nmap

Just about to run an nmap scan on my drone to see what is exposed. The camera module (can also control the drone) communicates with a phone or tablet via an app and WiFi. There is, as far as I know, no Windows software to do the same thing or I’d WireShark it.

Before that, I bounced a full scan off my Pi. (hxxp ‘cos Textile’s parsing is poo)

Starting Nmap 6.47 ( hxxp://nmap.org ) at 2016-01-16 20:09 Romance Standard Time
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 20:09
Scanning 192.168.1.10 [1 port]
Completed ARP Ping Scan at 20:09, 1.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:09
Completed Parallel DNS resolution of 1 host. at 20:09, 0.00s elapsed
Initiating SYN Stealth Scan at 20:09
Scanning raspberrypi.home (192.168.1.10) [1000 ports]
Discovered open port 80/tcp on 192.168.1.10
Discovered open port 23/tcp on 192.168.1.10
Completed SYN Stealth Scan at 20:09, 6.64s elapsed (1000 total ports)
Initiating Service scan at 20:10
Scanning 2 services on raspberrypi.home (192.168.1.10)
Completed Service scan at 20:11, 82.45s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against raspberrypi.home (192.168.1.10)
Retrying OS detection (try #2) against raspberrypi.home (192.168.1.10)
NSE: Script scanning 192.168.1.10.
Initiating NSE at 20:11
Completed NSE at 20:15, 210.34s elapsed
Nmap scan report for raspberrypi.home (192.168.1.10)
Host is up (0.028s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet?
80/tcp open  http    WebJames/0.48
|_http-methods: GET POST HEAD
| http-server-header: Software version grabbed from Server header.
| Consider submitting a service fingerprint.
|_Run with --script-args http-server-header.skip
|_http-title: Rick's server
MAC Address: B8:27:EB:D9:E9:22 (Raspberry Pi Foundation)
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (97%), Wyse ThinOS 5.2 (95%),
  NCR 5676 or 5688 automated teller machine (94%), HP LaserJet 4350 printer (93%),
  HP LaserJet 4250 printer (93%), HP ProCurve 2524 switch or 9100c Digital Sender
  printer (93%), RISCOS Ltd RISC OS 6.20 (91%), HP LaserJet 2420 printer (91%), Xerox
  Document Centre 440 or WorkCentre Pro 55 printer (90%), Cisco AP340 WAP (VxWorks
  5.4) (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT      ADDRESS
1   28.08 ms raspberrypi.home (192.168.1.10)

NSE: Script Post-scanning.
Read data files from: E:\Nmap
OS and Service detection performed.
Please report any incorrect results at hxxp://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 329.64 seconds
           Raw packets sent: 1099 (50.664KB) | Rcvd: 1028 (41.804KB)

I like that. RISC OS 5 only 91% looks like RISC OS 6.20. It looks more like a switch, more like a printer, more like a cash machine. Cool.

Shortened version of scan of drone.

After a DHCP connection, the address of the gateway is 172.16.10.1 (a less common private network address) which is the drone’s internal AP.

Scanning 172.16.10.1 [1 port]
Completed ARP Ping Scan at 20:33, 0.77s elapsed (1 total hosts)
Scanning 172.16.10.1 [1000 ports]
Discovered open port 80/tcp on 172.16.10.1
Discovered open port 8888/tcp on 172.16.10.1
Host is up (0.0080s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE         VERSION
80/tcp   open  http?
|_http-title: wifi setting
8888/tcp open  sun-answerbook?
MAC Address: 20:F4:1B:03:A8:3C (Unknown)
No exact OS matches for host

The “best guess” is a British Gas GS-Z3 data logger. Hmmm. ;-)

Using both browser and telnet to port 8888 resulted in nothing. A connection, but silent.

Connecting with a browser to port 80 resulted in a small configuration panel:

<html>
<head><title>wifi setting</title></head>
<body>
<form  action="/" method="POST">
<select name="mode"><option value="AP"selected="selected">Ap</option>
<option value="client">client</option></select>SSID:
<input type="text" value=DR-BEE-XXXXXX name="wifi_ssid">
password:
<input type="text" value= name="wifi_pwd">
<input type="submit" value="set">
</form>
<form  action="/reboot" method="POST">
reboot
<input type="submit" value="set">
</form>
</body>
</html>

(impressive, Textile didn’t screw this up!)

The “reboot” option appeared to crash the thing; and I’m wondering if the rest of the configuration (if it works) isn’t somewhat dangerous. Sure, you can alter the SSID and give it a password; but on the other hand it looks like you can also switch it from AP mode to client mode. Well, if you do that, how are you ever going to communicate with the device again? It is supposed to be, and function as, and AP. Does it even know how to connect to other APs?

I backed up the PNJdrone app and sent it to the PC. Android APK files are just zip files really. Inside, lots of stuff that I waded through, and it looks as if it is a custom protocol set up on a socket. Undoubtedly on port 8888, but nothing that can be determined by looking at a binary in Notepad++.

Some quick Google-fu suggests that most (all?) of the lower end FPV drones use extremely similar methods. Not identical as I initially put the wrong app on my iPad at first and it failed to connect, but the description given in the comments of this app (different company, different app maker, cached text view of an app on Google Play, in German (report in English)) suggests pretty much the same as I’ve found. You’ll need to cut and paste. Textile can’t cope with URLs containing URLs and ‘weird’ characters.
http://webcache.googleusercontent.com/search?q=cache:PwO5EzK3ciYJ:https://play.google.com/store/apps/details%3Fid%3Dcom.lewei.multiple.lewei%26hl%3Dde&num=1&hl=en&gl=uk&strip=1&vwsrc=0

There’s probably a warehouse in China churning these AP/cameras out by the billion, and all the drone makers are making their own minor tweaks just so some other app won’t work.

These things seem to have exploded onto the scene this winter, so I’m hoping in maybe a couple of months somebody might be able to reverse engineer some interesting hacks. It’s a toy really, but that doesn’t mean there isn’t potential to do stuff with a flying camera that has a processor inside. (^_^)

Connection to RISC OS? None. That’s why it is in Aldershot.
Connection to Acorn? Tenuous. The drone appears to use a custom ARM M-0 based SoC (of sorts), and it is possible that the camera does as well, but the information has been erased from the chip surface. http://www.heyrick.co.uk/blog/index.php?diary=20151028 bottom picture.

Oh well. There was nothing on TV anyway.
I’ll make a hot chocolate and go back to reading In The After.

MAC Address: 20:F4:1B:03:A8:3C (Unknown)

The MAC lookup in NMAP appears to be out of date.
The info here says it’s a chinese manufacture

There’s probably a warehouse in China churning these AP/cameras out by the billion

Well the NIC was made by people with a registered office on the mainland adjacent to Hong Kong but the numbers might be a mild exaggeration. :)

Wild guess: port 80 is the simple settings and port 8888 is the data port for user transmissions. Sending it something like ? might get a response.

So, you have a drone! I think it’s a bit unfair to target British Gas – they fixed our boiler for nothing because they said they couldn’t fix it!

Why not target Syria – they seem to need some help in one form or another!

I hope your public liability assurance is “courante”!

;-|

So, you have a drone!

Have since October. Unfortunately the only time that is usually good for flying (no wind, no rain) is the middle of the night. Not so useful for the camera!

Why not target Syria – they seem to need some help in one form or another!

Not that kind of drone, John. (^_^)

I hope your public liability assurance is “courante”!

I don’t fly with others nearby. I know some idiots think it is cool to buzz planes and people, but really that sort of thing just gives model aircraft operators a bad name.
Thankfully there is a lot of space here, and the only risks are wind blowing it into a tree, or the cat thinking it looks like incoming dinner and something to catch.

20:F4:1B ==> Shenzhen Bilian electronic CO.,LTD

Thanks for the link.

If you compare the picture at the bottom here: http://www.heyrick.co.uk/blog/index.php?diary=20151028
with this: http://www.lb-link.cn/index.php/products/view?pid=185

Looks like that’s the WiFi module. Based upon the Marvell Avastar 88W8782 (datasheet: http://www.marvell.com/wireless/assets/Marvell_Avastar_88W8782_SoC-002_PB.pdf) it appears as if the WiFi module is wired up as some sort of SD card style interface (http://www.cnblogs.com/shangdawei/p/3484297.html scroll down for the pictures).

The tech docs are available only under NDA, so the story more or less ends here. But hey, it is an ARMv5T processor inside the thing. So if the camera is an ARM, the WiFi is an ARM, and the flight controller is an ARM… Jeez. This “toy” has way more processing power then my RiscPC!

So if the camera is an ARM, the WiFi is an ARM, and the flight controller is an ARM…

I think the trick these days is spooting the bits that aren’t ARM

By converse, the microcontroller in the remote controller is an 8051 clone that seems fairly well documented: http://www.keil.com/dd/docs/datashts/nuvoton/n79e845_844_843a_ds.pdf (it’s the 844 variant). Not an ARM. ;-)

Hi Rick! I just found a drone in my backyard, haha, so after having some issues turning it on, I finally did it. But I haven’t found an app(android) to make the drone fly, “GX_UFO” and “PNJ fly” only shows me the camera, so I tried to connect via my browser to the drone’s ip (same as yours: 172.16.10.1) and shows me exactly the same information that you mentioned. I was wondering if you could tell me if you are able to control the drone with a phone app, or if you have more information about this drone (maybe a Windows software is available by now, IDK). Well, thank you very much in advance!

20:F4:1B ==> Shenzhen Bilian electronic CO.,LTD

There address is:
Shenzhen Bilian electronic CO.,LTD
NO 268, Fuqian Rd,Jutang Community,Guanlan town,
LongHua new dist
ShenZhen Guangdong 518110
CHINA

My !MACadd app from http://kevsoft.co.uk