OsmocomBB compatible phone (Motorola c113/115/118/123)
CP2102 cable (can be found here)
TyphonOS (read this if you haven't, or head directly to downloading)
Setup:
Boot up the OS (live or install).
All the software referenced here is already installed.
To run an OsmocomBB application on the phone, you must first find
out what interface your CP2102 cable is connected to. Run this command:
dmesg | grep tty
If you want to run it on ttyUSB0 (and I propose that you do) remove
all USB devices and plug the CP2102 cable in first. The CP2102 cable will
automatically move to /dev/ttyUSB0. To run it on other interfaces, modify the
firmware upload string appropriately.
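The port check described above, as an added example that is not part of the original post: a shell function that reads kernel log text and prints the device node the cp210x driver currently holds. The function name cp210x_tty is hypothetical, and the sample log is constructed; it includes a second adapter (pl2303) that was plugged in first and took ttyUSB0.

```shell
#!/bin/sh
# Added example, not part of the original post.
# cp210x_tty (hypothetical name) reads kernel log text on stdin and prints
# the /dev/ttyUSBn node that the cp210x driver (CP2102 cable) holds now.
cp210x_tty() {
    awk '
        # e.g. "usb 1-2: cp210x converter now attached to ttyUSB0"
        /cp210x converter now attached to ttyUSB[0-9]+/ {
            present[$NF] = 1; order[++n] = $NF
        }
        # e.g. "cp210x ttyUSB0: cp210x converter now disconnected from ttyUSB0"
        /cp210x converter now disconnected from ttyUSB[0-9]+/ {
            delete present[$NF]
        }
        END {
            # The newest attach that has not been unplugged since wins.
            for (i = n; i >= 1; i--)
                if (order[i] in present) { print "/dev/" order[i]; exit 0 }
            exit 1   # no CP2102 currently attached
        }
    '
}

# Constructed sample log: another adapter (pl2303) was plugged in first and
# took ttyUSB0, so the CP2102 landed on ttyUSB1.
SAMPLE_LOG='[    4.758683] console [tty0] enabled
[  170.101010] usb 1-1: pl2303 converter now attached to ttyUSB0
[  175.499398] usb 1-2: cp210x converter now attached to ttyUSB1'

printf '%s\n' "$SAMPLE_LOG" | cp210x_tty
# On a live system: dmesg | cp210x_tty
```

If this prints anything other than /dev/ttyUSB0, either replug the cable first as described above or pass the printed path to -p.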
You can now upload firmware on the phone and observe output.
From the /rf/osmocom-bb/src/host/osmocon/ directory, run (on one line):
sudo ./osmocon -d tr -p /dev/ttyUSB0 -m c123xor -c ../../target/firmware/board/compal_e88/rssi.highram.bin
Then, with the phone powered off, press the power button once briefly
and wait for the firmware to load onto the phone.
As it loads, the screen output should look like this:
RSSI stands for Received Signal Strength Indicator and can be
used to identify the strongest ARFCN in the area. This is important as the BTS
needs to sync with the strongest legitimate BTS in order to receive
configuration information.
Once done exploring the RSSI app, there are plenty more applications
that you can run which are beyond the scope of this document. However, feel
free to explore them to further your understanding of the OsmocomBB platform.
Running
After installing everything, we can now run
the full system.
Plug in the Calypso phone with the CP2102
cable, and ensure that it is on ttyUSB0 before proceeding. Note: Charge the
phone to its fullest, as the power cable interferes with transmission.
From the /rf/osmocom-bb/src/host/osmocon/ directory run the trx
application with the following code (on one line):
sudo ./osmocon -p /dev/ttyUSB0 -m c123xor -c ../../target/firmware/board/compal_e88/trx.highram.bin ../../target/firmware/board/compal_e88/chainload.compalram.bin
Then press the power button on the phone briefly to load the
application.
From the /rf/public/smqueue/trunk/smqueue directory run the smqueue
application with the following code:
sudo ./smqueue
From the /rf/public/subscriberRegistry/trunk directory, run the
sipauthserve application with the following code:
sudo ./sipauthserve
Finally, from the /rf/public/openbts/trunk/apps directory, run the
OpenBTS application with the following code:
sudo ./OpenBTS
After a few seconds, the OpenBTS terminal (top right) will look like
this indicating that syncing has taken place and it is transmitting:
If you had set your MCC and MNC to that of a legitimate network
operator, the 2G phones in the area will begin connecting to your fake base
station. If you left it as the default then you will see a name, either “Test”,
“Range” or “Safaricom” (this is not legal, by the way, assuming you spoofed the name too), when you perform a manual search on your phone.
The above setup creates a fake BTS (IMSI catcher) and works as a spoofed mobile network.
In the next setup we will work on how to send SMSs and even spoof some messages, alphanumeric address and all.
22 comments:
I guess there are some constraints for your typhon OS VM... I cannot install it since I have no DELL computer...
http://s21.postimg.org/5eyyxgoyv/Capture.jpg
Hi John, kind apologies for the alternative link provided, thank you.
Hi, Where is the updated link? :)
@nyoike For running this rogue BTS is there any hardware change required to the compal e_88 mobile (in my case Motorola c123) or will this work without any hardware changes.
Hi, no need to modify the hardware in any way, regards
Very Great tutorial.
Hello
when I run
sudo ./smqueue and sudo ./OpenBTS
this happens
sudo: ./OpenBTS: command not found
now I have this problem
1466481246.655900 139761363961664:
Starting the system...
ALERT 139761363961664 06:54:11.6 TRXManager.cpp:434:powerOff: POWEROFF failed with status -1
EMERG 139761363175168 06:54:11.8 OpenBTS.cpp:151:startTransceiver: cannot find ./transceiver
EMERG 139761363175168 06:54:11.8 OpenBTS.cpp:156:startTransceiver: Transceiver quit with status 256. Exiting.
" when perform a manual search on your phone. ". to ensure that automatically connect to my bts?
I am reading your fantastic post. I have your typhon iso livecd that I try with motorola c123 /I have 4 c123/. Can you give more info on sniffing calls/sms with osmocom platform?
Ali Shageri
(from OpenBTS root)
cd apps
make
ln -s ../TransceiverRAD1/transceiver .
ln -s ../TransceiverRAD1/ezusb.ihx .
ln -s ../TransceiverRAD1/fpga.rbf .
How can I fix it
1466481246.655900 139761363961664:
Starting the system...
ALERT 139761363961664 06:54:11.6 TRXManager.cpp:434:powerOff: POWEROFF failed with status -1
EMERG 139761363175168 06:54:11.8 OpenBTS.cpp:151:startTransceiver: cannot find ./transceiver
EMERG 139761363175168 06:54:11.8 OpenBTS.cpp:156:startTransceiver: Transceiver quit with status 256. Exiting.
Hi! It is for the phone to rewire filters?
if I type this:
sudo ./osmocon -d tr -p /dev/ttyUSB0 -m c123xor –c ../../target/firmware/board/compal_e88/rssi.highram.bin
opening file: No such file or directory
hmm, what's wrong?
this is the output###
root@peseta3-VirtualBox:/RF/osmocom-bb/src/host/osmocon# dmesg | grep tty
[ 4.758683] console [tty0] enabled
[ 175.499398] usb 1-2: cp210x converter now attached to ttyUSB0
root@peseta3-VirtualBox:/RF/osmocom-bb/src/host/osmocon# sudo ./osmocon -d tr -p /dev/ttyUSB0 -m c123xor –c ../../target/firmware/board/compal_e88/rssi.highram.bin
got 2 bytes from modem, data looks like: 04 81 ..
got 5 bytes from modem, data looks like: 1b f6 02 00 41 ....A
got 1 bytes from modem, data looks like: 01 .
got 1 bytes from modem, data looks like: 40 @
Received PROMPT1 from phone, responding with CMD
opening file: No such file or directory
can you help me?
root@peseta3-VirtualBox:/RF/osmocom-bb/src/host/osmocon#
Help,please!)
Starting the system...
ALERT 3074529024 22:47:02.8 TRXManager.cpp:434:powerOff: POWEROFF failed with status -1
EMERG 3073948480 22:47:02.8 OpenBTS.cpp:156:startTransceiver: Transceiver quit with status 256. Exiting.
can you help me?
Hello! How to install?? Thanks!
Only Dell computer? Any hack? Thanks!
I have the same problem as others, this:
Starting the system...
ALERT 3074529024 22:47:02.8 TRXManager.cpp:434:powerOff: POWEROFF failed with status -1
EMERG 3073948480 22:47:02.8 OpenBTS.cpp:156:startTransceiver: Transceiver quit with status 256. Exiting.
I linked this:
ln -s ../TransceiverRAD1/transceiver .
ln -s ../TransceiverRAD1/ezusb.ihx .
ln -s ../TransceiverRAD1/fpga.rbf .
But I have the problem anyway.
Can you help me? Thanks.
link for Motorola C118/123 online buy