diff options
author | Harald Welte <laforge@gnumonks.org> | 2009-06-10 05:40:52 +0800 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2009-06-10 05:40:52 +0800 |
commit | 13e10daa330ea2b699c9aa9d14b3adbd01111fd6 (patch) | |
tree | bf9144f9cf625baab472492b3047970cab14ef83 /openbsc/src/bsc_hack.c | |
parent | f7c43524cfc6e30a0223d3aaff89fe955d6e5146 (diff) |
move openbsc into its own subdirectory
Diffstat (limited to 'openbsc/src/bsc_hack.c')
-rw-r--r-- | openbsc/src/bsc_hack.c | 1159 |
1 files changed, 1159 insertions, 0 deletions
diff --git a/openbsc/src/bsc_hack.c b/openbsc/src/bsc_hack.c new file mode 100644 index 000000000..7aa8b9aef --- /dev/null +++ b/openbsc/src/bsc_hack.c @@ -0,0 +1,1159 @@ +/* A hackish minimal BSC (+MSC +HLR) implementation */ + +/* (C) 2008-2009 by Harald Welte <laforge@gnumonks.org> + * (C) 2009 by Holger Hans Peter Freyther <zecke@selfish.org> + * All Rights Reserved + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + */ + +#include <unistd.h> +#include <stdlib.h> +#include <stdio.h> +#include <stdarg.h> +#include <time.h> +#include <string.h> +#include <errno.h> +#include <signal.h> +#include <fcntl.h> +#include <sys/stat.h> + +#define _GNU_SOURCE +#include <getopt.h> + +#include <openbsc/db.h> +#include <openbsc/timer.h> +#include <openbsc/gsm_data.h> +#include <openbsc/gsm_04_08.h> +#include <openbsc/select.h> +#include <openbsc/abis_rsl.h> +#include <openbsc/abis_nm.h> +#include <openbsc/debug.h> +#include <openbsc/misdn.h> +#include <openbsc/telnet_interface.h> +#include <openbsc/paging.h> +#include <openbsc/e1_input.h> +#include <openbsc/signal.h> + +/* global pointer to the gsm network data structure */ +static struct gsm_network *gsmnet; + +/* MCC and MNC for the Location Area Identifier */ +static int MCC = 1; +static int MNC = 1; +static int LAC = 1; +static int ARFCN = HARDCODED_ARFCN; +static int cardnr = 0; +static int release_l2 = 0; +static enum gsm_bts_type BTS_TYPE = GSM_BTS_TYPE_BS11; +static const char *database_name = "hlr.sqlite3"; + +/* The following definitions are for OM and NM packets that we cannot yet + * generate by code but we just pass on */ + +// BTS Site Manager, SET ATTRIBUTES + +/* + Object Class: BTS Site Manager + Instance 1: FF + Instance 2: FF + Instance 3: FF +SET ATTRIBUTES + sAbisExternalTime: 2007/09/08 14:36:11 + omLAPDRelTimer: 30sec + shortLAPDIntTimer: 5sec + emergencyTimer1: 10 minutes + emergencyTimer2: 0 minutes +*/ + +unsigned char msg_1[] = +{ + 0xD0, 0x00, 0xFF, 0xFF, 0xFF, + NM_ATT_BS11_ABIS_EXT_TIME, 0x07, + 0xD7, 0x09, 0x08, 0x0E, 0x24, 0x0B, 0xCE, + 0x02, + 0x00, 0x1E, + NM_ATT_BS11_SH_LAPD_INT_TIMER, + 0x01, 0x05, + 0x42, 0x02, 0x00, 0x0A, + 0x44, 0x02, 0x00, 0x00 +}; + +// BTS, SET BTS ATTRIBUTES + +/* + Object Class: BTS + BTS relat. Number: 0 + Instance 2: FF + Instance 3: FF +SET BTS ATTRIBUTES + bsIdentityCode / BSIC: + PLMN_colour_code: 7h + BS_colour_code: 7h + BTS Air Timer T3105: 4 ,unit 10 ms + btsIsHopping: FALSE + periodCCCHLoadIndication: 1sec + thresholdCCCHLoadIndication: 0% + cellAllocationNumber: 00h = GSM 900 + enableInterferenceClass: 00h = Disabled + fACCHQual: 6 (FACCH stealing flags minus 1) + intaveParameter: 31 SACCH multiframes + interferenceLevelBoundaries: + Interference Boundary 1: 0Ah + Interference Boundary 2: 0Fh + Interference Boundary 3: 14h + Interference Boundary 4: 19h + Interference Boundary 5: 1Eh + mSTxPwrMax: 11 + GSM range: 2=39dBm, 15=13dBm, stepsize 2 dBm + DCS1800 range: 0=30dBm, 15=0dBm, stepsize 2 dBm + PCS1900 range: 0=30dBm, 15=0dBm, stepsize 2 dBm + 30=33dBm, 31=32dBm + ny1: + Maximum number of repetitions for PHYSICAL INFORMATION message (GSM 04.08): 20 + powerOutputThresholds: + Out Power Fault Threshold: -10 dB + Red Out Power Threshold: - 6 dB + Excessive Out Power Threshold: 5 dB + rACHBusyThreshold: -127 dBm + rACHLoadAveragingSlots: 250 ,number of RACH burst periods + rfResourceIndicationPeriod: 125 SACCH multiframes + T200: + SDCCH: 044 in 5 ms + FACCH/Full rate: 031 in 5 ms + FACCH/Half rate: 041 in 5 ms + SACCH with TCH SAPI0: 090 in 10 ms + SACCH with SDCCH: 090 in 10 ms + SDCCH with SAPI3: 090 in 5 ms + SACCH with TCH SAPI3: 135 in 10 ms + tSync: 9000 units of 10 msec + tTrau: 9000 units of 10 msec + enableUmLoopTest: 00h = disabled + enableExcessiveDistance: 00h = Disabled + excessiveDistance: 64km + hoppingMode: 00h = baseband hopping + cellType: 00h = Standard Cell + BCCH ARFCN / bCCHFrequency: 1 +*/ + +unsigned char msg_2[] = +{ + 0x41, NM_OC_BTS, 0x00, 0xFF, 0xFF, + NM_ATT_BSIC, HARDCODED_BSIC, + NM_ATT_BTS_AIR_TIMER, 0x04, + NM_ATT_BS11_BTSLS_HOPPING, 0x00, + NM_ATT_CCCH_L_I_P, 0x01, + NM_ATT_CCCH_L_T, 0x00, + NM_ATT_BS11_CELL_ALLOC_NR, NM_BS11_CANR_GSM, + NM_ATT_BS11_ENA_INTERF_CLASS, 0x01, + NM_ATT_BS11_FACCH_QUAL, 0x06, + /* interference avg. period in numbers of SACCH multifr */ + NM_ATT_INTAVE_PARAM, 0x1F, + NM_ATT_INTERF_BOUND, 0x0A, 0x0F, 0x14, 0x19, 0x1E, 0x7B, + NM_ATT_CCCH_L_T, 0x23, + NM_ATT_GSM_TIME, 0x28, 0x00, + NM_ATT_ADM_STATE, 0x03, + NM_ATT_RACH_B_THRESH, 0x7F, + NM_ATT_LDAVG_SLOTS, 0x00, 0xFA, + NM_ATT_BS11_RF_RES_IND_PER, 0x7D, + NM_ATT_T200, 0x2C, 0x1F, 0x29, 0x5A, 0x5A, 0x5A, 0x87, + NM_ATT_BS11_TSYNC, 0x23, 0x28, + NM_ATT_BS11_TTRAU, 0x23, 0x28, + NM_ATT_TEST_DUR, 0x01, 0x00, + NM_ATT_OUTST_ALARM, 0x01, 0x00, + NM_ATT_BS11_EXCESSIVE_DISTANCE, 0x01, 0x40, + NM_ATT_BS11_HOPPING_MODE, 0x01, 0x00, + NM_ATT_BS11_PLL, 0x01, 0x00, + NM_ATT_BCCH_ARFCN, 0x00, HARDCODED_ARFCN/*0x01*/, +}; + +// Handover Recognition, SET ATTRIBUTES + +/* +Illegal Contents GSM Formatted O&M Msg + Object Class: Handover Recognition + BTS relat. Number: 0 + Instance 2: FF + Instance 3: FF +SET ATTRIBUTES + enableDelayPowerBudgetHO: 00h = Disabled + enableDistanceHO: 00h = Disabled + enableInternalInterCellHandover: 00h = Disabled + enableInternalIntraCellHandover: 00h = Disabled + enablePowerBudgetHO: 00h = Disabled + enableRXLEVHO: 00h = Disabled + enableRXQUALHO: 00h = Disabled + hoAveragingDistance: 8 SACCH multiframes + hoAveragingLev: + A_LEV_HO: 8 SACCH multiframes + W_LEV_HO: 1 SACCH multiframes + hoAveragingPowerBudget: 16 SACCH multiframes + hoAveragingQual: + A_QUAL_HO: 8 SACCH multiframes + W_QUAL_HO: 2 SACCH multiframes + hoLowerThresholdLevDL: (10 - 110) dBm + hoLowerThresholdLevUL: (5 - 110) dBm + hoLowerThresholdQualDL: 06h = 6.4% < BER < 12.8% + hoLowerThresholdQualUL: 06h = 6.4% < BER < 12.8% + hoThresholdLevDLintra : (20 - 110) dBm + hoThresholdLevULintra: (20 - 110) dBm + hoThresholdMsRangeMax: 20 km + nCell: 06h + timerHORequest: 3 ,unit 2 SACCH multiframes +*/ + +unsigned char msg_3[] = +{ + 0xD0, NM_OC_BS11_HANDOVER, 0x00, 0xFF, 0xFF, + 0xD0, 0x00, + 0x64, 0x00, + 0x67, 0x00, + 0x68, 0x00, + 0x6A, 0x00, + 0x6C, 0x00, + 0x6D, 0x00, + 0x6F, 0x08, + 0x70, 0x08, 0x01, + 0x71, 0x10, 0x10, 0x10, + 0x72, 0x08, 0x02, + 0x73, 0x0A, + 0x74, 0x05, + 0x75, 0x06, + 0x76, 0x06, + 0x78, 0x14, + 0x79, 0x14, + 0x7A, 0x14, + 0x7D, 0x06, + 0x92, 0x03, 0x20, 0x01, 0x00, + 0x45, 0x01, 0x00, + 0x48, 0x01, 0x00, + 0x5A, 0x01, 0x00, + 0x5B, 0x01, 0x05, + 0x5E, 0x01, 0x1A, + 0x5F, 0x01, 0x20, + 0x9D, 0x01, 0x00, + 0x47, 0x01, 0x00, + 0x5C, 0x01, 0x64, + 0x5D, 0x01, 0x1E, + 0x97, 0x01, 0x20, + 0xF7, 0x01, 0x3C, +}; + +// Power Control, SET ATTRIBUTES + +/* + Object Class: Power Control + BTS relat. Number: 0 + Instance 2: FF + Instance 3: FF +SET ATTRIBUTES + enableMsPowerControl: 00h = Disabled + enablePowerControlRLFW: 00h = Disabled + pcAveragingLev: + A_LEV_PC: 4 SACCH multiframes + W_LEV_PC: 1 SACCH multiframes + pcAveragingQual: + A_QUAL_PC: 4 SACCH multiframes + W_QUAL_PC: 2 SACCH multiframes + pcLowerThresholdLevDL: 0Fh + pcLowerThresholdLevUL: 0Ah + pcLowerThresholdQualDL: 05h = 3.2% < BER < 6.4% + pcLowerThresholdQualUL: 05h = 3.2% < BER < 6.4% + pcRLFThreshold: 0Ch + pcUpperThresholdLevDL: 14h + pcUpperThresholdLevUL: 0Fh + pcUpperThresholdQualDL: 04h = 1.6% < BER < 3.2% + pcUpperThresholdQualUL: 04h = 1.6% < BER < 3.2% + powerConfirm: 2 ,unit 2 SACCH multiframes + powerControlInterval: 2 ,unit 2 SACCH multiframes + powerIncrStepSize: 02h = 4 dB + powerRedStepSize: 01h = 2 dB + radioLinkTimeoutBs: 64 SACCH multiframes + enableBSPowerControl: 00h = disabled +*/ + +unsigned char msg_4[] = +{ + 0xD0, NM_OC_BS11_PWR_CTRL, 0x00, 0xFF, 0xFF, + NM_ATT_BS11_ENA_MS_PWR_CTRL, 0x00, + NM_ATT_BS11_ENA_PWR_CTRL_RLFW, 0x00, + 0x7E, 0x04, 0x01, + 0x7F, 0x04, 0x02, + 0x80, 0x0F, + 0x81, 0x0A, + 0x82, 0x05, + 0x83, 0x05, + 0x84, 0x0C, + 0x85, 0x14, + 0x86, 0x0F, + 0x87, 0x04, + 0x88, 0x04, + 0x89, 0x02, + 0x8A, 0x02, + 0x8B, 0x02, + 0x8C, 0x01, + 0x8D, 0x40, + 0x65, 0x01, 0x00 // set to 0x01 to enable BSPowerControl +}; + + +// Transceiver, SET TRX ATTRIBUTES (TRX 0) + +/* + Object Class: Transceiver + BTS relat. Number: 0 + Tranceiver number: 0 + Instance 3: FF +SET TRX ATTRIBUTES + aRFCNList (HEX): 0001 + txPwrMaxReduction: 00h = 30dB + radioMeasGran: 254 SACCH multiframes + radioMeasRep: 01h = enabled + memberOfEmergencyConfig: 01h = TRUE + trxArea: 00h = TRX doesn't belong to a concentric cell +*/ + +unsigned char msg_6[] = +{ + 0x44, NM_OC_RADIO_CARRIER, 0x00, 0x00, 0xFF, + NM_ATT_ARFCN_LIST, 0x01, 0x00, HARDCODED_ARFCN /*0x01*/, + NM_ATT_RF_MAXPOWR_R, 0x00, + NM_ATT_BS11_RADIO_MEAS_GRAN, 0x01, 0xFE, + NM_ATT_BS11_RADIO_MEAS_REP, 0x01, 0x01, + NM_ATT_BS11_EMRG_CFG_MEMBER, 0x01, 0x01, + NM_ATT_BS11_TRX_AREA, 0x01, 0x00, +}; + +static unsigned char nanobts_attr_bts[] = { + NM_ATT_INTERF_BOUND, 0x55, 0x5b, 0x61, 0x67, 0x6d, 0x73, + /* interference avg. period in numbers of SACCH multifr */ + NM_ATT_INTAVE_PARAM, 0x06, + /* conn fail based on SACCH error rate */ + NM_ATT_CONN_FAIL_CRIT, 0x00, 0x02, 0x01, 0x10, + NM_ATT_T200, 0x1e, 0x24, 0x24, 0xa8, 0x34, 0x21, 0xa8, + NM_ATT_MAX_TA, 0x3f, + NM_ATT_OVERL_PERIOD, 0x00, 0x01, 10, /* seconds */ + NM_ATT_CCCH_L_T, 10, /* percent */ + NM_ATT_CCCH_L_I_P, 1, /* seconds */ + NM_ATT_RACH_B_THRESH, 10, /* busy threshold in - dBm */ + NM_ATT_LDAVG_SLOTS, 0x03, 0xe8, /* rach load averaging 1000 slots */ + NM_ATT_BTS_AIR_TIMER, 128, /* miliseconds */ + NM_ATT_NY1, 10, /* 10 retransmissions of physical config */ + NM_ATT_BCCH_ARFCN, HARDCODED_ARFCN >> 8, HARDCODED_ARFCN & 0xff, + NM_ATT_BSIC, HARDCODED_BSIC, +}; + +static unsigned char nanobts_attr_radio[] = { + NM_ATT_RF_MAXPOWR_R, 0x0c, /* number of -2dB reduction steps / Pn */ + NM_ATT_ARFCN_LIST, 0x00, 0x02, HARDCODED_ARFCN >> 8, HARDCODED_ARFCN & 0xff, +}; + +static unsigned char nanobts_attr_e0[] = { + 0x85, 0x00, + 0x81, 0x0b, 0xbb, /* TCP PORT for RSL */ +}; + +/* Callback function to be called whenever we get a GSM 12.21 state change event */ +int nm_state_event(enum nm_evt evt, u_int8_t obj_class, void *obj, + struct gsm_nm_state *old_state, struct gsm_nm_state *new_state) +{ + struct gsm_bts *bts; + struct gsm_bts_trx *trx; + struct gsm_bts_trx_ts *ts; + + /* This is currently only required on nanoBTS */ + + switch (evt) { + case EVT_STATECHG_OPER: + switch (obj_class) { + case NM_OC_SITE_MANAGER: + bts = container_of(obj, struct gsm_bts, site_mgr); + if (old_state->operational != 2 && new_state->operational == 2) { + abis_nm_opstart(bts, NM_OC_SITE_MANAGER, 0xff, 0xff, 0xff); + } + break; + case NM_OC_BTS: + bts = obj; + if (new_state->availability == 5) { + abis_nm_set_bts_attr(bts, nanobts_attr_bts, + sizeof(nanobts_attr_bts)); + abis_nm_opstart(bts, NM_OC_BTS, + bts->bts_nr, 0xff, 0xff); + abis_nm_chg_adm_state(bts, NM_OC_BTS, + bts->bts_nr, 0xff, 0xff, + NM_STATE_UNLOCKED); + } + break; + case NM_OC_CHANNEL: + ts = obj; + trx = ts->trx; + if (new_state->availability == 5) { + if (ts->nr == 0 && trx == trx->bts->c0) + abis_nm_set_channel_attr(ts, NM_CHANC_BCCH_CBCH); + else + abis_nm_set_channel_attr(ts, NM_CHANC_TCHFull); + abis_nm_opstart(trx->bts, NM_OC_CHANNEL, + trx->bts->bts_nr, trx->nr, ts->nr); + abis_nm_chg_adm_state(trx->bts, NM_OC_CHANNEL, + trx->bts->bts_nr, trx->nr, ts->nr, + NM_STATE_UNLOCKED); + } + break; + default: + break; + } + break; + default: + //DEBUGP(DMM, "Unhandled state change in %s:%d\n", __func__, __LINE__); + break; + } + return 0; +} + +/* Callback function to be called every time we receive a 12.21 SW activated report */ +static int sw_activ_rep(struct msgb *mb) +{ + struct abis_om_fom_hdr *foh = msgb_l3(mb); + struct gsm_bts_trx *trx = mb->trx; + + switch (foh->obj_class) { + case NM_OC_BASEB_TRANSC: + /* TRX software is active, tell it to initiate RSL Link */ + abis_nm_ipaccess_msg(trx->bts, 0xe0, NM_OC_BASEB_TRANSC, + trx->bts->bts_nr, trx->nr, 0xff, + nanobts_attr_e0, sizeof(nanobts_attr_e0)); + abis_nm_opstart(trx->bts, NM_OC_BASEB_TRANSC, + trx->bts->bts_nr, trx->nr, 0xff); + abis_nm_chg_adm_state(trx->bts, NM_OC_BASEB_TRANSC, + trx->bts->bts_nr, trx->nr, 0xff, + NM_STATE_UNLOCKED); + break; + case NM_OC_RADIO_CARRIER: + abis_nm_set_radio_attr(trx, nanobts_attr_radio, + sizeof(nanobts_attr_radio)); + abis_nm_opstart(trx->bts, NM_OC_RADIO_CARRIER, + trx->bts->bts_nr, trx->nr, 0xff); + abis_nm_chg_adm_state(trx->bts, NM_OC_RADIO_CARRIER, + trx->bts->bts_nr, trx->nr, 0xff, + NM_STATE_UNLOCKED); + break; + } + return 0; +} + +/* Callback function to be called every time we receive a signal from NM */ +static int nm_sig_cb(unsigned int subsys, unsigned int signal, + void *handler_data, void *signal_data) +{ + switch (signal) { + case S_NM_SW_ACTIV_REP: + return sw_activ_rep(signal_data); + default: + break; + } + return 0; +} + +static void bootstrap_om_nanobts(struct gsm_bts *bts) +{ + /* We don't do callback based bootstrapping, but event driven (see above) */ +} + +static void bootstrap_om_bs11(struct gsm_bts *bts) +{ + struct gsm_bts_trx *trx = &bts->trx[0]; + + /* stop sending event reports */ + abis_nm_event_reports(bts, 0); + + /* begin DB transmission */ + abis_nm_bs11_db_transmission(bts, 1); + + /* end DB transmission */ + abis_nm_bs11_db_transmission(bts, 0); + + /* Reset BTS Site manager resource */ + abis_nm_bs11_reset_resource(bts); + + /* begin DB transmission */ + abis_nm_bs11_db_transmission(bts, 1); + + abis_nm_raw_msg(bts, sizeof(msg_1), msg_1); /* set BTS SiteMgr attr*/ + abis_nm_raw_msg(bts, sizeof(msg_2), msg_2); /* set BTS attr */ + abis_nm_raw_msg(bts, sizeof(msg_3), msg_3); /* set BTS handover attr */ + abis_nm_raw_msg(bts, sizeof(msg_4), msg_4); /* set BTS power control attr */ + + /* Connect signalling of bts0/trx0 to e1_0/ts1/64kbps */ + abis_nm_conn_terr_sign(trx, 0, 1, 0xff); + abis_nm_raw_msg(bts, sizeof(msg_6), msg_6); /* SET TRX ATTRIBUTES */ + + /* Use TEI 1 for signalling */ + abis_nm_establish_tei(bts, 0, 0, 1, 0xff, 0x01); + abis_nm_set_channel_attr(&trx->ts[0], NM_CHANC_SDCCH_CBCH); + +#ifdef HAVE_TRX1 + /* TRX 1 */ + abis_nm_conn_terr_sign(&bts->trx[1], 0, 1, 0xff); + /* FIXME: TRX ATTRIBUTE */ + abis_nm_establish_tei(bts, 0, 0, 1, 0xff, 0x02); +#endif + + /* SET CHANNEL ATTRIBUTE TS1 */ + abis_nm_set_channel_attr(&trx->ts[1], NM_CHANC_TCHFull); + /* Connect traffic of bts0/trx0/ts1 to e1_0/ts2/b */ + abis_nm_conn_terr_traf(&trx->ts[1], 0, 2, 1); + + /* SET CHANNEL ATTRIBUTE TS2 */ + abis_nm_set_channel_attr(&trx->ts[2], NM_CHANC_TCHFull); + /* Connect traffic of bts0/trx0/ts2 to e1_0/ts2/c */ + abis_nm_conn_terr_traf(&trx->ts[2], 0, 2, 2); + + /* SET CHANNEL ATTRIBUTE TS3 */ + abis_nm_set_channel_attr(&trx->ts[3], NM_CHANC_TCHFull); + /* Connect traffic of bts0/trx0/ts3 to e1_0/ts2/d */ + abis_nm_conn_terr_traf(&trx->ts[3], 0, 2, 3); + + /* SET CHANNEL ATTRIBUTE TS4 */ + abis_nm_set_channel_attr(&trx->ts[4], NM_CHANC_TCHFull); + /* Connect traffic of bts0/trx0/ts4 to e1_0/ts3/a */ + abis_nm_conn_terr_traf(&trx->ts[4], 0, 3, 0); + + /* SET CHANNEL ATTRIBUTE TS5 */ + abis_nm_set_channel_attr(&trx->ts[5], NM_CHANC_TCHFull); + /* Connect traffic of bts0/trx0/ts5 to e1_0/ts3/b */ + abis_nm_conn_terr_traf(&trx->ts[5], 0, 3, 1); + + /* SET CHANNEL ATTRIBUTE TS6 */ + abis_nm_set_channel_attr(&trx->ts[6], NM_CHANC_TCHFull); + /* Connect traffic of bts0/trx0/ts6 to e1_0/ts3/c */ + abis_nm_conn_terr_traf(&trx->ts[6], 0, 3, 2); + + /* SET CHANNEL ATTRIBUTE TS7 */ + abis_nm_set_channel_attr(&trx->ts[7], NM_CHANC_TCHFull); + /* Connect traffic of bts0/trx0/ts7 to e1_0/ts3/d */ + abis_nm_conn_terr_traf(&trx->ts[7], 0, 3, 3); + + /* end DB transmission */ + abis_nm_bs11_db_transmission(bts, 0); + + /* Reset BTS Site manager resource */ + abis_nm_bs11_reset_resource(bts); + + /* restart sending event reports */ + abis_nm_event_reports(bts, 1); +} + +static void bootstrap_om(struct gsm_bts *bts) +{ + fprintf(stdout, "bootstrapping OML for BTS %u\n", bts->nr); + + switch (bts->type) { + case GSM_BTS_TYPE_BS11: + bootstrap_om_bs11(bts); + break; + case GSM_BTS_TYPE_NANOBTS_900: + case GSM_BTS_TYPE_NANOBTS_1800: + bootstrap_om_nanobts(bts); + break; + default: + fprintf(stderr, "Unable to bootstrap OML: Unknown BTS type %d\n", bts->type); + } +} + +static int shutdown_om(struct gsm_bts *bts) +{ + /* stop sending event reports */ + abis_nm_event_reports(bts, 0); + + /* begin DB transmission */ + abis_nm_bs11_db_transmission(bts, 1); + + /* end DB transmission */ + abis_nm_bs11_db_transmission(bts, 0); + + /* Reset BTS Site manager resource */ + abis_nm_bs11_reset_resource(bts); + + return 0; +} + +static int shutdown_net(struct gsm_network *net) +{ + int i; + for (i = 0; i < net->num_bts; i++) { + int rc; + rc = shutdown_om(&net->bts[i]); + if (rc < 0) + return rc; + } + + return 0; +} + +struct bcch_info { + u_int8_t type; + u_int8_t len; + const u_int8_t *data; +}; + +/* +SYSTEM INFORMATION TYPE 1 + Cell channel description + Format-ID bit map 0 + CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 + RACH Control Parameters + maximum 7 retransmissions + 8 slots used to spread transmission + cell not barred for access + call reestablishment not allowed + Access Control Class = 0000 +*/ +static u_int8_t si1[] = { + /* header */0x55, 0x06, 0x19, + /* ccdesc */0x04 /*0x00*/, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 /*0x01*/, + /* rach */0xD5, 0x00, 0x00, + /* s1 reset*/0x2B +}; + +/* + SYSTEM INFORMATION TYPE 2 + Neighbour Cells Description + EXT-IND: Carries the complete BA + BA-IND = 0 + Format-ID bit map 0 + CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + NCC permitted (NCC) = FF + RACH Control Parameters + maximum 7 retransmissions + 8 slots used to spread transmission + cell not barred for access + call reestablishment not allowed + Access Control Class = 0000 +*/ +static u_int8_t si2[] = { + /* header */0x59, 0x06, 0x1A, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + /* ncc */0xFF, + /* rach*/0xD5, 0x00, 0x00 +}; + +/* +SYSTEM INFORMATION TYPE 3 + Cell identity = 00001 (1h) + Location area identification + Mobile Country Code (MCC): 001 + Mobile Network Code (MNC): 01 + Location Area Code (LAC): 00001 (1h) + Control Channel Description + Attach-detach: MSs in the cell are not allowed to apply IMSI attach /detach + 0 blocks reserved for access grant + 1 channel used for CCCH, with SDCCH + 5 multiframes period for PAGING REQUEST + Time-out T3212 = 0 + Cell Options BCCH + Power control indicator: not set + MSs shall not use uplink DTX + Radio link timeout = 36 + Cell Selection Parameters + Cell reselect hysteresis = 6 dB RXLEV hysteresis for LA re-selection + max.TX power level MS may use for CCH = 2 <- according to GSM05.05 39dBm (max) + Additional Reselect Parameter Indication (ACS) = only SYSTEM INFO 4: The SI rest octets, if present, shall be used to derive the value of PI and possibly C2 parameters + Half rate support (NECI): New establishment causes are not supported + min.RX signal level for MS = 0 + RACH Control Parameters + maximum 7 retransmissions + 8 slots used to spread transmission + cell not barred for access + call reestablishment not allowed + Access Control Class = 0000 + SI 3 Rest Octets + Cell Bar Qualify (CBQ): 0 + Cell Reselect Offset = 0 dB + Temporary Offset = 0 dB + Penalty Time = 20 s + System Information 2ter Indicator (2TI): 0 = not available + Early Classmark Sending Control (ECSC): 0 = forbidden + Scheduling Information is not sent in SYSTEM INFORMATION TYPE 9 on the BCCH +*/ +static u_int8_t si3[] = { + /* header */0x49, 0x06, 0x1B, + /* cell */0x00, 0x01, + /* lai */0x00, 0xF1, 0x10, 0x00, 0x01, + /* desc */0x01, 0x03, 0x00, + /* option*/0x28, + /* selection*/0x62, 0x00, + /* rach */0xD5, 0x00, 0x00, + /* reset*/0x80, 0x00, 0x00, 0x2B +}; + +/* +SYSTEM INFORMATION TYPE 4 + Location area identification + Mobile Country Code (MCC): 001 + Mobile Network Code (MNC): 01 + Location Area Code (LAC): 00001 (1h) + Cell Selection Parameters + Cell reselect hysteresis = 6 dB RXLEV hysteresis for LA re-selection + max.TX power level MS may use for CCH = 2 + Additional Reselect Parameter Indication (ACS) = only SYSTEM INFO 4: The SI rest octets, if present, shall be used to derive the value of PI and possibly C2 parameters + Half rate support (NECI): New establishment causes are not supported + min.RX signal level for MS = 0 + RACH Control Parameters + maximum 7 retransmissions + 8 slots used to spread transmission + cell not barred for access + call reestablishment not allowed + Access Control Class = 0000 + Channel Description + Type = SDCCH/4[2] + Timeslot Number: 0 + Training Sequence Code: 7h + ARFCN: 1 + SI Rest Octets + Cell Bar Qualify (CBQ): 0 + Cell Reselect Offset = 0 dB + Temporary Offset = 0 dB + Penalty Time = 20 s +*/ +static u_int8_t si4[] = { + /* header */0x41, 0x06, 0x1C, + /* lai */0x00, 0xF1, 0x10, 0x00, 0x01, + /* sel */0x62, 0x00, + /* rach*/0xD5, 0x00, 0x00, + /* var */0x64, 0x30, 0xE0, HARDCODED_ARFCN/*0x01*/, 0x80, 0x00, 0x00, + 0x2B, 0x2B, 0x2B +}; + +/* + SYSTEM INFORMATION TYPE 5 + Neighbour Cells Description + EXT-IND: Carries the complete BA + BA-IND = 0 + Format-ID bit map 0 + CA-ARFCN Bit 124...001 (Hex): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +*/ + +static u_int8_t si5[] = { + /* header without l2 len*/0x06, 0x1D, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +}; + +// SYSTEM INFORMATION TYPE 6 + +/* +SACCH FILLING + System Info Type: SYSTEM INFORMATION 6 + L3 Information (Hex): 06 1E 00 01 xx xx 10 00 01 28 FF + +SYSTEM INFORMATION TYPE 6 + Cell identity = 00001 (1h) + Location area identification + Mobile Country Code (MCC): 001 + Mobile Network Code (MNC): 01 + Location Area Code (LAC): 00001 (1h) + Cell Options SACCH + Power control indicator: not set + MSs shall not use uplink DTX on a TCH-F. MS shall not use uplink DTX on TCH-H. + Radio link timeout = 36 + NCC permitted (NCC) = FF +*/ + +static u_int8_t si6[] = { + /* header */0x06, 0x1E, + /* cell id*/ 0x00, 0x01, + /* lai */ 0x00, 0xF1, 0x10, 0x00, 0x01, + /* options */ 0x28, + /* ncc */ 0xFF, +}; + + + +static const struct bcch_info bcch_infos[] = { + { + .type = RSL_SYSTEM_INFO_1, + .len = sizeof(si1), + .data = si1, + }, { + .type = RSL_SYSTEM_INFO_2, + .len = sizeof(si2), + .data = si2, + }, { + .type = RSL_SYSTEM_INFO_3, + .len = sizeof(si3), + .data = si3, + }, { + .type = RSL_SYSTEM_INFO_4, + .len = sizeof(si4), + .data = si4, + }, +}; + +static_assert(sizeof(si1) == sizeof(struct gsm48_system_information_type_1), type1) +static_assert(sizeof(si2) == sizeof(struct gsm48_system_information_type_2), type2) +static_assert(sizeof(si3) == sizeof(struct gsm48_system_information_type_3), type3) +static_assert(sizeof(si4) >= sizeof(struct gsm48_system_information_type_4), type4) +static_assert(sizeof(si5) == sizeof(struct gsm48_system_information_type_5), type5) +static_assert(sizeof(si6) >= sizeof(struct gsm48_system_information_type_6), type6) + +/* set all system information types */ +static int set_system_infos(struct gsm_bts_trx *trx) +{ + int i; + + for (i = 0; i < ARRAY_SIZE(bcch_infos); i++) { + rsl_bcch_info(trx, bcch_infos[i].type, + bcch_infos[i].data, + bcch_infos[i].len); + } + rsl_sacch_filling(trx, RSL_SYSTEM_INFO_5, si5, sizeof(si5)); + rsl_sacch_filling(trx, RSL_SYSTEM_INFO_6, si6, sizeof(si6)); + + return 0; +} + +/* + * Patch the various SYSTEM INFORMATION tables to update + * the LAI + */ +static void patch_tables(struct gsm_bts *bts) +{ + u_int8_t arfcn_low = bts->trx[0].arfcn & 0xff; + u_int8_t arfcn_high = (bts->trx[0].arfcn >> 8) & 0x0f; + /* covert the raw packet to the struct */ + struct gsm48_system_information_type_3 *type_3 = + (struct gsm48_system_information_type_3*)&si3; + struct gsm48_system_information_type_4 *type_4 = + (struct gsm48_system_information_type_4*)&si4; + struct gsm48_system_information_type_6 *type_6 = + (struct gsm48_system_information_type_6*)&si6; + struct gsm48_loc_area_id lai; + + gsm0408_generate_lai(&lai, bts->network->country_code, + bts->network->network_code, + bts->location_area_code); + + /* assign the MCC and MNC */ + type_3->lai = lai; + type_4->lai = lai; + type_6->lai = lai; + + /* patch ARFCN into BTS Attributes */ + msg_2[74] &= 0xf0; + msg_2[74] |= arfcn_high; + msg_2[75] = arfcn_low; + nanobts_attr_bts[42] &= 0xf0; + nanobts_attr_bts[42] |= arfcn_high; + nanobts_attr_bts[43] = arfcn_low; + + /* patch ARFCN into TRX Attributes */ + msg_6[7] &= 0xf0; + msg_6[7] |= arfcn_high; + msg_6[8] = arfcn_low; + nanobts_attr_radio[5] &= 0xf0; + nanobts_attr_radio[5] |= arfcn_high; + nanobts_attr_radio[6] = arfcn_low; + + type_4->data[2] &= 0xf0; + type_4->data[2] |= arfcn_high; + type_4->data[3] = arfcn_low; + + /* patch Control Channel Description 10.5.2.11 */ + type_3->control_channel_desc = bts->chan_desc; + + /* patch BSIC */ + msg_2[6] = bts->bsic; + nanobts_attr_bts[sizeof(nanobts_attr_bts)-1] = bts->bsic; +} + + +static void bootstrap_rsl(struct gsm_bts_trx *trx) +{ + fprintf(stdout, "bootstrapping RSL for BTS/TRX (%u/%u) " + "using MCC=%u MNC=%u\n", trx->nr, trx->bts->nr, MCC, MNC); + set_system_infos(trx); +} + +void input_event(int event, enum e1inp_sign_type type, struct gsm_bts_trx *trx) +{ + switch (event) { + case EVT_E1_TEI_UP: + switch (type) { + case E1INP_SIGN_OML: + bootstrap_om(trx->bts); + break; + case E1INP_SIGN_RSL: + bootstrap_rsl(trx); + break; + default: + break; + } + break; + case EVT_E1_TEI_DN: + fprintf(stderr, "Lost some E1 TEI link\n"); + /* FIXME: deal with TEI or L1 link loss */ + break; + default: + break; + } +} + +static int bootstrap_bts(struct gsm_bts *bts) +{ + bts->location_area_code = LAC; + bts->trx[0].arfcn = ARFCN; + + /* Control Channel Description */ + memset(&bts->chan_desc, 0, sizeof(struct gsm48_control_channel_descr)); + bts->chan_desc.att = 1; + bts->chan_desc.ccch_conf = RSL_BCCH_CCCH_CONF_1_C; + bts->chan_desc.bs_pa_mfrms = RSL_BS_PA_MFRMS_5; + bts->chan_desc.t3212 = 0; + + patch_tables(bts); + + paging_init(bts); + + if (bts->type == GSM_BTS_TYPE_BS11) { + struct gsm_bts_trx *trx = &bts->trx[0]; + set_ts_e1link(&trx->ts[0], 0, 1, 0xff); + set_ts_e1link(&trx->ts[1], 0, 2, 1); + set_ts_e1link(&trx->ts[2], 0, 2, 2); + set_ts_e1link(&trx->ts[3], 0, 2, 3); + set_ts_e1link(&trx->ts[4], 0, 3, 0); + set_ts_e1link(&trx->ts[5], 0, 3, 1); + set_ts_e1link(&trx->ts[6], 0, 3, 2); + set_ts_e1link(&trx->ts[7], 0, 3, 3); +#ifdef HAVE_TRX1 + /* TRX 1 */ + trx = &bts->trx[1]; + set_ts_e1link(&trx->ts[0], 0, 1, 0xff); + set_ts_e1link(&trx->ts[1], 0, 2, 1); + set_ts_e1link(&trx->ts[2], 0, 2, 2); + set_ts_e1link(&trx->ts[3], 0, 2, 3); + set_ts_e1link(&trx->ts[4], 0, 3, 0); + set_ts_e1link(&trx->ts[5], 0, 3, 1); + set_ts_e1link(&trx->ts[6], 0, 3, 2); + set_ts_e1link(&trx->ts[7], 0, 3, 3); +#endif + } + + return 0; +} + +static int bootstrap_network(void) +{ + struct gsm_bts *bts; + + /* initialize our data structures */ + gsmnet = gsm_network_init(2, BTS_TYPE, MCC, MNC); + if (!gsmnet) + return -ENOMEM; + + gsmnet->name_long = "OpenBSC"; + gsmnet->name_short = "OpenBSC"; + + bts = &gsmnet->bts[0]; + bootstrap_bts(bts); + + if (db_init(database_name)) { + printf("DB: Failed to init database. Please check the option settings.\n"); + return -1; + } + printf("DB: Database initialized.\n"); + + if (db_prepare()) { + printf("DB: Failed to prepare database.\n"); + return -1; + } + printf("DB: Database prepared.\n"); + + telnet_init(gsmnet, 4242); + + register_signal_handler(SS_NM, nm_sig_cb, NULL); + + /* E1 mISDN input setup */ + if (BTS_TYPE == GSM_BTS_TYPE_BS11) { + gsmnet->num_bts = 1; + return e1_config(bts, cardnr, release_l2); + } else { + /* FIXME: do this dynamic */ + bts->ip_access.site_id = 1801; + bts->ip_access.bts_id = 0; + bts = &gsmnet->bts[1]; + bootstrap_bts(bts); + bts->ip_access.site_id = 1800; + bts->ip_access.bts_id = 0; + return ipaccess_setup(gsmnet); + } +} + +static void create_pcap_file(char *file) +{ + mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH; + int fd = open(file, O_WRONLY|O_TRUNC|O_CREAT, mode); + + if (fd < 0) { + perror("Failed to open file for pcap"); + return; + } + + e1_set_pcap_fd(fd); +} + +static void print_usage() +{ + printf("Usage: bsc_hack\n"); +} + +static void print_help() +{ + printf(" Some useful help...\n"); + printf(" -d option --debug=DRLL:DCC:DMM:DRR:DRSL:DNM enable debugging\n"); + printf(" -s --disable-color\n"); + printf(" -n --network-code number(MNC) \n"); + printf(" -c --country-code number (MCC) \n"); + printf(" -L --location-area-code number (LAC) \n"); + printf(" -f --arfcn number The frequency ARFCN\n"); + printf(" -l --database db-name The database to use\n"); + printf(" -a --authorize-everyone Allow everyone into the network.\n"); + printf(" -r --reject-cause number The reject cause for LOCATION UPDATING REJECT.\n"); + printf(" -p --pcap file The filename of the pcap file\n"); + printf(" -t --bts-type type The BTS type (bs11, nanobts900, nanobts1800)\n"); + printf(" -C --cardnr number For bs11 select E1 card number other than 0\n"); + printf(" -R --release-l2 Releases mISDN layer 2 after exit, to unload driver.\n"); + printf(" -h --help this text\n"); +} + +static void handle_options(int argc, char** argv) +{ + while (1) { + int option_index = 0, c; + static struct option long_options[] = { + {"help", 0, 0, 'h'}, + {"debug", 1, 0, 'd'}, + {"disable-color", 0, 0, 's'}, + {"network-code", 1, 0, 'n'}, + {"country-code", 1, 0, 'c'}, + {"location-area-code", 1, 0, 'L'}, + {"database", 1, 0, 'l'}, + {"authorize-everyone", 0, 0, 'a'}, + {"reject-cause", 1, 0, 'r'}, + {"pcap", 1, 0, 'p'}, + {"arfcn", 1, 0, 'f'}, + {"bts-type", 1, 0, 't'}, + {"cardnr", 1, 0, 'C'}, + {"release-l2", 0, 0, 'R'}, + {"timestamp", 0, 0, 'T'}, + {0, 0, 0, 0} + }; + + c = getopt_long(argc, argv, "hc:n:d:sar:p:f:t:C:RL:l:T", + long_options, &option_index); + if (c == -1) + break; + + switch (c) { + case 'h': + print_usage(); + print_help(); + exit(0); + case 's': + debug_use_color(0); + break; + case 'd': + debug_parse_category_mask(optarg); + break; + case 'n': + MNC = atoi(optarg); + break; + case 'c': + MCC = atoi(optarg); + break; + case 'L': + LAC = atoi(optarg); + break; + case 'f': + ARFCN = atoi(optarg); + break; + case 'l': + database_name = strdup(optarg); + break; + case 'a': + gsm0408_allow_everyone(1); + break; + case 'r': + gsm0408_set_reject_cause(atoi(optarg)); + break; + case 'p': + create_pcap_file(optarg); + break; + case 't': + BTS_TYPE = parse_btstype(optarg); + break; + case 'C': + cardnr = atoi(optarg); + break; + case 'R': + release_l2 = 1; + break; + case 'T': + debug_timestamp(1); + break; + default: + /* ignore */ + break; + } + } +} + +static void signal_handler(int signal) +{ + fprintf(stdout, "signal %u received\n", signal); + + switch (signal) { + case SIGHUP: + case SIGABRT: + shutdown_net(gsmnet); + break; + default: + break; + } +} + +int main(int argc, char **argv) +{ + int rc; + + /* parse options */ + handle_options(argc, argv); + + /* seed the PRNG */ + srand(time(NULL)); + + rc = bootstrap_network(); + if (rc < 0) + exit(1); + + signal(SIGHUP, &signal_handler); + signal(SIGABRT, &signal_handler); + + while (1) { + bsc_select_main(0); + } +} |