HDnes Posted June 27, 2017
@droner69, Not seeing how your pcap was generated? Where did you get the dissector for the Mavic protocol? Looking under the hood a little, the USB protocol looks very similar to the P3 dissector on the P4 and the Mavic, if not identical? The P3 one previously mentioned doesn't include lots of the things referenced in your capture. I'm looking to deep dive on this over the next few days and likely can offer some support if you guys can catch me up.
fredz Posted June 27, 2017
Works with DJI Assistant2 Beta112.zip on Windows @HDnes. Quite amazing to see all this in a graphical way. Values are read-only though, how can this be changed? Any idea?
MavproxyUser Posted June 27, 2017 (edited)
4 hours ago, HDnes said:
Ok, I got into Assistant Factory mode with a way easier method (at least on Mac). Just open up developer settings and change factory_mode = true. Might have to enable debugging also. But that's the ticket. Should work on every version I'd think. That being said, I answered my own question. I now see why the webproxy method doesn't work in its entirety. You have to have write access to the min/maxes in order for those commands to take anything higher than the max etc. So rooting is the next step I suppose? Haven't seen nearly as much clear-cut information on how to do this on the patched FTP. Is this where @MavproxyUser's decryptor comes into play? Does that Python allow writing as well? Or does it simply read to produce the files similar to what's on @droner69?

I'm loving that people are following the trail of bread crumbs... *hat tip*. At this point in the game I suspect quite a bit of the "dir traversal" on the FTPD was a red herring. In reality I think the "traversal" is the mere fact that the ftpd root is "/data" on the drone. There are a number of scripts that call things from "/data". It is *possible* that early versions of the ftpd allowed the placing of a symlink, OR that somehow you could trigger a .zip or .tar file to be unpacked with a symlink contained within. Think of the NFZ db as it gets pushed, I forget the filename but it is like data_transfer.tar or something. I've only seen ONE instance of a symlink depicted on the ftpd server... but I can't for the life of me figure how it got there. Note the "~" in the picture... http://kvadrik.blogspot.com/2017/03/dji-mavic-pro-500.html Really, the ONLY way this is possible is if DJI was stupid when they modified the Busybox source code and somehow introduced it.
It is also possible that the original factory firmware used a really old vulnerable version of Busybox, but that doesn't fully explain the behavior. P0V's original words were "Mavic it's restricted to '/ftp' directory. Luckily, there are underground 0day exploits for FTPD for path traversal. I can confirm that you can traverse out of the '/ftp' directory and reach the init scripts to set debug flag". I am not entirely convinced this isn't where the red herring lies, but I suspect so. https://www.rcgroups.com/forums/showthread.php?2747762-Official-DJI-Mavic-***Owner-and-Developer-sThread***/page1008#post36232471

I think the best hint here is to study the words in the old P3 paper: "Unfortunately, on the latest firmware (V01.07.0090), the root ftp access to the drone is chrooted and I wasn’t able to escape the /tmp directory" https://voidsec.com/hacking-dji-phantom-3/

I did note specifically "Port 21 is running vsFTPd 3.0.2 which as of the time of this writing, only has one minor known vulnerability" https://courses.csail.mit.edu/6.857/2016/files/9.pdf "Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing." https://bugzilla.redhat.com/show_bug.cgi?id=1187041

So in theory... it is possible at one time they used vsftpd instead of Busybox ftpd on the Mavic, P4, or i2. This really jumped out at me, and fits my suspicions above regarding "~": "In particular aware that if a filename is accessible by a variety of names (perhaps due to symbolic links or hard links), then care must be taken to deny access to all the names." https://bugzilla.redhat.com/show_bug.cgi?id=1187041#c2

It seems a good start would be to locate a P3 on pre-V01.07.0090 firmware and confirm how THAT ftpd handled. Then we need to figure if any of the REALLY early Mavics shipped with that variant.
It is possible P0V got ahold of a bird that was in engineering mode I suppose (meaning pre-release firmware version). The decryptor code was seemingly less useful at the end of the day for what folks are trying to accomplish here. I found the *most* utility to be in the fact that it could read the kernel log sans root.

$ python dji_ftpd_descrambler.py kernel00.log
oOZTPTP7] c0 1 (init) init: untracked pid 621 exited
<7>[ 52.603083] c3 0 (swapper/3) Warnning: timer5 int-excep
<7>[ 77.938720] c0 419 (dji_hdvt_gnd) bridge: start_xmit info: lmi42 xmit skb cb444000 CP busy!
<7>[ 78.001593] c0 461 (keyscan_task) bridge: start_xmit info: lmi42 xmit skb cb444000 CP ready!
<7>[ 162.814198] c3 439 (dji_hdvt_gnd) bridge: start_xmit info: lmi42 xmit skb ce24a300 CP busy!
<7>[ 162.891897] c0 273 (MB_Socket_Recei) bridge: start_xmit info: lmi42 xmit skb ce24a300 CP ready!
<7>[ 356.750230] c0 419 (dji_hdvt_gnd) bridge: start_xmit info: lmi42 xmit skb ce39fa80 CP busy!
<7>[ 356.814311] c0 461 (keyscan_task) bridge: start_xmit info: lmi42 xmit skb ce39fa80 CP ready!

Being able to pull the DAAK from the kernel command line was interesting for sure...

<5>[ 0.000000] c0 0 (swapper) Kernel command line: watchdog_thresh=3 console=ttyS1,921600 vmalloc=412M android firmware_class.path=/vendor/firmware isolcpus=2,3,4 initrd=0x07400000,1M lcpart=mmcblk0=gpt:0:2000:200,ddr:2000:2000:200,env:4000:2000:200,panic:6000:2000:200,amt:8000:20000:200,factory:28000:4000:200,factory_out:2c000:4000:200, recovery:30000:8000:200,normal:38000:8000:200,system:40000:40000:200,vendor:80000:20000:200,cache:a0000:80000:200,blackbox:120000:400000:200,userdata:520000:228000:200 chip_sn=31337000 board_sn=01EAT2D111XXXX daak=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA daek=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA drak=6f707f2962351d75bc089ac34da119fa saak=6f402fb8625205ce9bdd580217d218d8 waek=WIFIPASS production quiet board_id=0xe2200026

@hdnes "Or does it simply read to produce the files", yes... THAT.
It is simply a tool to manually decrypt ONE file that you have already pulled, OR to attempt to pull the entire ftpd for you.
Edited June 27, 2017 by MavproxyUser
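A defender-side check for the kind of exposure the kernel log above shows, added here as an example (it is not MavproxyUser's descrambler, nor any DJI or dji_rev tool): it parses a "Kernel command line:" record into parameters, flags the ones that carry key material, triages each value as a burned-in placeholder, a 32-hex-digit key, or something else, and redacts them so a log can be shared. The five parameter names are taken from the excerpt above; treating exactly those as secrets, and the sample record with its dummy values, are assumptions constructed for this example.

```python
import re

# Parameter names that carried key material in the boot log excerpt above.
# Treating exactly these five as secrets is an assumption for this example.
SECRET_PARAMS = ("daak", "daek", "drak", "saak", "waek")
MARKER = "Kernel command line:"
HEX_KEY = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def parse_cmdline(line: str) -> dict:
    """Split a 'Kernel command line:' record into {param: value}; bare flags map to None."""
    idx = line.find(MARKER)
    if idx < 0:
        raise ValueError("not a kernel command line record")
    params = {}
    for tok in line[idx + len(MARKER):].split():
        key, sep, val = tok.partition("=")
        params[key] = val if sep else None
    return params


def classify_value(val) -> str:
    """Rough triage of a secret-looking value."""
    if not val:
        return "empty"
    if len(set(val)) == 1:
        return "placeholder"   # e.g. AAAA..., a burned-in dummy rather than a real key
    if HEX_KEY.match(val):
        return "hex-key"       # 128-bit value printed as hex
    return "other"


def audit_cmdline(line: str) -> dict:
    """Return {param: classification} for every secret parameter present on the line."""
    params = parse_cmdline(line)
    return {p: classify_value(params[p]) for p in SECRET_PARAMS if p in params}


def redact_cmdline(line: str) -> str:
    """Replace the value of every secret parameter so the line can be shared."""
    pattern = re.compile(r"\b(%s)=\S*" % "|".join(SECRET_PARAMS))
    return pattern.sub(lambda m: m.group(1) + "=[REDACTED]", line)


# Constructed sample record in the shape of the excerpt above; every value is a dummy.
SAMPLE = ("<5>[    0.000000] c0 0 (swapper) Kernel command line: console=ttyS1,921600 "
          "android isolcpus=2,3,4 chip_sn=00000000 board_sn=SAMPLE0000 "
          "daak=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "
          "drak=0123456789abcdef0123456789abcdef waek=dummy-wifi-pass quiet")

if __name__ == "__main__":
    for param, kind in audit_cmdline(SAMPLE).items():
        print("%-5s %s" % (param, kind))
    print(redact_cmdline(SAMPLE))
```

The placeholder/hex-key distinction matters when triaging a fleet of logs: an all-`A` value is a dummy, while a mixed 32-hex-digit value is worth treating as a real per-device secret and rotating the log out of any shared location.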
MavproxyUser Posted June 27, 2017
3 hours ago, HDnes said:
On Mac the shortcut is: option + command + i, or ⌥⌘i; ⌥⌘r to reload after changing the settings. Factory mode and debug is under Resources > Local Storage.

Clever trick! That may be useful for the "Preserve log" functionality alone.
MavproxyUser Posted June 27, 2017
27 minutes ago, fredz said:
Works with DJI Assistant2 Beta112.zip on Windows @HDnes. Quite amazing to see all this in a graphical way. Values are read-only though, how can this be changed? Any idea?

That could be version specific... they should NOT be read-only, you should have the ability to readily change them. There is however a specific subset that are marked read-only.
MavproxyUser Posted June 27, 2017
3 hours ago, fredz said:
You mean while the graphical version of DJI Assistant is open? As simple as that? Got a screenshot?

Yes... see my recent post above.
MavproxyUser Posted June 27, 2017
BTW... I assume you all saw the Ground Control Station?
MavproxyUser Posted June 27, 2017 (edited)
16 hours ago, nickmv said:
Just joining this thread/forum after being a CopterSafe customer. My Mavic is experiencing the forced autolanding due to critical battery issue, like mentioned on a previous thread for I believe the P3P. Is this still a known issue? I was 3600ft up when it engaged --- almost shat my pants, but luckily got it down after 7-8 mins.

I don't think many folks have quite gotten there yet Nick. Can you tell us more about this? Is there a fix on P3? We can likely find an analog in the config options. Did you by chance get video, or have the logs from the flight of it occurring? That would be interesting. You of course saw this already via GitHub comments.
Edited June 27, 2017 by MavproxyUser
Opcode Posted June 27, 2017
Got factory/debug working on OSX Assistant 1.1.2. But developer is still missing, as seen on Droner69's screenshots (Groundstation etc.). Wireshark doesn't tell me anything new, so I'm a bit stuck now. Did someone on Mavic/P4/P4P etc. try this all with the newest FW? I'm sure that all got patched out; DJI even changed the whole login process to preserve changes of the NFZ.
jan2642 Posted June 27, 2017
11 hours ago, jan2642 said:
Thanks for the spoon-fed clue, I've found the factory window. Unfortunately it's in Chinese (and I forgot to take a screenshot).

Anyone here who can translate these? Many thanks!

Also promising for the path I'm on: the available commands on /controller/board_test:

{
  "EXIST_COMMANDS": [
    "get_status_info",
    "set_status_info",
    "start_process",
    "start_test"
  ],
  "SEQ": "12345"
}

Now trying to figure out how to pass on arguments to start_test & start_process...
jan2642 Posted June 27, 2017
1 minute ago, jan2642 said:
Anyone here who can translate these? Many thanks!

Pasting the image failed, here's a link to the screenshot: https://pasteboard.co/2iGUb4qna.png
ryan19 Posted June 27, 2017
5 minutes ago, jan2642 said:
Pasting the image failed, here's a link to the screenshot: https://pasteboard.co/2iGUb4qna.png

ProductID: ____
[ ] Auto
Step ID / Step Name
[One-Click Check]
Model: [Check]
Product ID: [Check]
Product SN: [Check]
Firmware Version: [Check]

Cheers
Freaky123 Posted June 27, 2017
Ok, I will try to share some more information in the hope people will help get more and more information. I will first give the image format (which is also the .sig format):

Header
4B Magic ("IM*H")
4B Version (currently only 1 is seen)
8B ??
4B Header size
4B RSA signature size
4B Payload size
12B Unknown
4B Auth key identifier
4B Encryption key identifier
16B Scramble key
32B Image name
60B ??
4B Block count
32B SHA256 of payload

Per block info
4B Name
4B Start offset
4B Output size
4B Attributes (last bit 0 means encrypted)
16B ??

RSA signature of the header (size and auth key described in header)

Actual block data (start offset 0)
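A parser for the layout just listed, added here as an example; it is not Freaky123's script from dji_rev and not DJI's code. It reads the fixed header and the block table, carves out the RSA signature, checks the payload against the SHA256 stored in the header, and decodes the per-block encrypted flag. The post does not state byte order or exactly what "header size" spans, so this assumes little-endian fields, that header size covers the fixed header plus the block table, and that the signature and then the block data follow it directly. The sample file is constructed inside the block; its signature is a placeholder, since verifying a real one needs the auth key that the identifier names.

```python
import hashlib
import struct

# Fixed header fields in the order listed in the post. Little-endian is an assumption.
HEADER_FMT = "<4sI8sIII12sII16s32s60sI32s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 192 bytes
BLOCK_FMT = "<4sIII16s"                     # name, start offset, output size, attributes, unknown
BLOCK_SIZE = struct.calcsize(BLOCK_FMT)     # 32 bytes
MAGIC = b"IM*H"


def parse_image(data: bytes) -> dict:
    """Parse header and block table; verify the payload hash; carve (not verify) the signature.

    Assumptions (not in the post): "header size" = fixed header + block table,
    the RSA signature follows the header, and block data follows the signature.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated: shorter than fixed header")
    (magic, version, _unk0, header_size, sig_size, payload_size, _unk1,
     auth_key_id, enc_key_id, scramble_key, name, _unk2,
     block_count, payload_sha256) = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MAGIC:
        raise ValueError("bad magic %r" % magic)
    if header_size < HEADER_SIZE + block_count * BLOCK_SIZE:
        raise ValueError("header size too small for %d blocks" % block_count)

    blocks, off = [], HEADER_SIZE
    for _ in range(block_count):
        bname, start, size, attrs, _unk = struct.unpack_from(BLOCK_FMT, data, off)
        blocks.append({
            "name": bname.rstrip(b"\0").decode("ascii", "replace"),
            "start": start, "size": size, "attrs": attrs,
            "encrypted": (attrs & 1) == 0,   # post: "last bit 0 means encrypted"
        })
        off += BLOCK_SIZE

    sig_off = header_size
    payload_off = sig_off + sig_size
    if len(data) < payload_off + payload_size:
        raise ValueError("truncated: payload extends past end of file")
    payload = data[payload_off:payload_off + payload_size]
    for b in blocks:
        if b["start"] + b["size"] > payload_size:
            raise ValueError("block %s lies outside the payload" % b["name"])

    return {
        "version": version,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "auth_key_id": auth_key_id,
        "enc_key_id": enc_key_id,
        "scramble_key": scramble_key.hex(),
        "signature": data[sig_off:payload_off],
        "signature_verified": False,   # needs the public key named by auth_key_id
        "payload_sha256_ok": hashlib.sha256(payload).digest() == payload_sha256,
        "blocks": blocks,
        "_payload": payload,
    }


def extract_block(image: dict, index: int) -> bytes:
    """Raw bytes of one block (still scrambled/encrypted if the flag says so)."""
    b = image["blocks"][index]
    return image["_payload"][b["start"]:b["start"] + b["size"]]


def build_sample_image() -> bytes:
    """Constructed sample file (not a real DJI image) exercising the layout above."""
    blocks = [(b"kern", b"A" * 64, 0), (b"rtfs", b"B" * 32, 1)]   # attrs 0 = encrypted
    payload = b"".join(d for _, d, _ in blocks)
    table, start = b"", 0
    for bname, bdata, attrs in blocks:
        table += struct.pack(BLOCK_FMT, bname, start, len(bdata), attrs, b"\0" * 16)
        start += len(bdata)
    header_size = HEADER_SIZE + len(table)
    signature = b"\xaa" * 256    # placeholder bytes, not a real RSA signature
    header = struct.pack(HEADER_FMT, MAGIC, 1, b"\0" * 8, header_size, len(signature),
                         len(payload), b"\0" * 12, 1, 2, b"\x11" * 16, b"sample_image",
                         b"\0" * 60, len(blocks), hashlib.sha256(payload).digest())
    return header + table + signature + payload


if __name__ == "__main__":
    img = parse_image(build_sample_image())
    print(img["name"], "v%d" % img["version"], "sha256 ok:", img["payload_sha256_ok"])
    for i, b in enumerate(img["blocks"]):
        print(b["name"], b["start"], b["size"], "encrypted" if b["encrypted"] else "plain",
              len(extract_block(img, i)), "bytes")
```

The hash check is the useful part for anyone handling firmware archives: it tells you whether a file you pulled from a cache is intact, independently of whether you can verify the RSA signature. Run it against a real `.sig` file by replacing `build_sample_image()` with the file's bytes; if the offsets come out wrong, the byte-order or header-size assumption above is the first thing to revisit.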
Freaky123 Posted June 27, 2017 (edited)
I will release more info and tools later on: https://github.com/fvantienen/dji_rev There is already a python script that can extract the image file format as well. Would be nice if it can be cleaned up a bit, but at least it works.
Edited June 27, 2017 by Freaky123
MavproxyUser Posted June 27, 2017
For those of you that are more active... stop by and see us in slack. Don't come ask dumb questions! Stop by with the mindset of participation. https://join.slack.com/dji-rev/shared_invite/MjA0NTE3MzM5NjM0LTE0OTg1OTc5MjUtNzE0NWM3ODI5OQ
MavproxyUser Posted June 28, 2017
Looks like the cat is out of the bag btw... https://github.com/mefistotelis/phantom-firmware-tools/issues/32#issuecomment-311488395
singlag Posted June 28, 2017 (edited)
11 hours ago, jan2642 said:
Anyone here who can translate these? Many thanks!

Also promising for the path I'm on: the available commands on /controller/board_test:

{
  "EXIST_COMMANDS": [
    "get_status_info",
    "set_status_info",
    "start_process",
    "start_test"
  ],
  "SEQ": "12345"
}

Now trying to figure out how to pass on arguments to start_test & start_process...

自動 = auto
一鍵查詢 = check/query in 1 click (means check all items)
機型 = model number
固件版本 = firmware version

I can't see this factory screen on version 1.0.6
Edited June 28, 2017 by singlag
enderffx Posted June 28, 2017
On 26.6.2017 at 7:51 PM, singlag said:
Update: only DJI Assistant2 Beta112 is working for my Windows 7 PC, but the firmware page seems to be having a problem, connection timeout while loading firmware list.

Do you have any idea if that version supports Spark as well? If not then all this probably is irrelevant for Spark, right? ---Trying to get a grip on this, but just being a regular coder and not well versed on hacking / reverse engineering it's hard for me--- Ender
singlag Posted June 28, 2017
5 hours ago, enderffx said:
Do you have any idea if that version supports Spark as well? If not then all this probably is irrelevant for Spark, right? ---Trying to get a grip on this, but just being a regular coder and not well versed on hacking / reverse engineering it's hard for me--- Ender

I'm using the new version of DJI Assistant now (27/5/2017), I think it can support Spark.
theLORD Posted June 28, 2017 (edited)
12 hours ago, MavproxyUser said:
Looks like the cat is out of the bag btw..

YES INDEED. DJI pulled all the vulnerable firmware for all the drones (Spark, Mavic, P4p and Inspire 2).
P4p:
SPARK:
Mavic:
Edited June 28, 2017 by Mavic_1_2_9
fredz Posted June 28, 2017
26 minutes ago, singlag said:
I'm using the new version of DJI Assistant now (27/5/2017), I think it can support Spark.

On Mac or Windows? Ctrl-Shift-i on Windows seems to only work with some old beta versions...
kariem112 Posted June 28, 2017
5 minutes ago, Mavic_1_2_9 said:
DJI pulled all the vulnerable firmware for all the drones (Spark, Mavic, P4p and Inspire 2)

Vulnerable how? I have seen they have removed the .700 firmware, which was still available yesterday :)
theLORD Posted June 28, 2017
nothing is available today :) yesterday morning first thing I saw removed was the SPARK
enderffx Posted June 28, 2017
2 hours ago, singlag said:
I'm using the new version of DJI Assistant now (27/5/2017), I think it can support Spark.

Yes, I can confirm, Spark supported by 112 versions of DJI Assistant! Ender
MavproxyUser Posted June 28, 2017
Ok folks... word on the street is that DJI is pulling firmware. Please start uploading your archived firmware to GoogleDrive and linking here or in slack https://dji-rev.slack.com #firm_cache

On OSX: /Applications/Assistant.app/Contents/MacOS/Data/firm_cache
On Windows: C:\Program Files (x86)\DJI Product\DJI Assistant 2\Assistant\Data\firm_cache

Please archive all contents such as:
wm220_0100_v02.01.55.93_20170120.pro.fw.sig
wm220_0100_v02.02.56.29_20170317.pro.fw.sig
wm220_0100_v02.05.04.34_20170209_ca02.pro.fw.sig
wm220_0100_v02.06.04.84_20170324_ca02.pro.fw.sig
wm220_0101_v02.01.55.93_20170120.pro.fw.sig
wm220_0101_v02.02.56.29_20170317.pro.fw.sig
wm220_0101_v02.05.04.34_20170209_ca02.pro.fw.sig
wm220_0101_v02.06.04.84_20170324_ca02.pro.fw.sig
wm220_0305_v34.04.00.23_20161122.pro.fw.sig
wm220_0306_v03.02.13.16_20170112.pro.fw.sig
wm220_0306_v03.02.30.13_20170405.pro.fw.sig
wm220_0400_v01.50.11.93_20170116.pro.fw.sig
wm220_0400_v01.50.12.01_20170414.pro.fw.sig
wm220_0600_v00.00.01.27_20161017.pro.fw.sig
wm220_0601_v00.00.03.04_20170329.pro.fw.sig
wm220_0603_v00.00.06.07_20170314.pro.fw.sig
wm220_0801_v01.04.17.03_20170120.pro.fw.sig
wm220_0801_v01.05.00.20_20170331.pro.fw.sig
wm220_0802_v01.00.03.08_20170116.pro.fw.sig
wm220_0803_v00.00.04.06_20160621.pro.fw.sig
wm220_0803_v00.00.04.08_20170314.pro.fw.sig
wm220_0804_v01.00.00.08_20170113.pro.fw.sig
wm220_0805_v01.01.00.71_20161227.pro.fw.sig
wm220_0805_v01.01.00.87_20170427.pro.fw.sig
wm220_0905_v00.00.01.04_20170301.pro.fw.sig
wm220_0907_v43.97.02.05_20170111.pro.fw.sig
wm220_0907_v47.26.02.11_20170419.pro.fw.sig
wm220_1100_v01.00.07.24_20161206.pro.fw.sig
wm220_1200_v01.09.00.00_20161204.pro.fw.sig
wm220_1201_v01.09.00.00_20161204.pro.fw.sig
wm220_1202_v01.09.00.00_20161204.pro.fw.sig
wm220_1203_v01.09.00.00_20161204.pro.fw.sig
wm220_1301_v01.04.17.03_20170120.pro.fw.sig
wm220_1301_v01.05.00.23_20170418.pro.fw.sig
wm220_1407_v43.97.02.05_20170111.pro.fw.sig
wm220_1407_v47.26.02.11_20170419.pro.fw.sig
wm220_2801_v01.02.21.01_20170421.pro.fw.sig
wm220_2803_v00.00.03.08_20170302_cd01.pro.fw.sig
wm220_2803_v00.00.03.08_20170302_cd02.pro.fw.sig
wm220_2807_v47.26.02.11_20170419.pro.fw.sig