enderffx Posted June 23, 2017
Hi again, I guess you are aware of the Firmware mods & firmware mods that are available from "coptersafe.com", right? It seems they were able to do just that: decrypt, mod and encrypt the sig FW files?! Or how do you think they'd done it? Greetings, Ender

Freaky123 Posted June 23, 2017
I don't think he changes the firmware update files, since, as explained earlier, that requires the private RSA key. Since it is most likely that coptersafe doesn't have that key, I think he can circumvent that by either rooting the device, or he doesn't need it since only parameters need to be changed in order to achieve what he wants. Next to that, you made a misconception between encrypting and signing, which are not the same. The firmware files are signed (and only a tiny part is encrypted) and don't need any encryption. Most parts of the firmware don't even require encryption, and it is optionally described in the header.

enderffx Posted June 23, 2017
Hello Freaky, you are of course right about the encryption and signing mixup. That's more due to the state of mind I wrote in than to misconception, but I take the point :-) They install an exe installer that takes care of uploading the patched FW files to the Mavic. Hmm, that installer could of course root the Mavic beforehand... IF it's the case that they "just" modify the parameters, are those in question unsigned and unencrypted in the decomposed FW file?! That would be strange, right? Greetings, Ender

Freaky123 Posted June 23, 2017
Those parameters can also be adjusted by commands through USB or wifi. In the firmware they are unencrypted and signed.
(Edited June 23, 2017 by Freaky123)

enderffx Posted June 23, 2017
Yes, so you are saying: as they are signed, it's unlikely that coptersafe can modify them beforehand, so they may root the Mavic and switch off the signing check, then upload FW with modified parameters and/or binaries and they'll be done with it, right? Is that what you feel they most likely do? If so, maybe they leave the Mavic rooted; that could be checked by one of their customers... (ADB shell?!) Greetings, Ender
(Edited June 23, 2017 by enderffx: more typos than usual)

Freaky123 Posted June 23, 2017
They don't even need to modify the firmware anymore when rooted, since then they can adjust the parameters. But most likely they don't even root the device, but just send the parameters, and the Mavic just accepts them since it is only limited by the GUI.

enderffx Posted June 23, 2017
Hi yet again, hmm, they do patch the FW files, that much is known. And they really go through a flashing process. (Right now they offer patched .400 & .700 versions, so if you apply their mod you end up with the selected FW version, whatever your version was before.) Stranger things have happened, but I wish I knew what's going on :-) Ender

Freaky123 Posted June 23, 2017
Then most likely they have requested firmware from DJI where NFZ etc. are removed because they have a license or something like that, since I don't see any realistic option in signing firmware.

enderffx Posted June 23, 2017
IMO DJI would never do that, and they also offer a 500+ m altitude hack and Sports+ mode. DJI would NEVER allow that, so they clearly somehow broke into the system... Hmmm, Ender

Freaky123 Posted June 23, 2017
If someone has access to his installer I would be happy to take a look. But I still think it is almost impossible to get these upgrade files signed, unless you have inside information and can get access to the RSA key. I reverse engineered like 99% of their upgrade process and can parse the files etc., so I'm pretty sure this isn't the easiest way in; there are other easier ways.

enderffx Posted June 23, 2017
If you have any idea on making that work, let us know :-) I'll ask if someone shares the installer, but those guys want to protect their $400 investment. Silly amount of money, they must be mad... Ender

martinbogo Posted June 23, 2017
@Freaky123 I managed to root my Phantom 4, using an older firmware. I think what coptersafe are doing is first rooting, then _disabling_ code signing and then uploading modified firmware. Unfortunately, I have not been able to replicate rooting on the current firmware, and my exploit no longer works. I also think they may have modified ADB and either added a different authentication scheme, or added AES to ADB as well. I can't get an ADB shell to work even with a rooted filesystem.

enderffx Posted June 23, 2017
Interesting... So if you downgrade the FW and root, could you not insert stuff to stay rooted after the update, or at least to ease the process? Ender

Freaky123 Posted June 23, 2017
Some parts (partitions) aren't updated during the firmware upgrade/downgrade, so it depends.

martinbogo Posted June 23, 2017
@enderffx, @freaky123 Correct, once I upgraded, and then downgraded, I could no longer use my FTP root exploit. I am fuzzing a Mavic and a Phantom 4 (not Plus or Pro) now to try to find other rootable exploit entry points.

enderffx Posted June 23, 2017
Ahh, was that the famous path traversal exploit? POV mentioned that and I tried all I could, to later learn that it was fixed in the FW version I used... Ender

Freaky123 Posted June 23, 2017
What exactly are all your goals, what does each of you wanna achieve by rooting the device? Since I'm not really interested in the fly limits etc., but just wanna look at how the device works and maybe run some custom stuff on it.

enderffx Posted June 23, 2017
Actually I have 2 goals: As a quadcopter pilot I'd love to have FCC transmit power instead of CE, but that's not too important as the Mavic has fantastic penetration and range even in a CE country. Much more, I'd love to cross compile for the Mavic to use USB hardware. Either via interfacing and processing the data directly OR by using an Android USB via WiFi client to do the processing in the ground station. I am doing that on the Bebop 1 & 2 by Bebop with success. And of course it bugs me to have bought a device I do not have 100% access to. I'd also like to increase the bitrate of 2.7k h.264 (it was higher in the first FW's afaik, and 4k makes no sense with the tiny optics; I measured that in a MavicPilots thread). I'd also like to do multiple exposure and averaging & denoising stuff, as I am originally programming for image processing. All kinds of stuff, but #1 would be the USB server stuff... Ender

martinbogo Posted June 23, 2017
@freaky123 For my part... I'm a software engineer, and I have a lot of experience with UAV software (I worked on the code circa 1990's MIT Media Lab, and then again for ArduPilot and such). I want to continue extending the capabilities of the platform, by adding new and different features to DJI drones, eventually replacing the firmware entirely with an open-source one that everyone can extend and enjoy. For my part, I have experience with things like motor-out recovery and flight, image-recognition flight and terrain guidance, acrobatic flight, etc.

fossil Posted June 24, 2017
Has anyone looked what's on the SD card inside? Is this where all the firmware and files etc actually live? It's irritatingly hard to open, but, it still might be quicker to mod by popping the card and writing on it? (easy to backup that way too...)

enderffx Posted June 24, 2017
46 minutes ago, fossil said:
> Has anyone looked what's on the SD card inside? Is this where all the firmware and files etc actually live? It's irritatingly hard to open, but, it still might be quicker to mod by popping the card and writing on it? (easy to backup that way too...)

It is said to contain the flight logs. Makes a lot of sense in any case, easy data retrieval even if the mainboard is zapped or was submerged in water... (POV stated that afair) Ender
(Edited June 24, 2017 by enderffx)

MingTao Posted June 24, 2017
So as far as I can see .. no way to root the Mavic or Ph4?? As I understand it, for rooting we need a board serial number from the whitelist... and when the drone starts, if board_SN is in the whitelist, it can enable the debug UART .. am I right?

enderffx Posted June 24, 2017
1 minute ago, MingTao said:
> so i can see .. no way to root mavic or Ph4 ?? as i can understand for rooting we need board serial number from whitelist... and when drone start , if board_SN in whitelist, he can enable debug uart .. i`m right?

Sounds good, but as you state "no root" it's probably not easy :-) So I obviously have to ask: Where to get the board SN? Where is the debug UART, via USB2Serial on the regular port? Or the hidden one? Or testpoints on the PCB? Ender