Sniffing a GPSMap60CSX to find the local oscillator

Well everyone just rambled on, so I figured I'd get out the spectrum
analyzer and see what could be sniffed.

I tried to detect a Garmin GPSMap60CSx. The claim is the GPSMap60CSX
uses the SiRFStar III. The local for the chipset is 1571.424Mhz. L1 is
1575.42. So the goal is to look for a low side mixer leaking beneath the
actual GPS signal.

Since this mixer is nearly in the GPS band, the easiest thing to use for
an antenna is a GPS antenna. I was given a passive GPS antenna years
ago, and of course I never used it. Hey, it was passive. Hooking it up
doesn't get the GPS signal (beneath the noise floor of the spectrum
analyzer), but sure gets lots of L-band cellular, plus that annoying
smart meter that pings around 1.2GHz.

The next step was to hook up an active GPS antenna. This was an
interesting experiment in it's own right since I never looked at the
output of a GPS antenna. The active antenna is a HAG-240, good for 37dB.
That brought the GPS signal up to -75dbm. No mixer signal detected.

If you think about it, given the proximity of the mixer frequency to the
actual GPS signal, you would be a fool to leak a lot of mixer. It would
desense the receiver. The Sift III implementations I found on the net
(not necessarily how it is done in the Garmin) use a LNA and SAW filter
cascaded. This should have decent isolation.

As I expected, sniffing the local is simply not the way to detect a GPS.
I would still go with the NLJD.

On 2011-12-03 02:37 , miso wrote:

Thanks. Interesting. However, GPS antennas are not, themselves, very
sensitive. For the device I was thinking about, I was thinking of a
larger and more sensitive antenna array.

If that doesn't do it, how would a NLJD be implemented? Would one fire
a narrow band signal towards the search area?

Would this be illegal in the sense of being a potential GPS jamming signal?

--
"I see!" said the blind man as he picked up his hammer and saw.

On 12/3/2011 7:26 AM, Alan Browne wrote:

A GPS antenna certainly isn't direction. That would defeat the purpose.
But we're talking close proximity to the GPS too.

Most of the NLJDs use ISM frequencies to keep them license free. They
wouldn't be jamming the GPS, but rather you transmit on a frequency that
is legal.

You need a very pure signal because you are looking for harmonics. You
can't have the source's harmonics swamp the harmonics from the DUT. This
is what probably keeps the amateur from rolling their own NLJD.

This guy is rolling his own:

I'm not so sure about this 2nd harmonic versus 3rd harmonic measurement.
Generally with diodes involved, you are getting odd harmonics. But I
can't argue with the notion since all the leading brands measure 2nd and
3rd.

If I had to roll one myself, and presuming the 3rd harmonic is good
enough, I'd put the test signal around 1.2GHZ and look for the harmonic
with a COTS C-band LNB and a spectrum analyzer. You can get cheap
portable L-band spectrum analyzers that are used in satellite work.
[L-band is the "baseband" so to speak of satellite. You generate L-band
and then upload to the bird with a BUC, and you download from the bird
with a LNB(F) which outputs L-band.] I suppose once you actually saw
some harmonics from a DUT, you might build a simple detector.

One thing you know for sure is the harmonics are locked to the source.
That means if the frequency synthesizer was built properly, you could
have mixers already on frequency to demod the harmonics. Essentially
zero-beat. That means you would have to AM the source, but that is no
big deal. You would probably AM it with a Gilbert cell rather than make
all sorts of spurs with a conventional diode mixer. If a Gilbert cell
can't be done at that frequency, just modulate the transconductance of a
RF grade BJT.

The big advantage to using a COTS LNB(F) is you have the amp already
built. Ah wait, the problem with that is the mixer in the the LNB(F)
isn't very accurate. OK, you would need a LNA for C-band. Less common,
but not unheard of. There are websites where people have modified
LNB(F)s to LNAs.


I'd say a used L-band spectrum analyzer would be less work, though you
couldn't make a commercial product like that.

This Russian firm is using a C-band source and receiving on 7-ish GHz
(don't know that band) and Ku.



The idea here is it is easier for the microwaves to penetrate "holes in
the armor" so to speak.

On 2011-12-03 19:31 , miso wrote:

I never suggested it was. The notion of an array is to get higher
sensitivity.


Thanks. I'll pass that on. I misunderstood that the NLJD had to be at
the same freq as the receiver. Now it's clear, anything that causes a
bounce off the components in the receiver should do it.

The downside here is that almost all cars have a GPS receiver in them
(whether it's used or not - it's part of the standard antenna package).

--
"I see!" said the blind man as he picked up his hammer and saw.

The beauty of the NLJD is it is frequency independent of the bug that
you are looking for. The bad news is it will find any diode with a wire
connected to it.

The SIRF chipset looks like it is single conversion. Firing up google,
it seems there are double conversion GPSs. So the possibilities of
sniffing frequencies are plenty.

A quick check of parts 15 indicates you can't build a GPS jammer
legally. You could operate near the GPS frequencies and that might cause
the GPS to fail.
http://transition.fcc.gov/Bureaus/Engineering_Technology/Documents/bulletins/oet63/oet63rev.pdf

The use of a cellular phone to send the data is easy to sniff.

I have the original version of this unit, basically before it could be
bought online. It isn't very sophisticated, but it will sniff a phone or
key fob at close distance. It will detect aircraft radar miles away, but
only with the LED. That is, you see the ping.

At $160, you are half way there to a use L-band spectrum analyzer.