Many modern radio control (RC) systems use frequency hopping to prevent interference. Unfortunately, hopping all over the 2.4GHz band can interfere with video or WiFi using the same frequency band. [Befinitiv] was trying to solve this problem when he realized that most of the systems used a TI CC2500 chip and a microcontroller. The microcontroller commands the chip via SPI and controls the frequency by writing into a frequency register.
Updating the microcontroller firmware was impractical. The firmware is encrypted, for one thing. In addition, the change would have to be reinserted on any future updates and repeated for every RC vendor. So [Befinitiv] took a different approach. He did a classic man-in-the-middle attack by inserting a CPLD between the controller and the CC2500.
A CPLD is, in simple terms, a small FPGA. There are usually some internal architectural differences, but you configure them with Verilog or VHDL just like an FPGA. What [Befinitiv] did was monitor the SPI clock line and intercept the data line. For most operations, the CPLD just passes the data through. However, when it sees a channel register write, it changes the data on the fly. This is, as you’d expect, timing sensitive, which is why he used a programmable logic device instead of a microcontroller.
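To make the pass-through-and-rewrite idea concrete, here is a bit-serial software model of such an SPI tap. It is an added example written for this post, not [Befinitiv]'s CPLD code. The CC2500 SPI framing it decodes (header byte with bit 7 = read, bit 6 = burst, bits 5:0 = register address; the channel number register CHANNR at address 0x0A) comes from the chip's data sheet; the rewrite policy (a mask that confines the channel number to a sub-range) is an assumption chosen because it can be applied one bit at a time, which is the constraint an on-the-fly rewrite lives under.

```python
"""Bit-serial model of an SPI man-in-the-middle that rewrites CC2500 CHANNR writes.

Constructed example.  The tap sees every SCK edge and the MOSI bit on it, exactly
like a CPLD wired between the MCU and the radio, and must decide what to forward
before the next edge arrives.
"""

CHANNR_ADDR = 0x0A     # CC2500 channel number register (data sheet)
HDR_READ = 0x80        # header bit 7: 1 = read access, 0 = write access
HDR_BURST = 0x40       # header bit 6: burst access, address auto-increments
CHANNEL_MASK = 0x3F    # ASSUMED policy: keep hopping within channels 0..63


class SpiTap:
    """Sits on MOSI between the MCU and the CC2500; call clock_edge() once per SCK edge."""

    def __init__(self, mask=CHANNEL_MASK):
        self.mask = mask
        self.cs_release()

    def cs_release(self):
        # Chip-select deasserted: the next edge starts a fresh transaction.
        self.bit_in_byte = 0   # 0..7 within the current byte, MSB first
        self.byte_index = 0    # 0 = header byte, 1.. = data bytes
        self.header = 0
        self.address = 0
        self.burst = False
        self.write = False

    def clock_edge(self, mosi_bit):
        """Return the MOSI bit forwarded to the radio for this clock edge."""
        out = mosi_bit
        if self.byte_index == 0:
            # Header byte: shift it in for decoding but pass it through untouched.
            self.header = (self.header << 1) | mosi_bit
            if self.bit_in_byte == 7:
                self.write = not (self.header & HDR_READ)
                self.burst = bool(self.header & HDR_BURST)
                self.address = self.header & 0x3F
        elif self.write and self._current_target() == CHANNR_ADDR:
            # Data byte headed for CHANNR: force masked-out bits low as they fly by.
            # Each output bit depends only on its own position, so no look-ahead
            # into bits that have not been clocked yet is needed.
            bit_pos = 7 - self.bit_in_byte
            if not (self.mask >> bit_pos) & 1:
                out = 0
        self.bit_in_byte += 1
        if self.bit_in_byte == 8:
            self.bit_in_byte = 0
            self.byte_index += 1
        return out

    def _current_target(self):
        """Register address that the current data byte lands in."""
        offset = self.byte_index - 1
        if offset > 0 and not self.burst:
            return None        # single access: only one data byte is meaningful
        return self.address + offset


def run_transaction(tap, mcu_bytes):
    """Clock one CS-framed transaction through the tap; return the bytes the radio sees."""
    tap.cs_release()
    seen = []
    for byte in mcu_bytes:
        value = 0
        for i in range(7, -1, -1):                     # MSB first, as the CC2500 expects
            value = (value << 1) | tap.clock_edge((byte >> i) & 1)
        seen.append(value)
    tap.cs_release()
    return seen


if __name__ == "__main__":
    tap = SpiTap()
    # Constructed MCU traffic: a CHANNR write, a FREQ2 write, a CHANNR read,
    # a burst write starting at ADDR (0x09) that sweeps over CHANNR, and a strobe.
    for frame in ([0x0A, 0xC7], [0x0D, 0x5D], [0x8A, 0x00],
                  [0x49, 0x11, 0xFF, 0x22], [0x36]):
        print([hex(b) for b in frame], "->", [hex(b) for b in run_transaction(tap, frame)])
```

The model makes the timing point of the post visible: the header is fully known only after eight clocks, and the first data bit leaves on the ninth, so the decision to rewrite has to be ready within one bit period. It also shows why a CPLD rewrite is limited to transformations like masking or forcing bits: a full channel-to-channel lookup would need the whole data byte before the first rewritten bit is emitted, and MSB-first SPI does not give you that.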
Of course, both the transmitter and receiver require modification. The system worked and continues to work regardless of software changes and will even work on other CC2500-based systems.
This is certainly less racy than the last CC2500 hack we covered. But it is a fine piece of work, nevertheless. Even if your current setup doesn’t use the CC2500, you could also mod it (see the video below).
Thanks to [lageos] for the tip.