Setting up Yate and YateBTS with the bladeRF

nullnei edited this page Jul 5, 2017 · 15 revisions

Table of Contents


This guide is a quick and unofficial guide on creating a test setup of Null Team's Yate and YateBTS with the bladeRF. The goals of this guide are to:

  • Install Yate and YateBTS for use as non-root user in a yate group in /usr/local/
  • Verify basic "Network-in-a-Box" functionality by placing a call or sending an SMS message between two devices.
This guide is not intended to be comprehensive nor a replacement for any of the official Yate documentation; it is only intended to test a small fraction of the plethora of features provided by Yate.

While the Nuand team and bladeRF community are generally willing to help answer Yate & YateBTS questions, please note that the official resources listed below will likely better expedite any troubleshooting you need to do.


As with all SDR development, you are responsible for ensuring that you operate only within bands for which you are licensed. When performing laboratory experiments, an RF test enclosure is highly recommended to ensure a system under test does not yield out-of-band emissions that might interfere with licensed network operators.



A USB 3.0 connection is preferred.

If you are on a USB 2.0 port and encounter errors (as evidenced by varying timestamp "jumps"), it may be the case that the system is not keeping up with the sample rate. Be sure to review the Transceiver Scheduling Priority section below, if you plan on using USB 2.0.

SIM card & Handset

A simple and inexpensive test setup can be achieved using a blank SIM card, a SIM card writer, and low-cost cellular device.

This "16 in 1 Super SIM" has been verified to work properly (alternative source on ebay). These all appear to come preprogrammed with the IMSI 001010123456789. To configure the sim card, please see this page about PySIM.

Plenty of quad-band GSM devices are available online. One such device that has been tested with the above SIM card is the BLU Q170T.

Build tools

To build Yate and YateBTS, basic knowledge of how to use GNU Autotools and GCC is required. Please refer to your Linux distribution's documentation for information on how to install these. If you plan to check out the latest source code, Subversion is required.

libbladeRF is no longer required

In the past, a transceiver implementation was provided with Yate-BTS that was dependent upon libbladeRF. Yate now provides bladeRF support that is not dependent upon libbladeRF. Additionally, Yate provides tested bladeRF FPGA images. Therefore, it is no longer required to build and install libbladeRF, the bladeRF-cli, or download FPGA images.

However, bladeRF-cli and libbladeRF installation is useful for diagnostics, to verify basic device operation, and to update firmware.

Users familiar with Yate-BTS will note that there is no transceiver-bladerf to place in the ybts.conf file. Instead, the ybladerf.conf file may be used to performed fine-grained configuration of the bladeRF, with respect to Yate.

If you do not have libbladeRF installed, you will still need to create and add an /etc/udev/rules.d/88-nuand.rules file to ensure your user has permissions to access a bladeRF device. Below is an example file, which assumes your user is in the plugdev group. (Using a yate group could also suffice, as this group is used later in this guide.)

Setting up a yate group

This guide assumes one wants to run Yate as a non-root user, and uses a yate group to allow a non-root user to edit the various configuration files that will be manipulated at runtime.

First create a yate group:

sudo addgroup yate

Add your user to this group. Change myuser to your user name.

sudo usermod -a -G yate myuser

udev rule

A udev rule is required to ensure a user can access the bladeRF hardware.

If you have previously installed and used libbladeRF and/or the bladeRF-cli, you may skip this. These provide an 88-nuand.rules udev rule.

Otherwise, create an /etc/udev/rules.d/90-yate.rules file, containing:

# nuand bladeRF
ATTR{idVendor}=="1d50", ATTR{idProduct}=="6066", MODE="660", GROUP="yate"

After creating this file, run the following command:

sudo udevadm control --reload-rules

If the device is plugged in prior to this, ensure it is unplugged and re-connected at this time.

After logging out and back in, you should see yate listed when you run the groups command.

Fetching Yate and Yate-BTS

Download pages

You can download the latest releases here:


The below commands may be used to check out the Yate and YateBTS repositories into a ~/software/null directory:

mkdir ~/software/null/
cd ~/software/null
svn checkout yate
svn checkout yatebts

If you already have the repositories checked out from a previous build, you can simply update them:

cd ~/software/null/yate
svn update

cd ~/software/null/yatebts
svn update

Building and Installing Yate & YateBTS


First, configure the build to install into usr/local:

cd ~/software/null/yate
./configure --prefix=/usr/local

Next, build Yate:


If all went well, install it:

sudo make install
sudo ldconfig


This procedure should look quite similar.

cd ~/software/null/yatebts
./configure --prefix=/usr/local




sudo make install
sudo ldconfig

Configuring Yate & YateBTS

To configure Yate & YateBTS to run as a non-root user, we need to change a few permissions and configuration options.

Group Write Permissions

First, we'll create a few files that Yate will fill in with defaults:

sudo touch /usr/local/etc/yate/snmp_data.conf /usr/local/etc/yate/tmsidata.conf

Next, allow users of the yate group to modify configuration files:

sudo chown root:yate /usr/local/etc/yate/*.conf
sudo chmod g+w /usr/local/etc/yate/*.conf

Required Configuration Items

While a majority of the configuration items will fall back to default values, there are a few items that the BTS operator is responsible for configuring correctly in /usr/local/etc/yate/ybts.conf

  • Radio.Band
  • Radio.C0
  • Identity.MCC
See the comments above each of these items for valid values. If not already clear, these are required to configure for the BTS to operate in the correct band, ARFCN, and country code.

Scheduling Priority

On some slower machines or when using USB 2.0 ports, you may see reports of "timestamp jumps" resulting from RX overruns. If this is the case, first ensure your CPU Governor is set to "performance" and that power settings are not limiting your CPU frequency. If problems persist, note that YateBTS provides the ability to increase the scheduling priority of the transceiver tasks.

Increasing the priority (i.e., decreasing its niceness) of a process generally requires additional privileges. We can edit the /etc/security/limits.conf file to grant users of the yate this ability by adding the following lines:

@yate hard nice -20
@yate hard rtprio 99

Note that you may need to adjust these values per your situation, preferences, or policies. The below graphic, from ATAD #21, illustrates the meaning of the priority values:

HIGH PRIORITY – – – – – > – – – – – > – – – – – > – – – – – > – – – – LEAST PRIORITY
| real time priority (static priority) |       nice value (dynamic priority)       |
|   99 ............ 50 ............ 1  | -20 ..... -10 ..... 0 ...... 10 ...... 19 |

The transceiver scheduling priority can be set in the [transceiver] of the /usr/local/etc/yate/ybts.conf file:


SNMP Port Numbers

Non-privileged users cannot bind sockets on ports lower than 1024. Therefore, we must change the SNMP ports. (Note that clients will need to be aware of this, if you plan to use SNMP.)

To do this, edit /usr/local/etc/yate/ysnmpagent.conf and look for the following lines:


Uncomment these by removing the preceding ; character, and set these to available ports greater than or equal to 1024. For example:


Running Yate


At this point, you should be able to plug in a bladeRF and run yate. When doing so, you should see LEDs on the bladeRF begin to blink. This indicates that the device's FPGA has been loaded and is in use.

Note that you use -v, -vv, -vvv, and so on to enable increasing degrees of verbosity.

Registering Devices

One simple way to allow a device to register is by placing its IMSI in the regexp field in /usr/local/etc/yate/subscribers.conf. As noted by the comments in this file, using a regular expression for IMSIs prevents one from utilizing 2G/3G authentication features; thus, this is suitable only for initial testing.

If you previously programmed your SIM, you should already know the IMSI such that you can place it in the regexp field.

If you are unsure or find that your device is not registering, you can use the NIB telnet interface to list rejected devices, as shown below.

With yate running:

telnet localhost 5038

Once connected, one can list registered devices.

nib list registered

Rejected devices can also be listed. If your device is not registering and is in this list, it implies that it is not properly entered in subscribers.conf

nib list rejected

For example, suppose your devices have IMSIs ranging from 001010123456780 to 001010123456789. You could use the following regexp:


While Yate is running, this change can be applied via the telnet interface, using the following command:

nib reload

Within a few minutes of registering the device should receive a text message noting its assigned phone number.

Testing Devices

The Yate NIB setup includes an ELIZA chat bot that you can communicate with by sending SMS messages to 35492. This is a good way to test use of a single device.

After registering a second device, you should be able to send SMS messages and connect a call between two devices.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.