Roll Your Own Tracking

The smartphone is perhaps the signature device of our modern lives. For most of the population it is never more than an arm’s length away; it’s on your person more than any other device in your life. Smartphones are packed with all sorts of radios and ways to communicate wirelessly. [Amine Mansouri] built an ESP8266 based tracking device that takes advantage of this.

Most WiFi-enabled devices will send out “probe request” frames to search for the SSIDs they were connected to. These packets contain the device MAC address as well as the SSIDs you’ve connected to. Using about 12 components, [Amine] laid out a small board in Eagle. By putting the ESP8266 in monitor mode, the probe frames can be logged and uploaded. The code can be updated OTA, making it easy to service while in the field.

With permission from his local library, eight repeater boards were scattered throughout the building to forward the probe packets to where the tracker could pick them up. A simple web interface was built that allows the library to figure out how many people are in the library and how often they frequent the premises.

While this is an awesome project with open-source code on Github, it is important to stress how important it is to get permission to do this kind of tracking. While some phones implement MAC randomization, there are still many out in the wild that don’t. While this is similar to another project that listens to radio signals to determine the coming and going of ships and planes, tracking people with this sort of granularity is in a different category altogether.

Thanks [Amine] for sending this one in!

Nerfnet Tunnels TCP/IP Over NRF24L01 Radios

There’s an excellent chance you’ve already worked with the nRF24L01. These little modules are an easy and cheap way to shuffle data across a 2.4 GHz radio link at a respectable rate, making them great for remote control projects. But after seeing that others had experimented with using these radios to transmit digital audio, [Andrew Rossignol] got to wondering if some software trickery could push the envelope even further.

The result is nerfnet, a Linux program that allows you to tunnel TCP/IP over a pair of nRF24L01 modules. The link appears as a virtual interface, meaning everything happens transparently as far as other programs are concerned. Anything that uses TCP/IP to communicate on Linux can take advantage of this low-cost link, albeit at speeds that most of us haven’t had to deal with in decades.

Though it’s not quite as bad as you might think. Latency is around 50 ms, and after some tweaks, [Andrew] has been able to squeeze almost 300 Kbps out of the link. That’s more than enough for terminal work, and some light audio and video streaming isn’t out of the question.

In terms of range, he was able to maintain a fairly reliable connection at a distance of up to 60 meters (200 feet) outdoors. It might not sound like much, but again, you’ve got to take the cost of these radios into account. If you’re looking to SSH into a Raspberry Pi weather station you’ve got in the backyard, a pair of these could get the job done for just a couple of bucks.

The blog post [Andrew] has put together explains the software in fantastic detail if you’re interested in the nuts and bolts of it all. But if you just want to play around with the idea, you just need to connect some nRF24L01 modules to a pair of Raspberry Pis with short SPI wires to cut down any interference, and follow the instructions. Ideally the radios would have external antennas, but it’s not strictly required.

We’ve seen these modules pushed into service as impromptu Bluetooth Low Energy transmitters in the past, but nothing quite like this. While the latency and bandwidth offered by this technique might seem antiquated to modern eyes, it could be the perfect dedicated communication channel for your sensors, smart devices, or home automation projects.


E-Ink Calendar Paves A Path For All

[Martin Fasani] has set out to build a beautiful low power E-Ink Calendar he can hang on his wall. But perhaps more importantly, the work he has done makes it easier for everyone in the future to have an e-ink display. Many battery-powered e-ink projects connect to some server, download a bitmap image, display the new image, and then go into a deep sleep power mode. [Martin’s] project is no different, but it uses a handy microservice that does the conversion and rendering for you.

The firmware for this ESP32/ESP32S2 based calendar is open sourced on GitHub, with a version based on the Arduino framework as well as the native ESP-IDF framework. One particularly fantastic part of the firmware is a C++ component called CalEPD that drives e-paper displays. CalEPD extends the Adafruit_GFX class and is broken out in a separate repo, making it easy to consume on other projects. Since this supports dozens of different e-paper displays, this simplifies the process of building a calendar with different screens. The firmware includes a Bluetooth setup flow from a smartphone or tablet. This means you can quickly configure how often it wakes up, what it queries, and other important features.

The hardware shown in the demo video has a 7.5″ Waveshare screen with 800 x 400 resolution nestled inside a 3D-printed shell. There is also a 5,000 mAh battery with an ESP32 TinyPICO powering the whole system. The TinyPICO was picked for its incredible deep sleep power consumption. All this fits into a frame just 11 mm thick, for which STL files are available. [Martin] continues to work on this calendar display and has recently added support for FocalTech touch panel controllers. We’re excited to see where he takes it next!

This isn’t the first e-ink display project we’ve seen but this is a great reference to build your own. If you need another good starting point, this weather display might give you that little bit of inspiration you need.


Wireless Earphones And Getting Them Back After They Fall On Tram Tracks

Over the past years, the trend has become to ditch anything with wires. This has led to many people dropping wired earphones and headphones for wireless (Bluetooth) versions. Yet along with the freedom from having the wires snagged on something and having earphones painfully torn out of your ears comes the very real risk of having them drop out of your ears to land somewhere potentially very inconvenient.

In Japan this has led to a big issue for railway companies, where throngs of commuters will often accidentally drop possessions onto the tracks. Staff members will then use a mechanical claw (‘magic hand’) to fetch them without having to risk their life by jumping down. With small items such as wireless earphones, this is however not so easy. With 947 cases of dropped earphones in the period of July-September in just the Tokyo area, this has led to desperate staff members coming up with new methods of easily retrieving the small gadgets.

Solutions range from putting something sticky like tape at the end of a stick, to modifying vacuum cleaners. Most recently Tokyo railway company JR East has collaborated with Panasonic to develop a vacuum cleaner-like device that is especially designed to easily retrieve such small items from the tracks, according to the Japan Times article.

The embedded video (also found after the break) from a Japanese broadcaster describes the issue in detail, along with tips on how to properly wear earphones so that they’re far less likely to fall out when you’re waiting on the tram or walking down the street. While it’s possible to fetch your dropped wireless earphones from the tracks, having someone step on it right after it falls out of your ear on the street is less easy to recover from.


Automated Tools For WiFi Cracking

Knowing how WiFi networks can be attacked is a big part of properly securing them, and the best way to learn about it is to (legally) run some attacks. [Matt Agius] has been going down the WiFi-cracking rabbit hole, and in the process created Pwnagotchi Tools to automate the actual password cracking part.

The first step in cracking a WiFi network is to record the handshake that gets exchanged when a client connects to an access point. This has been made very simple thanks to Pwnagotchi, which turns a Raspberry Pi into an automated handshake collection tool, and Pwnagotchi Tools helps to automate the steps that follow. It downloads the handshakes (pcap files) from the pwnagotchi, and converts them to pmkid/hccapx files to use with the hashcat password recovery tool. Hashcat scripts can then be generated for the actual cracking using any of the attacks that [Matt] has compiled. WPA/WPA2 is slow to crack and requires a lot of processing power, so [Matt] also added the option to automatically provision AWS GPU instances to run the cracking task in the cloud. It also keeps track of the status of each of the handshakes being cracked.

As wireless networks and IoT devices become more pervasive, it’s important to know the dangers, and how to protect against them. WiFi and Bluetooth security is probably the easiest to learn about, but other networks are just as vulnerable when an RTL-SDR is used. Another option is Flipper Zero, a hacking gadget for Sub-1 GHz networks inspired by Pwnagotchi, which recently hit $4.8 million in its Kickstarter campaign.

A Battery To Add A Tingling Sensation To Your Tweets

Internet-connected sex toys are a great way to surprise your partner from work (even the home office) or for spicing up long-distance relationships. For some extra excitement, they also add that thrill of potentially having all your very sensitive private data exposed to the public — but hey, it’s not our place to kink-shame. However, their vulnerability issues are indeed common enough to make them regular guests in security conferences, so what better way to fight fire with fire than simply inviting the whole of Twitter in on your ride? Well, [Space Buck] built just the right device for that: the Double-Oh Battery, an open source LiPo-cell-powered ESP32 board in AA battery form factor as drop-in replacement to control a device’s supply voltage via WiFi.

Double-Oh Battery with all the components involved

In their simplest and cheapest form, vibrating toys are nothing more than a battery-powered motor with an on-off switch, and even the more sophisticated ones with different intensity levels and patterns are usually limited to the same ten or so varieties that may eventually leave something to be desired. To improve on that without actually taking the devices apart, [Space Buck] initially built the Slot-in Manipulator of Output Levels, a tiny board that squeezed directly onto the battery to have a pre-programmed pattern enabling and disabling the supply voltage — or have it turned into an alarm clock. But understandably, re-programming patterns can get annoying in the long run, so adding WiFi and a web server seemed the logical next step. Of course, more functionality requires more space, so to keep the AA battery form factor, the Double-Oh Battery’s PCB piggybacks now on a smaller 10440 LiPo cell.

But then, where’s the point of having a WiFi-enabled vibrator with a web server — that also happens to serve a guestbook — if you don’t open it up to the internet? So in some daring experiments, [Space Buck] showcased the project’s potential by hooking it up to his Twitter account and having the announcement tweet’s likes and retweets take over the control, adding a welcoming element of surprise, no doubt. Taking this further towards Instagram for example might be a nice vanity reward-system improvement as well, or otherwise make a great gift to send a message to all those attention-seeking people in your circle.

All fun aside, it’s an interesting project to remote control a device’s power supply, even though its application area might be rather limited due to the whole battery nature, but the usual Sonoff switches may seem a bit unfitting here. If this sparked your interest in lithium-based batteries, check out [Lewin Day]’s beginner guide and [Bob Baddeley]’s deeper dive into their chemistry.

ESP8266 Turned Secretive WiFi Probe Request Sniffer

When a Wi-Fi device is switched on, it starts spewing out probe requests to try and find a familiar access point. These probe requests contain the device’s MAC address and the SSID of the hotspot it’s looking for, which can potentially be used to identify a specific device and where it’s been. After experimenting with these probe requests, [Amine Mehdi Mansouri] has created OpenMAC, a tiny ESP8266 based sniffer that could be hidden anywhere.

The device consists of an ESP-07S module, a regulator circuit for getting power from a USB-C connector, and a button for power cycling. An external antenna is required for the module, which can be selected based on the size or gain requirements for a specific deployment. [Amine] tested the OpenMAC at a local library (with permission), in combination with a number of his own little Wi-Fi repeaters to expand the reach of the network. All the recorded MAC addresses were logged to a server, where the data can be used for traffic analysis in and around the library, or even for tracking and locating specific devices.

This is nothing new, and is a relatively common technique used for gathering information in retail locations, and could also be used for more nefarious purposes. Newer versions of iOS, Android, and Windows 10 feature MAC address randomization which can limit the ability to track devices in this manner, but it isn’t always activated.
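
To check what your own device gives away, the following added example (not code from OpenMAC or the original post) parses a bare 802.11 probe request and reports the transmitter MAC, whether the locally administered bit suggests a randomized address, and any named SSID. The sample frames are constructed, the function names are hypothetical, and the input is assumed to have no radiotap header or FCS.

```python
BROADCAST = b"\xff" * 6

def build_probe(src: bytes, ssid: bytes) -> bytes:
    """Build a constructed sample probe request (no radiotap header, no FCS)."""
    # frame control (mgmt, subtype 4), duration, DA, SA, BSSID, sequence control
    header = b"\x40\x00" + b"\x00\x00" + BROADCAST + src + BROADCAST + b"\x10\x00"
    rates = b"\x01\x04\x02\x04\x0b\x16"  # Supported Rates element
    return header + bytes([0, len(ssid)]) + ssid + rates

def parse_probe(frame: bytes) -> dict:
    """Extract transmitter MAC and SSID from a bare 802.11 probe request."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte management header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if (ftype, subtype) != (0, 4):
        raise ValueError("not a probe request")
    src = frame[10:16]  # Address 2: the transmitting station
    ssid, pos = None, 24
    while pos + 2 <= len(frame):  # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + length]
        if len(body) < length:
            break  # truncated element, stop parsing
        if tag == 0:  # SSID element; zero length means wildcard
            ssid = body.decode("utf-8", errors="replace")
            break
        pos += 2 + length
    return {
        "mac": ":".join(f"{b:02x}" for b in src),
        # Locally administered bit set: heuristic for a randomized address
        "randomized": bool(src[0] & 0x02),
        "ssid": ssid,
    }

def exposure(info: dict) -> list:
    """List what a passive listener learns from this frame."""
    findings = []
    if not info["randomized"]:
        findings.append("stable-mac")
    if info["ssid"]:
        findings.append("named-ssid")
    return findings

if __name__ == "__main__":
    samples = [
        build_probe(bytes.fromhex("001122334455"), b"ExampleNet"),
        build_probe(bytes.fromhex("daa119000001"), b""),
    ]
    for frame in samples:
        info = parse_probe(frame)
        print(info, exposure(info))
```

A frame with a globally unique MAC and a named SSID yields both findings; a wildcard probe from a locally administered address yields none.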

We’ve seen a number of projects that exploit probe requests. FIND-LF can be used for locating devices in your home, and Linger fools probe request sniffers by replaying previously recorded requests.