Open purvajoshi1 opened 9 months ago
Hi @purvajoshi1 currently, we use configuration files from OpenAirInterface. You can change n78.106.conf
config. file to work with X310: https://github.com/asset-group/5ghoul-5g-nr-attacks/blob/master/configs/5gnr_gnb/n78.106.conf
You can replace it with another config. file provided by OAI instead: https://gitlab.eurecom.fr/oai/openairinterface5g/-/blob/0afa3f3193f77ce718148ca48cbf18b321d1cf23/ci-scripts/conf_files/gnb.band78.sa.fr1.106PRB.2x2.usrpn310.conf
Note that you'd need to change this line to match the IP address of your X310: https://gitlab.eurecom.fr/oai/openairinterface5g/-/blob/0afa3f3193f77ce718148ca48cbf18b321d1cf23/ci-scripts/conf_files/gnb.band78.sa.fr1.106PRB.2x2.usrpn310.conf#L247
Thanks for the information! Can you provide further guidance on why the base station process might crash/stop despite updating the config for the X300? I'm assuming you don't need to rebuild 5ghoul or anything to use the modified configs.
The command I am testing with...
sudo bin/5g_fuzzer --MCC=001 --MNC=010 --GlobalTimeout=false --EnableMutation=false --BaseStationConfigFile n78.106.X300.conf
I have also tested connectivity with the USRP X300 within the release-5g container using the following cmds (suggested by the USRP docs):
/usr/local/lib/uhd/examples/rx_ascii_art_dft --freq 98e6 --rate 5e6 --gain 20 --bw 5e6 --ref-lvl -30
...
uhd_find_devices
Both of which are providing the expected cmd output.
Hi @micahflack you can try passing another argument (--BaseStationArguments
) to 5g_fuzzer as shown bellow:
sudo bin/5g_fuzzer --MCC=001 --MNC=010 --GlobalTimeout=false --EnableMutation=false --BaseStationConfigFile n78.106.X300.conf --BaseStationArguments="--sa --usrp-tx-thread-config 1 --tune-offset 30000000 --continuous-tx"
Otherwise I'd suggest that you try manually running OAI inside the container to check what errors logs you get from it.
cd ./3rd-party/oai_5g_sa/cmake_targets/ran_build/nr-softmodem
sudo ./nr-softmodem -O ../../../../../configs/n78.106.X300.conf --sa --usrp-tx-thread-config 1 -E --continuous-tx
Thanks! I ran the last command that you shared and this was the following output:
user@devmint:~/wdissector/3rd-party/oai_5g_sa/cmake_targets/ran_build/build$ sudo ./nr-softmodem -O ~/wdissector/configs/5gnr_gnb/n78.106.conf --sa --usrp-tx-thread-config 1 -E --continuous-tx
CMDLINE: "./nr-softmodem" "-O" "/home/user/wdissector/configs/5gnr_gnb/n78.106.conf" "--sa" "--usrp-tx-thread-config" "1" "-E" "--continuous-tx" [CONFIG] get parameters from libconfig /home/user/wdissector/configs/5gnr_gnb/n78.106.conf [LIBCONFIG] Path for include directive set to: /home/user/wdissector/configs/5gnr_gnb [LIBCONFIG] /home/user/wdissector/3rd-party/oai_5g_sa/common/config/libconfig/config_libconfig.c 562 file /home/user/wdissector/configs/5gnr_gnb/n78.106.conf - line 293: syntax error
[CONFIG] function config_libconfig_init returned -1 [CONFIG] /home/user/wdissector/3rd-party/oai_5g_sa/common/config/config_load_configmodule.c 337 config module "libconfig" couldn't be loaded [CONFIG] debug flags: 0x00300000
-----Help for section config : 002 entries------ --debugflags: lte-softmodem -O [config mode]<:dbgl[debugflags]><:incp[path]> debugflags can also be defined in the config section of the config file debugflags: mask, 1->print parameters, 2->print memory allocations debug messages 4->print command line processing debug messages incp parameter can be used to define the include path used for config files (@include directive) defaults is set to the path of the main config file. --tmpdir:
-------------------------------------------------------------------- [CONFIG] config_get, section log_config skipped, config module not properly initialized [LOG] init aborted, configuration couldn't be performedlog init done Reading in command-line options [CONFIG] config_get, section (null) skipped, config module not properly initialized [CONFIG] config_get, section (null) skipped, config module not properly initialized nokrnmod bit enabled Getting configuration failed user@devmint:~/wdissector/3rd-party/oai_5g_sa/cmake_targets/ran_build/build$ sudo ./nr-softmodem -O ~/wdissector/configs/5gnr_gnb/n78.106.conf --sa --usrp-tx-thread-config 1 -E --continuous-tx CMDLINE: "./nr-softmodem" "-O" "/home/user/wdissector/configs/5gnr_gnb/n78.106.conf" "--sa" "--usrp-tx-thread-config" "1" "-E" "--continuous-tx" [CONFIG] get parameters from libconfig /home/user/wdissector/configs/5gnr_gnb/n78.106.conf [LIBCONFIG] Path for include directive set to: /home/user/wdissector/configs/5gnr_gnb [LIBCONFIG] /home/user/wdissector/3rd-party/oai_5g_sa/common/config/libconfig/config_libconfig.c 562 file /home/user/wdissector/configs/5gnr_gnb/n78.106.conf - line 293: syntax error
[CONFIG] function config_libconfig_init returned -1 [CONFIG] /home/user/wdissector/3rd-party/oai_5g_sa/common/config/config_load_configmodule.c 337 config module "libconfig" couldn't be loaded [CONFIG] debug flags: 0x00300000
-----Help for section config : 002 entries------ --debugflags: lte-softmodem -O [config mode]<:dbgl[debugflags]><:incp[path]> debugflags can also be defined in the config section of the config file debugflags: mask, 1->print parameters, 2->print memory allocations debug messages 4->print command line processing debug messages incp parameter can be used to define the include path used for config files (@include directive) defaults is set to the path of the main config file. --tmpdir:
-------------------------------------------------------------------- [CONFIG] config_get, section log_config skipped, config module not properly initialized [LOG] init aborted, configuration couldn't be performedlog init done Reading in command-line options [CONFIG] config_get, section (null) skipped, config module not properly initialized [CONFIG] config_get, section (null) skipped, config module not properly initialized nokrnmod bit enabled Getting configuration failed
The error suggests something to do with syntax in the n78.106.X300.conf
file. I compared the file after running the bin/5g_fuzzer
and noticed that the plmn_list
is getting modified, however, it does not finish writing changes and leaves the line truncated.
Expected contents (from OAI provided config):
plmn_list = ({ mcc = 001; mnc = 010; mnc_length = 3; snssaiList = ({ sst = 1, sd = 0xffffff }) });
Contents after running bin/5g_fuzzer
:
plmn_list = ({ mcc = 001
So, as a heads up to others... In order for the bin/5g_fuzzer
to make modifications to the config, you need to make sure that the formatting/spacing is the same as the config provided by the developers here.
X300 config used: gnb.band78.sa.fr1.106PRB.usrpn310.conf
When running the fuzzer, the base station process doesn't repeatedly crash - but it now seems to be hanging or waiting for something since the "gNB started" message does not appear either.
Is there maybe an option within the 5g_fuzzer for more verbose outputs from the OAI?
edit: I forgot to mention that the nr-softmodem cmd worked after fixing the config plmn format issue; but I haven't figured out the base station process stopping yet
Some log files for context...
sudo bin/5g_fuzzer --MCC=001 --MNC=010 --GlobalTimeout=false --EnableMutation=false --BaseStationConfigFile n78.106.X300.conf --BaseStationArguments="--sa --usrp-tx-thread-config 1 --tune-offset 30000000 --continuous-tx"
Logical Cores: 16
Assigned CPUSET:
0, 1, 2, 3, 4, 5, 6, 7,
Disabling Core dump for this process: ulimit -c 0
sh: 1: ulimit: Illegal option -q
[ParseArgs] "MCC" unchanged ("001")
[ParseArgs] "MNC" unchanged ("010")
[ParseArgs] "GlobalTimeout" unchanged (false)
[ParseArgs] "EnableMutation" unchanged (false)
[ParseArgs] "BaseStationConfigFile" unchanged ("n78.106.X300.conf")
[ParseArgs] "BaseStationArguments" unchanged ("--sa --usrp-tx-thread-config 1 --tune-offset 30000000 --continuous-tx")
[33;1m[Modules] Loading C++ Modules at "modules/exploits/5gnr_gnb"
[33;1m[Modules] --> mac_sch_mtk_rrc_setup_crash_6.so loaded
[33;1m[Modules] --> mac_sch_mtk_rrc_setup_crash_7.so loaded
[33;1m[Modules] --> mac_sch_rrc_setup_crash.so loaded
[33;1m[Modules] --> mac_sch_mtk_rrc_setup_crash_4.so loaded
[33;1m[Modules] --> mac_sch_mac_rlc_crash.so loaded
[33;1m[Modules] --> mac_sch_rrc_reconfiguration_crash.so loaded
[33;1m[Modules] --> mac_sch_nas_unknown_pdu_crash.so loaded
[33;1m[Modules] --> mac_sch_mtk_rlc_crash.so loaded
[33;1m[Modules] --> mac_sch_rrc_setup_crash_var.so loaded
[33;1m[Modules] --> mac_sch_mtk_rrc_setup_crash_3.so loaded
[33;1m[Modules] --> mac_sch_mtk_rrc_setup_crash_2.so loaded
[33;1m[Modules] --> mac_sch_mtk_rrc_setup_crash_1.so loaded
[Modules] 12/12 Modules Compiled / Loaded
[Modules] All modules using prefix
----------LTE Fuzzer----------
[33;1mLoading Model...
Model Loaded!
[33;1m[Machine] Layer:"NAS"
[Machine] --> States:0, Transitions:0
[33;1m[Machine] Layer:"RRC"
[Machine] --> States:0, Transitions:0
[33;1m[Machine] Layer:"RLC"
[Machine] --> States:0, Transitions:0
[33;1m[Machine] Layer:"MAC-NR"
[Machine] --> States:0, Transitions:0
[33;1m[Machine] Total States: 38
[33;1m[Machine] Total Transitions: 308
[Monitor] ERROR: ADB Could not connect to device UWEUW4XG8XCA8PWS
[33;1m[SHMDriver] SHM:/tmp/wshm, Channel:0, Mode:1, MQUEUE:/wshm
[33;1m[SHMDriver] SHM:/tmp/wshm, Channel:1, Mode:1
[33;1m[SHMDriver] SHM:/tmp/wshm, Channel:2, Mode:1
[33;1m[SHMDriver] SHM:/tmp/wshm, Channel:3, Mode:1
[33;1m[SHMDriver] SHM:/tmp/wshm, Channel:4, Mode:1
[33;1m[SHMDriver] SHM:/tmp/wshm, Channel:5, Mode:1
[33;1m[SHMDriver] SHM:/tmp/wshm, Channel:6, Mode:1
[Open5GS] Adding IMSI 001010000000001 with K=00112233445566778899AABBCCDDEEFF, OPC=00112233445566778899AABBCCDDEEFF, APN=default
[Open5GS] Adding IMSI 001010100011321 with K=12345678901234567890123456789012, OP=12345678901234561234567890123456, APN=default
[Open5GS] Adding IMSI 001010000064950 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=default
[Open5GS] Adding IMSI 001010000064951 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=default
[Open5GS] Adding IMSI 001020000064951 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=default
[Open5GS] Adding IMSI 001010000064952 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=default
[Open5GS] Adding IMSI 001010000064953 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=default
[Open5GS] Adding IMSI 999700000064959 with K=5FBC6D9274D7D3F03E32B12DBF582424, OPC=32B95812161923774B71D508A1D4D3B6, APN=internet
[Open5GS] Adding IMSI 901700000039907 with K=33CD0E15C56301487706C843E5BC53C1, OPC=3E91AD887FB569F4A68EEB8282872B0F, APN=internet
[Open5GS] Adding IMSI 222010000039900 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=internet
[Open5GS] Adding IMSI 208950000039900 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=internet
[Open5GS] Adding IMSI 525070000039900 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=internet
[Open5GS] Adding IMSI 222010100000002 with K=0c2d427dc188ed0284c4dd0fde705060, OPC=64f4f96c49dfac6a89b45dfa15574a75, APN=internet
[Open5GS] Adding IMSI 901700000039908 with K=E5EB44B93317E84EBA206EF962A29D8C, OPC=4242F3B4D58A5DA39336E1F8CB643B2A, APN=internet
[Open5GS] Subscribers registered to core network: 14
./3rd-party/hostapd/idemptables -A INPUT -i ogstun -j ACCEPT
./3rd-party/hostapd/idemptables -A FORWARD ! -i ogstun -o ogstun -j ACCEPT
./3rd-party/hostapd/idemptables -A FORWARD -i ogstun ! -o ogstun -j ACCEPT
./3rd-party/hostapd/idemptables -t nat -A POSTROUTING -s 45.45.0.0/16 ! -o ogstun -j MASQUERADE
[GlobalTimeout] Not enabled in config. file
[33;1m[AnomalyReport] Added Logging Sink: PacketLogger
[33;1m[AnomalyReport] Added Logging Sink: SvcReportSender
[33;1m[USBHubControl] Disabled in config. file
[ReportSender] Credentials file not found: modules/reportsender/credentials.json
[ReportSender] Ready
[33;1m[Optimizer] Optimization disabled. Using default population:
[33;1m--------------------------------------------------------
[33;1m[Optimizer] Iter=1 Params=[0.2,0.2,0.2,0.2,0.2,0.2,...,0.2]
[33;1m[Optimizer] Fitness=1e+06 Adj. Fitness=-1e+06
[33;1m--------------------------------------------------------
[33;1m[Optimizer] Initialized with X Size=293, Population Size=5
[Main] Fuzzing not enabled! Running only target reconnection
[33;1m[PacketHandler] Added "proto:nas-5gs", Dir:0, Realtime:0, TID:17810
[33;1m[PacketHandler] Added "proto:nas-5gs", Dir:1, Realtime:0, TID:17811
[33;1m[PacketHandler] Added "proto:pdcp-nr-framed", Dir:0, Realtime:1, TID:17812
[33;1m[PacketHandler] Added "proto:pdcp-nr-framed", Dir:1, Realtime:1, TID:17813
[33;1m[PacketHandler] Added "proto:mac-nr-framed", Dir:0, Realtime:1, TID:17815
[33;1m[PacketHandler] Added "proto:mac-nr-framed", Dir:0, Realtime:1, TID:17821
[33;1m[PacketHandler] Added "proto:mac-nr-framed", Dir:1, Realtime:0, TID:17822
[!] Base-Station process stopped
[!] Open5GS stopped
[ModemManager] Process stopped
[33;1m[PacketHandler] Stopping Threads
[SignalHandler] Exiting 5g_fuzzer
sudo ./nr-softmodem -O ../../../../../configs/n78.106.X300.conf --sa --usrp-tx-thread-config 1 -E --continuous-tx
[HW] # /dev/cpu_dma_latency set to 2 us
[0m[ENB_APP] nfapi running mode: MONOLITHIC
[0m[GNB_APP] Getting GNBSParams
[0m[93m[GNB_APP] [SHM] SHM not started
[0m[93m[GNB_APP] [duplication] Create dup socket
[0m[93m[GNB_APP] [duplication] Start dup thread
[0m[ITTI] Starting itti queue: TASK_UNKNOWN as task 0
[0m[ITTI] Starting itti queue: TASK_TIMER as task 1
[0m[ITTI] Starting itti queue: TASK_L2L1 as task 2
[0m[ITTI] Starting itti queue: TASK_BM as task 3
[0m[ITTI] Starting itti queue: TASK_PHY_ENB as task 4
[0m[ITTI] Starting itti queue: TASK_MAC_ENB as task 5
[0m[ITTI] Starting itti queue: TASK_MAC_GNB as task 6
[0m[ITTI] Starting itti queue: TASK_RLC_ENB as task 7
[0m[ITTI] Starting itti queue: TASK_RRC_ENB_NB_IoT as task 8
[0m[ITTI] Starting itti queue: TASK_PDCP_ENB as task 9
[0m[ITTI] Starting itti queue: TASK_PDCP_GNB as task 10
[0m[ITTI] Starting itti queue: TASK_DATA_FORWARDING as task 11
[0m[ITTI] Starting itti queue: TASK_END_MARKER as task 12
[0m[ITTI] Starting itti queue: TASK_RRC_ENB as task 13
[0m[ITTI] Starting itti queue: TASK_RRC_GNB as task 14
[0m[ITTI] Starting itti queue: TASK_RAL_ENB as task 15
[0m[ITTI] Starting itti queue: TASK_S1AP as task 16
[0m[ITTI] Starting itti queue: TASK_NGAP as task 17
[0m[ITTI] Starting itti queue: TASK_X2AP as task 18
[0m[ITTI] Starting itti queue: TASK_M2AP_ENB as task 19
[0m[ITTI] Starting itti queue: TASK_M2AP_MCE as task 20
[0m[ITTI] Starting itti queue: TASK_M3AP as task 21
[0m[ITTI] Starting itti queue: TASK_M3AP_MME as task 22
[0m[ITTI] Starting itti queue: TASK_M3AP_MCE as task 23
[0m[ITTI] Starting itti queue: TASK_SCTP as task 24
[0m[ITTI] Starting itti queue: TASK_ENB_APP as task 25
[0m[ITTI] Starting itti queue: TASK_GNB_APP as task 26
[0m[ITTI] Starting itti queue: TASK_MCE_APP as task 27
[0m[ITTI] Starting itti queue: TASK_MME_APP as task 28
[0m[ITTI] Starting itti queue: TASK_PHY_UE as task 29
[0m[ITTI] Starting itti queue: TASK_MAC_UE as task 30
[0m[ITTI] Starting itti queue: TASK_RLC_UE as task 31
[0m[ITTI] Starting itti queue: TASK_PDCP_UE as task 32
[0m[ITTI] Starting itti queue: TASK_RRC_UE as task 33
[0m[ITTI] Starting itti queue: TASK_RRC_NRUE as task 34
[0m[ITTI] Starting itti queue: TASK_NAS_UE as task 35
[0m[ITTI] Starting itti queue: TASK_RAL_UE as task 36
[0m[ITTI] Starting itti queue: TASK_GTPV1_U as task 37
[0m[ITTI] Starting itti queue: TASK_CU_F1 as task 38
[0m[ITTI] Starting itti queue: TASK_DU_F1 as task 39
[0m[ITTI] Starting itti queue: TASK_CUCP_E1 as task 40
[0m[ITTI] Starting itti queue: TASK_CUUP_E1 as task 41
[0m[ITTI] Starting itti queue: TASK_RRC_UE_SIM as task 42
[0m[ITTI] Starting itti queue: TASK_RRC_GNB_SIM as task 43
[0m[ITTI] Starting itti queue: TASK_RRC_NSA_UE as task 44
[0m[ITTI] Starting itti queue: TASK_RRC_NSA_NRUE as task 45
[0m[ITTI] Starting itti queue: TASK_NAS_NRUE as task 46
[0m[OPT] OPT disabled
[0m[HW] Version: Branch: Abrev. Hash: Date:
[0m[NR_PHY] PRB blacklist
[0m[NR_PHY] RC.gNB = 0x55edf34b22f0
[0m[NR_PHY] RC.gNB[0] = 0x7f3fccea3010
[0m[NR_PHY] Copying 0 blacklisted PRB to L1 context
[0m[PHY] l1_north_init_gNB() RC.nb_nr_L1_inst:1
[0m[PHY] Installing callbacks for IF_Module - UL_indication
[0m[MAC] Allocating shared L1/L2 interface structure for instance 0 @ 0x55edf34ed4b0
[0m[PHY] l1_north_init_gNB() RC.gNB[0] installing callbacks
[0m[ITTI] Created Posix thread TASK_SCTP
[0m[X2AP] X2AP is disabled.
[0m[PHY] gNB_app_task() Task ready initialize structures
[0m[ITTI] Created Posix thread TASK_GNB_APP
[0m[NR_RRC] Creating NR RRC gNB Task
[0m[NR_PHY] PRB blacklist
[0m[NR_PHY] Copying 0 blacklisted PRB to L1 context
[0m[PHY] l1_north_init_gNB() RC.nb_nr_L1_inst:1
[0m[PHY] Installing callbacks for IF_Module - UL_indication
[0m[PHY] l1_north_init_gNB() RC.gNB[0] installing callbacks
[0m[1;31m[PHY] No prs_config configuration found..!!
[0m[MAC] [MAIN] Init function start:nb_nr_macrlc_inst=1
[0m[ITTI] Created Posix thread TASK_RRC_GNB
[0m[NR_RRC] Entering main loop of NR_RRC message task
[0m[PHY] Initializing gNB 0 single_thread_flag:1
[0m[PHY] Initializing gNB 0
[0m[PHY] Registering with MAC interface module (before 0x55edf34ed4b0)
[0m[PHY] Installing callbacks for IF_Module - UL_indication
[0m[PHY] Registering with MAC interface module (after 0x55edf34ed4b0)
[0m[PHY] Setting indication lists
[0m[PHY] [nr-gnb.c] gNB structure allocated
[0m[PHY] Installing callbacks for IF_Module - UL_indication
[0m[NR_MAC] PUSCH Target 220, PUCCH Target 200, PUCCH Failure 10, PUSCH Failure 10
[0m[PHY] gNB_app_task() RC.nb_nr_L1_inst:1
[0m[PHY] l1_north_init_gNB() RC.nb_nr_L1_inst:1
[0m[PHY] Installing callbacks for IF_Module - UL_indication
[0m[PHY] l1_north_init_gNB() RC.gNB[0] installing callbacks
[0m[GNB_APP] Allocating gNB_RRC_INST for 1 instances
[0m[PHY] gNB_app_task() RC.nb_nr_inst:1 RC.nrrrc:0x7f3fc400ebd0
[0m[PHY] gNB_app_task() Creating RRC instance RC.nrrrc[0]:0x7f3fc400ebf0 (1 of 1)
[0m[RRC] Read in ServingCellConfigCommon (PhysCellId 0, ABSFREQSSB 621312, DLBand 78, ABSFREQPOINTA 620040, DLBW 106,RACH_TargetReceivedPower -104
[0m[NR_MAC] NR band duplex spacing is 0 KHz (nr_bandtable[37].band = 78)
[0m[NR_MAC] NR band 78, duplex mode TDD, duplex spacing = 0 KHz
[0m[NR_RRC] Setting node_type to ngran_gNB
[0m[GNB_APP] pdsch_AntennaPorts N1 1
[0m[GNB_APP] pdsch_AntennaPorts N2 1
[0m[GNB_APP] pdsch_AntennaPorts XP 2
[0m[GNB_APP] pusch_AntennaPorts 2
[0m[GNB_APP] minTXRXTIME 2
[0m[GNB_APP] SIB1 TDA 1
[0m[GNB_APP] Do CSI-RS 0
[0m[GNB_APP] Do SRS 0
[0m[GNB_APP] 256 QAM: may be on
[0m[GNB_APP] SDAP layer is disabled
[0m[GNB_APP] Data Radio Bearer count 1
[0m[GNB_APP] RRC starting with node type 2
[0m[GNB_APP] Sending configuration message to NR_RRC task
[0m[NR_RRC] [gNB 0] Received NRRRC_CONFIGURATION_REQ : 0x7f3fc400fa10
[0m[NR_RRC] [FRAME 00000][gNB][MOD 00][RNTI 0] Init...
[0m[NR_MAC] NR band duplex spacing is 0 KHz (nr_bandtable[37].band = 78)
[0m[NR_MAC] NR band 78, duplex mode TDD, duplex spacing = 0 KHz
[0m[NR_RRC] [FRAME 00000][gNB][MOD 00][RNTI 0] Checking release
[0m[NR_RRC] do_SIB23_NR, size 9
[0m[NR_RRC] Done init_NR_SI
[0m[NR_MAC] Configuring common parameters from NR ServingCellConfig
[0m[NR_MAC] config_common() dl_BandwidthP:40
[0m[NR_MAC] NR band duplex spacing is 0 KHz (nr_bandtable[37].band = 78)
[0m[NR_MAC] Computing frequency (pointA 620040 => 3300600 KHz (freq_min 3300000 KHz, NR band 78 N_OFFs 620000))
[0m[NR_MAC] config_common() dl_BandwidthP:40
[0m[NR_MAC] NR band duplex spacing is 0 KHz (nr_bandtable[37].band = 78)
[0m[NR_MAC] Computing frequency (pointA 620040 => 3300600 KHz (freq_min 3300000 KHz, NR band 78 N_OFFs 620000))
[0m[NR_MAC] NR band duplex spacing is 0 KHz (nr_bandtable[37].band = 78)
[0m[NR_MAC] NR band 78, duplex mode TDD, duplex spacing = 0 KHz
[0m[NR_MAC] Set RX antenna number to 2, Set TX antenna number to 2 (num ssb 1: 80000000,0)
[0m[NR_MAC] Setting TDD configuration period to 6
[0m[NR_MAC] TDD has been properly configurated
[0m[PHY] DL frequency 3319680000 Hz, UL frequency 3319680000 Hz: band 78, uldl offset 0 Hz
[0m[32m[PHY] Configuring MIB for instance 0, : (Nid_cell 0,DL freq 3319680000, UL freq 3319680000)
[0m[PHY] Initializing frame parms for mu 1, N_RB 106, Ncp 0
[0m[93m[PHY] Init: N_RB_DL 106, first_carrier_offset 900, nb_prefix_samples 108,nb_prefix_samples0 132, ofdm_symbol_size 1536
[0m[PHY] Doing symbol rotation calculation for gNB TX/RX, f0 3319680000.000000 Hz, Nsymb 28
[0m[PHY] Symbol rotation 0/28 => tl 0.000000 (-32767,-1) (0.500000)
[0m[PHY] Symbol rotation 1/28 => tl 0.000036 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 2/28 => tl 0.000072 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 3/28 => tl 0.000108 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 4/28 => tl 0.000143 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 5/28 => tl 0.000179 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 6/28 => tl 0.000215 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 7/28 => tl 0.000250 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 8/28 => tl 0.000286 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 9/28 => tl 0.000322 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 10/28 => tl 0.000357 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 11/28 => tl 0.000393 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 12/28 => tl 0.000429 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 13/28 => tl 0.000464 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 14/28 => tl 0.000500 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 15/28 => tl 0.000536 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 16/28 => tl 0.000572 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 17/28 => tl 0.000608 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 18/28 => tl 0.000643 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 19/28 => tl 0.000679 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 20/28 => tl 0.000715 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 21/28 => tl 0.000750 (32767,0) (0.000000)
[0m[PHY] Symbol rotation 22/28 => tl 0.000786 (-32767,-1) (0.500000)
[0m[PHY] Symbol rotation 23/28 => tl 0.000822 (32767,0) (0.000000)
[0m[PHY] Symbol rotation 24/28 => tl 0.000857 (-32767,-1) (0.500000)
[0m[PHY] Symbol rotation 25/28 => tl 0.000893 (32767,0) (1.000000)
[0m[PHY] Symbol rotation 26/28 => tl 0.000929 (-32767,-1) (0.500000)
[0m[PHY] Symbol rotation 27/28 => tl 0.000964 (32767,0) (1.000000)
[0m[PHY] Doing symbol rotation calculation for gNB TX/RX, f0 3319680000.000000 Hz, Nsymb 28
[0m[PHY] Symbol rotation 0/28 => tl 0.000000 (-32767,-1) (0.500000)
[0m[PHY] Symbol rotation 1/28 => tl 0.000036 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 2/28 => tl 0.000072 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 3/28 => tl 0.000108 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 4/28 => tl 0.000143 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 5/28 => tl 0.000179 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 6/28 => tl 0.000215 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 7/28 => tl 0.000250 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 8/28 => tl 0.000286 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 9/28 => tl 0.000322 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 10/28 => tl 0.000357 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 11/28 => tl 0.000393 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 12/28 => tl 0.000429 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 13/28 => tl 0.000464 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 14/28 => tl 0.000500 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 15/28 => tl 0.000536 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 16/28 => tl 0.000572 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 17/28 => tl 0.000608 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 18/28 => tl 0.000643 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 19/28 => tl 0.000679 (32767,-1) (0.000000)
[0m[PHY] Symbol rotation 20/28 => tl 0.000715 (-32767,0) (0.500000)
[0m[PHY] Symbol rotation 21/28 => tl 0.000750 (32767,0) (0.000000)
[0m[PHY] Symbol rotation 22/28 => tl 0.000786 (-32767,-1) (0.500000)
[0m[PHY] Symbol rotation 23/28 => tl 0.000822 (32767,0) (0.000000)
[0m[PHY] Symbol rotation 24/28 => tl 0.000857 (-32767,-1) (0.500000)
[0m[PHY] Symbol rotation 25/28 => tl 0.000893 (32767,0) (1.000000)
[0m[PHY] Symbol rotation 26/28 => tl 0.000929 (-32767,-1) (0.500000)
[0m[PHY] Symbol rotation 27/28 => tl 0.000964 (32767,0) (1.000000)
[0m[PHY] Timeshift symbol rotation 0 => (32767,0) 0.000000
[0m[PHY] Timeshift symbol rotation 1 => (32721,1742) -0.053178
[0m[PHY] Timeshift symbol rotation 2 => (32582,3478) -0.106356
[0m[PHY] Timeshift symbol rotation 3 => (32351,5205) -0.159534
[0m[PHY] Timeshift symbol rotation 4 => (32028,6917) -0.212712
[0m[PHY] Timeshift symbol rotation 5 => (31616,8610) -0.265890
[0m[PHY] Timeshift symbol rotation 6 => (31113,10278) -0.319068
[0m[PHY] Timeshift symbol rotation 7 => (30523,11918) -0.372246
[0m[PHY] Timeshift symbol rotation 8 => (29846,13523) -0.425424
[0m[PHY] Timeshift symbol rotation 9 => (29085,15090) -0.478602
[0m[PHY] gNB 0 configured
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 0 DL 1 UL 0
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 1 DL 1 UL 0
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 2 DL 1 UL 0
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 3 DL 1 UL 0
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 4 DL 1 UL 0
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 5 DL 1 UL 0
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 6 DL 1 UL 0
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 7 DL 1 UL 1
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 8 DL 0 UL 1
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 9 DL 0 UL 1
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 10 DL 1 UL 0
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 11 DL 1 UL 0
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 12 DL 1 UL 0
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 13 DL 1 UL 0
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 14 DL 1 UL 0
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 15 DL 1 UL 0
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 16 DL 1 UL 0
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 17 DL 1 UL 1
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 18 DL 0 UL 1
[0m[NR_MAC] In rrc_mac_config_req_gNB: slot 19 DL 0 UL 1
[0m[NR_RRC] [FRAME 00000][gNB][MOD 00][RNTI 0] gNB:OPENAIR NR RRC IN....
[0mCMDLINE: "./3rd-party/oai_5g_sa/cmake_targets/ran_build/build/nr-softmodem" "-O" "/home/user/wdissector/configs/5gnr_gnb/n78.106.X300.conf" "--nsa" "--usrp-tx-thread-config" "1" "-E" "--continuous-tx"
[CONFIG] get parameters from libconfig /home/user/wdissector/configs/5gnr_gnb/n78.106.X300.conf [LIBCONFIG] Path for include directive set to: /home/user/wdissector/configs/5gnr_gnb
[CONFIG] function config_libconfig_init returned 0
[CONFIG] config module libconfig loaded
[LIBCONFIG] config: 2/2 parameters successfully set, (2 to default value)
[CONFIG] debug flags: 0x00000000
[LIBCONFIG] log_config: 3/3 parameters successfully set, (1 to default value)
[LIBCONFIG] log_config: 54/54 parameters successfully set, (47 to default value)
[LIBCONFIG] log_config: 54/54 parameters successfully set, (54 to default value)
[LIBCONFIG] log_config: 16/16 parameters successfully set, (16 to default value)
[LIBCONFIG] log_config: 16/16 parameters successfully set, (16 to default value)
log init done
Reading in command-line options
[LIBCONFIG] (root): 36/36 parameters successfully set, (32 to default value)
[LIBCONFIG] (root): 6/6 parameters successfully set, (5 to default value)
[LIBCONFIG] (root): 2/2 parameters successfully set, (0 to default value)
[LIBCONFIG] THREAD_STRUCT.[0]: 2/2 parameters successfully set, (0 to default value)
[LIBCONFIG] THREAD_STRUCT.[0]: 2/2 parameters successfully set, (0 to default value)
[CONFIG] parallel_conf is set to 0
[CONFIG] worker_conf is set to 1
Configuration: nb_rrc_inst 1, nb_nr_L1_inst 1, nb_ru 1
[SHM] Disabled
[SHM] Disabled
[LIBCONFIG] TTracer: 3/3 parameters successfully set, (3 to default value)
configuring for RAU/RRU
CPU Freq is 2.904126
[LIBCONFIG] opt: 3/3 parameters successfully set, (3 to default value)
[LIBCONFIG] (root): 2/2 parameters successfully set, (0 to default value)
[LIBCONFIG] gNBs.[0]: 28/28 parameters successfully set, (19 to default value)
[LIBCONFIG] L1s.[0]: 16/16 parameters successfully set, (13 to default value)
Initializing northbound interface for L1
[LIBCONFIG] eNBs.[0]: 1/1 parameters successfully set, (1 to default value)
[LIBCONFIG] gNBs.[0]: 1/1 parameters successfully set, (1 to default value)
[LIBCONFIG] (root): 2/2 parameters successfully set, (0 to default value)
[LIBCONFIG] gNBs.[0]: 28/28 parameters successfully set, (19 to default value)
[LIBCONFIG] L1s.[0]: 16/16 parameters successfully set, (13 to default value)
Initializing northbound interface for L1
[LIBCONFIG] list prs_config not found in config file /home/user/wdissector/configs/5gnr_gnb/n78.106.X300.conf
[LIBCONFIG] MACRLCs.[0]: 33/33 parameters successfully set, (27 to default value)
[LIBCONFIG] gNBs.[0]: 28/28 parameters successfully set, (19 to default value)
[LIBCONFIG] (root): 2/2 parameters successfully set, (0 to default value)
[LIBCONFIG] gNBs.[0]: 28/28 parameters successfully set, (19 to default value)
[LIBCONFIG] MACRLCs.[0]: 33/33 parameters successfully set, (27 to default value)
NFAPI MODE:MONOLITHIC
START MAIN THREADS
RC.nb_nr_L1_inst:1
Initializing gNB threads single_thread_flag:1 wait_for_sync:0
wait_gNBs()
Waiting for gNB L1 instances to all get configured ... sleeping 50ms (nb_nr_sL1_inst 1)
[LIBCONFIG] (root): 2/2 parameters successfully set, (0 to default value)
[LIBCONFIG] gNBs.[0]: 28/28 parameters successfully set, (19 to default value)
[LIBCONFIG] gNBs.[0].pdcch_ConfigSIB1.[0]: 2/2 parameters successfully set, (0 to default value)
[LIBCONFIG] gNBs.[0].servingCellConfigCommon.[0]: 60/60 parameters successfully set, (10 to default value)
[LIBCONFIG] list gNBs.[0].servingCellConfigDedicated not found in config file /home/user/wdissector/configs/5gnr_gnb/n78.106.X300.conf
NRRRC 0: Southbound Transport local_mac
[LIBCONFIG] gNBs.[0].plmn_list.[0]: 3/3 parameters successfully set, (0 to default value)
[LIBCONFIG] security: 4/4 parameters successfully set, (0 to default value)
DL frequency 3319680000: band 78, UL frequency 3319680000
gNB L1 are configured
About to Init RU threads RC.nb_RU:1
Initializing RU threads
configuring RU from file
[LIBCONFIG] RUs.[0]: 41/41 parameters[PHY] Setting clock source to internal
[0m[PHY] Setting time source to internal
[0m[PHY] number of L1 instances 1, number of RU 1, number of CPU cores 16
[0m[1;31m[PHY] DJP - delete code above this /home/user/wdissector/3rd-party/oai_5g_sa/executables/nr-ru.c:1757
[0m[PHY] Copying frame parms from gNB in RC to gNB 0 in ru 0 and frame_parms in ru
[0m[PHY] Starting ru_thread 0
[0m[PHY] Initializing RU proc 0 (,synch_to_ext_device),
[0m[PHY] Starting RU 0 (,synch_to_ext_device),
[0m[PHY] Initializing frame parms for mu 1, N_RB 106, Ncp 0
[0m[93m[PHY] Init: N_RB_DL 106, first_carrier_offset 900, nb_prefix_samples 108,nb_prefix_samples0 132, ofdm_symbol_size 1536
[0m[PHY] fp->scs=30000
[0m[PHY] fp->ofdm_symbol_size=1536
[0m[PHY] fp->nb_prefix_samples0=132
[0m[PHY] fp->nb_prefix_samples=108
[0m[PHY] fp->slots_per_subframe=2
[0m[PHY] RU Thread pool size 2
[0m[PHY] fp->samples_per_subframe_wCP=43008
[0m[PHY] fp->samples_per_frame_wCP=430080
[0m[PHY] fp->samples_per_subframe=46080
[0m[PHY] fp->samples_per_frame=460800
[0m[PHY] RU thread-pool core string -1,-1
[0m[PHY] fp->dl_CarrierFreq=3319680000
[0m[PHY] fp->ul_CarrierFreq=3319680000
[0m[PHY] Setting RF config for N_RB 106, NB_RX 2, NB_TX 2
[0m[PHY] Channel 0: setting tx_gain offset 0, rx_gain offset 68, tx_freq 3319680000 Hz, rx_freq 3319680000 Hz, tune_offset 0 Hz, sample_rate 46080000 Hz
[0m[PHY] Channel 1: setting tx_gain offset 0, rx_gain offset 68, tx_freq 3319680000 Hz, rx_freq 3319680000 Hz, tune_offset 0 Hz, sample_rate 46080000 Hz
[0m[PHY] Initializing RU signal buffers (if_south local RF) nb_tx 2, nb_rx 2
[0m[PHY] [INIT] common.txdata[0] = 0x7f3fc882a040 (1843200 bytes,sf_extension 0)
[0m[PHY] [INIT] common.txdata[0] = 0x7f3fc882a040
[0m[PHY] [INIT] common.txdata[1] = 0x7f3fc8667040 (1843200 bytes,sf_extension 0)
[0m[PHY] [INIT] common.txdata[1] = 0x7f3fc8667040
[0m[PHY] nb_tx 2
[0m[PHY] rxdata_7_5kHz[0] 0x7f3fc822c040 for RU 0
[0m[PHY] rxdata_7_5kHz[1] 0x7f3fc8177040 for RU 0
[0m[PHY] [INIT] common.txdata_BF= 0x7f3fb4000a20 (16 bytes)
[0m[PHY] txdataF_BF[0] 0x7f3fd5981040 for RU 0
[0m[PHY] txdataF_BF[1] 0x7f3fd5956040 for RU 0
[0m[PHY] rxdataF[0] 0x7f3fc8122040 for RU 0
[0m[PHY] rxdataF[1] 0x7f3fc80cd040 for RU 0
[0m[PHY] Waiting for RUs to be configured ... RC.ru_mask:01
[0m[PHY] [INIT] nr_phy_init_RU() ru->num_gNB:1
[0m[HW] openair0_cfg[0].sdr_addrs == 'type=x300,addr=192.168.10.2,clock_source=internal,time_source=internal'
[0m[HW] openair0_cfg[0].clock_source == '0' (internal = 0, external = 1)
[0m[HW] UHD version 4.4.0.HEAD-0-8e54b58d (4.4.0)
[0m[HW] Checking for USRP with args type=x300,addr=192.168.10.2,clock_source=internal,time_source=internal
[0m[INFO] [UHD] linux; GNU C++ version 7.5.0; Boost_106501; UHD_4.4.0.HEAD-0-8e54b58d
[HW] Found USRP x300
[0mnet.core.rmem_max = 33554432
net.core.wmem_max = 33554432
[INFO] [X300] X300 initialization sequence...
[INFO] [X300] Maximum frame size: 1472 bytes.
[INFO] [X300] Radio 1x clock: 184.32 MHz
[93m[HW] Clock source set in both usrp_args and in clock_source, ingnoring the latter!
[0m[93m[HW] Time source set in both usrp_args and in time_source, ingnoring the latter!
[0m successfully set, (29 to default value)
Set RU mask to 1
Creating RC.ru[0]:0x55edf34efd40
Setting function for RU 0 to gNodeB_3GPP
[RU 0] Setting nr_flag 0, nr_band 78, nr_scs_for_raster 1
[RU 0] Setting half-slot parallelization to 1
configuring ru_id 0 (start_rf 0x55edefa708b0)
create a thread for core -1
create a thread for core -1
Number of Threads=2
wait RUs
[LIBCONFIG] device.recplay: 8/8 parameters successfully set, (8 to default value)
[LIBCONFIG] device: 1/1 parameters successfully set, (1 to default value)
[LIBCONFIG] loader: 2/2 parameters successfully set, (2 to default value)
[LIBCONFIG] loader.oai_device: 2/2 parameters successfully set, (1 to default value)
shlib_path liboai_device.so
[LOADER] library liboai_device.so successfully loaded
Found USRP x300
-- Using calibration table: calib_table_x310
[HW] device_init() sample_rate:46080000
[0m[HW] cal 0: freq 3500000000.000000, offset 77.000000, diff 180320000.000000
[0m[HW] cal 1: freq 2660000000.000000, offset 81.000000, diff 659680000.000000
[0m[HW] cal 2: freq 2300000000.000000, offset 81.000000, diff 1019680000.000000
[0m[HW] cal 3: freq 1880000000.000000, offset 82.000000, diff 1439680000.000000
[0m[HW] cal 4: freq 816000000.000000, offset 85.000000, diff 2503680000.000000
[0m[HW] RX Gain 0 68.000000 (77.000000) => -9.000000 (max 37.500000)
[0m[HW] cal 0: freq 3500000000.000000, offset 77.000000, diff 180320000.000000
[0m[HW] cal 1: freq 2660000000.000000, offset 81.000000, diff 659680000.000000
[0m[HW] cal 2: freq 2300000000.000000, offset 81.000000, diff 1019680000.000000
[0m[HW] cal 3: freq 1880000000.000000, offset 82.000000, diff 1439680000.000000
[0m[HW] cal 4: freq 816000000.000000, offset 85.000000, diff 2503680000.000000
[0m[HW] RX Gain 1 68.000000 (77.000000) => -9.000000 (max 37.500000)
[0m[HW] USRP TX_GAIN:31.50 gain_range:31.50 tx_gain:0.00
[0m[HW] USRP TX_GAIN:31.50 gain_range:31.50 tx_gain:0.00
[0m[HW] Actual master clock: 184.320000MHz...
[0m[HW] Actual clock source internal...
[0m[HW] Actual time source internal...
[0m[HW] RF board max packet size 364, size for 100µs jitter 4608
[0m[HW] rx_max_num_samps 364
[0m[HW] setting rx channel 0
[0m[HW] setting rx channel 1
[0m[WARNING] [0/Radio#1] Attempting to set tick rate to 0. Skipping.
[WARNING] [0/Radio#1] Attempting to set tick rate to 0. Skipping.
[WARNING] [0/Radio#0] Attempting to set tick rate to 0. Skipping.
[HW] RX Channel 0
[0m[HW] Actual RX sample rate: 46.080000MSps...
[0m[HW] Actual RX frequency: 3.319680GHz...
[0m[HW] Actual RX gain: 0.000000...
[0m[HW] Actual RX bandwidth: 40.000000M...
[0m[HW] Actual RX antenna: RX2...
[0m[HW] RX Channel 1
[0m[HW] Actual RX sample rate: 46.080000MSps...
[0m[HW] Actual RX frequency: 3.319680GHz...
[0m[HW] Actual RX gain: 0.000000...
[0m[HW] Actual RX bandwidth: 40.000000M...
[0m[HW] Actual RX antenna: RX2...
[0m[HW] TX Channel 0
[0m[HW] Actual TX sample rate: 46.080000MSps...
[0m[HW] Actual TX frequency: 3.319680GHz...
[0m[HW] Actual TX gain: 31.500000...
[0m[HW] Actual TX bandwidth: 40.000000M...
[0m[HW] Actual TX antenna: TX/RX...
[0m[HW] Actual TX packet size: 364
[0m[HW] TX Channel 1
[0m[HW] Actual TX sample rate: 46.080000MSps...
[0m[HW] Actual TX frequency: 1.292160GHz...
[0m[HW] Actual TX gain: 31.500000...
[0m[HW] Actual TX bandwidth: 40.000000M...
[0m[HW] Actual TX antenna: TX/RX...
[0m[HW] Actual TX packet size: 364
[0mUsing Device: Single USRP:
Device: X-Series Device
Mboard 0: X300
RX Channel: 0
RX DSP: 0
RX Dboard: A
RX Subdev: SBX-120 RX
RX Channel: 1
RX DSP: 1
RX Dboard: B
RX Subdev: UBX RX
TX Channel: 0
TX DSP: 0
TX Dboard: A
TX Subdev: SBX-120 TX
TX Channel: 1
TX DSP: 1
TX Dboard: B
TX Subdev: UBX TX
[HW] Device timestamp: 0.047806...
[0m[HW] [RAU] has loaded USRP X300 device.
[0m[PHY] RU 0 Setting N_TA_offset to 600 samples (factor 1.500000, UL Freq 3300600, N_RB 106, mu 1)
[0m[PHY] Signaling main thread that RU 0 is ready, sl_ahead 6
[0m[PHY] RUs configured
[0m[PHY] init_eNB_afterRU() RC.nb_nr_inst:1
[0m[PHY] RC.nb_nr_CC[inst:0]:0x7f3fccea3010
[0m[PHY] [gNB 0] phy_init_nr_gNB() About to wait for gNB to be configured
[0m[PHY] Initialise nr transport
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 0/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 1/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 2/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 3/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 4/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 5/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 6/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 7/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 8/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 9/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 10/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 11/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 12/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 13/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 14/16
[0m[PHY] Allocating Transport Channel Buffers for PUCCH 15/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 0/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 1/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 2/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 3/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 4/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 5/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 6/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 7/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 8/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 9/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 10/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 11/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 12/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 13/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 14/16
[0m[PHY] Allocating Transport Channel Buffers for SRS 15/16
[0m[PHY] Allocating Transport Channel Buffers for ULSCH 0/8
[0m[PHY] Allocating Transport Channel Buffers for ULSCH 1/8
[0m[PHY] Allocating Transport Channel Buffers for ULSCH 2/8
[0m[PHY] Allocating Transport Channel Buffers for ULSCH 3/8
[0m[PHY] Allocating Transport Channel Buffers for ULSCH 4/8
[0m[PHY] Allocating Transport Channel Buffers for ULSCH 5/8
[0m[PHY] Allocating Transport Channel Buffers for ULSCH 6/8
[0m[PHY] Allocating Transport Channel Buffers for ULSCH 7/8
[0m[PHY] Mapping RX ports from 1 RUs to gNB 0
[0m[PHY] gNB->num_RU:1
[0m[PHY] Attaching RU 0 antenna 0 to gNB antenna 0
[0m[PHY] Attaching RU 0 antenna 1 to gNB antenna 1
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 0/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 1/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 2/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 3/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 4/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 5/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 6/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 7/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 0/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 1/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 2/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 3/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 4/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 5/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 6/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Allocating Transport Channel Buffers for DLSCH 7/8
[0m[PHY] Allocating 28 segments (MAX 36, N_PRB 106)
[0m[PHY] Creating thread for TX reordering and dispatching to RU
[0msetup_RU_buffers: frame_parms = 0x55edf34f57f0
waiting for sync (ru_thread,-1/0x55edf06462d4,0x55edf1347ba0,0x55edf134f640)
RC.ru_mask:00
ALL RUs READY!
RC.nb_RU:1
ALL RUs ready - init gNBs
Not NFAPI mode - call init_eNB_afterRU()
[LIBCONFIG] loader.dfts: 2/2 parameters successfully set, (1 to default value)
shlib_path libdfts.so
[LOADER] library libdfts.so successfully loaded
[LIBCONFIG] loader.ldpc: 2/2 parameters successfully set, (1 to default value)
shlib_path libldpc.so
[LOADER] library libldpc.so successfully loaded
create a thread for core -1
create a thread for core -1
create a thread for core -1
create a thread for core -1
create a thread for core -1
create a thread for core -1
create a thread for core -1
create a thread for core -1
Number of Threads=8
waiting for sync (L1_stats_thread,-1/0x55edf06462d4,0x55edf1347ba0,0x55edf134f640)
ALL RUs ready - ALL gNBs ready
Sending sync to all threads
Entering ITTI signals handler
TYPE <CTRL-C> TO TERMINATE
got sync (L1_stats_thread)
got sync (ru_thread)
[HW] current pps at 0.000000, starting streaming at 1.000000
[0m[PHY] RU 0 rf device ready
[0m[PHY] RU 0 RF started opp_enabled 0
[0m[PHY] tx write thread ready
[0minitializing tx write thread
end of tx write thread
sleep...
sleep...
sleep...
sleep...
sleep...
sleep...
sleep...
sleep...
sleep...
sleep...
sleep...
sleep...
DDOOsleep...
sleep...
sleep...
O
uhd_usrp_probe --args "type=x300,addr=192.168.10.2"
[INFO] [UHD] linux; GNU C++ version 7.5.0; Boost_106501; UHD_4.4.0.HEAD-0-8e54b58d
[INFO] [X300] X300 initialization sequence...
[INFO] [X300] Maximum frame size: 1472 bytes.
[INFO] [X300] Radio 1x clock: 200 MHz
_____________________________________________________
/
| Device: X-Series Device
| _____________________________________________________
| /
| | Mboard: X300
| | revision: 6
| | product: 30518
| | mac-addr0: 00:80:2f:19:b3:26
| | mac-addr1: 00:80:2f:19:b3:27
| | gateway: 192.168.10.1
| | ip-addr0: 192.168.10.2
| | subnet0: 255.255.255.0
| | ip-addr1: 192.168.20.2
| | subnet1: 255.255.255.0
| | ip-addr2: 192.168.30.2
| | subnet2: 255.255.255.0
| | ip-addr3: 192.168.40.2
| | subnet3: 255.255.255.0
| | serial: 307A17A
| | FW Version: 6.1
| | FPGA Version: 39.1
| | FPGA git hash: 92c09f7
| | RFNoC capable: Yes
| |
| | Time sources: internal, external, gpsdo
| | Clock sources: internal, external, gpsdo
| | Sensors: ref_locked
| _____________________________________________________
| /
| | RFNoC blocks on this device:
| |
| | * 0/DDC#0
| | * 0/DDC#1
| | * 0/DUC#0
| | * 0/DUC#1
| | * 0/Radio#0
| | * 0/Radio#1
| | * 0/Replay#0
| _____________________________________________________
| /
| | Static connections on this device:
| |
| | * 0/SEP#0:0==>0/DUC#0:0
| | * 0/DUC#0:0==>0/Radio#0:0
| | * 0/Radio#0:0==>0/DDC#0:0
| | * 0/DDC#0:0==>0/SEP#0:0
| | * 0/Radio#0:1==>0/DDC#0:1
| | * 0/DDC#0:1==>0/SEP#1:0
| | * 0/SEP#2:0==>0/DUC#1:0
| | * 0/DUC#1:0==>0/Radio#1:0
| | * 0/Radio#1:0==>0/DDC#1:0
| | * 0/DDC#1:0==>0/SEP#2:0
| | * 0/Radio#1:1==>0/DDC#1:1
| | * 0/DDC#1:1==>0/SEP#3:0
| | * 0/SEP#4:0==>0/Replay#0:0
| | * 0/Replay#0:0==>0/SEP#4:0
| | * 0/SEP#5:0==>0/Replay#0:1
| | * 0/Replay#0:1==>0/SEP#5:0
| _____________________________________________________
| /
| | TX Dboard: 0/Radio#0
| | ID: SBX-120 (0x0082)
| | Serial: 30854D9
| | _____________________________________________________
| | /
| | | TX Frontend: 0
| | | Name: SBX-120 TX
| | | Antennas: TX/RX, CAL
| | | Sensors: lo_locked
| | | Freq range: 400.000 to 4400.000 MHz
| | | Gain range PGA0: 0.0 to 31.5 step 0.5 dB
| | | Bandwidth range: 120000000.0 to 120000000.0 step 0.0 Hz
| | | Connection Type: QI
| | | Uses LO offset: No
| _____________________________________________________
| /
| | RX Dboard: 0/Radio#0
| | ID: SBX-120 (0x0083)
| | Serial: 30854D9
| | _____________________________________________________
| | /
| | | RX Frontend: 0
| | | Name: SBX-120 RX
| | | Antennas: TX/RX, RX2, CAL
| | | Sensors: lo_locked
| | | Freq range: 400.000 to 4400.000 MHz
| | | Gain range PGA0: 0.0 to 31.5 step 0.5 dB
| | | Bandwidth range: 120000000.0 to 120000000.0 step 0.0 Hz
| | | Connection Type: IQ
| | | Uses LO offset: No
| _____________________________________________________
| /
| | TX Dboard: 0/Radio#1
| | ID: UBX-160 v1 (0x0079)
| | Serial: 30891D4
| | _____________________________________________________
| | /
| | | TX Frontend: 0
| | | Name: UBX TX
| | | Antennas: TX/RX, CAL
| | | Sensors: lo_locked
| | | Freq range: 10.000 to 6000.000 MHz
| | | Gain range PGA0: 0.0 to 31.5 step 0.5 dB
| | | Bandwidth range: 160000000.0 to 160000000.0 step 0.0 Hz
| | | Connection Type: QI
| | | Uses LO offset: No
| _____________________________________________________
| /
| | RX Dboard: 0/Radio#1
| | ID: UBX-160 v1 (0x007a)
| | Serial: 30891D4
| | _____________________________________________________
| | /
| | | RX Frontend: 0
| | | Name: UBX RX
| | | Antennas: TX/RX, RX2, CAL
| | | Sensors: lo_locked
| | | Freq range: 10.000 to 6000.000 MHz
| | | Gain range PGA0: 0.0 to 31.5 step 0.5 dB
| | | Bandwidth range: 160000000.0 to 160000000.0 step 0.0 Hz
| | | Connection Type: IQ
| | | Uses LO offset: No
uhd_find_devices
[INFO] [UHD] linux; GNU C++ version 7.5.0; Boost_106501; UHD_4.4.0.HEAD-0-8e54b58d
--------------------------------------------------
-- UHD Device 0
--------------------------------------------------
Device Address:
serial: 307A17A
addr: 192.168.10.2
fpga: HG
name:
product: X300
type: x300
I ran the nr-softmodem within gdb to debug the segmentation fault that occurs, and it was apparently caused by...
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:463
463 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
So, the issue is with OpenAirInterface for sure. I'll add the backtrace from the crash on my other machine in a moment. In the meantime, it appears that someone else has experienced this issue before and reported it to OAI git...
nr-softmodem: reproducible segfault in libuhd with Ettus N310 SDR (including proposed fix)
With commit #2338 it looks like they fixed the bug, which was about 6 months ago. I'll try rebuilding 5ghoul with a newer release of OAI and see if that resolves the compatibility with the X300.
Backtrace for nr-softmodem using the X300.
sudo ./nr-softmodem -O ~/wdissector/configs/5gnr_gnb/n78.106.X300.conf --sa --usrp-tx-thread-config 1 -E --continuous-tx
(gdb) backtrace
#0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:463
#1 0x00007fffccc8dcfd in uhd::transport::rx_streamer_impl<uhd::rfnoc::chdr_rx_data_xport, false>::recv(uhd::ref_vector<void*> const&, unsigned long, uhd::rx_metadata_t&, double, bool) () from /usr/local/lib/libuhd.so.4.4.0
#2 0x00007fffcd9227c8 in trx_usrp_read (device=<optimized out>, ptimestamp=<optimized out>, buff=<optimized out>, nsamps=<optimized out>, cc=16)
at /home/user/wdissector/3rd-party/oai_5g_sa/radio/USRP/USERSPACE/LIB/usrp_lib.cpp:697
#3 0x0000555555c78016 in rx_rf (ru=0x555557ed2a60, frame=<optimized out>, slot=0x7fffddffa898)
at /home/user/wdissector/3rd-party/oai_5g_sa/executables/nr-ru.c:648
#4 0x0000555555c7f5ff in ru_thread (param=0x555557ed2a60) at /home/user/wdissector/3rd-party/oai_5g_sa/executables/nr-ru.c:1206
#5 0x00007ffff779a6db in start_thread (arg=0x7fffddffb700) at pthread_create.c:463
#6 0x00007ffff58b561f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Rather than using a newer release version, I used the provided patch instead.
(./3rd-party/oai_5g_sa/radio/USRP/USERSPACE/LIB/usrp_lib.cpp of OAI), in line 697:
for (int i=0; i<cc; i++) buff_ptrs.push_back(buff_tmp[i]+samples_received);
- samples_received += s->rx_stream->recv(buff_ptrs, nsamps, s->rx_md);
+ samples_received += s->rx_stream->recv(buff_ptrs, nsamps-samples_received, s->rx_md);
} else {
This allows the nr-softmodem to proceed without segfaulting, however, another error occurs... [ERROR_CODE_OVERFLOW]...
sleep...
sleep...
[PHY] tx_reorder_thread started
[HW] [recv] received 6197 samples out of 23040
[HW] Time: 2.10148 s
ERROR_CODE_OVERFLOW (Overflow)
[PHY] rx_rf: Asked for 23040 samples, got 6197 from USRP
[PHY] problem receiving samples
-Type <RET> for more, q to quit, c to continue without paging--
Thread 11 "ru_thread" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffddffb700 (LWP 80203)]
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:466
466 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb)
(gdb)
(gdb)
(gdb) backtrace
#0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:466
#1 0x00007fffccc8dcfd in uhd::transport::rx_streamer_impl<uhd::rfnoc::chdr_rx_data_xport, false>::recv(uhd::ref_vector<void*> const&, unsigned long, uhd::rx_metadata_t&, double, bool) () from /usr/local/lib/libuhd.so.4.4.0
#2 0x00007fffcd9227cd in trx_usrp_read (device=<optimized out>, ptimestamp=<optimized out>, buff=<optimized out>, nsamps=<optimized out>, cc=16)
at /home/user/wdissector/3rd-party/oai_5g_sa/radio/USRP/USERSPACE/LIB/usrp_lib.cpp:698
#3 0x0000555555c78016 in rx_rf (ru=0x555557ed2a60, frame=<optimized out>, slot=0x7fffddffa898)
at /home/user/wdissector/3rd-party/oai_5g_sa/executables/nr-ru.c:648
#4 0x0000555555c7f5ff in ru_thread (param=0x555557ed2a60) at /home/user/wdissector/3rd-party/oai_5g_sa/executables/nr-ru.c:1206
#5 0x00007ffff779a6db in start_thread (arg=0x7fffddffb700) at pthread_create.c:463
#6 0x00007ffff58b561f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
This issue is also known to OAI #606 - USRP X310: nr-softmodem gives ERROR_CODE_OVERFLOW.
Besides the initial segfault issue - it looks like our configuration with the 1G/10G interface on the X300 is incorrect. If I find the solution, I will let you all know.
Our X300 is now working! It turns out that our configuration for the 10G interface was incorrect. After rereading the USRP Hardware Driver and USRP Manual, and then checking the SFP+ connectors used, I noticed that I was using an 1G SFP+ connector on the 10G Port 1. So, if you are experiencing connectivity issues with the USRP or see [ERROR_CODE_OVERFLOW], double check your interfaces.
Assuming your interfaces are connected correctly, you still need to do the following steps to use the X300:
Adding the patch and rebuilding OAI is really easy, just do the following:
(./3rd-party/oai_5g_sa/radio/USRP/USERSPACE/LIB/usrp_lib.cpp of OAI)
:
for (int i=0; i<cc; i++) buff_ptrs.push_back(buff_tmp[i]+samples_received);
- samples_received += s->rx_stream->recv(buff_ptrs, nsamps, s->rx_md);
+ samples_received += s->rx_stream->recv(buff_ptrs, nsamps-samples_received, s->rx_md);
} else {
cd /home/user/wdissector/3rd-party/oai_5g_sa/cmake_targets/
./build_oai -c -C
./build_oai -I --gNB --nrUE -w USRP
Here is the config that we used: n78.106.X300.conf.txt
You should then be able to run the 5ghoul fuzzer or attacks!
sudo bin/5g_fuzzer --MCC=001 --MNC=010 --GlobalTimeout=false --EnableMutation=false --BaseStationConfigFile n78.106.X300.conf --BaseStationArguments="--sa --usrp-tx-thread-config 1 --tune-offset 30000000 --continuous-tx"
We got our N310 to work as well - same process as before with the X300.
Here is the conf used: n78.106.n310.conf.txt
edit: double check your USRP address! our addr here is 192.168.20.2, but your addr will likely be different!
@micahflack Thanks a lot and sorry for the delay. Since we don't have other SDRs, it's a bit difficult for us to troubleshoot on our end. However, will certainly add your changes to the repo to enable support for both X300 and N310. Thanks a lot for your work 👍
@micahflack by the way, did you have to run uhd_images_downloader before doing the tests with those SDRs?
Hi @Matheus-Garbelini @micahflack : I have changed the configuration file and also edited the cpp file in the LIB folder. I am still not able to get output. When I tried with B210 everything worked well, but when I reconnected N310 there was an empty pcap file and fuzzer was not able to start UE. If you help me it would be great and I will be available for remote desktop also. Let me know. Thanks in advance.
@Matheus-Garbelini no worries! I'm more than happy to help contribute - this is a really cool tool/project.
I think I needed to update the firmware/image on the X300/N310 to match the libuhd version used by the 5ghoul container, but I didn't have any issues hopping between versions.
uhd_usrp_probe --args="type=x300,addr=192.168.40.2"
My coworker and I have noticed that the TX/RX for RF A and RF B will stop transmitting without producing any errors/warnings, so, I will look into this and let y'all know what I find.
@purvajoshi1 after editing the cpp file did you rebuild OAI? If you restart/stop the docker without committing the changes, you will have to do it again at every startup of the container. Otherwise, I would double check your interface setup with the N310 as well. When the base station process would repeatedly stop for us, it was because of UNDER/OVERFLOW errors and it just couldn't see the USRP; use the following cmd to narrow down the problem... uhd_usrp_probe --args="type=n3xx,addr=192.168.40.2"
(share the cmd output here)
edit: corrected the "type" used for the cmd - n3xx, not x300
Hi @micahflack @Matheus-Garbelini : Many thanks for your response. For more details, I attached the screenshots here. The issue is that the fuzzer stops at some point and when I start GUI, I do not have anything in the TX RX session. I changed the usrp.cpp file, I changed the SDR_ADDR and also changed the configuration file. Still, I am not able to solve the issue. Kindly look and help me. Email address: purva.joshi@phd.unipi.it
I have an X310 here with 10Gb connections and I just got new programmable sims in. Probably a perfect time to follow the discussion above and try to replicate.
Hi,
I have gone through the details and I have USRP N310 with Ubuntu 18.04. I want to ask If I need to change any configuration files or if I should continue with the given source files. Hope to hear back from you soon. Thank you.
Best, Purva Joshi