패킷 분석을 사용하여 Wireshark로 드론을 리버스 엔지니어링하는 방법

As more advanced drone systems are put into place and integrated into various sectors, it becomes ever more important to take into account the vulnerabilities they may pose in order to ensure the security of their applications. Ever since I became interested in , one thing I always wanted to find a way to hack was UAVs. In this article, I outline the steps I took to reverse engineer DJI drones using packet monitoring techniques with Wireshark and delve into the details of packet dissection and how you can develop your own protocol dissector using the Lua programming language. aerospace cybersecurity Although reverse engineering drones is no easy feat, they are still vulnerable to a wide range of cyber threats which could result in severe repercussions. By outlining the process I took to reverse engineer my way into DJI drones to expose sensitive information stored within packet data, I hope the research highlights existing vulnerabilities in order to find better alternatives to safeguard existing drone systems. Table of Contents Unmanned Aerial Vehicle Drones Deconstructed Vulnerabilities of UAV What is Packet Sniffing and Analysis What is Wireshack? Wireshack Display Filters What is Packet Dissection? Packet Dissection with Wireshack Reverse Engineering DJI Drones DJI Packet Dissection with Wireshack Diving Deeper into Wireshack Dissectors Setup Dissector with Wireshack Unmanned Aerial Vehicle An Unmanned Aerial Vehicle (UAV for short) is an aircraft that does not carry any pilot or passengers onboard. Most of the time the term is applied to drones, but other types of UAV vehicles exist such as which is a high-altitude, long-endurance UAV meant for research purposes. UAVs are used for a wide variety of applications such as search and rescue missions, data collection, military and law enforcement, aerial photography, etc. Compared to conventional aircraft, UAVs possess a compact form, exhibit heightened agility, accuracy, and precision in their maneuvers, and prove cost-effective, rendering them widely favored for diverse commercial and consumer applications like delivery services and aerial surveying. NASA’s Global Hawk Drones Deconstructed As this article will delve into drone forensics, it’s important to provide a quick overview of the components that make up the DJI Phantom 4. While it’s worth noting that the components housed by a drone may vary depending on the brand or version, most UAVs share a significant majority of components. the chassis of the drone is the physical frame that holds together all the components. the chassis is typically constructed of lightweight materials such as plastic or carbon fiber to reduce the drone’s overall flight performance by reducing drag and weight Chassis: drones use motors to create the necessary amount of lift for flight. most drones usually have a quadcopter configuration which consists of four motors: two clockwise spinning motors and two counterclockwise spinning motors to equalize the turning force. This configuration exists because Newton’s Third Law states that for every action there is an equal and opposite reaction, so having the same number of counter and clockwise motors provides the drone with flight coordination through equalized turning force Drone Motor: the flight controller of a drone acts like its brain. the flight controller takes in inputs from sensors on board the drone such as the GPS module in order to give specific instructions to the electronic speed controllers (ESCs) to control the motors Drone Flight Controller: global positioning satellite (GPS) module uses two different global positioning systems to pinpoint the drone’s location. Using the GPS module, the drone can calculate its geolocation based on the duration of time it took for transmitted signals to arrive from different satellites GPS Module: ESCs are the middle man between the power distribution board of the drone and the motors. They use signals from the flight controller to control the amount of power allocated to a motor Electronic Speed Controller (ESC): the power port is a module that displays that measure the amount of power coming from the battery and distributes that power to the drone’s ESCs and flight controller Power Port Module: some drones include stereo vision sensors on their frame. These sensors calculate the distance between the drone and the obstacle in front of the sensor by computing the depth via the image pixels captured by each sensor Obstacle Avoidance Sensors: the gimbal stabilizes the camera attached to the drone to stabilize footage. When sensors notice movement about any axis, they signal the gimbal to make the proper adjustments to smoothen the camera footage 3-Axis Gimbal: batteries provide power to the drone. Some batteries also include features such as over-charge protection, power output communication, etc Drone Battery: the camera of the drone is used to film footage and take pictures. The image sensor in the camera captures incoming rays of light and processes them into a digital image Drone Camera: drone antennas act as a transmission system for relaying information between the controller and the drone Drone Antennas: these sensors are used to calculate the drone’s height above the ground. The height can be computed by sending a high-frequency sound pulse from one sensor and measuring the amount of time it takes for the other sensor to receive it Downward Ultrasonic Obstacle Avoidance Sensor: flight LEDs are usually used to indicate the direction the drone is flying. Two flashing red lights indicate the front of the drone and flashing green lights indicate the back Flight LED: joysticks are used to control the drone by translating the physical movement of the sticks into information that the controller can communicate to the drone as movement directions Joysticks: the remote controller board retrieves useful telemetry about the drone such as its altitude, location, and camera imagery Main Remote Controller Board: the camera board processes data from the imaging sensor and gimbal motors to synthesize stable footage Main Camera Board: Vulnerabilities of UAVs Although UAVs are used for a wide range of applications, like every other device with an onboard computer system, they are vulnerable to a range of cybersecurity threats. Some of the most common cybersecurity threats with UAVs include: UAVs are vulnerable to unauthorized by bad actors who can either intercept or spoof wireless signals used to control the drone. This allows the hacker to control the drone or passively steal information from them. UAVs are equipped with a wide variety of sensors actively collecting information about their environments such as photos, videos, and telemetry readings. This data can be vulnerable to interception from hackers who can use it for nefarious purposes a more specific attack that hackers can employ to hack drones is a Denial of Service. This occurs when a hacker launches a DOS on the same wireless communication system of the drone, disrupting its ability to receive or transmit data As more security vulnerabilities are discovered with the rising popularity of UAVs, it is necessary for security researchers to forensically analyze devices for malicious purposes. A subfield within cybersecurity called focuses on collecting and analyzing data from an attack for investigative purposes Unauthorized Access: Data Theft: Denial of Service: forensics analysis . This process comes in handy in real-life crime scenarios when digital information of a computer system is seized and needs to be investigated. Oftentimes, the wide majority of the information on the machine is not related to the crime and must be filtered down to break down the crime scenarios. There is a wide range of illegal applications of drones such as contraband drops to unauthorized areas, drug drops over foreign borders, and unsolicited surveillance. In the aftermath of many of these scenarios, digital forensics is utilized to determine information such as device ownership and any data linked to the crime. A conducted on common drone models in various crime scenes demonstrated that information such as media files in the photo or video format, flight patterns, locations, and owner information were most conducive to success for digital forensics cases conducted by law enforcement investigators. Although the investigators of the study were able to filter down information about the crime using digital forensics techniques, the study stated that state and federal legislation has not properly handled the regulations behind drone technology and consequently leaves many stakeholders vulnerable. Overall, they concluded that the lack of forensics tools and universal drone structure made it necessary for more data extraction methods to be developed. study To play a part in tackling the lack of UAV forensics tools, I will be demonstrating how I created a packet dissection script for Wireshark using the programming language to find useful network information during digital forensics scenarios. The tool is a first-hand application of digital forensics skills to gather useful information about UAVs which could be used during investigative situations to gather more data related to the crime that took place. Lua What is Packet Sniffing and Analysis? Packet Sniffing is the act of intercepting and examining packets of data as they are transmitted over a specified network. This technique is utilized by cybersecurity professionals in order to track down vulnerabilities, diagnose faults and performance for their network, or discover threats. On a computer, the network interface card (also known as NIC) is a hardware component that includes an embedded circuit board that allows the computer to interface with networks and perform packet sniffing. More elaborate sniffing for cybersecurity or hacking purposes often requires the NIC to be put into which allows the computer to retrieve surrounding network traffic. Using a decoding process, sniffers can get access to encoded information stored in data packets as they are transported over a network. Sniffing can be broken down into two general categories: and sniffing. promiscuous mode active passive Passive Sniffing Passive sniffing consists of only listening to packets that are being sent over as network traffic. It is often used as a reconnaissance technique to gauge pertinent information about traffic and the type of data that is being passed over a network. This allows security professionals to analyze the network for any anomalies or suspicious activity such as network troubleshooting (using network traffic as a metric for network issues) and performance optimization by identifying areas of congestion. Active Sniffing Active sniffing is a technique utilized in packet injection/spoofing applications that are intended to elicit a response from network devices. For instance, an attacker might send a specific packet in order to trick a specific device or application into responding with sensitive information. This could be used to conduct multiple mischievous activities such as orchestrating a man-in-the-middle (MiTM) attack and hijacking network sessions. Active sniffing is a little trickier to detect than passive sniffing because it was built to masquerade as the surrounding network traffic. Active sniffing is conducted by intentionally inputting address resolution protocol (ARP) packets in order to overload the switch content address memory (CAM) table. This leads to legitimate network traffic being transported to different ports which serve as the foundation for spoofing attacks such as ARP Spoofing, dynamic host configuration protocol (DHCP) attacks, and DNS (domain name system) poisoning. OSI Model The OSI (known as Open Systems Interconnection) model is used to conceptualize how disparate components of a network communicate with one another. The model is presented as a seven-layer model that includes a standardized rule set of how different devices and programs can intercommunicate through the network. The OSI model can be segmented into several layers: Application, Presentation, Session, Transport, Network, Datalink, and Physical. This describes the physical characteristics of the network that is responsible for the physical connection between devices such as cabling, connectors, and signaling. In this layer, data is transferred via . Physical Layer bits In this layer, data is formatted into packets and transmitted over the network. The data link layer also ensures that your data does not contain any internal errors. Data is transferred using . Data link layer frames The network layer handles how packets are addressed and sent over the network by finding the optimal way to send the packet. In this stage, IP addresses are attached to the header of the packet. Network layer The transport layer is the transition between the network and session layers. This layer uses network protocols such as UDP and TCP in order to determine how to transmit data between applications. The data transported in this layer is called a . Transport layer segment This layer defines how applications establish and maintain connections with each other. Session Layer The presentation layer converts the data from segments into a more human-readable format. This layer also covers the encryption and decryption of packets. Presentation layer The application layer is what is used to interface with users. It defines the protocols and interfaces that can be used by applications to communicate with the network. Application layer Packet Information Breakdown In networking, a packet is a small segment of a larger message. Any form of data that is passed over a network is split into packets. Once they are passed through the network, those packets are reconstructed by the device that receives them. Packets sent over a network have the header, payload, and trailer included in their structure. I will be using the IPv4 packet as an example to demonstrate the type of information contained within a packet. The packet header is the initial portion of a packet. It contains addressing and other data that is required for the packet to reach its destination. The IPv4 header contains 13 fields… - version number of the internet protocol used (ie. IPv4) length of the entire IP header information on the congestion information seen enroute length of the entire IP packet (including the header and body) if the IP packet is fragmented, each packet will contain a corresponding identification number to identify the original IP packet they belong to indication of whether the packet is large enough to be fragmented positioning of the fragment in the IP packet the number of routers the packet has left to cross to avoid looping of the network the network layer at the destination host the packet belongs to (ie. TCP = 6, UDP = 17, and ICMP = 1) checksum value of the entire header used to confirm that the packet does not contain any errors - 32-bit address of the sender (source) of the packet 32-bit address of the Receiver (destination) of the packet optional field that can contain information like Record Route, Timestamps, etc The payload of a packet includes the actual data the packet intends to carry to its destination. In the case of the IPV4 packet, the payload is given a padding of 0 bits to ensure the packet ends within the 32-bit limitation. Sometimes packets can contain an ending to their packet called the trailer. Although the IPV4 packet structure does not contain a trailer, Ethernet frames contain a trailer to include information that network adapters on the ethernet need to process the frame. 1. Packet Header Version: - Internet Header Length (IHL): - Explicit Congestion Notification: - Total Length: - Identification: - Flags: - Fragment Offset: - Time to Live (TTL): - Protocol: - Header Checksum: Source Address: - Destination Address: - Options: 2. Payload 3. Trailer What is Wireshark? Wireshark is a widely-used and open-sourced network protocol and packet analysis tool. It allows you to capture network packets from sources such as wireless (IEEE.802.11), Bluetooth, Ethernet, token rings, etc. Wireshark also includes a packet filtering capability that lets you filter the log stream of packets as they are displayed on your screen. The Wireshark interface contains different panes for displaying packet information. The main panel displays the list of all the packets flowing through the network. If you select an individual packet, two panes should pop up near the bottom of the screen containing more specific packet data. The details for each of the column categories in the main panel are as follows: Using Wireshark for Packet Analysis the packet number in the capture file No.: the time this packet was captured after packet sniffing was initiated Time: IP address and port number of the sending device Source: IP address and port number of the receiving device Destination: the type of packet (ie. TCP, UDP, HTTP, etc) Protocol: more informational content about the packet which will vary on what type of packet is captured Info: Those are the preconfigured informational columns in Wireshark, but there are many more columns available to be shown in the tool such as TTL, checksum, etc by selecting it the “Columns” settings. The section of the tool shows you more interpretable information about the packet which varies depending on the packet type. The bottom pane, , shows the packet contents in the pure hexadecimal format. Packet Details Packet Bytes Wireshark Capture Filters The capture filters in Wireshark limit the packets captured by the inserted filter. If you might have noticed, Wireshark capture filters follow the same format as which is another popular network packet capture tool. The syntax of packet captures adheres to the Berkeley Packet Filter (BPF) syntax expressions. Some common capture filters for Wireshark include… tcpdump Capture traffic only to and from the IP address 172.18.5.4: host 172.18.5.4 Capture traffic to or from a range of IP addresses: net 192.168.0.0/24 OR net 192.168.0.0 mask 255.255.255.0 Capture traffic from a range of IP addresses: src net 192.168.0.0/24 OR src net 192.168.0.0 mask 255.255.255.0 Capture DNS traffic (port 53): port 53 Capture except all ARP and DNS traffic: port not 53 and not arp Capture only IPv4 packets: ip Capture only Ethernet packets (EAPOL): ether proto 0x888e Wireshark Display Filters The display filters feature in Wireshark lets you narrow down the type of packets shown in the captured packet list. Common examples of display filters include the following: Protocol-based Filters: You can filter packet traffic based on the network protocol http The example above only shows packets with the HTTP protocol Filter packets by address (ie. IP address filtering): You can filter packets via the address of the sender or the receiver ip.src == x.x.x.x The above shows traffic coming from a specific IP address Port-based Filters: You can filter packet traffic based on the port number being used http The example above only shows TCP packets with port 80 Time-based Filters: You can filter packets based on the time they were captured frame.time >= "YYYY-MM-DD HH:MM:SS" && frame.time <= "YYYY-MM-DD HH:MM:SS The example above only shows packets within a selected time range Content-based filters: You can filter packets based on the content of the packets frame contains google The example above shows packets whose contents contain the keyword “google” What is Packet Dissection? While the process of packet analysis is used to get a general overview of network traffic patterns, packet dissection involves a much more narrow approach. Packet dissection refers to the process of dissecting individual packets into their distinct components (ie. headers, payload contents, etc) to gain valuable knowledge of network processes or the device being monitored. Some applications that packet dissections can be used for include protocol analysis and forensics. Packet Dissection with Wireshark Lucky for us, Wireshark contains an integrated toolset for performing thorough packet dissection on each packet that is transported across a network. Some techniques to perform packet dissection include… you can view the protocol details for each packet by expanding the layer details in the packet details pane. This is useful for decoding various protocols such as TCP, UDP, DNS, etc Wireshark also contains a feature that displays the TCP stream of all the packets flowing through a TCP connection. To use this feature, select a packet that belongs to a TCP connection, right-click on the packet, and select “Follow > TCP Stream” you can also visualize packets based on specific criteria such as packet length or protocol type. To see this feature, go to “View” and click “Coloring Rules” Wireshark has a feature that displays a flow graph showing the timing and sequence details of a packet between two machines. To configure a flow graph, go to “Conservation Filter” and select the “TCP” option. This creates a filter that shows all the packets being passed between two machines. Then, select “Statistics” and “TCP Stream Graphs” to create the flow graph Protocol Decoding: TCP Streams: Color Coding: Flow Graphs: Packet Dissection for Protocol Analysis Packet dissection can be applied in order to analyze which types of network protocols are being utilized by and how they are being used. To try out protocol analysis with Wireshark, begin by capturing packets with your selected network interface. Then, as packets are captured, they should transmit a variety of protocols such as (port 80), HTTPS (port 443), SSH (port 22), and SNTMP, etc. Let’s use HTTP for our packet dissection example. Begin by selecting a packet with the HTTP protocol assigned to it like below by filtering with the http keyword... HTTP Once the packet is selected, expand the Transmission Control Protocol (TCP) menu to see the relevant information for the packet. Once the packet details are expanded, you can analyze different fields of the protocol such as the Source and destination IP addresses, source and destination ports, HTTP method used (GET, POST, DELETE, etc) and the HTTP response code. Packet Dissection for Forensics Packet dissection can also be used for digital forensics in order to extract information behind particular network incidents. For instance, imagine a situation where a hacker sends over sensitive information over your network to a remote server. We can use display filters in Wireshark to isolate traffic coming for the hacker’s machine using the IP address of the hacker’s device and the IP address of the remote server. Then, we can use packet dissection tools offered by Wireshark such as the “Follow TCP Stream” feature in order to reconstruct the TCP data stream between the hacker and remote server. By using this information, you can reveal hidden information the hacker sent to the remote server like the transfer of any malicious files or images. This application of packet dissection can also be applied to analyze network traffic and detect for any criminal activity. Reverse Engineering DJI Drones Reverse engineering is the process of deconstructing and analyzing a system in order to understand how it works “under the hood” and extract pertinent information from it. This process is often done through an iterative process deconstructing specific aspects of a system, analyzing its technical specifications and code, and running specific tests to examine its outcomes. As for the case of UAV hacking, we can apply reverse engineering principles to analyze a drone’s software and firmware, extract telemetry information, and identify vulnerabilities to exploit. For this research experiment, I decided to reverse engineer the DJI Mini 2 — a small, compact drone designed for recreational use developed by a popular drone company called DJI. Man-In-the-Middle Configuration Since passive eavesdropping does not return any reverse-engineerable result, I instead used an artificial and eavesdrop-friendly network configuration to allow for wireless communication between the drone and the operator to be inspectable and interceptable by following the configuration below: a) the done initializes the process by starting an access point used for direct communication with its network peers Drone: b) we establish a second virtual network with our machine masquerading as the AP for the mobile client MITM AP: c) the MITM client directly connects with the drone forwarding the MITM AP’s networks to the drone and vice versa d) the MITM machine is the device used for eavesdropping by connecting via the NAT (Network Address Translation) the virtual MITM AP’s with the internal NIC of the MITM client MITM Client: MITM Machine: e) the operator is the mobile device running the DJI application that connects via Wi-Fi the drone representative (MITM-AP) Operator: Access Point Configuration In order to configure the MITM AP, I used the command to create a virtual AP over the command line on my machine. create_ap sudo create_ap wlan0 wlan0 Operator 12345678 -w 2 -c 2 -m nat --freq-band 2.4 --country US This command was designed to eliminate the number of disturbances between the connection by focusing on the 2.4GHz frequency and establishing the following parameters: WPA2-PSK in CCMP cipher mode usage of arbitrary and static unoccupied channel NAT to connect between virtual AP and physical NIC selecting only the 2.4GHz band putting the right country code to comply with local regulations -w 2 -c 2 -m nat --freq-band 2.4 --country US Intercommunication Eavesdropping For eavesdropping, I used the command line tool in order to optimize performance for the MITM network. With captured network packets will be stored within a corresponding PCAP file which can later be analyzed by an array of network analysis programs. I also implemented additional filters to reduce the range of the captured output to only consist of relevant network packets between the drone and the machine. tcpdump -w /tmp/dumps/capture.pcap sudo tcpdump --interface=ap0 -n udp host 192.168.2.1 avoids DNS resolutions ignores any TCP packets ensures the packets displayed are drone related -n udp host 192.168.2.1 Research Specifications For conducting digital forensics research on the DJI Mini 2, I tried to reverse engineer the DJI Wi-Fi protocol by analyzing the network packets sent by the drone using Wireshark. To determine the exact protocol structure of the packets transmitted by the drone, I used bit-precise reasoning to classical each individual bit. Throughout the process, I found the following filter predicates in Wireshark to be the most useful: since only application-level network packets are relevant for this process, we can exclude the DNS, Internet Control Message Protocol (ICMP), and Multicast DNS (MDNS) protocols from our search !dns && !mdns && !icmp The IP address 192.168.2.1 represents the IP address of the drone. Here, we specify the source and destination to be filtered by that IP. ip.src == 192.168.2.1 In this example, only packets with the length of 1472 bytes are included in the result view displaying drone packets with that exact payload size data.len == 1472 this compares the static hex value against the payload content of the initial index. This is useful because mid-flight packet inspection focuses on the co-related changes between the protocol and the operator’s drone control instructions data.data[0] == 0x00 Packet Information With the packets obtained using Wireshark, I focused on the payload from index 0x2A to the Ethernet frame length. Although the entire packet does include information, the bytes of data from 0x2A to the end suffice for reverse engineering purposes. I included the Ethernet OSI model layers table below for reference: Payload Encryption Although the entire communication stream is encrypted, the decrypted stream of data can still compromise the integrity of the encryption. One method of decrypting information with UAV systems is to have a side-by-side comparison between multiple payloads to identify patterns. The Electronic Codebook Mode (ECB) produces a sequence of deterministic data applying the same pseudorandom permutation to each plaintext block to create repeater ciphertext blocks. We can apply this in our reverse engineering process to possibly encounter a pseudo-random payload or two identical payloads within the UDP packets. Although I was unable to find any identical payloads, there were many that were very similar to one another. For example, the images below show two packets where only 5 bytes differ. The two payloads are very similar and even indicate an incrementation of one which is evident of an unencrypted stream of data. Deductive Reasoning The main approach I used for reverse engineering the DJI Mini 2 was to apply deductive reasoning to compare payloads based on correlating operator inputs. Using the direct drone control instructions (ie. landing, movement, take off, etc), I forced the operator to signal the representative network packet. The control instructions were capable of signaling the command type and the payload content. Then the packets were compared with one another using the aforementioned binary comparison technique revealing the command structure and parameter values. Packet analysis revealed a high-traffic protocol consisting mostly of drone-to-operator packets that relied on the Maximum Transmission Unit (MTU). Bit-Precise Reasoning In order to garner more information about the data stored within the transmitted packets, a technique called bit-precise reasoning was used for the analysis of bits within the 56-byte payloads to make specific judgments about the property of each packet. To simplify the process, clusters were used to aggregate payloads to each be the exact same length. I highly recommend reading which dives deep into the bit-precision method for reverse engineering drones to learn more about this technique. The below table below displays a general overview of the information that was able to be extracted using bit-precise reasoning. this research paper DJI Packet Dissection with Wireshark Throughout this research process I learned that packet dissection for reconnaissance and for digital forensics/reverse engineering call for entirely disparate approaches. Fortunately, packet dissection using passive reconnaissance and a network communication dissector came in really handy for analyzing the communication interfaces of the DJI Mini 2. To get started with the packet dissection process, I downloaded the PCAP files listed within of DJI communication packet dumps which includes an expansive log of communication data for all sorts of DJI drones using Wireshark. Once the PCAP files were downloaded, I analyzed them using Wireshark using different dissectors. this repository Analyzing Information Formats Before going deeper into the specific packet dissection process of DJI packet dumps, it is worth mentioning all the UART stands for Universal Asynchronous Receiver-Transmitter is a commonly used serial protocol to transmit information between electronic devices that utilize the asynchronous flow of data bits sequentially over a single communication line DUML stands for DJI Universal Markup Language which describes the close-sourced protocol for DJI communication. It is used to control the internal settings of the device or to initiate firmware updates Also known as Keyhole Markup Language, these are XML files by heart used for specifically displaying geographic data in mapping software. KML files contain data about specific locations, shapes, paths, and other geographical features DAT stands for Digital Audio Tape. They refer to the recorded flight data stored on Digital Audio Tapes. DAT files include pertinent flight information for analysis UART Communication: DUML Streams: KML Files: DAT Flight Logs: The PCAP file within the DJI packet dumps repository contains a huge dump of communication logs from various DJI hardware. This storage of communication logs allows us to decipher the internal communications of protocols alongside a fine reference point for probing for hardware issues within the hardware. For instance the the first log file contains a communication dump from the DJI P3X Receiver Board UART dump. The data dump features a bilateral communication between an OFDM (Orthogonal Frequency Division Multiplexing) MCU (Microcontroller Unit) and FC (Flight Controller) on the drone using a ribbon cable and the program p3x_ofdm_to_center_run1 comm_serial2pcap.py . Setting up Wireshark In order to set up a foundational DJI communication dissection, I used the listed within the DJI firmware tools. The communication dissection tools, provide the following functionalities: communication dissection files - Display fields within captured DUML packets from a drone source - Show fields within packets stored in binary flight - Record DAT files - Visualize flights via the KML export feature The tools also let you analyze protocol commands through the following options: - DUML stream-based PCAP files - PCAP files containing dumps of USB/Ethernet communication within embedded DUML payloads - DAT Flight Log-based PCAP files To start getting your environment set up, download all the .lua files listed under this . Then, within Wireshark open the menu and go to the . link About Wireshark Folders tab Then, click the file path reference to and paste in all the file contents Personal Lua Plugins . Once that is set up, refresh Wireshark using the command to load up all the communication dissection tools. Once that is loaded, open and make the assignments according to the image below: Ctrl+Shift+L Preferences -> Protocols -> DLT_USER -> Edit After the DLT table is initialized, go to and adjust the settings to display the protocol information you want. The following is an example of one way it can be configured: Preferences -> Appearance -> Columns Communication Dissection From the communication dissection tools, we can extract the following information from the DJI communication protocols: the dissector can delineate information about the structure of firmware files like headers, sections, and data sections the tools can also extract individual firmware components like the bootloader, flight control firmware, camera firmware, gimbal firmware, etc configuration parameters can also be looked into which provides settings information for components like the camera, flight control, and sensors code snippets and executable binaries can also be uncovered within the firmware file depending on the situation, the dissector can also be capable to decrypting and encrypting portions of firmware files revealing information about the firmware encryption process if a firmware file includes a file system, the tools can also extract and analyze contents within that file system Firmware File Structure: Firmware Components: Configuration Parameters: Scripts: Encryption: File System Contents: Diving Deeper into Wireshark Dissectors In Wireshark, a is responsible for interpreting and decoding network protocols. Dissectors are useful because they analyze the captured network packets and extract useful information out of them such as the protocol’s structure, fields, and encoding rules, and display them in a human-readable format. dissector Wireshark also lets you develop your own custom dissectors using a programming language called . Although Wireshark was written in C and dissectors for the program are typically written in C, however, Wireshark also allows dissectors be written in the Lua programming language to make the learning curve less steep for people who are new to development. Lua is a multi-paradigm, procedural, and functional programming language with integrated object-oriented features. Although choosing Lua as the language for dissector development does compromise on speed, it is favorable in most circumstances because of its light weight and ease to learn. Lua Basic Introduction to Lua Like I mentioned before, Lua features an intuitive and simple code syntax while keeping in mind speed, portability, and integration with other programs making it easy to pick up without sacrificing much functionality and performance. Here are some basic code snippets outlining the foundational features of the language: Variables and Operations local a = 25 local b = 5 local result = a + b print (result) -- Output: 30 Conditional Statements local temperature = 15 local heatSetting = 0 if temperature < 0 then heatSetting = 3 elseif temperature <= 20 then heatSetting = 2 else heatSetting = 1 end print (heatSetting) -- Output: 2 Loops -- While Loops local i = 0 while i < 10 do i = i + 1 end print (i) -- Output: 10 -- For Loops local i = 0 -- i = first, last, delta for i = 0 , 10 , 1 do print (i) end print (i) -- Output: 10 Tables local new_table = {} -- Table value assignment new_table[ 20 ] = 10 new_table[ "x" ] = "test" a.x = 10 Functions function add (arg1, arg2) return arg1 + arg2 end local added_number = add( 2 , 3 ) print (added_number) -- Output: 5 Summary Notes about Lua Lua is dynamically-typed Scope is either specified as local or global. Global is the default Semicolons are not necessary making whitespace hold more value -- denotes a comment i = i + 1 used for variable incrementation ~= used in place of != Types are: string, number, boolean, nil, function, userdata, thread and table Nil is used for a non-value In conditionals: nil and false are falsy, the rest are thruthy. Lua‘s only data structure is Tables implements associative arrays. Associative arrays can be indexed by both numbers and other types like strings. They are dynamic and often called objects. table. Setup Dissector with Wireshark To setup dissector development with Lua scripts in Wireshark, click on . From there, click on either the Personal Lua Plugins or Global Lua Plugins folder reference. The path should look something like on Windows To create a dissector, initialize a file within that directory like . The script will automatically be applied once Wireshark is reloaded. You can reload Wireshark by either restarting the application or by reloading all Lua scripts using Help -> About Wireshark -> Folders C:\Program Files\Wireshark\plugins\2.4.2 . example.lua Ctrl+Shift+L . Setting up a Protocol Now that you have everything setup, I will walk you through a rudimentary dissector script that extracts and displays information about a custom protocol. custom_protocol.fields = { field1, field2 } -- Create a new protocol for our custom protocol local custom_protocol = Proto( "CustomProtocol" , "Custom Protocol" ) -- Define the fields of our custom protocol local field1 = ProtoField.uint8( "custom_protocol.field1" , "Field 1" , base.DEC) local field2 = ProtoField. string ( "custom_protocol.field2" , "Field 2" ) -- Register the fields to the custom protocol -- Create a function to dissect the packets of our custom protocol function custom_protocol.dissector (buffer, pinfo, tree) -- Create a subtree for our custom protocol in the Wireshark GUI local subtree = tree:add(custom_protocol, buffer(), "Custom Protocol Data" ) -- Extract and display the values of Field 1 and Field 2 local field1_value = buffer( 0 , 1 ):uint() subtree:add(field1, buffer( 0 , 1 )):append_text( " (Value: " .. field1_value .. ")" ) local field2_value = buffer( 1 , 5 ): string () subtree:add(field2, buffer( 1 , 5 )):append_text( " (Value: " .. field2_value .. ")" ) end -- Register our custom protocol as a dissector in Wireshark local udp_port = DissectorTable.get( "udp.port" ) udp_port:add( 12345 , custom_protocol) - the code begins by initializing a custom protocol using the Proto object called a fields table for the protocol is initialized containing two custom fields: and the dissector function for the protocol is initialized which is called once for every packet which has the type of the custom protocol. The function takes in the parameters , , and . buffer includes the packet’s buffer and , contains columns of the packet list, and is the tree root CustomProtocol field1 field2 buffer pinfo tree Tvb object pinfo tree - Inside the dissector function, we create a subtree within the Wireshark Packet Details section showing our custom protocol as a field - Within the tree view section, we display the packet information for each of the respective fields within the custom protocol - Lastly, we assign a protocol to a port. In this case, the port used is for UDP 12345 Conclusion Overall, using Wireshark in conjunction with a few DJI-based communication dissectors, we were able to reveal sensitive information transmitted by DJI drones through their communication protocols. I hope this outlined extensive research process elucidated a few reverse engineering techniques that you could apply during your cybersecurity process to possibly find vulnerabilities within existing systems. Moreover, I hope this report proved that although drone hacking might be a bit tedious, it is not impossible. It is important to keep pushing the boundaries of what is currently known about a system in order to highlight existing flaws before they are noticed by bad actors. In this case, we revealed that drone protocols even for large, trusted brand manufacturers like DJI are still vulnerable to data interception and reverse engineering. By taking this into consideration, constructive action steps can be taken to mitigate these existing vulnerabilities and solidify the security of drone communication channels. Also published here.