
In the last months I've been working on my PhD thesis, which involves breaking LoRaWAN in a few ways (I'm studying cybersecurity), and I'm 1 mm from my goal, but I'm quite stuck on a stupid thing. I'm using a Libelium board with a Microchip RN2483A LoRa chip mounted on it and I'm playing around with it. I've managed to send arbitrary pre-made join requests to a real gateway/network server and now I'm finally sniffing downlink packets all around me (I spent two days figuring out that downlink messages are sent using inverse polarization; I was going mad because of it). The next step I need is to recreate, using my board, a downlink packet, specifically a join-accept one.

Using my custom code on a board I'm able to send a custom join request and sniff the corresponding join-accept, but when I send out a packet using the same transmission parameters my board seems to ignore it. What can it be?

Join request (sent by me) parameters: frequency 868.1, radio power 15, spreading factor 12, coding rate 4/5, bandwidth 125 kHz, CRC mode ON

Join-accept receiving configuration (working): the same but using frequency 869.525 and inverted polarization

So I assumed I just needed to send the fake join-accept packet using the same configuration I used to receive the real one from the real gateway, but it didn't work. What am I missing?

N.B. I have access to a real and already accepted join-accept, and I can reset my board, so I'm sure it's not a problem with the integrity or memory of the board.

EDIT: I've discovered my board can't send frames using inverted polarity, so this is the problem for now. I'm looking for a different board with this capability, so I'll update the answer as soon as I get the new device.

Rastafan
  • Have you checked the OTAA channels that are in use in your region? The gateway will probably ignore join requests on the wrong channel. Also, an RN2483 can only listen to one frequency at a time; a concentrator board with 7 channels seems more useful for what you want to do. – Tarick Welling Apr 16 '21 at 11:32
  • @TarickWelling thanks for the answer. I'm sure the channels are OK because I can see the network server is answering me (I have access to it), and I can fix the frequency used by the device. I know about the problem with listening on only one frequency and I'm looking for a board like the one you mentioned. For now I've discovered that the board can't send frames with inverted IQ, so this is the problem for now. When I get the new board I'll update my answer with the new info. – Rastafan Apr 19 '21 at 22:19

1 Answer


You cannot use a previously captured join-accept message as a response to a new join request. It won't be accepted by the end device. Every join request includes a different DevNonce that makes every join request (and join-accept) unique. The only way to break LoRaWAN's security is to read out the AppKey from the LoRaWAN end device. If you know the AppKey and can capture the join request, you can create a valid join-accept. If you cannot read out the AppKey from the device (because it is not stored in its flash memory but rather in a secure element), you have no way to create a valid join-accept.

Norbert Herbert
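To make the answer's point concrete, here is an added example (not code from the question, the answer, or any LoRaWAN stack): a minimal LoRaWAN 1.0.x join-accept encode/decode with AES-CMAC built on Go's standard library, plus the NwkSKey/AppSKey derivation. It assumes a constructed AppKey, constructed AppNonce/NetID/DevAddr values, a constructed pair of DevNonces and no CFList; field bytes are kept in the order they appear in the frame. The replayJoinAccept function models what the question describes, a join-accept captured for an earlier join played back after a fresh join request: in 1.0.x the DevNonce enters the session-key derivation rather than the join-accept MIC, so the device ends up with NwkSKey/AppSKey that do not match the ones the network server holds, and the session is unusable from the first uplink. This is why only a party holding AppKey can produce an accept that works for a given join request, and why keeping AppKey in a secure element matters.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
)

func hexStr(b []byte) string  { return hex.EncodeToString(b) }
func mustHex(s string) []byte { b, _ := hex.DecodeString(s); return b }

// xorInto writes a XOR b into dst; dst may alias a or b.
func xorInto(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// shiftLeftOne is the RFC 4493 subkey step: shift 128 bits left by one, XOR 0x87 into the last byte if the MSB fell off.
func shiftLeftOne(in []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i], carry = in[i]<<1|carry, in[i]>>7
	}
	if in[0]&0x80 != 0 {
		out[15] ^= 0x87
	}
	return out
}

// aesCMAC is AES-CMAC (RFC 4493) on top of the stdlib block cipher; LoRaWAN computes every MIC with it.
func aesCMAC(key, msg []byte) []byte {
	block, _ := aes.NewCipher(key) // key must be 16 bytes for AES-128
	k1 := make([]byte, 16)
	block.Encrypt(k1, k1)                                      // L = AES_K(0^128)
	k1, k2 := shiftLeftOne(k1), shiftLeftOne(shiftLeftOne(k1)) // K1 = L<<1, K2 = K1<<1
	x := make([]byte, 16)
	for len(msg) > 16 { // CBC-MAC over every block except the last
		xorInto(x, x, msg[:16])
		block.Encrypt(x, x)
		msg = msg[16:]
	}
	last := make([]byte, 16)
	if len(msg) == 16 {
		xorInto(last, msg, k1) // complete final block: XOR K1
	} else {
		copy(last, msg)
		last[len(msg)] = 0x80 // partial (or empty) final block: 10* padding, then XOR K2
		xorInto(last, last, k2)
	}
	xorInto(x, x, last)
	block.Encrypt(x, x)
	return x
}

const mhdrJoinAccept = 0x20 // MType 001 = Join-accept, LoRaWAN R1

// JoinAccept is the LoRaWAN 1.0.x join-accept payload in over-the-air order:
// AppNonce(3) | NetID(3) | DevAddr(4) | DLSettings(1) | RxDelay(1); the optional CFList is omitted here.
type JoinAccept [12]byte

func (ja JoinAccept) appNonce() []byte { return ja[0:3] }
func (ja JoinAccept) netID() []byte    { return ja[3:6] }

// serverEncodeJoinAccept is the network-server side: MIC over MHDR|payload under AppKey, then AES *decrypt* in
// ECB over payload|MIC, so the end device only needs the AES encrypt direction (that is how the spec defines it).
func serverEncodeJoinAccept(appKey []byte, ja JoinAccept) []byte {
	mic := aesCMAC(appKey, append([]byte{mhdrJoinAccept}, ja[:]...))[:4]
	body := append(append([]byte{}, ja[:]...), mic...)
	block, _ := aes.NewCipher(appKey)
	block.Decrypt(body, body)
	return append([]byte{mhdrJoinAccept}, body...)
}

// deviceDecodeJoinAccept is the end-device side: undo the encryption, then reject the frame unless the MIC matches.
func deviceDecodeJoinAccept(appKey, frame []byte) (ja JoinAccept, micOK bool) {
	if len(frame) != 17 || frame[0] != mhdrJoinAccept {
		return ja, false
	}
	block, _ := aes.NewCipher(appKey)
	dec := make([]byte, 16)
	block.Encrypt(dec, frame[1:])
	copy(ja[:], dec[:12])
	return ja, bytes.Equal(dec[12:], aesCMAC(appKey, append([]byte{mhdrJoinAccept}, ja[:]...))[:4])
}

// deriveSessionKeys: NwkSKey = AES(AppKey, 0x01|AppNonce|NetID|DevNonce|pad16), AppSKey the same with 0x02.
// DevNonce comes from the join request, which is what ties a join-accept to one specific join attempt.
func deriveSessionKeys(appKey, appNonce, netID, devNonce []byte) (nwkSKey, appSKey []byte) {
	block, _ := aes.NewCipher(appKey)
	keys := make([][]byte, 2)
	for i := range keys {
		in := append(append(append([]byte{byte(i + 1)}, appNonce...), netID...), devNonce...)
		keys[i] = make([]byte, 16)
		block.Encrypt(keys[i], append(in, make([]byte, 16-len(in))...)) // zero-pad to one AES block
	}
	return keys[0], keys[1]
}

// replayJoinAccept models the question: a join-accept captured for one join (devNonceOld) is played back after a
// fresh join request (devNonceNew). It reports whether the device's MIC check passes and whether the session
// keys the device derives equal the ones the server still holds from the original join.
func replayJoinAccept(appKey, captured, devNonceOld, devNonceNew []byte) (micOK, keysMatch bool) {
	ja, ok := deviceDecodeJoinAccept(appKey, captured)
	serverNwk, _ := deriveSessionKeys(appKey, ja.appNonce(), ja.netID(), devNonceOld)
	deviceNwk, _ := deriveSessionKeys(appKey, ja.appNonce(), ja.netID(), devNonceNew)
	return ok, ok && bytes.Equal(serverNwk, deviceNwk)
}
```

Calling `replayJoinAccept(appKey, frame, mustHex("1234"), mustHex("5678"))` on a frame built with `serverEncodeJoinAccept` returns `true, false`: the 1.0.x MIC does not cover DevNonce, so the replayed frame decodes cleanly, but the device's derived keys differ from the server's and nothing it sends afterwards will verify. The aesCMAC function is checked against the RFC 4493 test vectors, which is the first thing to do whenever a MIC "just doesn't verify" during this kind of analysis.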