OsmocomBB is an Free Software / Open Source GSM Baseband software implementation. It consists of 3 elements:
- Firmware running on the baseband chip of a compatible Mobile Phone such as a Motorola C115. Normally this is the GSM Layer 1 (physical layer) firmware
- A communication process (osmocon) running on a Unix host which relays communication between GSM Layer 2/3 (Data Link and Network layers) applications and the GSM Layer 1 firmware running on the Phone using a serial cable connection
- GSM Layer 2/3 applications which run also run on the Unix host
The easy way to think of OsmocomBB is a physical NIC card (Mobile Phone and baseband firmware) with a host driver (osmocon) which can be accessed by GSM applications.
The beauty of OsmocomBB is that (ignoring the cost of the Unix host) a compatible Motorola Mobile Phone and USB serial cable can be bought on eBay for less than £10. A £30 Raspberry Pi (http://www.raspberrypi.org/) can even be used as the Unix Host.
Playing with GSM and access to GSM Layer 1 does not come any cheaper than that!
osmocon is responsible for downloading custom baseband firmware into the phone. After downloading a firmware image, osmocon turns into an High-Level Data Link Control (HDLC) mulitplexer/demultiplexer allowing for multichannel communication with the phone.
When using the GSM Layer 1 firmware GSM L1CTL messages are received via a USB serial port by osmocon, which demultiplexes the different data streams and passes L1CTL on via a unix domain socket into whatever GSM Layer 2/3 application is running (e.g. mobile, cell_log, ccch_scan, bcch_scan, cbch_sniff or other naughty GSM applications such as RACHell).
./osmocon -p /dev/ttyUSB0 -m c123xor ../../target/firmware/board/compal_e88/layer1.compalram.bin
mobile is a L2/L3 application that implements most of the behavior of a regular GSM telephone but is extended in many ways. The mobile application is used in combination with the layer1.bin firmware.
ccch_scan is a L2/L3 application that can sync to a carrier ARFCN then logs power measurement and GSM Common Control Channel (CCCH) information such as Paging Requests and Immediate Assignments. Like mobile, ccch_scan is also used in combination with the layer1.bin firmware.
./osmocom-bb/src/host/layer23/src/misc/ccch_scan -a 512
As an alternative to the GSM Layer 1 firmware, the RSSI firmware can be downloaded. RSSI is an application that can be used to monitor the received signal indication (RSSI) of ARFCNs or the entire spectrum. RSSI is too big to be loaded directly so it has to be chainloaded e. g. osmocom first loads a little chainloader binary which in turn is used load actual payload (big RSSI binary) specified via “-c” option:
./osmocom-bb/src/host/osmocon/osmocon -p /dev/ttyUSB0 -m c123xor -c ./osmocom-bb/src/target/firmware/board/compal_e88/rssi.highram.bin ./osmocom-bb/src/target/firmware/board/compal_e88/chainload.compalram.bin
YouTube demo here …