virtualabs / cc2531-killerbee-fw


Killerbee compatible ZigBee sniffer/injector firmware for TI CC2531 USB dongles

License: MIT License

Makefile 1.48% C 98.52%

cc2531-killerbee-fw's People

Contributors

virtualabs


cc2531-killerbee-fw's Issues

0 packet captured

Thanks for this project!
I use a TI CC2531 to listen to and decipher frames in ZigBee Pro and Green Power. However, since the last few weeks my dongle does not "hear" those frames and when I launch zbdump 0 packets are captured. I checked with another dongle and Wireshark and I am sure there are some frames coming.
No error is raised by killerbee, so I think it comes from BumbleBee and its implementation inside KillerBee. After seeing your answer to my comment on your website I am waiting for the new version !

Thanks again for your work!

kbutils.py has no function bytearray_to_bytes

Firstly, thank you very much for this project. I have used the Atmel RAVEN USBSTICK in the past, but that is no longer available and my students have 'borrowed' all but one of my remaining devices. If I can get this working, it will be a God send.
I have managed to flash a CC2531 (via a Pi) and have made all the edits to Killerbee python scripts in your pull request so that the device is now picked up by zbid. However, when I try to run zbstumbler or zbwireshark, I get the error (originating from dev_bumblebee.py):

ImportError: cannot import name bytearray_to_bytes

and sure enough, looking through kbutils.py, I cannot see a definition for that function.

Bad FCS

I am aware that the firmware excludes Bad FCS packets and I don't know if this will help the project.

When I have the original TI firmware on my CC2531 dongle and read packets into Wireshark, it requires me to set a different FCS format otherwise all the packets come out as Bad FCS.

Once I set it, all of those Bad FCS errors go away.

The setting is "FCS Format" under Protocols->IEEE 802.15.4 and the option that works is "Ti CC24xx metadata"

TI FCS format

As I said in #5 I am not receiving any packets from killerbee zbdump with the Bumblebee v2.1 firmware.
I think they may all be Bad FCS? I don't know if the above issue is an issue or not.

I hope this helps in some way. Let me know if you want me to test anything or help in any way.
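As an added illustration of the FCS-format point raised in this issue (example code written for this page, not code from cc2531-killerbee-fw, KillerBee or Wireshark): the same trailing two bytes of an IEEE 802.15.4 frame are checked once as the standard FCS (a CRC-16 over the PSDU) and once as the "TI CC24xx metadata" trailer, in which TI sniffer firmware overwrites the FCS with an RSSI byte and a status byte whose bit 7 is the "CRC OK" flag and whose low seven bits are the correlation value. The ACK frame, RSSI and correlation values below are constructed sample data.

```python
# Added example, not code from cc2531-killerbee-fw or KillerBee.
# Interprets the last two bytes of an 802.15.4 frame two ways:
#  (1) standard FCS: CRC-16 over the PSDU, polynomial x^16+x^12+x^5+1,
#      initial value 0, bit-reflected, no final XOR, sent LSB first
#      (the same parameters as CRC-16/KERMIT);
#  (2) TI CC24xx metadata: byte 0 = RSSI as a signed byte, byte 1 =
#      bit 7 "CRC OK", bits 0..6 = correlation value.
# All frame bytes below are constructed for illustration.
from typing import Dict, Optional


def crc16_802154(data: bytes) -> int:
    """IEEE 802.15.4 FCS over `data` (reflected polynomial 0x8408, init 0)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc & 0xFFFF


def append_standard_fcs(psdu: bytes) -> bytes:
    """PSDU followed by its FCS, little-endian as it goes on the air."""
    return psdu + crc16_802154(psdu).to_bytes(2, "little")


def check_standard_fcs(frame: bytes) -> bool:
    """True if the last two bytes are a valid CRC over the preceding bytes."""
    if len(frame) < 3:
        return False
    return crc16_802154(frame[:-2]) == int.from_bytes(frame[-2:], "little")


def make_ti_frame(psdu: bytes, rssi: int, crc_ok: bool, correlation: int) -> bytes:
    """PSDU followed by a TI CC24xx metadata trailer written over the FCS."""
    if not -128 <= rssi <= 127 or not 0 <= correlation <= 0x7F:
        raise ValueError("rssi must fit int8, correlation must fit 7 bits")
    status = (0x80 if crc_ok else 0x00) | correlation
    return psdu + bytes([rssi & 0xFF, status])


def parse_ti_cc24xx_trailer(frame: bytes) -> Optional[Dict[str, object]]:
    """Split a frame into its PSDU and the decoded TI CC24xx trailer fields."""
    if len(frame) < 3:
        return None
    rssi_raw, status = frame[-2], frame[-1]
    return {
        "psdu": frame[:-2],
        "rssi": rssi_raw - 256 if rssi_raw > 127 else rssi_raw,  # int8
        "crc_ok": bool(status & 0x80),
        "correlation": status & 0x7F,
    }


def classify(frame: bytes) -> Dict[str, bool]:
    """What each Wireshark 'FCS Format' setting would conclude about the frame."""
    ti = parse_ti_cc24xx_trailer(frame)
    return {
        "standard_fcs_ok": check_standard_fcs(frame),
        "ti_cc24xx_ok": bool(ti and ti["crc_ok"]),
    }


# Constructed sample: a bare 802.15.4 ACK (frame control 0x0002, sequence 0x2A).
ACK_PSDU = bytes([0x02, 0x00, 0x2A])
# The same ACK as a standard-FCS capture and as a TI-firmware capture
# (RSSI -60 as a raw signed byte, CRC OK set, correlation 0x6B: constructed).
STD_FRAME = append_standard_fcs(ACK_PSDU)
TI_FRAME = make_ti_frame(ACK_PSDU, rssi=-60, crc_ok=True, correlation=0x6B)

if __name__ == "__main__":
    for name, frame in (("standard", STD_FRAME), ("ti_cc24xx", TI_FRAME)):
        print(f"{name:10s} {frame.hex()}  {classify(frame)}")
```

Running it shows the mismatch the post describes from both sides: the standard-FCS frame passes only the standard check, and the TI frame passes only the CC24xx check, so a dissector set to the other format flags every good frame as Bad FCS. The same logic is the check to run on a capture file before concluding that a sniffer is broken: if every frame fails the standard CRC but the CC24xx "CRC OK" bit is set throughout, the trailer format, not the radio, is the problem.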

Packet Injection Tools Not Working

I have been trying to use your FW image, with your branch of Killerbee, but have been running into some issues while trying to run the active tests.

ZBReplay and ZBStumbler work as intended and I am able to retransmit packets that have already been captured. However, when I try to run ZBAssocflood I am met with this error:
[Screenshot from 2021-12-07 16-47-48]

ZBPANIDConflict continuously gives me the error that the resource is busy, but the dongle can handle running zbid, zbwireshark, and zbstumbler.

Aside from that, the passive tools all seem to be working correctly aside from zbdump. I can run zbdump but none of the packets are collected in the .pcap file.

I would really appreciate any help I could get!

I am running:

Ubuntu 20.04
Python 3.8.10
PyUSB 1.0.2-1build1
Installed Killerbee from your branch github

Missing repository STclab

Running the first command as per the instructions gives an error about repositories not being found; specifically, the error message indicates that the submodule at path 'contiki/platform/stm32nucleo-spirit1/stm32cube-lib' could not be cloned because the corresponding repository at 'https://github.com/STclab/stm32nucleo-spirit1-lib/' was not found.

Cloning into 'cc2531-killerbee-fw'...
remote: Enumerating objects: 119, done.
remote: Counting objects: 100% (119/119), done.
remote: Compressing objects: 100% (69/69), done.
remote: Total 119 (delta 65), reused 96 (delta 45), pack-reused 0
Receiving objects: 100% (119/119), 175.94 KiB | 3.45 MiB/s, done.
Resolving deltas: 100% (65/65), done.
Submodule 'contiki' (https://github.com/contiki-os/contiki.git) registered for path 'contiki'
Cloning into '/home/kali/Documents/zigbee/cc2531-killerbee-fw/contiki'...
remote: Enumerating objects: 100481, done.
remote: Total 100481 (delta 0), reused 0 (delta 0), pack-reused 100481
Receiving objects: 100% (100481/100481), 71.63 MiB | 8.27 MiB/s, done.
Resolving deltas: 100% (72483/72483), done.
Submodule path 'contiki': checked out 'eabb1ce3da23c1629efa83e58d26436378042aaa'
Submodule 'cpu/cc26xx-cc13xx/lib/cc13xxware' (https://github.com/contiki-os/cc13xxware.git) registered for path 'contiki/cpu/cc26xx-cc13xx/lib/cc13xxware'
Submodule 'cpu/cc26xx-cc13xx/lib/cc26xxware' (https://github.com/contiki-os/cc26xxware.git) registered for path 'contiki/cpu/cc26xx-cc13xx/lib/cc26xxware'
Submodule 'platform/stm32nucleo-spirit1/stm32cube-lib' (https://github.com/STclab/stm32nucleo-spirit1-lib) registered for path 'contiki/platform/stm32nucleo-spirit1/stm32cube-lib'
Submodule 'tools/cc2538-bsl' (https://github.com/JelmerT/cc2538-bsl.git) registered for path 'contiki/tools/cc2538-bsl'
Submodule 'tools/mspsim' (https://github.com/contiki-os/mspsim.git) registered for path 'contiki/tools/mspsim'
Submodule 'tools/sensniff' (https://github.com/g-oikonomou/sensniff.git) registered for path 'contiki/tools/sensniff'
Cloning into '/home/kali/Documents/zigbee/cc2531-killerbee-fw/contiki/cpu/cc26xx-cc13xx/lib/cc13xxware'...
remote: Enumerating objects: 592, done.
remote: Total 592 (delta 0), reused 0 (delta 0), pack-reused 592
Receiving objects: 100% (592/592), 952.44 KiB | 6.27 MiB/s, done.
Resolving deltas: 100% (421/421), done.
Cloning into '/home/kali/Documents/zigbee/cc2531-killerbee-fw/contiki/cpu/cc26xx-cc13xx/lib/cc26xxware'...
remote: Enumerating objects: 835, done.
remote: Total 835 (delta 0), reused 0 (delta 0), pack-reused 835
Receiving objects: 100% (835/835), 1.46 MiB | 7.81 MiB/s, done.
Resolving deltas: 100% (618/618), done.
Cloning into '/home/kali/Documents/zigbee/cc2531-killerbee-fw/contiki/platform/stm32nucleo-spirit1/stm32cube-lib'...
remote: Repository not found.
fatal: repository 'https://github.com/STclab/stm32nucleo-spirit1-lib/' not found
fatal: clone of 'https://github.com/STclab/stm32nucleo-spirit1-lib' into submodule path '/home/kali/Documents/zigbee/cc2531-killerbee-fw/contiki/platform/stm32nucleo-spirit1/stm32cube-lib' failed
Failed to clone 'platform/stm32nucleo-spirit1/stm32cube-lib'. Retry scheduled
Cloning into '/home/kali/Documents/zigbee/cc2531-killerbee-fw/contiki/tools/cc2538-bsl'...
remote: Enumerating objects: 453, done.
remote: Counting objects: 100% (41/41), done.
remote: Compressing objects: 100% (28/28), done.
remote: Total 453 (delta 19), reused 30 (delta 13), pack-reused 412
Receiving objects: 100% (453/453), 164.78 KiB | 3.29 MiB/s, done.
Resolving deltas: 100% (201/201), done.
Cloning into '/home/kali/Documents/zigbee/cc2531-killerbee-fw/contiki/tools/mspsim'...
remote: Enumerating objects: 9460, done.
remote: Total 9460 (delta 0), reused 0 (delta 0), pack-reused 9460
Receiving objects: 100% (9460/9460), 7.10 MiB | 3.01 MiB/s, done.
Resolving deltas: 100% (4449/4449), done.
Cloning into '/home/kali/Documents/zigbee/cc2531-killerbee-fw/contiki/tools/sensniff'...
remote: Enumerating objects: 216, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 216 (delta 7), reused 18 (delta 7), pack-reused 198
Receiving objects: 100% (216/216), 50.43 KiB | 1.05 MiB/s, done.
Resolving deltas: 100% (110/110), done.
Cloning into '/home/kali/Documents/zigbee/cc2531-killerbee-fw/contiki/platform/stm32nucleo-spirit1/stm32cube-lib'...
remote: Repository not found.
fatal: repository 'https://github.com/STclab/stm32nucleo-spirit1-lib/' not found
fatal: clone of 'https://github.com/STclab/stm32nucleo-spirit1-lib' into submodule path '/home/kali/Documents/zigbee/cc2531-killerbee-fw/contiki/platform/stm32nucleo-spirit1/stm32cube-lib' failed
Failed to clone 'platform/stm32nucleo-spirit1/stm32cube-lib' a second time, aborting
fatal: Failed to recurse into submodule path 'contiki'

I tried flashing the dongle with a hex file from the release URL (using cc-tool), but the USB device can't be attached and is no longer recognized on my Linux machine.

Does anyone have a solution?

usb.core.USBError Errno 75 Overflow

Occurred when using zbwireshark to capture the ZigBee unlock door packet command, as shown below.
pyusb version 1.0.1
cc2531 firmware 2.1r1
Any help or suggestions?

Thank you.

└─$ sudo zbwireshark -c 25
Auto-detection is being deprecated - Please specify hardware
Warning: You are using pyUSB 1.x, support is in beta.
zbwireshark: listening on 'CC2531 USB Dongle', channel 25, page 0 (2475.0 MHz), link-type DLT_IEEE802_15_4, capture size 127 bytes
Error args: (75, 'Overflow')
Traceback (most recent call last):
  File "/usr/local/bin/zbwireshark", line 4, in <module>
    __import__('pkg_resources').run_script('killerbee==3.0.0b2', 'zbwireshark')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 656, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1453, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python3.10/dist-packages/killerbee-3.0.0b2-py3.10-linux-x86_64.egg/EGG-INFO/scripts/zbwireshark", line 108, in <module>
    main()
  File "/usr/local/lib/python3.10/dist-packages/killerbee-3.0.0b2-py3.10-linux-x86_64.egg/EGG-INFO/scripts/zbwireshark", line 84, in main
    packet = kb.pnext()
  File "/usr/local/lib/python3.10/dist-packages/killerbee-3.0.0b2-py3.10-linux-x86_64.egg/killerbee/__init__.py", line 442, in pnext
    return self.driver.pnext(timeout)
  File "/usr/local/lib/python3.10/dist-packages/killerbee-3.0.0b2-py3.10-linux-x86_64.egg/killerbee/dev_bumblebee.py", line 400, in pnext
    self.process_rx()
  File "/usr/local/lib/python3.10/dist-packages/killerbee-3.0.0b2-py3.10-linux-x86_64.egg/killerbee/dev_bumblebee.py", line 156, in process_rx
    raise e
  File "/usr/local/lib/python3.10/dist-packages/killerbee-3.0.0b2-py3.10-linux-x86_64.egg/killerbee/dev_bumblebee.py", line 149, in process_rx
    nbytes = self.dev.read(Bumblebee.EP_IN, self.usb_rx_buffer, 10)
  File "/usr/local/lib/python3.10/dist-packages/usb/core.py", line 983, in read
    ret = fn(
  File "/usr/local/lib/python3.10/dist-packages/usb/backend/libusb1.py", line 828, in bulk_read
    return self.__read(self.lib.libusb_bulk_transfer,
  File "/usr/local/lib/python3.10/dist-packages/usb/backend/libusb1.py", line 936, in __read
    _check(retval)
  File "/usr/local/lib/python3.10/dist-packages/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 75] Overflow

Flashing

Tried flashing with hex files v2.1,rev1, v2.1 and v2.0 to my cc2531 using cc debugger.

After the debugger notifies us that everything went OK, the device doesn't show up in Device Manager and seems to be missing. Installing the default cc2531 firmware back works without trouble.

Anyone got a solution to that as to what might be wrong?

SDCC build fails

Hello,
I get the following errors in the sdcc build:

./contiki/cpu/cc253x/dev/clock.c:64: error 98: conflict with previous declaration of 'clock_delay_usec' for attribute 'type' at ./contiki/core/./sys/clock.h:141
from type 'void function ( unsigned-int fixed) __reentrant fixed'
  to type 'void function ( unsigned-int fixed) __reentrant fixed'

Can you please provide the sdcc version you used, so that I am able to generate the hex file?

Thanks,
Thomas

Miss rate when sending ZigBee packet

Hi, I have recently been using your firmware, especially the CMD_SEND_PKT part. I use KillerBee.inject to test it. From KillerBee's output, everything seems normal. But when I use Wireshark to sniff the spoofed packet, I find nothing.

So I am curious how you test your SEND_PKT functionality. Do you also use Wireshark to sniff the packets? Since I cannot sniff any packet, do you have any idea how I could debug it?

Failed RX-TX transmission using Bumblebee with Killerbee

Problem Description

When using KillerBee to make state transitions from sniffer mode to transmission mode, the Bumblebee will crash and disconnect from KillerBee. A small piece of test code is given below.

from killerbee import KillerBee

kb = KillerBee()
kb.set_channel(25)
kb.sniffer_on()
kb.sniffer_off()
while True:
    pkt = create_packet()  # Any packet you want. One can also use create_beacon() in zbfakebeacon to create beacon packets to test
    kb.inject(pkt)

Running the above test code, Bumblebee can send packets the first time. However, the second time, exceptions are triggered.

  File "/usr/local/lib/python3.8/dist-packages/killerbee-3.0.0b0-py3.8-linux-aarch64.egg/EGG-INFO/scripts/zbfakebeacon", line 94, in <module>
    kb.inject(pkt)
  File "/usr/local/lib/python3.8/dist-packages/killerbee-3.0.0b0-py3.8-linux-aarch64.egg/killerbee/__init__.py", line 358, in inject
    return self.driver.inject(packet, channel, count, delay, page)
  File "/usr/local/lib/python3.8/dist-packages/killerbee-3.0.0b0-py3.8-linux-aarch64.egg/killerbee/dev_bumblebee.py", line 389, in inject
    self.send_packet(packet)
  File "/usr/local/lib/python3.8/dist-packages/killerbee-3.0.0b0-py3.8-linux-aarch64.egg/killerbee/dev_bumblebee.py", line 180, in send_packet
    self.send_message(
  File "/usr/local/lib/python3.8/dist-packages/killerbee-3.0.0b0-py3.8-linux-aarch64.egg/killerbee/dev_bumblebee.py", line 169, in send_message
    sent += self.dev.write(Bumblebee.EP_OUT, buf[i*64:(i+1)*64])
  File "/usr/lib/python3/dist-packages/usb/core.py", line 943, in write
    return fn(
  File "/usr/lib/python3/dist-packages/usb/backend/libusb1.py", line 819, in bulk_write
    return self.__write(self.lib.libusb_bulk_transfer,
  File "/usr/lib/python3/dist-packages/usb/backend/libusb1.py", line 920, in __write
    _check(retval)
  File "/usr/lib/python3/dist-packages/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 19] No such device (it may have been disconnected)

Solution

In PROCESS cc2531_rf_sniffer, before calling radio_got_packet(), first check the sniffer state of the radio, i.e., g_radio_state in radio.c. radio_got_packet() is called only if
g_radio_state.sniffer_enabled == SNIFFER ON

A fixed version is implemented in the latest commit of my repo. Please have a look first.

USB Overflow in fw2.1r1

I am in a Zigbee dense area (~180 devices). I am getting USB overflows when bursts of packets come in.

Ubuntu 20.04
Python 3.8.10
Acxico USB CC2531 Sniffer Board with fw 2.1r1
KillerBee develop branch (4a8348c0f9d54f66ac748525eea763962e48a2e4)
AMD FX(tm)-8350 Eight-Core Processor

Zbjammer on cc2531

Hello,

I'm trying to use the zbjammer with the cc2531. I've flashed the cc2531 with the Bumblebee version 2.1 revision 1 and am using the develop branch of killerbee.

When I'm executing zbjammer I get the following error message:

❯ zbjammer -c 15
zbjammer: jamming channel 15
*** WARNING: this may not actually work on your hardware! Check with spectrum analyser!
*** NOTICE: it is your responsibility to comply with local law. Please check radio spectrum laws in your area before
    proceeding. Hit <ENTER> to continue or CTL-C to abort.
Traceback (most recent call last):
  File "/Users/emily/.pyenv/versions/3.10.4/bin/zbjammer", line 4, in <module>
    __import__('pkg_resources').run_script('killerbee==3.0.0b2', 'zbjammer')
  File "/Users/emily/.pyenv/versions/3.10.4/lib/python3.10/site-packages/pkg_resources/__init__.py", line 651, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/Users/emily/.pyenv/versions/3.10.4/lib/python3.10/site-packages/pkg_resources/__init__.py", line 1448, in run_script
    exec(code, namespace, namespace)
  File "/Users/emily/.pyenv/versions/3.10.4/lib/python3.10/site-packages/killerbee-3.0.0b2-py3.10-macosx-12.2-x86_64.egg/EGG-INFO/scripts/zbjammer", line 51, in <module>
    if not kb.jammer_on():
  File "/Users/emily/.pyenv/versions/3.10.4/lib/python3.10/site-packages/killerbee-3.0.0b2-py3.10-macosx-12.2-x86_64.egg/killerbee/__init__.py", line 459, in jammer_on
    return self.driver.jammer_on(channel=channel, method=method)
TypeError: Bumblebee.jammer_on() got an unexpected keyword argument 'method'

Does anybody know what I can do to resolve this issue?

Thanks,
Emily
