Skip to content
forked from cureHsu/EZ-Wave

Tools for Evaluating and Exploiting Z-Wave Networks using Software-Defined Radios.

Notifications You must be signed in to change notification settings

bryant1410/EZ-Wave

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

51 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Updates / News

06-16-2016:

  • Added ZWave_B210.grc to the repository because I was having trouble getting ZWave.grc to work with Ettus B210s.
  • preamble_impl.cc has been modified to allow up to 200 symbol length preambles. Previously it only had enough space for 80, which, for some reason, caused underflow events when transmitting on Ettus B210s. If you are using an Ettus B210, set your preamble_length variable to 200 (after pulling the latest version).

06-07-2016: We have added the ability to send and receive beams. Beams are used to wake-up battery powered devices.

  • Receiving Beams: packet_sink_impl.cc now extracts beam frames. They show up in your Wireshark captures too!
  • Sending Beams: preamble_impl.cc is modified to send an arbitrary number of continuous beam frames to wake up a target. This is specified by utlizing the 8 byte header appended to a Z-Wave frame sent to the gnuradio Z-Wave transmitter. Byte 0 is still used to identify the frame as a Z-Wave encapsulation frame. Byte 1 indicates the number of beam frames sent before the encapsulated frame is sent. Byte 2 is used to specify the target NodeID to wake-up. The remaining bytes are still 0x00.
  • Regarding the number of beam frames, we use 250 for long continuous beams and 75 for short continuous beams.
  • Wireshark note: If beams clutter up your captures, filter them out with !zwave_beam in filter textbox.

EZ-Wave

EZ-Wave: Tools for Evaluating and Exploiting Z-Wave Networks using Software-Defined Radios. The tools depend heavily on a modified form of the Scapy-Radio Z-Wave gnuRadio transciever (https://bitbucket.org/cybertools/scapy-radio/overview). A special thanks goes out to the Scapy-Radio guys for providing this useful tool to the public, which also sports modules for Bluetooth and ZigBee for those interested in such things.

Notes

ezstumbler: passive Z-Wave network discovery and active network enumeration

ezrecon: Z-Wave device interrogation including:

  • Manufacturer and device name
  • Software/firmware versions
  • Supported Z-Wave command classes
  • Device configuration settings

ezfingerprint: determines device's Z-Wave module generation (3rd or 5th gen) using a PHY layer manipulation technique (preamble length manipulation).

Requirements

**Tested on Ubuntu 14.04 only

Python 2.7

GNU Radio 3.7+ (recommend Pybombs: https://gnuradio.org/redmine/projects/pybombs/wiki/QuickStart)

Wireshark 1.12 to 2.0.1 (https://code.wireshark.org/review/wireshark)

Mercurial (sudo apt-get install mercurial -y)

**Default configuration is for 2 HackRF One SDRs. Other SDRs can be use by modifying the GRC files accordingly post install ($HOME/.scapy/radio).

OsmocomSDR (http://sdr.osmocom.org/trac/wiki/GrOsmoSDR)

HackRF host software (https://github.com/mossmann/hackrf/tree/master/host)

Installation

The setup script will clone Scapy-radio (https://bitbucket.org/cybertools/scapy-radio/) and modify installation files

./setup.sh

Install Scapy-radio

cd $HOME/scapy-radio
./install.sh scapy
./install.sh blocks

Open [gnuradio prefix]/etc/gnuradio/conf.d/grc.conf in a text editor and append ":/usr/local/share/gnuradio/grc/blocks" to global_blocks_path

./install.sh grc

Install Wireshark dissector

Copy all files in EZ-Wave/setup/wireshark to [wireshark]/epan/dissectors

cd [wireshark]
./autogen.sh
./configure
make
sudo make install
sudo ldconfig

Usage

ezstumbler

ezstumbler.py [-h, --help] [-p, --passive] [-t, --timeout] [-a, --active] [--homeid]
      -p, --passive            Conduct a passive scan for a set time (secs)
      -t, --timeout             Timeout (secs) for scans, default=60
      -a, --active              Conduct an active scan for a set time (secs)
      --homeid                 4 byte HomeID to scan (ex: 0x1a2b3c4d)

30s passive followed by active scan:

ezstumbler.py --timeout=30

passive scan:

ezstumbler.py --passive

active scan:

ezstumbler.py --active --homeid=0x1a2b3d4e

ezrecon

ezrecon.py [-h, --help] [-c, --config] [-t, --timeout] homeid nodeid
      homeid                 4 byte HomeID of target network (ex: 0x1a2b3c4d)
      nodeid                  Target device NodeID (in decimal, <233)
      -c, --config            Include scan of device configuration settings (takes a while)
      -t, --timeout           Stop scanning after a given time (secs, default=30)

ezrecon.py 0x1a2b3c4d 20

ezfingerprint

ezfingerprint.py homeid nodeid
      homeid            4 byte HomeID of target network (ex: 0x1a2b3c4d)
      nodeid            Target device NodeID (in decimal, <233)

ezfingerprint.py 0x1a2b3c4d 20

About

Tools for Evaluating and Exploiting Z-Wave Networks using Software-Defined Radios.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C 44.4%
  • Python 26.1%
  • C++ 25.8%
  • Shell 3.7%