Building a GSM network with open source
by Andrew Back
Over the last few years open source technology has enabled mobile phone networks to be set up on a shoestring budget at hacker conferences, on a tiny Pacific island and at a festival in the Nevada desert. Andrew Back takes a look at how this has been made possible and at what's involved in building a GSM network using OpenBTS and OpenBSC.
The origins of the Global System for Mobile Communications (GSM) can be traced back to the early 1980s, and to agreements between European nations seeking network interoperability through a standards-based replacement for incompatible first generation networks. The initial GSM specifications were published in 1990 and networks were deployed soon after, with the GSM Association (GSMA) being set up in 1995 to drive standardisation and to promote the system.
The development of GSM has been led by incumbent telcos, large system integrators and multinational equipment providers, and its arcane terminology and formidable catalogue of specifications spread across more than 1,100 PDFs are not for the faint hearted. The comprehensive standards and recommendations produced cover everything from wireless protocols and voice codecs, to subscriber records and encryption. Many of these have been made freely available via the ETSI and 3GPP standards bodies, while some – for example, those detailing the encryption algorithms used for call privacy – are restricted to GSMA members.
The GSMA has been described as "one of the most powerful organisations in the world" – it boasts a membership of around 800 mobile operators across 220 countries, and entry to this prestigious club is a privilege and not a right, with subscriptions starting at an eye-watering £9,000 per year.
Fortunately, bewildering complexity and incomplete access to standards were not enough to dissuade a handful of determined open source developers, and thanks to them there are now two low cost routes to setting up a GSM network.
It's fair to say that, with their background in signals intelligence and direct experience of working with GSM, OpenBTS developers Harvind Samra and David A. Burgess had a significant head start. And it's almost certainly this rare insight that guided them in their eminently pragmatic approach to solving the problem at hand: rather than toiling to create a full and complete implementation of the labyrinthine GSM architecture, they chose to treat it as a black box and to focus their efforts on the part that sits between a mobile and base station – the air interface or "Um" in GSM parlance. With this implemented, much of the remaining GSM hierarchy was deemed unnecessary and was dispensed with, and internet protocols such as SIP used in favour of their more esoteric GSM counterparts.
The next stroke of genius came in their approach to engineering the air interface. In a proprietary base transceiver station (BTS) this would typically be done via a heady mix of analogue and digital circuitry that takes care of things such as time division multiplex, complex modulation and high accuracy timing. However, in OpenBTS these and many other tasks are handled in the digital domain and by software running on a commodity processor. This move massively simplified hardware requirements and made just about everything a software problem, as opposed to one of reasonably advanced electronic engineering involving many specialist parts.
Jacqueline Mpala used OpenBTS as part of her bachelor's degree in engineering at the University of Zambia, when looking for a cost-effective communication system for use in rural areas that would run off solar power and via an internet connection. She explains: "I acquired a laboratory kit since it was just for my project. It comprised of the USRP and an 8G PC. The total cost was about 1800 euros". She went on to say: "The configurations were easy once I learnt a few basics about Linux – I need to mention here that this was my first time with Linux but I got the hang of it in no time. I followed the configuration step by step as outlined in the manual online and I was able to make calls within my own network." Suggesting a positive outcome from her research, she concludes: "OpenBTS could be used for rural communication since both the capex and opex is very low."
In support of their strategy to implement the bare minimum of GSM and to use internet standards where possible, the Asterisk soft-switch is used in place of the mobile switching centre (MSC) that would normally sit in the GSM network core. This allows for switching to be distributed over multiple switches, provides transcoding to and from GSM voice codecs, and in effect turns mobile handsets into SIP endpoints. SQLite3 is used to manage a registry of subscribers, a store-and-forward system is provided to sit alongside Asterisk to support SMS messaging, and tools are supplied for configuring the base station and provisioning subscribers.
OpenBTS bridges the analogue and digital domains with a device that is akin to an extremely high-bandwidth sound card, and this digital radio hardware presents an interface such as USB2 or Gigabit Ethernet to a Linux host running the software. RF is presented at the other side and, depending on which particular hardware is being used and the transmit power required, some additional analogue components may be needed between here and the antenna. Where this is the case these tend to be simple circuits such as power amplifiers and filters.
The original setup for OpenBTS made use of the Universal Software Radio Peripheral (USRP) that was designed as a hardware companion to GNU Radio, the open source toolkit for creating software-defined radio systems. When combined with basic PC and RF components that can be picked up on the surplus market, this enables the creation of a GSM base station at a cost of somewhere in the order of £1,000-£2,000.
In discussing the project to build a GSM network at MadLab, co-founder Dave Mee explains:
"GSM is the most pervasive network system in the world, yet largely people don't understand – or have access to – its inner workings. The test network will allow many new people from outside established industry to explore the potential of GSM as well as better understand its magic. We'll be organising structured hack days, allowing any interested parties – from software developers to service designers, knitters to bio engineers, to get involved and look at new ways of working with GSM and possible new uses and projects that can feed both the cultural and commercial sectors in future."
Support has since been added for new and enhanced versions of the USRP, and for turnkey hardware that is provided by Range Networks – the company founded by the OpenBTS developers to provide commercial products and services based on the technology.
Development of OpenBTS started in August 2007, and one year and approximately 10,000 lines of C++ later the first pilot took place at Burning Man, where around 120 phone calls were connected to 95 numbers across North America. The team has since returned to the festival each year with an improved system, and in 2010 they made their first permanent install on the island country of Niue and provided its 1,400 or so inhabitants with their first ever mobile phone service.
More recently, and in the somewhat less exotic environs of the North of England, efforts are under way to construct a GSM test network at Manchester hackerspace, MadLab. The initiative is being led by Senior Engineer at Voxeo Labs, Tim Panton – an IP telephony expert, and now OpenBTS veteran, having been closely involved with the Niue and Burning Man installs, among others.