This tutorial will cover how to practically sniff LoRa and save sniffed data to then retransmit it or create your messages.
Hardware
Electronic Cats Flipper SubGHz Shield 🐬😼
- A Flipper Add-On/Shield with a built-in CC1101 and a SX1262 to work with SubGHz signals.
- Supports all major SubGHz ISM bands around the world (along with the correct firmware).
To simulate a P2P (peer-to-peer) communication, we used two BastWAN boards, one as the sender and the other as the receiver. The same procedure also works when listening to real LoRa/LoRaWAN devices.
We created a simple circuit to simulate a LoRa system with a TOF (time of flight) sensor, a loudness sensor, and a 0.91" I2C OLED display. Each time the TOF sensor detects an object in its range, it will read the distance of the object and the loudness level to then send it via LoRa at the frequency defined in the code. All of them are powered by a battery.
Once we had verified that both boards were communicating with each other, we could continue with the Flipper. Again, the above setup is not required: if you already have devices working with LoRa, or just want to play around trying to catch information, you can do it.
Flipper Zero — LoRa implementation
To take advantage of the SX1262 on the SubGHz Shield, we must first install the app on the Flipper; without it the shield's LoRa radio cannot be used.
- Flash Unleashed firmware version 071e. We used qFlipper to do this.
You can download it from the official Unleashed GitHub repo.
Once our Flipper is running the correct version of Unleashed, it is time to install the app and prepare for sniffing.
- Install the LoRa Relay App developed by Electronic Cats. You only need the .fap file; save it on the Flipper's SD card. We recommend creating a new folder inside the Apps folder or saving the file in an already existing one.
You can download the latest version of the app from the official GitHub repo.
There are multiple ways to pass the .fap file to your Flipper: using qFlipper, the Flipper Lab website, the mobile Flipper app (if Experimental options are enabled), or simply plugging the SD card into your computer to copy the file.
As shown in the pictures, we created a new directory called Electronic Cats to save the app file so it is easier to reach the app.
Before you start sniffing, it is important to create a folder called lora on the Flipper SD card at the following path: SD Card/apps_data/, so the sessions can be recorded and saved in a data.log file.
Now you can start playing with the LoRa Relay app.
Sniffing LoRa
Once you attach the shield to the Flipper, you can open the app.
The app is pre-configured to work on 915 MHz networks, but it is possible to change:
- Frequency
- Bandwidth
- Spread Factor
- Payload length
- Header type
- CRC (cyclic redundancy check)
- IQ
Since the sender BastWAN is configured to work on the 915 MHz frequency, there was no need to change any parameters in the Flipper app (for now).
Using the Sniffer feature is quite simple: you open it and wait for the Flipper to catch the LoRa messages and print them on the screen. To save the information for later use, press the central D-pad button and a saving icon will appear on the screen. The Flipper is now acting as a passive listener in the middle: both the Flipper and the LoRa receiver get the message from the sender.
The sniffing session can be opened with a plain text editor to read the captured information. The data.log file is located in the lora folder created earlier. As shown below, the information captured is the date, time, frequency, bandwidth, signal strength (RSSI), and the message itself (payload).
Note: While the shield and app can sniff LoRaWAN packets, they cannot decrypt them (yet).
Retransmit and inject
The LoRa Relay app can not only sniff but also retransmit the sniffed data or create messages byte by byte. So if you want to retransmit the sniffed session on a different frequency, you can do it without exiting the Flipper LoRa app.
We set the second BastWAN (receiver) to start listening on a different frequency (433.33 MHz), then configured the Flipper to the same frequency by going to settings > frequency in the LoRa app.
To test the communication, we use the option Send LoRa byte where we can build our message as a byte chain. Once you click on the save button, the message will be sent.
Alternatively, you can retransmit the data saved from the last sniffed session, or send any information as long as it has the correct format by using the option Transmitter.
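As an added example (not code from this tutorial or from the Electronic Cats app), the following Python script parses a constructed data.log-style session like the one saved above and flags frames that reappear byte-for-byte, which is how someone monitoring the receiver side would notice the retransmission just described. The line layout and the sample lines are assumptions: the real data.log layout written by the app is not reproduced here, only the fields the tutorial lists.

```python
import re
from datetime import datetime

# Constructed sample session (assumed whitespace-separated layout, not the
# app's real data.log format): date, time, frequency (MHz), bandwidth (kHz),
# RSSI (dBm), payload as hex bytes. Payloads mimic the TOF distance and
# loudness readings the sender board transmits, e.g. "D=120L=75".
SAMPLE_LOG = """\
2024-05-01 12:00:01 915.000 125 -87 44 3D 31 32 30 4C 3D 37 35
2024-05-01 12:00:09 915.000 125 -88 44 3D 31 31 38 4C 3D 37 33
2024-05-01 12:00:17 915.000 125 -86 44 3D 31 32 30 4C 3D 37 35
2024-05-01 12:00:31 433.330 125 -41 44 3D 31 32 30 4C 3D 37 35
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+\.\d+) (\d+) (-?\d+) "
    r"((?:[0-9A-Fa-f]{2} ?)+)$"
)


def parse_log(text):
    """Turn each well-formed log line into a record; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, freq, bw, rssi, payload_hex = m.groups()
        records.append({
            "ts": datetime.fromisoformat(f"{date} {time}"),
            "freq_mhz": float(freq),
            "bw_khz": int(bw),
            "rssi_dbm": int(rssi),
            "payload": bytes.fromhex(payload_hex.replace(" ", "")),
        })
    return records


def find_replays(records, max_rssi_jump=20):
    """Flag frames whose payload was already seen. A byte-identical payload is a
    replay candidate; a channel change or a large RSSI jump relative to the first
    sighting (a transmitter much closer than the original sender) strengthens it."""
    first_seen = {}
    alerts = []
    for r in records:
        prev = first_seen.setdefault(r["payload"], r)
        if prev is r:
            continue
        reasons = ["identical payload"]
        if prev["freq_mhz"] != r["freq_mhz"]:
            reasons.append("frequency changed")
        if r["rssi_dbm"] - prev["rssi_dbm"] > max_rssi_jump:
            reasons.append("rssi jump")
        alerts.append((r["ts"], r["payload"], reasons))
    return alerts
```

Replay detection of this kind is only a heuristic: a sensor that legitimately reports the same reading twice also produces an identical payload, so the frequency and RSSI context is what separates the two cases.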
That's it!
This tutorial, paired with the hardware and software described, is a good example of how data can be sniffed in a LoRa system, then saved and transmitted again, and you can do it all by yourself! You can also play by building and sending your own messages as byte chains. If you are interested in learning more about this and other products, we invite you to visit our GitHub repository, where you will find our Flipper shields for this and other applications. The limit is your creativity😺.