apnar Posted December 4, 2015 (edited)

This is a guide on how to receive, send, log, spoof, etc. all Insteon RF traffic in your house.

First, let me say that I can't take credit for any of this. All the credit goes to Peter Shipley (evilpete), who did the research on the Insteon wireless protocol for his DEF CON presentation and then graciously released documentation and his code. This was discussed originally in this thread: http://forum.universal-devices.com/topic/16596-this-could-be-bad/. You can also see the slides from his DEF CON presentation here: https://github.com/evilpete/insteonrf/blob/master/Doc/insteon_defcon23.pdf

There are obviously security implications to this, but at the moment I'm more interested in the functional gains that may be had, in particular the ability to actually debug Insteon issues and easily log all Insteon traffic in my house. Eventually I could see the software maturing to allow fully replacing the PLM.

As the information on all the various components and software is a little spread around, I figured I'd write up a step-by-step guide for those who want to get started but, like me, have no experience with RF hacking.

References:

- insteonrf: https://github.com/evilpete/insteonrf
- rfcat: https://bitbucket.org/atlas0fd00m/rfcat/overview
- another project that used the cc1111 and rfcat (covers flashing rfcat): http://v3gard.com/tag/rfcat/

What to buy:

You'll need some hardware to actually talk RF. There are a number of options evilpete's software supports, but for someone who is only going to use the hardware for working with Insteon (as opposed to broader RF hacking) the cheapest and easiest is something using the TI cc1111 chip. The chip then needs to be programmed with a firmware called rfcat.

If I were to do this again I would purchase a device called the Yard Stick One. It has the proper chip and is also pre-flashed with the rfcat firmware, so it should be plug-and-play. Depending on antenna choice you're looking at around $100-$129 for it:

- https://greatscottgadgets.com/yardstickone/
- https://hakshop.myshopify.com/products/yard-stick-one?variant=6649135621

The other option, which I went with before finding the Yard Stick One, is to buy a cc1111 evaluation board from TI called the CC1111EMK868-915. You can buy it directly from TI or from many of the usual electronics distributors for around $75:

- http://www.ti.com/tool/cc1111emk868-915

The problem is that it doesn't come with the rfcat firmware installed, and you need another device to program it. I opted to get a board called the GoodFET to do the firmware flashing. It unfortunately ran another $50, which was a little pricey for a one-time-use device; at least I could get it on Prime. If anyone wants me to flash their CC1111EMK868-915 with rfcat for them I'm happy to do so, just message me.

- http://goodfet.sourceforge.net/
- http://smile.amazon.com/Hackaday-Goodfet42/dp/B015P8219Y/
- https://www.adafruit.com/products/1279

Installing software:

At this point I'll assume you have a cc1111 device with the rfcat firmware on it plugged into your computer. I did all this on a Ubuntu 14.04.3 LTS LiveCD clean boot to make sure I didn't miss any steps. Nothing seemed too Ubuntu-specific though, so it should work on most other Linux distros (with appropriate package manager changes). For better or for worse, I did it all as root as well.

    # make sure you can see the dongle
    lsusb
    # ....mine looks like....
    # ....
    # Bus 002 Device 006: ID 1d50:6048 OpenMoko, Inc.
    # ....

    # install base software
    add-apt-repository universe
    apt-get update
    apt-get install sdcc git python-usb

    # grab software
    mkdir /root/insteon
    cd /root/insteon
    wget https://bitbucket.org/atlas0fd00m/rfcat/downloads/rfcat_150225.tgz
    tar xvfz rfcat_150225.tgz
    ln -s rfcat_150225 rfcat
    git clone https://github.com/evilpete/insteonrf.git insteonrf

    # install rfcat client tools
    cd /root/insteon/rfcat
    python setup.py install

Sending and receiving Insteon commands:

In classic Unix fashion, evilpete has broken the commands up into small tools that each do one major thing. There are four commands that are important:

- rf_reciv.py - listens for any Insteon RF traffic and outputs binary ASCII to stdout
- rf_send.py - takes binary ASCII via stdin and broadcasts it as Insteon RF traffic
- print_pkt.py - takes binary ASCII via stdin and outputs human-readable decoded Insteon packets
- send_comm.py - takes command line arguments to build an Insteon command and outputs binary ASCII on stdout

You can then use pipes and such to chain commands together.

    # The most basic thing is to watch all the Insteon RF traffic
    cd /root/insteon/insteonrf
    ./rf_reciv.py | ./print_pkt.py

    # you will see something like this, with each line being a decoded packet
    bandwidth 187500.0
    0F : 52 4E 29 : 47 E7 34 : 13 00 DD crc DD
    0B : 52 4E 29 : 47 E7 34 : 13 00 19 00 00 AA crc 19
    07 : 52 4E 29 : 47 E7 34 : 13 00 55 00 00 AA crc 55
    03 : 52 4E 29 : 47 E7 34 : 34 00 91 00 CRC B6
    2B : 47 E7 34 : 52 4E 29 : 13 13
    27 : 47 E7 34 : 52 4E 29 : 29 00 45 00 00 AA CRC 7F
    23 : 47 E7 34 : 52 4E 29 : 13 00 00 00 CRC 81
    23 : 47 E7 34 : 52 4E 29 : 13 00 81 00 crc 81

    # or log the traffic to a file
    ./rf_reciv.py > /tmp/insteon.out
    # then look at it later
    cat /tmp/insteon.out | ./print_pkt.py

    # example to send an Insteon command
    ./send_comm.py -d 163FE5 -s 132580 13 00 | ./rf_send.py

For newer Insteon devices the source specified must be in its link table, so you'll need to pick the appropriate source address (such as your PLM).

I will note that the software is still pretty rough around the edges. I've had it crash out on me more than a few times, from what I'm guessing is packets it doesn't quite understand yet. I hope to get some time over the holidays to put a little work into it and push my changes back over to evilpete.

Edited December 4, 2015 by apnar
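The capture in the post above is easier to read once the leading byte is decoded and the per-hop repeats are folded together. The following is an added example, not code from the post or from the insteonrf project: it parses the text lines that print_pkt.py prints, interprets the first byte as the standard Insteon message-flags byte (message type in bits 7..5, extended bit 4, hops-left in bits 3..2, max-hops in bits 1..0; that this is what print_pkt.py prints is an assumption, supported by the 0F/0B/07/03 hop countdown visible in the log) and collapses consecutive retransmissions of the same message. The small cmd1 name table and the address formatting are also assumptions of this example. The sample log embedded in the block is the capture from the post.

```python
"""Decode print_pkt.py output lines (added example; assumes the leading byte is
the standard Insteon message-flags byte)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Insteon message types encoded in bits 7..5 of the message-flags byte.
MSG_TYPES = {
    0b000: "direct", 0b001: "direct ACK", 0b010: "all-link cleanup",
    0b011: "all-link cleanup ACK", 0b100: "broadcast", 0b101: "direct NAK",
    0b110: "all-link broadcast", 0b111: "all-link cleanup NAK",
}
# Assumed (not from the post): a few common standard-message cmd1 values.
CMD1_NAMES = {0x11: "On", 0x12: "Fast On", 0x13: "Off", 0x14: "Fast Off", 0x19: "Status Request"}

HEX2 = r"[0-9A-Fa-f]{2}"
ADDR = rf"{HEX2}\s+{HEX2}\s+{HEX2}"
LINE_RE = re.compile(rf"^\s*({HEX2})\s*:\s*({ADDR})\s*:\s*({ADDR})\s*:\s*(.*)$")


@dataclass
class Packet:
    flags: int
    src: str
    dst: str
    payload: List[int]      # bytes after the "to" address, up to the crc marker
    crc: Optional[int]      # the byte print_pkt.py labels crc/CRC, if present

    @property
    def msg_type(self) -> str: return MSG_TYPES[self.flags >> 5]
    @property
    def extended(self) -> bool: return bool(self.flags & 0x10)
    @property
    def hops_left(self) -> int: return (self.flags >> 2) & 0x3
    @property
    def max_hops(self) -> int: return self.flags & 0x3
    @property
    def cmd1(self) -> Optional[int]: return self.payload[0] if self.payload else None
    @property
    def cmd2(self) -> Optional[int]: return self.payload[1] if len(self.payload) > 1 else None
    @property
    def cmd_name(self) -> str:
        return "?" if self.cmd1 is None else CMD1_NAMES.get(self.cmd1, "cmd 0x%02X" % self.cmd1)

    def retry_key(self) -> Tuple:
        # What stays constant across the hop retransmissions of one message:
        # the hop counters in the low nibble of flags are masked out.
        return (self.src, self.dst, self.flags & 0xF0, self.cmd1, self.cmd2)


def _addr(s: str) -> str:
    return ".".join(s.split()).upper()       # "52 4E 29" -> "52.4E.29" (assumed format)


def parse_line(line: str) -> Optional[Packet]:
    """Parse one print_pkt.py line; None for non-packet lines such as 'bandwidth ...'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tokens = m.group(4).split()
    payload: List[int] = []
    crc: Optional[int] = None
    for i, tok in enumerate(tokens):
        if tok.lower() == "crc":            # the marker may be printed as crc or CRC
            if i + 1 < len(tokens):
                crc = int(tokens[i + 1], 16)
            break
        payload.append(int(tok, 16))
    return Packet(int(m.group(1), 16), _addr(m.group(2)), _addr(m.group(3)), payload, crc)


def parse_log(text: str) -> List[Packet]:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p is not None]


def collapse_retries(packets: List[Packet]) -> List[Tuple[Packet, List[int]]]:
    """Fold consecutive packets that differ only in hop count into (first, hops_left list)."""
    groups: List[Tuple[Packet, List[int]]] = []
    for pkt in packets:
        if groups and groups[-1][0].retry_key() == pkt.retry_key():
            groups[-1][1].append(pkt.hops_left)
        else:
            groups.append((pkt, [pkt.hops_left]))
    return groups


def summarize(text: str) -> List[str]:
    out = []
    for pkt, hops in collapse_retries(parse_log(text)):
        cmd2 = "--" if pkt.cmd2 is None else "0x%02X" % pkt.cmd2
        out.append("%s -> %s  %-20s %-14s cmd2=%s  copies=%d hops_left=%s" % (
            pkt.src, pkt.dst, pkt.msg_type, pkt.cmd_name, cmd2, len(hops), hops))
    return out


# Constructed input: the capture shown in the post above.
SAMPLE_LOG = """\
bandwidth 187500.0
0F : 52 4E 29 : 47 E7 34 : 13 00 DD crc DD
0B : 52 4E 29 : 47 E7 34 : 13 00 19 00 00 AA crc 19
07 : 52 4E 29 : 47 E7 34 : 13 00 55 00 00 AA crc 55
03 : 52 4E 29 : 47 E7 34 : 34 00 91 00 CRC B6
2B : 47 E7 34 : 52 4E 29 : 13 13
27 : 47 E7 34 : 52 4E 29 : 29 00 45 00 00 AA CRC 7F
23 : 47 E7 34 : 52 4E 29 : 13 00 00 00 CRC 81
23 : 47 E7 34 : 52 4E 29 : 13 00 81 00 crc 81
"""

if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run as `./rf_reciv.py | ./print_pkt.py | python3 decode_log.py` (the file name is yours to choose; the block reads SAMPLE_LOG when run directly). Under the stated assumption, the first three lines of the capture read as one direct Off (0x13 0x00) from 52.4E.29 to 47.E7.34 retransmitted with hops left 3, 2, 1, and the 2x lines as the responses from 47.E7.34. Note that a passive capture like this also hands you the pair of addresses that send_comm.py's -s and -d options need, which is the practical side of the post's remark that the source must already be in the target's link table.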
evilpete Posted December 4, 2015 (edited)

Feel free to send me push requests; most of the Python code was written while I was beating on it with a hammer till it worked. The demodulation code in C has been rewritten and needs to be linted and checked in.

Edited December 7, 2015 by evilpete