I'm Dominic Spill. Oh yeah, this is Ridiculous Radios. I added some things to it since I wrote the slide. Thanks. Welcome. It's Ridiculous Radios because it's more ridiculous, at least one minute in. I'm on Twitter, if that's your thing, that's on it. Yes, I'm not really on any other social media. It's like, like it was so... I'll, I suppose, thanks. Like, oh yeah, definitions. Sorry to the camera operator.

So I just want to thank some people. I like to put thanks up at the front because, one, by the end of this talk it will be rough, and two, I like to make it very clear that none of this work is... I mean, this work is all original work that I've done with people at Great Scott Gadgets, but it's based on a lot of people; there's a lot of historical work related to it. Not everything in this is something revolutionary that I came up with right before this talk. A lot of the stuff is based on ideas from other people, and there are people who helped me get demos together. The one person we haven't mentioned on this is Alex, who is in the fourth row and lent me a soldering iron this morning. Here's me using the soldering iron this morning, because only a butane one, and he's inside. So I work for Great Scott Gadgets, always. So let's get through this. All right.

All right, well, credits: I write software and things. I am NOT Tim Brown, as my bio says in the book that you've all been given, so if you'd do me a solid and just cross that line out in your booklets, I trust you all to do that. I'm going to present four different short projects together in this presentation. They are two receivers and two transmitters. They're generally radios that are designed in ways that can be built on top of hardware without having to think about radio engineering. They're fairly simple radios to design. We're not building a HackRF or something so complicated, a high quality radio receiver or transmitter. It's a sort of proof of concept, like, can we make a thing work once? And so generally these have all worked once, and I have a demo that, even when it works, works from about a foot away, and given the audience is more than a foot away, that demo... I'm more than happy to do it live, but no one will be able to see that it works. You're just going to have to believe me on that one.

So, start off with a disclaimer: you should know and understand your local laws. I'm not saying you have to obey them, that's entirely up to you. However, a thing that's notable is that car keys, garage door openers, a lot of radio things that aren't Bluetooth or Wi-Fi or whatever but are unlicensed, and you can just have... at 433 megahertz, if you start playing around with them, you're very much in the middle of where the UK TETRA frequencies are. TETRA frequencies are used for ambulance dispatch and fire engines, and if you miscalculate and get your frequency off quite a bit and you jam an ambulance signal, that's really, really bad. So I clearly try to obey all that when I do this stuff. My overarching feeling on it: seriously, just don't interfere with other people, don't get in their way, and stick to your own stuff. And generally I prefer to build receivers
rather than transmitters anyway, to snoop on other people instead of interfering with them. And I will demonstrate at least one of the transmitters, but I won't be demonstrating it today, but in at-home video form, because it wouldn't be legal for me to transmit, to demonstrate in the UK anyway, because of Ofcom.

So, start with scenario one: we can get cheap microcontrollers. There are microcontrollers in absolutely everything, go there or whatever, there are loads and loads of them inside every... your phone has a ton of them. It's not just the processor, it's the baseband, it's the Bluetooth chip, it's the Wi-Fi chip, but a thing that controls power delivery to the... both in the charger at the other end of the cable and your phone when you're charging the phone. I mean, like, I cannot see this, everything here has microcontrollers. There's a mouse here that's probably got one in it; radio packs, headphones, everything. And they're all running firmware, most of them running custom firmware designed for their application. And if we can modify that firmware, can we maybe get it to do interesting things? And we approach this from the idea of things like air-gapped networks. If we're able to modify the code running on our laptop, can we just use, say for example, your keyboard controller to receive wireless or transmit wireless signals? Now a lot of these microcontrollers have a ton of stuff built in. It's not always necessarily used, but it's built in anyway, and these are peripherals, various things. So if anyone's here from Joe's talk earlier, he gave a presentation about how you could run SPI and JTAG and UART and I2C all on the same chip. So now someone might take that chip and embed it in a product for the SPI functionality, but they don't entirely disable the other functionality. If we can unlock that and use that, then we can get it to do JTAG, or we can get it to do I2C or UART or whatever else we want to do. And so if we can pick up an off-the-shelf microcontroller with an analog to digital converter, can we build a very simple radio receiver? So

we call this the breadboard SDR. It's using a solderless breadboard, and it looks like this. This is, on the left hand side, this is a GreatFET One, which is just a microcontroller breakout board that we designed at Great Scott Gadgets. This doesn't require that piece of hardware; the software I've written works for that piece of hardware, but you could go and build this on top of other platforms as long as it has an analog to digital converter. There are three wires connecting that to our other circuit board. I don't know how well you can see that, but those two components are a diode and a resistor. Because we're proper engineers we've done a circuit diagram. The circuit diagram shows you the three wires, the diode and resistor, and this is a radio. This is a radio receiver. When we first tested it, Mike's first comment was "Wow, it transmits as much as it receives." You really shouldn't use this. Like, this is not a good radio; this will get you in trouble with Ofcom. But you should use this as a base. Like, this is essentially what most software-defined
radios are, and then everything else is just to improve the signal quality, the bandwidth, the interference, all these sorts of things is what most of the rest of the board is about. Now, so the way this works is... I mean, let me explain the circuit diagram first. So the clock signal comes out of the microcontroller; that's whatever frequency we want to tune to. We combine that... oh wow, I shouldn't lean on the buttons, so I'm clicking, I'm sorry, very professional. So what we want to do is we have a frequency we want to receive. We generate that frequency with the clock on the microcontroller. We combine that with the signal coming from the antenna; it goes through a diode. The diode acts as a mixer: it combines those two, and when you mix two signals together, what you end up with is one of those signals shifted downwards in frequency by the other one. So what we end up doing, if we put 433 megahertz into the clock, we get whatever we receive over the air shifted down by 433 megahertz. We sample that with an ADC and then we put it into GNU Radio.

Has anyone used GNU Radio before? Quick show of hands. Okay. This is a typical GNU Radio flow graph. I'm more than happy to talk people through it individually later, but it's probably not all that interesting as a group exercise. Essentially what this does is take the analog to digital converter samples and turn them into audio, and it FM demodulates them and does various data conversion things, throttling speed and stuff like that. And what you end up with is a graph coming out on the left hand side here. You can see on the top section of these two plots, it's what we're most interested in. On the left hand side there's silence, and on the right hand side you can see FM audio being modulated there, and the amplitude there is the audio that we're receiving. And if you load it up in Inspectrum, thanks Mike, you can see... and try and point at this and see if this works, this will not come out well on the video. You can see audio here. So this is, we sample the red line, which is where our signal is on the top, and on the bottom plot we're looking at FM demodulation of that. And one of the things that gives it away is we transmitted this with a little handheld ham radio, and at the end of the transmission, when you let go of the button, it sends out a pilot tone, and the pilot tone is just a sine wave, and you can see that right on the far right hand side: you have a very regular signal being transmitted, and that's a good sign that we got the signal that we wanted.

And wait, I have to do a microphone thing. [Music] Did that work? Hey, can you still hear me? Wow. I think it's not providing feedback because it works, but we'll see, we shall see what happens. Okay, I should be able to load up this flow graph, breadboard SDR narrowband FM. This is the same flow graph you just saw, but it's loading from file, because I can't transmit in the UK, I don't have a license, so I'm not demonstrating the transmitter, I'm just demonstrating... we saved the data as we received it, and hopefully... I've just realized I need audio out. So, so Mike and I were able to transmit with this ham radio, and then with a microcontroller that costs, I think the chip itself costs about ten pounds, something like that, and we were able to then take two components and build a radio that we can receive ham radio with. So that's a good start.

All right. Maybe this should be full screen. Okay, so if you're building a radio in software, we don't need much hardware. We can build very, very simple radios. We can build a radio that receives data with only two components. So if you can smuggle a diode and a resistor into your air-gapped network, we can probably build a receiver on that end, and find software, without having to smuggle in a HackRF or a thing that looks like a radio to anyone else. Also our antenna was just a piece of wire. You'll see throughout this presentation we're not super picky about the antennas to be used for this, mostly because we're working in a lab environment. We're working in the mountains outside
Denver in Colorado. There's not as much radio noise as there would be if you were doing it here, and we're generally trying to be good citizens about it and not transmit too much, but we're doing everything super low power.

So, scenario two: we've got data into a device that is not... we've got radio signals received by a device, there's no traditional radio. Can we transmit them back out? Let's say we're in, again, an air-gapped network. Can we use a microcontroller to transmit things? So clock signal transmitters: this is based on other people's work. Mike Walters, who's sat in the third row, did this back in 2016 at security, I think. I mean, not as a presentation, because it was in a room somewhere playing around, but he was able to turn on a remote-controlled light bulb using just turning on and off the clock signal on... someone has done a fun one which was a hacker, but I think it's the disco point phone, and they, the group who did it, were able to toggle along a very long trace on the PCB so that they could transmit data. And Raspberry Pi FM works in a slightly different way.

So, sorry, we've cut off people trying to get photos. Before I skip it: I will publish the slides afterwards, so as long as you've got your photos, it's fine. So again, this is my transmitter. Again I'm using the GreatFET board, because I have one on my desk as well, so I use it, and I wrote the software for it, so it's a lot easier to know what I'm doing. That is my antenna. Now again, this antenna was picked in the same way we picked the previous antenna, which was I reached into a box of wires and pulled one out and then plugged it into the board and it worked, so I didn't replace it. If it hadn't worked, I may have replaced it with one of a different length, but you can do, you know, maths, but why do maths when it works first time?

So how does this work? I like to turn up the game from what Mike Walters did, so instead of doing on/off keying I did frequency shift keying. I wanted to do it at 315 megahertz, which is why I can't demo it in the UK, because that's not an unlicensed band here, but it's really common in the US, and in fact it's very common for all those things: car locks, garage door openers, those sorts of things. Now one thing I could do is what Raspberry Pi FM does: I could just modify the clock generator on the fly. That's a bit complicated and seemed like a lot of effort and code, but the nice thing about my microcontroller is it has multiple clock generators. So a PLL, a phase-locked loop, is just a fancy word for a clock generator for the purposes of this talk. It's much fancier than that, but they say that I could use two of them as long as I disabled my USB interface, so I did that. I couldn't communicate with the device, but I could generate two signals, one at 315 and one at 315.1, and then I use the SCU. The SCU is just a pin matrix; it just decides which functionality inside the chip is connected to the outside. If you remember Joe talking about things earlier, he talked about how sometimes JTAG is not available on a chip because they're using those pins for something else. That's what the SCU is; it's not... almost any microcontroller of a reasonable complexity, you just don't have enough pins around the chip for the functionality that you want to produce, so you use this matrix to switch things, pins on and off. So the SCU just decides which pin is connected to the output, and now I can switch back and forth between two frequencies just by changing the SCU, just pointing to which pin is connected. So I just change which clock is put out at the given time and I can send frequency shift keyed data.

So this is my car. I load the code, and if you look at the front, it unlocks. This actually works so well that Mike had not started filming this when I ran it the first time, and because my car uses rolling codes we then had to go and capture another code. You have to be away from the car when you do it, so this resulted in Mike Ossmann and I running up and down the road outside our office building to get out of the range of my car, to capture a couple of key presses, then decode them visually using Inspectrum, and then load that into firmware,
and then running back to the 394 00:16:42,790 --> 00:16:46,449 car to running again so we did that 395 00:16:44,980 --> 00:16:48,760 about three or four times but but we 396 00:16:46,450 --> 00:16:52,090 find the gutter now one thing is 397 00:16:48,760 --> 00:16:53,770 interesting about this is that my car my 398 00:16:52,090 --> 00:16:56,110 car center frequency the frequency is 399 00:16:53,770 --> 00:16:58,420 expecting to see the signal on is 315 400 00:16:56,110 --> 00:17:00,820 point zero zero five bill I can 401 00:16:58,420 --> 00:17:02,800 configure my clocks back easily 402 00:17:00,820 --> 00:17:05,710 again like it seemed like a lot of 403 00:17:02,800 --> 00:17:10,359 effort to try and skim it by that much 404 00:17:05,710 --> 00:17:13,210 so I put a 350 point zero five that's 45 405 00:17:10,359 --> 00:17:15,909 kilohertz off the frequency deviation 406 00:17:13,210 --> 00:17:19,270 between the binary one and zero is only 407 00:17:15,910 --> 00:17:21,460 25 kilos so I'm outside of the range 408 00:17:19,270 --> 00:17:24,040 that it's expecting for its original 409 00:17:21,460 --> 00:17:25,890 signal plus I couldn't configure it to 410 00:17:24,040 --> 00:17:28,950 get the 25 kilohertz range 411 00:17:25,890 --> 00:17:31,740 I got plus and minus 50 kilohertz it 412 00:17:28,950 --> 00:17:34,260 does not care it absolutely works and 413 00:17:31,740 --> 00:17:35,940 part of the reason is it's a bit like 414 00:17:34,260 --> 00:17:37,650 lock-picking if you go and talk to 415 00:17:35,940 --> 00:17:38,730 people that lock-picking they say the 416 00:17:37,650 --> 00:17:40,590 only reason you can pick locks is 417 00:17:38,730 --> 00:17:42,299 manufacturing tolerances we can't 418 00:17:40,590 --> 00:17:45,030 manufacture a lot so perfect that you 419 00:17:42,299 --> 00:17:47,760 can't you know nudge the pins and things 420 00:17:45,030 --> 00:17:50,190 like that it's the same deal why build a 421 00:17:47,760 --> 00:17:52,080 radio that is so 
carefully and precisely 422 00:17:50,190 --> 00:17:53,549 controlled that I can't transmit - it's 423 00:17:52,080 --> 00:17:55,350 slightly off frequency into my car 424 00:17:53,549 --> 00:17:57,809 you've already got rolling codes for 425 00:17:55,350 --> 00:17:59,820 security you want it to work when my 426 00:17:57,809 --> 00:18:02,100 battery's low you want it to work in 427 00:17:59,820 --> 00:18:04,020 weird conditions once it's work in the 428 00:18:02,100 --> 00:18:06,780 presence of noise so you can build a 429 00:18:04,020 --> 00:18:09,840 radio as cheaply as possible and that 430 00:18:06,780 --> 00:18:12,389 means that you don't have super perfect 431 00:18:09,840 --> 00:18:14,250 filters you don't have you know 432 00:18:12,390 --> 00:18:16,140 rejection of those signals that are just 433 00:18:14,250 --> 00:18:18,780 slightly out of bound and as long as my 434 00:18:16,140 --> 00:18:21,020 my signal is powerful enough and like 435 00:18:18,780 --> 00:18:23,610 look how far away I am from the receiver 436 00:18:21,020 --> 00:18:27,120 then it still works and I can still 437 00:18:23,610 --> 00:18:28,469 unlock my car I guess the other reason I 438 00:18:27,120 --> 00:18:30,209 can't do this is what I know is my car 439 00:18:28,470 --> 00:18:32,460 is thousands of miles away and it'd be 440 00:18:30,210 --> 00:18:36,390 tricky to get get it here and into this 441 00:18:32,460 --> 00:18:40,650 building for a very very quick and dull 442 00:18:36,390 --> 00:18:43,559 demo okay so so our learning is like not 443 00:18:40,650 --> 00:18:45,900 only can we build it in software and we 444 00:18:43,559 --> 00:18:47,190 don't need much hardware but if it 445 00:18:45,900 --> 00:18:50,580 oscillates like a radio as a clock 446 00:18:47,190 --> 00:18:53,429 signal does and then it emits as a radio 447 00:18:50,580 --> 00:18:55,139 when we plug a wire into that pen then 448 00:18:53,429 --> 00:18:56,970 it's a regular just because the 449 00:18:55,140 --> 
00:18:58,799 microcontroller calls their clock signal 450 00:18:56,970 --> 00:19:00,870 and it's designed to share the clock 451 00:18:58,799 --> 00:19:02,400 with other chips on the same circuit 452 00:19:00,870 --> 00:19:04,949 board doesn't mean it's not a regular 453 00:19:02,400 --> 00:19:07,770 it's still able to transmit where it's 454 00:19:04,950 --> 00:19:12,210 still able to use later you use it to 455 00:19:07,770 --> 00:19:14,610 transmit data so this one's gone to a 456 00:19:12,210 --> 00:19:21,179 third scenario in terms of time yeah 457 00:19:14,610 --> 00:19:25,799 wait let me go make it so the scenario 458 00:19:21,179 --> 00:19:28,230 is that there will be regimes they'll be 459 00:19:25,799 --> 00:19:30,150 governments around the world where they 460 00:19:28,230 --> 00:19:32,160 do not allow us to help us animals 461 00:19:30,150 --> 00:19:33,960 Dishman versus the first radio relied on 462 00:19:32,160 --> 00:19:36,300 us having a cheap analog to digital 463 00:19:33,960 --> 00:19:37,830 converter inside a radio inside a 464 00:19:36,300 --> 00:19:40,280 microcontroller sorry so we could use 465 00:19:37,830 --> 00:19:43,350 flow record but 466 00:19:40,280 --> 00:19:45,629 there might be regimes around the world 467 00:19:43,350 --> 00:19:47,370 that limit access to animals digital 468 00:19:45,630 --> 00:19:49,020 converters and I know everyone's 469 00:19:47,370 --> 00:19:51,389 thinking who would possibly do that and 470 00:19:49,020 --> 00:19:53,550 here's a page out of the US government 471 00:19:51,390 --> 00:19:54,660 regulations on Export Control and they 472 00:19:53,550 --> 00:19:56,760 limit access to analog to digital 473 00:19:54,660 --> 00:19:58,440 converters and in fact they live in 474 00:19:56,760 --> 00:20:00,150 access to high precision analog Sutra 475 00:19:58,440 --> 00:20:02,160 converters because they can be used for 476 00:20:00,150 --> 00:20:04,290 advanced radio systems and things like 477 00:20:02,160 --> 
00:20:06,360 that all sorts of all sorts of things 478 00:20:04,290 --> 00:20:08,879 require kind of converting data between 479 00:20:06,360 --> 00:20:11,010 London Digital tonight and admittedly 480 00:20:08,880 --> 00:20:13,500 these are incredibly high high precision 481 00:20:11,010 --> 00:20:16,260 and we're looking at a resolution of 12 482 00:20:13,500 --> 00:20:18,420 bits or more that's an output rate of 483 00:20:16,260 --> 00:20:21,750 200 million words per second so it's 12 484 00:20:18,420 --> 00:20:24,660 bit 200 megahertz ABC that is quite far 485 00:20:21,750 --> 00:20:28,830 and away higher spec than we have on any 486 00:20:24,660 --> 00:20:30,690 of the pub consumer st oz out there but 487 00:20:28,830 --> 00:20:32,100 it is something to consider that we 488 00:20:30,690 --> 00:20:33,840 might not have access to it is not 489 00:20:32,100 --> 00:20:34,830 beyond the realms of possibility that we 490 00:20:33,840 --> 00:20:37,320 might have a microcontroller that 491 00:20:34,830 --> 00:20:41,010 doesn't have any so can we use a digital 492 00:20:37,320 --> 00:20:42,720 i/o then we come to the GPIO pin the 493 00:20:41,010 --> 00:20:44,700 receiver so we're going to build a 494 00:20:42,720 --> 00:20:48,450 receiver that works instead of using 495 00:20:44,700 --> 00:20:51,330 analog data uses digital data and this 496 00:20:48,450 --> 00:20:55,320 is where we get a bit messy okay so 497 00:20:51,330 --> 00:20:56,879 there's some very here and there are not 498 00:20:55,320 --> 00:20:59,610 a whole lot of people in the room so I'm 499 00:20:56,880 --> 00:21:00,860 going to delve into it but don't worry 500 00:20:59,610 --> 00:21:03,240 if you get a bit lost 501 00:21:00,860 --> 00:21:05,969 it's probably the my explanation is bad 502 00:21:03,240 --> 00:21:08,630 and I will happily try again in front of 503 00:21:05,970 --> 00:21:10,770 a white board with pallet paper later 504 00:21:08,630 --> 00:21:14,580 this is the first generation that we 
505 00:21:10,770 --> 00:21:17,070 built and this the the silver box you 506 00:21:14,580 --> 00:21:19,470 can see the back is a TV tuner it's 507 00:21:17,070 --> 00:21:21,510 ripped from like an old video recorder 508 00:21:19,470 --> 00:21:25,320 and you can just pull that out and it 509 00:21:21,510 --> 00:21:27,809 will it will give you a good RF front 510 00:21:25,320 --> 00:21:29,669 end so instead of using those two 511 00:21:27,809 --> 00:21:31,139 components that we used on the the first 512 00:21:29,670 --> 00:21:33,780 fret board SDR 513 00:21:31,140 --> 00:21:35,790 we're we're taking in a higher quality 514 00:21:33,780 --> 00:21:37,110 radio and it's got an amplification in 515 00:21:35,790 --> 00:21:38,700 there and it's got some good filtering 516 00:21:37,110 --> 00:21:41,280 in there and so we're getting a better 517 00:21:38,700 --> 00:21:42,540 quality radio simple answer and I would 518 00:21:41,280 --> 00:21:44,129 have liked a demo this and this is 519 00:21:42,540 --> 00:21:47,670 actually how we captured the key presses 520 00:21:44,130 --> 00:21:49,080 for my from my keyboard however a piece 521 00:21:47,670 --> 00:21:52,230 of hardware landed on my desk last week 522 00:21:49,080 --> 00:21:52,949 and I thought I couldn't give this 523 00:21:52,230 --> 00:21:55,260 presentation 524 00:21:52,950 --> 00:21:57,150 without trying to sneak an additional 525 00:21:55,260 --> 00:21:59,010 thing into it so this has not been we 526 00:21:57,150 --> 00:22:00,750 have spoken about this publicly yeah we 527 00:21:59,010 --> 00:22:03,330 only got it working last week I only go 528 00:22:00,750 --> 00:22:06,090 to working with my laptop yesterday and 529 00:22:03,330 --> 00:22:09,389 I'm going to attempt a live demo and it 530 00:22:06,090 --> 00:22:10,800 may go wrong quits so we we know a lot 531 00:22:09,390 --> 00:22:12,870 of our experimental boards off some 532 00:22:10,800 --> 00:22:18,419 flowers quince is a flowering plant 533 00:22:12,870 --> 
00:22:20,939 don't Matt me this board is a comparator 534 00:22:18,420 --> 00:22:22,950 and a comparator just says is this 535 00:22:20,940 --> 00:22:28,490 signal greater than or lower than a 536 00:22:22,950 --> 00:22:31,860 threshold and it currently connects to 537 00:22:28,490 --> 00:22:34,260 the RF content on hack RF now admittedly 538 00:22:31,860 --> 00:22:38,310 this has been using an RF to build up 539 00:22:34,260 --> 00:22:40,830 low great radio by bypassing the good 540 00:22:38,310 --> 00:22:43,950 bits of hack RF but this is because it's 541 00:22:40,830 --> 00:22:45,320 a prototype so in the future the Quinns 542 00:22:43,950 --> 00:22:47,640 board will have a whole lot on this 543 00:22:45,320 --> 00:22:50,580 basically where it says Queens it will 544 00:22:47,640 --> 00:22:55,800 have a whole lot of additional circuitry 545 00:22:50,580 --> 00:22:57,899 to do kind of analog analog electronics 546 00:22:55,800 --> 00:22:59,940 to shift for supercool gigahertz range 547 00:22:57,900 --> 00:23:01,800 down to base bounce so that we can solve 548 00:22:59,940 --> 00:23:04,050 it but right now we're using the hacker 549 00:23:01,800 --> 00:23:06,030 app for that so the hacker app will 550 00:23:04,050 --> 00:23:07,379 change the 2.4 gigahertz and then we 551 00:23:06,030 --> 00:23:09,720 connect to the expansion header on a 552 00:23:07,380 --> 00:23:11,130 carafe and we solve that with the great 553 00:23:09,720 --> 00:23:12,660 fat there's no rotation transfer 554 00:23:11,130 --> 00:23:14,580 happening on that a correct we're just 555 00:23:12,660 --> 00:23:16,260 using as a as a tuner so we're only 556 00:23:14,580 --> 00:23:21,090 using the analog exception of that was 557 00:23:16,260 --> 00:23:23,790 no SDR happen at all on the Quinns board 558 00:23:21,090 --> 00:23:25,970 what we're doing is we're sampling using 559 00:23:23,790 --> 00:23:28,680 a digital pin it is either on or off 560 00:23:25,970 --> 00:23:33,350 there is no analog 
component to this, and that means we sample one bit.

Now obviously that's a problem: we're going to need more than one bit of dynamic range to look at our signals. This is really common in SDR; you want a lot of dynamic range, you want as much as possible. People talk about "12-bit ADCs", "8-bit ADCs aren't enough for this, that and the other", and things. So we thought the best solution to show that 8 bits of ADC in a HackRF is more than enough for anybody would be to build a radio that decodes with one bit of ADC, one bit of dynamic range, and see how that works.

So we're going to use a technique called oversample and decimate. This thing works in one direction, and this is where the sort of maths comes in, and I'm not going to talk about the maths, I'm just going to show some graphs. But what we do is we take 16 samples like this, and for every pair of samples we average them to get one in the middle. Now if you're averaging two numbers, and these are all 0 or 1, one-bit values, if you're averaging those values you gain a bit of dynamic range: you can have half values. If you do it again you can have more values, and so now we have four different values, clusters there on the one... I guess that's it, anyway: we have more values that we can have. And if you keep doing this and keep doing this, for every time you halve your sample rate you gain one bit of dynamic range. It's a bit more complicated than that, but roughly. Now this means if we have a very narrow signal and we sample way, way wider than we need to, we can then decimate to just get our sampled signal back, and we get more dynamic range. It doesn't work in the other direction: you can't get more bandwidth by sampling at a higher range and then working the other way; it only works this way.

So it looks like this. This is a slightly more complicated flowgraph, but essentially... it's doing a lot, but the main thing that we care about here is... we put it at the top so you can kind of read them from where you are, but the top two on the right: we have a decimate and we have a rational resampler, which also decimates. And so what we gain there is dynamic range as we lose bandwidth, but we don't care about that, because what we're looking at is a 1 megahertz signal. Now what we're going to sample at, because it's a digital I/O pin, and digital I/O pins are useful fast binary interfaces, so we can sample at 100 megahertz, so we can do 100 megasamples a second, but we only need one megasample a second, so we can decimate and we gain a number of bits of dynamic range in order to receive things. So, using one-bit sampling and decimation, it all comes together.

OK, I've only run this once, I've only had this work once, so everyone hope it works for me. Sure, I want... I've got a copy and paste of the command. So I'm just tuning the HackRF at first to a frequency; it's just going to dump samples into a file somewhere, I'm not going to use that file for anything. Then what I'm going to do is use the GreatFET that's attached, and I'm just going to use the logic analyzer function of it to sample all those pins as quickly as possible. Right now I have a limitation of USB and my firmware that means I only get 17 megasamples a second; I just need to do some tweaking to get up to 100, and then I should be able to... wait, yes. Then I turn on a device that should be next to my phone, and what we're using here... connect. Excellent. And then I'm just going to very briefly generate some traffic. OK, so that's generated some traffic and it's all being saved to this Quince file. That's enough, so let's kill it off. Let's go to our complicated flowgraph. Now what this is going to read is that file, but I just broke it, so give me... turn my headphones off. That's going to read this file that we just wrote and it's going to output to a file called temp demod. So I'm just going to run this now. What you'll see is in the top graph, hopefully... there you go. This is doing what's called burst tagging; it's finding packets in the data. So if you see, these all look fairly regular; these are all the packets that were transmitted that I was able to pick up. These are Bluetooth packets. So what I'm doing is, simultaneously I am able to receive 17 megabytes of data and then take that one-bit value and convert it to enough bits to pull out Bluetooth data, but because that's done in the filter, because that's done for a specific frequency, I'm able to do it 17 times, one for each Bluetooth channel in that 17 megahertz chunk. Once I get it up to a hundred megahertz I'll be able to do it for every Bluetooth channel simultaneously, and be able to sniff all Bluetooth connections within range simultaneously, just using a one-bit ADC and software.

So, and just to hopefully prove it, if I run... I output my data into a file format that is accepted by Bluetooth tools, because I happen to know the developer of both, because it's me. And what you'll notice is I was able to pull out all these Bluetooth packets, and this LAP is the address, is the MAC address of my Bluetooth headphones, and I'm going to pull all these packets out. Now the channel information and the clock information is all wrong at the moment, because it's just a proof of concept, but I was able to accurately receive and decode Bluetooth packets while I was only using a digital I/O pin and no analog to digital converter at all. So we don't even need an analog to digital converter to digitise radio.

[Music]

All right... Oh, interesting, we might... so I'm going to have to use the old method. So one-bit sampling is more than enough for anybody; everyone can stop complaining about 8-bit ADCs.

OK, final scenario. There's a thing called pseudo-Doppler direction finding. There are pieces of hardware used for finding radio signals; the idea of them is that you want to be able to track down people who are transmitting. Now in general, mostly, the people you want to track down are people who are
interfering with you. Ham radio operators use them a lot: generally if you transmit on a ham radio band accidentally, or without a license, ham radio operators will track you down, because... I mean, they're so good at it because they're very passionate about it, rationally so. Mike developed a pseudo-Doppler direction finding rig; we call it an antenna switching board, it's also known as an Opera Cake, because we want food. So can we find some way to subvert it? So I'm calling this "direction pointer", to direction finder, because I couldn't think of a better name than "direction hider", and I even wrote the word... So I'm going to say, I can make my phone be my... quick thing again. OK, that's... all right.

The direction pointing: not only am I not good enough at explaining things to get it out in the time I have, but it's already been done by Mike Ossmann and Schuyler a couple of years ago; there's a link on this slide, go watch their video and they'll explain how pseudo-Doppler works and how it was done with our board and how we were able to attempt to find things. But essentially, this is Opera Cake: it's just a bunch of ports and it switches antennas, so you can have an input coming in and it switches to an antenna, and you can electronically switch your signal between antennas. It's really, really useful for direction finding; it's also useful for, like, if you set up a ham radio rig and you want to switch between antennas that you're using for a given frequency, or you want to switch in different filter banks and things like that.

So let's talk about radio again. We have to talk about phase shifting. So does anyone know about... has anyone ever studied radio, different forms of modulation, phase shifting, any of that stuff? Hands up. OK, well, I'm going to try and say things that you understand, and I'm not very good at it, so you should look at a textbook if you really want to understand that, and I can recommend some textbooks to properly understand it and understand the maths or anything like that. I really don't want to put maths into my presentation, so I didn't.

Phase shifting is where you take a signal, and instead of changing the frequency or the amplitude of the signal, you change where you are in the wave for a given time. So phase shift keying works by making rapid jumps in the signal, jumping from one point of the signal to another. When we're doing direction finding, what we do is we take multiple antennas and we switch between them rapidly, and usually in a circle, and that gives us a phase shift based on where you're coming from. So essentially what happens is, where you are on the waveform is different at the two antennas at the same time, so you want the size of your array, the distance across the array, to be about a third of your wavelength, and that means that if you rapidly switch from one end to the other you'll see the same signal, but you'll see it just slightly off from where it was, and you can use that to try and calculate the direction. But we can make that happen too: we can induce a phase shift, and therefore the direction finder triggers and thinks it sees a phase shift, but it's actually one that we control.

So this is a diagram I made in the hotel room; at the time I thought it explained how to implement the phase shifting, all right. But essentially, if you have two different lengths of cable or two differently placed antennas, the waveform, the electromagnetic wave that you're transmitting, will reach them at different times and therefore at different parts of that wave cycle. And so what we can do to introduce a phase shift in something is have two different lengths of cable; these are often called delay lines. I spoke to someone about this about a year ago and they said, "oh yeah, use delay lines; I used to work in fiber optics, we used to just bounce data between Silicon Valley and Los Angeles just to introduce a delay into the data, because that's long enough for it to delay at the speed of light," or just, like, 30 kilometers of coiled fiber optic just as a delay loop in the lab. But with RF we didn't have to go that far, and therefore a quarter of a wavelength is about three centimeters, and therefore these four cables that hook up to my Opera Cake are all three centimeters off from each other, and that means I can induce a phase shift by cycling through them.

So... hopefully my plan was that this video would work, and we shall see what happens. So this is a direction finding rig; this is one we set up for 2.4 gigahertz. You can see in the glass the four antennas; they are at four different locations, and they're separated by roughly a third of a wavelength, and that feeds into the Opera Cake, which feeds into a HackRF, which we just attached to my laptop. What's the slope... I thought so. That's Mike's laptop; he's running his direction finding code on it already. This is my laptop, this is my transmitter, and I have two delay lines on it but I'm not using them. I'm just going to start transmitting just some data, just going to send some data around. And I didn't pause it at quite the right moment, but you'll see on Mike's display in the top right corner there's a sort of fuzzy blue dot that gives us a direction from his direction finding rig to my transmitter, and we are able to kind of use that, and if it's calibrated properly he knows where the transmitter is. So what I want to do is make it so his software no longer receives it correctly. So what I do is I just start looping through those four different cables at different lengths, and you'll see we now have... my transmitter is bouncing around all over the place, so we now don't have any idea of the direction of the transmitter. So we're able to use exactly the direction finding rig that he's using to detect us to subvert this detection. So you see it's jumping all over the place. Oh, that's really not what I want to see... there we go. So adding a phase shift certainly messes it up. Now this is really going to destroy your signal if your signal relies on phase shifts and things like that, but if you're using on/off keying or frequency shift keying then it's not; you can get away with it.

And this is going to be very quick because I'm running out of time, and this is the demo that only works from about a foot away, so I'm not going to do it, because Grant's already... But since we can modify the phase to subvert direction finding, can we take a signal that is being transmitted and has no phase component that we care about and add a covert channel over the top of it? Can we add a phase shift keyed signal to an existing radio? So I'm not even talking about, like, building an SDR; I'm talking about taking our Opera Cake board, which looks like this, and a microcontroller and no radio, or just taking an existing radio that we do not care about. It could be a handheld ham radio device, it could be any radio, it could be a Wi-Fi device, it could also be a Bluetooth dongle. So this is my transmitter: this is, like, a $3 Bluetooth dongle that we picked up from Amazon. We cut the trace to the antenna, soldered on a cable, and then we called one of the test functions that they left in the firmware that just transmits a signal on a single channel. And so this was my transmitter, and so all I'm doing is transmitting a 2.4 gigahertz carrier out of that, and then externally I'm just taking the Opera Cake board and I'm adding that phase shift. So this is Inspectrum again, grateful for this sort of work, and you can see this is a phase plot at the bottom of the signal you see at the top, and this just shows the jumps that are happening, and these are kind of instantaneous, these dots right here, here, here. And so we're able to create instantaneous phase jumps by switching between different lengths of cable on Opera Cake. So we have 2.4 gigahertz, we can add phase shift keying, we can actually switch these 11 million times a second if we want to; that's how quickly our switches work, they're faster than that, but 11 million is going to be really convenient, in that direct sequence spread spectrum is actually just really, really fast phase shift keying. So we could generate a DSSS signal at 2.4 gigahertz and 11 megabits. Now does anyone know what an 11 megabit DSSS signal at 2.4 gigahertz is? It is Wi-Fi. Wow, there you go. So we're able to produce a completely fictional Wi-Fi network from a Bluetooth dongle, an antenna, and two lengths of antenna cable that are off by a half wavelength between the two, and switch back and forth between them at 11 megahertz using the antenna switching board and a microcontroller, to generate a Wi-Fi network that never existed. It is completely pointless, but it's really good fun to do these sorts of things. This works from, guaranteed, a distance of about a foot, and it really, really does not work at conferences when everyone's got Wi-Fi and Bluetooth going, so it is not possible. While I was able to transmit from my phone to my headphones and receive Bluetooth packets in the middle, for some reason this is just not powerful enough to really get to phones, but we have managed to pick it up in quiet environments in our office, and you can see one of these is my phone, one of these is my boss's phone, as I explained, and we were able to receive the same network on both. So an external modulator, or antenna switch: you can add a covert channel to any existing radio if you can connect it, if your covert channel does not interfere with the existing underlying radio signal.

Again, thanks to all these people who were involved; thanks to Alex for lending his soldering iron this morning, even though I didn't run the demos I needed to solder for this morning, so that was potentially a waste of time. And I will not take questions, because I'm afraid to, and Grant probably wants to get set up for his talk, but I would say questions outside, or just find me around; I'm very approachable, just come and ask me questions if you have them. You can find me on Twitter, or Great Scott Gadgets on Twitter, and all of the code should be on one of those two repositories for implementing these. So if you want to go ahead and implement these radios yourself, do it legally, do it safely, don't interfere with ambulances, and have fun with breakfast. Thank you very much.
