Tagged: quadcopter

Tech Minds: Video on DJI Drone Detection on the AntSDR E200

Just recently we posted about the release of some firmware for the AntSDR E200 which allows it to decode DJI DroneID. DroneID is a protocol designed to transmit the position of the drone and operator to authorized entities such as law enforcement and operators of critical infrastructure.

In his latest video, Matt from the Tech Minds YouTube channel shows this firmware in action. In the video he first shows how to install the firmware and how to connect to its serial output. He goes on to test it with his DJI Mini 4 Pro and shows some live DroneID frames being decoded.

DJI Drone Hacking Using Software Defined Radio ANTSDR E200

DJI DroneID Detection Running on the AntSDR E200 CPU

DJI is a major manufacturer of consumer drones, and their drones implement an RF protocol called DroneID which is designed to transmit the position of the drone and operator to authorized entities such as law enforcement and operators of critical infrastructure.

Recently the AntSDR team have managed to get DJI DroneID decoding working on the AntSDR's onboard ARM processor. The decoding software runs on board the AntSDR E200 and outputs decoded data via the serial or network port. The AntSDR E200 is an SDR that is based on the AD9361 chip and has a 70 MHz to 6 GHz tuning range, 56 MHz of bandwidth and a 12-bit ADC. It has 2x2 full duplex TX/RX channels and has an onboard FPGA with an ARM CPU core.

They make use of existing code on GitHub from https://github.com/proto17/dji_droneid and https://github.com/RUB-SysSec/DroneSecurity, both of which implement reverse engineered decoders for DroneID.

The update from AntSDR shows how to install the firmware onto the device and get it up and running. They note that drones that use Occusync 2 or 3 like the Mini2 or Mini3Pro work best, because other models may be encrypted or have a slightly different protocol which doesn't work with these decoders.

Aaron, creator of DragonOS, has also uploaded a video showing the decoder in action.

DragonOS FocalX Decoding DJI DroneID w/ AntSDR E200 (MicroPhase)

Remote Spectrum Monitoring Drone with OpenWebRX, Raspberry Pi and an RTL-SDR

Recently Zoltan of rfsparkling.com wrote in to us to show us how he combined efforts with András (programmer of the OpenWebRX software) to create a proof of concept remote spectrum monitoring drone. The drone uses an RTL-SDR connected to a Raspberry Pi, and the Raspberry Pi runs an OpenWebRX server which broadcasts the radio data via 4G mobile internet. The full connection flow chart goes as follows:

[Drone] Antenna –> RTL-SDR –> RPi 2 –> OpenWebRX Server –> 4G mobile net –> … Internet … [Notebook] –> 4G mobile net –> Browser with OpenWebRX client

Zoltan writes that some possible applications include emergency communications, ham radio, 3D spectrum mapping, etc. In the future he also hopes to add TX capabilities, so that the drone can also work as a makeshift transceiver tower. The biggest limitation that Zoltan noted is the flight time of only about 10 minutes. However, a solution he suggests for future experiments is using wire powered drones.

In previous posts we showed Hak5’s remote RTL-SDR ADS-B drone. Their results were not particularly great; however, Zoltan and András’ results seem to be much better.

The video below shows an example of Zoltan and András’ drone experiments.

Remote Spectrum Analyzer Drone With OpenWebRX using RTL-SDR and Raspberry Pi

Stealing a Drone with Software Defined Radio

PHDays (Positive Hack Days) is a yearly forum with a focus on ethical hacking and security. During this year's forum, which took place in June, the organizers set up a competition where the goal was to “steal” or take control of a Syma X8C quadcopter drone. The drone runs on the nRF24L01 module, which from previous posts we have seen can easily be sniffed and decoded with an RTL-SDR or other SDR.

To reverse engineer the drone's wireless communications system the teams used software defined radios like the HackRF and BladeRF, and also an alternative method involving just an Arduino and an nRF24L01+ receiver chip. Once the signal was received, they used GNU Radio to decode the signal into packets of data. After analyzing the data they found that the data bytes were easily reverse engineered, and they were then able to transmit their own data packets to control the drone. The post goes into further detail on the specifics of the reverse engineering.

The Syma X8C drone to be stolen in the competition.

Monitoring Drone FPV Frequency Usage with a USRP Software Defined Radio

Over on YouTube balint256 (Balint), a researcher at Ettus (creators of the USRP line of software defined radios), has uploaded a video showing how he is using his USRP to help with frequency management at FPV time trial racing events. FPV, a.k.a. First Person View, is a term used to describe the act of flying a remote controlled aircraft such as a quadcopter with an onboard camera that transmits live video down to the pilot. FPV racing is a new sport where pilots race FPV controlled drones around a track.

One important technical challenge at these events is frequency management. FPV drones use many frequencies at around 2.4 GHz for control and 5.8/2.4/1.3 GHz for video. With many drones in the air it is important that frequencies are managed appropriately so as to not jam each other's signals.

To try and solve this problem Balint has been using GNU Radio coupled with a USRP X310 software defined radio to get very wide band RF spectrum waterfall views of the 2.4 and 5.8 GHz bands. In the waterfalls he is able to see when control signals and video signals are transmitted and at what frequency, and is able to tell if any are overlapping and jamming each other.

SDR Wideband Spectrum Monitoring for Drone FPV Frequency Management

In addition to this, Balint has also been working on his custom software defined radio based digital video downlink. Back in March we posted about his earlier work on this concept. In the video Balint demonstrates his drone with an on board USRP E310 which is used to send a custom 4.2 Mbps video downlink.

SDR digital video downlink (custom drone FPV) with E310 + webcam

Using a USRP E310 for Digital Video Downlink and Scanning on a Drone

Balint, one of the researchers at Ettus Research (the company behind the USRP range of software defined radios), has recently uploaded a video to YouTube showing one of his projects where he is prototyping the use of a digital signal for transmitting digital FPV video on a drone. The drone carries a USRP E310 SDR and transmits a QPSK video downlink developed in GNU Radio to a receiver on the ground.

FPV stands for “first person view” and is a growing hobby where remote controlled aircraft such as quadcopter drones are flown in first person view using live video from an on board camera.

Drone + SDR: USRP E310 real-time digital video downlink (teaser)

In another video Balint also shows how the on board E310 can be used to transmit frequency scan FFT data via a WiFi link. This can be very useful for getting an antenna up high enough to get good reception for a scan.

Drone + SDR: USRP E310 airborne spectrum monitoring (teaser)

HackRF Controlling a Quadcopter

Over on YouTube user Mike has uploaded a video showing a quadcopter being controlled by the HackRF, a low cost transmit capable software defined radio. Mike uses a Hubsan X4 quadcopter and controls it with a USB joystick coupled with GNU Radio. According to a tweet by Michael Ossmann (the inventor of the HackRF), there were initially USB latency issues that caused problems, but these have since been fixed by Mike.

HackRF quadcopter control

Hak5: Improvements to the ADS-B Antenna Drone

Previously we posted about the Hak5 team's attempt to create an ADS-B quadcopter receiver which carried a coax collinear antenna, ran the ADS-B decoder dump1090 on board and then transmitted the decoded ADS-B data back to a laptop on the ground via WiFi. Their results were poor due to various factors.

In the latest video they read comments from fans which explain why they had such poor results, then apply some of those recommendations to a second experiment. Previously they had trouble keeping the WiFi connection alive due to poor reception, so now they use a WiFi Yagi to boost the signal strength. They also reduced the number of elements on their coax collinear antenna and moved away from the broadcast RF transmitter that they were near in their last video.

There isn’t a big increase in the number of planes picked up in the second experiment but it was much more successful compared to the first.

A Better Aircraft Seeking Drone Antenna, Hak5 1613