MavproxyUser Posted June 26, 2017 (edited)

Well, it seems the conversation over at MavicPilots.com on discussing Jailbreaking, Height Restriction Bypass, and g_config changes, or anything related to "modding" DJI firmware settings for NFZ, etc. is just out of pocket per the admins. They've been deleting threads left and right.

Update: For those of you that are more active... stop by and see us in Slack. Don't come ask dumb questions! Stop by with the mindset of participation.
Updated Slack invite link: https://join.slack.com/t/dji-rev/shared_invite/enQtMjk5OTEyMzcyMjI3LTdlZjY4NzQ5M2M2NmE5ZWM4OTgyNThmZDVmZjdjODE4ODYyNmYwZjYxMDcyYzcxNmZlYzI5ZjI2ZGQ2NGY1ZTc

MavicPilots History on the Drama Llama:
"So this has turned into a communist forum!!"
"Mods continuing to delete posts will be a quick downward spiral for this forum and become a wasteland in no time"
https://archive.fo/tfZEg#selection-957.1-957.44

I wanna talk about patching the dji_flight binary, anyone game? How about the best way to edit parameters, set better min and max values, etc.? Who's got root?

Let's talk about what you do *after* you Jailbreak your DJI Spark, or Jailbreak your DJI Mavic, or Jailbreak your DJI Phantom4 (P4). What is next?

    $ adb shell
    root@wm100_dz_ap0001_v5:/ #
    root@wm220_dz_ap0002_v1:/ #
    root@wm220_dz_rp0010_v1:/ #
    root@wm220_dz_ah0001_v5:/ #

How about you guys getting down and funky inside the DJI Assistant application? I see you! Come holla! I see you out there playing with web sockets... no lie, come talk with us! Let's all make a better place to discuss getting root and having fun with our DJI products. That *other* place is a bit stuffy. ;)

Edited January 17, 2018 by MavproxyUser (drama llama)
singlag Posted June 26, 2017

Any more hints for opening the hidden menu from DJI Assistant and rooting the drone? I can use the web socket to change the parameters now, but want to learn more about this, thx.
MavJailBreak Posted June 26, 2017

    9 hours ago, MavproxyUser said:
    Well, it seems the conversation over at MavicPilots.com on discussing Jailbreaking, Height Restriction Bypass, and g_config changes, or anything related to "modding" DJI firmware settings for NFZ, etc. is just out of pocket per the admins. They've been deleting threads left and right.

    I wanna talk about patching the dji_flight binary, anyone game? How about the best way to edit parameters, set better min and max values, etc.? Who's got root?

    Let's talk about what you do *after* you Jailbreak your DJI Spark, or Jailbreak your DJI Mavic, or Jailbreak your DJI Phantom4 (P4). What is next?

        $ adb shell
        root@wm100_dz_ap0001_v5:/ #
        root@wm220_dz_ap0002_v1:/ #
        root@wm220_dz_rp0010_v1:/ #
        root@wm220_dz_ah0001_v5:/ #

    How about you guys getting down and funky inside the DJI Assistant application? I see you! Come holla! I see you out there playing with web sockets... no lie, come talk with us! Let's all make a better place to discuss getting root and having fun with our DJI products. That *other* place is a bit stuffy. ;)

So have you managed to root, and change parameters through Assistant? There is a massive following who would be very happy for a free way of doing this.
singlag Posted June 26, 2017

mavproxyuser provided some sample code to change parameters, which works well on my drone (I unlocked some limitations: faster RTH, ascend, descend speed), but I want to know how to "hack" DJI Assistant; I guess it is about "sdk level".
Freaky123 Posted June 26, 2017

Yes, but the problem is that when the exploit leaks out it will be only days before it is patched. Finding a generic way of rooting the device which can't be patched is more difficult.
MavJailBreak Posted June 26, 2017

    5 minutes ago, Freaky123 said:
    Yes, but the problem is that when the exploit leaks out it will be only days before it is patched. Finding a generic way of rooting the device which can't be patched is more difficult.

Using Litchi, turning updates off and not upgrading firmware is a start.
MavJailBreak Posted June 26, 2017

Love the way he drops teasers and goes quiet tho.
MavproxyUser (Author) Posted June 26, 2017 (edited)

    52 minutes ago, MavJailBreak said:
    So have you managed to root, and change parameters through Assistant? There is a massive following who would be very happy for a free way of doing this.

I am one of the few folks that does have root access. A mate of mine has done the work, so unfortunately I cannot share his private work. A few folks here have been rooted by me to help us gather information about the internals of the Mavic, however. You may catch a few random folks discussing things that cannot be done without root; there is a good chance they have no clue about how root access is obtained. A few folks have nice friends with private tools. P0V's work is something we have all been chasing. I initially dug in as I suspected the mythical "whitelist" files never existed outside of the factory. I believe at this point someone (P0V?) has manually generated one, as opposed to the claims of having extracted one from a firmware dump, or to have *found* one on an early firmware version. I do not believe the wives' tale about being able to "spoof hosts" on the whitelist as a means to use the Secure Debug (adb) on Mavic, or P4, i2 or Spark.

I have not seen anyone beyond a small handful figure out the easter egg to unlock the Assistant in full. I gave a very big hint a month or so back, however. Simply run the assistant with the "-h" flag. I have noticed that having root, or Admin privs (on your own machine) *may* have some impact on being able to open up the extra options.

    Usage: /Applications/Assistant.app/Contents/MacOS/Assistant [options]

    Options:
      -h, --help            Displays this help.
      -v, --version         Displays version information.
      --debugger            Run with a debugger window
      --minimum             Show controller log minimum
      --console             Run assistant as a console service, No browser Window!
      --template            Load controller config from template!
      --force_upgrade       Ignore the version when upgrade ENC firmware!
      --bypass <DEVICE>     force all device as param [Receiver]|[DEVICE]|[Version] eg Controller|ai900v2|3.1.0.2
      --noskip              As default, upgrade pack file will skip those device that is not connected, if define no skip, will try to upgrade all pack file
      --factory             Open Factory page
      --baud_rate <DEVICE>  set com device baud rate
      --auto_upgrade        enable auto upgrade
      --cache_wget_file     debug only, used to cache wget files
      --inrup               internal upgrade tool
      --adb_logcat          Start ADB logcat function
      --auto_test           Set to auto test mode
      --test_server         Set to test server
      --1706                Set DJI Vision to 1706
      --sws                 Set Env to SWS

These are some photos from someone else that caught the hint.
https://github.com/droner69/MavicPro/tree/master/DJI_Assistant_2_Dev_Pictures

I can tell you that at times this trick is VERY version specific. So if you are having issues... try a different version. You can find an archive of the binaries in my git repo.
https://github.com/MAVProxyUser/DJIAssistant2Binaries

There *MAY* be something special to the DebuggerOptions.txt file... I have extracted all the unique options from all the versions and placed them here if anyone wants to help figure it out:
https://raw.githubusercontent.com/MAVProxyUser/DJIAssistant2Binaries/master/DebuggerOptionsUnique.txt

Edited June 26, 2017 by MavproxyUser
MavproxyUser (Author) Posted June 26, 2017

    16 minutes ago, singlag said:
    mavproxyuser provided some sample code to change parameters, which works well on my drone (I unlocked some limitations: faster RTH, ascend, descend speed), but I want to know how to "hack" DJI Assistant; I guess it is about "sdk level".

So for those of you that missed the information I shared with this gentleman... here is some sample code to communicate with the DJI Assistant Web Socket. There are some things left for you as an exercise, but this will give you a solid start.

    #!/usr/bin/python
    # Connect to the local DJI Assistant 2 web socket server (port 19870) and
    # print whatever the "general" service sends until it goes quiet.
    from websocket import create_connection, WebSocketTimeoutException

    ws = create_connection("ws://localhost:19870/general")
    ws.settimeout(1)  # recv() raises WebSocketTimeoutException after 1 s of silence
    while 1:
        try:
            result = ws.recv()
        except WebSocketTimeoutException:
            break
        if result == "":
            break
        print(result)

    # Commands are JSON objects: {"SEQ": <request id>, "CMD": <command>[, "INDEX": <parameter>]}
    # {"SEQ":"12345","CMD":""} - Get command list on any service.
    # ws://localhost:19870/controller/p4_ext/787d599803c40b695ac8b44d276cd7e48b5d5e69
    # {"SEQ":"12345","CMD":"get_info"} - Serial Number & User Token
    # ws://localhost:19870/controller/config/user/787d599803c40b695ac8b44d276cd7e48b5d5e69
    # {"SEQ":"12345","CMD":"EnterFcSdCard"}
    #
    # {"SEQ":"12345","CMD":"read","INDEX":"fly_limit_height"}
    ws.close()
MavproxyUser (Author) Posted June 26, 2017

    18 minutes ago, singlag said:
    but I want to know how to "hack" DJI Assistant; I guess it is about "sdk level"

At this point, I am also wondering what the steps are to duplicate Aaron Luo's work on a newer SDK version.
https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Aaron-Luo-Drones-Hijacking-Multi-Dimensional-Attack-Vectors-And-Countermeasures-UPDATED.pdf

At the very least the Java Class has changed a little bit since the talk. Has anyone taken JEB to it yet?
https://www.pnfsoftware.com
(JEB is well worth the $$$ btw)
Opcode Posted June 26, 2017

    1 minute ago, MavproxyUser said:
    So for those of you that missed the information I shared with this gentleman... here is some sample code to communicate with the DJI Assistant Web Socket. There are some things left for you as an exercise, but this will give you a solid start.

        #!/usr/bin/python
        # Connect to the local DJI Assistant 2 web socket server (port 19870) and
        # print whatever the "general" service sends until it goes quiet.
        from websocket import create_connection, WebSocketTimeoutException

        ws = create_connection("ws://localhost:19870/general")
        ws.settimeout(1)  # recv() raises WebSocketTimeoutException after 1 s of silence
        while 1:
            try:
                result = ws.recv()
            except WebSocketTimeoutException:
                break
            if result == "":
                break
            print(result)

        # Commands are JSON objects: {"SEQ": <request id>, "CMD": <command>[, "INDEX": <parameter>]}
        # {"SEQ":"12345","CMD":""} - Get command list on any service.
        # ws://localhost:19870/controller/p4_ext/787d599803c40b695ac8b44d276cd7e48b5d5e69
        # {"SEQ":"12345","CMD":"get_info"} - Serial Number & User Token
        # ws://localhost:19870/controller/config/user/787d599803c40b695ac8b44d276cd7e48b5d5e69
        # {"SEQ":"12345","CMD":"EnterFcSdCard"}
        #
        # {"SEQ":"12345","CMD":"read","INDEX":"fly_limit_height"}
        ws.close()

Thanks for your work, appreciated. Besides, I'm trying to go the CopterSafe route and see what this tool is exactly doing.
MavproxyUser (Author) Posted June 26, 2017

    17 minutes ago, MavJailBreak said:
    Love the way he drops teasers and goes quiet tho.

There is really no point in sharing if others do not reciprocate... ;) Must keep a cycle of love going...
Freaky123 Posted June 26, 2017

I can almost certainly confirm that CopterSafe is only adjusting FC parameters and not rooting the device. It also doesn't update the device, as mentioned before.
MavproxyUser (Author) Posted June 26, 2017

    37 minutes ago, singlag said:
    I unlocked some limitations: faster RTH, ascend, descend speed

Will you share with the rest of the group the parameter names you changed... this will go well with the web socket code I posted above (and shared with you previously).
thatdumbdronie Posted June 26, 2017

I have the full unlock pack and programme from CopterSafe. Is there a way of sniffing the USB traffic as it jailbreaks, so that I can reproduce it and flash it through a different programme? Please let me know. Inbox me; my messages on here are limited still. Contact me through Mavproxyuser, he now has my email address.
Freaky123 Posted June 26, 2017 (edited)

That is indeed possible and can be easily done. If you send me recordings I can analyze them, since I can decode the protocol. Then you even know what it does exactly.

Edited June 26, 2017 by Freaky123
singlag Posted June 26, 2017

    1 hour ago, MavproxyUser said:
    I am one of the few folks that does have root access. A mate of mine has done the work, so unfortunately I cannot share his private work. A few folks here have been rooted by me to help us gather information about the internals of the Mavic, however. You may catch a few random folks discussing things that cannot be done without root; there is a good chance they have no clue about how root access is obtained. A few folks have nice friends with private tools. P0V's work is something we have all been chasing. I initially dug in as I suspected the mythical "whitelist" files never existed outside of the factory. I believe at this point someone (P0V?) has manually generated one, as opposed to the claims of having extracted one from a firmware dump, or to have *found* one on an early firmware version. I do not believe the wives' tale about being able to "spoof hosts" on the whitelist as a means to use the Secure Debug (adb) on Mavic, or P4, i2 or Spark.

    I have not seen anyone beyond a small handful figure out the easter egg to unlock the Assistant in full. I gave a very big hint a month or so back, however. Simply run the assistant with the "-h" flag. I have noticed that having root, or Admin privs (on your own machine) *may* have some impact on being able to open up the extra options.

        Usage: /Applications/Assistant.app/Contents/MacOS/Assistant [options]

        Options:
          -h, --help            Displays this help.
          -v, --version         Displays version information.
          --debugger            Run with a debugger window
          --minimum             Show controller log minimum
          --console             Run assistant as a console service, No browser Window!
          --template            Load controller config from template!
          --force_upgrade       Ignore the version when upgrade ENC firmware!
          --bypass <DEVICE>     force all device as param [Receiver]|[DEVICE]|[Version] eg Controller|ai900v2|3.1.0.2
          --noskip              As default, upgrade pack file will skip those device that is not connected, if define no skip, will try to upgrade all pack file
          --factory             Open Factory page
          --baud_rate <DEVICE>  set com device baud rate
          --auto_upgrade        enable auto upgrade
          --cache_wget_file     debug only, used to cache wget files
          --inrup               internal upgrade tool
          --adb_logcat          Start ADB logcat function
          --auto_test           Set to auto test mode
          --test_server         Set to test server
          --1706                Set DJI Vision to 1706
          --sws                 Set Env to SWS

    These are some photos from someone else that caught the hint.
    https://github.com/droner69/MavicPro/tree/master/DJI_Assistant_2_Dev_Pictures

    I can tell you that at times this trick is VERY version specific. So if you are having issues... try a different version. You can find an archive of the binaries in my git repo.
    https://github.com/MAVProxyUser/DJIAssistant2Binaries

    There *MAY* be something special to the DebuggerOptions.txt file... I have extracted all the unique options from all the versions and placed them here if anyone wants to help figure it out:
    https://raw.githubusercontent.com/MAVProxyUser/DJIAssistant2Binaries/master/DebuggerOptionsUnique.txt

    this trick is VERY version specific

That's why... I tried version 1.0.8 with -option b4 and it seemed no different than normal.
singlag Posted June 26, 2017

    49 minutes ago, thatdumbdronie said:
    I have the full unlock pack and programme from CopterSafe. Is there a way of sniffing the USB traffic as it jailbreaks, so that I can reproduce it and flash it through a different programme? Please let me know. Inbox me; my messages on here are limited still. Contact me through Mavproxyuser, he now has my email address.

Try Wireshark and Burp Suite.
singlag Posted June 26, 2017

    52 minutes ago, MavproxyUser said:
    Will you share with the rest of the group the parameter names you changed... this will go well with the web socket code I posted above (and shared with you previously).

The following parameters were tested in real flight with firmware version .200:

g_config_go_home_gohome_idle_vel - default 10, only for RTH speed; I tested with 15 and it is ok
g_config_mode_normal_cfg_vert_vel_up - default 4, ascend speed in GPS mode in meters/second
g_config_mode_normal_cfg_vert_vel_down - default -3, descend speed in GPS mode
g_config_mode_sport_cfg_vert_vel_up - default 5; I set it to 10, it ascends like a rocket, be careful about battery overload
g_config_mode_sport_cfg_vert_vel_down - default -3; I set -10 but it only reaches -5 m/s in real flight

There are some g_config_mode_XXX_cfg_vert_acc_up/down; they have higher values as default. I'm not sure what they do, but just make sure to set them not lower than the "no _acc" ones.

g_config_fw_cfg_max_speed <-- set to 20 but no difference in real flight, default is 10

For "height_limit", I changed all of them from /controller/config/user and it works.

Some parameters about "airport" will be tested tomorrow, and the following parameters are not tested yet:

"g_config_avoid_obstacle_limit_cfg_safe_dis" <-- obstacle distance?
g_config_landing_smart_landing_height_L1 <-- smart landing at -0.7 meter?
"g_config_voltage2_level1_smart_battert_gohome" "DEFAULT": 15,
"g_config_voltage2_level2_smart_battert_land" "DEFAULT": 10,

Now, I want to find out which parameters control the real MAX speed (sport mode is 20 m/s in real flight) and the 10 m/s limit when obstacle detection is ON, but there seem to be no parameters relevant to it.
MavproxyUser (Author) Posted June 26, 2017

    1 hour ago, singlag said:
    The following parameters were tested in real flight with firmware version .200:

    g_config_go_home_gohome_idle_vel - default 10, only for RTH speed; I tested with 15 and it is ok
    g_config_mode_normal_cfg_vert_vel_up - default 4, ascend speed in GPS mode in meters/second
    g_config_mode_normal_cfg_vert_vel_down - default -3, descend speed in GPS mode
    g_config_mode_sport_cfg_vert_vel_up - default 5; I set it to 10, it ascends like a rocket, be careful about battery overload
    g_config_mode_sport_cfg_vert_vel_down - default -3; I set -10 but it only reaches -5 m/s in real flight

    There are some g_config_mode_XXX_cfg_vert_acc_up/down; they have higher values as default. I'm not sure what they do, but just make sure to set them not lower than the "no _acc" ones.

    g_config_fw_cfg_max_speed <-- set to 20 but no difference in real flight, default is 10

    For "height_limit", I changed all of them from /controller/config/user and it works.

    Some parameters about "airport" will be tested tomorrow, and the following parameters are not tested yet:

    "g_config_avoid_obstacle_limit_cfg_safe_dis" <-- obstacle distance?
    g_config_landing_smart_landing_height_L1 <-- smart landing at -0.7 meter?
    "g_config_voltage2_level1_smart_battert_gohome" "DEFAULT": 15,
    "g_config_voltage2_level2_smart_battert_land" "DEFAULT": 10,

    Now, I want to find out which parameters control the real MAX speed (sport mode is 20 m/s in real flight) and the 10 m/s limit when obstacle detection is ON, but there seem to be no parameters relevant to it.

Thanks for sharing brother...
singlag Posted June 26, 2017

    2 hours ago, singlag said:
    this trick is VERY version specific

    That's why... I tried version 1.0.8 with -option b4 and it seemed no different than normal.

Update: only DJI Assistant2 Beta112 is working on my Windows 7 PC, but the firmware page seems to have a problem: connection timeout while loading the firmware list.
MavproxyUser (Author) Posted June 26, 2017

    8 minutes ago, singlag said:
    Update: only DJI Assistant2 Beta112 is working on my Windows 7 PC, but the firmware page seems to have a problem: connection timeout while loading the firmware list.

As I recall it... they have progressively added *checks* as the versions went on. With regard to the connection timeouts and such, that is your big hint right there for the other versions. Have you considered using Wireshark to see what DJI Assistant wants to talk to *before* giving you access to the unlocked menus? It does vary across versions with regard to what those prerequisite connections, or interactions, may be. Another hint is to try running the program from the console... (older versions were WAY more chatty than newer ones). I assume you noticed it hangs looking for *something* very specific; see if you can spot it here. THIS trick is pretty well "burned"; it seems more and more people figured it out.

    $ /Applications/Assistant_1_0_4.app/Contents/MacOS/Assistant --debugger
    2017-06-26 14:10:23.670 Assistant[1928:56248989] kCFURLVolumeIsAutomountedKey missing for file:///private/tmp/b/: Error Domain=NSCocoaErrorDomain Code=260 "The file “b” couldn’t be opened because there is no such file." UserInfo={NSURL=file:///private/tmp/b/, NSFilePath=/private/tmp/b, NSUnderlyingError=0x7fd241416cd0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}
    2017-06-26 14:10:23.671 Assistant[1928:56248989] kCFURLVolumeIsAutomountedKey missing for file:///private/tmp/a/: Error Domain=NSCocoaErrorDomain Code=260 "The file “a” couldn’t be opened because there is no such file." UserInfo={NSURL=file:///private/tmp/a/, NSFilePath=/private/tmp/a, NSUnderlyingError=0x7fd241603af0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}
    PING swsf.djicorp.com (198.105.254.130): 56 data bytes
    --- swsf.djicorp.com ping statistics ---
    1 packets transmitted, 0 packets received, 100.0% packet loss
    [...]
    log:[dServer ] Service at19870
    qt.network.ssl: QSslSocket: cannot resolve SSL_set_psk_client_callback
    qt.network.ssl: QSslSocket: cannot resolve TLSv1_1_client_method
    qt.network.ssl: QSslSocket: cannot resolve TLSv1_2_client_method
    qt.network.ssl: QSslSocket: cannot resolve TLSv1_1_server_method
    qt.network.ssl: QSslSocket: cannot resolve TLSv1_2_server_method
    qt.network.ssl: QSslSocket: cannot resolve SSL_select_next_proto
    qt.network.ssl: QSslSocket: cannot resolve SSL_CTX_set_next_proto_select_cb
    qt.network.ssl: QSslSocket: cannot resolve SSL_get0_next_proto_negotiated
    qt.network.ssl: QSslSocket: cannot call unresolved function SSL_get0_next_proto_negotiated
    log:[dServer ] 1 Connected          <- root

If you know the answer, just pipe up for the others that are tired of my riddles. =]
jan2642 Posted June 26, 2017

I'm no Android expert, so maybe there are easier ways to do this... You can run the extracted binaries with qemu-arm like this:

To avoid the AT_SECURE error, find the following bytes in /system/bin/linker:

    2e 70 20 b1 df f8 74

and replace them with:

    2e 70 00 bf df f8 74

libc will look for "/dev/__properties__". It has to be 262144 bytes large, start with the following bytes:

    2c 00 00 00 00 00 00 00 50 52 4f 50 ab d0 6e fc

and be owned by uid 0, gid 0 and chmod 600. A symlink /system to the actual system/ directory is needed to make absolute path resolving work. (I don't know if it's a factor, but I'm running in a VM as the root user.)

    root@kali:~# qemu-arm -L . system/bin/dji_vision -h
    usage:
    set global debug level if it's not set
        system/bin/dji_vision -D 2
    set module debug level
        system/bin/dji_vision -d 2
    set monitor info options
        system/bin/dji_vision -m 2

There might be more interesting executables though.
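The two preparation steps above (the linker byte patch and the /dev/__properties__ placeholder) scripted as an added example; this is not jan2642's code, and the function names, the refusal to patch a pattern that is not unique in the file, and the constructed stand-in linker are my additions:

```python
"""Prepare an extracted DJI Android rootfs for qemu-arm user-mode emulation.

Added example, not jan2642's or the project's code. It automates the two manual
steps from the post above: patching the one byte sequence in the linker, and
creating the /dev/__properties__ placeholder with the stated header, size,
owner and mode. Function names and the in-memory stand-in "linker" are mine.
"""
import os
import stat
from pathlib import Path

# Byte sequences quoted in the post. In Thumb-2, 20 b1 decodes as `cbz r0, #8`
# and 00 bf as `nop` (my reading), so the patch removes one conditional branch
# without changing the file size.
LINKER_NEEDLE = bytes.fromhex("2e 70 20 b1 df f8 74")
LINKER_PATCH = bytes.fromhex("2e 70 00 bf df f8 74")

# /dev/__properties__ as this libc expects it: fixed size plus a 16-byte header
# (bytes 8..11 spell "PROP").
PROPERTIES_SIZE = 262144
PROPERTIES_HEADER = bytes.fromhex("2c 00 00 00 00 00 00 00 50 52 4f 50 ab d0 6e fc")


def patch_linker_bytes(data: bytes) -> bytes:
    """Return a copy of `data` with the needle replaced by the patch.

    Refuses to guess: exactly one occurrence must exist. Zero hits means a
    different linker build (or an already patched one); several hits mean the
    7-byte pattern is not unique in this image and needs a longer needle.
    """
    count = data.count(LINKER_NEEDLE)
    if count == 0:
        if LINKER_PATCH in data:
            raise ValueError("linker already patched")
        raise ValueError("needle not found; different linker build?")
    if count > 1:
        raise ValueError(f"needle occurs {count} times; refusing ambiguous patch")
    off = data.index(LINKER_NEEDLE)
    return data[:off] + LINKER_PATCH + data[off + len(LINKER_NEEDLE):]


def patch_linker_file(path: Path) -> int:
    """Patch `path` in place, keeping a .orig backup; return the patch offset."""
    original = path.read_bytes()
    patched = patch_linker_bytes(original)
    path.with_suffix(path.suffix + ".orig").write_bytes(original)
    path.write_bytes(patched)
    return original.index(LINKER_NEEDLE)


def build_properties_image() -> bytes:
    """Return the full __properties__ content: header, then zero fill to size."""
    return PROPERTIES_HEADER + b"\x00" * (PROPERTIES_SIZE - len(PROPERTIES_HEADER))


def write_properties_file(dev_dir: Path, chown_root: bool = True) -> Path:
    """Create dev_dir/__properties__ with mode 0600, owned by uid 0 / gid 0.

    chown only succeeds as root; pass chown_root=False when unprivileged (the
    emulated libc then sees the caller's uid as owner, which it may reject).
    """
    dev_dir.mkdir(parents=True, exist_ok=True)
    target = dev_dir / "__properties__"
    target.write_bytes(build_properties_image())
    os.chmod(target, stat.S_IRUSR | stat.S_IWUSR)  # 0600
    if chown_root:
        os.chown(target, 0, 0)
    return target


def verify_properties_file(path: Path) -> bool:
    """Check size, header and mode of an existing __properties__ file."""
    st = path.stat()
    with path.open("rb") as fh:
        header = fh.read(len(PROPERTIES_HEADER))
    return (st.st_size == PROPERTIES_SIZE
            and header == PROPERTIES_HEADER
            and stat.S_IMODE(st.st_mode) == 0o600)


if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for system/bin/linker: padding around a single needle.
    fake_linker = b"\x00" * 32 + LINKER_NEEDLE + b"\xff" * 32
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system" / "bin").mkdir(parents=True)
        linker = root / "system" / "bin" / "linker"
        linker.write_bytes(fake_linker)
        print("patched linker at offset", patch_linker_file(linker))  # 32
        props = write_properties_file(root / "dev", chown_root=(os.geteuid() == 0))
        print("properties file ok:", verify_properties_file(props))  # True
```

Run it against a real extracted rootfs by pointing patch_linker_file at system/bin/linker and write_properties_file at the dev/ directory you pass to qemu-arm with -L.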
MavproxyUser (Author) Posted June 26, 2017

    2 minutes ago, jan2642 said:
    I'm no Android expert, so maybe there are easier ways to do this... You can run the extracted binaries with qemu-arm like this:

    To avoid the AT_SECURE error, find the following bytes in /system/bin/linker:

        2e 70 20 b1 df f8 74

    and replace them with:

        2e 70 00 bf df f8 74

    libc will look for "/dev/__properties__". It has to be 262144 bytes large, start with the following bytes:

        2c 00 00 00 00 00 00 00 50 52 4f 50 ab d0 6e fc

    and be owned by uid 0, gid 0 and chmod 600. A symlink /system to the actual system/ directory is needed to make absolute path resolving work. (I don't know if it's a factor, but I'm running in a VM as the root user.)

        root@kali:~# qemu-arm -L . system/bin/dji_vision -h
        usage:
        set global debug level if it's not set
            system/bin/dji_vision -D 2
        set module debug level
            system/bin/dji_vision -d 2
        set monitor info options
            system/bin/dji_vision -m 2

    There might be more interesting executables though.

/dev/__properties__ is where the Android system properties are stored. When you type "getprop" this is what you see. These are what the default properties on my Mavic look like.

    root@wm220_dz_ap0002_v1:/ # getprop
    [dalvik.vm.lockprof.threshold]: [500]
    [dalvik.vm.stack-trace-file]: [/data/anr/traces.txt]
    [dji.encoding_service]: [1]
    [dji.flight_service]: [1]
    [dji.hdvt_service]: [1]
    [dji.monitor_service]: [1]
    [dji.sdrs]: [1]
    [dji.sdrs_log]: [1]
    [dji.system_service]: [1]
    [dji.vision_service]: [1]
    [init.svc.adbd]: [running]
    [init.svc.console]: [running]
    [init.svc.dji_encoding]: [running]
    [init.svc.dji_flight]: [running]
    [init.svc.dji_hdvt_uav]: [running]
    [init.svc.dji_monitor]: [running]
    [init.svc.dji_sys]: [running]
    [init.svc.dji_vision]: [running]
    [init.svc.sdrs]: [running]
    [init.svc.sdrs_log]: [running]
    [init.svc.start_dji_system]: [stopped]
    [init.svc.ueventd]: [running]
    [net.bt.name]: [Android]
    [net.change]: [net.bt.name]
    [persist.sys.adb.backroot]: [0]
    [persist.sys.usb.config]: [adb]
    [persist.sys.vold.primary]: [0]
    [ro.allow.mock.location]: [0]
    [ro.baseband]: [unknown]
    [ro.board.platform]: [lc1860]
    [ro.bootloader]: [unknown]
    [ro.bootmode]: [unknown]
    [ro.build.characteristics]: [default]
    [ro.build.date.utc]: [1490926279]
    [ro.build.date]: [Fri Mar 31 10:11:19 CST 2017]
    [ro.build.description]: [full_wm220_dz_ap0002_v1-userdebug 4.4.4 KTU84Q eng.jenkins.20170331.101040 test-keys]
    [ro.build.display.id]: [leadcore1860]
    [ro.build.host]: [APServer01]
    [ro.build.id]: [KTU84Q]
    [ro.build.product]: [wm220_dz_ap0002_v1]
    [ro.build.tags]: [test-keys]
    [ro.build.type]: [userdebug]
    [ro.build.user]: [jenkins]
    [ro.build.version.codename]: [REL]
    [ro.build.version.incremental]: [eng.jenkins.20170331.101040]
    [ro.build.version.release]: [4.4.4]
    [ro.build.version.sdk]: [19]
    [ro.debuggable]: [1]
    [ro.factorytest]: [0]
    [ro.hardware]: [leadcoreinnopower]
    [ro.product.board]: [evb2]
    [ro.product.brand]: [Leadcore]
    [ro.product.cpu.abi2]: [armeabi]
    [ro.product.cpu.abi]: [armeabi-v7a]
    [ro.product.device]: [wm220_dz_ap0002_v1]
    [ro.product.hardware.version]: [Ver0606]
    [ro.product.locale.language]: [en]
    [ro.product.locale.region]: [US]
    [ro.product.manufacturer]: [LEADCORE]
    [ro.product.model]: [L1860]
    [ro.product.name]: [full_wm220_dz_ap0002_v1]
    [ro.revision]: [0]
    [ro.secure]: [1]
    [ro.serialno]: []
    [ro.wifi.channels]: []
    [service.adb.root]: [1]
    [service.adb.tcp.port]: [-1]
    [sys.usb.config]: [rndis,mass_storage,bulk,acm,adb]
    [sys.usb.state]: [rndis,mass_storage,bulk,acm,adb]
    [wl.link.prefer]: [SDR]

I've attached a copy of the resulting file, in the event it is useful for you.

Attachment: __properties__
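An added example, not from the thread: a parser for the getprop output format above, plus a check of the handful of properties that decide how debuggable the build is. The sample input is a constructed excerpt of the dump above, and the list of expected "hardened" values is my own reading of what those AOSP properties mean on a production build, not anything DJI documents.

```python
"""Parse `getprop` output and flag debug-posture properties.

Added example (not from the forum thread). SAMPLE_GETPROP is a constructed
excerpt of the Mavic dump posted above; HARDENED_EXPECTATIONS is my own
selection of the properties that matter for a locked-down build, based on the
meaning of the AOSP properties, not on DJI documentation.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the lines from the getprop output in the thread.
SAMPLE_GETPROP = """\
[init.svc.adbd]: [running]
[persist.sys.adb.backroot]: [0]
[persist.sys.usb.config]: [adb]
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.secure]: [1]
[ro.serialno]: []
[service.adb.root]: [1]
[service.adb.tcp.port]: [-1]
[sys.usb.config]: [rndis,mass_storage,bulk,acm,adb]
[wl.link.prefer]: [SDR]
"""

# getprop prints one property per line as "[name]: [value]"; the value may be empty.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> Dict[str, str]:
    """Return {name: value} for every well-formed getprop line; skip the rest."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


# (property, value on a hardened production build, why it matters).
# The expected values are my assumption from the AOSP property semantics.
HARDENED_EXPECTATIONS: List[Tuple[str, str, str]] = [
    ("ro.secure", "1", "adbd must drop root by default"),
    ("ro.debuggable", "0", "debuggable builds allow `adb root` and debugging of any process"),
    ("ro.build.type", "user", "userdebug builds ship with root-capable adbd"),
    ("ro.build.tags", "release-keys", "test-keys means the image is signed with publicly known keys"),
    ("service.adb.root", "0", "adbd is currently running as root"),
    ("init.svc.adbd", "stopped", "adbd running at boot means USB debugging is always on"),
]


def assess_debug_posture(props: Dict[str, str]) -> List[str]:
    """Return one finding per expectation the device does not meet."""
    findings = []
    for name, expected, reason in HARDENED_EXPECTATIONS:
        actual = props.get(name, "<missing>")
        if actual != expected:
            findings.append(f"{name}={actual} (expected {expected}): {reason}")
    return findings


def adb_over_tcp_enabled(props: Dict[str, str]) -> bool:
    """True when adbd listens on a TCP port; -1, empty or absent means USB only."""
    port = props.get("service.adb.tcp.port", "-1")
    try:
        return int(port) > 0
    except ValueError:
        return False


if __name__ == "__main__":
    parsed = parse_getprop(SAMPLE_GETPROP)
    for finding in assess_debug_posture(parsed):
        print("FINDING:", finding)
    print("adb over TCP:", adb_over_tcp_enabled(parsed))  # False
```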
MavproxyUser (Author) Posted June 26, 2017

    10 minutes ago, jan2642 said:
    I'm no Android expert, so maybe there are easier ways to do this... You can run the extracted binaries with qemu-arm like this:

    To avoid the AT_SECURE error, find the following bytes in /system/bin/linker:

        2e 70 20 b1 df f8 74

    and replace them with:

        2e 70 00 bf df f8 74

Thanks for that... this seems to be interesting reading on the root of the subject. I was not familiar with it.
https://segmentfault.com/a/1190000006087527
https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fsegmentfault.com%2Fa%2F1190000006087527&edit-text=&act=url

He suggests a few ways to "patch" the cause of the issue.