
Hacking the Phantom 2.0






Presentation Transcript


  1. Hacking the Phantom 2.0 by Team Reaper Jacob, Kyle, and Scott

  2. Agenda • Hacking plans recap • Problems with hacking plans • New plan and sniffing SPI data • Interpreting the data • What we discovered • Future work • Questions

  3. Original Plan Prototyping system End goal

  4. Problems With Prototyping
  • Custom transceiver uncertainties
    • Used a transceiver module from DJI
    • Solved likely antenna and RF problems
    • Provided 100% accurate configuration information
  • Raspberry Pi problems
    • No silicon for SPI slave mode (master only)
    • Use GPIO to read SPI signals
      • I/O clock too slow; misses and aliases data
      • Operating system interferes with timing; misses more data

  5. New Plan
  • Use an FPGA to build an SPI bus sniffer
    • Custom hardware
    • Extremely fine-grained control
    • Very fast
    • Very complicated (VHDL)
  • Output snooped SPI data to the FTDI chip on the FPGA board
  • Read the FTDI chip into a C program on a computer

  6. Receive Side Snooping: Block Diagram

  7. Receive Side Snooping: Physical

  8. FPGA Simulations: Overview

  9. FPGA Simulations: Getting SPI Data

  10. FPGA Simulations: Output to FTDI

  11. Interpreting the Data (configuration)
  • Write register 0x1d value 0x19 MODE_OVERRIDE
  • Write register 0x32 value 0x3c AUTO_CAL_TIME
  • Write register 0x35 value 0x14 AUTO_CAL_OFFSET
  • Write register 0x1b value 0x55 TX_OFFSET_LSB
  • Write register 0x1c value 0x05 TX_OFFSET_MSB
  • Write register 0x06 value 0x4a RX_CFG *
  • Write register 0x10 value 0xe8 FRAMING_CFG
  • Write register 0x03 value 0x09 TX_CFG *
  • Write register 0x0c value 0xc4 XTAL_CTRL
  • Write register 0x0d value 0x04 IO_CFG
  • Write register 0x0e value 0x80 GPIO_CTRL
  • Write register 0x1e value 0x08 RX_OVERRIDE
  • Write register 0x15 value 0xbc CRC_SEED_LSB
  • Write register 0x16 value 0x8e CRC_SEED_MSB
  • Write register 0x0f value 0x21 XACT_CTRL
  • Write register 0x0e value 0x80 GPIO_CTRL
  • Write register 0x22 value 0x82c79036219eff17 *
  • Write register 0x1e value 0x08 RX_OVERRIDE
  • Write register 0x15 value 0xbc CRC_SEED_LSB *
  • Write register 0x16 value 0x8e CRC_SEED_MSB *
  • Write register 0x00 value 0x18 CHANNEL
  • Write register 0x05 value 0x83 RX_CTRL *
  * Configuration unique to the Phantom

  12. Interpreting the Data cont.
  • Write register 0x1d value 0x19 MODE_OVERRIDE
  • 0x19 is 00011001 in binary

  13. Interpreting the Data cont.
  • Write register 0x32 value 0x3C AUTO_CAL_TIME
  • 0x3C is 00111100 in binary

  14. Interpreting the Data cont.
  • Write register 0x1b value 0x55 TX_OFFSET_LSB
  • 0x55 is 01010101 in binary
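Slides 11 through 14 list the sniffed writes as register, value and name, then expand single values to binary. The decoder below is an added example (not the team's C program) that turns raw SPI frames into that listing; it assumes the CYRF6936 command-byte layout from the Cypress datasheet (bit 7 direction, 1 = write; bit 6 auto-increment; bits 5:0 address), and the sample frames are constructed to reproduce a few of the captured writes.

```python
# Decoder for sniffed CYRF6936 SPI frames: an added example, not the team's C
# program. Command-byte layout assumed from the datasheet: bit 7 = direction
# (1 = write), bit 6 = auto-increment, bits 5:0 = register address.
REGISTER_NAMES = {  # names the slides attach to the captured writes
    0x00: "CHANNEL", 0x03: "TX_CFG", 0x05: "RX_CTRL", 0x06: "RX_CFG",
    0x0C: "XTAL_CTRL", 0x0D: "IO_CFG", 0x0E: "GPIO_CTRL", 0x0F: "XACT_CTRL",
    0x10: "FRAMING_CFG", 0x15: "CRC_SEED_LSB", 0x16: "CRC_SEED_MSB",
    0x1B: "TX_OFFSET_LSB", 0x1C: "TX_OFFSET_MSB", 0x1D: "MODE_OVERRIDE",
    0x1E: "RX_OVERRIDE", 0x22: "SOP_CODE_ADR", 0x32: "AUTO_CAL_TIME",
    0x35: "AUTO_CAL_OFFSET",
}

def decode_frames(frames):
    """Each frame is the byte sequence clocked while chip select was
    asserted. Returns (is_write, address, value_bytes) per register access."""
    accesses = []
    for frame in frames:
        if not frame:
            continue  # glitch: select asserted with no clocks
        cmd, payload = frame[0], frame[1:]
        is_write = bool(cmd & 0x80)
        auto_inc = bool(cmd & 0x40)
        addr = cmd & 0x3F
        if auto_inc:
            # each following byte lands in the next register address
            for offset, byte in enumerate(payload):
                accesses.append((is_write, (addr + offset) & 0x3F, bytes([byte])))
        else:
            # burst into one multi-byte register, e.g. the 8-byte SOP code
            accesses.append((is_write, addr, bytes(payload)))
    return accesses

def describe(access):
    """Render one access the way slides 11-14 list them, plus the binary form."""
    is_write, addr, value = access
    verb = "Write" if is_write else "Read"
    name = REGISTER_NAMES.get(addr, "UNKNOWN")
    if len(value) == 1:
        return f"{verb} register 0x{addr:02x} value 0x{value[0]:02x} {name} ({value[0]:08b})"
    return f"{verb} register 0x{addr:02x} value 0x{value.hex()} {name}"

# Constructed frames reproducing writes from slide 11; the last packs the two
# CRC seed writes into one auto-increment frame to exercise that path.
SAMPLE_FRAMES = [
    bytes([0x80 | 0x1D, 0x19]),                  # MODE_OVERRIDE
    bytes([0x80 | 0x32, 0x3C]),                  # AUTO_CAL_TIME
    bytes.fromhex("a282c79036219eff17"),         # SOP_CODE_ADR burst
    bytes([0x80 | 0x40 | 0x15, 0xBC, 0x8E]),     # CRC_SEED_LSB, then MSB
]
```

Feeding the frames captured by the FPGA sniffer through `describe` yields lines in the same form as slide 11, so a re-capture can be diffed against the list on that slide.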

  15. Pairing
  • Step 1: the receiver (on the drone) picks an arbitrary channel for communication
  • Step 2: monitor the receive signal strength indication (RSSI) and the receive-data interrupt
  • Step 3: if no data arrives within the timeout, increase the channel and repeat step 2; otherwise, write the channel value to non-volatile memory
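A simulation of the three pairing steps above, added here as an example rather than anything from the DJI firmware. The radio stand-in, the RSSI threshold and the non-volatile store are constructed; the 36-channel limit is the figure quoted on the "Control Multiple Drones" slide, and the transmitter is placed on 0x18 because that is the CHANNEL value in the captured configuration.

```python
# Channel-scan pairing from the Pairing slide, as an added simulation (not
# DJI firmware). The radio, RSSI threshold and NVM store are constructed.
CHANNEL_LIMIT = 36    # channel count quoted on the multiple-drones slide
RSSI_THRESHOLD = 10   # constructed; the slides give no threshold

def pair(radio, start_channel, timeout_ms=50, nvm=None):
    """Step 1: start on an arbitrary channel. Step 2: watch RSSI and the
    receive-data interrupt for timeout_ms. Step 3: no data -> next channel;
    data -> store the channel in non-volatile memory (nvm) and return it.
    Returns None after one full sweep with nothing heard instead of
    scanning forever."""
    nvm = {} if nvm is None else nvm
    for step in range(CHANNEL_LIMIT):
        channel = (start_channel + step) % CHANNEL_LIMIT  # wrap past the limit
        rssi, data_ready = radio(channel, timeout_ms)
        if data_ready and rssi >= RSSI_THRESHOLD:
            nvm["channel"] = channel
            return channel
    return None

def make_radio(tx_channel, rssi):
    """Constructed radio: a transmitter is present on exactly one channel;
    every other channel times out with no data and zero RSSI."""
    def radio(channel, timeout_ms):
        if channel == tx_channel:
            return rssi, True
        return 0, False
    return radio

# Transmitter on 0x18 (the CHANNEL value from the captured configuration),
# scan started at channel 30 so the sweep has to wrap around to find it.
NVM_STORE = {}
PAIRED_CHANNEL = pair(make_radio(0x18, rssi=40), start_channel=30, nvm=NVM_STORE)
```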

  16. Interpreting the Data: Demonstration

  17. Possible Future Work
  • Hacking the current wireless communications opens many doors
  • The following slides explain only a few options

  18. Completely Autonomous Flight
  • Use a single-board computer (SBC) to script flights
  • Use timers to send a wireless command to the drone for a specific amount of time

  19. Attach an SBC to the Drone
  • Spoof the wireless transmitter using the SBC
    • No more wireless communications
    • Unable to remotely jam or take control of the drone
  • Local image processing
    • Fly around using local landmarks
    • Follow specific people
  • Integrate with the Phantom's GPS
    • Move around by GPS coordinates

  20. Google Maps App
  • Click and go

  21. Control Multiple Drones
  • SPI communications can be fast enough to switch between channels to control multiple drones (up to the channel limit of 36) independently from one custom controller
  • Pair each drone to a specific channel

  22. Swarm
  • Autonomous swarming
  • Drones know where each other are using proximity sensing
    • Kyle's Bluetooth pedestrian guidance
    • Sonar
    • Local cameras
  • No need for outside computation
  • No need for wireless communications for control if the drones have a preprogrammed objective

  23. Replace Wireless Module
  • Use a custom wireless module on the wireless side
  • Spoof the current wireless module on the SPI side
    • Requires no change to the NAZA controller
  • $40 Digi-RF radio modules are capable of a line-of-sight range of 28 miles with a high-gain antenna
  • Completely customize the wireless packet
  • Can be low power on the drone side if they only receive
  • Mesh networks
    • Use other drones as repeaters

  24. Constraints
  • 2.2 lb payload
  • Battery life
  • Law
    • Doesn't matter if you intend to do something illegal

  25. References
  • http://www.dronefly.com
  • http://www.dji.com
  • http://www.cdc.gov/niosh/ershdb/EmergencyResponseCard_29750002.html
  • https://sites.google.com/site/mrdunk/interfacing-cypress-cyrf6936-to-avr-microcontrollers
  • http://www.cypress.com/?docID=30520
  • http://www.cypress.com/?docID=28606
