DragonOS Focal Adding GSM BTS calls + testing Rogue BTS (LimeSDR mini, HackRF, Osmo-NITB)
In this video I show how to setup DragonOS Focal and Osmo-mgw for voice calls. Config file contents are pasted at the bottom of this page.
I also show how to use kalibrate for the HackRF to locate the GSM BTS channel followed by gr-gsm livemon and Wireshark to look at the actual GSM data going across the loopback device.
I then show some testing of a rogue BTS that allows automatic interaction with attached phones using Osmo-NITB and Osmo-nitb-scripts, all of which I plan to include in a future DragonOS related release.
Hardware:
– LimeSDR Mini
– HackRF
– Samsung Galaxy 3
– Samsung Galaxy 4
Topics covered:
– Setting up the Osmo-mgw and related tools for GSM voice calls
– Using Kal and the HackRF
– Using gr-gsm and the HackRF
– Setting up Osmo-NITB and the RougeBTS scrips
Tools:
– https://osmocom.org/projects/osmobsc/wiki
– https://github.com/scateu/kalibrate-hackrf
– https://github.com/velichkov/gr-gsm
– https://github.com/DrLafa/osmo-nitb-scripts
Twitter: @cemaxecuter
This video demonstration is for instructional/training purposes only. If you duplicate this you the user assume full responsibly and liability to clear your radio operation with local and federal agencies and guidelines.
*Osmo-mgw config content as shown in the video
mgcp
bind ip 127.0.0.1
rtp port-range 4002 16000
rtp bind-ip 127.0.0.1
rtp ip-probing
rtp ip-tos 184
bind port 2427
sdp audio payload number 98
sdp audio payload name GSM
number endpoints 31
loop 0
force-realloc 1
rtcp-omit
rtp-patch ssrc
rtp-patch timestamp
Views : 5060
GSM
