GNU Radio module and Wireshark dissector for the Nordic Semiconductor nRF24L Enhanced Shockburst protocol.
Latest commit 5c46860 Sep 27, 2016

gr-nordic

external c++ classes

nordic_rx

Receiver class which consumes a GFSK demodulated bitstream and reconstructs Enhanced Shockburst packets. PDUs are printed to standard out and sent to Wireshark.
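
The reconstruction step described above, as an added Python example (not gr-nordic's own code). It assumes the Enhanced Shockburst frame layout from Nordic's nRF24L01+ product specification with a 2-byte CRC; the function names and the sample address and payload are constructed for illustration.

```python
# Added example, not gr-nordic code. Assumed frame layout (nRF24L01+ spec):
# preamble(8) | address(3-5 bytes) | length(6) pid(2) no_ack(1) | payload | CRC16
def crc16(bits):
    """Bit-serial CRC-16 (poly 0x1021, init 0xFFFF); the CRC input is not byte aligned."""
    crc = 0xFFFF
    for bit in bits:
        feedback = (crc >> 15) ^ bit
        crc = (crc << 1) & 0xFFFF
        if feedback:
            crc ^= 0x1021
    return crc

def to_bits(value, width=8):
    return [(value >> i) & 1 for i in reversed(range(width))]

def to_int(bits):
    return int("".join(map(str, bits)) or "0", 2)

def to_bytes(bits):
    return bytes(to_int(bits[i:i + 8]) for i in range(0, len(bits), 8))

def build_frame(address, payload, pid=0, no_ack=0):
    """Build a constructed sample frame as a list of bits (test input only)."""
    body = [b for octet in address for b in to_bits(octet)]
    body += to_bits(len(payload), 6) + to_bits(pid, 2) + [no_ack]
    body += [b for octet in payload for b in to_bits(octet)]
    preamble = 0xAA if body[0] else 0x55  # 0xAA when the first address bit is 1
    return to_bits(preamble) + body + to_bits(crc16(body), 16)

def parse_frame(bits, address_length=5):
    """Return the decoded frame starting at bits[0], or None if it fails any check."""
    pcf = 8 + 8 * address_length          # offset of the 9-bit packet control field
    if len(bits) < pcf + 9 + 16:
        return None
    if bits[:8] != to_bits(0xAA if bits[8] else 0x55):
        return None                       # preamble does not match first address bit
    length = to_int(bits[pcf:pcf + 6])
    end = pcf + 9 + 8 * length            # index of the first CRC bit
    if length > 32 or len(bits) < end + 16:
        return None                       # impossible length or truncated capture
    if crc16(bits[8:end]) != to_int(bits[end:end + 16]):
        return None                       # CRC covers address, control field, payload
    return {"address": to_bytes(bits[8:pcf]), "pid": to_int(bits[pcf + 6:pcf + 8]),
            "no_ack": bits[pcf + 8], "payload": to_bytes(bits[pcf + 9:end])}

def scan(bits, address_length=5):
    """Slide over a demodulated bitstream; return (offset, frame) for every valid frame."""
    return [(off, f) for off in range(len(bits)) if (f := parse_frame(bits[off:], address_length))]

SAMPLE = [0, 1, 1, 0, 1] + build_frame(b"\x12\x34\x56\x78\x9a", b"hello", pid=1)  # constructed
```

Because the control field is 9 bits wide, the payload and CRC are not byte aligned on air, which is why the parser works on individual bits and validates the CRC before reporting a frame.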

nordic_tx

Transmitter class which consumes nordictap structs, generates Enhanced Shockburst packets, and produces a byte stream to be fed to a GFSK modulator.

python examples

All Python examples use the osmosdr_source/osmosdr_sink blocks, and are SDR-agnostic.

nordic_receiver.py

Single channel receiver. Listening on channel 4 (2404MHz) with a 2Mbps data rate, 5 byte address, and 2 byte CRC is invoked as follows:

./nordic_receiver.py --channel 4 --data_rate 2e6 --crc_length 2 --address_length 5 --samples_per_symbol 2 --gain 40

nordic_auto_ack.py

Single channel receiver with auto-ACK. Listening (and ACKing) on channel 4 (2404MHz) with a 2Mbps data rate, 5 byte address, and 2 byte CRC is invoked as follows:

./nordic_auto_ack.py --channel 4 --data_rate 2e6 --crc_length 2 --address_length 5 --samples_per_symbol 2 --gain 40

nordic_sniffer_scanner.py

Sweeping single channel receiver, which sweeps between channels 2-83 looking for Enhanced Shockburst packets. During receive activity, it camps on a given channel until idle.

./nordic_sniffer_scanner.py

microsoft_mouse_sniffer.py

Microsoft mouse/keyboard following receiver. When launched, this script will sweep between the 24 possible Microsoft wireless keyboard/mouse channels. When a device is found, it switches to that device's 4-channel group, sweeping between that set to follow the device.

./microsoft_mouse_sniffer.py

nordic_channelized_receiver.py

Channelized receiver example, which tunes to 2414MHz, and receives 2Mbps Enhanced Shockburst packets on channels 10, 14, and 18.

./nordic_channelized_receiver.py

nordic_channelized_transmitter.py

Channelized transmitter example, which tunes to 2414MHz, and transmits 2Mbps Enhanced Shockburst packets on channels 10, 14, and 18.

./nordic_channelized_transmitter.py

wireshark dissector

The Wireshark dissector displays Enhanced Shockburst packets in Wireshark. The logic is very straightforward, and will be simple to extend to classify various device types.

wireshark/nordic_dissector.lua

wireshark -X lua_script:wireshark/nordic_dissector.lua -i lo -k -f udp

nRF24LU1+ research firmware

Corresponding research firmware for the nRF24LU1+ chips (including Logitech Unifying dongles) is available here.

Documentation on the packet formats covered by the MouseJack and KeySniffer vulnerability sets is available here.