A Rogue BTS can be very useful, here I will show you how to install one and how to configure your our network for security research.

First let’s update our system, I will be using a Debian Buster for RPI3 with 1G of RAM and a BladeRF xA9.

Table of Contents

Rogue BTS
Rogue BTS

Step 1 – Requirements

Build your own rogue GSM

Pack ListPriceLink
RPI3 – 1 GB RAM100€
RPI4 Case30€
BladeRF xA9780€
BladeRF Case20€
BladeRF Antennas4 x 25€
Power Supply35€
SD Card 128GB20€
USB SIM Card Reader45€
Blank SIM Cards50€
GSM phone Unlocked
Power Bank 28000 mAmp40€
[Free] Rogue BTS: What you need to know
[email protected]:~ $ sudo su
[email protected]:/root# apt-get -y update && apt-get -y upgrade
[email protected]:~ $ uname -a
Linux offensive-wireless 5.10.103-v7+ #1529 SMP Tue Mar 8 12:21:37 GMT 2022 armv7l GNU/Linux

Step 2 – Configure Blade RF for Yate

In order to install all necessary dependencies we need to add the bladerf repository in our system, as root run the following commands:

Now it’s time to install the necessary dependencies.

[email protected]:~ $ sudo apt-get install libusb-1.0-0-dev libusb-1.0-0 build-essential cmake libncurses5-dev libtecla1 libtecla-dev pkg-config git wget doxygen help2man pandoc python-setuptools python-dev swig libccid pcscd pcsc-tools python-pyscard libpcsclite1 unzip firefox-esr xserver-xorg lightdm xfce4 automake matchbox-keyboard iptables-persistent
[email protected]:~ $ sudo apt install libbladerf-dev

Clone the git hub bladerf repo into our system and go inside the respective folder.

[email protected]:~ $ git clone https://github.com/Nuand/bladeRF.git
[email protected]:~ $ cd bladeRF

Validate libusb and libusb-dev versions installed

Remember to validate this or you will have a lot of problems using BladeRF.

[email protected]:~/bladeRF $ dpkg -s libusb-1.0-0 libusb-1.0-0-dev
[Free] Rogue BTS: What you need to know
[email protected]:~/bladeRF $ cd host/
[email protected]:~/bladeRF/host $ mkdir build
[email protected]:~/bladeRF/host/build $ cd build
[email protected]:~/bladeRF/host/build $ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local -DINSTALL_UDEV_RULES=ON ../
[email protected]:~/bladeRF/host/build $ sudo addgroup bladerf
[email protected]:~/bladeRF/host/build $ sudo usermod -a -G bladerf rfs
[email protected]:~/bladeRF/host/build $ make && sudo make install && sudo ldconfig
[email protected]:~$ bladeRF-cli
[Free] Rogue BTS: What you need to know

Connected the BladeRF device into raspberry and verify if is working:

[email protected]:~/bladeRF/host/build $ bladeRF-cli -p
    Backend:        libusb
    Serial:         f12ce1037830a1b27f3ceeba1f521413
    USB Bus:        4
    USB Address:    8
[email protected]:~/bladeRF/host/build $ bladeRF-cli -i

bladeRF> help

... (Help text shown here ) ...

bladeRF> info

  Serial #:                 f12ce1037830a1b27f3ceeba1f521413                          
  VCTCXO DAC calibration:   0x894e
  FPGA size:                40 KLE
  FPGA loaded:              no
  USB bus:                  2
  USB address:              3
  USB speed:                SuperSpeed
  Backend:                  libusb
  Instance:                 0

bladeRF> version
  bladeRF-cli version:        0.11.0-git-58c3ff4
  libbladeRF version:         0.16.1-git-58c3ff4

  Firmware version:           1.7.1-git-ca697ee
  FPGA version:               Unknown (FPGA not loaded)

Step 3 – Install a Rogue BTS for fun and profit

Before start installing the packages let’s create a group for yate and add our user to that group.

[email protected]:~ $ sudo addgroup yate
[email protected]:~ $ sudo usermod -a -G yate rfs

Create a new folder to store all BTS data

[email protected]:~ $ mkdir YateBTS
[email protected]:~ $ cd YateBTS

Download the packages from Nuand repo dedicated to BladeRF, this step is critical using this package is easy to setup BladeRF with YateBTS.

[email protected]:~/YateBTS $ wget https://nuand.com/downloads/yate-rc-3.tar.gz

Decompress the file into our new folder:

[email protected]:~/YateBTS $ tar xvf yate-rc-3.tar.gz

How to Install Yate

[email protected]:~/YateBTS $ sudo mv yate /usr/src
[email protected]:~/YateBTS $ sudo mv yatebts /usr/src
[email protected]:~/YateBTS $ sudo mv *.rbf /usr/share/nuand/bladeRF 
[email protected]:~/YateBTS $ cd /usr/src/yate
[email protected]:~/usr/src/yate $ ./autogen.sh
[email protected]:~/usr/src/yate $ ./configure --prefix=/usr/local
[email protected]:~/usr/src/yate $ make
[email protected]:~/usr/src/yate $ sudo make install
[email protected]:~/usr/src/yate $ sudo make install-noapi
[email protected]wireless:~/usr/src/yate $ sudo ldconfig
[email protected]:~/usr/src/yate $ cd ..

Install Yate BTS

[email protected]:~/usr/src/$ cd yatebts
[email protected]:~/usr/src/yatebts$ ./autogen.sh
[email protected]:~/usr/src/yatebts$ ./configure --prefix=/usr/local
[email protected]:~/usr/src/yatebts$ make
[email protected]:~/usr/src/yatebts$ sudo make install
[email protected]:~/usr/src/yatebts$ sudo ldconfig
[email protected]:~/usr/src/yatebts$ cd ..
[email protected]:~/usr/src/$ sudo mkdir -p /usr/share/nuand/bladeRF

Step 4 – Configuring YateBTS

[email protected]:~/usr/src/$ sudo touch /usr/local/etc/yate/snmp_data.conf /usr/local/etc/yate/tmsidata.conf

[email protected]:~/usr/src/$ sudo chown rfs:yate /usr/local/etc/yate/*.conf
[email protected]:~/usr/src/$ sudo chmod g+w /usr/local/etc/yate/*.conf
[email protected]:~/Downloads/YateBTS/yatebts$ bladeRF-cli -l /usr/src/Nuand/bladeRF/hostedxA9.rbf

If everything works its time to start our BTS

[email protected]:~/Downloads/YateBTS/yatebts$ yate -v
[email protected]:~/Downloads/YateBTS/yatebts$ telnet localhost 5038
[Free] Rogue BTS: What you need to know

Setup Network In a Box – NIB

[email protected]:~/ $ sudo apt-get install -y apache2 php libusb-1.0-0 libusb-1.0-0-d* libusb-1.0-0-dev libgsm1 libgsm1-dev
[email protected]:~/PySIM/pysim $ cd /var/www/html
[email protected]:/var/www/html $ sudo ln -s /usr/local/share/yate/nipc_web nipc
[email protected]:/var/www/html $ sudo chmod -R a+w /usr/local/share/yate
[Free] Rogue BTS: What you need to know
[Free] Rogue BTS: What you need to know 14
sudo vi /etc/systemd/system/yate.service
Description=RFS Yate BTS

ExecStart=/usr/local/bin/yate -s

[email protected]:/usr/bin/pysim $ sudo systemctl start yate
[email protected]:/usr/bin/pysim $ sudo systemctl enable yate

Step 5 – Provisioning SIM Cards

In order to

How to Install PySIM

 [email protected]:~/YateBTS $ sudo apt-get install libpcsclite-dev
[Free] Rogue BTS: What you need to know
[email protected]:~ $ mkdir PySIM
[email protected]:~ $ cd PySIM/
[email protected]:~/PySIM $ git clone git://git.osmocom.org/pysim.git
[email protected]:~/PySIM $ sudo apt-get install python3-pyscard python3-serial python3-pip python3-yaml
[email protected]:~/PySIM/pysim $ pip3 install -r requirements.txt

How to Configure a Magic SIM

[email protected]:~/PySIM/pysim $ ./pySim-read.py -d /dev/ttyUSB0
[Free] Rogue BTS: What you need to know
[email protected]:~/PySIM/pysim $ ./pySim-prog.py -d /dev/ttyUSB0 -n RFS -x 268 -y 07 -i 901990000000018 -s 8988211110000110000 -o 398198093111279FB1FC74BE07059FEF -k 1D8B2562B772549F20D0F42003EAA6FA
[Free] Rogue BTS: What you need to know
[email protected]:~/PySIM $ sudo cp -R pysim/ /usr/src/
[email protected]:~/PySIM $ cd /usr/local/bin
[email protected]:/usr/local/bin $ sudo ln -s /usr/src/pysim/pySim-prog.py pySim-prog.py
[email protected]:/usr/local/bin $ sudo vi /usr/local/share/yate/nipc_web/config.php
$pysim_path = "/usr/bin/pysim";
[Free] Rogue BTS: What you need to know

[Free] Rogue BTS: What you need to know

[email protected]:~/PySIM/pysim $ sudo systemctl daemon-reload
[email protected]:~/PySIM/pysim $ sudo systemctl restart yate
[email protected]:~/PySIM/pysim $ sudo systemctl status yate

bladeRF 2.0 micro xA9

After all done you can start capture GSM signals from our BTS using a RTL-SDR.

My next article will be about systems and methods for identifying rogue base stations, for now you can check my other article about ZigBee Sniffing.

Categorized in: