Building your own Rogue GSM Basestation with a BladeRF

Over on his blog, author Simone Margaritelli has added a tutorial that shows how to set up a bladeRF to act as a GSM basestation (cell tower). Having your own GSM basestation allows you to create your own private and free GSM network, or for more malicious illegal users it can allow you to create a system for intercepting people's calls and data. Simone stresses that it is well known that GSM security is broken (and is probably broken by design), and that it is about time these flaws were fixed.

In his tutorial he uses a single bladeRF x40 and a Raspberry Pi 3 as the processing hardware. The bladeRF is a $420 transmit and receive capable software defined radio with a tuning range of 300 MHz – 3.8 GHz and a 12-bit ADC. He also uses a battery pack, which makes the whole thing portable. The software used is Yate and YateBTS, which are open source GSM basestation software. Installation as shown in the tutorial is as simple as doing a git clone, running a few compilation lines and doing some simple text configuration. Once set up, mobile phones will automatically connect to the basestation due to the design of GSM.

Once set up, you can go further and create your own private GSM network, or make the whole thing act as a “man-in-the-middle” proxy to a legitimate GSM USB dongle, which would allow you to sniff the traffic of anyone who unknowingly connects to your basestation. This is similar to how a “Stingray” operates, which is an IMSI-catcher device used by law enforcement to intercept and track GSM communications. More information on using the bladeRF as an IMSI catcher with YateBTS can be found in this white paper.

bladeRF x40, Raspberry Pi 3 and a battery pack. Running a GSM basestation.

A Good Quickstart Guide for RTL-SDR Linux Users

Recently we found this excellent quick start guide by Kenn Ranous which shows how to set up various RTL-SDR related software programs on (Debian) Linux. The guide shows how to install the drivers, how to install and set up GQRX, CubicSDR, dump1090, Virtual Radar Server, QSpectrum Analyzer and SDR Trunk.

If you are struggling with getting an RTL-SDR to work on a Linux system then this should be a very good starting point.

The guide can be found on Kenn’s blog at https://ranous.wordpress.com/rtl-sdr4linux.


YouTube Tutorial about using the BladeRF for Several Experiments

On YouTube user CrazyDanishHacker has been uploading some tutorial videos showing how to perform several experiments with the BladeRF. Some things he shows are GPS spoofing, broadcasting digital TV, getting 124 MHz bandwidth, using spectrum painter and how to use the BladeRF on Windows 10, Kali Linux and Ubuntu.

You might remember CrazyDanishHacker from our previous post about his in-depth YouTube tutorial on GSM sniffing and cracking. That series now appears to be complete, ending on episode #16 of his software defined radio series. The BladeRF tutorials start on episode #17.

The bladeRF is a $420 software defined radio which is capable of transmit and receive. It uses a LimeMicro LMS6002D chip, which has a 12-bit ADC and a tuning range of 300 MHz – 3.8 GHz. Along with the HackRF we eventually expect that it will be superseded by the upcoming LimeSDR.

BladeRF + SDR# on Windows 10 - Software Defined Radio Series #17

RTLSDR4Everyone: Preliminary Review of the ThumbNet N3 Prototype

A few weeks ago we posted about ThumbNet's announcement of their new N3 RTL-SDR dongles. The main theme of the new dongles is lower noise, as can be seen by their decision to disable the on-board switch mode power supply and add an external power port for powering the dongle from a clean power supply.

Akos from the RTLSDR4Everyone blog received a prototype sample of the N3 for an initial review. In his review he shows some close up shots of the N3 PCB, and does a quick test on receiving some signals. His screenshots show that the noise floor is indeed very low, and that many noisy spurs are eliminated or at least significantly reduced.

Once ThumbNet release their actual commercial units we intend to produce our own review as well.

ThumbSat is a company hoping to enable experimenters to get low cost mini satellites into orbit for about $20k. To support the need for global RX of these satellites they have the ThumbNet project which utilizes RTL-SDR dongles as the receiver. They aim to provide schools and eligible volunteers around the world with free RX hardware to receive and record the data coming from these satellites.

Generic RTL-SDR and the ThumbNet N3


FPGAs for DSP and Software-Defined Radio: Short Course at UCLA

The University of California, Los Angeles is hosting a 3-day hands-on short course on using SDRs like the RTL-SDR with FPGA hardware and MATLAB Simulink. This is a course with a high knowledge prerequisite, so you will likely need qualifications and/or knowledge equivalent to a bachelor's degree in Electrical/Computer Engineering to be able to understand the material. It is mainly intended for DSP and Communications Engineers, HDL designers, FPGA engineers, RF engineers, and systems engineers. The course runs for 3 days between 10 – 12 October. The main blurb of the course is described below:

One of the main aims of this course is to demonstrate the workflow required to take floating point Simulink receivers (such as the ones presented in the book) and target them onto SDR hardware. This means converting to fixed point, generating HDL code, and then packaging it into something that can be deployed to ZynqSDR hardware.

In this short course we will present, review, simulate then implement real-time DSP enabled software defined radios (SDR) on laptops, Raspberry Pis, Xilinx (Zynq) SoC FPGAs with RF transceivers. The design, simulation and implementation will take the form of a complete model based design work-flow from within MathWork’s MATLAB and Simulink software tools. The course will ensure attendees are educated in key relevant multi-rate DSP algorithms and techniques, in communications modulation methods, quadrature/QAM transceiver designs, and timing and synchronisation. The first part of the course will educate on DSP and communications, followed by a second part on FPGA systems implementation (focussing on Xilinx Zynq SoC) and introduce MathWorks Embedded and HDL Coder methods for hardware targeting. In the third and final part of the course we will develop real-time ‘desktop’ implementations of SDR transceivers using a model based design flow. We will start with floating point designs, which will evolve to fixed point, and then undergo final code generation stages with the Embedded and HDL Coder packages prior to FPGA deployment.

All attendees on the course will use (and take home!) an RTL-SDR device (which tunes from 25MHz to 1.75GHz) and have access to a Raspberry Pi and Zynq SDR kits in class hosting the RTL-SDR device and a wideband FMComms RF card respectively. The class format will be 40% lecture, 20% live SDR demonstration and 40% hands-on ‘desktop SDR’ using software and SDR hardware.

This course is related to the desktopsdr.com text book which was released September 2015. The physical copy of the book can be purchased on Amazon, or downloaded for free in pdf form on their desktopsdr.com website.

Download the book at desktopsdr.com

Introduction to Signal Analysis Baltimore-DC Course Live Stream and Recorded Videos

Earlier in the month we posted about the “Unallocated Space” free four week class on signal analysis taking place in the Baltimore-DC area. The course has now started and they are live streaming the lectures and saving them on YouTube. The first two classes have already passed, and two videos are uploaded.

The first class went over installing the RTL-SDR as well as showing a few examples of decoding some signals. The second class covers various modulation types and digital encoding schemes. They show how to learn how to identify various digital signals by listening to them and viewing them on the waterfall. The class slides are also available on links placed in the video description.

The third and fourth classes have not yet streamed. The third class will be live streamed on October 4, 7PM local time. Visit their YouTube channel for the videos. 

Introduction to Signal Analysis Week 1

Introduction to Signal Analysis Week 2

Titus II Expression of Interest Form Available Now

Earlier in the month we posted about the Titus II SDR. The Titus II is an upcoming full SDR solution, including a wideband 100 kHz to 2 GHz SDR, Android tablet with touchscreen and speakers. They write that the price will be under $100 USD.

The High Frequency Co-Ordination Conference (HFCC) is a group active in informal co-ordination of frequency channels used in short wave broadcasting. The HFCC appear to be helping with the release of the Titus II, and they now have an online expression of interest form available on their Titus II page. The form is labelled “Pre-order”, but there is no payment or contract present, so it is more like an expression of interest. They write:

The Titus II – an Android tablet computer with wideband SDR receiver – was unveiled for the first time at the B16 HFCC/ASBU conference in Miami, Florida, 22-26 August 2016.

The receiver has been the result of cooperation between Trans World Radio (TWR) and PantronX.

The HFCC is assisting in collecting the demand/pre-orders.

Availability: Pre-production batch – 4Q/2016, regular production – 1Q/2017

Price: Under 100USD plus shipping and local duty/taxes not included

Payment methods: Wire transfer for larger quantities, PayPal works too, but the buyers would need to add PayPal bank fees

An initial order sufficient to start the production has already been placed and production will start irrespective of the amount pre-ordered via this page. Pre-order is not binding and you are NOT asked to send any advanced payment or credit card number to secure the pre-order.


[First seen on swling.com]

More Reports and Tests on the RTL-SDR V3

Recently we sent document author “D. B. Gain” a sample RTL-SDR V3, so that he could write a review and guide on it. The guide is now available at http://www.udxf.nl/ute-info.html; the link to the guide is labelled “The RTL-SDR V3” and is under the “HOW TO …” section. The guide reviews the V3 and tests it out on reception of HF signals. He uses an off-center-fed dipole up around 30ft, RG6 cable TV coax feedline and a Barker and Williamson 30 MHz low pass filter. He writes this valuable piece of advice:

The larger the antenna system, the greater the gain – usually. It doesn’t take too much RF to overload the V3 dongle, so a 20ft piece of wire will do better than say a 430ft wire loop atop some phone poles. Use an attenuator if you have one. Remember the issue with AMBC swamping where AM stations pop up in various parts of the HF spectrum and use a preselector and/or attenuator if you can. Shortwave broadcast stations can also create spurs in the V3. Some radio parts houses carry a variable attenuator meant for cable TV or VCR player use that can be employed at HF with the use of some F to UHF (or whatever connector your antenna system employs) adaptor; this can be installed in the antenna system and adjusted to result in the least usable signal getting to the V3, which assures best dynamic range. Then one would adjust the FFT Spectrum gain in your SDR control app of choice to the best level on a quiet band, say 14MHz. This will ensure you don’t have to mess with adjusting the gain on lower frequency bands just to keep the band noise baseline above the bottom of the FFT window.

Mr. “Gain” has also uploaded several other screenshots of the V3 in action on HF in this gallery.

The RTL-SDR V3 receiving ham radio signals on 40m.

Mikael Dagman (SA6BSS) also wrote in to let us know about how he’s been using the V3 to receive WSPR. He writes:

For an experiment I have set up an SDRplay and an RTL blog v3 dongle fed from the same antenna (Butternut HF9) through an antenna splitter, grabbing QRSS signals on 40m; on the v3 I added a BPF. The v3 is run from SDR# Q-branch with RTL AGC on, and both radios feed separate instances of Spectrum Lab, doing WSPR at the same time on both radios. There is hardly any difference, maybe one spot out of ten the RSP gets 1 dB more in S/N. Without the filter the v3 is completely falling apart, but with the filter inline I am more than impressed!!

I will stay on 40m for a couple of days trying to catch a ZL station tx:ing with 1.1W QRSS with the v3 (that’s 16000 km away). I will then QSY to 30m with the v3, where there are more signals to look at.

Spectrum available here: http://www.qsl.net/sa6bss/
You can see that the bottom spectrum has the name RTL in the upper left corner.

Over on YouTube Leif (SM5BSZ) has also uploaded a video where he compares the performance of the RTL-SDR V3 with the Airspy+SpyVerter. Of course the V3 cannot compete with the higher end Airspy, but still performs decently enough for a beginner. If you are strapped for time, the results are concluded at about 28 minutes.