From d275b26024122967b01e4a6cfb02e53ab7c1371b Mon Sep 17 00:00:00 2001
From: travisutk
Date: Thu, 9 Dec 2010 22:49:56 +0000
Subject: [PATCH] Packet sniffing kinda works. Need more regular transmitter to test.

git-svn-id: https://svn.code.sf.net/p/goodfet/code/trunk@784 12e2690d-a6be-4b82-a7b7-67c4a43b65c8
---
 client/GoodFET.py | 8 +++++-
 client/GoodFETCC.py | 60 +++++++++++++++++++++++++++++++++------------
 client/goodfet.cc | 26 +++++++-------------
 3 files changed, 61 insertions(+), 33 deletions(-)

diff --git a/client/GoodFET.py b/client/GoodFET.py
index 4c6e3ed..98c2494 100755
--- a/client/GoodFET.py
+++ b/client/GoodFET.py
@@ -382,7 +382,7 @@ class GoodFET:
 #TODO include memory in symbol.
 reg=self.symbols.get(name);
 return self.pokebyte(reg,val);
- def pokebyte(self,address,value):
+ def pokebyte(self,address,value,memory="vn"):
 """Set a byte of memory by the monitor."""
 self.data=[address&0xff,address>>8,value];
 self.writecmd(0,0x03,3,self.data);
@@ -544,6 +544,12 @@ class GoodFET:
 for foo in range(0,length):
 data[foo]=self.peek8(address+foo,memory);
 return data;
+ def pokeblock(self,address,bytes,memory="vn"):
+ """Poke a block of a data into memory at an address."""
+ for foo in bytes:
+ self.pokebyte(address,foo,memory);
+ address=address+1;
+ return;
 def loadsymbols(self):
 """Load symbols from a file."""
 return;
diff --git a/client/GoodFETCC.py b/client/GoodFETCC.py
index 3fe5870..23e6fca 100644
--- a/client/GoodFETCC.py
+++ b/client/GoodFETCC.py
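Review bot: The new `memory="vn"` parameter on pokebyte is never read; the body still issues `self.writecmd(0,0x03,3,self.data)` for every memory space, so a caller asking for "data" memory gets a write to whatever space command 0x03 targets, with no error. Since pokeblock in the next hunk forwards its own `memory` argument here, that mismatch will surface as missing or misplaced writes rather than a failure. If subclasses are expected to dispatch on it (GoodFETCC.peek8 does exactly that for reads), say so in the docstring, e.g. `"""Set a byte of memory by the monitor. memory is ignored in the base class; subclasses dispatch on it."""`, or reject anything other than the default until the base implementation honours it.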
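Review bot: pokeblock names its parameter `bytes`, which shadows the builtin for the whole method body, and its docstring reads "a block of a data". The argument is any iterable of byte values, so `data`, matching the local that the sibling peekblock returns, would be clearer; renaming is harmless for positional callers but would break a keyword call, so if the name must stay at least fix the docstring to `"""Poke a block of data into memory starting at address."""`. The method produces no value, so the trailing `return;` can be dropped as well.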
@@ -114,7 +114,29 @@ class GoodFETCC(GoodFET):
 hz=freq*396.728515625;
 return hz;
-
+ def shellcodefile(self,filename,wait=1):
+ """Run a fragment of shellcode by name."""
+ #FIXME: should identify chip model number, use shellcode for that chip.
+ file=__file__;
+ file=file.replace("GoodFETCC.pyc","GoodFETCC.py");
+ path=file.replace("client/GoodFETCC.py","shellcode/chipcon/cc1110/");
+ #print "File\t%s" % file;
+ #print "Path\t%s" % path;
+ filename=path+filename;
+ #print "Loading shelcode from %s" % filename;
+
+ #Load the shellcode.
+ h=IntelHex(filename);
+ for i in h._buf.keys():
+ self.CCpokedatabyte(i,h[i]);
+
+ #Execute it.
+ self.CCdebuginstr([0x02, 0xf0, 0x00]); #ljmp 0xF000
+ self.resume();
+ while wait>0 and (0==self.CCstatus()&0x20):
+ time.sleep(0.1);
+ #print "Waiting for shell code to return.";
+ return;
 def shellcode(self,code,wait=1):
 """Copy a block of code into RAM and execute it."""
 i=0;
@@ -143,6 +165,9 @@ class GoodFETCC(GoodFET):
 0xA5, #HALT
 ];
 self.shellcode(code);
+
+ #Slower to load, but produced from C.
+ #self.shellcodefile("crystal.ihx");
 return;
 def RF_idle(self):
 """Move the radio to its idle state."""
@@ -199,7 +224,10 @@ class GoodFETCC(GoodFET):
 self.pokebysym("MDMCFG2" , 0x13) # Modem configuration.
 self.pokebysym("MDMCFG1" , 0x22) # Modem configuration.
 self.pokebysym("MDMCFG0" , 0xF8) # Modem configuration.
- self.pokebysym("CHANNR" , 0x00) # Channel number.
+ if band=="ismus" or band=="us":
+ self.pokebysym("CHANNR" , 0); # 20) # Channel number.
+ else:
+ self.pokebysym("CHANNR" , 0x00) # Channel number.
 self.pokebysym("DEVIATN" , 0x42) # Modem deviation setting (when FSK modulation is enabled).
 self.pokebysym("FREND1" , 0xB6) # Front end RX configuration.
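Review bot: The wait loop at the end of shellcodefile, `while wait>0 and (0==self.CCstatus()&0x20):`, never changes `wait`, so if the shellcode never sets status bit 0x20 the client spins forever; `wait` behaves as a boolean although its name suggests a duration. A bounded form is `deadline=time.time()+wait;` / `while time.time()<deadline and (0==self.CCstatus()&0x20):` / `time.sleep(0.1);`, with the timeout reported to the caller so RF_rxpacket can tell a stalled shellcode from a finished one. The shellcode location is derived by string-replacing `__file__`, which only works while the module is loaded as `client/GoodFETCC.py` from the source tree; from any other location `path` equals the module path itself and `IntelHex(filename)` opens the wrong file or fails, so that assumption deserves a comment or an `os.path`-based lookup. `h._buf.keys()` reaches into an IntelHex private attribute; `h.addresses()` is the public way to enumerate the loaded addresses if the installed version provides it.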
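Review bot: The new band test in config_simpliciti writes CHANNR to zero in both branches (`0` and `0x00`), so `if band=="ismus" or band=="us":` currently changes nothing, and the `; # 20)` fragment on the first branch reads like an abandoned edit. Either leave the branch out until the US channel actually differs, or state the intent on one line, e.g. `self.pokebysym("CHANNR" , 0x00) # Channel number; US/ISM band uses the same channel for now (TODO: 20?)`. The function header and the origin of `band` are outside this hunk.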
@@ -217,12 +245,13 @@ class GoodFETCC(GoodFET):
 self.pokebysym("TEST0" , 0x09) # Various test settings.
 #self.pokebysym("PA_TABLE0", 0xC0) # PA output power setting.
 self.pokebysym("PKTCTRL1" , 0x04) # Packet automation control.
- self.pokebysym("PKTCTRL0" , 0x05) # Packet automation control.
+ #self.pokebysym("PKTCTRL0" , 0x05) # Packet automation control, w/ checksum.
+ self.pokebysym("PKTCTRL0" , 0x01) # Packet automation control, w/o checksum.
 self.pokebysym("ADDR" , 0x00) # Device address.
 self.pokebysym("PKTLEN" , 0xFF) # Packet length.
- self.pokebysym("SYNC1",0xAA);
- self.pokebysym("SYNC0",0xAA);
+ self.pokebysym("SYNC1",0x04);
+ self.pokebysym("SYNC0",0x05);
 def RF_carrier(self):
 """Hold a carrier wave on the present frequency."""
@@ -317,11 +346,12 @@ class GoodFETCC(GoodFET):
 """Get a packet from the radio. Returns None if none is waiting."""
 RFST=0xDFE1
 self.pokebyte(RFST,0x01); #SCAL
- self.pokebyte(RFST,0x02); #SRX
+ #self.pokebyte(RFST,0x02); #SRX
- print "Packet reception isn't working yet. Returning [RSSI].";
- time.sleep(0.1);
- return [chr(self.RF_getrssi())];
+ self.shellcodefile("rxpacket.ihx");
+ #time.sleep(1);
+ self.halt();
+ return self.peekblock(0xFE00,32,"data");
 def RF_txpacket(self,payload):
 """Transmit a packet. Untested."""
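Review bot: PKTCTRL0 moves to 0x01 (checksum off, per the new comment) and the sync word moves from 0xAAAA to 0x0405, but neither new constant says where it comes from or which transmitter it is meant to match. With the CRC check disabled, any byte stream that happens to match the sync word is delivered as a packet, so whatever consumes RF_rxpacket's output is now reading unvalidated data; that is acceptable for a sniffer but should be stated where the packets are handed back. Suggest `self.pokebysym("SYNC1",0x04); # Sync word, high byte (source of 0x0405: TODO document)` and the matching comment on SYNC0, plus a sentence in RF_rxpacket's docstring that payloads arrive without CRC filtering.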
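Review bot: RF_rxpacket's docstring still promises "Returns None if none is waiting", but the new body unconditionally returns `self.peekblock(0xFE00,32,"data")`, a fixed 32-byte window of RAM that will hold stale bytes from an earlier packet, or nothing meaningful, whenever the shellcode captured nothing, and the caller gets no length to separate payload from leftovers. Either update the docstring to what is actually returned, e.g. `"""Run the rxpacket shellcode and return the 32 bytes at 0xFE00 in data memory, whether or not a new packet arrived."""`, or check the status bit that shellcodefile waits on and return None when it never completed. Whether the shellcode stores a length byte first is not visible here; if it does, slicing the block to that length would make the result honest.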
@@ -502,12 +532,12 @@ class GoodFETCC(GoodFET):
 def CCdebuginstr(self,instr):
 self.writecmd(self.APP,0x88,len(instr),instr);
 return ord(self.data[0]);
- def peekblock(self,adr,length,memory="vn"):
- """Return a block of data."""
- data=[adr&0xff, (adr&0xff00)>>8,
- length&0xFF,(length&0xFF00)>>8];
- self.writecmd(self.APP,0x91,4,data);
- return [ord(x) for x in self.data]
+ #def peekblock(self,adr,length,memory="vn"):
+ # """Return a block of data, broken"""
+ # data=[adr&0xff, (adr&0xff00)>>8,
+ # length&0xFF,(length&0xFF00)>>8];
+ # self.writecmd(self.APP,0x91,4,data);
+ # return [ord(x) for x in self.data]
 def peek8(self,address, memory="code"):
 if(memory=="code" or memory=="flash" or memory=="vn"):
 return self.CCpeekcodebyte(address);
diff --git a/client/goodfet.cc b/client/goodfet.cc
index 48729fc..9f0b353 100755
--- a/client/goodfet.cc
+++ b/client/goodfet.cc
@@ -16,10 +16,11 @@ from intelhex import IntelHex;
 def printpacket(packet):
 s="";
 i=0;
+ #print "Printing packet."
 for foo in packet:
 i=i+1;
 #if i>client.packetlen: break;
- s="%s %02x" % (s,ord(foo));
+ s="%s %02x" % (s,foo);
 print "%s" %s;
 if(len(sys.argv)==1):
@@ -126,7 +127,7 @@ if(sys.argv[1]=="rssi"):
 threshold=200;
 if len(sys.argv)>2:
 client.RF_setfreq(eval(sys.argv[2]));
- print "Listening on %f MHz." % (client.RF_getfreq()/10**6);
+ print "Listening on %3.6f MHz." % (client.RF_getfreq()/10.0**6);
 #FIXME, ugly
 RFST=0xDFE1
@@ -145,13 +146,14 @@ if(sys.argv[1]=="rssi"):
 if(sys.argv[1]=="sniffsimpliciti"):
 #TODO remove all poke() calls.
+ region="us";
+ if len(sys.argv)>2:
+ region=sys.argv[2];
 client.CC1110_crystal();
 client.RF_idle();
-
- client.config_simpliciti("lf");
- #client.RF_setfreq(2481 * 10**6);
+ client.config_simpliciti(region);
 #OpenBeacon defines these in little endian as follows.
 #client.RF_setmaclen(5); # SETUP_AW for 5-byte addresses.
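Review bot: The peekblock override is commented out rather than removed; version control already keeps it, and a six-line commented block marked "broken" next to peek8 is noise for the next reader. Removing it also makes the fallback visible: without the override GoodFETCC inherits GoodFET.peekblock, which fetches one byte per peek8 call, so RF_rxpacket's 32-byte read is now 32 round trips to the device. If the 0x91 command is meant to come back, a single `#TODO: restore a block read via APP command 0x91 once the firmware side works.` carries the same information.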
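Review bot: Dropping `ord(foo)` makes printpacket require a sequence of ints; a caller that still hands it a str, as RF_rxpacket did before this commit, now fails with TypeError inside the `%02x` format. If both shapes can still reach it, normalise once at the top with `if isinstance(packet,str): packet=[ord(c) for c in packet]`. The loop also grows `s` by repeated concatenation and keeps a counter `i` that is only used by a commented-out line; `print " ".join("%02x" % b for b in packet)` does the same job (minus the leading space) in one line. printpacket starts inside this hunk, and the `if(len(sys.argv)==1):` that follows is the script's top level.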
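Review bot: `region=sys.argv[2]` is passed straight to `client.config_simpliciti(region)` without any check; the config_simpliciti hunk in GoodFETCC.py only distinguishes `"ismus"`/`"us"` from everything else, so a typo such as `usa` silently selects the non-US branch instead of reporting the mistake. Validate before use, e.g. `if region not in ("us","ismus","lf"): print "Unknown region %s" % region; sys.exit(1);`, ideally with the accepted names exported from GoodFETCC rather than duplicated in the script (`"lf"` is listed only because it was the value passed before this commit; whether config_simpliciti treats it specially is not visible here). The new default of `"us"` replaces the previous `"lf"`, which is worth a line in the command's usage text.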
@@ -164,8 +166,8 @@ if(sys.argv[1]=="sniffsimpliciti"):
 #client.RF_setpacketlen(16);
- print "Listening as %010x on %i MHz" % (client.RF_getsmac(),
- client.RF_getfreq()/10**6);
+ print "Listening as %x on %f MHz" % (client.RF_getsmac(),
+ client.RF_getfreq()/10.0**6);
 #Now we're ready to get packets.
 while 1:
 packet=None;
@@ -177,16 +179,6 @@ if(sys.argv[1]=="sniffsimpliciti"):
-if(sys.argv[1]=="explore"):
- print "Exploring undefined commands."
- print "Status: %s" %client.status();
-
- cmd=0x04; #read status
- for foo in range(0,0x5):
- client.CCcmd([(0x0F<<3)|(0x00)|0x03,0x09<<3]);
- print "Status %02x: %s" % (foo,client.status());
- for foo in range(0,3):
- print "PC: %04x" % client.CCgetPC();
 if(sys.argv[1]=="term"):
 GoodFETConsole(client).run();
 if(sys.argv[1]=="test"):
-- 
2.20.1