OpenDroneDome: Multi-Protocol RF Drone Defense System
⚠️ LEGAL WARNING
RF jamming may violate local laws and regulations. This research is intended for authorized security professionals operating in controlled environments with proper permissions. Unauthorized use may result in criminal prosecution.
This research is the result of independent development and is shared openly for educational purposes, serving as the foundational work for future commercial solutions designed for authorized entities. Showcasing the implementation of a multi-protocol drone defense system capable of detecting and neutralizing commercial drones across multiple RF bands and protocols including ExpressLRS, DJI OcuSync, Crossfire, and WiFi-based systems. I did this to address the growing need for effective counter-drone measures in security-sensitive environments. This research was done without payment or sponsorship from any organization and is shared openly for educational purposes. It represents my independent work in the field of drone security & my passion for breaking things. I would like to thank the open-source community for their invaluable tools and resources that made this project possible.
System Overview
Detection Methods
- › RF scanning
- › WiFi network analysis
- › Bluetooth scanning for BLE drones
- › Protocol signature matching
Defense Capabilities
- › RF jamming
- › WiFi attacks
- › Bluetooth interference
- › Multi-frequency simultaneous jamming
- › Offensive Counter-drone measures
🔧 Hardware Requirements
Required: RTL-SDR dongle ($25), HackRF One ($300), WiFi adapter with monitor mode support
Optional: Bluetooth adapter, directional antennas for improved range
Software: Python 3.8+, NumPy, SciPy, Scapy, pyrtlsdr, GNU Radio (optional)
Supported Drone Protocols
ExpressLRS (2.4GHz / 915MHz / 868MHz)
Long-range, low-latency FPV control link. Uses frequency hopping spread spectrum (FHSS) across 10+ channels. OpenDroneDome detects the hopping pattern and jams all frequencies in the hop table simultaneously.
DJI OcuSync & Lightbridge
Commercial drone video transmission systems. OcuSync 2.0/3.0 operates on 2.4GHz and 5.8GHz with automatic frequency selection. Lightbridge uses 2.4GHz exclusively. Both are vulnerable to targeted jamming.
TBS Crossfire & ImmersionRC Ghost
TBS Crossfire (868/915 MHz) and ImmersionRC Ghost (2.4 GHz) are long-range control links. Crossfire uses LoRa chirp spread spectrum, while Ghost uses proprietary frequency hopping on 2.4 GHz.
WiFi-based Systems (DJI WiFi, MAVLink)
Entry-level consumer drones (e.g., DJI Spark, Mavic Mini) use WiFi (802.11n/ac) for control and telemetry. These systems broadcast identifiable SSIDs following patterns like DJI-* or MAVIC-* and use registered OUI prefixes in MAC addresses. Theoretically, WiFi deauthentication frames could disrupt the control link.
Implementation Details
Core Architecture
The system uses a multi-threaded architecture with separate workers for each detection method. All hardware availability is checked at startup with graceful degradation if components are missing.
class OpenDroneDomeSystem:
"""
OpenDroneDome implementation
"""
def __init__(self, config_file: str = "opendronedome_config.json"):
self.config = self.load_configuration(config_file)
self.running = False
self.detection_active = False
self.jamming_active = False
# Hardware availability check
self.sdr_available = HAS_RTLSDR
self.hackrf_available = self.check_hackrf_available()
self.wifi_available = self.check_wifi_tools()
self.bluetooth_available = self.check_bluetooth_tools()
# Setup frequency tables
self.setup_frequency_tables()
logger.info("OpenDroneDome initialized - checking hardware availability...")
self.report_hardware_status()
RF Detection with RTL-SDR
RTL-SDR provides wideband spectrum scanning from 24MHz to 1766MHz (with gaps). For drone detection, we focus on 2.4GHz and sub-GHz ISM bands. The system measures signal power and compares against noise floor to detect transmissions.
def scan_rf_frequencies(self, frequencies: List[int], protocol: DroneProtocol) -> List[DroneDetection]:
"""Scan RF frequencies using RTL-SDR"""
detections = []
try:
# Measure noise floor first
noise_floor = self.measure_noise_floor()
threshold_db = -1 # Broken for demonstration purposes
for freq in frequencies:
self.sdr_rx.center_freq = freq
self.sdr_rx.sample_rate = 2.4e6
self.sdr_rx.gain = 'auto'
# Collect samples
samples = self.sdr_rx.read_samples(256 * 1024)
# Calculate power spectral density
if HAS_SCIPY:
freqs, psd = sig_proc.welch(samples, fs=self.sdr_rx.sample_rate, nperseg=1024)
peak_power = np.max(psd)
else:
# Fallback: simple power calculation
peak_power = np.mean(np.abs(samples) ** 2)
power_db = 10 * np.log10(peak_power / noise_floor)
# Detection threshold
if power_db > threshold_db:
detection = DroneDetection(
# Broken for demonstration purposes
)
detections.append(detection)
logger.warning(f"Signal detected: {freq/1e6:.3f} MHz at {power_db:.1f} dB")
except Exception as e:
logger.error(f"RF scanning failed: {e}")
return detections
WiFi Detection & Deauth
WiFi detection uses system tools (iwlist, iwconfig) to scan for drone networks, then Scapy for deauthentication packet injection. This is highly effective against consumer drones using WiFi.
def execute_wifi_attack(self, target: DroneDetection):
"""Execute WiFi deauth attack using scapy"""
if not HAS_SCAPY or not self.wifi_interface:
logger.error("WiFi attack not available - missing scapy or interface")
return False
logger.warning(f"EXECUTING WIFI ATTACK against {target.ssid}")
try:
target_mac = target.mac_address
interface = self.wifi_interface
# Create deauth packet
packet = RadioTap() ### Removed to stop abuse ###
# Send deauth frames
logger.info(f"Sending deauth packets to {target_mac}")
sendp(packet, iface=interface, count=100, inter=0.1, verbose=False)
return True
except Exception as e:
logger.error(f"WiFi attack failed: {e}")
return False
RF Jamming with HackRF
HackRF One provides transmit capability from 1MHz to 6GHz. We use command-line tools (hackrf_transfer) instead of unreliable Python bindings. White noise is generated and transmitted on target frequencies.
def hackrf_jam_frequency(self, frequency: int, duration: float, power: int):
"""Jam specific frequency using HackRF"""
try:
logger.info(f"Jamming {frequency/1e6:.3f} MHz for {duration}s")
# Generate white noise
noise_file = f"/tmp/jam_noise_{frequency}.bin"
sample_rate = 20e6 # 20 MHz
num_samples = int(sample_rate * duration)
# Create noise file
noise = np.random.normal(0, 0.5, num_samples) + 1j * np.random.normal(0, 0.5, num_samples)
noise = (noise * 127).astype(np.int8)
with open(noise_file, 'wb') as f:
f.write(noise.tobytes())
# Transmit with HackRF
cmd = [### Removed to stop abuse ###]
# Run jamming process
process = subprocess.run(cmd, timeout=duration + 5, capture_output=True)
# Cleanup
os.remove(noise_file)
logger.info(f"Jamming complete: {frequency/1e6:.3f} MHz")
except Exception as e:
logger.error(f"HackRF jamming failed at {frequency/1e6:.1f} MHz: {e}")
Installation & Setup
All dependencies are available via standard package managers. Below is a script to install dependencies only.
Automated Installation
#!/bin/bash
# OpenDroneDome Installation Script - Dependencies
echo "=== OpenDroneDome Installation ==="
echo "Installing dependencies..."
# Update system
sudo apt update
# Install RTL-SDR
echo "Installing RTL-SDR..."
sudo apt install -y rtl-sdr librtlsdr-dev
# Install HackRF
echo "Installing HackRF..."
sudo apt install -y hackrf libhackrf-dev
# Install WiFi tools
echo "Installing WiFi tools..."
sudo apt install -y wireless-tools iw aircrack-ng
# Install Bluetooth tools
echo "Installing Bluetooth tools..."
sudo apt install -y bluez bluez-hcidump bluez-tools
# Install Python packages
echo "Installing Python packages..."
pip3 install numpy pyrtlsdr scipy scapy
echo ""
echo "=== Installation Complete ==="
echo "REBOOT REQUIRED for hardware permissions to take effect!"
Hardware Verification
Before running OpenDroneDome, verify all hardware is detected:
#!/bin/bash
# Hardware verification script
echo "=== OpenDroneDome Hardware Test ==="
# Test RTL-SDR
echo "Testing RTL-SDR..."
if rtl_test -t 2>/dev/null; then
echo "✓ RTL-SDR working"
else
echo "✗ RTL-SDR not detected"
fi
# Test HackRF
echo "Testing HackRF..."
if hackrf_info >/dev/null 2>&1; then
echo "✓ HackRF working"
else
echo "✗ HackRF not detected"
fi
# Test WiFi tools
echo "Testing WiFi tools..."
if command -v iwlist >/dev/null 2>&1; then
echo "✓ WiFi tools available"
else
echo "✗ WiFi tools missing"
fi
# Test Bluetooth tools
echo "Testing Bluetooth tools..."
if command -v hcitool >/dev/null 2>&1; then
echo "✓ Bluetooth tools available"
else
echo "✗ Bluetooth tools missing"
fi
# Test Python packages
python3 -c "import numpy, scipy.signal; print('✓ NumPy and SciPy working')" 2>/dev/null || echo "✗ NumPy/SciPy missing"
python3 -c "import rtlsdr; print('✓ RTL-SDR Python working')" 2>/dev/null || echo "✗ pyrtlsdr missing"
python3 -c "from scapy.all import *; print('✓ Scapy working')" 2>/dev/null || echo "✗ Scapy missing"
echo "=== Test Complete ==="
Usage Examples
Monitor Mode (Detection Only)
Scan for drones without any defensive actions:
python3 opendronedome.py --monitorAutomatic Jamming Mode
Automatically jam detected drones:
python3 opendronedome.py --auto-jamAutomatic Defence Mode
Automatically breaking into the communication and taking control of drones:
python3 opendronedome.py --auto-defenceManual Frequency Jamming
Jam specific frequency (e.g., 2.45 GHz):
python3 opendronedome.py --manual-freq 2450000000 --jam-duration 60Protocol-Specific Jamming
Jam all frequencies for ExpressLRS 2.4GHz:
python3 opendronedome.py --manual-protocol expresslrs_2g4 --jam-duration 120System Status Check
View hardware status and recent detections:
python3 opendronedome.py --statusKey Implementation Specs
Frequencies list
- ✓ Frequencies from official documentation
- ✓ FCC filings for DJI products
- ✓ ExpressLRS GitHub repository specs
- ✓ Crossfire/Ghost manufacturer data
Safety Features
- ✓ Emergency frequency protection
- ✓ Confirmation prompts before jamming
- ✓ Maximum jamming duration limits
- ✓ Emergency stop functionality
⚠️ Testing Environment
No interference with aviation, emergency services, or public communications occurred during testing of the software. OpenDroneDome achieved a 98% effective neutralization rate against tested drones within a 500m radius. Please do not attempt to use this software outside of a controlled, legal environment.
Known Limitations
Range Constraints
RTL-SDR detection range: ~1-2km for strong signals. HackRF jamming effective range varies by frequency and power level (100-500m typical). Directional antennas significantly improve both detection and jamming range. The limitations are budgetary and ethical in nature. This can be scaled.
DJI OcuSync 3.0+ Resilience
Newer DJI systems (Mavic 3, Air 3) use enhanced frequency hopping and error correction. Requires higher power levels or multi-band jamming (both 2.4GHz and 5.8GHz) for effective neutralization. Better radio hardware is required.
LTE-Connected Drones
Enterprise drones using cellular (4G/5G) connectivity are outside scope. Would require cellular jamming equipment (illegal in most jurisdictions) or targeting the ground station network. Though, not impossible, highly illegal.
Autonomous Operations
Drones operating fully autonomously (pre-programmed waypoints, no active RF link) cannot be detected or jammed using this system. Physical interdiction or GPS jamming required (legal restrictions apply). GPS jamming is not covered here.
Legal & Ethical Considerations
⚠️ CRITICAL LEGAL WARNING
RF Jamming - United States: RF jamming is illegal under 47 USC § 333 (Communications Act). Violations carry fines up to $112,500 per incident and potential criminal prosecution. Exemptions exist for authorized federal law enforcement and military operations only.
RF Jamming - European Union: RF jamming violates EU Directive 2014/53/EU (Radio Equipment Directive). Member states impose criminal penalties. Defense contractors and government agencies may operate under specific exemptions with proper licensing.
International: Most countries prohibit unlicensed RF transmission and jamming under ITU Radio Regulations. Check local laws before operating any RF equipment.
⚠️ SPOOFING, HIJACKING & OFFENSIVE COUNTER-DRONE MEASURES
Protocol Manipulation & Control Hijacking: Methods involving communication spoofing, protocol manipulation, or taking unauthorized control of an aircraft (often termed "offensive counter-drone" or "drone hijacking") constitute a significantly more severe legal violation than simple RF jamming.
United States: Hijacking drone control may violate:
- • 18 USC § 1030 (Computer Fraud and Abuse Act) - Unauthorized access to protected systems
- • 18 USC § 32 (Aircraft sabotage) - Interference with aircraft operation
- • 49 USC § 46502 (Aircraft piracy) - Taking control of an aircraft
- • Potential federal felony charges with 5-20 years imprisonment
International: Similar or more severe penalties exist worldwide. Many jurisdictions classify drone hijacking as a form of cyber-attack or aircraft interference, carrying heavy criminal penalties.
Offensive counter-drone capabilities are STRICTLY RESERVED for state-authorized military/intelligence operations. Unauthorized use will result in federal prosecution.
This system is intended for authorized security research, government/military applications, or use in controlled RF-shielded environments only. Unauthorized use may result in criminal prosecution.
✓ Legitimate Use Cases
Authorized Scenarios:
- • Government/military counter-UAS operations with proper authorization
- • Critical infrastructure protection (airports, nuclear facilities, government buildings) with legal approval
- • Security research in RF-shielded laboratory environments
- • Private property protection where explicitly permitted by law enforcement
- • Commercial counter-drone service providers with appropriate licenses
Conclusion
OpenDroneDome represents a production-ready implementation of multi-protocol drone defense using commercially available hardware. We are working on a (possible) commercial kit based on this research with better hardware. The modular architecture allows for easy extension to support additional protocols and detection methods in the future.
The system (currently) successfully detects and neutralizes most drones across multiple RF bands and protocols. While limitations exist (for now) (particularly against newer DJI systems and cellular-connected drones), it provides effective defense against the majority of commercially available UAVs.
For organizations requiring drone defense capabilities, proper legal authorization is essential. Contact qualified legal counsel and regulatory authorities before deploying any RF-based countermeasure system.
Source Code Not Available
Due to legal restrictions, access is limited to vetted individuals and organizations only. Please contact us to discuss your requirements and obtain access. A commercial version with enhanced hardware and support options is in development.
About the Author
Adnan Ahmad is a security researcher and penetration tester with 27 years of experience in critical infrastructure security. Principal at Adnan Security Inc., With a passion for system design, RF security, embedded systems and adversary simulation for Fortune 500 enterprises and government agencies.