It started as a small challenge. “I challenge you to make a Base-Station image for embedded devices,” my friend Simone dared me, and I decided he was right: it was time for a BladeRF base-station image targeting the armhf architecture. While googling the subject, I found others struggling with the same problems I had, and I also found some developers asking “why even do it [compile a BTS for embedded]?” My answer to those developers is:
(a) Because we can!
(b) Today’s embedded devices are more powerful than yesterday’s BTS. We have quad-core ARM devices with 8GB of RAM, perfectly suitable for running a base-station.
(c) HackRF, BladeRF, USRP and similar RF gadgets are the perfect combo for embedded systems, and osmo-trx in particular is specifically crafted for ARM devices.
Starting the build process, I initially went with those two tutorials and followed all the steps, including compiling uhd, just for the fun of it (even on a 32-CPU machine it is time consuming). I got everything working, but the image size grew to a monstrous 3GB. I then made a separate image with the binaries only, which was a more reasonable 1.3GB. But then I decided to do it the right way: make a Debian package for each project, and build myself a really tiny image using debootstrap and my packages. Coming from Arch Linux, I’m not a big fan of Debian packaging, so there is still plenty of room for improvement. Once I had packaged everything, I ended up with an armhf image I can chroot into from most of my ARM-based devices, and enjoy running Asterisk, OpenBTS, Yate and YateBTS with my HackRF or BladeRF from a mobile device. Here is how you can do it yourself in 2 steps:
1. Set up an ARM build system and prepare debian packages & repository for armhf architecture.
get the sources needed to build the armhf packages, including the armhf-specific patches (removing google-coredumper, for example)
git clone https://github.com/z4ziggy/zebts.git
we fetch the sources on the host system, since chroot/qemu-arm has some weird networking issues (among others)
./build.sh get_src
create a 20GB ext2 image and install Debian sid on it
mkdir -p mnt
dd if=/dev/zero of=zebts.build.img seek=20G bs=1 count=0
mke2fs -F zebts.build.img
mount -o loop zebts.build.img mnt
qemu-debootstrap --no-check-gpg --arch=armhf sid mnt ftp://ftp.debian.org/debian/
copy needed files to chroot’ed system and unmount
cp pkg.lst mnt/root
cp -a src mnt/root
mkdir mnt/root/debs
umount mnt
chroot the build system and install build dependencies
./chroot.sh zebts.build.img
# the following commands run inside the chroot
echo -e "deb http://ftp.debian.org/debian sid main\ndeb-src http://ftp.debian.org/debian sid main\n" > /etc/apt/sources.list
apt-get update
apt-get install $(cat /root/pkg.lst)
build the Debian packages in a specific order (each depends on the ones before it) and install them – this WILL take a few hours
cd /root/src
for d in bladeRF hackrf liba53 airspy osmo-trx yate yatebts openbts smqueue smqueue/SR; do
    (cd "$d" && dpkg-buildpackage -b -j32 && dpkg -i ../*.deb && mv ../*.deb /root/debs)
done
exit
you might have a few left-over processes hanging on your mount; we can safely kill them and unmount
lsof -t mnt/ | xargs kill -9
umount mnt{/dev,}
prepare a Debian repository from the built packages
mkdir -p debs
mount -o loop zebts.build.img mnt
(cd mnt/root/debs && dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz)
cp mnt/root/debs/* debs/
umount mnt
2. Set up a minimal embedded BTS image
create a tiny 1GB ext2 image and install Debian sid on it
dd if=/dev/zero of=zebts.tiny.img seek=1G bs=1 count=0
mke2fs -F zebts.tiny.img
mount -o loop zebts.tiny.img mnt
qemu-debootstrap --no-check-gpg --arch=armhf sid mnt ftp://ftp.debian.org/debian/
bind-mount the debs/ directory into the image, where the chroot will see it as /mnt
mount -o bind debs mnt/mnt
chroot the tiny image, install our packages from the local repository and clean up
./chroot.sh zebts.tiny.img
# the following commands run inside the chroot
echo -e "deb http://ftp.debian.org/debian sid main\ndeb-src http://ftp.debian.org/debian sid main\n" > /etc/apt/sources.list
echo -e "deb file:/mnt ./\n" >> /etc/apt/sources.list
apt-get update
apt-get install airspy bladerf bladerf-firmware-fx3 bladerf-fpga-hostedx115 bladerf-fpga-hostedx40 hackrf liba53 openbts osmo-trx smqueue yate yatebts sipauthserve asterisk
apt-get clean
exit
you will have a few left-over processes hanging on your mount; we can safely kill them and unmount
lsof -t mnt/ | xargs kill -9
umount mnt{/mnt,/dev,}
shrink the image to its minimum size
resize2fs -M zebts.tiny.img
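The tiny image installs from the debs/ directory over an unsigned file:/ source, so nothing in the steps above checks that the .deb files on disk still match the Packages index dpkg-scanpackages wrote. Below is an added example of mine, not code from the original post, that parses such an index and reports which packages are intact, altered or missing; the repository directory and package names are constructed for the demo.

```python
import hashlib
import os
import tempfile

def parse_packages(text):
    """Parse a Debian Packages index: stanzas separated by blank lines, 'Field: value' per line."""
    stanzas, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
                cur = {}
        elif line[0] in " \t":
            continue  # continuation line of a multi-line field (e.g. Description); not needed here
        else:
            field, _, value = line.partition(":")
            cur[field.strip()] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas

def verify_repo(repo_dir, packages_text):
    """Map each Filename in the index to 'ok', 'missing' or 'sha256' (digest mismatch)."""
    results = {}
    for st in parse_packages(packages_text):
        name, expected = st["Filename"], st["SHA256"].lower()
        path = os.path.join(repo_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        results[name] = "ok" if digest == expected else "sha256"
    return results

def demo():
    """Constructed repo: one intact .deb, one altered after the index was built, one deleted."""
    repo = tempfile.mkdtemp()
    body = b"constructed stand-in for a real .deb archive"
    index = ""
    for pkg, on_disk in (("openbts", body), ("yate", body + b"!"), ("smqueue", None)):
        fname = f"./{pkg}_1_armhf.deb"  # dpkg-scanpackages . writes Filename as ./<deb>
        if on_disk is not None:
            with open(os.path.join(repo, fname), "wb") as f:
                f.write(on_disk)
        index += f"Package: {pkg}\nFilename: {fname}\nSHA256: {hashlib.sha256(body).hexdigest()}\n\n"
    return verify_repo(repo, index)
```

Run verify_repo against debs/ and the decompressed Packages.gz before the apt-get install step; any entry that is not "ok" means the index no longer describes what apt will unpack.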
That’s it. To test your new tiny ARM image, use
./chroot.sh zebts.tiny.img
You can download my own tiny image from here, but I have to warn you: I will keep it updated only as long as I’m using it, which might not be long. For historical reasons, you can still use the old method of compiling everything yourself (including uhd, gnuradio, openbts, etc.) using the build.sh script.
Hello, did you run openbts on mobile (android)?
And is it able to connect a phone to it?
I made an ARM image which I’ve chroot’ed.
The android was connected to the bladerf via GTA cable with power extension.
And I only tested SMS, but calls should be working also with proper APN configuration.
Well, thanks for the ARM image.
How about speed?
Will it hang?
How much does it cost?
Running from android (ARM) will provide you decent performance with several connections. Try it for yourself to see if it hangs, and regarding costs, google for your desired hw.
And I want to know about rtl sdr-like things.
Is rtl sdr able to capture gsm uplink?
Some can, some can’t, depends on the SDR itself. Again, google is your best friend 😉
1. Is there any GUI in android, or will it show connected device info?
2. Are calls working?
3.
No GUI, all textual/cli, and calls/sms are working.
Working with this kind of stuff is still a bit techie, but lots of fun 😉
Can I just install this on a laptop and just use a GSM or 3G/4G adapter/dongle? Or something like that? I understand it won’t be as good, but could it work just at home, perhaps testing it on my neighbours and so?
And is it possible to use it for Wifi as well? Either just Wifi signals, or with a GSM/3G adapter for connecting to the GSM network and then connecting with my phone via Wifi? And if just Wifi, can I use it to spoof Wifi connections, or as a man in the middle attack? So they connect to my “Node” through a tunnel where I can sniff all the data?
This is obsolete. Please refer to https://www.evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/ for more up-to-date info.
And WIFI MiTM is outside the scope of this article. I suggest googling for this.