- Posts: 18
Teach us your protocol reversing tricks oh wise PB
- th9xer
- Topic Author
- Offline
Probably safe to assume people reading this far will already be familiar with the code of the current protocols.
I'll take anything you can offer but a few pointers and maybe some code from your test rig would be supreme. I realize it may not be well polished but it wouldn't bother me.
As a starter how on earth to you derive the channel hopping tables ?
Thanks so everything so far !
Cam.
Please Log in or Create an account to join the conversation.
- SeByDocKy
- Offline
- Posts: 1016
th9xer wrote: So PB any chance you could put your Fravia hat on for 10 minutes and teach us some of your protocol reversing techniques? If I remember correctly I have heard you talk about test rigs involving Raspberry Pi's and Arduinos. A few tricks and tips might help more people to help you, do doubt you have learnt much through your various protocol travels.
Probably safe to assume people reading this far will already be familiar with the code of the current protocols.
I'll take anything you can offer but a few pointers and maybe some code from your test rig would be supreme. I realize it may not be well polished but it wouldn't bother me.
As a starter how on earth to you derive the channel hopping tables ?
Thanks so everything so far !
Cam.
+1 for me
Not only PB, but also victzh, hexfet, etc... .
"give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime" would be translated into
"give a man a protocol and you make him able to fly a new model; teach a man to hack a protocol and your protocol folder will be full" ....
Please Log in or Create an account to join the conversation.
- victzh
- Offline
- Posts: 1386
Then if you're lucky, you'll just understand what's going on - there are protocols without any frequency hopping, encryption etc.
If you're slightly less lucky, your protocol is using table frequency hopping - there is a limited table with base sequences and some variations thereof.
You need to get as many correspondences between TX id and frequency hopping sequence as possible. For this you need to put logic analyzer on RX and use mock TX algorithm to bind to many different TX ids. It is useful to make this as automated as possible - connect to bind or reset button on your RX and guide it from your program.
For this setup you also need some luck - some RXs when they get initial binding packet with new TX id start following the whole sequence, so you just record it using your logic analyzer.
Some wait for the first valid packet to follow the sequence - this is a bit more problematic. You need to generate bind packet, then listen to RX for the channel it expects packet on and then generate this packet and only after these dances RX follow with the whole FH sequence.
After you got many correspondences you need to understand the logic. You begin to stare at these long files and write scripts to analyze them - sort in various order, for instance. It can take days or minutes depending on complexity and your experience. It is somewhat close to cryptanalysis, but usually people don't try to protect their protocols very hard. The most complex protocol so far reversed, DSMX, took weeks and collaboration of many people. They also had some luck - authors of DSMX used Linear Feedback Shift Register (LFSR) from the literature with some variations.
Some protocols don't bother with secrecy so much that they just pass the sequence as a part of binding process - HiSky does this.
Also, there is CRC algorithms used by some protocols, they need similar approach.
Best way to learn is to try it yourself. Get soldering iron and cheap TX or RX with reasonably accessible SPI bus and try it.
Please Log in or Create an account to join the conversation.
- PhracturedBlue
- Offline
- Posts: 4402
The only thing I'll add is that I found my RaspberryPi really useful for the automation victzh talked about (when trying to find hopping tables, etc).
I ported the deviation protocol stack to the Raspberry Pi such that the Deviation protocol code can be run there with no modifications. since there is no upload step, it is nice to be able to change the code, compile and immediately test. For development of for a new chip or a complex protocol, it is really handy.
The relevant code is here:
bitbucket.org/PhracturedBlue/rpi_protocols
Note that it is currently in flux. I'm resyncing it with the latest protocol code at the moment, but in a couple days it should work again.
FYI, for an example of a protocol I wasn't able to figure out:
www.deviationtx.com/forum/protocol-devel...rotocol-analysis-crc
The protocol is trivial, but I wasn't able to figure out the checksum byte after several days of effort. I think we have everything we need to figure it out, I just don't get it.
Please Log in or Create an account to join the conversation.
- victzh
- Offline
- Posts: 1386
Please Log in or Create an account to join the conversation.
- th9xer
- Topic Author
- Offline
- Posts: 18
victzh where might I find your decoding scripts? I'll swap you for my A7105 script.
Instructions and link here:
code.google.com/p/rc-ppm-2-spi/wiki/Usingdecodepl
Also PhracturedBlue many thanks for the link to the RaspPi code.
Thanks again.
Cam.
Please Log in or Create an account to join the conversation.
- victzh
- Offline
- Posts: 1386
They take as an input CSV files decoded by Saleae SPI protocol handler, so no extra signals like CE for nRF24L01 are present.
Please Log in or Create an account to join the conversation.
- victzh
- Offline
- Posts: 1386
Please Log in or Create an account to join the conversation.
- th9xer
- Topic Author
- Offline
- Posts: 18
Cam.
Please Log in or Create an account to join the conversation.
- th9xer
- Topic Author
- Offline
- Posts: 18
Nice article here on guessing CRC's
www.cosc.canterbury.ac.nz/greg.ewing/ess...rse-Engineering.html It has some basic tests to prove it is a CRC at all, then deduce the poly, etc.
Essential reading: www.ross.net/crc/crcpaper.html (No doubt you already know this, mainly mentioned for the reference of others)
Interesting but not totally relevant www.danielvik.com/2010/10/calculating-reverse-crc.html
Then I stumbled upon this jem ! It can automate the guessing for you
sourceforge.net/projects/reveng/
I have just had a quick play with it and it would seem Multiplex are changing the initial CRC register contents on a per channel basis.
This testing is based on data from here www.deviationtx.com/forum/protocol-devel...art=0&start=20#16371
Feed the program this line:
reveng -w 8 -s 2309097e082d06db81 2309097e082d06dc02 2388058a043802e7a4 2388058a043902e70f 2388058a043802e7a4
Data is formatted so channel number is the first byte, checksum the last, the rest is the payload.
and it reports:
width=8 poly=0x31 init=0xf9 refin=true refout=true xorout=0x00 check=0xbc name=(none)
feed it:
reveng -w 8 -s 3b010a2708d6078460 3b110a2708d607849b 3b010791079107918a 3b8007910791079120 3b010a2708d5078484 3b010a2708d6078460
it reports:
width=8 poly=0x31 init=0x79 refin=true refout=true xorout=0x00 check=0x18 name=(none)
Mess with any of the data and it reports:
reveng: no models found
Sorry for poor formatting, the entire time I was typing this I got "Loading BBCode editor... ". Maybe you want to move this to the other thread, your call.
Exciting stuff
Cam.
EDIT: More testing done - It certainly doesn't hold true for all the data, some of the anomalies you found in the data where the same data has a different checksum obviously fail. like:
11 88 07 d8 07 d8 07 d9 00
11 88 07 d8 07 d8 07 d9 2d
11 09 07 d8 07 d8 07 d8 d9
11 09 07 d8 07 d8 07 d8 f4
11 88 07 91 07 91 07 91 21
Genuine errors perhaps ? (Although the 2nd and 4th lines potentially share a common CRC, not enough data to nail it to one)
again channel 1st, checksum last, payload the rest.
I have tested a good few others packets and checksums can always be found. Polynomial never changes, it's listed here en.wikipedia.org/wiki/Cyclic_redundancy_...nd_standardized_CRCs , so makes sense.
Please Log in or Create an account to join the conversation.
- victzh
- Offline
- Posts: 1386
Different CRC for the same data can be explained by adding some other factor, say odd and even packets. If you add such info to checksummed sequence you'll get your variable CRC. To check this you need longer sequence of packets.
Please Log in or Create an account to join the conversation.
- PhracturedBlue
- Offline
- Posts: 4402
This is a really good find on 'reveng' though!
Please Log in or Create an account to join the conversation.
- Home
- Forum
- Development
- Protocol Development
- Teach us your protocol reversing tricks oh wise PB