Monday, January 24, 2011

Generic CC1110 Sniffing, Shellcode, and iClickers

Chipcon CC1110 Logo

Howdy y'all,

I haven't the time to write individual posts on these subjects, but I do have plenty of new features for the CC1110 that are worth sharing. Rather than explain how they were written in too much detail, I invite you to read the source code, which is mostly Python and C shellcode.

In order to follow along with these examples, you will need to have SmartRF Studio installed to /opt/smartrf7. While this requirement will go away in a few weeks, the GoodFET client temporarily needs SmartRF Studio for machine-readable documentation about the CC1110. You can find more details on the SmartRF requirements on the client page.

(1) Packet sniffing, and other neighborly scripts.

GoodFETCC now has packet sniffing support for the SimpliciTI protocol used by the Chronos watch. Not only that, but it implements the protocol well enough to act as an access point for the watch, collecting accelerometer data and deciphering it for the host.
GoodFET Simpliciti Sniffing!

Run an access point with ' simpliciti [band]'. (This command will likely change names soon, as it is a rather ugly hack which only supports the Chronos accelerometer feature.) The optional parameter should be us, eu, or lf for the American, European, and Low Frequency versions of the watch.
GoodFET SimpliciTI Client

Not only protocols intended for the GoodFET, but also others which are coincidentally compatible, are supported. Thanks to some register settings contributed by Mike Ossmann, you can sniff and decipher i<clicker traffic with ' iclicker'.

The i<clicker uses a Xemics XE1203F (PDF) radio chip, shown below. The XE1203F is nearly as configurable as the CC11xx parts, except that it is limited to 2FSK encoding. Previously, this protocol could be sniffed with the GR-Clicker project and a USRP, but the highly-versatile CC1110 chip allows this to be done with neither a software defined radio nor a chip identical to that used by the transmitter.

If you find it handy to see when a device is broadcasting, you can produce an ASCII-art plot of signal strength with ' rssi [freq]':
GoodFET CC1110 RSSI Graph

Care to jam another transmitter? Just like with the Next Hope Badge's GoodFET mode, it takes a single command to hold a carrier wave.
' carrier [freq]'
Chipcon Carrier
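As an added example (my own code, not the GoodFET client's), the two pieces of arithmetic behind commands like ' rssi [freq]' and ' carrier [freq]': turning a requested carrier frequency into the CC1110's FREQ2/FREQ1/FREQ0 register bytes, and turning raw RSSI register reads into an ASCII-art strength plot. The formulas are the CC1110 datasheet's; the RSSI offset value and the sample bytes are assumed and constructed, respectively.

```python
# Added example, not GoodFET's own code: compute the CC1110 FREQ2/FREQ1/FREQ0
# register bytes for a carrier frequency (what a 'rssi [freq]' or
# 'carrier [freq]' command needs in order to tune), and render raw RSSI
# register samples as an ASCII-art bar plot. Formulas follow the CC1110
# datasheet; the RSSI offset and the sample bytes are assumed/constructed.

F_XOSC = 26_000_000       # reference crystal frequency, Hz
RSSI_OFFSET_DB = 71       # assumed typical RSSI offset; check your datasheet


def freq_to_regs(f_hz):
    """Return (FREQ2, FREQ1, FREQ0) such that f = F_XOSC / 2**16 * FREQ."""
    freq = round(f_hz * 2**16 / F_XOSC)
    if not 0 <= freq <= 0xFFFFFF:
        raise ValueError("frequency outside the 24-bit FREQ range")
    return (freq >> 16) & 0xFF, (freq >> 8) & 0xFF, freq & 0xFF


def regs_to_freq(freq2, freq1, freq0):
    """Inverse of freq_to_regs: the carrier actually programmed, in Hz."""
    freq = (freq2 << 16) | (freq1 << 8) | freq0
    return round(freq * F_XOSC / 2**16)


def rssi_dbm(raw):
    """Decode the RSSI register: two's-complement byte in 0.5 dB steps."""
    signed = raw - 256 if raw >= 0x80 else raw
    return signed / 2 - RSSI_OFFSET_DB


def ascii_plot(raw_samples, floor_dbm=-120, width=50):
    """One text line per sample; bar length is dB above floor_dbm."""
    lines = []
    for raw in raw_samples:
        dbm = rssi_dbm(raw)
        bars = max(0, min(width, int(dbm - floor_dbm)))
        lines.append("%7.1f dBm |%s" % (dbm, "#" * bars))
    return lines


# Constructed RSSI samples: idle channel, then a transmitter keying up.
SAMPLES = [0xB0, 0xB2, 0x10, 0x30, 0x32, 0xB1]

if __name__ == "__main__":
    print("915 MHz -> FREQ2/1/0 = %02X %02X %02X" % freq_to_regs(915_000_000))
    print("\n".join(ascii_plot(SAMPLES)))
```

The 915 MHz case yields 0x23 0x31 0x3B, the same bytes SmartRF Studio exports for that channel with a 26 MHz crystal.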

(2) Shellcode, now for quiche-eaters!

At the risk of appearing to facilitate quiche-eating, I'd like to quickly explain the new shellcode interface for placing code fragments on a Chipcon 8051 target, such as the CC1110.

The Chipcon radios have certain functions which are timing sensitive, chief among these being the rewriting of flash memory and the use of the digital radio core. If flash memory is not pulsed with the correct timing, mis-writes will occur. If the radio is read too slowly, bytes will be missed and a buffer underflow will ruin the transaction. Similarly, a transmission might fail if the single-byte transmission buffer isn't refilled quickly enough. I've also had trouble, for reasons that I can poorly explain, configuring the crystal oscillator through the debugging interface without shellcode.

As I described in my CC2430 Debugging Notes, the recommended method of flashing memory is to write a small block of code into XDATA RAM which does the actual write, then to branch to this code, waiting for a HALT (0xA5) opcode to return control to the debugger. This routine is provided in SWRA124 as machine code with assembly comments, beginning with the fragment shown below.
CC2430 Flash Routine

While this is fine and dandy for code that works, it's a bit infuriating to debug code in machine language. (Is that opcode supposed to be 0xA5 or 0xA6? Is the length of this instruction correct? Similar frustration abounds.) To correct for this, the GoodFET project now has a trunk/shellcode directory in addition to trunk/firmware and trunk/client. Shellcode is compiled for target microcontrollers (in this case, just the CC1110) by SDCC, the Small Device C Compiler.

For example, this is the code that used to configure the crystal oscillator on the CC1110, a prerequisite for any radio operations:
Chipcon Shellcode

That ugly mess becomes the following little fragment of C. It is compiled by 'sdcc --code-loc 0xF000 crystal.c' in order to place the code squarely within RAM, which is executable in this 8051 clone's unified memory architecture. (It's a Harvard chip that acts Von Neumann, or the other way around.)
CC1110 Crystal Shellcode

For inputs to these functions, and also for their return values, I find it more convenient to declare arrays at known locations than to read the symbol files to find them. The syntax for placing an array in XDATA memory at 0xFE00 is 'char __xdata at 0xfe00 packet[256];'. You can find examples of this in txpacket.c and rxpacket.c in the GoodFET repository.
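As an added example (my own code, not the GoodFET client's), the host-side half of the workflow above: reading the Intel HEX that SDCC emits for a --code-loc 0xF000 build, checking it before it is written into XDATA RAM, and confirming it carries the HALT opcode the debugger waits for and does not run into the packet array at 0xFE00. The SAMPLE_IHX records are constructed, not the real crystal.c output.

```python
# Added example, not GoodFET's own code: load an SDCC .ihx shellcode image
# the way the host must before branching into it. It parses Intel HEX,
# verifies record checksums, assembles the bytes, and checks that the code
# begins at --code-loc 0xF000, contains the HALT opcode (0xA5) the debugger
# waits for, and stays below the 0xFE00 packet array. SAMPLE_IHX is a
# constructed four-byte fragment, not the real crystal.c output.

CODE_LOC = 0xF000        # sdcc --code-loc 0xF000
PACKET_BUF = 0xFE00      # char __xdata at 0xfe00 packet[256];
HALT = 0xA5              # opcode the debugger waits for

SAMPLE_IHX = """\
:03F0000075C600D2
:01F00300A567
:00000001FF
"""


def parse_ihx(text):
    """Return {address: byte} from the data records, rejecting bad checksums."""
    image = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(":"):
            continue
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF:          # every byte incl. checksum sums to 0 mod 256
            raise ValueError("checksum mismatch in record " + line)
        count, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        data = raw[4:4 + count]
        if len(data) != count:
            raise ValueError("truncated record " + line)
        if rtype == 0x01:            # end-of-file record
            break
        if rtype == 0x00:            # data record
            for i, b in enumerate(data):
                image[addr + i] = b
        # extended-address record types do not occur in 64 KiB 8051 images
    return image


def shellcode_bytes(image):
    """Flatten the image to one blob at CODE_LOC, NOP-filling (0x00) any gaps."""
    if not image or min(image) != CODE_LOC:
        raise ValueError("shellcode does not start at 0x%04X" % CODE_LOC)
    end = max(image) + 1
    if end > PACKET_BUF:
        raise ValueError("shellcode overlaps the packet array at 0xFE00")
    blob = bytes(image.get(a, 0x00) for a in range(CODE_LOC, end))
    if HALT not in blob:             # crude check: 0xA5 might also be an operand
        raise ValueError("no HALT opcode; control would never return")
    return blob
```

The resulting blob is what gets written to XDATA at 0xF000 before the debugger branches there.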

(3) Care to join the fun?

There are a number of features remaining to be implemented in shellcode. Among them is a completed port of Ossmann's $15 Spectrum Analyzer, which I began in CC1110 Instrumentation in Python and which you can find in the contrib/ directory of the GoodFET repository. By dropping the GUI interface and replacing it with timing delays, full spectrum scans can be made in decent time without requiring that anything in flash memory be changed.

Another handy tool would be an OOK sniffer that over-samples, using the infinite-packet-length trick described in the CC1110 datasheet to fill RAM with a recording. Triggering on RSSI allows the beginning of the packet to be reliably timed, with oversampling allowing for correction on all later bits. I've begun to implement this as ' sniffook [freq]', but an enterprising neighbor should be able to start sniffing garage door remotes in short order.

A Morse-code library in combination with an external amplifier would also be neighborly for the licensed amateur bands. The ability of the microcontroller to quickly return and channel hop might be able to account for, among other things, the Doppler shift experienced in EME moon-bounce experiments, without losing backward compatibility with 19th century radio technology.

As a prize, I offer one ale apiece for GoodFET patches implementing these features.

Stay neighborly,
--Travis Goodspeed
<travis at>


Mike said...

Awesome informative.

I've just picked up a couple of CC430-based Chronos watches and intend to use them to brew up a vehicle security system. This post is very informative/insightful towards that project.

BTW, isn't SmartRF Studio a windows-only install... but judging from your screenshot I may not have to cram windows back onto my Mac... ?

Travis Goodspeed said...

Howdy Mike,

These days, I install it to a VM, then move it to /opt/smartrf7 on my workstation. In the past, I've had success using it through Wine.

Have fun,

Jasbir said...

Here's another cheap alternative way of CC1110 sniffing, using a Waveshare dev board + an XRF module and SmartRF Studio.
