Very few companies produce GPS chips. Most devices that include GPS capability do not bother to reinvent the wheel, but instead elect to integrate an existing GPS processing chip. It's unlikely the GPS module is integrated with the processor core of this thing. Since it is likely separate, it would be fun to probe the PCB with a logic analyzer to see if there are any exposed serial (or possibly I2C, SPI) traces relaying the NMEA sentences[1] from the GPS module to the processor. If so, false locations could presented by severing the traces and soldering on a synthetic serial (or I2C, SPI) feed at the right logic level (probably 3.3V), from a microcontroller or computer. The hacked feed could even read a real-time clock to "play back" a stored path of locations every day. Attaching an external data feed is likely as simple as dragging a box cutter over the right traces (data, ground) to disrupt them, and then soldering on some 30 gauge wire to the same traces (after sanding off the soldermask and silkscreen). Since most GPS modules output constantly without any control lines, so there may not even be a control scheme to reverse engineer.
Note to those designing trackers: if you want to make it difficult, use a board with internal layers and keep the GPS nets on the interior of the board. Doesn't make splicing impossible[2], but it would up the difficulty.
It would be fun injecting fake paths to some NSA datacenter, a military supplier IC foundry, Area 51, and CIA HQ. The people monitoring him may draw some strange conclusions.
theres a main processor which is way overpowered (the big TQFP part) which is covered by a plug-in 2G GSM/GPRS modem. You can 'sniff' the modem control pins, its almost certainly the standard plain 'AT' command set used for these modems, at 9600 or 57600 baud, 3.3V logic
The plug in module looks a lot like a SIM300 or Spreadtrum 5100b. It probably had an IMEI sticker that was pulled off. Theres probably a dozen makers of nearly identical modems during that time period. This one looks fairly old since its a plug-in type. I'd guess the GSM module is at least 5 yrs old
On the other side is a standard 32-pin NAND flash, you could desolder and then use a NAND-reader kit (google etc) to suck the data off. its probably just the GPS coordinates stored between modem data uploads.
SIM holder, some crystals, power circuitry, and a (95% sure) uBlox GPS - the uBlox have that funny shape and pinout. uBlox have high sensitivity so a good choice! unclear which generation this us, they're up to Neo-8. You could decap it to find out.
probably the most fun could be had by first figuring out the RX/TX pins from the microcontroller to the GSM/GPRS module, then soldering thin wires to that and listening with a UART TTL cable. Put in a new SIM, wait a few seconds for the GSM module to get onto the cell network, then quickly faraday it up and see what website, IP address or phone number the micro is trying to connect to. ymmv tho, might just be a random drop point.
(theres a bunch of chips with no clear markings, could be motion/accel/gyro or other sensors - @ioerror if you post up the #s on each chip it'll be easier to tell! :)
edit: i thought about the huge coin cell battery backup. its a bit odd, quite large sized! if its well designed, the microcontroller will detect that the battery has been disconnected, and while on backup coin cell power quickly erase the NAND flash and microcontroller memory :(
If the coin battery is used as a RC circuit switch to wipe memory what are the chances that it has already been wiped? It's been 7 days off power.
The large power drain of the CPU could indicate this off-shelf product is meant to be installed, rather than attached with battery? Which could indicate a product as someone else linked to: http://www.miniinthebox.com/es/gps-v103b-sms-gprs-gps-sistem...
I'd be curious if any code were installed on the GSM module since many of these provide jvm's or python interpretors. Then again, what they heck is this 120 pin CPU for.
If the thing still has power it is worth keeping it alive without the SIM.
PS. Azul=Blue Negro=Black Marron=Brown Blanco=White in spanish
A friend of mine hired someone to gather data on his cheating wife. A device that looked similar to this was used on her car. $400 for a month of real-time location data. Maybe this has nothing to do with conference this person was attending.
I agree, there is a company in my city that will hook a device up to the car battery and place it in a discrete location. They mostly deal with fleet management but some of their business is from spouses tracking each other.
There a "funny" story about a wife bringing in a vehicle that her husband had brought in earlier.
I guess it's a sad world when I breathe a sigh of relief upon seeing that this didn't take place in the US.
I like how the agency gummed over the chip silkscreens so you can't see what chips they're using. Even though it's obvious that one is flash, another is a GPS module, and the third is the micro. And it appears that some scraping will show you the part numbers anyway. Amateur hour.
Would be interesting if they could lift any prints from the tape on this newest one and publish them. I can't imagine it's easy to apply duct tape with gloves on.
The goop on the chips is the funniest part - I've taken apart various bits of equipment (mostly from China) and they often attempt to obscure the part numbers to obfuscate, but even they know to grind/laser them off instead of putting goop on top... and it's still possible to figure out what they are just by their package and pinouts.
The low integration of the design suggests that it's probably at least 5 or more years old; these days, all that functionality would fit in 3-4 tiny BGA ICs.
The vendor obscures the chips because they sell these devices to agencies for thousands of dollars on government purchase orders. It wouldn't do for the customer to discover they could build these things for less than $100 in parts that anyone can order from anywhere.
"If it's gonna be a amateur night, I want a hundred thousand dollars. I want it upfront. I want it in a bank account. I want another $100,000 when you get the case."
During the ' Troubles' in Northern Ireland, chassis inspection mirrors were a common sight.
These were large convex mirrors mounted horizontally on castors and with a long handle. They were slid under the car to look for suspicious packages that may have been attached covertly with malicious intent.
Very quick to use and were widely issued to individuals who might have been at risk. So it was common to see people using them each morning before heading off to work ( by a different route each day of course ).
Sounds like there might be a new market for them.... I should have bought a few hundred when they were being sold as surplus!
"With malicious intent" in this case usually meant an explosive device designed to kill the driver of the vehicle for anyone reading who might not get the context.
I think one of the first things I'd try when finding such a device on my premises would be to try and login to the self-service portal of the mobile carrier that issued the SIM card. At least in the case of my phone-service provider (I'm also located in the EU) this uses the phone number, and a password which can be requested by SMS...
In the case of my provider, the permission to use the self-service portal which include the possibility to view/change billing addresses and shows all the numbers active on a contract, can, of course, be enabled/disabled per telephone number. But it will be worth a try...
looks like Private Investigator catalog equipment in the states. Big, clunky, and built to suit a million different uses. Dev board + sensors + 3g = a million different reconfigurable spy toys.
Although I hope it's a three-letter agency, because that'd make me a bit less frightened of them.
Also, I don't know why everyone is up-in-arms about the solder job quality. Rip apart a Chinese Futaba-knockoff RC transmitter, dash cam, or counterfeit Lenovo/Apple power-brick for similar quality (and that stuff is everywhere). All that anyone cares about is that it passed the bench test. (who cares if it burns up later?)
According to the media article linked on the submission, the activist was stopped for a "routine search" of the car for more than one hour on the frontier with France by spanish national police (CNP). One week ago she was stopped again near the city were this convention took place.
So yeah, even if this is private investigator grade hardware, according to the info available it would not surprise me if this was either CNP (police) or CNI (our joke version of the CIA).
It would be interesting to figure out where the data is being sent. It could probably be done in a variety of ways (JTAG? Replace the SIM card and setup a fake GSM base station? Check your local laws...).
It would be pretty ironic if they routed through Tor...
I'd second a motion for scraping off the big chips to get some part numbers, to make it easier to get pinouts to hook up probes and other ways to get it to give up its electronic secrets. Though I am rather unplussed with the soldering job there, and personally would disavow soldering such a mess. Big blobs of solder, real crappy joints, and even a few spots that look heat damaged. More than a bit of me is surprised it even worked in the first place.
All the more evidence that this was some sort of "PI" or other private party, not a government agency (on top of the very amateurish construction from hacked together parts).
This looks pretty amateur. I'd be asking if there is a specific private sector company that takes an interest in this activist, and has hired a cheap, shady private investigator.
The device was probably SMS'ing location data. There might still be log data in the device that could be extracted via a serial port.
Based on the way it's laid out and all the unpopulated headers I'm almost wondering if this is a GSM dev board that someone makes that's paired with a GPS daughter card they make. It doesn't look quite as purpose built for a tracking application as I would expect, if it was i'd expect it to be far more compact and have very few test points and headers for the controller. In fact I'd expect they'd probably use a smaller controller too to help cut down on power usage, since they've got the large flash chip they can probably store all the data and send it in burst rather than keep the GSM modem powered up all the time which would let it last far longer in the field.
In fact even the soldering for the power wires to the strange battery array board looks rather amaturish. I'm not sure I'd chalk this up to any agency that's got much of a budget for this kind of thing. I think it's likely to be some other activist group that's in disagreement with this one and wants to dig up dirt (Private Eye maybe?)
Edit: correction, what I thought was a bunch of batteries on a board looks like it's actually the magnets that held it in place on the car. D'oh. Either way it still looks odd that it's built like a set of development boards by a chip manufacturer.
Seriously, these things can be bought COTS in WAY better shape for 35€ ( http://www.pearl.de/a-PX3490-1511.shtml ). If you want to hide it, just wrap it in black tape. I wonder who chose to self-build this thing with cheap-ass kits being available...
[+] [-] tomkinstinch|11 years ago|reply
Note to those designing trackers: if you want to make it difficult, use a board with internal layers and keep the GPS nets on the interior of the board. Doesn't make splicing impossible[2], but it would up the difficulty.
1. http://aprs.gids.nl/nmea/ 2. http://www.circuitrework.com/guides/4-2-6.shtml
[+] [-] markrages|11 years ago|reply
[1] http://www.labsat.co.uk
[+] [-] jonmrodriguez|11 years ago|reply
[+] [-] pj_mukh|11 years ago|reply
[+] [-] X-combinator|11 years ago|reply
http://ericpetersautos.com/2014/05/13/heebie-jeebies/
[+] [-] BoppreH|11 years ago|reply
[+] [-] new299|11 years ago|reply
[+] [-] vonuebelgarten|11 years ago|reply
[+] [-] huhtenberg|11 years ago|reply
Or you can use the good old seal-the-whole-thing-with-a-coat-of-epoxy approach.
[+] [-] ladyada|11 years ago|reply
theres a main processor which is way overpowered (the big TQFP part) which is covered by a plug-in 2G GSM/GPRS modem. You can 'sniff' the modem control pins, its almost certainly the standard plain 'AT' command set used for these modems, at 9600 or 57600 baud, 3.3V logic
The plug in module looks a lot like a SIM300 or Spreadtrum 5100b. It probably had an IMEI sticker that was pulled off. Theres probably a dozen makers of nearly identical modems during that time period. This one looks fairly old since its a plug-in type. I'd guess the GSM module is at least 5 yrs old
On the other side is a standard 32-pin NAND flash, you could desolder and then use a NAND-reader kit (google etc) to suck the data off. its probably just the GPS coordinates stored between modem data uploads.
SIM holder, some crystals, power circuitry, and a (95% sure) uBlox GPS - the uBlox have that funny shape and pinout. uBlox have high sensitivity so a good choice! unclear which generation this us, they're up to Neo-8. You could decap it to find out.
probably the most fun could be had by first figuring out the RX/TX pins from the microcontroller to the GSM/GPRS module, then soldering thin wires to that and listening with a UART TTL cable. Put in a new SIM, wait a few seconds for the GSM module to get onto the cell network, then quickly faraday it up and see what website, IP address or phone number the micro is trying to connect to. ymmv tho, might just be a random drop point.
(theres a bunch of chips with no clear markings, could be motion/accel/gyro or other sensors - @ioerror if you post up the #s on each chip it'll be easier to tell! :)
edit: i thought about the huge coin cell battery backup. its a bit odd, quite large sized! if its well designed, the microcontroller will detect that the battery has been disconnected, and while on backup coin cell power quickly erase the NAND flash and microcontroller memory :(
[+] [-] cyphunk|11 years ago|reply
The large power drain of the CPU could indicate this off-shelf product is meant to be installed, rather than attached with battery? Which could indicate a product as someone else linked to: http://www.miniinthebox.com/es/gps-v103b-sms-gprs-gps-sistem...
I'd be curious if any code were installed on the GSM module since many of these provide jvm's or python interpretors. Then again, what they heck is this 120 pin CPU for.
If the thing still has power it is worth keeping it alive without the SIM.
PS. Azul=Blue Negro=Black Marron=Brown Blanco=White in spanish
[+] [-] dplarson|11 years ago|reply
[+] [-] tacoman|11 years ago|reply
[+] [-] makenova|11 years ago|reply
[+] [-] tsotha|11 years ago|reply
[+] [-] e40|11 years ago|reply
[+] [-] jrockway|11 years ago|reply
I like how the agency gummed over the chip silkscreens so you can't see what chips they're using. Even though it's obvious that one is flash, another is a GPS module, and the third is the micro. And it appears that some scraping will show you the part numbers anyway. Amateur hour.
[+] [-] kevin_thibedeau|11 years ago|reply
http://www.wired.com/2011/11/gps-tracker-times-two/ http://www.wired.com/2010/10/fbi-tracking-device/
Would be interesting if they could lift any prints from the tape on this newest one and publish them. I can't imagine it's easy to apply duct tape with gloves on.
[+] [-] cloudwalking|11 years ago|reply
Edit: this is downvoted, but a similar comment with the same link, posted 10 minutes later, is upvoted? I don't understand.
[+] [-] userbinator|11 years ago|reply
The low integration of the design suggests that it's probably at least 5 or more years old; these days, all that functionality would fit in 3-4 tiny BGA ICs.
[+] [-] gnu8|11 years ago|reply
[+] [-] rsync|11 years ago|reply
[+] [-] godgod|11 years ago|reply
[deleted]
[+] [-] dingaling|11 years ago|reply
These were large convex mirrors mounted horizontally on castors and with a long handle. They were slid under the car to look for suspicious packages that may have been attached covertly with malicious intent.
Very quick to use and were widely issued to individuals who might have been at risk. So it was common to see people using them each morning before heading off to work ( by a different route each day of course ).
Sounds like there might be a new market for them.... I should have bought a few hundred when they were being sold as surplus!
[+] [-] pja|11 years ago|reply
[+] [-] Symbiote|11 years ago|reply
http://en.wikipedia.org/wiki/Chronology_of_Continuity_Irish_...
http://en.wikipedia.org/wiki/Timeline_of_Real_Irish_Republic...
[+] [-] cnvogel|11 years ago|reply
In the case of my provider, the permission to use the self-service portal which include the possibility to view/change billing addresses and shows all the numbers active on a contract, can, of course, be enabled/disabled per telephone number. But it will be worth a try...
[+] [-] furyg3|11 years ago|reply
[+] [-] SpaceInvader|11 years ago|reply
[+] [-] serf|11 years ago|reply
Although I hope it's a three-letter agency, because that'd make me a bit less frightened of them.
Also, I don't know why everyone is up-in-arms about the solder job quality. Rip apart a Chinese Futaba-knockoff RC transmitter, dash cam, or counterfeit Lenovo/Apple power-brick for similar quality (and that stuff is everywhere). All that anyone cares about is that it passed the bench test. (who cares if it burns up later?)
[+] [-] kh_hk|11 years ago|reply
So yeah, even if this is private investigator grade hardware, according to the info available it would not surprise me if this was either CNP (police) or CNI (our joke version of the CIA).
[+] [-] comboy|11 years ago|reply
[+] [-] tlrobinson|11 years ago|reply
It would be pretty ironic if they routed through Tor...
[+] [-] Sanddancer|11 years ago|reply
[+] [-] JoeAltmaier|11 years ago|reply
[+] [-] JshWright|11 years ago|reply
[+] [-] fyrabanks|11 years ago|reply
[+] [-] doctorshady|11 years ago|reply
[+] [-] logicallee|11 years ago|reply
[+] [-] Zigurd|11 years ago|reply
The device was probably SMS'ing location data. There might still be log data in the device that could be extracted via a serial port.
[+] [-] callahad|11 years ago|reply
[+] [-] simcop2387|11 years ago|reply
In fact even the soldering for the power wires to the strange battery array board looks rather amaturish. I'm not sure I'd chalk this up to any agency that's got much of a budget for this kind of thing. I think it's likely to be some other activist group that's in disagreement with this one and wants to dig up dirt (Private Eye maybe?)
Edit: correction, what I thought was a bunch of batteries on a board looks like it's actually the magnets that held it in place on the car. D'oh. Either way it still looks odd that it's built like a set of development boards by a chip manufacturer.
[+] [-] mschuster91|11 years ago|reply
[+] [-] lambeosaurus|11 years ago|reply
[+] [-] pmccall777|11 years ago|reply
[+] [-] nickysielicki|11 years ago|reply
[+] [-] boklm|11 years ago|reply
[+] [-] icco|11 years ago|reply