Gsm bts Hacking: Use BladeRF and open source BTS 5 to build base stations

Source: Internet
Author: User

If you have bought a Nuand (official) bladeRF x40, you can run OpenBTS on it and drive it from the command line. HackRF is the most widely documented SDR board: almost all of its design is open source, down to the KiCad files. Its drawbacks are that it has no FPGA, uses the slower USB 2.0 interface, and has relatively low ADC/DAC resolution.
When working with a bladeRF, keep two different "images" apart: the firmware image and the FPGA image. They are separate things, although the terms are not used consistently across the industry and are sometimes confused. Firmware generally means software embedded in a hardware device and stored in ROM or flash; it is not meant to be changed often, and changing it is called "flashing". The word originally referred to microcode, but on the bladeRF the firmware is an embedded C program. FPGA stands for field-programmable gate array: the wiring between its logic gates and registers can be programmed and rebuilt. Its source is usually written in a hardware description language (HDL), and a binary image is produced from it by synthesis and later steps. On the bladeRF the FPGA is an Altera chip. An FPGA without built-in non-volatile storage has to be reloaded with its image every time it is powered on, and that is the case with the bladeRF: a board arrives with firmware on it but with no FPGA image loaded. The sections below describe how to flash the firmware, load or update the FPGA image, and have the FPGA image load automatically when the bladeRF is used. Note: to avoid confusion, an FPGA image is sometimes called an FPGA bitstream or FPGA configuration (because it configures the gates and their interconnections).
The tools and techniques described in this article are offensive. Please use them responsibly and legally.
System:
Ubuntu 12.04 LTS Server (32-bit)
Upgrade git:
$ sudo apt-get install software-properties-common python-software-properties
$ sudo add-apt-repository ppa:git-core/ppa   (press Enter to continue)
$ sudo apt-get update
$ sudo apt-get install git
Next, install the prerequisite packages. Copy and paste the following command and run it; it extracts the package list from the RangeNetworks build script and installs it:
 

sudo apt-get install $(
    wget -qO - https://raw.githubusercontent.com/RangeNetworks/dev/master/build.sh | \
    grep installIfMissing | \
    grep -v "{" | \
    cut -f2 -d" ")

Alternatively, search build.sh for the installIfMissing lines and install each package with apt-get by hand, or simply run the build script itself.
Note that two packages (libzmq3 and libzmq3-dev) fail to install this way on Ubuntu; they can be installed from a PPA instead:
$ sudo add-apt-repository ppa:chris-lea/zeromq
$ sudo apt-get update
$ sudo apt-get install libzmq3-dbg libzmq3-dev
The next step is to install UHD together with GNU Radio. The following command downloads and runs the build-gnuradio script; it takes a while, depending on your machine:
$ wget http://www.sbrac.org/files/build-gnuradio && chmod a+x ./build-gnuradio && ./build-gnuradio
When it finishes, it reports success or failure. If it fails, check the log output, fix the problem and run it again. The packages OpenBTS needs are installed and configured next: libgsm1-dev, asterisk-dev and asterisk-config.
$ sudo apt-get install libgsm1-dev asterisk-dev asterisk-config
Optionally, install libusb (note: libusb, not libusbx). Download the package from www.libusb.org and extract it under /usr/src. Back up the original /usr/lib/x86_64-linux-gnu/libusb.so before overwriting it.
Install OpenBTS
With the prerequisites in place, install OpenBTS itself.
1. Create a working directory for OpenBTS (the paths below use /home/openbts/obts; adapt them to your setup).
2. Clone the repositories by running the following script:
 

#!/bin/bash
git clone https://github.com/RangeNetworks/openbts.git
git clone https://github.com/RangeNetworks/smqueue.git
git clone https://github.com/RangeNetworks/subscriberRegistry.git
# From here downwards you can copy & paste (that's what the ';' are for)
for D in *; do (
    echo "$D";
    echo "=======";
    cd "$D";
    git clone https://github.com/RangeNetworks/CommonLibs.git;
    git clone https://github.com/RangeNetworks/NodeManager.git
); done;
git clone https://github.com/RangeNetworks/libcoredumper.git;
git clone https://github.com/RangeNetworks/liba53.git

3. Build libcoredumper:
$ cd libcoredumper; ./build.sh && sudo dpkg -i *.deb; cd ..
4. Build liba53:
$ cd liba53; make && sudo make install; cd ..
5. Check out YateBTS into the same directory:
$ svn checkout http://voip.null.ro/svn/yatebts/trunk yatebts
6. Next, remove the code that automatically loads the FPGA image (the image will be loaded separately, see below). Open the file:
$ vim ./yatebts/mbts/TransceiverRAD1/bladeRFDevice.cpp
Empty the block from the #ifdef at line 108 to the #endif at line 129; keep a copy of the original in case you need it later.
7. Change into the YateBTS directory and run autogen.sh:
$ cd obts/yatebts
$ ./autogen.sh
8. This generates the configure script. If you run it straight away it aborts with an error because it looks for Yate, so edit it first:
$ vim configure
Find the as_fn_error $? ... "$LINENO" call that aborts when Yate (the open-source Yate software) is not found, replace it so that configure no longer stops there, and continue.
9. Run configure:
$ ./configure
10. Two subdirectories of YateBTS have to be built:
A) Peering
$ cd /home/openbts/obts/yatebts/mbts/Peering
$ make
B) TransceiverRAD1
$ cd /home/openbts/obts/yatebts/mbts/TransceiverRAD1
$ make
11. Copy the transceiver into the OpenBTS apps directory and link it under the name OpenBTS expects:
$ cd ..
$ cp ./yatebts/mbts/TransceiverRAD1/transceiver-bladerf openbts/apps/
$ cd openbts/apps/
$ ln -sf transceiver-bladerf transceiver
12. Compile OpenBTS:
$ cd /home/openbts/obts/openbts
$ ./autogen.sh
$ ./configure --with-uhd
$ make
13. Next, adapt the SQLite configuration for the bladeRF:
$ vim /home/openbts/obts/openbts/apps/OpenBTS.example.sql
Find and replace the following entries:
When done, continue with the next step.
14. Create the OpenBTS configuration directory:
$ sudo mkdir /etc/OpenBTS
15. Create the configuration database in that directory from the example SQL:
$ sudo sqlite3 -init ./apps/OpenBTS.example.sql /etc/OpenBTS/OpenBTS.db ".quit"
16. Once that is done, you can check it by dumping the database:
$ sqlite3 /etc/OpenBTS/OpenBTS.db .dump
A long stream of output means the database was created successfully.
17. Run OpenBTS:
$ cd /home/openbts/obts/openbts/apps
$ sudo ./OpenBTS
If the system starts, your base station is up. Search for nearby networks with a mobile phone; a test network with PLMN 00101 should appear in the list.


18. If the test above works, exit OpenBTS and install the subscriber registry (sipauthserve) and smqueue, which OpenBTS needs; without them a phone cannot attach to the test network.
19. The subscriber registry needs the directory /var/lib/asterisk/sqlite3dir:
$ sudo mkdir -p /var/lib/asterisk/sqlite3dir
20. Build sipauthserve:
$ cd subscriberRegistry
$ ./autogen.sh
$ ./configure
$ make
The sipauthserve binary is built in /home/openbts/obts/subscriberRegistry/apps.
21. Configure sipauthserve by creating its database:
$ cd /home/openbts/obts/subscriberRegistry
$ sudo sqlite3 -init subscriberRegistry.example.sql /etc/OpenBTS/sipauthserve.db ".quit"
22. Install smqueue. Its build depends on SubscriberRegistry.h, which you make available through a symlink in its directory:
$ cd /home/openbts/obts/smqueue
$ ln -s /home/openbts/obts/subscriberRegistry SR
$ autoreconf -i
$ ./configure
$ make
23. Once built, create its configuration database:
$ cd /home/openbts/obts/smqueue
$ sudo sqlite3 -init smqueue/smqueue.example.sql /etc/OpenBTS/smqueue.db ".quit"
bladeRF firmware upgrade and FPGA image loading
24. Upgrade the firmware following https://github.com/nuand/bladerf/wiki/upgrading-bladerf-firmware.
25. Download the FPGA image from http://www.nuand.com/fpga.php
26. Load the FPGA image (with -L it is written to the board's flash, so it loads automatically at power-up; the file name below is a placeholder for the image you downloaded):
$ bladeRF-cli -L <fpga-image.rbf>
Be patient during this step and do not interrupt it, or you may brick the board.
27. Then start the services configured earlier:
$ cd /home/openbts/obts/smqueue
$ sudo ./smqueue &
$ cd /home/openbts/obts/subscriberRegistry/apps
$ sudo ./sipauthserve &
$ cd /home/openbts/obts/openbts/apps
$ sudo ./OpenBTS &
28. Start OpenBTSCLI:
$ cd /home/openbts/obts/openbts/apps/
$ sudo ./OpenBTSCLI
29. By default OpenBTS does not accept registrations from unknown phones. Either
A) enter your own phone's IMSI (International Mobile Subscriber Identity) as the registration pattern, or
B) allow every IMSI to register:
config Control.LUR.OpenRegistration .*
With the latter, every phone within range of your signal will attach to your base station, including your neighbours'.
Now search for the network on your phone. You can call the test number (600 in the author's setup) to test the Asterisk side.
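As an added example (not part of the original article or the OpenBTS code base), a small Python audit of the configuration database created in step 15: it reads Control.LUR.OpenRegistration and the PLMN identity and reports when the registration pattern would admit phones other than your own test SIMs, as `.*` from step 29 does. It assumes the CONFIG table layout of OpenBTS.example.sql and works on a constructed in-memory copy instead of /etc/OpenBTS/OpenBTS.db.

```python
"""Audit an OpenBTS 5 configuration database for over-broad registration.

Added example, not code from the original article or the OpenBTS project.
Assumes the CONFIG table of OpenBTS.example.sql (KEYSTRING / VALUESTRING) and
the keys Control.LUR.OpenRegistration and GSM.Identity.MCC / MNC.  OpenBTS
matches OpenRegistration as a regex against the IMSI; re.search approximates.
"""
import re
import sqlite3

LAB_IMSIS = {"001010000000001", "001010000000002"}    # constructed test-SIM IMSIs
OTHER_IMSIS = {"310260123456789", "262011234567890"}  # constructed, live-network-looking
TEST_PLMN = ("001", "01")                              # test PLMN the article expects phones to see

def build_sample_db(open_registration, mcc="001", mnc="01"):
    """Constructed in-memory stand-in for /etc/OpenBTS/OpenBTS.db."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CONFIG (KEYSTRING TEXT UNIQUE NOT NULL, VALUESTRING TEXT, "
               "STATIC INTEGER DEFAULT 0, OPTIONAL INTEGER DEFAULT 0, COMMENT TEXT DEFAULT '')")
    db.executemany("INSERT INTO CONFIG (KEYSTRING, VALUESTRING) VALUES (?, ?)", [
        ("Control.LUR.OpenRegistration", open_registration),
        ("GSM.Identity.MCC", mcc),
        ("GSM.Identity.MNC", mnc),
    ])
    return db

def get_config(db, key):
    row = db.execute("SELECT VALUESTRING FROM CONFIG WHERE KEYSTRING = ?", (key,)).fetchone()
    return row[0] if row else None

def audit(db, lab_imsis=LAB_IMSIS):
    """Return a list of findings; an empty list means the config is lab-safe."""
    findings = []
    pattern = get_config(db, "Control.LUR.OpenRegistration") or ""
    if pattern:  # empty pattern: only IMSIs already in sipauthserve's registry are accepted
        try:
            rx = re.compile(pattern)
        except re.error as exc:
            return ["OpenRegistration regex does not compile: %s" % exc]
        admitted = sorted(i for i in OTHER_IMSIS - lab_imsis if rx.search(i))
        if admitted:
            findings.append("OpenRegistration '%s' admits non-lab IMSIs, e.g. %s"
                            % (pattern, admitted[0]))
    plmn = (get_config(db, "GSM.Identity.MCC"), get_config(db, "GSM.Identity.MNC"))
    if plmn != TEST_PLMN:
        findings.append("PLMN %s/%s is not the test PLMN 001/01" % plmn)
    return findings
```

Run `audit(sqlite3.connect("/etc/OpenBTS/OpenBTS.db"))` on a real setup; a pattern anchored to your own test IMSIs (for example `^00101`) yields no findings, while `.*` is reported.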

 
