How To Commute for Free

Saturday, February 21, 2026

Table of Contents

Let me be clear before we dive in: I don’t ride for free, and I don’t condone fare evasion. I’m sharing this because I believe in transparency and education. Not because I want to teach you how to freeload.

The New System in a Nutshell

DSB, Denmark’s national railway company, recently rolled out a shiny new digital ticketing system. The idea is simple: you check in at your departure station, take your train, and check out when you arrive. The app calculates the distance you traveled and charges you accordingly. No more fumbling with a Mifare card.

Sounds great in theory. But the moment I heard about it, my first thought was: how can i break this?

Especially since DSB doesn’t have the cleanest track record: a serious vulnerability in their Rejsekort system had already been exposed years prior.

There’s one important detail: when you check in, the app generates a QR code that refreshes every few seconds. Ticket inspectors on board scan this code. So simply not checking in isn’t an option. You’d have nothing to show when they come.

The Concept

Here’s the idea that came to mind: GPS spoofing.

What if you could trick the app into thinking you never left the station? You check in, board the train, ride. but as far as the app knows, you’re still standing on the platform where you started.

You’d still have the regenerating QR code to show to ticket inspectors. Everything looks legit on their end.

Then, when you arrive at your destination, you check out. The app sees that your start and end location are identical, zero distance traveled, and charges you nothing.

First Attempt

I rooted an Android phone using Magisk and installed a stack of modules to make it work:

• HideMockLocation (LSPosed module) — to hide the fact that I was faking my GPS
• PlayIntegrityFork and SafetyNet Fix — to bypass root detection

With those in place, I installed a GPS mocking app and disabled Google Location Sharing, Location Accuracy, and Wi-Fi and Bluetooth scanning in the phone’s settings. I also enabled Developer Options and selected the mocking app as the mock location provider.

Everything was ready. I installed DSB’s new Rejsekort app, fired up the location spoofer, and …

Denied. The app refused to work unless Google Location Sharing, Location Accuracy, and Wi-Fi and Bluetooth scanning were all enabled. It was actively checking for these settings — a decent first line of defense.

Second Attempt

I discovered something interesting: DSB still had their older app available on the Play Store: DSB app. It also had the same check-in/check-out functionality.

I tried the same spoofing setup against it and… it worked.

The older app didn’t enforce the same location setting requirements. It happily accepted the spoofed GPS coordinates.

Now for the real test. I checked in at a station, let’s call it Station A, and boarded a train while my phone’s GPS was pinned to Station A. Mid-journey, a ticket inspector came through, scanned my QR code, and everything checked out. No issues.

I arrived at Station B, checked out, still spoofing my location as Station A, and the result?

Zero charge. The app calculated zero distance. It worked.

Limitations & Caveats

Before anyone gets too excited, this exploit isn’t bulletproof:

If more than 30 minutes passed between check-in and check-out, the system would charge you regardless. So long-distance trips were off the table.

More importantly, ticket inspectors can view your previous trips. If every single one of your trips starts and ends at the same station, that’s going to raise some suspicion. Still, for short trips? It worked perfectly.