A few weeks ago, China launched the final satellite in its BeiDou-3 satellite positioning system. Didn’t know that China had its own GPS? How about Europe’s Galileo, Russia’s GLONASS, or Japan’s QZSS? There’s a whole world of GPS-alikes out there. Let’s take a look.
The entire world has come to depend on satellite navigation systems in the forty or so years since the first Global Positioning System satellites took to orbit. Modern economies have been built on the presumption that people and assets can be located to within a meter or better anywhere on, above, or even slightly under the surface of the planet. For years, GPS was the only way to do that, but billions have since been sunk into fielding other global navigation systems, both to achieve a measure of independence from GPS and to put in place some badly needed redundancy in case of outages, like the one suffered by the European Union’s Galileo system recently.
The problem with Galileo, the high-accuracy public access location system that’s optimized for higher latitudes, seems to be resolved as of this writing. The EU has been tight-lipped about the outage, however, leaving investigation into its root cause to a few clever hackers armed with SDRs and comprehensive knowledge of exactly how a constellation of satellites can use the principles of both general and special relativity to point you to your nearest Starbucks.
Forgive the click bait headline, but the latest work from [Marco Bartolucci] and [José A. del Peral-Rosado] is really great. They’re using multiple HackRFs, synchronized together, with hybrid positioning algorithms to derive more precise localization accuracy. (PDF)
Like all SDRs, the HackRF can be used to solve positioning problems using WiFi, Bluetooth, 3G, 4G, and GNSS. Multiple receivers can also be used, but this requires synchronization for time-based or frequency-based ranging. [Bartolucci] and [Peral-Rosado] present a novel solution for synchronizing these HackRFs using a few convenient ports available on the board, a bit of CPLD hacking, and a GNSS receiver with a 1 pps output.
This is technically two hacks in one, the first being a sort of master and slave setup between two HackRFs. Using the Xilinx XC2C64A CPLD on board the HackRF, [Bartolucci] and [Peral-Rosado] effectively chain two devices together. The synchronization error is below one sampling period, and more than two HackRFs can be chained together with the SYNC_IN port of each connected together in parallel. Read more about it in their pull request to the HackRF codebase.
This simpler technique will not work if the HackRF receivers must be separated, which brings us to the second hack. [Bartolucci] and [Peral-Rosado] present another option in that case: using the 1 pps output of a GNSS receiver for the synchronization pulse. As long as both HackRFs can see the sky, they can act as one. Very cool!
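To show why the sub-sample synchronization matters for time-based ranging, here is an added example (not code from the paper, the pull request, or the HackRF project): a small time-difference-of-arrival (TDOA) solver over four constructed receiver positions. It converts a timing error into a range error, then fits an emitter position by Gauss-Newton least squares, once with perfectly synchronized receivers and once with one receiver's clock off by a single sample period. The 20 MS/s sample rate, the receiver layout, and the emitter position are all assumptions chosen for illustration.

```python
import math

C = 299_792_458.0  # speed of light in m/s

# Constructed layout: four time-synchronized receivers at known positions (metres, 2-D)
RECEIVERS = [(0.0, 0.0), (100.0, 0.0), (0.0, 100.0), (100.0, 100.0)]


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def range_error_m(sync_error_s):
    """Ranging error produced by a given inter-receiver timing error."""
    return sync_error_s * C


def simulate_tdoa(tx, receivers, clock_offsets_s):
    """Time differences of arrival relative to receiver 0 for an emitter at tx.
    clock_offsets_s models the residual synchronization error of each receiver."""
    arrival = [dist(tx, r) / C + off for r, off in zip(receivers, clock_offsets_s)]
    return [t - arrival[0] for t in arrival[1:]]


def solve_tdoa(receivers, tdoas, iterations=50):
    """Gauss-Newton least-squares fit of the emitter position to the TDOA set."""
    n = len(receivers)
    x = [sum(r[0] for r in receivers) / n, sum(r[1] for r in receivers) / n]  # start at centroid
    for _ in range(iterations):
        d = [dist(x, r) for r in receivers]
        res, jac = [], []
        for i, tau in enumerate(tdoas, start=1):
            # residual: predicted range difference minus measured one
            res.append((d[i] - d[0]) - tau * C)
            jac.append([(x[0] - receivers[i][0]) / d[i] - (x[0] - receivers[0][0]) / d[0],
                        (x[1] - receivers[i][1]) / d[i] - (x[1] - receivers[0][1]) / d[0]])
        # Normal equations for the 2x2 system (J^T J) dx = J^T r
        a = sum(j[0] * j[0] for j in jac)
        b = sum(j[0] * j[1] for j in jac)
        c = sum(j[1] * j[1] for j in jac)
        g0 = sum(j[0] * r for j, r in zip(jac, res))
        g1 = sum(j[1] * r for j, r in zip(jac, res))
        det = a * c - b * b
        if abs(det) < 1e-12:
            break
        dx = (c * g0 - b * g1) / det
        dy = (a * g1 - b * g0) / det
        x = [x[0] - dx, x[1] - dy]
        if math.hypot(dx, dy) < 1e-9:
            break
    return tuple(x)


def position_error_m(tx, clock_offsets_s, receivers=RECEIVERS):
    """Distance between the true emitter position and the TDOA estimate."""
    est = solve_tdoa(receivers, simulate_tdoa(tx, receivers, clock_offsets_s))
    return dist(est, tx)


if __name__ == "__main__":
    emitter = (30.0, 70.0)   # constructed true emitter position
    period = 1 / 20e6        # one sample period at an assumed 20 MS/s
    print("one sample period =", range_error_m(period), "m of range")
    print("perfectly synchronized:", position_error_m(emitter, [0, 0, 0, 0]), "m")
    print("one-period offset on receiver 1:", position_error_m(emitter, [0, period, 0, 0]), "m")
```

With synchronized receivers the fit recovers the emitter to well under a millimetre; a single 50 ns clock offset on one receiver is 15 m of range and pushes the position estimate off by metres, which is why the CPLD chaining and the shared 1 pps pulse are the interesting part of the work.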
Since Pokemon Go blew up the world a couple of weeks ago we’ve been trying to catch ’em all. Not the Pokemon; we’ve been trying to collect all the hardware hacks, and in particular the most complete GPS spoofing hack. We are now ready to declare the first Grandmaster GPS spoofing hack for Pokemon Go. It broadcasts fake GPS signals to your phone allowing the player to “walk around” the real world using a gaming joystick.
Just about everything about this looks right to us. They’re transmitting radio signals and are doing the responsible thing by using an RF shield box that includes a GPS antenna. Hardware setup means popping the phone inside and hooking up the signal generator and GPS evaluation hardware. Google Earth then becomes the navigation interface — a joystick allows for live player movements, coordinates are converted to GPS signals which are transmitted inside of the box.
Now, we did say “just about right”. First off, that RF shielding box isn’t going to stop your fake GPS signals when you leave the lid open (done so they can get at the phone’s touchscreen). That can probably be forgiven for the prototype version, but it’s that accelerometer data that is a bigger question mark.
When we looked at the previous SDR-based RF spoofing and the Xcode GPS cheats for Pokemon Go there were a number of people leaving comments that Niantic, the devs responsible for Pokemon Go, will eventually realize you’re cheating because accelerometer data doesn’t match up to the amount of GPS movement going on. What do you think? Is this app sophisticated enough to pick up on this type of RF hacking?
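The accelerometer cross-check the commenters describe is straightforward to express in code. The following is an added example and not anything from Niantic or the spoofing project: it walks a list of GPS fixes, computes the ground speed between consecutive fixes with the haversine formula, and compares each segment with the spread of accelerometer magnitudes recorded over the same interval. A segment where the reported position moves while the accelerometer sits flat at 1 g is flagged. The fixes, the sample rate, and the thresholds (0.3 m/s for "moving", 0.15 m/s² of standard deviation for "still") are constructed values for illustration.

```python
import math
from statistics import pstdev

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude fixes."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def gps_segments(fixes):
    """(t_start, t_end, speed in m/s) for each pair of consecutive (t, lat, lon) fixes."""
    out = []
    for (t0, la0, lo0), (t1, la1, lo1) in zip(fixes, fixes[1:]):
        out.append((t0, t1, haversine_m(la0, lo0, la1, lo1) / (t1 - t0)))
    return out


def accel_activity(samples, t_start, t_end):
    """Standard deviation of acceleration magnitude in [t_start, t_end); None if too few samples."""
    mags = [m for t, m in samples if t_start <= t < t_end]
    return pstdev(mags) if len(mags) >= 2 else None


def find_inconsistent_segments(fixes, accel, move_speed_mps=0.3, still_std_mps2=0.15):
    """Segments where GPS reports motion but the accelerometer shows a resting device."""
    flagged = []
    for t0, t1, speed in gps_segments(fixes):
        act = accel_activity(accel, t0, t1)
        if act is not None and speed > move_speed_mps and act < still_std_mps2:
            flagged.append((t0, t1, round(speed, 2), round(act, 3)))
    return flagged


# --- constructed sample data: one fix every 10 s, accelerometer at 10 Hz ---
FIXES = [(0, 37.0000, -122.0), (10, 37.0001, -122.0), (20, 37.0002, -122.0),
         (30, 37.0002, -122.0), (40, 37.0003, -122.0)]


def _accel_magnitude(t):
    g = 9.81
    if t < 20:
        return g + 1.5 * math.sin(4 * math.pi * t)  # walking: ~2 Hz step oscillation
    return g + 0.01 * math.sin(4 * math.pi * t)     # phone resting in the box: sensor noise only


ACCEL = [(i / 10, _accel_magnitude(i / 10)) for i in range(401)]  # t = 0.0 .. 40.0 s


if __name__ == "__main__":
    for seg in find_inconsistent_segments(FIXES, ACCEL):
        print("GPS moved while the accelerometer was still:", seg)
```

In the constructed data the first two segments move at walking pace with a walking-like accelerometer trace, the third is stationary on both sensors, and only the last one (about 1.1 m/s of reported movement over a flat 1 g trace) is flagged. A real check would also have to tolerate a phone lying still on a moving vehicle, which is exactly why this heuristic needs to be one signal among several rather than a verdict on its own.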