After earning my European Drone Operator Licence, I took on the task of finding a drone to pilot. While browsing AliExpress, I came across a reasonably priced drone that had the characteristics I was looking for: mostly, a drone that I am allowed to operate in EU airspace, since the licence mentions a series of requirements that have to be met in order to do so. So I ended up purchasing it, and it arrived at my place two weeks later.

In the past I built a rudimentary MAVLink ground telemetry station after reading about this protocol and how it is the standard for drone companies all over the world. It is a very simple app that reads the byte stream from the serial port to which a drone is connected, scans the stream for MAVLink messages, and decodes them. Since this works with the MAVLink simulator by ArduPilot, I wanted to test it out with a real system, hence I bought a drone.

Now, the question is, does this drone use MAVLink? From the first inspection it didn't seem like it: the Android companion app did not show any information that might indicate so. So, in order to find out, I set out a plan to decompile the APK:

  1. Extract the APK using ML Manager
  2. Decompile and search for MAVLink
  3. ??? depends on the previous step

1. Extract the APK using ML Manager

The companion app is called KY UFO by cooingdv. After installing it on my Android device, I used ML Manager by Javier Santos V to extract the APK to the device storage and copy it over to my Linux machine.

After that, I checked the file type using file:
$ file com.cooingdv.kyufo_1.7.1.apks
com.cooingdv.kyufo_1.7.1.apks: Zip archive data, at least v2.0 to extract, compression method=deflate

So, as expected, the .apks file is a ZIP file, like all Android APKs.

2. Decompile and search for MAVLink

Now it's time to decompile. APKS files are ZIPs that store one or more APK files. I started by extracting the APKS file in order to check what APKs (lowercase 's', plural) it holds.
$ mkdir -p extracted && unzip -o com.cooingdv.kyufo_1.7.1.apks -d extracted/

This dumped a series of APKs, but we will focus on two of them: base.apk and split_config.arm64_v8a.apk. This split is pretty common in Android development nowadays. In order to lower Android APK sizes, one APK has the business logic (base) and another APK holds assets specific to your Android device (high resolution icons when available, etc).

So, we continued:
$ mkdir -p extracted/base && unzip -o extracted/base.apk -d extracted/base/
$ mkdir -p extracted/arm64 && unzip -o extracted/split_config.arm64_v8a.apk -d extracted/arm64/

Both APKs dumped a classes.dex file. This file holds the bytecode of the app. In order to check the code of the app, it would be necessary to run jadx on it and decompile it. We are going to skip that for now and run strings instead. Strings (GNU strings) is a Linux program that prints the printable character sequences that are at least 4 characters long (or the number given with its options) and are followed by an unprintable character (source: strings(1) — Linux manual page).
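The unzip-then-strings steps above can be folded into a single pass. The following is an added example, not code from the original post: it opens the .apks bundle and every APK nested in it in memory, then reports printable ASCII runs of at least 4 bytes (the strings default) that contain a keyword. The function names and the tiny sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Printable ASCII runs of at least 4 bytes, the same default threshold as strings(1).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
ZIP_MAGIC = b"PK\x03\x04"


def find_strings(blob, keyword, path=""):
    """Yield (member path, matching string) for every printable run in `blob`
    containing `keyword` (case-insensitive). Nested ZIPs (APKs inside an
    .apks bundle) are opened in memory, so nothing is written to disk."""
    if blob[:4] == ZIP_MAGIC:
        try:
            archive = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            archive = None  # looked like a ZIP but is not; scan as raw bytes
        if archive is not None:
            with archive:
                for info in archive.infolist():
                    if info.is_dir():
                        continue
                    inner = f"{path}!{info.filename}" if path else info.filename
                    yield from find_strings(archive.read(info), keyword, inner)
            return
    needle = keyword.lower().encode()
    for run in PRINTABLE_RUN.findall(blob):
        if needle in run.lower():
            yield path, run.decode("ascii")


def build_sample_apks():
    """Constructed sample: a tiny .apks-shaped ZIP holding two fake APKs."""
    def make_zip(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            for name, data in members.items():
                z.writestr(name, data)
        return buf.getvalue()
    base = make_zip({"classes.dex": b"dex\n035\x00\x01Lcom/example/MAVLinkParser;\x00\x02ab\x00"})
    arm64 = make_zip({"lib/arm64-v8a/libdemo.so": b"\x7fELF\x02\x00mavlink_parse_char\x00\x00video"})
    return make_zip({"base.apk": base, "split_config.arm64_v8a.apk": arm64})


if __name__ == "__main__":
    for where, text in find_strings(build_sample_apks(), "mavlink"):
        print(f"{where}: {text}")
```

To scan a real bundle, pass the bytes of the .apks file to find_strings. Each archive member is read fully into memory, so cap member sizes before using this on archives you do not trust.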