Well hello boys and girls, welcome to the Wireless Village and welcome to the talk that Dominic and I are about to give. I'm Russ, I'm Dominic. Yes. And it's been 13 hours since my last shell. Sorry, I was playing with the microphone switch and I was really hoping it was going to work and it very smoothly worked and then I spoiled it by going yes after getting my name out. I'm Dominic, this is Russ. We're going to talk about It's Not Wi-Fi, which is largely about wireless reverse engineering and what you do with signals you might find that are kind of non-standard and things like that. And there are some pictures of us on the slides in provocative poses because I mean we still can do this through a rather interpretive dance. I really can't. I can't. Do you want to move on? No, I was just going to say I can't bend that way, at least at this point in the weekend. So this talk idea came out a few weeks ago when Russ emailed me to say Happy It's Not Wi-Fi Day, which is celebrating the second anniversary of a very, very, very long email thread the two of us had with someone who we'd met via a mailing list who was really, really keen to show us captures of these weird signals they were seeing, and these weird signals were kind of like fairly common. They were relatively strong no matter where he went. It's stuff that we have all seen and recognized over and over, and part of the frustration was the stubbornness of the individual who was seeking not just advice from us but from a lot of other people, to include some of the other wizards in the space like Dragorn and Mike Ossmann. It just went on and on. So in other words he was like shopping for an answer that placated his particular narrative. Right. He was looking for someone to confirm his assumption that he discovered something nefarious from the government, and what happened on this given day is at some point he just sends this giant capture file through and audio decodings of it. Audio is not going to work. It's Wi-Fi.
But it's not Wi-Fi. Can you help me with the analysis? Let's get past the It's Wi-Fi thing. But it's not Wi-Fi. What do you mean? Let's get past the It's Wi-Fi thing. And he's like well because it's not Wi-Fi. It's not Wi-Fi. Well why can't it be Wi-Fi? I don't think we can get past this, mate. Anyway, so Russ emails me to celebrate this every year, but he did once send me a 51-page PDF of his analysis of this signal, some screenshots of which will appear in this talk. And also that was a risky click of a PDF to open, because if Travis Goodspeed has taught us anything, it's that PDFs can be a very dangerous type of document to send around to random people. This is a great phishing attack actually. Get me so invested in proving to you that you're wrong on the internet, and then send me a PDF and I'll click on that. So at the end of the day we both felt that there was this common narrative about people seeking assistance on signals and things that they were trying to decode. I saw this thing and what do I do with it? So this is essentially going to be our advice to everyone else in the room for when you do come across something that you don't necessarily recognize and how to approach it, and what I'm probably going to suggest that you do with it other than beating yourself into the wall head first. And this also kind of sets down some ideas of what you can do before you ask for help. And that's not to say we or other people aren't super willing to help you. But if you send me screenshots of a weird signal I can't decode it from the screenshot. Well actually that's not true, because we're about to do that. But I can't really decode it from the screenshot. There are a lot of things you can do to help yourself before you ask for help and there is a lot of extra information. When I provide support for open source software my first question to a lot of users is what are you trying to achieve?
Because usually what they're trying to solve is problem X and they come and ask me about problem X and I solve problem X for them and they say well that solution to problem X doesn't solve problem Y. And I was like well no. But originally I was trying to solve problem Y, and like why didn't you ask me about problem Y in the first place, because here's the like two minute one line solution to that. But we spent three days going round to solve problem X because you thought it would solve problem Y. It's called the XY problem. There's a website about it. And it's just frustrating because it's a waste of everybody's time including the person looking for help. Exactly. So when it comes to all things wireless, radio and so on and so forth, it starts with your antenna. And it starts with your equipment and it starts with how you're going to start observing the signals. Many folks, in my experience, try to approach wireless communications because Wi-Fi is wireless. Well there's actually a whole bunch of abstraction layers between when you receive that packet on the wire or via the kernel space and what's actually happening in the radio interface. So when people start using their RTL-SDRs or any one of the other permutations and capabilities that are out there to start receiving signals, there's some very basic things that they have to get sorted out in the first place. And this is an old picture from a talk that Dragorn and Zero and myself had given many years ago, and it was with the RTL-SDRs, like the little things that you could buy on Amazon; when you popped open the magnetic bottom of them there was a high probability that the actual antenna feed line was not actually connected to the antenna itself. So when people plug it in, like I don't see anything except for noise and clocks or whatever, because the physical interface was disconnected. There's other things to consider as well.
Some things that would become readily apparent to you if you've got a ham radio operator's license, so I strongly suggest that you consider that if you haven't before, but things along the lines of harmonics to attenuation to a mismatched antenna system and more importantly grounding, noise and static. And every single time I've watched the Reddit threads of RTL-SDR, like what's the signal, and I see a lot of other forums where it's like what's the signal, a lot of the times it comes back to these last few points where there's either a bad grounding issue or there's some noise from a clock source that's on there. It could be a random harmonic that comes up there, or just general static and static-based discharges that just cause a spike in your interface. So what I promote to people is to read these various resources. There's two of them there. You can search these terms and find these free publications that talk about how to properly build a radio receiving station, and this is a ham radio 101 sort of thing: like if you've ever built a ham shack you need to make sure that your grounds are good and you have lightning suppression because lightning wants to be your friend. Don't be lightning's friend, and we'll get to that in a moment, but the Navy put out an RFI handbook that is absolutely fantastic because it also comes with some really poignant and direct examples such as common noise sources. We'll upload the slides somewhere afterwards for everyone who failed to get a picture of those URLs. I'll make a tweet on the Twitter account for the Wireless Village. We'll put it up somewhere so that you can get hold of this information. So one of the more common ones is the actual computer that you're using to observe the signals from. So who has a power supply on the computer that kind of looks like this, where you have a metal case and then the power plug itself is a plastic plug? That's a noise source.
That plug should actually be metal in order to make sure that all your grounds are tied together. This is called BFG, not like in the game Quake. It's a barrier feed and ground. And the other component for people who build ham shacks and such: they don't typically pay attention to the problems associated with mismatched metals. So you have a ground rod outside, copper or steel. I've seen zinc as well, and people mismatch the metal types and what you end up having over a period of time is, well, when water gets to it, it starts to rust, starts to fall apart, and this is a great picture of a grounding rod at a cell phone tower site that was throwing all kinds of wonky harmonics and noise. Just from that; everything else about the radio equipment was fine and functional. It was the ground to the earth ground that a little bit of water and weather got into and separated the cap, and it turned out that they had mismatched metals that created some rust and that particular fracture. So you've got to pay attention to some really interesting details, and it typically always comes back to your physical capture source, your physical layer. As I mentioned, lightning wants to be your friend; do not be lightning's friend. Proper ground suppression for lightning strikes for any long-term equipment that you're going to put in is absolutely critical for the safety of yourself as well as everyone around you. To your left is the ethernet cable for a Wi-Fi antenna for a system that I managed that got struck by lightning. The radio system survived and the suppression system took the brunt of the strike, but it turned that ethernet cable into this small little brittle twig, and when I went back to replace everything it snapped. It was kind of freaky. To the right is a picture shared with me a couple of days ago from a friend of ours whose house got struck by lightning and had catastrophic severe damage to their house.
They are still, they're not, they haven't lived in their house for a couple of months because they're still having to replace and repair all the wiring damage associated with a lightning strike to the house. So lightning may find you, it may not find you. If it does find you, be ready for it, is ultimately what I'm trying to get at. So when a lightning strike comes down you have these feelers that come up. A strike that can happen a mile away from you can create so much energy inside the wiring infrastructure in your house as well as your radio systems that it can cause damage and still be life-threatening. So you still need to be very very careful with your grounding systems and infrastructure when it comes to Thor and his angry farts. All right, let's, uh, do you want to swap microphones? I spat on it. Okay, that was... All right, so we're gonna, we're gonna look at some signals. You've, you've set up your SDR, you've set up your receiver, you've been, been kind of pulling down, pulling down data, you've been looking at spectrum plots, waterfalls, whatever. So the first question is, is it Wi-Fi? Are you absolutely sure it's not Wi-Fi? Are you sure it's not Bluetooth? Are you really sure? How about something else that's really, really common in homes? Smart meters? Weather stations? Some of the, are you absolutely sure it's none of those things that someone else has already reverse engineered so that you don't have to do it? Go back through this list a second time and make sure, specifically like point number seven, are you sure you're the first person trying to reverse engineer this? Uh, and, and this happens to us all. Mike Ossmann and I reverse engineered the control protocol for some tiny little, um, like $10, $15 quadcopters a couple years ago.
And as we were doing that, we, um, looked up the, uh, um, we looked up the, uh, like a, a code from the packet, like a, a whitening sequence, and we googled it to see if it was common for a given radio system and we found a project where, uh, some people had already reverse engineered that very, um, system. So we, we managed to find someone else who'd already done this thing. We'd googled the name of the system. We'd looked up like various other details about it, but as soon as we put in like a 10-byte hex string, it was a unique enough search term that we just found that code, and they were kind of halfway through the project and we were halfway through the project and we were able to combine our efforts and, and we managed to publish a spec for them to go and implement it. But, but there's, it's really likely that somewhere someone on GitHub has like some half-ass code to do the thing that you're trying to do. But let's assume that you have found something unusual. You've bought a new device specifically for this. Um, someone's built a transmitter, someone, you're taking part in a wireless CTF. Um, huh. There we go. So you're looking at a waterfall. Did I, did I jump two slides? No, never mind. I thought I had as well. Um, let, let's start to look at how we identify things. What we're looking at in the, in the plot. What, what frequency are we on right now? Someone shouted out. Who was that? All right. Don't lose an eye. Just throw a piece of plastic at them. Yeah, that's just kind. Oh, okay. Yep. It's plastic. Yeah, it's a, it's a black badge to a con that you gotta find. Um, so this is two, uh, 2.4 gigahertz and, and like, this is one of those screenshots from that document. And so obviously I've been told repeatedly this is not Wi-Fi. But if you look at that little yellow dip in the middle of the bright red horizontal lines, that's really common in Wi-Fi.
What, what happens when you look at a, uh, waterfall plot of Wi-Fi is it's 20 megahertz wide, it is high powered, and in the middle there is a little dip in power. This is really common for, well, for OFDM Wi-Fi, which is pretty much anything you're going to be seeing these days. Um, and that's really common. And it, but also you, you can use that little dip in the middle to work out where the center of it is. And the center of it is at about 2412 megahertz, which is the middle of a Wi-Fi channel. It's 2.4 gigahertz, it's noisy, it's high powered, it's a, anyway. It's bursty. It is definitely Wi-Fi. Uh, this person. But that's not Wi-Fi. Dominic, that's not Wi-Fi. Oh, sorry. Yeah. Uh, so, so our next one, uh, also from the same document, what you'll note is, oh, note on this one, your gain stages are set too high. It is, you're getting less information out of that waterfall because you cannot differentiate between, uh, noisy and, uh, quiet signals. Right. Everyone searches for more and more and more dynamic range, and then they get their gain settings incorrect and completely destroy their ability to differentiate between loud and quiet signals. So, play around with your gain settings, make it look a little bit more like this one. In this one, this guy actually got his gain settings quite right. Uh, maybe a little low, but they're fine. And you can see those big, wide, wide things across. Uh, hopefully you might be able to see my cursor. There are some very wide, and a promotion request in that screenshot. That's the first time I noticed that. Oh, yeah, yeah. That's not, that's not my laptop. That is, Johnny Long's No Tech Hacking thing is like triggering in my head right now. So, so, but these very wide, wide band things, they're also Wi-Fi. It's not Wi-Fi. But if you see these little, these little ones, these little shorter, uh, like narrow ones, very quick packets all over the place. That's Bluetooth. I told you it's not Wi-Fi. That is Bluetooth.
And I can tell you categorically that's Bluetooth. That's, I mean, it's, it looks like Bluetooth. It hops around like Bluetooth. I've spent so long looking at Bluetooth signals in these, in these things. That's, that's a Bluetooth signal. Don't bother trying to reverse it. I mean, feel free. They have a great meeting on Wednesdays for people who have dealt with Bluetooth so long like it doesn't. But, but it's not, uh, it's not something unusual that you need to go and reverse engineer. You need to go to the, to bluetooth.org, download the spec and read the spec of how it's put together if you want to reverse engineer it. Don't try and reverse engineer a thing like that. Uh, and I know because that's where my master's thesis came from. Um, this one, this, that's not Wi-Fi. Uh, there's a small parade of mobility scooters and I'm pretty sure they're here for me. Oh jeez. Um, anyway, uh, let's jump. Um, okey-dokey. Anyway, so, so this, uh, this screenshot is the, the person put this in to, uh, to claim. I think this is how Bitcoin works. How, how stuck, ah, how stuck on the stage are you? Okay. Okay, I'm just gonna keep going. Uh, welcome to DEF CON folks. Everyone stay frosty. I, do you know the worst, the worst thing is like this is really solid now. This is shaken up. So, uh, this is getting thrown out. No, no. The one on the floor is getting winged. So this one's getting thrown out to whoever gets the next question, right? Um, uh, okay. So, so this was, this was. Shake your beer, not a baby. This. Wow. This is, I have no idea. Um, so this is, this was sent to us as part of that same 51-page report and they said, this is, this is a microwave oven, and they're probably not wrong that it is a microwave oven. But I can tell you from the screenshot, someone has grabbed the frequency slider and just been wiggling it around, because these are, like, this is not a radio system. Yeah, it's like someone just did this.
Took the tuner and went back and forth, back and forth. Yeah. Or they've been wiggling their antenna around, moving it around. Sometimes moving. Yeah. Something is moving around. Like it is really obvious from all of these screenshots that this person is either unsure of what they're looking at or actively lying to us. Now. It's not Wi-Fi. The problem is this individual chose both paths. They chose to, they chose to be unsure about what they're looking at, but be so overconfident about what they were looking at that, that they actively lied, lied to us when they're asking for help. So if you see something like this, think about what might be causing it. Have you just been playing with the gain stages? Have you just been playing with the tuner? Let it settle for a bit. Is this radio system something that's, that's periodic? Is this radio system something that's caused because you just put a bag of popcorn in the microwave? Is this? Have you all heard of this guy named Nikola Tesla? He made all these kind of crazy things and one of them was like a ghost voice box, sort of a passive radio system. When you put your hand near it, it would make different sounds and all that stuff, and it would pick up other atmospheric radio conditions as well. Well, if you mess with your gain settings incorrectly and you put your hand right up near the antenna, you can also just as easily see something like that. So if your laptop's in your lap and your dongle is off to your lap, what you may end up seeing just from like shifting yourself a little bit is some variance in amplitude in some of the signals that come by, or even some frequency offsets that kick around. Because you are a body of water, last I knew. Oh yeah, especially at 2.4 gigahertz. I mean, so our friend, our friend Dragorn sets up Wi-Fi networks for various cons and he talks about how the Wi-Fi works perfectly until the people arrive, and he refers to them as big Wi-Fi absorbing sacks of meat.
And like, you are going to throw off 2.4 gigahertz. I mean, there's a reason it's not a chunk of the frequency spectrum that the FCC and various other organizations around the world want to charge people extortionate amounts for licenses in, because it's terrible. That's why we get to use it for Wi-Fi, but the unlicensed bands are awesome because we get to do amazing things with them. Yeah, absolutely. How are we doing for time? We're a quarter of the way in. Oh, well, we're not a quarter of the way into the slides. No, but we'll round through on. Okay. So if you definitely, definitely want to reverse engineer signals, like if we've got to the point where I've convinced you that you know what Wi-Fi looks like and you know what Bluetooth looks like and you know what a microwave oven looks like and FM broadcast radio and all these things, then we're at the point where we need to start looking at the tools we can use. So for $20 you can pick up an RTL-SDR dongle. Almost anyone here will show you how to use it. If you want a bit more high-performance SDR, you've got HackRF One, BladeRF, USRP. If you want a radio dongle that's not an SDR, so you don't have to think about that messy analog section: YARD Stick One, RfCat. There are various radio dongles. There's a Crazyflie radio dongle for 2.4 gigahertz. Sometimes hacker con badges can be modified to do it as well. Yeah, oh, there's an Ubertooth. I should remember that one, because I work on it. I think you deleted that. Yeah, I probably did. And then on the right hand side of this slide we've got some tools, various different tools for looking at signals, either in real time or offline, for identifying signals. There are the two URLs. fcc.io is a little hacky script thing I wrote once. If you want to see horrible JavaScript, look at how it's written. But it allows you to take the FCC ID you find on the back of a device; fcc.io forward slash that FCC ID will show you the FCC filings for that device.
So immediately you will know what frequency it's on. Probably, if you read the test report, what its bandwidth is, or what its modulation method is, or any of that sort of stuff. And sigidwiki is a group of people who put together signals on a wiki and identify them. And they say, I found this at 4.3 gigahertz. It's this wide. Here's a screenshot. Here's a capture, whatever. There's an audio sample. Yeah, they have a waterfall screenshot of it. And if they go as far as identifying where it is and where they've observed it from, it's a very powerful resource. So if you're just like looking for something, you could go there first to see if anyone else has seen the exact same thing, which is going to save you a ton of effort. And this also goes back to that: are you sure someone hasn't tried to reverse engineer it before you? And maybe if you find it on there, you'll find someone else who's got a little bit further than you, or they've got some ideas, or they've got a better capture than you have, or they had a cleaner capture, or they have had ideas, or they can say, well, I saw it in the US, but no one's ever seen it outside of the US. Okay, well, maybe it's something that's licensed within the United States, or so on and so forth. Yeah, so like an example of some of the software decoders that are out there, everyone has seen the program rtl_433. You have this number better in your head than I do, but how many different devices has it got in it approximately? So rtl_433, I actually looked this up about 15 minutes ago. If you look at the GitHub page, rtl_433 has decoders built into it for 107 different devices: tire pressure sensors, remote keyless entry systems for cars, weather stations, X10 home automation and other home automation, temperature sensors, so you have a wireless thermostat in your house that connects back to your boiler.
That thing's probably using 433 megahertz if it's older and Wi-Fi if it's modern, and so depending on who you get it from, there's a fair chance this thing already understands it, smart meters, these sorts of things. It has code in there for a whole bunch of these things, and there's a fair chance if someone implements a radio system, if I'm building a temperature sensor that I want to be wireless, I'm not gonna invent my own radio protocol, I'm gonna buy an off-the-shelf RF solution, and therefore it's probably gonna be an almost identical packet format to something that rtl_433 already supports. So no one may have reverse engineered the thing you're trying to reverse engineer before, but they may have reverse engineered something with an almost identical packet format or a similar style of communication, same modulation, same checksum, all that sort of thing, and you don't have to worry about that stuff, you've just got to find something that rtl_433 supports and then just modify it. And then the other stuff on the other side is rtl_fm, which is an FM broadcast decoder for it, there's analyzers to get those waterfall plots, there's software out there. RTL-SDR.com has a list of software that supports the RTL-SDR dongle, and it is huge, and there's stuff to do with satellites, weather satellites as I've put on screen, there's stuff to do with, there's tools for aircraft location, ADS-B, ADS-B, all that stuff. So if you step up from, so you can do that for 20 bucks, 20 bucks and all that, everything we talked about was free software, you just go download it. And it's a good test to just start with, to see if that thing hasn't been reversed already for yourself. There's a no-effort sort of first step. Yeah, actually, I don't know that we mentioned this at the start. I work for Great Scott Gadgets, who manufacture the HackRF.
But I would generally prefer, if you're unsure about which SDR to buy, you should buy the $20 RTL-SDR and work out what you need, because until you know whether you need a wide frequency range, whether you need high dynamic range, whether you need high sampling rate, transmit and receive or just receive, until you can work out what it is you want from an SDR, I don't want you to come and buy it. I don't necessarily always want you to come and buy our product. I mean, I'd love you all to buy our product, but I don't necessarily want you to buy our product if it's wrong for you, because it actually doesn't gain you anything in terms of achieving what you want to achieve. So I changed the slide to be general SDR rather than say HackRF. Fair enough. But you can use GNU Radio, and loads and loads of people have written really cool tools for GNU Radio, and they wrote them with like really powerful, expensive SDRs years ago and now you get to pick up a like $300 SDR and you get to implement like a pager system, an entire pager network, or like GSM systems on a BladeRF, things like this, you can implement it and it's again, it's software you can go and download. PyBOMBS for GNU Radio has a huge number of packages in it that mostly just work out of the box with a fair amount of reading, a lot of documentation. A lot of reading. A lot of reading. The other thing is like osmocom_fft, it's even better with phosphor mode. It's even better if you then record the captures from there and open them up in inspectrum. Hey Mike. Hi Mike. Don't worry, you get mentioned again. In a minute. Oh yeah. Don't go anywhere. Do you want to do Universal Radio Hacker? So Universal Radio Hacker is a tool that I've used a couple of times in order to start working on like, I've got a sample of stuff and I want to start looking at it.
You know, there's a lot of documentation out there that says, hey, store it as a wave file and, you know, open it up in Audacity and then pull out a ruler and put Scotch tape on your display, and it's bleh. Anyways, Universal Radio Hacker has really broken down the process for me into the main three steps in one tool, which is fantastic. And your three steps are: you gotta be able to get that signal in and start figuring out what the different types of waveforms you're dealing with are. Are you dealing with Manchester encoding? And if you are, it's going to be fun. But then once you start getting that bit stream out, being able to turn that bit stream into meaningful data, you can still do it inside that same tool. And if you are working with a system with which you're lawfully able to communicate, you're able to then generate data back in order to test to make sure that what it is you're working on is actually really and truly working. It has taken, I remember getting into this stuff many, many years ago and one of the tools that I used was Baudline. And this tool was suggested by many, many folks. And Baudline, it's an interesting first-time experience. It's like being a three year old and getting on a mountain bike for the first time and your parents saying go. And shoving you downhill. I had a very dark childhood. Anyways, the first time I used it, I figured out how to start navigating the tool on pulling the data in, and I'll show you in a minute as a refresher. But I was talking to Mike Ossmann before Great Scott Gadgets with a HackRF started getting really, really crazy. It was back with the Jawbreaker. And I was looking at my alarm system and like, what am I looking at? And started going through the exact same experience that we're sharing with you as to how we got to figure out what we're doing. So Baudline, it's useful, I still use it. The thing about it is that it has quirks. And I've never updated, I'm told it has a greater than 50 meg capacity.
Anyone correct me? Say yes now? Is it true? Is, okay, the beta version does work better. So I don't have the beta version. So what I do is I still take the capture file and use dd to break it up into 50 megabyte segments because it won't process anything beyond that, at least the version that I have. And the example that I have for you is already quite small. So the other things that you have to do with it is make sure that you select quadrature. It's two channels because you've got your I/Q components to it. And it's an eight bit unsigned data stream. And then when you open it up, you get this as a screenshot for your 50 meg sample. And clicking on it is a little funny. You'll get used to that. But this is a fantastic screenshot of a nuke signal from a car key chain. And as you zoom in, the old way of doing it was to take that and put your laptop on the side, or take a screenshot and rotate the image and pull out some graph paper or some other really, really painful thing. So I really recommend using other tools, but it's still a very useful one to be able to use in order to try to determine where certain nuances are with the signal, if the other ones are kind of being a little bit difficult with you. And some of those nuances can be the clear start and end of a transmission for certain things and so on and so forth. So yeah, so for a while we were talking about the shortcomings of Baudline. Oh wait, we swap in. I'm actually gonna need my hands in a second. Wow, that was smooth. Okay, this is, I don't know if anyone saw me speak yesterday, but at some point someone else had to use me as a mic stand. I'm good, thank you. Are you gonna hold it for now? Yeah, I'll hold it for a moment. I'll see you later in the men's room. So inspectrum, inspectrum was a tool written kind of to address some of the shortcomings in Baudline. It is free and open source. It was written by Mike Walters. I mean, you can see it. Come on, Mike, stand up. Yeah! Thank you, sir.
And so for years and years, everyone in the Wireless Village has done that sort of thing to me and everyone else who's ever written any software, and it's just really nice to be able to do it to Mike because he's actually, he's a lovely, lovely guy, but he's also a little bit shy about this. So you should go to him later and ask him all about inspectrum. Give him a hug. He's actually, he's happy to talk about, I'm saying this because I genuinely believe it's true, but he's happy to talk about it and things like that. Also, if you have issues with it, raise them on GitHub. Oh wait, I'm gonna do a live demo of this. Yep, live demo. All right, this is gonna be quick. This is how to reverse engineer something with inspectrum. Realistically, this is the bit of the talk that you might care about most once you're done with all our ranting about someone else has already done this before you. So you can hold that for me. Okay, this is a capture file I took from GNU Radio Conference last year where there was this wireless CTF. It's a capture of a pager. You have to lean closer to the screen in a minute. So I've loaded it up in inspectrum. Unlike Baudline, which Russ was saying, you have to kinda turn your laptop on the side to get it the way around you want, this thing puts frequency on the vertical axis and time on the horizontal axis, which is, yeah, turns out handy. Somewhere, wow, I am struggling. Wow, actually I'm nervous, mate. Okay, all right. Here is some data. This looks really promising. It's brightly colored data in a kind of sea of background noise. I can play with my power settings on the side so that it kind of pops out nicely and we get rid of some of the blur around the edges, because radio transmitters aren't like cheap radio transmitters and this thing is the cheapest of the cheap radio transmitters. I mean, you can buy this thing on Amazon but it is not FCC certified. It is, and I took it apart and it's not great.
But so you wanna kinda get rid of, I don't know why I'm pointing at my screen if you can see it. You wanna kinda diminish some of these lobes a bit by turning up the max power, and this should be fine, and then what we should be able to do is add a derived plot. It's an amplitude plot. Pull it down to the center frequency. Chewing this in a little bit, and scroll all the way down to the bottom here, because it appears beneath it. Now that's... There it goes. There it goes. That looks much better. That does not look that much better. Why did this work when we tested it five minutes ago and not now? Because it didn't sacrifice anything. Okay, amplitude plot. No, that is what I added. Hey, Mike, I'm using your tool wrong, and I feel bad about this because you and I, you sat me down and taught me how to do this a minute ago. Anyway, so I've got this derived plot at the bottom, and this is the amplitude of the signal, and it just looks significantly worse than it did 10 minutes ago, but it'll still work.

Let's add cursors, and that looks like it's a thing, so let's add some more cursors, and it's not quite lining up, so I've probably got my cursor width wrong, so let's assume it's a bit more narrow. That looks good. That looks, well, if I could use a mouse, that would look good. There you go. All right, so what I've done is I've lined up a lot of these vertical lines in here with the symbols at the bottom, and then I can just keep increasing my number of cursors and seeing if it lines up with the transitions every time. That means I've probably found where we change between ones and zeros, where we switch bits in the signal, and I can just keep going. I wish I hadn't done that. There you go. There we go, I can just keep going, and it kind of keeps going. You can, once you get a bit further into it, you can kind of adjust it so it's a bit more correct across the whole thing, and that looks pretty good.
So what I can now do is I can right-click on this again and I can add a threshold plot, and all that does is it says, we'll set a minimum value, we'll set a value and we'll threshold it to binary, one or zero. And yeah, because I screwed up the power settings. There we go. I am not good at computers. There we go, okay, so what we've ended up with here is, if I go for this way, we've got an amplitude plot, and then at the bottom we've got a binary plot, and that looks very similar to the amplitude plot because we've got such a clean signal, but really it's just a threshold of the amplitude plot anyway. And then I right-click on this one more time and I do "extract symbols to standard out", and I minimize this, and what you'll notice on the screen right here, I've got, wow, what, make it bigger. I don't remember how to do this in, there you go. What you'll notice is it dumped the binary of those symbols, cutting it at the cursor points, to standard out.

So I've gone from a signal that was just an arbitrary capture that I grabbed, and in a couple of minutes I've got binary output for one of the packets. Now I can repeat that for every packet that I find in that file. I can look to see if they're the same, if it's repeating transmissions, if it's modifying, if it's changing them. I can look to see if there are code numbers. Does it look like, if we have different transmissions over time, does it look like they've got different CRCs at a section? So a lot of analysis I can do once I get to bits, but I'm no longer worrying about radio. At this point, all I'm looking at is packet data, and this was a pager system, and there was a number written on the pager, and I was able to just pull that out of the appropriate field in the binary, modify it, retransmit it, and make one of the other pagers buzz. And that won points in the CTF.
And it was a super simple, it was a super simple challenge once you knew how to use the tools, but I mean I've just gone through it in, what, two or three minutes? Yeah, yeah. I mean it probably took me a couple of hours to get it right and to make sure that I was receiving the right thing, and I spent some time receiving Wi-Fi and all sorts of other things, but once you learn how to use the tools, that's an SDR challenge that you might find in a wireless CTF, or that's something you might find when you buy a device, and it takes minutes with a tool like Inspectrum. So that's a fantastic piece of software and I highly recommend it. Which one of these is actually, there we go. All right, the rest of this is mostly you, mate. No, you've got that.

And then what we do is we take the same data, we take, so now we know, I've received it, right? So I know what frequency it was on. I've determined that it was amplitude modulated. If it had been frequency modulated, I just would have seen two levels in that plot, and I could have just done exactly the same thing but applied a derived plot for frequency modulation. So it, and you can eyeball it. You don't even, there's no kind of magic automated method for determining what it is. You just eyeball that, and you learn it over time by analyzing more and more samples. I get the data rate out of it. If I tab over to Inspectrum, at the side here, I have my symbol period, I have my data rate, I have my bit period, and I can use that to then program, damn it. I can use that to program a dongle. This is the YARD Stick One, this is RFCat, this is the YARD Stick One transmission code and so, or receiving code, sorry. And so this will just configure those values I've just determined from Inspectrum into the YARD Stick One dongle. I will then use that, like set that going, I will leave that Python script running and it will just dump every packet it sees to the screen for me.
I've just automated the process that I took three minutes to complete manually, and it's just gonna happen for me, and it's gonna dump those things to the screen, and it is this, this is it. This is all the Python code in that file. Like, this is all you need. Set the, well, I guess there's an include at the top. But set the values of the interim modem for what you're trying to receive, and then it will just give them to you, and at that point you can leave it running overnight as people play around with this thing, or whenever you need to, come back to it and do your analysis on it later. Easy peasy, lemon squeezy. Yeah, but sometimes you want to do even more with that after that. Sometimes you want to potentially keep track of devices that are coming around everywhere. Yeah, exactly, so Russ is gonna talk to you about that.

So there was a, in the wonderful world that is inside my head and the dark creature corners of fun bags and unicorns, a project came out of my head that I started a couple years ago, and I call it SOHO SIGINT. And the purpose of it was, is my wife and I just moved to a new house. It's pretty far back in the property line, and I wanted to know who and what was coming up on my property to ascertain whether or not I needed to put pants on or not. And if my mother-in-law was coming to visit, then pants off, so on and so forth. So the purpose of it was to start off with Wi-Fi, and this was during the time period in which devices, when they probed for wireless networks, would still mostly use their true MAC address. So some of this still works but isn't entirely true, but the wireless network IDs that are there, that they are probing for over and over and over, can still be used to be unique enough in order to determine whose device it is, if you know who is physically at your house. The other cool thing that I eventually added to it over time was some Bluetooth stuff, some TPMS stuff.
I'm working on a mass and alternator thing with RTL-SDRs, and what it has now allowed me to determine is not just who is coming but even mail services. Like, did FedEx just show up? Is it the same FedEx guy? That's not creepy. So my wife, Beth, made me build in a time period in which this information would decay just from organic capture, until I flagged it as someone who I wanted to track and identify, and that part is important in a moment. So the term is based upon two words, SOHO SIGINT: small home, small office, signals intelligence. And I built it on a budget, and with that resource that we had mentioned earlier, the SigID wiki. That was very, very important for me to be able to use in order to help interpret some of the signals that I was getting from the RTL-SDR, to determine whether or not it was worth my time to put in to try to record that particular transmission.

First steps first, you gotta collect your baseline of everything that you have going around you. This is some of the things about the antenna farm that I have in my attic and garage and other places. Have the festive collinear coaxial antenna on your right, and that used to live in a window for a long time, and Beth said get that out of here, and I said but it's festive, and lost that argument. So I finally got a rudimentary system in place that was doing Wi-Fi and Bluetooth and a little bit of TPMS, and it was really, really interesting for a couple of reasons. From the Bluetooth side, I had no idea there are so many Tickle Me Elmos in my neighborhood. And that was fun. The other thing was when Halloween came around, I noticed that I had a lot of neighbors who had their SSIDs of their home address. Well, so you think about it, you set your SSID to your home address, well, is that your home, well, we know your address, but now I know it's you with your device and where you live, based upon the network that you're probing for.
So I turned that into an entity. I was tracking a neighbor whose dog was defecating in our yard. So that was a fun interaction. But what was really important was a problem that my neighbors were having and they were noticing. So I live in one of those neighborhoods where people leave their cars unlocked and their houses unlocked, and it's like, I won't be the lower hanging fruit, I'm obviously not the lower hanging fruit, but they are, and that's a lifestyle and I'm not gonna try to argue or change that. But they were noticing that they would have anything from like 50 cents to what ultimately ended up being $180 overnight stolen from the car. They leave their wallet, their phone, their laptops and all that sort of stuff, and what I later determined out of it was that criminals know that when things are stolen that are electronic, they can be disabled and tracked, but cash is king. And we had the question of like, did you talk to your kids? Do you need to have the scare talk with your kids? Are your kids stealing? I think it's your kids, it's not Wi-Fi.

So anyways, I created Operation Catch the Fucker, and originally it was just, let's stand up a surveillance camera. I do a lot of hunting, so people, when they work at night, they kind of act like deer in summer guards, so I set up a camera, had to move his car over in the driveway, and I put some blind spots in the area so the guy would, when, at the time I didn't know it was a guy, but when he came through he would feel that it was a little bit more comfortable to hit the car.
Well, I set the camera up on like a Friday evening, and well, he showed up that evening, and this is not the identifying photo, there's better ones of him, but he's coming up to the car and he's like got a flashlight in his hand that you see, but he's like strobing it cause he now sees this thing there that he hasn't seen before. And in the first day we got him on the car, like coming up to the car and looking at it, and that was kind of cool, so we showed it to the detectives. They recognized who he was cause he was a frequent customer, and during the interview process I suggested to the detectives that you get a warrant for the phone to get the Bluetooth and MAC address off of the phone, cause I happen to have this weird data set that I've been running for like over a year and it's totally not creepy, it's fine. And let's see what happens, and they go, okay, well, the guy consented, they didn't need a warrant, and sure enough he gave me the MAC address. I ran it in the data set and ding, I got hits every single night that there was a reported theft in my neighborhood, and that was awesome. I was like, this thing augmented my normal surveillance camera system, so that was cool. And I was also, the purpose of the project for me was to get back into writing packet decoders and sniffers and C and all that stuff. And Dragorn, this was the other thing that Dominic and I were reflecting upon, it was like there's a lot of Mikes who work in the radio space: there's Mike Kershaw, Mike Ossmann, it just keeps going on and on and on. So, anyone know what Mike Ossmann looks like?
Not Ossmann, sorry, okay, Dragorn, Mike Kershaw. All right, only one person. This is Old Man Wi-Fi, and Old Man Wi-Fi a couple years ago and I were talking about my project and that I had written a whole web UI to it and, you know, databasing system, and then he reached out to me and goes, I may have killed your project by revamping all of Kismet with the new data aggregation service and functionality with a web UI, which is awesome. I'm okay with this. I've been working with him on suggestions and we all put code in, but Mike is awesome. That's his Patreon. Please, if you never get a chance to see him, at least support his beer fund by signing up for that.

All right, so Kismet RC1 I believe just went out, yeah, like last week he put out a release candidate for this new version. It's a complete rewrite, or mostly rewrite. It's got a web UI now instead of that, that, come on, it's got a whole bunch of ncurses, it's got a whole bunch of nonsense. Oh goodness, come on, it's okay. So yeah, but it's really, really fantastic because now you can run it on any kind of hardware. So like the demonstration over there is running on a Raspberry Pi Zero that is monitoring everything in this room, in a way that you just plug it into a device without actually having to configure it, and you just type in kismet.local and you're off to the races.

But there's also some other things about Kismet in conversation with the SOHO SIGINT stuff, and I haven't totally started putting sensor code into it yet because time, money, energy and sleep, and it wasn't until recently that I reached out to Mike and said, hey, just how hard is it to, I have a thing, I want Kismet to ingest that thing. I saw that you're doing rtl_433 with it and all these other sort of projects, saying it's like, I see that you're wrapping it in Python and just firing it at it, it's like that looks awesome and easy. He goes, nope. So we're going to kind of step through that process as to why it's a nope, but it makes a lot of sense. So the other modules that are in there that you may not necessarily know are things about ZigBee. There's rtl_433, so there's like 109-ish, 107-ish other devices, weather stations and all that stuff, that are going to be ingested in Kismet. UAV drone systems are in there, there's Z-Wave, and that's just what's there right now. Just pull it down out of git, compile it, you're easy and good to go. The other thing that Mike wanted to relay to everyone is that he is a writer, a fantastic writer, a fantastic documenter of his code and instructions, and the link on the bottom is the link to the developer source information that explains all the different data types that you could ever want to know about in great detail. And some folks will say, hey, just look at the code, there's your example. He provides additional examples inside of it as well. It's just the guy is overly thoughtful, in a very good way, for everyone to be able to pick it up and run with it. So you should, yeah, having developed code for Kismet before for the Ubertooth project, sorry, I've gone through a more casual, relaxed stance, so having developed Kismet code for the Ubertooth project historically, it's really, really easy with his documentation and things. So like, don't be, if you do get to the stage where you are, you've found something that you want to monitor, you think Kismet might be a great backend to monitor this thing, and you need to get your code into it, like, don't be afraid of adding code to Kismet. It's super straightforward with his kind of help and documentation.

So with that, writing code for Kismet is, for the next few slides, it's gonna be a little bit like how you draw this damn owl. You draw two concentric circles and the next thing you know you got a freaking owl staring you in the face. But there's some things I'm going to talk to you about that are the important things to consider. The code's already there for, and the documentation's already there for you to be able to fill in the blanks with, but these are the parallels and the things to consider when you decide to go into writing your own sensors and telemetry. So the background, the importance of me doing this, is that for the Wireless Village, hopefully by ShmooCon, I'll have an electronic badge either finished in its prototyping or available, where you'll be able to play most of our CTF from the badge for both Wi-Fi, Bluetooth and software defined radio. So that's my goal, don't hold me to it.

So first step, you have to define a physical interface, you have to define a physical layer. Kismet doesn't know what you're giving it, and it's written in C++, so you're going to have to define something so it can ingest that data and know where to take the square peg and all that sort of stuff. And once you've mentally got that construct around your head, the next few steps start falling into place. The other thing that is absolutely important is to take a look at the demo code for dealing with tracking of the packets as they're coming in and tracking of the devices. This is easily done. It's just a couple of lines of code that you can just copy and paste and rename to fit for the device that you're looking to try to monitor, but those are absolutely critical in order for Kismet to know what has just been given to it, so it knows where to put those various bits of data. Step two, oh wait, sorry, I got ahead of myself. So, thoughts for the constructs in C++. So when I was like, you know, you have a byte stream and Kismet doesn't know what to do with that. If you've ever written a packet sniffer before in C, you may remember libpcap, and you have the struct for a packet. All right, I just got a packet, what part of the packet is the IP address, is this TCP or UDP, and then, well, you have those variously defined structs. Same sort of concept. So on the right of the screen is the radiotap header that defines everything that goes into that particular interface. You'll have to define something very, very similar, so you give it a name, a type, and then, you know, kind of a bit of an offset.

So step two, then you can even write some Python, and the Python piece is going to be the glue that goes from the output of the tool that you just wrote and shoves it into Kismet, and the closer to JSON that you make your tool, the easier this will be for you. So let's quickly talk about rtl_433. When you run it from the command line, this is the JSON that it barfs out at you in the console. You got the time, the brand, OS model, so on, so forth, and then the actual values. From the C++ side, you can take a look at the header file and you see inside of it that there's pretty much the exact same things. You define the different types of devices that are coming in via JSON, and then the components of that code are all identical amongst all those different things. It's just shoving it into a different bucket so you know which bucket to then later pull it from. All right, so that's the header side, and these are exactly like, each one of those functions is pretty much exactly the same as each other, but if you take, remember the JSON, you can have multiple different types of values for them. All righty, now on the C++ side, Kismet just got a packet. It just got this blob of data that just came in. What is it going to do with it? So it's going to take that JSON field, split it up, and then follow whichever object class that it is going to need to execute code on in order to just shove it into whatever container it needs to run in. It's pretty much that simple to do. The rtl_433 code in C++, for both the header and the source code itself, is almost, because of tabs and not spaces and, you know, beautifully formatted things and all that sort of stuff, it's probably about 120 lines of code. It's not that complex. Now on the Python side, specifically with rtl_433, there's this function for message queuing that is unique to that particular application, so Mike wrapped that into it as well. And, you know, from the Python side you define your Python source and you give it a, you know, am I going to use this particular message transport medium in order to shove it across or not, and if you are, then it has its other known code base in order to execute with that against that. And then finally you just say, I want to open a device, and then it just takes the output from standard in and just shoves it into Kismet for you, and life is peachy. So it's pretty much easy peasy lemon squeezy. Like, that looks a little bit scary and a little bit difficult. Mike is stupidly helpful on this. The documentation is way more verbose, but those are the main concepts and constructs. You got this data stream coming in, Kismet needs to know how to compartmentalize it into the different types of objects. The objects are very well documented and identified for you in your classes for both public and private components, and then you just shove the data around, and it's a copy-paste for the most part of that particular function, and that's that.

I was gonna say, if you're playing around with like home automation, or you find something at home, like anything with that rtl_433, where you're expanding the existing tool, if you can get it into the rtl_433 tool you have to write zero code to get it into Kismet, because it's been done for you. Like, if you can leverage an existing tool, it's mostly done for you. And if you ever wanna get stuff into Kismet to get that kind of logging going, I regularly ask Dragorn questions over IRC. I'll ask him a casual question about some variable, like, go away and make breakfast and come back, and there'll be like a 30-line response which is like now being integrated into the docs, there'll be a code snippet. Like, he's so helpful, and he's like, oh yeah, that is a bit confusing, I fixed my documentation, I fixed my code, I fixed your code, and you're an idiot. Yeah, yeah, but without being like that. Yeah, yeah. I'm like, I should, well, you feel like an idiot, but he never says that. Can I buy you a bit?

Like, yeah, I'm not really sure what to do, but yeah. So he's super helpful if you ever do, you wanna get stuff into Kismet. But if you wanna do just kind of the reverse engineering thing, go down like Inspectrum. Mike Walters has run away so he doesn't have to hear your, answer your questions, but he will be around, and he'll be around tomorrow, and he's super, super good at reverse engineering things, as well as we have some experience in it. So if anyone does have anything they're kind of hacking on or working on at the moment, let us know and I'll be happy to talk to you about it. And remember, it's not Wi-Fi. Yeah, very rarely Wi-Fi. Yeah, very rarely Wi-Fi. That's our talk. That's our talk, we're done. Is there, is there a talk after us? Yes, there is a talk after us. I wonder why something got busy. Yeah.