CX-10A CID

27 Nov 2018 15:10  #71902
by ccees123 (Topic Author)

CX-10A CID was created by ccees123
Hi guys, I'm currently working on a school project that requires us to do a replay attack on the CX-10A. Since I'm new to this field, I don't know how to find the controller's identifier (CID). And without the CID, I cannot find the correct frequency hopping channels.
Does anyone know if there is an easy way to find the CID or capture the packet? It is too hard to decode the signal from IQ values.

27 Nov 2018 19:34  #71906
by hexfet

Replied by hexfet on topic CX-10A CID
If you have physical access to the tx or rx then capture from the nRF24L01 SPI interface. Otherwise over-the-air is the only way I know.

27 Nov 2018 20:30  #71907
by ccees123 (Topic Author)

Replied by ccees123 on topic CX-10A CID
Thank you so much for the answer. I do have physical access to the devices. But what is the nRF24L01 SPI interface? Is it hardware for the nRF24L01? I'm currently using a HackRF One. Wondering if I need to buy extra hardware.

27 Nov 2018 20:52  #71909
by hexfet

Replied by hexfet on topic CX-10A CID
You'll need a logic analyzer, preferably one with an SPI decoder. Saleae is popular. See this thread.
nRF24L01 is the radio chip in the CX-10. SPI is the hardware interface between it and the microprocessor.

28 Nov 2018 12:08 (edited 28 Nov 2018 21:36)  #71920
by goebish (NRF Weirdo)

Replied by goebish on topic CX-10A CID
The CX10-A (blue PCB) doesn't use a nrf24l01 but a xn297 transceiver.
I don't want to do your homework, but here's what you can do if you really have to use a HackRF:
(I suppose you can't just use a logic analyzer connected to the stock controller as that would be too easy and considered cheating)
Use gnuradio to grab and demodulate the GFSK signal during bind (2402 MHz with transmitter powered on and quad powered off):
www.dropbox.com/s/sk28appcfpwtkap/xn297_gfsk_demod.grc?dl=1
(You'll have to replace the output filename in the file sink block and might have to tweak the freq fine slider until you see some activity in the "Data" scope sink dialog.)
Then use the demodulated output (0s & 1s & preamble markers) to decode and unscramble the xn297 packets; here's a C/Qt program to do that:
gist.github.com/goebish/d08d9a7458cc34eafe5cc6f64bf34ceb
(that's quick and dirty, crc is not checked ...)
You should end up with something like this (that's not a cx-10a in the video):
Then just look at the packets to retrieve the TXID, e.g. in this picture the TXID is D7 23 63 27:
(decoded from an actual CX10-A transmitter)
From that you can extrapolate the frequency hopping channels for your replay attack:
rf_channel[0] = 0x03 + (0xd7 & 0x0f) = 0x0a = 2410 MHz
rf_channel[1] = 0x16 + (0xd7 >> 4) = 0x23 = 2435 MHz
rf_channel[2] = 0x2d + (0x23 & 0x0f) = 0x30 = 2448 MHz
rf_channel[3] = 0x40 + (0x23 >> 4) = 0x42 = 2466 MHz
I'm not 100% sure, but I believe that someone who reverse engineered the RX side said that only rf_channel[0] is actually used by the RX; that should be pretty easy to attack, just spam your packet(s) on this channel
... but I agree that for retrieving the TXID it would be simpler to use an arduino with a nrf24l01 emulating a xn297 in rx mode, or just connect a logic analyzer to the stock controller (SPI) if you're allowed to.
Last edit: 28 Nov 2018 21:36 by goebish.
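Added example (not code from the thread or from the Deviation project): the TXID-to-channel derivation goebish lists above, in Python, plus a check that the hop set is a one-to-one function of two TXID bytes that are sent in the clear during bind, which is why observing the TXID yields the whole hop pattern. It assumes, as the thread does, that channel index n is 2400 + n MHz.

```python
# Added example (not from the forum thread or the Deviation project): derive the
# CX-10A (xn297, blue PCB) hop set from a TXID using the four formulas quoted in
# goebish's post, and show why the hop set gives no secrecy: it is a one-to-one
# function of two TXID bytes that are broadcast in the clear during bind.
# Assumption: channel index n means 2400 + n MHz, as in the thread (0x0a = 2410 MHz).

def parse_txid(text: str) -> bytes:
    """Parse a TXID as the decoder prints it, e.g. 'D7 23 63 27'."""
    return bytes(int(tok, 16) for tok in text.split())

def cx10a_hop_channels(txid: bytes) -> list:
    """Return the four RF channel indices; only txid[0] and txid[1] matter."""
    if len(txid) < 2:
        raise ValueError("TXID needs at least two bytes")
    b0, b1 = txid[0], txid[1]
    return [
        0x03 + (b0 & 0x0F),  # rf_channel[0]: low nibble of txid[0]
        0x16 + (b0 >> 4),    # rf_channel[1]: high nibble of txid[0]
        0x2D + (b1 & 0x0F),  # rf_channel[2]: low nibble of txid[1]
        0x40 + (b1 >> 4),    # rf_channel[3]: high nibble of txid[1]
    ]

def hop_frequencies_mhz(txid: bytes) -> list:
    return [2400 + ch for ch in cx10a_hop_channels(txid)]

def hop_slot_ranges_mhz() -> list:
    """(min, max) MHz each slot can take over all TXIDs: the four 16-channel
    windows a band scan (as suggested later in the thread) has to cover."""
    lo = cx10a_hop_channels(b"\x00\x00")
    hi = cx10a_hop_channels(b"\xff\xff")
    return [(2400 + a, 2400 + b) for a, b in zip(lo, hi)]

def count_distinct_hop_sets() -> int:
    """Every (txid[0], txid[1]) pair yields a different hop set, so the hop
    pattern has exactly the 16 bits of entropy of those two bytes, and none
    once the TXID has been observed."""
    seen = {tuple(cx10a_hop_channels(bytes((b0, b1))))
            for b0 in range(256) for b1 in range(256)}
    return len(seen)

if __name__ == "__main__":
    txid = parse_txid("D7 23 63 27")  # the TXID shown in goebish's screenshot
    for i, (ch, mhz) in enumerate(zip(cx10a_hop_channels(txid),
                                      hop_frequencies_mhz(txid))):
        print(f"rf_channel[{i}] = 0x{ch:02x} = {mhz} MHz")
    print("slot ranges (MHz):", hop_slot_ranges_mhz())
    print("distinct hop sets:", count_distinct_hop_sets())
```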

02 Dec 2018 12:44 (edited 04 Dec 2018 22:05)  #71951
by goebish (NRF Weirdo)

Replied by goebish on topic CX-10A CID

ccees123 wrote: Hi goebish. Really appreciate your help! However, I think there is something wrong with the protocol.
When I was listening at 2.402G, I got the CID 0x12345bbb
From the protocol: github.com/DeviationTX/deviation/blob/ma...doc/CX10Blue.txt#L63
I got the frequency hopping channels: 2.414, 2.433, 2.450 and 2.475.
Then I restarted the devices and listened at 2.141, things look fine and signals including both binding and flying phases
Then I did the same thing again and listened at 2.433, I got a similar result as at 2.414.
And when I was listening at 2.45 and 2.475, no signal data was detected.
This hopping behavior doesn't make sense. Because if the controller finished the binding signal and started the flying phase at 4.141, then it should transmit commands at 2.433 instead of similar binding and flying packets.
After controller and quad bound together, I tried to simply record and replay signals at 2.43, 2.45 and 2.475 which of course didn't fly the quad. So I'm wondering if the protocol of the cx-10A has been changed.

I don't think the protocol has changed, maybe the stock controller sends a few binding packets on data channels at the end of the bind sequence. (I don't have a working stock transmitter anymore)
Try to replay only on 2414 MHz.
Scan the ISM band to search for the used channels.
... or just get a logic analyzer ($5), connect it to the SPI bus in the TX, then you'll be sure.

Last edit: 04 Dec 2018 22:05 by goebish.

04 Dec 2018 17:41  #71977
by ccees123 (Topic Author)

Replied by ccees123 on topic CX-10A CID
Yeah, you are right, the protocol is correct. I just realized that I calculated the last two channels wrong. My program reads bytes in reverse order :)