Zigbee sniffing

I bought Attify's IoT Exploit lerning kit.
Since that was soooo fun, I want to show you some.

Zigbee sniffing with APImote

Zigbee is a global standard for wireless technology which supports low cost, highly reliable networks for device-to-device
communication.

In the lerning kit, APImote enables to monitor zigbee packets.
Following tools are used for hands-on demo.

All of these tools are included in the IoT Exploit learning kit.
(Since I bought this kit in beginning of 2019, contents may be changed.)

And also we can use VM image that required tools are installed.
https://github.com/adi0x90/attifyos

Upload code to Arduino Nano

Let's upload code to Arduino Nano with Arduino IDE.

It just sending text and counting up value.
#include 
int a=0;
SoftwareSerial mySerial(2,3); //RX, TX

void setup(){
	Serial.begin(2400); //baudrate: 2400bps
}

void loop(){
	Serial.println("Hello!!!");
	Serial.println(a);
	a++;
}


For just in case, check if it can build.
Sketch -> Verify/Compile

Then upload code to Arduino Nano.
Sketch -> Upload

If it failed to upload code, you should check the followings.
・Is board selected "Arduino Nano"?
・Port is correct?
・Does it work Get Board Info?

・Tools -> Get Board Info
It shows like this.
BN: Unknown board
VID: 1A86
PID: 7523
SN: Upload any sketch to obtain it

and also you may need to add user to dialout group for accessing serial port. 
$sudo usermod -a -G dialout <username>

Set up XBee

XBee is a wireless module which supports Zigbee.
Configure XBee by XCTU.
Important setting in this experiment is
CH : channel. This controls the frequency band that your XBee communicates over.
Interface Data Rate: baud rate. need to set same value with uploaded code to Arduino Nano.

Configuring Networks
https://learn.sparkfun.com/tutorials/exploring-xbees-and-xctu/configuring-networks

Capturing packets with APImote

Now let's start up gadgets.

Checking as if APImote being detected.
➜  tools git:(master) ✗ sudo python ./zbid
[sudo] password for oit: 
           Dev Product String       Serial Number
  /dev/ttyUSB0 GoodFET Api-Mote v2

Identifying the channel. It seem to be 16. It is matched which was set on XCTU (0x10).
➜  tools git:(master) ✗ sudo python ./zbstumbler -v
zbstumbler: Transmitting and receiving on interface '/dev/ttyUSB0'
Setting channel to 11.
Transmitting beacon request.
Setting channel to 12.
Transmitting beacon request.
Setting channel to 13.
Transmitting beacon request.
Setting channel to 14.
Transmitting beacon request.
Setting channel to 15.
Transmitting beacon request.
Setting channel to 16.
Transmitting beacon request.
# DEBUG Clearing overflow
Received frame.
Received frame is not a beacon (FCF=4188).
Received frame.
Received frame is not a beacon (FCF=4188).
Setting channel to 17.
Transmitting beacon request.
Setting channel to 18.
Transmitting beacon request.

Now starting capture. 
➜  tools git:(master) ✗ sudo zbwireshark -c 16


Strings and counting up values could be observed like this.



Comments

Post a Comment

Popular posts from this blog

Firmware dumping via SPI

Image
I tried firmware dumping via SPI with Attify badge and Attify OS. Target camera is this one.. This camera seems to be famous among the IoT hackers. You would find many IoT hacking blogs about this camera. After the preview, I have extracted board. This time, I'd like to focus on Flash memory. It looks mxic mx25l12835f. From model number, we can find data-sheet. MX25L12835F . Now, let's connect flash memory pin and Attify Badge. Attify badge pin layout is.. D0 : SCK D1 : MISO  D2 : MOSI  D3 : CS  I have connected flash memory and Attify badge like this. D0 - SCLK(6) D1 - SI(5)  D2 - SO(2)  D3 - CS(1)  GND - GND(4)  3.3V - VCC(8)  3.3V - RESET(7)  3.3V - WP(3)  We dont need to connect power plug to camera. It is supplied via badge. For testing, trying spiflash.py and -i parameter. According to the python code, it returns ChipID. This command can be used for connectivity tesingt. "00 00 00" or "FF FF FF" seem to mean fai
Read more

BochsでMBR debugging

Image
今回は前回取り出したPetyaに書き換えられてしまったMBRをBochsで動かしてみよう。 https://ja.wikipedia.org/wiki/Bochs Bochsはここから入手できる。 http://bochs.sourceforge.net/getcurrent.html Bochsも前に出てきたVMware同様PCエミュレータなのだけど、 こいつはMBRのdebugができてしまうんだ。 OSが起動するより前のコードを追えるってわけだね。 そりゃ面白そうだ~笑 キモは設定ファイルの書き方くらいかなと。 サンプルの設定ファイルがあるのでチェックしてみて。 Bochs-2.6.9\bochsrc-sample.txt   多分もっとシンプルにもできるんだと思うんだけど、、 筆者のはこんな感じ。 romimage: file=$BXSHARE/BIOS-bochs-latest vgaromimage: file=$BXSHARE/VGABIOS-lgpl-latest megs: 16 ata0: enabled=1, ioaddr1=0x1f0, ioaddr2=0x3f0, irq=14 ata0-master: type=disk, path="petya.img", mode=flat, cylinders=1, heads=16, spt=63 boot: disk vga: extension=vbe mouse: enabled=0 log: nul logprefix: %t%e%d panic: action=fatal error: action=report info: action=report debug: action=ignore   こいつをファイル名を変えてbochsrcとして保存。.txtもいらない。 Bochs-2.6.9\bochsrc 設定ファイルのポイントは赤文字のところ!! path="" には取り出したMBRのパスを記入する。 そして、もうひとつ重要なのが、Bochsに読み込ませるディスクイメージのサイズは512の倍数でなければいけないんだ。 どういうこっちゃ??なのだけど、、 切り出したMBRをバイナリエディタで読み
Read more

BLE sniffing with UbertoothOne

Image
This time, I'd like to try monitoring smartlock's BLE packets with Ubertooth One. Smartlock  use this dongle and Ubertooth One Find BLE device  check BLE dongle is connected. ➜ ~ sudo hciconfig hci0: Type: BR/EDR Bus: USB BD Address: 00:1A:7D:DA:71:13 ACL MTU: 310:10 SCO MTU: 64:8 UP RUNNING PSCAN RX bytes:622 acl:0 sco:0 events:38 errors:0 TX bytes:952 acl:0 sco:0 commands:38 errors:0 Let's find BLE devices ➜ ~ sudo hcitool lescan LE Scan ... 30:F8:3F:06:4F:6F (unknown) 30:F8:3F:06:4F:6F (unknown) 30:F8:3F:06:4F:6F (unknown) 18:62:E4:46:60:AB (unknown) <------ 18:62:E4:46:60:AB BlueFPL <------ 30:F8:3F:06:4F:6F (unknown) 30:F8:3F:06:4F:6F (unknown) 30:F8:3F:06:4F:6F (unknown) Then, trying gatttool. Peripheral is defined by service and characteristic. Each service contains charateristics which contains data. ➜ ~ sudo gatttool -I -b 18:62:E4:46:60:AB [ ][18:62:E4:46:60:AB][LE]> connect [CON][18:62:E4:46:60:AB][LE]> primary [CON][18:
Read more