2.4GHz Radio Sniffer

BaldwinK

New Member
Constructed as a diagnostic for the radio tram project, this self-contained unit borrows ideas from the hacking community.

NRF24L01 radio modules allow for automatic message checking and retransmission for up to six devices. The frequency hopping ISM spectrum splits out radio channels and you do need to be set to the same RF channel to listen in. However the sniffer must not take an active part - only listen - yet it would be a seventh device so how is it done?

The tram radio network uses the default setting of five byte addresses with the default values for the higher order bytes. Only the LSB is loaded to the chip. So if the sniffer is set to a four byte address using the (same) default higher order bytes then it can receive a message.

First we need to turn off shockburst so there will be no acknowledgements. It proved necessary to issue this instruction twice as it is often ignored and the chip tries to join in.

The fifth address byte will now be in the data field and we can match this to a tram or turnout sending or receiving. However, because we are cheating the system the actual payload data will be shifted by one bit. This is easy enough to restore so that the commands and replies can be determined.

The sniffer uses the LCM1602 two line display with nibbles strobed in via an I2C bus. Bit banging proved too slow because the display could not be ready for the next decode so hi2c instructions were used. In turn this meant that the SPI instructions to the radio module had to be done the hard way.

Most of the rest of the code involves setting up special characters to give a mimic diagram of the track turnouts and showing the position and status of each tram. The blinking cursor is used if a command is waiting a reply.

It would appear that some wireless keyboards use this chip and the key strokes can be hacked using this method.
 

Attachments

Top