I have a personal interest in GSM technology and its derivatives, mainly in the security aspects of such technologies. Due to this particular interest, I end up attending discussion forums, mailing lists, and IRC channels related to these technologies.



The problem is that lately, in these channels for sharing information and knowledge, there has been a significant increase in messages indicating dissatisfaction on the part of the community with the way the folks behind YateBTS are conducting the project.



Complaints from the community are diverse: the YateBTS team removing previously existing and necessary functionality, an attempt to run the project through obscurity, a lack of support or of answers to questions, and even allegations that the staff behind the project are only interested in making a profit by selling the commercial version.



As I know that not all GSM enthusiasts and researchers know how to program and add their own features to the YateBTS project, I decided to write this article in an attempt to provide the community with a second option for GSM study and research, this time using OpenBTS v5.0 (a software-based GSM access point), the well-known Nuand bladeRF x40 (a relatively accessible, low-cost full-duplex SDR) and Ubuntu 12.04.5 LTS Precise Pangolin (a Debian-based Linux operating system).



One more time, I would like to thank all the pioneering hackers and researchers who started the studies related to previously closed GSM technology.

I would particularly like to thank Matthew Hickey from MDSec for the “GreedyBTS – Hacking Adventures in GSM” work, the Nuand team for the article “Minimalistic build and run test for OpenBTS 5” and Juan Pablo for the article “Should you need OpenBTS on your bladeRF”. All these works served as the basis for my research and inspired me to write this article.

So, let’s start the “hands on”!

Ubuntu Operating System



The first thing to do is to download and install the Ubuntu 12.04.5 LTS (Precise Pangolin) image on the system.

NOTE: In my environment implementation I used a 32-bit version of Ubuntu 12.04.5 LTS (Precise Pangolin).



After installing the Ubuntu operating system it is time to log in to the system and add the necessary Personal Package Archive (PPA) repositories.

Adding the Required Repositories



You must add the necessary Personal Package Archive (PPA) repositories to the environment.

openbts@strcpy.info:~$ sudo su
root@strcpy.info:/home/openbts# add-apt-repository -y ppa:git-core/ppa
root@strcpy.info:/home/openbts# add-apt-repository -y ppa:chris-lea/zeromq
root@strcpy.info:/home/openbts# add-apt-repository -y ppa:chris-lea/libsodium
root@strcpy.info:/home/openbts# add-apt-repository -y ppa:bladerf/bladerf
root@strcpy.info:/home/openbts# add-apt-repository -y ppa:ettusresearch/uhd

Installing Dependencies

After adding the PPA repositories you must install the necessary dependencies in the environment.

root@strcpy.info:/home/openbts# apt-get update
root@strcpy.info:/home/openbts# apt-get -y install git autoconf automake libtool debhelper dpkg-dev sqlite3 libsqlite3-dev g++ libusb-1.0-0-dev
root@strcpy.info:/home/openbts# apt-get -y install libortp-dev libortp8 libosip2-dev libreadline-dev libncurses5-dev libgsm1-dev cdbs libsqlite0-dev
root@strcpy.info:/home/openbts# apt-get -y install unixodbc unixodbc-dev libssl-dev libsrtp0-dev libsqliteodbc uuid-dev libjansson-dev libxml2-dev
root@strcpy.info:/home/openbts# apt-get -y install libboost1.48-all-dev libzmq3-dev libzmq3 python-zmq libsodium13 bladerf libbladerf-dev
root@strcpy.info:/home/openbts# apt-get -y install libuhd-dev libuhd003 uhd-host
root@strcpy.info:/home/openbts# apt-get autoremove

NOTE: The libsrtp0 and libsrtp0-dev packages are required; however, they are installed automatically as dependencies of the packages listed above.



Plugging the Nuand bladeRF x40

Now plug the Nuand bladeRF x40 into one of the computer's USB ports and check that it is properly detected.

root@strcpy.info:/home/openbts# dmesg
[ 2092.437659] usb 1-1.2: New USB device found, idVendor=1d50, idProduct=6066
[ 2092.437679] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2092.437692] usb 1-1.2: Product: bladeRF
[ 2092.437704] usb 1-1.2: Manufacturer: Nuand
[ 2092.437716] usb 1-1.2: SerialNumber: 4c132c8ba43e0c4d922418a29a1ce207

Nuand bladeRF x40 Firmware

After making sure that the Nuand bladeRF x40 is properly detected, it is time to download and install the Nuand bladeRF x40 firmware v1.9.1.

root@strcpy.info:/home/openbts# wget -c http://www.nuand.com/fx3/bladeRF_fw_v1.9.1.img
root@strcpy.info:/home/openbts# bladeRF-cli -f bladeRF_fw_v1.9.1.img -v verbose

After installing firmware v1.9.1, unplug the Nuand bladeRF x40 from the USB port and plug it in again so that the device starts with the new firmware.



Nuand bladeRF x40 FPGA



After starting the Nuand bladeRF x40 with firmware v1.9.1, it is time to download the Nuand bladeRF x40 FPGA image v0.1.2 and set the device to load its FPGA automatically.

root@strcpy.info:/home/openbts# wget -c http://www.nuand.com/fpga/v0.1.2/hostedx40.rbf
root@strcpy.info:/home/openbts# bladeRF-cli -L hostedx40.rbf -v verbose

After this procedure, unplug the Nuand bladeRF x40 from the USB port and plug it in again so that the device starts with FPGA v0.1.2 auto-loaded.

Now it is time to check the installed versions of bladeRF-cli, libbladeRF, the Nuand bladeRF x40 firmware and the Nuand bladeRF x40 FPGA.

root@strcpy.info:/home/openbts# bladeRF-cli -i
bladeRF> version
bladeRF-cli version: 1.4.0-2016.06-1-ppaprecise
libbladeRF version: 1.7.2-2016.06-1-ppaprecise
Firmware version: 1.9.1
FPGA version: 0.1.2
bladeRF>

Exit the bladeRF prompt by typing ‘quit’.

OpenBTS and the Transceiver



For OpenBTS to work with the Nuand bladeRF x40 some changes to the OpenBTS source code are required, as well as building and using a specific transceiver that can be found in older versions of YateBTS.



But don’t worry! To make the implementation as easy as possible, I created a repository on GitHub with the already patched source code of OpenBTS v5.0 (with all its required libraries and tools), as well as the patched source code of YateBTS v5.0.1 that contains the correct version of the transceiver to be built and used.

root@strcpy.info:/home/openbts# git clone https://github.com/strcpyblog/OpenBTS-Nuand-bladeRF.git

Building and Installing the A5/3 Call Encryption Library

After cloning the “OpenBTS-Nuand-bladeRF” repository using Git, you now need to build and install the A5/3 Call Encryption Library (liba53).

root@strcpy.info:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53# make
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53# make install
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53# ldconfig

Building and Installing the Coredumper Library



OpenBTS uses the Coredumper Shared Library to produce meaningful debugging information if OpenBTS crashes.

So, you now need to build and install the Coredumper Library (libcoredumper).



root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53# cd ../libcoredumper
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/libcoredumper# ./build.sh
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/libcoredumper# dpkg -i *.deb

Building and Installing the Transceiver



For OpenBTS to work with the Nuand bladeRF x40 you need to build and install the transceiver.

root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/libcoredumper# cd ../../YateBTS-v5.0.1/mbts/Peering
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/Peering# make
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/Peering# cd ../TransceiverRAD1
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/TransceiverRAD1# make
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/TransceiverRAD1# cp -p transceiver-bladerf ../../../OpenBTS-v5.0/openbts/apps
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/TransceiverRAD1# cd ../../../OpenBTS-v5.0/openbts/apps
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps# ln -s transceiver-bladerf transceiver

Building OpenBTS Source Code



With the transceiver built and installed it is time to build the OpenBTS v5.0 source code.

root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps# cd ..
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# ./autogen.sh
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# ./configure --with-uhd
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# make

Configuring OpenBTS

With OpenBTS built you now need to configure it to run correctly.

root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# mkdir /etc/OpenBTS
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# sqlite3 -init apps/OpenBTS.example.sql /etc/OpenBTS/OpenBTS.db ".quit"
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# cp -p apps/rsyslogd.OpenBTS.conf /etc/rsyslog.d/OpenBTS.conf

Building and Installing the Subscriber Registry and Sipauthserve



It’s important to install the Subscriber Registry and Sipauthserve (the SIP authorization server for registration traffic) to be able to launch OpenBTS.

The Subscriber Registry holds the database of subscriber information and acts as the HLR (Home Location Register). You will not be able to have a usable system without it.



root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# cd ../subscriberRegistry
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# ./autogen.sh
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# ./configure
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# make
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# sqlite3 -init apps/sipauthserve.example.sql /etc/OpenBTS/sipauthserve.db ".quit"

Building and Installing Smqueue



Smqueue is the store-and-forward message service packaged with OpenBTS.



root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# cd ../smqueue
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# autoreconf -i
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# ./configure
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# make
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# sqlite3 -init smqueue/smqueue.example.sql /etc/OpenBTS/smqueue.db ".quit"
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# mkdir -p /var/lib/OpenBTS
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# touch /var/lib/OpenBTS/smq.cdr

Building and Installing Asterisk

Asterisk is a software implementation of a telephone Private Branch Exchange (PBX) and is the “standard” OpenBTS PBX.

root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# cd ../asterisk
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk# ./build.sh
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk# dpkg -i *.deb

Configuring Asterisk

With Asterisk installed you now need to configure it to run correctly.

root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk# cd ../asterisk-config
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# mkdir -p /var/lib/asterisk/sqlite3dir
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# mkdir -p /var/lib/asterisk/sounds/en
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# cp -p en/*.gsm /var/lib/asterisk/sounds/en
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# cp -p *.conf /etc/asterisk
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# cp -p *.ini /etc
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# chown -R asterisk:asterisk /var/lib/asterisk/sqlite3dir

Starting OpenBTS

After this long process it is time to start OpenBTS.

To do this you will need to execute the following commands (each in its own Terminal window) in the following order:

1 – ./smqueue

openbts@strcpy.info:~$ sudo su
root@strcpy.info:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue/smqueue
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue/smqueue# ./smqueue
ALERT 29938:29938 2016-11-16T06:22:07.0 smqueue.cpp:2798:main: smqueue (re)starting
smqueue logs to syslogd facility LOCAL7, so there's not much to see here

2 – ./sipauthserve

openbts@strcpy.info:~$ sudo su
root@strcpy.info:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry/apps
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry/apps# ./sipauthserve
ALERT 29948:29948 2016-11-16T06:22:19.5 sipauthserve.cpp:328:main: ./sipauthserve (re)starting

3 – ./asterisk

openbts@strcpy.info:~$ sudo su
root@strcpy.info:/home/openbts# asterisk -vvv

If Asterisk was set up correctly you should see a long series of messages ending with lines like these:

...
 func_channel.so => (Channel information dialplan functions)
  == Registered application 'WaitUntil'
 app_waituntil.so => (Wait until specified time)
  == Registered custom function 'ENUMRESULT'
  == Registered custom function 'ENUMQUERY'
  == Registered custom function 'ENUMLOOKUP'
  == Registered custom function 'TXTCIDNAME'
 func_enum.so => (ENUM related dialplan functions)
Asterisk Ready.

4 – ./OpenBTS

openbts@strcpy.info:~$ sudo su
root@strcpy.info:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps# ./OpenBTS

If OpenBTS was set up correctly you should see a long series of messages ending with lines like these:

...
1479288481.102512 3072931584: Starting the system...
ALERT 30274:30281 2016-11-16T06:28:06.1 OpenBTS.cpp:174:startTransceiver: starting transceiver ./transceiver with 1 ARFCNs
1479288491.590588 3072931584: system ready
1479288491.590639 3072931584: use the OpenBTSCLI utility to access CLI
1479288491.590796 3072931584: OpenBTSCLI network socket support for tcp:49300
OpenBTS>

5 – ./OpenBTSCLI

openbts@strcpy.info:~$ sudo su
root@strcpy.info:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps# ./OpenBTSCLI
OpenBTS Command Line Interface (CLI) utility
Copyright 2012, 2013, 2014 Range Networks, Inc.
Licensed under GPLv2.
Includes libreadline, GPLv2.
Connecting to 127.0.0.1:49300...
Remote Interface Ready.
Type:
 "help" to see commands,
 "version" for version information,
 "notices" for licensing information,
 "quit" to exit console interface.
OpenBTS>

After executing all the commands described above you will have something like this:



Configuring the GSM BTS Operability

Now you can start configuring the BTS using the OpenBTS Command Line Interface (CLI) utility.



For GSM BTS operability you need to set the following values:

OpenBTS> config GSM.Radio.Band 900
OpenBTS> config GSM.Radio.C0 51
OpenBTS> config GSM.Identity.MCC 001
OpenBTS> config GSM.Identity.MNC 01
OpenBTS> config GSM.Radio.PowerManager.MaxAttenDB 35
OpenBTS> config GSM.Radio.PowerManager.MinAttenDB 35

Allowing Subscribers

You need to allow subscriber phones to connect to the GSM BTS.

OpenBTS> config Control.LUR.OpenRegistration .*

NOTE: Take care with the .* regular expression: it matches every IMSI, so any phone that tries to register is accepted.
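To make that note concrete, here is an added example (mine, not the article's or the OpenBTS project's code) that mirrors the Control.LUR.OpenRegistration check against a handful of constructed IMSIs: the configured value is a regular expression, and every IMSI it matches is allowed to register. It assumes a regexec-style search (match anywhere), so patterns should be anchored. With .* every phone in range that attempts this PLMN is admitted, including subscribers of real operators; an anchored pattern limited to the test PLMN, or an explicit allow list of lab SIMs, restricts registration to the devices you control.

```python
import re

# Constructed IMSIs (no real subscribers): the first two belong to the test
# PLMN configured in this article (MCC 001, MNC 01); the others imitate
# subscribers of real networks that may be in range of the BTS.
SAMPLE_IMSIS = [
    "001010000000001",
    "001010000000002",
    "310150123456789",
    "262020987654321",
]


def open_registration_allows(pattern: str, imsi: str) -> bool:
    """Mirror the Control.LUR.OpenRegistration test: the value is a regular
    expression and an IMSI is admitted when it matches. Assumption: a search
    (match anywhere), as regexec() would do, so anchor patterns with ^ and $."""
    return re.search(pattern, imsi) is not None


def admitted(pattern: str, imsis=SAMPLE_IMSIS) -> list:
    """IMSIs from `imsis` that the given pattern would let register."""
    return [imsi for imsi in imsis if open_registration_allows(pattern, imsi)]


def admits_foreign_subscribers(pattern: str, mcc: str = "001", mnc: str = "01",
                               imsis=SAMPLE_IMSIS) -> bool:
    """True when the pattern lets in any IMSI outside the BTS's own MCC/MNC,
    i.e. phones that belong to other operators' networks."""
    home = mcc + mnc
    return any(not imsi.startswith(home) for imsi in admitted(pattern, imsis))


# Patterns to compare: the article's catch-all and two restrictive alternatives.
CATCH_ALL = ".*"
TEST_PLMN_ONLY = r"^00101[0-9]{10}$"                  # exactly 15 digits, test PLMN 001/01
ALLOW_LIST = r"^(001010000000001|001010000000002)$"   # specific lab SIMs only

if __name__ == "__main__":
    for pattern in (CATCH_ALL, TEST_PLMN_ONLY, ALLOW_LIST):
        print(f"{pattern!r:45} admits {admitted(pattern)}"
              f"  foreign={admits_foreign_subscribers(pattern)}")
```

The allow-list form is the one to prefer in a lab: it names the SIMs you own, and admits_foreign_subscribers() returning True for a candidate pattern is the signal that the BTS would accept phones that are not yours.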

Tapping

You can activate GSM and GPRS tapping. With these options enabled you can capture GSM (signaling) and GPRS (signaling and traffic) on the L1/L2 interfaces via GSMTAP.

OpenBTS> config Control.GSMTAP.GSM 1
OpenBTS> config Control.GSMTAP.GPRS 1
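GSMTAP frames produced by these two options travel as UDP datagrams (port 4729 by default) with a fixed 16-byte header in front of the L2 payload. As an added example, not code from the article or from the OpenBTS project, the Python below parses that header, decodes the ARFCN/uplink bits and the Um channel type, and tallies frames per direction and channel, which is the starting point for monitoring what the BTS is actually transmitting and receiving. The sample datagrams are constructed inline (filler payloads, not a real capture) on the article's C0, ARFCN 51; the listen() helper assumes OpenBTS delivers GSMTAP to this host on the default port.

```python
import socket
import struct

GSMTAP_UDP_PORT = 4729                       # default GSMTAP destination port
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")  # 16-byte GSMTAP v2 fixed header, network byte order
ARFCN_UPLINK, ARFCN_PCS, ARFCN_MASK = 0x8000, 0x4000, 0x3FFF
CHANNEL_ACCH = 0x80                          # sub_type flag: associated control channel (SACCH/FACCH)

GSMTAP_TYPES = {0x01: "UM", 0x02: "UM_BURST", 0x03: "ABIS", 0x08: "GB_LLC", 0x09: "GB_SNDCP"}
UM_CHANNELS = {0: "UNKNOWN", 1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH", 5: "PCH",
               6: "SDCCH", 7: "SDCCH4", 8: "SDCCH8", 9: "TCH_F", 10: "TCH_H",
               11: "PACCH", 12: "CBCH52", 13: "PDCH", 14: "PTCCH", 15: "CBCH51"}
UM_CHANNEL_CODES = {name: code for code, name in UM_CHANNELS.items()}


def parse_gsmtap(datagram: bytes) -> dict:
    """Decode one GSMTAP datagram into its header fields plus the raw payload."""
    if len(datagram) < GSMTAP_HDR.size:
        raise ValueError("datagram shorter than the GSMTAP header")
    (version, hdr_len, gtype, timeslot, arfcn, signal_dbm, snr_db,
     frame_number, sub_type, antenna, sub_slot, _res) = GSMTAP_HDR.unpack_from(datagram)
    if version != 2:
        raise ValueError(f"unsupported GSMTAP version {version}")
    payload_off = hdr_len * 4                # hdr_len is counted in 32-bit words
    if payload_off > len(datagram):
        raise ValueError("GSMTAP header length runs past the datagram")
    channel = sub_type
    if gtype == 0x01:                        # only Um frames carry a channel code in sub_type
        channel = UM_CHANNELS.get(sub_type & 0x7F, f"0x{sub_type:02x}")
    return {
        "type": GSMTAP_TYPES.get(gtype, f"0x{gtype:02x}"),
        "channel": channel,
        "acch": bool(sub_type & CHANNEL_ACCH) if gtype == 0x01 else False,
        "timeslot": timeslot,
        "sub_slot": sub_slot,
        "antenna": antenna,
        "arfcn": arfcn & ARFCN_MASK,
        "uplink": bool(arfcn & ARFCN_UPLINK),
        "pcs": bool(arfcn & ARFCN_PCS),
        "signal_dbm": signal_dbm,
        "snr_db": snr_db,
        "frame_number": frame_number,
        "payload": datagram[payload_off:],
    }


def build_gsmtap(arfcn: int, uplink: bool, channel: str, timeslot: int, frame_number: int,
                 payload: bytes, signal_dbm: int = -60, snr_db: int = 10) -> bytes:
    """Construct a Um GSMTAP datagram; used here only to fabricate sample traffic offline."""
    arfcn_field = (arfcn & ARFCN_MASK) | (ARFCN_UPLINK if uplink else 0)
    header = GSMTAP_HDR.pack(2, GSMTAP_HDR.size // 4, 0x01, timeslot, arfcn_field,
                             signal_dbm, snr_db, frame_number,
                             UM_CHANNEL_CODES[channel], 0, 0, 0)
    return header + payload


def channel_histogram(datagrams) -> dict:
    """Count frames per (direction, channel): a quick view of what the BTS sends and receives."""
    counts = {}
    for dg in datagrams:
        d = parse_gsmtap(dg)
        key = ("UL" if d["uplink"] else "DL", d["channel"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: two BCCH downlink frames and one RACH uplink burst on the
# article's C0 (ARFCN 51). Payload bytes are filler, not a real capture.
SAMPLE_DATAGRAMS = [
    build_gsmtap(51, False, "BCCH", 0, 12345, bytes([0x49, 0x06, 0x1B]) + b"\x2b" * 20),
    build_gsmtap(51, False, "BCCH", 0, 12396, bytes([0x49, 0x06, 0x1B]) + b"\x2b" * 20),
    build_gsmtap(51, True, "RACH", 0, 12400, b"\x00"),
]


def listen(port: int = GSMTAP_UDP_PORT, limit: int = 50) -> dict:
    """Receive `limit` GSMTAP datagrams sent to this host and return the histogram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    frames = [sock.recv(4096) for _ in range(limit)]
    sock.close()
    return channel_histogram(frames)


if __name__ == "__main__":
    print(channel_histogram(SAMPLE_DATAGRAMS))   # offline demo; call listen() on the BTS host for live frames
```

Wireshark already dissects GSMTAP on port 4729, so the value of a parser like this is in the aggregation: a per-channel histogram over time shows when a phone is on an SDCCH or TCH, and an unexpected jump in RACH or uplink frames is worth looking at.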

At this point the minimal GSM configuration is done and you should have an operational GSM BTS.

Now you need to configure the GPRS settings to provide a data connection (Internet).

Configuring the GPRS BTS Operability

First we need to configure NAT with iptables.

openbts@strcpy.info:~$ sudo su
root@strcpy.info:/home/openbts# sysctl -w net.ipv4.ip_forward=1
root@strcpy.info:/home/openbts# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

NOTE: Replace eth0 with the network interface of your environment that is connected to the Internet.

Now, for GPRS operability you need to set the following values:

OpenBTS> config GPRS.Enable 1
OpenBTS> config GGSN.Firewall.Enable 0
OpenBTS> config GGSN.MS.IP.Base 192.168.1.20
OpenBTS> config GGSN.MS.IP.MaxCount 5
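The GSM values from “Configuring the GSM BTS Operability” and the GPRS values just above are the minimal working set, and typing them one by one at the OpenBTS> prompt is error-prone. As an added example, not code from the article or from OpenBTS, the Python below keeps both groups in one place, sanity-checks them (C0 inside the band's ARFCN range, MCC/MNC length, attenuation bounds, the address pool the GGSN will hand out), flags the disabled GGSN firewall, and writes them into a CONFIG table laid out like the one OpenBTS.example.sql creates (an assumption about the schema). The ARFCN limits are the standard GSM band tables. Run it against the in-memory copy as shown; against /etc/OpenBTS/OpenBTS.db only with OpenBTS stopped, since the OpenBTS> config command remains the supported way to change a running system.

```python
import ipaddress
import sqlite3

# The values entered at the OpenBTS> prompt in the GSM and GPRS sections of the article.
ARTICLE_SETTINGS = {
    "GSM.Radio.Band": "900",
    "GSM.Radio.C0": "51",
    "GSM.Identity.MCC": "001",
    "GSM.Identity.MNC": "01",
    "GSM.Radio.PowerManager.MaxAttenDB": "35",
    "GSM.Radio.PowerManager.MinAttenDB": "35",
    "GPRS.Enable": "1",
    "GGSN.Firewall.Enable": "0",
    "GGSN.MS.IP.Base": "192.168.1.20",
    "GGSN.MS.IP.MaxCount": "5",
}

# Legal C0 ARFCN ranges per band (standard GSM channel numbering; E-GSM for 900).
BAND_ARFCNS = {
    "850": [(128, 251)],
    "900": [(0, 124), (975, 1023)],
    "1800": [(512, 885)],
    "1900": [(512, 810)],
}

# Layout of the CONFIG table as created by OpenBTS.example.sql (assumption).
CONFIG_SCHEMA = ("CREATE TABLE IF NOT EXISTS CONFIG (KEYSTRING TEXT UNIQUE NOT NULL, "
                 "VALUESTRING TEXT, STATIC INTEGER DEFAULT 0, OPTIONAL INTEGER DEFAULT 0, "
                 "COMMENT TEXT DEFAULT '')")


def c0_valid(band: str, c0: str) -> bool:
    """True when C0 is an ARFCN that exists in the selected band."""
    if not c0.isdigit():
        return False
    return any(lo <= int(c0) <= hi for lo, hi in BAND_ARFCNS.get(band, []))


def ms_ip_pool(cfg: dict) -> list:
    """Addresses the GGSN assigns to phones: Base, Base+1, ... (MaxCount of them)."""
    base = ipaddress.IPv4Address(cfg["GGSN.MS.IP.Base"])
    return [str(base + i) for i in range(int(cfg["GGSN.MS.IP.MaxCount"]))]


def check_settings(cfg: dict) -> list:
    """Return findings as strings; an empty list means nothing to flag."""
    findings = []
    band, c0 = cfg.get("GSM.Radio.Band", ""), cfg.get("GSM.Radio.C0", "")
    if band not in BAND_ARFCNS:
        findings.append(f"GSM.Radio.Band {band!r} is not a known band")
    elif not c0_valid(band, c0):
        findings.append(f"GSM.Radio.C0 {c0!r} is not an ARFCN of band {band}")
    mcc, mnc = cfg.get("GSM.Identity.MCC", ""), cfg.get("GSM.Identity.MNC", "")
    if not (mcc.isdigit() and len(mcc) == 3):
        findings.append(f"GSM.Identity.MCC {mcc!r} must be exactly three digits")
    if not (mnc.isdigit() and len(mnc) in (2, 3)):
        findings.append(f"GSM.Identity.MNC {mnc!r} must be two or three digits")
    lo = cfg.get("GSM.Radio.PowerManager.MinAttenDB", "0")
    hi = cfg.get("GSM.Radio.PowerManager.MaxAttenDB", "0")
    if not (lo.isdigit() and hi.isdigit()):
        findings.append("PowerManager attenuation values must be non-negative integers")
    elif int(lo) > int(hi):
        findings.append("GSM.Radio.PowerManager.MinAttenDB exceeds MaxAttenDB")
    if cfg.get("GPRS.Enable") == "1":
        try:
            ms_ip_pool(cfg)
        except (KeyError, ValueError) as exc:
            findings.append(f"GGSN.MS.IP.* pool is unusable: {exc}")
        if cfg.get("GGSN.Firewall.Enable", "0") == "0":
            findings.append("GGSN.Firewall.Enable is 0: traffic from the MS pool reaches the host "
                            "network unfiltered; acceptable only on an isolated lab network")
    return findings


def apply_settings(conn: sqlite3.Connection, cfg: dict) -> None:
    """Store the values: update existing rows in place (keeping STATIC/OPTIONAL/COMMENT)
    and insert any key that is not present yet."""
    cur = conn.cursor()
    cur.execute(CONFIG_SCHEMA)
    for key, value in cfg.items():
        cur.execute("UPDATE CONFIG SET VALUESTRING = ? WHERE KEYSTRING = ?", (value, key))
        if cur.rowcount == 0:
            cur.execute("INSERT INTO CONFIG (KEYSTRING, VALUESTRING) VALUES (?, ?)", (key, value))
    conn.commit()


def read_settings(conn: sqlite3.Connection, keys) -> dict:
    """Read the given keys back from the CONFIG table."""
    keys = list(keys)
    marks = ",".join("?" * len(keys))
    rows = conn.execute(f"SELECT KEYSTRING, VALUESTRING FROM CONFIG WHERE KEYSTRING IN ({marks})", keys)
    return dict(rows.fetchall())


def demo(path: str = ":memory:") -> dict:
    """Apply the article's settings to a database and return what was stored."""
    conn = sqlite3.connect(path)   # on the BTS host: /etc/OpenBTS/OpenBTS.db, with OpenBTS stopped
    apply_settings(conn, ARTICLE_SETTINGS)
    stored = read_settings(conn, ARTICLE_SETTINGS)
    conn.close()
    return stored


if __name__ == "__main__":
    for finding in check_settings(ARTICLE_SETTINGS):
        print("finding:", finding)
    print("MS pool:", ms_ip_pool(ARTICLE_SETTINGS))
    print("stored:", demo())
```

With the article's values the only finding is the disabled GGSN firewall: the five addresses 192.168.1.20 to 192.168.1.24 are masqueraded straight out through eth0, so whatever the phones can reach on the host's LAN they reach unfiltered, which is fine on an isolated bench and not elsewhere.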

Connecting Phones



You will connect the phones to the GSM BTS manually by selecting the “Test PLMN 1-1” Network ID in the phone's network list.

In the example shown here the Network ID is “Test PLMN 1-1” because of the values GSM.Identity.MCC 001 and GSM.Identity.MNC 01 configured earlier.

NOTE: Valid MCC and MNC values can be found here.

After the phone has successfully authenticated to the GSM network, a welcome message containing the phone's IMSI is received via SMS.

A phone connected to “Test PLMN 1-1” GSM BTS and using the data connection through GPRS (Internet).

Final Notes



I hope that after reading this article you can successfully run OpenBTS with the Nuand bladeRF x40.

If you have any questions feel free to contact me.



And remember… Share the knowledge and keep on hacking!


