def printpacket(packet):
s="";
i=0;
- #print "Printing packet."
for foo in packet:
i=i+1;
- #if i>packet[0]+1: break;
s="%s %02x" % (s,foo);
- print "%s" %s;
+ print "# %s" %s;
+simplepacketcount=0;
def handlesimplicitipacket(packet):
s="";
i=0;
-
- for foo in packet:
- i=i+1;
- #if i>packet[0]+1: break;
- s="%s %02x" % (s,foo);
- print "\n%s" %s;
-
+ global simplepacketcount;
+ simplepacketcount=simplepacketcount+1;
len=packet[0];
if len<12: return;
port=packet[9];
info=packet[10];
seq=packet[11];
- #payload begins at byte 12.
-
+ #payload begins at byte 10.
-
- if port==0x03:
+ if packet[len+2]&0x80==0:
+ print "# Dropped broken packet.";
+ elif port==0x20:
+ #data packet
+ counter=packet[11];
+ button=packet[12];
+ x=packet[13];
+ y=packet[14];
+ z=packet[15];
+ print "%09i %03i %4i %4i %4i" % (simplepacketcount,button,x,y,z);
+ sys.stdout.flush();
+ elif port==0x02:
+ #Link request. Gotta send a proper reply to get data.
+ tid=packet[13];
+ #14 ff ff ff ff 3c b7 e3 98
+ #02 03 c9
+ #01 97
+ #ef be ad de 3d 00 02
+ reply=[0x10,
+ src[0], src[1], src[2], src[3],
+ 0x78,0x56,0x34,0x10, #my address.
+ port, 0x21, seq,
+ 0x81, tid, #reply, tid
+
+ 0x20,0x00,0xad,0xde, #link token
+ 0x00]; #no security
+ #printpacket(reply);
+ print "#FIXME FAST: repeatedly broadcasting ACK to catch LINK on the next attempt.";
+ for foo in range(1,50):
+ client.RF_txpacket(reply);
+
+ pass;
+ elif port==0x03:
#print "Join request.";
+ #printpacket(packet);
if packet[12]!=1:
print "Not a join request. WTF?";
return;
tid=packet[13];
reply=[0x12, #reply is one byte shorter
src[0], src[1], src[2], src[3],
- 1,1,1,1, #my address
+ 0x78,0x56,0x34,0x10, #my address.
port, 0x21, seq,
0x81, tid, #reply, tid
- 1,1,1,1,
- #4,3,2,1, #default join token
- #8,7,6,5, #default link token
- #0xFF,0xFF,0xFF,0xFF,
+ 0xef,0xbe,0xad,0xde, #Join token
0x00]; #no security
- printpacket(reply);
- client.RF_txpacket(reply);
-
+ #printpacket(reply);
+ print "#FIXME FAST: repeatedly broadcasting ACK to catch JOIN on the next attempt.";
+ #printpacket(reply);
+ for foo in range(1,50):
+ client.RF_txpacket(reply);
+
+
elif port==0x04:
print "Security request.";
elif port==0x05:
print "%s carrier [freq]\n\tHolds a carrier on [freq] Hz." % sys.argv[0];
print "%s reflex [freq]\n\tJams on [freq] Hz." % sys.argv[0];
print "%s sniffsimpliciti [us|eu|lf]\n\tSniffs SimpliciTI packets." % sys.argv[0];
+ print "%s sniffdash7 [lf]\n\tSniffs Dash7. (untested)" % sys.argv[0];
+
sys.exit();
if len(sys.argv)>2:
client.RF_setfreq(eval(sys.argv[2]));
client.RF_carrier();
- #printconfig();
- #print "\nHolding a carrier wave.";
while(1):
time.sleep(1);
client.RF_idle();
client.config_simpliciti();
- client.pokebysym("MDMCFG4", 0x0c); #ultrawide
- client.pokebysym("FSCTRL1", 0x12); #IF of 457.031
- client.pokebysym("FSCTRL0", 0x00);
- client.pokebysym("FSCAL2" , 0x2A); #above mid
- client.pokebysym("MCSM0" , 0x00); # Main Radio Control State Machine
- client.pokebysym("FSCAL3" , 0xEA) # Frequency synthesizer calibration.
- client.pokebysym("FSCAL2" , 0x2A) # Frequency synthesizer calibration.
- client.pokebysym("FSCAL1" , 0x00) # Frequency synthesizer calibration.
- client.pokebysym("FSCAL0" , 0x1F) # Frequency synthesizer calibration.
-
- client.pokebysym("TEST2" , 0x88) # Various test settings.
- client.pokebysym("TEST1" , 0x35) # Various test settings.
- client.pokebysym("TEST0" , 0x09) # Various test settings.
-
- threshold=200;
+ threshold=100;
if len(sys.argv)>2:
client.RF_setfreq(eval(sys.argv[2]));
print "Listening on %f MHz." % (client.RF_getfreq()/10**6);
print "Jamming if RSSI>=%i" % threshold;
- #FIXME, ugly
+ client.pokebyte(0xFE00,threshold,"xdata"); #Write threshold to shellcode.
+ client.shellcodefile("reflex.ihx");
+ rssi=0;
+ while 1:
+ while(0==client.ishalted()):
+ rssi=0;
+ rssi=client.peek8(0xFE00,"xdata");
+ print "Activated jamming with RSSI of %i, going again for another packet." % rssi;
+ #client.CCdebuginstr([0x02, 0xf0, 0x00]); #ljmp 0xF000
+ client.resume();
+
RFST=0xDFE1
client.CC_RFST_CAL(); #SCAL
time.sleep(1);
maxrssi=0;
while 1:
-
client.CC_RFST_RX(); #SRX
rssi=client.RF_getrssi();
client.CC_RFST_IDLE(); #idle
client.config_simpliciti();
- threshold=200;
if len(sys.argv)>2:
client.RF_setfreq(eval(sys.argv[2]));
- print "Listening on %3.6f MHz." % (client.RF_getfreq()/10.0**6);
+ print "Listening on %f MHz." % (client.RF_getfreq()/10.0**6);
#FIXME, ugly
RFST=0xDFE1
print "%02x %04i %s" % (rssi,rssi, string);
if(sys.argv[1]=="sniffsimpliciti"):
- #TODO remove all poke() calls.
region="us";
if len(sys.argv)>2:
region=sys.argv[2];
client.config_simpliciti(region);
+ print "Listening as %x on %f MHz" % (client.RF_getsmac(),
+ client.RF_getfreq()/10.0**6);
+ #Now we're ready to get packets.
+ while 1:
+ packet=None;
+ while packet==None:
+ packet=client.RF_rxpacket();
+ printpacket(packet);
+ sys.stdout.flush();
+if(sys.argv[1]=="sniffdash7"):
+ region="lf";
+ if len(sys.argv)>2:
+ region=sys.argv[2];
+
+ client.CC1110_crystal();
+ client.RF_idle();
+
+ client.config_dash7(region);
+
print "Listening as %x on %f MHz" % (client.RF_getsmac(),
client.RF_getfreq()/10.0**6);
#Now we're ready to get packets.
sys.stdout.flush();
if(sys.argv[1]=="simpliciti"):
- #TODO remove all poke() calls.
region="us";
if len(sys.argv)>2:
region=sys.argv[2];
client.config_simpliciti(region);
- print "Listening as %x on %f MHz" % (client.RF_getsmac(),
+ print "# Listening as %x on %f MHz" % (client.RF_getsmac(),
client.RF_getfreq()/10.0**6);
#Now we're ready to get packets.
while 1:
projects / goodfet / blobdiff