Sniffing and decoding NRF24L01+ and bluetooth LE packets for under $30

in tools, wireless by DP | 6 comments

IMG_20140121_020724220_HDR

Omri writes:

In this long post I am going to describe my journey to sniff and decode popular digital wireless protocols off the air for very cheap. So cheap practicality anyone can obtain the equipment quickly.
I was able to decode NRF24L01+ and Bluetooth Low Energy protocols using RTL-SDR.
As far as I can see, this is the first time the NRF24L01+ is being decoded, especially considering the low entry price for the hardware. Given the extreme popularity of this transceiver, we are likely to see a wave of hackers attacking the security of many wireless gadgets, and they are likely to succeed as security is usually the last priority for hardware designers of such cheap gadgets.

This entry was posted in tools, wireless and tagged , .

Comments

  1. mossmann says:

    Everyone in the #ubertooth IRC channel is puzzling over why this person never mentions the considerable prior work done to implement much more complete Bluetooth LE monitoring capabilities on Ubertooth One. I have a hard time seeing how an rtl-sdr solution would be able to hop along with a target LE device like we do with Ubertooth. Also a whole lot of work went into gr-bluetooth for Bluetooth monitoring with GNU Radio; it would make a lot of sense to start with that code (or at least the libbtbb library) instead of duplicating all that effort. It’s all open source.

    That said, the article does a good job of introducing the concept of using an LNB for doing 2.4 GHz stuff with rtl-sdr. It has many applications beyond LE.

  2. Omri says:

    Mossmann,
    Apologize for not mentioning ubertooth. the bulk of the work was done for sniffing NRF, as you can see in the post. adding BTLE was really an hour effort in the last day after I saw the post how to emulate btle with an nrf transceiver. I can definitely use gr-bluetooth if I can get the hopping working.

    btw, in terms of timing, it seems the rtl-sdr can hop fast enough for some timing configurations but I’m not yet able to meet the absolute minimum (6ms if I am not mistaken). do you have experience on what devices usually use in real products?

    • mossmann says:

      I believe you are correct that the minimum tuning time is around 6 ms. I forget sometimes that it is so long for LE compared with classic Bluetooth. The TX/RX switch time for LE is only 150 microseconds, but that doesn’t matter to a sniffer. Perhaps you are right that the rtl-sdr can follow an LE connection. I look forward to the results!

      It didn’t even occur to me at first, but your hardware configuration is exactly what I hoped to create in the early days of Project Ubertooth. I ended up going a different direction and designing my own hardware, but I originally wanted to piece together a TV tuner and a downconverter of some sort. It’s really cool to see that the idea can work even though I wasn’t able to figure out how to do it at the time.

  3. Xykon says:

    I ordered an RTL-SDR dongle at DealExtreme more than a year ago but it never arrived. Even complained about it several times but never got any results. I also backed the HackRF one but shipping was pushed back to May… I’d really like to get started on an SDR project soon, the stuff they are doing seems to be very interesting.

    • mossmann says:

      I recommend nooelec.com and hackerwarehouse.com for rtl-sdr dongles. They sell devices guaranteed to work with rtl-sdr, and they are both operated by people I know and trust. For the prices you can find on DealExtreme, however, you could just order a second there and accept the loss of the first.

Leave a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Notify me of followup comments via e-mail. You can also subscribe without commenting.