From d7a0172551852ded405f29bb747f68c3fdacae03 Mon Sep 17 00:00:00 2001 From: Colonel Panic Date: Sun, 10 May 2026 20:13:33 -0400 Subject: [PATCH] =?UTF-8?q?sync=20OUIs=20with=20@nitekry/nite-oui-collecti?= =?UTF-8?q?on=20=E2=80=94=2012=20adds,=201=20demote?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Brings the target OUI array up to parity with @NitekryDPaul's upstream nite-oui-collection (April 2026): - Adds 12 prefixes: 04:0d:84, f0:82:c0, 1c:34:f1, 38:5b:44, 94:34:69, b4:e3:f9, b4:1e:52, 14:b5:cd, 94:2a:6f, f4:e2:c6, d4:11:d6, e0:0a:f6 - Demotes f8:a2:d6 — flagged as a Sony Media Player false positive in his my_tested_flock.md notes, retained only as documentation in the dataset's "Demoted / low confidence" section. Active firmware count is now 42 (29 from @NitekryDPaul's original set, 12 April 2026 additions, 1 from Michael / DeFlockJoplin). Also: replaces the stylised cyrillic researcher name with its decoded form OrdoOuroborous and links his GitHub @nitekry, since the unicode glyphs don't render reliably and made the credit hard to follow. --- README.md | 35 +++++++++++--------- datasets/NitekryDPaul_wifi_ouis.md | 52 ++++++++++++++++++++++++------ main.cpp | 15 ++++++--- 3 files changed, 73 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index 288b459..12ce720 100644 --- a/README.md +++ b/README.md @@ -1,20 +1,16 @@ -# Flock-You: Promiscuous WiFi Edition (`promiscious-dev` branch) +# Flock-You: Promiscuous WiFi Edition (`promiscious` branch) Flock You **Passive 2.4 GHz promiscuous-mode detector for Flock Safety surveillance infrastructure. Runs standalone or feeds the Flask dashboard over USB for live GPS-tagged wardriving.** -> **Dev note:** This is the `promiscious-dev` branch — adds the -> DeFlockJoplin wildcard-probe tightening and a 31st OUI on top of the -> `promiscious` baseline. See "Further research" below. - --- ## Credit -All WiFi promiscuous detection research — the **30-OUI target list**, the **promiscuous-mode strategy**, and the **addr1-receiver detection technique** — is the work of **ØяĐöØцяöЪöяцฐ / @NitekryDPaul**. The firmware here is a mod of his original firmware with added SPIFFS persistence and Flask-dashboard integration. Full research writeup: [`datasets/NitekryDPaul_wifi_ouis.md`](datasets/NitekryDPaul_wifi_ouis.md). +All WiFi promiscuous detection research — the **41-OUI Flock Safety target list**, the **promiscuous-mode strategy**, and the **addr1-receiver detection technique** — is the work of **OrdoOuroborous / @NitekryDPaul** (GitHub [@nitekry](https://github.com/nitekry)). The firmware here is a mod of his original work with added SPIFFS persistence and Flask-dashboard integration. Upstream OUI source: [nitekry/nite-oui-collection](https://github.com/nitekry/nite-oui-collection). Full research writeup: [`datasets/NitekryDPaul_wifi_ouis.md`](datasets/NitekryDPaul_wifi_ouis.md). -Additional research credit to **Michael / DeFlockJoplin** for the **wildcard-probe-request signature** and the 31st OUI (`82:6b:f2`). Field-tested to 11/12 cameras caught with only 2 false positives in Joplin. Source: [DeflockJoplin/flock-you](https://github.com/DeflockJoplin/flock-you). +Additional research credit to **Michael / DeFlockJoplin** for the **wildcard-probe-request signature** and OUI `82:6b:f2`. Field-tested to 11/12 cameras caught with only 2 false positives in Joplin. Source: [DeflockJoplin/flock-you](https://github.com/DeflockJoplin/flock-you). --- @@ -43,7 +39,7 @@ Checking `addr1` in addition to `addr2` picks those silent stations up. It requi - `addr1` is broadcast (`ff:ff:ff:ff:ff:ff`) in beacons and broadcasts — **multicast filter** - Modern devices use randomised (locally-administered) MACs that can't be fingerprinted by OUI — **randomised-MAC filter** on byte 0 bit 1 -Both are applied before the OUI match. This whole approach, including the 30-OUI list, is **@NitekryDPaul's research**. +Both are applied before the OUI match. This whole approach, including the 41-OUI list, is **@NitekryDPaul's research**. --- @@ -53,7 +49,7 @@ Michael / DeFlockJoplin used the OUI + addr1/addr2/addr3 work above as a startin > The cameras are hopping channels and sending out a wildcard WiFi probe request on every channel. This specific type of request combined with OUI matching has created what seems to be a fairly unique signature. -His drive-test in Joplin caught **11 of 12 cameras** with only **2 false positives**. The 12th camera was doing the same wildcard-probe behaviour but with an OUI (`82:6b:f2`) that wasn't in @NitekryDPaul's original 30 — it's now the 31st entry in our list, credited to him. +His drive-test in Joplin caught **11 of 12 cameras** with only **2 false positives**. The 12th camera was doing the same wildcard-probe behaviour but with an OUI (`82:6b:f2`) that wasn't in @NitekryDPaul's original set — it's now in our list, credited to him. The tightened signature that's active on this branch: @@ -104,15 +100,22 @@ The split between callback and loop is deliberate: the WiFi task has hard real-t ## OUI target list (@NitekryDPaul research) -All lowercase, colon-separated. 31 Flock Safety infrastructure prefixes: +All lowercase, colon-separated. 42 Flock Safety infrastructure prefixes — +29 from @NitekryDPaul's original set, 12 from his April 2026 additions, plus +1 from Michael / DeFlockJoplin. `f8:a2:d6` from the original set has been +demoted as a Sony Media Player false positive (see +[`datasets/NitekryDPaul_wifi_ouis.md`](datasets/NitekryDPaul_wifi_ouis.md)). ``` 70:c9:4e 3c:91:80 d8:f3:bc 80:30:49 b8:35:32 14:5a:fc 74:4c:a1 08:3a:88 9c:2f:9d c0:35:32 -94:08:53 e4:aa:ea f4:6a:dd f8:a2:d6 24:b2:b9 -00:f4:8d d0:39:57 e8:d0:fc e0:4f:43 b8:1e:a4 -70:08:94 58:8e:81 ec:1b:bd 3c:71:bf 58:00:e3 -90:35:ea 5c:93:a2 64:6e:69 48:27:ea a4:cf:12 +94:08:53 e4:aa:ea f4:6a:dd 24:b2:b9 00:f4:8d +d0:39:57 e8:d0:fc e0:4f:43 b8:1e:a4 70:08:94 +58:8e:81 ec:1b:bd 3c:71:bf 58:00:e3 90:35:ea +5c:93:a2 64:6e:69 48:27:ea a4:cf:12 +04:0d:84 f0:82:c0 1c:34:f1 38:5b:44 94:34:69 ← Apr 2026 adds +b4:e3:f9 b4:1e:52 14:b5:cd 94:2a:6f f4:e2:c6 +d4:11:d6 e0:0a:f6 82:6b:f2 ← contributed by Michael / DeFlockJoplin ``` @@ -253,8 +256,8 @@ The BLE-only sibling of this firmware lives on the [`main` branch](https://githu ## Acknowledgments -- **ØяĐöØцяöЪöяцฐ (@NitekryDPaul)** — **WiFi promiscuous detection research**: the 30-OUI Flock Safety target list and the addr1-receiver detection technique that are the baseline of this firmware. The code here is a mod of his original work. -- **Michael / DeFlockJoplin** ([DeflockJoplin/flock-you](https://github.com/DeflockJoplin/flock-you), [deflockjoplin.today](https://deflockjoplin.today)) — **wildcard-probe-request signature** + the 31st OUI (`82:6b:f2`). Drive-tested in Joplin to 11/12 cameras caught with only 2 false positives. +- **OrdoOuroborous (@NitekryDPaul, GitHub [@nitekry](https://github.com/nitekry))** — **WiFi promiscuous detection research**: the 41-OUI Flock Safety target list and the addr1-receiver detection technique that are the baseline of this firmware. The code here is a mod of his original work. Upstream OUI tracking: [nite-oui-collection](https://github.com/nitekry/nite-oui-collection). +- **Michael / DeFlockJoplin** ([DeflockJoplin/flock-you](https://github.com/DeflockJoplin/flock-you), [deflockjoplin.today](https://deflockjoplin.today)) — **wildcard-probe-request signature** + OUI `82:6b:f2`. Drive-tested in Joplin to 11/12 cameras caught with only 2 false positives. - **Will Greenberg** ([@wgreenberg](https://github.com/wgreenberg)) — BLE manufacturer company ID detection (`0x09C8` XUNTONG) sourced from his [flock-you](https://github.com/wgreenberg/flock-you) fork (used by the BLE companion on `main`) - **[DeFlock](https://deflock.me)** ([FoggedLens/deflock](https://github.com/FoggedLens/deflock)) — crowdsourced ALPR location data and detection methodologies. Datasets included in `datasets/` - **[GainSec](https://github.com/GainSec)** — Raven BLE service UUID dataset (`raven_configurations.json`) used by the BLE companion diff --git a/datasets/NitekryDPaul_wifi_ouis.md b/datasets/NitekryDPaul_wifi_ouis.md index fc4261d..c57f25f 100644 --- a/datasets/NitekryDPaul_wifi_ouis.md +++ b/datasets/NitekryDPaul_wifi_ouis.md @@ -1,8 +1,8 @@ # Flock Safety WiFi OUIs — Research by @NitekryDPaul -**Researcher:** ØяĐöØцяöЪöяцฐ (**@NitekryDPaul**) +**Researcher:** OrdoOuroborous (**@NitekryDPaul**, GitHub [@nitekry](https://github.com/nitekry)) -This dataset documents Flock Safety and related surveillance-infrastructure WiFi MAC-address OUIs (first three octets) discovered through 2.4 GHz promiscuous-mode analysis. All 30 prefixes below were identified by @NitekryDPaul during his promiscuous-mode research on Flock camera air traffic. +This dataset documents Flock Safety and related surveillance-infrastructure WiFi MAC-address OUIs (first three octets) discovered through 2.4 GHz promiscuous-mode analysis. The 42 active prefixes below come from @NitekryDPaul's promiscuous-mode research on Flock camera air traffic (41) and Michael / DeFlockJoplin's wildcard-probe drive-testing (1). Upstream OUI source: [nitekry/nite-oui-collection](https://github.com/nitekry/nite-oui-collection). One prefix from the original set (`f8:a2:d6`) has been demoted — see the [Demoted](#demoted--low-confidence) section. ## Why promiscuous mode @@ -10,12 +10,15 @@ Flock stations spend most of their duty cycle asleep, waking briefly to upload a This addr1 technique is @NitekryDPaul's discovery and is the basis of the `promiscuis-flock-you` firmware. -## OUI list (31 prefixes, lowercase, colon-separated) +## OUI list (42 prefixes, lowercase, colon-separated) -@NitekryDPaul contributed the first 30. The 31st (`82:6b:f2`) was contributed -by **Michael / DeFlockJoplin** during follow-up drive-testing in Joplin — it's -the OUI of the 12th camera in his field test, which the original list didn't -catch. See [DeflockJoplin/flock-you](https://github.com/DeflockJoplin/flock-you). +@NitekryDPaul contributed 41 active prefixes — 29 from his original +promiscuous-mode set plus 12 from his April 2026 additions in +[nite-oui-collection](https://github.com/nitekry/nite-oui-collection). +The 42nd (`82:6b:f2`) was contributed by **Michael / DeFlockJoplin** during +follow-up drive-testing in Joplin — it's the OUI of the 12th camera in his +field test, which the original list didn't catch. See +[DeflockJoplin/flock-you](https://github.com/DeflockJoplin/flock-you). ``` 70:c9:4e @@ -31,7 +34,6 @@ c0:35:32 94:08:53 e4:aa:ea f4:6a:dd -f8:a2:d6 24:b2:b9 00:f4:8d d0:39:57 @@ -48,6 +50,18 @@ ec:1b:bd 64:6e:69 48:27:ea a4:cf:12 +04:0d:84 +f0:82:c0 +1c:34:f1 +38:5b:44 +94:34:69 +b4:e3:f9 +b4:1e:52 +14:b5:cd +94:2a:6f +f4:e2:c6 +d4:11:d6 +e0:0a:f6 82:6b:f2 ``` @@ -68,7 +82,6 @@ a4:cf:12 | 94:08:53 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul | | e4:aa:ea | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul | | f4:6a:dd | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul | -| f8:a2:d6 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul | | 24:b2:b9 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul | | 00:f4:8d | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul | | d0:39:57 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul | @@ -85,8 +98,29 @@ a4:cf:12 | 64:6e:69 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul | | 48:27:ea | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul | | a4:cf:12 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul | +| 04:0d:84 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul (Apr 2026) | +| f0:82:c0 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul (Apr 2026) | +| 1c:34:f1 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul (Apr 2026) | +| 38:5b:44 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul (Apr 2026) | +| 94:34:69 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul (Apr 2026) | +| b4:e3:f9 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul (Apr 2026) | +| b4:1e:52 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul (Apr 2026) | +| 14:b5:cd | Flock Safety infrastructure (high confidence) | WiFi 2.4 GHz | @NitekryDPaul (Apr 2026) | +| 94:2a:6f | Flock Safety infrastructure (high confidence) | WiFi 2.4 GHz | @NitekryDPaul (Apr 2026) | +| f4:e2:c6 | Flock Safety infrastructure (high confidence) | WiFi 2.4 GHz | @NitekryDPaul (Apr 2026) | +| d4:11:d6 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul (Apr 2026) | +| e0:0a:f6 | Flock Safety infrastructure | WiFi 2.4 GHz | @NitekryDPaul (Apr 2026) | | 82:6b:f2 | Flock Safety infrastructure | WiFi 2.4 GHz (wildcard probe) | Michael / DeFlockJoplin | +## Demoted / low confidence + +These prefixes were in earlier revisions of the list but have been removed +from the active firmware OUI array. + +| Prefix | Reason | Source | +|---|---|---| +| `f8:a2:d6` | Low confidence; observed hitting a Sony Media Player rather than a Flock device. Demoted per @NitekryDPaul's [my_tested_flock.md](https://github.com/nitekry/nite-oui-collection/blob/main/groups/flockers/my_tested_flock.md) field notes. | @NitekryDPaul | + ## Detection strategy For each observed 802.11 management or data frame: diff --git a/main.cpp b/main.cpp index 4621777..e610564 100644 --- a/main.cpp +++ b/main.cpp @@ -82,12 +82,19 @@ static const size_t SSID_KEYWORD_COUNT = sizeof(target_ssid_keywords) / sizeof(t // ============================================================ static const char* target_ouis[] = { + // @NitekryDPaul / OrdoOuroborous — original promiscuous-mode set, 29 OUIs. + // f8:a2:d6 has been demoted (Sony Media Player false positive — see + // nite-oui-collection/groups/flockers/my_tested_flock.md). "70:c9:4e", "3c:91:80", "d8:f3:bc", "80:30:49", "b8:35:32", "14:5a:fc", "74:4c:a1", "08:3a:88", "9c:2f:9d", "c0:35:32", - "94:08:53", "e4:aa:ea", "f4:6a:dd", "f8:a2:d6", "24:b2:b9", - "00:f4:8d", "d0:39:57", "e8:d0:fc", "e0:4f:43", "b8:1e:a4", - "70:08:94", "58:8e:81", "ec:1b:bd", "3c:71:bf", "58:00:e3", - "90:35:ea", "5c:93:a2", "64:6e:69", "48:27:ea", "a4:cf:12", + "94:08:53", "e4:aa:ea", "f4:6a:dd", "24:b2:b9", "00:f4:8d", + "d0:39:57", "e8:d0:fc", "e0:4f:43", "b8:1e:a4", "70:08:94", + "58:8e:81", "ec:1b:bd", "3c:71:bf", "58:00:e3", "90:35:ea", + "5c:93:a2", "64:6e:69", "48:27:ea", "a4:cf:12", + // @NitekryDPaul April 2026 additions (nite-oui-collection). + "04:0d:84", "f0:82:c0", "1c:34:f1", "38:5b:44", "94:34:69", + "b4:e3:f9", "b4:1e:52", "14:b5:cd", "94:2a:6f", "f4:e2:c6", + "d4:11:d6", "e0:0a:f6", // Contributed by Michael / DeFlockJoplin — discovered via wildcard-probe // + OUI signature during field testing. The 12th camera in his drive-test // used this prefix and wasn't in @NitekryDPaul's original 30.