Friday, March 21, 2014

OsmocomBB+OpenBTS+GSM={Calypso Chipset/Motorola C123} *USB+2.5mm Jack

BTS------------Base Transiever Station
GSM-----------Global System for Mobile Communications, originally Group Spécial Mobile
OsmocomBB---Firmware to run in our Calypso Based Device (Motorola C123)
USB to 2.5mm Jack cable (I will show you how to make this)


  • What I am doing.
  • What are my objectives.
  • Why the above equipment.
  • Why am I doing this.
  • What do I get out of this.


What I am doing

I will be creating a BTS with the cheapest hardware equipment available to do this.

What are my objectives

Read above and then think of what a BTS can do.

Why the above Equipment

  • Ummmm coz its really cheap (the equipment)
  • Coz I want a BTS really bad (the things you can exploit research with this)
  • Coz testing IPV4/IPV6/TCP..... is too overrated and and everyone is doing it... who will do GSM

Why am I doing this (now am just repeating myself)

What do I get out of this

Everything and Nothing ----> yes its every bit of knowledge till where i stop and its nothing since I know Telcos will probably ignore my rant :(

..... ok lets get rolling.

REQUIREMENTS:
Hardware: 
  1. PC
  2. Calypso Chipset Supported Device (Motorola c113,c115,118.....)
  3. USB to 2.5mm Jack cable
Software:
  1. *nix Based OS
  2. OsmocomBB
  3. OpenBTS

STEPS
  1. Install OpenBTS (and Asterisk)
  2. Install OsmocomBB
  3. Configure Everything
  4. Create USB -2.5 mm Jack* am not going to go into this.... its a pain i dont want to remember  (not that its very hard ... its just i burnt a finger and probably someones house while at it)
  5. Test
  6. and......play



  1. Install OpenBTS (and Asterisk)

Well this has so many ways to do this, from compiling the source and if you have Ubuntu 12.04 (I did this also on  7.3 (wheezy) 64-bit) x86-64 architecture as your OS Debian packages exist to do this , you need also to install this as a first:

autoconf
libtool
libosip2
libortp
libusb-1.0
g++
sqlite3
libsqlite3-dev (sipauthserve only)
libreadline6-dev
libncurses5-dev


sudo apt-get install autoconf libtool libosip2-dev libortp-dev libusb-1.0-0-dev g++ sqlite3 libsqlite3-dev erlang libreadline6-dev libncurses5-dev

Well after that the following downloaded packages need to be installed (N.B the packages you are about to install are specific for UHD ----USRP Hardware Driver---- devices)

sudo dpkg -i a53_1.0-1_amd64.deb
sudo dpkg -i openbts-public_3.2_amd64.deb
sudo dpkg -i smqueue-public_3.2_amd64.deb 
sudo dpkg -i sipauthserve-public_3.2_amd64.deb

Running OpenBTS

(from OpenBTS root)
cd /OpenBTS
sudo ./OpenBTS

You should see something like this..... well if you have your devices connected and configured


system ready
use the OpenBTSCLI utility to access CLI

And if you scan for GSM towers on your phone, you should see a 00101 (test) network. If you try to attach, it will reject you. This is because OpenBTS, by default, only allows registered handsets to connect. As we are not running our registration server (sipauthserve) no phones will camp. From here, we should look at a few OpenBTS configuration variables. Connect to OpenBTS with the OpenBTSCLI command:

(from OpenBTS root) 
cd /OpenBTS 
sudo ./OpenBTSCLI

Once you have OpenBTS up and running, you need to change the following configuration parameters in the database (/etc/OpenBTS/OpenBTS.db):

Control.GSMTAP.TargetIP = 127.0.0.1
GSM.Radio.NeedBSIC = 1
GSM.Radio.Band = 1800
GSM.CellSelection.Neighbors =           (set to empty string)
GSM.RACH.MaxRetrans = 3
GSM.RACH.TxInteger = 8
GSM.Radio.C0 = <your ARFCN (see note)>
Control.LUR.OpenRegistration = ^63905.*$   (note: in this example only IMSIs with MCC 639 and the MNC 05 will be allowed to register to the network, change that accordingly)
Warning: Only set GSM.Radio.C0 to an ARFCN you have a valid license for.

Installing OsmocomBB

this part is really fun but also very tricky especially if you don't have an arm cross compiler (this enables us to compile the arm code to firmwares for the software to be loaded in to the calypso based device read (Motorola C123)

so here is a good place to start :

am guessing you have done the necessary, many people ask me where the usb to 2.5 mm cable is available for purchase and i would say here

now that we have nearly everything done, play around with Osmocom if its your first time.... clearly if you need to know what it does i would suggest you go to my PDFs link and get more info on the 2G networks before doing anything past what you are doing.


Now.... this is how to work a BTS from the cheap device.....

P.S you need to do a filter replacement as such and in-case you destroy your board like i also did you will need to do... this look at photo





"When attempting this for the first try, I soldered / desoldered components a few times and ended up destroying the pads and traces so much that there was no way I could put the original filters or balun back on the PCB.

So in a last attempt to make the phone do something, I tried something a little unorthodox (actually proposed by h0rizon on IRC :). Instead of doing a proper unbalanced to balanced signal convesion, I just connected one of the RITA balanced line to the ground using a DC blocking cap. And then connected the other balanced line to the input via a capacitor as well. For DCS1800 you need to add a capacitor of your own, but for EGSM, there is a capacitor in the input SAW matching that does the trick so you only need a wire.

The quite dirty results is shown on the side. It's ugly but it actually works ... The signal is maybe distorded or a litte more noisy, that has yet to be determined. So if you screw up, you can always fall back to this :)

"
cited from http://246tnt.com/gsm/rx_filter.html



4 comments:

Ranjit Pillai(InDi3MInD) said...

Hi,
Great to see that openBTS can be implemented using motorola c123. I always thought that it required some UHD -- USRP device.
In the blog you are installing packages specific for UHD, why do you need that when no UHD is used? I also got the point that you used filter to make BTS out of a cheap device(here its motorola c123).

Unknown said...
This comment has been removed by the author.
Unknown said...

I thought that this wouldn't be possible, comparable to the way cable modems can't transmit on the downstream frequency used by other cable modems

peter said...

nice post

Post a Comment

Dynamic Binary Instrumentation (pt2)

Quick how to: After install of Frida on your machine, you will need to install your server agent on your (use case is phone) iphone/andro...