OpenLTE


OpenLTE is an open source implementation of the 3GPP LTE specifications.

This is a clone of https://sourceforge.net/p/openlte.

Attack implementations

Several attacks implemented by @onkarmumbrekar live in separate branches of this repository:

  • akabypass
  • attach_reject
  • dos_tau_reject_dualcase
  • dos_tau_reject
  • malformed_detach
  • numb_attack
  • service_reject_on_tau
  • tau_numb_attack

Prerequisites

  • USB 3.0 interface
  • Modern multicore CPU (Intel Core i5, Core i7 or equivalent, with SSE4.1, SSE4.2 and AVX support)
  • UHD driver installed (for Ettus SDRs)
  • GNU Radio

Installation

Setup your computer

OpenLTE not only needs a lot of processing power, it also needs very low latency, because it has to transmit or receive a radio frame every 1 ms. If processing is delayed, the system cannot respond in time and loses samples. It is therefore recommended to switch off any CPU or system feature (mostly in the BIOS) that can introduce delays or slow down context switching: Intel SpeedStep, deep and deeper sleep states, and so on. Especially with high-bandwidth setups (10, 15 and 20 MHz) it is recommended to switch off the GUI on Linux. There is also a low-latency edition of the Linux kernel, but at this point there is no proof that it actually helps OpenLTE.
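The settings above can be checked from sysfs before the eNodeB is started. The script below is an added example, not OpenLTE code: it reads the standard Linux cpufreq, intel_pstate and cpuidle files and lists what would still add latency. The `root` parameter and the `build_sample_sysfs` helper exist only so it can run against a constructed tree; on a real machine call `latency_findings()` with no arguments.

```python
import tempfile
from pathlib import Path

# Hypothetical helper, not part of OpenLTE: it reads the standard Linux sysfs
# files behind the README's advice (cpufreq governor, turbo, deep C-states).


def _read(path):
    """Return the stripped contents of a sysfs file, or None if it is absent."""
    try:
        return Path(path).read_text().strip()
    except OSError:
        return None


def latency_findings(root="/sys"):
    """List settings that can delay the 1 ms radio-frame deadline.

    `root` is the sysfs mount point; it is a parameter only so the function
    can be run against a constructed tree (see build_sample_sysfs)."""
    root = Path(root)
    findings = []

    gov = _read(root / "devices/system/cpu/cpu0/cpufreq/scaling_governor")
    if gov is not None and gov != "performance":
        findings.append(f"cpufreq governor is '{gov}'; set 'performance' so the "
                        "clock does not ramp down between frames")

    no_turbo = _read(root / "devices/system/cpu/intel_pstate/no_turbo")
    if no_turbo == "0":
        findings.append("intel_pstate turbo is enabled; disable it (or SpeedStep/"
                        "turbo in the BIOS) to keep the clock constant")

    cpuidle = root / "devices/system/cpu/cpu0/cpuidle"
    if cpuidle.is_dir():
        for state in sorted(cpuidle.glob("state*")):
            name, disable = _read(state / "name"), _read(state / "disable")
            # POLL and C1 resume almost instantly; anything deeper is a
            # "deep sleep state" in the README's sense.
            if name and name not in ("POLL", "C1") and disable == "0":
                findings.append(f"idle state {name} ({state.name}) is enabled; "
                                "write 1 to its 'disable' file or boot with "
                                "intel_idle.max_cstate=1")
    return findings


def build_sample_sysfs():
    """Constructed sysfs tree for offline demonstration: a laptop-style box
    with ondemand scaling, turbo on and C6 enabled."""
    root = Path(tempfile.mkdtemp(prefix="fake-sys-"))
    cpu0 = root / "devices/system/cpu/cpu0"
    files = {
        cpu0 / "cpufreq/scaling_governor": "ondemand",
        root / "devices/system/cpu/intel_pstate/no_turbo": "0",
        cpu0 / "cpuidle/state0/name": "POLL", cpu0 / "cpuidle/state0/disable": "0",
        cpu0 / "cpuidle/state1/name": "C1",   cpu0 / "cpuidle/state1/disable": "0",
        cpu0 / "cpuidle/state2/name": "C6",   cpu0 / "cpuidle/state2/disable": "0",
    }
    for path, value in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(value + "\n")
    return root


if __name__ == "__main__":
    for line in latency_findings() or ["no latency-relevant settings flagged"]:
        print("-", line)
```

Run it as root or not; it only reads. An empty list means nothing it knows about is left on, not that the machine is guaranteed to keep up at 20 MHz.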

Installing GNURadio with UHD

With an Ettus radio (B200, B210) you also need the latest UHD driver alongside GNU Radio:

sudo apt-get install libuhd-dev libuhd003 uhd-host

I recommend not using the binary packages but building GNU Radio from source together with UHD, as follows.

As a non-root user, run:

mkdir gnuradio
cd gnuradio
wget http://www.sbrac.org/files/build-gnuradio
chmod a+x build-gnuradio

./build-gnuradio -v

The script will ask for the root password. The whole procedure can take up to 3 hours: it downloads and builds GNU Radio, UHD and all their dependencies. Because the script is fetched over plain HTTP and escalates to root, read it before running it.

Check the communication with your Ettus SDR: Connect your SDR to one of the USB3 interfaces, and run:

uhd_usrp_probe

This loads the FPGA image onto the device and queries it. If everything is set up correctly, the output looks similar to this:

linux; GNU C++ version 4.8.2; Boost_105400; UHD_003.008.001-42-g8c87a524

-- Operating over USB 3.
-- Initialize CODEC control...
-- Initialize Radio control...
-- Performing register loopback test... pass
-- Performing CODEC loopback test... pass
-- Asking for clock rate 32.000000 MHz...
-- Actually got clock rate 32.000000 MHz.
-- Performing timer loopback test... pass
-- Setting master clock rate selection to 'automatic'.
  _____________________________________________________
 /
|       Device: B-Series Device
|     _____________________________________________________
|    /
|   |       Mboard: B200
|   |   revision: 4
|   |   product: 1
|   |   serial: F54xxx
|   |   FW Version: 7.0
|   |   FPGA Version: 4.0
|   |
|   |   Time sources: none, internal, external, gpsdo
|   |   Clock sources: internal, external, gpsdo
|   |   Sensors: ref_locked
|   |     _____________________________________________________
|   |    /
|   |   |       RX DSP: 0
|   |   |   Freq range: -16.000 to 16.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       RX Dboard: A
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       RX Frontend: A
|   |   |   |   Name: FE-RX2
|   |   |   |   Antennas: TX/RX, RX2
|   |   |   |   Sensors:
|   |   |   |   Freq range: 50.000 to 6000.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 73.0 step 1.0 dB
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       RX Codec: A
|   |   |   |   Name: B200 RX dual ADC
|   |   |   |   Gain Elements: None
|   |     _____________________________________________________
|   |    /
|   |   |       TX DSP: 0
|   |   |   Freq range: -16.000 to 16.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       TX Dboard: A
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       TX Frontend: A
|   |   |   |   Name: FE-TX2
|   |   |   |   Antennas: TX/RX
|   |   |   |   Sensors:
|   |   |   |   Freq range: 50.000 to 6000.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 89.8 step 0.2 dB
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       TX Codec: A
|   |   |   |   Name: B200 TX dual DAC
|   |   |   |   Gain Elements: None

Installing OpenLTE

Dependencies:

sudo apt-get install libpolarssl-dev

Build and install:

mkdir build
cd build && cmake ..
make

(Optional):

sudo make install

Running OpenLTE eNodeB

First terminal window:

Do not close this window during operation!

LTE_fdd_enodeb

Output:

linux; GNU C++ version 4.8.2; Boost_105400; UHD_003.008.001-42-g8c87a524
*** LTE FDD ENB ***
Please connect to control port 30000

Second terminal:

This is the control interface of the eNodeB.

telnet 127.0.0.1 30000

Output:

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
*** LTE FDD ENB ***
Type help to see a list of commands

Third terminal (Optional):

This connection streams the debug log messages.

telnet 127.0.0.1 30001

OpenLTE Tx Configuration

Tx configuration:

write band 20
write bandwidth 5
write dl_earfcn 6300
write mcc 214
write mnc 12
write n_ant 1
write rx_gain 30
write tx_gain 86
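Typing the commands into telnet works, but the control port is a plain-text interface with no authentication (connecting is enough to get the prompt), so a script that applies a whole configuration and stops at the first rejected command is less error-prone than a hand-typed session. The Python below is an added example covering both the control-port session above and this Tx configuration; it is not OpenLTE code. It assumes, and this is not stated on the page, that each command is one line ending in a newline and that the eNodeB answers every command with one line starting with `ok` on success. The `start_fake_control_port` helper is a constructed stand-in for the eNodeB so that the example runs offline.

```python
import socket
import threading

CTRL_HOST, CTRL_PORT = "127.0.0.1", 30000      # control port from the README

# The Tx configuration from the README as (parameter, value) pairs.
TX_CONFIG = [
    ("band", "20"), ("bandwidth", "5"), ("dl_earfcn", "6300"),
    ("mcc", "214"), ("mnc", "12"), ("n_ant", "1"),
    ("rx_gain", "30"), ("tx_gain", "86"),
]


def build_commands(config):
    """Render (param, value) pairs as 'write <param> <value>' lines.

    Parameters must be identifiers and values [A-Za-z0-9_.-], so a value
    containing a newline or space cannot smuggle a second command onto the
    unauthenticated control port."""
    cmds = []
    for param, value in config:
        value = str(value)
        if not param.isidentifier() or not value or \
                not all(c.isalnum() or c in "_.-" for c in value):
            raise ValueError(f"refusing unsafe control argument {param}={value!r}")
        cmds.append(f"write {param} {value}")
    return cmds


def _read_line(sock):
    """Read one newline-terminated line; returns it without the line ending."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:              # peer closed before answering
            break
        buf += chunk
    return bytes(buf).rstrip(b"\r\n").decode(errors="replace")


def apply_config(config, host=CTRL_HOST, port=CTRL_PORT):
    """Send every write command and return {command: response}.

    Assumption (not stated on the page): the eNodeB answers each line with one
    line starting with 'ok' on success. Anything else aborts immediately, so a
    half-applied configuration is never mistaken for a working one."""
    cmds = build_commands(config)          # validate before touching the socket
    results = {}
    with socket.create_connection((host, port), timeout=5.0) as sock:
        # Drain the banner ('*** LTE FDD ENB ***', 'Type help ...') without
        # assuming its line count: read until the server goes quiet.
        sock.settimeout(0.5)
        try:
            while sock.recv(4096):
                pass
        except socket.timeout:
            pass
        sock.settimeout(5.0)
        for cmd in cmds:
            sock.sendall(cmd.encode() + b"\n")
            resp = _read_line(sock)
            results[cmd] = resp
            if not resp.startswith("ok"):
                raise RuntimeError(f"{cmd!r} rejected: {resp!r}")
    return results


def start_fake_control_port(known=tuple(p for p, _ in TX_CONFIG)):
    """Constructed stand-in for the eNodeB control port so the example runs
    offline: sends the banner, answers 'ok' for known parameters and
    'fail unknown parameter' otherwise. Returns (port, dict of writes seen)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    written = {}

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"*** LTE FDD ENB ***\nType help to see a list of commands\n")
            for raw in lines:
                parts = raw.decode(errors="replace").split()
                if len(parts) == 3 and parts[0] == "write" and parts[1] in known:
                    written[parts[1]] = parts[2]
                    conn.sendall(b"ok\n")
                else:
                    conn.sendall(b"fail unknown parameter\n")

    threading.Thread(target=serve, daemon=True).start()
    return port, written


def demo():
    """Configure the fake eNodeB with TX_CONFIG; returns (responses, writes)."""
    port, written = start_fake_control_port()
    return apply_config(TX_CONFIG, port=port), written


if __name__ == "__main__":
    for cmd, resp in demo()[0].items():
        print(f"{cmd:24s} -> {resp}")
```

Against a real eNodeB, call `apply_config(TX_CONFIG)` with the defaults. Keep the port reachable from localhost only: anyone who can connect can reconfigure the cell.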

Wireshark configuration

Edit -> Preferences -> Protocols -> DLT_USER -> Edit..., click '+', set DLT = User 0 (DLT=147) and Payload protocol = mac-lte-framed. Without this mapping Wireshark has no dissector for link type 147 and shows each frame as raw data.
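To see what this preference does, it helps to build a capture of the kind it decodes. The Python below is an added example, not OpenLTE code: it writes a classic pcap with link type 147 (what Wireshark calls "User 0") whose packets use the mac-lte-framed encapsulation from Wireshark's packet-mac-lte.h (the ASCII tag mac-lte, three fixed bytes for radio type, direction and RNTI type, optional two-byte tags for RNTI, UE id and SFN/subframe, then tag 0x01 followed by the raw MAC PDU), and parses such frames back. The MAC PDU, RNTI and frame numbers are constructed values.

```python
import struct

DLT_USER0 = 147          # "User 0" in the DLT_USER dialog is link type 147

# Values from Wireshark's packet-mac-lte.h (fixed header fields and tags).
FDD_RADIO, TDD_RADIO = 1, 2
DIRECTION_UPLINK, DIRECTION_DOWNLINK = 0, 1
NO_RNTI, P_RNTI, RA_RNTI, C_RNTI, SI_RNTI = 0, 1, 2, 3, 4
MAC_LTE_START_STRING = b"mac-lte"
TAG_PAYLOAD, TAG_RNTI, TAG_UEID, TAG_SFN_SF = 0x01, 0x02, 0x03, 0x04

# Constructed DL-SCH MAC PDU: subheader LCID=1 (E=1) with L=3, a padding
# subheader (LCID=31), the 3-byte SDU, then 2 bytes of padding.
EXAMPLE_PDU = bytes([0x21, 0x03, 0x1F, 0xAA, 0xBB, 0xCC, 0x00, 0x00])


def mac_lte_framed(pdu, radio=FDD_RADIO, direction=DIRECTION_DOWNLINK,
                   rnti_type=C_RNTI, rnti=None, ueid=None, sfn=None, subframe=None):
    """Wrap a raw MAC PDU in the mac-lte-framed encapsulation."""
    out = MAC_LTE_START_STRING + bytes([radio, direction, rnti_type])
    if rnti is not None:
        out += bytes([TAG_RNTI]) + struct.pack(">H", rnti)
    if ueid is not None:
        out += bytes([TAG_UEID]) + struct.pack(">H", ueid)
    if sfn is not None:
        out += bytes([TAG_SFN_SF]) + struct.pack(">H", (sfn << 4) | (subframe & 0xF))
    return out + bytes([TAG_PAYLOAD]) + pdu


def parse_mac_lte_framed(data):
    """Inverse of mac_lte_framed; rejects input the dissector would not accept."""
    if not data.startswith(MAC_LTE_START_STRING):
        raise ValueError("missing mac-lte start string")
    pos = len(MAC_LTE_START_STRING)
    info = {"radio": data[pos], "direction": data[pos + 1], "rnti_type": data[pos + 2]}
    pos += 3
    two_byte_tags = {TAG_RNTI: "rnti", TAG_UEID: "ueid", TAG_SFN_SF: "sfn_sf"}
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == TAG_PAYLOAD:
            info["pdu"] = data[pos:]
            break
        if tag not in two_byte_tags or pos + 2 > len(data):
            raise ValueError(f"unexpected or truncated tag 0x{tag:02x} at offset {pos - 1}")
        info[two_byte_tags[tag]] = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
    else:
        raise ValueError("no payload tag")
    if "sfn_sf" in info:
        info["sfn"], info["subframe"] = info["sfn_sf"] >> 4, info["sfn_sf"] & 0xF
    return info


def pcap_bytes(records, linktype=DLT_USER0):
    """Classic little-endian pcap: global header, then one record per packet.
    records: iterable of (timestamp_microseconds, packet_bytes)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts_us, pkt in records:
        out += struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000,
                           len(pkt), len(pkt)) + pkt
    return out


def pcap_linktype(blob):
    """Return the link type of a classic pcap after checking the magic."""
    magic, *_, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    return linktype


def build_example_capture():
    """Two constructed frames: a downlink PDU to C-RNTI 0x1234 and an uplink one."""
    frames = [
        (1_000_000, mac_lte_framed(EXAMPLE_PDU, rnti=0x1234, ueid=1, sfn=100, subframe=7)),
        (1_001_000, mac_lte_framed(EXAMPLE_PDU, direction=DIRECTION_UPLINK,
                                   rnti=0x1234, ueid=1, sfn=100, subframe=8)),
    ]
    return pcap_bytes(frames)


if __name__ == "__main__":
    with open("openlte_mac_example.pcap", "wb") as f:
        f.write(build_example_capture())
    print("wrote openlte_mac_example.pcap; open it with the DLT_USER mapping above")
```

Open the file in Wireshark with and without the mapping: with it, each frame decodes as MAC-LTE with the RNTI and SFN/subframe from the tags; without it, the same bytes are just DLT_USER data.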

Programming your own USIM card

Prerequisites

sudo apt-get install python-pip

sudo python -m pip install pyserial pycrypto

(The PyPI package is pyserial; `pip install serial` pulls in an unrelated serialisation library.)

Providers

sysmoUSIM-SJS1 4FF/nano SIM + USIM Card (10-pack):

http://shop.sysmocom.de/products/sysmousim-sjs1-4ff

Get the SIM programmer

You need a SIM card programmer that works with PC/SC (pcscd) on Linux. For a reasonably complete list of compatible readers, see this page:

http://pcsclite.alioth.debian.org/ccid/supported.html

Make sure the reader supports APDU exchange. Personally we use the SCM Microsystems SCR 3310; it and many of the readers on that list can be found on eBay.

Get the software (PySIM, PCSCd, Pyscard)

First install dependencies:

sudo apt-get install pcscd pcsc-tools libccid libpcsclite-dev

Connect your SIM card reader, insert the programmable SIM card, and check connectivity by running:

sudo pcsc_scan

If your reader and card are recognised, you will see output similar to this:

PC/SC device scanner
V 1.4.22 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.10
Using reader plug'n play mechanism
Scanning present readers...
0: OMNIKEY AG CardMan 3121 01 00

Wed Dec 24 14:56:32 2014
Reader 0: OMNIKEY AG CardMan 3121 01 00
  Card state: Card inserted,
  ATR: 3B 9F 95 80 1F C7 80 31 E0 73 FE 21 13 57 12 29 11 02 01 00 00 C2

ATR: 3B 9F 95 80 1F C7 80 31 E0 73 FE 21 13 57 12 29 11 02 01 00 00 C2
+ TS = 3B --> Direct Convention
+ T0 = 9F, Y(1): 1001, K: 15 (historical bytes)
  TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
    125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
  TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
-----
  TD(2) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
-----
  TA(3) = C7 --> Clock stop: no preference - Class accepted by the card: (3G) A 5V B 3V C 1.8V
+ Historical bytes: 80 31 E0 73 FE 21 13 57 12 29 11 02 01 00 00
  Category indicator byte: 80 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: E0
        - Application selection: by full DF name
        - Application selection: by partial DF name
        - BER-TLV data objects available in EF.DIR
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card with MF
    Tag: 7, len: 3 (card capabilities)
      Selection methods: FE
        - DF selection by full DF name
        - DF selection by partial DF name
        - DF selection by path
        - DF selection by file identifier
        - Implicit DF selection
        - Short EF identifier supported
        - Record number supported
      Data coding byte: 21
        - Behaviour of write functions: proprietary
        - Value 'FF' for the first byte of BER-TLV tag fields: invalid
        - Data unit in quartets: 2
      Command chaining, length fields and logical channels: 13
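pcsc_scan decodes the ATR for you, but it is worth being able to do it yourself: the ATR is how the reader identifies what it is talking to, and a bad TCK or an interface-byte chain that does not match the ATR length means the card or reader is misbehaving before any APDU is sent. The Python below is an added example, not part of pySim or pcsc_scan: it walks the ISO/IEC 7816-3 interface bytes, applies the Fi/Di tables, decodes the global TA byte that follows a T=15 indication, and checks TCK, reproducing the figures above for the ATR shown.

```python
# Fi, fmax and Di tables from ISO/IEC 7816-3 (RFU entries omitted).
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
FMAX_HZ = {0: 4_000_000, 1: 5_000_000, 2: 6_000_000, 3: 8_000_000, 4: 12_000_000,
           5: 16_000_000, 6: 20_000_000, 9: 5_000_000, 10: 7_500_000,
           11: 10_000_000, 12: 15_000_000, 13: 20_000_000}
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

# The ATR pcsc_scan printed for the sysmoUSIM above.
ATR_FROM_PAGE = bytes.fromhex(
    "3B 9F 95 80 1F C7 80 31 E0 73 FE 21 13 57 12 29 11 02 01 00 00 C2")


def parse_atr(atr):
    """Decode TS, T0, the TA/TB/TC/TD chain, historical bytes and TCK."""
    b = bytes(atr)
    if len(b) < 2:
        raise ValueError("ATR too short")
    info = {"convention": {0x3B: "direct", 0x3F: "inverse"}.get(b[0], "invalid")}
    k = b[1] & 0x0F                    # number of historical bytes
    y, n, i = b[1] >> 4, 1, 2          # Y1 bitmap, interface index, read offset
    ifaces, protocols = [], []
    try:
        while True:
            for name, bit in (("TA", 1), ("TB", 2), ("TC", 4), ("TD", 8)):
                if y & bit:
                    ifaces.append((f"{name}{n}", b[i]))
                    i += 1
            if not y & 8:              # no TDn: the chain ends here
                break
            td = ifaces[-1][1]
            protocols.append(td & 0x0F)
            y, n = td >> 4, n + 1
        historical = b[i:i + k]
        if len(historical) != k:
            raise IndexError
    except IndexError:
        raise ValueError("ATR truncated") from None
    i += k
    iface = dict(ifaces)
    info.update(interface_bytes=ifaces, protocols=protocols, K=k, historical=historical)

    # TA1: clock-rate conversion Fi and baud-rate adjustment Di (default 0x11).
    ta1 = iface.get("TA1", 0x11)
    fi, di = FI_TABLE.get(ta1 >> 4), DI_TABLE.get(ta1 & 0x0F)
    if fi and di:
        info.update(Fi=fi, Di=di, cycles_per_etu=fi // di,
                    bps_at_4MHz=4_000_000 * di // fi,
                    bps_at_fmax=FMAX_HZ[ta1 >> 4] * di // fi)

    # A TAn (n >= 3) that follows a TD(n-1) announcing T=15 is a global
    # interface byte: clock-stop support and accepted voltage classes.
    for m in range(3, n + 1):
        if f"TA{m}" in iface and protocols[m - 2] == 15:
            ta = iface[f"TA{m}"]
            info["clock_stop"] = ("not supported", "state L", "state H", "no preference")[ta >> 6]
            info["classes"] = [c for bit, c in ((1, "A 5V"), (2, "B 3V"), (4, "C 1.8V")) if ta & bit]

    # TCK is present unless T=0 is the only protocol offered; T0..TCK XOR to 0.
    if any(p != 0 for p in protocols):
        if len(b) != i + 1:
            raise ValueError("ATR length does not match the interface-byte chain")
        x = 0
        for byte in b[1:]:
            x ^= byte
        info["tck"], info["tck_ok"] = b[i], x == 0
    else:
        if len(b) != i:
            raise ValueError("ATR length does not match the interface-byte chain")
        info["tck"], info["tck_ok"] = None, True
    return info


def describe(atr):
    """One-line summary in the spirit of pcsc_scan's output."""
    d = parse_atr(atr)
    return (f"{d['convention']} convention, T={d['protocols'] or [0]}, "
            f"Fi={d.get('Fi')} Di={d.get('Di')} ({d.get('cycles_per_etu')} cycles/ETU), "
            f"{d['K']} historical bytes, TCK {'ok' if d['tck_ok'] else 'BAD'}")


if __name__ == "__main__":
    print(describe(ATR_FROM_PAGE))
```

Paste the ATR of any other card into `parse_atr` to compare; a card whose TCK does not check, or whose historical-byte count disagrees with T0, should be treated with suspicion rather than programmed.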
 