OpenBTS Network Ramon Torres IIT

GSM Network using OpenBTS

Ramon Torres Gomez

A20314467
5/9/2014

rtorresg@hawk.iit.edu Project Report 1

OpenBTS Network Ramon Torres IIT

Abstract
This paper describes how to create a small cellular GSM network using openBTS
software. This paper will explain what openBTS is and the other necessary elements used
for this project. It will explain the functionality of those elements and how they are
connected. This paper will also explain how to install openBTS and other open-software
programs like asterisk and how to configure them. An architecture of the GSM network
will be explained and compared with the architecture of the openBTS network. It will
also explain some other projects that can be done with openBTS. This paper doesnt
explain in depth Asterisk or other openBTS configurations.

rtorresg@hawk.iit.edu Project Report 2

OpenBTS Network Ramon Torres IIT

Table of Contents

Contents
GSM Network using OpenBTS ............................................................................. 1
Abstract................................................................................................................. 2
Table of Contents.................................................................................................. 3
Introduction ........................................................................................................... 4
GSM...................................................................................................................... 4
OpenBTS7
OpenBTS Network8
Testing ................................................................................................................ 13
Future Projects...13
Conclusions.13
References.14
Appendices.14

rtorresg@hawk.iit.edu Project Report 3

OpenBTS Network Ramon Torres IIT

Introduction
GSM (Global System for Mobile Communications) is a 2G cellular network. It was a
network that provided a good voice service but it didnt include data service. The
network that I am going to build will provide a similar functionality as a 2G network.
Even though the architecture of the openBTS network is very different from the GSM
network architecture will have elements with similar functionalities as the 2G network
elements. From my point of view, the openBTS network architecture has more
similarities with the 4G network because it is IP based.
The goal of this project is to create a small GSM network using open software. What I am
going to do is connecting 2 OpenBTS systems (2 base stations) and be able to call from
one base station to another using cellphones. Cellphones will be able to do mobility
(moving from one base station to another) and handover (while a call is taking place the
cell phone moves to another base station and the new base station has to manage the call).

GSM
An explanation of GSM and how it works will help understand the way my project
works. GSM is a cellular network that provides a voice, SMS service and other additional
services like Emergency calls The GSM goal was to support services similar to PSTN
services and provide a digital air interface.

GSM Architecture

This picture represents a basic concept of the GSM architecture. As you can see the air
interface is composed by BTSs. Each BTS will represent a cell, which is their coverage
area. A group of BTS managed by a BSC represent a location area. Finally BSCs are
managed by a MSC and this element will connect the GSM network to other networks
like the PSTN

rtorresg@hawk.iit.edu Project Report 4

OpenBTS Network Ramon Torres IIT

Figure 1: GSM Architecture

Label all figures .g. Figure 1: <caption>

This picture represents a more detailed architecture of a GSM network. Besides ME, BTS
BSC and MSC it include the registers that the network requires: HLR, VLR, EIR and
AuC. As we can see the BTS and the BSC represent the Base Station System (BSS) and
the MSC and the registers represent the Core Network.
Figure 2: Detailed GSM Architecture

rtorresg@hawk.iit.edu Project Report 5

OpenBTS Network Ramon Torres IIT

GSM Elements

MS (Mobile System)
It is composed by the Mobile Equipment (ME) and the SIM card. There are some
important terms related to the mobile system that we need to know: IMEI, MSISDN,
IMSI and TMSI.
The IMEI (International Mobile Equipment Identity) is a number used to identify the
mobile equipment (ME), the terminal itself.
The MSISDN (Mobile Suscriber ISDN) is the MS phone number.
IMSI (International Mobile Suscriber Identity) is a number assigned to each MS by the
network so the network can identify all the MS.
TMSI (Temporary Mobile Suscriber Identity) has the same functionality as the IMSI but
TMSI is a temporal number that is changed periodically.

BTS (Base Station)

The BTS contains the radio components that provide the RF air interface. Its functions
are channel coding and decoding, rate adaptation, encryption, paging and uplink signal
measurement.

BSC (Base Station Controller)

The BSC controls groups of BTS and manages the radio channels. It manages control
messages from and to the MS. It also does encryption, paging, traffic measurement,
authentication, location update and manages handover.

MSC (Mobile Switching Center)

Is the telephone switching office for MS. Provides a service to mobiles located within a
certain geographic coverage area. It is the interface to the BSS and to the PSTN. Controls
call set up, routing procedures, collects billing data, compiles traffic statistics and
controls the location registration and handover procedure.

HLR (Home Location Register)

Is a register that contains data subscribers data. It contains the IMSI of each MS,
authentication parameters, services that each MS is subscribed to and special routing
information. It also contains the current subscriber status, temporary roaming number and
the associated VLR.

AuC (Authentication Center)

This entity works together with the HLR to perform MS authentication. It handles all the
security associated with subscribers.

VLR (Visited Location Register)

This register has a function similar to HLR. It is a problem that the cellphone has to send
his IMSI every time it has to authenticate, so the network will assign to the MS a
temporary ID called TMSI. The TMSI is stored in the VLR. VLR controls MSRN
(Mobile Station Roaming Numbers) and handover when it is produced in the same MSC.
Typically there is one VLR per MSC.

rtorresg@hawk.iit.edu Project Report 6

OpenBTS Network Ramon Torres IIT

EIR (Equipment Identity Register)

It consists on a centralized database for validating the IMEI. EIR contains lists of IMEIs
and classifies them in three ways: White List when IMEIs are valid, Black List when
IMEIS are invalid (stolen) or Grey List when IMEI are suspicious or have problems.

OpenBTS

What is openBTS?

OpenBTS (Open Based Transceiver Station) is a software based GSM access point
allowing standard GSM-compatible mobile phones to be used as SIP endpoints in Voice
over IP (VOIP) networks. It has the same functionality as the BTS of a GSM Network.

OpenBTS Architecture

To understand how openBTS works we first have to have a look at the layers architecture
of GSM
Figure 3: Protocol Layers of GSM

We can see that BTS has 3 layers: TDMA, LAPDm and RR. It also has a layer 0 that
would be the physical layer (Radio Interface).
Layer 1 is TDMA (Time Division Multiplexing Access). TDMA is the procedure where
each physical channel (frequency) is divided into time-slots so users can share a
frequency using different time slots to communicate.
Layer 2 is LAPDm (Link Access Procedure on Dm Channel) which is a GSM version of
LAPD from ISDN.
Layer 3 is RR (Radio Resource) and manages the allocation, configuration and
connection of radio channels.
OpenBTS contains those 3 layers and for the physical layer (layer 0) we have to connect
a USRP to the OpenBTS. OpenBTS doesnt have any connection with BSC and MSC.

rtorresg@hawk.iit.edu Project Report 7

OpenBTS Network Ramon Torres IIT

OpenBTS Network

With an OpenBTS system we can connect cellphones to the network and make calls
between them but, how can we connect two openBTS systems and simulate a real GSM
network with all its components? How can we do mobility and handover? We need to
add elements that provide the functionality of a BSC, MSC and the core registers.

I found out 2 ways of creating this network. The first that I saw consisted on using
openBSC open-software. The second way came up on April 2014, when the OpenBTS
project launched OpenBTS version 4.0. This version allows you to connect two or more
OpenBTS systems using Asterisk and experience mobility and handover. With version
2.8 you can do mobility but not handover.

Using OpenBSC

OpenBSC is the name of a software that emulates the BSC element of a GSM network. It
has been developed by Osmocom, which is not the same company that developed
OpenBTS. Connecting this element to OpenBTS will help emulate a real network.
Osmocom OpenBSC was designed to be connected to commercial BTSs and the idea is
to connect it to OpenBTS.
The problem of this method is that OpenBTS and OpenBSC are developed by different
companies so they are not compatible with each other and I will need to modify the
source code.
Figure 4: Protocol Layers for Open-source Network

As you can see in the picture we will need to combine openBTS with other BTS software
from Osmocom. The USRP will be at layer 0 and it will be connected to OpenBTS and to
OsmoUSRP at layer 1. OpenBTS will be located at layer 1 and 2 because the layer 3
functionality will be managed by OsmoBTS. OsmoBTS will be connected to OpenBSC
with any kind of problem because they were developed to work together.

rtorresg@hawk.iit.edu Project Report 8

OpenBTS Network Ramon Torres IIT

Figure 5: Physical architecture 1

Using Asterisk
With OpenBTS version 2.8 you can connect 2 OpenBTS systems using Asterisk. This
version allows you to make calls from different base stations and do mobility but not
handover. On April was released version 4.0 and with this version is possible to do
handover.
The architecture will be very simple. Asterisk will have the functionality of a BSC and
some of the registers like the HLR and the AuC. Asterisk will route the calls from one
base station to another and will transfer the call if the handover is produced.
Figure 6: Logical architecture:

Figure 7: Physical architecture 2

rtorresg@hawk.iit.edu Project Report 9

OpenBTS Network Ramon Torres IIT

This is the provisional physical architecture of my project, still can be changes in the
second BTS. What we have now is Server 1 with openBTS and Asterisk installed and a
USRP. The second BTS can be built as it is described in the Server 2 or we can substitute
the Server 2 and the USRP with a RangeNetworks OpenBTS.
Figure 8: Physical Architecture 3

Testing
We can test USRP air interface in some different ways
The first one is getting a Linux OS and install AirProbe. This program contains 3 main
subprojects: acquisition, demodulation and analysis.
Acquisition is responsible of receiving and digitalizing the air interface.
Demodulation module will translate the signal processed by acquisition into bits.
Analysis contains all the protocol parsing and decoding capabilities. We can use
wireshark to analyze the traces.

rtorresg@hawk.iit.edu Project Report 10

OpenBTS Network Ramon Torres IIT

Here we can see some examples of ladder diagrams about signaling between a cellphone
and a base station:
Figure 8: Cell-phone authentication and TMSI allocation

Figure 9: Call origin Figure 10: SMS sent

rtorresg@hawk.iit.edu Project Report 11

OpenBTS Network Ramon Torres IIT

Figure 11: SMS received

This is how the ladder diagram looks, now we are going to have a look on how are the
traces of some messages sent:
Figure 12: MM location updating request, at figure 8

rtorresg@hawk.iit.edu Project Report 12

OpenBTS Network Ramon Torres IIT

Figure 13: RR paging request, at figure 11

Future Projects

Besides creating a small network we can also connect a OpenBTS system to NG911. For
this purpose we can use Asterisk to route the calls from a cellphone to NG911 and we can
test the SIP messages using Wireshark. It would be interesting to compare the messages
from the cellphone using Airprobe and see the translation to SIP observing traces
captured by Wireshark. We will have to create an extension in Asterisk so every time a
cell phone dials that extension the call is routed to NG911.

Conclusions
This semester I have been finding out the ways of doing this project and I think that I will
do it with Asterisk and using OpenBTS version 4.0. The other way to do this (Figure 5
Physical Architecture 1) is too complex because you need to modify the source code and
make OpenBTS and OpenBSC compatible and I think that is no longer necessary to use
OpenBSC having OpenBTS version 4.0.
Most of the information for doing this project is taken from the OpenBTS manual so I
think this project will be ready for July 25th.

rtorresg@hawk.iit.edu Project Report 13

 OpenBTS Network Ramon Torres IIT

References
http://openbsc.osmocom.org/trac/wiki/OpenBSC
http://wush.net/trac/rangepublic/wiki/WikiStart#HowdoIgetstarted
http://scholar.lib.vt.edu/theses/available/etd-05082012-
141540/unrestricted/Cooper_TA_T_2012.pdf
GSM information taken from course ITMO 542: Wireless Communications
http://www.wu.ece.ufl.edu/projects/wirelessVideo/project/GNU_Radio_USRP/how_to_te
st_USRP.html
http://ntnu.diva-portal.org/smash/get/diva2:355716/FULLTEXT01.pdf

Appendices
OpenBTS Installation
In a Ubuntu OS, introduce the following commands
This is for get the last version:

svn co http://wush.net/svn/range/software/public

The following command is for getting the necessary libraries

sudo apt-get install autoconf libtool libosip2-dev libortp-dev

libusb-1.0-0-dev g++ sqlite3 libsqlite3-dev erlang libreadline6-
dev libncurses5-dev

OpenBTS should, in principle, build and run on any Unix-like operating system,
including 64-bit. However, in practice, most of our development is done on Ubuntu
10 or 12.04 LTS systems, so these are best-supported.

Range Networks RAD1

Building for Range equipment is easiest, as it has no external dependencies. Just run
the following commands:

cd openbts/trunk

autoreconf -i

./configure

rtorresg@hawk.iit.edu Project Report 14

 OpenBTS Network Ramon Torres IIT

make

With the build resolved, you'll need to build and link the transceiver appropriate for
your hardware. For a Range Networks basestation unit these links are

(from OpenBTS root)

cd apps

make

ln -s ../TransceiverRAD1/transceiver .

ln -s ../TransceiverRAD1/ezusb.ihx .

ln -s ../TransceiverRAD1/fpga.rbf .

Building OpenBTS

OpenBTS should, in principle, build and run on any Unix-like operating system,
including 64-bit. However, in practice, most of our development is done on Ubuntu
10 or 12.04 LTS systems, so these are best-supported.

Range Networks RAD1

Building for Range equipment is easiest, as it has no external dependencies. Just run
the following commands:

cd openbts/trunk

autoreconf -i

./configure

make

With the build resolved, you'll need to build and link the transceiver appropriate for
your hardware. For a Range Networks basestation unit these links are

(from OpenBTS root)

rtorresg@hawk.iit.edu Project Report 15

OpenBTS Network Ramon Torres IIT

cd apps

make

ln -s ../TransceiverRAD1/transceiver .

ln -s ../TransceiverRAD1/ezusb.ihx .

ln -s ../TransceiverRAD1/fpga.rbf .

rtorresg@hawk.iit.edu Project Report 16