DJI Protocol – Day 6 – Progress Report

After some flights and live investigations with our custom network monitoring tool, we generated a lot of data, ready for further offline analysis. However, one strength of the live investigation tool is its capability to sort and filter network traffic, which isn’t available anymore after the application has been closed, resulting in the need …

DJI Protocol – Drone – Connection Establishment

Identifier: 0x08
Description: After the operator has sent a connection establishment packet, the drone’s response is a connection establishment confirmation.
Payload length: 8

Address | Bytes | Findings
0x00 | 1 | Packet Identifier / Packet Length
0x01 | 1 | Protocol Version
0x02 – 0x03 | 2 | Session Identifier – Value retrieved by Handshake at position 0x02 – 0x03
0x04 – 0x06 | 3 | Padding – …

DJI Protocol – Day 5 – Progress Report

We already got some hints and clues within our last packet inspection about a possible drone-rotation command. However, the reverse-engineering process is quite intense, as too many unknown variables are in play. Thus, we require a better overall strategy for this project. The DJI Protocol – Packet Types page will fully feature all known …

DJI Protocol – Day 4 – Progress Report

We dived into a specific packet type last time, but couldn’t determine the purpose of each and every byte. However, we were able to identify one important thingy: 0x00-0x01. Those two bytes indicate the packet’s content. Hence, we are now capable of assigning each sent packet (operator to drone) to a specific group, based on its unique identifier. …

DJI Protocol – Day 3 – Progress Report

Within the last post we were able to find the termination sequence for rather large UDP packets. However, we decided to change the direction of our analysis from drone-to-client packets to client-to-drone packets, as they carry a much smaller payload and may provide a better foundation for the overall reverse-engineering process. Besides the AES encryption …

DJI Protocol – Day 2 – Progress Report

The first impressions while investigating the dump file were quite confusing. Several DNS requests against DJI domains were sent, which led me to this interesting article. Without further research, one may assume that data could be collected and sent to those specific remote servers. Candidates: Statistics about the app performance, crash reports and fly-safe …