Preview

Journal of «Almaz – Antey» Air and Space Defence Corporation

Advanced search

UAV control hack system

https://doi.org/10.38013/2542-0542-2021-2-35-41

Abstract

The paper presents an alternative solution to the problem of drone hacking over a radio channel and uses signal spoofing of a global positioning system (GPS, GLONASS). Within the framework of the study, block diagram and operation algorithm of the system were developed and experimental data were obtained.

Keywords


For citations:


Adzhakhunov E.A., Nikolaev O.V. UAV control hack system. Journal of «Almaz – Antey» Air and Space Defence Corporation. 2021;(2):35-41. https://doi.org/10.38013/2542-0542-2021-2-35-41

Introduction

Nowadays, the problems of UAV hacking are solved mainly by barrage jamming or brute force. These methods have a major drawback: full or partial UAV destruction which may lead to demolition of objects and infliction of harm to human health. The systems with total control hacking via radio channel and systems using spoofing attacks have been developed significantly but such devices use each method separately which may result in UAV control system change-over to another control method [1].

General diagram of UAV control via radio channel is shown in Fig. 1. Certain commands are transmitted from the control panel to UAV receiver, then the data are transferred to the flight controller which is responsible for execution and distribution of all basic functions of the drone aircraft. Depending on received command and readings of sensors installed in a specific device the built-in software, using a certain algorithm, transmits control signals to the UAV motors. Thus, the flight controller is a sort of “brain” of the aircraft [2].

 

Fig. 1. General diagram of interaction between UAV control panel and internal components based on flight controller Arduino Mega 2560

 

Type, modulation and frequency of control signals depend on the communication protocol implemented between the transmitter and receiver on board UAV. Usually the protocols used in the transmitters are provided by one manufacturer only. Some brands allow to use several protocols depending on available receivers.

Let’s review specifications of commonly used models of UAV control systems which are given in Table 1.

 

Table 1

Specifications of UAV control systems

All equipment being discussed operates at the frequencies of 2.4 to 2.485 GHz with QPSK (Quadrature Phase Shift Keying) and GFSK (Gaussian Frequency-Shift Keying) modulation.

System development

As part of the studies the system based on transceiver was developed. The transceiver receives control signals from the UAV control panel, performs processing and simulation of control signals. Simultaneously, this transceiver transmits false coordinates to GNSS. The transceiver is developed following the procedures of software defined radio (SDR) [3].

Figure 2 shows a block diagram of the developed system where AS – Antenna System, ASU – Antenna Switching Unit, BPF – BandPass Filter, QDM – Quadrature Demodulator, QM – Quadrature Modulator, LNA – Low Noise Amplifier, PA – Power Amplifier, ADC – Analogue-to-Digital Converter, DAC – Digitalto-Analogue Converter, SPU – Signal Processing Unit.

 

Fig. 2. Block diagram of UAV hack system

 

Generalised specifications of the control hack system are given in Table 2.

 

Table 2

Specifications of system being developed

A certain logic signal is supplied to control contacts of the input SHF switch through the microprocessor. Using this signal, the switching over between the switch channels is carried out. Thus the change-over between the signals of antenna, transmitter and receiver takes place. Then the signal is transferred to the amplification stage, in this case – to a low-noise amplifier (LNA) where the signal is amplified and is further selected by the band-pass filter (BPF).

To consider the quadrature phase-shift keying (QPSK) and to prevent loss of information coded in the phase, a complex exponential signal is shaped as a heterodyne signal or, in other words, sine and cosine signals simultaneously.

As a result, separation into quadrature components I and Q takes place by mixing with the heterodyne signal which is controlled by frequency synthesizer with PLLS.

The signals are digitized in ADC and sent to the microprocessor where signal filtering and processing is carried out, the control protocol is determined and proper control signals are generated. Comparison is performed by the method of signal correlation analysis [4].

After generation of the signals, digital-toanalogue conversion, selection and amplification of control signals is performed in SPU.

At the same time false coordinates are generated and transmitted to GNSS. A constellation of GPS satellites is specified via a file of GPStransmission ephemeris. Ephemeris file for daily GPS-broadcasting (brdc) is a merge of individual navigation files into a single one.

These files are used for generation of simulated pseudorange and Doppler mode for GPS satellites in the field of view. These simulated range data are later used for generation of digitized I/Q samples for the GPS signal.

To increase the calculation rate the signal processing unit is built on the basis of programmable logic integrated circuit (PLIC) Artix7 [5].

Let us consider the input module of antenna switch in details. The input module is an SHF switch to which the receive path, transmit path and antenna are connected through a corresponding adapter. Block diagram of the input SHF-unit is shown in Figure 3.

 

Fig. 3. Block diagram of input SHF-unit

 

Microcircuit HMC595A manufactured by Analog Devices was selected as a switch. Figure 4 shows an electric schematic diagram of the respective module. The microcircuit is easily connected, and no complicated design solutions are required. Inverter SN74LVC2G04 is required for control via one input, it executes a Boolean function Y = A.

 

Fig. 4. Electric schematic diagram of SHF switch input module

 

Operation algorithm of the designed SHFswitch module is as follows: a control signal shown in the electric schematic diagram in Fig. 4 and corresponding to the high and low logic level (High/Low) is sent from the control device to the control contact (CTL). The signal provides alternative switching over between SHF-switch channels in accordance with the microcircuit truth table (a shape of the control logic signal can be transmitted from the control device as a pulse-amplitude modulation signal). Signal sources (receiver, transmitter) are connected to the corresponding leads (Input 1, Input 2).

Experimental studies

During experimental studies UAV control signals were intercepted by control system FlySky fsi6 and Radiolink at9s and the intercepted signals were processed for control protocol identification. The control signal intercepted from control panel FlySky fsi6 can be seen in Fig. 5. Phase transformation indicates this is the frequency modulation GFSK.

 

Fig. 5. Registered flow of control packets

 

After demodulation of one control packet which is shown in Fig. 6, the packet digitization is performed. After decoding, proper control signals are shaped based on the identified bit train.

 

Fig. 6. Demodulated signal

 

The situation is different for interception and decoding of signals by Radiolink at9s because this control system uses another modulation type – QPSK.

Figure 7 shows the received signal with noises and a constellation chart; the chart shows a cloud of phase samples which is meaningless.

 

Fig. 7. Received signal and chart of signal constellation

 

To obtain a protocol without errors, the receiver clock frequency is restored with the use of a digital multiphase filter unit. The unit performs the following: clock frequency restoration, receiver filter conditioning to eliminate ISI issues, and signal decimation, and produces samples at the rate of 1 sps. The signal constellation after the processing is shown in Fig. 8.

 

Fig. 8. Chart of signal constellation without noise

 

Upon additional filtering and passing of the signal through a digital equaliser the unit demodulates the signal with further control protocol decoding.

Conclusion

As can be seen from the above, during the studies a software and hardware complex has been developed on the basis of software and hardware radio system. The complex comprises two transmission channels to combine UAV hacking methods. Experimental studies of the complex were carried out which enabled to prove the possibility of control protocol hack.

Analysis of control signals was performed for two different control systems with GFSK and QPSK modulation methods, respectively.

Results obtained in the course of the studies provide the basis for further research in the field of electronic warfare and upgrading of UAV control hack system.

References

1. Мировое воздушное пространство беззащитно перед БПЛА, считают эксперты. URL: https://ria.ru/20181221/1548394586.html (дата обращения: 20.10.2020).

2. Hofmann-Wellenhof B., Lichtenegger H., Wasle E. GNSS – global navigation satellite systems: GPS, Glonass and more, 1st ed. SpringerVerlag Wien, 2008.

3. Аджахунов Э. А. Комплекс перехвата управления и спуфинга сигналов ГНСС БАС: дипломный проект. Томск: ТУСУР, 2020.

4. Кудряков С. А. Радиотехнические цепи и сигналы. СПб., 2015.

5. Artix-7. URL: https://www.xilinx.com/products/silicon-devices/fpga/artix-7.html (дата обращения: 21.11.2020).


About the Authors

E. A. Adzhakhunov
Federal State Independent Institution (FSII) “Military Innovative Technopolis “ERA”
Russian Federation

Adzhakhunov Eldar Akhmadzhanovich – Senior Operator, Research Company. 
Science research interests: communication systems, signal processing, radio navigation. 

Anapa



O. V. Nikolaev
Federal State Independent Institution (FSII) “Military Innovative Technopolis “ERA”
Russian Federation

Nikolaev Oleg Vladimirovich – Senior Operator, Research Company.
Science research interests: embedded technologies, ML, DS, AI. 

Anapa



Review

For citations:


Adzhakhunov E.A., Nikolaev O.V. UAV control hack system. Journal of «Almaz – Antey» Air and Space Defence Corporation. 2021;(2):35-41. https://doi.org/10.38013/2542-0542-2021-2-35-41

Views: 1489


Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2542-0542 (Print)