Simi Posted June 30, 2017 Share Posted June 30, 2017 1 hour ago, theLORD said: check my post here its much simpler: https://github.com/mefistotelis/phantom-firmware-tools/issues/36#issuecomment-312030452 Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted July 4, 2017 Author Share Posted July 4, 2017 https://github.com/MAVProxyUser/P0VsRedHerring Quote Link to comment Share on other sites More sharing options...
enderffx Posted July 4, 2017 Share Posted July 4, 2017 Yihaaaaaa ! Gotta love herrings... Ender Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted July 6, 2017 Author Share Posted July 6, 2017 (edited) *confirmed* we just rooted Mavic, and Inspire2 with RedHerring. - https://github.com/MAVProxyUser/P0VsRedHerring/commit/94e6f2c098a1c8556320d0ee994f3b6fa3e1ff03 Phantom4 series, Mavic Pro, Inspire 2, and Spark #Jailbreak Edited July 6, 2017 by MavproxyUser Quote Link to comment Share on other sites More sharing options...
Simi Posted July 7, 2017 Share Posted July 7, 2017 On 6/26/2017 at 8:33 PM, MavproxyUser said: Thanks for that... this seems to be interesting reading on the root of the subject. I was not familiar with it. https://segmentfault.com/a/1190000006087527 https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fsegmentfault.com%2Fa%2F1190000006087527&edit-text=&act=url He suggests a few ways to "patch" the cause of the issue. wonderful ! Quote Link to comment Share on other sites More sharing options...
techspy Posted July 7, 2017 Share Posted July 7, 2017 Does having root get us any closer to using the FW dumps located here? And, will it allow us to modify these dumps and for example remove the NFZ from 800/900? https://github.com/droner69/MavicPro/tree/master/Firmware Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted July 7, 2017 Author Share Posted July 7, 2017 (edited) 30 minutes ago, techspy said: Does having root get us any closer to using the FW dumps located here? And, will it allow us to modify these dumps and for example remove the NFZ from 800/900? https://github.com/droner69/MavicPro/tree/master/Firmware short answer... yes. There is a HUGE hint to this in my *original* post in one of the statements I made, and photos I added (inside IDA pro). Edited July 7, 2017 by MavproxyUser Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted July 9, 2017 Author Share Posted July 9, 2017 I know a lot of Windows users have wanted to play... as of This commit I believe you guys are good to go. Let me know of any bugs please. https://github.com/MAVProxyUser/P0VsRedHerring/commit/ac04a117cbea49dfcfecd216b2ed62d751cd03dd Quote Link to comment Share on other sites More sharing options...
spamsuxx Posted July 9, 2017 Share Posted July 9, 2017 Hej all,I am on .700 and the patched DJI Go 4.1.3 Android app and it show "Cannot take off. Aircraft locked. Update to the latest version."I think at some point, before I manually install the patched DJI Go 4.1.3 app, the updated DJI Go app locked the Mavic (couple of days ago).I hoped that downgrading to the patched DJI Go 4.1.3v6 fixed the lock, but it didn't.So, did DJI set a flag in the Drones software itself or is there a remnant on my phone which prevents the Mavic from take off?Any suggestions are welcome.Cheers! Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted July 9, 2017 Author Share Posted July 9, 2017 3 hours ago, spamsuxx said: Hej all,I am on .700 and the patched DJI Go 4.1.3 Android app and it show "Cannot take off. Aircraft locked. Update to the latest version."I think at some point, before I manually install the patched DJI Go 4.1.3 app, the updated DJI Go app locked the Mavic (couple of days ago).I hoped that downgrading to the patched DJI Go 4.1.3v6 fixed the lock, but it didn't.So, did DJI set a flag in the Drones software itself or is there a remnant on my phone which prevents the Mavic from take off?Any suggestions are welcome.Cheers! Stop on by the slack mentioned in the first post... very few folks are on this thread these days... but slack is on and poppin. Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted July 14, 2017 Author Share Posted July 14, 2017 Game over... Confirmed ability to downgrade firmware to any version you have the .bin for. Quote Link to comment Share on other sites More sharing options...
dv8ed Posted July 14, 2017 Share Posted July 14, 2017 Are .bins cached in our DJI Assistant by chance? Would love to save them. Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted July 14, 2017 Author Share Posted July 14, 2017 They are sent via FTP ... You can catch via ADB (with existing root access) adb pull /data/dji_system.bin or Via cp (with existing root access) (and copy to a spot you control and can get to later) while true ; do cp /data/dji_system.bin /data/xxx.bin; done Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted July 16, 2017 Author Share Posted July 16, 2017 (edited) Current pyduml:https://github.com/hdnes/pyduml/commit/b7636619371462cf62f12b98e456e5a2f68e1b99 Current *combined* root/.400 Mavic downgrade. (this is no longer a private Git account... anyone can access it)https://github.com/MAVProxyUser/dji_system.bin/commit/c32b67c9853a195e4c8bfbf9a6e357c777675250 $ python pyduml.py /dev/tty.usbmodemXX 55 16 04 FC 2A 28 65 57 40 00 07 00 00 00 00 00 00 00 00 00 27 D3 55 0E 04 66 2A 28 68 57 40 00 0C 00 88 20 55 1A 04 B1 2A 28 6B 57 40 00 08 00 00 18 54 07 00 00 00 00 00 00 02 04 94 0B 55 1E 04 8A 2A 28 F6 57 40 00 0A 00 86 B3 22 02 66 12 E9 6F A0 93 73 BC 85 60 67 4A 6E 18 Firmware Upload Complete (wait 5 minutes, like for real!) # telnet 192.168.42.2 1234 Trying 192.168.42.2... Connected to 192.168.42.2. Escape character is '^]'. id; uid=0(root) gid=0(root) for ADB access... rm /data/.bin/grep; (via telnet) sh-3.2# adb devices List of devices attached RedHerringHasFangs device sh-3.2# adb shell root@wm220_dz_ap0002_v1:/ # To make your own:$ cp UniversalFireworksTar_dji_system.bin mavic_combined_400_root.bin $ gtar --concatenate --file mavic_combined_400_root.tar V01.03.0700_Mavic_dji_system.bin $ tar tvf mavic_combined_400_root.tar Edited July 18, 2017 by MavproxyUser Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted July 19, 2017 Author Share Posted July 19, 2017 we have several firmwares backed up... we are looking for folks across various platforms to help us archive historic firmware using DUMLdore. It would be nice if any of you Inspire2, or P4, P4+ owners could help us archive some of the historic firmware. Stop by slack in #archived_fw_flashing and ask how to use DUMLdore to get is dji_system.bin files for your specific version. You can of course go into Assistant and check your current version against the list below to see if it is something we are missing. The current list is as follows: MD5 (V01.00.0300_Spark_dji_system.bin) = bf81af1c10318e8549bb78b0fef85013 MD5 (V01.00.0330_I2_dji_system.bin) = 0a5c437812b91355c9ae0d4d28d505d1 MD5 (V01.00.0400_Spark_dji_system.bin) = 65f15f4cbe7d761459c7a09ebc660801 MD5 (V01.01.0010_I2_dji_system.bin) = 7d04f199bd872c9372fdebddbef3c404 MD5 (V01.02.0602_P4_dji_system.bin) = 36e11566ae6e303ec5c407f9c0f6c382 MD5 (V01.03.0400_Mavic_dji_system.bin) = a5ac037462b4f902bfa6cb8d9fe395ae MD5 (V01.03.0400_RC_Mavic_dji_system.bin) = d5f40b9231786d6d5053539a78a105c5 MD5 (V01.03.0500_Mavic_dji_system.bin) = 2934111740e9cec3cd65029754b71fd8 MD5 (V01.03.0550_Mavic_dji_system.bin) = 34bdb52c8b8b7468f6312a5febf1838d MD5 (V01.03.0550_RC_Mavic_dji_system.bin) = 06cc62f5d658c7461c758f3903b56c2a MD5 (V01.03.0509_P4P_dji_system.bin) = 93a1663f6675a813ed494e260bb54e89 MD5 (V01.03.0600_Mavic_dji_system.bin) = f3a40d447c39bf8e946f2b5a087dccd6 MD5 (V01.03.0600_RC_Mavic_dji_system.bin) = 06b7657e1c8a42faf4b6f847eefcb438 MD5 (V01.03.0700_Goggles_dji_system-2.bin) = 76eefdb955bfa416e2f43f2ac9f86b84 MD5 (V01.03.0700_Goggles_dji_system.bin) = 47e7ea9eb5f5609bbd8141f7edb3516c MD5 (V01.03.0700_Mavic_dji_system.bin) = 891904fad23add85e8c50a7902f272df MD5 (V01.03.0700_RC_Mavic_dji_system.bin) = 8c11d7e04c03142a50cc0c9538d49fa6 MD5 (V01.03.0800_Goggles_dji_system.bin) = e2c93ded968c148f94c7a81776ce1dfd MD5 (V01.03.0800_Mavic_dji_system.bin) = 6602c26ed0729581246853d7c988a4ae MD5 (V01.03.0800_RC_Mavic_dji_system.bin) = e2508fbf87ce87c0dc7fb7721e555901 MD5 (V01.03.0900_Goggles_dji_system.bin) = 1f82d27681217b4c388a593e4ba6f875 MD5 (V01.03.0900_Mavic_dji_system.bin) = 984446beb028443670091e07d3bbd752 MD5 (V01.03.0900_RC_Mavic_dji_system.bin) = beb6c9dea2a0ad5f688ada4d439e969f MD5 (V01.04.0602_P4P_dji_system.bin) = 2a6b5baba26aa3203ecdc5450ba0473f MD5 (V02.00.0106_P4_dji_system.bin) = a49944bb254354ec064bee13c491fa1e For those of you that can already use git, and have no problem figuring out DUMLDore just submit us a pull request similar to this:https://github.com/MAVProxyUser/dji_system.bin/pull/6/files Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted July 19, 2017 Author Share Posted July 19, 2017 DUMLdore can be found here of course. You can use it to backup your DJI aircraft. https://github.com/jezzab/DUMLdore Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted July 20, 2017 Author Share Posted July 20, 2017 (edited) I'll repost this here, as referenced in the dji_system.bin repo, this is a good place to start: http://dji.retroroms.info For those of you not in the loop, that want to help with the "retention" process regarding control of your DJI aircraft, please familiarize yourself with the following repos: This represents the front lines of the resistance as it were... "the movement" pretty well begins in all of these individual battle grounds. https://github.com/Bin4ry/deejayeye-modder - APK "tweaks" for settings & "mods" for additional / altered functionality https://github.com/hdnes/pyduml - Assistant-less firmware pushes and DUMLHacks referred to as DUMBHerring when used with "fireworks.tar" from RedHerring. DJI silently changes Assistant? great... we will just stop using it. https://github.com/MAVProxyUser/P0VsRedHerring - RedHerring, aka "July 4th Independence Day exploit", "FTPD directory transversal 0day", etc. (Requires Assistant). We all needed a *public* root exploit... why not burn some 0day? https://github.com/MAVProxyUser/dji_system.bin - Current Archive of dji_system.bin files that compose firmware updates referenced by MD5 sum. These can be used to upgrade and downgrade, and root your I2, P4, Mavic, Spark, Goggles, and Mavic RC to your hearts content. (Use with pyduml or DUMLDore) https://github.com/MAVProxyUser/firm_cache - Extracted contents of dji_system.bin, in the future will be used to mix and match pieces of firmware for custom upgrade files. This repo was previously private... it is now open. https://github.com/jezzab/DUMLdore - Even windows users need some love, so DUMLDore was created to help archive, and flash dji_system.bin files on windows platforms. So... that is all! Have fun folks, stop by Slack and see us if you get bored. #android_apk_patching, #archived_fw_flashing, #factory_mode_access, #firm_cache, #hardware, #mavic_rooting, #safety_shaming channels all have something for everyone. If not.. feel free to lurk in #general. We are currently looking to archive as much firmware as possible if anyone wants to help... https://www.rcgroups.com/forums/showpost.php?p=37941901&postcount=1704 Edited July 20, 2017 by MavproxyUser Quote Link to comment Share on other sites More sharing options...
khaled Posted August 11, 2017 Share Posted August 11, 2017 On 10/07/2017 at 1:17 AM, MavproxyUser said: Stop on by the slack mentioned in the first post... very few folks are on this thread these days... but slack is on and poppin. Hey can you please post a new Slack invite? the one in the OP no longer works. Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted August 11, 2017 Author Share Posted August 11, 2017 8 hours ago, khaled said: Hey can you please post a new Slack invite? the one in the OP no longer works. Updated in original post... https://join.slack.com/t/dji-rev/shared_invite/MjIzMTI1MDA5MDcyLTE1MDIyMDgyNTItNzZkNTZhZjY4NQ Quote Link to comment Share on other sites More sharing options...
C. Dave P Posted September 30, 2017 Share Posted September 30, 2017 Shhhhhh, hear the crickets?? Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted October 1, 2017 Author Share Posted October 1, 2017 20 hours ago, C. Dave P said: Shhhhhh, hear the crickets?? NONE of the original group hangs out here any more... we exclusively operate on Slack and GitHub now... https://join.slack.com/t/dji-rev/shared_invite/MjIzMTI1MDA5MDcyLTE1MDIyMDgyNTItNzZkNTZhZjY4NQ #DeejayeyeHackingClub information repos aka "The OG's" (Original Gangsters) http://dji.retroroms.info/ - "Wiki" https://github.com/fvantienen/dji_rev - This repository contains tools for reverse engineering DJI product firmware images. https://github.com/Bin4ry/deejayeye-modder - APK "tweaks" for settings & "mods" for additional / altered functionality https://github.com/hdnes/pyduml - Assistant-less firmware pushes and DUMLHacks referred to as DUMBHerring when used with "fireworks.tar" from RedHerring. DJI silently changes Assistant? great... we will just stop using it. https://github.com/MAVProxyUser/P0VsRedHerring - RedHerring, aka "July 4th Independence Day exploit", "FTPD directory transversal 0day", etc. (Requires Assistant). We all needed a public root exploit... why not burn some 0day? https://github.com/MAVProxyUser/dji_system.bin - Current Archive of dji_system.bin files that compose firmware updates referenced by MD5 sum. These can be used to upgrade and downgrade, and root your I2, P4, Mavic, Spark, Goggles, and Mavic RC to your hearts content. (Use with pyduml or DUMLDore) https://github.com/MAVProxyUser/firm_cache - Extracted contents of dji_system.bin, in the future will be used to mix and match pieces of firmware for custom upgrade files. This repo was previously private... it is now open. https://github.com/MAVProxyUser/DUMLrub - Ruby port of PyDUML, and firmware cherry picking tool. Allows rolling of custom firmware images. https://github.com/jezzab/DUMLdore - Even windows users need some love, so DUMLDore was created to help archive, and flash dji_system.bin files on windows platforms. https://github.com/MAVProxyUser/DJI_ftpd_aes_unscramble - DJI has modified the GPL Busybox ftpd on Mavic, Spark, & Inspire 2 to include AES scrambling of downloaded files... this tool will reverse the scrambling https://github.com/darksimpson/jdjitools - Java DJI Tools, a collection of various tools/snippets tied in one CLI shell-like application. Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted October 1, 2017 Author Share Posted October 1, 2017 None the less... some of you may be interested in my talk "KickStarting a Drone JailBrak Scene" Quote Link to comment Share on other sites More sharing options...
Geodesix Posted November 18, 2017 Share Posted November 18, 2017 I don't know if this was mentioned but... https://www.theregister.co.uk/2017/11/16/dji_private_keys_left_github/ Quote Link to comment Share on other sites More sharing options...
Carleido Posted December 25, 2017 Share Posted December 25, 2017 On 26/6/2017 at 5:57 PM, singlag said: Follow parameter tested at real flight with firmware version .200 g_config_go_home_gohome_idle_vel, default 10, only for RTH speed, I tested with 15 is ok g_config_mode_normal_cfg_vert_vel_up, default 4, ascend speed at GPS mode in meter/second g_config_mode_normal_cfg_vert_vel_down, #default -3, descend speed at gps mode g_config_mode_sport_cfg_vert_vel_up, #default 5, I set it to 10, ascend like a rocket, be careful about battery overload g_config_mode_sport_cfg_vert_vel_down, #default -3, set -10 but it only reach -5m/s in real flight this are some g_config_mode_XXX_cfg_vert_acc_up/down, it have higher value as default, I'm not sure what it does, but just make sure set it to not lower than "no _acc" one g_config_fw_cfg_max_speed <-- set to 20 but no different in real flight, default is 10 for "height_limit", I did change all from /controller/config/user and it work. some parameters about "airport" will be test on tomorrow, and following parameters not tested yet "g_config_avoid_obstacle_limit_cfg_safe_dis" <-- obstacle distant ? g_config_landing_smart_landing_height_L1 <-- smart landing at -0.7 meter ? "g_config_voltage2_level1_smart_battert_gohome" "DEFAULT": 15, "g_config_voltage2_level2_smart_battert_land" "DEFAULT": 10, Now, I want to find out which parameters control about real MAX speed (sport mode is 20m/s in real flight) and 10m/s limit when obstacle detection is ON, but seem no parameters relevant to it. Hi singlag, you have solved all the doubts about the parameter "g_config_fw_cfg_max_speed" ???I've test it... with fw .900 it always returns to 10, with fw .400 and .700 can be set to 20.I have not found any changes to this parameter, both at 20 and at 10 the flight is the same.Confirm that this parameter does not make any changes? Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted January 17, 2018 Author Share Posted January 17, 2018 This is the latest Slack invite link... https://join.slack.com/t/dji-rev/shared_invite/enQtMjk5OTEyMzcyMjI3LTdlZjY4NzQ5M2M2NmE5ZWM4OTgyNThmZDVmZjdjODE4ODYyNmYwZjYxMDcyYzcxNmZlYzI5ZjI2ZGQ2NGY1ZTc Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.