[Free] How to Install a Rogue BTS: What you need to know


A rogue BTS is a useful research tool. This article shows how to build one and how to configure the network for security research.

First, let's update the system. I am using Debian Buster on a Raspberry Pi 3 with 1 GB of RAM and a bladeRF xA9.

Step 1 – Requirements

Pack List – build your own rogue GSM network

Raspberry Pi case (listed as an RPI4 case; the build below runs on an RPi 3 with 1 GB of RAM)
BladeRF xA9
BladeRF case
BladeRF antennas (4 x 25)
Power supply
SD card, 128 GB
USB SIM card reader
Blank SIM cards
Unlocked GSM phone
Power bank, 28000 mAh


rfs@offensive-wireless:~ $ sudo su
root@offensive-wireless:/root# apt-get -y update && apt-get -y upgrade
root@offensive-wireless:/root# exit
rfs@offensive-wireless:~ $ uname -a
Linux offensive-wireless 5.10.103-v7+ #1529 SMP Tue Mar 8 12:21:37 GMT 2022 armv7l GNU/Linux

Step 2 – Configure BladeRF for Yate

Install the build dependencies. All of the packages below come from the standard Debian Buster repositories, so no extra apt source is needed:

rfs@offensive-wireless:~ $ sudo apt-get install libusb-1.0-0-dev libusb-1.0-0 build-essential cmake libncurses5-dev libtecla1 libtecla-dev pkg-config git wget doxygen help2man pandoc python-setuptools python-dev swig libccid pcscd pcsc-tools python-pyscard libpcsclite1 unzip firefox-esr xserver-xorg lightdm xfce4 automake matchbox-keyboard iptables-persistent

rfs@offensive-wireless:~ $ sudo apt install libbladerf-dev

Keep in mind that the distro libbladerf-dev is older than the source build done next and lands under /usr rather than /usr/local. After the build, run ldd on /usr/local/bin/bladeRF-cli (or the version command inside bladeRF-cli) to confirm that the /usr/local copy is the one actually in use; a bladeRF 2.0 micro xA9 needs libbladeRF 2.x.

Clone the bladeRF repository from GitHub and change into it:

rfs@offensive-wireless:~ $ git clone https://github.com/Nuand/bladeRF.git
rfs@offensive-wireless:~ $ cd bladeRF

Validate the installed libusb and libusb-dev versions

Both packages must be present and their two Version: lines must match; a mismatched header/library pair is a common source of bladeRF build and runtime problems.

rfs@offensive-wireless:~/bladeRF $ dpkg -s libusb-1.0-0 libusb-1.0-0-dev

rfs@offensive-wireless:~/bladeRF $ cd host/
rfs@offensive-wireless:~/bladeRF/host $ mkdir build
rfs@offensive-wireless:~/bladeRF/host $ cd build
rfs@offensive-wireless:~/bladeRF/host/build $ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local -DINSTALL_UDEV_RULES=ON ../
rfs@offensive-wireless:~/bladeRF/host/build $ sudo addgroup bladerf
rfs@offensive-wireless:~/bladeRF/host/build $ sudo usermod -a -G bladerf rfs
rfs@offensive-wireless:~/bladeRF/host/build $ make && sudo make install && sudo ldconfig
rfs@offensive-wireless:~ $ bladeRF-cli

Group membership only applies to new logins, so log out and back in (or open a new shell with newgrp bladerf) before testing. Also check the GROUP= in the 88-nuand*.rules file that -DINSTALL_UDEV_RULES=ON placed under /etc/udev/rules.d: if it names a different group than bladerf, either add your user to that group or pass -DBLADERF_GROUP=bladerf to cmake so that the rules and the group created above agree; otherwise only root will be able to open the device.


Connect the bladeRF to the Raspberry Pi and verify that it is detected:

rfs@offensive-wireless:~ $ bladeRF-cli -p

  Backend:        libusb
  Serial:         f12ce1037830a1b27f3ceeba1f521413
  USB Bus:        4
  USB Address:    8

rfs@offensive-wireless:~ $ bladeRF-cli -i

bladeRF> help

... (help text shown here) ...

bladeRF> info

  Serial #:                 f12ce1037830a1b27f3ceeba1f521413
  VCTCXO DAC calibration:   0x894e
  FPGA size:                40 KLE
  FPGA loaded:              no
  USB bus:                  2
  USB address:              3
  USB speed:                SuperSpeed
  Backend:                  libusb
  Instance:                 0

bladeRF> version

  bladeRF-cli version:      0.11.0-git-58c3ff4
  libbladeRF version:       0.16.1-git-58c3ff4

  Firmware version:         1.7.1-git-ca697ee
  FPGA version:             Unknown (FPGA not loaded)

Check the FPGA size line against your board. The output above comes from a 40 KLE part (an original bladeRF x40); a bladeRF 2.0 micro xA9 reports 301 KLE and is the board the hostedxA9.rbf image loaded in Step 4 is built for. Likewise, the libbladeRF 0.16 / firmware 1.7 versions shown are from an older bladeRF 1 setup; the xA9 needs libbladeRF 2.x, so expect different numbers. "FPGA loaded: no" is normal at this point.
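Before loading an image in Step 4 it is worth confirming that the board bladeRF-cli sees is the one the .rbf was built for. The following script is an added example, not part of the original article or of Nuand's tools: it parses the info output shown above and compares the reported FPGA size with the image name. The size-to-image mapping follows the file names Nuand ships (hostedx40, hostedx115, hostedxA4, hostedxA9); running the check against a live board assumes bladeRF-cli -e info prints the same fields as the interactive info command.

```shell
#!/bin/sh
# Added example (not from the original article): refuse to load an FPGA image
# built for a different board than the one bladeRF-cli reports.

# Print the FPGA size in KLE found in `info` output read from stdin.
fpga_size_kle() {
    sed -n 's/.*FPGA size:[[:space:]]*\([0-9]\{1,\}\)[[:space:]]*KLE.*/\1/p' | head -n 1
}

# Map a reported FPGA size to the hosted image name for that board.
rbf_for_kle() {
    case "$1" in
        40)  echo hostedx40.rbf ;;
        115) echo hostedx115.rbf ;;
        49)  echo hostedxA4.rbf ;;
        301) echo hostedxA9.rbf ;;
        *)   echo "unrecognised FPGA size: $1 KLE" >&2; return 1 ;;
    esac
}

# $1 = text of the info command, $2 = path of the .rbf you intend to load.
# Returns 0 when they match, 1 (with the reason on stderr) when they do not.
board_matches_rbf() {
    kle=$(printf '%s\n' "$1" | fpga_size_kle)
    if [ -z "$kle" ]; then
        echo "no 'FPGA size' line in info output; is the board connected?" >&2
        return 1
    fi
    want=$(rbf_for_kle "$kle") || return 1
    have=${2##*/}
    if [ "$want" != "$have" ]; then
        echo "board is a $kle KLE part (needs $want) but image is $have" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the info block printed earlier on this page (a 40 KLE board).
SAMPLE_INFO='Serial #: f12ce1037830a1b27f3ceeba1f521413
VCTCXO DAC calibration: 0x894e
FPGA size: 40 KLE
FPGA loaded: no'

# Against a live board, replace SAMPLE_INFO with "$(bladeRF-cli -e info)".
if board_matches_rbf "$SAMPLE_INFO" /usr/share/nuand/bladeRF/hostedxA9.rbf; then
    echo "board and image match; safe to run bladeRF-cli -l"
else
    echo "do not load this image"
fi
```

Run against the sample, the check fails exactly as it should for the output on this page: the reported 40 KLE board needs hostedx40.rbf, not hostedxA9.rbf.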

Step 3 – Install a Rogue BTS for fun and profit

Before installing the packages, create a group for Yate and add our user to it:

rfs@offensive-wireless:~ $ sudo addgroup yate
rfs@offensive-wireless:~ $ sudo usermod -a -G yate rfs

Create a new folder to hold the BTS sources:

rfs@offensive-wireless:~ $ mkdir YateBTS
rfs@offensive-wireless:~ $ cd YateBTS

Download the package Nuand provides for the bladeRF. This step matters: the tarball bundles Yate, YateBTS and the bladeRF FPGA images (.rbf) in versions known to work together, which makes setting up the bladeRF with YateBTS much easier than assembling them yourself.

rfs@offensive-wireless:~/YateBTS $ wget https://nuand.com/downloads/yate-rc-3.tar.gz

Unpack it into the new folder:

rfs@offensive-wireless:~/YateBTS $ tar xvf yate-rc-3.tar.gz

How to Install Yate

rfs@offensive-wireless:~/YateBTS $ sudo mv yate /usr/src
rfs@offensive-wireless:~/YateBTS $ sudo mv yatebts /usr/src
rfs@offensive-wireless:~/YateBTS $ sudo mkdir -p /usr/share/nuand/bladeRF
rfs@offensive-wireless:~/YateBTS $ sudo mv *.rbf /usr/share/nuand/bladeRF
rfs@offensive-wireless:~/YateBTS $ cd /usr/src/yate
rfs@offensive-wireless:/usr/src/yate $ ./autogen.sh
rfs@offensive-wireless:/usr/src/yate $ ./configure --prefix=/usr/local
rfs@offensive-wireless:/usr/src/yate $ make
rfs@offensive-wireless:/usr/src/yate $ sudo make install
rfs@offensive-wireless:/usr/src/yate $ sudo make install-noapi
rfs@offensive-wireless:/usr/src/yate $ sudo ldconfig
rfs@offensive-wireless:/usr/src/yate $ cd ..

make install-noapi is the install without the development headers; YateBTS is built against those headers, so the plain make install is the one that matters here.

Install YateBTS

rfs@offensive-wireless:/usr/src $ cd yatebts
rfs@offensive-wireless:/usr/src/yatebts $ ./autogen.sh
rfs@offensive-wireless:/usr/src/yatebts $ ./configure --prefix=/usr/local
rfs@offensive-wireless:/usr/src/yatebts $ make
rfs@offensive-wireless:/usr/src/yatebts $ sudo make install
rfs@offensive-wireless:/usr/src/yatebts $ sudo ldconfig
rfs@offensive-wireless:/usr/src/yatebts $ cd ..
rfs@offensive-wireless:/usr/src $ sudo mkdir -p /usr/share/nuand/bladeRF

Step 4 – Configuring YateBTS

Create the two runtime files YateBTS expects and make the configuration writable by the yate group:

rfs@offensive-wireless:/usr/src $ sudo touch /usr/local/etc/yate/snmp_data.conf /usr/local/etc/yate/tmsidata.conf
rfs@offensive-wireless:/usr/src $ sudo chown rfs:yate /usr/local/etc/yate/*.conf
rfs@offensive-wireless:/usr/src $ sudo chmod g+w /usr/local/etc/yate/*.conf

Load the FPGA image for the xA9 (the one moved to /usr/share/nuand/bladeRF in Step 3). The image goes into the FPGA's volatile memory, so this has to be repeated after every power cycle of the board:

rfs@offensive-wireless:~ $ bladeRF-cli -l /usr/share/nuand/bladeRF/hostedxA9.rbf

If the image loads, start the BTS in the foreground with verbose logging and, from a second terminal, connect to its rmanager console:

rfs@offensive-wireless:~ $ yate -v
rfs@offensive-wireless:~ $ telnet localhost 5038

The rmanager listens on 127.0.0.1:5038 by default and, unless a password is set in rmanager.conf, accepts any local connection; keep it bound to localhost.

Setup Network In a Box – NIB

rfs@offensive-wireless:~ $ sudo apt-get install -y apache2 php libusb-1.0-0 libusb-1.0-0-dev libgsm1 libgsm1-dev
rfs@offensive-wireless:~ $ cd /var/www/html
rfs@offensive-wireless:/var/www/html $ sudo ln -s /usr/local/share/yate/nipc_web nipc
rfs@offensive-wireless:/var/www/html $ sudo chmod -R a+w /usr/local/share/yate

That last chmod makes the whole NiB tree, PHP included, writable by every local account. It is the quick fix for a throwaway lab box; anywhere else, give write access only to the Apache user (www-data on Debian) and only on the directories the web UI actually writes to.

Create a systemd unit so the BTS starts at boot and is restarted if it dies (stop the foreground yate from the previous step first, or the two will fight over the board):

rfs@offensive-wireless:~ $ sudo vi /etc/systemd/system/yate.service

[Unit]
Description=RFS Yate BTS
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
User=root
ExecStart=/usr/local/bin/yate -s

[Install]
WantedBy=multi-user.target

Note that with User=root the configuration made group-writable above is read by a root process, so anyone in the yate group (and anything running as the web server, once the UI can write those files) effectively controls the BTS.

rfs@offensive-wireless:~ $ sudo systemctl start yate
rfs@offensive-wireless:~ $ sudo systemctl enable yate
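The chmod -R a+w above is the weak setting. The following shell function is an added example, not from the article or the YateBTS project, showing the least-privilege alternative: the web server's group gets write access where the UI writes, nothing is world-writable, and files the UI creates later inherit the group. It assumes Apache runs as www-data (the Debian default) and that the NiB UI writes under nipc_web and the Yate configuration directory; adjust the two paths if your UI writes elsewhere.

```shell
#!/bin/sh
# Added example (not from the original article): grant the NiB web UI write
# access through the web server's group instead of `chmod -R a+w`.
# Assumed layout: SHARE_DIR/nipc_web is the UI, ETC_DIR holds the *.conf files.

# harden_nib_perms SHARE_DIR ETC_DIR WEB_GROUP
harden_nib_perms() {
    share=$1; etc=$2; group=$3
    # 1. Nothing in either tree stays world-writable.
    chmod -R o-w "$share" "$etc"
    # 2. The web server's group owns both trees ...
    chgrp -R "$group" "$share" "$etc"
    #    ... but only gets write access where the UI actually writes.
    #    (X adds execute/search on directories only, not on regular files.)
    chmod -R g+rwX "$share/nipc_web" "$etc"
    # 3. Files the UI creates later inherit the group (setgid directories).
    find "$share/nipc_web" "$etc" -type d -exec chmod g+s '{}' +
}

# Return 0 if nothing under $1 is writable by "other".
no_world_writable() {
    [ -z "$(find "$1" -perm -002 -print | head -n 1)" ]
}

# On the real box, as root:
#   harden_nib_perms /usr/local/share/yate /usr/local/etc/yate www-data
#   no_world_writable /usr/local/share/yate && echo "no world-writable files left"
```

Because the UI's PHP files themselves end up group-writable, a compromise of the web server can still rewrite them; restricting g+rwX to the data subdirectories the UI needs, once you know which ones they are, is the next step.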

Step 5 – Provisioning SIM Cards

In order to

How to Install PySIM

rfs@offensive-wireless:~ $ sudo apt-get install libpcsclite-dev
rfs@offensive-wireless:~ $ mkdir PySIM
rfs@offensive-wireless:~ $ cd PySIM/
rfs@offensive-wireless:~/PySIM $ git clone git://git.osmocom.org/pysim.git
rfs@offensive-wireless:~/PySIM $ sudo apt-get install python3-pyscard python3-serial python3-pip python3-yaml
rfs@offensive-wireless:~/PySIM $ cd pysim
rfs@offensive-wireless:~/PySIM/pysim $ pip3 install -r requirements.txt

The git:// transport is unauthenticated and unencrypted, so the clone can be altered in transit. Prefer the https:// URL of the same repository and, since this code will be run with access to your SIM reader and keys, pin a known commit rather than whatever HEAD happens to be.

How to Configure a Magic SIM

Read the card first, then write it. -d selects a serial reader on /dev/ttyUSB0; for the USB PC/SC reader from the pack list (the kind pcscd drives) use -p 0 instead.

rfs@offensive-wireless:~/PySIM/pysim $ ./pySim-read.py -d /dev/ttyUSB0
rfs@offensive-wireless:~/PySIM/pysim $ ./pySim-prog.py -d /dev/ttyUSB0 -n RFS -x 268 -y 07 -i 901990000000018 -s 8988211110000110000 -o 398198093111279FB1FC74BE07059FEF -k 1D8B2562B772549F20D0F42003EAA6FA

Two checks before writing a card. First, the IMSI's leading digits are the home PLMN the phone will look for (901 99 here, which does not match the -x 268 -y 07 passed to pySim-prog); set -x/-y and YateBTS's Identity.MCC/Identity.MNC in ybts.conf to the same values as the IMSI, or you will have to select the network manually on the phone. Second, the -k (Ki) and -o (OPC) values above are this page's example values; generate a fresh random 128-bit pair per card and enter the same values in that card's NiB subscriber entry, since a BTS configured to authenticate subscribers will reject the phone if they differ.

Install pySim where the NiB web UI can find it and point config.php at that directory:

rfs@offensive-wireless:~/PySIM $ sudo cp -R pysim/ /usr/src/
rfs@offensive-wireless:~/PySIM $ cd /usr/local/bin
rfs@offensive-wireless:/usr/local/bin $ sudo ln -s /usr/src/pysim/pySim-prog.py pySim-prog.py
rfs@offensive-wireless:/usr/local/bin $ sudo vi /usr/local/share/yate/nipc_web/config.php

<?php $pysim_path = "/usr/src/pysim"; ?>

$pysim_path must match where pysim was actually installed, which is /usr/src/pysim after the copy above.

rfs@offensive-wireless:~ $ sudo systemctl daemon-reload
rfs@offensive-wireless:~ $ sudo systemctl restart yate
rfs@offensive-wireless:~ $ sudo systemctl status yate
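The checks described above can be scripted so that a card is only written when it agrees with the network the BTS broadcasts. The following is an added example, not part of the article or of pySim: it reads Identity.MCC/MNC out of ybts.conf, verifies that the IMSI belongs to that PLMN, verifies the ICCID's Luhn check digit, draws Ki and OPC from the kernel CSPRNG, and prints the pySim-prog command as a dry run instead of touching the card. The ybts.conf fragment is constructed; the -p reader index is an assumption for a PC/SC reader. The Luhn check also flags the ICCID shown on this page (its check digit works out to 7, not 0); the network never looks at the ICCID, so that only matters for bookkeeping.

```shell
#!/bin/sh
# Added example (not from the original article): pre-write checks for SIM
# provisioning against a YateBTS NiB. Assumes ybts.conf keeps the PLMN under
# [gsm] as Identity.MCC / Identity.MNC and that the Ki/OPC printed here will be
# copied into the card's NiB subscriber entry.

# Luhn check digit for a digit string (an ICCID is 18 digits plus this digit).
luhn_check_digit() {
    printf '%s\n' "$1" | awk '{
        sum = 0; dbl = 1                 # digit left of the check digit is doubled
        for (i = length($0); i >= 1; i--) {
            d = substr($0, i, 1) + 0
            if (dbl) { d *= 2; if (d > 9) d -= 9 }
            sum += d; dbl = !dbl
        }
        print (10 - sum % 10) % 10
    }'
}

# 0 if the full digit string (payload + check digit) passes Luhn.
luhn_valid() {
    body=${1%?}; last=${1#"${1%?}"}
    [ "$(luhn_check_digit "$body")" = "$last" ]
}

# Print "MCC MNC" from ybts.conf text ($1), taken from the [gsm] section only.
ybts_identity() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*\[/ { sect = $0 }
        sect ~ /^\[gsm\]/ && $1 ~ /^[ \t]*Identity\.MCC[ \t]*$/ { mcc = $2 }
        sect ~ /^\[gsm\]/ && $1 ~ /^[ \t]*Identity\.MNC[ \t]*$/ { mnc = $2 }
        END { gsub(/[ \t]/, "", mcc); gsub(/[ \t]/, "", mnc); print mcc, mnc }'
}

# 0 if the IMSI starts with MCC+MNC (the home PLMN the phone will select).
imsi_matches_plmn() {
    case "$1" in
        *[!0-9]*) return 1 ;;
        "$2$3"*)  return 0 ;;
        *)        return 1 ;;
    esac
}

# 32 hex characters (128 bits) from /dev/urandom, for Ki and OPC.
gen_key() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# plan_card YBTS_CONF_TEXT NAME IMSI ICCID PCSC_READER_INDEX
# Validates the card against the BTS config and prints the pySim-prog command
# (dry run: nothing is written to the card here).
plan_card() {
    conf=$1 name=$2 imsi=$3 iccid=$4 reader=$5
    set -- $(ybts_identity "$conf"); mcc=$1; mnc=$2
    [ -n "$mcc" ] && [ -n "$mnc" ] || { echo "no Identity.MCC/MNC in ybts.conf" >&2; return 1; }
    imsi_matches_plmn "$imsi" "$mcc" "$mnc" || {
        echo "IMSI $imsi is not in PLMN $mcc $mnc; the phone will not pick this network automatically" >&2
        return 1; }
    luhn_valid "$iccid" || { echo "ICCID $iccid fails the Luhn check" >&2; return 1; }
    ki=$(gen_key); opc=$(gen_key)
    echo "pySim-prog.py -p $reader -n $name -x $mcc -y $mnc -i $imsi -s $iccid -k $ki -o $opc"
}

# Constructed ybts.conf fragment (not a file from this setup).
SAMPLE_YBTS='[gsm]
Radio.Band=900
Radio.C0=1000
Identity.MCC=901
Identity.MNC=99

[ybts]
mode=nib'

# Dry run with the page's IMSI and a Luhn-correct variant of its ICCID.
plan_card "$SAMPLE_YBTS" RFS 901990000000018 8988211110000110007 0 || echo "card rejected"
```

Record the printed Ki/OPC for each card before running the command, because pySim-read cannot recover Ki from the card afterwards; the same pair has to go into the NiB subscriber list for authentication to succeed.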

[Image: bladeRF 2.0 micro xA9]

Once everything is up, you can capture the GSM signal of your own BTS with an RTL-SDR.

My next article will be about systems and methods for identifying rogue base stations; for now, you can check my other article about ZigBee sniffing.