Login
SDR (Signals Intelligence) for Hackers: Building a Low- Cost, Private 4G LTE Network
Welcome back, my aspiring cyberwarriors!
New technological developments in recent years has made it possible to build a private cellular network at very low cost. This can be useful to many organizations who place their privacy at a premium such as firms engaged in research and development of intellectual property (IP) or law firms, to name but a few.. You can read here how the Mexican drug cartels built their own private cellular network to evade both law enforcement and competitors snooping.
This article was written by one of our most advanced students, Astra. Astra is an ardent supporter of Ukraineβs freedom and an advanced student of low cost cellular networks.
If you want to learn more about setting up a private 4G LTE network, enroll in our SDR for Hackers: Building a Private 4G Network!
In this article, he will demonstrate how to build your own 4G LTE network!
LTE Networks
The concept of private LTE itself is not new. There are ready-made solutions that allow you to lease frequencies and deploy such network at your enterprise. But, of course, all this equipment is not suitable for a one-time testing experience, so we will launch a network based on SDR.
If in the world of open-source stacks GSM is ruled by Osmocom, then here in 4G LTE the undoubted leader isΒ srsRAN. This is a completely open-source software that with minimum configuration allows us launching this kind of network.
srsRAN can be built from source, but I recommend using DragonOS, which has already been mentioned many times by OTW, where this software is already included in the distribution.
There is also another similar project which is LibreCellular that uses slightly different hardware, but the key concept is the same of srsRAN.
How LTE works
Β
Letβs understand how this network (RAN, Radio Access Network) works.
It is a network that utilizes frequencies more efficiently and provides much faster performance compared to GSM and 3G.
It consists of three key components:
EPC (Evolved Packet Core)
This the operatorβs core network. Its main component is the MME (Mobility Management Unit), through which all signaling traffic from UEs (User Equipment) passes. This node is responsible for service transfer, calling, authentication and many other operations. Its other parts are the billing service and gateways (service and packet), which provide data exchange between parts of the network and other networks. Connected to the core network is the HSS (Home Subscriber Server), a secure database where encryption keys and subscriber information are stored. In a GSM network, the role of this node is played by the home register (HLR).
eNBs (eNodeB).
These are the base stations. LTE operates in a wide range of frequencies, from 450 to 2600 MHz. Their use varies from country to country, as some of these frequencies are already reserved for something else. Like GSM, there are channel numbers here too β the E-UTRA Absolute Radio Frequency Channel Number (EARFCN).
The whole spectrum of frequencies is divided into broad sections (LTE bands), the choice of which differs from country to country.
UE (User Equipment).
These are the devices that connect to the network such as phones and modems.
What does it take to get your own LTE network up and running?
In order to reproduce everything that I will be describing below, you will require some specific hardware and specific configuration.
For this test you will need:
1)Β Β Β Β Β A linux and a windows machine.
2)Β Β Β Β Β A full duplex SDR with proper antennas. B210, BladeRF, and LimeSDR are suitable.
3)Β Β Β Β Β A sim card reader
4)Β Β Β Β Β Programmable LTE USIM cards
5)Β Β Β Β Β An android smartphone
Letβs startΒ
Boot into DragonOS and plug in the SDR.
Navigate to the /etc/srsran folder.
dragonos> cd /etc/srsan
Youβll find the configuration files there.
dragonos > ls -l
In the enb.conf file we will modify two parameters: MCC and MNC
These parameters are identical to those used in GSM networks β they are country code and network code. Normally, we should use some arbitrary values, but the problem is that most phones refuse to work when they see strange values for network. Thatβs why we need to specify the MCC of the country we live in or use the 999 which is the value for private enterprise networks. With regards the network code (MNC) make sure to set one that doesnβt belong to any operator working in your country.
Β
Β
[enb]
enb_id = 0x19B
mcc = 999
mnc = 01
mme_addr = 127.0.1.100
gtp_bind_addr = 127.0.1.1
s1c_bind_addr = 127.0.1.1
s1c_bind_port = 0
n_prb = 50
#tm = 4
#nof_ports = 2
Β
Β
Modify the epc.conf file in the same way:
Β
[mme]
mme_code = 0x1a
mme_group = 0x0001
tac = 0x0007
mcc = 999
mnc = 01
mme_bind_addr = 127.0.1.100
apn = srsapn
dns_addr = 8.8.8.8
encryption_algo = EEA0
integrity_algo = EIA1
paging_timer = 2
request_imeisv = false
lac = 0x0006
full_net_name = astra00011
short_net_name = astra00011
Β
Now in two separate terminal run first sudo srsepc and then sudo srsenb.
Now take your phone and go to search for networks manually. If we are lucky weβll see a network, depending on which values you set, starting with 99913. If we try to connect to this network, we will surely fail β the phone will connect a bit and then give a sad βNo serviceβ.
Itβs all about authentication. That is what we are going to deal with now.
Β
Fire up a windows machine and plug in the sim card reader. Insert a blank sim into the reader.
I am using a non open source software to read/write on sims. There are other options such as pysim.
Once the sim card is read, we can proceed writing the required parameters.
The key parameters required by srsRAN are the IMSI, KI and OPC.
The first field to fill in is to write value for ICCID. The ICCID number should be a unique 19 digit identifier for the SIM card itself. It should composed by the following:
Β
| Field | Description | Example |
| Major Industry Identifier | Always set 89 for telecommunication purposes | 89 |
| Country Code | 2 or 3 digit country code as defined by byΒ ITU-TΒ recommendationΒ E.164. | 01 |
| Issuer Identifier | 1 to 4 digits. Usually the MNC code. | 23 |
| Individual Account Identifier | Variable account identification number. | 000000000001 |
Next we need to generate an IMSI (international mobile subscriber identity) number. This 15 digit number is used to uniquely identifier each user of a cellular network.
| Field | Description | Example |
| MCC | Mobile Country Code | 999 |
| MNC | Mobile Network Code | 23 |
| Individual Account Identifier | Account identifier (usually the same as the one in the ICCID but chopped here to stay in the 15 digit limit) | 0000000001 |
Next step is to generate the KI value (subscriber key), which is known only by the subscriber and network and used to authenticate the device on the network. We also need to generate a OPC (operator code derived) value.
I used the following script to generate 128-bit values for both Ki and OPC:
Then fill in the last parameters which consists in:
PLMNwAct: A user-managed list of preferred Public Land Mobile Networks (PLMNs) ranked by priority, along with the corresponding access technologies (2G/3G/4G/5G, etc.).
Β
OPLMNwAct: An operator-controlled version of the user-preferred PLMN list mentioned above.
Β
HPLMNwAct: The Home PLMN, including the specified access technology, identifies the network associated with the subscriberβs identity, represented as a combination of Mobile Country Code (MCC) and Mobile Network Code (MNC) with the access technology included.
Β
EHPLMN: A list of Equivalent Home PLMNs. Networks in this list are treated as equivalent to the home network, meaning the device wonβt consider itself roaming when connected to them. This field can be useful, for example, when operators merge, allowing each to include the otherβs
Β
PLMNΒ in this list (though the original source for this suggestion could not be verified).
Β
FPLMN: A list of forbidden PLMNs that the device should not automatically attempt to register with. This can be used to avoid all specified localΒ public mobile networks.
If everything was correctly set up, once you insert your programmed sim card in your smartphone, you should be able to see something like this in the network parameters:
Notice that we still donβt have any mobile connection (top right corner icon)
Lastly, we need to choose the radio frequency for transmission and reception, which is conveniently represented by an EARFCN (Evolved-UTRA Absolute Radio Frequency Number). srsRAN supports exclusively FDD (Frequency Division Duplexing), where the mobile deviceβs downlink and uplink operate on separate frequencies. By specifying the downlink EARFCN, srsRAN can determine the corresponding downlink frequency. This can be done in the /etc/srsran configuration folder in the rr.conf file.
The final step to complete the whole configuration is edit the user_data.csv file. This file includes the SIM card identity that we previously configured. This file is utilized by the Home Subscriber Service (HSS). The information programmed into the SIM cards is now necessary for operation.
Keep in mind that srsRAN does not support calls and SMS, only internet connectivity. Calls are possible with VoLTE but this involves additional components such as the IP Multimedia Subsystem (IMS) that srsRAN does not natively include.
Nowβs the time to raise our 4G LTE network:
In two separate terminals type:
>sudo srsepc
followed by
sudo srsenb
Success! We have our own private 4G LTE network!
Summary
It is now possible to create your own 4G LTE network with low cost components and a bit of expertise! These networks can be invaluable to those who place a high priority upon privacy and confidentiality. This is key in a era where competitors or nation state actors may be inside your mobile carrierβs system.
To learn more about SDR (Signals Intelligence), join our SDR (Signals Intelligence) program or our Subscriber Pro training package.
