2G Base Station Tutorial - Part Three: Catch IMSIs, Tap Data, Edit Welcome SMS, Voice Call Listening


It's been a while since I have visited any topic relating to GSM cellular technology in my videos, but many of my viewers have been requesting an in-depth tutorial on how exactly to deploy a 2G base station transceiver using software defined radio.

Using a BladeRF xA4 and some software for Linux called YateBTS, it is possible to operate a small experimental cellular network which will allow two mobile phones in your lab environment to make telephone calls, send SMS messages and browse the internet via a GPRS data connection.

Join me in part three today, where I demonstrate how to use YateBTS as an IMSI catcher. After that, I show my viewers how to tap useful information from the 2G base station using Wireshark. I also detail how the YateBTS welcome SMS can be changed to something less conspicuous.

Towards the end of the video, I illustrate the possibility of recording and decoding phone calls being conducted over the 2G base station using gr-gsm and an RTL-SDR. And finally, I demonstrate a theoretical method of getting less secure cellular devices to attach to YateBTS.

I am unsure if there will be a part four installment of this video series at the moment. I did promise my viewers that I would give out some troubleshooting hints and tips (believe me, you're going to need them if you want to play around with YateBTS!). If that happens in the future, I'll see you then. If not, that will conclude my 2G base station series for now.

Thanks very much for watching!


DISCLAIMER:

Deploying experimental cellular base stations using software defined radios will require you to transmit signals on portions of the radio frequency spectrum that you are not permitted to use. This CAN and WILL cause destructive interference to licensed radio services operating on those frequencies. I WON'T be held responsible for any legal trouble you get yourself into because you got a knock on the door from the spectrum regulation authority in your country. It is advisable to NEVER follow this tutorial, EVER!


HARDWARE:

- BladeRF 2.0 Micro xA4 software defined radio
- Quad-band cellular 90-degree SMA antenna x 2
- Samsung S8 and S9 mobile phones
- Sysmocom SysmoISIM-SJA2 SIM cards x 2
- Custom dual-Xeon CPU server PC


SOFTWARE:

- DragonOS FocalX R35 (bootable USB thumb drive)
- YateBTS RC-2 (Nuand fork)


COMMANDS:

sudo yate -vvvvv 2>&1 | grep "clipping"

telnet 127.0.0.1 5038

sniffer on

sniffer filter user.register

output on

sudo wireshark -k -Y '!icmp && gsmtap' -i lo

sudo wireshark -k -i sgsntun

featherpad /usr/local/share/yate/scripts/nipc.js

firefox localhost/nipc/custom_sms.php

grgsm_capture -f 935.2M -s 1e6 -g 30 ~/capture_f935.2M_s1e6.cfile

grgsm_decode -p -v -c ~/capture_f935.2M_s1e6.cfile -f 935.2M -s 1e6 -m TCHF -t 4 -o ~/speech.au.gsm

grgsm_decode -p -v -c ~/capture_f935.2M_s1e6.cfile -f 935.2M -s 1e6 -m TCHF -t 5 -o ~/speech.au.gsm

./yatebts_telnet.sh | grep -B 4 "location-area-not-allowed"

./change_mcc_mnc.sh
