/*
 * BruteForce, Remote sniffing and Status-Tool for Pluggit AP300
 *
 * If you have a "normal" nRF905 module, the distance between the nRF905 and the AP300 wireless module must be less than 1m!!!
 */
/*
 * PIN config for Arduino Pro Mini to nRF905
 *
 * 7 -> PWR
 * 8 -> CE
 * 9 -> TxEN
 * 2 -> CD
 * 3 -> DR
 * 10 -> CSN
 * 12 -> MISO
 * 11 -> MOSI
 * 13 -> SCK
 */
#include <nRF905.h>
#include <SPI.h>
/*
 * ONLY USE BRUTEFORCE OR REMOTE_SNIFFING (enable one of the two, not both)
 */
#define BRUTEFORCE 1 // enable(1)/disable(0) bruteforce: loop() tries a new candidate address each pass
#if BRUTEFORCE
#define TIMEOUT 250 // 250 ms data timeout (how long loop() waits for a reply per candidate address)
#else
#define TIMEOUT 1000 // 1 second data timeout (how long loop() waits for a status reply)
#endif

#define REMOTE_SNIFFING 0 // enable(1)/disable(0) remote sniffing: loop() only listens, never sends
// Receive buffers: up to 4 frames of NRF905_MAX_PAYLOAD bytes each; loop()
// fills one slot per received frame. Explicit empty-brace init is equivalent
// to the zero-initialisation every global gets anyway.
uint8_t payload[4][NRF905_MAX_PAYLOAD] = {};
// Number of slots in payload currently holding a frame. setup() clears it and
// loop() clears it again after dumping the received frames.
uint8_t plCounter = 0;
//////////////////////////////////////////////////////////////////////////
void nRF905_Config(byte buf1[], byte buf2[])
{
// Write the nRF905 configuration registers this sketch relies on.
// buf1 goes to nRF905_setTXAddress (address of the device to send to), buf2 to
// nRF905_setRXAddress (this node's own address); both callers (setup() and
// loop()) pass 4-byte arrays. The register values are hard-coded and, per the
// original note on register 9, chosen to reproduce what was observed on the
// real remote control; the meaning of the individual bytes is not decoded here.
// The sequence of SPI accesses appears to be deliberate, so do not reorder it.
// Set control register 0 - CHANNEL
nRF905_setConfigReg0(0x76);
// config reg 1
nRF905_setConfigReg1(0x0E);
// config reg 2
nRF905_setConfigReg2(0x44);
// Set payload sizes
nRF905_setPayloadSizes(0x20);
// set TX address (destination)
nRF905_setTXAddress(buf1);
// set RX address (this device)
nRF905_setRXAddress(buf2);
// read config register 9 - just to be conform with data detected by sniffing
// (the value read back is discarded; presumably only the bus access itself matters)
nRF905_getConfigReg(9);
// set config register 9
nRF905_setConfigReg9(0xDB);
// Clear DR by reading receive payload
nRF905_flushRecBuffer();
}
//////////////////////////////////////////////////////////////////////////
void nRF905_Initialise(byte buf1[], byte buf2[])
{
// Full bring-up of the nRF905: GPIO directions, SPI, register configuration
// (via nRF905_Config with the same buf1/buf2), optional interrupt enable, then
// power-up. Progress is logged on Serial, which the caller must already have
// started. The pin names (PWR_MODE, TRX_EN, TX_EN, CSN, CD, DR) are not defined
// in this file; presumably nRF905.h provides them and they correspond to the
// pin mapping in the header comment - confirm against the library's config.
pinMode(PWR_MODE, OUTPUT);
digitalWrite(PWR_MODE, LOW); // activate power down mode
pinMode(TRX_EN, OUTPUT);
digitalWrite(TRX_EN, LOW); // activate standby mode
pinMode(TX_EN, OUTPUT);
pinMode(CSN, OUTPUT);
pinMode(CD, INPUT);
pinMode(DR, INPUT);
digitalWrite(CSN, HIGH); // chip select idle before the SPI bus is started (CSN is active-low)

SPI.begin();
SPI.setClockDivider(SPI_CLOCK_DIV2); // smallest divider the Arduino core offers

nRF905_Config(buf1, buf2);
Serial.println(F("nRF905 configured..."));

#if NRF905_INTERRUPTS
// Set interrupts - only compiled in when the library is built with
// NRF905_INTERRUPTS; REG_EXTERNAL_INT_CTL / BIT_EXTERNAL_INT_CTL are library names.
REG_EXTERNAL_INT_CTL |= BIT_EXTERNAL_INT_CTL;
nRF905_interrupt_on();
Serial.println(F("nRF905 interrupts..."));
#endif

// leave config mode
nRF905_powerUp();
Serial.println(F("nRF905 powered up..."));
}
///////////////////////////////////////////////////////////////////
void setup()
{
  // Serial first so the bring-up messages from nRF905_Initialise are visible.
  Serial.begin(57600);
  Serial.println(F("Client started"));

  // Fixed nRF905 address pair used for the initial bring-up. In brute-force
  // mode loop() re-initialises the radio with its own candidate address on
  // every pass, so this value only matters for the other modes.
  byte txAddress[] = {0x00, 0x00, 0x07, 0x7A}; // Address of device to send to (4 bytes) = TXADDR
  byte rxAddress[] = {0x00, 0x00, 0x07, 0x7A}; // Address of this device (4 bytes) = RXADDR

  // Start up
  nRF905_Initialise(txAddress, rxAddress);
  Serial.println(F("nRF905 initialised"));

  // No payload slot holds a frame yet.
  plCounter = 0;
}
//////////////////////////////////////////////////////
nRF905_radio_state_t nRF905_getStatus(void)
{
  // Derive the radio state from the control/status pins, checked in priority
  // order: PWR_MODE, then TRX_EN, then TX_EN, with DR deciding between the
  // "in progress" and "finished" flavour of RX/TX. The pins are read in exactly
  // that order; DR is only sampled once the radio is known to be active.
  const bool poweredUp = digitalRead(PWR_MODE);
  if (!poweredUp) {
    return NRF905_RADIO_STATE_POWER_DOWN;
  }

  const bool trxEnabled = digitalRead(TRX_EN);
  if (!trxEnabled) {
    return NRF905_RADIO_STATE_STANDBY;
  }

  const bool txEnabled = digitalRead(TX_EN);
  const bool dataReady = digitalRead(DR);
  if (txEnabled) {
    return dataReady ? NRF905_RADIO_STATE_TX_END : NRF905_RADIO_STATE_TX;
  }
  return dataReady ? NRF905_RADIO_STATE_RX_END : NRF905_RADIO_STATE_RX;
}
/////////////////////////////////////////////////////////////
// brute force counter: the low two bytes {high, low} of the next candidate
// address. loop() copies it into the address buffers and then advances it,
// once per pass, starting from 0x0000.
byte bf[2] = {0x00, 0x00};
/////////////////////////////////////////////////////////////
void loop()
{
// One probe per pass: in brute-force mode pick the next candidate address and
// re-initialise the radio with it; unless REMOTE_SNIFFING is set, load and send
// a fixed request; then listen for a reply for TIMEOUT ms and report the
// outcome. Uses the globals payload, plCounter and bf. Judging by how it is
// tested below, the library calls return 0 in ret on success.
// NOTE(review): the sketch treats *any* reply as proof that the address is
// right, i.e. it assumes the AP300 answers this fixed request from whichever
// node uses its address. From a defender's view, the 16-bit address is the
// only thing standing in for authentication in what this sketch exercises.
byte ret;

// HEX-Code for getting the address in brute force mode (7 bytes, sent as-is)
char wr_for_bruteforce[] = {0x90, 0x80, 0x03, 0x04, 0x00, 0x00, 0x0C};

// HEX-Code sniffed from the remote control: the status request it sends to the
// AP300. It was captured by running this sketch in receive-only mode (not
// sending) once the valid address was known. Its first 7 bytes equal
// wr_for_bruteforce.
// NOTE(review): several values (0xF3, 0xDB, ...) do not fit a signed char, so
// this list-initialisation is narrowing on targets where char is signed; it
// presumably compiles only because the Arduino toolchain downgrades that to a
// warning. uint8_t would be the clean element type.
char wr_get_status[] = {0x90, 0x80, 0x03, 0x04, 0x00, 0x00, 0x0C, 0xF3, 0xDB, 0xDA, 0xD3, 0xB7, 0x3E, 0x67, 0x7E, 0x0F, 0xEC, 0x3F, 0x30, 0xC0, 0xDF, 0xB5, 0xFF, 0x4D, 0xCC, 0x7C, 0xF5, 0x8F, 0xD5, 0xD0, 0x2F, 0x7B};

//// BRUTE FORCE
#if !REMOTE_SNIFFING
#if BRUTEFORCE
// Candidate address for this pass is {0x00, 0x00, bf[0], bf[1]}; the radio is
// powered down and fully re-initialised with it.
nRF905_powerDown();

byte buf1[] = {0x00, 0x00, bf[0], bf[1]}; // Address of device to send to (4 bytes) = TXADDR
byte buf2[] = {0x00, 0x00, bf[0], bf[1]}; // Address of this device (4 bytes) = RXADDR
byte view[] = {0x00, 0x00, bf[0], bf[1]}; // Private copy kept for printing; also used under EVALUATE DATA below

Serial.print(F("TESTING ADDRESS: 0x"));
Serial.print(view[2], HEX);
Serial.print(F(", 0x"));
Serial.println(view[3], HEX);

// very simple counter: advance bf to the next candidate now that this pass's
// address has been copied out. bf[1] carries into bf[0]; bf[0] is a byte and
// wraps silently at 255, so after 0xFFFF the sequence restarts at 0x0000.
if(bf[1] == 255) {
bf[0]++;
bf[1] = 0;
} else {
bf[1]++;
}

nRF905_Initialise(buf1, buf2); //slow but good ;-) - full pin/SPI/register bring-up every pass
#endif
#endif

// set start time for timeout
// NOTE(review): startTime is never read; the receive timeout uses time0 below.
unsigned long startTime = millis();

//// SET DATA
#if !REMOTE_SNIFFING
Serial.println(F("setting data ..."));
// Set payload data: the short probe in brute-force mode, the sniffed status
// request otherwise.
#if BRUTEFORCE
ret = nRF905_setData(wr_for_bruteforce, sizeof(wr_for_bruteforce));
#else
ret = nRF905_setData(wr_get_status, sizeof(wr_get_status));
#endif
// A failure is only reported; the send below still runs with whatever is loaded.
if (ret) Serial.println(F("Error by setting data!"));

//// SEND DATA
Serial.println(F("sending data ..."));
// Send payload (send fails if other transmissions are going on, keep trying until success)
// NOTE(review): there is no retry limit, so a permanently busy channel keeps
// this pass here indefinitely, printing the return code every 100 ms.
while(1) {
ret = nRF905_send();
if (ret==0) break;
else {
Serial.print(F("nRF905_send returned: "));
Serial.println(ret);
delay(100);
}
}
#endif

//// RECEIVE DATA
Serial.println(F("receiving data ..."));
// Put into receive mode
nRF905_receive();

//// GETTING DATA
// 'buffer' is a macro alias for the global payload array; being a macro it
// stays defined after loop() returns.
#define buffer payload // Make buffer for reply
// Wait for reply with timeout (TIMEOUT ms, see the #define near the top).
// NOTE(review): millis() + TIMEOUT overflows after ~49.7 days of uptime; the
// rollover-safe form compares (millis() - start) against TIMEOUT.
unsigned long time0 = millis() + TIMEOUT;
while(1)
{
// Poll for a received frame into the next payload slot. plCounter indexes a
// 4-slot array with no explicit bound check; in the paths visible here it is
// reset to 0 after the dump (or the sketch halts), so it does not reach 4.
ret = nRF905_getData(&buffer[plCounter][0], NRF905_MAX_PAYLOAD);
if (ret==0) {plCounter++; break;} // Got data

// check timeout - ret keeps the last non-zero value when we leave this way
if ( millis() > time0 ) break;
}

//// EVALUATE DATA
if ( ret==0 )
{ // data received
#if BRUTEFORCE
// Any reply counts as a hit: print the address that was just tried (view, not
// bf, which has already been advanced) and halt for good.
// (view is declared only when REMOTE_SNIFFING is 0, so enabling both flags
// fails to compile here - consistent with the "only use one" rule.)
Serial.print(F("Reply from Pluggit AP300. The brute force was successful. The matching Address is: {0x00, 0x00, 0x"));
Serial.print(view[2], HEX);
Serial.print(F(", 0x"));
Serial.print(view[3], HEX);
Serial.println(F("}"));
while (1); // intentional halt; nothing more to do once the address is known
#else
// Dump every filled slot as zero-padded hex, one line per slot.
Serial.print(F("Reply from Pluggit AP300: "));
for (uint8_t y = 0; y<plCounter; y++) {
for (byte i=0; i<NRF905_MAX_PAYLOAD; i++) {
ret = buffer[y][i];
if (ret<16) Serial.print(0, HEX); // leading zero for single-digit values
Serial.print(ret, HEX);
}
Serial.println();
}
ret = 0; // ret was reused as a scratch byte in the dump above
plCounter = 0; // slots consumed; next reply starts at slot 0
Serial.println();

// wait 5 seconds for next status
delay(5000);
#endif
} else { // time-out
Serial.println(F("time-out"));
Serial.println();
}
}