Cellular Network Infrastructure » Radio Access Network » OsmoBSC

The ip.access nanoBTS are small BTS with an A-bis over IP interface.  It's about the size of a WiFi access point.

There are multiple variants of the nanoBTS, most notably

 * the nanoBTS900 for GSM900

  * supports FR, EFR, AMR speech codecs

  * supports TCH/F and TCH/H based telephony

  * supports GPRS

 * the nanoBTS1800 for GSM1800, plus a GSM1900 variant thereof (almost identical hardware)

  * they support EDGE in addition to GPRS

The A-bis over IP interface is spoken over a  100-base-TX Ethernet as physical layer.  Power over Ethernet (PoE) is used as

a power supply to the nanoBTS.

A-bis RSL and OML are encapsulated by a small additional header; each run in their own TCP session.  Instead of A-bis TRAU frames, the actual TCH speech data is inside RTP/UDP.  Details are indicated below.

The OpenBSC project has never received any protocol specification or other detailed information about the nanoBTS hardware.  All

information here and in the source code was derived by looking at protocol traces of actual nanoBTS installations.

== Deploying a new nanoBTS ==

The unconfigured ip.access nanoBTS needs to be configured as follows

 * The BTS is configued to automatically obtain an IP address via DHCP

 * The BTS is listening on UDP port 3006 for broadcast packets (e.g. should be found by ipaccess-find)

  * a typical response by ipaccess-find will be

{{{

Trying to find ip.access BTS by broadcast UDP...

MAC Address='00:01:02:03:04:05'  IP Address='192.168.100.123'  Unit ID='65535/0/0'  Location 1=''  Location 2='BTS_NBT131G'  Equipment Version='165a029_55'  Software Version='168a302_v142b13d0'  Unit Name='nbts-00-02-95-00-4E-B3'  Serial Number='00123456'  

}}}

 * The BTS is listening on TCP port 3006 for incoming Abis-over-IP connections. This is called ''Secondary OML Link''

 * The BTS has an unconfigured Unit ID (65535/0/0) and will refuse to work until a Unit ID has been set

 * You can set the Unit ID and Primarly OML IP using ipaccess-config as follows:

{{{

$ ./ipaccess-config -u 1801/0/0 -o 192.168.100.11 -r 192.168.100.122

ipaccess-config (C) 2009 by Harald Welte

This is FREE SOFTWARE with ABSOLUTELY NO WARRANTY

Trying to connect to ip.access BTS ...

OML link established

setting Unit ID to '1801/0/0'

setting primary OML link IP to '192.168.100.11'

restarting BTS

Thu Apr 30 18:18:48 2009 <0020> abis_nm.c:2016 IPACCESS(0xf0): SET NVATTR ACK

Thu Apr 30 18:18:48 2009 <0020> abis_nm.c:2016 IPACCESS(0xf0): SET NVATTR ACK

}}}

 * Once a Unit ID and the Primary OML link IP address has been set, the BTS will try to connect to the BSC (tcp port 3002)

{{{

18:22:49.801584 IP 192.168.100.122.48000 > 192.168.100.11.3002: Flags [S], seq 3405259716, win 16000, options [mss 1460], length 0

}}}

== A-bis over IP protocol ==

This is the description of the A-bis over IP protocol as we have reverse engineered it by looking at protocol traces between a commercial BSC and a nanoBTS.  We did not and do not have access to the protocol specification of ip.access.

=== Common Header ===

Inside the TCP and UDP packets connection, every message is prefixed by a three-byte header:

{{{

struct ipaccess_head {

        u_int16_t len; /* network byte order */

        u_int8_t proto;

} __attribute__ ((packed));

}}}

where the first byte is zero, the second byte indicates the length of the message payload following the header, and the third byte indicates the protocol.  The following protocol values have been observed:

 * 0x00 RSL messages as per GSM 08.58

 * 0xfe ip.access specific messages

 * 0xff OML messages as per GSM 12.21

The ip.access specific messages that we have seen are of the following message types (message type is the first byte behind the ipaccess_head):

 * 0x00 PING (from BTS to BSC)

 * 0x01 PONG (from BSC to BTS), indicates that the link is still alive

 * 0x04 Identity Get (from BSC to BTS)

 * 0x05 Identity Response (from BTS to BSC)

 * 0x06 Identity confirm (both ways, BTS->BSC is a request, BSC->BTS is acknowledgement)

=== OML Signalling Link ===

After obtaining an IP address from DHCP, the nanoBTS will attempt to make TCP connections to a IP address and port number pre-configured in the device.  The standard port seems to be 3002.

==== vendor-specific OML messages ====

vendor-specific OML messages use a specific format but are closely following the spirit of GSM TS 12.21.

Look at the ''abis_nm_ipaccess_msg()'' function in ''abis_nm.c'' if you want to know the details.

=== RSL Signalling Link ===

There is a vendor-specific OML command 0xe0, which basically corresponds to what the usual ''Connect Terrestrial Signalling'' does.  Instead of connecting te RSL link to a specific TEI on a E1 timeslot, it connects the RSL link to a specified TCP port (and optionally IP address).

After this command is issued (and acknowledged by 0xe1), the BTS will initiate a TCP connection to the specified TCP port.

==== vendor-specific RSL messages ====

There are a couple of vendor-specific RSL messages extending 08.58 to accommodate the IP-based link.

They all use the GSM 08.85 message discriminator 0x7e

===== 0x70 BIND =====

This command binds a given on-air timeslot to a BTS-local RTP port.

Attributes:

 * 0x01 GSM 08.58 Channel Number (same as BIND)

===== 0x71 BIND ACK =====

This message (BTS->BSC) acknowledges the BTS-local bind.

Attributes:

 * 0x01 GSM 08.58 Channel Number (same as BIND)

 * 0xf8 unknown, maybe something like local RTP instance number, fixed length two bytes.

 * 0xf3 local RTP port number, fixed length 2 bytes

 * 0xf5 local IP address, fixed length 4 bytes

 * 0xfc unknown, fixed length 1 byte, content 0x7f

===== 0x73 CONNECT =====

This command (BSC->BTS) instructs the BTS to connect a given GSM channel (timeslot) to the remote end

Attributes:

 * 0x01 GSM 08.58 Channel Number (on-air timeslot)

 * 0xf8 unknown, maybe something like local RTP instance number, fixed length two bytes.

 * 0xf0 remote IP address, fixed length 4 bytes

 * 0xf1 remote RTP port number, fixed length 2 bytes

 * 0xf4 unknown, fixed length 1 byte, content 0x01

 * 0xfc unknown, fixed length 1 byte, content 0x7f

===== 0x74 CONNECT ACK =====

This message (BTS->BCS) confirms the successful CONNECT operation

Attributes:

 * 0x01 GSM 08.58 Channel Number (on-air timeslot)

 * 0xf8 unknown, maybe something like local RTP instance number, fixed length two bytes.

===== 0x76 DISCONNECT INDICATION =====

This message (BTS->BSC) indicates a terminated RTP connection

Attributes:

 * 0x01 GSM 08.58 Channel Number (on-air timeslot)

 * 0xf8 unknown, maybe something like local RTP instance number, fixed length two bytes.

 * 0xf6 unknown, TLV with one byte length, content zero

 * 0x1a GSM 08.58 Cause

=== TRAU link ===

Not yet reverse engineered.

There are streams of RTP-in-UDP packets to the ''remote IP'' and ''remote port'' that were indicated by the ''CONNECT'' message in RSL.

There are also regular RTCP packets on the port number plus 1.

==== RTP ====

The packets are according to RFC1889 (RTP Version 2), the payload type is set to 127, which is a dynamically allocated payload type.

They have sequence number and timestamp as well as 31 bytes of payload.  It seems the payload first 4 bits are always 0xC, reducing

the actual payload to 30.5 bytes.

As it seems, the FR and EFR RTP payload format follows the specification in section 4.5.8 and 4.5.9 of RFC3551 (

see http://www.ietf.org/rfc/rfc3551.txt)

==== RTCP ====

It seems that about every 3 seconds there is a RTCP packet, containing a source description and sender report.

== Wireshark dissector ==

We have developed a dissector for the popular wireshark network protocol analyzer.   The dissector has been merged into

the current wireshak development versions.  For older versions, the patch can be found in our git tree or at this location: http://bs11-abis.gnumonks.org/trac/browser/wireshark/abisip.patch

Furthermore, there is a patch for adding the ip.access specific RSL extensions to the packet-rsl.c dissector at http://bs11-abis.gnumonks.org/trac/browser/wireshark/rsl-ipaccess.patch

There's also a A-bis OML dissector plugin available from http://bs11-abis.gnumonks.org/trac/browser/wireshark/abis_oml.patch

Once the code has stabilized more, we plan to submit this for inclusion into wireshark mainline.