Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Rayhunter

Rayhunter Logo - An Orca taking a bite out of a cellular signal bar

Rayhunter is a project for detecting IMSI catchers, also known as cell-site simulators or stingrays. It's designed to run on a cheap mobile hotspot called the Orbic RC400L, but thanks to community efforts can support some other devices as well.

It's also designed to be as easy to install and use as possible, regardless of your level of technical skills. This guide should provide you all you need to acquire a compatible device, install Rayhunter, and start catching IMSI catchers.

To learn more about the aim of the project, and about IMSI catchers in general, please check out our introductory blog post. Otherwise, check out the installation guide to get started.

LEGAL DISCLAIMER: Use this program at your own risk. We believe running this program does not currently violate any laws or regulations in the United States. However, we are not responsible for civil or criminal liability resulting from the use of this software. If you are located outside of the US please consult with an attorney in your country to help you assess the legal risks of running this program.

Good Hunting!

Installing Rayhunter

So, you've got one of the supported devices, and are ready to start catching IMSI catchers. You have two options for installing Rayhunter:

Installing from the latest release

Make sure you've got one of Rayhunter's supported devices. These instructions have only been tested on macOS and Ubuntu 24.04. If they fail, you will need to install Rayhunter from source.

  1. Download the latest rayhunter-vX.X.X-PLATFORM.zip from the Rayhunter releases page for your platform:

    • for Linux on x64 architecture: linux-x64
    • for Linux on ARM64 architecture: linux-aarch64
    • for Linux on armv7/v8 (32-bit) architecture: linux-armv7
    • for MacOS on Intel (old macbooks) architecture: macos-intel
    • for MacOS on ARM (M1/M2 etc.) architecture: macos-arm
    • for Windows: windows-x86_64

  2. Decompress the rayhunter-vX.X.X-PLATFORM.zip archive. Open the terminal and navigate to the folder. (Be sure to replace X.X.X with the correct version number!)

    unzip ~/Downloads/rayhunter-vX.X.X-PLATFORM.zip
cd ~/Downloads/rayhunter-vX.X.X-PLATFORM

  3. Turn on your device by holding the power button on the front.

    • For the Orbic, connect the device using a USB-C cable.
    • For TP-Link, connect to its network using either WiFi or USB Tethering.

  4. Run the installer:

    # On MacOS, you must first remove the quarantine bit
xattr -d com.apple.quarantine installer

    Then run the installer:

    ./installer orbic
# or: ./installer tplink
# or: ./installer wingtech

    The device will restart multiple times over the next few minutes.

    You will know it is done when you see terminal output that says Testing Rayhunter... done

  5. Rayhunter should now be running! You can verify this by viewing Rayhunter's web UI. You should also see a green line flash along the top of top the display on the device.

Troubleshooting

  • On MacOS if you encounter an error that says "No Orbic device found," it may because you have the "Allow accessories to connect" security setting set to "Ask for approval." You may need to temporarily change it to "Always" for the script to run. Make sure to change it back to a more secure setting when you're done.
./installer --help
./installer util --help

Installing from the latest release (Windows)

Windows support in Rayhunter's installer is a work-in-progress. Depending on the device, the installation instructions differ.

  1. Connect the device via WiFi or USB Tethering -- you should be able to view the TP-Link admin page on http://192.168.0.1.
  2. Download the latest release (must be at least 0.3.0) for windows-x86_64, and unpack the zipfile.
  3. Open PowerShell or CMD in that extracted folder, the installer: ./installer tplink
  4. Follow the instructions on the screen, if there are any.

Orbic

  1. Connect the device to your computer using the provided USB cable.

  2. Install the Zadig WinUSB driver installer.

  3. Open Zadig, click options->show all devices

    Zadig

  4. Select 'RNDIS (Interface 0)'

    Zadig

  5. Click 'install driver' and wait for it to finish.

  6. Download the latest rayhunter-vX.X.X-windows-x86_64.zip from the Rayhunter releases page. The version you download will have numbers instead of X

  7. Unzip rayhunter-vX.X.X-windows-x86_64 .

  8. Open a powershell terminal by pressing Win+R and typing powershell and hitting enter.

  9. Type cd ~\Downloads\rayhunter-v<x.x.x>-windows-x86_64 (Replace <x.x.x> with the Rayhunter version you just unzipped) and hit enter.

  10. Run the install script: .\installer.exe orbic and hit enter.

    • The device will restart multiple times over the next few minutes.
    • You will know it is done when you see terminal output that says checking for rayhunter server...success!

  11. Rayhunter should now be running! You can verify this by following the instructions below to view the web UI. You should also see a green line flash along the top of top the display on the device.

Installing from source

Building Rayhunter from source, either for development or because the install script doesn't work on your system, involves a number of external dependencies. Unless you need to do this, we recommend you use our compiled builds.

  • Install nodejs/npm, which is required to build Rayhunter's web UI
    • Make sure to build the site with pushd daemon/web && npm install && npm run build && popd before building Rayhunter. If you're working directly on the frontend, npm run dev will allow you to test a local frontend with hot-reloading (use http://localhost:5173 instead of http://localhost:8080).
  • Install ADB on your computer using the instructions above, and make sure it's in your terminal's PATH
    • You can verify if ADB is in your PATH by running which adb in a terminal. If it prints the filepath to where ADB is installed, you're set! Otherwise, try following one of these guides:
  • Install curl on your computer to run the install scripts. It is not needed to build binaries.

Install Rust targets

Install Rust the usual way. Then,

  • install the cross-compilation target for the device Rayhunter will run on:
rustup target add armv7-unknown-linux-musleabihf
  • install the statically compiled target for your host machine to build the binary installer serial.
# check which toolchain you have installed by default with
rustup show
# now install the correct variant for your host platform, one of:
rustup target add aarch64-unknown-linux-musl
rustup target add armv7-unknown-linux-musleabi
rustup target add x86_64-unknown-linux-musl
rustup target add aarch64-apple-darwin
rustup target add x86_64-apple-darwin
rustup target add x86_64-pc-windows-gnu

Now you can root your device and install Rayhunter by running:

# Profile can be changed to 'firmware-devel' when building for development.
# Build time will decrease at the expense of binary size.
cargo build --bin rayhunter-daemon --target armv7-unknown-linux-musleabihf --profile firmware

cargo build --bin rootshell --target armv7-unknown-linux-musleabihf --profile firmware

# Replace 'orbic' with your device type if different.
# A list possible values can be found with 'cargo run --bin installer help'.
cargo run --bin installer orbic

If you're on Windows or can't run the install scripts

  • Root your device on Windows using the instructions here: https://xdaforums.com/t/resetting-verizon-orbic-speed-rc400l-firmware-flash-kajeet.4334899/#post-87855183
  • Build the web UI using cd bin/web && npm install && npm run build
  • Push the scripts in scripts/ to /etc/init.d on device and make a directory called /data/rayhunter using adb shell (and sshell for your root shell if you followed the steps above)
  • You also need to copy config.toml.in to /data/rayhunter/config.toml. Uncomment the device line and set the value to your device type if necessary.
  • Then run ./make.sh, which will build the binary, push it over adb, and restart the device. Once it's restarted, Rayhunter should be running!

Updating Rayhunter

Great news: if you've successfully installed Rayhunter, you already know how to update it! Our update process is identical to the installation process: simply repeat the steps for installing Rayhunter via a release or from source.

Configuration

Rayhunter can be configured through web user interface or by editing /data/rayhunter/config.toml on the device.

rayhunter_config

Through web UI you can set:

  • Device UI Level, which defines what Rayhunter shows on device's built-in screen. Device UI Level could be:
    • Invisible mode: Rayhunter does not show anything on the built-in screen
    • Subtle mode (colored line): Rayhunter shows green line if there are no warnings, red line if there are warnings (warnings could be checked through web UI) and white line if Rayhunter is not recording
    • Demo mode (orca gif), which shows image of orca fish and colored line
    • EFF logo, which shows EFF logo and and colored line.
  • Device Input Mode, which defines behaviour of built-in power button of the device. Device Input Mode could be:
    • Disable button control: built-in power button of the device is not used by Rayhunter;
    • Double-tap power button to start/stop recording: double clicking on a built-in power button of the device stops and immediatelly restarts the recording. This could be useful if Rayhunter's heuristichs is triggered and you get the red line, and you want to "reset" the past warnings. Normally you can do that through web UI, but sometimes it is easier to double tap on power button.
  • Colorblind Mode enables color blind mode (blue line is shown instead of green line, red line remains red). Please note that this does not cover all types of color blindness, but switching green to blue should be about enough to differentiate the color change for most types of color blindness.
  • With Analyzer Heuristic Settings you can switch on or off built-in Rayhunter heuristics. Some heuristics are experimental or can trigger a lot of false positive warnings in some networks (our tests have shown that some heuristics have different behaviour in US or European networks). In that case you can decide whether you would like to have the heuristics that trigger a lot of false positives on or off. Please note that we are constantly improving and adding new heuristics, so new release may reduce false positives in existing heuristics as well.

If you prefer editing config.toml file, you need to obtain a shell on your Orbic or TP-Link device and edit the file manually. You can view the default configuration file on a GitHub.

Uninstalling

Orbic

To uninstall Rayhunter, power on your Orbic device and connect to it via USB. Then, start a rootshell on it by running adb shell, followed by rootshell.

Once in a rootshell, run:

echo 3 > /usrdata/mode.cfg
rm -rf /data/rayhunter /etc/init.d/rayhunter-daemon /bin/rootshell.sh
reboot

Your device is now Rayhunter-free, and should no longer be in a rooted ADB-enabled mode.

  1. Run ./installer util tplink-start-telnet
  2. Telnet into the device telnet 192.168.0.1
  3. rm /data/rayhunter /etc/init.d/rayhunter_daemon
  4. update-rc.d rayhunter_daemon remove
  5. (hardware revision v4.0+ only) In Settings > NAT Settings > Port Triggers in TP-Link's admin UI, remove any leftover port triggers.

UZ801

  1. (Optional): Back up the qmdl folder with all of the captures: adb pull /data/rayhunter/qmdl .
  2. Run adb shell to get a root shell on the device
  3. Delete the /data/rayhunter folder: rm -rf /data/rayhunter
  4. Modify the initmifiservice.sh script to remove the rayhunter startup line:
mount -o remount,rw /system
busybox vi /system/bin/initmifiservice.sh

Then type 999G (shift+g), then type dd. Then press the colon key (:) and type wq. Finally, press Enter. 4. Lastly, run setprop persist.sys.usb.config rndis. 5. Type reboot to reboot the device.

Using Rayhunter

Once installed, Rayhunter will run automatically whenever your device is running. You'll see a green line on top of the device's display to indicate that it's running and recording. The line will turn red once a potential IMSI catcher has been found, until the device is rebooted or a new recording is started through the web UI.

Rayhunter_0 5 0

It also serves a web UI that provides some basic controls, such as being able to start/stop recordings, download captures, delete captures, and view heuristic analyses of captures.

The web UI

You can access this UI in one of two ways:

  • Connect over WiFi: Connect your phone/laptop to your device's WiFi network and visit http://192.168.1.1:8080 (orbic) or http://192.168.0.1:8080 (tplink).

    Click past your browser warning you about the connection not being secure, Rayhunter doesn't have HTTPS yet.

    On the Orbic, you can find the WiFi network password by going to the Orbic's menu > 2.4 GHz WIFI Info > Enter > find the 8-character password next to the lock 🔒 icon. On the TP-Link, you can find the WiFi network password by going to the TP-Link's menu > Advanced > Wireless > Basic Settings.

  • Connect over USB (Orbic): Connect your device to your laptop via USB. Run adb forward tcp:8080 tcp:8080, then visit http://localhost:8080.

    • For this you will need to install the Android Debug Bridge (ADB) on your computer, you can copy the version that was downloaded inside the releases/platform-tools/ folder to somewhere else in your path or you can install it manually.
    • You can find instructions for doing so on your platform here, (don't worry about instructions for installing it on a phone/device yet).
    • On MacOS, the easiest way to install ADB is with Homebrew: First install Homebrew, then run brew install android-platform-tools.

  • Connect over USB (TP-Link): Plug in the TP-Link and use USB tethering to establish a network connection. ADB support can be enabled on the device, but the installer won't do it for you.

Key shortcuts

As of Rayhunter verion 0.3.3, you can start a new recording by double-tapping the power button. Any current recording will be stopped and a new recording will be started, resetting the red line as well. This feature is disabled by default since Rayhunter version 0.4.0 and needs to be enabled through configuration.

Heuristics

Rayhunter includes several analyzers to detect potential IMSI catcher activity. These can be enabled and disabled in your configuration file.

Available Analyzers

IMSI Requested

This analyser tests whether the eNodeB sends an IMSI Identity Request NAS message.

Mobile network primarily requests IMSI number from mobile device during initial network attachment or when the network cannot identify the mobile device by its temporary identification (TMSI - Temporary Mobile Subscriber Identity or GUTI - Globally Unique Temporary Identifier in 4G/5G terminology).

IMSI request therefore usually happens when you first turn the device on especially after it has been off for a long time. Another possibility is, that you reboot your mobile device and your temporary ID expired. Sometimes temporary identification can expire if you have been in an area where there is absolutely no connection to your service provider or after you left your device on an airplane mode and then reconnect to the network (especially being disconnected for a long time). IMSI could also be requested when you connect to a new network (for instance for roaming), when you swap she SIM card or when your device moves to a new Tracking Area or Location Area and the network can not map the temporary identification to your device. IMSI number can also be requested after core network reboot.

It should also be noted that the network periodically reassigns your device new temporary identification to enhance security and avoid tracking, but in that cases usually does not request IMSI.

However, if you get this warning at a time when you have been steadily connected to towers and the device has been on for a while, this could be a sign of IMSI catcher use.

Connection Release/Redirected Carrier 2G Downgrade

This analyser tests if a base station releases your device's connection and redirects your device to a 2G base station. This heuristics is useful, because many commercial IMSI catchers operate in a such way that they downgrade connection to 2G where they can intercept the communication (by performing man-in-the-middle attack).

This heuristic is the most useful in the United States or other countries where there are no more operating 2G base stations. See Wikipedia page on past 2G networks for information about your country. In countries where 2G is still in service (such as most of EU), this heuristics may trigger false positives. In that case you should consider disabling it. However this heuristics has been vastly improved to reduce false positive warnings and new tests in European networks show that false positives are vastly reduced.

LTE SIB6/7 Downgrade

This analyser tests if LTE base station is broadcasting a SIB type 6 and 7 messages which include 2G/3G frequencies with higher priorities.

SIB (System Information Block) Type 6 and 7 are specific types of broadcast messages sent by the base station (eNodeB in 4G networks) to mobile devices. They contain essential radio-related configuration parameters to help mobile device perform cell reselection.

IMSI catchers exploit the fact that many SIB broadcast messages are not encrypted or authenticated. This allows them to pretend to be a legitimate cell by broadcasting fake system information in order to force mobile devices to downgrade from more secure 4G (LTE) to less secure 2G (GSM) network and then steal IMSI and/or perform man-in-the-middle attack. That is why this is also called a downgrade attack.

SIB6 is used for cell reselecion to CDMA2000 systems which are not supported by many modern mobile phones, and SIB7 Provides the mobile device with information to perform cell reselection to GSM/EDGE networks. Therefore SIB6 messages are quite rare, while malformed SIB7 messages are much more frequent in practice.

Null Cipher

This analyser tests whether the cell suggests using a null cipher (EEA0) in the RRC layer. That means that encryption between your mobile device and base station is turned off.

Normally this should never happen, because null cipher is used almost exclusively for testing and debugging in labs or in controlled environments. Sometimes null cipher is used if encryption negotiation fails or isn’t supported (however in most networks this should not be the case). Also, some regulations allow unencrypted communications in specific emergency cases.

The general rule is, that null cipher should never be used in commercial deployments, except in very controlled conditions (e.g., test labs) or in a very specific regulatory-approved use cases.

On the other hand, IMSI catchers often use null cipher to avoid setting up secure contexts (because they lack valid keys) and/or to trick mobile device into using unencrypted links (which makes eavesdropping easier).

NAS Null Cipher

This analyser tests whether the security mode command at the NAS layer suggests using a null cipher (EEA0). This would usually only happen after a mobile device has successfully authenticated with the MME (Mobility Management Entity - core network component that handles signaling and control) but still it shouldn't happen at all. This could be indicative of an attack though using SS7 (Signaling System 7 - a set of telecommunication protocols used to set up and manage calls and other services) to get key material from the HLR (Home Location Register - a database in mobile telecommunications networks that stores subscriber information) of the mobile phone for a successful authentication.

It could also indicate an IMSI catcher which is connected to the mobile network MME and HLR through cooperation between government and telecom provider. Or it could be a false positive if the telecom provider is intending to use null ciphers (if encryption is illegal in some country, or they have some misconfiguration of the network), however this should be very rare case.

Incomplete SIB

This analyser tests whether the SIB1 message contains a complete SIB chain (SIB3, SIB5, etc.). A legitimate SIB1 message should contain timing information for at least 2 additional SIBs (SIB3, 4, and 5 being the most common) but a fake base station will often not bother to send additional SIBs beyond 1 and 2 (i. e. some IMSI catchers send just SIB1 and one additional SIB).

On its own this might just be a misconfigured base station (though we have only seen it in the wild under suspicious circumstances) but combined with other heuristics such as IMSI Requested detection it should be considered as a strong indicator of malicious activity.

How we analyze a capture

TODO

Supported devices

Be sure to check your location's supported frequencies against a device page before obtaining a device.

These devices have been extensively tested by the core developers and are widely used. Use one of these devices if you can.

DeviceRecommended region
Orbic RC400LAmericas
TP-Link M7350Africa, Europe, Middle East

The TP-Link M7350 also works in the Americas but is usually more expensive.

device_regions Derivative work of this file by Maximillian Dörrbecker licensed CC BY-SA 2.5

2. Functional devices

Rayhunter is confirmed to work on these devices.

DeviceRecommended region
Wingtech CT2MHS01Americas
Tmobile TMOHS1Americas
TP-Link M7310Africa, Europe, Middle East
PinePhone and PinePhone ProGlobal
FY UZ801Asia, Europe

Adding new devices

Rayhunter was built and tested primarily on the Orbic RC400L mobile hotspot, but the community has been working hard at adding support for other devices. Theoretically, if a device runs a Qualcomm modem and exposes a /dev/diag interface, Rayhunter may work on it.

If you have a device in mind which you'd like Rayhunter to support, please open a discussion on our Github!

Orbic RC400L

The Orbic RC400L is an inexpensive LTE modem primarily designed for the US market, and the original device for which Rayhunter is developed.

You can buy an Orbic using bezos bucks, or on eBay.

Please check whether the Orbic works in your country, and whether the Orbic RC400L supports the right frequency bands for your purpose before buying.

Supported Bands

FrequencyBand
5G (wideband,midband,nationwide)n260/n261, n77, n2/5/48/66
4G2/4/5/12/13/48/66
Global & Roamingn257/n78
Wifi 2.4Ghzb/g/n
Wifi 5Ghza/ac/ax
Wifi 6🮱

Obtaining a shell

After running through the installation procedure, you can obtain a root shell by running adb shell or ./installer util shell. Then, inside of that shell you can run /bin/rootshell to obtain "fakeroot."

TP-Link M7350

Supported in Rayhunter since version 0.3.0.

The TP-Link M7350 supports many more frequency bands than Orbic and therefore works in Europe and also in some Asian and African countries.

Hardware versions

The TP-Link comes in many different hardware versions. Support for installation varies:

  • 1.0, 2.0: Not supported, devs are not able to obtain a device
  • 3.0, 3.2, 5.0, 5.2, 7.0, 8.0: Tested, no known issues since 0.3.0.
  • 6.2: One user reported it is working, not tested
  • 4.0: Manual firmware downgrade required (issue)
  • 9.0: Working since 0.3.2.

TP-Link versions newer than 3.0 have cyan packaging and a color display. Version 3.0 has a one-bit display and white packaging.

You can find the exact hardware version of each device under the battery or next to the barcode on the outer packaging, for example V3.0 or V5.2.

When filing bug reports, particularly with the installer, please always specify the exact hardware version.

You can get your TP-Link M7350 from:

Installation & Usage

Follow the release installation guide. Substitute ./installer orbic for ./installer tplink in other documentation. The Rayhunter UI will be available at http://192.168.0.1:8080.

Obtaining a shell

Unlike on Orbic, the installer will not enable ADB. Instead, you can obtain a root shell with the following command:

./installer util tplink-start-telnet
telnet 192.168.0.1

Display states

If your device has a color display, Rayhunter will show the same red/green/white line at the top of the display as it does on Orbic, each color meaning "warning"/"recording"/"paused" respectively. See Using Rayhunter.

If your device has a one-bit (black-and-white) display, Rayhunter will instead show an emoji to indicate status:

  • ! means "warning (potential IMSI catcher)"
  • :) (smiling) means "recording"
  • : (face with no mouth) means "paused"

Power-saving mode/sleep

By default the device will go to sleep after N minutes of no devices being connected. In that mode it will also turn off connections to cell phone towers. In order for Rayhunter to record continuously, you have to turn off this sleep mode in TP-Link's admin panel (go to Advanced - Power Saving) or keep e.g. your phone connectd on the TP-Link's WiFi.

Port triggers

On hardware revisions starting with v4.0, the installer will modify settings to add two port triggers. You can look at Settings > NAT Settings > Port Triggers in TP-Link's admin UI to see them.

  1. One port trigger "rayhunter-root" to launch the telnet shell. This is only needed for installation, and can be removed after upgrade. You can reinstall it using ./installer util tplink-start-telnet.
  2. One port trigger "rayhunter-daemon" to auto-start Rayhunter on boot. If you remove this, Rayhunter will have to be started manually from shell.

For more information on the device and instructions on how to install Rayhunter without an installer (i.e. manually), please see rayhunter-tplink-m7350

TP-Link M7310

Supported in Rayhunter since version 0.4.0.

The TP-Link M7310 works similarly to the M7350 and is essentially an older, more expensive version of it. The installation procedure is identical, ./installer tplink.

Hardware version v1.0 has been successfully tested, later versions may work as well.

Tmobile TMOHS1

The Tmobile TMOHS1 hotspot is a Qualcomm mdm9607-based device with many similarities to the Wingtech CT2MHS01 hotspot. The TMOHS1 has no screen, only 5 LEDs, two of which are RGB.

Hardware

Cheap used versions of the device can be found easily on Ebay, and also from these sellers:

Rayhunter has been tested on:

WT_INNER_VERSION=SW_Q89527AA1_V045_M11_TMO_USR_MP
WT_PRODUCTION_VERSION=TMOHS1_00.05.20
WT_HARDWARE_VERSION=89527_1_11

Please consider sharing the contents of your device's /etc/wt_version file here.

Supported bands

The TMOHS1 is primarily an ITU Region 2 device, although Bands 5 (CLR) and 41 (BRS) may be suitable for roaming in Region 3.

According to FCC ID 2APXW-TMOHS1 Test Report No. I20Z61602-WMD02 (part 1, part 2), the TMOHS1 supports the following LTE bands:

BandFrequency
21900 MHz (PCS)
41700 MHz (AWS-1)
5850 MHz (CLR)
12700 MHz (LSMH)
251900 MHz (E-PCS)
26850 MHz (E-CLR)
412500 MHz (BRS)
661700 MHz (E-AWS)
71600 MHz (USDD)

Installing

Connect to the TMOHS1's network over wifi or usb tethering.

The device will not accept web requests until after the default password is changed. If you have not previously logged in, log in using the default password printed under the battery and change the admin password.

Then run the installer:

./installer tmobile --admin-password Admin0123! # replace with your own password

LED modes

Rayhunter stateLED indicator
RecordingSignal LED slowly blinks blue.
PausedWiFi LED blinks white.
Warning DetectedSignal LED slowly blinks red.

Obtaining a shell

Even when rayhunter is running, for security reasons the TMOHS1 will not have telnet or adb enabled during normal operation.

Use either command below to enable telnet or adb access:

./installer util tmobile-start-telnet --admin-password Admin0123!
telnet 192.168.0.1

./installer util tmobile-start-adb --admin-password Admin0123!
adb shell

UZ801

The UZ801 is a 4G/LTE USB modem which is built on top of a Qualcomm Snapdragon 410 (MSM8916, with MDM8916 modem.) It does not have a screen, but it does have LEDs which can be used to signal the same status as the green/red bar on the Orbic hotspot. It uses a custom Android-based firmware with limited coreutils. More information about this device can be found here

It is worth noting that even though the Snapdragon 410 is a quad-core SoC, the CPU has only 2 of the cores enabled on the stock Android-based firmware, probably to avoid overheating as they did not exactly engineer any cooling solution. Regardless, even with 2 disabled cores there is plenty of compute overhead. There are 384MB of RAM on the SoC, and 4GB of eMMC in the form of an SK Hynix NAND flash chip located external to the SoC.

Rayhunter has been tested on UZ801 devices with firmware supporting USB debugging backdoor access. It is not certain whether all of the sticks that use this board will be compatible with the automated installer, or even with any alternative manual installation method. Please consider sharing your device's firmware version and hardware information here to help improve compatibility.

Where to purchase

There are several option to purchase this device:

  1. AliExpress:
  1. eBay:
  1. Amazon:

Supported bands

The UZ801 supports various LTE bands depending on the specific hardware revision and carrier customization. Check your device specifications for the exact band support.

The most frequent bands found on these devices are LTE bands 1/3/5/8/20. In the US, this means that Verizon's band 5 towers are the only towers that this device could communicate with in its normal usage as an LTE modem. Research on whether Qualcomm diagnostic tools can be used to write new band support into the NVRAM is pending.

Installing

With the device fully booted (i.e. beaming a wifi network, blue LED, etc.) and plugged into the computer that is performing the installation, run:

./installer uz801

Note: The default IP for UZ801 is typically 192.168.100.1; if yours differs, use the --admin-ip argument to specify it.

LED modes

Rayhunter stateLED indicator
RecordingGreen LED solid on
PausedWiFi (blue) LED solid on
Warning DetectedRed LED solid on

Note: Unlike the TMOHS1, the UZ801 uses solid LED indicators instead of blinking patterns.

Obtaining a shell

The UZ801 supports ADB access after the USB debugging backdoor is activated.

adb shell

Device-specific notes

The UZ801 uses a unique installation process that activates a hidden USB debugging backdoor.

The installation process works as follows:

  1. Activates the USB debugging backdoor via HTTP AJAX request
  2. Waits for device reboot and ADB availability
  3. Uses ADB to install rayhunter files and modify the startup script
  4. Launches rayhunter daemon automatically
  • The UZ801 does not symlink busybox for some core system utils, for some reason. Please use busybox <utility_name>, e.g. busybox df -h.
  • USB debugging must be activated via the web backdoor before ADB access is possible (this is required only once.) The installer does this already.
  • The device uses /system/bin/initmifiservice.sh as the main startup script.

Wingtech CT2MHS01

Supported in Rayhunter since version 0.4.0.

The Wingtech CT2MHS01 hotspot is a Qualcomm mdm9650-based device with a screen available for US$15-35. This device is often used as a base platform for white labeled versions like the T-Mobile TMOHS1. AT&T branded versions of the hotspot seem to be the most abundant.

Supported bands

There are likely variants of the device for all three ITU regions.

According to FCC ID 2APXW-CT2MHS01 Test Report No. I20N02441-RF-LTE, the ITU Region 2 American version of the device supports the following LTE bands:

BandFrequency
21900 MHz (PCS)
5850 MHz (CLR)
12700 MHz (LSMH)
14700 MHz (USMH)
302300 MHz (WCS)
661700 MHz (E-AWS)

Note that Band 5 (850 MHz, CLR) is suitable for roaming in ITU regions 2 and 3.

Hardware

Wingtechs are abundant on ebay and can also be found on Amazon:

Installing

Connect to the Wingtech's network over wifi or usb tethering, then run the installer:

./installer wingtech --admin-password 12345678  # replace with your own password

Obtaining a shell

Even when Rayhunter is running, for security reasons the Wingtech will not have telnet or adb enabled during normal operation.

Use either command below to enable telnet or adb access:

./installer util wingtech-start-telnet --admin-password 12345678
telnet 192.168.1.1

./installer util wingtech-start-adb --admin-password 12345678
adb shell

Developing

The device has a framebuffer-driven screen at /dev/fb0 that behaves similarly to the Orbic RC400L, although the userspace program displaygui refreshes the screen significantly more often than on the Orbic. This causes the green line on the screen to subtly flicker and only be displayed during some frames. Subsequent work to fully control the display without removing the OEM interface is desired.

Rayhunter has been tested on:

WT_INNER_VERSION=SW_Q89323AA1_V057_M10_CRICKET_USR_MP
WT_PRODUCTION_VERSION=CT2MHS01_0.04.55
WT_HARDWARE_VERSION=89323_1_20

Please consider sharing the contents of your device's /etc/wt_version file here.

Troubleshooting

My hotspot won't turn on after rebooting when installing over WiFi

Reinsert the battery and turn the device back on, Rayhunter should be installed and running. Sometimes the Wingtech hotspot gets stuck off and ignores the power button after a reboot until the battery is reseated.

You do not need to run the installer again.

You'll likely see the following messages, where the installer is stuck at Testing rayhunter ... .

Starting telnet ... ok
Connecting via telnet to 192.168.1.1 ... ok
Sending file /data/rayhunter/config.toml ... ok
Sending file /data/rayhunter/rayhunter-daemon ... ok
Sending file /etc/init.d/rayhunter_daemon ... ok
Rebooting device and waiting 30 seconds for it to start up.
Testing rayhunter ...

If you eventually see:

Testing rayhunter ...
Failed to install rayhunter on the Wingtech CT2MHS01

Caused by:
    0: error sending request for url (http://192.168.1.1:8080/index.html)
    1: client error (Connect)
    2: tcp connect error: Network is unreachable (os error 101)
    3: Network is unreachable (os error 101)

Make sure your computer is connected to the hotspot's wifi network.

PinePhone and PinePhone Pro

The PinePhone and PinePhone Pro both use a Qualcomm mdm9607 modem as part of their Quectel EG25-G LTE module. The EG25-G has global LTE band support and contains a GNSS positioning module. Rayhunter does not currently make direct use of GNSS.

The modem is fully capable of running Rayhunter, but lacks both a screen and a network connection. The modem exposes an AT interface that can enable adb.

Hardware

Supported bands

BandFrequency
12100 MHz (IMT)
21900 MHz (PCS)
31800 MHz (DCS)
41700 MHz (AWS-1)
5850 MHz (CLR)
72600 MHz (IMT-E)
8900 MHz (E-GSM)
12700 MHz (LSMH)
13700 MHz (USMH)
18850 MHz (LSMH)
19850 MHz (L800)
20800 MHz (DD)
251900 MHz (E-PCS)
26850 MHz (E-CLR)
28700 MHz (APT)
382600 MHz (IMT-E)
39850 MHz (E-CLR)
402300 MHz (S-Band)
412500 MHz (BRS)

Note that the Quectel EG25-G does not support LTE band 48 (CBRS 3500MHz), used in the US for unlicensed 4G/5G connectivity.

Installing

Download and extract the installer on a shell on the PinePhone itself. Unlike other Rayhunter installers, this has to be run on the device itself. Then run:

./installer pinephone

Accessing Rayhunter

Because the modem does not have its own display or network interface, Rayhunter is only accessible on the pinephone by forwarding tcp over adb.

adb forward tcp:8080 tcp:8080

Shell access

Use this command to enable adb access:

./installer util pinephone-start-adb
adb shell

Power saving (disable adb)

The modem won't be able to sleep (power save) with adb enabled, even if Rayhunter is stopped. Disable adb with the following command:

./installer util pinephone-stop-adb

Support, Feedback, and Community

If you're using Rayhunter (or trying to), we'd love to hear from you! Check out one of the following forums for contacting the Rayhunter developers and community:

  • If you've received a Rayhunter warning and would like to help us with our research, please send your Rayhunter data captures (QMDL and PCAP logs) to us at our Signal username ElectronicFrontierFoundation.90 with the following information: capture date, capture location, device, device model, and Rayhunter version. If you're unfamiliar with Signal, feel free to check out our Security Self Defense guide on it.
  • If you're having issues installing or using Rayhunter, please open an issue on our Github repo.
  • If you'd like to propose a feature, heuristic, or device for Rayhunter, start a discussion in our Github repo
  • For anything else, join us in the #rayhunter or #rayhunter-developers channel of EFF's Mattermost instance to chat!

Frequently Asked Questions

Do I need an active SIM card to use Rayhunter?

It Depends. Operation of Rayhunter does require the insertion of a SIM card into the device, but whether that SIM card has to be currently active for our tests to work is still under investigation. If you want to use the device as a hotspot in addition to a research device an active plan would of course be necessary, however we have not done enough testing yet to know whether an active subscription is required for detection. If you want to test the device with an inactive SIM card, we would certainly be interested in seeing any data you collect, and especially any runs that trigger an alert!

Help, Rayhunter's line is red! What should I do?

Unfortunately, the circumstances that might lead to a positive cell site simulator (CSS) signal are quite varied, so we don't have a universal recommendation for how to deal with the a positive signal. Depending on your circumstances and threat model, you may want to turn off your phone until you are out of the area (or put it on airplane mode) and tell your friends to do the same!

If you've received a Rayhunter warning and would like to help us with our research, please send your Rayhunter data captures (QMDL and PCAP logs) to us at our Signal username ElectronicFrontierFoundation.90 with the following information: capture date, capture location, device, device model, and Rayhunter version. If you're unfamiliar with Signal, feel free to check out our Security Self Defense guide on it.

Please note that this file may contain sensitive information such as your IMSI and the unique IDs of cell towers you were near which could be used to ascertain your location at the time.

Should I get a locked or unlocked orbic device? What is the difference?

If you want to use a non-Verizon SIM card you will probably need an unlocked device. But it's not clear how locked the locked devices are nor how to unlock them, we welcome any experimentation and information regarding the use of unlocked devices.

How do I re-enable USB tethering after installing Rayhunter?

Make sure USB tethering is also enabled in the Orbic's UI, and then run the following commands:

./installer util shell "echo 9 > /usrdata/mode.cfg"
./installer util shell reboot

To disable tethering again:

./installer util shell "echo 3 > /usrdata/mode.cfg"
./installer util shell reboot

See /data/usb/boot_hsusb_composition for a list of USB modes and Android USB gadget settings.

How do I disable the WiFi hotspot on the Orbic RC400L?

To disable both WiFi bands:

adb shell
/bin/rootshell -c "sed -i 's/<wlan><Feature><state>1<\/state>/<wlan><Feature><state>0<\/state>/g' /usrdata/data/usr/wlan/wlan_conf_6174.xml && reboot"

To re-enable WiFi:

adb shell
/bin/rootshell -c "sed -i 's/<wlan><Feature><state>0<\/state>/<wlan><Feature><state>1<\/state>/g' /usrdata/data/usr/wlan/wlan_conf_6174.xml && reboot"