WIRELESS VILLAGE - "It's not Wi-Fi": Reverse engineering and managing radio signals

WIRELESS VILLAGE - "It's not Wi-Fi": Reverse engineering and managing radio signals
Its not wifi stories in wireless RE
the hello boys and girls. welcome to the wireless village and welcome to the tarp that dominic in our and i are about to give. i'm rice.
and i'm dominic yes and spent thirteen hours and slash l three play with them like france which i was really have is going to work and it very smoothly words and then i spoiled it by going after getting my name out. and don't make this rust going to talk about it's not wife by which is largely about why this reverse engineering and what you do with signals you might find that kind of non-standard and and things like that and there are some pictures of us on the slides. in provocative poses because i mean we still can do this through roddick interpretive dance we can i really come on the icon and you want to move on when i was going second and out why.
this point in the weekend. so it's so this took as idea came out a few weeks ago when ross rust e-mail be to say happy it's not why friday which is celebrating the second anniversary of a of very very very long e-mail for the two of us had with someone who we met for a mailing list who. to was really really keen to show us captures of these with signals they were saying and these with signals what kind of play fairly common they were relatively strong women away he when we saw the stuff that we have all seen in recognize over and over and part of the frustration was the stubbornness of the. to all who was seeking not just advice from us but from a lot of other people to include some of the other wizards in the space like drag worn and my cost men and it just went on and on a is so in other words he was like shopping for an answer that placated his particular narrative rate he was looking for. someone to come from his assumption that he discovered something nefarious from the government and and i will happen on this this given days at some point he just sense this this this cap to join capture fall through here and and or go to coatings of it my own has not been work is why five so k. ok let's not why. if i can you can you help me with the analysis let's get past the its wife i think it was my life i have what you see what you mean that lets get past the its wife i hang and it's like well because it's not like fight this is not why five will likely be wife i don't think we can get across this may yet anyway so so you receive tells me to celebrate this every year but he did once. sami a fifty one page p.d.f. of failure also said the signal some screenshots of which appear in this talk and also that was a risky click of a p.d.f. to open because of trevose good speech has taught us anything that p.d. of can be very dangerous if you had to have been sent around thirty three hundred people so i mean that this is a great fit. king it's actually like get me so invested in proving to you that you're wrong on the internet. and then yeah and then send me a p.d.f. and all click on not so it at the end of the day we both felt that those as common narrative about people seeking assistance on signals and things that they were trying to decode i saw this thing and what i do with it. so this is essentially going to be our advice to everyone else in the room when you do come across something that you don't necessarily recognize and how to approach it and what i'm probably going to suggest that you do with it other than beating yourself into the wall had first yet and and it's also kind of sets down some ideas of what you can do before you ask for help and that's not. not to say we or other people on super willing to help you but if you sense if you send the screen shots of a with signal icon ticket from the screen shot while much this war is about that were about to do that i can't really describe it from the screen shot like it there are a lot of things you can do to help yourself before you help us for help and their law.
of extra information that might have when i provide support for the open source software my first question to a lot of users is what are you trying to achieve because usually what they're trying to solve this problem acts and they can also be a problem x. and i saw from next fall in the west but that solutions from next dozen so problem whitehall know they say. but originally i was trying to so problem why like why didn't you also be about problem when the first place because his the lake two minute one line solution to back but we spent three days going around to so problematic because you thought it would flow from what it's called the x.y. problem is a website about it and it's. it's frustrating because it's a waste of everybody's time including the person looking for help exactly so when it comes to all things wireless radio and so on so forth it starts with your antenna and it starts with your equipment and it starts with how we're going to start observing the signals many folks trite.
but in my experience of approach wireless communications because why fires wireless well there's actually a whole bunch of abstraction layers between when you receive that packet on the wire or via the colonel space from what's actually happening in the radio interface so when people start using their articles or. or any one of the other permutations of capabilities are out there to start receiving signals there's some very basic things that they have to get sorted out in the first place and this is an old picture from a not talk that drag born and zero myself a given many years ago and it was a with the. tell us the r.'s like the little things that could buy on amazon when he popped open the magnetic bottom of an there was a high probability that the actual antenna feed line was not actually connected to the antenna itself so when people plug it in like i don't see anything except for noise and clocks or whatever else because the physical interface. was this connected there's other things to consider as well some things that would become readily apparent to you if you've got a ham radio operators license so i strongly suggest that you consider that if you have it before but things along the lines of harmonics to attenuation to be a mismatch antenna system. more importantly grounding noise and static and every single time i watch the red it threads of artie less the are like what's a signal and i see a lot of other forms was like was a signal and a lot of the times it comes back to these last few points where there's either bad grounding issue or there's some noise from a. clock sources on their it could be a random harmonic that comes up there or just general static and static base discharges that just causes a spike in your face so what i promote to people is to read these various resources there's two of them there on you can search these terms and fine.
and these free publications that talk about how to properly build a radio receiving station and this is a ham radio one of one sort of thing like you've ever built a hand shack need to make sure that your grounds are good in the of lighting suppression has lighting wants to be your friend don't be lightning's friend will get to that moment but the navy put out a our if i. and book that is absolutely fantastic as it also comes with some really poignant indirect examples such as common noise sources to just one to show it will not let the site somewhere off to its for everyone who fail to get a picture of those your else and i'll make a tweet on the twitter account for your this village will put up some less so.
you can get hold of this information so one of the more common ones is the actual computer that you're using to observe the signals from so who has a power supply on the computer that kind of looks like this where you have a metal case and then the power plug itself as a plastic pluck that's a noise source that plug should actually be metal. in order to make sure that all your grounds are tied together this is called b f g not like in the game quake is a barrier feeding ground. and the other component for people who build ham shacks and such they don't typically pay attention to the problems associated with mismatched metals so you have a ground right outside copper or steal obscene zinc as well and people mismatch the metal types and what you end up having over a period of time is well whether. he gets to it starts to rust starts to fall apart and this is great picture of a grounding rod at the cell phone tower site that was throwing all kinds of wonky harmonics annoy is just from that everything else about the radio equipment was fine and functional it was the ground to the earth ground that a little bit of water and whether got into and said. operated the cap and it turned out that they had mismatched metals that created some rust and that particular fractures so you get a pay attention to some really interesting details and it typically always comes back to your physical capture source your physical air.
as i mentioned lightning wants to be your friend do not be lightning's friend proper ground suppression for lightning strikes for any long term equipment they are going to put an is absolutely critical for the safety of yourself as well as everyone around you to your left is the internet cable for a wife i. for a system that i manage that struck by lightning the radio system survived and the suppression system took the brunt of the strike but it turned that even a cable into the small little brittle twig and when i went back to replace everything it snapped it was kind of freaky. to the right is a picture of shared to me from a couple of days ago from a friend of ours whose house got struck by lightning and had catastrophic severe damage to their house they are still there or not they haven't lived in their house for a couple of months because they're still have to replace repair all the wiring damage associated with. a lightning strike to the house so lightning may find you may not find you do if it does find you be ready for is ultimately what i'm trying to get at so when a lightning strike comes down the had these feelings that come up a strike that can happen a mile away from you can create so much energy inside the wiring of structure in your house as well as your radio systems. systems that can cause damage and still be life threatening so you still need to be very very careful with your grounding systems and infrastructure when it comes to wobble four and is angry farts.
right that's just what my friends. a spat on its ok that was it. right so we're going to we look at some signals eve you've set up the a s. t. are you so you receive a you been being kind of pulling down pulling down to a t.v. looking the spectrum plots was full of what i thought so the first question is is it wife i. are you absolutely sure it's not wife i are you sure it's not bluetooth you really sure how about something else that's really really common in homes smart meters weather stations some the you absolutely sure it's none of those things that someone else's already reverse engineer had so that you don't have to do it. go back for this list a second time and make sure specifically that point of a seven you show your the first person to reverse engineer this. and this happens on michael spin and i reverse engineer the control protocol for some tiny little like ten fifteen or quite cultures a couple years ago and as we were doing that we. looked up the. we looked up the code from the packet like a lightning sequence and we googled it see if it was common for a given radio system and we found a project where some people had already reverse engineer that very system so we we managed to find someone else who have done this thing with google the name of the. when we looked up like various other details about it but as soon as we put in like a ten bites of hacks string it was a unique enough such time that we just found the code and they were kind of halfway through the project we were halfway through the projects we were able to combine our efforts and and we managed to publish respect for them to go influence it but because it's really likely that some. somewhere someone on get hope house like some half assed code to do the thing that you're trying to do but let's assume that you have found something unusual you bought a new device specifically for this someone's built the transmitters someone to take upon was a c.t.f.. there were going so you're looking at all to get a chance to lead diligently slow and now i thought to have as well.
let let's start to look at how we identify things what we're looking at in the in the plot what frequency are we on right now someone shouted out or was that i don't lose and i see just throw a piece of plastic out of the s.s. ok yet plastic. yet so it's a black bags to calm the got to find. so this is to add to forget has and and might this is one a screen shots from the document and so obviously i've been told repeatedly this is not why fight but. if you look at that little yellow dip in the middle of the bright red horizontal lines that's really common in wife on what what happens when you look at a was full of life by his its twenty metres wide his high powered and in the middle there is a little debt in power this is really common for a while for over fifty and one for which is. much anything you going to be saying these days. and that's really gone and it but also you you can use that will dip in the middle to work out where the center of his and the center of it is it about two for one to make us which is the middle of a wife i channel its two point four because it's noisy its high powered it's a anyway his first he is definitely wife i. this poses no wife i dominant does not why i'm sorry a while i saw next one. also from the same document what you know is no notes on this one you again stages a set too high is you are getting less information out that waterfall because you cannot differentiate between noisy in and no quiet signals from everyone was from.
more and more and more dynamic range and then they get their gain settings incorrect and completely destroy their ability to differentiate between loud and quite signals so play around with your going settings make it look a little bit more like this one in this one this guy actually goes games that is quite right.
maybe a little low but the fun and you can see those big white white things across hopefully my bill seem like us a there are some very wise and a promotion or question a screen shot that suffer someone noticed that though yeah yeahs not that's not my laptop that is johnny long as no tech acting things like entering my head right now so so that these. very white why bad things they're all so why fight it's not my five but if you see these little these little ones these little shorter like narrow once very quick packets all over the place that's bluetooth a toll just not want to find that is glued to it and i can tell you categorically oslo to that's i mean it's a looks likely to a whole. it's around likely to have spent so long looking a bluetooth signals in these things that's does a bluetooth sicko don't bother trying to reverse the i mean feel free that their vote rigging do it is for people who have heard that with bluetooth so on i didn't but it's not it's not something unusual you need to reverse engineer you need to go to the bluetooth. the or download the spec and read the speck of how to put together and if you want to have us and generic don't try in reverse engineer a thing like that and i know because that's where my most cases came from. this one this does not wife i was a small parade of mobility scooters i'm pretty sure they hear from me old use anyway. oakley dhobley thing anyway i am so so this screen shot is the person put this in turn it. to claim i think this is helping point works. how how stock of high. i. how stuck on the stage are you ok it. ok i'm just going to keep going. det con folks everyone stay frosty i was there was nothing he said. the worst thing is like this is really solid now this is shaken up so this is going to know the one on the floor get wing so this was going for now to whoever gets the next question right and the uk so so this was to shake your beer not a baby this. wow this is the i'm glad you are so this is this it was sent to us as part of that same fifty one page report and they said this is this is a microwave oven. and they're probably not run that is a microwave oven but i can tell you from the screen shot someone has grabbed to the frequency florida just been willing around because these are at the like this is not a radio system it's like saying goes do this is not to isn't back and forth that just for yeah all they've been wiggling their antenna around move it around. sounds sons moving yet something is moving around like it is really obvious from all of the screen shots that this person is like i've the unsure of what they're looking at or actively lying to us now is not why the problem is this individual chose both pods they chose to. they chose to be unsure about what they're looking at but be so over confident about what they were looking at that that they actively lloyds lied to us when they're asking for help so if you see something like this think about what might be causing it have you just been playing with again stages have just been playing with the tuna let it settle for of it is this radio system something this. this periodic is this radio system something this course because you just put a bag of popcorn in the microwave is this. have you heard it was going in nuclear tesla he made all these kind of crazy things and one of them is like a ghost voice box sort of a pass a radio system when you put your hand near it would gets make different sounds and all this up and pick other pick up other atmospheric radio conditions as well. you mess with again settings incorrectly and you put your hand right up near the antenna you can also just as easily she said like that so few laptops in your lap and your dongle as off to your lap. the. you may end up show saying just like shifting yourself a little bit is some variance unknown amplitude and some the signals have come by or even some frequency offsets around because you are a body of water last minute know yet especially at two point four gigawatts i mean i saw friends. dragone said somewhat find out what's the stars cons and he he talks about how the wife i worked perfectly until the people arrive here if as the most big why five building sex of me and eight you are going to throw off two point four because i mean there's a reason it's not a chunk of the frequencies back. from the the f.c.c. involved various other organized organizations around the world want to charge people extortion amounts for licences and because it's terrible that's why we get to use it for wife i put the unlicensed bonds are also because we get to do amazing amazing area absolute would have time so we're quarter of the wind so when not a quarter of the way into.
the slide no room that so if if you definitely definitely want to reverse engineer signals like if we've got to the point where of convince you that you know what wife looks like and you know what those who looks like and you know a microwave oven looks like an f.m. broke us radio and all these things then we're at the point where we need. it's all looking to the tools we can use so twenty dollars you can pick will tell us the odd angle. almost anyone here will show you how to to use it. if you want a bit more high performance s.t.r. the hacker of one plate or refuse to pay if you want to radio dongle this not as the r.c. don't have to think about that messy and look section yardstick one are a cat there are various right on this is a crazy fly radio for to 1.4 has sometimes hacker but the combat edges can be modified to do it is where oh there's a bit. both should remember that one because i was working. we did that highly everybody to and then on their right hand side of the slow because and tools various different different tools for looking at signals other in real time offline for identifying signals their these to your els f.c.c. die always a little happiness script thing i wrote once if you want. the horrible job scripts look at how it's run it allows you to take the f.c.c. id fun the back of a device s.e.c. die i afford such that the c.r.d. will show you the f.c.c. filings fell apart that device so immediately you will know what frequencies on probably if you read the test report what it's been with is or what his motivation. that is or any of that sort of stuff and seek id wiki is a group of people who put together signals on the wiki and identify them and they say i found this out four point three gigabytes its this why his a screen shot his are captured so whatever those are you assemble all you have a waterfall screen shot of a no go as far as didn't have. knowing where it is where they have observed that from it's a very powerful resource so if you're just like looking for something you go there first to see if anyone also seen the exact same thing which is going to save you a ton of effort and and this is also goes back to that a you show someone hasn't tried to reverse engineer before you and maybe a few fine. and on that you'll find someone else's got a little bit further than you or they've got some ideas like a better catch the new have or they know how to clean a capture all they have had ideas all they can say well i saw it in the us but a no one's ever seen outside of us ok well maybe a saying this licence within the united states or so on so far so. and so like an example of some of the softer of coders that are out there everyone has seen the program r.t.l. for thirty three you have this but number better in your head than i do but how many different devices has it gotten it approximately so on sale for thirty three i actually look this up about fifteen minutes guy if you look at that get how page also forty. that thirty three has the code is built into it for one hundred and seven different devices high pressure sensors remote cuba century systems because weather stations extend my motivation and of the home alternation temperature senses so you have. wallace them sat in your house that connects back to your boiler that things probably using four three three megahertz if it's its older and why five its model right and so depending on where you get from so there's a fair chance this thing already understands a smart meters these sorts of things it has code in in there for a whole bunch. these things and there's a fair chance of someone implements the radio system if an iphone building a temperature sensor that i want to be wallace i'm not going to invent my radio price go i'm going to buy and off the shelf are of solution and therefore it's probably going to be an almost identical packet format to something the article for the full thirty three already supports so you may not know what may have river. essentially the thing you're generous reverse engineer before but they mean they may have reversed into something with an almost identical pocket format or attend school or nave all similar style of communication say modulation same check some all that sort of thing and you don't have to worry about that stuff you've just got to find something that all. here for thirty three supports and and then just modified. and then the the other stuff we're site is also the left than which is an f.m. brokaw sti code for it it's like and losses to get those water for plots this software out there i mean also less the auto calm has a list of software that supports the auto s.t.r. don't go and eighty's huge in his stuff two satellites weather satellite. it's up on screen. this stuff to the tools for across location a body in the us via a all that stuff so if you if you step up from not so so you can do that for twenty bucks twenty books and all that everything we thought about was free software download it as a good test to just start with to see that thing hasn't been reversed already four. yourself to israel effort sort of a first a gadget which i don't know that we mention this is so i work for one of the work for a school graduates who manufacture the hacker f. but i would generally prefer if you're unsure about which best deal to buy you should buy the twenty dollar also s.t.r. and work out what you need because until you know. so whether you need why frequency range where the need to hide dynamic range with you need by sampling high sampling rate transmit and receive or just received and to you can work out what it is you want from an s.d.r. i don't want you to come bought a necessary always when you to come by apart and i love you all to buy a product that that are necessary. everyone knew it was sort of his if it's wrong for you because it actually doesn't change anything in terms of achieving what you want to achieve so it's all change the side to the journalist are often say hackworth fair enough. but you can use the radio and loads and loads of people have written really cool tools for going right ago and they wrote them with late really powerful expensive as the oz years ago and now you get to pick up a late three hundred dollar s.t.r. and you get to implement like a pager system and tie a page. the network or like just some systems on a on a plater at things like this you can implement used again its software you can go and download pipe bombs fergie radio has a huge number of packages and at that the mostly just work out the box with a fair amount of reading love documentation lot of reading lot of reading it. and the other thing is like also become a fifty it's even better with foster mode. it's even better if you can record the catches from there and open up an inspector i'm a mike my don't worry you have mentioned again a minute oia don't go anywhere gender us reacted so universal ready to hackers a tool that have used a couple of times in order to a start working on like i've got a sample of stuff and i want.
start looking at it you know there's a lot of documentation others as a storage as a way file and you know open it up and audacity and then pull out a ruler and put scots to as catch tape on your display in his day in ways that universal radio hacker has really broken down the process for me into. two main three steps in one tool which is fantastic and your three steps are you got to be able to get that signal and start figuring out what the different types of way forms you're dealing with are you dealing with manchester and coating and if you are going to be fun but their once you start getting that bite stream.
orbitz stream out of being able to turn that but stream into meaningful data you still do it inside that same tool and if you're working with a system which euro lawfully able to communicate with your able to then generate generate data back in order to test to make sure that what it is you're working on is actually really and truly working. it has taken to remember getting into this stuff many many years ago and one of the tools of used was bob line and this tool was suggested by many many folks and bottom line is an interesting you know first time experience like being.
the three year old and getting on a mountain bike for the first time in your parents saying go and shoving downhill high have a very dark childhood anyway as the. the first time i used it. figured out how to start navigating the tool and pulling the date and also in a minute for as are fresher but also talking to my cost and before grace got gadgets with a hacker rest are getting really really crazy was back with the job record and the aisles looking at my alarm system like what am i look at that and started going through the exact same. areas that were sharing with the us to how we got to figure out what we're doing so bottom line it's useful law still use it. the the thing about it is that has course not.
the i've never updated i'm told it has a greater than fifty make a pass anyone correct me say yes now is the truth is. ok better version does work better so i don't have the beta version so what i do is i still take the capture fallen use d.d. to break it up in the fifty megabytes segments because it won't processing thing beyond that and it is the version that i have and. in the example that i have for you is already quite small so the other things that you have to do with it is a make sure that you select a watcher its two channels because you got your i q opposed to it and his and eight that on site in a day.
the stream and then when he opened it up you get this as a screen shot for your fifty mag sample and clicking on as little funny or get used to that the but this is a fantastic screen shot of a nuke signal from a car key chain and as you zoom in the old way of doing.
it was too you know take that and put your laptop on the side or takes can chat and rotate the image and you know pull out some graph paper or some other really really painful thing so i really recommend using other tools but it's still a very useful one to be able to use. in order to try to determine where a certain nuances are with the signal of the other ones are kind of being a bit difficult with the and some of those nuances can be clear start and end of a a transmission for certain things and so on so forth.
so yet so so for a while we were talking about the shortcomings of bloodline away with what can i actually knew my hands in the second so i'm going to allow house move again this is why i don't know if anyone so we speak yesterday but at some point someone else had to use me as a mike stand. holder front yard to have ever known as i later in the men's room so spectrum inspection was a to over in kind of to address some of the shortcomings in board line it is free and open source it was written by michael to this i mean you can say on my stand up to. yeah. thank you sir. so for years and years everyone was focused on that sort of thing to me and everyone else is ever in any software and it's just really nice girl to do it to mike because he's actually he's a lovely lovely guy but he's also a little bit shy about this so you should go to him later and now asking more than spectrum. actually he's happy to talk about what i'm saying this because i genuinely believe it's true but is happy to talk about it and also if you have issues with it raised them on get help. oh wait i love them of this yet have the right this is this is going to be quick this is how to reverse engineer something within spectrum realistically this is the bit of the talk that you might care about most a once you're done with all run thing about someone else's already done this before you so you can hope that for me ok this is a captcha.
fall i took from going to radio call last year when it was one of the c.t.f. to capture all of a pager must have been closer to the screen a minute so so of load up in spectrum.
unlike board line which were. russell saying you have to turn your laptop on the side to get the way round you want this thing has frequently on the vertical axis and time on the horizontal axis move which is you have turned out candy somewhere well i am struggling with. actually on nov it. are they are. here is some data this looks really promising its bright brightly coloured data in a kind of see a sea of kind of background noise i can play with my power settings on the side so that kind the pops out nicely and we get rid of some of the blow around the edges because radio transmitters on what cheap radio. such as and and this thing is the cheapest of the cheap radio transmitters i mean you can buy this thing i wasn't that is no f.c.c. certified. it is and i took it upon is so great. but was so you want to make you want to kind of get rid of more than one point two most greens if you can see it you want to diminish some of these these loads of it played by turning up the max power and this should be fine and then what we should be able to do is at a drive plot and which people pull it down to the center frequency. sharing this in a little bear come scroll down to the bottom makes it appears beneath it was. here goes. america's looks much better that does not all about much better. what this work we tested at five minutes ago and on this is a good service anything. ok. i'm cheap book. now that is what added hey mike my using your musical to wrong and i feel bad about this because you and i you sat me down and told me how to do this a minute ago anyway so i have got this dr paul the bottom and this is the amplitude of the signal and it just looks significantly worse than it did ten minutes ago but also. the work was actor says.
and you know that that looks like it's of things so but that's the more courses and it's not quite lining up so it's probably go marcus the with wrong so let's assume it's a bit more narrow that looks good mix well if we could use a mouse. the kid i told him i may go all right so what i've done as i have lined up a lot of these these a vertical lines in here with the with the symbols of the bottom and then i can just keep increasing number of courses and seeing if it wants a it lines up with the transitions every time that means of probably found where we change between ones and zeros what we switch bits in the signal and i can just keep going. i wish and on. they go area i can just keep going and any kind of keep going you can once again but that further and so you can kind of a justice so it's a bit more correct across the whole thing and looks pretty good so i can now do as i can i can right click on us again and i can add a threshold plot and all that does it says. this will set a minimum value was somebody and will threshold it to the binary one his error. and yet because i screwed up the power settings. so go. i am not get computers. ok so what we've end up with hair is if way. of this way. some people and then at the bottom we've got a binary plot and that looks very similar stamp that the plot because we've got such a clean signal but really it's just the threshold of the and she put any way and then i click on this one more time and i do extract symbols to stand out and minimize this and what you'll notice on the screen right here i've got.
i'll hear what it would make it bigger hot i don't remember how to do this. there you go. what unites us as it does the binary of those symbols cutting edge because points to stand out so i've gone from a signal that was just another to capture that i grabbed us and in a couple of minutes i've got binary output for one of the packets now i can repeat that for every packet that i find enough. while i can look to see if that the same if it's repeating transmissions if it's modifying it's changing them i can let see if their code numbers does it look like if we have different transmissions over time does it look like they've got different see all season to section a lot of analysis i can do want to want to get a bit but i'm no longer worrying about radio at this point all and looking at his pocket data. and this was a pager system and i was a number eight on the page or and i was able to just pull out the appropriate filled in the binary modify a retrenchment i make one of the other pages boss and that one points in the c.t.f. and it was a super simple as a soup simple challenge once he knew how to use the tools but i've just gone through. in what to three minutes year any probably took me a couple of hours to get it right and to make sure that i was receiving the right thing and spend some time universe evening wife i and and all sorts of other things but once you learn how to use the tools that son that's an s.d.r. jones that you might find in water c.t.f. all that something you might find when you buy a device. and it takes it takes minutes with a tool that can spectrum so as a fantastic piece of software and i highly recommend which one of these is actually that we are the rest of this is mostly you know that and then what we do is we take the same data we take so now we know i've received or it so i know what frequency was on.
i have determined there was ample achieve more joy to it being frequency much related i just would have seen. two levels in that in a plot and i could have just done exactly the same thing but applied to write court for frequency modulation. so you can eyeball that you don't even there's no there's no kind of magic automated method for determining what is you just libel that and you learned over time by analysing more and more samples get i get the dates right out of if i have over two in spectrum.
at the side here i have my simple period i have my data right have my bit period and i can use that to then program on it.
i can use that to program don't know this is the odds they want this is our have kept this is the allstate one transmission code and so or receiving could sorry and so this will just configure those values i've just determined from in spectrum into the outset one dongle i will then use that use that likes. that going i will leave that part in school running and it would just dump every pack it sees to the screen for me i just automated the process that i took three minutes to complete manually and it's just going to happen for me and and it's going to do those things the screen and is this this is it this is all the piping coating that file this all you need set the was just doesn't include. well as set the set the values of the into a modem for what you're trying to receive and then it would just give them to you and at that point you can leave it running overnight as people play around with this thing or whatever you need to come back to and do your analysis on it later easy peasy limits wheezy yeah but sometimes you can do even more than half that sometimes you want to potentially keep. mark of devices that are coming on to it yet exactly so is going to be well. so there was a year and the wonderful world of that is inside my head and the dark creature corners of fun bags and unicorns the project. came. but out of my head started couple years ago and i call it so close again and that the purpose of it was as my wife and i just moved to new house is pretty far back in the property line and i wanted to know who and what was coming up my property to ascertain whether or not i need to put pants on or not and of my mother in law was coming. but to visit then pants off. so on so forth so the purpose of it was to start off with why find this was during the time period in which devices when they probed for wireless networks it was still mostly use their true mac address so some of the still works but isn't entirely true but the wireless network ideas that are there that they are probing for over and over. over and over can still be used to be unique enough in order to determine who's device that is if you know who is physically or house the other cool thing that i have actually added to it over time with some bluetooth stuff some t p m s stuff i'm working on a mass and alternator thing with r.t.l. s d r's and what is now allowed me to determine his. not just who is coming but even mail services like that fed ex just show up as at the same fed ex guy that's not creepy so my wife of beth made me build in a time period which this information would decay just from organic capture until i flagged as someone who i wanted to track and identify and that part. it is important in a moment so it's a no the terms bates based upon to work so small home small office in his intelligence and i built on a budget and with that ref resource that we had mentioned earlier with the sick id a wiki that was in very very important for me to be able to use in order to help. interpret some signals that i was getting from the article s.d.r. to determine whether or not it was worth my time to put and to try to record that particular on the transmission.
first steps first you've got a collector baseline of everything the have gotten around to this is some of the things about the antenna farm that i haven't on my attic and garage in other places have the festive coli colin your coaxial antenna on your right and that used to live in a window for a long time and beth said get that out of here. he said but it's festive and loss that argument.
so the. i finally got a rudimentary system in place that was doing why find bluetooth and little bit of a t p m s and it was really really interesting for a couple reasons from the bluetooth side i had no idea there have so many tickle me elmos of my neighborhood. and that was fun the other thing was one halloween came around i notice that i had a lot of neighbors whether as societies of the home address well so you know you think about it you set your s.s. idea of your home address was out your own wallets we know your address but now i know it's you with your device and where you live based upon. on the network that your probing for so i turned that into an entity is tracking a neighbor who's dog was dedicated in our yard. so that was a fun interaction but what was really important was a problem that my neighbors were having and they were noticing as i live in one of those neighborhoods where people leave their cars on locked in their houses on locked and it's like i won't be the low hanging fruit i'm obviously not the low hanging fruit but they. are and that's a lifestyle and i'm not going to try to our your change that but they were noticing that they would have anything from like fifty cents to what ultimately ended up being one hundred eighty dollars overnight stolen from the car they leave their wallet their phone their laptops and all that sort of stuff and what i later determined out of it was that criminals know that when things are stolen that are electronic they can be disabled and track but. cash is king and we have a question of like you know did you talk to your kids do you need to have a scare talk with your kids are your kids stealing i think it's your kids not wife i was so anyways. i created operation catch the fucker and originally it was just let stand up a surveillance camera i do a lot of hunting so people when they work at night they can act like deer and some regards so i set up a camera had to move his car over in the driveway and put some blind spots in the air. areas so the guy would when the at the time it in knows a guy but when he came through he would you know feel that those little bit more comfortable to his car was set the camera up on like. it's friday evening and.
well he showed up that evening and this is not the identifying photo there's better ones of him but he's coming up to the car and he's like got a flashlight in his hand you see bodies like strobing it because he now sees this thing there that he hasn't seen before and in the first day we got him on the car coming up to the car and looking at it that that's got to. school so we showed it to the detectives they recognize who he was because he was a frequent customer and the during the interview process as i suggested to the detectives that you get a warrant for the phone to get the bluetooth and mac address offer the phone because i happen to have this we're dataset. that i've been running for like over a year and it's totally not creepy it's fine. and let's see what happens and ago ok well the guy consented they didn't need a war and sure enough i gave in the back address iran and the data set and thing i got hits every single night that there was a reported thefts in my neighborhood and that was awesome i was like this this thing augmented my normal surveillance camera system. so that i was cool and i was also the purpose of the project for me was to get back into writing packet decoders and. sniffers and see and all that stuff and drag warned this was the other thing that the dominant and i were reflected upon is like there's a lot of mike's who work in the radio space my career schama osman and it just keeps going on and on and on so anyone know what my costume and looks like. not awesome and simon a drag on my car shot are only one person this is old man why fine and old man why fi couple years ago and i were talking about my project and that i had written a whole web you i do it in your database in system and then he reached out to me because i may have killed.
project by revamping all of his men and a new data aggregation service and functionality with the web un which is awesome i'm ok with this have been working with them suggestions and we all have put code and but mike is awesome of that's his patriotic and please you if you never get a chance. the sea and at least support his beer fund by signing up for that right so his met our see one i believe just when out yelling last week he put out release candidate for this new version is a complete rewrite a mostly right eights it's going to wait you are now instead of that that can only encourages you.
why the bunch. it's got a whole bunch of nonsense yet also in us not come on it's ok so yet it but is really really fantastic as now you can run it on any kind of hardware so like though the demonstration over there is running on a raspberry pies zero that is monitoring everything in this room and a way that you just play. get into a device without actually having to compete bigger at the just i think is meant by local and you're off to the races but there's also some other things about kismet in conversation with the soho second stuff and i haven't totally started putting in sensor code into it yet because you know time money energy and. sleep and it wasn't until recently that reached out to my cousin hey just how hard is it to you know i have a thing i want kids meant doing just that thing as i saw that your do an article for thirty three with it and all these other sort of a project sane. this and see the jury rapidly wrapping it and python and just firing it added it's like that looks awesome easing is no. so we're going to come to step through that process as to why it's a no but it makes a lot of sense.
so the other modules that are in there that you may not necessarily know are things about zig bee there's r.t.l. for thirty three so those like hundred and nine ish hundred and seven and other devices weather stations and on stuff are going to be invested in kismet u.a.b. drone systems are in their there's the wave and that that's. just what what's there right now just no pull it down now to get them pilot your easy as easy and good to go the other thing that mike wanted to relate to everyone is a he is a writer a fantastic writer of fantastic documentary of his code and instructions and the link on the bottom is. is linked to. the developer source information that explains all the different data types that you could ever want to know about it in great detail and some folks will say hey just look at the code there's your example he provides a visual examples inside of it as well it's just the guy is overly thoughtful and a very good way for everyone to be able to pick it up and run with it. so you shed having developed code for casement before the for the unity of projects are uncomfortable casual x. songs so. having had. historically it's really really easy with his documentation things so they don't be if you do get to the stage way you are you found something you want to monitor you think this might be a great back and to monitor this thing and you need to get your code into it. don't be afraid of adding co tickets meets super straightforward his help and documentation so with that you are writing code for his met is for the next few slides is going to be a lot like how you draw this damn now you know you draw two concentric circles on the next you know you gotta for canal. staring you in the face of but there's some things i'm going to talk to you about that are the important things to consider the codes already there for and the docking patients already there for you to be able to fill in the blanks with but these are the parallels and the things consider when you decide to go into writing your own sensors and telemetry so the background for the importance of me. doing this is that for the west village hopefully by smoke on all have an electronic bad either finishes prototyping are available where you'll be able to play most of our c.t.f. from the bad for both wife i bluetooth and software to find radio so that's my goal don't hold me to it so first that you have to define a. the physical interface you have to define a physical layer kismet doesn't know what you're giving it and it's written in c. plus plus so you're going to have to define something so it can ingest that data and nowhere to have take the square pag and all that sort of stuff and once you've you know mentally got that construct around. i had the next few steps stuff start falling into place the other thing that is absolutely important to take a look at the demo code for dealing with tracking of the packets as they're coming in and tracking of the devices this is easily done it's just a couple of lines of code that you can just copy and paste and rename to fit for the device that you're looking to try to monitor. but those are absolutely incredible critical in order for kids meant to know what has just been given to it so it knows where to put those various bits of the data step to. awaits i got a head myself so i thought for the constructs and c. plus plus so when i was like you know you have a bite stream and kismet doesn't know what to do with that if you've ever written a pack it's never before and see you may remember lippi cap and you have struck for a packet i just got a packet. what part of the packages the ip addresses this of t.c.p. or u.d.p. and then you have those variously of various defines frocks same sort of concept so on the right of the strain is the radio tap patter radio tap hatter that defines everything that goes into that particular interface you'll have to define something very very similar so you give it a name. the type and then you know kind of a bit of an awesome. so step to then you can even write some python and the python piece is going to be the glue that goes from the output of the tool that you just wrote and shoves it into kismet and the closer to jaison that you make your tool easier this will be for you so less quickly talk about r.t.l. for thirty three when he. on it from the command line this is the jaison that bar sound edgy in the consul you get the time of the brand of us model so on so forth and then the actual values and from the sea plus plus side you can take a look at the head or fall and you see inside of it that there's pretty much the exact same things he defined the different types of devices that are coming in. and via jaison and then the components of that code are all identical amongst all those different things is to shoving it into a different market so you know which bucket the then later pull it from right so that's the hatter side and these are exactly like each one of those functions are pretty much exactly the same from each other but if you take. i remember the jaison you can have multiple different types of values form already knowledge to see plus plus side kismet just got a packet just got this you know blob of data that just came and was going to do with it so it's going to take that jason field split up and then follow whichever object class that it is going to. need to execute could on in order to shove it into whatever container needs to run and it's pretty much that simple to do the r.t.l. for thirty three code in c. plus plus for both the hatter and the a source code itself is almost because of tabs and that spaces and you know beautiful a form. added things and all that sort of stuff it's probably about one hundred twenty lines of code it's not that complex. now in the python side specifically with r.t.l. for thirty three there's this of function for message queuing. that is unique to that particular application so mike rapid that into it as well and that from the python side you define your python source and you get to know and i going to use this particular message transport medium in or to shut across or not and if you are then it has its other known could base know. to execute without against that and then finally you just say i want to open a device and then it just takes the output from standard and and than just shoved into kismet for you in life speech so it's pretty much easy peasy limits wheezy like that that looks a little bit scary and a little bit difficult.
like his stupidly helpful on that's the documentation is way more verbose but those are the main concepts and constructs you got this data stream come in and kismet needs to know how to compartmentalise it into the different types of objects the objects are very well and that documented and identified for you in your classes for both the public and private bonus and then you. to shove the date around and it's a copy paste for the most part of that particular function and that's that have been that if your planner with a whole nation will you find something at home like anything with that i'll sale for three thirty three were expanding the existing to if you can get into the article for thirty three to you have to rise zero code. to get into casement because it's been done for you if you can you can leverage an existing to help its its it's mostly done for you and if you get if you ever want to get stuff into casement to get that kind of looking going to regularly all sick dragone questions over oil see the last game of casual question about. some variable blake go away and make breakfast and come back and be like a thirty one response which is sleek now been integrated into the docks the be a code sniff it like the he's so helpful in somalia is a bit confusing i think smoking cessation i fix my coat i fix your code you know when you're an idiot. and i would like that yeah i'm like i should tell you feel like an idiot but he never said i kind of like a bit like you have not really sure what the day but yeah so of his so helpful if you have to do want to get stuff into casement but if you wanted to discover the reverse engineering thing to download and spectrum might walters has run away. to hear your aunt's your questions but he will be around and you'll be around tomorrow anand the super sub begin to reverse engineering things as well as means we have some experience in it so if anyone does have anything that kind of hacking on a working on a moment let's note and i'm happy to talk about it and remember it's not why fi.
get very rarely wife and they have very early life and that's our top that's that's also quit done. there are took office yes there is talk after us wonder why some the busy he said.