For the week of Christmas 2014, I went to visit some friends down in the Bay Area. We originally planned to take a road trip further south to Santa Barbara and back via CA-1, but somehow that did not happen. We ended up visiting places nearby, relaxing, and flying my DJI Phantom 2 Vision+ in different parts of the Bay Area.

I am a proud owner of a DJI Phantom 2 Vision+ since September. I got it from my dad who had been flying it in China for a few months.

My impression for the drone is that it’s almost too hard to crash. My dad could not handle Halo on Xbox and he was still able to fly the drone by controling one axis at a time. This drone is truly remarkable in its ease of use.

For advanced users, DJI has something called the Naza-M mode that can be turned on to allow for fancier ways to control the drone.

The drone’s primary flight control is done via a 5.8GHz remote controller, just like any other common RC planes. However, the drone also features 2.4GHz Wi-Fi connection for first person view, GPS waypoint programming, camera control, etc. These are auxiliary functions that can be performed on your iOS or Android phone through an app.

DJI uses two OpenWrt systems for this to work. One is on the drone itself, and the other is located in a little box attached to the remote controller that acts as a Wi-Fi range extender. OpenWrt on the drone exposes a hidden wireless AP. The range extender connects to that AP and in turn exposes a visible wireless AP for the phone to connect to.

Both APs are unencrypted. Both systems on the network have well-known IP addresses. Both run SSH daemons. And the root password on both systems is simply “19881209”.

The system on the drone itself connects to onboard embedded flight control systems via serial ports. These ports are actually exposed on the network using ser2net daemons.

One can imagine that hijacking such drone over the air might not be too hard. Fortunately, the waypoint programming protocol is “encrypted” by some obscure cipher. But I am sure a closer look at the Android client would reveal how it works eventually.

Nevertheless, hijacker can still mess around with the drone’s onboard system to make the flight unpleasant. Check out this reverse engineering to see what’s available so far.

Since the firmware is actually OpenWrt, it can be configured like any OpenWrt systems. I’ve already encrypted both Wi-Fi APs on my Phantom 2. So far I have not encountered any problems with the customization. I would encourage you to do the same just to be safe.