Jump to content

Recommended Posts

I'm going to dive down the rabbit hole and make my own personal base station using a BladeRF and YatesBTS. Has anyone else tried doing this?

https://evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/  (Not a good Tutorial)

http://yatebts.com/

Edited by NotPike
Replaced the video to DefCon's channel instead of where ever it was
Link to post
Share on other sites

Ok! So here's what I found out so far.

Yate and YateBTS is a software implementation of a GSM/GPRS radio access network that has the capability to convert GSM traffic to VoIP.

  • GSM (Global System for Mobile Communications) in short this is the technology being used to transmit and receive voice and text.
  • GPRS (General Packet Radio Service) is a packet oriented mobile data service. This is how you get your Internet on a 2g or 3g cell network.

GSM and GPRS are legacy now due to LTE (Long-Term Evelution) becoming the slandered for all cell phones. It's old tech but it's still supported by most if not all modern cell phones. One advantage to GSM is for the attacker is how you can set the base station to communicate everything in clear text. I like to think of this as being downgrade attack but TBH it was a struggle for me to make my cell authenticate with my base station. Seams like my phone preferred LTE over GSM so go figure lol. I had to configure my phone manually to make it connect. Another advantage of configuring a base station to be unencrypted is that it keeps it legal for hams to broadcast on the 900mhz HAM band :3. You just need to have another radio running on the same band as your base station's down link transmitting your call sign every 10 min in CW or RTTY. I'm using my Yard Stick One for that task. One limitation about using YateBTS is that any device that connects to the network will only exist in that network unless you configure outgoing SIP. When you connect to the base station your phone will be assigned a new phone number and will only be able to communicate with other devices on the network. Another downside about using a SIP service is that all outgoing calls will have a different phone number which makes call backs difficult.

20160713_051948_zpsi6br8kiz.jpg

For my transceiver I'm using a BladeRF X115. I love this thing, no complaints, it's been working like a dream! You can do the same with a USRP or LimeSDR(when they come out), you just need something that's full duplex.  Below is a tutorial I used to install all the software needed to run the BladeRF.

https://github.com/Nuand/bladeRF/wiki/Getting-Started%3A-Linux

 

Installing Yate and YateBTS. I used the tutorial provided by Nuand (the company who makes the BladeRF)

https://github.com/Nuand/bladeRF/wiki/Setting-up-Yate-and-YateBTS-with-the-bladeRF

 

Last but not least I used this tutorial to learn about the use and configuration of YateBTS. You have a choice in using a web UI or giving it commands threw telnet. It also explains how to route your Internet traffic threw YateBTS so your connected device will have GPRS capabilities. Kinda sad but I got more satisfaction browsing the Internet threw my own personal 3g network then seeing the web threw fiber :/.

https://blog.strcpy.info/2016/04/21/building-a-portable-gsm-bts-using-bladerf-raspberry-and-yatebts-the-definitive-guide/

 

Future plans.

  • Find a SIP service so I can make phone calls and text messages outside of the local network.
  • Route the original phone numbers threw SIP
  • Create personal SIM cards for my own network
  • ?????
  • Hack the Gibson

 

This is barely scratching the surface of GSM poking. If you have any advice or questions about making a base station please let me know.

 

Bonus points! Here's a paper about GSM surveillance that goes into grater detail about MSI-catcher's and using YateBTS to accomplish this.

https://homepages.staff.os3.nl/~delaat/rp/2015-2016/p86/report.pdf

 

 

Edited by NotPike
added photos
Link to post
Share on other sites

Here's a quick and dirty python script I'm using with to transmit a my call sign over the Yard Stick One. I'm using MOD_ASK_OOK modulation to transmit in Morse code in binary. Kinda a redundant way to explain it being that Morse code is binary lol. Basically a dash is interpreted as  011 and a dot will be seen as 01. See the example below.

   K        K           1              2             3           4
  -.-      -.-        .----          ..---         ...--       ....-
01101011 01101011 01011011011011 0101011011011 010101011011 01010101011

Old school tech but it works. Here's a converter if you want to find out what your call sign is in Morse code https://cryptii.com/morsecode/binary

 

#!/usr/bin/python2.7

from rflib import *
import time

print("What Freq do you want to TX on? Ex. 925.2e6")
freq = input("Freq: ")
print("Time inbetween transmissions in sec? Ex. 600 = 10min")
sec = input("Time: ")

def callsign(f,t):
    d = RfCat()
    d.setFreq(f)
    d.setMdmModulation(MOD_ASK_OOK)
    d.setMdmDRate(250)
    d.setMaxPower()

    while True:
        print("Transmitting callsign on "+str(f)+"Hz")  
        d.RFxmit("01101011 01101011 01011011011011 0101011011011 010101011011 01010101011") #binary morce of KK1234
        print("Hit Ctl-C to stop")

        for i in range(t): #Timer
            time.sleep(1)

callsign(freq,sec)

 

Edited by NotPike
I goofed on the morce code
Link to post
Share on other sites
  • 1 month later...
  • 1 month later...
  • 6 months later...

NotPike,

Thanks a lot for this interesting post.

Can you please explain what the idea of using the transmission with Yard Stick One? Is it just to make sure that there is no interference ? Does it matter if the base station is encrypted or not for the ineterferece ?

" Another advantage of configuring a base station to be unencrypted is that it keeps it legal for hams to broadcast on the 900mhz HAM band :3. You just need to have another radio running on the same band as your base station's down link transmitting your call sign every 10 min in CW or RTTY. I'm using my Yard Stick One for that task."

Thx

Link to post
Share on other sites
  • 2 weeks later...
On 4/14/2017 at 7:37 AM, ranchu said:

NotPike,

Thanks a lot for this interesting post.

Can you please explain what the idea of using the transmission with Yard Stick One? Is it just to make sure that there is no interference ? Does it matter if the base station is encrypted or not for the ineterferece ?

" Another advantage of configuring a base station to be unencrypted is that it keeps it legal for hams to broadcast on the 900mhz HAM band :3. You just need to have another radio running on the same band as your base station's down link transmitting your call sign every 10 min in CW or RTTY. I'm using my Yard Stick One for that task."

Thx

 

The YSO transmitting my FCC ID in the background just to keep this little operation legal. Also making it encrypted will be violating my ham license.  

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...