jan2642
Posts posted by jan2642
11 hours ago, jan2642 said:
Thanks for the spoon-fed clue, I've found the factory window. Unfortunately it's in Chinese (and I forgot to take a screenshot).
Anyone here who can translate these? Many thanks!
Also promising for the path I'm on: the available commands on /controller/board_test:
{ "EXIST_COMMANDS": [ "get_status_info", "set_status_info", "start_process", "start_test" ], "SEQ": "12345" }
Now trying to figure out how to pass on arguments to start_test & start_process...
-
10 hours ago, MavproxyUser said:
Certainly an interesting rabbit hole to head down... I am off on the opposite end of the spectrum worried about the NFZ references in dji_flight ("nfz gps not reliable", "INIT DB", "LOAD DB"), and dji_vision ("nfz monitor", and "query_nfz") and such. See the notes above about how to coax that window into opening. Patching these may be a quick path to enlightenment.
Thanks for the spoon-fed clue, I've found the factory window. Unfortunately it's in Chinese (and I forgot to take a screenshot).
-
2 hours ago, MavproxyUser said:
Thanks for that... this seems to be interesting reading on the root of the subject. I was not familiar with it.
https://segmentfault.com/a/1190000006087527
He suggests a few ways to "patch" the cause of the issue.
I skipped attempting to cross-compile an alternative linker and went for the binary patch, basically changing a branch instruction into a nop.
I focused more on dji_sys since it has a reference to secure_debug.sh.
It contains a list of test scripts with an index number, here are a few:
1 test_cpld.sh
2 test_mem.sh
3 test_flash.sh
...
19 test_enck.sh
20 secure_debug.sh
...
23 echo sucess (with typo)
...
They are referenced by functions called sys_mp_test_xxx but I haven't figured out yet how to trigger those. I was thinking the --factory option to Assistant might help but in my version (1.1.0) it doesn't seem to do anything.
-
I'm no android expert so maybe there are easier ways to do this...
You can run the extracted binaries with qemu-arm like this:
To avoid the AT_SECURE error, find the following bytes in /system/bin/linker: 2e 70 20 b1 df f8 74 and replace them with: 2e 70 00 bf df f8 74
Libc will look for "/dev/__properties__". It has to be 262144 bytes large, start with the following bytes: '2c 00 00 00 00 00 00 00 50 52 4f 50 ab d0 6e fc', owned by uid 0, gid 0 and chmod 600.
A symlink /system to the actual system/ directory is needed to make absolute path resolving work.
(I don't know if it's a factor but I'm running in a VM as the root user)
root@kali:~# qemu-arm -L . system/bin/dji_vision -h
usage:
set global debug level if it's not set
system/bin/dji_vision -D 2
set module debug level
system/bin/dji_vision -d 2
set monitor info options
system/bin/dji_vision -m 2
There might be more interesting executables though
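The emulation setup described in the post above, collected into one script. This is an added example, not code from the original post: the function names are hypothetical, the zero-filled remainder of the property file is an assumption (the post only gives its size and first 16 bytes), and it expects to be run as root from the directory holding the extracted system/ tree.

```python
import os
import sys
from pathlib import Path

# Byte sequences quoted in the post (Thumb: "20 b1" is cbz r0, "00 bf" is nop).
LINKER_OLD = bytes.fromhex("2e7020b1dff874")
LINKER_NEW = bytes.fromhex("2e7000bfdff874")
PROP_SIZE = 262144
PROP_HEADER = bytes.fromhex("2c00000000000000" "50524f50" "abd06efc")

def patch_linker(image: bytes) -> bytes:
    """Return the linker image with the single AT_SECURE branch replaced by a nop."""
    hits = image.count(LINKER_OLD)
    if hits == 0 and image.count(LINKER_NEW) == 1:
        return image                      # already patched, nothing to do
    if hits != 1:                         # refuse to guess on an unexpected build
        raise ValueError(f"expected exactly 1 match, found {hits}")
    return image.replace(LINKER_OLD, LINKER_NEW)

def build_property_area() -> bytes:
    """Header from the post; zero-filling the remainder is an assumption."""
    return PROP_HEADER + bytes(PROP_SIZE - len(PROP_HEADER))

def prepare(root, prop_path="/dev/__properties__", system_link="/system"):
    root, prop_path, system_link = Path(root), Path(prop_path), Path(system_link)
    linker = root / "system/bin/linker"
    original = linker.read_bytes()
    patched = patch_linker(original)
    if patched != original:
        backup = linker.with_name("linker.orig")
        if not backup.exists():
            backup.write_bytes(original)  # keep the untouched binary for diffing
        linker.write_bytes(patched)
    prop_path.write_bytes(build_property_area())
    os.chmod(prop_path, 0o600)
    if os.geteuid() == 0:
        os.chown(prop_path, 0, 0)         # uid 0 / gid 0, as the post requires
    if not system_link.is_symlink() and not system_link.exists():
        system_link.symlink_to((root / "system").resolve())

if __name__ == "__main__":
    prepare(sys.argv[1] if len(sys.argv) > 1 else ".")
```

The patch is refused unless the pattern occurs exactly once, so a linker from a different firmware build is left untouched rather than modified at the wrong offset.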
MavicPilots.com Alternative CopterSafe Hack & Mod Discussion
Pasting the image failed, here's a link to the screenshot: https://pasteboard.co/2iGUb4qna.png