Creating your own GSM Network with LimeSDR

DISCLAIMER: Transmitting on the GSM bands without a licence is illegal in basically every jurisdiction, and a rogue cell can disrupt real networks and attach strangers' phones. Be sure to run this in a shielded RF environment (a Faraday cage) and at the lowest transmit power that still works.

This article works with any LimeSDR version.

[ Also available at https://lucasteske.dev/2019/12/creating-your-own-gsm-network-with-limesdr/ ]

For this example we will use the Osmocom GSM stack in NITB (Network In The Box) mode. In this mode osmo-nitb bundles the BSC, MSC, HLR and SMSC in a single process, so the phones attached to your BTS can call each other and send SMS messages without any external core network. There is also the interconnect mode, in which the BSC (Base Station Controller) is connected to an ISDN or IP PBX (for example Asterisk) that manages the connected phones. You can check the different modes here: https://osmocom.org/projects/openbsc/wiki/OpenBSC#Configurations-Modes

For this article I will be using Ubuntu 18.04 LTS as the operating system, since LimeMicro provides pre-compiled packages for it, which helps a lot. It should run on any Linux distribution provided that the required packages are available or you compile the missing ones yourself. I might write a tutorial later about installing from source, but for now I will stick to the pre-compiled packages.

Installing the required packages

The first thing we need to do is install all the required packages. LimeMicro did a nice job and gathered everything, pre-compiled, in their PPAs, so let's add those first:

Let's also add the Osmocom binary package repository:

Then we can install required packages:

These packages are:

  • osmocom-nitb => the Network In The Box package. It contains osmo-nitb, which combines the BSC, MSC, HLR and SMSC roles and manages the whole GSM network.
  • osmo-bts-trx => the Base Transceiver Station software. It implements the BTS side of the Um air interface (burst scheduling, LAPDm), talks to osmo-nitb over Abis/IP and to the transceiver over a local UDP link.
  • osmo-trx-lms => the LimeSDR "frontend" for the BTS: the transceiver (layer 1) that does the GSM modulation and demodulation and actually drives the LimeSDR.
  • limesuite => the LimeSuite software and driver for the LimeSDR.

Updating the LimeSDR Firmware

It is good practice to check whether your LimeSDR firmware is up to date. To check, and update if needed, you only need to run:

That compares the firmware and gateware on the board with the versions bundled with LimeSuite and flashes them if they are out of date. Do not unplug the board while it is writing.

Creating the configuration files

There are a few files that need to be created. Let's start with the OpenBSC config file, openbsc.cfg:

There are several parameters here, but I will only describe the ones you might want to change:

  • network country code => the MCC (Mobile Country Code) of the network operator, a three-digit code that says in which country the operator operates. For example: 724 is Brazil.
  • mobile network code => the MNC (Mobile Network Code) of the network operator, two or three digits that say which operator it is. Every mobile network operator has its own MNC (some have more than one). MCC followed by MNC is the PLMN code the phone displays until it learns the name, for example 72470.
  • short name => the short name of the network operator, shown on the phone once attached.
  • long name => the long name of the network operator.
  • auth policy => how phones trying to attach are accepted. accept-all lets any phone in and creates an HLR entry for it on the fly; closed only admits IMSIs that already exist in the HLR and are marked authorized.

Be careful with these settings, especially with an accept-all policy. If you use the MCC and MNC of an existing mobile operator, the phones of that operator's customers near your LimeSDR will treat your cell as one of their own and may attach to it, which turns your setup into an IMSI catcher and cuts those people off from their real network. The operator name (at least on an Android device) only appears after the phone has attached, so the victim sees nothing unusual. Use a PLMN that belongs to nobody; MCC 001 with MNC 01 is reserved for test networks.
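To make the difference concrete, here is what the network node of openbsc.cfg looks like for both choices. This is an added example written for this article, not a copy of the author's file (which is not reproduced above); it shows two network nodes side by side for comparison, whereas a real file has exactly one. The syntax is osmo-nitb's VTY configuration format, the operator names and the 724/70 values are illustrative, and lines starting with ! are comments.

```text
! Risky: a real operator's PLMN (724 / 70 here) combined with accept-all
! means any phone of that operator within range may camp on this cell.
network
 network country code 724
 mobile network code 70
 short name HUEBR
 long name HUEBRNetwork
 auth policy accept-all

! Safer: the reserved test PLMN 001 / 01 and a closed policy, so only
! IMSIs you created in the HLR and marked authorized can attach.
network
 network country code 001
 mobile network code 01
 short name TESTNET
 long name TESTNET
 auth policy closed
```

With the closed policy you add each SIM beforehand on the osmo-nitb telnet interface (port 4242, after entering enable) with subscriber create imsi <IMSI>, then subscriber imsi <IMSI> authorized 1 and subscriber imsi <IMSI> extension <number>; with accept-all those HLR rows are created automatically on the phone's first location update, with a random extension.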

That openbsc.cfg file is read by osmo-nitb. The next file, osmo-bts.cfg, is read by osmo-bts-trx:

The only important parameter here to take care of is band. Make sure it is the same band as in openbsc.cfg, and that the ARFCN you configured there lies within that band, otherwise osmo-bts rejects the carrier configuration it receives from osmo-nitb. The next file is osmo-trx.cfg, which is used by osmo-trx-lms:

There is not much to change here. If you are using a LimeSDR with several RF ports (like the LimeSDR USB or the PCIe version, as opposed to the LimeSDR Mini) you can set the tx-path and rx-path parameters to the ports your antennas are connected to.

Running the software stack

There are a few programs to run to get the BTS working. Run all of them from the folder where you created the configuration files, since each program looks for its config file in the current directory unless you pass one explicitly.

The first one to run is osmo-trx-lms. It should be run as root so it can raise its scheduling priority to real time, which matters especially if you are running on a small SBC like a Raspberry Pi: if the transceiver misses its timing, the BTS drops bursts.

The second one is osmo-nitb, the network core (BSC, MSC and HLR in one process). This one does not need to be run as root.

And the last one is osmo-bts-trx, the BTS, which connects to osmo-nitb over Abis/IP and to the already running osmo-trx-lms transceiver:

Now your base station should be running.

Testing the Base Station

The best way to test is to have a programmable SIM card whose keys you control, like this one:

Sysmocom Custom Simcard http://shop.sysmocom.de/products/sysmousim-sjs1-4ff

But since we set the auth policy to accept-all, you can just go to your phone's network settings, switch to manual network selection and pick the network you created. That works fine on an Android phone, which lets you select arbitrary networks:

List of networks in an Android Phone. Here the 72470 network I just created

Here is the network I just created, shown as its PLMN code, MCC 724 followed by MNC 70. Some SIM cards only list networks whose MCC matches the SIM's own country (here, for example, the network only shows up because it uses 724).

After connecting to the network, the name should appear instead of the MCC+MNC code:

HUEBRNetwork showing in the list

Listing Subscribers

There is a simple Python script to list the subscribers. What it does is open the HLR SQLite database that osmo-nitb maintains (hlr.sqlite3 by default), run a simple query and print the result.

https://gist.github.com/racerxdl/4981f64c17361f5a3a684cda286f21f4

The IMSI identifies the SIM card (the subscription), not the handset; the handset has its own identifier, the IMEI. The IMSI stays with the subscriber wherever that SIM roams, which is why it is the number used to track a specific user, and why a rogue cell collecting IMSIs from passers-by is a privacy problem even if it never talks to them. The extension is the phone number (MSISDN) osmo-nitb assigned to that subscriber in your network.
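As an added example (written for this article, not the gist linked above), here is a version of that script that also runs offline: it builds an in-memory copy of the Subscriber table as osmo-nitb creates it in hlr.sqlite3, fills it with constructed rows, and queries it the same way you would query the real file. The column names follow osmo-nitb's schema; the sample IMSIs and extensions are made up, and the IMSI masking helper is my addition.

```python
"""List the subscribers osmo-nitb has written to its HLR database.

Added example, not the author's script.  The Subscriber table layout below is
the one osmo-nitb keeps in hlr.sqlite3; the rows are constructed sample data.
"""
import sqlite3

HLR_PATH = "hlr.sqlite3"  # osmo-nitb's default database file

# lac == 0 is GSM_LAC_RESERVED_DETACHED in OpenBSC: the phone sent an IMSI
# detach (or never finished a location update), so the row is stale.
LAC_DETACHED = 0


def open_sample_hlr():
    """Build an in-memory HLR with osmo-nitb's Subscriber table and sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE Subscriber (
             id INTEGER PRIMARY KEY AUTOINCREMENT,
             created TIMESTAMP NOT NULL,
             updated TIMESTAMP NOT NULL,
             imsi NUMERIC UNIQUE NOT NULL,
             name TEXT,
             extension TEXT UNIQUE,
             authorized INTEGER NOT NULL DEFAULT 0,
             tmsi TEXT UNIQUE,
             lac INTEGER NOT NULL DEFAULT 0,
             expire_lu TIMESTAMP DEFAULT NULL)"""
    )
    now = "2019-12-01 12:00:00"
    # Constructed (imsi, name, extension, authorized, lac) rows.  The IMSIs
    # deliberately avoid a leading zero: SQLite's NUMERIC affinity stores the
    # digits as an integer, so an IMSI starting with 0 (test PLMN 001) would
    # come back without its leading zeros.
    rows = [
        ("724700000000001", "", "1000", 1, 1),
        ("724700000000002", "", "1001", 1, 1),
        ("724700000000003", "", "1002", 1, LAC_DETACHED),  # phone has left
    ]
    db.executemany(
        "INSERT INTO Subscriber (created, updated, imsi, name, extension,"
        " authorized, lac) VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(now, now, imsi, name, ext, auth, lac) for imsi, name, ext, auth, lac in rows],
    )
    db.commit()
    return db


def list_subscribers(db, attached_only=False):
    """Return one dict per subscriber, optionally only those currently camped."""
    sql = "SELECT imsi, extension, name, authorized, lac FROM Subscriber"
    params = ()
    if attached_only:
        sql += " WHERE lac != ?"
        params = (LAC_DETACHED,)
    sql += " ORDER BY id"
    return [
        {"imsi": str(imsi), "extension": ext, "name": name,
         "authorized": bool(auth), "attached": lac != LAC_DETACHED}
        for imsi, ext, name, auth, lac in db.execute(sql, params)
    ]


def mask_imsi(imsi):
    """Keep the PLMN prefix (5 digits) and the last 3 digits, hide the rest.

    IMSIs collected under an accept-all policy are other people's identifiers;
    do not write them to logs or screenshots in the clear.
    """
    imsi = str(imsi)
    if len(imsi) < 9:
        return "*" * len(imsi)
    return imsi[:5] + "*" * (len(imsi) - 8) + imsi[-3:]


if __name__ == "__main__":
    import os
    db = sqlite3.connect(HLR_PATH) if os.path.exists(HLR_PATH) else open_sample_hlr()
    for sub in list_subscribers(db):
        state = "attached" if sub["attached"] else "detached"
        print("%s  ext %-6s %s" % (mask_imsi(sub["imsi"]), sub["extension"], state))
```

Run against a real hlr.sqlite3 the script prints every subscriber osmo-nitb ever saw, not just the phones currently on the cell; filtering on lac is what distinguishes the two, and the sms_broadcast-style scripts rely on the same column.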

Sending SMS

There are two scripts I found on the internet to send SMS. They select the IMSIs from the SQLite database the Osmocom stack creates and then connect to the telnet (VTY) interface of osmo-nitb to issue the SMS commands. One of them is sms_broadcast.py:

This one is pretty simple to use:

This sends an SMS to all connected devices as if it came from the given source number.

Another option is to target a single user:

This one generates a random source number and sends the specified message n times.

There are many more things you can do by issuing commands directly on the OpenBSC telnet interface. The full VTY reference is available at https://ftp.osmocom.org/docs/latest/osmobsc-vty-reference.pdf. Note that this PDF documents osmo-bsc; on osmo-nitb, type list (or ?) in the telnet session to see the commands it actually offers, including the subscriber commands the scripts above use.
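As an added example, and not one of the two scripts above, here is the telnet part of those scripts done with plain sockets: it builds the osmo-nitb VTY command for each IMSI, validates the inputs so a message cannot smuggle in a second VTY command, and reports any error lines the VTY answers with. It assumes osmo-nitb's VTY on 127.0.0.1:4242 with no line vty password configured; the IMSIs and extension used in the offline loopback check are constructed.

```python
"""Send an SMS to one or more IMSIs through osmo-nitb's telnet VTY.

Added example, not one of the scripts linked above.  Assumptions: osmo-nitb's
VTY listens on 127.0.0.1:4242 with no "line vty" password, and the command
    subscriber imsi <IMSI> sms sender extension <EXT> send <TEXT>
is available in the enable node, so "enable" is issued first.
"""
import socket
import sys

VTY_ADDR = ("127.0.0.1", 4242)  # osmo-nitb's default VTY port


def vty_sms_commands(imsis, sender_ext, text):
    """Build the command lines for the VTY.

    The VTY executes one command per line, so a newline inside the message
    would run a second, attacker-chosen command; reject it rather than quote it.
    """
    if any(c in text for c in "\r\n\x00"):
        raise ValueError("SMS text must be a single line")
    if not (sender_ext.isdigit() and 1 <= len(sender_ext) <= 15):
        raise ValueError("sender extension must be 1-15 digits")
    cmds = ["enable"]
    for imsi in imsis:
        if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
            raise ValueError("bad IMSI: %r" % (imsi,))
        cmds.append("subscriber imsi %s sms sender extension %s send %s"
                    % (imsi, sender_ext, text))
    return cmds


def send_over(sock, cmds):
    """Write the commands, CRLF-terminated like a telnet client, to a connected
    socket and return the exact bytes that went on the wire."""
    payload = "".join(c + "\r\n" for c in cmds).encode("utf-8")
    sock.sendall(payload)
    return payload


def read_replies(sock, timeout=1.0):
    """Collect whatever the VTY answers (banner, echo, prompts, % errors)."""
    sock.settimeout(timeout)
    chunks = []
    try:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    except socket.timeout:
        pass
    return b"".join(chunks).decode("utf-8", "replace")


def vty_errors(output):
    """Return the lines the VTY flagged as errors: they start with '%' after
    the 'OpenBSC> ' / 'OpenBSC# ' prompt, e.g. an unknown command or IMSI."""
    errors = []
    for line in output.splitlines():
        body = line.rsplit("# ", 1)[-1].rsplit("> ", 1)[-1].strip()
        if body.startswith("%"):
            errors.append(body)
    return errors


def send_sms(imsis, sender_ext, text, addr=VTY_ADDR):
    """Connect to the VTY, issue the commands and return (output, errors)."""
    cmds = vty_sms_commands(imsis, sender_ext, text)
    with socket.create_connection(addr, timeout=5) as sock:
        send_over(sock, cmds)
        output = read_replies(sock)
    return output, vty_errors(output)


def loopback_check(cmds):
    """Offline self-test: push the commands through a socket pair and return
    (sent, received) so the framing can be checked without a running BTS."""
    a, b = socket.socketpair()
    try:
        sent = send_over(a, cmds)
        received = b.recv(65536)
    finally:
        a.close()
        b.close()
    return sent, received


if __name__ == "__main__":
    # usage: python vty_sms.py <sender-extension> "<text>" IMSI [IMSI ...]
    out, errs = send_sms(sys.argv[3:], sys.argv[1], sys.argv[2])
    print(out)
    sys.exit(1 if errs else 0)
```

Combine it with the subscriber listing to get a broadcast: feed the IMSIs of the attached subscribers to send_sms. Anything the VTY prints starting with % (for instance an unknown IMSI) ends up in the returned error list instead of being lost in the echoed telnet noise.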

Bottom Line

I hope you all liked this article. It took me a while to write it (I have been really busy since H2HC) but I think it has enough information for anyone to start playing with this. Just remember to do it wisely and with care. Not only is this highly illegal anywhere, it can also harm existing mobile networks. Using custom MCC+MNC codes avoids pulling other operators' phones onto your cell, but remember that the frequencies involved still require a licence to use.

Programming, Hacking, SDR, Satellites. Basically everything technology related. Everything is also posted on my site https://lucasteske.dev/