awesome-telco

A curated list of telco resources and projects.

Contents

• SIM: USIM, SIM, eSIM
• UE: phones, modems apps
• RAN: 2G, 3G, 4G, 5G
• Core: EPC, MME, SGW, PGW
• Interco: IMS, SBC, Diameter
• Protocols: Libraries, Frameworks
• Infrastructure: SDN and NFV management software
• Security: Papers and talks around telco security
• Organizations: Orgs and forums working on telcos hardware/software
• Docs: Documentations and standards
• Decks: Powerpoints and great slides
• Tweets: Relevant tweets and link to social networks
• Issues: interesting issues on bugtrackers
• Mailings-lists : ML, slack and other forums
• Lab: tooling for telco labs

SIMCards

• PySIM - Tool to program sim card. Useful to manage and program blank SIM cards such as the sysmocom ones.
• SIMTrace - Osmocom SIMtrace is a hardware device and associated firmware + host software to trace the communication between phone and SIM card.
• SIMTester - SIMtester assess SIM card security in two dimensions : Cryptanalytic attack surface, Application attack surface.

UE

4G

• srsUE - UE 4G modem part of the srsLTE project.
• OAI UE - Open Air Interface RAN 4G eNB/ 5G gNB to use on SDR-based radios.
• Amarisoft - Commercial UE Emulator by Amarisoft, company co-founded by Bellard on his original LTE software modem work.
• LTE-CellScanner - This is a collection of tools to locate and track LTE basestation cells using very low performance RF front ends.
• LTE-CellScanner-SDR-X - An OpenCL accelerated TDD/FDD LTE Scanner (from rtlsdr/hackRF/bladeRF A/D samples to PDSCH output and RRC SIB messages decoded).

Diagnostics, Monitor mode

• SCAT - this application parses diagnostic messages of Qualcomm and Samsung baseband through USB, and generates a stream of GSMTAP packet containing cellular control plane messages.
• QCSuper - QCSuper is a tool communicating with Qualcomm-based phones and modems, allowing to capture raw 2G/3G/4G radio frames, among other things.
• Network Signal Guru - Android app able to parse Diag output from QC modem and display a lot of data for engineering field work.
• Snoopsnitch - an opensource project focused on collecting data on existing network by performing passive and active tests and recovering the event through the DIAG protocol on a rooted Android phone.
• Diag-parser - Parse the Qualcomm DIAG format and convert 2G, 3G and 4G radio messages to Osmocom GSMTAP for analysis in wireshark and other utilities.
• LTE_monitor_c2xx - The purpose of LTE_monitor_c2xx is to provide a LTE message debugging solution for Samsung C2xx-based chipsets.
• XGoldmon - xgoldmon is a small tool to convert the messages output by the USB logging mode of phones with Intel/Infineon XGold baseband processor.
• Modmobmap - Modmobmap is a python tool aimed to retrieve information of cellular networks, targeting Xgold baseband process.

RAN

RRH

• O-RAN Software and seed code - The O-RAN Software Community (SC) is a collaboration between the O-RAN Alliance and Linux Foundation with the mission to support the creation of software for the Radio Access Network (RAN). Introduction to O-RAN in a LF video.

5G

• OAI NR - 5GNR related branch of the OAI code. You can follow the weekly updates to stay up to date.

4G

• OAI eNB/ gNB - Open Air Interface RAN 4G eNB / 5G NR gNB to use on SDR-based radios.
• srsLTE - srsLTE eNB 4G to use on SDR-based radios.
• OpenLTE - OpenLTE is an open source implementation of the 3GPP LTE specifications from Ben Wojtowicz.

3G

• OpenUMTS - 3G NodeB

2G

• OpenBTS - 2G BTS with SDR-based radios.
• YateBTS - 2G BTS with SDR-based radios.
• OsmoTRX - fork of OpenBTS tranceiver to use on SDR-based radios.
• OsmoBTS - Open Source GSM BTS (Base Transceiver Station) with A-bis/IP interface.

PHY

• gr-osmoSDR - Unified gnuradio input/output block for a variety of SDR devices, including FUNcube Dongle, OsmoSDR, RTL-SDR, MSi2500, SDRplay, SDR-IQ, AirSpy, rad10, HackRF, bladeRF, USSRP/UHD, UMtrx, RedPitaya, FreeSRP.
• USRP B210 - SDR Radio kit compatible with most of the SDR-based software modem implementations.
• Kalibrate - Kalibrate, or kal, can scan for GSM base stations in a given frequency band and can use those GSM base stations to calculate the local oscillator frequency offset.

Core

5G

• IITB 5G SBA PoC - Prototyping and Load Balancing the Service Based Architecture of 5G Core using NFV - research paper from IITB
• Free5GC - The free5GC is an open-source project for 5th generation (5G) mobile core network. Based on NextEPC.

4G

• OAI EPC - MME and HSS functions from the OAI projects.
• NextEPC - R13 4G EPC core with independent MME, HSS, SGW, PGW, PCRF functions. github
• Open5gs - R14 4G EPC core with independent MME, HSS, SGW, PGW, PCRF functions. Follow-up of NextEPC. github
• Magma - Rearchitected core network with access gateway (MME+P/SGW), federation gateway for auth (S6a) and billing (Gx, Gy). Initiated by FB on a the OAI EPC code base.
• C3PO - HSS, CDF, CTF, PCRF around Cassandra DB, and backed by hardware security through SGX from the OMEC.
• NGIC-RTC - Control User Plane Separated (CUPS) architecture 3GPP TS23501 based implementation of EPC Service and Packet Gateway functions (SGW, PGW) from the OMEC.
• OpenMME - OpenMME is a grounds up implementation of the Mobility Management Entity EPC S1 front end to the Cell Tower (eNB) from the OMEC.
• srsEPC - light-weight LTE core network implementation with MME, HSS and S/P-GW.
• corenet - Minimal 3G and LTE / EPC core network using Pycrate library.
• erGW - This is a 3GPP GGSN and PDN-GW implemented in Erlang.
• vEPC IITB - vEPC is a simple virtualized form of Long Term Evolution Evolved Packet Core (LTE EPC) from IITB india.

3G

• OsmoHNBGW - An Open Source implenentation of a HNB-GW (HomeNodeB-Gateway), implementing the Iuh, IuCS and IuPS interfaces. It aggregates the Iuh links from femtocells (hNodeBs) and presents them as regular IuCS and IuPS towards MSC and SGSN.

2G

• OpenBSC - OsmoBSC is an Open Source BSC (GSM Base Station Controller) with A-bis/IP and A/IP interface. It supports a variety of BTS Vendors/Models, including some Siemens, Nokia, Ericsson and ip.access models.
• OsmoMSC - It provides a 3GPP AoIP interface towards BSCs like OsmoBSC as well as 3GPP IuCS towards RNCs or HNB-GWs like OsmoHNBGW as well as GSUP towards OsmoHLR.

OSS/BSS

• Sigscale OCS - SigScale OCS includes a 3GPP AAA server function for authentication, authorization and accounting (AAA) of subscribers using DIAMETER or RADIUS protocols.
• Bodastage CE - Boda Telecom Suite - Community Edition (BTS-CE) is an open source telecommunication network management platform for various RAN providers. github

Interco

SBC, IMS

• Freeswitch - Popular SIP stack that could be used as Session Border Controller (SBC)
• IMS Clearwater - Clearwater is an open source implementation of IMS (the IP Multimedia Subsystem).
• Kamalio - SIP stack used for VoLTE and SBC.
• go-eventsocket - FreeSWITCH Event Socket library for the Go programming language.

SS7

• Restcomm SS7 - Open Source Java SS7 stack that allows Java apps to communicate with legacy SS7 communications equipment.
• SigGW - Open Source Signaling Firewall for SS7, Diameter filtering, antispoof and antisniff.

smpp

• go-smpp - This is an implementation of SMPP 3.4 for Go, based on the original smpp34 from Kevin Patel.
• Selenium SMPPSim - (software disappeared) - possible mirror here.

Protocols

GTP

• Kernel GTP-U - This is an implementation of the GTP-U (user plane) inside the Linux kernel.
• go-GTP - Package gtp provides simple and painless handling of GTP(GPRS Tunneling Protocol), implemented in the Go Programming Language.

SCTP

• go-SCTP - Stream Control Transmission Protocol (SCTP) in Go.
• usrsctp - This is a userland SCTP stack supporting FreeBSD, Linux, Mac OS X and Windows.
• PySCTP - PySCTP - SCTP bindings for Python.

Diameter

• go-diameter - Package go-diameter is an implementation of the Diameter Base Protocol RFC 6733 and a stack for the Go programming language.
• jdiameter - RestComm jDiameter provides an Open Source Java implementation of the Diameter standard for Authentication, Authorization, and Accounting (AAA).
• Diafuzzer - Diameter fuzzer, based on specifications of Diameter applications following rfc 3588 / 6733 from Orange.

SCCP

• go-SCCP - Package sccp provides simple and painless handling of SCCP(Signaling Connection Control Part) in SS7/SIGTRAN stack, implemented in the Go Programming Language.
• libosmo-sccp - SCCP Library

Dataplane acceleration

• OVS - Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.
• FD.io - FD.io is a vector processing engine (VPP). VPP processes a number of packets in parallel instead of one at a time thus significantly improving packet throughput.
• DPDK - DPDK is the Data Plane Development Kit that consists of libraries to accelerate packet processing workloads running on a wide variety of CPU architectures. Vista Creek (FPGA-based baseband accelerator) support has been added to DPDK.

Others

• OpenFAPI - Open-nFAPI is implementation of the Small Cell Forum's network functional API or nFAPI for short. nFAPI defines a network protocol that is used to connect a Physical Network Function (PNF) running LTE Layer 1 to a Virtual Network Function (VNF) running LTE layer 2 and above.
• Pycrate - the successor of the libmich library that is used to encode and decode data structures, including ASN.1 used in cellular protocol.
• csdr - csdr is a command line tool to carry out DSP tasks for Software Defined Radio.
• OGSLib - state machine and utilities functions for NextEPC and Open5gs
• DIAGLibrary - a JNI library that implement a DIAG protocol parser under C code to be used under Android or Linux.

Infrastructure

NFV, Openstack

• Openstack Kolla - Production ready containers and Ansible tools for deploying an Openstack cluster to run NFV functions.
• SNAPS-openstack - Openstack deployment to be used on SNAPS booted machine from Cablelabs.
• OPNFV - The OPNFV project addresses a number of aspects in the development of a consistent virtualisation platform including common hardware requirements, software architecture, MANO and applications.

Containers, Kubernetes

• Kubernetes KubeADM - Deployment tool to create Kubernetes cluster.
• Intel Multus CNI plugin - Multus CNI is a container network interface (CNI) plugin for Kubernetes that enables attaching multiple network interfaces to pods from Intel.
• Intel SRVIOV/DPDK CNI plugin - SR-IOV CNI plugin works with SR-IOV device plugin for VF allocation for a container.
• Nokia Danm - TelCo grade network management in a Kubernetes cluster from Nokia.
• SNAPS-kubernetes - Kubernetes deployment to be used on SNAPS booted machine from Cablelabs.
• Free5GC on kubeCORD - This project is for deploying Free5GC on kubeCORD.

Baremetal management

• SNAPS-boot - Baremetal cluster management solution to prepare for a Openstack or k8s deployment from Cablelabs.
• MAAS - Self-service, remote installation of Windows, CentOS, ESXi and Ubuntu on real servers turns your data center into a bare-metal cloud - Metal As A Service.

Security

Videos and papers

• Exploiting Possible 5G Vulnerabilities a blog post on the 3G/4G blog about the latest HITB talk describing attack in 5G.
• USENIX19 Hiding in Plain Signal:Physical Signal Overshadowing Attack on LTE - SigOver - Overriding LTE broadcast message using signal capture effect and good enough time synchronization.
• HITB talk : 4G LTE Man in the Middle Attack with a Hacked Femtocell - high level talk on hacking 4G smallcell, sourcing, tools, opportunities including on S1 gateway.
• Vulnerabilities in 5G New vulnerabilities in 5G Security Architecture & Countermeasures.
• QPSI-2019-LTEFuzz - Security analysis of the LTE control plane with LTEFuzz, talk regarded at QPSI Product Security Summit.
• LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE - Talk about LTE vulnerability research at NDSS 2018.
• SS7: Locate. Track. Manipulate. - Talk about SS7 vulnerability at 31C3.
• SS7map : mapping vulnerability of the international mobile roaming infrastructure - Talk about SS7 vulnerability and introduction to SS7map at 31C3.
• Advanced interconnect attacks - Talk about GTP interconnection security at Chaos Communication Camp 2015.
• Mobile Data Interception from the Interconnection Link - Talk about Diameter interconnection security at 34C3.

Writeups

• How the CCC Camp 2019 LTE network works - write up on reusing commercial Ericsson 4G units.
• GSM capture, analysis and decoding - four posts series on GSM cellular signal analysis.

Organizations

• Osmocom Umbrella for numerous opensource mobile communications projects.
• Sysmocom Store frontend for sysmocom, company providing product, support and services not only related to Osmocom.
• Telecom Infra Project - FB initiated project to create an equivalent of the OpenCompute project in the telco space.

Docs

• Wireless frequency bands - Come for the frequency calculator, stay for the cellular other resources.
• ShareTechNote - an impressive repo of knowledge for the cellular telco world.
• 3GPP specs - 3GPP specs.
• CNTT - set of reference specifications for NFVI coming from several telcos (Vodafone, Telstra, Orange mentionned as authors).

Slides

• Kubernetes networking in the telco space

Tweets

• srsLTE 2G CSFB and PCAP fixes

Issues

• SCTP Kubernetes support
• SRSENB: Add SIB7 (GERAN neighbor) support

Mailing-lists

• OpenBSC
• OAI-user
• OAI-devel
• OAI-corenetwork-user
• OAI-corenetwork-devel

Lab

remote control

• OpenSTF - Enable remote control of phone over ADB over an HTML5 interfaces.
• Vyzor - A window to your Android, streaming Android UI through ADB in a Google Chrome Browser app.

GPS, Time

• GPS-SDR-SIM - GPS signal generator with a SDR radio and ephemeris files.
• Tools for MT3339 - Ephemeris injector for MT3339-based GPS chipset

License

MIT