
OpenBTS 5.0 with "testcall"

This repo consists of:

  • OpenBTS 5.0 with the implemented testcall function (removed since OpenBTS 2.8 for security reasons)
  • 3 Fuzzing Scripts

Motivation

Security through obscurity is just wrong.

That's why I re-implemented the function in the newest OpenBTS and am making it publicly available. Beyond that, the function gives security specialists a way to look directly at the baseband processor of a mobile device: messages injected through it can reveal flaws in baseband implementations, and finding those flaws is what improves their security.

The discussion on the "testcall" subject by the creators can be found here.

Installation guide OpenBTS + Testcall

This guide provides a step-by-step manual to install OpenBTS 5.0 with the "Testcall" function and the capability to fuzz a mobile device. It also covers the libraries and additional programs needed to run OpenBTS. The guide starts from scratch and assumes a bladeRF; other SDRs are also supported by OpenBTS and can be installed following the manufacturer's guide. All relative paths below assume you return to the same working directory (the one that will hold dev/, obts/, yate/ and yate-bts/) before each block of commands.

Setting up a virtual machine with Ubuntu:

Step 1: Install VMware Workstation 12 Player from: https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0
Step 2: Download Ubuntu from http://www.ubuntu.com/download/desktop
Step 3: Create a virtual machine with the downloaded Ubuntu iso
Step 4: After the installation, start Ubuntu and install the build dependencies (subversion is needed for the Yate checkout further down):

sudo apt-get install autoconf libtool libosip2-dev libortp-dev libusb-1.0-0-dev g++ sqlite3 \
   libsqlite3-dev erlang libreadline6-dev libncurses5-dev git dpkg-dev debhelper libssl-dev cmake subversion

Clone the OpenBTS and Testcall Git repositories.

# OpenBTS
git clone https://github.com/RangeNetworks/dev
# TestCall
git clone https://github.com/Djimmer/obts

Go to the OpenBTS folder, dev/, fetch the components and build the bundled libraries.

cd dev/
# Download all of the components
./clone.sh

cd libcoredumper
./build.sh && sudo dpkg -i *.deb
cd ..

cd liba53
make && sudo make install
cd ..

cd NodeManager
./install_libzmq.sh
cd ../..

Installing bladeRF.

sudo add-apt-repository ppa:bladerf/bladerf
sudo apt-get update
sudo apt-get install bladerf

Install Yate. Only the install step needs root; checking out and configuring as root leaves a root-owned source tree you then have to sudo into for every rebuild.

svn checkout http://voip.null.ro/svn/yate/trunk yate
cd yate/
./autogen.sh
./configure
sudo make install-noapi
cd ..

Install YateBTS.

wget http://voip.null.ro/tarballs/yatebts4/yate-bts-4.0.2-1.tar.gz
tar -xzf yate-bts-4.0.2-1.tar.gz
cd yate-bts/
./autogen.sh
./configure

Install libbladeRF

# Install the package...
sudo apt-get install libbladerf-dev
# ... or build and install from source
git clone https://github.com/Nuand/bladeRF.git
cd bladeRF/host
mkdir -p build
cd build
cmake ../
make
sudo make install
sudo ldconfig

Create a transceiver suitable for the bladeRF.

cd yate-bts/mbts/Peering/
make

cd ../TransceiverRAD1
nano Makefile

The bladeRF transceiver is switched off by the condition in this block (the first `no` is what yate-bts's configure wrote when it ran before libbladeRF was installed):

PROGS_BRF := transceiver-bladerf
ifneq (no,no)
FILES:= $(FILES) firmware.img hostedx40.rbf hostedx115.rbf
PROGS:= $(PROGS) $(PROGS_BRF)
endif

Change `ifneq (no,no)` to `ifneq (yes,no)`, save, and build:

make
# If this fails with "libbladeRF.h: No such file or directory / compilation terminated",
# libbladeRF (see "Install libbladeRF" above) is not installed or not on the include path.

Copy the binary into the OpenBTS apps directory (this assumes yate-bts/ and dev/ sit side by side) and make it the transceiver that OpenBTS starts:

cp transceiver-bladerf ../../../dev/openbts/apps/
cd ../../../dev/openbts/apps/
ln -sf transceiver-bladerf transceiver

Import the Testcall code into OpenBTS

cd obts/
cp -r CLI/ ../dev/openbts/
cp -r Control/ ../dev/openbts/
cp -r GSM ../dev/openbts/
cp -r Fuzzer ../dev/openbts/

Install UHD & libboost

sudo apt-get install libuhd-dev libuhd003 uhd-host
sudo apt-get install libboost-dev

Install OpenBTS

cd dev/openbts
./autogen.sh
./configure --with-uhd
make

Initialize the OpenBTS database

sudo mkdir /etc/OpenBTS
sudo sqlite3 -init ./apps/OpenBTS.example.sql /etc/OpenBTS/OpenBTS.db ".quit"
Test this by running:

sqlite3 /etc/OpenBTS/OpenBTS.db .dump

In order to run OpenBTS two additional programs are required: the Subscriber Registry (sipauthserve) and Smqueue.

Installing the Subscriber Registry:

sudo mkdir -p /var/lib/asterisk/sqlite3dir

cd dev/subscriberRegistry/
./autogen.sh
./configure
make

sudo sqlite3 -init sipauthserve.penBTS/sipauthserve.db ".quit"
# Is the line above correct?
# Should it not be sudo sqlite3 -init test.sipauthserve/sipauthserve.db.init ".quit"
# or is there a special "penBTS" init script, or should "penBTS" be "openBTS"?

sudo ./apps/sipauthserve

Installing Smqueue:

cd dev/smqueue/
./autogen.sh
./configure
make

sudo mkdir /var/lib/OpenBTS
sudo touch /var/lib/OpenBTS/smq.cdr

# the binary is built in the smqueue/ subdirectory, not in dev/smqueue/ itself
sudo ./smqueue/smqueue
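Before starting the three programs it is worth checking that the steps above produced what OpenBTS will look for. The script below is an added example written for this guide, not a script from the obts or OpenBTS repositories. It assumes the paths used above (dev/openbts/apps, /etc/OpenBTS/OpenBTS.db, /var/lib/OpenBTS/smq.cdr, /var/lib/asterisk/sqlite3dir) and that OpenBTS.db has the standard CONFIG table with KEYSTRING/VALUESTRING columns; the four config keys it reports are the usual OpenBTS 5 radio and identity keys and are treated as optional. The sipauthserve database is deliberately not checked, because its path in this guide is uncertain.

```python
"""Pre-flight checks for the build produced by the steps above.

Added example; not part of the obts or OpenBTS repositories. It only reads
files, so it is safe to run before 'sudo ./OpenBTS'. Default paths are the
ones used in this guide; pass others if you installed elsewhere.
"""
import os
import sqlite3

# Keys OpenBTS 5 reads from /etc/OpenBTS/OpenBTS.db (table CONFIG, columns
# KEYSTRING/VALUESTRING). Missing keys are reported, not fatal: OpenBTS falls
# back to its built-in defaults for them.
CONFIG_KEYS = ("GSM.Radio.Band", "GSM.Radio.C0",
               "GSM.Identity.MCC", "GSM.Identity.MNC")


def check_transceiver(apps_dir):
    """OpenBTS execs ./transceiver from its apps dir; it must be the bladeRF build."""
    link = os.path.join(apps_dir, "transceiver")
    if not os.path.islink(link):
        return False, "apps/transceiver is not a symlink (run ln -sf transceiver-bladerf transceiver)"
    target = os.readlink(link)
    if target != "transceiver-bladerf":
        return False, "transceiver -> %s, expected transceiver-bladerf" % target
    if not os.access(os.path.join(apps_dir, target), os.X_OK):
        return False, "transceiver-bladerf missing or not executable"
    return True, "transceiver -> transceiver-bladerf"


def check_config_db(db_path):
    """The sqlite3 -init step must have produced a CONFIG table with rows."""
    if not os.path.isfile(db_path):
        return False, "%s missing (run the sqlite3 -init step)" % db_path
    try:
        con = sqlite3.connect("file:%s?mode=ro" % db_path, uri=True)
        try:
            rows = dict(con.execute("SELECT KEYSTRING, VALUESTRING FROM CONFIG"))
        finally:
            con.close()
    except sqlite3.Error as e:
        return False, "cannot read CONFIG table: %s" % e
    if not rows:
        return False, "CONFIG table is empty"
    missing = [k for k in CONFIG_KEYS if k not in rows]
    if missing:
        return True, "%d keys; defaults used for %s" % (len(rows), ", ".join(missing))
    return True, ", ".join("%s=%s" % (k, rows[k]) for k in CONFIG_KEYS)


def check_paths(paths):
    """Runtime files/dirs that sipauthserve and smqueue expect to exist."""
    missing = [p for p in paths if not os.path.exists(p)]
    if missing:
        return False, "missing: " + ", ".join(missing)
    return True, "all present"


def preflight(apps_dir="dev/openbts/apps",
              db_path="/etc/OpenBTS/OpenBTS.db",
              runtime_paths=("/var/lib/OpenBTS/smq.cdr",
                             "/var/lib/asterisk/sqlite3dir")):
    """Run every check; returns {name: (ok, detail)} so callers can assert on it."""
    return {
        "transceiver": check_transceiver(apps_dir),
        "config_db": check_config_db(db_path),
        "runtime_paths": check_paths(runtime_paths),
    }


if __name__ == "__main__":
    for name, (ok, detail) in preflight().items():
        print("%-14s %s  %s" % (name, "OK " if ok else "FAIL", detail))
```

Run it from the directory that holds dev/; a FAIL on "transceiver" is the most common outcome of skipping the Makefile edit above, and an empty CONFIG table means the -init step ran against a missing .sql file.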

To start OpenBTS

All three programs run in the foreground, so use a separate terminal for each, starting from the directory that holds dev/. In OpenBTS 5 the command line interface is the separate OpenBTSCLI program in the same apps directory.

cd dev/openbts/apps
sudo ./OpenBTS

cd dev/subscriberRegistry/apps
sudo ./sipauthserve

cd dev/smqueue/smqueue
sudo ./smqueue

Fuzzing

First start OpenBTS and call the testcall function:

Step 1: Start OpenBTS (together with sipauthserve and smqueue) as described above.
Step 2: Connect and register a mobile device on the network; OpenBTSCLI lists the registered IMSIs with the tmsis command.
Step 3: In OpenBTSCLI run

testcall IMSI
     where IMSI is the IMSI of the mobile device

This takes a moment. OpenBTS is now listening on UDP and forwards any datagram it receives there to the mobile device unchanged; that relay is what makes fuzzing possible. To start the actual fuzzing you have to run one of the three scripts:

cd obts/FUZZER/
./simple_fuzzer.py
or
./smart_fuzzer.py
or
./smarter_fuzzer.py

More information on the fuzzing settings and the differences between the scripts can be found here.
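To show what the scripts are doing underneath, here is a small fuzzer written for this README as an added example; it is not one of the three scripts in obts/ and shares none of their settings. Everything about the relay that the README does not state is an assumption: the host and UDP port (read them from this repo's testcall source or OpenBTS configuration and adjust), that one datagram is one raw GSM 04.08 layer-3 message delivered to the phone on the channel testcall set up, and that replies from the phone are relayed back to the sender, so a phone that stops answering is the crash signal. The message layouts (IDENTITY REQUEST, CC SETUP, BCD number) follow GSM 04.08.

```python
"""Hand-rolled layer-3 fuzzer for the testcall UDP relay described above.

Added example; not one of the repo's scripts. Assumptions (not in the README):
- HOST/PORT: where this repo's testcall listens; change to match your build.
- One datagram = one raw GSM 04.08 layer-3 message sent to the MS as-is.
- Whatever the MS answers is relayed back; no answer N times in a row means
  the MS (or the channel) is gone, which is the crash indicator we want.
"""
import random
import socket
import sys

HOST, PORT = "127.0.0.1", 28670     # assumptions, see module docstring
MAX_L3 = 251                        # 04.08 caps a layer-3 message at 251 octets

PD_CC, PD_MM = 0x03, 0x05           # protocol discriminators (04.08 10.2)
MT_IDENTITY_REQUEST = 0x18          # MM message type
MT_SETUP = 0x05                     # CC message type
IEI_CALLED_BCD = 0x5E               # Called party BCD number, TLV


def identity_request(id_type):
    """MM IDENTITY REQUEST (04.08 9.2.10): ask the MS for IMSI(1), IMEI(2),
    IMEISV(3) or TMSI(4). Octet 3: spare high nibble, identity type low nibble."""
    return bytes([PD_MM, MT_IDENTITY_REQUEST, id_type & 0x0F])


def bcd_digits(number):
    """Pack decimal digits two per octet, low nibble first, 0xF pad (04.08 10.5.4.7)."""
    nibbles = [int(d) for d in number]
    if len(nibbles) % 2:
        nibbles.append(0xF)
    return bytes(nibbles[i] | (nibbles[i + 1] << 4) for i in range(0, len(nibbles), 2))


def cc_setup(called_number, ti=0):
    """Mobile-terminated CC SETUP (04.08 9.3.23) carrying a Called party BCD
    number IE, so the MS has a TLV to parse. TI value sits in the high nibble
    of octet 1 with the TI flag clear, as the network side sends it."""
    body = bytes([0x81]) + bcd_digits(called_number)   # 0x81: TON unknown, NPI ISDN
    ie = bytes([IEI_CALLED_BCD, len(body)]) + body
    return bytes([(ti << 4) | PD_CC, MT_SETUP]) + ie


def mutate(msg, rng):
    """Four cheap corruptions. Octet 1 (PD) is never touched so the MS still
    routes the message to the MM or CC entity we are trying to exercise."""
    b = bytearray(msg)
    how = rng.choice(("bitflip", "truncate", "append", "badlen"))
    if how == "bitflip":
        b[rng.randrange(1, len(b))] ^= 1 << rng.randrange(8)
    elif how == "truncate" and len(b) > 2:
        del b[rng.randrange(2, len(b)):]
    elif how == "append":
        b += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
    elif how == "badlen" and len(b) > 3:
        # octet 4 is the length of the first TLV IE in cc_setup(); lie about it
        b[3] = rng.choice((0x00, 0x7F, 0xFF, len(b)))
    return bytes(b[:MAX_L3])


def generate_cases(seed, count):
    """Deterministic corpus: same seed gives the same cases, so a crash can be replayed."""
    rng = random.Random(seed)
    bases = [identity_request(t) for t in (1, 2, 3, 4)]
    bases += [cc_setup("1234"), cc_setup("123456789012345")]
    return [mutate(rng.choice(bases), rng) for _ in range(count)]


def send_case(sock, case, timeout=2.0):
    """Send one message to the relay; return the MS reply bytes, or None on timeout."""
    sock.settimeout(timeout)
    sock.sendto(case, (HOST, PORT))
    try:
        data, _ = sock.recvfrom(4096)
        return data
    except socket.timeout:
        return None


def main(seed=1, count=200, silent_limit=3):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent = 0
    for i, case in enumerate(generate_cases(seed, count)):
        reply = send_case(sock, case)
        print("%04d %-40s -> %s" % (i, case.hex(), reply.hex() if reply else "no reply"))
        silent = silent + 1 if reply is None else 0
        if silent >= silent_limit:
            print("MS stopped responding; replay with seed=%d from case %d"
                  % (seed, i - silent_limit + 1))
            break
    sock.close()


if __name__ == "__main__":
    main(int(sys.argv[1]) if len(sys.argv) > 1 else 1)
```

The corpus is seeded on purpose: when the phone drops off the network, the printed seed and case index are enough to regenerate the exact datagrams that preceded it, which is the part of baseband fuzzing that matters more than raw throughput.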