
Building a GSM BTS Using the BladeRF, RPi and YateBTS - Voyage
https://blog.strcpy.info/2016/04/21/building-a-portable-gsm-bts-using-bladerf-raspberry-and-yatebts-the-definitive-guide/
======
codebeaker
BTS = "Base transceiver station", it's not mentioned in the article.

~~~
BillyParadise
had to google that before I got to your comment. Thanks, though.

------
kabouseng
Just be careful, might be deemed unlawful in your location...

~~~
iheartmemcache
I can't emphasize this enough if you're in the States. This is something that
the FCC takes _very_ seriously. There are hundreds of billions of dollars
corporations have thrown at just to get rights to little chunks of spectrum
(and as one would imagine, I'm sure their lobbyists have Tom Wheeler on speed-
dial). This information has been out there for ages but this is the first time
I've seen a single source with all of the information in aggregate. (I've
toyed with putting up a similar page myself, but opted not to just to avoid
the unwanted federal attention). If you do this on the nominal 850 for any
significant amount of time, you're going to be at best convicted of a federal
crime with a long duration of probation after spending an egregious amount of
money on defense counsel fees. You could realistically serve jail-time (it
wouldn't be hard to convince a jury to convict someone by claiming your
transmission compromised emergency-comms, and if little Tiffany from
Connecticut was abducted, how could her Amber alert propagate through the
networks?!)

There's a lot of amazing stuff which is incredibly accessible for such a low
amount of money (spectrum analyzers with amazing VBW for 1/20th the price
you'd pay 10 years ago, hell, the whole SDR scene), but there's really no Tor
you can hide behind. Our civil servants might not be the brightest of the
bunch, but they can triangulate a transceiver I'd imagine. If you choose to do
this, broadcast in the ISM band around 912, and you should be safe..ish if you
keep your broadcast under a watt. I love playing with gear but there are safer
ways to get your jollies. As someone who did his share of foolhardy things in
my youth, I could see myself as a precocious teenager doing something dumb
like this - if you're that 15 year old reading this - don't. There are tons of
fun things to do out there with a way, way lower risk factor. (If you really
want to play with things you shouldn't, the modern power grid is filled with a
mesh network, broadcasting your power consumption to the peers in your
network. It's on RF, and as such they have to legally disclose the nature of
the broadcasts to the government, and those databases are public. Have fun ;))

~~~
kabouseng
There was a defcon talk where the speaker did set his BTS to the same
frequency as was allowed for ham radio or somesuch, which _might_ be
legal...but I very much doubt that :D

Think it was this one

[https://www.youtube.com/watch?v=xKihq1fClQg](https://www.youtube.com/watch?v=xKihq1fClQg)

~~~
tomkinstinch
If the transmission was encrypted, it would have also been illegal on the
amateur bands [1]. This isn't 90s crypto-war paranoia; the concern about
encryption is that if transmissions on the amateur bands are allowed to be
obscured, unscrupulous individuals (say, taxi companies), could flood the
amateur bands with commercial transmissions rather than pay for a share of the
commercial bands. This goes against the open, public intent behind amateur
bands, and takes away bandwidth from amateur users (read: the public, you and
me). The FCC is looking out for us.

Radio spectrum is a finite resource. If you look at a chart [2] of US
Frequency allocations, amateur radio operators have been given the right to
transmit on a relatively _massive_ fraction of the physically available
spectrum. It would easily be worth _billions_ if it were commercial. Instead,
due to the quirks of history, the public has been given wondrous access to the
airwaves. It's a public resource, like a park, and it's the Grand Canyon, it's
Yellowstone, it's Yosemite. As hackers we have to respect it, and we have to
protect it by using it responsibly. We need to get licensed, and we need to
educate others so we can avoid a tragedy of the commons. Illegal transmissions
are like litter. If we don't follow the rules and treat the amateur spectrum
well, the FCC could plausibly decide to auction it off. It's not like there
isn't pressure to do so. Demonstrating a DIY BTS is very cool, but at least
have the decency to test it in a faraday cage. Don't litter in my park.

Amateur radio is fun, and it's one of the original electronics hacker
activities. Get licensed, assemble a few simple electronic components, and
talk to someone else (often like you), potentially _thousands of miles away_.
All without reliance on any extant communications infrastructure. How cool is
that? It's a tremendous way to learn about physics and electronics, and there
are many exciting things happening with digital transmissions. It's a magical
thing when you hear a foreign voice coming from your speaker, carried from a
transmitter a continent away. Learn, build, and have (responsible) fun in the
park!

1\.
[https://www.law.cornell.edu/cfr/text/47/97.113](https://www.law.cornell.edu/cfr/text/47/97.113)

2\.
[https://www.ntia.doc.gov/files/ntia/publications/2003-alloch...](https://www.ntia.doc.gov/files/ntia/publications/2003-allochrt.pdf)

~~~
nickpsecurity
Interesting. Never heard this argument. I'd counter by saying WiFi bands are
encrypted but commercial use hasn't swamped them. So not sure how likely the
scenario is.

Nonetheless, I'd be up for discussing escrowed, authenticated encryption or
key retention with random civil audits. That would be better than nothing.
They could have an auditor that's not a cop get the keys to certain
transmissions to check them. Only forwarded to authorities if criminal
activity is found. This would let us retain privacy quite a bit while
mitigating the issue you mentioned.

~~~
simcop2387
I think part of it is that WiFi (2.4ghz and 5ghz) are both not very
penetrating compared to most of the amateur bands (sub 1ghz). That means that
long range commercial use of them would be very difficult. This is why
companies like Time Warner, who are trying to use them for commercial wifi end
up installing special modems/routers in customers homes to be able to
accomplish the task.

~~~
madengr
Ham operators can run 1.5kW on the 2 GHz wifi band.

~~~
tomkinstinch
We _can_, but the norm (and law via FCC part 97) is for one to use "the
minimum power necessary to carry out the desired communications." So if you
need 1.5kW to reach your wifi robot on the other side of the valley, go for
it, but otherwise quieter is the rule. There's a subculture of hams who try to
see how far away they can make contacts on minimal power (miles per
milliwatt). It's not unheard of to make trans-Atlantic contacts using 100mW,
by bouncing the signal off the ionosphere. It's possible to reach most of the
globe on 25W via PSK31, with sound cards handling the signal processing.

~~~
nickpsecurity
"It's not unheard of to make trans-Atlantic contacts using 100mW, by bouncing
the signal off the ionosphere. It's possible to reach most of the globe on 25W
via PSK31, with sound cards handling the signal processing."

That's freaking wild. I remember my brief forays into the subject also had me
fascinated with the idea of meteor burst communication where I was bouncing
stuff off exploding meteors. Haha. With further digging, the source of my
first link was surprising:

[https://www.nsa.gov/public_info/_files/cryptologic_quarterly...](https://www.nsa.gov/public_info/_files/cryptologic_quarterly/meteo_burst.pdf)

[http://www.dtic.mil/dtic/tr/fulltext/u2/a228641.pdf](http://www.dtic.mil/dtic/tr/fulltext/u2/a228641.pdf)

The second wasn't, as DTIC is one of the most badass, if little-known,
resources for technical information. Obscure, but great, insights buried in
that organization's records.

~~~
tomkinstinch
If you're interested in some of the latest in low-power _digital_
communication, check out the software of Joe Taylor, K1JT:
[http://physics.princeton.edu/pulsar/k1jt/](http://physics.princeton.edu/pulsar/k1jt/)

If his name seems familiar, it's because it's the same Joe Taylor who was
awarded the 1993 Nobel Prize in Physics (for his radioastronomy work on
pulsars):

[http://www.nobelprize.org/nobel_prizes/physics/laureates/199...](http://www.nobelprize.org/nobel_prizes/physics/laureates/1993/taylor-bio.html)

~~~
nickpsecurity
Thanks for the link. Pretty badass. Bookmarking it and passing it along.

------
mxuribe
I'm a newbie at radio (though starting to get into it). What would be the main
use-case for this GSM BTS? I mean, does it act like a femto and provide
increased signal strength in/around your home? Or is this the kind of thing
that is merely fun to build (though unlikely to operate due to FCC-related
restrictions)?

~~~
lb1lf
The main use case would be getting into trouble with the authorities.

However, there are a few sub-cases (most of which will still in part fall
under the first one)

a) Educational - you can learn a lot about how telecom networks actually work
by playing around with your own BTS. However, it would be advisable to do so
in a place where your emissions don't interfere with other, legit operators -
say, in a mine or something. (I am not being flippant here).

b) Nefarious, non-state: it is trivial to trick any compatible cell phone into
connecting to your rogue BTS instead of one belonging to the victim's carrier.
This could be done transparently to the victim - i.e. you forward his call data
to the network at large, MitM-ing him and monitoring his conversations.

c) Nefarious, state actor: Much the same purpose as b), though presumably a
(legit) state actor would be able to just serve the telco with a warrant to
get at the same data - the exception being, of course, if you were operating
on someone else's turf - say, you are some intelligence service operating
abroad, eavesdropping on another state's principal actors, for instance.

d) Fun (closely related to a) above) - say, in particular if you operated in
an area with no effective RF licencing regime (failed states and offshore
springing to mind), you could effectively become your own cell phone carrier,
for instance while hosting a conference on a vessel in international waters,
allowing participants to use their handsets to get in touch with each other.
This option could be utilized either with or without a gateway to the global
phone network.

~~~
mxuribe
Got it, ok, thanks.

------
etucexe
Article looks a lot like this: [https://evilsocket.net/2016/03/31/how-to-build-your-own-rogu...](https://evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/)

------
po1nter
I tried saving this page to the internet archive (in case the blog goes down)
but it seems that the owner doesn't allow bots to index/cache/mirror his
content.

~~~
striking
Archive.is works perfectly fine:
[https://archive.is/rFOLB](https://archive.is/rFOLB)

(This is because it's an archiving machine designed for people; it will
x-forwarded-for your IP address to the target site as if it were a proxy)

------
Raed667
I'm a complete noob at this kind of network. My question is how to get a phone
(without a SIM card, as far as I can tell) to authenticate to your new BTS?

~~~
extrapickles
Basically if the phone cannot find a BTS for its normal carrier, it will ask
the other BTS that it can find if it can connect. There normally isn't any
authentication done to see if the BTS is legit.

This is also what the police stingray devices take advantage of.

------
gioele
How does YateBTS compare to Osmocom?

------
deutronium
Has anyone seen an SDR based 'cellphone' type device out of curiosity?

------
teekert
Huh, his RPi3 came out of the box with heat sinks?

~~~
jandrese
There are several kits (like the Canokit) that come with them.

