
Reverse Engineering Quadcopter Protocols - DanBC
https://mmelchior.wordpress.com/2016/06/06/qc-360-a1-p1/
======
jsmthrowaway
My Phantom 4 uses watered-down Lightbridge[0] which I haven't looked at
closely but which does tout at least some encryption. Its predecessor, on the
other hand, my Phantom 2 Vision Plus, uses two completely open SSIDs (one
hidden, one broadcast). I had a prototype of area denial for all Phantom
drones that operated that way cooked up in about two days, so there's a lot of
low-hanging fruit to reverse engineer here and not a lot of thought being put
into security.

Control itself uses a different, "traditional R/C" path (itself ripe for
disruption), but there are _plenty_ of possibilities from being hooked up to a
Phantom 2's SSID. There are two Linux-based computers on that network: the
"guts" and the camera controller. The root password for both is wide
knowledge, and you can brick an operating, in-flight Phantom 2 very easily
with nothing but your laptop.

Hint, hint for a startup here, since I've been on three threads now where
folks are looking for drone denial.

[0]: [http://www.dji.com/product/dji-lightbridge](http://www.dji.com/product/dji-lightbridge)

------
grinich
I did this a few years ago, but for the MikroKopter boards. It's amazing what
you can find while snooping the debug serial pins, and what you can ultimately
still control during flight.

That old code is on GH if anyone wants to fly with it ;)
[https://github.com/grinich/mikrokopter](https://github.com/grinich/mikrokopter)

------
yadsloof
I did something similar last year. The newer Nordic radios are backwards
compatible, so I used an nRF51 to create a bridge between the quad's protocol
and BLE: [http://inductivekickback.blogspot.se/2015/11/ble-to-shockburst-bridge-for-syma-x4.html?m=1](http://inductivekickback.blogspot.se/2015/11/ble-to-shockburst-bridge-for-syma-x4.html?m=1)

------
samlittlewood
This is a good repo of Arduino-based code to talk to many of the Nordic-based
toy quads; it converts the PPM signal from an RC transmitter:

[https://github.com/goebish/nrf24_multipro](https://github.com/goebish/nrf24_multipro)

Many of these little quads use the STM32F0xx Cortex-M0 microcontrollers;
there are various replacement firmware efforts, e.g.:

[https://github.com/samuelpowell/CX10-FNRF/tree/blue-and-red](https://github.com/samuelpowell/CX10-FNRF/tree/blue-and-red)

[https://github.com/silver13/h8mini-acro](https://github.com/silver13/h8mini-acro)

------
stillsut
A cheaper and dirtier way to do this is to solder onto the controller's PCB. Each
joystick drives an X and a Y variable resistor, and measuring the voltage
across the output and GND pins shows it ranges from 0 to 3.3V with 1.67V at the
neutral position. After removing these resistors from the board, you attach
the pins to the Arduino and you can analogWrite an output voltage[1] to mimic
the joystick movements.

This of course flows through to the radio transmitter and on to the drone,
giving you computer control of the drone without reverse engineering the radio and
packets. I'll be writing a blog post on this soon. [Though I would be curious
if anyone has done this with a Syma (D63) as it's a Chinese company]

[1]: also need a low-pass filter (a couple of resistors and a capacitor to turn
the Arduino's PWM into a true analog voltage)
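As an added example (not code from stillsut's comment or from any project named in this thread), the C below takes the numbers given above (0 to 3.3V pot swing, 1.67V at neutral) and works out which analogWrite value reproduces a given stick position, plus the cutoff and residual ripple of the RC filter that turns the PWM into a DC level. It assumes a 5V Arduino with 8-bit analogWrite running at roughly 490 Hz, which the comment does not state.

```c
#include <stdio.h>

/* Measured on the stick pots in the comment above. */
#define STICK_V_MIN     0.0
#define STICK_V_MAX     3.3
#define STICK_V_NEUTRAL 1.67

/* Assumptions, not from the comment: 5 V Arduino, 8-bit analogWrite, ~490 Hz PWM. */
#define PWM_RAIL_V  5.0
#define PWM_MAX     255
#define PWM_FREQ_HZ 490.0
#define PI          3.14159265358979323846

/* Map a stick position in [-1, 1] onto the pot's voltage range, keeping the
 * measured neutral (which is not exactly mid-rail) at position 0. */
double stick_to_voltage(double pos)
{
    if (pos > 1.0) pos = 1.0;
    if (pos < -1.0) pos = -1.0;
    if (pos >= 0.0)
        return STICK_V_NEUTRAL + pos * (STICK_V_MAX - STICK_V_NEUTRAL);
    return STICK_V_NEUTRAL + pos * (STICK_V_NEUTRAL - STICK_V_MIN);
}

/* analogWrite value whose filtered average equals v_target, clamped so the
 * mimic can never push the transmitter's input outside the pot's own range. */
int pwm_value_for_voltage(double v_target)
{
    if (v_target < STICK_V_MIN) v_target = STICK_V_MIN;
    if (v_target > STICK_V_MAX) v_target = STICK_V_MAX;
    return (int)(v_target / PWM_RAIL_V * PWM_MAX + 0.5); /* round, input >= 0 */
}

/* Cutoff of one RC stage between the PWM pin and the transmitter input. */
double rc_cutoff_hz(double r_ohm, double c_farad)
{
    return 1.0 / (2.0 * PI * r_ohm * c_farad);
}

/* Approximate peak-to-peak ripple left after the filter, valid when R*C is
 * much longer than one PWM period: V_rail * D(1-D) / (f_pwm * R * C). */
double pwm_ripple_vpp(int pwm_value, double r_ohm, double c_farad)
{
    double d = (double)pwm_value / PWM_MAX;
    return PWM_RAIL_V * d * (1.0 - d) / (PWM_FREQ_HZ * r_ohm * c_farad);
}

int main(void)
{
    int v = pwm_value_for_voltage(stick_to_voltage(0.0));
    printf("neutral: analogWrite(%d); ripple 4.7k/1uF=%.3f Vpp, 4.7k/10uF=%.3f Vpp\n",
           v, pwm_ripple_vpp(v, 4700.0, 1e-6), pwm_ripple_vpp(v, 4700.0, 10e-6));
    return 0;
}
```

The ripple figures are the check worth running before wiring anything: with 4.7k and 1µF the neutral level still wobbles by almost half a volt, which the transmitter will read as stick jitter, while 10µF brings it down to tens of millivolts.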

------
halpme
Off-topic, but I'm really happy to see an increase in reverse engineering
threads here on HN.

