Reverse engineering and retrofitting robotic aerial vehicle control firmware using dispatch

Unmanned Aerial Vehicles as a service (UAVaaS) has increased the field deployment of Robotic Aerial Vehicles (RAVs) for different services such as transportation and terrain exploration. These RAVs are controlled by firmware, which is often closed-source, developed by vendors, and flashed into the ROM. While these binary blobs enable off-the-shelf management of RAVs, end users (individuals or organizations) have no idea if the control firmware is designed and implemented correctly, and can only rely on firmware updates from vendors when any vulnerability is discovered. This paper proposes DisPatch, the first reverse engineering and patching framework for understanding and improving controller design and implementation within RAV firmware. DisPatch first decompiles binary instructions and recovers controller functions and core controller variables by combining control theory with program analysis using symbolic execution and data flow analysis. End users can then write a patch in a domain-specific language (DSL), which will be translated and injected into the binary firmware by DisPatch automatically. We have applied DisPatch to two instances of commodity firmware from3DR IRIS+ and MantisQ RAVs and demonstrated 100% and 80.7% accuracy respectively in the controller decompilation. We have also shown the ability to prevent severe controller performance degradation by patching two real-world bugs with in the firmware and without breaking other functionality. Finally, we show that DisPatch introduces less than 0.53% of space overhead and 1.48% of runtime overhead without violating the soft real-time deadlines. DisPatch provides the first step towards an RAV binary firmware reverse engineering and patching system to customize controller design and implementation.