Thursday, November 16, 2017

DJI UAV Drone ID

Working with Department13, Kismet now supports the DroneID UAV telemetry extensions!

What is DroneID?

Drone ID is a set of records created by DJI (the drone/UAV company) for identifying UAVs.
DJI intends to release Drone ID as a public standard, but has preemptively enabled it across much of its hardware line. Through the efforts of several firmware reverse engineers (Freek van Tienen and Jan Dumon), we have the structure of the data being sent; more info is available in Freek's repository on GitHub.
A device with Drone ID enabled broadcasts the serial number, current location, height, horizontal and vertical speeds, pitch, roll, yaw, and the home location of the drone (where it took off from, and where it will return after a go-home command or loss of control).

Deep-diving into Drone ID

For more info about the Drone ID packet format and how it's used, check out the D13 white paper Anatomy of DJI Drone Identification Implementation.

Drone ID in Kismet

For Wi-Fi devices, the DroneID is attached to the beacon frame as a Vendor IE tag (tag 221); Kismet decodes this with a Kaitai parser and attaches it to the packet decoding records.
Kismet defines a new, generic phy, which it attaches to device records; a Wi-Fi device beaconing DroneID packets will contain both dot11.device and uav.device records:
"dot11.device": {
    "dot11.device.typeset": 1,
    "dot11.device.client_map": {},
    "dot11.device.advertised_ssid_map": {
        "447349704": {
            "dot11.advertisedssid.ssid": "Mavic-380000",
            "dot11.advertisedssid.ssidlen": 12,
            "dot11.advertisedssid.beacon": 1,
 ...
"uav.device": {
    "uav.manufacturer": "",
    "uav.serialnumber": "08RDE150010000",
    "uav.last_telemetry": {
        "uav.telemetry.location": {
            "kismet.common.location.lat": 40.000000,
            "kismet.common.location.lon": -83.00000,
            "kismet.common.location.alt": 273,
            "kismet.common.location.speed": 0,
...

Kismet tracks the serial number, home location, most recent telemetry location, and the past 128 telemetry locations.
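
The vendor IE (tag 221) that carries DroneID is an ordinary tag/length/value element in the beacon's tagged parameters. The code below is an added example, not Kismet's Kaitai parser or code from the original post: it walks those elements, stops safely on a truncated one, and returns vendor IEs by OUI. The function names, both OUI values and the sample bytes are constructed placeholders, and the DroneID payload itself is not decoded.

```python
VENDOR_IE_TAG = 221  # vendor-specific information element
SSID_TAG = 0

def iter_tags(tagged):
    """Yield (tag, value) from tagged-parameter bytes: tag, length, value."""
    pos = 0
    while pos + 2 <= len(tagged):
        tag, length = tagged[pos], tagged[pos + 1]
        value = tagged[pos + 2:pos + 2 + length]
        if len(value) < length:
            return  # declared length overruns the frame: stop, do not guess
        yield tag, value
        pos += 2 + length

def vendor_ies(tagged, oui=None):
    """Return [(oui, payload)] for each tag 221 element, optionally one OUI only."""
    found = []
    for tag, value in iter_tags(tagged):
        if tag != VENDOR_IE_TAG or len(value) < 3:
            continue  # not a vendor IE, or too short to hold a 3-byte OUI
        ie_oui, payload = value[:3], value[3:]
        if oui is None or ie_oui == oui:
            found.append((ie_oui, payload))
    return found

def ssid(tagged):
    """Return the advertised SSID, or None if the beacon carries no SSID tag."""
    for tag, value in iter_tags(tagged):
        if tag == SSID_TAG:
            return value.decode("utf-8", errors="replace")
    return None

# Constructed values: placeholder OUIs and payloads, not real vendor data.
PLACEHOLDER_OUI = bytes.fromhex("aabbcc")  # stands in for the DroneID vendor OUI
OTHER_OUI = bytes.fromhex("112233")        # some unrelated vendor IE
SAMPLE = (
    bytes([SSID_TAG, 12]) + b"Mavic-380000"
    + bytes([VENDOR_IE_TAG, 7]) + OTHER_OUI + b"\x01\x02\x03\x04"
    + bytes([VENDOR_IE_TAG, 7]) + PLACEHOLDER_OUI + b"\xde\xad\xbe\xef"
)
TRUNCATED = SAMPLE[:-2]  # last element now claims more bytes than remain

if __name__ == "__main__":
    print(ssid(SAMPLE))
    for ie_oui, payload in vendor_ies(SAMPLE, PLACEHOLDER_OUI):
        print(ie_oui.hex(), payload.hex())
```
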

Finding drones via the Kismet API

Devices which include DroneID records will have a 'UAV / Drone' category in the device details, but it's also possible to automate using the Kismet API.
The regex API in the Kismet REST interface allows for easy matching against drones, for example from the rest_examples/uav_list.py script:
from __future__ import print_function  # print() also works on Python 2
import KismetRest

# Callback run once per matching device: MAC, SSID, serial number, last lat/lon
def per_device(d):
    loc = d['uav.device']['uav.last_telemetry']['uav.telemetry.location']
    print(d['kismet.device.base.macaddr'],
          d['dot11.device']['dot11.device.last_beaconed_ssid'],
          d['uav.device']['uav.serialnumber'],
          loc['kismet.common.location.lat'],
          loc['kismet.common.location.lon'])

...

kr = KismetRest.KismetConnector(uri)

# Match every device whose uav.serialnumber field is non-empty
regex = [
    [ "uav.device/uav.serialnumber", ".+" ]
]

kr.smart_device_list(callback = per_device, regex = regex)