Tagged: GNSS

Nils Reviews our RTL-SDR Blog L-Band Active Patch Antenna

Over on his blog Nils Schiffhauer (DK8OK) has recently uploaded a review of our RTL-SDR Blog Active L-Band Patch Antenna (original site is down - archive.org link). This is a satellite patch antenna designed for experimenters who want to receive Inmarsat, Iridium, GPS and other GNSS signals. It covers 1525 - 1660 MHz. (Please note it does not cover GOES or other L-band weather satellites as these are much weaker signals that require a dish). The antenna comes as a set with mounting hardware and extension cable and can be purchased on our store for $49.95 including free worldwide shipping to most countries.

In his review Nils tests the patch antenna with his wideband BladeRF software defined radio showing a wide 60 MHz of bandwidth being received. He then goes on to show it being used to receive AERO, via the JAERO decoder, and STD-C via the Tekmanoid decoder.

We want to take this opportunity to pre-announce that due to rising shipping costs the price of this antenna set will be going up by $10 in early 2022. Before the price raise we will put out another post, but if you are interested in one we'd recommend picking one up soon.

Nils tests the water resistance of the antenna.

Two reviews of our new L-Band Patch Antenna + Stock Update

Last month we released our new L-band active patch antenna for sale, and not too long after we had a review from Frugal Radio praising it. We now have two more YouTube reviews available to share.

The first is from Tech Minds who does a teardown and demonstrates it receiving and decoding the Inmarsat STD-C NCS channel, receiving and decoding GPS and receiving Iridium signals. The second is from Mike Ladd from SDRplay, who tests it with an SDRplay RSP1A software defined radio. He shows that the patch works perfectly with an RSP1A, and demonstrates it receiving and decoding STD-C while mounted on the dash of his vehicle.

L-Band Patch Stock Availability Note: We note that we are already close to selling out of the first batch of these units as they sold much faster than expected! New sales of this patch are currently backordered but we expect to have a few more units from this first batch available by the end of next week. Also the freighter with Amazon USA stock should be arriving any day now, but it could still take a few weeks to get through the port and reach the warehouse due to the current port delays.

The second production batch of this antenna might still be a while away due to the electronic component shortage crisis occurring now, so if you were thinking about picking one up, please order ASAP.

RTL-SDR BLOG L-BAND Patch Antenna Version 2 - Inmarsat - Iridium - GPS

SDRplay RSP1a - RTL SDR Blog L-Band Patch antenna

Preorder Sale: Active L-Band 1525-1660 Inmarsat and Iridium Patch Back In Stock for $44.95

We have just received stock of our new L-band active patch antenna design. The antenna is designed for receiving RHCP L-band satellites such as Inmarsat, Iridium, GPS and other satellites that transmit between 1525 - 1660 MHz (please note that you cannot use it for weak signals that require a dish like HRPT or GOES). The antenna comes as a set with a large suction cup, 3M RG174 extension cable and bendable tripod to help with mounting. Preorder pricing is US$44.95 including free worldwide shipping to most countries shipped from our warehouse in Shanghai. At the end of this week (extended for one more week!) pricing will rise to the standard cost of US$49.95. Amazon stock will require time, and won't be in for at least 6+ weeks.

Please see our store to order the unit

Like our previous patch design, this is an actively amplified antenna as it contains a built in low noise amplifier which takes power from a 3.3 - 5V bias tee. This power is available from from our RTL-SDR Blog V3 dongles, and other SDRs like the Airspy, HackRF and SDRplay. It also has a built in SAW filter after the LNA to help reduce terrestrial interference.

Compared to the previous design the new patch is larger (175 x 175 mm) with higher gain and wider radiation pattern. This allows for much easier pointing of the antenna and for much stronger signals. The upper frequency range has also been extended to 1660 MHz from 1625 MHz. The included suction cup is also much larger allowing for the patch to point at more angles without being restricted by the window. The patch is enclosed within a new weatherproof plastic enclosure. 

L-Band Patch with Accessories
L-Band Patch Mounting Examples

The screenshots below show the patch receiving various signals like AERO, STD-C and Iridium

Inmarsat Reception
Inmarsat Reception
Airspy Showing Patch Bandwidth
GPS "hump" visible

Usage Tips

  • The antenna should be used with one meter or more of coax cable. It may perform poorly if the RTL-SDR is placed right at the antenna due to interference. If you want to run very long cable, then low loss coax should be used. 
  • The patch can be used flat, or angled towards the satellite. Angling it towards the satellite will yield significantly higher gain.
  • If you have very strong cell phone interference in your area, try using the patch a bit lower to the ground, and use buildings to block the interfering signal.
  • If you want to mount this on a car roof, you can use a standard mag-mount camera adapter.
  • When using the suction cup, ensure you wipe down the cup and the window surface before sticking it on. Have a backup plan in case the suction fails.

What can you do with this antenna?

Investigating the Galileo Satellite Navigation System Outage with a LimeSDR

Galileo is a European Union owned satellite navigation system. Galileo was created so that the EU does not need to rely on the US GPS or the Russian GLONASS satellites, as there is no guarantee that these systems won't be purposely turned off or degraded by their governments at any time.

Unfortunately since July 11 the Galileo system has been out of service. Not much information about the outage has been provided, but it appears to be related to problems with the Italian ground based Precise Timing Facility which consists of two ultra high precision atomic clocks that keep the Galileo systems' reference time. (We note that recently within the last few hours of this post, most satellites seem to have come back into operational status, but the EGSA website still reports an outage.)

Over on his blog, Daniel Estevez has been using his LimeSDR and a small patch antenna to gather some more information about the outage directly from the Galileo satellites. His investigations found that the modulation and signal itself are still working correctly. However, by using the GNSS-SDR software to investigate the signal data he was able to obtain the ephemeris, and see that the ephemeris is stuck in the past. The ephemeris data is used to calculate compensations for orbital drift and without frequent ephermis updates, orbital errors add up within hours resulting in poor positioning accuracy. In order to generate the ephermis, the Precise Timing Facility must be operational.

Daniel's post goes into further technical details about the information he's collected, and it's definitely an interesting read. One interesting bit of information that you can read from his post explains why the service has gone from initially just heavily degraded accuracy from July 11, to completely nonsense results from July 15 onwards.

Running a Tesla Model 3 on Autopilot off the Road with GPS Spoofing

Regulus is a company that deals with sensor security issues. In one of their latest experiments they've performed GPS spoofing with several SDRs to show how easy it is to divert a Tesla Model 3 driving on autopilot away from it's intended path. Autopilot is Tesla's semi-autonomous driving feature, which allows the car to decide it's own turns and lane changes using information from the car's cameras, Google Maps and it's Global Navigation Satellite System (GNSS) sensors. Previously drivers had to confirm upcoming lane changes manually, but a recent update allows this confirmation to be waived.

The Regulus researchers noted that the Tesla is highly dependent on GNSS reliability, and thus were able to use an SDR to spoof GNSS signals causing the Model 3 to perform dangerous maneuvers like "extreme deceleration and acceleration, rapid lane changing suggestions, unnecessary signaling, multiple attempts to exit the highway at incorrect locations and extreme driving instability". Regarding exiting at the wrong location they write:

Although the car was a few miles away from the planned exit when the spoofing attack began, the car reacted as if the exit was just 500 feet away— slowing down from 60 MPH to 24 KPH, activating the right turn signal, and making a right turn off the main road into the emergency pit stop. During the sudden turn the driver was with his hands on his lap since he was not prepared for this turn to happen so fast and by the time he grabbed the wheel and regained manual control, it was too late to attempt to maneuver back to the highway safely.

In addition, they also tested spoofing on a Model S and found there to be a link between the car's navigation system and the automatically adjustable air suspension system. It appears that the Tesla adjusts it's suspension depending on the type of road it's on which is recorded in it's map database.

In their work they used a ADALM PLUTO SDR ($150) for their jamming tests, and a bladeRF SDR ($400) for their spoofing tests. Their photos also show a HackRF.

Regulus are also advertising that they are hosting a Webinar on July 11, 2019 at 09:00PM Jerusalen time. During the webinar they plan to talk about their Tesla 3 spoofing work and release previously unseen footage.

GPS/GNSS spoofing is not a new technique. In the past we've posted several times about it, including stories about using GPS spoofing to cheat at Pokémon Go, misdirect drivers using Google Maps for navigation, and even a story about how the Russian government uses GPS spoofing extensively.

Some SDR tools used to spoof the Tesla Model 3.
Some SDR tools used to spoof the Tesla Model 3.

Extensive Russian GPS Spoofing Exposed in Report

Recently a US non-profit known as the Center of Advanced Defense (C4ADS) released a report titled "Exposing GPS Spoofing in Russia and Syria". In the report C4ADS detail how GPS and Global Navigation Satellite Systems (GNSS) spoofing is used extensively by Russia for VIP protection, strategic facility protection and for airspace denial in combat zones such as Syria. Using simple analysis methods that civilians can use, they were able to detect multiple spoofing events. 

GNSS spoofing involves creating a much stronger fake GNSS signal that receivers lock on to, instead of the actual positioning satellites. The fake signal is used to either jam GNSS signals, or report an incorrect location of the spoofers choice.

In the report, C4ADS mention how they used AIS data to identify 9,883 instances of GNSS spoofing which affected 1,311 commercial vessels since the beginning of February 2016. AIS is a marine vessel tracking system similar to the ADS-B tracking system that is used on aircraft. It works by broadcasting on board GPS data to nearby ships for collision avoidance. Although they don't appear to mention their AIS data sources, sites like marinetraffic.com collect and aggregate AIS data submitted by volunteer stations. By looking for anomalies in the collected AIS data, such as ships suddenly appearing at airports, they are able to determine when GNSS spoofing events occurred. 

An airport is chosen by Russia as the spoofed location presumably because most commercial drone manufacturers do not allow their drones to fly when their GPS shows them near an airport. This prevents commercial drones from being able to fly in spoofed areas.

C4ADS Research shows GPS spoofing detected via AIS data
C4ADS Research shows GPS spoofing detected via AIS data

Using AIS data, the researchers were also able to determine that the Russian president uses GNSS spoofing to create a bubble of protection around him. During a visit to the Kerch Bridge in annexed Crimea the researchers found that some vessels near his location suddenly began appearing at a nearby airport. Similar events were detected at multiple other visits by the Russian president.

Another interesting method they used to determine GNSS anomalies was to look at position heatmaps derived from fitness tracking apps. These phone/smart watch apps are often used by runners to log a route and to keep track of distance ran, speeds etc. The researchers found that runners going through central Moscow would sometimes suddenly appear to be at one of two Moscow airports. 

In a previous post we showed how Amungo Navigation's NUT4NT+ system was used to detect and locate GPS anomalies at the Kremlin. The C4ADS report also notes how several other Russian government facilities also show signs of GPS anomalies. Of interest, from photos they also saw that the Kremlin has an 11-element direction finding array which could be used to locate civilian drone controllers.

Finally, in the last sections they show how C4ADS and UT Austin used a GPS receiver on board the International Space Station (ISS) to monitor a GPS spoofer at an airbase in Syria. Using Doppler analysis they were able to determine the location of the spoofer and confirm that it is likely the cause of multiple complaints of GPS interference by marine vessels in the area.

C4ADS and UT Texas determine the location of a GPS spoofer in Syria via ISS GPS data
C4ADS and UT Texas determine the location of a GPS spoofer in Syria via ISS GPS data

The BBC also ran a story on this which is available here.

NUT2NT+ Crowdfunding: Open Source GNSS RF-to-bits Receiver

Back in May 2018 we first posted about Amungo Navigation's NUT4NT+ project, which is a four channel global navigation satellite system (GNSS) board based on the NT1065 chip. With the right antenna, it is capable of receiving any navigation satellite including GPS, GLONASS, Galileo, BeiDou, IRNSS, and QZSS. With access to multiple satellite systems, the positioning resolution can be down to the centimeter.

Currently Crowd Funding now on CrowdSupply is the NUT2NT+, which is their low cost 2-input GNSS board. Early bird units are going for $250 (12 units left at the time of posting), with the normal price being $320. Compared to their previous legacy version it has an FPGA, TCXO, bias tee and other improvements. They write:

NUT2NT+ hardware is open source, as is the software - giving the user the ability to set a receiver’s modes and frequencies, to capture all signals continuously, and to have complete control over primary processing features.

Several startups and large companies offer proprietary GNSS positioning solutions and even mobile GNSS software-defined receivers. But a closed ecosystem reduces accessibility for an enthusiast or professional developer, and it limits what a user can do with their hardware. We are happy to bring NUT2NT+ to the world as an open source option.

We note that this is an advanced device for developers and experimenters, but the possible applications they write about such as precision positioning for autonomous vehicles and black box logging are quite interesting.

NUT2NT+ with RA125 antenna for precision positioning of autonomous vehicles.
NUT2NT+ with RA125 antenna for precision positioning of autonomous vehicles.

Their higher end four channel input version (which appears to only be for sale via contact on their website at the moment) can be used as a coherent receiver which can locate sources of GPS jamming via an augmented reality app. In our previous post we highlighted how they were able to find the location of the GPS jammer/spoofers famously active around the Russian Kremlin buildings.

XNZR is searching for Moscow GPS Spoofing Anomaly

Detecting GPS Jammers In Augmented Reality

The NT1065 is an all-in-one 4-channel global navigation satellite system (GNSS) receiver chip. It is highly versatile and can receive and decode multiple navigation satellites such as GPS, GLONASS, Galileo, BeiDou, IRNSS and QZSS. Being able to receive so many satellites, it is capable of centimeter level positioning.

The team at Amungo Navigation have taken this chip and have created a product called the NUT4NT+ which is essentially a development board for the NT1065, and all the software for signal processing with it is provided as open source software. In the near future they are planning to begin fundraising for the product over on the crowd funding site CrowdSupply.

One very interesting application that they have been developing with a device similar to the NUT5NT+ is a GPS Jammer/Spoofer detector system which they call the Amungo XNZR. This is a combined 4-channel GNSS receiver and 4-antenna GNSS antenna system built into a small package that fits onto the back of an Android tablet. When connected to the software it uses augmented reality (AR) to show you exactly where GPS jammers are in the vicinity by using coherent signal processing. If you're not familiar with AR, this is the technique of overlaying digital data/images on top of a live real world camera view.

Detecting a Kremlin GPS Spoofer in Augmented Reality
Detecting a Kremlin GPS Spoofer in Augmented Reality

In the video below they take their XNZR detector to Varvarka Street in Moscow Russia and determine the location of a GPS spoofer in the vicinity. 

More information about their product can be found on their homepage, and on various interesting forum posts by someone from the company that detail some of their experiments. Note that the forum posts are in Russian, but Google Translate can be used to translate the text.

XNZR is searching for Moscow GPS Spoofing Anomaly