OpenBeacon Tag

From OpenPCD



Figure: BruCON 2011 active 2.4GHz OpenBeacon Proximity Tag, used to measure social interaction between BruCON participants and to track positions
Figure: Sputnik tag as used at the 25C3 CCC congress
Figure: PIC16F684 microcontroller from Microchip on the OpenBeacon Tag, running the code shown below
Figure: round OpenBeacon tag

The OpenBeacon Tag consists of

Programming Work Flow

OpenBeacon Tag related firmware source may be found on our server for occasional browsing (pic16tag Firmware) and for development purposes in our git repository:

 git clone

Please refer to our compiler setup instructions.

Active 2.45GHz Proximity Tracking RFID Tag Hardware Design

See our reference deployment for more information. The active 2.45GHz RFID Proximity Tag source code can be found at /firmware/pic16/tag-proximity. You can find the BruCON 2011 Tag Encryption Key here. You can find further instructions on using our git source code repository here.

You can support our project by buying OpenBeacon Active RFID Tags in our RFID hardware shop.

Active 2.45GHz Tracking-Only RFID Tag Hardware Design

Download area for schematics and layout:

Understanding the tag source code

This is the main loop from main.c in the tag firmware, reproduced below as an excerpt. The line where the assembled packet macro is handed to the nRF24L01 chip is marked with a comment. First the packet is assembled, then the CRC is calculated and the data encrypted (shuffle_tx_byteorder is used to adjust the byte order so that the encryption is platform independent). As the final step, nRFCMD_Execute() triggers the transmission. An interesting feature of this code is that the packet macro is prepended by a macro that adjusts the transmit power on every transmission (g_MacroBeacon.rf_setup).

  while (1)
    {
      // power-step macro prepended to the packet: (i & 3) selects the TX power
      g_MacroBeacon.rf_setup = NRF_RFOPTIONS | ((i & 3) << 1);

      // assemble the tracker packet
      g_MacroBeacon.env.pkt.hdr.size = sizeof (TBeaconTracker);
      g_MacroBeacon.env.pkt.hdr.proto = RFBPROTO_BEACONTRACKER;
      g_MacroBeacon.env.pkt.flags = CONFIG_PIN_SENSOR ? 0 : RFBFLAGS_SENSOR;
      g_MacroBeacon.env.pkt.strength = i;
      g_MacroBeacon.env.pkt.seq = htonl (seq);
      g_MacroBeacon.env.pkt.oid = htonl (oid);
      g_MacroBeacon.env.pkt.reserved = 0;

      // CRC over everything except the crc field itself
      crc = crc16 (g_MacroBeacon.env.datab,
                   sizeof (g_MacroBeacon.env.pkt) -
                   sizeof (g_MacroBeacon.env.pkt.crc));
      g_MacroBeacon.env.pkt.crc = htons (crc);

      // update code_block so on next power up
      // the seq will be higher or equal
      crc = seq >> 16;
      if (crc == 0xFFFF)
        if (crc == code_block)
          store_incremented_codeblock ();

      // encrypt my data
      shuffle_tx_byteorder ();
      xxtea_encode ();
      shuffle_tx_byteorder ();

      // reset touch sensor pin
      sleep_jiffies (JIFFIES_PER_MS (10) +
                     (rand () % JIFFIES_PER_MS (180)));

      // send it away: packet macro handed to the nRF24L01 chip
      nRFCMD_Macro ((unsigned char *) &g_MacroBeacon);

      status = (i & 0xF) == 0;
      if (status)
        nRFCMD_Execute ();
      if (status)
        if (++i >= 4)
          i = 0;
    }
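The loop above only shows the tag side. The following is an added example, not OpenBeacon's own code: it rebuilds the same assemble / CRC / encrypt sequence on a host and then acts as the reader, decrypting the frame, restoring the byte order, checking the CRC and insisting on a strictly increasing sequence number so a replayed or stale frame is rejected. Everything not visible in the loop is an assumption: the field widths of TBeaconTracker (16 bytes, four XXTEA words), CRC-16/CCITT with polynomial 0x1021 and initial value 0xFFFF, XXTEA over four big-endian words (the load/store helpers play the role of shuffle_tx_byteorder), the value of RFBPROTO_BEACONTRACKER, and the all-zero placeholder key.

```c
/* Added example, not OpenBeacon's own code. Assumed (not from the page):
 * TBeaconTracker layout, CRC-16/CCITT variant, XXTEA word order, the
 * RFBPROTO_BEACONTRACKER value and an all-zero placeholder key. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RFBPROTO_BEACONTRACKER 24       /* hypothetical protocol id */
#define PKT_LEN 16                      /* 4 x 32-bit XXTEA words */
#define XXTEA_DELTA 0x9E3779B9u

typedef struct {
    uint8_t  size, proto;               /* hdr.size, hdr.proto */
    uint8_t  flags, strength;
    uint32_t seq, oid;                  /* big-endian on the wire (htonl) */
    uint16_t reserved, crc;             /* crc big-endian on the wire (htons) */
} TBeaconTracker;

typedef union { TBeaconTracker pkt; uint8_t datab[PKT_LEN]; } TBeaconEnvelope;

static const uint32_t tea_key[4] = { 0, 0, 0, 0 };  /* PLACEHOLDER, not a real tag key */

/* Portable big-endian helpers so the in-memory layout matches htonl/htons on any host. */
static uint32_t to_be32(uint32_t v) {
    uint8_t b[4] = { (uint8_t)(v >> 24), (uint8_t)(v >> 16), (uint8_t)(v >> 8), (uint8_t)v };
    uint32_t r; memcpy(&r, b, 4); return r; }
static uint32_t from_be32(uint32_t v) {
    uint8_t b[4]; memcpy(b, &v, 4);
    return (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3]; }
static uint16_t to_be16(uint16_t v) {
    uint8_t b[2] = { (uint8_t)(v >> 8), (uint8_t)v }; uint16_t r; memcpy(&r, b, 2); return r; }
static uint16_t from_be16(uint16_t v) {
    uint8_t b[2]; memcpy(b, &v, 2); return (uint16_t)(b[0] << 8 | b[1]); }

/* CRC-16/CCITT (assumed variant) over everything but the trailing crc field. */
static uint16_t crc16(const uint8_t *buf, size_t len) {
    uint16_t crc = 0xFFFF;
    while (len--) {
        crc ^= (uint16_t)(*buf++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Standard XXTEA (btea): n > 0 encrypts n words, n < 0 decrypts |n| words. */
#define MX (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (tea_key[(p & 3) ^ e] ^ z)))
static void xxtea(uint32_t *v, int n) {
    uint32_t y, z, sum; unsigned p, rounds, e;
    if (n > 1) {
        rounds = 6 + 52 / n; sum = 0; z = v[n - 1];
        do {
            sum += XXTEA_DELTA; e = (sum >> 2) & 3;
            for (p = 0; p < (unsigned)n - 1; p++) { y = v[p + 1]; z = v[p] += MX; }
            y = v[0]; z = v[n - 1] += MX;
        } while (--rounds);
    } else if (n < -1) {
        n = -n; rounds = 6 + 52 / n; sum = rounds * XXTEA_DELTA; y = v[0];
        do {
            e = (sum >> 2) & 3;
            for (p = n - 1; p > 0; p--) { z = v[p - 1]; y = v[p] -= MX; }
            z = v[n - 1]; y = v[0] -= MX; sum -= XXTEA_DELTA;
        } while (--rounds);
    }
}

/* Plays the role of shuffle_tx_byteorder(): load the 16 bytes as four big-endian
 * words, run XXTEA, store them back, so every platform encrypts the same words. */
static void xxtea_crypt(uint8_t buf[PKT_LEN], int encrypt) {
    uint32_t w[4];
    for (int i = 0; i < 4; i++)
        w[i] = (uint32_t)buf[4*i] << 24 | (uint32_t)buf[4*i+1] << 16 |
               (uint32_t)buf[4*i+2] << 8 | buf[4*i+3];
    xxtea(w, encrypt ? 4 : -4);
    for (int i = 0; i < 4; i++) {
        buf[4*i] = (uint8_t)(w[i] >> 24); buf[4*i+1] = (uint8_t)(w[i] >> 16);
        buf[4*i+2] = (uint8_t)(w[i] >> 8); buf[4*i+3] = (uint8_t)w[i];
    }
}

/* Tag side: what one iteration of the loop does before nRFCMD_Execute(). */
static void tag_build_frame(uint8_t out[PKT_LEN], uint32_t oid, uint32_t seq, unsigned i) {
    TBeaconEnvelope env;
    memset(&env, 0, sizeof env);
    env.pkt.size = sizeof(TBeaconTracker);
    env.pkt.proto = RFBPROTO_BEACONTRACKER;
    env.pkt.flags = 0;
    env.pkt.strength = (uint8_t)(i & 3);      /* mirrors the rf_setup power step */
    env.pkt.seq = to_be32(seq);
    env.pkt.oid = to_be32(oid);
    env.pkt.crc = to_be16(crc16(env.datab, PKT_LEN - sizeof env.pkt.crc));
    xxtea_crypt(env.datab, 1);
    memcpy(out, env.datab, PKT_LEN);
}

typedef struct { uint32_t oid, seq; uint8_t strength; } BeaconReport;

/* Reader side. Returns 0 and fills *out on success; -1 bad CRC (wrong key or
 * corrupted air frame), -2 unexpected header, -3 sequence not increasing
 * (replayed or stale frame). *last_seq is per-tag state kept by the reader. */
static int reader_process(const uint8_t wire[PKT_LEN], uint32_t *last_seq, BeaconReport *out) {
    TBeaconEnvelope env;
    memcpy(env.datab, wire, PKT_LEN);
    xxtea_crypt(env.datab, 0);
    if (from_be16(env.pkt.crc) != crc16(env.datab, PKT_LEN - sizeof env.pkt.crc)) return -1;
    if (env.pkt.size != sizeof(TBeaconTracker) || env.pkt.proto != RFBPROTO_BEACONTRACKER) return -2;
    uint32_t seq = from_be32(env.pkt.seq);
    if (seq <= *last_seq) return -3;
    *last_seq = seq;
    out->oid = from_be32(env.pkt.oid); out->seq = seq; out->strength = env.pkt.strength;
    return 0;
}

int main(void) {
    uint8_t frame[PKT_LEN]; uint32_t last_seq = 0; BeaconReport r;
    tag_build_frame(frame, 1234, 1000, 2);                                  /* constructed sample tag */
    printf("fresh frame: %d\n", reader_process(frame, &last_seq, &r));     /* 0 */
    printf("replayed frame: %d\n", reader_process(frame, &last_seq, &r));  /* -3 */
    frame[5] ^= 0x01;                                                       /* one flipped bit on the air */
    printf("tampered frame: %d\n", reader_process(frame, &last_seq, &r));  /* nonzero */
    return 0;
}
```

The CRC sits inside the encrypted block, so a frame produced with a different key decrypts to garbage and fails the CRC check rather than being accepted as a tag sighting; the sequence check is what the loop's persisted code_block supports on the tag side, since a tag that restarts with a lower seq than the reader last saw would otherwise be indistinguishable from a replay.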