1 00:00:00,000 --> 00:00:09,120 *silent 30C3 preroll titles* 2 00:00:09,120 --> 00:00:11,950 *applause* 3 00:00:11,950 --> 00:00:15,000 Travis Goodspeed: First I need to apologize for typesetting this 4 00:00:15,000 --> 00:00:20,080 in OpenOffice. I know that the text looks like a ransom note. 5 00:00:20,080 --> 00:00:24,509 But that’s what happens when you don’t use LaTeX. 6 00:00:24,509 --> 00:00:27,630 I’d also like to give a shoutout to Collin Mulliner if he is here, 7 00:00:27,630 --> 00:00:29,680 and our Dinosaur rock band. 8 00:00:29,680 --> 00:00:33,230 *laughs, applause* 9 00:00:33,230 --> 00:00:36,870 We’re a Christian rock band, we’re called ‘Jesus lives in the ISS’ and 10 00:00:36,870 --> 00:00:46,070 we know that he is always watching us, but we think that it’s easier for him 11 00:00:46,070 --> 00:00:50,199 to hear our prayers when he’s, you know, in an orbit 12 00:00:50,199 --> 00:00:55,689 that passes over us. So we need to use orbital tracking to know when to pray! 13 00:00:55,689 --> 00:00:57,749 *laughter* 14 00:00:57,749 --> 00:01:00,899 As I’m sure you can guess I’m not recognized as a legal minority religion 15 00:01:00,899 --> 00:01:06,140 in Germany. I’d also like to thank skytee 16 00:01:06,140 --> 00:01:11,010 and Fabienne Serrière and Adam Laurie 17 00:01:11,010 --> 00:01:16,810 and Jim Geovedi for some prior satellite tracking work, 18 00:01:16,810 --> 00:01:20,350 and the Scooby Crew at Dartmouth College for all sorts of fun 19 00:01:20,350 --> 00:01:24,689 whenever I bounce out there. This is the mission patch 20 00:01:24,689 --> 00:01:28,329 of the Southern Appalachian Space Agency (SASA). 21 00:01:28,329 --> 00:01:33,790 *applause and cheers* 22 00:01:33,790 --> 00:01:36,920 This was drawn by Scott Beibin and there are a few pieces of my people’s native 23 00:01:36,920 --> 00:01:42,610 culture that I need to point out here. 
On the right the little Dinosaur type thing 24 00:01:42,610 --> 00:01:48,149 with his finger going out, you might call him E.T. but we call these things 25 00:01:48,149 --> 00:01:51,530 ‘buggers’. They are like this tall, and they are green and that’s why the man 26 00:01:51,530 --> 00:01:55,990 on the left has a shotgun. *laughter* 27 00:01:55,990 --> 00:02:00,909 Because he doesn’t want to be abducted. You got a satellite dish in the middle 28 00:02:00,909 --> 00:02:04,350 and it’s sitting on cinder blocks because that’s also a piece of my people’s 29 00:02:04,350 --> 00:02:10,259 native culture. There’s a moonshine still in the background. 30 00:02:10,259 --> 00:02:15,120 That’s kind of like Vodka but you make it at home and from corn. 31 00:02:15,120 --> 00:02:19,820 And then there’s the mountain… a piece… it looks like there are snow peaks 32 00:02:19,820 --> 00:02:24,530 on those mountain tops. But our mountains aren’t tall enough to have snow. 33 00:02:24,530 --> 00:02:28,679 These are actually that we’ve blown off the lids of the mountains for coal mining. 34 00:02:28,679 --> 00:02:32,490 Which is another piece of my people’s native culture. 35 00:02:32,490 --> 00:02:37,001 And at the top, in space you can see the ISS, and you can see a banana, 36 00:02:37,001 --> 00:02:41,580 and you can see what I think is a bulb. This is to signify space trash. 37 00:02:41,580 --> 00:02:45,909 I mean there’s a lot of stuff up there. And, you know it’s symbolism that matters 38 00:02:45,909 --> 00:02:51,260 in these things, you know? 39 00:02:51,260 --> 00:02:54,729 At BerlinSides, in May of 2012 40 00:02:54,729 --> 00:03:00,520 I did a lecture on reverse-engineering the SPOT Connect. 41 00:03:00,520 --> 00:03:05,289 The SPOT Connect is a little hockey puck type thing 42 00:03:05,289 --> 00:03:08,950 – this is what it looks like. And these things are great. 
43 00:03:08,950 --> 00:03:13,790 It weighs a bit more than your cell phone but it runs off of a couple of batteries, 44 00:03:13,790 --> 00:03:17,680 it connects to your phone by Bluetooth. 45 00:03:17,680 --> 00:03:21,840 Originally these were emergency locator beacons. So if you’re going hiking… 46 00:03:21,840 --> 00:03:24,569 have any of you seen the movie where the guy has to cut off his arm 47 00:03:24,569 --> 00:03:30,760 with a dull knife? If you’re hiking and you don’t want that same experience 48 00:03:30,760 --> 00:03:34,349 you buy one of these things. And then there’s an emergency button 49 00:03:34,349 --> 00:03:38,760 you can push that transmits your GPS coordinates by satellite 50 00:03:38,760 --> 00:03:44,180 to rescue workers. But that was boring, so they had to add social media. 51 00:03:44,180 --> 00:03:46,540 *laughs, laughter* 52 00:03:46,540 --> 00:03:49,680 So in addition to keeping you from chewing off your own arm 53 00:03:49,680 --> 00:03:54,920 this device will also allow you to tweet and make Facebook posts. 54 00:03:54,920 --> 00:04:00,370 *laughs, laughter* 55 00:04:00,370 --> 00:04:05,350 The idea is that as you’re running… here I’m crossing the Schuylkill River 56 00:04:05,350 --> 00:04:10,010 in Philadelphia and the Android phone on the left is making a post. 57 00:04:10,010 --> 00:04:15,659 And I did an article on reverse-engineering the Bluetooth side 58 00:04:15,659 --> 00:04:22,430 of these things. Because… I use a weird brand of phone that Microsoft killed off, 59 00:04:22,430 --> 00:04:27,520 and I’m terribly bitter about it. But I also figured out the physical layer. 60 00:04:27,520 --> 00:04:34,930 And that’s what this diagram shows. This transmits at 1.6125 GHz. 61 00:04:34,930 --> 00:04:40,830 And it sends a pseudo-random stream, so each one of these zeros is a long chunk 62 00:04:40,830 --> 00:04:44,140 where it’s bouncing back and forth between two different frequencies. 
63 00:04:44,140 --> 00:04:48,750 And the same for the ones. But the way that the pattern works 64 00:04:48,750 --> 00:04:54,551 is that it switches the signal whenever it is going from the 0 signal 65 00:04:54,551 --> 00:04:59,080 to the 1 signal. And internally, there are these little pops that you can actually 66 00:04:59,080 --> 00:05:03,910 identify on a software defined radio recording. And this is how you can 67 00:05:03,910 --> 00:05:08,040 reverse-engineer the signal that the SPOT Connect is sending up 68 00:05:08,040 --> 00:05:14,510 to its satellite network. 69 00:05:14,510 --> 00:05:18,330 Everything is clear text on this. And it’s completely unencrypted. 70 00:05:18,330 --> 00:05:25,040 It just has your serial number, your GPS coordinates, and a bit of ASCII text. 71 00:05:25,040 --> 00:05:29,759 So if you listen on this frequency and you have the correct recording software 72 00:05:29,759 --> 00:05:33,630 you can actually watch all of the SPOT Connect messages that are transmitting 73 00:05:33,630 --> 00:05:39,530 up from your location. And this would be great except that this is designed for 74 00:05:39,530 --> 00:05:44,490 hiking in areas where there’s no cell phone service. So having an antenna 75 00:05:44,490 --> 00:05:47,990 on the uplink frequency is kind of useless. You know you would actually 76 00:05:47,990 --> 00:05:52,290 have to go out to a national park, find some guy who is about to chew his arm off, 77 00:05:52,290 --> 00:05:55,639 and then you could listen to his uplink where he is like tweeting: “Hey, I’m gonna 78 00:05:55,639 --> 00:06:00,699 chew my arm off”, you know? *laughter* 79 00:06:00,699 --> 00:06:09,810 So that’s great as a proof of concept but it’s not really anything practical. 80 00:06:09,810 --> 00:06:13,460 The current state of that was that I knew the protocol and I could sniff the uplinks. 81 00:06:13,460 --> 00:06:17,300 But I wanted to sniff the downlinks. 
So it’s easy for me to get the thing that 82 00:06:17,300 --> 00:06:21,509 goes up to the satellite. But what I wanted was what comes down from the satellite. 83 00:06:21,509 --> 00:06:27,400 And that requires a satellite dish. But a geo-stationary dish isn’t good enough 84 00:06:27,400 --> 00:06:32,249 because the satellites that run this network – there are a lot of them, 85 00:06:32,249 --> 00:06:37,710 it’s called the Globalstar network, they fly really low across the earth, 86 00:06:37,710 --> 00:06:43,289 and they fly across the earth in very tight, very fast orbits. So they’ll move 87 00:06:43,289 --> 00:06:48,889 from horizon to horizon in 15 to 20 minutes. Which means that you either need 88 00:06:48,889 --> 00:06:53,789 like a sweat shop army of kids trying to aim the satellite dish 89 00:06:53,789 --> 00:07:01,259 as it’s going across or you need to make it computer-controlled. 90 00:07:01,259 --> 00:07:04,490 Stepping back from the SPOT Connect for a little bit, and 91 00:07:04,490 --> 00:07:08,009 discussing some prior research. Adam Laurie did some work 92 00:07:08,009 --> 00:07:12,099 with geostationary satellites. These are the satellites that stay 93 00:07:12,099 --> 00:07:16,449 in one position in the sky. He gave two sets of talks 94 00:07:16,449 --> 00:07:23,740 – one in 2008 and the second in 2010. And he used a DVB-S card 95 00:07:23,740 --> 00:07:28,169 connected to a satellite dish with a DiSEqC motor, so that it could move 96 00:07:28,169 --> 00:07:34,330 the satellite dish left and right in order to scan a region of the horizon. 97 00:07:34,330 --> 00:07:37,259 His tool is publicly available, it’s called satmap. 98 00:07:37,259 --> 00:07:41,289 You can grab it at this URL. 99 00:07:41,289 --> 00:07:46,130 And then after he finds a signal he has a feed scanner. 
Normally when you use 100 00:07:46,130 --> 00:07:51,270 Satellite TV your provider gives you a listing of the frequencies, and 101 00:07:51,270 --> 00:07:58,199 your provider gives you an exact orbital position to aim your satellite dish at. 102 00:07:58,199 --> 00:08:02,330 But Adam’s tool allows you to scan to see which frequencies are in use and 103 00:08:02,330 --> 00:08:06,949 which protocols are in use, once you’ve correctly aimed your dish. 104 00:08:06,949 --> 00:08:09,699 And he also describes a technique for moving your dish left and right 105 00:08:09,699 --> 00:08:15,780 while doing this in order to identify where the satellites are. 106 00:08:15,780 --> 00:08:19,639 This recording here is from a re-implementation that I made 107 00:08:19,639 --> 00:08:24,430 of Adam’s work, in order to catch up with it. In this diagram 108 00:08:24,430 --> 00:08:30,199 the x-axis – because you move left and right – that shows the azimuth, 109 00:08:30,199 --> 00:08:35,049 that shows how far left or right my satellite dish has moved. And then 110 00:08:35,049 --> 00:08:40,860 the y-axis shows the frequency. And all of these dots are strong signals. 111 00:08:40,860 --> 00:08:48,290 So every vertical bar in which you see chunks of frequencies, that’s a satellite. 112 00:08:48,290 --> 00:08:52,230 But these stay in the same position. So it’s easy for me to repeat this experiment. 113 00:08:52,230 --> 00:08:56,780 It’s easy for me to re-run it, and to find the same satellites in the same position. 114 00:08:56,780 --> 00:09:04,700 It’s easy to debug this. But it can’t move in elevation. 115 00:09:04,700 --> 00:09:08,170 This diagram is actually a very small slice of the sky. 116 00:09:08,170 --> 00:09:14,450 We’re looking at a single line, maybe 10 degrees across. 117 00:09:14,450 --> 00:09:17,750 Maybe only 5 degrees across. 
118 00:09:17,750 --> 00:09:22,690 So hacking Ku-band – the television satellites – has the advantage 119 00:09:22,690 --> 00:09:27,420 that you can use cheap standardized hardware. I bought one of these DVB-S cards 120 00:09:27,420 --> 00:09:33,520 in Mauerpark, in Berlin for 3 Euro. You can use standardized DiSEqC motors, 121 00:09:33,520 --> 00:09:37,270 you can buy them at a satellite TV shop. 122 00:09:37,270 --> 00:09:42,020 TV signals come with video feeds so you can actually see pictures. 123 00:09:42,020 --> 00:09:45,580 There was a scandal about 4..5 years ago where they were finding 124 00:09:45,580 --> 00:09:50,350 drone [control] feeds that were being bounced across these satellites. 125 00:09:50,350 --> 00:09:56,890 In the nineties it was very popular to listen to the sort of unedited sections 126 00:09:56,890 --> 00:09:59,910 of interviews, when people would be interviewed over a satellite, 127 00:09:59,910 --> 00:10:04,910 before Skype and such things became options. And 128 00:10:04,910 --> 00:10:08,750 there are also networking signals here using TCP/IP packets. So you can actually 129 00:10:08,750 --> 00:10:13,900 turn your DVB-S card into a promiscuous ethernet adapter, 130 00:10:13,900 --> 00:10:18,010 and start sniffing all of the traffic that comes across. This is also a great way 131 00:10:18,010 --> 00:10:23,750 to get free downlink bandwidth. Because you can just flood packets at an address 132 00:10:23,750 --> 00:10:27,660 that, you know, will be routed to you, or several addresses, and 133 00:10:27,660 --> 00:10:32,670 then you sniff it out as the legitimate receiver ignores them. 134 00:10:32,670 --> 00:10:37,100 But it also has some disadvantages. It only works for geostationary satellites. 135 00:10:37,100 --> 00:10:40,570 If the satellite is not staying in the same position relative to the ground 136 00:10:40,570 --> 00:10:46,750 then you can’t track it. Your dish also moves very slowly. 
137 00:10:46,750 --> 00:10:50,410 And it only moves left and right. It won’t move up and down. 138 00:10:50,410 --> 00:10:53,030 And you’re limited to standardized signals. So while it’s great that you get 139 00:10:53,030 --> 00:10:59,230 video and TCP/IP you’re never going to get anything weird. 140 00:10:59,230 --> 00:11:05,230 You’re not gonna get any mobile data, you’re not going to get any 141 00:11:05,230 --> 00:11:10,670 Brazilian truck-drivers – we’ll get to those in a bit. *laughs* 142 00:11:10,670 --> 00:11:15,710 I misspoke, you actually will get Brazilian truck-drivers in this. 143 00:11:15,710 --> 00:11:19,360 So I bought a satellite dish. One of the best things about living in America is 144 00:11:19,360 --> 00:11:25,530 that you can buy industrial hardware cheap as dirt on ebay. 145 00:11:25,530 --> 00:11:29,190 I know things aren’t likely used to being a cat bite to (?)(?) human children anymore. 146 00:11:29,190 --> 00:11:33,400 But this satellite dish here on the left – the one in the radome – 147 00:11:33,400 --> 00:11:40,980 that’s my dish. And to the right, that’s the boat that it came from. 148 00:11:40,980 --> 00:11:49,890 *applause* *laughs* 149 00:11:49,890 --> 00:11:53,770 This came from a military ship. But the dish itself is also available 150 00:11:53,770 --> 00:11:57,620 for civilian use on very large yachts. 151 00:11:57,620 --> 00:12:01,750 The dish itself is a Felcom 81 and it was intended for use with a network 152 00:12:01,750 --> 00:12:08,210 called Inmarsat. Inmarsat allows for telephone connections, 153 00:12:08,210 --> 00:12:12,890 and also data connections when you’re on a boat. So if the crew wants to call home 154 00:12:12,890 --> 00:12:18,010 or wants to go to AOL Keywords 155 00:12:18,010 --> 00:12:23,530 or whatever was popular back when this was common they could do that. 156 00:12:23,530 --> 00:12:28,420 And the dish was designed to sit at the very top of a ship’s mast. 
157 00:12:28,420 --> 00:12:31,660 The reason why is that at the top of the mast there aren’t any obstructions 158 00:12:31,660 --> 00:12:35,360 – it has a clear view of the sky in all directions. But there’s a complication 159 00:12:35,360 --> 00:12:39,230 with being on the top of the mast. Which is that the ship is rocking beneath you 160 00:12:39,230 --> 00:12:43,860 and you’re moving more than the rest of the ship. 161 00:12:43,860 --> 00:12:47,880 So they have stepper motors for azimuth, elevation and tilt. 162 00:12:47,880 --> 00:12:52,800 And then they have spinning gyroscopes. Back before the iPhone there was 163 00:12:52,800 --> 00:12:57,950 this dark, dark time when gyroscopes actually spun. 164 00:12:57,950 --> 00:13:01,900 And this is the sort of gyroscope that it has. It actually has 4 of them so 165 00:13:01,900 --> 00:13:05,670 that it can measure its movement. 166 00:13:05,670 --> 00:13:10,940 And then it has a control computer. So the idea is that the dish itself can be moved 167 00:13:10,940 --> 00:13:15,620 while remaining absolutely stable with regard to the gyroscopes. 168 00:13:15,620 --> 00:13:20,000 So it compensates for the rocking of the ship beneath it as it’s targeting 169 00:13:20,000 --> 00:13:27,530 a stationary satellite. In America this costs 250 dollars 170 00:13:27,530 --> 00:13:32,080 but it’s electronics equipment, so while you think that would only be a 180 Euro 171 00:13:32,080 --> 00:13:40,080 it’s more like 2500. And that’s before import duties and it being impounded. 172 00:13:40,080 --> 00:13:44,680 We also have this lovely culture in which people love excuses to use their trucks. 173 00:13:44,680 --> 00:13:50,600 So the guy that I bought this from offered to deliver it to my home for only $200. 174 00:13:50,600 --> 00:13:57,340 It was an 11-hour drive. 175 00:13:57,340 --> 00:14:00,330 But if you wanted this you’d have to bring it back in your carry-on luggage 176 00:14:00,330 --> 00:14:05,500 and that could be awkward. 
177 00:14:05,500 --> 00:14:09,490 I got this dish and I decided I had to do something with it. So I created 178 00:14:09,490 --> 00:14:15,040 the Southern Appalachian Space Agency. I’m from the state of Tennessee, 179 00:14:15,040 --> 00:14:19,520 formerly known as the State of Franklin until North Carolina invaded us. 180 00:14:19,520 --> 00:14:22,270 It’s ok, I know Europeans suck at history. 181 00:14:22,270 --> 00:14:30,310 *laughs* *laughter and applause* 182 00:14:30,310 --> 00:14:33,180 Now I’m trying to think of how to show you on a map where Tennessee is 183 00:14:33,180 --> 00:14:36,930 without having a map. But, you know, it’s okay, I know you suck at geography 184 00:14:36,930 --> 00:14:39,750 and will forget it soon. (?) 185 00:14:39,750 --> 00:14:41,550 From audience: It’s very near Texas, to the north. 186 00:14:41,550 --> 00:14:48,471 Travis: Texas is our first colony. But it’s actually a decent drive to the east. 187 00:14:48,471 --> 00:14:53,470 Due east (?). You don’t actually have to go it anyways. 188 00:14:53,470 --> 00:14:57,990 So what I did was I took these motors which were designed to be able to move 189 00:14:57,990 --> 00:15:03,250 the satellite dish to compensate for the rocking of the ship and 190 00:15:03,250 --> 00:15:09,550 I re-purposed them to track through the sky while the ground is stable. 191 00:15:09,550 --> 00:15:12,580 We don’t have very many earthquakes in Tennessee. The last one that we had 192 00:15:12,580 --> 00:15:18,310 made rivers run the wrong direction. But it’s okay – it’s a geography thing. 193 00:15:18,310 --> 00:15:22,060 *laughs* So this allows me to track things 194 00:15:22,060 --> 00:15:26,500 that are moving through the sky. But it doesn’t actually matter 195 00:15:26,500 --> 00:15:30,330 where they’re moving in the sky because that’s just a software problem. 
196 00:15:30,330 --> 00:15:35,540 So in addition to tracking objects that are in low-earth orbit by a software patch 197 00:15:35,540 --> 00:15:41,770 I can also track things that are in deep space. It’s not much harder to track 198 00:15:41,770 --> 00:15:47,830 deep space probes or stars than it is to track items in low-earth orbit. 199 00:15:47,830 --> 00:15:52,640 And then I added a software defined radio which allows me to record a signal now 200 00:15:52,640 --> 00:15:57,920 and then demodulate it later. Which is necessary if you intend 201 00:15:57,920 --> 00:16:02,810 to reverse-engineer a signal. Because a lot of the downlinks from these satellites 202 00:16:02,810 --> 00:16:07,630 are completely non… completely undocumented. And being able 203 00:16:07,630 --> 00:16:11,220 to tune in to the right frequency is only half of it. You also need a recording 204 00:16:11,220 --> 00:16:15,510 of sufficient quality that you can reverse-engineer it after the fact. 205 00:16:15,510 --> 00:16:19,680 We’re sort of spoiled by software defined radios in that when doing 206 00:16:19,680 --> 00:16:27,220 software defined radio work we usually have a very good signal to work from. 207 00:16:27,220 --> 00:16:33,610 So having high quality signals for later reverse-engineering is necessary. 208 00:16:33,610 --> 00:16:39,310 I really wanted to be able to identify undocumented downlinks for low-earth orbit 209 00:16:39,310 --> 00:16:44,310 in the same way that we already do this for geo-stationary orbit 210 00:16:44,310 --> 00:16:49,990 using tools like the ones that Adam Laurie and Jim Geovedi made. 211 00:16:49,990 --> 00:16:54,500 So I built a software framework as a collection of Python daemons. 212 00:16:54,500 --> 00:16:58,720 And these run across a home area network in my house. 213 00:16:58,720 --> 00:17:03,780 There’s a Beaglebone inside of the Radome. 214 00:17:03,780 --> 00:17:09,539 And an x86 server in the house. Or AMD64, whatever the kids call it these days. 
215 00:17:09,539 --> 00:17:13,230 And then I used Postgres for coordination. So that all of these daemons can talk 216 00:17:13,230 --> 00:17:19,290 to each other without… without me really caring which machine they’re on. 217 00:17:19,290 --> 00:17:25,969 So for maintenance I can have my laptop pretending to be the dish, 218 00:17:25,969 --> 00:17:30,790 and I can have stepper motors on my desk, and I can watch them spin, and I can even 219 00:17:30,790 --> 00:17:35,010 make a model of the dish and swap these components in and out without the rest of 220 00:17:35,010 --> 00:17:42,700 the network being confused. This also allows for SQL injection attacks to 221 00:17:42,700 --> 00:17:48,260 physically move my dish. Which is why the sensor network is not on one of those 222 00:17:48,260 --> 00:17:52,620 fancy WEB 2.0 things. Because if you could inject, say, “UPDATE target SET name= 223 00:17:52,620 --> 00:17:55,910 ‘VOYAGER 1’”. Then my dish would physically move and start tracking Voyager 1 224 00:17:55,910 --> 00:18:01,440 through the sky. Voyager 2 225 00:18:01,440 --> 00:18:07,190 doesn’t actually come into the sky because of my position in the Northern hemisphere. 226 00:18:07,190 --> 00:18:11,170 So, it’s okay, I know you suck at geography. But Voyager 1 is going up, 227 00:18:11,170 --> 00:18:15,440 and Voyager 2 is going down. 228 00:18:15,440 --> 00:18:19,260 There’s a Realtek software defined radio for the radio reception. Although 229 00:18:19,260 --> 00:18:24,370 these things are garbage. So I’m in the process of replacing this for the HackRF. 230 00:18:24,370 --> 00:18:29,760 There’s also an EiBot board for motor control. We’ll get back to that in a minute. 231 00:18:29,760 --> 00:18:34,560 And there’s an Inertial Measurement Unit from VectorNav which actually measures 232 00:18:34,560 --> 00:18:39,510 using the fancy MEMS gyroscopes and a MEMS compass how I’m moving. 
233 00:18:39,510 --> 00:18:44,700 This isn’t accurate enough to target the dish, so I’m still counting steps 234 00:18:44,700 --> 00:18:49,830 to move the dish. But it is accurate enough to tell me when my belts 235 00:18:49,830 --> 00:18:56,520 have broken. Or when I’m up against a physical obstruction. 236 00:18:56,520 --> 00:19:01,510 This is skytee helping me out with the dish. 237 00:19:01,510 --> 00:19:04,950 He’s zip-tying it. Because, you know we know everything about duct tape 238 00:19:04,950 --> 00:19:07,260 where I come from, but we don’t know anything about zip-ties. So I had 239 00:19:07,260 --> 00:19:10,920 to bring in a German engineer. *laughter* 240 00:19:10,920 --> 00:19:14,270 We call him a gerry wigger(?) but, you know… 241 00:19:14,270 --> 00:19:20,020 This is the satellite dish itself. And you can sort of see in this photograph 242 00:19:20,020 --> 00:19:25,420 where we’ve strapped on the equipment. There’s like an umbilical cord. 243 00:19:25,420 --> 00:19:29,700 Or more like a spinal column that actually runs up the back of the dish. So we just 244 00:19:29,700 --> 00:19:36,820 added new cables onto that line. And then zip-tied them in place. 245 00:19:36,820 --> 00:19:42,390 And skytee came up with all these crazy ideas like that we should use 246 00:19:42,390 --> 00:19:46,570 chains and zip-ties to make sure that the cables don’t tear themselves out. And 247 00:19:46,570 --> 00:19:51,890 that worked tremendously well in practice. So, as this thing spins around, 248 00:19:51,890 --> 00:19:57,680 by the original design there’s a ring connector that all of the signals 249 00:19:57,680 --> 00:20:01,220 go through. That all of the networking goes through. That all of the rest 250 00:20:01,220 --> 00:20:05,680 goes through. And that worked in the nineties because it had no reason 251 00:20:05,680 --> 00:20:11,310 to send anything faster than 9600 baud. 
252 00:20:11,310 --> 00:20:18,050 But with the modern signals going across it I need 100 MBit/s or even GB ethernet, 253 00:20:18,050 --> 00:20:22,290 that’s not enough, I need more than two wires. So there’s a cable that comes 254 00:20:22,290 --> 00:20:25,290 across it, and then I rely on the software to keep it from wrapping 255 00:20:25,290 --> 00:20:31,180 that cable around itself. So it can only move, say, 400 degrees around. 256 00:20:31,180 --> 00:20:34,730 But that’s still more than a full circle. So by stopping halfway and moving back 257 00:20:34,730 --> 00:20:39,710 I can prevent it from getting snagged. 258 00:20:39,710 --> 00:20:43,400 We’ve got the Beaglebone on the left, in the middle there’s a USB hub 259 00:20:43,400 --> 00:20:47,550 and on the right is the motor controller. 260 00:20:47,550 --> 00:20:52,640 The Beaglebone runs Debian Linux and takes care of sending the software defined 261 00:20:52,640 --> 00:21:00,220 radio recordings over the network. It also takes care of updating the motor positions 262 00:21:00,220 --> 00:21:06,210 to be the ones that the database declares should be current. 263 00:21:06,210 --> 00:21:13,060 The stepper motors themselves are the originals that the dish was designed with. 264 00:21:13,060 --> 00:21:17,810 And they’re running to an EiBot Board. The EiBot board was intended 265 00:21:17,810 --> 00:21:24,560 for plotting on Easter eggs *laughs, laughter* 266 00:21:24,560 --> 00:21:27,740 I feel, you know… is that neat? 267 00:21:27,740 --> 00:21:32,830 *laughs* *applause* 268 00:21:32,830 --> 00:21:37,750 So you can actually aim a satellite dish that’s as tall as you are, with these 269 00:21:37,750 --> 00:21:42,470 fancy motors using less sophisticated equipment than what’s used 270 00:21:42,470 --> 00:21:47,330 in a 3D printer. Don’t panic, though. 271 00:21:47,330 --> 00:21:51,360 It’s a hell of a lot more reliable than a 3D printer. 
272 00:21:51,360 --> 00:21:55,420 But we needed some sort of backup in addition to the inertial measurement unit 273 00:21:55,420 --> 00:21:59,360 telling us when the device had snagged itself. 274 00:21:59,360 --> 00:22:05,180 It would also help to have a visual cue. Because 275 00:22:05,180 --> 00:22:09,810 the satellite dish sits in Tennessee, and while I love my home town, and, you know 276 00:22:09,810 --> 00:22:15,170 I’m very proud of being Tennessean, it’s also a long way to travel when you need 277 00:22:15,170 --> 00:22:20,830 to re-orient the dish. Using an accelerometer it’s easy enough 278 00:22:20,830 --> 00:22:26,120 to correct the elevation. Because you can use the accelerometer as a level, and 279 00:22:26,120 --> 00:22:31,220 you can use that to tell how high up the dish is pointing, at an absolute scale. 280 00:22:31,220 --> 00:22:38,370 But the compass isn’t very accurate. So instead, as a backup we have a webcam 281 00:22:38,370 --> 00:22:44,300 that’s taped to the top. Taping is my people’s native culture. 282 00:22:44,300 --> 00:22:47,710 We have it taped to the top, and then it’s pointing backwards. So this gives us 283 00:22:47,710 --> 00:22:52,280 like a rear view camera, from the dish’s position. 284 00:22:52,280 --> 00:22:57,179 So as the dish sits inside of its radome… 285 00:22:57,179 --> 00:23:00,920 – junk cars in the yard are also my people’s native tradition! 286 00:23:00,920 --> 00:23:04,340 *laughs, laughter* 287 00:23:04,340 --> 00:23:09,670 So the dish sits there next to my brother’s Toyota Supra. 288 00:23:09,670 --> 00:23:13,770 And that thing, you know, that thing flies as soon as it gets 289 00:23:13,770 --> 00:23:17,800 an engine put back in it. *laughter* 290 00:23:17,800 --> 00:23:21,860 So it sits there and it’s moving but externally you can’t see where it is. 
291 00:23:21,860 --> 00:23:26,019 Which means that I can’t call my family in Tennessee and blackmail them into 292 00:23:26,019 --> 00:23:29,620 – yet again – looking at my dish to tell where it’s pointed. There are bolts 293 00:23:29,620 --> 00:23:32,882 that hold this down, it takes half an hour to remove the lid, another half an hour 294 00:23:32,882 --> 00:23:37,390 to put it back on. 295 00:23:37,390 --> 00:23:43,230 So instead we took the radome… that’s Frank, he’s my cat. 296 00:23:43,230 --> 00:23:45,500 Give a “Cheers!” for Frank! 297 00:23:45,500 --> 00:23:51,500 *applause and cheers* 298 00:23:51,500 --> 00:23:56,460 Yeah, we had such a great time with Frank. And we never knew that she was pregnant. 299 00:23:56,460 --> 00:24:02,950 If you happen to need kittens and wanna pay the customs fees I’ll hook you up! 300 00:24:02,950 --> 00:24:10,580 So then we took tape and ran tape down the edges of the radome, 301 00:24:10,580 --> 00:24:15,090 and then marked it. So from the markings you can tell which clock position 302 00:24:15,090 --> 00:24:20,230 the back of the satellite dish is pointing at. So if you point the dish towards 12:00 303 00:24:20,230 --> 00:24:25,870 you know that you’re roughly at 6:00, so you know that it’s pointing South. 304 00:24:25,870 --> 00:24:29,110 And then you can sort of scan the sky for a stationary target, and navigate 305 00:24:29,110 --> 00:24:32,950 off of that, to recover your position. 306 00:24:32,950 --> 00:24:39,620 Software-wise… remember, the whole thing runs through Postgres, 307 00:24:39,620 --> 00:24:45,750 so I just tunnel the Postgres over SSH, and then I wrote a Python client 308 00:24:45,750 --> 00:24:52,120 that displays the satellite positions and the satellite state in PyGame. 309 00:24:52,120 --> 00:24:54,820 This is intended for making those games where you see the rabbit and the rabbit 310 00:24:54,820 --> 00:25:00,550 jumps on the other rabbit. But it… works! 
And it works perfectly well enough 311 00:25:00,550 --> 00:25:04,940 to target the dish. Because all that this software has to do is plot the positions 312 00:25:04,940 --> 00:25:10,570 of the satellites, and give orders back to the database when I click on a satellite 313 00:25:10,570 --> 00:25:15,270 or click on a position. It can also display stars. 314 00:25:15,270 --> 00:25:21,350 So the red items are satellites which are not selected. The green item is GOES-3 315 00:25:21,350 --> 00:25:25,470 which is the satellite that I’m targeting. And then the white items are 316 00:25:25,470 --> 00:25:32,140 stars in the sky. Now this is a plot in which the azimuth 317 00:25:32,140 --> 00:25:37,230 is on the X axis, and the elevation is on the Y axis. But I can also arrange it 318 00:25:37,230 --> 00:25:42,160 into a polar plot. Which sort of gives me an upside-down view of the satellite dish 319 00:25:42,160 --> 00:25:47,520 looking at the sky. I doubt you can read it but 320 00:25:47,520 --> 00:25:55,330 just above the green circle in the center, that’s Polaris which is the North star. 321 00:25:55,330 --> 00:25:58,770 It’s also weird because, you know, working on this, you know, I thought 322 00:25:58,770 --> 00:26:02,170 that I got really good at astronomy until I realized that I only knew 323 00:26:02,170 --> 00:26:07,940 what the stars looked like during the day. *laughter, laughs* 324 00:26:07,940 --> 00:26:12,010 And it being PyGame you can actually run it on a mobile device. 325 00:26:12,010 --> 00:26:17,960 So the same client that runs on my laptop can also run on my Nokia N900. 326 00:26:17,960 --> 00:26:26,140 *laughs* *applause* 327 00:26:26,140 --> 00:26:32,940 A significant portion of the GUI client for this was written while stuck on the U-Bahn, 328 00:26:32,940 --> 00:26:38,330 connected over 3G, SSH through and just using emacs on the phone. 
329 00:26:38,330 --> 00:26:44,590 *laughter, laughs* *applause* 330 00:26:44,590 --> 00:26:49,270 If you’re one of those people who needs to complain about the N900 being too old, 331 00:26:49,270 --> 00:26:54,260 it also runs on the N9. 332 00:26:54,260 --> 00:26:59,020 And then you can take the data out of this and run it through scientific software. 333 00:26:59,020 --> 00:27:03,100 In addition of the software defined radio recordings themselves being dumped out 334 00:27:03,100 --> 00:27:09,720 to a text file or a binary file on disk you can also dump out things like 335 00:27:09,720 --> 00:27:14,590 the received signal strength indicators (RSSI). So this is a screenshot in which 336 00:27:14,590 --> 00:27:18,340 I’m identifying different satellites that I’ve seen in the sky based upon 337 00:27:18,340 --> 00:27:23,040 their downlink signal peaks. You can see the noise floor there, at the bottom, 338 00:27:23,040 --> 00:27:28,320 and then there’s a rather strong signal on the left. And a weaker, narrower signal 339 00:27:28,320 --> 00:27:34,780 on the right. Now, the daemons that build this up… 340 00:27:34,780 --> 00:27:38,400 you need an orbit prediction daemon. Because you need to know 341 00:27:38,400 --> 00:27:41,490 where the satellites are and where they’re going, and where they will be 342 00:27:41,490 --> 00:27:45,830 by the time you get to them. 343 00:27:45,830 --> 00:27:50,760 You need to update the orbits themselves. 344 00:27:50,760 --> 00:27:55,150 LEO satellites are described in TLE files, 345 00:27:55,150 --> 00:27:58,191 these are called ‘Two Line Entry’ and they’re called ‘Two Line Entry’ because 346 00:27:58,191 --> 00:28:01,970 they’re three lines long. *laughter* 347 00:28:01,970 --> 00:28:07,610 These were originally used by NORAD for inter-continental ballistic missile tracking. 
348 00:28:07,610 --> 00:28:11,251 And because a ballistic missile is basically in orbit, it’s just that 349 00:28:11,251 --> 00:28:14,980 that orbit happens to collide with the earth. 350 00:28:14,980 --> 00:28:20,380 But this format isn’t terribly accurate for satellites that adjust their own orbit. 351 00:28:20,380 --> 00:28:26,930 So anything that has fuel, or has engines, or changes mass will vary its position. 352 00:28:26,930 --> 00:28:34,160 And this also doesn’t account for drag. Because, you know, the missile itself, 353 00:28:34,160 --> 00:28:38,200 you know it goes up it goes down, it’s not orbiting enough for the light drag 354 00:28:38,200 --> 00:28:43,030 in the upper atmosphere to matter. But for a satellite it does. So these Two Line Entries 355 00:28:43,030 --> 00:28:47,760 will work for a matter of days or maybe a couple of weeks. But they don’t last 356 00:28:47,760 --> 00:28:55,090 longer than that. So you need a daemon that grabs the new files from Space Track. 357 00:28:55,090 --> 00:28:57,971 And this is just a matter of like a recursive WGET, and then 358 00:28:57,971 --> 00:29:02,880 parsing the files. And that still needs to be done. You also need motor control, 359 00:29:02,880 --> 00:29:06,780 because you need to move the dish physically to track your target. 360 00:29:06,780 --> 00:29:10,600 You need input for the Inertial Measurement Unit. This comes over 361 00:29:10,600 --> 00:29:15,240 a low voltage serial port. And then you need radio daemons to handle 362 00:29:15,240 --> 00:29:20,590 spectrum analysis or downlink recording. And these you’ll have several of them, 363 00:29:20,590 --> 00:29:29,040 you have to swap them out. So you’ll begin by using the spectrum analyzer to identify 364 00:29:29,040 --> 00:29:33,730 that your aim is accurate, that you’re accurately tracking the targets 365 00:29:33,730 --> 00:29:37,630 well enough to get a recording from them. 
And then after that you begin 366 00:29:37,630 --> 00:29:42,130 to take software defined recordings off them. And, eventually, you might have 367 00:29:42,130 --> 00:29:48,130 a standalone application that parses what you’re receiving. Such as 368 00:29:48,130 --> 00:29:55,550 the Osmocom guys did with OpenGMR. 369 00:29:55,550 --> 00:29:59,810 So for orbit prediction I began with a DOS program that had been 370 00:29:59,810 --> 00:30:04,550 ported to Unix, called PREDICT. 371 00:30:04,550 --> 00:30:10,360 And this worked, but it’s garbage. 372 00:30:10,360 --> 00:30:16,070 It only supports 20 satellites plus the sun, the moon, Venus and Mars. 373 00:30:16,070 --> 00:30:24,460 But no other planets because it’s designed for astronomy photographers 374 00:30:24,460 --> 00:30:28,800 who want to get a picture of something as it comes over the horizon. You know, 375 00:30:28,800 --> 00:30:33,890 I need to track hundreds of targets and then write a script to opportunistically 376 00:30:33,890 --> 00:30:37,640 pick the ones that I want to record. Because otherwise you have to like 377 00:30:37,640 --> 00:30:44,880 set an alarm clock for the half-hour pass in which you can play with something. 378 00:30:44,880 --> 00:30:48,900 That software does allow you to query the results by UDP, though. So you can just 379 00:30:48,900 --> 00:30:55,000 send it a flood of request packets, then it will flood back with the data 380 00:30:55,000 --> 00:31:00,860 you’re looking for. So I switched to a library called PyEphem which allows you 381 00:31:00,860 --> 00:31:05,960 to track hundreds of birds. It has no UDP nonsense. It will also calculate 382 00:31:05,960 --> 00:31:12,940 satellites, planets and stars. And the really nifty thing about this 383 00:31:12,940 --> 00:31:18,090 is that you tell it… you know, it being a library you tell it when to update 384 00:31:18,090 --> 00:31:23,030 the individual object that you’re interested in. 
So you can update 385 00:31:23,030 --> 00:31:26,710 objects that are out of view or uninteresting more slowly 386 00:31:26,710 --> 00:31:33,300 than the ones that you care about. So I managed to track every single item 387 00:31:33,300 --> 00:31:39,230 in geo-stationary orbit. This thick ring here is the Clarke Belt 388 00:31:39,230 --> 00:31:47,000 of all satellites in geo-stationary orbit, as viewed from my Southern horizon. 389 00:31:47,000 --> 00:31:53,880 *applause* 390 00:31:53,880 --> 00:31:58,460 The Two Line Entry files you can get freely from CELESTRAK.COM. 391 00:31:58,460 --> 00:32:02,370 So this is just a simple script that grabs them and then inserts them. 392 00:32:02,370 --> 00:32:06,990 And the prediction daemon will actually select them as it is loading up. 393 00:32:06,990 --> 00:32:14,010 Because all inter process communication is running through this Postgres database. 394 00:32:14,010 --> 00:32:16,540 And this daemon can be moved to a different machine if I needed 395 00:32:16,540 --> 00:32:21,730 more computing power, or anything like that. The motor control daemon… 396 00:32:21,730 --> 00:32:27,470 well, the EiBot board is designed to take stepper motor commands. It shows up 397 00:32:27,470 --> 00:32:33,429 as USB Serial device on Linux. So as I plug it in to the Beaglebone it appears 398 00:32:33,429 --> 00:32:41,660 as /dev/ttyACM0. And the baud rate doesn’t matter. Because this is a USB device. 399 00:32:41,660 --> 00:32:48,810 You could then send it simple commands. Like ‘SM,3000,500,-400’ means that I wanna 400 00:32:48,810 --> 00:32:55,559 move a stepper motor for 3000 ms. I want the first motor to move 500 forwards, 401 00:32:55,559 --> 00:33:03,330 that’s UP, and the second one to move 400 LEFT which is backwards 400 steps. 402 00:33:03,330 --> 00:33:07,540 And then it will count that out, and then it sends me back an OK. 403 00:33:07,540 --> 00:33:11,981 If I want to disable the motors, I send ‘EM,0,0’.
This allows the motors to be 404 00:33:11,981 --> 00:33:16,429 freely spun. Because normally a stepper motor will physically hold its position, 405 00:33:16,429 --> 00:33:22,500 you need to turn them off in order to slide the dish around. 406 00:33:22,500 --> 00:33:28,260 ‘EM,1,1’ will enable both motors in 1/16-of-a-step mode. 407 00:33:28,260 --> 00:33:31,340 Stepper motors can do fractional steps because they’re 408 00:33:31,340 --> 00:33:37,800 holding themselves in position. 409 00:33:37,800 --> 00:33:41,390 You can see the motors themselves with the belts and the gear train. 410 00:33:41,390 --> 00:33:46,800 This thing on the right would probably be illegal for me to turn on. 411 00:33:46,800 --> 00:33:53,100 The thing on the right is a 250 W amplifier. *laughter* 412 00:33:53,100 --> 00:33:58,780 The stepper motors themselves just have six wires. In a lot of 3D printer type stuff 413 00:33:58,780 --> 00:34:02,690 they ignore the middle two. So you just drop off the middle two wires, you run 414 00:34:02,690 --> 00:34:07,100 the other four to your stepper controller, and you’re good to go. 415 00:34:07,100 --> 00:34:10,079 The belts and stuff need to be measured in order to figure out exactly 416 00:34:10,079 --> 00:34:16,639 what the gear reduction is. Because you need to know how many steps form a degree. 417 00:34:16,639 --> 00:34:23,250 The IMU unit, this Vectornav VN100, it’s a MEMS gyroscope and accelerometer 418 00:34:23,250 --> 00:34:28,380 and a compass in a single box. It costs $500 which was 419 00:34:28,380 --> 00:34:33,780 more than all of the other equipment put together. 420 00:34:33,780 --> 00:34:37,280 The compass is confused by the stepper motors because the compass is measuring 421 00:34:37,280 --> 00:34:40,280 magnetic fields. So you need to mount this physically as far away 422 00:34:40,280 --> 00:34:46,159 from the stepper motors as possible. 
And the gyroscope is confused by motor jerk 423 00:34:46,159 --> 00:34:50,310 which is a shame because stepper motors work as a series of jerks rather than 424 00:34:50,310 --> 00:34:56,510 as a single consistent motion. And the accelerometer is confused by gimbal lock, 425 00:34:56,510 --> 00:35:00,880 so you have to switch it to a quaternion mode in order to get 426 00:35:00,880 --> 00:35:05,640 consistent values out of it. And if I had to do this over again I’d really try 427 00:35:05,640 --> 00:35:10,610 to drop this piece of garbage. But it’s a lovely technology when it works. 428 00:35:10,610 --> 00:35:12,310 *some laughter* 429 00:35:12,310 --> 00:35:19,010 Now for position calculations: the elevation itself comes from the IMU, 430 00:35:19,010 --> 00:35:24,160 the azimuth comes from the motor daemon. This is because the accelerometer 431 00:35:24,160 --> 00:35:29,710 can very accurately tell which way the earth’s gravity is pulling it 432 00:35:29,710 --> 00:35:34,410 whereas the accelerometer has to integrate jerks over time in order to figure out 433 00:35:34,410 --> 00:35:38,890 its position. So the accelerometer will drift 434 00:35:38,890 --> 00:35:46,410 and the compass will be confused by the magnetic fields while the elevation is 435 00:35:46,410 --> 00:35:53,300 just a single accelerometer that doesn’t drift. 436 00:35:53,300 --> 00:35:59,760 And the IMU will become a backup for these things 437 00:35:59,760 --> 00:36:03,480 in order to figure out how to make it reliable. But at the moment 438 00:36:03,480 --> 00:36:09,100 the position measurement is infinitely more reliable. The tilt motor 439 00:36:09,100 --> 00:36:13,970 I’m not using at present because on a ship that’s rocking it’s necessary 440 00:36:13,970 --> 00:36:20,290 to tilt the dish. 
On a satellite dish that’s staying still the only useful 441 00:36:20,290 --> 00:36:26,280 tilting the dish is so that you can follow the arc of a satellite through the sky 442 00:36:26,280 --> 00:36:30,020 by only moving a single motor. Photographers do this when they’re 443 00:36:30,020 --> 00:36:35,210 trying to get long exposures of moving satellites. At the moment my software 444 00:36:35,210 --> 00:36:39,180 doesn’t support this feature. But if it turns out to be necessary 445 00:36:39,180 --> 00:36:43,960 to get higher quality recordings I might add it. 446 00:36:43,960 --> 00:36:47,430 There are radio daemons. The first is a spectrum analyzer. 447 00:36:47,430 --> 00:36:51,480 This just measures the signal strength on each frequency. And it does it by the 448 00:36:51,480 --> 00:36:58,230 power spectral density function. 449 00:36:58,230 --> 00:37:02,900 And the strength itself will vary with the position error. 450 00:37:02,900 --> 00:37:07,050 So this allows you to figure out how far off you are by sort of testing, 451 00:37:07,050 --> 00:37:09,690 by overshooting just a little bit, or undershooting just a little bit 452 00:37:09,690 --> 00:37:15,170 to center on your target. The downlink recorder dumps the IQ values 453 00:37:15,170 --> 00:37:19,950 in the software defined radio directly to an NFS share, 454 00:37:19,950 --> 00:37:24,749 which can later be decoded and read and reverse-engineered. 455 00:37:24,749 --> 00:37:30,260 We’ve got a whole table of spectrum data. And then I plot that in a tool 456 00:37:30,260 --> 00:37:36,840 called Viewpoints which NASA releases for dealing with giant scatter plots 457 00:37:36,840 --> 00:37:44,480 in multiple dimensions. Each view takes two dimensions, and it’s tons of fun. 458 00:37:44,480 --> 00:37:47,570 The client GUI is this PyGame.
I have Postgres for communications, and 459 00:37:47,570 --> 00:37:51,590 the server does all the heavy lifting, so the Beaglebone itself never has 460 00:37:51,590 --> 00:37:58,260 to do anything complicated with regards to software defined radio. 461 00:37:58,260 --> 00:38:03,610 This is also about these faint blue lines are positions at which I’ve seen 462 00:38:03,610 --> 00:38:09,620 particularly strong signals in order to identify which satellites are active 463 00:38:09,620 --> 00:38:14,190 and which ones are inactive. Because satellites die over time. 464 00:38:14,190 --> 00:38:17,920 And particularly useful targets we’re reverse-engineering are satellites that are 465 00:38:17,920 --> 00:38:22,910 out-of-commission or outdated. I’m running out of time by these markers. 466 00:38:22,910 --> 00:38:24,930 Does that mean that we’re skipping questions, or does that mean that 467 00:38:24,930 --> 00:38:28,910 I need to be off the stage? *mumbling to stage* 468 00:38:28,910 --> 00:38:35,880 Not having Q&A, okay. So today I get accurate tracking of satellites. 469 00:38:35,880 --> 00:38:41,020 And this thing can run unattended 24h a day for months without maintenance. 470 00:38:41,020 --> 00:38:46,030 Like I said: it’s nothing like a 3D printer. *laughter* 471 00:38:46,030 --> 00:38:49,970 It takes software defined radio recordings, it can provide maps 472 00:38:49,970 --> 00:38:54,920 of views of different satellites in the sky. 473 00:38:54,920 --> 00:38:59,920 The next step is I want to publish a ‘port scan’ of the entire sky. 474 00:38:59,920 --> 00:39:04,460 So which frequencies are in use on which birds, for every bird that ever comes 475 00:39:04,460 --> 00:39:08,490 above Tennessee, on every downlink that fits my antenna 476 00:39:08,490 --> 00:39:12,230 as well as a database of software defined radio recordings. If anyone 477 00:39:12,230 --> 00:39:19,000 would care to donate a truckload of disks – that might be handy. 
478 00:39:19,000 --> 00:39:23,080 I’d also like to make other ground stations. The software that I’ve written 479 00:39:23,080 --> 00:39:25,910 ought to be portable to new hardware. So there’s nothing that should keep you 480 00:39:25,910 --> 00:39:30,950 from being able to port this to run on your own dish. And I have a large yard, 481 00:39:30,950 --> 00:39:36,530 so I could conceivably have a dozen of these things. 482 00:39:36,530 --> 00:39:38,910 Another way that you can do it, and the way that it’s traditionally done 483 00:39:38,910 --> 00:39:45,230 for, say, cube satellites is having Yagis or other loosely directional antennas 484 00:39:45,230 --> 00:39:48,910 in order to receive the signals. I went with a dish because I wanted 485 00:39:48,910 --> 00:39:54,920 more selectivity. I wanted to be able to get reverse-engineerable recordings 486 00:39:54,920 --> 00:40:03,020 rather than intentional ones for which I already knew the downlink protocol. 487 00:40:03,020 --> 00:40:07,990 So this is my van, my van is amazing. 488 00:40:07,990 --> 00:40:15,620 *applause* 489 00:40:15,620 --> 00:40:19,300 Thanks to Nick Farr. I had a bit too much to drink in Montreal and 490 00:40:19,300 --> 00:40:24,440 I called Nick Farr and I said: “Nick, I want a DUKW”, like these amphibious 491 00:40:24,440 --> 00:40:28,500 troop transport vehicles. And Nick said: “Sorry, I can’t get you one but 492 00:40:28,500 --> 00:40:32,000 you want a news van!” And I said: “Hell yeah, I want a news van!” 493 00:40:32,000 --> 00:40:35,430 So – this pole in the background, that’s not a lighting pole. That’s actually 494 00:40:35,430 --> 00:40:43,369 part of the van. *laughter* 495 00:40:43,369 --> 00:40:49,590 This is the antenna retracted. This mast goes up 20 m by pneumatic power. 496 00:40:49,590 --> 00:40:55,180 There’s an air compressor in the back. Here is the control panel, 497 00:40:55,180 --> 00:40:57,880 there’s an air-conditioned office in the middle. 
498 00:40:57,880 --> 00:41:02,480 *laughter, laughs* 499 00:41:02,480 --> 00:41:08,910 This has four 19" server racks as well as some A/V equipment that was left over. 500 00:41:08,910 --> 00:41:14,100 I was particularly excited about the video monitor which supports PAL 501 00:41:14,100 --> 00:41:18,460 which you folks are familiar with, NTSC or “Never The Same Color” 502 00:41:18,460 --> 00:41:21,840 which is my people’s native culture… *laughter* 503 00:41:21,840 --> 00:41:25,610 But most importantly, it does SECAM, the system essentially contrary 504 00:41:25,610 --> 00:41:29,530 to the American method. *laughs* 505 00:41:29,530 --> 00:41:34,230 *laughter and applause* 506 00:41:34,230 --> 00:41:41,130 So in addition to my radio equipment I’m adding my Soviet PDP-11 which was… 507 00:41:41,130 --> 00:41:45,360 *laughs* …and that’s not a joke. I have a Soviet 508 00:41:45,360 --> 00:41:51,540 PDP-11 thanks to the kind folks at the Positive Hacking Days conference. 509 00:41:51,540 --> 00:41:58,200 This is the control panel, and that’s my talk! 510 00:41:58,200 --> 00:42:13,340 *applause* 511 00:42:13,340 --> 00:42:17,740 Herald: Thank you so much. There actually is time for Q&A now. 512 00:42:17,740 --> 00:42:20,672 Travis: Well, first I’d like to introduce you to my cat. If we could go back 513 00:42:20,672 --> 00:42:25,691 to the prior image. This is Frank! We didn’t know it at that time, but 514 00:42:25,691 --> 00:42:31,570 Frank was not dad (?) when this picture was taken. If you’d like kittens get in touch! 515 00:42:31,570 --> 00:42:34,800 Okay. Are there any questions? 516 00:42:34,800 --> 00:42:39,030 Question: Great talk. What’s the most interesting signal you decoded so far? 517 00:42:39,030 --> 00:42:44,650 Travis: At the moment I’m sort of stuck at the L band range. Because of filters 518 00:42:44,650 --> 00:42:48,220 that I have yet to remove. 
So everything gets attenuated, and becomes annoyingly 519 00:42:48,220 --> 00:42:54,720 quiet outside of the 1.5..1.6-ish range. 520 00:42:54,720 --> 00:43:00,210 The Globalstar network is what I’m most interested in targeting next. 521 00:43:00,210 --> 00:43:03,050 I can’t wait to see what people are tweeting 522 00:43:03,050 --> 00:43:07,029 while they should be enjoying nature. 523 00:43:07,029 --> 00:43:08,850 Herald: Is there a question from the internet? 524 00:43:08,850 --> 00:43:12,890 Signal Angel: Yeah, the internet has many questions. So first one was: 525 00:43:12,890 --> 00:43:18,430 Is there really no authentication or encryption on the Q band IP services? 526 00:43:18,430 --> 00:43:24,859 So you can just spoof at will? And… 527 00:43:24,859 --> 00:43:28,540 can the birds see the physical location of the source 528 00:43:28,540 --> 00:43:34,650 accurately enough to find who is spoofing? 529 00:43:34,650 --> 00:43:41,200 Travis: I’m not an expert in Ku band. The… for the downlink the bird has no clue 530 00:43:41,200 --> 00:43:45,750 as to the location of the dish. Because you’re only listening. They can roughly 531 00:43:45,750 --> 00:43:49,530 figure out your geographic area because… they need to figure out where 532 00:43:49,530 --> 00:43:53,590 the spot beam is going. So they might know whether you’re in, say, Germany or 533 00:43:53,590 --> 00:44:01,720 in France. But they won’t know whether you’re in Heidelberg or Mannheim. 534 00:44:01,720 --> 00:44:07,420 They do have forms of authentication for many satellite networks. Satellite TV 535 00:44:07,420 --> 00:44:11,950 is one of the best-protected network services because of the satellite wars 536 00:44:11,950 --> 00:44:16,580 in the nineties in which TV pirates would fight back and forth with smart card 537 00:44:16,580 --> 00:44:23,330 designers. But there are also many unencrypted links.
And there are… 538 00:44:23,330 --> 00:44:31,260 because of standard protocols those are particularly easy to find in Ku band. 539 00:44:31,260 --> 00:44:37,390 Question: You’ve been talking about using RTLSDR from osmocom. 540 00:44:37,390 --> 00:44:42,470 And you were talking about your spectrum analysis program. Is this one working 541 00:44:42,470 --> 00:44:45,810 with RTLSDR? 542 00:44:45,810 --> 00:44:53,970 Travis: So… RTLSDR… so I’m using the RTLSDR, not the OsmoSDR. 543 00:44:53,970 --> 00:44:58,900 Which are separate. The spectrum analyzer is working with the RTLSDR. 544 00:44:58,900 --> 00:45:03,230 My complaint about the RTLSDR is that when you have a strong signal next to 545 00:45:03,230 --> 00:45:08,230 a weak signal the weak signal is utterly useless for interpretation. 546 00:45:08,230 --> 00:45:13,330 Question: Okay. Thank you. 547 00:45:13,330 --> 00:45:15,490 Herald: Another question from the internet? 548 00:45:15,490 --> 00:45:19,180 Signal Angel: Okay, next question from the internet is: How do you record 549 00:45:19,180 --> 00:45:24,490 the radio signal from the dish, at what sampling rate? 550 00:45:24,490 --> 00:45:29,890 Travis: The RTLSDR samples at 2 million samples per second. As soon as I switch it 551 00:45:29,890 --> 00:45:37,250 over to the HackRF I’ll be having 20 million samples per second. 552 00:45:37,250 --> 00:45:41,900 The sampling rate can be reduced once the bandwidth of the signal is known. 553 00:45:41,900 --> 00:45:46,390 For reduced storage. And the recordings can also be compressed. 554 00:45:46,390 --> 00:45:53,300 But it’s still a hell of a lot of storage. 555 00:45:53,300 --> 00:45:54,659 Herald: Any other questions? 
556 00:45:54,659 --> 00:45:57,770 Signal Angel: The internet has more questions… 557 00:45:57,770 --> 00:45:59,860 Herald: Okay… 558 00:45:59,860 --> 00:46:04,380 Signal Angel: Did you look into obtaining a capacitive high-bandwidth coupler as used 559 00:46:04,380 --> 00:46:09,880 for the rotary gantries in CT scanners? Those can apparently transmit contactless 560 00:46:09,880 --> 00:46:13,420 several GBytes per second, bi-directionally. 561 00:46:13,420 --> 00:46:16,109 Travis: I’ve not looked into those. It seemed better to have an umbilical 562 00:46:16,109 --> 00:46:21,820 cable and to be careful not to snap it. 563 00:46:21,820 --> 00:46:25,630 The whole thing was done for a budget of less than 2000 Dollars, and can be 564 00:46:25,630 --> 00:46:31,640 recreated for less than a budget of 1000 [Dollars]. And they… so we tried to avoid 565 00:46:31,640 --> 00:46:36,140 fancy parts. The local radio shack loved us because we’d swing in and buy all sorts 566 00:46:36,140 --> 00:46:39,880 of crazy stuff. As soon as we told them that we wanted the satellite dish to 567 00:46:39,880 --> 00:46:41,300 dance Gangnam style… *laughs* 568 00:46:41,300 --> 00:46:48,740 *laughter* 569 00:46:48,740 --> 00:46:50,820 *in German, strong accent:* Danke, gerne! 570 00:46:50,820 --> 00:46:53,810 *applause* 571 00:46:53,810 --> 00:46:56,610 *silent postroll titles* 572 00:46:56,610 --> 00:47:02,893 *subtitles created by c3subtitles.de in the year 2017. Join, and help us!*