HackerBox 0073: LAN Lord

Introduction: HackerBox 0073: LAN Lord

Welcome to HackerBox 0073. We will explore Wi-Fi channels and frequencies, configure the ESP8266 D1 Mini SoC, assemble the Open Source Wi-Fi Nugget, leverage the Wi-Fi Nugget as a communications security and hacking tool, introduce the Rtlduino dual-frequency wireless SoC, assemble a full-color TFT display platform for the Rtlduino, and leverage the platform to implement a Wi-Fi channel mapping tool capable of operating on both 2.4GHz and 5GHz wireless bands.

HackerBoxes is the monthly subscription box for enthusiasts of electronics and computer technology - Hardware Hackers - The Dreamers of Dreams.

There is a wealth of information for current and prospective members in the HackerBoxes FAQ. Almost all of the non-technical support emails that we receive are already answered there, so we'd really appreciate it if you can take a few minutes to read the FAQ.

Supplies

This Instructable contains information for getting started with HackerBox 0073. The full box contents are listed on the product page for HackerBox 0073 where the box is also available for purchase while supplies last. If you would like to automatically receive a HackerBox like this right in your mailbox each month with a $15 discount, you can subscribe at HackerBoxes.com and join the revolution!

A soldering iron, solder, and basic soldering tools are generally needed to work on the monthly HackerBox. A computer for running software tools is also required. Have a look at the HackerBox Core Workshop for a set of basic tools and a wide array of introductory activities and experiments.

Most importantly, you will need a sense of adventure, hacker spirit, patience, and curiosity. Building and experimenting with electronics, while very rewarding, can be tricky, challenging, and even frustrating at times. The goal is progress, not perfection. When you persist and enjoy the adventure, a great deal of satisfaction can be derived from this hobby. Take each step slowly, mind the details, and don't be afraid to ask for help.

Step 1: Wi-Fi Frequencies and Channels

The 802.11 standard provides several distinct radio frequency ranges for use in Wi-Fi communications. These range from 1000 MHz to 60 GHz bands. Currently, the most commonly used frequency bands are 2.4GHz and 5GHz.

Each range is divided into multiple channels numbered at 5 MHz spacing. Although channels are numbered at 5 MHz spacing, transmitters generally occupy at least 20 MHz, and standards allow for channels to be bonded together to form wider channels for higher throughput.

Each Wi-Fi channel is a small segment of a frequency through which wireless networks can send and receive data. The 2.4Ghz band is made up of 14 channels, 3 of which are non-overlapping channels. In the illustration the non-overlapping channels are shown with solid lines while the others are dotted. The 5Ghz band has 23 channels, 8 of which are defined for indoor routers and access points.

The 2.4GHz band provides a wide coverage area and is better at penetrating solid objects. It has a maximum data speed of 150Mbps. Unfortunately, 2.4GHz frequencies can suffer more interference and disturbance.

The 5 GHz frequencies support higher data speeds with reduced interference, put provide narrower coverage area and are less capable of penetrating solid objects.

Step 2: ESP8266 D1 Mini

The D1 Mini Module is based on the ESP8266 SOC. The ESP8266 SOC includes a microcontroller core, Wi-Fi circuitry, and an integrated TCP/IP protocol stack. The ESP8266 is capable of running code directly on its MCU core, or the ESP8266 can act as a communication peripheral to provide WiFi functionality to another microcontroller.

ESP8266 with the Arduino IDE

The D1 Mini Module can be programmed through the Arduino IDE. To set up the ESP8266 support within the Arduino IDE, follow Steps 1-5 of this tutorial.

In the IDE, select Tools > Board > ESP8266 Boards > LOLIN WEMOS D1 R2 & mini

Under Tools > Port select the COM port that appears when the D1 Mini is plugged in

Blink an LED

Open and upload the sketch: File > Example > ESP8266 > Blink

Once uploaded, the Blink sketch will flash the blue LED on the D1 Mini

You can experiment with changing both delay calls in the blink sketch to 2000, run the code, and then change them both to 200 and run the code again. Verify that the LED flashes ten times faster with the 200ms delays compared to the 2000ms delays.

Scan Wi-Fi Networks

The best thing about the ESP8266 is Wi-Fi support, so let's try it out. Grab the NetScan8266.ino sketch attached here. Program it into the D1 Mini.

Open Tools > Serial Monitor and set the baud rate to 9600.

The ESP8266 will scan for all 2.4GHz networks and then list out the SSID and RSSI of each one to the serial monitor.

Step 3: Assemble the Wi-Fi Nugget

The Wi-Fi Nugget is a cool hacking platform based on the D1 Mini module with an added OLED display, four push buttons, and an RGB WS2812B LED.

The Open Source Hardware Wi-Fi Nugget was designed by skickar and alexlynd. MOAR Nuggets can be purchased from Retia.

Assembly Notes:

Start with the four pushbuttons. They are not polarized and can be oriented in either direction.

Next set the LED. It must be correctly oriented, so find the little white triangle on one corner of he LED itself and the corner marking on the PCB silk screen. Turn the LED so that these line up.

Next solder on the ESP8266 D1 Mini using the header pins. After soldering, trim the pins close the Nugget PCB

ALWAYS WEAR SAFETY GLASSES WHEN CUTTING PINS

The last item to solder is the 1.3 inch OLED Display. Prior to soldering the OLED, it is a good idea to put some electrical tape (or carboard or plastic or whatever) between the display and the D1 mini pins that protrude underneath. This can help prevent things from shorting out and also makes the finished product feel nice and solid.

Shall We Play A Game?

This one has nothing to do with LANs, but games are always fun.

Give the attached arkanug.ino a shot.

Note that arkanug requires first setting up the library ssd1306 (by Alexey Dynda) through the Arduino IDE library manager.

Step 4: Wi-Fi Nugget Projects

This video demonstrates the power and versatility of the little ESP8266 SoC as a security tool.

Wi-Fi Nugget Packet Monitor code

Wi-Fi Nugget Quick Start video

Find additional videos and projects on HAK5 YouTube Channel

Search for "WiFi Nugget" on YouTube

Step 5: Rtlduino RTL8720DN Dual-Band IoT Module

The Rtlduino development board includes the BW16 dual-band Wi-Fi+Bluetooth SoC module. The BW16 is based on the RTL8720DN chip from Realtek (datasheet). The RTL8720 supports dual band (2.4GHz and 5GHz) Wireless LAN (Wi-Fi) and Bluetooth Low Energy (BLE 5.0). The RTL8720 incorporates two processing cores:

The first core is a high-performance MCU called the KM4. This high-performance core is ARM Cortex-M33 instruction set compatible (Armv8-M). The KM4 MCU is a 32-bit core supporting enhanced debug features, floating point computation, DSP instructions and incorporates a 3-stage pipeline.

The second core is a low power MCU called the KM0. This low-power core is ARM Cortex-M23 instruction set compatible (Armv8-M). The KM0 MCU is an energy-efficient "coprocessor" operating on a simple instruction set and reduced code size while remaining code-compatible and tool-compatible with the high-performance KM4 core.

Features:

  • Dual Band Wi-Fi: 2.4GHz and 5GHz
  • 802.11a/b/g/n
  • Supports HT20/HT40 mode
  • Low-power modes: beacon monitoring, receiver, suspend
  • Built-in AES/DES/SHA hardware engine
  • TrustZone-M and Secure Boot
  • SWD debug protection and prohibit mode
  • BLE and BT5.0 Bluetooth
  • High-Power Bluetooth Amplifier (7dBm)
  • Shared Wi-Fi and BT Antenna
  • Wi-Fi Modes: STA/AP/STA+AP

Reference: BW16 Documentation (Ai-Thinker)

MAKING FIRST CONTACT:

We suggest making first contact with, and reprogramming, the Rtlduino module prior to soldering the module or connecting anything to its pins. Simply connect the microUSB port on the Rtlduino to your PC and launch a serial terminal program such as the Arduino IDE Serial Monitor or PuTTY. Set the baud rate of the terminal to 38,400.

The terminal should display "AT COMMAND READY" and a # prompt from the Rtlduino. You can type "AT" through the terminal and receive an "OK" in response.

This AT command interface (reminiscent of Hayes modems and initial ESP8266 offerings) is provided by the firmware loaded into the Rtlduino at the factory. You can remove this firmware and run your own programs.

Step 6: Rtlduino - Removing the Factory Firmware

There are three different methods suggested on this forum for clearing the factory firmware on the Rtlduino. We have had success with Method 1 which performs an over the air (OTA) flash using your Wi-Fi network. The process is a little convoluted, so we've attempted to restate it below:

STEP 1. Download the AmebaD SDK

The SDK can be found at the ambiot GitHub.

STEP 2. Connect the Rtlduino to your Wi-Fi Network

This is done through the Rtlduino AP command interface

From the serial terminal, enter the AT Command: ATPN=SSID,password

Wait for the response: #ATPN OK

Note that the Wi-Fi network used needs to be the same one that your PC is on

STEP 3. Generate the OTA.bin File

Among the SDK files downloaded above, navigate to the folder "tools\AmbaD\Image_Tool"

Run image_tool.exe

Click the "Generate" tab

In the "Generate Target" dropdown, select OTA_All

Check the box next to "Bin 3"

On that same line, hit browse and navigate to that same "Image_Tool" folder

From that folder, select "imgtool_flashloader_amebad.bin"

Hit "Generate"

To save the output file, navigate to "tools\DownloadServer" among the same SDK files

Save the file into that folder as "ota.bin"

STEP 4. Find the IP Address of your PC
Open a Windows Command Prompt

Run "ipconfig"

Make a note of the full address shown as "IPv4 Address"

STEP 5. Launch the OTA Download Server

From the Windows Command Prompt, change the directory to:
“\tools\DownloadServer” (where you saved ota.bin)

Run start.bat

The tool will display "Listening on Port (NNNN) ... Waiting for client..."

Make a note of that port number.

STEP 6. Connect the OTA Client (the Rtlduino)

Go back to the serial terminal window

Enter the AT Command:

ATSO=IP_address,port_number

The response should show: ”Erase is ongoing…" and then eventually complete.

STEP 7. Check the Rtlduino Firmware Image

Press the reset button (RST) on the Rtlduino to check the serial output has updated

Step 7: Rtlduino - Configure and Test Arduino Tools

First we need to link together two serial ports of the Rtlduino. These are the Main Serial UART and the Log UART. We can link these two ports using two female-female jumpers on the pins shown in the image. The Serial_RX pin is connected to the Log_RX pin. The Serial_TX pin is connected to the Log_TX pin.

Next, install the Arduino IDE (this is probably already done)

Visit the GitHub repo for the Ameba Arduino SDK

Follow the instructions there for adding the additional board manager URL into the IDE

Follow the instructions to install the board manager for "Realtek Ameba Boards"

In the IDE, Select Tools > Board > AmebaD ARM Boards > RTL8720DN(BW16)

Select the appropriate COM port

Open File > Examples > Basics > Blink

Hit the upload icon (arrow button)

After compiling the code, the IDE will show "Please enter the upload mode (wait 5s)"

Press and hold both buttons on the Rtlduino, release the RST button, wait a second, release the Burn button

Hit the RST button again to reset the board and run the newly flashed blink sketch

Repeat the process whenever uploading a sketch to the Rtlduino

The Rtlduino actually has three different on-board LEDs. The define LED_BUILTIN in the blink sketch defaults to LED_G (green). Try replacing all three instances of LED_BUILTIN in the blink sketch with LED_R or LED_B.

Step 8: Rtlduino - TFT Display Interface PCB

Assembly

1) Apply two solder blobs to short across the serial port pads linking RX to RX and TX to TX. These connections replace the jumper wires used in the previous step.

2) Insert the four pin header into the PCB. Position the header with the black plastic and the long pins on the TFT side of the PCB and the short pins protruding through to the side of the PCB with the HackerBox logo. Solder the four header pins.

3) Insert the Rtlduino module onto the side of the PCB with the HackerBox logo. Solder the Rtlduino header pins.

4) Insert the TFT display module on the other side of the PCB. Position the TFT module so that it is floating a bit away from the black PCB by imagining that the yellow and black plastic header insulators are 1.5-2 times thicker than they are. Keep the red PCB and the black PCB parallel while soldering the first few pins. Solder the entire long TFT header to the black PCB and then solder the four pin header to the TFT module.

Install a Library for the TFT Display

Using the IDE Library Manager, install the library "Adafruit ILI9341"

Test the TFT Display with Fractals

Open the sketch File > Examples > Adafruit ILI9341 > mandelbrot

About 18 lines down under the comment "//use SPI" find the #define for TFT_DC

change #define TFT_DC from 10 to 8

Step 9: Rtlduino TFT - PCB Specs

The extra jumpers points on the PCB can be shorted to connect the SD card socket

The blue numbers in the image indicate the definitions of the Rtlduino pins within the Arduino environment

Arduino pins 6 and 7 are not needed by the TFT display and may be used for other I/O connections. Arduino pin 7 connects to the jumper pad labeled PA25 on the black PCB. Arduino pin 6 connects to the circular test pad labeled PB3 on the black PCB.

Step 10: Rtlduino - Dual Frequency Wi-Fi Mapping

Grab the attached DualWiFiMapper.ino sketch and burn it to the Rtlduino.

Feel the power of dual frequency Wi-Fi support?

We can now work with both 2.4GHz and 5GHz wireless channels.

Step 11: Wardriving

Wardriving is the act of searching for Wi-Fi wireless networks, usually from a moving vehicle, using a laptop or smartphone (or an SoC). Software for wardriving is freely available on the internet.

The term Wardriving is derived from the original wardialing. Wardialing is a method popularized by the film WarGames and is, in fact, named after the film. Wardialing consists of dialing every phone number in a specific sequence in search of modems.

Wardrivers often use a Wi-Fi-equipped device together with a GPS device to record the location of wireless networks. The results can then be uploaded to websites like WiGLE, openBmap or Geomena where the data is processed to form maps of the network neighborhood. There are also clients available for smartphones running Android that can upload data directly. For better range and sensitivity, antennas are built or bought, and vary from omnidirectional to highly directional.

(Wikipedia)

Step 12: Salty Security

Grab a new HackerBoxes T-Shirt!

This limited edition design was created by Salty Security.

Get 'em while they last from HackerBoxes, or directly from Salty Security where you can check out all their other sweet but SALTY merch.

Step 13: Trust Your Technolust.

We hope you are enjoying this month's HackerBox adventure into electronics, computer technology, and hacker culture. Reach out and share your success in the comments below or other social media. Also, remember that you can email support@hackerboxes.com anytime if you have a question or need some help.

What's Next? Join the revolution. Live the HackLife. Get a cool box of hackable gear delivered right to your mailbox each month. Surf over to HackerBoxes.com and sign up for your monthly HackerBox subscription.

10 People Made This Project!

Recommendations

  • Fix It Speed Challenge

    Fix It Speed Challenge
  • One Board Contest

    One Board Contest
  • New Year, New Skill Student Design Challenge

    New Year, New Skill Student Design Challenge

38 Comments

0
mbcharney
mbcharney

7 days ago

OK, so I have pretty much given up on trying to get this box to work. Not only does the smaller OLED display not power up nor display anything, I am not able to get the RTLduino to connect in anyway. I have been through everything on this pages comments and nothing work.
Guess I will toss this box in the junk pile for when I need a piece for another project.
Pretty disappointed with the "completeness" of the instructions for this box. I understand we are supposed to have a sense of adventure but after 3 days of trying everything I could find nothing worked!!
Just kind of sad to see the instructable for this hacker box be so lacking.

0
eburman
eburman

Reply 3 days ago

I don't consider this HackerBoxe to be junk. I had some troubles but I was able to work through them with the help of others who commented. In fact I'm very happy with this months box. I've learned quite a lot so far, and I intend to learn much more. Just saying nothing works for you doesn't help. Where do you want to begin?

0
mbcharney
mbcharney

Reply 2 days ago

This never happens:

Simply connect the microUSB port on the Rtlduino to your PC and
launch a serial terminal program such as the Arduino IDE Serial Monitor
or PuTTY. Set the baud rate of the terminal to 38,400. The
terminal should display "AT COMMAND READY" and a # prompt from the
Rtlduino. You can type "AT" through the terminal and receive an "OK" in
response.

And I can't find anything that says how to make the connection work.

0
HackerBoxes
HackerBoxes

Reply 2 days ago

The instructions are perfectly complete. Perhaps we can help...

When you say "the smaller OLED display not power up nor display anything" can you give a little more detail? The display doesn't do anything on its own, you have to connect it to the ESP8266, install a library, and then program the microcontroller to display output on the OLED. Did you do all of those things? Which steps worked? Which did not? At that point, what did happen? Give us something to work with here before incorrectly and rudely telling our instructor that their work is "sad" and "lacking".

Regarding the AT command line interface for the RTLduino: Check the USB cable (data and not just charge), COM port, baud rate, Newline/CR. If you are still not seeing the AT command line interface after carefully checking all those factors, it is possible, albeit rather unlikely, that the factory firmware is already cleared. (It would have been nice if they all came this way!) So try proceeding as though the steps to clear the factory firmware have already been completed.

It is a little confusing that you haven't emailed our support just like you have many, many, many times before. It is odd that you opted to skip that process for this box and instead just made vague, obnoxious public complaints (sad? lacking? that is not cool, and not useful at all - words like that don't belong here).

When you ask questions here, or contact support, always try to be very specific in providing useful detail so that we can give you meaningful help. Simply saying that two unrelated projects are junk and "nothing work" with no additional details or without asking specific questions to get assistance serves no useful purpose.

0
eburman
eburman

Reply 2 days ago

Are you certain that you selected the correct COM port that your computer needs in order to communicate with the RTLduino?

0
eburman
eburman

Question 7 weeks ago

So it appears that using the RTlduino and the AmebaD SDK is pretty solidly a NO-GO for those of us using MacOS and have no access to a Windows PC?

0
asmagill121
asmagill121

Answer 7 weeks ago

Ok, this is what has worked for me... I haven't soldered the stuff together yet, but I have been able to upload the Blink sketch with the Arduino IDE, so I'm assuming it all works for now. At any rate, here are the steps I took:

Go to https://github.com/ambiot/ambd_arduino and follow steps 1 and 2 to get the tools installed on your Mac

In Terminal, do the following (lines preceded with % should be typed in (without the % prompt); other lines are commentary or other instructions):

% mkdir working && cd working
% git clone https://github.com/ambiot/ambd_sdk.git
% cp ambd_sdk/component/soc/realtek/amebad/misc/bsp/image/* .
% cp ambd_sdk/tools/AmebaD/Image_Tool/imgtool_flashloader_amebad.bin .

Create gen.py from https://forum.amebaiot.com/t/resources-bw16-troub... (I used vi, but any text editor will do)

% python gen.py km0_km4_image2.bin 200000 ff

Attach the jumpers as described in this instructable under Step 7

Attach the RTL8720DN via USB to your Mac

In the Arduino program, check what port the RTL creates -- on my machine it was usbserial-1120, which I use below. It may differ on your machine.

Press both the Reset buttons and the Burn buttons at the same time. Release the Reset button while still pressing the Burn button. After a second, release the Burn button.

% ~/Library/Arduino15/packages/realtek/tools/ameba_d_tools/1.0.6/tools/macos/image_tool/amebad_image_tool /dev/tty.usbserial-1120

This will take a while; if you get an immediate response of:
error: Enter Uart Download Mode
Image tool closed!
Then, you either chose the wrong tty port or you released the Burn button too quickly -- try again.

If it seems to just sit there, then wait... it took at least a couple of minutes for me.
Once done, you should see something like:
All images are sent successfully!
error: Err:checksum error
Image tool closed!

I'm assuming the checksum error is because we basically sent a file of raw 0xff bytes, so it's not a valid program. In any case, I ignored this error, then continued with Step 7 of the instrucatable and have been able to load programs with the Arduino application.

Hope this helps!

0
eburman
eburman

Reply 5 days ago

Thank you so much asmagill121!!!!! It works! I've got the blinky sketch working on the RTL and presumably I'll be able to move forward from here. I truly appreciate that you took the time to provide detailed instructions. There's not a lot of people who are willing to put in that much effort. I don't think I would have been successful without your help. I did go down a rabbit hole with the terminal commands on my Mac. It seems that command line tools in Xcode was messed up when I upgraded to the latest version of MacOS Monterey. So I had to Google around to find out how to fix that problem. Stack Overflow provided the information that I needed to install the latest version of command line tools. After that I had to teach myself a bit about terminal commands so that I'd understand what was going on. For awhile I was stumped as to why the "cp" command wasn't working. Finally I realized that the "." at the end of the line is shorthand for the file path to the directory that is the destination for the copied files. I thought it was just a period ending a sentence so I didn't include it in the command. But when I figured out the "." is part of the command everything went exactly as you said it should. Learning how to work with the python scrip was a little sketchy too because I've never worked with that before, but eventually I figured that out too (I used Mu Editor). Also, knowing how to see hidden files was helpful so that I could check the Arduino15 directory and find the correct file path to run amebad_image_tool. It had changed from 1.0.6 to 1.0.7 so that had to be modified in the file path. But all's well that ends well, so hooray for you and hooray for me!

0
asmagill121
asmagill121

Reply 7 weeks ago

Hmm... Instructables doesn't seem to like extremely long lines with no breaks... The step which actually uploads the bin images will copy correctly if you select the two lines, but here it is expanded (when typed in, this should all be one line with no spaces between each sub directory):

~/Library/
Arduino15/
packages/
realtek/
tools/
ameba_d_tools/
1.0.6/
tools/
macos/
image_tool/
amebad_image_tool /dev/tty.usbserial-1120

0
asmagill121
asmagill121

Answer 7 weeks ago

I won't be able to try this myself until tomorrow sometime, but looking at Method 3 on at https://forum.amebaiot.com/t/resources-bw16-troub... I *think* us Mac users can use the amebad_image_tool bundled as part of the Arduino support code... again, I haven't tried this yet, but I think the important steps are to first add the URL to Arduino and download the board defintiion, then go to the link above and go to method 3 step 2 to use the python script to build the necessary .bin file, and finally, if you look closely at the image for step3, he's using the amebad_image_tool that is part of the Arduino bundle rather than from the github page.

Hopefully this makes sense... at least it's what I'm going to try tomorrow, and I'll let you know how it goes.

0
triplebamcam
triplebamcam

21 days ago

Hello - Got everything working, now wanting to dive a bit deeper. Can you provide a link/reference to the datasheet for the TFT display? I know we're using the adafruit ILI9341 library, but I'm betting that the library #define's needs fiddling with to get the touch portion working. I'm trying to play with the ILI9341 example library's onoffbutton example. The graphics draw nicely with the change to #define TFT_DC 8, but I'm betting more is needed. Thanks!

0
GaryK125
GaryK125

Question 21 days ago

Has anyone come up with a 3d printable case for the WiFi Mapper?

0
autotech
autotech

27 days ago

I am unable to get BLINK to work on the RTLduino.
According to the IDE the upload was successful.
any help, or suggestions will be greatly appreciated.
Mike

0
HackerBoxes
HackerBoxes

Reply 27 days ago

You have to remove the factory firmware image. See the information at this link:
https://forum.amebaiot.com/t/resources-bw16-troubl...
It explains that even when the IDE shows that the upload was successful, the uploaded image will not run if the factory image is still in place.

0
milo_rage
milo_rage

4 weeks ago

Did anybody have any issues with the WiFi Nugget display? Compiles and uploads no issues, I see it scanning packets on the serial monitor. 99% sure my soldering was good enough to connect everything.

I was able to get the game to work, so I know it's at least soldered correctly and the LCD is good.

0
mitch.enderby
mitch.enderby

6 weeks ago

Unable to upload the example sketch "Blink" onto the ESP8266 D1 Mini per Step 2. I've followed the provided directions, tried different combinations of configurations and even tried different reset button release timings. I can see it in the serial monitor, but all i get after attempting upload is "esptool.FatalError: Invalid head of packet (0xC4)".

0
ebchopra
ebchopra

Reply 5 weeks ago

Where does it say to hold the reset button? It works for me if I don't.

0
HackerBoxes
HackerBoxes

Reply 5 weeks ago

The D1 Mini has an auto-reset circuit based on the control signals from the PC serial interface. You should not need to use the reset button when programming the D1 Mini.

0
ebchopra
ebchopra

Question 5 weeks ago

Does anyone know how to get the other games in the ssd1306 library to work on the wifi nugget?