toughbunny (Author), Posted August 27, 2014
Hi everyone, I'm back from summer, and although I don't have most of the stuff, I now have the SDRs. There are two questions that come to mind:
1) I'll be able to figure this out once I have my MMDS downconverter, but does anybody know how often a device sends out a wifi connection request? This would be helpful for figuring out the servo speed.
2) Does anybody know how strong that connection request signal is? I'm assuming not very strong, meaning that even with a good antenna like the long-range cantenna in the video, I would only have about 200 meters of range.
Thanks!

fugu, Posted September 26, 2014
I have a question, why can't we just use 1 sensor to triangulate an RF source, if we move the source around?

barry99705, Posted September 26, 2014
> I have a question, why can't we just use 1 sensor to triangulate an RF source, if we move the source around?
You can. It just takes longer.

cooper, Posted September 26, 2014
Actually, I believe that only works reliably when your source remains stationary and your sensor moves around.

barry99705, Posted September 26, 2014
> Actually, I believe that only works reliably when your source remains stationary and your sensor moves around.
No, you can still find a moving target, it just takes longer, though it does help if they are stationary every now and then. I've helped track down animals with radio tracking collars on them with a single receiver.

cooper, Posted September 26, 2014
Oh yeah, of course. In that case you don't so much want to know where they are, you just want to know which way to move to close the gap between source and receiver. Is it still fair to call it triangulation then, though?

fugu, Posted September 26, 2014
I was thinking of coming up with a "least squares" algorithm for finding a solution to this problem using a single sensor. In this case I think I'd probably have to assume a stationary source to find a solution, at least to make the program simple enough to function at first. It might be able to be modified to track a moving target, but adding variables or dimensions can greatly decrease the chance that this algorithm will converge on a solution.

cooper, Posted September 26, 2014
I looked up least squares on Wikipedia and stopped reading halfway through the intro. I don't see how this can be used for this situation but I might not be understanding everything about the concept. We have effectively 2 values that we can determine: signal strength and direction. You use the strength to hone in on the direction, and where it maxes out you have both. Strength can give you somewhat of an idea of what the distance might be, but atmospheric factors make the value unreliable, not to mention the fact that you don't know the strength with which your source is transmitting, which is itself a variable. Let's assume for now that all radios would transmit at the same strength within your target area. Because of the remaining unreliability (atmospheric, terrain, other), your direction will be a bit unreliable as well. If the terrain within which you're scanning is new to you, it'll be harder to determine approximate distance based on signal strength. You'll need to put a controlled source in a number of places in the terrain before starting and make a few measurements. After that I would think you'd be within the 'educated guess' range and possibly better.

barry99705, Posted September 26, 2014
> Oh yeah, of course. In that case you don't so much want to know where they are, you just want to know which way to move to close the gap between source and receiver. Is it still fair to call it triangulation then, though?
Well since we had to capture the animal, yes it is still called triangulation. You're still triangulating their location. This is also called fox and hound in the ham community.

barry99705, Posted September 26, 2014
> I looked up least squares on Wikipedia and stopped reading halfway through the intro. I don't see how this can be used for this situation but I might not be understanding everything about the concept. We have effectively 2 values that we can determine: signal strength and direction. You use the strength to hone in on the direction, and where it maxes out you have both. Strength can give you somewhat of an idea of what the distance might be, but atmospheric factors make the value unreliable, not to mention the fact that you don't know the strength with which your source is transmitting, which is itself a variable. Let's assume for now that all radios would transmit at the same strength within your target area. Because of the remaining unreliability (atmospheric, terrain, other), your direction will be a bit unreliable as well. If the terrain within which you're scanning is new to you, it'll be harder to determine approximate distance based on signal strength. You'll need to put a controlled source in a number of places in the terrain before starting and make a few measurements. After that I would think you'd be within the 'educated guess' range and possibly better.
Signal strength should never be factored in. It's too ambiguous of a factor. Environmental settings will change it. Even the equipment used will affect it. No two radios transmit at the exact same power. They get close, and that's all that's needed. Same with receive sensitivity.

fugu, Posted September 27, 2014
So my idea involves nonlinear least squares regression, which can be multidimensional and handle multiple variables; Wikipedia is not that great at explaining this, and although it has more information, IMHO Wolfram is as hard to follow as a math teacher is. (hxxp://mathworld.wolfram.com/NonlinearLeastSquaresFitting.html). From what I've gathered:

    10^(RSSI/10) = 10^(EIRP/10) * (c/(4*pi*f))^2 * (1/(x^2+y^2+z^2))

Some of these are known in abundance, like RSSI, f, and part of the x, y, and z's, and some of these are unknown, like the EIRP and the other part of the x, y, and z's. Nonlinear regression requires a guess value for the unknowns. If the guess values are close enough then the algorithm will converge on the solution that best fits this equation, calculating the best fit values for EIRP and the x, y, z of the source signal. One problem with this is coming up with an initial guess set of parameters from the data that is collected, that is just close enough to keep the algorithm from diverging when the program is run.

fugu, Posted September 27, 2014
So this code is not yet functional, but I'm hoping to work more on it (the z coordinate is messed up). The Matrix code that goes along with it is also broken in parts but it's working for what I need it for. And I get to make use of the netcat pastebin featured last week on hak5, yay! http://termbin.com/hrjn

cooper, Posted September 27, 2014 (Edited September 27, 2014 by Cooper)
My php is rusty, but that last line in the first for-loop of your code reads

    $input_array[] = array($S_i, $x_i, $y_i, $z_i);

Isn't that a re-assignment of the same variable? In other words, shouldn't this be done outside the loop or only on the last iteration? Why did you name a function 'J'? If anything, your math skills are a step above mine right now.

fugu, Posted September 27, 2014
I just pick PHP as my default 'cause I know it probably better than most other languages except for maybe bash. That line in Python might read input_array.append([S_i, x_i, y_i, z_i]); it's the 2 little brackets next to the $input_array variable. It is building up sort of a 2D array for all the data one might be collecting from a sensor, which I don't have right now, so I'm faking the data in that loop. I add a little noise to the RSSI variable, also, so it behaves a little bit more like real world data. The function "J" is a tricky one, it's really where the magic happens, it is where the Jacobian Matrix is created. This is a matrix of 1st-order derivatives of the equation that I started with, and populated with all the fake data I created. So, in the example, we have 10 fake data points and 4 unknown variables, so the Jacobian matrix is a 10x4 matrix. I also think that this is where the problem is in the algorithm. I probably did the math wrong on the derivatives. I'm not that smart in math, some math guy named Gauss came up with this a long time ago, and I'm just trying to copy him :)

fugu, Posted September 28, 2014 (Edited September 28, 2014 by fugu)
Ok, I haven't done any stringent testing on this yet, but from what I can tell it works. (http://termbin.com/aug8) The results:

    target values => array ( 0 => -20, 1 => 3, 2 => 4, 3 => 0.5, )
    initial guess values => array ( 0 => -18.5, 1 => 2.8, 2 => 4.2, 3 => 0.7, )
    final values => array ( 0 => -20.084988695677, 1 => 2.9135452656805, 2 => 3.8889743416155, 3 => 0.49322017558866, )
    2.954425842552E-16

I was missing some variables and I had the derivatives messed up. I also substituted the EIRP ($Eio) variable with its linear equivalent ($Efo) to make the numbers come out smoother. Also 10 data points was not enough to get consistent results so I make 100 points now for testing.

EDIT: I just changed all the initial guess values to 0.0, and it still converges

    target values => array ( 0 => -20, 1 => 3, 2 => 4, 3 => 0.5, )
    initial guess values => array ( 0 => 0, 1 => 0, 2 => 0, 3 => 0, )
    final values => array ( 0 => -20.033286684618, 1 => 3.1267942833894, 2 => 3.9592060929975, 3 => 0.63538010259819, )
    1.2444712182315E-16
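
As an added illustration of the Gauss-Newton fit fugu describes (this is not the PHP from the termbin links, which is not reproduced on this page), the code below recovers EIRP and emitter position from single-receiver RSSI samples using the free-space equation quoted in the thread. It fits the dB form of that equation rather than the linear-power form. Assumptions: the 2.437 GHz carrier, the circular receiver path, the noise-free constructed samples and all function names.

```python
import math

C, F = 299_792_458.0, 2.437e9        # speed of light; assumed carrier (Wi-Fi ch. 6)
K_DB = 20 * math.log10(C / (4 * math.pi * F))   # (c/(4*pi*f))^2 expressed in dB

def rssi_model(p, pos):
    """Free-space RSSI (dBm) at sensor pos for p = [EIRP_dBm, x, y, z]."""
    d2 = sum((a - b) ** 2 for a, b in zip(pos, p[1:]))
    return p[0] + K_DB - 10 * math.log10(d2)

def solve(A, b):
    """Gaussian elimination with partial pivoting for the 4x4 normal equations."""
    n = len(b)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            M[r] = [u - f * v for u, v in zip(M[r], M[c])]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (M[r][n] - sum(M[r][k] * x[k] for k in range(r + 1, n))) / M[r][r]
    return x

def locate(samples, guess, iters=25):
    """Gauss-Newton fit of [EIRP_dBm, x, y, z] to [(rssi_dbm, (x, y, z)), ...]."""
    p, g = list(guess), 20 / math.log(10)
    for _ in range(iters):
        J, res = [], []
        for rssi, pos in samples:
            d = [a - b for a, b in zip(pos, p[1:])]
            d2 = sum(v * v for v in d)
            J.append([1.0] + [g * v / d2 for v in d])   # row of the Jacobian
            res.append(rssi - rssi_model(p, pos))       # measured minus predicted
        JtJ = [[sum(r[i] * r[j] for r in J) for j in range(4)] for i in range(4)]
        Jtr = [sum(r[i] * e for r, e in zip(J, res)) for i in range(4)]
        p = [a + s for a, s in zip(p, solve(JtJ, Jtr))]
    return p

def walk(truth, n=40):
    """Constructed data: one receiver circling at 10 m radius, antenna height varied."""
    pts = [(10 * math.cos(2 * math.pi * i / n), 10 * math.sin(2 * math.pi * i / n),
            0.5 * (i % 7)) for i in range(n)]
    return [(rssi_model(truth, q), q) for q in pts]

if __name__ == "__main__":
    truth = [-20.0, 3.0, 4.0, 0.5]                 # target values from the thread
    print(locate(walk(truth), [-18.5, 2.8, 4.2, 0.7]))
```

Varying the antenna height matters here: if every sample is taken at the same height, the fit cannot tell an emitter above that plane from its mirror image below it.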

cooper, Posted September 28, 2014
Impressive!

fugu, Posted September 29, 2014
A slight modification (http://termbin.com/afo9). This uses a different formulation for the free space path loss, which is better for dipole emitters. There is a zenith angle dependency for transmission of radio waves from an emitter, so it's not exactly 1/r^2 but really (sin(theta)/r)^2. This assumes the emitter is vertically oriented.

hak5fan84, Posted October 1, 2014
There are a few programs and tools that do some of the above suggestions:
http://www.cs.ru.ac.za/research/g03w0418/honours/
http://securitystartshere.org/page-training-oswa-assistant.htm#moocherhunter
but the best is my personal toy: http://wifi-investigator.com/about

toughbunny (Author), Posted March 24, 2015
Hi again! Sorry about the *really* long silence. I finally got my act together and ordered the first downconverter/antenna. I got it running basically by hacking some wires together, so I would have been surprised to get a signal at all, but I looked at the signal from the 2422MHz channel in gqrx and got this attached result:
This was with the stock omnidirectional antenna; I haven't built my cantennas yet. As you can see in the picture, it looks like some sort of amplitude modulation. Does anybody recognize from the picture what precise encoding technique that is, and if they do, some existing software library to demodulate it in real time (in order to get the MAC address of the device)? I'm really sorry about the long silence, again. Thanks!
P.S. Fugu, thanks for writing that software, but much to my dismay, when I tried to check it out, it appeared to no longer be on termbin.

toughbunny (Author), Posted March 24, 2015
Shoot, I guess I still haven't figured out how to properly post pictures. Here it is, in a size that is legible:

toughbunny (Author), Posted March 25, 2015
Here is maybe a better picture:
As you can see there are now multiple distinct peaks.

toughbunny (Author), Posted March 25, 2015
Sh!t I'm sorry I should learn how to use the forum one of these days. I'll just post the important part of what I've been posting in the last 12 hours here:
Hi again! Sorry about the *really* long silence. I finally got my act together and ordered the first downconverter/antenna. I got it running basically by hacking some wires together, so I would have been surprised to get a signal at all, but I looked at the signal from the 2400MHz channel in gqrx and got this attached result:
This was with the stock omnidirectional antenna; I haven't built my cantennas yet. As you can see in the picture, it looks like some sort of amplitude modulation. Does anybody recognize from the picture what precise encoding technique that is, and if they do, some existing software library to demodulate it in real time (in order to get the MAC address of the device)? I'm really sorry about the long silence, again. Thanks!
P.S. Fugu, thanks for writing that software, but much to my dismay, when I tried to check it out, it appeared to no longer be on termbin.

toughbunny (Author), Posted March 25, 2015
And here's the picture:
Thanks!

toughbunny (Author), Posted March 26, 2015
Hey everyone, So I just figured out that if I make the noise floor really high, I get waterfalls like these:
I guess my question is
a) Does anybody recognize what kind of signal this is? Is it wifi? If so how is it modulated? and
b) Do you know of any software (maybe based on gnuradio?) that is able to demodulate it? I'm beginning to think that maybe my sdr doesn't have enough bandwidth to demodulate a wifi signal, so do you think I should just treat it as a blip instead?
Thanks!

metatron, Posted March 30, 2015
Could just get the phone to connect to your base station and then send a continuous stream of text to it, then just listen for it, or look for the person pissed off with their phone.