OpenBTS: BladeRF YateBTS
Building a portable GSM BTS using the Nuand bladeRF, Raspberry Pi and YateBTS (The Definitive and Step by Step Guide)
I was always amazed when I read articles published by hackers about GSM technology. However, playing with GSM technologies was not cheap until the arrival of Software Defined Radios (SDRs), besides not being something easy to implement.
After reading various articles about GSM BTSs, I noticed that there was a lot of inconsistent and/or incomplete information on the topic.
From this, I decided to write this article, detailing and describing, step by step, the building process of a portable and operational GSM BTS.
Before starting with the “hands on”, I would like to thank all the pioneering hackers and researchers who started the studies related to previously closed GSM technology.
In particular I would like to thank Karsten Nohl (this guy is a ninja) for all the excellent publications related to GSM hacking (take a look at what he did using the SS7 protocol) and Simone Margaritelli for the article entitled “How To Build Your Own Rogue GSM BTS For Fun And Profit”, which I used as the basis for my first successful GSM BTS implementation.
Hardware and Price
A Nuand bladeRF x40 USB 3.0 Software Defined Radio. Price: $420.00
Two Quad-band Cellular Duck Antennas (SMA). Price: $15.90
A Raspberry Pi 3 Model B Kit. Price: $69.99
An Anker Astro E7 26800mAh Portable Charger (optional). Price: $54.99
Raspberry Pi Operating System and Initial Configuration
The first thing to do is to download, unpack and install the RASPBIAN Jessie Lite (Version: March 2016, Release date: 2016-03-18, Kernel version 4.1) image to the MicroSD card.
blog@strcpy.info:/home/blog/$ wget -c http://vx2-downloads.raspberrypi.org/raspbian_lite/images/raspbian_lite-2016-03-18/2016-03-18-raspbian-jessie-lite.zip
blog@strcpy.info:/home/blog/$ unzip 2016-03-18-raspbian-jessie-lite.zip
blog@strcpy.info:/home/blog/$ dd if=2016-03-18-raspbian-jessie-lite.img of=/dev/Your_MicroSD_Device
After installing the image on the MicroSD card, it’s time to plug it into the Raspberry Pi, boot the device and start the initial configuration.
NOTE: You must know the IP address assigned to the Raspberry Pi. In this example the IP address assigned to the Raspberry Pi is 192.168.0.10.
blog@strcpy.info:/home/blog/$ ssh pi@192.168.0.10
pi@192.168.0.10's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Fri Apr 22 15:00:30 2016 from strcpy.info
pi@raspberry:~$
NOTE: In Raspbian the default user is pi with the password raspberry. Change it with passwd before the Pi is reachable from any shared network; a BTS controller with a well-known default login is an easy target.
Now that you are logged into the Raspberry Pi, you will run the configuration commands as the superuser.
Let’s start by expanding the filesystem (root partition).
pi@raspberry:~$ sudo su
root@raspberrypi:/home/pi# raspi-config
After restarting the Raspberry Pi you can start the dependencies installation process.
Installing Dependencies
You must install the necessary dependencies to the environment.
blog@strcpy.info:/home/blog/$ ssh pi@192.168.0.10
pi@raspberry:~$ sudo su
root@raspberry:/home/pi# apt-get update
root@raspberry:/home/pi# apt-get -y install git telnet apache2 php5 libusb-1.0-0 libusb-1.0-0-dbg libusb-1.0-0-dev libgsm1 libgsm1-dev cmake automake
Plugging the Nuand bladeRF x40
Now you will plug the Nuand bladeRF x40 into one of the USB ports of the Raspberry Pi to ensure that it is being properly detected.
root@raspberry:/home/pi# dmesg
[ 2092.437659] usb 1-1.2: New USB device found, idVendor=1d50, idProduct=6066
[ 2092.437679] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2092.437692] usb 1-1.2: Product: bladeRF
[ 2092.437704] usb 1-1.2: Manufacturer: Nuand
[ 2092.437716] usb 1-1.2: SerialNumber: 4c132c8ba43e0c4d922418a29a1ce207
Nuand bladeRF Source Code
Download and install the Nuand bladeRF source code.
root@raspberry:/home/pi# cd /tmp
root@raspberry:/tmp# wget -c https://github.com/Nuand/bladeRF/archive/master.zip
root@raspberry:/tmp# unzip master.zip
root@raspberry:/tmp# cd bladeRF-master
root@raspberry:/tmp/bladeRF-master# cd host
root@raspberry:/tmp/bladeRF-master/host# mkdir build
root@raspberry:/tmp/bladeRF-master/host# cd build
root@raspberry:/tmp/bladeRF-master/host/build# cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local -DINSTALL_UDEV_RULES=ON ../
root@raspberry:/tmp/bladeRF-master/host/build# make -j4
root@raspberry:/tmp/bladeRF-master/host/build# make install > install.log
root@raspberry:/tmp/bladeRF-master/host/build# ldconfig
Nuand bladeRF x40 Firmware
Download and install the Nuand bladeRF x40 firmware v1.9.1.
root@raspberry:/tmp/SubversiveBTS/yatebts# cd /tmp
root@raspberry:/tmp/# wget -c http://www.nuand.com/fx3/bladeRF_fw_v1.9.1.img
root@raspberry:/tmp/# bladeRF-cli -f bladeRF_fw_v1.9.1.img -v verbose
After installing firmware v1.9.1, unplug the Nuand bladeRF x40 from the Raspberry Pi USB port and plug it in again so that the device starts with the new firmware.
Now it is time to check the installed versions of bladeRF-cli, libbladeRF, the Nuand bladeRF x40 firmware and the Nuand bladeRF x40 FPGA.
root@raspberry:/tmp/# bladeRF-cli -i
bladeRF> version
bladeRF-cli version: 1.3.1-git-unknown
libbladeRF version: 1.6.1-git-unknown
Firmware version: 1.9.1
FPGA version: Unknown (FPGA not loaded)
bladeRF>
Exit from the bladeRF prompt by typing ‘quit’.
Yate and YateBTS (SubversiveBTS) Source Code
To create the GSM BTS you will need to download and install Yate and YateBTS, both open source software.
Thanks to Simone Margaritelli you don’t need to waste time to find out which versions of Yate and YateBTS are compatible with Nuand bladeRF x40. Simone Margaritelli created a GitHub repository with the correct versions of both.
NOTE: I created a GitHub repository with copies of the correct versions originally provided by Simone Margaritelli.
root@raspberry:/tmp/bladeRF-master/host/build# cd /tmp
root@raspberry:/tmp# git clone https://github.com/strcpyblog/SubversiveBTS.git
root@raspberry:/tmp# cd SubversiveBTS/yate
root@raspberry:/tmp/SubversiveBTS/yate# ./autogen.sh
root@raspberry:/tmp/SubversiveBTS/yate# ./configure --prefix=/usr/local
root@raspberry:/tmp/SubversiveBTS/yate# make -j4
root@raspberry:/tmp/SubversiveBTS/yate# make install > install.log
root@raspberry:/tmp/SubversiveBTS/yate# ldconfig
root@raspberry:/tmp/SubversiveBTS/yate# cd /tmp/SubversiveBTS/yatebts
root@raspberry:/tmp/SubversiveBTS/yatebts# ./autogen.sh
root@raspberry:/tmp/SubversiveBTS/yatebts# ./configure --prefix=/usr/local
root@raspberry:/tmp/SubversiveBTS/yatebts# make -j4
root@raspberry:/tmp/SubversiveBTS/yatebts# make install > install.log
root@raspberry:/tmp/SubversiveBTS/yatebts# ldconfig
Network in a Box (NIB) Web GUI
Create a symlink to the NIB Web GUI into Apache WWW folder and grant write permission to the configuration files.
root@raspberry:/tmp/SubversiveBTS/yatebts# cd /var/www/html
root@raspberry:/var/www/html# ln -s /usr/local/share/yate/nib_web nib
root@raspberry:/var/www/html# chmod -R a+w /usr/local/etc/yate
NOTE: a+w makes the Yate configuration world-writable, so any local user or process on the Pi can change the BTS settings. Giving ownership of /usr/local/etc/yate to the Apache user (www-data on Raspbian) instead gives the NIB Web GUI the write access it needs without that exposure.
Configuring the GSM BTS Operability
Now you can access the Network in a Box (NIB) Web GUI from browser and start to configure the BTS.
NOTE: Browse to the address http://192.168.0.10/nib.
For the GSM BTS operability you need to set the following values:
Radio.Band=900
Radio.C0=75
Identity.MCC=001
Identity.MNC=01
Radio.PowerManager.MaxAttenDB=35
Radio.PowerManager.MinAttenDB=35
Apparently, in the public version of YateBTS, setting the value “Identity.ShortName” has no effect. According to the available information, this value only takes effect in the commercial version of YateBTS.
In OpenBTS, setting this value works perfectly.
Therefore, changing the value “Identity.ShortName=SubversiveBTS” will have no effect.
How about we write a patch for this? :)
Allowing Subscribers
You need to allow the subscribers’ phones to connect to the GSM BTS.
NOTE: Take care with the .* regular expression: it matches any IMSI, so every phone that selects your network will be allowed to register. For a lab setup, restrict it to the IMSIs of your own test SIMs.
Tapping
You can activate GSM and GPRS Tapping. With these options enabled you can capture GSM (signalling) and GPRS (signalling and traffic) on the L1/L2 interfaces via GSMTAP.
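What the tapping options actually emit is a stream of GSMTAP datagrams, one per Layer 2 frame, each with a 16-byte header describing the channel, ARFCN, timeslot, direction and frame number. The following example is added here and is not YateBTS, Yate or bladeRF code: it encodes and decodes that header using the GSMTAP v2 layout from osmocom’s gsmtap.h (UDP port 4729), and summarises which channels and directions a capture contains, which is a quick way to confirm that your own BTS is only being talked to on the channels you expect. The sample frames and their payload bytes are constructed for the example; they are not real Layer 3 messages.

```python
import struct
from collections import Counter

GSMTAP_UDP_PORT = 4729          # port YateBTS and Wireshark use for GSMTAP
GSMTAP_VERSION = 2
# 16-byte GSMTAP v2 header (osmocom gsmtap.h), big-endian fields:
# version, hdr_len (32-bit words), type, timeslot, arfcn+flags,
# signal_dbm, snr_db, frame_number, sub_type, antenna_nr, sub_slot, reserved
HDR = struct.Struct(">BBBBHbbIBBBB")
ARFCN_MASK, ARFCN_F_PCS, ARFCN_F_UPLINK = 0x3FFF, 0x8000, 0x4000
CHANNEL_F_ACCH = 0x80           # sub_type flag: associated control channel (SACCH/FACCH)

TYPE_NAMES = {0x01: "UM", 0x02: "ABIS", 0x03: "UM_BURST", 0x04: "SIM",
              0x08: "GB_LLC", 0x09: "GB_SNDCP"}
UM_CHANNELS = {0x00: "UNKNOWN", 0x01: "BCCH", 0x02: "CCCH", 0x03: "RACH", 0x04: "AGCH",
               0x05: "PCH", 0x06: "SDCCH", 0x07: "SDCCH4", 0x08: "SDCCH8", 0x09: "TCH_F",
               0x0A: "TCH_H", 0x0B: "PACCH", 0x0C: "CBCH52", 0x0D: "PDCH", 0x0E: "PTCCH",
               0x0F: "CBCH51"}


def build_gsmtap(payload, channel, arfcn, uplink=False, timeslot=0, frame_number=0,
                 gsmtap_type=0x01, signal_dbm=-60, snr_db=20):
    """Encode one GSMTAP datagram (used here to construct the sample frames)."""
    arfcn_field = (arfcn & ARFCN_MASK) | (ARFCN_F_UPLINK if uplink else 0)
    header = HDR.pack(GSMTAP_VERSION, HDR.size // 4, gsmtap_type, timeslot, arfcn_field,
                      signal_dbm, snr_db, frame_number, channel, 0, 0, 0)
    return header + payload


def parse_gsmtap(datagram):
    """Decode the header; hdr_len is honoured so longer future headers are skipped."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    (version, hdr_len, gsmtap_type, timeslot, arfcn_field, signal_dbm, snr_db,
     frame_number, sub_type, antenna, sub_slot, _reserved) = HDR.unpack_from(datagram)
    if version != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {version}")
    hdr_bytes = hdr_len * 4
    if hdr_bytes < HDR.size or hdr_bytes > len(datagram):
        raise ValueError(f"implausible hdr_len {hdr_len}")
    channel = sub_type & 0x7F   # strip the ACCH flag to get the base channel
    return {
        "type": TYPE_NAMES.get(gsmtap_type, f"0x{gsmtap_type:02x}"),
        "channel": UM_CHANNELS.get(channel, f"0x{channel:02x}") if gsmtap_type == 0x01 else None,
        "acch": bool(sub_type & CHANNEL_F_ACCH),
        "uplink": bool(arfcn_field & ARFCN_F_UPLINK),
        "pcs": bool(arfcn_field & ARFCN_F_PCS),
        "arfcn": arfcn_field & ARFCN_MASK,
        "timeslot": timeslot, "sub_slot": sub_slot, "antenna": antenna,
        "frame_number": frame_number, "signal_dbm": signal_dbm, "snr_db": snr_db,
        "payload": datagram[hdr_bytes:],
    }


def summarize_capture(datagrams):
    """Count (direction, channel) pairs: a quick view of what the tap produced."""
    counts = Counter()
    for d in datagrams:
        f = parse_gsmtap(d)
        counts[("UL" if f["uplink"] else "DL", f["channel"] or f["type"])] += 1
    return counts


# Constructed sample frames on the guide's ARFCN 75 (placeholder payload bytes).
SAMPLE_FRAMES = [
    build_gsmtap(b"\x49\x06\x1b", channel=0x01, arfcn=75, frame_number=1000),          # BCCH, downlink
    build_gsmtap(b"\x3a", channel=0x03, arfcn=75, uplink=True, frame_number=1003),      # RACH, uplink
    build_gsmtap(b"\x05\x08", channel=0x06, arfcn=75, timeslot=1, frame_number=1010),   # SDCCH, downlink
    build_gsmtap(b"\x06\x2d", channel=0x06 | CHANNEL_F_ACCH, arfcn=75, timeslot=1,
                 uplink=True, frame_number=1020),                                        # SACCH, uplink
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_gsmtap(frame))
    print(summarize_capture(SAMPLE_FRAMES))
```

To use it on a live tap, bind a UDP socket to the address and port YateBTS sends GSMTAP to (port 4729; the destination address is set in the tapping options) and pass each received datagram to parse_gsmtap, or extract the UDP payloads from a pcap taken with tcpdump. An unexpected uplink RACH burst count, or traffic on a channel you did not configure, is the kind of thing summarize_capture makes visible at a glance.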
At this point the minimal GSM configuration is done and you should have an operational GSM BTS.
Now you need to configure the GPRS settings to provide a data connection (Internet).
Believe me, the GPRS data connection is very slow. :(
Configuring the GPRS BTS Operability
First you need to configure the NAT with IPTABLES.
root@raspberry:/var/www/html# iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
NOTE: Replace the wlan0 network interface with the Raspberry Pi network interface connected to the Internet.
Now, for the GPRS operability we need to set the following values:
Firewall.Enable=no firewall
MS.IP.Base=192.168.1.20
MS.IP.MaxCount=5
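The GPRS values above and the GSM values from the “Configuring the GSM BTS Operability” section are all typed into the NIB form by hand, and the two that matter most for staying inside a lab are Identity.MCC/MNC (anything other than the test MCC 001 announces a real operator’s network identity) and Radio.C0 (the ARFCN must lie inside the selected band). The following example is added here and is not YateBTS, Yate or NIB code: it parses the Key=Value lines as this guide lists them, checks the PLMN, band/ARFCN and attenuation values, derives the GPRS address pool from MS.IP.Base and MS.IP.MaxCount, and prints a tighter version of the iptables rule that only masquerades that pool instead of everything. Assumptions: the ARFCN ranges are the GSM 850/E-GSM 900/DCS 1800/PCS 1900 numbering from 3GPP TS 45.005; the “Test PLMN 1-1” label is the one operator lists (and the phone in this guide) show for 001/01; wlan0 and 192.168.0.10 are the interface and management address used earlier in the guide; the -m iprange match is a standard iptables module.

```python
import ipaddress

# Copy of the values this guide sets in the NIB Web GUI (GSM and GPRS sections).
GUIDE_SETTINGS = """\
Radio.Band=900
Radio.C0=75
Identity.MCC=001
Identity.MNC=01
Radio.PowerManager.MaxAttenDB=35
Radio.PowerManager.MinAttenDB=35
Firewall.Enable=no firewall
MS.IP.Base=192.168.1.20
MS.IP.MaxCount=5
"""

# ARFCN numbering per band (3GPP TS 45.005): GSM 850, E-GSM 900, DCS 1800, PCS 1900.
BAND_ARFCNS = {"850": [(128, 251)], "900": [(0, 124), (975, 1023)],
               "1800": [(512, 885)], "1900": [(512, 810)]}
TEST_MCC = "001"   # MCC reserved for test networks; shown on phones as "Test PLMN x-y"


def parse_settings(text):
    """Key=Value lines as the guide lists them; values may contain spaces."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_settings(settings, egress_iface="wlan0", host_addrs=()):
    """Return errors/warnings plus the derived PLMN label, GPRS pool and NAT rule."""
    errors, warnings = [], []

    mcc, mnc = settings.get("Identity.MCC", ""), settings.get("Identity.MNC", "")
    if not (mcc.isdigit() and len(mcc) == 3 and mnc.isdigit() and len(mnc) in (2, 3)):
        errors.append(f"malformed PLMN {mcc!r}/{mnc!r}")
    elif mcc != TEST_MCC:
        errors.append(f"MCC {mcc} is not the test MCC: this would announce a real operator's PLMN")
    plmn_label = f"Test PLMN {int(mcc)}-{int(mnc)}" if mcc == TEST_MCC and mnc.isdigit() else None

    band = settings.get("Radio.Band", "")
    try:
        c0 = int(settings.get("Radio.C0", ""))
    except ValueError:
        c0 = None
        errors.append("Radio.C0 missing or not an integer")
    if band not in BAND_ARFCNS:
        errors.append(f"unknown Radio.Band {band!r}")
    elif c0 is not None and not any(lo <= c0 <= hi for lo, hi in BAND_ARFCNS[band]):
        errors.append(f"ARFCN {c0} is outside the GSM {band} band")

    try:
        max_att = int(settings["Radio.PowerManager.MaxAttenDB"])
        min_att = int(settings["Radio.PowerManager.MinAttenDB"])
        if min_att < 0 or max_att < min_att:
            errors.append("attenuation must satisfy 0 <= MinAttenDB <= MaxAttenDB")
        elif min_att == max_att:
            warnings.append(f"fixed output attenuation of {min_att} dB (no power control range)")
    except (KeyError, ValueError):
        errors.append("attenuation settings missing or not integers")

    pool, nat_rule = [], None
    try:
        base = ipaddress.IPv4Address(settings["MS.IP.Base"])
        count = int(settings["MS.IP.MaxCount"])
        if count < 1:
            raise ValueError("MS.IP.MaxCount must be >= 1")
        pool = [str(base + i) for i in range(count)]   # addresses handed to phones
        clash = sorted(set(pool) & set(host_addrs))
        if clash:
            errors.append(f"GPRS pool overlaps host addresses {clash}")
        # Least-privilege form of the guide's MASQUERADE rule: only the phone pool is NATed.
        nat_rule = (f"iptables -t nat -A POSTROUTING -m iprange --src-range "
                    f"{pool[0]}-{pool[-1]} -o {egress_iface} -j MASQUERADE")
    except (KeyError, ValueError):
        errors.append("MS.IP.Base / MS.IP.MaxCount missing or invalid")

    return {"errors": errors, "warnings": warnings, "plmn_label": plmn_label,
            "gprs_pool": pool, "nat_rule": nat_rule}


if __name__ == "__main__":
    report = check_settings(parse_settings(GUIDE_SETTINGS), host_addrs=["192.168.0.10"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the values you typed into the NIB form before starting yate; the script is meant to fail loudly on an MCC other than 001 or an ARFCN outside the band, and the printed iptables rule is the narrower replacement for the MASQUERADE command in the previous step. Packet forwarding between the phone pool and the egress interface also has to be enabled in the kernel (net.ipv4.ip_forward), which this guide does not show.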
Starting the BTS
It’s time to start the BTS executing the command:
root@raspberry:/# yate -s
If everything was set up correctly, you should see a bunch of messages and the lines:
...
Release 5.0.1 formal build date Apr 22 2016 rev
Starting MBTS...
Yate engine is initialized and starting up on GhostBTS
RTNETLINK answers: File exists
MBTS ready
Connecting Phones
You will manually connect the phones to the GSM BTS by selecting the “Test PLMN 1-1” Network ID in the network list.
In the example shown here, the Network ID is “Test PLMN 1-1” due to the values “Identity.MCC=001” and “Identity.MNC=01”, previously configured.
NOTE: Valid MCC and MNC values can be found here.
After the phones are successfully authenticated to the GSM network, a welcome message containing the allocated number will be received via SMS.
NOTE: You can change the welcome message by editing the file: /usr/local/share/yate/scripts/nib.js
Subscribers
In this section you can manage the details related to the subscribers of the BTS.
Here you can see the online subscribers.
Real Tests
SMS exchange between two phones connected to “Test PLMN 1-1” GSM BTS.
Call between two phones connected to “Test PLMN 1-1” GSM BTS.
A phone connected to “Test PLMN 1-1” GSM BTS and using the data connection through GPRS (Internet).
Final Notes
I hope that after reading this article you can successfully implement your own GSM BTS.
Play with the configuration files, read about this topic, search for more information about it, discuss it and, most important of all… share the knowledge!
References
http://wiki.yatebts.com/index.php/Main_Page
https://github.com/Nuand/bladeRF/wiki/Setting-up-Yate-and-YateBTS-with-the-bladeRF
https://imjuanpablo.wordpress.com/2015/02/14/should-you-need-openbts-on-your-bladerf
https://evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit
http://linux.net.pk/blog/poor-mans-gsm-bts-nuands-bladerf-openbts-5-setup-instructions
https://discourse.criticalengineering.org/t/howto-gsm-base-station-with-the-beaglebone-black-debian-gnu-linux-and-a-usrp/56
https://github.com/Nuand/bladeRF/wiki/Minimalistic-build-and-run-test-for-OpenBTS-5
https://www.raspberrypi.org/documentation/installation/installing-images/linux.md
http://www.circuitbasics.com/raspberry-pi-basics-setup-without-monitor-keyboard-headless-mode/