4G GPS Tracker Reverse Engineering - GPS Digital Signal Decoding
Вставка
- Опубліковано 25 чер 2024
- In this video, we take a look at the GPS module of a Chinese 4G GPS tracker.
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity - Наука та технологія
Hello Matt are you intersted in sponsorship?
Thanks for the offer but I won't be doing any sponsorships on this channel. Actually all content is sponsored... by Me 😁😂
@@mattbrwn Oh okay, i know, i've watached your videos. The reason why i got touch with you is that our partner is same as you, which is Zach's Tech Turf, he also has his own shops, but also builds a sponsored ad with us. Anyway, thank you for your reply. Hope we can work together one day!
You’ve got to be one of the most underrated hardware hacking channels. Couple of questions. 1. What got you into hardware hacking 2. What’s the best way to learn?
1. I like Linux and took apart random used electronics and figured out how they work.
2. I suggest the same path as above. Find a device that interests you and try to figure out how it works.
I'll add a 3rd that helped me:
3. Keep reading even if you don't understand it all.
After a while, it'll all come together when you're trying things out. Or you might come across a seemingly insignificant piece of info & you'll shoot off like you been doimg this for years.
And a extrs thought before posting: FAFO ain't just for the negative things. I imagine that's how humans advanced over they millennias.
It's amazing, I would have killed for the functionality of a modern $10 Logic Analyzer 20 years ago.
Now you only need to transfer the NMEA data to the 4G chip and make it send out to your phone, so that the whole tracker would work as advertised and not only by cell tower positions...
Great series so far, thx a lot for showing!
👍👍👍
I wonder why they even bother including the GPS module in the first place if they aren't using it. They could cut the cost quite a bit (and power consumption too) by just not having the GPS module if they aren't even going to use it.
@@jearlblah5169 No idea...maybe it was planned to use it like that and something went wrong with the programming, remember the chip is switchable to what position data is used, GPS or cell tower. They could have placed an order, were delivered with the wrong specs and couldn't return them. So they sold the whole batch to the actual seller, not writing off the cost...
🤷♂
The term commonly used to when talking about the different positioning systems-GPS, Galileo, GLONASS, Beidu, NAVIC, QZSS-is "constellations". As a general term, the industry calls satellite navigation GNSS (Global Navigation Satellite Systems). Technically, "GPS" is only the US Global Position System. You'd say "this GNSS module supports a number of constellations". I find "GNSS" to be a mouthful, and continue to use "GPS" in informal settings.
"Neema" for NEMA is correct.
I'm enjoying this series. I've spent a lot of time reverse engineering the internals of some older Trimble receivers, so it's interesting to see others digging in GPS tech as well.
16:07 lol i love this round about way to get the NMEA messages into your script! when i've messed with these little off the shelf GPS modules, i simply make up a d sub mini cable that i pin for the RS-422 to usb dongle i have (why doesn't 422 have standard pins...) and then i just plug my dongle into my lab PC and then i solder or clip the dsub mini cable to the module and connect them. this lets me use putty to connect directly to the serial traffic. sometimes i will use an arduino to read the serial data too. the 422 dongles can be really expensive, so i've also done it with the classic startech 232 dongle. people don't now how insanely useful startech is lol. when you are using a UART to USB dongle with windows you also open up the massive amounts of code that work with com ports so you can do anything you want very easily using either putty or any software library (i usually go with .NET because i'm lazy).
9600/115200 8N1 are **the** standard today... I haven't seen other parity than none for ages.
Yeah, almost nothing uses a parity bit just like almost nothing uses flow control. They exist in the spec, but no one bothers because the communication is already reliable "enough" for 99% of applications.
@@KNfLrPn flow control was used to stop transmission when buffers were full, that could happen for computers with 1KB of RAM, with modern computers, the buffer is never ever going to get full, even the GPS itself probably has enough RAM so that at 9600 the buffer will never get full, it probably has a CPU in the Mhz scale, as everything else has one.
@@monad_tcp the problem with flow control on the 16550 UART inside every PC made since the the ’80s is that the flow control is on the wrong end of the FIFO. When a device says “stop”, the UART will still drain the 16 byte FIFO out the serial port before it stops transmitting. For device designers, this made flow control very unpredictable, so they would instead design around it.
I remember when doing but bang serial ports with PIC MCUs, the lack of flow control meant I had no choice but to process serial bytes in the few microseconds of spare time I had during the stop bit, before I had to go back to polling for the next start bit.
GN: Combined GNSS position, for example, GPS and GLONASS.
Love the new audio quality. Huge upgrade!
fyi for anyone wondering about the "GN" Id, that means GNSS which the term for all satellite positioning systems. it gets confusing, but GPS often means the american system (also called navstar by old people). GLONASS is the russian one. when people say "GPS" they often mean "GNS" or just any generic position system. That said, the GNS message should always have GN as its ID because only GNSS receivers should be sending that message. different receivers will support different features and may or may not send different NMEA messages. GNS is pretty common though i think for modern all in one modules that include a little antenna and the receiver on one tiny board.
as for the ! for a message start, i've never run into that before. it seems to be specific to AIS and it shows up in some NMEA documentation but not others. most of the documentation i have says the ONLY valid message start is $ with the ONLY valid message end being CRLF. your code should just ignore messages that have invalid characters though.
also if anyone wants to start playing with NMEA messages in software, i highly recommend paying close attention to the "valid" field of any message because some receivers will send seemingly valid data that is actually invalid because tracking has been lost (they may repeat the last known position with and invalid flag set). And then you always, always want to check the checksum field. you can get an error in a message that will change a single character but still be a valid message, and if you don't catch it by using the checksum then you are screwed lol.
Yeah that GN prefix threw me off since it wasn't on the Wikipedia page
I was missing WAAS on that wiki list.
That's the US version of GLONAS, Galileo etc.
@@samuraidriver4x4 WAAS is more like DPGS in that its a terrestrial system that just augments navstar. Off the top of my head, DGPS does have an indicator in NMEA though because its incredibly useful to know if your receiver is using an augmented system or not. its kind of wild how insanely accurate DGPS can get using garbage accuracy GPS from the 90's lol. chances are you won't ever run into DGPS or WAAS receivers doing hobby stuff though because DGPS is kind of dead (and requires a usually extremely expensive fee) and WAAS is only going to show up in very expensive aviation receivers.
that said, it would be pretty wild to see a tracker that uses WAAS along with GNS and everything else (cell, shortwave, etc). those kinds of trackers are usually VERY expensive and require hefty yearly fees, but they also often come with a recovery team who's cost is included. those kinds of trackers usually have 5 to 10 year batteries and get welded into the frame of expensive equipment like huge tractors. there are some really funny youtube videos of recovery teams tracking down receivers
5:15 i worked with this type of GPS stuff for a while, and i heard both "NEE-mah" and "EN-EM-EE-AY". i usually said the letters out (EN EM EE AY) because there is a completely different system called NEMA that covers things like power cord plug shapes. Its pretty standard to see NMEA over either RS-232 or 422 with 1 Hz messages at 9600 baud with no parity bit. i never needed a parity bit because any broken message would result in a bad character in the NMEA message and my code would handle that as a bad NMEA message altogether and it would put the software into a "bad message" state which just threw the message out and waited for the start of the next message.
you can't really use NMEA 1Hz message for nav stuff, but it can still be really useful for a lot of other things. you can make a clock on steroids that uses navstar's messages to find the date and time. i think its actually easier than using the radio clock stuff lol. a lot of off the shelf GPS modules include a 1 ppm signal too which can extremely useful for writing lazy power efficient code
Love your content Matt. Keep up the good work!
uhhh... i have never seen the automation with sigrok cli. That is a nice touch!
Camera video quality and lighting so much better in this one! Also your eye line to the camera is almost perfect. I know how awkward it feels to stare directly into a lens... 😬
Haha thanks! I actually got a camera where I have a preview screen that I can flip around and look at. I just still have the instinct to look at myself in OBS instead... Trying to break it
@@mattbrwn It's so hard. Whenever I'm in work meetings I just stare at my own camera feed unless I tear my eyes away 😂.
Great content, great explanation, so fascinating. Thank you very much.
You are using GPS, from you analyzer I can tell you are on planet earth.
Crap you got me
hell yeah! i been waiting on this one!
GN means it's combining multiple sources, i read that on the german wikipedia entry for NMEA, which for some reason is much more comprehensive than the english version
Great video!
8:00 Behold! The new GTX L76K!
Hey Matt, I love your videos.
I am not sure if this is a big ask, but I was wondering if you could make a brief video about how to make custom router with linux.
Also could you maybe make a video about your test network setup.
Thanks for the videos bro, I always look forward to watching them.
Oh we *know* where your secret laboratory is! We're keeping close watch on you efforts to break free from Big Brother systems...
You'll never take me alive 😂
@@mattbrwn Haha! Keep up the good work, I'm actually learning something!! I've always wanted to build a tracker, with my own firmware so i could control the position sample rate and limit power consumption. I'm good with microcontrollers and C, so it's the GPS chip and power/battery circuits that I'm still learning up.. I'd definitely appreciate hearing about power control for battery-op applications like trackers!
is it using logic analyser an overkill? You could just use usb-ttl/uart converter since the uart physical level protocol is standard here
Even if the logic analyzer is USB2, it's sometimes better to plug it into USB3. Usually the controller chip is a better quality and can handle the higher speeds more reliably.
I have to say you seem to be making this way more complicated than it needs to be - if I was looking at a GPS module the first thing I would do would be to look at the TXD with a scope to try and figure out what the baud rate was, then hook up a USB serial module to capture the data. Using sigrok and writing scripts in Python to capture the data is a bit like using a very large hammer to crack a nut. Especially since the datasheet for the module is available and it suggests t hat the only format the module supports is NMEA.
as a hacker, if you can have a tool that can do it all, you can carry less gear on the field and be ready for the unexpected, as some times datasheets are not available.
Challenge for you for next video, disable GLONASS positioning in that module 😉.
Yeah the docs mention you can do that 😁
looking at the PMTK/PQ proprietary message input next?
Another amazing video, what brand of needle are you using? the arms on mine are horrible and never stay where I place them
Just the stock needles that came with the PCBite probes. Yeah sometimes I also have issues getting them to stay where I want especially under the microscope
I have written a python script that let's me plot different devices that send standard NMEA data on Google maps, along with all the other info you would want. If you get a shell on this thing I'm buying it.
Hey I am watching your series and it really great thanks for all these,
I have a question I am try to learn analysing with a tv decoder I want to get data from where I thought UART but the thing is it has really really tiny holes, where i cant do soldering do you have any experience with these kind of stuff?
Hop over to our discord and drop us a picture of what you are talking about. But they make really small wire and micro soldering pencils for small work like that
@@mattbrwn oh i will thanks
f more than one constellation is in the solution, the NMEA Talker ID is output as GN
Where to buy a replacement battery?
Sir this is a Wendy's
are they sending the data to the UART of the 4G module or did they simply get hit by the chip shortage and just opt to simply not include the MCU making the GPS a pointless battery drain?
What are those flexy opposable arms called?
PCBite probes :)
Will challenge rainbolt to find your location based on the shadow of your window
Why not just use a cheap uart interface instead of a logic analyzer and all the parsing scripts. For the sake of education, nice, practicality, hell no.
I think we now know why the gps module isn't connected to anything in that device - the cell tower is more accurate.
Why not censor the sensitive gps data in post?
I hate video editing.
Are you able to add figures in my bank account?
Lol
So this tracker uses GPS or cellular tracking? Im confused 😅
AFAIK the tracker is cellular because the GPS chip which does track GPS isn't connected to the cellular modem.
@@dfgaJK Yeah that's how I understood it too. Goes beyond me though why they still put the GPS chip on there if they don't use it, but did bother to remove that central processor 🤔 Maybe so they're technically not lying about the device having a GPS sensor...
@@WilcovanBeijnum chip shortage maybe
@@dfgaJK Then what is the point that it is installed there?
Is the manufacturer so stupid?
@@dfgaJKbut not gps chip shortage? KEKW
No gps location for weirdos? 😢
First lol