// Sergey Bratus
// DemystiPHYing 802.15.4 Digital Radio; or, How to Weaponize ingerprinting for PacketinPacket Mitigation Bypasses
The PHY layer of digital radio is commonly viewed as a black box that takes logical frames on one side of a radio connection and magically pops them out on the other (or doesn't, if control sums don't match). The internals of the black box are shrouded in mystery and magic. Antennas, modulation, and error correction are somehow involved, but they seem to exist in a different dimension that cannot be manipulated digitally at byte-level like call stacks, binaries, or parser bugs. For those of us who can't design radio circuits, it seems to be at best a minecraft game of GnuRadio blocks.
But in reality this just ain't so. The PHY in fact contains several digital layers and mechanisms, which can be manipulated without software-defined radio. We will demystify these mechanisms for the 802.15.4 PHY and will show them in action for sending arbitrary bytes and frames through the air without a software radio, sending frames that aren't heard by WIDS but heard by targets if they use different radio chips, "borrowing" error-correction logic to bypass defenses, and fingerprinting chipset families. Orson Welles may have beat us to the Packet-in-packet technique, but he has nothing on our one-eighth-of-a-nybble mitigation bypass and make-your-own-packet cut-out paper games!