hardsploit_gui 2.3 → 2.4.0
- checksums.yaml +4 -4
- data/README.md +22 -22
- data/Rakefile +1 -1
- data/bin/hardsploit_gui +3 -3
- data/lib/Firmwares/FPGA/I2C/I2C_INTERACT/HARDSPLOIT_FIRMWARE_FPGA_I2C_INTERACT.rpd +0 -0
- data/lib/Firmwares/FPGA/PARALLEL/NO_MUX_PARALLEL_MEMORY/HARDSPLOIT_FIRMWARE_FPGA_NO_MUX_PARALLEL_MEMORY.rpd +0 -0
- data/lib/Firmwares/FPGA/SPI/SPI_INTERACT/HARDSPLOIT_FIRMWARE_FPGA_SPI_INTERACT.rpd +0 -0
- data/lib/Firmwares/FPGA/SPI/SPI_SNIFFER/HARDSPLOIT_FIRMWARE_FPGA_SPI_SNIFFER.rpd +0 -0
- data/lib/Firmwares/FPGA/SWD/SWD_INTERACT/HARDSPLOIT_FIRMWARE_FPGA_SWD_INTERACT.rpd +0 -0
- data/lib/Firmwares/FPGA/UART/UART_INTERACT/HARDSPLOIT_FIRMWARE_FPGA_UART_INTERACT.rpd +0 -0
- data/lib/Firmwares/FPGA/VersionFPGA.rb +5 -5
- data/lib/Firmwares/UC/VersionUC.rb +12 -12
- data/lib/HardsploitAPI/Core/HardsploitAPI.rb +210 -210
- data/lib/HardsploitAPI/Core/HardsploitAPI_CONSTANT.rb +150 -150
- data/lib/HardsploitAPI/Core/HardsploitAPI_ERROR.rb +109 -109
- data/lib/HardsploitAPI/Core/HardsploitAPI_FIRMWARE.rb +305 -305
- data/lib/HardsploitAPI/Core/HardsploitAPI_PROGRESS.rb +28 -28
- data/lib/HardsploitAPI/Core/HardsploitAPI_USB_COMMUNICATION.rb +166 -166
- data/lib/HardsploitAPI/Modules/I2C/HardsploitAPI_I2C.rb +356 -356
- data/lib/HardsploitAPI/Modules/NO_MUX_PARALLEL_MEMORY/HardsploitAPI_NO_MUX_PARALLEL_MEMORY.rb +206 -206
- data/lib/HardsploitAPI/Modules/NRF24L01/HardsploitAPI_NRF24L01.rb +306 -306
- data/lib/HardsploitAPI/Modules/SPI/HardsploitAPI_SPI.rb +340 -340
- data/lib/HardsploitAPI/Modules/SPI_SNIFFER/HardsploitAPI_SPI_SNIFFER.rb +83 -83
- data/lib/HardsploitAPI/Modules/SWD/HardsploitAPI_SWD.rb +367 -367
- data/lib/HardsploitAPI/Modules/SWD/HardsploitAPI_SWD_DEBUG.rb +89 -89
- data/lib/HardsploitAPI/Modules/SWD/HardsploitAPI_SWD_MEM_AP.rb +61 -61
- data/lib/HardsploitAPI/Modules/SWD/HardsploitAPI_SWD_STM32.rb +121 -121
- data/lib/HardsploitAPI/Modules/TEST/HardsploitAPI_TEST_INTERACT.rb +98 -98
- data/lib/HardsploitAPI/Modules/UART/HardsploitAPI_UART.rb +196 -196
- data/lib/Hardsploit_gui.rb +96 -96
- data/lib/LICENSE.txt +674 -674
- data/lib/README.md +22 -22
- data/lib/TRADEMARK +2 -2
- data/lib/class/Chip_editor.rb +304 -304
- data/lib/class/Chip_management.rb +496 -496
- data/lib/class/Command_editor.rb +216 -216
- data/lib/class/Command_table.rb +233 -233
- data/lib/class/Console.rb +26 -26
- data/lib/class/ErrorMsg.rb +312 -312
- data/lib/class/Export.rb +140 -140
- data/lib/class/Export_manager.rb +124 -124
- data/lib/class/Firmware.rb +70 -70
- data/lib/class/Generic_commands.rb +260 -260
- data/lib/class/{i2c → I2C}/I2c_command.rb +51 -51
- data/lib/class/{i2c → I2C}/I2c_export.rb +95 -95
- data/lib/class/{i2c → I2C}/I2c_import.rb +117 -117
- data/lib/class/{i2c → I2C}/I2c_scanner.rb +114 -114
- data/lib/class/{i2c → I2C}/I2c_settings.rb +148 -148
- data/lib/class/Import.rb +193 -193
- data/lib/class/{parallel → PARALLEL}/Parallel_export.rb +118 -118
- data/lib/class/{parallel → PARALLEL}/Parallel_import.rb +113 -113
- data/lib/class/{parallel → PARALLEL}/Parallel_settings.rb +81 -81
- data/lib/class/Progress_bar.rb +32 -32
- data/lib/class/{spi → SPI}/Spi_export.rb +108 -108
- data/lib/class/{spi → SPI}/Spi_import.rb +159 -159
- data/lib/class/{spi → SPI}/Spi_settings.rb +108 -108
- data/lib/class/{spi → SPI}/Spi_sniffer.rb +101 -101
- data/lib/class/Signal_mapper.rb +120 -120
- data/lib/class/Wire_helper.rb +230 -230
- data/lib/class/swd/Swd.rb +125 -125
- data/lib/class/swd/Swd_scanner.rb +121 -121
- data/lib/class/swd/Swd_settings.rb +76 -76
- data/lib/class/uart/Uart_baudrate.rb +62 -62
- data/lib/class/uart/Uart_console.rb +115 -115
- data/lib/class/uart/Uart_settings.rb +102 -102
- data/lib/db/associations.rb +138 -138
- data/lib/db/database.rb +4 -4
- data/lib/db/development.sqlite3 +0 -0
- data/lib/db/migrate/004_create_manufacturers.rb +13 -13
- data/lib/db/migrate/005_create_packages.rb +13 -13
- data/lib/db/migrate/006_create_chip_types.rb +11 -11
- data/lib/db/migrate/007_create_buses.rb +11 -11
- data/lib/db/migrate/008_create_signals.rb +14 -14
- data/lib/db/migrate/009_create_chips.rb +25 -25
- data/lib/db/migrate/010_create_commands.rb +21 -21
- data/lib/db/migrate/011_create_bytes.rb +19 -19
- data/lib/db/migrate/012_create_i2c_settings.rb +21 -21
- data/lib/db/migrate/013_create_spi_settings.rb +26 -26
- data/lib/db/migrate/014_create_parallel_settings.rb +21 -21
- data/lib/db/migrate/015_create_pins.rb +19 -19
- data/lib/db/migrate/016_create_uses.rb +17 -17
- data/lib/db/migrate/017_create_swd_settings.rb +19 -19
- data/lib/db/migrate/018_create_uart_settings.rb +22 -22
- data/lib/db/schema.rb +157 -157
- data/lib/db/seeds.rb +161 -161
- data/lib/gui/gui_chip_editor.rb +349 -349
- data/lib/gui/gui_chip_management.rb +377 -377
- data/lib/gui/gui_command_editor.rb +219 -219
- data/lib/gui/gui_export.rb +132 -132
- data/lib/gui/gui_export_manager.rb +93 -93
- data/lib/gui/gui_generic_commands.rb +202 -202
- data/lib/gui/gui_generic_export.rb +164 -164
- data/lib/gui/gui_generic_import.rb +142 -142
- data/lib/gui/gui_i2c_command.rb +116 -116
- data/lib/gui/gui_i2c_settings.rb +230 -230
- data/lib/gui/gui_import.rb +131 -131
- data/lib/gui/gui_parallel_settings.rb +195 -195
- data/lib/gui/gui_progress_bar.rb +85 -85
- data/lib/gui/gui_signal_mapper.rb +121 -121
- data/lib/gui/gui_signal_scanner.rb +146 -146
- data/lib/gui/gui_spi_import.rb +126 -126
- data/lib/gui/gui_spi_settings.rb +313 -313
- data/lib/gui/gui_spi_sniffer.rb +112 -112
- data/lib/gui/gui_swd_settings.rb +166 -166
- data/lib/gui/gui_uart_baudrate.rb +114 -114
- data/lib/gui/gui_uart_console.rb +164 -164
- data/lib/gui/gui_uart_settings.rb +243 -243
- data/lib/gui/gui_wire_helper.rb +99 -99
- data/lib/gui_designer/gui_chip_editor.ui +549 -549
- data/lib/gui_designer/gui_chip_management.ui +886 -886
- data/lib/gui_designer/gui_command_editor.ui +350 -350
- data/lib/gui_designer/gui_export.ui +171 -171
- data/lib/gui_designer/gui_export_manager.ui +115 -115
- data/lib/gui_designer/gui_generic_commands.ui +342 -342
- data/lib/gui_designer/gui_generic_export.ui +202 -202
- data/lib/gui_designer/gui_generic_import.ui +165 -165
- data/lib/gui_designer/gui_i2c_command.ui +148 -148
- data/lib/gui_designer/gui_i2c_settings.ui +292 -292
- data/lib/gui_designer/gui_import.ui +168 -168
- data/lib/gui_designer/gui_parallel_settings.ui +247 -247
- data/lib/gui_designer/gui_progress_bar.ui +86 -86
- data/lib/gui_designer/gui_signal_mapper.ui +179 -179
- data/lib/gui_designer/gui_signal_scanner.ui +261 -261
- data/lib/gui_designer/gui_spi_settings.ui +446 -446
- data/lib/gui_designer/gui_spi_sniffer.ui +156 -156
- data/lib/gui_designer/gui_swd_settings.ui +189 -189
- data/lib/gui_designer/gui_uart_baudrate.ui +161 -161
- data/lib/gui_designer/gui_uart_console.ui +284 -284
- data/lib/gui_designer/gui_uart_settings.ui +280 -280
- data/lib/gui_designer/gui_wire_helper.ui +117 -117
- data/lib/images/search.png +0 -0
- data/lib/logs/error.log +0 -63
- data/lib/models/bus.rb +19 -19
- data/lib/models/byte.rb +29 -29
- data/lib/models/chip.rb +41 -41
- data/lib/models/chip_type.rb +14 -14
- data/lib/models/command.rb +20 -20
- data/lib/models/i2c_setting.rb +41 -41
- data/lib/models/manufacturer.rb +14 -14
- data/lib/models/package.rb +26 -26
- data/lib/models/parallel_setting.rb +37 -37
- data/lib/models/pin.rb +14 -14
- data/lib/models/signall.rb +20 -20
- data/lib/models/spi_setting.rb +67 -67
- data/lib/models/swd_setting.rb +25 -25
- data/lib/models/uart_setting.rb +52 -52
- data/lib/models/use.rb +6 -6
- data/lib/startHardsploit.rb +10 -10
- metadata +14 -14
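--- a/data/lib/HardsploitAPI/Modules/NO_MUX_PARALLEL_MEMORY/HardsploitAPI_NO_MUX_PARALLEL_MEMORY.rb
+++ b/data/lib/HardsploitAPI/Modules/NO_MUX_PARALLEL_MEMORY/HardsploitAPI_NO_MUX_PARALLEL_MEMORY.rb
@@ -1,206 +1,206 @@
-#!/usr/bin/ruby
-#===================================================
-# Hardsploit API - By Opale Security
-# www.opale-security.com || www.hardsploit.io
-# License: GNU General Public License v3
-# License URI: http://www.gnu.org/licenses/gpl.txt
-#===================================================
-
-class HardsploitAPI_PARALLEL
-public
-def initialize
-#to be sure the singleton was initialize
-HardsploitAPI.instance.connect
-end
-
-def readManufactuerCodeMemory
-write_command_Memory_WithoutMultiplexing(0x00000000,0x90) #ReadDeviceIdentifierCommand
-return readByteFromMemory(1) #Read from 1 to 1 = read 1 byte at 1
-end
-
-def readDeviceIdMemory
-write_command_Memory_WithoutMultiplexing(0x00000000,0x90) #ReadDeviceIdentifierCommand
-return readByteFromMemory(0)#Read 0
-end
-
-def writeByteToMemory(address,value)
-#Write data in word mode and read Five status register
-write_command_Memory_WithoutMultiplexing(address,0x0040)
-write_command_Memory_WithoutMultiplexing(address,value)
-return readByteFromMemory(0)
-end
-
-def readMode
-#go in read mode
-write_command_Memory_WithoutMultiplexing(0x000000,0x00FF)
-end
-
-def eraseBlockMemory(blockAddress)
-#Read Five Word
-write_command_Memory_WithoutMultiplexing(blockAddress,0x0020) #Block erase command
-statut = write_command_Memory_WithoutMultiplexing(blockAddress,0x00D0) #Confirm Block erase command
-
-timeout = 10
-# while (statut != 128 ) && (timeout >= 0)
-#
-# puts "#{statut} #{timeout}"
-# statut = readByteFromMemory(0) #read statut register
-# sleep(100)
-# if timeout == 0 then
-# return statut
-# else
-# timeout = timeout-1
-# end
-# end
-for ty in 0..4
-puts readByteFromMemory(0)
-end
-
-puts "Return timeout"
-return statut
-end
-
-def clearStatusRegisterOfMemory
-#Clear Statut register
-write_command_Memory_WithoutMultiplexing(0x000000,0x50)
-end
-
-def unlockBlock (blockAddress)
-write_command_Memory_WithoutMultiplexing(blockAddress,0x0060) #Lock Block Command
-write_command_Memory_WithoutMultiplexing(blockAddress,0x00D0) #UnLock Command
-return readByteFromMemory(0x000000) #read statut register
-end
-
-def write_command_Memory_WithoutMultiplexing(address,data)
-packet = HardsploitAPI.prepare_packet
-packet.push 0 #16 bits
-packet.push (1500/6.66).floor #latency at 1500ns
-
-packet.push ((address & 0xFF000000) >> 24 ) #AddStart3
-packet.push ((address & 0x00FF0000) >> 16 ) #AddStart2
-packet.push ((address & 0x0000FF00) >> 8 ) #AddStart1
-packet.push ((address & 0x000000FF) >> 0) #AddStart0
-packet.push 0x20 #Memory write command
-packet.push ((data & 0xFF00) >> 8 ) #Data HIGHT BYTE
-packet.push ((data & 0xFF) >> 0) #Data LOW BYTE
-
-
-result = HardsploitAPI.instance.sendAndReceiveDATA(packet,1000)
-if result == USB_STATE::TIMEOUT_RECEIVE then
-raise "TIMEOUT"
-elsif result[4] == (data & 0xFF)
-
-return readByteFromMemory(0)
-else
-raise "ERROR BAD RESPONSE"
-end
-end
-
-def readByteFromMemory(address)
-packet = Array.new
-packet.push 0 #low byte of lenght of trame refresh automaticly before send by usb
-packet.push 0 #high byte of lenght of trame refresh automaticly before send by usb
-packet.push HardsploitAPI.lowByte(HardsploitAPI::USB_COMMAND::FPGA_COMMAND)
-packet.push HardsploitAPI.highByte(HardsploitAPI::USB_COMMAND::FPGA_COMMAND)
-
-packet.push 0x50 #Command RAW COMMUNICATION TO FPGA FIFO
-
-
-#16 bits
-packet.push 0
-packet.push (1500/6.66).floor
-
-
-packet.push ((address & 0xFF000000) >> 24 ) #AddStart3
-packet.push ((address & 0x00FF0000) >> 16 ) #AddStart2
-packet.push ((address & 0x0000FF00) >> 8 ) #AddStart1
-packet.push ((address & 0x000000FF) >> 0) #AddStart0
-
-packet.push 0x10 #Memory read command
-packet.push ((address & 0xFF000000) >> 24 ) #AddStart3
-packet.push ((address & 0x00FF0000) >> 16 ) #AddStop2
-packet.push ((address & 0x0000FF00) >> 8 ) #AddStop1
-packet.push ((address & 0x000000FF) >> 0) #AddStop0
-
-result = sendAndReceiveDATA(packet,1000)
-
-if result == USB_STATE::TIMEOUT_RECEIVE then
-return "TIMEOUT"
-else
-if result.size == 6 then
-return HardsploitAPI.BytesToInt(result[4] , result[5])
-else
-raise "BAD RESPONSE"
-end
-end
-end
-
-
-
-
-
-# Read parallele memory in asynchronous mode (blocking function) but callBack data is used to receive packet
-# * +addressStart+:: 32 bits address
-# * +addressStop+:: 32 bits address
-# * +bits8_or_bits16_DataSize+:: 0 for 8 bits operation & 1 for 16 bits operation
-# * +latency+:: latency in ns range 7ns to 1600ns=1,6ms
-# Return USB_STATE End with TIMEOUT_RECEIVE but need to check if received the right number of bytes to ensure all is correct
-def read_Memory_WithoutMultiplexing(path:,addressStart: , addressStop:, bits8_or_bits16_DataSize:, latency:)
-numberOfByteReaded = 0
-packet = HardsploitAPI.prepare_packet
-
-#Chek if 8bits or 16 bits
-if bits8_or_bits16_DataSize == true then
-packet.push 1
-else
-packet.push 0
-end
-
-#Check latency value
-if ((latency >= 7) and (latency <= 1600)) then
-packet.push (latency/6.66).floor
-else
-raise TypeError, 'Latency value must be from 7 to 1695'
-end
-
-#Check address
-if (addressStop <= addressStart ) then
-raise TypeError, 'Stop address is less than start address'
-end
-
-packet.push ((addressStart & 0xFF000000) >> 24 ) #AddStart3
-packet.push ((addressStart & 0x00FF0000) >> 16 ) #AddStart2
-packet.push ((addressStart & 0x0000FF00) >> 8 ) #AddStart1
-packet.push ((addressStart & 0x000000FF) >> 0) #AddStart0
-
-packet.push 0x10 #Memory read command
-packet.push ((addressStop & 0xFF000000) >> 24 ) #AddStart3
-packet.push ((addressStop & 0x00FF0000) >> 16 ) #AddStop2
-packet.push ((addressStop & 0x0000FF00) >> 8 ) #AddStop1
-packet.push ((addressStop & 0x000000FF) >> 0) #AddStop0
-
-HardsploitAPI.instance.sendPacket(packet)
-
-if bits8_or_bits16_DataSize then
-sizeCalculated = (addressStop-addressStart+1)
-else
-sizeCalculated = (addressStop-addressStart+1)*2
-end
-file = File.open(path,"wb")
-numberOfByteReaded = 0
-while true
-tmp= HardsploitAPI.instance.receiveDATA(2000)
-#remove header (4 bytes 2 for size 2 for type of command)
-tmp = tmp.bytes.drop(4)
-file.write tmp.pack('C*')
-
-numberOfByteReaded = numberOfByteReaded + tmp.size
-HardsploitAPI.instance.consoleInfo "Receive #{numberOfByteReaded} of #{sizeCalculated}"
-if numberOfByteReaded >= sizeCalculated then
-file.close
-#Exit because we received all data
-return
-end
-end
-end
-end
+#!/usr/bin/ruby
+#===================================================
+# Hardsploit API - By Opale Security
+# www.opale-security.com || www.hardsploit.io
+# License: GNU General Public License v3
+# License URI: http://www.gnu.org/licenses/gpl.txt
+#===================================================
+
+class HardsploitAPI_PARALLEL
+public
+def initialize
+#to be sure the singleton was initialize
+HardsploitAPI.instance.connect
+end
+
+def readManufactuerCodeMemory
+write_command_Memory_WithoutMultiplexing(0x00000000,0x90) #ReadDeviceIdentifierCommand
+return readByteFromMemory(1) #Read from 1 to 1 = read 1 byte at 1
+end
+
+def readDeviceIdMemory
+write_command_Memory_WithoutMultiplexing(0x00000000,0x90) #ReadDeviceIdentifierCommand
+return readByteFromMemory(0)#Read 0
+end
+
+def writeByteToMemory(address,value)
+#Write data in word mode and read Five status register
+write_command_Memory_WithoutMultiplexing(address,0x0040)
+write_command_Memory_WithoutMultiplexing(address,value)
+return readByteFromMemory(0)
+end
+
+def readMode
+#go in read mode
+write_command_Memory_WithoutMultiplexing(0x000000,0x00FF)
+end
+
+def eraseBlockMemory(blockAddress)
+#Read Five Word
+write_command_Memory_WithoutMultiplexing(blockAddress,0x0020) #Block erase command
+statut = write_command_Memory_WithoutMultiplexing(blockAddress,0x00D0) #Confirm Block erase command
+
+timeout = 10
+# while (statut != 128 ) && (timeout >= 0)
+#
+# puts "#{statut} #{timeout}"
+# statut = readByteFromMemory(0) #read statut register
+# sleep(100)
+# if timeout == 0 then
+# return statut
+# else
+# timeout = timeout-1
+# end
+# end
+for ty in 0..4
+puts readByteFromMemory(0)
+end
+
+puts "Return timeout"
+return statut
+end
+
+def clearStatusRegisterOfMemory
+#Clear Statut register
+write_command_Memory_WithoutMultiplexing(0x000000,0x50)
+end
+
+def unlockBlock (blockAddress)
+write_command_Memory_WithoutMultiplexing(blockAddress,0x0060) #Lock Block Command
+write_command_Memory_WithoutMultiplexing(blockAddress,0x00D0) #UnLock Command
+return readByteFromMemory(0x000000) #read statut register
+end
+
+def write_command_Memory_WithoutMultiplexing(address,data)
+packet = HardsploitAPI.prepare_packet
+packet.push 0 #16 bits
+packet.push (1500/6.66).floor #latency at 1500ns
+
+packet.push ((address & 0xFF000000) >> 24 ) #AddStart3
+packet.push ((address & 0x00FF0000) >> 16 ) #AddStart2
+packet.push ((address & 0x0000FF00) >> 8 ) #AddStart1
+packet.push ((address & 0x000000FF) >> 0) #AddStart0
+packet.push 0x20 #Memory write command
+packet.push ((data & 0xFF00) >> 8 ) #Data HIGHT BYTE
+packet.push ((data & 0xFF) >> 0) #Data LOW BYTE
+
+
+result = HardsploitAPI.instance.sendAndReceiveDATA(packet,1000)
+if result == USB_STATE::TIMEOUT_RECEIVE then
+raise "TIMEOUT"
+elsif result[4] == (data & 0xFF)
+
+return readByteFromMemory(0)
+else
+raise "ERROR BAD RESPONSE"
+end
+end
+
+def readByteFromMemory(address)
+packet = Array.new
+packet.push 0 #low byte of lenght of trame refresh automaticly before send by usb
+packet.push 0 #high byte of lenght of trame refresh automaticly before send by usb
+packet.push HardsploitAPI.lowByte(HardsploitAPI::USB_COMMAND::FPGA_COMMAND)
+packet.push HardsploitAPI.highByte(HardsploitAPI::USB_COMMAND::FPGA_COMMAND)
+
+packet.push 0x50 #Command RAW COMMUNICATION TO FPGA FIFO
+
+
+#16 bits
+packet.push 0
+packet.push (1500/6.66).floor
+
+
+packet.push ((address & 0xFF000000) >> 24 ) #AddStart3
+packet.push ((address & 0x00FF0000) >> 16 ) #AddStart2
+packet.push ((address & 0x0000FF00) >> 8 ) #AddStart1
+packet.push ((address & 0x000000FF) >> 0) #AddStart0
+
+packet.push 0x10 #Memory read command
+packet.push ((address & 0xFF000000) >> 24 ) #AddStart3
+packet.push ((address & 0x00FF0000) >> 16 ) #AddStop2
+packet.push ((address & 0x0000FF00) >> 8 ) #AddStop1
+packet.push ((address & 0x000000FF) >> 0) #AddStop0
+
+result = sendAndReceiveDATA(packet,1000)
+
+if result == USB_STATE::TIMEOUT_RECEIVE then
+return "TIMEOUT"
+else
+if result.size == 6 then
+return HardsploitAPI.BytesToInt(result[4] , result[5])
+else
+raise "BAD RESPONSE"
+end
+end
+end
+
+
+
+
+
+# Read parallele memory in asynchronous mode (blocking function) but callBack data is used to receive packet
+# * +addressStart+:: 32 bits address
+# * +addressStop+:: 32 bits address
+# * +bits8_or_bits16_DataSize+:: 0 for 8 bits operation & 1 for 16 bits operation
+# * +latency+:: latency in ns range 7ns to 1600ns=1,6ms
+# Return USB_STATE End with TIMEOUT_RECEIVE but need to check if received the right number of bytes to ensure all is correct
+def read_Memory_WithoutMultiplexing(path:,addressStart: , addressStop:, bits8_or_bits16_DataSize:, latency:)
+numberOfByteReaded = 0
+packet = HardsploitAPI.prepare_packet
+
+#Chek if 8bits or 16 bits
+if bits8_or_bits16_DataSize == true then
+packet.push 1
+else
+packet.push 0
+end
+
+#Check latency value
+if ((latency >= 7) and (latency <= 1600)) then
+packet.push (latency/6.66).floor
+else
+raise TypeError, 'Latency value must be from 7 to 1695'
+end
+
+#Check address
+if (addressStop <= addressStart ) then
+raise TypeError, 'Stop address is less than start address'
+end
+
+packet.push ((addressStart & 0xFF000000) >> 24 ) #AddStart3
+packet.push ((addressStart & 0x00FF0000) >> 16 ) #AddStart2
+packet.push ((addressStart & 0x0000FF00) >> 8 ) #AddStart1
+packet.push ((addressStart & 0x000000FF) >> 0) #AddStart0
+
+packet.push 0x10 #Memory read command
+packet.push ((addressStop & 0xFF000000) >> 24 ) #AddStart3
+packet.push ((addressStop & 0x00FF0000) >> 16 ) #AddStop2
+packet.push ((addressStop & 0x0000FF00) >> 8 ) #AddStop1
+packet.push ((addressStop & 0x000000FF) >> 0) #AddStop0
+
+HardsploitAPI.instance.sendPacket(packet)
+
+if bits8_or_bits16_DataSize then
+sizeCalculated = (addressStop-addressStart+1)
+else
+sizeCalculated = (addressStop-addressStart+1)*2
+end
+file = File.open(path,"wb")
+numberOfByteReaded = 0
+while true
+tmp= HardsploitAPI.instance.receiveDATA(2000)
+#remove header (4 bytes 2 for size 2 for type of command)
+tmp = tmp.bytes.drop(4)
+file.write tmp.pack('C*')
+
+numberOfByteReaded = numberOfByteReaded + tmp.size
+HardsploitAPI.instance.consoleInfo "Receive #{numberOfByteReaded} of #{sizeCalculated}"
+if numberOfByteReaded >= sizeCalculated then
+file.close
+#Exit because we received all data
+return
+end
+end
+end
+end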
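Review bot: `read_Memory_WithoutMultiplexing` (new side, file lines 189–204) opens `path` with `File.open(path,"wb")` and closes it only on the success branch inside `while true`, so any exception from `receiveDATA(2000)` or from `tmp.bytes` leaks the handle, and a device that stops answering keeps the loop spinning with no exit condition. The block form `File.open(path, "wb") do |file| … end` closes on every path, and a timeout from `receiveDATA` should end the loop instead of falling into `.bytes` — I am assuming it reports a timeout the way `sendAndReceiveDATA` does (`USB_STATE::TIMEOUT_RECEIVE`), which this hunk does not show, so confirm against the core class. Related inconsistency: `readByteFromMemory` returns the String `"TIMEOUT"` while `write_command_Memory_WithoutMultiplexing` raises `"TIMEOUT"` for the same condition, so `writeByteToMemory` and `unlockBlock` can hand a String back where the caller expects an Integer; raising in both keeps callers honest. Minor style: `for ty in 0..4` in `eraseBlockMemory` has an unused loop variable and reads better as `5.times { puts readByteFromMemory(0) }`, and `timeout = 10` there is never used. The hunk appears to re-add the file with identical content (likely a line-ending normalization), so these are pre-existing rather than introduced here.
```ruby
def read_Memory_WithoutMultiplexing(path:,addressStart: , addressStop:, bits8_or_bits16_DataSize:, latency:)
  # … unchanged: packet construction, latency/address checks, sendPacket, sizeCalculated …
  numberOfByteReaded = 0
  # block form guarantees the file is closed on every exit path, including exceptions
  File.open(path, "wb") do |file|
    loop do
      tmp = HardsploitAPI.instance.receiveDATA(2000)
      # assumes receiveDATA signals a timeout like sendAndReceiveDATA does — confirm in HardsploitAPI
      raise "TIMEOUT" if tmp == USB_STATE::TIMEOUT_RECEIVE
      #remove header (4 bytes 2 for size 2 for type of command)
      tmp = tmp.bytes.drop(4)
      file.write tmp.pack('C*')
      numberOfByteReaded += tmp.size
      HardsploitAPI.instance.consoleInfo "Receive #{numberOfByteReaded} of #{sizeCalculated}"
      #Exit because we received all data; File.open's block closes the handle
      return if numberOfByteReaded >= sizeCalculated
    end
  end
end
```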
@@ -1,306 +1,306 @@
|
|
1
|
-
#!/usr/bin/ruby
|
2
|
-
#===================================================
|
3
|
-
# Hardsploit API - By Opale Security
|
4
|
-
# www.opale-security.com || www.hardsploit.io
|
5
|
-
# License: GNU General Public License v3
|
6
|
-
# License URI: http://www.gnu.org/licenses/gpl.txt
|
7
|
-
#===================================================
|
8
|
-
|
9
|
-
require_relative '../../Core/HardsploitAPI'
|
10
|
-
require_relative '../../Modules/SPI/HardsploitAPI_SPI'
|
11
|
-
class HardsploitAPI_NRF24L01
|
12
|
-
public
|
13
|
-
# Instruction Mnemonics
|
14
|
-
R_REGISTER = 0x00
|
15
|
-
W_REGISTER = 0x20
|
16
|
-
REGISTER_MASK = 0x1F
|
17
|
-
ACTIVATE = 0x50
|
18
|
-
R_RX_PL_WID = 0x60
|
19
|
-
R_RX_PAYLOAD = 0x61
|
20
|
-
W_TX_PAYLOAD = 0xA0
|
21
|
-
W_ACK_PAYLOAD = 0xA8
|
22
|
-
FLUSH_TX = 0xE1
|
23
|
-
FLUSH_RX = 0xE2
|
24
|
-
REUSE_TX_PL = 0xE3
|
25
|
-
NOP = 0xFF
|
26
|
-
|
27
|
-
#Register map
|
28
|
-
NRF24L01_00_CONFIG = 0x00
|
29
|
-
NRF24L01_01_EN_AA = 0x01
|
30
|
-
NRF24L01_02_EN_RXADDR = 0x02
|
31
|
-
NRF24L01_03_SETUP_AW = 0x03
|
32
|
-
NRF24L01_04_SETUP_RETR = 0x04
|
33
|
-
NRF24L01_05_RF_CH = 0x05
|
34
|
-
NRF24L01_06_RF_SETUP = 0x06
|
35
|
-
NRF24L01_07_STATUS = 0x07
|
36
|
-
NRF24L01_08_OBSERVE_TX = 0x08
|
37
|
-
NRF24L01_09_CD = 0x09
|
38
|
-
NRF24L01_0A_RX_ADDR_P0 = 0x0A
|
39
|
-
NRF24L01_0B_RX_ADDR_P1 = 0x0B
|
40
|
-
NRF24L01_0C_RX_ADDR_P2 = 0x0C
|
41
|
-
NRF24L01_0D_RX_ADDR_P3 = 0x0D
|
42
|
-
NRF24L01_0E_RX_ADDR_P4 = 0x0E
|
43
|
-
NRF24L01_0F_RX_ADDR_P5 = 0x0F
|
44
|
-
NRF24L01_10_TX_ADDR = 0x10
|
45
|
-
NRF24L01_11_RX_PW_P0 = 0x11
|
46
|
-
NRF24L01_12_RX_PW_P1 = 0x12
|
47
|
-
NRF24L01_13_RX_PW_P2 = 0x13
|
48
|
-
NRF24L01_14_RX_PW_P3 = 0x14
|
49
|
-
NRF24L01_15_RX_PW_P4 = 0x15
|
50
|
-
NRF24L01_16_RX_PW_P5 = 0x16
|
51
|
-
NRF24L01_17_FIFO_STATUS = 0x17
|
52
|
-
NRF24L01_1C_DYNPD = 0x1C
|
53
|
-
NRF24L01_1D_FEATURE = 0x1D
|
54
|
-
|
55
|
-
# Bit mnemonics
|
56
|
-
NRF24L01_00_MASK_RX_DR = 6
|
57
|
-
NRF24L01_00_MASK_TX_DS = 5
|
58
|
-
NRF24L01_00_MASK_MAX_RT = 4
|
59
|
-
NRF24L01_00_EN_CRC = 3
|
60
|
-
NRF24L01_00_CRCO = 2
|
61
|
-
NRF24L01_00_PWR_UP = 1
|
62
|
-
NRF24L01_00_PRIM_RX = 0
|
63
|
-
NRF24L01_07_RX_DR = 6
|
64
|
-
NRF24L01_07_TX_DS = 5
|
65
|
-
NRF24L01_07_MAX_RT = 4
|
66
|
-
|
67
|
-
# Bitrates
|
68
|
-
NRF24L01_BR_1M = 0
|
69
|
-
NRF24L01_BR_2M = 1
|
70
|
-
NRF24L01_BR_250K = 2
|
71
|
-
NRF24L01_BR_RSVD = 3
|
72
|
-
|
73
|
-
TXRX_OFF = 0
|
74
|
-
TX_EN = 1
|
75
|
-
RX_EN = 2
|
76
|
-
|
77
|
-
def BV(x)
|
78
|
-
return (1 << x)
|
79
|
-
end
|
80
|
-
|
81
|
-
def sendAndReceiveSPI(packet)
|
82
|
-
begin
|
83
|
-
return @spi.spi_Interact(payload:packet)
|
84
|
-
rescue HardsploitAPI::ERROR::HARDSPLOIT_NOT_FOUND
|
85
|
-
puts "Hardsploit not found"
|
86
|
-
rescue HardsploitAPI::ERROR::USB_ERROR
|
87
|
-
puts "USB ERROR"
|
88
|
-
end
|
89
|
-
end
|
90
|
-
|
91
|
-
def initialize()
|
92
|
-
#Speed Range 1-255 SPI clock = 150Mhz / (2*speed) tested from 3 to 255 (25Mhz to about 0.3Khz)
|
93
|
-
@spi = HardsploitAPI_SPI.new(speed:8,mode:0) # 150/(2*8) = 9.3Mhz
|
94
|
-
@rf_setup = 0x0F
|
95
|
-
@tout =0
|
96
|
-
end
|
97
|
-
|
98
|
-
def initDrone(channel:,address:)
|
99
|
-
config = BV(NRF24L01_00_EN_CRC) | BV(NRF24L01_00_CRCO) | BV(NRF24L01_00_PRIM_RX)
|
100
|
-
NRF24L01_WriteReg(NRF24L01_00_CONFIG, config);
|
101
|
-
NRF24L01_WriteReg(NRF24L01_01_EN_AA, 0x0f); # Auto Acknoledgement
|
102
|
-
NRF24L01_Activate(0x73); #Allow write feature reg
|
103
|
-
NRF24L01_WriteReg( NRF24L01_1D_FEATURE,0x06); #enableDynamicPayloads
|
104
|
-
NRF24L01_WriteReg( NRF24L01_1C_DYNPD,0x3f); #enableDynamicPayloads
|
105
|
-
NRF24L01_WriteReg(NRF24L01_02_EN_RXADDR, 0x01); # Enable data pipe 0
|
106
|
-
NRF24L01_WriteReg(NRF24L01_03_SETUP_AW, 0x03); # 5-byte RX/TX address
|
107
|
-
#NRF24L01_WriteReg(NRF24L01_04_SETUP_RETR, 0xFF); # 4ms retransmit t/o, 15 tries
|
108
|
-
NRF24L01_WriteReg(NRF24L01_05_RF_CH, channel); # Channel - bind
|
109
|
-
setBitrate(NRF24L01_BR_250K)
|
110
|
-
setPower(3) #Max power
|
111
|
-
NRF24L01_WriteReg(NRF24L01_07_STATUS, 0x70); # Clear data ready, data
|
112
|
-
NRF24L01_WriteReg(NRF24L01_11_RX_PW_P0, 16);
|
113
|
-
NRF24L01_WriteReg(NRF24L01_17_FIFO_STATUS, 0x00);
|
114
|
-
NRF24L01_WriteRegisterMulti(NRF24L01_0A_RX_ADDR_P0,address);
|
115
|
-
NRF24L01_WriteRegisterMulti(NRF24L01_10_TX_ADDR, address);
|
116
|
-
|
117
|
-
initialize();
|
118
|
-
|
119
|
-
config |= BV(NRF24L01_00_PWR_UP);
|
120
|
-
NRF24L01_WriteReg(NRF24L01_00_CONFIG, config);
|
121
|
-
|
122
|
-
valid_packets = missed_packets = bad_packets = 0;
|
123
|
-
|
124
|
-
NRF24L01_SetTxRxMode(TXRX_OFF);
|
125
|
-
NRF24L01_SetTxRxMode(RX_EN);
|
126
|
-
# puts "EN_AA"
|
127
|
-
# p NRF24L01_ReadReg(NRF24L01_01_EN_AA)
|
128
|
-
# puts "EN_RXADDR"
|
129
|
-
# p NRF24L01_ReadReg(NRF24L01_02_EN_RXADDR)
|
130
|
-
# puts "SETUP_AW"
|
131
|
-
# p NRF24L01_ReadReg(NRF24L01_03_SETUP_AW)
|
132
|
-
# puts "RF_CH"
|
133
|
-
# p NRF24L01_ReadReg(NRF24L01_05_RF_CH)
|
134
|
-
# puts "RX_PW_P0"
|
135
|
-
# p NRF24L01_ReadRegisterMulti(NRF24L01_0A_RX_ADDR_P0,5)
|
136
|
-
# puts "TX_PW_P0"
|
137
|
-
# p NRF24L01_ReadRegisterMulti(NRF24L01_10_TX_ADDR,5)
|
138
|
-
# puts "RX_ADDR_P0"
|
139
|
-
# p NRF24L01_ReadReg(NRF24L01_0A_RX_ADDR_P0)
|
140
|
-
# puts "TX_ADDR"
|
141
|
-
# p NRF24L01_ReadReg(NRF24L01_10_TX_ADDR)
|
142
|
-
# puts "config"
|
143
|
-
# p config
|
144
|
-
end
|
145
|
-
|
146
|
-
def NRF24L01_WriteReg(reg, data)
|
147
|
-
result = sendAndReceiveSPI([ (W_REGISTER | (REGISTER_MASK & reg)),data ])
|
148
|
-
return result[1]
|
149
|
-
end
|
150
|
-
|
151
|
-
def NRF24L01_WriteRegisterMulti(reg, payload)
|
152
|
-
tmppayload = Array.new
|
153
|
-
tmppayload.push (W_REGISTER | (REGISTER_MASK & reg))
|
154
|
-
tmppayload.push *payload
|
155
|
-
result = sendAndReceiveSPI(tmppayload)
|
156
|
-
return result[0]
|
157
|
-
end
|
158
|
-
|
159
|
-
def NRF24L01_WritePayload(payload)
|
160
|
-
tmpWpayload = Array.new
|
161
|
-
tmpWpayload.push (W_TX_PAYLOAD)
|
162
|
-
tmpWpayload.push *payload
|
163
|
-
result = sendAndReceiveSPI(tmpWpayload)
|
164
|
-
return result[0]
|
165
|
-
end
|
166
|
-
|
167
|
-
def NRF24L01_ReadReg(reg)
|
168
|
-
result = sendAndReceiveSPI([R_REGISTER | (REGISTER_MASK & reg) ,0xFF ])
|
169
|
-
return result[1]
|
170
|
-
end
|
171
|
-
|
172
|
-
def readPayloadSize
|
173
|
-
result = sendAndReceiveSPI([R_RX_PL_WID ,0xFF ])
|
174
|
-
return result[1]
|
175
|
-
end
|
176
|
-
|
177
|
-
def NRF24L01_ReadRegisterMulti(reg,length)
|
178
|
-
tab = Array.new
|
179
|
-
tab.push (R_REGISTER | (REGISTER_MASK & reg))
|
180
|
-
tab.push *Array.new(length, 0xFF)
|
181
|
-
return sendAndReceiveSPI(tab).drop(1) #remove the first byte
|
182
|
-
end
|
183
|
-
|
184
|
-
def readPayload(length)
|
185
|
-
tab = Array.new
|
186
|
-
tab.push R_RX_PAYLOAD
|
187
|
-
tab.push *Array.new(length, 0xFF)
|
188
|
-
return sendAndReceiveSPI(tab).drop(1) #remove the first byte
|
189
|
-
end
|
190
|
-
|
191
|
-
def readAvailableData
|
192
|
-
return readPayload(readPayloadSize)
|
193
|
-
end
|
194
|
-
|
195
|
-
def Strobe(state)
|
196
|
-
result = sendAndReceiveSPI([state])
|
197
|
-
return result[0];
|
198
|
-
end
|
199
|
-
|
200
|
-
def NRF24L01_FlushTx()
|
201
|
-
return Strobe(FLUSH_TX);
|
202
|
-
end
|
203
|
-
|
204
|
-
def NRF24L01_FlushRx()
|
205
|
-
return Strobe(FLUSH_RX);
|
206
|
-
end
|
207
|
-
|
208
|
-
def NRF24L01_Activate(code)
|
209
|
-
result = sendAndReceiveSPI([ACTIVATE ,code])
|
210
|
-
return result[0];
|
211
|
-
end
|
212
|
-
|
213
|
-
def dataAvailable()
|
214
|
-
result = sendAndReceiveSPI([R_REGISTER ,HardsploitAPI_NRF24L01::NRF24L01_07_STATUS])
|
215
|
-
if ((result[0] & BV(HardsploitAPI_NRF24L01::NRF24L01_07_RX_DR))>>6)==1
|
216
|
-
return true
|
217
|
-
else
|
218
|
-
return false
|
219
|
-
end
|
220
|
-
end
|
221
|
-
|
222
|
-
def changeChannel(channel:)
|
223
|
-
NRF24L01_WriteReg(NRF24L01_05_RF_CH, channel)
|
224
|
-
end
|
225
|
-
|
226
|
-
def setBitrate(bitrate)
|
227
|
-
#Note that bitrate 250kbps (and bit RF_DR_LOW) is valid only
|
228
|
-
#for nRF24L01+. There is no way to programmatically tell it from
|
229
|
-
#older version, nRF24L01, but the older is practically phased out
|
230
|
-
#by Nordic, so we assume that we deal with with modern version.
|
231
|
-
|
232
|
-
# Bit 0 goes to RF_DR_HIGH, bit 1 - to RF_DR_LOW
|
233
|
-
@rf_setup = (@rf_setup & 0xD7) | ((bitrate & 0x02) << 4) | ((bitrate & 0x01) << 3);
|
234
|
-
return NRF24L01_WriteReg(NRF24L01_06_RF_SETUP, @rf_setup);
|
235
|
-
end
|
236
|
-
|
237
|
-
# Power setting is 0..3 for nRF24L01
|
238
|
-
def setPower(nrf_power)
|
239
|
-
if (nrf_power < 0) or (nrf_power > 3) then
|
240
|
-
raise "NRF setPower, wrong must be between 0 and 3"
|
241
|
-
end
|
242
|
-
@rf_setup = (@rf_setup & 0xF9) | ((nrf_power & 0x03) << 1)
|
243
|
-
return NRF24L01_WriteReg(NRF24L01_06_RF_SETUP, @rf_setup)
|
244
|
-
end
|
245
|
-
|
246
|
-
def CE_lo
|
247
|
-
@spi.pulse = 0
|
248
|
-
end
|
249
|
-
|
250
|
-
def CE_hi
|
251
|
-
@spi.pulse = 1
|
252
|
-
end
|
253
|
-
|
254
|
-
def NRF24L01_SetTxRxMode(mode)
|
255
|
-
if(mode == TX_EN) then
|
256
|
-
CE_lo()
|
257
|
-
#sleep(0.5)
|
258
|
-
NRF24L01_WriteReg(NRF24L01_07_STATUS, (1 << NRF24L01_07_RX_DR) | (1 << NRF24L01_07_TX_DS) | (1 << NRF24L01_07_MAX_RT)) #reset the flag(s)
|
259
|
-
NRF24L01_WriteReg(NRF24L01_00_CONFIG, (1 << NRF24L01_00_EN_CRC)| (1 << NRF24L01_00_CRCO) | (1 << NRF24L01_00_PWR_UP)) #switch to TX mode
|
260
|
-
#sleep(0.5)
|
261
|
-
CE_hi()
|
262
|
-
elsif (mode == RX_EN) then
|
263
|
-
CE_lo()
|
264
|
-
# sleep(0.5)
|
265
|
-
NRF24L01_WriteReg(NRF24L01_07_STATUS, 0x70) # reset the flag(s)
|
266
|
-
NRF24L01_WriteReg(NRF24L01_00_CONFIG, 0x0F) # switch to RX mode
|
267
|
-
NRF24L01_WriteReg(NRF24L01_07_STATUS, (1 << NRF24L01_07_RX_DR) | (1 << NRF24L01_07_TX_DS) | (1 << NRF24L01_07_MAX_RT)) #reset the flag(s)
|
268
|
-
NRF24L01_WriteReg(NRF24L01_00_CONFIG, (1 << NRF24L01_00_EN_CRC)| (1 << NRF24L01_00_CRCO) | (1 << NRF24L01_00_PWR_UP) | (1 << NRF24L01_00_PRIM_RX)) #switch to RX mode
|
269
|
-
# sleep(0.5)
|
270
|
-
CE_hi()
|
271
|
-
else
|
272
|
-
NRF24L01_WriteReg(NRF24L01_00_CONFIG, (1 << NRF24L01_00_EN_CRC)) #PowerDown
|
273
|
-
CE_lo()
|
274
|
-
end
|
275
|
-
end
|
276
|
-
|
277
|
-
def reset()
|
278
|
-
NRF24L01_SetTxRxMode(TXRX_OFF)
|
279
|
-
NRF24L01_FlushTx()
|
280
|
-
NRF24L01_FlushRx()
|
281
|
-
return true
|
282
|
-
end
|
283
|
-
|
284
|
-
def Read()
|
285
|
-
tabdataread = Array.new
|
286
|
-
if dataAvailable()
|
287
|
-
NRF24L01_WriteReg(0x07,BV(HardsploitAPI_NRF24L01::NRF24L01_07_RX_DR))
|
288
|
-
tabdataread.push *readPayload(16)
|
289
|
-
return tabdataread
|
290
|
-
else
|
291
|
-
return tabdataread
|
292
|
-
end
|
293
|
-
end
|
294
|
-
|
295
|
-
def Send(dataSend)
|
296
|
-
NRF24L01_SetTxRxMode(TXRX_OFF)
|
297
|
-
NRF24L01_FlushTx()
|
298
|
-
NRF24L01_WritePayload(dataSend)
|
299
|
-
NRF24L01_SetTxRxMode(TX_EN)
|
300
|
-
sleep(0.1)
|
301
|
-
NRF24L01_SetTxRxMode(TXRX_OFF)
|
302
|
-
NRF24L01_FlushTx()
|
303
|
-
NRF24L01_FlushRx()
|
304
|
-
NRF24L01_SetTxRxMode(RX_EN);
|
305
|
-
end
|
306
|
-
end
|
1
|
+
#!/usr/bin/ruby
|
2
|
+
#===================================================
|
3
|
+
# Hardsploit API - By Opale Security
|
4
|
+
# www.opale-security.com || www.hardsploit.io
|
5
|
+
# License: GNU General Public License v3
|
6
|
+
# License URI: http://www.gnu.org/licenses/gpl.txt
|
7
|
+
#===================================================
|
8
|
+
|
9
|
+
require_relative '../../Core/HardsploitAPI'
|
10
|
+
require_relative '../../Modules/SPI/HardsploitAPI_SPI'
|
11
|
+
class HardsploitAPI_NRF24L01
|
12
|
+
public
|
13
|
+
# Instruction Mnemonics
|
14
|
+
R_REGISTER = 0x00
|
15
|
+
W_REGISTER = 0x20
|
16
|
+
REGISTER_MASK = 0x1F
|
17
|
+
ACTIVATE = 0x50
|
18
|
+
R_RX_PL_WID = 0x60
|
19
|
+
R_RX_PAYLOAD = 0x61
|
20
|
+
W_TX_PAYLOAD = 0xA0
|
21
|
+
W_ACK_PAYLOAD = 0xA8
|
22
|
+
FLUSH_TX = 0xE1
|
23
|
+
FLUSH_RX = 0xE2
|
24
|
+
REUSE_TX_PL = 0xE3
|
25
|
+
NOP = 0xFF
|
26
|
+
|
27
|
+
#Register map
|
28
|
+
NRF24L01_00_CONFIG = 0x00
|
29
|
+
NRF24L01_01_EN_AA = 0x01
|
30
|
+
NRF24L01_02_EN_RXADDR = 0x02
|
31
|
+
NRF24L01_03_SETUP_AW = 0x03
|
32
|
+
NRF24L01_04_SETUP_RETR = 0x04
|
33
|
+
NRF24L01_05_RF_CH = 0x05
|
34
|
+
NRF24L01_06_RF_SETUP = 0x06
|
35
|
+
NRF24L01_07_STATUS = 0x07
|
36
|
+
NRF24L01_08_OBSERVE_TX = 0x08
|
37
|
+
NRF24L01_09_CD = 0x09
|
38
|
+
NRF24L01_0A_RX_ADDR_P0 = 0x0A
|
39
|
+
NRF24L01_0B_RX_ADDR_P1 = 0x0B
|
40
|
+
NRF24L01_0C_RX_ADDR_P2 = 0x0C
|
41
|
+
NRF24L01_0D_RX_ADDR_P3 = 0x0D
|
42
|
+
NRF24L01_0E_RX_ADDR_P4 = 0x0E
|
43
|
+
NRF24L01_0F_RX_ADDR_P5 = 0x0F
|
44
|
+
NRF24L01_10_TX_ADDR = 0x10
|
45
|
+
NRF24L01_11_RX_PW_P0 = 0x11
|
46
|
+
NRF24L01_12_RX_PW_P1 = 0x12
|
47
|
+
NRF24L01_13_RX_PW_P2 = 0x13
|
48
|
+
NRF24L01_14_RX_PW_P3 = 0x14
|
49
|
+
NRF24L01_15_RX_PW_P4 = 0x15
|
50
|
+
NRF24L01_16_RX_PW_P5 = 0x16
|
51
|
+
NRF24L01_17_FIFO_STATUS = 0x17
|
52
|
+
NRF24L01_1C_DYNPD = 0x1C
|
53
|
+
NRF24L01_1D_FEATURE = 0x1D
|
54
|
+
|
55
|
+
# Bit mnemonics
|
56
|
+
NRF24L01_00_MASK_RX_DR = 6
|
57
|
+
NRF24L01_00_MASK_TX_DS = 5
|
58
|
+
NRF24L01_00_MASK_MAX_RT = 4
|
59
|
+
NRF24L01_00_EN_CRC = 3
|
60
|
+
NRF24L01_00_CRCO = 2
|
61
|
+
NRF24L01_00_PWR_UP = 1
|
62
|
+
NRF24L01_00_PRIM_RX = 0
|
63
|
+
NRF24L01_07_RX_DR = 6
|
64
|
+
NRF24L01_07_TX_DS = 5
|
65
|
+
NRF24L01_07_MAX_RT = 4
|
66
|
+
|
67
|
+
# Bitrates
|
68
|
+
NRF24L01_BR_1M = 0
|
69
|
+
NRF24L01_BR_2M = 1
|
70
|
+
NRF24L01_BR_250K = 2
|
71
|
+
NRF24L01_BR_RSVD = 3
|
72
|
+
|
73
|
+
TXRX_OFF = 0
|
74
|
+
TX_EN = 1
|
75
|
+
RX_EN = 2
|
76
|
+
|
77
|
+
def BV(x)
|
78
|
+
return (1 << x)
|
79
|
+
end
|
80
|
+
|
81
|
+
def sendAndReceiveSPI(packet)
|
82
|
+
begin
|
83
|
+
return @spi.spi_Interact(payload:packet)
|
84
|
+
rescue HardsploitAPI::ERROR::HARDSPLOIT_NOT_FOUND
|
85
|
+
puts "Hardsploit not found"
|
86
|
+
rescue HardsploitAPI::ERROR::USB_ERROR
|
87
|
+
puts "USB ERROR"
|
88
|
+
end
|
89
|
+
end
|
90
|
+
|
91
|
+
def initialize()
|
92
|
+
#Speed Range 1-255 SPI clock = 150Mhz / (2*speed) tested from 3 to 255 (25Mhz to about 0.3Khz)
|
93
|
+
@spi = HardsploitAPI_SPI.new(speed:8,mode:0) # 150/(2*8) = 9.3Mhz
|
94
|
+
@rf_setup = 0x0F
|
95
|
+
@tout =0
|
96
|
+
end
|
97
|
+
|
98
|
+
def initDrone(channel:,address:)
|
99
|
+
config = BV(NRF24L01_00_EN_CRC) | BV(NRF24L01_00_CRCO) | BV(NRF24L01_00_PRIM_RX)
|
100
|
+
NRF24L01_WriteReg(NRF24L01_00_CONFIG, config);
|
101
|
+
NRF24L01_WriteReg(NRF24L01_01_EN_AA, 0x0f); # Auto Acknoledgement
|
102
|
+
NRF24L01_Activate(0x73); #Allow write feature reg
|
103
|
+
NRF24L01_WriteReg( NRF24L01_1D_FEATURE,0x06); #enableDynamicPayloads
|
104
|
+
NRF24L01_WriteReg( NRF24L01_1C_DYNPD,0x3f); #enableDynamicPayloads
|
105
|
+
NRF24L01_WriteReg(NRF24L01_02_EN_RXADDR, 0x01); # Enable data pipe 0
|
106
|
+
NRF24L01_WriteReg(NRF24L01_03_SETUP_AW, 0x03); # 5-byte RX/TX address
|
107
|
+
#NRF24L01_WriteReg(NRF24L01_04_SETUP_RETR, 0xFF); # 4ms retransmit t/o, 15 tries
|
108
|
+
NRF24L01_WriteReg(NRF24L01_05_RF_CH, channel); # Channel - bind
|
109
|
+
setBitrate(NRF24L01_BR_250K)
|
110
|
+
setPower(3) #Max power
|
111
|
+
NRF24L01_WriteReg(NRF24L01_07_STATUS, 0x70); # Clear data ready, data
|
112
|
+
NRF24L01_WriteReg(NRF24L01_11_RX_PW_P0, 16);
|
113
|
+
NRF24L01_WriteReg(NRF24L01_17_FIFO_STATUS, 0x00);
|
114
|
+
NRF24L01_WriteRegisterMulti(NRF24L01_0A_RX_ADDR_P0,address);
|
115
|
+
NRF24L01_WriteRegisterMulti(NRF24L01_10_TX_ADDR, address);
|
116
|
+
|
117
|
+
initialize();
|
118
|
+
|
119
|
+
config |= BV(NRF24L01_00_PWR_UP);
|
120
|
+
NRF24L01_WriteReg(NRF24L01_00_CONFIG, config);
|
121
|
+
|
122
|
+
valid_packets = missed_packets = bad_packets = 0;
|
123
|
+
|
124
|
+
NRF24L01_SetTxRxMode(TXRX_OFF);
|
125
|
+
NRF24L01_SetTxRxMode(RX_EN);
|
126
|
+
# puts "EN_AA"
|
127
|
+
# p NRF24L01_ReadReg(NRF24L01_01_EN_AA)
|
128
|
+
# puts "EN_RXADDR"
|
129
|
+
# p NRF24L01_ReadReg(NRF24L01_02_EN_RXADDR)
|
130
|
+
# puts "SETUP_AW"
|
131
|
+
# p NRF24L01_ReadReg(NRF24L01_03_SETUP_AW)
|
132
|
+
# puts "RF_CH"
|
133
|
+
# p NRF24L01_ReadReg(NRF24L01_05_RF_CH)
|
134
|
+
# puts "RX_PW_P0"
|
135
|
+
# p NRF24L01_ReadRegisterMulti(NRF24L01_0A_RX_ADDR_P0,5)
|
136
|
+
# puts "TX_PW_P0"
|
137
|
+
# p NRF24L01_ReadRegisterMulti(NRF24L01_10_TX_ADDR,5)
|
138
|
+
# puts "RX_ADDR_P0"
|
139
|
+
# p NRF24L01_ReadReg(NRF24L01_0A_RX_ADDR_P0)
|
140
|
+
# puts "TX_ADDR"
|
141
|
+
# p NRF24L01_ReadReg(NRF24L01_10_TX_ADDR)
|
142
|
+
# puts "config"
|
143
|
+
# p config
|
144
|
+
end
|
145
|
+
|
146
|
+
def NRF24L01_WriteReg(reg, data)
|
147
|
+
result = sendAndReceiveSPI([ (W_REGISTER | (REGISTER_MASK & reg)),data ])
|
148
|
+
return result[1]
|
149
|
+
end
|
150
|
+
|
151
|
+
def NRF24L01_WriteRegisterMulti(reg, payload)
|
152
|
+
tmppayload = Array.new
|
153
|
+
tmppayload.push (W_REGISTER | (REGISTER_MASK & reg))
|
154
|
+
tmppayload.push *payload
|
155
|
+
result = sendAndReceiveSPI(tmppayload)
|
156
|
+
return result[0]
|
157
|
+
end
|
158
|
+
|
159
|
+
def NRF24L01_WritePayload(payload)
|
160
|
+
tmpWpayload = Array.new
|
161
|
+
tmpWpayload.push (W_TX_PAYLOAD)
|
162
|
+
tmpWpayload.push *payload
|
163
|
+
result = sendAndReceiveSPI(tmpWpayload)
|
164
|
+
return result[0]
|
165
|
+
end
|
166
|
+
|
167
|
+
def NRF24L01_ReadReg(reg)
|
168
|
+
result = sendAndReceiveSPI([R_REGISTER | (REGISTER_MASK & reg) ,0xFF ])
|
169
|
+
return result[1]
|
170
|
+
end
|
171
|
+
|
172
|
+
def readPayloadSize
|
173
|
+
result = sendAndReceiveSPI([R_RX_PL_WID ,0xFF ])
|
174
|
+
return result[1]
|
175
|
+
end
|
176
|
+
|
177
|
+
def NRF24L01_ReadRegisterMulti(reg,length)
|
178
|
+
tab = Array.new
|
179
|
+
tab.push (R_REGISTER | (REGISTER_MASK & reg))
|
180
|
+
tab.push *Array.new(length, 0xFF)
|
181
|
+
return sendAndReceiveSPI(tab).drop(1) #remove the first byte
|
182
|
+
end
|
183
|
+
|
184
|
+
def readPayload(length)
|
185
|
+
tab = Array.new
|
186
|
+
tab.push R_RX_PAYLOAD
|
187
|
+
tab.push *Array.new(length, 0xFF)
|
188
|
+
return sendAndReceiveSPI(tab).drop(1) #remove the first byte
|
189
|
+
end
|
190
|
+
|
191
|
+
def readAvailableData
|
192
|
+
return readPayload(readPayloadSize)
|
193
|
+
end
|
194
|
+
|
195
|
+
def Strobe(state)
|
196
|
+
result = sendAndReceiveSPI([state])
|
197
|
+
return result[0];
|
198
|
+
end
|
199
|
+
|
200
|
+
def NRF24L01_FlushTx()
|
201
|
+
return Strobe(FLUSH_TX);
|
202
|
+
end
|
203
|
+
|
204
|
+
def NRF24L01_FlushRx()
|
205
|
+
return Strobe(FLUSH_RX);
|
206
|
+
end
|
207
|
+
|
208
|
+
def NRF24L01_Activate(code)
|
209
|
+
result = sendAndReceiveSPI([ACTIVATE ,code])
|
210
|
+
return result[0];
|
211
|
+
end
|
212
|
+
|
213
|
+
def dataAvailable()
|
214
|
+
result = sendAndReceiveSPI([R_REGISTER ,HardsploitAPI_NRF24L01::NRF24L01_07_STATUS])
|
215
|
+
if ((result[0] & BV(HardsploitAPI_NRF24L01::NRF24L01_07_RX_DR))>>6)==1
|
216
|
+
return true
|
217
|
+
else
|
218
|
+
return false
|
219
|
+
end
|
220
|
+
end
|
221
|
+
|
222
|
+
def changeChannel(channel:)
|
223
|
+
NRF24L01_WriteReg(NRF24L01_05_RF_CH, channel)
|
224
|
+
end
|
225
|
+
|
226
|
+
def setBitrate(bitrate)
|
227
|
+
#Note that bitrate 250kbps (and bit RF_DR_LOW) is valid only
|
228
|
+
#for nRF24L01+. There is no way to programmatically tell it from
|
229
|
+
#older version, nRF24L01, but the older is practically phased out
|
230
|
+
#by Nordic, so we assume that we deal with with modern version.
|
231
|
+
|
232
|
+
# Bit 0 goes to RF_DR_HIGH, bit 1 - to RF_DR_LOW
|
233
|
+
@rf_setup = (@rf_setup & 0xD7) | ((bitrate & 0x02) << 4) | ((bitrate & 0x01) << 3);
|
234
|
+
return NRF24L01_WriteReg(NRF24L01_06_RF_SETUP, @rf_setup);
|
235
|
+
end
|
236
|
+
|
237
|
+
# Power setting is 0..3 for nRF24L01
|
238
|
+
def setPower(nrf_power)
|
239
|
+
if (nrf_power < 0) or (nrf_power > 3) then
|
240
|
+
raise "NRF setPower, wrong must be between 0 and 3"
|
241
|
+
end
|
242
|
+
@rf_setup = (@rf_setup & 0xF9) | ((nrf_power & 0x03) << 1)
|
243
|
+
return NRF24L01_WriteReg(NRF24L01_06_RF_SETUP, @rf_setup)
|
244
|
+
end
|
245
|
+
|
246
|
+
def CE_lo
|
247
|
+
@spi.pulse = 0
|
248
|
+
end
|
249
|
+
|
250
|
+
def CE_hi
|
251
|
+
@spi.pulse = 1
|
252
|
+
end
|
253
|
+
|
254
|
+
def NRF24L01_SetTxRxMode(mode)
|
255
|
+
if(mode == TX_EN) then
|
256
|
+
CE_lo()
|
257
|
+
#sleep(0.5)
|
258
|
+
NRF24L01_WriteReg(NRF24L01_07_STATUS, (1 << NRF24L01_07_RX_DR) | (1 << NRF24L01_07_TX_DS) | (1 << NRF24L01_07_MAX_RT)) #reset the flag(s)
|
259
|
+
NRF24L01_WriteReg(NRF24L01_00_CONFIG, (1 << NRF24L01_00_EN_CRC)| (1 << NRF24L01_00_CRCO) | (1 << NRF24L01_00_PWR_UP)) #switch to TX mode
|
260
|
+
#sleep(0.5)
|
261
|
+
CE_hi()
|
262
|
+
elsif (mode == RX_EN) then
|
263
|
+
CE_lo()
|
264
|
+
# sleep(0.5)
|
265
|
+
NRF24L01_WriteReg(NRF24L01_07_STATUS, 0x70) # reset the flag(s)
|
266
|
+
NRF24L01_WriteReg(NRF24L01_00_CONFIG, 0x0F) # switch to RX mode
|
267
|
+
NRF24L01_WriteReg(NRF24L01_07_STATUS, (1 << NRF24L01_07_RX_DR) | (1 << NRF24L01_07_TX_DS) | (1 << NRF24L01_07_MAX_RT)) #reset the flag(s)
|
268
|
+
NRF24L01_WriteReg(NRF24L01_00_CONFIG, (1 << NRF24L01_00_EN_CRC)| (1 << NRF24L01_00_CRCO) | (1 << NRF24L01_00_PWR_UP) | (1 << NRF24L01_00_PRIM_RX)) #switch to RX mode
|
269
|
+
# sleep(0.5)
|
270
|
+
CE_hi()
|
271
|
+
else
|
272
|
+
NRF24L01_WriteReg(NRF24L01_00_CONFIG, (1 << NRF24L01_00_EN_CRC)) #PowerDown
|
273
|
+
CE_lo()
|
274
|
+
end
|
275
|
+
end
|
276
|
+
|
277
|
+
def reset()
|
278
|
+
NRF24L01_SetTxRxMode(TXRX_OFF)
|
279
|
+
NRF24L01_FlushTx()
|
280
|
+
NRF24L01_FlushRx()
|
281
|
+
return true
|
282
|
+
end
|
283
|
+
|
284
|
+
def Read()
|
285
|
+
tabdataread = Array.new
|
286
|
+
if dataAvailable()
|
287
|
+
NRF24L01_WriteReg(0x07,BV(HardsploitAPI_NRF24L01::NRF24L01_07_RX_DR))
|
288
|
+
tabdataread.push *readPayload(16)
|
289
|
+
return tabdataread
|
290
|
+
else
|
291
|
+
return tabdataread
|
292
|
+
end
|
293
|
+
end
|
294
|
+
|
295
|
+
def Send(dataSend)
|
296
|
+
NRF24L01_SetTxRxMode(TXRX_OFF)
|
297
|
+
NRF24L01_FlushTx()
|
298
|
+
NRF24L01_WritePayload(dataSend)
|
299
|
+
NRF24L01_SetTxRxMode(TX_EN)
|
300
|
+
sleep(0.1)
|
301
|
+
NRF24L01_SetTxRxMode(TXRX_OFF)
|
302
|
+
NRF24L01_FlushTx()
|
303
|
+
NRF24L01_FlushRx()
|
304
|
+
NRF24L01_SetTxRxMode(RX_EN);
|
305
|
+
end
|
306
|
+
end
|