martinbogo

@freaky123 At this point, that's the way I'm going. There is someone that has already done a LOT of work already with both the Mavic and P4 series: If you aren't familiar with their work : https://twitter.com/TheDJIProblem It's a great step up, and there's plenty of code dumps, variable dumps, JSON examples, etc. -Martin

@freaky123 eMMC, Intel ma2100A vision processing, ed87458kb RF chip ( SDR!!! ) and Leadcore LC1160 power manager Couldn't get the Ambarella camera chip or the Ambarella memory to say hello, or the Leadcore CPU and it's associated memory

@freaky123 DJI has disabled JTAG just about everywhere they can. I did a boundary scan, and although I could find some devices responding, I wasn't able to do any debugging. There is absolutely no response from the Leadcore ARM chip, for example.

@freaky123 For my part... I'm a software engineer, and I have a lot of experience with UAV software ( I worked on the code circa 1990's MIT Media Lab, and then again for ArduPilot and such. ) I want to continue extending the capabilities of the platform, by adding new and different features to DJI drones, eventually replacing the firmware entirely with on open-source one that everyone can extend and enjoy. For my part, I have experience with things like motor-out recovery and flight, image-recognition flight and terrain guidance, acrobatic flight.. etc.

@enderfix, @freaky123 Correct, once I upgraded, and then downgraded, I could no longer use my FTP root exploit. I am fuzzing a Mavic and a Phantom 4 ( not plus or pro ) now to try to find other rootable exploit entry points.

@Freaky123 I managed to root my Phantom 4, using an older firmware. I think what coptersafe are doing, is first rooting, then _disabling_ code signing and then uploading modified firmware. Unfortunately, I have not been able to replicate rooting on the current firmware, and my exploit no longer works. I also think they may have modified ADB and either added a different authentication scheme, or added AES to ADB as well. I can't get an ADB shell to work even with a rooted filesystem.

I can confirm that the JTAG is disabled on all production mavic and Phantom drones. doing a boundary scan does reveal some of memory chips comma but the data is stored encrypted on the chip.

First post says "Anything should work with the Phantom 4" ... so far, I've been able to binwalk the P4 file... but I haven't been able to get ADB access. Any progress on dealing with newer P4/Mavic firmwares? Here is a tar of the latest Firmware I could find ( which I have unpacked ) for the Phantom 4. MEGA : Phantom 4 Firmware