Project CC2540 | |
---|---|
Reverse engineering the CC2540 BLE sniffer dongle | |
Status | Stalled |
Contact | bertrik |
Last Update | 2018-05-13 |
Status
At this point (2017-05-09), the status is:
- it is pretty clear which commands the default sniffer firmware understands
- I wrote a little test program to dump raw BLE frames
- there is no plugin for Wireshark yet
Introduction
This page is about the CC2540 Bluetooth Low Energy sniffer dongle and getting it to work with Linux. A nice end result would be being able to sniff directly into Wireshark with this dongle.
I have such a 'WeBee' dongle, which can be found for about €15 on websites like AliExpress.
It's supposedly a CC2540 (or compatible) dongle; the USB id is 0451:16b3 (vendor id 0451 belongs to Texas Instruments).
Interesting links:
Analysis
USB descriptor
When plugging this stick into a Linux machine, you can see it uses only one bulk endpoint.
Reading the identification from the stick with the 0xC0 (GET_IDENT) command results in the following 8-byte response:
You can recognise the 2540 type number in there.
USB logs from Windows
This USB device does actually work with Windows:
I've captured a log of the USB communication with USBPcap while the dongle was sniffing Bluetooth traffic from an iBeacon.
In the logs I cannot see any firmware blobs being downloaded to the stick, so the stick probably comes with its own pre-loaded firmware for BLE sniffing.
The USB control transfer request codes seem to match up with the code in https://github.com/christianpanton/ccsniffer/blob/master/ccsniffer.py
- 0xC0, GET_IDENT: returns some kind of identifier
- 0xC5, SET_POWER
- 0xC6, GET_POWER
- 0xC9, unknown: it appears in my USB logs but I can't find it in the Python code
- 0xD0, START
- 0xD1, STOP
- 0xD2, SET CHAN
Protocol
In the Windows sniffer software, there seem to be only two kinds of communication:
- towards the stick: which radio channel to sniff, and some other radio settings
- from the stick: raw sniffed BLE frames
Configuring the radio
This appears to be done using USB control transfers.
The following requests are sent:
Request type | Request | Value | Index | Data | Description |
---|---|---|---|---|---|
0x40 | 0xC5 | 0 | 4 | - | Set power |
0xC0 | 0xC6 | 0 | 0 | 0x00 | Get power |
0xC0 | 0xC6 | 0 | 0 | 0x04 | Get power |
0x40 | 0xC9 | 0 | 0 | - | ??? |
0x40 | 0xD2 | 0 | 0 | 0x27 | Set channel |
0x40 | 0xD2 | 0 | 1 | 0x00 | Set channel |
0x40 | 0xD0 | 0 | 0 | - | Start capture |
Request type (bmRequestType) 0x40 is a vendor-specific request, host-to-device, addressed to the device; 0xC0 is the same with the direction bit (bit 7) set, so device-to-host. The Value and Index columns are the wValue and wIndex fields of the setup packet; Data is the payload of the data stage, or, for the 0xC0 requests, the byte returned by the stick.
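The sequence in the table, replayed as pyusb control transfers. This is an added example and not code from the original page or from bertrik/cc2540: the request codes and the wValue/wIndex/data values are those of the table, while the GET_POWER polling loop, the 1-second timeout, the meaning guessed for the channel byte and the FakeDongle used to exercise the sequence without hardware are assumptions made here.

```python
"""Radio-configuration sequence for the CC2540 sniffer dongle, replayed with
pyusb (usb.core.Device.ctrl_transfer has the same argument order as libusb's
control transfer).  Added example; only the request codes and the
wValue/wIndex/data values come from the captured table.
"""

VENDOR_ID, PRODUCT_ID = 0x0451, 0x16B3  # USB id of the WeBee dongle

# bmRequestType values seen in the capture
OUT_VENDOR_DEVICE = 0x40   # host-to-device, vendor-specific, recipient device
IN_VENDOR_DEVICE = 0xC0    # device-to-host, vendor-specific, recipient device

# vendor request codes listed on the page
GET_IDENT, SET_POWER, GET_POWER, REQ_C9, START, STOP, SET_CHAN = (
    0xC0, 0xC5, 0xC6, 0xC9, 0xD0, 0xD1, 0xD2)

TIMEOUT_MS = 1000  # assumption; the page does not mention timeouts


def read_ident(dev):
    """GET_IDENT: the 8-byte identification mentioned on the page."""
    return bytes(dev.ctrl_transfer(IN_VENDOR_DEVICE, GET_IDENT, 0, 0, 8, TIMEOUT_MS))


def configure_sniffer(dev, channel=0x27, power_polls=8):
    """Replay the control transfers from the table and start capturing.

    `dev` is a usb.core.Device, or anything with pyusb's
    ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, data_or_wLength,
    timeout).  `channel` is the byte the Windows software sent (0x27 = 39,
    which would be BLE advertising channel 39 if the dongle uses BLE channel
    numbering; the page does not confirm that).  Returns every request issued
    as (bmRequestType, bRequest, wValue, wIndex, data) for logging/checking.
    """
    issued = []

    def out(request, value, index, data=b""):
        dev.ctrl_transfer(OUT_VENDOR_DEVICE, request, value, index, data, TIMEOUT_MS)
        issued.append((OUT_VENDOR_DEVICE, request, value, index, bytes(data)))

    def inp(request, value, index, length):
        reply = bytes(dev.ctrl_transfer(IN_VENDOR_DEVICE, request, value, index,
                                        length, TIMEOUT_MS))
        issued.append((IN_VENDOR_DEVICE, request, value, index, reply))
        return reply

    # 1. SET_POWER with wIndex=4, then GET_POWER until the 1-byte reply is 4.
    #    The capture shows the reply going 0x00 -> 0x04; bounding the number
    #    of polls keeps a dead radio from hanging the host.
    out(SET_POWER, 0, 4)
    for _ in range(power_polls):
        if inp(GET_POWER, 0, 0, 1) == b"\x04":
            break
    else:
        raise RuntimeError("radio never reported power level 4")

    # 2. Request 0xC9, purpose unknown, but the Windows software sends it.
    out(REQ_C9, 0, 0)

    # 3. SET_CHAN: channel byte with wIndex=0, then a zero byte with wIndex=1.
    out(SET_CHAN, 0, 0, bytes([channel]))
    out(SET_CHAN, 0, 1, b"\x00")

    # 4. START: from here on sniffed frames arrive on the bulk IN endpoint.
    out(START, 0, 0)
    return issued


class FakeDongle:
    """Offline stand-in for usb.core.Device, constructed for this example.
    It answers GET_POWER with 0x00 on the first poll after SET_POWER and with
    the requested level afterwards, mirroring the two GET_POWER rows above."""

    def __init__(self):
        self.power = 0
        self.settling = False

    def ctrl_transfer(self, bmRequestType, bRequest, wValue=0, wIndex=0,
                      data_or_wLength=None, timeout=None):
        if bmRequestType == OUT_VENDOR_DEVICE:
            if bRequest == SET_POWER:
                self.power, self.settling = wIndex, True
            return len(data_or_wLength or b"")
        if bRequest == GET_POWER:
            if self.settling:
                self.settling = False
                return b"\x00"
            return bytes([self.power])
        if bRequest == GET_IDENT:
            return b"\x00" * 8   # placeholder; the real reply is not on the page
        return b""


def open_dongle():
    """Locate the real dongle with pyusb (only used against hardware)."""
    import usb.core  # pyusb; imported here so the offline part needs nothing
    dev = usb.core.find(idVendor=VENDOR_ID, idProduct=PRODUCT_ID)
    if dev is None:
        raise SystemExit("dongle 0451:16b3 not found")
    dev.set_configuration()
    return dev


if __name__ == "__main__":
    for t, r, v, i, d in configure_sniffer(FakeDongle()):
        print("bmRequestType=0x%02X bRequest=0x%02X wValue=%d wIndex=%d data=%s"
              % (t, r, v, i, d.hex() or "-"))
```

Against real hardware, replace FakeDongle() with open_dongle(); on Linux this needs either root or a udev rule for 0451:16b3. The returned list of issued requests can be compared one-for-one against the rows of the table when diagnosing a dongle that does not start streaming.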
Reading BLE frames
This appears to be done using USB bulk input transfers.
I can see a lot of similarities between the USB log and the BLE sniffer log.
Each frame starts with a byte indicating the type of frame, followed by two bytes indicating the length of the rest of the frame (encoded as little endian).
data frames
After the type byte, a data frame carries two bytes giving the length of the rest of the frame, followed by the payload.
In the example frame from the capture (shown as an image on the original page):
- 00: 0 means this is a data frame
- 31 00: length of rest of frame encoded in little endian = 49 bytes decimal
- 39 04 29 54: part of the time stamp
- 2c d6 be .: data frame contents
unknown frames (tick or 'alive'?)
The stick also returns 4-byte frames, alternating between 01 01 00 40 and 01 01 00 C0.
Interpretation:
- 01: 1 means this is a frame of type 1
- 01 00: length of the rest of the frame encoded in little endian = 1 byte
- 40 or C0: unknown data byte
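A decoder for the bulk-IN frame stream described under "Reading BLE frames", covering both the data frames and the 4-byte tick frames. This is an added example, not code from the original page or from bertrik/cc2540. The header layout (type byte, 16-bit little-endian length of the rest) and the two frame types are taken from the page; splitting a type-0 body into the 4 bytes the page calls "part of the time stamp" and the BLE contents follows the worked example above, while treating any other type as unknown, the reassembly across bulk reads, and the sample stream (the page's bytes plus filler) are assumptions and constructions made here.

```python
"""Decoder for the CC2540 sniffer's bulk-IN frame stream.  Added example;
the frame layout is the one described on the page, the rest is assumed."""
import struct
from dataclasses import dataclass

HEADER = struct.Struct("<BH")   # frame type, then length of the rest (LE u16)


@dataclass
class DataFrame:                 # type 0: a sniffed BLE frame
    stamp: bytes                 # first 4 body bytes, "part of the time stamp"
    contents: bytes              # remainder: raw BLE frame contents


@dataclass
class TickFrame:                 # type 1: 1-byte body, alternates 0x40 / 0xC0
    flag: int


@dataclass
class UnknownFrame:              # anything else (assumption: pass it through)
    kind: int
    body: bytes


def decode(kind, body):
    """Turn one (type, body) pair into a frame object."""
    if kind == 0 and len(body) >= 4:
        return DataFrame(stamp=body[:4], contents=body[4:])
    if kind == 1 and len(body) == 1:
        return TickFrame(flag=body[0])
    return UnknownFrame(kind=kind, body=body)


class FrameStream:
    """Reassembles frames across bulk reads.  A bulk transfer need not end on
    a frame boundary, so feed() takes whatever the endpoint returned, yields
    the complete frames in it and keeps any partial tail for the next call."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk):
        self.buf += chunk
        while len(self.buf) >= HEADER.size:
            kind, length = HEADER.unpack_from(self.buf)
            end = HEADER.size + length
            if len(self.buf) < end:
                break                       # frame not complete yet
            body = bytes(self.buf[HEADER.size:end])
            del self.buf[:end]
            yield decode(kind, body)


def parse_all(chunks):
    """Run a sequence of bulk reads through one stream, return all frames."""
    stream = FrameStream()
    return [frame for chunk in chunks for frame in stream.feed(chunk)]


def sniff(dev, endpoint, reads=100, size=512, timeout_ms=1000):
    """Pull `reads` bulk transfers from a pyusb device and decode them.
    `endpoint` is the bulk IN endpoint address from the descriptor (the page
    does not name it); dev.read(endpoint, size, timeout) is pyusb's API."""
    stream = FrameStream()
    frames = []
    for _ in range(reads):
        frames.extend(stream.feed(bytes(dev.read(endpoint, size, timeout_ms))))
    return frames


# Constructed sample: header and first 7 body bytes of the data frame as shown
# on the page (type 0, length 0x0031 = 49), padded with 0xAA to the declared
# length, followed by the two 4-byte tick frames.
DATA_FRAME = bytes.fromhex("00 3100 39042954 2cd6be") + b"\xaa" * 42
TICK_FRAMES = bytes.fromhex("01 0100 40") + bytes.fromhex("01 0100 c0")
SAMPLE = DATA_FRAME + TICK_FRAMES

if __name__ == "__main__":
    # Split the sample at awkward points to show reassembly across reads.
    for frame in parse_all([SAMPLE[:7], SAMPLE[7:55], SAMPLE[55:]]):
        print(frame)
```

The split points in the sample are deliberately mid-frame: the first read ends inside the data frame's payload and the second ends one byte short of a tick frame, which is exactly what a naive "one read equals one frame" parser gets wrong when a capture is busy.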
Software
Preliminary code can be found at https://github.com/bertrik/cc2540
It connects to the dongle and dumps raw USB packets to stdout.
This software requires libusb-1.0-dev