Building a GSM BTS Using the BladeRF, RPi and YateBTS (strcpy.info)
96 points by Voyage on Apr 25, 2016 | 44 comments

BTS = "Base transceiver station", it's not mentioned in the article.

had to google that before I got to your comment. Thanks, though.

Just be careful, might be deemed unlawful in your location...

I can't emphasize this enough if you're in the States. This is something that the FCC takes very seriously. There are hundreds of billions of dollars that corporations have thrown at just getting rights to little chunks of spectrum (and as one would imagine, I'm sure their lobbyists have Tom Wheeler on speed-dial). This information has been out there for ages but this is the first time I've seen a single source with all of the information in aggregate. (I've toyed with putting up a similar page myself, but opted not to just to avoid the unwanted federal attention). If you do this on the nominal 850 for any significant amount of time, you're going to be at best convicted of a federal crime with a long duration of probation after spending an egregious amount of money on defense counsel fees. You could realistically serve jail-time (it wouldn't be hard to convince a jury to convict someone by claiming your transmission compromised emergency-comms, and if little Tiffany from Connecticut was abducted, how could her Amber alert propagate through the networks?!)

There's a lot of amazing stuff which is incredibly accessible for such a low amount of money (spectrum analyzers with amazing VBW for 1/20th the price you'd pay 10 years ago, hell, the whole SDR scene), but there's really no Tor you can hide behind. Our civil servants might not be the brightest of the bunch, but they can triangulate a transceiver I'd imagine. If you choose to do this, broadcast in the ISM band around 912, and you should be safe-ish if you keep your broadcast under a watt. I love playing with gear but there are safer ways to get your jollies. As someone who did his share of foolhardy things in my youth, I could see myself as a precocious teenager doing something dumb like this - if you're that 15 year old reading this - don't. There are tons of fun things to do out there with a way, way lower risk factor. (If you really want to play with things you shouldn't, the modern power grid is filled with a mesh network, broadcasting your power consumption to the peers in your network. It's on RF, and as such they have to legally disclose the nature of the broadcasts to the government, and those databases are public. Have fun ;))

There was a defcon talk where the speaker did set his BTS to the same frequency as was allowed for ham radio or somesuch, which might be legal...but I very much doubt that :D

Think it was this one


If the transmission was encrypted, it would have also been illegal on the amateur bands [1]. This isn't 90s crypto-war paranoia; the concern about encryption is that if transmissions on the amateur bands are allowed to be obscured, unscrupulous individuals (say, taxi companies), could flood the amateur bands with commercial transmissions rather than pay for a share of the commercial bands. This goes against the open, public intent behind amateur bands, and takes away bandwidth from amateur users (read: the public, you and me). The FCC is looking out for us.

Radio spectrum is a finite resource. If you look at a chart [2] of US Frequency allocations, amateur radio operators have been given the right to transmit on a relatively massive fraction of the physically available spectrum. It would easily be worth billions if it were commercial. Instead, due to the quirks of history, the public has been given wondrous access to the airwaves. It's a public resource, like a park, and it's the Grand Canyon, it's Yellowstone, it's Yosemite. As hackers we have to respect it, and we have to protect it by using it responsibly. We need to get licensed, and we need to educate others so we can avoid a tragedy of the commons. Illegal transmissions are like litter. If we don't follow the rules and treat the amateur spectrum well, the FCC could plausibly decide to auction it off. It's not like there isn't pressure to do so. Demonstrating a DIY BTS is very cool, but at least have the decency to test it in a faraday cage. Don't litter in my park.

Amateur radio is fun, and it's one of the original electronics hacker activities. Get licensed, assemble a few simple electronic components, and talk to someone else (often like you), potentially thousands of miles away. All without reliance on any extant communications infrastructure. How cool is that? It's a tremendous way to learn about physics and electronics, and there are many exciting things happening with digital transmissions. It's a magical thing when you hear a foreign voice coming from your speaker, carried from a transmitter a continent away. Learn, build, and have (responsible) fun in the park!

1. https://www.law.cornell.edu/cfr/text/47/97.113

2. https://www.ntia.doc.gov/files/ntia/publications/2003-alloch...

Interesting. Never heard this argument. I'd counter by saying WiFi bands are encrypted but commercial use hasn't swamped them. So not sure how likely the scenario is.

Nonetheless, I'd be up for discussing escrowed, authenticated encryption or key retention with random civil audits. That would be better than nothing. They could have an auditor that's not a cop get the keys to certain transmissions to check them. Only forwarded to authorities if criminal activity is found. This would let us retain privacy quite a bit while mitigating the issue you mentioned.

I think part of it is that WiFi (2.4 GHz and 5 GHz) are both not very penetrating compared to most of the amateur bands (sub-1 GHz). That means that long range commercial use of them would be very difficult. This is why companies like Time Warner, who are trying to use them for commercial wifi, end up installing special modems/routers in customers' homes to be able to accomplish the task.

Ham operators can run 1.5kW on the 2 GHz wifi band.

We can, but the norm (and law via FCC part 97) is for one to use "the minimum power necessary to carry out the desired communications." So if you need 1.5kW to reach your wifi robot on the other side of the valley, go for it, but otherwise quieter is the rule. There's a subculture of hams who try to see how far away they can make contacts on minimal power (miles per milliwatt). It's not unheard of to make trans-Atlantic contacts using 100mW, by bouncing the signal off the ionosphere. It's possible to reach most of the globe on 25W via PSK31, with sound cards handling the signal processing.

"It's not unheard of to make trans-Atlantic contacts using 100mW, by bouncing the signal off the ionosphere. It's possible to reach most of the globe on 25W via PSK31, with sound cards handling the signal processing."

That's freaking wild. I remember my brief forays into the subject also had me fascinated with the idea of meteor burst communication where I was bouncing stuff off exploding meteors. Haha. With further digging, the source of my first link was surprising:



The second wasn't, as DTIC is one of the most badass, if little-known, resources for technical information. Obscure, but great, insights buried in that organization's records.

If you're interested in some of the latest in low-power digital communication, check out the software of Joe Taylor, K1JT: http://physics.princeton.edu/pulsar/k1jt/

If his name seems familiar, it's because it's the same Joe Taylor who was awarded the 1993 Nobel Prize in Physics (for his radioastronomy work on pulsars):


Thanks for the link. Pretty badass. Bookmarking it and passing it along.

Suddenly makes less sense then.

Ahhhh. That makes sense. Maybe a multi-year trial is in order.

It's not really an argument that can be countered - in-the-clear operation is a regulation and fact of life that every amateur operator knows and must abide by.

Clearly, I meant in a presentation to the FCC that tries to change the regulations.

Unencrypted communication (flag A5/0) is also supported on GSM systems.

My understanding is that many countries that wanted GSM systems (and ham communications) think encryption is tantamount to devil worship.

Indeed. If radio is where you want to get your jollies, then ham radio should be your thing.

> at best convicted of a federal crime with a long duration of probation after spending an egregious amount of money on defense counsel fees.

Convicted felon never looks good on a job app

> This is something that the FCC takes very seriously. There are hundreds of billions of dollars corporations have thrown at just to get rights to little chunks of spectrum (and as one would imagine, I'm sure their lobbyists have Tom Wheeler on speed-dial).

Although those corporations have been a bit cheeky - collusive - with some of those auctions.


Everyone always gets so excited over this. "Holy cow guys, be careful! The FCC will pwn you forever if you even think about running this code!"

A cell tower is elevated, outdoors, transmits +10 W, and runs 24/7.

Your BladeRF is likely to be indoors at ground level, has an output power of about 10 mW. You aren't going to get very far with that. You'll likely have problems detecting the signal over 100 meters, much less connecting and using it.

It may be illegal, but if you aren't causing interference you'll have a hard time getting caught. That being said, yes. Check your local laws. If you do cause a problem and it's tracked down to you, expect to have some serious legal issues.
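A rough link-budget check for the distance claims above, as an added example (not from the article or any commenter). It uses a log-distance path-loss model: free-space loss at 1 m, then 10·n·log10(d) beyond that, where n = 2 is free space and n ≈ 4 is an assumed exponent for an indoor, ground-level transmitter heard outdoors through walls. The handset sensitivity of about -102 dBm is the GSM 900 reference figure for a mobile, used here as an assumption, and antenna gains are set to 0 dBi; all inputs are constructed.

```python
"""Log-distance link budget for a small GSM transmitter (added example, not from
the article). Assumptions: 0 dBi antennas, -102 dBm handset sensitivity, path-loss
exponent n chosen by the caller (2 = free space, ~4 = indoor/through walls)."""
import math

SPEED_OF_LIGHT = 299_792_458.0  # m/s
GSM_HANDSET_SENSITIVITY_DBM = -102.0  # assumed GSM 900 reference sensitivity


def watts_to_dbm(watts: float) -> float:
    """10 mW -> 10 dBm, 10 W -> 40 dBm."""
    return 10.0 * math.log10(watts * 1000.0)


def free_space_loss_db(d_m: float, f_hz: float) -> float:
    """Friis free-space path loss: 20log10(d) + 20log10(f) + 20log10(4*pi/c)."""
    return (20.0 * math.log10(d_m)
            + 20.0 * math.log10(f_hz)
            + 20.0 * math.log10(4.0 * math.pi / SPEED_OF_LIGHT))


def path_loss_db(d_m: float, f_hz: float, n: float = 2.0, d0_m: float = 1.0) -> float:
    """Log-distance model: free-space loss out to d0, then 10*n*log10(d/d0).
    With n=2 this collapses to plain free-space loss."""
    return free_space_loss_db(d0_m, f_hz) + 10.0 * n * math.log10(d_m / d0_m)


def max_range_m(p_tx_dbm: float, f_hz: float, n: float = 2.0,
                rx_sens_dbm: float = GSM_HANDSET_SENSITIVITY_DBM,
                gains_db: float = 0.0, d0_m: float = 1.0) -> float:
    """Largest d such that p_tx + gains - path_loss(d) >= rx_sens."""
    budget_db = p_tx_dbm + gains_db - rx_sens_dbm
    remaining_db = budget_db - free_space_loss_db(d0_m, f_hz)
    return d0_m * 10.0 ** (remaining_db / (10.0 * n))


def compare_ranges(f_hz: float = 850e6) -> dict:
    """The two cases from the thread: a 10 mW SDR indoors vs a 10 W elevated cell."""
    return {
        "sdr_10mW_indoor_n4_m": max_range_m(watts_to_dbm(0.010), f_hz, n=4.0),
        "sdr_10mW_free_space_m": max_range_m(watts_to_dbm(0.010), f_hz, n=2.0),
        "tower_10W_n4_m": max_range_m(watts_to_dbm(10.0), f_hz, n=4.0),
    }


if __name__ == "__main__":
    for name, metres in compare_ranges().items():
        print(f"{name}: {metres:,.0f} m")
```

With n = 4 the 10 mW case comes out at roughly 100 m, in line with the comment, and the 10 W case at roughly 600 m. With n = 2 (clear line of sight, elevated antenna) the same 10 mW reaches about 11 km, so "indoors at ground level" is doing most of the work in the argument, not the power figure alone.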

And the FCC hands out $10,000+ fines like candy for violations. Criminal proceedings are unlikely.

Right, but if you mess up your install, you could deny someone the ability to call 911 (because they're connected to your rogue network, and because I don't think 911 can be provided on a rogue network).

That would be bad.

I'm a newbie at radio (though starting to get into it). What would be the main use-case for this GSM BTS? I mean, does it act like a femto and provide increased signal strength in/around your home? Or is this the kind of thing that is merely fun to build (though unlikely to operate due to FCC-related restrictions)?

The main use case would be getting into trouble with the authorities.

However, there are a few sub-cases (most of which will still in part fall under the first one)

a) Educational - you can learn a lot about how telecom networks actually work by playing around with your own BTS. However, it would be advisable to do so in a place where your emissions don't interfere with other, legit operators - say, in a mine or something. (I am not being flippant here).

b) Nefarious, non-state: it is trivial to trick any compatible cell phone into connecting to your rogue BTS instead of one belonging to the victim's carrier. This could be done transparently to the victim - ie. you forward his call data to the network at large, MitM-ing him and monitoring his conversations.

c) Nefarious, state actor: Much the same purpose as b), though presumably a (legit) state actor would be able to just serve the telco with a warrant to get at the same data - the exception being, of course, if you were operating on someone else's turf - say, you are some intelligence service operating abroad, eavesdropping on another state's principal actors, for instance.

d) Fun (closely related to a) above) - say, in particular if you operated in an area with no effective RF licencing regime (failed states and offshore springing to mind), you could effectively become your own cell phone carrier, for instance while hosting a conference on a vessel in international waters, allowing participants to use their handsets to get in touch with each other. This option could be utilized either with or without a gateway to the global phone network.

Got it, ok, thanks.

One use case is the GSM network run at the Chaos Communication Congress hacker conference in Hamburg. They created an internal network for the attendees to - among other reasons - communicate for free:


I would say mainly for learning, as long as you first have enough knowledge to set it up to not be detectable outside your property.

But as it develops, it could be useful for building networks in developing countries, or for deploying emergency networks as it will be far lower cost than commercial equipment.

I tried saving this page to the internet archive (in case the blog goes down) but it seems that the owner doesn't allow bots to index/cache/mirror his content.

Archive.is works perfectly fine: https://archive.is/rFOLB

(This is because it's an archiving machine designed for people; it will x-forwarded-for your IP address to the target site as if it were a proxy)

Interestingly, I was able to save the article to Pocket. I guess the Pocket bot doesn't respect robots.txt [0]. :)

Also, did anyone else notice that the title-text for paragraphs (specifically, each <span> element) is in Portuguese? i.e. If you hover over a sentence in the article, the title-text displays its Portuguese translation.

[0] https://blog.strcpy.info/robots.txt

I saved it at Instagram just fine.

I'm a total noob with this kind of network. My question is how to get a phone (without a SIM card, as far as I can tell) to authenticate to your new BTS?

Basically if the phone cannot find a BTS for its normal carrier, it will ask the other BTS that it can find if it can connect. There normally isn't any authentication done to see if the BTS is legit.

This is also what the police stingray devices take advantage of.

You need a GSM Core Network[1]. For more details, you can take a look at HLR and AuC components which are responsible for authentication.

[1] https://en.wikipedia.org/wiki/Network_switching_subsystem#Au...

Basically (as has been pointed out below), authentication is more of an issue in the opposite direction - when the GSM spec was hammered out, carriers were concerned with rogue handsets, not that someone, somewhere would set up a rogue network (as the package in the article pretty much is, at least from the perspective of the established carriers.)

In NMT networks, for instance, ghost handsets were a major issue - you could register onto the network and place calls and the operator would have nowhere to send the bill.

Not such a good idea for ordering pizza, but great for lengthy international calls.

Here in Norway I seem to recall that our national telco simply blocked calls from the NMT cellular network to a number of countries on the assumption that any call placed would be fraudulent, anyway.

The network could blindly accept any phone, and distinguish by IMEI (phone identification) instead of IMSI (subscriber identification), I think. But as the former doesn't have any cryptographic authentication, it's trivially easy to spoof a different identity.

To have "proper" user authentication, you could just buy blank SIM cards which you can provision with keys and identification as you see fit.
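The attach and authentication flow discussed in the comments above (cell selection with no check on the BTS, the HLR/AuC holding Ki per IMSI, the one-way direction of GSM authentication, and provisioning your own SIM records), as an added example that is not code from the article, YateBTS, or any commenter. HMAC-SHA256 stands in for the SIM's A3/A8 (real SIMs run an operator-chosen algorithm, historically COMP128), cell selection is reduced to "strongest cell claiming my home PLMN", and every IMSI, Ki and PLMN value is constructed; all of those are assumptions, not facts from the page.

```python
"""Toy model of GSM attach and authentication (added example, not code from the
article, YateBTS or any commenter). Assumptions: HMAC-SHA256 stands in for the
SIM's A3/A8; cell selection is "strongest cell claiming my home PLMN"; every
IMSI, Ki and PLMN below is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for A3/A8 (assumption: HMAC, not the SIM's real algorithm).
    Returns (SRES, Kc): the 32-bit response and the 64-bit A5 session key."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


@dataclass
class Sim:
    imsi: str
    ki: bytes  # 128-bit secret shared only with the home HLR/AuC

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        # The SIM answers any 16-byte RAND. Nothing in the challenge lets it tell
        # the home network from a rogue BTS: GSM authenticates the subscriber only.
        return a3_a8(self.ki, rand)


@dataclass
class GsmCore:
    """The HLR/AuC side: Ki per IMSI, plus a switch to skip authentication
    entirely, which is what an open experimental network effectively does."""
    auth_required: bool = True
    ki_by_imsi: Dict[str, bytes] = field(default_factory=dict)

    def provision(self, imsi: str, ki: bytes) -> None:
        """Add a subscriber record: the network half of programming a blank SIM."""
        self.ki_by_imsi[imsi] = ki

    def location_update(self, sim: Sim) -> dict:
        """Network-side handling of a Location Updating Request."""
        if not self.auth_required:
            # No challenge at all. Kc is unknown, so only A5/0 (no ciphering) is possible.
            return {"accepted": True, "authenticated": False, "cipher": "A5/0"}
        ki = self.ki_by_imsi.get(sim.imsi)
        if ki is None:
            return {"accepted": False, "authenticated": False, "cipher": None}
        rand = secrets.token_bytes(16)              # AUTHENTICATION REQUEST
        sres_expected, _kc = a3_a8(ki, rand)
        sres, _kc_ms = sim.run_gsm_algorithm(rand)  # AUTHENTICATION RESPONSE
        ok = hmac.compare_digest(sres, sres_expected)
        # The network alone picks the cipher (CIPHERING MODE COMMAND); A5/1 here is
        # an assumed operator choice.
        return {"accepted": ok, "authenticated": ok, "cipher": "A5/1" if ok else None}


@dataclass
class Cell:
    plmn: str      # MCC+MNC broadcast in the clear on the BCCH, unauthenticated
    rssi_dbm: int  # what the handset measures
    core: GsmCore


def select_cell(cells: List[Cell], home_plmn: str) -> Optional[Cell]:
    """Simplified handset cell selection: strongest cell claiming the home PLMN.
    The PLMN id is unsigned, so a louder rogue cell claiming it wins."""
    candidates = [c for c in cells if c.plmn == home_plmn]
    return max(candidates, key=lambda c: c.rssi_dbm, default=None)


def attach(sim: Sim, cells: List[Cell], home_plmn: str) -> dict:
    """Handset-side attach: pick a cell, then do whatever its core asks."""
    cell = select_cell(cells, home_plmn)
    if cell is None:
        return {"cell": None, "accepted": False, "authenticated": False, "cipher": None}
    result = cell.core.location_update(sim)
    result["cell"] = cell
    return result


def demo() -> dict:
    """Home network with a provisioned test SIM versus a louder rogue cell."""
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key
    home = GsmCore(auth_required=True)
    home.provision("001010000000001", ki)  # 001/01 is the test PLMN
    phone = Sim("001010000000001", ki)
    legit = Cell("00101", -85, home)
    rogue = Cell("00101", -60, GsmCore(auth_required=False))  # same PLMN, louder, no Ki
    return attach(phone, [legit, rogue], "00101")


if __name__ == "__main__":
    r = demo()
    print("camped on rogue:", not r["cell"].core.auth_required,
          "| accepted:", r["accepted"], "| authenticated:", r["authenticated"],
          "| cipher:", r["cipher"])
```

Running `demo()` shows the asymmetry the thread describes: the home core rejects an unknown IMSI or a wrong Ki, but the handset camps on whichever cell claims its PLMN most loudly and accepts a Location Updating Accept from a core that never issued a challenge and can only offer A5/0. (Later generations addressed exactly this: UMTS and LTE AKA include an AUTN token that the USIM verifies before answering.)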


The phones have SIM cards (subscriber identification modules). However, they are not authenticated by this network to see if they are paying customers or whatever because this is an experiment.

How does YateBTS compare to Osmocom?

Has anyone seen an SDR based 'cellphone' type device out of curiosity?

Huh, his RPi3 came out of the box with heat sinks?

There are several kits (like the Canokit) that come with them.

