[Reversing Mavic Pro Firmware]

The new slack invite url: https://join.slack.com/dji-rev/shared_invite/MjA4MjQ2NjI4OTEzLTE0OTkzNTIyMjEtZjg5NWY1ZjlhZA

[MavicPilots.com Alternative CopterSafe Hack & Mod Discussion]

I will release more info and tools later on: https://github.com/fvantienen/dji_rev
There is already a python script that can extract the image file format as well. Would be nice if it can be cleaned up a bit, but at least it works.

[MavicPilots.com Alternative CopterSafe Hack & Mod Discussion]

Ok I will try to share some more information in the hope people will help get more and more information. I will first give the image format (which is also the sig format):

• Header
  • 4B Magic ("IM*H")
  • 4B Version (Currenly only 1 is seen)
  • 8B ??
  • 4B Header size
  • 4B RSA signature size
  • 4B Payload size
  • 12B Unknown
  • 4B Auth key identifier
  • 4B Encryption key identifier
  • 16B Scramble key
  • 32B Image name
  • 60B ??
  • 4B Block count
  • 32B SHA256 payload
• Per Block info
  • 4B Name
  • 4B Start offset
  • 4B Output size
  • 4B Attributes (Last bit 0 means ecrypted)
  • 16B ??
• RSA Signature of the Header (Size and Auth key described in header)
• Actual block data (Start offset 0)

[Reversing Mavic Pro Firmware]

I think too many people already supplied the needed information, thus my guess is most people don't need it anymore. I've already extracted exactly how it works, and it does no special magic but only setting some parameters in the FC to certain values.

[MavicPilots.com Alternative CopterSafe Hack & Mod Discussion]

Is there already someone who has tried to JTAG the FC arm chip? Or at least figured out the pinout?

Or did someone already figure out if there is terminal over uart for the LC chip?

[MavicPilots.com Alternative CopterSafe Hack & Mod Discussion]

That is indeed possible and can be easily done. If you send me recordings I can analyze them, since I can decode the protocol. Then you even know what it does exactly.

[MavicPilots.com Alternative CopterSafe Hack & Mod Discussion]

I can almost certainly confirm that coptersafe is only adjusting fc parameters and not rooting the device. It also doesn't update the device as mentioned before.

[MavicPilots.com Alternative CopterSafe Hack & Mod Discussion]

Yes but the problem is that when the exploit leaks out it will be only days before it is patched. Finding a generic way of rooting the device which can't be patched is more difficult.

[Reversing Mavic Pro Firmware]

Ok that is not that much, but I think for example that the FC has a separate jtag bus, since it is on another pcb. So hope to find that pinout somehow, maybe be desoldering the chip and then following the traces etc.

[Reversing Mavic Pro Firmware]

@martinbogo

On the LC I know from the bootloader that they indeed disabled JTAG. But I think that for the FC chip I know a way of enabling it, thus wanted to know if someone knows the pinout. Which devices did respond?

[Reversing Mavic Pro Firmware]

Has someone already figured out the JTAG of the FC chip(which is next to the sd-card)? Because I'm really interested in that one, since I have encrypted firmware of both the loader and the fc, but wanna see if it is possible to decrypt them through JTAG.

[Reversing Mavic Pro Firmware]

What are exactly all your goals what each of you wanna achieve by rooting the device? Since I'm not really interested about the fly limits etc, but just wanna look how the device works and maybe run some custom stuff on it.

[Reversing Mavic Pro Firmware]

Some parts (partitions) aren't updated during the firmware upgrade/downgrade, so it depends.

[Reversing Mavic Pro Firmware]

If someone has access to his installer I would be happy to take a look. But I still think it is almost impossible to get these upgrade files signed, unless you have inside information and can get access to the RSA key. I reverse engineered like 99% of their upgrade process and can parse the files etc. so I'm pretty sure this isn't the easiest way in, there are other easier ways.

[Reversing Mavic Pro Firmware]

Then most likely they have requested firmware from DJI where NFZ etc. are removed because they have a license or something like that.. Since I don't see any realistic option in signing firmware.

[Reversing Mavic Pro Firmware]

They don't even need to modify the firmware anymore when rooted, since then they can adjust the parameters. But most likely they don't even root the device, but just send the parameters and the mavic just accepts them since it is only limited by the GUI.

[Reversing Mavic Pro Firmware]

Those parameters can also be adjusted by commands through USB or wifi. In the firmware they are unencrypted and signed.

[Reversing Mavic Pro Firmware]

I don't think he changes the firmware update files, since as explained earlier requires the private RSA key. Since it is most likely coptersafe doesn't have that key, I think he can circumvent that by either rooting the device or doesn't need it since only parameters are needed to be changed in order to achieve what he wants.

Next to that you made a misconception between encrypting and signing, which is not the same. The firmware files are signed (and only a tiny part is encrypted) and doesn't need any encryption. Most parts of the firmware don't even require encryption and is optionally described in the header.

[Reversing Mavic Pro Firmware]

You can't modify the sig files, because they are signed by an RSA key. Hence the sig extension, for signature.

On the device this signature is checked and thus makes this a useless bug except for downgrading further.

[Reversing Mavic Pro Firmware]

You could try but I know they disable the JTAG at all production models by writing that to the efuses.

[Reversing Mavic Pro Firmware]

2 hours ago, MavproxyUser said:

The command line options on Assistant seem interesting... (this works on Windows too)

 

$ /Applications/Assistant_1_1_0.app/Contents/MacOS/Assistant --help

Usage: /Applications/Assistant_1_1_0.app/Contents/MacOS/Assistant [options]

Options:

  -h, --help            Displays this help.

  -v, --version         Displays version information.

  --debugger            Run with a debugger window

  --minimum             Show controller log minimum

  --console             Run assistant as a console service, No browser Window!

  --template            Load controller config from template!

  --force_upgrade       Ignore the version when upgrade ENC firmware!

  --bypass <DEVICE>     force all device as param [Receiver]|[DEVICE]|[Version]

                        eg Controller|ai900v2|3.1.0.2

  --noskip              As default, upgrade pack file will skip those device

                        that is not connected, if define no skip, will try to

                        upgrade all pack file

  --factory             Open Factory page

  --baud_rate <DEVICE>  set com device baud rate

  --auto_upgrade        enable auto upgrade

  --cache_wget_file     debug only, used to cache wget files

  --inrup               internal upgrade tool

  --adb_logcat          Start ADB logcat function

  --auto_test           Set to auto test mode

  --test_server         Set to test server

  --1706                Set DJI Vision to 1706

  --sws                 Set Env to SWS

 

Does any of this work and show anything else when opening the app?

[Reversing Mavic Pro Firmware]

Nice :) I would love to help to get more stuff done, but stil halve to wait on my Mavic or firmware files.

[Reversing Mavic Pro Firmware]

Could someone share the latest Mavic Pro firmware and/or maybe the old one from this topic? I currently don't have a Mavic yet, but am in the process of getting one.