
Add nrf24sniff from https://github.com/xMasterX/all-the-plugins

git-subtree-dir: nrf24sniff
git-subtree-mainline: e6f063277381c7b9aa6397d9e4b8531ecbef359d
git-subtree-split: 933c0e911d36134b1df431ba4fddf78de2c46dfd
Willy-JL hace 2 años
padre
commit
31a5668253

+ 1 - 0
nrf24sniff/.gitsubtree

@@ -0,0 +1 @@
+https://github.com/xMasterX/all-the-plugins dev base_pack/nrfsniff

+ 22 - 0
nrf24sniff/application.fam

@@ -0,0 +1,22 @@
+App(
+    appid="nrf24_sniffer",
+    name="[NRF24] Sniffer",
+    apptype=FlipperAppType.EXTERNAL,
+    entry_point="nrfsniff_app",
+    requires=["gui"],
+    stack_size=2 * 1024,
+    order=70,
+    fap_icon="nrfsniff_10px.png",
+    fap_category="GPIO",
+    fap_author="@mothball187 & @xMasterX",
+    fap_version="1.1",
+    fap_description="App captures addresses to use with NRF24 Mouse Jacker app to perform mousejack attacks",
+    fap_private_libs=[
+        Lib(
+            name="nrf24",
+            sources=[
+                "nrf24.c",
+            ],
+        ),
+    ],
+)

+ 530 - 0
nrf24sniff/lib/nrf24/nrf24.c

@@ -0,0 +1,530 @@
+#include "nrf24.h"
+#include <furi.h>
+#include <furi_hal.h>
+#include <furi_hal_resources.h>
+#include <assert.h>
+#include <string.h>
+
+void nrf24_init() {
+    furi_hal_spi_bus_handle_init(nrf24_HANDLE);
+    furi_hal_spi_acquire(nrf24_HANDLE);
+    furi_hal_gpio_init(nrf24_CE_PIN, GpioModeOutputPushPull, GpioPullUp, GpioSpeedVeryHigh);
+    furi_hal_gpio_write(nrf24_CE_PIN, false);
+}
+
+void nrf24_deinit() {
+    furi_hal_spi_release(nrf24_HANDLE);
+    furi_hal_spi_bus_handle_deinit(nrf24_HANDLE);
+    furi_hal_gpio_write(nrf24_CE_PIN, false);
+    furi_hal_gpio_init(nrf24_CE_PIN, GpioModeAnalog, GpioPullNo, GpioSpeedLow);
+}
+
+void nrf24_spi_trx(
+    FuriHalSpiBusHandle* handle,
+    uint8_t* tx,
+    uint8_t* rx,
+    uint8_t size,
+    uint32_t timeout) {
+    UNUSED(timeout);
+    furi_hal_gpio_write(handle->cs, false);
+    furi_hal_spi_bus_trx(handle, tx, rx, size, nrf24_TIMEOUT);
+    furi_hal_gpio_write(handle->cs, true);
+}
+
+uint8_t nrf24_write_reg(FuriHalSpiBusHandle* handle, uint8_t reg, uint8_t data) {
+    uint8_t tx[2] = {W_REGISTER | (REGISTER_MASK & reg), data};
+    uint8_t rx[2] = {0};
+    nrf24_spi_trx(handle, tx, rx, 2, nrf24_TIMEOUT);
+    return rx[0];
+}
+
+uint8_t
+    nrf24_write_buf_reg(FuriHalSpiBusHandle* handle, uint8_t reg, uint8_t* data, uint8_t size) {
+    uint8_t tx[size + 1];
+    uint8_t rx[size + 1];
+    memset(rx, 0, size + 1);
+    tx[0] = W_REGISTER | (REGISTER_MASK & reg);
+    memcpy(&tx[1], data, size);
+    nrf24_spi_trx(handle, tx, rx, size + 1, nrf24_TIMEOUT);
+    return rx[0];
+}
+
+uint8_t nrf24_read_reg(FuriHalSpiBusHandle* handle, uint8_t reg, uint8_t* data, uint8_t size) {
+    uint8_t tx[size + 1];
+    uint8_t rx[size + 1];
+    memset(rx, 0, size + 1);
+    tx[0] = R_REGISTER | (REGISTER_MASK & reg);
+    memset(&tx[1], 0, size);
+    nrf24_spi_trx(handle, tx, rx, size + 1, nrf24_TIMEOUT);
+    memcpy(data, &rx[1], size);
+    return rx[0];
+}
+
+uint8_t nrf24_flush_rx(FuriHalSpiBusHandle* handle) {
+    uint8_t tx[] = {FLUSH_RX};
+    uint8_t rx[] = {0};
+    nrf24_spi_trx(handle, tx, rx, 1, nrf24_TIMEOUT);
+    return rx[0];
+}
+
+uint8_t nrf24_flush_tx(FuriHalSpiBusHandle* handle) {
+    uint8_t tx[] = {FLUSH_TX};
+    uint8_t rx[] = {0};
+    nrf24_spi_trx(handle, tx, rx, 1, nrf24_TIMEOUT);
+    return rx[0];
+}
+
+uint8_t nrf24_get_maclen(FuriHalSpiBusHandle* handle) {
+    uint8_t maclen;
+    nrf24_read_reg(handle, REG_SETUP_AW, &maclen, 1);
+    maclen &= 3;
+    return maclen + 2;
+}
+
+uint8_t nrf24_set_maclen(FuriHalSpiBusHandle* handle, uint8_t maclen) {
+    assert(maclen > 1 && maclen < 6);
+    uint8_t status = 0;
+    status = nrf24_write_reg(handle, REG_SETUP_AW, maclen - 2);
+    return status;
+}
+
+uint8_t nrf24_status(FuriHalSpiBusHandle* handle) {
+    uint8_t status;
+    uint8_t tx[] = {R_REGISTER | (REGISTER_MASK & REG_STATUS)};
+    nrf24_spi_trx(handle, tx, &status, 1, nrf24_TIMEOUT);
+    return status;
+}
+
+uint32_t nrf24_get_rate(FuriHalSpiBusHandle* handle) {
+    uint8_t setup = 0;
+    uint32_t rate = 0;
+    nrf24_read_reg(handle, REG_RF_SETUP, &setup, 1);
+    setup &= 0x28;
+    if(setup == 0x20)
+        rate = 250000; // 250kbps
+    else if(setup == 0x08)
+        rate = 2000000; // 2Mbps
+    else if(setup == 0x00)
+        rate = 1000000; // 1Mbps
+
+    return rate;
+}
+
+uint8_t nrf24_set_rate(FuriHalSpiBusHandle* handle, uint32_t rate) {
+    uint8_t r6 = 0;
+    uint8_t status = 0;
+    if(!rate) rate = 2000000;
+
+    nrf24_read_reg(handle, REG_RF_SETUP, &r6, 1); // RF_SETUP register
+    r6 = r6 & (~0x28); // Clear rate fields.
+    if(rate == 2000000)
+        r6 = r6 | 0x08;
+    else if(rate == 1000000)
+        r6 = r6;
+    else if(rate == 250000)
+        r6 = r6 | 0x20;
+
+    status = nrf24_write_reg(handle, REG_RF_SETUP, r6); // Write new rate.
+    return status;
+}
+
+uint8_t nrf24_get_chan(FuriHalSpiBusHandle* handle) {
+    uint8_t channel = 0;
+    nrf24_read_reg(handle, REG_RF_CH, &channel, 1);
+    return channel;
+}
+
+uint8_t nrf24_set_chan(FuriHalSpiBusHandle* handle, uint8_t chan) {
+    uint8_t status;
+    status = nrf24_write_reg(handle, REG_RF_CH, chan);
+    return status;
+}
+
+uint8_t nrf24_get_src_mac(FuriHalSpiBusHandle* handle, uint8_t* mac) {
+    uint8_t size = 0;
+    uint8_t status = 0;
+    size = nrf24_get_maclen(handle);
+    status = nrf24_read_reg(handle, REG_RX_ADDR_P0, mac, size);
+    return status;
+}
+
+uint8_t nrf24_set_src_mac(FuriHalSpiBusHandle* handle, uint8_t* mac, uint8_t size) {
+    uint8_t status = 0;
+    uint8_t clearmac[] = {0, 0, 0, 0, 0};
+    nrf24_set_maclen(handle, size);
+    nrf24_write_buf_reg(handle, REG_RX_ADDR_P0, clearmac, 5);
+    status = nrf24_write_buf_reg(handle, REG_RX_ADDR_P0, mac, size);
+    return status;
+}
+
+uint8_t nrf24_get_dst_mac(FuriHalSpiBusHandle* handle, uint8_t* mac) {
+    uint8_t size = 0;
+    uint8_t status = 0;
+    size = nrf24_get_maclen(handle);
+    status = nrf24_read_reg(handle, REG_TX_ADDR, mac, size);
+    return status;
+}
+
+uint8_t nrf24_set_dst_mac(FuriHalSpiBusHandle* handle, uint8_t* mac, uint8_t size) {
+    uint8_t status = 0;
+    uint8_t clearmac[] = {0, 0, 0, 0, 0};
+    nrf24_set_maclen(handle, size);
+    nrf24_write_buf_reg(handle, REG_TX_ADDR, clearmac, 5);
+    status = nrf24_write_buf_reg(handle, REG_TX_ADDR, mac, size);
+    return status;
+}
+
+uint8_t nrf24_get_packetlen(FuriHalSpiBusHandle* handle) {
+    uint8_t len = 0;
+    nrf24_read_reg(handle, RX_PW_P0, &len, 1);
+    return len;
+}
+
+uint8_t nrf24_set_packetlen(FuriHalSpiBusHandle* handle, uint8_t len) {
+    uint8_t status = 0;
+    status = nrf24_write_reg(handle, RX_PW_P0, len);
+    return status;
+}
+
+uint8_t
+    nrf24_rxpacket(FuriHalSpiBusHandle* handle, uint8_t* packet, uint8_t* packetsize, bool full) {
+    uint8_t status = 0;
+    uint8_t size = 0;
+    uint8_t tx_pl_wid[] = {R_RX_PL_WID, 0};
+    uint8_t rx_pl_wid[] = {0, 0};
+    uint8_t tx_cmd[33] = {0}; // 32 max payload size + 1 for command
+    uint8_t tmp_packet[33] = {0};
+
+    status = nrf24_status(handle);
+
+    if(status & 0x40) {
+        if(full)
+            size = nrf24_get_packetlen(handle);
+        else {
+            nrf24_spi_trx(handle, tx_pl_wid, rx_pl_wid, 2, nrf24_TIMEOUT);
+            size = rx_pl_wid[1];
+        }
+
+        tx_cmd[0] = R_RX_PAYLOAD;
+        nrf24_spi_trx(handle, tx_cmd, tmp_packet, size + 1, nrf24_TIMEOUT);
+        nrf24_write_reg(handle, REG_STATUS, 0x40); // clear bit.
+        memcpy(packet, &tmp_packet[1], size);
+    } else if(status == 0) {
+        nrf24_flush_rx(handle);
+        nrf24_write_reg(handle, REG_STATUS, 0x40); // clear bit.
+    }
+
+    *packetsize = size;
+    return status;
+}
+
+uint8_t nrf24_txpacket(FuriHalSpiBusHandle* handle, uint8_t* payload, uint8_t size, bool ack) {
+    uint8_t status = 0;
+    uint8_t tx[size + 1];
+    uint8_t rx[size + 1];
+    memset(tx, 0, size + 1);
+    memset(rx, 0, size + 1);
+
+    if(!ack)
+        tx[0] = W_TX_PAYLOAD_NOACK;
+    else
+        tx[0] = W_TX_PAYLOAD;
+
+    memcpy(&tx[1], payload, size);
+    nrf24_spi_trx(handle, tx, rx, size + 1, nrf24_TIMEOUT);
+    nrf24_set_tx_mode(handle);
+
+    while(!(status & (TX_DS | MAX_RT))) status = nrf24_status(handle);
+
+    if(status & MAX_RT) nrf24_flush_tx(handle);
+
+    nrf24_set_idle(handle);
+    nrf24_write_reg(handle, REG_STATUS, TX_DS | MAX_RT);
+    return status & TX_DS;
+}
+
+uint8_t nrf24_power_up(FuriHalSpiBusHandle* handle) {
+    uint8_t status = 0;
+    uint8_t cfg = 0;
+    nrf24_read_reg(handle, REG_CONFIG, &cfg, 1);
+    cfg = cfg | 2;
+    status = nrf24_write_reg(handle, REG_CONFIG, cfg);
+    furi_delay_ms(5000);
+    return status;
+}
+
+uint8_t nrf24_set_idle(FuriHalSpiBusHandle* handle) {
+    uint8_t status = 0;
+    uint8_t cfg = 0;
+    nrf24_read_reg(handle, REG_CONFIG, &cfg, 1);
+    cfg &= 0xfc; // clear bottom two bits to power down the radio
+    status = nrf24_write_reg(handle, REG_CONFIG, cfg);
+    //nr204_write_reg(handle, REG_EN_RXADDR, 0x0);
+    furi_hal_gpio_write(nrf24_CE_PIN, false);
+    return status;
+}
+
+uint8_t nrf24_set_rx_mode(FuriHalSpiBusHandle* handle) {
+    uint8_t status = 0;
+    uint8_t cfg = 0;
+    //status = nrf24_write_reg(handle, REG_CONFIG, 0x0F); // enable 2-byte CRC, PWR_UP, and PRIM_RX
+    nrf24_read_reg(handle, REG_CONFIG, &cfg, 1);
+    cfg |= 0x03; // PWR_UP, and PRIM_RX
+    status = nrf24_write_reg(handle, REG_CONFIG, cfg);
+    //nr204_write_reg(REG_EN_RXADDR, 0x03) // Set RX Pipe 0 and 1
+    furi_hal_gpio_write(nrf24_CE_PIN, true);
+    furi_delay_ms(2000);
+    return status;
+}
+
+uint8_t nrf24_set_tx_mode(FuriHalSpiBusHandle* handle) {
+    uint8_t status = 0;
+    uint8_t cfg = 0;
+    furi_hal_gpio_write(nrf24_CE_PIN, false);
+    nrf24_write_reg(handle, REG_STATUS, 0x30);
+    //status = nrf24_write_reg(handle, REG_CONFIG, 0x0E); // enable 2-byte CRC, PWR_UP
+    nrf24_read_reg(handle, REG_CONFIG, &cfg, 1);
+    cfg &= 0xfe; // disable PRIM_RX
+    cfg |= 0x02; // PWR_UP
+    status = nrf24_write_reg(handle, REG_CONFIG, cfg);
+    furi_hal_gpio_write(nrf24_CE_PIN, true);
+    furi_delay_ms(2);
+    return status;
+}
+
+void nrf24_configure(
+    FuriHalSpiBusHandle* handle,
+    uint8_t rate,
+    uint8_t* srcmac,
+    uint8_t* dstmac,
+    uint8_t maclen,
+    uint8_t channel,
+    bool noack,
+    bool disable_aa) {
+    assert(channel <= 125);
+    assert(rate == 1 || rate == 2);
+    if(rate == 2)
+        rate = 8; // 2Mbps
+    else
+        rate = 0; // 1Mbps
+
+    nrf24_write_reg(handle, REG_CONFIG, 0x00); // Stop nRF
+    nrf24_set_idle(handle);
+    nrf24_write_reg(handle, REG_STATUS, 0x1c); // clear interrupts
+    if(disable_aa)
+        nrf24_write_reg(handle, REG_EN_AA, 0x00); // Disable Shockburst
+    else
+        nrf24_write_reg(handle, REG_EN_AA, 0x1F); // Enable Shockburst
+
+    nrf24_write_reg(handle, REG_DYNPD, 0x3F); // enable dynamic payload length on all pipes
+    if(noack)
+        nrf24_write_reg(handle, REG_FEATURE, 0x05); // disable payload-with-ack, enable noack
+    else {
+        nrf24_write_reg(handle, REG_CONFIG, 0x0C); // 2 byte CRC
+        nrf24_write_reg(handle, REG_FEATURE, 0x07); // enable dyn payload and ack
+        nrf24_write_reg(
+            handle, REG_SETUP_RETR, 0x1f); // 15 retries for AA, 500us auto retransmit delay
+    }
+
+    nrf24_set_idle(handle);
+    nrf24_flush_rx(handle);
+    nrf24_flush_tx(handle);
+
+    if(maclen) nrf24_set_maclen(handle, maclen);
+    if(srcmac) nrf24_set_src_mac(handle, srcmac, maclen);
+    if(dstmac) nrf24_set_dst_mac(handle, dstmac, maclen);
+
+    nrf24_write_reg(handle, REG_RF_CH, channel);
+    nrf24_write_reg(handle, REG_RF_SETUP, rate);
+    furi_delay_ms(200);
+}
+
+void nrf24_init_promisc_mode(FuriHalSpiBusHandle* handle, uint8_t channel, uint8_t rate) {
+    //uint8_t preamble[] = {0x55, 0x00}; // little endian
+    uint8_t preamble[] = {0xAA, 0x00}; // little endian
+    //uint8_t preamble[] = {0x00, 0x55}; // little endian
+    //uint8_t preamble[] = {0x00, 0xAA}; // little endian
+    nrf24_write_reg(handle, REG_CONFIG, 0x00); // Stop nRF
+    nrf24_write_reg(handle, REG_STATUS, 0x1c); // clear interrupts
+    nrf24_write_reg(handle, REG_DYNPD, 0x0); // disable shockburst
+    nrf24_write_reg(handle, REG_EN_AA, 0x00); // Disable Shockburst
+    nrf24_write_reg(handle, REG_FEATURE, 0x05); // disable payload-with-ack, enable noack
+    nrf24_set_maclen(handle, 2); // shortest address
+    nrf24_set_src_mac(handle, preamble, 2); // set src mac to preamble bits to catch everything
+    nrf24_set_packetlen(handle, 32); // set max packet length
+    nrf24_set_idle(handle);
+    nrf24_flush_rx(handle);
+    nrf24_flush_tx(handle);
+    nrf24_write_reg(handle, REG_RF_CH, channel);
+    nrf24_write_reg(handle, REG_RF_SETUP, rate);
+
+    // prime for RX, no checksum
+    nrf24_write_reg(handle, REG_CONFIG, 0x03); // PWR_UP and PRIM_RX, disable AA and CRC
+    furi_hal_gpio_write(nrf24_CE_PIN, true);
+    furi_delay_ms(100);
+}
+
+void hexlify(uint8_t* in, uint8_t size, char* out) {
+    memset(out, 0, size * 2);
+    for(int i = 0; i < size; i++)
+        snprintf(out + strlen(out), sizeof(out + strlen(out)), "%02X", in[i]);
+}
+
+uint64_t bytes_to_int64(uint8_t* bytes, uint8_t size, bool bigendian) {
+    uint64_t ret = 0;
+    for(int i = 0; i < size; i++)
+        if(bigendian)
+            ret |= bytes[i] << ((size - 1 - i) * 8);
+        else
+            ret |= bytes[i] << (i * 8);
+
+    return ret;
+}
+
+void int64_to_bytes(uint64_t val, uint8_t* out, bool bigendian) {
+    for(int i = 0; i < 8; i++) {
+        if(bigendian)
+            out[i] = (val >> ((7 - i) * 8)) & 0xff;
+        else
+            out[i] = (val >> (i * 8)) & 0xff;
+    }
+}
+
+uint32_t bytes_to_int32(uint8_t* bytes, bool bigendian) {
+    uint32_t ret = 0;
+    for(int i = 0; i < 4; i++)
+        if(bigendian)
+            ret |= bytes[i] << ((3 - i) * 8);
+        else
+            ret |= bytes[i] << (i * 8);
+
+    return ret;
+}
+
+void int32_to_bytes(uint32_t val, uint8_t* out, bool bigendian) {
+    for(int i = 0; i < 4; i++) {
+        if(bigendian)
+            out[i] = (val >> ((3 - i) * 8)) & 0xff;
+        else
+            out[i] = (val >> (i * 8)) & 0xff;
+    }
+}
+
+uint64_t bytes_to_int16(uint8_t* bytes, bool bigendian) {
+    uint16_t ret = 0;
+    for(int i = 0; i < 2; i++)
+        if(bigendian)
+            ret |= bytes[i] << ((1 - i) * 8);
+        else
+            ret |= bytes[i] << (i * 8);
+
+    return ret;
+}
+
+void int16_to_bytes(uint16_t val, uint8_t* out, bool bigendian) {
+    for(int i = 0; i < 2; i++) {
+        if(bigendian)
+            out[i] = (val >> ((1 - i) * 8)) & 0xff;
+        else
+            out[i] = (val >> (i * 8)) & 0xff;
+    }
+}
+
+// handle iffyness with preamble processing sometimes being a bit (literally) off
+void alt_address_old(uint8_t* packet, uint8_t* altaddr) {
+    uint8_t macmess_hi_b[4];
+    uint8_t macmess_lo_b[2];
+    uint32_t macmess_hi;
+    uint16_t macmess_lo;
+    uint8_t preserved;
+
+    // get first 6 bytes into 32-bit and 16-bit variables
+    memcpy(macmess_hi_b, packet, 4);
+    memcpy(macmess_lo_b, packet + 4, 2);
+
+    macmess_hi = bytes_to_int32(macmess_hi_b, true);
+
+    //preserve least 7 bits from hi that will be shifted down to lo
+    preserved = macmess_hi & 0x7f;
+    macmess_hi >>= 7;
+
+    macmess_lo = bytes_to_int16(macmess_lo_b, true);
+    macmess_lo >>= 7;
+    macmess_lo = (preserved << 9) | macmess_lo;
+    int32_to_bytes(macmess_hi, macmess_hi_b, true);
+    int16_to_bytes(macmess_lo, macmess_lo_b, true);
+    memcpy(altaddr, &macmess_hi_b[1], 3);
+    memcpy(altaddr + 3, macmess_lo_b, 2);
+}
+
+bool validate_address(uint8_t* addr) {
+    uint8_t bad[][3] = {{0x55, 0x55}, {0xAA, 0xAA}, {0x00, 0x00}, {0xFF, 0xFF}};
+    for(int i = 0; i < 4; i++)
+        for(int j = 0; j < 2; j++)
+            if(!memcmp(addr + j * 2, bad[i], 2)) return false;
+
+    return true;
+}
+
+bool nrf24_sniff_address(FuriHalSpiBusHandle* handle, uint8_t maclen, uint8_t* address) {
+    bool found = false;
+    uint8_t packet[32] = {0};
+    uint8_t packetsize;
+    //char printit[65];
+    uint8_t status = 0;
+    status = nrf24_rxpacket(handle, packet, &packetsize, true);
+    if(status & 0x40) {
+        if(validate_address(packet)) {
+            for(int i = 0; i < maclen; i++) address[i] = packet[maclen - 1 - i];
+
+            /*
+            alt_address(packet, packet);
+
+            for(i = 0; i < maclen; i++)
+                address[i + 5] = packet[maclen - 1 - i];
+            */
+
+            //memcpy(address, packet, maclen);
+            //hexlify(packet, packetsize, printit);
+            found = true;
+        }
+    }
+
+    return found;
+}
+
+uint8_t nrf24_find_channel(
+    FuriHalSpiBusHandle* handle,
+    uint8_t* srcmac,
+    uint8_t* dstmac,
+    uint8_t maclen,
+    uint8_t rate,
+    uint8_t min_channel,
+    uint8_t max_channel,
+    bool autoinit) {
+    uint8_t ping_packet[] = {0x0f, 0x0f, 0x0f, 0x0f}; // this can be anything, we just need an ack
+    uint8_t ch = max_channel + 1; // means fail
+    nrf24_configure(handle, rate, srcmac, dstmac, maclen, 2, false, false);
+    for(ch = min_channel; ch <= max_channel + 1; ch++) {
+        nrf24_write_reg(handle, REG_RF_CH, ch);
+        if(nrf24_txpacket(handle, ping_packet, 4, true)) break;
+    }
+
+    if(autoinit) {
+        FURI_LOG_D("nrf24", "initializing radio for channel %d", ch);
+        nrf24_configure(handle, rate, srcmac, dstmac, maclen, ch, false, false);
+        return ch;
+    }
+
+    return ch;
+}
+
+bool nrf24_check_connected(FuriHalSpiBusHandle* handle) {
+    uint8_t status = nrf24_status(handle);
+
+    if(status != 0x00) {
+        return true;
+    } else {
+        return false;
+    }
+}
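Review bot: In nrf24_rxpacket the payload width `size` is taken straight from the chip (RX_PW_P0 via nrf24_get_packetlen, or byte 1 of the R_RX_PL_WID reply) and is never bounded before it drives `nrf24_spi_trx(handle, tx_cmd, tmp_packet, size + 1, ...)` into the 33-byte `tmp_packet` and `memcpy(packet, &tmp_packet[1], size)` into the caller's buffer, which nrf24_sniff_address declares as `packet[32]`; a width above 32 (the dynamic-width path can report one for a corrupt frame) overruns both, and at 255 the `size + 1` argument wraps to 0 in the uint8_t parameter while the memcpy still copies 255 bytes. Add `if(size > 32) { nrf24_flush_rx(handle); size = 0; }` before the R_RX_PAYLOAD read so an invalid width drops the frame instead of writing past the buffers. Separately, bytes_to_int64 and bytes_to_int32 shift `bytes[i]` as a promoted int, which is undefined for shift counts of 32 or more and when the result sets bit 31, so the 64-bit variant also silently truncates; cast first, e.g. `ret |= (uint64_t)bytes[i] << ((size - 1 - i) * 8);` and `ret |= (uint32_t)bytes[i] << ((3 - i) * 8);`. hexlify's `sizeof(out + strlen(out))` is the size of a pointer, not the remaining output space, and the final NUL lands at `out[2 * size]` which the memset does not cover; `snprintf(out + 2 * i, 3, "%02X", in[i]);` with a comment that `out` must hold `2 * size + 1` bytes states the real contract.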

+ 373 - 0
nrf24sniff/lib/nrf24/nrf24.h

@@ -0,0 +1,373 @@
+#pragma once
+#include <stdbool.h>
+#include <stdint.h>
+#include <furi_hal_spi.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define R_REGISTER 0x00
+#define W_REGISTER 0x20
+#define REGISTER_MASK 0x1F
+#define ACTIVATE 0x50
+#define R_RX_PL_WID 0x60
+#define R_RX_PAYLOAD 0x61
+#define W_TX_PAYLOAD 0xA0
+#define W_TX_PAYLOAD_NOACK 0xB0
+#define W_ACK_PAYLOAD 0xA8
+#define FLUSH_TX 0xE1
+#define FLUSH_RX 0xE2
+#define REUSE_TX_PL 0xE3
+#define RF24_NOP 0xFF
+
+#define REG_CONFIG 0x00
+#define REG_EN_AA 0x01
+#define REG_EN_RXADDR 0x02
+#define REG_SETUP_AW 0x03
+#define REG_SETUP_RETR 0x04
+#define REG_DYNPD 0x1C
+#define REG_FEATURE 0x1D
+#define REG_RF_SETUP 0x06
+#define REG_STATUS 0x07
+#define REG_RX_ADDR_P0 0x0A
+#define REG_RF_CH 0x05
+#define REG_TX_ADDR 0x10
+
+#define RX_PW_P0 0x11
+#define TX_DS 0x20
+#define MAX_RT 0x10
+
+#define nrf24_TIMEOUT 500
+#define nrf24_CE_PIN &gpio_ext_pb2
+#define nrf24_HANDLE &furi_hal_spi_bus_handle_external
+
+/* Low level API */
+
+/** Write device register
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param      reg     - register
+ * @param      data    - data to write
+ *
+ * @return     device status
+ */
+uint8_t nrf24_write_reg(FuriHalSpiBusHandle* handle, uint8_t reg, uint8_t data);
+
+/** Write buffer to device register
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param      reg     - register
+ * @param      data    - data to write
+ * @param      size    - size of data to write
+ *
+ * @return     device status
+ */
+uint8_t nrf24_write_buf_reg(FuriHalSpiBusHandle* handle, uint8_t reg, uint8_t* data, uint8_t size);
+
+/** Read device register
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param      reg     - register
+ * @param[out] data    - pointer to data
+ *
+ * @return     device status
+ */
+uint8_t nrf24_read_reg(FuriHalSpiBusHandle* handle, uint8_t reg, uint8_t* data, uint8_t size);
+
+/** Power up the radio for operation
+ * 
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * 
+ * @return     device status
+ */
+uint8_t nrf24_power_up(FuriHalSpiBusHandle* handle);
+
+/** Power down the radio
+ * 
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * 
+ * @return     device status
+ */
+uint8_t nrf24_set_idle(FuriHalSpiBusHandle* handle);
+
+/** Sets the radio to RX mode
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * 
+ * @return     device status
+ */
+uint8_t nrf24_set_rx_mode(FuriHalSpiBusHandle* handle);
+
+/** Sets the radio to TX mode
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * 
+ * @return     device status
+ */
+uint8_t nrf24_set_tx_mode(FuriHalSpiBusHandle* handle);
+
+/*=============================================================================================================*/
+
+/* High level API */
+
+/** Must call this before using any other nrf24 API
+ * 
+ */
+void nrf24_init();
+
+/** Must call this when we end using nrf24 device
+ * 
+ */
+void nrf24_deinit();
+
+/** Send flush rx command
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ *
+ * @return     device status
+ */
+uint8_t nrf24_flush_rx(FuriHalSpiBusHandle* handle);
+
+/** Send flush tx command
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ *
+ * @return     device status
+ */
+uint8_t nrf24_flush_tx(FuriHalSpiBusHandle* handle);
+
+/** Gets the RX packet length in data pipe 0
+ * 
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * 
+ * @return     packet length in data pipe 0
+ */
+uint8_t nrf24_get_packetlen(FuriHalSpiBusHandle* handle);
+
+/** Sets the RX packet length in data pipe 0
+ * 
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param      len - length to set
+ * 
+ * @return     device status
+ */
+uint8_t nrf24_set_packetlen(FuriHalSpiBusHandle* handle, uint8_t len);
+
+/** Gets configured length of MAC address
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * 
+ * @return     MAC address length
+ */
+uint8_t nrf24_get_maclen(FuriHalSpiBusHandle* handle);
+
+/** Sets configured length of MAC address
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param      maclen - length to set MAC address to, must be greater than 1 and less than 6
+ * 
+ * @return     MAC address length
+ */
+uint8_t nrf24_set_maclen(FuriHalSpiBusHandle* handle, uint8_t maclen);
+
+/** Gets the current status flags from the STATUS register
+ * 
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * 
+ * @return     status flags
+ */
+uint8_t nrf24_status(FuriHalSpiBusHandle* handle);
+
+/** Gets the current transfer rate
+ * 
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * 
+ * @return     transfer rate in bps
+ */
+uint32_t nrf24_get_rate(FuriHalSpiBusHandle* handle);
+
+/** Sets the transfer rate
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param      rate - the transfer rate in bps
+ * 
+ * @return     device status
+ */
+uint8_t nrf24_set_rate(FuriHalSpiBusHandle* handle, uint32_t rate);
+
+/** Gets the current channel
+ * In nrf24, the channel number is multiplied times 1MHz and added to 2400MHz to get the frequency
+ * 
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * 
+ * @return     channel
+ */
+uint8_t nrf24_get_chan(FuriHalSpiBusHandle* handle);
+
+/** Sets the channel
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param      frequency - the frequency in hertz
+ * 
+ * @return     device status
+ */
+uint8_t nrf24_set_chan(FuriHalSpiBusHandle* handle, uint8_t chan);
+
+/** Gets the source mac address
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param[out] mac - the source mac address
+ * 
+ * @return     device status
+ */
+uint8_t nrf24_get_src_mac(FuriHalSpiBusHandle* handle, uint8_t* mac);
+
+/** Sets the source mac address
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param      mac - the mac address to set
+ * @param      size - the size of the mac address (2 to 5)
+ * 
+ * @return     device status
+ */
+uint8_t nrf24_set_src_mac(FuriHalSpiBusHandle* handle, uint8_t* mac, uint8_t size);
+
+/** Gets the dest mac address
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param[out] mac - the source mac address
+ * 
+ * @return     device status
+ */
+uint8_t nrf24_get_dst_mac(FuriHalSpiBusHandle* handle, uint8_t* mac);
+
+/** Sets the dest mac address
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param      mac - the mac address to set
+ * @param      size - the size of the mac address (2 to 5)
+ * 
+ * @return     device status
+ */
+uint8_t nrf24_set_dst_mac(FuriHalSpiBusHandle* handle, uint8_t* mac, uint8_t size);
+
+/** Reads RX packet
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param[out] packet - the packet contents
+ * @param[out] packetsize - size of the received packet
+ * @param      full - boolean set to true, packet length is determined by RX_PW_P0 register, false it is determined by dynamic payload length command
+ * 
+ * @return     device status
+ */
+uint8_t
+    nrf24_rxpacket(FuriHalSpiBusHandle* handle, uint8_t* packet, uint8_t* packetsize, bool full);
+
+/** Sends TX packet
+ *
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param      packet - the packet contents
+ * @param      size - packet size
+ * @param      ack - boolean to determine whether an ACK is required for the packet or not
+ * 
+ * @return     device status
+ */
+uint8_t nrf24_txpacket(FuriHalSpiBusHandle* handle, uint8_t* payload, uint8_t size, bool ack);
+
+/** Configure the radio
+ * This is not comprehensive, but covers a lot of the common configuration options that may be changed
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param      rate - transfer rate in Mbps (1 or 2)
+ * @param      srcmac - source mac address
+ * @param      dstmac - destination mac address
+ * @param      maclen - length of mac address
+ * @param      channel - channel to tune to
+ * @param      noack - if true, disable auto-acknowledge
+ * @param      disable_aa - if true, disable ShockBurst
+ * 
+ */
+void nrf24_configure(
+    FuriHalSpiBusHandle* handle,
+    uint8_t rate,
+    uint8_t* srcmac,
+    uint8_t* dstmac,
+    uint8_t maclen,
+    uint8_t channel,
+    bool noack,
+    bool disable_aa);
+
+/** Configures the radio for "promiscuous mode" and primes it for rx
+ * This is not an actual mode of the nrf24, but this function exploits a few bugs in the chip that allows it to act as if it were.
+ * See http://travisgoodspeed.blogspot.com/2011/02/promiscuity-is-nrf24l01s-duty.html for details.
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param      channel - channel to tune to
+ * @param      rate - transfer rate in Mbps (1 or 2) 
+ */
+void nrf24_init_promisc_mode(FuriHalSpiBusHandle* handle, uint8_t channel, uint8_t rate);
+
+/** Listens for a packet and returns first possible address sniffed
+ * Call this only after calling nrf24_init_promisc_mode
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param      maclen - length of target mac address
+ * @param[out] addresses - sniffed address
+ * 
+ * @return     success
+ */
+bool nrf24_sniff_address(FuriHalSpiBusHandle* handle, uint8_t maclen, uint8_t* address);
+
+/** Sends ping packet on each channel for designated tx mac looking for ack
+ * 
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * @param      srcmac - source address
+ * @param      dstmac - destination address
+ * @param      maclen - length of address
+ * @param      rate - transfer rate in Mbps (1 or 2) 
+ * @param      min_channel - channel to start with
+ * @param      max_channel - channel to end at
+ * @param      autoinit - if true, automatically configure radio for this channel
+ * 
+ * @return     channel that the address is listening on, if this value is above the max_channel param, it failed
+ */
+uint8_t nrf24_find_channel(
+    FuriHalSpiBusHandle* handle,
+    uint8_t* srcmac,
+    uint8_t* dstmac,
+    uint8_t maclen,
+    uint8_t rate,
+    uint8_t min_channel,
+    uint8_t max_channel,
+    bool autoinit);
+
+/** Converts 64 bit value into uint8_t array
+ * @param      val  - 64-bit integer
+ * @param[out] out - bytes out
+ * @param      bigendian - if true, convert as big endian, otherwise little endian
+ */
+void int64_to_bytes(uint64_t val, uint8_t* out, bool bigendian);
+
+/** Converts 32 bit value into uint8_t array
+ * @param      val  - 32-bit integer
+ * @param[out] out - bytes out
+ * @param      bigendian - if true, convert as big endian, otherwise little endian
+ */
+void int32_to_bytes(uint32_t val, uint8_t* out, bool bigendian);
+
+/** Converts uint8_t array into 32 bit value
+ * @param      bytes  - uint8_t array
+ * @param      bigendian - if true, convert as big endian, otherwise little endian
+ * 
+ * @return     32-bit value
+ */
+uint32_t bytes_to_int32(uint8_t* bytes, bool bigendian);
+
+/** Check if the nrf24 is connected
+ * @param      handle  - pointer to FuriHalSpiHandle
+ * 
+ * @return     true if connected, otherwise false
+*/
+bool nrf24_check_connected(FuriHalSpiBusHandle* handle);
+
+#ifdef __cplusplus
+}
+#endif
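Review bot: Several prototypes document a contract the implementation in nrf24.c does not have: `nrf24_set_chan` describes its parameter as `frequency - the frequency in hertz` while the parameter is the channel number `chan`, `nrf24_set_maclen` says it returns `MAC address length` while the implementation returns the write status, `nrf24_read_reg` omits its `size` parameter, and `nrf24_sniff_address` documents `addresses` for the parameter `address`. The `nrf24_rxpacket` comment should also state the buffer contract the caller must honour, e.g. `@param[out] packet - buffer of at least 32 bytes (maximum nRF24 payload)`, since nrf24_sniff_address sizes it at exactly 32. `void nrf24_init();` and `void nrf24_deinit();` declare unspecified parameter lists in C; `void nrf24_init(void);` and `void nrf24_deinit(void);` let the compiler reject stray arguments. bytes_to_int16 and int16_to_bytes are defined in nrf24.c but not declared here, and the former returns uint64_t despite its name; if they are meant to be public, declare them here with a uint16_t return so the two files cannot drift apart.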

+ 505 - 0
nrf24sniff/nrfsniff.c

@@ -0,0 +1,505 @@
+#include <furi.h>
+#include <furi_hal.h>
+#include <gui/gui.h>
+#include <input/input.h>
+#include <notification/notification_messages.h>
+#include <stdlib.h>
+
+#include <nrf24.h>
+#include <toolbox/stream/file_stream.h>
+
+#define LOGITECH_MAX_CHANNEL 85
+#define COUNT_THRESHOLD 2
+#define DEFAULT_SAMPLE_TIME 8000
+#define MAX_ADDRS 100
+#define MAX_CONFIRMED 32
+
+#define NRFSNIFF_APP_PATH_FOLDER STORAGE_APP_DATA_PATH_PREFIX
+#define NRFSNIFF_APP_FILENAME "addresses.txt"
+#define TAG "nrfsniff"
+
+typedef enum {
+    EventTypeTick,
+    EventTypeKey,
+} EventType;
+
+typedef struct {
+    EventType type;
+    InputEvent input;
+} PluginEvent;
+
+typedef struct {
+    FuriMutex* mutex;
+} PluginState;
+
+char rate_text_fmt[] = "Transfer rate: %dMbps";
+char sample_text_fmt[] = "Sample Time: %d ms";
+char channel_text_fmt[] = "Channel: %d    Sniffing: %s";
+char preamble_text_fmt[] = "Preamble: %02X";
+char sniff_text_fmt[] = "Found: %d       Unique: %u";
+char addresses_header_text[] = "Address,rate";
+char sniffed_address_fmt[] = "%s,%d";
+char rate_text[46];
+char channel_text[38];
+char sample_text[32];
+char preamble_text[14];
+char sniff_text[38];
+char sniffed_address[14];
+
+uint8_t target_channel = 0;
+uint32_t found_count = 0;
+uint32_t unique_saved_count = 0;
+uint32_t sample_time = DEFAULT_SAMPLE_TIME;
+uint8_t target_rate = 8; // rate can be either 8 (2Mbps) or 0 (1Mbps)
+uint8_t target_preamble[] = {0xAA, 0x00};
+uint8_t sniffing_state = false;
+char top_address[12];
+
+uint8_t candidates[MAX_ADDRS][5] = {0}; // last 100 sniffed addresses
+uint32_t counts[MAX_ADDRS];
+uint8_t confirmed[MAX_CONFIRMED][5] = {0}; // first 32 confirmed addresses
+uint8_t confirmed_idx = 0;
+uint32_t total_candidates = 0;
+uint32_t candidate_idx = 0;
+
+static int get_addr_index(uint8_t* addr, uint8_t addr_size) {
+    for(uint32_t i = 0; i < total_candidates; i++) {
+        uint8_t* arr_item = candidates[i];
+        if(!memcmp(arr_item, addr, addr_size)) return i;
+    }
+
+    return -1;
+}
+
+static int get_highest_idx() {
+    uint32_t highest = 0;
+    int highest_idx = 0;
+    for(uint32_t i = 0; i < total_candidates; i++) {
+        if(counts[i] > highest) {
+            highest = counts[i];
+            highest_idx = i;
+        }
+    }
+
+    return highest_idx;
+}
+
+// if array is full, start over from beginning
+static void insert_addr(uint8_t* addr, uint8_t addr_size) {
+    if(candidate_idx >= MAX_ADDRS) candidate_idx = 0;
+
+    memcpy(candidates[candidate_idx], addr, addr_size);
+    counts[candidate_idx] = 1;
+    if(total_candidates < MAX_ADDRS) total_candidates++;
+    candidate_idx++;
+}
+
+static void render_callback(Canvas* const canvas, void* ctx) {
+    furi_assert(ctx);
+    const PluginState* plugin_state = ctx;
+    furi_mutex_acquire(plugin_state->mutex, FuriWaitForever);
+
+    uint8_t rate = 2;
+    char sniffing[] = "Yes";
+
+    // border around the edge of the screen
+    canvas_draw_frame(canvas, 0, 0, 128, 64);
+    canvas_set_font(canvas, FontSecondary);
+
+    if(target_rate == 0) rate = 1;
+
+    if(!sniffing_state) strcpy(sniffing, "No");
+
+    snprintf(rate_text, sizeof(rate_text), rate_text_fmt, (int)rate);
+    snprintf(channel_text, sizeof(channel_text), channel_text_fmt, (int)target_channel, sniffing);
+    snprintf(sample_text, sizeof(sample_text), sample_text_fmt, (int)sample_time);
+    //snprintf(preamble_text, sizeof(preamble_text), preamble_text_fmt, target_preamble[0]);
+    snprintf(sniff_text, sizeof(sniff_text), sniff_text_fmt, found_count, unique_saved_count);
+    snprintf(
+        sniffed_address, sizeof(sniffed_address), sniffed_address_fmt, top_address, (int)rate);
+    canvas_draw_str_aligned(canvas, 10, 10, AlignLeft, AlignBottom, rate_text);
+    canvas_draw_str_aligned(canvas, 10, 20, AlignLeft, AlignBottom, sample_text);
+    canvas_draw_str_aligned(canvas, 10, 30, AlignLeft, AlignBottom, channel_text);
+    //canvas_draw_str_aligned(canvas, 10, 30, AlignLeft, AlignBottom, preamble_text);
+    canvas_draw_str_aligned(canvas, 10, 40, AlignLeft, AlignBottom, sniff_text);
+    canvas_draw_str_aligned(canvas, 30, 50, AlignLeft, AlignBottom, addresses_header_text);
+    canvas_draw_str_aligned(canvas, 30, 60, AlignLeft, AlignBottom, sniffed_address);
+
+    furi_mutex_release(plugin_state->mutex);
+}
+
+static void input_callback(InputEvent* input_event, FuriMessageQueue* event_queue) {
+    furi_assert(event_queue);
+
+    PluginEvent event = {.type = EventTypeKey, .input = *input_event};
+    furi_message_queue_put(event_queue, &event, FuriWaitForever);
+}
+
+static void hexlify(uint8_t* in, uint8_t size, char* out) {
+    memset(out, 0, size * 2);
+    for(int i = 0; i < size; i++)
+        snprintf(out + strlen(out), sizeof(out + strlen(out)), "%02X", in[i]);
+}
+
+static bool save_addr_to_file(
+    Storage* storage,
+    uint8_t* data,
+    uint8_t size,
+    NotificationApp* notification) {
+    size_t file_size = 0;
+    uint8_t linesize = 0;
+    char filepath[42] = {0};
+    char addrline[14] = {0};
+    char ending[4];
+    uint8_t* file_contents;
+    uint8_t rate = 1;
+    Stream* stream = file_stream_alloc(storage);
+
+    if(target_rate == 8) rate = 2;
+    snprintf(ending, sizeof(ending), ",%d\n", rate);
+    hexlify(data, size, addrline);
+    strcat(addrline, ending);
+    linesize = strlen(addrline);
+    strcpy(filepath, NRFSNIFF_APP_PATH_FOLDER);
+    strcat(filepath, "/");
+    strcat(filepath, NRFSNIFF_APP_FILENAME);
+    stream_seek(stream, 0, StreamOffsetFromStart);
+
+    // check if address already exists in file
+    if(file_stream_open(stream, filepath, FSAM_READ_WRITE, FSOM_OPEN_APPEND)) {
+        bool found = false;
+        file_size = stream_size(stream);
+        stream_seek(stream, 0, StreamOffsetFromStart);
+        if(file_size > 0) {
+            file_contents = malloc(file_size + 1);
+            memset(file_contents, 0, file_size + 1);
+            if(stream_read(stream, file_contents, file_size) > 0) {
+                char* line = strtok((char*)file_contents, "\n");
+
+                while(line != NULL) {
+                    if(!memcmp(line, addrline, 12)) {
+                        found = true;
+                        break;
+                    }
+                    line = strtok(NULL, "\n");
+                }
+            }
+            free(file_contents);
+        }
+
+        if(found) {
+            FURI_LOG_I(TAG, "Address exists in file. Ending save process.");
+            stream_free(stream);
+            return false;
+        } else {
+            if(stream_write(stream, (uint8_t*)addrline, linesize) != linesize) {
+                FURI_LOG_I(TAG, "Failed to write bytes to file stream.");
+                stream_free(stream);
+                return false;
+            } else {
+                FURI_LOG_I(TAG, "Found a new address: %s", addrline);
+                FURI_LOG_I(TAG, "Save successful!");
+
+                notification_message(notification, &sequence_success);
+
+                stream_free(stream);
+                unique_saved_count++;
+                return true;
+            }
+        }
+    } else {
+        FURI_LOG_I(TAG, "Cannot open file \"%s\"", filepath);
+        stream_free(stream);
+        return false;
+    }
+}
+
+void alt_address(uint8_t* addr, uint8_t* altaddr) {
+    uint8_t macmess_hi_b[4];
+    uint32_t macmess_hi;
+    uint8_t macmess_lo;
+    uint8_t preserved;
+    uint8_t tmpaddr[5];
+
+    // swap bytes
+    for(int i = 0; i < 5; i++) tmpaddr[i] = addr[4 - i];
+
+    // get address into 32-bit and 8-bit variables
+    memcpy(macmess_hi_b, tmpaddr, 4);
+    macmess_lo = tmpaddr[4];
+
+    macmess_hi = bytes_to_int32(macmess_hi_b, true);
+
+    //preserve lowest bit from hi to shift to low
+    preserved = macmess_hi & 1;
+    macmess_hi >>= 1;
+    macmess_lo >>= 1;
+    macmess_lo = (preserved << 7) | macmess_lo;
+    int32_to_bytes(macmess_hi, macmess_hi_b, true);
+    memcpy(tmpaddr, macmess_hi_b, 4);
+    tmpaddr[4] = macmess_lo;
+
+    // swap bytes back
+    for(int i = 0; i < 5; i++) altaddr[i] = tmpaddr[4 - i];
+}
+
+static bool previously_confirmed(uint8_t* addr) {
+    bool found = false;
+    for(int i = 0; i < MAX_CONFIRMED; i++) {
+        if(!memcmp(confirmed[i], addr, 5)) {
+            found = true;
+            break;
+        }
+    }
+
+    return found;
+}
+
+static void wrap_up(Storage* storage, NotificationApp* notification) {
+    uint8_t ch;
+    uint8_t addr[5];
+    uint8_t altaddr[5];
+    char trying[12];
+    int idx;
+    uint8_t rate = 0;
+    if(target_rate == 8) rate = 2;
+
+    nrf24_set_idle(nrf24_HANDLE);
+
+    while(true) {
+        idx = get_highest_idx();
+        if(counts[idx] < COUNT_THRESHOLD) break;
+
+        counts[idx] = 0;
+        memcpy(addr, candidates[idx], 5);
+        hexlify(addr, 5, trying);
+        FURI_LOG_I(TAG, "trying address %s", trying);
+        ch = nrf24_find_channel(nrf24_HANDLE, addr, addr, 5, rate, 2, LOGITECH_MAX_CHANNEL, false);
+        FURI_LOG_I(TAG, "find_channel returned %d", (int)ch);
+        if(ch > LOGITECH_MAX_CHANNEL) {
+            alt_address(addr, altaddr);
+            hexlify(altaddr, 5, trying);
+            FURI_LOG_I(TAG, "trying alternate address %s", trying);
+            ch = nrf24_find_channel(
+                nrf24_HANDLE, altaddr, altaddr, 5, rate, 2, LOGITECH_MAX_CHANNEL, false);
+            FURI_LOG_I(TAG, "find_channel returned %d", (int)ch);
+            memcpy(addr, altaddr, 5);
+        }
+
+        if(ch <= LOGITECH_MAX_CHANNEL) {
+            hexlify(addr, 5, top_address);
+            found_count++;
+            save_addr_to_file(storage, addr, 5, notification);
+            if(confirmed_idx < MAX_CONFIRMED) memcpy(confirmed[confirmed_idx++], addr, 5);
+            break;
+        }
+    }
+}
+
+static void clear_cache() {
+    found_count = 0;
+    unique_saved_count = 0;
+    confirmed_idx = 0;
+    candidate_idx = 0;
+    target_channel = 2;
+    total_candidates = 0;
+    memset(candidates, 0, sizeof(candidates));
+    memset(counts, 0, sizeof(counts));
+    memset(confirmed, 0, sizeof(confirmed));
+}
+
+static void start_sniffing() {
+    nrf24_init_promisc_mode(nrf24_HANDLE, target_channel, target_rate);
+}
+
+int32_t nrfsniff_app(void* p) {
+    UNUSED(p);
+    uint8_t address[5] = {0};
+    uint32_t start = 0;
+    hexlify(address, 5, top_address);
+    FuriMessageQueue* event_queue = furi_message_queue_alloc(8, sizeof(PluginEvent));
+    PluginState* plugin_state = malloc(sizeof(PluginState));
+    plugin_state->mutex = furi_mutex_alloc(FuriMutexTypeNormal);
+    if(!plugin_state->mutex) {
+        furi_message_queue_free(event_queue);
+        FURI_LOG_E(TAG, "cannot create mutex\r\n");
+        free(plugin_state);
+        return 255;
+    }
+
+    uint8_t attempts = 0;
+    bool otg_was_enabled = furi_hal_power_is_otg_enabled();
+    while(!furi_hal_power_is_otg_enabled() && attempts++ < 5) {
+        furi_hal_power_enable_otg();
+        furi_delay_ms(10);
+    }
+
+    furi_delay_ms(100);
+
+    nrf24_init();
+
+    bool nrf_ready = false;
+    if(nrf24_check_connected(nrf24_HANDLE)) {
+        nrf_ready = true;
+    } else {
+        nrf_ready = false;
+        FURI_LOG_E(TAG, "NRF24 not connected");
+    }
+
+    // Set system callbacks
+    ViewPort* view_port = view_port_alloc();
+    view_port_draw_callback_set(view_port, render_callback, plugin_state);
+    view_port_input_callback_set(view_port, input_callback, event_queue);
+
+    // Open GUI and register view_port
+    Gui* gui = furi_record_open(RECORD_GUI);
+    gui_add_view_port(gui, view_port, GuiLayerFullscreen);
+
+    NotificationApp* notification = furi_record_open(RECORD_NOTIFICATION);
+
+    Storage* storage = furi_record_open(RECORD_STORAGE);
+    storage_common_migrate(storage, EXT_PATH("nrfsniff"), NRFSNIFF_APP_PATH_FOLDER);
+    storage_common_mkdir(storage, NRFSNIFF_APP_PATH_FOLDER);
+
+    PluginEvent event;
+    for(bool processing = true; processing;) {
+        FuriStatus event_status = furi_message_queue_get(event_queue, &event, 100);
+        furi_mutex_acquire(plugin_state->mutex, FuriWaitForever);
+
+        if(event_status == FuriStatusOk) {
+            // press events
+            if(event.type == EventTypeKey) {
+                if(event.input.type == InputTypePress ||
+                   (event.input.type == InputTypeLong && event.input.key == InputKeyBack)) {
+                    switch(event.input.key) {
+                    case InputKeyUp:
+                        // toggle rate  1/2Mbps
+                        if(!sniffing_state) {
+                            if(target_rate == 0)
+                                target_rate = 8;
+                            else
+                                target_rate = 0;
+                        }
+                        break;
+                    case InputKeyDown:
+                        // toggle preamble
+                        if(!sniffing_state) {
+                            if(target_preamble[0] == 0x55)
+                                target_preamble[0] = 0xAA;
+                            else
+                                target_preamble[0] = 0x55;
+
+                            nrf24_set_src_mac(nrf24_HANDLE, target_preamble, 2);
+                        }
+                        break;
+                    case InputKeyRight:
+                        // increment channel
+                        //if(!sniffing_state && target_channel <= LOGITECH_MAX_CHANNEL)
+                        //    target_channel++;
+                        sample_time += 500;
+                        break;
+                    case InputKeyLeft:
+                        // decrement channel
+                        //if(!sniffing_state && target_channel > 0) target_channel--;
+                        if(sample_time > 500) sample_time -= 500;
+                        break;
+                    case InputKeyOk:
+                        // toggle sniffing
+                        if(nrf_ready) {
+                            sniffing_state = !sniffing_state;
+                            if(sniffing_state) {
+                                clear_cache();
+                                start_sniffing();
+                                start = furi_get_tick();
+                            } else {
+                                wrap_up(storage, notification);
+                            }
+                        } else {
+                            notification_message(notification, &sequence_error);
+                            if(nrf24_check_connected(nrf24_HANDLE)) {
+                                nrf_ready = true;
+                            } else {
+                                nrf_ready = false;
+                                FURI_LOG_E(TAG, "NRF24 not connected");
+                            }
+                        }
+
+                        break;
+                    case InputKeyBack:
+                        if(event.input.type == InputTypeLong) {
+                            if(nrf_ready) {
+                                if(sniffing_state) {
+                                    wrap_up(storage, notification);
+                                }
+                            } else {
+                                if(nrf24_check_connected(nrf24_HANDLE)) {
+                                    nrf_ready = true;
+                                } else {
+                                    nrf_ready = false;
+                                    FURI_LOG_E(TAG, "NRF24 not connected");
+                                }
+                            }
+                            processing = false;
+                        }
+                        break;
+                    default:
+                        break;
+                    }
+                }
+            }
+        }
+
+        if(sniffing_state) {
+            if(nrf24_sniff_address(nrf24_HANDLE, 5, address)) {
+                int idx;
+                uint8_t* top_addr;
+                if(!previously_confirmed(address)) {
+                    idx = get_addr_index(address, 5);
+                    if(idx == -1)
+                        insert_addr(address, 5);
+                    else
+                        counts[idx]++;
+
+                    top_addr = candidates[get_highest_idx()];
+                    hexlify(top_addr, 5, top_address);
+                }
+            }
+
+            if(furi_get_tick() - start >= sample_time) {
+                target_channel++;
+                if(target_channel > LOGITECH_MAX_CHANNEL) target_channel = 2;
+                {
+                    wrap_up(storage, notification);
+                    start_sniffing();
+                }
+
+                start = furi_get_tick();
+            }
+        }
+
+        furi_mutex_release(plugin_state->mutex);
+        view_port_update(view_port);
+    }
+
+    clear_cache();
+    sample_time = DEFAULT_SAMPLE_TIME;
+    target_rate = 8; // rate can be either 8 (2Mbps) or 0 (1Mbps)
+    sniffing_state = false;
+    nrf24_deinit();
+
+    if(furi_hal_power_is_otg_enabled() && !otg_was_enabled) {
+        furi_hal_power_disable_otg();
+    }
+
+    view_port_enabled_set(view_port, false);
+    gui_remove_view_port(gui, view_port);
+    furi_record_close(RECORD_GUI);
+    furi_record_close(RECORD_NOTIFICATION);
+    furi_record_close(RECORD_STORAGE);
+    view_port_free(view_port);
+    furi_message_queue_free(event_queue);
+    furi_mutex_free(plugin_state->mutex);
+    free(plugin_state);
+
+    return 0;
+}
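Review bot: The duplicate check in save_addr_to_file, `if(!memcmp(line, addrline, 12))`, compares 12 bytes of every strtok token, but a line shorter than that (a hand-edited or truncated addresses.txt, or a trailing fragment) lets memcmp read past the terminator and, for the last token, past the end of the file_contents allocation; `if(!strncmp(line, addrline, 12))` stops at the NUL strtok wrote and matches the same well-formed lines. The same function accepts any `stream_read(...) > 0`, so a short read is scanned as though it were the whole file and the address may be appended twice — compare the returned count against file_size before parsing. In hexlify, `snprintf(out + strlen(out), sizeof(out + strlen(out)), "%02X", in[i])` passes sizeof a pointer as the bound, which only works because one byte pair plus NUL happens to fit; `snprintf(out + 2 * i, 3, "%02X", in[i]);` states the intended limit and drops the repeated strlen.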

BIN
nrf24sniff/nrfsniff_10px.png