-
Notifications
You must be signed in to change notification settings - Fork 2
/
drone.py
158 lines (126 loc) · 5.91 KB
/
drone.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
from scapy.all import *
from scapy.layers.dot11 import RadioTap, Dot11, Dot11WEP
from arc4 import ARC4
import zlib
udp_seq = 0
#from OG's code
def calc_pkt55_checksum(packet, plength):
crc =[0x0000, 0x1189, 0x2312, 0x329b, 0x4624, 0x57ad, 0x6536, 0x74bf,
0x8c48, 0x9dc1, 0xaf5a, 0xbed3, 0xca6c, 0xdbe5, 0xe97e, 0xf8f7,
0x1081, 0x0108, 0x3393, 0x221a, 0x56a5, 0x472c, 0x75b7, 0x643e,
0x9cc9, 0x8d40, 0xbfdb, 0xae52, 0xdaed, 0xcb64, 0xf9ff, 0xe876,
0x2102, 0x308b, 0x0210, 0x1399, 0x6726, 0x76af, 0x4434, 0x55bd,
0xad4a, 0xbcc3, 0x8e58, 0x9fd1, 0xeb6e, 0xfae7, 0xc87c, 0xd9f5,
0x3183, 0x200a, 0x1291, 0x0318, 0x77a7, 0x662e, 0x54b5, 0x453c,
0xbdcb, 0xac42, 0x9ed9, 0x8f50, 0xfbef, 0xea66, 0xd8fd, 0xc974,
0x4204, 0x538d, 0x6116, 0x709f, 0x0420, 0x15a9, 0x2732, 0x36bb,
0xce4c, 0xdfc5, 0xed5e, 0xfcd7, 0x8868, 0x99e1, 0xab7a, 0xbaf3,
0x5285, 0x430c, 0x7197, 0x601e, 0x14a1, 0x0528, 0x37b3, 0x263a,
0xdecd, 0xcf44, 0xfddf, 0xec56, 0x98e9, 0x8960, 0xbbfb, 0xaa72,
0x6306, 0x728f, 0x4014, 0x519d, 0x2522, 0x34ab, 0x0630, 0x17b9,
0xef4e, 0xfec7, 0xcc5c, 0xddd5, 0xa96a, 0xb8e3, 0x8a78, 0x9bf1,
0x7387, 0x620e, 0x5095, 0x411c, 0x35a3, 0x242a, 0x16b1, 0x0738,
0xffcf, 0xee46, 0xdcdd, 0xcd54, 0xb9eb, 0xa862, 0x9af9, 0x8b70,
0x8408, 0x9581, 0xa71a, 0xb693, 0xc22c, 0xd3a5, 0xe13e, 0xf0b7,
0x0840, 0x19c9, 0x2b52, 0x3adb, 0x4e64, 0x5fed, 0x6d76, 0x7cff,
0x9489, 0x8500, 0xb79b, 0xa612, 0xd2ad, 0xc324, 0xf1bf, 0xe036,
0x18c1, 0x0948, 0x3bd3, 0x2a5a, 0x5ee5, 0x4f6c, 0x7df7, 0x6c7e,
0xa50a, 0xb483, 0x8618, 0x9791, 0xe32e, 0xf2a7, 0xc03c, 0xd1b5,
0x2942, 0x38cb, 0x0a50, 0x1bd9, 0x6f66, 0x7eef, 0x4c74, 0x5dfd,
0xb58b, 0xa402, 0x9699, 0x8710, 0xf3af, 0xe226, 0xd0bd, 0xc134,
0x39c3, 0x284a, 0x1ad1, 0x0b58, 0x7fe7, 0x6e6e, 0x5cf5, 0x4d7c,
0xc60c, 0xd785, 0xe51e, 0xf497, 0x8028, 0x91a1, 0xa33a, 0xb2b3,
0x4a44, 0x5bcd, 0x6956, 0x78df, 0x0c60, 0x1de9, 0x2f72, 0x3efb,
0xd68d, 0xc704, 0xf59f, 0xe416, 0x90a9, 0x8120, 0xb3bb, 0xa232,
0x5ac5, 0x4b4c, 0x79d7, 0x685e, 0x1ce1, 0x0d68, 0x3ff3, 0x2e7a,
0xe70e, 0xf687, 0xc41c, 0xd595, 0xa12a, 0xb0a3, 0x8238, 0x93b1,
0x6b46, 0x7acf, 0x4854, 0x59dd, 0x2d62, 0x3ceb, 0x0e70, 0x1ff9,
0xf78f, 0xe606, 0xd49d, 0xc514, 0xb1ab, 0xa022, 0x92b9, 0x8330,
0x7bc7, 0x6a4e, 0x58d5, 0x495c, 0x3de3, 0x2c6a, 0x1ef1, 0x0f78]
# Seeds
#v = 0x1012 # Naza M
#v = 0x1013 # Phantom 2
#v = 0x7000 # Naza M V2
v = 0x3692 # P3/P4/Mavic
for i in range(0, plength):
vv = v >> 8
v = vv ^ crc[((packet[i] ^ v) & 0xFF)]
return v
def produce_sc(frag: int, seq: int) -> int:
return (seq << 4) + frag
def swap32(i):
return struct.unpack("<I", struct.pack(">I", i))[0]
def send_arp(ivcounter):
#New Drone
arp = Raw(load=bytes.fromhex("000010002c0000000c0071160000ec0008400000ffffffffffff34d262b7631138d262b8058f0010000000005988daddf26b79203634a941c08f698efa00dbba44e55d0aa7a935f1f11d1598178f10a1d3f1d643"))
return arp
def send_beacon(ivcounter):
#New Drone
beacon = Raw(load=bytes.fromhex("000010002c0000000c0071160000ec0080000000ffffffffffff34d262b7631138d262b8058f0000a7e1b0000000000064001200000001068c98b048606c03019506020000dd0900037f01010000ff7f44056164686f63"))
return beacon
def send_udp(payload, ivcounter):
# Create the RadioTap header
radiotap = RadioTap(Rate=0x0c)
# You can set the properties of the header, such as the version, length, and flags
radiotap.version = 0
# radiotap.len = 18
# Set the present flags
radiotap.present = 0x0000002c
# Set the data rate
radiotap.rate = 0x0c
# Set the channel frequency
radiotap.ChannelFrequency = 5745
# Set the channel flags
radiotap.ChannelFlags = 0x0040
# Set the antenna signal
radiotap.dBm_AntSignal = -18
# radiotap.dBm_AntNoise= 0
radiotap.len = 0x10
# The LLC header information
llc = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03)
llc_org_code = Raw(load=bytes.fromhex("000000"))
llc_type = Raw(load=bytes.fromhex("0800"))
# Define the source and destination IP addresses
src_ip = "192.168.2.2"
dst_ip = "192.168.2.1"
ip_pkt = IP(src=src_ip, dst=dst_ip, id=0x0000, flags=2, frag=0)
# Define the source and destination port numbers
src_port = 10002
dst_port = 9003
payload = Raw(load=bytes.fromhex(payload))
# Create the UDP packet
udp_pkt = llc / llc_org_code / llc_type / ip_pkt / \
UDP(sport=src_port, dport=dst_port) / payload
# Calculate the CRC32 checksum
crc = zlib.crc32(udp_pkt.build()) & 0xffffffff # Calculate the checksum
# crc = swap32(crc) # Swap the bytes
crc = crc.to_bytes(4, 'little') # Convert the checksum to bytes
crcpkt = Raw(load=crc) # Create the Raw layer
# Add the CRC32 checksum to the UDP packet
udp_pkt2 = udp_pkt / crcpkt
# Define the source and destination MAC addresses
src_mac = "34:d2:62:b7:63:11" # RC MAC
dst_mac = "34:d2:62:b8:05:8f" # Drone MAC
bssid_mac = "38:d2:62:b8:05:8f" # Drone MAC
global udp_seq
sc = produce_sc(0, 256+udp_seq)
udp_seq += 1
# Create the Dot11 layer, specifying the source and destination MAC addresses
dot11 = Dot11(addr1=dst_mac, addr2=src_mac,
addr3=bssid_mac, type=2, FCfield=0x0840, SC=sc)
# Set IV and key
iv = ivcounter.to_bytes(3, byteorder='big')
#key = b'\x44\x56\x4b\x52\x52' # DVKRR
key = b'\x4A\x5A\x52\x4A\x42' # JZRJB
# Encrypt UDP Packet
# Create seed and cipher
seed = iv + key
rc4 = ARC4(seed)
wep = rc4.encrypt(udp_pkt.build())
seed = iv + key
rc4 = ARC4(seed)
wep2 = rc4.encrypt(udp_pkt2.build())
# Combine the Dot11 layer and the encrypted data payload to create the final packet
final_packet = radiotap / Raw(load=bytes.fromhex("00")) / dot11 / Dot11WEP(
wepdata=RawVal(wep), iv=iv, keyid=0, icv=RawVal(wep2[-4:]))
return final_packet