Monday, January 24, 2011

Generic CC1110 Sniffing, Shellcode, and iClickers

Chipcon CC1110 Logo

Howdy y'all,

I haven't the time to write individual posts on these subjects, but I do have plenty of new features for the CC1110 that are worth sharing. Rather than explain how they were written in too much detail, I invite you to read the source code, which is mostly Python and C shellcode.

In order to follow along with these examples, you will need to have SmartRF Studio installed to /opt/smatrf7. While this requirement will go away in a few weeks, the GoodFET client temporarily needs SmartRF Studio for machine documentation about the CC1110. You can find more details on SmartRF requirements in the client page.

(1) Packet sniffing, and other neighborly scripts.

GoodFETCC now has packet sniffing support for the SimpliciTI protocol used by the Chronos watch. Not only that, but it implements the protocol well enough to act as an access point for the watch, collecting accelerometer data and deciphering it for the host.
GoodFET Simpliciti Sniffing!

Run an access point with ' simpliciti [band]'. (This command will likely change names soon, as it is a rather ugly hack which only supports the Chronos accelerometer feature.) The optional parameter should be us, eu, or lf for the American, European, and Low Frequency versions of the watch.
GoodFET SimpliciTI Client

Not only protocols intended for the GoodFET, but also others which are coincidentally compatible, are supported. Thanks to some register settings contributed by Mike Ossman, you can sniff and decipher i<clicker traffic with ' iclicker'. iclicker

The i<clicker uses a Xemics XE1203F (PDF) radio chip, shown below. The XE1203F is nearly as configurable as the CC11xx parts, except that it is limited to 2FSK encoding. Previously, this protocol could be sniffed with the GR-Clicker project and a USRP, but the highly-versatile CC1110 chip allows this to be done with neither a software defined radio nor a chip identical to that used by the transmitter.

If you find it handy to see when a device is broadcasting, you can produce an ASCII-art plot of signal strength with ' rssi [freq]':
GoodFET CC1110 RSSI Graph

Care to jam another transmitter? Just like with the Next Hope Badge's GoodFET mode, it takes a single command to hold a carrier wave.
' carrier [freq]'
Chipcon Carrier

(2) Shellcode, now for quiche-eaters!

At the risk of appearing to facilitate quiche-eating, I'd like to quickly explain the new shellcode interface for placing code fragments on a Chipcon 8051 target, such as the CC1110.

The Chipcon radios have certain functions which are timing sensitive, chief among these being the rewriting of flash memory and the use of the digital radio core. If flash memory is not pulsed with the correct timing, mis-writes will occur. If the radio is read too slowly, bytes will be missed and a buffer underflow will ruin the transaction. Similarly, a transmission might fail if the single-byte transmission buffer isn't refilled quickly enough. I've also had trouble, for reasons that I can poorly explain, configuring the crystal oscillator through the debugging interface without shellcode.

As I described in my CC2430 Debugging Notes, the recommended method of flashing memory is to write a small block of code into XDATA RAM which does the actual write, then to branch to this code, waiting for a HALT (0xA5) opcode to return control to the debugger. This routine is provided in SWRA124 as machine code with assembly comments, beginning with the fragment shown below.
CC2430 Flash Routine

While this is fine and dandy for code that works, it's a bit infuriating to debug code in machine language. (Is that opcode supposed to be 0xA5 or 0xA6? Is the length of this instruction correct? Similar frustration abounds.) To correct for this, the GoodFET project now has a trunk/shellcode directory in addition to trunk/firmware and trunk/client. Shellcode is compiled for target microcontrollers, in this case just the CC1110 by SDCC, the Small Device C Compiler.

For example, this is the code that used to configure the crystal oscillator on the CC1110, a prerequisite for any radio operations:
Chipcon Shellcode

That ugly mess becomes the following little fragment of C. It is compiled by 'sdcc --code-loc 0xF000 crystal.c' in order to place the code squarely within RAM, which is executable in this 8051 clone's unified memory architecture. (It's a Harvard chip that acts Von Neumann, or the other way around.)
CC1110 Crystal Shellcode

For inputs to these functions, and also for their return values, I find it more convenient to declare arrays at known locations than to read the symbol files to find them. The syntax for placing an array in XDATA memory at 0xFE00 is 'char __xdata at 0xfe00 packet[256];'. You can find examples of this in txpacket.c and rxpacket.c in the GoodFET repository.

(3) Care to join the fun?

There are a number of features remaining to be implemented in shellcode. Among them in a completed port of Ossmann's $15 Spectrum Analyzer, which I began in CC1110 Instrumentation in Python and you can find in the contrib/ directory of the GoodFET repository. By dropping the GUI interface and replacing it with timing delays, full spectrum scans can be made in decent time without requiring that anything in flash memory be changed.

Another handy tool would be an OOK sniffer that over-samples, using the infinite-packet-length trick described in the CC1110 datasheet to fill ram with a recording. Triggering on RSSI allows the beginning of the packet to be reliably timed, with oversampling allowing for correction on all later bits. I've begun to implement this as ' sniffook [freq]', but an enterprising neighbor should be able to start sniffing garage door remotes in short order.

A Morse-code library in combination with an external amplifier would also be neighborly for the licensed amateur bands. The ability of the microcontroller to quickly return and channel hop might be able to account for, among other things, the Doppler shift experienced in EME moon-bounce experiments, without losing backward compatibility with 19th century radio technology.

As a prize, I offer one ale apiece for GoodFET patches implementing these features.

Stay neighborly,
--Travis Goodspeed
<travis at>


Mike said...

Awesome informative.

I've just picked up a couple CC430 based chronos watch and intend to use them to brew-up a vehicle security system. This post is very informative/insightful towards that project.

BTW, isn't SmartRF Studio a windows-only install... but judging from your screenshot I may not have to cram windows back onto my Mac... ?

Travis Goodspeed said...

Howdy Mike,

These days, I install it to a VM then moved it to /opt/smartrf7 on my workstation. In the past, I've had success using it through Wine.

Have fun,

Jas said...

Here another cheap alternative way of CC1110 sniffing using a Waveshare dev board + an XRF module and smartRF Studio.

Unknown said...

Another handy tool would be an OOK sniffer that over-samples, using the infinite-packet-length trick described in the CC1110 datasheet to fill ram with a recording.

Oxford Security

Blogger said...

Did you know that you can create short urls with Shortest and receive dollars from every visit to your short urls.

Blogger said...

Order a professional Sparkling White Smiles Custom Teeth Whitening System online and get BIG DISCOUNTS!
* Up to 10 shades whiter in days!
* Professional Results Are Guaranteed.
* As good as your dentist.
* Same strength as dentists use.

SFCable said...

Thank you so much for posting this! i am going to keep it in mind and will use it if i remember.Ethernet Cables

Roman reigns said...

Great Blog... The information you shared is very effective for learners I have got some important suggestions from it, Keep Sharing such a nice blog.

Shop Drawings Preparation
Shop Drawings Preparation in USA

Lara Gargett said...

Being a responsible assignment provider, they have never let any of the queries of students go unheard. They have also never hesitated to cater to urgent assignment order, even when the deadline is as short as 4 hours. Also, they provide a free copy of the Turnitin report. This is why students have always relied on them. Any subject be it economics, management, nursing or any other, Online Assignment Expert has always come out as the best Online assignment help firm all across the globe.

AltPartsInc said...

Thanks for sharing the blog and this great information which is definitely going to help us.
Mitsubishi laser parts

Sophie Grace said...

This is my first visit in this article your information is very cool and nice i am impressed your blog thank you sharing keep going and keep it up. Know about top account on instagram from site instastalker

Amber Collins said...

This is very fascinating, You are an excessively skilled blogger. said...

Is a good post
I'm still in the beginning, but I'll do more to help my business.
하노이가라오케 said...

)에 지나지 않았다.
모든 것은 이제부터가 시작이었다.

사건의 전말은 이러하다. 찐빵에게 예고한 대로 그날 밤 웅지는 몇 개월
간 심혈을 기울여 추진했던 연구의 종지부를
찍을 그런 역사적인 날이었다. 그것은 바로 생물을 축소하는 액체! 웅지
의 이론에 따르면 그 액체를 뿌리기만 하면
사람이고, 동물이고, 식물이고 본래의 크기에서 줄어들어 어디에든 쉽게
들어갈 수 있는
[쿠키뉴스] 구현화 기자 = 카카오엔터프라이즈가LG전자와 전략적 파트너십을 체결하고 카카오의AI기술을LG의 가전 제품들과 연결한다.카카오엔터프라이즈는LG전자가 새롭게 출시하는2020년형 올레드,나노셀,울트라HD TV전 모델에 카카오의 스마트 스피커 카카오미니를 연동한다.카카오미니를…

دانلود آهنگ said...

آهنگ علی عبدالمالکی اعتراف
آهنگ میثم ابراهیمی هوای دلیه
آهنگ مسعود صادقلو بی آرایش

hamed221 said...

دانلود آهنگ مسیح و آرش دست به یکی

دانلود آهنگ محسن ابراهیم زاده گندمی

دانلود آهنگ سهراب پاکزاد میگیرم دست تورو

Mithun Prakash said...

Nice Blog!
Massage Therapist Services
Maid Services in Toronto

GRSoft Developers said...

Great Research Solutions Pvt. Ltd. ( GRSoft ) is an IT company with no geographical boundaries and provides all that you can think of around IT including consulting, solutions, applications and outsourcing services.

Hire Software Developers

GRSoft Developers said...

GRSoft Gaming is an honor winning, Live Casino game advancement organization of India. We offer curiosity and inventive game development with an exceptionally talented group of developer. Our bleeding edge gaming innovation creates esteem included gaming arrangements. Quality is our real worry for club game development. We offer tweaked Casino game development benefits over the globe and help you furnish with customized development. With our Casino game, individuals couldn't imagine anything better than to chance their gaining and appreciate the advantages. We have created numerous effective games like the video poker game, Sports wagering game, online club game, lottery games, and numerous other common games.

Hire Dedicated Casino Game Developers

GRSoft Developers said...

GRSoft's Remote IT infrastructure services are custom tailored based upon your business needs. Our Remote IT infrastructure services align network architecture and end-to-end communication, to ensure your company has the best IT solutions. We provide wide array of IT infrastructure services, right from IT infrastructure and consulting support to managing the most complex of IT infrastructural issues, with absolute precision.

Remote IT Infrastructure Support Services

Dave said...

Hello everyone I want to introduce you guys to a group a private investigators who can help you with information you need in any situation in life and they are ready to follow you step by step until your case is cleared just contact +17078685071 and you will happily ever after

Zayn said...

Thanks for sharing this info.
Benefits Of Dooh In India
Wedding Photographer in Indore

Mussawir said...

You would love the content shared by us about the apps which can be run on the pc as well.
Achasoda B2B Marketplace

DrivenPerformancechiropractic said...
This comment has been removed by the author.
bretl460 said...

Our research paper assignment help follow an absolutely constructive method of paper composition, which allows them to cover every vital aspect of research.

Hindi Film said...

Best New Love Quotes Everyone searches the internet and you find many websites like our website LoveQuotesG.Com

Wedding Anniversary Quotes

Love Life Quotes

Hurt Quotes

Good Friday Quotes

Halloween Quotes

bretl460 said...

Avail the Best instant help assignment help at Assignment Studio. Hire 500+ Phd Experts to Get High Quality Assignment Service at the Best Discount.

Floyd Weise said...

Thanks for taking the time to share such an informative article with us. You have amazing insight on this, it's great to find a website that offers a fresh perspective to different people. Therefore, we are going to tell you about our Fake Information Generator profile. That helps you keep your private and outside world separate.

Hindi Film said...

I swear I couldn't love you more than I do right now, and yet I know I will tomorrow.

Best Famous Quotes For About Beer

Best Tuesday Morning Quotes

Best New Wednesday Quotes

Best New Vision Quotes

Dshred said...

The most important things when working out are flexibility and comfort. That is why Dshred has the best collection of Women’s Bottoms and Joggers to suit your needs. We have the best leggings for women and girls in Pakistan. Get high-quality gym trousers and yoga pants to suit your workout needs.

Best Exams Help said...

Online classes are provided by one of the best companies in the business, Best Exams Help. We are confident that our do my online course solutions will help you excel in your exams, so you can trust our team. Furthermore, you will gain a deeper understanding of the subject and will have your task completed with greater proficiency. Online Class Help is often sought out by students with limited budgets and poor writing skills.

earnkaroge said...

site is fantastic. I always find great knowledge from it. घर बैठे रोजगार के तरीके earnkaroge

Mr Frudo said...

Angel 800 - do you think it is real

Deepa's Appliances said...
This comment has been removed by the author.
Deepa's Appliances said...

There is a lot of useful information and the information given in every blog in your website is important

Also Read, Top 5 Best Cash Counting Machine

ideasontrend said...

Thanks for sharing your precious time to create this post, it's so informative, and the content makes the post more interesting.really appreciated. Goldie Hawn Jacket

Leyla Doyle said...
This comment has been removed by the author.
Pawan Singh said...

आपके द्वारा शेयर की गयी जानकारी बहुत ही शानदार है परंतु अगर आप भी paisa kamane wala app के बारे में जानकारी चाहते है तो यहाँ से पढ़ें।

Emma Jackson said...

Hello I’m grateful to have read your content thank you. What a nice blog! I have enjoyed reading through the article although I landed on this site. If you are having issues in getting your Web Designing Assignment Help completed accurately then do not hesitate Artificial Intelligence Assignment Help and get your papers checked Business Statistics Assignment Help by the in AU experts.

Long hope said...

Hello, I'm happy for the opportunity to read your information, and I appreciate it. What a wonderful blog! I had a good time reading the article. Machine learning corporate strategy is well recognized for transforming the way firms run, but it isn't all easy sailing. Many businesses are grappling with the idea that technology is too complex to relate to their business goals. The sky would be the limit if they could just bridge their AI/ML knowledge and abilities gaps. check out the related page Machine learning development Solutions

Anonymous said...

Good post Online Assignment help

Examo Mentor said...

Thanks for sharing such a good article

Examo Mentor said...

Best Business Ideas for students without investment

123bet said...

Well, I definitely like studying it. This article you have provided is very helpful.
สมัคร 123plus

Skylawilson said...

We write a dissertation help by researching the identified problems in a very systematic manner. The process starts by identifying the problems in the respective research field. This gets followed by study innumerable journal papers and peer-reviewed articles. Then the research gaps get detected. We check all kinds of secondary data sources and collect necessary primary sources to meet the detected gaps. The derivations and collected data are all analysed as per appropriate tools. This leads to the deliverance of unique conclusions and recommendations by the dissertation experts UK. The University guidelines in structuring the dissertations are followed very strictly.

Parth Bishnoi said...

Independence Day Quotes in Hindi में स्वतन्त्रता दिवस 2022 के लिए बेहतरीन कोट्स शेयर किए है। यदि आप भी स्वतन्त्रता दिवस पर अपने सोश्ल मीडिया अकाउंट पर Happy Independence Day 2022: Quotes, Wishes, Messages in Hindi शेयर करते है तो इस लेख को अंत तक जरूर पढ़े।

Sarkari Job 756 said...

Dr. Amit Agrawal is the Gastroenterologist in Indore and has 12 years of experience. Dr. Amit Agrawal offers the best treatment in the diagnosis of liver disorder, swallowing disorder, diarrhoea, constipation, stomach pain, and colon cancer treatment.

christian said...

Thank for sharing this site. but our site is named vintage jacket. Here celebrity jackets movie jackets and gaming jackets are available. Paul Bettany Wool-Blend Sweater visit now.

eddielydon said...

Your site is good Actually, i have seen your post and That was very informative and very entertaining for me. Billy Butcher Coat

Fht b said...

Kya Aapke pass bhi jio phone hai Agar hai toh kya Aap jaante ho ki Aake usse paisa bhi kama sakte ho Jio phone se paisa kamane ka Tarika Ghar baithe kamao

social Network said...

Kya Aapko bhi Ludo khelke paisa kamana chahte ho Ludo supreme Gold se paise kaise kamaye Ghar baithe kamao

social Network said...

Kya Aapko pata hai ki Aap kis Ludo App se Acha paisa kama sakte ho online Ludo Game paisa kamane wala Ab Har koi kamayega Ghar baithe

Angela said...

Search engine optimization service in weatherford texas

Vijay Kumar said...

Agar aap Daily ₹1000 tak kamana chahate hain to Paisa Kamane Wala App Download kare

Vijay Kumar said...

Womens ke lie Ghar Baithe Paise Kamane ke aasan tarike

shane watson said...

love it Alex art

Manish Kumar said...

aapko sayad pata nahi hoga ludo game khelkar paise kamaa skate hai isliye in Ludo Paise Kamane Wala Game download kare

Phaguni mandal said...

Aajkal paise kamane wala game Kai saare aa chuke hai aise me aa Game Khelo Paisa Jeeto Paytm Cash kamana chahte hai to abhi download kijiye

Manish Kumar said...

Agar aap real money game download karna chahta hai to in Paisa Kamane Wala App Download kare

Manish Kumar said...

paisa kamane ke liye kai saare games hai jise download karke acchi kmaai kar skate hai yaha par best paisa kamane wala games download ki jankari di hai jise donwload karke rojana kamaye ya aap chahe to Match Dekhne Wala Apps download karke bhi kamaa ksate hai

A.Rrajani said...

Nice Article, Thanks for sharing...Portfolio photographers in India

ireland assignment help said...

Want to pay for research paper writing? Our team of experienced writers is here to provide you with high-quality papers that meet your specific requirements. We understand the importance of academic success, which is why we offer reliable and affordable services that ensure you achieve your goals. Trust us to provide you with expert assistance that meets your unique needs

Anonymous said...

Interesting read! The use of iClickers and shellcode to exploit the CC1110 is concerning. It reminds me of how a bacterial infection can exploit vulnerabilities in the human body. It's crucial to prioritize security measures to prevent such exploits from happening.

Shubham singh patel said...

agar aapko onlirne paisa kamana hai, to aap paise kamane wala app download kar skte h.

Assignment Writing Service said...

We found your post really interesting. well done work.
We are on a mission to help students academically. As more students study marketing, getting a Marketing coursework help is essential for the, . Our experts indulge in extensive marketing research. We pledge to provide students,
Get 100% original work
24*7 assistance
plagiarism free work

Emma watson said...

The Goku Drip Black Puffer Jacket brags common sense with a touch of boldness. Its cozy hood with customizable drawstrings guarantees a customized fit, protecting you from lively breezes and adding a demeanor of secret to your presence. The jacket's overall style is enhanced by the front zipper closure, which is not only functional but also visually striking.

Admin said...

Mehandi Design Awesome Post Sir

Hazel D. Charest said...

Exploring the intricacies of Generic CC1110 Sniffing and Shellcode has been an eye-opening journey. The potential implications for security and privacy are profound, particularly in the context of technologies like iClickers. This intersection sheds light on the need for robust encryption protocols and heightened awareness of potential vulnerabilities. It's imperative that researchers and developers collaborate closely to fortify these systems against potential threats. Most students are drawn to these types of articles and information, but they are unable to prepare for their exams, If you have been struggling with your exams and want assistance, students can do my online exam for me - do my online exam and get higher grades on their examinations by providing them with the best available resources, including quality academic services.

Start My Online Class said...

Generic CC1110 Sniffing and Shellcode has been an eye-opening journey. The potential implications for security and privacy are profound. Most students are drawn to these types of articles and information, but they are unable to prepare for their exams, If you have been struggling with your exams and want assistance, students can do my class - help with my online class and get higher grades on their examinations by providing them with the best available resources, including quality academic services.

One Digital Stop said...

The potential implications for security and privacy are profound, particularly in the context of technologies like iClickers. This intersection sheds light on the need for robust encryption protocols and heightened awareness of potential vulnerabilities. Most students are drawn to these types of articles and information, but they are unable to prepare for their exams, If you have been struggling with your e-commerce project and want assistance, students can visit web design company - web design company near me and get the best performance on their website by providing them with the most excellent available resources, including quality web design services.

Jewel Galore said...

Elevate your fashion with the allure of Kundan set from Jewelgalore. Explore our diverse range of beautifully crafted pieces, each designed to make a statement and celebrate the cultural richness of Pakistan.


Uncover the academic treasures at osh state university, with a spotlight on the prestigious osuimf. As you traverse the campus, feel the pulse of intellectual energy emanating from Osh State University's diverse academic programs.

Shalamar Hospital said...

Shalamar Hospital, the premier the cancer hospital in Lahore , is dedicated to providing comprehensive oncology services, ensuring the well-being of our patients in their battle against cancer.

Apk Zone said...

Very amusing and informative posts. Lovely
Vidmate apk download it विडमेट ओरिजिनल

Robert Adler said...

Kudos to your blog for being a beacon of knowledge in the ever-evolving world of web and mobile app development! Your insights on top frameworks have proven invaluable for our team in San Diego , shaping our approach to crafting cutting-edge mobile applications. Your guidance has empowered us to explore new horizons about mobile app development orange county , delivering exceptional solutions to our clients. The wealth of information here is a game-changer, and we eagerly anticipate more pearls of wisdom in future posts. Cheers to elevating the standards of mobile app development!

samira said...

دانلود‌ آهنگ های جدید ایرانی شاد و ریمیکس آهنگ های ایران در موزیک ایرانی آهنگ جدید samira-212@

Jewel Galore said...

Jewelgalore presents an enchanting collection of necklace set . Explore our range of elegantly crafted pieces, each designed to add a touch of sophistication and charm to your style.

Paul said...

"Captivating read! The author skillfully weaves a tapestry of words that leaves me craving more insights on this fascinating 2D Animation Services

ema watson said...

Exploring topics like Generic CC1110 Sniffing, Shellcode, and iClickers requires a deep understanding of technical aspects. These subjects may involve intricate processes and potentially sensitive information. It's essential to approach such discussions responsibly and with ethical considerations. Meanwhile, maintaining personal health awareness is equally important. The "USA fentalert test pack wholesale and retail fulfillment service offers a convenient way to stay proactive about health while delving into technical domains. Balancing intellectual pursuits with health consciousness ensures a holistic and responsible approach to both knowledge acquisition and personal well-being.

Paul said...

Great Article i really like it keep sharing this with us Tote Cowhide Purse

Stella Paul said...

Delving into topics such as Generic CC1110 Sniffing, Shellcode, and iClickers necessitates a profound grasp of technical intricacies. These subjects often entail complex procedures and the handling of potentially sensitive data. Given the depth of knowledge required, individuals may benefit from consulting with a Professional Telehealth Company in USA to ensure they navigate these areas professionally and responsibly.

kevinlevin said...

Unleash your inner cowboy with John Dutton's quilted jacket. Crafted for adventure, designed for style. Yellowstone, here you come.
yellowstone quilted jacket

Modelsbank- said...


daya said...

nice article. agae aap ghar baithe game se paise kamane ki iccha rakhte hai to paisewalagames blogs par naye naye tarike dekhne ko mil jayenge.

Milano Group said...

The article on Generic CC1110 sniffing, shellcode, and iClickers dives into the world of hardware hacking and signal analysis, showcasing the technical intricacies of these systems. Just as customized hoodies can be tailored to fit individual preferences, this exploration highlights the customization and control hackers can achieve over embedded devices, opening new avenues for tech enthusiasts and professionals alike.