From: travisutk
Date: Sat, 11 Dec 2010 01:26:10 +0000 (+0000)
Subject: Better reflex jamming, using shellcode on the target.
X-Git-Url: http://git.rot13.org/?p=goodfet;a=commitdiff_plain;h=1beb021ea684138082d1eadbfd30e0c404444203
Better reflex jamming, using shellcode on the target.
git-svn-id: https://svn.code.sf.net/p/goodfet/code/trunk@788 12e2690d-a6be-4b82-a7b7-67c4a43b65c8
---
diff --git a/client/GoodFETCC.py b/client/GoodFETCC.py
index 358bfc0..67c1be9 100644
--- a/client/GoodFETCC.py
+++ b/client/GoodFETCC.py
@@ -150,6 +150,8 @@ class GoodFETCC(GoodFET):
 #time.sleep(0.1);
 #print "Waiting for shell code to return.";
 return;
+ def ishalted(self):
+ return self.CCstatus()&0x20;
 def shellcode(self,code,wait=1):
 """Copy a block of code into RAM and execute it."""
 i=0;
@@ -224,15 +226,19 @@ class GoodFETCC(GoodFET):
 self.pokebysym("FREQ2" , 0x21) # Frequency control word, high byte.
 self.pokebysym("FREQ1" , 0x71) # Frequency control word, middle byte.
 self.pokebysym("FREQ0" , 0x7a) # Frequency control word, low byte.
- if band=="ismus" or band=="us":
+ elif band=="ismus" or band=="us":
 self.pokebysym("FREQ2" , 0x22) # Frequency control word, high byte.
 self.pokebysym("FREQ1" , 0xB1) # Frequency control word, middle byte.
 self.pokebysym("FREQ0" , 0x3B) # Frequency control word, low byte.
- if band=="ismlf" or band=="lf":
+ elif band=="ismlf" or band=="lf":
 self.pokebysym("FREQ2" , 0x10) # Frequency control word, high byte.
 self.pokebysym("FREQ1" , 0xB0) # Frequency control word, middle byte.
 self.pokebysym("FREQ0" , 0x71) # Frequency control word, low byte.
-
+ elif band=="none":
+ band="none";
+ else:
+ #Got a frequency, not a band.
+ self.RF_setfreq(eval(band));
 self.pokebysym("MDMCFG4" , 0x7B) # Modem configuration.
 self.pokebysym("MDMCFG3" , 0x83) # Modem configuration.
 self.pokebysym("MDMCFG2" , 0x13) # Modem configuration.
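Review bot: The new `ishalted` in the first hunk has no docstring and returns the raw masked status byte (0 or 0x20) rather than a boolean, which reads oddly for an `is…` predicate even though the `0==client.ishalted()` comparison in goodfet.cc still works with it. I would write it as `def ishalted(self):` / `"""Return True when the target CPU is halted (bit 0x20 of the CC debug status byte)."""` / `return bool(self.CCstatus()&0x20);`. The meaning of bit 0x20 is inferred from the method name only; confirm it against the debug STATUS bit definitions before stating it in the docstring. The enclosing class continues on both sides of this hunk.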
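Review bot: The new `else` branch in the second hunk passes the `band` string through `eval`, so any value that is not one of the named bands is executed as Python code in the client; the one caller visible here (goodfet.cc) already feeds `sys.argv[2]` through `eval`, and this adds a second path where a typo or a pasted argument runs arbitrary code. If the intent is only to accept a numeric frequency, `self.RF_setfreq(float(band));` does that and fails loudly on garbage; if arithmetic such as `915*10**6` must keep working, say so in the comment so the next reader does not "fix" it. The `elif band=="none": band="none";` arm is a no-op and would be clearer as `pass` with a comment like `# leave FREQ2..FREQ0 as they are`. `config_simpliciti` starts and ends outside this hunk.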
@@ -261,7 +267,7 @@ class GoodFETCC(GoodFET):
 self.pokebysym("PKTCTRL1" , 0x04) # Packet automation control, w/ lqi
 #self.pokebysym("PKTCTRL1" , 0x00) # Packet automation control. w/o lqi
 self.pokebysym("PKTCTRL0" , 0x05) # Packet automation control, w/ checksum.
- self.pokebysym("PKTCTRL0" , 0x00) # Packet automation control, w/o checksum, fixed length
+ #self.pokebysym("PKTCTRL0" , 0x00) # Packet automation control, w/o checksum, fixed length
 self.pokebysym("ADDR" , 0x01) # Device address.
 self.pokebysym("PKTLEN" , 0xFF) # Packet length.
@@ -565,9 +571,7 @@ class GoodFETCC(GoodFET):
 self.data=[adr&0xff, val&0xff];
 self.writecmd(self.APP,0x02, 2, self.data);
 return ord(self.data[0]);
- def pokebyte(self,adr,val,mem="data"):
- if mem!="data":
- print "FIXME: poking of non data bytes not yet supported.";
+ def pokebyte(self,adr,val,mem="xdata"):
 self.CCpokedatabyte(adr,val);
 def CCpokedatabyte(self,adr,val):
 """Write a byte to data memory."""
diff --git a/client/goodfet.cc b/client/goodfet.cc
index 696daf8..e8de384 100755
--- a/client/goodfet.cc
+++ b/client/goodfet.cc
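Review bot: Commenting out the second `PKTCTRL0` write in the first hunk leaves dead code behind, and because the later write previously won, this silently changes `config_simpliciti` for every caller, not only the reflex jammer (CRC on and variable length instead of no CRC and fixed length, going by the existing comments). Delete the commented line and record the decision on the surviving one, e.g. `self.pokebysym("PKTCTRL0" , 0x05) # Packet automation control, w/ checksum; the 0x00 override was removed on purpose.` `config_simpliciti` continues outside this hunk.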
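Review bot: The rewritten `pokebyte` in the second hunk accepts `mem` and then ignores it: every value, including the previous default `"data"`, is routed to `CCpokedatabyte`, and the FIXME message that used to flag unsupported memory spaces is gone. On an 8051-style target the data and xdata spaces are distinct, so a caller asking for `"data"` or `"code"` would now write somewhere other than what it asked for with no indication. Keep the guard and make it fail rather than warn: `if mem!="xdata": raise ValueError("pokebyte: only xdata is supported, got %r" % mem);` — accept `"data"` as an alias only if existing callers still pass it, none of which are visible here. The `CCpokedatabyte` docstring still says "data memory" while the new default says xdata; align the two once the space the firmware command actually targets is confirmed.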
@@ -130,35 +130,29 @@ if(sys.argv[1]=="reflex"): client.RF_idle(); client.config_simpliciti(); - client.pokebysym("MDMCFG4", 0x0c); #ultrawide - client.pokebysym("FSCTRL1", 0x12); #IF of 457.031 - client.pokebysym("FSCTRL0", 0x00); - client.pokebysym("FSCAL2" , 0x2A); #above mid - client.pokebysym("MCSM0" , 0x00); # Main Radio Control State Machine - client.pokebysym("FSCAL3" , 0xEA) # Frequency synthesizer calibration. - client.pokebysym("FSCAL2" , 0x2A) # Frequency synthesizer calibration. - client.pokebysym("FSCAL1" , 0x00) # Frequency synthesizer calibration. - client.pokebysym("FSCAL0" , 0x1F) # Frequency synthesizer calibration. - - client.pokebysym("TEST2" , 0x88) # Various test settings. - client.pokebysym("TEST1" , 0x35) # Various test settings. - client.pokebysym("TEST0" , 0x09) # Various test settings. - - threshold=200; + threshold=100; if len(sys.argv)>2: client.RF_setfreq(eval(sys.argv[2])); print "Listening on %f MHz." % (client.RF_getfreq()/10**6); print "Jamming if RSSI>=%i" % threshold; - #FIXME, ugly + client.pokebyte(0xFE00,threshold,"xdata"); #Write threshold to shellcode. + client.shellcodefile("reflex.ihx"); + rssi=0; + while 1: + while(0==client.ishalted()): + rssi=0; + rssi=client.peek8(0xFE00,"xdata"); + print "Activated jamming with RSSI of %i, going again for another packet." % rssi; + client.resume(); + RFST=0xDFE1 client.CC_RFST_CAL(); #SCAL time.sleep(1); maxrssi=0; while 1: - client.CC_RFST_RX(); #SRX rssi=client.RF_getrssi(); client.CC_RFST_IDLE(); #idle @@ -180,10 +174,9 @@ if(sys.argv[1]=="rssi"): client.config_simpliciti(); - threshold=200; if len(sys.argv)>2: client.RF_setfreq(eval(sys.argv[2])); - print "Listening on %3.6f MHz." % (client.RF_getfreq()/10.0**6); + print "Listening on %f MHz." % (client.RF_getfreq()/10.0**6); #FIXME, ugly RFST=0xDFE1 diff --git a/shellcode/chipcon/cc1110/Makefile b/shellcode/chipcon/cc1110/Makefile index a1e3e5f..12df0f3 100644 --- a/shellcode/chipcon/cc1110/Makefile 
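Review bot: The new `while 1:` loop in the reflex branch has no `break`, so everything after `client.resume()` — `RFST=0xDFE1`, `client.CC_RFST_CAL()`, `time.sleep(1)`, `maxrssi=0` and the old RSSI polling loop that this hunk still edits by dropping `CC_RFST_RX()` — is unreachable and should be deleted rather than left as a second, dead implementation of the jammer. The inner `while(0==client.ishalted()): rssi=0;` busy-polls the debug interface as fast as the serial link allows; a `time.sleep(0.01)` in that loop keeps the host from hammering the GoodFET without noticeably delaying the report. Note also that `CCpokedatabyte` masks the value with `&0xff`, so a threshold above 255 written via `client.pokebyte(0xFE00,threshold,"xdata")` would be silently truncated — harmless at 100, but worth a comment if the threshold ever becomes a command-line argument. The `if(sys.argv[1]=="reflex"):` branch continues past the end of the hunk.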
+++ b/shellcode/chipcon/cc1110/Makefile @@ -8,7 +8,7 @@ # Use lower RAM if needed. CC=sdcc --code-loc 0xF000 -objs=crystal.ihx txpacket.ihx rxpacket.ihx txrxpacket.ihx +objs=crystal.ihx txpacket.ihx rxpacket.ihx txrxpacket.ihx reflex.ihx all: $(objs) diff --git a/shellcode/chipcon/cc1110/reflex.c b/shellcode/chipcon/cc1110/reflex.c new file mode 100644 index 0000000..6bfec59 --- /dev/null +++ b/shellcode/chipcon/cc1110/reflex.c @@ -0,0 +1,57 @@ +#include +#include "cc1110-ext.h" + +char __xdata at 0xfe00 packet[256] ; + +void sleepMillis(int ms) { + int j; + while (--ms > 0) { + for (j=0; j<1200;j++); // about 1 millisecond + }; +} + +//! Reflexively jam on the present channel by responding to a signal with a carrier wave. +void main(){ + unsigned char threshold=packet[0], i=0, rssi=0;; + + + //Disable interrupts. + RFTXRXIE=0; + + //idle a bit. + RFST=RFST_SIDLE; + while(MARCSTATE!=MARC_STATE_IDLE); + + while(1){ + //Wait for the transmission. + RFST=RFST_SRX; + rssi=0; + //Wait for RSSI to settle. + sleepMillis(10); + //Delay until the RSSI is above the threshold. + while(rssi