Agreed. When I started playing with this, the hardware was $1,800 but the newer instant SDR kit from Ettus is only $675 now. I'm guessing the price will continue to drop.

We really need more videos of this genre. This sort of detailed videos are so rare. Everyone wants to hack wireless but no one goes to details like you do

Yes, the Instant SDR kit from Ettus is a great way to get started. That will work great for OpenBTS. I didn't need to change antennas - I'm just using the same Vert900 antennas shown at the beginning for all the demos in this video.

@athosuk Correct. The deal is you buy a N210 (essentially the FPGA) and you get a radio transmit / receive board and antennas that work within the bands you need. (for GSM, usually 850Mhz, 900Mhz, 1.8Ghz or 1.9Ghz) The radio board I got for my N210 was the WBX which gives you 50Mhz - 2.2Ghz at 100mw. I also have the RFX900 in my two E100s which only cover 800Mhz - 1Ghz but transmit at 200mw. Obviously you will also need a computer to run OpenBTS!

Both but in this case, Ethernet. The older USRP devices are USB based. The N210 supports "UHD" which is Ethernet based.

Its actually a very active project. With falling prices on the hardware required, I'm sure we will see much more.

The N210 is an Ethernet connected device while the B100 from the Instant SDR Kit is a USB device so the big difference is the bandwidth you have between the radio and the computer. The FPGA is also bigger in the N210 as well but that won't matter for OpenBTS. Either can be used for OpenBTS so if you are just starting / testing, I'd suggest the Instant SDR Kit.

So happy to see someone who is working with the openbst project

You can get a Rubidium frequency standard for less than the cost of the USRP, I would highly recommend using one for holdover when the GPS fails if you're operating a GSM station for real. You can get one that goes on the PPS line between your GPS and your clock consumer, so the setup is practically identical to using GPS but with holdover.

In short, yes. You may come across SIMs that let you connect to a test network though. LMK when you get a working system.

@swedishvolvo No, you don't make calls to the public phone network through another phone. A VoIP provider presumably gives you phone numbers which you assign to handsets and then they make calls through the OpenBTS setup which connects to Asterisk on the host computer which connects to your VoIP provider. I hadn't assumed "other phones" in your original post meant the public telephone network only.

@whyteks Yes, on the Nexus One it does. In fact I have a T-Mobile SIM in one of the phones. I can pick my test network, camp to it and then shut down the network and then just pick T-Mobile and it camps there without a restart. After you have done this once, the phone sees my test network as a preferred network and I don't even have to select it. On other phones, things may not be so simple - camping is up to the phone, not the BTS.

Thanks. The airbands are just AM transmissions from 118-136.975 MHz. (steps of 25 kHz) The examples included in GNURadio include AM transmit / receive logic so it should just be a matter of tuning to get it going. (don't just transmit on these frequencies though - lives are obviously at stake!) There are some interesting ADS-B examples on Github as well. (receive only - also for good reason!) I don't know if I'll have time to make a video about them though - I'm working on an LTE example first!

@010675dario That's correct. The only reason you should need an external clock is if you wanted to coordinate a number of devices or use the device you have in conjunction with a public network.

Thanks for the feedback. I did another video called "Software Radio / Data Tunneling" as well.

I keep answering this question over and over - please read the comments before posting. 1 block with this radio but you can go up to 35km with the proper radio add-on.

It wasn't easy - I had lots of help from the core OpenBTS team. These days, however, it is much better supported. I believe it compiles out of the box now.

Hi Anders, nice video! I have a question if I want to do the same I need to buy USRP N210, WBX Board, cable MCX, power supply, ethernet cable and two antenas or there is something else. Thanks for your support!

@Dusty696969 Yes, you can listen but no you can't understand it - GSM transmissions are encrypted. However, if you run your own BTS and handsets decide to camp to that, you obviously have access to calls that way. It is legal to buy these in the US, but it generally isn't legal to run them on public frequencies. As with any transmitter in licensed frequencies, you need to check with the FCC and make sure you comply with regulations. The URL where you can get these is in the description.

The RFX900 will work - I have several implementations that use those. You will get slightly better signal at higher power with the RFX900. You can assume that whatever is written for the USRP N210 will work on the USRP N200 as far as OpenBTS is concerned. Best of luck with your project!

This setup didn't have it but yes, there is support for it. Its called GPRS though it is fairly under-developed at this point. (think EDGE support) Alternatively, the commercial version of OpenBTS by Range Networks supports up to 3G I believe.

@whyteks I'm sure separate boards would be better but the WBX is sufficiently isolated. I haven't had a problem yet.

You need Asterisk to manage phone calls. You can swap in Cisco Call Manager or FreeSWITCH or essentially any other SIP server that you control. OpenBTS basically converts GSM to SIP and back although the SIP stack is fairly bare-bones.

Thanks for the reply. I shall check it out. How do i ensure that no transmission happens even (just to be safe). I do own a receiver and listen using a licensed device though.

@gabrielflautista I'm not using a USRP2 here - the N210 is a UHD device. I compiled OpenBTS on a Mac and drive the N210 via Ethernet. I wouldn't suggest trying to use a Mac unless you really know what you are doing. Using a Linux machine would be better to start with.

I don't know exactly but I'm fairly sure there isn't room on the FPGA to run multiple instances together. That said, most of the GSM "stuff" is done in software on the host - the radio is just moving frames back and forth off the air. Lately I've been using OsmoBTS on this hardware - most of my experiments relate to that these days.

Yes, the Instant SDR Kit from Ettus will work just fine.

@gabrielflautista OpenBTS works fine with the USRP / USRP2 radios - that is supported in the main codebase. Support for the UHD interface is less common and AFAIK only supported in Thomas Tsau's openbts-uhd git repo.

If they are associated with your OpenBTS instance, yes. If they are associated with a public BTS such as AT&T, technically you could hear them but they are encrypted, so no.

@010675dario You would have to use more USRPs to get more concurrent calls. Of course as soon as you have more than one USRP, clock differentials become a problem so you'll probably also want to use an external clock. Fortunately, Ettus hardware supports reference clock inputs as well as MIMO operation.

thanks for the super fast reply. By the way, did you use a SIM max card for your setup or a regular SIM. My TMobile device can't seem to pickup the openBTS network.

@whyteks Yes, get the GPS kit if you can. I don't have skew enough in my clock to require cold boot but who's to say you won't too? GPS is the best way to be sure. I wouldn't think the Nexus One would connect to a test network (yes, I'm running a test network in a test country) but I wouldn't have expected it to reconnect automatically when a "real" network was also available. Seems handsets tend to ignore the test flags and happily camp away! Almost can't count how many foreign IMSIs camp!

@010675dario Up to 7 because that's how many calls you can get in the spectrum the radio tunes to. Its a limit of the GSM spec.

In this case I'm using 900 MHz but all 4 GSM bands work. There is a second open source GSM BTS project that also works on the same hardware called OsmoBTS. In my opinion it works a bit better than OpenBTS but both are in active production environments around the world.

BTW, I would not assume this project is illegal unless you are interfering with normal cellular operation - femtocells are widely available both independently and sold directly by virtually every major carrier. This device doesn't run more power than those appliances - and probably less.

Thanks Chief. While parking i just realized that the remote i use for the gate runs 433 mHz. So may be that can be another project i can work upon.

There is a strong chance your USB Ethernet adapter doesn't auto-cross the transmit and receive lines. If the Windows route doesn't work, get a crossed Ethernet cable.

I've been working with the Osmocombb project. The hardware was cheaper, I don't have the cash to get a usrp just yet. Always love working with this stuff. I watched a few of your videos and like the layout. high quality/well done.

@anders94 Yes camping is up to the phone, and most if not all phones have an easy network selection process. but as you explain so well, if the USRP clock is well off, after a cold boot and camping to openBTS, the phone may not be able to find it's home network without a reset. It's interesting your Nexus see's your BTS as preferred, as that's NOT actually something that I would want. I think I will get the GPS Kit anyway.

You should plug the Ethernet directly into your laptop. You have to use a crossed Ethernet cable or have an Ethernet port that auto-crosses. (like the ones built into the MacBook Pro) Through a switch will work but you don't want stray traffic contending for bandwidth between your computer and the USRP.

Wow. That's pretty amazing. I think I might need to get one of these. Could this decode something like analog video, for example fastscan ATV or security cameras? Or would that simply be too large in terms of bandwidth?

@digilk Make sure you have a direct connection from your n210 to your computer - use a cross cable if your computer's ethernet port doesn't auto-cross - and put any static address (192.168.1.10 for example) on your linux machine so the interface is marked up.

I don't think it supports the USRP Hardware Driver (UHD) Interface.. but any thoughts on using a LimeSDR with OpenBTS? What is the purpose of the FIR filter before the WBFM Receive PLL? When would you use the Low-Pass filter Block instead? I've seen examples where the input signal is multiplied by a cosine wave (-1.75Mhz) in order to the zero IF and spike... is that what the FIR filter is for? Also any idea why the STEREO "WBFM Receiver PLL" block has been deprecated in favor of the (MONO?) "WBFM Receiver"? To implement a STEREO receiver using the new block seems to require quite a few more blocks.. I assume for proper 19khz pilot decoding, RDS, etc?

@smawis Yes you can make calls to the standard telephone network. All you need is some VoIP connection to it. Think of OpenBTS as a GSM to SIP gateway so if you pair it with Asterisk that is already on the PSTN, you can just use GSM handsets instead of VoIP phones and make calls / receive calls. I have OpenBTS also going with FreeSWITCH which functions similarly. I don't have docs but there are resources in the net that are reasonably good. Best of luck on your research.

This was pre OpenBTS 2.8 - version 2.6 I think - I don't remember exactly. If you have the N210, I'd suggest the latest / greatest version of P2.8.

@athosuk Nope, just the radio, the antennas and the WBX boards that run in the cellular frequencies.

oh ok. I actually build that last night, but I didn't know I had to rebuild gnuradio to have it show up. I'll rebuild gnuradio and see if it shows up. Thanks.

You will get the IMSI (SIM number) but not the phone's "default operator network". You don't get the phone's number either.

Hi Anders, Thanks for this very informative video. It answered a lot of "getting started" questions I had. I really want to do this project, as I have a lot of experience with Asterisk and I also have a large collection of cell phones that I'd really like to put to use. I have my eye on Ettus' Instant SDR kit, but I'm concerned about the clock issue you mentioned in the video. Will it work with the internal stock clock? All I'll be doing is making calls and sending texts... no handoffs. Thanks!

Nice video Anders, you show it all working, as you say - if you set it up right. Are you using the UHD version of OpenBTS there without gnuradio? You mention some of the issues with the handsets internal clocks, but did you have any of these notorious clocking problems that happen with the USRP1 with it's default clock, or would you say the N210 + WBX board is a working solution out of the box?

@syirrus depends on the radio board you use. I get about 2 blocks with mine but in theory you can go 35km.

Yes, that can be made to work. The default USRP clock is 64Mhz so to use a 52Mhz clock, there are two things you have to do - a hardware fix (simple soldering) and possibly some source file changes and a recompile. For more info on that, have a look at: gnuradio. org/redmine/projects/gnuradio/wiki/OpenBTSClockModifications

Actually, it's -$100 for just the card off the $850 price. The sma connectors, DIP to Cable assembly and periodic PCB antennas only cost $100, but just the card still costs $750. Still much less then the $1500 for a N200 or $1700 for the N210. So what do you think?

If I was reasonably confident this was a solid alternative to the FLEX radios, it would be an ideal hobby device - incredible ham radio features and lots of other hobby projects to boot - but I don't know how fully-featured it would be for ham radio out of the box.

@whyteks I'm using Thomas Tsou's OpenBTS-UHD repo on github so no GNURadio for the BTS stuff: github.com/ttsou/openbts-uhd.git Of course the FM radio and frequency sweep demos are GNURadio. (gnuradio-companion for that) I'd say the clock that comes with the N210 and the E100 I also have here work perfectly right out of the box. An N210 + WBX + antenna should be all the gear you need with a Linux box (or Mac in my case) to have a great working setup.

Hi great vid. I have a USRP1 and I'm having clock issues. Can you recommend a place for me to order a 52mhz clock? Thanks.

Just make sure there is no TX block. I fly helicopters so I have the same hardware / radio license.

@anders94 Thanks Anders! I have read that there were issues using the USRP1 and one daughterboard - the RFX900 or 1800. The issues were to do with TX/RX channel isolation. so the recommended configuration with that box now is two daughterboards, one TX and one for RX. Do you know if the WBX would suffer the same problem?

That depends on the transmitter you are using. If I were to run this one outside, it would probably cover several city blocks. I have a more powerful transmitter that would do a little more and you could purchase a significantly more powerful transmitter that would give you the range of a normal BTS. (up to 40Km) However, this requires licensing in most places in the world. You would also have to shield the radio so you don't get lots of crosstalk.

If you don't intend to handoff, the clock won't be an issue for you. In very rare circumstances, the internal clock you get won't be good enough. Very rare though.

Without question you can get a suitable setup under $3000. The embedded Ettus E100 is $1,300 and the USB connected Ettus B100 is $650. Either of those would replace the $1,700 N210. They come at the cost of less bandwidth (USB) and less CPU power (E100) but they are great for testing. Also watch Fairwaves (fairwaves.ru) for some very interesting alternatives out soon. Those should retain the bandwidth for less cost than the Ettus devices.

Thanks for posting this....fantastic! I read that a license is not needed in this band because the transmit power is below a certain threshold. Is it true that this is kosher fcc-wise?

Yes, you can do cognitive radio and energy sensing with the N210 - it would be a good device for that. I don't know anything about how it would work with Windows 7 though - I'd suggest you run Linux to work with the N210 personally because that is the most popular platform. I don't think I follow your other questions... Once you get a working system though, I might be able to help more. Best of luck with it.

Very nice. I would be interested to see regular segments as time goes by regarding USRP. I would like to see some examples of satellite applications using USRP. Thank you.

@whyteks Yup, that's it. In fact to get it to work reliably, I typically put the transceiver in the next room because it is so strong.

The number of phones you can connect is practically unlimited, but the number of phones that can be in a call at any one time is 7. That means if they are calling each other, you can have 3 calls at the same time. (6 phones in 3 calls and 1 phone without another it can call) But if you have a SIP provider and the phones all call people on the regular phone network, you can do 7 concurrent calls.

@mrafiq26 Yes, the USRP2 will work as well.

Hey Anders. Loving your videos! I have been working with the USRP over FM channels for some time (both transmit and receive) and I tried snooping around live GSM channels to get some data dump. I could go any further for decryption etc. because of software issues . I want to do my Btech project on this and I wanted to know is their anyway we can compare the USRP BTS and the GSM module functionality on the same FPGA , but using a GSM module? any other interesting GSM experiments you could share?

@anders94 Wow - is this just with the WBX board and those VERT900 antennas in your lab? You must be getting a fairly decent signal out of it then.

Hello Anders, thank you very much for your quick reply. My main purpose to use usrp+gnuradio is with openbts. Months ago i purchased a usrp1 with+2wbx. I was unable to find in the local market the "infamous" 52MHz cristal clock. I purchased a lot from a provider in China but they did not work properly on my usrp, i was just able to scan the gsm bts antennas around me, but unable to register my unlocked handset to my openbts cell.

Hello I like your videos I’d like to see more but I have a question for you do you know where I can possibly find the software for USRP

There is a good chance the transceiver isn't finding your radio hardware. Ask on the OpenBTS mailing list on this one and show them your logs.

Thanks for the reply, very cool project! Its just a shame the radios are so expensive!

Great Job! please can you tell me what version of software you used....I have a usrp ettus n210. Thanks

@greatJeaorb It depends. You need to check with the FCC to make sure you are compliant in your area. The power is low (and can be turned down even more with a software setting) so it is usually OK but you have to make sure. In the end, you are responsible for making sure you aren't breaking the law!

Thanks for your quick response. I will take that into consideration. Much appreciated!

It can be programmed for a number of things. Thats why its using the term programable

do this installation require a particular version of ubuntu???

Whats the difference between the N210 and the USRP Instant SDR Kit -- B100 ? How easy is it with the B100 to set up a complete GSM cell base station? Can it do the same as the N210 Thanks for your time. Great video!

Thank you for the video! You said in your video that you have a 'WBX Receiver' and 'WBX Transcevier' in the box or was this a slip of the tongue and WBX kit comes as 2 boards, a Receiver and Transmitter?

By default, OpenBTS accepts any SIM but you can easily scope it down to just the SIMs you want.

I was wondering if I need some blank SIM cards and a SIM programmer. Thanks again!

The plateaus on the FM signals you found actually look like HDRadio IBOC carriers, you should try to find an HDRadio capable radio or GNURadio template to decode it!

I'd ask this question on the GNURadio users mailing list.

Most expensive access point ever - sounds like a lot of fun though!

@swedishvolvo Right, unless I connected Asterisk to other phones or a VoIP provider.

I was wondering what determines the amount of simultaneous calls you can place on the usrp, is there any modifications you can make to increase this (via usrp, or more powerful computer)? Thank you for the awesome video.

OpenBTS can not break A5/1 though decrypting A5/1 isn't all that hard these days. Like any radio transmissions, GSM transmissions dissipate with distance. You can only expect to reliably receive GSM radio transmissions at roughly 40km distance.

Although they can see the network, bad timing may not allow them to connect. Try a timing source like GPS... I'm sorry I don't have any other suggestions.

Great quick Video Anders. I had a favor to ask, can you please make another video that shows step by step with the Asterisk and OpenBTS in how to setup up phone numbers and basic commands. Im here to learn from you , if you can make a tutorial video, it would be fantastic.

Oh yeah. You're right. Thanks! I have a Ettus N210 and SBX daughterboard. And I want use them to make an wifi acces ponit

Hey, Please share more information (links) about how you hooked up asterisk, openbts and smsqueue.

Hello and thanks for the video it really helps to start getting an idea what is possible to to do. Do you know if the same results can be achieved with the USRP Instant SDR Kit (USRP Instant SDR B100 Bundle - B100 + WBX Bundle (50-2200MHz) + LiveUSB) ? What antennas are you using, do you need to swap them from the GSM tests to the FM radio frequency?

ok, i guess you are right. Still maybe you can answer this questions. Isnt a gnuradio easily detected by the governent, if you use it for illegal purposes, and dont you need a special Licence to use it in the frequence that is needed for gsm sniffing?

I used a dead SIM that wasn't configured to be accepted on any public networks. (I have a stack of them) But you should be able to use just about any SIM. There is a chance your phone tries to camp to T-Mobile (because that SIM is configured to do that) and therefore not trying to connect to anything else. Try another SIM if you can.

i really appreciate your presentation. Thank for this great job. I want to have an idea about the best module i can choose for test with a good price, and the description of the other modules and the difference between them, i am studying telecomunication, and i want to test it...if you have a link for me i am waiting, thanks a lot.

One could have a lot of fun with this! I want one!

Hi, i'm starting my journey with the USRP so i'm trying to understand the basics. I'm not an expert on telecomunications, but i'm trying to do my masters thesis with an USRP but for another purpose. I had a lot of troubles installing the USRP on my PC (windows) but i guess i finally made it. I want to ask you if you can available that gnuradio file that you've done for FM radio, or at least tell me the parameters for the variable filter_taps, so I can see if everythings ok. Thank you very much

@anders94 Anders, Thanks so much for responding to me here, I'm sorry to bombard you with questions, but you're the only person I've found who actually has one of these things, and as I'm about to shell out nearly $2.5K, actually, about to recommend that someone else does, which is worse!.. I have another question. were you able to get your phones to camp to your openBTS and then go back to their home net and then camp to openBTS again without a cold restart?

@gauravpride1985 Using gnu radio, you build flowchart-like programs visually that get compiled and sent to the FPGA on the radio. The most common non-visual way to do the same thing is based in python, so I suppose this is the direct answer to your first question. The development daughterboards I use here are defined here: ettus.com/downloads/ettus_daughterboards.pdf