GPS Spoofing


Warning

Depending on the country you're in, it might be illegal to transmit on the GPS frequencies, so don’t …!

Prerequisites

GPS-SDR-SIM

Fetch and build https://github.com/osqzss/gps-sdr-sim

gcc gpssim.c -lm -O3 -o gps-sdr-sim -DUSER_MOTION_SIZE=10000

The USER_MOTION_SIZE parameter sets the number of samples for simulation files.

Fetch a GPS Broadcast Ephemeris File

The ephemeris file contains a list of the estimated positions of the GPS satellites.

The file can be fetched from cdis.nasa.gov. The page you reach contains a list of years, starting from 1992. The next page is a list of numbers starting from 001, representing a counter for the days in the year. The next level gives us a few different folders with different letters; frankly, I haven’t yet had a look at their exact meaning. A good friend tested the different files and recommended the files ending in n, i.e. brdc0530.21n.gz. Download and unpack the file :)

Generating the signal file

To generate the signal file we need the ephemeris file, passed by the -e brdc0530.21n parameter, the position we want to spoof via the -l 53.891883,8.686840 parameter (latitude and longitude as a single argument, with no space after the comma) and the date/time information via the -t 2021/02/22,13:37:11 parameter. The output file is set via -o 20210222_133711_gps.bin. As I’m currently on a HackRF, I also need to set the I/Q format to 8-bit using the -b 8 parameter and the sample rate to 2.6MHz with the -s 2600000 parameter.

./gps-sdr-sim -e brdc0530.21n -b 8 -s 2600000 -l 53.891883,8.686840 -t 2021/02/22,13:37:11 -o 20210222_133711_gps.bin
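The naming scheme behind the ephemeris file chosen above, as an added example (not from the original post or from the gps-sdr-sim project): it decodes a RINEX 2 short file name such as brdc0530.21n and checks that a timestamp in the -t format falls on the day the file covers. The function names are hypothetical; the ssssdddf.yyt layout, the type letters and the two-digit year rule follow the RINEX 2 naming convention.

```python
import re
from datetime import date, datetime, timedelta

# RINEX 2 short name: ssssdddf.yyt (site, day of year, file sequence, year, type)
_NAME = re.compile(r"^([a-z0-9]{4})(\d{3})([0-9a-x])\.(\d{2})([a-z])$", re.I)
# Type letters from the RINEX 2 naming convention (subset)
FILE_TYPES = {"n": "GPS navigation message",
              "g": "GLONASS navigation message",
              "o": "observation data"}

def parse_rinex2_name(name):
    """Decode a name such as 'brdc0530.21n' (an optional '.gz' is ignored)."""
    base = name[:-3] if name.lower().endswith(".gz") else name
    m = _NAME.match(base)
    if not m:
        raise ValueError(f"not a RINEX 2 short file name: {name!r}")
    site, doy, seq, yy, kind = m.groups()
    # Two-digit years: 80-99 mean 19xx, 00-79 mean 20xx
    year = (1900 if int(yy) >= 80 else 2000) + int(yy)
    day = date(year, 1, 1) + timedelta(days=int(doy) - 1)
    if int(doy) < 1 or day.year != year:
        raise ValueError(f"day {doy} does not exist in {year}")
    return {"site": site.lower(), "day": day, "sequence": seq,
            "type": FILE_TYPES.get(kind.lower(), "other")}

def brdc_name_for(timestamp):
    """Daily broadcast-ephemeris file name for a 'YYYY/MM/DD,hh:mm:ss' time."""
    t = datetime.strptime(timestamp, "%Y/%m/%d,%H:%M:%S")
    return f"brdc{t.timetuple().tm_yday:03d}0.{t.year % 100:02d}n"

def covers(name, timestamp):
    """True if the file's day matches the date part of the timestamp."""
    t = datetime.strptime(timestamp, "%Y/%m/%d,%H:%M:%S")
    return parse_rinex2_name(name)["day"] == t.date()

if __name__ == "__main__":
    # Values taken from the commands on this page
    info = parse_rinex2_name("brdc0530.21n.gz")
    print(info["day"], info["type"])
    print(brdc_name_for("2021/02/22,13:37:11"))
    print(covers("brdc0530.21n", "2021/02/22,13:37:11"))
```
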

Transmitting

To actually transmit the file with a HackRF, we need to use hackrf_transfer.

hackrf_transfer -t 20210222_133711_gps.bin -f 1575420000 -s 2600000 -a 0 -x 30

-t 20210222_133711_gps.bin selects the file, -f 1575420000 sets the frequency for GPS, and -s 2600000 sets the sample rate, which is the same as when generating the file. The last two parameters might come in handy during troubleshooting: -a enables or disables the RX/TX amplifier, and -x sets the TX VGA gain and accepts values between 0dB and 47dB.

Choosing an Antenna

GPS runs at 1575.42MHz and thus has a wavelength of 190.42mm or 19.04cm. Thus we need an antenna somewhere around that length or half of it. As we’re not aiming at broadcasting over long distances, the antenna doesn’t have to be perfect, but this explicit setup seems very fragile on the transmission side. WiFi antennas are too far off and won’t work properly, but GSM antennas for something between 800MHz and 900MHz do a pretty good job.

My Setup Doesn’t Work

Mine doesn’t either! :P At least not always. GPS antennas are very sensitive and GPS signals very weak. Thus it’s especially hard to hit the correct transmission power and distance to the receiver. I regularly run into an issue where two satellites are visible, then two others, and I just can’t get a lock…

When your setup doesn’t work, vary the distance between sender and receiver and try to play with the transmission settings on the SDR. Also, lock out real GPS signals as well as possible.