So, where were we? We’ve worked out how several components of the alarm use the CC1150 to send out signals, and now I want to emulate the signal and then play with it.
By far the easiest way to do this is to use the same CC1150 chip as in the authentic transmitters. I can be absolutely sure the 2-FSK modulation with ~50kHz deviation will be reproduced exactly. There are many other RF transmitter chips out there that can do this, but we know that these work and we already have the correct settings.
So, the first challenge is – where do I get a board with a CC1150 on it? Well, we have plenty of alarm sensors with neat little CC1150 daughterboards on them!
I chose a door contact as my victim – they are the cheapest and simplest sensors.
The daughterboard has an 8-pin interface, with a 0.1″ pitch pin header connecting the two. I need to desolder the board to use it. Desoldering pin headers is always a pain – you can’t desolder all 8 pins at a time. My technique now is:
- Chop the pin header along it’s length, separating the two boards. I have a nice pair of snips for this, but a Dremel with cut-off wheel can do it if they don’t fit.
- Chop the plastic spacer away from the pins, leaving you with just half the pins stuck in the board.
- Desolder the pins one at a time.
Now I have a small CC1150 board. I soldered a new pin header onto it, and a pin socket onto the rest of the door contact. This allows me to easily reconnect it to the door contact if I need to.
You’ll notice in the picture above that there is a small bridge wire. I desoldered and resoldered the CC1150 QLP package (just to see if I could) and burned a track in the process.
Now we need to drive this board using something. There are a plethora of options available to me:
- An Arduino board
- A mbed board
- A Bus Pirate
- A GoodFET
- A CC1110 development board (this would skip using the CC1150 board, as it has a built-in transceiver)
- One of the Ciseco CC11xx boards (again, this would skip the CC1150 board)
- Any of the other development boards I have lying around…
I decided I would use an Arduino board – specifically the Seeeduino Mega.
Why the Arduino? In reality, I’ve stopped using the Arduino environment and now use AVRGCC, so this is really just a nice little AVR development platform.
It won out over the mbed as I have had SPI issues with the mbed before.
The Bus Pirate and GoodFET are very similar, but require a host PC. I would like this standalone.
It seemed silly to implement this on a CC1110 chip, and I have had problems in implementing proprietary encoding schemes on it before.
Why the Mega? I find myself often using the extra pins and RAM as compared to the ATmega328p used in the Uno
So, now I have a RF board and something to control it. Next, I need to connect the two and write some code!
Ingeniería inversa un protocolo inalámbrico - | Indagadores |Seguridad informatica |Seguridad en internetJuly 1, 2013 at 11:38am
[…] y ver los datos que se transmiten . Con una buena dosis de razonamiento, [Andrew] descubierto cómo el código del sistema de alarma trabajó . Esta teoría fue probada mediante la conexión de uno de los radios hasta un Arduino y que han […]