Building Your Own 4G LTE Base Station

Phone connected to the DIY LTE network playing a YouTube video, with antennas in the background

We’ve seen quite a few DIY 2G networks over the years, but the 4G field has been relatively barren. Turns out, there’s an open source suite called srsRAN that lets you use an SDR for setting up an LTE network, and recently, we’ve found a blog post from [MaFrance351] (Google Translate) that teaches you everything you could need to know if you ever wanted to launch a LTE network for your personal research purposes.

For a start, you want a reasonably powerful computer, a transmit-capable full-duplex software defined radio (SDR), suitable antennas, some programmable SIM cards, and a few other bits and pieces like SIM card programmers and LTE-capable smartphones for testing purposes. Get your hardware ready and strap in, as [MaFrance351] guides you through setting up your own base station, with extreme amounts of detail outlining anything you could get caught up on.

First, get DragonOS set up — that’ll help you avoid compiling srsRAN from scratch. Then, treat yourself to a short guide on editing srsRAN config files. Having done that, connect your SDR, and run a few commands. This is enough to have your LTE network show up in the list of available networks on your phone.

Of course, you won’t be able to connect to it yet — that’s where the SIM cards come into play. Flash them with your network’s ID and a few other parameters, add your SIM into the srsRAN database, plug it in, and see your network’s name appear on the phone’s home screen. Setting up a data connection is just a few commands away, too, as evidenced by a fair few SpeedTest screenshots!

There’s plenty of fun things you could achieve with such a base station: reverse-engineering of proprietary technology, security research, and probing for vulnerabilities through WWAN interfaces rarely considered as an attack surface. Maybe you could even set up your own cell network — if you ever go sailing in neutral waters, that is.

In case you’re not aware, operating such a network is illegal for basically any hacker reading this article — and it will be easy for your country’s relevant agencies to catch you in the act. As such, grab your Faraday cages and lead-lined fridges, and make sure that you don’t cause any illegal interference if you do end up exploring this path.

We’ve generally seen 2G base stations over the years, but with the sunset of 2G, those have only been useful in an increasingly low number of countries, and, every once in a while, a hacker camp. Need to debug your DIY network at some point? Grab an LTE sniffer!

14 thoughts on “Building Your Own 4G LTE Base Station

    1. OpenBTS was 2008.
      We had private cell networks running at Def Con going back at least as far as 2005.
      Though most were probably pirate networks…
      It was a different age…

  1. Grounded copper lined box for Faraday cage.

    If you know some tribes w an unused 2.5zGHz license, you might be able to do some good. Will you find 2.5GHz capable handsets?

  2. These have been around for quite a while, I built an Open Air Interface (OAI) 4G base station over 4 years ago with permission from a local network operator for some spectrum. Similarly, various SIM tools around to program your own cards to use in phones, and OAI also provide a core network.
    Once you’ve got all that running you probably need some extra hardware to get the RF tuned as transmit powers can be rather tricky to get right.

  3. Older LTE base station equipment, usually single band or limited bandwidth is going to scrap now as they get changed out for multi-band radios, higher PA efficiencies, or other improvements. These could be 40W to 100W base stations, or 5W small cells. But these will use the vendor’s (Huawei, Ericsson, Nokia, Samsung, etc) proprietary protocols for control. CPRI then eCPRI. Some small cells have built in BBU, which would make creating your own cell site easier talking to it rather than baseband to the radio. Now carriers are playing with Open RAN and OvRAN using open protocol radios and standardized eCPRI. Most carriers are playing with this. With published eCPRI, your own LTE cell site could be achievable. Unless you have access to carrier scrap, including antennas, power, RF lines, 25 Gbps SFP’s, it would still be expensive to accomplish for an experimenter. VoIP and data over WiFi (or WiFi calling through your carrier) seems a lot easier to accomplish in places where the cellular sun doesn’t shine!

    1. Goof points, RF Dude. The eCPRI interfaces are now open (products in networks) with several manufacturers participating in the 5G Open RAN interoperability framework. NEC, Fujitsu, Mavenir, Nokia, Parallel Wireless, Altiostar, all have open interfaces to the DU and CU meaning any of the aforementioned RUs will communicate to any DU – CU combo.. and with the core

  4. I live in Canberra, the capital city of Australia. I have a letter from the Network Team of Telstra, our biggest telecommunications provider, specifically saying that no, 4G doesn’t work at my house. No 5G either. When they turn off 3G at the end of the month I will be screwed.*

    Telstra is a former national telco, so the infrastructure was built by Australian taxes, before being sold off at the end of the 20th century. It sees to me like I have a moral obligation to build my own network, and if the regulators come after me, it’s further proof that they are in the pockets of our telcos. Are you listening, ACMA? I’m gonna build my own 4G cell because nobody else will. Come get me.

    * The landline is no better. The 1970s copper in my area is congested as hell, even worse when it rains. Borderline impossible to work from home, which we were REQUIRED to do in 2020/2021. https://en.wikipedia.org/wiki/National_Broadband_Network

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.