Tuesday, March 1, 2011

GoodFET on the TelosB, TMote Sky

by Travis Goodspeed <travis at radiantmachines.com>
with kind thanks to Sergey Bratus, Ryan Speers, and Ricky Melgares,
for contributions of code, conversation, and general neighborliness.

Telos B

As I was recently reminded that the Crossbow Telos B and Sentilla TMote Sky devices litter most universities, left over from wireless sensor network research, it seemed like a perfect target. As such, I'm happy to announce that the GoodFET firmware now fully supports the Telos B and TMote, and also that support for the Zolertia Z1 mote will be coming soon. KillerBee integration should come in the next few weeks, but there's plenty of fun to be had in the meantime.

This brief tutorial will walk you through cross-compiling the GoodFET firmware for the Telos B or TMote Sky, as well as simple packet sniffing and injection. As the GoodFET project is always being refactored in one way or another, you can expect a bit of this to change.

Compiling the Firmware

A port of the GoodFET firmware is defined by three things. First, the $platform environment variable defines the header file from which port definitions come. Most platforms just use platforms/goodfet.h, which is loaded when $platform is undefined or set to 'goodfet'. Some devices, such as the two varieties of the Next Hope Badge and the Telos B, use ports which are not the same as the standard GoodFET's layout. In particular, it's rather common for the Slave-Select (!SS) line to be unique to the hardware layout of a particular board. Setting $platform to 'telosb' takes care of this.

Additionally, the Telos B uses the MSP430F1611 chip, so $mcu must be set to 'msp430x1611'. (That's with an 'x', as the linker doesn't care whether the chip is in the F, G, or C variants.)

Finally, a normal GoodFET includes a lot of modules for things like JTAG and similar protocols that the Telos B does not include wiring for. Although leaving them in doesn't hurt, it does make the firmware larger, which is annoying when repeatedly recompiling and reflashing during firmware development. To restrict support to just the monitor, the SPI Flash chip, and the Chipcon SPI radio, it is handy to set $config to 'monitor spi ccspi'.

export platform=telosb
export mcu=msp430x1611
export config='monitor ccspi spi'
make clean install

Accessing the SPI Flash

The Telos B is reset in a manner very different from the GoodFET, courtesy of a bit-banged I2C controller. Someday we'll figure out how to auto-detect this, but until then you will need to have $platform set to 'telosb' just as you did when compiling.

The Telos B contains a Numonyx M25P80 SPI Flash chip, which is compatible with the goodfet.spiflash client. Unfortunately, most units use a variety of this chip that does not respond to a request for its model number. (According to the datasheet, this feature is only available in the 110nm version. Datasheets have a way of phrasing bugs as if they were just optional features.) On those lucky units with a properly behaving chip, run 'goodfet.spiflash info' to get its capacity and model number. Upgrading to a larger chip or replacing the SMD unit with a socketed one will cause no problems, as the client will automatically adapt.

GoodFET for the Telos B

You may also use the standard peek, erase, dump, and flash verbs to access the contents of the chip. When the chip refuses to identify itself, the GoodFET will default to a size of 8Mb, so explicit ranges needed be given for things like 'goodfet.spiflash dump telosb_m25p80.bin'.

As the M25P80 chip is not access-controlled in any way, it's a handy way to grab old data from a node. On some academically-sourced devices, you might find leftover data or code from LogStorage or Deluge. On commercial devices, these chips sometimes keep hold more interesting things.

Sniffing ZigBee, 802.15.4

While the Flash chip is a neat little toy and handy for forensics, most users of the Telos B port will be interested in the CC2420 radio. As a final collaboration between Ember and Chipcon, the '2420 was one of the first popular 802.15.4 chips, and it is still quite handy for reversing and exploit ZigBee devices. Just as before, you must set $platform to be 'telosb' or the client will not connect.

To sniff raw 802.15.4 packets on channel 11, just call 'goodfet.ccspi sniff 11'. This enables promiscuous mode, so you will see traffic from all PANs and to all MACs in the region. If you are only interested in broadcast traffic, use 'goodfet.ccspi bsniff 11' instead.
goodfet.ccspi sniff 11

As much fun as it is to sit with the 802.15.4 and ZigBee protocol documentation to figure out what a packet means the first time, white-washing this particular fence quickly becomes boring. For that reason, Ryan Speers and Ricky Melgares at Dartmouth tossed together a Scapy module for dissecting these sorts of packets. It's in the scappy-com Mercurial repository, so check it out with "hg clone http://hg.secdev.org/scapy-com" then run "sudo python setup.py install" after the prerequisite packages have been installed.

Once the community build of Scapy has been installed, you can run 'goodfet.ccspi sniffdissect 11' to print the Scapy dissections of various packets. As this code is less than a week old, there are a few kinks to work out, so ignore the warning messages that pop up at the beginning of the log. (Scapy likes to initialize the operating system's networking stack even though we're using a GoodFET instead. This is infuriating on OpenBSD, but merely an annoyance on OS X and Linux.)

802.15.4 Scapy

If you have no other 15.4 equipment to play with, you can do a transmission test with 'goodfet.ccspi txtest 11'. In the following section, I'll show you to how to send and receive packets in a Python script, which is useful for talking to the myriad of wireless sensors that have less than serious security.

Scripting the CC2420

The GoodFET project is built as a number of client scripts which are written in spaghetti code, features from which are slowly moved out of spaghetti and into classes. That is to say, the heavy lifting should be in GoodFETCCSPI.py, while short and sweet client scripts will be found in goodfet.ccspi. As an example, this section will cover the functioning of 'goodfet.ccspi txtoscount' which implements the radio protocol spoken by the TinyOS RadioCountToLeds application.

Rather than go into too much detail, I'll just point out the lines that are most instructive. Just like sing-along cartoons, this only works if you read the code, so please open up your favorite editor and follow along. While you're at it, use 'svn blame' to figure out which new GoodFET developer wrote that routine. If too much time has passed, you'll also need to back up to the revision that was current when I wrote this review. Then jump back a few more revisions to figure out which bugs of mine had to be fixed before his code worked. Isn't revision control nifty?

By default, the CC2420 only receives packets addressed to the local PAN and MAC as well as those sent to the broadcast address. In order to receive promiscuously, allowing the client to automatically identify any devices on the channel, it is necessary to enable promiscuous mode with 'client.RF_promiscuity(1)'. You might also want to tune away from the default channel with 'client.RF_setchan()'.

Also, as checksums must be correct in any outbound traffic, it is necessary to enable the AUTOCRC mode with 'client.RF_autocrc(1)'. This appends a checksum to every outbound packet, and it also rejects any inbound packets with invalid checksums, which is helpful to reduce noise but would sometimes accidentally rejects packets from non-compliant devices during sniffing. (TinyOS always uses the AUTOCRC feature, so it isn't an issue in this particular application.)

Packet reception, as is standard among the radio modules, is performed by 'client.RF_rxpacket()'. This method returns None if no packet has been received, so a synchronous application ought to spin in a loop until something else is returned.

Finally, the routine needs to broadcast its own reply, either from a stock template or from the sniffed packet. This is accomplished by passing an array of bytes to 'client.RF_txpacket(packet)'.

That's really all there is to it.


The GoodFET is primarily a tool for reverse engineering, and integration with other tools is a priority. KillerBee and Kismet plugins are already in development, and clients for all sorts of 802.15.4 devices will be written as hardware becomes available. Support for the CC2420's AES engine will also be added, so that encrypted packets can be sniffed once keys are sniffed from the air or by syringe with a bus analyzer.

That's all folks. Grab a Telos B or TMote and start poking at devices. Good targets might include Z-Wave door locks and ZigBee thermostats.


Bianca said...
This comment has been removed by a blog administrator.
Travis Goodspeed said...

With the new build system, don't bother defining $config, $platform, or $mcu.
export board=telosb
make clean install
goodfet.ccspi info

Also, I mistakenly thought that ZWave was a form of Zigbee. It's not, but you can sniff it with a GirlTech IMME's CC1110 radio.


Sean said...

Hi, Nice project. Can you please tell me where can I download the TelosB codes of this project?

Blogger said...

Did you know that you can create short links with Shortest and get cash from every visit to your short urls.

Blogger said...

Teeth Night Guard is providing personalized fitting and high quality customized dental guards.

Blogger said...

If you want your ex-girlfriend or ex-boyfriend to come crawling back to you on their knees (no matter why you broke up) you need to watch this video
right away...

(VIDEO) Text Your Ex Back?

Blogger said...


Get professional trading signals sent to your cell phone daily.

Follow our signals right now & make up to 270% daily.

Roman reigns said...

I liked the way you wrote the article. It was very straightforward and your knowledge on the subject is fantastic.

Reverse Engineering in USA
Reverse Engineering in UK

The Travelius said...

Malaysia Holiday Package.
Malaysia Tour Package.
Malaysia Trip Package.
Malaysia Travel Packages.
Malaysia Honeymoon Package.
Malaysia Tour Packages from India.
Malaysia Tour Package for Couple.
Malaysia Holiday Deals.

Entertaining Game Channel said...

This is Very very nice article. Everyone should read. Thanks for sharing. Don't miss WORLD'S BEST TrainDrivingSimulatorFreeGames

Puremelda said...

Many students are undecided about the best affordable custom research papers and informative speech essay help company to deal with due to the high number of companies that offer similar services.

meldaresearch said...

Through the assistance of our Custom College Papers, you will get the best assignment help that will earn you good grades. Order Custom Essay Service from us and benefit from the knowledge and experience of professionals in different academic fields.

The India said...

iso registration in delhi
iso certification in faridabad
ISO 9001 Certification in Noida
website designing services
SEO Service Consultant

The India said...

iso certification in noida
iso certification in delhi
ce certification in delhi
iso 14001 certification in delhi
iso 22000 certification in delhi
iso consultants in noida

The India said...

we have provide the best fridge repair service.
fridge repair in faridabad
Videocon Fridge Repair in Faridabad
Whirlpool Fridge Repair in Faridabad
Hitachi Fridge Repair In Faridabad
Washing Machine Repair in Noida
godrej washing machine repair in noida
whirlpool Washing Machine Repair in Noida
IFB washing Machine Repair in Noida
LG Washing Machine Repair in Noida

The India said...

we have provide the best ppc service.
ppc company in gurgaon
website designing company in Gurgaon
PPC company in Noida
seo company in gurgaon
PPC company in Mumbai
PPC company in Chandigarh
Digital Marketing Company

The India said...

Rice Bags Manufacturers
Pouch Manufacturers
wall putty bag manufacturers
fertilizer bag manufacturers
Lyrics with music

Hari ji said...

Thanks for Fantasctic blog and its to much informatic which i never think ..Keep writing and grwoing your self

add name in birth certificate
name add in birth certificate
birth certificate in delhi
download birth certificate online
birth certificate in ghaziabad
birth certificate in gurgaon
birth certificate in noida
how to get birth certificate in delhi
birth certificate online
how to download birth certificate

Amber Collins said...

Thanks for sharing such a nice Blog.I like it.


meldaresearch said...

Are you looking to buy Already Written Essays from the best writers? You are not alone. When given Custom Dissertation Services, many students look Best Essay Writing Company for help.

jacklinemelda said...

Online Custom Essay Services are affordable, with rates that are relatively lower in comparison with other Legitimate Custom Essay Writing Services since they allow learners to estimate charges when placing Legitimate Custom Writing Service Orders.

Florahmelda said...

Professional Coursework Writing Services online produces different assignments, including Coursework Writing Assistance, to help students deal with the Coursework Assignment Writing challenges they face every day.

Karolinax said...

League Of Legends 10.1 Yama Notları

sri said...

Thank you for excellent article.You made an article that is interesting.


SEO King of Earth.. visit asiainfotech.in said...

GST Registration

This tax came into applied in India July 1, 2017 through the multiple Amendment of the Constitution of India. The GST replaced existing many Central and State Government taxes.

This article is really helpful to you, Every business and offices required GST Registration in Delhi and GST Registration in Gurgaon. We also provide professional service for gst return, gst guidanace, gst certificate download as well as we provide GST Registration in Noida and GST Registration in Bangalore.

Get complete detail about gst registration, GST registration status, gst procedure, gst number, gst guide. GST experts in India provided by yourdoorstep will assist you through the entireprocess. Online GST Registration File your GST application & get your GSTIN number Online. Agents and consultanst at yourdoorstep help you to get GST Registration done online in 3 hours without any problem.

Our GST Colsultants also available for gst registration in chandigarh, gst registration in faridabad, gst registration in mumbai and gst registration in ahmedabad.

We are best in gst services, duplicate gst certificate, gst renewal n etc

SEO King of Earth.. visit asiainfotech.in said...

Best Digital Marketing Company

Digital Marketing Expert

SEO Expert & Company

Website Design and Development Company

Best IT Consultant

Biggest Pharma Company


If you want to watch free TV shows and movies using streaming websites then there is no alternative as compared to putlocker. Also, we made a list of alternatives like Putlocker sites that you can use to stream movies and TV shows.

Here is the official Putlocker website with a lot of trending and popular movies to watch.

Hosting companies and law enforcement are always taking down free streaming sites, including long-time favorite Putlockers. So what are you supposed to do when your usual top pick for free streaming isn’t working anymore?

Don’t put away that popcorn just yet! I tested 47 leading streaming sites for safety, usability, and speed. After careful review and ranking based on streaming catalog size, content, and quality, I’ve found offical proxy site of Putlockers.

Agarwal Packers an Movers said...

Agarwal Packers and Movers

Agarwal Packers and Movers

Agarwal Packers and Movers

Agarwal Packers and Movers

Agarwal Packers an Movers said...

Agarwal Packers and Movers

Agarwal Packers and Movers

Agarwal Packers and Movers

Agarwal Packers and Movers

Agarwal Packers and Movers

Agarwal Packers an Movers said...

Agarwal Packers and Movers

Agarwal Packers and Movers

Agarwal Packers and Movers

Agarwal Packers and Movers

Agarwal Packers and Movers

Agarwal Packers an Movers said...

Agarwal Packers and Movers

Agarwal Packers and Movers

Agarwal Packers and Movers

Agarwal Packers and Movers

Agarwal Packers and Movers