How to recreate a join accept downlink message in LoRaWAN?


In the last months I've been working on my PhD thesis, which involves breaking LoRaWAN in a few ways (I'm studying cybersecurity) and I'm 1mm near to my goal, but I'm quite stuck on a stupid thing. I'm using a Libelium board with a Microchip RN2483A LoRa chip mounted on it and I'm playing around with it. I've managed to send arbitrary pre-made join requests to a real gateway/network server and now I'm finally sniffing downlink packets all around me (I've spent two days figuring out that downlink messages are sent using inverse polarization, I was going mad because of it). The next step I need is to recreate, using my board, a downlink packet, specifically a join-accept one.

Using my custom code on a board I'm able to send a custom join request and sniff the corresponding join-accept, but when I send out a packet using the same transmission parameters, my board seems to ignore it. What can it be?

Join request (sent by me) parameters: frequency 868.1 MHz, radio power 15, spreading factor 12, coding rate 4/5, bandwidth 125 kHz, CRC mode ON.

Join accept receiving configuration (working): the same but using frequency 869.525 MHz and inverted polarization.

So I assumed I just needed to send the fake join accept packet using the same configuration I used to receive the real one from the real gateway, but it didn't work. What am I missing?

N.B. I have access to real and already accepted join-accept, and I can reset my board so I'm sure it's not a problem with integrity or memory of the board.

EDIT: I've discovered my board can't send frames using inverted polarity, so this is the problem for now. I'm looking for a different board with this capability, so I'll update the answer as soon as I get the new device.


Best answer:

You cannot use a previously captured join accept message as a response to a new join request. It won't be accepted by the end device. Every join request includes a different DevNonce that makes every join request (and join accept) unique. The only way to break the LoRaWAN security is to read out the AppKey from the LoRaWAN end-device. If you know the AppKey and can capture the Join Request, you can create a valid Join Accept. If you cannot read out the AppKey from the device (because it is not stored in its flash memory but rather in a secure element), you have no way to create a valid Join Accept.
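The following is an added example, not code from the question or the answer, showing what "if you know the AppKey you can create a valid Join Accept" means on the wire for LoRaWAN 1.0.x OTAA: the Join Request is parsed and its MIC checked, a Join Accept is built (MIC over the clear fields, then the body AES-decrypted with the AppKey, as the spec does so the device only needs AES-encrypt), the device-side decode is run to check the result, and the session keys are derived from AppNonce, NetID and the request's DevNonce. The AppKey, EUIs, NetID and DevAddr are constructed test values; the code assumes the `cryptography` package is installed. In 1.0.x the Join Accept MIC does not cover the DevNonce; the DevNonce enters through the session-key derivation, so the same accept answered to a request with a different DevNonce yields different NwkSKey/AppSKey on the device.

```python
"""LoRaWAN 1.0.x OTAA join exchange, server side (constructed example).
Requires the `cryptography` package. All multi-byte fields are little-endian
on the wire, as in the specification."""
from cryptography.hazmat.primitives import cmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

MHDR_JOIN_REQUEST = 0x00
MHDR_JOIN_ACCEPT = 0x20

# Constructed test values (not real keys or identifiers).
APP_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
APP_EUI = 0x70B3D57ED0000001
DEV_EUI = 0x0004A30B001A2B3C


def aes_cmac(key: bytes, data: bytes) -> bytes:
    c = cmac.CMAC(algorithms.AES(key))
    c.update(data)
    return c.finalize()


def aes_ecb(key: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # Raw AES-128 in ECB, block by block, no padding: this is what the spec
    # means by aes128_encrypt / aes128_decrypt.
    op = Cipher(algorithms.AES(key), modes.ECB())
    op = op.decryptor() if decrypt else op.encryptor()
    return op.update(data) + op.finalize()


def build_join_request(app_key: bytes, app_eui: int, dev_eui: int, dev_nonce: int) -> bytes:
    """MHDR | AppEUI(8) | DevEUI(8) | DevNonce(2) | MIC(4)."""
    body = (bytes([MHDR_JOIN_REQUEST]) + app_eui.to_bytes(8, "little")
            + dev_eui.to_bytes(8, "little") + dev_nonce.to_bytes(2, "little"))
    return body + aes_cmac(app_key, body)[:4]


def parse_join_request(app_key: bytes, phy: bytes) -> dict:
    """Verify the MIC with the AppKey and pull out the DevNonce the accept must answer."""
    if len(phy) != 23 or phy[0] != MHDR_JOIN_REQUEST:
        raise ValueError("not a Join Request")
    body, mic = phy[:-4], phy[-4:]
    if aes_cmac(app_key, body)[:4] != mic:
        raise ValueError("Join Request MIC check failed")
    return {
        "app_eui": int.from_bytes(phy[1:9], "little"),
        "dev_eui": int.from_bytes(phy[9:17], "little"),
        "dev_nonce": int.from_bytes(phy[17:19], "little"),
    }


def build_join_accept(app_key: bytes, app_nonce: int, net_id: int, dev_addr: int,
                      dl_settings: int = 0, rx_delay: int = 1, cf_list: bytes = b"") -> bytes:
    """MHDR | AppNonce(3) | NetID(3) | DevAddr(4) | DLSettings | RxDelay | [CFList(16)] | MIC(4).
    MIC = aes128_cmac(AppKey, MHDR | fields)[0:4]; everything after MHDR is then
    aes128_decrypt-ed with the AppKey (the device encrypts to recover it)."""
    if len(cf_list) not in (0, 16):
        raise ValueError("CFList must be empty or 16 bytes")
    fields = (app_nonce.to_bytes(3, "little") + net_id.to_bytes(3, "little")
              + dev_addr.to_bytes(4, "little") + bytes([dl_settings, rx_delay]) + cf_list)
    mic = aes_cmac(app_key, bytes([MHDR_JOIN_ACCEPT]) + fields)[:4]
    return bytes([MHDR_JOIN_ACCEPT]) + aes_ecb(app_key, fields + mic, decrypt=True)


def decode_join_accept(app_key: bytes, phy: bytes) -> dict:
    """End-device side: AES-encrypt the body, then check the MIC before trusting fields."""
    if len(phy) not in (17, 33) or phy[0] != MHDR_JOIN_ACCEPT:
        raise ValueError("not a Join Accept")
    clear = aes_ecb(app_key, phy[1:])
    fields, mic = clear[:-4], clear[-4:]
    if aes_cmac(app_key, bytes([MHDR_JOIN_ACCEPT]) + fields)[:4] != mic:
        raise ValueError("Join Accept MIC check failed")
    return {
        "app_nonce": int.from_bytes(fields[0:3], "little"),
        "net_id": int.from_bytes(fields[3:6], "little"),
        "dev_addr": int.from_bytes(fields[6:10], "little"),
        "dl_settings": fields[10],
        "rx_delay": fields[11],
        "cf_list": fields[12:],
    }


def derive_session_keys(app_key: bytes, app_nonce: int, net_id: int, dev_nonce: int):
    """NwkSKey = aes128_encrypt(AppKey, 0x01 | AppNonce | NetID | DevNonce | pad16),
    AppSKey the same with 0x02. This is where the request's DevNonce binds the join."""
    tail = (app_nonce.to_bytes(3, "little") + net_id.to_bytes(3, "little")
            + dev_nonce.to_bytes(2, "little"))
    block = lambda tag: (bytes([tag]) + tail).ljust(16, b"\x00")
    return aes_ecb(app_key, block(0x01)), aes_ecb(app_key, block(0x02))


if __name__ == "__main__":
    req = build_join_request(APP_KEY, APP_EUI, DEV_EUI, dev_nonce=0x1234)
    info = parse_join_request(APP_KEY, req)
    acc = build_join_accept(APP_KEY, app_nonce=0xABCDEF, net_id=0x000013, dev_addr=0x26011F2A)
    print("join accept:", acc.hex())
    print("device decodes:", decode_join_accept(APP_KEY, acc))
    nwk, app = derive_session_keys(APP_KEY, 0xABCDEF, 0x000013, info["dev_nonce"])
    print("NwkSKey:", nwk.hex(), "AppSKey:", app.hex())
```

Run it with an AppKey you actually hold to produce an accept for a captured request; the Join Request is 23 bytes and the accept is 17 bytes (33 with a CFList), and a single flipped byte in the accept makes the device-side MIC check fail.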