\chapter{GSM}
\section{Interfaces}
\label{sec:interfaces}
The following table gives a brief description of the interfaces used inside a GSM network.
The upper part lists the interfaces of the Network Subsystem and the lower part those of the Base Station Subsystem.

\begin{table}[h!]
\centering
\begin{tabular}{lll}
\toprule
Name			&Between					&Function\\
\midrule
$A$				&MSC $\leftrightarrow$ BSS	&BSS management data for Mobility Management\\
				&							&and Call Control\\
$B$				&MSC $\leftrightarrow$ VLR	&MSC receives data about MSs in the current area\\
				&							& and sends data from Location Updates\\
$C$				&MSC $\leftrightarrow$ HLR	&MSC can request routing data during call setup\\
				&							&and send \eg charging information\\
$D$				&HLR $\leftrightarrow$ VLR	&Exchange of location-dependent subscriber data\\
				&							&and updating the HLR (MSRN \etc)\\
$E$				&MSC $\leftrightarrow$ MSC	&Executing a Handover when subscriber changes\\
				&							&to a new MSC\\
$F$				&MSC $\leftrightarrow$ EIR	&Checking white-, grey- and blacklists before\\
				&							&giving access to the network\\
$G$				&VLR $\leftrightarrow$ VLR	&Connects VLR of different MSCs to exchange\\
				&							&subscriber data during a handover\\
\midrule
$A_\text{bis}$	&BSC $\leftrightarrow$ BTS	&BSC receives data from MS via the BTS\\
$U_m$			&BTS $\leftrightarrow$ MS	&Registration procedure, call data \etc as well\\
				&							&as broadcast information about the network\\
				&							&and the base station\\
\bottomrule
\end{tabular}
\caption{Interfaces found in the GSM network.}
\end{table}

\newpage
\section{Channel Combinations}
\label{sec:combinations}
The following table contains the possible combinations of channels inside the different Multiframes.
The respective frame type is also indicated in the lower part of the table.
\begin{table}[h!]
\centering
\begin{tabular}{lccccccccc}
\toprule
					&M1&M2&M3&M4&M5&M6&M7&M8&M9\\
\midrule
TCH/F				&\cellcolor[gray]{0.7}&&&&&&&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}\\
TCH/H				&&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&&&&&&\\
TCH/H				&&&\cellcolor[gray]{0.7}&&&&&&\\
BCCH				&&&&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&&&\\
FCCH				&&&&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&&&&\\
SCH					&&&&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&&&&\\
CCCH				&&&&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&&&\\
SDCCH				&&&&&\cellcolor[gray]{0.7}&&\cellcolor[gray]{0.7}&&\\
SACCH				&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&&\cellcolor[gray]{0.7}&&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}\\
FACCH				&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&\cellcolor[gray]{0.7}&&&&&\cellcolor[gray]{0.7}&\\
\midrule
Multiframe Type		&26&26&26&51&51&51&51&26&26\\
\bottomrule
\end{tabular}
\caption{Possible mappings of channels onto Multiframes.}
\end{table}

\chapter{OsmocomBB}
This chapter contains general information on how to set up and operate the OsmocomBB framework and the Motorola C123.
\section{Installation}
\label{sec:osmo_install}
The environment used for this project was a Thinkpad X220 Tablet running Xubuntu Linux 11.10.
The instructions should also work for other distributions of the Ubuntu family.

\begin{enumerate}
	\item The build tools must be installed on the operating system before the libraries can be compiled.
\begin{verbatim}
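# one command: the trailing backslash continues it on the next line
sudo apt-get install libtool shtool autoconf git-core \
pkg-config make gcc wget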
\end{verbatim}
	\item The GNU Arm cross compiler toolchain needs to be installed so the firmware for the Motorola C123 can be built.
	It is added as a repository to the package \texttt{sources} so it can easily be removed once it is no longer required.
	\begin{verbatim}
# third-party PPA that packages the arm-elf cross toolchain; a PPA is
# maintained by its owner, not by Ubuntu
sudo add-apt-repository ppa:bdrung/bsprak
sudo apt-get update
sudo apt-get install arm-elf-toolchain
	\end{verbatim}
	\item The source code needs to be obtained.
	This can be done either by checking out the latest version of the framework from the developers or by using the code on the CD.
\begin{verbatim}
git clone git://git.osmocom.org/osmocom-bb.git
\end{verbatim}
	\item At the time of writing some firmware targets had build errors; therefore only the firmware for the Calypso board used by the Motorola C123 is compiled.
	This restriction might not be necessary if a newer version of the framework is used.
	In the \texttt{src} directory of the OsmocomBB framework the build process can be started.
	\begin{verbatim}
make BOARDS=compal_e88
	\end{verbatim}
	\item If a new version of OsmocomBB is used, the extra code from this project must be included in the build.
	The three files \texttt{catcher.c}, \texttt{app\_catcher.c} and \texttt{pch\_scan.c} must be moved to \path{osmocom-bb/src/host/layer23/src/misc} and the \texttt{Makefile.am} must be edited to include the new code.
	\begin{verbatim}
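# a continuation backslash must be the last character of its line
bin_PROGRAMS = bcch_scan ... cbch_sniff catcher \
				pch_scan
catcher_LDADD = $(LDADD) -lm
catcher_SOURCES = ../common/main.c app_catcher.c \
	catcher.c ../../../gsmmap/geo.c
pch_scan_SOURCES = ../common/main.c pch_scan.c rslms.c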
	\end{verbatim}
\end{enumerate}

\section{Usage}
\label{sec:osmo_usage}
To use a program written in the framework, the Motorola C123 needs to be flashed with the custom firmware.
This can be done with the \texttt{osmocon} application. 
\begin{verbatim}
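cd src/host/osmocon

# loads the layer1 firmware onto the phone; the firmware path is
# part of the same command (trailing backslash continues the line)
sudo ./osmocon -p /dev/ttyUSB0 -m c123xor \
../../target/firmware/board/compal_e88/layer1.compalram.bin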
\end{verbatim}
Once \texttt{osmocon} is running, any of the applications can be started; they have to be run with root privileges.
\begin{verbatim}
cd ../layer23/src/misc/
# the layer23 applications are started as root while osmocon keeps
# running
sudo ./catcher
\end{verbatim}
The \texttt{pch\_scan} program requires an ARFCN as an input.
For example, to conduct a scan on the PCH of ARFCN 127 one would call:
\begin{verbatim}
sudo ./pch_scan -a 127
\end{verbatim}
\newpage

\section{Serial Cable Schematics}
\label{sec:osmo_serial_schematics}
A T191 unlock cable used to connect the Motorola C123 can either be obtained by ordering it from one of the mentioned stores or by building it from scratch.
The schematics required for building the unlock cable are shown below; they are taken from a GSM blog\footnote{GSM Box Schematics, \url{http://gsmringtonefree.blogspot.de/} [Online; Accessed 05.2012]}, which features images of many more cables for different brands.
\vfill
\begin{figure}[h!]
\includegraphics[width=.9\textwidth]{../Images/t191cable}
\caption{Serial cable schematics.}
\end{figure}
\vfill
\chapter{IMSI Catcher Detection System}
This chapter covers some code-related topics of the ICDS.

\section{Extensions}
\label{sec:extensions}
Rules, evaluators and filters are implemented in a way that allows new modules to be added quickly: derive a new class from the respective base class and instantiate it in the constructor of the controller, so that it is known to the system.
The following example shows how to implement a new rule and add it to the system.
This exemplary process is nearly the same for filters and evaluators.

First, the following base class has to be derived from.\\\\
\hspace*{\dimexpr\fboxsep+\fboxrule}% 
\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule} 
\begin{lstlisting}
class Rule:
    """Base class of a detection rule.

    A subclass overrides check(); the controller reads
    is_active to decide whether to run the rule and
    identifier to name it in the report.
    """
    #only rules with is_active set are run
    is_active = False
    #name under which the rule appears in the report
    identifier = 'Rule'

    def check(self, arfcn, base_station_list):
        """Rule logic, called by the controller.

        arfcn: ARFCN of the base station under evaluation.
        base_station_list: all base stations known so far.
        Returns a RuleResult; the base version always
        reports CRITICAL.
        """
        return RuleResult.CRITICAL
\end{lstlisting}
\end{minipage}\\\\

The new rule class needs to override the check method to do something meaningful.
The identifier should also be set to a proper value.\\\\
\hspace*{\dimexpr\fboxsep+\fboxrule}% 
\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule} 
\begin{lstlisting}
class MyRule(Rule):
    """Example rule: overrides identifier and check()."""
    identifier = 'My own Rule'

    def check(self, arfcn, base_station_list):
        #do some logic here and decide the result
        result = RuleResult.CRITICAL
        return result
\end{lstlisting}
\end{minipage}\\\\
\texttt{arfcn} and \texttt{base\_station\_list} are given to the check method by the controller.
The first parameter is the ARFCN of the base station to which the evaluation will be applied.
The second one is a list of all the base stations with complete information as far as it has been
obtained by the ICDS.
After it has been implemented it can be instantiated and added to the list of active rules in the 
constructor of the controller.\\\\
\hspace*{\dimexpr\fboxsep+\fboxrule}% 
\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule} 
\begin{lstlisting}
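class PyCatcherController:
    ...
    def __init__(self):
        ...
        #create the rule, enable it and register it with
        #the controller's rule set; the same attribute
        #name is used for all three steps
        self.my_rule = MyRule()
        self.my_rule.is_active = True
        self._rules.add(self.my_rule)
        ...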
\end{lstlisting}
\end{minipage}
\newpage
\section{Example Configuration}
\label{sec:example_config}
This example configuration has been used for the evaluation in the Freiburg area.\\\\
\hspace*{\dimexpr\fboxsep+\fboxrule}% 
\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule} 
\begin{lstlisting}
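#Core Configuration -----------------------------------

#Settings for the Motorola C123 .
Device_settings = { 'mobile_device' : '/dev/ttyUSB0',
                    'xor_type' : 'c123xor',
                    'firmware' : 'compal_e88',
                   }

#Location of the osmocom library.
#Adjacent string literals are joined by Python, so the
#path can be wrapped without embedding a newline in it.
Osmocon_lib = ('/home/tom/imsi-catcher-detection/Src/'
               'osmolib/src')

#Generates commands from location and device settings.
#Does normally not have to be edited.
Commands = {'osmocon_command' : [Osmocon_lib + 
    '/host/osmocon/osmocon', 
    '-p', Device_settings['mobile_device'], 
    '-m', Device_settings['xor_type'], 
    Osmocon_lib + '/target/firmware/board/' 
    + Device_settings['firmware']
    + '/layer1.compalram.bin'],
    'scan_command' : [Osmocon_lib 
    + '/host/layer23/src/misc/catcher'],
    'pch_command' : [Osmocon_lib 
    + '/host/layer23/src/misc/pch_scan'],
}

#Rules Configuration ------------------------------------

#A list of providers that should be taken as legitimate.
Provider_list = ['T-Mobile', 'O2', 'Vodafone', 'E-Plus']



#-----------Continues on next page-----------------------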
\end{lstlisting}
\end{minipage}\\\\
\hspace*{\dimexpr\fboxsep+\fboxrule}% 
\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule} 
\begin{lstlisting}
#Country in which each of the given providers operates.
Provider_Country_list = {'T-Mobile': 'Germany',
                         'O2': 'Germany',
                         'Vodafone': 'Germany',
                         'E-Plus': 'Germany'}

#LACs that can be observed in the given area, listed
#per provider.
LAC_mapping = {'T-Mobile': [21014, 21015],
               'O2': [50945],
               'Vodafone': [793],
               'E-Plus': [138, 588]}

#ARFCN intervals, given as (low, high) tuples, that are
#registered to the given providers.
ARFCN_mapping = {
    'T-Mobile': [(13, 49), (81, 102), (122, 124),
                 (587, 611)],
    'O2': [(0, 0), (1000, 1023), (637, 723)],
    'Vodafone': [(1, 12), (50, 80), (103, 121),
                 (725, 751)],
    'E-Plus': [(975, 999), (777, 863)],
}

#Allowed deviation of a base station's LAC from the
#median before an error is raised, as a fraction
#(0 to 1; 0 means no tolerance).
LAC_threshold = 0

#Allowed distance of the rx level, as a fraction, from
#the interval stored in the Location Area Database.
DB_RX_threshold = 0.05

#Allowed change of the rx level, as a fraction, during
#the course of a scan.
CH_RX_threshold = 0.02

#-------------Continues on next page---------------------


\end{lstlisting}
\end{minipage}\\\\
\hspace*{\dimexpr\fboxsep+\fboxrule}% 
\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule} 
\begin{lstlisting}
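#How many Pagings per 10s are required to give an Ok 
#rating
Pagings_per_10s_threshold = 20

#How many hopping assignments are required to give
#an Ok rating
Assignment_limit = 0

#PCH Parameters -----------------------------------------

#How often a failed PCH scan should retry
PCH_retries = 5

#Time the PCH is scanned during Operation in 
#User Mode
USR_timeout = 15

#Evaluator Configuration -------------------------------

#This configuration separates the different groups of
#rules from one another. Each group is a list of rule
#names; a name must not be broken across lines, as that
#leaves the string literal unterminated.

Rule_Groups = [
    ['Provider Check', 'Country Provider Mapping',
     'ARFCN Mapping', 'LAC Mapping', 'Unique CellID'],
    
    ['LAC Median Deviation', 'Neighbourhood Structure',
     'Pure Neighbourhoods',
     'Fully Discovered Neighbourhoods'],
    
    ['Local Area Database','CellID Database'],
    
    ['LAC Change Rule','rx Change Rule'],
    
    ['PCH Scan']
]

#-------------Continues on next page---------------------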
\end{lstlisting}
\end{minipage}\\\\
\hspace*{\dimexpr\fboxsep+\fboxrule}% 
\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule} 
\begin{lstlisting}
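#Database Configuration --------------------------------

#The API key for OpenCellID.
#Can be freely obtained by registering on the web site. 
#NOTE(review): the key is a credential tied to the
#registering account. Keep it out of published copies
#and version control, and replace a key once it has
#been exposed.
Open_Cell_ID_Key = 'd7a5bc3f21b44d4bf93d1ec2b3f83dc4'

#Path to the folder where databases should be saved to or
#loaded from. The ICDS will look in this folder if data-
#bases are available. Adjacent string literals are joined
#by Python, so the wrapped path contains no newline.
Database_path = ('/home/tom/imsi-catcher-detection/Src'
                 '/PyCatcher/Databases/')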
\end{lstlisting}
\end{minipage}

\chapter{System Information}
\label{sec:system_infos}
The following pages contain parsed System Information Messages of type 1--4 for reference~\cite{protocols1999}.
\begin{figure}
\centering
\includegraphics[width=.9\textwidth]{../Images/sysinfo1}
\caption{System Information 1 Message}
\end{figure}
\begin{figure}
\centering
\includegraphics[width=.9\textwidth]{../Images/sysinfo2}
\caption{System Information 2 Message}
\end{figure}
\begin{figure}
\centering
\includegraphics[width=.9\textwidth]{../Images/sysinfo3}
\caption{System Information 3 Message}
\end{figure}
\begin{figure}
\centering
\includegraphics[width=.9\textwidth]{../Images/sysinfo4}
\caption{System Information 4 Message}
\end{figure}
\chapter{Evaluation Data}
\section{Rx and LAC Change Test}
\label{sec:lac_change_test}
The following table contains the two configurations that have been used to test the LAC Change and rx Change Rules.
Config 6 is identical to the configuration used on the base station and thus only triggers the rx Change Rule.
Config 5 has a different LAC from the original base station and was thus used to test the LAC Change Rule.
Additionally the rx Change Rule is also triggered for this configuration.
\begin{table}[h!]
\centering
\begin{tabular}{lll}
\toprule
			&Config 5		&Config 6\\
\midrule
ARFCN		&877			&877\\
ShortName	&23				&23\\
MCC			&262			&262\\
MNC			&23				&23\\
LAC			&666			&4711\\
Cell ID		&1800			&1800\\
Neighbours	&806, 815, 817,	&806, 815, 817, \\
			& 818, 823, 880	&818, 823, 880		\\
\bottomrule
\end{tabular}
\caption{Configurations used for the rx\,/\,LAC Change Rules test.}
\end{table}
\newpage
\section{Database Rules Test}
\label{sec:long_term_test}
The following table contains the two configurations used to test the Database Rules.
Config 6 is the same as before.
It is used to check whether the Local Area Database Rule can find the difference in reception for the replaced base station.
Config 7 features a new CID and is thus used to check if the Cell ID Database Rule is operating correctly.
\begin{table}[h!]
\centering
\begin{tabular}{lll}
\toprule
			&Config 6		&Config 7\\
\midrule
ARFCN		&877			&877\\
ShortName	&23				&23\\
MCC			&262			&262\\
MNC			&23				&23\\
LAC			&4711			&4711\\
Cell ID		&1800			&666\\
Neighbours	&806, 815, 817,	&806, 815, 817, \\
			& 818, 823, 880	&818, 823, 880		\\
\bottomrule
\end{tabular}
\caption{Configurations used for the Database Rules test.}
\end{table}