If you’re wondering how to get a better signal on your cellphone, or just want to set up your own private cell network, this one is for you. It’s a GSM base station made with a BeagleBone Black and a not too expensive software defined radio board.
The key component of this build is obviously the software defined radio. [Julian] is using a USRP B200 radio for this project. It’s not cheap, but it is a very nice piece of hardware capable of doing just about anything with GNU Radio. This board is controlled by a BeagleBone Black, a pretty cheap solution that puts the total cost of the hardware somewhere around $750.
The software side of the build is mostly handled by OpenBTS, the open-source project that implements the software side of a cell station. It controls the transceiver, handles calls and SMS, and does all the back-end work every other cell station does. OpenBTS also includes support for Asterisk, the software of choice for PBX and VoIP setups. Running this allows you to make calls and send texts with your SDR-equipped, Internet-enabled BeagleBone Black anywhere on the planet.
Have fun trying to get a spectrum licence for this.
It should be outlawed before criminals start using sets like that.
Because outlawing things always stops criminals from using them…
It must not be impossible; a few cons have got test spectrum for the last few years using their own dedicated SIMs. It really does depend on who controls the spectrum.
https://events.ccc.de/congress/2013/wiki/Static:GSM
It’s tighter than a fish’s butt hole in Australia. The only way we got approval for trialling OpenBTS in Australian Antarctic territory (Antarctica FFS!) was by special ministerial approval.
Actually the 4G spectrum should be opening up a bit more in remote/regional areas:
http://www.acma.gov.au/Industry/Spectrum/Spectrum-projects/1800-MHz-band/responses-to-1800-mhz-a-shared-strategy-issues-paper-1-and-2
I’m going to try and get OpenBTS up and running…
everything is tight here on the prison colony
You’ve got that right. AT&T and Verizon are the biggest cons of all time!
Depends where you live. If you form a company you could quite easily get a low powered development license in most of Europe.
Chris Paget had a talk about GSM IMSI catchers at Defcon 18, where, amongst other things, he mentions the spectrum rules (in the US).
https://www.youtube.com/watch?v=xKihq1fClQg&t=8m26s
So in the US you (at least technically) legally could run a GSM station.
You beat me to it!
*Kristin Paget
Anyone can do it for free in the Netherlands:
(Dutch) http://tweakers.net/nieuws/86938/iedereen-mag-in-nederland-gsm-of-4g-netwerk-opzetten.html
This can’t be legal.
100% legal as long as you keep it in a well-shielded EMC test chamber, in most countries. That is, if you had enough money to start a telco company.
Am I the only one thinking how much the price of an IMSI-catcher has dropped? Like 20 years ago it would have been a large seven-figure sum.
Well done! Now make it under $100 and the games are on!
Watch “Wideband GSM Sniffing [27C3]” and pick up a few debugging devices for GSM (about 19 mins in, but you should watch the whole video). It really does depend on what your “games” is, as to exactly what hardware you use.
Is HackRF capable of doing the same thing?
Short answer: probably. The HackRF is half duplex; it can either receive or transmit – https://www.kickstarter.com/projects/mossmann/hackrf-an-open-source-sdr-platform/comments?cursor=4074602#comment-4074601
Even with custom firmware, GSM downlink and uplink are typically 35 MHz each; the HackRF by design does 20 MHz, because of Hi-Speed USB 2.0.
But in the article it does say that an RTL-SDR could be used, which is RX only and just 2.4 MHz.
“UHD capable Ettus USRP or RTL SDR solution (this HOWTO assumes the former – yes they’re expensive)”
The downlink band itself is quite wide, but the actual GSM carrier itself has a bandwidth of 270 kHz. If you can sample 1-2 MHz you can do it.
The base station absolutely needs full duplex.
My understanding was that the RTL chipset was limited to 1.7 GHz.
The RTL-SDRs come with a few different tuners which have different frequency ranges.
The separation between the uplink and downlink for GSM 850 and 900 is 45 MHz. As dodo said, the carrier is about 270 kHz.
The HackRF’s crystal clock is too inaccurate to be used for base station applications. The HackRF also lacks any sort of method of timestamping RX and TX samples; most SDRs such as the B200 and bladeRF use FPGAs to achieve that.
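The feasibility questions argued in this sub-thread (a 2.4 MHz receive-only RTL-SDR seeing a 270 kHz carrier, a half-duplex HackRF not being usable as a base station, what the 45 MHz duplex split implies) as an added worked example in Python; this is not code from the post or from any commenter. The ARFCN ranges and band edges are standard GSM values; the DCS1800 band and the SDR specs (bandwidth, tuning limit, duplex capability) are assumptions taken from the numbers quoted above and vendor figures.

```python
from dataclasses import dataclass

CHANNEL_SPACING_HZ = 200_000   # ARFCN raster
GSM_CARRIER_BW_HZ = 270_000    # one GSM carrier occupies roughly 270 kHz

# band -> (first ARFCN, last ARFCN, uplink Hz of first ARFCN, duplex split Hz)
# GSM850 and P-GSM900 use the 45 MHz split quoted in the thread; DCS1800's
# 95 MHz split is a standard value added here for the tuner-range check.
BANDS = {
    "GSM850": (128, 251, 824_200_000, 45_000_000),
    "GSM900": (0, 124, 890_200_000, 45_000_000),
    "DCS1800": (512, 885, 1_710_200_000, 95_000_000),
}

def arfcn_to_freqs(band: str, arfcn: int) -> tuple[int, int]:
    """Return (uplink_hz, downlink_hz); downlink sits one duplex split above uplink."""
    lo, hi, base, split = BANDS[band]
    if not lo <= arfcn <= hi:
        raise ValueError(f"ARFCN {arfcn} is outside {band} ({lo}-{hi})")
    uplink = base + (arfcn - lo) * CHANNEL_SPACING_HZ
    return uplink, uplink + split

@dataclass
class Sdr:
    name: str
    bandwidth_hz: int   # usable instantaneous bandwidth (sample rate)
    max_tune_hz: int    # highest frequency the tuner reaches
    can_transmit: bool
    full_duplex: bool   # receive and transmit at the same instant?

def assess(sdr: Sdr, band: str, arfcn: int) -> dict:
    """Roles the SDR can fill on one channel: a receiver needs ~one carrier of
    bandwidth, a BTS must also be full duplex, one-tuner capture of both directions
    needs the whole duplex split plus a carrier inside the bandwidth."""
    uplink, downlink = arfcn_to_freqs(band, arfcn)
    in_range = downlink <= sdr.max_tune_hz
    one_carrier = sdr.bandwidth_hz >= GSM_CARRIER_BW_HZ
    both_dirs = sdr.bandwidth_hz >= (downlink - uplink) + GSM_CARRIER_BW_HZ
    return {
        "rx_downlink": in_range and one_carrier,
        "base_station": in_range and one_carrier and sdr.can_transmit and sdr.full_duplex,
        "rx_both_directions_one_tuner": in_range and both_dirs,
    }

# Assumed specs: bandwidth/duplex as quoted in the thread; tuning limits from vendor data.
SDRS = {
    "RTL-SDR": Sdr("RTL-SDR", 2_400_000, 1_700_000_000, False, False),
    "HackRF": Sdr("HackRF", 20_000_000, 6_000_000_000, True, False),
    "USRP B200": Sdr("USRP B200", 56_000_000, 6_000_000_000, True, True),
}
```

Calling `assess(SDRS["RTL-SDR"], "GSM900", 10)` reproduces the thread's conclusion: the RTL-SDR can receive a downlink carrier but cannot act as a base station, and only the B200 can do both.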
Still too expensive… but it seems promising for doing funny stuff… http://www.slideshare.net/iazza/dcm-final-23052013fullycensored
Spelling out acronyms the first time they’re used prevents readers from having to go to another website to look them up. GSM – Global System for Mobile Communications
Definitely worthy of HaD. Amazing.
Awesome! Now this caught my attention as something to follow. It’s probably one of the most innovative and thought provoking articles I’ve read on HAD in ages.
I want the AMPS version of this.
Why? So you can use obsolete hardware?
The USRP B200 is way too expensive for what it is; I spent half as much getting OpenBTS running on a Raspberry Pi with a bladeRF.
The B200 is $25 more expensive than the comparable bladeRF, has a much better front-end, a far larger user community, and a highly respected company behind it.
Two questions, perhaps naive:
1. If this setup and a cellular device were operated in a shielded environment, would it prevent the system from interfering with cell phones outside the shielded environment?
2. Assuming proper shielding, would operating the setup without an FCC license still be illegal in the US?
As long as the shielding attenuates the generated frequency range and its harmonics to below the noise floor on the other side of the shielding. But if there were a fault/failure in your shielding, then you would have problems.
See the example given of a microwave oven screen @ https://en.wikipedia.org/wiki/Electromagnetic_shielding
And watch https://www.youtube.com/watch?v=5N1C3WB8c0o at 11:30 for the bit about adding a microwave oven.
Thanks Truth, that’s a cool video. I’m a bit surprised that the shielding around a microwave leaks so much. Good enough for consumer use, but insufficient around highly sensitive equipment.
That is pretty cool!
I need this. I need a device that can enable me to offer telecom service over a coverage range of 30 km using a small cell network device. Please, anyone, tell me where I can get this device with every configuration already made, so that I just set up the device and start earning with it; it only needs to enable calls and SMS.
Hi, could someone please tell me where I can get the hardware equipment? I have to try it out.
How do you get hold of a test SIM to connect a cell phone with the SDR base station?