wardriving
Added 'jump menu': Sept 25th 2025
Added radiation driving section: Oct 1 2025
Jump menu
Why wardrive
Links and resources
tbg vs Kismet GPS
Android Phones
Phone Placement
WigleFin
Scanning all the wifi
wifydra
Scan speed setting
CPU Throttling
BLE Scanning impacts wifi?
Programming the Signal Sleuth
Building the Signal Sleuth
tbg madness mods
It really matters where you put the LNA
Yagi vs panel (high gain build)
Radiation driving
thebaldgeek finds wardriving very relaxing and a great way to explore the world. Be it just a few blocks around where you live, or the planet. Seeing the ebb and flow of the density of WIFI access points gives him a bigger world view and a touch of humility that he appreciates.
Of course, there is also a baldgeek aspect to the hunt, the RF side of building a rig to capture as many SSIDs as you drive down any given length of road. tbg is fascinated by the idea that it's unknowable. No matter how much you tweak your setup, did you get them all? Is there some other change you can make to accurately catch any more SSID broadcast beacons?
Lastly, tbg is interested in contributing to large public data sets. Adding his travels to the larger community's pool scratches a part of his brain that needs it.
Over-simplifying, wardriving is about picking up as many Wifi SSID's as possible. Second to that, but very importantly, is having them accurately GPS tagged, and striking the balance between range and accuracy.
ie, if you run a high gain directional antenna, sure, you might get a few more SSID's, but they will be poorly tagged with GPS data and thus dilute the value of the data somewhat.
It’s crucial to make clear a common misconception. wardriving these days does NOT involve CONNECTING to the SSID. It is just passively listening and logging the SSID. That’s it.wardriving is not about warchalking or trying to hack any wifi, or get anything for free.
NO CONNECTION IS EVER MADE.
The only hacking that is going on is the fun of tweaking your rigs hardware to capture as many beacons as fast as possible.
thebaldgeek joined Wigle around Dec 2015. Before then, he was actively wardriving for about 5 years with many different setups - Orinoco cards in an HP Jornada, for example. He's been testing various setups and antennas, using the Wi-Fi SSIDs' broadcasts as signal sources, as the RF aspect is a strong interest.
Covid 2020 was good for wardriving, hardly any traffic and lots of home wifi's. You can see the slight bump in tbg's upload graph around that time. Sadly tbg had to go into the office every day during Covid - one of the worst 3 years of his life - he's still bitter.
Aug 2024 he got the bug again and started pushing for the 1 million mark (Aug 2025, hit the one million Wifi discovered by thebaldgeek. Sep 2025 broke into the top 200 leaderboard).
Once again, this page is a messy brain dump of notes and current setups tbg is running.
Why wardrive?
There are a lot of different goals and reasons to wardrive.
For tbg, living in Southern California (high population density and thus high geek density means that a lot of SoCal has already been wardriven by different methods) means that the big wifi nuggets have been mined and picked over to a good extent, so his goal is to build a rig/setup that will extract the flecks of wifi gold that others have missed from the same roads. This does NOT mean high-gain antennas, but rather ensuring that each and _every_ wifi SSID is geotagged as accurately as possible. This means using sensible antenna gain, lower ground speed, higher speed Wi-Fi channel scanning and very good GPS signal / many GPS sats fixing each SSID that is heard.
 |
| SoCal town of Temecula before and after being wardriven by thebaldgeek |
Your goals might be different. Regardless, take a pause to think about why you are wardriving, what your goals are, and how to reach them the most efficient and interesting way. Lastly, if you've not started wardriving yet, just know that its a marathon, not a sprint.
In June 2025, moving to North Idaho opened up a whole new area to wardrive. thebaldgeek found it a great way to get to know the new hometown location with the goal of diving every road possible. Pointing back to the opening paragraph, tbg found it a very helpful de-stressing / escape from the move. Driving while listening to his beloved pure trance is very therapeutic, and being able to add wardrving to the ‘reason’ was a key part of fighting a good amount of anxiety and depression - but enough of that.
Wardriving sites and resource links
Reddit wardrivers sub is pretty solid: https://www.reddit.com/r/wardrivers/Wigle forums are very quiet, but worth browsing: https://wigle.net/phpbb/index.php
Some Discord options are out there, drop a comment to this blog if you find some of value. tbg has heard good things about RF Hackers Sanctuary https://discord.com/invite/JjPQhKy Note, you won't find him there, he's a bit anti / burnt out with Discord for the past few years after a bad time in some servers a good while ago and the fact that they think they replace regular forums and thus gatekeep / lock up knowledge exchange.
This page is required reading: https://www.kismetwireless.net/posts/2022-07-71-wardriving/
Hard core Kismet build: https://www.busysignal.io/wardriveferris3/ Franky, all of BusySignal's blog is worth a read: https://www.busysignal.io/
Window coax passthrough 3D print from MrBill: https://www.thingiverse.com/thing:5678750
More wardriving 3D print ideas: https://www.thingiverse.com/search?q=%22wardriving%22&page=1
Why add Bluetooth to wardriving: https://deflock.me
Wigle overview and some wardriving basics: https://www.youtube.com/watch?v=1ibg0tgVugY
Community photo dump of builds: https://github.com/rfhs/rfhs-wiki/wiki/Community-Builds
Short tbg rant about Kismet
A lot of hard core wardrivers run kismet on a laptop or SBC and many (many) wifi adaptors.
This makes perfect sense and tbg tried really really hard to build such a rig.
One very horrible memorable week... Well, 5 FULL 8 hour days were spent trying to get Kismet to see a GPS, all to null result.
Nightly builds, distro images, build from source, 'apt-get install' were all tried to simply get Kisment to see any of the 4 tested GPS units.
Hundreds of purple links proved that tbg was not the only one to have the issue....
Regardless, Kismet is now dead to thebaldgeek. Not going back there again any time soon. (Its been a year since that week, his mind has not yet been changed even a tiny bit - yes, he's that pissed off and annoyed).
As such, this is why non-kismet builds are the focus of tbg.
Android Phones running Wigle.
Never throw out old Android phones. (But there are age limits.)
Old phones that are, say, more than 6-8+ years old often struggle to have the right SSL certificates, and so they can’t connect to the wigle.net servers. On some, you can side-load the old version of the Wigle APK and get the app running, but generally it's a bit more hassle than it's worth.
Safe to say that simply installing the Wigle app from the Google Play store and letting it run on your phone any time you are out and about is the easiest way to get going with wardriving.
Do note that Google decided to throttle the wifi channel scanning speed to save a bit of battery power; it's up to you if you want to enable developer mode and disable that throttle or not. tbg turns it off on every Android he has and has not really noticed that much of a battery life hit, but just know that it's an option, and be aware of the downsides. Of course, if it hurts your battery life, turn the throttle back on, experimentation is the name of the wardriving game.
And sorry iPhone folks. Apple does not like its users playing on the other side of its walled garden. Ask some friends, family, or co-workers if you can have / buy their old Android phones they have sitting in the top drawer going unused.
Phones that tbg has tested or currently uses as of Aug 2024:
Note 9 - not great
Pixel 5 - Okish
Pixel 8 Pro - pretty good. Daily driver phone and in-car wigle map display
Samsung G23 - solid. tbg sons daily driver. Tested in-car only.
Samsung G20 - Beast. No, really, this phone is the best wardriving Android that tbg has found hands down.
Nexus 7 - External antenna mod. Great setup, on the large size, but the external antenna mod makes it worth running. (Died Aug 2024 - display issues).
Aug 2025 tbg added:
Pixel 9 Pro XL - pretty good. Replaces the Pixel 8 as the in car daily driver
Note 20 Ultra - horrible. Returned back it to Amazon, it was so bad.
Wifydra - Interesting, mixed results (keep reading)
Aug 2024 tbg runs three phones on 98% of his wardrives, the P8P in the car showing the wigle map - it’s also scanning of course, P5 and G20 are the main scanners.
The P8P on the left: 2170
Samsung S20 on the right: 3570
Same drive. The S20 really is a wardriving beast.
Phone placement.
Clearly, just having a phone in the car on a vent or suction cup mount is the safest and cleanest way to set things up. If you have one Android phone as your daily wardriver, then just running the Wigle app while going about your life is fantastic and good fun.
Once you start running three or more phones, it gets a lot more fun and complicated keeping them charged and uploading after each run.
For a time around November 2024 tbg ran tasker to turn WiGLE scanning on & off as he left and arrived on his home Wifi. Tasker is not a free app, so there is some expense and its also somewhat complicated to setup. tbg did not find a clear how-to and really should write up how to do this, but in the end he found it too unreliable to be trustworthy. From 2025 onwards, he's not using it. YMMV.
tbg heard about one guy who runs five phones on every wardrive. 1 daily driver up front with him on the driver's side, one at the front of the car on the passenger side, one on the rear driver's side window, one on the rear passenger side window, and 1 in the middle of the back window. Pretty solid if somewhat crazy setup. Not something tbg wanted to replicate...
One thing tbg learned the hard way with L-Band ACARS is that often window tint can block GHz signals. In the case of cars, this includes the ceramic and 3M window tint (very popular in SoCal), or any brand tint that blocks UV radiation (heat). Tip. A lot of windscreens have a clear UV block tint. Test tip: Put your hand near your windscreen or window near your Android location, think about how warm from radiated heat it feels. Wind down the window and feel the direct sun heat. If the direct sun is greater, your car has UV blocking tint.
Given this first-hand experience from the placement of 1.7GHz satcom helix antennas, of course, he figured he should test it with his wardriving phone setup.
 |
| 3D printed 1.6Ghz helix. Don't point it out the window. |
tbg figured the best place for a GHz RF antenna is outside the car, outside the RF shield, getting an extra few feet of height does not hurt either..
thebaldgeek firmly believes this one change has given him a massive jump in the Wigle leaderboard rankings. Beyond just wardriving consistently, beyond driving new ground, just getting the phone outside of the Faraday cage that blocks about 50% of the signal!!!
Keep in mind the bulk of those numbers came from the Pixel 8 in the car and the Pixel 5 on the roof.
thg did not get the S20 till way late in those numbers. With the S20 on the roof, the numbers really kicked into high gear.
His point is, you can make any wardrive a lot more impactful by getting your backup device outside the cage.
Let's take a look at some numbers to back up that belief.
The commute to work is a good baseline. Take the same route at the same time each day.
Make five runs and see what the average is with the phone on the in-car vent mount.
Move the same phone outside and make the same baseline run 5 times, and see what the difference is.
P5 in-car five run average wifi SSIDs: 2456
P5 roof five run average wifi SSIDs: 4971
Stunning. Almost double the Wi-Fi SSIDs by having the phone on the roof of the car!!!
Same drive, same time, five working-day average. About double the number of SSIDs were heard by the exact same phone just by mounting it on the roof of the car!!!
(As an aside, tbg thinks the 2018 Chevrolet Bolt is the best wardiving car — it’s quiet, cheap, has a good enough turning circle, and most of all, a one-pedal driving mode with steering wheel mounted re-gen paddle that can't be beat for wardriving. He can drive for hours in a typical suburb and not have to lift his foot for the brake even once!).
Magnets in the base of the blue box floor are holding it to the roof. Not the best, but for a 40mph max speed, 32mph average, 5 drive run, it proved the point.
Please don’t reproduce this setup! You will break/lose your phone!
thebaldgeek then got his CAD / 3D printing guy on the job, and this is what he has now…
WiGLEfin
 |
| The wiglefin |
The lid pin pulls out, the lid slides up and off, and some foam edges the phone.
The WigleFin was sized to fit pretty much everything from the smallest to mega Samsung Note size.
It probably won't hold a folded flip phone or any of the new fold phones.
The foam case is up to you to make it custom for your phone.
Try not to fully wrap the phone, give it some air space to breath.
If its 100F outside, the phone can NEVER be cooler than 100F, even with vents etc, so don't fully wrap the phone, it will get much hotter than ambient.
 |
| Early prototype - too big and heavy |
No effort was made to watertight the fin. It's a fair weather wardrive accessory.
(tbg has wrapped the fin seam with tape and risked it - don't be tbg).
150lb pulling force magnets, four of them, hold the wiglefin to the roof. Tested at 87mph on Los Angeles freeways:- Just moving with the flow officer.
Zero movement with the kitchen drawer non-slip coating on the bottom of the fin.
Give the WigleFin base a once over before each use, it can pick up bits of metal real easy and you don't wanna scratch your car paint.
tbg is in the process of printing another red and another white ‘wiglefin’, so will have color matching fins for the two cars he drives. (The wife wants them to match in color when she’s in the car <shrug>)
DO NOT use this setup in North Dakota in winter, or Arizona/Texas in summer, you will kill both your phone and battery. This setup is for fair weather/temperature wardrives only. Keep it at 72F / 23C.
You can find the STL files here: https://thebaldgeek.github.io/wardrive.html
If you use them, or modify them (adding vents for example), please include a link to this blog or my GitHub page as a way of saying thanks and for letting folks know the source.
Also please let me know in the comments here what you ended up doing etc.
Scanning (all) the Wifi channels.
There are ~14 channels on 2.4Ghz and ~24 on 5Ghz. (Its more complicated than that).
The ‘trick’ is to scan _all_ of them looking for the SSID broadcasts while within range of each device while driving down the road at a safe speed.
The higher your ground speed, the less time you have to catch the SSID broadcast beacon.
If you have spent any time on the https://wigle.net/phpbb/index.php forums you would know that there is a lot of talk about what are the best scan speeds to try and push your phone(s) to pick up the most number of broadcasts for any given ground speed. Keep reading or skip ahead to the test tbg did to find the best scan speed for each of his Android devices.
This kismet webpage does a great job of describing all the challenges with the number of WIFI channels, the device scan speed and wardriving road speed.
Required reading! https://www.kismetwireless.net/posts/2022-07-71-wardriving/
This other page also explains the SSID broadcast time: https://wardriver.uk/how_it_works_3
Here is the key snip of information from that site:
...scanning WiFi; it scans channels 1-13 and spends 110ms on each channel meaning a full scan takes ~1.4 seconds. Since the average WiFi access point transmits a beacon every ~102ms, every channel hop should yield the vast majority of the WiFi APs in range operating on that channel.
Keep reading for information about the Wifydra that gets around the channel hopping speed limit issue - on 2.4Ghz at any rate.
The limitations of the Android app scanning through all these channels (pausing on each one at a time for a short time) is why most hardcore wardrivers run more than one phone. You will get a helpful overlap of each phone scanning different channels at different times. This is exactly why tbg runs three phones and the wifydra. It significantly increases the odds of successfully catching the broadcast of every 2.4GHz SSID at any given ground speed. Of course, the phones also pick up the 5Ghz and Bluetooth. Building a 5Ghz wifydra is on the hit list for many wardriving folks.
The other issue with the Android setup is that you cant specify the channel dwell time, just the total scan time. Keep reading for a lot more about finding and setting the scan time in the Wigle app.
One side effect of wardrving rig building is you somehow end up with a good collection of antennas.
Missing from this shot are tbg's many panels antennas.
tbg tends not to use Yagis or panels in his builds as you have to drive too slowly since high gain antennas have very narrow beamwidths and the GPS plots are not as clean as a good omni with solid ground plane.
WiGLE tip, your post drive maps should have the purple dots nice and close to the road and or clustered very cleanly. This means you have good scan speed, good GPS accuracy, and your Wi-Fi antenna gain is not too over the top.
wifhydra - scan ALL the 2.4Ghz channels ALL the time. #allTheWifi
https://github.com/lozaning/The_Wifydra
Build cost is about $120 to $210 USD, depending on options. (Note that the Wifydra in a box with real antennas is going to cost around the same cost as a refurb Samsung S20 here in the USA).
BOM:
$30 5 x PCB (5 is the min order).
$32 1 x GPS: https://www.adafruit.com/product/746
$9 1 x MicroSD breakout board: https://www.adafruit.com/product/254
$34 1 x Feather board: https://www.digikey.com/en/products/detail/adafruit-industries-llc/5300/16584014
$68 14 x https://www.seeedstudio.com/Seeed-XIAO-ESP32C3-p-5431.html
Note1: the ESP32C3 each come with a small flexible ‘patch’ antenna on a short coax cable.
Note2: the GPS module uses a CR1223 battery to retain time and GPS data between power cycles. Its highly recommended to buy a battery and put in the module as it will make power-up GPS lock a LOT quicker (less SSIDs saved with 000.000 lat / lon).
Extra tbg Options;
$35 2.4Ghz antenna and adaptor 14 x https://www.seeedstudio.com/2-4GHz-2-81dBi-Antenna-for-XIAO-ESP32C3-p-5475.html
GPS active antenna 1 x https://www.amazon.com/Waterproof-Active-Antenna-28dB-3-5VDC/dp/B00LXRQY9A
GPS adaptor cable 1 x https://www.amazon.com/dp/B00XW2LKNO
microSD card extender 1 x https://www.amazon.com/dp/B07WWVBK8V
Hard case 1 x https://www.amazon.com/dp/B094W9266D
Magnets x 1 set: https://www.amazon.com/dp/B0CC5HC4NG
Program the sub.ino into each ESP, make sure you edit the .ino (its a text file) and change the board number - look for the obvious comment a few lines into the file. They MUST be numbered 1 through 14, don’t use any other number system, the numbers are tied to the code in the dom.ino file in the feather board.
tbg labeled the boards so if he had an issue, he’d know which one it was, not required, but not a bad idea. The sub boards are numbered on the main PCB, but any sub can go in any location.
It's slow(ish) to program all 14 subs because the IDE has to compile for every board just due to changing the one-line boardID, and just FYI, we had to set the specific board type in the IDE. It auto-detects as "ESP32 Family Device" but won't compile unless you select "XIAO-ESP32-C3".
The only thing of note is that we had three of the 14 subs throw this message:
— Failed uploading: uploading error: exit status 2
Thankfully, both worked on retry.
1 Sub ESP32 totally failed. Tip, buy 1-2 extra and save having to reorder and extra shipping.
Program the dom.ino into the feather board.
NOTE!!!! Use the dom.ino code in thebaldgeeks comment. The main github dom.ino WILL NOT WORK with Wigle.
Note that we could not get the Dom to compile and download using the local IDE that we used for the Subs. Once we switched to the cloud based IDE, the dom compiled and downloaded without issue.
Solder up the +v, gnd and two I2C pads on each sub and the pins on the GPS and SD card boards.
Jumper each of the VCC, gnd and both sets of I2C pins on the main PCB.
Apply the three gaks. (1 cut track and three jumpers)
Click on any image to make them bigger/larger.
 |
| Cut track and reminder to bridge |
 |
| Three jumpers need to be added |
tbg never figured out why, but he could not power the board from the Gnd and Vcc pins just above the Dom Feather module.
The board will pull about 1.38 amps at 5 vDC. This is about 7 Watts.
The board worked when powered via the USB-C connector on the Dom Feather module.
(Not sure about why the tiny font on the Dom, if tbg ever works it out, will update this page).
When there is no satellite lock, the GPS will flash its fix LED every second. When the GPS has a fix, it will flash every 15 seconds.
There is no ‘safely remove’ the SD card requirement; the code writes each new SSID to the CSV log file and closes the file, so the card can be ejected at any time that its activity LED is not on. tbg just powers the rig off and pops the card.
After the drive, remove the SD card and put it in a reader on your computer, open the latest CSV and remove all the top entries that have 0,0 for the lat lon. They get logged as soon as you turn the board on and before the GPS has lock. You DONT want to upload these to Wigle.
Once you remove the top X number of entries (but NOT the first line with the descriptions), save that file either back to the SD card, or on your computer.
Log in to Wigle and upload all the CSV files created during the run. Best to wipe them out of the SD card once uploaded so you can keep track of what you have sent after each wardrive.
Wardriving on an electric longboard.
Top speed of 15mph, easy to quietly move around apartment complexes and other tight spaces.
The 'fun' thing about the Wifydra is that you don't have to go slow.
Since its scanning every channel very fast all at once, you can actully really move down the road and still catch every beacon.
thebaldgeek has found that the ESP32s are pretty deaf (keep reading) and need a really good high gain antenna and clear signal path (ie, on the roof).
The Wifydra has become his main freeway rig since +60MPH does not phase it at all. Less than that speed and the Androids are significantly better than the Wifydra.
September 2025 update.
New town, new stresses, wardrive to the rescue.
Not going to go into it, but thebaldgeek has a chance to wardrive, but not do as much ACARS website / hardware work as he would like. When the winter snow hits, that may flip 180 deg, but for now....
The brain dump on wardrving continues.
The Wigle forums are hit and miss for good information (Sep 2025 they have been down for well over a week), but some folks do some handwavy testing and tbg got sucked into one thread that proclaimed the Samsung Note 20 Ultra was the next big thing (better even than the astounding G20). So he dug deep (money is very tight) and got one off Amazon.
Doing the same drive 3-5 times quicky shows the difference between devices. The Note 20 is thousands of SSIDs behind every other phone. When mounted on the roof, it was about the same as an in car Droid. This is just unacceptable given it's price point (~300 USD). So it was returned.
Wigle scan speed setting
While the SS kit is in the mail, lets first settle the major Wigle forum question.
Time after time, post after post, people ask what the best scan speed is (in the dropdown of Wigle app) to pick up the most SSID broadcasts.
Most of the time, it's not answered. tbg thinks it's because it's a phone-by-phone setting and also / mostly because no one has come up with an easy-to-follow reproducible method to find out the best setting.
You can't just take someone's scan speed, stick it in the app on your phone and replicate their wardrive results.
So, let's think about how to find that number. Not so that you can just copy it and blindly put it in your phone - please don't do that - but so that you have a method of finding it for YOUR phone(s).
Here is the thing. It seems that not all Androids are the same (pretend shock).
Firstly, it seems clear that there are changes in chips for any given phone during the manufacturing run, but also in how folks set them up.
No two users are the same. Different apps, different background processes are running etc.
How do you find YOUR device best scan speed setting?
No one is saying tbg has _THE_ method, but here is how he went about it...
 |
| Wigle settings with scan speeds selected and the ones tbg tested highlighted |
Mount the Android in a fixed position. Does not have to be in the final position, but it would be best if it was. But being in a fixed position for every drive during this test is important. You want to reduce the number of variables to just one - changing the scan speed in the app.
In short. Drive the same route twice. Change only the scan speed between runs.
So, pick a route that is a least about 10 minutes in length and pretty typical of your ground speed.
Does not have to be based on your house location. Just two fixed points with a fixed route between them (that you can easily do over and over again - it should be an out-and-back) and should include a solid section of typical wardriving in your style.
Your typical wardrive speed is important. So make sure your chosen route is mostly at your typical wardriving speed because as you move past the SSID broadcast, you need to hear it and log it. Too fast of a ground speed with too slow of a scan rate and you will miss some.
Here is the process thebaldgeek took.
Three droids were tested. S20 on the roof. P5 and P9PXL in the car.
Set the first scan speed you want to measure.
Drive the route. Throw away the results. (Don't argue, just do it).
Drive the route.
Upload to Wigle. Exit the app. Start the app.
Drive the route.
Upload to Wigle. Exit the app. Start the app
Change the scan speed.
Drive the route.
Upload to Wigle. Exit the app. Start the app
Drive the route.
Upload to Wigle. Exit the app. Start the app
Change the scan speed.
Rince, lather, repeat for as many scan speeds you want to test.
You get the idea.
tbg did three different scan times as per the above screenshot - so 7 drives of the same route - yes, its going to take some time, but we are talking about quantifying and ensuring our wardrives are yielding the best results they can and giving us confidence we have tuned our rigs to the their very best performance.
Also keep in mind that once you do this for all your Androids, you should not need to do it again and no matter where you mount it or where you wardrive with it, you will know its scanning the Wifi to its maximin! #AllTheWifi
tbg thinks driving the exact same route at the exact same speed twice per test is important to ensure you have something to average. It is a good sanity check to see both drives have very similar numbers, so you know any change you are seeing over the whole process is a result of changing the scan speed vs some other anomaly in the (one) drive.
For example, the two drives on each phone at each scan speed only varied by about 10 to 20 wifi SSID's. Very consistent.
Once you are done uploading after the last drive, head over to Wigle and check your uploads page.
Now, lets dive into the numbers....
Firstly, wait. No, really, wait till you see 'success' for ALL the uploads. It could take minutes, hours or even days if there is a big event on at the time you run your test.
If you have only one device, hopefully you kept track of what order you changed the scan speeds at.
If, like tbg, you had more than one device, here is a tip...
Click on the arrow / three dots to drop down the name of the device that the upload came from.
Ok, lastly, JUST LOOK at the 'Number in File' column. Nothing else.
For this test, we just want to know how many SSID broadcasts have been seen on our very controlled drive.
So, with your numbers now clear, see what the average of your two drives per scan are and review or perhaps plot like them like tbg has here:
 |
| Samsung S20 |
 |
| Pixel 5 |
 |
| Pixel 9 Pro XL |
Safe to say, thebaldgeek is going to be leaving his Androids on 'nonstop' and take the battery life hit.
Your Droid(s) might be different. Your ground speed might be different. Your battery management needs might be different. Regardless, plan a route and get wardriving to find out your best scan speed setting.
Last graph on this topic....
Here tbg took the average of all three drives from each device.
The roof top mounted S20 is a solid choice for wardriving as a second (or primary) option.
CPU throttling
Since it seems clear that tbg's devices catch the most amount of SSID broadcasts while running `nonstop`, he wanted to make sure it really was not bound by any choke points, so if you dig into the Samsung settings, you will find this option....
To be clear, tbg has not done the 'drive test' with it on and off and looked at the two drive count to see if it made any difference, but in the sprit of this blog, sharing all the contents of thebaldgeeks brain, this is what he found and has done.
The Pixels sort of have something like it with backgrounding / (deep) sleep tasks and such, so you can mess with those to push WiGLE to the top of the CPU list.
BLE ScanningScanning Bluetooth impacts Wi-Fi count?
The next question that gets asked a ton is if turning on Bluetooth scanning impacts the number of WiFi that is picked up.
Again, don't copy paste tbg's answer here, just copy this method and find out for YOUR phone.
Same process as the Wi-Fi scan speed - just no need to upload it to WiGLE every time.
Do three drives with BLE on or off. Keep the last two.
Toggle the option, do two drives (restarting the app to reset the counts between each drive) and see what the numbers tell you.
tbg just cant stress enough the power of having a 4-5 mile loop that you can consistently drive over and over and benchmark these app and any rig hardware changes.
Don't forget to double check your Android settings. You can toggle the checkbox in the app settings page, but if its not turned on in the control panel, you don't get a warning - sanity check: Look at the WiGLE dashboard for 0 when off and hundreds or more BLE when turned on.
 |
| Pixel 5 |
 |
| Pixel 9 Pro XL |
 |
| Samsung G20 |
BTW, the ONLY 'use' for Bluetooth data that tbg has seen is (see the links section above) the discovery of FLOCK cameras. If you know of some other uses, please drop a comment to this blog.
Since it makes zero impact on the G20 and very little on the P9PXL, tbg is going to keep that data flowing via those two devices.
If you did not know, tbg picks up a bit of ACARS (text messages from aircraft), some of them are really cryptic and of no use right now, but what if we have a breakthrough and can understand them in 3 months time. Sure would be nice to have a deep data bucket to go back to.
If you don't scan it and log it, you can never ever made use of it.
If scanning and logging is has zero impact on your wardrive, then why not add to the data bucket that may end up being gold at some point down the road.
There are already a ton of requests for it, but yeah, tbg wishes there was an easy way to turn off BLE scanning in the wardriver dot uk and the Signal Sleuth. He just does not need 4+ devices scanning BLE and would rather his Signal Sleuth focus its scan speed on 5GHz Wi-Fi.
Programming the Signal Sleuth.
 |
| Signal Sleuth Slim kit |
First job is to program the three units.
A, B ESP32 and BW16.
 |
| BW16 is the unit in front |
If, unlike thebaldgeek, you'd rather watch a video about how to do this, I recommend you start with this video for an overview: https://www.youtube.com/watch?v=xgQsn6YhqSk
DONT action any of programming from the first 30 minutes, just watch it, but don't take too many detailed notes.
The main programming process is in the v1.1 YouTube: https://www.youtube.com/watch?v=h77B8F7grRE
tbg finds frame by frame working though videos tedious and would rather read and look at screenshots of how-do stuff....
Use what ever method your brain likes best. You have choices. (tbg has been told these writeups are useless as they are not in PDF format - Sorry you don't have that choice)
First up. Download the Arduino IDE and load up the board profiles.
Click on File -> Preferences -> Settings tab.
At the bottom of the settings tab, click on the icon for "additional Boards manager URLS":
Add the following two URLs
https://raw.githubusercontent.com/Ameba-AIoT/ameba-arduino-d/master/Arduino_package/package_realtek_amebad_index.json
https://raw.githubusercontent.com/espressif/arduino-esp32/gh-pages/package_esp32_index.json
Click Ok, to close that dialog.
Click Ok to close the preferences dialog.
Next is to load the libraries we need.
Hit up wardriver.uk github and get the versions mentioned.
The only variation is that you will need to get v2.3.8 of the OneWire library. NOT the v2.3.7 mentioned.
Just download the zips. You don't need to unzip them. You actually upload the zips to the Arduino IDE.
 |
| tbg has added the zip libraries needed already in this screenshot |
Keep the wardriver.uk page open as you need to setup the IDE correctly.
But, first, there are more files to get.
Download the a.ino and b.ino from the wardriver Github
Download the BW16.ino from: https://github.com/CoD-Segfault/BW16-Open-AT
With that, we are finally ready to start programming.
Start with the BW16.
In the IDE...
Point to the BW16 ino file and it will open it up in a new IDE.
Next, click on the board manger icon and type in 'bw' to find the correct board type.
And then select the known working version from the drop down list.
At this point, you will need to plug in the BW16 to the computer USB port.
If your computer does not find the BW16 board it probably also won't find the A or B board...
So add the driver for them as well.
Hit this webpage, download the driver files for your OS.
tbg made a 'wardrive' subdirectory and put everything in there.
https://www.silabs.com/software-and-tools/usb-to-uart-bridge-vcp-drivers?tab=downloads
Find the right .inf and right click it, select install.
Plug your BW16 board in.
First, select the correct comm port.
Note that your computer may have a different number. You can use the device manager to find it if you are unsure.
First, erase the BW16.
After it erases, remove the check from the erase option (back to disable).
Ok, swap out your USB-C for a USB-Micro and you can start on the A&B boards.
Next, make sure you select the known working board version. Chose a higher version at your own risk.
Now we have to make 100% sure that all the IDE configuration is spot on for programming the A&B boards.
So, first up, the board type.
Next, the upload speed.
Then the CPU Frequency.
Then the Flash Frequency.
Then the Flash Mode.
Then the Flash Size.
Then the Partition Scheme.
Then the PSRAM.
Finally the last one, the Events Run On.
Ok, now click the blue arrow button and program the A board.
thebaldgeek got two sets of errors from missing files.
The two missing ones were:
https://github.com/adafruit/Adafruit_BusIO/blob/master/Adafruit_I2CDevice.h
and
https://github.com/adafruit/Adafruit_BusIO/blob/master/Adafruit_SPIDevice.h
Download the missing files and put them in the A and B directories.
You will need to copy paste those two Adafruit files to the B directory to take care of compile errors as well.
Building the Signal Sleuth
Ok, programming done. Finally thebaldgeeks favorite and fun part, soldering!
Slight deburr with a straight file of the side of the GPS was needed to better fit against the SD card board.
One thing to note that tbg has not seen mentioned anywhere on any of the wardriver.uk or SS pages is that the GPS has 3.3vDC on the antenna socket. So you should use either an active antenna or an antenna that is NOT a DC short.
This means that you can run the tiny 'chip' GPS antenna that the SS comes with, or something a bit bigger that can attach to the roof of the car. These external antennas really perform better with a ground plane, even a paint tin lid will do wonders. On the outside of the car, looking up at the sky, the extra length of coax is even less of an issue since the signal to the puck is cleaner and its inbuilt amplifier easily over comes any coax loss.
The GPS Bias-T can source up to 50mA of current (at 3.3V). Keep that in mind if you plan on running an external active antenna.
tbg has removed the hydra from its case and put the SS in it to run some tests, so knowing the GPS has a bias-T voltage, he was able to run the same little active puck GPS antenna on the case and the SS picks up GPS lock very quicky and keeps solid sub 0.5 HDOP fix.
Back to the build.
You can see its a tight fit between the GPS and the SD card, but just removing the burr from the edge of the GPS is all that is needed for a night flush fit.
tbg wanted to put the antenna sockets on the same side as the parts so that the back of the SS was more flush - to do this, the display sits a little high.
Removing the pin spacer after the pins are soldered helps drop it closer to the main PCB.
Installing the antennas and keeping them straight while soldering the sockets ensures a nice neat final look on them.
The kit soldered together really really well.
Its a quick clean build with zero issues along the way.
The GPS plug (no matter what GPS plug, coax or antenna you use) can far to easily swing over and short (the GPS plug is ground) the positive of the GPS back up battery.
Last thing to do....
Plug it into a reader and into your computer.
Make sure its formatted to FAT32. No larger than 16Gb.
Make sure its blank.
Right click (on Windows) and create a new txt file.
Name it `cfg.txt`.
Edit the file and add the following since the Signal Sleuth has this extra 5GHz module.
sb_bw16=yes
tbg did not want the Signal Sleuth spinning up a softAP (software Access Point) every time it booted.
He also did not want it connecting to his home wifi as that also would have caused the SS to transmit.
tbg wanted the SS to be as close to receive only as possible (for explained reasons to come).
So tbg added the following line under that last one...
block_reconfigure=yes
This disables that whole first time bootup 'connect to this IP address' thing and disables the 1 minute softAP timer.
On power up, the SS will see this option in the file and drop straight into passive wardriving mode.
But do note it will mean you have to pop the SD card out and manually upload them via a card reader every time you want up upload your wardrive data.
Ok, drop the SD card into the Signal Sleuth and go for a drive!
G20 828
P5 522
The Signal Sleuth is at least in the game. Its not great, but its got potential.
The Hydra, as expected for a long time, is just not acceptable by any benchmark.
The heat generated is really quite a lot when it's enclosed. More so when it is exposed to sun (on the dash or roof of a car). Something to keep in mind when mounting in a case or car roof top mounting the unit.
Moved the Signal Sleuth off the back seat and onto the roof for a few drives.
Do note that tbg used more than just a single rubber band for the drive tests, but wanted to give you the idea of the antenna size / gain and counts...
With good 3ish db gain antennas the SS is still (back seat test as shown earlier) only just above the Pixel 5 (3-year older phone!), but still below the Pixel 9 and well below the S20.
Bumping the antennas to his best 6ish db antennas moved its SSID count to slightly above the Pixel 9, but still a lot below the S20.
To thebaldgeek this clearly showed that the ESP32's and to some extent the BW16 are just a bit deaf and might just reward the wardive rig builder with good numbers if the signal can be pumped a little harder into the SMA connector. (tbg suspects the same issue is plaguing the Wifydra).
So lets turn up the volume to 11.....
thebaldgeek insanity build of the Signal Sleuth / wardriver.uk
The 9db Alfa outdoor antenna showed up, so put it on the A side of the SS and the Wifi went from 3 to 18. Nice jump.Then put it on the B side and the WiFi went from 3 to 3.... uh...oh.
Moved it over to the BW16 and the 5GHz went from 1 to 4.
tbg wonders how many builders have done this test and if there some builds that are out there (not just of the SS and not just of the wardriver . uk, but every ESP32 Wifi build) that are deaf in one or both ears....
Its a simple A/B/C test and it really showed up a problem?
Looks like the Signal Sleuth / the wardriver build is going to take a pause while thebaldgeek waits for replacement parts to arrive.
BTW, the 'how it works' page is here: https://wardriver.uk/how_it_works_3
Here is tbg's GitHub ticket / solution: https://github.com/JosephHewitt/wardriver_rev3/issues/202
Turns out the live count on the 'B' ESP works very differently vs the 'A' ESP.
tbg ended up attaching the antenna for 1 minute on each SMA and then looking at the logged SSIDs on the SD card file.
Sure enough, the B side was working great. It just shows poor live numbers (unlike the A side), but the totals are what matters, and the SD card file showed plenty of B side SSIDs.
Ok with that glitch sorted.... next up is to yell in the ESP32 SMA connectors a bit louder....
tbg has found Alfa gear to be reliable in their specs and build quality.
As such he chose this 9dbi omni for the signal stick.
Do note they make a longer higher db one, but you quicky end up with a very narrow vertical beamwidth and that's not great for suburbs. Might be Ok for wide open country where you need a bit more reach. Also its almost 3 times as long . This 9dbi is about 12 inches. Perfect for around town wardriving and not screaming 'look at my hedgehog car!'
For the 'volume to 11' part, we need to run an antenna mounted LNA. Low Noise Amplifier.
Minor tbg rant....
The key to this whole build is to have the amplifier mounted AT THE ANTENNA.
You cant just put an amplifier in the car at the wifi stick and call it amplified. Its not even close to effective when mounted in front of the Wifi dongle.... In fact, many ADSB/ACARS installs have shown that often times putting the amp _at_ the stick is actually worse than no amp at all. The amp just overpowers the stick. Its AGC kicks in and the reception / decoding suffers.
tbg has the following analogy to help visualize this and drive the point home.
A loud hailer. The cone shaped mic > amp > speaker setup.
They work pretty good in a big crowd. Now, walk up to one person and put the speaker end of the cone against their ear, key up and say something.
Can you say over driven distorted induced deafness? Same device, different distance away from the listener.
You want the loud hailer at the antenna yelling in to the coax. It needs to be that distance away from the electronic ear that needs the actual information.
tbg wanted to test the Zeenko and also have the Nooelec wide band be part of the test.
The key here is that you need at least 2GHz to 8GHz bandwidth, low noise and high stability.
A quick A/B test showed the Nooelec has a good edge (you get what you pay for), so thebaldgeek went with that amp.
Also the Zeenko has a rechargeable battery built in, so that's a ticking time clock for a spicy pillow in your future. Also, it's yet another thing to charge and who knows about how it handles hot sun. The nooelec have proven to be robust in that regard.
And yes, every SMA is torqued. Its the only way to get both reliability and consistency.
More about tbg SMA wrench adventures here: https://community.airframes.io/t/sma-torque-wrench/70
Now to split the one coax signal into 4....
Again, make sure your splitter covers from 2GHz to 6GHz at the very least.
And yes, we know, splitters have loss, hence putting the LNA AT THE ANTENNA and having the antenna OUTSIDE the RF shield.
That extra clear gain will more than make up for the splitter loss.
Recall the 3.3V DC on the GPS output so it can drive an active antenna?
You DON'T want that voltage showing up on the input the ESPs. Also, it does not provide enough current to run the Nooelec LNA, if we try, the GPS might burn out or at the very least go into current limit and the LNA will not work as expected, so... we fit the DC block, and everything works great.
tbg still wants to use bias-t to drive the Nooelec, so using the external Bias-T injector gets the job done.
Again, make sure you get a 6GHz rated injector, not all of them go that high.
Your desired signal needs to go through the Bias-T, so make it a quality one.
Front view is messy but functional.
Back view is about the best.
Fits in the center cup holder just as planned from the very first solder joint.
Pretty clean. Coax from the back door in the bottom of the Bias-T injector, USB-A to the cig lighter USB for power and we are ready to wardrive!
The semi-ridged coax should not be forced on any 90deg bend, so just run it parallel to the door and it will just naturally compress the rubber seal and enter the car with no kinks.
thebaldgeek enhanced Signal Sleuth
BOM:
3 magnet truck mount: https://www.amazon.com/dp/B07W5NPVG3
Example pigtail (shop around): https://www.amazon.com/Boobrie-Pigtail-Extension-Antenna-Wirelessfor/dp/B07D9GQH39
We now know that the ESP32s are pretty deaf, so lets also turn it up to 11 for the Wifydra....
As already mentioned in this blog, tbg does not normally run high gain antennas and especially directional ones as most devices don't have the scan speed to get 3+ samples as the SSID beacon location flies through their narrow beamwidth and so you don't get very many GPS tags vs signal strength readings to feed to the WiGLE machine to chew on and plot the SSID location accurately.
But.
In the case of the Wifydra, its 14 individual receivers are scanning very fast (rate unknow), there is no CPU core or receiver sharing at all (unlike the wardriver.uk and Signal Sleuth).
Lets yell into the coax and see what we get.
First up, lets do the usual 2 drive average with this nice 20dBi Yagi Uda array.
Photo of said Yagi with the tinted window closed.
For all these tests, the output goes into a 4 channel splitter - tbg can not afford a bigger one at this time, so he used WiGLE stats to check which are the top four 2.4GHz channels in use and saw that they were: 1, 3, 6 and 11.
The 4 way splitter was thus attached to those receivers on the Wifydra.
Antennas were left on the other channels because why not.
636.
Ok, lets now add the Nooelec LNA to the back of the Yagi.
Here is the link to the panel antenna tbg is using: https://www.tupavco.com/products/panel-antenna-24ghz-wifi-20dbi-wireless-outdoor-18-directional-n-f
Reference drive count: 874.
Lastly, lets wind down the window.
887.
thebaldgeek is not done tinkering up there, so he needs a quick fix. The main thing is the SMA connectors and Nooelec LNA need protecting from the water.
Latex balloons are cheap and should do the job:
 |
| The main bit at the bottom needs protection from the wet |
 |
| Close up of the temporary mess |
 |
| Cut the tail off for the coax exit |
Radicode (Geiger counter)
He figures if he is out and about collecting Wi-Fi visualization data, may as well add radiation into the mix.
Two different wardrives on two different days in two different areas show slightly different (very minor) background radiation.
Just like WiGLE has a map, the Geiger counter folks also have a map. Its called Radiaverse.
 |
| Random suburb in Southern California - note, the red bit is super safe, its just the map scale. |
Here is another random wardrive radiation example. Interesting how parts of a city can change.
To be SUPER clear, the change is soooo tiny and all of the places that tbg has radiation driven have had normal amounts of background radiation - that's the whole point, looking for places that are not - but after 20,000 miles tbg is yet to find one... But hey, if you don't scan, you never know....
As as aside, some folks use the Radiacode to look for hot rocks, some use it to hunt down uranium glass (the unique red / orange colored ones), thebaldgeek is looking for old aircraft gauges with the glowing dials - he's not found any yet, but yeah, that's what his interest with the Radiacode is. (Along with wide area mapping).
tbg has two mount options for the Radiacode depending on what data he is after.
For run of the mill wardrives, the pool noodle cup holder is the goto.
Or, for something lower to the ground, tbg uses this Pelican case with magnets to clip on the lower panel door, or even underbody.
Comments
Post a Comment