Spoofing GPS With an SDR

What You’ll Need

  • A HackRF, LimeSDR, BladeRF, or PlutoSDR. These SDRs can transmit.
  • If using a HackRF, make sure you have a TCXO (Temperature Compensated Crystal Oscillator).
  • A Linux VM or Host.

Note: Both flags on this project can be found without using an SDR, but without an SDR with transmit abilities, you cannot actually spoof GPS.

Note 2: Only spoof GPS in safe environments far away from roadways, boats, and aircraft which may be dependent on functioning GPS systems. Interfering with navigational systems is a serious (and very fun) crime with hefty penalties.

Getting The Software

To start, make sure you have all of the necessary dependencies installed. This includes the packages for your SDR as well as GNU Radio. I am running on Arch with a HackRF, so the packages I installed are the following:

sudo pacman -S base-devel hackrf gnuradio gnuradio-osmosdr

Now, we’re going to download gps-sdr-sim from github. The project can be found here: https://github.com/osqzss/gps-sdr-sim

mkdir gps-spoof
cd gps-spoof
git clone https://github.com/osqzss/gps-sdr-sim.git
cd gps-sdr-sim

Although this project uses GNU Radio, it also has components written in C. Therefore, we’ll need to compile it.

make

There should be a gps-sdr-sim binary in the directory.

Getting the Daily GPS Broadcast Ephemeris File

Before spoofing GPS satellites, the software needs to know where the GPS satellites should be. NASA keeps track of all GPS (and GLONASS) satellite orbits in daily RINEX navigation files.

Download the most recent navigation files from here: https://cddis.nasa.gov/archive/gnss/data/daily/

Note: Registration is free, but required.

Click on the current year.

The next page lists the days of the year starting from 1. Select the largest number. This is the current day.

Select the directory named ##n, where ## is the two-digit year (for example 21n for 2021). This directory holds the GPS navigation files.

Now, find the latest file starting with “brdc” and download it into the gps-sdr-sim directory.

Screenshot showing an example file to download.

Expand the downloaded RINEX navigation file.

gunzip brdc<VARIES>n.gz

Flag 1

Run more on the RINEX navigation file you downloaded to view the top of the file. The flag is covered in green.

more brdc<VARIES>n
The flag is covered by the green box. It’s at the top of the file downloaded.
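The RINEX navigation file you just opened with more has a fixed-column layout: each header line carries its content in columns 1 to 60 and a label in columns 61 to 80, and every ephemeris record after END OF HEADER is eight lines of Fortran D19.12 fields. The parser below is an added example (not part of gps-sdr-sim or the original write-up) that reads the header and the first satellite record of a RINEX 2.11 GPS navigation file. The SAMPLE_NAV text it runs on is constructed to match that layout and is not a real broadcast file; the orbit values in it are made up.

```python
"""Parse the header and first ephemeris record of a RINEX 2.11 GPS navigation
file (the brdcDDD0.YYn files served by NASA CDDIS).

Added example, not code from gps-sdr-sim. SAMPLE_NAV below is constructed for
testing and contains no real satellite data.
"""
import re

LABEL_COL = 60   # header lines: columns 1-60 content, 61-80 label
FIELD_W = 19     # ephemeris values are Fortran D19.12 fields

# Order of the 26 orbit parameters in broadcast orbit lines 1-7 (RINEX 2.11)
ORBIT_KEYS = [
    "iode", "crs", "delta_n", "m0", "cuc", "e", "cus", "sqrt_a",
    "toe", "cic", "omega0", "cis", "i0", "crc", "omega", "omega_dot",
    "idot", "codes_l2", "gps_week", "l2p_flag", "sv_accuracy", "sv_health",
    "tgd", "iodc", "transmission_time", "fit_interval",
]


def fortran_float(text):
    """Convert a Fortran-style number such as ' 0.1118D-07' to a Python float."""
    return float(text.strip().replace("D", "E").replace("d", "e"))


def parse_header(lines):
    """Return (header_dict, index of the first line after END OF HEADER)."""
    hdr = {"comments": []}
    for i, line in enumerate(lines):
        content, label = line[:LABEL_COL], line[LABEL_COL:].strip()
        if label == "RINEX VERSION / TYPE":
            hdr["version"] = float(content[:9])
            hdr["file_type"] = content[20]          # 'N' = GPS navigation data
        elif label == "PGM / RUN BY / DATE":
            hdr["program"] = content[:20].strip()
            hdr["run_by"] = content[20:40].strip()
            hdr["date"] = content[40:60].strip()
        elif label == "COMMENT":
            hdr["comments"].append(content.rstrip())
        elif label in ("ION ALPHA", "ION BETA"):   # ionosphere model, 4 x D12.4
            nums = re.findall(r"[-+]?\d\.\d+D[-+]\d\d", content)
            hdr[label.lower().replace(" ", "_")] = [fortran_float(n) for n in nums]
        elif label == "LEAP SECONDS":
            hdr["leap_seconds"] = int(content[:6])
        elif label == "END OF HEADER":
            return hdr, i + 1
    raise ValueError("no END OF HEADER line found")


def parse_record(lines, start):
    """Parse one 8-line GPS ephemeris record beginning at lines[start]."""
    first = lines[start]
    rec = {
        "prn": int(first[0:2]),
        # two-digit year, month, day, hour, minute, second
        "epoch": (int(first[2:5]), int(first[5:8]), int(first[8:11]),
                  int(first[11:14]), int(first[14:17]), float(first[17:22])),
        "clock_bias": fortran_float(first[22:41]),
        "clock_drift": fortran_float(first[41:60]),
        "clock_drift_rate": fortran_float(first[60:79]),
    }
    values = []
    for line in lines[start + 1:start + 8]:      # seven broadcast orbit lines
        for k in range(4):
            field = line[3 + k * FIELD_W:3 + (k + 1) * FIELD_W]
            if field.strip():                     # spare fields may be blank
                values.append(fortran_float(field))
    rec["orbit"] = dict(zip(ORBIT_KEYS, values))
    return rec


def parse_rinex_nav(text):
    """Return (header, first_record) for the RINEX navigation text given."""
    lines = text.splitlines()
    hdr, start = parse_header(lines)
    return hdr, parse_record(lines, start)


# ---- constructed sample file (not real broadcast data) ---------------------
def _hline(content, label):
    return f"{content:<60}{label}"


def _d19(v):
    # D19.12 style field; float() reads the 1.x mantissa form the same as 0.x
    return f"{v:19.12E}".replace("E", "D")


SAMPLE_NAV = "\n".join([
    _hline(f"{'2.11':>9}{'':11}N: GPS NAV DATA", "RINEX VERSION / TYPE"),
    _hline(f"{'CCRINEXN V1.6.0 UX':<20}{'CDDIS':<20}{'15-AUG-21 00:43':<20}",
           "PGM / RUN BY / DATE"),
    _hline("CONSTRUCTED SAMPLE FOR TESTING - NOT A REAL BROADCAST FILE", "COMMENT"),
    _hline("    0.1118D-07  0.0000D+00 -0.5960D-07  0.0000D+00", "ION ALPHA"),
    _hline("    0.9011D+05  0.0000D+00 -0.1966D+06  0.0000D+00", "ION BETA"),
    _hline("    18", "LEAP SECONDS"),
    _hline("", "END OF HEADER"),
    # PRN 1, epoch 2021-08-14 00:00:00.0, then clock bias / drift / drift rate
    f"{1:2d}{21:3d}{8:3d}{14:3d}{0:3d}{0:3d}{0.0:5.1f}"
    + _d19(-1.52573734522e-4) + _d19(-9.09494701773e-13) + _d19(0.0),
    "   " + _d19(66.0) + _d19(22.15625) + _d19(4.52768860478e-9) + _d19(1.51134627536),
    "   " + _d19(1.2e-6) + _d19(0.0117) + _d19(7.5e-6) + _d19(5153.6),
    "   " + _d19(518400.0) + _d19(0.0) + _d19(-0.62) + _d19(0.0),
    "   " + _d19(0.97) + _d19(200.0) + _d19(0.8) + _d19(-8.0e-9),
    "   " + _d19(0.0) + _d19(1.0) + _d19(2171.0) + _d19(0.0),
    "   " + _d19(2.0) + _d19(0.0) + _d19(5.6e-9) + _d19(66.0),
    "   " + _d19(511200.0) + _d19(4.0),            # spare fields left blank
])

if __name__ == "__main__":
    header, record = parse_rinex_nav(SAMPLE_NAV)
    print(header)
    print("PRN", record["prn"], "Toe", record["orbit"]["toe"], "week", record["orbit"]["gps_week"])
```

To run it on a real download, replace SAMPLE_NAV with open("brdc2260.21n").read(); the D-exponent conversion in fortran_float is the step most ad-hoc scripts forget, since Python's float() does not accept "0.1118D-07".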

Generating Raw IQ Data to Transmit

Go to Google Maps (https://maps.google.com/) and find a place you would like to trick a GPS device into believing it is. Right click to find the coordinates. For this example, I’ll use the latitude and longitude for Nashville, Tennessee: 36.16598363988784, -86.78167782570753.

Right clicking on Google Maps gives the coordinates for any location.

Now run the following command. Replace <RINEX_FILE> with the name of the brdc*n file you downloaded, and replace <COORDS> with the coordinates you wish to use. The -b 8 flag selects 8-bit I/Q samples, and the trailing ,100 after the coordinates is the height in meters.

./gps-sdr-sim -e <RINEX_FILE> -b 8 -l <COORDS>,100

So, let’s say I downloaded “brdc2260.21n” and wanted to spoof my location to be in Nashville, I would type the following:

./gps-sdr-sim -e brdc2260.21n -b 8 -l 36.16598363988784,-86.78167782570753,100

The program will run for a while, and output a 1.5 gigabyte file named gpssim.bin in the directory.
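The 1.5 gigabyte figure follows from the file layout: gps-sdr-sim writes interleaved I,Q pairs, one signed byte each with -b 8, at its 2.6 MHz sample rate (the same rate the transmit commands use), so every second of spoofed signal costs 5.2 megabytes and the default 300 second run comes to about 1.56 GB. The script below is an added example, not part of gps-sdr-sim, that turns a gpssim.bin file size back into a duration and checks the samples for clipping before anything is sent to a radio. It assumes little-endian signed 8- or 16-bit interleaved I/Q, and the capture it inspects by default is a constructed pure tone written to a temporary file, not a real GPS signal.

```python
"""Inspect a gps-sdr-sim style raw I/Q capture (gpssim.bin) with no SDR attached.

Added example, not part of gps-sdr-sim. Assumed layout: interleaved I,Q pairs,
little-endian signed 8-bit (-b 8) or 16-bit (-b 16) integers.
"""
import array
import math
import os
import sys
import tempfile

SAMPLE_RATE_HZ = 2_600_000   # gps-sdr-sim rate, matching '-s 2600000' on transmit


def expected_file_size(duration_s, bits=8, sample_rate=SAMPLE_RATE_HZ):
    """Bytes written for duration_s seconds: two components per complex sample."""
    return int(duration_s * sample_rate * 2 * (bits // 8))


def capture_duration(size_bytes, bits=8, sample_rate=SAMPLE_RATE_HZ):
    """Seconds of signal contained in a file of size_bytes bytes."""
    return size_bytes / (sample_rate * 2 * (bits // 8))


def inspect_iq(path, bits=8, sample_rate=SAMPLE_RATE_HZ, max_samples=1_000_000):
    """Duration, peak level, RMS and fraction of full-scale (clipped) samples.

    Only the first max_samples complex samples are read, so the call stays
    cheap even on a multi-gigabyte capture.
    """
    typecode = "b" if bits == 8 else "h"
    full_scale = (1 << (bits - 1)) - 1          # 127 for 8-bit, 32767 for 16-bit
    size = os.path.getsize(path)
    buf = array.array(typecode)
    with open(path, "rb") as f:
        buf.frombytes(f.read(max_samples * 2 * (bits // 8)))
    if sys.byteorder != "little":               # file is little-endian
        buf.byteswap()
    i_vals, q_vals = buf[0::2], buf[1::2]
    n = min(len(i_vals), len(q_vals))
    pairs = list(zip(i_vals, q_vals))[:n]
    peak = max(max(abs(a), abs(b)) for a, b in pairs)
    rms = math.sqrt(sum(a * a + b * b for a, b in pairs) / n)
    clipped = sum(1 for a, b in pairs
                  if abs(a) >= full_scale or abs(b) >= full_scale) / n
    return {
        "duration_s": capture_duration(size, bits, sample_rate),
        "samples": size // (2 * (bits // 8)),
        "peak": peak,
        "rms": rms,
        "clipped_fraction": clipped,
    }


def write_constructed_capture(path=None, n_samples=26_000, amplitude=100, tone_hz=1000.0):
    """Write a constructed 8-bit capture of a pure complex tone (not GPS data).

    26,000 samples at 2.6 MHz is 10 ms of signal; amplitude 100 of 127 leaves
    headroom so nothing clips.
    """
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".bin")
        os.close(fd)
    samples = array.array("b")
    for k in range(n_samples):
        phase = 2 * math.pi * tone_hz * k / SAMPLE_RATE_HZ
        samples.append(int(round(amplitude * math.cos(phase))))   # I
        samples.append(int(round(amplitude * math.sin(phase))))   # Q
    with open(path, "wb") as f:
        samples.tofile(f)
    return path


if __name__ == "__main__":
    print(f"300 s at 8 bits: {expected_file_size(300):,} bytes")
    capture = write_constructed_capture()
    print(inspect_iq(capture))
```

Pointing inspect_iq at a real gpssim.bin is the quick sanity check that the bit depth you pass to the player matches what the file contains: reading an 8-bit file as 16-bit halves the reported duration and produces nonsense peak and RMS values.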

Flag 2

The program will output text while running. The flag is the third word printed. It’s under the green box in the screenshot.

The second flag is under the green box.

Broadcasting the Spoofed GPS Data

Hook up a broadcast antenna suited for 1575.42 megahertz. If using a dipole antenna, each leg should be 45.27 millimeters in length. Then use the appropriate software to send the gpssim.bin raw IQ data to the SDR.

HackRF users can use the following command:

hackrf_transfer -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0

LimeSDR users can use the following command. The -s (sample rate) and -b (bits per sample) options must match the file being played, so for the 8-bit, 2.6 MHz gpssim.bin generated above:

limeplayer -s 2600000 -b 8 -d 2047 -g 0.1 < gpssim.bin

BladeRF users can use the following commands written to bladerf.script:

set frequency 1575.42M
set samplerate 2.6M
set bandwidth 2.5M
set txvga1 -25
cal lms
cal dc tx
tx config file=gpssim.bin format=bin
tx start

Then run…

bladeRF-cli -s bladerf.script

PlutoSDR users can run the following command (network configuration for frequency, etc… may be necessary):

plutoplayer -t gpssim.bin

Tips for Spoofing GPS on Phones

Open up your favorite mapping application and put your phone into airplane mode. It may take a minute or two for your phone to sync up with the spoofed GPS signal. Turn Wi-Fi back on, but try to keep cellular turned off, because cell towers sync up with navigational satellites as well.

References

The gps-sdr-sim Github Page: https://github.com/osqzss/gps-sdr-sim

NASA CDDIS Broadcast Ephemeris Data Page: https://cddis.nasa.gov/Data_and_Derived_Products/GNSS/broadcast_ephemeris_data.html

Fake GPS With a HackRF One: https://slowmin.com/fake-gps-with-a-hackrf-one/