
Building a portable GSM BTS using the Nuand bladeRF, Raspberry Pi and YateBTS (The Definitive and Step by Step Guide)

https://blog.strcpy.info/2016/04/21/building-a-portable-gsm-bts-using-bladerf-raspberry-and-yatebts-the-definitive-guide/

I was always amazed when I read articles published by some hackers related to GSM technology. However, playing with GSM technologies was not cheap until the arrival of Software Defined Radios (SDRs), and it was not easy to implement either.
After reading various articles related to GSM BTS, I noticed that there was a lot of inconsistent or incomplete information on the topic.
Because of this, I decided to write this article, detailing and describing step by step the process of building a portable and operational GSM BTS.
Before starting with the “hands on”, I would like to thank all the pioneering hackers and researchers who started the studies of the previously closed GSM technology.
In particular I would like to thank Karsten Nohl (this guy is a Ninja) for all his excellent publications related to GSM hacking (take a look at what he did using the SS7 protocol) and Simone Margaritelli for the article entitled “How To Build Your Own Rogue GSM BTS For Fun And Profit“, which I used as the basis for my first successful GSM BTS implementation.

Hardware and Price

Raspberry Pi Operating System and Initial Configuration

The first thing to do is to download, unpack and write the RASPBIAN Jessie Lite (Version: March 2016, Release date: 2016-03-18, Kernel version 4.1) image to the MicroSD card.
blog@strcpy.info:/home/blog/$ wget -c http://vx2-downloads.raspberrypi.org/raspbian_lite/images/raspbian_lite-2016-03-18/2016-03-18-raspbian-jessie-lite.zip
blog@strcpy.info:/home/blog/$ unzip 2016-03-18-raspbian-jessie-lite.zip
blog@strcpy.info:/home/blog/$ dd if=2016-03-18-raspbian-jessie-lite.img of=/dev/Your_MicroSD_Device
After installing the image on the MicroSD card it’s time to plug it into the Raspberry Pi, boot the device and start the initial configuration.
NOTE: You must know the IP address assigned to the Raspberry Pi.
In this example the IP address assigned to the Raspberry Pi will be 192.168.0.10.
blog@strcpy.info:/home/blog/$ ssh pi@192.168.0.10
pi@192.168.0.10's password:  


The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Apr 22 15:00:30 2016 from strcpy.info
pi@raspberry:~ $
NOTE: In Raspbian the default user is pi with the password raspberry.
Now that you are logged into the Raspberry Pi, you will run the configuration commands as the superuser.

Let’s start by expanding the filesystem (root partition).
pi@raspberry:~ $ sudo su
root@raspberrypi:/home/pi# raspi-config
After restarting the Raspberry Pi, you can start the dependency installation process.

Installing Dependencies

Install the dependencies that the build environment needs.
blog@strcpy.info:/home/blog/$ ssh pi@192.168.0.10
pi@raspberry:~ $ sudo su
root@raspberry:/home/pi# apt-get update
root@raspberry:/home/pi# apt-get install git telnet apache2 php5 libusb-1.0-0 libusb-1.0-0-dbg libusb-1.0-0-dev cmake automake

Plugging the Nuand bladeRF x40

Now plug the Nuand bladeRF x40 into one of the Raspberry Pi's USB ports and check dmesg to confirm that it is properly detected.
root@raspberry:/home/pi# dmesg
[ 2092.437659] usb 1-1.2: New USB device found, idVendor=1d50, idProduct=6066
[ 2092.437679] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2092.437692] usb 1-1.2: Product: bladeRF
[ 2092.437704] usb 1-1.2: Manufacturer: Nuand
[ 2092.437716] usb 1-1.2: SerialNumber: 4c132c8ba43e0c4d922418a29a1ce207

Nuand bladeRF Source Code

Download and install the Nuand bladeRF source code.
root@raspberry:/home/pi# cd /tmp
root@raspberry:/tmp# wget -c https://github.com/Nuand/bladeRF/archive/master.zip
root@raspberry:/tmp# unzip master.zip
root@raspberry:/tmp# cd bladeRF-master
root@raspberry:/tmp/bladeRF-master# cd host
root@raspberry:/tmp/bladeRF-master/host# mkdir build
root@raspberry:/tmp/bladeRF-master/host# cd build
root@raspberry:/tmp/bladeRF-master/host/build# cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local -DINSTALL_UDEV_RULES=ON ../
root@raspberry:/tmp/bladeRF-master/host/build# make -j4
root@raspberry:/tmp/bladeRF-master/host/build# make install > install.log
root@raspberry:/tmp/bladeRF-master/host/build# ldconfig

Yate and YateBTS (SubversiveBTS) Source Code

To create the GSM BTS you will need to download and install Yate and YateBTS, both of which are open source.

Thanks to Simone Margaritelli you don’t need to waste time finding out which versions of Yate and YateBTS are compatible with the Nuand bladeRF x40: he created a GitHub repository with the correct versions of both.

NOTE: I created a GitHub repository with copies of the correct versions originally provided by Simone Margaritelli.

root@raspberry:/tmp/bladeRF-master/host/build# cd /tmp
root@raspberry:/tmp# git clone https://github.com/strcpyblog/SubversiveBTS.git
root@raspberry:/tmp# cd SubversiveBTS/yate
root@raspberry:/tmp/SubversiveBTS/yate# ./autogen.sh
root@raspberry:/tmp/SubversiveBTS/yate# ./configure --prefix=/usr/local
root@raspberry:/tmp/SubversiveBTS/yate# make -j4
root@raspberry:/tmp/SubversiveBTS/yate# make install > install.log
root@raspberry:/tmp/SubversiveBTS/yate# ldconfig
root@raspberry:/tmp/SubversiveBTS/yate# cd /tmp/SubversiveBTS/yatebts
root@raspberry:/tmp/SubversiveBTS/yatebts# ./autogen.sh
root@raspberry:/tmp/SubversiveBTS/yatebts# ./configure --prefix=/usr/local
root@raspberry:/tmp/SubversiveBTS/yatebts# make -j4
root@raspberry:/tmp/SubversiveBTS/yatebts# make install > install.log
root@raspberry:/tmp/SubversiveBTS/yatebts# ldconfig

Nuand bladeRF x40 Firmware

Download and install the Nuand bladeRF x40 firmware v1.8.0.
root@raspberry:/tmp/SubversiveBTS/yatebts# cd /tmp
root@raspberry:/tmp/# wget -c http://www.nuand.com/fx3/bladeRF_fw_v1.8.0.img
root@raspberry:/tmp/# bladeRF-cli -f bladeRF_fw_v1.8.0.img -v verbose
After installing firmware v1.8.0, unplug the Nuand bladeRF x40 from the Raspberry Pi USB port and plug it in again so that the device starts with the new firmware.
Now it is time to check the installed versions of bladeRF-cli, libbladeRF, the Nuand bladeRF x40 firmware and the Nuand bladeRF x40 FPGA.
root@raspberry:/tmp/# bladeRF-cli -i
bladeRF> version

  bladeRF-cli version:        1.3.1-git-unknown
  libbladeRF version:         1.6.1-git-unknown

  Firmware version:           1.8.0
  FPGA version:               Unknown (FPGA not loaded)

bladeRF>
Exit the bladeRF prompt by typing ‘quit’.
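The two manual checks above (looking for the bladeRF in dmesg, then querying the version from bladeRF-cli) can be scripted so that a freshly flashed board is verified before yate is started. This is an added example, not code from the original post or from Nuand: the functions read captured output on stdin, the sample text is constructed from the output shown above, and the expected firmware version is passed in as a parameter.

```shell
#!/bin/sh
# Added example (not from the original post): script the "look at dmesg"
# and "bladeRF-cli -i / version" checks. Each function reads text on stdin,
# so on the Pi you pipe real `dmesg` or `bladeRF-cli -i` output into it.

# USB vendor:product IDs of the bladeRF, as seen in the dmesg lines above.
BLADERF_VID=1d50
BLADERF_PID=6066

# bladerf_usb_detected: exit 0 if the kernel log on stdin lists a device
# with the bladeRF USB IDs.
bladerf_usb_detected() {
    grep -q "idVendor=${BLADERF_VID}, idProduct=${BLADERF_PID}"
}

# bladerf_firmware_version: print the "Firmware version:" value from the
# `version` output of bladeRF-cli on stdin (nothing if the line is absent).
bladerf_firmware_version() {
    sed -n 's/^[[:space:]]*Firmware version:[[:space:]]*//p' | head -n 1
}

# bladerf_firmware_ok EXPECTED: exit 0 if the version output on stdin
# reports exactly the expected firmware (1.8.0 after the flash above).
bladerf_firmware_ok() {
    expected=$1
    found=$(bladerf_firmware_version)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# bladerf_fpga_loaded: exit 0 unless the output says "FPGA not loaded".
# Right after a firmware flash the post's own output shows the FPGA as not
# loaded, so treat a failure here as informational at this stage.
bladerf_fpga_loaded() {
    ! grep -q "FPGA not loaded"
}

# Constructed sample text, modelled on the output shown in the post.
SAMPLE_DMESG='[ 2092.437659] usb 1-1.2: New USB device found, idVendor=1d50, idProduct=6066
[ 2092.437692] usb 1-1.2: Product: bladeRF
[ 2092.437704] usb 1-1.2: Manufacturer: Nuand'

SAMPLE_VERSION='  bladeRF-cli version:        1.3.1-git-unknown
  libbladeRF version:         1.6.1-git-unknown

  Firmware version:           1.8.0
  FPGA version:               Unknown (FPGA not loaded)'

# Stand-alone demo on the samples; on the Pi feed in the real output.
printf '%s\n' "$SAMPLE_DMESG" | bladerf_usb_detected && echo "bladeRF detected on USB"
printf '%s\n' "$SAMPLE_VERSION" | bladerf_firmware_ok 1.8.0 && echo "firmware 1.8.0 present"
printf '%s\n' "$SAMPLE_VERSION" | bladerf_fpga_loaded || echo "FPGA not loaded yet"
```

On the Pi the same functions are used as `dmesg | bladerf_usb_detected` and `bladeRF-cli -i <<< version | bladerf_firmware_ok 1.8.0` (or by saving the interactive output to a file first), which makes a mismatch between the flashed image and the running firmware visible before the BTS is brought up.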

Network in a Box (NIB) Web GUI

Create a symlink to the NIB Web GUI in the Apache document root and grant write permission on the configuration files. Note that a+w makes every file under /usr/local/etc/yate writable by any local user; giving write access only to the web server's user (www-data on Raspbian) is the tighter option if the Pi is shared.

root@raspberry:/tmp/# cd /var/www/html
root@raspberry:/var/www/html# ln -s /usr/local/share/yate/nib_web nib
root@raspberry:/var/www/html# chmod -R a+w /usr/local/etc/yate

Configuring the GSM BTS Operability

Now you can access the Network in a Box (NIB) Web GUI from a browser and start configuring the BTS.
NOTE: Open your browser at the address http://192.168.0.10/nib.
For the GSM BTS to operate you need to set the following values:
Radio.Band=900
Radio.C0=75
Identity.MCC=001
Identity.MNC=01
Radio.PowerManager.MaxAttenDB=35
Radio.PowerManager.MinAttenDB=35
Apparently, in the public version of YateBTS, setting the value “Identity.ShortName” has no effect. According to the information I found, this value only takes effect in the commercial version of YateBTS.

In OpenBTS this setting works perfectly.
Therefore, changing the value “Identity.ShortName=SubversiveBTS” will have no effect.
How about we write a patch for this?  :)
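The same GSM values can be applied without the Web GUI, which makes the build reproducible and lets the configuration live in version control. The script below is an added example, not code from the original post or from YateBTS. It assumes (an assumption, not confirmed by the post) that the NIB GUI stores these keys in the [gsm] section of /usr/local/etc/yate/ybts.conf, under the directory whose permissions were opened above; ini_set and ini_get are hypothetical helper names, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): apply the GSM settings from
# the shell to an ini-style Yate config file.
# Assumption: the NIB GUI writes these keys to [gsm] in ybts.conf.
YBTS_CONF=${YBTS_CONF:-/usr/local/etc/yate/ybts.conf}

# ini_set FILE SECTION KEY VALUE
# Replaces KEY inside [SECTION] (also when it is commented out as ;key= or
# #key=), appends it at the end of the section otherwise, and creates the
# section if the file lacks it. Other sections are left untouched.
ini_set() {
    file=$1 section=$2 key=$3 value=$4
    tmp="${file}.tmp.$$"
    awk -v s="$section" -v k="$key" -v v="$value" '
        function emit_pending() { if (insec && !done) { print k "=" v; done = 1 } }
        function flush_blank() { while (nblank > 0) { print ""; nblank-- } }
        /^[[:space:]]*\[/ {                  # section header
            emit_pending(); flush_blank()
            name = $0; sub(/^[[:space:]]*\[/, "", name); sub(/\].*$/, "", name)
            insec = (name == s); if (insec) seen = 1
            print; next
        }
        insec && /^[[:space:]]*$/ { nblank++; next }   # hold blanks so appends land above them
        insec && !done {
            line = $0; sub(/^[[:space:]]*[;#]?[[:space:]]*/, "", line)
            split(line, kv, "="); key = kv[1]; gsub(/[[:space:]]/, "", key)
            if (key == k) { flush_blank(); print k "=" v; done = 1; next }
        }
        { flush_blank(); print }
        END {
            emit_pending(); flush_blank()
            if (!seen) { print ""; print "[" s "]"; print k "=" v }
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# ini_get FILE SECTION KEY: print the active (uncommented) value, if any.
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^[[:space:]]*\[/ { name = $0; sub(/^[[:space:]]*\[/, "", name); sub(/\].*$/, "", name); insec = (name == s); next }
        insec && $0 !~ /^[[:space:]]*[;#]/ {
            split($0, kv, "="); key = kv[1]; gsub(/[[:space:]]/, "", key)
            if (key == k) { sub(/^[^=]*=/, ""); print; exit }
        }
    ' "$1"
}

# apply_gsm_settings FILE: the values listed in the section above.
apply_gsm_settings() {
    f=$1
    ini_set "$f" gsm Radio.Band 900
    ini_set "$f" gsm Radio.C0 75
    ini_set "$f" gsm Identity.MCC 001
    ini_set "$f" gsm Identity.MNC 01
    ini_set "$f" gsm Radio.PowerManager.MaxAttenDB 35
    ini_set "$f" gsm Radio.PowerManager.MinAttenDB 35
}

# make_sample_conf FILE: constructed stand-in for ybts.conf, with some keys
# commented out the way a pristine config often ships.
make_sample_conf() {
    cat > "$1" <<'EOF'
[ybts]
;mode=nib

[gsm]
;Radio.Band=
;Radio.C0=
Identity.MCC=999
Identity.MNC=99

[gprs]
;Enable=yes
EOF
}

# Stand-alone demo on a temporary copy; point it at "$YBTS_CONF" on the Pi.
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
apply_gsm_settings "$demo_conf"
cat "$demo_conf"
rm -f "$demo_conf"
```

Run it on a copy of the real file first and diff the result against the original before restarting yate; the awk program keeps every other section byte-for-byte, so the diff should show only the six keys.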

Allowing Subscribers

You need to allow the subscriber phones to connect to the GSM BTS.
NOTE: Take care with the .* regular expression: it matches every subscriber, so any phone in range that selects the network is accepted.
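To see what a given regular expression will let onto the network before saving it in the GUI, it helps to dry-run candidate patterns against sample IMSIs. The script below is an added example, not from the original post or from YateBTS. It assumes that YateBTS matches the regexp against each phone's 15-digit IMSI (MCC+MNC+MSIN) and admits the phone on a match, uses grep -E as a stand-in for that matcher (so the pattern is unanchored unless you write ^ and $), and every IMSI in it is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run the subscriber
# allow-list regexp against sample IMSIs. Assumption: YateBTS accepts a
# phone when the regexp matches its IMSI; grep -E stands in for that.

# imsi_accepted REGEXP IMSI: exit 0 if the regexp would admit the IMSI.
imsi_accepted() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# regexp_is_catch_all REGEXP: exit 0 when the pattern admits an IMSI from
# a completely different PLMN, i.e. it is not restricted to the test
# network configured above (MCC 001, MNC 01).
regexp_is_catch_all() {
    # Constructed probe IMSIs with other MCC/MNC prefixes, not real subscribers.
    for probe in 310150000000000 262010000000000 724100000000000; do
        imsi_accepted "$1" "$probe" && return 0
    done
    return 1
}

# count_accepted REGEXP IMSI...: print how many of the listed IMSIs match,
# to confirm that all of your own test SIMs (and only those) are admitted.
count_accepted() {
    re=$1; shift; n=0
    for imsi in "$@"; do
        imsi_accepted "$re" "$imsi" && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample IMSIs: two on the test PLMN 001-01 (the only ones that
# should be allowed) and one from another network that is within range.
OWN_SIMS="001010000000001 001010000000002"
STRANGER=310150000000000

# check_allow_list REGEXP: overall verdict, exit 0 = restricted, 1 = too broad.
check_allow_list() {
    if regexp_is_catch_all "$1"; then
        echo "TOO BROAD: '$1' admits phones from other networks"
        return 1
    fi
    echo "ok: '$1' admits $(count_accepted "$1" $OWN_SIMS) of your own SIMs and not the stranger"
    return 0
}

check_allow_list '.*' || true              # the pattern the note above warns about
check_allow_list '^00101[0-9]{10}$'        # only IMSIs of the test PLMN 001-01
check_allow_list '^001010000000001$'       # a single SIM, stricter still
```

Listing the exact IMSIs of your own test SIMs (as alternatives joined with |) is the most restrictive option; a prefix pattern such as ^00101 is a reasonable middle ground because 001-01 is the test PLMN and no live network uses it.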

Tapping

You can activate GSM and GPRS Tapping. With these options enabled you can capture GSM (signaling) and GPRS (signaling and traffic) in L1/L2 interfaces via GSMTAP.
At this point the minimal GSM configuration is done and you should have an operational GSM BTS.
Now you need to configure the GPRS settings to provide a data connection (Internet).
Believe me, the GPRS data connection is too slow. :(

Configuring the GPRS BTS Operability

First we need to configure NAT with iptables.
root@raspberry:/var/www/html# iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
NOTE: Replace wlan0 with the Raspberry Pi network interface that is connected to the Internet.
Now, for GPRS to operate we need to set the following values:
Firewall.Enable=no firewall
MS.IP.Base=192.168.1.20
MS.IP.MaxCount=5
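The iptables line above can be turned into a script that is safe to run at every boot, since iptables rules do not survive a reboot and repeating -A blindly stacks duplicate rules. This is an added example, not from the original post. It also enables IPv4 forwarding, which the Linux kernel requires before it will route packets between the BTS's GPRS interface and the uplink (harmless if already on), and it checks `iptables -t nat -S POSTROUTING` before adding the MASQUERADE rule. The interface name is a parameter (wlan0 in the post) and the sample rule listing is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent GPRS NAT setup.
# The uplink interface is passed as $1 (wlan0 in the post).

# masquerade_present IFACE: reads `iptables -t nat -S POSTROUTING` output
# on stdin and exits 0 if a MASQUERADE rule for IFACE is already listed.
masquerade_present() {
    grep -Eq -- "^-A POSTROUTING( .*)? -o $1( .*)? -j MASQUERADE"
}

# nat_commands IFACE: print the commands the setup runs, so they can be
# reviewed (or piped to sh) without root.
nat_commands() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE"
}

# gprs_nat_setup IFACE: apply on the Pi as root; re-running it is a no-op
# once the rule exists.
gprs_nat_setup() {
    iface=$1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    if iptables -t nat -S POSTROUTING | masquerade_present "$iface"; then
        echo "MASQUERADE rule for $iface already present"
    else
        iptables -t nat -A POSTROUTING -o "$iface" -j MASQUERADE
        echo "MASQUERADE rule for $iface added"
    fi
}

# Constructed sample of `iptables -t nat -S POSTROUTING` after the post's
# command has been run once, for the offline demo below.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o wlan0 -j MASQUERADE'

printf '%s\n' "$SAMPLE_RULES" | masquerade_present wlan0 && echo "wlan0: rule present, would skip"
printf '%s\n' "$SAMPLE_RULES" | masquerade_present eth0 || echo "eth0: rule missing, would add"
nat_commands eth0
```

On the Pi, `gprs_nat_setup wlan0` from a boot script (for example rc.local) replaces the manual command; pair it with a filter rule set if the Pi is reachable from the uplink side, since MASQUERADE alone only rewrites source addresses.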

Starting the BTS

It’s time to start the BTS executing the command:
root@raspberry:/# yate -s
If everything was set up correctly, you should see a bunch of messages and the lines:
...
Release 5.0.1 formal build date Apr 22 2016 rev
Starting MBTS...
Yate engine is initialized and starting up on GhostBTS
RTNETLINK answers: File exists
MBTS ready

Connecting Phones

You will manually connect the phones to the GSM BTS by selecting the “Test ID PLMN 1-1” network ID in the network list.
In the example shown here, the network ID is “Test ID PLMN 1-1” because of the values “Identity.MCC=001” and “Identity.MNC=01” configured previously.
NOTE: Valid MCC and MNC values can be found here.
After the phones have successfully authenticated to the GSM network, a welcome message containing the allocated number is received via SMS.
NOTE: You can change the welcome message by editing the file: /usr/local/share/yate/scripts/nib.js

Subscribers

In this section you can manage the details related to the subscribers of the BTS.

Here you can see the online subscribers.

Real Tests

SMS exchange between two phones connected to “Test ID PLMN 1-1” GSM BTS.


Call between two phones connected to “Test ID PLMN 1-1” GSM BTS.


A phone connected to “Test ID PLMN 1-1” GSM BTS and using the data connection through GPRS (Internet).


Final Notes

I hope that after reading this article you can successfully implement your own GSM BTS.

Play with the configuration files, read about this topic, try to search more information about it, discuss and the most important… Share the knowledge!
