Trying to hack the CX-32W drone to use it in my object tracking drone project

I am not going to touch the OpenCV part in this blog. Just the hacking attempt I guess. Our drone can be controlled by a remote controller and a smartphone app. The app is communicating over Wifi so you have to connect it to the drone’s wifi hotspot in order to control it and I want to configure the application to develop my own SDK so I will start with capturing the packets between my smartphone and the drone to see what’s going on and after that decompile the application to see if I can figure it out.

The drone is “CX-32W”, a “Cheerson Hobby” brand multicopter. It has 4 CW/CCW DC Motors, 7.4V 450 mAh Li-Po Battery, FPV Cam, a transmitter and a “Lewei50 single-board computer”. This mini computer has an operating system and modules in it.

Link!

I used nmap to scan the open ports. And I noticed ftp port is open. And tried to mess with it.The username was “root” and password was just blank. But unfortunately we don’t have the write permission just only read. Tried some combinations for the telnet, it didn’t work.

root@localhost:~# nmap -p 1-65535 192.168.0.1
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-30 19:52 +03
Nmap scan report for 192.168.0.1
Host is up (0.053s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
6789/tcp open  ibm-db2-admin
6790/tcp open  hnmp
7060/tcp open  unknown
8060/tcp open  aero
9060/tcp open  CardWeb-IO
MAC Address: 28:F3:66:CB:1D:78 (Shenzhen Bilian electronic)
Nmap done: 1 IP address (1 host up) scanned in 64.19 seconds

Captured the packets between the drone and my smart phone. Had some over 50000 UDP, 7060 TCP,8060 TCP ports. 192.168.0.1

I started looking at 50000 UDP first. The interface may look confusing. So i will try to explain it. Blue and “<—-” ones are the packets that sent by my application to drone. I figured out it’s “idle” state and my drone has to send them to keep connected.

We can imitate the communication with our computer by sending the same packets to the drone over wifi to it’s 50000 UDP Port.

import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

UDP_IP = '192.168.0.1'
UDP_PORT = 50000
msg = bytes.fromhex('CC 80 80 80 80 00 00 33')
sock.sendto(msg, (UDP_IP, UDP_PORT))
sock.sendto(msg, (UDP_IP, UDP_PORT))
sock.sendto(msg, (UDP_IP, UDP_PORT))
sock.sendto(msg, (UDP_IP, UDP_PORT))
msg = bytes.fromhex('CC 82 7F 80 80 00 FD 33')
while True:
    sock.sendto(msg, (UDP_IP, UDP_PORT))
sock.close

The 8060 Port sending “lewei_cmd” and drone responds to it.

And the 7060, we have captured 6.3 MBs of packet over this port. I checked the app and the drone’s files and found out this is a H.264 I-Frame type data. I-Frame is like sends only the changed pixels to save data. Idk how this affects the readability of packets.

A packet of a single frame:

Checked the activity_main.xml to see if I can find out how to read the packets and explored a new world.

<com.lewei.multiple.lw93.MySurfaceView android:id=”@id/mySurfaceView” android:layout_width=”-1″ android:layout_height=”-1″ />