To be able to perform proper research on cellular devices a dedicated network is a core prerequisite. As with any kind of technical research many strange connections will be established throughout testing. Even in times of Text Message / SMS flatrates sending 10.000 messages might show up as a red flag somewhere in an operator’s network and violate a mobile subscription. The same applies to the typical challenges of port scanning via public networks. Even though you might be scanning your own device, the packets travel through some transport network and might be matched with some attack signature. As such working in an own “offline” environment creates flexibility and prevents trouble.

This page gives an overview of the network that I usually work with when doing cellular testing.


The nanoBTS is a simple 2G basestation. They’re cheap to get (if you get lucky), due the job and are further documented here - nanoBTS

A short hint: If using the setup professionally, have a look at the SysmoBTS. They’re by far more flexible!

SIM Cards

Most mobile devices need a SIM card to function. The SIM card contains the devices IMSI, which in turn contains the networks MCC and MNC. In 262 01 1234567890 for example 262 is the Mobile Country Code for Germany, 01 is the Mobile Network Code for T-Mobile and the remaining ten digits are the actual subscriber id. The last block may be between one and ten digits long. More information on the SIM cards I work with can be found here - SIM cards.


Calls in the lab are initially routed internally. A link from the openBSC NITB [Network in the Box] forwards each call to an asterisk call router. The dial rules in asterisk then either route the calls back to the BSC or forward through the PSTN Uplink.

As uplink I use an account from sipgate. As such external calls are forwarded to sipgate as VoIP calls by the asterisk and the hit the PSTN. Detailed information can be found here - SIP Uplink.

Text Messages

Text messages are handled by the internal SMSC integrated in openBSC in NITB mode. All messages logged in the internal HLR database. Messages can be sent via simple scripts as described here - Sending Text Messages.

Data / IP

Using the SGSN and GGSN slow GPRS and EDGE connections can be established. Although no high data transfer rates can be expected, it is sufficient for throttled port scanning and allowing the client devices to access the Internet.


Managing the network can be performed with multiple local terminals / CLIs. For client management the SimpleHLR PHP script is very helpful. Alternatively osmo-oohmi can be used.

Setup Instructions

Setup instructions can be found here - Lab Setup. The old instructions are here

Wired Setup

Actually using RF for setting up a custom cellular network is usually against the law. As such certain physical measures become necessary. A possible solution is discussed here.