Compiling LeanSDR on Mac OSX

LeanSDR: Lightweight, portable software-defined radio

git clone http://github.com/pabr/leansdr.git
cd leansdr/src/apps

LeanSDR uses the X11 graphics framework for its GUI, so the first attempt to build it on OSX fails with:

g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI leandvb.cc -lX11 -o leandvb  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       leandvb.cc       -o leandvb
In file included from leandvb.cc:17:
../leansdr/gui.h:16:10: fatal error: 'X11/X.h' file not found
#include <X11/X.h>
         ^
1 error generated.
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI leansdrscan.cc -lX11 -o leansdrscan  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       leansdrscan.cc       -o leansdrscan
leansdrscan.cc:115:10: warning: comparison of unsigned expression < 0 is always false [-Wtautological-compare]
        if ( nr < 0 ) fatal("read");
             ~~ ^ ~
1 warning generated.
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation)
leansdrscan.cc:115:10: warning: comparison of unsigned expression < 0 is always false [-Wtautological-compare]
        if ( nr < 0 ) fatal("read");
             ~~ ^ ~
1 warning generated.
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI leansdrcat.cc -lX11 -o leansdrcat  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       leansdrcat.cc       -o leansdrcat
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation)
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI leantsgen.cc -lX11 -o leantsgen  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       leantsgen.cc       -o leantsgen
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation)
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI leanchansim.cc -lX11 -o leanchansim  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       leanchansim.cc       -o leanchansim
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation)
g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI leandvbtx.cc -lX11 -o leandvbtx  ||  \
    g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable       leandvbtx.cc       -o leandvbtx
ld: library not found for -lX11
clang: error: linker command failed with exit code 1 (use -v to see invocation)

Locate the X11 headers (XQuartz installs them under /opt/X11):

sudo find / -name "X.h"
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Tk.framework/Versions/8.4/Headers/X11/X.h
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Tk.framework/Versions/8.5/Headers/X11/X.h
find: /dev/fd/cn0xroot: No such file or directory
find: /dev/fd/cn0xroot: No such file or directory
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks/Tk.framework/Versions/8.5/Headers/X11/X.h
/opt/local/include/X11/X.h
/opt/local/share/doc/boost/libs/coroutine/example/cpp03/asymmetric/X.h
/opt/metasploit-framework/embedded/include/X11/X.h
/opt/X11/include/X11/X.h
/System/Library/Frameworks/Tk.framework/Versions/8.4/Headers/X11/X.h
/System/Library/Frameworks/Tk.framework/Versions/8.5/Headers/X11/X.h

Solution: edit the Makefile so the compiler and linker are pointed at the XQuartz include and lib directories:

APPS = leandvb leansdrscan
APPS += leansdrcat leantsgen leanchansim leandvbtx

all: $(APPS)

clean:
	rm -f $(APPS)

DEPS = ../leansdr/*.h

CXXFLAGS = -O3 -I.. -I/opt/X11/include -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable

%: %.cc $(DEPS)
	g++ $(CXXFLAGS) -DGUI $< -lX11 -L/opt/X11/lib -o $@ || \
	g++ $(CXXFLAGS) $< -o $@

EMBED_FLAGS= -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable \
	-Ofast -mfpu=neon -funsafe-math-optimizations -fsingle-precision-constant

leandvb.embedded: leandvb.cc $(DEPS)
	g++ $(CXXFLAGS) $(EMBED_FLAGS) $< -static -o $@ || \
	g++ $(CXXFLAGS) $(EMBED_FLAGS) $< -o $@

Then build:

make
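The Makefile fix above hard-codes the XQuartz prefix /opt/X11. As an added example (not part of LeanSDR or of the original post), the following Python helper generalizes the find-then-patch step: it probes a list of candidate prefixes for both the header include/X11/X.h and a linkable libX11, and returns the -I/-L flags to put into CXXFLAGS and the link line, so the same Makefile change also works for MacPorts (/opt/local) or a non-default XQuartz location. Requiring the library as well as the header matters because, as the find output shows, Tk.framework ships X.h without libX11, which would silence the compile error and then fail at link time. The candidate list, the accepted library file names and the fixture layout are assumptions of this example.

```python
import os
import tempfile
from typing import Dict, Iterable, Optional

# Candidate prefixes, in probe order. /opt/X11 (XQuartz) and /opt/local
# (MacPorts) both appear in the `find` output above; the rest are the usual
# Linux locations. The order is a policy choice of this example (assumption).
DEFAULT_PREFIXES = ("/opt/X11", "/opt/local", "/usr/X11R6", "/usr")

# File names accepted as proof that libX11 is linkable here (assumption).
LIB_NAMES = ("libX11.dylib", "libX11.so", "libX11.a")


def has_x11(prefix: str) -> bool:
    """True only if PREFIX has both <X11/X.h> and a libX11 to link against.

    The header alone is not enough: the Tk.framework hits in the find output
    ship X.h but no libX11, which would fix the compile and then fail at link.
    """
    header = os.path.join(prefix, "include", "X11", "X.h")
    if not os.path.isfile(header):
        return False
    return any(
        os.path.isfile(os.path.join(prefix, libdir, name))
        for libdir in ("lib", "lib64")
        for name in LIB_NAMES
    )


def find_x11_prefix(candidates: Iterable[str] = DEFAULT_PREFIXES) -> Optional[str]:
    """Return the first candidate that passes has_x11(), or None."""
    for prefix in candidates:
        if has_x11(prefix):
            return prefix
    return None


def x11_flags(prefix: Optional[str]) -> Dict[str, object]:
    """Flags for the Makefile rule: -I<prefix>/include for CXXFLAGS and
    -L<prefix>/lib -lX11 for the -DGUI link. With no prefix only the
    non-GUI fallback branch of the rule (the part after ||) can succeed."""
    if prefix is None:
        return {"cxxflags": "", "ldflags": "", "gui": False}
    return {
        "cxxflags": "-I" + os.path.join(prefix, "include"),
        "ldflags": "-L" + os.path.join(prefix, "lib") + " -lX11",
        "gui": True,
    }


def make_fake_prefix(root: str, with_lib: bool = True) -> str:
    """Constructed fixture: lay out include/X11/X.h (and optionally a libX11)
    under ROOT so the probe can be exercised without a real XQuartz install."""
    os.makedirs(os.path.join(root, "include", "X11"), exist_ok=True)
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    open(os.path.join(root, "include", "X11", "X.h"), "w").close()
    if with_lib:
        open(os.path.join(root, "lib", "libX11.dylib"), "w").close()
    return root


def probe_fixture() -> Dict[str, object]:
    """Self-contained demo: a headers-only tree (like Tk.framework) must be
    skipped in favour of a complete one (like /opt/X11)."""
    base = tempfile.mkdtemp(prefix="x11probe-")
    headers_only = make_fake_prefix(os.path.join(base, "tk"), with_lib=False)
    complete = make_fake_prefix(os.path.join(base, "opt", "X11"))
    chosen = find_x11_prefix([headers_only, complete])
    return {
        "chosen": chosen,
        "complete": complete,
        "headers_only_ok": has_x11(headers_only),
        "flags": x11_flags(chosen),
    }


if __name__ == "__main__":
    # On a real Mac this reports the installed prefix (or None if absent).
    real = find_x11_prefix()
    print("system X11 prefix:", real, x11_flags(real))
    print("fixture:", probe_fixture())
```

Run it once on the build machine and paste the reported cxxflags/ldflags into CXXFLAGS and the -DGUI link line of the Makefile; if it reports None, only the non-GUI fallback branch of the rule will link, which is exactly the situation the original error output shows.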

Usage

leandvb --help
Usage: leandvb [options]  < IQ  > TS
Demodulate DVB-S I/Q on stdin, output MPEG packets on stdout

Input options:
  --u8           Input format is 8-bit unsigned (rtl_sdr, default)
  --f32          Input format is 32-bit float (gqrx)
  -f HZ          Input sample rate (default: 2.4e6)
  --loop         Repeat (stdin must be a file)
  --inbuf N      Additional input buffering (samples)

Preprocessing options:
  --anf N        Number of birdies to remove (default: 1)
  --derotate HZ  For use with --fd-pp, otherwise use --tune
  --resample     Resample baseband (CPU-intensive)
  --resample-rej K  Aliasing rejection (default: 10)
  --decim N      Decimate baseband (causes aliasing)
  --cnr          Measure CNR (requires samplerate>3*symbolrate)
  --fd-pp NUM    Dump preprocessed IQ data to file descriptor

DVB-S options:
  --sr HZ        Symbol rate (default: 2e6)
  --tune HZ      Bias frequency for demodulation
  --drift        Track frequency drift beyond safe limits
  --standard S   DVB-S (default), DVB-S2 (not implemented)
  --const C      QPSK (default), BPSK .. 32APSK (DVB-S2 only)
  --cr N/D       Code rate 1/2 (default) .. 7/8 .. 9/10
  --fastlock     Synchronize more aggressively (CPU-intensive)
  --sampler      nearest, linear, rrc
  --rrc-steps N  RRC interpolation factor
  --rrc-rej K    RRC filter rejection (defaut:10)
  --roll-off A   RRC roll-off (default: 0.35)
  --viterbi      Use Viterbi (CPU-intensive)
  --hard-metric  Use Hamming distances with Viterbi

Compatibility options:
  --hdlc         Expect HDLC frames instead of MPEG packets
  --packetized   Output 16-bit length prefix (default: as stream)

General options:
  --buf-factor   Buffer size factor (default:4)
  --hq           Maximize sensitivity
                 (Enables all CPU-intensive features)
  --hs           Maximize throughput (QPSK CR1/2 only)
                 (Disables all preprocessing)

UI options:
  -h             Display this help message and exit
  -v             Output debugging info at startup and exit
  -d             Output debugging info during operation
  --fd-info NUM  Output demodulator status to file descriptor
  --fd-const NUM Output constellation and symbols to file descr
  --gui          Show constellation and spectrum (X11)
  --duration S   Width of timeline plot (default: 60)
  --linger       Keep GUI running after EOF

Testing options:
  --awgn STDDEV  Add white gaussian noise (slow)

leanchansim --help
Usage: leanchansim [options]  < IQ.in  > IQ.out
Simulate an imperfect communication channel.

Input options:
  --iu8              Interpret stdin as complex unsigned char
  --if32             Interpret stdin as complex float
  -f Hz              Specify sample rate
  --loop             Repeat (stdin must be a file)

Gain options:
  --scale FACTOR     Multiply by constant

Drift options:
  --lo HZ            Specify nominal LO frequency
  --ppm PPM          Specify LO accuracy
  --drift-period S   Drift +-ppm every S seconds
  --drift-rate R     Drift with maximum rate R (Hz/s)
  --drift2-amp HZ    Add secondary drift (range in Hz)
  --drift2-freq HZ   Add secondary drift (rate in Hz)

Noise options:
  --awgn STDDEV      Add white gaussian noise (dB)

Output options:
  --ou8              Output as complex unsigned char
  --of32             Output as complex float

leandvbtx --help
Usage: leandvbtx [options]  < TS  > IQ
Modulate MPEG packets into a DVB-S baseband signal
Output float complex samples

Options:  -f INTERP[/DECIM]        Samples per symbols (default: 2)
  --roll-off R             RRC roll-off (defalt: 0.35)
  --power P                Output power (dB)
  --agc                    Better regulation of output power
  -v                       Verbose output

leansdrcat --help
Usage: leansdrcat [options]
Forward from stdin to stdout at constant rate.

Options:
  --block      Pause when stdout is busy (default: '#' on stderr)
  --nonblock   Silently ignore when stdout is busy
  --cbr R      Set rate in bits per second
  --cbr8 R     Set rate in bytes per second
  --cbr16 R    Set rate in 16-bit words per second
  --cbr32 R    Set rate in 32-bit words per second
  --cbr64 R    Set rate in 64-bit words per second
  -h           Display this help message and exit

leansdrscan --help
Usage: leansdrscan [options]  [program settings]
Run , cycling through combinations of settings.
Example: 'leansdrscan -v cat -n,-e' will feed stdin through 'cat -n' and 'cat -e' alternatively.

Options:
  -h              Print this message
  -v              Verbose
  --timeout N     Next settings if no output within N seconds
  --rewind        Rewind input (stdin must be a file)
  --probesize N   Forward only N bytes (with --rewind)

leantsgen --help
Usage: leantsgen [-c PACKETCOUNT]
Output numbered MPEG TS packets on stdout.

Example

rtl_sdr -g 0 -f 315e6 -s 1000000 /tmp/test.ts
leandvb --gui -v -d -f 1000e3 --sr 500e3 --cr 1/2 --derotate -4500 --anf 0 < /tmp/test.ts > mpeg.ts


https://www.rtl-sdr.com/transmitting-dvb-s-with-a-plutosdr-and-receiving-it-with-an-rtl-sdr/

http://www.pabr.org/radio/leandvb/leandvb.en.html

LimeSDR Getting Started Quickly | LimeSDR Quick Start Guide

Author: 雪碧 (0xroot), 360 Unicorn Team

Originally published at: http://bobao.360.cn/learning/detail/3721.html

0x00 Overview

Some LimeSDR features: USB 3.0; 4 x Tx transmit antenna ports; 6 x Rx receive antenna ports.

It can be used in development and test environments for Wi-Fi, GSM, UMTS, LTE, LoRa, Bluetooth, Zigbee, RFID and more.

Comparison table of the RTL TV dongle, HackRF, BladeRF, USRP and LimeSDR specifications (table shown as an image in the original post):

For the price of a HackRF One, its specifications rival a BladeRF or even a USRP!

LimeSDR core components (block diagram shown as an image in the original post).

A few close-ups first (photos in the original post): the board is 10 cm long, 11.5 cm including the USB connector, and 5.7 cm wide. Compared with the three mainstream SDR boards HackRF, BladeRF and USRP (USRP mini excepted) it is already very compact; measured, the LimeSDR is only about the size of an iPhone 5s!

With USB power connected, besides the two green LEDs shown in the photo above, a blinking red LED is also active.

Next, the LimeSDR hardware is brought up in two ways, a one-click quick install and a build from source; building from source is recommended.

0x01 Mac OSX

1.1 Setting up the development environment

On Mac OSX it is strongly recommended to set up the SDR environment through MacPorts, combined with source builds, for the best results.

1. Install Xcode from the App Store: https://itunes.apple.com/cn/app/xcode/id497799835?mt=12

2. Download and install XQuartz/X11: http://xquartz.macosforge.org/landing

3. Download and install MacPorts: https://trac.macports.org/wiki/InstallingMacPorts

sudo port search sdr
sudo port install rtl-sdr hackrf  bladeRF uhd gnuradio gqrx gr-osmosdr gr-fosphor

Once that is done, clone the sources from GitHub and build and install them.

1.2 Building LimeSuite from source

git clone https://github.com/myriadrf/LimeSuite.git
cd LimeSuite
mkdir builddir && cd builddir
cmake ../
make -j4
sudo make install

1.3 Building the UHD driver from source and adding UHD support for the LimeSDR

jocover developed OpenUSRP, a UHD-based driver that lets the LimeSDR present itself as a USRP B210.

git clone https://github.com/EttusResearch/uhd.git
cd uhd/host/lib/usrp
git clone https://github.com/jocover/OpenUSRP.git
echo "INCLUDE_SUBDIRECTORY(OpenUSRP)">>CMakeLists.txt
# back to uhd/host, where the top-level CMakeLists.txt lives
cd ../../
mkdir build && cd build
cmake ..
make -j4
sudo make install

1.4 Adding environment variables

echo 'export UHD_MODULE_PATH=/usr/lib/uhd/modules' >> ~/.bashrc

If you use iTerm2 + zsh, run this instead:

echo 'export UHD_MODULE_PATH=/usr/lib/uhd/modules' >> ~/.zshrc

1.5 Checking that the LimeSDR is recognized as a USRP:

Once the LimeSDR is emulating a USRP B210, it behaves exactly like a USRP:

uhd_find_devices


uhd_usrp_probe
Mac OS; Clang version 8.1.0 (clang-802.0.38); Boost_105900; UHD_003.010.001.001-MacPorts-Release

Using OpenUSRP
[WARNING] Gateware version mismatch!
  Expected gateware version 2, revision 8
  But found version 2, revision 6
  Follow the FW and FPGA upgrade instructions:
  http://wiki.myriadrf.org/Lime_Suite#Flashing_images
  Or run update on the command line: LimeUtil --update

[INFO] Estimated reference clock 30.7195 MHz
[INFO] Selected reference clock 30.720 MHz
[INFO] LMS7002M cache /Users/cn0xroot/.limesuite/LMS7002M_cache_values.db
MCU algorithm time: 10 ms
MCU Ref. clock: 30.72 MHz
MCU algorithm time: 163 ms
MCU algorithm time: 1 ms
MCU Ref. clock: 30.72 MHz
MCU algorithm time: 104 ms
MCU algorithm time: 1 ms
MCU Ref. clock: 30.72 MHz
MCU algorithm time: 167 ms
MCU algorithm time: 1 ms
MCU Ref. clock: 30.72 MHz
MCU algorithm time: 104 ms
  _____________________________________________________
 /
|       Device: B-Series Device
|     _____________________________________________________
|    /
|   |       Mboard: B210
|   |   revision: 4
|   |   product: 2
|   |   serial: 243381F
|   |   FW Version: 3
|   |   FPGA Version: 2.6
|   |
|   |   Time sources:  none, internal, external
|   |   Clock sources: internal, external
|   |   Sensors: ref_locked
|   |     _____________________________________________________
|   |    /
|   |   |       RX DSP: 0
|   |   |
|   |   |   Freq range: -10.000 to 10.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       RX DSP: 1
|   |   |
|   |   |   Freq range: -10.000 to 10.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       RX Dboard: A
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       RX Frontend: A
|   |   |   |   Name: FE-RX1
|   |   |   |   Antennas: TX/RX, RX2
|   |   |   |   Sensors: temp, lo_locked, rssi
|   |   |   |   Freq range: 30.000 to 3800.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 76.0 step 1.0 dB
|   |   |   |   Bandwidth range: 1000000.0 to 60000000.0 step 1.0 Hz
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       RX Frontend: B
|   |   |   |   Name: FE-RX2
|   |   |   |   Antennas: TX/RX, RX2
|   |   |   |   Sensors: temp, lo_locked, rssi
|   |   |   |   Freq range: 30.000 to 3800.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 76.0 step 1.0 dB
|   |   |   |   Bandwidth range: 1000000.0 to 60000000.0 step 1.0 Hz
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       RX Codec: A
|   |   |   |   Name: B210 RX dual ADC
|   |   |   |   Gain Elements: None
|   |     _____________________________________________________
|   |    /
|   |   |       TX DSP: 0
|   |   |
|   |   |   Freq range: -10.000 to 10.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       TX DSP: 1
|   |   |
|   |   |   Freq range: -10.000 to 10.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       TX Dboard: A
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       TX Frontend: A
|   |   |   |   Name: FE-TX1
|   |   |   |   Antennas: TX/RX
|   |   |   |   Sensors: temp, lo_locked
|   |   |   |   Freq range: 30.000 to 3800.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 89.8 step 0.2 dB
|   |   |   |   Bandwidth range: 800000.0 to 60000000.0 step 1.0 Hz
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       TX Frontend: B
|   |   |   |   Name: FE-TX2
|   |   |   |   Antennas: TX/RX
|   |   |   |   Sensors: temp, lo_locked
|   |   |   |   Freq range: 30.000 to 3800.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 89.8 step 0.2 dB
|   |   |   |   Bandwidth range: 800000.0 to 60000000.0 step 1.0 Hz
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       TX Codec: A
|   |   |   |   Name: B210 RX dual ADC
|   |   |   |   Gain Elements: None


1.6 Capturing a remote-control signal

osmocom_fft -F -f 315e6 -s 2e6


0x02 Ubuntu

2.1 Updating the package lists

sudo add-apt-repository -y ppa:myriadrf/drivers
sudo apt-get update
apt-cache search sdr


2.2 Installing common SDR software:

sudo apt-get update
sudo apt-get install git
sudo apt-get install python-pip

pip install --upgrade pip
pip install git+https://github.com/gnuradio/pybombs.git

pybombs recipes add gr-recipes git+https://github.com/gnuradio/gr-recipes.git 
pybombs recipes add gr-etcetera git+https://github.com/gnuradio/gr-etcetera.git

pybombs prefix init /usr/local -a myprefix -R gnuradio-default
pybombs install gqrx gr-osmosdr uhd

2.3 Installing the dependencies required by Lime_Suite

#packages for soapysdr available at myriadrf PPA
sudo add-apt-repository -y ppa:myriadrf/drivers
sudo apt-get update

#install core library and build dependencies
sudo apt-get install git g++ cmake libsqlite3-dev

#install hardware support dependencies
sudo apt-get install libsoapysdr-dev libi2c-dev libusb-1.0-0-dev

#install graphics dependencies
sudo apt-get install libwxgtk3.0-dev freeglut3-dev

The source build that follows is the same as the one under OSX:

2.4 Building LimeSuite from source

git clone https://github.com/myriadrf/LimeSuite.git
cd LimeSuite
mkdir builddir && cd builddir
cmake ../
make -j4
sudo make install


Run LimeSuiteGUI to start the graphical interface for the LimeSDR:

LimeSuiteGUI

2.5 Building the UHD driver from source and adding UHD support for the LimeSDR

Building UHD + OpenUSRP from source:

git clone https://github.com/EttusResearch/uhd.git
cd uhd/host/lib/usrp
git clone https://github.com/jocover/OpenUSRP.git
echo "INCLUDE_SUBDIRECTORY(OpenUSRP)">>CMakeLists.txt
cd ../../
mkdir build && cd build
cmake ..
make -j4
sudo make install
sudo ldconfig

2.6 Adding environment variables

echo 'export UHD_MODULE_PATH=/usr/lib/uhd/modules' >> ~/.bashrc

2.7 Testing with GNU Radio

wget http://www.0xroot.cn/SDR/signal-record.grc
gnuradio-companion signal-record.grc


0x03 Reference

http://www.cnx-software.com/2016/04/29/limesdr-open-source-hardware-software-defined-radio-goes-for-199-and-up-crowdfunding/

https://wiki.myriadrf.org/Lime_Suite

http://linuxgizmos.com/open-source-sdr-sbc-runs-snappy-ubuntu-on-cyclone-v/

Getting started with 3G | ip.access nano3G+OpenBSC+Osmocom-bb Part 1


An English version can be found at Osmocom.org:

https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5_–_unicornteam

0x01 Environment setup

PC: Ubuntu 16.04

Hardware: ip.access nano3G

Software: Osmocom

1.1 Installing the cross-compilation toolchain

sudo apt-get update

sudo apt-get install libtool shtool autoconf git-core pkg-config make gcc build-essential libgmp3-dev libmpfr-dev libx11-6 libx11-dev texinfo flex bison libncurses5 libncurses5-dbg libusb-0.1-4 libpcsclite1 libccid pcscd libncurses5-dev libncursesw5 libncursesw5-dbg libncursesw5-dev zlibc zlib1g-dev libmpfr4 libmpc-dev libpcsclite-dev 
sudo ldconfig

mkdir osm
cd osm
mkdir build install src
wget http://bb.osmocom.org/trac/raw-attachment/wiki/GnuArmToolchain/gnu-arm-build.3.sh
cd src
wget http://ftp.gnu.org/gnu/gcc/gcc-4.8.2/gcc-4.8.2.tar.bz2
wget http://ftp.gnu.org/gnu/binutils/binutils-2.21.1a.tar.bz2
wget ftp://sources.redhat.com/pub/newlib/newlib-1.19.0.tar.gz

cd ..
chmod +x gnu-arm-build.3.sh
sudo bash gnu-arm-build.3.sh

1.2 Setting the cross-compilation environment variables

cd install/bin
pwd

vi ~/.bashrc
# add this line, replacing <your-username> with your login name
export PATH=$PATH:/home/<your-username>/osm/install/bin

# save and quit, then reload
source ~/.bashrc

0x02 Building CalypsoBTS from source

2.1 Building libosmo-dsp

git clone git://git.osmocom.org/libosmo-dsp.git
cd libosmo-dsp/
autoreconf -i
./configure
make
sudo make install
cd ..

2.2 Building osmocom-bb

git clone git://git.osmocom.org/osmocom-bb.git trx
cd trx/
git checkout jolly/testing
cd src/

# TX support is required:
# uncomment 'CFLAGS += -DCONFIG_TX_ENABLE' in target/firmware/Makefile
# and enable transceiver support when running make
make HOST_layer23_CONFARGS=--enable-transceiver

2.3 Installing dependencies

sudo apt-get install sqlite3 libdbi-dev libdbd-sqlite3 libsctp-dev

2.4 Building Ortp

wget http://download.savannah.gnu.org/releases/linphone/ortp/sources/ortp-0.22.0.tar.gz
tar -xvf ortp-0.22.0.tar.gz
cd ortp-0.22.0/
./configure
make
sudo make install
sudo ldconfig
cd ..

2.5 Building libosmo-abis

git clone git://git.osmocom.org/libosmo-abis.git
cd libosmo-abis
autoreconf -i
./configure
make
sudo make install
sudo ldconfig
cd ..

2.6 Building libosmo-netif

git clone git://git.osmocom.org/libosmo-netif.git
cd libosmo-netif/
autoreconf -i
./configure
make
sudo make install
sudo ldconfig
cd ..

2.7 Building openbsc

Building OpenBSC requires the PCAP library; search for and install the dependency packages first:

apt-cache search PCAP
sudo apt-get install libpcap-dev libpcap0.8 libpcap0.8-dbg libpcap0.8-dev
sudo ldconfig

git clone git://git.osmocom.org/openbsc.git
cd openbsc/openbsc/
autoreconf -i
./configure
make
sudo make install
cd ../..

2.8 Building osmo-bts

git clone git://git.osmocom.org/osmo-bts.git
cd osmo-bts
autoreconf -i
./configure --enable-trx
make
sudo make install
cd ..

2.9 Creating the OpenBSC configuration files

# Create the configuration folder and empty config files if they don't exist yet
mkdir ~/.osmocom
cd ~/.osmocom
touch ~/.osmocom/open-bsc.cfg
touch ~/.osmocom/osmo-bts.cfg

0x03 Building the Cellular Infrastructure from source

3.1 Cloning the sources

git clone git://git.osmocom.org/libosmocore
git clone git://git.osmocom.org/libosmo-abis
git clone git://git.osmocom.org/openbsc
git clone git://git.osmocom.org/libosmo-netif
git clone git://git.osmocom.org/libosmo-sccp
git clone git://git.osmocom.org/libsmpp34
git clone git://git.osmocom.org/openggsn

3.2 Downloading and running the automatic build script

wget https://osmocom.org/attachments/download/2438/build_2G.sh
chmod 777  build_2G.sh
sudo bash build_2G.sh

0x04 Configuring OpenBSC

4.1 Starting the BTS

Terminal 1:

osmo-nitb -c ~/.osmocom/open-bsc.cfg -l ~/.osmocom/hlr.sqlite3 -P -C --debug=DRLL:DCC:DMM:DRR:DRSL:DNM

Terminal 2:

telnet localhost 4242


4.2 Configuring IP addresses

PC IP: 192.168.31.147 (connected via WiFi)

Router IP: 192.168.31.1

3G Access Point IP: unknown

Method 1: log in to the router's admin page and look up the 3G Access Point's IP in the client list (screenshot in the original post).

Method 2: find the 3G Access Point's IP with abisip-find

cd openbsc/openbsc/src/ipaccess
# or
cd openbsc/openbsc/build-2G/src/ipaccess

sudo ./abisip-find


4.3 Telnet into the 3G Access Point

telnet <IP of the 3G Access Point> 8090

4.4 SSH into the 3G Access Point

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.31.136
password:newsys


ipaccess-config

init3@0xroot:~/osm/openbsc/openbsc/src/ipaccess$ ./ipaccess-config --help
ipaccess-config (C) 2009-2010 by Harald Welte and others
This is FREE SOFTWARE with ABSOLUTELY NO WARRANTY

Usage: ipaccess-config IP_OF_BTS
Commands for writing to the BTS:
  -u --unit-id UNIT_ID        Set the Unit ID of the BTS
  -o --oml-ip IP        Set primary OML IP (IP of your BSC)
  -i --ip-address IP/MASK    Set static IP address + netmask of BTS
  -g --ip-gateway IP        Set static IP gateway of BTS
  -r --restart            Restart the BTS (after other operations)
  -n --nvram-flags FLAGS/MASK    Set NVRAM attributes
  -S --nvattr-set FLAG    Set one additional NVRAM attribute
  -U --nvattr-unset FLAG    Set one additional NVRAM attribute
  -l --listen TESTNR        Perform specified test number
  -L --Listen TEST_NAME        Perform specified test
  -s --stream-id ID        Set the IPA Stream Identifier for OML
  -d --software FIRMWARE    Download firmware into BTS

Miscellaneous commands:
  -h --help            this text
  -H --HELP            Print parameter details.
  -f --firmware FIRMWARE    Provide firmware information
  -w --write-firmware        This will dump the firmware parts to the filesystem. Use with -f.
  -p --loop            Loop the tests executed with the --listen command.

ipaccess-proxy

init3@0xroot:~/osm/openbsc/openbsc/src/ipaccess$ ./ipaccess-proxy --help
Usage: ipaccess-proxy [options]
 ipaccess-proxy is a proxy BTS.
 -h --help. This help text.
 -l --listen IP. The ip to listen to.
 -b --bsc IP. The BSC IP address.
 -g --gprs IP. Take GPRS NS from that IP.

 -s --disable-color. Disable the color inside the logging message.
 -e --log-level number. Set the global loglevel.
 -T --timestamp. Prefix every log message with a timestamp.
 -V --version. Print the version of OpenBSC.

0x05 Reference

https://osmocom.org/projects/cellular-infrastructure/wiki/Build_from_Source

http://osmocom.org/projects/baseband/wiki/CalypsoBTS

https://osmocom.org/projects/cellular-infrastructure/wiki/Getting_Started_with_3G

https://osmocom.org/projects/osmocscn/wiki/Osmocom_3G_-_Getting_Started/3

https://osmocom.org/projects/cellular-infrastructure/wiki/Configuring_the_ipaccess_nano3G

Metasploit’s RF Transceiver Capabilities

https://community.rapid7.com/community/metasploit/blog/2017/03/21/metasploits-rf-transceiver-capabilities

The rise of the Internet of Things

We spend a lot of time monitoring our corporate networks and use many tools to detect anomalous behaviour. We constantly scan for vulnerabilities and publish test results. However, we often fail to recognize the small (and sometimes large) Internet of Things (IoT) devices on our own networks and in our homes. Alarmingly, considering how pervasive they are, these devices are not easy to test.

RF (Radio Frequency): in this article generally refers to wireless radio-frequency communication.

Although difficult, it is technically possible to discover and identify some of these IoT devices through their Ethernet-side connection. But that does not give us a full picture of the risk these devices pose to consumers or enterprises. When you assess only Ethernet-connected devices, you may miss wireless systems that have a major impact on enterprise security. Wireless systems often control alarm systems, surveillance, door access, server-room HVAC controls and many other areas.

This leaves us with one very critical question: how do you really determine the risk of these devices?

Start with the basics:

  • What do these connected devices do?
  • What is their range?
  • Does the device have wireless capabilities?

Traditionally, we often perform periodic scans of our 802.11 wireless networks to make sure the access points are secure and the network does not leak too far. We can monitor the APs and deploy overlapping ones so that coverage survives if one goes down or gets interference from nearby electromagnetic sources. But if you ask "what about the other wireless bands?", that is exactly the area and direction we want to study.

Perhaps you are already using radio frequencies outside the 802.11 standard for other reasons. A remote garage door opener? RFID card readers, wireless security systems, Zigbee-controlled lights or HVAC systems.

What are the frequency ranges of these devices? Are they encrypted or otherwise protected? What happens when they are jammed? Do they fail closed or fail open?

The inability to answer these questions effectively is the real reason we are releasing the radio-frequency (RF) transceiver for Metasploit's Hardware Bridge, and why we believe it will be a critical tool for security researchers and penetration testers in understanding their actual attack surface.

Now security teams will be able to perform a more realistic assessment of a company's security posture, test physical security controls, and better understand the security of IoT and other devices.

Much of the activity undertaken in the name of security research can be contentious or hard to understand. But RF testing is certainly the right direction: as we see more and more technologies leveraging RF communications, this research area is becoming more common and more prevalent.

The most common criticism of any technology developed for security testing is that it can easily be abused by attackers. The common response in the security community is: if attackers are already exploiting it, then only by understanding what they are doing, effectively replicating their methods and demonstrating the potential impact of the attacks can we take the necessary steps to stop them.

This is the logic behind Metasploit, and what drives Rapid7's extensive vulnerability research. It is also why the RF transceiver exists. We firmly believe that RF testing is a very important (though still overlooked) part of vulnerability testing, and that its importance will keep growing as the IoT ecosystem expands.

One case: in 2016, Rapid7's Jay Radcliffe disclosed multiple vulnerabilities in Johnson & Johnson's Animas OneTouch Ping insulin pump.

Attack demonstration video: https://v.qq.com/iframe/player.html?vid=h0387fb90nt&width=986&height=739.5&auto=0

The pump has a blood glucose meter that serves as a remote control over radio frequency using a proprietary wireless management protocol. Communication between the pump and the remote is transmitted in cleartext rather than encrypted. This creates an opportunity for an attacker with the right technical means and resources to spoof the short-range remote and trigger unauthorized insulin injections.

Although Jay considered the likelihood of attackers exploiting these vulnerabilities to be low, they could seriously harm patients using the technology. Fortunately, Jay found the problem in time and advised Johnson & Johnson, which notified patients so they could mitigate the risk. Without RF testing, these vulnerabilities might have persisted and patients would have had no way to choose to protect themselves.

REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F .....Z..L...
REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F .....Z..L...
PUMP: 00 00 FF 00 1A D1 81 81 ........
REMOTE: 20 00 0E 00 BF DB CC 6F ......o
PUMP: 03 00 F1 04 16 B9 B9 87 2C 01 00 00 ........,...
REMOTE: 03 00 F8 00 31 FD C9 EE ....1...
PUMP: 03 00 07 04 88 76 DA DD 2C 01 00 00 .....v..,...
REMOTE: 03 00 12 00 F0 30 0E FC .....0..
PUMP: 20 00 ED 12 E7 BC 93 43 01 01 27 05 26 02 8F 00 ......C..'.&...
PUMP: 57 45 45 4B 44 41 59 00 00 00 WEEKDAY...
PUMP: 05 00 EA 00 D5 8F 84 B3

Sample packets from the pump/remote exchange
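The dump above is what makes the cleartext point concrete. As an added example (not Rapid7's or Jay Radcliffe's code), the following Python parses those capture lines (reproduced inline as constructed sample input), reconstructs each frame's bytes, and applies two cheap defender-side checks an assessor would run on any captured RF protocol: whether byte-identical frames repeat (a sign the protocol carries no counter or nonce, so nothing distinguishes a fresh command from an old one) and whether printable ASCII such as the "WEEKDAY" string appears in the payload, which is a strong hint that the link is unencrypted. The line format (a direction tag, hex bytes, then an ASCII rendering) and the 4-character threshold for a "string" are assumptions of this example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample input: the REMOTE/PUMP lines reproduced from the dump above.
SAMPLE_DUMP = """\
REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F .....Z..L...
REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F .....Z..L...
PUMP: 00 00 FF 00 1A D1 81 81 ........
REMOTE: 20 00 0E 00 BF DB CC 6F ......o
PUMP: 03 00 F1 04 16 B9 B9 87 2C 01 00 00 ........,...
REMOTE: 03 00 F8 00 31 FD C9 EE ....1...
PUMP: 03 00 07 04 88 76 DA DD 2C 01 00 00 .....v..,...
REMOTE: 03 00 12 00 F0 30 0E FC .....0..
PUMP: 20 00 ED 12 E7 BC 93 43 01 01 27 05 26 02 8F 00 ......C..'.&...
PUMP: 57 45 45 4B 44 41 59 00 00 00 WEEKDAY...
PUMP: 05 00 EA 00 D5 8F 84 B3
"""

# "<SOURCE>: <hex pairs>" followed by an optional ASCII rendering that the
# regex stops at, because its tokens are not two-digit hex pairs (assumption).
LINE_RE = re.compile(
    r"^(?P<src>[A-Z]+):\s+(?P<hex>(?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})"
)

Frame = Tuple[str, bytes]


def parse_dump(text: str) -> List[Frame]:
    """Turn each capture line into (source, raw_bytes); non-matching lines are skipped."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append((m.group("src"), bytes.fromhex(m.group("hex"))))
    return frames


def repeated_frames(frames: List[Frame]) -> Dict[Frame, int]:
    """Frames that occur more than once, byte for byte. A repeat means the
    protocol has no freshness (counter, nonce, timestamp) in the frame."""
    counts = Counter(frames)
    return {frame: n for frame, n in counts.items() if n > 1}


def printable_runs(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of at least MIN_LEN printable ASCII bytes. Encrypted payloads
    almost never contain such runs; cleartext protocols routinely do."""
    runs: List[str] = []
    cur: List[str] = []
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(chr(b))
        else:
            if len(cur) >= min_len:
                runs.append("".join(cur))
            cur = []
    if len(cur) >= min_len:
        runs.append("".join(cur))
    return runs


def assess(text: str) -> Dict[str, object]:
    """Summarize the capture for an assessment report."""
    frames = parse_dump(text)
    return {
        "frame_count": len(frames),
        "by_source": dict(Counter(src for src, _ in frames)),
        "repeated": len(repeated_frames(frames)),
        "ascii_strings": [s for _, data in frames for s in printable_runs(data)],
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On the sample dump the report shows 11 frames (5 from the remote, 6 from the pump), one frame sent twice by the remote with no change between the copies, and the literal string "WEEKDAY" in a pump frame; together those two observations are the evidence behind the "cleartext, spoofable" finding in the text, and the same script applied to a capture from your own RF devices tells you quickly whether they deserve the same finding.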

How it works

Before explaining how it works, a quick note: Rapid7 does not sell the hardware required for RF testing. It can be obtained anywhere, for example Hacker Warehouse, Hak5, Taobao, JD.com, Amazon or any electronics store that carries wireless equipment.

With the RF transceiver, security professionals can craft and monitor different RF packets to properly identify and access a company's wireless systems beyond the Ethernet-reachable ones.

The first RF transceiver release supports the TI cc11xx low-power Sub-1GHz RF transceiver. It can tune the device to identify and demodulate signals, and can even create short bursts of interference to identify failure states. This release also provides a full API compatible with the popular RfCat Python framework for the TI cc11xx chipsets, so if your existing programs use RfCat you can easily port them to Metasploit. The release ships with two post modules: an amplitude-modulation brute forcer (rfpwnon) and a generic transmitter (transmitter).

How to use the RF Transceiver

Using the new RF transceiver requires an RfCat-compatible device such as the Yard Stick One. Then download the latest RfCat drivers; among them you will find rfcat_msfrelay, the Metasploit Framework relay server for RfCat. Run it on the system that has the RfCat-compatible device attached.

You can then connect to the hardware bridge:

$./msfconsole -q
msf > use auxiliary/client/hwbridge/connect
msf auxiliary(connect) > run

[*] Attempting to connect to 127.0.0.1...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-02-16 20:04:57 -0600
[+] HWBridge session established
[*] HW Specialty: {"rftransceiver"=>true} Capabilities: {"cc11xx"=>true}
[!] NOTICE: You are about to leave the matrix. All actions performed on this hardware bridge
[!] could have real world consequences. Use this module in a controlled testing
[!] environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf auxiliary(connect) > sessions

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 hwbridge cmd/hardware rftransceiver 127.0.0.1 -> 127.0.0.1 (127.0.0.1)

msf auxiliary(connect) > sessions -i 1
[*] Starting interaction with 1...

hwbridge > status
[*] Operational: Yes
[*] Device: YARDSTICKONE
[*] FW Version: 450
[*] HW Version: 0348

To learn more about the RF Transceiver, download the latest Metasploit here:

https://www.rapid7.com/products/metasploit/download/community

The rise of the Internet of Things

We spend a lot of time monitoring our corporate networks. We have many tools to detect strange behaviors. We scan for vulnerabilities. We measure our exposure constantly. However, we often fail to recognize the small (and sometimes big) Internet of Things (IoT) devices that are all around our network, employees, and employees’ homes. Somewhat alarmingly – considering their pervasiveness — these devices aren’t always the easiest to test.

Though often difficult, it is technically possible to find and identify some of these IoT devices via their Ethernet side connection. But that doesn’t always give us a full picture of the risk these devices present to consumers or organizations. When assessing only Ethernet connected devices you can miss the wireless world that can have a major impact on the security of your organization. Wireless systems often control alarm systems, surveillance monitoring, door access, server room HVAC controls, and many other areas.

Which leaves us with one very critical question: how do you really determine the risk of these devices?

Let’s start with the basics:

  • What do these connected devices do?
  • What is the range of exposure of these devices?
  • Does the device have wireless capabilities?

Traditionally, we often perform perimeter scans of our 802.11 wireless networks to ensure our Access Points are secure and the network bleed isn’t too large. We can monitor these Access Points (APs) to create overlap in case one goes down or gets interference from a nearby kitchen microwave.

However, if you’re asking yourself, “but what about the rest of the wireless spectrum?” that’s exactly the position we found ourselves in.

Radio, radio, everywhere

Chances are your company and employees are already using many other radio frequencies (RFs) outside of the standard 802.11 network for various reasons. Perhaps you have a garage door with a wireless opener? Company vehicle key fobs? Not to mention RFID card readers, wireless security systems, Zigbee controlled lights, or HVAC systems.

What are the ranges for these devices? Are they encrypted or protected? What happens when they receive interference? Do they fail in a closed or open state?

The inability to effectively answer these questions (easily or even at all) is the very reason we are releasing the RFTransceiver extension for Metasploit’s Hardware Bridge, and why we think this will be a critical tool for security researchers and penetration testers in understanding the actual attack surface.

Now, security teams will be able to perform a much broader assessment of a company’s true security posture. They will be able to test physical security controls and better understand when foreign IoT and other devices are brought onto the premises.

Sunlight is the best disinfectant

Much of the activity undertaken in the name of security research can be contentious, divisive, or hard to understand. This is certainly true of RF testing, an area of research becoming both more prevalent and increasingly necessary as we see more and more technologies leveraging RF communications.

The most common criticism of any technology created for the purpose of security testing is that bad guys could use it to do bad things. The most common response from the security research community is that the bad guys are already doing bad things, and that it’s only when we understand what they’re doing, can effectively replicate it, and demonstrate the potential impact of attacks, that we can take the necessary steps to stop them. Sunlight is the best disinfectant.

This is the logic behind Metasploit, as well as what drives Rapid7’s extensive vulnerability research efforts. It is also the reasoning behind the RFTransceiver. We strongly believe that RF testing is an incredibly important – though currently often overlooked – component of vulnerability testing. We believe that failing to test the usage of radio frequency in products puts people and organizations at risk. We also believe the importance of RF testing will continue to escalate as the IoT ecosystem further expands.

To provide an example of this kind of testing, in 2016, Rapid7’s Jay Radcliffe disclosed vulnerabilities in Johnson & Johnson’s Animas OneTouch Ping insulin pump. The popular pump has a blood glucose meter that serves as a remote control via radio frequency in a proprietary wireless management protocol. Communications between the pump and the remote control are sent in cleartext, rather than being encrypted. This creates an opportunity for an attacker with the right technical skills and resources, opportunity, and motive to spoof the Meter Remote and trigger unauthorized insulin injections.

While Jay considered the likelihood of an attacker exploiting these vulnerabilities in the wild to be quite low, it could seriously harm a patient using the technology. Fortunately, Jay’s research uncovered the problem and he was able to work with Johnson & Johnson to notify patients and advise them of ways to mitigate the risk. Without RF testing, these vulnerabilities would have continued to go unnoticed, and patients would not have the opportunity to make informed choices to protect themselves.

How it works

Just one quick author’s note before we get into the ‘how-to’ portion. Rapid7 does not sell the hardware required to perform RF testing. The required hardware can be found at any number of places, including Hacker Warehouse, Hak5, or any electronics store that carries software defined radios or RF transmitter hobbyist equipment.

With the RFTransceiver, security pros have the ability to craft and monitor different RF packets to properly identify and access a company’s wireless systems beyond Ethernet accessible technologies.

The first RFTransceiver release supports the TI cc11xx Low-Power Sub-1GHz RF Transceiver. The RFTransceiver extension makes it possible to tune your device to identify and demodulate signals. You can even create short bursts of interference to identify failure states. This release provides a full API that is compatible with the popular RfCat python framework for the TI cc11xx chipsets. If you have existing programs that use RfCat you should be able to port those into Metasploit without much difficulty. This release comes with two post modules: an Amplitude Modulation based brute forcer (rfpwnon) and a generic transmitter (transmitter).

How to use RFTransceiver

Using the new RFTransceiver extension requires the purchase of an RfCat-compatible device like the Yard Stick One. Then download the latest RfCat drivers, included with those drivers you will find rfcat_msfrelay. This is the Metasploit Framework relay server for RfCat. Run this on the system with the RfCat compatible device attached.

Then you can connect with the hardware bridge:

./msfconsole -q
msf > use auxiliary/client/hwbridge/connect
msf auxiliary(connect) > run

[*] Attempting to connect to 127.0.0.1...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-02-16 20:04:57 -0600
[+] HWBridge session established
[*] HW Specialty: {"rftransceiver"=>true}  Capabilities: {"cc11xx"=>true}
[!] NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge
[!]          could have real world consequences.  Use this module in a controlled testing
[!]          environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf auxiliary(connect) > sessions

Active sessions
===============

Id  Type                   Information    Connection
--  ----                   -----------    ----------
1   hwbridge cmd/hardware  rftransceiver  127.0.0.1 -> 127.0.0.1 (127.0.0.1)

msf auxiliary(connect) > sessions -i 1
[*] Starting interaction with 1...

hwbridge > status
[*] Operational: Yes
[*] Device: YARDSTICKONE
[*] FW Version: 450
[*] HW Version: 0348

To learn more about the RFTransceiver, you can download the latest Metasploit here: https://www.rapid7.com/products/metasploit/download/community/