Differences

This shows you the differences between two versions of the page.

--- project:srsranda [2023/12/06 21:21] – [LTE sniffing download and upload via SDR] abyssal
+++ project:srsranda [2025/03/13 14:21] (current) – fix templatere plugin invocation root
@@ Line 1: / Line 1: @@
 ====== SrsRANda ======
-{{template>infobox|
+{{template>~infobox|
 name=Srsranda|
 image=srsranda_project_logo.png?200||
@@ Line 24: / Line 24: @@
 **BE WARNED, this project is NIGHTMARE level of difficulty** to get things running.
+I repeat, **NIGHTMARE difficulty**. Still somehow easier than ''brmlelect''.
 ===== Why the name SrsRANda =====
@@ Line 52: / Line 54: @@
 ===== Radios supported (SDRs), currently available =====
-  * 1x ADALM PLUTO SDR (56 MHz bandwidth)
+  * 1x ADALM PLUTO SDR (56 MHz bandwidth) - note this [[https://www.quantulum.co.uk/blog/private-lte-with-analog-adalm-pluto/#|requires FW reflashing, rebuild SoapySDR and possibly using external clock]], otherwise wonky due to lack of timestamping and bad oscillator Rakon 513371 with an accuracy of +/- 25ppm (should be +/- 0.25ppm for LTE), avoiding sluggish original IIO daemon
-  * 2x HackRF (20 MHz bandwidth, only half-duplex)
+  * 2x HackRF (20 MHz bandwidth, only half-duplex, not suitable for some functions)
   * 1x BladeRF (112 MHz bandwidth)
   * 1-2x LimeSDR (61.44 MHz per RX/TX port, so 2x61.4MHz RX; 2 RX and 2 TX ports, RX ports have 3 antennas each, TX ports have 2 antennas each)
-  * 1x LimeSDR mini
+  * 1x LimeSDR mini (not tested yet)
 Currently working with Pluto, HackRF and LimeSDR.
+<note>
+Pluto is not supported out-of-the-box. It has drifting oscillator and no timestamping. There is a fix (requires flashing firmware, rebuild of soapy, changing or using GPSDO as clock) - [[https://www.quantulum.co.uk/blog/private-lte-with-analog-adalm-pluto/ | blog detailing changes required ]].
+</note>
 **Antennas in use:**
@@ Line 272: / Line 278: @@
 </code>
-==== Running ENB (base station) ====
+==== Running eNB (base station) ====
-Use ''srsenb'' command. Needs to have config correct, otherwise you'll get shitton of errors, like shown below (ENB not yet configured properly, one of missing parts are TX antenna names)
+First, ''srsepc'' is needed which runs non-radio part of LTE Core Network. This includes [[https://docs.srsran.com/projects/4g/en/latest/usermanuals/source/srsepc/source/1_epc_intro.html | database of users, HHS, MME and SP-GW internet gateway]].
-Example of **incorrect** output:
+You need to run it as root because it create TUN/TAP interface. Seems to work in docker.
+Default DB contains only few entries, if you want different MCC, MNC, LAC, TAC, PCI, you'll have to add it to DB/config.
+<code>
+# srsepc
+Built in Release mode using commit fa56836b1 on branch master.
+---  Software Radio Systems EPC  ---
+Couldn't open , trying /root/.config/srsran/epc.conf
+Reading configuration file /root/.config/srsran/epc.conf...
+Couldn't open user_db.csv, trying /root/.config/srsran/user_db.csv
+HSS Initialized.
+MME S11 Initialized
+MME GTP-C Initialized
+MME Initialized. MCC: 0xf001, MNC: 0xff01
+SPGW GTP-U Initialized.
+SPGW S11 Initialized.
+SP-GW Initialized.
+Received S1 Setup Request.
+S1 Setup Request - eNB Name: srsenb01, eNB id: 0xZZZ
+S1 Setup Request - MCC:ZZZ, MNC:ZZ
+S1 Setup Request - TAC ZZZZ, B-PLMN 0xf110
+S1 Setup Request - Paging DRX v128
+Sending S1 Setup Response
+SCTP Association Shutdown. Association: 82
+Deleting eNB context. eNB Id: 0xZZZ
+...
+</code>
+Then use ''srsenb'' on the same machine to run the SDR part of network
-TODO: get ENB working
 <code>
 % srsenb
-Active RF plugins: libsrsran_rf_uhd.so libsrsran_rf_soapy.so libsrsran_rf_zmq.so
+$ ./srsenb/src/srsenb
+Active RF plugins: libsrsran_rf_uhd.so libsrsran_rf_soapy.so
 Inactive RF plugins:
 ---  Software Radio Systems LTE eNodeB  ---
-Couldn't open , trying [...]/.config/srsran/enb.conf
+Couldn't open , trying /home/gnuradio/.config/srsran/enb.conf
-Reading configuration file [...]/.config/srsran/enb.conf...
+Reading configuration file /home/gnuradio/.config/srsran/enb.conf...
-Couldn't open sib.conf, trying [...]/.config/srsran/sib.conf
+Couldn't open sib.conf, trying /home/gnuradio/.config/srsran/sib.conf
-Couldn't open rr.conf, trying [...]/.config/srsran/rr.conf
+Couldn't open rr.conf, trying /home/gnuradio/.config/srsran/rr.conf
-Couldn't open rb.conf, trying [...]/.config/srsran/rb.conf
+Couldn't open rb.conf, trying /home/gnuradio/.config/srsran/rb.conf
 WARNING: cpu0 scaling governor is not set to performance mode. Realtime processing could be compromised. Consider setting it to performance mode before running the application.
 Failed to `mlockall`: {}
-Built in Release mode using commit fa56836b1 on branch master.
+Built in Release mode using commit ec29b0c1f on branch master.
 Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
 Opening 1 channels in RF device=default with args=default
-connect(): Connection refused
+Supported RF device list: UHD soapy file
-Supported RF device list: UHD soapy zmq file
 Trying to open RF device 'UHD'
-Failed to initiate S1 connection. Attempting reconnection in 10 seconds
+[INFO] [UHD] linux; GNU C++ version 11.2.0; Boost_107400; UHD_4.1.0.5-3
-[INFO] [UHD] linux; GNU C++ version 9.2.1 20200304; Boost_107100; UHD_3.15.0.0-2build5
 [INFO] [LOGGING] Fastpath logging disabled at runtime.
+[ERROR] avahi_client_new() failed: Daemon not running
-RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.
+[ERROR] avahi_client_new() failed: Daemon not running
+[WARNING] Unable to scan ip: -19
 Opening USRP channels=1, args:
 [INFO] [UHD RF] RF UHD Generic instance constructed
+[ERROR] avahi_client_new() failed: Daemon not running
+[WARNING] Unable to scan ip: -19
-RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.
+[INFO] [UHDSoapyDevice] Make connection: 'LimeSDR-USB [USB 3.0] 9060B00492D13'
+[INFO] [UHDSoapyDevice] Reference clock 30.72 MHz
+[INFO] [UHDSoapyDevice] Device name: LimeSDR-USB
-RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.
+[INFO] [UHDSoapyDevice] Reference: 30.72 MHz
+[INFO] [UHDSoapyDevice] LMS7002M register cache: Disabled
+[INFO] [UHDSoapyDevice] RX LPF configured
-RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.
+[INFO] [UHDSoapyDevice] RX LPF configured
+[INFO] [UHDSoapyDevice] Filter calibrated. Filter order-4th, filter bandwidth set to 5 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
-[INFO] [UHDSoapyDevice] Using format CF32.
+[INFO] [UHDSoapyDevice] TX LPF configured
-[INFO] [UHDSoapyDevice] Using format CF32.
+[INFO] [UHDSoapyDevice] Filter calibrated. Filter order-4th, filter bandwidth set to 5 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
+[INFO] [UHDSoapyDevice] TX LPF configured
 RF device 'UHD' successfully opened
-[...]/prog/Pluto-SDR_projects/docker-persistent/srsRAN_4G.new_with_GUI/lib/src/phy/rf/rf_uhd_imp.cc:315: UHD unhandled event code 64
+Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
+Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
+Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
 Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
 ==== eNodeB started ===
 Type <t> to view trace
-[INFO] [UHDSoapyDevice] Using format CF32.
+[INFO] [UHDSoapyDevice] RX LPF configured
-[INFO] [UHDSoapyDevice] Using format CF32.
+[INFO] [UHDSoapyDevice] RX LPF configured
-Setting frequency: DL=2680.0 Mhz, UL=2560.0 MHz for cc_idx=0 nof_prb=50
+[INFO] [UHDSoapyDevice] Filter calibrated. Filter order-4th, filter bandwidth set to 11.52 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
-[ERROR] [UHD RF] UHDSoapyRxStream::issue_stream_cmd() = -5
+[INFO] [UHDSoapyDevice] TX LPF configured
+[INFO] [UHDSoapyDevice] Filter calibrated. Filter order-4th, filter bandwidth set to 11.52 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
+[INFO] [UHDSoapyDevice] TX LPF configured
+Setting frequency: ...
+[INFO] [UHDSoapyDevice] Tx calibration finished
+[INFO] [UHDSoapyDevice] Rx calibration finished
+[INFO] [UHD RF] Tx while waiting for EOB, timed out... 64.2848 >= 64.2843. Starting new burst...
 </code>
+TODO: signal drifted
 ===== Waterfall examples for UE (cellphones) and ENB (base stations) =====
@@ Line 356: / Line 407: @@
 ===== LTE sniffing =====
-==== LTE sniffing download and upload via SDR ====
+==== LTE sniffing downlink and uplink via SDR ====
 These experiments were carried out using 3 SDR radios:
@@ Line 363: / Line 414: @@
   * Lime SDR
   * Hack RF
+Only LimeSDR seems to work with LTESniffer and only in downlink mode (ENB->UE) which is still enough to get lot of control messages and metadata. Remember you need to use UHD >= 4.0 and avoid using srsRAN from system, use the one included in LTESniffer.
+Example output showing a UE (phone) disconnecting from ENB and losing security context where it can be attacked by fake base station (such ENB can be made from srsENB).
+{{:project:ltesniffer_limesdr_downlink.png?800|}}
+Uplink requires 2 RX chains because modulation of UE needs to be bruteforced (it's secret value, but only few values are possible). LimeSDR theoretically could be used, but would require code change and preparation for the clock sync. At the moment only USRP X310 or two USRP B200 with GPSDO are known to work. LimeSDR can be flashed to work as USRP B200, but you'd need two without changing code (also it's not the main branch, but separate multi-usrp branch in LTESniffer)
 I obtained uplink/downlink of my own phone's LTE channels using [[https://apkpure.com/cellular-z/make.more.r2d2.cellular_z | Cellular Z]] application. Each channel is 20 MHz wide.
-MHz is bandwidth that fits Pluto SDR, Lime SDR and also HackRF.
+=== LTE channel sniff manual without decode ===
+MHz is LTE channel bandwidth that fits Pluto SDR, Lime SDR and also HackRF.
 Used tools: [[https://www.sdrpp.org/| SDR++]] and HackRF's Portapack. Antennas used were mostly [[https://cz.mouser.com/ProductDetail/960-TG.30.8113|Taoglas 700-2700 MHz +3.8 dBi]], along with few others 700-2700 multiband antennas.