Freaky123

Active Members
  • Content count: 23
  • Days Won: 1

About Freaky123
  • Rank: Hak5 Fan
  1. The new slack invite url: https://join.slack.com/dji-rev/shared_invite/MjA4MjQ2NjI4OTEzLTE0OTkzNTIyMjEtZjg5NWY1ZjlhZA
  2. I will release more info and tools later on: https://github.com/fvantienen/dji_rev There is already a python script that can extract the image file format as well. Would be nice if it can be cleaned up a bit, but at least it works.
  3. Ok I will try to share some more information in the hope people will help get more and more information. I will first give the image format (which is also the sig format):

     Header:
       4B  Magic ("IM*H")
       4B  Version (currently only 1 is seen)
       8B  ??
       4B  Header size
       4B  RSA signature size
       4B  Payload size
       12B Unknown
       4B  Auth key identifier
       4B  Encryption key identifier
       16B Scramble key
       32B Image name
       60B ??
       4B  Block count
       32B SHA256 payload

     Per block info:
       4B  Name
       4B  Start offset
       4B  Output size
       4B  Attributes (last bit 0 means encrypted)
       16B ??

     RSA signature of the header (size and auth key described in header)

     Actual block data (start offset 0)
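The header layout described in the post above, turned into a parser that also checks the payload SHA256. This is an added example, not the poster's dji_rev script; it assumes little-endian fields, that the RSA signature sits at the "Header size" offset with the block data directly after it (block start offsets relative to that data), and it builds a constructed sample image with a placeholder signature.

```python
import hashlib
import struct

MAGIC = b"IM*H"
# Fixed 192-byte header as listed in the post; little-endian byte order is an assumption.
HEADER_FMT = "<4sI8sIII12sII16s32s60sI32s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 192
# Per-block entry: name, start offset, output size, attributes, 16 unknown bytes
BLOCK_FMT = "<4sIII16s"
BLOCK_SIZE = struct.calcsize(BLOCK_FMT)    # 32


def parse_image(data):
    """Parse the header, block table and signature; verify the payload SHA256."""
    if data[:4] != MAGIC:
        raise ValueError("not an IM*H image")
    (_, version, _, header_size, sig_size, payload_size, _, auth_key, enc_key,
     scramble_key, name, _, block_count, payload_sha256) = struct.unpack_from(HEADER_FMT, data, 0)
    blocks = []
    for i in range(block_count):
        bname, start, size, attrs, _ = struct.unpack_from(BLOCK_FMT, data, HEADER_SIZE + i * BLOCK_SIZE)
        blocks.append({"name": bname.rstrip(b"\0").decode(), "start": start,
                       "size": size, "encrypted": (attrs & 1) == 0})  # last bit 0 = encrypted
    # Assumption: signature follows the signed header (header_size bytes), block data follows it.
    signature = data[header_size:header_size + sig_size]
    payload = data[header_size + sig_size:header_size + sig_size + payload_size]
    return {"version": version, "name": name.rstrip(b"\0").decode(),
            "auth_key": auth_key, "enc_key": enc_key, "scramble_key": scramble_key,
            "signed_header": data[:header_size], "signature": signature,
            "blocks": blocks, "payload": payload,
            "sha256_ok": hashlib.sha256(payload).digest() == payload_sha256}


def build_sample_image(blocks=((b"blk0", b"A" * 16), (b"blk1", b"B" * 8))):
    """Constructed sample (not a real DJI file); the signature is an obvious placeholder."""
    payload = b"".join(body for _, body in blocks)
    table, off = b"", 0
    for bname, body in blocks:
        table += struct.pack(BLOCK_FMT, bname, off, len(body), 1, b"\0" * 16)  # attr bit0=1: plain
        off += len(body)
    header_size = HEADER_SIZE + len(table)
    fake_sig = b"\xab" * 256  # placeholder; a real image carries an RSA signature here
    header = struct.pack(HEADER_FMT, MAGIC, 1, b"\0" * 8, header_size, len(fake_sig),
                         len(payload), b"\0" * 12, 1, 2, b"\0" * 16,
                         b"sample".ljust(32, b"\0"), b"\0" * 60, len(blocks),
                         hashlib.sha256(payload).digest())
    return header + table + fake_sig + payload
```

The hash check only catches payload corruption; whether the header itself is authentic still depends on verifying the RSA signature over `signed_header` with the key the auth key identifier selects.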
  4. I think too many people already supplied the needed information, thus my guess is most people don't need it anymore. I've already extracted exactly how it works, and it does no special magic but only setting some parameters in the FC to certain values.
  5. Is there already someone who has tried to JTAG the FC arm chip? Or at least figured out the pinout? Or did someone already figure out if there is terminal over uart for the LC chip?
  6. That is indeed possible and can be easily done. If you send me recordings I can analyze them, since I can decode the protocol. Then you even know what it does exactly.
  7. I can almost certainly confirm that coptersafe is only adjusting fc parameters and not rooting the device. It also doesn't update the device as mentioned before.
  8. Yes but the problem is that when the exploit leaks out it will be only days before it is patched. Finding a generic way of rooting the device which can't be patched is more difficult.
  9. Ok that is not that much, but I think for example that the FC has a separate jtag bus, since it is on another pcb. So hope to find that pinout somehow, maybe by desoldering the chip and then following the traces etc.
  10. @martinbogo On the LC I know from the bootloader that they indeed disabled JTAG. But I think that for the FC chip I know a way of enabling it, thus wanted to know if someone knows the pinout. Which devices did respond?
  11. Has someone already figured out the JTAG of the FC chip (which is next to the sd-card)? Because I'm really interested in that one, since I have encrypted firmware of both the loader and the fc, but wanna see if it is possible to decrypt them through JTAG.
  12. What are exactly all your goals what each of you wanna achieve by rooting the device? Since I'm not really interested about the fly limits etc, but just wanna look how the device works and maybe run some custom stuff on it.
  13. Some parts (partitions) aren't updated during the firmware upgrade/downgrade, so it depends.
  14. If someone has access to his installer I would be happy to take a look. But I still think it is almost impossible to get these upgrade files signed, unless you have inside information and can get access to the RSA key. I reverse engineered like 99% of their upgrade process and can parse the files etc. so I'm pretty sure this isn't the easiest way in, there are other easier ways.
  15. Then most likely they have requested firmware from DJI where NFZ etc. are removed because they have a license or something like that. Since I don't see any realistic option in signing firmware.