Zigbee Sniffing on OpenBSD: Diving Deeper with the TI CC2531
A follow-up on Zigbee and BTLE sniffing, featuring the TI CC2531, upstream Kismet patches, and whsniff on OpenBSD.

In my previous post, I explored using the nRF52840 nice!Nano for dual-duty BTLE and Zigbee sniffing. While the BTLE side worked like a charm, the Zigbee side remained stubbornly silent in Kismet and Wireshark.
To rule out firmware or hardware limitations, I decided to go with a classic: the Texas Instruments CC2531 USB Dongle.
The Hardware: TI CC2531
I picked up a CC2531 dongle on eBay, pre-flashed with the sniffer firmware and equipped with a “proper” external antenna. Unlike the nice!Nano, the CC2531 is a dedicated 802.15.4 radio, making it a more reliable baseline for debugging Zigbee traffic.

Texas Instruments CC2531 with antenna
Fixing Kismet: Mutexes and Libusb
Kismet’s ti_cc_2531 capture source needed some serious attention to run on OpenBSD. The OS was throwing ABORT signals due to improper mutex usage—specifically double-unlocks and attempts to unlock mutexes that were never locked.
I also had to address a few libusb-related issues surfacing on OpenBSD. For instance, libusb_detach_kernel_driver() isn't supported on OpenBSD, so the code needed to gracefully skip that step rather than failing. Additionally, I added libusb_ref_device calls to ensure the device reference count stays accurate while in use.
The patches were merged upstream today! For anyone interested in the details, here's the PR.
With that, Kismet finds the device and can detect Zigbee devices.

Kismet detecting Zigbee devices on OpenBSD
Bridging to Wireshark: whsniff
Kismet is great for discovery, but for deep packet inspection, Wireshark is the gold standard. To get the data from the CC2531 into Wireshark, I looked at whsniff.
Originally, whsniff is geared towards Linux. However, with a tiny patch (see my Pull Request #25), it now compiles and runs on OpenBSD. This allows you to pipe the output directly into Wireshark:
```sh
# Example of piping whsniff into Wireshark on OpenBSD
doas whsniff -c 11 | wireshark -k -i -
```

This setup successfully allows me to analyze 802.15.4 network traffic in real time.

Wireshark sniffing IEEE 802.15.4
Getting the traffic into Wireshark is only half the battle. Here are two things that will save you a lot of headache:
- Decryption: Zigbee traffic is usually encrypted. You can add the default ZigBeeAlliance09 trust center link key in hex format under Edit -> Preferences -> Protocols -> ZigBee -> Pre-configured Keys.
  - Key (Hex): 5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39
  - If that doesn't work, you'll need to grab the specific network key from your home automation controller (like Zigbee2MQTT).
  - Key (Hex):
- Handling Noise: The 2.4 GHz band is noisy. You will likely see many packets with a malformed FCS (Frame Check Sequence). To force Wireshark to decode these anyway, uncheck: Edit -> Preferences -> Protocols -> IEEE 802.15.4 -> "Dissect only good FCS".
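To make the FCS point concrete, here is an added example (not from the original post, and not code from Kismet, whsniff or Wireshark) that recomputes the IEEE 802.15.4 FCS (ITU-T CRC-16, polynomial 0x1021) over constructed frames and mimics the "Dissect only good FCS" toggle, so you can see why a single flipped bit from 2.4 GHz interference makes Wireshark drop a frame. The sample frames and the flipped bit are constructed, not captured traffic.

```python
import struct

# IEEE 802.15.4 MAC frame types live in bits 0-2 of the Frame Control Field.
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}

def crc16_kermit(data: bytes) -> int:
    """ITU-T CRC-16 as used for the 802.15.4 FCS: poly 0x1021 (0x8408 when
    bit-reflected), initial value 0, no final XOR, processed LSB first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def append_fcs(mpdu_without_fcs: bytes) -> bytes:
    """Append the 2-byte FCS (little-endian) the way a transmitting radio does."""
    return mpdu_without_fcs + struct.pack("<H", crc16_kermit(mpdu_without_fcs))

def check_fcs(frame: bytes) -> bool:
    """True if the trailing FCS matches the CRC of everything before it."""
    if len(frame) < 3:
        return False
    (fcs,) = struct.unpack("<H", frame[-2:])
    return crc16_kermit(frame[:-2]) == fcs

def mac_frame_type(frame: bytes) -> str:
    if len(frame) < 2:
        return "truncated"
    fcf = struct.unpack("<H", frame[:2])[0]
    return FRAME_TYPES.get(fcf & 0x7, "reserved")

def triage(frames, dissect_only_good_fcs=True):
    """Mimic Wireshark's 'Dissect only good FCS' preference: return
    (frame_type, fcs_ok) per frame, dropping bad-FCS frames when it is on."""
    out = []
    for frame in frames:
        ok = check_fcs(frame)
        if ok or not dissect_only_good_fcs:
            out.append((mac_frame_type(frame), ok))
    return out

# Constructed sample frames. FCF 0x8841 is the usual Zigbee data frame:
# frame type data, PAN ID compression, 16-bit destination and source addresses.
DATA_FRAME = append_fcs(bytes.fromhex("4188") + bytes([0x2A])
                        + bytes.fromhex("341200000100") + b"payload")
ACK_FRAME = append_fcs(bytes.fromhex("0200") + bytes([0x2A]))
# Flip one payload bit to simulate the interference the post describes.
NOISY_FRAME = DATA_FRAME[:10] + bytes([DATA_FRAME[10] ^ 0x01]) + DATA_FRAME[11:]
```

Running `triage([DATA_FRAME, NOISY_FRAME, ACK_FRAME])` keeps only the two intact frames; passing `dissect_only_good_fcs=False` returns all three, with the noisy one flagged `False`, which is exactly the trade-off the Wireshark checkbox controls.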
The nice!Nano Mystery
As for the nice!Nano/nRF52840, I still haven't had success getting it to sniff 802.15.4 frames reliably on OpenBSD. It's possible the signal strength is an issue or the firmware isn't playing nice with my specific environment.
To investigate further, I’ve purchased a Sonoff Dongle M. My plan is to start my own home automation lab, which will allow me to place a Zigbee device in extremely close proximity to the nice!Nano to see if it’s a sensitivity issue.
Conclusion
The CC2531 remains a solid, inexpensive tool for the OpenBSD toolbox, especially now that the Kismet capture source is stabilized. While it’s an older chip, the external antenna and dedicated firmware make it a great “known good” device to have on your desk.
I also sent a Kismet port update, as well as a new port for whsniff, to ports@ today for review, and I hope they can be integrated into the ports tree soon.
Stay tuned for the next update once the Sonoff hardware arrives!