OsmocomBB compatible phone (Motorola c113/115/118/123)
CP2102 cable (can be found here)
TyphonOS (read this is you havent, or directly head to downloading)
TyphonOS (read this is you havent, or directly head to downloading)
Setup:
Boot up the OS(live or install)
Boot up the OS(live or install)
All the softwares referenced here are already installed.
To run an OsmocomBB application on the phone, you must first find
out what interface your CP2102 cable is connected to. Run this command:
dmesg | grep tty
If you want to run it on ttyUSB0 (and I propose that you do) remove
all USB devices and plug the CP2102 cable in first. The CP2102 cable will
automatically move to /dev/ttyUSB0. To run it on other interfaces, modify the
firmware upload string appropriately.
You can now upload firmware on the phone and observe output.
From
the /rf/osmocom-bb/src/host/osmocon/ directory, run:
sudo ./osmocon -d tr -p /dev/ttyUSB0 -m c123xor
–c ../../target/firmware/board/compal_e88/rssi.highram.bin
Then, with the phone powered off, press the power button once briefly
and wait for the firmware to load onto the phone.
As it loads, the screen output should look like this:
RSSI stands for Received Strength Signal Indicator and is can be
used to identify the strongest ARFCN in the area. This is important as the BTS
needs to sync with the strongest legitimate BTS in order to receive
configuration information.
Once done exploring the RSSI app, there are plenty more applications
that you can run which are beyond the scope of this document. However, feel
free to explore them to further your understanding on the OsmocomBB platform.
Running
After installing everything, we can now run
the full system.
Plug in the calypso phone with the CP2102
cable, and ensure that it is on ttyUSB0 before proceeding. Note: Charge the
phone to its fullest as the power cable interferes with transmission.
From the /rf/osmocom-bb/src/host/osmocon/ directory run the trx
application with the following code (on one line):
sudo ./osmocon -p /dev/ttyUSB0 -m c123xor -c
../../target/firmware/board/compal_e88/trx.highram.bin
../../target/firmware/board/compal_e88/chainload.compalram.bin
Then press the power button on the phone briefly to load the
application.
From the /rf/public/smqueue/trunk/smqueue directory run the smqueue
application with the following code:
sudo ./smqueue
From the /rf/public/subscriberRegistry/trunk directory, run the
sipauthserve application with the following code:
sudo ./sipauthserve
Finally, from the /rf/public/openbts/trunk/apps directory, run the
OpenBTS application with the following code:
sudo ./OpenBTS
After a few seconds, the OpenBTS terminal (top right) will look like
this indicating that syncing has taken place and it is transmitting:
If you had set your MCC and MNC to that of a legitimate network
operator, the 2G phones in the area will begin connecting to your fake base
station. If you left it as the default then you will see a name either “Test”
or “Range” or "Safaricom [this is not legal by the way assuming you spoofed the name too]" when perform a manual search on your phone.
The above setup creates a fakeBTS (IMSI catcher) and works as a spoofed Mobile Network.
On the next setup we will work on how to send SMSs and even spoof some messages alphanumeric address and all.
On the next setup we will work on how to send SMSs and even spoof some messages alphanumeric address and all.
