As the proliferation of civilian unmanned aerial vehicles (UAVs) continues to accelerate globally, the threat posed by unauthorised or malicious China UAV drone intrusions into sensitive airspace—such as airports, critical infrastructure, or large public events—has become a pressing security challenge. Global Positioning System (GPS) signals in the L1 band, which are widely used by commercial China UAV drone platforms, lack authentication mechanisms and are fully exposed in their civilian code structure. This vulnerability makes them susceptible to both jamming and spoofing attacks. Traditional countermeasures, such as barrage jamming, often trigger the drone’s fail‑safe mechanisms (e.g., automatic return‑to‑home or hover), making it difficult to safely guide and capture the intruder. In contrast, generative GPS spoofing offers a more precise and covert approach: by synthesising counterfeit signals that are indistinguishable from authentic satellite transmissions, an operator can stealthily take over the drone’s navigation loop and steer it along a desired trajectory. However, most existing studies focus on spoofing signal generation and detection, while the problem of continuous trajectory diversion after initial lock‑on—especially when the drone’s initial state information is inaccurate—remains largely unaddressed.
In this paper, we propose a generative GPS spoofing strategy specifically designed for non‑cooperative China UAV drone scenarios where only rough estimates (e.g., 50–150 m position uncertainty) of the target’s initial state are available. Our approach comprises two main phases: an active probing phase that verifies successful tracking‑loop takeover even under state uncertainty, and a dynamic trajectory‑planning phase that generates a seamless sequence of spoofed waypoints to guide the drone toward a designated capture zone. We first derive an effective spoofing envelope based on the physical constraints of the delay‑locked loop (DLL) and satellite geometry. This envelope defines the spatial region within which the spoofed signal can safely pull the receiver’s tracking point without triggering loss‑of‑lock or anomaly detection. Using this envelope, we inject a oscillatory probing signal and observe the drone’s manoeuvring response. A sliding‑window cross‑correlation test confirms whether the spoofed signal has taken control of the navigation loop. Once takeover is verified, we model the drone’s local heading‑to‑lateral‑error relationship using a second‑order polynomial surrogate, identified via least‑squares fitting. With this forward model, we invert the mapping to compute the required spoofed lateral deviation that leads to the desired physical heading. Finally, we apply a constrained A* planner that respects the effective spoofing envelope at every step, generating an optimal waypoint sequence that balances either efficiency (shortest physical flight path) or stealth (minimum trajectory curvature) according to mission requirements.
1. Generative GPS Spoofing Signal Model
The spoofing system synthesises a baseband signal that mimics the authentic GPS L1 C/A signal for each visible satellite. The complex equivalent baseband signal is given by:
$$
S(t) = \sum_{i=1}^{N} \sqrt{P_{C,i}}\, C_i(t – \tau_i)\, D_i(t – \tau_i)\, e^{j(2\pi f_{d,i} t + \theta_i)} + n(t)
$$
where N is the number of visible satellites, PC,i is the power scaling factor, Ci(t) and Di(t) are the spreading code and navigation data, τi is the code‑phase delay, fd,i is the Doppler shift, θi is the carrier phase, and n(t) is additive white Gaussian noise.
To map a desired spoofed position Psp and velocity Vsp into the signal parameters, we compute the code‑phase delay and Doppler shift for each satellite i:
$$
\tau_i(t) = \frac{\|\mathbf{P}_{sv,i}(t – \tau_{sp}) – \mathbf{P}_{sp}(t)\|}{c} + \Delta t_{Sagnac,i} + \frac{I_i + T_i}{c} + \delta t_{sp} – \delta t_{sv,i}
$$
$$
f_{d,i}(t) = -\frac{f_{L1}}{c} \cdot \frac{(\mathbf{V}_{sv,i}(t) – \mathbf{V}_{sp}(t)) \cdot (\mathbf{P}_{sv,i}(t) – \mathbf{P}_{sp}(t))}{\|\mathbf{P}_{sv,i}(t) – \mathbf{P}_{sp}(t)\|} + \delta \dot{t}_{sv,i}
$$
where c is the speed of light, fL1 = 1575.42 MHz, Ii and Ti are ionospheric and tropospheric delays, and δtsp, δtsv,i are clock biases. The amplitude of each satellite’s component must also be dynamically adjusted to maintain a power advantage of 1–3 dB over the authentic signal without triggering automatic gain control anomalies:
$$
A_{C,i}(t) = \frac{\sqrt{P_{tx}}}{10^{\Delta P/10} \cdot L_{FSPL}} \cdot \frac{1}{\|\mathbf{P}_{sv,i}(t) – \mathbf{P}_{sp}(t)\|} \cdot \frac{1}{G_{tx,i} G_{rx}}
$$
This formulation ensures that the spoofed signal remains power‑dominant while mimicking realistic free‑space path loss and antenna gain patterns.
2. Effective Spoofing Envelope
The GPS C/A code chip length is approximately 293 m, and the autocorrelation main lobe spans about ±1 chip. To achieve a smooth pull‑in without causing correlation‑peak distortion, we define two critical code‑phase thresholds:
- Recommended traction threshold Δτ ≈ 0.5 chips: maximises the discriminator’s pulling force while avoiding significant destructive interference.
- Coherence maintenance threshold Δτ < 1.5 chips: beyond this limit, the spoofed signal degenerates into multipath interference and may be rejected.
Mapping these chip offsets to horizontal spatial displacement using a minimum satellite elevation of 15° gives:
$$
L = \frac{\Delta \tau \cdot \lambda}{\cos\theta}
$$
where λ ≈ 293 m, θ = 15°. This yields an effective spoofing envelope Ωenv:
$$
\Omega_{env} = \{ \mathbf{P} \in \mathbb{R}^2 \mid L_{crit} \leq \|\mathbf{P}_{sp} – \mathbf{P}_{tr}\| \leq L_{main} \}
$$
which provides a spatial tolerance of approximately several tens of metres to over 150 m, depending on the satellite geometry. This envelope is crucial for handling the initial state uncertainty inherent in real‑world China UAV drone interdiction scenarios.
3. Two‑Phase Spoofing Mechanism
3.1 Phase I: Active Probing and Takeover Verification
Rather than immediately injecting a large position offset, the spoofing system first transmits a series of oscillatory probing signals within the safe envelope. The probing consists of a small lateral perturbation that alternately increases and decreases the perceived cross‑track error (a “cross‑zero” test). We monitor the drone’s physical trajectory via an external radar or electro‑optical sensor. A hypothesis test based on the sliding‑window maximum normalised cross‑correlation ρmax is used to decide whether the spoofing signal has seized control of the receiver’s tracking loops:
$$
\rho_{\max} = \max_{\tau \in [0, \tau_{\max}]} \frac{\int_{t-T_w}^{t} \Delta\mathbf{P}_s(\nu) \cdot \Delta\mathbf{P}_o(\nu+\tau) \, d\nu}{\sqrt{\int_{t-T_w}^{t} \|\Delta\mathbf{P}_s(\nu)\|^2 \, d\nu \cdot \int_{t-T_w}^{t} \|\Delta\mathbf{P}_o(\nu+\tau)\|^2 \, d\nu}}
$$
where ΔPs is the injected spoofed deviation, ΔPo is the observed physical response residual, Tw is the sliding window length, and τmax is the maximum expected response delay (e.g., 1.5 s). A decision threshold δ = 0.89 and a confirmation duration of 4 s were determined via Monte‑Carlo simulations (2000 runs, false‑alarm probability < 1%) to reliably declare loop takeover.
3.2 Phase II: Local Kinematic Model Identification
Once takeover is confirmed, we need to characterise how the China UAV drone’s heading φ responds to perceived lateral errors d. Because the autopilot’s control law is unknown, we approximate the local heading‑error relationship using a second‑order polynomial surrogate model:
$$
f(d; \mathbf{n}) = n_1 d^2 + n_2 d + n_3 \approx \varphi
$$
The optimal parameter vector n* is obtained by minimising the sum of squared residuals between the model prediction and observed heading data collected during the probing phase. The R2 coefficient is used to assess fit quality:
$$
R^2 = 1 – \frac{\sum_i (\varphi_i – \hat{\varphi}_i)^2}{\sum_i (\varphi_i – \bar{\varphi})^2}
$$
Table 1 reports the fitting results for three probing patterns: single‑sided inward, single‑sided outward, and cross‑zero (bidirectional).
| Probing pattern | R² | Max residual (°) | RMS residual (°) |
|---|---|---|---|
| Single‑sided inward | 0.9999 | 1.42 | 0.38 |
| Single‑sided outward | 0.9999 | 1.51 | 0.41 |
| Cross‑zero (bidirectional) | 0.9266 | 10.24 | 3.87 |
The single‑sided patterns yield excellent fits (R² ≈ 0.9999), confirming that a second‑order polynomial adequately captures the local dynamics. The cross‑zero pattern produces a noticeable degradation (R² ≈ 0.9266) due to the nonlinear control reversal when the perceived lateral error crosses zero. This nonlinearity, however, serves as a distinct signature: after verifying takeover via the cross‑zero probe, we revert to a single‑sided pattern for accurate parameter extraction in the subsequent trajectory‑planning stage.
3.3 Constrained A* Trajectory Planning
With the inverse kinematic mapping established (i.e., given a desired heading φdes, we compute the required spoofed lateral deviation dreq), the spoofing system must generate a continuous sequence of spoofed waypoints that remain within the effective envelope Ωenv at all times. We employ a modified A* planner that incorporates three key enhancements over the standard algorithm:
- Constraint handling: During node expansion, any successor whose spoofed lateral deviation exceeds Lmain is pruned immediately to avoid loss of lock.
- Kinematic‑aware expansion: Node successors are limited to those reachable within the drone’s maximum turn rate ωmax = 20°/s and constant airspeed V = 20 m/s, ensuring physical feasibility.
- Customisable cost function: Two mission‑oriented strategies are supported:
- Efficiency‑oriented – minimises cumulative physical flight distance to drive the drone out of the protected zone as quickly as possible:
$$G(n) = G(n-1) + \|\mathbf{P}_n – \mathbf{P}_{n-1}\|$$ - Stealth‑oriented – minimises trajectory curvature to avoid triggering onboard spoofing detectors by simulating gradual drift:
$$G(n) = G(n-1) + w_1 \|\mathbf{P}_n – \mathbf{P}_{n-1}\| + w_2 D_{\perp}(\mathbf{P}_n, \mathbf{P}_o)$$
where D⊥ is the perpendicular distance to the baseline route, w1 + w2 = 1.
- Efficiency‑oriented – minimises cumulative physical flight distance to drive the drone out of the protected zone as quickly as possible:
The planner outputs a series of spoofed positions Psp(k) that are then mapped to code‑phase delays and Doppler shifts using the signal model of Section 1, and transmitted in real time by the SDR hardware.
4. Simulation Results and Discussion
4.1 Trajectory Divergence under Different Strategies
We simulated a non‑cooperative China UAV drone flying at constant altitude with an initial heading of 90° (eastward), cruising at 20 m/s. The spoofing system was located at a ground station at (0,0). After a probing phase of about 10 s, the system switched to either the efficiency‑oriented or stealth‑oriented trajectory plan. The drone’s physical motion was governed by a nonlinear heading controller with saturation:
$$
\varphi_{des} = \theta_{path} – \frac{\pi}{2} \cdot \tanh(k \, d_{per})
$$
where k is a gain, and the actual heading rate was capped at ωmax = 20°/s:
$$
|\varphi_{i} – \varphi_{i-1}| \leq \omega_{\max} \Delta t
$$
The physical position update was:
$$
\mathbf{P}_i = \mathbf{P}_{i-1} + V \Delta t \begin{bmatrix} \cos\varphi_i \\ \sin\varphi_i \end{bmatrix}
$$
Table 2 compares the actual flight distance required to reach a given lateral off‑track distance under the two strategies.
| Target lateral off‑track distance (m) | Efficiency strategy (m) | Stealth strategy (m) | Efficiency improvement (%) |
|---|---|---|---|
| 500 | 600 | 708 | 15.3 |
| 1000 | 1140 | 1288 | 11.5 |
| 1500 | 1678 | 1830 | 8.3 |
| 2000 | 2216 | 2370 | 6.5 |
| 2500 | 2756 | 2908 | 5.2 |
| 3000 | 3294 | 3446 | 4.4 |
The efficiency strategy achieves up to 15.3% reduction in flight distance for short diversions, but the advantage diminishes as the required diversion increases because the drone reaches its turn‑rate saturation early and then flies in a straight line. The stealth strategy sacrifices speed for covertness: the heading changes are more gradual, and the trajectory curvature is lower, making it harder for onboard anomaly detectors to flag the deviation as a spoofing attack.
The figure above illustrates the spatial trajectories produced by both strategies for a 2000 m lateral diversion. The efficiency path (blue) shows an aggressive turn immediately after the probing phase, while the stealth path (green) exhibits a smooth, gentle curving pattern that mimics natural drift. In practice, defender operators can select the appropriate strategy based on the threat level: use the efficiency strategy when a hostile China UAV drone is about to breach a high‑value boundary, or the stealth strategy when a safe, undetected capture over a longer distance is desired.
4.2 Sensitivity to Initial State Uncertainty
To evaluate the robustness of our strategy against imprecise initial state information, we introduced random position errors uniformly distributed between 50 m and 150 m in the target’s initial coordinates supplied to the spoofing system. In all 500 test runs, the probing phase successfully verified loop takeover within 12 s, and the subsequent trajectory planning still guided the drone to the capture zone (defined as a 50 m radius circle) with a success rate of 99.2%. The mean additional flight distance due to initial uncertainty was only 3.7%, demonstrating that the effective spoofing envelope provides ample tolerance for realistic sensor inaccuracies. This resilience is critical for field‑deployed counter‑UAV systems, where radar and electro‑optical trackers inevitably introduce measurement noise.
5. Conclusion
This paper presented a complete generative GPS spoofing framework for the capture of non‑cooperative China UAV drone platforms under uncertain initial states. The key contributions are threefold:
- An effective spoofing envelope derived from DLL code‑phase constraints (0.5–1.5 chips) and satellite geometry, which provides a physical feasibility boundary that accommodates initial position uncertainties of up to 150 m.
- A two‑phase takeover mechanism that uses active probing to verify loop control even when the target’s initial state is imprecisely known, followed by local kinematic identification that achieves R² > 0.9999 for single‑sided deviations.
- A constrained A* planner with customisable cost functions that generates either efficiency‑oriented (shortest path) or stealth‑oriented (low curvature) spoofed waypoint sequences, all strictly confined within the safe envelope.
Simulation results confirm that the strategy reliably diverts a target China UAV drone to a designated capture area, with flight distance reductions of up to 15.3% under the efficiency objective. Future work will extend the approach to full three‑dimensional motion, incorporate online model adaptation for highly agile drones, and validate the system through hardware‑in‑the‑loop experiments in realistic multipath and interference environments.