
A few days ago I read about NCC Group’s Sniffle tool, a BLE sniffer for Bluetooth 4.X and 5. Given my interest and previous track record at looking into the security of BLE devices, I could not stop myself from testing it.

The tool is available on NCC Group’s Github, along with quite good documentation. It was not hard to install all the prerequisites and set up everything following their documentation. My environment is pretty well set up for this type of experimentation and devices, so from Python to PySerial, I did not have to do much. Install the TI-specific tools in the default folders their installers (the .run files) suggest and you should not run into any major issues.

So far, I have been able to run the sniffer on the TI CC26x2R LaunchPad board. The firmware loads without issue and the board is ready to use. Note that, as I will describe below, I have been having some stability/bugginess issues with the sniffer. Whenever something acts up a bit, the best thing to do is to reload the firmware. That seems to get things fixed for me most of the time.


Once the firmware is loaded, it is easy to start running captures. Given the simplicity of the radio it’s running on, the sniffer can only scan one channel at a time, so you are either scanning ADV channels (37, 38 and 39) or following a connection. Therefore, unless you happen to catch an actual connection establishment, you should expect to only see ADV-related messages on your first captures.


Once you are all set up, it is highly recommended to dump the captured traffic to a pcap file using Sniffle’s -o option. Looking at one of the captures I took, I see the expected advertising traffic: a whole bunch of Apple devices (in my experience, always very “loud” at sending ADV-related traffic) from my neighbors, some smart TVs (including mine; it has been the subject of my research before and I know the characteristics of its ADV packets like the back of my hand) and some interesting devices that I will explore when I have more time.
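As an added example (my own code, not part of the original post or of the Sniffle project), here is a stdlib-only parser that pulls the advertising PDUs out of a pcap like the one the -o option writes, so that the “who is advertising” triage above can be scripted: it recovers the advertiser address, whether it is a random address, the device name and the manufacturer (company ID 0x004C is Apple’s). It assumes Sniffle writes classic pcap with link type 256 (LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR, a 10-byte pseudo-header with channel, RSSI and flags before the raw link-layer packet); the sample record it parses when run without arguments is constructed inline, with a zero placeholder where the CRC would be.

```python
"""Pull advertising PDUs out of a pcap written with Sniffle's -o option (stdlib only)."""
import struct
import sys

# Assumed: Sniffle writes classic pcap with LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR (256),
# whose records carry a 10-byte pseudo-header followed by the raw link-layer packet.
LINKTYPE_BLE_LL_WITH_PHDR = 256
ADV_ACCESS_ADDR = 0x8E89BED6            # fixed access address of channels 37, 38 and 39
ADV_PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND", 3: "SCAN_REQ",
                 4: "SCAN_RSP", 5: "CONNECT_IND", 6: "ADV_SCAN_IND"}
AD_FLAGS, AD_COMPLETE_NAME, AD_MANUFACTURER = 0x01, 0x09, 0xFF
COMPANY_IDS = {0x004C: "Apple"}         # Bluetooth SIG company identifier


def parse_ad_structures(adv_data):
    """Split AdvData into (ad_type, data) structures; stop at padding or a truncated one."""
    out, i = [], 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0 or i + 1 + length > len(adv_data):
            break
        out.append((adv_data[i + 1], bytes(adv_data[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def parse_ble_packet(pkt):
    """Decode one record: pseudo-header, access address, PDU header, payload."""
    channel, rssi, _noise, _offenses, _ref_aa, _flags = struct.unpack_from("<BbbBIH", pkt, 0)
    access_addr, = struct.unpack_from("<I", pkt, 10)
    header, length = pkt[14], pkt[15]
    payload = pkt[16:16 + length]        # the 3-byte CRC, if present, follows the payload
    info = {"channel": channel, "rssi": rssi, "access_addr": access_addr, "pdu_type": None,
            "random_addr": None, "adv_addr": None, "name": None, "manufacturer": None}
    if access_addr != ADV_ACCESS_ADDR:
        return info                      # data channel PDU captured while following a connection
    pdu_type = header & 0x0F
    info["pdu_type"] = ADV_PDU_TYPES.get(pdu_type, "reserved")
    info["random_addr"] = bool(header & 0x40)          # TxAdd: 1 means AdvA is a random address
    adv_off = 6 if pdu_type in (3, 5) else 0           # SCAN_REQ/CONNECT_IND carry ScanA/InitA first
    if len(payload) >= adv_off + 6:
        info["adv_addr"] = ":".join("%02X" % b for b in payload[adv_off:adv_off + 6][::-1])
    if pdu_type in (0, 2, 4, 6):                       # only these types carry AdvData after AdvA
        for ad_type, data in parse_ad_structures(payload[6:]):
            if ad_type == AD_COMPLETE_NAME:
                info["name"] = data.decode("utf-8", "replace")
            elif ad_type == AD_MANUFACTURER and len(data) >= 2:
                company, = struct.unpack("<H", data[:2])
                info["manufacturer"] = COMPANY_IDS.get(company, "0x%04X" % company)
    return info


def parse_pcap(data):
    """Parse every record of an in-memory pcap; raises on a non-BLE link type."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_BLE_LL_WITH_PHDR:
        raise ValueError("unexpected link type %d" % linktype)
    packets, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        if incl_len >= 16:               # shorter records cannot hold pseudo-header plus PDU header
            packets.append(parse_ble_packet(data[off:off + incl_len]))
        off += incl_len
    return packets


def build_sample_pcap():
    """Constructed sample (not a real capture): one ADV_IND on channel 37 at -60 dBm from the
    static random address C0:FF:EE:01:02:03, advertising flags, Apple manufacturer data and
    the name "TV"; the CRC field is a zero placeholder."""
    adv_a = bytes.fromhex("C0FFEE010203")[::-1]          # AdvA is little-endian on the wire
    adv_data = bytes([2, AD_FLAGS, 0x06,
                      5, AD_MANUFACTURER, 0x4C, 0x00, 0x10, 0x05,
                      3, AD_COMPLETE_NAME]) + b"TV"
    payload = adv_a + adv_data
    header = 0x40 | 0x00                                   # TxAdd=1 (random address), type ADV_IND
    ll_packet = (struct.pack("<I", ADV_ACCESS_ADDR) + bytes([header, len(payload)])
                 + payload + b"\0\0\0")
    phdr = struct.pack("<BbbBIH", 37, -60, -90, 0, ADV_ACCESS_ADDR, 0x0003)  # dewhitened, RSSI valid
    record = phdr + ll_packet
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_BLE_LL_WITH_PHDR)
    rec_hdr = struct.pack("<IIII", 1554000000, 0, len(record), len(record))
    return global_hdr + rec_hdr + record


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for p in parse_pcap(blob):
        print(p)
```

Run it as `python parse_adv.py capture.pcap` against a real capture; without an argument it parses the constructed sample. Packets whose access address is not the advertising one (data channel traffic captured while following a connection) come back with `pdu_type` set to None, which is a cheap way to separate the two phases the sniffer can be in.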


Now that I am all set up, I will start taking actual captures of devices connecting and will test how reliable Sniffle’s ability to follow connections is. By the way, once you capture a full initial pairing and connection establishment, you should be able to process the pcap with Crackle: for LE Legacy pairing it brute-forces the Temporary Key (0 for Just Works, a six-digit value for Passkey Entry), derives the STK from it, decrypts the LTK exchange and can then decrypt the connection traffic. This only works for Legacy pairing with Just Works or Passkey Entry; Out of Band pairing defeats it, as does LE Secure Connections, whose ECDH key agreement leaves nothing to brute force. In my experience, the only device that I have observed in the wild using OOB pairing is the Apple Watch, though.

While using Sniffle I have noticed some instability. Every now and then I get weird errors raised by Sniffle when it has trouble parsing certain packets. See the example above of a crash when it parses a packet that, allegedly, has an incorrect length field. I have observed similar parsing errors happening from time to time. When this happens, Sniffle seems to get stuck when you try running it again. The quickest fix is to reload the firmware.


Once I have some time I will continue playing with sniffle. With two kids now, time is a very scarce resource! 🙂

EDIT (10/04/2019): Correction to myself. Bluetooth 5 *should* be using Diffie-Hellman for the handshake to derive the STK, which encrypts the handshake to exchange the LTK. If that is the case, even when sniffing a full initial pairing + connection, one would not be able to brute force anything. I have to find myself a Bluetooth 5 device and capture that traffic. I’ll update when I have some time.

Recently I had the pleasure to meet Dr. Ted Rappaport and attend a very interesting talk he gave at NYU Poly. The topic of the talk was his proposed “renaissance of wireless communications“. It was very exciting to meet him in person given the fact that I pretty much started learning all I know from his book “Wireless Communications: Principles and Practice“. I actually realized, while sitting there listening to his talk, that I should have brought my copy of the book to get it signed. After all, his book and Proakis’ “Digital Communications” are the two pillars of everything I like. Learning about the Fourier Transform when I was 19 in school was eye-opening and told me that, indeed, I was in the right place (the right major). A couple of classes I took over the following years (COM-1, COM-2 and RadioCom at the ETSETB) required me to read those two books, and then I knew that I was in the right major and I also knew what I wanted to do.

Anyhow, back to Rappaport’s talk. I find his view very interesting. Essentially he is proposing to design communication systems in the millimeter-wave range, at very high frequencies, and he is actually proving it possible at NYU Wireless.


These frequency ranges are known, in some cases, for suffering extreme propagation attenuation due to the interaction of the electromagnetic waves with oxygen molecules, which brings the signal down by well over 10 dB per kilometer. For these high-attenuation bands, Rappaport proposes “whisper nets” that die off within well under a meter of propagation. This way, multiple parts of a complex system can be connected wirelessly, making wires unnecessary. Because these networks have such a short range, an external attacker has a much harder time sniffing or injecting traffic; note that the range limit shrinks the attack surface but does not replace link-layer encryption, since anyone who gets within that range, or who points a high-gain directional antenna at the device, can still do both.

The other frequency ranges suffer from a still reasonable attenuation that, according to some initial results, could host the future 5G wireless systems. These systems would have a huge bandwidth (BW), allowing for great throughput. Although I had the chance to ask a couple of questions, I forgot to ask him whether he thinks that the huge increase in throughput will come purely from increased BW (plenty of available BW at the frequency ranges he is proposing!) or he expects advanced modulation techniques to play a substantial role as well. After all, we are getting close to Shannon’s limits in terms of bits per second per Hertz (bps/Hz).

Based on the observations of Martin Cooper, the capacity of wireless systems has been steadily doubling roughly every 30 months. This increase has been due to (these numbers are extracted from: M.-S. Alouini and A.J. Goldsmith, “Area Spectral Efficiency of Cellular Mobile Radio Systems,” IEEE Transactions on Vehicular Technology, vol. 48, no. 4, pp. 1047-1066, July 1999) a wider spectrum (25x gain), spectrum slicing (5x), better modulations (5x; these numbers, I believe, predate OFDMA, and I wonder whether OFDMA increased capacity more than 5 times) and a huge gain (1600x) from reducing the size of the cells. Although there is a huge improvement from making cells smaller, it does not make sense to make them much smaller than they are now (metro-, pico- and femtocells), so I guess sooner or later we will have to look in new directions. Spatial diversity, another topic discussed in Rappaport’s talk, has always seemed to me the most promising and suitable one. If you add to that a huge BW at the millimeter-wave range, even better!

The Samsung Focus Flash is a Windows Phone smartphone that was released in November 2011. It would be just another (good) Windows Phone smartphone if it weren’t for the fact that, to my knowledge, it is the first cell phone ever to ship with a tunable antenna matching network.

A matching network is the portion of the RF circuit that matches the antenna impedance to the rest of the system (typically 50 ohms). When a cell phone antenna is tested in an anechoic chamber, it is done under very specific user scenarios using phantom heads and hands. However, if a particular case or hand grip is not tested and it happens to be an especially bad condition for the antenna, we may end up in trouble. Our skin is slightly conductive, so touching an antenna slightly changes its impedance and may upset its match with the RF chain. If you happen to bridge two different antennas, or two sections of the same antenna, with your finger, the whole match is thrown off; that is how Apple made mainstream news for an actual design mistake.

Actually, anything conductive entering the near field of the antenna (within about a fraction of a wavelength) will potentially disrupt the impedance match. I will not go into too many details, but when an antenna is well matched most of the RF power is actually delivered to the antenna and radiated. The worse the match, the less power is transmitted or received, regardless of how good the signal level is. There are hundreds of videos on YouTube of people demonstrating this with an iPhone 4.

A tunable matching network adapts to these changes in a dynamic environment to keep the antenna’s impedance match optimal at all times. The network is smart enough to keep the antenna matched to the system in any user scenario! This is when a smartphone gets really smart.
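To put numbers on “bad match, less power”, here is an added worked example (my own, not from the post or from WiSpry) that computes the reflection coefficient, VSWR and mismatch loss for an antenna whose impedance has been pulled away from 50 ohms, and then designs the simplest tunable-network building block, a lossless two-element L-network, to bring it back to 50 ohms. The 50 ohm system impedance, the 1.9 GHz design frequency and the detuned antenna impedances are assumptions chosen for the illustration; the only figure taken from the page is the 19:1 VSWR that WiSpry quotes as its matching limit.

```python
"""Impedance matching worked example: Gamma, VSWR, mismatch loss and an L-network design."""
import math

Z0 = 50.0                                   # assumed system impedance the antenna must present
FREQ_HZ = 1.9e9                             # assumed design frequency (a cellular band)


def reflection_coefficient(z_load, z0=Z0):
    """Gamma = (ZL - Z0) / (ZL + Z0); |Gamma| = 0 is a perfect match, 1 is total reflection."""
    return (z_load - z0) / (z_load + z0)


def vswr(z_load, z0=Z0):
    """Voltage standing wave ratio, (1 + |Gamma|) / (1 - |Gamma|)."""
    g = abs(reflection_coefficient(z_load, z0))
    return math.inf if g >= 1.0 else (1 + g) / (1 - g)


def vswr_to_gamma(ratio):
    """Inverse of the above: |Gamma| for a given VSWR (19:1 gives 0.9)."""
    return (ratio - 1) / (ratio + 1)


def mismatch_loss_db(gamma_mag):
    """Fraction of power lost to reflection, as -10*log10(1 - |Gamma|^2)."""
    return -10 * math.log10(1 - gamma_mag ** 2)


def l_match(r_load, r_source=Z0, freq_hz=FREQ_HZ):
    """Two-element L-network matching a resistive load to r_source.
    The series reactance goes on the lower-resistance side, the shunt element on the higher;
    this is the low-pass form (series inductor, shunt capacitor), one of the two dual solutions."""
    r_low, r_high = min(r_load, r_source), max(r_load, r_source)
    q = math.sqrt(r_high / r_low - 1)
    x_series, x_shunt = q * r_low, r_high / q
    w = 2 * math.pi * freq_hz
    return {"q": q, "x_series": x_series, "x_shunt": x_shunt,
            "series_L_H": x_series / w, "shunt_C_F": 1 / (w * x_shunt)}


def input_impedance_with_match(r_load, r_source=Z0, freq_hz=FREQ_HZ):
    """Impedance the source sees once the L-network is inserted; should come out as r_source."""
    net = l_match(r_load, r_source, freq_hz)
    w = 2 * math.pi * freq_hz
    x_l, b_c = w * net["series_L_H"], w * net["shunt_C_F"]
    if r_load < r_source:                   # inductor in series with the load, capacitor across it
        return 1 / (1 / complex(r_load, x_l) + complex(0, b_c))
    y = 1 / r_load + complex(0, b_c)        # capacitor across the load, inductor toward the source
    return 1 / y + complex(0, x_l)


def antenna_report(z_antenna, z0=Z0):
    """Summary of how much transmit power a detuned antenna actually gets."""
    g = abs(reflection_coefficient(z_antenna, z0))
    return {"gamma": g, "vswr": vswr(z_antenna, z0),
            "delivered_fraction": 1 - g * g, "mismatch_loss_db": mismatch_loss_db(g)}


if __name__ == "__main__":
    # Assumed detuned antenna: hand contact has dragged it to 20 - 15j ohms.
    print("detuned:", antenna_report(complex(20, -15)))
    print("19:1 VSWR loses %.1f dB" % mismatch_loss_db(vswr_to_gamma(19)))
    net = l_match(20.0)
    print("L-network: L = %.2f nH, C = %.2f pF" % (net["series_L_H"] * 1e9, net["shunt_C_F"] * 1e12))
    print("input after match:", input_impedance_with_match(20.0))
```

The point of the numbers: at the 19:1 VSWR limit WiSpry quotes, |Gamma| is 0.9 and only 19% of the power reaches the antenna (about 7.2 dB lost), which is why a few pF of tunable capacitance in the right place is worth more than any amount of transmit power. A real tuner has to re-solve this for complex, frequency-dependent antenna impedances and pick the component values from the discrete capacitor array; the L-network above is the idealised resistive case.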

In the case of the Samsung Focus Flash, the matching network is built by an Orange County-based RF programmable solutions manufacturer, WiSpry. You can read this article for more details on the A2101 MEMS-based tuning module. I am surprised that Samsung is not advertising this cool feature for their phone; I think it could be a good selling point!

Very cool stuff… the iPhone 4 might not have had all those antenna problems had it had one of these inside.

From wiSpry:

Using WiSpry’s core digital capacitor technology and tunable digital capacitor arrays (TDCA), WiSpry can support its customers with the development of tunable impedance matching networks. Implementing inductors in a variety of ways, WiSpry’s front-end matching networks are capable of matching networks with up to 19:1 VSWR. TIMs feature low-voltage operation, high linearity, accuracy and high quality factor (Q) performance coupled with small size.
TDCAs available for implementation into TIMs range from standard 5pF, 10pF and 20pF arrays up to custom configurations (~30pF+) for higher capacitance values. Both series and shunt capacitors are available so that virtually any network topology can be implemented.

Teardown: Samsung Focus Flash.

From a colleague on LinkedIn, I have recently found out about AgO Inc. This SoCal-based company is responsible for AnXplorer, a new analog and RF circuit tool that, “after a designer creates an unsized circuit, design variables, and objectives, generates an optimized, centered circuit that meets or exceeds the design objectives across all corners specified by the user, using a new multi-algorithmic optimization strategy aided by an expert system. By centering the design across all specified process, temperature and voltage corners, AnXplorer achieves a robust design that enhances the yield and improves the probability of first-time silicon success“.

This product offers a novel optimization process based on simulations and equations that improves on tools based on convex or gradient-based optimization techniques. It is also compatible with commonly used circuit design tools, such as SPICE, Cadence Spectre, Mentor Eldo and Legend Design Technology MSIM.

Read more about the tool at the press release at EE Times.

About me:

Born in Barcelona, moved to Los Angeles at age 24, ended in NYC, where I enjoy life, tweet about music and work as a geek in security for wireless networks.
All the opinions expressed in this blog are my own and are not related to my employer.