Very few companies produce GPS chips. Most devices that include GPS capability do not bother to reinvent the wheel, but instead elect to integrate an existing GPS processing chip. It's unlikely the GPS module is integrated with the processor core of this thing. Since it is likely separate, it would be fun to probe the PCB with a logic analyzer to see if there are any exposed serial (or possibly I2C, SPI) traces relaying the NMEA sentences[1] from the GPS module to the processor. If so, false locations could presented by severing the traces and soldering on a synthetic serial (or I2C, SPI) feed at the right logic level (probably 3.3V), from a microcontroller or computer. The hacked feed could even read a real-time clock to "play back" a stored path of locations every day. Attaching an external data feed is likely as simple as dragging a box cutter over the right traces (data, ground) to disrupt them, and then soldering on some 30 gauge wire to the same traces (after sanding off the soldermask and silkscreen). Since most GPS modules output constantly without any control lines, so there may not even be a control scheme to reverse engineer.<p>Note to those designing trackers: if you want to make it difficult, use a board with internal layers and keep the GPS nets on the interior of the board. Doesn't make splicing impossible[2], but it would up the difficulty.<p>1. <a href="http://aprs.gids.nl/nmea/" rel="nofollow">http://aprs.gids.nl/nmea/</a>
2. <a href="http://www.circuitrework.com/guides/4-2-6.shtml" rel="nofollow">http://www.circuitrework.com/guides/4-2-6.shtml</a>
<a href="http://imgur.com/a/Z1hyd" rel="nofollow">http://imgur.com/a/Z1hyd</a> has a few parts labeled<p>theres a main processor which is way overpowered (the big TQFP part) which is covered by a plug-in 2G GSM/GPRS modem. You can 'sniff' the modem control pins, its almost certainly the standard plain 'AT' command set used for these modems, at 9600 or 57600 baud, 3.3V logic<p>The plug in module looks a lot like a SIM300 or Spreadtrum 5100b. It probably had an IMEI sticker that was pulled off. Theres probably a dozen makers of nearly identical modems during that time period. This one looks fairly old since its a plug-in type. I'd guess the GSM module is at least 5 yrs old<p>On the other side is a standard 32-pin NAND flash, you could desolder and then use a NAND-reader kit (google etc) to suck the data off. its probably just the GPS coordinates stored between modem data uploads.<p>SIM holder, some crystals, power circuitry, and a (95% sure) uBlox GPS - the uBlox have that funny shape and pinout. uBlox have high sensitivity so a good choice! unclear which generation this us, they're up to Neo-8. You could decap it to find out.<p>probably the most fun could be had by first figuring out the RX/TX pins from the microcontroller to the GSM/GPRS module, then soldering thin wires to that and listening with a UART TTL cable. Put in a new SIM, wait a few seconds for the GSM module to get onto the cell network, then quickly faraday it up and see what website, IP address or phone number the micro is trying to connect to. ymmv tho, might just be a random drop point.<p>(theres a bunch of chips with no clear markings, could be motion/accel/gyro or other sensors - @ioerror if you post up the #s on each chip it'll be easier to tell! :)<p>edit: i thought about the huge coin cell battery backup. its a bit odd, quite large sized! if its well designed, the microcontroller will detect that the battery has been disconnected, and while on backup coin cell power quickly erase the NAND flash and microcontroller memory :(
A friend of mine hired someone to gather data on his cheating wife. A device that looked similar to this was used on her car. $400 for a month of real-time location data. Maybe this has nothing to do with conference this person was attending.
I guess it's a sad world when I breathe a sigh of relief upon seeing that this didn't take place in the US.<p>I like how the agency gummed over the chip silkscreens so you can't see what chips they're using. Even though it's obvious that one is flash, another is a GPS module, and the third is the micro. And it appears that some scraping will show you the part numbers anyway. Amateur hour.
During the ' Troubles' in Northern Ireland, chassis inspection mirrors were a common sight.<p>These were large convex mirrors mounted horizontally on castors and with a long handle. They were slid under the car to look for suspicious packages that may have been attached covertly with malicious intent.<p>Very quick to use and were widely issued to individuals who might have been at risk. So it was common to see people using them each morning before heading off to work ( by a different route each day of course ).<p>Sounds like there might be a new market for them.... I should have bought a few hundred when they were being sold as surplus!
I think one of the first things I'd try when finding such a device on my premises would be to try and login to the self-service portal of the mobile carrier that issued the SIM card. At least in the case of my phone-service provider (I'm also located in the EU) this uses the phone number, and a password which can be requested by SMS...<p>In the case of my provider, the permission to use the self-service portal which include the possibility to view/change billing addresses and shows all the numbers active on a contract, can, of course, be enabled/disabled per telephone number. But it will be worth a try...
looks like Private Investigator catalog equipment in the states. Big, clunky, and built to suit a million different uses. Dev board + sensors + 3g = a million different reconfigurable spy toys.<p>Although I hope it's a three-letter agency, because that'd make me a bit less frightened of them.<p>Also, I don't know why everyone is up-in-arms about the solder job quality. Rip apart a Chinese Futaba-knockoff RC transmitter, dash cam, or counterfeit Lenovo/Apple power-brick for similar quality (and that stuff is <i>everywhere</i>). All that anyone cares about is that it passed the bench test. (who cares if it burns up later?)
It would be interesting to figure out where the data is being sent. It could probably be done in a variety of ways (JTAG? Replace the SIM card and setup a fake GSM base station? Check your local laws...).<p>It would be pretty ironic if they routed through Tor...
I'd second a motion for scraping off the big chips to get some part numbers, to make it easier to get pinouts to hook up probes and other ways to get it to give up its electronic secrets. Though I am rather unplussed with the soldering job there, and personally would disavow soldering such a mess. Big blobs of solder, real crappy joints, and even a few spots that look heat damaged. More than a bit of me is surprised it even worked in the first place.
This looks pretty amateur. I'd be asking if there is a specific private sector company that takes an interest in this activist, and has hired a cheap, shady private investigator.<p>The device was probably SMS'ing location data. There might still be log data in the device that could be extracted via a serial port.
Based on the way it's laid out and all the unpopulated headers I'm almost wondering if this is a GSM dev board that someone makes that's paired with a GPS daughter card they make. It doesn't look quite as purpose built for a tracking application as I would expect, if it was i'd expect it to be far more compact and have very few test points and headers for the controller. In fact I'd expect they'd probably use a smaller controller too to help cut down on power usage, since they've got the large flash chip they can probably store all the data and send it in burst rather than keep the GSM modem powered up all the time which would let it last far longer in the field.<p>In fact even the soldering for the power wires to the strange battery array board looks rather amaturish. I'm not sure I'd chalk this up to any agency that's got much of a budget for this kind of thing. I think it's likely to be some other activist group that's in disagreement with this one and wants to dig up dirt (Private Eye maybe?)<p>Edit: correction, what I thought was a bunch of batteries on a board looks like it's actually the magnets that held it in place on the car. D'oh. Either way it still looks odd that it's built like a set of development boards by a chip manufacturer.
Seriously, these things can be bought COTS in WAY better shape for 35€ ( <a href="http://www.pearl.de/a-PX3490-1511.shtml" rel="nofollow">http://www.pearl.de/a-PX3490-1511.shtml</a> ). If you want to hide it, just wrap it in black tape. I wonder who chose to self-build this thing with cheap-ass kits being available...
An article in Spanish:
<a href="http://www.eldiario.es/turing/vigilancia_y_privacidad/dispositivo-rastreador-pusieron-activista-privacidad_0_363964058.html" rel="nofollow">http://www.eldiario.es/turing/vigilancia_y_privacidad/dispos...</a>
Looks different than the FBI one iFixit tore down at least: <a href="https://www.ifixit.com/Teardown/Tracking+Device+Teardown/5250" rel="nofollow">https://www.ifixit.com/Teardown/Tracking+Device+Teardown/525...</a>