# Triangulation

Hi everyone,

I'm back from summer, and although I don't have most of the stuff, I now have the SDRs. There are two questions that come to mind:

1) I'll be able to figure this out once I have my MMDS downconverter, but does anybody know how often a device sends out a wifi connection request? This would be helpful for figuring out the servo speed.

2) Does anybody know how strong that connection request signal is? I'm assuming not very strong, meaning that even with a good antenna like the long-range cantenna in the video, I would only have about 200 meters of range.

Thanks!

##### Share on other sites

• 5 weeks later...

I have a question, why can't we just use 1 sensor to triangulate an RF source, if we move the source around?

##### Share on other sites

> I have a question, why can't we just use 1 sensor to triangulate an RF source, if we move the source around?

You can. It just takes longer.

##### Share on other sites

Actually, I believe that only works reliably when your source remains stationary and your sensor moves around.

##### Share on other sites

> Actually, I believe that only works reliably when your source remains stationary and your sensor moves around.

No, you can still find a moving target, it just takes longer, though it does help if they are stationary every now and then. I've helped track down animals with radio tracking collars on them with a single receiver.

##### Share on other sites

Oh yeah, of course. In that case you don't so much want to know where they are, you just want to know which way to move to close the gap between source and receiver.

Is it still fair to call it triangulation then, though?

##### Share on other sites

I was thinking of coming up with a "least squares" algorithm for finding a solution to this problem using a single sensor. In this case I think I'd probably have to assume a stationary source to find a solution, at least to make the program simple enough to function at first. It might be able to be modified to track a moving target, but adding variables or dimensions can greatly decrease the chance that this algorithm will converge on a solution.

##### Share on other sites

I looked up least squares on wikipedia and stopped reading halfway through the intro. I don't see how this can be used for this situation but I might not be understanding everything about the concept.

We have effectively 2 values that we can determine: signal strength and direction. You use the strength to hone in on the direction, and where it maxes out you have both. Strength can give you somewhat of an idea of what the distance might be, but atmospheric factors make the value unreliable, not to mention the fact that you don't know the strength with which your source is transmitting, which is itself a variable. Let's assume for now that all radios would transmit at the same strength within your target area. Because of the remaining unreliability (atmospheric, terrain, other), your direction will be a bit unreliable as well. If the terrain within which you're scanning is new to you, it'll be harder to determine approximate distance based on signal strength. You'll need to put a controlled source in a number of places in the terrain before starting and make a few measurements. After that I would think you'd be within the 'educated guess' range and possibly better.

##### Share on other sites

> Oh yeah, of course. In that case you don't so much want to know where they are, you just want to know which way to move to close the gap between source and receiver.
>
> Is it still fair to call it triangulation then, though?

Well since we had to capture the animal, yes it is still called triangulation. You're still triangulating their location. This is also called fox and hound in the ham community.
##### Share on other sites

> I looked up least squares on wikipedia and stopped reading halfway through the intro. I don't see how this can be used for this situation but I might not be understanding everything about the concept.
>
> We have effectively 2 values that we can determine: signal strength and direction. You use the strength to hone in on the direction, and where it maxes out you have both. Strength can give you somewhat of an idea of what the distance might be, but atmospheric factors make the value unreliable, not to mention the fact that you don't know the strength with which your source is transmitting, which is itself a variable. Let's assume for now that all radios would transmit at the same strength within your target area. Because of the remaining unreliability (atmospheric, terrain, other), your direction will be a bit unreliable as well. If the terrain within which you're scanning is new to you, it'll be harder to determine approximate distance based on signal strength. You'll need to put a controlled source in a number of places in the terrain before starting and make a few measurements. After that I would think you'd be within the 'educated guess' range and possibly better.

Signal strength should never be factored in. It's too ambiguous of a factor. Environmental settings will change it. Even the equipment used will affect it. No two radios transmit at the exact same power. They get close, and that's all that's needed. Same with receive sensitivity.
##### Share on other sites

So my idea involves nonlinear least squares regression, which can be multidimensional and handle multiple variables; Wikipedia is not that great at explaining this, and although it has more information, IMHO Wolfram is as hard to follow as a math teacher is (hxxp://mathworld.wolfram.com/NonlinearLeastSquaresFitting.html). From what I've gathered:

10^(RSSI/10) = 10^(EIRP/10)* (c/(4*pi*f))^2 * (1/(x^2+y^2+z^2)).

Some of these are known in abundance, like RSSI, f, and part of the x, y, and z's, and some of these are unknown, like the EIRP and the other part of the x, y, and z's. Nonlinear regression requires a guess value for the unknowns. If the guess values are close enough then the algorithm will converge on the solution that best fits this equation, calculating the best fit values for EIRP and the x, y, z of the source signal. One problem with this is coming up with an initial guess set of parameters from the data that is collected, that is just close enough to keep the algorithm from diverging when the program is run.

##### Share on other sites

So this code is not yet functional, but I'm hoping to work more on it (the z coordinate is messed up). The Matrix code that goes along with it is also broken in parts but it's working for what I need it for. And I get to make use of the netcat pastebin featured last week on hak5 yay!

##### Share on other sites

My php is rusty, but that last line in the first for-loop of your code reads

`$input_array[] = array($S_i, $x_i, $y_i, $z_i);`

Isn't that a re-assignment of the same variable? In other words, shouldn't this be done outside the loop or only on the last iteration?

Why did you name a function 'J'?

If anything, your math skills are a step above mine right now.

Edited by Cooper
##### Share on other sites

I just pick PHP as my default 'cause I know it probably better than most other languages except for maybe bash.

That line in python might read

`input_array.append([S_i, x_i, y_i, z_i]);`

It's the 2 little brackets next to the $input_array variable. It is building up sort of a 2D array for all the data one might be collecting from a sensor, which I don't have right now, so I'm faking the data in that loop. I add a little noise to the RSSI variable, also, so it behaves a little bit more like real world data. The function "J" is a tricky one, it's really where the magic happens, it is where the Jacobian matrix is created. This is a matrix of 1st-order derivatives of the equation that I started with, and populated with all the fake data I created. So, in the example, we have 10 fake data points and 4 unknown variables, so the Jacobian matrix is a 10x4 matrix. I also think that this is where the problem is in the algorithm. I probably did the math wrong on the derivatives. I'm not that smart in math, some math guy named Gauss came up with this a long time ago, and I'm just trying to copy him :)
##### Share on other sites

Ok, I haven't done any stringent testing on this yet, but from what I can tell it works (http://termbin.com/aug8). The results:

```
target values => array ( 0 => -20, 1 => 3, 2 => 4, 3 => 0.5, )
initial guess values => array ( 0 => -18.5, 1 => 2.8, 2 => 4.2, 3 => 0.7, )
final values => array ( 0 => -20.084988695677, 1 => 2.9135452656805, 2 => 3.8889743416155, 3 => 0.49322017558866, )
2.954425842552E-16
```
I was missing some variables and I had the derivatives messed up. I also substituted the EIRP ($Eio) variable with its linear equivalent ($Efo) to make the numbers come out smoother. Also, 10 data points was not enough to get consistent results, so I make 100 points now for testing.

EDIT: I just changed all the initial guess values to 0.0, and it still converges

```
target values => array ( 0 => -20, 1 => 3, 2 => 4, 3 => 0.5, )
initial guess values => array ( 0 => 0, 1 => 0, 2 => 0, 3 => 0, )
final values => array ( 0 => -20.033286684618, 1 => 3.1267942833894, 2 => 3.9592060929975, 3 => 0.63538010259819, )
1.2444712182315E-16
```
Edited by fugu
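
Added example, not fugu's PHP and not part of the original thread: a pure-Python Gauss-Newton fit with Levenberg-Marquardt damping of the path-loss equation posted above, taken in dB form with x, y, z read as sensor-to-source offsets. The 2.437 GHz carrier, the sensor grid, the noise level and all function names are assumptions constructed for the illustration.

```python
import math, random

C, F = 299_792_458.0, 2.437e9        # speed of light (m/s); assumed carrier (Hz)
K_DB = 20 * math.log10(C / (4 * math.pi * F))

def d2(theta, p):                    # squared sensor-to-source distance
    return sum((s - q) ** 2 for s, q in zip(theta[1:], p))
def model(theta, p):                 # predicted RSSI (dB); theta = [EIRP, x, y, z]
    return theta[0] + K_DB - 10 * math.log10(d2(theta, p))
def jac_row(theta, p):               # d(model)/d(EIRP, x, y, z): one Jacobian row
    g = -20 / (math.log(10) * d2(theta, p))
    return [1.0] + [g * (s - q) for s, q in zip(theta[1:], p)]
def cost(samples, theta):            # sum of squared residuals in dB
    return sum((rssi - model(theta, p)) ** 2 for rssi, p in samples)

def solve(a, b):                     # Gaussian elimination with partial pivoting
    n, m = len(b), [row[:] + [v] for row, v in zip(a, b)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            m[r] = [u - f * v for u, v in zip(m[r], m[c])]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x

def fit(samples, theta, iters=50, lam=1e-3):
    # Gauss-Newton with Levenberg-Marquardt damping; a step is kept only if cost drops
    for _ in range(iters):
        J = [jac_row(theta, p) for _, p in samples]
        r = [rssi - model(theta, p) for rssi, p in samples]
        A = [[sum(row[i] * row[j] for row in J) * (1 + lam * (i == j))
              for j in range(4)] for i in range(4)]
        g = [sum(row[i] * ri for row, ri in zip(J, r)) for i in range(4)]
        trial = [t + s for t, s in zip(theta, solve(A, g))]
        ok = cost(samples, trial) < cost(samples, theta)
        theta, lam = (trial, lam / 10) if ok else (theta, lam * 10)
    return theta

def make_samples(truth, noise_db=0.0, seed=1):
    # constructed sensor walk: 5x5 grid, 2.5 m spacing, heights cycling 0/1/2 m
    rng = random.Random(seed)
    pts = [(2.5 * (i % 5), 2.5 * (i // 5), float(i % 3)) for i in range(25)]
    return [(model(truth, p) + rng.gauss(0, noise_db), p) for p in pts]

if __name__ == "__main__":           # thread's target values and first initial guess
    print(fit(make_samples([-20.0, 3.0, 4.0, 0.5], 0.5), [-18.5, 2.8, 4.2, 0.7]))
```

The sensor heights vary on purpose: if every sample shared one height and the guess sat on that plane, the z column of the Jacobian would be all zeros and the normal equations would be singular.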

Impressive!

##### Share on other sites

A slight modification (http://termbin.com/afo9). This uses a different formulation for the free space path loss, which is better for dipole emitters. There is a zenith angle dependency for transmission of radio waves from an emitter, so it's not exactly 1/r^2 but really (sin(theta)/r)^2. This assumes the emitter is vertically oriented.

##### Share on other sites

• 5 months later...

Hi again!

Sorry about the *really* long silence. I finally got my act together and ordered the first downconverter/antenna. I got it running basically by hacking some wires together, so I would have been surprised to get a signal at all, but I looked at the signal from the 2422MHz channel in gqrx and got this attached result: This was with the stock omnidirectional antenna; I haven't built my cantennas yet. As you can see in the picture, it looks like some sort of amplitude modulation. Does anybody recognize from the picture what precise encoding technique that is, and if they do, some existing software library to demodulate it in real time (in order to get the MAC address of the device)? I'm really sorry about the long silence, again.

Thanks!

P.S. Fugu, thanks for writing that software, but much to my dismay, when I tried to check it out, it appeared to no longer be on termbin.

##### Share on other sites

Shoot, I guess I still haven't figured out how to properly post pictures. Here it is, in a size that is legible:

##### Share on other sites

Here is maybe a better picture:

As you can see there are now multiple distinct peaks.

##### Share on other sites

Sh!t I'm sorry I should learn how to use the forum one of these days. I'll just post the important part of what I've been posting in the last 12 hours here:

Hi again!

Sorry about the *really* long silence. I finally got my act together and ordered the first downconverter/antenna. I got it running basically by hacking some wires together, so I would have been surprised to get a signal at all, but I looked at the signal from the 2400MHz channel in gqrx and got this attached result: This was with the stock omnidirectional antenna; I haven't built my cantennas yet. As you can see in the picture, it looks like some sort of amplitude modulation. Does anybody recognize from the picture what precise encoding technique that is, and if they do, some existing software library to demodulate it in real time (in order to get the MAC address of the device)? I'm really sorry about the long silence, again.

Thanks!

P.S. Fugu, thanks for writing that software, but much to my dismay, when I tried to check it out, it appeared to no longer be on termbin.

##### Share on other sites

And here's the picture:

Thanks!

##### Share on other sites

Hey everyone,

So I just figured out that if I make the noise floor really high, I get waterfalls like these:

I guess my question is a) Does anybody recognize what kind of signal this is? Is it wifi? If so how is it modulated?

and b) Do you know of any software (maybe based on gnuradio?) that is able to demodulate it?

I'm beginning to think that maybe my sdr doesn't have enough bandwidth to demodulate a wifi signal, so do you think I should just treat it as a blip instead?

Thanks!

##### Share on other sites

Could just get the phone to connect to your base station and then send a continuous stream of text to it, then just listen for it, or look for the person pissed off with their phone.
