i=0;
for foo in packet:
i=i+1;
- #if i>client.packetlen: break;
- s="%s %02x" % (s,ord(foo));
- print "%s" %s;
+ s="%s %02x" % (s,foo);
+ print "# %s" %s;
+simplepacketcount=0;
+def handlesimplicitipacket(packet):
+ s="";
+ i=0;
+ global simplepacketcount;
+ simplepacketcount=simplepacketcount+1;
+
+ len=packet[0];
+ if len<12: return;
+
+ dst=[packet[1],
+ packet[2],
+ packet[3],
+ packet[4]];
+ src=[packet[5],
+ packet[6],
+ packet[7],
+ packet[8]];
+ port=packet[9];
+ info=packet[10];
+ seq=packet[11];
+ #payload begins at byte 10.
+
+ if packet[len+2]&0x80==0:
+ print "# Dropped broken packet.";
+ elif port==0x20:
+ #data packet
+ counter=packet[11];
+ button=packet[12];
+ x=packet[13];
+ if x>=128: x=0-(x^0xFF)-1;
+ y=packet[14];
+ if y>=128: y=0-(y^0xFF)-1;
+ z=packet[15];
+ if z>=128: z=0-(z^0xFF)-1;
+
+ print "%09i %03i %4i %4i %4i" % (simplepacketcount,button,x,y,z);
+ sys.stdout.flush();
+ elif port==0x02:
+ #Link request. Gotta send a proper reply to get data.
+ tid=packet[13];
+ #14 ff ff ff ff 3c b7 e3 98
+ #02 03 c9
+ #01 97
+ #ef be ad de 3d 00 02
+ reply=[0x10,
+ src[0], src[1], src[2], src[3],
+ 0x78,0x56,0x34,0x10, #my address.
+ port, 0x21, seq,
+ 0x81, tid, #reply, tid
+
+ 0x20,0x00,0xad,0xde, #link token
+ 0x00]; #no security
+ #printpacket(reply);
+ print "#FIXME FAST: repeatedly broadcasting ACK to catch LINK on the next attempt.";
+ for foo in range(1,50):
+ client.RF_txpacket(reply);
+
+ pass;
+ elif port==0x03:
+ #print "Join request.";
+ #printpacket(packet);
+ if packet[12]!=1:
+ print "Not a join request. WTF?";
+ return;
+ tid=packet[13];
+ reply=[0x12, #reply is one byte shorter
+ src[0], src[1], src[2], src[3],
+ 0x78,0x56,0x34,0x10, #my address.
+ port, 0x21, seq,
+ 0x81, tid, #reply, tid
+
+ 0xef,0xbe,0xad,0xde, #Join token
+ 0x00]; #no security
+ #printpacket(reply);
+ print "#FIXME FAST: repeatedly broadcasting ACK to catch JOIN on the next attempt.";
+ #printpacket(reply);
+ for foo in range(1,50):
+ client.RF_txpacket(reply);
+
+
+ elif port==0x04:
+ print "Security request.";
+ elif port==0x05:
+ print "Frequency request.";
+ elif port==0x06:
+ print "Management request.";
+ else:
+ print "Unknown Port %02x" %port;
+
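Review bot: `handlesimplicitipacket` validates only the length byte the frame itself declares (`len=packet[0]`, then `if len<12: return;`) and never the real size of the received list, so `packet[len+2]`, `packet[12]`…`packet[15]` and `packet[13]` in the later branches raise IndexError on a truncated or corrupted over-the-air frame, which ends the `simpliciti` receive loop that calls this function. Because the local `len` shadows the builtin, the check cannot be written in place; rename it and guard on the actual length: `plen=packet[0];` / `if plen<12 or len(packet)<plen+3: return;` / `if packet[plen+2]&0x80==0:`. The data branch (port 0x20) reads up to `packet[15]`, so it needs its own `len(packet)>15` check before the `x`/`y`/`z` reads. The received list's origin is `client.RF_rxpacket()`, whose minimum length is not visible here, so the exact bound may need adjusting against that helper.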
if(len(sys.argv)==1):
print "Usage: %s verb [objects]\n" % sys.argv[0];
print "%s erase" % sys.argv[0];
print "%s test" % sys.argv[0];
print "%s term" % sys.argv[0];
print "%s info" % sys.argv[0];
+ print "%s infotest" % sys.argv[0];
print "%s halt" % sys.argv[0];
print "%s regs" % sys.argv[0];
print "%s dumpcode $foo.hex [0x$start 0x$stop]" % sys.argv[0];
print "%s peek 0x$iram" % sys.argv[0];
print "%s poke 0x$iram 0x$val" % sys.argv[0];
print "%s peekcode 0x$start [0x$stop]" % sys.argv[0];
-
+ print "\n"
+ print "%s rssi [freq]\n\tGraphs signal strength on [freq] Hz." % sys.argv[0];
print "%s carrier [freq]\n\tHolds a carrier on [freq] Hz." % sys.argv[0];
print "%s reflex [freq]\n\tJams on [freq] Hz." % sys.argv[0];
print "%s sniffsimpliciti [us|eu|lf]\n\tSniffs SimpliciTI packets." % sys.argv[0];
+ print "%s sniffdash7 [lf]\n\tSniffs Dash7. (untested)" % sys.argv[0];
+ print "%s snifficlicker [us]\n\tSniffs iClicker." % sys.argv[0];
+ print "\n";
+ print "%s simpliciti [us|eu|lf]\n\tSimpliciti access point for Chronos watch." % sys.argv[0];
+ print "%s iclicker [us|eu|lf]\n\tSniffs iClicker packets as ASCII." % sys.argv[0];
sys.exit();
if len(sys.argv)>2:
client.RF_setfreq(eval(sys.argv[2]));
client.RF_carrier();
- #printconfig();
- #print "\nHolding a carrier wave.";
while(1):
time.sleep(1);
client.RF_idle();
client.config_simpliciti();
- client.pokebysym("MDMCFG4", 0x0c); #ultrawide
- client.pokebysym("FSCTRL1", 0x12); #IF of 457.031
- client.pokebysym("FSCTRL0", 0x00);
- client.pokebysym("FSCAL2" , 0x2A); #above mid
- client.pokebysym("MCSM0" , 0x00); # Main Radio Control State Machine
-
- client.pokebysym("FSCAL3" , 0xEA) # Frequency synthesizer calibration.
- client.pokebysym("FSCAL2" , 0x2A) # Frequency synthesizer calibration.
- client.pokebysym("FSCAL1" , 0x00) # Frequency synthesizer calibration.
- client.pokebysym("FSCAL0" , 0x1F) # Frequency synthesizer calibration.
-
- client.pokebysym("TEST2" , 0x88) # Various test settings.
- client.pokebysym("TEST1" , 0x35) # Various test settings.
- client.pokebysym("TEST0" , 0x09) # Various test settings.
- threshold=200;
+ threshold=100;
if len(sys.argv)>2:
client.RF_setfreq(eval(sys.argv[2]));
print "Listening on %f MHz." % (client.RF_getfreq()/10**6);
print "Jamming if RSSI>=%i" % threshold;
+ client.pokebyte(0xFE00,threshold,"xdata"); #Write threshold to shellcode.
+ client.shellcodefile("reflex.ihx");
+ rssi=0;
+ while 1:
+ while(0==client.ishalted()):
+ rssi=0;
+ rssi=client.peek8(0xFE00,"xdata");
+ print "Activated jamming with RSSI of %i, going again for another packet." % rssi;
+ #client.CCdebuginstr([0x02, 0xf0, 0x00]); #ljmp 0xF000
+ client.resume();
+
+
+if(sys.argv[1]=="rssi"):
+ client.CC1110_crystal();
+ client.RF_idle();
+
+ client.config_simpliciti();
+
+ if len(sys.argv)>2:
+ client.RF_setfreq(eval(sys.argv[2]));
+ print "Listening on %f MHz." % (client.RF_getfreq()/10.0**6);
+
#FIXME, ugly
RFST=0xDFE1
- client.pokebyte(RFST,0x01); #SCAL
+ client.CC_RFST_CAL();
time.sleep(1);
- maxrssi=0;
while 1:
-
- client.pokebyte(RFST,0x02); #SRX
+ client.CC_RFST_RX();
rssi=client.RF_getrssi();
- client.pokebyte(RFST,0x04); #idle
+ client.CC_RFST_IDLE(); #idle
time.sleep(0.01);
- rssi=rssi;
string="";
for foo in range(0,rssi>>2):
string=("%s."%string);
- print "%02x %04i %04i %s" % (rssi,rssi, maxrssi, string);
- if rssi>maxrssi:
- maxrssi=(rssi);
- if rssi>threshold:
- #print "Triggered jamming for 1s.";
- client.RF_carrier();
- time.sleep(1);
- print "JAMMING JAMMING JAMMING JAMMING";
+ print "%02x %04i %s" % (rssi,rssi, string);
+
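Review bot: The new `rssi` branch copies the `client.RF_setfreq(eval(sys.argv[2]))` idiom from the `carrier`/`reflex` branches, so an arbitrary Python expression from the command line is evaluated just to parse a frequency. If `[freq]` is only ever an integer number of Hz, as the usage text says, `client.RF_setfreq(int(sys.argv[2], 0))` accepts both decimal and `0x`-prefixed values without `eval`; if expression forms such as `2481*10**6` are relied on, a short comment saying so would justify keeping `eval`. The same applies to the two pre-existing uses above.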
+if(sys.argv[1]=="sniff"):
+ client.CC1110_crystal();
+ client.RF_idle();
+
+ #client.config_simpliciti(region);
+
+ print "Listening as %x on %f MHz" % (client.RF_getsmac(),
+ client.RF_getfreq()/10.0**6);
+ #Now we're ready to get packets.
+ while 1:
+ packet=None;
+ while packet==None:
+ packet=client.RF_rxpacket();
+ printpacket(packet);
+ sys.stdout.flush();
if(sys.argv[1]=="sniffsimpliciti"):
- #TODO remove all poke() calls.
+ region="us";
+ if len(sys.argv)>2:
+ region=sys.argv[2];
client.CC1110_crystal();
client.RF_idle();
+ client.config_simpliciti(region);
- client.config_simpliciti("lf");
- #client.RF_setfreq(2481 * 10**6);
+ print "Listening as %x on %f MHz" % (client.RF_getsmac(),
+ client.RF_getfreq()/10.0**6);
+ #Now we're ready to get packets.
+ while 1:
+ packet=None;
+ while packet==None:
+ packet=client.RF_rxpacket();
+ printpacket(packet);
+ sys.stdout.flush();
+if(sys.argv[1]=="sniffook"):
+ region="lf";
+ if len(sys.argv)>2:
+ region=sys.argv[2];
- #OpenBeacon defines these in little endian as follows.
- #client.RF_setmaclen(5); # SETUP_AW for 5-byte addresses.
- #0x01, 0x02, 0x03, 0x02, 0x01
- #client.RF_setsmac(0x0102030201);
- #'O', 'C', 'A', 'E', 'B'
- #client.RF_settmac(0x424541434F);
+ client.CC1110_crystal();
+ client.RF_idle();
- #Set packet length of 16.
- #client.RF_setpacketlen(16);
+ client.config_ook(region);
+ print "Listening for OOK on %f MHz" % (client.RF_getfreq()/10.0**6);
+ #Now we're ready to get packets.
+ while 1:
+ packet=None;
+ while packet==None:
+ packet=client.RF_rxpacket();
+ printpacket(packet);
+ sys.stdout.flush();
+if(sys.argv[1]=="sniffdash7"):
+ region="lf";
+ if len(sys.argv)>2:
+ region=sys.argv[2];
+
+ client.CC1110_crystal();
+ client.RF_idle();
+
+ client.config_dash7(region);
+
+ print "Listening as %x on %f MHz" % (client.RF_getsmac(),
+ client.RF_getfreq()/10.0**6);
+ #Now we're ready to get packets.
+ while 1:
+ packet=None;
+ while packet==None:
+ packet=client.RF_rxpacket();
+ printpacket(packet);
+ sys.stdout.flush();
+if(sys.argv[1]=="snifficlicker"):
+ region="us";
+ if len(sys.argv)>2:
+ region=sys.argv[2];
+
+ client.CC1110_crystal();
+ client.RF_idle();
- print "Listening as %010x on %i MHz" % (client.RF_getsmac(),
- client.RF_getfreq()/10**6);
+ client.config_iclicker(region);
+
+ print "Listening as %x on %f MHz" % (client.RF_getsmac(),
+ client.RF_getfreq()/10.0**6);
#Now we're ready to get packets.
while 1:
packet=None;
while packet==None:
- #time.sleep(0.1);
packet=client.RF_rxpacket();
printpacket(packet);
sys.stdout.flush();
+if(sys.argv[1]=="iclicker"):
+ buttons=[0, 'A', 'j', 3, 4, 'B',
+ 6, 7, 8, 9, 'E', 0xB, 0xC,
+ 'C', 'D', 0xF];
+ region="us";
+ if len(sys.argv)>2:
+ region=sys.argv[2];
+
+ client.CC1110_crystal();
+ client.RF_idle();
+
+ client.config_iclicker(region);
+
+ print "Listening as %x on %f MHz" % (client.RF_getsmac(),
+ client.RF_getfreq()/10.0**6);
+ #Now we're ready to get packets.
+ while 1:
+ packet=None;
+ while packet==None:
+ packet=client.RF_rxpacket();
+ printpacket(packet);
+ button=((packet[5]&1)<<3) | (packet[6]>>5);
+ print "Button %c" % buttons[button];
+ sys.stdout.flush();
+
+if(sys.argv[1]=="simpliciti"):
+ region="us";
+ if len(sys.argv)>2:
+ region=sys.argv[2];
+
+ client.CC1110_crystal();
+ client.RF_idle();
+
+ client.config_simpliciti(region);
+
+ print "# Listening as %x on %f MHz" % (client.RF_getsmac(),
+ client.RF_getfreq()/10.0**6);
+ #Now we're ready to get packets.
+ while 1:
+ packet=None;
+ while packet==None:
+ packet=client.RF_rxpacket();
+ handlesimplicitipacket(packet);
+ sys.stdout.flush();
-if(sys.argv[1]=="explore"):
- print "Exploring undefined commands."
- print "Status: %s" %client.status();
-
- cmd=0x04; #read status
- for foo in range(0,0x5):
- client.CCcmd([(0x0F<<3)|(0x00)|0x03,0x09<<3]);
- print "Status %02x: %s" % (foo,client.status());
- for foo in range(0,3):
- print "PC: %04x" % client.CCgetPC();
if(sys.argv[1]=="term"):
GoodFETConsole(client).run();
if(sys.argv[1]=="test"):
if(sys.argv[1]=="halt"):
print "Halting CPU."
client.halt();
+
+if(sys.argv[1]=="infotest"):
+ while 1:
+ client.start();
+ print "Ident %s" % client.CCidentstr();
if(sys.argv[1]=="info"):
print "Ident %s" % client.CCidentstr();