#time.sleep(0.1);
#print "Waiting for shell code to return.";
return;
+ def ishalted(self):
+ return self.CCstatus()&0x20;
def shellcode(self,code,wait=1):
"""Copy a block of code into RAM and execute it."""
i=0;
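Review bot: The new `ishalted` has no docstring and tests a bare `0x20` mask, while `shellcode` directly below it is documented. A line such as `"""Return nonzero when the debug status byte reports the CPU as halted."""` and a named constant for the mask would make the `0==client.ishalted()` poll in the client script readable; I am assuming 0x20 is the CPU-halted bit of the debug status byte, which the hunk does not state. The method returns the masked integer (0 or 0x20) rather than a bool, so callers should test truthiness and never compare against 1.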
self.pokebysym("FREQ2" , 0x21) # Frequency control word, high byte.
self.pokebysym("FREQ1" , 0x71) # Frequency control word, middle byte.
self.pokebysym("FREQ0" , 0x7a) # Frequency control word, low byte.
- if band=="ismus" or band=="us":
+ elif band=="ismus" or band=="us":
self.pokebysym("FREQ2" , 0x22) # Frequency control word, high byte.
self.pokebysym("FREQ1" , 0xB1) # Frequency control word, middle byte.
self.pokebysym("FREQ0" , 0x3B) # Frequency control word, low byte.
- if band=="ismlf" or band=="lf":
+ elif band=="ismlf" or band=="lf":
self.pokebysym("FREQ2" , 0x10) # Frequency control word, high byte.
self.pokebysym("FREQ1" , 0xB0) # Frequency control word, middle byte.
self.pokebysym("FREQ0" , 0x71) # Frequency control word, low byte.
-
+ elif band=="none":
+ band="none";
+ else:
+ #Got a frequency, not a band.
+ self.RF_setfreq(eval(band));
self.pokebysym("MDMCFG4" , 0x7B) # Modem configuration.
self.pokebysym("MDMCFG3" , 0x83) # Modem configuration.
self.pokebysym("MDMCFG2" , 0x13) # Modem configuration.
self.pokebysym("PKTCTRL1" , 0x04) # Packet automation control, w/ lqi
#self.pokebysym("PKTCTRL1" , 0x00) # Packet automation control. w/o lqi
self.pokebysym("PKTCTRL0" , 0x05) # Packet automation control, w/ checksum.
- self.pokebysym("PKTCTRL0" , 0x00) # Packet automation control, w/o checksum, fixed length
+ #self.pokebysym("PKTCTRL0" , 0x00) # Packet automation control, w/o checksum, fixed length
self.pokebysym("ADDR" , 0x01) # Device address.
self.pokebysym("PKTLEN" , 0xFF) # Packet length.
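Review bot: The new `else` branch passes `band` to `eval()`, so any string reaching `config_simpliciti` that is not a known band name is executed as Python; the client scripts feed `sys.argv[2]` through the same `eval` pattern, visible as context further down the page. A numeric parse keeps the feature without running code: `self.RF_setfreq(float(band));`, which raises `ValueError` on bad input but would no longer accept arithmetic expressions such as `915*10**6`, if anyone relies on that. Separately, `elif band=="none": band="none";` assigns the value it just tested; `pass` with a comment saying the frequency is left untouched would state the intent. The first `if` of this chain and the function signature are outside the hunk.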
self.data=[adr&0xff, val&0xff];
self.writecmd(self.APP,0x02, 2, self.data);
return ord(self.data[0]);
- def pokebyte(self,adr,val,mem="data"):
- if mem!="data":
- print "FIXME: poking of non data bytes not yet supported.";
+ def pokebyte(self,adr,val,mem="xdata"):
self.CCpokedatabyte(adr,val);
def CCpokedatabyte(self,adr,val):
"""Write a byte to data memory."""
client.RF_idle();
client.config_simpliciti();
- client.pokebysym("MDMCFG4", 0x0c); #ultrawide
- client.pokebysym("FSCTRL1", 0x12); #IF of 457.031
- client.pokebysym("FSCTRL0", 0x00);
- client.pokebysym("FSCAL2" , 0x2A); #above mid
- client.pokebysym("MCSM0" , 0x00); # Main Radio Control State Machine
- client.pokebysym("FSCAL3" , 0xEA) # Frequency synthesizer calibration.
- client.pokebysym("FSCAL2" , 0x2A) # Frequency synthesizer calibration.
- client.pokebysym("FSCAL1" , 0x00) # Frequency synthesizer calibration.
- client.pokebysym("FSCAL0" , 0x1F) # Frequency synthesizer calibration.
-
- client.pokebysym("TEST2" , 0x88) # Various test settings.
- client.pokebysym("TEST1" , 0x35) # Various test settings.
- client.pokebysym("TEST0" , 0x09) # Various test settings.
-
- threshold=200;
+ threshold=100;
if len(sys.argv)>2:
client.RF_setfreq(eval(sys.argv[2]));
print "Listening on %f MHz." % (client.RF_getfreq()/10**6);
print "Jamming if RSSI>=%i" % threshold;
- #FIXME, ugly
+ client.pokebyte(0xFE00,threshold,"xdata"); #Write threshold to shellcode.
+ client.shellcodefile("reflex.ihx");
+ rssi=0;
+ while 1:
+ while(0==client.ishalted()):
+ rssi=0;
+ rssi=client.peek8(0xFE00,"xdata");
+ print "Activated jamming with RSSI of %i, going again for another packet." % rssi;
+ client.resume();
+
RFST=0xDFE1
client.CC_RFST_CAL(); #SCAL
time.sleep(1);
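Review bot: The added `while 1:` loop never exits, so the lines kept after it (`RFST=0xDFE1`, `client.CC_RFST_CAL()` and the old polling loop) are now unreachable and should be deleted, or the loop given a break condition. There is also no cleanup path: interrupting the script leaves the target running whatever `reflex.ihx` was doing, so wrapping the loop in `try: ... except KeyboardInterrupt: client.RF_idle();` would return the radio to idle on exit, assuming RF_idle can be issued while the shellcode is running, which is not shown here. The `rssi=0;` assignments before and inside the wait loop are redundant because `peek8` overwrites the value. The enclosing branch that selects this mode starts outside the hunk.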
maxrssi=0;
while 1:
-
client.CC_RFST_RX(); #SRX
rssi=client.RF_getrssi();
client.CC_RFST_IDLE(); #idle
client.config_simpliciti();
- threshold=200;
if len(sys.argv)>2:
client.RF_setfreq(eval(sys.argv[2]));
- print "Listening on %3.6f MHz." % (client.RF_getfreq()/10.0**6);
+ print "Listening on %f MHz." % (client.RF_getfreq()/10.0**6);
#FIXME, ugly
RFST=0xDFE1
--- /dev/null
+#include <cc1110.h>
+#include "cc1110-ext.h"
+
+char __xdata at 0xfe00 packet[256] ;
+
+void sleepMillis(int ms) {
+ int j;
+ while (--ms > 0) {
+ for (j=0; j<1200;j++); // about 1 millisecond
+ };
+}
+
+//! Reflexively jam on the present channel by responding to a signal with a carrier wave.
+void main(){
+ unsigned char threshold=packet[0], i=0, rssi=0;;
+
+
+ //Disable interrupts.
+ RFTXRXIE=0;
+
+ //idle a bit.
+ RFST=RFST_SIDLE;
+ while(MARCSTATE!=MARC_STATE_IDLE);
+
+ while(1){
+ //Wait for the transmission.
+ RFST=RFST_SRX;
+ rssi=0;
+ //Wait for RSSI to settle.
+ sleepMillis(10);
+ //Delay until the RSSI is above the threshold.
+ while(rssi<threshold){
+ rssi=RSSI^0x80;
+ packet[0]=rssi;
+ }
+
+ //idle a bit.
+ RFST=RFST_SIDLE;
+ while(MARCSTATE!=MARC_STATE_IDLE);
+
+
+ SYNC1=0xAA;
+ SYNC0=0xAA;
+
+ //Transmit carrier for 10ms
+ RFST=RFST_STX;
+ while(MARCSTATE!=MARC_STATE_TX);
+ sleepMillis(10);
+
+ //Carrier will clear when the loop continue,
+ //but we can HALT to give the host a chance to take over.
+ HALT;
+ }
+ RFST = RFST_SIDLE; //End transmit.
+
+ HALT;
+}
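Review bot: The carrier is still keyed when `HALT;` runs inside the loop, so the 10 ms in the comment is only a lower bound: the transmitter appears to stay in TX until the host resumes the CPU and the loop reaches `RFST=RFST_SRX;`, and indefinitely if the host has gone away. Ending the transmission before halting bounds the on-air time: `RFST=RFST_SIDLE; while(MARCSTATE!=MARC_STATE_IDLE);` placed just before the in-loop `HALT;`. The `RFST = RFST_SIDLE;` and second `HALT;` after `while(1)` are unreachable and can be removed. `sleepMillis` tests `--ms > 0`, which runs ms-1 iterations, and `rssi=RSSI^0x80;` deserves a comment saying it maps the (presumably signed) RSSI register onto an unsigned range for the threshold compare.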