~~META: status = active &relation firstimage = :project:projectlogo.png ~~

Project is aimed at creation of SDR (software-defined radio) to demodulate, decode 4G/5G/LTE, and understand own LTE newtork.

• UE = cell (phone)
• ENB = base station (BTS)

It's word play on two things:

• SrsRAN (one of the projects it will be mainly based on)
• “sranda” in CZ/SK means “fun” in EN

Thus, SrsRANda means “fun with SrsRAN”, or “fun with LTE RAN via SrsRAN”

To create understanding of LTE, do UDP sink into Wireshark, also maybe create own tiny LTE network somewhere in radio-proof basement.

I made following logo in about 7 minutes in GIMP, it's TODO, just copypasta of 2 images and piece of text.

• SrsRAN 4G - setup of SrsRAN 4G, general info

Almost all software listed below is based on SrsRAN 4G, be warned that things like Falcon have modified version of SrsRAN

Extremely hard, nightmare mode to configure correctly (see below).

• 1x ADALM PLUTO SDR (56 MHz bandwidth)
• 2x HackRF (20 MHz bandwidth, only half-duplex)
• 1x BladeRF (112 MHz bandwidth)
• 1-2x LimeSDR (61.44 MHz, 2 RX and 2 TX ports, RX ports have 3 antennas each, TX ports have 2 antennas each)
• 1x LimeSDR mini

Antennas in use:

• 12x Taoglas 700-2700 +6.8 dBi multiband - seriosly have look at their datasheet, it's incredible
• one 700-2700 MHz, copper body, around +5 dBi
• one 700-2700 Mhz light coiled antenna, maybe +3 dBi

• SrsRAN 4G - UE works, ENB TODO
• Open BTS/Cell tracker - works
• OpenLTE page for 3G/4G
• OpenLTE GitHub
• gr-lte - this is pain, as gnuradio 3.7 is needed, you need to use Osmocom Source for your SDR, use docker 3.7 gnuradio image, complete PITA to use
• LTESniffer - An Open-source LTE Downlink/Uplink Eavesdropper - builds and runs on Ubuntu 20.04, hard to config for Pluto (SDR with more antennas necessary for complete functionality)
• FALCON - Fast Analysis of LTE Control channels - built on Ubuntu 20.04, but needs multiple RX antennas to work fully, Lime or Blade SDR necessary, not yet fully working
• Docker gnuradio 3.7, 3.8, 3.9 and 3.10 builds - they work, but it's fucking Docker, but at least works
• Matlab demo on how to decode LTE with Pluto SDR - not tested yet
• others TODO

UHD can be used for many devices, such as Pluto, LimeSDR, HackRF, etc.

PlutoSDR (iio and UHD):

% iio_info -s               
Available contexts:
	0: (ucsi_source_psy_USBC000:001,iwlwifi_1,pch_cannonlake,BAT0,AC,ucsi_source_psy_USBC000:002,coretemp,thinkpad,nvme,acpitz on LENOVO) [local:]
        1: 0456:b673 (Analog Devices Inc. PlutoSDR (ADALM-PLUTO)), serial=XXXX [usb:1.16.5]


% uhd_find_devices 
[INFO] [UHD] linux; GNU C++ version 9.2.1 20200304; Boost_107100; UHD_3.15.0.0-2build5
--------------------------------------------------
-- UHD Device 0
--------------------------------------------------
Device Address:
    serial: 
    default_input: False
    default_input: True
    default_output: False
    default_output: True
    device: PlutoSDR
    device_id: 0
    device_id: 6
    driver: audio
    driver: plutosdr
    label: PlutoSDR #0 usb:1.16.5
    label: default
    label: hw:HDA Intel PCH,0
    type: soapy
    uri: usb:1.16.5

Running IIO Oscilloscope with debug:

• you MUST delete all config files, otherwise it will error and segfault

rm -f ~/.osc_profile.ini && /opt/iio-oscilloscope/bin/osc -u ip:10.3.1.7

Example output (clipped, there are bunch of warnings) :

Found plugin: CN0508
Found plugin: AD5628-1
Found plugin: ADRV9009
Found plugin: FMCADC3
Found plugin: SCPI
Found plugin: LIDAR
Found plugin: XMW
Found plugin: ad9739a
Found plugin: Partial Reconfiguration
Found plugin: CN0357
Found plugin: FMComms5
Found plugin: AD9371
Found plugin: FMComms6
Found plugin: Spectrum Analyzer
Found plugin: CN0540
Could not find expected iio devices
Found plugin: Debug
Found plugin: AD9371 Advanced
Found plugin: FMComms1
Found plugin: FMCOMMS11
Found plugin: AD6676
Found plugin: AD936X
Found plugin: AD936X Advanced
Found plugin: Motor Control
Found plugin: DAQ1/2/3
Found plugin: DMM
Found plugin: DAC Data Manager
Updating widgets...
Updating FIR filter...

It's buggy as hell, but there are options to fine-tune your Pluto. Screenshot of the debug menu (IIO Oscilloscope app) :

Difficulty level: nightmare

For SrsRAN install, you need to have CMake and bunch of other tools to install (this is without SrsGUI) :

• install intro
• accepted drivers - UHD, SoapySDR, BladeRF (ZeroMQ is just for testing streams)
• PlutoSDR is known to work, LimeSDR is known to work (tested), BladeRF should work also out-of-the-box (USRP as well)
• it is difficult to select working driver
• I suggest copying driver string into driver_args of gqrx to ~/.config/srsran/ue.conf

PlutoSDR needs magic argument like:

device_args = driver=plutosdr,usb_direct=1,timestamp_every=1920,loopback=0

Note that for PlutoSDR, you can connect it via USB device string or LAN string (LAN is preferred, because it does not change on each run)

LimeSDR device arguments look like this:

device_args = driver=lime,soapy=0,serial=0009070602470D0F,rxant=LNAL,txant=BAND1

USRP is maybe the radio it was designed to work wit, but LimeSDR and ADALM PLUTO (Pluto SDR) works. Config is not easy, it's nightmare difficulty.

BladeRF was not yet tested, it's TODO, but that should be easiest to make this work.

LimeSDR is the second best. If you get the device string right, it works awesome.

PlutoSDR works, but getting the device args string right is also nightmare.

HackRF should work I guess, not yet got that far.

This is for UE (mobile/client), for ENB (base station, it should be similar, antenna config is important for both RX/TX).

Difficulty level: nightmare

Use srsue command. Needs to have config correct, otherwise you'll get shitton of errors, like error -5 repeated 153000 times.

Example of correct output, note that srsran expects first argument to be config file, otherwise defaults to ~/.config/srsran/ue.conf:

TODO: Pluto might need FW change with usb_direct=1, not sure about it yet. LimeSDR should not require any FW changes.

Dots when running mean it's looking for ENB (base station).

Important: you MUST have correctly configured antenna names in config, otherwise you're SOL.

% srsue 
Active RF plugins: libsrsran_rf_uhd.so libsrsran_rf_soapy.so libsrsran_rf_zmq.so
Inactive RF plugins: 
Couldn't open , trying [...]/.config/srsran/ue.conf
Reading configuration file [...]/.config/srsran/ue.conf...
WARNING: cpu0 scaling governor is not set to performance mode. Realtime processing could be compromised. Consider setting it to performance mode before running the application.
Failed to `mlockall`: 12
Built in Release mode using commit fa56836b1 on branch master.

Opening 1 channels in RF device=soapy with args=driver=plutosdr,usb_direct=1,timestamp_every=1920,loopback=0
Supported RF device list: UHD soapy zmq file
Soapy has found device #0: device=PlutoSDR, driver=plutosdr, label=PlutoSDR #0 usb:1.28.5, uri=usb:1.28.5, 
Selecting Soapy device: 0
[INFO] Opening PlutoSDR #0 usb:1.28.5...
Setting up Rx stream with 1 channel(s)
[INFO] Using format CF32.
[INFO] Auto setting Buffer Size: 524288
[INFO] Set MTU Size: 524288
Setting up Tx stream with 1 channel(s)
[INFO] Using format CF32.
[INFO] Has direct TX copy: 1
[INFO] Auto setting Buffer Size: 32768
[INFO] Set MTU Size: 32768
Available device sensors: 
 - xadc_temp0
 - xadc_voltage0
 - xadc_voltage1
 - xadc_voltage2
 - xadc_voltage3
 - xadc_voltage4
 - xadc_voltage5
 - xadc_voltage6
 - xadc_voltage7
 - xadc_voltage8
 - adm1177_current0
 - adm1177_voltage0
 - ad9361-phy_temp0
 - ad9361-phy_voltage2
Available sensors for Rx channel 0: 
State of gain elements for Rx channel 0 (AGC supported):
 - PGA: 32.00 dB
State of gain elements for Tx channel 0 (AGC not supported):
 - PGA: 79.00 dB
Rx antenna set to A_BALANCED
Tx antenna set to A
Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
Waiting PHY to initialize ... Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
done!
Attaching UE...
Starting plot for worker_id=0
[INFO] Has direct RX copy: 1
[INFO] Auto setting Buffer Size: 32768
[INFO] Set MTU Size: 32768
........................

Use srsenb command. Needs to have config correct, otherwise you'll get shitton of errors, like shown below (ENB not yet configured properly, one of missing parts are TX antenna names)

Example of incorrect output:

TODO: get ENB working

% srsenb 
Active RF plugins: libsrsran_rf_uhd.so libsrsran_rf_soapy.so libsrsran_rf_zmq.so
Inactive RF plugins: 
---  Software Radio Systems LTE eNodeB  ---

Couldn't open , trying [...]/.config/srsran/enb.conf
Reading configuration file [...]/.config/srsran/enb.conf...
Couldn't open sib.conf, trying [...]/.config/srsran/sib.conf
Couldn't open rr.conf, trying [...]/.config/srsran/rr.conf
Couldn't open rb.conf, trying [...]/.config/srsran/rb.conf
WARNING: cpu0 scaling governor is not set to performance mode. Realtime processing could be compromised. Consider setting it to performance mode before running the application.
Failed to `mlockall`: {}
Built in Release mode using commit fa56836b1 on branch master.

Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted
Opening 1 channels in RF device=default with args=default
connect(): Connection refused
Supported RF device list: UHD soapy zmq file
Trying to open RF device 'UHD'
Failed to initiate S1 connection. Attempting reconnection in 10 seconds
[INFO] [UHD] linux; GNU C++ version 9.2.1 20200304; Boost_107100; UHD_3.15.0.0-2build5
[INFO] [LOGGING] Fastpath logging disabled at runtime.

RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.

Opening USRP channels=1, args: 
[INFO] [UHD RF] RF UHD Generic instance constructed

RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.


RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.


RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.

[INFO] [UHDSoapyDevice] Using format CF32.
[INFO] [UHDSoapyDevice] Using format CF32.
RF device 'UHD' successfully opened
[...]/prog/Pluto-SDR_projects/docker-persistent/srsRAN_4G.new_with_GUI/lib/src/phy/rf/rf_uhd_imp.cc:315: UHD unhandled event code 64
Warning: Failed to create thread with real-time priority. Creating it with normal priority: Operation not permitted

==== eNodeB started ===
Type <t> to view trace
[INFO] [UHDSoapyDevice] Using format CF32.
[INFO] [UHDSoapyDevice] Using format CF32.
Setting frequency: DL=2680.0 Mhz, UL=2560.0 MHz for cc_idx=0 nof_prb=50
[ERROR] [UHD RF] UHDSoapyRxStream::issue_stream_cmd() = -5

Example waves, waterfall captured from air. Both uplink and downlink. LTE is mixed with GSM, unfortunately.

LTE should be at frequencies 800/900 MHz, 1800/1900 MHz and 2100 MHz, but check ČTÚ band allocations, each cell provider has own channel maps.

Is it a dogshit in Vibram sholesole mess? YES

This is signal from base stations (ENB) to telephones (UE).

This is signal from telephones (UE) to base stations (ENB).

TODO LTE Cell tracker

These experiments were carried out using 3 SDR radios:

• Pluto SDR
• Lime SDR
• Hack RF

I obtained uplink/downlink of my own phone's LTE channels using Cellular Z application. Each channel is 20 MHz wide.

Cellular Z sample screenshot:

20 MHz is bandwidth that fits Pluto SDR, Lime SDR and also HackRF.

Used tools: SDR++ and HackRF's Portapack. Antennas used were mostly Taoglas 700-2700 MHz +3.8 dBi, along with few others 700-2700 multiband antennas.

Example of download and upload as seen on frequency spectrum, this is uplink channel, but since TCP/IP requires sending data back, download is visible on uplink channel as well:

Download, recorded with PlutoSDR and LimeSDR

Hence 20 MHz vs 61 MHz bandwidth difference

Upload, recorded with PlutoSDR and LimeSDR

Hence again 20 MHz vs 61 MHz bandwidth difference

PlutoSDR with Taoglas antennas

HackRF with Taoglas antenna

LimeSDR photo TODO