News

Posted almost 14 years ago
During my work on airprobe and OsmocomBB I've been wondering why you see paging by IMSI in real-world GSM networks.

A quick recap: The IMSI is the world-wide unique serial number of your SIM. Since it is easy to identify and track people, the TMSI was introduced as a temporary identifier that is frequently re-allocated over encrypted channels. The only reason for the TMSI to exist is to prevent tracking of a subscriber by watching where his IMSI appears on the paging channel. According to the theory, the IMSI is only used when first registering to any GSM network. At that time, a TMSI is allocated to the SIM card in the phone, and this TMSI is used for the next transaction(s). Later, this TMSI is re-allocated and re-allocated, but the IMSI shouldn't show up again in any paging requests. Even if you switch mobile networks (i.e. in the roaming case), you would once send the IMSI as part of a LOCATION UPDATE REQUEST or IDENTITY RESPONSE, but the network has no need to page the SIM by IMSI. So far the theory.

If you look at the Paging Channel (PCH) of cells in real-world networks, you see a significant (10-20%) amount of paging requests that contain paging by IMSI. This seems strange at first sight, given the theory described above. I have the following plausible explanation for this:

The VLR keeping the IMSI-TMSI mappings doesn't have non-volatile storage. This means at a VLR restart, all the TMSI allocations will be lost, and the network has to resort to paging by IMSI.

The VLR has a limited amount of RAM, which can store a limited number of IMSI-TMSI mappings. Especially if the operator is interested in saving money, the amount of memory is insufficient for all subscribers in the network. This means the VLR will expire some old entries in the mapping table to store new entries. Thus, mobile phones whose last transaction with the GSM network was relatively long ago are likely candidates for such VLR expiration. Once a phone for an expired entry needs to be paged again, paging will happen by IMSI.

Last, but not least: GSM networks do not page a phone by the last known cell, but by the last known location area of the phone. A location area might be relatively big. This means that at any cell you will see a lot of paging messages, even for phones that are not even anywhere near this cell. If there is no response within the location area, the MSC might decide to do paging on a larger radius, possibly the entire MSC area. Since such MSC-wide paging is likely to occur for phones that haven't shown activity for a long time (and thus might have moved or disappeared without properly unregistering from the network), those are the exact same phones for which the IMSI-TMSI mappings have expired from the VLR. Thus, the rate of paging-by-IMSI looks disproportionately high.

So the relatively high percentage of paging by IMSI vs. TMSI should not be taken as a measurement with regard to the total number of transactions or even the total number of subscribers. It is simply the mechanics of the network resulting in a distortion of those figures caused by phones that have never properly unregistered from the network.
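As an added example (not code from the original post, nor from airprobe or OsmocomBB), the following Python decodes GSM 04.08 Paging Request Type 1 messages out of CCCH blocks and tallies how many pagings carry an IMSI versus a TMSI, which is the ratio the post discusses. The sample blocks are constructed and the IMSI and TMSI values in them are made up; the layout follows GSM 04.08 sections 9.1.22 (Paging Request Type 1) and 10.5.1.4 (Mobile Identity).

```python
from collections import Counter

# Mobile Identity "type of identity" codes (GSM 04.08 10.5.1.4, octet 3 bits 3..1)
MI_TYPE = {0b001: "IMSI", 0b010: "IMEI", 0b011: "IMEISV", 0b100: "TMSI"}
RR_PD, PAGING_REQUEST_TYPE1 = 0x06, 0x21   # RR protocol discriminator, message type
MI2_IEI = 0x17                             # optional Mobile Identity 2 is TLV with this IEI


def decode_mobile_identity(value: bytes):
    """Decode one Mobile Identity IE value into (type name, identity string)."""
    if not value:
        return ("NONE", "")
    kind = MI_TYPE.get(value[0] & 0x07, "UNKNOWN")
    if kind == "TMSI":                     # octet 3 is 0xF4, the TMSI follows as 4 octets
        return (kind, value[1:5].hex())
    odd = bool(value[0] & 0x08)            # bit 4: odd number of BCD digits
    digits = [str(value[0] >> 4)]          # digit 1 sits in the high nibble of octet 3
    for b in value[1:]:
        digits.append(str(b & 0x0F))       # even-numbered digit: low nibble
        digits.append(str(b >> 4))         # odd-numbered digit: high nibble
    if not odd:
        digits.pop()                       # last high nibble was the 0xF filler
    return (kind, "".join(digits))


def paged_identities(block: bytes):
    """Identities carried by one CCCH block holding a Paging Request Type 1."""
    l3 = block[1:1 + (block[0] >> 2)]      # L2 pseudo length octet: length in bits 8..3
    if len(l3) < 4 or l3[0] != RR_PD or l3[1] != PAGING_REQUEST_TYPE1:
        return []                          # some other message; nothing paged here
    pos = 3                                # skip PD, message type, page mode/channels needed
    ids = [decode_mobile_identity(l3[pos + 1:pos + 1 + l3[pos]])]
    pos += 1 + l3[pos]
    if pos + 1 < len(l3) and l3[pos] == MI2_IEI:
        ids.append(decode_mobile_identity(l3[pos + 2:pos + 2 + l3[pos + 1]]))
    return ids


def imsi_paging_share(blocks):
    """Count paged identity types and return (counter, fraction paged by IMSI)."""
    counts = Counter(kind for b in blocks for kind, _ in paged_identities(b))
    total = counts["IMSI"] + counts["TMSI"]
    return counts, (counts["IMSI"] / total if total else 0.0)


def ccch_block(l3_hex: str) -> bytes:
    """Constructed helper: prepend the L2 pseudo length and pad to a 23-octet block."""
    l3 = bytes.fromhex(l3_hex)
    return bytes([(len(l3) << 2) | 0x01]) + l3 + b"\x2b" * (22 - len(l3))


# Constructed sample capture: one TMSI, one IMSI (262 01 0123456789), then two TMSIs
SAMPLE_BLOCKS = [
    ccch_block("06210005f4aabbccdd"),
    ccch_block("062100082926101032547698"),
    ccch_block("06210005f4112233441705f455667788"),
]

if __name__ == "__main__":
    counts, share = imsi_paging_share(SAMPLE_BLOCKS)
    print(dict(counts), f"paging by IMSI: {share:.0%}")
```

Run over a real PCH capture, the same tally gives the percentage the post quotes, and splitting it per location area or per hour of the day shows whether the IMSI pagings cluster the way the VLR-expiry explanation predicts.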
Posted almost 14 years ago
I've just returned back from the First OpenBTS workshop held by David Burgess and hosted by Dieter Spaar in south-east Bavaria (Germany). While I'm not involved with OpenBTS so far (except for using it occasionally), I still thought the community surrounding Free Software / Open Source in the GSM field is small enough to make me participate. At the request of the participants, I also did a short demonstration of both OpenBSC and OsmocomBB. And just like I managed to crash OpenBTS by accidentally sending invalid messages, my OpenBSC demo crashed at some point due to a not-yet-known bug regarding SMS delivery. I suppose the intrusive changes of the BSC/MSC split are to be blamed for that. But I don't mind, we need that split... I definitely had a great time meeting the participants of the workshop. There definitely is a very diverse crowd with equally diverse reasons for their interest in using and/or deploying OpenBTS. Finally, there was a chance to discuss the need for a common 'application interface' in both OpenBSC and OpenBTS. Using that interface, external applications (e.g. implementing USSD or RRLP) could be written in a way to work with both OpenBTS and OpenBSC. I hope we can get started on this soon and remove another bit of fragmentation in what is already a fairly small special interest community... Given the excellent weather conditions, the motorbike ride to and from the venue went fine - despite being at 650 km distance from my home.
Posted almost 14 years ago by [email protected] (zecke)
I am very excited by the Qt Quick technology and I have finally found a reason to use it and gain some experience with it, and want to report from my first hours of exploring it. The first time I saw Declarative UI was with Enlightenment and the Edje framework. I liked it so much that I registered Epicenter five years ago. The plan was to create a handheld framework using declarative UI.

Now Qt Quick is not just a copycat of Edje but adds some nice improvements over it. The first one is the usage of JavaScript instead of the C-like language, better integration with Qt's Object Model (properties) and libraries/plugins. From my observation at Openmoko, our developers kept a set of C preprocessor macros around to do coming things with edje; with Quick it seems to be better as one can import libraries and such.

The most common mistake I have made so far is dealing with the width/height of an Item. In my case I created an Item, placed a MouseArea (to deal with user input) of the size of the parent (anchors.fill: parent) in it and then also added some Text (as sibling). Now it appears possible that the Text is bigger than the parent item. For performance reasons no clipping is done by default so it renders just fine, just clicking doesn't work. Which is bringing me to my debug trick... I place a Rectangle { anchors.fill: parent; color: 'blue' } inside my item and then I actually see where it is. Another nice thing would be an X-ray view showing the border of each item and their id, but only in black and white. My solution for this problem so far (from my first hours of using it) is to either use a Row/Column, which seems to get the width/height updated based on its children, or in some cases place a width/height inside the Item itself.

This is bringing me to the biggest issue with the qmlviewer and also an idea on how to resolve it... In the last couple of months I started to contribute to GNU Smalltalk and to look more into Self, Smalltalk-80 and such. The clever Xerox PARC people invented Model-View-Controller as part of Smalltalk-80; Qt adopted some parts of it with Qt4. In the meantime something called Morphic emerged. Morphic is a direct-manipulation User Interface. This means one is creating the UI inside a running UI by composing it from simple objects (just like Quick). In contrast to it one can inspect each element and interact with it, change it at runtime without restarting. This allows faster changes, and easier debugging in case something goes wrong. E.g. it easily answers the question of what is the width of that?

So for the immediate future I would like to see something like the WebKit inspector emerge for QML. This would allow inspecting the scene graph, changing it from the console, having some simple hit testing to inspect one element, having the JavaScript Debugger and Profiler available, the timeline... and I am pretty sure I am not the first one to want it.
Posted almost 14 years ago
Remember this man's name; in my opinion he is a true visionary. Pranav Mistry, a young research assistant at MIT, has for years been interested in methods of bringing the digital world and the physical world closer together. His solutions are both simple and brilliant. In this talk from November 2009, the first 5 minutes, where he explains his approach and his earlier ideas, are already very interesting. But what follows is simply astounding! His latest project, called sixthsense, frees itself from the traditional screen-keyboard-mouse by combining a webcam, a pico projector and a mobile phone with very specific applications. The (indescribable) result goes beyond augmented reality as it is currently conceived, because it makes it possible to project digital information onto real objects and to let the two worlds interact. One has the impression of diving through to the other side of the mirror, rather than the mirror reflecting our data onto reality! Icing on the cake: his wish is to share his discoveries with as many people as possible, thanks to open source software and low-cost hardware techniques. More information at: http://www.pranavmistry.com/projects/sixthsense/
Posted almost 14 years ago
This week’s book is Brave New World by Aldous Huxley: A dystopian novel predicting the future under the extreme dehumanizing effects of scientific and mass-production “progress”. And I must begin by saying that, as a work of literature (for me at least) it’s extremely hard to dissect! Like many great thinkers far ahead of their time, Huxley’s novel received nearly universal criticism from his contemporary critics. Now, it is considered one of the greatest novels of the 20th century.

632 years after Henry Ford first mass-produced the Model T, begins Huxley’s story. Stability of the State (called the World State in the novel) is maintained through biological engineering and psychological conditioning. Citizens are not born, they’re “hatched” to fill specific societal roles. Everything and everyone is planned, controlled, and exploited as a form of State utility. Here’s Mustapha Mond, the “Controller” of the Western European zone, describing the World State:

“In a properly organized society like ours, nobody has any opportunities for being noble or heroic. Conditions have got to be thoroughly unstable before the occasion can arise. When there are wars, where there are divided allegiances, where there are temptations to be resisted, objects of love to be fought for or defended – there, obviously, nobility and heroism have some sense. But there aren’t any wars nowadays. The greatest care is taken to prevent you from loving anyone too much. There’s no such thing as a divided allegiance; you’re so conditioned that you can’t help doing what you ought to do.”

Beyond the confines of the World State exist reservations with populations of “savages” – those few who still engage in love, childbirth, and die of old age. At its core, Brave New World is a tale of one Savage, named John, who is brought back into the World State and becomes deeply disillusioned. Both a satirical look and a blueprint of a possible future, we are made witness to a world run amok with totalitarianism and scientific propaganda. Take this passage, for example, where the Savage is speaking to a Controller:

“Isn’t there something in living dangerously?” “There’s a great deal in it,” the Controller replied. “Men and women must have their adrenals stimulated from time to time.” “What?” questioned the Savage, uncomprehending. “It’s one of the conditions of perfect health. That’s why we’ve made the V.P.S. treatments compulsory.” “V.P.S.?” “Violent Passion Surrogate. Regularly once a month. We flood the whole system with adrenin. It’s the complete physiological equivalent of fear and rage. All the tonic effects of murdering Desdemona and being murdered by Othello, without any of the inconveniences.” “But I like the inconveniences.” “We don’t,” said the Controller. “We prefer to do things comfortably.” “But I don’t want comfort. I want God, I want poetry, I want real danger, I want freedom, I want goodness. I want sin.” “In fact,” said Mustapha Mond, “you’re claiming the right to be unhappy.” “All right then,” said the Savage defiantly, “I’m claiming the right to be unhappy.”

I find Brave New World fascinating perhaps because Huxley is such a deeply pessimistic man and I am such the optimist. His morbid fixation with the economic realities of his time (1930s) and his deep rejection of the theories of J.M. Keynes makes for an incredibly thought-provoking view of future societies. Especially for somebody like myself, who would be a contributor to his dim view of the future. But what exactly his view of the future is, after reading this book, I feel is quite ambiguous. Satire and political commentary are simply woven so tightly together that I struggle to unwind the difference. But that’s exactly why the book is so powerful and exciting to read!

If any of this interests you, and you would like to read this book, tell three people about my company’s latest project, WikiReader, and then send me an email. Before next week, I’ll choose a name at random, and send the winner my book. Shipping, anywhere in the world, is on me.
Posted almost 14 years ago by [email protected] (zecke)
Hi, with some more debugging and fun with wireshark scripting and looking, a pretty obvious issue has been resolved. Now GPRS for us is actually using IP, UDP, NS (some simple address and type of the messages), BSSGP (protocol between SGSN and BSS) and for actual data there is LLC at the end of the BSSGP. The LLC is part of the BSSGP payload as TLV (Tag, Length, Value).

I created a simple setup that worked. It involved getting the traffic from the BTS, relayed with a simple smalltalk script (I had to do some fixes to GNU Smalltalk), and then sending it to another SGSN. With a small variation of sending the data through our proxy I made the nanoBTS crash. From observations I found that the other SGSN is padding the FLOW-CONTROL-BVC-ACK and FLOW-CONTROL-MS-ACK packets to 28 bytes, but padding/not padding had no effect on the crash. The next observation was (before I tried doing it manually) that I now have each packet twice, once coming from the SGSN and how it looks after our proxy; apparently the proxy truncated the UDP packets...

So what errors have happened?

The nanoBTS accesses random memory with short LLC frames and crashes; instead of crashing it should send a STATUS (I think BSSGP) returning our

The wireshark BSSGP dissector does not check the size of the LLC frame (I created a bug report with a patch).

The proxy code was not reading the whole datagram and we had to increase the size; according to the spec the maximum size is 1600 bytes for Frame Relay... we now have a slightly bigger message...
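As an added example (not the proxy, dissector or nanoBTS code from the post), the following Python walks the BSSGP information elements that follow the fixed header of an UL-UNITDATA PDU (3GPP TS 48.018), checks every length against the datagram before using it, and rejects an LLC PDU that is truncated or too short to be an LLC frame instead of reading past the buffer, which is the check both the dissector and the BTS were missing. The sample datagrams are constructed; the minimum LLC frame length is an assumption derived from the TS 44.064 frame layout (address, control field, FCS).

```python
from typing import Dict

BSSGP_UL_UNITDATA = 0x01
IE_CELL_ID, IE_LLC_PDU = 0x08, 0x0E
FIXED_HEADER_LEN = 1 + 4 + 3    # PDU type, TLLI (4 octets), QoS profile (3 octets)
LLC_MIN_LEN = 5                 # assumed: address (1) + shortest control field (1) + FCS (3)


def parse_tvlv(buf: bytes, pos: int):
    """Decode one BSSGP TLV IE at pos.  The length is one octet (bit 8 set, 7-bit
    value) or two octets (bit 8 clear, 15-bit value).  Returns (iei, value, next_pos),
    or None when the IE does not fit inside buf."""
    if pos + 2 > len(buf):
        return None
    iei, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        length, start = first & 0x7F, pos + 2
    else:
        if pos + 3 > len(buf):
            return None
        length, start = ((first & 0x7F) << 8) | buf[pos + 2], pos + 3
    end = start + length
    if end > len(buf):
        return None                 # truncated: the value would run past the datagram
    return iei, buf[start:end], end


def extract_llc_pdu(datagram: bytes) -> Dict[str, object]:
    """Return {'ok': True, 'tlli', 'cell_id', 'llc'} or {'ok': False, 'error': ...}."""
    if len(datagram) < FIXED_HEADER_LEN or datagram[0] != BSSGP_UL_UNITDATA:
        return {"ok": False, "error": "not an UL-UNITDATA PDU"}
    tlli = datagram[1:5].hex()
    pos, ies = FIXED_HEADER_LEN, {}
    while pos < len(datagram):      # walk the TLV part, never trusting a length blindly
        ie = parse_tvlv(datagram, pos)
        if ie is None:
            return {"ok": False, "error": f"truncated IE at offset {pos}"}
        iei, value, pos = ie
        ies[iei] = value
    llc = ies.get(IE_LLC_PDU)
    if llc is None:
        return {"ok": False, "error": "no LLC-PDU IE"}
    if len(llc) < LLC_MIN_LEN:      # the short-frame case that crashed the BTS
        return {"ok": False, "error": f"LLC PDU too short ({len(llc)} octets)"}
    return {"ok": True, "tlli": tlli,
            "cell_id": ies.get(IE_CELL_ID, b"").hex(), "llc": llc}


# Constructed samples: a complete UL-UNITDATA (TLLI, QoS, Cell Identifier, 9-octet
# LLC PDU), the same datagram cut short by a too-small receive buffer, and one whose
# LLC-PDU IE carries only two octets
GOOD = bytes.fromhex("01" "c0010203" "000000" "0888" "62f2200001123456"
                     "0e89" "01c0010a0b0c112233")
TRUNCATED = GOOD[:24]
SHORT_LLC = bytes.fromhex("01" "c0010203" "000000" "0e82" "01c0")
```

The proxy-side truncation is the other half of the story: a relay has to receive each datagram into a buffer of at least the 1600 octets the post gives as the Frame Relay maximum, otherwise the tail of a large datagram is silently dropped and the peer sees exactly the kind of cut-off IE this parser rejects.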
Posted almost 14 years ago
During the last couple of days, I've been adding the bits required to support frequency-hopping BTSs in OpenBSC. Now everything looks great in the protocol traces - but unfortunately it still doesn't work, at least not with the Siemens BS-11 that I have access to. Will continue to try to make it work. The big advantage of having a hopping BTS under our control is that we can define the hopping sequence - something quite useful once we get to the point where we'd like to add frequency hopping to the telephone-side stack (OsmocomBB). The good news is that I had to fix lots of bugs in the A-bis OML dissector for wireshark that I wrote some time ago. It's now much more complete and definitely a big step further towards eventually getting it included in wireshark mainline.
Posted almost 14 years ago
One of the big news of the last week is Apple's leak of 114,000 iPad customer records including the e-mail address and ICCID. While that leak is certainly a big issue in itself, there are some people, most notably Chris Paget, who claim that this is much more serious than generally assumed. The main claim here seems to be that ...in order to translate an ICCID into an IMSI, you need to query the HLR.

I have been reading GSM protocol specifications on every level for the past years, and never have I seen the ICCID being mentioned anywhere. The GSM specifications do not require this information to be stored in the HLR, and the MAP protocol (used on the C interface between MSC and HLR, see 3GPP TS 29.002) does not even know how to encode/specify it. Also, there is no technical need for it. The ICCID is never used nor needed in any part of the GSM protocol. Also, the GSM network typically doesn't store any information that is not absolutely necessary for its operation. The only identifier of a SIM card that the network protocols care about is the IMSI. So unless the US operators in question have either some kind of proprietary extensions to both their HLR and the MAP protocol, there is to the best of my knowledge no way you can relate the ICCID to the IMSI. And thus, as a result, the IMSI-catcher attack described will not work since you don't know the IMSI of the SIM card (associated with the customer record) that you want to catch.

If anyone can show me hard technical facts about ICCIDs being used in the HLRs of the operators in question, I am happy to post here that I was wrong. Otherwise, I would hope everyone else could also come down to the hard technical facts, i.e. which particular MAP message is used for this alleged ICCID-to-IMSI query.
Posted almost 14 years ago
This week’s book, “Ingenious Gadgets” by Maurice Collins, is just pure and whimsical fun: Fascinated by eccentric contraptions powered by anything other than electricity, Collins has been collecting “gadgets” for over 30 years. Most items span the time period starting from the Great Exhibition of 1851 to the Festival of Britain in 1951. Organized in categories with names like “The Working Day” to “The Stuff of Life” to “Body and Soul” and more, this book will inspire and provoke laughter – in equally heavy doses. Here are three of my favorites:

1. Clockwork fly scarer. With a “wing” span of one meter (3ft), this clockwork propeller revolves at a very slow pace over the dining table to scare away flies. The large spring, when fully wound, has enough energy to keep revolving for 15 minutes!

2. Sight restorer. A late 19th century gadget that proclaims to increase your vision. All you have to do is apply the two cups against the eyes, press the central air puffer and the resulting massage would do the trick. The instructions also suggest that no excessive drinking or eating and plenty of sleep should occur at the same time as the treatment.

3. Bread cutter. This gadget, from the US Great Depression era of the 1930s, was created to help money go a bit further. Place an already thin slice of bread into this cutter and it will cut it in half again. Ingenious, albeit a tad depressing…

What’s the fundamental question of the items in his collection? Does it solve an everyday problem, making a task simpler, quicker or easier? Collins is especially keen on gadgets that perform their function better than those sold in the 21st century that do the same thing. All the items in his collection are a testament to those creative minds that spend their time and money trying to solve everyday problems.

If any of this interests you, and you would like to read this book, tell three people about my company’s latest project, WikiReader, and then send me an email. Before next week, I’ll choose a name at random, and send the winner my book. Shipping, anywhere in the world, is on me.
Posted almost 14 years ago by [email protected] (Alvie)
Due to excessive spam in the #gta02-core blog (mostly porn links) I'm enabling comment moderation. I'm sure you understand.

Álvaro