Tagged: wifi

ESP32-Div: An ESP32 Based Swiss Army Knife for Wireless Networks

On his blog, Cifer has posted about a new device he has created called "ESP32-Div". ESP32-Div is a multi-featured wireless analysis device for WiFi, Bluetooth, 2.4 GHz and sub-GHz signals. While ESP32-Div is not based on SDR technology, it is still an interesting device for wireless hackers to discuss.

ESP32-Div can monitor WiFi packets, spam fake WiFi access points, detect deauthentication attacks, and scan nearby WiFi networks. For Bluetooth, it can jam, scan and spoof, and it can trigger unintended behaviour on Apple devices by spoofing the AirDrop function. It can also be used as a general 2.4 GHz scanner and jammer. Finally, it can replay and jam sub-GHz signals.

The device consists of a custom PCB with an ESP32 and a built-in battery pack. A piggybacking shield adds 3x NRF24 modules for the 2.4 GHz features and a CC1101 module for the sub-GHz features.

Obviously, functions like jamming and spoofing are highly illegal in most countries, but it is interesting to see the capabilities available to anyone with these cheap chips and the right software.

ESP32-DIV: Your Swiss Army Knife for Wireless Networks

ESPARGOS: An ESP32 Phased Array for Seeing WiFi

Recently, Florian Euchner, a research assistant at the Institute of Telecommunications at the University of Stuttgart, has released information about a project called ESPARGOS that he has been working on. ESPARGOS is a phased array of many patch antennas, each connected to an ESP32 WiFi microcontroller. Phased arrays enable interesting things like radio direction finding.

Combined with a bit of code, Florian can not only determine the direction of arrival of WiFi signals but, with enough patch elements, also create a live heatmap of the WiFi source overlaid on top of camera video. We note that ESPARGOS is not based on software defined radio; however, the overall concept and implementation are quite similar to KrakenSDR.
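To make the direction finding concrete, here is an added example (not ESPARGOS code, and not from Florian's repositories) of the classic narrowband angle-of-arrival estimate a phased array gives you: the per-antenna phase of one WiFi subcarrier is compared against the expected phase slope of a plane wave from each candidate direction, and the best match is the estimate. The array geometry (eight elements, half-wavelength spacing at 2.437 GHz), the per-receiver phase offsets and the CSI snapshots are all constructed inside the block. The calibration step is included deliberately: each ESP32 has its own unsynchronised LO and sampling phase, so without a reference measurement from a transmitter at a known angle the raw phases say nothing about direction.

```python
"""Angle-of-arrival from WiFi CSI with a uniform linear array (added example).

Assumed, not taken from ESPARGOS: 8 antennas spaced half a wavelength apart at
2.437 GHz, a single narrowband subcarrier and a far-field plane wave. All CSI
snapshots are constructed by simulate_csi(); nothing here is measured data.
"""
import cmath
import math
import random

C = 299_792_458.0
FREQ_HZ = 2.437e9            # assumed carrier (WiFi channel 6)
WAVELENGTH = C / FREQ_HZ
SPACING = WAVELENGTH / 2     # assumed element spacing: half wavelength, so no grating lobes
N_ANT = 8


def steering_vector(theta_deg, n_ant=N_ANT):
    """Expected per-antenna phase for a plane wave arriving from theta (0 = broadside)."""
    phi = 2 * math.pi * SPACING / WAVELENGTH * math.sin(math.radians(theta_deg))
    return [cmath.exp(-1j * phi * m) for m in range(n_ant)]


def simulate_csi(theta_deg, snr_db, hw_phase_offsets, seed):
    """Constructed CSI snapshot: plane wave from theta_deg, a fixed unknown phase
    offset per receiver (each ESP32 has its own LO/ADC phase) and Gaussian noise."""
    rng = random.Random(seed)
    noise_std = 1.0 / math.sqrt(2 * 10 ** (snr_db / 10))   # per I/Q component
    return [s * cmath.exp(1j * off) + complex(rng.gauss(0, noise_std), rng.gauss(0, noise_std))
            for s, off in zip(steering_vector(theta_deg), hw_phase_offsets)]


def calibration_from_reference(reference_csi, reference_theta_deg=0.0):
    """Unit-magnitude per-antenna corrections from one measurement of a transmitter
    at a known angle. Without this the array phases are not comparable at all."""
    corr = []
    for h, a in zip(reference_csi, steering_vector(reference_theta_deg)):
        c = a / h
        corr.append(c / abs(c))
    return corr


def apply_calibration(csi, corr):
    return [h * c for h, c in zip(csi, corr)]


def bartlett_spectrum(csi, thetas_deg):
    """Conventional (Bartlett) beamformer power |a(theta)^H h|^2 on an angle grid."""
    spec = []
    for th in thetas_deg:
        y = sum(a.conjugate() * h for a, h in zip(steering_vector(th), csi))
        spec.append(abs(y) ** 2 / len(csi))
    return spec


def estimate_aoa(csi, step_deg=0.25):
    """Angle (degrees from broadside) at which the Bartlett spectrum peaks."""
    n = int(round(180 / step_deg))
    thetas = [-90 + i * step_deg for i in range(n + 1)]
    spec = bartlett_spectrum(csi, thetas)
    return thetas[max(range(len(spec)), key=spec.__getitem__)]


def demo(true_theta_deg=30.0, snr_db=25.0):
    """Returns (uncalibrated estimate, calibrated estimate) for a constructed scenario."""
    rng = random.Random(7)
    hw_offsets = [rng.uniform(-math.pi, math.pi) for _ in range(N_ANT)]  # constructed
    reference = simulate_csi(0.0, snr_db, hw_offsets, seed=1)   # calibration shot at broadside
    corr = calibration_from_reference(reference, 0.0)
    measurement = simulate_csi(true_theta_deg, snr_db, hw_offsets, seed=2)
    return estimate_aoa(measurement), estimate_aoa(apply_calibration(measurement, corr))


if __name__ == "__main__":
    uncal, cal = demo()
    print(f"uncalibrated: {uncal:.2f} deg, calibrated: {cal:.2f} deg (true 30.00)")
```

The Bartlett beamformer is the simplest estimator; it has a beamwidth of roughly 13 degrees for eight half-wavelength elements, so two transmitters closer than that merge into one peak, and strong multipath reflections show up as additional peaks. That is exactly why Florian's video moves on to time-difference-of-arrival, multiple arrays and a trained model for the high-multipath case.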

In the video embedded below, Florian explains the system and demonstrates it in action. He shows how the WiFi signal from a device can be visualized, how it can be used to track movement of the device behind a wall, how reflections from a directional antenna can be seen, and how a device can be triangulated with multiple arrays. Finally, Florian also shows how a device can be located with a single array, even in a high-multipath environment, after a neural network is trained on the environment.

Florian writes:

More information is available on the project website of the ESP32 antenna array "ESPARGOS": https://espargos.net/

Source code for Python library + demos: https://github.com/ESPARGOS/pyespargos (directory "demos/camera" for "WiFi camera" demo)

As a research assistant at the Institute of Telecommunications at the University of Stuttgart, I work on multi-antenna systems like (distributed) massive MIMO, with a focus on wireless channel measurement platforms and algorithms for processing channel measurements (classical and deep learning-based).

One day, my (incredibly talented) colleague Marc Gauger suggested using ultra low-cost ESP32 chips instead of software defined radios for channel measurements. I was highly sceptical at first, but when he showed me a minimalistic prototype he had soldered together, I was intrigued by the idea of being able to demonstrate my algorithms in real time using WiFi signals. In a series of Bachelor's / Research theses, my excellent students Tim Schneider, David Engelbrecht and David Kellner helped me develop the ESP32 antenna array "ESPARGOS".

Measured CSI dataset used for AoA / TDoA visualization: https://espargos.net/datasets/data/espargos-0005/
AoA / TDoA localization source code (needs some minor modifications to be applied to espargos-0005 dataset): https://github.com/Jeija/ToA-AoA-Augmented-ChannelCharting/
Channel Charting source code for the animation in the video: https://github.com/Jeija/Geodesic-Uncertainty-Loss-ChannelCharting
Tutorial on Channel Charting: https://dichasus.inue.uni-stuttgart.de/tutorials/tutorial/dissimilarity-metric-channelcharting/

This ESP32 Antenna Array Can See WiFi

We note that while the software is open source, the array hardware itself is not. Florian has noted in a comment on his YouTube video that he is preparing a manufacturing run for ESPARGOS.

I am now preparing a manufacturing run for ESPARGOS. This involves some PCB redesigns to make the design more mass-manufacturable and to get the cost further down, and to get it certified. This will obviously take some time, but I will make sure to keep you updated. You can use the button on the website https://espargos.net/ to sign up for email updates, and I will also post updates via YouTube community notes.

DragonOS: BladeRF-wiphy Demonstration

Recently we posted about bladeRF-wiphy, open source code that turns a bladeRF software defined radio into a software defined WiFi access point. The bladeRF 2.0 is a relatively low cost SDR; the low end version costs $420. It is capable of both transmit and receive (2x2 MIMO), with a 47 MHz to 6 GHz frequency range and a 61.44 MHz sample rate.

Over on YouTube, Aaron, who created DragonOS, has uploaded a video demonstrating bladeRF-wiphy in action. He writes:

This video demonstrates Nuand's new open source 802.11 modem/FPGA available for the bladeRFxA9. Everything will be pre-included in DragonOS Focal to set up an open AP and hopefully whatever's required for use within Kismet.

Minor configuration is needed for the open AP, while Kismet integration should be pretty straight forward.

This is an awesome addition to the bladeRF and I look forward to seeing what else is possible with this new open source 802.11 compatible modem!

DragonOS Focal BladeRF-wiphy w/ Open Wi-Fi AP and Splash page (bladeRFxA9)

bladeRF-wiphy: Open Source WiFi Access Point on a BladeRF

Back in August 2020 we posted about OpenWiFi, an open source implementation of the full IEEE 802.11/WiFi stack for an FPGA and SDR combo board. Recently the team at Nuand have released their own WiFi implementation, called "bladeRF-wiphy", for their bladeRF 2.0 software defined radio. The code is implemented in VHDL and runs directly on the FPGA of the bladeRF 2.0 micro xA9.

The bladeRF-wiphy project is an open-source IEEE 802.11 compatible software defined radio VHDL modem. The modem is able to modulate and demodulate 802.11 packets (the protocol WiFi is based on), and run directly on the bladeRF 2.0 micro xA9’s FPGA.

The bladeRF-wiphy coupled with Linux mac80211 allows the bladeRF 2.0 micro xA9 to become a software defined radio 802.11 access point! 802.11 packets (PDUs) are modulated and demodulated directly on the FPGA, so only 802.11 packets are transferred between the FPGA and libbladeRF.

OpenWiFi: Open Source FPGA and SDR Based WiFi Implementation

OpenWiFi is a Linux mac80211 compatible full-stack IEEE 802.11/WiFi design based on an FPGA and SDR (Software Defined Radio). It aims to be the first full open source implementation of the entire WiFi stack. While the current design does not provide any feature benefits over commercial closed source chips, it is beneficial from an education standpoint, and also from a security standpoint: unlike a closed chip, the FPGA source can be audited for backdoors and the bitstream rebuilt from source. The SDRs used in the project are not typically ones seen on this blog, as they are mostly research dev boards optimized for the 2.4 GHz band.

Recently the talks from the FOSDEM 2020 conference, held in February 2020, have been released on YouTube, including a talk titled "Opensource Wi-Fi chip design and Linux drivers" by Xianjun Jiao. The talk explains OpenWiFi in detail, and why you might or might not want to use it.

Individuals, SMEs, open source communities and big companies have shown great interest in the openwifi project. They also asked many questions, such as MIMO support, CSI information support, roadmap and open source license considerations. One new interesting message, which was not expected before, is that people are willing to pay more for a WiFi chip not because the chip's performance is better but just because they can check the chip silicon source code (Verilog/VHDL/C) on github if they have privacy/security concerns. So far, no commercial WiFi chip discloses its silicon source code. After FOSDEM, the project has reached 545 stars on github.

Openwifi talk at FOSDEM 2020

Testing the Electrosense Up/Downconverter Expansion Board For 0 – 6 GHz

The Electrosense network is an open source project aiming to deploy radio spectrum sensors worldwide. The idea is to help analyze and understand radio spectrum usage across the globe. Each sensor consists of an RTL-SDR, a Raspberry Pi and an optional downconverter to receive the higher bands. If you're interested, we wrote an overview of the project in a previous post.

Recently we received a sample of their Up/Downconverter expansion board, which expands the frequency range of the RTL-SDR to cover 0 MHz to 6 GHz. The converter board is entirely open source, with the design files available on GitHub. The team note that they are also working on a V2 version which will be cheaper and smaller. The schematic and firmware for the V2 are also available right now, but V2 is still under early testing and may change.

The board is not for sale; however, you can apply to be considered for a free unit if you want to host your own Electrosense node and meet their criteria. If you do not, you can still produce the board yourself. The team mention that the design is easily hand soldered, but there are a few difficult LGA components, like the PLL, crystals and mixer, which require a hot air gun to solder. At the same time, they note that PCB manufacture and SMT assembly can be done for you very cheaply by PCB prototype companies like JLCPCB.

The Expansion Up/Downconverter Board

The converter board has four SMA input ports (only three are used) and one output port which connects to the RTL-SDR. The first input port is for the HF antenna. This input feeds the upconverter circuit, which shifts 0 to 30 MHz up to a higher frequency that the RTL-SDR can receive. The second port is simply a pass-through for the standard 24 MHz to 1.766 GHz range of a normal RTL-SDR. The third port is unused, and the fourth port connects the antenna to the downconverter circuit, which allows us to receive from 1.766 GHz to 6 GHz.

The Electrosense Converter Board


Using a HackRF to Investigate Why WiFi on the Raspberry Pi 4 Doesn’t work when Running HDMI at 1440p

The Raspberry Pi 4 launched with its fair share of problems, and a new one has recently been discovered and documented. It turns out that the Pi 4's WiFi stops working when the display is running at a screen resolution of specifically 1440p.

Suspecting interference generated by the HDMI clock, Mike Walters (@assortedhackery) used a HackRF and a near field probe antenna to investigate. By placing the near field probe on the Raspberry Pi 4's PCB while driving a screen at 1440p, he found a strong spur at 2.415 GHz. This lands directly on 2.4 GHz WiFi channel 1.

An ExtremeTech article notes:

There's a giant spike that could easily interfere with Channel 1 of a Wi-Fi adapter. So why is this happening? Because a 2560×1440@60Hz mode has a pixel clock of 241.5MHz and has a TMDS (transition-minimized differential signaling) clock of 2.415GHz, according to Hector Martin (@Marcan42). And what frequency does the RBP4 use for Wi-Fi? 2.4GHz. Which means… outputting on HDMI over 1440p can cause interference in a Wi-Fi channel.

The ExtremeTech article also notes that this kind of interference is not unique to the Raspberry Pi 4. High-speed digital interfaces such as USB 3.0 are a known source of 2.4 GHz interference, and the same problem has occurred before with USB 3.0 hard drives and on some MacBooks.

While the interference appears to be localized to the near field around the Pi4 PCB, we suspect that you could use TempestSDR to remotely eavesdrop on the Pi 4's video output if the interfering signal was boosted.

A Low Cost 2.4 GHz Downconverter from off the Shelf Dev Boards

Over on GitHub, Ian Wraith has released his design and microcontroller code for a low cost 2.4 GHz downconverter circuit. A downconverter is a hardware device that shifts the signals it receives into a lower frequency band. This is useful for RTL-SDR and Airspy SDRs, whose maximum frequency is only about 1.7 GHz. Ian's downconverter shifts 2.4 GHz signals down to around 1 GHz, where they can be received with his Airspy.

Rather than designing a circuit from scratch, Ian's design makes use of several very cheap Chinese evaluation/development boards that he found on eBay. It consists of a mixer board, an oscillator board, and an STM32 development board that controls the oscillator board via SPI. The whole set of hardware cost him less than £30 (~37 USD).

After spending some time working through the difficulties in programming the SPI interface on the STM32 board, he was able to get the downconverter circuit fully working. He notes that he's been able to receive WiFi, Zigbee, Bluetooth and ISM band signals at 2.4 GHz, as well as 3G and 4G cellular signals at 2.6 GHz.

Ian Wraith's Downconverter consisting of three off the shelf cheap Chinese eBay boards.