WPS (White hat wardriving)

jmumby

Senior Member
Prologue

WPS or Wireless Positioning System is described as the use of wireless access points to determine geographical location.

Virtually all modern handheld devices incorporate a wireless connection: iPod Touch, PlayStation Portable, laptops and even phones. What they don't have is GPS. Now the purist would argue that GPS is the only reliable method of accurately calculating geographic location, and for the most part this is true, but when GPS meets the high-rise building the playing field changes. Some GPS units cannot even penetrate the humble roof of the average domestic house, let alone 30 storeys of concrete and steel.

Wireless, on the other hand, is designed to go through many walls, each wireless access point is unique, and in this modern world wireless APs are plentiful. Drive down the average suburban street and my iPod Touch picks up on average 4-5 access points every 100 metres or so.

So WPS is perfect? No, not really -

Access points are only really situated in suburbs and towns; if you're lost in the middle of the desert WPS will not help you.

Signal strength is dependent on many variables: weather, cars parked near the access points.

Access points move, get replaced, die etc.

For WPS to work, the unit accessing the access point location needs access to a look-up table.

During this project I hope to address these issues and hopefully have a solution for some of them.

So how does WPS work?

Your access point (assuming you have one) will advertise a MAC address. The MAC address lives in the data-link layer of the OSI model (http://www.petri.co.il/osi_concepts.htm). It is required to make a connection on a network, so if your wireless gadget picks up on a wireless connection you have the access point's MAC address.

To find the MAC address of the computer you are on right now, go to a command prompt and type ipconfig /all (Windows). You will get something back like this:

Code:
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : 802.11b WLAN PCI
Physical Address. . . . . . . . . : 00-08-A1-52-AE-DE
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
Here it is listed as Physical Address.

To find the MAC address of other computers on your network, type arp -a

Code:
Interface: 192.168.0.3 --- 0x3
Internet Address      Physical Address      Type
192.168.0.1           00-18-4d-5e-46-XX     dynamic
I know the gateway for my PC is my access point, so the MAC of my access point is 00-08-A1-52-AE-XX. Using Google Earth I can find the longitude and latitude of my house and use this access point to find my location, or anyone else can for that matter.

The only time that the MAC is not available may be when the access point has MAC filtering turned on. This method blocks access via the MAC address of the gadget attempting to connect to it. Depending on the router this will virtually make the access point invisible or, in my case, advertise the access point but deny access. Many other methods may be available to prevent external access to a router which I will undoubtedly discover. Considering most users fail to even activate the simplest of security on their router, I doubt this will be too much of an issue.

So all I need to do now is drive around the streets, stop every time my laptop finds a wireless network, use Google Earth to find longitude and latitude, and we are set. I should finish my small town by 2010.

Alternatively I could use a program like NetStumbler with a GPS and drive around and get the laptop to do all the work. Considering it costs $1.80 a litre for fuel at the moment I cringe at the thought; also, how slow would I need to drive to make sure I get an accurate reading? Even at a log every second I'm several metres away from the actual hit point by the time it's all saved to disk. I could put a laptop in a bag and cycle around with that, but the weight and battery life come into the equation.

So I figure the solution is to make a unit about the size of two cigarette packets and strap it to the bike and go for gold.
 

manuka

Senior Member
Phew! Interesting but (as mentioned earlier) I'm not convinced this has merits beyond your own neighbourhood. Even then WiFi LOS "view corridors" can massively bias readings. Is this PICAXE related? Stan
 

jmumby

Senior Member
Hardware.

To carry out this project I expect I will need four items of hardware, other than connectors and power supply etc.

- GPS
- 802.11 wireless adapter
- Picaxe
- Storage device

My basic theory is shown in the diagram. The wireless adapter and GPS will feed into the Picaxe in a synchronous fashion. The data will be formatted to a yet-to-be-decided format and saved to memory as a CSV file or a file type easily translated on a PC.



I have gathered these core items together and I will give a brief description below as to why I selected them and how it will work within the tool.

GPS
I have chosen an EM-406a from SparkFun Electronics. I selected this unit because it comes as a complete package including an aerial and it was the cheapest on the site! This unit will be pretty much good to go out of the box, albeit it has a strange 2.8v output for the serial. Like most GPS 'sensors' this unit transmits RS-232 data at 4800 baud.

802.11 Wireless Adapter
You can get pretty crazy when it comes to an RS232 to wireless adapter; prices can reach the thousands. But for my humble budget I needed something that would not only be cheap but also gather MAC addresses, as this is key to the tool. A few days trolling the web and I found Lantronix supply what I need for a justifiable price. Lantronix has 3 or 4 adapters but only the OEM WiPort (according to the site) has the scan ability to 'sniff out' MAC addresses. Not only that, the NZ reseller is in the same town as me so it was destiny.

Picaxe
I'm not totally committed to this Picaxe yet but I'm gonna leave the trusty 18x, which has never let me down, and go 28x1. The reason for which is the 28x1 scratchpad. The data coming in (MAC address, signal strength, AP name, longitude, latitude and altitude) should just squeeze into the 127 byte buffer for manipulation before dumping on the memory card. I have not played with the scratchpad on this chip so I may have the concept wrong on many angles, but I hope it will perform as I envisage. Also with a 16 MHz resonator I can crank up the speed of the GPS and WiFi for more dense readings.

Storage Device
4D uDrive came to my attention at just the right time. I have bought a DOSonCHip but the effort involved to get this going without a prototype board would be too much of a hassle for prototyping. I get the uDrive fairly inexpensively and it will just work. Well I hope so; the 4D Systems OLEDs I have used work perfectly as long as you follow the manual. The only downside at the moment is lack of FAT support but apparently this is coming.



All of these items operate serially. The GPS comes in stock at 4800 baud but can be turned up to any speed the Picaxe can handle, as does the WiPort, and I'm guessing the uDrive will be like other 4D hardware and sense the speed at start up.

All but the WiPort operate at 5 volts. The WiPort requires 3.3 volts but has 5v tolerant I/O. As mentioned the GPS has 2.8v output but TTL input, so it will be a bit of a mixed bag.
 



jmumby

Senior Member
GPS Hardware

EM-406a

This module comes with everything required (aside from power supply) to start getting GPS data.
The unit has six pins: 1. Ground, 2. Vin, 3. RX, 4. TX, 5. Another ground and 6. 1PPS (Pulse per second). You can read the somewhat lean datasheet for more specs.

The only trouble I had with this unit was sending NMEA commands, which ended up not being the module's problem but rather my cautious nature of trying not to brick it. The datasheet says it has an output of 2.85 volts so I assumed that this meant it would only withstand this as an input, so I tried to drop the output of the Picaxe with zeners and voltage dividers. Reading it again, the datasheet says TTL level, so as soon as I connected directly to the module it was away!

When you connect the module the LED on the module will stay on until it has a fix. The first time it could not get a fix under a roof. I propped it up on the window sill and in about 2 minutes the LED started to blink and we had a fix.

Fix or no fix, the module will stream out RS232 data (4800 baud): GGA, GSA, GSV. The empty data is typically just a whole bunch of commas. Using the SERIN qualifier you can grab the specific info you want. GGA, GSA and GSV have most of the data you need: longitude, latitude, altitude and UTC time. I prefer GLL as it has all I require for this project; however it is not on by default, so you will need to send a NMEA command to turn it on.

Code:
'Turn off all messages (message 00=GGA, 01=GLL, 02=GSA, 03=GSV, 04=RMC, 05=VTG)
SEROUT 1,T4800,("$PSRF103,00,00,00,01*24",CR,LF) 'GGA
SEROUT 1,T4800,("$PSRF103,01,00,00,01*25",CR,LF) 'GLL
SEROUT 1,T4800,("$PSRF103,02,00,00,01*26",CR,LF) 'GSA
SEROUT 1,T4800,("$PSRF103,03,00,00,01*27",CR,LF) 'GSV
SEROUT 1,T4800,("$PSRF103,04,00,00,01*20",CR,LF) 'RMC
SEROUT 1,T4800,("$PSRF103,05,00,00,01*21",CR,LF) 'VTG

'Turn on GLL with 1 second frequency
SEROUT 1,T4800,("$PSRF103,01,00,01,01*24",CR,LF)

GLL:
'Get latitude, echo to console. After the "GPGLL" qualifier the sentence reads
',ddmm.mmmm,N|S,... so B0 absorbs the commas, B1-B9 hold the latitude and B10 holds N or S
serin 1,T4800,("GPGLL"),B0,B1,B2,B3,B4,B5,B6,B7,B8,B9,B0,B10
sertxd("Latitude:",B1,B2,B3,B4,B5,B6,B7,B8,B9," ",B10,CR,LF)

'Get longitude from the next sentence (same GPS input pin), echo to console.
'The comma, latitude, N/S and comma (13 bytes) are thrown away into B0,
'then B11-B20 hold the longitude dddmm.mmmm and B21 holds E or W
serin 1,T4800,("GPGLL"),B0,B0,B0,B0,B0,B0,B0,B0,B0,B0,B0,B0,B0,B11,B12,B13,B14,B15,B16,B17,B18,B19,B20,B0,B21
sertxd("Longitude:",B11,B12,B13,B14,B15,B16,B17,B18,B19,B20," ",B21,CR,LF)

GOTO GLL
This code will send your current longitude and latitude to the terminal. 18x users may have to setfreq 8 first and t2400 the baud.

All the NMEA commands relevant to this module are in the datasheet, as are the methods to turn them on and set the frequency etc. You should do a search for a NMEA checksum generator as the checksum for each command is different. The checksum is the number after the * in the serout command.

For some reason after I issue NMEA commands the status LED on the unit just stays dim and I haven't worked out how to get the 1PPS pin working yet. So the only way to know if it has a fix in this state is to watch the output.

This module also does course over ground and ground speed which I have tested with a simple loop and it seems to work ok.

The diagram I have supplied shows how simple it was to connect this up. I have left out the reset circuit and download circuit but aside from that, that's all it needs.

Relevant threads: http://www.picaxeforum.co.uk/showthread.php?t=8910

 


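The post above relies on two things a PC-side script makes easy to check before burning them into the Picaxe: the NMEA checksum after the * (XOR of every character between $ and *), and the layout of the GPGLL sentence that the two SERIN lines slice by position. The following Python is an added example written for this edit, not jmumby's code or anything from the EM-406a datasheet. It generates and verifies checksums, builds the same PSRF103 rate commands the post sends (field layout assumed from those commands: message number, mode, rate in seconds, checksum-enable), and parses a GPGLL sentence into signed decimal degrees, returning None for a no-fix sentence (status V, empty fields) or a corrupted one. The sample sentences are constructed, not captured from a receiver.

```python
"""NMEA checksum generation/verification and GPGLL parsing (constructed example)."""
import re
from typing import Optional, Tuple


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two upper-case hex digits."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return f"{cs:02X}"


def build_sentence(body: str) -> str:
    """Wrap a body in '$...*hh' so the receiver accepts it."""
    return f"${body}*{nmea_checksum(body)}"


def psrf103(message: int, rate_s: int) -> str:
    """SiRF 'set message rate' command as used in the post.

    Assumed field layout (from the post's commands): message (00=GGA .. 05=VTG),
    mode 00, rate in seconds (0 = off), checksum-enable 01.
    """
    return build_sentence(f"PSRF103,{message:02d},00,{rate_s:02d},01")


def verify_sentence(sentence: str) -> bool:
    """True when the sentence is well formed and its checksum matches."""
    m = re.fullmatch(r"\$([^*]*)\*([0-9A-Fa-f]{2})\s*", sentence)
    return bool(m) and nmea_checksum(m.group(1)) == m.group(2).upper()


def nmea_to_degrees(field: str, hemisphere: str) -> float:
    """Convert ddmm.mmmm / dddmm.mmmm plus N/S/E/W into signed decimal degrees."""
    dot = field.index(".")
    degrees = int(field[:dot - 2])          # everything before the minutes
    minutes = float(field[dot - 2:])        # two digits of minutes plus fraction
    value = degrees + minutes / 60.0
    return -value if hemisphere in ("S", "W") else value


def parse_gll(sentence: str) -> Optional[Tuple[float, float]]:
    """Return (lat, lon) from a $GPGLL sentence, or None if there is no fix.

    Field order: $GPGLL,lat,N/S,lon,E/W,utc,status[,mode]*hh
    The Picaxe SERIN in the post reads these same positions byte by byte.
    """
    if not verify_sentence(sentence):
        return None
    fields = sentence.split("*")[0].split(",")
    if fields[0] != "$GPGLL" or len(fields) < 7:
        return None
    lat, ns, lon, ew, _utc, status = fields[1:7]
    if status != "A" or not lat or not lon:
        return None  # no fix yet: the receiver emits a run of empty fields
    return (nmea_to_degrees(lat, ns), nmea_to_degrees(lon, ew))


if __name__ == "__main__":
    print(psrf103(1, 1))  # the "turn on GLL at 1 s" command from the post
    # Constructed GLL sentence (southern/eastern hemisphere, status A = valid fix)
    sample = build_sentence("GPGLL,4335.1234,S,17238.5678,E,012345.000,A")
    print(sample, parse_gll(sample))
```

Running it reproduces the *24 and *25 style checksums in the post's SEROUT lines, which is a quicker sanity check than watching the module for a reaction; the parse_gll result shows why the post's byte positions work, since the latitude field is always nine characters and the longitude ten.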

Exeunter

New Member
jmumby-

Did you ever figure out the issue with the LED being dim? I am also running an EM-406A hooked up to a picaxe, and after doing some timing tests (just standard NMEA polling), the LED went dim and stayed dim (without the blinking to indicate a satellite fix). The unit is still responding correctly to NMEA polling messages.
I've tried sending a cold reset command, and a minute later it was successful and came online again, but the LED is still dim. If you did figure it out, I'd be interested in what might have caused it to happen.
 

jmumby

Senior Member
No, I haven't worked it out yet. If you leave it long enough the supercap dies and it pretty much resets itself. I was going to use the 1PPS connection to run an LED but the datasheet says that the module does not accept the NMEA command to control it!?!?! You should try the SparkFun forum.
 