Hacker News new | ask | show | jobs
by makomk 4705 days ago
Traditionally, I believe receivers had to lock onto the civilian GPS signal before even trying to lock the encrypted military GPS.

Besides, encryption doesn't stop you from receiving the existing signal and repeating it with a well-tuned delay, which is all you really need to do to fake GPS...
2 comments
VLM 4705 days ago
"I believe receivers had to lock onto the civilian GPS signal before even trying to lock the encrypted military GPS."

That's the old fashioned P(Y) code that they dumped because it sucked and went to the M code that doesn't need P(C) first.

P(Y) code sucked because aside from needing to sync to P(C) first, they fed in the encryption stream at a varying, yet slow enough rate that you essentially got dozens of "known plaintext" packets reporting the same position using the same code. So if you could sync up to the W feed rate, even if you couldn't figure out what it said, you could get a better position after gathering enough data. Then again, for something like a cruise missile while in flight, taking 15 minutes while stationary isn't really all that useful.

The whole design of GPS is an interesting window into tradeoffs between accuracy and time as seen in the 70s. Given enough time you can always average something stationary to ridiculous precision. However the whole thing was designed so strategic weapons in motion couldn't average enough measurements in time to be useful at a strategic weapon level unless you had the .mil keys...

The wikipedia article is kinda interesting.

I currently/used to do stuff in the ham radio microwave bands kinda bracketing the GPS signal, one of those "infinite spare time" projects to program a FPGA to decode my own GPS. Why? Because I can. Right up there with making my own ADS-B receiver which is actually a lot easier on the digital side and about the same level of difficulty on the RF side, more or less.

link
shabble 4705 days ago
Have you seen the "Homemade GPS Receiver" project?[1]

I imagine it'd be a whole lot easier if you already have gear to receive and sample the RF side, but still an interesting challenge.

Don't forget to implement CoCom restrictions :)

[1] http://www.holmea.demon.co.uk/GPS/Main.htm

link
VLM 4705 days ago
Yeah that project is right at, or perhaps very slightly beyond, my abilities at this time. Which is what makes it such a good project!

My favorite part of this implementation is it shows the cutting edge of modern FPGA development style, where you have soft cores and smart peripherals and the boundary is extremely fluid and blurry between them. Is that in the softcore or "discrete" logic in the FPGA? Well it depends which version of the bitstream you load into the FPGA... In the future this is how all microcontroller and video card and motherboard and such development will be done... you want a different ratio of shaders to anti-aliasing tech, or a new "hardware" supported codec, well just upload a different bitstream... May as well get used to the future of hardware development now rather than waiting.

link
jevinskie 4705 days ago
I wanted to make a GPS simulator for testing my high altitude balloon's receiver to make sure it works over 15km altitude, or whatever the limit usually is. I think I gave up when I couldn't figure out how I would build the RF side. I think I got the CA PRNG code working. =)

https://github.com/jevinskie/jevps/blob/master/ca.py

Edit: I think I remember the issue. I started out thinking I just had to create a signal at 1.023 MHz, easy to do with an FPGA right? But then I realized that I would need to generate a much higher frequency signal so I could phase shift the different satellite's CA codes before adding them together. Am I correct in my thinking?

link
VLM 4705 days ago
So.. if you can squirt out that C/A stream from your python code at 1.023 megabits/sec all you really are asking for is a COTS BPSK modulator (minicircuits ZFAS-2000?) and a COTS L1 signal around 1.5 GHz to drive the mod.

I have built N5AC microwave synth kits and I did not find it hard, but I've been doing this stuff since the 80s, so... I believe you can buy a COTS ApolLO-I board for your L1 signal. I donno if 1575.50 would be close enough. The smaller the .. forget the name but it boils down to the "tuning step" ... the worse the phase noise. So generating an exact 1575.42 will have MUCH ickier phase noise possibly impacting the PSK data itself. So is it better to have a noisy signal or be somewhat off frequency? I donno. COTS it'll probably have the VFO tuned to be "ideal" for ham radio guys around 1152 MHz but you'll want it a little higher, which it can do with a different smd 0204 sized inductor, but its going to take some soldering not just literally COTS.

There's more than one way to skin a cat and there's certainly a zillion ways to generate a stable-ish microwave signal. For that matter a BPSK mod is not exactly exotic material, but if there's a containerized COTS model for $65 its hard to find the motivation to hack up my own. Maybe you could trade time for money and build one out of 10 cents of junk parts, but it'll take time and gear to align and tune just right.

Note signal levels... You probably can't feed any ole LO directly into any ole modulator and expect the power levels to magically match up. And the levels the mod wants are probably not the levels of "whatever" your P/N code generator is outputing.

Do testing in a shielded cage to avoid an unfortunate appearance on the TV news.

Don't forget that you've just built a C/A generator but without a nav code (at like all of 50 bps, so slow even an arduino could do it...) all you're going to do is confuse the heck out of a RX.... I think... Which might be interesting to watch all in itself. The wikipedia article is hilarious because its kinda disinfo. As if you need to wander around asking weird questions like where to buy a "modulo 2 adder"... umm hint thats a pretty basic logic gate but if you can't figure that out, well... as if an actual devoted adversary would be slowed down by kinda intentionally weird terminology.

I think a harder problem that generating "a" more or less valid C/A stream and "a" more or less valid nav message, is generating them with actual reasonable real world data to simulate being over 15 km altitude or whatever, and them scale it up to do at least 4 of those signals at once.

Probably an interesting noob-level RX countermeasure would be you need at least 4 to get a fix, so lazy people are just going to generate 4, probably in idea geometry with weird unlikely visibility (like the four you hear are all over the sky but just bad luck you can't see another eight, yeah right) Another one would be watching signal strengths, which will vary "twinkle like stars" for real satellites but lazy synthesizers will not vary. Finally unless you go GPSDO (OH the IRONY) synth route, the homemade clocks the RX hears will probably be driftier than the real satellites.

link
jevinskie 4705 days ago
Wow, awesome post! I like COTS but I also like soldering and being cheap. =)

I think my main confusion is how do I add the 4 channels together before I spit the signal out to the RF side? If they are all in phase, would it weird out the receiver because you're not going to see that in the real world? Would I have to have 4 output levels corresponding to how many channels are outputting a high level (1) during that chip/clock cycle? If them being in phase freaks out the receiver, maybe I could output the signal at 4.092 MHz and phase shift each channel by 1/4 chip/clock cycle? I was CompE so my RF/signal skills are almost zilch. =)

Good point about the cage, with the crazy low power of GPS signals, it is probably a lot easier to cause interference than with other signals.

And yes, "modulo 2 adder" is a bit verbose! =P

link
VLM 4704 days ago
They're not going to be in phase. Note that if phase relationship is important, at those frequencies cable length being identical is rather important. But its not relevant to this problem.

One big confusion in the electrical world is people use the same noun for audio "mixers" which are as linear as possible, and RF "mixers" which are as non-linear as possible. They do different things. linear mixers you could say superimpose signals without changing them. Much like pumping up the gain on a CD should not distort the sound on a mic at a "DJ" mixer. nonlinear mixers add and subtract signal frequencies from each other and what came in shouldn't come out at all. in fact a BPSK mod is a kind of balanced mixer, with peculiar TTL compatible (or 3.3v or whatever) levels of course.

You want a 4-port combiner. Most passives have a reciprocal path, a 4-port splitter usually makes a decent 4-port combiner. Think of the gadget that probably splits you cable TV signal in your house. They're electrically and mechanically simple. And relatively cheap. Also they are somewhat lossy. Good luck passively splitting a signal 4 ways with less than 6 dB of loss. And something is warming the resistors in there, so its going to be worse. Conversely yes you combine multiple signals there will be internal loss but the aggregate output will be higher. This is kind of the whole point of a class B or class AB amplifier... what if you took two perfectly good signals, 180 degrees out of phase, and (sorta) mixed them (using baluns), well you get very near twice the power out. Think of putting the whole works in a calorimeter... 4 zero dBm sources will heat it up just as fast combined or separate.

Aviation GPS "around 1.5 GHz" works pretty well despite being feet/inches away from a couple watt radar transponder around 1090 MHz or whatever it is exactly for ADS-B. Physically zorching it sounds unlikely. Distortion to the point of un demod ability is however possible. If you generate enough signal to overload it, attenuators are cheap. High power is expensive. If you're screwing around at "workbench range" you're not going to pay $XXX to generate multiple watts of power so you're not going to need multiple watt rated attenuators to reduce the sig level to something reasonable. Cost scales WAY beyond quadratically, like exponential at microwave freqs for a given tech type. Stuff working around a hundredth of a watt aka 10 dBm is going to be very cheap compared to stuff rated for old fashioned weather radars at kilowatts.

My suggestion is make what amounts to exactly one working satellite. Then make three more.

I don't think you can feed all four digital signals into the same BPSK mod by doing weird things with the clock rate, modulation does not work that way.

What you're building is vaguely reminiscent of a cable TV headend. Both in block diagram and actual wiring. Of course its been a long time since BPSK was cutting edge in CATV. If you think of BPSK as no amplitude modulation and either 180 or 0 degree phase modulation depending on 0 or 1 being input, well, a 256QAM signal is just 16 equally spaced levels of amplitude modulation and 16 equally spaced levels of phase modulation, sorta kinda a grown up cousin of the BPSK modulation in GPS signals. And 256QAM is sort of cutting edge for CATV. Anyway you could do worse than looking at a wiring diagram of a CATV headend WRT mods and digital sources and combiners and such.

Find your local ham radio VHF/UHF microwave club / community. Don't bother with the 160meter low band guys (well, not for this particular individual project, I mean) By the time you're done you'll know quite a bit about RF and might gain a new interesting hobby. Reading several "microwave handbook/project" ham radio books at the library would probably be as good a place to start as any. You could do worse than some chapters of the ARRL handbook to start.

Analog is fun. People will tell you the world is digital, but even their digital ckts are fundamentally analog. And if analog is fun, RF is just magic. A craft not a science at the higher levels.

link
stanfordkid 4705 days ago
Well that would only work if they are using the most simplistic encryption on the planet (i.e an XOR cipher or something like that). In general replaying the same data through an encryption algorithm should not result in the same encrypted result being generated. Thus if you were to replay the existing signal it should decrypt to nonsense.
link
VLM 4705 days ago
You've sort of described kind of how some auth systems work around MITM by having a bidirectional conversation with salt while sharing a the same clock and talking about timestamps during their bidirectional conversations. That doesn't work very well in a broadcast environment where your only source of timestamps is the MITM and technology exists such that the MITM sounds just as good, but louder, than the genuine other guy.

You'd be surprised how many people think GPS is a bidirectional protocol like DME/TACAN or an aircraft radar transponder. Its actually a heck of a lot more like the old fashioned TRANSIT sats or VOR or LORAN or OMEGA, with a thin smear of spread spectrum on top to reduce the impact of simplistic jamming and it sends more metadata on top of the nav data than pretty much anything ever invented.

link
shabble 4705 days ago
Speaking of OMEGA, there's a Navy training film from 1969 on Youtube[1] which explains some of the theory and is helpful in understanding where GPS came from.

[1] https://www.youtube.com/watch?v=7mFAemn1pSw

link
jevinskie 4704 days ago
Wow, that is a really elegant, quite low-tech way of positioning!
link
jevinskie 4705 days ago
The parent isn't talking about MITMing the signal to modify it, just to delay/buffer it. No need to decrypt/encrypt. If you could delay the signals from different satellites by different amounts, would that not also change the position?
link