How to help Ukrainian drone operators not to get killed (DJI hacking)

Continuing the discussion from Ukraine Invaded by the Russians - April 2022:

This “getting killed” part makes me think that some avid hackers should urgently provide solutions.

Problem: Chinese DJI drones transmit an unencrypted clear-text signal called “Aeroscope”. This signal identifies the drone and also broadcasts its GPS coordinates (and possibly also the coordinates of the controller).

DJI offers an Aeroscope device that can receive that signal and show the position of all drones nearby. That’s what Russians use for targeting drone operators with artillery (not landmines, of course, as the boy in the video says).

Theoretically there are several options for how to prevent the Russians from finding drone operators in this way. I can think of these 8 + 1:

  1. Disable this signal
  2. Jam this signal, so that it can’t be received well
  3. Modify the content of this signal to make it useless or inaccurate
  4. Modify or disable the input that the drone gets (GPS)
  5. Send many additional garbage signals, so that the receiver doesn’t know which one to attack
  6. Make the sending more directional, so that the controller direction gets the signal clearly but the enemy direction doesn’t
  7. Remote control the controller, so that no one is actually near it
  8. Reverse engineer the Aeroscope device and craft a signal that disables it (or maybe even somehow allows locating it)

Bonus: create fake signals (regardless of drone usage) that make Russians shell their own positions if they don’t pay enough attention ^^

After a bit of googling I guess the easiest option is to use aluminum foil to cover the GPS receiver area on the drone (and possibly the controller), preventing the drone from knowing where it is and broadcasting that info. As far as I understand the drone will without GPS only fly up to a certain height (30m?) which might not be enough. Also there might be other limitations, so having GPS generally active might be beneficial for the operator.

So, unless this signal is essential for the drone control (and not just additional), the cleanest way would be to hack the firmware(s) to simply not send it. I’m guessing the drone only has one sender/receiver though, which is also used for the flight control functions - if it’s a separate sender then it could be shielded to not allow the signal out.

Depending on how the GPS is implemented, maybe putting a microcontroller between the GPS chip and the chip that does the signal sending could work: modifying the GPS position (for example, shift it by a kilometer in a safe/empty direction). No idea about current GPS chips, but back in the day when I did GPS firmware “hacking”, the data transmission was trivial (serial protocol, clear text).

Any further ideas?

@slawa, @Marco, @au - wouldn’t a CNN headline like “Taiwan hackers help Ukraine win war” be good promotion for our beloved island nation?

4 Likes

howto:start [dji.retroroms.info]

Maybe there is a way to change the software?

1 Like
1 Like

While it sounds like an interesting technical challenge - it irks me that my DJI is basically a mobile extension of the CCP’s surveillance network - I’m not sure it’d be a great idea for a State in Taiwan’s precarious position to get involved in a war on the other side of the planet, however tangentially …

I’m thinking the simplest solution would be to add an extra radio transceiver to the drone to detect each Aeroscope transmission and overwhelm it with a burst of noise (i.e., 2 on your list). You wouldn’t even need to swamp the whole transmission, just enough of it to make the FEC fail.

1 Like

I recently read that very old DJI models cannot be detected by Aeroscope… like pre-2014 models that use one-way transmission? 🤷‍♂️

Definitely remote controlling the controller is best practice for the first few attempts, no need to risk safety/life from assuming obscurity…

1 Like

Great link, thanks! It could be challenging to change all firmwares of all possible drone types, but it seems like a technically ideal solution.

This link also shows that the GPS is on a separate module, attached by a wire with a plug. Should be easy to build an interposer board that filters and modifies the GPS coordinates on the fly.

The advantage would be that everything in the drone is left as it was, so all functions likely would stay usable (including returning to where it started). The only difference would be that whenever the drone position is shown on a map, it would be off by a pre-determined amount.

If you are the enemy, that would make the intercepted signal useless for you, or worst case even dangerous (if the starting/landing coordinates are on other enemy positions).

For the operator it wouldn’t matter much, since they would know how to correct for the error that they intentionally introduced.

Yep, models built before the introduction of this feature seem safe from this easy detection method.

Of course, with enough engineering energy the enemy could still detect the drone through triangulation or of course radar, but not as easily as currently.

1 Like
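The first post and the interposer-board reply above both rest on the serial link between the GPS module and the flight controller carrying clear-text position sentences (typically NMEA 0183). The following is an added example, not code from this thread, from DJI or from the linked wiki: a Python parser for the GGA fix sentence that validates the checksum and applies plausibility checks. It shows the security-relevant point from the defender's side: the trailing XOR checksum only guards against line noise and authenticates nothing, so a flight controller cannot distinguish a genuine fix from one altered in transit, and the most it can do is reject malformed or implausible fixes. The sample sentences are constructed (the first is the widely reproduced textbook GGA example).

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class GgaFix:
    utc: str
    lat: float        # signed decimal degrees
    lon: float
    quality: int      # 0 = no fix, 1 = GPS fix, 2 = differential
    satellites: int
    altitude_m: float

def nmea_checksum(body: str) -> int:
    """XOR of every byte between '$' and '*'. It catches line noise but is not a
    MAC: anything on the serial line can rewrite a fix and recompute it."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs

def checksum_ok(sentence: str) -> bool:
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, given = sentence[1:].rstrip("\r\n").partition("*")
    try:
        return nmea_checksum(body) == int(given, 16)
    except ValueError:
        return False

def _dm_to_deg(value: str, hemi: str) -> float:
    """Convert NMEA ddmm.mmmm / dddmm.mmmm plus hemisphere to signed degrees."""
    dot = value.index(".")
    deg = int(value[: dot - 2]) + float(value[dot - 2:]) / 60.0
    return -deg if hemi in ("S", "W") else deg

def parse_gga(sentence: str) -> Optional[GgaFix]:
    """Return a plausible fix, or None if the sentence is invalid, reports no fix or is implausible."""
    if not checksum_ok(sentence):
        return None
    f = sentence[1:].split("*")[0].split(",")
    if len(f) < 10 or not f[0].endswith("GGA"):
        return None
    try:
        fix = GgaFix(f[1], _dm_to_deg(f[2], f[3]), _dm_to_deg(f[4], f[5]),
                     int(f[6]), int(f[7]), float(f[9]))
    except ValueError:   # empty or malformed field (e.g. lat/lon blank when there is no fix)
        return None
    implausible = fix.quality == 0 or fix.satellites < 4 or abs(fix.lat) > 90 or abs(fix.lon) > 180
    return None if implausible else fix
SAMPLE_FIX = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47"  # constructed textbook sample
SAMPLE_NO_FIX = "$GPGGA,123519,,,,,0,00,,,M,,M,,*6B"  # constructed: receiver reports no fix
```

Any single-character edit to a sentence fails `checksum_ok`, but because the checksum is a plain XOR anyone with access to the line can recompute it, which is exactly why an interposer works and why the flight controller gains nothing from the checksum as a trust signal.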

Such is the way of MANY Chinese products, including apps. And the way it works over there the government and the company really cannot be separated. So if the company is doing something, it certainly has CCP approval.

1 Like

Yup, that could work if Aeroscope is a separate transmission, not part of the 2-way communication between drone and controller.

Ah, good point. I was assuming it was an entirely separate stream of wireless packets, but it could well be embedded into the stream of communication between drone and controller at the application layer.

2 Likes