Back in the day, when wardriving was still useful (read: before WPA2 was widespread), we used to wander around with a Zaurus in our pocket running Kismet. Today, every cellphone has WiFi and a significantly more powerful processor inside. But alas, the firmware is locked down.
Enter the NexMon project. If you’ve got a Nexus 5 phone with the Broadcom BCM4339 WiFi chipset, you’ve now got a monitor-mode, packet-injecting workhorse in your pocket, and it looks a lot less creepy than that old Zaurus. But more to the point, NexMon is open. If you’d like to get inside what it took to reverse-engineer a hole into the phone’s WiFi, or make your own patches, here’s a great starting place.
But wait, there’s more! The recently released Raspberry Pi 3 has a similar Broadcom WiFi chipset, and has been given the same treatment, turning your RPi 3 into a wireless-sniffing powerhouse. How many Raspberry Pi “hacks” actually hack the Raspberry Pi? Well, here’s one.
We first learned of this project from a talk given at the MetaRhein-Main Chaos Days conference which took place last weekend. The NexMon talk (in German, but with slides in English) is just one of the many talks, all of which are available online.
The NexMon project is a standout, however. Not only do they reverse the WiFi firmware in the Nexus 5, but they show you how, and then apply the same methods to the RPi3. Kudos times three to [Matthias Schulz], [Daniel Wegemer], and [Matthias Hollick]!
When you think of WiFi in projects it’s easy to get into the rut of assuming the goal is to add WiFi to something. This particular build actually brings WiFi awareness to you, in terms of sniffing what’s going on with the signals around you and displaying them for instant feedback.
[0miker0] is working on the project as his entry in the Square Inch Project. It’s an adapter board that has a footprint for the 2×4 pin header of an ESP8266-01 module, and hosts the components and solder pads for a 128×64 OLED display. These are becoming rather ubiquitous and it’s not hard to figure out why. They’re relatively inexpensive, low-power, high-contrast, and require very few support components. From the schematic in the GitHub Repo it looks like 5 resistors and 7 caps.
The video below shows off two firmware modes so far. The first is an AP scan that reads out some information about nearby access points; the second is a weather-display program. Anyone who’s worked with the ESP modules knows that they have the potential to gather all kinds of data about WiFi signals — one of our favorite demos of this is when [cnlohr] used it to create a 3D light-painted map of his WiFi signal strength. Chuck a rechargeable LiPo on this thing, tweak the example code for your needs, and you have a new gadget for wardriving-nouveau.
When [Edward Snowden] smeared the internet with classified NSA documents, it brought to light the many spying capabilities our government has at its disposal. One of the most interesting of these documents is known as the ANT catalog. This 50-page catalog, now available to the public, reads like a mail-order form where agents can simply select the technology they want and order it. One of these technologies is called the Sparrow II, and a group of hackers at Hyperion Bristol has attempted to create their own version.
The Sparrow II is an aerial surveillance platform designed to map and catalog WiFi access points. Think wardriving from a UAV. Now, if you were an NSA agent, you could just order yourself one of these nifty devices from the ANT catalog for a measly 6 grand. However, if you’re like most of us, you can use the guidance from Hyperion Bristol to make your own.
They start off with a Raspi, a run-of-the-mill USB WiFi adapter, a Ublox GY-NEO6MV2 GPS Module, and a 1200 mAh battery to power it all. Be sure to check out the link for full details.
Thanks to [Joe] for the tip!
DEF CON speaker [pukingmonkey] has spent quite a bit of time studying the methods government and law enforcement use to track private citizens’ vehicles on the roads. One of the major tracking methods is E-ZPass, an electronic toll collection system used in several states around the country. [pukingmonkey] cracked open his E-ZPass tag to find a relatively basic circuit. In his DEF CON presentation (PDF), he notes you shouldn’t do this to your own tag, as tags are legally not the property of the user.
The tag runs off a 3.6 V long-life battery. When idle, the tag draws only 8 microamps; during a read, current draw jumps to 0.3 mA. Armed with this information, it was relatively simple to add a current-sensing circuit that outputs a pulse whenever the tag is read. The pulses are then fed into a toy cow, which lights up and “Moos” on each read.
[Corrosion] sent in a tip about the Weaponised Auditing Response System he built inside a suitcase that “has all the tools (and then some) for a wireless assault”.
The WARS is equipped with two WiFi adapters and two Bluetooth adapters for all the wardriving and bluejacking anyone could ever want. [Corrosion] also included a 4-channel 2.4 GHz video scanner for warviewing. Everything runs off of a 12-inch netbook that will eventually run Linux, and we’re really liking the 1970s suitcase aesthetic the WARS has – it looks like [Corrosion] is about to step onto the set of a Beastie Boys video.
We were wondering about including a long-range RFID sniffing antenna (PDF warning) behind the suitcase’s monitor and asked [Corrosion] about it. He said it sounded doable, but he is out of funds at the moment, so if you know how to build a cheap RFID antenna with a 50-foot range, drop [Corrosion] a line.
There’s a video demo with some stills of the build included after the break.
[Kyle] was digging through a box of junk he had lying around when he came across an old USB Bluetooth dongle. He stopped using it ages ago because he was unsatisfied with the limited range of Bluetooth communications.
He was going to toss it back into the box when an idea struck him – he had always been a fan of WiFi wardriving, why not try doing the same thing with Bluetooth? Obviously the range issue comes into play yet again, so he started searching around for ways to boost his Bluetooth receiver’s range.
He dismantled the dongle and found that the internal antenna was a simple metal strip. He didn’t think there would be any harm in trying to extend the antenna, so he soldered an alligator clip to the wire and connected the CB antenna in his truck. His laptop sprung to life instantly, picking up his phone located about 100 feet away in his house. He took the show on the road and was able to pick up 27 different phones set in discoverable mode while sitting in the parking lot of a fast food chain.
While it does work, we’re pretty sure that a CB antenna isn’t the ideal extension for a Bluetooth radio, since it is cut for a completely different band. We would love to see what kind of range he would get with a properly tuned antenna.
Keep reading to see a quick demonstration of his improvised long-range Bluetooth antenna.
Ah the beauty of watching molten solder pull SMD components into place. Yeah, we’ve seen it before, but for some reason it never gets old.
The glory days of wardriving are certainly behind us, but if you’re still hunting for access points in certain areas you can leave the laptop at home. A homebrew program called Road Dog can turn your PSP into a WiFi search device. Your PSP must be able to run custom (homebrew) code to use this app.
Ferrofluid is our friend. But having grown up watching the Terminator and Hellraiser movies we can’t help being a little creeped out by the effects seen in this movie.
Follow along with the NASA astronauts in this 20-minute HD tour of the International Space Station. It’s a cramped place to live, but we can’t help thinking that it looks incredibly clean. After all, where would the dirt come from?
How are your woodworking skills? Can you take a wooden block and turn it on a lathe until you have a lampshade 1/32″ thick? We’d love to see how these are made, but imagine the artist’s reaction when hours of labor are ruined by a minuscule amount of misplaced pressure on a carving tool. Patience, we’ll learn it some day!
This video from the past about the future of travel does leave us wondering why our cars don’t have built-in radar for poor visibility. We’ve already realized the rear-view-mirror TV picture, but we’re going to need your help before the flying police/fire/ambulance-mobile is a common sight. Oh, the fun of seeing a high-tech push-button selector 3:30 into the video. Perhaps the touch-screen was a bit beyond the vision of the time.
Sometimes you have so many servants you need to find creative things for them to do. Only the most discriminating of the super-rich employ a person whose sole responsibility is to erase and redraw the hands of a clock each minute. This video is obviously a result of the global recession as the live time-keeper has been let go; a looping recording took his job!
Last time we checked in with [Marco Tempest] he was syncing video over multiple iPhones. Now he’s at it again with an augmented reality setup. A camera picks up some IR LEDs in a canvas and translates that into information for a video projector. We’d call this a trick, but it’s certainly not magic.