A rogue BTS can be a useful research tool. Here I will show you how to install one and how to configure your network for security research.
First, let's update our system. I will use Debian Buster on a Raspberry Pi 3 with 1 GB of RAM and a BladeRF xA9.
Step 1 – Requirements
Build your own rogue GSM
Pack List | Price | Link
RPI3 – 1 GB RAM | 100 |
RPI4 Case | 30 |
BladeRF xA9 | 780 |
BladeRF Case | 20 |
BladeRF Antennas | 4 x 25 |
Power Supply | 35 |
SD Card 128GB | 20 |
USB SIM Card Reader | 45 |
Blank SIM Cards | 50 |
GSM phone Unlocked | |
Power Bank 28000 mAh | 40 |
rfs@offensive-wireless:~ $ sudo su
root@offensive-wireless:/root# apt-get -y update && apt-get -y upgrade
rfs@offensive-wireless:~ $ uname -a
Linux offensive-wireless 5.10.103-v7+ #1529 SMP Tue Mar 8 12:21:37 GMT 2022 armv7l GNU/Linux
Step 2 – Configure Blade RF for Yate
To install all the necessary dependencies we need to add the BladeRF repository to our system; as root, run the following commands:
Now it’s time to install the necessary dependencies.
rfs@offensive-wireless:~ $ sudo apt-get install libusb-1.0-0-dev libusb-1.0-0 build-essential cmake libncurses5-dev libtecla1 libtecla-dev pkg-config git wget doxygen help2man pandoc python-setuptools python-dev swig libccid pcscd pcsc-tools python-pyscard libpcsclite1 unzip firefox-esr xserver-xorg lightdm xfce4 automake matchbox-keyboard iptables-persistent
rfs@yatebts:~ $ sudo apt install libbladerf-dev
Clone the Nuand bladeRF repository from GitHub and change into it:
rfs@yatebts:~ $ git clone https://github.com/Nuand/bladeRF.git
rfs@yatebts:~ $ cd bladeRF
Validate the installed versions of libusb and libusb-dev.
Remember to validate this or you will have a lot of problems using the BladeRF.
rfs@offensive-wireless:~/bladeRF $ dpkg -s libusb-1.0-0 libusb-1.0-0-dev
rfs@offensive-wireless:~/bladeRF $ cd host/
rfs@offensive-wireless:~/bladeRF/host $ mkdir build
rfs@offensive-wireless:~/bladeRF/host $ cd build
rfs@offensive-wireless:~/bladeRF/host/build $ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local -DINSTALL_UDEV_RULES=ON ../
rfs@offensive-wireless:~/bladeRF/host/build $ sudo addgroup bladerf
rfs@offensive-wireless:~/bladeRF/host/build $ sudo usermod -a -G bladerf rfs
rfs@offensive-wireless:~/bladeRF/host/build $ make && sudo make install && sudo ldconfig
rfs@offensive-wireless:~$ bladeRF-cli
Connect the BladeRF to the Raspberry Pi and verify that it is detected:
rfs@yatebts:~/bladeRF/host/build $ bladeRF-cli -p
Backend: libusb
Serial: f12ce1037830a1b27f3ceeba1f521413
USB Bus: 4
USB Address: 8
rfs@yatebts:~/bladeRF/host/build $ bladeRF-cli -i
bladeRF> help
... (Help text shown here ) ...
bladeRF> info
Serial #: f12ce1037830a1b27f3ceeba1f521413
VCTCXO DAC calibration: 0x894e
FPGA size: 40 KLE
FPGA loaded: no
USB bus: 2
USB address: 3
USB speed: SuperSpeed
Backend: libusb
Instance: 0
bladeRF> version
bladeRF-cli version: 0.11.0-git-58c3ff4
libbladeRF version: 0.16.1-git-58c3ff4
Firmware version: 1.7.1-git-ca697ee
FPGA version: Unknown (FPGA not loaded)
Step 3 – Install a Rogue BTS for fun and profit
Before we start installing the packages, let's create a group for Yate and add our user to it.
rfs@offensive-wireless:~ $ sudo addgroup yate
rfs@offensive-wireless:~ $ sudo usermod -a -G yate rfs
Create a new folder to store all the BTS data:
rfs@offensive-wireless:~ $ mkdir YateBTS
rfs@offensive-wireless:~ $ cd YateBTS
Download the Yate package from the Nuand repository dedicated to the BladeRF. This step is critical: with this package it is easy to set up the BladeRF with YateBTS.
Decompress the archive into our new folder:
rfs@offensive-wireless:~/YateBTS $ tar xvf yate-rc-3.tar.gz
How to Install Yate
Move the sources into /usr/src, put the FPGA images where bladeRF-cli expects them (create the directory first), then build Yate:
rfs@offensive-wireless:~/YateBTS $ sudo mv yate /usr/src
rfs@offensive-wireless:~/YateBTS $ sudo mv yatebts /usr/src
rfs@offensive-wireless:~/YateBTS $ sudo mkdir -p /usr/share/nuand/bladeRF
rfs@offensive-wireless:~/YateBTS $ sudo mv *.rbf /usr/share/nuand/bladeRF
rfs@offensive-wireless:~/YateBTS $ cd /usr/src/yate
rfs@offensive-wireless:/usr/src/yate $ ./autogen.sh
rfs@offensive-wireless:/usr/src/yate $ ./configure --prefix=/usr/local
rfs@offensive-wireless:/usr/src/yate $ make
rfs@offensive-wireless:/usr/src/yate $ sudo make install
rfs@offensive-wireless:/usr/src/yate $ sudo make install-noapi
rfs@offensive-wireless:/usr/src/yate $ sudo ldconfig
rfs@offensive-wireless:/usr/src/yate $ cd ..
Install Yate BTS
rfs@offensive-wireless:/usr/src $ cd yatebts
rfs@offensive-wireless:/usr/src/yatebts $ ./autogen.sh
rfs@offensive-wireless:/usr/src/yatebts $ ./configure --prefix=/usr/local
rfs@offensive-wireless:/usr/src/yatebts $ make
rfs@offensive-wireless:/usr/src/yatebts $ sudo make install
rfs@offensive-wireless:/usr/src/yatebts $ sudo ldconfig
rfs@offensive-wireless:/usr/src/yatebts $ cd ..
Step 4 – Configuring YateBTS
rfs@offensive-wireless:~/usr/src/$ sudo touch /usr/local/etc/yate/snmp_data.conf /usr/local/etc/yate/tmsidata.conf
rfs@offensive-wireless:~/usr/src/$ sudo chown rfs:yate /usr/local/etc/yate/*.conf
rfs@offensive-wireless:~/usr/src/$ sudo chmod g+w /usr/local/etc/yate/*.conf
Load the xA9 FPGA image that was copied to /usr/share/nuand/bladeRF:
rfs@offensive-wireless:~ $ bladeRF-cli -l /usr/share/nuand/bladeRF/hostedxA9.rbf
If everything works, it's time to start our BTS. Run Yate in verbose mode and then connect to its telnet console:
rfs@dell:~/Downloads/YateBTS/yatebts$ yate -v
rfs@dell:~/Downloads/YateBTS/yatebts$ telnet localhost 5038
Set up Network In a Box – NIB
rfs@offensive-wireless:~ $ sudo apt-get install -y apache2 php libusb-1.0-0 libusb-1.0-0-dev libgsm1 libgsm1-dev
rfs@offensive-wireless:~ $ cd /var/www/html
rfs@offensive-wireless:/var/www/html $ sudo ln -s /usr/local/share/yate/nipc_web nipc
rfs@offensive-wireless:/var/www/html $ sudo chmod -R a+w /usr/local/share/yate
sudo vi /etc/systemd/system/yate.service
[Unit]
Description=RFS Yate BTS
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=1
User=root
ExecStart=/usr/local/bin/yate -s
[Install]
WantedBy=multi-user.target
rfs@offensive-wireless:~ $ sudo systemctl start yate
rfs@offensive-wireless:~ $ sudo systemctl enable yate
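Before enabling the service it is worth checking the three things that most often go wrong at this point: the FPGA image is still not loaded (the Step 2 output above shows "FPGA loaded: no" until hostedxA9.rbf is loaded), the Yate *.conf files are not owned by the yate group or have been left world-writable, and the Yate telnet console on port 5038 is listening on more than the loopback interface. The pre-flight script below is an added example and is not part of this post or of the Yate or Nuand projects. It assumes `bladeRF-cli -e info` and `ss -ltn` as the commands to collect the live data; the sample outputs it falls back to are constructed, and the configuration directory is the one used above.

```python
"""Pre-flight checks before starting the yate service.

Added example, not part of the original post or of the Yate/Nuand projects.
It checks three things: the BladeRF FPGA image is loaded (parsed from
`bladeRF-cli -e info`, assumed invocation), the Yate *.conf files belong to
the expected group and are not world-writable, and the Yate telnet console
(port 5038) listens on loopback only (parsed from `ss -ltn`). The sample
outputs below are constructed so the checks can be exercised offline.
"""
import os
import re
import shutil
import stat
import subprocess

YATE_CONF_DIR = "/usr/local/etc/yate"   # path used in the post
RMANAGER_PORT = 5038                    # "telnet localhost 5038" in the post
LOOPBACK = {"127.0.0.1", "[::1]", "::1", "localhost"}

# Constructed sample of the `info` output before hostedxA9.rbf is loaded
SAMPLE_INFO_NOT_LOADED = """\
  Serial #:                 f12ce1037830a1b27f3ceeba1f521413
  FPGA size:                40 KLE
  FPGA loaded:              no
  USB speed:                SuperSpeed
"""
SAMPLE_INFO_LOADED = SAMPLE_INFO_NOT_LOADED.replace("loaded:              no",
                                                    "loaded:              yes")

# Constructed sample of `ss -ltn` with the console also bound on all interfaces
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5038     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:5038       0.0.0.0:*
"""


def fpga_loaded(info_output):
    """True when the `info` output reports the FPGA image as loaded."""
    m = re.search(r"^\s*FPGA loaded:\s*(\S+)", info_output, re.M)
    return bool(m) and m.group(1).lower() == "yes"


def conf_permission_findings(conf_dir, expected_gid=None):
    """Problems with *.conf files: world-writable, or wrong group when
    expected_gid is given (the post chowns them to the yate group)."""
    findings = []
    for name in sorted(os.listdir(conf_dir)):
        if not name.endswith(".conf"):
            continue
        st = os.stat(os.path.join(conf_dir, name))
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{name}: world-writable")
        if expected_gid is not None and st.st_gid != expected_gid:
            findings.append(f"{name}: group is {st.st_gid}, expected {expected_gid}")
    return findings


def exposed_console_listeners(ss_output, port=RMANAGER_PORT):
    """Local sockets from `ss -ltn` output that listen on `port` off loopback."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, p = cols[3].rpartition(":")   # handles [::]:5038 as well
        if p == str(port) and addr not in LOOPBACK:
            exposed.append(cols[3])
    return exposed


def _run(cmd, fallback):
    """Run a tool if it is installed, otherwise use the constructed sample."""
    if shutil.which(cmd[0]) is None:
        return fallback
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    import grp
    info = _run(["bladeRF-cli", "-e", "info"], SAMPLE_INFO_NOT_LOADED)
    print("FPGA loaded:", fpga_loaded(info))
    try:
        yate_gid = grp.getgrnam("yate").gr_gid
    except KeyError:
        yate_gid = None
    if os.path.isdir(YATE_CONF_DIR):
        for finding in conf_permission_findings(YATE_CONF_DIR, yate_gid):
            print("conf:", finding)
    for sock in exposed_console_listeners(_run(["ss", "-ltn"], SAMPLE_SS)):
        print("console exposed on:", sock)
```

Run it as the rfs user right after the unit file is written; an exposed console line means the rmanager port is reachable from the network and should be bound to 127.0.0.1 before the service is enabled.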
Step 5 – Provisioning SIM Cards
In order to
How to Install PySIM
rfs@offensive-wireless:~/YateBTS $ sudo apt-get install libpcsclite-dev
rfs@offensive-wireless:~ $ mkdir PySIM
rfs@offensive-wireless:~ $ cd PySIM/
rfs@offensive-wireless:~/PySIM $ git clone git://git.osmocom.org/pysim.git
rfs@offensive-wireless:~/PySIM $ sudo apt-get install python3-pyscard python3-serial python3-pip python3-yaml
rfs@offensive-wireless:~/PySIM/pysim $ pip3 install -r requirements.txt
How to Configure a Magic SIM
rfs@offensive-wireless:~/PySIM/pysim $ ./pySim-read.py -d /dev/ttyUSB0
rfs@offensive-wireless:~/PySIM/pysim $ ./pySim-prog.py -d /dev/ttyUSB0 -n RFS -x 268 -y 07 -i 901990000000018 -s 8988211110000110000 -o 398198093111279FB1FC74BE07059FEF -k 1D8B2562B772549F20D0F42003EAA6FA
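A card written with a malformed profile is hard to debug from the BTS side, so it pays to check the values before handing them to pySim-prog. The validator below is an added example and is not part of this post or of the pySim project. It encodes the formats the command line above relies on: a 15-digit IMSI that begins with MCC+MNC, a 19- or 20-digit ICCID whose last digit is the ITU-T E.118 Luhn check digit, and 128-bit Ki and OPc written as 32 hex characters; it then builds the same pySim-prog argument list. The "post" profile uses the values exactly as shown above; the "fixed" profile (IMSI 268070000000001, ICCID ending in 7) is constructed. On the post's values the checker reports that the IMSI does not begin with 268 07 and that the ICCID's last digit does not verify (7 would).

```python
"""Validate a SIM profile before passing it to pySim-prog.

Added example, not part of the original post or of the pySim project.
Rules: IMSI is 15 digits and starts with MCC+MNC; ICCID is 19 or 20 digits
ending in a Luhn check digit (ITU-T E.118); Ki and OPc are 128-bit values
written as 32 hex characters. POST_PROFILE holds the values shown in the
post's pySim-prog line; FIXED_PROFILE is a constructed consistent variant.
"""
import re

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def luhn_valid(digits):
    """Luhn check over a digit string whose last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload):
    """The digit that makes payload + digit pass luhn_valid."""
    return next(c for c in "0123456789" if luhn_valid(payload + c))


def validate_sim_profile(imsi, iccid, mcc, mnc, ki, opc):
    """Return a list of findings; an empty list means the profile is consistent."""
    findings = []
    if not (imsi.isdigit() and len(imsi) == 15):
        findings.append("IMSI must be 15 digits")
    if not (mcc.isdigit() and len(mcc) == 3 and mnc.isdigit() and len(mnc) in (2, 3)):
        findings.append("MCC must be 3 digits and MNC 2 or 3 digits")
    elif imsi.isdigit() and not imsi.startswith(mcc + mnc):
        findings.append(f"IMSI does not start with MCC+MNC {mcc + mnc}")
    if not (iccid.isdigit() and len(iccid) in (19, 20)):
        findings.append("ICCID must be 19 or 20 digits")
    elif not luhn_valid(iccid):
        findings.append("ICCID Luhn check failed "
                        f"(expected last digit {luhn_check_digit(iccid[:-1])})")
    for label, value in (("Ki", ki), ("OPc", opc)):
        if not HEX32.match(value):
            findings.append(f"{label} must be 32 hex characters (128 bits)")
    return findings


def pysim_prog_args(imsi, iccid, mcc, mnc, ki, opc, device="/dev/ttyUSB0", name="RFS"):
    """Argument list matching the pySim-prog invocation used in the post."""
    return ["pySim-prog.py", "-d", device, "-n", name, "-x", mcc, "-y", mnc,
            "-i", imsi, "-s", iccid, "-o", opc, "-k", ki]


# Values exactly as shown on the pySim-prog line in the post
POST_PROFILE = dict(imsi="901990000000018", iccid="8988211110000110000",
                    mcc="268", mnc="07",
                    ki="1D8B2562B772549F20D0F42003EAA6FA",
                    opc="398198093111279FB1FC74BE07059FEF")

# Constructed profile that is internally consistent (IMSI in 268/07, valid check digit)
FIXED_PROFILE = dict(POST_PROFILE, imsi="268070000000001", iccid="8988211110000110007")


if __name__ == "__main__":
    for label, prof in (("post", POST_PROFILE), ("fixed", FIXED_PROFILE)):
        problems = validate_sim_profile(**prof)
        print(label, "->", problems or "ok")
        if not problems:
            print(" ".join(pysim_prog_args(**prof)))
```

Ki and OPc are only format-checked here; whether they match what the BTS side expects is decided by the subscriber entry you create in NIB, so keep the two in sync when you change either.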
rfs@offensive-wireless:~/PySIM $ sudo cp -R pysim/ /usr/src/
rfs@offensive-wireless:~/PySIM $ cd /usr/local/bin
rfs@offensive-wireless:/usr/local/bin $ sudo ln -s /usr/src/pysim/pySim-prog.py pySim-prog.py
rfs@offensive-wireless:/usr/local/bin $ sudo vi /usr/local/share/yate/nipc_web/config.php
<?php
// Directory that contains pySim-prog.py (the copy placed in /usr/src/pysim above)
$pysim_path = "/usr/src/pysim";
?>
rfs@offensive-wireless:~/PySIM/pysim $ sudo systemctl daemon-reload
rfs@offensive-wireless:~/PySIM/pysim $ sudo systemctl restart yate
rfs@offensive-wireless:~/PySIM/pysim $ sudo systemctl status yate
Once everything is done you can start capturing the GSM signals from our BTS using an RTL-SDR.
My next article will be about systems and methods for identifying rogue base stations; for now, you can check my other article about ZigBee Sniffing.