel Description 10.5.2.11 */
840 type_3->control_channel_desc = bts->chan_desc;
844 static void bootstrap_rsl(struct gsm_bts_trx *trx)
846 fprintf(stdout, "bootstrapping RSL MCC=%u MNC=%u\n", trx->bts->network->country_code, trx->bts->network->network_code);
847 set_system_infos(trx);
850 void input_event(int event, enum e1inp_sign_type type, struct gsm_bts_trx *trx)
856 bootstrap_om(trx->bts);
866 fprintf(stderr, "Lost some E1 TEI link\n");
867 /* FIXME: deal with TEI or L1 link loss */
874 void *bootstrap_network(int (*mncc_recv)(void *, int, void *),int bts_type, int mcc, int mnc, int lac, int arfcn, int cardnr, int release_l2, char *name_short, char *name_long, char *hlr, int allow_all)
877 struct gsm_network *gsmnet;
881 fprintf(stderr, "DB: Failed to init HLR database '%s'. Please check the option settings.\n", hlr);
885 fprintf(stderr, "DB: Failed to prepare database.\n");
889 /* seed the PRNG for TMSI */
892 /* initialize our data structures */
893 gsmnet = gsm_network_init(1, (gsm_bts_type)bts_type, mcc, mnc, mncc_recv);
897 gsmnet->name_long = name_long;
898 gsmnet->name_short = name_short;
899 bts = &gsmnet->bts[0];
900 bts->location_area_code = lac;
901 bts->trx[0].arfcn = arfcn;
903 /* Control Channel Description */
904 memset(&bts->chan_desc, 0, sizeof(struct gsm48_control_channel_descr));
905 bts->chan_desc.att = 1;
906 bts->chan_desc.ccch_conf = RSL_BCCH_CCCH_CONF_1_C;
907 bts->chan_desc.bs_pa_mfrms = RSL_BS_PA_MFRMS_5;
908 bts->chan_desc.t3212 = 0;
913 bts->paging.channel_allocated = bsc_hack_channel_allocated;
915 telnet_init(gsmnet, 4242);
917 /* E1 mISDN input setup */
918 if (bts_type == GSM_BTS_TYPE_BS11) {
919 if (e1_config(bts, cardnr, release_l2))
927 gsm0408_allow_everyone(1);
932 int shutdown_net(void *network)
934 struct gsm_network *net = (struct gsm_network *)network;
936 for (i = 0; i < net->num_bts; i++) {
938 rc = shutdown_om(&net->bts[i]);