Z-Force: Z-Wave packet interception and injection tool
- Authors: Behrang Fouladi, Sahand Ghanoun
- Source Code: to be released in mid September 2013
- Hardware Requirements: CC1110 RF Transceiver, USB to UART Bridge
- Release date: 14/08/2013
Z-Force is a radio modem that can intercept and inject raw Z-Wave frames, including encrypted packets, to arbitrary destinations and Z-Wave Home IDs. It was developed during our research project on Z-Wave home automation systems, which was presented at the BlackHat 2013 USA conference. The Z-Force toolkit consists of the following hardware and software components:
- Two CC1110 RF transceivers used as receiver and transmitter interfaces
- CC1110 chip firmware that implements the Z-Wave physical and transport layers
- Two USB to UART bridges to facilitate communication with the RF boards over virtual COM ports
- A GUI program written in C# that displays the intercepted Z-Wave frames and their payloads, and lets the user replay a captured packet or send raw packets with arbitrary fields and payloads.
Setting up the Z-Force hardware is straightforward: upload the RX and TX firmware to the receiver and transmitter CC1110 boards using the Texas Instruments SmartRF flash programmer, and connect them to your PC or laptop via the USB to UART bridges. The following picture shows the USB-UART bridge connections to the CC1110 I/O pins:
[Figure: USB-UART bridge connections to CC1110 I/O pins]
After configuring the virtual COM port numbers associated with the receiver and transmitter boards in the GUI program, the kit is ready to intercept and send Z-Wave packets.