Constructing a Faraday cage with data passthrough for ESP32 reverse engineering · ESP32 open MAC

2024-01-14 09:29:21

First, a brief recap of what this project is doing: the Wi-Fi stack for the ESP32 (a popular, low-cost microcontroller) is provided as a binary blob. We're trying to reverse engineer the software and hardware to build our own open-source Wi-Fi stack. If this sounds interesting, I recommend you read the first and second blog posts. However, this isn't necessary to read the rest of this blog post.

One problem we encountered while reverse engineering the Wi-Fi hardware is that there are a lot of Wi-Fi packets flying through the air: even when idle, most access points broadcast a beacon packet about ten times per second. Combined with the data packets that are also sent between access points and clients in the neighbourhood, this adds up to a lot of packets per second. One tool we use in reverse engineering is a Wi-Fi dongle in monitor mode: in that mode, the dongle captures all packets it sees, even packets not addressed to the dongle's MAC address. This deluge of packets sometimes makes it hard to find the single packet the ESP32 did or didn't send; in most situations you can filter on MAC address, but since we're still reverse engineering the hardware, we sometimes don't know which MAC address a packet will be sent with.

A simple (albeit not very practical) way to fix this is to go out into the woods where there are no Wi-Fi devices. A better approach is to 'insulate' the ESP32 and Wi-Fi dongle from outside Wi-Fi transmitters. My first attempt at this was to directly connect the antenna connector of the ESP32 to the antenna connector of the dongle (with an attenuator in between, to weaken the signal so it doesn't overpower the receiver).

Wi-Fi dongle connected to the ESP32, with two 30 dB attenuators in between

However, this didn't work: outside packets still leaked in. My second attempt involved a very basic Faraday cage: a paint tin with a cut-out for the USB leads of the dongle and ESP32. To try to reduce RF leaking in via the USB leads, I added several ferrite chokes and closed the hole with copper tape. This unfortunately didn't work as well as people online suggested it would; it only attenuated outside packets by a further 10 dB. A 10× decrease in power might sound impressive, but it really isn't: my laptop can receive packets as quiet as -90 dBm; right next to an access point the packets are about -35 dBm, so attenuating by only 10 dB isn't enough by a long shot.

Paint tin with USB leads coming out of it

I also tried putting my phone in a (turned off!) microwave, but this didn't work either: it was still connected to the Wi-Fi access point.

While researching how to build a proper Faraday cage that is also affordable, I came across the paper 'Building and Testing an Economic Faraday Cage for Wireless, IoT Computing Education and Research', which looked quite good: for 793 USD, they built a Faraday cage with data and power passthrough. They achieved the data passthrough by using an Ethernet-to-fiber converter; they achieved the power passthrough by buying a used power line filter from an MRI chamber. Simply explained, the paper proposes having two cabinets: an inner cabinet, covered in conductive fabric except where the door is, and an outer one, where the door is covered in fabric, sealing against the inner cabinet when the door is closed. If this isn't entirely clear, don't worry, I'll have pictures later.

There are, in my opinion, some flaws in that paper:

  • they mention the bill of materials, but don't give important specifications about what exactly it is they used. For example, their bill of materials states 'Used 20A Powerline Filter', but that is the most specific description of the power line filter in the paper. By emailing the original authors, I got to know that they used a Lindgren EMI/RFI filter, ELUL-2020, obtained on eBay.
  • which brings me to the second point: they use second-hand material for both the power line filter (120 USD in the paper) and the cabinet (5 USD in the paper). Now, I don't have anything against re-using components; I sometimes go to the scrapyard to scavenge useful electronic components (motors, displays, …), but you can't rely on the availability of those components. While it's true that in the US, similar filters can be bought for ~200 USD on eBay, you can't rely on these filters staying available on the second-hand market. Furthermore, in Belgium, the country where I live, there don't seem to be any EMI power filters available on the online second-hand markets. The import costs and shipping charges for buying a used power line filter from the US would be prohibitive.
  • using second-hand materials in something where the point is to make it cheap feels a bit like cheating: the materials are cheap because you did a good job obtaining something expensive for a low price, not because the materials are inherently cheap. A new EMI power line filter is so expensive that places selling them don't even display the price ("if you have to ask the price, you can't afford it").

I'll try to only use materials that are commonly available, and link to what exactly I bought. The main differences between the approach in the paper and my approach are:

  • I built the inner and outer cabinets myself, from wood. No special tools are needed, only a drill.
  • Instead of trying to pass through power, I'll put a lead-acid battery inside the Faraday cage and use buck-boost converters to convert to the required voltages for the fiber-optic converter and devices under test. This lowers the costs dramatically, to the point where even when we're using all-new components, the price will still be lower than the price described in the paper.

(Please excuse the bad picture quality)

First, a picture of the completed Faraday cage, where I'd like to call attention to:

  • it consists of two parts that slide into one another: the outer cabinet, made from medium-density fiberboard (MDF), and the inner cabinet, made from a wooden skeleton covered with conductive fabric on 5 sides.
  • there is conductive fabric on the inner side of the door. There is foam tape between the fabric and the wood on the front side of the inner cube; when you close the door, the foam tape is compressed, pressing the fabric of the inner cube tightly against the fabric of the front door, creating an RF-tight seal.
  • there's a black latch on the door that can hold the door shut (not shown very well here, but I'll show a better picture later).
  • in the top right corner, you can see a yellow fiber entering the cage from behind.

Picture of the fully completed Faraday cage

This is the inner cube, built from wood, before it was covered with conductive fabric on 5 sides.

Inner cube

Here, you can see the two fiber-to-Ethernet converters. I used bidirectional converters: this means that only one fiber is used for both transmitting and receiving data, as opposed to unidirectional fiber that has a TX/RX pair. This was done to minimize the size of the connector, which in turn makes it possible to fit through a smaller-diameter copper tube.

Fiber setup

This is a copper pipe with the fiber going through it. On both sides of the pipe, a small 3D-printed cone was added to gently transition from the diameter of the outer pipe to the diameter of the fiber. Conductive tape was used to seal the hole in the copper pipe: only a very small hole where the fiber exits remains. Since this hole is small enough compared to the wavelength of the 2.4 GHz radio waves, the radio waves can't enter through there.

This copper tube was then inserted through a hole in the fabric on the back of the inner cube. It was again taped with conductive tape on both the inside and the outside to form a good seal.

End cap
Full pipe
End cap 3D printed part

This is the test setup that is placed inside the Faraday cage. It consists of:

  • A Raspberry Pi. This runs usbip, so that the USB devices connected to the Pi can be used from other computers on the network.
  • A 5V USB buck converter (green case) converting the 12V from the battery to 5V for the Pi
  • A TP-Link TL-WN722N v1 Wi-Fi dongle, used to capture packets (it can be put in monitor mode)
  • An ESP32, connected to a JTAG debugger (not connected via USB at the moment)

Faraday ESP32 test setup

The Faraday cage was then tested by sniffing packets using the Wi-Fi dongle inside. I first captured packets for 10 minutes while the door was open (so RF could enter), then captured packets for 10 minutes after the door was closed.

When the door was closed, no packets were captured at all. So, to still give an approximate lower bound on how much the Faraday cage attenuates signals at 2.4 GHz, I used both the strongest and the weakest signal strength seen while the door was open:

>>> from scapy.all import *
>>> scapy_cap = rdpcap('faraday_captured_packets_door_open.pcapng')
>>> max(p.dBm_AntSignal for p in scapy_cap)
-12
>>> min(p.dBm_AntSignal for p in scapy_cap)
-81
>>> (-12) - (-81)
69

The weakest signal my wireless dongle could still receive was -81 dBm. The strongest signal that arrived was -12 dBm. Since the Faraday cage blocked all packets, the power of even the strongest signal must have been attenuated to below -81 dBm for it to no longer be receivable. So, a lower bound of 69 dB attenuation is established. I know that this might not be entirely correct (the wireless dongle might not be calibrated, the geometry of the Faraday cage could have increased signal strength when the door was open, etc.), but I think it gives a sufficient indication.
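The same lower-bound calculation, written up as an added Python example (not code from the original post or the esp32-open-mac project). It generalizes the scapy one-liners above to the case where the closed-door capture is not empty, i.e. the cage still leaks; the RSSI lists are constructed sample values mirroring the -12/-81 dBm figures, and the pcap reader is an assumed helper that only needs scapy when you actually read a capture.

```python
"""Estimate Faraday cage attenuation at 2.4 GHz from two monitor-mode captures.

Added example, not from the original post. The arithmetic takes plain lists of
per-packet RSSI values in dBm; the pcap reader imports scapy lazily so the
calculation itself runs without it.
"""


def rssi_from_pcap(path):
    """Per-packet RSSI (dBm) from a RadioTap capture. Packets without a
    signal field (for example, no RadioTap header) are skipped."""
    from scapy.all import rdpcap  # lazy: only needed for real capture files
    values = []
    for pkt in rdpcap(path):
        rssi = getattr(pkt, "dBm_AntSignal", None)
        if rssi is not None:
            values.append(int(rssi))
    return values


def attenuation_bound(open_rssi, closed_rssi):
    """Return (dB, kind).

    kind == 'lower_bound': the closed-door capture is empty, so the strongest
        open-door packet was pushed below the weakest level the dongle
        demonstrably decoded (this reproduces the post's 69 dB figure).
    kind == 'estimate': packets still leak in, so compare strongest against
        strongest; a hint that the seal (door gasket, cable hole) needs work.
    """
    if not open_rssi:
        raise ValueError("door-open capture is empty: nothing to compare against")
    strongest_open = max(open_rssi)
    if not closed_rssi:
        return strongest_open - min(open_rssi), "lower_bound"
    return strongest_open - max(closed_rssi), "estimate"


# Constructed sample values mirroring the post's door-open capture.
OPEN_DOOR = [-12, -40, -55, -81]
CLOSED_DOOR_SEALED = []          # nothing received with the door shut
CLOSED_DOOR_LEAKY = [-70, -78]   # what a leaking cage would look like

if __name__ == "__main__":
    print(attenuation_bound(OPEN_DOOR, CLOSED_DOOR_SEALED))  # (69, 'lower_bound')
    print(attenuation_bound(OPEN_DOOR, CLOSED_DOOR_LEAKY))   # (58, 'estimate')
```

For a real test, feed `rssi_from_pcap('door_open.pcapng')` and `rssi_from_pcap('door_closed.pcapng')` into `attenuation_bound`; the 'estimate' branch is the one that tells you a second round of conductive tape is needed.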

For a grand total of 291.38 EUR, or about 318 USD.

You'll have to 3D print various objects; these are detailed at https://github.com/esp32-open-mac/faraday_cage

  1. Assemble the outer shell. This is made from MDF, so be careful and definitely pre-drill before inserting screws, otherwise you'll split the MDF. Do this even for screws that advertise that you don't have to pre-drill.
  2. Attach hardware
    1. Hinges
    2. Latch to keep the door shut
    3. Optional: handles to lift the box
  1. Assemble the cube
  2. Attach all hardware
    1. Holders for the copper tube
    2. Stand-offs for the bottom plate
    3. Foam tape
  3. (Last!) Attach the Faraday fabric, with thumbtacks. Don't use a staple gun, you'd tear the fabric.

If you have any questions, open a GitHub issue at https://github.com/esp32-open-mac/faraday_cage or send me an email via esp32-open-mac@devreker.be.
