[{"data":1,"prerenderedAt":1668},["ShallowReactive",2],{"/setting-up-private-lte-5g-lab/":3,"related-setting-up-private-lte-5g-lab":1667},{"id":4,"title":5,"author":6,"authorName":6,"category":6,"date":6,"description":6,"extension":7,"image":6,"imageAlt":6,"lastModified":6,"meta":8,"readingTime":6,"severity":6,"stem":1665,"__hash__":1666,"body":9},"articles/setting-up-private-lte-5g-lab.md","Setting Up Private Lte 5g Lab",null,"md",{"body":9},{"type":10,"value":11,"toc":1656},"minimark",[12,15,20,24,38,41],[13,14],"hr",{},[16,17,19],"h2",{"id":18},"title-setting-up-a-private-lte5g-environmentdescription-telcosec-private-5g-security-research-lab-setup-usrp-b210-hardware-open5gs-srsran-faraday-cage-requirements-and-rf-legal-compliance-step-by-step-guidedate-2024-03-03lastmodified-2026-05-15author-ruben-f-silvaauthorname-telcosec-researchcategory-transmissions_attacksseverity-mediumimage-imagesarticlesprivate-lab-herowebpimagealt-private-5g-lab-setup-for-security-research-sdr-and-hardware-provisioningreadingtime-22","title: \"Setting up a Private LTE/5G Environment\"\ndescription: \"TelcoSec private 5G security research lab setup: USRP B210 hardware, Open5GS, srsRAN, Faraday cage requirements, and RF legal compliance step-by-step guide.\"\ndate: \"2024-03-03\"\nlastModified: \"2026-05-15\"\nauthor: \"Ruben F. Silva\"\nauthorName: \"TelcoSec Research\"\ncategory: \"TRANSMISSIONS_ATTACKS\"\nseverity: \"MEDIUM\"\nimage: \"/images/articles/private-lab-hero.webp\"\nimageAlt: \"Private 5G Lab Setup for Security Research - SDR and Hardware Provisioning\"\nreadingTime: 22",[21,22,23],"p",{},"Getting hands-on experience in telecommunications security is notoriously difficult. Unlike web application hacking, where environments can be spun up in Docker with a single command, cellular protocols operate in licensed spectrum and require specialized hardware. The barrier to entry — regulatory compliance, expensive SDR hardware, and arcane protocol knowledge — has historically limited telecom security research to well-funded nation-state programs and a handful of academic groups.",[21,25,26,27,32,33,37],{},"That barrier is falling. Open-source 5G implementations, affordable software-defined radios, and containerized core networks have democratized access to cellular security research infrastructure. A functional 4G/5G test environment can now be built for under $2,000, enabling independent researchers to study everything from ",[28,29,31],"a",{"href":30},"/signaling/ss7/","SS7"," vulnerabilities interception to ",[28,34,36],{"href":35},"/baseband-exploitation-modern-smartphones/","baseband exploitation in smartphones"," without touching a single production network.",[21,39,40],{},"This guide provides a comprehensive, step-by-step methodology for building a research-grade private LTE and 5G SA lab — from hardware procurement and RF shielding through core network deployment, SIM provisioning, and security research applications.",[42,43,46,47,54,72,76,79,84,87,235],"info-callout",{"type":44,"title":45},"hazard","Legal Compliance Warning","\nOperating cellular equipment in licensed spectrum without a license is illegal in virtually all jurisdictions. A Faraday cage or RF-shielded enclosure is mandatory to prevent signal leakage and avoid interference with commercial networks. Violation can result in significant fines and criminal prosecution from spectrum regulators (FCC in the US, Ofcom in the UK, ARCEP in France). Always verify your local regulations before transmitting.\n\n",[48,49],"lead-magnet",{"ctaTitle":50,"description":51,"tag":52,"title":53},"GET BOM LIST","Download the complete Bill of Materials and wiring diagrams for a production-grade 5G SA research lab (PDF).","lab_lead_magnet","BLUEPRINT: 5G Lab Hardware BOM",[21,55,56,57,61,62,66,67,71],{},"In this guide, we will walk through setting up a basic ",[28,58,60],{"href":59},"/5g-network-security-architecture/","5G Standalone"," (SA) and 4G LTE lab using accessible Software-Defined Radios (SDRs) and open-source core network implementations. For context on the protocols and network functions deployed here, refer to our ",[28,63,65],{"href":64},"/vulnerabilities-in-5g-sba/","5G SBA vulnerabilities"," research and ",[28,68,70],{"href":69},"/signaling/diameter/","Diameter"," security analysis.",[16,73,75],{"id":74},"hardware","I. Hardware Requirements",[21,77,78],{},"Building a lab requires balancing cost against capability. The following sections detail the three critical hardware components: radio hardware, compute infrastructure, and user equipment.",[80,81,83],"h3",{"id":82},"sdr","1. The Software-Defined Radio (SDR)",[21,85,86],{},"The SDR acts as your Base Station (eNodeB for 4G, gNodeB for 5G). SDR selection is the single most consequential hardware decision — it determines which protocols you can run, signal stability, and maximum bandwidth.",[88,89,90,118],"table",{},[91,92,93],"thead",{},[94,95,96,100,103,106,109,112,115],"tr",{},[97,98,99],"th",{},"SDR",[97,101,102],{},"Price Range",[97,104,105],{},"Full Duplex",[97,107,108],{},"Max Bandwidth",[97,110,111],{},"LTE Support",[97,113,114],{},"5G NR Support",[97,116,117],{},"Recommendation",[119,120,121,145,167,190,214],"tbody",{},[94,122,123,127,130,133,136,139,142],{},[124,125,126],"td",{},"RTL-SDR v3",[124,128,129],{},"$25-35",[124,131,132],{},"No (RX only)",[124,134,135],{},"2.4 MHz",[124,137,138],{},"Sniffing only",[124,140,141],{},"No",[124,143,144],{},"Passive monitoring only",[94,146,147,150,153,156,159,162,164],{},[124,148,149],{},"HackRF One",[124,151,152],{},"$300-350",[124,154,155],{},"No (half-duplex)",[124,157,158],{},"20 MHz",[124,160,161],{},"Unstable",[124,163,141],{},[124,165,166],{},"2G/3G research",[94,168,169,172,175,178,181,184,187],{},[124,170,171],{},"bladeRF 2.0 micro",[124,173,174],{},"$480-750",[124,176,177],{},"Yes",[124,179,180],{},"56 MHz",[124,182,183],{},"Good",[124,185,186],{},"Basic NSA",[124,188,189],{},"Budget active lab",[94,191,192,195,198,200,202,205,208],{},[124,193,194],{},"USRP B210",[124,196,197],{},"$800-1,200",[124,199,177],{},[124,201,180],{},[124,203,204],{},"Excellent",[124,206,207],{},"SA & NSA",[124,209,210],{},[211,212,213],"strong",{},"Recommended standard",[94,215,216,219,222,224,227,229,232],{},[124,217,218],{},"USRP X310",[124,220,221],{},"$4,000-6,000",[124,223,177],{},[124,225,226],{},"160 MHz",[124,228,204],{},[124,230,231],{},"Full SA",[124,233,234],{},"Professional/multi-cell",[42,236,239,240,245,246,252,280,284,287,292,396,402,406,409,429,432,436,439,474,477,479,483,486,490,620,624,717,786,788,792,796,799,802,807,810,814,817,821,824,828,831,846,849,853,855,861,865,870,874,879,883,888,892,897],{"type":237,"title":238},"note","SDR Selection Guidance","\nFor serious security research — especially [baseband exploitation in smartphones](/baseband-exploitation-modern-smartphones/) and protocol analysis — the ",[241,242,194],"span",{"className":243},[244],"text-glow"," is the minimum viable platform. It provides the stable full-duplex operation required by LTE and 5G timing requirements, while remaining affordable for independent researchers.\n\n",[21,247,248,251],{},[211,249,250],{},"Antennas:"," Match your antennas to your target frequencies. Common research bands:",[253,254,255,262,268,274],"ul",{},[256,257,258,261],"li",{},[211,259,260],{},"LTE Band 7 (2.6 GHz):"," Widely used in European deployments",[256,263,264,267],{},[211,265,266],{},"LTE Band 3 (1.8 GHz):"," Global mid-band coverage",[256,269,270,273],{},[211,271,272],{},"5G n78 (3.5 GHz):"," Primary 5G NR mid-band globally",[256,275,276,279],{},[211,277,278],{},"5G n77 (3.3-4.2 GHz):"," Extended C-band range",[80,281,283],{"id":282},"compute-node","2. The Compute Node",[21,285,286],{},"You need a dedicated machine to run the Core Network and the RAN software simultaneously. Virtualization adds latency that disrupts real-time radio processing, so bare-metal is preferred for the RAN component.",[288,289,291],"h4",{"id":290},"minimum-specifications","Minimum Specifications",[88,293,294,310],{},[91,295,296],{},[94,297,298,301,304,307],{},[97,299,300],{},"Component",[97,302,303],{},"LTE-Only Lab",[97,305,306],{},"5G SA Lab",[97,308,309],{},"Multi-Cell Lab",[119,311,312,326,340,354,368,382],{},[94,313,314,317,320,323],{},[124,315,316],{},"CPU",[124,318,319],{},"4 cores, 3.0 GHz",[124,321,322],{},"8 cores, 3.5 GHz",[124,324,325],{},"16 cores, 3.5 GHz",[94,327,328,331,334,337],{},[124,329,330],{},"RAM",[124,332,333],{},"8 GB",[124,335,336],{},"16 GB",[124,338,339],{},"32 GB",[94,341,342,345,348,351],{},[124,343,344],{},"Storage",[124,346,347],{},"50 GB SSD",[124,349,350],{},"100 GB NVMe",[124,352,353],{},"500 GB NVMe",[94,355,356,359,362,365],{},[124,357,358],{},"USB",[124,360,361],{},"USB 3.0 (essential)",[124,363,364],{},"USB 3.0",[124,366,367],{},"USB 3.0 + 10GbE",[94,369,370,373,376,379],{},[124,371,372],{},"OS",[124,374,375],{},"Ubuntu 22.04 LTS",[124,377,378],{},"Ubuntu 22.04/24.04 LTS",[124,380,381],{},"Ubuntu 24.04 LTS",[94,383,384,387,390,393],{},[124,385,386],{},"Kernel",[124,388,389],{},"Default",[124,391,392],{},"Low-latency kernel",[124,394,395],{},"Real-time kernel",[21,397,398,401],{},[211,399,400],{},"Critical:"," USB 3.0 is non-negotiable. USB 2.0 cannot sustain the data rates required by the USRP B210 (>30 MB/s continuous), causing sample drops that crash the RAN stack.",[80,403,405],{"id":404},"rf-shielding","3. RF Shielding",[21,407,408],{},"Before any transmission, you must contain your signal. Options range from DIY to professional:",[253,410,411,417,423],{},[256,412,413,416],{},[211,414,415],{},"Budget (~$200-500):"," A small Faraday tent or repurposed RF-shielded box (e.g., Ramsey STE-2300). Sufficient for single-cell labs with output power \u003C0 dBm.",[256,418,419,422],{},[211,420,421],{},"Standard (~$1,000-3,000):"," Professional RF shielded enclosure with >80 dB attenuation. Suitable for multi-cell configurations and higher power research.",[256,424,425,428],{},[211,426,427],{},"Professional (~$10,000+):"," Walk-in anechoic chamber with >100 dB attenuation. Required for calibrated measurements and emissions testing.",[21,430,431],{},"Always validate your shielding effectiveness with a spectrum analyzer before transmitting. Even minor shield leakage at commercial cellular frequencies can trigger regulatory enforcement.",[80,433,435],{"id":434},"user-equipment","4. User Equipment (UE)",[21,437,438],{},"You need devices to connect to your private network and tools to provision them.",[253,440,441,451,457,463],{},[256,442,443,446,447,450],{},[211,444,445],{},"Rooted Android Phones:"," A rooted Google Pixel or OnePlus device is ideal. Root access is required to lock the phone to specific bands, read ",[28,448,449],{"href":35},"baseband research"," (using tools like MobileInsight or SCAT), and change network APNs.",[256,452,453,456],{},[211,454,455],{},"Commercial 5G Modules:"," Quectel RM500Q or Sierra Wireless EM9191 provide industrial-grade 5G SA connectivity with AT command access for scripted testing.",[256,458,459,462],{},[211,460,461],{},"Programmable SIM Cards:"," Standard carrier SIMs are locked with secret keys. You must purchase programmable sysmoISIM-SJA5 cards (or similar blank SIMs) and a PC/SC-compliant smart card reader/writer.",[256,464,465,468,469,473],{},[211,466,467],{},"SIM Programming Tools:"," ",[470,471,472],"code",{},"pySim-shell"," (from the Osmocom project) is the standard open-source tool for ISIM provisioning.",[475,476],"diagrams-private-lab-setup-diagram",{},[13,478],{},[16,480,482],{"id":481},"software","II. Software Stack Selection",[21,484,485],{},"The open-source telecom ecosystem is robust. The following table compares the major options:",[80,487,489],{"id":488},"core-network-comparison","Core Network Comparison",[88,491,492,511],{},[91,493,494],{},[94,495,496,499,502,505,508],{},[97,497,498],{},"Feature",[97,500,501],{},"Open5GS",[97,503,504],{},"free5GC",[97,506,507],{},"MagmaCore",[97,509,510],{},"OpenAirInterface (OAI)",[119,512,513,529,544,558,573,589,603],{},[94,514,515,518,521,524,527],{},[124,516,517],{},"Language",[124,519,520],{},"C",[124,522,523],{},"Go",[124,525,526],{},"Python/C++",[124,528,520],{},[94,530,531,534,537,540,542],{},[124,532,533],{},"4G EPC",[124,535,536],{},"✅ Full",[124,538,539],{},"❌",[124,541,536],{},[124,543,536],{},[94,545,546,549,551,553,556],{},[124,547,548],{},"5G Core",[124,550,536],{},[124,552,536],{},[124,554,555],{},"✅ Partial",[124,557,536],{},[94,559,560,563,566,568,571],{},[124,561,562],{},"Web UI",[124,564,565],{},"✅ Subscriber Mgmt",[124,567,539],{},[124,569,570],{},"✅ Orchestrator",[124,572,539],{},[94,574,575,578,581,584,586],{},[124,576,577],{},"Kubernetes",[124,579,580],{},"✅ Helm charts",[124,582,583],{},"✅ Native",[124,585,583],{},[124,587,588],{},"✅ Basic",[94,590,591,594,596,598,600],{},[124,592,593],{},"Documentation",[124,595,204],{},[124,597,183],{},[124,599,183],{},[124,601,602],{},"Technical",[94,604,605,608,611,614,617],{},[124,606,607],{},"Best For",[124,609,610],{},"Security research",[124,612,613],{},"Cloud-native research",[124,615,616],{},"Edge/private nets",[124,618,619],{},"Standards compliance",[80,621,623],{"id":622},"ran-software-comparison","RAN Software Comparison",[88,625,626,641],{},[91,627,628],{},[94,629,630,632,635,638],{},[97,631,498],{},[97,633,634],{},"srsRAN 4G",[97,636,637],{},"srsRAN Project (5G)",[97,639,640],{},"OAI RAN",[119,642,643,656,668,680,691,702],{},[94,644,645,648,651,654],{},[124,646,647],{},"LTE",[124,649,650],{},"✅ Full eNB + UE",[124,652,653],{},"✅ Via 4G module",[124,655,536],{},[94,657,658,661,664,666],{},[124,659,660],{},"5G NSA",[124,662,663],{},"✅",[124,665,663],{},[124,667,663],{},[94,669,670,673,675,678],{},[124,671,672],{},"5G SA",[124,674,539],{},[124,676,677],{},"✅ Full gNB",[124,679,536],{},[94,681,682,685,687,689],{},[124,683,684],{},"USRP Support",[124,686,583],{},[124,688,583],{},[124,690,583],{},[94,692,693,696,698,700],{},[124,694,695],{},"ZMQ (Virtual)",[124,697,663],{},[124,699,663],{},[124,701,663],{},[94,703,704,706,709,714],{},[124,705,607],{},[124,707,708],{},"LTE research",[124,710,711],{},[211,712,713],{},"5G SA security",[124,715,716],{},"Standards research",[718,719,725,761],"grid",{"className":720},[721,722,723,724],"grid-cols-1","md:grid-cols-2","gap-6","my-8",[726,727,737,747,754],"div",{"className":728},[729,730,731,732,733,734,735,736],"bg-[#050B14]","p-6","border","border-[var(--border)]","group","hover:border-[var(--primary)]","transition-colors","relative",[738,739],"absolute",{":right-0":740,":top-0":740,"className":741},"true",[742,743,744,745,746],"w-8","h-8","bg-gradient-to-bl","from-[var(--primary)]/20","to-transparent",[80,748,750,753],{"id":749},"core-network-open5gs",[241,751,752],{},">"," Core Network (Open5GS)",[21,755,756,757,760],{},"Written in C, highly performant, supports both 4G EPC and ",[28,758,759],{"href":64},"5G Core SBA",", and has an intuitive web UI for subscriber management. Widely adopted in the security research community with extensive documentation and active maintainer support.",[726,762,764,767,773],{"className":763},[729,730,731,732,733,734,735,736],[738,765],{":right-0":740,":top-0":740,"className":766},[742,743,744,745,746],[80,768,770,772],{"id":769},"radio-access-network-srsran",[241,771,752],{}," Radio Access Network (srsRAN)",[21,774,775,776,780,781,785],{},"The premier open-source ",[28,777,779],{"href":778},"/glossary/#radio-access-network-ran","RAN"," implementation. It supports 4G, 5G NSA, and 5G SA and connects natively with USRP hardware. The ZMQ virtual radio driver enables software-only testing without any SDR hardware — ideal for initial ",[28,782,784],{"href":783},"/telecom-penetration-testing-methodologies/","protocol fuzzing",".",[13,787],{},[16,789,791],{"id":790},"implementation","III. Step-by-Step Implementation",[80,793,795],{"id":794},"prepare-host","Step 1: Prepare the Host System",[21,797,798],{},"Configure your Ubuntu host for real-time radio processing:",[21,800,801],{},"\u003CCodeBlock\nlanguage=\"bash\"\nis-terminal\ncode=\"  # Install low-latency kernel for stable radio operation\nsudo apt install linux-lowlatency",[803,804,806],"h1",{"id":805},"disable-cpu-frequency-scaling-prevents-sample-drops","Disable CPU frequency scaling (prevents sample drops)",[21,808,809],{},"sudo cpupower frequency-set -g performance",[803,811,813],{"id":812},"set-real-time-scheduling-limits-for-the-srsran-process","Set real-time scheduling limits for the srsRAN process",[21,815,816],{},"echo '@srsran - rtprio 99' | sudo tee -a /etc/security/limits.conf\necho '@srsran - memlock unlimited' | sudo tee -a /etc/security/limits.conf",[803,818,820],{"id":819},"verify-usb-30-connectivity-for-usrp","Verify USB 3.0 connectivity for USRP",[21,822,823],{},"lsusb -t | grep -i ettus\">",[80,825,827],{"id":826},"program-sim","Step 2: Program your SIM Cards",[21,829,830],{},"Before broadcasting, you need SIM cards provisioned with known cryptographic keys that match your core network configuration.",[832,833,834,837,843],"ol",{},[256,835,836],{},"Insert the blank sysmoISIM-SJA5 into your PC/SC reader",[256,838,839,840,842],{},"Use ",[470,841,472],{}," from the Osmocom project",[256,844,845],{},"Program the following critical values:",[21,847,848],{},"\u003CCodeBlock\nlanguage=\"bash\"\nis-terminal\ncode=\"  # Install pySim\npip3 install pysim",[803,850,852],{"id":851},"program-a-test-sim-card","Program a test SIM card",[21,854,472],{},[856,857,858],"blockquote",{},[21,859,860],{},"select MF\nselect ADF.USIM",[803,862,864],{"id":863},"write-imsi-test-plmn-00101-is-the-standard-for-research-networks","Write IMSI (test PLMN 00101 is the standard for research networks)",[856,866,867],{},[21,868,869],{},"update_binary EF.IMSI 001010123456789",[803,871,873],{"id":872},"write-ki-128-bit-authentication-key-keep-secret","Write Ki (128-bit authentication key — KEEP SECRET)",[856,875,876],{},[21,877,878],{},"update_binary EF.Ki 00112233445566778899aabbccddeeff",[803,880,882],{"id":881},"write-opc-derived-from-operators-master-op-key","Write OPc (derived from operator's master OP key)",[856,884,885],{},[21,886,887],{},"update_binary EF.OPc aabbccddeeff00112233445566778899",[803,889,891],{"id":890},"verify-the-programmed-values","Verify the programmed values",[856,893,894],{},[21,895,896],{},"read_binary EF.IMSI\"\n/>",[42,898,901,902,906,909,912,916,925,929,932,935,964,968,971,974,977,980,983,986,990,993,996,1000,1003,1007,1011,1015,1019,1023,1027,1031,1046,1048,1052,1055,1059,1062,1065,1069,1072,1076,1080,1084,1088,1092,1096,1099,1138,1142,1149,1180,1184,1190,1201,1203,1207,1329,1331,1335,1338,1341,1348,1354,1369,1372,1379,1381,1385,1489,1491,1495,1502,1508,1514,1526,1538,1558,1560,1564,1582,1585,1614,1627,1648],{"type":899,"title":900},"warning","Key Management","\nThe Ki and OPc are the root cryptographic secrets for subscriber authentication. In a production network, compromise of these keys enables [SIM cloning](/sim-cloning-and-sim-swap-attacks/) and complete identity takeover. In your lab, document these values securely — you'll need them when registering the subscriber in Open5GS.\n\n",[80,903,905],{"id":904},"deploy-open5gs","Step 3: Deploy Open5GS",[21,907,908],{},"Open5GS can be easily installed via package managers on Ubuntu:",[21,910,911],{},"\u003CCodeBlock\nlanguage=\"bash\"\nis-terminal\ncode=\"  # Add Open5GS repository and install\nsudo add-apt-repository ppa:open5gs/latest\nsudo apt update\nsudo apt install open5gs",[803,913,915],{"id":914},"install-the-web-ui-for-subscriber-management","Install the web UI for subscriber management",[21,917,918,919,924],{},"curl -fsSL ",[28,920,921],{"href":921,"rel":922},"https://deb.nodesource.com/setup_20.x",[923],"nofollow"," | sudo -E bash -\nsudo apt install nodejs\ncd /usr/lib/node_modules/open5gs\nnpm ci\nnpm run build",[803,926,928],{"id":927},"start-core-network-services","Start core network services",[21,930,931],{},"sudo systemctl start open5gs-mmed   # 4G MME\nsudo systemctl start open5gs-amfd   # 5G AMF\nsudo systemctl start open5gs-smfd   # Session Management\nsudo systemctl start open5gs-upfd   # User Plane\nsudo systemctl start open5gs-nrfd   # NRF (Service Discovery)\">",[21,933,934],{},"Configure the core:",[832,936,937,943,946,957],{},[256,938,939,940],{},"Access the Web UI at ",[470,941,942],{},"http://localhost:9999",[256,944,945],{},"Add a new subscriber using the exact IMSI, Ki, and OPc values programmed onto the SIM",[256,947,948,949,952,953,956],{},"Configure the APN to ",[470,950,951],{},"internet"," with an IPv4 pool (e.g., ",[470,954,955],{},"10.45.0.0/16",")",[256,958,959,960],{},"For 5G SA: Configure the S-NSSAI (SST: 1, SD: optional) matching your ",[28,961,963],{"href":962},"/5g-network-slicing-security/","slice configuration",[80,965,967],{"id":966},"configure-srsran","Step 4: Configure and Run srsRAN",[21,969,970],{},"For 5G SA, use the srsRAN Project gNB:",[21,972,973],{},"\u003CCodeBlock\nlanguage=\"yaml\"\nfilename=\"gnb.yaml\"\ncode=\"  # srsRAN 5G SA gNB Configuration\ngnb_id: 1\ngnb_id_bit_length: 22",[21,975,976],{},"amf:\naddr: 127.0.0.5       # Open5GS AMF address\nbind_addr: 127.0.0.1",[21,978,979],{},"ru_sdr:\ndevice_driver: uhd     # USRP Hardware Driver\ndevice_args: type=b200  # USRP B210\nsrate: 23.04           # Sample rate (MHz)\ntx_gain: 50\nrx_gain: 40",[21,981,982],{},"cell_cfg:\ndl_arfcn: 632628       # 5G NR ARFCN for n78 (3.5 GHz)\nband: 78\nchannel_bandwidth_MHz: 20\ncommon_scs: 30         # Subcarrier spacing (kHz)\nplmn: '00101'          # Test PLMN\ntac: 7",[21,984,985],{},"pdcch:\ncommon:\nss0_index: 0\ncoreset0_index: 12\ndedicated:\nss2_type: common\ndci_format_0_1_and_1_1: false\">",[80,987,989],{"id":988},"connection","Step 5: The Connection",[21,991,992],{},"Start the stack in the correct order:",[21,994,995],{},"\u003CCodeBlock\nlanguage=\"bash\"\nis-terminal\ncode=\"  # 1. Start Open5GS services (if not already running)\nsudo systemctl start open5gs-nrfd open5gs-amfd open5gs-smfd open5gs-upfd",[803,997,999],{"id":998},"_2-start-the-gnb-5g-sa-requires-sudo-for-real-time-scheduling","2. Start the gNB (5G SA) — requires sudo for real-time scheduling",[21,1001,1002],{},"sudo gnb -c gnb.yaml",[803,1004,1006],{"id":1005},"_3-insert-programmed-sim-into-ue-and-search-for-networks","3. Insert programmed SIM into UE and search for networks",[803,1008,1010],{"id":1009},"watch-the-gnb-terminal-for","Watch the gNB terminal for:",[803,1012,1014],{"id":1013},"rrc-setup-request-ue-gnb","- RRC Setup Request (UE → gNB)",[803,1016,1018],{"id":1017},"nas-registration-request-ue-amf","- NAS Registration Request (UE → AMF)",[803,1020,1022],{"id":1021},"authentication-5g-aka-exchange","- Authentication (5G-AKA) exchange",[803,1024,1026],{"id":1025},"pdu-session-establishment","- PDU Session Establishment",[803,1028,1030],{"id":1029},"data-flow-active","- DATA FLOW ACTIVE\">",[21,1032,1033,1034,1037,1038,1041,1042,1045],{},"Insert your programmed SIM into your Android device and search for networks. On the device, you may need to manually select the ",[470,1035,1036],{},"00101"," network or lock to Band n78 using engineering mode. Watch the srsRAN terminal output: you should see the UE send an ",[470,1039,1040],{},"RRC Setup Request",", perform ",[28,1043,1044],{"href":59},"5G-AKA mutual authentication"," with the AMF/AUSF, and establish a PDU session. Once active, the UE will receive an IP from your configured pool and have internet access through your lab.",[13,1047],{},[16,1049,1051],{"id":1050},"research","IV. Security Research Applications",[21,1053,1054],{},"Once your lab is stable, the real work begins. You own the infrastructure end-to-end, allowing you to execute research scenarios that would be illegal or impossible on production networks.",[80,1056,1058],{"id":1057},"traffic-capture","1. Protocol Analysis and Traffic Capture",[21,1060,1061],{},"Run Wireshark on the compute node to capture and decrypt signaling traffic:",[21,1063,1064],{},"\u003CCodeBlock\nlanguage=\"bash\"\nis-terminal\ncode=\"  # Capture S1AP signaling (4G) or NGAP signaling (5G SA)\nsudo tshark -i lo -f 'sctp' -w /tmp/5g_signaling.pcap",[803,1066,1068],{"id":1067},"decode-nas-messages-from-the-pcap","Decode NAS messages from the PCAP",[21,1070,1071],{},"tshark -r /tmp/5g_signaling.pcap -Y 'ngap || nas-5gs' -T json",[803,1073,1075],{"id":1074},"key-protocol-layers-to-analyze","Key protocol layers to analyze:",[803,1077,1079],{"id":1078},"ngap-gnb-amf-signaling-ran-level","- NGAP: gNB ↔ AMF signaling (RAN-level)",[803,1081,1083],{"id":1082},"nas-5gs-ue-amf-signaling-authentication-registration","- NAS-5GS: UE ↔ AMF signaling (authentication, registration)",[803,1085,1087],{"id":1086},"pfcp-smf-upf-session-control-n4-interface","- PFCP: SMF ↔ UPF session control (N4 interface)",[803,1089,1091],{"id":1090},"gtp-u-user-plane-tunneling-n3-interface","- GTP-U: User plane tunneling (N3 interface)\">",[80,1093,1095],{"id":1094},"core-fuzzing","2. Core Network Fuzzing",[21,1097,1098],{},"Write Python scripts to modify authentication vectors or send malformed NAS packets directly into the Open5GS AMF to look for crashes. Key fuzzing targets:",[253,1100,1101,1107,1113,1132],{},[256,1102,1103,1106],{},[211,1104,1105],{},"NAS Registration Messages:"," Malformed SUCI, invalid NSSAI, oversized PDU session requests",[256,1108,1109,1112],{},[211,1110,1111],{},"NGAP Procedures:"," Invalid UE context IDs, malformed handover commands",[256,1114,1115,468,1123,1126,1127,1131],{},[211,1116,1117,1118,1122],{},"HTTP/2 ",[28,1119,1121],{"href":1120},"/glossary/#service-based-architecture-sba","SBA"," APIs:",[28,1124,1125],{"href":64},"BOLA attacks, mass assignment"," against the ",[28,1128,1130],{"href":1129},"/glossary/#network-repository-function-nrf","NRF",", UDM, and AUSF",[256,1133,1134,1137],{},[211,1135,1136],{},"PFCP Session Management:"," Invalid TEID values, session modification overflows",[80,1139,1141],{"id":1140},"baseband-research","3. RAN and Baseband Research",[21,1143,1144,1145,1148],{},"Intercept the downlink traffic from srsRAN and modify the ASN.1 encoded messages to trigger buffer overflows in the smartphone's ",[28,1146,1147],{"href":35},"baseband processor",":",[253,1150,1151,1157,1163,1174],{},[256,1152,1153,1156],{},[211,1154,1155],{},"RRC Fuzzing:"," Modify SystemInformationBlock messages to include deeply nested ASN.1 structures",[256,1158,1159,1162],{},[211,1160,1161],{},"NAS Pre-Auth Fuzzing:"," Send malformed messages before mutual authentication completes — the baseband must process these without protection",[256,1164,1165,1168,1169,1173],{},[211,1166,1167],{},"Paging Channel Analysis:"," Test ",[28,1170,1172],{"href":1171},"/imsi-catchers-and-rogue-base-stations/","IMSI catchers"," scenarios by broadcasting paging messages for specific IMSIs",[256,1175,1176,1179],{},[211,1177,1178],{},"Downgrade Attacks:"," Force UEs to fall back from 5G to 4G/3G/2G by manipulating RRC release messages",[80,1181,1183],{"id":1182},"slice-testing","4. Slice Security Testing",[21,1185,1186,1187,1148],{},"Configure multiple S-NSSAI entries in Open5GS and test ",[28,1188,1189],{"href":962},"5G network slicing security",[253,1191,1192,1195,1198],{},[256,1193,1194],{},"Register UEs to different slices and attempt cross-slice data access",[256,1196,1197],{},"Test NSSAI spoofing by modifying the requested NSSAI in the NAS Registration Request",[256,1199,1200],{},"Verify that QoS isolation holds under load (one slice should not impact another's throughput)",[13,1202],{},[16,1204,1206],{"id":1205},"troubleshooting","V. Troubleshooting Guide",[88,1208,1209,1222],{},[91,1210,1211],{},[94,1212,1213,1216,1219],{},[97,1214,1215],{},"Symptom",[97,1217,1218],{},"Likely Cause",[97,1220,1221],{},"Solution",[119,1223,1224,1242,1256,1270,1281,1295,1309],{},[94,1225,1226,1229,1232],{},[124,1227,1228],{},"\"No UHD devices found\"",[124,1230,1231],{},"USB 2.0 port or missing UHD driver",[124,1233,1234,1235,1238,1239],{},"Install ",[470,1236,1237],{},"uhd-host",", use USB 3.0, run ",[470,1240,1241],{},"uhd_find_devices",[94,1243,1244,1247,1250],{},[124,1245,1246],{},"Sample rate errors / \"O\" overflows",[124,1248,1249],{},"CPU too slow or frequency scaling",[124,1251,1252,1253],{},"Install low-latency kernel, set ",[470,1254,1255],{},"cpupower performance",[94,1257,1258,1261,1264],{},[124,1259,1260],{},"UE shows \"No Service\"",[124,1262,1263],{},"PLMN mismatch or wrong band",[124,1265,1266,1267,1269],{},"Verify ",[470,1268,1036],{}," in both gNB config and SIM, check antenna frequency",[94,1271,1272,1275,1278],{},[124,1273,1274],{},"Authentication failure",[124,1276,1277],{},"Ki/OPc mismatch",[124,1279,1280],{},"Verify SIM values match Open5GS subscriber entry exactly",[94,1282,1283,1286,1289],{},[124,1284,1285],{},"PDU Session fails",[124,1287,1288],{},"APN/DNN mismatch",[124,1290,1291,1292,1294],{},"Ensure APN is ",[470,1293,951],{}," in both UE and Open5GS config",[94,1296,1297,1300,1303],{},[124,1298,1299],{},"No internet after attach",[124,1301,1302],{},"Missing IP forwarding",[124,1304,1305,1308],{},[470,1306,1307],{},"sysctl net.ipv4.ip_forward=1"," and configure NAT/masquerade",[94,1310,1311,1314,1317],{},[124,1312,1313],{},"gNB crashes on start",[124,1315,1316],{},"Port conflict or AMF unreachable",[124,1318,1319,1320,1323,1324,1328],{},"Check ",[470,1321,1322],{},"127.0.0.5:38412"," is bound by ",[28,1325,1327],{"href":1326},"/glossary/#access-and-mobility-management-function-amf","AMF",", verify SCTP connectivity",[13,1330],{},[16,1332,1334],{"id":1333},"docker-deployment","VI. Dockerized Deployment (Alternative)",[21,1336,1337],{},"For faster iteration and reproducibility, the entire core network can be containerized:",[21,1339,1340],{},"\u003CCodeBlock\nlanguage=\"yaml\"\nfilename=\"docker-compose-5gc.yaml\"\ncode=\"  # Minimal Open5GS 5G Core via Docker Compose\nversion: '3.8'\nservices:\nnrf:\nimage: open5gs/open5gs:latest\ncommand: open5gs-nrfd\nnetworks:\n5gc:\nipv4_address: 10.33.33.10",[21,1342,1343,1344,1347],{},"amf:\nimage: open5gs/open5gs:latest\ncommand: open5gs-amfd\nports:\n- '38412:38412/sctp'  # NGAP (gNB connection)\ndepends_on: ",[241,1345,1346],{},"nrf","\nnetworks:\n5gc:\nipv4_address: 10.33.33.11",[21,1349,1350,1351,1353],{},"smf:\nimage: open5gs/open5gs:latest\ncommand: open5gs-smfd\ndepends_on: ",[241,1352,1346],{},"\nnetworks:\n5gc:\nipv4_address: 10.33.33.12",[21,1355,1356,1357,1360,1361,1364,1365,1368],{},"upf:\nimage: open5gs/open5gs:latest\ncommand: open5gs-upfd\ncap_add: ",[241,1358,1359],{},"NET_ADMIN","\ndevices: ",[241,1362,1363],{},"'/dev/net/tun'","\ndepends_on: ",[241,1366,1367],{},"smf","\nnetworks:\n5gc:\nipv4_address: 10.33.33.13",[21,1370,1371],{},"networks:\n5gc:\ndriver: bridge\nipam:\nconfig:\n- subnet: 10.33.33.0/24\">",[21,1373,1374,1375,1378],{},"This approach is ideal for ",[28,1376,1377],{"href":64},"5G SBA security"," where you need to rapidly deploy, modify, and tear down core configurations.",[13,1380],{},[16,1382,1384],{"id":1383},"references","VII. Authoritative References",[1386,1387,1390],"glass-panel",{"className":1388},[730,1389],"bg-black/20",[253,1391,1392,1409,1425,1441,1457,1473],{},[256,1393,1394,1400,1404],{},[211,1395,1396,1399],{},[241,1397,1398],{},"01"," 3GPP TS 38.331",[1401,1402,1403],"em",{},"NR; Radio Resource Control (RRC) protocol specification",[28,1405,1408],{"href":1406,"rel":1407},"https://www.3gpp.org/dynareport?code=38331.htm",[923],"3GPP TS 38.331 – 5G NR RRC Protocol →",[256,1410,1411,1417,1420],{},[211,1412,1413,1416],{},[241,1414,1415],{},"02"," NIST SP 800-187",[1401,1418,1419],{},"Guide to LTE Security",[28,1421,1424],{"href":1422,"rel":1423},"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-187.pdf",[923],"NIST SP 800-187 4G/LTE Security Guide →",[256,1426,1427,1433,1436],{},[211,1428,1429,1432],{},[241,1430,1431],{},"03"," srsRAN Project",[1401,1434,1435],{},"Open-source 4G/5G software radio suite",[28,1437,1440],{"href":1438,"rel":1439},"https://docs.srsran.com/en/latest/",[923],"srsRAN Documentation →",[256,1442,1443,1449,1452],{},[211,1444,1445,1448],{},[241,1446,1447],{},"04"," Open5GS Documentation",[1401,1450,1451],{},"Open-source 5G Core and EPC",[28,1453,1456],{"href":1454,"rel":1455},"https://open5gs.org/open5gs/docs/",[923],"Open5GS Documentation →",[256,1458,1459,1465,1468],{},[211,1460,1461,1464],{},[241,1462,1463],{},"05"," Osmocom pySim",[1401,1466,1467],{},"Open-source SIM/USIM/ISIM card provisioning",[28,1469,1472],{"href":1470,"rel":1471},"https://osmocom.org/projects/pysim/wiki",[923],"Osmocom pySIM Documentation →",[256,1474,1475,1481,1484],{},[211,1476,1477,1480],{},[241,1478,1479],{},"06"," 3GPP TS 33.501",[1401,1482,1483],{},"Security architecture and procedures for 5G system",[28,1485,1488],{"href":1486,"rel":1487},"https://www.3gpp.org/dynareport?code=33501.htm",[923],"3GPP TS 33.501 – 5G Security Architecture →",[13,1490],{},[16,1492,1494],{"id":1493},"faq","VIII. Frequently Asked Questions",[1496,1497,1499],"faq-item",{"title":1498},"Do I really need a USRP B210 for a basic lab?",[21,1500,1501],{},"While budget SDRs like HackRF can work for passive sniffing and basic 2G/3G experiments, the USRP B210 is strongly recommended for creating a stable LTE or 5G network. It supports full-duplex operation, which is critical for the strict timing requirements of modern cellular protocols. Half-duplex SDRs cannot maintain the continuous uplink/downlink required for stable UE attachment.",[1496,1503,1505],{"title":1504},"Can I use any SIM card for my lab?",[21,1506,1507],{},"No, commercial SIM cards are locked with secret keys (Ki/OPc) that you cannot read or extract. You need programmable SIM cards (like sysmoISIM-SJA5) and a PC/SC-compliant card reader to configure the specific keys that match your core network settings. The keys programmed on the SIM must exactly match the subscriber entry in Open5GS.",[1496,1509,1511],{"title":1510},"Is it legal to run cellular frequencies in my house?",[21,1512,1513],{},"Operating cellular equipment in licensed spectrum without a license is illegal in virtually all jurisdictions. You must use a Faraday cage or RF-shielded enclosure to prevent your signal from leaking out. Verify your local regulations — some countries allow very low power (\u003C0.1 mW) emissions without a license, but this should be validated with a spectrum analyzer.",[1496,1515,1517],{"title":1516},"Can I test 5G SA without any hardware SDR?",[21,1518,1519,1520,1523,1524,785],{},"Yes. srsRAN supports a ZMQ (ZeroMQ) virtual radio driver that replaces the physical SDR with a software-based radio interface. Combined with the srsRAN UE simulator, you can run a complete 5G SA stack — gNB, Core, and UE — entirely in software on a single machine. This is ideal for ",[28,1521,1522],{"href":64},"SBA API testing"," and ",[28,1525,784],{"href":783},[1496,1527,1529],{"title":1528},"How do I capture and analyze encrypted NAS messages?",[21,1530,1531,1532,1534,1535,1537],{},"In your lab, you control the authentication keys, so you can decrypt NAS traffic. Configure Wireshark with the K_NAS_enc and K_NAS_int keys derived from the 5G-AKA procedure. Open5GS logs these keys when debug logging is enabled. For production network analysis, see our ",[28,1533,31],{"href":30}," vulnerabilities and ",[28,1536,70],{"href":69}," protocol research on signaling interception.",[1496,1539,1541],{"title":1540},"What research can I do without any hardware at all?",[21,1542,1543,1544,1547,1548,1552,1553,1523,1555,1557],{},"Without any hardware, you can still deploy Open5GS and free5GC in Docker, run srsRAN with ZMQ virtual radios, and test ",[28,1545,1546],{"href":64},"5G SBA API vulnerabilities",", ",[28,1549,1551],{"href":1550},"/vulnerabilities-in-5g-sba#nrf-poisoning","NRF poisoning",", and core network fuzzing. Hardware is only required for over-the-air ",[28,1554,36],{"href":35},[28,1556,1172],{"href":1171}," research.",[13,1559],{},[16,1561,1563],{"id":1562},"conclusion-next-steps","Conclusion & Next Steps",[21,1565,1566,1567,1570,1571,1547,1574,1577,1578,1581],{},"A private lab is an indispensable tool for serious telecommunications security research. By utilizing open-source cores and accessible SDRs, security teams can safely execute scenarios ranging from simple ",[28,1568,1569],{"href":1171},"IMSI catching"," to complex ",[28,1572,1573],{"href":35},"zero-click baseband exploits",[28,1575,1576],{"href":64},"5G SBA API attacks",", and ",[28,1579,1580],{"href":962},"cross-slice isolation testing"," — all without leaving the confines of their test bench.",[21,1583,1584],{},"The recommended progression for lab-based research:",[832,1586,1587,1593,1599,1608],{},[256,1588,1589,1592],{},[211,1590,1591],{},"Start with software-only:"," Deploy Open5GS + srsRAN with ZMQ virtual radios",[256,1594,1595,1598],{},[211,1596,1597],{},"Add SDR hardware:"," USRP B210 for over-the-air testing in a shielded enclosure",[256,1600,1601,1604,1605,1607],{},[211,1602,1603],{},"Expand scope:"," Multi-cell configurations, ",[28,1606,70],{"href":69}," interconnect testing, baseband fuzzing",[256,1609,1610,1613],{},[211,1611,1612],{},"Automate:"," CI/CD pipelines for regression testing of core network security patches",[21,1615,1616,1617,1621,1622,1626],{},"Don't have the time to build and maintain a physical lab? TelcoSec provides fully-virtualized, pre-configured 5G simulation environments directly via our Academy. Explore our ",[28,1618,1620],{"href":1619},"/projects/tools/","TelcoSec protocol analysis tools"," for telecom-specific testing frameworks, or browse the ",[28,1623,1625],{"href":1624},"/projects/library/","TelcoSec research library"," for additional attack methodologies.",[726,1628,1634,1635,1634,1643],{"className":1629},[1630,1631,1632,1633,724],"flex","flex-col","sm:flex-row","gap-4","\n  ",[1636,1637,1642],"nuxt-link",{"to":1638,"className":1639},"/services/",[1640,1641],"btn-terminal-fill","text-center","REQUEST LAB ASSESSMENT",[1636,1644,1647],{"to":783,"className":1645},[1646,1641],"btn-terminal","PENTEST METHODOLOGY →",[1649,1650],"telecom-security-cta",{"title":1651,"description":1652,"ctalink":1653,"ctatext":1654,"context":1655},"SCALE YOUR RESEARCH LAB?","Take your private lab to the next level with our Academy modules on Evolved Packet Core (EPC) orchestration and protocol fuzzing. Access pre-configured Open5GS/srsRAN images and private 5G SA lab instances.","https://app.telcosec.net/api/auth/login","BUILD PRIVATE LTE 5G CORE LABS [→]","lab_setup",{"title":1657,"searchDepth":1658,"depth":1658,"links":1659},"",2,[1660,1661],{"id":18,"depth":1658,"text":19},{"id":74,"depth":1658,"text":75,"children":1662},[1663],{"id":82,"depth":1664,"text":83},3,"setting-up-private-lte-5g-lab","-5e2HrGWMBnjnDOSOs7fl-84Sm72mvf0wIh7ma5_XwY",[],1782059596569]