opendroneid / wireshark-dissector

Dissector of Open Drone ID broadcast protocol for Wireshark
Apache License 2.0

DJI DroneID isn't detected (operator error)? #20

Open jdevelop opened 2 months ago

jdevelop commented 2 months ago

Drone

Working with the Mavic 2 and trying to get the DroneID on channel 6 - to no avail.

Using "opendroneid" as a filter for the protocols, I get nothing.

WiFi mode

iwconfig  wlan0mon 
wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.437 GHz  
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

Wireshark version:

Version 4.2.6 (Git v4.2.6 packaged as 4.2.6-1).

Compiled (64-bit) using GCC 14.1.1 20240522, with GLib 2.80.3, with Qt 6.7.2,
with libpcap, with POSIX capabilities (Linux), with libnl 3, with zlib 1.3.1,
with PCRE2, with Lua 5.2.4, with GnuTLS 3.8.6 and PKCS #11 support, with Gcrypt
1.11.0-unknown, with Kerberos (MIT), with MaxMind, with nghttp2 1.62.1, with
nghttp3 1.4.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2
2.13.2, without libsmi, with QtMultimedia, without automatic updates, with
Minizip, with binary plugins.

Running on Linux 6.10.0-arch1-2, with Intel(R) Xeon(R) E-2176M  CPU @ 2.70GHz
(with SSE4.2), with 63528 MB of physical memory, with GLib 2.80.4, with Qt
6.7.2, with libpcap 1.10.4 (with TPACKET_V3), with zlib 1.3.1, with PCRE2 10.44
2024-06-07, with c-ares 1.29.0, with GnuTLS 3.8.6, with Gcrypt 1.11.0-unknown,
with nghttp2 1.62.1, with nghttp3 1.4.0, with brotli 1.1.0, with LZ4 1.9.4, with
Zstandard 1.5.6, with light display mode, with HiDPI, with XDG_SESSION_TYPE=tty,
with QPA plugin "xcb", with LC_TYPE=en_US.UTF-8, binary plugins supported.

Channel hopping

I also tried to hop channels:

for ch in $(seq 1 12); do echo "$ch"; iw dev wlan0mon set channel "$ch" HT20 && iwconfig wlan0mon; sleep 60; done

Observation

Without that filter I can certainly see the packets being captured by Wireshark. Am I missing something?

Thank you!

gabrielcox commented 1 month ago

@jdevelop, please include a small capture file (an export of just a few records will be fine). You can also filter by MAC once you see who's sending the RID packets to limit what you're capturing.

jdevelop commented 1 month ago

@gabrielcox I'm getting a ton of packets on channel 6 (and even more so while hopping). Is there a way to filter things that are of particular interest? Thank you!

gabrielcox commented 1 month ago

@jdevelop

[image]

This is under "File->Export". That allows you to save a pcap file. You can save selected/highlighted packets.

jdevelop commented 1 month ago

Can you please help me to understand what PCAP filter expression I can use to get RID packets filtered, as there's none I can find labeled with any RID? I assumed that I could just use "opendroneid" as a view filter expression (as I can do with the sample PCAP files provided with this repo) - but in reality I don't get any RID packets from my WiFi card.

So perhaps there's some way to troubleshoot it?

gabrielcox commented 1 month ago

I would try to find the source MAC address that the drone might be broadcasting from, then look at the packets from that address.

You can set the filter as: wlan.sa == xx:xx:xx....

The Remote ID 802.11 frame will have a tag with type "Vendor Specific" (221) and an OUI of fa:0b:bc (CEN). The vendor-specific OUI type should be 13 (0x0d), then followed by the data.

If you find a packet matching this pattern, and the sniffer is not identifying it as opendroneid, then either the dissector is not loading, or something else is in the data causing the dissector not to match it.
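The pattern gabrielcox describes above (element ID 221, OUI fa:0b:bc, OUI type 0x0d, then the RID data), as an added example that is not part of this thread or of the dissector: a small Python walker over a beacon's information elements that finds the Open Drone ID element, skips other vendor elements, and bails out on a truncated element the way a dissector would refuse to match it. The message counter byte, the message-type nibble table and the Wireshark field names are taken from the ASTM F3411 spec and Wireshark's 802.11 dissector as I know them, not from the thread; the sample beacon body is constructed.

```python
# Walk the IEs of an 802.11 beacon body and extract the Open Drone ID
# vendor-specific element: ID 221 (0xDD), OUI fa:0b:bc, OUI type 0x0d.
ODID_OUI = bytes.fromhex("fa0bbc")   # CEN OUI, as stated in the thread
ODID_OUI_TYPE = 0x0D                 # OUI type 13, as stated in the thread
VENDOR_SPECIFIC = 221

# Assumed Wireshark field names (from the 802.11 dissector, not this thread)
# for a display filter that matches the same pattern.
DISPLAY_FILTER = "wlan.tag.oui == 0xfa0bbc && wlan.tag.oui_type == 0x0d"

# Upper nibble of the first ODID message byte (ASTM F3411; assumption here).
MSG_TYPES = {0x0: "Basic ID", 0x1: "Location", 0x2: "Authentication",
             0x3: "Self-ID", 0x4: "System", 0x5: "Operator ID",
             0xF: "Message Pack"}

def iter_ies(body):
    """Yield (element_id, data) for each well-formed IE; stop at a truncated one."""
    off = 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        if off + 2 + length > len(body):
            return  # length runs past the frame: malformed, do not match
        yield eid, body[off + 2: off + 2 + length]
        off += 2 + length

def find_odid(body):
    """Return the bytes after the OUI type (the RID data), or None if absent."""
    for eid, data in iter_ies(body):
        if eid != VENDOR_SPECIFIC or len(data) < 4:
            continue  # not vendor-specific, or too short to hold OUI + type
        if data[:3] == ODID_OUI and data[3] == ODID_OUI_TYPE:
            return data[4:]
    return None

def describe(rid_data):
    """(message counter, message type name, protocol version) of the first message."""
    counter, header = rid_data[0], rid_data[1]
    return counter, MSG_TYPES.get(header >> 4, "Unknown"), header & 0x0F

# Constructed beacon body: SSID, supported rates, then a 30-byte ODID element
# carrying counter 7 and one zero-filled Basic ID message (type 0, version 2).
SAMPLE_BODY = (bytes([0x00, 5]) + b"DRONE"
               + bytes([0x01, 1, 0x82])
               + bytes([VENDOR_SPECIFIC, 30]) + ODID_OUI
               + bytes([ODID_OUI_TYPE, 0x07, 0x02]) + bytes(24))
# Constructed body with a different vendor OUI (00:50:f2), which must not match.
OTHER_BODY = bytes([VENDOR_SPECIFIC, 6]) + bytes.fromhex("0050f2020101")
```

Slicing a few bytes off the end of SAMPLE_BODY gives the truncated-element case from the last paragraph: the OUI is present but the element is refused.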

jdevelop commented 1 month ago

Thanks a lot! I have some suspicion that my DJI may actually transmit its DroneID on the 5GHz band, as I wasn't successful in detecting virtually anything resembling that type of beacon frame. I wonder if there's a MAC address I can find for my Mavic anywhere? It doesn't have anything on the carapace or box.

friissoren commented 1 month ago

The drone might not start transmitting until it is in the air?

Try to find the drone using the Android app first, just to sanity check there even is a signal.

jdevelop commented 1 month ago

That's an interesting question, I didn't actually try to fly the drone - just turn it on and connect to the controller.

I also tried a few Android apps to detect the drone presence - none of them worked. I checked that I indeed have the most recent firmware and it has RemoteID functionality baked in.

Let me try to test it in flight mode and see if it works.

gabrielcox commented 1 month ago

@friissoren If it's compliant, it's required to broadcast after POST -- before taking flight.

@jdevelop First make sure that the Wi-Fi interface you are sniffing on is not connected to any network. That way, the only traffic you should be seeing is "broadcast traffic". If you browse through the broadcast traffic you're getting, you may be able to find something with an identifiable DJI SSID (or see something else in the packet that clues you in that you're receiving it from the drone). Likewise, when seeing broadcasts from other devices, they often have something that identifies them. Also, you can look up a suspect MAC address at https://dnschecker.org/mac-lookup.php .

This first part is a bit of a hunt. To make it a little more "interesting" some devices randomize their MAC addresses on every power on (as a privacy feature) -- I'm unsure if DJI does this.

jdevelop commented 1 month ago

Yeah, I thought that the DroneID should be broadcast once a drone is initialized. So we'll see. As for the traffic - I use airmon-start on my PC to capture the packets, and it indeed collects a ton of data. Hard to say whether I have some suspicious SSIDs - there are just too many broadcasts going on.

But I figured that you may be referring to the mobile apps - so you suggest disconnecting from all wireless networks, is that correct? On second thought, it likely makes sense, as that software must set the particular channel to collect data and put the card in promiscuous mode, so if I'm connected to anything - that won't work.

I'll give it a try. In the meantime - does anyone happen to have some Wireshark filter expression to look for potential DJI packet broadcasts? Would really appreciate it.

gabrielcox commented 1 month ago

@jdevelop yes, disconnect from any wireless network. Otherwise, if you're connected, when in promiscuous mode, all the data still flows, so you'll get all the data going to your computer, plus all the "Ethernet" broadcasts, ARP requests, etc. that are part of the normal "noise" within your network.

All you want are primitive wireless broadcasts (pre-connection), such as SSID advertisements. RID actually rides as additional payload on SSID advertisements.