[Hackrf-dev] Current, reasonably priced external clock?

Ulf Bertilsson ulf.daniel.bertilsson at gmail.com
Tue Nov 8 09:04:12 EST 2016


I'm mostly active on Twitter under the handle @uber_security if you want to share experience. I have several related posts using gpssim.

Here are some suggestions.

Make a small Faraday cage that fits the HackRF unit and a GPS unit.

Use hackrf_transfer at, say, 443 MHz (a safe band) and send gpssim at that frequency.

Use an RTL-SDR or similar unit and verify that _no_ signal gets out of the cage.

Then test at the GPS frequency, keeping things somewhat safe.

Try viewing TX as a loaded weapon; having good routines is healthy.

I.e., I never have the antenna connected while setting up SW etc.

Note the legal aspect of jamming.

Might I ask you to try something simpler, like say a jam/replay attack towards car keys?

Very useful learning before aiming at critical infrastructure ;-)

Your way seems to be "glitch it" and see what happens, rather than the moral/legal stuff. How are you going to measure/note results?

Find a forum/env to share ideas in, at least before you try :-)

Don't let me moral you down tho.

Sent from my iPhone
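The containment check Ulf describes (transmit at a safe test frequency inside the cage, then confirm from outside with an RTL-SDR that nothing gets out), as an added example in Python that is not code from the thread or from any of its posters; it assumes rtl_power CSV output, a constructed two-row sample, and an assumed 10 dB margin above the scan's median level.

```python
# Added example (not from the thread): verify the cage test Ulf describes.
# Scan from OUTSIDE the cage with an RTL-SDR while the transmitter inside
# runs at the test frequency, e.g.  rtl_power -f 440M:446M:1M -i 10 leak.csv
# then flag any scan row whose bin at the test frequency rises more than
# MARGIN_DB above the median level of that row (taken as the noise floor).
import csv
import statistics
from io import StringIO

TEST_FREQ_HZ = 443_000_000   # test frequency taken from the thread
MARGIN_DB = 10.0             # assumed threshold; set it from your own noise floor

# Constructed sample rtl_power output, 440-446 MHz in six 1 MHz bins.
# Columns: date, time, hz_low, hz_high, hz_step, samples, then one dB value per bin.
# Row 1 shows a leak in the 443 MHz bin; row 2 is clean.
SAMPLE_CSV = """\
2016-11-08, 09:00:00, 440000000, 446000000, 1000000.00, 64, -42.1, -41.8, -42.3, -12.4, -41.9, -42.0
2016-11-08, 09:00:10, 440000000, 446000000, 1000000.00, 64, -42.0, -41.7, -42.2, -41.5, -42.1, -41.9
"""

def parse_rtl_power(text):
    """Yield (hz_low, hz_step, [dB per bin]) for each rtl_power CSV row."""
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if len(row) < 7:
            continue
        yield float(row[2]), float(row[4]), [float(v) for v in row[6:]]

def leak_report(text, test_freq_hz=TEST_FREQ_HZ, margin_db=MARGIN_DB):
    """Return (row, bin_db, floor_db, leaked) per scan row covering the test frequency."""
    report = []
    for i, (hz_low, hz_step, bins) in enumerate(parse_rtl_power(text)):
        idx = int((test_freq_hz - hz_low) // hz_step)
        if not 0 <= idx < len(bins):
            continue                      # this row does not cover the test frequency
        floor_db = statistics.median(bins)
        report.append((i, bins[idx], floor_db, bins[idx] - floor_db > margin_db))
    return report

def cage_is_tight(text, **kw):
    """True only if no scan row shows the test frequency above the floor."""
    return not any(leaked for _, _, _, leaked in leak_report(text, **kw))

if __name__ == "__main__":
    for i, bin_db, floor_db, leaked in leak_report(SAMPLE_CSV):
        print(f"scan {i}: {bin_db:.1f} dB vs floor {floor_db:.1f} dB -> {'LEAK' if leaked else 'ok'}")
    print("cage tight:", cage_is_tight(SAMPLE_CSV))
```

Run it over a real capture taken with the receiver outside the cage and the transmitter inside; the cage only passes when every row reports ok.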

> On 8 Nov 2016 at 14:02, Mark Lachniet <mark at lachniet.com> wrote:
> 
> Thank you Ulf and Adam for taking pity on me and giving me so much actionable advice.  I'll give the Kalibrate / PPM adjustment ideas a whirl.
> 
> Geesh, those attenuators are expensive at $45 ea.  In the meantime I'll use the crappiest antenna I can find (or none?) and make sure the amp is turned off to minimize the chance of an airplane falling on my head.  Or maybe my wife will FINALLY agree to let me Faraday the basement.  I must have enough old tinfoil helmets around to do that by now :)
> To get around the cell tower triangulation and crowd-sourced hotspots, even I wouldn't be so bold as to try to jam them, but I do wonder what would happen to navigation systems if there were an overwhelming number of hotspots and towers appearing that it couldn't figure out.  Like flooding an old switch with too many MAC addresses, maybe it would just give up on those 2 crutches and revert to the spoofed signal?  Or possibly try to find hotspots that geolocate to your supposed location and replay those to give it supplemental false proof?  Might be worth trying, though the results would probably vary by implementation.  Might be an interesting test of various code.  Who knows, might find something interesting security-wise.
> -Mark
> 
>> On 11/8/2016 6:57 AM, Ulf Bertilsson wrote:
>> I use a patched hackrf_transfer that supports ppm correction.
>> 
>> Works just fine with gps spoofing.
>> 
>> Sent from my iPhone
>> 
>> On 7 Nov 2016 at 23:14, Adam Blanquart <ablanquart at gmail.com> wrote:
>> 
>>> Mark,
>>> 
>>> The best ones you can find for a low price are, ironically, ones that are synchronized via GPS.  Of course, if you're working on spoofing GPS - that's not going to help.  The good news is that the HackRF can actually be calibrated via software to increase the accuracy enough to fool _most_ GPS devices.  Check out Wang Kang's "kalibrate" for HackRF, it should help you get up and running.  Again, this will work for most GPS devices; phones can be a bit trickier since they also use triangulation and crowd-sourced Wifi mapping to establish location.  
>>> 
>>> If the software doesn't work out for you - the cheapest way is to attach a more accurate TCXO directly to your HackRF.  Check out Takuji Ebinuma's TCXO modification - it's a part of his gps-sdr-sim project, which you can use for the actual spoofing.  I've made this modification to my hackRF and it works great!  I do have a portapack, however, and had to solder directly to the bottom of the board.  It still fits in the case :)
>>> 
>>> As you are probably already aware, you need to be VERY careful when spoofing GPS, whitehat or not.  It's become such an integral part of our lives that messing with it can have serious consequences.  I use a small antenna (linked below) along with a 20dB attenuator.
>>> 
>>> - Adam Blanquart (overflow)
>>> 
>>> Kalibrate for hackRF
>>> https://github.com/scateu/kalibrate-hackrf
>>> 
>>> gps-sdr-sim
>>> https://github.com/osqzss/gps-sdr-sim
>>> 
>>> TCXO mod
>>> https://github.com/osqzss/gps-sdr-sim/commit/d8eab7ede71168d131f3803d84d9bf8dbb34f4df
>>> 
>>> Antenna
>>> http://www.digikey.com/product-search/en?keywords=TS.07.0113
>>> 
>>> In-Line 20dB Attenuator:
>>> http://www.digikey.com/product-search/en/rf-if-and-rfid/attenuators/3539493?k=H12150-ND
>>> 
>>> That should get you going in the right direction (no pun intended).  I got into the SDR world because I was interested in GPS spoofing, so if you have any other questions, feel free to give me a shout...
>>> 
>>> 
>>> 
>>>> On Mon, Nov 7, 2016 at 11:00 AM, Mark Lachniet <mark at lachniet.com> wrote:
>>>> Who knew it would be so obscure.  I guess everyone is using nice desktop sized clock signal generators?
>>>> 
>>>> I really want one that will run on 12v DC current if possible.  Potentially to make a HackRF/Pineapple/TCXO clock combo that could run on the 12v of a car after I stuff it in the dashboard out of sight.  Maybe even with a cell phone/CAM+OBDii add-on for remotely fiddling with car telemetry.  It would be hilarious to prank someone so their car shuts down whenever they get near the local police department and then have their in-car GPS tell them they were at Starbucks or something.  (white hat PoC of course, no I would never actually do this to anyone in production except maybe myself in an empty parking lot for yucks)
>>>> 
>>>> -Mark
>>>> 
>>>>> On 11/7/2016 12:10 PM, Kevin Maxson wrote:
>>>>> I bought two of them. Neither worked. The seller didn't speak much English, couldn't give me specs, couldn't tell me a pin out. They offered to refund $8 of my $35.
>>>>> 
>>>>> You want them? All yours.
>>>>> 
>>>>> ./kevin
>>>>> 📱
>>>>> 
>>>>> On Nov 7, 2016, at 10:58 AM, justin.broos <justin.broos at gmail.com> wrote:
>>>>> 
>>>>>> eBay and Amazon have one that ultimately ships from some Chinese manufacturer off of aliexpress / alibaba.  The plug-in module is $20 iirc.  The description claims to output a 1ppm 10 MHz source but no info about the TCXO is listed so who knows; I have equipment at work that could measure but don't have the knowledge of setting it up.  If you do opt for this route, it would be interesting to know if the module works as advertised as I'm still on the fence to buy it.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Sent from my T-Mobile 4G LTE Device
>>>>>> 
>>>>>> -------- Original message --------
>>>>>> From: Mark Lachniet <mark at lachniet.com>
>>>>>> Date: 11/3/16 13:04 (GMT-07:00)
>>>>>> To: hackrf-dev at greatscottgadgets.com
>>>>>> Subject: [Hackrf-dev] Current, reasonably priced external clock?
>>>>>> 
>>>>>> Hello all, my apologies for asking a question that I know has been asked 
>>>>>> in months past, but it has been long enough that there might be new 
>>>>>> options, and some of the previous answers seemed more towards 
>>>>>> development than plug-n-play.
>>>>>> 
>>>>>> I'm very new to SDR (and radio in general) and just learning the ropes.  
>>>>>> I was trying to do a PoC on the GPS spoofing using my HackRF and had 
>>>>>> limited success.  I got my Nuvi to lock in randomly a little bit but no 
>>>>>> real love.  I read that another person needed the external clock in 
>>>>>> order to get good results.  I'd like to buy a simple and inexpensive one 
>>>>>> that is fairly plug-n-play.  Can anyone recommend a specific model and 
>>>>>> vendor to purchase from that doesn't require such tasks as soldering?
>>>>>> 
>>>>>> I've got a nice long list of other questions but as I'm new and ignorant 
>>>>>> I'll hold onto those for a while on the off chance I can figure them out 
>>>>>> and appear less needy in the long run :)
>>>>>> 
>>>>>> Thank you for your time and consideration,
>>>>>> Mark
>>>>>> 
>>>>>> _______________________________________________
>>>>>> HackRF-dev mailing list
>>>>>> HackRF-dev at greatscottgadgets.com
>>>>>> https://pairlist9.pair.net/mailman/listinfo/hackrf-dev
>>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> ADAM BLANQUART | ablanquart at gmail.com | 
>> 
> 