DiffLoc is a system designed to localize WiFi cameras using a controlled diffraction approach. The system is built on a low-cost hardware platform using a Raspberry Pi, a stepper motor, and other off-the-shelf components.
Hardware:
- Raspberry Pi 4B (any version with WiFi support)
- USB WiFi Adapter (at least one must support monitor mode; TX-N600 recommended)
- Stepper Motor (ULN2003 control board and 5V 28BYJ-48 stepper motor)
- 3D-printed connecting rod and stand
- Aluminum metal plate (100×150×1 mm in our prototype; 100×200×1 mm would be preferable, with a 5 cm protrusion at the top)
- Power supply for the Raspberry Pi and external peripherals (a mobile power supply can be used)
Software:
- Raspberry Pi OS (kernel 4.9 and firmware version 7_45_189 in our prototype)
- Python 3.7
- Additional Python libraries (NumPy, sklearn, scipy, dpkt, tqdm and subprocess)
Raspberry Pi Preparation:
- Install Raspberry Pi OS (Raspberry Pi's default OS).
- Ensure that WiFi is enabled and connected to the network.
- Connect the Raspberry Pi to a display and keyboard for initial setup.
- Install the necessary packages for CSI collection (using the nexmon tool).
WiFi Adapter:
- Attach the USB WiFi adapter (Wi-Nic-1) to the Raspberry Pi for communication with the target device.
- Ensure that the other WiFi adapter (Wi-Nic-2) supports monitor mode to capture traffic.
Stepper Motor:
- Connect the stepper motor to the control board, ensuring that the wiring is correct for operation.
- The motor should rotate the metal plate around the receiver (Raspberry Pi) to create the diffraction effect.
- Test the motor's movement to confirm smooth rotation with no interruptions.
3D Printed Components:
- Use a stand to position the motor and metal plate around the receiver.
- Attach the thin metal plate to the stepper motor's rotating shaft.
- Install Nexmon (for CSI collection): Follow the Nexmon installation guide to enable CSI extraction on the Raspberry Pi 4B.
- Clone the Repository: git clone this repository and cd DiffLoc
- camsacn.py:
- Detects hidden WiFi cameras and sends the MAC address and channel to locationfu.py for localization.
- Due to the difference in the RSSI values returned by the Raspberry Pi’s network card compared to standard methods, this code includes APs with readings of -39dBm or higher (as reported by the built-in Raspberry Pi network card) in the scanning range.
- locationfu.py:
- Uses the stepper motor to rotate the metal plate, recording the corresponding path loss variations.
- Processes the CSI data to estimate the target's azimuth angle using the diffraction-based localization model.
- setup.sh:
- Configures the Nexmon CSI tool.
- csitool:
- Tools for reading and processing Nexmon CSI data.
- locationp.py:
- The standalone localization module only requires setting the target MAC address and channel to begin localization.
- lg_v2:
- These two files contain the design schematics for the 3D-printed components used in our system.
- Ensure all dependencies are installed
- Use "airmon-ng start wlan 2" to put Wi-Nic-2 into monitor mode.
- Run camsacn.py for camera detection and localization, and leave the room when prompted by the system. You can connect to DiffLoc from a phone over SSH.
- If you want to test localization only, use locationp.py and change the MAC address and channel to the target's MAC address and channel.
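A pre-flight check for the steps above, as an added example that is not part of the DiffLoc repository: it confirms the listed third-party libraries import and that an interface reported by `iw dev` is in monitor mode. The interface names and the sample `iw dev` output are constructed, and the optional channel comparison assumes the capture adapter should be tuned to the target's channel.

```python
import importlib.util
import re
import subprocess

# Import names of the third-party libraries listed under "Software".
REQUIRED_MODULES = ["numpy", "sklearn", "scipy", "dpkt", "tqdm"]
# Constructed sample of `iw dev` output (interface names are made up).
SAMPLE_IW_DEV = """phy#2
    Interface wlan2mon
        type monitor
        channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
phy#0
    Interface wlan0
        type managed
"""

def missing_modules(names=REQUIRED_MODULES):
    """Return the names in `names` that cannot be imported."""
    return [n for n in names if importlib.util.find_spec(n) is None]

def parse_iw_dev(text):
    """Map interface name -> {"type": str or None, "channel": int or None}."""
    interfaces, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        channel = re.match(r"channel (\d+)\b", line)
        if line.startswith("Interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"type": None, "channel": None}
        elif current and line.startswith("type "):
            interfaces[current]["type"] = line.split(None, 1)[1]
        elif current and channel:
            interfaces[current]["channel"] = int(channel.group(1))
    return interfaces

def preflight(iw_text, target_channel=None, modules=REQUIRED_MODULES):
    """Return a list of problems; an empty list means ready to run."""
    problems = ["missing Python module: " + m for m in missing_modules(modules)]
    monitors = {n: i for n, i in parse_iw_dev(iw_text).items() if i["type"] == "monitor"}
    if not monitors:
        problems.append("no interface in monitor mode (run airmon-ng first)")
    elif target_channel is not None and target_channel not in [i["channel"] for i in monitors.values()]:
        seen = ", ".join("%s=ch%s" % (n, i["channel"]) for n, i in monitors.items())
        problems.append("no monitor interface on channel %d (%s)" % (target_channel, seen))
    return problems

if __name__ == "__main__":
    out = subprocess.run(["iw", "dev"], capture_output=True, text=True).stdout
    for problem in preflight(out) or ["ready: dependencies and monitor mode OK"]:
        print(problem)
```

Run it on the Raspberry Pi after starting monitor mode; `iw` must be installed, and an empty problem list means the dependency and monitor-mode prerequisites are met.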
For a demo, please refer to demo.mp4 in this project.
When detecting suspicious devices, it’s best to stay indoors and perform large movements to stimulate camera traffic. For camera detection, begin with active large movements inside the room, then leave the room during the second half of the detection process. For localization, we recommend that users remotely connect to the DiffLoc device via a smartphone or computer and leave the room to avoid activity-induced interference.
Note: Different types of USB WiFi NICs may fail to capture packets from certain camera models; however, switching to a different USB NIC can often resolve this issue. We are currently exploring the use of the Raspberry Pi’s built-in WiFi module as a potential solution.
Note: Our experiments were conducted using 2.4GHz WiFi. If using 5GHz WiFi, please adjust the relevant parameters accordingly—for example, change '--bandwidth', '20' to '--bandwidth', '40' in the location settings.
We welcome contributions to improve and extend DiffLoc. We have discussed the current limitations and potential improvements of DiffLoc in the paper. There remains significant room for enhancement in hardware design, algorithm refinement, and the overall localization workflow. We welcome further discussion and collaboration.
Thanks to nexmon_csi and CSIKit.
DiffLoc is released under the MIT License. See the LICENSE file for more information.
@inproceedings{zhang2025diffloc,
author={Zhang, Xiang and Zhang, Jie and Yan, Huan and Huang, Jinyang and Ma, Zehua and Liu, Bin and Li, Meng and Chen, Kejiang and Guo, Qing and Zhang, Tianwei and Liu, Zhi},
booktitle = {The 34th USENIX Security Symposium},
title = {DiffLoc: WiFi Hidden Camera Localization Based on Electromagnetic Diffraction},
year = {2025},
address = {Seattle, WA, USA},
month = {May}
}
