print "%s snifftp\n\tSniffs Turning Point Clicker traffic." % sys.argv[0];
print "%s sniffsf\n\tSniffs SparkFun Dongle traffic." % sys.argv[0];
print "";
+ print "%s sniffmacs \n\tSniffs for MAC addresses on the present channel." % sys.argv[0];
print "%s sniffprom [0xaa|0x55]\n\tSniffs promiscuously for a preamble of 0xAA or 0x55" % sys.argv[0];
print "%s autotune\n\tSearches for a valid destination address." % sys.argv[0];
print "";
print "%s sniffskybrake\n\tSniffs skybrake. [broken?]" % sys.argv[0];
print "%s sniffmskb\n\tSniffs MS KB. [broken?]" % sys.argv[0];
-
print "%s hosttp\n\tHosts Turning Point Clicker traffic." % sys.argv[0];
print "%s carrier [freq]\n\tHolds a carrier on [freq] Hz." % sys.argv[0];
rate=False;
chan=False;
sync=False;
+ startch=0; #Useful for forcing an early match.
def init(self,goodfet,
rate=True,chan=True,sync=True):
"""Initializes a link to the GoodFET for autotuning."""
client.poke(0x00,0x00); #Stop nRF
client.poke(0x01,0x00); #Disable Shockburst
client.poke(0x02,0x01); #Set RX Pipe 0
+
+ #Disable shockburst.
+ client.poke(0x1C,0x00);
+ client.poke(0x1D,0x00);
+
client.RF_setmaclen(2); # SETUP_AW for shortest
#historic
#print "%02x%02x invalid entry." % (sync,ord(packet[0]));
#This is a special kind of failure. Freq is probably right, but MAC is wrong.
return False;
- if mac=='5555555555' or mac=='aaaaaaaaaa':
+ if mac=='5555555555' or mac=='aaaaaaaaaa' or mac=='0000000000':
return False;
return True;
def handle(self,packet):
"""Handles a packet."""
#printpacket(packet);
+
if not self.validmac(packet):
- #print "Dropped packet:";
+ #print "Dropped packet from %s" % self.packetaddr(packet,justmac=True);
#printpacket(packet);
return;
+
addr=self.packetaddr(packet);
#Increment the address count.
It's important that this not get triggered by false positives."""
while 1:
+ self.retune();
start=time.mktime(time.localtime());
+ sys.stdout.flush();
while (time.mktime(time.localtime())-start) < delay:
packet=None;
while packet==None:
count=self.addresses[addr];
except:
count=0;
- if count>threshold:
+ if count>threshold and forever==False:
#Tune it in here?
client.tune(addr);
return addr;
- self.retune();
- sys.stdout.flush();
+
def retune(self):
"""Tunes to another channel or preamble looking for the next packet."""
#Swap the SYNC value most often.
if self.sync:
- sync=0xAA;
+ sync=0x00AA;
if count&1:
- sync=0x55;
+ sync=0x0055;
self.client.RF_setsmac(sync);
count=(count>>1);
if self.chan:
self.client.poke(0x05,
- (count+0x12)&0x7f);
+ (count+self.startch)&0x7f);
print "Tuned to %i MHz" % (
self.client.RF_getfreq()
/(10**6));
guesser.selftune(threshold=2,
forever=True);
+if(sys.argv[1]=="sniffmacs"):
+ #Reversal of transmitter code from nRF_CMD.c of OpenBeacon
+ #TODO remove all poke() calls.
+ guesser=AutoTuner();
+ guesser.init(client,rate=False,sync=True,chan=False);
+
+ #Longest length.
+ client.RF_setpacketlen(32);
+
+ #Power radio, prime for RX, no checksum
+ client.poke(0x00,0x70|0x03); #0x08 for checksum, 0x04 for two.
+
+ print "Holding autotune on %i MHz" % (
+ client.RF_getfreq()/10**6);
+ print "sync,mac,r5,r6";
+ #Now we're ready to get packets.
+ guesser.selftune(threshold=2,
+ forever=True);
+
if(sys.argv[1]=="sniffmskb"):
#MSWK 3000 v2.0
#TODO remove all poke() calls.
print "Searching for a keyboard.";
guesser=AutoTuner();
- guesser.init(client, rate=False, sync=True, chan=False);
+ guesser.init(client, rate=False, sync=True, chan=True);
guesser.selftune(threshold=4,forever=False,
- delay=3.0);
+ delay=10.0);
client.poke(0x00,0x00); #Stop nRF
client.poke(0x01,0x00); #Disable Shockburst
client.poke(0x02,0x01); #Set RX Pipe 0
- #client.RF_setmaclen(3);
+ client.RF_setmaclen(5);
#Finally, dynamic payload lengths need to be enabled.
#client.poke(0x01,0x01);
printmspacket(packet);
sys.stdout.flush();
+if(sys.argv[1]=="sniffant"):
+ #Prototyped on Garmin device.
+ #Channel hopping is pretty damned fast, hard to follow.
+ #This doesn't really work yet, still experimenting.
+
+ #Might be more effective to sniff knowing the MFG ID and Dev. ID,
+ #as these predict a lot of the MAC address.
+
+ client.poke(0x00,0x00); #Stop nRF
+ client.poke(0x01,0x00); #Disable Shockburst
+ client.poke(0x02,0x01); #Set RX Pipe 0
+
+ client.poke(0x05,57); #broadcast-only channel
+ client.poke(0x06,0x00); #1MBps
+ client.poke(0x07,0x78); #Reset status register
+
+ #Is this appropriate? Might be 3.
+ client.RF_setmaclen(5);
+
+
+ #Mac packet length, illegally 0-length address field.
+ client.RF_setpacketlen(16);
+
+ if len(sys.argv)>2:
+ client.tune(sys.argv[2]);
+ else:
+
+ print "Searching for ANT+.";
+
+ guesser=AutoTuner();
+ guesser.init(client, rate=False, sync=True, chan=True);
+ guesser.selftune(threshold=2,forever=False,
+ delay=9.0);
+
+ client.poke(0x00,0x00); #Stop nRF
+ client.poke(0x01,0x00); #Disable Shockburst
+ client.poke(0x02,0x01); #Set RX Pipe 0
+ client.RF_setmaclen(5);
+
+
+ client.poke(0x00,0x70|0x03); #prime radio.
+ print "Dumping ANT as %010x on %i MHz" % (client.RF_getsmac(),
+ client.RF_getfreq()/10**6);
+ #Now we're ready to get packets.
+ while 1:
+ packet=None;
+ while packet==None:
+ #time.sleep(1);
+ packet=client.RF_rxpacket();
+ #print ".";
+ printpacket(packet);
+ sys.stdout.flush();
+
if(sys.argv[1]=="sniffskybrake"):
sys.stdout.flush();
if(sys.argv[1]=="sniff"):
+ if len(sys.argv)>2:
+ print "Set MAC to %s" % sys.argv[2];
+ client.tune(sys.argv[2]);
+ client.RF_setmaclen(5);
+
#client.poke(0x00,0x00); #Stop nRF
client.poke(0x07,0x78); #Reset status register
projects / goodfet / blobdiff