Research and hijacking experiment on a brand-name UAV

Posted by tzul at 2020-02-27




Here comes the drone

We got another drone, how exciting! But as tech enthusiasts and curious people, wouldn't it be a shame not to poke at it a little?


One HackRF

A computer with Kali Linux installed

A remote-controlled UAV and its matching remote controller

Setting up the HackRF environment was covered in the previous WeChat article, so it is not repeated here.


After operating the equipment repeatedly, we found that we had learned very little: we could not even determine the exact band the UAV used, only that it worked somewhere around 2.4 GHz.

To learn more, we disassembled the remote controller and the UAV.

Disassembling the remote controller

There is only one chip on the remote controller's board, so this chip must be the control core of the whole remote. Its model number is XNS104. Looking it up shows that it is a programmable 2.4G high-speed wireless transceiver chip that handles the wireless communication.

Disassembling the UAV

Chip 1 is an XN297L. Chip 2, however, had its markings erased by the manufacturer (so it must be an important chip).

So the chips are an XN297L on the UAV and an XNS104 on the remote controller.

The XN297L only provides wireless receive and transmit functions, so it cannot serve as the UAV's MCU. We can therefore infer that the chip with the erased markings on the UAV is the MCU.

Communication between the UAV and the remote controller is handled by the XN297L and the XNS104. The XNS104 integrates the functions of the XN297, so the communication mechanism between them should be based on the XN297.

Next we need to analyze the communication behaviour of the XN297L in detail. In its technical manual we found the following content, shown below.

So it looked like a replay attack would not be feasible, but there was still hope. Turning to the end of the manual, I suddenly saw the XN297L data format, shown in the figure below:

From the data frame it can be seen that the PID field is only two bits wide, so the PID here is not meant to prevent replay attacks but only to drop duplicate frames. A two-bit PID cycles through all its values in a very short time, so a replay attack should be feasible. Having confirmed this, we can begin the hijacking procedure below.


To hijack this kind of UAV, we need to capture the signal from the remote controller. Let's first look at how the UAV works.

Working mechanism:

First pairing: confirm that the UAV is in a usable state

Second pairing: on success, the communication link between the remote controller and the UAV is established

Finally, the remote controller operates the UAV

The first two steps complete automatically when the remote controller and the UAV are powered on, but to hijack the UAV we have to reproduce these two steps ourselves in order to gain control of it.

Obtaining the first-pairing information exchanged between the UAV and the remote controller:

We used gqrx under Kali Linux to determine the frequency of the pairing information. With only the UAV powered on, the channel looks like the figure below: there is nothing in it.

After the remote controller is powered on, a large amount of traffic appears in the channel, as shown in the figure below.

From this we can see that the first-pairing information is sent only by the remote controller, and the UAV only receives it. Therefore we can record that band to capture the pairing process and use the recording to simulate the remote controller pairing with the UAV.

HackRF command for recording the information:

hackrf_transfer -r fly.raw -f 2479000000 -g 16 -l 8 -s 8000000 -b 4000000

Running the above command on Kali Linux gives the result shown in the figure below:

Obtaining the second-pairing information of the UAV:

After obtaining the first-pairing information, we need to obtain the second-pairing information.

The second-pairing information is more complex than the first, because once the first pairing completes, an ACK mechanism is introduced in the second pairing to make sure the UAV actually receives the second-pairing data.

Therefore, although a replay attack still works in this step, the second-pairing data segment has to be replayed several times because of the ACK mechanism. The recording procedure itself is the same as for the first pairing.

Once the above frames have been obtained, the flight-control information can be captured. It is handled the same way as the second-pairing data, except that we must make sure the recording of control information is long enough, so that the PID mechanism does not discard the replayed signal as a duplicate frame.

The happy replay process:

In the previous post on doorbell replay we used GNU Radio to replay the signal. It has to be said that the graphical software saves a lot of steps.

This time, however, we replay the recorded signal directly with hackrf_transfer. We wrote the operation as a shell script, so all we have to do is run it. The script is as follows:


hackrf_transfer -t flystart.raw -f 2479000000 -a 1 -s 8000000 -b 4000000 -x 47  

hackrf_transfer -t flying.raw -f 2479000000 -a 1 -s 8000000 -b 400000 -x 47  


With this, we have hijacked the UAV.


As you can see, the aircraft is flying normally at the start.

Then we use the HackRF to play the pre-recorded descent data, and the aircraft descends.

The script is very simple; can't wait to try it!

Special attention:

Because of the ACK and PID mechanisms, make sure the UAV and the remote controller are both powered on when recording the signal; otherwise the recording is very likely to be unusable!

During the experiment there were many devices working in the 2.4 GHz band, such as WiFi and Bluetooth, so find a place with a cleaner radio environment for this experiment!

Safety tips:

During our research we found that this UAV has the following weaknesses: first, the PID field is not long enough, so a replay attack can be carried out with only minor adjustments; second, the security potential of the ACK mechanism is not fully used, and the chip's bidirectional authentication function is not implemented in the firmware.

We also hope the manufacturer can fix these two issues to make the UAV safer.
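To make the two weaknesses above concrete (the two-bit PID discussed in the data-format section and the unused authentication), here is an added simulation that is not code from this post or from the chip vendor: a receiver that only de-duplicates on PID accepts a recorded sequence of frames when it is fed in a second time, while a hypothetical receiver with a monotonic counter bound to a shared-key MAC rejects it. The HMAC-based design, the key and the sample frames are constructed assumptions, not the UAV's real protocol.

```python
import hmac, hashlib

# Simplified model of the receiver behaviour the post describes: an
# XN297/nRF24-style 2-bit PID plus payload is compared only with the
# previous frame, so it de-duplicates retransmissions, nothing more.
class PidOnlyReceiver:
    def __init__(self):
        self.last = None            # (pid, payload) of the last accepted frame

    def receive(self, frame):
        pid, payload = frame
        if self.last == (pid, payload):   # same PID and content: a retransmit
            return False
        self.last = (pid, payload)
        return True

def tag(key, counter, payload):
    # 64-bit truncated HMAC over counter || payload (hypothetical design)
    msg = counter.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

# Hardened receiver (a hypothetical fix, not the vendor's firmware): a
# monotonic 32-bit counter authenticated with a shared-key MAC, so an old
# recording fails the counter check even though every frame is genuine.
class CounterMacReceiver:
    def __init__(self, key):
        self.key, self.highest = key, -1

    def receive(self, frame):
        counter, payload, mac = frame
        if counter <= self.highest or not hmac.compare_digest(mac, tag(self.key, counter, payload)):
            return False
        self.highest = counter
        return True

def simulate():
    # Constructed sample: three control frames, then the same capture fed
    # to each receiver a second time, which is what a replay amounts to.
    live = [(0, b"throttle-up"), (1, b"throttle-up"), (2, b"descend")]
    weak = PidOnlyReceiver()
    weak_live = sum(weak.receive(f) for f in live)
    weak_replay = sum(weak.receive(f) for f in live)
    key = b"constructed-shared-key"
    auth = [(i, p, tag(key, i, p)) for i, (_, p) in enumerate(live)]
    strong = CounterMacReceiver(key)
    strong_live = sum(strong.receive(f) for f in auth)
    strong_replay = sum(strong.receive(f) for f in auth)
    return weak_live, weak_replay, strong_live, strong_replay
```

simulate() returns how many frames each receiver accepted live and on replay: the PID-only receiver takes all three both times, the counter-and-MAC receiver takes three live and none on replay.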

*Author of this article: network security; please cite the source when reprinting.