Running Your Own 3G Network With 1xBTS

1xBTS – A new Rust project makes it easier to build a CDMA2000 3G setup, opening both experimentation and new security concerns.
Running a personal cellular network is getting easier for hobbyists, and that includes the risky side: enabling devices to connect to a legacy 3G protocol that many phones still support.
CDMA2000, one of the protocols defined for 3G networks, is now years out of date and is being phased out worldwide. Even so, there remain large numbers of handsets that can still “happily” connect to it. That persistence creates an opening for attackers who want to stand up their own cellular infrastructure, since there are still real-world targets able to attach to older network behavior.
In this context, [Chrismoos] has released 1xBTS, a Rust implementation focused on the lower three layers of a CDMA2000 network. The project aims to lower the barrier for people attempting to build their own base station-style setup, which can be useful for research and experimentation, but also raises the stakes for anyone concerned about how legacy telecom stacks can be abused.
At the heart of the system is software that coordinates radio transmission, supported by an SDR used for the actual over-the-air communications. The implementation has been tested with multiple SDR platforms, including the USRP B200 and B210, LimeSDR Mini 2, and BladeRF Micro 2.0. The code may also work with other SDRs that integrate via the SoapySDR abstraction layer.
The radio isn’t controlled in isolation. In the 1xBTS design, the SDR is managed by the base station (BTS) software, and that BTS software can, in turn, be managed by a base station controller (BSC) using an Abis link. The BSC is responsible for handling channels and managing associations with mobile devices. Frames are then exchanged with the mobile switching center (MSC), which performs message switching, an architectural separation that mirrors how cellular networks are commonly organized.
Beyond the radio plumbing, the stack includes standard 3G verification behavior. Before a handset can authenticate to the network, the handset’s details need to be added to the home location register (HLR). Once authentication succeeds, the handset can use typical services expected of that network class.
For voice and messaging, the system supports inbound and outbound voice calls through a SIP gateway, along with inbound and outbound SMS. For mobile data, the stack includes data packet transfers as well. The goal appears to be a reasonably complete, testable environment rather than a purely theoretical radio experiment.
To make operation more practical, there is a web dashboard intended to serve as a management platform. That dashboard includes packet tracing, which is likely to be valuable for debugging and for inspecting how traffic flows through the different parts of the network stack.
However, the project comes with an important warning: running such equipment carelessly can be legally hazardous. In most countries, radio transmissions are strictly regulated, especially within licensed cellular bands. That means any attempt to operate a personal network must be handled with appropriate permissions and compliance, even if the purpose is research.
While 1xBTS targets CDMA2000, it also sits alongside a broader pattern of hobbyist cellular recreations: efforts have previously included a 4G implementation, a 1G recreation, and even a GSM network created for a hacker camp. Together, these show how quickly telecom experimentation can spread, and why security teams keep paying attention to legacy connectivity.
The deeper implication is that “phased out” doesn’t always mean “gone.” As long as handsets still connect and verification workflows still exist, any tool that makes building network infrastructure easier can become a lever for both legitimate experimentation and malicious interference. That tension is likely to define the conversation around projects like 1xBTS: powerful for learning, but requiring careful governance because the radio layer is where real-world risk lives.
For readers following this space, the project underscores a practical lesson for security: telecom ecosystems are long-lived, and even older protocols can remain reachable. The ability to authenticate and route services through software-defined components means investigators, and attackers, can focus on behavior at the network edge, including how devices are verified, associated, and granted access to services like voice, SMS, and packet data.