riverloopsec / killerbee

IEEE 802.15.4/ZigBee Security Research Toolkit
http://www.riverloopsecurity.com

Rejoin request #248

Open BoxFighter opened 2 years ago

BoxFighter commented 2 years ago

Does anyone know how to construct a rejoin request packet?

jbasement commented 1 year ago

You can check the official ZigBee specification. Using this info you can manually construct a packet. But I think practically the easiest solution would be to capture a rejoin request packet by triggering a rejoin request from a device. Then you can continue to modify this packet.

Crypt0s commented 1 year ago

Frame Control | Dest Addr | Src Addr | Radius | Seq # | Dst IEEE Addr | Src IEEE Addr | Multicast Control | Source route Subframe | NWK Payload

where the NWK Payload is built out of:

Command Frame Identifier (1 octet) | Capability Information (1 octet)

Reference was "Zigbee Wireless Networks and Transceivers" by Shahin Farahani, which is a very approachable explanation of 802.15.4/Zigbee. Pages 104 and 106 in particular describe the Network (NWK) payloads for Zigbee over top of 802.15.4.
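A decoder for the NWK layout listed above, added here as an example; it is not code from this thread or from KillerBee. The frame-control bit positions, the Rejoin Request command identifier (0x06) and the meaning of the capability bits are taken from the ZigBee specification rather than from the comment, and the sample frame is constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Command identifier of the NWK Rejoin Request (value from the ZigBee spec, not from the thread)
NWK_CMD_REJOIN_REQUEST = 0x06

@dataclass
class NwkFrame:
    frame_type: int            # 0 = data, 1 = NWK command
    version: int
    secured: bool              # security bit set: payload starts with an aux header, not a command id
    dst: int
    src: int
    radius: int
    seq: int
    dst_ieee: Optional[int]
    src_ieee: Optional[int]
    multicast_control: Optional[int]
    relay_list: List[int]
    payload: bytes

def parse_nwk(buf: bytes) -> NwkFrame:
    """Walk the NWK header in the field order given in the comment; every field is little-endian."""
    fc, dst, src, radius, seq = struct.unpack_from("<HHHBB", buf, 0)
    off = 8
    dst_ieee = src_ieee = mcast = None
    relays: List[int] = []
    if fc & 0x0800:                              # bit 11: destination IEEE address present
        (dst_ieee,) = struct.unpack_from("<Q", buf, off); off += 8
    if fc & 0x1000:                              # bit 12: source IEEE address present
        (src_ieee,) = struct.unpack_from("<Q", buf, off); off += 8
    if fc & 0x0100:                              # bit 8: multicast flag -> multicast control octet
        mcast = buf[off]; off += 1
    if fc & 0x0400:                              # bit 10: source route subframe (count, index, list)
        count = buf[off]; off += 2
        relays = list(struct.unpack_from("<%dH" % count, buf, off)); off += 2 * count
    return NwkFrame(fc & 0x3, (fc >> 2) & 0xF, bool(fc & 0x0200), dst, src, radius, seq,
                    dst_ieee, src_ieee, mcast, relays, buf[off:])

def decode_rejoin_request(frame: NwkFrame) -> Optional[dict]:
    """Return the capability bits of an unsecured Rejoin Request, or None for any other frame."""
    if frame.frame_type != 1 or frame.secured or len(frame.payload) < 2:
        return None
    cmd_id, cap = frame.payload[0], frame.payload[1]   # Command Frame Identifier | Capability Info
    if cmd_id != NWK_CMD_REJOIN_REQUEST:
        return None
    return {"device_type": "FFD" if cap & 0x02 else "RFD", "mains_powered": bool(cap & 0x04),
            "rx_on_when_idle": bool(cap & 0x08), "security_capable": bool(cap & 0x40),
            "allocate_address": bool(cap & 0x80)}

# Constructed sample: NWK command frame, protocol version 2, source IEEE address present,
# short address 0x1234 -> coordinator, payload = Rejoin Request (0x06) + capability 0x80.
SAMPLE_REJOIN = bytes.fromhex("0910" "0000" "3412" "1e" "2a" "bbaa0201004b1200" "0680")

if __name__ == "__main__":
    print(decode_rejoin_request(parse_nwk(SAMPLE_REJOIN)))
```

A rejoin request sent with the NWK security bit set carries an auxiliary security header after the NWK header, so its command identifier is only readable once the payload has been decrypted; the decoder reports None for those rather than misreading the aux header as a command.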

Crypt0s commented 1 year ago

I realize we're commenting on a necrotic support request, but adding support for this would be interesting.