Reverse engineering the Hubsan WiFi drones
MCenderdragon wrote 08/09/2020 at 10:34 • 1 point

I acquired a cheap Hubsan drone (H216A, X4 Desire) and wanted to know if it's possible to control it without their app. The drone opens a WiFi network where you can connect your phone to control it via an app. Using BlueStacks & Wireshark I got some information on how it works.

The drone always has an IP of 192.168.31.111 and open ports TCP 8855, 8866 and UDP 8867. As a large amount of data is sent from the drone on port 8855 I guess that is the video feed, and 8866 is for status in both directions. I have no idea what the UDP port is for, but it is sent from the app to the drone so it could be the controls.

My question is: what is the best way to analyze this data? What possibilities are there to find out what video format is used? Or is it a better approach to try and disassemble their app?

Edit 1: exporting the full video stream made it readable by MediaInfo: it's an AVC video stream, 640*360 at 25 FPS, AVC (Main@L3) (CABAC / 1 Ref Frames)

Edit 2: After decompiling the app and searching through the code I found the 8866 port is used to open something they call a MAVLink, and thankfully MAVLink is a fully documented protocol.
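An added example (not from the original post, and not code from the Hubsan app) that checks the two findings above against captured bytes: it walks a MAVLink v1 byte stream and verifies each frame's X.25 checksum (which needs the per-message CRC_EXTRA byte; 50 for HEARTBEAT in the MAVLink common message set), and it splits an Annex B H.264 stream on its start codes to report NAL unit types. The sample frames and NAL payload bytes below are constructed here, not captured from the drone, and the heartbeat field values are illustrative.

```python
import struct

MAVLINK_V1_STX = 0xFE                 # MAVLink v1 start-of-frame marker
HEARTBEAT_MSG_ID = 0
CRC_EXTRAS = {HEARTBEAT_MSG_ID: 50}   # CRC_EXTRA for HEARTBEAT (MAVLink common set)


def x25_crc(data: bytes, crc: int = 0xFFFF) -> int:
    """X.25 checksum (CRC-16/MCRF4XX) as used by MAVLink."""
    for b in data:
        tmp = (b ^ (crc & 0xFF)) & 0xFF
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc


def build_mavlink_v1(seq: int, sysid: int, compid: int, msgid: int, payload: bytes) -> bytes:
    """Encode one MAVLink v1 frame: STX, LEN, SEQ, SYS, COMP, MSG, payload, CRC16 (LE).
    The CRC covers LEN..payload plus the message's CRC_EXTRA byte, not the STX."""
    header = bytes([len(payload), seq, sysid, compid, msgid])
    crc = x25_crc(header + payload + bytes([CRC_EXTRAS[msgid]]))
    return bytes([MAVLINK_V1_STX]) + header + payload + struct.pack("<H", crc)


def parse_mavlink_v1(stream: bytes) -> list:
    """Scan a byte stream for v1 frames; returns one dict per candidate frame.
    A frame with an unknown message id or a bad checksum is reported with
    crc_ok=False and the scanner resyncs one byte later, as a real parser must."""
    frames = []
    i = 0
    while i + 8 <= len(stream):              # 8 bytes = smallest frame (empty payload)
        if stream[i] != MAVLINK_V1_STX:
            i += 1
            continue
        plen = stream[i + 1]
        end = i + 6 + plen + 2
        if end > len(stream):
            break                             # truncated tail; wait for more bytes
        seq, sysid, compid, msgid = stream[i + 2:i + 6]
        payload = stream[i + 6:i + 6 + plen]
        crc_recv = struct.unpack_from("<H", stream, i + 6 + plen)[0]
        extra = CRC_EXTRAS.get(msgid)
        crc_ok = (extra is not None and
                  x25_crc(stream[i + 1:i + 6 + plen] + bytes([extra])) == crc_recv)
        frames.append({"seq": seq, "sysid": sysid, "compid": compid,
                       "msgid": msgid, "payload": payload, "crc_ok": crc_ok})
        i = end if crc_ok else i + 1
    return frames


def decode_heartbeat(payload: bytes) -> dict:
    """HEARTBEAT payload: fields are wire-ordered by size, so custom_mode (u32) comes first."""
    custom_mode, mav_type, autopilot, base_mode, status, version = struct.unpack("<IBBBBB", payload)
    return {"custom_mode": custom_mode, "type": mav_type, "autopilot": autopilot,
            "base_mode": base_mode, "system_status": status, "mavlink_version": version}


def split_nal_units(data: bytes) -> list:
    """Split an Annex B H.264 byte stream on 00 00 01 / 00 00 00 01 start codes.
    Returns (nal_unit_type, length) pairs; type 7 = SPS, 8 = PPS, 5 = IDR slice."""
    nals = []
    pos = data.find(b"\x00\x00\x01")
    while pos >= 0:
        start = pos + 3
        nxt = data.find(b"\x00\x00\x01", start)
        # a 4-byte start code contributes its leading zero to the previous NAL; drop it
        end = len(data) if nxt < 0 else (nxt - 1 if data[nxt - 1] == 0 else nxt)
        if end > start:
            nals.append((data[start] & 0x1F, end - start))
        pos = nxt
    return nals


# Constructed samples (not captured from the drone).
HEARTBEAT_PAYLOAD = struct.pack("<IBBBBB", 0, 2, 0, 0, 4, 3)   # type 2 = quadrotor, status 4 = active
SAMPLE_MAVLINK_STREAM = (build_mavlink_v1(0, 1, 1, HEARTBEAT_MSG_ID, HEARTBEAT_PAYLOAD)
                         + build_mavlink_v1(1, 1, 1, HEARTBEAT_MSG_ID, HEARTBEAT_PAYLOAD))
SAMPLE_H264 = (b"\x00\x00\x00\x01\x67\x42\x00\x1e"   # SPS (body bytes are placeholders)
               b"\x00\x00\x00\x01\x68\xce\x38\x80"   # PPS
               b"\x00\x00\x01\x65\x88\x84\x00")      # IDR slice

if __name__ == "__main__":
    for f in parse_mavlink_v1(SAMPLE_MAVLINK_STREAM):
        print(f["seq"], f["msgid"], f["crc_ok"],
              decode_heartbeat(f["payload"]) if f["crc_ok"] else None)
    print(split_nal_units(SAMPLE_H264))
```

To use it on a real capture, export the TCP conversation on port 8866 from Wireshark (Follow TCP Stream, raw) into a file and feed the bytes to `parse_mavlink_v1`; any message id other than HEARTBEAT needs its CRC_EXTRA added to `CRC_EXTRAS` from the MAVLink message definitions, otherwise the frame is reported as unverified. The port 8855 export goes to `split_nal_units`; seeing SPS/PPS followed by IDR slices confirms a raw Annex B stream rather than a containered one.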
Discussions
Try connecting a computer as well as a phone to the WiFi and use Wireshark to analyse what's being sent back and forth.
I did, that is how I found the video format, but the rest is binary gibberish, so looking through the source code to decode the packets is most likely easier.
You might try just doing a hexdump of the app with canonical mode (-C) enabled. It's possible that you will see a whole bunch of ASCII commands to play with. That, and looking at the data streams from Wireshark and trying to get a feel for how the commands are structured.

This is not as rigorous as reverse assembling, but a whole lot less work. If the actual commands are binary, or just a packet structure with controller states wedged into fixed offsets in the packet, it won't help. Try the low-hanging fruit first.

Not sure what format the app is going to be in. If it is an ELF file, there are tools that list all the stuff that needs to link at runtime. If the app writers used an existing video library, you might get the name of the library from this, which would probably be a good clue as to the video format.
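An added example (not from the comment author, and not tooling from Hubsan) of the low-hanging-fruit pass suggested above, in Python: it opens an APK as the zip archive it is, pulls printable ASCII runs out of every entry (a `strings`-style scan; the native `.so` libraries inside an APK carry their linked-library names as plain strings in the ELF dynamic string table, so this surfaces names like libavcodec without readelf or a disassembler), and groups the hits by keyword. The APK below is constructed in memory with placeholder contents, so the entry names, class name and hit strings are illustrative, not taken from the real app.

```python
import io
import re
import zipfile


def apk_strings(apk_bytes: bytes, min_len: int = 4) -> list:
    """Return (entry_name, string) pairs for every printable ASCII run of at
    least min_len bytes in every file inside the APK (same idea as `strings -n 4`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            for m in pattern.finditer(data):
                hits.append((info.filename, m.group().decode("ascii")))
    return hits


def find_hints(hits: list, keywords: list) -> dict:
    """Group strings containing any keyword (case-insensitive) under that keyword."""
    found = {k: [] for k in keywords}
    for name, s in hits:
        low = s.lower()
        for k in keywords:
            if k.lower() in low:
                found[k].append((name, s))
    return found


def build_fake_apk() -> bytes:
    """Constructed stand-in for an APK: a zip holding a 'native library' blob whose
    strings mimic an ELF .dynstr, a dex-like blob, and a binary manifest placeholder."""
    fake_so = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
               + b"libc.so\x00libavcodec.so.58\x00h264_decode_frame\x00" + b"\x00" * 4)
    fake_dex = (b"dex\n035\x00" + b"\x00" * 4
                + b"Lcom/example/MavlinkClient;\x00tcp://192.168.31.111:8866\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("lib/armeabi-v7a/libmedia.so", fake_so)
        zf.writestr("classes.dex", fake_dex)
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00binary xml placeholder")
    return buf.getvalue()


# Keywords a practitioner would start with for this drone: codec names plus the
# protocol and port the post identified.
KEYWORDS = ["avcodec", "h264", "mavlink", "8866"]

if __name__ == "__main__":
    hints = find_hints(apk_strings(build_fake_apk()), KEYWORDS)
    for k, entries in hints.items():
        for name, s in entries:
            print(f"{k:8} {name}: {s}")
```

On a real APK, replace `build_fake_apk()` with the file's bytes; hits inside `lib/*/*.so` point at the native decoder in use, while hits inside `classes.dex` point at the Java/Kotlin classes worth opening in a decompiler next. The scan says nothing about how the strings are used, so it narrows the search rather than replacing it.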