How to Cyber-Hijack a 777 (Imagining the Impossible, part 3) [S2Ep54]
In part 3 of my 12th anniversary series "Imagining the Impossible," I describe in detail how to take over the 777 flight control system from the passenger cabin
In the previous two episodes I talked about how search officials became convinced that the plane had to have gone into the southern Indian Ocean because they didn’t think that debris could be planted, and they didn’t think that Inmarsat data could be tampered with.
Today I discuss a third belief: that the plane had to have been hijacked by the captain because that’s who was in the cockpit, and the plane can only be flown from there. It was a reasonable-sounding assumption, but it turns out to be wrong. There is a relatively simple way to fly the plane from the electronics bay, and I was able to figure it out in detail by looking at publicly available documents and talking to professors at aeronautical universities and retired control system engineers.
To help me explain it all, I’m honored to be joined today by John Waters, a former US Air Force fighter pilot who now flies 777s for a living, and is also the host of the excellent Afterburn Defence podcast.
As I told John, I was able to develop a sufficiently detailed description of how such a takeover could be accomplished that I was able to apply for a patent in Germany. My hope is that the issuance of the patent might prod the search authorities to reconsider their sense of certainty.
Here, in a nutshell, is how the exploit works.
777 Control Architecture
First, let’s consider how 777 flight controls operate under normal circumstances.
On the flight deck are two sets of controls for use by the captain and first officer: a yoke and wheel to control pitch and roll, and foot pedals to control yaw. These are not mechanically linked to the flight surfaces, but are outfitted with transducers that convert the motion of the controls into analog electrical signals that are transmitted via direct wiring to a box in the electronics bay called the ACE, or Actuator Control Electronics.
The electronics bay is located directly under the flight deck. The ACE is housed inside a metal case that is seated on a rack at the front of the electronics bay. Pieces of equipment like the ACE that can be removed and replaced swiftly are called Line Replaceable Units, or LRUs. To swap out a faulty LRU for a new one, maintenance crew will depower the unit by pulling the circuit breaker dedicated to that particular LRU, disconnect the data cables and power plug, physically remove the box, replace it with the new box, reattach the cables, and reset the circuit breaker.
To maximize safety, the overall design of the 777 is characterized by a high degree of redundancy, so that the failure of a single piece of equipment will not jeopardize the aircraft as a whole. To that end, the two sets of flight controls on the flight deck send their analog signals not to one ACE, but to four: Center, Left1, Left2, and Right. These are located in the electronics bay on racks E1, E2, and E5.
Each ACE unit processes the incoming analog signals from the flight deck and outputs analog signals to the Power Control Units (PCUs) that move each of the flight control surfaces.
Each PCU is powered by a hydraulic system pressurized to 3000 psi by engine-driven pumps. It uses this hydraulic pressure to push pistons that move ailerons, flaperons and elevators up and down and the rudder side to side.
The rate at which the actuator piston moves is proportional to the voltage sent to the PCU from the ACE. The position of the piston is detected by a sensor called a Linear Variable Differential Transducer (LVDT) and transmitted via dedicated electrical wire to the ACE. This feedback allows the ACE to maintain closed servo loop control of the PCU.
Note that there are no electronics within the PCU; it simply generates a linear physical response in proportion to the current sent by the ACE.
In principle one PCU is sufficient to move each control surface, but in the interest of redundancy, multiple PCUs are tasked with moving each primary flight control surface so that if one fails the other will be able to do the job. There is one PCU on each spoiler; two PCUs on each aileron, flaperon, and elevator; and three PCUs on the rudder.
For the sake of redundancy, each ACE controls PCUs on a variety of flight control surfaces, so that if three ACEs fail, the last one remaining will still be able to turn the plane on all three axes.
For instance, in the figure below we see that ACE C provides command inputs to the left outboard aileron, left outboard spoiler #1, left inboard spoiler #7, right inboard spoiler #8, the right flaperon, right outboard spoilers #10 and #14, left elevator and the rudder.
In normal operation, the ACEs do not simply translate the control inputs from the flight deck into control outputs to the PCUs. Instead, the analog signals from the flight deck are digitised and sent via the ARINC 629 data bus to the Primary Flight Computers (PFCs), which interpret the pilot inputs and calculate what movements of the flight control surfaces will be necessary to achieve the desired state. For instance, if a pilot pulls back on the yoke, the PFC will interpret this as a desire to achieve a change in pitch at the specified rate, and will calculate the elevator deflection required to achieve this rate. The PFC then outputs digital commands to the ACEs, which translate them into the analog signals for the PCUs.
The high level of redundancy in the 777 flight control system makes it highly robust in the face of malfunction and maintenance issues, but does nothing to protect the system from malicious attack.
If a passenger were suitably equipped and motivated to do so, it would be possible to cut the flight deck out of the flight control feedback loop using a piece of equipment I will call the “override module.” This is functionally an ACE emulator that incorporates some additional functions. Though it replaces an LRU, it can be considerably smaller thanks to ongoing miniaturization, perhaps no bigger than a Raspberry Pi.
To implement the takeover, the user would open the unlocked hatch at the front of the first-class cabin and descend via ladder into the electronics bay. And then:
1. Depower the Center ACE by pulling its circuit breaker.
2. Detach the 28 V DC power cable, ARINC 629 digital connector, and analog data connectors from the Center ACE, located in rack E2-5, as seen in Figure 1, and remove the LRU from the rack.
3. Plug in the Override Module to the electrical power and data plugs at the E2-5 rack slot. Reset the circuit breaker.
4. Pull circuit breakers to depower the L1, L2, and R ACEs. The flight instruments on the flight deck will no longer have any effect on the flight control surfaces. Essentially, the pilots have been locked out of the fly-by-wire flight control system.
Mechanical Linkage
As a final backup in the event of total electrical failure, the designers of the 777 provided a way for the flight crew to control a small subset of flight control surfaces via mechanical linkages.
The #4 and #11 spoilers, which in normal operation are controlled by the L2 ACE, are also linked to the flight deck controls via cables that run through the electronics bay. The flight crew could use these spoilers to achieve a modest amount of roll control.
Pitch trim in the 777 is accomplished by movement of the entire horizontal stabilizer via a jackscrew. According to author Gregg Bartley, “the stabilizer is commanded via the cables through the aisle stand levers only and otherwise is commanded through the ACEs.”
If one were to try to control a 777 from the electronics bay while an uncooperative flight crew was in the cockpit, they might try to use these mechanical linkages to thwart that effort.
However, as these cables run down from the flight deck through the electronics bay, they could be physically severed by a simple tool such as a bolt cutter.
Flying the Aircraft from the Override Module
The system described does not command engine power or landing gear, so it does not provide the full functionality of aircraft control. As such, it would not be able to, for instance, bring the aircraft in for landing, but would allow the user to obtain enough control to fully command the plane’s movements while it is in the air.
To practically implement a takeover of the flight control system, one would need to not only move the plane’s flight control surfaces, but also to monitor the plane’s response to these movements. How to do that is outside the scope of the current exercise, but it is worth noting that flight data (attitude, airspeed, altitude, heading) is broadcast unencrypted by the ADIRS over the ARINC 629 data buses. One can envisage a simple hand-held device that collects and displays this information in a PFD-type display.
In conclusion, while it is true in almost every case that an airplane can only be controlled from the cockpit, that is not universally the case. Thanks to a unique combination of features incorporated into the design of the 777, this aircraft’s flight control surfaces can be commanded from the electronics bay.
Personally, I am not recommending that anyone do this. But I think it’s important for the authorities to recognize the possibility, both in order to better understand what might have happened to MH370, and to prevent similar events from occurring in the future.





