From:https://blog.strcpy.info/2016/11/16/running-openbts-with-the-nuand-bladerf-on-ubuntu-the-definitive-guide/
I have a personal interest in GSM technology and its derivatives, mainly in the security aspects of such technologies. Because of this interest, I end up following discussion forums, mailing lists, and IRC channels related to these technologies.
The problem is that lately, in these channels for sharing information and knowledge, there has been a significant increase in messages indicating dissatisfaction among part of the community with the way the folks behind YateBTS are conducting the project.
The complaints from the community are diverse: the YateBTS team removing previously existing and necessary functionality, attempts to run the project through obscurity, a lack of support and of answers to questions, and even allegations that the staff behind the project are only interested in profiting from sales of the commercial version.
As I know that not all GSM enthusiasts and researchers know how to program and add their own features to the YateBTS project, I decided to write this article in an attempt to give the community a second option for GSM study and research: OpenBTS v5.0 (a software-based GSM access point), the well-known Nuand bladeRF x40 (a relatively accessible and low-cost full-duplex SDR) and Ubuntu 12.04.5 LTS Precise Pangolin (a Debian-based Linux operating system).
One more time, I would like to thank all the pioneering hackers and researchers who started the studies related to previously closed GSM technology.
I would particularly like to thank Matthew Hickey from MDSec for the “GreedyBTS – Hacking Adventures in GSM” work, the Nuand team for the article “Minimalistic build and run test for OpenBTS 5” and Juan Pablo for the article “Should you need OpenBTS on your bladeRF”. All these works served as the basis for my research and inspired me to write this article.
So, let’s start the “hands on”!
The first thing to do is to download and install the Ubuntu 12.04.5 LTS (Precise Pangolin) image on the system.
NOTE: In my environment implementation I used a 32-bit version of Ubuntu 12.04.5 LTS (Precise Pangolin).
After installing the Ubuntu operating system, log in to the system and add the necessary Personal Package Archive (PPA) repositories to the environment.
openbts@openbts:~$ sudo su
root@openbts:/home/openbts# add-apt-repository -y ppa:git-core/ppa
root@openbts:/home/openbts# add-apt-repository -y ppa:chris-lea/zeromq
root@openbts:/home/openbts# add-apt-repository -y ppa:chris-lea/libsodium
root@openbts:/home/openbts# add-apt-repository -y ppa:bladerf/bladerf
root@openbts:/home/openbts# add-apt-repository -y ppa:ettusresearch/uhd
After adding the PPA repositories you must install the necessary dependencies in the environment.
root@openbts:/home/openbts# apt-get update
root@openbts:/home/openbts# apt-get -y install git autoconf automake libtool debhelper dpkg-dev sqlite3 libsqlite3-dev g++ libusb-1.0-0-dev
root@openbts:/home/openbts# apt-get -y install libortp-dev libortp8 libosip2-dev libreadline-dev libncurses5-dev libgsm1-dev cdbs libsqlite0-dev
root@openbts:/home/openbts# apt-get -y install unixodbc unixodbc-dev libssl-dev libsrtp0-dev libsqliteodbc uuid-dev libjansson-dev libxml2-dev
root@openbts:/home/openbts# apt-get -y install libboost1.48-all-dev libzmq3-dev libzmq3 python-zmq libsodium13 bladerf libbladerf-dev
root@openbts:/home/openbts# apt-get -y install libuhd-dev libuhd003 uhd-host
root@openbts:/home/openbts# apt-get autoremove
NOTE: The libsrtp0 and libsrtp0-dev packages are required; however, they are installed automatically as dependencies of the packages listed above.
Now plug the Nuand bladeRF x40 into one of the computer's USB ports and check that it is being properly detected.
root@openbts:/home/openbts# dmesg
[ 2092.437659] usb 1-1.2: New USB device found, idVendor=1d50, idProduct=6066
[ 2092.437679] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2092.437692] usb 1-1.2: Product: bladeRF
[ 2092.437704] usb 1-1.2: Manufacturer: Nuand
[ 2092.437716] usb 1-1.2: SerialNumber: 4c132c8ba43e0c4d922418a29a1ce207
After making sure that the Nuand bladeRF x40 is being properly detected, it is time to download and install the Nuand bladeRF x40 firmware v1.9.1.
root@openbts:/home/openbts# wget -c http://www.nuand.com/fx3/bladeRF_fw_v1.9.1.img
root@openbts:/home/openbts# bladeRF-cli -f bladeRF_fw_v1.9.1.img -v verbose
After installing firmware v1.9.1, unplug the Nuand bladeRF x40 from the USB port and plug it in again so that the device starts with the new firmware.
Once the Nuand bladeRF x40 is running firmware v1.9.1, it is time to download the Nuand bladeRF x40 FPGA image v0.1.2 and set the device to load its FPGA automatically.
root@openbts:/home/openbts# wget -c http://www.nuand.com/fpga/v0.1.2/hostedx40.rbf
root@openbts:/home/openbts# bladeRF-cli -L hostedx40.rbf -v verbose
After this procedure, unplug the Nuand bladeRF x40 from the USB port and plug it in again so that the device starts with FPGA v0.1.2 auto-loaded.
Now it is time to check the installed versions of bladeRF-cli, libbladeRF, the Nuand bladeRF x40 firmware and the Nuand bladeRF x40 FPGA.
root@openbts:/home/openbts# bladeRF-cli -i
bladeRF> version
bladeRF-cli version: 1.4.0-2016.06-1-ppaprecise
libbladeRF version: 1.7.2-2016.06-1-ppaprecise
Firmware version: 1.9.1
FPGA version: 0.1.2
bladeRF>
Exit from the bladeRF prompt by typing ‘quit’.
For OpenBTS to work with the Nuand bladeRF x40 some changes to the OpenBTS source code are required, as well as building and using a specific transceiver that can be found in older versions of YateBTS.
But don’t worry! To make the implementation as easy as possible, I created a repository on GitHub with the already patched source code of OpenBTS v5.0 (with all its required libraries and tools), as well as the patched source code of YateBTS v5.0.1, which contains the correct version of the transceiver that should be built and used.
root@openbts:/home/openbts# git clone https://github.com/strcpyblog/OpenBTS-Nuand-bladeRF.git
After cloning the “OpenBTS-Nuand-bladeRF” repository with Git, you now need to build and install the A5/3 Call Encryption Library (liba53).
root@openbts:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53# make
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53# make install
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53# ldconfig
OpenBTS uses the Coredumper shared library to produce meaningful debugging information if OpenBTS crashes, so you now need to build and install the Coredumper library (libcoredumper).
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53# cd ../libcoredumper
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/libcoredumper# ./build.sh
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/libcoredumper# dpkg -i *.deb
For OpenBTS to work with the Nuand bladeRF x40 you need to build and install the transceiver taken from YateBTS v5.0.1.
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/libcoredumper# cd ../../YateBTS-v5.0.1/mbts/Peering
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/Peering# make
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/Peering# cd ../TransceiverRAD1
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/TransceiverRAD1# make
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/TransceiverRAD1# cp -p transceiver-bladerf ../../../OpenBTS-v5.0/openbts/apps
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/TransceiverRAD1# cd ../../../OpenBTS-v5.0/openbts/apps
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps# ln -s transceiver-bladerf transceiver
With the transceiver built and installed, it is time to build the OpenBTS v5.0 source code.
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps# cd ..
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# ./autogen.sh
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# ./configure --with-uhd
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# make
With OpenBTS built, you now need to configure it so that it runs correctly.
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# mkdir /etc/OpenBTS
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# sqlite3 -init apps/OpenBTS.example.sql /etc/OpenBTS/OpenBTS.db ".quit"
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# cp -p apps/rsyslogd.OpenBTS.conf /etc/rsyslog.d/OpenBTS.conf
It’s important to install the Subscriber Registry and sipauthserve (the SIP authorization server for registration traffic) to be able to launch OpenBTS.
The Subscriber Registry holds the database of subscriber information and works as the HLR (Home Location Register). You will not be able to have a usable system without it.
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# cd ../subscriberRegistry
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# ./autogen.sh
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# ./configure
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# make
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# sqlite3 -init apps/sipauthserve.example.sql /etc/OpenBTS/sipauthserve.db ".quit"
Smqueue is the store-and-forward message service packaged with OpenBTS.
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# cd ../smqueue
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# autoreconf -i
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# ./configure
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# make
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# sqlite3 -init smqueue/smqueue.example.sql /etc/OpenBTS/smqueue.db ".quit"
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# mkdir -p /var/lib/OpenBTS
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# touch /var/lib/OpenBTS/smq.cdr
Asterisk is a software implementation of a telephone Private Branch Exchange (PBX) and is the “standard” OpenBTS PBX.
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# cd ../asterisk
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk# ./build.sh
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk# dpkg -i *.deb
With Asterisk installed, you now need to configure it so that it runs correctly.
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk# cd ../asterisk-config
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# mkdir -p /var/lib/asterisk/sqlite3dir
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# mkdir -p /var/lib/asterisk/sounds/en
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# cp -p en/*.gsm /var/lib/asterisk/sounds/en
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# cp -p *.conf /etc/asterisk
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# cp -p *.ini /etc
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# chown -R asterisk:asterisk /var/lib/asterisk/sqlite3dir
After this long process it is time to start OpenBTS.
To do this you will need to execute the following commands (each in its own Terminal window) in the following order:
openbts@openbts:~$ sudo su
root@openbts:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue/smqueue
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue/smqueue# ./smqueue
ALERT 29938:29938 2016-11-16T06:22:07.0 smqueue.cpp:2798:main: smqueue (re)starting
smqueue logs to syslogd facility LOCAL7, so there's not much to see here
openbts@openbts:~$ sudo su
root@openbts:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry/apps
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry/apps# ./sipauthserve
ALERT 29948:29948 2016-11-16T06:22:19.5 sipauthserve.cpp:328:main: ./sipauthserve (re)starting
openbts@openbts:~$ sudo su
root@openbts:/home/openbts# asterisk -vvv
If Asterisk was set up correctly you should see a bunch of messages and the lines:
...
func_channel.so => (Channel information dialplan functions)
== Registered application 'WaitUntil'
app_waituntil.so => (Wait until specified time)
== Registered custom function 'ENUMRESULT'
== Registered custom function 'ENUMQUERY'
== Registered custom function 'ENUMLOOKUP'
== Registered custom function 'TXTCIDNAME'
func_enum.so => (ENUM related dialplan functions)
Asterisk Ready.
openbts@openbts:~$ sudo su
root@openbts:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps# ./OpenBTS
If OpenBTS was set up correctly you should see a bunch of messages and the lines:
...
1479288481.102512 3072931584:
Starting the system...
ALERT 30274:30281 2016-11-16T06:28:06.1 OpenBTS.cpp:174:startTransceiver: starting transceiver ./transceiver with 1 ARFCNs
1479288491.590588 3072931584:
system ready
1479288491.590639 3072931584:
use the OpenBTSCLI utility to access CLI
1479288491.590796 3072931584: OpenBTSCLI network socket support for tcp:49300
OpenBTS>
openbts@openbts:~$ sudo su
root@openbts:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps
root@openbts:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps# ./OpenBTSCLI
OpenBTS Command Line Interface (CLI) utility
Copyright 2012, 2013, 2014 Range Networks, Inc.
Licensed under GPLv2.
Includes libreadline, GPLv2.
Connecting to 127.0.0.1:49300...
Remote Interface Ready.
Type:
"help" to see commands,
"version" for version information,
"notices" for licensing information,
"quit" to exit console interface.
OpenBTS>
After executing all the commands described above you will have something like this:
Now you can start configuring the BTS using the OpenBTS Command Line Interface (CLI) utility.
For the GSM BTS to operate you need to set the following values:
OpenBTS> config GSM.Radio.Band 900
OpenBTS> config GSM.Radio.C0 51
OpenBTS> config GSM.Identity.MCC 001
OpenBTS> config GSM.Identity.MNC 01
OpenBTS> config GSM.Radio.PowerManager.MaxAttenDB 35
OpenBTS> config GSM.Radio.PowerManager.MinAttenDB 35
You need to allow subscribers' phones to connect to the GSM BTS.
OpenBTS> config Control.LUR.OpenRegistration .*
NOTE: Take care with the .* regular expression: it matches every IMSI, so any phone in range of the BTS will be allowed to register.
You can enable GSM and GPRS tapping. With these options enabled you can capture GSM (signaling) and GPRS (signaling and traffic) on the L1/L2 interfaces via GSMTAP.
OpenBTS> config Control.GSMTAP.GSM 1
OpenBTS> config Control.GSMTAP.GPRS 1
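Frames tapped with the two options above are carried in GSMTAP datagrams. The parser below, an added example that is not part of the original article, decodes the 16-byte GSMTAP v2 header (version, header length, type, timeslot, ARFCN with uplink flag, signal, SNR, frame number, sub-type, antenna, sub-slot) and runs it over two constructed datagrams on the article's ARFCN 51; the constants and sample payloads are assumed for this illustration.

```python
import struct
from dataclasses import dataclass

GSMTAP_TYPE_UM = 0x01            # GSM Um (air interface) frames
GSMTAP_ARFCN_F_UPLINK = 0x4000   # bit 14 of the ARFCN field marks uplink
GSMTAP_ARFCN_MASK = 0x3FFF
GSMTAP_CHANNEL_ACCH = 0x80       # sub-type flag for associated control channels
CHANNEL_NAMES = {0: "UNKNOWN", 1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH", 5: "PCH",
                 6: "SDCCH", 7: "SDCCH4", 8: "SDCCH8", 9: "TCH/F", 10: "TCH/H",
                 11: "PACCH", 12: "CBCH52", 13: "PDCH", 14: "PTCCH", 15: "CBCH51"}
HEADER = "!BBBBHbbIBBBB"          # 16 bytes, network byte order

@dataclass
class GsmtapFrame:
    type: int
    timeslot: int
    arfcn: int
    uplink: bool
    signal_dbm: int
    snr_db: int
    frame_number: int
    channel: str
    sub_slot: int
    payload: bytes

def parse_gsmtap(datagram: bytes) -> GsmtapFrame:
    """Decode one GSMTAP v2 datagram; raises ValueError on malformed input."""
    if len(datagram) < 16:
        raise ValueError("GSMTAP datagram shorter than the fixed header")
    (ver, hdr_len, typ, ts, arfcn_raw, sig, snr,
     fn, sub, _ant, sub_slot, _res) = struct.unpack(HEADER, datagram[:16])
    if ver != 2:
        raise ValueError(f"unsupported GSMTAP version {ver}")
    hdr_bytes = hdr_len * 4               # header length is in 32-bit words
    if hdr_bytes < 16 or len(datagram) < hdr_bytes:
        raise ValueError("GSMTAP header length exceeds datagram")
    name = CHANNEL_NAMES.get(sub & ~GSMTAP_CHANNEL_ACCH, f"subtype{sub & 0x7F}")
    if sub & GSMTAP_CHANNEL_ACCH:
        name += "/ACCH"
    return GsmtapFrame(typ, ts, arfcn_raw & GSMTAP_ARFCN_MASK,
                       bool(arfcn_raw & GSMTAP_ARFCN_F_UPLINK), sig, snr, fn,
                       name, sub_slot, datagram[hdr_bytes:])

# Constructed samples (not real captures): a BCCH downlink frame and a RACH uplink burst on ARFCN 51.
SAMPLE_BCCH = struct.pack(HEADER, 2, 4, GSMTAP_TYPE_UM, 0, 51, -60, 20, 1234567, 1, 0, 0, 0) + bytes(23)
SAMPLE_RACH = struct.pack(HEADER, 2, 4, GSMTAP_TYPE_UM, 0, 51 | GSMTAP_ARFCN_F_UPLINK,
                          -75, 12, 1234570, 3, 0, 0, 0) + bytes(1)

def channel_histogram(datagrams) -> dict:
    """Count decoded frames per logical channel and direction, e.g. for a capture sanity check."""
    counts = {}
    for d in datagrams:
        f = parse_gsmtap(d)
        key = f"{f.channel}:{'UL' if f.uplink else 'DL'}"
        counts[key] = counts.get(key, 0) + 1
    return counts
```

In a live setup the same function can be applied to each UDP payload received on the GSMTAP port that Wireshark also listens on.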
At this point the minimal GSM configuration is done and you should have an operational GSM BTS.
Now you need to configure the GPRS settings to provide a data connection (Internet).
First we need to configure NAT with iptables.
openbts@openbts:~$ sudo su
root@openbts:/home/openbts# sysctl -w net.ipv4.ip_forward=1
root@openbts:/home/openbts# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
NOTE: Replace the eth0 network interface with the environment network interface connected to the Internet.
Now, for GPRS to operate you need to set the following values:
OpenBTS> config GPRS.Enable 1
OpenBTS> config GGSN.Firewall.Enable 0
OpenBTS> config GGSN.MS.IP.Base 192.168.1.20
OpenBTS> config GGSN.MS.IP.MaxCount 5
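The config values set above and in the GSM section end up in /etc/OpenBTS/OpenBTS.db. The script below is an added example, not code from the article or from OpenBTS: it reads a CONFIG table (column names KEYSTRING/VALUESTRING assumed from OpenBTS.example.sql) from a constructed in-memory copy, flags the settings that widen the test cell's exposure (open registration, disabled GGSN firewall, GSMTAP mirroring, a non-test PLMN), and shows which constructed IMSIs a given OpenRegistration pattern admits.

```python
import re
import sqlite3

# Constructed copy of the values this article sets via "OpenBTS> config <key> <value>".
SAMPLE_CONFIG = {
    "GSM.Radio.Band": "900", "GSM.Radio.C0": "51",
    "GSM.Identity.MCC": "001", "GSM.Identity.MNC": "01",
    "Control.LUR.OpenRegistration": ".*",
    "Control.GSMTAP.GSM": "1", "Control.GSMTAP.GPRS": "1",
    "GPRS.Enable": "1", "GGSN.Firewall.Enable": "0",
}
# Constructed IMSIs: one on the test PLMN 001/01, two that look like real operators' subscribers.
SAMPLE_IMSIS = ["001010000000001", "310260123456789", "262011234567890"]

def make_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for /etc/OpenBTS/OpenBTS.db with the assumed CONFIG layout."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CONFIG (KEYSTRING TEXT UNIQUE NOT NULL, VALUESTRING TEXT)")
    db.executemany("INSERT INTO CONFIG VALUES (?, ?)", SAMPLE_CONFIG.items())
    return db

def load_config(db: sqlite3.Connection) -> dict:
    return dict(db.execute("SELECT KEYSTRING, VALUESTRING FROM CONFIG"))

def audit(cfg: dict) -> list:
    """Return (key, finding) pairs, in a fixed order, for exposure-widening settings."""
    findings = []
    if cfg.get("Control.LUR.OpenRegistration") == ".*":
        findings.append(("Control.LUR.OpenRegistration",
                         "matches every IMSI: any phone in range may register"))
    if cfg.get("GPRS.Enable") == "1" and cfg.get("GGSN.Firewall.Enable") == "0":
        findings.append(("GGSN.Firewall.Enable",
                         "GGSN firewall off: phone traffic is NATed to the uplink unfiltered"))
    for key in ("Control.GSMTAP.GSM", "Control.GSMTAP.GPRS"):
        if cfg.get(key) == "1":
            findings.append((key, "tapping on: frames are mirrored over GSMTAP to the capture host"))
    if (cfg.get("GSM.Identity.MCC"), cfg.get("GSM.Identity.MNC")) != ("001", "01"):
        findings.append(("GSM.Identity.MCC/MNC", "not the test PLMN 001/01: phones of a real operator could camp"))
    return findings

def admitted(pattern: str, imsis: list) -> list:
    """IMSIs an OpenRegistration pattern lets register (assumes the regex is matched against the IMSI)."""
    rx = re.compile(pattern)
    return [i for i in imsis if rx.search(i)]

if __name__ == "__main__":
    for key, why in audit(load_config(make_sample_db())):
        print(f"{key}: {why}")
    print("admitted by '.*':     ", admitted(".*", SAMPLE_IMSIS))
    print("admitted by '^00101':", admitted("^00101", SAMPLE_IMSIS))
```

Anchoring the pattern to the test PLMN prefix, as the second call shows, keeps registration restricted to the lab SIMs while the cell is on air.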
You will connect the phones to the GSM BTS manually by selecting the “Test PLMN 1-1” network ID in the network list.
In the example shown here, the network ID is “Test PLMN 1-1” because of the values “GSM.Identity.MCC 001” and “GSM.Identity.MNC 01” configured previously.
NOTE: Valid MCC and MNC values can be found here.
After the phone is successfully authenticated to the GSM network, a welcome message containing the phone's IMSI will be received via SMS.
A phone connected to “Test PLMN 1-1” GSM BTS and using the data connection through GPRS (Internet).
I hope that after reading this article you can successfully run OpenBTS with the Nuand bladeRF x40.
If you have any questions feel free to contact me.
And remember… Share the knowledge and keep on hacking!