project:srsranda

Differences

project:srsranda [2023/12/06 18:24] – [Images of SDRs and antennas' setup] abyssalproject:srsranda [2024/05/27 17:17] (current) – [Radios supported (SDRs), currently available] Pluto needs FW reflash and external clock for LTE abyssal
Line 23: Line 23:
   * ENB = base station (BTS)   * ENB = base station (BTS)
  
 +**BE WARNED, this project is NIGHTMARE level of difficulty** to get things running.
 +
 +I repeat, **NIGHTMARE difficulty**. Still somehow easier than ''brmlelect''.
  
 ===== Why the name SrsRANda ===== ===== Why the name SrsRANda =====
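Review bot: The bold difficulty warning added after the eNB definition duplicates the one added in the next hunk under the SrsRAN 4G link ("Extremely hard, nightmare mode to configure correctly (see below)"); keep this top-level one and make the later one a pointer to the eNB configuration section, or drop it. Also, ''brmlelect'' is rendered as monospace text rather than a wiki link, so a reader cannot follow the comparison; link the project page if one exists.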
Line 44: Line 47:
  
   * [[https://www.srsran.com/4g|SrsRAN 4G]] - setup of SrsRAN 4G, general info   * [[https://www.srsran.com/4g|SrsRAN 4G]] - setup of SrsRAN 4G, general info
 +
 +Almost all software listed below is based on SrsRAN 4G, be warned that things like Falcon have modified version of SrsRAN
 +
 +**Extremely hard, nightmare mode** to configure correctly (see below).
  
 ===== Radios supported (SDRs), currently available ===== ===== Radios supported (SDRs), currently available =====
  
-  * 1x ADALM PLUTO SDR (56 MHz bandwidth) +  * 1x ADALM PLUTO SDR (56 MHz bandwidth) - note this [[https://www.quantulum.co.uk/blog/private-lte-with-analog-adalm-pluto/#|requires FW reflashing, rebuild SoapySDR and possibly using external clock]], otherwise wonky due to lack of timestamping and bad oscillator Rakon 513371 with an accuracy of +/- 25ppm (should be +/- 0.25ppm for LTE), avoiding sluggish original IIO daemon 
-  * 2x HackRF (24 MHz bandwidth, only half-duplex)+  * 2x HackRF (20 MHz bandwidth, only half-duplex)
   * 1x BladeRF (112 MHz bandwidth)   * 1x BladeRF (112 MHz bandwidth)
-  * 1-2x LimeSDR (61.44 MHz, 4 RX/TX antennas+  * 1-2x LimeSDR (61.44 MHz per RX/TX port, so 2x61.4MHz RX; 2 RX and 2 TX ports, RX ports have 3 antennas each, TX ports have 2 antennas each)
   * 1x LimeSDR mini   * 1x LimeSDR mini
  
 +Currently working with Pluto, HackRF and LimeSDR.
 +
 +**Antennas in use:**
 +
 +  * 12x [[https://cz.mouser.com/ProductDetail/960-TG.30.8113| Taoglas TG.30.8113 700-2700 +6.8 dBi multiband]] - seriously have look at their [[https://cz.mouser.com/datasheet/2/398/TG_30_8113-3137551.pdf|datasheet]], it's incredible
 +  * one 700-2700 MHz, copper body, around +5 dBi
 +  * one 700-2700 Mhz light coiled antenna, maybe +3 dBi
 ===== Software ===== ===== Software =====
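Review bot: The Taoglas TG.30.8113 entry gives +6.8 dBi here, but the same Mouser link is captioned "+3.8 dBi" in the "Used tools" line of the LTE sniffing section further down; check the linked datasheet and use one figure in both places. The line "Currently working with Pluto, HackRF and LimeSDR" should say whether "working" means after the firmware reflash, SoapySDR rebuild and external clock the Pluto entry describes, since that entry says the stock unit is unusable for LTE because of the +/- 25 ppm oscillator. The HackRF correction from 24 to 20 MHz is consistent with that device's documented 20 MHz maximum.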
  
Line 59: Line 73:
   * [[https://openlte.sourceforge.net/|OpenLTE page for 3G/4G]]   * [[https://openlte.sourceforge.net/|OpenLTE page for 3G/4G]]
   * [[https://github.com/mgp25/OpenLTE|OpenLTE GitHub]]   * [[https://github.com/mgp25/OpenLTE|OpenLTE GitHub]]
-  * [[https://github.com/kit-cel/gr-lte|gr-lte]] - this is pain, as gnuradio 3.7 is needed, you need to use Osmocom Source for your SDR, use docker 3.7 gnuradio image+  * [[https://github.com/kit-cel/gr-lte|gr-lte]] - this is pain, as gnuradio 3.7 is needed, you need to use Osmocom Source for your SDR, use docker 3.7 gnuradio image, complete PITA to use
   * [[https://github.com/SysSec-KAIST/LTESniffer| LTESniffer - An Open-source LTE Downlink/Uplink Eavesdropper]] - builds and runs on Ubuntu 20.04, hard to config for Pluto (SDR with more antennas necessary for complete functionality)   * [[https://github.com/SysSec-KAIST/LTESniffer| LTESniffer - An Open-source LTE Downlink/Uplink Eavesdropper]] - builds and runs on Ubuntu 20.04, hard to config for Pluto (SDR with more antennas necessary for complete functionality)
-  * [[https://github.com/falkenber9/falcon | FALCON - Fast Analysis of LTE Control channels]] - built on Ubuntu 20.04, but probably will need to buy BladeRF as well+  * [[https://github.com/falkenber9/falcon | FALCON - Fast Analysis of LTE Control channels]] - built on Ubuntu 20.04, but needs multiple RX antennas to work fully, Lime or Blade SDR necessary, not yet fully working
   * [[https://github.com/git-artes/docker-gnuradio|Docker gnuradio 3.7, 3.8, 3.9 and 3.10 builds]] - they work, but it's fucking Docker, but at least works   * [[https://github.com/git-artes/docker-gnuradio|Docker gnuradio 3.7, 3.8, 3.9 and 3.10 builds]] - they work, but it's fucking Docker, but at least works
   * [[https://www.mathworks.com/help/supportpkg/plutoradio/ug/lte-receiver-using-sdr-pluto.html|Matlab demo on how to decode LTE with Pluto SDR]] - not tested yet   * [[https://www.mathworks.com/help/supportpkg/plutoradio/ug/lte-receiver-using-sdr-pluto.html|Matlab demo on how to decode LTE with Pluto SDR]] - not tested yet
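Review bot: "complete PITA to use" at the end of the gr-lte entry repeats "this is pain" at its start; one is enough. More useful would be to say which pain the Docker image solves: GNU Radio 3.7 is needed, the Osmocom Source block is how the SDR is reached there, and the "Docker gnuradio 3.7, 3.8, 3.9 and 3.10 builds" entry two bullets below is the image meant, so cross-link it. The FALCON and LTESniffer entries now both say a multi-antenna SDR is needed; state which of the listed radios was actually tried with each (the FALCON line names Lime or Blade), so the "not yet fully working" status can be reproduced.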
Line 260: Line 274:
 </code> </code>
  
-==== Running ENB (base station) ====+==== Running eNB (base station) ====
  
-Use ''srsenb'' commandNeeds to have config correct, otherwise you'll get shitton of errorslike shown below (ENB not yet configured properlyone of missing parts are TX antenna names)+First, ''srsepc'' is needed which runs non-radio part of LTE Core NetworkThis includes [[https://docs.srsran.com/projects/4g/en/latest/usermanuals/source/srsepc/source/1_epc_intro.html | database of usersHHSMME and SP-GW internet gateway]].
  
-Example of **incorrect** output:+You need to run it as root because it create TUN/TAP interface. Seems to work in docker. 
 + 
 +Default DB contains only few entries, if you want different MCC, MNC, LAC, TAC, PCI, you'll have to add it to DB/config. 
 + 
 +<code> 
 +# srsepc 
 + 
 +Built in Release mode using commit fa56836b1 on branch master. 
 + 
 + 
 +---  Software Radio Systems EPC  --- 
 + 
 +Couldn't open , trying /root/.config/srsran/epc.conf 
 +Reading configuration file /root/.config/srsran/epc.conf... 
 +Couldn't open user_db.csv, trying /root/.config/srsran/user_db.csv 
 +HSS Initialized. 
 +MME S11 Initialized 
 +MME GTP-C Initialized 
 +MME Initialized. MCC0xf001, MNC: 0xff01 
 +SPGW GTP-U Initialized. 
 +SPGW S11 Initialized. 
 +SP-GW Initialized. 
 +Received S1 Setup Request. 
 +S1 Setup Request - eNB Name: srsenb01, eNB id: 0xZZZ 
 +S1 Setup Request - MCC:ZZZ, MNC:ZZ 
 +S1 Setup Request - TAC ZZZZ, B-PLMN 0xf110 
 +S1 Setup Request - Paging DRX v128 
 +Sending S1 Setup Response 
 +SCTP Association Shutdown. Association: 82 
 +Deleting eNB context. eNB Id: 0xZZZ 
 +... 
 +</code> 
 + 
 +Then use ''srsenb'' on the same machine to run the SDR part of network
  
-TODO: get ENB working 
  
 <code> <code>
 % srsenb  % srsenb 
-Active RF plugins: libsrsran_rf_uhd.so libsrsran_rf_soapy.so libsrsran_rf_zmq.so+$ ./srsenb/src/srsenb  
 +Active RF plugins: libsrsran_rf_uhd.so libsrsran_rf_soapy.so
 Inactive RF plugins:  Inactive RF plugins: 
 ---  Software Radio Systems LTE eNodeB  --- ---  Software Radio Systems LTE eNodeB  ---
  
-Couldn't open , trying [...]/.config/srsran/enb.conf +Couldn't open , trying /home/gnuradio/.config/srsran/enb.conf 
-Reading configuration file [...]/.config/srsran/enb.conf... +Reading configuration file /home/gnuradio/.config/srsran/enb.conf... 
-Couldn't open sib.conf, trying [...]/.config/srsran/sib.conf +Couldn't open sib.conf, trying /home/gnuradio/.config/srsran/sib.conf 
-Couldn't open rr.conf, trying [...]/.config/srsran/rr.conf +Couldn't open rr.conf, trying /home/gnuradio/.config/srsran/rr.conf 
-Couldn't open rb.conf, trying [...]/.config/srsran/rb.conf+Couldn't open rb.conf, trying /home/gnuradio/.config/srsran/rb.conf
 WARNING: cpu0 scaling governor is not set to performance mode. Realtime processing could be compromised. Consider setting it to performance mode before running the application. WARNING: cpu0 scaling governor is not set to performance mode. Realtime processing could be compromised. Consider setting it to performance mode before running the application.
 Failed to `mlockall`: {} Failed to `mlockall`: {}
-Built in Release mode using commit fa56836b1 on branch master.+Built in Release mode using commit ec29b0c1f on branch master.
  
 Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
 Opening 1 channels in RF device=default with args=default Opening 1 channels in RF device=default with args=default
-connect(): Connection refused +Supported RF device list: UHD soapy file
-Supported RF device list: UHD soapy zmq file+
 Trying to open RF device 'UHD' Trying to open RF device 'UHD'
-Failed to initiate S1 connection. Attempting reconnection in 10 seconds +[INFO] [UHD] linux; GNU C++ version 11.2.0Boost_107400UHD_4.1.0.5-3
-[INFO] [UHD] linux; GNU C++ version 9.2.1 20200304Boost_107100UHD_3.15.0.0-2build5+
 [INFO] [LOGGING] Fastpath logging disabled at runtime. [INFO] [LOGGING] Fastpath logging disabled at runtime.
- +[ERROR] avahi_client_new() failedDaemon not running 
-RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.+[ERROR] avahi_client_new(failed: Daemon not running 
 +[WARNING] Unable to scan ip: -19
  
 Opening USRP channels=1, args:  Opening USRP channels=1, args: 
 [INFO] [UHD RF] RF UHD Generic instance constructed [INFO] [UHD RF] RF UHD Generic instance constructed
 +[ERROR] avahi_client_new() failed: Daemon not running
 +[WARNING] Unable to scan ip: -19
  
-RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy+[INFO] [UHDSoapyDevice] Make connection'LimeSDR-USB [USB 3.0] 9060B00492D13' 
- +[INFO] [UHDSoapyDevice] Reference clock 30.72 MHz 
- +[INFO] [UHDSoapyDevice] Device name: LimeSDR-USB 
-RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy+[INFO] [UHDSoapyDevice] Reference30.72 MHz 
- +[INFO] [UHDSoapyDevice] LMS7002M register cache: Disabled 
- +[INFO] [UHDSoapyDevice] RX LPF configured 
-RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0)Device or resource busy+[INFO] [UHDSoapyDevice] RX LPF configured 
- +[INFO] [UHDSoapyDevice] Filter calibrated. Filter order-4thfilter bandwidth set to 5 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active 
-[INFO] [UHDSoapyDevice] Using format CF32+[INFO] [UHDSoapyDevice] TX LPF configured 
-[INFO] [UHDSoapyDevice] Using format CF32.+[INFO] [UHDSoapyDevice] Filter calibratedFilter order-4th, filter bandwidth set to 5 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active 
 +[INFO] [UHDSoapyDevice] TX LPF configured
 RF device 'UHD' successfully opened RF device 'UHD' successfully opened
-[...]/prog/Pluto-SDR_projects/docker-persistent/srsRAN_4G.new_with_GUI/lib/src/phy/rf/rf_uhd_imp.cc:315UHD unhandled event code 64+Warning: Failed to create thread with real-time priorityCreating it with normal priority: Operation not permitted 
 +Warning: Failed to create thread with real-time priorityCreating it with normal priorityOperation not permitted 
 +Warning: Failed to create thread with real-time priority. Creating it with normal priorityOperation not permitted
 Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
  
 ==== eNodeB started === ==== eNodeB started ===
 Type <t> to view trace Type <t> to view trace
-[INFO] [UHDSoapyDevice] Using format CF32+[INFO] [UHDSoapyDevice] RX LPF configured 
-[INFO] [UHDSoapyDevice] Using format CF32+[INFO] [UHDSoapyDevice] RX LPF configured 
-Setting frequency: DL=2680.0 Mhz, UL=2560.0 MHz for cc_idx=0 nof_prb=50 +[INFO] [UHDSoapyDevice] Filter calibrated. Filter order-4th, filter bandwidth set to 11.52 MHz.Real pole 1st order filter set to 2.5 MHzPreemphasis filter not active 
-[ERROR] [UHD RF] UHDSoapyRxStream::issue_stream_cmd() -5+[INFO] [UHDSoapyDevice] TX LPF configured 
 +[INFO] [UHDSoapyDevice] Filter calibratedFilter order-4th, filter bandwidth set to 11.52 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active 
 +[INFO] [UHDSoapyDevice] TX LPF configured 
 +Setting frequency: ... 
 +[INFO] [UHDSoapyDevice] Tx calibration finished 
 +[INFO] [UHDSoapyDevice] Rx calibration finished 
 +[INFO] [UHD RF] Tx while waiting for EOB, timed out... 64.2848 >64.2843. Starting new burst...
 </code> </code>
 +
 +TODO: signal drifted
  
 ===== Waterfall examples for UE (cellphones) and ENB (base stations) ===== ===== Waterfall examples for UE (cellphones) and ENB (base stations) =====
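Review bot: "if you want different MCC, MNC, LAC, TAC, PCI, you'll have to add it to DB/config" mixes up where these values live: MCC, MNC and TAC are set in epc.conf and must match the eNB's values (the log's "MCC0xf001, MNC: 0xff01" is the BCD form of the 001/01 test PLMN, and the S1 Setup Request lines show the eNB presenting its own MCC/MNC/TAC to the MME), PCI is an eNB cell parameter rather than an EPC one, user_db.csv only holds subscriber rows (IMSI, K, OPc), and LAC is a 2G/3G identifier with no LTE equivalent. "You need to run it as root because it create TUN/TAP interface" should read "creates"; the privilege the TUN device actually needs is CAP_NET_ADMIN, so granting that capability to the binary or container is the least-privilege alternative worth noting. The srsenb log should also be read for the reader: "Failed to `mlockall`" and the repeated "Failed to create thread with real-time priority ... Operation not permitted" mean the process has no memlock/rtprio allowance (in Docker: --ulimit rtprio and memlock plus --cap-add SYS_NICE), and the closing "Tx while waiting for EOB, timed out ... Starting new burst" together with "TODO: signal drifted" are timing symptoms to chase only after that and the clock caveats from the SDR list are fixed. The 0xZZZ / ZZZ values in the EPC log should be marked as redacted so they are not mistaken for real output.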
Line 344: Line 403:
 ===== LTE sniffing ===== ===== LTE sniffing =====
  
-==== LTE sniffing download and upload via SDR ====+==== LTE sniffing downlink and uplink via SDR ====
  
 These experiments were carried out using 3 SDR radios: These experiments were carried out using 3 SDR radios:
Line 352: Line 411:
   * Hack RF   * Hack RF
  
-I obtained uplink/downlink of my own phone's LTE channels using [[https://apkpure.com/cellular-z/make.more.r2d2.cellular_z | Cellular Z]] application. Each channel is 20 MHz wide.+Only LimeSDR seems to work with LTESniffer and only in downlink mode (ENB->UE) which is still enough to get lot of control messages and metadataRemember you need to use UHD >= 4.0 and avoid using srsRAN from system, use the one included in LTESniffer.
  
-Cellular Z sample screenshot:+Example output showing a UE (phone) disconnecting from ENB and losing security context where it can be attacked by fake base station (such ENB can be made from srsENB).
  
-{{:project:cellular_z_bands.png?300|}}+{{:project:ltesniffer_limesdr_downlink.png?800|}}
  
-20 MHz is bandwidth that fits Pluto SDR, Lime SDR and also HackRF.+Uplink requires 2 RX chains because modulation of UE needs to be bruteforced (it's secret value, but only few values are possible). LimeSDR theoretically could be used, but would require code change and preparation for the clock sync. At the moment only USRP X310 or two USRP B200 with GPSDO are known to work. LimeSDR can be flashed to work as USRP B200, but you'd need two without changing code (also it's not the main branch, but separate multi-usrp branch in LTESniffer) 
 + 
 +I obtained uplink/downlink of my own phone's LTE channels using [[https://apkpure.com/cellular-z/make.more.r2d2.cellular_z | Cellular Z]] application. Each channel is 20 MHz wide. 
 + 
 +=== LTE channel sniff manual without decode === 
 + 
 +20 MHz is LTE channel bandwidth that fits Pluto SDR, Lime SDR and also HackRF.
  
 Used tools: [[https://www.sdrpp.org/| SDR++]] and HackRF's Portapack. Antennas used were mostly [[https://cz.mouser.com/ProductDetail/960-TG.30.8113|Taoglas 700-2700 MHz +3.8 dBi]], along with few others 700-2700 multiband antennas. Used tools: [[https://www.sdrpp.org/| SDR++]] and HackRF's Portapack. Antennas used were mostly [[https://cz.mouser.com/ProductDetail/960-TG.30.8113|Taoglas 700-2700 MHz +3.8 dBi]], along with few others 700-2700 multiband antennas.
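Review bot: "Example output showing a UE (phone) disconnecting from ENB and losing security context" should name the messages visible in the screenshot (which RRC or NAS messages, and at what times) so a reader can verify the interpretation instead of taking the caption on trust. "Uplink requires 2 RX chains because modulation of UE needs to be bruteforced" ties two different things together; say whether the second RX chain is needed to capture uplink alongside downlink or for the modulation search, and which of the two the GPSDO/clock-sync remark belongs to. Minor: "Hack RF" should be "HackRF" as elsewhere on the page, and "UHD >= 4.0" matches the UHD_4.1.0.5 shown in the srsenb log above, so it is worth stating once as a shared requirement.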
Line 364: Line 429:
 Example of download and upload as seen on frequency spectrum, this is uplink channel, but since TCP/IP requires sending data back, download is visible on uplink channel as well: Example of download and upload as seen on frequency spectrum, this is uplink channel, but since TCP/IP requires sending data back, download is visible on uplink channel as well:
  
-**Download**+**Download, recorded with PlutoSDR and LimeSDR** 
 + 
 +Hence 20 MHz vs 61 MHz bandwidth difference
  
 {{:project:pluto_sdr_download.png?800|}} {{:project:pluto_sdr_download.png?800|}}
  
-**Upload**+{{:project:limesdr_lte_download.png?800|}} 
 + 
 +**Upload, recorded with PlutoSDR and LimeSDR** 
 + 
 +Hence again 20 MHz vs 61 MHz bandwidth difference
  
 {{:project:pluto_sdr_upload.png?800|}} {{:project:pluto_sdr_upload.png?800|}}
 +
 +{{:project:limesdr_lte_upload.png?800|}}
  
 ===== Images of SDRs and antennas' setup  ===== ===== Images of SDRs and antennas' setup  =====
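Review bot: "Hence 20 MHz vs 61 MHz bandwidth difference" (and "Hence again" under Upload) states a consequence where only a caption is meant; write "Note the different spans: Pluto recorded at 20 MHz, LimeSDR at 61.44 MHz", and make clear that the LTE channel is 20 MHz wide in both captures, the difference being the SDR's sample rate, not the signal. Each image (pluto_sdr_download.png, limesdr_lte_download.png, and the upload pair) should sit under its own line naming the device that recorded it rather than one shared heading, since the order is otherwise a guess.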
Line 384: Line 457:
 **LimeSDR photo TODO** **LimeSDR photo TODO**
  
 +===== LTE Cell tracker HOWTO  =====
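Review bot: "===== LTE Cell tracker HOWTO =====" is added with no body; either add at least a TODO line like the "LimeSDR photo TODO" marker above, or hold the heading until the content exists, so the table of contents does not advertise an empty section. The heading also carries the double space before the closing markers seen in "Images of SDRs and antennas' setup"; consistent spacing keeps later diffs readable.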
  
project/srsranda.1701887086.txt.gz · Last modified: 2023/12/06 18:24 by abyssal