BSC Hack
bsc_hack is the name of the OpenBSC program executable. We call it that because it is still pretty much a big hack, despite having come a long way in quite a short amount of time.
Configuration
OpenBSC has a configuration file. The default config file name is openbsc.cfg in the current working directory of the bsc_hack process.
You can specify an alternate config file location by using the --config-file command line argument.
There are several example configuration files in the openbsc distribution:
- openbsc.cfg.1-1: Configuration for one BS-11 with a single TRX
- openbsc.cfg.1-2: Configuration for one BS-11 with two TRX
- openbsc.cfg.2-2: Configuration for two BS-11 (multi-drop) with two TRX each
- openbsc.cfg.nanobts: Configuration for a nanoBTS 1800
For more information, please see the bsc_hack_VTY reference.
Command Reference
netzing@btsDev:~/openbsc/openbsc/src> ./bsc_hack --help
Usage: bsc_hack
Some useful help...
  -h --help this text
  -d option --debug=DRLL:DCC:DMM:DRR:DRSL:DNM enable debugging
  -s --disable-color
  -c --config-file filename The config file to use.
  -l --database db-name The database to use
  -r --reject-cause number The reject cause for LOCATION UPDATING REJECT.
  -p --pcap file The filename of the pcap file
  -T --timestamp Prefix every log line with a timestamp
BS-11
When you start bsc_hack with a BS-11, you will see something like:
DB: Database initialized.
DB: Database prepared.
1 device found
id: 0
Dprotocols: 00000018
Bprotocols: 0000000e
protocol: 4
nrbchan: 30
name: hfc-e1.1
activate bchan
bootstrapping OML
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=0)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=1)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1315 CONNECT TERR TRAF Um=(0,0,1) E1=(0,2,1)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=2)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1315 CONNECT TERR TRAF Um=(0,0,2) E1=(0,2,2)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=3)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1315 CONNECT TERR TRAF Um=(0,0,3) E1=(0,2,3)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=4)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1315 CONNECT TERR TRAF Um=(0,0,4) E1=(0,3,0)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=5)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1315 CONNECT TERR TRAF Um=(0,0,5) E1=(0,3,1)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=6)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1315 CONNECT TERR TRAF Um=(0,0,6) E1=(0,3,2)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1376 Set Chan Attr (bts=0,trx=0,ts=7)
Thu Feb 19 04:22:48 2009 <0020> abis_nm.c:1315 CONNECT TERR TRAF Um=(0,0,7) E1=(0,3,3)
bootstrapping RSL MCC=1 MNC=1
ip.access nanoBTS
We assume you have a nanoBTS configured with its primary OML link pointing to the IP address of your Linux PC.
After starting, bsc_hack will just wait for your nanoBTS to connect, which can take quite a while.
Dealing with the HLR
We currently use a quite simple sqlite3 database for the HLR. In fact, it is more than just a HLR, since it stores an entry for every subscriber or phone that tries to log into your network.
We obtain the IMSI and IMEI of every LOCATION UPDATING REQUEST, and then, if necessary, create a new entry for the equipment as well as the subscriber in the respective tables.
The schema looks like:
CREATE TABLE Equipment (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    created TIMESTAMP NOT NULL,
    updated TIMESTAMP NOT NULL,
    imei NUMERIC UNIQUE NOT NULL,
    name TEXT
);
CREATE TABLE EquipmentWatch (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    created TIMESTAMP NOT NULL,
    updated TIMESTAMP NOT NULL,
    subscriber_id NUMERIC NOT NULL,
    equipment_id NUMERIC NOT NULL,
    UNIQUE (subscriber_id, equipment_id)
);
CREATE TABLE Meta (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    key TEXT UNIQUE NOT NULL,
    value TEXT NOT NULL
);
CREATE TABLE Subscriber (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    created TIMESTAMP NOT NULL,
    updated TIMESTAMP NOT NULL,
    imsi NUMERIC UNIQUE NOT NULL,
    name TEXT,
    extension TEXT UNIQUE,
    authorized INTEGER NOT NULL DEFAULT 0,
    tmsi TEXT UNIQUE,
    lac INTEGER NOT NULL DEFAULT 0
);
If the subscriber.authorized field is set to '1', then we allocate a TMSI and answer with LOCATION UPDATING ACCEPT. Otherwise, we send a regular LOCATION UPDATING REJECT to refuse the mobile's attempt to roam to our network. You can change the reject cause using --reject-cause.
You can allow everyone to join your network by using the auth policy accept config file option.
Authorizing a particular IMSI
To authorize your mobile station, you will need to execute the following command:
$ sqlite3 hlr.sqlite
sqlite> update Subscriber set authorized=1 where imsi=YOUR_IMSI;
Assigning an extension number to an IMSI
In order to call a phone, you need to assign an extension number (phone number) for the IMSI.
In the following example, we assign the extension number 4444:
$ sqlite3 hlr.sqlite
sqlite> update Subscriber set extension=4444 where imsi=YOUR_IMSI;
Finding IMEIs for a given IMSI
$ sqlite3 hlr.sqlite
sqlite> select equipment.imei
   ...> from equipment, equipmentwatch, subscriber
   ...> where equipmentwatch.equipment_id=equipment.id
   ...>   and subscriber.id=equipmentwatch.subscriber_id
   ...>   and subscriber.imsi=YOUR_IMSI;
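The three HLR operations above, done from a script instead of the sqlite3 prompt. This is an added example, not code from OpenBSC: it runs against an in-memory database built from the schema above, the IMSIs and IMEIs are constructed, and the function names (check_imsi, authorize, imeis_for_imsi, demo_db) are hypothetical. It goes slightly beyond the commands above by binding the IMSI as a query parameter and by reporting when the UPDATE matched no row.

```python
import re
import sqlite3

SCHEMA = """  -- tables as given on the page; Meta is left out because it is not used here
CREATE TABLE Equipment (id INTEGER PRIMARY KEY AUTOINCREMENT, created TIMESTAMP NOT NULL,
  updated TIMESTAMP NOT NULL, imei NUMERIC UNIQUE NOT NULL, name TEXT);
CREATE TABLE EquipmentWatch (id INTEGER PRIMARY KEY AUTOINCREMENT, created TIMESTAMP NOT NULL,
  updated TIMESTAMP NOT NULL, subscriber_id NUMERIC NOT NULL, equipment_id NUMERIC NOT NULL,
  UNIQUE (subscriber_id, equipment_id));
CREATE TABLE Subscriber (id INTEGER PRIMARY KEY AUTOINCREMENT, created TIMESTAMP NOT NULL,
  updated TIMESTAMP NOT NULL, imsi NUMERIC UNIQUE NOT NULL, name TEXT, extension TEXT UNIQUE,
  authorized INTEGER NOT NULL DEFAULT 0, tmsi TEXT UNIQUE, lac INTEGER NOT NULL DEFAULT 0);
"""

def check_imsi(imsi):
    # Accept only a decimal string of at most 15 digits, so nothing else reaches the query.
    if not (isinstance(imsi, str) and re.fullmatch(r"[0-9]{1,15}", imsi)):
        raise ValueError("IMSI must be 1 to 15 decimal digits")
    return imsi

def authorize(conn, imsi, extension=None):
    """Set authorized=1 and optionally an extension; return False if the IMSI is unknown."""
    with conn:  # commit on success, roll back if the UNIQUE extension is already taken
        cur = conn.execute("UPDATE Subscriber SET authorized=1, extension=COALESCE(?, extension) "
                           "WHERE imsi=?", (extension, check_imsi(imsi)))
    return cur.rowcount == 1  # 0 rows: this IMSI has not sent a LOCATION UPDATING REQUEST yet

def imeis_for_imsi(conn, imsi):
    rows = conn.execute(
        "SELECT e.imei FROM Equipment e JOIN EquipmentWatch w ON w.equipment_id=e.id "
        "JOIN Subscriber s ON s.id=w.subscriber_id WHERE s.imsi=? ORDER BY e.imei",
        (check_imsi(imsi),))
    return [str(r[0]) for r in rows]

def demo_db():
    # Constructed sample data: two subscribers, the first seen with two handsets.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    t = "2009-02-19 04:22:48"
    with conn:
        conn.executemany("INSERT INTO Subscriber (created, updated, imsi) VALUES (?,?,?)",
                         [(t, t, "901700000000001"), (t, t, "901700000000002")])
        conn.executemany("INSERT INTO Equipment (created, updated, imei) VALUES (?,?,?)",
                         [(t, t, "350000000000011"), (t, t, "350000000000029")])
        conn.executemany("INSERT INTO EquipmentWatch (created, updated, subscriber_id, "
                         "equipment_id) VALUES (?,?,?,?)", [(t, t, 1, 1), (t, t, 1, 2)])
    return conn
```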
Using the telnet interface
You can telnet to port 4242 of the machine that runs bsc_hack and try some of the commands.
If you type the commands enable and configure terminal, you can interactively enter commands in the same syntax as the configuration file. For more information, please see the bsc_hack_VTY reference.
Common Problems
Failed to init database
$ ./bsc_hack
DB: Failed to create connection.
DB: Failed to init database. Please check the option settings.
This is most likely caused by one of the following problems:
- the sqlite3 backend for DBD (dbd-sqlite3) has not been installed
- bsc_hack does not have write permissions to the local directory
