Jump to content

GPS Simulator


Recommended Posts

So, besides tricking the Sea Shadow from 007 Tomorrow Never Dies to sail into Chinese waters to obtain broadcasting rights in China... Has anyone else tried spoofing a GPS reserver? (BTW Mil GPS sats and receivers use encryption which makes it a bit tricky to spoof, they can downgrade to a non encrypted link just in case you where woundering.)

https://github.com/osqzss/gps-sdr-sim

Currently I'm failing at this TBH. I'm using the Hackrf as my SDR platform and after doing some research I found that the oscillator has a torrence of 20 PPM. This means while I'm transmitting at 1.57542Ghz my frequency deviates +- 31508.4Hz. This makes it a bit tricky finding the sweet spot to transmit on. I found that others had success with the Hackrf when they added an external oscillator to set the timing to at least 1 PPM. While I wait for my oscillator to come in the mail I wanted to know if anyone else tried doing this.

-=Disclaimer=-

Don't be a jerk and keep it legal. Use a dead load or create a close circuit to prevent interfering with other's GPS receivers.

Edited by NotPike
Link to comment
Share on other sites

  • 2 weeks later...

-=UPDATE=-

Success! I'm now a Bond villain!

So here's what I did. I bought myself an external oscillator from Ebay (link below) that advertised 0.5 PPM. No idea if it's actually 0.5 PPM but I'll find out latter when a buddy of mine lends me his frequency counter.  This board attaches to the P22 GPIO header on the Hackrf making it act as the external clock. You can check the external clock by running...

hackrf_si5351c -n 0 -r

If it works, it will return "[ 0] -> 0x01"

If no external clock is detected, it will return "[ 0] -> 0x51"

20160525_024831_zpszvtoyo3a.jpg

 

To generate the signal file, I used a bit rate of 8 and download an updated GPS broadcast ephemeris file(brdc1280.16n). You can download these files here.

./gps-sdr-sim -b 8 -e brdc1280.16n -l 40.712800,-74.005900,100

To transmit.

sudo hackrf_transfer -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0

 

Being a good "citizen" I made a closed circuit with an USRP1 to use as my GPS receiver. I'm also using 51db worth of attenuator's to keep the load from braking the USRP1.

 

Ebay TCXO clock PPM 0.1-PPM 0.5 for hackrf one

Edited by NotPike
  • Upvote 2
Link to comment
Share on other sites

Guest Josef K

This is really cool!  GPS spoofing is high on my to-do list for some time now.  Replay is not very difficult, but synthesizing a GPS signal is.  I have seen the DefCon23 presentation by Lin Huang and Qing Yang about GPS spoofing, but to be honest, I didn't understand it very well.

I was not aware of this tool.  However, I don't have a HackRF but a Rad1o, the CCC summer camp badge, that is essentially a HackRF clone.  The Rad1o does not support a clock input, so I cannot connect the TCXO.

Have you considered using Kalibrate-hackrf before you bought the TCXO?

-Paul.

Link to comment
Share on other sites

TBH I learned about finding your offset using Kal or comparing your signal to a known source after I bought the oscillator lol. (I'm dumb some times). I got it anyway just to save myself the trouble in the future. The original writer of the GPS-SDR-SIM software stated that it can be done with out the TCXO. I'll give it a try again and see if I can do this with out the extra oscillator. :)

Link to comment
Share on other sites

  • 3 months later...
  • 1 month later...

Here we go. I have been meaning to make this post for a while now. I have parts needed and worked through some bumps to get this working. It keeps it pretty localized, approximately 15 foot range with line of sight.

WARNING! MAY BE ILLEGAL IN YOUR AREA. Check all regulations that apply to you. I am not responsible for your actions. Don't be that guy/gal, keep it in safe test environments.

Software:

Linux SDR distribution. I use Kali and installed the SDR tools.

apt update && apt upgrade -y && apt dist-upgrade -y && apt install kali-linux-sdr

https://github.com/osqzss/gps-sdr-sim

http://www.labsat.co.uk/index.php/en/free-gps-nmea-simulator-software

Hardware:

1x HackRF One https://hakshop.com/collections/wireless-gear/products/hackrf?variant=701314117

1x Board design https://github.com/osqzss/gps-sdr-sim/tree/master/extclk

1x TCXO http://www.digikey.com/product-detail/en/FOX924B-10.000/631-1067-1-ND/1024772

1x Ceramic Capacitor http://www.digikey.com/product-detail/en/murata-electronics-north-america/GRM219R61A105KA01D/490-5760-1-ND/2771955

1x Header Pins http://www.digikey.com/product-detail/en/amphenol-fci/67997-412HLF/609-3244-ND/1878517

1x Passive Antenna for GPS http://www.digikey.com/product-search/en?keywords=TS.07.0113

1x 30 db RF attenuator. I purchased one off ebay. Specs: SMA male - SMA Female, 30 dB, 50 Ohm, 2W max power, DC to 6 GHz

Soldering Iron, Flux, Solder, etc.

Getting it working:

Construct the board using the pictures from the github as a reference: https://github.com/osqzss/gps-sdr-sim/blob/master/extclk/hackrf_tcxo.jpg

Connect your RF attenuator and GPS antenna to the HackRF.

After you have checked all your solder joints for the external clock, see if the hackRF will detect the clock via https://github.com/mossmann/hackrf/wiki/HackRF-One

Quote

External Clock Interface (CLKIN and CLKOUT)

HackRF One produces a 10 MHz clock signal on CLKOUT. The signal is a 10 MHz square wave from 0 V to 3 V intended for a high impedance load.

The CLKIN port on HackRF One is a high impedance input that expects a 0 V to 3 V square wave at 10 MHz. Do not exceed 3.3 V or drop below 0 V on this input. Do not connect a clock signal at a frequency other than 10 MHz (unless you modify the firmware to support this). You may directly connect the CLKOUT port of one HackRF One to the CLKIN port of another HackRF One.

HackRF One uses CLKIN instead of the internal crystal when a clock signal is detected on CLKIN. The switch to or from CLKIN only happens when a transmit or receive operation begins.

To verify that a signal has been detected on CLKIN, use hackrf_si5351c -n 0 -r. The expected output with a clock detected is [ 0] -> 0x01. The expected output with no clock detected is [ 0] -> 0x51.

Git clone https://github.com/osqzss/gps-sdr-sim and follow the instructions to compile.

Go into the satgen directory and run make as well.

Download a brdc*.*n.Z from ftp://cddis.gsfc.nasa.gov/gnss/data/daily/2016/brdc/ and unzip the file.

In order to get this working with the HackRF, you need to use the -b flag with a value of 8. Here is a modified example from the github page:

./gps-sdr-sim -b 8 -e brdc3540.14n -l 37.808880,-122.410167,216 -o StaticLocation.bin

This runs the program using -b 8 for the HackRF, -e for the historic GPS ephemeris data (This cannot do current day, but yesterday's compiled file should work. Read up more on that if you are interested.), -l for gps location and the last number is the altitude in meters, -o for output.bin file. The max duration for gps-sdr-sim is 300 seconds. If you use the default/max 300 seconds, it will generate a ~1.5 GB output.bin file. Keep this in mind if you are saving multiple locations. If you forget to use the -o option, it will create gpssim.bin.

From there you can broadcast that .bin file with HackRF using the following command:

hackrf_transfer -f 1575420000 -s 2600000 -a 1 -x 0 -R -t OutputFile.bin

Use hackrf_tansfer -h to know what all the options do.

You may notice that your phone will not accept the GPS broadcast. The first thing to do is enable "Device Only" GPS mode. Do not use High Accuracy. I also had to use an app (GPS Status) in order to clear my A-GPS cache. Then I use a different app (GPS Test) in order to see if my phone gets a GPS lock. I usually leave the phone in airplane mode with WiFi turned off in order for GPS Status to clear the cache and not auto-download A-GPS data. Then I will run GPS Test and wait for a lock before turning on WiFi.

Garmin GPS units and similarly other devices shouldn't have an issue detecting your GPS signals.

Creating Paths:

You can create a path using Google Earth and saving out the path into a KML. Using that SatGen program, you can load the KML and it will show you some options you can manipulate, and also a crude picture of your path.

satgen.JPG

You can manipulate some of the options to your liking and hit the preview button to have it refresh and show your new speed graph. When you are happy, click "Generate NMEA" and save that file.

Move that file over to the gps-sim-sdr/satgen directory and run the program which you should have compiled earlier to convert the NMEA to a user motion file for gps-sdr-sim.

./nmea2um 
Usage: nmea2um <nmea_gga> <user_motion>

Once you have your user motion file created. You can use that in the gps-sdr-sim using the -u option.

./gps-sdr-sim -b 8 -e brdc2980.16n -u Hak5_Usermotion -o Hak5example.bin

Notice the total time at the bottom of the SatGen program 111.40 seconds. You will need to keep it under 300 seconds to work with gps-sdr-sim. You can modify gps-sdr-sim to increase the max number of seconds by editing USER_MOTION_SIZE in gpssim.h and then recompile with gcc. Use caution as this will allow you to create very large files. The default of 300 seconds caps approximately 1.5 GB.

From there it's a matter of transmitting the .bin file like before.

hackrf_transfer -f 1575420000 -s 2600000 -a 1 -x 0 -R -t Hak5example.bin

Cheers!

 

http://mr-protocol.blogspot.com/2016/11/hackrf-one-gps-simulation.html

  • Upvote 1
Link to comment
Share on other sites

  • 1 month later...
On 5/25/2016 at 6:36 AM, NotPike said:

 

To generate the signal file, I used a bit rate of 8 and download an updated GPS broadcast ephemeris file(brdc1280.16n). You can download these files here.


./gps-sdr-sim -b 8 -e brdc1280.16n -l 40.712800,-74.005900,100

 

I was playing with the same git repo, was hoping you could explain to me what the broadcast ephemeris is exactly.. i am using the one that came with the repo, brdc3540.14n with pretty good success.. whats the difference with the file you are using, why did you use it and what is its purpose.. sorry im a nube jamesbond villian.. p.s. im using a bladeRFx40

Onus

Link to comment
Share on other sites

The ephemeris data I pulled down is more recent. the brdc files are technically "past" data of the location of the satellites. Here is some more info on the file:

https://cddis.nasa.gov/Data_and_Derived_Products/GNSS/broadcast_ephemeris_data.html

The files are re-generated daily. My brother's iPhone thought the date was October instead of December. Played hell on his certs and basically made it unable to do much. Thought it was pretty funny, so just make sure you use this all in a test environment.

Also, since you have a BladRF, you may want to check out this github: https://github.com/osqzss/bladeGPS

Quote

Very crude experimental implimentation of gps-sdr-sim for real-time signal generation. The code works with bladeRF and has been tested on Windows only.

 

  • Upvote 1
Link to comment
Share on other sites

  • 5 years later...
On 5/25/2016 at 12:36 PM, NotPike said:

-=UPDATE=-

Success! I'm now a Bond villain!

So here's what I did. I bought myself an external oscillator from Ebay (link below) that advertised 0.5 PPM. No idea if it's actually 0.5 PPM but I'll find out latter when a buddy of mine lends me his frequency counter.  This board attaches to the P22 GPIO header on the Hackrf making it act as the external clock. You can check the external clock by running...

hackrf_si5351c -n 0 -r

If it works, it will return "[ 0] -> 0x01"

If no external clock is detected, it will return "[ 0] -> 0x51"

http://i446.photobucket.com/albums/qq190/e1000basetx/20160525_024831_zpszvtoyo3a.jpg

 

To generate the signal file, I used a bit rate of 8 and download an updated GPS broadcast ephemeris file(brdc1280.16n). You can download these files here.

./gps-sdr-sim -b 8 -e brdc1280.16n -l 40.712800,-74.005900,100

To transmit.

sudo hackrf_transfer -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0

 

Being a good "citizen" I made a closed circuit with an USRP1 to use as my GPS receiver. I'm also using 51db worth of attenuator's to keep the load from braking the USRP1.

 

Ebay TCXO clock PPM 0.1-PPM 0.5 for hackrf one

Hi

On my HackRF software I don't have the following command hackrf_si5351c. When use hackrf_debug --s15351c -n 0 -r the return value is 0x50 and not 0x01. 

Thanks

Link to comment
Share on other sites

  • 1 year later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...