Gotta Catch ‘Em All! – WORLDWIDE! (or how to spoof GPS to cheat at Pokémon GO)

The moment when your team leader asks you to cheat at Pokémon GO… everyone knows it, right? No? Well, I do 😉

[Image: GPS Spoofing Setup]

As I’m not a gamer, the technical part was of much more interest – that’s the real gaming for me.
So, challenge accepted!

In the past I was often fiddling around with SDR (Software Defined Radio), having started with DVB-T sticks some years ago. When I came to ERNW in 2014 I got in touch with Michael Ossmann’s great HackRF One for the first time, and subsequently my thesis was based on SDR.

WARNING: In most countries transmitting on these frequencies is prohibited by law! As the satellites’ GPS signals are very weak when received on earth, signals transmitted with the HackRF will be very strong in comparison – use attenuators and/or shielding boxes, as the GPS receivers of navigation systems are very sensitive! Don’t abuse this knowledge, it’s just a proof of concept!

Okay, now that you’ve all read and understood this, back to our technical topic!

Short summary? It’s easy. Pretty easy.
I already knew that some tool had been in the wild since last year. After asking uncle Google, I came across “GPS-SDR-SIM” by Takuji Ebinuma and, to be honest, I didn’t expect a working tool. Way off the mark! The tool compiled quite well on my machine and really works like a charm. You just have to follow the instructions in the readme to make it work.
By setting up the HackRF in transmit mode, I initially “jammed” the whole GPS L1 band. I used a few phones running Android to check the GPS signal with a GPS test app. Before transmitting, I received a few satellites in my lab; when the transmission was started, the phones lost every satellite’s signal.
I had already reckoned with this, as the HackRF’s internal clock (~30 ppm) is far too imprecise. It simply isn’t as accurate as GPS requires, which is why the HackRF acted as a jammer here instead of faking satellites.
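To make the ppm argument concrete, here is a small added example (not code from the original post or from GPS-SDR-SIM) that converts a clock error in ppm into the absolute carrier error it causes at GPS L1, and that shows why a ppm figure measured on a completely different carrier (as kalibrate does on a GSM FCCH burst) carries over to L1. The ±10 kHz acquisition search window, the 1 ppm and 2.5 ppm TCXO grades and the 2850 Hz @ 950 MHz measurement are assumptions/constructed values, labelled as such in the code:

```python
# Added example (not from the original post or GPS-SDR-SIM): why a ~30 ppm clock
# error turns a GPS signal simulator into a jammer, and why a ppm figure measured
# on one carrier (e.g. a GSM FCCH burst) carries over to GPS L1.

GPS_L1_HZ = 1_575_420_000.0      # GPS L1 carrier frequency (1575.42 MHz)
CA_CHIP_RATE_HZ = 1_023_000.0    # C/A code chipping rate

# Assumption: a typical receiver searches roughly +/-10 kHz around L1 during
# cold-start acquisition (satellite Doppler plus its own clock uncertainty).
ACQ_SEARCH_WINDOW_HZ = 10_000.0


def ppm_from_offset(carrier_hz: float, measured_offset_hz: float) -> float:
    """Convert an absolute frequency error measured on one carrier into ppm.

    This is the conversion a kalibrate-style measurement relies on: the error is
    a ratio of the carrier, so the ppm value is independent of which carrier
    it was measured on.
    """
    return measured_offset_hz / carrier_hz * 1e6


def offset_at(carrier_hz: float, ppm: float) -> float:
    """Absolute frequency error in Hz that a ppm clock error causes at carrier_hz."""
    return carrier_hz * ppm * 1e-6


def classify_clock(ppm: float, window_hz: float = ACQ_SEARCH_WINDOW_HZ) -> dict:
    """Carrier and code-rate error at L1 for a given clock error, plus whether the
    carrier error still falls inside the assumed receiver search window.

    Outside the window the receiver cannot correlate with the simulated
    satellites at all and only sees a strong wideband signal, i.e. a jammer.
    """
    carrier_err = offset_at(GPS_L1_HZ, ppm)
    code_err = offset_at(CA_CHIP_RATE_HZ, ppm)   # chips per second of drift
    return {
        "ppm": ppm,
        "l1_offset_hz": carrier_err,
        "code_rate_offset_hz": code_err,
        "within_search_window": abs(carrier_err) <= window_hz,
    }


if __name__ == "__main__":
    # Assumed clock sources: HackRF internal (~30 ppm, as stated in the post) and
    # the 2.5 ppm / 1 ppm TCXO grades mentioned in the post.
    for name, ppm in [("HackRF internal", 30.0), ("TCXO 2.5 ppm", 2.5), ("TCXO 1 ppm", 1.0)]:
        r = classify_clock(ppm)
        verdict = "receiver can acquire" if r["within_search_window"] else "outside search window (acts as a jammer)"
        print(f"{name:16s} -> L1 offset {r['l1_offset_hz']:9.1f} Hz, {verdict}")

    # Constructed kalibrate-style measurement: +2850 Hz error on a 950 MHz GSM carrier.
    est_ppm = ppm_from_offset(950e6, 2850.0)
    print(f"constructed FCCH offset 2850 Hz @ 950 MHz -> {est_ppm:.2f} ppm "
          f"-> {offset_at(GPS_L1_HZ, est_ppm):.1f} Hz at L1")
```

With the figures above, the uncalibrated HackRF lands about 47 kHz away from L1, well outside the assumed search window, while both TCXO grades stay within a few kHz. The same ratio logic is what makes a ppm value derived from a GSM carrier usable as a correction for a 1575.42 MHz transmission.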
Now, you’ve got two options:

[Image: GPS Fix]

The first is to use kalibrate-hackrf, which uses the frequency correction channel (FCCH) of the GSM network to calculate an average error in ppm (parts per million). This would be the easiest way. The master branch of HackRF on GitHub currently doesn’t support a ppm correction, but there is already a pull request which adds the option “-C” for the error correction rate. I didn’t give it a try, yet – but I hope this will work for you, guys.
The second option, and also my preferred one, is to use an external clock that is much more precise than the internal one. Mostly this option makes use of a TCXO, a temperature compensated oscillator with a precision of +/- 1 or 2.5 ppm. There are already some parts available in online shops which were designed for the HackRF. If you’re the DIY/hacker type of cheater, you’ll also find some gerbers in GPS-SDR-SIM’s “extclk” folder 😉
As I had no TCXO lying around, I made use of our function generator and set up a 10 MHz square wave signal with 3 Vpp.
Starting the transmission again, the fake satellites immediately came up with a strong signal (you should use attenuators to weaken the signal and also keep in mind local law!). A few minutes later I’ve got a fix on all of my devices.
A hint from my side: This works much better if you disable the A-GPS (Assisted GPS) features of your device. Don’t know what I’m talking about? Either go into flight mode or, in your phone’s location settings, disable the use of the mobile network and WiFi/BT for positioning. While using a GPS app on your phone, you could also delete your A-GPS data if the app supports it.

Now, just start Pokémon GO and see your avatar walking/standing around in the wild.
But…this is boring, isn’t it? Just anywhere…not where you wanted to be?

So, prepare for the next step: Plotting routes.
In the folder called “satgen” in GPS-SDR-SIM there is another application, which can be compiled with the same settings as the main app itself. After compiling, just follow the instructions in the readme file.
Starting the transmission again, you’ll find your avatar walking around on your own route 🙂

That’s it!

Well, to be honest… you can’t stop anywhere 😛 Catching Pokémon isn’t that easy doing it this way 😉 This still needs some code to improve it. Maybe you’ll make your avatar move on your smartphone by hitting the cursor keys on your laptop’s keyboard 😉 But that’s all still up in the air… have fun!

Cheerio,
Stefan

Comments

    1. Here, the standard ANT500 of the HackRF was used. It is not intended for the frequency range GPS uses, so the signal is much weaker. As range was never the aim of this PoC, ANT500 was okay.
