0. Reference
This document is for educational and defensive security research purposes only.
All techniques described herein are analyzed in a controlled lab environment using your own equipment and licensed test SIMs. Applying any of these techniques to real-world cellular infrastructure, third-party devices, or spectrum you do not own is illegal under US federal law, including:
- 47 U.S.C. § 333 — Prohibits interference with radio communications. RF jamming is illegal for all private parties and state/local law enforcement with no exceptions. The FCC has imposed fines exceeding $34 million for marketing jamming devices.
- 47 U.S.C. § 301 — Requires an FCC license to transmit on licensed spectrum. Operating a fake base station (eNodeB/gNB) on live cellular frequencies without authorization violates this statute.
- 47 U.S.C. § 605 — Prohibits unauthorized interception of radio communications not intended for the recipient.
- 18 U.S.C. § 2511 (Wiretap Act) — Prohibits intentional interception of electronic communications, including voice (VoLTE/RTP) and data.
- 18 U.S.C. § 1029 — Prohibits fraud involving access devices. SIM cards are federally defined access devices; cloning, unauthorized key extraction, and related acts are federal crimes.
- 18 U.S.C. § 1030 (CFAA) — Prohibits unauthorized access to computer systems, including telecom signaling infrastructure (Diameter, GTP, SBI APIs).
Lab use requirements: All radio experiments must be conducted in an RF-shielded environment (Faraday cage) using test SIMs provisioned in your own Open5GS/srsRAN lab. No transmission on live cellular bands is permitted without an FCC experimental license.
This document does not constitute legal advice. Consult a licensed attorney before conducting any security research involving radio spectrum or telecommunications infrastructure.
For a hands‑on, lab‑oriented understanding of 3G/4G/5G (similar to Open5GS docs), use resources that combine architecture explanations with runnable cores/RAN and realistic topologies.
Open‑source core & RAN stacks
- Open5GS Documentation – full 4G/5G core (EPC/5GC) with user’s guide, tutorials, lab setups, Kubernetes deployments, roaming, SBI mTLS, and monitoring examples.
- UERANSIM – open‑source 5G/LTE UE and RAN simulator that pairs well with Open5GS for end‑to‑end attach, PDU sessions, and traffic tests (often used in “My first 5G Core : Open5GS and UERANSIM”).
- srsRAN – open‑source 4G/5G RAN and UE stack; works with Open5GS and includes eUPF/eBPF sample integrations.
- OpenAirInterface – full RAN and UE implementations, with sample configs for Open5GS EPC/5GC integration.
Lab‑focused 4G/5G tutorials
- My first 5G Core : Open5GS and UERANSIM – step‑by‑step guide to building a minimal 5G core plus simulated RAN/UE, covering registration, PDU sessions, and traffic generation.
- Open5GS EPC & OpenAirInterface UE/RAN Sample configuration – concrete 4G EPC lab tying MME/SGW/PGW with OAI eNodeB/UE.
- Open5GS 5GC & UERANSIM UE/RAN Sample Configuration – 5G SA lab with AMF/SMF/UPF and UERANSIM gNB/UE, good for tracing NAS, NGAP, and GTP‑U.
Cloud‑native / Kubernetes deployments
- Open5GS on Amazon Elastic Kubernetes Service – shows how to run 5GC/EPC on EKS with appropriate networking and storage.
- Kubernetes Open5GS Deployment – generic k8s configs and patterns for deploying core components as microservices.
- Building a Cloud‑Native 5G Roaming Architecture with Open5GS – multi‑operator topology, roaming NFs, and SBI‑based interconnection.
- @gradiant helm charts – opinionated Helm charts for Open5GS and related components.
- @gradiant operator – Kubernetes operator for managing 5G core lifecycle declaratively.
Advanced core topics
- 5G Core SBI mTLS Using External Certificate PKI – concrete config for securing service‑based interfaces via mutual TLS.
- 5G SCTP LoadBalancer Using LoxiLB – demonstrates SCTP‑aware load‑balancing for N2/N3 using @loxilb data‑plane LB.
- 5G Frame Routing and Frame Routing – examples for steering user‑plane traffic across multiple UPFs.
- VPP‑UPF with DPDK – higher‑performance UPF implementation and integration notes.
- UERANSIM with eUPF(eBPF/XDP UPF) and srsRAN with eUPF(eBPF/XDP UPF) – eBPF/XDP‑based UPF labs for programmable data‑plane experiments.
LTE/EPC and interworking specifics
- Basics of EPC/LTE Online Charging (OCS) – explains online charging flows and Diameter interactions in LTE cores.
- Diameter Routing Agents - Part 1, Part 2, Part 3 – multi‑part series on building and using DRAs between core elements.
- OsmoMSC and Open5GS MME – SGs Interface for CSCF / InterRAT Handover and Sending SMS in Open5GS LTE Networks using the SGs Interface and OsmoMSC – show CSFB/SMS over SGs and inter‑RAT details.
- VoLTE and SMS Configuration for docker_open5gs – practical VoLTE/SMS core configuration in containerized setups.
If helpful, a next step could be a staged path like: UERANSIM+Open5GS on a single VM → add srsRAN/OAI with SDR → migrate to k8s with the gradiant charts/operator, tying each lab back to the 3GPP architecture concepts.
- https://open5gs.org/open5gs/docs/
- https://open5gs.org/open5gs/docs/guide/01-quickstart/
- https://medium.com/rahasak/5g-core-network-setup-with-open5gs-and-ueransim-cd0e77025fd7
- https://gitlab.eurecom.fr/oai/openairinterface5g/-/tree/develop/doc
- https://github.com/aligungr/UERANSIM/wiki/Tutorials-and-Other-Resources
- https://docs.srsran.com/en/latest/
- https://github.com/aligungr/UERANSIM
- https://github.com/niloysh/open5gs-k8s
- https://gradiant.github.io/5g-charts/
- https://github.com/open5gs/open5gs/discussions/2259
- https://docs.loxilb.io/perf/
- https://docs.loxilb.io/main/
- https://docs.fra.me/platform/networking/sga/sga-install/
- https://qiita.com/s5uishida/items/fc5f4e1c394c9f5dd181
- https://www.lcnpl.com/downloads/LCN-DRA.pdf