
Posted

Hi again,

I guess you are aware of the Firmware mods & firmware mods that are available from "coptersafe.com", right?

It seems they were able to do just that: decrypt, mod and encrypt the sig FW files?!

Or how do you think they'd done it?

 

Greetings,

 

Ender


Posted

I don't think he changes the firmware update files, since, as explained earlier, that requires the private RSA key. Since coptersafe most likely doesn't have that key, I think he either circumvents that by rooting the device or doesn't need it, since only parameters need to be changed in order to achieve what he wants.

Besides that, you mixed up encrypting and signing, which are not the same. The firmware files are signed (and only a tiny part is encrypted) and don't need any encryption. Most parts of the firmware don't even require encryption, and it is optionally described in the header.
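The signing-versus-encryption distinction in the post above, as an added example that is not part of the thread and does not reproduce DJI's file format: a signed but unencrypted image can be read by anyone, yet any change to it fails verification unless the private key is available. The container layout, the `FWPK` magic, the toy key and the function names are all assumptions made for illustration.

```python
import hashlib
import struct

# Toy RSA key built from two Mersenne primes: demonstration only, NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public half: all the device needs
D = pow(E, -1, (P - 1) * (Q - 1))      # private half: held by the vendor only
SIG_LEN = (N.bit_length() + 7) // 8
HDR = 8 + SIG_LEN                      # magic(4) + length(4) + signature
MAGIC = b"FWPK"                        # hypothetical container magic


def _digest_int(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def sign_image(payload: bytes) -> bytes:
    """Vendor side, needs D. Textbook RSA without padding (real systems use PSS)."""
    sig = pow(_digest_int(payload), D, N).to_bytes(SIG_LEN, "big")
    return MAGIC + struct.pack(">I", len(payload)) + sig + payload


def read_payload(image: bytes) -> bytes:
    """No key needed: a signature gives integrity, not confidentiality."""
    return image[HDR:]


def verify_image(image: bytes) -> bool:
    """Device side, needs only the public values N and E."""
    if len(image) < HDR or image[:4] != MAGIC:
        return False
    (length,) = struct.unpack(">I", image[4:8])
    payload = read_payload(image)
    if len(payload) != length:
        return False
    sig = int.from_bytes(image[8:HDR], "big")
    return sig < N and pow(sig, E, N) == _digest_int(payload)


def patch_parameter(image: bytes, old: bytes, new: bytes) -> bytes:
    """Edit the readable payload but keep the old signature (no private key)."""
    body = read_payload(image).replace(old, new, 1)
    return image[:HDR] + body
```

With a constructed payload such as `b"param_a=120;param_b=0"`, the signed image verifies, while the same image after `patch_parameter` is rejected because the stored signature still covers the original digest.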

Posted

Hello Freaky,

You are of course right about the encryption and signing mixup. That's more due to the state of mind I wrote in than to misconception, but I take the point :-)

They install an exe installer that takes care of uploading the patched FW files to the Mavic.

Hmm, that Installer could of course root the Mavic beforehand...

 

If it's the case that they "just" modify the parameters, are those in question unsigned and unencrypted in the decomposed FW file?! That would be strange, right?

 

Greetings,

 

Ender

Posted (edited)

Those parameters can also be adjusted by commands through USB or wifi. In the firmware they are unencrypted and signed.

Edited by Freaky123
Posted (edited)

Yes, so you are saying: as they are signed, it's unlikely that coptersafe can modify them beforehand, so they may root the Mavic and switch off the signing check, then upload FW with modified parameters and/or binaries and they'll be done with it, right?

Is that what you feel they do most likely ?

 

If so, maybe they leave the Mavic rooted, that could be checked by one of their customers...

(ADB Shell ?!)

 

Greetings,

 

Ender

Edited by enderffx
more typos than usual
Posted

They don't even need to modify the firmware anymore when rooted, since then they can adjust the parameters. But most likely they don't even root the device, but just send the parameters and the mavic just accepts them since it is only limited by the GUI.

Posted

Hi yet again,

hmm, they Do patch the FW files, that much is known. And they really go through a flashing process.

(Right now they offer patched .400 & .700 versions, so if you apply their mod you end up with the selected FW version whatever your version was before).

Stranger things have happened, but I wish I knew what's going on :-)

 

Ender

Posted

Then most likely they have requested firmware from DJI where NFZ etc. are removed because they have a license or something like that.. Since I don't see any realistic option in signing firmware.

Posted

IMO DJI would never do that, and they also offer a 500+ m altitude hack and Sports+ mode.

DJI would NEVER allow that, so they clearly somehow broke into the system...

 

Hmmm,

 

Ender

Posted

If someone has access to his installer I would be happy to take a look. But I still think it is almost impossible to get these upgrade files signed, unless you have inside information and can get access to the RSA key. I reverse engineered like 99% of their upgrade process and can parse the files etc. so I'm pretty sure this isn't the easiest way in, there are other easier ways.

Posted

If you have any idea on making that work let us know :-)

I'll ask if someone shares the installer, but those guys want to protect their $400 investment. Silly amount of money, they must be mad...

Ender

Posted

 

@Freaky123

I managed to root my Phantom 4, using an older firmware.   I think what coptersafe are doing, is first rooting, then _disabling_ code signing and then uploading modified firmware.  Unfortunately, I have not been able to replicate rooting on the current firmware, and my exploit no longer works.   

I also think they may have modified ADB and either added a different authentication scheme, or added AES to ADB as well.  I can't get an ADB shell to work even with a rooted filesystem.

Posted

 

@enderfix, @freaky123

Correct, once I upgraded, and then downgraded, I could no longer use my FTP root exploit.   I am fuzzing a Mavic and a Phantom 4 ( not plus or pro ) now to try to find other rootable exploit entry points.  


 

Posted

Ahh was that the famous path traversal exploit ?

POV mentioned that and i tried all i could to later learn that it was fixed in the FW version i used...

 

Ender

Posted

What exactly are the goals each of you wants to achieve by rooting the device? I'm not really interested in the fly limits etc., but just wanna look at how the device works and maybe run some custom stuff on it.

Posted

Actually I have 2 goals:

As a quadcopter pilot I'd love to have FCC transmit power instead of CE, but that's not too important as the Mavic has fantastic penetration and range even in a CE country.

Much more, I'd love to cross-compile for the Mavic to use USB hardware.

Either via interfacing and processing the data directly OR by using an Android USB via WiFi client to do the processing in the ground station.

I am doing that on the Bebop 1 & 2 by Bebop with success.

 

And of course it bugs me to have bought a device i do not have 100% access to.

 

I'd also like to increase the bitrate of 2.7k h.264 (it was higher in the first FWs afaik, and 4k makes no sense with the tiny optics; I measured that in a MavicPilots thread).

I'd also like to do multiple exposure and averaging & denoising stuff, as I am originally programming for image processing.

 

All kinds of stuff but #1 would be the USB Server stuff...

 

 

Ender

Posted

 

@freaky123

For my part... I'm a software engineer, and I have a lot of experience with UAV software ( I worked on the code circa 1990's MIT Media Lab, and then again for ArduPilot and such. )

I want to continue extending the capabilities of the platform, by adding new and different features to DJI drones, eventually replacing the firmware entirely with an open-source one that everyone can extend and enjoy.  For my part, I have experience with things like motor-out recovery and flight, image-recognition flight and terrain guidance, acrobatic flight.. etc.

 

 

Posted

Has anyone looked what's on the SD card inside?  Is this where all the firmware and files etc actually live?

It's irritatingly hard to open, but, it still might be quicker to mod by popping the card and writing on it? (easy to backup that way too...)

Posted (edited)
46 minutes ago, fossil said:

Has anyone looked what's on the SD card inside?  Is this where all the firmware and files etc actually live?

It's irritatingly hard to open, but, it still might be quicker to mod by popping the card and writing on it? (easy to backup that way too...)

It is said to contain the flight logs.

Makes a lot of sense in any case, easy data retrieval even if the mainboard is zapped or was submerged in water...

(POV stated that afair)

 

Ender

Edited by enderffx
Posted

So as I can see... no way to root Mavic or Ph4??

As I understand it, for rooting we need a board serial number from the whitelist... and when the drone starts, if board_SN is in the whitelist, it can enable the debug UART... am I right?

Posted
1 minute ago, MingTao said:

So as I can see... no way to root Mavic or Ph4??

As I understand it, for rooting we need a board serial number from the whitelist... and when the drone starts, if board_SN is in the whitelist, it can enable the debug UART... am I right?

Sounds good, but as you state "no root" it's probably not easy :-)

So I obviously have to ask: where to get the board SN?

Where is the debug UART, via USB2Serial on the regular port? Or the hidden one? Or testpoints on the PCB?

 

Ender
