OpenBSC is the current name for a software program that started with the name bs11-abis.

What is OpenBSC

It is a BSC (Base Station Controller) side implementation of the A-bis protocol, as implemented in the GSM Technical Specification 08.5x and 12.21. It implements a minimal subset of the BSC, MSC and HLR. It does not implement ant of the interfaces (like the A and B interfaces) between the higher-order GSM network components.

The goal of the project is to

  • provide a basis for experimentation and security research with GSM from the network side
  • document, publicized and point out any security related issues that we find as part of that
  • learn more about GSM networks on a lower level, particularly the practical aspects with real-world equipment

We are not interested in

  • building a stable/reliable BSC/MSC for deployment in actual networks
  • building something that follows the GSM spec to the last detail
  • disrupting actual commercial GSM network

Requirements

OpenBSC runs only on Linux systems and requires a E1 interface card compatible with mISDN

It requires a GSM BTS. The only currently tested configurations are with a Siemens BS-11 microBTS or a ip.access nanoBTS.

Source code

You can check out the source code via 

git clone git://bs11-abis.gnumonks.org/openbsc.git

or browse it at http://bs11-abis.gnumonks.org/trac/browser

Mailing list

There's a developer mailing list called openbsc@… Subscription is available at http://lists.gnumonks.org/mailman/listinfo/openbsc/

IRC (Internet Relay Chat)

irc.freenode.net/#openbsc

Project status

Things that work

  • OML? Initialization of the BTS
  • RSL? bringup, channel allocation, Channel required / Immediate Assign
  • Very simplistic HLR implemented as sqlite database
  • Non-secure Authentication using IMEI?/IMSI? and regular SIM cards.
  • IMEI?/IMSI? skimming of all phones that try to register with OpenBSC
  • SMS? reception and SMS? sending (simplistic, not possible to route them yet)
  • Transmission of MM INFO packets with operator name and local time / timezone
  • Extremely simplistic call control for MO (Mobile Originated) and MT (Mobile Terminated) calls
  • TCH/F support
  • paging of mobiles that are registered to the BTS
  • signalling of mobile-originated and mobile-terminated calls
  • processing/switching of calls from one phone to another
  • demultiplex of the four 16k sub-channels with voice data contained in one E1 timeslot
  • support for multiple TRX in one BTS

Things that are implemented but don't work yet or aren't tested yet

  • GPRS support (SGSN + GGSN inside OpenBSC)
  • Support the use of A3/A8 and A5/1 (we need SIM cards with known Ki, e.g. simulated SIM cards)

Things being worked at

  • GPS/DCF77 disciplined quartz reference for the HFC-E1 card (via HS-Esslingen, Student Research Project)

Things that are missing

  • Cell Broadcast
  • transcoding of voice data
  • TCH/H voice calls (in standalone config)
  • CSD? calls
  • handover between multiple BTS
  • emergency call handling
  • Discontinuous TX and RX (DTX? / DRX?) support

Authors

OpenBSC was mainly developed by Harald Welte. Contributions by Holger Freyther, Stefan Schmidt, Daniel Willmann, Jan Luebbe, Thomas Seiler and Andreas Eversberg.

Special thanks to Dieter Spaar for BS11-Init? and tons of feedback and comments, without which we would not have been able to make progress as quickly as we did.