Reflects the changes in nite-oui-collection commit 1ed6333 (his
"Update MAC status and remove unnecessary sections" push earlier
today):
- 08:3a:88 picks up a "BLE Ring conflict" flag. The firmware
array is unchanged — promiscuous WiFi detection isn't affected
— but a header comment in main.cpp now calls out the caveat,
and the dataset markdown grows a new "Flagged but still tracked"
section so BLE consumers (oui-spy-unified-blue's flockyou mode)
know to expect occasional Ring-doorbell false positives on this
prefix.
- The "Demoted / low confidence" section in the dataset markdown
now also catalogues cc:cc:cc and 00:0c:e7 — both Removed in his
notes, but only f8:a2:d6 was documented here previously.
OUI count is unchanged (42); the firmware array doesn't need to
move. This is documentation-tracking so the next sync against
nite-oui-collection has clean priors to diff against.
Brings the target OUI array up to parity with @NitekryDPaul's upstream
nite-oui-collection (April 2026):
- Adds 12 prefixes: 04:0d:84, f0:82:c0, 1c:34:f1, 38:5b:44, 94:34:69,
b4:e3:f9, b4:1e:52, 14:b5:cd, 94:2a:6f, f4:e2:c6, d4:11:d6, e0:0a:f6
- Demotes f8:a2:d6 — flagged as a Sony Media Player false positive
in his my_tested_flock.md notes, retained only as documentation in
the dataset's "Demoted / low confidence" section.
Active firmware count is now 42 (29 from @NitekryDPaul's original set,
12 April 2026 additions, 1 from Michael / DeFlockJoplin).
Also: replaces the stylised cyrillic researcher name with its decoded
form OrdoOuroborous and links his GitHub @nitekry, since the unicode
glyphs don't render reliably and made the credit hard to follow.
Adds Michael / DeFlockJoplin's high-precision detection method on top of
the NitekryDPaul baseline: a Flock camera is flagged when it transmits a
Probe Request (type=0 subtype=4) with a wildcard SSID IE (tag 0 len 0)
AND its addr2 matches the OUI list. Drive-test in Joplin: 11/12 cameras
caught with only 2 false positives.
- New AlertType ALERT_WILDCARD_PROBE, emitted as detection_method
'wifi_wildcard_probe' (high-precision class)
- Wildcard-probe hits suppress the addr2 broad alert for the same frame
to prevent double counting; non-probe OUI matches still emit as
'wifi_oui_addr2'
- IE parser returns tri-state (1=wildcard / 0=directed / -1=no SSID IE),
with FCS-trailer retry only on the -1 no-IE case
- addr1 receiver-side sleeper-catch and the optional addr3 + SSID paths
are unchanged — wildcard is purely additive
- 31st OUI 82:6b:f2 added to target_ouis[] and to the dataset doc; it's
the OUI of the 12th camera in Michael's drive-test that the original
30 didn't catch
- README explains the wildcard-probe method, credits Michael with a link
to github.com/DeflockJoplin/flock-you, and bumps Acknowledgments
Source: https://github.com/DeflockJoplin/flock-you
30 Flock Safety infrastructure OUIs identified by @NitekryDPaul via
2.4 GHz promiscuous-mode analysis, including the addr1-receiver
detection technique that catches Flock STAs during burst-sleep
duty cycles. Full credit and methodology in the new file.
Colonel Panic