We programmed a passive packet sniffing application for LongeRange (LoRa) signals based on RIOT-OS. As hardware we used a LoRa board by STMicroelectronics (B-L072Z-LRWAN1).
LoRa and LoRaWAN
LoRa is a modulation technique used for wireless low power networks. LoRa uses fairly robust chirp signals and covers the physical layer. On top LoRaWAN covers the networking layers. LoRa reaches distances from 1 to 10 km depending on various factors (obstacles, height of antenna, antenna, parameters of transmission) and reaches data rates from 0.3 kbit/s to 50 kbit/s.
The actual payload of an LoRaWAN packet is encrypted. We can however read out various meta data information:
Time (long/int): timestamp counting since the start of the recording
ChannelFreq (long/int): frequency the packet was received on, for EUW this could be 867.1, 867.3, 867.5, 867.7, 867.9, 868.1, 868.3, 868.5
RSSI (int: -122-0): received signal strength indication in dBm
SNR (int: -20-10): signal to noise ratio
MType (int: 2, 4, 0): 0 - join request, 2 - unconfirmed data up packet, 4 - confirmed data up packet
DevAddr (string of 8 chars): device adress as hex string
ADR (int 0, 1): adaptive data rate 'off' or 'on'
ADRACKReq (int 0, 1): 1 requires acknowledgement ensuring ADR is still working
ACK (int 0, 1): acknowledgement needed or not
FCnt (int): frame count of the packet
FOptslen (int): size of fopts
FOpts (string): frameopts as hex string
FPort (int 0-255): 0 payload contains MAC commands, 1-223 payload is application specific, 224-255 is reserved for future use
Visualization
The Python Script creates a PDF report with several charts that display the information when executed in the command line. The script also provides features to choose a period of time to be evaluated in the report and to view more information about specific devices.
Hardware
We use a B-L072Z-LRWAN1 board from STMicroelectronics because it is supported by RIOT-OS and already has an LoRa Antenna. Other devices should also work if the appropriate configurations are made.We need to make a few modfications.We want to store the packages we receive onto a MicroSD card. This allows us to leave the device running for some time and we could easily switch the SD card to read out the data without moving the device. We use a MicroSD breakout board which might need some soldering (depending on your breakout board). Then we connect jumper wires according to the documentation of the B-L072Z-LRWAN1 board. As a second modification we want to power our board with batteries and still be able to flash it. Therefore we need to desolder the bridge at SB37<->NRST and solder a jumper wire onto SB37 which we could connect to CN12(5). If disconnected the board is powered by batteries, if connected we're able to flash it via the CN7 USB STLINK from where it is then powered aswell.
1 / 2
Demovideo
On the left side is our second B-L072Z-LRWAN1 device which is needed for testing purposes only. We flash a LoRaWAN testing package onto the board. 'pkg_semtec-loramac' is part of the RIOT repository. We set various LoRa parameters e.g. 'datarate' (dr) and 'adaptive datarate' (adr) and join a local The Things Network (TTN) gateway. On the right side we flash our package sniffing application onto the modified primary B-L072Z-LRWAN1 device. After flashing we press the button of the device which sets it into "listening-mode". After that we send test messages from the testing device. This is detected by our package sniffer and the received data is written onto the MicroSD card. Every time the device is set into listening-mode a new file is created on the MicroSD card. When the button is pressed and our device is in listening-mode LD1 (LED) lights up green.
Demonstration of the LoRa Packet Sniffer (right) with a second testing device (left)
The first table defines the wiring of the MicroSD Breakout Board with jumper cables and the board. The second table describes the wiring for optional battery operation.
Comments