You are on page 1of 44

Contents 1 Introduction to OpenBTS: 4 1.1 What is a Base Transceiver Station: 4 2 overall architecture and implementation plan of the OpenBTS.

6 2.1 Typical upstream data flow in the GSM air interface of the OpenBTS: 6 2.2 Typical downstream data flow in the GSM air interface of the OpenBTS : 3 Coding: Use of Objects, Threads and C++ 7 3.1 Threads 7 3.2 Namespaces 8 3.3 Optimization 8 3.4 Testing and Consistency Checking 8 3.5 C++ Tools 8 3.6 Wrappers 8 3.7 Vector Classes9 3.8 Interthead Classes 9 3.9 Important C++ Object Hierarchies 9 3.10 Data Transfer Object Classes 9 3.11 Logical Channel Structure and Subclasses 10 4 Time Domain Mutliplexing (TDM) Sublayer11 5 Software Transceiver 11 6 Global GSM Object 12 6.1 Global Configuration Information 12 6.2 LCH Creation, Allocation and Deallocation 12 7 Use of SIP and Asterisk 13 8 OpenBts Modules-Files: 13 8.1 AsteriskConfig 13 8.2 CommonLib 13 8.3 Control 13 8.3.1 Introduction 13 8.3.2 CallControl.cpp: 14 8.3.3 DCCHDispatch.cpp 20 8.3.4 MobilityManagement.cpp 21 8.3.5 SMSControl.cpp 21 8.3.6 ControlCommon.cpp: 22 8.3.7 ControlCommon.h: 22 8.4 GSM 23 8.4.1 Introduction: 23 8.4.2 GSM layer 3: 23 8.4.2.2.2 L3 MM messages 27 8.4.3 GSM layer 2: 31 8.4.4 LAYER 1 : 32 8.5 SIP 34 8.6 SMS 34 8.7 TRXManager 34 8.8 Transceiver 34 8.9 apps 34 8.9.1 OpenBTS.config 34 8.9.2 OpenBTS.cpp 34 8.10 doc 34 8.11 tests 34 8.12 Smqueue 34

8.13 CLI 35 8.13.1 What is the function of the command line interpreter? 8.13.2 Some of the supported commands in OpenBTS: 35 8.14 HLR 36 8.14.1 What is a home location register ? 36 8.14.2 HLR in Open BTS : 36 9 Compiling and running OpenBTS: 38 9.1 Hardware used: 38 9.2 Software used:38 9.3 Important notes before GNU radio setup 38 9.3.1 GNU radio dependencies: 38 9.3.2 Other useful packages 39 9.4 GNU radio setup 39 9.5 Testing the WBX 42 9.6 Compiling and running openbts 42 Tables: Table 1-L3 RR messages 24 Table 2- L3 RR messages (cont.) 25 Table 3-L3 MM messages 27 Table 4-L3 CC messages 29 Table 5-some of the supported commands in OpenBTS Figures: Figure 1-MOC sequence diagram for L3 messages 16 Figure 2-MOC sequence diagram 17 Figure 3-MTC sequence diagram for L3 messages 19 Figure 4-MTC sequence diagram 19 Figure 5-successful result for GNU radio configuration

35

35

41

List of abbreviations:
RR MM CC BTS CLI HLR MOC MTC Radio Resource Mobility Management Call Control Base Transceiver Station Command Line Interpreter Home Location Register Mobile Originated Call Mobile Terminated Call

Software Architecture of the OpenBTS

1 Introduction to OpenBTS
OpenBTS is an open-source Unix application that uses the Universal Software Radio Peripheral (USRP) to present a GSM air interface ("Um") to standard GSM handset and uses the Asterisk software PBX to connect calls. The combination of the ubiquitous GSM air interface with VoIP backhaul could form the basis of a new type of cellular network that could be deployed and operated at substantially lower cost than existing technologies in green fields in the developing world [1] In plain language, we are working on a new kind of cellular network that can be installed and operated at about 1/10 the cost of current technologies, but that will still be compatible with most of the handsets that are already in the market. This technology can also be used in private network applications (wireless PBX, rapid deployment, etc. ) at much lower cost and complexity than conventional cellular[1] . Telecom industry is one of the rapidly growing industries all over the world. The entrance of opensource team into the telecom industry made a revolutionized change in the industry. Asterisk was a typical example for it which was a featured PBX for home users, enterprises, VoIP service providers and telecoms in such a low cost that anyone even imagined. Asterisk is both an Open Source Community and a commercial product from Digium[1] . Now again another open source coming which allows standard GSM-compatible mobile phones to make telephone calls without using existing telecommunication providers networks. ie we can build up our own network just like vodafone, airtel or any. The project was started by HarvindSamra and David A. Burgess and named it as OpenBTS. . OpenBTS is notable for being the first free software implementation of the industry-standard GSM protocol stack[1] .

1.1 What is a Base Transceiver Station:


A normal GSM network working is as follows. The end point of the system will be BTS (Base Transceiver Station) which send radio frequency signal to and from mobile devices or a modem. The BTS comes under BSC(Base station Controller) with makes the communication between there radio signals with MSC/VLR. The MSC/VLR is responsible to authenticate the user against the database (HLR Home Location Register, AuC -Authentication Center), call setup and call routing. A typical GSM network diagram is shown below[1] .

The OpenBTS replaces the entire setup with USRP(Universal Software Radio Peripheral), and a computer as hardware. USRP to receive and transmit the GSM signaling(GNURadio is the driver software for this),OpenBTS package play the role of MSC/VLR and Asterisk software PBX will be used to connect calls. The below diagram shows a typical OpenBTS network[1] .

Potential applications include: rural/village telephony and text messaging cellular coverage in remote areas (e. g. ships, oil rigs) law enforcement and security operations rapidly deployable emergency communications network emulation and handset testing.

2 overall architecture and implementation plan of the OpenBTS. [1]


The general shape of the OpenBTS is a collection of parallel logical channels, defined in GSM04. 03. Each channel, in turn, is built from layers that roughly follow the OSI standard model. (We say roughly because GSM predates the OSI model. )GSM 04. 01 Section 7 gives an initial overview of these layers. As per GSM 04.01 Section 7. 3, the layers of the air interface Um are: L1, PHYSICAL LAYER, the radio modem, time-division multipexing, and error-correcting coding, GSM 04. 04 and GSM 05.xx series L2, DATA LINK LAYER, link layer addressing, segmentation and retransmission (LAPDm), GSM 04. 05 and 04.06, ITU-T Q. 921. L3, L3, signaling and connection management, GSM 04. 07, 04.08, 04.10, 04.11, 04.12 and ITU-T Q. 931. When describing these layers we will refer to the low side of the layer as the side the interfaces closer to the hardware and the high side as the side that interfaces to higher-level functions. In a BTS, the low-to-high direction is uplink and the high-to-low direction is downlink. In the MS, those labels are reversed.

2.1

Typical upstream data flow in the GSM air interface of the OpenBTS:

1. Radio bursts arrive at the USRP and are digitized. The resulting samples are transferred to the transceiver software in the host CPU in time-tagged USB packets, using the standard USRP interface. 2. The transceiver syncs the USRP timetags with the GSM master clock, isolates each radio burst and demodulates it into a vector of symbol likelihoods (soft symbols). The modulation format is defined in GSM 05. 04 and the burst formats are described in GSM 05. 02 Section 5. 2. 3. The soft symbol vector for each radio burst is timetagged with the GSM frame clock and transferred to the GSM stack via a datagram interface. 4. In the GSM stack, the TDM sublayer (of L1) demultiplexes each bust according to its timetag and sends it to the appropriate logical channel. 5. The logical channel passes each burst into its L1 FEC processor according to the rules of GSM 05. 02. 6. The L1 FEC processor performs the FEC decoding described in GSM 05. 03. The output is a sequence of L2 frames taken by the logical channel and sent up to an L2 processor. 7. The L2 processor runs the LAPDm state machine that performs acknowledgments, retransmissions and segmentation. This state machine is defined implicitly in GMS 04. 06 and given explicitly in ITU-T Q. 921. When an incoming L3 frame has been verified and assembled, it is placed into a queue for consumption by L3. In the course of operation, LAPDm also injects L2 frames into the downstream flow for acknowledgment and retransmission requests.

8. In L3, a dispatch function determines the message protocol and type and calls the appropriate control function to deserialize the message and act on its content, generally producing an L3 response on the downlink. These control functions also interact with the outside world via SIP and other protocols.

2.2 Typical downstream data flow in the GSM air interface of the OpenBTS :
1. In L3, a control function generates an L3 message, serializes the message into an L3 frame and sends it into the logical channel, which in turn passes it down to L2. 2. The L2 processor breaks the L2 frame into segments, wraps each segment in an L2 frame. Each L2 frame is sent down to L1 according to the LAPDm state machine of GSM 04. 06 and ITU-T Q. 921.LAPDm may also generate additional L2 frames on its own according to its acknowledgment and retransmission rules. 3. The L1 FEC processor encodes each L2 frame according to the rules of GSM 05. 03, generating four outgoing radio bursts. Each radio burst is timetagged with its intended transmission time according to the TDM rules of GSM 05. 02. These bursts are passed on to the TDM interface. 4. The downstream TDM sublayer is just a mutex-controlled socket interface where the radio bursts from L1 are reformatted into messages on the transceivers datagram interface. 5. Upon arriving in the transceiver, the outgoing radio bursts are sorted into a priority queue according to transmission time. Bursts are pulled from the queue as they become ready for transmission and the modulated according to GSM 05. 04. The modulated waveform samples are sent to the USRP over the standard timetagged USB interface. If no burst is ready for transmission at a given time the transceiver generates an appropriate filling sequence. 6. In the USRP the samples are converted to an analog waveform for transmission over the radio channel.

3 Coding: Use of Objects, Threads and C++


The OpenBTS software is written in C++ and should be portable to any 32-bit Unix system. Initial supported platforms will be Fedora and Darwin, but there is no reason for the resulting system not to be portable to other Unix variants. In the interest of simplicity, compactness and efficiency, limit our use of allocated memory, multiple inheritance, templates and standard library container to the greatest degree practical.

3.1 Threads
The implementation of the OpenBTS makes use of the POSIX thread library, pthreads. For those unfamiliar with threads or who have an aversion to them, this may seem frightening and strange, but the effect of this approach is to greatly simplify the code in each layer of the BTS. You can have N threads each with K states or one thread with KN states. We choose the former. The price of threads is discipline in the use of synchronized interthread communication. Do use mutexes. Do not just use volatiles. The general rule is that single-state transformational operations are performed with direct calls while multi-state machines, especially those with internal timeout behaviors, have their own threads

and accept their inputs over FIFOs. The threads and FIFOs may be hidden inside the state machine objects. This approach allows the state machines to be decoupled, greatly simplifying the code.

3.2 Namespaces
The OpenBTS will use the following namespaces: GSM The GSM L1-L2 stack and L3 messages. SIP The SIP stack. Control The GSM/SIP hybrid control layer. SMS used to add the SMS function SMqueue Commandline a name space for the command line interface

3.3 Optimization
From prior experience with several software radio systems, we expect that the bulk of the computational load in the OpenBTS will be in the software transceiver and L1 FEC decoding. Thats because L2 frames arrive at a maximum rate of about 50 Hz while radio burst are transacted at about 200 Hz and GSM channel symbols must be processed at 271 kHz. For the rural telecom application, optimization of beacon generation and RACH detection is also important since the BTS is expected to sit largely idle most of the time. Theres not a lot of point in optimizing most of the rest of the code for speed. Instead, the rest of the system should be optimized for space to minimize cache misses in the computationally intensive code.

3.4 Testing and Consistency Checking


The full BTS will be a complex system that will be nearly impossible to debug if the individual components are not tested in isolation prior to integration. 2 To enforce good testing practices, we recommend the following: Use assert() calls liberally to insure internal consistency. Do not continue once an unresolvable error condition is identified. Build unit test fixtures for every component in the system. Do not check in code that does not pass the unit tests. It would be especially nice if someone could automate this testing process. If you know theres a potential problem in a piece of code, use a FIXME comment. If you leave something undone, use a TODO comment. Use the bug tracking system. Thats why its there.

3.5 C++ Tools


Part of what will let us build an efficient BTS quickly is careful choice of underlying tools.

3.6 Wrappers
The project uses a set of simple wrapper classes that give object-oriented interfaces for some pthreads and stdlib mechanisms. These include wrappers for threads, signals, recursive mutexes, and C time-of-day facilities. These wrappers simplify the use of these facilities by including standard allocation and initialization steps that are common across the application.

3.7 Vector Classes


The Vector template is a fixed size array that offers simple pointer-based access. The key feature of the Vector subclass is the ability to create aliases, where multiple Vector objects share the same physical block of memory. These aliases can also have different offsets into the common block, forming subvectors. The underlying mechanism is a C array. The SoftVector is used to represent symbol likelihood vectors used in soft input and soft output Viterbi coders and decoders. The BitVector is a Vector class for serialization and deserialization of packed bitfields. The SignalVector and ComplexVector are are numeric classes used in the GMSK modem.

3.8 Interthead Classes


Most interthread communication is mediated through special container classes with built-in synchronization controls. The InterthreadQueue class is a thread-safe pointer FIFO that supports non-blocking writes, nonblocking reads and blocking reads with a timeout. The underlying mechanism is a singly-linked list with head and tail pointers having no maximum size. The normal use of the InterthreadQueue is to allocate an object and then put the pointer into the queue. The reader is responsible for deleting the pointer. For fixed-size objects used in this manner, a special-purpose allocator can reduce overhead. The InterthreadMap class is a thread-safe associative array that includes a blocking read that waits for the arrival of a specified key. The underlying mechanism is std::map.

3.9 Important C++ Object Hierarchies


The OpenBTS will use C++ object classes and inheritance. There are a few object hierarchies of particular interest: Layer Processor Classes. These objects implement the layers L1-L3 of the air interface. Data Transfer Classes. These are the objects that are used for interlayer communication. Most are BitVector subclasses. Logical Channel Classes. These objects define the L1-L2 logical channels between the MS and the BTS control functions. L3 Message and Element Classes. These are used to serialize and deserialize the messages of GSM 04. 08.

3.10 Data Transfer Object Classes


The interlayer communication uses these object classes: RadioBurst. Carries a radio burst of GSM 05. 02 Section 5. 2 along with timestamp. TxBurst. Used for downlink radio bursts to be transmitted. Carries hard-valued channel bits and transmit power level relative to full scale on the given ARFCN. The timestamp indicates the intended transmission time. RxBurst. Used for received uplink radio bursts. Carries soft-value channel bit estimates, RSSI, and receive timing error. The timestamp indicates the arrival time of the burst.

L2Frame. Carries an L1-L2 interlayer primitive. Optionally carries a data link layer frame as described in GSM 04. 06 Section 2 and a restriction on the placement of the data in the TDM structure. L3Frame. Carries an L2-L3 interlayer primitive. Optionally carries the serialized bits of a single, complete L3 message from GSM 04. 08 Section 9.

3.11 Logical Channel Structure and Subclasses


Following the OSI model, each logical channel is processed in three layers: L1, L2, L3. Each layer is represented by an object (a layer processor) that has read and write methods on its high and low sides. These objects are persistent over the life of the application. In the normal course of the OpenBTS application, the destructors for these classes should never be invoked. The layer processor classes are: L1FECEncoder. Accepts L2Frame objects, encodes them into TxBurst objects. Algorithms defined in GSM 05. 03. L1FECDecoder. Accepts RxBursts from the TDM sublayer and processes them into L2Frame objects. Algorithms defined in GSM 05. 03. L1FEC. A container for a channels L1FECEncoder and L1FECDecoder. L2LAPDm. The L2LAPDm transacts L2Frame objects with L1 and L3Frame objects with L3. Implements the LAPDm state machine as described in GSM 04.06 and ITU-T Q. 921. L3StateMachine. The L3StateMachine transacts L3Frame objects with L2. Implements the protocols of GSM 04. 08 and also interfaces with SIP entities. BCH (broadcast channels) SCH FCCH BCCH NDCCH (non-dedicated control channels) CCCH (downlink unicast) RACH (uplink shared) DCCH (dedicated control channels, Dm) SDCCH SACCH FACCHF (full rate) TCHF (full rate speech, GSM 06. 10, Bm). Many traffic channel classes are ignored here, as are half-rate channels. They are not a priority in a first release.

4 Time Domain Mutliplexing (TDM) Sublayer


The TDM sublayer forms the interface between the physical channels on the transceiver interface and the logical channels in the higher layers. It implements the rules of GSM 05. 02. All LCHs on an ARFCN share a common TDM sublayer. In the uplink side, the TDM sublayer accepts all of the RxBurst objects from a single ARFCN and demultiplexes them according to their frame count timestamps into a table of LogicalChannel objects. In the downlink side, the multiplexing layer is a pass-through to the transceiver interface, but with mutex controls and serialization.

5 Software Transceiver
The software transceiver includes the subband tuner, GMSK modems and the master GSM symbol clock for the air interface. Its low side interface transfers raw baseband samples to and from the USRP. Its high side interface transfers RxBurst and TxBurst objects to and from the GSM stack and transacts control commands and clock values. To compensate for latency in the stack and interface, the GSM frame clock value reported to the GSM stack is advanced slightly. The timing reference for the GSM symbol clock is the sample clock in the USRP, as is standard in most software radio designs. For the uplink, the software transceiver has information about which timeslots and frame positions carry active channels and it demodulates only those active parts of the signal. It timestamps each TxBurst according to the frame clock value when the burst arrived. For the downlink, the timestamp on anTxBurst indicates the time at which a radio burst is to be transmitted. If a downlink radio burst is not available for transmission when the GSM clock reaches a given value, the transceiver generates an appropriate filler pattern based on the clock value. TxBursts can be sent over this interface out of order, with the transceiver interface sorting them prior to transmission. If the TxBursts indicated time has passed, the burst is discarded and the clock advance value is adjusted to prevent further late bursts. This adjustment is in one direction and quickly settles to an appropriate value for the system. Because the software transceiver links with the GPLd USRP driver, it is compiled as a separate application and communicates with the rest of the GSM stack over a UDP interface. Expressed in terms of a base port, B, the UDP ports used for the transceiver interface are: master clock interface on port B control interface for ARFCN N on port B + 2N + 1 data interface for ARFCN N on port B + 2N + 2 The protocol on the master clock interface has a single message that periodically indicates the current value of the BTS master clock, with an additional advance to compensate for latency. This message is an unacknowledged indication from the transceiver to the GSM stack. These are human-readable ASCII messages sent once per superframe and whenever the clock advance value is adjusted.

The protocol on the per-ARFCN control interface has commands for power control, tuning and configuration of the channel combination on each slot. Each command has a corresponding response for integrity on the UDP link. The are human-readable ASCII messages. The protocol on the per-ARFCN data interface uses binary messages to convey RxBurst and TxBurst objects with one burst per UDP packet to minimize latency. There are no acknowledgments on this interface because there is no point in retransmitting packets in a lowlatency realtime link. Eventually, we will replace to USRP driver with non-GPL code and replace this socket protocol with a direct method interface just like the interface on every other layer and sublayer object in the system.

6 Global GSM Object


There is a single global object of the class GSM::Configuration, called gBTS, that acts as a collection point for the complete state and configuration of the access points GSM stack. This object is created during initialization and never destroyed.

6.1 Global Configuration Information


The global object gBTS keeps all of the BTS configuration parameters and state for the cell, including ARFCN set, cell ID, LAC, etc. This information is used to fill system information messages on the BCCH and SACCH and is readily available to the control layer.

6.2 LCH Creation, Allocation and Deallocation


The gBTS object tracks all of the existing LogicalChannel objects in the system in an allocation pool. The allocator includes methods to create new LogicalChannel objects and add them to the pool as the BTSs channel combinations are configured on start-up. Once created, these LogicalChannel objects are persistent over the life of the application. When a control layer function determines that it needs a new logical channel for a transaction, it invokes the channel allocator to find an available LogicalChannel object of the proper type in the pool. Channel availability is defined by a set of Z. 100-type timers in L1: T3101, T3107, T3109 and T3111, described in GSM 04. 08 Section 11. 1. 2. If any timer is expired, the channel is available. Once identified, the channel is opened, reseting the channel state and starting T3101 or T3107. This timer change moves the channel to the non-available state. The channel is then given to the calling control layer function for use in a transaction. Normally, at the end of the transaction the channel is closed from above with a release primitive that passes down to L1, starting T3111. Once T3111 expires, the channel becomes available for reuse. In an abnormal release (a dropped connection), one of the other timers will expire instead. T3107 or T3101 will expire if the MS fails to pick up an assigned channel at the start of a transaction. T3109 will expire if the uplink signal is lost during a transaction. Any any case, one of the timers will expire, moving the channel to the available state. It should be stressed that this mechanism does not create or destroy LogicalChannel objects. It manages a pool of long-lived objects that are recycled for different transactions, just like the radio channels themselves.

7 Use of SIP and Asterisk


One of the keys to simplifying the OpenBTS is to push as much of the control layer as possible into the Asterisk PBX. To that end, we will use Asterisk for nearly all call control functions and as an integral part of mobility management. The simplest way to do this in a first release is to use subscriber IMSIs as SIP user names and to present each GSM handset to Asterisk as a SIP client. The OpenBTS control layer (L3) largely exists to perform mapping operations: GSM location updates get mapped to SIP registrations. Call connection transactions get mapped to corresponding SIP transactions. Since GSM call control is very similar to H. 323 and ISDN/Q. 931 call control, theres very little that is mysterious or novel about this mapping. GSM traffic channels get mapped to RTP channels. Again, the mapping is obvious and the only tricky piece of engineering is latency control. Only radio resource operations are fully terminated in the OpenBTS itself, with the RR control layer providing the functional equivalent of a BSC. Everything else maps to SIP and eventually terminates in Asterisk, with the Asterisk network providing the functional equivalent of an MSC. This is network in a box with Asterisk replacing the SS7 parts.

8 OpenBts Modules-Files:
8.1 AsteriskConfig
Asterisk configuration files for use with OpenBTS.

8.2 CommonLib
Common-use libraries, mostly C++ wrappers for basic facilities.

8.3 Control
8.3.1 Introduction Control functions carry out the various procedures described in GSM 04. 08 Sections 3-5. These functions are called in L3. access grant (GSM 04. 08 Section 3. 3. 1) paging (GSM 04. 08 Section 3. 3. 2) location updating (GSM 04. 08 Section 4. 4) mobile-terminated call setup (GSM 04. 08 Section 5. 2. 1) mobile-originated call setup (GSM 04. 08 Section 5. 2. 2) mobile-terminated call disconnect (GSM 04. 08 Section 5. 4. 4) mobile-originated call disconnect (GSM 04. 08 Section 5. 4. 3) E-MOC -- Emergency Mobile Originated Connect (mobile calling out) This is the minimum transaction set to support telephony. These transactions are run by these toplevel control functions:

AccessGrantor sends out SDCCH Immediate Assignments on the CCCH. It is invoked from the RACH dispatcher and returns when the assignment has been delivered. Its arguments are the tag and timestamp of a RACH Channel Request message. Pager sends out paging messages. It is invoked from the SIP stack whenever an INVITE message arrives and returns when the subscriber IMSI has been enqueued for paging on the CCCH. Its argument is a reference to an IMSI. LocationUpdater runs the registration transaction of GSM 04. 08 Section 4. 4. It is invoked by the SDCCH dispatcher when a Location Updating Request is received and returns when the transaction is complete. Its argument is a reference to an SDCCH LogicalChannel where the transaction is carried out. MTCConnector starts a mobile terminated call and returns when the call is cleared. It is invoked by the SDCCH dispatcher when a Paging Response is received. It continues the SIP transaction started by the INVITE message that triggered the corresponding Paging Request. Its argument is a reference to an SDCCH LogicalChannel where the transaction will start. It allocates a TCH/FACCH as part of the transaction. It calls CallManager once the call is connected. MOCConnector starts a mobile originated call (MOC) and returns when the call is cleared. It is invoked by the SDCCH dispatcher when a CM Service Request is received. Its argument is a reference to an SDCCH LogicalChannel where the transaction will start. It allocates a TCH/FACCH as part of the transaction. It calls CallManager once the call is connected. CallManager runs a call once the setup transaction is complete. It processes any L3 messages that arrive while the call is in progress and invokes functions as needed for the call disconnection state machines. Most control layer functions return boolean values indicating whether or not the transaction ended during the function call. For example, a function for some call control sub-procedure will return a boolean indicating whether or not the call was cleared during the sub-procedure. Most control layer functions take a LogicalChannel reference as an argument E-MOC -- Emergency Mobile Originated Connect used for handling emergency calls.

8.4
8.4.1 CallControl.cpp: 8.4.1.1 What is implemented?

Mobile originated call procedure Mobile terminated call procedure Emergency calls Test calls 8.4.1.2 Mobile originated call:

A mobile originated call is initiated by the MS. In the open source version, we will skip the authentication steps and simply respond to the CM Service Request with a CM Service Accept or Reject.

8.4.1.2.1 Steps of mobile originated call? CM Service Request (MM, 9.2.9)1, decode. This message indicates to the BTS that the phone will require ISDN-style (connection-oriented) services.

CM Service Accept (MM, 9.2.5), encode. This message allows us to bypass authentication and proceed directly to ISDN-style/Q.931call control.

CM Service Reject (MM, 9.2.6), encode. This message is sent to reject service if the call setup cannot be performed for some reason, such as an lack of available traffic channels.

Setup (CC, 9.3.23), decode. Simply skip unsupported elements based on T and L fields when parsing. This message triggers an INVITE message to the Asterisk server that starts the hybrid Q.931/SIP call setup procedure.

Call Proceeding (CC, 9.3.3), encode.

Assignment Command (RR, 9.1.2), encode. This message moves the transaction from the SDCCH to the TCH/FACCH.

Assignment Complete (RR, 9.1.3), decode. This is the first message sent from the phone on the newly assigned TCH/FACCH.

GSM 04.08

Alerting (CC, 9.3.1), encode. This message corresponds to the SIP 180 Ringing message.

Progress (CC, 9.3.17), encode. This message is needed to keep the connection alive when Asterisk delays are large. It is similar in purpose to the SIP 100 Trying message.

Connect (CC, 9.3.5), encode. This message corresponds to the SIP 200 OK message.

Connect Acknowledge (CC, 9.3.6), decode. This message corresponds to the SIP ACK message.

8.4.1.2.2 MOC sequence diagram:

ASTERISK

BTS CM Service Request CM Service Accept setup send INVITE() call proceeding assignment command Assignment Complete alerting progress send ok() send ACK for OK connect connect acknowlege

MS

Figure 1-MOC sequence diagram for L3 messages

8.4.1.2.3 How it is implemented in OpenBTS ?

Mobile originated call is implemented in OpenBTS in the file CallControl.cpp & CallControl.h through the two functions MOCStarter which implements the MOC sequence until the transaction is moved from the SDCCH to the TCH/FACCH & MOCController which implements the rest of the MOC sequence

8.4.1.2.4 Sequence of functions' call:

OpenBTS

DCCHDispatch

MobilityManagement

CallControl

main() DCCHDispatcher () CMServiceResponder () MOCStarter()

MOCController()

Figure 2-MOC sequence diagram

8.5 8.6
8.6.1.1 Mobile terminated call: A mobile terminated call is a call that is received by the MS. In the open source version, we will skip the authentication steps by sending a CM Service Accept or Reject after receiving the Paging Response.

8.6.1.1.1 Steps of mobile terminated call?

Paging Request Type 1 (RR, 9.1.22), encode. This message is sent whenever a SIP

INVITE message arrives from Asterisk.

paging response (RR, 9.1.22) , decode

Setup (CC, 9.3.23), encode. This message carries the content of the SIP INVITE message to the phone. Call Confirmed (CC, 9.3.2), decode. Assignment Command (RR, 9.1.2), encode. Assignment Complete (RR, 9.1.3), decode. Alerting (CC, 9.3.1), decode. Progress (CC, 9.3.17), encode. Connect (CC, 9.3.5), decode. Connect Acknowledge (CC, 9.3.6), encode

8.6.1.1.2 MTC sequence diagram

BTS Paging Request Type 1 Paging Response setup call confirmed assignment command Assignment Complete alerting progress connect connect acknowlege

MS

Figure 3-MTC sequence diagram for L3 messages

8.6.1.1.3 How it is implemented in OpenBTS ?

Mobile terminated call is implemented in OpenBTS in the file CallControl.cpp & CallControl.h through the two functions MTCStarter which implements the MTC sequence until the transaction is moved from the SDCCH to the TCH/FACCH & MTCController which implements the rest of the MTC sequence 8.6.1.1.4 Sequence of functions' call:

OpenBTS

DCCHDispatch

MobilityManagement

CallControl

main() DCCHDispatcher () CMServiceResponder () MTCStarter()

MTCController()

Figure 4-MTC sequence diagram

8.6.2 DCCHDispatch.cpp 8.6.2.1 What is implemented?

Dispatcher for messages passing through DCCH Dispatcher for RR messages passing through DCCH Dispatcher for MM messages passing through DCCH

8.6.2.2 Important functions:

1- void Control::DCCHDispatcher(LogicalChannel *DCCH)

persistent-thread control function for the DCCH

2- void DCCHDispatchRR(const L3RRMessage* req, LogicalChannel *DCCH)

Dispatch the appropriate controller for a Radio Resource message

3-void DCCHDispatchMM(const L3MMMessage* req, LogicalChannel *DCCH)

Dispatch the appropriate controller for a Mobility

management message

8.6.3 MobilityManagement.cpp 8.6.3.1 What is implemented:

Imsi detach Location update A handler for CM service request sending the welcome message 8.6.3.2 Important functions:

1-void Control::CMServiceResponder(const L3CMServiceRequest* cmsrq, LogicalChannel* DCCH)

Controller for CM Service requests, dispatches out to multiple possible transaction controllers

2- void Control::IMSIDetachController(const L3IMSIDetachIndication* idi, LogicalChannel* DCCH)

Controller for the IMSI Detach transaction

3void Control::LocationUpdatingController(const SDCCHLogicalChannel* SDCCH)

L3LocationUpdatingRequest*

lur,

Controller for the Location Updating transaction

4-bool sendWelcomeMessage(const SDCCHLogicalChannel* SDCCH)

char*

messageName,

const

char*

shortCodeName,

Send a given welcome message from a given short code

8.6.4 SMSControl.cpp

8.6.4.1 What is implemented:

methods to handle sending SMS between the BTS and a MS Mobile Originated Short Message Service controller Mobile Terminated Short Message Service controller

8.6.4.2 Important functions:

void Control::MOSMSController(const L3CMServiceRequest *req, LogicalChannel *LCH) Mobile Originated Short Message Service controller void Control::MTSMSController(TransactionEntry& transaction, LogicalChannel *LCH) Mobile Terminated Short Message Service controller

8.6.5 ControlCommon.cpp: 8.6.5.1 What is implemented: Functions that are used to update the transaction table or search for a certain mobile identifier in it. Functions that resolve a mobile identity to get the corresponding IMSI and maybe the corresponding TMSI for the retrieved IMSI. 8.6.6 ControlCommon.h: This file contains the prototype definitions for the functions implemented in the .CPP files mentioned above.

8.7 GSM
8.7.1 Introduction: The GSM stack is divided into 3 layers, we will discuss each layer briefly and how it is implemented in the Open BTS project, first the document starts by discussing L3 messages and their classification into 3 types RR ,MM and CC , a brief description for L2LAPDm protocol is found in section 3 and finally the document describes how L1 is implemented in the OpenBTS project. 8.7.2 GSM layer 3: Messages sent between the BTS and the MS are described in GSM layer 3 and they are called GSM layer 3 messages they are used in debugging problems during communication between BTS and MS. 8.7.2.1 Imperative part of L3 messages: The imperative part of a standard L3 message is composed a header possibly followed by mandatory standard IEs having the format V or LV. For further details on L3 messages please see GSM 04.07 clause 11. 8.7.2.2 L3 messages in OpenBTS: Forming and parsing L3 messages are implemented in the following files: GSML3Message.cpp GSML3Message.h

Some important functions: void L3Message::write(L3Frame& dest) const writes a l3 message (header skip indicator , pd , message type then calls the function that writes the l3 message's body. GSM::L3Message* GSM::parseL3(const GSM::L3Frame& source) Parses l3 messages and determines which type is it(RR,MM,CC) There are three main types of L3 messages which are implemented in the Open BTS project: radio resource messages mobility management messages call control messages

These messages are used in debugging problems occurring during the communication between the BTS and the MS and they are logged through the logging file of the project. These messages are described in the ETSI GSM standard 04.08 clause 9.

8.7.2.2.1 L3 RR messages

Table 1-L3 RR messages

Table 2- L3 RR messages (cont.)

8.7.2.2.1.1 L3 RR messages in Open BTS:

system information types 1-9 system information types 13, 16 and 17 Paging Response Paging Request Type 1 Measurement Report Assignment Complete Immediate Assignment Immediate Assignment Reject Assignment Command Assignment Failure Channel Release Channel Mode Modify Channel Mode Modify Acknowledge GPRS Suspension Request Classmark Change RR Status

8.7.2.2.1.2 Files that implement L3 RR messages in OpenBTS:

GSML3RRMessages.cpp GSML3RRMessages.h GSML3RRElements.cpp GSML3RRElements.h

The first two files contain functions that are responsible for structuring the RR messages as specified in the standards , they also provide parsing methods for messages that come from the MS as a response for any of the RR messages. Each message is implemented by a function that is responsible for structuring the message and is named like that messagename::writebody( ) For incoming messages that need to be parsed the message is named like that messagename::parsebody( ) Example: Parsing the page response message which is initiated by the MS as a response for any of the following RR messages : Paging request type 1 Paging request type 2 Paging request type 3

The other two files provide methods to ease dealing with the elements that form the RR messages.

8.7.2.2.2 L3 MM messages

Table 3-L3 MM messages

8.7.2.2.2.1 L3 MM messages implemented in Open BTS:

IMSI Detach Indication CM Service Request CM Service Accept CM Service Reject CM Service Abort CM Re-establishment Request Identity Response Identity Request MM Information Location Updating Accept

Location Updating Reject Location Updating Request MM Status

8.7.2.2.2.2 Files that implement L3 MM messages in OpenBTS:

GSML3MMMessages.cpp GSML3MMMessages.h GSML3MMElements.cpp GSML3MMElements.h

The first two files contain functions that are responsible for structuring the MM messages as specified in the standards. Each message is implemented by a function that is responsible for structuring the message and is named like that messagename::writebody( ). The other two files provide methods to ease dealing with the elements that form the MM messages.

8.7.2.3 L3 CC messages

Table 4-L3 CC messages

8.7.2.3.1.1 L3 CC messages implemented in Open BTS:

Alerting Connect Disconnect Connect Acknowledge Release Complete Setup Emergency Setup CC Status Call Confirmed Call Proceeding Start DTMF Start DTMF Reject Start DTMF Acknowledge Stop DTMF Stop DTMF Acknowledge Hold Hold Reject

8.7.2.3.1.2 Files that implement L3 CCmessages in OpenBTS:

GSML3CCMessages.cpp GSML3CCMessages.h GSML3CCElements.cpp GSML3CCElements.h

The first two files contain functions that are responsible for structuring the CC messages as specified in the standards. Each message is implemented by a function that is responsible for structuring the message and is named like that messagename::writebody( ) The other two files provide methods to ease dealing with the elements that form the CC messages.

8.7.3 GSM layer 2:

Layer 2 in the GSM stack the data-link layer. Across the Um interface, the data-link layer is a modified version of the Link access protocol for the D channel (LAP-D) protocol used in ISDN, called Link access protocol on the Dm channel (LAP-Dm) Note: The term Dm channel is used for convenience to designate the collection of all the various signaling channels required in the GSM system. It is implemented through the following files : GSML2LAPDm.cpp GSML2LAPDm.h GSMTransfer.h GSMTransfer.cpp

The first two files implement the algorithms and the state machines of the LAPDM protocol. The other two files implement methods for structuring and formatting L2 meesages. For further details on L2 LAPDM please see GSM 04.06 .

8.7.4 LAYER 1 : Represents the physical layer of the GSM stack. Maps physical channel into logical channels. Sends and receives bits from the transceiver module. Interfaces with the transceiver through the transceiver manager module. The interface with the transceiver is through a UDP port to ensure portability and modularity for both modules. 8.7.4.1 LAYER 1 in OpenBTS:

Layer 1 is implemented through the following files : GSML1FEC.cpp GSML1FEC.h GSMLogicalChannel.h GSMLogicalChannel.cpp GSMTDMA.h GSMTDMA.cpp

The GSML1FEC.h file contains the classes representing encoders and decoders for different logical channels here are some of them: class L1Encoder Abstract class for L1 encoders. In most subclasses, writeHighSide() drives the processing. class L1Decoder An abstract class for L1 decoders. writeLowSide() drives the processing. class L1FEC The L1FEC encapsulates an encoder and decoder. class RACHL1Decoder L1 decoder for Random Access (RACH). class XCCHL1Decode Abstract L1 decoder for most control channels class SDCCHL1Decoder L1 decoder for the SDCCH. class SACCHL1Decoder L1 decoder for the SACCH The GSML1FEC.h file implements the encoders and decoders for the various logical channels and also the L1 FEC which is an encapsulated encoder and decoder. The GSML1FEC.cpp file contains some important functions such as:

void FCCHL1Encoder::generate() BCCHL1Encoder::generate() void SCHL1Encoder::generate() void RACHL1Decoder::serviceLoop()

The first three functions are called through service loops ,they run continuously until the looping condition is violated , these functions are responsible for sending the data sent by the logical channel calling it example : void FCCHL1Encoder::generate() Responsible for sending the zero burst which is sent on the FCCH logical channel as specified in the GSM standards. The fourth function has a service loop pulls RACH bursts from a FIFO and sends them to the decoder. GSMLogicalChannel.h & GSMLogicalChannel.cpp provide classes and methods to deal with the logical channels in general such as open & close or constructors and service loops that weren't mentioned in GSML1FEC.cpp and GSML1FEC.h. GSMTDMA.h & GSMTDMA.cpp channels. 8.7.4.2 Other important files are responsible for mapping logical channels into physical

GSMCommon.cpp GSMCommon.h GSMConfig.cpp GSMConfig.h GSMSAPMux.cpp GSMSAPMux.h

GSMCommon.cpp and GSMCommon.h contain some important functions which set the uplink and downlink frequencies and calculate the current frame number besides other functions. GSMConfig.cpp and GSMConfig.h contain the GSMConfig class which holds the GSM configuration parameters such as:

network color code basestation color code GSM operating band copy of the BTS master clock Encoded L2 frames to be sent on the BCCH Encoded L3 frames to be sent on the SACCH GSMSAPMux.cpp and GSMSAPMux.h implement methods needed for dealing with a SAPMUX. 8.7.4.3 What is a SAPMUX?

A SAPMux is a multipexer the connects a single L1 to multiple L2s. A "service access point" in GSM/ISDN is analogous to port number in IP. GSM allows up to 4 SAPs, although only two are presently used.

See GSM 04.05 5.2 for an introduction.

8.8 SIP
Components of the SIP state machines used by the control layer.

8.9 SMS
The SMS stack.

8.10 TRXManager
The interface between the GSM stack and the radio.

8.11 Transceiver
The software transceiver and specific installation tests.

8.12 apps
OpenBTS application binaries , these folder contains some important files such as: 8.12.1 OpenBTS.config Through this file you can alter all systems configurations such as the GSM band(900/1800) ,the logging files path , which transceiver to use (52 MHZ/64 MHZ) , . Etc. 8.12.2 OpenBTS.cpp Contains initializations for some objects then implements the main function of the project

8.13 doc
Projects documentation.

8.14 tests
Test fixtures for subsets of OpenBTS components.

8.15 Smqueue
RFC-3428 store-and-forward server for SMS.

8.16 CLI
8.16.1 What is the function of the command line interpreter? It receives a command from the user through the command line interface, checks if it is a valid one and if so it executes this command. It can also be used to get help about any of the available commands.

8.16.2 Some of the supported commands in OpenBTS:

command Loglevel

Help [level] -- get/set the logging level, one of {ERROR, ALARM, WARN, NOICE, INFO, DEBUG, DEEPDEBUG}. <path> -- set the logging file's path.

Setlogfile

Printtmsis [\"clear\"] -- print/clear the TMSI table Sendsms cellID send SMS to <IMSI>, addressed from <src>, after prompting [MCC MNC LAC CI] -- get/set location area identity (MCC, MNC, LAC) and cell ID (CI)

Table 5-some of the supported commands in OpenBTS

The command line interpreter is implemented through the following two files: CLI.cpp CLI.h

8.17 HLR
8.17.1 What is a home location register ? The home location register (HLR) is a central database that contains details of each mobile phone subscriber that is authorized to use the GSM core network. There can be several logical, and physical, HLRs per public land mobile network (PLMN), though one international mobile subscriber identity (IMSI)/MSISDN pair can be associated with only one logical HLR (which can span several physical nodes) at a time. The HLRs store details of every SIM card issued by the mobile phone operator. Each SIM has a unique identifier called an IMSI which is the primary key to each HLR record 8.17.2 HLR in Open BTS :

HLR in Open BTS is implemented through the following files : 1- HLR.cpp 2-HLR.h Open BTS does its calls through ASTERISK so the HLR implemented in Open BTS records data related to ASTERISK such as the registration IP .

Here are some of the important functions in this subsystem and their description:

1-virtual char* getIMSI(const char* ISDN) =0; Resolve an ISDN or other numeric address to an IMSI.

2-virtual char* getCLIDLocal(const char* IMSI) =0; Given an IMSI, return the local CLID, which should be a numeric address

3-virtual char* getCLIDGlobal(const char* IMSI) =0; Given an IMSI, return the global CLID, which should be a numeric address.

4-virtual char* getRegistrationIP(const char* IMSI) =0;

Given an IMSI, return the IP address of the most recent registration.

5-virtual Status addUser(const char* IMSI, const char* CLID) =0; Add a new user to the HLR. 6-virtual Status addAddress(const char* IMSI, const char* ISDN) =0; Add an address for a user.

9 Compiling and running OpenBTS:


9.1 Hardware used:
USRP WBX daughter board 2 antennas for tx and rx Your PC or laptop

9.2 Software used:


LINUX operating system(ubuntu 10.10) GNU radio 3.3.0 Open BTS software version 2.6 ttsou expanded daughter board support Python 2.6 GRC 1.3

9.3 Important notes before GNU radio setup


If you have gnuradio 3.2 then you should completely remove it Wbx doesn't work with gnuradio before 3.3 openbts 2.5.4 lacassine doesn't work with gnuradio 3.3.0 (not sure)

9.3.1 GNU radio dependencies:

You need to install these packages before installing GNU radio: python-dev FFTW 3.X (fftw3, fftw3-dev) cppunit (libcppunit and libcppunit-dev)

libboost (for GNU radio 3.3.0 install libboost 1.40) libusb and libusb-dev wxWidgets (wx-common) and wxPython (python-wxgtk2.8) python-numpy (via python-numpy-ext) (for SVN on or after 2007-May-28) ALSA (alsa-base, libasound2 and libasound2-dev) Qt (libqt3-mt-dev for versions earlier than 8.04; version 4(libqtcore4-libqtgui4) works for 8.04 and later) SDL (libsdl-dev) GSL GNU Scientific Library (libgsl0-dev >= 1.10 required for SVN trunk, not in binary repositories for 7.10 and earlier) SWIG (1.3.31 or newer required) Edgy or previous: requires installation from source Feisty or newer: use the standard package install (swig) QWT and QWT PLot3d libraries (optional for Qt Gui)

9.3.2 Other useful packages

doxygen (for creating documentation from source code) octave (from "universe")

9.4 GNU radio setup


Install guile Install sdcc Install JACK,libjack-dev Install libosip Install libqtgui4,python-qt4,libgnuradio-qtgui0,python-gnuradio-qtgui

Install Python-lxml,Python-Cheetah ==> for grc Install libortp-dev ==> for OpenBts code configure Cd GNU radio Enable ./configure:type 3.3.0/usrp2/firmware Enable ./configure.gui ./configure Make Sudo make install chmod a+x ./configure in gnuradio-3.3.0 and gnuradio-

If the configuration is successful the following message should appear on the terminal:

Figure 5-successful result for GNU radio configuration

After ./ configure you should make sure that gr-usrp compnent was successfully installed You should make sure that the make command doesn't result in any error

Install GRC 1.3 from synaptic package manager Set the pythonpath and the LD_LIBRARY path as follows: Cd home/<username> Gedit .bashrc Write the following lines at the end of the .bashrc file export LD_LIBRARY_PATH=/usr/local/lib export PYTHONPATH=usr/local/lib/python2.6/site-packages To make sure that these paths were changed type the following command in the terminal: Env Go to usr/local/share/gnuradio/grc/freedesktop Run grc If you get an error telling you that the python or ld_library paths are not installed correctly then make sure that python-gnuradio is installed

9.5 Testing the WBX


Connect the usrp Type lsusrp in the terminal

9.6 Compiling and running openbts


copy these files into ur code's directory: all files in /usr/share/libtool/config/ except the softlinks config.sub and config.guess copy config.sub and config.guess from /usr/share/misc to ur code's directory

Type the following commands in the terminal:

1-aclocal 2-autoconf

3-autoheader 4-automake 5-./configure 6-make 7-sudo make install 8-cp OpenBTS.config.example OpenBTS.config 9- alter the required settings in OpenBTS.config(mcc= 602 ,mnc= 04 or greater,arfcn =20) 10-cd apps 11-./OpenBTS

Now start searching for the OpenBTS network

10 REFERENCES
[1] The Open BTS Project, David A. Burgess, Harvind S. Samra, August 3, 2008. [2] Mobile radio interface layer 3 specification, GSM 04.08 version 7.7.1 Release 1998

You might also like