So I’ve recently been dabbling in more niche hardware/wireless/RF protocols (thanks, Flipper Zero), which is definitely a subject I’m less knowledgeable in. Of course, the first time I used aircrack-ng was well over a decade ago now, and I messed with nRF when keysniff and mousejacking were first published, as well as reading/researching about Bluetooth, the Ubertooth One, etc. I definitely haven’t kept up as much as I’d like.
So when I got bitten by the bug to set up a wireless monitoring/wardriving rig, mostly via Kismet, I dived right in.
I can go over the configuration/hardware I have specifically for that, but since that hardware is very common (multiple Alfa NICs for Wi-Fi and BT, a CrazyRadio for nRF, multiple RTL-SDRs for, well, RF), I would ideally like to add a Z-Wave sniffer, a Zigbee sniffer and whatever other (semi-)passive sniffers I can to the setup.
Even with Google Search being pretty bad at the moment, I was able to find more on Zigbee sniffing than on Z-Wave, which will be part of my next goal (setting up a “zniffer”).
As for sniffing Zigbee, I’m going to pick up a CCXXXX dongle and get that configured, as it seems way easier. That said, when I recently bought some hardware from M5Stack (including a few M5Stack Core2 units, one of which is now running Evil-M5Core2, which is awesome!), I also bought an M5NanoC6 and an M5Stack Core2 Data Transfer Module (DTM) configured for Zigbee.

As of right now, I’ve only set up (I believe) the M5NanoC6 as a Zigbee Sniffer.
So let me go through the steps so you don’t have to try to figure it out yourself.
So within your terminal:
apt install cmake
pip3 install idf-component-manager --upgrade
Now plug in your M5NanoC6 via USB-C to your host box while holding down the button.
cd /opt
mkdir WIRELESS
cd WIRELESS
git clone --recursive https://github.com/espressif/esp-idf.git
cd esp-idf
./install.sh
Source export.sh rather than executing it, so the environment variables it sets land in your current shell:
. ./export.sh
Now you can try
cd examples/openthread/ot_rcp
idf.py set-target esp32c6
If that doesn’t work, as it didn’t for me, source the script again using its full path (it was cloned into /opt/WIRELESS above):
source /opt/WIRELESS/esp-idf/export.sh
Now if that still doesn’t work
source ~/.zshrc
Now it should definitely work, and you can confirm with
idf.py --help
Now we need to add two entries to the sdkconfig.defaults file (the path is given in full, since you are already inside the ot_rcp directory):
nano /opt/WIRELESS/esp-idf/examples/openthread/ot_rcp/sdkconfig.defaults
Add the following under the ## Openthread ## section:
CONFIG_OPENTHREAD_NCP=y
CONFIG_OPENTHREAD_ENABLE_RAW_LINK_API=y
FYI, the M5NanoC6 should show up as a JTAG/Serial USB debug device in Kali and is usually assigned (especially if it’s the only USB device plugged in)
/dev/ttyACM0
Now let’s properly compile:
idf.py set-target esp32c6
idf.py build

Then flash:
idf.py flash

You should get a success message after it’s done.

Let’s now install Spinel to confirm it’s working as expected:
apt install spinel
spinel-cli.py -u /dev/ttyACM0 -b 115200
Now the CLI menu should open, confirming it’s working properly. Press Ctrl+C to exit.

Now while still having the M5NanoC6 plugged in, press its button.
Now let’s start the sniffer!
sudo sniffer.py -c 11 -n 1 --crc -u /dev/ttyACM0
If you get an error after it prints “initializing sniffer…” saying “cannot initialize sniffer”, unplug and replug the M5NanoC6, then try again. If that doesn’t work, unplug it, replug it and then press the button before trying again.
It should then work!
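Here is an added helper script (my own, not from the Espressif or pyspinel projects) that wraps the build steps above and makes the sdkconfig.defaults edit idempotent, so re-running it after a failed flash never duplicates the two CONFIG lines. It assumes esp-idf lives at /opt/WIRELESS/esp-idf and the board is on /dev/ttyACM0 (both overridable via IDF_DIR and PORT); set RUN_SETUP=1 to actually build and flash.

```shell
#!/bin/sh
# Hypothetical helper for the M5NanoC6 ot_rcp sniffer build (not from the post).
# Assumptions: esp-idf cloned to /opt/WIRELESS/esp-idf, board on /dev/ttyACM0.
IDF_DIR="${IDF_DIR:-/opt/WIRELESS/esp-idf}"
PORT="${PORT:-/dev/ttyACM0}"
RCP_DIR="$IDF_DIR/examples/openthread/ot_rcp"

# set_kconfig FILE KEY VALUE
# Replaces an existing "KEY=..." or "# KEY is not set" line in place,
# otherwise appends "KEY=VALUE". Safe to run repeatedly.
set_kconfig() {
  file="$1" key="$2" value="$3"
  if grep -q -E "^(# )?${key}( is not set|=)" "$file"; then
    # Rewrite via a temp file so this works with any awk/sed flavour.
    awk -v k="$key" -v v="$value" '
      $0 ~ ("^(# )?" k "( is not set|=)") { print k "=" v; next }
      { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# count_kconfig FILE KEY: how many lines set KEY (should be exactly 1).
count_kconfig() { grep -c -E "^${2}=" "$1" || true; }

main() {
  [ -d "$RCP_DIR" ] || { echo "ot_rcp example not found under $IDF_DIR" >&2; return 1; }
  # idf.py only exists on PATH after export.sh has been sourced.
  command -v idf.py >/dev/null 2>&1 || . "$IDF_DIR/export.sh"
  set_kconfig "$RCP_DIR/sdkconfig.defaults" CONFIG_OPENTHREAD_NCP y
  set_kconfig "$RCP_DIR/sdkconfig.defaults" CONFIG_OPENTHREAD_ENABLE_RAW_LINK_API y
  # The board must be in download mode (button held while plugging in).
  [ -c "$PORT" ] || { echo "no serial device at $PORT" >&2; return 1; }
  cd "$RCP_DIR" && idf.py set-target esp32c6 && idf.py -p "$PORT" build flash
}

if [ "${RUN_SETUP:-0}" = 1 ]; then
  main
fi
```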

In the next post (or maybe I’ll edit this one) I will show data captured as I don’t actually have any Zigbee devices (maybe that DTM for the Core2 will come in handy for this).
Additionally, be sure to set up Wireshark to properly display the packets and data using the Links below:
Wireshark Part of the Espressif Zigbee SDK Documentation
Resources:
Interesting Overview of Zigbee
ESPRESSIF Zigbee SDK Documentation
ESPRESSIF OpenThread Radio Co-Processor (OT_RCP)
PySpinel Sniffer Documentation
Here’s a link to the GitHub Repo I made with these instructions: GainSec Github
