Rq: hijacking quadcopters with a mavlink exploit

Most of the MAVLINK modules work on 433MHz, which can make the Flipper 0 a perfect device for this.

In the link below is more info about the hack. If somebody has free time and the skills to make this, I will be glad to test it on my drones.

3 Likes

That’s very interesting. I wouldn’t say the Flipper is perfect for this just yet but it seems plausible.

1 Like

Most of the DIY drones use the telemetry radio “HM-TRP 433Mhz RF FSK Transceiver”.
The mavlink protocol is open.
Also, a lot of things can be done with a mavlink connection: reading telemetry of the drone, sending control commands, seeing the pilot’s position, loading a mission on the drone…

3 Likes

I am not familiar with MAVLINK modules, but most simple controllers on the sub-GHz band are prone to replay attacks. There is a good DEF CON talk on YouTube on pwning drones, but they go more into WiFi/2.4GHz range attacks and go for the command line in the access point that is flying around. If it is really just on unencrypted 433 retro protocols, you could just try recording a bit raw and replaying it while using the device to see what the results are? Trial and error?

If you are really interested, I can advise you to check YouTube for the DEF CON talk “All ur RFz belong to me” or close to that. It does take a dive into the sub-GHz range on multiple levels and is definitely worth the time.

Check sites like rtl-sdr, and how you can decode/analyze protocols to see what you are working with.

1 Like

Sounds like they’re using 2.4 for the audio and video, then 433 for control. On top of that there is the GPS. The Flipper can’t mess with GPS, but that’s a very interesting attack vector. It’s being utilized by both sides in the Ukraine war. They trick the drone into thinking it’s in a no-fly zone and it drops right out of the sky. Most commercially available drones have geofence limits that don’t let them fly near places like airports or nuclear plants.

1 Like

Most newer DIY quadcopters all use ExpressLRS (LoRa), older ones use FrSky or FlySky and mostly in the 2.4GHz band.

If you are looking for a nice list of protocols look up “multi-module”.

Video is generally transmitted on 5.8GHz, usually analog video and these days more digital as well.

1 Like

There are some nice ESP boards with LORA (all the common LORA bands) out, so an add-on board could be possible.

Or look into getting some corporate written-off access points you might find for next to nothing. Nowadays you can even find Aruba access points cheap that have full LoRa-network passthrough options. You need some boredom and customizing some stuff, but a lot of access points etc. are also becoming more like SDRs, so there are a lot of options going into LoRa networks or higher-frequency applications.

1 Like

Here is the code, but it is not for Flipper. GitHub - moayyad57/dronize-exploit: MavLink Protocol Drone Exploiting Tool
I can confirm old telemetry modules work on 443MHz, and the new telemetry modules are on 868MHz.

In the examples on GitHub they are capturing, modifying the CRC of the AES packet and injecting broken commands that make it crash/go out of control, but they also mention that a single radio is kinda useless and you will need more to read, modify and send out again in semi real-time to break it.

1 Like
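As an added example (not code from this thread or from the dronize-exploit repository), here is the receiver-side check that decides whether a MAVLink v1 frame with a tampered payload or checksum is accepted at all: a small frame parser that verifies the X.25 checksum (CRC-16/MCRF4XX, finalised with the message's CRC_EXTRA byte) and reports each frame as good or bad. It assumes only the HEARTBEAT message (id 0, CRC_EXTRA 50) and the sample telemetry bytes are constructed inline.

```python
"""MAVLink v1 frame validator (added example, not part of the original thread).

Walks a raw byte capture from a telemetry link, re-frames it, and verifies
each frame's checksum the way an autopilot or ground station does.  Frames
whose payload or CRC bytes were altered fail the check and are flagged,
which is the signal a link monitor can count to detect the CRC/payload
tampering described in the post above.

Assumption: only HEARTBEAT (msg id 0) is modelled, so CRC_EXTRA has one entry.
"""

STX_V1 = 0xFE               # MAVLink v1 start-of-frame marker
CRC_EXTRA = {0: 50}         # HEARTBEAT's CRC_EXTRA from the common dialect


def x25_crc(data: bytes, crc: int = 0xFFFF) -> int:
    """X.25 CRC (CRC-16/MCRF4XX) as MAVLink computes it; crc lets you chain calls."""
    for b in data:
        tmp = b ^ (crc & 0xFF)
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc


def build_frame_v1(seq: int, sysid: int, compid: int, msgid: int, payload: bytes) -> bytes:
    """Assemble a MAVLink v1 frame; used here only to construct sample input."""
    header = bytes([len(payload), seq, sysid, compid, msgid])
    crc = x25_crc(header + payload)
    crc = x25_crc(bytes([CRC_EXTRA[msgid]]), crc)   # CRC_EXTRA is folded in last
    return bytes([STX_V1]) + header + payload + crc.to_bytes(2, "little")


def parse_stream(stream: bytes) -> list:
    """Return one dict per complete frame: msgid, seq, sysid and crc_ok.

    A frame whose msgid has no known CRC_EXTRA is reported as crc_ok=False,
    which is what a strict receiver should do.  A frame with a bad CRC is
    recorded and skipped whole (no byte-by-byte resync) to keep the example short.
    """
    results = []
    i = 0
    while i < len(stream):
        if stream[i] != STX_V1:
            i += 1                     # noise between frames
            continue
        if i + 8 > len(stream):        # shortest frame: 6 header bytes + 2 CRC bytes
            break
        length = stream[i + 1]
        end = i + 6 + length + 2
        if end > len(stream):
            break                      # truncated frame at end of capture
        header = stream[i + 1:i + 6]
        payload = stream[i + 6:i + 6 + length]
        got = int.from_bytes(stream[end - 2:end], "little")
        msgid = header[4]
        ok = False
        if msgid in CRC_EXTRA:
            expected = x25_crc(bytes([CRC_EXTRA[msgid]]), x25_crc(header + payload))
            ok = expected == got
        results.append({"msgid": msgid, "seq": header[1], "sysid": header[2], "crc_ok": ok})
        i = end
    return results


# Constructed HEARTBEAT payload (wire order: custom_mode u32, then type,
# autopilot, base_mode, system_status, mavlink_version): quadrotor, ArduPilot, active.
HEARTBEAT_PAYLOAD = b"\x00\x00\x00\x00" + bytes([2, 3, 0, 4, 3])

# Constructed capture: line noise, a good heartbeat, more noise, and a second
# heartbeat whose first payload byte was flipped after the CRC was computed.
_good = build_frame_v1(0, 1, 1, 0, HEARTBEAT_PAYLOAD)
_tampered = bytearray(build_frame_v1(1, 1, 1, 0, HEARTBEAT_PAYLOAD))
_tampered[6] ^= 0x01                   # byte 6 is payload[0]; CRC bytes left untouched
SAMPLE_STREAM = b"\x00\x1a" + _good + b"\x2b" + bytes(_tampered)


def bad_frame_count(stream: bytes) -> int:
    """Number of frames in the capture that a strict receiver would reject."""
    return sum(1 for f in parse_stream(stream) if not f["crc_ok"])


if __name__ == "__main__":
    for f in parse_stream(SAMPLE_STREAM):
        print(f)
    print("rejected frames:", bad_frame_count(SAMPLE_STREAM))
```

Two caveats worth keeping in mind when reading the result: the check catches the clumsy case the post describes (payload changed, CRC left stale, or a CRC that no longer matches), but a CRC is not an integrity mechanism, since anyone who can write to the link can recompute it. That is why MAVLink 2 added optional packet signing with a shared key; on an unauthenticated 433MHz link the CRC only tells you the frame arrived intact.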

What about a DJI?