In August of this year I spent a week in Las Vegas, NV at DEFCON and BSidesLV, working and absorbing the brains, and returned with a Nuand BladeRF and an RTL2832U software-defined radio. My interest in the airwaves goes back to my grad-school research into wireless radiation and the implications of being able to sniff information from many, many data sources. This is something we can see in Google's wardriving mapping vehicles, which use our Wi-Fi networks to create hyper-granular views of neighborhoods, and again in Facebook's use of geo-co-location to discern citizens from each other across swaths of public space. And, at the time, spoofing Pokémon Go seemed more easily done than wrangling drones. Because of the legality of spoofing, and given that I live beneath the approach path for a major airport, I did neither. DON'T DO THIS OUTSIDE OF A FARADAY CAGE! Wrap a shoebox in foil or chicken wire, anything to prevent signals from escaping. This is nothing to mess with: in 2016, fake GPS set my clock back to 2014, with no way to fix it.
Building off of research presented at the Black Hat conference in 2015 and on Takuji Ebinuma's gps-sdr-sim, I wanted to attempt to simulate GPS signals with the new BladeRF. The SDR board works on OS X and Linux, but this setup uses a Raspberry Pi running the latest GUI-less Lite image of Raspbian. Dependencies were easy enough to install, and Ebinuma's tool includes a script that sets the needed values on the BladeRF. The most difficult part of the process was finding and compiling the latest RINEX navigation file and NMEA GGA stream. The RINEX navigation files are published daily by NASA (the CDDIS link below); the NMEA GGA stream describes the receiver's own motion and is something you supply for dynamic mode. Beware, according to Ebinuma's readme:
"These files are then used to generate the simulated pseudorange and Doppler for the GPS satellites in view. This simulated range data is then used to generate the digitized I/Q samples for the GPS signal. HackRF and bladeRF require 2.6 MHz sample rate, while the USRP2 requires 2.5 MHz (an even integral decimator of 100 MHz). The simulation start time can be specified if the corresponding set of ephemerides is available. Otherwise the first time of ephemeris in the RINEX navigation file is selected. The maximum simulation duration time is defined by USER_MOTION_SIZE to prevent the output file from getting too large."
Now let's build the utilities we'll need to manage the BladeRF. It won't be much, but we'll add a few packages that can be used for other purposes. Download the firmware and FPGA bitstream from
https://github.com/Nuand/bladeRF/releases. To install the bladeRF tools, plus the headers needed if you want to build GNU Radio and gr-osmosdr later, use

sudo add-apt-repository ppa:bladerf/bladerf
sudo apt-get update
sudo apt-get install bladerf
# header files for gnuradio and gr-osmosdr
sudo apt-get install libbladerf-dev

One caveat: that PPA carries Ubuntu packages, so on a Raspbian image you will most likely have to build libbladeRF and bladeRF-cli from source following Nuand's own instructions instead.
Let's build the gps-sdr-sim package. It builds with plain GCC (the GNU Compiler Collection), which comes standard on most *nix OSes but may need to be installed or updated first:

git clone https://github.com/osqzss/gps-sdr-sim
cd gps-sdr-sim
# Build with GCC
gcc gpssim.c -lm -O3 -o gps-sdr-sim
Usage: gps-sdr-sim [options]
Options:
  -e <gps_nav>     RINEX navigation file for GPS ephemerides (required)
  -u <user_motion> User motion file (dynamic mode)
  -g <nmea_gga>    NMEA GGA stream (dynamic mode)
  -l <location>    Lat,Lon,Hgt (static mode) e.g. 30.286502,120.032669,100
  -t <date,time>   Scenario start time YYYY/MM/DD,hh:mm:ss
  -T <date,time>   Overwrite TOC and TOE to scenario start time
  -d <duration>    Duration [sec] (max: 300)
  -o <output>      I/Q sampling data file (default: gpssim.bin)
  -s <frequency>   Sampling frequency [Hz] (default: 2600000)
  -b <iq_bits>     I/Q data format [1/8/16] (default: 16)
  -i               Disable ionospheric delay for spacecraft scenario
  -v               Show details about simulated channels
Now we can pull some RINEX data and use it to synthesize the signal that a receiver at our chosen location would see from the satellites described in the ephemerides file. The Black Hat presentation covers the mathematics of computing those ranges much more in depth. This data matters more than it looks: a receiver trusts the GPS time carried in the navigation message, and gps-sdr-sim takes its scenario start time from the first ephemeris epoch in the RINEX file unless you pass -t or -T, so a phone that locks onto the fake signal sets its clock to the date of the ephemerides. This almost permanently blasted my phone back to 2014, the year of the ephemerides data. The easiest way to get the latest GPS data file is to visit
ftp://cddis.gsfc.nasa.gov/gnss/data/daily/2016/brdc, with the latest file today being
ftp://cddis.gsfc.nasa.gov/gnss/data/daily/2016/brdc/brdc2590.16n.Z. The .Z suffix is compress(1) format; uncompress the file (gzip -d handles it) before handing it to gps-sdr-sim. Now we are ready to feed the program a coordinate to broadcast, or a CSV of a route made on Google Earth or Map Maker.
Run gps-sdr-sim first: it does not stream, it writes the whole set of I/Q samples to gpssim.bin, and bladeRF-cli then plays that file back. Only once it has finished (there is no need for two terminals or for backgrounding anything with &), start bladeRF-cli with the script that ships in the repo:

./gps-sdr-sim -e brdc3540.14n -l 30.286502,120.032669,100

bladeRF-cli -s bladerf.script

Note the navigation file name: brdc3540.14n is day 354 of 2014, which is exactly why a receiver locking onto this signal ends up in December 2014. Use the current day's brdc file, or -T to rewrite the ephemeris times to your scenario start, if the receiver's clock matters to you.
This will configure the BladeRF and start transmitting the simulated GPS signal (bladerf.script, as shipped with gps-sdr-sim):

set frequency 1575.42M
set samplerate 2.6M
set bandwidth 2.5M
set txvga1 -25
cal lms
cal dc tx
tx config file=gpssim.bin format=bin
tx start
Success!! Where I am is not where I am.
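A pre-flight helper for the procedure above, added here as an example; it is not code from this post or from gps-sdr-sim. It derives the CDDIS brdc file name for a calendar date (so you stop grabbing a two-year-old file by accident), reads the first ephemeris epoch out of the RINEX navigation file to tell you what year a receiver will be pushed to, and checks that gpssim.bin has the size gps-sdr-sim should have produced before anything goes to the radio. The brdc<DDD>0.<YY>n naming, gps-sdr-sim's 2.6 MHz/16-bit defaults and GNU coreutils on the Pi are assumptions; the RINEX snippet it writes is constructed for the dry run and is not real ephemeris data.

```shell
#!/bin/sh
# Added example, not from the original post or from gps-sdr-sim. Assumed
# (not stated on the page): CDDIS names daily broadcast ephemerides
# brdc<DDD>0.<YY>n.Z, gps-sdr-sim's defaults of 2.6 MHz and 16-bit I/Q,
# and GNU coreutils (stat -c, gzip -d) on the Raspberry Pi.
set -eu

# Day of year for a Gregorian date given as year, month, day (no leading zeros).
day_of_year() {
    y=$1; m=$2; d=$3
    case $m in
        1) c=0 ;;   2) c=31 ;;  3) c=59 ;;  4) c=90 ;;
        5) c=120 ;; 6) c=151 ;; 7) c=181 ;; 8) c=212 ;;
        9) c=243 ;; 10) c=273 ;; 11) c=304 ;; 12) c=334 ;;
        *) echo "bad month: $m" >&2; return 1 ;;
    esac
    # February 29 only shifts the months after February
    if [ "$m" -gt 2 ] && [ $((y % 4)) -eq 0 ] \
       && { [ $((y % 100)) -ne 0 ] || [ $((y % 400)) -eq 0 ]; }; then
        c=$((c + 1))
    fi
    echo $((c + d))
}

# CDDIS daily broadcast-ephemeris file name for YYYY-MM-DD, e.g. brdc2590.16n.
brdc_name() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    doy=$(day_of_year "$y" "${m#0}" "${d#0}")
    printf 'brdc%03d0.%sn\n' "$doy" "${y#??}"
}

# Year of the first ephemeris epoch in a RINEX 2 navigation file. Without
# -t/-T gps-sdr-sim starts the scenario there, and the receiver's clock follows.
first_epoch_year() {
    yy=$(awk 'hdr { print $2; exit } /END OF HEADER/ { hdr = 1 }' "$1")
    yy=${yy#0}
    if [ "$yy" -lt 80 ]; then echo $((2000 + yy)); else echo $((1900 + yy)); fi
}

# Size gps-sdr-sim should write: seconds * samples/s * 2 channels * bytes each.
expected_iq_bytes() {   # duration_s rate_hz bits
    case $3 in
        8)  echo $(( $1 * $2 * 2 )) ;;
        16) echo $(( $1 * $2 * 4 )) ;;
        *)  echo "unsupported -b $3 (use 8 or 16)" >&2; return 1 ;;
    esac
}

# Constructed sample RINEX 2 nav file (header + one 2014 epoch) for dry runs.
write_demo_nav() {
    cat > "$1" <<'EOF'
     2.11           N: GPS NAV DATA                         RINEX VERSION / TYPE
                                                            END OF HEADER
 1 14 12 20  0  0  0.0 1.234e-05 0.0 0.0
EOF
}

# Whole pipeline for a date and a static Lat,Lon,Hgt. Expects ./gps-sdr-sim and
# the downloaded .Z file in the current directory; transmit only into a shielded box.
run_pipeline() {   # YYYY-MM-DD lat,lon,hgt [duration_s]
    nav=$(brdc_name "$1"); dur=${3:-300}
    [ -f "$nav" ] || gzip -d "$nav.Z"          # .Z is compress(1) format; gzip reads it
    echo "receiver clock will land in $(first_epoch_year "$nav")"
    ./gps-sdr-sim -e "$nav" -l "$2" -d "$dur" -o gpssim.bin
    want=$(expected_iq_bytes "$dur" 2600000 16)
    got=$(stat -c %s gpssim.bin)
    [ "$got" -eq "$want" ] || { echo "gpssim.bin is $got bytes, expected $want" >&2; return 1; }
    bladeRF-cli -s bladerf.script
}

# Dry run on the constructed file: nothing is downloaded or transmitted.
tmp=$(mktemp)
write_demo_nav "$tmp"
echo "today's file: $(brdc_name 2016-09-15)"                      # brdc2590.16n
echo "demo nav pushes the receiver to $(first_epoch_year "$tmp")"  # 2014
echo "300 s at 16-bit needs $(expected_iq_bytes 300 2600000 16) bytes"
rm -f "$tmp"
```

Once gps-sdr-sim is built and the day's .Z file is in the working directory, `run_pipeline 2016-09-15 30.286502,120.032669,100` does the uncompress, generate, size check and playback in order; the size check catches a gps-sdr-sim run that died part way (a truncated gpssim.bin would otherwise just be transmitted as a short burst), and the epoch check is what would have flagged the 2014 file before the phone found out.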