1
00:00:00,000 --> 00:00:09,120
silent 30C3 preroll titles
2
00:00:09,120 --> 00:00:11,950
applause
3
00:00:11,950 --> 00:00:15,000
Travis Goodspeed: First I need
to apologize for typesetting this
4
00:00:15,000 --> 00:00:20,080
in OpenOffice. I know that the
text looks like a ransom note.
5
00:00:20,080 --> 00:00:24,509
But that’s what happens
when you don’t use LaTeX.
6
00:00:24,509 --> 00:00:27,630
I’d also like to give a shoutout to
Collin Mulliner if he is here,
7
00:00:27,630 --> 00:00:29,680
and our Dinosaur rock band.
8
00:00:29,680 --> 00:00:33,230
laughs, applause
9
00:00:33,230 --> 00:00:36,870
We’re a Christian rock band, we’re
called ‘Jesus lives in the ISS’ and
10
00:00:36,870 --> 00:00:46,070
we know that he is always watching us,
but we think that it’s easier for him
11
00:00:46,070 --> 00:00:50,199
to hear our prayers when
he’s, you know, in an orbit
12
00:00:50,199 --> 00:00:55,689
that passes over us. So we need to use
orbital tracking to know when to pray!
13
00:00:55,689 --> 00:00:57,749
laughter
14
00:00:57,749 --> 00:01:00,899
As I’m sure you can guess I’m not
recognized as a legal minority religion
15
00:01:00,899 --> 00:01:06,140
in Germany. I’d also like to thank skytee
16
00:01:06,140 --> 00:01:11,010
and Fabienne Serrière and Adam Laurie
17
00:01:11,010 --> 00:01:16,810
and Jim Geovedi for some
prior satellite tracking work,
18
00:01:16,810 --> 00:01:20,350
and the Scooby Crew at Dartmouth
College for all sorts of fun
19
00:01:20,350 --> 00:01:24,689
whenever I bounce out there.
This is the mission patch
20
00:01:24,689 --> 00:01:28,329
of the Southern Appalachian
Space Agency (SASA).
21
00:01:28,329 --> 00:01:33,790
applause and cheers
22
00:01:33,790 --> 00:01:36,920
This was drawn by Scott Beibin and there
are a few pieces of my people’s native
23
00:01:36,920 --> 00:01:42,610
culture that I need to point out here. On
the right the little Dinosaur type thing
24
00:01:42,610 --> 00:01:48,149
with his finger going out, you might
call him E.T. but we call these things
25
00:01:48,149 --> 00:01:51,530
‘buggers’. They are like this tall, and
they are green and that’s why the man
26
00:01:51,530 --> 00:01:55,990
on the left has a shotgun.
laughter
27
00:01:55,990 --> 00:02:00,909
Because he doesn’t want to be abducted.
You got a satellite dish in the middle
28
00:02:00,909 --> 00:02:04,350
and it’s sitting on cinder blocks because
that’s also a piece of my people’s
29
00:02:04,350 --> 00:02:10,259
native culture. There’s a moonshine
still in the background.
30
00:02:10,259 --> 00:02:15,120
That’s kind of like vodka but you
make it at home and from corn.
31
00:02:15,120 --> 00:02:19,820
And then there’s the mountain… a piece…
it looks like there are snow peaks
32
00:02:19,820 --> 00:02:24,530
on those mountain tops. But our mountains
aren’t tall enough to have snow.
33
00:02:24,530 --> 00:02:28,679
These are actually that we’ve blown off
the lids of the mountains for coal mining.
34
00:02:28,679 --> 00:02:32,490
Which is another piece of
my people’s native culture.
35
00:02:32,490 --> 00:02:37,001
And at the top, in space you can see
the ISS, and you can see a banana,
36
00:02:37,001 --> 00:02:41,580
and you can see what I think is a bulb.
This is to signify space trash.
37
00:02:41,580 --> 00:02:45,909
I mean there’s a lot of stuff up there.
And, you know it’s symbolism that matters
38
00:02:45,909 --> 00:02:51,260
in these things, you know?
39
00:02:51,260 --> 00:02:54,729
At BerlinSides, in May of 2012
40
00:02:54,729 --> 00:03:00,520
I did a lecture on reverse-
engineering the SPOT Connect.
41
00:03:00,520 --> 00:03:05,289
The SPOT Connect is a little
hockey puck type thing
42
00:03:05,289 --> 00:03:08,950
– this is what it looks like.
And these things are great.
43
00:03:08,950 --> 00:03:13,790
It weighs a bit more than your cell phone
but it runs off of a couple of batteries,
44
00:03:13,790 --> 00:03:17,680
it connects to your phone by Bluetooth.
45
00:03:17,680 --> 00:03:21,840
Originally these were emergency locator
beacons. So if you’re going hiking…
46
00:03:21,840 --> 00:03:24,569
have any of you seen the movie where
the guy has to cut off his arm
47
00:03:24,569 --> 00:03:30,760
with a dull knife? If you’re hiking and
you don’t want that same experience
48
00:03:30,760 --> 00:03:34,349
you buy one of these things. And
then there’s an emergency button
49
00:03:34,349 --> 00:03:38,760
you can push that transmits your
GPS coordinates by satellite
50
00:03:38,760 --> 00:03:44,180
to rescue workers. But that was boring,
so they had to add social media.
51
00:03:44,180 --> 00:03:46,540
laughs, laughter
52
00:03:46,540 --> 00:03:49,680
So in addition to keeping you
from chewing off your own arm
53
00:03:49,680 --> 00:03:54,920
this device will also allow you to
tweet and make Facebook posts.
54
00:03:54,920 --> 00:04:00,370
laughs, laughter
55
00:04:00,370 --> 00:04:05,350
The idea is that as you’re running…
here I’m crossing the Schuylkill River
56
00:04:05,350 --> 00:04:10,010
in Philadelphia and the Android
phone on the left is making a post.
57
00:04:10,010 --> 00:04:15,659
And I did an article on reverse-
engineering the Bluetooth side
58
00:04:15,659 --> 00:04:22,430
of these things. Because… I use a weird
brand of phone that Microsoft killed off,
59
00:04:22,430 --> 00:04:27,520
and I’m terribly bitter about it. But
I also figured out the physical layer.
60
00:04:27,520 --> 00:04:34,930
And that’s what this diagram shows.
This transmits at 1.6125 GHz.
61
00:04:34,930 --> 00:04:40,830
And it sends a pseudo-random stream, so
each one of these zeros is a long chunk
62
00:04:40,830 --> 00:04:44,140
where it’s bouncing back and forth
between two different frequencies.
63
00:04:44,140 --> 00:04:48,750
And the same for the ones.
But the way that the pattern works
64
00:04:48,750 --> 00:04:54,551
is that it switches the signal whenever
it is going from the 0 signal
65
00:04:54,551 --> 00:04:59,080
to the 1 signal. And internally, there are
these little pops that you can actually
66
00:04:59,080 --> 00:05:03,910
identify on a software defined radio
recording. And this is how you can
67
00:05:03,910 --> 00:05:08,040
reverse-engineer the signal that
the SPOT Connect is sending up
68
00:05:08,040 --> 00:05:14,510
to its satellite network.
69
00:05:14,510 --> 00:05:18,330
Everything is clear text on this.
And it’s completely unencrypted.
70
00:05:18,330 --> 00:05:25,040
It just has your serial number, your GPS
coordinates, and a bit of ASCII text.
71
00:05:25,040 --> 00:05:29,759
So if you listen on this frequency and
you have the correct recording software
72
00:05:29,759 --> 00:05:33,630
you can actually watch all of the SPOT
Connect messages that are transmitting
73
00:05:33,630 --> 00:05:39,530
up from your location. And this would be
great except that this is designed for
74
00:05:39,530 --> 00:05:44,490
hiking in areas where there’s no cell
phone service. So having an antenna
75
00:05:44,490 --> 00:05:47,990
on the uplink frequency is kind of
useless. You know you would actually
76
00:05:47,990 --> 00:05:52,290
have to go out to a national park, find
some guy who is about to chew his arm off,
77
00:05:52,290 --> 00:05:55,639
and then you could listen to his uplink
where he is like tweeting: “Hey, I’m gonna
78
00:05:55,639 --> 00:06:00,699
chew my arm off”, you know?
laughter
79
00:06:00,699 --> 00:06:09,810
So that’s great as a proof of concept
but it’s not really anything practical.
80
00:06:09,810 --> 00:06:13,460
The current state of that was that I knew
the protocol and I could sniff the uplinks.
81
00:06:13,460 --> 00:06:17,300
But I wanted to sniff the downlinks. So
it’s easy for me to get the thing that
82
00:06:17,300 --> 00:06:21,509
goes up to the satellite. But what I wanted
was what comes down from the satellite.
83
00:06:21,509 --> 00:06:27,400
And that requires a satellite dish. But
a geo-stationary dish isn’t good enough
84
00:06:27,400 --> 00:06:32,249
because the satellites that run this
network – there are a lot of them,
85
00:06:32,249 --> 00:06:37,710
it’s called the Globalstar network,
they fly really low across the earth,
86
00:06:37,710 --> 00:06:43,289
and they fly across the earth in very
tight, very fast orbits. So they’ll move
87
00:06:43,289 --> 00:06:48,889
from horizon to horizon in 15 to 20
minutes. Which means that you either need
88
00:06:48,889 --> 00:06:53,789
like a sweat shop army of kids
trying to aim the satellite dish
89
00:06:53,789 --> 00:07:01,259
as it’s going across or you need
to make it computer-controlled.
90
00:07:01,259 --> 00:07:04,490
Stepping back from the SPOT
Connect for a little bit, and
91
00:07:04,490 --> 00:07:08,009
discussing some prior research.
Adam Laurie did some work
92
00:07:08,009 --> 00:07:12,099
with geostationary satellites.
These are the satellites that stay
93
00:07:12,099 --> 00:07:16,449
in one position in the sky.
He gave two sets of talks
94
00:07:16,449 --> 00:07:23,740
– one in 2008 and the second in
2010. And he used a DVB-S card
95
00:07:23,740 --> 00:07:28,169
connected to a satellite dish with
a DiSEqC motor, so that it could move
96
00:07:28,169 --> 00:07:34,330
the satellite dish left and right in order
to scan a region of the horizon.
97
00:07:34,330 --> 00:07:37,259
His tool is publicly available,
it’s called satmap.
98
00:07:37,259 --> 00:07:41,289
You can grab it at this URL.
99
00:07:41,289 --> 00:07:46,130
And then after he finds a signal he has
a feed scanner. Normally when you use
100
00:07:46,130 --> 00:07:51,270
Satellite TV your provider gives you
a listing of the frequencies, and
101
00:07:51,270 --> 00:07:58,199
your provider gives you an exact orbital
position to aim your satellite dish at.
102
00:07:58,199 --> 00:08:02,330
But Adam’s tool allows you to scan to
see which frequencies are in use and
103
00:08:02,330 --> 00:08:06,949
which protocols are in use, once
you’ve correctly aimed your dish.
104
00:08:06,949 --> 00:08:09,699
And he also describes a technique
for moving your dish left and right
105
00:08:09,699 --> 00:08:15,780
while doing this in order to
identify where the satellites are.
106
00:08:15,780 --> 00:08:19,639
This recording here is from
a re-implementation that I made
107
00:08:19,639 --> 00:08:24,430
of Adam’s work, in order to
catch up with it. In this diagram
108
00:08:24,430 --> 00:08:30,199
the x-axis – because you move left
and right – that shows the azimuth,
109
00:08:30,199 --> 00:08:35,049
that shows how far left or right my
satellite dish has moved. And then
110
00:08:35,049 --> 00:08:40,860
the y-axis shows the frequency. And
all of these dots are strong signals.
111
00:08:40,860 --> 00:08:48,290
So every vertical bar in which you see
chunks of frequencies, that’s a satellite.
112
00:08:48,290 --> 00:08:52,230
But these stay in the same position. So
it’s easy for me to repeat this experiment.
113
00:08:52,230 --> 00:08:56,780
It’s easy for me to re-run it, and to find
the same satellites in the same position.
114
00:08:56,780 --> 00:09:04,700
It’s easy to debug this.
But it can’t move in elevation.
115
00:09:04,700 --> 00:09:08,170
This diagram is actually
a very small slice of the sky.
116
00:09:08,170 --> 00:09:14,450
We’re looking at a single line,
maybe 10 degrees across.
117
00:09:14,450 --> 00:09:17,750
Maybe only 5 degrees across.
118
00:09:17,750 --> 00:09:22,690
So hacking Ku-band – the television
satellites – has the advantage
119
00:09:22,690 --> 00:09:27,420
that you can use cheap standardized
hardware. I bought one of these DVB-S cards
120
00:09:27,420 --> 00:09:33,520
in Mauerpark, in Berlin for 3 Euro. You
can use standardized DiSEqC motors,
121
00:09:33,520 --> 00:09:37,270
you can buy them at a satellite TV shop.
122
00:09:37,270 --> 00:09:42,020
TV signals come with video feeds
so you can actually see pictures.
123
00:09:42,020 --> 00:09:45,580
There was a scandal about 4..5 years
ago where they were finding
124
00:09:45,580 --> 00:09:50,350
drone [control] feeds that were being
bounced across these satellites.
125
00:09:50,350 --> 00:09:56,890
In the nineties it was very popular to
listen to the sort of unedited sections
126
00:09:56,890 --> 00:09:59,910
of interviews, when people would
be interviewed over a satellite,
127
00:09:59,910 --> 00:10:04,910
before Skype and such
things became options. And
128
00:10:04,910 --> 00:10:08,750
there are also networking signals here
using TCP/IP packets. So you can actually
129
00:10:08,750 --> 00:10:13,900
turn your DVB-S card into
a promiscuous ethernet adapter,
130
00:10:13,900 --> 00:10:18,010
and start sniffing all of the traffic that
comes across. This is also a great way
131
00:10:18,010 --> 00:10:23,750
to get free downlink bandwidth. Because
you can just flood packets at an address
132
00:10:23,750 --> 00:10:27,660
that, you know, will be routed to
you, or several addresses, and
133
00:10:27,660 --> 00:10:32,670
then you sniff it out as the
legitimate receiver ignores them.
134
00:10:32,670 --> 00:10:37,100
But it also has some disadvantages. It
only works for geostationary satellites.
135
00:10:37,100 --> 00:10:40,570
If the satellite is not staying in the
same position relative to the ground
136
00:10:40,570 --> 00:10:46,750
then you can’t track it. Your
dish also moves very slowly.
137
00:10:46,750 --> 00:10:50,410
And it only moves left and right.
It won’t move up and down.
138
00:10:50,410 --> 00:10:53,030
And you’re limited to standardized
signals. So while it’s great that you get
139
00:10:53,030 --> 00:10:59,230
video and TCP/IP you’re never
going to get anything weird.
140
00:10:59,230 --> 00:11:05,230
You’re not gonna get any mobile
data, you’re not going to get any
141
00:11:05,230 --> 00:11:10,670
Brazilian truck-drivers – we’ll
get to those in a bit. laughs
142
00:11:10,670 --> 00:11:15,710
I misspoke, you actually will get
Brazilian truck-drivers in this.
143
00:11:15,710 --> 00:11:19,360
So I bought a satellite dish. One of the
best things about living in America is
144
00:11:19,360 --> 00:11:25,530
that you can buy industrial
hardware cheap as dirt on eBay.
145
00:11:25,530 --> 00:11:29,190
I know things aren’t likely used to being
a cat bite to (?)(?) human children anymore.
146
00:11:29,190 --> 00:11:33,400
But this satellite dish here on
the left – the one in the radome –
147
00:11:33,400 --> 00:11:40,980
that’s my dish. And to the right,
that’s the boat that it came from.
148
00:11:40,980 --> 00:11:49,890
applause
laughs
149
00:11:49,890 --> 00:11:53,770
This came from a military ship.
But the dish itself is also available
150
00:11:53,770 --> 00:11:57,620
for civilian use on very large yachts.
151
00:11:57,620 --> 00:12:01,750
The dish itself is a Felcom 81 and it
was intended for use with a network
152
00:12:01,750 --> 00:12:08,210
called Inmarsat. Inmarsat allows
for telephone connections,
153
00:12:08,210 --> 00:12:12,890
and also data connections when you’re on
a boat. So if the crew wants to call home
154
00:12:12,890 --> 00:12:18,010
or wants to go to AOL Keywords
155
00:12:18,010 --> 00:12:23,530
or whatever was popular back when
this was common they could do that.
156
00:12:23,530 --> 00:12:28,420
And the dish was designed to sit
at the very top of a ship’s mast.
157
00:12:28,420 --> 00:12:31,660
The reason why is that at the top of
the mast there aren’t any obstructions
158
00:12:31,660 --> 00:12:35,360
– it has a clear view of the sky in all
directions. But there’s a complication
159
00:12:35,360 --> 00:12:39,230
with being on the top of the mast. Which
is that the ship is rocking beneath you
160
00:12:39,230 --> 00:12:43,860
and you’re moving more
than the rest of the ship.
161
00:12:43,860 --> 00:12:47,880
So they have stepper motors
for azimuth, elevation and tilt.
162
00:12:47,880 --> 00:12:52,800
And then they have spinning gyroscopes.
Back before the iPhone there was
163
00:12:52,800 --> 00:12:57,950
this dark, dark time when
gyroscopes actually spun.
164
00:12:57,950 --> 00:13:01,900
And this is the sort of gyroscope that
it has. It actually has 4 of them so
165
00:13:01,900 --> 00:13:05,670
that it can measure its movement.
166
00:13:05,670 --> 00:13:10,940
And then it has a control computer. So the
idea is that the dish itself can be moved
167
00:13:10,940 --> 00:13:15,620
while remaining absolutely stable
with regard to the gyroscopes.
168
00:13:15,620 --> 00:13:20,000
So it compensates for the rocking of
the ship beneath it as it’s targeting
169
00:13:20,000 --> 00:13:27,530
a stationary satellite.
In America this costs 250 dollars
170
00:13:27,530 --> 00:13:32,080
but it’s electronics equipment, so while
you think that would only be a 180 Euro
171
00:13:32,080 --> 00:13:40,080
it’s more like 2500. And that’s before
import duties and it being impounded.
172
00:13:40,080 --> 00:13:44,680
We also have this lovely culture in which
people love excuses to use their trucks.
173
00:13:44,680 --> 00:13:50,600
So the guy that I bought this from offered
to deliver it to my home for only $200.
174
00:13:50,600 --> 00:13:57,340
It was an 11-hour drive.
175
00:13:57,340 --> 00:14:00,330
But if you wanted this you’d have to
bring it back in your carry-on luggage
176
00:14:00,330 --> 00:14:05,500
and that could be awkward.
177
00:14:05,500 --> 00:14:09,490
I got this dish and I decided I had
to do something with it. So I created
178
00:14:09,490 --> 00:14:15,040
the Southern Appalachian Space Agency.
I’m from the state of Tennessee,
179
00:14:15,040 --> 00:14:19,520
formerly known as the State of Franklin
until North Carolina invaded us.
180
00:14:19,520 --> 00:14:22,270
It’s ok, I know Europeans suck at history.
181
00:14:22,270 --> 00:14:30,310
laughs
laughter and applause
182
00:14:30,310 --> 00:14:33,180
Now I’m trying to think of how to show
you on a map where Tennessee is
183
00:14:33,180 --> 00:14:36,930
without having a map. But, you know,
it’s okay, I know you suck at geography
184
00:14:36,930 --> 00:14:39,750
and will forget it soon. (?)
185
00:14:39,750 --> 00:14:41,550
From audience: It’s very
near Texas, to the north.
186
00:14:41,550 --> 00:14:48,471
Travis: Texas is our first colony. But
it’s actually a decent drive to the east.
187
00:14:48,471 --> 00:14:53,470
Due east (?). You don’t
actually have to go it anyways.
188
00:14:53,470 --> 00:14:57,990
So what I did was I took these motors
which were designed to be able to move
189
00:14:57,990 --> 00:15:03,250
the satellite dish to compensate
for the rocking of the ship and
190
00:15:03,250 --> 00:15:09,550
I re-purposed them to track through
the sky while the ground is stable.
191
00:15:09,550 --> 00:15:12,580
We don’t have very many earthquakes in
Tennessee. The last one that we had
192
00:15:12,580 --> 00:15:18,310
made rivers run the wrong direction.
But it’s okay – it’s a geography thing.
193
00:15:18,310 --> 00:15:22,060
laughs
So this allows me to track things
194
00:15:22,060 --> 00:15:26,500
that are moving through the sky.
But it doesn’t actually matter
195
00:15:26,500 --> 00:15:30,330
where they’re moving in the sky because
that’s just a software problem.
196
00:15:30,330 --> 00:15:35,540
So in addition to tracking objects that
are in low-earth orbit by a software patch
197
00:15:35,540 --> 00:15:41,770
I can also track things that are in deep
space. It’s not much harder to track
198
00:15:41,770 --> 00:15:47,830
deep space probes or stars than it
is to track items in low-earth orbit.
199
00:15:47,830 --> 00:15:52,640
And then I added a software defined radio
which allows me to record a signal now
200
00:15:52,640 --> 00:15:57,920
and then demodulate it later.
Which is necessary if you intend
201
00:15:57,920 --> 00:16:02,810
to reverse-engineer a signal. Because
a lot of the downlinks from these satellites
202
00:16:02,810 --> 00:16:07,630
are completely non… completely
undocumented. And being able
203
00:16:07,630 --> 00:16:11,220
to tune in to the right frequency is only
half of it. You also need a recording
204
00:16:11,220 --> 00:16:15,510
of sufficient quality that you can
reverse-engineer it after the fact.
205
00:16:15,510 --> 00:16:19,680
We’re sort of spoiled by software
defined radios in that when doing
206
00:16:19,680 --> 00:16:27,220
software defined radio work we usually
have a very good signal to work from.
207
00:16:27,220 --> 00:16:33,610
So having high quality signals for later
reverse-engineering is necessary.
208
00:16:33,610 --> 00:16:39,310
I really wanted to be able to identify
undocumented downlinks for low-earth orbit
209
00:16:39,310 --> 00:16:44,310
in the same way that we already
do this for geo-stationary orbit
210
00:16:44,310 --> 00:16:49,990
using tools like the ones that Adam
Laurie and Jim Geovedi made.
211
00:16:49,990 --> 00:16:54,500
So I built a software framework as
a collection of Python daemons.
212
00:16:54,500 --> 00:16:58,720
And these run across a home
area network in my house.
213
00:16:58,720 --> 00:17:03,780
There’s a Beaglebone inside of the Radome.
214
00:17:03,780 --> 00:17:09,539
And an x86 server in the house. Or AMD64,
whatever the kids call it these days.
215
00:17:09,539 --> 00:17:13,230
And then I used Postgres for coordination.
So that all of these daemons can talk
216
00:17:13,230 --> 00:17:19,290
to each other without… without me really
caring which machine they’re on.
217
00:17:19,290 --> 00:17:25,969
So for maintenance I can have my
laptop pretending to be the dish,
218
00:17:25,969 --> 00:17:30,790
and I can have stepper motors on my desk,
and I can watch them spin, and I can even
219
00:17:30,790 --> 00:17:35,010
make a model of the dish and swap these
components in and out without the rest of
220
00:17:35,010 --> 00:17:42,700
the network being confused. This also
allows for SQL injection attacks to
221
00:17:42,700 --> 00:17:48,260
physically move my dish. Which is why the
sensor network is not on one of those
222
00:17:48,260 --> 00:17:52,620
fancy Web 2.0 things. Because you could
inject, say, “UPDATE target SET name=
223
00:17:52,620 --> 00:17:55,910
‘VOYAGER 1’”. Then my dish would physically
move and start tracking Voyager 1
224
00:17:55,910 --> 00:18:01,440
through the sky. Voyager 2
225
00:18:01,440 --> 00:18:07,190
doesn’t actually come into the sky because
of my position in the Northern hemisphere.
226
00:18:07,190 --> 00:18:11,170
So, it’s okay, I know you suck at
geography. But Voyager 1 is going up,
227
00:18:11,170 --> 00:18:15,440
and Voyager 2 is going down.
228
00:18:15,440 --> 00:18:19,260
There’s a Realtek software defined radio
for the radio reception. Although
229
00:18:19,260 --> 00:18:24,370
these things are garbage. So I’m in the
process of replacing this for the HackRF.
230
00:18:24,370 --> 00:18:29,760
There’s also an EiBot board for motor
control. We’ll get back to that in a minute.
231
00:18:29,760 --> 00:18:34,560
And there’s an Inertial Measurement Unit
from VectorNav which actually measures
232
00:18:34,560 --> 00:18:39,510
using the fancy MEMS gyroscopes and
a MEMS compass how I’m moving.
233
00:18:39,510 --> 00:18:44,700
This isn’t accurate enough to target
the dish, so I’m still counting steps
234
00:18:44,700 --> 00:18:49,830
to move the dish. But it is accurate
enough to tell me when my belts
235
00:18:49,830 --> 00:18:56,520
have broken. Or when I’m up
against a physical obstruction.
236
00:18:56,520 --> 00:19:01,510
This is skytee helping
me out with the dish.
237
00:19:01,510 --> 00:19:04,950
He’s zip-tying it. Because, you know
we know everything about duct tape
238
00:19:04,950 --> 00:19:07,260
where I come from, but we don’t know
anything about zip-ties. So I had
239
00:19:07,260 --> 00:19:10,920
to bring in a German engineer.
laughter
240
00:19:10,920 --> 00:19:14,270
We call him a gerry wigger(?)
but, you know…
241
00:19:14,270 --> 00:19:20,020
This is the satellite dish itself. And you
can sort of see in this photograph
242
00:19:20,020 --> 00:19:25,420
where we’ve strapped on the equipment.
There’s like an umbilical cord.
243
00:19:25,420 --> 00:19:29,700
Or more like a spinal column that actually
runs up the back of the dish. So we just
244
00:19:29,700 --> 00:19:36,820
added new cables onto that line.
And then zip-tied them in place.
245
00:19:36,820 --> 00:19:42,390
And skytee came up with all these
crazy ideas like that we should use
246
00:19:42,390 --> 00:19:46,570
chains and zip-ties to make sure that the
cables don’t tear themselves out. And
247
00:19:46,570 --> 00:19:51,890
that worked tremendously well in practice.
So, as this thing spins around,
248
00:19:51,890 --> 00:19:57,680
by the original design there’s a ring
connector that all of the signals
249
00:19:57,680 --> 00:20:01,220
go through. That all of the networking
goes through. That all of the rest
250
00:20:01,220 --> 00:20:05,680
goes through. And that worked in the
nineties because it had no reason
251
00:20:05,680 --> 00:20:11,310
to send anything faster than 9600 baud.
252
00:20:11,310 --> 00:20:18,050
But with the modern signals going across
it I need 100 MBit/s or even GB ethernet,
253
00:20:18,050 --> 00:20:22,290
that’s not enough, I need more than
two wires. So there’s a cable that comes
254
00:20:22,290 --> 00:20:25,290
across it, and then I rely on the
software to keep it from wrapping
255
00:20:25,290 --> 00:20:31,180
that cable around itself. So it can only
move, say, 400 degrees around.
256
00:20:31,180 --> 00:20:34,730
But that’s still more than a full circle.
So by stopping halfway and moving back
257
00:20:34,730 --> 00:20:39,710
I can prevent it from getting snagged.
258
00:20:39,710 --> 00:20:43,400
We’ve got the Beaglebone on the left,
in the middle there’s a USB hub
259
00:20:43,400 --> 00:20:47,550
and on the right is the motor controller.
260
00:20:47,550 --> 00:20:52,640
The Beaglebone runs Debian Linux and
takes care of sending the software defined
261
00:20:52,640 --> 00:21:00,220
radio recordings over the network. It also
takes care of updating the motor positions
262
00:21:00,220 --> 00:21:06,210
to be the ones that the database
declares should be current.
263
00:21:06,210 --> 00:21:13,060
The stepper motors themselves are the
originals that the dish was designed with.
264
00:21:13,060 --> 00:21:17,810
And they’re running to an EiBot Board.
The EiBot board was intended
265
00:21:17,810 --> 00:21:24,560
for plotting on Easter eggs
laughs, laughter
266
00:21:24,560 --> 00:21:27,740
I feel, you know… is that neat?
267
00:21:27,740 --> 00:21:32,830
laughs
applause
268
00:21:32,830 --> 00:21:37,750
So you can actually aim a satellite dish
that’s as tall as you are, with these
269
00:21:37,750 --> 00:21:42,470
fancy motors using less sophisticated
equipment than what’s used
270
00:21:42,470 --> 00:21:47,330
in a 3D printer. Don’t panic, though.
271
00:21:47,330 --> 00:21:51,360
It’s a hell of a lot more
reliable than a 3D printer.
272
00:21:51,360 --> 00:21:55,420
But we needed some sort of backup in
addition to the inertial measurement unit
273
00:21:55,420 --> 00:21:59,360
telling us when the device
had snagged itself.
274
00:21:59,360 --> 00:22:05,180
It would also help to have
a visual cue. Because
275
00:22:05,180 --> 00:22:09,810
the satellite dish sits in Tennessee, and
while I love my home town, and, you know
276
00:22:09,810 --> 00:22:15,170
I’m very proud of being Tennessean, it’s
also a long way to travel when you need
277
00:22:15,170 --> 00:22:20,830
to re-orient the dish. Using an
accelerometer it’s easy enough
278
00:22:20,830 --> 00:22:26,120
to correct the elevation. Because you can
use the accelerometer as a level, and
279
00:22:26,120 --> 00:22:31,220
you can use that to tell how high up the
dish is pointing, at an absolute scale.
280
00:22:31,220 --> 00:22:38,370
But the compass isn’t very accurate. So
instead, as a backup we have a webcam
281
00:22:38,370 --> 00:22:44,300
that’s taped to the top. Taping
is my people’s native culture.
282
00:22:44,300 --> 00:22:47,710
We have it taped to the top, and then
it’s pointing backwards. So this gives us
283
00:22:47,710 --> 00:22:52,280
like a rear view camera,
from the dish’s position.
284
00:22:52,280 --> 00:22:57,179
So as the dish sits
inside of its radome…
285
00:22:57,179 --> 00:23:00,920
– junk cars in the yard are also
my people’s native tradition!
286
00:23:00,920 --> 00:23:04,340
laughs, laughter
287
00:23:04,340 --> 00:23:09,670
So the dish sits there next to
my brother’s Toyota Supra.
288
00:23:09,670 --> 00:23:13,770
And that thing, you know,
that thing flies as soon as it gets
289
00:23:13,770 --> 00:23:17,800
an engine put back in it.
laughter
290
00:23:17,800 --> 00:23:21,860
So it sits there and it’s moving but
externally you can’t see where it is.
291
00:23:21,860 --> 00:23:26,019
Which means that I can’t call my family
in Tennessee and blackmail them into
292
00:23:26,019 --> 00:23:29,620
– yet again – looking at my dish to tell
where it’s pointed. There are bolts
293
00:23:29,620 --> 00:23:32,882
that hold this down, it takes half an hour
to remove the lid, another half an hour
294
00:23:32,882 --> 00:23:37,390
to put it back on.
295
00:23:37,390 --> 00:23:43,230
So instead we took the radome…
that’s Frank, he’s my cat.
296
00:23:43,230 --> 00:23:45,500
Give a “Cheers!” for Frank!
297
00:23:45,500 --> 00:23:51,500
applause and cheers
298
00:23:51,500 --> 00:23:56,460
Yeah, we had such a great time with Frank.
And we never knew that she was pregnant.
299
00:23:56,460 --> 00:24:02,950
If you happen to need kittens and wanna
pay the customs fees I’ll hook you up!
300
00:24:02,950 --> 00:24:10,580
So then we took tape and ran tape
down the edges of the radome,
301
00:24:10,580 --> 00:24:15,090
and then marked it. So from the markings
you can tell which clock position
302
00:24:15,090 --> 00:24:20,230
the back of the satellite dish is pointing
at. So if you point the dish towards 12:00
303
00:24:20,230 --> 00:24:25,870
you know that you’re roughly at 6:00,
so you know that it’s pointing South.
304
00:24:25,870 --> 00:24:29,110
And then you can sort of scan the sky
for a stationary target, and navigate
305
00:24:29,110 --> 00:24:32,950
off of that, to recover your position.
306
00:24:32,950 --> 00:24:39,620
Software-wise… remember, the
whole thing runs through Postgres,
307
00:24:39,620 --> 00:24:45,750
so I just tunnel the Postgres over SSH,
and then I wrote a Python client
308
00:24:45,750 --> 00:24:52,120
that displays the satellite positions
and the satellite state in PyGame.
309
00:24:52,120 --> 00:24:54,820
This is intended for making those games
where you see the rabbit and the rabbit
310
00:24:54,820 --> 00:25:00,550
jumps on the other rabbit. But it… works!
And it works perfectly well enough
311
00:25:00,550 --> 00:25:04,940
to target the dish. Because all that this
software has to do is plot the positions
312
00:25:04,940 --> 00:25:10,570
of the satellites, and give orders back to
the database when I click on a satellite
313
00:25:10,570 --> 00:25:15,270
or click on a position.
It can also display stars.
314
00:25:15,270 --> 00:25:21,350
So the red items are satellites which are
not selected. The green item is GOES-3
315
00:25:21,350 --> 00:25:25,470
which is the satellite that I’m targeting.
And then the white items are
316
00:25:25,470 --> 00:25:32,140
stars in the sky. Now this is
a plot in which the azimuth
317
00:25:32,140 --> 00:25:37,230
is on the X axis, and the elevation is on
the Y axis. But I can also arrange it
318
00:25:37,230 --> 00:25:42,160
into a polar plot. Which sort of gives me
an upside-down view of the satellite dish
319
00:25:42,160 --> 00:25:47,520
looking at the sky.
I doubt you can read it but
320
00:25:47,520 --> 00:25:55,330
just above the green circle in the center,
that’s Polaris which is the North star.
321
00:25:55,330 --> 00:25:58,770
It’s also weird because, you know,
working on this, you know, I thought
322
00:25:58,770 --> 00:26:02,170
that I got really good at astronomy
until I realized that I only knew
323
00:26:02,170 --> 00:26:07,940
what the stars looked like during the day.
laughter, laughs
324
00:26:07,940 --> 00:26:12,010
And it being PyGame you can
actually run it on a mobile device.
325
00:26:12,010 --> 00:26:17,960
So the same client that runs on my
laptop can also run on my Nokia N900.
326
00:26:17,960 --> 00:26:26,140
laughs
applause
327
00:26:26,140 --> 00:26:32,940
A significant portion of the GUI client for
this was written while stuck on the U-Bahn,
328
00:26:32,940 --> 00:26:38,330
connected over 3G, SSH through
and just using emacs on the phone.
329
00:26:38,330 --> 00:26:44,590
laughter, laughs
applause
330
00:26:44,590 --> 00:26:49,270
If you’re one of those people who needs to
complain about the N900 being too old,
331
00:26:49,270 --> 00:26:54,260
it also runs on the N9.
332
00:26:54,260 --> 00:26:59,020
And then you can take the data out of this
and run it through scientific software.
333
00:26:59,020 --> 00:27:03,100
In addition to the software defined radio
recordings themselves being dumped out
334
00:27:03,100 --> 00:27:09,720
to a text file or a binary file on disk
you can also dump out things like
335
00:27:09,720 --> 00:27:14,590
the received signal strength indicators
(RSSI). So this is a screenshot in which
336
00:27:14,590 --> 00:27:18,340
I’m identifying different satellites that
I’ve seen in the sky based upon
337
00:27:18,340 --> 00:27:23,040
their downlink signal peaks. You can see
the noise floor there, at the bottom,
338
00:27:23,040 --> 00:27:28,320
and then there’s a rather strong signal on
the left. And a weaker, narrower signal
339
00:27:28,320 --> 00:27:34,780
on the right. Now, the
daemons that build this up…
340
00:27:34,780 --> 00:27:38,400
you need an orbit prediction daemon.
Because you need to know
341
00:27:38,400 --> 00:27:41,490
where the satellites are and where
they’re going, and where they will be
342
00:27:41,490 --> 00:27:45,830
by the time you get to them.
343
00:27:45,830 --> 00:27:50,760
You need to update the orbits themselves.
344
00:27:50,760 --> 00:27:55,150
LEO satellites are described in TLE files,
345
00:27:55,150 --> 00:27:58,191
these are called ‘Two Line Entry’ and
they’re called ‘Two Line Entry’ because
346
00:27:58,191 --> 00:28:01,970
they’re three lines long.
laughter
347
00:28:01,970 --> 00:28:07,610
These were originally used by NORAD for
inter-continental ballistic missile tracking.
348
00:28:07,610 --> 00:28:11,251
And because a ballistic missile
is basically in orbit, it’s just that
349
00:28:11,251 --> 00:28:14,980
that orbit happens
to collide with the earth.
350
00:28:14,980 --> 00:28:20,380
But this format isn’t terribly accurate
for satellites that adjust their own orbit.
351
00:28:20,380 --> 00:28:26,930
So anything that has fuel, or has engines,
or changes mass will vary its position.
352
00:28:26,930 --> 00:28:34,160
And this also doesn’t account for drag.
Because, you know, the missile itself,
353
00:28:34,160 --> 00:28:38,200
you know it goes up it goes down, it’s
not orbiting enough for the light drag
354
00:28:38,200 --> 00:28:43,030
in the upper atmosphere to matter. But for
a satellite it does. So these Two Line Entries
355
00:28:43,030 --> 00:28:47,760
will work for a matter of days or maybe
a couple of weeks. But they don’t last
356
00:28:47,760 --> 00:28:55,090
longer than that. So you need a daemon
that grabs the new files from Space Track.
357
00:28:55,090 --> 00:28:57,971
And this is just a matter of like
a recursive WGET, and then
358
00:28:57,971 --> 00:29:02,880
parsing the files. And that still needs
to be done. You also need motor control,
359
00:29:02,880 --> 00:29:06,780
because you need to move the dish
physically to track your target.
360
00:29:06,780 --> 00:29:10,600
You need input for the Inertial
Measurement Unit. This comes over
361
00:29:10,600 --> 00:29:15,240
a low voltage serial port. And then
you need radio daemons to handle
362
00:29:15,240 --> 00:29:20,590
spectrum analysis or downlink recording.
And these you’ll have several of them,
363
00:29:20,590 --> 00:29:29,040
you have to swap them out. So you’ll begin
by using the spectrum analyzer to identify
364
00:29:29,040 --> 00:29:33,730
that your aim is accurate, that you’re
accurately tracking the targets
365
00:29:33,730 --> 00:29:37,630
well enough to get a recording from
them. And then after that you begin
366
00:29:37,630 --> 00:29:42,130
to take software defined recordings off
them. And, eventually, you might have
367
00:29:42,130 --> 00:29:48,130
a standalone application that parses
what you’re receiving. Such as
368
00:29:48,130 --> 00:29:55,550
the Osmocom guys did with OpenGMR.
369
00:29:55,550 --> 00:29:59,810
So for orbit prediction I began
with a DOS program that had been
370
00:29:59,810 --> 00:30:04,550
ported to Unix, called PREDICT.
371
00:30:04,550 --> 00:30:10,360
And this worked, but it’s garbage.
372
00:30:10,360 --> 00:30:16,070
It only supports 20 satellites plus the
sun, the moon, Venus and Mars.
373
00:30:16,070 --> 00:30:24,460
But no other planets because it’s
designed for astronomy photographers
374
00:30:24,460 --> 00:30:28,800
who want to get a picture of something
as it comes over the horizon. You know,
375
00:30:28,800 --> 00:30:33,890
I need to track hundreds of targets and
then write a script to opportunistically
376
00:30:33,890 --> 00:30:37,640
pick the ones that I want to record.
Because otherwise you have to like
377
00:30:37,640 --> 00:30:44,880
set an alarm clock for the half-hour pass
in which you can play with something.
378
00:30:44,880 --> 00:30:48,900
That software does allow you to query the
results by UDP, though. So you can just
379
00:30:48,900 --> 00:30:55,000
send it a flood of request packets,
then it will flood back with the data
380
00:30:55,000 --> 00:31:00,860
you’re looking for. So I switched to
a library called PyEphem which allows you
381
00:31:00,860 --> 00:31:05,960
to track hundreds of birds. It has no
UDP nonsense. It will also calculate
382
00:31:05,960 --> 00:31:12,940
satellites, planets and stars.
And the really nifty thing about this
383
00:31:12,940 --> 00:31:18,090
is that you tell it… you know, it being
a library you tell it when to update
384
00:31:18,090 --> 00:31:23,030
the individual object that you’re
interested in. So you can update
385
00:31:23,030 --> 00:31:26,710
objects that are out of view or
uninteresting more slowly
386
00:31:26,710 --> 00:31:33,300
than the ones that you care about.
So I managed to track every single item
387
00:31:33,300 --> 00:31:39,230
in geo-stationary orbit. This thick
ring here is the Clarke Belt
388
00:31:39,230 --> 00:31:47,000
of all satellites in geo-stationary orbit,
as viewed from my Southern horizon.
389
00:31:47,000 --> 00:31:53,880
applause
390
00:31:53,880 --> 00:31:58,460
The Two Line Entry files you can get
freely from CELESTRAK.COM.
391
00:31:58,460 --> 00:32:02,370
So this is just a simple script that
grabs them and then inserts them.
392
00:32:02,370 --> 00:32:06,990
And the prediction daemon will actually
select them as it is loading up.
393
00:32:06,990 --> 00:32:14,010
Because all inter process communication is
running through this Postgres database.
394
00:32:14,010 --> 00:32:16,540
And this daemon can be moved to
a different machine if I needed
395
00:32:16,540 --> 00:32:21,730
more computing power, or anything
like that. The motor control daemon…
396
00:32:21,730 --> 00:32:27,470
well, the EiBot board is designed to take
stepper motor commands. It shows up
397
00:32:27,470 --> 00:32:33,429
as a USB serial device on Linux. So as
I plug it in to the Beaglebone it appears
398
00:32:33,429 --> 00:32:41,660
as /dev/ttyACM0. And the baud rate doesn’t
matter. Because this is a USB device.
399
00:32:41,660 --> 00:32:48,810
You could then send it simple commands.
Like ‘SM,3000,500,-400’ means that I wanna
400
00:32:48,810 --> 00:32:55,559
move a stepper motor for 3000 ms. I want
the first motor to move 500 forwards,
401
00:32:55,559 --> 00:33:03,330
that’s UP, and the second one to move
400 LEFT which is backwards 400 steps.
402
00:33:03,330 --> 00:33:07,540
And then it will count that out, and
then it sends me back an OK.
403
00:33:07,540 --> 00:33:11,981
If I want to disable the motors, I send
‘EM,0,0’. This allows the motors to be
404
00:33:11,981 --> 00:33:16,429
freely spun. Because normally a stepper
motor will physically hold its position,
405
00:33:16,429 --> 00:33:22,500
you need to turn them off in
order to slide the dish around.
406
00:33:22,500 --> 00:33:28,260
‘EM,1,1’ will enable both motors
in 1/16-of-a-step mode.
407
00:33:28,260 --> 00:33:31,340
Stepper motors can do fractional
steps because they’re
408
00:33:31,340 --> 00:33:37,800
holding themselves in position.
409
00:33:37,800 --> 00:33:41,390
You can see the motors themselves
with the belts and the gear train.
410
00:33:41,390 --> 00:33:46,800
This thing on the right would probably
be illegal for me to turn on.
411
00:33:46,800 --> 00:33:53,100
The thing on the right is a 250 W
amplifier. laughter
412
00:33:53,100 --> 00:33:58,780
The stepper motors themselves just have
six wires. In a lot of 3D printer type stuff
413
00:33:58,780 --> 00:34:02,690
they ignore the middle two. So you just
drop off the middle two wires, you run
414
00:34:02,690 --> 00:34:07,100
the other four to your stepper
controller, and you’re good to go.
415
00:34:07,100 --> 00:34:10,079
The belts and stuff need to be measured
in order to figure out exactly
416
00:34:10,079 --> 00:34:16,639
what the gear reduction is. Because you
need to know how many steps form a degree.
417
00:34:16,639 --> 00:34:23,250
The IMU unit, this Vectornav VN100,
it’s a MEMS gyroscope and accelerometer
418
00:34:23,250 --> 00:34:28,380
and a compass in a single box.
It costs $500 which was
419
00:34:28,380 --> 00:34:33,780
more than all of the other
equipment put together.
420
00:34:33,780 --> 00:34:37,280
The compass is confused by the stepper
motors because the compass is measuring
421
00:34:37,280 --> 00:34:40,280
magnetic fields. So you need to
mount this physically as far away
422
00:34:40,280 --> 00:34:46,159
from the stepper motors as possible. And
the gyroscope is confused by motor jerk
423
00:34:46,159 --> 00:34:50,310
which is a shame because stepper motors
work as a series of jerks rather than
424
00:34:50,310 --> 00:34:56,510
as a single consistent motion. And the
accelerometer is confused by gimbal lock,
425
00:34:56,510 --> 00:35:00,880
so you have to switch it to
a quaternion mode in order to get
426
00:35:00,880 --> 00:35:05,640
consistent values out of it. And if I had
to do this over again I’d really try
427
00:35:05,640 --> 00:35:10,610
to drop this piece of garbage. But it’s
a lovely technology when it works.
428
00:35:10,610 --> 00:35:12,310
some laughter
429
00:35:12,310 --> 00:35:19,010
Now for position calculations: the
elevation itself comes from the IMU,
430
00:35:19,010 --> 00:35:24,160
the azimuth comes from the motor daemon.
This is because the accelerometer
431
00:35:24,160 --> 00:35:29,710
can very accurately tell which way
the earth’s gravity is pulling it
432
00:35:29,710 --> 00:35:34,410
whereas the accelerometer has to integrate
jerks over time in order to figure out
433
00:35:34,410 --> 00:35:38,890
its position. So the
accelerometer will drift
434
00:35:38,890 --> 00:35:46,410
and the compass will be confused by the
magnetic fields while the elevation is
435
00:35:46,410 --> 00:35:53,300
just a single accelerometer
that doesn’t drift.
436
00:35:53,300 --> 00:35:59,760
And the IMU will become
a backup for these things
437
00:35:59,760 --> 00:36:03,480
in order to figure out how to make
it reliable. But at the moment
438
00:36:03,480 --> 00:36:09,100
the position measurement is infinitely
more reliable. The tilt motor
439
00:36:09,100 --> 00:36:13,970
I’m not using at present because on
a ship that’s rocking it’s necessary
440
00:36:13,970 --> 00:36:20,290
to tilt the dish. On a satellite dish
that’s staying still the only useful
441
00:36:20,290 --> 00:36:26,280
tilting the dish is so that you can follow
the arc of a satellite through the sky
442
00:36:26,280 --> 00:36:30,020
by only moving a single motor.
Photographers do this when they’re
443
00:36:30,020 --> 00:36:35,210
trying to get long exposures of moving
satellites. At the moment my software
444
00:36:35,210 --> 00:36:39,180
doesn’t support this feature. But
if it turns out to be necessary
445
00:36:39,180 --> 00:36:43,960
to get higher quality
recordings I might add it.
446
00:36:43,960 --> 00:36:47,430
There are radio daemons. The
first is a spectrum analyzer.
447
00:36:47,430 --> 00:36:51,480
This just measures the signal strength
on each frequency. And it does it by the
448
00:36:51,480 --> 00:36:58,230
power spectral density function.
449
00:36:58,230 --> 00:37:02,900
And the strength itself will
vary with the position error.
450
00:37:02,900 --> 00:37:07,050
So this allows you to figure out how
far off you are by sort of testing,
451
00:37:07,050 --> 00:37:09,690
by overshooting just a little bit,
or undershooting just a little bit
452
00:37:09,690 --> 00:37:15,170
to center on your target. The downlink
recorder dumps the IQ values
453
00:37:15,170 --> 00:37:19,950
in the software defined radio
directly to an NFS share,
454
00:37:19,950 --> 00:37:24,749
which can later be decoded and
read and reverse-engineered.
455
00:37:24,749 --> 00:37:30,260
We’ve got a whole table of spectrum
data. And then I plot that in a tool
456
00:37:30,260 --> 00:37:36,840
called Viewpoints which NASA releases
for dealing with giant scatter plots
457
00:37:36,840 --> 00:37:44,480
in multiple dimensions. Each view takes
two dimensions, and it’s tons of fun.
458
00:37:44,480 --> 00:37:47,570
The client GUI is this PyGame. I have
Postgres for communications, and
459
00:37:47,570 --> 00:37:51,590
the server does all the heavy lifting,
so the Beaglebone itself never has
460
00:37:51,590 --> 00:37:58,260
to do anything complicated with
regards to software defined radio.
461
00:37:58,260 --> 00:38:03,610
This is also about these faint blue lines
are positions at which I’ve seen
462
00:38:03,610 --> 00:38:09,620
particularly strong signals in order to
identify which satellites are active
463
00:38:09,620 --> 00:38:14,190
and which ones are inactive.
Because satellites die over time.
464
00:38:14,190 --> 00:38:17,920
And particularly useful targets we’re
reverse-engineering are satellites that are
465
00:38:17,920 --> 00:38:22,910
out-of-commission or outdated.
I’m running out of time by these markers.
466
00:38:22,910 --> 00:38:24,930
Does that mean that we’re skipping
questions, or does that mean that
467
00:38:24,930 --> 00:38:28,910
I need to be off the stage?
mumbling to stage
468
00:38:28,910 --> 00:38:35,880
Not having Q&A, okay. So today I get
accurate tracking of satellites.
469
00:38:35,880 --> 00:38:41,020
And this thing can run unattended 24h
a day for months without maintenance.
470
00:38:41,020 --> 00:38:46,030
Like I said: it’s nothing like a 3D printer.
laughter
471
00:38:46,030 --> 00:38:49,970
It takes software defined radio
recordings, it can provide maps
472
00:38:49,970 --> 00:38:54,920
of views of different
satellites in the sky.
473
00:38:54,920 --> 00:38:59,920
The next step is I want to publish
a ‘port scan’ of the entire sky.
474
00:38:59,920 --> 00:39:04,460
So which frequencies are in use on which
birds, for every bird that ever comes
475
00:39:04,460 --> 00:39:08,490
above Tennessee, on every
downlink that fits my antenna
476
00:39:08,490 --> 00:39:12,230
as well as a database of software
defined radio recordings. If anyone
477
00:39:12,230 --> 00:39:19,000
would care to donate a truckload
of disks – that might be handy.
478
00:39:19,000 --> 00:39:23,080
I’d also like to make other ground
stations. The software that I’ve written
479
00:39:23,080 --> 00:39:25,910
ought to be portable to new hardware.
So there’s nothing that should keep you
480
00:39:25,910 --> 00:39:30,950
from being able to port this to run on
your own dish. And I have a large yard,
481
00:39:30,950 --> 00:39:36,530
so I could conceivably have
a dozen of these things.
482
00:39:36,530 --> 00:39:38,910
Another way that you can do it, and
the way that it’s traditionally done
483
00:39:38,910 --> 00:39:45,230
for, say, cube satellites is having
Yagis or other loosely directional antennas
484
00:39:45,230 --> 00:39:48,910
in order to receive the signals.
I went with a dish because I wanted
485
00:39:48,910 --> 00:39:54,920
more selectivity. I wanted to be able to
get reverse-engineerable recordings
486
00:39:54,920 --> 00:40:03,020
rather than intentional ones for which
I already knew the downlink protocol.
487
00:40:03,020 --> 00:40:07,990
So this is my van, my van is amazing.
488
00:40:07,990 --> 00:40:15,620
applause
489
00:40:15,620 --> 00:40:19,300
Thanks to Nick Farr. I had a bit too
much to drink in Montreal and
490
00:40:19,300 --> 00:40:24,440
I called Nick Farr and I said: “Nick,
I want a DUKW”, like these amphibious
491
00:40:24,440 --> 00:40:28,500
troop transport vehicles. And Nick
said: “Sorry, I can’t get you one but
492
00:40:28,500 --> 00:40:32,000
you want a news van!” And I said:
“Hell yeah, I want a news van!”
493
00:40:32,000 --> 00:40:35,430
So – this pole in the background, that’s
not a lighting pole. That’s actually
494
00:40:35,430 --> 00:40:43,369
part of the van.
laughter
495
00:40:43,369 --> 00:40:49,590
This is the antenna retracted. This mast
goes up 20 m by pneumatic power.
496
00:40:49,590 --> 00:40:55,180
There’s an air compressor in the back.
Here is the control panel,
497
00:40:55,180 --> 00:40:57,880
there’s an air-conditioned
office in the middle.
498
00:40:57,880 --> 00:41:02,480
laughter, laughs
499
00:41:02,480 --> 00:41:08,910
This has four 19" server racks as well
as some A/V equipment that was left over.
500
00:41:08,910 --> 00:41:14,100
I was particularly excited about the
video monitor which supports PAL
501
00:41:14,100 --> 00:41:18,460
which you folks are familiar with,
NTSC or “Never The Same Color”
502
00:41:18,460 --> 00:41:21,840
which is my people’s native culture…
laughter
503
00:41:21,840 --> 00:41:25,610
But most importantly, it does SECAM,
the system essentially contrary
504
00:41:25,610 --> 00:41:29,530
to the American method.
laughs
505
00:41:29,530 --> 00:41:34,230
laughter and applause
506
00:41:34,230 --> 00:41:41,130
So in addition to my radio equipment
I’m adding my Soviet PDP-11 which was…
507
00:41:41,130 --> 00:41:45,360
laughs
…and that’s not a joke. I have a Soviet
508
00:41:45,360 --> 00:41:51,540
PDP-11 thanks to the kind folks at the
Positive Hacking Days conference.
509
00:41:51,540 --> 00:41:58,200
This is the control panel,
and that’s my talk!
510
00:41:58,200 --> 00:42:13,340
applause
511
00:42:13,340 --> 00:42:17,740
Herald: Thank you so much.
There actually is time for Q&A now.
512
00:42:17,740 --> 00:42:20,672
Travis: Well, first I’d like to introduce
you to my cat. If we could go back
513
00:42:20,672 --> 00:42:25,691
to the prior image. This is Frank!
We didn’t know it at that time, but
514
00:42:25,691 --> 00:42:31,570
Frank was not dad (?) when this picture was
taken. If you’d like kittens get in touch!
515
00:42:31,570 --> 00:42:34,800
Okay. Are there any questions?
516
00:42:34,800 --> 00:42:39,030
Question: Great talk. What’s the most
interesting signal you decoded so far?
517
00:42:39,030 --> 00:42:44,650
Travis: At the moment I’m sort of stuck
at the L band range. Because of filters
518
00:42:44,650 --> 00:42:48,220
that I have yet to remove. So everything
gets attenuated, and becomes annoyingly
519
00:42:48,220 --> 00:42:54,720
quiet outside of the 1.5..1.6-ish range.
520
00:42:54,720 --> 00:43:00,210
The Globalstar network is what I’m
most interested in targeting next.
521
00:43:00,210 --> 00:43:03,050
I can’t wait to see what
people are tweeting
522
00:43:03,050 --> 00:43:07,029
while they should be enjoying nature.
523
00:43:07,029 --> 00:43:08,850
Herald: Is there a question
from the internet?
524
00:43:08,850 --> 00:43:12,890
Signal Angel: Yeah, the internet has
many questions. So first one was:
525
00:43:12,890 --> 00:43:18,430
Is there really no authentication or
encryption on the Q band IP services?
526
00:43:18,430 --> 00:43:24,859
So you can just spoof at will? And…
527
00:43:24,859 --> 00:43:28,540
can the birds see the physical
location of the source
528
00:43:28,540 --> 00:43:34,650
accurately enough to
find who is spoofing?
529
00:43:34,650 --> 00:43:41,200
Travis: I’m not an expert in Ku band. The…
for the downlink the bird has no clue
530
00:43:41,200 --> 00:43:45,750
as to the location of the dish. Because
you’re only listening. They can roughly
531
00:43:45,750 --> 00:43:49,530
figure out your geographic area because…
they need to figure out where
532
00:43:49,530 --> 00:43:53,590
the spot beam is going. So they might know
whether you’re in, say, Germany or
533
00:43:53,590 --> 00:44:01,720
in France. But they won’t know whether
you’re in Heidelberg or Mannheim.
534
00:44:01,720 --> 00:44:07,420
They do have forms of authentication for
many satellite networks. Satellite TV
535
00:44:07,420 --> 00:44:11,950
is one of the best-protected network
services because of the satellite wars
536
00:44:11,950 --> 00:44:16,580
in the nineties in which TV pirates would
fight back and forth with smart card
537
00:44:16,580 --> 00:44:23,330
designers. But there are also many
unencrypted links. And there are…
538
00:44:23,330 --> 00:44:31,260
because of standard protocols those
are particularly easy to find in Ku band.
539
00:44:31,260 --> 00:44:37,390
Question: You’ve been talking about
using RTLSDR from osmocom.
540
00:44:37,390 --> 00:44:42,470
And you were talking about your spectrum
analysis program. Is this one working
541
00:44:42,470 --> 00:44:45,810
with RTLSDR?
542
00:44:45,810 --> 00:44:53,970
Travis: So… RTLSDR… so I’m using
the RTLSDR, not the OsmoSDR.
543
00:44:53,970 --> 00:44:58,900
Which are separate. The spectrum
analyzer is working with the RTLSDR.
544
00:44:58,900 --> 00:45:03,230
My complaint about the RTLSDR is that
when you have a strong signal next to
545
00:45:03,230 --> 00:45:08,230
a weak signal the weak signal is
utterly useless for interpretation.
546
00:45:08,230 --> 00:45:13,330
Question: Okay. Thank you.
547
00:45:13,330 --> 00:45:15,490
Herald: Another question
from the internet?
548
00:45:15,490 --> 00:45:19,180
Signal Angel: Okay, next question from
the internet is: How do you record
549
00:45:19,180 --> 00:45:24,490
the radio signal from the dish,
at what sampling rate?
550
00:45:24,490 --> 00:45:29,890
Travis: The RTLSDR samples at 2 million
samples per second. As soon as I switch it
551
00:45:29,890 --> 00:45:37,250
over to the HackRF I’ll be having
20 million samples per second.
552
00:45:37,250 --> 00:45:41,900
The sampling rate can be reduced once
the bandwidth of the signal is known.
553
00:45:41,900 --> 00:45:46,390
For reduced storage. And the
recordings can also be compressed.
554
00:45:46,390 --> 00:45:53,300
But it’s still a hell of a lot of storage.
555
00:45:53,300 --> 00:45:54,659
Herald: Any other questions?
556
00:45:54,659 --> 00:45:57,770
Signal Angel: The internet
has more questions…
557
00:45:57,770 --> 00:45:59,860
Herald: Okay…
558
00:45:59,860 --> 00:46:04,380
Signal Angel: Did you look into obtaining
a capacitive high-bandwidth coupler as used
559
00:46:04,380 --> 00:46:09,880
for the rotary gantries in CT scanners?
Those can apparently transmit contactless
560
00:46:09,880 --> 00:46:13,420
several GBytes per
second, bi-directionally.
561
00:46:13,420 --> 00:46:16,109
Travis: I’ve not looked into those.
It seemed better to have an umbilical
562
00:46:16,109 --> 00:46:21,820
cable and to be careful not to snap it.
563
00:46:21,820 --> 00:46:25,630
The whole thing was done for a budget
of less than 2000 Dollars, and can be
564
00:46:25,630 --> 00:46:31,640
recreated for less than a budget of 1000
[Dollars]. And they… so we tried to avoid
565
00:46:31,640 --> 00:46:36,140
fancy parts. The local radio shack loved
us because we’d swing in and buy all sorts
566
00:46:36,140 --> 00:46:39,880
of crazy stuff. As soon as we told them
that we wanted the satellite dish to
567
00:46:39,880 --> 00:46:41,300
dance Gangnam style…
laughs
568
00:46:41,300 --> 00:46:48,740
laughter
569
00:46:48,740 --> 00:46:50,820
in German, strong accent:
Danke, gerne!
570
00:46:50,820 --> 00:46:53,810
applause
571
00:46:53,810 --> 00:46:56,610
silent postroll titles
572
00:46:56,610 --> 00:47:02,893
subtitles created by c3subtitles.de
in the year 2017. Join, and help us!