Build Your Own GSM Base Station For Fun And Profit

Over the last few years, news that police, military, and intelligence organizations use portable cellular phone surveillance devices – colloquially known as the ‘Stingray’ – has gotten out, despite their best efforts to keep a lid on the practice. There are legitimate privacy and legal concerns, but there’s also some fun tech in mobile cell-phone stations.

Off-the-shelf Stingray devices cost somewhere between $16,000 and $125,000, far too rich for a poor hacker’s pocketbook. Of course, what the government can do for $100,000, anyone else can do for five hundred. Here’s how you build your own Stingray using off-the-shelf hardware.

[Simone] has been playing around with a brand new BladeRF x40, a USB 3.0 software defined radio that operates in full duplex. It costs $420. This, combined with two rubber duck antennas, a Raspberry Pi 3, and a USB power bank is all the hardware you need. Software is a little trickier, but [Simone] has all the instructions.

Of course, if you want to look at the less legitimate applications of this hardware, [Simone]’s build is only good at receiving/tapping/intercepting unencrypted GSM signals. It’s great if you want to set up a few base stations at Burning Man and hand out SIM cards like ecstasy, but GSM has encryption. You won’t be able to decrypt every GSM signal this system can see without a little bit of work.

Luckily, GSM is horribly, horribly broken. At CCCamp in 2007, [Steve Schear] and [David Hulton] started building a rainbow table of the A5 ciphers that are used on a GSM network between the handset and the tower. GSM cracking is open source, and there are flaws in GPRS, the method GSM networks use to relay data transmissions to handsets. In case you haven’t noticed, GSM is completely broken.

Thanks [Justin] for the tip.

A Comparison of Hacker Friendly SDRs

In the market for a software defined radio? [Taylor Killian] wrote a comprehensive comparison of several models that are within the price range of amateurs and hobbyists.

You can get started with SDR using a $20 TV tuner card, but there’s a lot of limitations. These cards only work as receivers, are limited to a small chunk of the radio spectrum, and have limited bandwidth and sample rates. The new SDRs on the market, including the bladeRF, HackRF, and USRP offerings are purpose built for SDR experimentation. You might want an SDR to set up a cellular base station at Burning Man, scan Police and Fire radio channels, or to track ships.

[Taylor] breaks down the various specifications of each radio, and discusses the components used in each SDR in depth. In the end, the choice depends on what you want to do and how much you’re willing to spend. This breakdown should help you choose a hacker friendly SDR.

bladeRF, your next software defined radio

By now you might be a bit weary of your small and inexpensive TV tuner dongle software defined radio. Yes, using a USB TV dongle is a great introduction to SDR, but it has limited bandwidth, limited frequency range, and can’t transmit. Enter the bladeRF, the SDR that makes up for all the shortcomings of a USB dongle, and also serves as a great wireless development platform.

The bladeRF is able to receive and transmit on any frequency between 300 MHz and 3.8 GHz. This, along with a powerful FPGA, ARM CPU, and very good ADCs and DACs makes it possible to build your own software defined WiFi adapter, Bluetooth module, ZigBee radio, GPS receiver, or GSM and 4G LTE modem.

It’s an impressive bit of kit, but it doesn’t exactly come cheap; the bladeRF is available on the Kickstarter for $400. The folks behind the bladeRF seem to be doing things right, though, and are using their Kickstarter windfall for all the right things like a USB vendor ID.

There’s a video of two bladeRFs being used as a full duplex modem. You can check that out after the break.