Reversing the Microchip Zena ZigBee Sniffer

Microchip Zena Network Analyzer

A few days ago I bought a Microchip Zena ZigBee sniffer. This USB HID device comes with simple software for Windows that captures and decodes 2.4 GHz 802.15.4, ZigBee, MiWi (Microchip stack) and MiWi-P2P traffic. It's $150, which is a little steep considering that it is a PIC18LF with USB and a MRF24J40 radio, but I've had fun playing with it all the same.

The Zena 3.0 sniffer software provides a basic per-packet view of frames. I guess we are all spoiled by Wireshark, but I was hoping for more detail and a better UI. The Zena sniffer can save a capture in a proprietary file format, and can export selected frames (to the clipboard) in space-delimited hex bytes.

A cool accompanying feature is the network configuration display interface where Zena will identify all the parent/child relationships observed. You can specify a BMP background as a floorplan and move the nodes to their physical locations as well.

Zena Packet Capture Tool

Zena Sniffer Network Configuration Display

SnoopyPro Capture of Zena USB Traffic

With no Linux support, I decided to write my own user space Linux driver to capture packets with the goal of integrating it into libpcap captures and other tools including Kismet Newcore. Plugging into a Linux box, it was clear that the device was using the USB HID, which was good news for me since it would be simpler to reverse the configuration details. Using the SnoopyPro USB sniffer, I was able to look at the USB packets, observing data from frames shown by the sniffer, as well as recording the configuration activity based on the channel I specified to capture on.

With this information, it was straightforward to identify the USB endpoint 0x01 as the control channel (for setting the channel) and USB endpoint 0x81 as the data endpoint (for delivering frames). Using PyUSB with the excellent Pymissle project by Scott Weston as an example, I quickly put together a tool that can set the channel number and capture frames from the Zena device, dumping the hex bytes to stdout.

Linux Microchip Zena data, isn't it beautiful?

The Python script is available here. It's a hack, but it was enough to get me started on what will be my next post: zbfind, a location tracking and identification tool for ZigBee and 802.15.4 networks.

-Josh

May 10, 2009   Posted in: Hardware, Linux, Reverse Engineering, ZigBee

8 Responses

  1. Travis Goodspeed - May 15, 2009

    Good job, neighbor. Any chance you’d care to reverse the HID protocol for the EZ430RF2500 kit’s TUSB3410 chip?

    –Travis

  2. Joshua Wright - May 15, 2009

    Yes! I’m waiting for the CC2530 development kit to become available, but I can take a look at this in the meantime. Is this the right board to pick up: http://focus.ti.com/docs/toolsw/folders/print/ez430-rf2500.html?

    Thanks!

    -Josh

  3. dynaco - June 10, 2009

    Can you read the firmware of the ZENA controller?
    I want to create one in order to save some dollars.
    I already bought the Microchip RF module and I have the 2550 USB controller.
    All I need is the firmware for it.
    Please assist.

  4. rmelgares - January 8, 2011

    Just an FYI, I had to add a line to detach the kernel driver from the handle, as otherwise I couldn’t claim the device. I kept going around in circles writing different ways of opening and claiming a handle/device (thinking I wasn’t doing it right) before finding a solution. Thanks for the reverse engineering! You’ll soon find that Ryan Speers and I have been working on adding support for other devices into Killerbee, as well as some other features/modifications.

  5. jdesbonnet - January 11, 2011

    @rmelgares: yes, I encountered the same problem myself and eventually came up with an (ugly) solution. I’m using Ubuntu 10.4.

    The error message is:
    “usb.USBError: could not claim interface 0: Device or resource busy”

    Solution:
    While ZENA is *not* plugged in, look at files in /sys/bus/usb/drivers/usbhid/
    There should be files, e.g. “1-3.1:1.0”. Now connect the ZENA. You will find a new file in that directory. Make note of it. For this example assume it’s “1-3.3:1.0”.
    Now do:
    echo 1-3.3:1.0 > /sys/bus/usb/drivers/usbhid/unbind

    (replace the “1-3.3:1.0” with whatever you find for your system)

    The python script should work.

    I’m working on a proper Zigbee sniffer for Linux using the Microchip ZENA. I’m wondering has anyone else progressed this further? Googling around doesn’t yield much for ZENA and Linux unfortunately.
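
Added example, not part of the original post or comments: the before/after directory comparison described in comment 5, written as a Python 3 script that finds the interface that appeared when the ZENA was plugged in and unbinds it from usbhid. The function names and the interface-name pattern are assumptions of this example; the sysfs path is the one given in the comment.

```python
import os
import re
import sys

USBHID_DIR = "/sys/bus/usb/drivers/usbhid"
# sysfs USB interface names: bus-port[.port...]:config.interface, e.g. 1-3.3:1.0
IFACE_RE = re.compile(r"^\d+-\d+(\.\d+)*:\d+\.\d+$")


def bound_interfaces(driver_dir=USBHID_DIR):
    """Interfaces currently bound to usbhid (skips bind, unbind, uevent, ...)."""
    return {name for name in os.listdir(driver_dir) if IFACE_RE.match(name)}


def new_interfaces(before, after):
    """Interfaces that appeared between two snapshots, in sorted order."""
    return sorted(after - before)


def unbind(iface, driver_dir=USBHID_DIR):
    """Release one interface from usbhid; needs root on a real system."""
    # The string is written to sysfs as root, so accept only a well-formed
    # interface name that is actually bound right now.
    if not IFACE_RE.match(iface):
        raise ValueError("not a USB interface name: %r" % iface)
    if iface not in bound_interfaces(driver_dir):
        raise LookupError("%s is not bound to this driver" % iface)
    with open(os.path.join(driver_dir, "unbind"), "w") as f:
        f.write(iface)


if __name__ == "__main__":
    input("Unplug the ZENA, then press Enter... ")
    before = bound_interfaces()
    input("Plug the ZENA in, wait a second, then press Enter... ")
    added = new_interfaces(before, bound_interfaces())
    if len(added) != 1:
        # Zero or several new HID interfaces: do not guess which one to unbind.
        sys.exit("expected exactly one new interface, found: %s" % added)
    unbind(added[0])
    print("unbound %s from usbhid" % added[0])
```

The unbind lasts only until the device is replugged, so the script has to be rerun after each reconnect.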

  6. Joshua Wright - January 11, 2011

    I haven’t done any more with the Zena, instead focusing on the RZUSB stick and devices running the Linux standard serialdev 802.15.4 compliant firmware. The Zena is cool since it is so easy to add an external antenna adapter, but the $150 and no open-source firmware makes it a hard sell.

    -Josh

  7. jdesbonnet - January 30, 2011

    Can an XBee module be configured to act as a sniffer?

  8. jdesbonnet - February 13, 2011

    I started capturing ZigBee packet logs with the Zena and this script in earnest today. A few odd things I’ve noticed:

    Earlier in the day the script worked as is. After a reboot (some update must have kicked in) I started getting the ‘No error’ exception in the setChannel() method. To fix it I just caught and ignored it (as was already done in the getDataPacket() method).

    Another more interesting observation: I can reliably crash the kernel by running this script. It doesn’t happen immediately, but after 2 – 20 minutes. Running as regular user or root doesn’t matter.

    I can reliably reproduce this crash on Ubuntu 10.4.2 (kernel 2.6.32-28-generic) on a real computer and Ubuntu 10.10 (2.6.35-25-generic) running in VirtualBox on a Windows 7 host OS. Both with libusb-0.1-4 and libusb-1.0-0 packages installed. 32-bit Intel arch.

    I’m guessing this is a bug in libusb.
