A rogue BTS can be beneficial; here I will show you how to install one and how to configure your network for security research.
First, let's update our system. I will use Debian Buster on a Raspberry Pi 3 with 1 GB of RAM and a BladeRF xA9.
![[Free] How to Install a Rogue BTS: What you need to know 2 Rogue BTS](http://offensive-wireless.com/wp-content/uploads/2022/06/Hacking-GSM-1024x256.png)
Step 1 – Requirements
Build your own rogue GSM
| Pack List | Price | Link |
|---|---|---|
| RPI3 – 1 GB RAM | 100 | |
| RPI4 Case | 30 | |
| BladeRF xA9 | 780 | |
| BladeRF Case | 20 | |
| BladeRF Antennas | 4 x 25 | |
| Power Supply | 35 | |
| SD Card 128GB | 20 | |
| USB SIM Card Reader | 45 | |
| Blank SIM Cards | 50 | |
| GSM phone, unlocked | | |
| Power Bank 28000 mAh | 40 | |
![[Free] How to Install a Rogue BTS: What you need to know 3 Rogue BTS](http://offensive-wireless.com/wp-content/uploads/2022/06/image-23.png)
```
rfs@offensive-wireless:~ $ sudo su
root@offensive-wireless:/root# apt -y update && apt-get -y upgrade
rfs@offensive-wireless:~ $ uname -a
Linux offensive-wireless 5.10.103-v7+ #1529 SMP Tue Mar 8 12:21:37 GMT 2022 armv7l GNU/Linux
```
Step 2 – Configure BladeRF for Yate
In order to install all the necessary dependencies we need to add the BladeRF repository to our system; as root, run the following commands.
Now it's time to install the necessary dependencies.
```
rfs@offensive-wireless:~ $ sudo apt -y install libusb-1.0-0-dev libusb-1.0-0 \
    build-essential cmake libncurses5-dev libtecla1 libtecla-dev pkg-config git wget doxygen help2man pandoc \
    python-setuptools python-dev-is-python2 swig libccid pcscd pcsc-tools python3-pyscard libpcsclite1 unzip \
    xserver-xorg lightdm xfce4 automake matchbox-keyboard iptables-persistent libcurl4-openssl-dev
rfs@yatebts:~ $ sudo apt install libbladerf-dev
```
Clone the GitHub bladeRF repository into our system and go into its folder.
```
rfs@yatebts:~ $ git clone https://github.com/Nuand/bladeRF.git
rfs@yatebts:~ $ cd bladeRF
```
Validate the libusb and libusb-dev versions installed
Remember to validate this or you will have a lot of problems using BladeRF.
```
rfs@offensive-wireless:~/bladeRF $ dpkg -s libusb-1.0-0 libusb-1.0-0-dev
```
![[Free] How to Install a Rogue BTS: What you need to know 4 Rogue BTS](http://offensive-wireless.com/wp-content/uploads/2022/06/image-24.png)
```
rfs@offensive-wireless:~/bladeRF $ cd host/
rfs@offensive-wireless:~/bladeRF/host $ mkdir build
rfs@offensive-wireless:~/bladeRF/host $ cd build
rfs@offensive-wireless:~/bladeRF/host/build $ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local -DINSTALL_UDEV_RULES=ON ../
rfs@offensive-wireless:~/bladeRF/host/build $ sudo addgroup bladerf
rfs@offensive-wireless:~/bladeRF/host/build $ sudo usermod -a -G bladerf rfs
rfs@offensive-wireless:~/bladeRF/host/build $ make && sudo make install && sudo ldconfig
rfs@offensive-wireless:~ $ bladeRF-cli
```
![[Free] How to Install a Rogue BTS: What you need to know 5 bladeRF-cli](http://offensive-wireless.com/wp-content/uploads/2022/06/image-25.png)
![[Free] How to Install a Rogue BTS: What you need to know 6 Rogue BTS](http://offensive-wireless.com/wp-content/uploads/2022/06/image-26.png)
Connect the BladeRF to the Raspberry Pi and verify that it is detected and working:
```
rfs@yatebts:~/bladeRF/host/build $ bladeRF-cli -p
Backend: libusb
Serial: f12ce1037830a1b27f3ceeba1f521413
USB Bus: 4
USB Address: 8
rfs@yatebts:~/bladeRF/host/build $ bladeRF-cli -i
bladeRF> help
... (Help text shown here ) ...
bladeRF> info
Serial #: f12ce1037830a1b27f3ceeba1f521413
VCTCXO DAC calibration: 0x894e
FPGA size: 40 KLE
FPGA loaded: no
USB bus: 2
USB address: 3
USB speed: SuperSpeed
Backend: libusb
Instance: 0
bladeRF> version
bladeRF-cli version: 0.11.0-git-58c3ff4
libbladeRF version: 0.16.1-git-58c3ff4
Firmware version: 1.7.1-git-ca697ee
FPGA version: Unknown (FPGA not loaded)
```
Step 3 – Install a Rogue BTS for fun and profit
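Before starting on Step 3 it is worth scripting the two checks Step 2 asks for: that libusb-1.0-0 and libusb-1.0-0-dev are installed at the same version, and that the `info` output of bladeRF-cli reports the FPGA as loaded. The script below is an added example, not code from the article or from Nuand's tooling. It parses the text that `dpkg -s` and the bladeRF-cli `info` command print; the two captured outputs embedded in it are constructed samples (with a deliberate version mismatch), and the `--live` flag belongs to this script, not to bladeRF-cli.

```python
"""Preflight check for the BladeRF host before building Yate (added example).

Parses the output of `dpkg -s libusb-1.0-0 libusb-1.0-0-dev` and of the
bladeRF-cli `info` command and reports the conditions that make the later
steps fail: a runtime/dev libusb version mismatch, a missing package, or an
FPGA image that has not been loaded yet.
"""
import re
import subprocess
import sys

# Constructed sample of `dpkg -s` output, with a deliberate version mismatch.
SAMPLE_DPKG = """\
Package: libusb-1.0-0
Status: install ok installed
Version: 2:1.0.23-2
Architecture: armhf
Description: userspace USB programming library
 Library for programming USB applications without the knowledge
 of Linux kernel internals.

Package: libusb-1.0-0-dev
Status: install ok installed
Version: 2:1.0.24-3
Architecture: armhf
"""

# Constructed sample of the bladeRF-cli `info` output, before `bladeRF-cli -l` was run.
SAMPLE_INFO = """\
  Serial #:                 0123456789abcdef0123456789abcdef
  VCTCXO DAC calibration:   0x894e
  FPGA size:                40 KLE
  FPGA loaded:              no
  USB bus:                  2
  USB address:              3
  USB speed:                SuperSpeed
  Backend:                  libusb
  Instance:                 0
"""

LIBUSB_PKGS = ("libusb-1.0-0", "libusb-1.0-0-dev")


def parse_dpkg_status(text):
    """Map package name -> version from `dpkg -s` output: one stanza per package,
    stanzas separated by a blank line, continuation lines start with whitespace."""
    versions = {}
    for stanza in re.split(r"\n[ \t]*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields and "Version" in fields:
            versions[fields["Package"]] = fields["Version"]
    return versions


def parse_bladerf_info(text):
    """Map field name -> value from the `info` output ("Field:   value" per line)."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return info


def preflight(dpkg_text, info_text):
    """Return a list of problems found; an empty list means the host is ready."""
    problems = []
    versions = parse_dpkg_status(dpkg_text)
    missing = [p for p in LIBUSB_PKGS if p not in versions]
    for pkg in missing:
        problems.append(f"{pkg} is not installed")
    if not missing and versions[LIBUSB_PKGS[0]] != versions[LIBUSB_PKGS[1]]:
        problems.append(
            f"libusb version mismatch: {LIBUSB_PKGS[0]} is {versions[LIBUSB_PKGS[0]]} "
            f"but {LIBUSB_PKGS[1]} is {versions[LIBUSB_PKGS[1]]}"
        )
    info = parse_bladerf_info(info_text)
    if info.get("FPGA loaded", "").lower() != "yes":
        problems.append("FPGA not loaded: run bladeRF-cli -l <image>.rbf before starting yate")
    return problems


def run_live():
    """Collect the two outputs from the real host (needs dpkg and bladeRF-cli on PATH).
    Assumes `bladeRF-cli -e info` prints the same fields as the interactive `info`."""
    dpkg = subprocess.run(["dpkg", "-s", *LIBUSB_PKGS], capture_output=True, text=True).stdout
    info = subprocess.run(["bladeRF-cli", "-e", "info"], capture_output=True, text=True).stdout
    return dpkg, info


if __name__ == "__main__":
    dpkg_text, info_text = run_live() if "--live" in sys.argv else (SAMPLE_DPKG, SAMPLE_INFO)
    found = preflight(dpkg_text, info_text)
    for p in found:
        print("PROBLEM:", p)
    print("ready" if not found else f"{len(found)} problem(s) found")
```

Run it without arguments to see the two sample problems reported; run it with `--live` on the Raspberry Pi after the `make install` above to check the real host. The version comparison is an exact string match on purpose: a dev package from a different upload than the runtime library is exactly the situation the article warns about.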
Before installing the packages, let's create a group for Yate and add our user to that group.
```
rfs@offensive-wireless:~ $ sudo addgroup yate
rfs@offensive-wireless:~ $ sudo usermod -a -G yate rfs
```
Create a new folder to store all the BTS data:
```
rfs@offensive-wireless:~ $ mkdir YateBTS
rfs@offensive-wireless:~ $ cd YateBTS
```
Download the package from the Nuand repository dedicated to BladeRF. This step is critical: with this package it is easy to set up BladeRF with YateBTS.
```
rfs@offensive-wireless:~/YateBTS $ wget https://nuand.com/downloads/yate-rc-3.tar.gz
```
Decompress the file into our new folder:
```
rfs@offensive-wireless:~/YateBTS $ tar xvf yate-rc-3.tar.gz
```
How to Install Yate
```
rfs@offensive-wireless:~/YateBTS $ sudo mv yate /usr/src
rfs@offensive-wireless:~/YateBTS $ sudo mv yatebts /usr/src
rfs@offensive-wireless:~/YateBTS $ sudo mkdir -p /usr/share/nuand/bladeRF
rfs@offensive-wireless:~/YateBTS $ sudo mv *.rbf /usr/share/nuand/bladeRF
rfs@offensive-wireless:~/YateBTS $ cd /usr/src/yate
rfs@offensive-wireless:/usr/src/yate $ ./autogen.sh
rfs@offensive-wireless:/usr/src/yate $ ./configure --prefix=/usr/local
rfs@offensive-wireless:/usr/src/yate $ make
rfs@offensive-wireless:/usr/src/yate $ sudo make install
rfs@offensive-wireless:/usr/src/yate $ sudo make install-noapi
rfs@offensive-wireless:/usr/src/yate $ sudo ldconfig
rfs@offensive-wireless:/usr/src/yate $ cd ..
```
Install YateBTS
```
rfs@offensive-wireless:/usr/src $ cd yatebts
rfs@offensive-wireless:/usr/src/yatebts $ ./autogen.sh
rfs@offensive-wireless:/usr/src/yatebts $ ./configure --prefix=/usr/local
rfs@offensive-wireless:/usr/src/yatebts $ make
rfs@offensive-wireless:/usr/src/yatebts $ sudo make install
rfs@offensive-wireless:/usr/src/yatebts $ sudo ldconfig
rfs@offensive-wireless:/usr/src/yatebts $ cd ..
rfs@offensive-wireless:/usr/src $ sudo mkdir -p /usr/share/nuand/bladeRF
```
Step 4 – Configuring YateBTS
Create the two data files Yate expects and give the yate group write access to the configuration; then load the FPGA image that was moved to /usr/share/nuand/bladeRF earlier:
```
rfs@offensive-wireless:/usr/src $ sudo touch /usr/local/etc/yate/snmp_data.conf /usr/local/etc/yate/tmsidata.conf
rfs@offensive-wireless:/usr/src $ sudo chown rfs:yate /usr/local/etc/yate/*.conf
rfs@offensive-wireless:/usr/src $ sudo chmod g+w /usr/local/etc/yate/*.conf
rfs@dell:~/Downloads/YateBTS/yatebts $ bladeRF-cli -l /usr/share/nuand/bladeRF/hostedxA9.rbf
```
If everything works, it is time to start our BTS and connect to its control console:
```
rfs@dell:~/Downloads/YateBTS/yatebts $ yate -v
rfs@dell:~/Downloads/YateBTS/yatebts $ telnet localhost 5038
```
![[Free] How to Install a Rogue BTS: What you need to know 7 Rogue BTS](http://offensive-wireless.com/wp-content/uploads/2022/06/image-8.png)
Setup Network In a Box – NIB
```
rfs@offensive-wireless:~ $ sudo apt-get install -y apache2 php libusb-1.0-0 libusb-1.0-0-d* libusb-1.0-0-dev libgsm1 libgsm1-dev
rfs@offensive-wireless:~ $ cd /var/www/html
rfs@offensive-wireless:/var/www/html $ sudo ln -s /usr/local/share/yate/nipc_web nipc
rfs@offensive-wireless:/var/www/html $ sudo chmod -R a+w /usr/local/share/yate
```
Note that `a+w` makes the whole /usr/local/share/yate tree world-writable, including the PHP files Apache serves from it, so keep this host on an isolated lab network.
![[Free] How to Install a Rogue BTS: What you need to know 8 Rogue BTS](http://offensive-wireless.com/wp-content/uploads/2022/06/image-10-1024x217.png)
Create a systemd unit so that Yate starts at boot and is restarted if it dies:
```
sudo vi /etc/systemd/system/yate.service
```
```ini
[Unit]
Description=RFS Yate BTS
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
User=root
ExecStart=/usr/local/bin/yate -s

[Install]
WantedBy=multi-user.target
```
```
rfs@offensive-wireless:/usr/bin/pysim $ sudo systemctl start yate
rfs@offensive-wireless:/usr/bin/pysim $ sudo systemctl enable yate
```
Step 5 – Provisioning SIM Cards
In order to
How to Install PySIM
```
rfs@offensive-wireless:~/YateBTS $ sudo apt-get install libpcsclite-dev
```
![[Free] How to Install a Rogue BTS: What you need to know 9 Rogue BTS](http://offensive-wireless.com/wp-content/uploads/2022/06/image-9.png)
```
rfs@offensive-wireless:~ $ mkdir PySIM
rfs@offensive-wireless:~ $ cd PySIM/
rfs@offensive-wireless:~/PySIM $ git clone git://git.osmocom.org/pysim.git
rfs@offensive-wireless:~/PySIM $ sudo apt-get install python3-pyscard python3-serial python3-pip python3-yaml
rfs@offensive-wireless:~/PySIM $ cd pysim
rfs@offensive-wireless:~/PySIM/pysim $ pip3 install -r requirements.txt
```
How to Configure a Magic SIM
```
rfs@offensive-wireless:~/PySIM/pysim $ ./pySim-read.py -d /dev/ttyUSB0
```
![[Free] How to Install a Rogue BTS: What you need to know 10 Rogue BTS](http://offensive-wireless.com/wp-content/uploads/2022/06/image-28.png)
```
rfs@offensive-wireless:~/PySIM/pysim $ ./pySim-prog.py -d /dev/ttyUSB0 -n RFS -x 268 -y 07 -i 901990000000018 -s 8988211110000110000 -o 398198093111279FB1FC74BE07059FEF -k 1D8B2562B772549F20D0F42003EAA6FA
```
![[Free] How to Install a Rogue BTS: What you need to know 11 Rogue BTS](http://offensive-wireless.com/wp-content/uploads/2022/06/image-29.png)
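The pySim-prog call above takes six values that are easy to mistype, and a card written with a wrong one has to be reprogrammed. As an added example (not part of the article or of pySim), the script below checks the formats pySim-prog expects for MCC (`-x`), MNC (`-y`), IMSI (`-i`), ICCID (`-s`), OPC (`-o`) and Ki (`-k`), verifies the ICCID check digit with the Luhn algorithm used by ITU-T E.118 numbers, and flags an IMSI whose PLMN prefix differs from the MCC and MNC given. The values under `__main__` are copied from the command above; the ones in the usage note are constructed.

```python
"""Sanity-check the arguments for pySim-prog before writing a SIM (added example).

Checks: MCC is 3 digits, MNC 2 or 3 digits, IMSI 15 digits, ICCID 19 or 20
digits with a valid Luhn check digit, Ki and OPC 16 bytes written as 32 hex
digits. A mismatch between the IMSI prefix and MCC+MNC is only a warning,
since it can be intentional (test IMSIs under MCC 901, for instance).
"""
import re

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")


def luhn_valid(digits):
    """True when the last digit is the correct Luhn check digit for the rest."""
    if not digits.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload):
    """Check digit that makes payload + digit pass luhn_valid()."""
    if not payload.isdigit():
        raise ValueError("payload must be numeric")
    for d in "0123456789":
        if luhn_valid(payload + d):
            return d
    raise AssertionError("unreachable: exactly one digit satisfies Luhn")


def check_sim_params(mcc, mnc, imsi, iccid, opc, ki):
    """Return (errors, warnings): errors should block programming, warnings need a look."""
    errors, warnings = [], []
    if not re.fullmatch(r"\d{3}", mcc):
        errors.append("MCC (-x) must be 3 digits")
    if not re.fullmatch(r"\d{2,3}", mnc):
        errors.append("MNC (-y) must be 2 or 3 digits")
    if not re.fullmatch(r"\d{15}", imsi):
        errors.append("IMSI (-i) must be 15 digits")
    if not re.fullmatch(r"\d{19,20}", iccid):
        errors.append("ICCID (-s) must be 19 or 20 digits")
    elif not luhn_valid(iccid):
        fixed = iccid[:-1] + luhn_check_digit(iccid[:-1])
        errors.append(f"ICCID (-s) fails its Luhn check digit; {fixed} would be valid")
    for flag, name, value in (("-o", "OPC", opc), ("-k", "Ki", ki)):
        if not HEX32.fullmatch(value):
            errors.append(f"{name} ({flag}) must be 16 bytes written as 32 hex digits")
    if not errors and not imsi.startswith(mcc + mnc):
        warnings.append(
            f"IMSI starts with {imsi[:len(mcc) + len(mnc)]}, not with MCC+MNC {mcc}{mnc}; "
            "make sure that is intended"
        )
    return errors, warnings


if __name__ == "__main__":
    # Values from the pySim-prog command in the article.
    errors, warnings = check_sim_params(
        mcc="268", mnc="07", imsi="901990000000018", iccid="8988211110000110000",
        opc="398198093111279FB1FC74BE07059FEF", ki="1D8B2562B772549F20D0F42003EAA6FA",
    )
    for e in errors:
        print("ERROR:", e)
    for w in warnings:
        print("WARNING:", w)
    print("ok to program" if not errors else "fix the errors before running pySim-prog")
```

Run it once per card before the `pySim-prog.py` call; when the ICCID fails the check digit, the error message includes the corrected value so you can paste it into `-s`. For a constructed card such as IMSI 268070000000001 with a Luhn-correct ICCID, it reports neither errors nor warnings.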
```
rfs@offensive-wireless:~/PySIM $ sudo cp -R pysim/ /usr/src/
rfs@offensive-wireless:~/PySIM $ cd /usr/local/bin
rfs@offensive-wireless:/usr/local/bin $ sudo ln -s /usr/src/pysim/pySim-prog.py pySim-prog.py
rfs@offensive-wireless:/usr/local/bin $ sudo vi /usr/local/share/yate/nipc_web/config.php
```
```php
<?php
$pysim_path = "/usr/bin/pysim";
?>
```
![[Free] How to Install a Rogue BTS: What you need to know 12 Rogue BTS](http://offensive-wireless.com/wp-content/uploads/2022/06/image-30.png)
![[Free] How to Install a Rogue BTS: What you need to know 13 Rogue BTS](http://offensive-wireless.com/wp-content/uploads/2022/06/image-31-1024x284.png)
```
rfs@offensive-wireless:~/PySIM/pysim $ sudo systemctl daemon-reload
rfs@offensive-wireless:~/PySIM/pysim $ sudo systemctl restart yate
rfs@offensive-wireless:~/PySIM/pysim $ sudo systemctl status yate
```
Once everything is done you can start capturing the GSM signal from our BTS with an RTL-SDR.
My next article will be about systems and methods for identifying rogue base stations, for now, you can check my other article about ZigBee Sniffing.
![[Free] How to Install a Rogue BTS: What you need to know 1 How to Install a Rogue BTS](https://www.offensive-wireless.com/wp-content/uploads/2022/06/How-to-Install-a-Rogue-BTS.jpg)
