{"id":214,"date":"2018-06-01T00:15:04","date_gmt":"2018-06-01T04:15:04","guid":{"rendered":"https:\/\/freezion.com\/?p=214"},"modified":"2018-06-01T00:15:04","modified_gmt":"2018-06-01T04:15:04","slug":"how-to-run-your-own-cell-tower","status":"publish","type":"post","link":"https:\/\/freezion.com\/?p=214","title":{"rendered":"How To Run Your Own Cell Tower"},"content":{"rendered":"

This post is a collection of notes from about 2 years ago. I keep meaning to post them, but keep getting busy and not having time to get around to editing them for clarity and\/or currency, but I keep wanting to reference them, so I’m finally just going to dump them here as-is.<\/p>\n

NOTE<\/span><\/strong>: doing this may be illegal in your jurisdiction. Specifically, using the radio frequencies required for this to work could potentially be a federal offense (in the US). Be sure you understand the legalities before following this guide, etc.<\/p>\n

Also note<\/strong>: this is specifically for GSM network cell traffic. If you are looking for something other than GSM, things are going to be different.<\/p>\n

And with that all said, the following basically takes you from “I just installed Ubuntu” to “I have cell phones calling\/texting each other through my ‘tower'” in roughly 10 minutes using a BladeRF and a laptop.<\/p>\n

Equipment<\/span><\/h2>\n
    \n
  • [ 1 ] of Lenovo Y50-70 Laptop: http:\/\/shop.lenovo.com\/us\/en\/laptops\/lenovo\/y-series\/y50\/<\/li>\n
  • [ 1 ] of BladeRF x40: https:\/\/www.nuand.com\/blog\/product\/bladerf-x40\/<\/li>\n
  • [ 1 ] of BladeRF case: https:\/\/www.nuand.com\/blog\/product\/bladerf-case\/<\/li>\n
  • [ 2 ] of Superbat 5dbi 700-2600Mhz 4G LTE Omni Directional Antenna: http:\/\/amazon.com\/Superbat-700-2600Mhz-Directional-Antenna-Connector\/dp\/B00FE7KMYS<\/li>\n<\/ul>\n

    NOTE: OS used for this project was Linux Mint 17.3 – KDE Spin<\/em><\/p>\n

    $ cat \/etc\/lsb-release\nDISTRIB_ID=LinuxMint\nDISTRIB_RELEASE=17.3\nDISTRIB_CODENAME=rosa\nDISTRIB_DESCRIPTION=\"Linux Mint 17.3 Rosa\"\n\n$ uname -srp\nLinux 3.19.0-32-generic x86_64\n<\/code><\/pre>\n
    Getting BladeRF Running<\/span><\/h2>\n
      \n
    • Add your username to the plugdev and dialout groups<\/li>\n<\/ul>\n
      $ sudo usermod -a -G plugdev <username>\n$ sudo usermod -a -G dialout <username>\n<\/code><\/pre>\n
        \n
      • Install the bladeRF PPA and required software packages<\/li>\n<\/ul>\n
        $ sudo add-apt-repository ppa:bladerf\/bladerf\n$ sudo apt-get update\n$ sudo apt-get install bladerf libbladerf-dev bladerf-firmware-fx3 bladerf-fpga-hostedx40\n<\/code><\/pre>\n
          \n
        • Create a ~\/.Nuand\/bladeRF directory<\/li>\n
        • Store the FPGA image in the bladeRF directory so it can be autoloaded<\/li>\n<\/ul>\n
          $ mkdir -p ~\/.Nuand\/bladeRF\n$ cd ~\/.Nuand\/bladeRF\n$ wget http:\/\/hoopycat.com\/bladerf_builds\/latest\/artifacts\/hostedx40.rbf\n<\/code><\/pre>\n
          *NOTE: since we installed the FPGA from the bladeRF PPA, you could also just link to that from your bladeRF directory instead:<\/p>\n
          $ ln -s \/usr\/share\/Nuand\/bladeRF\/hostedx40.rbf ~\/.Nuand\/bladeRF\n<\/code><\/pre>\n
            \n
          • Grab the latest firmware image<\/li>\n<\/ul>\n
            $ wget http:\/\/hoopycat.com\/bladerf_builds\/latest\/artifacts\/firmware.img\n<\/code><\/pre>\n
              \n
            • Plug the bladeRF in<\/li>\n
            • Verify the system sees the device<\/li>\n<\/ul>\n
              $ dmesg | grep usb\n...\n[\u00a0\u00a0992.744233] usb 2-2: New USB device found, idVendor=1d50, idProduct=6066\n[\u00a0\u00a0992.744235] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3\n[\u00a0\u00a0992.744237] usb 2-2: Product: bladeRF\n[\u00a0\u00a0992.744239] usb 2-2: Manufacturer: Nuand\n[\u00a0\u00a0992.744240] usb 2-2: SerialNumber: d1c8b59ff5d36d39d43af24eaca005a3\n...\n<\/code><\/pre>\n
                \n
              • Verify the system recognizes the bladeRF (using bladeRF-cli):<\/li>\n<\/ul>\n
                $ bladeRF-cli -p\n\n\u00a0\u00a0Backend:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0libusb\n\u00a0\u00a0Serial:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0d1c8b59ff5d36d39d43af24eaca005a3\n\u00a0\u00a0USB Bus:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a02\n\u00a0\u00a0USB Address:\u00a0\u00a0\u00a0\u00a02\n\n$ bladeRF-cli -i\n[INFO @ version_compat.c:116] FPGA version (v0.4.1) is newer than entries in libbladeRF's compatibility table. Please update libbladeRF if problems arise.\n\nbladeRF> info\n\u00a0\u00a0Serial #:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0d1c8b59ff5d36d39d43af24eaca005a3\n\u00a0\u00a0VCTCXO DAC calibration:\u00a0\u00a0\u00a00x8ea1\n\u00a0\u00a0FPGA size:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a040 KLE\n\u00a0\u00a0FPGA loaded:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0yes\n\u00a0\u00a0USB bus:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a02\n\u00a0\u00a0USB address:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a05\n\u00a0\u00a0USB speed:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SuperSpeed\n\u00a0\u00a0Backend:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0libusb\n\u00a0\u00a0Instance:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00\n<\/code><\/pre>\n
                  \n
                • Update the firmware on the bladeRF<\/li>\n<\/ul>\n
                  $\u00a0\u00a0cd \/usr\/share\/Nuand\/bladeRF\/\n$\u00a0\u00a0bladeRF-cli --flash-firmware .\/firmware.img\n<\/code><\/pre>\n
                  Install Yate<\/span><\/h2>\n
                    \n
                  • Checkout the source code from SVN and compile<\/li>\n<\/ul>\n
                    $ mkdir svn\n$ cd svn\/\n$ svn checkout http:\/\/voip.null.ro\/svn\/yate\/trunk yate\n$ cd yate\/\n$ .\/autogen.sh\n$ .\/configure\n$ sudo make install\n$ which -a yate-config\n\/usr\/local\/bin\/yate-config\n<\/code><\/pre>\n
                    Install YateBTS<\/span><\/h2>\n
                      \n
                    • Checkout the source code from SVN and compile<\/li>\n<\/ul>\n
                      $ cd ..\n$ svn checkout http:\/\/voip.null.ro\/svn\/yatebts\/trunk yatebts\n$ cd yatebts\/\n$ .\/autogen.sh\n$ .\/configure\n$ sudo make install\n<\/code><\/pre>\n
                        \n
                      • Pickup the new libraries<\/li>\n<\/ul>\n
                        $ sudo ldconfig\n<\/code><\/pre>\n
                        Configure YateBTS<\/h2>\n
                          \n
                        • Setup the GSM band information by setting the following values in the configuration file:<\/li>\n<\/ul>\n
                          $ sudo vi \/usr\/local\/etc\/yate\/ybts.conf\n...\nRadio.Band=1800\nRadio.C0=512\n...\nRadio.PowerManager.MaxAttenDB=40\nRadio.PowerManager.MinAttenDB=40\n<\/code><\/pre>\n
                          Run YateBTS<\/span><\/h3>\n
                            \n
                          • Run the yate binary as root<\/li>\n<\/ul>\n
                            $ sudo yate -vvvvvv\nYate (23748) is starting Tue Oct 20 14:03:52 2015\n2015-10-20_14:03:52.041354 <ALL> Plugin::Plugin(\"filetransfer\",false) [0x7f0204349880]\nLoaded module File Transfer\n2015-10-20_14:03:52.041441 <ALL> Plugin::Plugin(\"tonedetect\",false) [0x7f0204139300]\nLoaded module ToneDetector\n2015-10-20_14:03:52.041509 <ALL> Plugin::Plugin(\"fileinfo\",false) [0x7f0203f30c40]\nLoaded module FileInfo\n2015-10-20_14:03:52.041603 <ALL> Plugin::Plugin(\"extmodule\",false) [0x7f0203d259c0]\nLoaded module ExtModule\n2015-10-20_14:03:52.041916 <ALL> Plugin::Plugin(\"javascript\",true) [0x7f0203b11640]\nLoaded module Javascript\n2015-10-20_14:03:52.041998 <ALL> Plugin::Plugin(\"moh\",false) [0x7f0203694440]\nLoaded module MOH\n2015-10-20_14:03:52.042148 <ALL> Plugin::Plugin(\"isaccodec\",false) [0x7f020348a780]\nLoaded module iSAC floating point - based on WebRTC iSAC library version 4.3.0 (SPL version 1.2.0)\n2015-10-20_14:03:52.042348 <ALL> Plugin::Plugin(\"iax\",false) [0x7f020324e5c0]\nLoaded module YIAX\n2015-10-20_14:03:52.042522 <ALL> Plugin::Plugin(\"yrtp\",false) [0x7f0203012280]\nLoaded module YRTP\n2015-10-20_14:03:52.042643 <ALL> Plugin::Plugin(\"cdrfile\",true) [0x7f0202deb240]\nLoaded module CdrFile\n2015-10-20_14:03:52.042750 <ALL> Plugin::Plugin(\"gsmcodec\",false) [0x7f0202be6180]\nLoaded module GSM - based on libgsm-1.0.10\n2015-10-20_14:03:52.042836 <ALL> Plugin::Plugin(\"regexroute\",false) [0x7f02027d1f80]\nLoaded module RegexRoute\n2015-10-20_14:03:52.042914 <ALL> Plugin::Plugin(\"callgen\",false) [0x7f02025c58c0]\nLoaded module Call Generator\n2015-10-20_14:03:52.042975 <ALL> Plugin::Plugin(\"pbx\",false) [0x7f02023ba540]\nLoaded module PBX\n2015-10-20_14:03:52.043061 <ALL> Plugin::Plugin(\"conf\",false) [0x7f02021b34c0]\nLoaded module Conference\n2015-10-20_14:03:52.043150 <ALL> Plugin::Plugin(\"rmanager\",false) [0x7f0201fa4900]\nLoaded module RManager\n2015-10-20_14:03:52.043240 <ALL> Plugin::Plugin(\"wave\",false) [0x7f0201d949c0]\nLoaded module WaveFile\n2015-10-20_14:03:52.043326 <ALL> Plugin::Plugin(\"analyzer\",false) [0x7f0201b83480]\nLoaded module Analyzer\n2015-10-20_14:03:52.043401 <ALL> Plugin::Plugin(\"stun\",false) [0x7f0201978400]\nLoaded module YSTUN\n2015-10-20_14:03:52.043652 <ALL> Plugin::Plugin(\"sip\",false) [0x7f020176d980]\nLoaded module SIP Channel\n2015-10-20_14:03:52.043754 <ALL> Plugin::Plugin(\"callfork\",false) [0x7f02015084c0]\nLoaded module Call Forker\n2015-10-20_14:03:52.043824 <ALL> Plugin::Plugin(\"dumb\",false) [0x7f02012fd200]\nLoaded module DumbChannel\n2015-10-20_14:03:52.043895 <ALL> Plugin::Plugin(\"cdrbuild\",false) [0x7f02010f63c0]\nLoaded module CdrBuild\n2015-10-20_14:03:52.043978 <ALL> Plugin::Plugin(\"gvoice\",false) [0x7f0200ee94c0]\nLoaded module GVoice\n2015-10-20_14:03:52.044048 <ALL> Plugin::Plugin(\"enumroute\",false) [0x7f0200ce3240]\n2015-10-20_14:03:52.044810 <ALL> Plugin::Plugin(\"jingle\",false) [0x7f0200adbac0]\nLoaded module YJingle\n2015-10-20_14:03:52.044949 <ALL> Plugin::Plugin(\"msgsniff\",false) [0x7f0200646540]\nLoaded module MsgSniffer\n2015-10-20_14:03:52.045010 <ALL> Plugin::Plugin(\"cdrcombine\",false) [0x7f02004409c0]\nLoaded module CdrCombine\n2015-10-20_14:03:52.045128 <ALL> Plugin::Plugin(\"ilbccodec\",false) [0x7f020023a080]\nLoaded module iLBC - based on iLBC reference library\n2015-10-20_14:03:52.045223 <ALL> Plugin::Plugin(\"socks\",true) [0x7f0200017a80]\nLoaded module YSOCKS\n2015-10-20_14:03:52.045369 <ALL> Plugin::Plugin(\"ilbcwebrtc\",false) [0x7f01ffe00600]\nLoaded module iLBC - based on WebRTC iLBC library version 1.1.1\n2015-10-20_14:03:52.045465 <ALL> Plugin::Plugin(\"tone\",false) [0x7f01ffbe8680]\nLoaded module ToneGen\n2015-10-20_14:03:52.045484 <tone:ALL> Building comfort noise at level -10\n2015-10-20_14:03:52.045537 <tone:ALL> Building tone of 1336 + 941 Hz\n2015-10-20_14:03:52.046160 <tone:ALL> Building tone of 1209 + 697 Hz\n2015-10-20_14:03:52.046751 <tone:ALL> Building tone of 1336 + 697 Hz\n2015-10-20_14:03:52.047344 <tone:ALL> Building tone of 1477 + 697 Hz\n2015-10-20_14:03:52.047936 <tone:ALL> Building tone of 1209 + 770 Hz\n2015-10-20_14:03:52.048536 <tone:ALL> Building tone of 1336 + 770 Hz\n2015-10-20_14:03:52.049135 <tone:ALL> Building tone of 1477 + 770 Hz\n2015-10-20_14:03:52.049737 <tone:ALL> Building tone of 1209 + 852 Hz\n2015-10-20_14:03:52.050321 <tone:ALL> Building tone of 1336 + 852 Hz\n2015-10-20_14:03:52.050906 <tone:ALL> Building tone of 1477 + 852 Hz\n2015-10-20_14:03:52.051496 <tone:ALL> Building tone of 1209 + 941 Hz\n2015-10-20_14:03:52.052086 <tone:ALL> Building tone of 1477 + 941 Hz\n2015-10-20_14:03:52.052677 <tone:ALL> Building tone of 1633 + 697 Hz\n2015-10-20_14:03:52.053268 <tone:ALL> Building tone of 1633 + 770 Hz\n2015-10-20_14:03:52.053867 <tone:ALL> Building tone of 1633 + 852 Hz\n2015-10-20_14:03:52.054458 <tone:ALL> Building tone of 1633 + 941 Hz\n2015-10-20_14:03:52.055048 <tone:ALL> Building tone of 2000 + 125 Hz\n2015-10-20_14:03:52.056957 <tone:ALL> Building tone of 2000 modulated by 1000 Hz\n2015-10-20_14:03:52.059324 <tone:ALL> Building tone of 2010 Hz\n2015-10-20_14:03:52.059486 <tone:ALL> Building tone of 1780 Hz\n2015-10-20_14:03:52.059799 <ALL> Plugin::Plugin(\"mux\",true) [0x7f01ff9d8640]\nLoaded module MUX\n...\n<\/code><\/pre>\n
                            Use Yate Telnet Interface<\/span><\/h2>\n
                              \n
                            • Telnet to port 5038 on the host running YateBTS<\/li>\n<\/ul>\n
                              telnet 127.0.0.1 5038\nTrying 127.0.0.1...\nConnected to 127.0.0.1.\nEscape character is '^]'.\nYATE 5.5.1-devel1 r6056 (http:\/\/YATE.null.ro) ready on localhost.\n<\/code><\/pre>\n
                                \n
                              • Get a list of registered devices<\/li>\n<\/ul>\n
                                nib list registered\nIMSI\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0MSISDN\n--------------- ---------------\n<\/code><\/pre>\n
                                  \n
                                • Get a list of rejected devices<\/li>\n<\/ul>\n
                                  nib list rejected\nIMSI\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0No attempts register\n--------------- ---------------\n001010000000002\u00a0\u00a0\u00a0\u00a02\n<\/code><\/pre>\n
                                    \n
                                  • Observe rejections in the yate debug output:<\/li>\n<\/ul>\n
                                    2015-10-20_14:18:33.424894 <ybts-signalling:INFO> Received [0xcd0240]\n-----\nPrimitive: PhysicalInfo\nInfo: 0\nConnection: 3\n\n<PhysicalInfo>TA=0 TE=3.000 UpRSSI=1 TxPwr=33 DnRSSIdBm=-83 time=1445365112.943<\/PhysicalInfo>\n-----\n2015-10-20_14:18:33.425026 <ybts-signalling:INFO> Received [0xcd0240]\n-----\nPrimitive: L3Message\nInfo: 0\nConnection: 3\n\n<MM>\n\n\u00a0\u00a0<SkipIndicator>0<\/SkipIndicator>\n\u00a0\u00a0<NSD>0<\/NSD>\n\u00a0\u00a0<Message type=\"LocationUpdatingRequest\">\n\u00a0\u00a0\u00a0\u00a0<LocationUpdatingType>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<FOR>false<\/FOR>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<LUT>normal-location-updating<\/LUT>\n\u00a0\u00a0\u00a0\u00a0<\/LocationUpdatingType>\n\u00a0\u00a0\u00a0\u00a0<CipheringKeySequenceNumber>no-key\/reserved<\/CipheringKeySequenceNumber>\n\u00a0\u00a0\u00a0\u00a0<LAI>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<PLMNidentity>00101<\/PLMNidentity>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<LAC>fffe<\/LAC>\n\u00a0\u00a0\u00a0\u00a0<\/LAI>\n\u00a0\u00a0\u00a0\u00a0<MobileStationClassmark>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<RFPowerCapability>class1<\/RFPowerCapability>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<RevisionLevel>GSM-phase2<\/RevisionLevel>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<Flags>ES-IND<\/Flags>\n\u00a0\u00a0\u00a0\u00a0<\/MobileStationClassmark>\n\u00a0\u00a0\u00a0\u00a0<MobileIdentity>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<IMSI>001010000000002<\/IMSI>\n\u00a0\u00a0\u00a0\u00a0<\/MobileIdentity>\n\u00a0\u00a0<\/Message>\n<\/MM>\n-----\n2015-10-20_14:18:33.425160 <ybts-signalling:ALL> Added connection (0x7f01d4001330,3) [0xcd0240]\n2015-10-20_14:18:33.425180 <ybts-mm:ALL> Handling LocationUpdatingRequest conn=3: ident=IMSI\/001010000000002\nLAI=00101_fffe [0xcd0620]\n2015-10-20_14:18:33.425194 <ybts-mm:ALL> Added UE (0x7f01d4002b10) TMSI= IMSI=001010000000002 [0xcd0620]\n2015-10-20_14:18:33.425206 <ybts-signalling:ALL> Connection 3 set UE (0x7f01d4002b10) TMSI= IMSI=001010000000\n002 [0x7f01d4001330]\n2015-10-20_14:18:33.425233 <ybts-signalling:INFO> Sending [0xcd0240]\n-----\nPrimitive: L3Message\nInfo: 0\nConnection: 3\n\n<MM>\n\u00a0\u00a0<Message type=\"IdentityRequest\">\n\u00a0\u00a0\u00a0\u00a0<IdentityType>IMEI<\/IdentityType>\n\u00a0\u00a0<\/Message>\n<\/MM>\n-----\n2015-10-20_14:18:33.456519 <gsmtrx:ALL> ARFCN[0]: Slot 0. Excessive TOA error=-3 peak\/mean=3.21735 count=1 [0\nx7f01d8016150]\n2015-10-20_14:18:33.796915 <gsmtrx:ALL> ARFCN[0]: Slot 6. Excessive TOA errors 8 [0x7f01d8016150]\n2015-10-20_14:18:33.875678 <gsmtrx:ALL> ARFCN[0]: Slot 6. Excessive TOA error=-5 peak\/mean=3.09984 count=1 [0\nx7f01d8016150]\n2015-10-20_14:18:34.045461 <gsmtrx:ALL> ARFCN[0]: Slot 5. Excessive TOA error=-5 peak\/mean=3.8067 count=12 [0\nx7f01d8016150]\n2015-10-20_14:18:34.116751 <gsmtrx:INFO> ARFCN[0]: Slot 0. Receiver clipping 1.81203 dB (FN=189757) count=17\n[0x7f01d8016150]\n2015-10-20_14:18:34.130972 <ybts-signalling:INFO> Received [0xcd0240]\n-----\nPrimitive: PhysicalInfo\nInfo: 0\nConnection: 3\n\n<PhysicalInfo>TA=3 TE=-1.000 UpRSSI=1 TxPwr=30 DnRSSIdBm=-83 time=1445365112.931<\/PhysicalInfo>\n-----\n2015-10-20_14:18:34.131057 <ybts-signalling:INFO> Received [0xcd0240]\n-----\nPrimitive: L3Message\nInfo: 0\nConnection: 3\n\n<MM>\n\u00a0\u00a0<SkipIndicator>0<\/SkipIndicator>\n\u00a0\u00a0<NSD>1<\/NSD>\n\u00a0\u00a0<Message type=\"IdentityResponse\">\n\u00a0\u00a0\u00a0\u00a0<MobileIdentity>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<IMEI>358300080209030<\/IMEI>\n\u00a0\u00a0\u00a0\u00a0<\/MobileIdentity>\n\u00a0\u00a0<\/Message>\n<\/MM>\n-----\n2015-10-20_14:18:34.131165 <ybts:ALL> Started location updating thread for (0x7f01d4002b10) TMSI= IMSI=001010\n000000002 [0x7f01d4001b70]\n2015-10-20_14:18:34.131317 <nib:INFO> Got user.register for imsi='001010000000002', tmsi=''\n2015-10-20_14:18:34.131425 <ybts:ALL> Location updating thread for (0x7f01d4002b10) TMSI= IMSI=00101000000000\n2 terminated [0x7f01d4001b70]\n2015-10-20_14:18:34.131439 <ybts-mm:ALL> UE (0x7f01d4002b10) TMSI= IMSI=001010000000002 register failed [0xcd\n0620]\n2015-10-20_14:18:34.131469 <ybts-signalling:INFO> Sending [0xcd0240]\n-----\nPrimitive: L3Message\nInfo: 0\nConnection: 3\n\n<MM>\n\u00a0\u00a0<Message type=\"LocationUpdatingReject\">\n\u00a0\u00a0\u00a0\u00a0<RejectCause>location-area-not-allowed<\/RejectCause>\n\u00a0\u00a0<\/Message>\n<\/MM>\n-----\n2015-10-20_14:18:34.131520 <ybts-signalling:ALL> Releasing connection (0x7f01d4001330,3) [0xcd0240]\n2015-10-20_14:18:34.131530 <ybts-signalling:INFO> Sending [0xcd0240]\n-----\nPrimitive: ConnRelease\nInfo: 0\nConnection: 3\n-----\n<\/code><\/pre>\n
                                    Setting Wildcard Subscriber (IMSI Catcher Mode)<\/span><\/h3>\n
                                      \n
                                    • \n
                                      Edit \/usr\/local\/etc\/yate\/subscribers.conf and set the following:
                                      \n\u00a0\u00a0* country_code=1 ; 1 for US, 44 for UK
                                      \n\u00a0\u00a0* regexp=.* ; catch all the things!<\/p>\n<\/li>\n
                                    • \n
                                      Start yate<\/p>\n<\/li>\n<\/ul>\n
                                      $ yate -v\n<\/code><\/pre>\n
                                        \n
                                      • Verify registered devices using telnet interface<\/li>\n<\/ul>\n
                                        $ telnet 127.0.0.1 5038\nTrying 127.0.0.1...\nConnected to 127.0.0.1.\nEscape character is '^]'.\nYATE 5.5.1-devel1 r6056 (http:\/\/YATE.null.ro) ready on localhost.\n\nnib list registered\nIMSI\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0MSISDN\n--------------- ---------------\n001010000000002\u00a0\u00a0\u00a010000002\n\n<\/code><\/pre>\n
                                        SIM card setup<\/span><\/h3>\n
                                          \n
                                        • Install the pre-requisite packages<\/li>\n<\/ul>\n
                                          $ sudo apt-get install python-setuptools swig python-dev libpcsclite-dev pcsc-tools\n<\/code><\/pre>\n
                                            \n
                                          • Run pcsc_scan, then plug the device in, and insert a SIM card<\/li>\n<\/ul>\n
                                            $ pcsc_scan\nPC\/SC device scanner\nV 1.4.23 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>\nCompiled with PC\/SC lite version: 1.8.11\nUsing reader plug'n play mechanism\nScanning present readers...\nWaiting for the first reader...\nScanning present readers...\n0: MSI StarReader SMART [Smart Card Reader Interface] (20070818000000000) 00 00\nTue Oct 20 19:26:25 2015\nReader 0: MSI StarReader SMART [Smart Card Reader Interface] (20070818000000000) 00 00\n<\/code><\/pre>\n
                                              \n
                                            • Download and compile pyscard<\/li>\n<\/ul>\n
                                              $ wget 'http:\/\/downloads.sourceforge.net\/project\/pyscard\/pyscard\/pyscard%201.7.0\/pyscard-1.7.0.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fpyscard%2F%3Fsource%3Dtyp_redirect&ts=1445382598&use_mirror=iweb'\n$ tar zxvf pyscard-1.9.0.tar.gz\n$ cd pyscard-1.9.0\n$ sudo python setup.py build_ext install\n<\/code><\/pre>\n
                                                \n
                                              • Clone the pySim repository<\/li>\n<\/ul>\n
                                                $ git clone git:\/\/git.osmocom.org\/pysim pysim\n<\/code><\/pre>\n
                                                Setting up SIP<\/span><\/h3>\n
                                                  \n
                                                • Install Asterisk<\/li>\n<\/ul>\n
                                                  $ sudo apt-get install asterisk asterisk-core-sounds-en* asterisk-moh-opsound-* asterisk-mp3 asterisk-mysql mysql-server postgresql postgresql-cont\nrib asterisk-voicemail asterisk-doc libmyodbc oidentd\n<\/code><\/pre>\n
                                                    \n
                                                  • Install Kamailio SIP proxy software<\/li>\n<\/ul>\n
                                                    $ sudo apt-get install kamailio kamailio-geoip-modules\n<\/code><\/pre>\n
                                                      \n
                                                    • Acquire a SIP account with a provider, ideally with a DID
                                                      \n\u00a0\u00a0* I used voip.ms, and created 2 DIDs, both routed to a single SIP URI (the main account I created when registering)
                                                      \n\u00a0\u00a0* Make sure you set up e911 registration so if anyone on your tower dials 911 the call gets routed and 911 data populated.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
                                                      This post is a collection of notes from about 2 years ago. I keep meaning to post them, but…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[21,22,39,43],"class_list":["post-214","post","type-post","status-publish","format-standard","hentry","category-hacking","tag-hacking","tag-howto","tag-mobile","tag-pentest"],"_links":{"self":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts\/214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=214"}],"version-history":[{"count":0,"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts\/214\/revisions"}],"wp:attachment":[{"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}