Learn how to build a Zigbee Protocol Analyzer using a CC2531 dongle with Texas Instruments firmware. On this tutorial I will guide through the all process.

Hardware Used

HardwarePriceStore
USB cc2531 Dongle5Vendor
CC Debugger15Vendor
Hardware – ZigBee Sniffer

cc2531 usb sniffer Features

The CC2531 USB dongle is a fully functional USB device that connects a PC to IEEE802.15.4 / ZigBee applications.

It has CC2531ZNP-Prod firmware and may be used as a Zigbee packet sniffer when inserted straight into a PC, Raspberry, etc.

  • Flashed with CC2531ZNP-Prod firmware for zigbee2mqtt application
  • Lead out 8 IO connectors
  • Debug interface
  • Size: 5.6*1.6*0.7cm
  • Two buttons and two LEDs for user interaction
Zigbee Protocol Analyzer
Zigbee Protocol Analyzer

CC Debugger

The CC Debugger is a small programmer and debugger for the TI Low Power RF System-on-Chips.

It can be used together with IAR Embedded Workbench for 8051 (version 7.51A or later) for debugging and SmartRF Flash Programmer for flash programming.

Zigbee Protocol Analyzer
CC Debugger

The CC Debugger can also be used for controlling selected devices from SmartRF Studio.

Software Used

SoftwareVersionDownload
Debian Buster armv7l5.10.103-v7
CC-Tool
Wireshark
WHsniff1.3WHsniff Git
Texas SnifferSniffer Firmware
Software – ZigBee Sniffer

Install all dependencies

In order to all software work we need to install some dependencies, execute:

sudo apt-get install -y libusb-1.0-0-dev wireshark libboost-all-dev p7zip-full

Install CC-Tool

rfs@offensive-wireless:~/ZigBee_Sniffer $ git clone https://github.com/dashesy/cc-tool.git
rfs@offensive-wireless:~/ZigBee_Sniffer $ cd cc-tool
Zigbee Protocol Analyzer
rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ ./bootstrap
Zigbee Protocol Analyzer
rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ ./configure
Zigbee Protocol Analyzer
rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ make
Zigbee Protocol Analyzer

Download Sniffer Firmware

Zigbee Protocol Analyzer
Zigbee Protocol Analyzer
rfs@offensive-wireless:~/ZigBee_Sniffer $ unzip swrc045z.zip -d firmware_extracted
Zigbee Protocol Analyzer
$ 7z e firmware_extracted/Setup_SmartRF_Packet_Sniffer_2.18.0.exe bin/general/firmware/sniffer_fw_cc2531.hex
Zigbee Protocol Analyzer
[Top] Zigbee Protocol Analyzer: What you need to know 16
sudo <path-to>/cc-tool -e -w <path-to>/sniffer_fw_cc2531.hex

Write the Firmware into cc2531

rfs@offensive-wireless:~/ZigBee_Sniffer $ sudo ./cc-tool/cc-tool -e -w sniffer_fw_cc2531.hex
Zigbee Protocol Analyzer

How to Install whsniff – Zigbee sniffer software

curl -L https://github.com/homewsn/whsniff/archive/v1.3.tar.gz | tar zx
cd whsniff-1.3
Zigbee Protocol Analyzer
[Top] Zigbee Protocol Analyzer: What you need to know 17
rfs@offensive-wireless:~/ZigBee_Sniffer/whsniff-1.3 $ make
Zigbee Protocol Analyzer
rfs@offensive-wireless:~/ZigBee_Sniffer/whsniff-1.3 $ sudo make install
Zigbee Protocol Analyzer

Zigbee Protocol Analyzer

sudo whsniff -c 11 | wireshark -k -i -
ssh rfs@192.168.4.221 "whsniff -c 18" | wireshark -k -i -

Configure our ZigBee Packet Sniffer to decode

Can zigbee sniffer see ieee mac address?

Yes, any ZigBee sniffer can see ieee MAC Address.

After