29C3 – Further hacks on the Calypso platform

In this presentation from the just concluded 29C3 conference in Hamburg, Germany, speaker Sylvain Munaut explains how to turn a cellphone into a BTS.

The Calypso baseband and its companion chips are used in the Motorola C123, among others, and are now well known for being supported by the Osmocom-BB open source GSM baseband implementation. A couple of years ago, it was hacked a little further by using it as a raw-bits capture device, allowing the interception of GSM traffic very cheaply.

This talk will present some further work on that platform, showing that just because a device wasn’t designed for a given task doesn’t mean it can’t do it. More specifically, it shows how you can hack this phone to act as a GSM basestation and broadcast your own network.

For additional info on hacking the Motorola C123, see the OsmocomBB C123 page.

Join the Conversation


  1. Well, the last events 27c3, 28c3 and deepsec talks from these guys have been full of shit about all code they have and which they say they will release and then afterward they don't release it after all. And yes, I am talking about their maximal-stripped down osmocombb-version, so much for opensource. And their mail-forum is a joke, harassing many newbies asking polite questions. Why expect newbies to be able to reinvent the wheel? Osmocom: If authorities have forced you to not post your findings, then just say so on your web-page. As it is now, it more looks like a closed fan-club.

    1. I think you have the wrong idea about the whole project. If you have spent some time reading the wiki, the whole purpose of the project is not sniffing or doing illegal stuff. I hope you have heard that listening to other people’s phone calls is illegal. If you will spend some time with this project, you will find out that this is the most interesting project at the moment. It’s exactly what you said. Reinventing the wheel. In the last 30 years or so, this is the only project that can affect so many people. We are talking about billions of users who still use GSM and this will be used for 20 years more. This project is to make a totally free baseband implementation of GSM and make phone calls more secure.
      Also I do not think that the people of osmocom are harassing anyone. Myself, who am always in the IRC, spend a lot of time explaining to new people about the project and help them on how to start. But most of new people are asking the same big question “How to sniff”. Well…that’s not going to happen. But if you want to learn how GSM works, this is the best place in the right time to be.

      1. Totally agree.

        I am also following the osmocom-bb mailing list and the only posters who are “harassed” are the ones who keep whining about “when will you release the sniffing code” or even try to get that by detoured questions. It was clearly stated from the beginning that this code would NEVER be released.

        All the other code is opensource and available from here: http://cgit.osmocom.org/cgit/

        GSM specs ARE VERY complex
        Osmocom is a complex project
        it’s not a “firefox/vlc” class project, ready to use for anyone
        it’s a bunch of very interesting code implementing complex protocols whose implementations were kept hidden for years.
        Anyone wanting to become involved in the project has to read the source and work to understand it. It’s not a ready to use project with downloadable and packaged binaries for linux, windows and mac.

        and I don’t think these are polite newbie questions:

        But this is a polite answer, the poster was not harassed:

    2. 1) The only presentation done at deepsec in 2010 didn’t mention anything about code availability AFAIR. I’ve always said the imsi detach attack was trivial to implement for anyone familiar with GSM (and by trivial, it’s really 30 sec !). And the sniff demo at deepsec used the _exact_ code that has been in the burst_ind branch.

      2) At 27C3, it was made very clear what was available and what not in the follow-up mail. The only piece that wasn’t published and should have been was the audio conversion tool (the one I used was based on code I couldn’t publish because of a license issue, so I had to rewrite it) and I got so fed up with all the harassment at the time from people like you that I just dropped all work on that …

      For the main branch of osmocom-bb, all the info and code is on wiki/git. For the sniffing code, I don’t expect newbies to re-invent the wheel … I expect them not to use it, it’s been clearly targeted at GSM security researchers.

      3) At 28C3, the only thing the osmocom team showed was the Osmo-GMR project and everything is available on the git. Some other people might have shown stuff using the C123 but that’s not from osmocom. Since the code is available, other research teams are basing their attacks on our codebase and what to publish or not is their decision.

      4) About “harassing newbies”. If you clearly show that you didn’t take a few moments out of your day to read the doc and mailing list, why should we take time out of ours to help you? The wiki has a list of “pre-requirements” that should be fulfilled before even trying to run osmocom-bb, it’s not targeted at users that just booted an ubuntu CD for the first time. When learning to swim you don’t just jump in the middle of the Atlantic and try swimming to shore …

    1. In any case you’re always better off with a USRP. It’s a much more flexible and powerful device. Given it’s about 50 times as expensive, it comes as no surprise. And if you don’t like those projects, don’t use them … no one is forcing you.

  2. Hello..
    I like to help coding..

    but my confusions came from hardware level
    1. is hackrf able to do openbts.
    2. is an android phone used as host.
    3. is hardware available for low price for students like me.
    4. I will buy motorola if openbts works on it.
    4. but I am stuck because what hw modification I should do in motorola.

    there are no info regarding these
