We’ve seen quite a few DIY 2G networks over the years, but the 4G field has been relatively barren. Turns out, there’s an open source suite called srsRAN that lets you use an SDR for setting up an LTE network, and recently, we’ve found a blog post from [MaFrance351] (Google Translate) that teaches you everything you could need to know if you ever wanted to launch a LTE network for your personal research purposes.
For a start, you want a reasonably powerful computer, a transmit-capable full-duplex software defined radio (SDR), suitable antennas, some programmable SIM cards, and a few other bits and pieces like SIM card programmers and LTE-capable smartphones for testing purposes. Get your hardware ready and strap in, as [MaFrance351] guides you through setting up your own base station, with extreme amounts of detail outlining anything you could get caught up on.
First, get DragonOS set up — that’ll help you avoid compiling srsRAN from scratch. Then, treat yourself to a short guide on editing srsRAN config files. Having done that, connect your SDR, and run a few commands. This is enough to have your LTE network show up in the list of available networks on your phone.
Of course, you won’t be able to connect to it yet — that’s where the SIM cards come into play. Flash them with your network’s ID and a few other parameters, add your SIM into the srsRAN database, plug it in, and see your network’s name appear on the phone’s home screen. Setting up a data connection is just a few commands away, too, as evidenced by a fair few SpeedTest screenshots!
There’s plenty of fun things you could achieve with such a base station: reverse-engineering of proprietary technology, security research, and probing for vulnerabilities through WWAN interfaces rarely considered as an attack surface. Maybe you could even set up your own cell network — if you ever go sailing in neutral waters, that is.
In case you’re not aware, operating such a network is illegal for basically any hacker reading this article — and it will be easy for your country’s relevant agencies to catch you in the act. As such, grab your Faraday cages and lead-lined fridges, and make sure that you don’t cause any illegal interference if you do end up exploring this path.
We’ve generally seen 2G base stations over the years, but with the sunset of 2G, those have only been useful in an increasingly low number of countries, and, every once in a while, a hacker camp. Need to debug your DIY network at some point? Grab an LTE sniffer!
Band 48 is CBRS in USA. You could in theory operate on it without legal issue?
Yep. CBRS is very lightly licensed and there is now a decent amount of LTE and 5G NR base station equipment directly targeting it.
And in Europe, Band 40 is in amateur radio range, too – and could probably be operated in a similar way, as Hamnet does.
Burning man led the way with OpenBTS.
https://www.leg.ba/the-burning-man-private-networks/
Actually I think led the way in learning about the value of deep tread tires
Nope if you need that kind of tire out there you are driving when you shouldn’t be and destroying the road for everyone else.
OpenBTS was 2008.
We had private cell networks running at Def Con going back at least as far as 2005.
Though most were probably pirate networks…
It was a different age…
Grounded copper lined box for Faraday cage.
If you know some tribes w an unused 2.5zGHz license, you might be able to do some good. Will you find 2.5GHz capable handsets?
In Europe the 2.5-2.6GHz band is in wide use for LTE, so yes.
These have been around for quite a while, I built an Open Air Interface (OAI) 4G base station over 4 years ago with permission from a local network operator for some spectrum. Similarly, various SIM tools around to program your own cards to use in phones, and OAI also provide a core network.
Once you’ve got all that running you probably need some extra hardware to get the RF tuned as transmit powers can be rather tricky to get right.
The SRS guys also have a NR (5G) base station support … and full guides how to setup on their own doc website.
Older LTE base station equipment, usually single band or limited bandwidth is going to scrap now as they get changed out for multi-band radios, higher PA efficiencies, or other improvements. These could be 40W to 100W base stations, or 5W small cells. But these will use the vendor’s (Huawei, Ericsson, Nokia, Samsung, etc) proprietary protocols for control. CPRI then eCPRI. Some small cells have built in BBU, which would make creating your own cell site easier talking to it rather than baseband to the radio. Now carriers are playing with Open RAN and OvRAN using open protocol radios and standardized eCPRI. Most carriers are playing with this. With published eCPRI, your own LTE cell site could be achievable. Unless you have access to carrier scrap, including antennas, power, RF lines, 25 Gbps SFP’s, it would still be expensive to accomplish for an experimenter. VoIP and data over WiFi (or WiFi calling through your carrier) seems a lot easier to accomplish in places where the cellular sun doesn’t shine!