
Reversing Mavic Pro Firmware


Geodesix


7 hours ago, Terabyte said:

Would this work on .400 mavic firmware? Also, would this allow editing of the max height? If so how? Thank you.

Yes... the AES descramble works on *current* firmware. ALL known firmware in which the downloads are scrambled. 

I suggest you scroll to the end of the README.md perhaps? I have yet to see the directory traversal bug *exploited*... I suspect adding AES was the fix to prevent future exploits, all the while patching the alleged ../ issue?

https://github.com/MAVProxyUser/DJI_ftpd_aes_unscramble/blob/master/README.md

I'll leave the exercise of understanding the value to you (the reader)...

$ python dji_ftpd_descrambler.py /tmp/192.168.42.2_drone/upgrade/dji/log/kernel01.log | grep daak | head -n 1

<5>[    0.000000] c0 0 (swapper) Kernel command line: watchdog_thresh=3 console=ttyS1,921600 vmalloc=412M android firmware_class.path=/vendor/firmware isolcpus=2,3,4 
initrd=0x07400000,1M lcpart=mmcblk0=gpt:0:2000:200,ddr:2000:2000:200,env:4000:2000:200,panic:6000:2000:200,amt:8000:20000:200,factory:28000:4000:200,factory_out:2c000:4000:200,
recovery:30000:8000:200,normal:38000:8000:200,system:40000:40000:200,vendor:80000:20000:200,cache:a0000:80000:200,blackbox:120000:400000:200,userdata:520000:228000:200  
chip_sn=31337000 board_sn=01EAT2D111XXXX daak=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA daek=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA drak=6f707f2962351d75bc089ac34da119fa 
saak=6f402fb8625205ce9bdd580217d218d8 waek=WIFIPASS production quiet board_id=0xBBBBBBBB
 

Spend some time understanding how the system boots, and how it starts "secure debug" aka "adb" as we know it. If you figure something out, be neighborly and share! 

https://pastebin.com/WisT8b0c

  # get DAAK (Debug Application Authentication Key) from the kernel command line
  cmdline=$(cat /proc/cmdline)
  # keep everything after the last "board_sn=", then cut at the first space
  temp=${cmdline##*board_sn=}
  board=${temp%% *}
  # same trick for the "daak=" value
  temp=${cmdline##*daak=}
  daak=${temp%% *}
Link to comment
Share on other sites
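As an added example (not code from the thread or from the DJI_ftpd_aes_unscramble repo), a Python take on the pastebin snippet above: it parses the quoted kernel command line into fields, decodes the lcpart layout, labels which key fields carry blanked versus real-looking values, and redacts them before a kernel01.log is shared. The sample line is constructed; the drak/saak values in it are fake placeholders, and treating daek/drak/saak/waek as key material is an assumption based on their naming.

```python
import re

# Constructed sample modelled on the command line quoted above; drak/saak here
# are fake placeholders, not the values printed in the post.
SAMPLE_CMDLINE = (
    "watchdog_thresh=3 console=ttyS1,921600 android isolcpus=2,3,4 "
    "lcpart=mmcblk0=gpt:0:2000:200,env:4000:2000:200,userdata:520000:228000:200 "
    "chip_sn=31337000 board_sn=01EAT2D111XXXX "
    "daak=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA daek=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "
    "drak=00112233445566778899aabbccddeeff saak=ffeeddccbbaa99887766554433221100 "
    "waek=WIFIPASS production quiet board_id=0xBBBBBBBB"
)
# daak is named in the post as the Debug Application Authentication Key; the
# other four are assumed to be key material from their naming.
SECRET_FIELDS = ("daak", "daek", "drak", "saak", "waek")

def parse_cmdline(cmdline):
    """Split a kernel command line into a dict; bare flags map to None."""
    params = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params

def parse_lcpart(lcpart):
    """Parse 'mmcblk0=name:start:size:x,...' into (device, [(name, start, size, x)]).
    The numbers are hex; their unit and the fourth field's meaning are not stated."""
    device, _, table = lcpart.partition("=")
    entries = []
    for entry in table.split(","):
        name, start, size, extra = entry.split(":")
        entries.append((name, int(start, 16), int(size, 16), int(extra, 16)))
    return device, entries

def classify_secrets(cmdline):
    """Label each secret field present as 'blanked' (one repeated character,
    like the AAAA... above), 'hex128' (32 hex digits) or 'other'."""
    labels = {}
    for key, value in parse_cmdline(cmdline).items():
        if key in SECRET_FIELDS and value is not None:
            if re.fullmatch(r"(.)\1*", value):
                labels[key] = "blanked"
            elif re.fullmatch(r"[0-9a-fA-F]{32}", value):
                labels[key] = "hex128"
            else:
                labels[key] = "other"
    return labels

def redact_cmdline(cmdline):
    """Blank every secret field's value before a kernel log leaves the device."""
    pattern = r"\b(%s)=\S+" % "|".join(SECRET_FIELDS)
    return re.sub(pattern, r"\1=<redacted>", cmdline)
```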

I ran the descrambler and received this error:

Traceback (most recent call last):
  File "dji_ftpd_descrambler.py", line 67, in <module>
NameError: name 'system' is not defined
Failed to execute script dji_ftpd_descrambler

I don't see the dji_ftpd_descrambler.py file in that folder. How would I edit/add the name, if that's even required? Sorry for being so lost.

Link to comment
Share on other sites

LOL Sorry for all the replies. I finally got it decrypted and am able to read the information from the files downloaded. I'm currently on .400 FW; a little pointer on what I need to modify to get that upper limit raised... :))) thank you.

Link to comment
Share on other sites

Could someone elaborate on the command that was sent over USB to enable ADB?

Interesting things:
- The Mavic runs Android KitKat.
- A secret command can be sent over USB which would switch a debug flag, and would run ADB over USB on the next boot. This ADB server allows
Link to comment
Share on other sites

2 minutes ago, kariem112 said:

Can you try it with a symlink? 

What is a symlink? I don't know it.
I can try anything you need.

I decrypted the kernel log and got the DAAK, but I don't know how to send the command to enable ADB!!

Link to comment
Share on other sites

Just now, Mavic_1_2_9 said:

What is a symlink? I don't know it.
I can try anything you need.

I decrypted the kernel log and got the DAAK, but I don't know how to send the command to enable ADB!!

That is something we are all looking for ;) unless you are on the .200 or lower firmware, then there is an FTP traversal possibility. I have not found it yet, but according to the first post here it should exist.

An untested guess is that it has something to do with a symlink... one that you create in your /ftp folder. Once created, the FTP client is able to follow that link outside the /ftp folder... (once again, untested, so not sure)

Link to comment
Share on other sites

2 minutes ago, kariem112 said:

That is something we are all looking for ;) unless you are on the .200 or lower firmware, then there is an FTP traversal possibility. I have not found it yet, but according to the first post here it should exist.

An untested guess is that it has something to do with a symlink... one that you create in your /ftp folder. Once created, the FTP client is able to follow that link outside the /ftp folder... (once again, untested, so not sure)

As I told you, I have a Mavic still on 1.2.0810 and another one with the latest update.

I will look up symlinks online and try to do it.

My question is: why are all of us looking to root the Mavic?

If it is just to disable the NFZ and/or altitude limit, there is a Russian guy who figured out the serial commands and is selling it as a service.

Link to comment
Share on other sites

Just now, Mavic_1_2_9 said:

As I told you, I have a Mavic still on 1.2.0810 and another one with the latest update.

I will look up symlinks online and try to do it.

My question is: why are all of us looking to root the Mavic?

If it is just to disable the NFZ and/or altitude limit, there is a Russian guy who figured out the serial commands and is selling it as a service.

Well, I do not know of such a Russian guy in the first place :)  .. but more importantly, I would like to control any future updates by DJI. It is my device, and I don't want it to be crippled if DJI decides something weird… why are you looking for root?

Link to comment
Share on other sites

Just now, kariem112 said:

Well, I do not know of such a Russian guy in the first place :)  .. but more importantly, I would like to control any future updates by DJI. It is my device, and I don't want it to be crippled if DJI decides something weird… why are you looking for root?

I totally agree with you.

I want to root it to feel free and not controlled by an overseas company :)

Link to comment
Share on other sites

Today I received the SPARK.

I can confirm it is the same Mavic concept and the decryption password is the same.

I didn't activate it yet; I took a copy of its current firmware version 01.00.0006.

If anyone needs a copy of its firmware, please let me know.

Its wifi IP is 192.168.2.1 :)

Link to comment
Share on other sites

  • 2 weeks later...

Hi, question:

There is a way of interrupting the FW update process of DJI Assistant so you have the chance of accessing / modifying the "unpacked" separate FW files contained in the one big archive.

The idea is to run your Mavic below 50% battery so DJI Assistant will pause and notify you to charge your Mavic and retry.

At that time you can access & mod the files (in the firm_cache directory).

This is discussed starting here, where a guy managed to replace files with the ones from another FW, basically ending up with a mixed situation, lol:

http://mavicpilots.com/threads/i-created-a-vm-so-we-can-all-forever-downgrade-to-400.16619/page-7#post-199036

So if we reach that point, would someone be able to decrypt, modify and encrypt FW files again?

Would that be a way of modding the desired parameters or at least to change the behaviour to allow ADB root access?

Or am I completely on the wrong path here?

:-)

Ender

Link to comment
Share on other sites

3 hours ago, Freaky123 said:

You can't modify the sig files, because they are signed by an RSA key. Hence the sig extension, for signature.

On the device this signature is checked and thus makes this a useless bug except for downgrading further.

I feared so, sorry for my ignorance and thanks for your explanation!

Greetings,

Ender

Link to comment
Share on other sites
