DJI – The ART of obfuscation
PaulHoule | 233 points | 17mon ago | blog.quarkslab.com
matsemann|17mon ago
10 years ago I "reverse engineered" the protocol of their controllers so that I could use it for drone simulators on my PC. When plugging in the controller to update the firmware, I noticed their software could read stick positions. So I just dumped all the data on the serial and looked at what changed and what remained static when moving one stick all the way to the left, right etc. And just copied the patterns of whatever the software used to prod the controller. Then I used a joystick library to emulate my readings as an xbox controller.
https://github.com/Matsemann/mDjiController/
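The differential approach described above (dump frames in each stick position, then separate static header bytes, per-frame noise such as counters and checksums, and the bytes that track the stick) as an added Python example. This is not code from the post or from the linked repository; the 8-byte frame layout and all sample frames are constructed here for illustration and are not DJI's real format.

```python
# Differential analysis of captured controller frames.  The frame layout and
# every byte below are constructed for illustration; this is not DJI's format.
FRAME_LEN = 8

def make_frame(x, y, counter):
    """Constructed frame: header, sequence counter, 16-bit LE X and Y, XOR checksum, trailer."""
    body = bytes([0x55, counter & 0xFF]) + x.to_bytes(2, "little") + y.to_bytes(2, "little")
    chk = 0
    for b in body:
        chk ^= b
    return body + bytes([chk, 0xAA])

def build_captures():
    """One capture (five consecutive frames) per stick position, as a serial dump would yield."""
    positions = {"neutral": (1024, 1024), "left": (0, 1024), "right": (2047, 1024),
                 "up": (1024, 2047), "down": (1024, 0)}
    return {name: [make_frame(x, y, n) for n in range(5)] for name, (x, y) in positions.items()}

def varying_within(frames):
    """Offsets that change between frames of a single capture: counters, checksums, noise."""
    return {i for i in range(FRAME_LEN) if len({f[i] for f in frames}) > 1}

def static_across(captures):
    """Offsets identical in every frame of every capture: fixed header/trailer bytes."""
    frames = [f for fs in captures.values() for f in fs]
    return {i for i in range(FRAME_LEN) if len({f[i] for f in frames}) == 1}

def axis_offsets(captures, neutral="neutral"):
    """Per moved position: offsets stable in both captures that differ from the neutral capture."""
    base = captures[neutral]
    noisy = varying_within(base)
    result = {}
    for name, frames in captures.items():
        if name == neutral:
            continue
        stable = set(range(FRAME_LEN)) - noisy - varying_within(frames)
        result[name] = sorted(i for i in stable if frames[0][i] != base[0][i])
    return result

def axis_byte_map(captures, sweeps, neutral="neutral"):
    """Union over both extremes of a sweep: one extreme alone can miss a byte whose
    value happens to equal neutral (here the low X byte is 0x00 both centred and left)."""
    found = axis_offsets(captures, neutral)
    return {axis: sorted(set(found[a]) | set(found[b])) for axis, (a, b) in sweeps.items()}

if __name__ == "__main__":
    caps = build_captures()
    print("static:", sorted(static_across(caps)))
    print("per position:", axis_offsets(caps))
    print("axes:", axis_byte_map(caps, {"x": ("left", "right"), "y": ("down", "up")}))
```

Comparing only one extreme against neutral under-reports the X field; sweeping both extremes recovers both bytes, which is why the post moved each stick "all the way to the left, right etc."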
sverhagen|17mon ago
I worked for a company that had a cloud solution to manage drone fleets, and we tried ingesting log files. We had a small team working on that, and we were grateful to use and/or learn from what was available in GitHub repositories like yours (although I don't recognize yours specifically). There was a lot of trial and error, a lot of magic numbers, and stuff was still wrong half the time. And then... they leveled up the encryption of the log files, and it was game-over. Their new solution gave limited access to vendors willing to work through the legalities. If I remember correctly, it required the log file, or at least parts of it to be uploaded to get the keys to unlock it. Not something US companies, like big utilities, were very keen on.
Zuiii|17mon ago
I've always been interested in buying a dji drone but never pulled the trigger precisely because of crap like this. Give me a well documented interface and don't call home/include IoT.
Is it really that hard?
sverhagen|17mon ago
It's not that hard, but that's not what DJI offers. Their business (and, who knows, maybe political) incentives are different, so they chose a closed, guarded system. By the way, it's what everyone did in the 80's/90's, so why would some contingent of companies not be that way now.
eigenvalue|17mon ago
Seems like it's basically impossible to ever prevent this kind of black box strategy. It's similar to the problem of secure DRM on videos-- at some point you need to decode the stuff to play it on the screen, and you can intercept it at that point. They need to send the commands to the drone in a timely way for it to work, and you can control those commands and know what commands you're sending. Although I guess they could XOR that command stream with some kind of one-time pad or something so you can never mimic it going forward, so maybe not? But whatever the stream of bits getting XORed to the command stream, that would need to exist in the memory in the drone unit, so with enough persistence and skill maybe you could crack it for a particular drone at least. I guess all they need to do is make it uneconomically hard to do for an arbitrary individual drone unit.
MartijnBraam|17mon ago
This looks like the DJI CAN bus protocol used for the accessory ports on at least the DJI RS2. There's some documentation for the headers in the protocol in the DJI RS2 SDK pdf.
matsemann|17mon ago
Cool that it's now a usable SDK. Afaik there was nothing when I made this a decade ago, but perhaps I didn't look in the correct places or ask the correct people.
dji4321234|17mon ago
It's called DUML/DUSS, there's a lot of documentation about it in http://github.com/o-gs/dji-firmware-tools
sagz|17mon ago
There's also something fishy about DJI in that their Android app to control their drones is intentionally not listed on the Play Store. I've never seen a manufacturer require side loading.
Anyone know why it's not on the Play Store? (On iOS it is on the App Store, well because there isn't another way till this DMA thing kicks in)
londons_explore|17mon ago
The play store is banned in China. So sideloading/alternate app stores are the main way most users install apps there.
Their China-based engineers might not even consider it important to support the Play Store.
As a non-US citizen, I frequently see how US based engineering teams just don't understand local markets/customs. This is just being on the other side of that.
BoiledCabbage|17mon ago
And yet tons of other apps from China seem to make it to the play store. And it's not like DJI isn't aware of how many devices they sell overseas.
It's almost as if it were intentional.
lazide|17mon ago
Android isn’t a huge market segment for high end drones, and when it is, it’s almost always purpose specific/dedicated devices. ‘Juice not worth the squeeze’ and all.
vetinari|17mon ago
Their dedicated controllers use AOSP under the hood.
But since they control the entire device, there's no need for Play Framework, Play Store and whatever is needed for certification just to ship it.
lazide|17mon ago
Yup. Aka dedicated devices.
dheera|17mon ago
> And yet tons of other apps from China seem to make it to the play store.
The Play Store versions of some of those apps are likely not the same as the side-loaded version.
dylan604|17mon ago
It's precisely those differences that make me concerned about what they are doing with the side loaded versions.
secretsatan|17mon ago
They recently dropped support for the iOS SDK and stopped releasing new versions, they've been moving away from iOS in general in favour of using their own controllers.
That they don't want to release through the official android app stores for a free app is a bit sus.
m-p-3|17mon ago
We clamped down our MDM policies to disallow sideloading on corporate devices. When we asked DJI when they planned to submit their app to the Play Store, they basically told us never, so we decided to remove all DJI drones from our fleet.
neom|17mon ago
What did you replace the DJI drones with?
ikekkdcjkfke|17mon ago
Buy cheap dedicated motorolas?
bandergirl|17mon ago
> Anyone know why it's not on the Play Store?
Can’t think of any reason that isn’t sketchy. The article gives a clue already.
If the app passes Apple’s review, then it could pass Google’s review.
sschueller|17mon ago
You can side load android, you can't side load Apple (without jailbreak). Having to deal with two review processes instead of just one saves money and headaches. Also since they are dealing with US sanctions they probably had to fill out all kinds of stuff and submit that to Apple which they would also have to do for Google but again, they can just side load instead.
LoganDark|17mon ago
> You can side load android, you can't side load Apple (without jailbreak).
Did Cydia Impactor stop working or something? Sure you need a developer account, but then you can use the account to sideload any third-party IPA.
rnmmrnm|17mon ago
See the Epic suit, I guess.
dheera|17mon ago
I don't use their app at all, I just use the DJI RC. In any case I wouldn't recommend controlling a drone from a phone running a bunch of background tasks that may pop up notifications and phone calls while you're trying to dodge obstacles.
dylan604|17mon ago
Do not disturb mode is your friend here, or even airplane mode.
rideontime|17mon ago
Wouldn't airplane mode prevent you from communicating with the drone?
zero_iq|17mon ago
No, it doesn't.
The phone doesn't need to broadcast anything to control the drone directly. The phone talks to the remote control unit, which is what broadcasts signals to control the drone. You don't need wifi or mobile internet, or even bluetooth to fly a DJI drone (the phone connects by cable to the remote control unit).
(Actually, that's not 100% true -- if you're in a locked zone that requires permission to fly (such as near airfields or other protected sites), you will need internet access to start your flight and unlock the zone using your DJI account. Otherwise the drone may refuse to fly into restricted zones.)
You don't even need the phone at all -- the remote unit is quite capable of controlling the drone in flight with the phone switched off.
dylan604|17mon ago
Why? It just turns off the cell radio. Wifi/bluetooth is still enabled, or at least they can be re-enabled if they are turned off.
rideontime|17mon ago
Don't people typically fly their drones outdoors?
dylan604|17mon ago
[flagged]
Saris|17mon ago
As I remember their app downloads a binary package after installation from an unknown source, and that's against Google ToS as far as I know.
malermeister|17mon ago
Here's a dark conspiracy theory for ya: Consumer drones (including DJIs) are being used in warfare more and more frequently, including the war in Ukraine.
The Chinese government, while not openly supporting Russia, has been repeatedly accused of covertly doing so. Imagine what kind of harm a device used for reconnaissance could do if it secretly works for the other side.
Staple_Diet|17mon ago
That's not a theory as much as it is an acknowledged fact, and why DJI are banned from many 5-Eyes facilities.
L_226|17mon ago
no even that - DJI are potentially collecting thousands if not millions of hours of telemetry about how small drones are used in real-life combat. This is absolutely invaluable to developing countermeasures or optimising their own offensive platforms.
tomaskafka|17mon ago
Also mapping all of the western world, and sending the most detailed 3D maps of western infrastructure to servers of a company that's a part of the Chinese military complex.
sofixa|17mon ago
DJI's app wasn't on the Play Store for years before Russia invaded Ukraine, so that's somewhat unlikely.
spacebanana7|17mon ago
I don't have a source to hand, but I've heard their drones were used in Syria for several years before Ukraine
sannee|17mon ago
If my Googling is correct, it seems to have been removed around 2020-2021. Russia first invaded Ukraine in 2014 though.
swells34|17mon ago
China effectively banned the Play Store in 2010. Your Google-fu leaves something to be desired.
https://cybernews.com/resources/how-to-access-google-play-ap...
jedilord|17mon ago
[dead]
jijijijij|17mon ago
I very much assume involved militaries are aware of this possibility and are not blindly trusting Chinese consumer drones right off the shelves, having soldiers in every unit install random sideloaded apps. Lol.
They likely flash verified firmware and use a verified app version, not the latest one from DJI's website... Maybe they have their own code by now, especially with reconnaissance drones. The Ukrainians probably need to do this, not just because of the obvious possibility of a "backdoor", but for RF adaptability in the EM warfare situation.
I would worry more about contractor John Doe bringing a compromised private phone to a government or industrial facility. Not sure a high-res video feed from a drone could be easily exfiltrated unnoticed, anyway, since they usually don't come with WWAN hardware built in. But the phone itself would be able to do all sorts of reconnaissance and become an attack vector in a sensitive context. Then again, this is not specific to drone (software), but all untrusted software people install.
WhereIsTheTruth|17mon ago
Are you suggesting we should ban Starlink because it is used in warfare both in Ukraine and in the middle east?
sverhagen|17mon ago
If you're very principled about it: possibly, probably, yes?
Otherwise, it might depend whose side you're on?
travoc|17mon ago
Hah, everybody is principled until the first bullet whizzes by.
dylan604|17mon ago
It's not any different from people that do not shop at WalMart, Amazon, etc. because of differences with the corporation. It's not hard once you quit making excuses.
randall|17mon ago
https://twitter.com/AustingrahamZ1/status/102938549721336627...
WhereIsTheTruth|17mon ago
Perhaps I expect too much from ordinary people.
https://www.businessinsider.com/elon-musk-tesla-spacex-secre...
yard2010|17mon ago
No conspiracy here, just hard cold truth.
dev1ycan|17mon ago
To submit an app you'd have to give free access to your source code to a potential rival; DJI is a huge brand, and it'd be easy for the US government to basically get access to such code and clone it.
I'm surprised people really think it's anything other than wanting to protect their IP.
notso411|17mon ago
[dead]
WhereIsTheTruth|17mon ago
When you are the leader in the market, you want to make sure your competition isn't able to reverse engineer your products, including Google.
danpalmer|17mon ago
Why would sideloading prevent Google from reverse engineering the product?
zakki|17mon ago
You meant google can't buy DJI product and Android phone to reverse engineer the product?
squarefoot|17mon ago
This, and also they still have the firmware which stays in the drone hardware and very likely is where the most important code is. Cloning the app wouldn't give much advantage to a competitor.
WhereIsTheTruth|17mon ago
That's the point: they are not forced to remove some protections to please Google and whoever is running Google.
https://qz.com/1145669/googles-true-origin-partly-lies-in-ci...
The drone business is important to the military industrial complex.
This however is akin to malware development; I wouldn't want to install such software.
nulld3v|17mon ago
Google accepts obfuscated apps though (even ones that are heavily obfuscated). I've never heard of anyone getting their app rejected due to obfuscation.