{"id":370,"date":"2017-03-18T14:06:07","date_gmt":"2017-03-18T14:06:07","guid":{"rendered":"http:\/\/www.inguardians.com\/?p=74"},"modified":"2018-11-30T21:08:44","modified_gmt":"2018-11-30T21:08:44","slug":"radio-communication-analysis-using-rfcat","status":"publish","type":"post","link":"https:\/\/zed.inguardians.com\/blog\/radio-communication-analysis-using-rfcat\/","title":{"rendered":"Radio Communication Analysis using RfCat"},"content":{"rendered":"

[et_pb_section transparent_background=”off” allow_player_pause=”off” inner_shadow=”off” parallax=”off” parallax_method=”on” padding_mobile=”off” make_fullwidth=”off” use_custom_width=”off” width_unit=”off” custom_width_px=”1080px” custom_width_percent=”80%” make_equal=”off” use_custom_gutter=”off” fullwidth=”off” specialty=”off” admin_label=”section” disabled=”off”][et_pb_row make_fullwidth=”off” use_custom_width=”off” width_unit=”off” custom_width_px=”1080px” custom_width_percent=”80%” use_custom_gutter=”off” gutter_width=”3″ padding_mobile=”off” allow_player_pause=”off” parallax=”off” parallax_method=”on” make_equal=”off” column_padding_mobile=”on” parallax_1=”off” parallax_method_1=”on” parallax_2=”off” parallax_method_2=”on” parallax_3=”off” parallax_method_3=”on” parallax_4=”off” parallax_method_4=”on” admin_label=”row” disabled=”off”][et_pb_column type=”4_4″ disabled=”off” parallax=”off” parallax_method=”on” column_padding_mobile=”on”][et_pb_text background_layout=”light” text_orientation=”left” admin_label=”Text” use_border_color=”off” border_style=”solid” disabled=”off”]<\/p>\n

\t\t\t\t\tOriginal Post Author: Don C. Weber [Twitter: @cutaway<\/a>]
\nOriginal Date Published: 15 Oct 2013<\/p>\n

Many people think RfCat<\/a> is a very cool concept. The thought of monitoring and interacting with sub-gigahertz radio is very sexy. Hell, it IS sexy. Then people get an IM-ME<\/a>, a CC1111EMK<\/a>, or a ToorCon 14 badge<\/a> and they start using it and quickly realize that RfCat is not for the faint of heart. It is complex, only moderately documented, and you still need to understand about radios to be able to use it. However, once you do begin to understand radio configuration and manipulation, the ease of use and extensibility of RfCat becomes very apparent.<\/p>\n

To help people who want to use RfCat, we decided to tell you how we have been using it lately. We will outline, as best we can, the steps we have taken to get RfCat to capture and attempt communications with an insulin pump and remote that we acquired. We will show you how we obtained our RfCat settings, how this lead to packet capture and analysis, how we leveraged the captured data to conduct replay attacks, and how we maintain our configuration settings for future analysis efforts.<\/p>\n

We will admit to you before we start that we haven’t successfully communicated with either of these devices. That is how hardware and radio research goes. You have a breakthrough and then you have periods of stagnation and trying things every which way until you have another breakthrough. We mention this because if you are using RfCat for radio analysis, prepare for both. Research is hard. RfCat makes it a little easier.<\/p>\n

When you start RfCat you are greeted by the following help message.<\/p>\n

cutaway> rfcat -r
\n‘RfCat, the greatest thing since Frequency Hopping!’<\/div>\n

Research Mode: enjoy the raw power of rflib<\/p>\n

currently your environment has an object called “d” for dongle. this is how
\nyou interact with the rfcat dongle:
\n>>> d.ping()
\n>>> d.setFreq(433000000)
\n>>> d.setMdmModulation(MOD_ASK_OOK)
\n>>> d.makePktFLEN(250)
\n>>> d.RFxmit(“HALLO”)
\n>>> d.RFrecv()
\n>>> print d.reprRadioConfig()<\/p>\n

In [1]:<\/p>\n

The commands provided here are helpful and usable, but only if you are running RfCat the first time. These commands do not get you working on assessing radio communications. For that you need to understand radio configurations and how to gather that information for a specific device. We don’t have time to explain radio configuration, for that you should consider taking a radio class from Mike Ossmann<\/a>.<\/p>\n

Just like any other radio device research, we located the identification numbers for the insulin pump and remote and obtained the Federal Communications Commission<\/a> (FCC) testing and user manual documentation for each device. From these documents we extracted the relevant data such as operation frequencies and modulation. In this instance we determined that the radio would operate on 903 MHz using Frequency Shift Modulation (FSK). To confirm this information we leveraged a HackRF<\/a> and the Gqrx Software-Defined Radio<\/a> (SDR) spectrum analyzer (although any RTL-SDR module and spectrum analyzer combination will work) to capture a transmission from the insulin pump’s remote (see Figure 0x0). The wave patterned that occurred at the moment we turned on the remote confirmed these configurations.<\/p>\n<\/p>\n

\"\"<\/center><\/p>\n
Figure 0x0: Insulin Remote Transmission Captured Using HackRF and Gqrx<\/div>\n

 <\/p>\n

Other relevant radio configuration information can be ascertained by analyzing the Inphase and Quadrature (I\/Q) data captured by HackRF. However, analysis this data can be a long, laborious, and difficult process and it will result in educated guesses rather than specific values. Fortunately, as atlas<\/a> and Don C. Weber<\/a> have explained before, there are other methods to obtain this specific information. The hardware configuration of the insulin pump remote allowed us to leverage these techniques.<\/p>\n

We then popped the insulin remote open and extracted the radio configuration by tapping the pins between the remote device’s microcontroller and the Chipcon CC1101<\/a> radio. Using a Saleae Logic Analyzer<\/a> we retrieved the radio configuration bytes that the microcontroller sent to the radio to initiate its operation. Leveraging Saleae’s built-in Serial Peripheral Interface Bus (SPI) analyzer, we exported this information to a Comma Separate Value (CSV) file for easy reference and use (see Figure 0x1).<\/p>\n

\"\"<\/p>\n

 <\/p>\n

Figure 0x1: CC1101 Registers Captured Using Saleae Logic Analyser<\/div>\n

 <\/p>\n

Now, we could use these values to configure RfCat if we wanted to do so.<\/p>\n

In [1]: help(d.setRFRegister)<\/div>\n

Help on method setRFRegister in module rflib.cc1111client:<\/p>\n

setRFRegister(self, regaddr, value, suppress=False) method of rflib.RfCat instance
\nset the radio register ‘regaddr’ to ‘value’ (first setting RF state to IDLE, then returning to RX\/TX)
\nvalue is always considered a 1-byte value
\nif ‘suppress’ the radio state (RX\/TX\/IDLE) is not modified<\/p>\n

The problem is that these values are specific to the CC1101 Radio. If you used these values to set the CC1111EMK, you would get slightly, and perhaps drastically, different results. The primary issue is that the CC1101 operates with a 26 MHz clock while the CC1111EMK is configured with a 24 MHz clock. When the radio takes these values and computes the radio settings they will be different enough that the radios will not communicate.<\/p>\n

We could do a bunch of math to determine these values ourselves (and there is probably a way to use RfCat to do so), or we can do what developers do and plug these values into Texas Instruments’ (TI) SmartRF Studio<\/a>. SmartRF Studio has a “Register View” for each of the Chipcon radios it supports. With a little deductive reasoning we can determine which values belong to which registers (as labeled in Figure 0x2). We plug these values into the “Register View” (skipping the 0x00 values in this instance) (see Figure 0x2) and the values in the “RF Parameter” window (see Figure 0x3) are changed to the radio’s configuration. These are the values that we are going to use to configure RfCat.<\/p>\n<\/p>\n

\"\"<\/center><\/p>\n

Figure 0x2: SmartRF Studio CC1101 Register View<\/p>\n

 <\/p>\n<\/p>\n

\"\"<\/center><\/p>\n

Figure 0x3: SmartRF Studio CC1101 RF Parameters<\/p>\n

 <\/p>\n

We made the following configuration changes to RfCat using these SmartRF Studio outputs:<\/p>\n