Premise & Background:
The proliferation of cheap, lightweight WiFi embedded ("IoT") devices made me wonder. The WiFi association stack, DHCP client stack, et al. has to be incredibly lightweight and simple to fit in the firmware on, say, an ESP8266. If you programmed one to scan, find an AP, associate, get an address, and send a single packet - would it be able to do it fast enough to report its location from a moving vehicle?
[Aside: This is actually something I've wondered about for years, but the IoT chips offered a unique and low-cost way to try it.]
"But wait," you say, "there really aren't that many open APs these days. Most of them are captive or paywall portals, or at least make you agree to some goofy ToS."
Right, but as has been pointed out multiple times by multiple people all the way back to Dan Kaminsky's DNS tunneling talk in 2004 - hotspots diligently resolve DNS queries. All you have to do is base32 encode the data you want to send in the hostname of a valid DNS record request, and set up a DNS server for a subdomain (under a domain you own) to catch the queries.
If it works, you get near real-time telemetry over opportunistic WiFi links using DNS recursion! Think: "low cost LoJack with no data subscriptions".
Digistump Oak ESP8266 |
I used the Digistump Oak variant of the ESP8266 prototype boards. I like the fact that it can be flashed OTA, which proves to be useful once the device is deployed in something like an automobile.
In my testing, the complete chain from calling connectAP() to getting the DNS query response typically takes between 3 and 6 seconds, which is certainly fast enough from a slow moving vehicle.
Device Output
struct telem {
uint32_t tstamp; // GPS time in ctime format
int32_t lat; // Latitude * 1000000
int32_t lon; // Longitude * 1000000
uint8_t spd; // Speed in MPH
uint8_t sats; // Number of GPS satellites received
uint8_t id; // Arbitrary number for ACK
uint8_t mode; // Object state information
}; // 16 bytes total
The fields are largely self-explanatory. You'll notice that I used an 8-bit number for speed, so the max speed it will report is 255 MPH. Also, the 32-bit ctime field means it's vulnerable to the Year 2038 Problem.
The field worth explanation is "mode", which is set as follows:
Value | Meaning
255 | Startup position.
254 | Live. Transmitted and ACKed in realtime
1-n | Stored position
The first few position observations are always flagged as mode 255, regardless of whether they're able to be transmitted live or not. (This way you know where the device started.)
The stored position value is simply the number of 10-second intervals since last transmission modulo the MAX_INTERVAL setting. This is how the unit "downsamples" the stored waypoint resolution if the buffer fills up.
So... how well does it work?
Here's a plot on OpenStreetMaps of me driving to work one morning. The blue markers are live (mode 254) and the red markers are stored.
Technical Details
Hardware:
- Digistump Oak
- NMEA serial GPS module (e.g. uBlox or MTK)
Software:
The software for the Digistump Oak, as well as a PoC DNS server (in python) to log the output, is available here:
https://github.com/phreakmonkey/towl
https://github.com/phreakmonkey/towl
Check the README notes under both subdirectories for build dependencies / config notes.
Setup:
You'll need to host a custom nameserver on the Internet to receive the DNS queries. You'll also need to control a domain so that you can designate your DNS query receiver as a subdomain.
E.g. if you own the domain "MyDomain.com", you could designate a server to receive the TOWL queries by creating a NS record for "TOWL.MyDomain.com", pointing at the server you intend to run the catcher on. If said server is at IP address 1.2.3.4, then that record looks something akin to:
TOWL IN NS 1.2.3.4
Run the PoC code on the designated server. Be sure to configure both the TOWL devices and the server code for the "TOWL.MyDomain.com" domain name. (See README under each directory for instructions.)
Have fun!
gps tracker dns
Have fun!
gps tracker dns