Posts posted by jan2642

  1. 11 hours ago, jan2642 said:

    Thanks for the spoon-fed clue, I've found the factory window. Unfortunately it's in Chinese :dry: (and I forgot to take a screenshot).

    Anyone here who can translate these? Many thanks!

    Also promising for the path I'm on: the available commands on /controller/board_test:

    {
        "EXIST_COMMANDS": [
            "get_status_info",
            "set_status_info",
            "start_process",
            "start_test"
        ],
        "SEQ": "12345"
    }

    Now trying to figure out how to pass on arguments to start_test & start_process...

    • Upvote 1
  2. 10 hours ago, MavproxyUser said:

    Certainly an interesting rabbit hole to head down... I am off on the opposite end of the spectrum worried about the NFZ references in dji_flight ("nfz gps not reliable", "INIT DB", "LOAD DB"), and dji_vision ("nfz monitor", and "query_nfz") and such. See the notes above about how to coax that window into opening. Patching these may be a quick path to enlightenment. 

    Thanks for the spoon-fed clue, I've found the factory window. Unfortunately it's in Chinese :dry: (and I forgot to take a screenshot).

    • Upvote 1
  3. 2 hours ago, MavproxyUser said:

    Thanks for that... this seems to be interesting reading on the root of the subject. I was not familiar with it. 

    https://segmentfault.com/a/1190000006087527

    https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fsegmentfault.com%2Fa%2F1190000006087527&edit-text=&act=url

    He suggests a few ways to "patch" the cause of the issue. 

    I skipped attempting to cross-compile an alternative linker and went for the binary patch, basically changing a branch instruction into a nop.

    I focused more on dji_sys since it has a reference to secure_debug.sh.

    It contains a list of test scripts with an index number, here are a few:

    1 test_cpld.sh
    2 test_mem.sh
    3 test_flash.sh
    ...
    19 test_enck.sh
    20 secure_debug.sh
    ...
    23 echo sucess (with typo)
    ...

    They are referenced by functions called sys_mp_test_xxx but I haven't figured out yet how to trigger those. I was thinking the --factory option to Assistant might help but in my version (1.1.0) it doesn't seem to do anything.

  4. I'm no android expert so maybe there are easier ways to do this...

    You can run the extracted binaries with qemu-arm like this:

    To avoid the AT_SECURE error, find the following bytes in /system/bin/linker: 2e 70 20 b1 df f8 74 and replace them with: 2e 70 00 bf df f8 74

    Libc will look for "/dev/__properties__".  It has to be 262144 bytes large, start with the following bytes: '2c 00 00 00 00 00 00 00 50 52 4f 50 ab d0 6e fc', owned by uid 0, gid 0 and chmod 600.

    A symlink /system to the actual system/ directory is needed to make absolute path resolving work.

    (I don't know if it's a factor but I'm running in a VM as the root user)

    root@kali:~# qemu-arm -L . system/bin/dji_vision -h
    usage:
    set global debug level if it's not set
           system/bin/dji_vision -D 2
    set module debug level
           system/bin/dji_vision -d 2
    set monitor info options
           system/bin/dji_vision -m 2

    There might be more interesting executables though :wink:

    • Upvote 1
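As an added example (not code from the thread), this builds and checks the /dev/__properties__ image the post above says libc looks for when the extracted binaries run under qemu-arm: 262144 bytes, starting with the quoted 16 header bytes (bytes_used, serial, the "PROP" magic and bionic's property-area version), mode 600 and, when running as root, owned by uid 0/gid 0. The output path dev/__properties__ is an assumption matching the `-L .` chroot layout in the post.

```python
import os
import struct

PA_SIZE = 262144                # size libc expects (from the post)
PROP_AREA_MAGIC = 0x504F5250    # "PROP" as a little-endian uint32
PROP_AREA_VERSION = 0xFC6ED0AB  # bionic's PROP_AREA_VERSION
HEADER_FMT = "<IIII"            # bytes_used, serial, magic, version
HEADER_LEN = struct.calcsize(HEADER_FMT)


def build_prop_area(bytes_used: int = 0x2C) -> bytes:
    """Return a PA_SIZE-byte prop_area image with a valid header and no properties."""
    header = struct.pack(HEADER_FMT, bytes_used, 0, PROP_AREA_MAGIC, PROP_AREA_VERSION)
    return header.ljust(PA_SIZE, b"\x00")


def validate_prop_area(data: bytes) -> list:
    """Return a list of problems; an empty list means the header looks acceptable."""
    problems = []
    if len(data) != PA_SIZE:
        problems.append(f"size {len(data)} != {PA_SIZE}")
    if len(data) < HEADER_LEN:
        return problems + ["too short for a header"]
    bytes_used, _serial, magic, version = struct.unpack_from(HEADER_FMT, data)
    if magic != PROP_AREA_MAGIC:
        problems.append(f"bad magic 0x{magic:08x}")
    if version != PROP_AREA_VERSION:
        problems.append(f"bad version 0x{version:08x}")
    if bytes_used > len(data):
        problems.append(f"bytes_used {bytes_used} exceeds image size")
    return problems


def write_prop_area(path: str) -> None:
    """Write the image with the mode and ownership the post says libc requires."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(build_prop_area())
    os.chmod(path, 0o600)
    if os.geteuid() == 0:       # chown to uid 0 / gid 0 only succeeds as root
        os.chown(path, 0, 0)


if __name__ == "__main__":
    # Assumed layout: run from the extracted firmware root used with "qemu-arm -L ."
    os.makedirs("dev", exist_ok=True)
    write_prop_area("dev/__properties__")
    with open("dev/__properties__", "rb") as f:
        print(validate_prop_area(f.read()) or "header ok")
```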