Zigbee malformed frame CVE-2022-39064

Hey hey,

Has anyone already looked into the Zigbee malformed frame? I think that would be a great thing for the Flipper:
CVE-2022-39064
https://www.synopsys.com/blogs/software-security/cyrc-advisory-ikea-tradfri-smart-lighting/#

Greets

Good idea. But as far as I know, the IKEA implementation of ZigBee only speaks 2.4 GHz. Out of range for the Flipper.

[…]
Zigbee operates in the industrial, scientific and medical (ISM) radio bands: 2.4 GHz in most jurisdictions worldwide; though some devices also use 784 MHz in China, 868 MHz in Europe and 915 MHz in the US and Australia, however even those regions and countries still use 2.4 GHz for most commercial Zigbee devices for home use.
[…]
Source: Zigbee - Wikipedia


It would be possible with a 3rd-party module, e.g. ESP32-based over GPIO … But then the idea needs to be in the forum ‘3rd Party’ or ‘Ideas’.

I’d like to underline my statement:

Follow the IKEA TRÅDFRI modules, where the Tradfri system is well documented. We take a look at the MCU: EFR32MG1P132F256GM32

On the site the document ‘Datasheet’ is linked: https://www.silabs.com/documents/public/data-sheets/efr32mg1-datasheet.pdf

Page 5 says:
[…]
Feature Set Code – r2r1r0

r2: Reserved
r1: RF Type – 3 (TRX), 2 (RX), 1 (TX)
r0: Frequency Band – 1 (Sub-GHz), 2 (2.4 GHz), 3 (Dual-Band)
[…]

From the bold area of the MCU type, we can translate with the datasheet:
1 - reserved
3 - TRX … transmit/receive capable
2 - 2.4 GHz … no SubGHz support.

It is not only a Stack limitation, it is limited by the MCU.

But should sub-GHz be possible for Europe and the USA, or am I misunderstanding, and would TX be enough to send a malformed frame?

If the 2 were a 0, SubGHz would be possible. If it were a 3, dual-band (2.4 GHz and SubGHz) would be possible.
But there is a 2, which is (see the datasheet) 2.4 GHz only… No regional limits in the used MCU, as far as I can read.

And TX means ‘Transmit’ (aka sending). How do you SEND a malformed frame to a device that only transmits? Even if this has nothing to do with the first question.