Over the last few months I've been working on my PhD thesis, which involves breaking LoRaWAN in a few ways (I'm studying cybersecurity). I'm 1 mm away from my goal, but I'm stuck on a stupid thing.
I'm using a Libelium board with a Microchip RN2483A LoRa chip mounted on it, and I'm playing around with it. I've managed to send arbitrary premade join requests to a real gateway/network server, and now I'm finally sniffing downlink packets all around me (I spent two days figuring out that downlink messages are sent using inverted polarization; it was driving me mad).
The next step is to recreate a downlink packet, specifically a join-accept, using my board.
Using my custom code on a board, I'm able to send a custom join request and sniff the corresponding join-accept, but when I send out a packet using the same transmission parameters, my board seems to ignore it. What could it be?
Join request (sent by me) parameters: frequency 868.1 MHz, radio power 15, spreading factor 12, coding rate 4/5, bandwidth 125 kHz, CRC mode ON.
Join accept receiving configuration (working): the same, but using frequency 869.525 MHz and inverted polarization.
So I assumed I just needed to send the fake join accept packet using the same configuration I used to receive the real one from the real gateway, but it didn't work. What am I missing?
N.B. I have access to a real, already accepted join-accept, and I can reset my board, so I'm sure it's not a problem with the integrity or memory of the board.
I've discovered my board can't send frames using inverted polarity, so this is the problem for now. I'm looking for a different board with this capability, and I'll update the answer as soon as I get the new device.
You cannot use a previously captured Join Accept message as a response to a new Join Request. It won't be accepted by the end device. Every Join Request includes a different DevNonce that makes every Join Request (and Join Accept) unique. The only way to break the LoRaWAN security is to read out the AppKey from the LoRaWAN end device. If you know the AppKey and can capture the Join Request, you can create a valid Join Accept. If you cannot read out the AppKey from the device (because it is not stored in its flash memory but rather in a secure element) you have no way to create a valid Join Accept.
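To make the DevNonce point concrete, here is an added example (not the answerer's code) of the end-device side of the LoRaWAN 1.0.x key schedule: the session keys are an AES-128 encryption under the AppKey of a block that contains the device's own DevNonce, so a device that re-joined with a new DevNonce and is handed an old Join Accept derives keys the network does not share. The AppKey, AppNonce, NetID and DevNonce values are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// JoinParams: AppNonce and NetID come from the Join Accept, DevNonce from the device's own Join Request.
type JoinParams struct {
	AppNonce [3]byte
	NetID    [3]byte
	DevNonce [2]byte
}

// DeriveKey is the 1.0.x schedule aes128_encrypt(AppKey, prefix|AppNonce|NetID|DevNonce|pad16); prefix 0x01 -> NwkSKey, 0x02 -> AppSKey.
func DeriveKey(appKey []byte, prefix byte, p JoinParams) ([]byte, error) {
	block, err := aes.NewCipher(appKey) // AppKey must be exactly 16 bytes
	if err != nil {
		return nil, err
	}
	in := make([]byte, aes.BlockSize) // trailing zero bytes are the pad16
	in[0] = prefix
	copy(in[1:4], p.AppNonce[:])
	copy(in[4:7], p.NetID[:])
	copy(in[7:9], p.DevNonce[:])
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, in) // one raw AES block, exactly what the spec uses here
	return out, nil
}

// SameSession reports whether a device that sent otherDevNonce, but is handed the Join Accept issued for p, derives the network's NwkSKey and AppSKey.
func SameSession(appKey []byte, p JoinParams, otherDevNonce [2]byte) bool {
	q := p
	q.DevNonce = otherDevNonce
	for _, prefix := range []byte{0x01, 0x02} {
		k1, err1 := DeriveKey(appKey, prefix, p)
		k2, err2 := DeriveKey(appKey, prefix, q)
		if err1 != nil || err2 != nil || !bytes.Equal(k1, k2) {
			return false
		}
	}
	return true
}

func main() {
	appKey := bytes.Repeat([]byte{0x2b}, 16) // constructed demo key, not a real AppKey
	p := JoinParams{AppNonce: [3]byte{0xa1, 0xb2, 0xc3}, NetID: [3]byte{0x13, 0, 0}, DevNonce: [2]byte{0x34, 0x12}}
	fmt.Println("old Join Accept still valid after re-join with DevNonce 0x1235:", SameSession(appKey, p, [2]byte{0x35, 0x12})) // prints false
}
```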