Stolen SM modules

fahrenheit · September 19, 2005, 3:26pm

Hello everybody
I operate a small ISP, and two days earlier somebody stole two SM’s from the clients residences. How can I recover these.
The thiefs have changed the public IP and Password. They have made the IP local. Is there a possibility in recovering these units. Is thre a way to access the SM’m even if they have changed the Public to Local IP.

AMDXtreme · September 19, 2005, 3:39pm

I guess, you should file legal actions, if you have official receipts of the ESNs of your SM, which cannot be changed, then you can recover it.

Legal actions will solve this, because it is Robbery and Theft Case.

it is physically removed, then you should act physically also.

ahull · September 19, 2005, 3:49pm

If the radios were physically stolen, then how do you know what the culprits did with them?

Physically recovering the units would invlove the police catching the crook(s) after you file all approriate paperwork.

I’m alittle confused, but good luck.

fahrenheit · September 19, 2005, 5:04pm

Yes maybe I did explain it a bit confusing,
Yes the police have been to the scene of crime, they are saying we cannot do anything cuz there are no printes. The SM’s have been removed physicaly. They said if you can pinpoint the location or maybe just the area where you think the modules are we can then get warrants for searching. A friend of mine that also uses motorola told me thet I can use MAC adress to connect to the SM even if the SM is not public. I also have to tell you that the SM’s are still being registered in my AP’s. Thats how I know they changed to the LOCAL IP configuration. Any thought of how a MAC access can be acomplished.

wirelessSolutions · September 20, 2005, 12:03am

If you were able to access the SM and log into it, you would be able to see how far away it is from the AP… and perhaps you could make an attempt to find it that way? :?

micers · September 20, 2005, 3:50am

oops sorry. dupe.

micers · September 20, 2005, 3:57am

fahrenheit wrote:
Hello everybody
I operate a small ISP, and two days earlier somebody stole two SM's from the clients residences. How can I recover these.
The thiefs have changed the public IP and Password. They have made the IP local. Is there a possibility in recovering these units. Is thre a way to access the SM'm even if they have changed the Public to Local IP.

This is an excerpt from my "Sessions" on one of our APs:


LUID: 002 : MAC: 0a-00-3e-90-54-4a State: IN SESSION (Encrypt Active)
      Site Name : Paperback Writer 169.254.2.27
      Software Version : CANOPY 7.2.9 Jul 23 2005 01:49:03
      Software Boot Version : CANOPYBOOT 3.0
      FPGA Version : 070605 (DES Sched) P9
      Session Timeout: 0, AirDelay 12 (approximately 0.33 miles (1764 feet))
      Session Count: 1, Reg Count 1, Re-Reg Count 0
      RSSI (Avg/Last): 1622/1599   Jitter (Avg/Last): 1/2   Power Level (Avg/Last): -63/-63
      DnRate(S): 768 DnLimit(S): 1772 UpRate(S): 128 UpLimit(S): 256 (kbit)
      LoUpCIR(S): 0 LoDnCIR(S): 0 (kbps)
      Rate : VC 18 Rate 1X/1X

Notice that the Session Timeout line has a notation of the distance in feet from my AP to the client node. In this case it is 1764 feet. Now if I had a cluster of AP's I would know very accurately how far out the unit was from the AP to which it was registered. That would tell me how far and what part of the circle. It should be a trivial matter to locate the AP with that information.

If you use a calculator and a protractor you should be able to draw circles around your AP that goes right thru the location of each AP.

Then you go find the unit. Take a digital photo and drive straight to the police station. Give them the picture and the address and file charges.

bduley · September 20, 2005, 4:32pm

Is it possible to use the audio port of an AP to aim it at a SM? The audio port of the SM works very well at pointing you to the AP.

Anonymous1 · September 20, 2005, 6:21pm

An oscilloscope and a Yagi can lead you right to it once you do the protractor / map thing. Find out first where it PROBABLY is, then go find it.

Anonymous1 · September 20, 2005, 10:09pm

If you have a cluster of AP’s, knowing which AP it is registered to may or may not be a help. I have registered onto AP’s that were pointing the same way as my SM.

Example: My SM is pointed north to my tower with the cluster of AP’s on it, and the SM would log on to the AP pointing south at the SM and the AP pointing north away from the SM. This was at about a distance of 15-17 miles with a reflector.

The only way I know to connect to it, besides through a public IP, is select the coresponding LUID to the MAC address registered and try and get in that way, but if you don’t know the password then, well… SOL

AMDXtreme · September 21, 2005, 1:57pm

good suggestions. that could still be traced…

calculate the distance, as well as where your AP is facing, i am sure you can still see that physically.

hope those culprits will go to jail. =)

Sunroomstudio · September 24, 2005, 9:45am

micers wrote:
[quote="fahrenheit":39hnjvoy]Hello everybody
I operate a small ISP, and two days earlier somebody stole two SM's from the clients residences. How can I recover these.
The thiefs have changed the public IP and Password. They have made the IP local. Is there a possibility in recovering these units. Is thre a way to access the SM'm even if they have changed the Public to Local IP.

This is an excerpt from my "Sessions" on one of our APs:


LUID: 002 : MAC: 0a-00-3e-90-54-4a State: IN SESSION (Encrypt Active)
      Site Name : Paperback Writer 169.254.2.27
      Software Version : CANOPY 7.2.9 Jul 23 2005 01:49:03
      Software Boot Version : CANOPYBOOT 3.0
      FPGA Version : 070605 (DES Sched) P9
      Session Timeout: 0, AirDelay 12 (approximately 0.33 miles (1764 feet))
      Session Count: 1, Reg Count 1, Re-Reg Count 0
      RSSI (Avg/Last): 1622/1599   Jitter (Avg/Last): 1/2   Power Level (Avg/Last): -63/-63
      DnRate(S): 768 DnLimit(S): 1772 UpRate(S): 128 UpLimit(S): 256 (kbit)
      LoUpCIR(S): 0 LoDnCIR(S): 0 (kbps)
      Rate : VC 18 Rate 1X/1X

Notice that the Session Timeout line has a notation of the distance in feet from my AP to the client node. In this case it is 1764 feet. Now if I had a cluster of AP's I would know very accurately how far out the unit was from the AP to which it was registered. That would tell me how far and what part of the circle. It should be a trivial matter to locate the AP with that information.

If you use a calculator and a protractor you should be able to draw circles around your AP that goes right thru the location of each AP.

Then you go find the unit. Take a digital photo and drive straight to the police station. Give them the picture and the address and file charges.[/quote:39hnjvoy]

Wow, he's got a good connection, when you find him, can you send him to Aus to install the SM's for us as our installers are hopeless!!!

AMDXtreme · September 26, 2005, 2:26pm

@ Sunroomstudio:

give them a copy of the INstallation Manuals, i guess, they will memorize every page of it. =)

fahrenheit · October 1, 2005, 6:14pm

thank you all people seems like this situation is not going to get solved recently. I’m left only with one solution to stop their internet. What is the best way of blocking them from internet or from my AP’s, Can I use a firewall to block the MAC adresses (I don’t have an BAM server). Suggestions are very welcome.

micers · October 5, 2005, 3:28pm

fahrenheit wrote:
thank you all people seems like this situation is not going to get solved recently. I'm left only with one solution to stop their internet. What is the best way of blocking them from internet or from my AP's, Can I use a firewall to block the MAC adresses (I don't have an BAM server). Suggestions are very welcome.

If they are smart enough to steal an SM and reconfigure the password, then they are smart enough to change their MAC address and IP address. That would let them circumvent your firewall.

fahrenheit · October 5, 2005, 5:27pm

It’s not possible to change the MAC adress as I remember corectly. You can change it by using MAC command but it does not work even if it’s a valid MAC. Is there any possibility to ban them from my AP’s cause I don’t like to block the firewall. One more thing, if they disable the RF link does that mean that I can kiss those SM goodbye :(.Also for all of you here helping me, I’m very new to canopy.

P.S why didn’t motorola make any protection methods when they designed this system.

micers · October 5, 2005, 5:54pm

fahrenheit wrote:
It's not possible to change the MAC adress as I remember corectly. You can change it by using MAC command but it does not work even if it's a valid MAC. Is there any possibility to ban them from my AP's cause I don't like to block the firewall. One more thing, if they disable the RF link does that mean that I can kiss those SM goodbye :(.Also for all of you here helping me, I'm very new to canopy. :)

P.S why didn't motorola make any protection methods when they designed this system.

The unit acts as a bridge unless you have NAT turned on. If the thief turns off NAT and puts the IP address on the device he is bridging he can set whatever MAC address he wants on that devuce.

Motorola TELLS you how far out the system is from your tower. Why can't you just go take the unit? The unit is yours, right? It was stolen, right? You have a good idea who took it and you have enough information to prove to police that it is probably at a specific house. If you can PING the remote unit you can prove beyond any shadow of doubt the unit is at a specific house because you can put an SM in Spectrum Analyzer mode and use a directional antenna to prove a signal is coming from a specific house.

What exactly is stopping you from simply confiscating your property?

fahrenheit · October 5, 2005, 9:06pm

micers wrote:

The unit acts as a bridge unless you have NAT turned on. If the thief turns off NAT and puts the IP address on the device he is bridging he can set whatever MAC address he wants on that devuce.

Motorola TELLS you how far out the system is from your tower. Why can't you just go take the unit? The unit is yours, right? It was stolen, right? You have a good idea who took it and you have enough information to prove to police that it is probably at a specific house. If you can PING the remote unit you can prove beyond any shadow of doubt the unit is at a specific house because you can put an SM in Spectrum Analyzer mode and use a directional antenna to prove a signal is coming from a specific house.

What exactly is stopping you from simply confiscating your property?

What's stopping me is that I dont know where the SM are, I must again explain that these modules are in the crowded city not in rural places. There are around 500 Canopy SM's in my city. It's impossible to determine the location, and as i have no password cause they changed it I can't put SM's on spectrum analyzer mode. Even if you disable the NAT it still is not possible to change the mAC adress you can check around the forum this topic has been disscussed. The MAC adress is my only hope of getting some kind of revenge :evil:

micers · October 5, 2005, 9:17pm

fahrenheit wrote:
[quote="micers":133pvfxf]

The unit acts as a bridge unless you have NAT turned on. If the thief turns off NAT and puts the IP address on the device he is bridging he can set whatever MAC address he wants on that devuce.

Motorola TELLS you how far out the system is from your tower. Why can't you just go take the unit? The unit is yours, right? It was stolen, right? You have a good idea who took it and you have enough information to prove to police that it is probably at a specific house. If you can PING the remote unit you can prove beyond any shadow of doubt the unit is at a specific house because you can put an SM in Spectrum Analyzer mode and use a directional antenna to prove a signal is coming from a specific house.

What exactly is stopping you from simply confiscating your property?

What's stopping me is that I dont know where the SM are, I must again explain that these modules are in the crowded city not in rural places. There are around 500 Canopy SM's in my city. It's impossible to determine the location, and as i have no password cause they changed it I can't put SM's on spectrum analyzer mode. Even if you disable the NAT it still is not possible to change the mAC adress you can check around the forum this topic has been disscussed. The MAC adress is my only hope of getting some kind of revenge :evil:[/quote:133pvfxf]

Ok, understood you are in a tight busy environment. You need to understand that the distance the AP gives you is *VERY* accurate. The unit *WILL* be within thirty meters +/- of that distance from your AP. If you have a GPS you can easily use it to check the distance *BACK* to your tower . Any SM (not the missing SM) can be put into SA mode with a directional antenna and used to do direction finding.

Regarding your assertion that the MAC address can not be changed, if the Canopy acts like a true bridge the MAC address CAN be changed. If the Canopy acts like a layer two repeater and the Canopy firmware doesn't support changing the MAC then you are good to go. You may not WANT to filter at the firewall but you will have to filter there or at your gateway router.

Sorry to upset you. Wasn't my intention.

msmith · October 5, 2005, 9:54pm

Maybe you should continue this thread offline in some manner. If these people are smart enough to steal the SM, re-configure it and get into your network, perhaps they are also aware of this forum and are watching everything you are posting?