DIY DJI Aeroscope
Last updated
Last updated
This project is a receiver for DJI's Drone-ID protocol. The receiver works either live with an SDR, or offline on pre-recorded captures.
If you're looking for the fuzzer, we will upload that shortly :)
The live receiver was tested with:
Ettus USRP B205-mini
DJI mini 2, DJI Mavic Air 2
Our software is a proof-of-concept receiver that we used to reverse-engineer an unknown protocol. Hence, it is not optimized for bad RF conditions, performance, or range.
Research Paper attached here:
We provide sample files in the samples/
folder.
The samples were directly dumped from the first stage of the live receiver that detects candidate frames and performs no other data processing; it usually hands them directly to the rest of the code that you can test offline.
You can use inspectrum
to visualize the raw sample file:
Create a virtual environment for Python and install the requirements:
You can now run the decoder on the sample file:
The script performs detection and decoding just as the live receiver would. It prints the decoded payload for each Drone-ID frame:
The summary contains decoding stats and flight path. In the mini2_sm
sample, the drone did not have GPS coordinates locked yet, and only the smartphone's location is transmitted:
For samples/mavic_air_2
both locations are transmitted:
The live receiver additionally requires the UHD driver and quite powerful machines (for captures at 50 MHz bandwidth).
Environment:
Ettus USRP B205-mini
DJI mini 2, DJI Mavic Air 2
First, setup the Python environment. Due to the UHD driver, this does not work with a virtual environment. If you previously activated a virtual environment, exit that environment first. Install Python requirements:
Install UHD:
Run the receiver:
The receiver will hop through a list of frequencies and, if a drone is detected, lock on that band.
If you're looking for a deeper dive into the processing steps, we suggest calling the offline decoder with
--debug
. This will enable a GUI with step-by-step decoding.
First, the SpectrumCapture
class performs packet detection and splits the capture file into individual frames:
Some of these packets are false-positives and we do not expect successful decoding. Start and end are in seconds, so you can use inspectrum to take a look at individual frames.
Next, the Packet
class detects the Zadoff-Chu sequences and performs time and frequency offset corrections. It splits the frames into individual OFDM symbols.
The Decoder
class gets the OFDM symbols and demodulates the subcarriers using QPSK. We do not know the QPSK orientation here, hence, we simply brute-force the orientation. decoder.magic()
performs the descrambling and turbo-decode.
DroneIDPacket
unpacks the resulting bitstream into the Drone-ID struct. At this point the message could be decoded, but might be corrupted (CRC check needed).
CRC check FAIL is easy to spot by looking at the Serial Number (should read 'SecureStorage?'):
At the very end, we print some statistics:
So in total we decoded 18 packets, 14 with correct CRC. Again, this is expected as the sample file includes Drone-ID Frames with greatly varying quality.
Is DJI's Drone-ID the same as the standardized, Bluetooth or WiFi-based "Remote ID"?
No. DJI uses a dedicated wireless protocol for its Drone-ID, hence the need to implement an receiver.
Can I use this software to locate drones from other manufacturers?
No. This software decodes DJI-specific protocols. It does not work with WiFi or Bluetooth-based "Remote ID".
Can I locate drones without this software?
Maybe. Since late 2022, the US or EU started requiring drone manufacturers to implement "Drone Remote ID" - an international standard that works on top of WiFi or Bluetooth. You can use a smartphone app to locate drones that support the standard. New drones already feature WiFi/Bluetooth-based "Remote ID", and existing drones are gradually retrofitted (e.g., through firmware updates).
Where can I find more information on the WiFi/Bluetooth-based Remote ID?
Standard documents in EU: EN 4709, US: ASTM F3411. For practical information, check out this page by the FAA. If you're looking for an open-source implementation (e.g., Android apps), we suggest opendroneid.org and their Github repositories.
Are you going to improve the receiver, introduce new features, or port to another SDR?
We're not planning to include new features at this point. The tool is provided as artifact along our academic paper and enables researchers to reproduce our results, and to help study the privacy implications. It is not meant for productive, reliable localization of drones.
Is your receiver the only receiver available?
No. The code in proto17/dji_droneid was developed in parallel. We think it's great and if you're interested in details, you should take a look at both implementations.
If you would like to cite our work, use the following BibTex entry: