Firmware Decompile - nicholasaleks/Damn-Vulnerable-Drone GitHub Wiki
Reverse engineering the ArduPilot firmware used in Damn Vulnerable Drone
Firmware decompilation allows attackers to reverse engineer the flight control logic, parameter logic, and security flaws embedded in the compiled autopilot firmware. This technique is crucial for identifying hardcoded behaviors, exploitable functions, or undocumented MAVLink commands.
In Damn Vulnerable Drone, we’ll extract the running firmware binary used by the ArduPilot SITL instance, decompile it with Ghidra, and explore its internal structure for hacking opportunities.
⚠️ Solution Guide
Access the `flight-controller` Docker container:

```bash
docker exec -it flight-controller bash
```

Search for the `arducopter` binary:

```bash
find / -name "arducopter" 2>/dev/null
```

Expected output:

```
/home/ardupilot/ArduCopter/build/sitl/bin/arducopter
```

From your host terminal, copy the file out of the `flight-controller` container:

```bash
docker cp flight-controller:/home/ardupilot/ArduCopter/build/sitl/bin/arducopter ./arducopter.bin
```

Use the `file` utility:

```bash
file arducopter.bin
```

Expected output:

```
ELF 64-bit LSB executable, x86-64, dynamically linked
```

Quick static recon with `strings`:

```bash
strings arducopter.bin | less
```

Dump disassembly (optional):

```bash
objdump -D -M intel arducopter.bin > arducopter.asm
```
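The `file` and `strings` steps above are doing two simple things: reading the fixed-layout ELF header and scanning the file for runs of printable bytes. The Python below, an added example that is not part of the original wiki, does both by hand so the logic is visible: it decodes `e_ident`, `e_type` and `e_machine` into the same words `file` prints, pulls printable strings the way `strings -n 4` does, and filters them for the MAVLink, parameter and unsafe-copy names the Ghidra steps below tell you to look for. The 64-byte header and the trailing strings in `SAMPLE` are constructed for this example and are not bytes from the real `arducopter` binary; the function names are this example's own.

```python
"""Minimal ELF triage: identify a binary the way `file` does and pull printable
strings the way `strings` does, then flag the ones worth opening in Ghidra."""
import re
import struct
import sys
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
EM_NAMES = {0x03: "Intel 80386", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
ET_NAMES = {1: "relocatable", 2: "executable", 3: "shared object (PIE or library)", 4: "core"}


@dataclass
class ElfIdent:
    bits: int       # 32 or 64, from EI_CLASS
    endian: str     # "LSB" or "MSB", from EI_DATA
    machine: str    # decoded e_machine
    kind: str       # decoded e_type


def identify_elf(blob: bytes) -> ElfIdent:
    """Parse e_ident plus the two header fields that `file` reports."""
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    bits = {1: 32, 2: 64}[blob[4]]
    endian = {1: "LSB", 2: "MSB"}[blob[5]]
    fmt = "<" if endian == "LSB" else ">"
    # e_type and e_machine (two 16-bit fields) directly follow the 16-byte e_ident.
    e_type, e_machine = struct.unpack_from(fmt + "HH", blob, 16)
    return ElfIdent(bits, endian, EM_NAMES.get(e_machine, hex(e_machine)), ET_NAMES.get(e_type, hex(e_type)))


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -n min_len`: maximal runs of printable ASCII."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


# Names the wiki suggests hunting for: MAVLink handlers, parameter lookups,
# unsafe string copies and flight-mode logic.
INTERESTING = re.compile(r"mavlink|param|strcpy|sprintf|mode", re.IGNORECASE)


def triage_strings(strs: list) -> list:
    """Keep only strings that match the watch-list above."""
    return [s for s in strs if INTERESTING.search(s)]


# Constructed sample (not the real arducopter binary): a valid 64-byte ELF64
# little-endian x86-64 executable header followed by a fake read-only data tail.
SAMPLE = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8          # e_ident: ELF64, LSB, version 1
    + struct.pack("<HHIQQQIHHHHHH",                           # rest of Elf64_Ehdr
                  2, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    + b"\x00\x01\x02\x03"
    + b"MAVLINK_MSG_ID_PARAM_SET\x00"
    + b"hello world\x00"                                       # printable but not interesting
    + b"\xff\xfe\xfd"
    + b"param_find\x00"
    + b"strcpy\x00"
    + b"ok\x00"                                                # too short for min_len=4
    + b"GUIDED mode\x00"
)

if __name__ == "__main__":
    # Usage: python elf_triage.py arducopter.bin   (falls back to SAMPLE)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    ident = identify_elf(data)
    print(f"ELF {ident.bits}-bit {ident.endian} {ident.kind}, {ident.machine}")
    for s in triage_strings(extract_strings(data)):
        print("  ", s)
```

Run against the real `arducopter.bin` it should report `ELF 64-bit LSB executable, x86-64`, matching the `file` output above (the "dynamically linked" part comes from a `PT_INTERP` program header, which this example does not parse). If `file` instead reports a shared object, the build is position-independent and Ghidra's default image base will not match runtime addresses.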
- Open Ghidra
- Create a new non-shared project
- Import `arducopter.bin`
- Accept default analysis options
- Begin reversing
Search for MAVLink handlers, `param_find()`, `strcpy`, flight mode logic, and state machine transitions.

Download a real `.apj` firmware image:

```bash
wget https://firmware.ardupilot.org/Copter/stable/Pixhawk1/arducopter.apj
```

Extract using binwalk:

```bash
binwalk -e arducopter.apj
```
Explore extracted ELF binaries using the same steps above.
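Before handing a downloaded image to binwalk or Ghidra it is worth checking the container itself. The Python below is an added example, not part of the original wiki or of ArduPilot, and it assumes the layout ArduPilot's upload tooling uses for `.apj` files: a JSON document whose `image` member holds the flash image zlib-compressed and base64-encoded, next to metadata such as `board_id`, `image_size` and a `magic` of `APJFWv1`. It decodes the image, refuses a file whose declared `image_size` disagrees with the payload, hashes the result so you can record what you actually analysed, and reads the Cortex-M vector table at the start of the image. The decoded payload is a raw flash image rather than an ELF, so a disassembler needs the architecture and load address supplied by hand; the reset-vector check is one way to confirm you have the right bytes at the right offset. `SAMPLE_APJ`, `FAKE_IMAGE` and the function names are constructed for this example.

```python
"""Unpack an ArduPilot .apj container and sanity-check it before disassembly.

Format assumption (ArduPilot upload tooling): a .apj is a JSON document whose
"image" member is the raw flash image, zlib-compressed then base64-encoded,
alongside "board_id", "image_size", "description" and "magic" == "APJFWv1"."""
import base64
import hashlib
import json
import struct
import sys
import zlib


def unpack_apj(apj_bytes: bytes) -> dict:
    """Decode the image and fail loudly when metadata and payload disagree."""
    desc = json.loads(apj_bytes)
    if desc.get("magic") != "APJFWv1":
        raise ValueError("not an APJFWv1 container")
    image = zlib.decompress(base64.b64decode(desc["image"]))
    declared = desc.get("image_size")
    if declared is not None and declared != len(image):
        raise ValueError(f"image_size {declared} != decoded length {len(image)}")
    return {
        "board_id": desc.get("board_id"),
        "description": desc.get("description", ""),
        "image": image,
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def verifies(apj_bytes: bytes) -> bool:
    """True when the container parses and its size metadata matches."""
    try:
        unpack_apj(apj_bytes)
        return True
    except (ValueError, KeyError, zlib.error):
        return False


def cortex_m_entry(image: bytes) -> tuple:
    """First two words of a Cortex-M image: initial stack pointer and reset
    handler. The handler's low bit is set (Thumb); return it cleared so the
    value can be used directly as a Ghidra entry point."""
    sp, reset = struct.unpack_from("<II", image, 0)
    if reset & 1 == 0:
        raise ValueError("reset vector lacks the Thumb bit: wrong image or offset?")
    return sp, reset & ~1


# Constructed sample container (not a real ArduPilot release).
FAKE_IMAGE = (struct.pack("<II", 0x20020000, 0x08004181)   # SP, reset handler (Thumb bit set)
              + b"\x00" * 8
              + b"ArduCopter (constructed)\x00")
SAMPLE_APJ = json.dumps({
    "magic": "APJFWv1",
    "board_id": 9,
    "description": "Constructed sample, not a release build",
    "image_size": len(FAKE_IMAGE),
    "image": base64.b64encode(zlib.compress(FAKE_IMAGE)).decode("ascii"),
}).encode()

# Same container with image_size altered, to show the integrity check tripping.
_tampered = json.loads(SAMPLE_APJ)
_tampered["image_size"] = 4096
TAMPERED_APJ = json.dumps(_tampered).encode()

if __name__ == "__main__":
    # Usage: python apj_unpack.py arducopter.apj arducopter.img   (falls back to SAMPLE_APJ)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_APJ
    info = unpack_apj(raw)
    sp, reset = cortex_m_entry(info["image"])
    print(f"board_id={info['board_id']} size={len(info['image'])} sha256={info['sha256']}")
    print(f"initial SP=0x{sp:08x} reset handler=0x{reset:08x}")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(info["image"])
```

When importing the written `.img` into Ghidra, pick the ARM Cortex little-endian language and set the base address so that the reset handler printed above lands inside the image; if it does not, the image is not mapped where you assumed.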