Jump to content

jan2642

Members
 View Profile  See their activity

  • Posts

    5

  • Joined

  • Last visited

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

jan2642's Achievements

Newbie

Newbie (1/14)

  1. jan2642
    Pasting the image failed, here's a link to the screenshot: https://pasteboard.co/2iGUb4qna.png
  2. jan2642
    Anyone here who can translate these ? Many thanks! Also promising for the path I'm on: the available commands on /controller/board_test: { "EXIST_COMMANDS": [ "get_status_info", "set_status_info", "start_process", "start_test" ], "SEQ": "12345" } Now trying to figure out how to pass on arguments to start_test & start_process...
  3. jan2642
    Thanks for the spoon-fed clue, I've found the factory window. Unfortunately it's in Chinese (and I forgot to take a screenshot).
  4. jan2642
    I skipped attempting to cross-compile an alternative linker and went for the binary patch, basically changing a branch instruction into a nop. I focused more on dji_sys since it has a reference to secure_debug.sh. It contains a list of test scripts with an index number, here are a few: 1 test_cpld.sh 2 test_mem.sh 3 test_flash.sh ... 19 test_enck.sh 20 secure_debug.sh ... 23 echo sucess (with typo) ... They are referenced by functions called sys_mp_test_xxx but I haven't figured out yet how to trigger those. I was thinking the --factory option to Assistant might help but in my version (1.1.0) it doesn't seem to do anything.
  5. jan2642
    I'm no android expert so maybe there are easier ways to do this... You can run the extracted binaries with qemu-arm like this: To avoid the AT_SECURE error, find the following bytes in /system/bin/linker: 2e 70 20 b1 df f8 74 and replace them with: 2e 70 00 bf df f8 74 Libc will look for "/dev/__properties__". It has to be 262144 bytes large, start with the following bytes: '2c 00 00 00 00 00 00 00 50 52 4f 50 ab d0 6e fc', owned by uid 0, gid 0 and chmod 600. A symlink /system to the actual system/ directory is needed to make absolute path resolving work. (I don't know if it's a factor but I'm running in a VM as the root user) root@kali:~# qemu-arm -L . system/bin/dji_vision -h usage: set global debug level if it's not set system/bin/dji_vision -D 2 set module debug level system/bin/dji_vision -d 2 set monitor info options system/bin/dji_vision -m 2 There might be more interesting executables though
×
×
  • Create New...