Decoding the LoRa PHY

matt-knight edited this page Jul 24, 2017 · 1 revision

Project Origin

The LoRa protocol was first brought to my attention in December 2015, when my team held a research meeting to discuss Low Power Wide Area Network (LPWAN) technologies. Given that we are motivated by the explosion of wireless technologies driven by the growth of mobile and IoT, LPWANs were a natural fit for our research objectives. In the weeks that followed I looked for LoRa signals in several major cities (New York, Boston, San Francisco, and Atlanta), but found none.

Some time thereafter I attended a security meetup in Cambridge, MA, where one of the presenters was from a technology firm called Senet. Senet's product is a commercial nationwide LPWAN service built on top of LoRaWAN, and conveniently they were headquartered in Portsmouth, NH. The next weekend I took a short field trip with my USRP and had my first captures of LoRa in the wild.

With these captures in hand, Balint Seeber and I were able to prototype some initial channelizing and de-chirping. However, in order to comprehensively analyze the encoding performed by the protocol, controlling the payload was essential. To achieve this I obtained two LoRaWAN radios from a hackathon. One of them, a Microchip development board containing a LoRa module, had an API to disable the Layer 2 LoRaWAN state machine, enabling control of raw physical layer frames. I used this as the source material for the rest of the project.

Blind Signal Analysis

An initial prototype was made using a combination of GNU Radio and Python/Numpy.
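The de-chirping step mentioned above, as an added pure-Python example (not the project's own code and not the GNU Radio/numpy prototype it describes). It assumes a spreading factor of 7 sampled at one sample per chip, which are example parameters chosen here, and uses the standard chirp-spread-spectrum model in which each symbol is the base up-chirp cyclically shifted by the symbol value; multiplying a received symbol by the conjugate base chirp turns it into a pure tone whose DFT bin is the symbol. The DFT is written out directly so the block runs without numpy, and the peak-to-mean ratio it returns is a simple check that the chirp parameters actually match the capture:

```python
import cmath
import math
import random

# Example parameters (assumed, not taken from the project): spreading factor 7,
# one sample per chip, so one symbol spans N = 2**SF samples.
SF = 7
N = 1 << SF


def base_upchirp(n=N):
    """Reference up-chirp whose instantaneous frequency sweeps linearly
    from -1/2 to +1/2 cycles per sample over one symbol."""
    return [cmath.exp(1j * math.pi * (k * k / n - k)) for k in range(n)]


def modulate(symbols, n=N):
    """Chirp spread spectrum: symbol value s (0..n-1) is the base chirp
    cyclically shifted by s chips."""
    chirp = base_upchirp(n)
    out = []
    for s in symbols:
        if not 0 <= s < n:
            raise ValueError("symbol %r out of range for SF with %d chips" % (s, n))
        out.extend(chirp[(k + s) % n] for k in range(n))
    return out


def dft(x):
    """Plain O(n^2) DFT so the example has no numpy dependency."""
    n = len(x)
    return [sum(x[k] * cmath.exp(-2j * math.pi * k * m / n) for k in range(n))
            for m in range(n)]


def dechirp_symbol(samples, n=N):
    """Multiply one symbol-aligned window by the conjugate base chirp; a chirp
    shifted by s chips becomes a tone that lands in DFT bin s.
    Returns (decoded symbol, peak-to-mean ratio of the spectrum)."""
    chirp = base_upchirp(n)
    tone = [samples[k] * chirp[k].conjugate() for k in range(n)]
    spectrum = [abs(v) for v in dft(tone)]
    peak_bin = max(range(n), key=spectrum.__getitem__)
    # Ratio near 1 means no chirp at this SF/alignment; a large ratio means
    # the energy collapsed into one bin, i.e. the chirp parameters match.
    ratio = spectrum[peak_bin] / (sum(spectrum) / n)
    return peak_bin, ratio


def demodulate(samples, n=N):
    """Slice a symbol-aligned capture into n-sample windows and decode each."""
    return [dechirp_symbol(samples[i:i + n], n)[0]
            for i in range(0, len(samples) - n + 1, n)]


def add_noise(samples, sigma, seed=1):
    """Constructed complex Gaussian noise with a fixed seed so runs are repeatable."""
    rng = random.Random(seed)
    return [v + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for v in samples]


if __name__ == "__main__":
    frame = modulate([0, 1, 42, 127])
    print("clean:", demodulate(frame))
    # Per-sample SNR of about -3 dB; the 2**SF processing gain still decodes it.
    print("noisy:", demodulate(add_noise(frame, sigma=1.0)))
    print("ratio with matching chirp:", dechirp_symbol(frame[:N])[1])
    print("ratio with wrong SF:", dechirp_symbol(frame[:64], 64)[1])
```

Running it decodes the four constructed symbols both clean and under noise whose per-sample power exceeds the signal's, and the two ratios show why the blind analysis depends on guessing the spreading factor and bandwidth correctly: with the wrong base chirp the spectrum stays smeared and no symbol stands out.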

A detailed walkthrough of my analysis process can be found in PoC||GTFO 0x13:

Additionally, my 33c3 presentation is a good source of information: