NotPike, posted July 12, 2016 (edited)

I'm going to dive down the rabbit hole and make my own personal base station using a BladeRF and YateBTS. Has anyone else tried doing this?

https://evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/ (Not a good tutorial)
http://yatebts.com/

Edited July 13, 2016 by NotPike: Replaced the video to DefCon's channel instead of wherever it was
NotPike, posted July 13, 2016 (Author, edited)

Ok! So here's what I found out so far.

Yate and YateBTS are a software implementation of a GSM/GPRS radio access network that has the capability to convert GSM traffic to VoIP.

GSM (Global System for Mobile Communications): in short, this is the technology being used to transmit and receive voice and text.

GPRS (General Packet Radio Service) is a packet-oriented mobile data service. This is how you get your Internet on a 2g or 3g cell network.

GSM and GPRS are legacy now due to LTE (Long-Term Evolution) becoming the standard for all cell phones. It's old tech but it's still supported by most if not all modern cell phones.

One advantage of GSM for the attacker is that you can set the base station to communicate everything in clear text. I like to think of this as being a downgrade attack, but TBH it was a struggle for me to make my cell authenticate with my base station. Seems like my phone preferred LTE over GSM, so go figure lol. I had to configure my phone manually to make it connect.

Another advantage of configuring a base station to be unencrypted is that it keeps it legal for hams to broadcast on the 900mhz HAM band :3. You just need to have another radio running on the same band as your base station's down link transmitting your call sign every 10 min in CW or RTTY. I'm using my Yard Stick One for that task.

One limitation about using YateBTS is that any device that connects to the network will only exist in that network unless you configure outgoing SIP. When you connect to the base station your phone will be assigned a new phone number and will only be able to communicate with other devices on the network. Another downside about using a SIP service is that all outgoing calls will have a different phone number, which makes call backs difficult.

For my transceiver I'm using a BladeRF X115. I love this thing, no complaints, it's been working like a dream!
You can do the same with a USRP or LimeSDR (when they come out); you just need something that's full duplex.

Below is a tutorial I used to install all the software needed to run the BladeRF.
https://github.com/Nuand/bladeRF/wiki/Getting-Started%3A-Linux

Installing Yate and YateBTS. I used the tutorial provided by Nuand (the company who makes the BladeRF):
https://github.com/Nuand/bladeRF/wiki/Setting-up-Yate-and-YateBTS-with-the-bladeRF

Last but not least, I used this tutorial to learn about the use and configuration of YateBTS. You have a choice of using a web UI or giving it commands through telnet. It also explains how to route your Internet traffic through YateBTS so your connected device will have GPRS capabilities. Kinda sad, but I got more satisfaction browsing the Internet through my own personal 3g network than seeing the web through fiber :/.
https://blog.strcpy.info/2016/04/21/building-a-portable-gsm-bts-using-bladerf-raspberry-and-yatebts-the-definitive-guide/

Future plans:
- Find a SIP service so I can make phone calls and text messages outside of the local network.
- Route the original phone numbers through SIP
- Create personal SIM cards for my own network
- ?????
- Hack the Gibson

This is barely scratching the surface of GSM poking. If you have any advice or questions about making a base station please let me know.

Bonus points! Here's a paper about GSM surveillance that goes into greater detail about IMSI-catchers and using YateBTS to accomplish this.
https://homepages.staff.os3.nl/~delaat/rp/2015-2016/p86/report.pdf

Edited July 13, 2016 by NotPike: added photos
NotPike, posted July 13, 2016 (Author, edited)

Here's a quick and dirty Python script I'm using to transmit my call sign over the Yard Stick One. I'm using MOD_ASK_OOK modulation to transmit Morse code in binary. Kinda a redundant way to explain it, being that Morse code is binary lol. Basically a dash is interpreted as 011 and a dot will be seen as 01. See the example below.

    K  -.-    01101011
    K  -.-    01101011
    1  .----  01011011011011
    2  ..---  0101011011011
    3  ...--  010101011011
    4  ....-  01010101011

Old school tech but it works. Here's a converter if you want to find out what your call sign is in Morse code: https://cryptii.com/morsecode/binary

```python
#!/usr/bin/python2.7
from rflib import *
import time

print("What Freq do you want to TX on? Ex. 925.2e6")
freq = float(raw_input("Freq: "))   # raw_input + float instead of input(), which eval()s whatever is typed
print("Time inbetween transmissions in sec? Ex. 600 = 10min")
sec = int(raw_input("Time: "))

# Binary Morse of KK1234 (dash = 011, dot = 01), one group per character
CALLSIGN_BITS = "01101011 01101011 01011011011011 0101011011011 010101011011 01010101011"

def pack_bits(bits):
    # RFxmit sends raw bytes, so pack the 0/1 pattern MSB-first instead of
    # sending the ASCII characters "0" and "1"; a space between letters becomes
    # a "00" gap of silence and the tail is padded to a whole byte
    bits = bits.replace(" ", "00")
    bits += "0" * (-len(bits) % 8)
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))

def callsign(f, t):
    d = RfCat()
    d.setFreq(f)
    d.setMdmModulation(MOD_ASK_OOK)
    d.setMdmDRate(250)
    d.setMaxPower()
    payload = pack_bits(CALLSIGN_BITS)
    while True:
        print("Transmitting callsign on " + str(f) + "Hz")
        d.RFxmit(payload)
        print("Hit Ctl-C to stop")
        for i in range(t):  # Timer: wait t seconds before the next ID
            time.sleep(1)

callsign(freq, sec)
```

Edited July 13, 2016 by NotPike: I goofed on the Morse code
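As an added example (not part of NotPike's post or script), here is a general encoder and decoder for the dot = 01 / dash = 011 scheme described above, so any call sign can be turned into the same kind of bit pattern and checked for correctness before it goes on air; the Morse table and the function names are my own.

```python
# Added example: generic encoder/decoder for the post's dot=01 / dash=011 OOK scheme.
MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
    "/": "-..-.",  # common in portable/mobile call sign suffixes
}
# The post's scheme: one unit of silence, then one (dot) or two (dash) units of carrier.
ELEMENT = {".": "01", "-": "011"}


def encode_callsign(text):
    """Return the space-separated binary pattern for a call sign, one group per character.

    Raises KeyError for characters the Morse table above does not cover.
    """
    groups = []
    for ch in text.upper():
        if ch == " ":
            continue
        groups.append("".join(ELEMENT[sym] for sym in MORSE[ch]))
    return " ".join(groups)


def decode_pattern(pattern):
    """Reverse the scheme so a pattern can be verified before it is transmitted.

    The encoding is prefix-free: a dot (01) is always followed by a 0, so three
    consecutive characters '011' can only ever be a dash.
    """
    reverse = {code: ch for ch, code in MORSE.items()}
    out = []
    for group in pattern.split():
        symbols, i = "", 0
        while i < len(group):
            if group.startswith("011", i):
                symbols, i = symbols + "-", i + 3
            elif group.startswith("01", i):
                symbols, i = symbols + ".", i + 2
            else:
                raise ValueError("not a dot/dash element at offset %d of %r" % (i, group))
        out.append(reverse[symbols])
    return "".join(out)
```

Running encode_callsign("KK1234") reproduces the six groups listed in the table above, and decode_pattern turns them back into "KK1234".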
NotPike, posted September 4, 2016 (Author)

On 8/31/2016 at 0:02 PM, Ret0n said:
> Awesome job and write up!

Thanks! I hope to do more soon.
§@₪ↁɱ@₪, posted October 6, 2016

Love me some radio waves too! Very nice tutorial!
NotPike, posted October 12, 2016 (Author, edited)

On 10/6/2016 at 11:52 AM, §@₪ↁɱ@₪ said:
> Love me some radio waves too! Very nice tutorial!

:3

Edited October 12, 2016 by NotPike
ranchu, posted April 14, 2017

NotPike,

Thanks a lot for this interesting post. Can you please explain what the idea is of using the transmission with the Yard Stick One? Is it just to make sure that there is no interference? Does it matter if the base station is encrypted or not for the interference?

> "Another advantage of configuring a base station to be unencrypted is that it keeps it legal for hams to broadcast on the 900mhz HAM band :3. You just need to have another radio running on the same band as your base station's down link transmitting your call sign every 10 min in CW or RTTY. I'm using my Yard Stick One for that task."

Thx
NotPike, posted April 22, 2017 (Author)

On 4/14/2017 at 7:37 AM, ranchu said:
> NotPike,
>
> Thanks a lot for this interesting post. Can you please explain what the idea is of using the transmission with the Yard Stick One? Is it just to make sure that there is no interference? Does it matter if the base station is encrypted or not for the interference?
>
> "Another advantage of configuring a base station to be unencrypted is that it keeps it legal for hams to broadcast on the 900mhz HAM band :3. You just need to have another radio running on the same band as your base station's down link transmitting your call sign every 10 min in CW or RTTY. I'm using my Yard Stick One for that task."
>
> Thx

The YSO is transmitting my FCC ID in the background just to keep this little operation legal. Also, making it encrypted would be violating my ham license.