Fooling around with LoRa – Meshtastic (2023)

June 2, 2023

Using Lilygo T-Beam v1.1

OK, it has been quite a while. I got two Lilygo T-Beams https://meshtastic.org/docs/hardware/devices/tbeam/ in 2021 during COVID time, but they were sitting in a drawer. I finally installed the Meshtastic firmware https://meshtastic.org/ on both T-Beam boards; the firmware installation is child's play with the web interface. As a firmware guy I find it almost too simple, so I cannot complain: just go to https://flasher.meshtastic.org/ from your web browser (mine is Chrome) and the rest is self-explanatory. I connected the T-Beam micro-USB to my Win10 laptop; the COM port on my machine is COM5, yours might be different.

I have heard about LoRa for quite some time, so while working on a 5G-NR radio I said, what the heck, let's see what LoRa really is and how much fun we can have tinkering with the hardware lying around.

I mostly want to try the off-the-grid texting feature; it is quite cool to have a fairly long-range texting system that runs autonomously. I tested with my Samsung A8 phone, a Samsung tablet and the web version on a Windows 11 laptop, and I am very pleased with the result. For the phone and tablet I simply installed Meshtastic from the app store.

For a simple “long range” test, I just put one T-Beam by the window and walked around the neighborhood, texting back my location. The neighborhood is a dense city environment and the radio is on the 2nd floor; the longest distance was 544 m, very good since it is not line-of-sight, with tons of buildings/apartments separating the two radios. I am using the Long-Fast radio setting for this test.

While watching a YouTube video from Meshtastic on improving range https://youtu.be/V3f-Y3EfsBU, I found out the stock antenna that came with the T-Beam is not a good one based on NanoVNA measurements; I think I bought this NanoVNA some time ago.

I am also impressed with the on-board GPS, a NEO-6M module; the GPS update was quite accurate as I walked around the neighborhood.

One little quirk, not sure if it is me or not: I was not able to connect 2 devices to the same T-Beam over Bluetooth simultaneously. The whole idea is for the T-Beam to serve as a “base station” linking up with the mesh of Meshtastic devices. Maybe I missed something, more to come.

I am so happy with the result that I bought 2 more Lilygo LoRa boards, a T-Beam and a LoRa32 (without GPS), to expand my experimentation.

I saw a YouTube video where they integrate the ATAK app with Meshtastic; not sure if ATAK is useful, but it could be worth a test.

It could be very useful for outdoor communication in locations where mobile coverage is not present, like national parks. If we can text while on the lake that would be nice; the bonus is the location provided by GPS.

LoRa Modulation Magic

Or how to decode a symbol that is below the noise floor. Yes, that is possible: there is this excellent video explaining all the mathematics behind LoRa modulation https://youtu.be/jHWepP1ZWTk. It is surely not for people who are not keen on signal processing mathematics, but for those who are, it is a very nice video with Matlab code to generate a LoRa symbol signal and demodulate it. The author shows how the actual magic happens to retrieve the symbol when the signal is under the noise floor, i.e. the SNR is negative!
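An added example of the dechirp trick the video describes (my own code, not the video's Matlab code): build a LoRa-style chirp symbol with spreading factor SF, bury it in white noise at a negative SNR, multiply by the conjugate of the base upchirp and take the FFT. The 2^SF chips add coherently into one bin while the noise spreads over all bins, a processing gain of 10·log10(2^SF) dB, which is why the symbol surfaces even when the per-sample SNR is below zero.

```python
import cmath
import math
import random


def upchirp(sf, sym=0):
    """One LoRa-style symbol, one complex sample per chip.

    The base upchirp's frequency rises linearly across the symbol (phase pi*n^2/N,
    so frequency n/N cycles per sample); symbol value `sym` is the same chirp
    cyclically shifted by `sym` chips, i.e. offset by sym/N cycles per sample.
    """
    n_chips = 2 ** sf
    return [cmath.exp(1j * math.pi * (n + sym) ** 2 / n_chips) for n in range(n_chips)]


def fft(x):
    """Plain radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return x[:]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def add_awgn(signal, snr_db, rng):
    """Add complex white Gaussian noise for the given per-sample SNR (unit-power chirp)."""
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)
    return [s + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for s in signal]


def demodulate(rx, sf):
    """Dechirp with the conjugate base chirp, FFT, and take the strongest bin as the symbol."""
    base = upchirp(sf)
    spectrum = [abs(v) for v in fft([r * b.conjugate() for r, b in zip(rx, base)])]
    return max(range(len(spectrum)), key=spectrum.__getitem__)


def processing_gain_db(sf):
    """Coherent-integration gain of the dechirp + FFT over 2**sf chips."""
    return 10 * math.log10(2 ** sf)


def run_trial(symbols, sf, snr_db, seed=1):
    rng = random.Random(seed)
    return [demodulate(add_awgn(upchirp(sf, s), snr_db, rng), sf) for s in symbols]


def symbol_error_rate(sf, snr_db, trials, seed=2):
    rng = random.Random(seed)
    errors = 0
    for _ in range(trials):
        sym = rng.randrange(2 ** sf)
        if demodulate(add_awgn(upchirp(sf, sym), snr_db, rng), sf) != sym:
            errors += 1
    return errors / trials


if __name__ == "__main__":
    sf = 10
    print(f"SF{sf}: processing gain {processing_gain_db(sf):.1f} dB")
    for snr in (0, -10, -15, -20):
        print(f"{snr:4d} dB SNR -> {run_trial([0, 1, 300, 1023], sf, snr)}, "
              f"SER {symbol_error_rate(sf, snr, 50):.2f}")
```

Push the SNR further down and the error rate climbs once the noise peaks across the 2^SF bins start to compete with the signal bin, which is the limit the processing gain buys you.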

A more in-depth look at the LoRa PHY can be found in this presentation, Decoding the LoRa PHY (33c3) https://youtu.be/NoquBA7IMNc. It is heavy stuff; the presenter had to reverse engineer the PHY based on the little information available.

Fooling around with SoftSDR via HackRF One and HackRF One with Portapack H2 and GNSS

March 19, 2022

Since I started to work on an O-RAN 5G RU radio last year (2021), my software-defined radio hobby has come back to the surface 😎 I work more specifically on clock synchronization using PTP/SyncE.

I have a HackRF One and later got the Portapack H2 module; I am using the Mayhem firmware for the Portapack.

PTP can easily be spoofed unless you protect it with MACsec, but for some lazy reason our HW/FPGA team did not want to add MACsec to protect the S-Plane/PTP. For security reasons, I will not disclose where I work.

It is child's play to spoof PTP: I set up a network of many RPis with PTP, saved PTP traces from the master clock and later replayed those packets, and we can see ptp4l go crazy with a large offset.

Some HW guys at work even go so far as to say PTP can be protected by GNSS, which I told them is the other way around, as GNSS is much easier to attack over the air by spoofing or jamming the signal. As per the new timing requirements for critical infrastructure (telecom, financial, power grid), it is essential to have an alternate clock source to back up GNSS.
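A defender-side counterpart to the replay experiment above, added here as my own example (not code from the post): parse ptp4l's “master offset” lines and raise an alert on what a replayed or spoofed master looks like from the slave's side, i.e. a sudden offset, a path-delay jump, a frequency-correction step or a servo that drops out of lock. The log excerpt and thresholds are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed ptp4l log excerpt (not a real capture): a locked slave, then the kind of
# offset/path-delay jump a replayed master produces, a port fault, then recovery.
SAMPLE_LOG = """\
ptp4l[1000.001]: master offset        -12 s2 freq   -2210 path delay      1804
ptp4l[1001.001]: master offset          8 s2 freq   -2195 path delay      1806
ptp4l[1002.001]: master offset   -4981234 s2 freq  -50000 path delay      1801
ptp4l[1002.502]: port 1: SLAVE to UNCALIBRATED on SYNCHRONIZATION_FAULT
ptp4l[1003.001]: master offset    3120044 s1 freq   +9500 path delay    812311
ptp4l[1004.001]: master offset       -210 s2 freq   -2300 path delay      1803
"""

OFFSET_RE = re.compile(
    r"ptp4l\[(?P<ts>[\d.]+)\]: master offset\s+(?P<offset>-?\d+)\s+(?P<state>s\d)"
    r"\s+freq\s+(?P<freq>[+-]?\d+)\s+path delay\s+(?P<delay>-?\d+)"
)
PORT_RE = re.compile(
    r"ptp4l\[(?P<ts>[\d.]+)\]: port \d+: (?P<change>\S+ to \S+) on (?P<reason>\S+)"
)


@dataclass
class Sample:
    ts: float
    offset_ns: int
    state: str       # servo state as ptp4l prints it: s0 unlocked, s1 step, s2 locked
    freq_ppb: int
    delay_ns: int


def parse_ptp4l(text):
    """Split a ptp4l log into servo samples and port state-change events."""
    samples, events = [], []
    for line in text.splitlines():
        m = OFFSET_RE.search(line)
        if m:
            samples.append(Sample(float(m["ts"]), int(m["offset"]), m["state"],
                                  int(m["freq"]), int(m["delay"])))
            continue
        m = PORT_RE.search(line)
        if m:
            events.append((float(m["ts"]), m["change"], m["reason"]))
    return samples, events


def detect_anomalies(text, max_offset_ns=1000, max_delay_jump_ns=500, max_freq_step_ppb=2000):
    """Return sorted (timestamp, message) alerts. Thresholds are illustrative: a locked
    servo on a quiet LAN sits within tens of ns and its path delay barely moves."""
    samples, events = parse_ptp4l(text)
    alerts, prev = [], None
    for s in samples:
        if abs(s.offset_ns) > max_offset_ns:
            alerts.append((s.ts, f"offset {s.offset_ns} ns exceeds {max_offset_ns} ns"))
        if prev is not None:
            if prev.state == "s2" and s.state != "s2":
                alerts.append((s.ts, f"servo lost lock: {prev.state} -> {s.state}"))
            if abs(s.delay_ns - prev.delay_ns) > max_delay_jump_ns:
                alerts.append((s.ts, f"path delay jumped {prev.delay_ns} -> {s.delay_ns} ns"))
            if abs(s.freq_ppb - prev.freq_ppb) > max_freq_step_ppb:
                alerts.append((s.ts, f"freq correction stepped {prev.freq_ppb} -> {s.freq_ppb} ppb"))
        prev = s
    for ts, change, reason in events:
        if change.startswith("SLAVE to"):
            alerts.append((ts, f"port left SLAVE state: {change} ({reason})"))
    return sorted(alerts)
```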

I used the Portapack to replay a GPS signal to my Ublox; after 2 minutes the Ublox lost it, that is, the time was reset to 23:59 and I lost the positioning coordinates as well. Worse, when I removed the interfering signal the Ublox did not recover; I had to power-cycle the module. My theory is the Ublox entered anti-jamming/anti-spoofing mode by desensitizing the receiver; maybe if I waited long enough it would remove the desense.

I recorded a video demonstrating when the Ublox lost it (will upload here soon).

Some people think they can make gold from lead in 2022.

Fooling around with Atheros spectral scan in ath9k – ath10k

September 11, 2013

I found lately (Sept 11, 2013) that the latest ath9k finally has the spectral scan feature like the proprietary driver. It was there a while ago, but only lately did I resync with the ath9k code. I found this link http://blog.altermundi.net/article/playing-with-ath9k-spectral-scan/

and the graphical display of FFT samples:

https://github.com/simonwunderlich/FFT_eval  (ath9k and ath10k)

https://github.com/kazikcz/ath9k-spectral-scan

Some cool discussion at: http://comments.gmane.org/gmane.linux.drivers.ath9k.devel/8409

In 2015 I found some more info via YouTube https://www.bastibl.net/ath9k-spectrum-scanning/

This could be very cool to convert a cheap laptop into a cheap wifi RF spectrum analyzer to troubleshoot RF problems in the field; not sure how accurate or useful it can be, but it is worth a try.

I have tried FFT_eval with my XB114/DNXA-H1 AR9390 card and it is working fine; I'm still fooling around with that.

I have the luxury of “owning” a real spectrum analyzer, the Agilent FieldFox and the PSA (deluxe version), just to make some people jealous 😎

Update Feb 2015

It occurred to me that Broadcom also has spectral FFT stuff in its driver. I happened to work on an 802.11ac radio and found some code about FFT, I mean in the closed proprietary driver, not the open source version; however, the lack of a sample/test program makes it difficult for me to try out their FFT stuff.

Broadcom acquired Bandspeed, so they really want you to “buy” the Bandspeed solution for spectral analysis. I asked Broadcom many times for a simple test program…

Update Mar 2015

ath10k also has FFT like the previous ath9k; as we know, ath10k is for the new QCA98xx 802.11ac chipset, whereas ath9k is for AR92xx/AR93xx (Merlin type).

Unfortunately I only have the CUS223 single-band 5 GHz radio; I pretty much want to try using the QCA98xx chipset in 2.4 GHz to FFT the whole 80 MHz, as the radio is capable of VHT80. The reason being to see the whole 80 MHz without switching channels.

Fooling around with another wifi card mod Linksys AE1000

December 19, 2012

Nothing improves wifi connectivity better than a good antenna!!

My friend AB needed a way to optimize his 2-stream wifi card, the Linksys AE1000, against his powerful MSM460; the internal antennas kind of suck! So we decided to mod the card with parts from our wifi junk yard, and yes, we do have a real wifi junk yard.

This card is dual-band, so yes, we put on an OK-gain dual-band antenna!

I did the soldering while AB did the mechanical design to hold the antenna in place!

Here are the pictures of our mod.

Since the AE1000 is an 802.11n 2-stream card, there are two antennas printed on the PCB.

So first remove the test RF connector, being careful not to destroy the PCB trace.

Also remove the SMD cap as shown in the picture, cut the trace of the PCB antenna and solder the coax/pigtail.

When unsoldering, apply flux generously.

Do both sides as there are two antennas.

[Pictures: remove RF connector, SMD cap, cut trace; where to solder]

Final result!


Linksys AE1000 mod


Solid 2 streams, 300 Mbps


Fooling around with “Design of the antenna FA20”

December 3, 2011

Many years ago (2007) I saw this patch array antenna, the FA20, on a Russian forum http://www.lan23.ru/wifi/fa20en.html; I really liked the design.

I went on to simulate it in Ansoft Designer 3 just to see how it performs: WOW, super gain, 18 dBi and VSWR 1.25 across wifi channels 1-11. During Xmas 2007 I decided to craft this antenna. I did not use the same material as the original author; I used brass sheet from http://www.deserres.ca/, a craft art product store. Brass is very easy to cut and solder to build the array; the idea to use brass sheet came from one of my hardware engineer colleagues, “Wilfred”, who kind of knows my passion for building antennas.

I “borrowed” without permission a cookie sheet from the “wife” as my ground plane; she was not really happy, but the wrath only lasted a day. The nice thing about the cookie sheet is that the border is already bent, as in the original FA20 design.

I used double-sided tape to get the 7 mm distance between the ground plane and the patch.

I stored my Ansoft Designer simulation somewhere among the mess of USB drives (the next fooling around would be setting up a NAS); if I happen to find the simulation files I will post them here later.

When all was done, I plugged the antenna into my D-Link WNA1330 PC Card with Atheros AR5212 (already modded with a pigtail); by the way, this card is super easy to add your pigtail to. My jaw dropped when I saw the signal gain in NetStumbler!! This card has antenna diversity, so you must disable the antenna diversity switching and force the card to use antenna 1 (in my card mod); if you choose to tap the other antenna then choose 2. Under Linux using madwifi-ng you can change antenna diversity using sysctl; under Windows XP there are some registry keys you need to edit manually under your adapter's NDIS settings. It took me a while to figure out the one for XP.

Years later I had the chance to buy an Agilent FieldFox Network/Spectrum Analyzer for my job; I quickly measured the VSWR and the result is stunning, 1.2 VSWR from channel 1 to 11, which kind of confirms the simulation results. Kudos to the Russian author!!

I nicknamed the FA20 the “cookie sheet” antenna! Anyway, I just posted this blog to share this antenna construction; as you can see, the construction looks sloppy/flimsy but performance-wise it is really good. I don't see it elsewhere on the net.

If you happen to build the FA20 the way I did, just post some feedback to show how you did it.

Fooling around with WRT54G (again)

November 26, 2011

Many years ago I bought many WRT54Gs (GL, V4, GS V4, V5); at first I used dd-wrt in all modes, especially repeater and client mode. I also put Kismet on one of them.

To improve Kismet range I made a 2 meter RG8 cable with TNC-RP and N connectors coupled to my cantenna (Nescafé); picture to follow.

Last year (2010) I spent a whole weekend putting FreeRADIUS on one of the WRT54GLs; I used openwrt White Russian. After hours and hours of finding the right EAP that fit in my 4 MB flash, I got FreeRADIUS to authenticate my dd-wrt WRT150N and my Cadillac access point, the HP MSM466 (EAP-PEAP). I basically ran FreeRADIUS under Ubuntu to trim down the unwanted EAP types. It was quite a headache to find free flash space; I removed all the unused modules to have only a bare-bones router with FreeRADIUS.

Now I am trying to back up my flash with FreeRADIUS on it; some people suggest using JTAG, but I saw a guy using the CFE boot loader to back up the flash, which is much faster, so I decided to put a serial port on the WRT to access CFE.

A few weeks ago I saw a TP-LINK 941ND (2 streams with 3 radio chains) for $43; the chipset is Atheros and it has dd-wrt support, so I decided to give it a try to replace my WRT54G used as a client bridge for a Sony TV which only has an Ethernet port. It took 15 min to flash dd-wrt.

Running client bridge on the TP-Link took a while to make work: MAC cloning was required, since for some reason the wifi MAC and the LAN MAC seem to be the same? So with MAC cloning I set the wifi MAC to a value +1 from the LAN MAC. On the Broadcom WRT54G all the MAC addresses are different, so no MAC cloning is required there; client bridge just works out of the box. I made a post on the dd-wrt forum to thank the guy who gave the MAC cloning tip.

I don't know why the geniuses behind Linksys marketing changed the router “look”; personally I hate the new “space-age UFO” look. They tried to make it look like an appliance you can put in the living room, so the guests to your house can say “wow, what a nice looking UFO”. I may be old fashioned but I prefer the WRT54G look. I kind of like the Netgear vertical look.

D-Link's new router, the DIR-645 cylindrical smart-antenna router, is quite “shocking” in a good way. I went to the FCC report to have a peek inside and I'm quite impressed with the design; I thought the DIR-645 used some new Atheros chipset, but to my surprise the chipset is Ralink!? The Tx power is also impressive, >100 mW (20 dBm+). The way the antenna array is set up reminds me of a Ruckus AP. I really want to get my hands on the DIR-645 to see how it performs. I'm a big fan of smart antennas; steering the signal to where the client device is is a smart thing to do.

Fooling around with DNS tunnel

November 6, 2011

Experimenting with DNS tunnels.

On my recent trip to Europe, I found it frustrating to get free wifi access in airports. So far Montreal YUL has free wifi, as does Burlington BEV, but some other big airports simply don't get it: as a traveler you can sit and wait hours before your next flight, if it is not delayed or cancelled. Why piss off travelers by asking a few $$ to read emails, check weather updates and update Facebook to keep in touch with our family? We are not sitting hours in the airport just for the fun of it.

I wonder how much money those hotspots are making after all.

So far McDonald's has free wifi, which is great! Somebody kind of understood the customer-fidelity-101 seminar.

While visiting Palma de Mallorca and Barcelona in Spain, I found these cities offer free wifi.

Links I find helpful:

  1. http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple
  2. http://www.h-i-r.net/2010/03/dns-tunneling-part-1-intro-and.html
  3. http://www.h3xstream.com/d/iodine

YouTube also has a few good tutorials on the subject.

At http://freedns.afraid.org you can register a free sub-domain that will be redirected/handled by your “DNS server”; this is an important piece of the DNS tunnel puzzle. In short, you create an NS record that points to your DNS server to handle the sub-domain you registered with freedns.afraid.org.

So far I have tried OzymanDNS and the latest iodine on Ubuntu 10.4; so far so good, except with iodine I had to reduce the MTU to quite a low value to make it work. With OzymanDNS, once you have all your Perl stuff installed, I found Ozyman slightly faster than iodine?

Don't expect super fast speed with a DNS tunnel; the speed I got is in the “old days of 33 kbps modem” ballpark, but it is better than zero bits/sec 😎
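An added, defender-side example (my own code, not from the post and not part of iodine): the heuristics a resolver or network team would run over query logs to notice tunnel-shaped traffic under one delegated zone, i.e. long high-entropy labels, a fresh name on every query and record types ordinary clients never ask for. The log lines are constructed, and treating the last two labels as the “zone” is a simplifying assumption in place of a public-suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query log (not a real capture): timestamp, client, qname, qtype.
SAMPLE_LOG = """\
2012-11-06T10:00:01 10.0.0.5 www.example.com A
2012-11-06T10:00:02 10.0.0.5 mail.example.com MX
2012-11-06T10:00:03 10.0.0.9 ab3kx9q7zzv2m0p1lk4cw8r5t6yhn2jd.t.tunnel-demo.example NULL
2012-11-06T10:00:03 10.0.0.9 9qzx2lmv0k4pbc8t5w7r3yh1nj6d2ae0.t.tunnel-demo.example NULL
2012-11-06T10:00:04 10.0.0.9 mf7e1kq0zc5vb3n8xw4d2jr9ty6ulh0s.t.tunnel-demo.example NULL
2012-11-06T10:00:05 10.0.0.5 static.example.com A
2012-11-06T10:00:06 10.0.0.5 www.example.com A
"""

# Record types ordinary clients almost never ask for but tunnels favour for payload room.
RARE_QTYPES = {"NULL", "TXT", "KEY", "PRIVATE"}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking encoded labels score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registrable_zone(qname, depth=2):
    # Assumption: the delegated zone is the last two labels (no public-suffix list here).
    return ".".join(qname.rstrip(".").split(".")[-depth:])


def parse_log(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qname, qtype = parts
            rows.append((ts, client, qname.lower().rstrip("."), qtype.upper()))
    return rows


def zone_stats(rows):
    """Per (client, zone): query count, unique-name ratio, mean longest-label length,
    mean label entropy and the share of rare query types."""
    groups = defaultdict(list)
    for _, client, qname, qtype in rows:
        groups[(client, registrable_zone(qname))].append((qname, qtype))
    stats = {}
    for (client, zone), qs in groups.items():
        labels = []
        for qname, _ in qs:
            sub = qname[: -len(zone) - 1] if qname.endswith("." + zone) else ""
            labels.append(max(sub.split("."), key=len) if sub else "")
        n = len(qs)
        stats[(client, zone)] = {
            "queries": n,
            "unique_ratio": len({q for q, _ in qs}) / n,
            "mean_label_len": sum(map(len, labels)) / n,
            "mean_entropy": sum(map(shannon_entropy, labels)) / n,
            "rare_qtype_ratio": sum(t in RARE_QTYPES for _, t in qs) / n,
        }
    return stats


def tunnel_suspects(rows, min_queries=3, min_hits=3):
    """(client, zone) pairs that match at least `min_hits` of the four tunnel indicators."""
    suspects = []
    for key, st in zone_stats(rows).items():
        if st["queries"] < min_queries:
            continue
        hits = (st["mean_label_len"] > 20, st["mean_entropy"] > 3.5,
                st["unique_ratio"] > 0.8, st["rare_qtype_ratio"] > 0.5)
        if sum(hits) >= min_hits:
            suspects.append(key)
    return sorted(suspects)
```

Real deployments would add a per-zone query-rate window and a public-suffix list, but even these four indicators separate encoded-payload queries from a browser's normal lookups.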

Next step is to put iodined on my venerable WRT54GL. I managed to recompile the latest iodined 0.6 for Kamikaze openwrt (it took a while to fuss with the SDK); for the tun driver I simply used the existing package to install it. Test is pending…

I could simply use iodined on my x86 box, but that is too much energy to waste; so far the WRT150N with dd-wrt is my gateway and is also used as an SSH tunnel server. So the goal is to put FreeRADIUS and iodined on the WRT54GL.

Update May 2012 – First DNS tunnel trial overseas

Iodine on Android ICS 4.0 worked superfine at a resort in the Caribbean; I just installed myself in front of their internet cafe and did my test. Facebook showed up, so I guess the whole thing worked. I found their DNS server quite slow, which did not help the DNS tunnel, but it worked, ultra slow, somehow.

Update Nov 2012

On my recent trip, I put iodine on my Android. Tested successfully at Chicago (ORD) and Honolulu (HNL); a little bit slow, but hey, it keeps you busy while waiting for the next flight. Los Angeles (LAX) has free and super fast wifi 😎 kudos! ORD is the worst, delayed flights 100%, no free wifi; no wonder why, as tons of travellers get stuck at ORD, so why not suck more of their $$.

So far, all hotspots I tried are DNS-tunnel friendly!

Update April 2013

On a beautiful trip to Greece/Turkey, I found Munich (MUC), Athens (ATH) and Istanbul (IST) do not give free wifi, but iodine works!! In the hotels where we stayed they mostly implemented an HTML login; iodine worked fine there too. Wify used the “legit” login code on her iPad while I used iodine on my HP TouchPad. I know some of the airports give 60 minutes of free wifi, but you need to receive the code via SMS.

Most hotels now have free wifi; I believe the latest survey from TripAdvisor showed free wifi is one of the most important criteria, the second being breakfast. 99% of restaurants and coffee shops in Greece or Turkey have free wifi.

So the lesson to be learned here is that free wifi attracts customers; some still don't get it, but eventually they will. Time will tell.

One thing I have not tried yet is to use iodine on an airplane where they offer a hotspot.

It is a good thing there is no “DNS tunnel” blocking; maybe the setup to get a DNS tunnel working is a little bit beyond the knowledge of most non-IT people, even most IT people 😎

Until the next field trip!!

Update June 2013

On my way to visit a wireless company in San Jose, UBNT, at the invitation of Robert Pera, I had a stop at Denver (DEN); no free wifi besides Boingo, and I left home without my DNS server up, so no internet while waiting in DEN. DEN is a very strange airport in the sense that it is located in the middle of nowhere in the desert. What struck me more is the sign to the tornado shelter!!

The good part is San Jose airport (SJC) does give free wifi, great! The last time I landed in SJC was like 12 years ago, with the North and South terminals, and one had to walk from the tarmac to the terminal 8-). I used to land at SFO and drive down to San Jose as there is a direct flight from YUL to SFO. Still, as of today, there are no direct flights to SJC 8-( from Montreal YUL.

The San Jose airport has totally changed into a modern airport!

Also, the visit at Ubiquiti was great; I was really impressed by how small the team is versus the products they have delivered to the market, talk about efficiency. Robert was very nice to invite me and his team to his favorite sushi joint in the valley, the best sushi and sake.

On the way back to YUL, I had a stop at my worst airport, ORD; for some reason this time my flight was delayed by a mechanical problem. In fact the flight from SJC to ORD was also delayed by a mechanical issue; thank God the problem was found while the plane was still on the ground. The airline is AA.

Update July 2013

On a trip to California, Dallas DFW, Burbank BUR and Las Vegas LAS all have free wifi; we used the free wifi at BUR to get in touch with relatives because our flight was cancelled (Asiana incident at SFO), thank you BUR. Also the United staff at BUR were extremely kind in helping us book the return flight directly to YUL; thank you Mary!

Again, ORD airport, please provide free wifi.

Update March 2014

This year we traveled to the Middle East, Dubai, with one stop at London Heathrow LHR: no “free wifi” per se, however a latte at the Starbucks coffee shop gave us 1 hour of internet.

Dubai airport DXB seems to have free wifi, but no real traffic could be made!

Contrary to Greece or Turkey, free wifi seems not to be widely available in either hotels or restaurants; again the Starbucks coffee shop came to the rescue. When we visited Dubai Mall there was free wifi (APs from Aruba), however at the Emirates Mall no luck. I still don't understand why, in a rich location like Dubai, there is no free wifi in the mall.

We went on a cruise; luckily the cruise terminals in Dubai and Abu Dhabi provide free wifi, not very fast but just good enough for wify to update her FB. I spotted the wifi access point in the ceiling, so we moved closer to the antenna to improve the signal. You cannot imagine the amount of people (guests and staff) who hang out there to get wifi. The AP in the terminal looks like the one from Aruba.

On the Costa Fortuna boat, the wifi APs are from Cisco.

I regret not bringing my Android tablet loaded with iodine to test DNS tunnel capability like on previous trips!