MavproxyUser, posted May 26, 2017:

I am unsure about downgrades... I know there are some flags in the firmware to prevent them in some cases, also they are time expired. Regardless, the FTP scramble works on all current versions, not just the older firmware.
MavproxyUser, posted May 26, 2017:

This is about as *easy* as I can make the DJI Mavic FTP server file AES descrambling. There is a .zip file with a .exe for Windows users in the release. Mac users can use the source.

https://github.com/MAVProxyUser/DJI_ftpd_aes_unscramble/releases
Terabyte, posted May 26, 2017:

Would this work on .400 Mavic firmware? Also, would this allow editing of the max height? If so how? Thank you.
MavproxyUser, posted May 26, 2017:

7 hours ago, Terabyte said: "Would this work on .400 Mavic firmware? Also, would this allow editing of the max height? If so how? Thank you."

Yes... the AES descramble works on *current* firmware. ALL known firmware in which the downloads are scrambled. I suggest you scroll to the end of the README.md perhaps? I have yet to see the directory traversal bug *exploited*... I suspect adding AES was the fix to prevent future exploits, all the while patching the alleged ../ issue?

https://github.com/MAVProxyUser/DJI_ftpd_aes_unscramble/blob/master/README.md

I'll leave the exercise of understanding the value to you (the reader)...

    $ python dji_ftpd_descrambler.py /tmp/192.168.42.2_drone/upgrade/dji/log/kernel01.log | grep daak | head -n 1
    <5>[ 0.000000] c0 0 (swapper) Kernel command line: watchdog_thresh=3 console=ttyS1,921600 vmalloc=412M android firmware_class.path=/vendor/firmware isolcpus=2,3,4 initrd=0x07400000,1M lcpart=mmcblk0=gpt:0:2000:200,ddr:2000:2000:200,env:4000:2000:200,panic:6000:2000:200,amt:8000:20000:200,factory:28000:4000:200,factory_out:2c000:4000:200, recovery:30000:8000:200,normal:38000:8000:200,system:40000:40000:200,vendor:80000:20000:200,cache:a0000:80000:200,blackbox:120000:400000:200,userdata:520000:228000:200 chip_sn=31337000 board_sn=01EAT2D111XXXX daak=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA daek=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA drak=6f707f2962351d75bc089ac34da119fa saak=6f402fb8625205ce9bdd580217d218d8 waek=WIFIPASS production quiet board_id=0xBBBBBBBB

Spend some time understanding how the system boots, and how it starts "secure debug" aka "adb" as we know it. If you figure something out, be neighborly and share!

https://pastebin.com/WisT8b0c

    # get DAAK (Debug Application Authentication Key)
    cmdline=`cat /proc/cmdline`
    temp=${cmdline##*board_sn=}
    board=${temp%% *}
    temp=${cmdline##*daak=}
    daak=${temp%% *}
Terabyte, posted May 29, 2017:

I ran descrambler and received this error:

    Traceback (most recent call last):
      File "dji_ftpd_descrambler.py", line 67, in <module>
    NameError: name 'system' is not defined
    Failed to execute script dji_ftpd_descrambler

I don't see the dji_ftpd_descrambler.py file in that folder. How would I edit/add the name, if that's even required? Sorry for being so lost.
Terabyte, posted May 29, 2017:

When I ftp into the Mavic using CuteFTP the folders I see are:

    blackbox
    flyctrl
    upgrade

I don't see the "DJI_aes_ftp_dump". What am I missing?
Terabyte, posted May 29, 2017:

I downloaded the kernel01.log from the FTP and tried running dji_ftpd_descrambler on it, but it shows nothing, just goes back to the command prompt.
Terabyte, posted May 29, 2017:

LOL. Sorry for all these replies. I finally got it decrypted and am able to read the information from the files downloaded. I'm currently on .400 FW. A little pointer on what I need to modify to get that upper limit raised... :))) Thank you.
kariem112, posted May 29, 2017:

I don't think it is that easy :) You can read the contents of the firmware, but I think we need a way to write files to the Mavic... What folders do you see in your unencrypted folder?
theLORD, posted June 5, 2017:

Hi all, I still have one of my Mavic drones on 1.2.0810 and all the FTP files are scrambled. dotdotdow couldn't find any FTP traversal.
Bambino1345, posted June 5, 2017:

Any chance of a walkthrough guide to downgrade the firmware so as not to have to deal with the electronic flight muzzle in certain locations?
p4int, posted June 5, 2017:

Could someone elaborate on the command that was set over USB to enable ADB?

Interesting things:
- The Mavic runs Android KitKat.
- A secret command can be sent over USB which would switch a debug flag, and would run ADB over USB on the next boot. This ADB server allows
kariem112, posted June 6, 2017:

17 hours ago, Mavic_1_2_9 said: "Hi all, I still have one of my Mavic drones on 1.2.0810 and all the FTP files are scrambled. dotdotdow couldn't find any FTP traversal."

Can you try it with a symlink?
theLORD, posted June 6, 2017:

2 minutes ago, kariem112 said: "Can you try it with a symlink?"

What is symlink? I don't know it. I can try anything you need. I decrypted the kernel log and got the DAAK, but I don't know how to send the command to enable the ADB!!
kariem112, posted June 6, 2017:

Just now, Mavic_1_2_9 said: "What is symlink? I don't know it. I can try anything you need. I decrypted the kernel log and got the DAAK, but I don't know how to send the command to enable the ADB!!"

That is something we are all looking for ;) unless you are on the .200 or lower firmware, then there is an FTP traversal possibility. I have not found it yet, but according to the first post here it should exist. A guess that is untested is that it has something to do with a symlink.... one that you create in your /ftp folder. Once created, the FTP client is able to follow that link outside the /ftp folder... (once again, untested, so not sure)
theLORD, posted June 6, 2017:

2 minutes ago, kariem112 said: "That is something we are all looking for ;) unless you are on the .200 or lower firmware, then there is an FTP traversal possibility. I have not found it yet, but according to the first post here it should exist. A guess that is untested is that it has something to do with a symlink.... one that you create in your /ftp folder. Once created, the FTP client is able to follow that link outside the /ftp folder... (once again, untested, so not sure)"

As I told you, I have a Mavic still on 1.2.0810 and another one with the latest update. I will look for symlink online and try to do it. My question is why all of us are looking for rooting the Mavic? If just to disable the NFZ and/or altitude limit, there is a Russian guy who figured out the serial commands and is selling it as a service.
kariem112, posted June 6, 2017:

Just now, Mavic_1_2_9 said: "As I told you, I have a Mavic still on 1.2.0810 and another one with the latest update. I will look for symlink online and try to do it. My question is why all of us are looking for rooting the Mavic? If just to disable the NFZ and/or altitude limit, there is a Russian guy who figured out the serial commands and is selling it as a service."

Well, I do not know of such a Russian guy in the first place :) .. but more importantly, I would like to control any future updates by DJI. It is my device, and I don't want it to be crippled if DJI decides something weird… Why are you looking for root?
theLORD, posted June 6, 2017:

Just now, kariem112 said: "Well, I do not know of such a Russian guy in the first place :) .. but more importantly, I would like to control any future updates by DJI. It is my device, and I don't want it to be crippled if DJI decides something weird… Why are you looking for root?"

I totally agree with you. I want to root it to feel free and not controlled by an overseas company :)
theLORD, posted June 6, 2017:

Today I received the SPARK. I can confirm it is the same Mavic concept and the decryption password is the same. I didn't activate it yet; I took a copy of its current firmware version 01.00.0006. If anyone needs a copy of its firmware please let me know. Its wifi IP is 192.168.2.1 :)
enderffx, posted June 15, 2017:

Oh Lordy, mine will arrive in a week. Ender <---- needs root. (In case of the Mavic to allow FCC instead of CE WiFi power)

Greetings
cornholio, posted June 20, 2017:

Is there a way you guys can up the video bitrate? Would be nice to take it a little higher. Thanks.
enderffx, posted June 21, 2017:

Hi,

Question: There is a way of interrupting the FW update process of DJI Assistant so you have the chance of accessing / modifying the "unpacked" separate FW files contained in the one big archive. The idea is to run your Mavic below 50% battery so DJI Assistant will pause and notify you to charge your Mavic and retry. At that time you can access & mod the files (in firm_cache directory).

This is discussed starting here, with a guy who managed to replace files with the ones from another FW, basically ending up with a mixed situation, lol:

http://mavicpilots.com/threads/i-created-a-vm-so-we-can-all-forever-downgrade-to-400.16619/page-7#post-199036

So if we reach that point, would someone be able to decrypt, modify and encrypt FW files again? Would that be a way of modding the desired parameters or at least to change the behaviour to allow ADB root access? Or am I completely on the wrong path here? :-)

Ender
enderffx, posted June 21, 2017:

Oops, forgot: The example of the guy mixing FW files shows that at least on that version of DJI Assistant there seems not to be an additional md5 check before starting to upload...

Ender
Freaky123, posted June 21, 2017:

You can't modify the sig files, because they are signed by an RSA key. Hence the sig extension, for signature. On the device this signature is checked and thus makes this a useless bug except for downgrading further.
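What the post above describes, shown as an added example (not DJI's file format or code, and not written by anyone in this thread): a device-side signature check rejects a modified module but still accepts an older, genuinely signed one unless a version floor is enforced as well. The toy unpadded RSA key, the version numbers, the image contents and the `min_version` floor are assumptions constructed for illustration.

```python
import hashlib

# Toy RSA key built from two Mersenne primes (constructed for this example;
# far too small, and unpadded, so unsuitable for any real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the vendor only

def _digest(version, payload):
    # The version is hashed together with the payload, so relabelling an
    # image with a different version number invalidates its signature.
    h = hashlib.sha256(version.to_bytes(4, "big") + payload).digest()
    return int.from_bytes(h, "big") % N

def vendor_sign(version, payload):
    return pow(_digest(version, payload), D, N)

def device_accepts(version, payload, sig, min_version=0):
    """Device-side check: signature must verify, version must not be below
    the (hypothetical) anti-rollback floor stored on the device."""
    if pow(sig, E, N) != _digest(version, payload):
        return False, "bad signature"
    if version < min_version:
        return False, "rollback blocked"
    return True, "ok"

# Constructed module images: an older and a current release, both signed.
old = (400, b"module code v400")
new = (700, b"module code v700")
old_sig, new_sig = vendor_sign(*old), vendor_sign(*new)

def demo():
    return {
        "modified": device_accepts(700, b"module code v700 patched", new_sig),
        "relabelled": device_accepts(700, old[1], old_sig),
        "swapped_old": device_accepts(*old, old_sig),
        "swapped_old_with_floor": device_accepts(*old, old_sig, min_version=700),
        "genuine": device_accepts(*new, new_sig),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} {result}")
```

The signature alone proves only that the vendor once released the image, which is why the older file passes until a version floor is checked too.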
enderffx, posted June 21, 2017:

3 hours ago, Freaky123 said: "You can't modify the sig files, because they are signed by an RSA key. Hence the sig extension, for signature. On the device this signature is checked and thus makes this a useless bug except for downgrading further."

I feared so, sorry for my ignorance and thanks for your explanation!

Greetings, Ender