MavicPilots.com Alternative CopterSafe Hack & Mod Discussion


MavproxyUser


@droner69, not seeing how your pcap was generated?  Where did you get the dissector for the Mavic protocol?  Looking under the hood a little, the USB protocol looks very similar to the P3 dissector on the P4 and the Mavic, if not identical?  The P3 one previously mentioned doesn't include lots of the things referenced in your capture.  I'm looking to deep dive on this over the next few days and likely can offer some support if you guys can catch me up.


4 hours ago, HDnes said:

Ok, I got into Assistant factory mode with a way easier method (at least on Mac).  Just open up developer settings and change factory_mode = true.  Might have to enable debugging also.  But that's the ticket.  Should work on every version I'd think.

That being said, I answered my own question.  I now see why the webproxy method doesn't work in its entirety.  You have to have write access to the min/maxes in order for those commands to take anything higher than the max etc.  So rooting is the next step I suppose?  Haven't seen nearly as much clear-cut information on how to do this on the patched FTP.  Is this where @MavproxyUser's decryptor comes into play?  Does that Python allow writing as well?  Or does it simply read to produce the files similar to what's on @droner69's?

I'm loving that people are following the trail of bread crumbs... *hat tip*. 

At this point in the game I suspect quite a bit of the "dir traversal" on the FTPD was a red herring. In reality I think the "traversal" is the mere fact that the ftpd root is "/data" on the drone. There are a number of scripts that call things from "/data". It is *possible* that early versions of the ftpd allowed the placing of a symlink, OR that somehow you could trigger a .zip or .tar file to be unpacked with a symlink contained within. Think of the NFZ db as it gets pushed, I forget the filename but it is like data_transfer.tar or something. 

I've only seen ONE instance of a symlink depicted on the ftpd server... but I can't for the life of me figure how it got there. Note the "~" in the picture... 

http://kvadrik.blogspot.com/2017/03/dji-mavic-pro-500.html

 

Really, the ONLY way this is possible is if DJI was stupid when they modified the Busybox source code and somehow introduced it. It is also possible that the original factory firmware used a really old vulnerable version of Busybox, but that doesn't fully explain the behavior.

P0V's original words were "Mavic it's restricted to '/ftp' directory. Luckily, there are underground 0day exploits for FTPD for path traversal. I can confirm that you can traverse out of the '/ftp' directory and reach the init scripts to set debug flag". I am not entirely convinced this isn't where the red herring lies, but I suspect so. 

https://www.rcgroups.com/forums/showthread.php?2747762-Official-DJI-Mavic-***Owner-and-Developer-sThread***/page1008#post36232471

I think the best hint here is to study the words in the old P3 paper:

"Unfortunately, on the latest firmware (V01.07.0090), the root ftp access to the drone is chrooted and I wasn’t able to escape the /tmp directory"

https://voidsec.com/hacking-dji-phantom-3/

I did note specifically "Port 21 is running vsFTPd 3.0.2 which as of the time of this writing, only has one minor known vulnerability"

https://courses.csail.mit.edu/6.857/2016/files/9.pdf

"Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing."

https://bugzilla.redhat.com/show_bug.cgi?id=1187041

So in theory... it is possible at one time they used Vsftpd instead of Busybox ftpd on the Mavic, P4, or i2. This really jumped out at me, and fits my suspicions above regarding "~"

"In particular aware that if a filename is accessible by a variety of names (perhaps due to symbolic links or hard links), then care must be taken to deny access to all the names."

https://bugzilla.redhat.com/show_bug.cgi?id=1187041#c2

 

It seems a good start would be to locate a P3 on pre-V01.07.0090 firmware and confirm how THAT ftpd behaved. Then we need to figure out if any of the REALLY early Mavics shipped with that variant. It is possible P0V got ahold of a bird that was in engineering mode I suppose (meaning a pre-release firmware version). 

The decryptor code was seemingly less useful at the end of the day for what folks are trying to accomplish here. I found the *most* utility to be in the fact that it could read the kernel log sans root.

$ python dji_ftpd_descrambler.py kernel00.log
oOZTPTP7] c0 1 (init) init: untracked pid 621 exited
<7>[   52.603083] c3 0 (swapper/3) Warnning: timer5 int-excep
<7>[   77.938720] c0 419 (dji_hdvt_gnd) bridge: start_xmit info: lmi42 xmit skb cb444000 CP busy!
<7>[   78.001593] c0 461 (keyscan_task) bridge: start_xmit info: lmi42 xmit skb cb444000 CP ready!
<7>[  162.814198] c3 439 (dji_hdvt_gnd) bridge: start_xmit info: lmi42 xmit skb ce24a300 CP busy!
<7>[  162.891897] c0 273 (MB_Socket_Recei) bridge: start_xmit info: lmi42 xmit skb ce24a300 CP ready!
<7>[  356.750230] c0 419 (dji_hdvt_gnd) bridge: start_xmit info: lmi42 xmit skb ce39fa80 CP busy!
<7>[  356.814311] c0 461 (keyscan_task) bridge: start_xmit info: lmi42 xmit skb ce39fa80 CP ready!
Being able to pull the DAAK from the kernel command line was interesting for sure... 
<5>[    0.000000] c0 0 (swapper) Kernel command line: watchdog_thresh=3 console=ttyS1,921600 vmalloc=412M android firmware_class.path=/vendor/firmware isolcpus=2,3,4 
initrd=0x07400000,1M lcpart=mmcblk0=gpt:0:2000:200,ddr:2000:2000:200,env:4000:2000:200,panic:6000:2000:200,amt:8000:20000:200,factory:28000:4000:200,factory_out:2c000:4000:200,
recovery:30000:8000:200,normal:38000:8000:200,system:40000:40000:200,vendor:80000:20000:200,cache:a0000:80000:200,blackbox:120000:400000:200,userdata:520000:228000:200  
chip_sn=31337000 board_sn=01EAT2D111XXXX daak=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA daek=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA drak=6f707f2962351d75bc089ac34da119fa 
saak=6f402fb8625205ce9bdd580217d218d8 waek=WIFIPASS production quiet board_id=0xe2200026

 

@hdnes "Or does it simply read to produce the files", yes... THAT. It is simply a tool to manually decrypt ONE file that you have already pulled, OR to attempt to pull the entire ftpd for you. 

Edited by MavproxyUser
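The kernel command line quoted above is worth treating as a data source in its own right, since it carries the partition map and several key slots. The following is an added example, not the poster's dji_ftpd_descrambler.py and not DJI code: it pulls the "Kernel command line:" record out of a kernel log, splits it into parameters and bare flags, parses the lcpart partition table, flags the parameters that look like key material (32 hex characters, or the daak/daek/drak/saak/waek style names), and produces a redacted copy safe to paste in a forum. The sample log is constructed from the lines shown in the post, with the values kept exactly as they were redacted there; the meaning of the third number in each lcpart entry is not stated in the post and is stored as "extra" without interpretation.

```python
import re

# Constructed sample: the command line and two log lines quoted in the post
# above, with the key values kept as they were already redacted there.
SAMPLE_KERNEL_LOG = (
    "<7>[   52.603083] c3 0 (swapper/3) Warnning: timer5 int-excep\n"
    "<5>[    0.000000] c0 0 (swapper) Kernel command line: watchdog_thresh=3 "
    "console=ttyS1,921600 vmalloc=412M android firmware_class.path=/vendor/firmware "
    "isolcpus=2,3,4 initrd=0x07400000,1M lcpart=mmcblk0=gpt:0:2000:200,ddr:2000:2000:200,"
    "env:4000:2000:200,panic:6000:2000:200,amt:8000:20000:200,factory:28000:4000:200,"
    "factory_out:2c000:4000:200,recovery:30000:8000:200,normal:38000:8000:200,"
    "system:40000:40000:200,vendor:80000:20000:200,cache:a0000:80000:200,"
    "blackbox:120000:400000:200,userdata:520000:228000:200 chip_sn=31337000 "
    "board_sn=01EAT2D111XXXX daak=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "
    "daek=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA drak=6f707f2962351d75bc089ac34da119fa "
    "saak=6f402fb8625205ce9bdd580217d218d8 waek=WIFIPASS production quiet board_id=0xe2200026\n"
    "<7>[   77.938720] c0 419 (dji_hdvt_gnd) bridge: start_xmit info: lmi42 xmit skb cb444000 CP busy!\n"
)

_CMDLINE_RE = re.compile(r"Kernel command line: (.*)$")
_HEX128 = re.compile(r"^[0-9a-fA-F]{32}$")   # 16-byte value printed as hex


def parse_cmdline(log_text):
    """Return (params, flags) from the first 'Kernel command line:' record,
    or None if the log has no such line.  key=value tokens go into params,
    bare words (android, quiet, ...) into flags."""
    for line in log_text.splitlines():
        m = _CMDLINE_RE.search(line)
        if not m:
            continue
        params, flags = {}, []
        for tok in m.group(1).split():
            if "=" in tok:
                k, v = tok.split("=", 1)
                params[k] = v
            else:
                flags.append(tok)
        return params, flags
    return None


def parse_lcpart(spec):
    """'mmcblk0=gpt:0:2000:200,ddr:2000:2000:200,...' -> (device, [entries]).
    Numbers are hex (the 2c000 / a0000 entries settle that); the third
    number's meaning is not given in the post, so it is kept as 'extra'."""
    device, _, table = spec.partition("=")
    parts = []
    for entry in table.split(","):
        name, start, size, extra = entry.split(":")
        parts.append({"name": name, "start": int(start, 16),
                      "size": int(size, 16), "extra": int(extra, 16)})
    return device, parts


def find_key_material(params):
    """Parameters that look like keys: a 32-hex-char value, or a name in the
    *ak / *ek family seen on the page (daak, daek, drak, saak, waek)."""
    return {k: v for k, v in params.items()
            if _HEX128.match(v) or k.endswith(("ak", "ek"))}


def redact_keys(log_text):
    """Copy of the log with every key-looking value replaced, for sharing."""
    found = parse_cmdline(log_text)
    if found is None:
        return log_text
    params, _ = found
    for k, v in find_key_material(params).items():
        log_text = log_text.replace("%s=%s" % (k, v), "%s=<redacted>" % k)
    return log_text


if __name__ == "__main__":
    params, flags = parse_cmdline(SAMPLE_KERNEL_LOG)
    print("flags:", flags)
    print("key slots:", sorted(find_key_material(params)))
    dev, parts = parse_lcpart(params["lcpart"])
    for p in parts:
        print("%-12s start=0x%06x size=0x%06x" % (p["name"], p["start"], p["size"]))
    print(redact_keys(SAMPLE_KERNEL_LOG))
```

Feed it a full kernel00.log pulled with the descrambler and it will find the record regardless of what precedes it; anything it flags under find_key_material should be scrubbed before the log leaves your machine, which is the state the values in the post are already in.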

3 hours ago, HDnes said:

On Mac the shortcut is:

option + command + i

or

⌘i

⌘r to reload after changing the settings

Factory mode and debug is under Resources>local storage

 

Clever trick! That may be useful for the "Preserve log" functionality alone. 



27 minutes ago, fredz said:

Works with DJI Assistant2 Beta112.zip on Windows @HDnes

Quite amazing to see all this in a graphical way. Values are read-only though, how can this be changed? Any idea?

That could be version specific... they should NOT be read-only; you should have the ability to readily change them. There is however a specific subset that are marked read-only. 


16 hours ago, nickmv said:

Just joining this thread/forum after being a CopterSafe customer. My Mavic is experiencing the forced autolanding due to critical battery issue, like mentioned on a previous thread for I believe the P3P.

Is this still a known issue? I was 3600ft up when it engaged --- almost shat my pants, but luckily got it down after 7-8 mins.

 


 

I don't think many folks have quite gotten there yet, Nick. Can you tell us more about this? Is there a fix on P3? We can likely find an analog in the config options. 

Did you by chance get video, or have the logs from the flight of it occurring? That would be interesting. 

You of course saw this already via GitHub comments. 


Edited by MavproxyUser

Got factory/debug working on OSX Assistant 1.1.2.

But developer is still missing, as seen on Droner69's screenshots (Groundstation etc.)

Wireshark doesn't tell me anything new, so I'm a bit stuck now.

 

Did someone on Mavic/P4/P4P etc try this all with the newest FW?

I'm sure that all got patched out; DJI even changed the whole login process to preserve changes of the NFZ.

 

 


11 hours ago, jan2642 said:

Thanks for the spoon-fed clue, I've found the factory window. Unfortunately it's in Chinese :dry: (and I forgot to take a screenshot).

Anyone here who can translate these ? Many thanks!

 

Also promising for the path I'm on: the available commands on /controller/board_test:

{
    "EXIST_COMMANDS": [
        "get_status_info",
        "set_status_info",
        "start_process",
        "start_test"
    ],
    "SEQ": "12345"
}

Now trying to figure out how to pass on arguments to start_test & start_process...


Ok I will try to share some more information in the hope people will help get more and more information. I will first give the image format (which is also the sig format):

  • Header
    • 4B Magic ("IM*H")
    • 4B Version (Currently only 1 is seen)
    • 8B ??
    • 4B Header size
    • 4B RSA signature size
    • 4B Payload size
    • 12B Unknown
    • 4B Auth key identifier
    • 4B Encryption key identifier
    • 16B Scramble key
    • 32B Image name
    • 60B ??
    • 4B Block count
    • 32B SHA256 payload
  • Per Block info
    • 4B Name
    • 4B Start offset
    • 4B Output size
    • 4B Attributes (Last bit 0 means encrypted)
    • 16B ??
  • RSA Signature of the Header (Size and Auth key described in header)
  • Actual block data (Start offset 0)
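The layout above, turned into a parser. This is an added example, not DJI's code and not any tool from this thread. It assumes things the post does not state: integers are little-endian, "Header size" counts the fixed fields plus the per-block entries, and the RSA signature sits between the header and the block data. It does not verify the signature (no public key is given here), and it only compares the SHA256 field against the payload bytes as stored; whether that hash covers the scrambled or the decrypted payload is left open. build_sample_image() is a constructed fixture with made-up key ids, names and a fake 256-byte signature, not a real .sig file.

```python
"""Parser for the 'IM*H' image / .sig container described in the post.
Added example; assumptions (little-endian, header size semantics, signature
placement) are noted inline and are not stated on the page."""
import hashlib
import struct

MAGIC = b"IM*H"
FIXED_HEADER_LEN = 192  # sum of the fixed header fields listed in the post
BLOCK_ENTRY_LEN = 32    # 4B name + 4B start + 4B output size + 4B attrs + 16B ??

# Field order exactly as listed in the post; '<' (little-endian) is an assumption.
_HDR = struct.Struct("<4sI8sIII12sII16s32s60sI32s")
_BLK = struct.Struct("<4sIII16s")


def parse_image(blob):
    """Parse header, block table and signature.  Raises ValueError on any
    inconsistency so a truncated or tampered file is rejected outright."""
    if len(blob) < FIXED_HEADER_LEN:
        raise ValueError("file shorter than fixed header")
    (magic, version, _unk0, header_size, sig_size, payload_size, _unk1,
     auth_key, enc_key, scramble_key, name, _unk2, block_count,
     payload_sha256) = _HDR.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("bad magic %r" % magic)
    # Assumption: header size = fixed fields + block table, nothing else.
    if header_size != FIXED_HEADER_LEN + BLOCK_ENTRY_LEN * block_count:
        raise ValueError("header size %d inconsistent with %d blocks"
                         % (header_size, block_count))
    data_off = header_size + sig_size          # assumption: sig, then data
    if data_off + payload_size > len(blob):
        raise ValueError("payload extends past end of file")

    blocks = []
    for i in range(block_count):
        bname, start, size, attrs, _unk = _BLK.unpack_from(
            blob, FIXED_HEADER_LEN + i * BLOCK_ENTRY_LEN)
        if start + size > payload_size:       # bounds check before slicing
            raise ValueError("block %d outside payload" % i)
        blocks.append({
            "name": bname.rstrip(b"\0").decode("ascii", "replace"),
            "start": start, "size": size, "attrs": attrs,
            "encrypted": (attrs & 1) == 0,      # post: last bit 0 => encrypted
            "data": blob[data_off + start:data_off + start + size],
        })

    payload = blob[data_off:data_off + payload_size]
    return {
        "version": version, "header_size": header_size, "sig_size": sig_size,
        "payload_size": payload_size, "auth_key_id": auth_key,
        "enc_key_id": enc_key, "scramble_key": scramble_key.hex(),
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "signature": blob[header_size:data_off],
        "payload_sha256": payload_sha256.hex(),
        # Only says whether the stored hash matches the bytes as stored;
        # scrambled-vs-plaintext coverage is not stated in the post.
        "sha256_matches_stored_payload":
            hashlib.sha256(payload).digest() == payload_sha256,
        "blocks": blocks,
    }


def build_sample_image():
    """Constructed fixture: two blocks, one encrypted, one plain, fake sig."""
    blocks = [(b"rtos", b"\x13" * 48, 0x0),        # attrs bit0 = 0 -> encrypted
              (b"cfg\0", b"plain config", 0x1)]    # attrs bit0 = 1 -> plaintext
    payload = b"".join(d for _, d, _ in blocks)
    sig = b"\x41" * 256                            # placeholder, not a real RSA sig
    header_size = FIXED_HEADER_LEN + BLOCK_ENTRY_LEN * len(blocks)
    hdr = _HDR.pack(MAGIC, 1, b"\0" * 8, header_size, len(sig), len(payload),
                    b"\0" * 12, 4, 2, bytes(range(16)),
                    b"wm220_0100".ljust(32, b"\0"), b"\0" * 60, len(blocks),
                    hashlib.sha256(payload).digest())
    table, off = b"", 0
    for bname, data, attrs in blocks:
        table += _BLK.pack(bname, off, len(data), attrs, b"\0" * 16)
        off += len(data)
    return hdr + table + sig + payload


if __name__ == "__main__":
    img = parse_image(build_sample_image())
    for k in ("name", "version", "auth_key_id", "enc_key_id", "scramble_key",
              "payload_sha256", "sha256_matches_stored_payload"):
        print("%-28s %s" % (k, img[k]))
    for b in img["blocks"]:
        print("block %-5s start=%-6d size=%-6d %s" % (
            b["name"], b["start"], b["size"], "encrypted" if b["encrypted"] else "plain"))
```

Point it at a real file with parse_image(open(path, "rb").read()). If it raises on the header-size check, the layout assumption above is wrong for that file and the offsets should be rechecked against a hex dump rather than the check removed.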

11 hours ago, jan2642 said:

 

Anyone here who can translate these ? Many thanks!

 

Also promising for the path I'm on: the available commands on /controller/board_test:


{
    "EXIST_COMMANDS": [
        "get_status_info",
        "set_status_info",
        "start_process",
        "start_test"
    ],
    "SEQ": "12345"
}

Now trying to figure out how to pass on arguments to start_test & start_process...

自動 = auto

一鍵查詢 = check/query in 1 click (means check all items)

機型 = model number

固件版本 = firmware version

 

I can't see this factory screen on version 1.0.6

 

Edited by singlag

On 26.6.2017 at 7:51 PM, singlag said:

Update: only DJI Assistant2 Beta112 is working on my Windows 7 PC, but the firmware page seems to have a problem: connection timeout while loading the firmware list

Do you have any idea if that version supports Spark as well ? If not then all this probably is irrelevant for Spark, right ?

---Trying to get a grip on this, but just being a regular coder and not well versed in hacking / reverse engineering it's hard for me---

 

Ender


5 hours ago, enderffx said:

Do you have any idea if that version supports Spark as well ? If not then all this probably is irrelevant for Spark, right ?

---Trying to get a grip on this, but just being a regular coder and not well versed in hacking / reverse engineering it's hard for me---

 

Ender

I'm using the new version of DJI Assistant now (27/5/2017); I think it can support Spark.

 

 


12 hours ago, MavproxyUser said:

Looks like the cat is out of the bag btw..

YES INDEED

DJI pulled all the vulnerable firmware for all the drones (Spark, Mavic, P4p and Inspire 2)

(screenshots attached: P4p.jpg, Spark.jpg, mavic.jpg)

Edited by Mavic_1_2_9

Ok folks... word on the street is that DJI is pulling firmware. 

Please start uploading your archived firmware to GoogleDrive and linking here or in slack https://dji-rev.slack.com #firm_cache 

on OSX

/Applications/Assistant.app/Contents/MacOS/Data/firm_cache

or on Windows 
C:\Program Files (x86)\DJI Product\DJI Assistant 2\Assistant\Data\firm_cache
 
Please archive all contents such as: 
wm220_0100_v02.01.55.93_20170120.pro.fw.sig
wm220_0100_v02.02.56.29_20170317.pro.fw.sig
wm220_0100_v02.05.04.34_20170209_ca02.pro.fw.sig
wm220_0100_v02.06.04.84_20170324_ca02.pro.fw.sig
wm220_0101_v02.01.55.93_20170120.pro.fw.sig
wm220_0101_v02.02.56.29_20170317.pro.fw.sig
wm220_0101_v02.05.04.34_20170209_ca02.pro.fw.sig
wm220_0101_v02.06.04.84_20170324_ca02.pro.fw.sig
wm220_0305_v34.04.00.23_20161122.pro.fw.sig
wm220_0306_v03.02.13.16_20170112.pro.fw.sig
wm220_0306_v03.02.30.13_20170405.pro.fw.sig
wm220_0400_v01.50.11.93_20170116.pro.fw.sig
wm220_0400_v01.50.12.01_20170414.pro.fw.sig
wm220_0600_v00.00.01.27_20161017.pro.fw.sig
wm220_0601_v00.00.03.04_20170329.pro.fw.sig
wm220_0603_v00.00.06.07_20170314.pro.fw.sig
wm220_0801_v01.04.17.03_20170120.pro.fw.sig
wm220_0801_v01.05.00.20_20170331.pro.fw.sig
wm220_0802_v01.00.03.08_20170116.pro.fw.sig
wm220_0803_v00.00.04.06_20160621.pro.fw.sig
wm220_0803_v00.00.04.08_20170314.pro.fw.sig
wm220_0804_v01.00.00.08_20170113.pro.fw.sig
wm220_0805_v01.01.00.71_20161227.pro.fw.sig
wm220_0805_v01.01.00.87_20170427.pro.fw.sig
wm220_0905_v00.00.01.04_20170301.pro.fw.sig
wm220_0907_v43.97.02.05_20170111.pro.fw.sig
wm220_0907_v47.26.02.11_20170419.pro.fw.sig
wm220_1100_v01.00.07.24_20161206.pro.fw.sig
wm220_1200_v01.09.00.00_20161204.pro.fw.sig
wm220_1201_v01.09.00.00_20161204.pro.fw.sig
wm220_1202_v01.09.00.00_20161204.pro.fw.sig
wm220_1203_v01.09.00.00_20161204.pro.fw.sig
wm220_1301_v01.04.17.03_20170120.pro.fw.sig
wm220_1301_v01.05.00.23_20170418.pro.fw.sig
wm220_1407_v43.97.02.05_20170111.pro.fw.sig
wm220_1407_v47.26.02.11_20170419.pro.fw.sig
wm220_2801_v01.02.21.01_20170421.pro.fw.sig
wm220_2803_v00.00.03.08_20170302_cd01.pro.fw.sig
wm220_2803_v00.00.03.08_20170302_cd02.pro.fw.sig
wm220_2807_v47.26.02.11_20170419.pro.fw.sig

 

