<i>silent 30C3 preroll titles</i>

<i>applause</i>

Travis Goodspeed: First I need to apologize
for typesetting this in OpenOffice.

I know that the text looks
like a ransome note.

But that's what happens
when you don't use LaTex.

I'd also like to give a shoutout call,
Mallnarf (?) is here, and our

Dinosaur rock band.
<i>laughs, applause</i>

We are a Christian rock band - we are
called 'Jesus lives in the ISS', and

we know that he's always watching us,
but we think that it's easier for him

to hear our prayers when he's, you
know, in an orbit that passes over us.

So we need this orbital tracking
to know when to pray!

As I'm sure you can guess I'm not
recognized as a legal minority religion

in Germany. I'd also like to thank Skytee
and Fabienne (?)(?)(?) and Adami Lori

and Jim (?)(?)(?) for some
prior satellite tracking work,

and the skuby crew (?) at Dartmouth
College for all sorts of fun

whenever I bounce out there.
This is the mission patch

of the Southern Appalachians Space Agency.

<i>applause and cheers</i>

This was drawn by Scot Biben and there are
a few pieces of my people's native culture

that I need to point out here. On the
right the little Dinosaur type thing

with it's finger going out, you might
call him E.T. but we call these things

'buggers'. They're like this tall, and
they're green and that's why the man

on the left has a shotgun.
<i>laughter</i>

Because he doesn't want to be abducted.
You got a satellite dish in the middle,

and it's sitting on sinter blocks because
that's also a piece of my people's

native culture. There's a moonshine still
in the background. That's kind of like

Waldcubbet (?) You make it at home, and
from corn. And then there's the mountain...

A piece, it looks like there are snowpeaks
on those mountain tops. But our mountains

aren't tall enough to have snow. These are
actually that we've blown off the leads

in the mountains, for coal mining.
Which is another piece of my people's

native culture. And at the top, in space
you can see the ISS, and you can see

a banana, and you can see what I think is
a bulb. This is to signify space trash.

I mean there's a lot of stuff up there.
And, you know' it's symbolism that matters

in these things, you know? At BerlinSides,
in May of 2012 I did a lecture on

reverse engineering the SPOT Connect. The
SPOT Connect is a litte hockey puck type thing

– this is what it looks like. And these
things are great. It weighs a bit more

than your cell phone, but it runs off of
a couple of batteries, it connects

to your phone via Bluetooth. Originally
these were emergency locator beacons.

So if you're going hiking...
Have any of you seen the movie where

the guy has to cut off his arm with a dull
knife? If you're hiking and you don't want

allow you to tweet, and make Facebook posts.
<i>laughs, laughter</i>

the same experience, you buy one of these
things. And then there's an emergency button

you can push, that transmits your GPS
coordinates via satellite to rescue workers.

But that was boring, so they had to add
social media. <i>laughs, laughter</i>

So in addition to keeping you from chewing
off your own arm this device will also

The idea is as you're running – here I'm
crossing the Schuylkill River in Philadelphia

and the Android phone on the left is
making a post. And I did an article

on reverse-engineering the Bluetooth
side of these things. Because... I use

a weird brand of phone that Microsoft
killed off, and I'm terribly bitter about it.

But I also figured out the physical layer.
And that's what this diagram shows.

This transmits 1.6125 GHz. And it
sends a pseudo-random stream, so

each one of these zeros is a long chunk
where it's bouncing back and forth

between 2 different frequencies And
the same for the ones. But the way

that the pattern works is that it switches
the signal whenever it is going from

the 0 signal to the 1 signal. And
internally, there are these little pops

that you can actually identify on
a software defined radio recording.

And this is how you can reverse-engineer
the signal that the SPOT Connect is

sending up to its satellite network.

Everything is clear text on this.
And it's completely unencrypted.

It just has your serial number, your GPS
coordinates, and a bit of ASCII text.

If you listen on this frequenzy and have the correct recording software

you can actually watch all the spot connect messages that are transmitting up from your location

this be great except that this is designed for hiking in areas where there's no cell phone service

So having an antenna on the uplink freq is kind of useless.

you know you actually have to go out to a national park find some guy who is about to chew his arm and

then you could listen to his uplink where he is liked reading hey I'm gonna chew my arm of you know <i>laughing</i>

So that's great as a proof of concept, but it's not really anything practical.

the current stated that was that I knew the protocol and I could sniff the uplinks, but I wanted to sniff the downlinks.

It's easy to get the thing that goes up to the satellite, but I wanted to get that what comes down from the satellite.

and that requires a a satellite dish

but a geostationary dish isn't good enough

because the satellites that run this network there are a lot of them

– it's called the Globalstar network –

They fly really low across the earth, and they fly on very tight and fast orbits

they move from horizon to horizon in 15 to 20 minutes

which means that you either need like a sweatshop army of kids trying aim the satellite dishes is going across

or you have to make it computer controlled.

Stepping back from the SC a little, Adam laurie made some work on geostationary satellites

that stay in one position in the sky

he gave two sets of talks – one in 2008 and the second in 2010

He used a DVB-S card connected to a sat dish with a diseqc motor

so they could move the satellite dish in order to scan a region of the horizon.

His tool is publicly available at satmap you can grab it at this URL

And then after he finds a signal, he has a feed scannner.

Normally when you have sat TV, you provider gives you a listing of the frequencies

and your provider gives you an exact orbital position to aim your satellite dish at

But adam's tool allows you to scan to see which frequencys are in use

and which protocols are in use once you've correctly aimed your dish

he also describes a technique from moving your dish left and right while doing this in order to identify where the satellites are

This recording here is from reimplementation and I made as Adams work in order to catch up with it

In this diagram the x-axis shows the azimuth, this shows how much left or right my sat dish has moved.

the y-axis shows the frequency and all these dots are strong signals

Every vertical bar in which you see chunks of frequencies, that's a satellite.

but the stay in the same position so it's easy for me to repeat this experiment its easy for me to rerun it

and to find the same satellites in the same position. It's easy to debug this.

But it can't move in elevation. This diagram is just a small slice of the sky.

We're looking at a single line maybe 10 degrees across. Maybe only five degrees across.

Hacking KU-band – the television satellites – has the advantage that you can use cheap standardized hardware.

I bought one one of this DVB-S cards in Mauerpark, Berlin for 3 euros.

You can use standardized disecq motors, you can but them at a satellite TV shop.

TV signals come with video feeds, so you can actually see pictures.

There was a scandal a couple of years ago, where you could actually see drone feeds bouncing off satellites.

I in the the nineties it was very popular to listen to the sorta unedited sections of interviews

when people would be interviewed over a satellite before Skype and such things became options

and and the there also networking signals here using TCP IP packets

So you can actually turn your DVB-S card as promiscuous ethernet adapter.

and start sniffing all the traffic that comes across

this is also a great way to get free down link bandwidth because you can just fled packets at an address

that you know will be routed to you or several addresses and then used if it out as the legitimate receiver ignores them

But it also has some disadavntages. It only works with geostationary satellites. If the satellite moves, you can't track it.

you dish awesome is very slowly and it only moves left and right it won't move up and down

You're limited on standardized signals. While it's great that you get video and his TCP/IP

you're never going to get anything weird – you not gonna get any the mobile data

are you not going to get brazilian truck-drivers – we will get to those in a bit

I misspoke, you will actually get brazilian truck-drivers in this.

I bought a satellite dish – one of the best things about living in america is that you can buy

an industrial hardware cheap as dirt on e-bay

I know things are likely used to be XXXX in human children anymore

This sat dish here on the left – the one in the radome – that's my dish.

And to the right, that's the boat it came from. <i>applaus</i>

This came from a military ship. But the dish itself is also available to civilians for very large yachts.

the dish itself as a fellcom 81 and it was intended for use with the network called in Inmarsat

Imarsat allows for telephone connections and also data connections when you're on a boat.

If the crew wants to call home or wants to go to AOL keywords

or whatever was popular back when this was common they could do that

Teh dish was desgined to be at the very top of a ships' mast.

The reason why is that at the top of the mast there aren't any obstructions – it has a clear view of the sky in all directions.

But there's a complication for being on the top of the mast.

which is that the ship is rocking beneath you and you're moving more than the rest the ship

So they have stepper-motors for azimuth elevation and tilt and they have spinning gyroscopes.

back before the iPhone there is this dark dark time whens gyroscopes actually spun

this is the sort of gyros that it has – actually four of them so that it can measure its movement

and than it has a control computer. The idea is that the dish itself can be moved while remaining absolutely stable with regard to the gyroscopes

it compensates for the rocking of the ship beneath it as it's targeting a stationary satellite

In america this costs two 250 dollars

but its electronics equipment so while you think that would only be a 180 euro it's more like 2500

that's before import duties and it being impounded

we also have this lovely culture in which people love excuses to use their trucks so the guy that I but as from offered to deliver it to my home from the two hundred dollars it was an 11 hours drive

But if you wanted this, you'd have to carry this in your carry-on luggage and it could be awkward.

I got this dish and I decided I had to do something with it site created the southern appalachians space agency

I'm from the state of Tennessee formerly known as the State of Franklin and till north carolina invaded us

It's ok, I know europeans suck at history. <i>laughing</i>

now I'm trying to think you've had a show you on a map for Tennessee is without having a map but gonna its okay in a sec a jogger finisher get it send

Texas is our first colony but it's actually a decent drive to the east dewey's you don't actually have to go anyways

I took these motors which were designed to be able to move the a satellite dish to compensate for the rocking the ship

and repurposed them to track through the sky while the ground is stable

we don't have very many earthquakes in Tennessee – the last one that we had made rivers run the wrong direction but its okay – it's a geography thing

This allows me to track things that are moving through the sky, but it doesn't actually matter where they're moving, because that's just a software problem.

so in addition to tracking objects that are in low Earth orbit by a software patch I can also track
things that are in deep space it's not much harder to track and deep space probes or stars than it is to track items in low-earth orbit

And then i added an software defined radio which allows me to record a signal now and demodulate it later. Which is necssary when you want to reverse engineer a signal.

because a lot of the downlink of the satellites are completely non completely undocumented and being able to tune in to the right frequency is only half that you also need

You also need a recording of sufficent quality to reverse engineer later on.

We are sort of spoiled by software defined radios. When doing software defined radio work we usually have a very good signal to work from

having high quality signals for later reverse engineering is necessary.

I really wanted to be able to identify undocumented downlinks for low earth orbit in the same way that we already do this for and geo stationary orbit using tools like the ones that Adam Loria and Jin XXX made,

I built a software framework as a collection of python daemons.

..

there's a beagle board inside the radome, and there's a server in my home.

..

For maintenance, i can make my laptop pretend to be my dish, and can have steppers on my desk

..

Voyager 2 doesn't acutally come into the sky because of my position in the northern hemisphere.

..

..

This isn't accurate enough to target the dish, so

..

This is skytee helping out with the dish. He's zip-tying it because we know everything about duct-taping wehre i come from, but we know nothing about zip ties, so I had to bring in a german engineer.

..

..

As this thing spins around, by original design there's a ring connector where all the signals go through.

..

And that worked in the 90s because it had no reason to send anything faster than 9600 baud.

..

It can only move 400 degrees around,

..

We've got hte beagle board on the left, a usb-hub on the right and a

..

it also takes care of updating the motor position

..

The stepper motors themselves are the originals that the dish was designed with. They run into an EggBot-Board, which was designed to

..

so you can actually aim a satellite dish that's taller than you with technology easier than what's needed for a 3d printer.

..

The satellite dish sits in Tennessee,

..

..

So instead we took the radomeâthat's frank, that's my catâgive him cheers.

..

We took tape and we ran tape down the edges of the radome and then marked it.

..

And then you can sort of scan the sky for a stationary

..

and you can recover your position.

..

..

But I can also arrange it as a polar plot, which gives me a plot of what the radome is seeing.

..

[applause] A significant portion of the gui client was written while i was stuck on the U-Bahn connected using 3g

..

You can take the data out of this and run it through scientific software

..

..

The daemons that build this up, you need a norbit prediction daemon.

..

You need to update the orbits themselves.

..

..

But this format isn't incredibly accurate for satellites that correct their orbit.

..

So you need a daemon that grounds the new files from spacetrack and this is just a matter of a recursive

..

you also need motor control because you need to move the dish physically to

..

and then you need radio daemons to

..

and then after that you start to take software recorderings of that

..

So for orbit prediction i began with a DOS program that had been ported to Unix called predict. This works but it's garbage. It only supports 20 stars

..

because it's designed for astronomy photographers that want to take pictures of things

..

because otherwise you have to set an alarm clock for the half-hour pass where you can record them.

..

..

So i managed to track every single item in geostat orbit this thick ring here is the clarke-bell of all geostationary satellites as viewed from my northern hemisphere [?]

..

All IPC is running through this PostreSQL

..

you then send it simple commands, like SM,3000,500,-400

..

And then it will count that out, and send me back an OK. If i want to disable the motors, i'll send them em,0,0

..

EM,1,1 will enable both motors in 1/16s

..

You can see the motors themselves with the belts and the geartrains. This thing on the right would probably be illegal for me to turn on

..

The belts and stuff need to be measured to figure out what the reduction is

..

the IMU unit , this vectornav vn100 is a

..

it costs 500$ which was more than all of the other components together.

..

Now for position calculation, the elevation itself comes from the IMU. The azimuth

..

so the accelerometer will drift while the compass will be confused by the magnetic fields while the

..

and the IMU will be come of a backup how to make it reliable, but at the moment the position

..

..

The radio daomens. The first is a spectrum analyzer. It just measures the strength of the frequency

..

the downlink recorder dumps the IQ values

..

directly to an NFS share.

..

Client GUI is PyGame

..

Also notes these faint blue lines are positions where i saw particularly strong signals

..

I'm running out of time by these markers. does this mean we skip Q&amp;amp;A or that I get kickd off of stage?

..

It takes SDR, it can provide maps of used different satellites in the sky.

..

I'd also like to make other ground stations. The software that I wrote should be portable

..

Another way that you can do it, the way that it's traditionally done to track stationary satellites is with a YAGI antenna

..

This is my van, my van is amazing. <i>applause</i>

Thanks to nick farr. I had a bit to much too drink in

But you want a news-van. And I said Hell yes, I want a news van!

..

But most importantly, it does SECAM

..

This is the control panel, and that's my talk! [applause]