Testing operation

With our standalone network configured we can now proceed to testing. The OsmocomBB project provides a handy network monitor firmware that can be loaded onto certain handsets, and the image shows this tuned to ARFCN 540 and confirming our basic network configuration.

Network monitor firmware displaying configuration details

To provision handsets with network authentication and support for encryption we need to know the secret key, or “Ki” in GSM terminology, that is stored on the SIM card. For obvious reasons we cannot read this back from a typical SIM, so for testing purposes we'll make use of “16-in-1 Super SIM” cards and a SIM card programmer.

Super SIM card and a SIM card programmer

The programmer appears as a USB serial port and the Pysim tool is used to program SIMs:

./ -d /dev/ttyUSB0 -n OpenBSC -c 44 -x 001 -y 01 -i 001010000000053 -s 1234567890000000003

Here we have provided the serial port, a network name of OpenBSC, a country code of 44, and mobile country and network codes of 001 and 01 to indicate a test network. We have specified the IMSI with the -i option and -s indicates the serial number we want to give to the SIM. The output of this command will include a randomly generated value for Ki.

OpenBSC NITB provides a VTY command line interface similar to those provided by Ethernet and IP network equipment, which can be used for configuration and logging. At this point it would be useful to connect to the VTY and to enable copious logging. This can be done from the sysmoBTS shell prompt with:

# telnet localhost 4242
OpenBSC> logging enable
OpenBSC> logging filter all 1
OpenBSC> logging level all debug

Logging output can be filtered on an attribute such as an IMSI; the second command turns filtering off. The last command sets logging for every subsystem to debug level (lots of information!).

If we were running Pysim on the same host as OpenBSC NITB we could have specified an additional option to update the HLR database. Since we are not, we can just switch the handset on: when it attempts a Location Update Request (to connect to the network) this will fail, and it will be added to the HLR database with a default status of unauthorised.

An as yet unauthorised handset attempts a Location Update Request and is rejected

Now that we have an HLR entry for our subscriber we can update this to authorise them, set a friendly name, allocate an extension — so called because the NITB mode is akin to a GSM PBX — and set the Ki value as output earlier by the Pysim tool.

OpenBSC> enable
OpenBSC# subscriber id 1 authorized 1
OpenBSC# subscriber id 1 name Bill
OpenBSC# subscriber id 1 extension 1003
OpenBSC# subscriber id 1 a3a8 comp128v1 177155ec5fd0201cd98b9ab4f810bb02
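
A way to sanity-check the SIM parameters before typing them into the VTY, as an added example that is not part of the original article or of OpenBSC or Pysim. The function names are hypothetical; the IMSI, Ki and subscriber values used with it are the ones shown on this page.

```python
import re

# Test-network codes used in this article (Pysim -x 001 -y 01).
TEST_MCC, TEST_MNC = "001", "01"


def check_imsi(imsi, mcc=TEST_MCC, mnc=TEST_MNC):
    """An IMSI is up to 15 decimal digits: MCC, then MNC, then the MSIN."""
    if not re.fullmatch(r"\d{6,15}", imsi):
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    if not imsi.startswith(mcc + mnc):
        raise ValueError("IMSI is not in PLMN %s-%s" % (mcc, mnc))
    return imsi


def check_ki(ki):
    """Ki is a 128-bit key, written as exactly 32 hex digits."""
    ki = ki.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", ki):
        raise ValueError("Ki must be exactly 32 hex digits (128 bits)")
    return ki


def vty_commands(sub_id, name, extension, ki):
    """Build the VTY lines shown above for one HLR entry.

    Inputs are validated first so that a truncated Ki or a stray
    newline never reaches the VTY as a half-applied configuration.
    """
    if not name or any(ord(c) < 32 for c in name):
        raise ValueError("name must not be empty or contain control characters")
    if not re.fullmatch(r"\d+", extension):
        raise ValueError("extension must be numeric")
    prefix = "subscriber id %d" % sub_id
    return [
        "enable",
        prefix + " authorized 1",
        prefix + " name " + name,
        prefix + " extension " + extension,
        prefix + " a3a8 comp128v1 " + check_ki(ki),
    ]


if __name__ == "__main__":
    check_imsi("001010000000053")
    for line in vty_commands(1, "Bill", "1003",
                             "177155ec5fd0201cd98b9ab4f810bb02"):
        print(line)
```
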

If we turn the handset off and back on again we should now see that the Location Update Request is successful and we are provided with network service.

Handset 1003 performs a successful Location Update

Following this, we can use the show subscriber command to see that the HLR record has been updated with additional parameters that are used in providing service:

OpenBSC# show subscriber id 1
