xref: /openwifi/doc/app_notes/csi_fuzzer.md (revision 261bb9eef73c3da1bda8d992c145e07cdacfaaac)
<!--
Author: Xianjun Jiao
SPDX-FileCopyrightText: 2021 UGent
SPDX-License-Identifier: AGPL-3.0-or-later
-->

[ACM WiSec 2021. Openwifi CSI fuzzer for authorized sensing and covert channels](https://dl.acm.org/doi/pdf/10.1145/3448300.3468255)

CSI (Channel State Information) of WiFi systems is available in some WiFi chips and can be used for sensing the environment (keystrokes, people, objects) passively and covertly.
10
## Concept

How could a CSI fuzzer stop unauthorized sensing?

![](./csi-fuzzer-system-before-vs-now.png)

CSI fuzzer implementation principle:

![](./csi-fuzzer-principle.png)
20
## Demo instructions

Thanks to the full-duplex capability and the CSI extraction feature of openwifi, you can monitor the artificial channel response through the [side channel](./csi.md): the board's own Tx couples into its Rx over the air, and this loopback CSI is captured without affecting the normal operation/traffic of openwifi. Before self-monitoring, the auto-mute during Tx needs to be disabled.

The full demo steps are:

```
ssh [email protected]
(password: openwifi)

cd openwifi

./fosdem-11ag.sh
(set up the openwifi AP)

./sdrctl dev sdr0 set reg xpu 1 1
(disable auto-muting so that the board can listen to its own Tx)

insmod side_ch.ko num_eq_init=0

./side_ch_ctl wh1h2001
./side_ch_ctl wh6hffffffff
(only monitor the over-the-air loopback CSI of self-transmitted beacons)

./side_ch_ctl g1
```

Go to openwifi/user_space/side_ch_ctl_src and run `python3 side_info_display.py 0`. You should see the over-the-air loopback CSI while the CSI fuzzer is not enabled. Then stop the side_info_display.py script to ease the next step.
48
Start another ssh session to the openwifi board:

```
ssh [email protected]
(password: openwifi)

cd openwifi

./csi_fuzzer_scan.sh 1
(the CSI fuzzer applies every possible artificial CSI by scanning all values;
csi_fuzzer.sh is called internally. Please read both scripts to understand these commands)
```

Go to openwifi/user_space/side_ch_ctl_src and run `python3 side_info_display.py 0`. Now you should see the CSI keep changing, as in this [video](https://youtu.be/aOPYwT77Qdw).
62
## Further explanation on parameters

CSI fuzzer in the openwifi system architecture and the related commands:

![](./csi-fuzzer-implementation.png)

## Example fuzzed CSI

CSI self-monitoring before fuzzing:

![](./csi-fuzzer-beacon-ant-back-0.jpg)

CSI self-monitoring after the fuzzing command `csi_fuzzer.sh 1 45 0 13`:

![](./csi-fuzzer-beacon-ant-back-1-45-0-13.jpg)

`csi_fuzzer_scan.sh` can scan c1 and c2 in different styles/modes by calling `csi_fuzzer.sh`.

80