Better reflex jamming, using shellcode on the target.
authortravisutk <travisutk@12e2690d-a6be-4b82-a7b7-67c4a43b65c8>
Sat, 11 Dec 2010 01:26:10 +0000 (01:26 +0000)
committertravisutk <travisutk@12e2690d-a6be-4b82-a7b7-67c4a43b65c8>
Sat, 11 Dec 2010 01:26:10 +0000 (01:26 +0000)
git-svn-id: https://svn.code.sf.net/p/goodfet/code/trunk@788 12e2690d-a6be-4b82-a7b7-67c4a43b65c8

client/GoodFETCC.py
client/goodfet.cc
shellcode/chipcon/cc1110/Makefile
shellcode/chipcon/cc1110/reflex.c [new file with mode: 0644]

index 358bfc0..67c1be9 100644 (file)
@@ -150,6 +150,8 @@ class GoodFETCC(GoodFET):
             #time.sleep(0.1);
             #print "Waiting for shell code to return.";
         return;
             #time.sleep(0.1);
             #print "Waiting for shell code to return.";
         return;
+    def ishalted(self):
+        return self.CCstatus()&0x20;
     def shellcode(self,code,wait=1):
         """Copy a block of code into RAM and execute it."""
         i=0;
     def shellcode(self,code,wait=1):
         """Copy a block of code into RAM and execute it."""
         i=0;
@@ -224,15 +226,19 @@ class GoodFETCC(GoodFET):
             self.pokebysym("FREQ2"    , 0x21)   # Frequency control word, high byte.
             self.pokebysym("FREQ1"    , 0x71)   # Frequency control word, middle byte.
             self.pokebysym("FREQ0"    , 0x7a)   # Frequency control word, low byte.
             self.pokebysym("FREQ2"    , 0x21)   # Frequency control word, high byte.
             self.pokebysym("FREQ1"    , 0x71)   # Frequency control word, middle byte.
             self.pokebysym("FREQ0"    , 0x7a)   # Frequency control word, low byte.
-        if band=="ismus" or band=="us":
+        elif band=="ismus" or band=="us":
             self.pokebysym("FREQ2"    , 0x22)   # Frequency control word, high byte.
             self.pokebysym("FREQ1"    , 0xB1)   # Frequency control word, middle byte.
             self.pokebysym("FREQ0"    , 0x3B)   # Frequency control word, low byte.
             self.pokebysym("FREQ2"    , 0x22)   # Frequency control word, high byte.
             self.pokebysym("FREQ1"    , 0xB1)   # Frequency control word, middle byte.
             self.pokebysym("FREQ0"    , 0x3B)   # Frequency control word, low byte.
-        if band=="ismlf" or band=="lf":
+        elif band=="ismlf" or band=="lf":
             self.pokebysym("FREQ2"    , 0x10)   # Frequency control word, high byte.
             self.pokebysym("FREQ1"    , 0xB0)   # Frequency control word, middle byte.
             self.pokebysym("FREQ0"    , 0x71)   # Frequency control word, low byte.
             self.pokebysym("FREQ2"    , 0x10)   # Frequency control word, high byte.
             self.pokebysym("FREQ1"    , 0xB0)   # Frequency control word, middle byte.
             self.pokebysym("FREQ0"    , 0x71)   # Frequency control word, low byte.
-        
+        elif band=="none":
+            band="none";
+        else:
+            #Got a frequency, not a band.
+            self.RF_setfreq(eval(band));
         self.pokebysym("MDMCFG4"  , 0x7B)   # Modem configuration.
         self.pokebysym("MDMCFG3"  , 0x83)   # Modem configuration.
         self.pokebysym("MDMCFG2"  , 0x13)   # Modem configuration.
         self.pokebysym("MDMCFG4"  , 0x7B)   # Modem configuration.
         self.pokebysym("MDMCFG3"  , 0x83)   # Modem configuration.
         self.pokebysym("MDMCFG2"  , 0x13)   # Modem configuration.
@@ -261,7 +267,7 @@ class GoodFETCC(GoodFET):
         self.pokebysym("PKTCTRL1" , 0x04)   # Packet automation control, w/ lqi
         #self.pokebysym("PKTCTRL1" , 0x00)   # Packet automation control. w/o lqi
         self.pokebysym("PKTCTRL0" , 0x05)   # Packet automation control, w/ checksum.
         self.pokebysym("PKTCTRL1" , 0x04)   # Packet automation control, w/ lqi
         #self.pokebysym("PKTCTRL1" , 0x00)   # Packet automation control. w/o lqi
         self.pokebysym("PKTCTRL0" , 0x05)   # Packet automation control, w/ checksum.
-        self.pokebysym("PKTCTRL0" , 0x00)   # Packet automation control, w/o checksum, fixed length
+        #self.pokebysym("PKTCTRL0" , 0x00)   # Packet automation control, w/o checksum, fixed length
         self.pokebysym("ADDR"     , 0x01)   # Device address.
         self.pokebysym("PKTLEN"   , 0xFF)   # Packet length.
         
         self.pokebysym("ADDR"     , 0x01)   # Device address.
         self.pokebysym("PKTLEN"   , 0xFF)   # Packet length.
         
@@ -565,9 +571,7 @@ class GoodFETCC(GoodFET):
         self.data=[adr&0xff, val&0xff];
         self.writecmd(self.APP,0x02, 2, self.data);
         return ord(self.data[0]);
         self.data=[adr&0xff, val&0xff];
         self.writecmd(self.APP,0x02, 2, self.data);
         return ord(self.data[0]);
-    def pokebyte(self,adr,val,mem="data"):
-        if mem!="data":
-            print "FIXME: poking of non data bytes not yet supported.";
+    def pokebyte(self,adr,val,mem="xdata"):
         self.CCpokedatabyte(adr,val);
     def CCpokedatabyte(self,adr,val):
         """Write a byte to data memory."""
         self.CCpokedatabyte(adr,val);
     def CCpokedatabyte(self,adr,val):
         """Write a byte to data memory."""
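Review bot: `self.RF_setfreq(eval(band));` in the new `else` branch of the band hunk evaluates whatever string the caller hands in as Python code, when the only input that branch is meant to accept is a numeric frequency; `self.RF_setfreq(float(band))` gives the same result for decimal and exponent literals without executing arbitrary text, and would fail loudly on anything else. The `elif band=="none": band="none";` branch is a no-op that reads more clearly as `pass  # leave FREQx as configured`. In the `pokebyte` hunk the `mem` argument is now kept but never consulted, so a caller passing `"data"` silently gets an xdata write; a one-line docstring such as `"""Write a byte; only xdata is supported, mem is ignored."""` would make that contract explicit. The methods these hunks change begin outside the hunks.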
index 696daf8..e8de384 100755 (executable)
@@ -130,35 +130,29 @@ if(sys.argv[1]=="reflex"):
     client.RF_idle();
     
     client.config_simpliciti();
     client.RF_idle();
     
     client.config_simpliciti();
-    client.pokebysym("MDMCFG4",   0x0c);  #ultrawide
-    client.pokebysym("FSCTRL1",   0x12);  #IF of 457.031
-    client.pokebysym("FSCTRL0",   0x00); 
-    client.pokebysym("FSCAL2" ,   0x2A);  #above mid
-    client.pokebysym("MCSM0"  ,   0x00);  # Main Radio Control State Machine
     
     
-    client.pokebysym("FSCAL3"   , 0xEA)   # Frequency synthesizer calibration.
-    client.pokebysym("FSCAL2"   , 0x2A)   # Frequency synthesizer calibration.
-    client.pokebysym("FSCAL1"   , 0x00)   # Frequency synthesizer calibration.
-    client.pokebysym("FSCAL0"   , 0x1F)   # Frequency synthesizer calibration.
-        
-    client.pokebysym("TEST2"    , 0x88)   # Various test settings.
-    client.pokebysym("TEST1"    , 0x35)   # Various test settings.
-    client.pokebysym("TEST0"    , 0x09)   # Various test settings.
-    
-    threshold=200;
+    threshold=100;
     if len(sys.argv)>2:
         client.RF_setfreq(eval(sys.argv[2]));
     print "Listening on %f MHz." % (client.RF_getfreq()/10**6);
     print "Jamming if RSSI>=%i" % threshold;
     
     if len(sys.argv)>2:
         client.RF_setfreq(eval(sys.argv[2]));
     print "Listening on %f MHz." % (client.RF_getfreq()/10**6);
     print "Jamming if RSSI>=%i" % threshold;
     
-    #FIXME, ugly
+    client.pokebyte(0xFE00,threshold,"xdata"); #Write threshold to shellcode.
+    client.shellcodefile("reflex.ihx");
+    rssi=0;
+    while 1:
+        while(0==client.ishalted()):
+            rssi=0;
+        rssi=client.peek8(0xFE00,"xdata");
+        print "Activated jamming with RSSI of %i, going again for another packet." % rssi;
+        client.resume();
+    
     RFST=0xDFE1
     client.CC_RFST_CAL(); #SCAL
     time.sleep(1);
     
     maxrssi=0;
     while 1:
     RFST=0xDFE1
     client.CC_RFST_CAL(); #SCAL
     time.sleep(1);
     
     maxrssi=0;
     while 1:
-        
         client.CC_RFST_RX(); #SRX
         rssi=client.RF_getrssi();
         client.CC_RFST_IDLE(); #idle
         client.CC_RFST_RX(); #SRX
         rssi=client.RF_getrssi();
         client.CC_RFST_IDLE(); #idle
@@ -180,10 +174,9 @@ if(sys.argv[1]=="rssi"):
     
     client.config_simpliciti();
     
     
     client.config_simpliciti();
     
-    threshold=200;
     if len(sys.argv)>2:
         client.RF_setfreq(eval(sys.argv[2]));
     if len(sys.argv)>2:
         client.RF_setfreq(eval(sys.argv[2]));
-    print "Listening on %3.6f MHz." % (client.RF_getfreq()/10.0**6);
+    print "Listening on %f MHz." % (client.RF_getfreq()/10.0**6);
         
     #FIXME, ugly
     RFST=0xDFE1
         
     #FIXME, ugly
     RFST=0xDFE1
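Review bot: Everything after the new `while 1:` loop in the `reflex` branch — `RFST=0xDFE1`, `client.CC_RFST_CAL()`, the `time.sleep(1)` and the `maxrssi` polling loop — is now unreachable, since the loop has no `break`; either delete that tail or mark it with a comment saying it is the old host-side path kept for reference. The inner `while(0==client.ishalted()): rssi=0;` polls the debug link as fast as it can; a `time.sleep(0.01)` in the body (`time` is already used in this file) would cut bus traffic without changing what the loop decides. The literal `0xFE00` appears in both the `pokebyte` and `peek8` calls and mirrors the buffer address in reflex.c, so hoisting it into a named constant next to `threshold` would keep the two sides in step. The branch body continues past the end of the hunk.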
index a1e3e5f..12df0f3 100644 (file)
@@ -8,7 +8,7 @@
 # Use lower RAM if needed.
 
 CC=sdcc --code-loc 0xF000 
 # Use lower RAM if needed.
 
 CC=sdcc --code-loc 0xF000 
-objs=crystal.ihx txpacket.ihx rxpacket.ihx txrxpacket.ihx
+objs=crystal.ihx txpacket.ihx rxpacket.ihx txrxpacket.ihx reflex.ihx
 
 all: $(objs)
 
 
 all: $(objs)
 
diff --git a/shellcode/chipcon/cc1110/reflex.c b/shellcode/chipcon/cc1110/reflex.c
new file mode 100644 (file)
index 0000000..6bfec59
--- /dev/null
@@ -0,0 +1,57 @@
+#include <cc1110.h>
+#include "cc1110-ext.h"
+
+char __xdata at 0xfe00 packet[256] ;
+
+void sleepMillis(int ms) {
+       int j;
+       while (--ms > 0) { 
+               for (j=0; j<1200;j++); // about 1 millisecond
+       };
+}
+
+//! Reflexively jam on the present channel by responding to a signal with a carrier wave.
+void main(){
+  unsigned char threshold=packet[0], i=0, rssi=0;;
+  
+  
+  //Disable interrupts.
+  RFTXRXIE=0;
+  
+  //idle a bit.
+  RFST=RFST_SIDLE;
+  while(MARCSTATE!=MARC_STATE_IDLE);
+
+  while(1){
+    //Wait for the transmission.
+    RFST=RFST_SRX;
+    rssi=0;
+    //Wait for RSSI to settle.
+    sleepMillis(10);
+    //Delay until the RSSI is above the threshold.
+    while(rssi<threshold){
+      rssi=RSSI^0x80;
+      packet[0]=rssi;
+    }
+    
+    //idle a bit.
+    RFST=RFST_SIDLE;
+    while(MARCSTATE!=MARC_STATE_IDLE);
+    
+    
+    SYNC1=0xAA;
+    SYNC0=0xAA;
+    
+    //Transmit carrier for 10ms
+    RFST=RFST_STX;
+    while(MARCSTATE!=MARC_STATE_TX);
+    sleepMillis(10);
+    
+    //Carrier will clear when the loop continue,
+    //but we can HALT to give the host a chance to take over.
+    HALT;
+  }  
+  RFST = RFST_SIDLE; //End transmit.
+  
+  HALT;
+}
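Review bot: `sleepMillis` executes its body `ms-1` times because of the pre-decrement in `while (--ms > 0)`, so `sleepMillis(10)` is nine passes and `sleepMillis(1)` returns immediately; if the name is meant literally the test should be `while (ms-- > 0)`, otherwise the comment above the loop should say the delay is approximate and one tick short. In `main`, `i` is declared and never used and the declaration line ends in `;;`. The `//Disable interrupts.` comment overstates what `RFTXRXIE=0;` does — it appears to mask only the RF TX/RX interrupt, not the global enable — so `//Mask the RFTXRX interrupt.` would describe the line accurately. The two statements after `while(1)` are unreachable; either remove them or add a comment that they document the intended shutdown sequence, so a reader does not look for the exit path.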