{"id":13579295,"url":"https://github.com/mgp25/OpenLTE","last_synced_at":"2025-04-05T20:33:45.744Z","repository":{"id":41502805,"uuid":"122372793","full_name":"mgp25/OpenLTE","owner":"mgp25","description":"An open source 3GPP LTE implementation. ","archived":false,"fork":false,"pushed_at":"2021-02-21T19:34:29.000Z","size":29877,"stargazers_count":228,"open_issues_count":0,"forks_count":84,"subscribers_count":20,"default_branch":"master","last_synced_at":"2024-11-05T17:49:30.200Z","etag":null,"topics":["gnuradio","lte","openlte","sdr","usim","usrp"],"latest_commit_sha":null,"homepage":null,"language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mgp25.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-02-21T18:00:36.000Z","updated_at":"2024-11-04T15:53:16.000Z","dependencies_parsed_at":"2022-08-10T02:35:10.153Z","dependency_job_id":null,"html_url":"https://github.com/mgp25/OpenLTE","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgp25%2FOpenLTE","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgp25%2FOpenLTE/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgp25%2FOpenLTE/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgp25%2FOpenLTE/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mgp25","download_url":"https://codeload.github.com/mgp25/OpenLTE/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":
247399874,"owners_count":20932876,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gnuradio","lte","openlte","sdr","usim","usrp"],"created_at":"2024-08-01T15:01:38.144Z","updated_at":"2025-04-05T20:33:40.735Z","avatar_url":"https://github.com/mgp25.png","language":"C++","funding_links":[],"categories":["\u003ca name=\"cpp\"\u003e\u003c/a\u003eC++"],"sub_categories":[],"readme":"# Open\u003cimg src=\"https://raw.githubusercontent.com/mgp25/OpenLTE/master/assets/lte.png\" width=50\u003e\n\nOpenLTE is an open source implementation of the 3GPP LTE specifications. \n\nThis is a clone of [https://sourceforge.net/p/openlte](https://sourceforge.net/p/openlte).\n\n### Contents\n\n* [Prerequisites](#prerequisites)\n* [Installation](#installation)\n\t- [Setup your computer](#setup-your-computer)\n\t- [Installing GNURadio with UHD](#installing-gnuradio-with-uhd)\n\t- [Installing OpenLTE](#installing-openlte)\n* [Running OpenLTE eNodeB](#running-openlte-enodeb)\n* [OpenLTE Tx Configuration](#openlte-tx-configuration)\n* [Wireshark Configuration](#wireshark-configuration)\n* [Programming your own USIM card](#programming-your-own-usim-card)\n\t- [Prerequisites](#prerequisites)\n\t- [Providers](#providers)\n\t- [Get the SIM programmer](#get-the-sim-programmer)\n\t- [Get the software (PySIM, PCSCd, Pyscard)](#get-the-software-pysim-pcscd-pyscard)\n\t- [Programming the SIM card](#programming-the-sim-card)\n\t- [Adding subscribers](#adding-subscribers)\n* [Test captures](#test-captures)\n\n### Attack implementations\n\nSome attacks implemented by 
[@onkarmumbrekar](https://github.com/onkarmumbrekar) can be found in the different branches:\n\n- akabypass\n- attach_reject\n- dos_tau_reject_dualcase\n- dos_tau_reject\n- malformed_detach\n- numb_attack\n- service_reject_on_tau\n- tau_numb_attack\n\n## Prerequisites\n\n\n- USB 3.0 interface\n- Modern multicore CPU (Intel Core i5, Core i7 or equivalent with SSE4.1 SSE4.2 and AVX support)\n- UHD driver installed (for Ettus SDRs)\n- GNURADIO\n\n\n## Installation\n\n### Setup your computer\n\nOpenLTE not only requires a huge amount of processing power, it also requires very low latency because it needs to transmit/receive a radio frame every 1 ms. If there is any delay in the processing, the system will not be able to respond in time and will lose samples. Therefore it is recommended to switch off any CPU and/or system features (mostly in your BIOS) that can cause delays or slow down the so-called context switching time. Intel SpeedStep, deep and deeper sleep states, etc. should be turned off. Especially with high-bandwidth setups (10, 15 and 20 MHz) it is recommended to switch off the GUI on Linux. There is also a low-latency edition of the Linux kernel, but at this point there is no absolute proof that it actually helps with OpenLTE.\n\n### Installing GNURadio with UHD\n\nWith an Ettus radio (B200, B210) you will need the latest UHD driver besides GNURadio:\n\n`sudo apt-get install libuhd-dev libuhd003 uhd-host`\n\nI recommend not using the binary version but compiling the code with UHD as follows:\n\nAs a non-root user, give the following command:\n\n```\nmkdir gnuradio\ncd gnuradio\nwget http://www.sbrac.org/files/build-gnuradio\nchmod a+x build-gnuradio\n\n./build-gnuradio -v\n```\n\nYou will be asked for the root password by the install script. 
**The whole procedure can take up to 3 hours!** It will download GNURadio, UHD and all the necessary dependencies.\n\nCheck the communication with your Ettus SDR:\nConnect your SDR to one of the USB3 interfaces, and run:\n\n`uhd_usrp_probe`\n\nThe software will load the FPGA code to your device and query it. If you have done everything right, you should see something similar:\n\n```\nlinux; GNU C++ version 4.8.2; Boost_105400; UHD_003.008.001-42-g8c87a524\n\n-- Operating over USB 3.\n-- Initialize CODEC control...\n-- Initialize Radio control...\n-- Performing register loopback test... pass\n-- Performing CODEC loopback test... pass\n-- Asking for clock rate 32.000000 MHz...\n-- Actually got clock rate 32.000000 MHz.\n-- Performing timer loopback test... pass\n-- Setting master clock rate selection to 'automatic'.\n  _____________________________________________________\n /\n|       Device: B-Series Device\n|     _____________________________________________________\n|    /\n|   |       Mboard: B200\n|   |   revision: 4\n|   |   product: 1\n|   |   serial: F54xxx\n|   |   FW Version: 7.0\n|   |   FPGA Version: 4.0\n|   |\n|   |   Time sources: none, internal, external, gpsdo\n|   |   Clock sources: internal, external, gpsdo\n|   |   Sensors: ref_locked\n|   |     _____________________________________________________\n|   |    /\n|   |   |       RX DSP: 0\n|   |   |   Freq range: -16.000 to 16.000 MHz\n|   |     _____________________________________________________\n|   |    /\n|   |   |       RX Dboard: A\n|   |   |     _____________________________________________________\n|   |   |    /\n|   |   |   |       RX Frontend: A\n|   |   |   |   Name: FE-RX2\n|   |   |   |   Antennas: TX/RX, RX2\n|   |   |   |   Sensors:\n|   |   |   |   Freq range: 50.000 to 6000.000 MHz\n|   |   |   |   Gain range PGA: 0.0 to 73.0 step 1.0 dB\n|   |   |   |   Connection Type: IQ\n|   |   |   |   Uses LO offset: No\n|   |   |     
_____________________________________________________\n|   |   |    /\n|   |   |   |       RX Codec: A\n|   |   |   |   Name: B200 RX dual ADC\n|   |   |   |   Gain Elements: None\n|   |     _____________________________________________________\n|   |    /\n|   |   |       TX DSP: 0\n|   |   |   Freq range: -16.000 to 16.000 MHz\n|   |     _____________________________________________________\n|   |    /\n|   |   |       TX Dboard: A\n|   |   |     _____________________________________________________\n|   |   |    /\n|   |   |   |       TX Frontend: A\n|   |   |   |   Name: FE-TX2\n|   |   |   |   Antennas: TX/RX\n|   |   |   |   Sensors:\n|   |   |   |   Freq range: 50.000 to 6000.000 MHz\n|   |   |   |   Gain range PGA: 0.0 to 89.8 step 0.2 dB\n|   |   |   |   Connection Type: IQ\n|   |   |   |   Uses LO offset: No\n|   |   |     _____________________________________________________\n|   |   |    /\n|   |   |   |       TX Codec: A\n|   |   |   |   Name: B200 TX dual DAC\n|   |   |   |   Gain Elements: None\n```\n\n\n### Installing OpenLTE\n\n**Dependencies:**\n\n`sudo apt-get install libpolarssl-dev`\n\n**Build and install:**\n\n```\nmkdir build\ncd build \u0026\u0026 cmake ..\nmake\n```\n\n(Optional):\n\n`sudo make install`\n\n## Running OpenLTE eNodeB\n\n**First terminal window:**\n\nDo not close this window during operation!\n\n`LTE_fdd_enodeb`\n\nOutput:\n\n```\nlinux; GNU C++ version 4.8.2; Boost_105400; UHD_003.008.001-42-g8c87a524\n*** LTE FDD ENB ***\nPlease connect to control port 30000\n```\n\n**Second terminal:**\n\nThis is the control interface of the eNodeB.\n\n`telnet 127.0.0.1 30000`\n\nOutput:\n\n```\nTrying 127.0.0.1...\nConnected to 127.0.0.1.\nEscape character is '^]'.\n*** LTE FDD ENB ***\nType help to see a list of commands\n```\n\n**Third terminal (Optional):**\n\nThis command will provide debug log messages.\n\n`telnet 127.0.0.1 30001`\n\n## OpenLTE Tx Configuration\n\n**Tx configuration:**\n\n```\nwrite band 20\nwrite bandwidth 5\nwrite 
dl_earfcn 6300\nwrite mcc 214\nwrite mnc 12\nwrite n_ant 1\nwrite rx_gain 30\nwrite tx_gain 86\n```\n\n## Wireshark configuration\n\n`Edit -\u003e Preferences -\u003e Protocols -\u003e DLT_USER -\u003e Edit…`\n`Click ‘+’ -\u003e DLT = User 0 and Payload protocol = mac-lte-framed`\n\n## Programming your own USIM card\n\n### Prerequisites\n\n`sudo apt-get install python-pip`\n\n```\nsudo python -m pip install serial pycrypto\n```\n\n### Providers\n\n**sysmoUSIM-SJS1 4FF/nano SIM + USIM Card (10-pack):**\n\n[http://shop.sysmocom.de/products/sysmousim-sjs1-4ff](http://shop.sysmocom.de/products/sysmousim-sjs1-4ff)\n\n### Get the SIM programmer\n\nYou need a SIM card programmer which is compatible with the PCSC application on Linux. To have a more or less complete list of the compatible devices, please visit this page:\n\n[http://pcsclite.alioth.debian.org/ccid/supported.html](http://pcsclite.alioth.debian.org/ccid/supported.html)\n\nDon't forget that you need a programmer with APDU support. Personally we use **SCM Microsystems Inc. 
SCR 3310**; you can find it and many others from the above list on eBay.\n\n### Get the software (PySIM, PCSCd, Pyscard)\n\n**First install dependencies:**\n\n`sudo apt-get install pcscd pcsc-tools libccid libpcsclite-dev`\n\nConnect your SIM card reader, plug the programmable SIM card in, and check connectivity by running the following command:\n\n`sudo pcsc_scan`\n\nIf your reader and card are recognized, you will see something similar:\n\n```\nPC/SC device scanner\nV 1.4.22 (c) 2001-2011, Ludovic Rousseau \u003cludovic.rousseau@free.fr\u003e\nCompiled with PC/SC lite version: 1.8.10\nUsing reader plug'n play mechanism\nScanning present readers...\n0: OMNIKEY AG CardMan 3121 01 00\n\nWed Dec 24 14:56:32 2014\nReader 0: OMNIKEY AG CardMan 3121 01 00\n  Card state: Card inserted,\n  ATR: 3B 9F 95 80 1F C7 80 31 E0 73 FE 21 13 57 12 29 11 02 01 00 00 C2\n\nATR: 3B 9F 95 80 1F C7 80 31 E0 73 FE 21 13 57 12 29 11 02 01 00 00 C2\n+ TS = 3B --\u003e Direct Convention\n+ T0 = 9F, Y(1): 1001, K: 15 (historical bytes)\n  TA(1) = 95 --\u003e Fi=512, Di=16, 32 cycles/ETU\n    125000 bits/s at 4 MHz, fMax for Fi = 5 MHz =\u003e 156250 bits/s\n  TD(1) = 80 --\u003e Y(i+1) = 1000, Protocol T = 0\n-----\n  TD(2) = 1F --\u003e Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following\n-----\n  TA(3) = C7 --\u003e Clock stop: no preference - Class accepted by the card: (3G) A 5V B 3V C 1.8V\n+ Historical bytes: 80 31 E0 73 FE 21 13 57 12 29 11 02 01 00 00\n  Category indicator byte: 80 (compact TLV data object)\n    Tag: 3, len: 1 (card service data byte)\n      Card service data byte: E0\n        - Application selection: by full DF name\n        - Application selection: by partial DF name\n        - BER-TLV data objects available in EF.DIR\n        - EF.DIR and EF.ATR access services: by GET RECORD(s) command\n        - Card with MF\n    Tag: 7, len: 3 (card capabilities)\n      Selection methods: FE\n        - DF selection by full DF name\n        - DF selection by partial DF 
name\n        - DF selection by path\n        - DF selection by file identifier\n        - Implicit DF selection\n        - Short EF identifier supported\n        - Record number supported\n      Data coding byte: 21\n        - Behaviour of write functions: proprietary\n        - Value 'FF' for the first byte of BER-TLV tag fields: invalid\n        - Data unit in quartets: 2\n      Command chaining, length fields and logical channels: 13\n        - Logical channel number assignment: by the card\n        - Maximum number of logical channels: 4\n    Tag: 5, len: 7 (card issuer's data)\n      Card issuer data: 12 29 11 02 01 00 00\n+ TCK = C2 (correct checksum)\n\nPossibly identified card (using /usr/share/pcsc/smartcard_list.txt):\n3B 9F 95 80 1F C7 80 31 E0 73 FE 21 13 57 12 29 11 02 01 00 00 C2\n        sysmocom sysmoUSIM-GR1\n        http://sysmocom.de/\n```\n\nHit `Ctrl+C` to exit `pcsc_scan`.\n\n### Pyscard\n\nNow you need to download and install Pyscard:\n\n[http://pyscard.sourceforge.net/](http://pyscard.sourceforge.net/)\n\nDownload and extract the latest Pyscard version:\n\n[https://sourceforge.net/projects/pyscard/files/pyscard/](https://sourceforge.net/projects/pyscard/files/pyscard/)\n\nGo to the extracted Pyscard folder (where the setup.py file is located) and run the following command:\n\n`sudo /usr/bin/python setup.py build_ext install`\n\n### PySIM\n\nNow get the code of PySIM:\n\n```\ngit clone git://git.osmocom.org/pysim pysim\ncd pysim\n```\n\nand run `./pySim-read.py` to read your card:\n\n`./pySim-read.py`\n\nIf you have done everything right, you will see something similar:\n\n```\nReading ...\nICCID: 8901901550000123456\nIMSI: 901550000123456\nSMSP: fffffffffffffffffffffffffdffffffffffffffffffffffff069186770700f9ffffffffffffffff\nACC: ffff\nMSISDN: Not available\nDone !\n```\n\nSometimes it is necessary to give the program the number of the card programmer:\n\n`./pySim-read.py -p 0`      or       `./pySim-read.py -p 1`\n\nNow we are ready to 
program the USIM finally! :-)\n\n### Sysmo USIM Tool\n\nGet Sysmo USIM tool:\n\n`git clone git://git.sysmocom.de/sysmo-usim-tool`\n\nWe will need: `sysmo-usim-tool.sjs1.py`\n\n### Programming the SIM card\n\n**Important:**\n\n\nIn order to program the USIM cards, you must use the `zecke/tmp2` branch of Pysim. Please note that with the `zecke/tmp2` branch you can program but cannot read the cards. If you want to read the cards you will need to switch back to the `master` branch. **If you are not using the** `zecke/tmp2` **branch or you are not giving the ADM1 pin correctly, you can permanently damage your card!!!**\n\nTo change branch to `zecke/tmp2`, use this command:\n\n`git checkout zecke/tmp2`\n\nExample to program a SysmoUSIM-SJS1 card:\n\n```\n./pySim-prog.py -p 0 --mcc 101 --mnc 02 -t sysmoUSIM-SJS1 --imsi 101020000000003 --iccid 8988211000000012345 --ki 8BAF473F2F8FD09487CCCBD7097C6862 --pin-adm 53770832\n```\n\n**IMPORTANT:** `--pin-adm` (short form `-a`) is where you need to give the `ADM1` for this specific SIM card. 
Again, if you are not using the `zecke/tmp2` branch or not giving the proper `ADM1` pin when you try to program the sysmoUSIM-SJS1 SIMs, you will likely end up with a permanently damaged card!\n\nNow let's set the MILENAGE algorithm and the OP.\n\n`./sysmo-usim-tool.sjs1.py --adm1 ADM1_KEY --set-op LTE_DEFAULT_OP_CODE -T MILENAGE:MILENAGE`\n\nOpenLTE has a default OP code, which is:\n\n`OP=63bfa50ee6523365ff14c1f45f88737d`\n\nIf you want to replace this value with your own, edit the OP value in `liblte/src/liblte_security.cc` (OpenLTE must be recompiled for the change to take effect):\n\n```c\nstatic const uint8 OP[16] = {0x63,0xBF,0xA5,0x0E,0xE6,0x52,0x33,0x65,\n0xFF,0x14,0xC1,0xF4,0x5F,0x88,0x73,0x7D};\n```\n\nIn this fork we have set OP value to:\n\n```c\nstatic const uint8 OP[16] = {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,\n0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11};\n```\n\n`OP=11111111111111111111111111111111`\n\n**Reference:** [Specification of the MILENAGE algorithm - 3GPP TS 35.206](http://www.etsi.org/deliver/etsi_ts/135200_135299/135206/14.00.00_60/ts_135206v140000p.pdf)\n\n**Reference:** [Sysmo USIM Manual](https://www.sysmocom.de/manuals/sysmousim-manual.pdf)\n\n### Adding subscribers\n\nPreviously we created our own USIM cards and we know the Ki key and the IMSI for these cards.\n\nNow we need to add them to the subscriber registry.\n\nStart `LTE_fdd_enodeb` and log in to the control interface:\n\n`telnet 127.0.0.1 30000`\n\nThese are the commands for adding, deleting and listing subscribers:\n\n```\nadd_user imsi=\u003cimsi\u003e imei=\u003cimei\u003e k=\u003ck\u003e - Adds a user to the HSS (\u003cimsi\u003e and \u003cimei\u003e are 15 decimal digits, and \u003ck\u003e is 32 hex digits)\ndel_user imsi=\u003cimsi\u003e                   - Deletes a user from the HSS\nprint_users                            - Prints all the users in the HSS\n```\n\nTo add a subscriber use the following command [k is the Ki 
key!]:\n\n\n`add_user imsi=901550000123456 imei=864217022123456 k=D360C2591DE1BF61A11014C33D012246`\n\nThe terminal will respond with an `ok` if there were no typos in the syntax.\n\nYou can list the already added subscribers with:\n\n`print_users`\n\nYou can delete the previously added subscriber with:\n\n`del_user imsi=901550000123456`\n\n**Note that the first 3 digits of the IMSI are the MCC** (or Mobile Country Code) **and the two digits after the MCC are the MNC** (or Mobile Network Code). In the above example the MCC is 901 and the MNC is 55. It is not necessary, but it helps the Mobile Station a lot if the MCC/MNC of your LTE network matches what your programmed SIM cards dictate. You can also change the IMSI value during the SIM card programming stage to match the specification of a test network: `MCC=001` and `MNC=01`.\n\nPlease note that you will need to set up an APN on your device in order to successfully have data connectivity. We will add instructions on how to achieve this as our work progresses.\n\n**You should NEVER use the MCC/MNC configuration of a commercial provider!**\n\n\n## Test Captures\n\nIn the `Test capture` folder there is a capture that is compatible with the `LTE_fdd_dl_file_scan` application. To use this capture with the octave receiver, use the following octave commands:\n\n```octave\nfid = fopen(\"/path/to/LTE_test_file_int8.bin\", \"r\");\niq_vec = fread(fid, inf, \"int8\");\niq_split_vec = reshape(iq_vec, 2, []);\nlte_fdd_dl_receive(iq_split_vec(1,:) + i*iq_split_vec(2,:));\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmgp25%2FOpenLTE","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmgp25%2FOpenLTE","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmgp25%2FOpenLTE/lists"}