1
99:59:59,999 --> 99:59:59,999
silent 30C3 preroll titles
2
99:59:59,999 --> 99:59:59,999
applause
3
99:59:59,999 --> 99:59:59,999
Travis Goodspeed: First I need
to apologize for typesetting this
4
99:59:59,999 --> 99:59:59,999
in OpenOffice. I know that the
text looks like a ransome note.
5
99:59:59,999 --> 99:59:59,999
But that's what happens
when you don't use LaTex.
6
99:59:59,999 --> 99:59:59,999
I'd also like to give a shoutout
call, mallnarf (?) is here,
7
99:59:59,999 --> 99:59:59,999
and our Dinosaur rock band.
8
99:59:59,999 --> 99:59:59,999
laughs, applause
9
99:59:59,999 --> 99:59:59,999
We're a Christian rock band - we're
called 'Jesus lives in the ISS' and
10
99:59:59,999 --> 99:59:59,999
we know that he is always watching us,
but we think that it's easier for him
11
99:59:59,999 --> 99:59:59,999
to hear our prayers when
he's, you know, in an orbit
12
99:59:59,999 --> 99:59:59,999
that passes over us. So we need to use
orbital tracking to know when to pray!
13
99:59:59,999 --> 99:59:59,999
laughter
14
99:59:59,999 --> 99:59:59,999
As I'm sure you can guess I'm not
recognized as a legal minority religion
15
99:59:59,999 --> 99:59:59,999
in Germany. I'd also like to thank skytee
16
99:59:59,999 --> 99:59:59,999
and Fabienne Serrière and Adam Laurie
17
99:59:59,999 --> 99:59:59,999
and Jim Geovedi for some
prior satellite tracking work,
18
99:59:59,999 --> 99:59:59,999
and the scooby crew (?) at Dartmouth
College for all sorts of fun
19
99:59:59,999 --> 99:59:59,999
whenever I bounce out there.
This is the mission patch
20
99:59:59,999 --> 99:59:59,999
of the Southern Appalachian
Space Agency (SASA).
21
99:59:59,999 --> 99:59:59,999
applause and cheers
22
99:59:59,999 --> 99:59:59,999
This was drawn by Scot Biben (?) and there are
a few pieces of my people's native culture
23
99:59:59,999 --> 99:59:59,999
that I need to point out here. On the
right the little Dinosaur type thing
24
99:59:59,999 --> 99:59:59,999
with his finger going out, you might
call him E.T. but we call these things
25
99:59:59,999 --> 99:59:59,999
'buggers'. They are like this tall, and
they are green and that's why the man
26
99:59:59,999 --> 99:59:59,999
on the left has a shotgun.
laughter
27
99:59:59,999 --> 99:59:59,999
Because he doesn't want to be abducted.
You got a satellite dish in the middle
28
99:59:59,999 --> 99:59:59,999
and it's sitting on sinter blocks because
that's also a piece of my people's
29
99:59:59,999 --> 99:59:59,999
native culture. There's a moonshine
still in the background.
30
99:59:59,999 --> 99:59:59,999
That's kind of like Waldcubbet (?), you
make it at home and from corn.
31
99:59:59,999 --> 99:59:59,999
And then there's the mountain... a piece,
it looks like there are snowpeaks
32
99:59:59,999 --> 99:59:59,999
on those mountain tops. But our mountains
aren't tall enough to have snow.
33
99:59:59,999 --> 99:59:59,999
These are actually that we've blown off
the lids of the mountains for coal mining.
34
99:59:59,999 --> 99:59:59,999
Which is another piece of
my people's native culture.
35
99:59:59,999 --> 99:59:59,999
And at the top, in space you can see
the ISS, and you can see a banana,
36
99:59:59,999 --> 99:59:59,999
and you can see what I think is a bulb.
This is to signify space trash.
37
99:59:59,999 --> 99:59:59,999
I mean there's a lot of stuff up there.
And, you know it's symbolism that matters
38
99:59:59,999 --> 99:59:59,999
in these things, you know?
39
99:59:59,999 --> 99:59:59,999
At BerlinSides, in May of 2012
40
99:59:59,999 --> 99:59:59,999
I did a lecture on reverse
engineering the SPOT Connect.
41
99:59:59,999 --> 99:59:59,999
The SPOT Connect is a litte
hockey puck type thing
42
99:59:59,999 --> 99:59:59,999
– this is what it looks like.
And these things are great.
43
99:59:59,999 --> 99:59:59,999
It weighs a bit more than your cell phone
but it runs off of a couple of batteries,
44
99:59:59,999 --> 99:59:59,999
it connects to your phone by Bluetooth.
45
99:59:59,999 --> 99:59:59,999
Originally these were emergency locator
beacons. So if you're going hiking...
46
99:59:59,999 --> 99:59:59,999
have any of you seen the movie where
the guy has to cut off his arm
47
99:59:59,999 --> 99:59:59,999
with a dull knife? If you're hiking and
you don't want that same experience
48
99:59:59,999 --> 99:59:59,999
you buy one of these things. And
then there's an emergency button
49
99:59:59,999 --> 99:59:59,999
you can push that transmits your
GPS coordinates by satellite
50
99:59:59,999 --> 99:59:59,999
to rescue workers. But that was boring,
so they had to add social media.
51
99:59:59,999 --> 99:59:59,999
laughs, laughter
52
99:59:59,999 --> 99:59:59,999
So in addition to keeping you
from chewing off your own arm
53
99:59:59,999 --> 99:59:59,999
this device will also allow you to
tweet and make Facebook posts.
54
99:59:59,999 --> 99:59:59,999
laughs, laughter
55
99:59:59,999 --> 99:59:59,999
The idea is that as you're running...
here I'm crossing the Schuylkill River
56
99:59:59,999 --> 99:59:59,999
in Philadelphia and the Android
phone on the left is making a post.
57
99:59:59,999 --> 99:59:59,999
And I did an article on reverse-
engineering the Bluetooth side
58
99:59:59,999 --> 99:59:59,999
of these things. Because... I use a weird
brand of phone that Microsoft killed off,
59
99:59:59,999 --> 99:59:59,999
and I'm terribly bitter about it. But
I also figured out the physical layer.
60
99:59:59,999 --> 99:59:59,999
And that's what this diagram shows.
This transmits at 1.6125 GHz.
61
99:59:59,999 --> 99:59:59,999
And it sends a pseudo-random stream, so
each one of these zeros is a long chunk
62
99:59:59,999 --> 99:59:59,999
where it's bouncing back and forth
between 2 different frequencies.
63
99:59:59,999 --> 99:59:59,999
And the same for the ones.
But the way that the pattern works
64
99:59:59,999 --> 99:59:59,999
is that it switches the signal whenever
it is going from the 0 signal
65
99:59:59,999 --> 99:59:59,999
to the 1 signal. And internally, there are
these little pops that you can actually
66
99:59:59,999 --> 99:59:59,999
identify on a Software Defined Radio
recording. And this is how you can
67
99:59:59,999 --> 99:59:59,999
reverse-engineer the signal that
the SPOT Connect is sending up
68
99:59:59,999 --> 99:59:59,999
to its satellite network.
69
99:59:59,999 --> 99:59:59,999
Everything is clear text on this.
And it's completely unencrypted.
70
99:59:59,999 --> 99:59:59,999
It just has your serial number, your GPS
coordinates, and a bit of ASCII text.
71
99:59:59,999 --> 99:59:59,999
So if you listen on this frequency and
you have the correct recording software
72
99:59:59,999 --> 99:59:59,999
you can actually watch all of the SPOT
Connect messages that are transmitting
73
99:59:59,999 --> 99:59:59,999
up from your location. And this would be
great except that this is designed for
74
99:59:59,999 --> 99:59:59,999
hiking in areas where there's no cell
phone service. So having an antenna
75
99:59:59,999 --> 99:59:59,999
on the uplink frequency is kind of
useless. You know you would actually
76
99:59:59,999 --> 99:59:59,999
have to go out to a national park, find
some guy who is about to chew his arm off,
77
99:59:59,999 --> 99:59:59,999
and then you could listen to his uplink
where he is like tweeting: "Hey, I'm gonna
78
99:59:59,999 --> 99:59:59,999
chew my arm off", you know?
laughter
79
99:59:59,999 --> 99:59:59,999
So that's great as a proof of concept
but it's not really anything practical.
80
99:59:59,999 --> 99:59:59,999
The current state of that was that I knew
the protocol and I could sniff the uplinks.
81
99:59:59,999 --> 99:59:59,999
But I wanted to sniff the downlinks. So
it's easy for me to get the thing that
82
99:59:59,999 --> 99:59:59,999
goes up to the satellite. But what I wanted
was what comes down from the satellite.
83
99:59:59,999 --> 99:59:59,999
And that requires a satellite dish. But
a geo-stationary dish isn't good enough
84
99:59:59,999 --> 99:59:59,999
because the satellites that run this
network – there are a lot of them,
85
99:59:59,999 --> 99:59:59,999
it's called the Globalstar network,
they fly really low across the earth,
86
99:59:59,999 --> 99:59:59,999
and they fly across the earth in very
tight, very fast orbits. So they'll move
87
99:59:59,999 --> 99:59:59,999
from horizon to horizon in 15 to 20
minutes. Which means that you either need
88
99:59:59,999 --> 99:59:59,999
like a sweat shop army of kids
trying to aim the satellite dish
89
99:59:59,999 --> 99:59:59,999
as it's going across or you need
to make it computer-controlled.
90
99:59:59,999 --> 99:59:59,999
Stepping back from the SPOT
Connect for a little bit, and
91
99:59:59,999 --> 99:59:59,999
discussing some prior research.
Adam Laurie did some work
92
99:59:59,999 --> 99:59:59,999
with geostationary satellites.
These are the satellites that stay
93
99:59:59,999 --> 99:59:59,999
in one position in the sky.
He gave two sets of talks
94
99:59:59,999 --> 99:59:59,999
– one in 2008 and the second in
2010. And he used a DVB-S card
95
99:59:59,999 --> 99:59:59,999
connected to a satellite dish with
a diseqc motor, so that it could move
96
99:59:59,999 --> 99:59:59,999
the satellite dish left and right in order
to scan a region of the horizon.
97
99:59:59,999 --> 99:59:59,999
His tool is publicly available,
it's called satmap.
98
99:59:59,999 --> 99:59:59,999
You can grab it at this URL.
99
99:59:59,999 --> 99:59:59,999
And then after he finds a signal he has
a feed scanner. Normally when you use
100
99:59:59,999 --> 99:59:59,999
Satellite TV you provider gives you
a listing of the frequencies, and
101
99:59:59,999 --> 99:59:59,999
your provider gives you an exact orbital
position to aim your satellite dish at.
102
99:59:59,999 --> 99:59:59,999
But Adam's tool allows you to scan to
see which frequencies are in use and
103
99:59:59,999 --> 99:59:59,999
which protocols are in use, once
you've correctly aimed your dish.
104
99:59:59,999 --> 99:59:59,999
And he also describes a technique
for moving your dish left and right
105
99:59:59,999 --> 99:59:59,999
while doing this in order to
identify where the satellites are.
106
99:59:59,999 --> 99:59:59,999
This recording here is from
a re-implementation that I made
107
99:59:59,999 --> 99:59:59,999
of Adam's work, in order to
catch up with it. In this diagram
108
99:59:59,999 --> 99:59:59,999
the x-axis - because you move left
and right - that shows the azimuth,
109
99:59:59,999 --> 99:59:59,999
that shows how far left or right my
satellite dish has moved. And then
110
99:59:59,999 --> 99:59:59,999
the y-axis shows the frequency. And
all of these dots are strong signals.
111
99:59:59,999 --> 99:59:59,999
So every vertical bar in which you see
chunks of frequencies, that's a satellite.
112
99:59:59,999 --> 99:59:59,999
But these stay in the same position. So
it's easy for me to repeat this experiment.
113
99:59:59,999 --> 99:59:59,999
It's easy for me to re-run it, and to find
the same satellites in the same position.
114
99:59:59,999 --> 99:59:59,999
It's easy to debug this.
But it can't move in elevation.
115
99:59:59,999 --> 99:59:59,999
This diagram is actually
a very small slice of the sky.
116
99:59:59,999 --> 99:59:59,999
We're looking at a single line,
maybe 10 degrees across.
117
99:59:59,999 --> 99:59:59,999
Maybe only 5 degrees across.
118
99:59:59,999 --> 99:59:59,999
So hacking Ku-band – the television
satellites – has the advantage
119
99:59:59,999 --> 99:59:59,999
that you can use cheap standardized
hardware. I bought one of these DVB-S cards
120
99:59:59,999 --> 99:59:59,999
in Mauerpark, in Berlin for 3 Euro. You
can use standardized disecq motors,
121
99:59:59,999 --> 99:59:59,999
you can buy them at a satellite TV shop.
122
99:59:59,999 --> 99:59:59,999
TV signals come with video feeds
so you can actually see pictures.
123
99:59:59,999 --> 99:59:59,999
There was a scandal about 4..5 years
ago where they were finding
124
99:59:59,999 --> 99:59:59,999
drone [control] feeds that were being
bounced across these satellites.
125
99:59:59,999 --> 99:59:59,999
In the nineties it was very popular to
listen to the sort of unedited sections
126
99:59:59,999 --> 99:59:59,999
of interviews, when people would
be interviewed over a satellite,
127
99:59:59,999 --> 99:59:59,999
before Skype and such
things became options. And
128
99:59:59,999 --> 99:59:59,999
there are also networking signals here
using TCP/IP packets. So you can actually
129
99:59:59,999 --> 99:59:59,999
turn your DVB-S card into
a promiscuous ethernet adapter,
130
99:59:59,999 --> 99:59:59,999
and start sniffing all of the traffic that
comes across. This is also a great way
131
99:59:59,999 --> 99:59:59,999
to get free downlink bandwidth. Because
you can just flood packets at an address
132
99:59:59,999 --> 99:59:59,999
that, you know, will be routed to
you, or several addresses, and
133
99:59:59,999 --> 99:59:59,999
then you sniff it out as the
legitimate receiver ignores them.
134
99:59:59,999 --> 99:59:59,999
But it also has some disadvantages. It
only works for geostationary satellites.
135
99:59:59,999 --> 99:59:59,999
If the satellite is not staying in the
same position relative to the ground
136
99:59:59,999 --> 99:59:59,999
then you can't track it. Your
dish also moves very slowly.
137
99:59:59,999 --> 99:59:59,999
And it only moves left and right.
It won't move up and down.
138
99:59:59,999 --> 99:59:59,999
And you're limited to standardized
signals. So while it's great that you get
139
99:59:59,999 --> 99:59:59,999
video and TCP/IP you're never
going to get anything weird.
140
99:59:59,999 --> 99:59:59,999
You're not gonna get any mobile
data, you're not going to get any
141
99:59:59,999 --> 99:59:59,999
Brazilian truck-drivers – we'll
get to those in a bit. laughs
142
99:59:59,999 --> 99:59:59,999
I misspoke, you actually will get
Brazilian truck-drivers in this.
143
99:59:59,999 --> 99:59:59,999
So I bought a satellite dish. One of the
best things about living in America is
144
99:59:59,999 --> 99:59:59,999
that you can buy industrial
hardware cheap as dirt on ebay.
145
99:59:59,999 --> 99:59:59,999
I know things aren't likely used to being
a cat bite to (?)(?) human children anymore.
146
99:59:59,999 --> 99:59:59,999
But this satellite dish here on
the left – the one in the radome –
147
99:59:59,999 --> 99:59:59,999
that's my dish. And to the right,
that's the boat that it came from.
148
99:59:59,999 --> 99:59:59,999
applause
laughs
149
99:59:59,999 --> 99:59:59,999
This came from a military ship.
But the dish itself is also available
150
99:59:59,999 --> 99:59:59,999
for civilian use on very large yachts.
151
99:59:59,999 --> 99:59:59,999
The dish itself is a Felcom 81 and it
was intended for use with a network
152
99:59:59,999 --> 99:59:59,999
called Inmarsat. Inmarsat allows
for telephone connections,
153
99:59:59,999 --> 99:59:59,999
and also data connections when you're on
a boat. So if the crew wants to call home
154
99:59:59,999 --> 99:59:59,999
or wants to go to AOL Keywords
155
99:59:59,999 --> 99:59:59,999
or whatever was popular back when
this was common they could do that.
156
99:59:59,999 --> 99:59:59,999
And the dish was designed to sit
at the very top of a ship's mast.
157
99:59:59,999 --> 99:59:59,999
The reason why is that at the top of
the mast there aren't any obstructions
158
99:59:59,999 --> 99:59:59,999
– it has a clear view of the sky in all
directions. But there's a complication
159
99:59:59,999 --> 99:59:59,999
with being on the top of the mast. Which
is that the ship is rocking beneath you
160
99:59:59,999 --> 99:59:59,999
and you're moving more
than the rest the ship.
161
99:59:59,999 --> 99:59:59,999
So they have stepper motors
for azimuth, elevation and tilt.
162
99:59:59,999 --> 99:59:59,999
And then they have spinning gyroscopes.
Back before the iPhone there was
163
99:59:59,999 --> 99:59:59,999
this dark, dark time when
gyroscopes actually spun.
164
99:59:59,999 --> 99:59:59,999
And this is the sort of gyroscope that
it has. It actually has 4 of them so
165
99:59:59,999 --> 99:59:59,999
that it can measure its movement.
166
99:59:59,999 --> 99:59:59,999
And then it has a control computer. So the
idea is that the dish itself can be moved
167
99:59:59,999 --> 99:59:59,999
while remaining absolutely stable
with regard to the gyroscopes.
168
99:59:59,999 --> 99:59:59,999
So it compensates for the rocking of
the ship beneath it as it's targeting
169
99:59:59,999 --> 99:59:59,999
a stationary satellite.
In America this costs 250 dollars
170
99:59:59,999 --> 99:59:59,999
but it's electronics equipment, so while
you think that would only be a 180 Euro
171
99:59:59,999 --> 99:59:59,999
it's more like 2500. And that's before
import duties and it being impounded.
172
99:59:59,999 --> 99:59:59,999
We also have this lovely culture in which
people love excuses to use their trucks.
173
99:59:59,999 --> 99:59:59,999
So the guy that I bought this from offered
to deliver it to my home for only $200.
174
99:59:59,999 --> 99:59:59,999
It was an 11-hour drive.
175
99:59:59,999 --> 99:59:59,999
But if you wanted this you'd have to
bring it back in your carry-on luggage
176
99:59:59,999 --> 99:59:59,999
and that could be awkward.
177
99:59:59,999 --> 99:59:59,999
I got this dish and I decided I had
to do something with it. So I created
178
99:59:59,999 --> 99:59:59,999
the Southern Appalachian Space Agency.
I'm from the state of Tennessee,
179
99:59:59,999 --> 99:59:59,999
formerly known as the State of Franklin
until North Carolina invaded us.
180
99:59:59,999 --> 99:59:59,999
It's ok, I know Europeans suck at history.
181
99:59:59,999 --> 99:59:59,999
laughs
laughter and applause
182
99:59:59,999 --> 99:59:59,999
Now I'm trying to think of how to show
you on a map where Tennessee is
183
99:59:59,999 --> 99:59:59,999
without having a map. But, you know, it's
okay, I know you suck at geography
184
99:59:59,999 --> 99:59:59,999
and will forget it soon (?)
185
99:59:59,999 --> 99:59:59,999
From audience: It's very
near Texas, to the north.
186
99:59:59,999 --> 99:59:59,999
Travis: Texas is our first colony. But
it's actually a decent drive to the east.
187
99:59:59,999 --> 99:59:59,999
Due east (?). You don't
actually have to go it anyways.
188
99:59:59,999 --> 99:59:59,999
So what I did was I took these motors
which were designed to be able to move
189
99:59:59,999 --> 99:59:59,999
the satellite dish to compensate
for the rocking the ship and
190
99:59:59,999 --> 99:59:59,999
I re-purposed them to track through
the sky while the ground is stable.
191
99:59:59,999 --> 99:59:59,999
We don't have very many earthquakes in
Tennessee. The last one that we had
192
99:59:59,999 --> 99:59:59,999
made rivers run the wrong direction.
But it's okay – it's a geography thing.
193
99:59:59,999 --> 99:59:59,999
laughs
So this allows me to track things
194
99:59:59,999 --> 99:59:59,999
that are moving through the sky.
But it doesn't actually matter
195
99:59:59,999 --> 99:59:59,999
where they're moving in the sky because
that's just a software problem.
196
99:59:59,999 --> 99:59:59,999
So in addition to tracking objects that
are in low-earth orbit by a software patch
197
99:59:59,999 --> 99:59:59,999
I can also track things that are in deep
space. It's not much harder to track
198
99:59:59,999 --> 99:59:59,999
deep space probes or stars than it
is to track items in low-earth orbit.
199
99:59:59,999 --> 99:59:59,999
And then I added a software defined radio
which allows me to record a signal now
200
99:59:59,999 --> 99:59:59,999
and then demodulate it later.
Which is necessary if you intend
201
99:59:59,999 --> 99:59:59,999
to reverse-engineer a signal. Because
a lot of the downlinks from these satellites
202
99:59:59,999 --> 99:59:59,999
are completely non... completely
undocumented. And being able
203
99:59:59,999 --> 99:59:59,999
to tune in to the right frequency is only
half of it. You also need a recording
204
99:59:59,999 --> 99:59:59,999
of sufficient quality that you can
reverse-engineer it after the fact.
205
99:59:59,999 --> 99:59:59,999
We're sort of spoiled by software
defined radios in that when doing
206
99:59:59,999 --> 99:59:59,999
software defined radio work we usually
have a very good signal to work from.
207
99:59:59,999 --> 99:59:59,999
So having high quality signals for later
reverse-engineering is necessary.
208
99:59:59,999 --> 99:59:59,999
I really wanted to be able to identify
undocumented downlinks for low-earth orbit
209
99:59:59,999 --> 99:59:59,999
in the same way that we already
do this for geo-stationary orbit
210
99:59:59,999 --> 99:59:59,999
using tools like the ones that Adam
Laurie and Jim Geovedi made.
211
99:59:59,999 --> 99:59:59,999
So I built a software framework as
a collection of Python daemons.
212
99:59:59,999 --> 99:59:59,999
And these run across a home
area network in my house.
213
99:59:59,999 --> 99:59:59,999
There's a Beaglebone inside of the Radome.
214
99:59:59,999 --> 99:59:59,999
And an x86 server in the house. Or AMD64,
whatever the kids call it these days.
215
99:59:59,999 --> 99:59:59,999
And then I used Postgres for coordination.
So that all of these daemons can talk
216
99:59:59,999 --> 99:59:59,999
to each other without... without me really
caring which machine they're on.
217
99:59:59,999 --> 99:59:59,999
So for maintenance I can have my
laptop pretending to be the dish,
218
99:59:59,999 --> 99:59:59,999
and I can have stepper motors on my desk,
and I can watch them spin, and I can even
219
99:59:59,999 --> 99:59:59,999
make a model of the dish and swap these
components in and out without the rest of
220
99:59:59,999 --> 99:59:59,999
the network being confused. This also
allows for sequal (?) injection attacks to
221
99:59:59,999 --> 99:59:59,999
physically move my dish. Which is why the
Sassin (?) network is not on one of those
222
99:59:59,999 --> 99:59:59,999
fancy WEB 2.0 things. Because of you could
inject, say, "UPDATE target SET name=
223
99:59:59,999 --> 99:59:59,999
'VOYAGER 1'". Then my dish would physically
move and start tracking Voyager 1
224
99:59:59,999 --> 99:59:59,999
through the sky. Voyager 2
225
99:59:59,999 --> 99:59:59,999
doesn't actually come into the sky because
of my position in the Northern hemisphere.
226
99:59:59,999 --> 99:59:59,999
So, it's okay, I know you suck at
geography. But Voyager 1 is going up,
227
99:59:59,999 --> 99:59:59,999
and Voyager 2 is going down.
228
99:59:59,999 --> 99:59:59,999
There's a Realtek Software Defined Radio
for the radio reception. Although
229
99:59:59,999 --> 99:59:59,999
these things are garbage. So I'm in the
process of replacing this for the HackRF.
230
99:59:59,999 --> 99:59:59,999
There's also an EiBot board for motor
control. We'll get back to that in a minute.
231
99:59:59,999 --> 99:59:59,999
And there's an Inertial Measurement Unit
from VectorNav which actually measures
232
99:59:59,999 --> 99:59:59,999
using the fancy MEMS gyroscopes and
a MEMS compass how I'm moving.
233
99:59:59,999 --> 99:59:59,999
This isn't accurate enough to target the
dish, so I'm still counting steps
234
99:59:59,999 --> 99:59:59,999
to move the dish. But it is accurate
enough to tell me when my belts
235
99:59:59,999 --> 99:59:59,999
have broken. Or when I'm up
against the physical obstruction.
236
99:59:59,999 --> 99:59:59,999
This is skytee helping
me out with the dish.
237
99:59:59,999 --> 99:59:59,999
He's zip-tying it. Because, you know
we know everything about duct tape
238
99:59:59,999 --> 99:59:59,999
where I come from, but we know nothing
about zip ties. So I had to bring in
239
99:59:59,999 --> 99:59:59,999
a German engineer.
laughter
240
99:59:59,999 --> 99:59:59,999
We call him a Gerry wigger (?) but, you know...
241
99:59:59,999 --> 99:59:59,999
This is the satellite dish itself. And you
can sort of see in this photograph
242
99:59:59,999 --> 99:59:59,999
where we've strapped on the equipment.
There's like an embillica (?) cord.
243
99:59:59,999 --> 99:59:59,999
Or more like a spinal column that actually
runs up the back of the dish. So we just
244
99:59:59,999 --> 99:59:59,999
added new cables onto that line.
And then zip-tied them in place.
245
99:59:59,999 --> 99:59:59,999
And skytee came up with all these
crazy ideas like that we should use
246
99:59:59,999 --> 99:59:59,999
chains and zip-ties to make sure that the
cables don't tear themselves out. And
247
99:59:59,999 --> 99:59:59,999
that worked tremendously well in practice.
So, as this thing spins around,
248
99:59:59,999 --> 99:59:59,999
by the original design there's a ring
connector that all of the signals
249
99:59:59,999 --> 99:59:59,999
go through. That all of the networking
goes through. That all of the rest
250
99:59:59,999 --> 99:59:59,999
goes through. And that worked in the
nineties because it had no reason
251
99:59:59,999 --> 99:59:59,999
to send anything faster than 9600 baud.
252
99:59:59,999 --> 99:59:59,999
But with the modern signals going across
it - I need 100MBit/s or even GB ethernet.
253
99:59:59,999 --> 99:59:59,999
That's not enough. I need more than
2 wires. So there's a cable that comes
254
99:59:59,999 --> 99:59:59,999
across it, and then I rely on the
software to keep it from wrapping
255
99:59:59,999 --> 99:59:59,999
that cable around itself. So it can only
move, say, 400 degrees around.
256
99:59:59,999 --> 99:59:59,999
But that's still more than a full circle.
So by stopping halfway and moving back
257
99:59:59,999 --> 99:59:59,999
I can prevent it from getting stacked (?).
We've got the Beaglebone on the left,
258
99:59:59,999 --> 99:59:59,999
in the middle there's a USB hub, and
on the right is the motor controller.
259
99:59:59,999 --> 99:59:59,999
The Beaglebone runs Debian Linux. And
takes care of sending the software defined
260
99:59:59,999 --> 99:59:59,999
radio recordings over the network. It also
takes care of updating the motor positions
261
99:59:59,999 --> 99:59:59,999
to be the ones that the database declares
should be current. The stepper motors
262
99:59:59,999 --> 99:59:59,999
themselves are the originals that the dish
was designed with. And they're running
263
99:59:59,999 --> 99:59:59,999
to an EiBot Board. The EiBot board was
intended for plotting on Easter eggs
264
99:59:59,999 --> 99:59:59,999
laughs
I feel, you know... is that neat?
265
99:59:59,999 --> 99:59:59,999
laughs
applause
266
99:59:59,999 --> 99:59:59,999
So you can actually aim a satellite dish
that's as tall as you are, with of these
267
99:59:59,999 --> 99:59:59,999
fancy motors using less sophisticated
equipment than what's used
268
99:59:59,999 --> 99:59:59,999
in a 3D printer. Don't panic, though.
It's a hell of a lot more reliable
269
99:59:59,999 --> 99:59:59,999
than a 3D printer. But we needed
some sort of backup. In addition
270
99:59:59,999 --> 99:59:59,999
to the inertial measurement unit telling
us when the device had snagged itself.
271
99:59:59,999 --> 99:59:59,999
It would also help to have a visual
queue. Because the satellite dish
272
99:59:59,999 --> 99:59:59,999
sits in Tennessee, and while I love my
home town, and, you know I'm very
273
99:59:59,999 --> 99:59:59,999
proud of being Tennesseean it's also
a long way to travel when you need
274
99:59:59,999 --> 99:59:59,999
to re-orient the dish. Using an
accelerometer it's easy enough
275
99:59:59,999 --> 99:59:59,999
to correct the elevation. Because you can
use the accelerometer as a level, and
276
99:59:59,999 --> 99:59:59,999
you can use that to tell how high up the
dish is pointing, at an absolute scale.
277
99:59:59,999 --> 99:59:59,999
But the compass isn't very accurate. So
instead, as a backup we have a webcam
278
99:59:59,999 --> 99:59:59,999
that's taped to the top. Taping
is my people's native culture.
279
99:59:59,999 --> 99:59:59,999
We have it taped to the top, and then
it's pointing backwards. So this gives us
280
99:59:59,999 --> 99:59:59,999
like a rear view camera, from the
dish's position. So as the dish sits
281
99:59:59,999 --> 99:59:59,999
inside of its radome... - junk cars in the XXX
are also my people's native tradition!
282
99:59:59,999 --> 99:59:59,999
So the dish sits there next to my
brother's Toyota Supra. And that thing,
283
99:59:59,999 --> 99:59:59,999
you know, that thing flies as soon as it
gets an engine put back in it. So it is -
284
99:59:59,999 --> 99:59:59,999
sits there and it's moving. But externally
you can't see where it is. Which means
285
99:59:59,999 --> 99:59:59,999
that I can't call my family in Tennessee
and blackmail them into - yet again -
286
99:59:59,999 --> 99:59:59,999
looking at my dish to tell where it's
pointed. There are bolts that hold this
287
99:59:59,999 --> 99:59:59,999
down. It takes half an hour to remove the
lid, another half an hour to put it back on.
288
99:59:59,999 --> 99:59:59,999
So instead we took the radome...
that's Frank, he's my cat.
289
99:59:59,999 --> 99:59:59,999
Give a "Cheers!" for Frank!
290
99:59:59,999 --> 99:59:59,999
applause and cheers
291
99:59:59,999 --> 99:59:59,999
Yeah, we had such a great time with Frank.
And we never knew that she was pregnant.
292
99:59:59,999 --> 99:59:59,999
If you happen to need kittens and wanna
pay the custom's fees I'll hook you up!
293
99:59:59,999 --> 99:59:59,999
So then we took tape and ran tape down the
edges of the radome, and then marked it.
294
99:59:59,999 --> 99:59:59,999
So from the markings you can tell
which clock position the back
295
99:59:59,999 --> 99:59:59,999
of the satellite dish is pointing at. So
if you point the dish towards 12:00
296
99:59:59,999 --> 99:59:59,999
you know that you're roughly at 6:00,
so you know that it's pointing South.
297
99:59:59,999 --> 99:59:59,999
And then you can sort of scan the sky
for a stationary target, and navigate
298
99:59:59,999 --> 99:59:59,999
off of that, to recover your position.
Software-wise... Remember,
299
99:59:59,999 --> 99:59:59,999
the whole thing runs through Postgres,
so I just tunnel the Postgres over SSH,
300
99:59:59,999 --> 99:59:59,999
and then I wrote a Python client that
displays the satellite positions and
301
99:59:59,999 --> 99:59:59,999
the satellite state in PiGame (?). This is
intended for making those games (?)
302
99:59:59,999 --> 99:59:59,999
really see the rabbit. And the rabbit
jumps on the other rabbit. But it... works!
303
99:59:59,999 --> 99:59:59,999
And it works perfectly well enough
to target the dish. Because all that
304
99:59:59,999 --> 99:59:59,999
this software has to do is plot the
positions of the satellites, and
305
99:59:59,999 --> 99:59:59,999
give orders back to the database when
I click on a satellite, or click on a position.
306
99:59:59,999 --> 99:59:59,999
It can also display stars. So the red
items are satellites which are not selected.
307
99:59:59,999 --> 99:59:59,999
The green item is Ghost3 (?) which is
the satellite that I'm targeting. And then
308
99:59:59,999 --> 99:59:59,999
the white items are stars in the sky. Now
this is a plot in which the azimuth is
309
99:59:59,999 --> 99:59:59,999
on the X axis, and the elevation is on the
Y axis. But I can also arrange it into
310
99:59:59,999 --> 99:59:59,999
a polar plot. Which sort of gives me an
upside-down view of the satellite dish
311
99:59:59,999 --> 99:59:59,999
looking at the sky. I doubt you can read
it, but just above the green circle
312
99:59:59,999 --> 99:59:59,999
in the center, that's Polaris which is the
North star. It's also weird because,
313
99:59:59,999 --> 99:59:59,999
you know, working on this, you know,
I thought that I got really good at astronomy
314
99:59:59,999 --> 99:59:59,999
until I realized that I only knew what the
stars looked like during the day.
315
99:59:59,999 --> 99:59:59,999
laughter
laughs
316
99:59:59,999 --> 99:59:59,999
And it being PiGame (?) you can actually
run it on a mobile device. So the same client
317
99:59:59,999 --> 99:59:59,999
that runs on my laptop can also run
on my Nokia N900. laughs
318
99:59:59,999 --> 99:59:59,999
applause
319
99:59:59,999 --> 99:59:59,999
A significant portion of the GUI client for
this was written while stuck on the U-Bahn,
320
99:59:59,999 --> 99:59:59,999
connected over 3G, SSH through, and just
using emacs on the phone. laughter
321
99:59:59,999 --> 99:59:59,999
laughs
applause
322
99:59:59,999 --> 99:59:59,999
If you're one of those people who needs to
complain about the N900 being too old,
323
99:59:59,999 --> 99:59:59,999
it also runs on the N9. And then,
324
99:59:59,999 --> 99:59:59,999
you can take the data out of this,
and run it through scientific software.
325
99:59:59,999 --> 99:59:59,999
In addition of the software defined radio
recordings themselves being dumped out
326
99:59:59,999 --> 99:59:59,999
to a text file or a binary file on disk
you can also dump out things like
327
99:59:59,999 --> 99:59:59,999
the received signal strength indicators
(RSSI). So this is a screenshot in which
328
99:59:59,999 --> 99:59:59,999
I'm identifying different satellites that
I've seen in the sky. Based upon
329
99:59:59,999 --> 99:59:59,999
their downlink signal peaks. You can see
the noise floor there, at the bottom,
330
99:59:59,999 --> 99:59:59,999
and then there's a rather strong signal on
the left. And a weaker neverware (?) signal
331
99:59:59,999 --> 99:59:59,999
on the right. Now, the daemons that build
this up... you need an orbit prediction daemon.
332
99:59:59,999 --> 99:59:59,999
Because you need to know where the
satellites are, and where they're going,
333
99:59:59,999 --> 99:59:59,999
and where they will be by
the time you get to them.
334
99:59:59,999 --> 99:59:59,999
You need to update the orbits themselves.
335
99:59:59,999 --> 99:59:59,999
LEO satellites are described in TLE files.
336
99:59:59,999 --> 99:59:59,999
These are called 'Two Line Entry'. And
they're called Two Line Entry because
337
99:59:59,999 --> 99:59:59,999
they're three lines long.
laughter
338
99:59:59,999 --> 99:59:59,999
These were originally used by Norad for
inter-continental ballistic missile tracking.
339
99:59:59,999 --> 99:59:59,999
And because a ballistic missile is
basically in orbit, it's just that that
340
99:59:59,999 --> 99:59:59,999
orbit happens to collide with the earth.
341
99:59:59,999 --> 99:59:59,999
But this format isn't terribly accurate
for satellites that adjust their own orbit.
342
99:59:59,999 --> 99:59:59,999
So anything that has fuel, or has engines,
or changes mass will vary it's position.
343
99:59:59,999 --> 99:59:59,999
And this also doesn't account for drag.
Because, you know, the missile itself,
344
99:59:59,999 --> 99:59:59,999
you know it goes up it goes down, it's
not orbiting enough for the light drag
345
99:59:59,999 --> 99:59:59,999
in the upper atmosphere to matter. But for
a satellite it does. So these Two Line Entries
346
99:59:59,999 --> 99:59:59,999
will work for a matter of days or maybe
a couple of weeks. But they don't last
347
99:59:59,999 --> 99:59:59,999
longer than that. So you need a daemon
that grounds (?) the new files from spacetrack.
348
99:59:59,999 --> 99:59:59,999
And this is just a matter of like
a recursive WGET, and then
349
99:59:59,999 --> 99:59:59,999
parsing the files. And that still needs
to be done. You also need motor control,
350
99:59:59,999 --> 99:59:59,999
because you need to move the dish
physically to track your target.
351
99:59:59,999 --> 99:59:59,999
You need input for the Inertial
Measurement Unit. This comes over
352
99:59:59,999 --> 99:59:59,999
a low voltage serial port. And then
you need radio daemons to handle
353
99:59:59,999 --> 99:59:59,999
spectrum analysis or downlink recording.
And, these, you'll have several of them,
354
99:59:59,999 --> 99:59:59,999
you have to swap them out. So you'll begin
by using the spectrum analyzer to identify
355
99:59:59,999 --> 99:59:59,999
that your aim is accurate, that you're
accurately tracking the targets
356
99:59:59,999 --> 99:59:59,999
well enough to get a recording from
them. And then after that you begin
357
99:59:59,999 --> 99:59:59,999
to take software defined recordings off
them. And, eventually, you might have
358
99:59:59,999 --> 99:59:59,999
a standalone application that parses what
you're receiving. Such as the Osmocom guys
359
99:59:59,999 --> 99:59:59,999
did with OpenGMR. So for orbit prediction
I began with a DOS program that had been
360
99:59:59,999 --> 99:59:59,999
ported to Unix, called 'predict'.
And this works, but it's garbage.
361
99:59:59,999 --> 99:59:59,999
It only supports 20 satellites plus the
sun, the moon, Venus and Mars.
362
99:59:59,999 --> 99:59:59,999
But no other planets because it's designed
for astronomy photographers who want
363
99:59:59,999 --> 99:59:59,999
to get a picture of something as it comes
over the horizon. You know, I need
364
99:59:59,999 --> 99:59:59,999
to track hundreds of targets. And then
write a script to opportunistically pick
365
99:59:59,999 --> 99:59:59,999
the ones that I want to record.
Because otherwise you have to like set
366
99:59:59,999 --> 99:59:59,999
an alarm clock for the half-hour pass in
which you can play with something.
367
99:59:59,999 --> 99:59:59,999
That software does allow you to query the
results by UDP, though. So you can just
368
99:59:59,999 --> 99:59:59,999
send it a flood of request packets,
then it will flood back with the data
369
99:59:59,999 --> 99:59:59,999
you're looking for. So I switched to
a library called PiFM which allows you
370
99:59:59,999 --> 99:59:59,999
to track hundreds of birds. It has no UDP
nonsense. It will also calculate satellites,
371
99:59:59,999 --> 99:59:59,999
planets and stars. And the really nifty (?)
thing about this is that you tell it...
372
99:59:59,999 --> 99:59:59,999
you know, it being a library you tell it
when to update the individual object
373
99:59:59,999 --> 99:59:59,999
that you're interested in. So you can
update objects that are out of view
374
99:59:59,999 --> 99:59:59,999
or uninteresting more slowly than the
ones that you care about.
375
99:59:59,999 --> 99:59:59,999
So I managed to track every single
item in geo-stationary orbit.
376
99:59:59,999 --> 99:59:59,999
This thick ring here is the clarke-bell(?)
of all satellites in geo-stationary orbit
377
99:59:59,999 --> 99:59:59,999
as viewed from my Southern horizon.
applause
378
99:59:59,999 --> 99:59:59,999
The Two Line Entry files you can get
freely from CELESTRAK.COM.
379
99:59:59,999 --> 99:59:59,999
So this is just a simple script that grabs
them and then inserts them.
380
99:59:59,999 --> 99:59:59,999
And the prediction daemon will actually
select them as it is loading up.
381
99:59:59,999 --> 99:59:59,999
This all inter process communication is
running through this Postgres database.
382
99:59:59,999 --> 99:59:59,999
And this daemon can be moved to
a different machine if I needed
383
99:59:59,999 --> 99:59:59,999
more computing power, or anything like
that. The motor control demon...
384
99:59:59,999 --> 99:59:59,999
well, the Eibot board is designed to take
stepper motor commands. It shows up
385
99:59:59,999 --> 99:59:59,999
as USB Serial device on Linux. So as
I plug it in to the Beaglebone it appears
386
99:59:59,999 --> 99:59:59,999
as /dev/ttyACM0. And the baud rate doesn't
matter. Because this is a USB device.
387
99:59:59,999 --> 99:59:59,999
You could then send it simple commands.
Like 'SM,3000,500,-400' means that I wanna
388
99:59:59,999 --> 99:59:59,999
move a stepper motor for 3000 ms. I want
the first motor to move 500 forwards,
389
99:59:59,999 --> 99:59:59,999
that's UP, and the second one to move
400 LEFT which is backwards 400 steps.
390
99:59:59,999 --> 99:59:59,999
And then it will count that out, and
then it sends me back an OK.
391
99:59:59,999 --> 99:59:59,999
If I want to disable the motors, I send
'EM,0,0'. This allows the motors to be
392
99:59:59,999 --> 99:59:59,999
freely spun. Because normally a stepper
motor will physically hold its position,
393
99:59:59,999 --> 99:59:59,999
you need to turn them off in
order to slide the dish around.
394
99:59:59,999 --> 99:59:59,999
'EM,1,1' will enable both motors
in 1/16-of-a-step mode.
395
99:59:59,999 --> 99:59:59,999
Stepper motors can do fractional
steps because they're
396
99:59:59,999 --> 99:59:59,999
holding themselves in position.
397
99:59:59,999 --> 99:59:59,999
You can see the motors themselves
with the belts and the geartrain.
398
99:59:59,999 --> 99:59:59,999
This thing on the right would probably
be illegal for me to turn on.
399
99:59:59,999 --> 99:59:59,999
The thing on the right is a 250 W amplifier.
400
99:59:59,999 --> 99:59:59,999
The stepper motors themselves just have
6 wires. In a lot of 3D printer type stuff
401
99:59:59,999 --> 99:59:59,999
they ignore the middle two. So you just
drop (?) off the middle two wires, you run
402
99:59:59,999 --> 99:59:59,999
the other four to your stepper
controller, and you're good to go.
403
99:59:59,999 --> 99:59:59,999
The belts and stuff need to be measured
in order to figure out exactly
404
99:59:59,999 --> 99:59:59,999
what the georeduction (?) is. Because you
need to know how many steps form a degree.
405
99:59:59,999 --> 99:59:59,999
The IMU unit, this Vectornav VN100 (?),
it's a MEMS gyroscope and accelerometer
406
99:59:59,999 --> 99:59:59,999
and a compass in a single box.
It costs $500 which was
407
99:59:59,999 --> 99:59:59,999
more than all of the other
equipment put together.
408
99:59:59,999 --> 99:59:59,999
The compass is confused by the stepper
motors because the compass is measuring
409
99:59:59,999 --> 99:59:59,999
magnetic fields. So you need to
mount this physically as far away
410
99:59:59,999 --> 99:59:59,999
from the stepper motors as possible. And
the gyroscope is confused by motor jerk (?)
411
99:59:59,999 --> 99:59:59,999
which is a shame because stepper motors
work as a series of jerks (?) rather than
412
99:59:59,999 --> 99:59:59,999
as a single consistent motion. And the
accelerometer is confused by gimble lock,
413
99:59:59,999 --> 99:59:59,999
so you have to switch it to
a quaternian (?) mode in order to get
414
99:59:59,999 --> 99:59:59,999
consistent values out of it. And if I had
to do this over again I'd really try
415
99:59:59,999 --> 99:59:59,999
to drop this piece of garbage. But it's
a lovely technology when it works.
416
99:59:59,999 --> 99:59:59,999
some laughter
417
99:59:59,999 --> 99:59:59,999
Now for position calculations, the
elevation itself comes from the IMU.
418
99:59:59,999 --> 99:59:59,999
The azimuth comes from the motor daemon.
This is because the accelerometer
419
99:59:59,999 --> 99:59:59,999
can very accurately tell which way
the earth's gravity is pulling it
420
99:59:59,999 --> 99:59:59,999
whereas the accelerometer has to integrate
jerks (?) over time in order to figure out
421
99:59:59,999 --> 99:59:59,999
its position. So the
accelerometer will drift
422
99:59:59,999 --> 99:59:59,999
and the compass will be confused by the
magnetic fields while the elevation is
423
99:59:59,999 --> 99:59:59,999
just a single accelerometer
that doesn't drift.
424
99:59:59,999 --> 99:59:59,999
And the IMU will become
a backup for these things
425
99:59:59,999 --> 99:59:59,999
in order to figure out how to make
it reliable. But at the moment
426
99:59:59,999 --> 99:59:59,999
the position measurement is infinitely
more reliable. The tilt motor
427
99:59:59,999 --> 99:59:59,999
I'm not using at present because on
a ship that's rocking it's necessary
428
99:59:59,999 --> 99:59:59,999
to tilt the dish. On a satellite dish
that's staying still the only useful
429
99:59:59,999 --> 99:59:59,999
tilting the dish is so that you can follow
the arc of a satellite through the sky
430
99:59:59,999 --> 99:59:59,999
by only moving a single motor.
Photopgrapher do this when they're
431
99:59:59,999 --> 99:59:59,999
trying to get long exposures of moving
satellites. At the moment my software
432
99:59:59,999 --> 99:59:59,999
doesn't support this feature. But
if it turns out to be necessary
433
99:59:59,999 --> 99:59:59,999
to get higher quality
recordings I might add it.
434
99:59:59,999 --> 99:59:59,999
The radio daemons. The
first is a spectrum analyzer.
435
99:59:59,999 --> 99:59:59,999
This just measures the signal strength
on each frequency. And it does it by the
436
99:59:59,999 --> 99:59:59,999
power spectral density function.
437
99:59:59,999 --> 99:59:59,999
And the strength itself will
vary with the position error.
438
99:59:59,999 --> 99:59:59,999
So this allows you to figure out how
far off you are by sort of testing,
439
99:59:59,999 --> 99:59:59,999
by overshooting just a little bit,
or undershooting just a little bit
440
99:59:59,999 --> 99:59:59,999
to center on your target. The downlink
recorder dumps the IQ values
441
99:59:59,999 --> 99:59:59,999
in the software defined radio
directly to an NFS share,
442
99:59:59,999 --> 99:59:59,999
which can later be decoded and
read and reverse-engineered.
443
99:59:59,999 --> 99:59:59,999
We've got a whole table of spectrum
data. And then I plot that in a tool
444
99:59:59,999 --> 99:59:59,999
called Viewpoints which NASA releases
for dealing with giant scatterplots
445
99:59:59,999 --> 99:59:59,999
in multiple dimensions. Each view takes
two dimensions, and it's tons of fun.
446
99:59:59,999 --> 99:59:59,999
The client GUI is this PyGame. I have
Postgres for communications, and
447
99:59:59,999 --> 99:59:59,999
the server does all the heavy lifting,
so the Beaglebone itself never has
448
99:59:59,999 --> 99:59:59,999
to do anything complicated with
regards to software defined radio.
449
99:59:59,999 --> 99:59:59,999
This is also about these faint blue lines
are positions at which I've seen
450
99:59:59,999 --> 99:59:59,999
particularly strong signals in order to
identify which satellites are active
451
99:59:59,999 --> 99:59:59,999
and which ones are inactive.
Because satellites die over time.
452
99:59:59,999 --> 99:59:59,999
And particularly useful targets, we're
reverse-engineering satellites that are
453
99:59:59,999 --> 99:59:59,999
out-of-commission or outdated.
I'm running out of time by these markers.
454
99:59:59,999 --> 99:59:59,999
Does this mean that we're skipping
questions, or does that mean that
455
99:59:59,999 --> 99:59:59,999
I need to be off the stage?
mumbling to stage
456
99:59:59,999 --> 99:59:59,999
Not having Q&A, okay. So today I get
accurate tracking of satellites.
457
99:59:59,999 --> 99:59:59,999
And this thing can run unattended 24h
a day for months without maintenance.
458
99:59:59,999 --> 99:59:59,999
Like I said: it's nothing like a 3D printer.
laughter
459
99:59:59,999 --> 99:59:59,999
It takes software defined radio
recordings, it can provide maps
460
99:59:59,999 --> 99:59:59,999
of views of different satellites in the
sky. The next step is I want to publish
461
99:59:59,999 --> 99:59:59,999
a 'port scan' of the entire sky. So which
frequencies are in use on which birds,
462
99:59:59,999 --> 99:59:59,999
for every bird that ever comes above
Tennessee, on every downlink that fits
463
99:59:59,999 --> 99:59:59,999
my antenna. As well as a database
of software defined radio recordings.
464
99:59:59,999 --> 99:59:59,999
If anyone would care to donate a truckload
of disks - that might be handy.
465
99:59:59,999 --> 99:59:59,999
I'd also like to make other ground
stations. The software that I've written
466
99:59:59,999 --> 99:59:59,999
ought to be portable to new hardware.
So there's nothing that should keep you
467
99:59:59,999 --> 99:59:59,999
from being able to port this to run on
your own dish. And I have a large yard,
468
99:59:59,999 --> 99:59:59,999
so I could conceivably have
a dozen of these things.
469
99:59:59,999 --> 99:59:59,999
Another way that you can do it, and
the way that it's traditionally done
470
99:59:59,999 --> 99:59:59,999
for stationary (?)(?)(?) satellites is having
Yagis or other loosely directional antennas
471
99:59:59,999 --> 99:59:59,999
in order to receive the signals.
I went with a dish because I wanted
472
99:59:59,999 --> 99:59:59,999
more selectivity. I wanted to be able to
get reverse-engineerable recordings
473
99:59:59,999 --> 99:59:59,999
rather than intentional ones for which
I already knew the downlink protocol.
474
99:59:59,999 --> 99:59:59,999
So this is my van, my van is amazing.
475
99:59:59,999 --> 99:59:59,999
applause
476
99:59:59,999 --> 99:59:59,999
Thanks to Nick Farr. I had a bit too
much to drink in Montreal and
477
99:59:59,999 --> 99:59:59,999
I called Nick Farr and I said: "Nick,
I want a dukw", like these amphibious
478
99:59:59,999 --> 99:59:59,999
troop transport vehicles. And Nick
said: "Sorry, I can't get you one but
479
99:59:59,999 --> 99:59:59,999
you want a news-van. And I said:
"Hell yeah, I want a news van!"
480
99:59:59,999 --> 99:59:59,999
So - this pole in the background, that's
not a lighting pole. That's actually
481
99:59:59,999 --> 99:59:59,999
part of the van.
laughter
482
99:59:59,999 --> 99:59:59,999
This is the antenna retracted. This mast
goes up 20m by pneumatic power.
483
99:59:59,999 --> 99:59:59,999
There's an air compressor in the back.
Here is the control panel, there's
484
99:59:59,999 --> 99:59:59,999
an air-conditioned office in the middle.
laughter
485
99:59:59,999 --> 99:59:59,999
laughs
This has four 19" server racks as well
486
99:59:59,999 --> 99:59:59,999
as A/V equipment that was left over.
I was particularly excited about
487
99:59:59,999 --> 99:59:59,999
the video monitor which supports PAL
which you folks are familiar with,
488
99:59:59,999 --> 99:59:59,999
NTSC or "Never The Same Color"
which is my people's native culture...
489
99:59:59,999 --> 99:59:59,999
laughter
But most importantly, it does SECAM,
490
99:59:59,999 --> 99:59:59,999
the system essentially contrary
to the American method.
491
99:59:59,999 --> 99:59:59,999
laughter and applause
laughs
492
99:59:59,999 --> 99:59:59,999
So in addition to my radio equipment
I'm adding my Soviet PDP-11 which was...
493
99:59:59,999 --> 99:59:59,999
laughs
...and that's not a joke. I have a Soviet
494
99:59:59,999 --> 99:59:59,999
PDP-11 thanks to the kind folks at the
Positive Hacking Days conference.
495
99:59:59,999 --> 99:59:59,999
This is the control panel,
and that's my talk!
496
99:59:59,999 --> 99:59:59,999
applause
497
99:59:59,999 --> 99:59:59,999
Herald: Thank you so much. There
actually is time for Q&A now.
498
99:59:59,999 --> 99:59:59,999
Travis: Well, first I'd like to introduce
you to my cat. If we could go back
499
99:59:59,999 --> 99:59:59,999
to the prior image. This is Frank!
We didn't know it at that time, but
500
99:59:59,999 --> 99:59:59,999
Frank was not dead when this picture was
taken. If you'd like kittens get in touch!
501
99:59:59,999 --> 99:59:59,999
Okay. Are there any questions?
502
99:59:59,999 --> 99:59:59,999
Question: Great talk. What's the most
interesting signal you decoded so far?
503
99:59:59,999 --> 99:59:59,999
Travis: At the moment I'm sort of stuck
at the L band range. Because of filters
504
99:59:59,999 --> 99:59:59,999
that I have yet to remove. So everything
gets attenuated, and becomes annoyingly
505
99:59:59,999 --> 99:59:59,999
quiet outside of the 1.5..1.6 -ish range.
The Globalstar network is what I'm most
506
99:59:59,999 --> 99:59:59,999
interested in targeting next. I cam't wait
to see what people are tweeting
507
99:59:59,999 --> 99:59:59,999
while they should be enjoying nature.
508
99:59:59,999 --> 99:59:59,999
Herald: Is there a question
from the internet?
509
99:59:59,999 --> 99:59:59,999
Signal Angel: Yeah, the internet has
many questions. So first one was:
510
99:59:59,999 --> 99:59:59,999
Is there really no authentication or
encryption on the Q band IP services?
511
99:59:59,999 --> 99:59:59,999
So you can just spoof at will? And can the
birds see the physical leakage and of
512
99:59:59,999 --> 99:59:59,999
the source accurately enough to find who
is spoofing?
513
99:59:59,999 --> 99:59:59,999
Travis: I'm not an expert in Ku band. The...
for the downlink the bird has no clue
514
99:59:59,999 --> 99:59:59,999
as to the location of the dish. Because
you're only listening. They can roughly
515
99:59:59,999 --> 99:59:59,999
figure out your geographic area because...
they need to figure out where
516
99:59:59,999 --> 99:59:59,999
the spot beam is going. So they might know
whether you're in, say, Germany or
517
99:59:59,999 --> 99:59:59,999
in France. But they won't know whether
you're in Heidelberg or Mannheim.
518
99:59:59,999 --> 99:59:59,999
They do have forms of authentication for
many satellite networks. Satellite TV
519
99:59:59,999 --> 99:59:59,999
is one of the best-protected network
services. Because of the satellite wars
520
99:59:59,999 --> 99:59:59,999
in the 90's. In which TV pirates would
fight back and forth with smart card
521
99:59:59,999 --> 99:59:59,999
designers. But there are also many
unencrypted links. And there are...
522
99:59:59,999 --> 99:59:59,999
because of standard protocols those
are particularly easy to find in Ku band.
523
99:59:59,999 --> 99:59:59,999
Question: You've been talking about
using RTLSDR from osmocom.
524
99:59:59,999 --> 99:59:59,999
And you were talking about your spectrum
analysis program. Is this one working
525
99:59:59,999 --> 99:59:59,999
with RTLSDR?
526
99:59:59,999 --> 99:59:59,999
Travis: So... RTLSDR... so I'm using
the RTLSDR not the osmo-sdr.
527
99:59:59,999 --> 99:59:59,999
Which are separate. The spectrum
analyzer is working with the RTLSDR.
528
99:59:59,999 --> 99:59:59,999
My complaint about the RTLSDR is that
when you have a strong signal next to
529
99:59:59,999 --> 99:59:59,999
a weak signal the weak signal is
utterly useless for interpretation.
530
99:59:59,999 --> 99:59:59,999
Question: Okay. Thank you.
531
99:59:59,999 --> 99:59:59,999
Herald: Another question
from the internet?
532
99:59:59,999 --> 99:59:59,999
Signal Angel: Okay, next question from the
internet is: how do you record the radio signal
533
99:59:59,999 --> 99:59:59,999
from the dish, at what sampling rate?
534
99:59:59,999 --> 99:59:59,999
Travis: The RTLSDR samples at 2 million
samples per second. As soon as I switch it
535
99:59:59,999 --> 99:59:59,999
over to the HackRF, well, we're having
20 million samples per second.
536
99:59:59,999 --> 99:59:59,999
The sampling rate can be reduced once
the bandwidth of the signal is known.
537
99:59:59,999 --> 99:59:59,999
For radio (?) storage. And the recordings
can also be compressed.
538
99:59:59,999 --> 99:59:59,999
But it's still a hell of a lot of storage.
539
99:59:59,999 --> 99:59:59,999
Herald: Any other questions?
540
99:59:59,999 --> 99:59:59,999
Signal Angel: The internet
has more questions...
541
99:59:59,999 --> 99:59:59,999
Herald: Okay...
542
99:59:59,999 --> 99:59:59,999
Signal Angel: Did you look into obtaining
a capacity of IBAN with copper (?), as used
543
99:59:59,999 --> 99:59:59,999
for the rotary gentries in CT scanners?
Those can apparently transmit contactless
544
99:59:59,999 --> 99:59:59,999
several GBytes per
second, bi-directionally.
545
99:59:59,999 --> 99:59:59,999
Travis: I've not looked into those.
It seemed better to have an Umbellaco (?)
546
99:59:59,999 --> 99:59:59,999
cable and to be careful not to snap it.
547
99:59:59,999 --> 99:59:59,999
The whole thing was done for a budget
of less than 2000 Dollars, and can be
548
99:59:59,999 --> 99:59:59,999
recreated for less than a budget of 1000
[Dollars]. And they... so we tried to avoid
549
99:59:59,999 --> 99:59:59,999
fancy parts. The local radio shack loved
us because we'd swing in and buy all sorts
550
99:59:59,999 --> 99:59:59,999
of crazy stuff. As soon as we told them
that we wanted the satellite dish to
551
99:59:59,999 --> 99:59:59,999
dance Gangnam style...
laughs
552
99:59:59,999 --> 99:59:59,999
laughter
553
99:59:59,999 --> 99:59:59,999
Thank you Carnaugh(?)
554
99:59:59,999 --> 99:59:59,999
applause
555
99:59:59,999 --> 99:59:59,999
silent postroll titles
556
99:59:59,999 --> 99:59:59,999
subtitles created by c3subtitles.de
in the year 2017. Join, and help us!