Keelie

Hmm, regarding the steep descent - MH370 would have had parts fall off, so how would a controlled glide and safe ditching/landing have been possible?

Have you seen The Avionics Handbook produced in 2001?

Jeff Wise

I would imagine that if the descent were to reach the point that pieces were flying off à la Silk Air 185, then it would be too late to meaningfully pull out of the dive.

As for the Avionics Handbook, I'm not sure what you're referring to...

Jeff Wise

Oh, yes! Quite interesting, not very detailed but a good overview of the architecture. Was there anything in particular that caught your eye?

Keelie

The architecture, yes, and ...

ARINC 629 Data Bus

The ACEs and PFCs communicate with each other, as well as with all other systems on the airplane, via triplex, bi-directional ARINC 629 Flight Controls data busses, referred to as L, C, and R. The connection from these electronic units to each of the data busses is via a stub cable and an ARINC 629 coupler. Each coupler may be removed and replaced without disturbing the integrity of the data bus itself.

and the System Operating Modes, Secondary and Direct:

Secondary - In the "Secondary" mode, the PFCs supply actuator position commands to the ACEs, just as in the "Normal" mode. However, functionality of the system is reduced. For example, the envelope protection functions are not active in the "Secondary" mode. The PFCs enter this mode automatically from the "Normal" mode when there are sufficient failures in the system or interfacing systems such that the "Normal" mode is no longer supported. An example of a set of failures that will automatically drop the system into the "Secondary" mode is total loss of airplane air data from the ADIRU and SAARU. The airplane is quite capable of being flown for a long period of time in the "Secondary" mode. It cannot, however, be dispatched in this condition.

Direct - In the "Direct" mode, the ACEs do not process commands from the PFCs. Instead, each ACE decodes pilot commands directly from the pilot controller transducers and uses them for the closed loop servo control of the actuators. This mode will automatically be entered due to total failure of all three PFCs, failures internal to the ACEs, loss of the flight controls ARINC 629 data busses, or some combination of these failures. It may also be selected manually via the PFC disconnect switch on the overhead panel in the flight deck. The airplane handling characteristics in the "Direct" mode closely match those of the "Secondary" mode.

Doesn't this prove that you can interrupt the system briefly by performing a software update, making the plane 'go dark', cut communications and fly in Secondary or Direct mode?

Jeff Wise

You wrote, "Doesn't this prove that you can interrupt the system briefly by performing a software update, making the plane 'go dark', cut communications and fly in Secondary or Direct mode?" That's the million dollar question -- it sure seems possible, especially in the context of the MSAG paper, but I'd really love to talk to someone who's an expert in both cybersecurity and the ARINC 629 bus specifically.

Keelie

Regarding satellites and SilkAir flight 185, could that descent have been recorded somehow? Just read about "replay of recorded authentic communications traffic" in this Security Threats Against Space Missions paper: https://public.ccsds.org/Pubs/350x1g3.pdf

Jeff Wise

Fascinating document, thanks ... do you mean, data was recorded from SilkAir and 'played back' via Inmarsat BFO data from MH370 to imply a similarly rapid suicidal descent?

Keelie

Yes? If not SilkAir then another (Boeing?) flight with the same rapid descent data that Inmarsat have for MH370.

It sounds like you'd then have the access to Inmarsat, authentication etc required for the injection of real data, amended slightly to look like MH370 data.

It seems possible the 'injection' could have happened through any one of the back doors - AES, satellite, GES, network, Inmarsat London - and it would be seen as raw, unmanipulated data with no evidence suggesting otherwise.

I'm assuming this 'injection' would have been done in real time but I'm no satellite or hacking expert.

Sorry, had to break it down so that I understood what I think that means.

Jeff Wise

It's an interesting idea -- it's also possible that the recorded BFO value at 0:19 was an artifact of some other process and wasn't intended to have a particular meaning. The first BFO value at 18.25, for instance, was anomalous and investigators couldn't figure out how it was produced.
