GSM SMS Base Station Experiment Based on OpenBTS

Ner0p1r

2023-02-21

Research

HAM, Hardware

For learning and communication purposes only! Any illegal use of this technology is strictly prohibited! Violators will be held responsible for the consequences!
The setup tutorial is omitted (you can find a lot of them online). This is a long post, and I will slowly fill it in later. Since I’m not a communications major, please forgive any shortcomings.

Pre

Ubuntu 20.04.03 (LTS)
a53
osmocom-bb
- Need to configure arm cross compilation environment
libosmocore
libosmo-dsp
libtalloc-dev (lib talloc)
OpenBTS 2.8p

For more information about the osmocom-bb branch, see Branches - OsmocomBB - Open Source Mobile Communications

I choose sylvain/testing

It is possible to turn Calypso based phone into a small BTS. The transceiver application and corresponding firmware should be used in OpenBTS or OsmoBTS setup. See CalypsoBTS for details.

Dependencies required by osmocom-bb

libtalloc-dev libtirpc-dev libfftw3-3 libfftw3-dev libfftw3-doc autoconf libtool libosip2-dev libortp-dev libusb-1.0-0-dev g++ sqlite3 libsqlite3-dev erlang libreadline6-dev libncurses5-dev libtool shtool autoconf git-core pkg-config make gcc libpcsclite-dev gnutls-dev libmnl-dev libsctp-dev

If the following error occurs

/root/gsm_openbts/osmocom-bb/src/target/firmware/include/stdint.h:32:23: error: conflicting types for ‘int64_t’    32 | typedef long long int int64_t;       |                       ^~~~~~~ In file included from /usr/include/stdint.h:34,                  from /usr/lib/gcc/x86_64-linux-gnu/9/include/stdint.h:9,                  from /root/gsm_openbts/osmocom-bb/src/target/firmware/include/stdint.h:19,                  from ../../include/osmocom/core/signal.h:4,                  from ../../src/signal.c:21: /usr/include/x86_64-linux-gnu/bits/stdint-intn.h:27:19: note: previous declaration of ‘int64_t’ was here    27 | typedef __int64_t int64_t;       |                   ^~~~~~~ In file included from ../../include/osmocom/core/signal.h:4,                  from ../../src/signal.c:21: /root/gsm_openbts/osmocom-bb/src/target/firmware/include/stdint.h:33:32: error: conflicting types for ‘uint64_t’

Open osmocom-bb/src/target/firmware/include/stdint.h and modify it as shown below.

After making the modifications, run ./configure and then make .

Specifically, set up an ARM cross-compilation environment, compile libosmocore and libosmo-dsp, and then build OpenBTS.

Simply put, a fake base station uses a black market device to simulate the signal of a nearby base station. By hijacking information such as the IMEI (International Mobile Subscriber Identity), criminals can then launch a series of attacks using the phone’s IMEI.

Enabling BTS to support Chinese messaging

Refer to Axelle Apvrille’s paper “OpenBTS for Dummies”

OpenBTS does not support sending Chinese characters by default. Forcing it to do so will result in garbled text.

If you want OpenBTS to send Chinese, you must modify the source code yourself, open the file /OpenBTS/CLI/CLI.cpp, add

https://github.com/fairwaves/openbts-2.8/commit/faf14b0e9ad4673b64d28e2038bdab90d69fcefb

/** Submit an SMS for delivery to an IMSI. */
int sendsmspdu(int argc, char** argv, ostream& os)
{
	if (argc<4) return BAD_NUM_ARGS;

	char *IMSI = argv[1];
	char *srcAddr = argv[2];
	string rest = "";
	for (int i=3; i<argc; i++) rest = rest + argv[i]; //+ " ";
	const char *txtBuf = rest.c_str();

	if (!isIMSI(IMSI)) {
		os << "Invalid IMSI. Enter 15 digits only."; return BAD_VALUE; } Control::TransactionEntry *transaction = new Control::TransactionEntry( gConfig.getStr("SIP.Proxy.SMS").c_str(), GSM::L3MobileIdentity(IMSI), NULL, GSM::L3CMServiceType::MobileTerminatedShortMessage, GSM::L3CallingPartyBCDNumber(srcAddr), GSM::Paging, txtBuf); transaction->messageType("application/vnd.3gpp.sms");
	Control::initiateMTTransaction(transaction,GSM::SDCCHType,30000);
	os << "message submitted for delivery" << endl;
	return SUCCESS;
}

and

1	addCommand("sendsmspdu", sendsmspdu, "IMSI src# PDU message... -- send PDU SMS to IMSI, addressed from source number src#.");

Then just write a simple pdu script, you can refer to python-smspdu for modification

This sends an SMS to IMSI 208304424439206, from 24567, with text ”Test”.
Finally, it is also possible to have phone send SMS to each other:

Register the phone. This step must be done if you get this error in smqueue logs (and the corresponding
SMS on your phone):

How to Defend

If you notice your phone is being throttled, immediately turn off your mobile network. If the network shows OpenBTS or GSM (G network), change your environment and reconnect to a nearby base station.
Enable 2FA

Forensic Analysis of Legacy Logs

样本名：2016.log

MD5：61aa4478bb128f8ea6736e09f26c4f24

Size: 538 MB (564,635,221 Bytes)

Sample data

Jun  4 06:25:23 ubuntu openbts: INFO 3075847888 OpenBTS.cpp:483:main: received command "addsms 1401834316 10651086117 0101111001111000011110011000111101010001011101100101101110011110010111111000100001111011100000000101001101010101111111110001101001010011111000110110111000110100010011101000011001010101100111010110011101101111011011000011010001101101101001100110110110100110010101011000100111111111000011000111000011100110011000000111110001100101111101100101010000101100010101000010110010010111111100110100111001010000100011110111101110001111011110110110011101111110111111110000110001110101101100100101000000100110011001011111011001010111001010000110100100000101010011100000101001100010010100110100111000101010011101101111100111111111000011000101101110001001100101110101100110010001110011000110001011111111100011010111011101100010010010110110011100111010010100111101000101100111011000010111011111101101010011111110000101100011110100001001000110010010010011110110000011111111000110100101100100101001010011101010111001001110100001101111111100001100010110010111110110001101011101110101111010001010010011101000011011111111000000010111100101011101010011110110000001101011110011110101100100101001010110010111110101011111110000110110000011000101" from

Based on the encryption code of the system publicly available online, reverse engineer the decryption script.

<?php
function decode($s)
{
    $l = strlen($s);
    if ($l % 16 != 0)
        return '';
    $s = str_base_convert($s, 2, 16);
    $s = hex2bin($s);
    $s = mb_convert_encoding($s, 'UTF-8', 'UCS-2');
    return $s;
}

Sample #1

0101111001111000011110011000111101010001011101100101101110011110010111111000100001111011100000000101001101010101111111110001101001010011111000110110111000110100010011101000011001010101100111010110011101101111011011000011010001101101101001100110110110100110010101011000100111111111000011000111000011100110011000000111110001100101111101100101010000101100010101000010110010010111111100110100111001010000100011110111101110001111011110110110011101111110111111110000110001110101101100100101000000100110011001011111011001010111001010000110100100000101010011100000101001100010010100110100111000101010011101101111100111111111000011000101101110001001100101110101100110010001110011000110001011111111100011010111011101100010010010110110011100111010010100111101000101100111011000010111011111101101010011111110000101100011110100001001000110010010010011110110000011111111000110100101100100101001010011101010111001001110100001101111111100001100010110010111110110001101011101110101111010001010010011101000011011111111000000010111100101011101010011110110000001101011110011110101100100101001010110010111110101011111110000110110000011000101

decrypt

幸福其实很简单：口渴了喝杯水润润喉，烦恼时听听音乐轻轻松，疲倦时在椅上打个盹，安静里拿起手机发条短信提醒你：天亮了，好起床了！祝你每天好心情

Sample #2

1000110110000101010111100000001001100101001101101001010011110110011111001111101101111110110111111111111100001100100010011110011001011100010011111001100100010000100110010110111001110000101110011000001111011100011111001111101101111110110111111111111100001100011101010001110001010100110000010101100101110110100000110011011001100101001101101001010011110110100010111011111001011001000001111111111100001100011001110000100101010001011100110110010100110110100101001111011001110110100001001001010111101110100110001001100001101011001000101000111111001110010101001010100010001011111000100110010100110110100101001111011001001110000100110101101110110110000000000011000100000000001101010000000000110110000000000011000000000000001101010000000000111000000000000011100000000000001110000000000000110101000000000011001000000000001100010101000101101000010110010101011110001011101111100101100100000111010100011110110101110111111011010100111111100001011100100111100101001110111101110000000000110010000000000011011000000000001100000000000000110000010101000010101110001111110110111001010100000000010110110101100001111011101000010111010000000110

decrypt

超市收银系统，触屏餐饮点菜系统，甜品奶茶收银设备，有关收银的问题欢迎咨询收银专家156***521（已码）全套设备凭短信特价2600含进销存管理

Sample #3

decrypt

超市收银系统，触屏餐饮点菜系统，甜品奶茶收银设备，有关收银的问题欢迎咨询收银专家156***21全套设备凭短信特价2600含进销存管理

Sample #4

01110101000111110101010001111101010110011000001001101100101100111111111100001100011101010010100001011111111010110100111001010000011001000100011001101110001000011111111100011011010011101011101001110101000111110101100110000010011010110100110011111111000011000111010100101000011010001010011001100000111100110101010000011111010101010011000111111111000110110110010111100101010110110101000001011001100000100101110001110001111111110000110001110101001010000101001010101010010100101001101101100101000000000111011001111011111111110001101101011100100000010110011100001000010110011000001001100010000011111111111100001100011101010010100001110111000111110101111111000011011011110001010001111110110011101111111100011011011000100001000001010010100111110101100110000010010100010100100111111111000011000111010100101000010011101101100001010001111110101001000111000111011001000101100011111111000110110101001111001011011000001100010101011001100000100110100000010001111111110000110001110101001010000111011100011111100010111101101001010100011101010110001010100100001100000000001001011110001110000110000001101000011001110000100001101110111000010101001000011001010011101000111110000010101100010110111011100001010100100001100101010001110010111111111100001100010011110101010101011111110001010101100100101010100011111100011110001011101000011000111110000011001100000000001001110101001010000101011101100110100000110110000101110110100001000101111111000011111111110000110010001101011100000101111001111000011110011000111101110110100001001000110111101111111111110000110001100001001111110100111101100000010111111110101101001110010100000110001111100001010101110010100001100010010010111111111100001100010110010111110110001111110100001000111010101011100011111011100101110101010110011111111100001100010111100111100001111001100011110111011011111000010011110011010010001101011100001111111100000001

decrypt

生命如河，用快乐摆渡；人生如歌，用梦想吟唱；日子如山，用努力攀登；岁月如戏，用真心演绎；成功如光，用付出采摘；友情如树，用真诚呵护。常恨月满则亏花满则凋，何必太过计较。用坦荡的心，走幸福的路，愿你快乐握在手，好运身边留，幸福相伴走！

Sample #5

01110011110011010110000011011100010011101000011011111111000011001000000011111101011000101110010101100111000010011111111100011011010011101101100001010001111110100100111010000110111111110000110001100111000010010101011011011110011000101010010111111111000110111000110101110000100011111100011101001110100001101111111100001100010011100000110101010100000011100110000010010100001100000000001001100111000010110101001111001011111111110000110001100001001111110100111101100000100011010111000001011001011111010111010100011111010101000111110101110110100001000110101111001111010011100000000001101011011001011111111100001100010111100111100001111001100011110101111111101011010011100101000001101011110011110100111000000000010110010010100111111111000000010100111000001101011001100010111101101011110011111000111101101110100000100111001110010110001100111001000011111101011001101001011001001110101110101111111100001100010011100000110101100110001011110110101111001111011100100100011101001110010011000100111010010001100100001111110101001110000010111001011011101000111111110000110001100101111000100111000100110110010100011011001101011011100110100100111000001101010011101000011001010100011111011000111111010000011101101000010001010011101110110101010000010001111111110000110010010000101000110101110000110001100011100000111110001110000011110101101110011110010110111001111001010111001100001000110101110000010110010111110101101011110011110100111000000000010110010010100111111111000011001000101111110111011101101111100001001111111000011111111100011010011000100001000101110110100001000111100101011101011110011000111101100110001011110110011100000000011101110001111101110110100001001111111100000001

decrypt

珍惜了，能拥有；付出了，有回报；走过了，不后悔。朋友，愿你走好生命的每一步，幸福快乐每一天！不是每轮艳阳都暖人，不是每片乌云都下雨，既然决定不了命运的去向，那就踏踏实实地走好每一天，请相信：我的祝福是最真的！

Sample #6

10001011110110100100111010100100010100110101010110001110101010110101100101110011010110001110101111111111000011000000000000110010000000000011000000000000001011010000000000110011000000000011010101011100100000011111111100001100000000000101000100000000010100010000000000110011000000000011001000000000001101100000000000110101000000000011100100000000001110000000000000111000000000000011100100000000001101100000000000100000

decrypt

诚交单身女士，20-35岁，QQ3*****

Sample #7

010011101100101001011001001010011001011000110101100101101110100000000000001000000000000000110010000000000011000111111111010111100000000000110010000000000011100000100001000000111111111100001100100110001100111001010010100110111111111100011010100010010111111101010011010101111001100011001110000000000011001001111110101001111111111100001100011011100111111101011110101001101111111100011010000000000011100100000000001100000000000000100101111111110000110010010110010011010110110000110100011010011000001001110011100001111111111100011010000000000011011100000000001100000000000000100101001100000000001001100110000011100101100100101001010011100010110110010110111010001111111100001100000000000011001000000000001100100000000000101101000000000011001000000000001101010010000100000011100110001100111001010010100110111111111100011010010011100001110001010011010101111001100011001110010111111010111010011000110011100000000000100000

decrypt

今天阵雨 21～28℃，风力：西南风2级，湿度：90%，降水概率：70%。明天中雨，22-25℃风力：东南风微风

Pre

How to Defend

Forensic Analysis of Legacy Logs

Sample #1

Sample #2

Sample #3

Sample #4

Sample #5

Sample #6

Sample #7

Reference