We start GSM network at home

In this article I would like to describe in detail how I managed to launch my own GSM network using Osmocom and modest investments in equipment.

The instructions on the official website are outdated and I had to spend quite a lot of time adapting them. Fortunately, all the problems were solved, and if you strictly follow the tips below, then you will succeed.
')
As a result, we will launch an experimental 2G cellular network within the room with support for SMS and voice calls, without GPRS. It can be used to study the operation and interaction of devices and components of a GSM network, without interfering with commercial cellular networks.


Cycle articles:

We start GSM network at home
Analysis of GSM network traffic in Wireshark
Add GPRS to your home GSM network
Practical examples of attacks inside the GSM network

Attention!
The author does not bear any responsibility for the actions of other users, their interference with commercial GSM networks and damage to their own equipment. Before you start anything, make sure you understand what you are doing.

UPD: If you encounter problems when building or using my configuration files, I recommend installing everything you can from the Nightly Builds deb packages to a newer OS. To build osmocombb (jolly / testing) branches, you will need the old toolchain, which I wrote about later in the text. I installed everything on Debian 9 (32 bits), there are no problems with libdbi and something else, install the dependencies that apt offers. When building a toolchain, there may be problems with texinfo. The axilirator script already has a couple of patches for this, but for Debian 9, I needed more edits to gcc / doc / gcc.texi.

Iron and Soft

Iron

• Computer with installed 32-bit Ubuntu 14.04 (not virtualka)
• 2 phones on the TI Calypso chipset (Motorola c113, c118, c123, ...)
• 2 USB-TTL converter
• 2 wires (2.5 mm jack + jumpers)

Soft

• OsmocomBB based transceivers
• OsmoBTS Base Station
• OsmoBSC based base station controller
• MSC, HLR, SMS center based on OsmoNTIB

We are buying

Phones based on the TI Calypso chipset will be the easiest to search for free classified ads in your city. The price varies from 300 to 700 rubles, depending on the state and availability of the charger. The probability of buying a phone in Russia designed for western GSM bands is very small, but if you decide to buy it abroad, I recommend paying attention to GSM working bands. You need phones that work with 900 MHz and 1800 MHz, if you live in Russia.

The list of supported models can be found here .

Perhaps there are other compatible phones, in particular, the Motorola c113 and c113a are fully compatible with OsmocomBB, although not presented on the official website.

No SIM cards needed.



USB-TTL converters can run on CP2102, FT232 or PL2303 chips.

I recommend using the CP2102 because with the help of a specialized utility you can make this converter work at non-standard speeds, which is required for some OsmocomBB branches.

You can buy it from 100 rubles on ebay or aliexpress, or 2-3 times more expensive in more or less large electronics stores. The second option is preferable if you do not want to wait.

The wire connecting the computer to the phone may look different, but I recommend to buy a 2.5 mm jack in the radio parts store


UPD: In the photo, as you noticed later, a jack with 4 pins is depicted, you need from 3, the most ordinary!

and wires with connectors, like those that are often used for Arduino or Raspberry Pi.


In the absence of a second, you can think of something different. Your task is to connect the terminals Tx, Rx, GND of the converter with the jack contacts as follows:

TxD connect to jack tip
RxD connect to the middle jack contact
GND connect to the bottom of the jack.

You can take a bundle of three wires, bite off connectors from one end and solder the remaining wires with connectors on one end to the jack terminals.

Please note that to start a network with voice call support, you need 2 phones, 2 converters and 2 ready wires.

Unobvious problem

After buying a jack, make sure that it can be inserted into the headset jack to the end. Otherwise, you may get errors due to unreliable connection with the phone or not have it at all.

Jackies, which are most often sold in stores of radio components, are not inserted into the slot to the end, because They interfere with the case (your / phone).





To make sure that the jack enters to the end, you can get the phone out of the case and try inserting the jack.



If you later realized that the case interferes with the jack, you will have to arm with pliers and a file, turn on your wits and change the case of the jack or phone so that the contact is reliable.

You can check the reliability of the connection with PuTTY. You can find the COM port number by looking in the Device Manager.



We connect the phone to the computer via a USB-TTL converter and the assembled wire, briefly press the power button and the message @ftmtoolerror should appear among other characters in the PuTTY window.

The same can be done under Linux using minicom.

Installation

As stated at the beginning, I recommend using Ubuntu 14.04, the 32-bit version of it. It is possible that you will be able to install everything on 64-bit Ubuntu 16.04, but then you will have to solve all dependency problems yourself during installation and compatibility with the Osmocom project branches.

Also, you can try to use a virtual machine, but I never managed to get a stable connection on the guest OS. Problems may arise at the level of USB port virtualization.

You can use a virtual machine to work with osmocombb and its individual applications, but when it comes to launching a GSM network, I advise you not to use virtualization.

Install the basic packages we need to build Osmocom.

apt-get install build-essential libtool libtalloc-dev shtool autoconf automake git-core pkg-config make gcc libpcsclite-dev

libosmocore

git clone git://git.osmocom.org/libosmocore.git
cd libosmocore/
autoreconf -i
./configure
make
make install
ldconfig -i

toolchain

- toolchain. , osmocombb, .

, , toolchain, -.

git clone https://github.com/axilirator/gnu-arm-installer.git
cd gnu-arm-installer
apt-get install libgmp3-dev libmpfr-dev libx11-6 libx11-dev flex bison libncurses5 libncurses5-dbg libncurses5-dev libncursesw5 libncursesw5-dbg libncursesw5-dev zlibc zlib1g-dev libmpfr4 libmpc-dev texinfo
./download.sh
./build.sh

, . 3 .

PATH, /root/osmocom/gnu-arm-installer/install/bin

vi /etc/bash.bashrc
add in the end
export PATH=$PATH:/root/osmocom/gnu-arm-installer/install/bin

osmocombb

Master- GSM , , , RSSI cell_log (. ).

- , src/target/firmware/Makefile :

CFLAGS += -DCONFIG_TX_ENABLE

git clone git://git.osmocom.org/osmocom-bb.git osmocombb
cd osmocombb/src
make

FFT

wget http://www.fftw.org/fftw-3.3.6-pl2.tar.gz
tar -xvzf fftw-3.3.6-pl2.tar.gz
cd fftw-3.3.6-pl2
./configure --enable-threads --enable-float
make
make install 
ldconfig

libosmo-dsp

git clone git://git.osmocom.org/libosmo-dsp.git
cd libosmo-dsp/
autoreconf -i
./configure
make
make install
ldconfig

osmocombb OsmoBTS

git clone git://git.osmocom.org/osmocom-bb.git trx
cd trx/
git checkout jolly/testing
cd src/

target/firmware/Makefile

CFLAGS += -DCONFIG_TX_ENABLE

:

make HOST_layer23_CONFARGS=--enable-transceiver

libdbi sqlite

apt-get install sqlite3 libsqlite3-dev libsctp-dev

: sourceforge.net/projects/libdbi/files/libdbi/libdbi-0.8.3

tar -xvzf libdbi-0.8.3.tar.gz
cd libdbi-0.8.3
autogen.sh
./configure --disable-docs
make
make install
ldconfig
cd ..

: sourceforge.net/projects/libdbi-drivers/files/libdbi-drivers/libdbi-drivers-0.8.3

tar -xvzf libdbi-drivers-0.8.3.tar.gz
cd libdbi-drivers-0.8.3

, HLR. .

vi drivers/sqlite3/dbd_sqlite3.c

_dbi_internal_error_handler _dbd_internal_error_handler.

:

./autogen.sh
./configure --disable-docs --with-sqlite3 --with-sqlite3-dir=/usr/bin --with-dbi-incdir=/usr/local/include
make
make install
ldconfig

ORTP

wget http://download.savannah.gnu.org/releases/linphone/ortp/sources/ortp-0.22.0.tar.gz
tar -xvf ortp-0.22.0.tar.gz
cd ortp-0.22.0/
./autogen.sh
./configure
make
make install
ldconfig

libosmo-abis

git clone git://git.osmocom.org/libosmo-abis.git
cd libosmo-abis
autoreconf -i
./configure
make
make install
ldconfig

libosmo-netif

git clone git://git.osmocom.org/libosmo-netif.git
cd libosmo-netif
autoreconf -i
./configure
make
make install
ldconfig

OpenBSC

apt-get install libssl0.9.8 libssl-dev
ldconfig
git clone git://git.osmocom.org/openbsc.git
cd openbsc/openbsc/
autoreconf -i
./configure
make
make install

OsmoBTS

git clone git://git.osmocom.org/osmo-bts.git
cd osmo-bts
autoreconf -i
./configure --enable-trx
make
make install

Osmocom root, /root/.osmocom

mkdir /root/.osmocom;cd /root/.osmocom
touch ~/.osmocom/osmo-bts.cfg
touch ~/.osmocom/open-bsc.cfg

:

• OsmoNTIB
• , .

osmo-bts.cfg open-bsc.cfg .

(band) GSM ARFCN.

ARFCN — .
ARFCN RSSI, osmocombb, cell_log.

, GSM . , , band.

, . Calypso BTS SCH bursts . ( ), .

ARFCN band , OsmoNTIB .

.

ls -l /dev/ttyUSB*

ttyUSB0 ttyUSB1.

.

osmocon . compal_e86 e87 c123xor, - .

cd /root/osmocom/trx/src
host/osmocon/osmocon -m c123xor -p /dev/ttyUSB0 -s /tmp/osmocom_l2 -c target/firmware/board/compal_e88/trx.highram.bin -r 99

, . TRX.

cd /root/osmocom/trx/src
host/osmocon/osmocon -m c123xor -p /dev/ttyUSB1 -s /tmp/osmocom_l2.2 -c target/firmware/board/compal_e88/trx.highram.bin -r 99

, . TRX.

BTS

ARFCN , . , RSSI cell_log.

cd /root/osmocom/trx/src/host/layer23/src/transceiver/
./transceiver -a ARFCN -2 -r 99

MSC, HLR -

cd /root/.osmocom
osmo-nitb -c ~/.osmocom/open-bsc.cfg -l ~/.osmocom/hlr.sqlite3 -P -C --debug=DRLL:DCC:DMM:DRR:DRSL:DNM

cd /root/.osmocom
osmo-bts-trx --debug DRSL:DOML:DLAPDM -r 99

GSM !

, . 00101 TestNet. .

- , , .

USSD *#100#.

OsmoNTIB

telnet localhost 4242

OsmoBTS

telnet localhost 4241

. , wireshark.

UPD: GPRS

!

UPD: — ( ) Pentestit Security Conference : « GSM».

UPD: Osmocom defcon.ru/wireless-security/4716