Local Reproduction/ CA - YOW region - DJI Air 2s - OcuSync 3.0

[obriensystems]

Good Morning, thank you for the excellent article and associated repo for capturing droneID radio traffic. I was also under the impression that DroneID was encrypted. There was a POC last year in Ottawa that tracked a range of 40KM from YOW. I didn't realize the

OcuSync 2.0 to 3.0 I wish to contribute to your project first by cloning your repo and reproducing your base setup towards the goal of automated tracking of various drones starting with my DJI Air 2S with a mini 2 as a backup. If required I will move up to the Mavik 3.

I currently fly the drone in Transport Canada approved airspace under the VLOS flight certificate and would like to combine your software/hardware setup eventually with AI based visual tracking.

Background: found your repo and paper via the Wired Magazine article https://www.wired.com/story/dji-droneid-operator-location-hacker-tool/

I will leave project reproduction and status on your repo as I go - in this issue id - with your permission or on my fork.

Work Items

WI 1: 20230302: SDN selection

The purchase of the SDN radio is a bit more expensive that the first drone itself so I would like to verify the recommended model. On your readme the model is https://github.com/RUB-SysSec/DroneSecurity#drone-id-receiver-for-dji-ocusync-20 "Ettus USRP B205-mini"

On your paper https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f217_paper.pdf the model is a USRP B200mini "Our setup uses a USRP B200mini SDR that we connect to a laptop"

I assume the following model is supported and will purchase https://www.ettus.com/all-products/usrp-b205mini-i/

20230307: Order from Digilent

Ettus USRP B205mini-i: 1x1, 70MHz-6GHz SDR/Cognitive Radio(USRP B205mini-i Options: USRP B205mini-i with enclosure)	471-045

1	$1,354.00 USD

20230313: USRP B205mini-i received (minus enclosure until July)

• reusing antennas from one of my dual band 2.4-5.8 routers
• purchasing a 30 dB fixed Attenuator
• following
• https://www.hackster.io/whitney-knitter/getting-started-with-the-ettus-b205mini-in-gnu-radio-e0d3ea
• https://www.hackster.io/whitney-knitter/basic-rf-test-verification-on-the-b205mini-with-gnu-radio-1cd612
• https://digilent.com/blog/getting-started-with-the-ettus-usrp-b205mini-i-gnu-radio/
• https://github.com/EttusResearch/ettus-docker/tree/master/ubuntu-uhd
• https://files.ettus.com/manual/page_install.html
• https://files.ettus.com/manual/page_usrp_b200.html

Links

• https://www.ni.com/en-ca/innovations/case-studies/19/skysafe-defeats-commercial-drone-threats-with-open-source-sdr.html

[n0vichkov]

Hi, we are trying to reproduce the same and after our investigations we got an answer that proposed decoding method does not work with DJI Air 2S with OsuSync 3.0 (we have tested live receiver (with some changes for USRP X310 as RF) and offline decoder. I suppose, that modulation and decoding method differs

[fmichaelobrien]

I just received my USRP B205mini - setting up I don't expect it to detect my Mavic 3 classic or Air 2s, hopefully the mini 2 works

Update on a request of the tracking exercise in YOW http://wiki.obrienlabs.cloud/display/DEV/Drone+Developer+Guide#DroneDeveloperGuide-News

[maxx]

@fmichaelobrien @n0vichkov looking forward to hearing how it went with occusync 2.0! please update if you were successful. I haven't yet seen a successful reproduction and am waiting for someone to confirm before I dive in.

[obriensystems]

Still at step 1: new to SDR - setting up my B205mini using a VMware Ubuntu VM on one of older Mac's (intel chip) Following Whitney's tutorials https://www.hackster.io/whitney-knitter/getting-started-with-the-ettus-b205mini-in-gnu-radio-e0d3ea https://www.hackster.io/whitney-knitter/basic-rf-test-verification-on-the-b205mini-with-gnu-radio-1cd612

[aholtzma-am]

If you post a baseband recording of Occusync 3.0, I can take a look to see what the differences are wrt 2.0.

[Vlad71527]

Hi aholtzma-am vs

[aholtzma-am]

Can you post the baseband files?

[Vlad71527]

https://drive.google.com/file/d/1tTH773umwQrek_QaHCVn9fYpJtGBJ3UH/view?usp=sharing

[tmbinc]

@Vlad71527 - unfortunately your images don't work anymore here (404 from github)

The first one looked like a regular data packet, with a (variable; from a certain set) ZC symbol at the beginning, in the middle, and at the end.

The second one looked like a DroneID packet, with two (fixed - always 600 and 147) ZC symbols in the middle (around a data symbol). The latter should decode just fine. Do you have timestamps for within your capture?

So far I have not seen any OcuSync version not using DroneID packets in the same format. (The only difference seems to be whether the empty prefix symbols are there or not.) Difficulties to decode seem mostly from the fact that the somewhat basic synchronization algorithm used here requires a very good quality signal.

[gettyhub]

Is there any way to make this work with antsdr or bladeRF?

[Skeletoskull]

I am using X310 for this, has someone used it for this project, if yes what I should change to make the code work for my x310