Hacking the Phantom
by Team Reaper: Jacob, Kyle, and Scott

Agenda
- Drone Overview
- Security Overview
- Hacking Plans
- Hardening Options

Drone Overview (prices from Dronefly.com)
- Base Drone: $479.00
- GoPro Hero 3 Black: $399.99
- 64GB High Speed Micro SD: $129.99
- Spare 2200 mAh Battery: $27.00
- Complete Starter Package: $1035.98

Drone Features
- Receiver range: 1000 m (0.6 miles)
- GPS: accurate within 0.8 m vertical, 2.5 m horizontal
- Wind compensation: max speed 10 m/sec (22 mph)
- Payload: 1000 grams (2.2 pounds)

Drone Modifications
- 2-axis gimbal: Zenmuse H3-2D, $699; more control and less "jello" in the video
- Fatshark First Person Video: can transmit from the GoPro, gives a live flight view, can record video from the goggles; $299.99
- Motors, blades, batteries

Drone Reactions
- People oblivious
- Turkey police
- Neighborhood spying
- YouTube

Current Hacks
Unable to find documentation on attacking the drone's wireless communication, only modifications.

Communications – High Level

Communications – Protocol
- 2.4 GHz Direct Sequence Spread Spectrum (DSSS)
- Unlicensed ISM band (2.400 GHz to 2.483 GHz)

Communications – Microcontroller
Atmel ATMEGA microcontroller: gives the drone's master controller an interface to the wireless module.

Communications – Chip
Cypress CYRF6936 – WirelessUSB LP 2.4 GHz Radio SoC
- Transmit power: up to +4 dBm
- Receive sensitivity: -97 dBm
- DSSS data rates up to 250 kbps; GFSK data rate of 1 Mbps
- 98 different channels available

Interface to Chip
- 4 MHz Serial Peripheral Interface (SPI)
- 4-pin serial communications protocol: SCK, MISO, MOSI, SS
- Easily implemented (e.g. on a Raspberry Pi)
- Used to configure and send data to the CYRF6936
Source: Cypress Semiconductor Corporation, Document #: 38-16015 Rev. *J, page 1

Data Transmission Modes
- GFSK (Gaussian frequency-shift keying) mode: 1 Mbps, no DSSS
- 8DR mode: 8 bits per symbol transmitted
- DDR mode: 2 bits per symbol transmitted
- SDR mode: 1 bit per symbol transmitted
Lower data rates reduce the error rate.

Typical Packet Structure
- GFSK and 8DR have a max payload of 40 bytes
- DDR and SDR have a max payload of 16 bytes
- Optional packet framing: SOP is required in GFSK and 8DR, optional in DDR, not supported in SDR
- If SOP is enabled, the length field is required; the length field is required in GFSK and 8DR modes
- CRC-16 has a configurable seed
Source: Cypress Semiconductor Corporation, Document #: 38-16015 Rev. *J, page 5
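The framing described on this slide, written out as a receiver-side validator. This is an added example, not code from the presentation or from Cypress: the 2-byte SOP value, the CRC-16 polynomial (0x1021, CRC-16-CCITT style) and the big-endian CRC byte order are assumptions made for illustration, and only the per-mode payload ceilings and the configurable seed come from the slide. The point it makes is the defender's one: the CRC catches corruption, but since the seed is just a configuration constant, a passing CRC says nothing about who sent the packet.

```python
"""Receiver-side framing check for the packet layout on the slide:
[SOP][LEN][PAYLOAD ...][CRC-16], payload ceiling depending on the
transmission mode, CRC seed being a configuration value.

Constructed example.  SOP value, CRC polynomial and CRC byte order are
assumptions; the real chip's values are not on the slides."""

# Per-mode payload ceilings from the "Typical Packet Structure" slide.
MAX_PAYLOAD = {"GFSK": 40, "8DR": 40, "DDR": 16, "SDR": 16}

SOP = b"\xA5\x5A"   # assumed start-of-packet marker (constructed value)
CRC_POLY = 0x1021   # assumed polynomial (CRC-16-CCITT style)


def crc16(data: bytes, seed: int) -> int:
    """Bitwise CRC-16 over `data`, starting from a configurable seed."""
    crc = seed & 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ CRC_POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_packet(payload: bytes, mode: str, seed: int) -> bytes:
    """Frame `payload` as SOP + length + payload + CRC-16(length + payload)."""
    if mode not in MAX_PAYLOAD:
        raise ValueError(f"unknown mode {mode!r}")
    if len(payload) > MAX_PAYLOAD[mode]:
        raise ValueError(f"payload of {len(payload)} bytes exceeds {mode} limit")
    body = bytes([len(payload)]) + payload
    return SOP + body + crc16(body, seed).to_bytes(2, "big")


def parse_packet(frame: bytes, mode: str, seed: int):
    """Validate a received frame; return (ok, payload, reason).

    The checks are the only ones this framing allows: SOP present, length
    field within the mode's ceiling and consistent with the frame size, and
    CRC matching under the configured seed.  A passing CRC shows only that
    the sender used the same seed; it does not authenticate the sender."""
    if len(frame) < len(SOP) + 1 + 2:
        return False, b"", "frame too short"
    if frame[:len(SOP)] != SOP:
        return False, b"", "missing SOP"
    length = frame[len(SOP)]
    if length > MAX_PAYLOAD[mode]:
        return False, b"", f"length {length} exceeds {mode} limit"
    body_start = len(SOP)
    body_end = body_start + 1 + length
    if len(frame) != body_end + 2:
        return False, b"", "length field does not match frame size"
    body = frame[body_start:body_end]
    received_crc = int.from_bytes(frame[body_end:], "big")
    if crc16(body, seed) != received_crc:
        return False, b"", "CRC mismatch"
    return True, body[1:], "ok"


if __name__ == "__main__":
    seed = 0x1234                      # constructed seed value
    pkt = build_packet(bytes(range(8)), "8DR", seed)
    print("valid frame:", parse_packet(pkt, "8DR", seed))
    print("wrong seed: ", parse_packet(pkt, "8DR", 0xBEEF))
    corrupted = pkt[:4] + bytes([pkt[4] ^ 0x01]) + pkt[5:]
    print("bit flip:   ", parse_packet(corrupted, "8DR", seed))
```

A single flipped payload bit and a mismatched seed both fail the CRC check in the same way, which is exactly why the CRC cannot be relied on as an access control: it distinguishes corrupted frames from intact ones, not authorized senders from unauthorized ones.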

Potential Hacking Options
- Targeted: take over control
- Interference (area of effect): jamming the 2.4 GHz ISM frequency band

Targeted Attack Plan: Prototyping
Items needed:
- Two transceiver chips
- Two breakout boards
- Two sets of supporting circuitry
Prototype both with a Raspberry Pi.

Prototyping Block Diagram

Targeted Attack Plan: System Investigation
- Use an oscilloscope to see the SPI signals from the microcontroller to the receiver chip on the DJI Phantom
- Determine how the CYRF6936 is configured for receiving data from the remote control
- Mimic the receiver chip configuration on the prototype system
- Stimulate the remote control and see what actions on the remote control correspond to data payload content

System Investigation Block Diagram

Targeted Attack: Custom Control
Once we have an understanding of the packet payload and operating modes, we can simulate the remote control and send commands to the DJI Phantom. We should receive some sort of acknowledge at least, hopefully some data feedback.

Targeted Attack: Field Trials
Use the Raspberry Pi and CYRF6936 in transmit mode to interfere with the existing communication between the remote control and the DJI Phantom:
- Change operating modes
- Send the DJI Phantom away, attempt to turn it off
- Send malformed packet payloads and see how it behaves

Targeted Attack: Field Trial Block Diagram

Potential Challenges
- Payload data may be encrypted (unlikely because of the small microcontroller connected to the CYRF6936)
- Scoping out the SPI configuration may take a while
- Interference between the Raspberry Pi and the remote control may result in erratic and non-deterministic behavior
- Range of the Raspberry Pi will be shorter than the remote control due to decreased signal integrity; if we were to build a custom PCB, we could overcome this and drastically increase the strength of the transmit signal with a power amplifier

Cost of Development
BOM:
- 2x 12 MHz Crystal (~$10)
- 2x CYRF6936 (~$10)
- 2x Breakout Board (~$25)
- 2x Antenna (~$5)
- 2x Passives (~$10)
Total cost ~$60
Time to develop estimated at 40 hours

Area of Effect: Jamming
- Need a lot of power for a small radius of jamming (need to be close to the operator)
- Possible to jam the 2.4 GHz frequency band
- FCC violations: jamming the 2.4 GHz band is illegal
- When the GoPro transmits video via the 2.4 GHz band, the DJI Phantom has erratic behavior and flies off; would expect a similar effect from jamming the transmitter

Hardening
- Encrypt the packet payload: requires more hardware, but possible
- Get a transceiver that has a wider bandwidth (1 GHz – 10 GHz) and implements dynamic frequency hopping: may not exist, but if it does it probably violates FCC regulations
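What "encrypt the packet payload" needs to look like for it to actually stop the targeted attack outlined earlier, as an added example that is not code from the presentation, from DJI or from Cypress. Encryption alone would still let a replayed or bit-flipped frame through, so the example does encrypt-then-MAC with a strictly increasing counter, and it checks that the result fits the 40-byte GFSK/8DR payload ceiling from the packet-structure slide. Assumptions: a 32-byte pairing key shared between remote and drone at pairing time, HMAC-SHA256 from the Python standard library used both as the keystream PRF and as the MAC, an 8-byte tag, and a 4-byte counter; a hardware AEAD such as AES-CCM would be the choice on a small microcontroller, which is the cost the slide refers to.

```python
"""Authenticated, encrypted control payload that fits the 40-byte payload
ceiling from the packet-structure slide.

Constructed example.  Pairing key, key-derivation labels, tag length and
counter width are assumptions; HMAC-SHA256 stands in for a proper AEAD so
the example runs with only the standard library."""

import hashlib
import hmac
import struct

PAYLOAD_LIMIT = 40   # GFSK / 8DR payload ceiling from the slides
COUNTER_LEN = 4
TAG_LEN = 8


def derive_keys(pairing_key: bytes):
    """Split the pairing key into independent encryption and MAC keys."""
    enc = hmac.new(pairing_key, b"phantom-enc", hashlib.sha256).digest()
    mac = hmac.new(pairing_key, b"phantom-mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, counter: int, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, counter || block_index), truncated."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">IB", counter, block),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(pairing_key: bytes, counter: int, plaintext: bytes) -> bytes:
    """Remote side: counter || ciphertext || tag, rejected if it would not fit."""
    enc_key, mac_key = derive_keys(pairing_key)
    header = struct.pack(">I", counter)
    ks = keystream(enc_key, counter, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    frame = header + ciphertext + tag
    if len(frame) > PAYLOAD_LIMIT:
        raise ValueError(f"{len(frame)}-byte frame exceeds {PAYLOAD_LIMIT}-byte payload")
    return frame


class Receiver:
    """Drone side: verify the tag, reject replays, then decrypt."""

    def __init__(self, pairing_key: bytes):
        self.enc_key, self.mac_key = derive_keys(pairing_key)
        self.last_counter = -1

    def open(self, frame: bytes):
        """Return the plaintext, or None with no state change on any failure."""
        if len(frame) < COUNTER_LEN + TAG_LEN:
            return None
        header = frame[:COUNTER_LEN]
        ciphertext = frame[COUNTER_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext,
                            hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return None
        counter = struct.unpack(">I", header)[0]
        if counter <= self.last_counter:               # replayed or stale frame
            return None
        self.last_counter = counter
        ks = keystream(self.enc_key, counter, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    key = bytes(range(32))                               # constructed pairing key
    sticks = struct.pack(">4H", 1500, 1500, 1000, 1500)  # constructed stick values
    drone = Receiver(key)
    frame = seal(key, 1, sticks)
    print(len(frame), "byte frame ->", drone.open(frame))
    print("same frame again ->", drone.open(frame))     # replay: None
```

Four stick channels plus counter and tag come to 20 bytes, so the scheme fits inside the 40-byte payload with room to spare. The counter must never repeat under one pairing key (the keystream would repeat with it), so a real implementation re-pairs or rekeys well before the 32-bit counter wraps; the receiver also deliberately leaves its counter untouched when a tag fails, so a garbage frame cannot lock out the legitimate remote.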

References
- http://www.dronefly.com
- http://www.dji.com
- http://www.cdc.gov/niosh/ershdb/EmergencyResponseCard_29750002.html
- https://sites.google.com/site/mrdunk/interfacing-cypress-cyrf6936-to-avr-microcontrollers
- http://www.cypress.com/?docID=30520
- http://www.cypress.com/?docID=28606