5 GHz Wardriving

In 2018 I created an ultimate wardriving system for 5 GHz Wi-Fi network logging, which provides an additional source for network identification. It is based on Raspberry PI computer installed inside a car, together with three MikroTik OmniTIK antennas.

Raspberry PI 3 (model B) is the mainboard for my wardriving system, together with…

  • Aluminium case 
    In order to keep everything together I bought an aluminium case. Actually I already had one Delock 59209 aluminium case for another Raspberry PI board, but… I could not obtain another one, because they were discontinued. Instead I bought a very similar Chinese clone, which does not have an anodized surface and is easy to scratch.
  • Sierra Wireless EM7305 – LTE module for GPS and GLONASS
    I’ve been experimenting with some USB GNSS modules in the past, but their sensitivity and reliability were very questionable. In the meantime I found out that an LTE module in my laptop (MC7304) is a very reliable GNSS tracker. Therefore I decided to buy another Sierra Wireless module for the Raspberry PI. The EM7305 module, which is actually the same as the MC7304 (except it uses an M.2 slot instead of miniPCIe), is widely available, because it was pre-installed in many laptops and can be obtained at bargain prices now. I bought mine for just $10. I also added three MHF4 → SMA pigtails, one for each antenna connector. Someday I might want to enable the LTE modem too.
    These LTE modules are actually USB devices, so the M.2 to USB adapter provides a direct connection to the USB bus. However, it requires a 3.3 V regulator, as the miniPCIe/M.2 port provides 3.3 V, not 5 V like the standard USB port. There is also a SIM card slot on the adapter’s bottom side. The adapter is much longer than an M.2 card, but I managed to fit it inside the case. I also soldered a nut to the Ethernet port and screwed the adapter there (see photos below). Currently I don’t have any GNSS-dedicated passive SMA antenna, so I connected a random LTE rubber antenna (measured VSWR 3.5 @ 1575 MHz and 2.5 @ 1600 MHz). The GNSS module in the EM7305 is very sensitive, so it works very well anyway.
  • TPS61088 – voltage converter
    The TPS61088-based module is a very efficient step-up voltage converter. The Raspberry PI requires a 5 V DC power input, but this voltage is generally too low for powering external MikroTik devices. Therefore I added this converter to provide a 10 V PoE output. In this way, the Raspberry PI can also be powered from a USB power bank, together with the external PoE device.
  • PAM8403 – audio power amplifier & loudspeaker
    This is a very cheap module for amplifying the audio output. I took an old loudspeaker from my Dell E7440 laptop. It fits perfectly into the case together with the Raspberry PI and provides sound feedback (new network detection, GNSS fix loss, connection problems, etc.).
  • DS3231 – real-time clock
    An RTC module is not necessary, as the GNSS provides time synchronization. Though it is nice to have a valid date and time at boot. The DS3231SN is a great TCXO real-time clock IC, with 2 ppm accuracy specified within the 0°C to +40°C temperature range. In practical use, the long-term accuracy seems to be much better than specified.


I had a spare Raspberry PI 3 model B board, but unfortunately without PoE header. I didn’t want to spend another $40 for the B+ version so I modified the Ethernet port on my own. It required a complete disassembly, including full (de-)soldering.

There is a small PCB board with a transformer in a plastic box inside the Ethernet port. On the opposite side there is a quadruple 75Ω resistor. It should be cut in half and soldered back, together with two wires for PoE supply, as can be seen below.

Similarly, I modified the USB port to provide the 5 V input using a full-size connector, instead of the small and crappy microUSB. I also put ferrite chokes on all cables to keep the radio interference in the car at the lowest level. However, there is some interference in the FM radio band above 100 MHz, even after switching the Ethernet link to 10 Mbps. Finally, I also added two small heatsinks for the CPU and the LAN/USB hub IC.


MikroTik OmniTIK 5HnD is an integrated access point device with a built-in 5 GHz Wi-Fi radio and two antennas, for vertical and horizontal polarization. They are connected directly to the PCB without any additional losses. This device can be tuned across the 4800 to 6100 MHz frequency range. I have the first version of this device, with the AR9280 radio IC, which is very reliable for channel hopping and network scanning in general. The new version is based on the AR9344, which is unreliable for wardriving. Also, I bought these three used antennas at a price well below… a single new device.

The Raspberry PI setup is connected to one of the three OmniTIK antennas. They have a 5-port Ethernet switch, so I connected the additional two units there. This is the U-5HnD model, so I modded it to inject PoE on four of the five available ports.


The Raspberry PI computer runs the Arch Linux ARM operating system with three instances of my MTscan software, each available via VNC. This is totally passive scanning, based on the sniffer tool in MikroTik RouterOS. Each OmniTIK streams the received packets via the TZSP (UDP) protocol, and they are parsed on the Raspberry PI (beacons, probe responses). I use 110 ms channel hopping in the sniffer, as a typical beacon frame is sent every 102.4 ms.
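To show what the Raspberry PI side of this pipeline has to do, here is an added example (my own code, not MTscan or anything from RouterOS) that strips the TZSP header from a streamed datagram and pulls the BSSID, SSID, channel and beacon interval out of the encapsulated 802.11 beacon. The datagram it decodes is constructed inline with a made-up locally administered BSSID; the TZSP port and encapsulation value are the standard ones, but the rest of the framing is only what the example itself builds.

```python
import struct

TZSP_PORT = 37008        # UDP port the RouterOS sniffer streams TZSP to by default
TZSP_ENCAP_80211 = 18    # TZSP encapsulation value for IEEE 802.11 frames
TZSP_TAG_PADDING, TZSP_TAG_END = 0, 1

def parse_tzsp(datagram: bytes) -> bytes:
    """Skip the 4-byte TZSP header and its tag list; return the 802.11 frame."""
    version, _ptype, encap = struct.unpack_from("!BBH", datagram, 0)
    if version != 1 or encap != TZSP_ENCAP_80211:
        raise ValueError("not a TZSP v1 datagram carrying 802.11")
    pos = 4
    while True:
        tag = datagram[pos]
        pos += 1
        if tag == TZSP_TAG_END:
            break
        if tag == TZSP_TAG_PADDING:       # padding tag carries no length byte
            continue
        pos += 1 + datagram[pos]          # skip length byte plus tag payload
    return datagram[pos:]

def parse_beacon(frame: bytes) -> dict:
    """Read fixed fields and the SSID / DS-parameter IEs from a beacon frame."""
    if frame[0] != 0x80:                  # type=management, subtype=beacon
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])      # addr3 = BSSID
    _timestamp, interval_tu, capability = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": bssid, "ssid": None, "channel": None,
            "beacon_interval_ms": interval_tu * 1024 / 1000,  # 1 TU = 1024 us
            "privacy": bool(capability & 0x0010)}            # WEP/WPA flag
    pos = 36                              # first information element
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if eid == 0:
            info["ssid"] = body.decode("utf-8", "replace")
        elif eid == 3 and elen == 1:      # DS Parameter Set: current channel
            info["channel"] = body[0]
        pos += 2 + elen
    return info

def decode_datagram(datagram: bytes) -> dict:
    return parse_beacon(parse_tzsp(datagram))

def sample_datagram() -> bytes:
    """Constructed TZSP datagram with one beacon (not a real capture)."""
    bssid = bytes.fromhex("020000000001")                    # made-up BSSID
    mac_hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x10\x00"
    fixed = struct.pack("<QHH", 0x1234, 100, 0x0011)          # 100 TU, ESS+privacy
    ies = b"\x00\x07example" + b"\x03\x01\x24"                # SSID, channel 36
    return b"\x01\x00\x00\x12" + b"\x01" + mac_hdr + fixed + ies
```

A beacon interval of 100 TU decodes to 102.4 ms, which is the figure the channel-hop period above is matched against.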

