rub-syssec / dronesecurity
DroneSecurity (NDSS 2023)
License: GNU Affero General Public License v3.0
I am having some errors with the decoding if I am capturing the correct data,
Has anyone had the demodulation failed error?
Hi,
You did really impressive work!
I am using your SW to get some droneID packets from a Mavic Air 2. I found it somewhat difficult to get those packets; I found and decoded some single droneID packets only saving demodulated data from my SDR and in some "random" bands, and they look like they are emitted very, very rarely. When the drone uses the first channel of the 5.8 GHz band (center at 5735.5 MHz), I got some droneID packets centered at 5776.5 MHz emitted about every tens of seconds. In your paper the droneID packets should be emitted every 600 ms but I can't find them.
Could the droneID packets be found in the same channel where other data (video etc.) are sent? Because I searched there but I found no droneID packets.
Thank you and BR.
Maurice
Good Morning, thank you for the excellent article and associated repo for capturing droneID radio traffic.
I was also under the impression that DroneID was encrypted. There was a POC last year in Ottawa that tracked a range of 40KM from YOW. I didn't realize the
OcuSync 2.0 to 3.0
I wish to contribute to your project first by cloning your repo and reproducing your base setup towards the goal of automated tracking of various drones starting with my DJI Air 2S with a mini 2 as a backup. If required I will move up to the Mavic 3.
I currently fly the drone in Transport Canada approved airspace under the VLOS flight certificate and would like to combine your software/hardware setup eventually with AI based visual tracking.
Background: found your repo and paper via the Wired Magazine article https://www.wired.com/story/dji-droneid-operator-location-hacker-tool/
I will leave project reproduction and status on your repo as I go - in this issue id - with your permission or on my fork.
The purchase of the SDN radio is a bit more expensive than the first drone itself so I would like to verify the recommended model.
On your readme the model is https://github.com/RUB-SysSec/DroneSecurity#drone-id-receiver-for-dji-ocusync-20
"Ettus USRP B205-mini"
On your paper https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f217_paper.pdf the model is a USRP B200mini
"Our setup uses a USRP B200mini SDR that we connect to a laptop"
I assume the following model is supported and will purchase
https://www.ettus.com/all-products/usrp-b205mini-i/
20230307: Order from Digilent
Ettus USRP B205mini-i: 1x1, 70MHz-6GHz SDR/Cognitive Radio (USRP B205mini-i Options: USRP B205mini-i with enclosure) | 471-045 | 1 | $1,354.00 USD
20230313: USRP B205mini-i received (minus enclosure until July)
Links
Good evening. I am trying to run your code for DJI Mavic Pro. I set legacy = True. I see that the packet is detected and demodulation is attempted. But the decoding gives an error and I don't see any results at the output. Please tell me in which direction I should look for the problem? Maybe recording IQ will help?
Hi,
Does it send regular wifi packets, like IEEE 802.11?
What I mean is, if it's just standard 802.11 frames, then there could be a much cheaper option to catch it
Hello,
I tried to capture the signal and decode the OcuSync 3.0 signal from your file.
Can you please suggest which parameters must be adjusted?
In your file it will help us.
A list of minimum SDR hardware requirements would be nice.
I have a NESDR 5, before playing with tools IDK if the frequencies to listen for are in the range of my device or not.
Why run the receiver live, can’t find drone
Hello,
I have to ask - the freqs of the droneIDs that are used in your code - did you check them? Did you really see droneIDs in ALL these freqs?
I read the droneID article - "DJI drone IDs are not encrypted" and the work from github - https://github.com/proto17/dji_droneid,
and never saw your freqs.
Moreover - when I tried to manually find droneIDs in my missing freqs - I didn't find any.
So if you tested that - I would like to know.
Something else - Should droneID work with other DJI drones? Like DJI Lightbridge?
I would appreciate a response on these issues.
I would like to ask a few questions on recording of IQ data as my recorded signal is not as clean and neat as the sample files recorded.
How did you record the OcuSync 2.0 signal from the Mavic Air 2 and Mini 2? What was the signal bandwidth the 2 drones are transmitting at?
Hello! Do you plan to add bladerf?
I tried, and it was far less than 640 milliseconds per data. Can you help me with this?
Does that work with OcuSync3?
Regarding the experimental results of my DJI Mavic Air 2, I continuously monitored the spectrum for more than ten minutes and did not seem to find a suitable DroneID burst signal. I have some thoughts below.
In your paper, it was mentioned that the DroneID data packet is broadcast every 640 ms, but the actual data frame is only 648 μs. Despite its high transmit frequency and bandwidth of 15.36 MHz, its duration of approximately 600 μs makes it difficult to detect such signals in the spectrum. Is my analysis correct?
I also tried to record signals within a certain frequency band, such as (5755MHz-5805MHz), with a sampling bandwidth of 50M, but I was unable to successfully detect the corresponding DroneID signal.
Do you have any good suggestions?
Dear Sir;
I recorded the DJI MAVIC AIR 2 signal inside a shielding room using an adrv9361z7035 SDR board. I recorded 3 scenarios: the first just ON (Mavic_air_2s_1000.fc32), the 2nd with the propellers turned on (Mavic_air_2s_1100.fc32), and the 3rd take off (Mavic_air_2s_1110.fc32) and fly at a distance of 1 m from the receiver. Whenever I run the offline receiver, decoding fails. I am sharing the complete log file and PNG files of in-spectrum testing. Kindly help needed. Please find the attachment.
Thanks in advance
Hi,
I was not able to use the software, I always run into some numpy/scipy dependency hell. As not being a coding but a hardware guy, somehow I am stuck. Is there a recommended Linux distribution that should fulfil the expectations without too much fiddling? Latest Kubuntu obviously makes trouble.
Hello, I would like to experiment with the fuzzer part of your system. Can you upload it?
Also, it would be appreciated if you could tell us how to send and receive input and output through the DUML protocol.
First question: if we use LTE's point, zcsequence_t is directly the frequency seq. In find_zc_seq(), the author correlates zcsequence_t with symbol_f in frequency, so I think the author looks at zcsequence_t as a frequency seq there, but in the estimate_channel() function the author uses zcsequence_f as the frequency expected_signal. Why?
Next question: in find_zc_angle(), I think the author's aim is to find the initial constant phase offset. Why use the angle value of the zero freq point, angle(symbol_f[NCARRIERS//2]), as the estimation of the angle? Perhaps DJI does not send the ZC zero point, so set this value to a constant real value, so the receiver can use this point's angle value as the phase estimation directly?
When I tried to capture the data of DJI mini3 model, it failed
How did you create the sample files of those two drones given in the repository, and how can I make a similar file for my DJI drone and test it from the droneid_receiver_offline.py program?
And also, can I use LimeSDR instead of USRP for the live detection?
Waiting for your reply.
Thank you
How to improve the code in order to improve system performance
I happen to have a USRP B200 SDR which works for your code. But it cannot capture signals of my DJI Air 2S. Does it require a high SNR to extract the signal? How did you configure the parameters of your B200, or do you use a high gain antenna to get the signals and decode the drone ID? I am very curious. In my case, the code will never be touched for unqualified bw.
Please, I want to learn from you how to track the exact location of a phone through its IMEI number.
Kindly chat me up [email protected]
First of all congratulations for your job,
I'm doing some research on drone communication and I noticed on your software that you refer also to c2 and beacon packets.
I also noticed that the code part for those packets is at very early stages.
I'd like to know from you, if possible, something more about c2 and beacon packets.
In my captures I often find this kind of packets that are bigger than 2 MHz in bandwidth and last for about 500us. (attached here) Are these ones the C2 packets? (if so I think we should correct the bandwidth in your code since it is slightly smaller)
If not, could you provide some samples, or at least a screenshot of what we should expect (for C2 and Beacons)?
Thank you!