SIGNAL REAPER — Drone Countermeasure System

System Overview

Primary Function

RF JAM

Drone frequency disruption

TX Gain Range

47 dB

Configurable via TUI menu

Sample Rate

20 MHz

HackRF One native

Freq Coverage

1MHz–6GHz

Full HackRF range

Interface

curses

Button-driven TUI on Pi

Power

LiPo

Fully field-deployable

root@signal-reaper:~$ python3 Signal_Reaper.py

Initialising hardware...

hackrf_transfer [OK] Serial: 0000000000000000

wlan0 [OK] Monitor mode available

GPIO [OK] 4 inputs mapped

Loading modules...

pywifi [OK]

scapy [OK]

pyfiglet [OK]

nmap [OK]

hostapd [OK]

ffmpeg [OK]

Interface selected: wlan0

Ready.

Signal Monitor

2.4 GHz — Live Waveform

0 Hz600 MHz1.2 GHz1.8 GHz2.4 GHz

Capabilities

RF Jamming Drone Takedown Deauthentication Auth DoS WiFi Brute Force TCP Flooding Interface Scanning Monitor Mode Managed Mode Command Injection HackRF SDR Evil Twin Tello Relay Image Injection

Target Drone — DJI Tello

DJI TELLO

EDU / Standard Edition — Primary Test Target

Control Band

2.4 GHz

Protocol

WiFi 802.11n

Max Range

~100m

Flight Time

13 min

Weight

80g

Video

720p / 5MHz

SDK

Tello SDK 2.0

SSID Pattern

TELLO-XXXXXX

Identified Vulnerabilities

⚠ Attack Surface Analysis

Open WiFi Control Network — The Tello broadcasts an open, unencrypted WiFi AP (SSID: TELLO-XXXXXX). No WPA authentication is required to connect, making it trivially accessible to any device in range.

UDP Command Injection — All flight commands are sent as plaintext UDP packets to 192.168.10.1:8889. There is no authentication, token, or command signing — any device on the network can issue arbitrary flight commands.

No Encryption on Telemetry — State data (speed, battery, altitude, attitude) is broadcast over UDP:8890 in cleartext, readable by any listener on the network.

2.4 GHz Single-Band Dependency — The Tello operates exclusively on 2.4 GHz with no frequency hopping or fallback band. Broadband noise on this frequency range causes immediate loss of control link.

WiFi Deauth Susceptibility — As a standard 802.11n client, the Tello is vulnerable to spoofed deauthentication frames. Sending a broadcast deauth causes the controller app to immediately lose connection.

Countermeasure Methods Used

► Tested Attack Vectors

[1]RF broadband jam at 2.4 GHz via HackRF One + Yagi antenna — disrupts WiFi control link

[2]802.11 deauthentication flood targeting Tello BSSID via Scapy in monitor mode

[3]Direct UDP command injection — sending land / emergency to 192.168.10.1:8889 after associating with open AP

[4]Auth DoS against Tello AP to prevent legitimate controller reconnection

[5] Passive Video Feed Interception — NAL Unit Analysis (Off-Network) Attempted to intercept and decode the Tello's video downlink passively without associating to the drone's WiFi AP. The video stream is transmitted over UDP and wrapped in an H.264 bitstream. Using a wireless adapter in monitor mode, raw 802.11 data frames were captured and filtered by the Tello's BSSID. The H.264 stream was then extracted and parsed using NAL (Network Abstraction Layer) unit boundaries, specifically scanning for NAL unit type headers — 0x00000167 (SPS — Sequence Parameter Set, defines profile/level), 0x00000168 (PPS — Picture Parameter Set, defines encoding parameters), and 0x00000165 (IDR keyframe — Instantaneous Decoding Refresh).

⚠ Outcome: Reassembly of a coherent video feed proved difficult. Each video frame was heavily fragmented across multiple 802.11 data frames with no consistent ordering or sequence numbering recoverable at the capture layer. Without being associated to the AP, the full UDP session context (source port, RTP-style sequencing) was not easily reconstructable, causing NAL units to be received out of order or partially. The H.264 decoder (ffmpeg) was unable to consistently reconstruct frames, producing corrupted output or stalling on missing IDR keyframes.

► Status: One frame was partially recovered — the top portion of the frame was viewable, but the remainder was corrupted. Full frame reconstruction off-network remains unreliable due to fragmentation and missing sequence context.

[6] Evil Twin + Relay — Full Man-in-the-Middle on Tello Video & Commands A rogue AP is broadcast on the Tello's SSID and BSSID using hostapd on a USB WiFi adapter. The Pi's built-in adapter stays associated to the real Tello AP. When the phone connects to the fake AP, two relay threads bridge all traffic transparently — UDP commands (port 8889) are forwarded to the real drone and responses passed back, while the H.264 video stream (port 11111) is forwarded frame-by-frame from the drone to the phone.

Cat Image Injection: A JPEG or PNG image is pre-encoded to a single H.264 frame via ffmpeg at startup. Pressing c in the live menu replaces the real video feed with the cat frame for 5 seconds before transparently resuming normal relay — the phone's DJI app sees a seamless stream throughout.

► Status: Fully operational. Phone connects to fake AP, drone remains flyable via relay, image injection confirmed working.

Hardware Components

Raspberry Pi

Main compute unit — runs Signal_Reaper.py and orchestrates all attack modules via subprocess and Python libraries

PSR

PiSugar Battery

Dedicated UPS-style battery module that clips directly onto the Pi — provides clean, regulated power to the Raspberry Pi independently

HackRF One

SDR transceiver — 1 MHz to 6 GHz, 20 MSPS, half-duplex TX/RX. Primary jamming hardware

YGI

Yagi Antenna

High-gain directional antenna — focused RF beam for targeted jamming at range

AMP

RF Amplifier

Boosts TX output power from the HackRF, extending effective jamming range significantly

PWR

LiPo Battery

Dedicated high-current power supply for the RF amplifier — raw LiPo output fed through a DC-DC converter before the amp

DC-DC Boost/Buck Converter

Regulates LiPo voltage up or down to the exact voltage required by the RF amplifier — ensures stable, clean power under load

DSP

Portable Screen

Compact display connected to the Pi for curses TUI menu output in the field

BTN

GPIO Buttons

Physical Raspberry Pi buttons wired to GPIO — navigate the TUI menu without a keyboard

USB

USB WiFi Adapter

Second wireless interface — runs the Evil Twin AP via hostapd while the built-in adapter stays connected to the real Tello drone for relay mode

System Architecture

Signal Path

Raspberry Pi

→

HackRF One

→

RF Amplifier

→

Yagi Antenna

→

RF OUTPUT

Control Path

GPIO Buttons

→

Signal_Reaper.py TUI

→

hackrf_transfer

Power Path — Rail 1 (Compute)

PiSugar Battery

→

Raspberry Pi

→

HackRF One (USB)

Power Path — Rail 2 (RF Amp)

LiPo Battery

→

DC-DC Boost/Buck

→

RF Amplifier

Software Modules

■ RF Jamming

Pipes /dev/urandom into hackrf_transfer at a user-selected frequency. TX gain 0–47 dB, 20 MSPS sample rate. Terminates cleanly on keypress.

■ Deauthentication

Crafts 802.11 Deauth frames via Scapy. Requires monitor mode. Scans for targets and sends flood of deauth packets to disconnect clients.

■ Auth DoS

Floods an AP with authentication frames to exhaust its association table, preventing reconnection by legitimate clients or controllers.

■ WiFi Brute Force

Wordlist-based WPA-PSK cracker using nmcli. Scrollable network picker, progress bar, supports custom wordlist paths or manual entry.

■ TCP Flooding

High-volume raw TCP packet generation against a target IP and port. Tests network resilience and disrupts drone SDK communications.

■ Interface Management

Scans available wireless interfaces via pywifi, toggles between monitor and managed mode. Required precondition for most attack modules.

■ Command Injection

Network host discovery via nmap, ARP scanning, and targeted command injection against discovered hosts on the subnet.

■ Evil Twin + Tello Relay

Clones a target SSID via hostapd, spoofing the BSSID. Optional Tello relay mode bridges UDP commands and H.264 video between the phone and the real drone across two adapters. Supports live image injection into the video stream via ffmpeg pre-encoded H.264 frame.

Dependencies

python3 scapy pywifi pyfiglet curses hackrf_transfer nmcli nmap iwlist / iw hostapd ffmpeg subprocess socket threading

Target Frequencies

Band	Frequency	Target Use	Priority

TX Gain Reference

Evil Twin — Rogue AP + Tello Relay

█ Overview

A rogue access point is broadcast on the Tello's exact SSID and BSSID using hostapd on a USB WiFi adapter. The Raspberry Pi's built-in adapter remains connected to the real Tello drone. Two background threads transparently bridge all traffic between the phone and the drone — making the drone fully flyable through the fake AP while giving full interception capability.

Network Architecture

Evil Twin Relay — Data Flow

Phone (DJI App)

→

USB Adapter
Fake AP (hostapd)

→

Relay Threads
cmd + video

→

Built-in WiFi
Real Tello AP

→

DJI Tello
192.168.10.1

Image Injection Path

Image File
.jpg / .png

→

ffmpeg
encode to H.264

→

Video Relay Thread

→

Phone Video Feed
port 11111

Setup Requirements

Built-in WiFi

Connects to the real Tello AP (TELLO-XXXXXX). Selected as the relay adapter inside the Evil Twin menu. Handles all real drone communication.

USB WiFi Dongle

Selected as the primary interface in Scan Interfaces. Runs hostapd to broadcast the cloned SSID/BSSID on the same channel as the real drone.

IMG

Cat Image

Any .jpg or .png. Browsed via in-menu file picker. Pre-encoded to a single H.264 frame at startup — injected into the live video stream on demand.

Operation Flow

root@signal-reaper:~$ python3 Signal_Reaper.py

> Scan Interfaces → select USB dongle (wlan1)

> Evil Twin → scan + pick TELLO-XXXXXX

Channel detected [6] ← auto-detected

Enable Tello relay? [y]

Relay adapter → select wlan0 (built-in)

Connecting to Tello... [OK] 192.168.10.1 reachable

Select cat image → /home/pi/cat.jpg

Encoding H.264 [OK] 18432 bytes ready

hostapd started [OK] broadcasting TELLO-XXXXXX

Relay threads [OK] cmd:8889 video:11111

Phone connected: 192.168.10.x

Video: relaying... [ press c to inject cat ]

c inject cat image → VIDEO: >>> CAT ACTIVE <<< (5s)

q stop all → hostapd killed, MAC restored

Project Summary

Signal Reaper is a portable, self-contained RF countermeasure platform built on Raspberry Pi and HackRF One SDR hardware.

The system is operated entirely through a custom Python curses TUI, navigated via physical GPIO buttons — no keyboard required in the field.

The primary test target was a DJI Tello drone. Its open WiFi control network, unencrypted UDP command protocol, and single-band 2.4 GHz dependency make it highly susceptible to multiple attack vectors implemented in this system.

The HackRF One connected to a Yagi antenna and RF amplifier provides broadband noise jamming across the Tello's 2.4 GHz control frequency, causing immediate disconnection from the DJI mobile app.

The Evil Twin module clones the Tello's AP using hostapd on a USB WiFi adapter, while the Pi's built-in adapter stays connected to the real drone. Two relay threads transparently bridge UDP commands and H.264 video — making the drone fully flyable through the fake AP. A pre-encoded cat image frame can be injected into the live video feed on demand via a single keypress.

Powered by a LiPo battery, the complete system is fully field-deployable with no external power or network infrastructure required.

Legal Disclaimer

⚠ THIS PROJECT IS FOR EDUCATIONAL AND RESEARCH PURPOSES ONLY.

RF jamming is illegal in most jurisdictions including Ireland, the EU, and the US under telecommunications law. Unauthorised network attacks violate the Computer Misuse Act, GDPR, and various other statutes.

This system was developed and tested ONLY on hardware owned by the builder in a controlled private environment. The author assumes zero liability for any misuse of this software, firmware, or hardware configuration.

DO NOT USE THIS SYSTEM IN PUBLIC AIRSPACE OR ON ANY DEVICE YOU DO NOT OWN.