Zigbee: TICC 2531

The Texas Instruments CC2531 is a chip used for 802.15.4 communications. To use it with Kismet, it must be flashed with the sniffer firmware provided by TI. Often the devices are available with the sniffer firmware pre-flashed.

Kismet must be compiled with support for libusb to use TICC2531; you will need libusb-1.0-dev (or the equivalent for your distribution), and you will need to make sure that the TI CC 2531 option is enabled in the output from ./configure.

To use the TI CC2531 capture, you must have a TI CC2531 dongle flashed with the sniffer firmware. You can flash this yourself with a CC-Debugger or purchase one online from many retailers.

Note: It seems that while many CC2531 devices are advertised as pre-flashed with the sniffer firmware, they appear not to be!

802.15.4 (Zigbee) #

The 802.15.4 standard is a low-bandwidth low-power networking standard. A commercial implementation is Zigbee, however other devices also implement the 802.15.4 physical layer.

Detecting and classifying 802.15.4 networks can be challenging, as they may transmit infrequently. Often 802.15.4 networks report fragmentary network IDs, which may lead to multiple networks being identified as a single device; this is unavoidable due to how 802.15.4 addressing works.

802.15.4 channels #

802.15.4 / Zigbee operates in up to 3 bands. You will need a device for each band. Most devices support the more common 2.4GHz band, with support for 800 and 900MHz being much rarer (currently only supported via the Freaklabs hardware).

Channels are a fixed width and are identified only by channel number (ie 1, 12, 13, 14). There are no options for wide or fast channels in 802.15.4.

Despite sharing the frequency range with Wi-Fi on the 2.4GHz band, 802.15.4 uses a different physical encoding standard; a Wi-Fi card is not able to see 802.15.4 packets or networks, and an 802.15.4 device is not able to see Wi-Fi packets.

TI CC2531 concerns #

The sniffer firmware in the TI CC2531 sometimes goes into a permanent error state until the device is physically re-initialized - by disconnecting it from USB and reconnecting it. Unfortunately, there does not seem to be any way to automate this process, as once the device enters an error state, it will remain in that state and cannot be reinitialized over USB.

TI CC2531 interfaces #

TI CC2531 datasources in Kismet can be referred to as simply ticc2531-...:

kismet -c ticc2531-0

When using multiple TICC devices, they can be specified either in order discovered by the system (ticc2531-0, ticc2531-1, etc), or by USB path. If you need to know which specific device is being configured, use the USB path - however, this path may be subject to change if USB devices are moved, new USB devices added, etc.

To find the location on the USB bus, look at the output of kismet_cap_ti_cc_2531 --list:

Kismet will also list available TI CC2531 devices automatically in the datasources list.

Supported Hardware #

Any USB device based on the CC2531 chip, and flashed with the TI sniffer firmware, should work. Beware! Many online vendors sell identical-looking devices based on the CC2531 chip, which is not the same thing!

This datasource should work on any platform, so long as the appropriate libraries are available.

Source parameters #

Naming and description options #

All data sources accept the common naming and description options.

Channel control options #

source=ticc2531-0:name=Foo,channel_hop=false,channel=12

source=ticc2531-00:name=Foo,channels="12,13,14,15"

kismet -c 'ticc2531-00:name=Foo,channels="12,13,14,15"'