Wiki:
https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5_--_unicornteam
https://cn0xroot.com/2017/04/11/getting-started-with-3g-ip-access-nano3gopenbscosmocom-bb-part-1/
Switch the apt sources to the USTC mirror in China:
sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak
sudo vim /etc/apt/sources.list

    # The source-package (deb-src) mirrors are commented out by default to speed up apt update; uncomment them if you need them
    deb https://mirrors.ustc.edu.cn/ubuntu/ xenial main restricted universe multiverse
    # deb-src https://mirrors.ustc.edu.cn/ubuntu/ xenial main restricted universe multiverse
    deb https://mirrors.ustc.edu.cn/ubuntu/ xenial-updates main restricted universe multiverse
    # deb-src https://mirrors.ustc.edu.cn/ubuntu/ xenial-updates main restricted universe multiverse
    deb https://mirrors.ustc.edu.cn/ubuntu/ xenial-backports main restricted universe multiverse
    # deb-src https://mirrors.ustc.edu.cn/ubuntu/ xenial-backports main restricted universe multiverse
    deb https://mirrors.ustc.edu.cn/ubuntu/ xenial-security main restricted universe multiverse
    # deb-src https://mirrors.ustc.edu.cn/ubuntu/ xenial-security main restricted universe multiverse

Install the dependencies:
sudo apt-get install git libghc-gnutls-dev build-essential gcc g++ make automake autoconf libtool pkg-config libtalloc-dev libpcsclite-dev libortp-dev libsctp-dev libssl-dev libdbi-dev libdbd-sqlite3 libsqlite3-dev libpcap-dev libc-ares-dev sqlite3
wget http://download-mirror.savannah.gnu.org/releases/linphone/ortp/sources/ortp-0.22.0.tar.gz
tar -xvf ortp-0.22.0.tar.gz
cd ortp-0.22.0/
./configure
make
sudo make install
sudo ldconfig
Download the build scripts:
wget https://osmocom.org/attachments/download/2726/3G-config-example.tar
tar -xvf 3G-config-example.tar
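Download the Osmocom code from before July 2017: osmocom_build 2017
After extracting it, run the clone and build steps in the build directory to compile the 2017 version of the code.
To use the latest code instead, see https://osmocom.org/projects/cellular-infrastructure/wiki/Osmocom_Network_In_The_Box
Finally, install the rxvt-unicode terminal: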
sudo apt-get install rxvt-unicode
Find the IP address of the ip.access nano3G
cd openbsc/openbsc/src/ipaccess
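sudo ./abisip-find <network interface name>
abisip-find sends a broadcast packet on the current network segment; when the ip.access nano3G receives it, the device responds and returns its own IP address.
Edit the configuration files in the run directory:
Network layout:
Ubuntu ens33 interface IP: 192.168.99.234
ip.access nano3G: 192.168.99.163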
run.sh
dev = network interface name (for example ens33 in a virtual machine)
addr: change it to the Ubuntu NAT-mapped IP
run.sh configuration example:

    #!/usr/bin/env bash
    #enable_tcpdump=yes

    dev=ens33

    # If you'd like to get rid of all SMS still pending from a previous run:
    #sqlite3 sms.db "delete from sms"

    addr="192.168.99.8"
    if [ -z "$(ip a | fgrep "$addr/32")" ]; then
      echo "sudo ip addr add $addr/32 dev $dev"
      sudo ip addr add $addr/32 dev $dev
      sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
      sudo iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE
    fi

    logdir="current_log"
    mkdir -p "$logdir"

    term() {
      title="$2"
      if [ -z "$title" ]; then
        title="$(basename $@)"
      fi
      exec urxvt -title "CN:$title" -e sh -c "export LD_LIBRARY_PATH='/usr/local/lib'; $1; echo; while true; do echo 'q Enter to close'; read q_to_close; if [ \"x\$q_to_close\" = xq ]; then break; fi; done"
    }

    if [ -n "$enable_tcpdump" ]; then
      sudo tcpdump -i eth0 -n -w current_log/eth0.single.pcap -U not port 22 &
      sudo tcpdump -i lo -n -w current_log/lo.single.pcap -U not port 22 &
    fi

    hnbgw="osmo-hnbgw"
    msc="osmo-msc"
    sgsn="osmo-sgsn -c osmo-sgsn.cfg"
    ggsn="sudo LD_LIBRARY_PATH=/usr/local/lib ggsn -f -c ggsn.conf --statedir=$PWD"
    mgcp="osmo-bsc_mgcp -c mgcp.cfg"
    hlr="LD_LIBRARY_PATH=/usr/local/lib osmo-hlr -c osmo-hlr.cfg"

    term "$ggsn" GGSN &
    sleep .2
    term "$hlr" HLR &
    sleep .2
    term "$sgsn" SGSN &
    sleep .2
    term "$mgcp" MGCP &
    sleep .2
    term "$msc" MSC &
    sleep 2
    term "$hnbgw" HNBGW &

    #echo enter to send MT SMS
    #read enter_to_send
    #echo subscriber id 2 sms sender id 1 send testsmstext | nc -x localhost 4254

    echo enter to close
    read enter_to_close

    if [ -n "$enable_tcpdump" ]; then
      kill %1 %2 %3 %4 %5 %6 %7 %8
    else
      kill %1 %2 %3 %4 %5 %6
    fi

    killall osmo-msc
    killall osmo-sgsn
    killall osmo-hnbgw
    killall osmo-bsc_mgcp
    killall osmo-hlr

    if [ -n "$enable_tcpdump" ]; then
      sudo killall tcpdump
    fi

    set +e
    cp \
      ggsn.conf \
      osmo-msc.cfg \
      osmo-sgsn.cfg \
      mgcp.cfg \
      osmo-hnbgw.cfg \
      osmo-hlr.cfg \
      "$logdir"

    echo
    echo enter name to save log
    read log_name
    if [ -n "$log_name" ]; then
      mkdir -p log
      newlogdir="log/$log_name"
    else
      mkdir -p autolog
      newlogdir="autolog/log_$(date +%Y-%m-%d_%H-%M-%S)"
    fi

    if [ -n "$enable_tcpdump" ]; then
      mergecap -w "$logdir/trace.pcap" "$logdir/"*.single.pcap
      #rm "$logdir/"*.single.pcap
    fi

    if [ -x "$newlogdir" ]; then
      echo "already exists, move it manually: $newlogdir"
    else
      echo mv "$logdir" "$newlogdir"
      mv "$logdir" "$newlogdir"
      mkdir -p "$logdir"
      logdir="$newlogdir"
    fi

    if [ -e lastlog ]; then
      rm lastlog
    fi
    ln -s "$logdir" lastlog

ggsn.conf:
Original configuration file:

    # TAG: listen
    # Specifies the local IP address to listen to
    listen 192.168.0.133

    #TAG:net
    net 192.168.42.0/24

Change the listen IP to the NAT-mapped IP address of the Ubuntu interface (the IP set in the run script); the subnet for the UE (the handset) can be changed to 192.168.88.0/24:

    # TAG: listen
    # Specifies the local IP address to listen to
    listen 192.168.99.8

    #TAG:net
    net 192.168.88.0/24

mgcp.cfg

    log stderr
     logging print extended-timestamp 1
     logging level all debug
     logging filter all 1
    log file current_log/mgcp.log
     logging filter all 1
     logging color 1
     logging print category 1
     logging timestamp 1
     logging print extended-timestamp 1
     logging level all debug
    mgcp
     local ip 192.168.0.132
     bind ip 192.168.0.132
     bind port 2427
     rtp base 4000
     rtp force-ptime 20
     sdp audio payload number 98
     sdp audio payload name AMR/8000
     number endpoints 31
     no rtcp-omit
     ! Accepting RTP streams from any base station. To limit RTP streams to one
     ! specific base station, use:
     !bts ip 192.168.0.124

Change local ip and bind ip to the Ubuntu IP address, and the BTS IP to the IP of the ip.access nano3G:

     local ip 192.168.99.234
     bind ip 192.168.99.234
     !bts ip 192.168.99.163

osmo-hnbgw.cfg

    log file current_log/hnbgw.log
     logging filter all 1
     logging color 1
     logging print category 1
     logging timestamp 1
     logging print extended-timestamp 1
     logging level all debug
    hnbgw
     iuh
      local-ip 192.168.0.132
      hnbap-allow-tmsi 1

Change local-ip to the Ubuntu IP:

      local-ip 192.168.99.234

osmo-msc.cfg

    !
    ! OpenMSC configuration saved from vty
    !
    password foo
    !
    line vty
     no login
    !
    network
     network country code 901
     mobile network code 98
     short name OsmoMSC
     long name OsmoMSC
     auth policy closed
     location updating reject cause 13
     encryption a5 0
     rrlp mode none
     mm info 1
    ! handover 0
    ! handover window rxlev averaging 10
    ! handover window rxqual averaging 1
    ! handover window rxlev neighbor averaging 10
    ! handover power budget interval 6
    ! handover power budget hysteresis 3
    ! handover maximum distance 9999
    ! timer t3101 10
    ! timer t3103 0
    ! timer t3105 0
    ! timer t3107 0
    ! timer t3109 4
    ! timer t3111 0
    ! timer t3113 60
    ! timer t3115 0
    ! timer t3117 0
    ! timer t3119 0
    ! timer t3141 0
    msc
     mgcpgw remote-ip 192.168.0.132
    ! iu rab-assign-addr-enc v4raw
    ! no assign-tmsi
    log stderr
     logging print extended-timestamp 1
     logging level all debug
     logging filter all 1
     logging print category 1
    log file current_log/msc.log
     logging filter all 1
     logging color 1
     logging print category 1
     logging timestamp 1
     logging print extended-timestamp 1
     logging level all debug

Change the MCC and MNC to 901 and 70, and set mgcpgw to the Ubuntu IP:

     network country code 901
     mobile network code 70
     mgcpgw remote-ip 192.168.99.234

osmo-sgsn.cfg

    !
    ! Osmocom SGSN configuration
    !
    !
    line vty
     no login
    !
    sgsn
     gtp local-ip 192.168.0.132
     ggsn 0 remote-ip 192.168.0.133
     !auth-policy accept-all
     auth-policy remote
     gsup remote-ip 127.0.0.1
     gsup remote-port 2222
    ! iu rab-assign-addr-enc v4raw
    !
    ns
     timer tns-block 3
     timer tns-block-retries 3
     timer tns-reset 3
     timer tns-reset-retries 3
     timer tns-test 30
     timer tns-alive 3
     timer tns-alive-retries 10
     encapsulation udp local-ip 127.0.0.1
     encapsulation udp local-port 23000
     encapsulation framerelay-gre enabled 0
    !
    bssgp
    !
    log stderr
     logging print extended-timestamp 1
     logging level all debug
     logging filter all 1
    log file current_log/sgsn.log
     logging filter all 1
     logging color 1
     logging print category 1
     logging timestamp 1
     logging print extended-timestamp 1
     logging level all debug

Change gtp local-ip to the Ubuntu IP and the ggsn remote-ip to the Ubuntu NAT-mapped IP:

     gtp local-ip 192.168.99.234
     ggsn 0 remote-ip 192.168.99.8

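The edits above touch six files, and a single leftover 192.168.0.x default keeps one core-network element from reaching the others. The following check is an added example, not part of the original post or of Osmocom; it assumes the two addresses from this page's network layout and that it is pointed at the run directory (the function names and the sample files in `demo()` are constructed for illustration).

```python
import re
import tempfile
from pathlib import Path

# Addresses taken from this page's network layout.
UBUNTU_IP = "192.168.99.234"  # address of ens33
NAT_IP = "192.168.99.8"       # addr= in run.sh, added as an extra /32
# (file, regex capturing the configured address, expected address)
RULES = [
    ("run.sh",         r'^addr="([\d.]+)"',                NAT_IP),
    ("ggsn.conf",      r"^listen\s+([\d.]+)",              NAT_IP),
    ("mgcp.cfg",       r"^\s*local ip\s+([\d.]+)",         UBUNTU_IP),
    ("mgcp.cfg",       r"^\s*bind ip\s+([\d.]+)",          UBUNTU_IP),
    ("osmo-hnbgw.cfg", r"^\s*local-ip\s+([\d.]+)",         UBUNTU_IP),
    ("osmo-msc.cfg",   r"^\s*mgcpgw remote-ip\s+([\d.]+)", UBUNTU_IP),
    ("osmo-sgsn.cfg",  r"^\s*gtp local-ip\s+([\d.]+)",     UBUNTU_IP),
    ("osmo-sgsn.cfg",  r"^\s*ggsn 0 remote-ip\s+([\d.]+)", NAT_IP),
]

def check_run_dir(run_dir, rules=RULES):
    """Return a list of (file, problem); an empty list means consistent."""
    problems = []
    for name, pattern, expected in rules:
        path = Path(run_dir) / name
        if not path.is_file():
            problems.append((name, "file missing"))
            continue
        values = re.findall(pattern, path.read_text(), flags=re.MULTILINE)
        if not values:
            problems.append((name, f"no line matching {pattern}"))
        problems += [(name, f"{v} should be {expected}")
                     for v in values if v != expected]
    return problems

def demo():
    # Constructed sample: mgcp.cfg still carries the shipped "local ip".
    sample = {
        "run.sh": 'dev=ens33\naddr="192.168.99.8"\n',
        "ggsn.conf": "listen 192.168.99.8\nnet 192.168.88.0/24\n",
        "mgcp.cfg": "mgcp\n local ip 192.168.0.132\n bind ip 192.168.99.234\n",
        "osmo-hnbgw.cfg": "hnbgw\n iuh\n  local-ip 192.168.99.234\n",
        "osmo-msc.cfg": "msc\n mgcpgw remote-ip 192.168.99.234\n",
        "osmo-sgsn.cfg": "sgsn\n gtp local-ip 192.168.99.234\n"
                         " ggsn 0 remote-ip 192.168.99.8\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in sample.items():
            (Path(d) / name).write_text(text)
        return check_run_dir(d)
```

Calling `check_run_dir(".")` from the run directory before starting run.sh lists every file that still needs editing.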
Register subscribers:
See https://osmocom.org/projects/cellular-infrastructure/wiki/Getting_Started_with_3G#Subscriber-Configuration
Once off, the HLR database needs to be created using the file osmo-hlr/sql/hlr.sql:

sqlite3 hlr.db < osmo-hlr/sql/hlr.sql

This hlr.db needs to be found by the osmo-hlr binary — either place it in the current working directory when launching osmo-hlr, or use the osmo-hlr -l my/hlr.db commandline option to pass a specific path.

Update the HLR database to add your IMSIs

$ sqlite3 hlr.db
sqlite> insert into subscriber (imsi, msisdn) values ('901700000099999', '999');
sqlite> select id, imsi from subscriber;
2342|901700000099999
sqlite> insert into auc_3g (subscriber_id, algo_id_3g, k, opc) values (2342, 5, '0102030405060708090a0b0c0d0e0f00', 'f0e0d0c0b0a090807060504030201000');

The numbers (except ‘5’) are freely chosen and will all differ for you:
- 901700000099999: IMSI of your USIM.
- 999: MSISDN, i.e. the subscriber’s telephone number. Your choice.
- 2342: the automatically created subscriber id, probably 1 for you.
- 5: use Milenage. see enum osmo_auth_algo in libosmocore’s crypt/auth.h
- ‘0102030405060708090a0b0c0d0e0f00’: KI, you got it with your USIM
- ‘f0e0d0c0b0a090807060504030201000’: OPC, you got it with your USIM
In the run directory, run:
sudo sqlite3 hlr.db
sqlite> insert into subscriber (imsi, msisdn) values ('901700000014929', '999');
Check that the row was written:
sqlite> select id, imsi from subscriber;
1|901700000014929
The query returns the id 1 together with the IMSI.
sqlite> insert into auc_3g (subscriber_id, algo_id_3g, k, opc) values (1, 5, '265C321361DD2AA305AFC359419DEBCC', 'BA808742C98AC651A5F595F387FF4BA4');
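The two inserts above depend on copying the subscriber id by hand and on plain ASCII quotes around K and OPC. The following is an added example, not part of the original post or of osmo-hlr: it validates one USIM's values, looks the id up itself and writes both rows in one transaction. The function names are hypothetical, and `demo_db()` builds a constructed in-memory table layout holding only the columns this page uses, not the real hlr.sql schema.

```python
import re
import sqlite3

MILENAGE = 5    # algo_id_3g value this page uses for Milenage
PLMN = "90170"  # MCC 901 + MNC 70 as configured on this page

def add_usim(db, imsi, msisdn, k, opc, plmn=PLMN):
    """Validate one USIM's data, insert it, return the subscriber id."""
    if not re.fullmatch(r"\d{6,15}", imsi):
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    if not imsi.startswith(plmn):
        raise ValueError(f"IMSI does not start with PLMN {plmn}")
    for name, value in (("K", k), ("OPC", opc)):
        # Milenage K and OPc are 128 bit, i.e. 32 hex characters;
        # this also rejects values pasted with typographic quotes.
        if not re.fullmatch(r"[0-9a-fA-F]{32}", value):
            raise ValueError(f"{name} must be exactly 32 hex characters")
    with db:  # one transaction: both rows are written, or neither
        db.execute("insert into subscriber (imsi, msisdn) values (?, ?)",
                   (imsi, msisdn))
        (sub_id,) = db.execute("select id from subscriber where imsi = ?",
                               (imsi,)).fetchone()
        db.execute("insert into auc_3g (subscriber_id, algo_id_3g, k, opc) "
                   "values (?, ?, ?, ?)", (sub_id, MILENAGE, k, opc))
    return sub_id

def demo_db():
    """Constructed stand-in for hlr.db with only the columns used here."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table subscriber (id integer primary key,
                                 imsi text unique, msisdn text);
        create table auc_3g (subscriber_id integer primary key,
                             algo_id_3g integer, k text, opc text);
    """)
    return db

if __name__ == "__main__":
    # Values are the ones shown on this page.
    print(add_usim(demo_db(), "901700000014929", "999",
                   "265C321361DD2AA305AFC359419DEBCC",
                   "BA808742C98AC651A5F595F387FF4BA4"))
```

Against the real database, pass `sqlite3.connect("hlr.db")` opened in the run directory instead of `demo_db()`.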
Configure the ip.access nano3G:
telnet 192.168.99.163 8090

    dmi>
    # PLMN Id == MCC + MNC
    set mcc="901"
    set mnc="70"
    # [uarfcnDownlink, 1900 MHz band], [scramblingCode], [dummyCellId]
    set rfParamsCandidateList=({9800, 401, 1})
    # [lac], [rac]
    set lacRacCandidateList=({10422, (99)})
    # hnbGwAddress must be the address osmo-hnbgw listens on (local-ip in osmo-hnbgw.cfg)
    set hnbGwAddress="192.168.99.196"
    action 2061
    action 1216
    action establishPermanentHnbGwConnection
    set csgAccessMode=CSG_ACCESS_MODE_OPEN_ACCESS

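Finally, start the 3G base station with run.sh in the run directory.
Search for the network on the phone.
Capture all of the phone's traffic with Wireshark.
Note: this article is training material from HITB 2018 Beijing.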