DragonOS Focal LTE Cell Search, Crocodile Hunter, and Cell Scanner w/ bladeRF (bladeRFxA9, b205mini)
- Published 9 Feb 2025
- This video shows how to use three different LTE tools within DragonOS Focal. Since the bladeRFxA9 was used, a modified version of LTE Cell Scanner was downloaded and used instead of the built-in version. I should note that after making this video it would appear that the developer of LTE Cell Scanner (the fork) may have fixed LTE Cell Scanner within the last few days or so to work with the updated libbladerf. I'll have to check and see.
I used srsLTE and a b205mini to create the enodeb, while the bladeRFxA9 performed the scanner functions. Of the three tools, Crocodile Hunter is by far the most advanced. I recommend fully setting it up with GPS and using both Wigle/Open Cell ID connection information.
In the next video we'll take a look at using some of the same tools with the HackRF One.
Hardware:
bladeRFxA9 (xA4 will also work)
b205mini
Topics Covered:
Setup srsLTE enodeb / default settings
Use the srsLTE cell search example
Basic setup and use of Crocodile Hunter
Download and use the modified LTE Cell Scanner tool w/ bladeRF
Tools:
github.com/srs...
github.com/EFF...
www.opencellid...
wigle.net/
github.com/Jia...
drive.google.c...
Definitely a big blue like for showing us the fun we can have with Crocodile Hunter. A croc jammer would be interesting, but big big trouble if one gets caught doing countermeasures on a stingray.
Sorry for the noob question, but I don't understand what you can do with this info now. What is it for? You scanned it, and now?
If I recall, main purpose is to perform scans/surveys and attempt to find anomalies, fake base stations etc.
Hey there is it possible to scan LTE with a normal SDR or do I need to upgrade to something like a bladeRF or USRP
You can scan with rtlsdr/hackrf to some extent.
Lte cell scanner is packed in dragon.
@cemaxecuter7783 Thanks for all the information, just bought a USRP x300 so everything I want to do should be possible now
Hey, awesome video, thanks very much for sharing it!! I'm new to SDR and I have a question: which antenna do you connect to the bladeRF to do this search?
I have a couple of these antennas which cover most if not all of the cellular bands
www.nuand.com/product/tri-band-antenna/
But I also have some I got off eBay, important thing is to make sure the connector is right. Should be I think SMA male connector like the Triband ones.
Even the antenna that comes with the rtlsdr will work for like the 700-900 MHz ranges
@cemaxecuter Thank you for the answer and attention. Do you recommend any antenna to create a long range LTE base station? I live in a quite remote area and I'm looking for the right equipment. Good that you said it needs to be an SMA connector, I almost bought a wrong Ubiquiti antenna with just an ethernet connector.
I’ve not tried anything long range, but probably some sort of lte patch antenna or yagi?
Hi friends, can I use LTE_Cell_Scanner with USRP B210?
From that project's GitHub page it mentions “USRP: Only with Matlab and GNU Octave”, but I don’t think it’ll work directly with any of the generated binaries. You can however use the cell scanner that’s sitting in /usr/src/srsRAN-release_22_04/build/lib/examples
That’s from memory so double check the file path.
@cemaxecuter7783 Thank you for your help, sir. You have been a great help to my study.
I follow your tutorial, but have a problem like this
File "./crocodilehunter.py", line 21, in
import coloredlogs, verboselogs
ModuleNotFoundError: No module named 'coloredlogs'
Can you help me?
You make sure to look at the DragonOS readme in the same directory? I think you may just need to activate the python virtual environment before running based on the error you’re showing.
Sorry for the noob question but is it possible to do this with a limesdr?
Actually, yes it is. I’ve run croc hunter with the LimeSDR mini. The cell srsLTE example should work as well. Only thing that wouldn’t work is the last LTE cell search tool as that’s for just the hackrf bladerf. I think there’s another video I uploaded that shows croc hunter with LimeSDR. I’ll look for it ASAP.
Don’t make the change I do to croc hunter where I altered files and remade it cause I just did that for the bladeRF.
@cemaxecuter7783 thanks for the quick reply I've been learning about sdr over the past couple days and I'm hooked! Your videos have been incredibly helpful, thank you!
No problem, hope they’re helping! I’ve been meaning to get a LimeSDR again, like the full one. I wanted to try a few more things with it.
They have been a huge help, I'd be way more lost without them, lol! I got lucky someone I work with had a lime and a nesdr that they are letting me play with. I will be buying a couple of my own soon.
Thanks for the content. I believe my neighbor has an IMSI catcher/fake cell tower, can I track its location with this method? It'll be greatly appreciated if you provide me some feedback, once again thanks
Perhaps, but there’s various cell gsm/lte scanners in DragonOS so it would probably take some work to see what’s around you and then compare to known and legal towers.
Thank you very much, it'll take time to learn but your content provides great guidance. God bless
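Added example (not part of the original comments and not Crocodile Hunter's own code): one way to do the comparison against known towers mentioned above. The baseline rows use OpenCellID-style column names, all tower and scan values are constructed, and the three checks and the 5 km slack are illustrative assumptions.

```python
import csv, io, math

# Constructed baseline in OpenCellID-style columns (not real towers).
KNOWN_CSV = """radio,mcc,net,area,cell,lon,lat,range
LTE,310,260,11001,20481025,-122.4010,37.7900,1500
LTE,310,260,11001,20481026,-122.4150,37.7800,1200
LTE,310,410,7033,51200257,-122.3900,37.7850,2000
"""
# Constructed scan rows: (mcc, mnc, tac, cell_id, receiver_lat, receiver_lon).
SCAN = [
    (310, 260, 11001, 20481025, 37.7905, -122.4020),  # consistent with baseline
    (310, 260, 11001, 20481026, 37.9500, -122.4150),  # known ID heard ~19 km away
    (310, 410, 9999, 51200257, 37.7852, -122.3905),   # known ID, unexpected TAC
    (310, 260, 11001, 99999999, 37.7900, -122.4000),  # not in baseline at all
]

def haversine_m(lat1, lon1, lat2, lon2):  # great-circle distance in metres
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371000 * math.asin(math.sqrt(a))

def load_known(text):  # index baseline rows by (mcc, mnc, cell id)
    known = {}
    for r in csv.DictReader(io.StringIO(text)):
        key = (int(r["mcc"]), int(r["net"]), int(r["cell"]))
        known[key] = (int(r["area"]), float(r["lat"]), float(r["lon"]), float(r["range"]))
    return known

def classify(obs, known, slack_m=5000):
    """Return anomaly labels for one observation; an empty list means consistent."""
    mcc, mnc, tac, cid, lat, lon = obs
    entry = known.get((mcc, mnc, cid))
    if entry is None:
        return ["unknown_cell"]
    k_tac, k_lat, k_lon, k_range = entry
    flags = []
    if tac != k_tac:
        flags.append("tac_mismatch")
    if haversine_m(lat, lon, k_lat, k_lon) > k_range + slack_m:
        flags.append("location_mismatch")
    return flags

def survey(scan=SCAN, csv_text=KNOWN_CSV):
    known = load_known(csv_text)
    return {obs[3]: classify(obs, known) for obs in scan}

if __name__ == "__main__":
    print(survey())
```

A flag here only marks a cell for follow-up; crowd-sourced tower databases are incomplete, so a newly deployed legitimate cell will also show up as unknown.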
I was running DragonOS Crocodile Hunter with a B200Mini earlier today but it didn't always run successfully. I tried to run it tonight and it doesn't seem to be able to load the FPGA. I suspect the B200 is no longer working properly - maybe I fried the card. My question is would I be better off getting a BladeRFxA9 instead of replacing the B200Mini? My goal is to detect and decode basic LTE cell site information - CellID, RSSI, SNR, RSRQ,...I have a HackRF One and can run Cell Scanner and LTE-Tracker but the information returned is limited. Thanks, Gil
That’s interesting, what if you run uhd_find_devices before running Croc hunter? Does the mini load the fpga then? I have the b205mini, it’s a good card. I dislike the connector mainly due to how fragile it seems, but besides that it’s really worked great. I’ve also had the bladerfxA4 which worked with Croc hunter and I now have the xa9. I think unless you needed the ability to run bladerf-wiphy that you’d be perfectly fine with the xa4 for Croc hunter. There’s like one small change to the Croc hunter code to make it run better with the bladerf but that’s super easy to do.
@cemaxecuter7783 uhd_find_devices sees the B200 mini and returns serial number. I tried Crocodile hunter again and it has the following error after trying to load the FPGA image:
08:39:17 default - WARNING srsUE has exited unexpectedly
* 08:39:17 default - WARNING It's dying words were: [INFO] [B200] Loading FPGA image: /usr/share/uhd/images/usrp_b200mini_fpga.bin...
Then when I run Crocodile Hunter again it doesn't see the B200 and tries to load BladeRF:
* 08:47:03 default - DEBUG [INFO] [UHD] linux; GNU C++ version 9.2.1 20200304; Boost_107100; UHD_3.15.0.0-2build5
* 08:47:04 default - DEBUG Error opening UHD: code 11
* 08:47:04 default - DEBUG Unable to open device: No devices available
* 08:47:04 default - DEBUG No compatible RF frontend found
* 08:47:04 default - DEBUG Error opening rf
* 08:47:05 default - DEBUG - Scanning 1 EARFCNs
* 08:47:05 default - DEBUG Opening RF device...
* 08:47:05 default - DEBUG Opening USRP with args:
* 08:47:05 default - DEBUG Opening bladeRF...
When I first set this up, Crocodile Hunter would run and I would see the green LED flash on the RX B200 mini. Now it can't load the FPGA or can't see the card. That's why I thought the card was fried.
I ordered the BladeRFxA4 yesterday. Hopefully I'll have better results. I'm going to try to find a utility to do a complete test on the B200 mini
I ran uhd_usrp_probe and the results look OK as far as I could tell. I also ran ./benchmark_rate --rx_rate 10e6 --tx_rate 10e6 but the results indicated drops and overruns occurred which I believe is a problem.
Benchmark rate summary:
Num received samples: 43264702
Num dropped samples: 959
Num overruns detected: 959
Num transmitted samples: 41793480
Num sequence errors (Tx): 0
Num sequence errors (Rx): 0
Num underruns detected: 10235
Num late commands: 0
Num timeouts (Tx): 2
Num timeouts (Rx): 0
This is on the same computer, same USB port and USB 3 as previously used with Croc hunter? Trying to think what else would be an issue.
@cemaxecuter7783 Same PC. Not sure if I used the same USB ports each time.
It looks like I only have USB 2 ports on this computer:
Bus 002 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0bda:0138 Realtek Semiconductor Corp. RTS5138 Card Reader Controller
Bus 001 Device 003: ID 04f2:b1d8 Chicony Electronics Co., Ltd 1.3M Webcam
Bus 001 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Odd the B200mini kind of worked at first.
I'm guessing I need a new PC with USB 3 ports?
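Added example (not part of the original comments): a check that ties the lsusb listing and the benchmark_rate summary quoted above together. The text inputs are excerpts of the output posted in the thread; the 4 bytes per complex sample (sc16 on the wire) is an assumption, and the function names are hypothetical.

```python
import re

# Excerpts of the output quoted in the comments above (root-hub lines only).
LSUSB = """Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""
BENCH = """Num received samples: 43264702
Num dropped samples: 959
Num overruns detected: 959
Num transmitted samples: 41793480
Num underruns detected: 10235
Num timeouts (Tx): 2
"""

USB2_BITS_PER_S = 480e6   # USB 2.0 high-speed signalling rate (half-duplex bus)
BYTES_PER_SAMPLE = 4      # assumption: sc16 wire format, 16-bit I + 16-bit Q

def has_usb3_root_hub(lsusb_text):
    """True if any Linux root hub is a USB 3.x hub (ID 1d6b:0003)."""
    return bool(re.search(r"ID 1d6b:0003\b", lsusb_text))

def parse_summary(text):
    """Turn 'Num <name>: <int>' lines into a dict keyed by <name>."""
    return {m[1].strip(): int(m[2]) for m in re.finditer(r"Num (.+?):\s*(\d+)", text)}

def required_bits_per_s(rx_rate, tx_rate):
    """Raw sample payload for both directions, ignoring protocol overhead."""
    return (rx_rate + tx_rate) * BYTES_PER_SAMPLE * 8

def diagnose(lsusb_text, bench_text, rx_rate=10e6, tx_rate=10e6):
    """Return findings for the given host and benchmark run."""
    stats = parse_summary(bench_text)
    findings = []
    if not has_usb3_root_hub(lsusb_text):
        findings.append("no_usb3_root_hub")
        # RX and TX share the USB 2.0 bus, so their rates add up.
        if required_bits_per_s(rx_rate, tx_rate) > USB2_BITS_PER_S:
            findings.append("rate_exceeds_usb2")
    if stats.get("overruns detected", 0) or stats.get("underruns detected", 0):
        findings.append("host_cannot_keep_up")
    return findings

if __name__ == "__main__":
    print(diagnose(LSUSB, BENCH))
```

With the rates used in the thread (10e6 RX and 10e6 TX), the payload alone is 640 Mbit/s, which is above the 480 Mbit/s USB 2.0 signalling rate before any overhead.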
I'm using ./cell_search under srsLTE-release_18_12 with a HackRF One. I've run several successful searches on different bands but when I try searching Band 41 or 71, I get an Error: Invalid band 71 Error getting EARFCN list. Is it possible to modify the EARFCN list to include B41 and B71?
How about cell search under the 20.04 folder or if you're using the latest DragonOS Focal the 21.04 folder? Maybe one of the source files somewhere would need to be modified and then rebuilt. I think if I recall the 18.12 folder was meant to go along with the srslte sniffer.
I installed DragonOS_Focal_PublicR15. Under /usr/src/ , I see an srsRAN-release_21_04_pre folder but it doesn't work with Cellsearch. Is 20.04 in a different directory?
In /usr/src/srsRan-release_21_04_pre/build/lib/examples is the cell search tool. However, I just tried and while band 41 works, 71,72,73 do not.
What you can do on R15 is go into /usr/src/LTE-Cell-Scanner/ and run ./CellSearch-hackRF -s 663e6 -e 698e6 to search the 71 band as an example
success! Thank you