This page has deprecated and will be archived. Please go to https://www.bitcraze.io/.
Thanks to a software from Cyber Explorer it is possible to sniff the NRF24 radio packet using an SDR radio.
Though the original method is using rtl-sdr with the rtl-fm program. This page aims at documenting how to setup an NRF sniffer with the HackRFBlue (which is fully compatible with HackRF One).
The procedure should be very similar with any GnuRadio-compatible SDR receiver.
To setup HackRF on Ubuntu the following packages needs to be installed:
sudo apt-get install gnuradio gr-osmosdr hackrf gqrx
Then you can verify that it works with:
$ hackrf_info Found HackRF board. Board ID Number: 2 (HackRF One) Firmware Version: 2014.08.1 Part ID Number: 0xa000cb3c 0x005c4746 Serial Number: 0x00000000 0x00000000 0x321864c8 0x3852321d $
On my Ubuntu I need to remove a hackrf module for it to actually work:
$ hackrf_info hackrf_open() failed: HACKRF_ERROR_LIBUSB (-1000) $ sudo rmmod hackrf $ hackrf_info Found HackRF board. Board ID Number: 2 (HackRF One) Firmware Version: 2014.08.1 Part ID Number: 0xa000cb3c 0x005c4746 Serial Number: 0x00000000 0x00000000 0x321864c8 0x3852321d $
To test that it is working well you can run gqrx:
Clone and make the NRF24-BTLE-Decoder program from Github:
$ git clone https://github.com/omriiluz/NRF24-BTLE-Decoder Cloning into 'NRF24-BTLE-Decoder'... remote: Counting objects: 25, done. remote: Total 25 (delta 0), reused 0 (delta 0), pack-reused 25 Unpacking objects: 100% (25/25), done. Checking connectivity... done. $ cd NRF24-BTLE-Decoder NRF24-BTLE-Decoder $ make gcc -std=gnu99 -Wall -O3 -o ./bin/nrf24-btle-decoder nrf24-btle-decoder.c nrf24-btle-decoder.c: In function ‘main’: nrf24-btle-decoder.c:370:4: warning: implicit declaration of function ‘strcmp’ [-Wimplicit-function-declaration] if (strcmp("nrf", optarg) == 0) decode_type = 1; ^ NRF24-BTLE-Decoder $ cd bin bin $ ls nrf24-btle-decoder bin $
The nrf24-btle-decoder software is designed to get sample at 2Msps via the standard input. To get data from gnuradio instead we create a fifo and cat this fifo in nrf24-btle-decoder:
bin $ mkfifo /tmp/fifo bin $ cat /tmp/fifo | ./nrf24-btle-decoder -d 1
The GNUradio companion receiver is a simple quadrature demodulator:
The source file can be downloaded there: nrf24_demod.grc.zip
This GNU Radio program will write the demodulated samples in the fifo, it will then be read by 'cat' and be piped into the decoder. When connected to a Crazyflie the output is:
bin $ cat /tmp/fifo | ./nrf24-btle-decoder -d 1 nrf24-btle-decoder, decode NRF24L01+ and Bluetooth Low Energy packets using RTL-SDR v0.4 1433238474.737783 NRF24 Packet start sample 20935, Threshold:5240, Address: 0xE7E7E7E7E7 length:0, pid:0, no_ack:0, CRC:0xD1E4 data: 1433238474.758950 NRF24 Packet start sample 37532, Threshold:5213, Address: 0xE7E7E7E7E7 length:15, pid:1, no_ack:0, CRC:0xFE8C data:3C 00 00 00 00 00 00 00 80 00 00 00 00 00 00 1433238474.778575 NRF24 Packet start sample 94927, Threshold:5123, Address: 0xE7E7E7E7E7 length:1, pid:2, no_ack:0, CRC:0x64C1 data:FF 1433238474.778681 NRF24 Packet start sample 95320, Threshold:6176, Address: 0xE7E7E7E7E7 length:0, pid:0, no_ack:0, CRC:0xD1E4 data: 1433238474.819749 NRF24 Packet start sample 186219, Threshold:5007, Address: 0xE7E7E7E7E7 length:15, pid:1, no_ack:0, CRC:0xFE8C data:3C 00 00 00 00 00 00 00 80 00 00 00 00 00 00 1433238474.853860 NRF24 Packet start sample 249975, Threshold:5108, Address: 0xE7E7E7E7E7 length:15, pid:0, no_ack:0, CRC:0xBEE5 data:3C 00 00 00 00 00 00 00 80 00 00 00 00 00 00 1433238474.879752 NRF24 Packet start sample 294095, Threshold:5076, Address: 0xE7E7E7E7E7 length:1, pid:3, no_ack:0, CRC:0x02A3 data:FF 1433238474.881214 NRF24 Packet start sample 298150, Threshold:4770, Address: 0xE7E7E7E7E7 length:1, pid:1, no_ack:0, CRC:0xCE67 data:FF 1433238474.882156 NRF24 Packet start sample 301571, Threshold:5302, Address: 0xE7E7E7E7E7 length:1, pid:2, no_ack:0, CRC:0x64C1 data:FF 1433238474.896965 NRF24 Packet start sample 321818, Threshold:5265, Address: 0xE7E7E7E7E7 length:1, pid:0, no_ack:0, CRC:0xA805 data:FF 1433238474.898889 NRF24 Packet start sample 325754, Threshold:5414, Address: 0xE7E7E7E7E7 length:1, pid:2, no_ack:0, CRC:0x64C1 data:FF 1433238474.943326 NRF24 Packet start sample 403294, Threshold:5538, Address: 0xE7E7E7E7E7 length:15, pid:3, no_ack:0, CRC:0x7E5E data:3C 00 00 00 00 00 00 00 80 00 00 00 00 00 00 1433238474.966901 NRF24 Packet start sample 504654, Threshold:4824, Address: 0xE7E7E7E7E7 length:1, pid:3, no_ack:0, CRC:0x02A3 data:FF
To stop sniffing, stop the GNURadio program and to re-run, run the decoder and then the gnuradio program.