We Declare The Grandmaster Of Pokemon Go GPS Cheats

Since Pokemon Go blew up the world a couple of weeks ago we’ve been trying to catch ’em all. Not the Pokemon; we’ve been trying to collect all the hardware hacks, and in particular the most complete GPS spoofing hack. We are now ready to declare the first Grandmaster GPS spoofing hack for Pokemon Go. It broadcasts fake GPS signals to your phone allowing the player to “walk around” the real world using a gaming joystick.

Just about everything about this looks right to us. They’re transmitting radio signals and are doing the responsible thing by using an RF shield box that includes a GPS antenna. Hardware setup means popping the phone inside and hooking up the signal generator and GPS evaluation hardware. Google Earth then becomes the navigation interface — a joystick allows for live player movements, coordinates are converted to GPS signals which are transmitted inside of the box.

Now, we did say “just about right”. First off, that RF shielding box isn’t going to stop your fake GPS signals when you leave the lid open (done so they can get at the phone’s touchscreen). That can probably be forgiven for the prototype version, but it’s that accelerometer data that is a bigger question mark.

When we looked at the previous SDR-based RF spoofing and the Xcode GPS cheats for Pokemon Go there were a number of people leaving comments that Niantic, the devs responsible for Pokemon Go, will eventually realize you’re cheating because accelerometer data doesn’t match up to the amount of GPS movement going on. What do you think? Is this app sophisticated enough to pick up on this type of RF hacking?
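The detection idea raised in that question, as an added example that is not Niantic's code or anything from the hack described here: a server-side plausibility check comparing the ground speed implied by successive GPS fixes with how much the accelerometer actually moved over the same window. The fixes, accelerometer samples and thresholds are constructed assumptions; the thresholds are deliberately loose because phone sensors are noisy, and a window with no usable sensor data is reported rather than judged.

```python
import math
from statistics import pstdev

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius for the haversine formula

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def gps_speed_mps(fixes):
    """Mean ground speed over a window of (t_seconds, lat, lon) fixes."""
    if len(fixes) < 2:
        return 0.0
    dist = sum(haversine_m(a[1], a[2], b[1], b[2]) for a, b in zip(fixes, fixes[1:]))
    dt = fixes[-1][0] - fixes[0][0]
    return dist / dt if dt > 0 else 0.0

def accel_activity(samples):
    """Spread of |a| (m/s^2); the magnitude cancels gravity and orientation. None = no usable data."""
    if len(samples) < 3:
        return None
    return pstdev([math.sqrt(x * x + y * y + z * z) for x, y, z in samples])

def assess(fixes, samples, walk_speed=1.0, still_spread=0.3, max_speed=50.0):
    """Verdict for one window; thresholds are loose on purpose (noisy phone sensors)."""
    speed = gps_speed_mps(fixes)
    if speed > max_speed:
        return "implausible_speed"  # long-distance jump: no accelerometer needed
    activity = accel_activity(samples)
    if activity is None:
        return "no_accel_data"  # phone without a working sensor: cannot judge
    if speed > walk_speed and activity < still_spread:
        return "suspicious"  # "walking" on GPS while the phone lies still on a desk
    return "consistent"

# Constructed data: ~14 m northward every 10 s (about 1.4 m/s), plus a 5.6 km jump.
WALK_FIXES = [(0, 40.000000, -74.0), (10, 40.000126, -74.0),
              (20, 40.000252, -74.0), (30, 40.000378, -74.0)]
JUMP_FIXES = [(0, 40.0, -74.0), (30, 40.05, -74.0)]
PHONE_ON_DESK = [(0.02, -0.01, 9.81), (0.01, 0.00, 9.80), (-0.01, 0.02, 9.81),
                 (0.00, 0.01, 9.82), (0.02, 0.00, 9.80)]
PHONE_IN_POCKET = [(0.5, 1.2, 11.4), (-0.8, 0.3, 8.1), (1.1, -0.6, 10.2),
                   (-0.4, 0.9, 9.0), (0.7, -1.1, 12.3)]

if __name__ == "__main__":
    print(assess(WALK_FIXES, PHONE_ON_DESK), assess(WALK_FIXES, PHONE_IN_POCKET))
```

A real deployment would have to tune the thresholds per device model and tolerate the workarounds commenters mention (vibration motors, a phone riding on a washing machine), so this is a signal to correlate with others, not proof on its own.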

[via /r/electronics]

47 thoughts on “We Declare The Grandmaster Of Pokemon Go GPS Cheats”

      1. I wonder if the NSA would freak out seeing a cell phone GPS location report in from inside White Sands, or any other “Sensitive” area. Seems like a way to get yourself on one of those lists that “doesn’t exist”.

1. Yeah, I wouldn’t try this.

IMHO the real question is: Why did the guys that wrote the game put Pokemons in Area51 and other forbidden areas? To annoy people (“there are Pokemons you will never be able to catch”), to identify people that have legal access to these areas, to provoke people trying to enter these areas, …??

  1. Very impressive hack.

    Re: Accelerometer data – very unlikely.

    There are thousands of different variants of android devices, all with crappy sensors. It was long ago realized with Ingress that relying on sensor data to complement your location is an almost impossible task. Far too much dirty data.

    Also keep in mind that the game also works on iOS, where sensor/hardware data access is a lot more limited.

    Furthermore how many people can do this? It’d be silly to put any effort into trying to stop people from doing RF based GPS spoofing when there are far, far more simpler ways to spoof your location via software that need attention first.

    1. I do wonder if it would work well enough to see “player is moving according to GPS” yet “accelerometer is reporting no change at all”. If they detect your phone is just sitting on a desk but you’re strolling around New York City on GPS then there could be a clue.

      1. But then a trivial workaround would be to add a couple vibration motors to the box… or turn on the phone’s vibe motor… or just put the whole thing on a running washer/dryer.

1. My phone for example doesn’t have a gyro, so if they try to take the data from it, what would happen? Or maybe the accelerometer is broken yet the rest of the phone still works?

  2. Back before the whole thing was shut down, I played online poker quite a bit. The lengths to which those sites went to quell cheating (mostly through collision detection and trying to prevent robot players) were legendary. That made sense because real money was at stake.

    Pokéman Go? Not so much. Niantic’s sole motivation would be to prevent cheaters from griefing regular players.

    1. I got chatting to a pro online poker player on holiday last year, he was telling me it’s fairly common to have representatives from poker sites come and sit with a player to prove they can play as well as their stats suggest they can.

    1. I disagree. This is a great “gateway drug” to learning about using RF lab hardware. The point isn’t to cheat at Pokemon, the point is to apply technology in a different way and learn something while you’re at it. That’s why I love this hack.

      That said, yes, doing this in software can accomplish the same feat of learning something.

3. A joystick is nice, but I think it is easier to use the mouse. Last week I wrote a small hack for this: a NodeJS server, which serves a Google Maps webpage and when you click on it, the NodeJS server program prints the latitude and longitude on stdout. You can still zoom and pan the map, so you can really do some long distance jumps :-) Then I hacked the gps-sdr-sim program, which was featured in the last Pokemon Go GPS spoofing Hackaday article. It reads the GPS coordinates from stdin (in a second thread) and continuously generates the fake GPS data for the HackRF transfer program. I wrote it to a fifo file, which the HackRF program could then read. All details here:

    https://github.com/osqzss/gps-sdr-sim/issues/41

    Couldn’t really test it so far, because I don’t have a good enough external oscillator and the internal oscillator works very sporadically (sometimes when I use some freezing spray it works for some seconds, and then stops working again). But I have already ordered a precision internal TCXO oscillator for my HackRF :-) As the original author of gps-sdr-sim wrote, another improvement would be to simulate movement, because the devices might get confused if you move suddenly for a long distance.

PS: be careful if you play with spoofing GPS signals. Besides good shielding so that other devices are not affected, my iPhone needed an hour to re-calibrate to the real satellites. During this time it said that there was no GPS signal and the clock was wrong, because the gps-sdr-sim program didn’t send the right time and it looks like the iPhone uses the date and time from the GPS signal.

    1. Any RF shielding box good enough to keep the fake GPS signals inside would be good enough to block WiFi and cellphone signals from getting in, as well as out.

      It would have to be feeding such data in and out via USB OTG, or with a repeater connected to an antenna outside the box.

    2. Keep in mind GPS signals are so faint they are actually below the noise floor of background radiation. Shielding enough to block them while allowing stronger cell signals through shouldn’t be difficult.

    1. Honestly, they’d be better off playing any other Pokemon game. (I get the whole “feeling left out” aspect though)

      I’m a huge Pokemon fan from way back, but Pokemon GO is just not a very good game.
      I wish I could quit playing it though!

4. A week or two ago, I made what I believe to be an interesting point on Twitter that started as a prediction, and then a follow up point once someone actually had a working hardware hack, that is as follows: Pokemon Go has single-handedly made it possible for someone with a few hundred dollars for an SDR, and not a lot of skill, to take down consumer, commercial and even some military unmanned air systems via GPS spoofing, much in the same way that the RQ-170 (AKA ‘The Beast of Kandahar’), a top secret/classified aircraft at the time, was taken down by Iran. Now in all likelihood, they were using ‘military’ GPS on that craft, and as such, the equipment needed is nearly exclusively owned and operated by military, but everything from your neighbor’s Phantom 4, to Amazon Delivery Drones (when they become an actual ‘thing’) to even some military aircraft like the Raven, will be affected by this at a very basic level. Now sure, you can disable GPS and assume manual control (so long as the attacker isn’t jamming 2.4 GHz, the most common control frequency for consumer UAS), but how many Phantom operators actually know how to do that?
    TL;DR: Pokemon Go has opened up yet another can of worms, and this hack (albeit using certified test gear to lower the chance of the FCC getting on their arse), just goes to show it. The same thing has been achieved to varying degrees with BladeRFs, HackRFs, etc, which can be gotten for under $500.
    Very few people would have attempted to do this, much less made it public and released source code, without being lazy/cheating in Pokemon Go being a goal.
    Cheating at video games prompting real world security issues…not the first time this has happened ;) Interesting times we’re in.

1. There is still a fair bit of knowledge required to operate that, that the ‘layman’ doesn’t have. I guess what I was getting at, is that it has been made so incredibly simple, that a 10 year old could probably do it =P
        But yeah, valid point on the basics being around…now we’ll just see it with shiny, point and click GUIs =P

    1. The GPS satellite is owned by the military, if there was a war or interference they would switch it so that it responds to military equipment.

      Nothing critical should rely on GPS.

    2. This is a big risk in the maritime industry. Most modern ships rely too heavily on electronic charts with GPS positioning which make them vulnerable to GPS hacks. A few years ago UT Austin Researchers demonstrated this in an experiment where spoof GPS signals were transmitted to a $80m Super Yacht taking it off course without alerting the crew or raising any alarms. If you were to do this to an oil tanker and divert it towards a reef you can guess what will probably happen next. Also a useful tool for pirates.

Though I will say that I don’t think the release of Pokemon Go will increase this risk by any measurable means, unless the game is really popular in Somalia that is.

  5. I tried Pokemon GO to see if there’s much in my small town. There’s not, so I uninstalled it. There’s also no way to fully exit it without using Force Stop and when the servers are overloaded it puts a misleading error message on screen saying it can’t locate you, while it’s showing your precise position on the map.

    What’s surprising is the game doesn’t make the simple check to see if Mock Locations is enabled on an Android phone. The Carl’s Jr. app that gives points for checking in at their restaurants does that and won’t run until that’s turned off.

    1. It absolutely does check for mock locations on android phones. The consequence? An error message on screen saying it can’t locate you, while showing your precise (mock) position on the map..

      1. Tip for mocking the location:
        1. Use a fakeGPS app and engage the location.
        2. Forcibly stop the fakeGPS app.
3. Start PokemonGO app and forcibly stop it.
4. Start PokemonGO app again and voila, for a few seconds (approx 30 secs) you are on the spoofed location. Enjoy :)

    1. The GPS satellites are owned by the military, if there was a war or interference they would switch them so that they only respond to military equipment.

      Nothing critical should rely on GPS.
