
SrsRANda

Srsranda
founder: abyssal
depends on:
interested: niekt0
serhii
sysop
software license: -
hardware license: -


Introduction

This project aims to use SDR (software-defined radio) to demodulate and decode 4G/5G/LTE, and to understand our own LTE network.

BE WARNED, this project is NIGHTMARE level of difficulty when it comes to getting things running.

I repeat, NIGHTMARE difficulty. Still somehow easier than brmlelect.

Why the name SrsRANda

It's a word play on two things:

Thus, SrsRANda means “fun with SrsRAN”, or “fun with LTE RAN via SrsRAN”.

Goal

To build an understanding of LTE, pipe a UDP sink into Wireshark, and maybe also create our own tiny LTE network somewhere in a radio-proof basement.

I made the following logo in about 7 minutes in GIMP; it's a TODO, just a copypasta of 2 images and a piece of text.

Almost all software listed below is based on SrsRAN 4G; be warned that things like Falcon use a modified version of SrsRAN.

Extremely hard, nightmare mode to configure correctly (see below).

Radios (SDRs) supported and currently available

Currently working with Pluto, HackRF and LimeSDR.

Antennas in use:

Software

Finding your devices

UHD can be used for many devices, such as Pluto, LimeSDR, HackRF, etc.

PlutoSDR (iio and UHD):

% iio_info -s
Available contexts:
	0: (ucsi_source_psy_USBC000:001,iwlwifi_1,pch_cannonlake,BAT0,AC,ucsi_source_psy_USBC000:002,coretemp,thinkpad,nvme,acpitz on LENOVO) [local:]
	1: 0456:b673 (Analog Devices Inc. PlutoSDR (ADALM-PLUTO)), serial=XXXX [usb:1.16.5]


% uhd_find_devices 
[INFO] [UHD] linux; GNU C++ version 9.2.1 20200304; Boost_107100; UHD_3.15.0.0-2build5
--------------------------------------------------
-- UHD Device 0
--------------------------------------------------
Device Address:
    serial: 
    default_input: False
    default_input: True
    default_output: False
    default_output: True
    device: PlutoSDR
    device_id: 0
    device_id: 6
    driver: audio
    driver: plutosdr
    label: PlutoSDR #0 usb:1.16.5
    label: default
    label: hw:HDA Intel PCH,0
    type: soapy
    uri: usb:1.16.5

Running IIO Oscilloscope with debug:

rm -f ~/.osc_profile.ini && /opt/iio-oscilloscope/bin/osc -u ip:10.3.1.7

Example output (clipped, there are a bunch of warnings):

Found plugin: CN0508
Found plugin: AD5628-1
Found plugin: ADRV9009
Found plugin: FMCADC3
Found plugin: SCPI
Found plugin: LIDAR
Found plugin: XMW
Found plugin: ad9739a
Found plugin: Partial Reconfiguration
Found plugin: CN0357
Found plugin: FMComms5
Found plugin: AD9371
Found plugin: FMComms6
Found plugin: Spectrum Analyzer
Found plugin: CN0540
Could not find expected iio devices
Found plugin: Debug
Found plugin: AD9371 Advanced
Found plugin: FMComms1
Found plugin: FMCOMMS11
Found plugin: AD6676
Found plugin: AD936X
Found plugin: AD936X Advanced
Found plugin: Motor Control
Found plugin: DAQ1/2/3
Found plugin: DMM
Found plugin: DAC Data Manager
Updating widgets...
Updating FIR filter...

IIO debug menu

It's buggy as hell, but there are options to fine-tune your Pluto. Screenshot of the debug menu (IIO Oscilloscope app):

Installation

Difficulty level: nightmare

To install SrsRAN, you need CMake and a bunch of other tools (this is without SrsGUI):

PlutoSDR needs a magic device argument string like:

device_args = driver=plutosdr,usb_direct=1,timestamp_every=1920,loopback=0

Note that for PlutoSDR you can connect via a USB device string or a LAN string (LAN is preferred, because it does not change on each run).

LimeSDR device arguments look like this:

device_args = driver=lime,soapy=0,serial=0009070602470D0F,rxant=LNAL,txant=BAND1

USRP is maybe the radio it was designed to work with, but LimeSDR and ADALM-PLUTO (PlutoSDR) work too. Config is not easy, it's nightmare difficulty.

BladeRF has not been tested yet (TODO), but it should be the easiest one to get working.

LimeSDR is the second best. If you get the device string right, it works awesome.

PlutoSDR works, but getting the device args string right is also a nightmare.

HackRF should work, I guess; not yet got that far.

This is for the UE (mobile/client); for the ENB (base station) it should be similar. Antenna config is important for both RX/TX.
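Since a wrong device_args string (a forgotten antenna name, a missing driver) is the usual cause of the error floods described on this page, here is a small checker for the [rf] section of ue.conf/enb.conf. It is an added example, not code from this page or from srsRAN; the per-driver required keys are assumptions distilled from the two working strings above, and SAMPLE_UE_CONF is a constructed config fragment.

```python
import configparser

# Keys each working driver string on this page carries (assumption, not an srsRAN list).
REQUIRED_KEYS = {
    "plutosdr": {"usb_direct", "timestamp_every", "loopback"},
    "lime": {"serial", "rxant", "txant"},
}

def parse_device_args(device_args):
    """Split 'k=v,k=v' into a dict, rejecting malformed entries."""
    parsed = {}
    for item in device_args.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed device_args entry: {item!r}")
        key, value = item.split("=", 1)
        parsed[key.strip()] = value.strip()
    return parsed

def check_device_args(device_args):
    """Return a list of problems; an empty list means the string looks complete."""
    args = parse_device_args(device_args)
    driver = args.get("driver")
    if driver is None:
        return ["no driver= key, so no Soapy driver can be selected"]
    if driver not in REQUIRED_KEYS:
        return [f"driver {driver!r} is not covered by this checker"]
    missing = sorted(REQUIRED_KEYS[driver] - set(args))
    return [f"{driver}: missing {key}=" for key in missing]

def check_conf(conf_text):
    """Read the [rf] section of a ue.conf/enb.conf and check its device_args."""
    cfg = configparser.ConfigParser(inline_comment_prefixes=("#",))
    cfg.read_string(conf_text)
    if not cfg.has_option("rf", "device_args"):
        return ["[rf] has no device_args line"]
    return check_device_args(cfg.get("rf", "device_args"))

# Constructed ue.conf fragment: the page's LimeSDR string with the antennas left out.
SAMPLE_UE_CONF = """
[rf]
device_name = soapy
device_args = driver=lime,soapy=0,serial=0009070602470D0F  # antennas forgotten
"""

if __name__ == "__main__":
    for problem in check_conf(SAMPLE_UE_CONF):
        print(problem)
```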

Running

Difficulty level: nightmare

Running UE (cellphone)

Use the srsue command. The config needs to be correct, otherwise you'll get a shitton of errors, like error -5 repeated 153000 times.

Example of correct output; note that srsran expects the first argument to be the config file, otherwise it defaults to ~/.config/srsran/ue.conf:

TODO: Pluto might need a FW change for usb_direct=1, not sure about it yet. LimeSDR should not require any FW changes.

Dots in the output mean it's looking for an ENB (base station).

Important: you MUST have correctly configured antenna names in the config, otherwise you're SOL.

% srsue 
Active RF plugins: libsrsran_rf_uhd.so libsrsran_rf_soapy.so libsrsran_rf_zmq.so
Inactive RF plugins: 
Couldn't open , trying [...]/.config/srsran/ue.conf
Reading configuration file [...]/.config/srsran/ue.conf...
WARNING: cpu0 scaling governor is not set to performance mode. Realtime processing could be compromised. Consider setting it to performance mode before running the application.
Failed to `mlockall`: 12
Built in Release mode using commit fa56836b1 on branch master.

Opening 1 channels in RF device=soapy with args=driver=plutosdr,usb_direct=1,timestamp_every=1920,loopback=0
Supported RF device list: UHD soapy zmq file
Soapy has found device #0: device=PlutoSDR, driver=plutosdr, label=PlutoSDR #0 usb:1.28.5, uri=usb:1.28.5, 
Selecting Soapy device: 0
[INFO] Opening PlutoSDR #0 usb:1.28.5...
Setting up Rx stream with 1 channel(s)
[INFO] Using format CF32.
[INFO] Auto setting Buffer Size: 524288
[INFO] Set MTU Size: 524288
Setting up Tx stream with 1 channel(s)
[INFO] Using format CF32.
[INFO] Has direct TX copy: 1
[INFO] Auto setting Buffer Size: 32768
[INFO] Set MTU Size: 32768
Available device sensors: 
 - xadc_temp0
 - xadc_voltage0
 - xadc_voltage1
 - xadc_voltage2
 - xadc_voltage3
 - xadc_voltage4
 - xadc_voltage5
 - xadc_voltage6
 - xadc_voltage7
 - xadc_voltage8
 - adm1177_current0
 - adm1177_voltage0
 - ad9361-phy_temp0
 - ad9361-phy_voltage2
Available sensors for Rx channel 0: 
State of gain elements for Rx channel 0 (AGC supported):
 - PGA: 32.00 dB
State of gain elements for Tx channel 0 (AGC not supported):
 - PGA: 79.00 dB
Rx antenna set to A_BALANCED
Tx antenna set to A
Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
Waiting PHY to initialize ... Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
done!
Attaching UE...
Starting plot for worker_id=0
[INFO] Has direct RX copy: 1
[INFO] Auto setting Buffer Size: 32768
[INFO] Set MTU Size: 32768
........................

Running eNB (base station)

First, srsepc is needed; it runs the non-radio part of the LTE core network. This includes the HSS (user database), the MME and the SP-GW internet gateway.

You need to run it as root because it creates a TUN/TAP interface. It seems to work in Docker.

The default DB contains only a few entries; if you want a different MCC, MNC, LAC, TAC or PCI, you'll have to add them to the DB/config.

# srsepc

Built in Release mode using commit fa56836b1 on branch master.


---  Software Radio Systems EPC  ---

Couldn't open , trying /root/.config/srsran/epc.conf
Reading configuration file /root/.config/srsran/epc.conf...
Couldn't open user_db.csv, trying /root/.config/srsran/user_db.csv
HSS Initialized.
MME S11 Initialized
MME GTP-C Initialized
MME Initialized. MCC: 0xf001, MNC: 0xff01
SPGW GTP-U Initialized.
SPGW S11 Initialized.
SP-GW Initialized.
Received S1 Setup Request.
S1 Setup Request - eNB Name: srsenb01, eNB id: 0xZZZ
S1 Setup Request - MCC:ZZZ, MNC:ZZ
S1 Setup Request - TAC ZZZZ, B-PLMN 0xf110
S1 Setup Request - Paging DRX v128
Sending S1 Setup Response
SCTP Association Shutdown. Association: 82
Deleting eNB context. eNB Id: 0xZZZ
...

Then use srsenb on the same machine to run the SDR part of the network:

% srsenb 
$ ./srsenb/src/srsenb 
Active RF plugins: libsrsran_rf_uhd.so libsrsran_rf_soapy.so
Inactive RF plugins: 
---  Software Radio Systems LTE eNodeB  ---

Couldn't open , trying /home/gnuradio/.config/srsran/enb.conf
Reading configuration file /home/gnuradio/.config/srsran/enb.conf...
Couldn't open sib.conf, trying /home/gnuradio/.config/srsran/sib.conf
Couldn't open rr.conf, trying /home/gnuradio/.config/srsran/rr.conf
Couldn't open rb.conf, trying /home/gnuradio/.config/srsran/rb.conf
WARNING: cpu0 scaling governor is not set to performance mode. Realtime processing could be compromised. Consider setting it to performance mode before running the application.
Failed to `mlockall`: {}
Built in Release mode using commit ec29b0c1f on branch master.

Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
Opening 1 channels in RF device=default with args=default
Supported RF device list: UHD soapy file
Trying to open RF device 'UHD'
[INFO] [UHD] linux; GNU C++ version 11.2.0; Boost_107400; UHD_4.1.0.5-3
[INFO] [LOGGING] Fastpath logging disabled at runtime.
[ERROR] avahi_client_new() failed: Daemon not running
[ERROR] avahi_client_new() failed: Daemon not running
[WARNING] Unable to scan ip: -19

Opening USRP channels=1, args: 
[INFO] [UHD RF] RF UHD Generic instance constructed
[ERROR] avahi_client_new() failed: Daemon not running
[WARNING] Unable to scan ip: -19

[INFO] [UHDSoapyDevice] Make connection: 'LimeSDR-USB [USB 3.0] 9060B00492D13'
[INFO] [UHDSoapyDevice] Reference clock 30.72 MHz
[INFO] [UHDSoapyDevice] Device name: LimeSDR-USB
[INFO] [UHDSoapyDevice] Reference: 30.72 MHz
[INFO] [UHDSoapyDevice] LMS7002M register cache: Disabled
[INFO] [UHDSoapyDevice] RX LPF configured
[INFO] [UHDSoapyDevice] RX LPF configured
[INFO] [UHDSoapyDevice] Filter calibrated. Filter order-4th, filter bandwidth set to 5 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
[INFO] [UHDSoapyDevice] TX LPF configured
[INFO] [UHDSoapyDevice] Filter calibrated. Filter order-4th, filter bandwidth set to 5 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
[INFO] [UHDSoapyDevice] TX LPF configured
RF device 'UHD' successfully opened
Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted

==== eNodeB started ===
Type <t> to view trace
[INFO] [UHDSoapyDevice] RX LPF configured
[INFO] [UHDSoapyDevice] RX LPF configured
[INFO] [UHDSoapyDevice] Filter calibrated. Filter order-4th, filter bandwidth set to 11.52 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
[INFO] [UHDSoapyDevice] TX LPF configured
[INFO] [UHDSoapyDevice] Filter calibrated. Filter order-4th, filter bandwidth set to 11.52 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
[INFO] [UHDSoapyDevice] TX LPF configured
Setting frequency: ...
[INFO] [UHDSoapyDevice] Tx calibration finished
[INFO] [UHDSoapyDevice] Rx calibration finished
[INFO] [UHD RF] Tx while waiting for EOB, timed out... 64.2848 >= 64.2843. Starting new burst...

TODO: signal drifted

Waterfall examples for UE (cellphones) and ENB (base stations)

Example waveforms: waterfalls captured over the air, both uplink and downlink. Unfortunately LTE is mixed with GSM.

LTE should be at 800/900 MHz, 1800/1900 MHz and 2100 MHz, but check the ČTÚ band allocations; each cell provider has its own channel map.

Is it a dogshit-in-a-Vibram-shoe-sole mess? YES

ENB/BTS waterfall

This is signal from base stations (ENB) to telephones (UE).

UE/cellphone waterfall

This is signal from telephones (UE) to base stations (ENB).

LTE tracker: BTS and cell search + tracking

TODO LTE Cell tracker

LTE sniffing

These experiments were carried out using 3 SDR radios:

Only LimeSDR seems to work with LTESniffer, and only in downlink mode (ENB→UE), which is still enough to get a lot of control messages and metadata. Remember that you need UHD >= 4.0, and avoid using the system srsRAN; use the one included in LTESniffer.

Example output showing a UE (phone) disconnecting from the ENB and losing its security context, a window in which it can be attacked by a fake base station (such an ENB can be made from srsENB).

Uplink requires 2 RX chains because the modulation of the UE needs to be brute-forced (it's a secret value, but only a few values are possible). LimeSDR could theoretically be used, but that would require a code change and preparation for clock sync. At the moment only a USRP X310 or two USRP B200 with GPSDO are known to work. LimeSDR can be flashed to work as a USRP B200, but you'd need two of them to avoid changing code (also it's not the main branch, but the separate multi-usrp branch of LTESniffer).

I obtained the uplink/downlink LTE channels of my own phone using the Cellular Z application. Each channel is 20 MHz wide.

LTE channel sniff manual without decode

20 MHz is the LTE channel bandwidth, which fits PlutoSDR, LimeSDR and also HackRF.

Tools used: SDR++ and HackRF's Portapack. The antennas used were mostly Taoglas 700-2700 MHz +3.8 dBi, along with a few other 700-2700 MHz multiband antennas.

Example of download and upload as seen on the frequency spectrum. This is the uplink channel, but since TCP/IP requires sending data back, a download is visible on the uplink channel as well:

Download, recorded with PlutoSDR and LimeSDR

Hence the 20 MHz vs 61 MHz bandwidth difference.

Upload, recorded with PlutoSDR and LimeSDR

Hence again the 20 MHz vs 61 MHz bandwidth difference.

Images of SDRs and antennas' setup

PlutoSDR with Taoglas antennas

HackRF with Taoglas antenna

LimeSDR photo TODO

LTE Cell tracker HOWTO