Tagged: GPS

Detecting Hidden GPS Trackers via Electromagnetic Unintentional Emissions with a HackRF

Researchers from Hunan University, Boise State, and UT Arlington have published a paper called "GPSBuster" (PDF link), demonstrating how a HackRF One can sniff out covert GPS trackers by their unintended electromagnetic radiation. Hidden trackers are hard to find since they only receive satellite signals and may store coordinates locally rather than transmit. Instead of looking for transmissions, GPSBuster targets side-channel leakage from the tracker's mixed-signal SoC, specifically the coupling between the quartz oscillator, local oscillator, and mixer used to downconvert the 1575.42 MHz L1 signal.

The team found that an active tracker leaks two characteristic spectra: a low band around 26 to 104 MHz and a high band around 1545 to 1625 MHz, each with a strong peak and evenly spaced harmonics. The low band reflects coupling between the quartz oscillator (typically 26 MHz) and the IF, while the high band contains LO plus IF spacing that always sums to 1575.42 MHz, giving a database-free detection rule. The setup consists of a HackRF, an NFP-3 near-field probe, and a 35 dB LNA. The use of the near-field probe means that sweeping the probe over an area to find the tracker is necessary, and the maximum detection range was 0.61 m.

Tested against the top 10 trackers available on a popular online marketplace, GPSBuster hit a 98.4% detection rate, working through plastic, cotton, canvas, and leather, and alongside phones, laptops, and speakers. It also extended to L1+L5 modules like the Quectel LC29H series, and even metal-shielded chips still leaked enough via PCB traces to be picked up.
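The high-band rule described above (a strong LO peak whose evenly spaced IF harmonics satisfy LO + IF = 1575.42 MHz) can be checked on a list of spectral peaks without any device database. The following is an added example, not code from the GPSBuster paper or this blog; the peak lists are constructed, and the tolerance, minimum tooth count and the assumption that the LO sits below L1 are illustrative choices.

```python
L1_MHZ = 1575.42               # GPS L1 carrier (from the article)
HIGH_BAND = (1545.0, 1625.0)   # high leakage band reported in the article


def comb_hits(freqs, lo, if_mhz, tol):
    """Count peaks sitting at lo + k*if_mhz (k != 0) inside the high band."""
    k_min = int((HIGH_BAND[0] - lo) // if_mhz)
    k_max = int((HIGH_BAND[1] - lo) // if_mhz) + 1
    hits = 0
    for k in range(k_min, k_max + 1):
        if k == 0:
            continue
        tooth = lo + k * if_mhz
        if any(abs(f - tooth) <= tol for f in freqs):
            hits += 1
    return hits


def find_tracker_comb(peaks, tol_mhz=0.02, min_teeth=3):
    """peaks: iterable of (freq_mhz, power_db). Returns the best match or None."""
    band = [(f, p) for f, p in peaks if HIGH_BAND[0] <= f <= HIGH_BAND[1]]
    freqs = [f for f, _ in band]
    best = None
    for lo, power in band:             # try every peak as the LO candidate
        if_mhz = L1_MHZ - lo           # rule: LO + IF must equal 1575.42 MHz
        if if_mhz <= tol_mhz:          # assumption: LO sits below L1
            continue
        teeth = comb_hits(freqs, lo, if_mhz, tol_mhz)
        # Requiring several teeth rejects a lone emitter that happens to have
        # one peak at L1; the candidate with the most teeth wins, which also
        # beats sub-harmonic candidates that only hit every second tooth.
        if teeth >= min_teeth and (
                best is None or (teeth, power) > (best["teeth"], best["power_db"])):
            best = {"lo_mhz": lo, "if_mhz": round(if_mhz, 3),
                    "teeth": teeth, "power_db": power}
    return best


# Constructed peak list: comb with LO 1571.328 MHz and IF 4.092 MHz, plus two
# unrelated emitters (1550.0 and 1602.5 MHz), the latter stronger than the LO.
TRACKER_PEAKS = [(1563.144, -78), (1567.236, -72), (1571.328, -55),
                 (1575.420, -70), (1579.512, -74), (1583.604, -80),
                 (1550.000, -60), (1602.500, -50)]
# Constructed clutter: a peak exactly at L1 but no IF-spaced comb around it.
CLUTTER_PEAKS = [(1550.0, -60), (1575.42, -75), (1602.5, -50), (1612.5, -65)]

if __name__ == "__main__":
    print(find_tracker_comb(TRACKER_PEAKS))
    print(find_tracker_comb(CLUTTER_PEAKS))
```

In practice the peak list would come from a peak detector run over the averaged spectrum captured with the near-field probe.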

Covert GPS Tracker Detection with a HackRF and Near Field Probe
GPSBuster Field Prototype

Scott Manley Explains GPS Jamming & Spoofing and Why & Who is Causing It

In recent years GPS spoofing and jamming have become quite commonplace. Recently popular YouTuber Scott Manley uploaded a video explaining exactly what GPS spoofing and jamming are, along with a bit about who is doing it and why.

In the video Scott explains how aircraft now routinely use GPS as a dominant navigational sensor and how some commercial flights have been suspended due to GPS jamming. Scott explains how ADS-B data can be used to determine the source of GPS jamming (via gpsjam.org) and shows hotspots stemming from Russia. He goes on to show how drone shows have also failed in China either due to GPS jamming by rival companies or due to Chinese military warship jamming. Scott then explains a bit about GPS and how jamming and spoofing work.

GPS Jamming & Spoofing - How Does It Work, And Who's Doing It?

Gypsum: A Software-Defined GPS Receiver written in Python + A Writeup on How it Was Made

Thank you to RTL-SDR.COM reader Lee, who found a recently released program called "gypsum", which enables an RTL-SDR or HackRF to be used as a GPS receiver when combined with a GPS antenna. Phillip Tennen, the author of Gypsum, notes that Gypsum can obtain a fix within 60 seconds from a cold start and that it has no dependencies apart from numpy. We want to note that it appears that Gypsum has no live decoding ability yet, as it works from pre-recorded GNU Radio IQ files.

In the past, we've shown in a tutorial how GPS can be received and decoded with GNSS-SDRLIB and RTKLIB on Windows. The new Gypsum software should work on Linux and MacOS too.

What's more, Phillip has written an incredible 4-part writeup on how Gypsum was implemented from scratch. In the write-up, Phillip introduces GPS and explains how it can even work with such weak signals that appear below the thermal noise floor. He then goes on to explain how the detected signal is decoded and turned into positional information, and how challenging it was to propagate the accurate timing information that calculating a solution requires. The write-up is presented with clear visualizations to help readers intuitively gain an understanding of the advanced concepts involved.

Gypsum GPS Satellite Tracking Dashboard GUI

DragonOS: Running GNSS-SDR and Obtaining a GPS Position with an RTL-SDR and Patch Antenna

Over on his YouTube channel, Aaron, who created and maintains the DragonOS SDR Linux distribution, has uploaded a video demonstrating how to use the GNSS-SDR software together with an RTL-SDR and patch antenna to obtain a live GPS position.

Previously we had only seen a Windows method involving GNSS-SDRLIB and RTKNAVI working, as GNSS-SDR on Linux seemed impossible to get running. However, Aaron managed to find a working RTL-SDR configuration for GNSS-SDR which made it come alive. This is great, as GNSS-SDR should now be able to run on a portable single board computer like a Raspberry Pi.

The video is a tutorial that shows how to install all the required dependencies, how to compile GNSS-SDR, how to configure it for an RTL-SDR, and how to use it with our RTL-SDR Blog L-band patch antenna.

DragonOS FocalX Setup GNSS-SDR and Obtain GPS Position w/ RTLSDR (Patch Antenna, WarDragon)

Receiving Unintentional Voice Transmissions from GPS Satellites

Over on dereksgc's YouTube channel we've discovered a few more recent interesting videos from his satellite decoding series that people may be interested in. One from two weeks ago shows how it's possible to receive voice transmissions on navigation satellites such as GPS.

Many navigational and meteorological satellites carry a search and rescue (SAR) repeater which is intended to receive UHF emergency locator beacons and rebroadcast them in the L-band or higher. However the repeaters appear to be picking up all sorts of other signals from the ground, including voice transmissions. Dereksgc notes that the theory is that there are some land based communications systems in some countries that are sharing frequencies that emergency locator beacons use, or that malicious pirates may be actively using these SAR repeaters for their own communications.

Dereksgc shows examples of retransmitted signals on the Beidou, GLONASS and Elektro-L satellite downlinks at 1.5442 GHz and at 2.226 MHz for the GPS satellites. He also shows what sort of satellite dish and feed setup you need. In the video he uses a HackRF as the SDR, but you could also use an RTL-SDR for the satellites that transmit at 1.5442 GHz.

Receiving voice transmissions from GPS satellites || Satellite reception pt.10

Mapping GPS/GNSS Interference Through ADS-B Data

Websites like adsbexchange.com log ADS-B aircraft tracking data from contributors located all over the world and aggregate it all onto a single map. Typically an RTL-SDR is the receiver of choice for contributors receiving ADS-B signals. One piece of data that is recorded with each packet is GPS/GNSS accuracy.

Over on Twitter John Wiseman @lemonodor has been using the aggregated ADS-B data provided by adsbexchange to highlight regions where ADS-B GPS inaccuracies are significant. This may allow us to use crowd sourced data to detect regions of GPS interference or jamming. In one of his latest findings he noted extreme GPS inaccuracy around the Baltic regions (Poland, Lithuania, Latvia, Kaliningrad).

As John and others reported in subsequent Tweets, this GPS interference was noticed by others too, with some flights needing to be cancelled or needing to return during their journey, and a NOTAM warning being issued to pilots regarding the interference. Reuters also reported on the GPS disturbance a few days later.

NOTAM: GPS INTERFERENCE DETECTED IN THE EASTERN PARTS OF HELSINKI FIR. AFFECTED AREA SECTOR N, SFC-FL200

It is well known that Russia routinely utilizes GPS spoofing or jamming around Kremlin landmarks, sensitive areas and during military operations. However, others noted that NATO exercises in the Baltic could also be the cause.

To further add to this story, the satellite intelligence operator Hawkeye 360 also recently detected significant GPS interference within or around Ukraine.

Hawkeye360 Detects GPS Interference near or within Ukraine.

Nils Reviews our RTL-SDR Blog L-Band Active Patch Antenna

Over on his blog Nils Schiffhauer (DK8OK) has recently uploaded a review of our RTL-SDR Blog Active L-Band Patch Antenna (original site is down - archive.org link). This is a satellite patch antenna designed for experimenters who want to receive Inmarsat, Iridium, GPS and other GNSS signals. It covers 1525 - 1660 MHz. (Please note it does not cover GOES or other L-band weather satellites as these are much weaker signals that require a dish). The antenna comes as a set with mounting hardware and extension cable and can be purchased on our store for $49.95 including free worldwide shipping to most countries.

In his review Nils tests the patch antenna with his wideband BladeRF software defined radio showing a wide 60 MHz of bandwidth being received. He then goes on to show it being used to receive AERO, via the JAERO decoder, and STD-C via the Tekmanoid decoder.

We want to take this opportunity to pre-announce that due to rising shipping costs the price of this antenna set will be going up by $10 in early 2022. Before the price rise we will put out another post, but if you are interested in one we'd recommend picking one up soon.

Nils tests the water resistance of the antenna.

SignalsEverywhere tests our RTL-SDR Blog Active L-Band Patch Antenna

Sarah from the SignalsEverywhere YouTube channel is back this week with a video review and demonstration of our RTL-SDR Blog Active L-Band patch antenna, which is designed for receiving Inmarsat and Iridium satellites between 1525 - 1660 MHz with an RTL-SDR or other bias tee capable SDR.

In the video Sarah demonstrates the patch antenna in action running in SDR++, discusses some of the features and compares it against another patch antenna. She goes on to briefly show JAERO receiving and decoding an 8400bps AERO voice channel.

If you're interested, this antenna has also been reviewed by Frugal Radio, Tech Minds, and Mike from SDRplay.

The patch is currently in stock in our store for $49.95 shipped worldwide, or on Amazon USA for US customers. We note that previous problems (as explained in our earlier post) with cracks in the plastic in the latest batch with grey enclosures have been resolved now, and units shipping now are without defect.

What can you do with this antenna?

The Best L Band Antenna for The Money PERIOD