Pwnagotchi beacon data content

I stumbled across the pwnagotchi project, started by evilsocket, on Twitter a couple of months ago. I ordered the parts I needed on Amazon a few days later, and then sat on them for a month until I had time to get it up and running. Turns out CWNE applications are time-consuming!

pwnagotchi connected to wlanpi
pwnagotchi looking for wireless networks

Here are the two main components I picked up:

You’ll also need a microSD card at least 8GB in size to get started, but I had some of those on hand already.

How the pwnagotchi tells others it exists

Now that I’ve had some time to play with my pwnagotchi, I got curious how it finds other pwnagotchis in the wild. I assumed it was using WiFi rather than Bluetooth, so I fired up my WLANPi and started to take a look.

Wireshark capture from WLANPi showing pwnagotchi beacons.

In a case of funny-and-not-really-surprising, the pwnagotchi uses the address de:ad:be:ef:de:ad when sending beacons. I’m easily amused. There’s no SSID in the packet, but there are some extra parameters tacked on at the end that include a pile of information about your pwnagotchi.

Interestingly WiFi Explorer Pro and other WLAN survey tools I have didn’t show anything from the pwnagotchi. Perhaps it’s something non-standard that they aren’t decoding?

pwnagotchi beacon packet data contents

Data fields

Basically everything about the current state of your pwnagotchi is included, so when another pwnagotchi is listening and in the area it likely finds that beacon packet and sees a friend it needs to learn about.

    {
      "epoch": 11,
      "face": "(…_…)",
      "grid_version": "1.10.1",
      "identity": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "name": "pwnagotchi",
      "policy": {
        "advertise": true,
        "ap_ttl": 34,
        "associate": true,
        "bond_encounters_factor": 20000,
        "bored_num_epochs": 14,
        "channels": [1, 2, 3, 6, 7, 8, 11],
        "deauth": true,
        "excited_num_epochs": 15,
        "hop_recon_time": 54,
        "max_inactive_scale": 5,
        "max_interactions": 19,
        "max_misses_for_recon": 8,
        "min_recon_time": 17,
        "min_rssi": -71,
        "recon_inactive_multiplier": 2,
        "recon_time": 41,
        "sad_num_epochs": 8,
        "sta_ttl": 212
      },
      "pwnd_run": 1,
      "pwnd_tot": 100,
      "session_id": "3f:xx:c0:24:xx:xx",
      "timestamp": 1572218230,
      "uptime": 6859,
      "version": "1.1.0RC0"
    }

It looks like this follows the layout of the pwnagotchi config.yml file (carried here as JSON in the beacon), plus some added bits put in from the AI portion. If you’ve seen the output from ‘journalctl -fu pwnagotchi’ on your pwnagotchi you should find the beacon data contents familiar.
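To make the "extra parameters tacked on at the end" concrete, here is an added example (my own code, not the pwnagotchi or pwngrid project's) that builds a beacon frame the way the capture above looks: source and BSSID de:ad:be:ef:de:ad, a zero-length SSID element, and the JSON state split across custom information elements, then walks the tagged parameters back out and reassembles the JSON. The element ID 222 used for the payload is an assumption for this example, not something stated in the post, and the sample dictionary is constructed from the dump above with the identity replaced by a placeholder. The last function is the kind of check a WLAN monitoring script could run over captured beacons to flag a pwnagotchi in range.

```python
import json
import struct

# Source/BSSID address observed on pwnagotchi beacons in the capture above.
PWNAGOTCHI_MAC = bytes.fromhex("deadbeefdead")
# Element ID assumed for the JSON payload elements (assumption for this
# example; the post does not name the element ID).
PAYLOAD_ELEMENT_ID = 222
MAX_ELEMENT_LEN = 255  # an information element carries at most 255 bytes

# Constructed sample built from the beacon dump in the post.
SAMPLE = {
    "epoch": 11, "face": "(…_…)", "grid_version": "1.10.1",
    "identity": "x" * 48, "name": "pwnagotchi",
    "policy": {"advertise": True, "ap_ttl": 34, "associate": True,
               "bond_encounters_factor": 20000, "bored_num_epochs": 14,
               "channels": [1, 2, 3, 6, 7, 8, 11], "deauth": True,
               "excited_num_epochs": 15, "hop_recon_time": 54,
               "max_inactive_scale": 5, "max_interactions": 19,
               "max_misses_for_recon": 8, "min_recon_time": 17,
               "min_rssi": -71, "recon_inactive_multiplier": 2,
               "recon_time": 41, "sad_num_epochs": 8, "sta_ttl": 212},
    "pwnd_run": 1, "pwnd_tot": 100, "session_id": "3f:xx:c0:24:xx:xx",
    "timestamp": 1572218230, "uptime": 6859, "version": "1.1.0RC0",
}


def build_beacon(payload: dict, src: bytes = PWNAGOTCHI_MAC) -> bytes:
    """Construct a beacon frame carrying `payload` (a constructed sample, not a capture)."""
    # MAC header: frame control (type 0 / subtype 8 = beacon), duration,
    # addr1 = broadcast, addr2 = source, addr3 = BSSID, sequence control.
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + src + src + b"\x00\x00"
    # Fixed parameters: timestamp (8), beacon interval (2), capabilities (2).
    fixed = struct.pack("<QHH", 0, 100, 0)
    # Tagged parameters: zero-length SSID element (ID 0), then the compact
    # JSON split across as many payload elements as needed.
    body = bytes([0, 0])
    blob = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    for off in range(0, len(blob), MAX_ELEMENT_LEN):
        chunk = blob[off:off + MAX_ELEMENT_LEN]
        body += bytes([PAYLOAD_ELEMENT_ID, len(chunk)]) + chunk
    return header + fixed + body


def iter_elements(tagged: bytes):
    """Yield (element_id, value) for each information element; stop on truncation."""
    i = 0
    while i + 2 <= len(tagged):
        eid, ln = tagged[i], tagged[i + 1]
        if i + 2 + ln > len(tagged):
            break  # declared length runs past the frame: do not over-read
        yield eid, tagged[i + 2:i + 2 + ln]
        i += 2 + ln


def parse_beacon(frame: bytes):
    """Return {'src', 'ssid', 'payload'} for a beacon, or None if not a beacon."""
    if len(frame) < 36 or frame[0] != 0x80:
        return None
    src = frame[10:16]          # addr2 (transmitter)
    tagged = frame[36:]         # after the 24-byte header + 12 bytes of fixed fields
    ssid, chunks = None, []
    for eid, val in iter_elements(tagged):
        if eid == 0:
            ssid = val.decode("utf-8", errors="replace")
        elif eid == PAYLOAD_ELEMENT_ID:
            chunks.append(val)
    payload = None
    if chunks:
        try:
            payload = json.loads(b"".join(chunks).decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            payload = None  # partial or corrupted payload: treat as absent
    return {"src": src, "ssid": ssid, "payload": payload}


def is_pwnagotchi_beacon(frame: bytes) -> bool:
    """Flag a beacon that matches the pattern seen in the post's capture."""
    p = parse_beacon(frame)
    return (p is not None and p["src"] == PWNAGOTCHI_MAC
            and p["ssid"] == "" and isinstance(p["payload"], dict)
            and "identity" in p["payload"])


if __name__ == "__main__":
    frame = build_beacon(SAMPLE)
    print(len(frame), "bytes,", is_pwnagotchi_beacon(frame))
    print(json.dumps(parse_beacon(frame)["payload"]["policy"], indent=2))
```

The parser stops at the first element whose declared length runs past the end of the frame and then fails the JSON decode cleanly, which is what you want from anything that ingests frames off the air: a truncated or hand-crafted beacon should produce "no payload", not an exception or an over-read. The address check is a convenience, not a guarantee, since the transmitter address is freely settable.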

Next Steps

So, the next step is to build another pwnagotchi, or find a friend with one so that we can make them be friends too. Then maybe there will be a full pwnagotchi association phase to take a look at, but until then there’s just the pwnagotchi beacon for my mostly sad pwnagotchi.

Remember kids, deauthentication packets against networks you don’t own aren’t legal in most places, and they aren’t ethical in any of them. If you’re playing with one of these make sure you’re a good WiFi neighbor.