All Activity

  1. Past hour
  2. I'm guessing based on what you have said. It's more than likely wrong. If you are unhiding and then clicking the "Update access point" button, you might be resetting wireless networks. After unhiding, can you reconnect wlan2 to your internet AP again, and then do you and your clients get internet?
  3. Does it capture any creds when you submit that box? You don't need a valid login, just send anything and see if the Bunny stops blinking yellow. Are you getting anything in the loot folder? Do you have any network shares you can try as well? I finished reading the other forum topic and learned about running Responder from the command line. I think this could help figure out what is not working properly. Like I said, I've used this on other computers and have not had any issues, so I'm thinking maybe it is something that Win 10 is doing to mitigate this attack. It is hard to troubleshoot when everything is working right, but I did see the same as you after removing all saved LAN network shares from the computer. Do you have any local network shares that you could try to see if that causes the payload to finish?
  4. Today
  5. The following parameters were tested in real flight with firmware version .200:
     g_config_go_home_gohome_idle_vel, default 10, only for RTH speed, I tested with 15 and it is ok
     g_config_mode_normal_cfg_vert_vel_up, default 4, ascend speed in GPS mode in meters/second
     g_config_mode_normal_cfg_vert_vel_down, default -3, descend speed in GPS mode
     g_config_mode_sport_cfg_vert_vel_up, default 5, I set it to 10, ascends like a rocket, be careful about battery overload
     g_config_mode_sport_cfg_vert_vel_down, default -3, set to -10 but it only reaches -5 m/s in real flight
     There are some g_config_mode_XXX_cfg_vert_acc_up/down which have a higher value as default. I'm not sure what they do, but just make sure to set them to not lower than the "no _acc" one.
     g_config_fw_cfg_max_speed <-- set to 20 but no different in real flight, default is 10
     For "height_limit", I did change all of them from /controller/config/user and it works.
     Some parameters about "airport" will be tested tomorrow, and the following parameters are not tested yet:
     "g_config_avoid_obstacle_limit_cfg_safe_dis" <-- obstacle distance?
     g_config_landing_smart_landing_height_L1 <-- smart landing at -0.7 meter?
     "g_config_voltage2_level1_smart_battert_gohome" "DEFAULT": 15
     "g_config_voltage2_level2_smart_battert_land" "DEFAULT": 10
     Now, I want to find out which parameters control the real MAX speed (sport mode is 20 m/s in real flight) and the 10 m/s limit when obstacle detection is ON, but there seem to be no parameters relevant to it.
  6. Thanks man!
  7. Nobody has any suggestions then? Or is this the wrong forum/badly worded etc?
  8. "this trick is VERY version specific" That's why... I tried version 1.0.8 with the -option b4 and it seems no different than normal.
  9. Yes, it would be fairly simple to script up a tool to enumerate something like this but with the large potential address space it is unlikely to find anything. If you want to see an example, this is a similar tool I wrote years ago to look through Amazon buckets: I would strongly advise against doing it and I wouldn't take any proof of concepts to the estate agents as doing so would be admitting to performing unauthorised testing against their site. They may be grateful, they may get police and lawyers involved.
  10. That is indeed possible and can be easily done. If you send me recordings I can analyze them, since I can decode the protocol. Then you even know what it does exactly.
  11. I have the full unlock pack and programme from CopterSafe. Is there a way of sniffing the USB traffic as it jailbreaks, so that I can reproduce it and flash it through a different programme? Please let me know. Inbox me; my messages on here are limited still. Contact me through Mavproxyuser, he now has my email address.
  12. Recently I have subscribed to a website for a real estate agency, since I am looking to buy a house. One of the requirements was to upload a scan of my passport. Already a bit anxious about the security, I have covered sensitive elements with black tape before scanning and added a watermark stating the purpose of the scan before uploading. Not really surprised, I got a mail stating my subscription was received, with a direct link to the passport image uploaded. I have subscribed a second time to find out that the process is the same and the link showed a similar layout/components: <URL> / attachment_answers/000/428/835/<filename>.jpg.jpg?<id value> Comparing the received URLs to the image, I did not find usable logic (for me). The numbering in the URL seems to be site generated (and probably related to project and subscription numbering), but not easily guessable/predictable. The filename corresponds to my uploaded filename + jpg extension (hence the double jpg). The ID value does not seem to prevent anything (removing it still displays the passport image). Since I did not discover any real security countermeasures, I am wondering if tooling exists or could easily be created/scripted that is able to discover other images on the site, some sort of image scraping. Googling this question only returns scrapers with (wordlisting? bruteforcing?) filenames or directories. I want to know both for my own education (I'm active in the IT audit & security domain) and to be able to notify the real estate agency, but provided with a proof of concept (if it's easy to perform and within legal boundaries/responsible disclosure). Could anyone indicate whether or not this is possible? And maybe an indication of effort and/or tooling required? If this requires additional information and/or further background on my intentions, please let me know what is required.
  13. Will you share with the rest of the group the parameter names you changed... this will go well with the web socket code I posted above (and shared with you previously).
  14. Anyone else obtaining CopterSafe binaries (shoot me a PM)... we should start a pool of known good Serial, User, Hardware Fingerprint, csupdater.exe combinations and keep them in a private repo. We currently know that the binaries are heavily protected (for obvious reasons). It should be trivial to unmask them so to speak.
  15. I can almost certainly confirm that coptersafe is only adjusting fc parameters and not rooting the device. It also doesn't update the device as mentioned before.
  16. There is really no point in sharing if others do not reciprocate... ;) Must keep a cycle of love going...
  17. Thanks for your work, appreciated. Besides, I'm trying to go the CopterSafe route and see what this tool is exactly doing.
  18. At this point, I am also wondering what the steps are to duplicate Aaron Luo's work on a newer SDK version. CON 24/DEF CON 24 presentations/DEFCON-24-Aaron-Luo-Drones-Hijacking-Multi-Dimensional-Attack-Vectors-And-Countermeasures-UPDATED.pdf At the very least the Java class has changed a little bit since the talk. Has anyone taken JEB to it yet? (JEB is well worth the $$$ btw)
  19. So for those of you that missed the information I shared with this gentleman... here is some sample code to communicate with the DJI Assistant Web Socket. There are some things left for you as an exercise, but this will give you a solid start.

      #!/usr/bin/python
      # Requires the websocket-client package (create_connection, WebSocketTimeoutException).
      import binascii
      from websocket import *

      # Connect to the Assistant's local web socket service and drain whatever it sends.
      ws = create_connection("ws://localhost:19870/general")
      ws.settimeout(1)
      while 1:
          try:
              result = ws.recv()
          except WebSocketTimeoutException:
              # No more data within the timeout; stop reading.
              break
          if result == "":
              break
          print(result)

      # {"SEQ":"12345","CMD":""} - Get command list on any service.
      # ws://localhost:19870/controller/p4_ext/787d599803c40b695ac8b44d276cd7e48b5d5e69
      # {"SEQ":"12345","CMD":"get_info"} - Serial Number & User Token
      # ws://localhost:19870/controller/config/user/787d599803c40b695ac8b44d276cd7e48b5d5e69
      # {"SEQ":"12345","CMD":"EnterFcSdCard"}
      #
      # {"SEQ":"12345","CMD":"read","INDEX":"fly_limit_height"}
      ws.close()
  20. I am one of the few folks that does have root access. A mate of mine has done the work, so unfortunately I can not share his private work. A few folks here have been rooted by me to help us gather information about the internals of the Mavic, however. You may catch a few random folks discussing things that can not be done without root; there is a good chance they have no clue about how root access is obtained. A few folks have nice friends with private tools. P0V's work is something we have all been chasing. I initially dug in as I suspected the mythical "whitelist" files never existed outside of the factory. I believe at this point someone (P0V?) has manually generated one, as opposed to the claims of having extracted one from a firmware dump, or to have *found* one on an early firmware version. I do not believe the wives' tale about being able to "spoof hosts" on the whitelist as a means to use the Secure Debug (adb) on Mavic, or P4, i2 or Spark. I have not seen anyone beyond a small handful figure out the easter egg to unlock the Assistant in full. I gave a very big hint a month or so back, however. Simply run the assistant with the "-h" flag. I have noticed that having root, or Admin privs (on your own machine) *may* have some impact on being able to open up the extra options.

      Usage: /Applications/ [options]
      Options:
        -h, --help            Displays this help.
        -v, --version         Displays version information.
        --debugger            Run with a debugger window
        --minimum             Show controller log minimum
        --console             Run assistant as a console service, No browser Window!
        --template            Load controller config from template!
        --force_upgrade       Ignore the version when upgrade ENC firmware!
        --bypass <DEVICE>     force all device as param [Receiver]|[DEVICE]|[Version] eg Controller|ai900v2|
        --noskip              As default, upgrade pack file will skip those device that is not connected, if define no skip, will try to upgrade all pack file
        --factory             Open Factory page
        --baud_rate <DEVICE>  set com device baud rate
        --auto_upgrade        enable auto upgrade
        --cache_wget_file     debug only, used to cache wget files
        --inrup               internal upgrade tool
        --adb_logcat          Start ADB logcat function
        --auto_test           Set to auto test mode
        --test_server         Set to test server
        --1706                Set DJI Vision to 1706
        --sws                 Set Env to SWS

      These are some photos from someone else that caught the hint. I can tell you that at times this trick is VERY version specific. So if you are having issues... try a different version. You can find an archive of the binaries in my git repo. There *MAY* be something special to the DebuggerOptions.txt file... I have extracted all the unique options from all the versions and placed them here if anyone wants to help figure it out:
  21. Love the way he drops teasers and goes quiet, though.
  22. Using Litchi, turning updates off and not upgrading firmware is a start.
  23. Yes but the problem is that when the exploit leaks out it will be only days before it is patched. Finding a generic way of rooting the device which can't be patched is more difficult.
  24. mavproxyuser provided some sample code to change parameters, which works well on my drone (I unlocked some limitations: faster RTH, ascend and descend speed), but I want to know how to "hack" DJI Assistant; I guess it is about the "sdk level".