Emi-firmware » History » Version 15
jolly, 02/19/2016 10:49 PM
| 1 | 1 | jolly | = OsmocomBB EMI Firmware = |
|---|---|---|---|
| 2 | |||
| 3 | 2 | jolly | [[Image(emi-firmware:emi_main.jpg)]] |
| 4 | |||
| 5 | 1 | jolly | == Introduction == |
| 6 | |||
| 7 | 9 | jolly | OsmocomBB EMI is a tool to generate GSM RF interferences. It can be used to test how GSM radiation affects other equipment, e.g. amplifiers, radios and wireless devices. It is capable of transmitting in all regular GSM bands (1800, 1900, 850, 900), up-link and down-link. Because it only transmits, no filter rework is required. There are several test patterns, from SDCCH on a single time slot to PDCH on 5 time lots. |
| 8 | 1 | jolly | |
| 9 | 6 | jolly | == Branch == |
| 10 | 4 | jolly | |
| 11 | 9 | jolly | Check out jolly/emi branch of OsmocomBB GIT. It contains the EMI app and Sylvain's TRX hack, which is required to transmit multiple bursts per frame. |
| 12 | 4 | jolly | |
| 13 | 1 | jolly | == Settings == |
| 14 | |||
| 15 | 9 | jolly | Use left function key (left button below display) to toggle between DCS1800 and PCS1900 band. This is only required for ARFCN rage from 512 to 810. |
| 16 | 1 | jolly | |
| 17 | 9 | jolly | Use right function key to toggle between up-link (interference of a mobile station) and down-link (interference of a base station). |
| 18 | 1 | jolly | |
| 19 | 9 | jolly | To change ARFCN, enter digits and acknowledge with right function key. Press or hold right or left cursor buttons to adjust current selected ARFCN. |
| 20 | 1 | jolly | |
| 21 | 11 | jolly | Press the menu button (black center button) to select a test pattern (scroll up and down) and acknowledge with the right function key. Test patterns are: |
| 22 | |||
| 23 | * SDCCH |
||
| 24 | * TCH/F (1-5 time slots) |
||
| 25 | * TCH/H |
||
| 26 | * TCH/F (TCH/H) using DTX |
||
| 27 | * PDCH download (sending acknowledgments) |
||
| 28 | * PDCH upload (1-5 time slots) |
||
| 29 | * RACH (single Access Burst) |
||
| 30 | 1 | jolly | |
| 31 | == Operation == |
||
| 32 | 2 | jolly | |
| 33 | 14 | jolly | '''Note: This device transmits at frequencies that require a license in most countries. Only use this device, if you have a license for the selected ARFCN or if you use it inside a Faraday cage''' |
| 34 | 1 | jolly | |
| 35 | Press the green button (off-hook) to start transmitter. The transmit power is shown. |
||
| 36 | |||
| 37 | Turn off transmitter by pressing green button again or by pressing red button (on-hook). |
||
| 38 | |||
| 39 | To increase or decrease TX power, press or hold up and down cursor buttons. |
||
| 40 | 8 | jolly | |
| 41 | ==== RACH Burst ==== |
||
| 42 | |||
| 43 | 9 | jolly | In case of test pattern "RACH", real Access Bursts can be transmitted. Access bursts are shorter than Normal Burst. When this test pattern is selected, transmit power is always shown on the display, but nothing is transmitted. To transmit a single Access Burst, press the green button (off-hook). Whenever the green button is pressed again, an Access Burst is transmitted. |
| 44 | 1 | jolly | |
| 45 | == Simulation == |
||
| 46 | |||
| 47 | When transmitter is on, the transmitted bursts can be made audible on the phone's buzzer. To increase volume, press or hold # key. To decrease, press or hold * key. |
||
| 48 | 4 | jolly | |
| 49 | 15 | jolly | == Remote Control == |
| 50 | |||
| 51 | Remote control can be performed by using 'osmocli', a special command line tool or the echo command or own applications. |
||
| 52 | |||
| 53 | ==== Osmo-CLI ==== |
||
| 54 | |||
| 55 | After running EMI-App on the phone, stop osmocon, if running, and run osmocli. Enter 'help' and 'template help' for a list of commands: |
||
| 56 | |||
| 57 | {{{ |
||
| 58 | src/host/osmocon/osmocli -p /dev/ttyUSB0 |
||
| 59 | help |
||
| 60 | Available commands: |
||
| 61 | help this text |
||
| 62 | arfcn <ARFCN> Absolute radio frequency number |
||
| 63 | dcs Use DCS1800 for ARFCN 512..810 |
||
| 64 | pcs Use PCS1900 for ARFCN 512..810 |
||
| 65 | uplink Use uplink bands |
||
| 66 | downlink Use downlink bands |
||
| 67 | template <template> Select template, use 'template help' for a list. |
||
| 68 | power <dBm> | off Set transmitter power 0..30 |
||
| 69 | volume 0..10 Set buzzer volume |
||
| 70 | |||
| 71 | template help |
||
| 72 | Available templates: |
||
| 73 | template sdcch - SDCCH |
||
| 74 | template tchf - TCH/F |
||
| 75 | template tchf2 - TCH/F (2 TS) |
||
| 76 | template tchf3 - TCH/F (3 TS) |
||
| 77 | template tchf4 - TCH/F (4 TS) |
||
| 78 | template tchf5 - TCH/F (5 TS) |
||
| 79 | template tchh - TCH/H |
||
| 80 | template dtx - TCH/F(H) DTX |
||
| 81 | template pdchack - PDCH (ack) |
||
| 82 | template pdch - PDCH |
||
| 83 | template pdch2 - PDCH (2 TS) |
||
| 84 | template pdch3 - PDCH (3 TS) |
||
| 85 | template pdch4 - PDCH (4 TS) |
||
| 86 | template pdch5 - PDCH (5 TS) |
||
| 87 | template rach - RACH |
||
| 88 | }}} |
||
| 89 | |||
| 90 | ==== echo ==== |
||
| 91 | |||
| 92 | Alternatively the echo command can be used: |
||
| 93 | |||
| 94 | {{{ |
||
| 95 | stty -F /dev/ttyUSB0 115200 |
||
| 96 | echo -ne "~\012\003power 0~" >/dev/ttyUSB0 |
||
| 97 | }}} |
||
| 98 | |||
| 99 | The phone should start transmitting with power level 0. |
||
| 100 | |||
| 101 | ==== Own application ==== |
||
| 102 | |||
| 103 | The following sequence must be sent via serial at 115200 baud 8n1, to form a valid command: |
||
| 104 | |||
| 105 | {{{ |
||
| 106 | 0x7e 0x0a 0x03 <command as ASCII code> 0x7e |
||
| 107 | }}} |
||
| 108 | |||
| 109 | Example "power 0": |
||
| 110 | |||
| 111 | {{{ |
||
| 112 | 0x7e 0x0a 0x03 0x70 0x6f 0x77 0x65 0x72 0x20 0x30 0x7e |
||
| 113 | }}} |
||
| 114 | |||
| 115 | 4 | jolly | == Restrictions == |
| 116 | |||
| 117 | 5 | jolly | * GSM 850 and 900 will not allow to go down lower than 4 dBm, even if displayed so. |
| 118 | 10 | jolly | * TX power of patters with multiple times lots will always be 30 dBm (about 1 Watts). |
| 119 | * Access Bursts are always sent on up-link bands. |
||
| 120 | 14 | jolly | * The bursts, except for Access Bursts do not carry valid data, they are just Dummy Bursts. |
| 121 | 12 | jolly | |
| 122 | == Burst Templates (informative) == |
||
| 123 | |||
| 124 | Note: '*' represents transmission, '-' represents no transmission. Each character represents one frame. |
||
| 125 | |||
| 126 | 13 | jolly | When SDCCH is selected, two alternating 51-multiframes are transmitted in a loop: (The 4 bursts on the left represent SDCCH, the 4 bursts to the right represent SACCH.) |
| 127 | 12 | jolly | |
| 128 | {{{ |
||
| 129 | ---------------****----------------------------**** |
||
| 130 | ---------------****-------------------------------- |
||
| 131 | }}} |
||
| 132 | |||
| 133 | |||
| 134 | 13 | jolly | When TCH/F is selected, a 26-multiframe is transmitted in a loop: (Each block of 12 bursts represent 3 interleaved TCH frames, the first single burst represent SACCH, the second single burst represents IDLE burst.) |
| 135 | 12 | jolly | |
| 136 | {{{ |
||
| 137 | 13 | jolly | ************ * ************ - |
| 138 | 12 | jolly | }}} |
| 139 | |||
| 140 | |||
| 141 | 13 | jolly | When TCH/H is selected, a 26-multiframe is transmitted in a loop: (Both blocks of 12 bursts represent 3 interleaved TCH frames, the first single burst represent SACCH, the second single burst represents IDLE burst.) |
| 142 | 12 | jolly | |
| 143 | {{{ |
||
| 144 | 13 | jolly | *-*-*-*-*-*- * *-*-*-*-*-*- - |
| 145 | 12 | jolly | }}} |
| 146 | |||
| 147 | |||
| 148 | 13 | jolly | When TCH/F / TCH/H DTX is selected, a 26-multiframe is transmitted in a loop: (Both blocks of 12 bursts are IDLE due to DTX, the first single burst represent SACCH, the second single burst represents IDLE burst.) |
| 149 | 12 | jolly | |
| 150 | {{{ |
||
| 151 | 13 | jolly | ------------ * ------------ - |
| 152 | 12 | jolly | }}} |
| 153 | |||
| 154 | |||
| 155 | 13 | jolly | When PDCH (ack) is selected, the following 52-multiframes are transmitted in a loop: (This a download scenario, where only acknowledgement packets are transmitted. Each block of 12 bursts represent 3 MAC blocks, the single bursts represent the PTCCH/U.) |
| 156 | 12 | jolly | |
| 157 | {{{ |
||
| 158 | ************ * ****-------- - ****----**** - ------------ - |
||
| 159 | ------------ - ----****---- - ------------ - ----****---- - |
||
| 160 | ----******** - ************ - ****-------- - ****----**** - |
||
| 161 | ------------ - ------------ - ----****---- - ------------ - |
||
| 162 | ----****---- - ----******** - ************ - ****-------- - |
||
| 163 | ****----**** - ------------ - ------------ - ----****---- - |
||
| 164 | ------------ - ------------ - ------------ - ------------ - |
||
| 165 | ****-------- - ------------ - ****-------- - ----******** - |
||
| 166 | ************ * ****-------- - ****-------- - ****-------- - |
||
| 167 | ------------ - --------**** - ------------ - ------------ - |
||
| 168 | ----****---- - ------------ - ----****---- - ----******** - |
||
| 169 | ************ - ****-------- - ****----**** - ------------ - |
||
| 170 | ------------ - ----****---- - ------------ - ------------ - |
||
| 171 | ****-------- - ------------ - ****-------- - ************ - |
||
| 172 | ************ - ****-------- - ********---- - ------------ - |
||
| 173 | ------------ - ****-------- - ------------ - ****-------- - |
||
| 174 | ************ * ********---- - ------------ - ********---- - |
||
| 175 | ------------ - ------------ - ****-------- - ------------ - |
||
| 176 | ****-------- - ************ - ************ - ****-------- - |
||
| 177 | ********---- - ------------ - ------------ - ****-------- - |
||
| 178 | ------------ - --------**** - ------------ - ------------ - |
||
| 179 | ----****---- - ------------ - ----****---- - ----******** - |
||
| 180 | ************ - ****-------- - ****----**** - ------------ - |
||
| 181 | ------------ - ----****---- - ------------ - ----****---- - |
||
| 182 | ----******** * ************ - ****-------- - ****----**** - |
||
| 183 | ------------ - ------------ - ----****---- - ------------ - |
||
| 184 | ------------ - ****-------- - ------------ - ****-------- - |
||
| 185 | ************ - ********---- - ------------ - ********---- - |
||
| 186 | ------------ - ------------ - ****-------- - ------------ - |
||
| 187 | --------**** - ------------ - ----****---- - --------**** - |
||
| 188 | ************ - ********---- - --------**** - ****-------- - |
||
| 189 | ------------ - --------**** - ------------ - ----****---- - |
||
| 190 | }}} |
||
| 191 | |||
| 192 | |||
| 193 | 13 | jolly | When PDCH is selected, the following 52-multiframes are transmitted in a loop: (This an upload scenario, where packets are transmitted. Each block of 12 bursts represent 3 MAC blocks, the single bursts represent the PTCCH/U.) |
| 194 | 12 | jolly | |
| 195 | {{{ |
||
| 196 | ************ * ************ - ************ - ************ - |
||
| 197 | ************ - ************ - ************ - ************ - |
||
| 198 | ************ - ************ - ************ - ************ - |
||
| 199 | ************ - ************ - ************ - ************ - |
||
| 200 | ************ - ************ - ************ - ************ - |
||
| 201 | ************ - ************ - ************ - ************ - |
||
| 202 | ************ - ************ - ************ - ************ - |
||
| 203 | ************ - ************ - ************ - ************ - |
||
| 204 | }}} |
