Hak5 Forums
NotPike

Personal Cell Phone Base Station


I'm going to dive down the rabbit hole and make my own personal base station using a BladeRF and YateBTS. Has anyone else tried doing this?

https://evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/  (Not a good Tutorial)

http://yatebts.com/

Edited by NotPike
Replaced the video with DefCon's channel instead of wherever it was


Ok! So here's what I found out so far.

Yate and YateBTS are a software implementation of a GSM/GPRS radio access network that has the capability to convert GSM traffic to VoIP.

  • GSM (Global System for Mobile Communications): in short, this is the technology being used to transmit and receive voice and text.
  • GPRS (General Packet Radio Service) is a packet oriented mobile data service. This is how you get your Internet on a 2g or 3g cell network.

GSM and GPRS are legacy now due to LTE (Long-Term Evolution) becoming the standard for all cell phones. It's old tech but it's still supported by most if not all modern cell phones. One advantage of GSM for the attacker is how you can set the base station to communicate everything in clear text. I like to think of this as being a downgrade attack but TBH it was a struggle for me to make my cell authenticate with my base station. Seems like my phone preferred LTE over GSM so go figure lol. I had to configure my phone manually to make it connect. Another advantage of configuring a base station to be unencrypted is that it keeps it legal for hams to broadcast on the 900 MHz ham band :3. You just need to have another radio running on the same band as your base station's downlink transmitting your call sign every 10 min in CW or RTTY. I'm using my Yard Stick One for that task. One limitation about using YateBTS is that any device that connects to the network will only exist in that network unless you configure outgoing SIP. When you connect to the base station your phone will be assigned a new phone number and will only be able to communicate with other devices on the network. Another downside about using a SIP service is that all outgoing calls will have a different phone number, which makes call backs difficult.


For my transceiver I'm using a BladeRF x115. I love this thing, no complaints, it's been working like a dream! You can do the same with a USRP or LimeSDR (when they come out), you just need something that's full duplex. Below is the tutorial I used to install all the software needed to run the BladeRF.

https://github.com/Nuand/bladeRF/wiki/Getting-Started%3A-Linux

Installing Yate and YateBTS: I used the tutorial provided by Nuand (the company that makes the BladeRF).

https://github.com/Nuand/bladeRF/wiki/Setting-up-Yate-and-YateBTS-with-the-bladeRF

Last but not least, I used this tutorial to learn about the use and configuration of YateBTS. You have a choice between using a web UI or giving it commands through telnet. It also explains how to route your Internet traffic through YateBTS so your connected device will have GPRS capabilities. Kinda sad but I got more satisfaction browsing the Internet through my own personal 3g network than seeing the web through fiber :/.

https://blog.strcpy.info/2016/04/21/building-a-portable-gsm-bts-using-bladerf-raspberry-and-yatebts-the-definitive-guide/

Future plans.

  • Find a SIP service so I can make phone calls and text messages outside of the local network.
  • Route the original phone numbers through SIP
  • Create personal SIM cards for my own network
  • ?????
  • Hack the Gibson

This is barely scratching the surface of GSM poking. If you have any advice or questions about making a base station please let me know.

Bonus points! Here's a paper about GSM surveillance that goes into greater detail about IMSI-catchers and using YateBTS to accomplish this.

https://homepages.staff.os3.nl/~delaat/rp/2015-2016/p86/report.pdf

Edited by NotPike
added photos

Here's a quick and dirty Python script I'm using to transmit my call sign over the Yard Stick One. I'm using MOD_ASK_OOK modulation to transmit Morse code in binary. Kind of a redundant way to explain it, being that Morse code is binary lol. Basically a dash is interpreted as 011 and a dot will be seen as 01. See the example below.

   K        K           1              2             3           4
  -.-      -.-        .----          ..---         ...--       ....-
01101011 01101011 01011011011011 0101011011011 010101011011 01010101011

Old school tech but it works. Here's a converter if you want to find out what your call sign is in Morse code: https://cryptii.com/morsecode/binary

#!/usr/bin/python2.7

from rflib import *
import time

print("What Freq do you want to TX on? Ex. 925.2e6")
freq = float(raw_input("Freq: "))
print("Time in between transmissions in sec? Ex. 600 = 10min")
sec = int(raw_input("Time: "))

# Binary Morse of KK1234: dash = 011, dot = 01, spaces separate characters
MORSE_BITS = "01101011 01101011 01011011011011 0101011011011 010101011011 01010101011"

def to_bytes(bits):
    # RFxmit sends raw bytes, so pack the bit string instead of sending the
    # ASCII text "0"/"1". A space becomes a "00" gap between characters and
    # the tail is padded with zeros (key up) to fill the last byte.
    raw = bits.replace(" ", "00")
    raw += "0" * (-len(raw) % 8)
    return "".join(chr(int(raw[i:i + 8], 2)) for i in range(0, len(raw), 8))

def callsign(f, t):
    d = RfCat()
    d.setFreq(f)
    d.setMdmModulation(MOD_ASK_OOK)
    d.setMdmDRate(250)
    d.setMdmSyncMode(SYNCM_NONE)  # raw OOK: no preamble or sync word in front of the bits
    d.setMaxPower()
    payload = to_bytes(MORSE_BITS)
    d.makePktFLEN(len(payload))   # fixed packet length matching the payload

    while True:
        print("Transmitting callsign on " + str(f) + "Hz")
        d.RFxmit(payload)
        print("Hit Ctrl-C to stop")

        for i in range(t):  # Timer
            time.sleep(1)

callsign(freq, sec)

Edited by NotPike
I goofed on the Morse code
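As an added example (not from the post or from NotPike's script): this generates the dash = 011 / dot = 01 bit pattern described above for any call sign and packs it into the raw bytes an OOK transmitter actually sends, so the hard-coded KK1234 string can be checked against the table or swapped for another call sign. No radio library is involved; handing the bytes to rflib's RFxmit() is left to the reader, and the Morse table and helper names are mine.

```python
# Added example, not part of the original post: text -> Morse -> OOK bits
# using the post's scheme (dot = "01", dash = "011"), then -> raw bytes.

MORSE = {
    'A': '.-',    'B': '-...',  'C': '-.-.',  'D': '-..',   'E': '.',
    'F': '..-.',  'G': '--.',   'H': '....',  'I': '..',    'J': '.---',
    'K': '-.-',   'L': '.-..',  'M': '--',    'N': '-.',    'O': '---',
    'P': '.--.',  'Q': '--.-',  'R': '.-.',   'S': '...',   'T': '-',
    'U': '..-',   'V': '...-',  'W': '.--',   'X': '-..-',  'Y': '-.--',
    'Z': '--..',
    '0': '-----', '1': '.----', '2': '..---', '3': '...--', '4': '....-',
    '5': '.....', '6': '-....', '7': '--...', '8': '---..', '9': '----.',
}

# The leading 0 of each element is the one-unit gap before the key goes down.
ELEMENT = {'.': '01', '-': '011'}

def char_bits(ch):
    """One Morse character as an OOK bit string, e.g. 'K' -> '01101011'."""
    return ''.join(ELEMENT[e] for e in MORSE[ch.upper()])

def callsign_bits(text):
    """Whole call sign, characters separated by a space exactly like the
    table in the post (unknown characters are skipped)."""
    return ' '.join(char_bits(c) for c in text if c.upper() in MORSE)

def unit_ms(data_rate_baud):
    """Duration of one bit (one Morse unit) at the modem data rate passed to
    setMdmDRate(); 250 baud gives 4 ms per unit."""
    return 1000.0 / data_rate_baud

def pack_ook(bits):
    """Turn the bit string into bytes for a raw-OOK transmit. A space becomes
    a two-unit gap ('00'); with the next element's leading 0 that yields the
    three-unit inter-character gap Morse calls for. The tail is padded with
    zeros (key up) so the last byte is complete."""
    raw = bits.replace(' ', '00')
    raw += '0' * (-len(raw) % 8)
    return bytes(bytearray(int(raw[i:i + 8], 2) for i in range(0, len(raw), 8)))
```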
On 10/6/2016 at 11:52 AM, §@₪ↁɱ@₪ said:

Love me some radio waves too! Very nice tutorial!

:3


Edited by NotPike


NotPike,

Thanks a lot for this interesting post.

Can you please explain what the idea is of using the transmission with the Yard Stick One? Is it just to make sure that there is no interference? Does it matter if the base station is encrypted or not for the interference?

" Another advantage of configuring a base station to be unencrypted is that it keeps it legal for hams to broadcast on the 900mhz HAM band :3. You just need to have another radio running on the same band as your base station's down link transmitting your call sign every 10 min in CW or RTTY. I'm using my Yard Stick One for that task."

Thx

On 4/14/2017 at 7:37 AM, ranchu said:

NotPike,

Thanks a lot for this interesting post.

Can you please explain what the idea is of using the transmission with the Yard Stick One? Is it just to make sure that there is no interference? Does it matter if the base station is encrypted or not for the interference?

" Another advantage of configuring a base station to be unencrypted is that it keeps it legal for hams to broadcast on the 900mhz HAM band :3. You just need to have another radio running on the same band as your base station's down link transmitting your call sign every 10 min in CW or RTTY. I'm using my Yard Stick One for that task."

Thx

The YSO is transmitting my FCC ID in the background just to keep this little operation legal. Also, making it encrypted would be violating my ham license.
