W00t3k/Awesome-Cellular-Hacking

Awesome Cellular Hacking - Complete Collection 2025

A comprehensive curated list of resources for 2G/3G/4G/5G cellular security research and analysis

This repository consolidates community knowledge in the cellular security space, including exploits, research papers, tools, and educational resources. The goal is to preserve and organize important security research that might otherwise become difficult to find.

⚠️ Disclaimer: This information is intended for educational and defensive security research purposes only. Use responsibly and in compliance with applicable laws and regulations.

📋 Table of Contents

🏗️ Rogue Base Stations

GSM/CDMA Traffic Impersonation and Interception

🆕 Recent Updates (2024-2025)

Latest Base Station Software & Tools

🛠️ Software & Tools

Base Station Software

| Software | Description | Link |
|---|---|---|
| OpenBTS (2024 Reloaded) | Linux application using SDR to present the 3GPP air interface (updated for modern systems) | GitHub |
| OpenBTS (Original) | Original Range Networks implementation | SourceForge |
| YateBTS | GSM/GPRS radio access network implementation | Website |
| srsRAN Project | Open-source 5G O-RAN CU/DU software suite | GitHub |
| srsRAN 4G | Open-source 4G software radio suite | GitHub |
| OpenAirInterface | Complete 4G/5G protocol stack implementation | Website |

Configuration Guides

Analysis Tools

  • LTE-Cell-Scanner - LTE cell detection and analysis
  • gr-gsm - GSM analysis with GNU Radio
  • IMSI-Catcher Detector - Android app for detecting IMSI catchers
  • QCSuper - Capture 2G-4G traffic using Qualcomm phones
  • 5GBaseChecker - Tool for detecting vulnerabilities in 5G baseband implementations (2024)
  • FALCON LTE - Fast Analysis of LTE Control Channels for real-time analysis
  • Kalibrate - GSM base station scanner and frequency calibration tool
  • LTE Sniffer - Open-source LTE downlink/uplink eavesdropper
  • OsmocomBB - Free firmware for mobile phone baseband processors
  • Modmobmap - Mobile network mapping
  • Modmobjam - Mobile jamming research

🔧 Hardware Setup

USRP Installation on Linux

```bash
# Add Ettus Research repository
sudo add-apt-repository ppa:ettusresearch/uhd
sudo apt-get update

# Install UHD drivers and tools
sudo apt-get install libuhd-dev libuhd003 uhd-host

# Find connected devices
uhd_find_devices

# Download firmware images (B-series devices need these before they can be probed)
cd /usr/lib/uhd/utils/
./uhd_images_downloader.py

# Test device connection
sudo uhd_usrp_probe
```

Expected Output

```text
[INFO] [UHD] linux; GNU C++ version 7.4.0; Boost_106501; UHD_3.14.1.1-release
[INFO] [B200] Detected Device: B*****
[INFO] [B200] Operating over USB 3.
[INFO] [B200] Initialize CODEC control...
[INFO] [B200] Initialize Radio control...
[INFO] [B200] Performing register loopback test...
[INFO] [B200] Register loopback test passed
```

SDR Hardware Options

| Hardware | Frequency Range | Bandwidth | Price Range | Use Case | Link |
|---|---|---|---|---|---|
| **Ettus Research (USRP)** | | | | | |
| USRP B210 | 70 MHz - 6 GHz | 61.44 MHz | $2,100 | Professional development, 2x2 MIMO | Ettus |
| USRP B200mini | 70 MHz - 6 GHz | 61.44 MHz | $775 | Compact USRP B-series | Ettus |
| USRP N210 | DC - 6 GHz | 25 MHz | $1,700 | High-performance networked SDR | Ettus |
| USRP N320 | 1 MHz - 6 GHz | 200 MHz | $8,000 | High-end networked 2x2 MIMO | Ettus |
| USRP X310 | DC - 6 GHz | 160 MHz | $6,000 | High-performance desktop/rack | Ettus |
| USRP X410 | 1 MHz - 7.2 GHz | 400 MHz | $15,000 | Latest high-performance 4x4 MIMO | Ettus |
| USRP X440 | 30 MHz - 4 GHz | 1.6 GHz | $25,000+ | Latest 8x8 MIMO RFSoC platform | Ettus |
| USRP E320 | 70 MHz - 6 GHz | 56 MHz | $4,000 | Embedded 2x2 MIMO SDR | Ettus |
| **Nuand (BladeRF)** | | | | | |
| BladeRF 2.0 xA4 | 47 MHz - 6 GHz | 61.44 MHz | $420 | Budget 2x2 MIMO development | Nuand |
| BladeRF 2.0 xA9 | 47 MHz - 6 GHz | 61.44 MHz | $720 | High FPGA resources, 2x2 MIMO | Nuand |
| BladeRF x40 (Legacy) | 300 MHz - 3.8 GHz | 40 MHz | $400 | Entry-level legacy model | Nuand |
| **Great Scott Gadgets** | | | | | |
| HackRF One | 1 MHz - 6 GHz | 20 MHz | $350 | Budget TX/RX development | GSG |
| YARD Stick One | 300-348, 391-464, 782-928 MHz | 2.5 MHz | $110 | Sub-GHz IoT frequencies | GSG |
| **Lime Microsystems** | | | | | |
| LimeSDR USB | 100 kHz - 3.8 GHz | 61.44 MHz | $289 | Open-source 2x2 MIMO | Lime Micro |
| LimeSDR Mini | 10 MHz - 3.5 GHz | 30.72 MHz | $139 | Compact LimeSDR variant | Lime Micro |
| LimeSDR Mini 2.0 | 10 MHz - 3.5 GHz | 30.72 MHz | $169 | Updated with ECP5 FPGA | Lime Micro |
| LimeSDR X3 | Various bands | Up to 61.44 MHz | $3,000+ | Professional 3x transceiver PCIe | Lime Micro |
| **Analog Devices** | | | | | |
| PlutoSDR | 325 MHz - 3.8 GHz | 20 MHz | $150 | Education and learning platform | Analog Devices |
| **RTL-SDR Blog** | | | | | |
| RTL-SDR V3 | 500 kHz - 1.75 GHz | 3.2 MHz | $35 | Ultra-budget RX-only scanner | RTL-SDR |
| RTL-SDR V4 | 500 kHz - 1.75 GHz | 3.2 MHz | $40 | Latest RTL-SDR with R828D | RTL-SDR |
| **Airspy** | | | | | |
| Airspy R2 | 24 MHz - 1.8 GHz | 10 MHz | $200 | High-performance VHF/UHF scanner | Airspy |
| Airspy Mini | 24 MHz - 1.8 GHz | 6 MHz | $99 | Compact Airspy in dongle format | Airspy |
| Airspy HF+ Discovery | 9 kHz - 31 MHz, 60-260 MHz | 768 kHz | $169 | Dedicated HF reception | Airspy |
| **SDRplay** | | | | | |
| RSP1A | 1 kHz - 2 GHz | 10 MHz | $119 | Wideband general purpose | SDRplay |
| RSPdx | 1 kHz - 2 GHz | 10 MHz | $299 | Professional features, dual antenna | SDRplay |
| **Red Pitaya** | | | | | |
| STEMlab 125-14 | DC - 60 MHz | 50 MHz | $600 | HF transceiver, lab instrument | Red Pitaya |
| STEMlab 122-16 | DC - 50 MHz | Variable | $625 | High-resolution HF SDR/scope | Red Pitaya |

Common SDR Issues & Troubleshooting

| Issue | Possible Causes |
|---|---|
| Device not detected | Improper firmware, USB connection issues |
| Poor signal quality | Incorrect antennas, wrong frequency configuration |
| Connection failures | Wrong SIM, incorrect MCC/MNC codes |
| Performance issues | Virtualized platform limitations, wrong SDR firmware |

🔬 Testing & Research Methodologies

Modern Baseband Fuzzing (2024)

  • Budget-Friendly Baseband Fuzzing Setup - DefCon 32 2024

    Guidelines for building cost-effective baseband fuzzing rigs using Software Defined Radios (SDRs). Includes methods for:

    • Firmware acquisition and reverse engineering
    • Using Large Language Models to accelerate protocol parser development
    • Testing automotive ECUs, payment terminals, and mobile devices
    • Practical vulnerability assessment in ISP networks

Vulnerability Research Tools

  • 5GBaseChecker - Automated 5G baseband vulnerability detection
  • certmitm - TLS hacking tool for finding insecure implementations

⚔️ Attack Vectors

Radio Jamming Attacks

From NIST SP 800-187:

  • Smart Jamming: Targeted channel interference timed to avoid detection
  • Dumb Jamming: Broadband noise transmission across frequency ranges
  • UE Interface Jamming: Preventing UE signaling to eNodeB
  • eNodeB Interface Jamming: Disrupting base station communications

5G Security Research

LTE/4G Security Research

🎤 Conference Talks

Black Hat 2024

  • 5G Baseband Vulnerability Research by Penn State

    Researchers from Pennsylvania State University presented findings on 12 vulnerabilities in 5G basebands made by Samsung, MediaTek, and Qualcomm, affecting phones by Google, OPPO, OnePlus, Motorola, and Samsung. They released the 5GBaseChecker tool on GitHub for vulnerability research.

DefCon 32 (2024)

  • Economizing Mobile Network Warfare: Budget-Friendly Baseband Fuzzing by Janne Taponen

    Explores the role of Software Defined Radios (SDRs) in making baseband fuzzing accessible and affordable. Covers building cost-effective baseband fuzzing rigs, using Large Language Models to accelerate protocol parser development, and discovering vulnerabilities in device radio access network (RAN) interfaces across automotive ECUs, payment terminals, cellular modems, and mobile phones.

Black Hat 2022

Black Hat 2021

TROOPERS 2013

Additional Conference Resources

📚 Research Papers

NDSS 2025

  • Starshields for iOS: Navigating the Security Cosmos in Satellite Communication

    First comprehensive security analysis of Apple's satellite communication features for iPhones. Researchers reverse-engineered Apple's proprietary satellite protocol, analyzed security/privacy properties, demonstrated restriction bypasses, and created a simulation testbed. Covers Emergency SOS, Find My, roadside assistance, and iMessage/SMS over satellite.

2024 Research

  • 5GBaseChecker Tool Release - Penn State University

    Open-source tool for detecting vulnerabilities in 5G baseband implementations. Used to discover 12 critical vulnerabilities in Samsung, MediaTek, and Qualcomm basebands.

📊 Equipment & Hardware

Research Equipment Used in "Over The Air Baseband Exploit"

| Component | Purpose | Link |
|---|---|---|
| Ettus USRP B210 | Software Defined Radio | Product Page |
| srsENB | 4G/5G Base Station Software | GitHub |
| Open5GS | 5G Core Network | GitHub |
| sysmo-usim-tool | SIM Programming | Project Page |
| pysim | SIM Analysis Tool | GitHub |
| CoIMS | VoLTE Testing | Play Store |
| Docker Open5GS | Containerized Core | Tutorial |

🛡️ Detection & Defense

🚨 Protection from Stingrays & IMSI Catchers

  • CellGuard - NEW 2024 🔥

    Advanced iOS app that detects rogue base stations and cellular attacks targeting iPhones. Analyzes baseband packets in real-time to identify suspicious activities and IMSI catchers. Developed by SEEMOO lab with cutting-edge research into cellular surveillance detection.

    • Real-time baseband packet analysis
    • Suspicious activity detection algorithms
    • Integration with Apple Cell Location Database
    • TestFlight beta available for testing
    • Website & Documentation
    • TestFlight Beta

IMSI Catcher Detection & Research

Security Alerts & Advisories

📱 Cellular IoT & NB-IoT Security

🛰️ Satellite-Cellular Integration

🏢 Private 5G Network Security

🌐 Network Slicing & Edge Security

🚗 Automotive & Industrial Cellular

🔍 Forensics & Investigation

🚨 Vulnerability Disclosure

💳 SIM Security

🏢 SS7 & Telecom Infrastructure

📡 Surveillance Technology

Stingray/IMSI Catchers

🆕 Recent CVEs & Updates

🌍 International Research

🎓 Training & Education

🏭 Vendor-Specific Research

🌐 Roaming & Interconnect Security

🔗 Resources

Development & Analysis Tools

Research Collections

Legal & Regulatory

📚 Additional Reading

🤝 Contributing

This is a community-driven project. To contribute:

  1. Fork the repository
  2. Add your resources with proper descriptions
  3. Ensure links are working and content is relevant
  4. Submit a pull request with a clear description

⚖️ Legal Notice

This repository is for educational and research purposes only. Users are responsible for complying with all applicable laws and regulations. The maintainers do not endorse or encourage any illegal activities.


Last Updated: June 2025
Maintainer: @W00t3k

If you find broken links or have resources to add, please open an issue or submit a pull request.