paint-brush
How to Reverse Engineer a Drone With Wireshark Using Packet Dissectionby@angelinatsuboi
7,978 reads
7,978 reads

How to Reverse Engineer a Drone With Wireshark Using Packet Dissection

by Angelina Tsuboi26mMay 19th, 2023
Read on Terminal Reader
Read this story w/o Javascript

Too Long; Didn't Read

This article outlines the steps I took to reverse engineer DJI drones using packet monitoring techniques with Wireshark. I also delve into the details of packet dissection and how you can develop your own protocol dissector using the Lua programming language. As more advanced drone systems are put into place and integrated into various sectors, it becomes ever more important to take into account the vulnerabilities they may pose.
featured image - How to Reverse Engineer a Drone With Wireshark Using Packet Dissection
Angelina Tsuboi HackerNoon profile picture

As more advanced drone systems are put into place and integrated into various sectors, it becomes ever more important to take into account the vulnerabilities they may pose in order to ensure the security of their applications.

Ever since I became interested in aerospace cybersecurity, one thing I always wanted to find a way to hack was UAVs. In this article, I outline the steps I took to reverse engineer DJI drones using packet monitoring techniques with Wireshark and delve into the details of packet dissection and how you can develop your own protocol dissector using the Lua programming language.

Although reverse engineering drones is no easy feat, they are still vulnerable to a wide range of cyber threats which could result in severe repercussions. By outlining the process I took to reverse engineer my way into DJI drones to expose sensitive information stored within packet data, I hope the research highlights existing vulnerabilities in order to find better alternatives to safeguard existing drone systems.

Table of Contents

  • Unmanned Aerial Vehicle
  • Drones Deconstructed 
  • Vulnerabilities of UAV
  • What is Packet Sniffing and Analysis
  • What is Wireshack? 
  • Wireshack Display Filters
  • What is Packet Dissection? 
  • Packet Dissection with Wireshack
  • Reverse Engineering DJI Drones
  • DJI Packet Dissection with Wireshack
  • Diving Deeper into Wireshack Dissectors 
  • Setup Dissector with Wireshack

Unmanned Aerial Vehicle

An Unmanned Aerial Vehicle (UAV for short) is an aircraft that does not carry any pilot or passengers onboard. Most of the time the term is applied to drones, but other types of UAV vehicles exist such as NASA’s Global Hawk which is a high-altitude, long-endurance UAV meant for research purposes. UAVs are used for a wide variety of applications such as search and rescue missions, data collection, military and law enforcement, aerial photography, etc. Compared to conventional aircraft, UAVs possess a compact form, exhibit heightened agility, accuracy, and precision in their maneuvers, and prove cost-effective, rendering them widely favored for diverse commercial and consumer applications like delivery services and aerial surveying.


Drones Deconstructed

As this article will delve into drone forensics, it’s important to provide a quick overview of the components that make up the DJI Phantom 4. While it’s worth noting that the components housed by a drone may vary depending on the brand or version, most UAVs share a significant majority of components.

Chassis: the chassis of the drone is the physical frame that holds together all the components. the chassis is typically constructed of lightweight materials such as plastic or carbon fiber to reduce the drone’s overall flight performance by reducing drag and weight

Drone Motor: drones use motors to create the necessary amount of lift for flight. most drones usually have a quadcopter configuration which consists of four motors: two clockwise spinning motors and two counterclockwise spinning motors to equalize the turning force. This configuration exists because Newton’s Third Law states that for every action there is an equal and opposite reaction, so having the same number of counter and clockwise motors provides the drone with flight coordination through equalized turning force

Drone Flight Controller: the flight controller of a drone acts like its brain. the flight controller takes in inputs from sensors on board the drone such as the GPS module in order to give specific instructions to the electronic speed controllers (ESCs) to control the motors

GPS Module: global positioning satellite (GPS) module uses two different global positioning systems to pinpoint the drone’s location. Using the GPS module, the drone can calculate its geolocation based on the duration of time it took for transmitted signals to arrive from different satellites

Electronic Speed Controller (ESC): ESCs are the middle man between the power distribution board of the drone and the motors. They use signals from the flight controller to control the amount of power allocated to a motor

Power Port Module: the power port is a module that displays that measure the amount of power coming from the battery and distributes that power to the drone’s ESCs and flight controller

Obstacle Avoidance Sensors: some drones include stereo vision sensors on their frame. These sensors calculate the distance between the drone and the obstacle in front of the sensor by computing the depth via the image pixels captured by each sensor

3-Axis Gimbal: the gimbal stabilizes the camera attached to the drone to stabilize footage. When sensors notice movement about any axis, they signal the gimbal to make the proper adjustments to smoothen the camera footage

Drone Battery: batteries provide power to the drone. Some batteries also include features such as over-charge protection, power output communication, etc

Drone Camera: the camera of the drone is used to film footage and take pictures. The image sensor in the camera captures incoming rays of light and processes them into a digital image

Drone Antennas: drone antennas act as a transmission system for relaying information between the controller and the drone

Downward Ultrasonic Obstacle Avoidance Sensor: these sensors are used to calculate the drone’s height above the ground. The height can be computed by sending a high-frequency sound pulse from one sensor and measuring the amount of time it takes for the other sensor to receive it

Flight LED: flight LEDs are usually used to indicate the direction the drone is flying. Two flashing red lights indicate the front of the drone and flashing green lights indicate the back

Joysticks: joysticks are used to control the drone by translating the physical movement of the sticks into information that the controller can communicate to the drone as movement directions

Main Remote Controller Board: the remote controller board retrieves useful telemetry about the drone such as its altitude, location, and camera imagery

Main Camera Board: the camera board processes data from the imaging sensor and gimbal motors to synthesize stable footage

Vulnerabilities of UAVs

Although UAVs are used for a wide range of applications, like every other device with an onboard computer system, they are vulnerable to a range of cybersecurity threats. Some of the most common cybersecurity threats with UAVs include:

Unauthorized Access: UAVs are vulnerable to unauthorized by bad actors who can either intercept or spoof wireless signals used to control the drone. This allows the hacker to control the drone or passively steal information from them.

Data Theft: UAVs are equipped with a wide variety of sensors actively collecting information about their environments such as photos, videos, and telemetry readings. This data can be vulnerable to interception from hackers who can use it for nefarious purposes

Denial of Service: a more specific attack that hackers can employ to hack drones is a Denial of Service. This occurs when a hacker launches a DOS on the same wireless communication system of the drone, disrupting its ability to receive or transmit data

As more security vulnerabilities are discovered with the rising popularity of UAVs, it is necessary for security researchers to forensically analyze devices for malicious purposes. A subfield within cybersecurity called forensics analysis focuses on collecting and analyzing data from an attack for investigative purposes

This process comes in handy in real-life crime scenarios when digital information of a computer system is seized and needs to be investigated. Oftentimes, the wide majority of the information on the machine is not related to the crime and must be filtered down to break down the crime scenarios.

There is a wide range of illegal applications of drones such as contraband drops to unauthorized areas, drug drops over foreign borders, and unsolicited surveillance. In the aftermath of many of these scenarios, digital forensics is utilized to determine information such as device ownership and any data linked to the crime.

study conducted on common drone models in various crime scenes demonstrated that information such as media files in the photo or video format, flight patterns, locations, and owner information were most conducive to success for digital forensics cases conducted by law enforcement investigators. Although the investigators of the study were able to filter down information about the crime using digital forensics techniques, the study stated that state and federal legislation has not properly handled the regulations behind drone technology and consequently leaves many stakeholders vulnerable. Overall, they concluded that the lack of forensics tools and universal drone structure made it necessary for more data extraction methods to be developed.

To play a part in tackling the lack of UAV forensics tools, I will be demonstrating how I created a packet dissection script for Wireshark using the programming language Lua to find useful network information during digital forensics scenarios. The tool is a first-hand application of digital forensics skills to gather useful information about UAVs which could be used during investigative situations to gather more data related to the crime that took place.

What is Packet Sniffing and Analysis?

Packet Sniffing is the act of intercepting and examining packets of data as they are transmitted over a specified network. This technique is utilized by cybersecurity professionals in order to track down vulnerabilities, diagnose faults and performance for their network, or discover threats.

On a computer, the network interface card (also known as NIC) is a hardware component that includes an embedded circuit board that allows the computer to interface with networks and perform packet sniffing. More elaborate sniffing for cybersecurity or hacking purposes often requires the NIC to be put into promiscuous mode which allows the computer to retrieve surrounding network traffic. Using a decoding process, sniffers can get access to encoded information stored in data packets as they are transported over a network. Sniffing can be broken down into two general categories: active and passive sniffing.

Passive Sniffing

Passive sniffing consists of only listening to packets that are being sent over as network traffic. It is often used as a reconnaissance technique to gauge pertinent information about traffic and the type of data that is being passed over a network. This allows security professionals to analyze the network for any anomalies or suspicious activity such as network troubleshooting (using network traffic as a metric for network issues) and performance optimization by identifying areas of congestion.

Active Sniffing

Active sniffing is a technique utilized in packet injection/spoofing applications that are intended to elicit a response from network devices. For instance, an attacker might send a specific packet in order to trick a specific device or application into responding with sensitive information. This could be used to conduct multiple mischievous activities such as orchestrating a man-in-the-middle (MiTM) attack and hijacking network sessions. Active sniffing is a little trickier to detect than passive sniffing because it was built to masquerade as the surrounding network traffic. Active sniffing is conducted by intentionally inputting address resolution protocol (ARP) packets in order to overload the switch content address memory (CAM) table. This leads to legitimate network traffic being transported to different ports which serve as the foundation for spoofing attacks such as ARP Spoofing, dynamic host configuration protocol (DHCP) attacks, and DNS (domain name system) poisoning.

OSI Model

The OSI (known as Open Systems Interconnection) model is used to conceptualize how disparate components of a network communicate with one another. The model is presented as a seven-layer model that includes a standardized rule set of how different devices and programs can intercommunicate through the network.



The OSI model can be segmented into several layers: Application, Presentation, Session, Transport, Network, Datalink, and Physical.

Physical Layer
This describes the physical characteristics of the network that is responsible for the physical connection between devices such as cabling, connectors, and signaling. In this layer, data is transferred via bits.

Data link layer
In this layer, data is formatted into packets and transmitted over the network. The data link layer also ensures that your data does not contain any internal errors. Data is transferred using frames.

Network layer
The network layer handles how packets are addressed and sent over the network by finding the optimal way to send the packet. In this stage, IP addresses are attached to the header of the packet.

Transport layer
The transport layer is the transition between the network and session layers. This layer uses network protocols such as UDP and TCP in order to determine how to transmit data between applications. The data transported in this layer is called a segment.

Session Layer
This layer defines how applications establish and maintain connections with each other.

Presentation layer
The presentation layer converts the data from segments into a more human-readable format. This layer also covers the encryption and decryption of packets.

Application layer
The application layer is what is used to interface with users. It defines the protocols and interfaces that can be used by applications to communicate with the network.

Packet Information Breakdown

In networking, a packet is a small segment of a larger message. Any form of data that is passed over a network is split into packets. Once they are passed through the network, those packets are reconstructed by the device that receives them.

Packets sent over a network have the header, payload, and trailer included in their structure. I will be using the IPv4 packet as an example to demonstrate the type of information contained within a packet.

1. Packet Header
The packet header is the initial portion of a packet. It contains addressing and other data that is required for the packet to reach its destination. The IPv4 header contains 13 fields…

Version: version number of the internet protocol used (ie. IPv4)

- Internet Header Length (IHL): 
length of the entire IP header

- Explicit Congestion Notification: 
information on the congestion information seen enroute

- Total Length: 
length of the entire IP packet (including the header and body)

- Identification: 
if the IP packet is fragmented, each packet will contain a corresponding identification number to identify the original IP packet they belong to

- Flags: 
indication of whether the packet is large enough to be fragmented

- Fragment Offset: 
positioning of the fragment in the IP packet

- Time to Live (TTL): 
the number of routers the packet has left to cross to avoid looping of the network

- Protocol: 
the network layer at the destination host the packet belongs to (ie. TCP = 6, UDP = 17, and ICMP = 1)

- Header Checksum: 
checksum value of the entire header used to confirm that the packet does not contain any errors

Source Address: 32-bit address of the sender (source) of the packet

- Destination Address: 
32-bit address of the Receiver (destination) of the packet

- Options: 
optional field that can contain information like Record Route, Timestamps, etc

2. Payload
The payload of a packet includes the actual data the packet intends to carry to its destination. In the case of the IPV4 packet, the payload is given a padding of 0 bits to ensure the packet ends within the 32-bit limitation.

3. Trailer
Sometimes packets can contain an ending to their packet called the trailer. Although the IPV4 packet structure does not contain a trailer, Ethernet frames contain a trailer to include information that network adapters on the ethernet need to process the frame.

What is Wireshark?

Wireshark is a widely-used and open-sourced network protocol and packet analysis tool. It allows you to capture network packets from sources such as wireless (IEEE.802.11), Bluetooth, Ethernet, token rings, etc. Wireshark also includes a packet filtering capability that lets you filter the log stream of packets as they are displayed on your screen.

Using Wireshark for Packet Analysis

The Wireshark interface contains different panes for displaying packet information. The main panel displays the list of all the packets flowing through the network. If you select an individual packet, two panes should pop up near the bottom of the screen containing more specific packet data. The details for each of the column categories in the main panel are as follows:

No.: the packet number in the capture file

Time: the time this packet was captured after packet sniffing was initiated

Source: IP address and port number of the sending device

Destination: IP address and port number of the receiving device

Protocol: the type of packet (ie. TCP, UDP, HTTP, etc)

Info: more informational content about the packet which will vary on what type of packet is captured

Those are the preconfigured informational columns in Wireshark, but there are many more columns available to be shown in the tool such as TTL, checksum, etc by selecting it the “Columns” settings.

The Packet Details section of the tool shows you more interpretable information about the packet which varies depending on the packet type. The bottom pane, Packet Bytes, shows the packet contents in the pure hexadecimal format.

Wireshark Capture Filters

The capture filters in Wireshark limit the packets captured by the inserted filter. If you might have noticed, Wireshark capture filters follow the same format as tcpdump which is another popular network packet capture tool. The syntax of packet captures adheres to the Berkeley Packet Filter (BPF) syntax expressions. Some common capture filters for Wireshark include…

Capture traffic only to and from the IP address 172.18.5.4:

host 172.18.5.4

Capture traffic to or from a range of IP addresses:

net 192.168.0.0/24

OR

net 192.168.0.0 mask 255.255.255.0

Capture traffic from a range of IP addresses:

src net 192.168.0.0/24

OR

src net 192.168.0.0 mask 255.255.255.0

Capture DNS traffic (port 53):

port 53

Capture except all ARP and DNS traffic:

port not 53 and not arp

Capture only IPv4 packets:

ip

Capture only Ethernet packets (EAPOL):

ether proto 0x888e

Wireshark Display Filters

The display filters feature in Wireshark lets you narrow down the type of packets shown in the captured packet list. Common examples of display filters include the following:

Protocol-based Filters:

You can filter packet traffic based on the network protocol

http

The example above only shows packets with the HTTP protocol

Filter packets by address (ie. IP address filtering):

You can filter packets via the address of the sender or the receiver

ip.src == x.x.x.x

The above shows traffic coming from a specific IP address

Port-based Filters:

You can filter packet traffic based on the port number being used

http

The example above only shows TCP packets with port 80

Time-based Filters:

You can filter packets based on the time they were captured

frame.time >= "YYYY-MM-DD HH:MM:SS" && frame.time <= "YYYY-MM-DD HH:MM:SS

The example above only shows packets within a selected time range

Content-based filters:

You can filter packets based on the content of the packets

frame contains google

The example above shows packets whose contents contain the keyword “google”

What is Packet Dissection?

While the process of packet analysis is used to get a general overview of network traffic patterns, packet dissection involves a much more narrow approach. Packet dissection refers to the process of dissecting individual packets into their distinct components (ie. headers, payload contents, etc) to gain valuable knowledge of network processes or the device being monitored. Some applications that packet dissections can be used for include protocol analysis and forensics.

Packet Dissection with Wireshark

Lucky for us, Wireshark contains an integrated toolset for performing thorough packet dissection on each packet that is transported across a network. Some techniques to perform packet dissection include…

Protocol Decoding: you can view the protocol details for each packet by expanding the layer details in the packet details pane. This is useful for decoding various protocols such as TCP, UDP, DNS, etc

TCP Streams: Wireshark also contains a feature that displays the TCP stream of all the packets flowing through a TCP connection. To use this feature, select a packet that belongs to a TCP connection, right-click on the packet, and select “Follow > TCP Stream”

Color Coding: you can also visualize packets based on specific criteria such as packet length or protocol type. To see this feature, go to “View” and click “Coloring Rules”

Flow Graphs: Wireshark has a feature that displays a flow graph showing the timing and sequence details of a packet between two machines. To configure a flow graph, go to “Conservation Filter” and select the “TCP” option. This creates a filter that shows all the packets being passed between two machines. Then, select “Statistics” and “TCP Stream Graphs” to create the flow graph

Packet Dissection for Protocol Analysis

Packet dissection can be applied in order to analyze which types of network protocols are being utilized by and how they are being used. To try out protocol analysis with Wireshark, begin by capturing packets with your selected network interface. Then, as packets are captured, they should transmit a variety of protocols such as HTTP (port 80), HTTPS (port 443), SSH (port 22), and SNTMP, etc. Let’s use HTTP for our packet dissection example. Begin by selecting a packet with the HTTP protocol assigned to it like below by filtering with the http keyword...



Once the packet is selected, expand the Transmission Control Protocol (TCP) menu to see the relevant information for the packet.



Once the packet details are expanded, you can analyze different fields of the protocol such as the Source and destination IP addresses, source and destination ports, HTTP method used (GET, POST, DELETE, etc) and the HTTP response code.


Packet Dissection for Forensics

Packet dissection can also be used for digital forensics in order to extract information behind particular network incidents. For instance, imagine a situation where a hacker sends over sensitive information over your network to a remote server. We can use display filters in Wireshark to isolate traffic coming for the hacker’s machine using the IP address of the hacker’s device and the IP address of the remote server. Then, we can use packet dissection tools offered by Wireshark such as the “Follow TCP Stream” feature in order to reconstruct the TCP data stream between the hacker and remote server. By using this information, you can reveal hidden information the hacker sent to the remote server like the transfer of any malicious files or images. This application of packet dissection can also be applied to analyze network traffic and detect for any criminal activity.

Reverse Engineering DJI Drones

Reverse engineering is the process of deconstructing and analyzing a system in order to understand how it works “under the hood” and extract pertinent information from it. This process is often done through an iterative process deconstructing specific aspects of a system, analyzing its technical specifications and code, and running specific tests to examine its outcomes. As for the case of UAV hacking, we can apply reverse engineering principles to analyze a drone’s software and firmware, extract telemetry information, and identify vulnerabilities to exploit. For this research experiment, I decided to reverse engineer the DJI Mini 2 — a small, compact drone designed for recreational use developed by a popular drone company called DJI.


Man-In-the-Middle Configuration

Since passive eavesdropping does not return any reverse-engineerable result, I instead used an artificial and eavesdrop-friendly network configuration to allow for wireless communication between the drone and the operator to be inspectable and interceptable by following the configuration below:

a) Drone: the done initializes the process by starting an access point used for direct communication with its network peers

b) MITM AP: we establish a second virtual network with our machine masquerading as the AP for the mobile client

c) MITM Client: the MITM client directly connects with the drone forwarding the MITM AP’s networks to the drone and vice versa

d) MITM Machine: the MITM machine is the device used for eavesdropping by connecting via the NAT (Network Address Translation) the virtual MITM AP’s with the internal NIC of the MITM client

e) Operator: the operator is the mobile device running the DJI application that connects via Wi-Fi the drone representative (MITM-AP)

Access Point Configuration

In order to configure the MITM AP, I used the create_ap command to create a virtual AP over the command line on my machine.

sudo create_ap wlan0 wlan0 Operator 12345678 -w 2 -c 2 -m nat --freq-band 2.4 --country US

This command was designed to eliminate the number of disturbances between the connection by focusing on the 2.4GHz frequency and establishing the following parameters:

-w 2
 WPA2-PSK in CCMP cipher mode

-c 2
 usage of arbitrary and static unoccupied channel

-m nat
 NAT to connect between virtual AP and physical NIC

--freq-band 2.4
 selecting only the 2.4GHz band

--country US
 putting the right country code to comply with local regulations

Intercommunication Eavesdropping

For eavesdropping, I used the command line tool in order to optimize performance for the MITM network. With tcpdump captured network packets will be stored within a corresponding PCAP file which can later be analyzed by an array of network analysis programs. I also implemented additional filters to reduce the range of the captured output to only consist of relevant network packets between the drone and the machine.

sudo tcpdump --interface=ap0 -n udp host 192.168.2.1 
-w /tmp/dumps/capture.pcap

-n 
avoids DNS resolutions

udp 
ignores any TCP packets

host 192.168.2.1
 ensures the packets displayed are drone related

Research Specifications

For conducting digital forensics research on the DJI Mini 2, I tried to reverse engineer the DJI Wi-Fi protocol by analyzing the network packets sent by the drone using Wireshark. To determine the exact protocol structure of the packets transmitted by the drone, I used bit-precise reasoning to classical each individual bit. Throughout the process, I found the following filter predicates in Wireshark to be the most useful:

!dns && !mdns && !icmp
 since only application-level network packets are relevant for this process, we can exclude the DNS, Internet Control Message Protocol (ICMP), and Multicast DNS (MDNS) protocols from our search

ip.src == 192.168.2.1
 The IP address 192.168.2.1 represents the IP address of the drone. Here, we specify the source and destination to be filtered by that IP.

data.len == 1472
 In this example, only packets with the length of 1472 bytes are included in the result view displaying drone packets with that exact payload size

data.data[0] == 0x00
 this compares the static hex value against the payload content of the initial index. This is useful because mid-flight packet inspection focuses on the co-related changes between the protocol and the operator’s drone control instructions

Packet Information

With the packets obtained using Wireshark, I focused on the payload from index 0x2A to the Ethernet frame length. Although the entire packet does include information, the bytes of data from 0x2A to the end suffice for reverse engineering purposes. I included the Ethernet OSI model layers table below for reference:

Payload Encryption

Although the entire communication stream is encrypted, the decrypted stream of data can still compromise the integrity of the encryption. One method of decrypting information with UAV systems is to have a side-by-side comparison between multiple payloads to identify patterns. The Electronic Codebook Mode (ECB) produces a sequence of deterministic data applying the same pseudorandom permutation to each plaintext block to create repeater ciphertext blocks. We can apply this in our reverse engineering process to possibly encounter a pseudo-random payload or two identical payloads within the UDP packets. Although I was unable to find any identical payloads, there were many that were very similar to one another. For example, the images below show two packets where only 5 bytes differ. The two payloads are very similar and even indicate an incrementation of one which is evident of an unencrypted stream of data.

Deductive Reasoning

The main approach I used for reverse engineering the DJI Mini 2 was to apply deductive reasoning to compare payloads based on correlating operator inputs. Using the direct drone control instructions (ie. landing, movement, take off, etc), I forced the operator to signal the representative network packet. The control instructions were capable of signaling the command type and the payload content. Then the packets were compared with one another using the aforementioned binary comparison technique revealing the command structure and parameter values. Packet analysis revealed a high-traffic protocol consisting mostly of drone-to-operator packets that relied on the Maximum Transmission Unit (MTU).

Bit-Precise Reasoning

In order to garner more information about the data stored within the transmitted packets, a technique called bit-precise reasoning was used for the analysis of bits within the 56-byte payloads to make specific judgments about the property of each packet. To simplify the process, clusters were used to aggregate payloads to each be the exact same length. I highly recommend reading this research paper which dives deep into the bit-precision method for reverse engineering drones to learn more about this technique. The below table below displays a general overview of the information that was able to be extracted using bit-precise reasoning.

DJI Packet Dissection with Wireshark

Throughout this research process I learned that packet dissection for reconnaissance and for digital forensics/reverse engineering call for entirely disparate approaches. Fortunately, packet dissection using passive reconnaissance and a network communication dissector came in really handy for analyzing the communication interfaces of the DJI Mini 2.

To get started with the packet dissection process, I downloaded the PCAP files listed within this repository of DJI communication packet dumps which includes an expansive log of communication data for all sorts of DJI drones using Wireshark. Once the PCAP files were downloaded, I analyzed them using Wireshark using different dissectors.

Analyzing Information Formats

Before going deeper into the specific packet dissection process of DJI packet dumps, it is worth mentioning all the

UART Communication: UART stands for Universal Asynchronous Receiver-Transmitter is a commonly used serial protocol to transmit information between electronic devices that utilize the asynchronous flow of data bits sequentially over a single communication line

DUML Streams: DUML stands for DJI Universal Markup Language which describes the close-sourced protocol for DJI communication. It is used to control the internal settings of the device or to initiate firmware updates

KML Files: Also known as Keyhole Markup Language, these are XML files by heart used for specifically displaying geographic data in mapping software. KML files contain data about specific locations, shapes, paths, and other geographical features

DAT Flight Logs: DAT stands for Digital Audio Tape. They refer to the recorded flight data stored on Digital Audio Tapes. DAT files include pertinent flight information for analysis

The PCAP file within the DJI packet dumps repository contains a huge dump of communication logs from various DJI hardware. This storage of communication logs allows us to decipher the internal communications of protocols alongside a fine reference point for probing for hardware issues within the hardware. For instance the the first log file p3x_ofdm_to_center_run1 contains a communication dump from the DJI P3X Receiver Board UART dump. The data dump features a bilateral communication between an OFDM (Orthogonal Frequency Division Multiplexing) MCU (Microcontroller Unit) and FC (Flight Controller) on the drone using a ribbon cable and the program comm_serial2pcap.py.

Setting up Wireshark

In order to set up a foundational DJI communication dissection, I used the communication dissection files listed within the DJI firmware tools. The communication dissection tools, provide the following functionalities:

- Display fields within captured DUML packets from a drone source

- Show fields within packets stored in binary flight

- Record DAT files

- Visualize flights via the KML export feature

The tools also let you analyze protocol commands through the following options:

- DUML stream-based PCAP files

- PCAP files containing dumps of USB/Ethernet communication within embedded DUML payloads

- DAT Flight Log-based PCAP files

To start getting your environment set up, download all the .lua files listed under this link. Then, within Wireshark open the About Wireshark menu and go to the Folders tab.

Then, click the file path reference to Personal Lua Plugins and paste in all the file contents.

Once that is set up, refresh Wireshark using the Ctrl+Shift+L command to load up all the communication dissection tools. Once that is loaded, open 

Preferences -> Protocols -> DLT_USER -> Edit
 and make the assignments according to the image below:

After the DLT table is initialized, go to 

Preferences -> Appearance -> Columns
 and adjust the settings to display the protocol information you want. The following is an example of one way it can be configured:

Communication Dissection

From the communication dissection tools, we can extract the following information from the DJI communication protocols:

Firmware File Structure: the dissector can delineate information about the structure of firmware files like headers, sections, and data sections

Firmware Components: the tools can also extract individual firmware components like the bootloader, flight control firmware, camera firmware, gimbal firmware, etc

Configuration Parameters: configuration parameters can also be looked into which provides settings information for components like the camera, flight control, and sensors

Scripts: code snippets and executable binaries can also be uncovered within the firmware file

Encryption: depending on the situation, the dissector can also be capable to decrypting and encrypting portions of firmware files revealing information about the firmware encryption process

File System Contents: if a firmware file includes a file system, the tools can also extract and analyze contents within that file system

Diving Deeper into Wireshark Dissectors

In Wireshark, a dissector is responsible for interpreting and decoding network protocols. Dissectors are useful because they analyze the captured network packets and extract useful information out of them such as the protocol’s structure, fields, and encoding rules, and display them in a human-readable format.

Wireshark also lets you develop your own custom dissectors using a programming language called Lua. Although Wireshark was written in C and dissectors for the program are typically written in C, however, Wireshark also allows dissectors be written in the Lua programming language to make the learning curve less steep for people who are new to development. Lua is a multi-paradigm, procedural, and functional programming language with integrated object-oriented features. Although choosing Lua as the language for dissector development does compromise on speed, it is favorable in most circumstances because of its light weight and ease to learn.

Basic Introduction to Lua

Like I mentioned before, Lua features an intuitive and simple code syntax while keeping in mind speed, portability, and integration with other programs making it easy to pick up without sacrificing much functionality and performance. Here are some basic code snippets outlining the foundational features of the language:

Variables and Operations

local a = 25
local b = 5

local result = a + b

print(result) -- Output: 30

Conditional Statements

local temperature = 15
local heatSetting = 0

if temperature < 0 then heatSetting = 3
elseif temperature <= 20 then heatSetting = 2
else heatSetting = 1 end

print(heatSetting) -- Output: 2

Loops

-- While Loops
local i = 0

while i < 10 do 
  i = i + 1
end

print(i) -- Output: 10
-- For Loops
local i = 0

-- i = first, last, delta
for i = 0, 10, 1 do
  print(i)
end

print(i) -- Output: 10

Tables

local new_table = {}

-- Table value assignment
new_table[20] = 10
new_table["x"] = "test"
a.x = 10  

Functions

function add(arg1, arg2)
    return arg1 + arg2
end

local added_number = add(2, 3)
print(added_number) -- Output: 5

Summary Notes about Lua

Lua is dynamically-typed

Scope is either specified as local or global. Global is the default

Semicolons are not necessary making whitespace hold more value

-- denotes a comment

i = i + 1 used for variable incrementation

~= used in place of !=

Types are: string, number, boolean, nil, function, userdata, thread and table

Nil is used for a non-value

In conditionals: nil and false are falsy, the rest are thruthy.

Lua‘s only data structure is table. Tables implements associative arrays. Associative arrays can be indexed by both numbers and other types like strings. They are dynamic and often called objects.

Setup Dissector with Wireshark

To setup dissector development with Lua scripts in Wireshark, click on 

Help -> About Wireshark -> Folders
. From there, click on either the Personal Lua Plugins or Global Lua Plugins folder reference. The path should look something like C:\Program Files\Wireshark\plugins\2.4.2 on WindowsTo create a dissector, initialize a file within that directory like 
example.lua
. The script will automatically be applied once Wireshark is reloaded. You can reload Wireshark by either restarting the application or by reloading all Lua scripts using Ctrl+Shift+L.

Setting up a Protocol

Now that you have everything setup, I will walk you through a rudimentary dissector script that extracts and displays information about a custom protocol.

-- Create a new protocol for our custom protocol
local custom_protocol = Proto("CustomProtocol", "Custom Protocol")

-- Define the fields of our custom protocol
local field1 = ProtoField.uint8("custom_protocol.field1", "Field 1", base.DEC)
local field2 = ProtoField.string("custom_protocol.field2", "Field 2")

-- Register the fields to the custom protocol
custom_protocol.fields = { field1, field2 }

-- Create a function to dissect the packets of our custom protocol
function custom_protocol.dissector(buffer, pinfo, tree)
  -- Create a subtree for our custom protocol in the Wireshark GUI
  local subtree = tree:add(custom_protocol, buffer(), "Custom Protocol Data")

  -- Extract and display the values of Field 1 and Field 2
  local field1_value = buffer(0, 1):uint()
  subtree:add(field1, buffer(0, 1)):append_text(" (Value: " .. field1_value .. ")")

  local field2_value = buffer(1, 5):string()
  subtree:add(field2, buffer(1, 5)):append_text(" (Value: " .. field2_value .. ")")
end

-- Register our custom protocol as a dissector in Wireshark
local udp_port = DissectorTable.get("udp.port")
udp_port:add(12345, custom_protocol)

- the code begins by initializing a custom protocol using the Proto object called 

CustomProtocol


a fields table for the protocol is initialized containing two custom fields: 
field1
and
field2


the dissector function for the protocol is initialized which is called once for every packet which has the type of the custom protocol. The function takes in the parameters 
buffer
pinfo
, and 
tree
. buffer includes the packet’s buffer and Tvb objectpinfo contains columns of the packet list, and tree is the tree root

- Inside the dissector function, we create a subtree within the Wireshark Packet Details section showing our custom protocol as a field

- Within the tree view section, we display the packet information for each of the respective fields within the custom protocol

- Lastly, we assign a protocol to a port. In this case, the port used is 

12345
 for UDP

Conclusion

Overall, using Wireshark in conjunction with a few DJI-based communication dissectors, we were able to reveal sensitive information transmitted by DJI drones through their communication protocols. I hope this outlined extensive research process elucidated a few reverse engineering techniques that you could apply during your cybersecurity process to possibly find vulnerabilities within existing systems. Moreover, I hope this report proved that although drone hacking might be a bit tedious, it is not impossible. It is important to keep pushing the boundaries of what is currently known about a system in order to highlight existing flaws before they are noticed by bad actors. In this case, we revealed that drone protocols even for large, trusted brand manufacturers like DJI are still vulnerable to data interception and reverse engineering. By taking this into consideration, constructive action steps can be taken to mitigate these existing vulnerabilities and solidify the security of drone communication channels.

Also published here.