Giving my Raspberry Pi LTE Connectivity - 4G LTE IoT Test Lab

Added: 2026-05-05

[00:00:00]What's up everybody? This is Matt Brown with another IoT hacking video. Today we are going to discuss how to connect up our Linux PC to a 4G LTE network. This is a part of an ongoing series that we've been doing on this channel talking about LTE technology and its application to the world of IoT device security. In our first video, we talked about how to use a softwaredefined radio to host a test cell phone network. And in our in our second video, we talked about how to program SIM cards in order to provide that authentication from a piece of user equipment, a client device in the LTE terminology to the cell phone tower running on our software defined radio.

[00:00:46]And in this video, we are going to dive into that client side piece, the user equipment, the the cell phone, the IoT device that is going to connect to the cell phone tower and send IPbased data over that connection. And so, uh, if you are new to this channel, welcome. My name is Matt Brown. I perform IoT device penetration testing in my day job and I also like to provide free educational content to you, my viewers, in my free time. And if that all sounds fun to you, hit the subscribe button. It really helps the channel out and helps to get this message and this content out to more people. And if you want to be around more like-minded people that enjoy tinkering with things, hacking on devices and hardware, check out the link in the description to our Discord channel, and that will uh get you into our server, the IoT hacker hideout, where we have all sorts of cool collaboration, talk about tools, talk about devices we're working on, and just have a fun time. So, check that all out.

[00:01:51]And with all that out of the way, let's dive into our video. So, in our video today, we need in order to connect up our our Linux system to a 4G network, we need a modem that is going to going to do that communication. And so, this is the device here on the screen from SixFab. That is a hat that usually sits on a Raspberry Pi, but you can also connect it via USB like we're going to.

[00:02:17]And it's got a SIM card slot. And then you'll notice that it has an empty mini PCIe slot for our cell modem. And so today we're going to be using this device and we're going to be using this specific LTE module from TLET. And this is a a standard plain old LTE modem as opposed to LTEM sometimes called you know cat one or uh or the newer kind of uh NB IoT protocols that are used in a lot of IoT devices. We are going to have more on that later in the channel. So again definitely subscribe because I am working on some cool software to do some interactions with that technology. So stay tuned on that. But uh today we're just doing regular LTE protocol. And so uh we're going to need one of those to plug in. And then we're going to need some software on the Linux side. And this is the piece of software that we will be using. This is the GitHub project for lib QMI. QMI is the Qualcomm MSM interface protocol. This is the protocol that lets you know us, you know, transfer data to uh the to the modem from the Linux side. And so there is this CLI to tool uh QMI CLI which we will be using to perform that interaction all in a little bit. So before we do that let's head over to the workbench and get another quick look at our setup that we have here. So this is going to look similar to our first two videos here. So we have our our USRP software defined radio that is connect up connected to some attenuators. those reduce uh the power that's being transmitted between the radio and our cell modem here. And so we're going to zoom in and take a good look at our cell modem here. There you can see we have the SIM card. Not going to talk about the programming today because we talked about that in the last video. Uh here we have the modem and plugged into the main antenna slot is the cord coming from our our radio. And then I have the div uh one just connected up here free. this is not going to be used uh by us. And then we have the USB cord here that is connected to our Raspberry Pi. So in our shell today, most of the time we're going to be interacting as this Raspberry Pi and connecting up to the cell phone network that is going to be run on our host Linux PC. So just want you to kind of get a visualization of what's going on. We're going to have the Raspberry Pi acting as the client device talking to the the radio, the cell phone tower. And so, uh, we talked about this software before, but we're going to be using the project SRS RAN in order to perform the backend part of the of the cell phone protocol and the radio tower part in order to emulate a a 4G LTE network. So before we start that, we're not going to go deep dive into that, but I do want to show you one change that I made to the user DB config from our previous video. And this will just let us know why we're seeing what we're seeing when we connect up to the LTE network. So before what I had, so this is these are all like the the key information for that is programmed into the SIM card that is in our cell modem.

[00:05:43]It's it's all here in this user database. And so one thing that I've changed is this last field. It used to say dynamic where it would just dynamically allocate an IP address to the user equipment. In this case, we have hardcoded, we've statically assigned this IP to this specific SIM card configuration. So we should reliably get assigned that IP address every time. And so we are going to run that EPC. Again, the EPC is the data center backend systems that usually run in a data center from your cell phone provider. And we are going to start the ENB, which is the software that runs on the radio tower itself. And so, we're going to start that all up and let it sit there. And then we're going to pop over to our Raspberry Pi shell here. And the first thing I want to do is I'm actually going to look in D message in order to see uh when the device recognized our modem. And so right here you'll notice that it has identified a device that it calls a GSM modem. It's it's an LTE modem, but uh this is how it looks on Linux. And so you'll notice that it has uh it has provided five different of these TTY USB interfaces. These are various you know diagnostic control and data interfaces that uh allow you to connect up and do different things to this cell modem. The one that we're going to interact with with is the third interface which happens to be TTYUSB2.

[00:07:24]And so we are going to run picocom here and we're going to connect up to that interface because this is the AT command interface. So we can type at which is kind of the the the most simple AT command that you can type and it will come back with okay. So this this kind of tells us okay we are we have identified the AT command interface to the cell modem and now we're going to run a couple of different commands. I think this one is going to fail, but just stick with me here. Okay, so uh in order in order to not immediately have it connect to our network, which okay, I'm just coming over here to confirm it has not yet connected. I actually put it into into airplane mode. And so, uh, so this command here that I'm going to run, I'm you can put it into a certain, you know, mode of functionality. And if you put a equals 4 here, that's putting it into airplane mode. Uh, one is to turn the radio on.

[00:08:25]So, I'm going to turn the radio on. And I expect actually that this command has already been like saved in the modem.

[00:08:31]So, I expect after I run this, it's going to instantly connect over here.

[00:08:38]And it has. So, here you go. So it says user connected and then on on the radio side and up here on the kind of the data center backend side you can see that a bunch of stuff has come here and it has specifically allocated that statically uh assigned IP to our modem. So it is connected it's attached and it's ready to go.

[00:09:02]So, and again that's because that SIM card that correlates to that user DB CSV file uh the keys match and they are able to authenticate each other. LTE both the user equipment and the cell tower they do a mutual authentication. So both of them are authenticating the other party.

[00:09:20]So now we're going to run some quick uh diagnostic commands to see uh if we're online. This this one result here tells me that we are connected and we're connected to our home network. If we were roaming, if we were like connected and attached, but roaming, you'd get a slightly different uh code. It wouldn't be one. That's what that one means. Now, we're going to grab the IP address of our system from the modem using these commands. And again, as expected, the modem has accepted this assignment of 10.8.0.2. too. And there's another command that gives us even more network information here. It tells us the APN name that we're connected to is NMAT.

[00:10:04]That's the private APN that I'm hosting over here on this radio. And then we have the IP address again. And this is an odd format, but it has the IP address and then separated by a dot. It has the subnet mask. So, this is a slash30 network. This is the subnet mask. And again, we have Oh, no. Sorry, that's not I was going to say again, but this is the gateway. So, this is the is the IP address of the gateway and then you have DNS server one and two. It's only giving out one DNS server, but there we go, the Google DNS server. And so, uh, it is all connected up and ready to go from the modems perspective.

[00:10:43]Linux does is not ready to go. The Linux side of things is not ready to go, right? Because when we do this, we're communicating over the U from the Raspberry Pi over the USB cable to the modem. So the modem is connected to our network. It has an IP. It's ready to communicate. But we need to let our Linux side know about that now. So what we're going to do is let's go ahead and run if config. And it is not there as expected. So I'm going to run dash A to show all interfaces, even the ones that are not up yet. And so right here we see the WAN0 interface. That is the interface associated with the cell modem that is connected up. So one of the things we're going to do, which I'm pretty sure is already set on mine. Uh we're we're running down. It's it was already down, is we're going to run this command here, which is going to echo the character Y into this uh spot in the driver. This is going to tell this this QMI driver to run in raw IP mode. And so that's just uh it knows how to do uh raw IP packets.

[00:11:48]There will not be a a MAC layer as as we've seen before when when we looked in Wireshark. There were no there was no data link layer. There was no MAC address associated with with anything when you're doing this kind of communication. It's it's kind of like a tunnel interface. So uh now we're going to bring that interface up and we are going to flush out any existing IP address that could have been there and we are going to set the IP. So if we got a different IP from uh from those at commands when we read out what IP address our modem got signed, we would have to you'd have to put that in here.

[00:12:23]So if you're following along at home, your mileage may vary about what IP you need to set.

[00:12:29]And then we're going to run this command to use the QMI CLI to tell it how to connect up to this interface here, which is another one of those interfaces that is exposed by the modem. And it's telling it like, hey, we're starting a network. The APN is NMAT and the IP type is IP4, IPv4. Uh, and then this other flag. And we're going to we're going to run that command. And now we should be ready to go. Okay, our interface is up.

[00:13:04]It has an IP address. And now what we're going to do is I'm going to go over in Wireshark and I'm going to sniff on the cell network side. So this interface that gets created by SRS Rand. This is uh SRS SPGW SGI if you can't read it because it's super small text. And we're going to wait and we're going to listen on the cell network side for packets. And so what we're going to do is we're actually going to run a ping command here. And we're going to use this flag that you usually don't use. Uh we're going to explicitly tell it to use the WAN0 interface. And that's because on my system here, actually, you know what?

[00:13:44]We're going to get rid of this for a minute. Let's look at our route table.

[00:13:49]Okay. So right now the only time it will route a packet to the cell network is when it is inside of that little slash30 network that is the local network. If we were you could set a default route. Uh just be aware that if you're SSH in like I am, you might lose your SSH connectivity. And so, uh, you need to you need to, you know, configure that the right way or add some ex exceptions in your routes. Uh, but your mileage may vary. If you're using just like a like the HDMI interface on your Raspberry Pi, then you would not have that problem.

[00:14:28]So, I'm not going to add this as a default route. And as a way to get around that for this demo, I'm going to just be explicitly telling ping to route these packets to the Cloudflare DNS server where that we're going to ping over the cell interface. So we're going to do that and then we're going to go look in Wireshark from the cell network side. And we see it we see we see the data. It is going it's going it's going over you know our Raspberry Pi is sending that data through to the modem and that modem is sending it through this wire to our software defined radio which is pretty cool in my opinion. So uh we're going to do one more thing here which is kind of cool. Let's let's run a curl command. So curl has a pretty similar uh in interface here that we can that we can kind of use here. Let's let's just uh have it go to example.acample.com.

[00:15:27]So we can curl with an explicit interface here. And so we send that command.

[00:15:36]And it doesn't like it. That's fun.

[00:15:42]Oh, I bet I bet it doesn't like the DNS lookup. That's so funny.

[00:15:50]All right. Well, well, we're not going to do that now. Okay. Okay. There's one more thing I'm going to test. This is This is We're just doing this live here.

[00:15:58]Okay. It doesn't accept ICMP on the gateway. So, anyway, as you can see, we were clearly able to uh get it to connect and everything. I'm wondering if it disconnected. Nope, it didn't. Uh, okay. We're getting another We're getting some kind of weird error. But as you can see, we were able to send our ping packets over that interface, which we can't anymore. So, we're having some kind of problem. But as you can see, uh we were able to for a moment there uh send data from our Linux side uh over to over the cell modem to the internet. And uh I'm sure I'm sure this is some weird uh quirk in my radio setup that uh that made that stop working, but most of the time it's pretty rock solid. Trust me.

[00:16:42]Uh, and then the other way that you can use this, right, is if I had like an AT&T, if I had a real cell network SIM card, I can just hook up the normal LTE antenna and uh, I put it close to my window because I'm in a basement and I don't have great signal, but you can communicate to cell phone towers from Linux out to the world with this setup.

[00:17:02]So, uh, hope you enjoyed this video. As always, have a great