0x00 Preface
With the large-scale development of the mobile Internet, the spread of smartphones and the popularity of all kinds of Internet applications, demand for wireless networks has grown geometrically, and competition between mobile operators has become increasingly fierce. However, because of factors such as tariff reductions, the revenue operators earn from each user is slowly shrinking, while the investment needed for "faster speeds at lower fees" and for wireless network upgrades keeps rising, and revenue growth is slow. To keep profits growing over the long term, operators must cut costs.
SDR (Software Defined Radio) implements as much of a base station's signal processing as possible in software, so that a generic hardware platform can quickly perform modulation, demodulation and coding. SDR offers a new approach to building communication systems, lowers the cost of research and development, and provides a faster route to implementation. (See "LTE system comparison based on open source SDR".)
Can SDR break the monopoly of traditional operators in the communications industry?
It is also worth noting that security enthusiasts have been paying attention to base station communication security for years, from the 2G GSM attacks of several years ago up to the LTE/4G security issues presented at recent security conferences abroad.
In this context, the foreign open source project OpenLTE has become a hot topic.
OpenLTE is an open source implementation of the 3GPP communication protocols, built on Linux with the GNU Radio software development kit; it mainly implements the functions of a simple 4G base station. How to build and use OpenLTE is shared later in this article.
For building a GSM base station with bladeRF, see:
GSM BTS Hacking: Building base stations with Bladerf and open source BTS 5
GSM Hacking: Using Bladerf, Raspberry Pi, yatesbts to build a portable GSM base station
Demo:
Background:
A 2G network is the second-generation wireless cellular telephone communication protocol. It is characterized by the digitization of wireless communication and is capable of narrowband data communication. Common 2G wireless communication protocols are GSM (frequency division multiple access, with GPRS and EDGE) and CDMA; transmission speeds are very slow.
A 3G network is the third-generation wireless cellular communication protocol. Building on 2G, it mainly develops high-bandwidth data communication and improves the security of voice calls. 3G data communication bandwidth is generally above 500 kb/s. At present there are three commonly used 3G standards: WCDMA, CDMA2000 and TD-SCDMA; speeds are relatively fast and meet the needs of the mobile Internet well.
A 4G network is the fourth-generation wireless cellular telephony protocol. It comes in two formats, TD-LTE and FDD-LTE, combines 3G and WLAN in one, and can transmit high-quality video with image quality comparable to HDTV. A 4G system can download at 100 Mbps, 2000 times faster than dial-up Internet, and upload at up to 20 Mbps, which meets the wireless service requirements of almost all users.
So what is the difference between 2G, 3G and 4G in terms of security? For the user, the biggest difference between 2G, 3G and 4G networks is the transmission speed.
0x01 Environment Setup
OS: Ubuntu
GNU Radio 3.7
bladeRF
HackRF
1.1 bladeRF
1.1.1 Driver
mkdir bladeRF
cd bladeRF
wget -c https://github.com/Nuand/bladeRF/archive/master.zip
unzip master.zip
cd bladeRF-master
cd host
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local -DINSTALL_UDEV_RULES=ON ../
make -j4
sudo make install > install.log   # installing under /usr/local needs root
sudo ldconfig                     # refresh the shared library cache so libbladeRF is found
1.1.2 bladeRF Firmware
wget -c http://www.nuand.com/fx3/bladeRF_fw_v1.8.0.img
bladeRF-cli -f bladeRF_fw_v1.8.0.img -v verbose   # flash the FX3 firmware image with verbose library output
1.2 GNU Radio
mkdir gnuradio
cd gnuradio
wget http://www.sbrac.org/files/build-gnuradio
chmod a+x build-gnuradio
./build-gnuradio -v                    # -v: verbose output while building and installing GNU Radio
sudo apt-get install libpolarssl-dev   # needed later to compile OpenLTE
0x02 OpenLTE
The steps above depend on quite a few packages. Anyone who wants to save the effort can use the Ubuntu Live CD released by GNU Radio, which already has GNU Radio, HackRF, bladeRF, USRP, Gqrx, RTL-SDR and the rest of the SDR environment listed above set up. Using it avoids the great majority of pitfalls met when setting up the system environment.
Download link: http://gnuradio.org/redmine/projects/gnuradio/wiki/GNURadioLiveDVD
2.1 Compiling OpenLTE
wget http://ufpr.dl.sourceforge.net/project/openlte/openlte_v00-19-04.tgz   # currently the latest version
tar zxvf openlte_v00-19-04.tgz
cd openlte_v00-19-04/
mkdir build
cd build
sudo cmake ../
sudo make
sudo make install
0x03 Searching for nearby base stations
Plug in the SDR device and check it with osmocom_fft. Here I use a bladeRF (I tested a HackRF and it can be used too, but because HackRF transfers data over USB 2.0 its efficiency is much lower than bladeRF; those who can should use a USRP):
osmocom_fft --samp-rate 80000000
After compilation, OpenLTE places the executables in the build directory:
cd LTE_fdd_dl_scan
./LTE_fdd_dl_scan
Open a new terminal and telnet into the OpenLTE control interface:
telnet 127.0.0.1 20000
Start a scan from the telnet side:
LTE_fdd_dl_scan scans the EARFCN values in its dl_earfcn_list: from 25 to 575
ARFCN (Absolute Radio Frequency Channel Number) is the numbering scheme used in the GSM radio system to identify a specific RF channel; anyone who has sniffed GSM SMS will be familiar with it. In 4G LTE the equivalent is called EARFCN.
3.1 Searching the China Telecom FDD-LTE network (telnet side):
write band 1
help
start
3.2 Searching the China Unicom FDD-LTE network (telnet side):
stop
write band 3
start
3.3 Closing the search (telnet side):
shutdown
3.4 China Mobile, China Unicom and China Telecom TD-LTE bands and some FDD-LTE bands:
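As an added example (not from the original article or from OpenLTE), the helper below converts the DL EARFCN values that LTE_fdd_dl_scan reports into centre frequencies and identifies their band, using the channel-number constants of 3GPP TS 36.101 for bands 1 and 3 (the FDD bands scanned in 3.1 and 3.2) and the TD-LTE bands 38 to 41. The band table is a subset chosen for this page, so EARFCNs outside it are rejected rather than guessed.

```python
# EARFCN-to-frequency helper for interpreting LTE_fdd_dl_scan output.
# Constants from 3GPP TS 36.101 Table 5.7.3-1; added example, not OpenLTE code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Band:
    number: int
    dl_low_mhz: float   # F_DL_low: lowest DL carrier frequency of the band
    dl_offset: int      # N_Offs-DL: EARFCN offset of the band
    dl_first: int       # lowest valid DL EARFCN
    dl_last: int        # highest valid DL EARFCN
    mode: str           # "FDD" or "TDD"


# Subset of bands: 1 and 3 (FDD, used in 3.1 and 3.2) and the Chinese
# TD-LTE bands 38/39/40/41 referred to in 3.4.
BANDS = [
    Band(1, 2110.0, 0, 0, 599, "FDD"),
    Band(3, 1805.0, 1200, 1200, 1949, "FDD"),
    Band(38, 2570.0, 37750, 37750, 38249, "TDD"),
    Band(39, 1880.0, 38250, 38250, 38649, "TDD"),
    Band(40, 2300.0, 38650, 38650, 39649, "TDD"),
    Band(41, 2496.0, 39650, 39650, 43589, "TDD"),
]


def band_for_earfcn(earfcn: int) -> Band:
    """Return the band whose DL EARFCN range contains earfcn."""
    for b in BANDS:
        if b.dl_first <= earfcn <= b.dl_last:
            return b
    raise ValueError(f"DL EARFCN {earfcn} is not in a band this helper knows")


def earfcn_to_dl_mhz(earfcn: int) -> float:
    """F_DL = F_DL_low + 0.1 MHz * (N_DL - N_Offs-DL), rounded to 100 kHz."""
    b = band_for_earfcn(earfcn)
    return round(b.dl_low_mhz + 0.1 * (earfcn - b.dl_offset), 1)


def scan_range_mhz(first: int, last: int) -> tuple:
    """Frequency span covered by a dl_earfcn_list range such as 25..575."""
    if band_for_earfcn(first) != band_for_earfcn(last):
        raise ValueError("range crosses a band boundary")
    return earfcn_to_dl_mhz(first), earfcn_to_dl_mhz(last)
```

With the default list the scanner sweeps 2112.5 MHz to 2167.5 MHz, i.e. the band 1 downlink; after "write band 3" the EARFCNs fall in 1805 to 1880 MHz.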
0x04 Conclusion
The first part of this article mainly shares how to build OpenLTE and scan for nearby base station signals. The following parts, based on the official OpenLTE wiki, will share the use of OpenLTE's other functions, such as LTE_fdd_enodeb's SIM card issuing and user-adding features:
0x05 References & Thanks
Mobile security: practical attacks using cheap equipment
Huang, HITB paper: LTE redirection: forcing targeted LTE cellphone into unsafe network
OpenLTE: sourceforge.net
OpenLTE wiki
OpenLTE open source code structure analysis (1)
OpenLTE open source code structure analysis (2)
LTE system comparison based on open source SDR
Original link: http://www.freebuf.com/articles/wireless/108417.html
4G LTE base station built using GNU Radio + OpenLTE + SDR (Part 1)