OsmoSGSN: OsmoSGSN GPRS encryption support

Added by laforge 6 months ago

All the years since OsmoSGSN came first into existance, it never had gained GPRS encryption support. While the original code had been written with encryption in mind, and libosmocore even contained a plugin infrastructure for GPRS encryption plugins, nobody had so far connected the dots, figured out the bugs in the existing code and made it fully work.

Thanks to analysis by Dieter Spaar and Max Suraev, we now have a functional implementation of GPRS encryption in OsmoSGSN. The SGSN contains the core infrastructure for it, while encyption is handled via libosmocore. A GEA3 implementation has just been merged to libosmocore - we also have experimentally verified operation with GEA1 + GEA2, but unfortunately no public documentation / implementation of those security by obscurity algorithms is available yet.

In terms of the SGSN changes required: Most have been merged, while some are still in the gerrit review process, see

Cellular Infrastructure: Osmocom Wireshark improvements for AMR and Osmux

Added by laforge 6 months ago

Over the past weeks, Osmocom developer Daniel Willmann has been working on various improvements/extensions of the popular wireshark dissector in the context of using it with (Osmocom) GSM networks.

The extensions include:
  • support for playback of AMR from captured RTP streams (using libopencore-amrnb)
  • extend RTP jitter/delay statistics for AMR-RTP as used in A-bis/IP and A/IP
  • a new dissector for the Osmux (Osmocom Multiplex) protocol
  • statistics support for the Osmux protocol.

The above features allow for much better analysis of any voice plane related issues in Osmocom GSM networks.

All related changes can be found in and we are actively submitting them to mainline wireshark at this point.

OsmocomTETRA: Student sentenced to jail for showing TETRA insecurity

Added by laforge 8 months ago

According to some news report, including this report at softpedia, a 26 year old student at the Faculty of Criminal Justice and Security in Maribor, Slovenia has received a suspended prison sentence for finding flaws in Slovenian police and army TETRA network using OsmocomTETRA.

If a TETRA network (like any other network) is configured with broken security, then the people responsible for configuring and operating that network are to be blamed, and not the researcher who invests his personal time and effort into demonstrating that police radio communications safety is broken. On the outside, the court sentence really sounds like "shoot the messenger". They should instead have jailed the people responsible for deploying such an insecure network in the first place, as well as those responsible for not doing the most basic air-interface interception tests before putting such a network into production.

According to all reports, the student had shared the results of his research with the authorities and there are public detailed reports from 2015, like the report (in Slovenian) at

Cellular Infrastructure: migration from trac to redmine completed

Added by laforge 10 months ago

The Osmocom project has migrated from an aging infrastructure consisting of multiple trac instances to a new environment using redmine.

Using redmine allows us to create a comprehensive hierarchy of nested projects, and allows projects to be shifted around in that hierarchy after the fact, as well as cross-project issue (=ticket) relationships. This fits our development much better than what we had before.

Over the past five weeks, the content of the affected was imported and manually reviewed/edited/migrated. You may still find some pages with erroneous formatting or other issues. If you do, please consider registering an account and fixing it yourself, or notifying the respective project mailing list ( in case of doubt) about the issue you've encountered.

Specifically, this includes the old sites:

More details can be found in Harald's blog post at

Cellular Infrastructure: TelcoSecDay: Importance of FOSS for cellular security

Added by laforge 10 months ago

Yesterday the Osmocom project founder Harald Welte presented about Open Source Network Elements for Security Analysis of Mobile Networks at the Troopers 2016 TelcoSecDay.

The main topics addressed by this presentation are:

  • Importance of Free and Open Source Software implementations of cellular network protocol stacks / interfaces / network elements for applied telecom security research
  • The progress we've made at Osmocom over the last eight years.
  • An overview about our current efforts to implement at 3G Network similar to the existing 2G/2.5G/2.75G implementations.

There are no audio or video recordings of this session.

Slides are available at

Cellular Infrastructure: Osmocom User Manuals released publicly

Added by laforge 11 months ago

Today, sysmocom GmbH has announced the public availability of a set of freely available user manuals for a range of Osmocom software projects for operation of Free Software based cellular networks.

The sysmocom-created user manuals had so far been available only to customers of sysmocom GmbH, but are now made publicly available to all users of Osmocom software.

The release includes user manuals and VTY command line reference manuals for the OpenBSC flavors OsmoBSC and OsmoNITB, as well as OsmoBTS, OsmoPCU and OsmoSGSN.

Both PDF rendered versions, as well as the asciidoc source code is made available under the GNU Free Documentation License (GFDL).

The PDF renderings of the latest version of the manuals are available from, while the asciidoc source code is available from The PDF versions are also linked directly from the respective project wiki pages on

Cellular Infrastructure: Rhizomatica hackathon on rural GSM based on Osmocom

Added by laforge 11 months ago

Rhizomatica Hackathon in Oaxaca, Mexico

Rhizomatica's goal is to increase access to mobile telecommunications to people without (affordable) coverage. This is done by helping people build and manage their own networks. Currently 16 villages around Oaxaca that have no regular GSM coverage are operating their own GSM network.

Those installations are using the Osmocom Open Source software stack including OsmoBTS and OpenBSC's OsmoNITB.

The recent hackathon by Rhizomatica brought together many different parties involved in community cellular networks from around Oaxaca as well as Nicaragua and Brazil. For this occasion Osmocom project member Daniel was asked to attend in order to hold a workshop on OpenBSC as well as help with problems setting up networks throughout the hackathon. The results were demo sites being successfully set up as well as discussions on future improvements.

During the hackathon, one of the deployments in a village was visited, providing opportunity not only to have a look at the installation, but also to talk to the municipal government operating the network.

Seeing the software we constantly improve being used to bring remote communities closer together was very uplifting.

We hope for many more such deployments, where Open Source Mobile Communications software is used to make a real difference by providing affordable telecommunications services.

For more information about Rhizomatica, see

OpenBSC: OsmoDevCon from March 27 through March 30, 2015

Added by laforge 11 months ago

Dear fellow Osmcoom developers,

it is my pleasure to finally announce the date + venue of OsmoDevCon2015:

  • Date: March 27 through March 30, 2015
  • Place: IN-Berlin, Lehrter Str. 53, Berlin

Like last year, this is an event for developers of the various Osmocom proejects. Reservation and confirmation of reservation is required.

The event is free of charge. The Room is made available by ​IN-Berlin e.V., an Internet related non-profit organization. Lunch catering will be sponsored (so far by sysmocom GmbH, but if any other sponsors come up, we are happy to share the cost).

So all you have to cover is your own travel + accomodation costs, as well as breakfast and dinner. If you are an active developer and cannot afford travel/accomodation, please let me know and I'll see if we can do something about it.

If you would like to attend, please send a message to ​​ applying for registration of the event. The registration deadline is February 20, i.e. one week from now.

There is no detailed schedule of talks yet. I will start a separate discussion suggesting / collecting topics in the next couple of days.

More information is (and will be made) available at OsmoDevCon2015

Further discussion regarding the event should be directed at the mailing list, to avoid cross-posting over the various project-specific lists.

Best regards and happy hacking,


OpenBSC: Status Report on Osmocom's 3G Support

Added by laforge 12 months ago

3G is dead, you may think. From the perspective of large scale operators, that may well be the case, but this is precisely the reason why Open Source support for 3G is becoming increasingly interesting: when the focus for earning money shifts towards LTE infrastructure, the threshold for setting up 3G networks is becoming easier to surpass for everyone else.

We are implementing Iuh support in the Osmocom stack, mostly carried out by employees of sysmocom GmbH1, with highly appreciated (yet undisclosed) external backing.

Iu support in Osmocom will allow using a femto-cell aka hNodeB as BTS, thus enabling UMTS voice (IuCS) and data (IuPS) connectivity using FOSS software from the core network right up to the femto-cell's ethernet jack.

Here is an ASCII art overview of our current aim:

        +------------+           +--------+          +----------+
 UE <-->| hNodeB     |<--Iuh---->| HNB-GW |<--IuCS-->| OsmoCSCN |
 UE <-->| femto cell |     ...-->|        |    ...-->|          |
        |            |           |        |          +----------+
        +------------+<--GTP-U   |        |
                              \  |        |          +------+           +------+
                              |  |        |<--IuPS-->| SGSN |<--GTP-C-->| GGSN |
                              |  +--------+    ...-->|      |   GTP-U-->|      |
                              |                      +------+  /        +------+

                      Iuh                         IuCS/IuPS

NAS                   +----+----+                 +----+----+
Non-Access Stratum    | CC | MM |                 | CC | MM |
- - - - - - - - - - - +----+----+-------+         +----+----+
                      | RANAP   |       |    H    | RANAP   |
Access Stratum        +---------+ HNBAP |    N    +---------+ - - SCCP USER SAP
                      | RUA     |       |    B    | SUA     |  \
                      +---------+-------+    -    +---------+  |
                      |        SCTP     |    G    | SCTP    |  } SIGTRAN
                      +-----------------+    W    +---------+  |
                      |        IP       |         | IP      |  /
                      +-----------------+         +---------+

UE (User Endpoint) MS (Mobile Subscriber) mobile device
CSCN (Circuit Switched Core Network) == OsmoNITB without BSC
(Source: ​ )

3G Data Status

The best news first: in our lab, Daniel has successfully established the first functional UMTS data link!

In other words, the two GTP paths

hNodeB --Iuh--> HNB-GW --IuPS--> SGSN --GTP-C--> GGSN
hNodeB --GTP-U--> GGSN
are already functional in a basic fashion. To test it, you would need to checkout various branches in various git repositories. These shall soon be merged to the respective master branches, but currently, that would be:

  • libasn1c: master
  • asn1c: aper-prefix
  • libosmocore: master
  • libosmo-netif: sysmocom/sctp
  • libosmo-sccp: laforge/wip
  • osmo-iuh: master
  • openbsc: daniel/gprs-iu

3G Voice Status

The voice link (IuCS) still needs some work before even the attempt of a location update will make sense. The point here is that previously, OsmoNITB would combine the roles of BSC with the MSC and further core network components. For Iuh, though, the BSC role is actually embedded in the hNodeB, and thus we are aiming to split the BSC part off of OsmoNITB.

The result will be called OsmoCSCN, CSCN meaning Circuit-Switched-Core-Network, which lives in openbsc.git/openbsc/src/osmo-cscn/ (branch sysmocom/cscn).

OsmoCSCN comprises of "only" the MSC and further CN components. It will feature an IuCS interface, as well as, eventually, a proper A-interface towards 2G BSCs, thus obsoleting the OsmoNITB at some point.

Implementing OsmoCSCN is mostly my task, and after sinking some time into training my eye on the fine line between BSC and MSC, I've finally started actual development with the dawn of 2016.

3G in a Nutshell

Let me illustrate some details of the Iu interfaces. The following is basically Harald's 3G talk at the 32c32, but with the sheer abundance of complexity it can't hurt to read it in prose.


The HNB-GW, i.e. the HomeNodeB Gateway, merely reads the CN-DomainIndicator from the RUA layer, which says whether the frame is for voice or data comms (IuCS or IuPS). It then sends the actual RANAP payload either to the OsmoCSCN or the OsmoSGSN. The HNB-GW is implemented in osmo-iuh/src/hnbgw.c, compiling as osmo-hnbgw, and is (mostly?) complete.

An interesting factoid is that for an hNodeB, the GTP-Control handshaking goes via the HNB-GW, while the packet user data actually goes directly to/from the hNodeB and the GGSN.


HNBAP is merely the protocol employed to register an hNodeB with the HomeNodeB Gateway. After HNBAP is done, the hNodeB sends RANAP-over-RUA, which the HNB-GW happily passes on to the proper consumers.


Typically, the IuCS and IuPS interfaces would talk this layering of protocols:

  SCCP  <--- note
  M3UA  <--- note

We do have SCCP support in Osmocom, but so far only for "connectionless" messages (like your standard UDP datagrams). Iu now adds the need for establishing and tearing down connections (like TCP).

However, since SUA does the same as SCCP-over-M3UA and is simpler to implement, our HNB-GW talks SUA towards IuCS and IuPS:

  SUA   <--- note

To support third-party MSC and SGSN components, we would either add SCCP-over-M3UA capability, or simply use an external signalling gateway that supports both M3UA and SUA (should be possible e.g. with osmo_ss73).

Various SIGTRAN implementations:

                   |     simplest
                   |       |
                   v       v
  | SCCP | SCCP |      |     |
  +------+------+ SCCP |     |
  | MTP3 | MTP3 |      |     |
  +------+------+------+ SUA |
  | MTP2 |      |      |     |
  +------+ M2UA | M3UA |     |
  | M2PA |      |      |     |
  |           SCTP           |
  |            IP            |

ASN1 Convolutions

RANAP, RUA and HNBAP, which make up the Iuh interface, are ASN1 encoded. Fair enough, but their ASN1 encoding uses APER, and heavily employs Information Object Classes (which basically means it wraps ASN1 encoded binary data in ASN1 IEs, with several levels of depth). In consequence, the libre asn1c compiler as-is unfortunately is not capable of generating de-/encoders for UMTS. The proprietary ffasn1c is capable of that, and we could publish the ffasn1c generated code without licensing problems, but we'd highly prefer to empower the FOSS community with the ability to modify and fix the ASN1 de-/encoders independently of proprietary software.

The great news is that Eurecom4 has worked on supporting both APER and the nested ASN1 structures ("Information Object Classes") in asn1c, and we are able to use their solutions in a FOSS way. With some fixes added, we have both their APER support and their pythonic solution for nested ASN1 available in Osmocom's libasn1c and asn1c git repositories5.

Another problem with the Iuh ASN1 is that various type names are identical across RANAP, RUA and HNBAP, while their encodings differ. This causes type name collisions in the code generated by asn1c, hence we have added prefixing support to our version of asn1c. This simply means that each RANAP-related type name or function begins with "ranap_", and RUA names begin with "rua_", thus avoiding any and all name collisions between those protocols. See osmo-iuh/include/osmocom/ranap/ and ../rua/.

It could be more beautiful, but the bottom line is that we now have fully free/libre support for Iuh ASN1 encodings. Cheers!


Osmocom is on a clear trajectory towards full 3G support, empowering remote communities and small to medium businesses worldwide. Work is ongoing, but the really hard problems have already been solved. Stay tuned!

External References

1 ​

2 ​

3 ​

4 ​

5 See ​ and ​


Also available in: Atom