Reversing Mavic Pro Firmware


Geodesix

Hi again,

I guess you are aware of the Firmware mods & firmware mods that are available from "coptersafe.com", right?

It seems they were able to do just that: decrypt, mod and encrypt the sig FW files?!

Or how do you think they'd done it?

 

Greetings,

 

Ender

I don't think he changes the firmware update files, since that, as explained earlier, requires the private RSA key. Since it is most likely coptersafe doesn't have that key, I think he can circumvent that by either rooting the device, or he doesn't need it since only parameters need to be changed in order to achieve what he wants.

Next to that you made a misconception between encrypting and signing, which are not the same. The firmware files are signed (and only a tiny part is encrypted) and don't need any encryption. Most parts of the firmware don't even require encryption, and it is optionally described in the header.


Hello Freaky,

you are of course right about the encryption and signing mixup. That's more due to the state of mind I wrote in than to misconception, but I take the point :-)

They install an exe installer that cares for uploading the patched FW files to the Mavic.

Hmm, that Installer could of course root the Mavic beforehand...

 

IF it's the case that they "just" modify the parameters, are those in question unsigned and unencrypted in the decomposed fw file?! That would be strange, right?

 

Greetings,

 

Ender


Yes, so you are saying: as they are signed it's unlikely that coptersafe can modify them beforehand, so they may root the Mavic and switch off the signing check, then upload FW with modified parameters and/or binaries and they'll be done with it, right?

Is that what you feel they do most likely ?

 

If so, maybe they leave the Mavic rooted, that could be checked by one of their customers...

(ADB Shell ?!)

 

Greetings,

 

Ender


They don't even need to modify the firmware anymore when rooted, since then they can adjust the parameters. But most likely they don't even root the device, but just send the parameters and the mavic just accepts them since it is only limited by the GUI.


Hi yet again,

hmm, they Do patch the FW files, that much is known. And they really go through a flashing process.

(Right now they offer patched .400 & .700 versions, so if you apply their mod you end up with the selected FW version whatever your version was before).

Stranger things have happened, but I wish I knew what's going on :-)

 

Ender


If someone has access to his installer I would be happy to take a look. But I still think it is almost impossible to get these upgrade files signed, unless you have inside information and can get access to the RSA key. I reverse engineered like 99% of their upgrade process and can parse the files etc. so I'm pretty sure this isn't the easiest way in, there are other easier ways.


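The signing-versus-encrypting distinction and the "cannot re-sign without the private RSA key" point made in the posts above, as an added example that is not part of any post and is not DJI's file format. The section layout, the `FLAG_ENCRYPTED` flag, the parameter name and the toy RSA key are all constructed for illustration.

```python
import hashlib
import struct

# Toy RSA key from two Mersenne primes (constructed; far too small for real use).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                 # public half: all a verifier needs
D = pow(E, -1, (P - 1) * (Q - 1))   # private half: never leaves the signer

FLAG_ENCRYPTED = 0x01               # hypothetical per-section header flag
HDR = "<8sBI"                       # hypothetical header: name, flags, body length
HDR_LEN = struct.calcsize(HDR)      # 13 bytes
SIG_LEN = 32

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def pack_section(name: bytes, flags: int, body: bytes) -> bytes:
    return struct.pack(HDR, name, flags, len(body)) + body

def sign_image(sections: bytes) -> bytes:
    # Signing appends a signature; the sections themselves stay as they were.
    return sections + pow(digest(sections), D, N).to_bytes(SIG_LEN, "big")

def verify_image(image: bytes) -> bool:
    # Verification uses only the public values N and E.
    sections, sig = image[:-SIG_LEN], int.from_bytes(image[-SIG_LEN:], "big")
    return pow(sig, E, N) == digest(sections)

def list_sections(image: bytes):
    out, off, end = [], 0, len(image) - SIG_LEN
    while off < end:
        name, flags, length = struct.unpack_from(HDR, image, off)
        off += HDR_LEN
        out.append((name.rstrip(b"\0"), bool(flags & FLAG_ENCRYPTED),
                    image[off:off + length]))
        off += length
    return out

def build_sample() -> bytes:
    # Constructed image: one plaintext parameter section, one section flagged encrypted.
    params = pack_section(b"params", 0, b"max_height=120")
    module = pack_section(b"module", FLAG_ENCRYPTED, bytes(range(16)))
    return sign_image(params + module)

if __name__ == "__main__":
    image = build_sample()
    print(list_sections(image)[0], verify_image(image))
    # Change the readable parameter in place: it still parses, but no longer verifies.
    edited = image[:24] + b"500" + image[27:]
    print(list_sections(edited)[0], verify_image(edited))
```

The plaintext section is readable by anyone, yet any change to it fails verification, because producing a matching signature needs `D`.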
 

@Freaky123

I managed to root my Phantom 4, using an older firmware.   I think what coptersafe are doing, is first rooting, then _disabling_ code signing and then uploading modified firmware.  Unfortunately, I have not been able to replicate rooting on the current firmware, and my exploit no longer works.   

I also think they may have modified ADB and either added a different authentication scheme, or added AES to ADB as well.  I can't get an ADB shell to work even with a rooted filesystem.


Actually I have 2 goals:

As a Quadcopter pilot I'd love to have FCC transmit power instead of CE, but that's not too important as the Mavic has fantastic penetration and range even in CE country.

Much more, I'd love to cross compile for the Mavic to use USB Hardware.

Either via Interfacing and processing the data directly OR by using an Android USB via WiFi client to do the processing in the Ground station.

I am doing that on the Bebop 1 & 2 by Bebop with success.

 

And of course it bugs me to have bought a device I do not have 100% access to.

 

I'd also like to increase Bitrate of 2.7k h.264 (it was higher in the first FW's afaik and 4k makes no sense with the tiny optics, I measured that in a MavicPilots Thread).

I'd also like to do Multiple Exposure and averaging & denoising stuff as I am originally programming for image processing.

 

All kinds of stuff but #1 would be the USB Server stuff...

 

 

Ender


 

@freaky123

For my part... I'm a software engineer, and I have a lot of experience with UAV software ( I worked on the code circa 1990's MIT Media Lab, and then again for ArduPilot and such. )

I want to continue extending the capabilities of the platform, by adding new and different features to DJI drones, eventually replacing the firmware entirely with an open-source one that everyone can extend and enjoy.  For my part, I have experience with things like motor-out recovery and flight, image-recognition flight and terrain guidance, acrobatic flight.. etc.

 

 


Has anyone looked what's on the SD card inside?  Is this where all the firmware and files etc actually live?

It's irritatingly hard to open, but, it still might be quicker to mod by popping the card and writing on it? (easy to backup that way too...)


46 minutes ago, fossil said:

Has anyone looked what's on the SD card inside?  Is this where all the firmware and files etc actually live?

It's irritatingly hard to open, but, it still might be quicker to mod by popping the card and writing on it? (easy to backup that way too...)

It is said to contain the flight logs.

Makes a lot of sense in any case, easy data retrieval even if the Mainboard is zapped or was emerged in water...

(POV stated that afair)

 

Ender


1 minute ago, MingTao said:

so i can see .. no way to root mavic or Ph4 ?? 

as I can understand, for rooting we need board serial number from whitelist... and when drone start, if board_SN in whitelist, he can enable debug uart .. I'm right?

Sounds good, but as you state "no root" it's probably not easy :-)

So I obviously have to ask: Where to get board SN?

Where is the debug UART, via USB2Serial on the regular port? Or the hidden one? Or testpoints on the PCB?

 

Ender
