W00t3k
Awesome-Cellular-Hacking

Awesome-Cellular-Hacking

Last updated Jul 10, 2026
3.9k
Stars
665
Forks
1
Issues
+102
Stars/day
Attention Score
98
Language breakdown
No language data available.
โ–ธ Files click to expand
README

Awesome Cellular Hacking

A comprehensive curated list of resources for 2G/3G/4G/5G cellular security research and analysis

This repository consolidates community knowledge in the cellular security space, including exploits, research papers, tools, and educational resources. The goal is to preserve and organize important security research that might otherwise become difficult to find.

Disclaimer: This information is intended for educational and defensive security research purposes only. Use responsibly and in compliance with applicable laws and regulations.

Table of Contents


Getting Started

New to cellular security research? This section outlines the recommended path for building foundational skills.

Skill Levels

Beginner (passive listening only)

  • Hardware: RTL-SDR V3 or V4 ($35-$40), a laptop running Linux
  • Software: GNU Radio, GQRX, gr-gsm
  • First project: Scan and decode GSM frames passively using gr-gsm and Wireshark
  • Reading: NIST SP 800-187 LTE Security Guide
Intermediate (active research lab)
  • Hardware: HackRF One or LimeSDR Mini ($139-$350), programmable SIM cards (sysmoUSIM), a spare Android device
  • Software: srsRAN 4G, Open5GS or Free5GC, OsmocomBB
  • First project: Build a private LTE network in a Faraday cage and connect a test device
  • Reading: srsRAN documentation, Open5GS tutorials
Advanced (protocol fuzzing and baseband research)
  • Hardware: USRP B210 or BladeRF 2.0, multiple test devices
  • Software: 5GBaseChecker, LTEFuzz, BaseBridge, SigPloit
  • Focus areas: Baseband fuzzing, RAN-Core interface testing, SS7/Diameter signaling

Lab Setup Checklist

  • [ ] Linux host (Ubuntu 22.04 or 24.04 recommended)
  • [ ] UHD drivers installed and device recognized (uhdfinddevices)
  • [ ] Faraday cage or RF shielding for active transmissions
  • [ ] Programmable SIM cards (sysmoUSIM-SJA2 or similar)
  • [ ] Dedicated test devices (not your daily driver)
  • [ ] Isolated network environment (no production network access)

Key Concepts to Understand First


Rogue Base Stations

GSM/CDMA Traffic Impersonation and Interception

Guide to creating a portable GSM BTS for private networks or security testing. Covers technical setup using relatively inexpensive hardware. Tutorial for setting up a 4G/LTE Evil Twin base station using srsRAN and USRP SDR devices. Detailed analysis of GSM base station impersonation using SDR and open source tools. Step-by-step guide for using RTL-SDR to analyze GSM signals with GR-GSM/Airprobe and Wireshark. NCC Group research on GSM/GPRS interception capabilities for penetration testing engagements.

Recent Updates (2024-2025)

New Research (2025)

Researchers disclosed 119 vulnerabilities (97 CVEs) across seven LTE and three 5G implementations including Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, srsRAN. Every flaw can be used to persistently disrupt city-wide cellular communications. Some require no SIM card โ€” a single unauthenticated packet can crash an MME or AMF. KAIST researchers identified a new class of uplink attacks against LTE core networks. Unlike traditional downlink attacks, these work through legitimate base stations and can affect anyone in the same MME coverage area. All four tested implementations (Open5GS, srsRAN, Amarisoft, Nokia) were vulnerable. New research on exploiting protocol tunneling in 5G networks to cross network boundaries and reach components that should be isolated. Bridges the gap between over-the-air and emulation-based testing for cellular baseband firmware analysis. Comprehensive classification of attacks across orchestration, virtualization, and inter-slice communication layers in 5G. In-depth review of PHY layer attack surface in 4G/5G: jamming, spoofing, eavesdropping, pilot contamination, and current SDR-based research tooling.

Base Station Software and Tools (Updated)

  • OpenBTS 2024 Reloaded โ€” Updated for modern UHD drivers and Ubuntu 22.04/24.04
  • OpenAirInterface (OAI) โ€” Complete 3GPP Release-15+ implementation with active 5G development
  • LimeNET CrowdCell โ€” Network-in-a-box with integrated LimeSDR for small cell deployments
  • Amarisoft LTEENB/gNB โ€” Professional-grade LTE/5G NR base station software
  • DragonOS โ€” Ubuntu-based SDR distro with cellular tools pre-installed
  • Magma Core Network โ€” Meta's distributed packet core, now under the Linux Foundation
  • 5GBaseChecker โ€” Automated 5G baseband vulnerability detection tool

Software and Tools

Base Station Software

| Software | Description | Link | |----------|-------------|------| | OpenBTS (2024 Reloaded) | Updated Linux SDR-based GSM air interface for modern systems | GitHub | | OpenBTS (Original) | Range Networks implementation | SourceForge | | YateBTS | GSM/GPRS radio access network implementation | Website | | srsRAN Project | Open-source 5G O-RAN CU/DU software suite | GitHub | | srsRAN 4G | Open-source 4G software radio suite | GitHub | | OpenAirInterface | Complete 4G/5G protocol stack | Website | | Free5GC | Open-source 5G core network implementation | GitHub | | Kamailio | Open-source SIP server used in IMS/VoLTE labs | Website |

Configuration Guides

Analysis Tools

  • LTE-Cell-Scanner โ€” LTE cell detection and analysis
  • gr-gsm โ€” GSM analysis with GNU Radio
  • IMSI-Catcher Detector โ€” Android app for detecting IMSI catchers
  • QCSuper โ€” Capture 2G-4G traffic using Qualcomm phones
  • 5GBaseChecker โ€” Automated 5G baseband vulnerability detection (Penn State, 2024)
  • FALCON LTE โ€” Fast analysis of LTE control channels in real-time
  • Kalibrate โ€” GSM base station scanner and frequency calibration
  • LTE Sniffer โ€” Open-source LTE downlink/uplink eavesdropper
  • OsmocomBB โ€” Free firmware for mobile phone baseband processors
  • Modmobmap โ€” Mobile network mapping
  • Modmobjam โ€” Mobile jamming research tool
  • CITesting โ€” Systematic testing of context integrity violations in LTE core networks (KAIST, 2025)
  • SigPloit โ€” SS7/Diameter/GTP/SIP signaling security testing framework
  • LTEFuzz โ€” LTE protocol fuzzer from KAIST, predecessor to CITesting; generates malformed NAS/RRC messages
  • Crocodile Hunter โ€” EFF open-source tool for detecting rogue cell towers by wardriving
  • SCAT โ€” Signaling Collection and Analysis Tool; captures diagnostic logs from Qualcomm and Samsung basebands
  • ss7map โ€” SS7 network exposure mapping by P1 Security
  • Diameter EAP Tool (DET) โ€” Diameter protocol fuzzing and testing
  • Osmocom Suite โ€” Complete open-source GSM/GPRS stack: osmo-nitb, osmo-bts, osmo-sgsn, osmo-msc and more

Hardware Setup

USRP Installation on Linux

# Add Ettus Research repository
sudo add-apt-repository ppa:ettusresearch/uhd
sudo apt-get update

Install UHD drivers and tools

sudo apt-get install libuhd-dev libuhd003 uhd-host

Find connected devices

uhdfinddevices

Download firmware images

cd /usr/lib/uhd/utils/ ./uhdimagesdownloader.py

Test device connection

sudo uhdusrpprobe

SDR Hardware Options

| Hardware | Frequency Range | Bandwidth | Price Range | Use Case | Link | |----------|----------------|-----------|-------------|----------|------| | Ettus Research (USRP) | | | | | | | USRP B210 | 70 MHz - 6 GHz | 61.44 MHz | $2,100 | Professional development, 2x2 MIMO | Ettus | | USRP B200mini | 70 MHz - 6 GHz | 61.44 MHz | $775 | Compact USRP B-series | Ettus | | USRP N210 | DC - 6 GHz | 25 MHz | $1,700 | High-performance networked SDR | Ettus | | USRP N320 | 1 MHz - 6 GHz | 200 MHz | $8,000 | Networked 2x2 MIMO | Ettus | | USRP X310 | DC - 6 GHz | 160 MHz | $6,000 | High-performance desktop/rack | Ettus | | USRP X410 | 1 MHz - 7.2 GHz | 400 MHz | $15,000 | Latest high-performance 4x4 MIMO | Ettus | | USRP X440 | 30 MHz - 4 GHz | 1.6 GHz | $25,000+ | Latest 8x8 MIMO RFSoC platform | Ettus | | USRP E320 | 70 MHz - 6 GHz | 56 MHz | $4,000 | Embedded 2x2 MIMO SDR | Ettus | | Nuand (BladeRF) | | | | | | | BladeRF 2.0 xA4 | 47 MHz - 6 GHz | 61.44 MHz | $420 | Budget 2x2 MIMO development | Nuand | | BladeRF 2.0 xA9 | 47 MHz - 6 GHz | 61.44 MHz | $720 | High FPGA resources, 2x2 MIMO | Nuand | | BladeRF x40 (Legacy) | 300 MHz - 3.8 GHz | 40 MHz | $400 | Entry-level legacy model | Nuand | | Great Scott Gadgets | | | | | | | HackRF One | 1 MHz - 6 GHz | 20 MHz | $350 | Budget TX/RX development | GSG | | YARD Stick One | 300-348, 391-464, 782-928 MHz | 2.5 MHz | $110 | Sub-GHz IoT frequencies | GSG | | Lime Microsystems | | | | | | | LimeSDR USB | 100 kHz - 3.8 GHz | 61.44 MHz | $289 | Open-source 2x2 MIMO | Lime Micro | | LimeSDR Mini | 10 MHz - 3.5 GHz | 30.72 MHz | $139 | Compact LimeSDR variant | Lime Micro | | LimeSDR Mini 2.0 | 10 MHz - 3.5 GHz | 30.72 MHz | $169 | Updated with ECP5 FPGA | Lime Micro | | LimeSDR X3 | Various bands | Up to 61.44 MHz | $3,000+ | Professional 3x transceiver PCIe | Lime Micro | | Analog Devices | | | | | | | PlutoSDR | 325 MHz - 3.8 GHz | 20 MHz | $150 | Education and learning platform | Analog Devices | | RTL-SDR Blog | | | | | | | RTL-SDR V3 | 500 kHz - 1.75 GHz | 3.2 MHz | $35 | Ultra-budget RX-only scanner | RTL-SDR | | RTL-SDR V4 | 500 kHz - 1.75 GHz | 3.2 MHz | $40 | Latest with R828D tuner | RTL-SDR | | Airspy | | | | | | | Airspy R2 | 24 MHz - 1.8 GHz | 10 MHz | $200 | High-performance VHF/UHF scanner | Airspy | | Airspy Mini | 24 MHz - 1.8 GHz | 6 MHz | $99 | Compact Airspy in dongle format | Airspy | | Airspy HF+ Discovery | 9 kHz - 31 MHz, 60-260 MHz | 768 kHz | $169 | Dedicated HF reception | Airspy | | SDRplay | | | | | | | RSP1A | 1 kHz - 2 GHz | 10 MHz | $119 | Wideband general purpose | SDRplay | | RSPdx | 1 kHz - 2 GHz | 10 MHz | $299 | Professional features, dual antenna | SDRplay | | Red Pitaya | | | | | | | STEMlab 125-14 | DC - 60 MHz | 50 MHz | $600 | HF transceiver, lab instrument | Red Pitaya | | STEMlab 122-16 | DC - 50 MHz | Variable | $625 | High-resolution HF SDR/scope | Red Pitaya |

Common SDR Issues and Troubleshooting

| Issue | Possible Causes | |-------|----------------| | Device not detected | Improper firmware, USB connection issues | | Poor signal quality | Incorrect antennas, wrong frequency configuration | | Connection failures | Wrong SIM, incorrect MCC/MNC codes | | Performance issues | Virtualized platform limitations, wrong SDR firmware |


Testing and Research Methodologies

Modern Baseband Fuzzing (2024-2025)

Covers building cost-effective baseband fuzzing rigs using SDRs, using LLMs to accelerate protocol parser development, and testing automotive ECUs, payment terminals, and mobile devices. Domain-informed fuzzing approach targeting RAN-Core interfaces. Discovered 119 vulnerabilities across ten network implementations. Framework that bridges over-the-air and emulation-based testing for cellular baseband firmware.

Vulnerability Research Tools

  • 5GBaseChecker โ€” Automated 5G baseband vulnerability detection
  • CITesting โ€” Context integrity violation testing for LTE core networks
  • certmitm โ€” TLS implementation testing tool

Attack Vectors

Radio Jamming Attacks

From NIST SP 800-187:

  • Smart Jamming โ€” Targeted channel interference timed to avoid detection
  • Dumb Jamming โ€” Broadband noise across frequency ranges
  • UE Interface Jamming โ€” Preventing UE signaling to eNodeB
  • eNodeB Interface Jamming โ€” Disrupting base station communications

5G Security Research

LTE/4G Security Research


Conference Talks

ACM CCS 2025

New class of uplink attacks against LTE core networks that work through legitimate base stations โ€” no rogue BTS required. All four tested implementations were vulnerable, including commercial systems from Nokia and Amarisoft. Demonstrates how attackers can use protocol tunneling to traverse network boundaries and reach isolated 5G components.

IEEE S&P 2025

New framework for cellular baseband firmware security testing that combines emulation and OTA testing approaches.

Black Hat USA 2024

Researchers disclosed 12 vulnerabilities in 5G basebands from Samsung, MediaTek, and Qualcomm, affecting devices from Google, OPPO, OnePlus, Motorola, and Samsung. Accompanied by the release of the 5GBaseChecker tool.

DefCon 32 (2024)

Making baseband fuzzing accessible with affordable SDR hardware. Covers LLM-assisted protocol parser development and vulnerability discovery across automotive ECUs, payment terminals, and cellular modems.

Black Hat USA 2022

Black Hat USA 2021

Black Hat USA 2020

Additional Conference Resources


Research Papers

2025

KAIST's CITesting tool runs thousands of test cases against LTE core implementations, dwarfing the 31-case coverage of prior tooling (LTEFuzz). All four tested implementations contained CIV vulnerabilities. First comprehensive security analysis of Apple's satellite communication features. Researchers reverse-engineered the proprietary protocol, demonstrated restriction bypasses, and built a simulation testbed covering Emergency SOS, Find My, roadside assistance, and iMessage over satellite.

2024

119 vulnerabilities, 97 CVEs, across ten implementations. Any one of them enables city-wide disruption of cellular communications. Comprehensive review of PHY-layer attack surface covering eavesdropping, jamming, spoofing, pilot contamination, and SDR-based research frameworks. Open-source tool for detecting vulnerabilities in 5G baseband implementations. Used to find 12 critical bugs in Samsung, MediaTek, and Qualcomm chipsets.

2019-2023

Three new attack classes exploiting unprotected device capability information: identification, bidding-down, and battery drain.

Equipment and Hardware

Research Equipment Used in "Over The Air Baseband Exploit"

| Component | Purpose | Link | |-----------|---------|------| | Ettus USRP B210 | Software Defined Radio | Product Page | | srsENB | 4G/5G Base Station Software | GitHub | | Open5GS | 5G Core Network | GitHub | | sysmo-usim-tool | SIM Programming | Project Page | | pysim | SIM Analysis Tool | GitHub | | CoIMS | VoLTE Testing | Play Store | | Docker Open5GS | Containerized Core | Tutorial |


Detection and Defense

Protection from Stingrays and IMSI Catchers

iOS app that detects rogue base stations by analyzing baseband packets in real-time. Integrates with the Apple Cell Location Database for anomaly detection. Website โ€” TestFlight Beta

IMSI Catcher Detection and Research

Security Advisories


Cellular IoT and NB-IoT Security


Satellite-Cellular Integration


Private 5G Network Security


Network Slicing and Edge Security


Automotive and Industrial Cellular


Forensics and Investigation


Vulnerability Disclosure


SIM Security


SS7 and Telecom Infrastructure

SS7 Attack Research

SS7/Diameter Testing Tools

  • SigPloit โ€” Modular testing framework for SS7, Diameter, GTP, and SIP; covers location tracking, call/SMS interception, and DoS scenarios
  • ss7map โ€” Automated SS7 network topology and exposure mapper
  • SCTP scanner โ€” Discovers SCTP-based SS7 endpoints on IP networks

Surveillance Technology

Stingray / IMSI Catchers


Recent CVEs and Updates


International Research


Training and Education


Vendor-Specific Research


Roaming and Interconnect Security


Resources

Development and Analysis Tools

Research Collections

Legal and Regulatory

Additional Reading


Community

Mailing Lists and Forums

IRC and Chat

  • Osmocom IRC โ€” #osmocom on libera.chat; real-time support for Osmocom tools
  • DEF CON RF Village โ€” Annual RF hacking community track at DEF CON

Conferences to Follow

  • DEF CON โ€” RF Village, Wireless Village, and main track cellular talks
  • Black Hat USA/Europe โ€” Regular cellular/baseband research presentations
  • WiSec โ€” ACM Conference on Security and Privacy in Wireless and Mobile Networks
  • IEEE S&P / CCS / USENIX Security โ€” Top-tier academic venue for cellular security papers
  • HITB โ€” Regular telecom security talks

Contributing

Fork the repo, add resources with descriptions, verify links are active, and submit a pull request with context on what was added.

Legal Notice

This repository is for educational and research purposes only. Users are responsible for complying with all applicable laws and regulations. The maintainers do not endorse or encourage illegal activities.


Last Updated: March 2026 Maintainer: @W00t3k

Broken links or new resources? Open an issue or submit a PR.

๐Ÿ”— More in this category

ยฉ 2026 GitRepoTrend ยท W00t3k/Awesome-Cellular-Hacking ยท Updated daily from GitHub