
GPS tracking device found on an activist's car - SpaceInvader
https://people.torproject.org/~ioerror/skunkworks/forensics/valencia-tracking-device/
======
tomkinstinch
Very few companies produce GPS chips. Most devices that include GPS capability
do not bother to reinvent the wheel, but instead elect to integrate an
existing GPS processing chip. It's unlikely the GPS module is integrated with
the processor core of this thing. Since it is likely separate, it would be fun
to probe the PCB with a logic analyzer to see if there are any exposed serial
(or possibly I2C, SPI) traces relaying the NMEA sentences[1] from the GPS
module to the processor. If so, false locations could presented by severing
the traces and soldering on a synthetic serial (or I2C, SPI) feed at the right
logic level (probably 3.3V), from a microcontroller or computer. The hacked
feed could even read a real-time clock to "play back" a stored path of
locations every day. Attaching an external data feed is likely as simple as
dragging a box cutter over the right traces (data, ground) to disrupt them,
and then soldering on some 30 gauge wire to the same traces (after sanding off
the soldermask and silkscreen). Since most GPS modules output constantly
without any control lines, so there may not even be a control scheme to
reverse engineer.

Note to those designing trackers: if you want to make it difficult, use a
board with internal layers and keep the GPS nets on the interior of the board.
Doesn't make splicing impossible[2], but it would up the difficulty.

1\. [http://aprs.gids.nl/nmea/](http://aprs.gids.nl/nmea/) 2\.
[http://www.circuitrework.com/guides/4-2-6.shtml](http://www.circuitrework.com/guides/4-2-6.shtml)

~~~
markrages
The enterprising hacker could always use a LabSat[1] device to play back a
bogus GPS trace. No physical connection to the board is required.

[1] [http://www.labsat.co.uk](http://www.labsat.co.uk)

~~~
rbanffy
It's so much easier to just keep passing it around to your friends so they can
attach it to as many different cars (or other kinds of vehicle) as possible.

Imagine what your fans in government would think if the logs of your car
included long periods over water or a trip to the stratosphere or a trek
through the woods. Or they decided to find you once you decided to seemingly
leave civilization behind to discover you turned into a bear. An angry bear
with a GPS collar.

~~~
tsotha
I think I'd try to pop it into the wheel well of the nearest police car.

~~~
rbanffy
That would probably give the police enough reason to arrest you. I prefer
feeding a disjoint set of movements made by random people.

~~~
tsotha
Arrest you for what?

The other option would be to find a long-haul truck.

~~~
rbanffy
I'm sure tampering with a police car is illegal and that police forces are
famous for their lack of sense of humour. They won't take this lightly.

~~~
tsotha
This is one of those instances where if you get caught they'll arrest you but
you probably won't get charged. At least where I live, if it went to court
your attorney could spend all kinds of time exploring where it came from,
which is something the government would rather not talk about.

------
ladyada
[http://imgur.com/a/Z1hyd](http://imgur.com/a/Z1hyd) has a few parts labeled

theres a main processor which is way overpowered (the big TQFP part) which is
covered by a plug-in 2G GSM/GPRS modem. You can 'sniff' the modem control
pins, its almost certainly the standard plain 'AT' command set used for these
modems, at 9600 or 57600 baud, 3.3V logic

The plug in module looks a lot like a SIM300 or Spreadtrum 5100b. It probably
had an IMEI sticker that was pulled off. Theres probably a dozen makers of
nearly identical modems during that time period. This one looks fairly old
since its a plug-in type. I'd guess the GSM module is at least 5 yrs old

On the other side is a standard 32-pin NAND flash, you could desolder and then
use a NAND-reader kit (google etc) to suck the data off. its probably just the
GPS coordinates stored between modem data uploads.

SIM holder, some crystals, power circuitry, and a (95% sure) uBlox GPS - the
uBlox have that funny shape and pinout. uBlox have high sensitivity so a good
choice! unclear which generation this us, they're up to Neo-8. You could decap
it to find out.

probably the most fun could be had by first figuring out the RX/TX pins from
the microcontroller to the GSM/GPRS module, then soldering thin wires to that
and listening with a UART TTL cable. Put in a new SIM, wait a few seconds for
the GSM module to get onto the cell network, then quickly faraday it up and
see what website, IP address or phone number the micro is trying to connect
to. ymmv tho, might just be a random drop point.

(theres a bunch of chips with no clear markings, could be motion/accel/gyro or
other sensors - @ioerror if you post up the #s on each chip it'll be easier to
tell! :)

edit: i thought about the huge coin cell battery backup. its a bit odd, quite
large sized! if its well designed, the microcontroller will detect that the
battery has been disconnected, and while on backup coin cell power quickly
erase the NAND flash and microcontroller memory :(

~~~
cyphunk
If the coin battery is used as a RC circuit switch to wipe memory what are the
chances that it has already been wiped? It's been 7 days off power.

The large power drain of the CPU could indicate this off-shelf product is
meant to be installed, rather than attached with battery? Which could indicate
a product as someone else linked to:
[http://www.miniinthebox.com/es/gps-v103b-sms-gprs-gps-
sistem...](http://www.miniinthebox.com/es/gps-v103b-sms-gprs-gps-sistema-de-
seguimiento-de-vehiculo-tracker_p1034847.html)

I'd be curious if any code were installed on the GSM module since many of
these provide jvm's or python interpretors. Then again, what they heck is this
120 pin CPU for.

If the thing still has power it is worth keeping it alive without the SIM.

PS. Azul=Blue Negro=Black Marron=Brown Blanco=White in spanish

------
tacoman
A friend of mine hired someone to gather data on his cheating wife. A device
that looked similar to this was used on her car. $400 for a month of real-time
location data. Maybe this has nothing to do with conference this person was
attending.

~~~
makenova
I agree, there is a company in my city that will hook a device up to the car
battery and place it in a discrete location. They mostly deal with fleet
management but some of their business is from spouses tracking each other.
There a "funny" story about a wife bringing in a vehicle that her husband had
brought in earlier.

~~~
tacoman
A family member works for a large chain of car dealerships. They regularly buy
vehicles at auction. It's not uncommon that they find trackers on the
vehicles. Here's a picture of one he sent me to play with a couple years ago.

The battery pack on the left, and the tracker on the right were in a magnetic
Pelican case attached to the underside of a black Escalade. The sim in the
tracker was from some US MVNO that I didn't recognize.

[https://i.imgur.com/VLzTPt4.jpg](https://i.imgur.com/VLzTPt4.jpg)

------
jrockway
I guess it's a sad world when I breathe a sigh of relief upon seeing that this
didn't take place in the US.

I like how the agency gummed over the chip silkscreens so you can't see what
chips they're using. Even though it's obvious that one is flash, another is a
GPS module, and the third is the micro. And it appears that some scraping will
show you the part numbers anyway. Amateur hour.

~~~
kevin_thibedeau
This has already happened in the US. Pretty galling that the FBI requested one
to be returned:

[http://www.wired.com/2011/11/gps-tracker-times-
two/](http://www.wired.com/2011/11/gps-tracker-times-two/)
[http://www.wired.com/2010/10/fbi-tracking-
device/](http://www.wired.com/2010/10/fbi-tracking-device/)

Would be interesting if they could lift any prints from the tape on this
newest one and publish them. I can't imagine it's easy to apply duct tape with
gloves on.

~~~
alexnking
The first article mentions a Supreme Court case in 2011 to "determine if
authorities can track U.S. citizens with GPS vehicle trackers without a
warrant" \- anyone know what that case was or how it was decided?

~~~
vermontdevil
9-0 unanimous that the police must have a warrant prior to using a GPS vehicle
tracker. The reasonings differ among the justices but the vote was unanimous.

[http://en.wikipedia.org/wiki/United_States_v._Jones_%282012%...](http://en.wikipedia.org/wiki/United_States_v._Jones_%282012%29)

~~~
_delirium
The split in reasons did lead to the fundamental question being sort of
dodged. The majority opinion decided the case on quite narrow grounds: that
the physical installation of the GPS device violated the 4th amendment,
because installing it involved tampering with someone's personal property (the
car) without a warrant. Four justices would have gone further and argued it
would require a warrant to operate such a GPS tracker regardless of how it was
installed, but the majority left that question unanswered.

------
dingaling
During the ' Troubles' in Northern Ireland, chassis inspection mirrors were a
common sight.

These were large convex mirrors mounted horizontally on castors and with a
long handle. They were slid under the car to look for suspicious packages that
may have been attached covertly with malicious intent.

Very quick to use and were widely issued to individuals who might have been at
risk. So it was common to see people using them each morning before heading
off to work ( by a different route each day of course ).

Sounds like there might be a new market for them.... I should have bought a
few hundred when they were being sold as surplus!

~~~
Symbiote
Are they not still needed? Considering the most recent car bomb in Northern
Ireland was in November...

[http://en.wikipedia.org/wiki/Chronology_of_Continuity_Irish_...](http://en.wikipedia.org/wiki/Chronology_of_Continuity_Irish_Republican_Army_actions#2014)

[http://en.wikipedia.org/wiki/Timeline_of_Real_Irish_Republic...](http://en.wikipedia.org/wiki/Timeline_of_Real_Irish_Republican_Army_actions#2014)

~~~
dingaling
I assume they are still in use, but much less obviously than when I was
growing-up and about half the folk on our road had one!

If you go along narrow country roads in NI you can find many of the mirrors
re-purposed in a vertical orientation opposite blind-exits, as they give a
fisheye-type view of the road either side of the junction.

------
cnvogel
I think one of the first things I'd try when finding such a device on my
premises would be to try and login to the self-service portal of the mobile
carrier that issued the SIM card. At least in the case of my phone-service
provider (I'm also located in the EU) this uses the phone number, and a
password which can be requested by SMS...

In the case of my provider, the permission to use the self-service portal
which include the possibility to view/change billing addresses and shows all
the numbers active on a contract, can, of course, be enabled/disabled per
telephone number. But it will be worth a try...

~~~
furyg3
A very good idea. Although someone intelligent enough to rig this up almost
certainly bought a pre-paid SIM with cash.

~~~
angry_octet
Really? It is much more likely that it was bought with an offical police
purchasing department credit card directly from the carrier. For them, it
isn't illegal, and governments control cash pretty tightly.

------
SpaceInvader
Reddit thread:
[https://www.reddit.com/r/gadgets/comments/2y5q5g/help_us_ide...](https://www.reddit.com/r/gadgets/comments/2y5q5g/help_us_identify_this_found_gsmgps_tracking_device/)

------
serf
looks like Private Investigator catalog equipment in the states. Big, clunky,
and built to suit a million different uses. Dev board + sensors + 3g = a
million different reconfigurable spy toys.

Although I hope it's a three-letter agency, because that'd make me a bit less
frightened of them.

Also, I don't know why everyone is up-in-arms about the solder job quality.
Rip apart a Chinese Futaba-knockoff RC transmitter, dash cam, or counterfeit
Lenovo/Apple power-brick for similar quality (and that stuff is _everywhere_
). All that anyone cares about is that it passed the bench test. (who cares if
it burns up later?)

~~~
kh_hk
According to the media article linked on the submission, the activist was
stopped for a "routine search" of the car for more than one hour on the
frontier with France by spanish national police (CNP). One week ago she was
stopped again near the city were this convention took place.

So yeah, even if this is private investigator grade hardware, according to the
info available it would not surprise me if this was either CNP (police) or CNI
(our joke version of the CIA).

~~~
tsotha
Why pay extra if you don't have to? Looks perfectly serviceable to me.

~~~
kh_hk
Was pointing out we should not rule out any government agency just for the
quality of the setup. I find it hard to believe that an activist would be
targeted by a private investigator.

~~~
tsotha
I agree, however "activist" is only part of her identity. This could easily be
a jealous lover.

------
tlrobinson
It would be interesting to figure out where the data is being sent. It could
probably be done in a variety of ways (JTAG? Replace the SIM card and setup a
fake GSM base station? Check your local laws...).

It would be pretty ironic if they routed through Tor...

~~~
eli
It should be relatively easy to pop the SIM card out and use an off the shelf
forensics tool. Those things have like 64kb of storage. At the least you'd get
the phone's number and IMEI.

~~~
tomkinstinch
Not sure forensics tools are needed; getting the phone number and IMEI should
be a Hayes command[1] away. Throw the SIM into something like a Telit GM862
(which runs Python) and you have a full scriptable phone. I played with that
module seven years ago and there are bound to be better ones now.

1\.
[http://en.m.wikipedia.org/wiki/Hayes_command_set](http://en.m.wikipedia.org/wiki/Hayes_command_set)

------
Sanddancer
I'd second a motion for scraping off the big chips to get some part numbers,
to make it easier to get pinouts to hook up probes and other ways to get it to
give up its electronic secrets. Though I am rather unplussed with the
soldering job there, and personally would disavow soldering such a mess. Big
blobs of solder, real crappy joints, and even a few spots that look heat
damaged. More than a bit of me is surprised it even worked in the first place.

------
JoeAltmaier
Uh, any smart phone? Many/most of us are being tracked.

~~~
JshWright
All the more evidence that this was some sort of "PI" or other private party,
not a government agency (on top of the very amateurish construction from
hacked together parts).

~~~
TrevorJ
I thought the same thing.

------
Zigurd
This looks pretty amateur. I'd be asking if there is a specific private sector
company that takes an interest in this activist, and has hired a cheap, shady
private investigator.

The device was probably SMS'ing location data. There might still be log data
in the device that could be extracted via a serial port.

------
callahad
Cool! Free SIM card with data!

~~~
antr
No pin number required?

~~~
seba_dos1
Even if there's PIN on SIM, tracker must be able to unlock it, and given that
GSM module is a pretty common one operated via AT commands over serial line
you can easily get it from there.

------
simcop2387
Based on the way it's laid out and all the unpopulated headers I'm almost
wondering if this is a GSM dev board that someone makes that's paired with a
GPS daughter card they make. It doesn't look quite as purpose built for a
tracking application as I would expect, if it was i'd expect it to be far more
compact and have very few test points and headers for the controller. In fact
I'd expect they'd probably use a smaller controller too to help cut down on
power usage, since they've got the large flash chip they can probably store
all the data and send it in burst rather than keep the GSM modem powered up
all the time which would let it last far longer in the field.

In fact even the soldering for the power wires to the strange battery array
board looks rather amaturish. I'm not sure I'd chalk this up to any agency
that's got much of a budget for this kind of thing. I think it's likely to be
some other activist group that's in disagreement with this one and wants to
dig up dirt (Private Eye maybe?)

Edit: correction, what I thought was a bunch of batteries on a board looks
like it's actually the magnets that held it in place on the car. D'oh. Either
way it still looks odd that it's built like a set of development boards by a
chip manufacturer.

~~~
sliverstorm
I have similar thoughts, it really seems rather like overkill. Either an old
device or not a purpose-built tracker. Very large, and holy cow is that a
TQFP-144? I've built local-storage trackers before with DIP-8 chips. I've not
implemented GSM, but I'd be pretty surprised if a modern GPS+GSM tracker
required this much horsepower.

Not to mention the board layout is pretty good, and because the GPS & GSM are
integrated the layout engineer probably had to know a thing or two about
routing antennas- while as you point out the solder job is quite amateur.

~~~
userbinator
That appears to be a TQFP-120, and there aren't that many MCUs available in
that package; I'm almost willing to bet it's a Renesas/Fujitsu part.

GPS + GSM modules are available (now - maybe not when this thing was designed)
which would shrink the whole tracker down to one module, a few voltage
regulators and related passives, and a battery:

[http://wm.sim.com/producten.aspx?id=1058](http://wm.sim.com/producten.aspx?id=1058)

------
mschuster91
Seriously, these things can be bought COTS in WAY better shape for 35€ (
[http://www.pearl.de/a-PX3490-1511.shtml](http://www.pearl.de/a-PX3490-1511.shtml)
). If you want to hide it, just wrap it in black tape. I wonder who chose to
self-build this thing with cheap-ass kits being available...

~~~
maxerickson
Your link is not based on GPS, is not waterproof, only has 1 week of battery
(if it doesn't transmit any locations).

------
lambeosaurus
I want to write some code that will take these systems and send bogus GPS data
the spells out FUCK YOU.

~~~
psykovsky
Or Dickbutt...

------
pmccall777
They missed a golden opportunity to attach the device to a politician, high
ranking official, or executive's car.

~~~
lotharbot
Or more simply, just throw it in the back of a passing pickup truck (like in
"Short Circuit", when Number 5 realizes he's being tracked by a beacon in his
vehicle. Unfortunately I can't find the clip on youtube.)

~~~
FranOntanaya
Good luck finding a pickup in Valencia, though.

------
nickysielicki
Shouldn't it be possible to open that thing up and see where/who it's
reporting the data to?

------
boklm
An article in Spanish:
[http://www.eldiario.es/turing/vigilancia_y_privacidad/dispos...](http://www.eldiario.es/turing/vigilancia_y_privacidad/dispositivo-
rastreador-pusieron-activista-privacidad_0_363964058.html)

------
icco
Looks different than the FBI one iFixit tore down at least:
[https://www.ifixit.com/Teardown/Tracking+Device+Teardown/525...](https://www.ifixit.com/Teardown/Tracking+Device+Teardown/5250)

------
chinathrow
Any words on the IMEI in use? Maybe some nice folks can then leak some info.

------
skwuent
Forget Tesla, _that_ is what a real hacker's car looks like.

------
unable
Better call Saul

------
throwawayaway
soon these will be built in, a great win for humanity.

~~~
throwawayaway
i guess all the downvotes mean gps transponders won't be built in then!

that's how it works isn't it?

~~~
dingaling
What do you mean by "GPS transponders"?

A transponder replies to an interrogation with a squitter response.

Navstar satellites zip along merrily broadcasting to anyone who will listen (
regardless of the receiver's ability to process the signal ). You as an
intending user don't communicate with them at all.

In the receiver there is no transmission capability related to GPS. Why would
there be? The only uplink to which Navstar sats will listen is that from
Boeing's system control center ( or presumably a spoof thereof ).

