
MavproxyUser


Everything posted by MavproxyUser

  1. At this point, I am also wondering what the steps are to duplicate Aaron Luo's work on a newer SDK version. https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Aaron-Luo-Drones-Hijacking-Multi-Dimensional-Attack-Vectors-And-Countermeasures-UPDATED.pdf At the very least the Java class has changed a little bit since the talk. Has anyone taken JEB to it yet? https://www.pnfsoftware.com (JEB is well worth the $$$ btw)
  2. So for those of you that missed the information I shared with this gentleman... here is some sample code to communicate with the DJI Assistant Web Socket. There are some things left for you as an exercise, but this will give you a solid start.

     #!/usr/bin/python
     import binascii
     # websocket-client library: https://pypi.org/project/websocket-client/
     from websocket import create_connection, WebSocketTimeoutException

     # Connect to the "general" service exposed by DJI Assistant on the local machine
     ws = create_connection("ws://localhost:19870/general")
     ws.settimeout(1)

     # Read frames until the socket goes quiet (timeout) or the peer closes it
     while 1:
         try:
             result = ws.recv()
         except WebSocketTimeoutException:
             break
         if result == "":
             break
         print(result)

     # {"SEQ":"12345","CMD":""} - Get command list on any service.
     # ws://localhost:19870/controller/p4_ext/787d599803c40b695ac8b44d276cd7e48b5d5e69
     # {"SEQ":"12345","CMD":"get_info"} - Serial Number & User Token
     # ws://localhost:19870/controller/config/user/787d599803c40b695ac8b44d276cd7e48b5d5e69
     # {"SEQ":"12345","CMD":"EnterFcSdCard"}
     #
     # {"SEQ":"12345","CMD":"read","INDEX":"fly_limit_height"}

     ws.close()
  3. I am one of the few folks that does have root access. A mate of mine has done the work, so unfortunately I can not share his private work. A few folks here have been rooted by me to help us gather information about the internals of the Mavic however. You may catch a few random folks discussing things that can not be done without root; there is a good chance they have no clue about how root access is obtained. A few folks have nice friends with private tools. P0V's work is something we have all been chasing. I initially dug in as I suspected the mythical "whitelist" files never existed outside of the factory. I believe at this point someone (P0V?) has manually generated one, as opposed to the claims of having extracted one from a firmware dump, or to have *found* one on an early firmware version. I do not believe the wives' tale about being able to "spoof hosts" on the whitelist as a means to use the Secure Debug (adb) on Mavic, or P4, i2 or Spark. I have not seen anyone beyond a small handful figure out the easter egg to unlock the Assistant in full. I gave a very big hint a month or so back however. Simply run the assistant with the "-h" flag. I have noticed that having root, or Admin privs (on your own machine) *may* have some impact on being able to open up the extra options.

     Usage: /Applications/Assistant.app/Contents/MacOS/Assistant [options]

     Options:
       -h, --help            Displays this help.
       -v, --version         Displays version information.
       --debugger            Run with a debugger window
       --minimum             Show controller log minimum
       --console             Run assistant as a console service, No browser Window!
       --template            Load controller config from template!
       --force_upgrade       Ignore the version when upgrade ENC firmware!
       --bypass <DEVICE>     force all device as param [Receiver]|[DEVICE]|[Version] eg Controller|ai900v2|3.1.0.2
       --noskip              As default, upgrade pack file will skip those device that is not connected, if define no skip, will try to upgrade all pack file
       --factory             Open Factory page
       --baud_rate <DEVICE>  set com device baud rate
       --auto_upgrade        enable auto upgrade
       --cache_wget_file     debug only, used to cache wget files
       --inrup               internal upgrade tool
       --adb_logcat          Start ADB logcat function
       --auto_test           Set to auto test mode
       --test_server         Set to test server
       --1706                Set DJI Vision to 1706
       --sws                 Set Env to SWS

     These are some photos from someone else that caught the hint. https://github.com/droner69/MavicPro/tree/master/DJI_Assistant_2_Dev_Pictures I can tell you that at times this trick is VERY version specific. So if you are having issues... try a different version. You can find an archive of the binaries in my git repo. https://github.com/MAVProxyUser/DJIAssistant2Binaries There *MAY* be something special to the DebuggerOptions.txt file... I have extracted all the unique options from all the versions and placed them here if anyone wants to help figure it out: https://raw.githubusercontent.com/MAVProxyUser/DJIAssistant2Binaries/master/DebuggerOptionsUnique.txt
  4. Well, it seems the conversation over at MavicPilots.com on discussing Jailbreaking, Height Restriction Bypass, and g_config changes, or anything related to "modding" DJI firmware settings for NFZ, etc. is just out of pocket per the admins. They've been deleting threads left and right.

     Update: For those of you that are more active... stop by and see us in slack. Don't come ask dumb questions! Stop by with the mindset of participation. Updated slack invite link: https://join.slack.com/t/dji-rev/shared_invite/enQtMjk5OTEyMzcyMjI3LTdlZjY4NzQ5M2M2NmE5ZWM4OTgyNThmZDVmZjdjODE4ODYyNmYwZjYxMDcyYzcxNmZlYzI5ZjI2ZGQ2NGY1ZTc

     MavicPilots History on the Drama Llama: "So this has turned into a communist forum!!" "Mods continuing to delete posts will be a quick downward spiral for this forum and become a wasteland in no time" https://archive.fo/tfZEg#selection-957.1-957.44

     I wanna talk about patching the dji_flight binary, anyone game? How about the best way to edit parameters, set better min and max values, etc.? Who's got root? Let's talk about what you do *after* you Jailbreak your DJI Spark, or Jailbreak your DJI Mavic, or Jailbreak your DJI Phantom4 (P4), what is next?

     $ adb shell
     root@wm100_dz_ap0001_v5:/ #
     root@wm220_dz_ap0002_v1:/ #
     root@wm220_dz_rp0010_v1:/ #
     root@wm220_dz_ah0001_v5:/ #

     How about you guys getting down and funky inside the DJI Assistant application? I see you! Come holla! I see you out there playing with web sockets... no lie, come talk with us! Let's all make a better place to discuss getting root and having fun with our DJI products. That *other* place is a bit stuffy. ;)
  5. Yes... the AES descramble works on *current* firmware. ALL known firmware in which the downloads are scrambled. I suggest you scroll to the end of the README.md perhaps? I have yet to see the directory traversal bug *exploited*... I suspect adding AES was the fix to prevent future exploits, all the while patching the alleged ../ issue? https://github.com/MAVProxyUser/DJI_ftpd_aes_unscramble/blob/master/README.md I'll leave the exercise of understanding the value to you (the reader)...

     $ python dji_ftpd_descrambler.py /tmp/192.168.42.2_drone/upgrade/dji/log/kernel01.log | grep daak | head -n 1
     <5>[ 0.000000] c0 0 (swapper) Kernel command line: watchdog_thresh=3 console=ttyS1,921600 vmalloc=412M android firmware_class.path=/vendor/firmware isolcpus=2,3,4 initrd=0x07400000,1M lcpart=mmcblk0=gpt:0:2000:200,ddr:2000:2000:200,env:4000:2000:200,panic:6000:2000:200,amt:8000:20000:200,factory:28000:4000:200,factory_out:2c000:4000:200, recovery:30000:8000:200,normal:38000:8000:200,system:40000:40000:200,vendor:80000:20000:200,cache:a0000:80000:200,blackbox:120000:400000:200,userdata:520000:228000:200 chip_sn=31337000 board_sn=01EAT2D111XXXX daak=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA daek=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA drak=6f707f2962351d75bc089ac34da119fa saak=6f402fb8625205ce9bdd580217d218d8 waek=WIFIPASS production quiet board_id=0xBBBBBBBB

     Spend some time understanding how the system boots, and how it starts "secure debug" aka "adb" as we know it. If you figure something out, be neighborly and share! https://pastebin.com/WisT8b0c

     # get DAAK (Debug Application Authentication Key)
     cmdline=$(cat /proc/cmdline)
     # strip everything up to and including "board_sn=", then keep the first word
     temp=${cmdline##*board_sn=}
     board=${temp%% *}
     # same for "daak="
     temp=${cmdline##*daak=}
     daak=${temp%% *}
  6. This is about as *easy* as I can make the DJI Mavic FTP server file AES descrambling. There is a .Zip file with a .exe for windows users in the release. Mac users can use the source. https://github.com/MAVProxyUser/DJI_ftpd_aes_unscramble/releases
  7. I am unsure about downgrades... I know there are some flags in the firmware to prevent them in some cases, also they are time expired. Regardless, the FTP scramble works on all current versions, not just the older firmware.
  8. I am in the process of making this user friendly... here is the script to help you decrypt files off the ftp server. https://github.com/MAVProxyUser/DJI_ftpd_aes_unscramble.git
  9. Yes... some of the functions do change the app behavior. Does anyone have wm220_debug_whitelist.xml.sig (mavic) or wm330_debug_whitelist.xml.sig (p4)? The encrypted form is fine... if someone can get me that file I can share a bit more about the file scrambling of the files pulled from the magic ftpd.
  10. The command line options on Assistant seem interesting... (this works on Windows too)

     $ /Applications/Assistant_1_1_0.app/Contents/MacOS/Assistant --help
     Usage: /Applications/Assistant_1_1_0.app/Contents/MacOS/Assistant [options]

     Options:
       -h, --help            Displays this help.
       -v, --version         Displays version information.
       --debugger            Run with a debugger window
       --minimum             Show controller log minimum
       --console             Run assistant as a console service, No browser Window!
       --template            Load controller config from template!
       --force_upgrade       Ignore the version when upgrade ENC firmware!
       --bypass <DEVICE>     force all device as param [Receiver]|[DEVICE]|[Version] eg Controller|ai900v2|3.1.0.2
       --noskip              As default, upgrade pack file will skip those device that is not connected, if define no skip, will try to upgrade all pack file
       --factory             Open Factory page
       --baud_rate <DEVICE>  set com device baud rate
       --auto_upgrade        enable auto upgrade
       --cache_wget_file     debug only, used to cache wget files
       --inrup               internal upgrade tool
       --adb_logcat          Start ADB logcat function
       --auto_test           Set to auto test mode
       --test_server         Set to test server
       --1706                Set DJI Vision to 1706
       --sws                 Set Env to SWS
  11. Let me know if you guys have any specific questions... that is my work.
  12. Thanks for that Martin... that was quite generous of you to share. Does anyone still have the original MAVIC firmware images? I didn't have the pleasure of my ftpd having dir traversal issues, so I am late to the party.