Friday, March 21, 2014

OK .... (oh, I'm gonna pay for this, I know)

Now stop asking me for free internet. I mean, for real, is it so hard to think like a hacker? Come on: you want something... you make it happen, right? Since my last post on how to get free internet, people have kept asking how to save themselves from the modem disconnecting after 10 minutes or so.... (this applies to CDMA only)

Now here's a good hack:

  • use a dialer that supports auto/re-connect: pppd and wvdial are my best dialers, since I am *nix till I die, so...
  • create a bash/batch script that calls reconnect
  • use a fully connected system.... multiple modems
  • use a fully connected system.... multiple modems that swap over after one disconnects, so the other picks up
  • use a fully connected system.... multiple modems that swap over after one disconnects, so the other picks up, and that changes the data/traffic route
  • use a fully connected system.... multiple modems that swap over after one disconnects, so the other picks up, that changes the data/traffic route and also allows the data/traffic to be persistent on a specific device/modem....

We good? Alright.

I will show the following methods:

  • a bash script to check which modem/device has the highest speed (read: is connected)
  • after that, change the route to the currently connected modem (read: highest speed)
  • finally, make sure the above connections can be used, e.g. to stream a video (very difficult... but not impossible)

Script:

As I said, I use wvdial a lot, so.... calling the modems with wvdial:

sudo wvdialconf
[sudo] password for taecode0h: 
Editing `/etc/wvdial.conf'.

Scanning your serial ports for a modem.

Modem Port Scan<*1>: S0   S1   S2   S3   
ttyACM0<*1>: ATQ0 V1 E1 -- failed with 2400 baud, next try: 9600 baud
ttyACM0<*1>: ATQ0 V1 E1 -- failed with 9600 baud, next try: 115200 baud
ttyACM0<*1>: ATQ0 V1 E1 -- and failed too at 115200, giving up.


Sorry, no modem was detected!  Is it in use by another program?
Did you configure it properly with setserial?

Please read the FAQ at http://alumnit.ca/wiki/?WvDial

This command scans the system for a modem and then writes what it finds to the config file, /etc/wvdial.conf.

Now we can replicate the same config file, since both modems are from the same company and will use the same settings; the only thing we have to change for the second modem is the serial port, which depends on what the scan finds: .....

taecode0h@r41nsec:~$ sudo wvdialconf
Editing `/etc/wvdial.conf'.

Scanning your serial ports for a modem.

Modem Port Scan<*1>: S0   S1   S2   S3   
ttyACM0<*1>: ATQ0 V1 E1 -- OK
ttyACM0<*1>: ATQ0 V1 E1 Z -- OK
ttyACM0<*1>: ATQ0 V1 E1 S0=0 -- OK
ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
ttyACM0<*1>: Modem Identifier: ATI -- MF192-T-1.0.0
ttyACM0<*1>: Speed 4800: AT -- OK
ttyACM0<*1>: Speed 9600: AT -- OK
ttyACM0<*1>: Speed 19200: AT -- OK
ttyACM0<*1>: Speed 38400: AT -- OK
ttyACM0<*1>: Speed 57600: AT -- OK
ttyACM0<*1>: Speed 115200: AT -- OK
ttyACM0<*1>: Speed 230400: AT -- OK
ttyACM0<*1>: Speed 460800: AT -- OK
ttyACM0<*1>: Max speed is 460800; that should be safe.
ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
ttyACM1<*1>: ATQ0 V1 E1 -- OK
ttyACM1<*1>: ATQ0 V1 E1 Z -- OK
ttyACM1<*1>: ATQ0 V1 E1 S0=0 -- OK
ttyACM1<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
ttyACM1<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
ttyACM1<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
ttyACM1<*1>: Modem Identifier: ATI -- MF192-T-1.0.0
ttyACM1<*1>: Speed 4800: AT -- OK
ttyACM1<*1>: Speed 9600: AT -- OK
ttyACM1<*1>: Speed 19200: AT -- OK
ttyACM1<*1>: Speed 38400: AT -- OK
ttyACM1<*1>: Speed 57600: AT -- OK
ttyACM1<*1>: Speed 115200: AT -- OK
ttyACM1<*1>: Speed 230400: AT -- OK
ttyACM1<*1>: Speed 460800: AT -- OK
ttyACM1<*1>: Max speed is 460800; that should be safe.
ttyACM1<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
ttyACM2<*1>: ATQ0 V1 E1 -- OK
ttyACM2<*1>: ATQ0 V1 E1 Z -- OK
ttyACM2<*1>: ATQ0 V1 E1 S0=0 -- OK
ttyACM2<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
ttyACM2<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
ttyACM2<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
ttyACM2<*1>: Modem Identifier: ATI -- MF192-T-1.0.0
ttyACM2<*1>: Speed 4800: AT -- OK
ttyACM2<*1>: Speed 9600: AT -- OK
ttyACM2<*1>: Speed 19200: AT -- OK
ttyACM2<*1>: Speed 38400: AT -- OK
ttyACM2<*1>: Speed 57600: AT -- OK
ttyACM2<*1>: Speed 115200: AT -- OK
ttyACM2<*1>: Speed 230400: AT -- OK
ttyACM2<*1>: Speed 460800: AT -- OK
ttyACM2<*1>: Max speed is 460800; that should be safe.
ttyACM2<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
ttyUSB0<*1>: ATQ0 V1 E1 -- OK
ttyUSB0<*1>: ATQ0 V1 E1 Z -- OK
ttyUSB0<*1>: ATQ0 V1 E1 S0=0 -- OK
ttyUSB0<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
ttyUSB0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
ttyUSB0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
ttyUSB0<*1>: Modem Identifier: ATI -- Manufacturer: +GMI: HUAWEI TECHNOLOGIES CO., LTD
ttyUSB0<*1>: Speed 9600: AT -- OK
ttyUSB0<*1>: Max speed is 9600; that should be safe.
ttyUSB0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
ttyUSB1<*1>: ATQ0 V1 E1 -- failed with 2400 baud, next try: 9600 baud
ttyUSB1<*1>: ATQ0 V1 E1 -- failed with 9600 baud, next try: 9600 baud
ttyUSB1<*1>: ATQ0 V1 E1 -- and failed too at 115200, giving up.
ttyUSB2<*1>: ATQ0 V1 E1 -- OK
ttyUSB2<*1>: ATQ0 V1 E1 Z -- OK
ttyUSB2<*1>: ATQ0 V1 E1 S0=0 -- OK
ttyUSB2<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
ttyUSB2<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
ttyUSB2<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
ttyUSB2<*1>: Modem Identifier: ATI -- Manufacturer: +GMI: HUAWEI TECHNOLOGIES CO., LTD
ttyUSB2<*1>: Speed 9600: AT -- OK
ttyUSB2<*1>: Max speed is 9600; that should be safe.
ttyUSB2<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK

Found an USB modem on /dev/ttyACM0.
Modem configuration written to /etc/wvdial.conf.
ttyACM0<Info>: Speed 460800; init "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"
ttyACM1<Info>: Speed 460800; init "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"
ttyACM2<Info>: Speed 460800; init "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"
ttyUSB0<Info>: Speed 9600; init "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"
ttyUSB2<Info>: Speed 9600; init "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"

As you can see, it did find two modems.... Forget the part where you see the MF-192; it's a GSM modem I was using to illustrate this. Again, the summary line says only one was found (the one on /dev/ttyACM0), but according to the terminal there are clearly two: one on ttyUSB0 and one on ttyACM0. With that said...

Let's go... save another config file as /etc/wvdial2.conf, edit the required parts (at least the serial port, which is what differs for the second modem) and finally set it out to roll.

Now the script:

#!/bin/bash
# Probe every ppp interface with one ping to Google's DNS; keep the one that
# answered with the lowest average round-trip time (the fastest live modem).
# An interface whose ping fails yields no RTT and is dropped from the list.
modem_route=$(
for iface in $(ip -o link show | awk -F': ' '/ppp/ {print $2}'); do
    rtt=$(ping -I "$iface" -c 1 -q -W 5 8.8.8.8 2>/dev/null | grep avg | awk -F/ '{print $5}')
    [ -n "$rtt" ] && echo "$iface $rtt"
done | sort -k 2 -n | head -n 1
)

# No modem answered: keep the current route rather than deleting it.
[ -z "$modem_route" ] && { logger "No modem responded; keeping current route"; exit 1; }

logger "Setting new route from candidate: $modem_route"

best_iface=$(echo "$modem_route" | awk '{print $1}')
ip route del default 2>/dev/null
ip route add default dev "$best_iface"

Now, this pings Google's DNS server to check the speed (and detect a disconnection) based on the ping's average round-trip time, and then changes the route between the two modem routes, as you can see on the last two lines.

Now the next thing is to dial both modems.... this is done with the following commands:

sudo wvdial -C /etc/wvdial.conf
^ calls the first modem

sudo wvdial -C /etc/wvdial2.conf
^ calls the second modem

Oh, and run a cron job to call the script every... I don't know; people say cron jobs can't run every second, but hey... people also say hacking is hard :)

With that said... more configuration can be done to get a smoother flow on the internet, like streaming media, and also to let the traffic that has to go over a specific device/modem stay on it unchanged :)
Do I need to go deeper than this? Sure... but come on, should I do all this for you?

If yes... wait for it... THIS IS FOR EDUCATIONAL PURPOSES ONLY: how to configure routes.
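Here is a fuller version of the failover idea, added as an example for this post (it is not the post's script and not part of wvdial or pppd). It keeps the post's probe, one ping to 8.8.8.8 out of each ppp interface with the average RTT read from ping's summary line, but prefers the lowest RTT, leaves the current route alone when no modem answers, swaps the default route with a single ip route replace, serialises cron runs with a lock, and pins one LAN host to one modem with a policy-routing rule, which is the "traffic persistent on a specific device/modem" case above. The interface names, the pinned address 192.168.1.50, routing table 100 and the lock file path are assumptions chosen for the example.

```sh
#!/bin/sh
# Added example (not the post's own script): pick the fastest live modem,
# move the default route to it, and keep one LAN host pinned to one modem.
#
# Assumptions (hypothetical, chosen for this example, not from the post):
#   - modem links show up as ppp0, ppp1, ... (as in the post)
#   - PINNED_SRC is a LAN host whose traffic must always leave via PINNED_IFACE
#   - routing table PINNED_TABLE is unused and ours to fill
#   - util-linux flock is available for the cron lock

PROBE_HOST=8.8.8.8                         # same target the post pings
PINNED_SRC=${PINNED_SRC:-192.168.1.50}     # constructed example address
PINNED_IFACE=${PINNED_IFACE:-ppp1}
PINNED_TABLE=${PINNED_TABLE:-100}
LOCK_FILE=${LOCK_FILE:-/var/run/modem-failover.lock}

# rtt_from_ping: reads "ping -q" output on stdin and prints the average RTT in
# ms from the "rtt min/avg/max/mdev = a/b/c/d ms" summary line (the same field
# the post's script extracts). Prints nothing if there is no summary line.
rtt_from_ping() {
    awk -F/ '/avg/ {print $5; exit}'
}

# probe_iface IFACE: one ping out of IFACE; prints "IFACE RTT" on success.
probe_iface() {
    rtt=$(ping -I "$1" -c 1 -q -W 5 "$PROBE_HOST" 2>/dev/null | rtt_from_ping)
    [ -n "$rtt" ] && printf '%s %s\n' "$1" "$rtt"
}

# collect_probes: probes every ppp interface present on the box.
collect_probes() {
    for iface in $(ip -o link show | awk -F': ' '$2 ~ /^ppp/ {print $2}'); do
        probe_iface "$iface"
    done
    return 0
}

# pick_best_iface: reads "IFACE RTT" lines on stdin and prints the interface
# with the lowest RTT. Lines without a numeric RTT (a modem whose probe failed
# or printed garbage) are ignored. Prints nothing and returns 1 when no modem
# answered, so the caller keeps the current route instead of deleting it.
pick_best_iface() {
    best=$(awk 'NF == 2 && $2 + 0 == $2 {print $1, $2}' \
           | sort -k2 -n | head -n 1 | awk '{print $1}')
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# current_default_iface: device carrying the main table's default route.
current_default_iface() {
    ip route show default | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i+1); exit}}'
}

# pin_source_to_iface: policy routing so PINNED_SRC keeps using PINNED_IFACE
# whichever modem currently carries the default route (the "persistent on a
# specific device" case from the post).
pin_source_to_iface() {
    ip route replace default dev "$PINNED_IFACE" table "$PINNED_TABLE"
    ip rule show | grep -q "from $PINNED_SRC lookup $PINNED_TABLE" \
        || ip rule add from "$PINNED_SRC" lookup "$PINNED_TABLE"
}

main() {
    # cron may start a new run while the previous one is still pinging;
    # the lock serialises them so two instances never fight over the route.
    exec 9>"$LOCK_FILE"
    flock -n 9 || { logger -t modem-failover "previous run still active"; return 0; }

    if ! best=$(collect_probes | pick_best_iface); then
        logger -t modem-failover "no modem answered; keeping current route"
        return 1
    fi
    if [ "$(current_default_iface)" = "$best" ]; then
        logger -t modem-failover "default route already via $best"
    else
        logger -t modem-failover "switching default route to $best"
        # replace is atomic: no window in which there is no default route
        ip route replace default dev "$best"
    fi
    pin_source_to_iface
}

# Run the failover only when explicitly asked (e.g. from cron:
# "* * * * * /usr/local/sbin/modem-failover.sh run"); without the argument the
# file only defines the functions, so it can be sourced and tested on canned input.
if [ "${1:-}" = "run" ]; then main; fi
```

Drop it in as /usr/local/sbin/modem-failover.sh and call it with the run argument from cron (once a minute is the finest cron itself offers); the route switch only happens when the best modem differs from the one already carrying the default route, so the log stays quiet while everything is healthy.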


Sorta looks like this now, huh?

                                                                ________
                                          +------------+        /
                                          |            |       |
                            +-------------+ Modem 1 +-------
        __                  |             |            |     /
    ___/  \_         +------+-------+     +------------+    |
  _/        \__      |     if1      |                      /
 /             \     |              |                      |
|YoBox          -----+ Script       |                      |Internet
 \_           __/    |              |                      |
   \__     __/       |     if2      |                      \
      \___/          +------+-------+     +------------+    |
                            |             |            |     \
                            +-------------+ Modem 2 +-------
                                          |            |       |
                                          +------------+        \________

OsmocomBB+OpenBTS+GSM={Calypso Chipset/Motorola C123} *USB+2.5mm Jack

BTS------------Base Transceiver Station
GSM-----------Global System for Mobile Communications, originally Groupe Spécial Mobile
OsmocomBB---Firmware to run on our Calypso-based device (Motorola C123)
USB to 2.5mm jack cable (I will show you how to make this)


  • What I am doing.
  • What are my objectives.
  • Why the above equipment.
  • Why am I doing this.
  • What do I get out of this.


What I am doing

I will be creating a BTS with the cheapest hardware equipment available to do this.

What are my objectives

Read above and then think of what a BTS can do.

Why the above Equipment

  • Ummmm, coz it's really cheap (the equipment)
  • Coz I want a BTS really bad (the things you can exploit/research with this)
  • Coz testing IPv4/IPv6/TCP..... is too overrated and everyone is doing it... who will do GSM?

Why am I doing this (now I'm just repeating myself)

What do I get out of this

Everything and Nothing ----> yes, it's every bit of knowledge up to where I stop, and it's nothing since I know telcos will probably ignore my rant :(

..... OK, let's get rolling.

REQUIREMENTS:
Hardware: 
  1. PC
  2. Calypso chipset supported device (Motorola C113, C115, C118.....)
  3. USB to 2.5mm Jack cable
Software:
  1. *nix Based OS
  2. OsmocomBB
  3. OpenBTS

STEPS
  1. Install OpenBTS (and Asterisk)
  2. Install OsmocomBB
  3. Configure Everything
  4. Create USB to 2.5mm jack cable* I'm not going to go into this.... it's a pain I don't want to remember (not that it's very hard... it's just that I burnt a finger, and probably someone's house, while at it)
  5. Test
  6. and......play



  1. Install OpenBTS (and Asterisk)

Well, there are many ways to do this, from compiling the source to, if you have Ubuntu 12.04 as your OS (I also did this on Debian 7.3 (wheezy) 64-bit, x86-64 architecture), using the Debian packages that exist for it. You also need to install these first:

autoconf
libtool
libosip2
libortp
libusb-1.0
g++
sqlite3
libsqlite3-dev (sipauthserve only)
libreadline6-dev
libncurses5-dev


sudo apt-get install autoconf libtool libosip2-dev libortp-dev libusb-1.0-0-dev g++ sqlite3 libsqlite3-dev erlang libreadline6-dev libncurses5-dev

Well, after that the following downloaded packages need to be installed (N.B. the packages you are about to install are specific to UHD ----USRP Hardware Driver---- devices):

sudo dpkg -i a53_1.0-1_amd64.deb
sudo dpkg -i openbts-public_3.2_amd64.deb
sudo dpkg -i smqueue-public_3.2_amd64.deb 
sudo dpkg -i sipauthserve-public_3.2_amd64.deb

Running OpenBTS

(from OpenBTS root)
cd /OpenBTS
sudo ./OpenBTS

You should see something like this..... well, if you have your devices connected and configured:


system ready
use the OpenBTSCLI utility to access CLI

And if you scan for GSM towers on your phone, you should see a 00101 (test) network. If you try to attach, it will reject you. This is because OpenBTS, by default, only allows registered handsets to connect, and as we are not running our registration server (sipauthserve), no phones will camp. From here, we should look at a few OpenBTS configuration variables. Connect to OpenBTS with the OpenBTSCLI command:

(from OpenBTS root) 
cd /OpenBTS 
sudo ./OpenBTSCLI

Once you have OpenBTS up and running, you need to change the following configuration parameters in the database (/etc/OpenBTS/OpenBTS.db):

Control.GSMTAP.TargetIP = 127.0.0.1
GSM.Radio.NeedBSIC = 1
GSM.Radio.Band = 1800
GSM.CellSelection.Neighbors =           (set to empty string)
GSM.RACH.MaxRetrans = 3
GSM.RACH.TxInteger = 8
GSM.Radio.C0 = <your ARFCN (see note)>
Control.LUR.OpenRegistration = ^63905.*$   (note: in this example only IMSIs with MCC 639 and the MNC 05 will be allowed to register to the network, change that accordingly)
Warning: Only set GSM.Radio.C0 to an ARFCN you have a valid license for.
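Since the registration pattern and the GSMTAP target decide which handsets may camp on the cell and where the copies of the air-interface frames are sent, it is worth checking these settings before bringing the cell up. The script below is an added example (not OpenBTS tooling and not the post's own code) that lints a plain "key = value" text file mirroring the list above; it never opens OpenBTS.db. The sample settings file, the ARFCN 512 in it and the treatment of OpenRegistration as an extended regex are assumptions of the example.

```sh
#!/bin/sh
# Added example, not OpenBTS tooling and not the post's own code: a pre-flight
# lint of the OpenBTS settings listed above, read from a plain "key = value"
# text file. The rules encode what the post says each value should be; the
# sample file and the rules are this example's, not OpenBTS's.

# example_config: constructed settings file mirroring the post's list.
# GSM.Radio.C0 = 512 is a made-up ARFCN for the example; use your licensed one.
example_config() {
    cat <<'EOF'
Control.GSMTAP.TargetIP = 127.0.0.1
GSM.Radio.NeedBSIC = 1
GSM.Radio.Band = 1800
GSM.CellSelection.Neighbors =
GSM.RACH.MaxRetrans = 3
GSM.RACH.TxInteger = 8
GSM.Radio.C0 = 512
Control.LUR.OpenRegistration = ^63905.*$
EOF
}

# cfg_get FILE KEY: value of KEY in a "key = value" file; empty if absent.
cfg_get() {
    awk -v k="$2" '
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == k) {
                val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# imsi_allowed PATTERN IMSI: 0 if the Control.LUR.OpenRegistration pattern
# matches the IMSI. OpenBTS matches the value as a regular expression; this
# example assumes extended regex syntax.
imsi_allowed() {
    printf '%s\n' "$2" | grep -Eq "$1"
}

# registration_is_scoped PATTERN: 0 if the pattern is anchored at the start and
# fixes at least the three-digit MCC, as the post's ^63905.*$ does; 1 for
# catch-alls such as ".*" or "^.*$" that would let any passing handset camp.
registration_is_scoped() {
    printf '%s\n' "$1" | grep -Eq '^\^[0-9]{3}'
}

is_number() { printf '%s\n' "$1" | grep -Eq '^[0-9]+$'; }
equals()    { [ "$1" = "$2" ]; }
# status CMD...: prints 0 or 1 for CMD's exit status (safe under set -e).
status()    { "$@" && echo 0 || echo 1; }

# report STATUS TEXT: prints an ok/FAIL line and counts failures in $fails.
report() {
    if [ "$1" -eq 0 ]; then printf 'ok:   %s\n' "$2"
    else printf 'FAIL: %s\n' "$2"; fails=$((fails + 1)); fi
}

# check_config FILE: one line per rule; returns the number of failed rules.
check_config() {
    fails=0
    c0=$(cfg_get "$1" GSM.Radio.C0)
    reg=$(cfg_get "$1" Control.LUR.OpenRegistration)
    nb=$(cfg_get "$1" GSM.CellSelection.Neighbors)
    bsic=$(cfg_get "$1" GSM.Radio.NeedBSIC)
    tap=$(cfg_get "$1" Control.GSMTAP.TargetIP)
    report "$(status is_number "$c0")"               "GSM.Radio.C0 is a numeric ARFCN, not a placeholder: '$c0'"
    report "$(status registration_is_scoped "$reg")" "OpenRegistration scoped to one MCC/MNC: '$reg'"
    report "$(status equals "$nb" "")"               "CellSelection.Neighbors is empty"
    report "$(status equals "$bsic" 1)"              "NeedBSIC = 1"
    report "$(status equals "$tap" 127.0.0.1)"       "GSMTAP target is loopback (frames stay on this box): '$tap'"
    return "$fails"
}

# Usage: ./openbts-precheck.sh /path/to/settings.txt   (no argument: define only)
if [ $# -eq 1 ]; then check_config "$1"; fi
```

Run it against a text dump of the values you intend to set; a FAIL on the registration line means the pattern is open enough to accept subscribers of any operator, and a non-loopback GSMTAP target means the decoded frames are being shipped off the box over UDP.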

Installing OsmocomBB

This part is really fun but also very tricky, especially if you don't have an ARM cross compiler (this is what lets us compile the ARM code into the firmware that gets loaded into the Calypso-based device, read: Motorola C123).

So here is a good place to start:

I'm guessing you have done the necessary; many people ask me where the USB to 2.5mm cable is available for purchase, and I would say here.

Now that we have nearly everything done, play around with Osmocom if it's your first time.... Clearly, if you need to know what it does, I would suggest you go to my PDFs link and get more info on 2G networks before doing anything past what you are doing.


Now.... this is how to work a BTS from the cheap device.....

P.S. You need to do a filter replacement, and in case you destroy your board like I also did, you will need to do this... look at the photo.





"When attempting this for the first try, I soldered / desoldered components a few times and ended up destroying the pads and traces so much that there was no way I could put the original filters or balun back on the PCB.

So in a last attempt to make the phone do something, I tried something a little unorthodox (actually proposed by h0rizon on IRC :). Instead of doing a proper unbalanced to balanced signal conversion, I just connected one of the RITA balanced lines to the ground using a DC blocking cap. And then connected the other balanced line to the input via a capacitor as well. For DCS1800 you need to add a capacitor of your own, but for EGSM, there is a capacitor in the input SAW matching that does the trick so you only need a wire.

The quite dirty result is shown on the side. It's ugly but it actually works ... The signal is maybe distorted or a little more noisy, that has yet to be determined. So if you screw up, you can always fall back to this :)"

cited from http://246tnt.com/gsm/rx_filter.html



RF-hacking.... Yes Radio Frequency SPECIFICALLY, GSM

So do I start by explaining every single bit? Because this is one hell of a lengthy topic.

OK, let's start here:

GSM:
Most common network/protocol in the mobile industry (around 75% of mobile users)
Established around 1999
Very common
(was/is) Very expensive debugging devices
(had) Very little documentation

Equipment:

MS-----------Mobile Station = Mobile Equipment + SIM Card
BTS----------Base Transceiver Station
BSC----------Base Station Controller

here is a basic illustration of the GSM network



So with this we have a huge playing field. I know this is rather new to many people, and since GSM was a very hushed-up project, the documentation available is either too heavy for people to indulge in or too undetailed; so, starting from the really simple works out there, I will try to bridge these lines the best way I can.

So my next post will explain how to do "DEBUGGING" on this network with very simple, easy to afford tools (note: afford, not get).

Here are the things that we can achieve as of now:

Access the air interface between the phone and the BTS
Access the HLR via SS7 hacks and pay services (later on)

So what will we learn from all this:

  1. HOW IN/SECURE GSM NETWORKS REALLY ARE
  2. HOW TO BREAK THIS SECURITY
  3. HOW TO DO MAN-IN-THE-MIDDLE ATTACKS ON THESE NETWORKS
  4. HOW TO INTERCEPT DATA ON THESE NETWORKS
  5. HOW TO SET UP BASE TRANSCEIVER STATIONS
  6. HOW TO ACCESS SIM APPLICATIONS
  7. HOW TO CLONE/HACK SIM CARDS
  8. HOW TO CREATE OUR OWN GSM NETWORKS, COMPLETE WITH:


  • Personalised simcards
  • sim applications
  • secure network rules and protocols
  • effective services 
  • really cheap call rates (I know I will probably be killed for this, so if you don't hear from me... ahem)


So with that... why don't we dive in..... starting from the next post about the debugging devices.

ARCHIVED

:) No longer posting, all articles should be treated as archived and outdated