Locating exact physical position of a wardriver or AP

TheHonk · 04-07-2006

I've taken a couse in GPS and would volunteer to offer up the equations and pseudocode to calculate the physical location (in LLA [Lat/Long/Alt]) of a static (non-moving) war-driver, leecher, or AP.

I did a search on here and found people talkikng about triangulation, but that won't work very well with just three points. I figure if you can time a basic connection command (or ping) to the remote point from at least 4 locations over a long period of time, you should be able to get a good LLA estimate of it. Here's my rough algorithm:

Warm up your GPS (get complete almanac: 12 minutes)
Get within range of the target AP/client
Establish a connection, and time how long a round trip is (ping, or attempt a connection and wait for rejection) - call this the GROSS TIME
Repeat this process over and over again and take an average for this ONE location you are sitting still at.
Move to a new locations and repeat previous step. Make sure you do it over several minutes if possible, the longer the span- the better you GPS measurement of yourself will be. Make sure you're recording YOUR GPS location (convert the LLA to XYZ-ECEF) with each stop you make.
Convert each gross-time into a PROPAGATION TIME. You'll need to subract off how long it took the remote AP/client to process and respond, and how long it took for your client to process and display it. [This could be calculated/calibrated for thru experimentation with two points at known distances].
Take these times (equivilent to phase/cycle counts in how GPS works) , divide them by two (round-trip time -> one way trip time) and convert them into distances (time*speed_of_light_in_air). call this distance a PSEUDORANGE.
you now have 4 or more points, each with a sphere around it indicating how far away (on average)
Use these pseudoranges in the same linearized matrix formula that GPS uses and iterate on it until a tolerance is reached (prolly 10 feet?) I can give this formula at a later date if anyone actually decides to use this. It's fairly simple, but inverting and multiplying the matrices is CPU costly (at least in an interpreter like I use: MATLAB).
Voila, now you can convert that XYZ-ECEF back into LLA- that's where your "new friend's" AP/client is!

Increasing each of the following will increase the accuracy of your foe's position:

Number of pings made at each location
Number of locations you stop at
The length of time you spend at each location (longer means higher accuracy position of your reference station). You may want to set your reciever (or in my case set my code) to a "survey" mode. This is what I call it when you tell the reciever that you're not moving- so that it can average out each sat measurement and give you a really accurate pos fix.

I really think this can work- the only thing I don't know much about is how to best measure the propagation time of a signal. I know that encrypted or MAC filtering AP's will reject you, but it's still some sort of a connection and could be timed for round-trip.

I know I could write it in MATLAB, does anyone know of a way to compile MATLAB down into something fast like C++ or fortran?

TheHonk · 04-07-2006

A simple way to combat this in your AP's firmware would be about the same as what the US Air Force does/did with GPS -> Selective Availability [SA]. SA essentially reported inaccurate clock bias times for the sats.
You could program your AP or client's firmware to add a random and wildly changing delay to any requests for connections by unknkown client/AP's. This would cause people to get wildly changing round-trip times from a single location. The propagation time would be incredibly hard to calculate accurately- thus the algorithm doesn't work very well.

Another way to gauge your distance from a peer is through signal strength. I didn't bring this up the first time b/c it's not as reliable since it changes with geometry. If the signal goes thru a wall- the strength drops much quicker thru brick than air However, it doesn't really slow down much thru brick as compared to air (the speed can be considered constant).

Perhaps a mix of the two measurements can be combined (like psuedorange and carrier-phase in GPS measurements).

By the way, I just graduated- does anybody need to hire an Aerospace Engineer?

TheHonk · 04-07-2006

Ohhh! Becons, you can use becons! That would work really well too, and wouldn't require to send ANY traffic out of your computer. Just figure out their becon timer, but then you'll introduce a clock bias, need a bare min of 4 sample sites.
The best would be if you could get thier AP to send you the current time (NTP) to a really accurate value.

itsnotme · 04-07-2006

There's quite a few flaws in your theory. Weather has an impact on WiFi, so your propgation time would vary with the weather. If you're using your AP, you would slow down the ping response because you would have traffic going over the AP. There's probably a few other theories, but this is probably why you can't triangulate an client down to a specific spot.

G8tK33per · 04-07-2006

Quote:

Originally Posted by TheHonk

Establish a connection......

Wrong, fucknuts...that's not wardriving. Get a clue or get lost.

itsnotme · 04-07-2006

Quote:

Originally Posted by G8tK33per

Wrong, fucknuts...that's not wardriving. Get a clue or get lost.

Hmm I missed that one.

I must have too much beer in my system if I missed that one, but then again, you're the man.

G8tK33per · 04-07-2006

I'd rather have the beer.

itsnotme · 04-07-2006

Quote:

Originally Posted by G8tK33per

I'd rather have the beer.

Heh PM me an address and a brand of beer and I'll send you a case

streaker69 · 04-07-2006

Quote:

Originally Posted by TheHonk

By the way, I just graduated- does anybody need to hire an Aerospace Engineer?

Sure, we always need an extra hand down at our plant.

wrzwaldo · 04-07-2006

Quote:

Originally Posted by TheHonk

I've taken a couse in GPS and would volunteer to offer up the equations and pseudocode to calculate the physical location (in LLA [Lat/Long/Alt]) of a static (non-moving) war-driver, leecher, or AP.

I did a search on here and found people talkikng about triangulation, but that won't work very well with just three points. I figure if you can time a basic connection command (or ping) to the remote point from at least 4 locations over a long period of time, you should be able to get a good LLA estimate of it. Here's my rough algorithm:[list=1][*]Warm up your GPS (get complete almanac: 12 minutes)[*]Get within range of the target AP/client[*]Establish a connection, and time how long a round trip is (ping, or attempt a connection and wait for rejection) - call this the GROSS TIME

Now how exactly would you connect to the "(non-moving) war-driver"? Also note that (tri)angulation works quite well with 3 points as the name implies.

Quote:

In trigonometry and elementary geometry, triangulation is the process of finding a distance to a point by calculating the length of one side of a triangle, given measurements of angles and sides of the triangle formed by that point and two other reference points.

Congratulations you win a free ticket to the movies!

wrzwaldo · 04-07-2006

Quote:

Originally Posted by streaker69

Sure, we always need an extra hand down at our plant.

You guys must be looking for a turd counter?

streaker69 · 04-07-2006

Quote:

Originally Posted by wrzwaldo

You guys must be looking for a turd counter?

Actually looking for a hose monkey to wash down the pad when the trucks come in and dump solids.

Dutch · 04-07-2006

Quote:

Originally Posted by streaker69

Actually looking for a hose monkey to wash down the pad when the trucks come in and dump solids.

You got promoted to work with the liquid stuff now ?

/ducks and runs..

Dutch

streaker69 · 04-07-2006

Quote:

Originally Posted by Dutch

You got promoted to work with the liquid stuff now ?

/ducks and runs..

Dutch

I make my contribution several times a day.

brwrdrvr · 04-07-2006

Why would anyone want to triangulate th position of an AP??

You mean to tell me they set it up, put all the security on it and then forgot where they put the AP??

Is there a cloaking device you all haven't told me about?

By the way OP, for someone that as just finished a couse in GPS you sure don't know shit about wardriving. I suggest you read the legal writings on what you can and cannot do with someone elses network. You are such an asshat.

04-07-2006	#1 (permalink)
TheHonk Registered Member Join Date: Apr 2006 Posts: 3	algorithm for Locating exact physical position of a wardriver or AP I've taken a couse in GPS and would volunteer to offer up the equations and pseudocode to calculate the physical location (in LLA [Lat/Long/Alt]) of a static (non-moving) war-driver, leecher, or AP. I did a search on here and found people talkikng about triangulation, but that won't work very well with just three points. I figure if you can time a basic connection command (or ping) to the remote point from at least 4 locations over a long period of time, you should be able to get a good LLA estimate of it. Here's my rough algorithm: Warm up your GPS (get complete almanac: 12 minutes) Get within range of the target AP/client Establish a connection, and time how long a round trip is (ping, or attempt a connection and wait for rejection) - call this the GROSS TIME Repeat this process over and over again and take an average for this ONE location you are sitting still at. Move to a new locations and repeat previous step. Make sure you do it over several minutes if possible, the longer the span- the better you GPS measurement of yourself will be. Make sure you're recording YOUR GPS location (convert the LLA to XYZ-ECEF) with each stop you make. Convert each gross-time into a PROPAGATION TIME. You'll need to subract off how long it took the remote AP/client to process and respond, and how long it took for your client to process and display it. [This could be calculated/calibrated for thru experimentation with two points at known distances]. Take these times (equivilent to phase/cycle counts in how GPS works) , divide them by two (round-trip time -> one way trip time) and convert them into distances (timespeed_of_light_in_air). call this distance a PSEUDORANGE. you now have 4 or more points, each with a sphere around it indicating how far away (on average) Use these pseudoranges in the same linearized matrix formula that GPS uses and iterate on it until a tolerance is reached (prolly 10 feet?) I can give this formula at a later date if anyone actually decides to use this. It's fairly simple, but inverting and multiplying the matrices is CPU costly (at least in an interpreter like I use: MATLAB). Voila, now you can convert that XYZ-ECEF back into LLA- that's where your "new friend's" AP/client is! Increasing each of the following will increase the accuracy of your foe's position: Number of pings made at each location Number of locations you stop at The length of time you spend at each location (longer means higher accuracy position of your reference station). You may want to set your reciever (or in my case set my code) to a "survey" mode. This is what I call it when you tell the reciever that you're not moving- so that it can average out each sat measurement and give you a really accurate pos fix. I really think this can work- the only thing I don't know much about is how to best measure the propagation time of a signal. I know that encrypted or MAC filtering AP's will reject you, but it's still some sort of a connection and could be timed for round-trip. I know I could write it in MATLAB, does anyone know of a way to compile MATLAB down into something fast like C++ or fortran? Last edited by TheHonk : 04-07-2006 at 12:18 AM. Reason: clarifying thread title and differentiating it from other simple Triangulation methods*

04-07-2006	#7 (permalink)
G8tK33per Asshole Emeritus Join Date: May 2003 Location: S.E. VA. Posts: 5,939	I'd rather have the beer. __________________ "Benjamin is nobody's friend. If Benjamin were an ice cream flavor, he'd be pralines and dick." Sons of Confederate Veterans

04-07-2006	#15 (permalink)
brwrdrvr Cajun from Hell Join Date: Feb 2005 Location: Capitol City, Louisiana Posts: 3,295	Why would anyone want to triangulate th position of an AP?? You mean to tell me they set it up, put all the security on it and then forgot where they put the AP?? Is there a cloaking device you all haven't told me about? By the way OP, for someone that as just finished a couse in GPS you sure don't know shit about wardriving. I suggest you read the legal writings on what you can and cannot do with someone elses network. You are such an asshat. __________________ We need to hire more IT people so we can get more CADD work done.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

04-07-2006	#2 (permalink)
TheHonk Registered Member Join Date: Apr 2006 Posts: 3	A simple way to combat this in your AP's firmware would be about the same as what the US Air Force does/did with GPS -> Selective Availability [SA]. SA essentially reported inaccurate clock bias times for the sats. You could program your AP or client's firmware to add a random and wildly changing delay to any requests for connections by unknkown client/AP's. This would cause people to get wildly changing round-trip times from a single location. The propagation time would be incredibly hard to calculate accurately- thus the algorithm doesn't work very well. Another way to gauge your distance from a peer is through signal strength. I didn't bring this up the first time b/c it's not as reliable since it changes with geometry. If the signal goes thru a wall- the strength drops much quicker thru brick than air However, it doesn't really slow down much thru brick as compared to air (the speed can be considered constant). Perhaps a mix of the two measurements can be combined (like psuedorange and carrier-phase in GPS measurements). By the way, I just graduated- does anybody need to hire an Aerospace Engineer?

04-07-2006	#3 (permalink)
TheHonk Registered Member Join Date: Apr 2006 Posts: 3	Ohhh! Becons, you can use becons! That would work really well too, and wouldn't require to send ANY traffic out of your computer. Just figure out their becon timer, but then you'll introduce a clock bias, need a bare min of 4 sample sites. The best would be if you could get thier AP to send you the current time (NTP) to a really accurate value.

04-07-2006	#4 (permalink)
itsnotme Dumbass checker Join Date: Sep 2002 Location: Somewhere below Lake Ontario Posts: 1,076	There's quite a few flaws in your theory. Weather has an impact on WiFi, so your propgation time would vary with the weather. If you're using your AP, you would slow down the ping response because you would have traffic going over the AP. There's probably a few other theories, but this is probably why you can't triangulate an client down to a specific spot.