Running OpenBTS with the Nuand bladeRF on Ubuntu (The Definitive and Step by Step Guide)

From: https://blog.strcpy.info/2016/11/16/running-openbts-with-the-nuand-bladerf-on-ubuntu-the-definitive-guide/


I have a personal interest in GSM technology and its derivatives, mainly in the security aspects of such technologies. Due to this particular interest, I end up having to attend discussion forums, mailing lists, and IRC channels related to these technologies.

The problem is that lately, in these channels for sharing information and knowledge, there has been a significant increase in messages expressing the community's dissatisfaction with the way the folks behind YateBTS are conducting the project.

Complaints from the community are diverse. There are complaints about the YateBTS team removing previously existing and necessary functionality, about the attempt to conduct the project through obscurity, about the lack of support and answers to questions, and even allegations that the staff behind the project is only interested in making profits by selling the commercial version.

As I know that not all GSM enthusiasts and researchers know how to program and add their own features to the YateBTS project, I decided to write this article in an attempt to provide the community with a second option for GSM study and research. This time the setup uses OpenBTS v5.0 (a software-based GSM access point), the already well-known Nuand bladeRF x40 (a relatively accessible and low-cost full-duplex SDR), and Ubuntu 12.04.5 LTS Precise Pangolin (a Debian-based Linux operating system).

One more time, I would like to thank all the pioneering hackers and researchers who started the studies related to previously closed GSM technology.

I would particularly like to thank Matthew Hickey from MDSec for the “GreedyBTS – Hacking Adventures in GSM” work, the Nuand Team for the article “Minimalistic build and run test for OpenBTS 5”, and Juan Pablo for the article “Should you need OpenBTS on your bladeRF”. All these works served as the basis for my research and gave me inspiration for writing this article.

So, let’s start the “hands on”!

Ubuntu Operating System

The first thing to do is to download and install the Ubuntu 12.04.5 LTS (Precise Pangolin) image on the system.

NOTE: In my environment I used the 32-bit version of Ubuntu 12.04.5 LTS (Precise Pangolin).

After installing the Ubuntu operating system, log in to the system and add the necessary Personal Package Archive (PPA) repositories.

Adding the Required Repositories

You must add the necessary Personal Package Archive (PPA) repositories to the environment.

openbts@strcpy.info:~$ sudo su
root@strcpy.info:/home/openbts# add-apt-repository -y ppa:git-core/ppa
root@strcpy.info:/home/openbts# add-apt-repository -y ppa:chris-lea/zeromq
root@strcpy.info:/home/openbts# add-apt-repository -y ppa:chris-lea/libsodium
root@strcpy.info:/home/openbts# add-apt-repository -y ppa:bladerf/bladerf
root@strcpy.info:/home/openbts# add-apt-repository -y ppa:ettusresearch/uhd

Installing Dependencies

After adding the PPA repositories you must install the necessary dependencies in the environment.

root@strcpy.info:/home/openbts# apt-get update
root@strcpy.info:/home/openbts# apt-get -y install git autoconf automake libtool debhelper dpkg-dev sqlite3 libsqlite3-dev g++ libusb-1.0-0-dev
root@strcpy.info:/home/openbts# apt-get -y install libortp-dev libortp8 libosip2-dev libreadline-dev libncurses5-dev libgsm1-dev cdbs libsqlite0-dev
root@strcpy.info:/home/openbts# apt-get -y install unixodbc unixodbc-dev libssl-dev libsrtp0-dev libsqliteodbc uuid-dev libjansson-dev libxml2-dev
root@strcpy.info:/home/openbts# apt-get -y install libboost1.48-all-dev libzmq3-dev libzmq3 python-zmq libsodium13 bladerf libbladerf-dev
root@strcpy.info:/home/openbts# apt-get -y install libuhd-dev libuhd003 uhd-host
root@strcpy.info:/home/openbts# apt-get autoremove

NOTE: The libsrtp0, libsrtp0, and libsrtp0-dev are required, however, they are automatically installed as dependencies of the packages described above.

Plugging the Nuand bladeRF x40

Now plug the Nuand bladeRF x40 into one of the USB ports of the computer and check the kernel log to ensure that it is being properly detected.

root@strcpy.info:/home/openbts# dmesg
[ 2092.437659] usb 1-1.2: New USB device found, idVendor=1d50, idProduct=6066
[ 2092.437679] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2092.437692] usb 1-1.2: Product: bladeRF
[ 2092.437704] usb 1-1.2: Manufacturer: Nuand
[ 2092.437716] usb 1-1.2: SerialNumber: 4c132c8ba43e0c4d922418a29a1ce207

Nuand bladeRF x40 Firmware

After making sure that the Nuand bladeRF x40 is being properly detected, it is time to download and install the Nuand bladeRF x40 firmware v1.9.1.

root@strcpy.info:/home/openbts# wget -c http://www.nuand.com/fx3/bladeRF_fw_v1.9.1.img
root@strcpy.info:/home/openbts# bladeRF-cli -f bladeRF_fw_v1.9.1.img -v verbose

After installing firmware v1.9.1, unplug the Nuand bladeRF x40 from the USB port and plug it in again to start the device with the new firmware.

Nuand bladeRF x40 FPGA

After starting the Nuand bladeRF x40 with firmware v1.9.1, it is time to download the Nuand bladeRF x40 FPGA v0.1.2 and set the device to have its FPGA loaded automatically.

root@strcpy.info:/home/openbts# wget -c http://www.nuand.com/fpga/v0.1.2/hostedx40.rbf
root@strcpy.info:/home/openbts# bladeRF-cli -L hostedx40.rbf -v verbose

After this procedure, unplug the Nuand bladeRF x40 from the USB port and plug it in again to start the device with the FPGA v0.1.2 auto-loaded.

Now it is time to check the installed versions of bladeRF-cli, libbladeRF, the Nuand bladeRF x40 firmware and the Nuand bladeRF x40 FPGA.
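Both images above are fetched over plain HTTP and then written to the device, so it is worth comparing them against a digest obtained from a trusted source before flashing. The following is an added example, not part of the original article: the function names are hypothetical and the digests in the usage comments are placeholders that must be filled in out of band.

```bash
#!/bin/sh
# Added example: refuse to flash a bladeRF image unless its SHA-256 matches
# a reference digest. verify_image and flash_verified are hypothetical names.

# verify_image FILE EXPECTED_SHA256
# returns 0 on match, 1 on mismatch, 2 if the file is missing,
# 3 if the reference digest is not 64 hex digits (e.g. an unfilled placeholder)
verify_image() {
    local file=$1 expected=$2 actual
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    printf '%s\n' "$expected" | grep -Eqx '[0-9a-fA-F]{64}' || {
        echo "no valid reference digest for $file" >&2; return 3; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] || {
        echo "DIGEST MISMATCH: $file" >&2; return 1; }
}

# flash_verified FILE EXPECTED_SHA256 FLAG
# FLAG is -f (firmware) or -L (FPGA autoload), as in the commands above.
# bladeRF-cli is only reached when the digest check succeeds.
flash_verified() {
    verify_image "$1" "$2" || return
    bladeRF-cli "$3" "$1" -v verbose
}

# Usage (placeholders, not real digests):
#   flash_verified bladeRF_fw_v1.9.1.img '<FIRMWARE_SHA256>' -f
#   flash_verified hostedx40.rbf         '<FPGA_SHA256>'     -L
```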

root@strcpy.info:/home/openbts# bladeRF-cli -i
bladeRF> version

  bladeRF-cli version:        1.4.0-2016.06-1-ppaprecise
  libbladeRF version:         1.7.2-2016.06-1-ppaprecise

  Firmware version:           1.9.1
  FPGA version:               0.1.2

bladeRF>

Exit the bladeRF prompt by typing ‘quit’.

OpenBTS and the Transceiver

For OpenBTS to work with the Nuand bladeRF x40, some changes to the OpenBTS source code are required, as well as building and using a specific transceiver that can be found in older versions of YateBTS.

But don’t worry! To make the implementation as easy as possible, I created a repository on GitHub with the already patched source code of OpenBTS v5.0 (with all its required libraries and tools), as well as the patched source code of YateBTS v5.0.1, which contains the correct version of the transceiver that should be built and used.

root@strcpy.info:/home/openbts# git clone https://github.com/strcpyblog/OpenBTS-Nuand-bladeRF.git

Building and Installing the A5/3 Call Encryption Library

After cloning the “OpenBTS-Nuand-bladeRF” repository using Git, you now need to build and install the A5/3 Call Encryption Library (liba53).

root@strcpy.info:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53# make
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53# make install
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53# ldconfig

Building and Installing the Coredumper Library

OpenBTS uses the Coredumper Shared Library to produce meaningful debugging information if OpenBTS crashes.

So, you now need to build and install the Coredumper Library (libcoredumper).

root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/liba53# cd ../libcoredumper
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/libcoredumper# ./build.sh
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/libcoredumper# dpkg -i *.deb

Building and Installing the Transceiver

For OpenBTS to work with the Nuand bladeRF x40 you need to build and install the transceiver.

root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/libcoredumper# cd ../../YateBTS-v5.0.1/mbts/Peering
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/Peering# make
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/Peering# cd ../TransceiverRAD1
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/TransceiverRAD1# make
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/TransceiverRAD1# cp -p transceiver-bladerf ../../../OpenBTS-v5.0/openbts/apps
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/YateBTS-v5.0.1/mbts/TransceiverRAD1# cd ../../../OpenBTS-v5.0/openbts/apps
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps# ln -s transceiver-bladerf transceiver

Building OpenBTS Source Code

With the transceiver built and installed, it is time to build the OpenBTS v5.0 source code.

root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps# cd ..
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# ./autogen.sh
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# ./configure --with-uhd
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# make

Configuring OpenBTS

With OpenBTS built you now need to configure it to run correctly.

root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# mkdir /etc/OpenBTS
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# sqlite3 -init apps/OpenBTS.example.sql /etc/OpenBTS/OpenBTS.db ".quit"
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# cp -p apps/rsyslogd.OpenBTS.conf /etc/rsyslog.d/OpenBTS.conf

Building and Installing the Subscriber Registry and Sipauthserve

It’s important to install the Subscriber Registry and Sipauthserve (the SIP authorization server for registration traffic) to be able to launch OpenBTS.

The Subscriber Registry controls the database of subscriber information and works as the HLR (Home Location Register). You will not be able to have a usable system without it.

root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts# cd ../subscriberRegistry
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# ./autogen.sh
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# ./configure
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# make
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# sqlite3 -init apps/sipauthserve.example.sql /etc/OpenBTS/sipauthserve.db ".quit"

Building and Installing Smqueue

Smqueue is the store-and-forward message service packaged with OpenBTS.

root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry# cd ../smqueue
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# autoreconf -i
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# ./configure
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# make
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# sqlite3 -init smqueue/smqueue.example.sql /etc/OpenBTS/smqueue.db ".quit"
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# mkdir -p /var/lib/OpenBTS
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# touch /var/lib/OpenBTS/smq.cdr

Building and Installing Asterisk

Asterisk is a software implementation of a telephone Private Branch Exchange (PBX) and is the “standard” OpenBTS PBX.

root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue# cd ../asterisk
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk# ./build.sh
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk# dpkg -i *.deb

Configuring Asterisk

With Asterisk installed you now need to configure it to run correctly.

root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk# cd ../asterisk-config
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# mkdir -p /var/lib/asterisk/sqlite3dir
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# mkdir -p /var/lib/asterisk/sounds/en
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# cp -p en/*.gsm /var/lib/asterisk/sounds/en
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# cp -p *.conf /etc/asterisk
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# cp -p *.ini /etc
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/asterisk-config# chown -R asterisk:asterisk /var/lib/asterisk/sqlite3dir

Starting OpenBTS

After this long process it is time to start OpenBTS.
To do this, execute the following commands (each in its own terminal window) in the following order:

1 – ./smqueue

openbts@strcpy.info:~$ sudo su
root@strcpy.info:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue/smqueue
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/smqueue/smqueue# ./smqueue
ALERT 29938:29938 2016-11-16T06:22:07.0 smqueue.cpp:2798:main: smqueue (re)starting
smqueue logs to syslogd facility LOCAL7, so there's not much to see here

2 – ./sipauthserve

openbts@strcpy.info:~$ sudo su
root@strcpy.info:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry/apps
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/subscriberRegistry/apps# ./sipauthserve
ALERT 29948:29948 2016-11-16T06:22:19.5 sipauthserve.cpp:328:main: ./sipauthserve (re)starting

3 – ./asterisk

openbts@strcpy.info:~$ sudo su
root@strcpy.info:/home/openbts# asterisk -vvv

If Asterisk was set up correctly you should see a bunch of messages and the lines:

...
 func_channel.so => (Channel information dialplan functions)
  == Registered application 'WaitUntil'
 app_waituntil.so => (Wait until specified time)
  == Registered custom function 'ENUMRESULT'
  == Registered custom function 'ENUMQUERY'
  == Registered custom function 'ENUMLOOKUP'
  == Registered custom function 'TXTCIDNAME'
 func_enum.so => (ENUM related dialplan functions)
Asterisk Ready.

4 – ./OpenBTS

openbts@strcpy.info:~$ sudo su
root@strcpy.info:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps# ./OpenBTS

If OpenBTS was set up correctly you should see a bunch of messages and the lines:

...
1479288481.102512 3072931584:
Starting the system...
ALERT 30274:30281 2016-11-16T06:28:06.1 OpenBTS.cpp:174:startTransceiver: starting transceiver ./transceiver with 1 ARFCNs
1479288491.590588 3072931584:
system ready

1479288491.590639 3072931584:
use the OpenBTSCLI utility to access CLI

1479288491.590796 3072931584: OpenBTSCLI network socket support for tcp:49300

OpenBTS>

5 – ./OpenBTSCLI

openbts@strcpy.info:~$ sudo su
root@strcpy.info:/home/openbts# cd OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps
root@strcpy.info:/home/openbts/OpenBTS-Nuand-bladeRF/OpenBTS-v5.0/openbts/apps# ./OpenBTSCLI
OpenBTS Command Line Interface (CLI) utility
Copyright 2012, 2013, 2014 Range Networks, Inc.
Licensed under GPLv2.
Includes libreadline, GPLv2.
Connecting to 127.0.0.1:49300...
Remote Interface Ready.
Type:
 "help" to see commands,
 "version" for version information,
 "notices" for licensing information,
 "quit" to exit console interface.
OpenBTS>

After executing all the commands described above you will have something like this:

Configuring the GSM BTS Operability

Now you can start to configure the BTS using the OpenBTS Command Line Interface (CLI) utility.

For the GSM BTS operability you need to set the following values:

OpenBTS> config GSM.Radio.Band 900
OpenBTS> config GSM.Radio.C0 51
OpenBTS> config GSM.Identity.MCC 001
OpenBTS> config GSM.Identity.MNC 01
OpenBTS> config GSM.Radio.PowerManager.MaxAttenDB 35
OpenBTS> config GSM.Radio.PowerManager.MinAttenDB 35

Allowing Subscribers

You need to allow subscribers' phones to connect to the GSM BTS.

OpenBTS> config Control.LUR.OpenRegistration .*

NOTE: Take care with the .* regular expression: it matches every IMSI, so any phone within range is allowed to register.
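To see what a given Control.LUR.OpenRegistration value lets in before applying it, the pattern can be tried against a list of IMSIs. This is an added example, not part of the original article; it assumes OpenBTS evaluates the value as a POSIX extended regular expression searched (unanchored) against the IMSI digits, which grep -E mimics, and the IMSIs are constructed samples. The prefix 00101 corresponds to the MCC 001 and MNC 01 configured above.

```bash
#!/bin/sh
# Added example: audit an OpenRegistration pattern against sample IMSIs.
# Assumption: the pattern is a POSIX ERE searched, unanchored, in the IMSI.

# admits PATTERN IMSI -> exit 0 if the IMSI would be allowed to register
admits() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Constructed sample IMSIs (not real subscribers):
#   two test SIMs on 001/01, two phones from other networks, and one IMSI
#   that merely contains the digits 00101 somewhere in the middle.
SAMPLE_IMSIS="001010000000001
001010000000002
310150123456789
724051234567890
200101999999999"

# admitted PATTERN -> prints the sample IMSIs the pattern lets in
admitted() {
    for imsi in $SAMPLE_IMSIS; do
        if admits "$1" "$imsi"; then echo "$imsi"; fi
    done
}

# report -> one summary line per candidate pattern
report() {
    for p in '.*' '00101' '^00101' '^001010000000001$'; do
        echo "$p admits $(admitted "$p" | wc -l) of 5"
    done
}

report
```

The unanchored `00101` also admits 200101999999999, so a pattern meant to allow only the test network needs the leading `^`.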

Tapping

You can activate GSM and GPRS tapping. With these options enabled you can capture GSM (signaling) and GPRS (signaling and traffic) on the L1/L2 interfaces via GSMTAP.

OpenBTS> config Control.GSMTAP.GSM 1
OpenBTS> config Control.GSMTAP.GPRS 1

At this point the minimal GSM configuration needed is done and you should have an operational GSM BTS.

Now you need to configure the GPRS settings to provide a data connection (Internet).

Configuring the GPRS BTS Operability

First, configure NAT with iptables.

openbts@strcpy.info:~$ sudo su
root@strcpy.info:/home/openbts# sysctl -w net.ipv4.ip_forward=1
root@strcpy.info:/home/openbts# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

NOTE: Replace the eth0 network interface with the environment network interface connected to the Internet.

Now, for the GPRS operability you need to set the following values:

OpenBTS> config GPRS.Enable 1
OpenBTS> config GGSN.Firewall.Enable 0
OpenBTS> config GGSN.MS.IP.Base 192.168.1.20
OpenBTS> config GGSN.MS.IP.MaxCount 5
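With GGSN.Firewall.Enable set to 0 and an unrestricted MASQUERADE rule, anything the host forwards out of the Internet-facing interface is NATed. The following added example (not part of the original article) derives the phone address range from GGSN.MS.IP.Base and GGSN.MS.IP.MaxCount and prints a narrower rule set for review instead of applying it; it assumes phones receive consecutive addresses starting at the base, and the function names are hypothetical.

```bash
#!/bin/sh
# Added example: limit NAT and forwarding to the addresses handed to phones.
# Assumption: OpenBTS assigns COUNT consecutive addresses starting at BASE.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# ms_range BASE COUNT -> "first-last", carrying across octet boundaries
ms_range() {
    [ "$2" -ge 1 ] 2>/dev/null || { echo "count must be >= 1" >&2; return 1; }
    local first
    first=$(ip_to_int "$1")
    echo "$1-$(int_to_ip $(( first + $2 - 1 )))"
}

# nat_rules WAN_IF BASE COUNT -> prints iptables commands, does not run them.
# The last rule drops every other forwarded packet on this host, so review
# the output before applying it on a machine that routes anything else.
nat_rules() {
    local range
    range=$(ms_range "$2" "$3") || return 1
    cat <<EOF
iptables -t nat -A POSTROUTING -o $1 -m iprange --src-range $range -j MASQUERADE
iptables -A FORWARD -o $1 -m iprange --src-range $range -j ACCEPT
iptables -A FORWARD -i $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# Values from the configuration above; eth0 is the article's example interface.
nat_rules eth0 192.168.1.20 5
```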

Connecting Phones

Manually connect the phones to the GSM BTS by selecting the “Test PLMN 1-1” Network ID in the network list.

In the example shown here, the Network ID is “Test PLMN 1-1” due to the values “GSM.Identity.MCC 001” and “GSM.Identity.MNC 01”, previously configured.

NOTE: Valid MCC and MNC values can be found here.

After the phones are successfully authenticated to the GSM network, a welcome message containing the phone IMSI will be received via SMS.

A phone connected to “Test PLMN 1-1” GSM BTS and using the data connection through GPRS (Internet).

 

Final Notes

I hope that after reading this article you can successfully run OpenBTS with the Nuand bladeRF x40.

If you have any questions feel free to contact me.

And remember… Share the knowledge and keep on hacking!
