Being able to accurately determine your location anywhere on the planet is a useful technological trick. But when tracking isn’t done by you, but to you—without your knowledge or consent—it’s a violation of your privacy. That’s why at EFF we’ve long fought against dragnet surveillance, mobile device tracking, and warrantless GPS tracking.

Several weeks ago, an EFF supporter brought her car to a mechanic, and found a mysterious device wired into her car under her driver's seat. This supporter, who we’ll call Sarah (not her real name), sent us an email asking if we could determine whether this device was a GPS tracker, and if so, who might have installed it. Confronted with a mystery that could also help us learn more about tracking, our team got to work.

Sarah sent us detailed pictures of the device. It was a black and gray box, about four inches long, with a bundle of 6 wires coming out of one end. On one side, the words “THIS SIDE DOWN” were printed in block letters, next to three serial numbers. 

First, we wanted to confirm that this was, in fact, a GPS device. We started by searching for the device’s FCC ID in the FCC’s database. Each device that has a radio transmitter or receiver is required to have an FCC ID. With that ID you can find manuals, pictures, and even internal schematics on any device the FCC has reviewed.

The FCC search confirmed that the device was a GPS tracker sold under the brand name “Apollo,” and made by a company called M-Labs. According to the manual, the Apollo can track a car’s location, then send the location to a server over a cellular connection. The manual also said the Apollo had a special type of port for communicating with the device, known as a UART serial port. Using this port, we could interact with the device in order to find out more about it.

A quick web search also revealed that a number of people all over the US had found these exact devices in their cars. Some people believed the GPS trackers were being installed by dealerships for repossession, or by rental car companies for fleet tracking.

We told Sarah what we had found, and agreed that with direct access to the GPS tracker, we might be able to find out when it had been installed, and therefore who had installed it. If it was installed at the time she bought the car, or before that time, then it could have been installed by the dealership. If it was installed after that date, then it's possible that Sarah had a stalker who had installed the device. The device was put in the mail and sent to our offices.

A few days later we received the Apollo and got to work. The first step was to pry off the case and get access to the internal components. We wanted to find the UART connectors, which would give us the ability to get diagnostic information out of the Apollo’s cellular modem. 

Typically UART comes in a series of four pins, or at least four holes in a row, but this board didn’t have anything like that. Looking closer, we noticed that there were some very tiny contact pads labeled ART1, RX, and TX. We decided to start there.  

Let’s take a step back and discuss why getting access to the UART port was so important. UART stands for Universal Asynchronous Receiver and Transmitter. It is both hardware and a protocol. The UART protocol lets you receive input and output over common copper wires by sending and receiving bits one at a time, encoded by either high or low voltage (the technical term for this is a “serial bus”). The hardware interface is typically 4 connections: voltage, ground, receive (rx), and transmit (tx). Put simply, the UART connection lets you interact with the hardware as if you had a keyboard and monitor attached directly to it.

To connect to the UART bus on the GPS device we used a fun little tool called a “Bus Pirate.” The Bus Pirate lets you connect to different hardware interfaces, including UART, and turns them into a USB interface that you can connect to with your computer. 

We connected the Bus Pirate to a computer and gingerly held its wire probes against the contact points labeled RX and TX on the board, and set the Bus Pirate to connect over UART. The Bus Pirate sprang to life and returned the following:

����3�����f��������b���{= ^����H���������x�������?���������������������������������~�����������H�?� �?����a�����>���8�8�����N'?0 ����~ ���� �s�2��G����

It was nothing but gibberish. We decided to try using different baud rates, that is, the rate at which symbols are transmitted in an electronic communication. We finally discovered that a 115200 baud rate was what was needed to get coherent communication from the device.
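Why the wrong baud rate produces gibberish, as an added example that is not part of the original investigation: it renders one banner line from the page as a UART waveform (one start bit, eight data bits, one stop bit), decodes it at several rates, and picks the rate that yields the most readable text. The sample rate, the 8N1 framing and the candidate rate list are assumptions made for the simulation.

```python
SAMPLE_RATE = 921_600  # assumed capture rate; an integer multiple of every candidate
BANNER = b"FW:2.4.3; BIN:1.1.95T; MEID:A100005B46F154\r\n"  # line quoted on the page

def uart_encode(data, baud):
    """Render bytes as an 8N1 line-level waveform (list of 0/1 samples)."""
    spb = SAMPLE_RATE // baud                      # samples per bit
    wave = [1] * (2 * spb)                         # an idle UART line sits high
    for byte in data:
        # start bit (0), eight data bits LSB first, stop bit (1)
        frame = [0] + [(byte >> b) & 1 for b in range(8)] + [1]
        for bit in frame:
            wave.extend([bit] * spb)
    return wave + [1] * (12 * spb)                 # trailing idle

def uart_decode(wave, baud):
    """Decode the waveform the way a receiver clocked at `baud` would."""
    spb = SAMPLE_RATE // baud
    out, i = bytearray(), 1
    while i + 10 * spb <= len(wave):
        if wave[i - 1] == 1 and wave[i] == 0:      # falling edge marks a start bit
            mid = i + spb // 2                     # sample each bit at its centre
            byte = 0
            for b in range(8):
                byte |= wave[mid + (b + 1) * spb] << b
            out.append(byte)                       # framing errors are not checked here
            i = mid + 9 * spb                      # resume inside the stop-bit slot
        i += 1
    return bytes(out)

def readable_score(raw):
    """Printable bytes (plus CR/LF) minus everything else."""
    good = sum(1 for c in raw if 32 <= c < 127 or c in (10, 13))
    return good - (len(raw) - good)

def best_baud(wave, candidates=(9600, 19200, 38400, 57600, 115200)):
    """Return the candidate rate whose decode is most readable."""
    return max(candidates, key=lambda b: readable_score(uart_decode(wave, b)))

if __name__ == "__main__":
    wave = uart_encode(BANNER, 115200)
    for rate in (9600, 19200, 38400, 57600, 115200):
        print(rate, uart_decode(wave, rate))
    print("best guess:", best_baud(wave))
```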

In between lines of more gibberish, we saw some readable text pop up:

�����x���� V�� ����D������~��L����"����������Bƀ����3����>3�(P�K� P�����                                                                                                                                                
@�������� ���0���_����q������� �� �B!�� [�
FW:2.4.3; BIN:1.1.95T; MEID:A100005B46F154
IP:10.90.1.52:3078; LPORT:3078
RI:0,0,0; DTE:0,0,0,0,0,0; DI:0; HB:0; NR:2940,0,0; RS:0,900
���������CI��}��������|>0o��������P D���39@��                                                                                                   
   
��    �K��G���_������                                                                                                                       
��C�� �����: �����(�����@���

Success! We finally had some data out of the GPS device, but why was it still surrounded by garbage data? For the answer to this, we have to look again at how UART works. Since UART is just measuring voltage differences on the RX and TX pins, anything that interferes with those voltages will change the input and output. In this case, an EFF team member’s hand was holding the Bus Pirate pin to the transmit connector of the GPS device, and that was creating extra interference, which then got interpreted as data coming from the GPS device, causing the garbled output.
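Pulling the readable status fields out of a noisy capture like the one above, as an added example that is not code from the original investigation: the three banner lines are the ones shown on the page, while the surrounding noise bytes are constructed. The page does not document what each field means, so the parser only splits them into key and value.

```python
import re

# One "KEY:value" field as it appears in the banner: 2-5 capital letters,
# a colon, then printable characters up to the next ';', space or line end.
FIELD = re.compile(rb"([A-Z]{2,5}):([\x21-\x3a\x3c-\x7e]+)")

# Constructed capture: banner lines from the page wrapped in made-up line noise.
CAPTURE = (
    b"\xf8\x9c\x00V\xe2 \xff\xfeD\x81~\xb0L\x93\"\r\n"
    b"@\x80\xfe \xff0\x90_\xa1q\x88 \x42!\xfe [\xfd\r\n"
    b"FW:2.4.3; BIN:1.1.95T; MEID:A100005B46F154\r\n"
    b"IP:10.90.1.52:3078; LPORT:3078\r\n"
    b"RI:0,0,0; DTE:0,0,0,0,0,0; DI:0; HB:0; NR:2940,0,0; RS:0,900\r\n"
    b"\x81QX:7\xfe\r\n"                      # noise that happens to look like one field
    b"\xc3CI\x99}\xf0|>0o\x8a\xffP D\xee39@\x90\r\n"
)

def parse_banner(capture: bytes) -> dict[str, str]:
    """Return the KEY:value fields found on lines that look like status output."""
    fields = {}
    for line in re.split(rb"[\r\n]+", capture):
        hits = FIELD.findall(line)
        # Interference can produce a lone field-shaped fragment by chance;
        # every real banner line on the page carries at least two fields.
        if len(hits) < 2:
            continue
        for key, value in hits:
            fields[key.decode("ascii")] = value.decode("ascii")
    return fields

if __name__ == "__main__":
    for key, value in parse_banner(CAPTURE).items():
        print(f"{key:6} {value}")
```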

Next, we soldered an RX and TX wire directly onto the GPS board and connected it to the Bus Pirate. After turning on the GPS device again, the output came out clean!

FW:2.4.3; BIN:1.1.95T; MEID:A100005B46F154
IP:10.90.1.52:3078; LPORT:3078
RI:0,0,0; DTE:0,0,0,0,0,0; DI:0; HB:0; NR:2940,0,0;

Now that we had a connection we could communicate with the Apollo’s cellular modem by typing what are called “AT commands.” AT commands are the standard way that humans and machines can interact with a cellular modem. They are called AT commands because they universally start with the letters “AT.” For example: the command “ATD” would let you dial a number, and the command “ATA” would answer an incoming call.

We entered a basic AT command to determine whether things were working, and got nothing back. We tried several more AT commands and still nothing. We had been hoping to at least get an error code back but the cursor sat there, blinking at us like a patient dog, not understanding a word of what we were saying.

After several more hours of cursing, reading docs, banging our heads against the wall, and self-medicating, we figured out the problem: we hadn’t connected the ground pin. The UART connection was incomplete. Our carefully typed AT commands were not being sent to the waiting GPS device. Not wanting to get out the soldering iron again, we carefully placed a ground wire from the Bus Pirate onto the ground plane of the GPS device. It worked! We were able to send AT commands and get back data.

FW:2.4.3; BIN:1.1.95T; MEID:A100005B46F154
IP:10.90.1.52:3078; LPORT:3078
RI:0,0,0; DTE:0,0,0,0,0,0; DI:0; HB:0; NR:2940,0,0; RS:0,90000,0
Ready
ATZONRS
ERROR
ATZ
OK
AT+IONRS
ERROR
AT+IONRS?
ERROR
AT+IONVO
ERROR
AT+IONVO?
17569

The manual for the Apollo listed several special built-in AT commands for retrieving data. Under certain conditions, the device would generate a report of its activities, including its location history. This report is also what gets sent to the GPS tracker’s owner. We hoped that the report would also contain information about when and where the Apollo was first activated.

We tried various commands for several hours, trying to get a report out of the GPS device. All of our attempts failed. The documentation for the device was severely lacking. We wrote to M-Labs, the manufacturing company, hoping they would kindly send us a better manual, but never heard back. Eventually we tried a command which would tell us the number of miles on the device’s “virtual odometer.” The answer: 17569, apparently the number of miles this device has traveled.

Now we were getting somewhere. If our supporter Sarah had driven this car less than 17,000 miles, we could be certain it was installed before she had the car.

We called Sarah and told her the news. We asked how many miles were on the car. Unfortunately, Sarah had driven the car 29,000 miles since buying it, and she had bought it new, with less than 200 miles on it. This would seem to lead to an unsettling conclusion: could our supporter have a stalker?

Our odometer finding wasn’t a sure thing, though. Given the sparse documentation, we couldn’t be sure how accurate the virtual odometer was, or even how it worked. There was also the possibility that the device could have been reset at some point. We were going to need more information for a definitive answer to this mystery.

We tried once again to get the report out. Several more days and several hundred curse words later, we still couldn’t devise a way to get the GPS to print the report that the manual promised. We began to believe the report would contain all the answers we were looking for—perhaps even the answers to life, the universe, and everything. We had tried every command and every trick we could think of. Staring at a dead end, we decided it was time to take the low tech approach.

Sarah said that when she first found the device she had asked her dealership if they ever installed GPS devices in the cars they sold. Dealership employees swore that they had never done such a thing. While we couldn’t know for sure if that was true, it was a mechanic from that dealership who first found the device, so we were inclined to believe them.

Sarah also mentioned that the car had been transferred from another Audi dealership in Orange County, California, when she bought it. Could they be the culprits? We called the original dealership and asked if they were familiar with this hardware or if they install GPS devices in their customers' cars. The dealership told us that they used to work with a company called Sky Link to install anti-theft devices, but didn’t activate them unless the buyer paid for the service. Could this be an explanation for this rogue GPS device?

We wanted to confirm that this device did indeed belong to Sky Link. Looking at their website it seemed to have not been updated in years. It even contained a widget for Adobe Flash, a very old way of creating animation on websites. Still, there was a customer service number.

We called Sky Link and asked if they could confirm whether this was one of their devices. The car’s VIN (Vehicle Identification Number) wasn’t in their database as having ever been activated. We had one last idea. We gave them the serial number of the hardware, and asked if it had ever been a part of their supply chain at all.

Turns out, it had. The GPS device was bought by the dealership, but it was never activated. At last, we had proof that this was a device installed by the dealership. We called Sarah to share the good news. She was very glad to find out that she didn’t have a stalker.

While we regrettably can’t spend this kind of time investigating every tech mystery that an EFF supporter has, we decided to take on this case because there was a lot we could learn. We learned about UART and the hidden consoles that are built into many hardware devices. And we were reminded that sometimes a low tech approach is better than a high tech one for solving a mystery. Sometimes you can hack your way to solving a problem, and sometimes you can solve it by calling the right people and asking the right questions.

Another question lingers: Is the Sky Link GPS device still sending location data back to a Sky Link server? If so, could it be accessed by an employee, or someone who activates the device in the future? We were unable to reach Sky Link to get a confirmation either way, but it's a concerning possibility. Given how many people have been surprised to find this specific GPS tracker in their cars (as mentioned above), it’s possible that many car dealerships are installing these devices without proper customer notification. Those GPS devices could one day enable misuses or abuses. If you have found a device like this in your car, or if you work for Sky Link or a similar company, we would be interested to hear from you.
