silent 30C3 preroll titles
applause
Travis Goodspeed: First I need
to apologize for typesetting this
in OpenOffice. I know that the
text looks like a ransom note.
But that’s what happens
when you don’t use LaTeX.
I’d also like to give a shoutout to
Collin Mulliner if he is here,
and our Dinosaur rock band.
laughs, applause
We’re a Christian rock band, we’re
called ‘Jesus lives in the ISS’ and
we know that he is always watching us,
but we think that it’s easier for him
to hear our prayers when
he’s, you know, in an orbit
that passes over us. So we need to use
orbital tracking to know when to pray!
laughter
As I’m sure you can guess I’m not
recognized as a legal minority religion
in Germany. I’d also like to thank skytee
and Fabienne Serrière and Adam Laurie
and Jim Geovedi for some
prior satellite tracking work,
and the Scooby Crew at Dartmouth
College for all sorts of fun
whenever I bounce out there.
This is the mission patch
of the Southern Appalachian
Space Agency (SASA).
applause and cheers
This was drawn by Scott Beibin and there
are a few pieces of my people’s native
culture that I need to point out here. On
the right the little Dinosaur type thing
with his finger going out, you might
call him E.T. but we call these things
‘buggers’. They are like this tall, and
they are green and that’s why the man
on the left has a shotgun.
laughter
Because he doesn’t want to be abducted.
You got a satellite dish in the middle
and it’s sitting on cinder blocks because
that’s also a piece of my people’s
native culture. There’s a moonshine
still in the background.
That’s kind of like Vodka but you
make it at home and from corn.
And then there’s the mountain… a piece…
it looks like there are snow peaks
on those mountain tops. But our mountains
aren’t tall enough to have snow.
These are actually that we’ve blown off
the lids of the mountains for coal mining.
Which is another piece of
my people’s native culture.
And at the top, in space you can see
the ISS, and you can see a banana,
and you can see what I think is a bulb.
This is to signify space trash.
I mean there’s a lot of stuff up there.
And, you know it’s symbolism that matters
in these things, you know?
At BerlinSides, in May of 2012
I did a lecture on reverse-
engineering the SPOT Connect.
The SPOT Connect is a little
hockey puck type thing
– this is what it looks like.
And these things are great.
It weighs a bit more than your cell phone
but it runs off of a couple of batteries,
it connects to your phone by Bluetooth.
Originally these were emergency locator
beacons. So if you’re going hiking…
have any of you seen the movie where
the guy has to cut off his arm
with a dull knife? If you’re hiking and
you don’t want that same experience
you buy one of these things. And
then there’s an emergency button
you can push that transmits your
GPS coordinates by satellite
to rescue workers. But that was boring,
so they had to add social media.
laughs, laughter
So in addition to keeping you
from chewing off your own arm
this device will also allow you to
tweet and make Facebook posts.
laughs, laughter
The idea is that as you’re running…
here I’m crossing the Schuylkill River
in Philadelphia and the Android
phone on the left is making a post.
And I did an article on reverse-
engineering the Bluetooth side
of these things. Because… I use a weird
brand of phone that Microsoft killed off,
and I’m terribly bitter about it. But
I also figured out the physical layer.
And that’s what this diagram shows.
This transmits at 1.6125 GHz.
And it sends a pseudo-random stream, so
each one of these zeros is a long chunk
where it’s bouncing back and forth
between two different frequencies.
And the same for the ones.
But the way that the pattern works
is that it switches the signal whenever
it is going from the 0 signal
to the 1 signal. And internally, there are
these little pops that you can actually
identify on a software defined radio
recording. And this is how you can
reverse-engineer the signal that
the SPOT Connect is sending up
to its satellite network.
Everything is clear text on this.
And it’s completely unencrypted.
It just has your serial number, your GPS
coordinates, and a bit of ASCII text.
So if you listen on this frequency and
you have the correct recording software
you can actually watch all of the SPOT
Connect messages that are transmitting
up from your location. And this would be
great except that this is designed for
hiking in areas where there’s no cell
phone service. So having an antenna
on the uplink frequency is kind of
useless. You know you would actually
have to go out to a national park, find
some guy who is about to chew his arm off,
and then you could listen to his uplink
where he is like tweeting: “Hey, I’m gonna
chew my arm off”, you know?
laughter
So that’s great as a proof of concept
but it’s not really anything practical.
The current state of that was that I knew
the protocol and I could sniff the uplinks.
But I wanted to sniff the downlinks. So
it’s easy for me to get the thing that
goes up to the satellite. But what I wanted
was what comes down from the satellite.
And that requires a satellite dish. But
a geo-stationary dish isn’t good enough
because the satellites that run this
network – there are a lot of them,
it’s called the Globalstar network,
they fly really low across the earth,
and they fly across the earth in very
tight, very fast orbits. So they’ll move
from horizon to horizon in 15 to 20
minutes. Which means that you either need
like a sweat shop army of kids
trying to aim the satellite dish
as it’s going across or you need
to make it computer-controlled.
Stepping back from the SPOT
Connect for a little bit, and
discussing some prior research.
Adam Laurie did some work
with geostationary satellites.
These are the satellites that stay
in one position in the sky.
He gave two sets of talks
– one in 2008 and the second in
2010. And he used a DVB-S card
connected to a satellite dish with
a DiSEqC motor, so that it could move
the satellite dish left and right in order
to scan a region of the horizon.
His tool is publicly available,
it’s called satmap.
You can grab it at this URL.
And then after he finds a signal he has
a feed scanner. Normally when you use
Satellite TV your provider gives you
a listing of the frequencies, and
your provider gives you an exact orbital
position to aim your satellite dish at.
But Adam’s tool allows you to scan to
see which frequencies are in use and
which protocols are in use, once
you’ve correctly aimed your dish.
And he also describes a technique
for moving your dish left and right
while doing this in order to
identify where the satellites are.
This recording here is from
a re-implementation that I made
of Adam’s work, in order to
catch up with it. In this diagram
the x-axis – because you move left
and right – that shows the azimuth,
that shows how far left or right my
satellite dish has moved. And then
the y-axis shows the frequency. And
all of these dots are strong signals.
So every vertical bar in which you see
chunks of frequencies, that’s a satellite.
But these stay in the same position. So
it’s easy for me to repeat this experiment.
It’s easy for me to re-run it, and to find
the same satellites in the same position.
It’s easy to debug this.
But it can’t move in elevation.
This diagram is actually
a very small slice of the sky.
We’re looking at a single line,
maybe 10 degrees across.
Maybe only 5 degrees across.
So hacking Ku-band – the television
satellites – has the advantage
that you can use cheap standardized
hardware. I bought one of these DVB-S cards
in Mauerpark, in Berlin for 3 Euro. You
can use standardized DiSEqC motors,
you can buy them at a satellite TV shop.
TV signals come with video feeds
so you can actually see pictures.
There was a scandal about 4..5 years
ago where they were finding
drone [control] feeds that were being
bounced across these satellites.
In the nineties it was very popular to
listen to the sort of unedited sections
of interviews, when people would
be interviewed over a satellite,
before Skype and such
things became options. And
there are also networking signals here
using TCP/IP packets. So you can actually
turn your DVB-S card into
a promiscuous ethernet adapter,
and start sniffing all of the traffic that
comes across. This is also a great way
to get free downlink bandwidth. Because
you can just flood packets at an address
that, you know, will be routed to
you, or several addresses, and
then you sniff it out as the
legitimate receiver ignores them.
But it also has some disadvantages. It
only works for geostationary satellites.
If the satellite is not staying in the
same position relative to the ground
then you can’t track it. Your
dish also moves very slowly.
And it only moves left and right.
It won’t move up and down.
And you’re limited to standardized
signals. So while it’s great that you get
video and TCP/IP you’re never
going to get anything weird.
You’re not gonna get any mobile
data, you’re not going to get any
Brazilian truck-drivers – we’ll
get to those in a bit. laughs
I misspoke, you actually will get
Brazilian truck-drivers in this.
So I bought a satellite dish. One of the
best things about living in America is
that you can buy industrial
hardware cheap as dirt on ebay.
I know things aren’t likely used to being
a cat bite to (?)(?) human children anymore.
But this satellite dish here on
the left – the one in the radome –
that’s my dish. And to the right,
that’s the boat that it came from.
applause
laughs
This came from a military ship.
But the dish itself is also available
for civilian use on very large yachts.
The dish itself is a Felcom 81 and it
was intended for use with a network
called Inmarsat. Inmarsat allows
for telephone connections,
and also data connections when you’re on
a boat. So if the crew wants to call home
or wants to go to AOL Keywords
or whatever was popular back when
this was common they could do that.
And the dish was designed to sit
at the very top of a ship’s mast.
The reason why is that at the top of
the mast there aren’t any obstructions
– it has a clear view of the sky in all
directions. But there’s a complication
with being on the top of the mast. Which
is that the ship is rocking beneath you
and you’re moving more
than the rest of the ship.
So they have stepper motors
for azimuth, elevation and tilt.
And then they have spinning gyroscopes.
Back before the iPhone there was
this dark, dark time when
gyroscopes actually spun.
And this is the sort of gyroscope that
it has. It actually has 4 of them so
that it can measure its movement.
And then it has a control computer. So the
idea is that the dish itself can be moved
while remaining absolutely stable
with regard to the gyroscopes.
So it compensates for the rocking of
the ship beneath it as it’s targeting
a stationary satellite.
In America this costs 250 dollars
but it’s electronics equipment, so while
you think that would only be a 180 Euro
it’s more like 2500. And that’s before
import duties and it being impounded.
We also have this lovely culture in which
people love excuses to use their trucks.
So the guy that I bought this from offered
to deliver it to my home for only $200.
It was an 11-hour drive.
But if you wanted this you’d have to
bring it back in your carry-on luggage
and that could be awkward.
I got this dish and I decided I had
to do something with it. So I created
the Southern Appalachian Space Agency.
I’m from the state of Tennessee,
formerly known as the State of Franklin
until North Carolina invaded us.
It’s ok, I know Europeans suck at history.
laughs
laughter and applause
Now I’m trying to think of how to show
you on a map where Tennessee is
without having a map. But, you know,
it’s okay, I know you suck at geography
and will forget it soon. (?)
From audience: It’s very
near Texas, to the north.
Travis: Texas is our first colony. But
it’s actually a decent drive to the east.
Due east (?). You don’t
actually have to go it anyways.
So what I did was I took these motors
which were designed to be able to move
the satellite dish to compensate
for the rocking the ship and
I re-purposed them to track through
the sky while the ground is stable.
We don’t have very many earthquakes in
Tennessee. The last one that we had
made rivers run the wrong direction.
But it’s okay – it’s a geography thing.
laughs
So this allows me to track things
that are moving through the sky.
But it doesn’t actually matter
where they’re moving in the sky because
that’s just a software problem.
So in addition to tracking objects that
are in low-earth orbit by a software patch
I can also track things that are in deep
space. It’s not much harder to track
deep space probes or stars than it
is to track items in low-earth orbit.
And then I added a software defined radio
which allows me to record a signal now
and then demodulate it later.
Which is necessary if you intend
to reverse-engineer a signal. Because
a lot of the downlinks from these satellites
are completely non… completely
undocumented. And being able
to tune in to the right frequency is only
half of it. You also need a recording
of sufficient quality that you can
reverse-engineer it after the fact.
We’re sort of spoiled by software
defined radios in that when doing
software defined radio work we usually
have a very good signal to work from.
So having high quality signals for later
reverse-engineering is necessary.
I really wanted to be able to identify
undocumented downlinks for low-earth orbit
in the same way that we already
do this for geo-stationary orbit
using tools like the ones that Adam
Laurie and Jim Geovedi made.
So I built a software framework as
a collection of Python daemons.
And these run across a home
area network in my house.
There’s a Beaglebone inside of the Radome.
And an x86 server in the house. Or AMD64,
whatever the kids call it these days.
And then I used Postgres for coordination.
So that all of these daemons can talk
to each other without… without me really
caring which machine they’re on.
So for maintenance I can have my
laptop pretending to be the dish,
and I can have stepper motors on my desk,
and I can watch them spin, and I can even
make a model of the dish and swap these
components in and out without the rest of
the network being confused. This also
allows for SQL injection attacks to
physically move my dish. Which is why the
sensor network is not on one of those
fancy Web 2.0 things. Because you could
inject, say, “UPDATE target SET name=
‘VOYAGER 1’”. Then my dish would physically
move and start tracking Voyager 1
through the sky. Voyager 2
doesn’t actually come into the sky because
of my position in the Northern hemisphere.
So, it’s okay, I know you suck at
geography. But Voyager 1 is going up,
and Voyager 2 is going down.
There’s a Realtek software defined radio
for the radio reception. Although
these things are garbage. So I’m in the
process of replacing this for the HackRF.
There’s also an EiBot board for motor
control. We’ll get back to that in a minute.
And there’s an Inertial Measurement Unit
from VectorNav which actually measures
using the fancy MEMS gyroscopes and
a MEMS compass how I’m moving.
This isn’t accurate enough to target
the dish, so I’m still counting steps
to move the dish. But it is accurate
enough to tell me when my belts
have broken. Or when I’m up
against a physical obstruction.
This is skytee helping
me out with the dish.
He’s zip-tying it. Because, you know
we know everything about duct tape
where I come from, but we don’t know
anything about zip-ties. So I had
to bring in a German engineer.
laughter
We call him a gerry wigger(?)
but, you know…
This is the satellite dish itself. And you
can sort of see in this photograph
where we’ve strapped on the equipment.
There’s like an umbilical cord.
Or more like a spinal column that actually
runs up the back of the dish. So we just
added new cables onto that line.
And then zip-tied them in place.
And skytee came up with all these
crazy ideas like that we should use
chains and zip-ties to make sure that the
cables don’t tear themselves out. And
that worked tremendously well in practice.
So, as this thing spins around,
by the original design there’s a ring
connector that all of the signals
go through. That all of the networking
goes through. That all of the rest
goes through. And that worked in the
nineties because it had no reason
to send anything faster than 9600 baud.
But with the modern signals going across
it I need 100 MBit/s or even GB ethernet,
that’s not enough, I need more than
two wires. So there’s a cable that comes
across it, and then I rely on the
software to keep it from wrapping
that cable around itself. So it can only
move, say, 400 degrees around.
But that’s still more than a full circle.
So by stopping halfway and moving back
I can prevent it from getting snagged.
We’ve got the Beaglebone on the left,
in the middle there’s a USB hub
and on the right is the motor controller.
The Beaglebone runs Debian Linux and
takes care of sending the software defined
radio recordings over the network. It also
takes care of updating the motor positions
to be the ones that the database
declares should be current.
The stepper motors themselves are the
originals that the dish was designed with.
And they’re running to an EiBot Board.
The EiBot board was intended
for plotting on Easter eggs
laughs, laughter
I feel, you know… is that neat?
laughs
applause
So you can actually aim a satellite dish
that’s as tall as you are, with of these
fancy motors using less sophisticated
equipment than what’s used
in a 3D printer. Don’t panic, though.
It’s a hell of a lot more
reliable than a 3D printer.
But we needed some sort of backup in
addition to the inertial measurement unit
telling us when the device
had snagged itself.
It would also help to have
a visual cue. Because
the satellite dish sits in Tennessee, and
while I love my home town, and, you know
I’m very proud of being Tennessean, it’s
also a long way to travel when you need
to re-orient the dish. Using an
accelerometer it’s easy enough
to correct the elevation. Because you can
use the accelerometer as a level, and
you can use that to tell how high up the
dish is pointing, at an absolute scale.
But the compass isn’t very accurate. So
instead, as a backup we have a webcam
that’s taped to the top. Taping
is my people’s native culture.
We have it taped to the top, and then
it’s pointing backwards. So this gives us
like a rear view camera,
from the dish’s position.
So as the dish sits
inside of its radome…
– junk cars in the yard are also
my people’s native tradition!
laughs, laughter
So the dish sits there next to
my brother’s Toyota Supra.
And that thing, you know,
that thing flies as soon as it gets
an engine put back in it.
laughter
So it sits there and it’s moving but
externally you can’t see where it is.
Which means that I can’t call my family
in Tennessee and blackmail them into
– yet again – looking at my dish to tell
where it’s pointed. There are bolts
that hold this down, it takes half an hour
to remove the lid, another half an hour
to put it back on.
So instead we took the radome…
that’s Frank, he’s my cat.
Give a “Cheers!” for Frank!
applause and cheers
Yeah, we had such a great time with Frank.
And we never knew that she was pregnant.
If you happen to need kittens and wanna
pay the customs fees I’ll hook you up!
So then we took tape and ran tape
down the edges of the radome,
and then marked it. So from the markings
you can tell which clock position
the back of the satellite dish is pointing
at. So if you point the dish towards 12:00
you know that you’re roughly at 6:00,
so you know that it’s pointing South.
And then you can sort of scan the sky
for a stationary target, and navigate
off of that, to recover your position.
Software-wise… remember, the
whole thing runs through Postgres,
so I just tunnel the Postgres over SSH,
and then I wrote a Python client
that displays the satellite positions
and the satellite state in PyGame.
This is intended for making those games
where you see the rabbit and the rabbit
jumps on the other rabbit. But it… works!
And it works perfectly well enough
to target the dish. Because all that this
software has to do is plot the positions
of the satellites, and give orders back to
the database when I click on a satellite
or click on a position.
It can also display stars.
So the red items are satellites which are
not selected. The green item is GOES-3
which is the satellite that I’m targeting.
And then the white items are
stars in the sky. Now this is
a plot in which the azimuth
is on the X axis, and the elevation is on
the Y axis. But I can also arrange it
into a polar plot. Which sort of gives me
an upside-down view of the satellite dish
looking at the sky.
I doubt you can read it but
just above the green circle in the center,
that’s Polaris which is the North star.
It’s also weird because, you know,
working on this, you know, I thought
that I got really good at astronomy
until I realized that I only knew
what the stars looked like during the day.
laughter, laughs
And it being PyGame you can
actually run it on a mobile device.
So the same client that runs on my
laptop can also run on my Nokia N900.
laughs
applause
A significant portion of the GUI client for
this was written while stuck on the U-Bahn,
connected over 3G, SSH through
and just using emacs on the phone.
laughter, laughs
applause
If you’re one of those people who needs to
complain about the N900 being too old,
it also runs on the N9.
And then you can take the data out of this
and run it through scientific software.
In addition to the software defined radio
recordings themselves being dumped out
to a text file or a binary file on disk
you can also dump out things like
the received signal strength indicators
(RSSI). So this is a screenshot in which
I’m identifying different satellites that
I’ve seen in the sky based upon
their downlink signal peaks. You can see
the noise floor there, at the bottom,
and then there’s a rather strong signal on
the left. And a weaker, narrower signal
on the right. Now, the
daemons that build this up…
you need an orbit prediction daemon.
Because you need to know
where the satellites are and where
they’re going, and where they will be
by the time you get to them.
You need to update the orbits themselves.
LEO satellites are described in TLE files,
these are called ‘Two Line Entry’ and
they’re called ‘Two Line Entry’ because
they’re three lines long.
laughter
These were originally used by NORAD for
inter-continental ballistic missile tracking.
And because a ballistic missile
is basically in orbit, it’s just that
that orbit happens
to collide with the earth.
But this format isn’t terribly accurate
for satellites that adjust their own orbit.
So anything that has fuel, or has engines,
or changes mass will vary its position.
And this also doesn’t account for drag.
Because, you know, the missile itself,
you know it goes up it goes down, it’s
not orbiting enough for the light drag
in the upper atmosphere to matter. But for
a satellite it does. So these Two Line Entries
will work for a matter of days or maybe
a couple of weeks. But they don’t last
longer than that. So you need a daemon
that grabs the new files from Space Track.
And this is just a matter of like
a recursive WGET, and then
parsing the files. And that still needs
to be done. You also need motor control,
because you need to move the dish
physically to track your target.
You need input for the Inertial
Measurement Unit. This comes over
a low voltage serial port. And then
you need radio daemons to handle
spectrum analysis or downlink recording.
And these you’ll have several of them,
you have to swap them out. So you’ll begin
by using the spectrum analyzer to identify
that your aim is accurate, that you’re
accurately tracking the targets
well enough to get a recording from
them. And then after that you begin
to take software defined recordings off
them. And, eventually, you might have
a standalone application that parses
what you’re receiving. Such as
the Osmocom guys did with OpenGMR.
So for orbit prediction I began
with a DOS program that had been
ported to Unix, called PREDICT.
And this worked, but it’s garbage.
It only supports 20 satellites plus the
sun, the moon, Venus and Mars.
But no other planets because it’s
designed for astronomy photographers
who want to get a picture of something
as it comes over the horizon. You know,
I need to track hundreds of targets and
then write a script to opportunistically
pick the ones that I want to record.
Because otherwise you have to like
set an alarm clock for the half-hour pass
in which you can play with something.
That software does allow you to query the
results by UDP, though. So you can just
send it a flood of request packets,
then it will flood back with the data
you’re looking for. So I switched to
a library called PyEphem which allows you
to track hundreds of birds. It has no
UDP nonsense. It will also calculate
satellites, planets and stars.
And the really nifty thing about this
is that you tell it… you know, it being
a library you tell it when to update
the individual object that you’re
interested in. So you can update
objects that are out of view or
uninteresting more slowly
than the ones that you care about.
So I managed to track every single item
in geo-stationary orbit. This thick
ring here is the Clarke Belt
of all satellites in geo-stationary orbit,
as viewed from my Southern horizon.
applause
The Two Line Entry files you can get
freely from CELESTRAK.COM.
So this is just a simple script that
grabs them and then inserts them.
And the prediction daemon will actually
select them as it is loading up.
Because all inter process communication is
running through this Postgres database.
And this daemon can be moved to
a different machine if I needed
more computing power, or anything
like that. The motor control daemon…
well, the EiBot board is designed to take
stepper motor commands. It shows up
as a USB serial device on Linux. So as
I plug it in to the Beaglebone it appears
as /dev/ttyACM0. And the baud rate doesn’t
matter. Because this is a USB device.
You could then send it simple commands.
Like ‘SM,3000,500,-400’ means that I wanna
move a stepper motor for 3000 ms. I want
the first motor to move 500 forwards,
that’s UP, and the second one to move
400 LEFT which is backwards 400 steps.
And then it will count that out, and
then it sends me back an OK.
If I want to disable the motors, I send
‘EM,0,0’. This allows the motors to be
freely spun. Because normally a stepper
motor will physically hold its position,
you need to turn them off in
order to slide the dish around.
‘EM,1,1’ will enable both motors
in 1/16-of-a-step mode.
Stepper motors can do fractional
steps because they’re
holding themselves in position.
You can see the motors themselves
with the belts and the gear train.
This thing on the right would probably
be illegal for me to turn on.
The thing on the right is a 250 W
amplifier. laughter
The stepper motors themselves just have
six wires. In a lot of 3D printer type stuff
they ignore the middle two. So you just
drop off the middle two wires, you run
the other four to your stepper
controller, and you’re good to go.
The belts and stuff need to be measured
in order to figure out exactly
what the gear reduction is. Because you
need to know how many steps form a degree.
The IMU unit, this VectorNav VN100,
it’s a MEMS gyroscope and accelerometer
and a compass in a single box.
It costs $500 which was
more than all of the other
equipment put together.
The compass is confused by the stepper
motors because the compass is measuring
magnetic fields. So you need to
mount this physically as far away
from the stepper motors as possible. And
the gyroscope is confused by motor jerk
which is a shame because stepper motors
work as a series of jerks rather than
as a single consistent motion. And the
accelerometer is confused by gimbal lock,
so you have to switch it to
a quaternion mode in order to get
consistent values out of it. And if I had
to do this over again I’d really try
to drop this piece of garbage. But it’s
a lovely technology when it works.
some laughter
Now for position calculations: the
elevation itself comes from the IMU,
the azimuth comes from the motor daemon.
This is because the accelerometer
can very accurately tell which way
the earth’s gravity is pulling it
whereas the accelerometer has to integrate
jerks over time in order to figure out
its position. So the
accelerometer will drift
and the compass will be confused by the
magnetic fields while the elevation is
just a single accelerometer
that doesn’t drift.
And the IMU will become
a backup for these things
in order to figure out how to make
it reliable. But at the moment
the position measurement is infinitely
more reliable. The tilt motor
I’m not using at present because on
a ship that’s rocking it’s necessary
to tilt the dish. On a satellite dish
that’s staying still the only useful
tilting the dish is so that you can follow
the arc of a satellite through the sky
by only moving a single motor.
Photographers do this when they’re
trying to get long exposures of moving
satellites. At the moment my software
doesn’t support this feature. But
if it turns out to be necessary
to get higher quality
recordings I might add it.
There are radio daemons. The
first is a spectrum analyzer.
This just measures the signal strength
on each frequency. And it does it by the
power spectral density function.
And the strength itself will
vary with the position error.
So this allows you to figure out how
far off you are by sort of testing,
by overshooting just a little bit,
or undershooting just a little bit
to center on your target. The downlink
recorder dumps the IQ values
in the software defined radio
directly to an NFS share,
which can later be decoded and
read and reverse-engineered.
We’ve got a whole table of spectrum
data. And then I plot that in a tool
called Viewpoints which NASA releases
for dealing with giant scatter plots
in multiple dimensions. Each view takes
two dimensions, and it’s tons of fun.
The client GUI is this PyGame. I have
Postgres for communications, and
the server does all the heavy lifting,
so the Beaglebone itself never has
to do anything complicated with
regards to software defined radio.
This is also about these faint blue lines
are positions at which I’ve seen
particularly strong signals in order to
identify which satellites are active
and which ones are inactive.
Because satellites die over time.
And particularly useful targets we’re
reverse-engineering are satellites that are
out-of-commission or outdated.
I’m running out of time by these markers.
Does that mean that we’re skipping
questions, or does that mean that
I need to be off the stage?
mumbling to stage
Not having Q&A, okay. So today I get
accurate tracking of satellites.
And this thing can run unattended 24h
a day for months without maintenance.
Like I said: it’s nothing like a 3D printer.
laughter
It takes software defined radio
recordings, it can provide maps
of views of different
satellites in the sky.
The next step is I want to publish
a ‘port scan’ of the entire sky.
So which frequencies are in use on which
birds, for every bird that ever comes
above Tennessee, on every
downlink that fits my antenna
as well as a database of software
defined radio recordings. If anyone
would care to donate a truckload
of disks – that might be handy.
I’d also like to make other ground
stations. The software that I’ve written
ought to be portable to new hardware.
So there’s nothing that should keep you
from being able to port this to run on
your own dish. And I have a large yard,
so I could conceivably have
a dozen of these things.
Another way that you can do it, and
the way that it’s traditionally done
for, say, cube satellites is having
Yagis or other loosely directional antennas
in order to receive the signals.
I went with a dish because I wanted
more selectivity. I wanted to be able to
get reverse-engineerable recordings
rather than intentional ones for which
I already knew the downlink protocol.
So this is my van, my van is amazing.
applause
Thanks to Nick Farr. I had a bit too
much to drink in Montreal and
I called Nick Farr and I said: “Nick,
I want a DUKW”, like these amphibious
troop transport vehicles. And Nick
said: “Sorry, I can’t get you one but
you want a news van!” And I said:
“Hell yeah, I want a news van!”
So – this pole in the background, that’s
not a lighting pole. That’s actually
part of the van.
laughter
This is the antenna retracted. This mast
goes up 20 m by pneumatic power.
There’s an air compressor in the back.
Here is the control panel,
there’s an air-conditioned
office in the middle.
laughter, laughs
This has four 19" server racks as well
as some A/V equipment that was left over.
I was particularly excited about the
video monitor which supports PAL
which you folks are familiar with,
NTSC or “Never The Same Color”
which is my people’s native culture…
laughter
But most importantly, it does SECAM,
the system essentially contrary
to the American method.
laughs
laughter and applause
So in addition to my radio equipment
I’m adding my Soviet PDP-11 which was…
laughs
…and that’s not a joke. I have a Soviet
PDP-11 thanks to the kind folks at the
Positive Hacking Days conference.
This is the control panel,
and that’s my talk!
applause
Herald: Thank you so much.
There actually is time for Q&A now.
Travis: Well, first I’d like to introduce
you to my cat. If we could go back
to the prior image. This is Frank!
We didn’t know it at that time, but
Frank was not dad (?) when this picture was
taken. If you’d like kittens get in touch!
Okay. Are there any questions?
Question: Great talk. What’s the most
interesting signal you decoded so far?
Travis: At the moment I’m sort of stuck
at the L band range. Because of filters
that I have yet to remove. So everything
gets attenuated, and becomes annoyingly
quiet outside of the 1.5..1.6-ish range.
The Globalstar network is what I’m
most interested in targeting next.
I can’t wait to see what
people are tweeting
while they should be enjoying nature.
Herald: Is there a question
from the internet?
Signal Angel: Yeah, the internet has
many questions. So first one was:
Is there really no authentication or
encryption on the Q band IP services?
So you can just spoof at will? And…
can the birds see the physical
location of the source
accurately enough to
find who is spoofing?
Travis: I’m not an expert in Ku band. The…
for the downlink the bird has no clue
as to the location of the dish. Because
you’re only listening. They can roughly
figure out your geographic area because…
they need to figure out where
the spot beam is going. So they might know
whether you’re in, say, Germany or
in France. But they won’t know whether
you’re in Heidelberg or Mannheim.
They do have forms of authentication for
many satellite networks. Satellite TV
is one of the best-protected network
services because of the satellite wars
in the nineties in which TV pirates would
fight back and forth with smart card
designers. But there are also many
unencrypted links. And there are…
because of standard protocols those
are particularly easy to find in Ku band.
Question: You’ve been talking about
using RTLSDR from osmocom.
And you were talking about your spectrum
analysis program. Is this one working
with RTLSDR?
Travis: So… RTLSDR… so I’m using
the RTLSDR, not the OsmoSDR.
Which are separate. The spectrum
analyzer is working with the RTLSDR.
My complaint about the RTLSDR is that
when you have a strong signal next to
a weak signal the weak signal is
utterly useless for interpretation.
Question: Okay. Thank you.
Herald: Another question
from the internet?
Signal Angel: Okay, next question from
the internet is: How do you record
the radio signal from the dish,
at what sampling rate?
Travis: The RTLSDR samples at 2 million
samples per second. As soon as I switch it
over to the HackRF I’ll be having
20 million samples per second.
The sampling rate can be reduced once
the bandwidth of the signal is known.
For reduced storage. And the
recordings can also be compressed.
But it’s still a hell of a lot of storage.
Herald: Any other questions?
Signal Angel: The internet
has more questions…
Herald: Okay…
Signal Angel: Did you look into obtaining
a capacitive high-bandwidth coupler as used
for the rotary gantries in CT scanners?
Those can apparently transmit contactless
several GBytes per
second, bi-directionally.
Travis: I’ve not looked into those.
It seemed better to have an umbilical
cable and to be careful not to snap it.
The whole thing was done for a budget
of less than 2000 dollars, and can be
recreated for less than a budget of 1000
[dollars]. And they… so we tried to avoid
fancy parts. The local radio shack loved
us because we’d swing in and buy all sorts
of crazy stuff. As soon as we told them
that we wanted the satellite dish to
dance Gangnam style…
laughs
laughter
in German, strong accent:
Thank you, gladly!
applause
silent postroll titles
subtitles created by c3subtitles.de
in the year 2017.