Running Your Own 3G Network

Diablo

A web interface is shown providing information about a cellular network base station.


CDMA2000 was one of the protocols defined for 3G networks and is now years out of date and being phased out worldwide. Nevertheless, there are still vast numbers of phones that will happily connect to it, creating an opportunity for hackers seeking to run their own cellular networks. [Chrismoos] recently made this endeavour significantly easier by releasing 1xBTS, a Rust implementation of the lower three layers of a CDMA2000 network.

The lowest layer of the stack is an SDR for the actual radio communications. It’s been tested with the USRP B200 and B210, the LimeSDR Mini 2, and the BladeRF Micro 2.0. The code might work with certain other SDRs using the SoapySDR abstraction layer. The SDR is controlled by the base station (BTS) software, which, in turn, is controlled by the base station controller (BSC) over an Abis link. The BSC manages channels and mobile device associations, and exchanges frames with the mobile switching center (MSC), which handles message switching.


The stack includes standard 3G verification; before a handset can authenticate to the network, its details must be added to the home location register (HLR). Once authenticated, the handset can access all standard services: inbound and outbound voice calls via a SIP gateway, inbound and outbound SMS, and data packet transfers. A web dashboard provides a convenient management platform that includes packet tracing.

It should be noted that using this carelessly is legally hazardous; radio transmissions are strictly regulated in most countries, particularly in the cellular bands. If you’d still like to run your own cell network, we’ve also seen a few other efforts, such as this 4G implementation, this 1G recreation, and a GSM network made for a hacker camp.
 