I’m going to do a writeup myself of the gory details (where to find the current ephemeris data etc) etc - but I got the LimeSDR to transmit fake-gps to a bluetooth/gps device and got it to show my location as being at work while I’m at home. Took a little finessing but it’s working fine!
To allay any fears of disruption to navigation - the gps receiver has to be about an inch away from my antenna to get enough signal strength
Nice! Once you’ve done this, let me know if you’d like a wiki login so that you can add a few details. Otherwise I’d be happy to do this. Hoping to get all these great projects and demos etc. documented, so that it’s easier for others to reproduce and use them as a starting point in their own projects.
being the topic is not new, there are number of studies which were made regarding the ephemeris data and other details as well as methods of transmission and tools used. have a look at the following number of papers. Virus Bulletin 2016 presentation on GPS spoofing and countermeasures
getting real time ephemeris might be a bit of a challenge also it looks like NASA ftp archive started providing them with a less lag comparing to what it used to be. Hope it helps… keep the good things coming!
Some of them can be challenging - was trying to spoof Waikiki Beach last night and finally found recent (hour or so old) data from ‘gold’ (JPL) - gold040u.17n - 40th day of the year, u is 20 hours Z or 3PM here, 2017 and n for gps data, at ftp -p cddis.gsfc.nasa.gov:/pub/gps/data/hourly/2017/040/20/ It’s actually fun to watch the time lock on to what you pick and you can even see how much of the broadcast is left - I’m using the 300 sec default length, which creates a 5.6G file to transmit.
Chewing on how to spoof cell phones, as they appear to use a combo of coarse (tower) and gps location and could not get gps to override the course location on mine - have not had much time to play however.
Some time ago I saw services where the network operator would provide a rough fix based on, I assumed, the RSSI at multiple towers (could be TDOA?). Maybe there are now public databases that would enable a client-side app on the handset to resolve its position? I honestly have no idea, but would be interesting to find out.
When experimenting with spoofing GPS data for mobile phones using HackRF i found that the phone’s GPS receivers are not as forgiving to the boards clock drift as standalone units from U-Blox. I believe Mr. Takuji Ebinuma also reflected it in his blog. I think LimeSDR has a more stable clock, something to the order of 2.5ppm. This normally should be good enough. The cell phones most likely rely on an Assisted GPS system to improve the standard performance of the GPS in poor conditions. It uses the approximate nearest cell tower location to request almanac and current ephemerides trough a web service. It drastically speeds up the initial fix. The way to check if A-GPS is a culprit is to switch it off in the settings as well as switch the phone to the airplane mode, essentially cutting off the cell tower and data assistance.
Andrew - where should I post experience with gps spoofing on the wiki, under Software / Applications? Was honing the process today and simulated visiting Trinity college, at least on my bluetooth gps device.
If you need better frequency stability, 10 MHz External Ref In works. I had to use LimeSuite to turn it on, but once enabled, it remained working until the board was power cycled.
Got it - spoofed location to a Galaxy S4 - had to get a really good signal but it eventually got the fix. Airplane mode / shutdown, remove battery / power up and use GPS Test, saw sats near immediate but getting the fix was tricky.
Tested with gps-sdr-sim -b 16 and short file source and that works also - too soon to say if any better or not - with a ishort-to-complex before the sink, altho the bb data file is twice as big.
Amazingly, once there is a gps fix on the LimeSDR I can walk several rooms away and it stays locked (gain 20, or -32 attenuation PAD), then of course real sv’s (satellites) start to show up too.
I just now realized that the GPS fakeout can be used to get around COCOM limits. Very interesting work.
This blog post led me to the rocket tracking work:
You already tested it with rockets? Or do you mean something else? I never knew about COCOM until I read that. I knew that DoD used to just switch off GPS entirely. Then they went to another trick (which I can’t remember the name for) where they diminished the accuracy.
Surveyors and others could use differential GPS to get improved accuracy/precision. Then WAAS appeared (Wide Area Augmentation System) and is what’s used now to improve accuracy/precision for civilian use. I think most heavies still have inertial guidance systems.
I havent been able to get this to work. I get error:
INFO] Make connection: ‘LimeSDR-USB [USB 3.0] 9070602460A1D’
[INFO] Reference clock 30.72 MHz
[INFO] Device name: LimeSDR-USB
[INFO] Reference: 3.072e+07 MHz
[INFO] LMS7002M calibration values caching Disable
[INFO] Filter calibrated. Filter order-4th, filter bandwidth set to 7.5 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
[INFO] TX LPF configured
Press Enter to quit: e[1me[31m[ERROR] MCU error code(5): Loopback signal weak: not connected/insufficient gain?e[0m
