silent 30C3 preroll titles
applause
Travis Goodspeed: First I need to apologize
for typesetting this in OpenOffice.
I know that the text looks
like a ransom note.
But that's what happens
when you don't use LaTeX.
I'd also like to give a shoutout call,
Mallnarf (?) is here, and our
Dinosaur rock band.
laughs, applause
We are a Christian rock band - we are
called 'Jesus lives in the ISS', and
we know that he's always watching us,
but we think that it's easier for him
to hear our prayers when he's, you
know, in an orbit that passes over us.
So we need this orbital tracking
to know when to pray!
As I'm sure you can guess I'm not
recognized as a legal minority religion
in Germany. I'd also like to thank Skytee
and Fabienne (?)(?)(?) and Adam Laurie
and Jim (?)(?)(?) for some
prior satellite tracking work,
and the skuby crew (?) at Dartmouth
College for all sorts of fun
whenever I bounce out there.
This is the mission patch
of the Southern Appalachians Space Agency.
applause and cheers
This was drawn by Scot Biben and there are
a few pieces of my people's native culture
that I need to point out here. On the
right the little Dinosaur type thing
with its finger going out, you might
call him E.T. but we call these things
'buggers'. They're like this tall, and
they're green and that's why the man
on the left has a shotgun.
laughter
Because he doesn't want to be abducted.
You got a satellite dish in the middle,
and it's sitting on cinder blocks because
that's also a piece of my people's
native culture. There's a moonshine still
in the background. That's kind of like
Waldcubbet (?) You make it at home, and
from corn. And then there's the mountain...
A piece, it looks like there are snowpeaks
on those mountain tops. But our mountains
aren't tall enough to have snow. These are
actually that we've blown off the leads
in the mountains, for coal mining.
Which is another piece of my people's
native culture. And at the top, in space
you can see the ISS, and you can see
a banana, and you can see what I think is
a bulb. This is to signify space trash.
I mean there's a lot of stuff up there.
And, you know, it's symbolism that matters
in these things, you know? At BerlinSides,
in May of 2012 I did a lecture on
reverse engineering the SPOT Connect. The
SPOT Connect is a little hockey puck type thing
– this is what it looks like. And these
things are great. It weighs a bit more
than your cell phone, but it runs off of
a couple of batteries, it connects
to your phone via Bluetooth. Originally
these were emergency locator beacons.
So if you're going hiking...
Have any of you seen the movie where
the guy has to cut off his arm with a dull
knife? If you're hiking and you don't want
the same experience, you buy one of these
things. And then there's an emergency button
you can push, that transmits your GPS
coordinates via satellite to rescue workers.
But that was boring, so they had to add
social media. laughs, laughter
So in addition to keeping you from chewing
off your own arm this device will also
allow you to tweet, and make Facebook posts.
laughs, laughter
The idea is as you're running – here I'm
crossing the Schuylkill River in Philadelphia
and the Android phone on the left is
making a post. And I did an article
on reverse-engineering the Bluetooth
side of these things. Because... I use
a weird brand of phone that Microsoft
killed off, and I'm terribly bitter about it.
But I also figured out the physical layer.
And that's what this diagram shows.
This transmits 1.6125 GHz. And it
sends a pseudo-random stream, so
each one of these zeros is a long chunk
where it's bouncing back and forth
between 2 different frequencies. And
the same for the ones. But the way
that the pattern works is that it switches
the signal whenever it is going from
the 0 signal to the 1 signal. And
internally, there are these little pops
that you can actually identify on
a Software Defined Radio recording.
And this is how you can reverse-engineer
the signal that the SPOT Connect is
sending up to its satellite network.
Everything is clear text on this.
And it's completely unencrypted.
It just has your serial number, your GPS
coordinates, and a bit of ASCII text.
If you listen on this frequency and you
have the correct recording software
you can actually watch all of the SPOT
Connect messages that are transmitting up
from your location. And this would be
great except that this is designed for
hiking in areas where there's no cell
phone service. So having an antenna
on the uplink frequency is kind of
useless. You know you would actually
have to go out to a national park, find
some guy who is about to chew his arm off,
and then you could listen to his uplink
where he is like tweeting: "Hey I'm gonna
chew my arm off", you know?
laughter
So that's great as a proof of concept,
but it's not really anything practical.
The current state of that was that I knew
the protocol and I could sniff the uplinks.
But I wanted to sniff the downlinks. So
it's easy for me to get the thing that
goes up to the satellite. But what I wanted
was what comes down from the satellite.
And that requires a satellite dish. But
a geo-stationary dish isn't good enough
because the satellites that run this
network – there are a lot of them,
it's called the Globalstar network.
They fly really low across the earth,
and they fly across the earth in very
tight, very fast orbits. So they move
from horizon to horizon in 15 to 20
minutes. Which means that you either need
like a sweat shop army of kids trying to
aim the satellite dish as it's going across.
Or you need to make
it computer-controlled.
Stepping back from the SPOT Connect for
a little bit, and discussing some prior research.
Adam Laurie did some work with
geostationary satellites. These are
the satellites that stay in one position
in the sky. He gave 2 sets of talks
– one in 2008 and the second in 2010.
And he used a DVB-S card connected
to a satellite dish with a DiSEqC motor,
so that it could move the satellite dish
left and right, in order to scan a region
of the horizon. His tool is publicly
available, it's called satmap. You
can grab it at this URL. And then
after he finds a signal, he has a feed
scanner. Normally when you use
Satellite TV your provider gives you
a listing of the frequencies, and
your provider gives you an exact orbital
position to aim your satellite dish at.
But Adam's tool allows you to scan to see
which frequencies are in use, and which
protocols are in use, once you've correctly
aimed your dish. And he also describes
a technique for moving your dish left and
right while doing this in order to identify
where the satellites are. This recording
here is from a re-implementation
that I made of Adam's work, in order to
catch up with it. In this diagram the x-axis
shows the azimuth, that shows how far left
or right my satellite dish has moved.
And then the y-axis shows the frequency.
And all of these dots are strong signals.
So every vertical bar in which you see
chunks of frequencies, that's a satellite.
But these stay in the same position. So
it's easy for me to repeat this experiment.
It's easy for me to re-run it, and to find
the same satellites in the same position.
It's easy to debug this. But it can't move
in elevation. This diagram is actually
a very small slice of the sky. We're
looking at a single line, maybe
10 degrees across. Maybe only 5 degrees
across. So hacking Ku-band
– the television satellites – has the
advantage that you can use cheap
standardized hardware. I bought one of
these DVB-S cards in Mauerpark, in Berlin
for 3 Euro. You can use standardized
DiSEqC motors, you can buy them at
a satellite TV shop. TV signals come with
video feeds, so you can actually see
pictures. There was a scandal ca.
4..5 years ago, where they were finding
drone [control] feeds that were being
bounced across these satellites.
In the nineties it was very popular to
listen to the sort of unedited sections
of interviews, when people would be
interviewed over a satellite, before
Skype and such things became options.
And there are also networking signals here
using TCP/IP packets. So you can actually
turn your DVB-S card into a promiscuous
ethernet adapter, and start sniffing
all of the traffic that comes across.
This is also a great way to get free
downlink bandwidth. Because you can just
flood packets at an address that, you know,
will be routed to you, or several addresses,
and then you sniff it out as the legitimate
receiver ignores them. But it also has
some disadvantages. It only works with
geostationary satellites. If the satellite
is not staying in the same position
relative to the ground then you can't
track it. Your dish also moves very
slowly. And it only moves left and right.
It won't move up and down. And you're
limited to standardized signals.
While it's great that you get video and
TCP/IP you're never going to get anything
weird. You're not gonna get any mobile
data, you're not going to get any
Brazilian truck-drivers – we will get to
those in a bit. laughs
I misspoke, you actually will get Brazilian
truck-drivers in this. So I bought
a satellite dish. One of the best things
about living in America is that you can
buy industrial hardware cheap as dirt
on ebay. I know things aren't likely
used to being a cat XXXX by human children
anymore. But this satellite dish here
on the left – the one in the radome –
that's my dish. And to the right,
that's the boat that it came from.
applause
This came from a military ship.
But the dish itself is also available
for civilian use on very large yachts. The
dish itself is a Felcom 81 and it was
intended for use with a network called
Inmarsat. Inmarsat allows for
telephone connections, and also data
connections when you're on a boat.
So if the crew wants to call home
or wants to go to AOL Keywords
or whatever was popular back when
this was common they could do that.
And the dish was designed to sit
at the very top of a ship's mast.
The reason why is that at the top of
the mast there aren't any obstructions
– it has a clear view of the sky in all
directions. But there's a complication
with being on the top of the mast. Which
is that the ship is rocking beneath you
and you're moving more than the rest of the
ship. So they have stepper motors for
azimuth, elevation and tilt. And then
they have spinning gyroscopes.
Back before the iPhone there was this dark,
dark time when gyroscopes actually spun.
And this is the sort of gyroscope that
it has. It actually has 4 of them so
that it can measure its movement. And then
it has a control computer. So the idea is
that the dish itself can be moved while
remaining absolutely stable with regard to
the gyroscopes. So it compensates for
the rocking of the ship beneath it as it's
targeting a stationary satellite.
In America this costs 250 Dollars, but
it's electronics equipment. So while you
think that would only be a 180 Euro
it's more like 2500. And that's before
import duties and it being impounded.
We also have this lovely culture in which
people love excuses to use their trucks.
So the guy that I bought this from offered
to deliver it to my home from the 200 dollars.
It was an 11 hour drive. But if you wanted
this you'd have to bring it back in your
carry-on luggage, and it could be awkward.
I got this dish and I decided I had to do
something with it. So I created the
Southern Appalachians Space Agency.
I'm from the state of Tennessee, formerly
known as the State of Franklin until
North Carolina invaded us. It's ok,
I know Europeans suck at history.
laughs
laughter
Now I'm trying to think of how to show
you on a map where Tennessee is
without having a map but, you know, it's
okay I know you suck at geography and
we forget (?)
From audience: It's very
near Texas, to the north.
Travis: Texas is our first colony. But
it's actually a decent drive to the east.
Due east (?). You don't
actually have to go anyways.
So what I did was I took these motors
which were designed to be able to move
the satellite dish to compensate
for the rocking the ship and
I re-purposed them to track through
the sky while the ground is stable.
We don't have very many earthquakes in
Tennessee. The last one that we had
made rivers run the wrong direction. But
it's okay – it's a geography thing. So
this allows me to track things that
are moving through the sky. But it
doesn't actually matter where they're
moving in the sky because that's
just a software problem. So in addition to
tracking objects that are in low-earth orbit
by a software patch I can also track things
that are in deep space. It's not much harder
to track deep space probes or stars than
it is to track items in low-earth orbit.
And then I added a software defined radio
which allows me to record a signal now
and demodulate it later. Which is necessary
if you intend to reverse-engineer a signal.
Because a lot of the downlinks from these
satellites are completely non... completely
undocumented. And being able to tune in to
the right frequency is only half of it.
You also need a recording of sufficient
quality that you can reverse-engineer
after the fact. We are sort of spoiled by
software defined radios. When doing
software defined radio work we usually
have a very good signal to work from.
So having high quality signals for later
reverse-engineering is necessary.
I really wanted to be able to identify
undocumented downlinks for low-earth orbit
in the same way that we already do this
for geo-stationary orbit, using tools
like the ones that Adam Laurie and Jin XXX
made. So I built a software framework
as a collection of Python daemons. And
these run across a home area network
in my house. There's a Beaglebone inside
of the Radome. And an x86 server
in the house. Or AMD64, whatever the kids
call it these days. And then I used Postgres
for coordination. So that all of these
daemons can talk to each other without...
without me really caring which machine
they're on. So for maintenance I can have
my laptop pretending to be the dish,
and can have stepper motors on my desk,
and I can watch them spin, and I can even
make a model of the dish and swap these
components in and out without the rest of
the network being confused. This also
allows for SQL injec... attacks to
physically move my dish. Which is why the
Sassin (?) network is not on one of those
fancy WEB 2.0 things. Because of you could
inject, say, update targets at Namical's (?)
Voyager 1. Then my dish would physically
move and start tracking Voyager 1
through the sky. Voyager 2 doesn't
actually come into the sky because of
my position in the Northern hemisphere.
So, it's okay, I know you suck at geography.
But Voyager 1 is going up, and Voyager 2
is going down. There's a Realtek
Software Defined Radio for the radio
reception. Although these things
are garbage. So I'm in the process of
replacing this for the HackRF. There's
also an EiBot board for motor control.
We'll get back to that in a minute.
And there's an Inertial Measurement Unit
from VectorNav which actually measures
using the fancy MEMS gyroscopes and
a MEMS compass how I'm moving.
This isn't accurate enough to target the
dish, so instill (?) the counting steps
to move the dish. But it is accurate
enough to tell me when my belts
have broken. Or when I'm up
against the physical obstruction.
This is skytee helping me out with the
dish. He's zip-tying it. Because, you know
we know everything about duct tape where
I come from, but we know nothing
about zip ties. So I had to bring in
a German engineer.
laughter
We call him a Gerry wigger (?) but, you know...
This is the satellite dish itself. And you
can sort of see in this photograph
where we've strapped on the equipment.
There's like an umbilical cord. Or more
like a spinal column that actually runs up
the back of the dish. So we just added
new cables onto that line. And then
zip-tied them in place. And skytee came up
with all these crazy ideas like that
we should use chains and zip-ties
to make sure that the cables don't tear
themselves out. And that worked
tremendously well in practice. So, as this
thing spins around by the original design
there's a ring connector that all of the
signals go through. That all of the
networking goes through. That all of the
rest goes through. And that worked
in the nineties because it had no reason
to send anything faster than 9600 baud.
But with the modern signals going across
it - I need 100MBit/s or even GB ethernet.
That's not enough. I need more than
2 wires. So there's a cable that comes
across it, and then I rely on the
software to keep it from wrapping
that cable around itself. So it can only
move, say, 400 degrees around.
But that's still more than a full circle.
So by stopping halfway and moving back
I can prevent it from getting stacked (?).
We've got the Beaglebone on the left,
in the middle there's a USB hub, and
on the right is the motor controller.
The Beaglebone runs Debian Linux. And
takes care of sending the software defined
radio recordings over the network. It also
takes care of updating the motor positions
to be the ones that the database declares
should be current. The stepper motors
themselves are the originals that the dish
was designed with. And they're running
to an EiBot Board. The EiBot board was
intended for plotting on Easter eggs
laughs
I feel, you know... is that neat?
laughs
applause
So you can actually aim a satellite dish
that's as tall as you are, with of these
fancy motors using less sophisticated
equipment than what's used
in a 3D printer. Don't panic, though.
It's a hell of a lot more reliable
than a 3D printer. But we needed
some sort of backup. In addition
to the inertial measurement unit telling
us when the device had snagged itself.
It would also help to have a visual
cue. Because the satellite dish
sits in Tennessee, and while I love my
home town, and, you know I'm very
proud of being Tennessean it's also
a long way to travel when you need
to re-orient the dish. Using an
accelerometer it's easy enough
to correct the elevation. Because you can
use the accelerometer as a level, and
you can use that to tell how high up the
dish is pointing, at an absolute scale.
But the compass isn't very accurate. So
instead, as a backup we have a webcam
that's taped to the top. Taping
is my people's native culture.
We have it taped to the top, and then
it's pointing backwards. So this gives us
like a rear view camera, from the
dish's position. So as the dish sits
inside of its radome... - junk cars in the XXX
are also my people's native tradition!
So the dish sits there next to my
brother's Toyota Supra. And that thing,
you know, that thing flies as soon as it
gets an engine put back in it. So it is -
sits there and it's moving. But externally
you can't see where it is. Which means
that I can't call my family in Tennessee
and blackmail them into - yet again -
looking at my dish to tell where it's
pointed. There are bolts that hold this
down. It takes half an hour to remove the
lid, another half an hour to put it back on.
So instead we took the radome...
that's Frank, he's my cat.
Give a "Cheers!" for Frank!
applause and cheers
Yeah, we had such a great time with Frank.
And we never knew that she was pregnant.
If you happen to need kittens and wanna
pay the customs fees I'll hook you up!
So then we took tape and ran tape down the
edges of the radome, and then marked it.
So from the markings you can tell
which clock position the back
of the satellite dish is pointing at. So
if you point the dish towards 12:00
you know that you're roughly at 6:00,
so you know that it's pointing South.
And then you can sort of scan the sky
for a stationary target, and navigate
off of that, to recover your position.
Software-wise... Remember,
the whole thing runs through Postgres,
so I just tunnel the Postgres over SSH,
and then I wrote a Python client that
displays the satellite positions and
the satellite state in PyGame. This is
intended for making those games (?)
really see the rabbit. And the rabbit
jumps on the other rabbit. But it... works!
And it works perfectly well enough
to target the dish. Because all that
this software has to do is plot the
positions of the satellites, and
give orders back to the database when
I click on a satellite, or click on a position.
It can also display stars. So the red
items are satellites which are not selected.
The green item is Ghost3 (?) which is
the satellite that I'm targeting. And then
the white items are stars in the sky. Now
this is a plot in which the azimuth is
on the X axis, and the elevation is on the
Y axis. But I can also arrange it into
a polar plot. Which sort of gives me an
upside-down view of the satellite dish
looking at the sky. I doubt you can read
it, but just above the green circle
in the center, that's Polaris which is the
North star. It's also weird because,
you know, working on this, you know,
I thought that I got really good at astronomy
until I realized that I only knew what the
stars looked like during the day.
laughter
laughs
And it being PyGame you can actually
run it on a mobile device. So the same client
that runs on my laptop can also run
on my Nokia N900. laughs
applause
A significant portion of the GUI client for
this was written while stuck on the U-Bahn,
connected over 3G, SSH through, and just
using emacs on the phone. laughter
laughs
applause
If you're one of those people who needs to
complain about the N900 being too old,
it also runs on the N9. And then,
you can take the data out of this, and run it through scientific software. In addition to the software defined radio recordings themselves being dumped out to a text file or a binary file on disk you can also dump out things like the received signal strength indicators (RSSI). So this is a screenshot in which I'm identifying different satellites that I've seen in the sky. Based upon their downlink signal peaks. You can see the noise floor there, at the bottom, and then there's a rather strong signal on the left. And a weaker neverware (?) signal on the right.
The daemons that build this up... you need an orbit prediction daemon.
Because you need to know where the satellites are, and where they're going, and where they will be by the time you get to them. You need to update the orbits themselves.
LEO satellites are described in TLE files. These are called 'Two Line Entry'. And they're called Two Line Entry because they're three lines long. laughter
But this format isn't incredibly accurate for satellites that correct their orbit. So you need a daemon that grounds the new files from spacetrack and this is just a matter of a recursive
you also need motor control because you need to move the dish physically to
and then you need radio daemons to
and then after that you start to take software recordings of that
So for orbit prediction I began with a DOS program that had been ported to Unix called predict. This works but it's garbage. It only supports 20 stars
because it's designed for astronomy photographers that want to take pictures of things
because otherwise you have to set an alarm clock for the half-hour pass where you can record them.
So I managed to track every single item in geostat orbit. This thick ring here is the Clarke belt of all geostationary satellites as viewed from my northern hemisphere [?]
All IPC is running through this PostgreSQL
you then send it simple commands, like SM,3000,500,-400
And then it will count that out, and send me back an OK. If I want to disable the motors, I'll send them em,0,0
EM,1,1 will enable both motors in 1/16s
You can see the motors themselves with the belts and the geartrains. This thing on the right would probably be illegal for me to turn on
The belts and stuff need to be measured to figure out what the reduction is
the IMU unit, this VectorNav VN100 is a
it costs 500$ which was more than all of the other components together.
Now for position calculation, the elevation itself comes from the IMU. The azimuth
so the accelerometer will drift while the compass will be confused by the magnetic fields while the
and the IMU will be come of a backup how to make it reliable, but at the moment the position
The radio daemons. The first is a spectrum analyzer. It just measures the strength of the frequency
the downlink recorder dumps the IQ values
directly to an NFS share.
Client GUI is PyGame
Also note these faint blue lines are positions where I saw particularly strong signals
I'm running out of time by these markers. Does this mean we skip Q&A or that I get kicked off of stage?
It takes SDR, it can provide maps of used different satellites in the sky.
I'd also like to make other ground stations. The software that I wrote should be portable
Another way that you can do it, the way that it's traditionally done to track stationary satellites is with a YAGI antenna
This is my van, my van is amazing. applause
Thanks to Nick Farr. I had a bit too much to drink in
But you want a news-van. And I said Hell yes, I want a news van!
But most importantly, it does SECAM
This is the control panel,
and that's my talk!
applause
Herald: Thank you so much. There
actually is time for Q&A now.
Travis: Well, first I'd like to introduce
you to my cat. If we could go back
to the prior image. This is Frank! We
didn't know it at that time, but
Frank was not dead when this picture was
taken. If you'd like kittens get in touch.
Okay. Are there any questions?
Question: Great talk. What's the most
interesting signal you decoded so far?
Travis: At the moment I'm sort of stuck
at the L band range. Because of filters
that I have yet to remove. So everything
gets attenuated, and becomes annoyingly
quiet outside of the 1.5..1.6 -ish range.
The Globalstar network is what I'm most
interested in targeting next. I can't wait
to see what people are tweeting
while they should be enjoying nature.
Herald: Is there a question
from the internet?
Signal Angel: Yeah, the internet has
many questions. So first one was:
Is there really no authentication or
encryption on the Ku band IP services?
So you can just spoof at will? And can the
birds see the physical leakage and of
the source accurately enough to find who
is spoofing?
Travis: I'm not an expert in Ku band. The...
for the downlink the bird has no clue
as to the location of the dish. Because
you're only listening. They can roughly
figure out your geographic area because...
they need to figure out where
the spot beam is going. So they might know
whether you're in, say, Germany or
in France. But they won't know whether
you're in Heidelberg or Mannheim.
They do have forms of authentication for
many satellite networks. Satellite TV
is one of the best-protected network
services. Because of the satellite wars
in the 90's. In which TV pirates would
fight back and forth with smart card
designers. But there are also many
unencrypted links. And there are...
because of standard protocols those
are particularly easy to find in Ku band.
Question: You've been talking about
using RTLSDR from osmocom.
And you were talking about your spectrum
analysis program. Is this one working
with RTLSDR?
Travis: So... RTLSDR... so I'm using
the RTLSDR not the osmo-sdr.
Which are separate. The spectrum
analyzer is working with the RTLSDR.
My complaint about the RTLSDR is that
when you have a strong signal next to
a weak signal the weak signal is
utterly useless for interpretation.
Question: Okay. Thank you.
Herald: Another question
from the internet?
Signal Angel: Okay, next question from the
internet is: how do you record the radio signal
from the dish, at what sampling rate?
Travis: The RTLSDR samples at 2 million
samples per second. As soon as I switch it
over to the HackRF, well, we're having
20 million samples per second.
The sampling rate can be reduced once
the bandwidth of the signal is known.
For radio (?) storage. And the recordings
can also be compressed.
But it's still a hell of a lot of storage.
Herald: Any other questions?
Signal Angel: The internet
has more questions...
Herald: Okay...
Signal Angel: Did you look into obtaining
a capacity of IBAN with copper (?), as used
for the rotary gantries in CT scanners?
Those can apparently transmit contactless
several GBytes per
second, bi-directionally.
Travis: I've not looked into those.
It seemed better to have an umbilical
cable and to be careful not to snap it.
The whole thing was done for a budget
of less than 2000 Dollars, and can be
recreated for less than a budget of 1000
[Dollars]. And they... so we tried to avoid
fancy parts. The local Radio Shack loved
us because we'd swing in and buy all sorts
of crazy stuff. As soon as we told them
that we wanted the satellite dish to
dance Gangnam style...
laughs
laughter
Thank you Carnaugh(?)
applause
silent postroll titles
subtitles created by c3subtitles.de
in the year 2017. Join, and help us!