Differences

This shows you the differences between two versions of the page.

--- project:srsranda [2023/12/06 16:50] – [LTE sniffing download and upload via SDR] abyssal
+++ project:srsranda [2025/03/13 14:21] (current) – fix templatere plugin invocation root
@@ Line 1: / Line 1: @@
 ====== SrsRANda ======
-{{template>infobox|
+{{template>~infobox|
 name=Srsranda|
 image=srsranda_project_logo.png?200||
@@ Line 23: / Line 23: @@
   * ENB = base station (BTS)
+**BE WARNED, this project is NIGHTMARE level of difficulty** to get things running.
+I repeat, **NIGHTMARE difficulty**. Still somehow easier than ''brmlelect''.
 ===== Why the name SrsRANda =====
@@ Line 44: / Line 47: @@
   * [[https://www.srsran.com/4g|SrsRAN 4G]] - setup of SrsRAN 4G, general info
+Almost all software listed below is based on SrsRAN 4G, be warned that things like Falcon have modified version of SrsRAN
+**Extremely hard, nightmare mode** to configure correctly (see below).
 ===== Radios supported (SDRs), currently available =====
-  * 1x ADALM PLUTO SDR (56 MHz bandwidth)
+  * 1x ADALM PLUTO SDR (56 MHz bandwidth) - note this [[https://www.quantulum.co.uk/blog/private-lte-with-analog-adalm-pluto/#|requires FW reflashing, rebuild SoapySDR and possibly using external clock]], otherwise wonky due to lack of timestamping and bad oscillator Rakon 513371 with an accuracy of +/- 25ppm (should be +/- 0.25ppm for LTE), avoiding sluggish original IIO daemon
-  * 2x HackRF (24 MHz bandwidth, only half-duplex)
+  * 2x HackRF (20 MHz bandwidth, only half-duplex, not suitable for some functions)
   * 1x BladeRF (112 MHz bandwidth)
-  * 1-2x LimeSDR (61.44 MHz, 4 RX/TX antennas
+  * 1-2x LimeSDR (61.44 MHz per RX/TX port, so 2x61.4MHz RX; 2 RX and 2 TX ports, RX ports have 3 antennas each, TX ports have 2 antennas each)
-  * 1x LimeSDR mini
+  * 1x LimeSDR mini (not tested yet)
+Currently working with Pluto, HackRF and LimeSDR.
+<note>
+Pluto is not supported out-of-the-box. It has drifting oscillator and no timestamping. There is a fix (requires flashing firmware, rebuild of soapy, changing or using GPSDO as clock) - [[https://www.quantulum.co.uk/blog/private-lte-with-analog-adalm-pluto/ | blog detailing changes required ]].
+</note>
+**Antennas in use:**
+  * 12x [[https://cz.mouser.com/ProductDetail/960-TG.30.8113| Taoglas TG.30.8113 700-2700 +6.8 dBi multiband]] - seriously have look at their [[https://cz.mouser.com/datasheet/2/398/TG_30_8113-3137551.pdf|datasheet]], it's incredible
+  * one 700-2700 MHz, copper body, around +5 dBi
+  * one 700-2700 Mhz light coiled antenna, maybe +3 dBi
 ===== Software =====
@@ Line 59: / Line 77: @@
   * [[https://openlte.sourceforge.net/|OpenLTE page for 3G/4G]]
   * [[https://github.com/mgp25/OpenLTE|OpenLTE GitHub]]
-  * [[https://github.com/kit-cel/gr-lte|gr-lte]] - this is pain, as gnuradio 3.7 is needed, you need to use Osmocom Source for your SDR, use docker 3.7 gnuradio image
+  * [[https://github.com/kit-cel/gr-lte|gr-lte]] - this is pain, as gnuradio 3.7 is needed, you need to use Osmocom Source for your SDR, use docker 3.7 gnuradio image, complete PITA to use
   * [[https://github.com/SysSec-KAIST/LTESniffer| LTESniffer - An Open-source LTE Downlink/Uplink Eavesdropper]] - builds and runs on Ubuntu 20.04, hard to config for Pluto (SDR with more antennas necessary for complete functionality)
-  * [[https://github.com/falkenber9/falcon | FALCON - Fast Analysis of LTE Control channels]] - built on Ubuntu 20.04, but probably will need to buy BladeRF as well
+  * [[https://github.com/falkenber9/falcon | FALCON - Fast Analysis of LTE Control channels]] - built on Ubuntu 20.04, but needs multiple RX antennas to work fully, Lime or Blade SDR necessary, not yet fully working
   * [[https://github.com/git-artes/docker-gnuradio|Docker gnuradio 3.7, 3.8, 3.9 and 3.10 builds]] - they work, but it's fucking Docker, but at least works
   * [[https://www.mathworks.com/help/supportpkg/plutoradio/ug/lte-receiver-using-sdr-pluto.html|Matlab demo on how to decode LTE with Pluto SDR]] - not tested yet
@@ Line 260: / Line 278: @@
 </code>
-==== Running ENB (base station) ====
+==== Running eNB (base station) ====
-Use ''srsenb'' command. Needs to have config correct, otherwise you'll get shitton of errors, like shown below (ENB not yet configured properly, one of missing parts are TX antenna names)
+First, ''srsepc'' is needed which runs non-radio part of LTE Core Network. This includes [[https://docs.srsran.com/projects/4g/en/latest/usermanuals/source/srsepc/source/1_epc_intro.html | database of users, HHS, MME and SP-GW internet gateway]].
-Example of **incorrect** output:
+You need to run it as root because it create TUN/TAP interface. Seems to work in docker.
+Default DB contains only few entries, if you want different MCC, MNC, LAC, TAC, PCI, you'll have to add it to DB/config.
+<code>
+# srsepc
+Built in Release mode using commit fa56836b1 on branch master.
+---  Software Radio Systems EPC  ---
+Couldn't open , trying /root/.config/srsran/epc.conf
+Reading configuration file /root/.config/srsran/epc.conf...
+Couldn't open user_db.csv, trying /root/.config/srsran/user_db.csv
+HSS Initialized.
+MME S11 Initialized
+MME GTP-C Initialized
+MME Initialized. MCC: 0xf001, MNC: 0xff01
+SPGW GTP-U Initialized.
+SPGW S11 Initialized.
+SP-GW Initialized.
+Received S1 Setup Request.
+S1 Setup Request - eNB Name: srsenb01, eNB id: 0xZZZ
+S1 Setup Request - MCC:ZZZ, MNC:ZZ
+S1 Setup Request - TAC ZZZZ, B-PLMN 0xf110
+S1 Setup Request - Paging DRX v128
+Sending S1 Setup Response
+SCTP Association Shutdown. Association: 82
+Deleting eNB context. eNB Id: 0xZZZ
+...
+</code>
+Then use ''srsenb'' on the same machine to run the SDR part of network
-TODO: get ENB working
 <code>
 % srsenb
-Active RF plugins: libsrsran_rf_uhd.so libsrsran_rf_soapy.so libsrsran_rf_zmq.so
+$ ./srsenb/src/srsenb
+Active RF plugins: libsrsran_rf_uhd.so libsrsran_rf_soapy.so
 Inactive RF plugins:
 ---  Software Radio Systems LTE eNodeB  ---
-Couldn't open , trying [...]/.config/srsran/enb.conf
+Couldn't open , trying /home/gnuradio/.config/srsran/enb.conf
-Reading configuration file [...]/.config/srsran/enb.conf...
+Reading configuration file /home/gnuradio/.config/srsran/enb.conf...
-Couldn't open sib.conf, trying [...]/.config/srsran/sib.conf
+Couldn't open sib.conf, trying /home/gnuradio/.config/srsran/sib.conf
-Couldn't open rr.conf, trying [...]/.config/srsran/rr.conf
+Couldn't open rr.conf, trying /home/gnuradio/.config/srsran/rr.conf
-Couldn't open rb.conf, trying [...]/.config/srsran/rb.conf
+Couldn't open rb.conf, trying /home/gnuradio/.config/srsran/rb.conf
 WARNING: cpu0 scaling governor is not set to performance mode. Realtime processing could be compromised. Consider setting it to performance mode before running the application.
 Failed to `mlockall`: {}
-Built in Release mode using commit fa56836b1 on branch master.
+Built in Release mode using commit ec29b0c1f on branch master.
 Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
 Opening 1 channels in RF device=default with args=default
-connect(): Connection refused
+Supported RF device list: UHD soapy file
-Supported RF device list: UHD soapy zmq file
 Trying to open RF device 'UHD'
-Failed to initiate S1 connection. Attempting reconnection in 10 seconds
+[INFO] [UHD] linux; GNU C++ version 11.2.0; Boost_107400; UHD_4.1.0.5-3
-[INFO] [UHD] linux; GNU C++ version 9.2.1 20200304; Boost_107100; UHD_3.15.0.0-2build5
 [INFO] [LOGGING] Fastpath logging disabled at runtime.
+[ERROR] avahi_client_new() failed: Daemon not running
-RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.
+[ERROR] avahi_client_new() failed: Daemon not running
+[WARNING] Unable to scan ip: -19
 Opening USRP channels=1, args:
 [INFO] [UHD RF] RF UHD Generic instance constructed
+[ERROR] avahi_client_new() failed: Daemon not running
+[WARNING] Unable to scan ip: -19
-RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.
+[INFO] [UHDSoapyDevice] Make connection: 'LimeSDR-USB [USB 3.0] 9060B00492D13'
+[INFO] [UHDSoapyDevice] Reference clock 30.72 MHz
+[INFO] [UHDSoapyDevice] Device name: LimeSDR-USB
-RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.
+[INFO] [UHDSoapyDevice] Reference: 30.72 MHz
+[INFO] [UHDSoapyDevice] LMS7002M register cache: Disabled
+[INFO] [UHDSoapyDevice] RX LPF configured
-RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.
+[INFO] [UHDSoapyDevice] RX LPF configured
+[INFO] [UHDSoapyDevice] Filter calibrated. Filter order-4th, filter bandwidth set to 5 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
-[INFO] [UHDSoapyDevice] Using format CF32.
+[INFO] [UHDSoapyDevice] TX LPF configured
-[INFO] [UHDSoapyDevice] Using format CF32.
+[INFO] [UHDSoapyDevice] Filter calibrated. Filter order-4th, filter bandwidth set to 5 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
+[INFO] [UHDSoapyDevice] TX LPF configured
 RF device 'UHD' successfully opened
-[...]/prog/Pluto-SDR_projects/docker-persistent/srsRAN_4G.new_with_GUI/lib/src/phy/rf/rf_uhd_imp.cc:315: UHD unhandled event code 64
+Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
+Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
+Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
 Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
 ==== eNodeB started ===
 Type <t> to view trace
-[INFO] [UHDSoapyDevice] Using format CF32.
+[INFO] [UHDSoapyDevice] RX LPF configured
-[INFO] [UHDSoapyDevice] Using format CF32.
+[INFO] [UHDSoapyDevice] RX LPF configured
-Setting frequency: DL=2680.0 Mhz, UL=2560.0 MHz for cc_idx=0 nof_prb=50
+[INFO] [UHDSoapyDevice] Filter calibrated. Filter order-4th, filter bandwidth set to 11.52 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
-[ERROR] [UHD RF] UHDSoapyRxStream::issue_stream_cmd() = -5
+[INFO] [UHDSoapyDevice] TX LPF configured
+[INFO] [UHDSoapyDevice] Filter calibrated. Filter order-4th, filter bandwidth set to 11.52 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
+[INFO] [UHDSoapyDevice] TX LPF configured
+Setting frequency: ...
+[INFO] [UHDSoapyDevice] Tx calibration finished
+[INFO] [UHDSoapyDevice] Rx calibration finished
+[INFO] [UHD RF] Tx while waiting for EOB, timed out... 64.2848 >= 64.2843. Starting new burst...
 </code>
+TODO: signal drifted
 ===== Waterfall examples for UE (cellphones) and ENB (base stations) =====
@@ Line 344: / Line 407: @@
 ===== LTE sniffing =====
-==== LTE sniffing download and upload via SDR ====
+==== LTE sniffing downlink and uplink via SDR ====
 These experiments were carried out using 3 SDR radios:
@@ Line 352: / Line 415: @@
   * Hack RF
-I obtained uplink/downlink of my own phone's LTE channels using [[https://apkpure.com/cellular-z/make.more.r2d2.cellular_z | Cellular Z]] application. Each channel is 20 MHz wide.
+Only LimeSDR seems to work with LTESniffer and only in downlink mode (ENB->UE) which is still enough to get lot of control messages and metadata. Remember you need to use UHD >= 4.0 and avoid using srsRAN from system, use the one included in LTESniffer.
-Cellular Z sample screenshot:
+Example output showing a UE (phone) disconnecting from ENB and losing security context where it can be attacked by fake base station (such ENB can be made from srsENB).
-{{:project:cellular_z_bands.png?300|}}
+{{:project:ltesniffer_limesdr_downlink.png?800|}}
-MHz is bandwidth that fits Pluto SDR, Lime SDR and also HackRF.
+Uplink requires 2 RX chains because modulation of UE needs to be bruteforced (it's secret value, but only few values are possible). LimeSDR theoretically could be used, but would require code change and preparation for the clock sync. At the moment only USRP X310 or two USRP B200 with GPSDO are known to work. LimeSDR can be flashed to work as USRP B200, but you'd need two without changing code (also it's not the main branch, but separate multi-usrp branch in LTESniffer)
+I obtained uplink/downlink of my own phone's LTE channels using [[https://apkpure.com/cellular-z/make.more.r2d2.cellular_z | Cellular Z]] application. Each channel is 20 MHz wide.
+=== LTE channel sniff manual without decode ===
+MHz is LTE channel bandwidth that fits Pluto SDR, Lime SDR and also HackRF.
 Used tools: [[https://www.sdrpp.org/| SDR++]] and HackRF's Portapack. Antennas used were mostly [[https://cz.mouser.com/ProductDetail/960-TG.30.8113|Taoglas 700-2700 MHz +3.8 dBi]], along with few others 700-2700 multiband antennas.
@@ Line 364: / Line 433: @@
 Example of download and upload as seen on frequency spectrum, this is uplink channel, but since TCP/IP requires sending data back, download is visible on uplink channel as well:
-**Download**
+**Download, recorded with PlutoSDR and LimeSDR**
+Hence 20 MHz vs 61 MHz bandwidth difference
 {{:project:pluto_sdr_download.png?800|}}
-**Upload**
+{{:project:limesdr_lte_download.png?800|}}
+**Upload, recorded with PlutoSDR and LimeSDR**
+Hence again 20 MHz vs 61 MHz bandwidth difference
 {{:project:pluto_sdr_upload.png?800|}}
+{{:project:limesdr_lte_upload.png?800|}}
 ===== Images of SDRs and antennas' setup  =====
@@ Line 382: / Line 459: @@
 {{:project:hackrf_with_taoglas_antenna.jpeg?600|}}
-**LimeSDR before Taoglas antennas arrived, now populated all RX channels with Taoglas**
+**LimeSDR photo TODO**
-{{:project:lime_sdr_before_adding_taoglas_antennas.jpg?600|}}
+===== LTE Cell tracker HOWTO  =====