pith. machine review for the scientific record.

arxiv: 2605.11040 · v1 · submitted 2026-05-11 · 💻 cs.CR


A Multi-Interface Firmware Acquisition and Validation Methodology for Low-Cost Consumer Drones: A Case Study on Three Holy Stone Platforms

Marco Carvalho, Sandesh More, Sneha Sudhakaran


Pith reviewed 2026-05-13 01:22 UTC · model grok-4.3

classification 💻 cs.CR
keywords: consumer UAV, drone firmware, firmware extraction, embedded systems security, entropy analysis, IoT security, SPI flash, SWD/JTAG

The pith

Four low-cost acquisition methods plus entropy and structural checks produce validated firmware images from three Holy Stone drone models.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tests four accessible ways to read firmware off the memory chips inside the HS175D, HS720, and HS360S consumer drones without expensive equipment or chip removal. It then applies a three-tier check—sliding-window entropy profiles, binwalk structural signatures, and EMBA static analysis—to separate useful images from tool artifacts that contain no real code. The validated images turn out to hold identifiable operating-system pieces, old library versions carrying known vulnerabilities, and no binary hardening. A reader should care because these drones are widely sold yet their software has stayed opaque, so a reproducible extraction baseline lets others begin security checks, rehosting experiments, or classroom work on real embedded systems.

Core claim

By evaluating SPI flash in-circuit reading, SWD/JTAG debug-port access, UART boot-message capture, and a clip-based contact method on three Holy Stone platforms, and confirming image quality through sliding-window Shannon entropy, binwalk signatures, and EMBA static analysis, the work obtains complete firmware images that contain identifiable OS components, aging libraries with known CVE exposure, and no binary-hardening mechanisms.

What carries the argument

The three-tier validation framework of sliding-window Shannon entropy profiling, binwalk structural-signature analysis, and EMBA static analysis, which separates genuine firmware from acquisition artifacts.
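The entropy tier of that framework, as an added illustration that is not code from the paper: a sliding-window Shannon entropy profile using the 4,096-byte window of Figure 1, run over constructed dumps to show how a blank read, a noise-only read, and a structured image separate. The decision bands and the sample dumps are assumptions made here; the paper does not publish its thresholds.

```python
import math
import random
from collections import Counter

WINDOW = 4096  # window size used for the paper's entropy profiles (Figure 1)


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte chunk in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(image: bytes, window: int = WINDOW) -> list[float]:
    """Entropy of each consecutive, non-overlapping window across the whole image."""
    return [shannon_entropy(image[i:i + window]) for i in range(0, len(image), window)]


# Decision bands are assumptions chosen for this example; the paper does not state its thresholds.
ERASED_MAX = 0.5                # constant windows (0xFF/0x00): unprogrammed flash, or a read that returned nothing
RANDOM_MIN = 7.8                # near-uniform windows: encrypted/compressed data, or bus noise from a failed read
MIN_STRUCTURED_FRACTION = 0.25  # share of mid-entropy windows needed to treat the dump as real code/data


def classify_dump(image: bytes, window: int = WINDOW) -> dict:
    """Tier-one check: does the dump look like firmware, or like an acquisition artifact?"""
    profile = entropy_profile(image, window)
    total = len(profile)
    erased = sum(1 for e in profile if e <= ERASED_MAX)
    random_like = sum(1 for e in profile if e >= RANDOM_MIN)
    structured = total - erased - random_like
    if total == 0 or erased == total:
        verdict = "artifact: blank"          # tool reported success, but only pull-up levels came back
    elif random_like == total:
        verdict = "artifact: noise"          # no low- or mid-entropy region anywhere: nothing to parse
    elif structured / total >= MIN_STRUCTURED_FRACTION:
        verdict = "candidate: structured content"  # hand on to binwalk / EMBA tiers
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "windows": total, "erased": erased,
            "random_like": random_like, "structured": structured}


# Constructed sample dumps (not real Holy Stone images), eight 4 KiB windows each.
rng = random.Random(7)
BLANK_DUMP = b"\xff" * (8 * WINDOW)                                 # chip never answered; bus idled high
NOISE_DUMP = bytes(rng.randrange(256) for _ in range(8 * WINDOW))   # uniform bytes, no structure at all
_code = bytes(rng.randrange(64) for _ in range(4 * WINDOW))         # narrow byte alphabet, like packed instructions
_text = (b"constructed boot banner: flight controller ready\n" * 400)[:2 * WINDOW]  # ASCII string region
STRUCTURED_DUMP = _code + _text + b"\xff" * (2 * WINDOW)            # code + strings + erased tail

if __name__ == "__main__":
    for name, dump in [("blank", BLANK_DUMP), ("noise", NOISE_DUMP), ("structured", STRUCTURED_DUMP)]:
        result = classify_dump(dump)
        print(f"{name:10s} {result['verdict']:30s} profile={[round(e, 2) for e in entropy_profile(dump)]}")
```

On a real dump the same profile also localises regions worth a closer look: a long high-entropy span inside an otherwise structured image is where a compressed kernel or an encrypted partition usually sits.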

If this is right

  • Validated images support firmware rehosting for dynamic testing of consumer UAVs.
  • The extracted binaries reveal aging library stacks that carry known CVEs and lack hardening.
  • The corpus enables secure-boot assessment on entry-level embedded flight controllers.
  • The methodology supplies a starting point for embedded-systems security education using actual drone hardware.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same low-cost interfaces and validation steps could be applied to other entry-level drone brands that use comparable flash chips.
  • An automated pipeline built around the entropy-plus-signature checks might reduce manual effort when scanning large numbers of IoT devices.
  • Classroom exercises could use the released images to demonstrate practical firmware extraction without requiring students to purchase specialized hardware.

Load-bearing premise

The three-tier checks reliably separate real firmware from meaningless tool output and the four methods work on drone hardware beyond the three Holy Stone models examined.

What would settle it

Extracting images from a fourth consumer drone model where the acquisition methods succeed at the tool level yet every image fails the entropy, signature, and static-analysis tiers or contains no identifiable OS components.

Figures

Figures reproduced from arXiv: 2605.11040 by Marco Carvalho, Sandesh More, Sneha Sudhakaran.

Figure 1. Sliding-window entropy profiles (4,096-byte window). [image not reproduced]
Figure 2. Three-tier firmware dump validation framework. [image not reproduced]
Figure 3. Comparative flash memory layout maps for the HS175D. [image not reproduced]
Original abstract

Consumer unmanned aerial vehicles (UAVs) have evolved into capable computing platforms, yet their embedded firmware remains largely inaccessible to the security community. Entry-level models, in particular those marketed to first-time and younger operators, commonly ship with limited protection mechanisms and no public documentation of their software internals. This paper presents a systematic study of firmware extraction and validation applied to three Holy Stone consumer drone models: the HS175D, HS720, and HS360S. Rather than pursuing reverse-engineering outcomes, the work focuses on obtaining reliable, ground-truth firmware images across heterogeneous hardware designs using only commercially available, low-cost tooling. Four acquisition methods are evaluated: SPI flash in-circuit reading, SWD/JTAG debug-port access, UART boot-message capture, and a clip-based contact approach that avoids chip desoldering; each is assessed for success rate, image completeness, and operational practicality. Post-acquisition quality is evaluated through sliding-window Shannon entropy profiling and structural-signature analysis using binwalk, together forming a three-tier validation framework that distinguishes validated images from those that appear successful at the tool level but contain no meaningful firmware content. Static analysis via the EMBA framework confirms that validated images contain identifiable OS components, aging library stacks with known CVE exposure, and no binary-hardening mechanisms. The resulting corpus and methodology provide a reproducible baseline for firmware rehosting, vulnerability analysis, secure-boot assessment, and embedded-systems education within the consumer UAV domain.

Index Terms: consumer UAV, drone firmware, embedded systems security, entropy analysis, firmware extraction, IoT security, SPI flash, SWD/JTAG, UART.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 3 minor

Summary. The paper presents a systematic empirical study of firmware acquisition from three Holy Stone consumer drone models (HS175D, HS720, HS360S) using four low-cost methods: SPI flash in-circuit reading, SWD/JTAG debug access, UART boot capture, and a clip-based contact technique. It evaluates each method for success rate, image completeness, and practicality, then applies a three-tier validation framework (sliding-window Shannon entropy profiling, binwalk structural signatures, and EMBA static analysis) to filter out tool artifacts and confirm the presence of OS components, aging libraries, and known CVEs. The resulting corpus and methodology are positioned as a reproducible baseline for rehosting, vulnerability analysis, secure-boot assessment, and embedded-systems education in the consumer UAV domain.

Significance. If the validation framework holds, the work supplies a concrete, accessible set of real-world firmware images and extraction procedures for a previously under-documented class of devices. This directly supports downstream security research on low-cost UAVs, where public firmware has been scarce, and provides educational value through documented low-cost tooling. The empirical focus on heterogeneous hardware and the release of a corpus are strengths that could enable reproducible follow-on studies in IoT and embedded security.

major comments (3)
  1. [§4 and §5] §4 (Validation Framework) and §5 (Results): The three-tier validation (entropy + binwalk + EMBA) is presented as sufficient to establish that acquired images constitute reliable ground-truth firmware. However, no external ground truth is used—no comparison against manufacturer update files, no functional boot or emulation tests, and no verification that Holy Stone-specific control code (flight-controller loops, sensor drivers) is present. This leaves open the possibility that validated images are plausible but incomplete or artifactual binaries that happen to pass the heuristics.
  2. [§3 and Table 2] §3 (Acquisition Methods) and Table 2: Success rates, completeness metrics, and practicality assessments are reported for the four methods across the three platforms, yet the paper does not provide raw data excerpts, error bars, or statistical measures of variability. Without these, it is difficult to assess whether the reported differences between methods are robust or whether the corpus can serve as a stable baseline for rehosting and CVE analysis.
  3. [§6] §6 (Discussion and Generalization): The claim that the methodology and corpus provide a reproducible baseline for the broader consumer UAV domain rests on testing only three Holy Stone models. No additional platforms or cross-vendor validation is described, so the generalization from these specific devices to other low-cost drones is asserted rather than demonstrated.
minor comments (3)
  1. [Abstract] The abstract states that success rates and completeness are assessed but supplies no numerical values; adding one or two key quantitative results (e.g., percentage of validated images per method) would improve clarity.
  2. [Figures 4-6] Figure captions for entropy plots and binwalk outputs should explicitly state the decision thresholds or signature sets used to classify an image as validated.
  3. [§5] A short table summarizing the CVE counts and library versions identified by EMBA for each validated image would make the security findings more immediately usable.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the thoughtful and constructive review. We address each major comment point by point below, providing honest clarifications based on the scope and constraints of our case study. Revisions have been made where they strengthen the manuscript without altering its core claims.

Point-by-point responses
  1. Referee: [§4 and §5] The three-tier validation (entropy + binwalk + EMBA) is presented as sufficient to establish that acquired images constitute reliable ground-truth firmware. However, no external ground truth is used—no comparison against manufacturer update files, no functional boot or emulation tests, and no verification that Holy Stone-specific control code is present. This leaves open the possibility that validated images are plausible but incomplete or artifactual binaries.

    Authors: We acknowledge the absence of external ground truth such as manufacturer firmware images, which are not publicly released for these consumer models. Our three-tier framework (sliding-window entropy to identify non-random content, binwalk structural signatures, and EMBA component analysis) was designed specifically to filter acquisition artifacts, as evidenced by the rejection of several tool outputs that initially appeared successful but contained no identifiable firmware. Functional boot or emulation tests would require additional specialized setups beyond the low-cost acquisition focus of this work. In the revised manuscript, we have added explicit discussion of these limitations in §6 and clarified that the validated images serve as a practical baseline rather than exhaustive ground truth.

    Revision: partial

  2. Referee: [§3 and Table 2] Success rates, completeness metrics, and practicality assessments are reported for the four methods across the three platforms, yet the paper does not provide raw data excerpts, error bars, or statistical measures of variability. Without these, it is difficult to assess whether the reported differences between methods are robust.

    Authors: The metrics derive from single acquisition runs per method per device, consistent with hardware experimentation where repeated trials risk device damage or are logistically constrained. No multi-trial data was collected for statistical variability. To improve transparency, we have added raw data excerpts and acquisition logs as supplementary material and revised the text in §3 to state that results represent observed outcomes from our experimental setup rather than statistically averaged values.

    Revision: yes

  3. Referee: [§6] The claim that the methodology and corpus provide a reproducible baseline for the broader consumer UAV domain rests on testing only three Holy Stone models. No additional platforms or cross-vendor validation is described, so the generalization is asserted rather than demonstrated.

    Authors: We agree the study is limited to three models from one vendor and does not demonstrate cross-vendor applicability. The manuscript frames the contribution as a case study establishing accessible methods and a corpus for Holy Stone platforms and similar low-cost consumer drones. We have revised §6 to emphasize the case-study scope, remove any overgeneralized language, and explicitly recommend future cross-vendor work to extend the baseline.

    Revision: yes

Circularity Check

0 steps flagged

No significant circularity: this is a purely empirical case study with no derivations or self-referential reductions.

full rationale

The paper describes four hardware-based firmware acquisition techniques applied to three specific Holy Stone drone models, followed by post-acquisition checks using sliding-window Shannon entropy, binwalk structural signatures, and EMBA static analysis. No equations, fitted parameters, predictions, or first-principles derivations appear in the work. The central claim is that the resulting images and methodology form a reproducible baseline; this rests on direct experimental outcomes and tool outputs rather than any reduction to inputs by construction. No self-citations are load-bearing for any theoretical result, and the validation framework is presented as a practical heuristic without claiming uniqueness theorems or ansatzes imported from prior author work. The study is self-contained as an empirical methodology paper.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The paper is an empirical case study with no mathematical derivations. No free parameters, domain axioms, or invented entities are required beyond standard assumptions that commercial debug interfaces function as documented by hardware vendors.

pith-pipeline@v0.9.0 · 5601 in / 1207 out tokens · 48733 ms · 2026-05-13T01:22:57.003842+00:00 · methodology

