Jump to content

MavicPilots.com Alternative CopterSafe Hack & Mod Discussion


MavproxyUser

Recommended Posts

Well, it seems the conversation over at MavicPilots.com on discussing Jailbreaking, Height Restriction Bypass, and g_config changes, or anything related to "modding" DJI firmware settings for NFZ, etc is just out of pocket per the admins. They've been deleting threads left and right. 

Update: For those of you that are more active... stop by and see us in slack. Don't come ask dumb questions! Stop by with the mindset of participation. 

Updated slack invite link:

https://join.slack.com/t/dji-rev/shared_invite/enQtMjk5OTEyMzcyMjI3LTdlZjY4NzQ5M2M2NmE5ZWM4OTgyNThmZDVmZjdjODE4ODYyNmYwZjYxMDcyYzcxNmZlYzI5ZjI2ZGQ2NGY1ZTc

200w.gif#5-grid1

MavicPilots History on the Drama Llama: 

"So this has turned into a communist forum!!" 

 “Mods continuing to delete posts will be a quick downward spiral for this forum and become a wasteland in no time” 

https://archive.fo/tfZEg#selection-957.1-957.44

 

DDOIHfMV0AAhLBU.jpg


I wanna talk about patching the dji_flight binary, anyone game? 

DDDhwq6VYAEtoSV.jpg

How about the best way to edit parameters, set better min, and max values, etc. ?

DClHJsuUQAArWEN.png

Who's got root? Lets talk about what you do *after* you Jailbreak your DJI Spark, or Jailbreak your DJI Mavic, or Jailbreak your DJI Phantom4 (P4), what is next? 

$ adb shell
root@wm100_dz_ap0001_v5:/ #

root@wm220_dz_ap0002_v1:/ #

root@wm220_dz_rp0010_v1:/ #

root@wm220_dz_ah0001_v5:/ #


How about you guys getting down and funky inside the DJI Assistant application? I see you! Come holla! 

DClLJuBUIAAIaE5.jpg

I see you out there playing with web sockets... no lie, come talk with us! 

DBktBGKUMAAB8D1.jpg

Lets all make a better place to discuss getting root and having fun with our DJI products. That *other* place is a bit stuffy. ;) 

 

 

Edited by MavproxyUser
drama llama
Link to comment
Share on other sites

9 hours ago, MavproxyUser said:

Well, it seem the conversation over at MavicPilots.com on discussing Jailbreaking, Height Restriction Bypass, and g_config changes, or anything related to "modding" DJI firmware settings for NFZ, etc is just out of pocket per the admins. They've been deleting threads left and right. 

DDOIHfMV0AAhLBU.jpg


I wanna talk about patching the dji_flight binary, anyone game? 

DDDhwq6VYAEtoSV.jpg

How about the best way to edit parameters, set better min, and max values, etc. ?

DClHJsuUQAArWEN.png

Who's got root? Lets talk about what you do *after* you Jailbreak your DJI Spark, or Jailbreak your DJI Mavic, or Jailbreak your DJI Phantom4 (P4), what is next? 

$ adb shell
root@wm100_dz_ap0001_v5:/ #

root@wm220_dz_ap0002_v1:/ #

root@wm220_dz_rp0010_v1:/ #

root@wm220_dz_ah0001_v5:/ #


How about you guys getting down and funky inside the DJI Assistant application? I see you! Come holla! 

DClLJuBUIAAIaE5.jpg

I see you out there playing with web sockets... no lie, come talk with us! 

DBktBGKUMAAB8D1.jpg

Lets all make a better place to discuss getting root and having fun with our DJI products. That *other* place is a bit stuffy. ;) 

 

 

So have you managed to root? And change parameters through assistant. 

There is a massive following who would be very happy for a free way of doing this 

Link to comment
Share on other sites

 

mavproxyuser provide some sample code to change parameters, which working well on my drone (I unlock some limitation, faster rth, ascend, descend speed)

but I want to know how to "hack" dji assistant, I guess is about "sdk level"

Link to comment
Share on other sites

5 minutes ago, Freaky123 said:

Yes but the problem is that when the exploit leaks out it will be only days before it is patched. Finding a generic way of rooting the device which can't be patched is more difficult.

Using litchi ,Turning updates off and not upgrading firmware is a start 

Link to comment
Share on other sites

52 minutes ago, MavJailBreak said:

So have you managed to root? And change parameters through assistant. 

There is a massive following who would be very happy for a free way of doing this 

I am one of the few folks that does have root access. A mate of mine has done the work, so unfortunately I can not share his private work. A few folks here have been rooted by me to help us gather information about the internals of the Mavic however. You may catch a few random folks discussing things that can not be done without root, there is a good chance they have no clue about how root access is obtained. A few folks have nice friends with private tools. 

P0V's work is something we have all been chasing. I initially dug in as I suspected the mythical "whitelist" files never existed outside of the factory. I believe at this point someone (P0V?) has manually generated one, as opposed to the claims of having extracted one from a firmware dump, or to have *found* one on an early firmware version. I do not believe the wive's tale about being able to "spoof hosts" on the whitelist as a means to use the Secure Debug (adb) on Mavic, or P4, i2 or Spark. 

I have not seen anyone beyond a small handful to figure out the easter egg to unlock the Assistant in full. I gave a very big hint a month or so back however. Simply run the assistant with the "-h" flag. I have noticed that having root, or Admin privs (on your own machine) *may* have some impact on being able to open up the extra options. 

Usage: /Applications/Assistant.app/Contents/MacOS/Assistant [options]

Options:
  -h, --help            Displays this help.
  -v, --version         Displays version information.
  --debugger            Run with a debugger window
  --minimum             Show controller log minimum
  --console             Run assistant as a console service, No browser Window!
  --template            Load controller config from template!
  --force_upgrade       Ignore the version when upgrade ENC firmware!
  --bypass <DEVICE>     force all device as param [Receiver]|[DEVICE]|[Version]
                        eg Controller|ai900v2|3.1.0.2
  --noskip              As default, upgrade pack file will skip those device
                        that is not connected, if define no skip, will try to
                        upgrade all pack file
  --factory             Open Factory page
  --baud_rate <DEVICE>  set com device baud rate
  --auto_upgrade        enable auto upgrade
  --cache_wget_file     debug only, used to cache wget files
  --inrup               internal upgrade tool
  --adb_logcat          Start ADB logcat function
  --auto_test           Set to auto test mode
  --test_server         Set to test server
  --1706                Set DJI Vision to 1706
  --sws                 Set Env to SWS

 

These are some photos from someone else that caught the hint. 

https://github.com/droner69/MavicPro/tree/master/DJI_Assistant_2_Dev_Pictures

I can tell you that at times this trick is VERY version specific. So if you are having issues... try a different version. You can find an archive of the binaries in my git repo. https://github.com/MAVProxyUser/DJIAssistant2Binaries

There *MAY* be something special to the DebuggerOptions.txt file... I have extracted all the unique options from all the versions and placed them here if anyone wants to help figure it out: https://raw.githubusercontent.com/MAVProxyUser/DJIAssistant2Binaries/master/DebuggerOptionsUnique.txt

Edited by MavproxyUser
Link to comment
Share on other sites

16 minutes ago, singlag said:

 

mavproxyuser provide some sample code to change parameters, which working well on my drone (I unlock some limitation, faster rth, ascend, descend speed)

but I want to know how to "hack" dji assistant, I guess is about "sdk level"

So for those of you that missed the information I shared with this gentleman... here is some sample code to communicate with the DJI Assistant Web Socket. There are some things left for you as an exercise, but this will give you a solid start. 

 

#!/usr/bin/python
import binascii

from websocket import *
ws = create_connection("ws://localhost:19870/general")
ws.settimeout(1)

while 1:
    try:
        result =  ws.recv()
    except WebSocketTimeoutException:
        break

    if result == "": break
    print result

# {"SEQ":"12345","CMD":""} - Get command list on any service. 

# ws://localhost:19870/controller/p4_ext/787d599803c40b695ac8b44d276cd7e48b5d5e69
# {"SEQ":"12345","CMD":"get_info"} - Serial Number & User Token

# ws://localhost:19870/controller/config/user/787d599803c40b695ac8b44d276cd7e48b5d5e69
# {"SEQ":"12345","CMD":"EnterFcSdCard"} 
#
# {"SEQ":"12345","CMD":"read","INDEX":"fly_limit_height"}

ws.close()

 

Link to comment
Share on other sites

18 minutes ago, singlag said:

but I want to know how to "hack" dji assistant, I guess is about "sdk level"

At this point, I am also wondering what the steps are to duplicate Aaron Luo's work on a newer SDK version. 

https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Aaron-Luo-Drones-Hijacking-Multi-Dimensional-Attack-Vectors-And-Countermeasures-UPDATED.pdf

At the very least the Java Class has changed a little bit since the talk. Has anoyone taken JEB to it yet? https://www.pnfsoftware.com (JEB is well worth the $$$ btw)

DDApgRhU0AAhM88.jpg

DDApgRxVwAASKwC.jpg

DDApgSMVwAAgbrp.jpg

DDApgSpVwAEv365.jpg

 

Link to comment
Share on other sites

1 minute ago, MavproxyUser said:

So for those of you that missed the information I shared with this gentleman... here is some sample code to communicate with the DJI Assistant Web Socket. There are some things left for you as an exercise, but this will give you a solid start. 

 


#!/usr/bin/python
import binascii

from websocket import *
ws = create_connection("ws://localhost:19870/general")
ws.settimeout(1)

while 1:
    try:
        result =  ws.recv()
    except WebSocketTimeoutException:
        break

    if result == "": break
    print result

# {"SEQ":"12345","CMD":""} - Get command list on any service. 

# ws://localhost:19870/controller/p4_ext/787d599803c40b695ac8b44d276cd7e48b5d5e69
# {"SEQ":"12345","CMD":"get_info"} - Serial Number & User Token

# ws://localhost:19870/controller/config/user/787d599803c40b695ac8b44d276cd7e48b5d5e69
# {"SEQ":"12345","CMD":"EnterFcSdCard"} 
#
# {"SEQ":"12345","CMD":"read","INDEX":"fly_limit_height"}

ws.close()

 

Thanks for your work, appreciated.

Besides im trying to go the CopterSafe Route and see, what this tool is exactly doing.

  • Upvote 1
Link to comment
Share on other sites

I have the full unlock pack and programme from copteresafe

 

is there a way of sniffing the usb traffic as it jailbreaks?
so that I can reproduce it and flash it through a different programme.

please let me know.

inbox me. my messages on here are limited still.

contact me through Mavproxyuser . he now has my email address

Link to comment
Share on other sites

1 hour ago, MavproxyUser said:

I am one of the few folks that does have root access. A mate of mine has done the work, so unfortunately I can not share his private work. A few folks here have been rooted by me to help us gather information about the internals of the Mavic however. You may catch a few random folks discussing things that can not be done without root, there is a good chance they have no clue about how root access is obtained. A few folks have nice friends with private tools. 

P0V's work is something we have all been chasing. I initially dug in as I suspected the mythical "whitelist" files never existed outside of the factory. I believe at this point someone (P0V?) has manually generated one, as opposed to the claims of having extracted one from a firmware dump, or to have *found* one on an early firmware version. I do not believe the wive's tale about being able to "spoof hosts" on the whitelist as a means to use the Secure Debug (adb) on Mavic, or P4, i2 or Spark. 

I have not seen anyone beyond a small handful to figure out the easter egg to unlock the Assistant in full. I gave a very big hint a month or so back however. Simply run the assistant with the "-h" flag. I have noticed that having root, or Admin privs (on your own machine) *may* have some impact on being able to open up the extra options. 


Usage: /Applications/Assistant.app/Contents/MacOS/Assistant [options]

Options:
  -h, --help            Displays this help.
  -v, --version         Displays version information.
  --debugger            Run with a debugger window
  --minimum             Show controller log minimum
  --console             Run assistant as a console service, No browser Window!
  --template            Load controller config from template!
  --force_upgrade       Ignore the version when upgrade ENC firmware!
  --bypass <DEVICE>     force all device as param [Receiver]|[DEVICE]|[Version]
                        eg Controller|ai900v2|3.1.0.2
  --noskip              As default, upgrade pack file will skip those device
                        that is not connected, if define no skip, will try to
                        upgrade all pack file
  --factory             Open Factory page
  --baud_rate <DEVICE>  set com device baud rate
  --auto_upgrade        enable auto upgrade
  --cache_wget_file     debug only, used to cache wget files
  --inrup               internal upgrade tool
  --adb_logcat          Start ADB logcat function
  --auto_test           Set to auto test mode
  --test_server         Set to test server
  --1706                Set DJI Vision to 1706
  --sws                 Set Env to SWS

 

These are some photos from someone else that caught the hint. 

https://github.com/droner69/MavicPro/tree/master/DJI_Assistant_2_Dev_Pictures

I can tell you that at times this trick is VERY version specific. So if you are having issues... try a different version. You can find an archive of the binaries in my git repo. https://github.com/MAVProxyUser/DJIAssistant2Binaries

There *MAY* be something special to the DebuggerOptions.txt file... I have extracted all the unique options from all the versions and placed them here if anyone wants to help figure it out: https://raw.githubusercontent.com/MAVProxyUser/DJIAssistant2Binaries/master/DebuggerOptionsUnique.txt

this trick is VERY version specific

That's why .....I tried version 1.0.8 with -option b4 and seem no different than normal. :unsure:

Link to comment
Share on other sites

49 minutes ago, thatdumbdronie said:

I have the full unlock pack and programme from copteresafe

 

is there a way of sniffing the usb traffic as it jailbreaks?
so that I can reproduce it and flash it through a different programme.

please let me know.

inbox me. my messages on here are limited still.

contact me through Mavproxyuser . he now has my email address

try wireshark and burp suite

Link to comment
Share on other sites

52 minutes ago, MavproxyUser said:

Will you share with the rest of the group the parameter names you changed... this will go well with the web socket code I posted above (and shared with you previously). 

Follow parameter tested at real flight with firmware version .200

g_config_go_home_gohome_idle_vel, default 10, only for RTH speed, I tested with 15 is ok
g_config_mode_normal_cfg_vert_vel_up, default 4, ascend speed at GPS mode in meter/second
g_config_mode_normal_cfg_vert_vel_down, #default -3, descend speed at gps mode 
g_config_mode_sport_cfg_vert_vel_up, #default 5, I set it to 10, ascend like a rocket, be careful about battery overload
g_config_mode_sport_cfg_vert_vel_down, #default -3, set -10 but it only reach -5m/s in real flight

this are some g_config_mode_XXX_cfg_vert_acc_up/down, it have higher value as default, I'm not sure what it does, but just make sure set it to not lower than "no _acc" one

 

g_config_fw_cfg_max_speed <-- set to 20 but no different in real flight, default is 10

for "height_limit", I did change all from  /controller/config/user and it work.

some parameters about "airport" will be test on tomorrow, and following parameters not tested yet

"g_config_avoid_obstacle_limit_cfg_safe_dis" <-- obstacle distant ? 

g_config_landing_smart_landing_height_L1 <-- smart landing at -0.7 meter ? 

"g_config_voltage2_level1_smart_battert_gohome"            "DEFAULT": 15,

"g_config_voltage2_level2_smart_battert_land"         "DEFAULT": 10,

 

Now, I want to find out which parameters control about real MAX speed (sport mode is 20m/s in real flight) and 10m/s limit when obstacle detection is ON, but seem no parameters relevant to it.

Link to comment
Share on other sites

1 hour ago, singlag said:

Follow parameter tested at real flight with firmware version .200

g_config_go_home_gohome_idle_vel, default 10, only for RTH speed, I tested with 15 is ok
g_config_mode_normal_cfg_vert_vel_up, default 4, ascend speed at GPS mode in meter/second
g_config_mode_normal_cfg_vert_vel_down, #default -3, descend speed at gps mode 
g_config_mode_sport_cfg_vert_vel_up, #default 5, I set it to 10, ascend like a rocket, be careful about battery overload
g_config_mode_sport_cfg_vert_vel_down, #default -3, set -10 but it only reach -5m/s in real flight

this are some g_config_mode_XXX_cfg_vert_acc_up/down, it have higher value as default, I'm not sure what it does, but just make sure set it to not lower than "no _acc" one

 

g_config_fw_cfg_max_speed <-- set to 20 but no different in real flight, default is 10

for "height_limit", I did change all from  /controller/config/user and it work.

some parameters about "airport" will be test on tomorrow, and following parameters not tested yet

"g_config_avoid_obstacle_limit_cfg_safe_dis" <-- obstacle distant ? 

g_config_landing_smart_landing_height_L1 <-- smart landing at -0.7 meter ? 

"g_config_voltage2_level1_smart_battert_gohome"            "DEFAULT": 15,

"g_config_voltage2_level2_smart_battert_land"         "DEFAULT": 10,

 

Now, I want to find out which parameters control about real MAX speed (sport mode is 20m/s in real flight) and 10m/s limit when obstacle detection is ON, but seem no parameters relevant to it.

Thanks for sharing brother... 

Link to comment
Share on other sites

2 hours ago, singlag said:

this trick is VERY version specific

That's why .....I tried version 1.0.8 with -option b4 and seem no different than normal. :unsure:

Update: only DJI Assistant2 Beta112 is working for my windows 7 PC, but the firmware page seem having problem, connection timeout while loading firmware list

Link to comment
Share on other sites

8 minutes ago, singlag said:

Update: only DJI Assistant2 Beta112 is working for my windows 7 PC, but the firmware page seem having problem, connection timeout while loading firmware list

As I recall it... they have progressively added *checks* as the versions went on. With regard to the connection time outs and such, that is your big hint right there for the other versions. Have you considered using Wireshark to see what DJI Assistant wants to talk to *before* giving you access to the unlocked menus? It does vary across versions with regard to what those pre-requisite connections, or interactions may be. Another hint is to try running the program from the console... (older versions were WAY more chatty than newer ones). 

I assume you noticed it hangs looking for *something* very specific, see if you can spot it here. THIS trick is pretty well "burned" seems more and more people figured it out.

$ /Applications/Assistant_1_0_4.app/Contents/MacOS/Assistant --debugger
2017-06-26 14:10:23.670 Assistant[1928:56248989] kCFURLVolumeIsAutomountedKey missing for file:///private/tmp/b/: Error Domain=NSCocoaErrorDomain Code=260 "The file “b” couldn’t be opened because there is no such file." UserInfo={NSURL=file:///private/tmp/b/, NSFilePath=/private/tmp/b, NSUnderlyingError=0x7fd241416cd0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}
2017-06-26 14:10:23.671 Assistant[1928:56248989] kCFURLVolumeIsAutomountedKey missing for file:///private/tmp/a/: Error Domain=NSCocoaErrorDomain Code=260 "The file “a” couldn’t be opened because there is no such file." UserInfo={NSURL=file:///private/tmp/a/, NSFilePath=/private/tmp/a, NSUnderlyingError=0x7fd241603af0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}
PING swsf.djicorp.com (198.105.254.130): 56 data bytes
--- swsf.djicorp.com ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
2017_05_27@22_38_01 - Sat May 27 22:38:01 2017 [ 30] reserved
2017_05_28@00_40_16 - Sun May 28 00:40:16 2017 [ 29] reserved
2017_05_29@21_22_07 - Mon May 29 21:22:07 2017 [ 28] reserved
2017_06_01@12_05_46 - Thu Jun 1 12:05:46 2017 [ 25] reserved
2017_06_01@12_06_41 - Thu Jun 1 12:06:41 2017 [ 25] reserved
2017_06_01@12_09_35 - Thu Jun 1 12:09:35 2017 [ 25] reserved
2017_06_02@13_27_13 - Fri Jun 2 13:27:13 2017 [ 24] reserved
2017_06_02@13_30_34 - Fri Jun 2 13:30:34 2017 [ 24] reserved
2017_06_02@13_48_07 - Fri Jun 2 13:48:07 2017 [ 24] reserved
2017_06_02@13_48_50 - Fri Jun 2 13:48:50 2017 [ 24] reserved
2017_06_02@13_49_26 - Fri Jun 2 13:49:26 2017 [ 24] reserved
2017_06_02@13_49_44 - Fri Jun 2 13:49:44 2017 [ 24] reserved
2017_06_02@13_51_34 - Fri Jun 2 13:51:34 2017 [ 24] reserved
2017_06_02@13_51_47 - Fri Jun 2 13:51:47 2017 [ 24] reserved
2017_06_02@16_35_52 - Fri Jun 2 16:35:52 2017 [ 24] reserved
2017_06_02@16_56_49 - Fri Jun 2 16:56:49 2017 [ 24] reserved
2017_06_02@16_57_49 - Fri Jun 2 16:57:49 2017 [ 24] reserved
2017_06_02@16_58_15 - Fri Jun 2 16:58:15 2017 [ 24] reserved
2017_06_02@17_02_19 - Fri Jun 2 17:02:19 2017 [ 24] reserved
2017_06_04@12_49_31 - Sun Jun 4 12:49:31 2017 [ 22] reserved
2017_06_04@12_56_15 - Sun Jun 4 12:56:15 2017 [ 22] reserved
2017_06_04@12_58_12 - Sun Jun 4 12:58:12 2017 [ 22] reserved
2017_06_04@18_08_44 - Sun Jun 4 18:08:44 2017 [ 22] reserved
2017_06_04@18_10_02 - Sun Jun 4 18:10:02 2017 [ 22] reserved
2017_06_04@18_10_20 - Sun Jun 4 18:10:20 2017 [ 22] reserved
2017_06_04@18_11_16 - Sun Jun 4 18:11:16 2017 [ 22] reserved
2017_06_05@07_57_20 - Mon Jun 5 07:57:20 2017 [ 21] reserved
2017_06_05@08_57_29 - Mon Jun 5 08:57:29 2017 [ 21] reserved
2017_06_05@09_31_07 - Mon Jun 5 09:31:07 2017 [ 21] reserved
2017_06_05@12_48_21 - Mon Jun 5 12:48:21 2017 [ 21] reserved
2017_06_05@12_49_52 - Mon Jun 5 12:49:52 2017 [ 21] reserved
2017_06_05@12_55_33 - Mon Jun 5 12:55:33 2017 [ 21] reserved
2017_06_05@13_51_39 - Mon Jun 5 13:51:39 2017 [ 21] reserved
2017_06_05@14_07_27 - Mon Jun 5 14:07:27 2017 [ 21] reserved
2017_06_05@15_38_05 - Mon Jun 5 15:38:05 2017 [ 21] reserved
2017_06_05@15_43_37 - Mon Jun 5 15:43:37 2017 [ 21] reserved
2017_06_06@00_51_55 - Tue Jun 6 00:51:55 2017 [ 20] reserved
2017_06_06@09_50_06 - Tue Jun 6 09:50:06 2017 [ 20] reserved
2017_06_07@13_20_03 - Wed Jun 7 13:20:03 2017 [ 19] reserved
2017_06_18@00_17_56 - Sun Jun 18 00:17:56 2017 [  8] reserved
2017_06_18@15_21_20 - Sun Jun 18 15:21:20 2017 [  8] reserved
2017_06_20@10_10_08 - Tue Jun 20 10:10:08 2017 [  6] reserved
2017_06_20@16_01_01 - Tue Jun 20 16:01:01 2017 [  6] reserved
2017_06_21@13_02_48 - Wed Jun 21 13:02:48 2017 [  5] reserved
2017_06_21@22_14_43 - Wed Jun 21 22:14:43 2017 [  5] reserved
2017_06_21@22_16_41 - Wed Jun 21 22:16:41 2017 [  5] reserved
2017_06_24@00_59_00 - Sat Jun 24 00:59:00 2017 [  2] reserved
2017_06_26@14_02_45 - Mon Jun 26 14:02:45 2017 [  0] reserved
log:[dServer   ] Service at19870
qt.network.ssl: QSslSocket: cannot resolve SSL_set_psk_client_callback
qt.network.ssl: QSslSocket: cannot resolve TLSv1_1_client_method
qt.network.ssl: QSslSocket: cannot resolve TLSv1_2_client_method
qt.network.ssl: QSslSocket: cannot resolve TLSv1_1_server_method
qt.network.ssl: QSslSocket: cannot resolve TLSv1_2_server_method
qt.network.ssl: QSslSocket: cannot resolve SSL_select_next_proto
qt.network.ssl: QSslSocket: cannot resolve SSL_CTX_set_next_proto_select_cb
qt.network.ssl: QSslSocket: cannot resolve SSL_get0_next_proto_negotiated
qt.network.ssl: QSslSocket: cannot call unresolved function SSL_get0_next_proto_negotiated
log:[dServer   ] 1    Connected <- root
 
If you know the answer, just pipe up for the others that are tired of my riddles. =] 
Link to comment
Share on other sites

I'm no android expert so maybe there are easier ways to do this...

You can run the extracted binaries with qemu-arm like this:

To avoid the AT_SECURE error, find the following bytes in /system/bin/linker: 2e 70 20 b1 df f8 74 and replace them with: 2e 70 00 bf df f8 74

Libc will look for "/dev/__properties__".  It has to be 262144 bytes large, start with the following bytes: '2c 00 00 00 00 00 00 00 50 52 4f 50 ab d0 6e fc', owned by uid 0, gid 0 and chmod 600.

A symlink /system to the actual system/ directory is needed to make absolute path resolving work.

(I don't know if it's a factor but I'm running in a VM as the root user)

root@kali:~# qemu-arm -L . system/bin/dji_vision -h
usage:
set global debug level if it's not set
       system/bin/dji_vision -D 2
set module debug level
       system/bin/dji_vision -d 2
set monitor info options
       system/bin/dji_vision -m 2

There might be more interesting executables though :wink:

  • Upvote 1
Link to comment
Share on other sites

2 minutes ago, jan2642 said:

I'm no android expert so maybe there are easier ways to do this...

You can run the extracted binaries with qemu-arm like this:

To avoid the AT_SECURE error, find the following bytes in /system/bin/linker: 2e 70 20 b1 df f8 74 and replace them with: 2e 70 00 bf df f8 74

Libc will look for "/dev/__properties__".  It has to be 262144 bytes large, start with the following bytes: '2c 00 00 00 00 00 00 00 50 52 4f 50 ab d0 6e fc', owned by uid 0, gid 0 and chmod 600.

A symlink /system to the actual system/ directory is needed to make absolute path resolving work.

(I don't know if it's a factor but I'm running in a VM as the root user)


root@kali:~# qemu-arm -L . system/bin/dji_vision -h
usage:
set global debug level if it's not set
       system/bin/dji_vision -D 2
set module debug level
       system/bin/dji_vision -d 2
set monitor info options
       system/bin/dji_vision -m 2

There might be more interesting executables though :wink:

/dev/__properties__ is the Android android: persist system properties are stored. When you type "getprop" this is what you see. 

These are what the default properties on my Mavic look like. 

root@wm220_dz_ap0002_v1:/ # getprop
[dalvik.vm.lockprof.threshold]: [500]
[dalvik.vm.stack-trace-file]: [/data/anr/traces.txt]
[dji.encoding_service]: [1]
[dji.flight_service]: [1]
[dji.hdvt_service]: [1]
[dji.monitor_service]: [1]
[dji.sdrs]: [1]
[dji.sdrs_log]: [1]
[dji.system_service]: [1]
[dji.vision_service]: [1]
[init.svc.adbd]: [running]
[init.svc.console]: [running]
[init.svc.dji_encoding]: [running]
[init.svc.dji_flight]: [running]
[init.svc.dji_hdvt_uav]: [running]
[init.svc.dji_monitor]: [running]
[init.svc.dji_sys]: [running]
[init.svc.dji_vision]: [running]
[init.svc.sdrs]: [running]
[init.svc.sdrs_log]: [running]
[init.svc.start_dji_system]: [stopped]
[init.svc.ueventd]: [running]
[net.bt.name]: [Android]
[net.change]: [net.bt.name]
[persist.sys.adb.backroot]: [0]
[persist.sys.usb.config]: [adb]
[persist.sys.vold.primary]: [0]
[ro.allow.mock.location]: [0]
[ro.baseband]: [unknown]
[ro.board.platform]: [lc1860]
[ro.bootloader]: [unknown]
[ro.bootmode]: [unknown]
[ro.build.characteristics]: [default]
[ro.build.date.utc]: [1490926279]
[ro.build.date]: [Fri Mar 31 10:11:19 CST 2017]
[ro.build.description]: [full_wm220_dz_ap0002_v1-userdebug 4.4.4 KTU84Q eng.jenkins.20170331.101040 test-keys]
[ro.build.display.id]: [leadcore1860]
[ro.build.host]: [APServer01]
[ro.build.id]: [KTU84Q]
[ro.build.product]: [wm220_dz_ap0002_v1]
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.build.user]: [jenkins]
[ro.build.version.codename]: [REL]
[ro.build.version.incremental]: [eng.jenkins.20170331.101040]
[ro.build.version.release]: [4.4.4]
[ro.build.version.sdk]: [19]
[ro.debuggable]: [1]
[ro.factorytest]: [0]
[ro.hardware]: [leadcoreinnopower]
[ro.product.board]: [evb2]
[ro.product.brand]: [Leadcore]
[ro.product.cpu.abi2]: [armeabi]
[ro.product.cpu.abi]: [armeabi-v7a]
[ro.product.device]: [wm220_dz_ap0002_v1]
[ro.product.hardware.version]: [Ver0606]
[ro.product.locale.language]: [en]
[ro.product.locale.region]: [US]
[ro.product.manufacturer]: [LEADCORE]
[ro.product.model]: [L1860]
[ro.product.name]: [full_wm220_dz_ap0002_v1]
[ro.revision]: [0]
[ro.secure]: [1]
[ro.serialno]: []
[ro.wifi.channels]: []
[service.adb.root]: [1]
[service.adb.tcp.port]: [-1]
[sys.usb.config]: [rndis,mass_storage,bulk,acm,adb]
[sys.usb.state]: [rndis,mass_storage,bulk,acm,adb]
[wl.link.prefer]: [SDR]

I've attached a copy of the resulting file, in the event it is useful for you. 

__properties__

Link to comment
Share on other sites

10 minutes ago, jan2642 said:

I'm no android expert so maybe there are easier ways to do this...

You can run the extracted binaries with qemu-arm like this:

To avoid the AT_SECURE error, find the following bytes in /system/bin/linker: 2e 70 20 b1 df f8 74 and replace them with: 2e 70 00 bf df f8 74

 

Thanks for that... this seems to be interesting reading on the root of the subject. I was not familiar with it. 

https://segmentfault.com/a/1190000006087527

https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fsegmentfault.com%2Fa%2F1190000006087527&edit-text=&act=url

He suggests a few ways to "patch" the cause of the issue. 

  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...