AdamLaurie/ChronIC AdamLaurie/ChronIC

  • Stars
    star
    119
  • Rank 297,930 (Top 6 %)
  • Language
    C
  • Created over 11 years ago
  • Updated over 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
AdamLaurie/ChronIC
github

AdamLaurie

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A wearable Sub-GHz RF hacking tool

ChronIC - Chronos Integrated Commander

A wearable Sub-GHz RF hacking tool.

Latest version:

https://github.com/AdamLaurie/ChronIC

Based on the EZ430 Chronos project from Texas Instruments:

http://processors.wiki.ti.com/index.php/EZ430-Chronos

This tool allows transmission of arbitrary RF data from the wristwatch component of the Chronos dev kit:

http://www.ti.com/tool/ez430-chronos&DCMP=Chronos&HQS=Other+OT+chronos

A worked example of hacking my doorbell can be found here:

http://adamsblog.rfidiot.org/2013/03/you-can-ring-my-bell-adventures-in-sub.html

INSTALLATION

Firmware

The code is designed to compile with the free size-restricted version of CCStudio from TI:

http://www.ti.com/tool/ccstudio

To achieve this, much of the original functionality is commented out, but if you have access to the unrestricted compiler it should be easy enough to re-enable.

It's also possible to bypass this restriction altogether, as it's enforced by the IDE not the compiler/linker, so when the size limit is reached all you need to do is drop to a shell and run make manually, e.g.

'cd CCS/868MHz\ -\ Unrestricted\ CCS\ Platinum && make clean ChronIC_868MHz.out'

I do my main development under Linux but it's also tested and working under Windows.

Checkout latest code from github:

git clone git://github.com/AdamLaurie/ChronIC.git

Start CCStudio and import the project from the CCS sub-folder of the repo:

File/Import.../Existing CCS Eclipse Projects

Build:

Project/Build Project

Note that if you don't want to go to the trouble of building from source, I've included the current 433 and 868 compiled versions in the '433MHz - Unrestricted CCS Platinum' and '868MHz - Unrestricted CCS Platinum' directories.

Install via RF Bootloader with Chronos Control Center:

Windows: http://www.ti.com/lit/zip/slac341

Linux: http://www.ti.com/lit/zip/slac388

Python CLI

Change directory to the 'python' folder in the git repo.

sudo python ./setup.py install

Create a file in /etc/udev/rules.d called 20-chronos.rules with the following line in it:

SUBSYSTEMS=="usb" ATTRS{idVendor}=="0451" ATTRS{idProduct}=="16a6" MODE:="0666" SYMLINK+="CHRONOS"

NOTE: The idVendor & idProduct will need to be replaced by your own device's IDs... can be found by ... typing "lsusb" into a terminal after inserting your usb access point - the two are seperated by a colon.

Reload the udev rules:

sudo udevadm control --reload-rules

This will automatically create the device /dev/CHRONOS when you plug in the Chronos USB dongle, and make it non-root accessible. This is the default device chronic-cli.py will try to open, but something else can be specified on the command line if you prefer not to play with udev.

USE

In normal use the watch has two main 'menus': one for the top row, and one for the bottom. Pressing the * button cycles through the top row menus and pressing # cycles the bottom row. When a particular menu item is shown, pressing the UP or DOWN buttons activates its function. In ChronIC, this is normally 'selecting' that menu item, but when the normal 'time/date' items are shown, pressing UP or DOWN will always transmit the data associated with each button. Selecting a menu item will display an 'R' symbol against that item when cycling through, showing that it is currently active.

To associate specific data with a button, you can either transmit the data to the watch using SYNC mode (selected on the lower menu) and the python helper app 'chronic-cli.py', or you can choose a pre-programmed data set which includes correct timing, frequency, modulation etc. from the upper menu. An example called 'BELL' will select the appropriate data and transmission settings to ring my doorbell, should you happen to be in my neighbourhood. :)

SETTINGS

The following parameters can be set with the python cli:

BAUD RF Modem baudrate in Hz.

BYRON Configure for Byron doorbell emulation (433).

DELAY <1-255> Milliseconds delay between each REPEAT.

DOWN DATA to be sent by DOWN button. Three sequences of up to 63 bytes each.

FREQ Frequency e.g. 433920000.

FRIEDLAND Configure for Friedland doorbell emulation (868).

MAN <ON|OFF> Manchester Encoding ON or OFF.

MOD <FSK|GFSK|OOK|MSK> Modulation:

                            FSK -  Frequency Shift Keying
                            GFSK - Gaussian Frequency Shift Keying
                            OOK -  On-Off Keying (in Amplitude Shift Keying mode)
                            MSK - Multiple Frequency Shift Keying

PORT The serial port your Chronos USB dongle lives on (default /dev/CHRONOS). This should be set as the first command if the default does not exist.

PULSE RF Modem baudrate expressed as pulsewidth (e.g. a pulsewidth of 0.000320 seconds is 3124.23 Hz). In ASK/OOK mode, the baudrate is generally the pulsewidth of the shortest pulse found in the original signal.

REPEAT <1-255> Number of times to send DATA SEQUENCES when button pressed.

RUKU Configure for Ruku garage door opener emulation (433).

SERIAL USB dongle comms baudrate (default 115200).

TIME Set TIME/DATE to match PC.

UP DATA to be sent by UP button. Three sequences of up to 63 bytes each.

EXIT Exit SYNC mode on watch.

Examples:

Send a fairly well known signal:

chronic-cli.py FREQ 433920000 MAN OFF MOD OOK PULSE .008 DELAY 255 REPEAT 5 UP aaaa0000aaaa0000aaaa0000aaaaaaaaaaaa0000aaaaaaaaaaaa0000aaaaaaaaaaaa0000aaaa0000aaaa0000aaaa0000 '' ''  EXIT

Manually configure to ring my doorbell:

chronic-cli.py FREQ 433920000 MAN OFF MOD OOK PULSE .000320 DELAY 0 REPEAT 60 UP 2C92496DB2000000 '' '' DOWN 2C92496DB2000000 '' '' EXIT

The helper app also includes a couple of examples showing how easy it is to hardwire specific configurations. These are 'BYRON' and 'RUKU', which are my doorbell and a simple garage door opener respectively.

Enjoy! Adam

More Repositories

1

RFIDIOt

python RFID / NFC library & tools
Python
1,040
star
2

RFIDler

RFIDler - Software defined RFID (LF) Reader/Writer/Emulator
C
450
star
3

rompar

Semi-automatic extraction of data from microscopic images of Masked ROM.
Python
164
star
4

hdmi-sniff

sniff HDMI DDC (I2C) traffic
Python
88
star
5

sjcam

A python CLI tool for controlling SJCAM WiFi Sports Cameras
Python
80
star
6

hdmi-rip

Python
36
star
7

mphidflash

Automatically exported from code.google.com/p/mphidflash
C
31
star
8

cribtastic

A cryptographic crib maniplation tool
Python
20
star
9

marc4dasm

Atmel MARC4 disassembler
Python
16
star
10

satmap

A feedhunter's visualisation tool.
Python
16
star
11

hdmi-mjpeg

Video/Audio extractor for HDMI network extender.
10
star
12

i2c-dump

dump i2c eeprom with bus pirate
Python
4
star
13

esp32_flash_extract

Extract code and data regions from ESP32 (ESP8266) binary image created by esptool read_flash command (from block 0).
Python
4
star
14

csb-2mr8xh

HTML
1
star