Everything posted by Freaky123

  1. The new slack invite url: https://join.slack.com/dji-rev/shared_invite/MjA4MjQ2NjI4OTEzLTE0OTkzNTIyMjEtZjg5NWY1ZjlhZA
  2. I will release more info and tools later on: https://github.com/fvantienen/dji_rev There is already a Python script that can extract the image file format as well. Would be nice if it can be cleaned up a bit, but at least it works.
  3. Ok I will try to share some more information in the hope people will help get more and more information. I will first give the image format (which is also the sig format):
     Header:
       4B Magic ("IM*H")
       4B Version (Currently only 1 is seen)
       8B ??
       4B Header size
       4B RSA signature size
       4B Payload size
       12B Unknown
       4B Auth key identifier
       4B Encryption key identifier
       16B Scramble key
       32B Image name
       60B ??
       4B Block count
       32B SHA256 payload
     Per block info:
       4B Name
       4B Start offset
       4B Output size
       4B Attributes (last bit 0 means encrypted)
       16B ??
     RSA signature of the header (size and auth key described in header)
     Actual block data (start offset 0)
  4. I think too many people already supplied the needed information, thus my guess is most people don't need it anymore. I've already extracted exactly how it works, and it does no special magic but only setting some parameters in the FC to certain values.
  5. Is there already someone who has tried to JTAG the FC arm chip? Or at least figured out the pinout? Or did someone already figure out if there is terminal over uart for the LC chip?
  6. That is indeed possible and can be easily done. If you send me recordings I can analyze them, since I can decode the protocol. Then you even know what it does exactly.
  7. I can almost certainly confirm that coptersafe is only adjusting fc parameters and not rooting the device. It also doesn't update the device as mentioned before.
  8. Yes but the problem is that when the exploit leaks out it will be only days before it is patched. Finding a generic way of rooting the device which can't be patched is more difficult.
  9. Ok that is not that much, but I think for example that the FC has a separate JTAG bus, since it is on another PCB. So hope to find that pinout somehow, maybe by desoldering the chip and then following the traces etc.
  10. @martinbogo On the LC I know from the bootloader that they indeed disabled JTAG. But I think that for the FC chip I know a way of enabling it, thus wanted to know if someone knows the pinout. Which devices did respond?
  11. Has someone already figured out the JTAG of the FC chip (which is next to the SD card)? Because I'm really interested in that one, since I have encrypted firmware of both the loader and the FC, but wanna see if it is possible to decrypt them through JTAG.
  12. What are exactly all your goals what each of you wanna achieve by rooting the device? Since I'm not really interested about the fly limits etc, but just wanna look how the device works and maybe run some custom stuff on it.
  13. Some parts (partitions) aren't updated during the firmware upgrade/downgrade, so it depends.
  14. If someone has access to his installer I would be happy to take a look. But I still think it is almost impossible to get these upgrade files signed, unless you have inside information and can get access to the RSA key. I reverse engineered like 99% of their upgrade process and can parse the files etc. so I'm pretty sure this isn't the easiest way in, there are other easier ways.
  15. Then most likely they have requested firmware from DJI where NFZ etc. are removed because they have a license or something like that. Since I don't see any realistic option in signing firmware.
  16. They don't even need to modify the firmware anymore when rooted, since then they can adjust the parameters. But most likely they don't even root the device, but just send the parameters and the mavic just accepts them since it is only limited by the GUI.
  17. Those parameters can also be adjusted by commands through USB or wifi. In the firmware they are unencrypted and signed.
  18. I don't think he changes the firmware update files, since, as explained earlier, that requires the private RSA key. Since most likely coptersafe doesn't have that key, I think he can circumvent that by either rooting the device or doesn't need it since only parameters need to be changed in order to achieve what he wants. Next to that you made a misconception between encrypting and signing, which is not the same. The firmware files are signed (and only a tiny part is encrypted) and don't need any encryption. Most parts of the firmware don't even require encryption, and this is optionally described in the header.
  19. You can't modify the sig files, because they are signed by an RSA key. Hence the sig extension, for signature. On the device this signature is checked and thus makes this a useless bug except for downgrading further.
  20. You could try but I know they disable the JTAG at all production models by writing that to the efuses.
  21. Does any of this work and show anything else when opening the app?
  22. Nice :) I would love to help to get more stuff done, but still have to wait on my Mavic or firmware files.
  23. Could someone share the latest Mavic Pro firmware and/or maybe the old one from this topic? I currently don't have a Mavic yet, but am in the process of getting one.
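As an added example (not code from the posts above or from the dji_rev repository), this parser walks the IM*H header layout given in post 3, reads the block table, flags encrypted blocks via the attributes bit, and checks the payload SHA256. Little-endian integers, a header size equal to the fixed header plus the block table, and the hash covering the block data after the signature are assumptions; the sample image is constructed, not a real DJI file.

```python
import hashlib
import struct

# Layout from post 3. Little-endian integers and "header size = fixed header
# plus block table" are assumptions made here, not stated in the post.
MAGIC = b"IM*H"
FIXED_HDR = struct.Struct("<4sI8sIII12sII16s32s60sI32s")  # 192 bytes
BLOCK = struct.Struct("<4sIII16s")                         # 32 bytes per block entry


def parse_image(data: bytes) -> dict:
    """Parse an IM*H header and block table, then check the payload SHA256."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    (_, version, _, hdr_size, sig_size, payload_size, _, auth_key, enc_key,
     scramble_key, name, _, block_count, payload_sha) = FIXED_HDR.unpack_from(data)
    if hdr_size != FIXED_HDR.size + block_count * BLOCK.size:
        raise ValueError("header size does not match block count")
    blocks = []
    for i in range(block_count):
        bname, start, size, attrs, _ = BLOCK.unpack_from(data, FIXED_HDR.size + i * BLOCK.size)
        blocks.append({"name": bname.rstrip(b"\0").decode("ascii", "replace"),
                       "start": start, "size": size,
                       "encrypted": (attrs & 1) == 0})   # last attribute bit 0 => encrypted
    sig_end = hdr_size + sig_size
    payload = data[sig_end:sig_end + payload_size]      # block data, start offset 0 here
    if len(payload) != payload_size:
        raise ValueError("truncated payload")
    return {"version": version, "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "auth_key": auth_key, "enc_key": enc_key, "scramble_key": scramble_key,
            "signature": data[hdr_size:sig_end],        # RSA over the header; needs DJI's key
            "blocks": blocks, "payload": payload,
            "sha256_ok": hashlib.sha256(payload).digest() == payload_sha}


def build_sample_image() -> bytes:
    """Constructed test vector (not a real DJI image) with two blocks."""
    payload = b"A" * 16 + b"B" * 32
    table = (BLOCK.pack(b"LDR\0", 0, 16, 0x1, b"\0" * 16) +     # attrs bit0=1: plain
             BLOCK.pack(b"FC\0\0", 16, 32, 0x0, b"\0" * 16))    # attrs bit0=0: encrypted
    hdr_size = FIXED_HDR.size + len(table)
    sig = b"\xee" * 256   # placeholder bytes where the RSA-2048 signature would sit
    hdr = FIXED_HDR.pack(MAGIC, 1, b"\0" * 8, hdr_size, len(sig), len(payload), b"\0" * 12,
                         4, 7, b"\x11" * 16, b"test_image".ljust(32, b"\0"), b"\0" * 60,
                         2, hashlib.sha256(payload).digest())
    return hdr + table + sig + payload
```

A mismatching `sha256_ok` on a real file means the payload was altered or truncated after the header was produced; the signature field is only carved out, since checking it requires the auth key named in the header.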