DJI Protocol – Day 9 – Final Report

If you expect a final report-worthy summary, spanning several paragraphs, the reality might hit you hard. Enough words have been lost in my Master Thesis “DJI Wi-Fi Protocol Reverse Engineering”, covering everything on this blog and beyond, such that we offer you a publicly available link to the thesis instead. You might find conspicuous definition …

DJI Protocol – Day 6 – Progress Report

After some flights and live investigations with our custom network monitoring tool, we generated a lot of data, ready for further offline analysis. However, one strength of the live investigation tool is its capability to sort and filter network traffic, which isn’t available anymore after the application has been closed, resulting in the need …

DJI Protocol – Drone – Connection Establishment

Identifier | Description | Payload length
0x08 | After the operator has sent a connection establishment packet, the drone’s response is a connection establishment confirmation. | 8

Address | Bytes | Findings
0x00 – 0x01 | 2 | Packet Length – ((0x01 & 0x0F) << 8) + 0x00
0x02 – 0x03 | 2 | Session Identifier – Value retrieved by Handshake at position 0x02 – 0x03
0x04 – 0x06 | 3 | Padding …

DJI Protocol – Day 5 – Progress Report

We already got some hints and clues within our last packet inspection about a possible drone-rotation command. However, the reverse-engineering process is quite intense as too many unknown variables are in the game. Thus, we require a better overall strategy for this project. The DJI Protocol – Packet Types page will fully feature all known …

DJI Protocol – Day 4 – Progress Report

We dived into a specific packet-type last time, but couldn’t extract the purpose of each and every byte. However, we were able to identify one important thingy: 0x00-0x01. Those two bytes indicate the packet’s content. Hence, now we are capable of assigning each sent packet (operator to drone) to a specific group, based on its unique identifier. …

DJI Protocol – Day 3 – Progress Report

Within the last post we were able to find the termination sequence for rather large UDP packets. However, we decided to change the direction of our analysis from drone-to-client packets to client-to-drone packets, as they carry a much smaller payload and may provide a better foundation for the overall reverse-engineering process. Besides the AES encryption …