I was reading this reverse engineering post about a LoRaWAN occupancy sensor today:
Although I disagree with much of its tone (e.g. “who needs more than one gateway!!1!!”, “never use an unprotected UART!”), I was interested to see how the author hijacked a device on TTN once they had extracted the AppKey. I have tried to recreate this but have been unable to divert traffic from a TTN Button into a new app with a duplicate AppEUI and a DevEUI with the same AppKey as the old app. The device always joins the old app.
Looking for related posts I came across this: How can I reuse hardcoded AppEUI and AppKey after I deleted an application? which may be related.
Any thoughts on this? Has anyone managed to recreate this?
Edit: Reading the article’s comments, it’s interesting to see the correct use of the RN2483A which can store the keys itself. No need to re-send from the microcontroller each time.