then
/
gps_spoofing
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
How to fool your GPS enabled devices using Software Defined Radio, in this case using the HackRF One.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
46 KiB
Tree: ad89383ea5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ad89383ea5'
${ noResults }
gps_spoofing/README.md

2.4 KiB
Raw Blame History

gps_spoofing

How to fool your GPS enabled devices using Software Defined Radio, in this case using the HackRF One. This guide is written for Arch linux. But should be relatively consistent with other platforms.

installing

you could build gps-sdr-sim from scratch, but I choose to use the binary provided by the 'blackarch' distro's repository.

Prerequisits

 $ curl -O https://blackarch.org/strap.sh  
 $ chmod +x strap.sh
 $ sudo ./strap.sh (installing the keyring step takes a few minutes)
 $ sudo pacman -Syyu (update pacman sources etc. although stap.sh already seems to take care of this)
 $ sudo pacman -S blackarch-radio (just install all the radio stuff (1Gb))
 $ sudo modprobe hackrf (load the hackrf kernel module/driver)
 $ hackrf_info  (see if you can see your hack rf one)

Download the latest brdc file from here: ftp://cddis.gsfc.nasa.gov/gnss/data/daily (for example: ftp://cddis.gsfc.nasa.gov/gnss/data/daily/2020/brdc/brdc1460.20g.Z)

Extract the compressed file in a place you will remember

Generate simulated motion file

Generate binary file to be transmitted by hackrf:

 $ gps-sdr-sim -b 8 -e ~/LOCATION_OF_YOUR_BRDC/brdc1460.20n -l 45.803304,12.133697,100

The default option generates a 300sec (5 min) 'motion' file. This can be increased by using using the '-d' option. The last part is the location of your choosing (lat, long, altitude). This will run for 300 seconds and generate a 'gpssim.bin' file. NOTE the lat/long/alt should not contain any spaces, only commas.

Spoof location

To transmit your spoofed gps position using the hackrf use the follwing command:

 $ hackrf_transfer -t ~/LOCATION_OF_YOUR_BIN_FILE/gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0

The motion file only simulates for a given period (-d), luckily hackrf_transfer can repeat the transmission with the '-R' switch! (see: https://www.blackhat.com/docs/eu-15/materials/eu-15-Kang-Is-Your-Timespace-Safe-Time-And-Position-Spoofing-Opensourcely-wp.pdf)

Enjoy!

Test results

Vulnurable devices tested (no need to switch of wifi, gsm etc, works out of the box):

  • iPhone 6, running iOS 12.4.4
  • Samsung s10e, running Anroid 10

Improvements

Combine with fake wifi access points from desired location geo-ap database such as WiGLE (https://api.wigle.net/) or here https://www.mylnikov.org/archives/1170