Do WiFi devices transmit packets when they are just turned on? - networking

I read a lot about WiFi sensors being used to track smart phones in retail environments. The location triangulation is done on the basis that a smart phone has its WiFi turned ON, be it in connected or unconnected state.
Case 1: WiFi turned ON but unconnected
Why should a smart phone which has its WiFi turned ON need to transmit the packets, unless the user 'scans' for nearby WiFi networks?
Case 2: WiFi turned ON and connected
Why should a smart phone transmit any packets, unless the user is browsing the net?
In both the above cases, there is a high chance that most of the time the WiFi device does not send any packet, which means none of the WiFi sensors detect it. If that is true, then the whole idea behind WiFi sensor based triangulation in retail goes for a toss; clearly, with so many companies working on this, I must be wrong. Please answer with more than a yes or no, as to which packets are generally sent in both the above scenarios.

If wifi is turned on it will periodically search for new networks. This happens even if you are already connected to one, as it allows the device to connect to a 'better' network, if available.
Scanning/network discovery can be done in two ways. The first is passive, when a device listens to surrounding access points' (AP) beacon frames. These are basically advertisements for their network. The second method is called active. This is the most likely explanation of how the technology you mentioned works. Active scanning is when the device sends out a probe frame asking for available APs. These are generally ones that you have associated with previously, e.g. your home network. These probes can be listened to from nearby 802.11 (WiFi) devices, therefore tracking you.
Active and passive scanning
802.11 frames

As mentioned in @AndrewLeeming's answer, one of the causes of data transmission is scanning.
It's not necessary, but normally it will be performed to find a network to connect to (or a better network, in case the device is already connected). Active scanning can be turned off for power saving reasons. Passive scanning doesn't involve transmissions, so it's irrelevant to this question.
However, the most important reason for WiFi devices to transmit packets while connected is to let the AP know that the client is still available. Otherwise the AP will drop the link after a certain period of time without activity. Additionally, the clients might be in power save mode and instruct the AP not to transmit data to them. From time to time the client will ask the AP whether there are any pending packets for it.
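To make the two answers above concrete, here is an added example (not code from either answer) that parses constructed 802.11 frames the way a passive listener would: it picks out probe requests with the SSIDs a station asks for, and classifies the PS-Poll and null-data frames the second answer describes. The frame layout follows IEEE 802.11; the MAC address, SSIDs and the capture itself are constructed sample data.

```python
import struct

BCAST = b"\xff" * 6

def frame_kind(frame):
    """Classify an 802.11 frame (no FCS) by the type/subtype bits of Frame Control."""
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    return {
        (0, 4): "probe-request", (0, 5): "probe-response", (0, 8): "beacon",
        (1, 10): "ps-poll",      # client asking the AP for frames buffered during power save
        (2, 4): "null-data",     # empty data frame, commonly used as a keepalive
    }.get((ftype, subtype), f"type{ftype}/subtype{subtype}")

def parse_ies(body):
    """Walk the tag/length/value information elements of a management frame body."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

def probe_request_info(frame):
    """Return (source MAC, SSID) for a probe request, None for any other frame."""
    if len(frame) < 24 or frame_kind(frame) != "probe-request":
        return None
    ies = parse_ies(frame[24:])   # 24-byte MAC header; subtype 4 has no fixed fields
    sa = ":".join(f"{x:02x}" for x in frame[10:16])
    return sa, ies.get(0, b"").decode("utf-8", "replace")

def build_probe_request(sa, ssid=b""):
    """Constructed sample frame: FC=0x0040 (mgmt/probe-req), DA and BSSID broadcast."""
    hdr = struct.pack("<HH6s6s6sH", 0x0040, 0, BCAST, sa, BCAST, 0)
    return hdr + bytes([0, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])

def stations_seen(frames):
    """What a passive listener learns: each probing MAC and the SSIDs it asked for."""
    seen = {}
    for f in frames:
        info = probe_request_info(f)
        if info:
            mac, ssid = info
            seen.setdefault(mac, set()).add(ssid or "<wildcard>")
    return {m: sorted(s) for m, s in seen.items()}

# Constructed capture: a phone (locally administered MAC) probing for two remembered networks
# plus a wildcard probe, and one PS-Poll (FC byte 0xA4) that is not a probe at all.
PHONE = bytes.fromhex("021a2b3c4d5e")
CAPTURE = [build_probe_request(PHONE, b"HomeWiFi"), build_probe_request(PHONE, b"Cafe-Guest"),
           build_probe_request(PHONE), struct.pack("<HH6s6s", 0x00A4, 0xC001, BCAST, PHONE)]
```

Current iOS and Android releases randomise the MAC address used for probing, which reduces (but does not remove) the tracking exposure this parser makes visible.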


Is there a way to broadcast UDP packets with ESP8266 without wifi connection?

My question is regarding an ESP8266 board and the ESP-touch technology.
ESP-touch uses the length field of a UDP packet to broadcast the WiFi ID and PW through a device (like a smartphone) to the chip (in my case an ESP8266).
I want to turn this around, more specifically:
I want the ESP8266 chip to broadcast UDP packets with some sort of identifier-number in the length field of the UDP packet, without being connected to any WiFi network. Then these UDP packets are received by an app on a smartphone so the identifier-number can be extracted and used on the smartphone.
I am relatively new to this topic and do not know if this can work.
When I try to find any information online they all say that the first step is to connect the chip to a WiFi network. But I don't want that. The smartphone and the chip don't know each other and are not connected in any way. So I want this type of "broadcasting" so that the smartphone can receive the packet without really being connected to the chip.
I guess there must be some way to make it function like I explained above, but I can't find a way how this can work.
I don't need the chip to send UDP packets explicitly, it can be any type of packet. I took UDP packets as an example because there is already the ESP-touch technology which is more or less similar.
The important thing is that the packet that I send has a field where I can put some identifier-number in (not encrypted), which can then be received by another device like a smartphone where this identifier-number is extracted.
For clarification: I don't need to use ESP-touch or anything related to that. I only stated this technology as an example. I just want to achieve the behavior stated above and in the picture! :)
This is an example picture of how I want it to work:
No, it's not possible to send any packets without being connected to the network. ESP-touch or TI Smart Config or similar technologies utilize Monitor mode. As the name suggests, in this mode one can listen for packets, but can't send them.
ESP-NOW provides data flow between ESP devices without connections via a router. It is another feature of the Espressif API. There are tutorials for ESP8266 and ESP32:
https://randomnerdtutorials.com/esp-now-esp8266-nodemcu-arduino-ide/
https://www.instructables.com/ESP32-With-ESP-Now-Protocol/
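The question describes ESP-touch as carrying the credentials in the UDP length field. The added example below (my own simplified scheme, not Espressif's ESP-touch framing or code) shows how such a length channel works end to end: the sender picks one payload length per byte, and a monitor-mode listener recovers the bytes from frame lengths alone, without decrypting anything. That is also why the asker's observation that the field is "not encrypted" holds even on a WPA network: link encryption hides the payload, not its length. BASE, SYNC, OVERHEAD and the two MAC addresses are constructed assumptions.

```python
BASE = 40       # payload lengths below BASE are reserved for framing (toy scheme, not real ESP-touch)
SYNC = (1, 2)   # two short datagrams mark the start of a message
OVERHEAD = 84   # constructed constant: bytes the 802.11/LLC/IP/UDP headers and encryption add on air

def encode(msg: bytes):
    """Map a message onto UDP payload lengths: sync, byte count, one datagram per byte, checksum."""
    if len(msg) > 255:
        raise ValueError("byte count must fit in one length slot")
    return [*SYNC, BASE + len(msg), *(BASE + b for b in msg), BASE + (sum(msg) & 0xFF)]

def decode(observed, sender):
    """Recover the message from (source MAC, on-air frame length) pairs seen in monitor mode.
    Only the lengths are used, so this works whether or not the WLAN payload is encrypted."""
    lens = [n - OVERHEAD for mac, n in observed if mac == sender]
    for i in range(len(lens) - 2):
        if (lens[i], lens[i + 1]) != SYNC:
            continue
        count = lens[i + 2] - BASE
        vals = [n - BASE for n in lens[i + 3:i + 4 + count]]
        if count < 0 or len(vals) != count + 1 or any(not 0 <= v <= 255 for v in vals):
            continue                      # truncated capture or a stray sync-looking pair
        data = bytes(vals[:count])
        if (sum(data) & 0xFF) == vals[count]:
            return data
    return None

def on_air(mac, payload_lengths):
    """Constructed sniffer view: each datagram becomes one frame of payload + OVERHEAD bytes."""
    return [(mac, n + OVERHEAD) for n in payload_lengths]

SENDER, OTHER = "02:aa:bb:cc:dd:01", "02:aa:bb:cc:dd:02"   # constructed, locally administered
msg_frames = on_air(SENDER, encode(b"ID-4711"))
# Unrelated traffic from another station interleaved with the sender's datagrams
CAPTURE = on_air(OTHER, [300]) + msg_frames[:4] + on_air(OTHER, [120, 64]) + msg_frames[4:]
```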

How to spoof individual BLE packets

I'm doing a security analysis project on an IoT device that uses an unencrypted BLE connection (with ATT protocol) and I want to spoof an individual BLE packet with the source address of an already connected device. Is there some tool or API that would allow me to do this easily? I've already tried gatttool and spooftooph but they seem to be connection based and don't allow you to send out single packets with modified fields (as far as I could tell).
You will need some hardware where you can access the radio peripheral directly. What you basically need to do is to find or write a BLE sniffer firmware, with the modification that it at a given moment sends a packet on the connection it is currently listening to. But note that the signal strength must be stronger than the original device's signal so it doesn't interfere.
The only open source project I'm aware of is Ubertooth. You will also be able to do this with an nRF52, but then you need to write your own sniffer firmware since Nordic Semiconductor's is closed source.
I can't comment on Emil's reply yet, < 50 rep:
Nordic Semi's nRF Sniffer v2 needs only the nRF52DK and Wireshark to work as a general BLE sniffer. At $40 it's not that expensive. I know for a fact they will release a new dongle soon that will sell for ~10-15 bucks if you can wait a month or two.

Connecting to BLE using an initial out-of-band message

I am engineering two BLE devices, a central and peripheral. (Using a PSoC 4 BLE, not that it matters)
There will be a lot of these in a small space, maybe up to 8 within range, but hundreds of peripherals and tens of centrals all coming and going, with no particular rhyme or reason behind which one central/peripheral the user will want to pair at any given time.
I also have an unrelated technology that makes it very easy for the user to move a blob of data from the central to the peripheral of their choosing. I believe this will make pairing much easier in most but not all scenarios.
I figure the non-BLE blob would contain at least the central's MAC address, and maybe a randomly generated PIN or shared key. Because the blob can only go from the central to the peripheral, the receiving peripheral is really the only device that knows the addresses of the two devices that are supposed to connect.
However, as I understand it, peripherals can't make outgoing connections. I can't swap roles because I still need the BLE search to work the traditional way.
I can think of a lot of ways to get this done, but I'm very interested in hearing the opinion of someone who has worked with BLE long enough to know what might fit best (or if I'm wrong about some assumption).
Some constraints I'm working with:
The peripheral is battery powered.
The usual search and pair method must also still work.
My own half-baked ideas:
Make the peripheral able to be a central too, but then does that introduce more nuances and complications?
Broadcast from the peripheral, "whoever has X MAC address, please connect to me"
Put a similar message in the advertising packet and increase the advertising rate.
Directed advertising similar to above?
You could let the "non-BLE blob" contain a static random address which the central generates. After the peripheral receives that, it starts advertising with that static random address. The central is also configured to initiate a connection to that particular static random address. Will this work?

Bluetooth Low Energy Profile/Service Selection

My requirement is as follows:
I need to send Proximity Sensor (Reed Switches/Magnetic Sensor) reading (On/Off) from two Input Pins to a central PC.
I need to use coin cell. So basically the app should be in sleep mode and once there is any interrupt on any of these two pins it should wake up to send its state to the central PC.
I have a DA18450 chip and development board (Murata ZY type) with me.
Dialog Semiconductor 18450
Murata Bluetooth Smart Development Board
I am a beginner to Bluetooth technology and started reading about it just a week back.
Could someone guide me about the most apt Profile/Service suitable for my application?
If you want the device to actually sleep then it'd probably be best for it to just transmit data via advertising packets when the device awakens. Otherwise you have to maintain a connection which requires staying awake at some level. However, advertising packets are broadcast and the device can't know if anything received those packets (you could have it broadcast several times for a fixed period of time or have it constantly broadcast while the proximity alert is valid). Also, on the receiving end, with no connection there's no way of knowing the transmitting device is even there when nothing is being transmitted.
The advertising packets have a section for limited information and that's where you'd transmit data if you don't want to establish a connection.
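As an added example that is not part of either thread, the following code covers two pieces above: the static random address that the answer to the pairing question suggests the central generate and pass in the out-of-band blob (the peripheral then advertises with it and the central filters on it), and the advertising payload the last answer recommends for carrying the two reed-switch states without a connection. The PDU header and address rules follow the Bluetooth Core specification; COMPANY_ID is a placeholder and the byte layout inside the manufacturer data is my own.

```python
import os, struct

ADV_NONCONN_IND, TXADD_RANDOM = 0x02, 0x40   # PDU type nibble; TxAdd=1 means AdvA is a random address
AD_FLAGS, AD_MANUFACTURER = 0x01, 0xFF
COMPANY_ID = 0xFFFF                           # placeholder company identifier, not an assigned one

def is_static_random(addr):
    """Static random address: two most significant bits 11, other 46 bits not all 0 or all 1."""
    if len(addr) != 6 or addr[5] >> 6 != 0b11:    # air order is little-endian, MSB is addr[5]
        return False
    rest = int.from_bytes(addr, "little") & ((1 << 46) - 1)
    return rest not in (0, (1 << 46) - 1)

def make_static_random_address():
    """What the central would generate and hand over in the out-of-band blob."""
    while True:
        a = bytearray(os.urandom(6))
        a[5] |= 0xC0
        if is_static_random(a):
            return bytes(a)

def ad_struct(ad_type, data):
    return bytes([len(data) + 1, ad_type]) + data

def build_sensor_adv(adv_a, pin0, pin1, seq):
    """ADV_NONCONN_IND from adv_a carrying both reed-switch states plus a sequence counter."""
    state = (pin0 & 1) | ((pin1 & 1) << 1)
    adv_data = ad_struct(AD_FLAGS, b"\x04")   # 0x04 = BR/EDR not supported
    adv_data += ad_struct(AD_MANUFACTURER, struct.pack("<HBB", COMPANY_ID, state, seq & 0xFF))
    if len(adv_data) > 31:
        raise ValueError("AdvData is limited to 31 bytes")
    payload = bytes(adv_a) + adv_data
    return bytes([ADV_NONCONN_IND | TXADD_RANDOM, len(payload)]) + payload

def parse_sensor_adv(pdu, expected_adv_a=None):
    """Central side: (pin0, pin1, seq), or None if wrong PDU type, wrong AdvA or malformed."""
    if len(pdu) < 8 or pdu[0] & 0x0F != ADV_NONCONN_IND or pdu[1] != len(pdu) - 2:
        return None
    adv_a, data, i = pdu[2:8], pdu[8:], 0
    if expected_adv_a is not None and adv_a != bytes(expected_adv_a):
        return None
    while i < len(data):
        ln = data[i]
        if ln == 0 or i + 1 + ln > len(data):
            return None                              # truncated or zero-length AD structure
        ad_type, body = data[i + 1], data[i + 2:i + 1 + ln]
        if ad_type == AD_MANUFACTURER and len(body) == 4 and body[:2] == struct.pack("<H", COMPANY_ID):
            return body[2] & 1, (body[2] >> 1) & 1, body[3]
        i += 1 + ln
    return None
```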

wide area broadcast over wifi

I want to find a solution to broadcast voice over WiFi to the people in a march. Since Android and iPhone are the most popular devices among the people in the march, it would be great if I could find a solution for audio broadcast over WiFi with a limited budget.
I know that people in the Occupy movement use different apps on their phones, but that is not suitable for a march in my city, as the authorities in my country may temporarily shut down mobile data to disable the app.
If I can develop an app to gather the broadcast message (SSID) from a powerful WiFi AP with a long-range directional antenna, I should be able to deliver messages to the people in the march. Is this a possible solution?
Also, is it possible to modify the AP to allow any device to join it without further acknowledgment and broadcast messages to all devices in that network?
Any idea or opinion is welcome.
Many Thanks.
This will be difficult, especially with a large number of users. Since you only need to send audio in one direction, that will at least be a bit easier.
First, you're going to want to put that AP in the middle of the crowd with an omnidirectional antenna. Perhaps, in a backpack or something. Each phone on that network needs to "hear" when other phones are transmitting, or it will be a mess. Even though your application is one-way, 802.11 isn't.
Now, when you write your application, use UDP packets sent to the broadcast address. No need for TCP packets, as they will clog up your network anyway.
Use a simple voice codec, such as AMR. The codecs available vary from platform to platform. See this document for a list on Android: http://developer.android.com/guide/appendix/media-formats.html
Honestly, the easiest solution would be to go buy a small FM transmitter, since many phones have receivers in them anyway.
