Mobile Security Research Lab — Equipment Guide
- Google Pixel 9 — Rooted UE (subscriber-side testing)
- LibreSDR B210mini — AD9361 SDR, 70MHz–6GHz, 2R2T (UHD/USRP B210 compatible)
- OpenSourceSDRLab FlipperZero5G — Cellular multi-tool expansion for Flipper Zero
Hardware Breakdown
LibreSDR B210mini — AD9361
graph TD
subgraph "LibreSDR B210mini Specs"
S1["Chip: AD9361\nAnalog Devices RF SoC\nSame as real USRP B210"]
S2["Frequency: 70MHz – 6GHz\n✅ Covers ALL 5G Sub-6 bands\nn77/n78 (3.3–4.2GHz) · n79 (4.4–5.0GHz)\nn41 (2.5GHz) · n25/n66 (1.7–2.2GHz)"]
S3["2R2T\n2x Receive + 2x Transmit\nFull MIMO capable"]
S4["Interface: USB 3.0\nUHD (USRP Hardware Driver)\nDrop-in for srsRAN / OAI / GNU Radio"]
end
subgraph "vs LimeSDR"
L1["LimeSDR max: 3.8GHz\n❌ Misses n79 and most of n77;\nn78 (3.3–3.8GHz) only at its ceiling"]
L2["LimeSuite/SoapySDR only\nsrsRAN Project (5G) has no Soapy backend:\nUHD or ZMQ"]
end
S2 -->|"Covers more"| L1
S4 -->|"Better support"| L2
style S2 fill:#2E75B6,color:#fff
style S4 fill:#1F3864,color:#fff
style L1 fill:#C00000,color:#fff

Why AD9361 / B210 is the preferred chip for this work:
- srsRAN's primary tested hardware is USRP B-series (AD9361)
- OpenAirInterface (OAI) — first-class B210 support
- UHD driver is the most stable in GNU Radio and srsRAN
- 6GHz ceiling covers every FR1 band in commercial deployment, n79 (4.4–5.0GHz) included; only the 6GHz bands n96/n102 sit above it
FlipperZero5G Expansion Board (OpenSourceSDRLab)
graph LR
subgraph "FlipperZero5G Capabilities"
F1["📡 NR / LTE Cell Scanner\nScan active cells\nread PLMN · band · ARFCN"]
F2["📋 IMSI / IMEI Operations\nSubscriber identity\ninteractions"]
F3["📶 NAS Protocol Interaction\nAttach · detach\nregistration testing"]
F4["🔍 Passive Monitoring\nCell information\nenumeration"]
F5["🔗 Works Alongside\nB210mini for\nactive attacks"]
end
FLIP["Flipper Zero\n+ 5G Board"] --> F1
FLIP --> F2
FLIP --> F3
FLIP --> F4
FLIP --> F5
style FLIP fill:#1F3864,color:#fff
style F2 fill:#E36209,color:#fff
style F3 fill:#E36209,color:#fff

Practical use in engagements:
- Quick cell scanning without booting full srsRAN stack
- Walk-up recon of target network bands and PLMNs
- Portable — fits in pocket; B210mini needs laptop
- Complements B210mini: use Flipper for passive recon, B210mini for active attacks
Full Lab Architecture (Corrected)
flowchart TD
subgraph "RF Layer"
B210["📡 LibreSDR B210mini\nAD9361 · 70MHz–6GHz\n2R2T · USB 3.0 → Laptop"]
FLIP["🐬 FlipperZero + 5G Board\nPortable cell scanner\nNAS interaction"]
ANT["🔌 Band Antennas\n700MHz · 1.9GHz\n3.5GHz (n78) dipoles"]
FAR["🛡️ Faraday Enclosure\n⚠️ Required before TX"]
end
subgraph "Laptop — Software Stack"
UHD["UHD Driver\n(USRP Hardware Driver)\nB210mini talks natively"]
SRSENB["srsRAN 4G eNB\n+ srsRAN Project 5G gNB"]
OAI["OpenAirInterface\nalternative to srsRAN\nbetter LTE-M/NB-IoT"]
CORE["Open5GS\n4G EPC + 5G SA Core"]
GNU["GNU Radio\nPassive sniff + analysis"]
WIRESH["Wireshark\nNAS decode · GTP"]
end
subgraph "UE Layer"
PIX["📱 Pixel 9\nPrimary rooted UE\nReal + test SIMs"]
UESIM["UERANSIM\nSoftware UE\nNAS fuzzing"]
end
B210 --> UHD
UHD --> SRSENB
UHD --> OAI
UHD --> GNU
SRSENB <--> CORE
FAR --> PIX
FAR --> B210
UESIM <-->|"NGAP, via UERANSIM's own software gNB"| CORE
style B210 fill:#1F3864,color:#fff
style FAR fill:#C00000,color:#fff
style FLIP fill:#2E75B6,color:#fff

Software Stack — B210mini Specific Install
UHD Driver (Drop-in B210 Support)
# Ubuntu/Debian — UHD from Ettus PPA (official)
sudo add-apt-repository ppa:ettusresearch/uhd
sudo apt update
sudo apt install libuhd-dev uhd-host
# Download FPGA/firmware images (required for B210; UHD loads them over USB when the device is first opened)
sudo uhd_images_downloader
# udev rule so the device is usable without root (path for the apt/PPA install)
sudo cp /usr/lib/uhd/utils/uhd-usrp.rules /etc/udev/rules.d/
sudo udevadm control --reload-rules && sudo udevadm trigger
# Plug in B210mini via USB 3.0, then test
uhd_find_devices
# Expected: ---------------------------------------------------
# -- UHD Device 0
# -- Device Address:
# --     serial: <your serial>
# --     product: B210
# --     type: b200
uhd_usrp_probe   # full hardware report — should list the AD9361 RFIC and both RX/TX frontends
B210mini needs USB 3.0 for full bandwidth. On a USB 2.0 link the 23.04 MS/s a 20MHz cell needs cannot be sustained, so srsRAN prints a stream of O/U (overflow/underflow) markers and the cell never becomes usable. Use a USB 3.0 port or a powered USB 3.0 hub, and confirm the link speed with `lsusb -t` (the device must show 5000M, not 480M) before blaming the SDR.
srsRAN 4G with B210mini
git clone https://github.com/srsran/srsRAN_4G.git
cd srsRAN_4G && mkdir build && cd build
cmake ../ -DCMAKE_BUILD_TYPE=Release
make -j$(nproc) && sudo make install
# enb.conf — B210mini specific RF section
[rf]
dl_earfcn = 1575      # Band 3, 1842.5MHz DL — change to target band
tx_gain = 40
rx_gain = 40
device_name = uhd     # ← key: use uhd not lime
device_args = ""      # B210mini auto-detected via UHD; srsRAN sets the B210 master clock itself
# There is no srate key here: bandwidth comes from n_prb in the [enb] section
# n_prb = 50 → 10MHz (11.52 MS/s), 75 → 15MHz (15.36 MS/s), 100 → 20MHz (23.04 MS/s)
srsRAN Project — 5G NR gNB with B210mini
git clone https://github.com/srsran/srsRAN_Project.git
cd srsRAN_Project && mkdir build && cd build
cmake ../ -DCMAKE_BUILD_TYPE=Release -DENABLE_EXPORT=ON -DENABLE_UHD=ON
make -j$(nproc)
# gnb.yml — B210mini 5G NR config
ru_sdr:
  device_driver: uhd          # UHD = B210mini
  device_args: type=b200      # target B200-series
  tx_gain: 50
  rx_gain: 50
  srate: 23.04                # 23.04 MS/s: 20MHz NR at 30kHz SCS, and a native B210 master clock rate
  otw_format: sc12            # 12-bit over-the-wire samples so USB 3.0 keeps up at this rate
cell_cfg:
  dl_arfcn: 640000            # n78 at 3600MHz (640000 is not 3500MHz); srsRAN's own B210 example uses 632628
  band: 78
  channel_bandwidth_MHz: 20
  common_scs: 30              # 30kHz subcarrier spacing for FR1
  plmn: "00101"               # test PLMN; a carrier's MCC/MNC only inside the Faraday enclosure and within the engagement's RF authorization
  tac: 7
OpenAirInterface (Alternative Stack)
# OAI is stronger for advanced NAS testing and IoT protocol research
git clone https://gitlab.eurecom.fr/oai/openairinterface5g.git
cd openairinterface5g
source oaienv
cd cmake_targets
./build_oai -I                       # install deps
./build_oai -w USRP --eNB --UE       # 4G eNB + UE with UHD/USRP support
./build_oai -w USRP --gNB --nrUE     # 5G SA gNB + NR UE are separate targets, same -w USRP flag
# OAI has better support for:
# • LTE-M / NB-IoT (IoT attack surface)
# • Advanced NAS manipulation
# • Detailed RRC protocol control
Secondary Device — Qualcomm UE for SCAT
The Core Distinction
The B210mini gives you the network side of every NAS exchange — you see everything the gNB sends and receives. What it can't give you is the modem's internal view — what the Pixel 9's baseband actually does with those messages. That gap only matters for one specific research mode:
| Research Goal | Pixel 9 + B210mini | Pixel 5 + SCAT | Verdict |
|---|---|---|---|
| Downgrade validation (5G→4G→3G) | ✅ gNB sees full NAS exchange | Same + modem confirm | B210mini sufficient |
| Identity-exposure validation | ✅ gNB sees attach identity behavior | Same + modem confirm | B210mini sufficient |
| Auth bypass / null cipher | ✅ Control gNB + Open5GS AMF | Modem-side trace | B210mini sufficient |
| NAS fuzzing → crash detected | ⚠️ See crash outcome, not cause | ✅ SCAT stream at trigger | Need Pixel 5 |
| Baseband vuln (CVE-grade) | ❌ Can't pinpoint crash trigger | ✅ Exact NAS state at crash | Need Pixel 5 |
| Carrier app / real network | ✅ Pixel 9 (enrolled, newer OS) | ❌ Wrong tool | Pixel 9 only |
Rule of thumb: Use the Pixel 9 + B210mini for running attacks. Add a Pixel 5 when you shift from executing attacks to finding the specific NAS message that crashes a modem — that's baseband vulnerability research.
Recommended Second Device — Pixel 5
| Device | Chip | Modem | 5G NR | 4G LTE | SCAT | Cost |
|---|---|---|---|---|---|---|
| Pixel 5 ✅ | Snapdragon 765G | X52 | Sub-6 (n77/n78) | ✅ | ✅ Full | ~$80 used |
| Pixel 4a (5G) | Snapdragon 765G | X52 | Sub-6 | ✅ | ✅ Full | ~$80 used |
| Pixel 4a (standard) | Snapdragon 730G | X15 | ❌ LTE only | ✅ | ✅ LTE only | ~$50 used |
Pixel 5 is preferred: Snapdragon 765G / X52 modem supports both 5G NR Sub-6 and LTE, aligns directly with the B210mini's n78 configuration, straightforward Google bootloader unlock, and is one of the better-supported devices in SCAT and QCSuper.
QCSuper — Live Modem DIAG Stream to Wireshark
# Install QCSuper (https://github.com/P1sec/QCSuper)
pip3 install qcsuper
# Pixel 5 connected via USB, rooted, ADB enabled (QCSuper needs root to reach the DIAG port):
qcsuper --adb --wireshark-live                     # live Wireshark feed — open Wireshark first
qcsuper --adb --pcap-dump diag_$(date +%s).pcap    # capture to file for post-analysis
# Frames arrive as GSMTAP on UDP/4729; Wireshark decodes them automatically.
# Key display filters:
# nas-5gs → 5G NAS messages (registration, auth, PDU session)
# nas-eps → 4G/LTE NAS messages
# nr-rrc  → 5G Radio Resource Control
# lte-rrc → 4G RRC (the dissector is lte-rrc, not rrc-lte)
Crash Correlation Workflow — Fuzzing + SCAT
Scenario: malformed NAS sent downlink from your gNB + Open5GS AMF to the Pixel, looking for a baseband crash (UERANSIM covers the other direction, fuzzing the AMF/SMF from a software UE, and never touches the modem)
srsRAN gNB log: [T+0ms] Sent: Security Mode Command selecting NEA0/NIA0 (null ciphering, null integrity)
[T+2ms] UE dropped — RRC timeout (no response)
[T+2ms] ← All you see without SCAT. Something crashed.
SCAT stream: [T+0ms] Modem received: Security Mode Command
[T+1ms] Modem state: SECURITY_MODE_PENDING → EXCEPTION
[T+1ms] Diagnostic stream terminated — baseband reset triggered
[T+1ms] ← Exact trigger visible. Root cause identified.
Without SCAT: "The UE crashed during security mode negotiation"
With SCAT: "Security Mode Command selecting NEA0+NIA0 triggers a modem
exception in state SECURITY_MODE_PENDING; reproducible, so it can go to the vendor as a CVE request."
The SCAT stream turns a "something crashed" observation into a reportable finding.
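The modem-side view arrives as GSMTAP frames on UDP/4729, which is what QCSuper and SCAT feed to Wireshark. The decoder below is an added example written for this page, not code from QCSuper, SCAT or srsRAN: it strips the GSMTAP header, reads the NAS security header of EPS and 5GS messages, and for a Security Mode Command reports the selected algorithms so a null-cipher or null-integrity selection is flagged; the last helper returns the final message logged before a DIAG stream ends, which is the trigger candidate in the crash-correlation workflow above. Assumptions: both tools carry 5G NAS under GSMTAP type 0x12 the way they carry LTE NAS, and the sample frames are hand-built from the TS 24.501 / TS 24.301 layouts, not captures.

```python
"""Decode GSMTAP-wrapped NAS frames and find the last message before a modem reset.

Added example for this page (not QCSuper/SCAT/srsRAN code). Frames below are
constructed from the 3GPP octet layouts, not captured from a device."""
import struct

GSMTAP_TYPE_LTE_NAS = 0x12   # assumed: QCSuper/SCAT use this type for EPS and 5GS NAS alike
EPD_5GS_MM = 0x7E            # TS 24.501 extended protocol discriminator (5GS MM)
PD_EPS_MM = 0x07             # TS 24.301 protocol discriminator (EMM)

MSG_NAMES = {0x41: "Registration Request", 0x56: "Authentication Request",
             0x5D: "Security Mode Command", 0x5E: "Security Mode Complete"}
# "Selected NAS security algorithms" octet: high nibble ciphering, low nibble integrity
# (5GS uses 4 bits each; EPS uses bits 7-5 and 3-1 with spare bits 8 and 4).
CIPHER = {"5GS": {0: "5G-EA0 (null)", 1: "128-5G-EA1", 2: "128-5G-EA2", 3: "128-5G-EA3"},
          "EPS": {0: "EEA0 (null)", 1: "128-EEA1", 2: "128-EEA2", 3: "128-EEA3"}}
INTEG = {"5GS": {0: "5G-IA0 (null)", 1: "128-5G-IA1", 2: "128-5G-IA2", 3: "128-5G-IA3"},
         "EPS": {0: "EIA0 (null)", 1: "128-EIA1", 2: "128-EIA2", 3: "128-EIA3"}}


def strip_gsmtap(frame: bytes) -> bytes:
    """Return the NAS payload behind a GSMTAP v2 header (hdr_len is in 32-bit words)."""
    version, hdr_len, gtype = frame[0], frame[1], frame[2]
    if version != 2 or gtype != GSMTAP_TYPE_LTE_NAS:
        raise ValueError(f"not a GSMTAP v2 NAS frame (version={version}, type={gtype:#x})")
    return frame[hdr_len * 4:]


def decode_nas(nas: bytes) -> dict:
    """Decode security header and, for a Security Mode Command, the selected algorithms.
    Protected messages (sec_hdr 1..4) carry MAC(4)+SEQ(1) and then the plain inner
    message, which repeats the discriminator octet."""
    first = nas[0]
    if first == EPD_5GS_MM:
        rat, sec_hdr, body, mask = "5GS", nas[1], nas[2:], 0x0F
        if sec_hdr != 0:
            body = nas[2 + 5:]
            if body[0] != EPD_5GS_MM or body[1] != 0:
                raise ValueError("protected 5GS message without plain inner message")
            body = body[2:]
    elif first & 0x0F == PD_EPS_MM:
        rat, sec_hdr, body, mask = "EPS", first >> 4, nas[1:], 0x07
        if sec_hdr != 0:
            body = nas[1 + 5:]
            if body[0] != PD_EPS_MM:
                raise ValueError("protected EPS message without plain inner message")
            body = body[1:]
    else:
        raise ValueError(f"unknown protocol discriminator {first:#x}")
    msg_type = body[0]
    out = {"rat": rat, "sec_hdr": sec_hdr, "msg_type": msg_type,
           "msg_name": MSG_NAMES.get(msg_type, f"0x{msg_type:02X}"),
           "ciphering": None, "integrity": None, "null_security": False}
    if msg_type == 0x5D:                     # Security Mode Command: next octet = algorithms
        alg = body[1]
        c, i = (alg >> 4) & mask, alg & mask
        out.update(ciphering=CIPHER[rat].get(c, f"reserved({c})"),
                   integrity=INTEG[rat].get(i, f"reserved({i})"),
                   null_security=(c == 0 or i == 0))
    return out


def gsmtap(payload: bytes) -> bytes:
    """Wrap a NAS payload in a 16-byte GSMTAP v2 header (constructed test input)."""
    return struct.pack("!BBBBHbbIBBBB", 2, 4, GSMTAP_TYPE_LTE_NAS,
                       0, 0, 0, 0, 0, 0, 0, 0, 0) + payload


def last_message_before_reset(stream):
    """stream: list of (t_ms, gsmtap_frame) from the modem. The DIAG stream simply
    ends at a baseband reset, so the final decodable message is the trigger
    candidate; returns (t_ms, decoded) or None."""
    decoded = [(t, decode_nas(strip_gsmtap(f))) for t, f in stream]
    return decoded[-1] if decoded else None


# Constructed samples (not captures). Protected 5GS SMC: EPD, sec_hdr 3, MAC 0, SEQ 0,
# then the plain inner SMC selecting 5G-EA0 + 5G-IA0 with ngKSI 0.
SMC_NULL_5G = bytes([0x7E, 0x03]) + b"\x00" * 5 + bytes([0x7E, 0x00, 0x5D, 0x00, 0x00])
AUTH_REQ_5G = bytes([0x7E, 0x00, 0x56, 0x00, 0x00])                       # plain Authentication Request stub
SMC_EEA2_4G = bytes([0x37]) + b"\x00" * 5 + bytes([0x07, 0x5D, 0x21, 0x00])  # EPS SMC: 128-EEA2 + 128-EIA1

SAMPLE_STREAM = [(0, gsmtap(AUTH_REQ_5G)), (40, gsmtap(SMC_NULL_5G))]  # stream ends here: modem reset

if __name__ == "__main__":
    t, msg = last_message_before_reset(SAMPLE_STREAM)
    flag = "  <-- null security selected" if msg["null_security"] else ""
    print(f"T+{t}ms {msg['rat']} {msg['msg_name']}: {msg['ciphering']} / {msg['integrity']}{flag}")
```

Feed it the QCSuper pcap (each UDP payload is one frame) rather than the live socket when correlating after the fact; the timestamps you keep alongside each frame are what you line up against the gNB log.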
Attack Capability Matrix — Your Full Stack
graph TD
subgraph "✅ Full Capability"
A1["Rogue gNB / eNB\nB210mini + srsRAN\nAll Sub-6 5G bands"]
A2["IMSI Catching\n2G/3G/4G over the air (70MHz–6GHz)\n5G SA sends SUCI: exposure only via downgrade or null-scheme SUCI"]
A3["Downgrade Attack\n5G→4G→3G/2G\nweak cipher enforcement"]
A4["NAS Auth Bypass\nUERANSIM + Open5GS\nvs your own gNB"]
A5["AMF/SMF DoS Fuzzing\nCustom NAS state machine\nPenn State method"]
A6["Cell Recon (portable)\nFlipperZero5G\nno laptop needed"]
A7["App-layer MITM\nPixel 9 + Burp + Frida"]
A8["n77/n78 5G NR\nB210mini hits 3.5GHz\nLimeSDR couldn't"]
end
subgraph "⚠️ Needs Second Device for Full Depth"
B1["Live modem DIAG stream\nSCAT partial on Tensor G4\nPixel 5 + QCSuper closes this gap"]
B2["Baseband crash correlation\nNeed modem-side view\nto turn crash → CVE"]
B3["MIMO beamforming\n2R2T available but\nsrsRAN uses 1R1T by default"]
end
subgraph "❌ Out of Scope (hardware limit)"
C1["mmWave 5G\nn258/n260 (24–40GHz)\nAD9361 max is 6GHz"]
end
style A1 fill:#2E75B6,color:#fff
style A2 fill:#2E75B6,color:#fff
style A8 fill:#2E75B6,color:#fff
style B1 fill:#E36209,color:#fff
style C1 fill:#C00000,color:#fff

| Attack (from Threat Model) | Hardware Used | Status |
|---|---|---|
| Rogue gNB — all 5G Sub-6 bands | B210mini + srsRAN Project | ✅ Ready |
| IMSI Catcher (4G/5G) | B210mini + srsRAN eNB | ✅ Ready (5G SA conceals the SUPI as SUCI; identity capture there relies on downgrade or a null-scheme SUCI) |
| Downgrade to 2G null cipher (A5/0) | B210mini + Osmocom GSM stack (osmo-trx-uhd + osmo-bts-trx); srsRAN has no GSM mode | ✅ Ready once Osmocom is built |
| NAS auth bypass fuzzing | UERANSIM + Open5GS | ✅ Ready |
| AMF/SMF crash (Penn State) | UERANSIM custom NAS | ✅ Ready |
| Passive cell scan / PLMN recon | FlipperZero5G | ✅ Ready |
| Carrier app MITM / hook | Pixel 9 + Burp + Frida | ✅ Ready |
| n78 5G NR (3.5GHz) coverage | B210mini (6GHz ceiling) | ✅ Ready |
| SS7 boundary validation | Gateway/provider review + approved lab | ⚠️ Needs SS7 scope and evidence |
| Live modem DIAG stream | Pixel 5 + QCSuper + SCAT | ⚠️ Needs Pixel 5 (~$80) |
| Baseband crash → CVE correlation | Pixel 5 + SCAT (modem-side view) | ⚠️ Needs Pixel 5 (~$80) |
| mmWave 5G testing | mmWave front-end / external up-down converter; the AD9361 stops at 6GHz and even a USRP X410 tops out at 7.2GHz on its own | ❌ Hardware limit |
Recommended Band Configuration for US Engagements
| Carrier | Primary 5G Bands | NR-ARFCN (DL) | B210mini DL Freq |
|---|---|---|---|
| T-Mobile | n41 (2.5GHz), n71 (600MHz) | 520000, 123400 | 2600MHz, 617MHz |
| AT&T | n77 (3.7GHz C-band), n14 (700MHz FirstNet) | 649980, 152600 | 3750MHz, 763MHz |
| Verizon | n77 (3.7GHz C-band), n5 (850MHz) | 649980, 173800 | 3750MHz, 869MHz |
| All | n78 (3.3–3.8GHz, global) | 640000 | 3600MHz |

NR-ARFCN is 5kHz per step below 3GHz and 15kHz per step above it (offset 600000 at 3000MHz), so 384000 would be 1920MHz and 875 is an LTE-style number, neither of them in n14 or n5; check every value before it goes into gnb.yml.
# Quick scan of target carrier bands from the B210mini
# gr-gsm is packaged; "gr-lte" is not an apt package, and grgsm decodes GSM only, not LTE
sudo apt install gr-gsm
# 2G: enumerate GSM carriers on a band (only where a carrier still runs 2G)
grgsm_scanner --args="type=b200" -b PCS1900
grgsm_livemon_headless --args="type=b200" -f 1930.2e6   # decode one GSM-1900 carrier (ARFCN 512)
# 4G: srsRAN 4G ships a cell-search example (built, not installed: run from the build dir)
./lib/examples/cell_search -b 2    # AT&T Band 2 (1930–1990MHz DL)
./lib/examples/cell_search -b 4    # T-Mobile Band 4 (2110–2155MHz DL)
# Or use Flipper Zero + 5G board for quick field scan before setting up laptop
Immediate Setup Checklist
Cross-References
- Support_Hardware_Pixel9 — Pixel 9 root + tool setup
- Theory_Threat_Model — Full threat model this lab supports
- Research_NAS_Fuzzing — Penn State NAS attacks to replicate
Sources: Ettus Research USRP B200 Series Documentation · AD9361 Datasheet (Analog Devices) · srsRAN Documentation · OpenAirInterface5G GitLab · OpenSourceSDRLab FlipperZero5G