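/*
 * BruteForce, Remote sniffing and Status-Tool for Pluggit AP300
 *
 * If you have an "normal" nRF905 module, the distance between the nRF905
 * and the AP300 wireless module must be less than 1m!!!
 */

/*
 * PIN config for Arduino Pro Mini to nRF905
 *
 *  7 -> PWR
 *  8 -> CE
 *  9 -> TxEN
 *  2 -> CD
 *  3 -> DR
 * 10 -> CSN
 * 12 -> MISO
 * 11 -> MOSI
 * 13 -> SCK
 */

// The header names were missing from the original listing (bare "#include"
// lines). SPI.h is the Arduino SPI library (SPI.begin / SPI_CLOCK_DIV2 are
// used below). nRF905.h is the header of the nRF905 driver that provides the
// nRF905_* functions, the pin macros (PWR_MODE, TRX_EN, TX_EN, CSN, CD, DR)
// and the NRF905_* constants used here -- confirm the exact header name
// against the driver library actually installed.
#include <SPI.h>
#include <nRF905.h>

/*
 * ONLY USE BRUTEFORCE OR REMOTE_SNIFFING
 */
#define BRUTEFORCE 1          // enable(1)/disable(0) bruteforce

#if BRUTEFORCE
#define TIMEOUT 250           // 250ms data timeout (per tried address)
#else
#define TIMEOUT 1000          // 1 second data timeout
#endif

#define REMOTE_SNIFFING 0     // enable(1)/disable(0) remote sniffing

// loop() only brute-forces when REMOTE_SNIFFING is off, so enabling both
// modes silently disables brute force; make the misconfiguration a build error.
#if BRUTEFORCE && REMOTE_SNIFFING
#error "Enable only one of BRUTEFORCE or REMOTE_SNIFFING"
#endif

// Receive buffers: four slots of NRF905_MAX_PAYLOAD bytes, indexed by plCounter.
// loop() increments plCounter on every received packet and the visible part of
// loop() never resets it, so a run that receives more than four packets must
// reset (or bound) plCounter first -- otherwise nRF905_getData() writes past
// the end of this array.
uint8_t payload[4][NRF905_MAX_PAYLOAD];
uint8_t plCounter;

//////////////////////////////////////////////////////////////////////////
// Programs the nRF905 registers for talking to the AP300 and clears the
// receive buffer. The register values are fixed constants presumably matched
// to the AP300 wireless module; the reg-9 read is kept only to reproduce the
// sequence seen by sniffing (its result is discarded).
//
// buf1: 4-byte TX address (borrowed from the caller)
// buf2: 4-byte RX address (borrowed from the caller)
void nRF905_Config(byte buf1[], byte buf2[]) {
    // Set control register 0 - CHANNEL
    nRF905_setConfigReg0(0x76);
    // config reg 1
    nRF905_setConfigReg1(0x0E);
    // config reg 2
    nRF905_setConfigReg2(0x44);
    // Set payload sizes
    nRF905_setPayloadSizes(0x20);
    // set TX and RX addresses
    nRF905_setTXAddress(buf1);
    // set RX address
    nRF905_setRXAddress(buf2);
    // read config register 9 - just to be conform with data detected by sniffing
    nRF905_getConfigReg(9);
    // set config register 9
    nRF905_setConfigReg9(0xDB);
    // Clear DR by reading receive payload
    nRF905_flushRecBuffer();
}

//////////////////////////////////////////////////////////////////////////
// Brings the radio from power-down through configuration to powered-up.
// Safe to call repeatedly (loop() re-initialises per brute-force address);
// each call re-runs SPI.begin() and rewrites the full configuration.
//
// buf1: 4-byte TX address, buf2: 4-byte RX address (see nRF905_Config)
void nRF905_Initialise(byte buf1[], byte buf2[]) {
    pinMode(PWR_MODE, OUTPUT);
    digitalWrite(PWR_MODE, LOW);   // activate power down mode
    pinMode(TRX_EN, OUTPUT);
    digitalWrite(TRX_EN, LOW);     // activate standby mode
    pinMode(TX_EN, OUTPUT);
    pinMode(CSN, OUTPUT);
    pinMode(CD, INPUT);
    pinMode(DR, INPUT);
    digitalWrite(CSN, HIGH);       // chip select idle high

    SPI.begin();
    SPI.setClockDivider(SPI_CLOCK_DIV2);

    // Configuration is written while the chip is in power-down/standby.
    nRF905_Config(buf1, buf2);
    Serial.println(F("nRF905 configured..."));

#if NRF905_INTERRUPTS
    // Set interrupts
    REG_EXTERNAL_INT_CTL |= BIT_EXTERNAL_INT_CTL;
    nRF905_interrupt_on();
    Serial.println(F("nRF905 interrupts..."));
#endif

    // leave config mode
    nRF905_powerUp();
    Serial.println(F("nRF905 powered up..."));
}

///////////////////////////////////////////////////////////////////
// Arduino entry point: opens the serial console, initialises the radio with
// the fixed default address pair and resets the payload slot counter.
void setup() {
    byte buf1[] = {0x00, 0x00, 0x07, 0x7A};   // Address of device to send to (4 bytes) = TXADDR
    byte buf2[] = {0x00, 0x00, 0x07, 0x7A};   // Address of this device (4 bytes) = RXADDR

    Serial.begin(57600);
    Serial.println(F("Client started"));

    // Start up
    nRF905_Initialise(buf1, buf2);
    Serial.println(F("nRF905 initialised"));

    plCounter = 0;
}

//////////////////////////////////////////////////////
// Derives the radio state from the control/status pins alone (no SPI
// traffic): PWR_MODE low = power down, TRX_EN low = standby, otherwise
// TX_EN selects RX vs TX and DR marks the end of the transfer.
nRF905_radio_state_t nRF905_getStatus(void) {
    if (!digitalRead(PWR_MODE)) {
        return NRF905_RADIO_STATE_POWER_DOWN;
    }
    if (!digitalRead(TRX_EN)) {
        return NRF905_RADIO_STATE_STANDBY;
    }
    if (!digitalRead(TX_EN)) {
        // receive path: DR high means a packet has been received
        return digitalRead(DR) ? NRF905_RADIO_STATE_RX_END : NRF905_RADIO_STATE_RX;
    }
    // transmit path: DR high means the packet has been sent
    return digitalRead(DR) ? NRF905_RADIO_STATE_TX_END : NRF905_RADIO_STATE_TX;
}

/////////////////////////////////////////////////////////////
// brute force counter: the two low address bytes tried next (high bytes are
// fixed at 0x00 by loop()); bf[1] is the fast-moving byte.
byte bf[] = {0x00, 0x00};

/////////////////////////////////////////////////////////////
void loop() {
    byte ret;

    // HEX-Code for getting the address in brute force mode
    char wr_for_bruteforce[] = {0x90, 0x80, 0x03, 0x04, 0x00, 0x00, 0x0C};
    // HEX-Code from Remote Control to get status from AP300 (This code are sniffed from the remote control after having the valid address and set this programm in received mode and not sending data!!!!!)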
char wr_get_status[] = {0x90, 0x80, 0x03, 0x04, 0x00, 0x00, 0x0C, 0xF3, 0xDB, 0xDA, 0xD3, 0xB7, 0x3E, 0x67, 0x7E, 0x0F, 0xEC, 0x3F, 0x30, 0xC0, 0xDF, 0xB5, 0xFF, 0x4D, 0xCC, 0x7C, 0xF5, 0x8F, 0xD5, 0xD0, 0x2F, 0x7B}; //// BRUTE FORCE #if !REMOTE_SNIFFING #if BRUTEFORCE nRF905_powerDown(); byte buf1[] = {0x00, 0x00, bf[0], bf[1]}; // Address of device to send to (4 bytes) = TXADDR byte buf2[] = {0x00, 0x00, bf[0], bf[1]}; // Address of this device (4 bytes) = RXADDR byte view[] = {0x00, 0x00, bf[0], bf[1]}; // Address of this device (4 bytes) = VIEW Serial.print(F("TESTING ADDRESS: 0x")); Serial.print(view[2], HEX); Serial.print(F(", 0x")); Serial.println(view[3], HEX); // very simple counter if(bf[1] == 255) { bf[0]++; bf[1] = 0; } else { bf[1]++; } nRF905_Initialise(buf1, buf2); //slow but good ;-) #endif #endif // set start time for timeout unsigned long startTime = millis(); //// SET DATA #if !REMOTE_SNIFFING Serial.println(F("setting data ...")); // Set payload data #if BRUTEFORCE ret = nRF905_setData(wr_for_bruteforce, sizeof(wr_for_bruteforce)); #else ret = nRF905_setData(wr_get_status, sizeof(wr_get_status)); #endif if (ret) Serial.println(F("Error by setting data!")); //// SEND DATA Serial.println(F("sending data ...")); // Send payload (send fails if other transmissions are going on, keep trying until success) while(1) { ret = nRF905_send(); if (ret==0) break; else { Serial.print(F("nRF905_send returned: ")); Serial.println(ret); delay(100); } } #endif //// RECEIVE DATA Serial.println(F("receiving data ...")); // Put into receive mode nRF905_receive(); //// GETTING DATA #define buffer payload // Make buffer for reply unsigned long time0 = millis() + TIMEOUT; // Wait for reply with timeout while(1) { ret = nRF905_getData(&buffer[plCounter][0], NRF905_MAX_PAYLOAD); if (ret==0) {plCounter++; break;} // Got data // check timeout if ( millis() > time0 ) break; } //// EVALUATE DATA if ( ret==0 ) { // data received. 
Do nothing, wait for time-out for display received data #if BRUTEFORCE Serial.print(F("Reply from Pluggit AP300. The brute force was successful. The matching Address is: {0x00, 0x00, 0x")); Serial.print(view[2], HEX); Serial.print(F(", 0x")); Serial.print(view[3], HEX); Serial.println(F("}")); while (1); #else Serial.print(F("Reply from Pluggit AP300: ")); for (uint8_t y = 0; y