LTE OPEN
eNodeB for USRP
A Quick Look at srsLTE with a USRP B200
Now that my B200 is up and running, I wanted to see if we could get this thing transmitting like a real basestation. I was really excited after seeing GSM messages with gr-gsm, and after poking around I saw a few really interesting open source LTE projects. There was OpenLTE, srsLTE, and OpenAirInterface. I decided to go with srsLTE since a few of my friends have mentioned OpenLTE can be hard to compile. Also, the srsLTE is based in part on some of the security components from OpenLTE.
https://www.softwareradiosystems.com/products/#1487679541239-2fe07ae1-8661
What I like best about srsLTE is the ease of install—and the ease of use! It was truly easy to build and make the project, as well as edit the .conf files to my liking. I was really impressed by the details and configuration the .conf files offered and how intuitive it was to change PLMNs and EARFCNs. For the rest of this post, I’ll go over the basics of getting the system up and running, exploring some of the .conf files, and peek into what the LTE S1AP interface logs srsLTE has to offer.
Setting up the System
Setting up the system was as easy as reading the GitHub page. I won’t steal all the excitement, but after you successfully install everything there are config files that get generated @ ~./config/srsLTE. The files are:
* drb.conf [For settings QCI (Quality Control Indicators) for the LTE Service]
* enb.conf [eNodeB radio settings]
* epc.conf [epc (Evolved Packet Core) this is the AUC, HSS, and other goodies]
* mbms.conf [MBMS (Multimedia Broadcast Multicast Service) also known as LTE Broadcast, this allows multiple users to stream the same data simultaneously.]
* rr.conf [Radio Resource]
* sib.conf [SIB (System Information Block) used to control over the air parameters needed for UE and phones to connect.]
* ue.conf [UE (User Equipment) this is for the srsUE script that turns the SDR into a phone that can connect to other base stations]
* user_db.csv [This is the database where a user’s SIM information is required to be able to connect to the service]
After the files are built, we’ll set up a connection to the EPC (evolved packet core) talking to the larger Internet. When the EPC is launched, a separate interface is made on your computer. It’s called srs_spgw_sgi and it’s created with a GW IP of: 172.16.0.1 and a /24 bit subnet. For the most part, you don’t have to worry about this because it should just work. I’ve noticed problems with network-manager and the creation/deletion of interfaces, just as a heads-up. What’s nice about srsLTE is that it has a built-in script that allows this interface to route out to your eth0 or eno1 interface, which is usually your primary Internet access. It’s called srsepc_if_masq.sh.
The three most important files to get a system up and running are the enb.conf, epc.conf, and users.db.
The first one we’ll look at is the enb.conf.
#####################################################################
# srsENB configuration file
#####################################################################
#####################################################################
# eNB configuration
#
# enb_id: 20-bit eNB identifier.
# cell_id: 8-bit cell identifier.
# tac: 16-bit Tracking Area Code.
# mcc: Mobile Country Code
# mnc: Mobile Network Code
# mme_addr: IP address of MME for S1 connnection
# gtp_bind_addr: Local IP address to bind for GTP connection
# s1c_bind_addr: Local IP address to bind for S1AP connection
# n_prb: Number of Physical Resource Blocks (6,15,25,50,75,100)
# tm: Transmission mode 1-4 (TM1 default)
# nof_ports: Number of Tx ports (1 port default, set to 2 for TM2/3/4)
#
#####################################################################
[enb]
enb_id = 0x19B
cell_id = 0x01
phy_cell_id = 1
tac = 0x0007
mcc = 310
mnc = 01
mme_addr = 127.0.1.100
gtp_bind_addr = 127.0.1.1
s1c_bind_addr = 127.0.1.1
n_prb = 50
#tm = 4
#nof_ports = 2
#####################################################################
# eNB configuration files
#
# sib_config: SIB1, SIB2 and SIB3 configuration file
# note: when enabling mbms, use the sib.conf.mbsfn configuration file which includes SIB13
# rr_config: Radio Resources configuration file
# drb_config: DRB configuration file
#####################################################################
[enb_files]
sib_config = sib.conf
rr_config = rr.conf
drb_config = drb.conf
#####################################################################
# RF configuration
#
# dl_earfcn: EARFCN code for DL
# tx_gain: Transmit gain (dB).
# rx_gain: Optional receive gain (dB). If disabled, AGC if enabled
#
# Optional parameters:
# dl_freq: Override DL frequency corresponding to dl_earfcn
# ul_freq: Override UL frequency corresponding to dl_earfcn (must be set if dl_freq is set)
# device_name: Device driver family. Supported options: "auto" (uses first found), "UHD" or "bladeRF"
# device_args: Arguments for the device driver. Options are "auto" or any string.
# Default for UHD: "recv_frame_size=9232,send_frame_size=9232"
# Default for bladeRF: ""
# #time_adv_nsamples: Transmission time advance (in number of samples) to compensate for RF delay
# from antenna to timestamp insertion.
# Default "auto". B210 USRP: 100 samples, bladeRF: 27.
# burst_preamble_us: Preamble length to transmit before start of burst.
# Default "auto". B210 USRP: 400 us, bladeRF: 0 us.
#####################################################################
[rf]
dl_earfcn = 3150
tx_gain = 80
#rx_gain = 50
#device_name = auto
# For best performance in 2x2 MIMO and >= 15 MHz use the following device_args settings:
# USRP B210: pass num_recv_frames=64,num_send_frames=64
#device_args = auto
#time_adv_nsamples = auto
#burst_preamble_us = auto
#####################################################################The two most important sections here are the [enb] and [rf] sections. The others have been cut off as they are more advanced and are not required for a basic transmission and UE connection to the B200.
In the eNodeB we can see there are settings for the Cell ID, TAC, Physical Cell ID, MCC, MNC, and all that other good identifying stuff. For me I choose to set the MCC/MNC to 310/010. I did this largely because this is how my IMSI is configured. When configuring SIMs, the IMSI almost always starts with the MCC/MNC as the initial values in the string.
Following up the:
mme_addr = 127.0.1.100
gtp_bind_addr = 127.0.1.1
s1c_bind_addr = 127.0.1.1
These IP addresses do not need to be changed. These are part of the EPC interface that was created and mentioned above.
n_prb = 50
This is the number of physical resource blocks used. 50 prb equates to 10Mhz of BW. If you would like to look more into this niviuk.free.fr has an awesome visual representation of the PRB’s and how they correlate to the transmitted BW.
In the [rf] section we can set the EARFCN to whatever we like. Once again, I recommend niviuk.free.fr for choosing the best channels. What I like best about this is that from what I can see, all LTE bands are supported. We’ll see later that srsLTE does the conversion automagically to the appropriate DL & UL frequency in MHz.
You can also choose to comment out the rx_gain. By doing so, you can set the rf_gain to AGC which stands for automatic gain control. This is nice if you plan on walking away from your work station from time to time with the connected UE. The tx_gain can only be set before srsENB is run.
And…like most .conf files, you have to make sure you are only editing/saving this file BEFORE you run “$ sudo srsENB”.
#####################################################################
# srsEPC configuration file
#####################################################################
#####################################################################
# MME configuration
#
# mme_code: 8-bit MME code identifies the MME within a group.
# mme_group: 16-bit MME group identifier.
# tac: 16-bit Tracking Area Code.
# mcc: Mobile Country Code
# mnc: Mobile Network Code
# apn: Set Access Point Name (APN)
# mme_bind_addr: IP bind addr to listen for eNB S1-MME connnections
# dns_addr: DNS server address for the UEs
# encryption_algo: Preferred encryption algorithm for NAS layer
# (default: EEA0, support: EEA1, EEA2)
# integrity_algo: Preferred integrity protection algorithm for NAS
# (default: EIA1, support: EIA1, EIA2 (EIA0 not support)
# paging_timer: Value of paging timer in seconds (T3413)
#
#####################################################################
[mme]
mme_code = 0x1a
mme_group = 0x0001
tac = 0x0007
mcc = 310
mnc = 01
mme_bind_addr = 127.0.1.100
apn = srsapn
dns_addr = 8.8.8.8
encryption_algo = EEA0
integrity_algo = EIA1
paging_timer = 2
#####################################################################
# HSS configuration
#
# db_file: Location of .csv file that stores UEs information.
#
#####################################################################
[hss]
db_file = user_db.csv
#####################################################################
# SP-GW configuration
#
# gtpu_bind_addr: GTP-U bind address.
# sgi_if_addr: SGi TUN interface IP address.
# sgi_if_name: SGi TUN interface name.
# max_paging_queue: Maximum packets in paging queue (per UE).
#
#####################################################################
[spgw]
gtpu_bind_addr = 127.0.1.100
sgi_if_addr = 172.16.0.1
sgi_if_name = srs_spgw_sgi
max_paging_queue = 100
####################################################################
# PCAP configuration
#
# Packets are captured to file in the compact format decoded by
# the Wireshark s1ap dissector and with DLT 150.
# To use the dissector, edit the preferences for DLT_USER to
# add an entry with DLT=150, Payload Protocol=s1ap.
#
# enable: Enable or disable the PCAP.
# filename: File name where to save the PCAP.
#
####################################################################
Also similar to the eNodeB file configuration, I cut off some of the logging and pcap (used for Wireshark) sections that aren’t necessary for this discussion.
In the [mme] configuration I set the MCC/MNC to 310/010 for consistency sake and I set the DNS to 8.8.8.8 (The Google DNS service IP).
And that’s really all you have to configure for the EPC config file!
#
# .csv to store UE's information in HSS
# Kept in the following format: "Name,Auth,IMSI,Key,OP_Type,OP,AMF,SQN,QCI,IP_alloc"
#
# Name: Human readable name to help distinguish UE's. Ignored by the HSS
# IMSI: UE's IMSI value
# Auth: Authentication algorithm used by the UE. Valid algorithms are XOR
# (xor) and MILENAGE (mil)
# Key: UE's key, where other keys are derived from. Stored in hexadecimal
# OP_Type: Operator's code type, either OP or OPc
# OP/OPc: Operator Code/Cyphered Operator Code, stored in hexadecimal
# AMF: Authentication management field, stored in hexadecimal
# SQN: UE's Sequence number for freshness of the authentication
# QCI: QoS Class Identifier for the UE's default bearer.
# IP_alloc: IP allocation stratagy for the SPGW.
# With 'dynamic' the SPGW will automatically allocate IPs
# With a valid IPv4 (e.g. '172.16.0.2') the UE will have a statically assigned IP.
#
# Note: Lines starting by '#' are ignored and will be overwritten
ue1,xor,001010123456789,00112233445566778899aabbccddeeff,opc,63bfa50ee6523365ff14c1f45f88737d,9001,000000000008,7,dynamic
ue2,mil,310019005002099,00112233445566778899aabbccddeeff,opc,f36b656c918d9ac7100fe60b3b55155d,8000,000000018cf3,7,dynamic
For setting up the HSS (home subscriber server), known as the user_db.csv file, we’ll need to provision a SIM. My best advice for this is to look around on the internet for you favorite programmable SIM and software. SIM programming is difficult for a reason, as it’s the heart toward gaining any kind of cellular service. The two most important pieces of setting up the file are your KI and OPC. Make sure that whatever you program those to be you place in this file. The other arguments, from my experience, can be ignored. You can try to increment the SQN number if it’s arbitrarily low, but you shouldn’t have to touch it.
LETS RUN IT!
$ sudo srsEPC (In terminal #1)
$ sudo srsENB (in terminal #2)
You’ll see when setting the EARFCN to 3150, the software chose the correct DL and UL frequency (2660 MHz / 2540 MHz).
We also see that as soon as we started the eNodeB that we got traffic on the RACH (Random Access Channel). The reason for this is because I have already attached and detached multiple phones to this system, and the phones have memory. In reality you’ll need to search for a given network on your phone before it can attempt to attach to the system.
AND THERE IT IS! (Captured with an Anritsu BTS Master)
Aaaannnnnndddddd with averaging…(oooooo so pretty)…
We should see the following after a successful attach to the network in the epc terminal logs. We see the UL NAS: Received Attach Complete message, the EPS Bearer’s being given out, and the Sending EMM Information message.
…and in the enb terminal logs we should see the RACH. Note that you’ll see logs of RACHs…and this may be from other phones attempting to connect to you network. You’ll also see disconnecting as the eNodeB or the UE stop attempting to establish a connection for a unprovisioned SIM/network combo.
Another fun thing to do is to type t in the terminal for the enb and see the resource blocks in action! The above capture was taken during a speed test. From the results I was able to see ~30Mbps in the DL and 8.8Mbps in the UL, which isn’t bad given my poor Internet service.
Going Forward
srsLTE is an amazing starting point, and I’m super excited about exploring this further and seeing its full potential. It’s fun making a quasi Wi-Fi access point using an LTE BTS. I’ll be looking closer at srsLTE and watching how it develops. Stay tuned for more projects!
Thanks for reading,
Eric
Related Posts
1 thought on “A Quick Look at srsLTE with a USRP B200”