CX-10A CID

27 Nov 2018 15:10 #71902 by ccees123
CX-10A CID was created by ccees123
Hi guys, I'm currently working on a school project that requires us to do a replay attack on the CX-10A. Since I'm new to this field, I don't know how to find the controller's identifier (CID), and without the CID I cannot find the correct frequency hopping channels.

Does anyone know if there is an easy way to find the CID or to capture the packets? It is too hard to decode the signal from the IQ values.

27 Nov 2018 19:34 #71906 by hexfet
Replied by hexfet on topic CX-10A CID
If you have physical access to the tx or rx then capture from the nRF24L01 SPI interface. Otherwise over-the-air is the only way I know.

27 Nov 2018 20:30 #71907 by ccees123
Replied by ccees123 on topic CX-10A CID
Thank you so much for the answer. I do have physical access to the devices. But what is the nRF24L01 SPI interface? Is it hardware for the nRF24L01? I'm currently using a HackRF One. Wondering if I need to buy extra hardware.

27 Nov 2018 20:52 #71909 by hexfet
Replied by hexfet on topic CX-10A CID
You'll need a logic analyzer, preferably one with an SPI decoder. Saleae is popular. See this thread.

nRF24L01 is the radio chip in the CX-10. SPI is the hardware interface between it and the microprocessor.

28 Nov 2018 12:08 - 28 Nov 2018 21:36 #71920 by goebish
Replied by goebish on topic CX-10A CID
The CX10-A (blue PCB) doesn't use a nrf24l01 but a xn297 transceiver.

I don't want to do your homework, but here's what you can do if you really have to use a HackRF:
(I suppose you can't just use a logic analyzer connected to the stock controller as that would be too easy and considered cheating ;))

Use gnuradio to grab and demodulate the GFSK signal during bind (2402 MHz with transmitter powered on and quad powered off):
www.dropbox.com/s/sk28appcfpwtkap/xn297_gfsk_demod.grc?dl=1

(You'll have to replace the output filename in the file sink block and might have to tweak the freq fine slider until you see some activity in the "Data" scope sink dialog.)

Then use the demodulated output (0 & 1s & preamble markers) to decode and unscramble the xn297 packets, here's a C/Qt program to do that:
gist.github.com/goebish/d08d9a7458cc34eafe5cc6f64bf34ceb
(that's quick and dirty, crc is not checked ...)

You should end up with something like this (that's not a cx-10a in the video):

Then just look at the packets to retrieve the TXID, e.g. in this picture the TXID is D7 23 63 27:

(decoded from an actual CX10-A transmitter)

From that you can extrapolate the frequency hopping channels for your replay attack:

rf_channel[0] = 0x03 + (0xd7 & 0x0f) = 0x0a = 2410 MHz
rf_channel[1] = 0x16 + (0xd7 >> 4) = 0x23 = 2435 MHz
rf_channel[2] = 0x2d + (0x23 & 0x0f) = 0x30 = 2448 MHz
rf_channel[3] = 0x40 + (0x23 >> 4) = 0x42 = 2466 MHz

I'm not 100% sure, but I believe that someone who reverse engineered the RX side said that only rf_channel[0] is actually used by the RX; that should be pretty easy to attack, just spam your packet(s) on this channel ;)

... but I agree that for retrieving the TXID it would be simpler to use an Arduino with an nRF24L01 emulating a xn297 in RX mode, or just connect a logic analyzer to the stock controller (SPI) if you're allowed to.
Last edit: 28 Nov 2018 21:36 by goebish.

02 Dec 2018 12:44 - 04 Dec 2018 22:05 #71951 by goebish
Replied by goebish on topic CX-10A CID

ccees123 wrote: Hi goebish. Really appreciate your help! However, I think there is something wrong with the protocol.

When I was listening at 2.402 GHz, I got the CID 0x12345bbb

From the protocol: github.com/DeviationTX/deviation/blob/ma...doc/CX10Blue.txt#L63
I got the frequency hopping channels: 2.414, 2.433, 2.450 and 2.475.

Then I restarted the devices and listened at 2.414; things looked fine, with signals including both the binding and flying phases.

Then I did same thing again and listened at 2.433, I got the similar result as at 2.414.

And when I was listening at 2.45 and 2.475, no signal data was detected.

This hopping behaviour doesn't make sense, because if the controller finished the binding signal and started the flying phase at 2.414, then it should transmit commands at 2.433 instead of similar binding and flying packets.

After the controller and quad bound together, I tried to simply record and replay the signals at 2.43, 2.45 and 2.475, which of course didn't fly the quad. So I'm wondering if the protocol of the CX-10A has been changed.


I don't think the protocol has changed, maybe the stock controller sends a few binding packets on the data channels at the end of the bind sequence. (I don't have a working stock transmitter anymore.)
Try to replay only on 2414 MHz.
Scan the ISM band to search for the used channels.
... or just get a logic analyzer ($5), connect it to the SPI bus in the TX, then you'll be sure ;)
Last edit: 04 Dec 2018 22:05 by goebish.

04 Dec 2018 17:41 #71977 by ccees123
Replied by ccees123 on topic CX-10A CID
Yeah, you are right, the protocol is correct. I just realized that I calculated the last two channels wrong. My program reads the bytes in reverse order :)
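
The following is an added worked example, not code from this thread or from the Deviation project. It implements the four rf_channel formulas goebish posted above (with channel n mapped to 2400 + n MHz, as in his D7 23 63 27 worked values), adds the inverse so a band scan that finds the four active frequencies can recover the two TXID bytes that matter, and shows the byte-order pitfall from the last post. The assumptions are mine: that the TXID is passed in the order the bytes are sent on air (txid[0] first), and, for the 0x12345bbb case, that the poster's program printed the bytes reversed so that the on-air order was bb 5b 34 12.

```python
"""Added example: CX-10A TXID -> frequency hopping channels, and back.

Formulas as posted in the thread (txid[] in on-air order):
    rf_channel[0] = 0x03 + (txid[0] & 0x0f)
    rf_channel[1] = 0x16 + (txid[0] >> 4)
    rf_channel[2] = 0x2d + (txid[1] & 0x0f)
    rf_channel[3] = 0x40 + (txid[1] >> 4)
"""

# (base channel, TXID byte index, which nibble) for rf_channel[0..3]
CHANNEL_RULES = (
    (0x03, 0, "low"),
    (0x16, 0, "high"),
    (0x2D, 1, "low"),
    (0x40, 1, "high"),
)

BASE_MHZ = 2400  # xn297 / nRF24L01 channel n sits at 2400 + n MHz


def parse_txid(text):
    """Accept 'D7 23 63 27', 'd7:23:63:27' or '0xd7236327'; return bytes in the order written."""
    hexstr = text.strip().lower().replace("0x", "").replace(" ", "").replace(":", "")
    if len(hexstr) % 2 or len(hexstr) < 4:
        raise ValueError("TXID needs at least two whole bytes")
    return bytes.fromhex(hexstr)


def hop_channels(txid):
    """Return [rf_channel[0], ..., rf_channel[3]] for a TXID given in on-air order."""
    if len(txid) < 2:
        raise ValueError("need at least txid[0] and txid[1]")
    channels = []
    for base, idx, which in CHANNEL_RULES:
        byte = txid[idx]
        nib = byte & 0x0F if which == "low" else byte >> 4
        channels.append(base + nib)
    return channels


def hop_frequencies_mhz(txid):
    """Same as hop_channels, but in MHz (what you would tune the HackRF to)."""
    return [BASE_MHZ + ch for ch in hop_channels(txid)]


def txid_bytes_from_frequencies(freqs_mhz):
    """Inverse: from the four active hop frequencies recover txid[0] and txid[1].

    The four channel windows (3-18, 22-37, 45-60, 64-79) do not overlap, so the
    frequencies may be given in any order, e.g. straight from a band scan.
    A frequency outside every window (such as the 2402 MHz bind channel) is rejected.
    """
    if len(freqs_mhz) != 4:
        raise ValueError("expected exactly four hop frequencies")
    nibbles = [None] * 4
    for f in freqs_mhz:
        ch = f - BASE_MHZ
        for slot, (base, _idx, _which) in enumerate(CHANNEL_RULES):
            if base <= ch <= base + 0x0F:
                if nibbles[slot] is not None:
                    raise ValueError("two frequencies fall in the same hop window: %d MHz" % f)
                nibbles[slot] = ch - base
                break
        else:
            raise ValueError("%d MHz is not a valid CX-10A hop frequency" % f)
    txid0 = (nibbles[1] << 4) | nibbles[0]
    txid1 = (nibbles[3] << 4) | nibbles[2]
    return bytes([txid0, txid1])


def compare_byte_orders(text):
    """Show what happens when a decoder prints the TXID bytes reversed (assumed cause
    of the mistake in the last post): both readings of the same hex string."""
    txid = parse_txid(text)
    return {
        "as_printed": hop_frequencies_mhz(txid),
        "reversed": hop_frequencies_mhz(txid[::-1]),
    }


if __name__ == "__main__":
    # TXID from goebish's screenshot (decoded from a real CX-10A transmitter)
    txid = parse_txid("D7 23 63 27")
    print("channels:", [hex(c) for c in hop_channels(txid)])   # 0x0a 0x23 0x30 0x42
    print("MHz:", hop_frequencies_mhz(txid))                    # 2410 2435 2448 2466
    print("recovered:", txid_bytes_from_frequencies([2466, 2410, 2448, 2435]).hex())
    # Constructed check for the 0x12345bbb case; assumes the bytes were printed reversed.
    for order, freqs in compare_byte_orders("0x12345bbb").items():
        print(order, freqs)
```

Under the reversed-byte assumption, 0x12345bbb gives 2414 and 2433 MHz for the first two channels, the two frequencies on which the poster did see traffic, and 2456 and 2469 MHz for the last two rather than the 2450 and 2475 first quoted; whether the receiver actually hops beyond rf_channel[0] is left open in the thread, so this only tells you where to listen, not what the quad honours.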
