How to Install a Rogue BTS

A rogue BTS is a useful tool for mobile-network security research. Here I show how to install one and how to configure the network for that purpose.

First, let's update the system. I am using Debian Buster on a Raspberry Pi 3 with 1 GB of RAM and a bladeRF 2.0 micro xA9.

Step 1 – Requirements

Build your own rogue GSM

Pack List                 Price
RPI3 – 1 GB RAM           100
RPI4 Case                 30
BladeRF xA9               780
BladeRF Case              20
BladeRF Antennas          4 x 25
Power Supply              35
SD Card 128GB             20
USB SIM Card Reader       45
Blank SIM Cards           50
GSM phone (unlocked)      -
Power Bank 28000 mAh      40

rfs@offensive-wireless:~ $ sudo su

root@offensive-wireless:/root# apt-get -y update && apt-get -y upgrade

rfs@offensive-wireless:~ $ uname -a
Linux offensive-wireless 5.10.103-v7+ #1529 SMP Tue Mar 8 12:21:37 GMT 2022 armv7l GNU/Linux

Step 2 – Configure Blade RF for Yate

To install all the necessary dependencies we need to add the bladeRF repository to the system. As root, run the following commands.

Now install the dependencies:

rfs@offensive-wireless:~ $ sudo apt-get install libusb-1.0-0-dev libusb-1.0-0 build-essential cmake libncurses5-dev libtecla1 libtecla-dev pkg-config git wget doxygen help2man pandoc python-setuptools python-dev swig libccid pcscd pcsc-tools python-pyscard libpcsclite1 unzip firefox-esr xserver-xorg lightdm xfce4 automake matchbox-keyboard iptables-persistent

rfs@yatebts:~ $ sudo apt install libbladerf-dev

This installs the Buster package, while the next steps build libbladeRF from git into /usr/local, so the system ends up with two copies of the library and its headers. If you take the source route, make sure yatebts links against the /usr/local copy (ldd on the built binaries shows which libbladeRF.so is used) or skip the distro package.

Clone the bladeRF repository from GitHub and change into it:

rfs@yatebts:~ $ git clone https://github.com/Nuand/bladeRF.git
rfs@yatebts:~ $ cd bladeRF

Validate the installed libusb and libusb-dev versions. The runtime library and the -dev package must be the same version; skip this check and you will have a lot of problems with the bladeRF build.

rfs@offensive-wireless:~/bladeRF $ dpkg -s libusb-1.0-0 libusb-1.0-0-dev

rfs@offensive-wireless:~/bladeRF $ cd host/

rfs@offensive-wireless:~/bladeRF/host $ mkdir build
rfs@offensive-wireless:~/bladeRF/host $ cd build
rfs@offensive-wireless:~/bladeRF/host/build $ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local -DINSTALL_UDEV_RULES=ON ../
rfs@offensive-wireless:~/bladeRF/host/build $ sudo addgroup bladerf
rfs@offensive-wireless:~/bladeRF/host/build $ sudo usermod -a -G bladerf rfs
rfs@offensive-wireless:~/bladeRF/host/build $ make && sudo make install && sudo ldconfig
rfs@offensive-wireless:~ $ bladeRF-cli

The udev rules installed by -DINSTALL_UDEV_RULES=ON grant device access to the bladerf group, so the new membership has to be active: log out and back in (or open a shell with newgrp bladerf) before using bladeRF-cli as rfs.

Connect the bladeRF to the Raspberry Pi and verify that it is detected:

rfs@yatebts:~/bladeRF/host/build $ bladeRF-cli -p
    Backend:        libusb
    Serial:         f12ce1037830a1b27f3ceeba1f521413
    USB Bus:        4
    USB Address:    8
rfs@yatebts:~/bladeRF/host/build $ bladeRF-cli -i

bladeRF> help

... (Help text shown here ) ...

bladeRF> info

  Serial #:                 f12ce1037830a1b27f3ceeba1f521413                          
  VCTCXO DAC calibration:   0x894e
  FPGA size:                40 KLE
  FPGA loaded:              no
  USB bus:                  2
  USB address:              3
  USB speed:                SuperSpeed
  Backend:                  libusb
  Instance:                 0

bladeRF> version
  bladeRF-cli version:        0.11.0-git-58c3ff4
  libbladeRF version:         0.16.1-git-58c3ff4

  Firmware version:           1.7.1-git-ca697ee
  FPGA version:               Unknown (FPGA not loaded)
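Three things commonly go wrong at this stage: a libusb runtime/-dev version mismatch, a user who is not yet in the bladerf group, and an xA9 whose FPGA image has not been loaded (the "FPGA loaded: no" line above). The pre-flight script below is an added example, not part of this page or of Nuand's tooling. It parses the output of dpkg -s, id -Gn and bladeRF-cli -e info and lists what still has to be fixed before yate is started. It assumes that bladeRF-cli -e runs one command non-interactively and that a loaded device reports "FPGA loaded: yes"; the embedded sample outputs are constructed so the checks can be exercised off the Pi.

```python
"""Pre-flight checks for a bladeRF + YateBTS build (added example, not the page's code)."""
import re
import shutil
import subprocess

# Path the tutorial moves the Nuand FPGA image to.
FPGA_IMAGE = "/usr/share/nuand/bladeRF/hostedxA9.rbf"

# Constructed sample in the shape of the `bladeRF-cli -i` / `info` transcript.
SAMPLE_INFO = """\
  Serial #:                 f12ce1037830a1b27f3ceeba1f521413
  VCTCXO DAC calibration:   0x894e
  FPGA size:                40 KLE
  FPGA loaded:              no
  USB speed:                SuperSpeed
  Backend:                  libusb
"""

# Constructed `dpkg -s libusb-1.0-0 libusb-1.0-0-dev` output with a deliberate
# runtime/-dev mismatch (versions are illustrative).
SAMPLE_DPKG = """\
Package: libusb-1.0-0
Status: install ok installed
Version: 2:1.0.22-2

Package: libusb-1.0-0-dev
Status: install ok installed
Version: 2:1.0.23-2
"""


def parse_kv(text):
    """Turn 'Key: value' lines (bladeRF-cli info, one dpkg stanza) into a dict."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def dpkg_versions(text):
    """Map package name -> installed version from multi-stanza `dpkg -s` output."""
    versions = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = parse_kv(stanza)
        if "Package" in fields and "Version" in fields:
            versions[fields["Package"]] = fields["Version"]
    return versions


def libusb_mismatch(dpkg_text):
    """Return (runtime, dev) versions when they differ, None when they match."""
    v = dpkg_versions(dpkg_text)
    rt, dev = v.get("libusb-1.0-0"), v.get("libusb-1.0-0-dev")
    if rt is None or dev is None:
        raise RuntimeError("libusb-1.0-0 or libusb-1.0-0-dev is not installed")
    return None if rt == dev else (rt, dev)


def fpga_needs_load(info_text):
    """True unless bladeRF-cli reports the FPGA as loaded."""
    return parse_kv(info_text).get("FPGA loaded", "").lower() != "yes"


def in_group(groups_text, group="bladerf"):
    """groups_text is the output of `id -Gn` (space-separated group names)."""
    return group in groups_text.split()


def preflight(info_text, dpkg_text, groups_text):
    """Return the corrective actions still needed; an empty list means ready."""
    actions = []
    mm = libusb_mismatch(dpkg_text)
    if mm:
        actions.append("libusb-1.0-0 %s != libusb-1.0-0-dev %s: install matching versions" % mm)
    if not in_group(groups_text):
        actions.append("add the user to the bladerf group (sudo usermod -a -G bladerf $USER) and log in again")
    if fpga_needs_load(info_text):
        actions.append("load the FPGA: bladeRF-cli -l " + FPGA_IMAGE)
    return actions


def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    if shutil.which("bladeRF-cli") and shutil.which("dpkg"):
        info = run(["bladeRF-cli", "-e", "info"])
        dpkg = run(["dpkg", "-s", "libusb-1.0-0", "libusb-1.0-0-dev"])
        groups = run(["id", "-Gn"])
    else:  # not on the Pi: exercise the checks on the constructed samples
        info, dpkg, groups = SAMPLE_INFO, SAMPLE_DPKG, "rfs yate"
    for action in preflight(info, dpkg, groups) or ["ready"]:
        print(action)
```

Run it as the user that will start yate, after logging back in, so that id -Gn reflects the new group membership.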

Step 3 – Install a Rogue BTS for fun and profit

Before installing the packages, create a group for Yate and add our user to it.

rfs@offensive-wireless:~ $ sudo addgroup yate
rfs@offensive-wireless:~ $ sudo usermod -a -G yate rfs

Create a new folder for all BTS data:

rfs@offensive-wireless:~ $ mkdir YateBTS
rfs@offensive-wireless:~ $ cd YateBTS

Download the YateBTS package (yate-rc-3.tar.gz) from Nuand's bladeRF repository. This step matters: the package bundles Yate, YateBTS and the FPGA images already set up for the bladeRF, which makes the YateBTS setup much easier.

Decompress the file into our new folder:

rfs@offensive-wireless:~/YateBTS $ tar xvf yate-rc-3.tar.gz

How to Install Yate

Create the directory for the FPGA images first, then move the sources and the .rbf files into place and build Yate:

rfs@offensive-wireless:~/YateBTS $ sudo mkdir -p /usr/share/nuand/bladeRF
rfs@offensive-wireless:~/YateBTS $ sudo mv yate /usr/src
rfs@offensive-wireless:~/YateBTS $ sudo mv yatebts /usr/src
rfs@offensive-wireless:~/YateBTS $ sudo mv *.rbf /usr/share/nuand/bladeRF
rfs@offensive-wireless:~/YateBTS $ cd /usr/src/yate
rfs@offensive-wireless:/usr/src/yate $ ./autogen.sh
rfs@offensive-wireless:/usr/src/yate $ ./configure --prefix=/usr/local
rfs@offensive-wireless:/usr/src/yate $ make
rfs@offensive-wireless:/usr/src/yate $ sudo make install
rfs@offensive-wireless:/usr/src/yate $ sudo make install-noapi
rfs@offensive-wireless:/usr/src/yate $ sudo ldconfig
rfs@offensive-wireless:/usr/src/yate $ cd ..

Install YateBTS

rfs@offensive-wireless:/usr/src $ cd yatebts
rfs@offensive-wireless:/usr/src/yatebts $ ./autogen.sh
rfs@offensive-wireless:/usr/src/yatebts $ ./configure --prefix=/usr/local
rfs@offensive-wireless:/usr/src/yatebts $ make
rfs@offensive-wireless:/usr/src/yatebts $ sudo make install
rfs@offensive-wireless:/usr/src/yatebts $ sudo ldconfig
rfs@offensive-wireless:/usr/src/yatebts $ cd ..

Step 4 – Configuring YateBTS

rfs@offensive-wireless:/usr/src $ sudo touch /usr/local/etc/yate/snmp_data.conf /usr/local/etc/yate/tmsidata.conf
rfs@offensive-wireless:/usr/src $ sudo chown rfs:yate /usr/local/etc/yate/*.conf
rfs@offensive-wireless:/usr/src $ sudo chmod g+w /usr/local/etc/yate/*.conf
rfs@offensive-wireless:/usr/src $ bladeRF-cli -l /usr/share/nuand/bladeRF/hostedxA9.rbf

The -l flag loads the FPGA image into the device for the current power cycle only: repeat it after every reboot or unplug, or write the image to the device's flash with bladeRF-cli -L so it autoloads.

If everything works, it's time to start the BTS. Run yate in the foreground first to watch for errors, then connect to its telnet console on port 5038:

rfs@offensive-wireless:~ $ yate -v
rfs@offensive-wireless:~ $ telnet localhost 5038

Setup Network In a Box – NIB

rfs@offensive-wireless:~ $ sudo apt-get install -y apache2 php libusb-1.0-0 libusb-1.0-0-dev libgsm1 libgsm1-dev
rfs@offensive-wireless:~ $ cd /var/www/html
rfs@offensive-wireless:/var/www/html $ sudo ln -s /usr/local/share/yate/nipc_web nipc
rfs@offensive-wireless:/var/www/html $ sudo chmod -R a+w /usr/local/share/yate

The chmod makes the whole Yate share tree world-writable so that the web interface can save its configuration. On anything other than an isolated lab box, restricting write access to the web server user (www-data) is the tighter choice.

Create a systemd unit so the BTS starts at boot:

sudo vi /etc/systemd/system/yate.service
[Unit]
Description=RFS Yate BTS
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
User=root
ExecStart=/usr/local/bin/yate -s

[Install]
WantedBy=multi-user.target

rfs@offensive-wireless:~ $ sudo systemctl daemon-reload
rfs@offensive-wireless:~ $ sudo systemctl start yate
rfs@offensive-wireless:~ $ sudo systemctl enable yate

Step 5 – Provisioning SIM Cards

In order to

How to Install PySIM

rfs@offensive-wireless:~/YateBTS $ sudo apt-get install libpcsclite-dev

rfs@offensive-wireless:~ $ mkdir PySIM
rfs@offensive-wireless:~ $ cd PySIM/
rfs@offensive-wireless:~/PySIM $ git clone git://git.osmocom.org/pysim.git
rfs@offensive-wireless:~/PySIM $ sudo apt-get install python3-pyscard python3-serial python3-pip python3-yaml
rfs@offensive-wireless:~/PySIM $ cd pysim
rfs@offensive-wireless:~/PySIM/pysim $ pip3 install -r requirements.txt

Note that git:// is an unauthenticated transport; if the Osmocom server offers the repository over https, prefer that, and check that the clone is the branch you expect before installing its requirements.

How to Configure a Magic SIM

First read the card, then program it. The pySim-prog flags used here are -n (operator name), -x (MCC), -y (MNC), -i (IMSI), -s (ICCID), -o (OPc) and -k (Ki). The IMSI, Ki and OPc written to the card must be the same values the BTS is given when the subscriber is added, or authentication will fail.

rfs@offensive-wireless:~/PySIM/pysim $ ./pySim-read.py -d /dev/ttyUSB0

rfs@offensive-wireless:~/PySIM/pysim $ ./pySim-prog.py -d /dev/ttyUSB0 -n RFS -x 268 -y 07 -i 901990000000018 -s 8988211110000110000 -o 398198093111279FB1FC74BE07059FEF -k 1D8B2562B772549F20D0F42003EAA6FA
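Before writing a card it is worth checking that the parameters handed to pySim-prog agree with each other: the IMSI has to start with the MCC and MNC, the last ICCID digit is a Luhn check digit, and Ki and OPc must be 128-bit hex values. The checker below is an added example, not the page's or pySim's own code. It treats 001/01 (the 3GPP test PLMN) as the lab network, which is an assumption, and its new_test_subscriber() helper builds a consistent IMSI/ICCID pair with freshly generated keys instead of reusing the keys printed in this article; the ICCID layout it produces is a readable convention, not a mandated one. Run against the values in the pySim-prog command above it reports that the IMSI prefix 90199 does not match 268/07 and that the ICCID's check digit should be 7.

```python
"""Consistency checks for pySim-prog parameters (added example, not pySim's code)."""
import re
import secrets

# Assumption: the lab network is the 3GPP test PLMN, MCC 001 / MNC 01.
TEST_PLMN = "00101"


def luhn_check_digit(payload):
    """Digit that makes payload + digit pass the Luhn check (ICCIDs use this)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit is doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def check_sim_params(mcc, mnc, imsi, iccid, ki, opc):
    """Return {'problems': [...], 'warnings': [...]}; no problems means the set is consistent."""
    problems, warnings = [], []
    if not re.fullmatch(r"\d{3}", mcc):
        problems.append("MCC must be 3 digits")
    if not re.fullmatch(r"\d{2,3}", mnc):
        problems.append("MNC must be 2 or 3 digits")
    if not re.fullmatch(r"\d{15}", imsi):
        problems.append("IMSI must be 15 digits")
    elif not imsi.startswith(mcc + mnc):
        problems.append("IMSI %s does not start with MCC+MNC %s%s" % (imsi, mcc, mnc))
    if not re.fullmatch(r"\d{19,20}", iccid):
        problems.append("ICCID must be 19 or 20 digits")
    elif not luhn_valid(iccid):
        problems.append("ICCID Luhn check digit is wrong (expected %s)" % luhn_check_digit(iccid[:-1]))
    for name, val in (("Ki", ki), ("OPc", opc)):
        if not re.fullmatch(r"[0-9A-Fa-f]{32}", val):
            problems.append("%s must be 32 hex digits (128 bits)" % name)
    if mcc + mnc != TEST_PLMN:
        warnings.append("PLMN %s%s is not the test PLMN %s" % (mcc, mnc, TEST_PLMN))
    return {"problems": problems, "warnings": warnings}


def new_test_subscriber(msin, plmn=TEST_PLMN):
    """Consistent IMSI/ICCID plus fresh random Ki and OPc for one lab card.

    ICCID layout (89 + PLMN + MSIN, zero padded to 18 digits, Luhn digit) is an
    assumption chosen for readability, not a standard-mandated layout.
    """
    msin = msin.zfill(15 - len(plmn))
    imsi = plmn + msin
    body = ("89" + plmn + msin)[:18].ljust(18, "0")
    return {
        "imsi": imsi,
        "iccid": body + luhn_check_digit(body),
        # Random per-card keys; the BTS side must be given the same Ki/OPc.
        "ki": secrets.token_hex(16).upper(),
        "opc": secrets.token_hex(16).upper(),
    }


def pysim_prog_argv(name, mcc, mnc, sub, device="/dev/ttyUSB0"):
    """argv for pySim-prog.py using the same flags as the command in the article."""
    return ["pySim-prog.py", "-d", device, "-n", name, "-x", mcc, "-y", mnc,
            "-i", sub["imsi"], "-s", sub["iccid"], "-o", sub["opc"], "-k", sub["ki"]]


if __name__ == "__main__":
    # Values taken from the pySim-prog command in this article.
    report = check_sim_params("268", "07", "901990000000018", "8988211110000110000",
                              "398198093111279FB1FC74BE07059FEF",
                              "1D8B2562B772549F20D0F42003EAA6FA")
    for line in report["problems"] + report["warnings"]:
        print(line)
    fresh = new_test_subscriber("18")
    print(" ".join(pysim_prog_argv("RFS", "001", "01", fresh)))
```

Keep the generated Ki/OPc somewhere safe: they are what lets the card authenticate to your BTS, and a card programmed with keys copied from a public article can be authenticated by anyone who read the same article.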

Install pySim where the NiPC web interface can call it: copy the tree to /usr/src, symlink pySim-prog.py into the PATH, and point config.php at the directory the tree was copied to.

rfs@offensive-wireless:~/PySIM $ sudo cp -R pysim/ /usr/src/
rfs@offensive-wireless:~/PySIM $ cd /usr/local/bin
rfs@offensive-wireless:/usr/local/bin $ sudo ln -s /usr/src/pysim/pySim-prog.py pySim-prog.py
rfs@offensive-wireless:/usr/local/bin $ sudo vi /usr/local/share/yate/nipc_web/config.php
<?php
$pysim_path = "/usr/src/pysim";
?>


rfs@offensive-wireless:~/PySIM/pysim $ sudo systemctl daemon-reload
rfs@offensive-wireless:~/PySIM/pysim $ sudo systemctl restart yate
rfs@offensive-wireless:~/PySIM/pysim $ sudo systemctl status yate

bladeRF 2.0 micro xA9

Once everything is running you can capture the GSM signal of your own BTS over the air with an RTL-SDR.

My next article will be about systems and methods for identifying rogue base stations; for now, you can check my other article about ZigBee sniffing.

