Thursday, October 27, 2016

LoRa Security issue

With all the issues occurred a week ago where an estimated 100000 end devices caused the flooding and lot of US services and websites being affected made ma to look more closely to the LoRa protocol. 

According to the specification of the LoRaWAN the MAC Frame Payload Encryption (FRMPayload 4.4.3) the encryption scheme used is based on the generic algorithm described in the IEEE 82.15.4/2006 using AES with a key length of 128 bits.

Looking on the key this can be NwkSKey if FPort is zero or AppSKey if FPort is 0x01 ..0xFF. So it is a fixed key. This key is used to encrypt / decrypt as I've explained in this blog post. 

The problem appears on the first frame when every time will have the same key and probably the same data, so if someone is intercepting this for few times the key K and Ai can be found.


Since the Ai is the same the only way to keep the LoRaWAN secure is to send as first data a RANDOM payload and maybe also an random value of FCntUp. 

In this way will be harder to find the K and decode the payload. 

I hope that the next version of LoRaWAN protocol will address the security issues we encounter these days.

Sunday, October 23, 2016

LoRa meetings in Eindhoven

Last week I've spend a quality time together with other LoRa fans here in Eindhoven. I've found that they will try to build some gateways where Lorna Goulden (organizer) and Frank Beks ( tech ) where helping other LoRa and TTN enthusiasts to build their first LoRa gateway so I've went in.

Build and connect your gateway

Next meeting will be in November where nodes will be build so data will be transmitted through the new gateways.

Last weekend I was there just to meet the guys ( I already have gateway and nodes) but in November I will do a short presentation about LoRaWAN 1.0.

Soldering the new gateways

New MOTE online

As you know I've received ten modules from and I couldn't wait to test them, so today I've solder the first one.

Because the modules are build to be surface mount and I didn't had a board for that I had to improvise. To connect the pads to my development board I've used old terminals from resistors or LEDs. This step was much easy comparing to niceRF modules since the distance between the center of pads is 2mm instead of 1mm.

DRF1276G from

DRF1276G modules is connected to an ESP8266 NodeMCU module and it runs the LMIC code.

Other great feature of the DRF1276G module is that I can solder a SMA connector for external antenna directly on it.

9 to go now...

I am curious if the one of the other 16 gateways in Eindhoven are receiving my data transmitted by my three nodes because I  receive packets transmitted by others.

Saturday, October 22, 2016

In plan: ESP8266 with GPS and LoRa

Few months ago I bought an GPS receiver from along with an GPS antenna.

The board is "free", just need to pay $10 for delivery :-)
I recommend you to take also the antenna for an extra $9 since without it the board is useless.

The board is :

* 100MHz 32bit LEON3 Sparc-V8 + IEEE-754 Compliant Floating Point Unit
* 1024KB Flash Memory + 212KB RAM
* 1x full duplex asynchronous UART
* 1x SPI shared with GPIO
* 1x 2-wire interface shared GPIO
* Atomic clock synchronized P1PPS time reference with +/-10nsec accuracy
* 167 channel Venus 8 engine
* Uses GPS, SBAS, QZSS signals
* 1 ~ 10 Hz update rate
* Position accuracy 2.5m CEP 
* Velocity accuracy 0.1m/sec
* Warm start TTFF under open sky 29sec average
* Cold start TTFF under open sky 30sec average
* Cold start sensitivity -148dBm
* Tracking sensitivity -165dBm
* Operating range : (altitude < 18km) or (speed < 515m/sec), both not exceeded simultaneously
The plan is to connect the GPS with the ESP8266 and with the new LoRa modules from to have a full LoRaWAN module.
I guess can use this setup also as a single channel gateway for LoRaWAN. It will be very small, cheap, battery operated, ideal for demos, students and as a LoRa STARTER KIT.

LoRa gateway antennas

Finally my LoRa gateway has both antennas. One +2dB for the gateway ( there is a bigger one with +7dB on its way to me. I hope I will receive it next week)  and one for the GPS module that is on the linklabs board.

I've order the antenna from to be delivered in one week instead of one month.

Before I had for the 868Mhz band an 8.2 cm wire (1/4 wave lenght) converted from an 2.4Ghz WiFi antenna. I've used only the base to be able to mount it on the gateway and I've soldered to wire.

Old home made antenna vs the new 2dB 

The full setup needs just a proper waterproof case to be mounted outside.

Both antennas in place

GPS is working, I see the coordinates and altitude but more important now I am ready for class B and for precise downlink messages from my Network Server.

Wednesday, October 19, 2016

New LoRa modules from

Santa Claus came early this year for me with 10 great modules from You can buy them easy on tindie,com , or give them an email.

Modules are based on SX1276 chip have the code DRF1276G with the full specs:

  •  (G)FSK/4(G)FSK/LoRa Modulation
  •  868/915MHz transceiver
  •  20dBm output power
  •  -139dBm sensitivity
  •  Standard SPI interface
  •  127dB dynamic Range RSSI
  •  Automatic RF sense and CAD monitor
  •  Data Rate: <300 kbps
  •  Standby current: <1uA
  • Supply voltage: 1.8~3.6V

Dorji DRF1276G LoRa 868Mhz modules

Comparing them with other modules I have, from niceRF, the space between the pads is 2mm versus 1mm on niceRF so there is more easy to solder them on. Also have pins on both sides so is much easy to design a good PCB. See a picture with the niceRF LoRa module.

niceRF SX1276  v1.1 868Mhz LoRa module

I will connect them to the ESP8266 on the SPI I will let you know about the progress.

You can connect them to this ESP module or this one which is battery operated (keep in mind that are 3.3V modules) and don't forget to read this post.

Another nice thing abut this modules is that you can use them as a single channel gateway for LoRa so you will make an economy of few hundred euros so you can buy more modules and test or deploy your network.

Finally my LoRa gateway will be happy to receive another 10 motes. I am waiting for ideas what to connect as sensors for  nodes. 

Other software I am working on is a new LoRa Network Server that will be deployed as SaaS into the cloud so anyone can have a LoRa Server in a matter of minutes. With this server will be very easy to deploy your private LoRa network.

As a status, the Rx (uplink) part is done and I am working now on the TX ( downlink).  The network server will support for the beginning the latest version (2) and I will add previous version (1) later on.

My LoRa Gateway

Wednesday, October 12, 2016

ESP32 now on preorder

Good new today !!!

Today the ESP32 is on preoder on banggood. Delivery will start by the end of October.

If you are in the first 50 orders $7.69, up to 200 $8.69 and $9.69 after that.

As a reminder the specs from the official espressif site are:

Key Features

  • 240 MHz dual core Tensilica LX6 microcontroller with 600 DMIPS
  • Integrated 520 KB SRAM
  • Integrated 802.11BGN HT40 Wi-Fi transceiver, baseband, stack and LWIP
  • Integrated dual mode Bluetooth (classic and BLE)
  • 16 MByte flash
  • 2.2V to 3.6V operating voltage
  • -40°C to +125°C operating temperature
  • On-board PCB antenna / IPEX connector for external antenna


  • Ultra low noise analog amplifier
  • Hall sensor
  • 10x capacitive touch interface
  • 32 kHz crystal oscillator

32x GPIO

  • 3 x UARTs, including hardware flow control
  • 3 x SPI
  • 2 x I2S
  • 12 x ADC input channels
  • 2 x DAC
  • 2 x I2C
  • PWM/timer input/output availabe on every GPIO pin
  • OpenOCD debug interface with 32 kB TRAX buffer
  • SDIO master/slave 50 MHz
  • Supports external SPI flash up to 16 MB
  • SD-card interface support

Security Related

  • WEP, WPA/WPA2 PSK/Enterprise
  • Hardware accelerated encryption: AES / SHA2 / Elliptical Curve Cryptography / RSA-4096


  • Supports sniffer, station, softAP and Wi-Fi direct modes
  • Max data rate of 150 Mbps@11n HT40, 72 Mbps@11n HT20, 54 Mbps@11g, and 11 Mbps@11b
  • Maximum transmit power of 19.5 dBm@11b, 16.5 dBm@11g, 15.5 dBm@11n
  • Minimum receiver sensitivity of -98 dBm
  • 135 Mbps UDP sustained throughput
  • 2.5 μA deep sleep current