Learn how to build a Zigbee Protocol Analyzer using a CC2531 dongle with Texas Instruments firmware. On this tutorial I will guide through the all process.
Table of Contents
Hardware Used
Hardware | Price | Store |
USB cc2531 Dongle | 5 | Vendor |
CC Debugger | 15 | Vendor |
cc2531 usb sniffer Features
The CC2531 USB dongle is a fully functional USB device that connects a PC to IEEE802.15.4 / ZigBee applications.
It has CC2531ZNP-Prod firmware and may be used as a Zigbee packet sniffer when inserted straight into a PC, Raspberry, etc.
- Flashed with CC2531ZNP-Prod firmware for zigbee2mqtt application
- Lead out 8 IO connectors
- Debug interface
- Size: 5.6*1.6*0.7cm
- Two buttons and two LEDs for user interaction
CC Debugger
The CC Debugger is a small programmer and debugger for the TI Low Power RF System-on-Chips.
It can be used together with IAR Embedded Workbench for 8051 (version 7.51A or later) for debugging and SmartRF Flash Programmer for flash programming.
The CC Debugger can also be used for controlling selected devices from SmartRF Studio.
Software Used
Software | Version | Download |
Debian Buster armv7l | 5.10.103-v7 | |
CC-Tool | ||
Wireshark | ||
WHsniff | 1.3 | WHsniff Git |
Texas Sniffer | Sniffer Firmware |
Install all dependencies
In order to all software work we need to install some dependencies, execute:
sudo apt-get install -y libusb-1.0-0-dev wireshark libboost-all-dev p7zip-full
Install CC-Tool
rfs@offensive-wireless:~/ZigBee_Sniffer $ git clone https://github.com/dashesy/cc-tool.git
rfs@offensive-wireless:~/ZigBee_Sniffer $ cd cc-tool
rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ ./bootstrap
rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ ./configure
rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ make
Download Sniffer Firmware
rfs@offensive-wireless:~/ZigBee_Sniffer $ unzip swrc045z.zip -d firmware_extracted
$ 7z e firmware_extracted/Setup_SmartRF_Packet_Sniffer_2.18.0.exe bin/general/firmware/sniffer_fw_cc2531.hex
sudo <path-to>/cc-tool -e -w <path-to>/sniffer_fw_cc2531.hex
Write the Firmware into cc2531
rfs@offensive-wireless:~/ZigBee_Sniffer $ sudo ./cc-tool/cc-tool -e -w sniffer_fw_cc2531.hex
How to Install whsniff – Zigbee sniffer software
curl -L https://github.com/homewsn/whsniff/archive/v1.3.tar.gz | tar zx
cd whsniff-1.3
rfs@offensive-wireless:~/ZigBee_Sniffer/whsniff-1.3 $ make
rfs@offensive-wireless:~/ZigBee_Sniffer/whsniff-1.3 $ sudo make install
Zigbee Protocol Analyzer
sudo whsniff -c 11 | wireshark -k -i -
ssh rfs@192.168.4.221 "whsniff -c 18" | wireshark -k -i -
Configure our ZigBee Packet Sniffer to decode
Can zigbee sniffer see ieee mac address?
Yes, any ZigBee sniffer can see ieee MAC Address.
After