Tutorials/GPS Spoofing/Hardware
Using Software Defied Radio (SDR) to simulate GPS signals.
NOTE: THIS IS POSSIBLY NOT ALLOWED IN YOUR COUNTRY FOR GOOD REASONS
Prerequisites
Hardware
- computer with linux (Debian) or OSX(?)
- SDR transceiver capable of transmitting on > 1500Mhz (USRP, HackRF, BladeRF, LimeSDR, LimeSDR Mini, PlutoSDR)
Software
- gps_sdr_sim
Installation (Debian)
Generating GPS Signal using HackRF and Debian
Adding HackRF Support
$ sudo apt-update $ sudo apt install gnuradio libhackrf0 hackrf libhackrf-dev
Hook up your HackRF and see if its recognized:
$ hackrf_info
You should see something like:
Found HackRF board. Board ID Number: 2 (HackRF One) Firmware Version: 2015.07.2 Part ID Number: 0xa000cw898 0x09898908 (redacted) Serial Number: 000000000 0000 00 00000000 (redacted
GPS sim (Download + compile)
$ git clone https://github.com/osqzss/gps-sdr-sim.git $ cd gps-sdr-sim $ make
Making gps sim only takes a few seconds.
Generate simulated motion file
Download the latest brdc file from here: [1](ftp://cddis.gsfc.nasa.gov/gnss/data/daily) (for example: ftp://cddis.gsfc.nasa.gov/gnss/data/daily/2020/brdc/brdc1460.20g.Z)
Extract the compressed file in a place you will remember
Generate binary file to be transmitted by hackrf:
$ ./gps-sdr-sim -b 8 -e ~/LOCATION_OF_YOUR_BRDC/brdc1460.20n -l 45.803304,12.133697,100
The default option generates a 300sec (5 min) 'motion' file. This can be increased by using using the '-d' option. The last part is the location of your choosing (lat, long, altitude). This will run for 300 seconds and generate a 'gpssim.bin' file. **NOTE** the lat/long/alt should not contain any spaces, only commas.
Spoof location
To transmit your spoofed gps position using the hackrf use the follwing command:
$ hackrf_transfer -t ~/LOCATION_OF_YOUR_BIN_FILE/gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0
The motion file only simulates for a given period (-d), luckily hackrf_transfer can repeat the transmission with the '-R' switch!
$ hackrf_transfer -t ~/LOCATION_OF_YOUR_BIN_FILE/gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0 -R
Installing on Arch
You could build gps-sdr-sim from scratch (very quick, recommended), but I choose to use the binary provided by the 'blackarch' distro's repository.
Prerequisites
$ curl -O https://blackarch.org/strap.sh $ chmod +x strap.sh $ sudo ./strap.sh (installing the keyring step takes a few minutes) $ sudo pacman -Syyu (update pacman sources etc. although stap.sh already seems to take care of this) $ sudo pacman -S blackarch-radio (just install all the radio stuff (1Gb)) $ sudo modprobe hackrf (load the hackrf kernel module/driver) $ hackrf_info (see if you can see your hack rf one)
Example 1: Displacing a Tier E-Scooter
Disclaimer: tested in faraday cage, not in public
Workflow:
- Generate motion file for a position WITHIN the service area of TIER
- Transfer using HackRF
- Wait until you phone is displaced according to the simulated motion
- Open the TIER.app and Rent a scooter in your vicinity
- The moment you rent it the scooter will be displaced
- Immediately end the rental, the scooter will remain displaced and your money refunded
Observations
- You can only spoof location within the service area and current city.
* Although there is a GPS antenna in the scooter, only the user's phone GPS is used.
* The location is only updated by people renting it. Nope, its constantly updating
- Since it all happens on the user/client side, this opens up the possibility for software based location spoofing. For example using an Android phone (https://www.xda-developers.com/fake-android-location/ )
Caveats
Newer devices such as iPhone 10 can not be spoofed (yet). It seems they noy only us GPS (US) but also other posititioning systems on different frequencies: Galileo (EU), GLONASS (RU) (and BeidDou (CN)?). Vulnerable devices tested (no need to switch of wifi, gsm etc, works out of the box):
- iPhone 6, running iOS 12.4.4
- Samsung s10e, running Anroid 10
Not Vulnerable (also not with wifi disabled):
- iPhone SE (2nd gen)
- iPhone X
Improvements / Troubleshooting
- Calibrate your HackRF clock.
- Use external TCXO: https://forums.hak5.org/topic/38290-gps-simulator/ + https://www.nooelec.com/store/tiny-tcxo.html
- Combine with fake wifi access points from desired location geo-ap database such as WiGLE (https://api.wigle.net/) or here https://www.mylnikov.org/archives/1170