Tuesday, January 12, 2010

KillerBee on a budget

At ToorCon 11, Joshua Wright handed out a pre-release version of his KillerBee framework, a set of tools for analysis of 802.15.4 and ZigBee wireless networks.

KillerBee requires a particular hardware device, Atmel's AVR RZUSBSTICK, an inexpensive USB dongle with a programmable microcontroller. Many of the KillerBee functions require custom firmware (written by Joshua) to be flashed onto the stick. While most Atmel products feature In-System Programming (ISP) which can be done with a low-cost programming device, the RZUSBSTICK unfortunately only provides a JTAG header for programming, and the JTAG debugger/programmer costs about $300.

The good news is that ISP can be used to program the RZUSBSTICK. The bad news is that it requires some tricky soldering to get it working. With a little guidance from those who have gone before me and SparkFun's excellent surface mount soldering tutorials under my belt, I was able to attach a 10-pin ISP header to my RZUSBSTICK and successfully flash it with the KillerBee firmware.

There are two kinds of AVR ISP headers, a 6-pin and a 10-pin version. I chose the 10-pin variety because my programmer has a 10-pin connector, but a simple adapter can allow you to use either. Both varieties use the same 6 signals: GND, VCC, RESET, SCK, MISO, and MOSI. I connected them with colored wire (28 or 30 AWG wirewrap wire) as follows:

signal  color   header pin  source
GND     black   4,6,8,10    JTAG header pin 2
VCC     red     2           JTAG header pin 4
RESET   white   5           JTAG header pin 6
SCK     purple  7           AT90USB1287 pin 11
MISO    brown   9           AT90USB1287 pin 13
MOSI    orange  1           AT86RF230 pin 22

I ran all six wires through the unused holes of the (unpopulated) JTAG header in order to provide some strain relief. Those connections to the individual chip pins are fragile! From there I ran them across the back of the board to a 10-pin header glued to the end of the stick.

My serial programmer works great when connected to an on-board serial port on an old PC, but its bit-banging technique is incredibly slow (about 3 bits per second) and unreliable when connected to a USB/serial adapter. I believe that trying to use it via USB was the cause of death of an ATtiny85 while working on a previous project. Anyway, with a good serial port, AVRDUDE does a fine job programming the RZUSBSTICK over ISP:

avrdude -c ponyser -p usb1287 -P /dev/ttyS0 -U flash:w:kb-rzusbstick1.hex
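The image avrdude writes here is an Intel HEX file, and a slow, flaky bit-bang link is exactly the situation in which you want to know the file itself is intact before spending minutes pushing it over the wire. The following Python script is an added example, not code from the original post or from the KillerBee project: it parses Intel HEX records, verifies each record's checksum, assembles the data into a flat image, and checks that the result fits the AT90USB1287's 128 KiB of flash. The sample records in SAMPLE_HEX are constructed for illustration and are not the KillerBee firmware.

```python
"""Sanity-check an Intel HEX firmware image before flashing it with avrdude.

Added example, not part of the original post or of KillerBee.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class HexRecord:
    length: int   # number of data bytes
    address: int  # 16-bit offset within the current base
    rtype: int    # record type (0x00 data, 0x01 EOF, 0x02/0x04 address extensions)
    data: bytes


def parse_record(line: str) -> HexRecord:
    """Parse one Intel HEX line and verify its length field and checksum."""
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError("record must start with ':'")
    raw = bytes.fromhex(line[1:])
    if len(raw) < 5:
        raise ValueError("record too short")
    length, addr_hi, addr_lo, rtype = raw[0], raw[1], raw[2], raw[3]
    if len(raw) != length + 5:
        raise ValueError("length field does not match record size")
    # The checksum is the two's complement of the sum of the preceding bytes,
    # so the sum of every byte in the record (checksum included) is 0 mod 256.
    if sum(raw) & 0xFF != 0:
        raise ValueError("checksum mismatch")
    return HexRecord(length, (addr_hi << 8) | addr_lo, rtype, raw[4:4 + length])


def is_valid_record(line: str) -> bool:
    """True if the line parses and its checksum is correct."""
    try:
        parse_record(line)
        return True
    except ValueError:
        return False


def load_image(lines: List[str]) -> bytes:
    """Assemble data records into a contiguous image.

    Gaps are filled with 0xFF, which is what erased AVR flash reads as.
    """
    image = bytearray()
    base = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.rtype == 0x00:                      # data record
            start = base + rec.address
            end = start + rec.length
            if end > len(image):
                image.extend(b"\xff" * (end - len(image)))
            image[start:end] = rec.data
        elif rec.rtype == 0x01:                    # end of file
            break
        elif rec.rtype == 0x02:                    # extended segment address
            base = int.from_bytes(rec.data, "big") << 4
        elif rec.rtype == 0x04:                    # extended linear address
            base = int.from_bytes(rec.data, "big") << 16
        else:
            raise ValueError(f"unsupported record type {rec.rtype:#04x}")
    return bytes(image)


def fits_flash(image: bytes, flash_size: int = 128 * 1024) -> bool:
    """The AT90USB1287 has 128 KiB of flash; anything larger cannot be programmed."""
    return len(image) <= flash_size


# Constructed sample: four 'rjmp'-style words at 0x0000, four bytes at 0x0010, EOF.
# This is NOT the KillerBee firmware, just records with valid checksums.
SAMPLE_HEX = [
    ":020000040000FA",                              # extended linear address = 0
    ":100000000C9400000C9400000C9400000C94000070",  # 16 data bytes at 0x0000
    ":040010001122334442",                          # 4 data bytes at 0x0010
    ":00000001FF",                                  # end of file
]


if __name__ == "__main__":
    img = load_image(SAMPLE_HEX)
    print(f"image: {len(img)} bytes, fits flash: {fits_flash(img)}")
```

To check a real file, read it with open(path).read().splitlines() and pass the list to load_image; a ValueError names the first bad record. This only guards against a damaged or truncated file on the host side; avrdude itself reads the flash back and verifies it after writing (unless verification is disabled with -V), which is the check that matters for a marginal ISP link.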

Now to find some target devices. . .