
Use an Android phone and a USRP (GNURadio) to create a GSM "Cell" (BTS) - biafra
http://www.tombom.co.uk/blog/?p=144
======
mctavjb9
In actual fact, this demonstration is not breaking any laws (and bears no
resemblance to sodomy). There are two GSM bands in the US, 850 and 1900 MHz.
Chris Paget, in spite of having a UK domain, lives in the Bay Area. His
Android demo used RF hardware operating in the 900 MHz ISM band, which does
not require a license provided the transmit power is less than 30 dBm (1W) as
per FCC part 15. The maximum transmit power of the USRP hardware is ~23 dBm.
Ergo, not illegal.

Other posters have made reference to Special Temporary Authority that one can
apply for from the FCC in order to legally operate radio experiments in
licensed spectrum. A relevant example is the OpenBTS GSM network at Burning
Man-- <http://openbts.sourceforge.net/FieldTest3/STAGrant.pdf>

The so-called "GSM guard band" between the DECT cordless phone band and the
DCS1800 European GSM band is being opened up in Western Europe. Unlicensed low-
power GSM installations have in fact been legalized in the Netherlands. This
swath of spectrum, 1781.7-1785 MHz paired with 1876.7-1880 MHz, was also
auctioned off for cheap to 12 companies in the UK by Ofcom (the British
equivalent of the FCC) in 2006.

OpenBTS and OpenBSC are complementary but not cooperative (at least not yet)
projects. The Base Transceiver Station (BTS) and Base Station Controller (BSC)
are different key components in a GSM network. For clarification, see:
[http://gnuradio.org/redmine/wiki/gnuradio/OpenBTSFAQ#What-is...](http://gnuradio.org/redmine/wiki/gnuradio/OpenBTSFAQ#What-is-the-relationship-between-OpenBTS-and-OpenBSC)

OpenBTS currently supports GSM full rate voice and SMS and allows GSM phones to
connect to the telephone network via SIP using Asterisk or FreeSwitch. OpenBSC
supports GPRS inasmuch as the commercial BTS (e.g., the ip.access nanoBTS)
connected to it supports GPRS.

~~~
dedward
Forgive my ignorance - if the demo operates in the 900 MHz ISM band, how would
any GPS phone be able to connect to it?

~~~
mctavjb9
Almost all GSM phones sold in the past 4-5 years are quad-band phones-- 850
MHz/1900 MHz (US, Canada, a few other places), and 900 MHz/1800 MHz (Europe,
Asia, Africa).

An iPhone in the US, for instance, connects to AT&T for voice calls on the 850
or 1900 MHz bands, depending on what chunk of spectrum the carrier owns in the
caller's particular location. If Joe Caller got on a plane to Europe, the
phone might roam onto a GSM900 network. But in the US, part of the 900 MHz
European GSM band happens to be allocated to ISM.

What people experimenting with OpenBTS in the US tend to do is test with old
900/1800 MHz-only phones that can be procured for a pittance on eBay. That
way, they're guaranteed not to connect to AT&T or T-Mobile.

As a sidenote, before the GSM carriers started upgrading to 3G networks, most
GSM phones didn't actually have GPS chips. Sprint & Verizon (CDMA) phones did,
because GPS timing information is a crucial part of the standard (see
<http://alumni.cs.ucr.edu/~saha/stuff/cdma_gps.htm> for gory details).

------
pilif
This is really impressive. Even more so because at least for me GSM still has
this mysterious "only the big guys can do it" feeling which IP, routing and
servers lost a long time ago for me.

Is this the beginning of GSM hacking for the normal people (for a loose
definition of normal of course)?

~~~
CaptainMcCrank
It is interesting, but I think it is a dead end. The concept is possible
because GSM doesn't require mutual authentication. Consequently, devices can
"relatively" easily attach to a tower, if a bunch of circumstances are true.

UMTS requires mutual authentication, so any devices that will connect must be
preconfigured to do so. This means that attaching to your own tower becomes a
lot less simple: each device must be configured to work with your own cloud.

I think it is a dead end because GSM will be phased out eventually. This is
only "easy" today because many phones are dual stacked GSM/UMTS.

OpenBTS really started some interesting work in this space, but I think
OpenBSC is the more advanced (and less approachable) solution. OpenBSC
recently reported some small ability to support a little bit of GPRS. Without
GPRS support, there is no ability to do data on your phoney tower.
Unfortunately, the hardware on OpenBSC is less accessible.

------
melito
Nice share, biafra. You should start a telephone company in Cambodia.

The story is they had this at burning man a few years ago. Great technology
for setting up little "communal" nodes in different parts of the world.

Could easily be abused. Would probably drive the cost up.

If shared between a small group though, could be a cost effective way to
bridge small&remote communities across the world.

Could diversify our internets.

------
nzmsv
Forgive my ignorance, but what are the legal issues with running your own GSM
cell? Is there a legal way to operate in the licensed part of the spectrum?

~~~
dedward
There sure is, but not without obtaining the appropriate license first.

Broadcasting on licensed frequencies without a license is generally not legal,
and can carry stiff penalties, especially if it ends up tying up a licensed
operator's staff in tracking down the rogue transmitter and they decide to go
after you for punitive damages as well.

There is probably (I'm not versed in US law) a type of developer license you
can apply for to be allowed to operate on those frequencies within certain
specific power limits at a specific location - otherwise nobody would be able
to design or experiment with them.

