Messages in mavic_rooting

[2017-06-27 22:39:02] hdnes : @hdnes has joined the channel
[2017-06-27 22:39:28] hdnes : I figured I would start a specific channel for rooting specific questions
[2017-06-28 00:57:37] hdnes : I’m sort of at a loss as to what is the current method and/or how many people have actually rooted (not on old firmware)
[2017-06-28 01:00:11] json : @json has joined the channel
[2017-06-28 01:02:02] hdnes : I get the general idea is to patch “adb_en.sh” or something of the like once you get in via ADB mode. But how do you get in the first time
[2017-06-28 01:19:06] json : Probably some flag set by a file on an sdcard maybe?!?
[2017-06-28 01:19:40] json : On the p3p it was P3X_FW_DEBUG case sensitive
[2017-06-28 01:45:38] hostile : @hostile has joined the channel
[2017-06-28 01:59:13] hostile : mount -o remount,rw /system
[2017-06-28 01:59:14] hostile : echo /system/bin/adb_en.sh >> /system/bin/start_dji_system.sh
[2017-06-28 01:59:26] hostile : ^--- This will allow you root persistence once you obtain it...
[2017-06-28 01:59:40] hostile : this is the **least** risky method.
[2017-06-28 02:00:10] hostile : @json P3p has adb access?
[2017-06-28 02:00:17] hdnes : cool, makes sense. Is there a method for getting to that point
[2017-06-28 02:00:28] hostile : not a public one ATM.
[2017-06-28 02:07:53] hdnes : is there an expected path forward at the moment
[2017-06-28 02:11:24] hostile : I HAVE root. not sure what others are doing yet. =]
[2017-06-28 02:13:13] hdnes : your root came from the “non-public” method correct?
[2017-06-28 02:13:18] hostile : yes
[2017-06-28 02:13:23] hdnes : rog, now I’m up to speed
[2017-06-28 02:13:30] hostile : =]
[2017-06-28 02:14:15] hdnes : how many others have rooted do you think at this point
[2017-06-28 02:14:24] hdnes : haven’t really seen too much out there
[2017-06-28 03:17:11] mingtao : @mingtao has joined the channel
[2017-06-28 03:17:36] hostile : mmm I'd wager maybe 5 tops (having gained on their own) and a few maybe having had it handed to them.
[2017-06-28 03:20:33] hdnes : I’ll have it handed to me if someone is willing :wink:
[2017-06-28 04:16:53] droner69 : @droner69 has joined the channel
[2017-06-28 04:34:34] json : No
[2017-06-28 04:59:08] jan2642 : @jan2642 has joined the channel
[2017-06-28 05:04:53] terabyte : @terabyte has joined the channel
[2017-06-28 05:06:57] terabyte : Lol ditto on having it handed. Doubt it tho.
[2017-06-28 05:08:40] terabyte : I've been able to ftp into the drone and unencrypt files but that's as far as I went.
[2017-06-28 05:08:53] terabyte : Mavic on .400 firmware
[2017-06-28 05:11:27] hdnes : @terabyte , nice!
[2017-06-28 07:14:34] d51 : @d51 has joined the channel
[2017-06-28 07:29:20] kilrah : @kilrah has joined the channel
[2017-06-28 07:53:15] freaky123 : @freaky123 has joined the channel
[2017-06-28 13:34:45] cs2000 : @cs2000 has joined the channel
[2017-06-28 14:45:15] jan2642 : Alright…
[2017-06-28 14:45:27] jan2642 : Now that the kids can go play with all the parameters, it’s time for the real work :wink:
[2017-06-28 14:45:33] jan2642 : Did anyone already scrutinise all the shell scripts ? e.g. looking for dangerous use of backticks, $( ) or eval ?
[2017-06-28 15:10:10] cs2000 : Sorry if I'm being a noob here, but reading that some people (including at least 1 in this chat) have obtained root, why is it being kept secret. Nobody from DJI is here, why not share the method between us, and let us all progress further? If it's firmware specific, great. download the FW files for backup for if/when DJI pull them
[2017-06-28 15:12:31] hostile : because... DJI will fix it immediately and then no one will have root **ever**
[2017-06-28 15:13:00] hostile : just like some idiot instantly leaked the copter safe commands (before he even knew how to use them) then went complaining about how to get into Assistant param menu
[2017-06-28 15:13:19] hostile : aka the answer is because "people are dumb" ALSO... there are MANY MANY man hours of time put into it
[2017-06-28 15:13:42] hostile : those that did so don't wanna see their work burned in minutes. Look at how the firmware is being pulled from DJI server RIGHT now...
[2017-06-28 15:13:47] hostile : they are in **react** mode.
[2017-06-28 15:13:56] hostile : we can NOT give them reasons to react to us
[2017-06-28 15:14:35] cs2000 : Riiiiight, idiots ! It seems silly, there's like 10 people in here, several of them could already have the solution but don't/won't share it. I know from iPhone jailbreaking that you want to save exploits. But surely if we keep the firmware they work on stashed safely, then we will always have this exploit method to use?
[2017-06-28 15:18:45] hostile : we need to get the firmware backed spoofed first
[2017-06-28 15:18:53] hostile : working on it in now! <https://forums.hak5.org/index.php?/topic/41304-mavicpilotscom-alternative-coptersafe-hack-mod-discussion/&do=findComment&comment=293514>
[2017-06-28 15:21:01] fldatatek : @fldatatek has joined the channel
[2017-06-28 18:00:33] hostile : What does the P3X_FW_DEBUG do specifically?
[2017-06-28 19:31:09] fredz : @fredz has joined the channel
[2017-06-28 20:05:25] stealhertz : @stealhertz has joined the channel
[2017-06-28 20:29:43] artu-ole : @artu-ole has joined the channel
[2017-06-29 03:26:26] xigougou : @xigougou has joined the channel
[2017-06-29 06:08:20] tom4711 : @tom4711 has joined the channel
[2017-06-29 09:34:45] jan2642 : Could someone with IDA decompile this function: __ZN11P4DeviceDLL17GetHandlerCreatorEv ? It’s in libDJI1860Service.dylib. I’m currently using Hopper and would like to see the difference in decompiler output (as it currently makes my head hurt :slightly_smiling_face: )
[2017-06-29 09:51:50] freaky123 : You know what it is used for or not?
[2017-06-29 09:52:19] freaky123 : I hate c++ for rev. engineering
[2017-06-29 09:52:29] freaky123 : I will do in an hour or so
[2017-06-29 10:01:44] jan2642 : Thanks. I don’t know exactly what it does, I just looked for a typical C++ function with a bunch of lambda’s where Hopper has a hard time producing decent readable decompiled code. If IDA is much better, it might be worthwhile to switch and learn a new tool.
[2017-06-29 11:06:28] freaky123 : ohh you're looking at the osx version
[2017-06-29 11:06:39] freaky123 : I was already searching for that stuff now in the windows and couldn't find xD
[2017-06-29 11:06:48] freaky123 : let me check
[2017-06-29 11:08:51] freaky123 : woow this is epic
[2017-06-29 11:08:57] freaky123 : the osx version has all the debug symbols xD
[2017-06-29 11:10:37] freaky123 : but I don't have that function
[2017-06-29 11:10:41] freaky123 : can you share your dylib
[2017-06-29 11:10:49] freaky123 : prolly I have an older assistant or something like that
[2017-06-29 11:10:52] freaky123 : @jan2642
[2017-06-29 11:14:47] freaky123 : every function is now named in the osx version.. really stupid to leave all the debug symbols
[2017-06-29 11:16:35] freaky123 : this is so easy now
[2017-06-29 11:16:50] freaky123 : lol previously I was struggling with the windows c++ version 32 bits
[2017-06-29 11:16:57] freaky123 : but the mac osx 64 bits is awesome
[2017-06-29 11:38:52] jan2642 : Never looked at the windows binaries but if they don’t have symbols I can imagine that reverse engineering that is quite a feat :wink:
[2017-06-29 11:39:23] jan2642 : (this from the 1.1.2 beta)
[2017-06-29 12:13:20] funkyjunky : @funkyjunky has joined the channel
[2017-06-29 12:23:40] freaky123 : sorry got a bit distracted with other stuff gonna look at it now
[2017-06-29 12:25:34] freaky123 : this is mine
[2017-06-29 12:25:50] freaky123 : couldn't find the function first but ida fixes all the naming
[2017-06-29 12:40:32] jan2642 : Thanks
[2017-06-29 12:40:52] jan2642 : At first sight I would say that there’s no clear winner in this case :slightly_smiling_face:
[2017-06-29 13:32:45] hostile : @jan2642 glad to see someone finally take DJI1860Service (.dll or .dylib) apart as I suggested a week or so ago. =]
[2017-06-29 13:34:31] hostile : we need to hunt for stack overflows in the drone side services
[2017-06-29 13:45:27] jan2642 : Do you refer to stack overflows in the drone’s code or in the application/service ?
[2017-06-29 13:46:18] hostile : I am **hoping** to find one running on the drone application services. (there are a few TCP ports open for example)
[2017-06-29 13:47:46] jan2642 : you mean these I suppose:
21/tcp open ftp
5001/tcp open commplex-link
8897/tcp open unknown
8898/tcp open unknown
8899/tcp open ospf-lite
8902/tcp open unknown
8903/tcp open unknown
8904/tcp open unknown
8905/tcp open unknown
8906/tcp open unknown
8907/tcp open unknown
8908/tcp open unknown
8909/tcp open unknown
8912/tcp open wcbackup
8913/tcp open dragonfly
8914/tcp open unknown
20002/tcp open commtact-http
22350/tcp open CodeMeter
[2017-06-29 14:04:34] freaky123 : the problem is finding the correct stuff.. btw for those services look in dji.json there the protocol is described
[2017-06-29 14:25:42] yiqiangao : @yiqiangao has joined the channel
[2017-06-29 16:32:09] crash9999 : @crash9999 has joined the channel
[2017-06-29 18:01:50] hdnes : Even if one were to mod firmware. Doesn't it have to be signed?
[2017-06-29 18:02:21] hdnes : Anyone willing to lead a horse to some keys
[2017-06-29 18:11:21] jan2642 : Keys we have (freaky123's github), but it's only the public part of the 4096bits RSA keys :-(
[2017-06-29 18:12:24] freaky123 : Yes thus without root we are still not able to modify the firmware
[2017-06-29 18:13:33] hdnes : So gaining root can’t be done through custom firmware is what you are saying
[2017-06-29 18:14:30] freaky123 : Yes that is indeed what you can conclude. Except when there is a bug in the signature checking
[2017-06-29 18:15:19] freaky123 : Either you need the private RSA key or an SHA256 collision
[2017-06-29 18:16:53] hdnes : gaining root gets you the private key no?
[2017-06-29 18:46:45] freaky123 : No gets you the access to bypass the rsa signature or edit the rsa public key
[2017-06-29 18:47:12] freaky123 : Although you cannot edit it in the bootloader and thus edit the kernel
[2017-06-29 18:48:32] freaky123 : Since that is protected by the secure boot of the LC chip
[2017-06-29 19:04:11] jan2642 : Is there any documentation on the LeadCore secure boot method ? I've worked with quite a few SoC's already and what I've always found amusing is that Freescale's method is called "high assurance boot". That sounds a lot like: "We have a method but can't guarantee that it's actually secure" :-)
[2017-06-29 19:29:58] freaky123 : No there isn't anything available on documentation for the LC
[2017-06-29 19:31:25] freaky123 : But I've found both a linux kernel and a U-boot repo for the LC containing some information
[2017-06-29 20:52:23] hostile : @diff are you in here?
[2017-06-29 20:52:26] diff : @diff has joined the channel
[2017-06-30 09:31:53] darksimpson : @freaky123 repo with uboot sources? can you share link pls?
[2017-06-30 09:34:13] ender : Guys, i am just leeching, throw me out w/o bad feelings, i wont trouble you though. And in the unlikely event that i got an idea i’ll let you know :stuck_out_tongue:
[2017-06-30 09:36:29] darksimpson : @freaky123 I will cite from ~random to here to continue conversation
[2017-06-30 09:38:17] darksimpson : @freaky123 Do you mean sign it with PRAK? They use asymmetrical signing afaik?
[2017-06-30 09:38:31] darksimpson : According secure boot, unfortunately I can't find any datasheets/code for this LC platform, so I don't know anything about how booting works. What can I see is that it similar to Redmi 2A, and on Redmi there is no secure booting. I can speculate that all secure thing lies in u-boot itself, need to disassemble thoroughly when get sufficient time for this. Or I am not right?
[2017-06-30 09:38:54] darksimpson : Hmm, I found a part 'key' in bootarea.img, signed with PRAK (if I remember it right) and scrambled with RREK (also if I remember right), usual DJI image with only one chunk named 'IAEK'... It is not IAEK?
[2017-06-30 09:46:38] freaky123 : Yeah I meant PRAK
[2017-06-30 09:47:01] freaky123 : It is not the correct IAEK
[2017-06-30 09:47:07] darksimpson : :blush:
[2017-06-30 09:47:11] freaky123 : That is a placeholder
[2017-06-30 09:47:37] freaky123 : The LC has the secure boot in the chips efuses
[2017-06-30 09:48:16] freaky123 : Thus not in the U-boot. Can only be bypassed by soldering a new LC chip on
[2017-06-30 09:49:04] darksimpson : LC also really use asymmetric crypto to auth boot?
[2017-06-30 09:49:25] darksimpson : Shame (
[2017-06-30 09:50:07] freaky123 : The LC also uses RSA
[2017-06-30 09:50:21] darksimpson : Can you share link to u-boot repo? Want to dig in booting process slightly )
[2017-06-30 09:50:39] freaky123 : Though they only are capable of saving a hash in the efuse of the key
[2017-06-30 09:51:35] freaky123 : <https://github.com/GitHubZYX/uboot/>
[2017-06-30 09:51:50] darksimpson : Thx!
[2017-06-30 09:51:59] freaky123 : This one is close to the one of dji
[2017-06-30 09:52:34] freaky123 : That is where I got my u-boot signing script from
[2017-06-30 09:53:19] darksimpson : efuses is otp like in majority of other systems, right?
[2017-06-30 09:53:43] freaky123 : Yes
[2017-06-30 09:54:34] darksimpson : Bad things... Okay. What is about console that is running mksh?
[2017-06-30 09:54:58] freaky123 : Not sure about that one but it must be somewhere
[2017-06-30 09:55:19] freaky123 : It is ttyS1 on the mavic and ttyS3 on the TX
[2017-06-30 09:56:13] darksimpson : You got IAEK out? Is it really starts mksh on these UARTS?
[2017-06-30 09:56:23] freaky123 : But yeah I have no data on the LC except for a bootloader and kernel I found
[2017-06-30 09:56:32] darksimpson : I think it must be in ramdrive somewhere.
[2017-06-30 09:57:16] freaky123 : I got the IAEK out but that took me an extreme amount of work
[2017-06-30 09:58:00] freaky123 : And actually not worth it
[2017-06-30 09:58:56] darksimpson : Ok, if you don't want to share, it us your right ) I have no right to blame for it ) But ok.
[2017-06-30 09:59:11] darksimpson : Is mksh is really started on these uarts?
[2017-06-30 09:59:28] freaky123 : So my advice is to not spend the time in getting it since the encrypted parts of the kernel which use this key are useless
[2017-06-30 09:59:45] freaky123 : Yes a console is opened at these uarts
[2017-06-30 10:00:01] freaky123 : At least that parameter is given to the kernel
[2017-06-30 10:01:54] darksimpson : I see that parameter from logs, but can't find where mksh is started exactly (like getty and other things).
[2017-06-30 10:03:27] freaky123 : mksh is run when opening a console.. so that it requires a password based on your DAAK
[2017-06-30 10:04:14] darksimpson : Can you share decrypted ramdrive image pls? And what is the first chunk for (don't remember exactly how it names, TZ...something)? I'm from my phone now and can't see it.
[2017-06-30 10:04:37] freaky123 : and when you have root the IAEK is even more useless since you can already access the root partition
[2017-06-30 10:05:26] darksimpson : Yes, I know, but want to place all pieces of the puzzle together
[2017-06-30 10:06:13] freaky123 : you have LRFS and TZOS
[2017-06-30 10:07:58] darksimpson : What is inside TZOS?
[2017-06-30 10:08:31] darksimpson : LRFS is a ramdrive root fs as I think.
[2017-06-30 10:08:52] freaky123 : never looked inside it that much
[2017-06-30 10:09:15] freaky123 : @freaky123 uploaded a file: [TZOS Strings](https://dji-rev.slack.com/files/freaky123/F622GHKK5/tzos_strings.txt)
[2017-06-30 10:09:31] darksimpson : According to size, it contains some more things in recovery image, than in normal.img
[2017-06-30 10:11:23] freaky123 : I will take a look in IDA
[2017-06-30 10:11:38] freaky123 : but at first my guess was that it was just some part of the kernel
[2017-06-30 10:11:46] darksimpson : Is it an executable binary?
[2017-06-30 10:11:56] freaky123 : I guess
[2017-06-30 10:12:14] darksimpson : What is in snippet, I can't view it correctly from phone?
[2017-06-30 10:12:40] freaky123 : strings from the decrypted file
[2017-06-30 10:12:57] freaky123 : binwalk can't find anything interesting
[2017-06-30 10:14:00] darksimpson : Can you share decrypted tzos (and ramdrive also, pls). I will take a look also.
[2017-06-30 10:14:44] freaky123 : I will do that later
[2017-06-30 10:17:33] freaky123 : LibTomCrypt is in the tzos
[2017-06-30 10:17:39] darksimpson : Thank you. Also, only for my interest, can you tell just a little, what you have done to get IAEK? I also want to do it for myself, but with some help it will be more efficient ) But it is your choice, of course.
[2017-06-30 10:18:13] darksimpson : Hm..
[2017-06-30 10:19:36] darksimpson : But why?
[2017-06-30 10:19:48] freaky123 : You need to find their small fault, they forgot to do something. When they would have done that it would have almost been impossible to retrieve the key
[2017-06-30 10:20:00] freaky123 : I don't know why yet
[2017-06-30 10:20:03] freaky123 : just fired up IDA
[2017-06-30 10:21:39] darksimpson : Ok. I need to look in bootarea with IDA as I want, or in some other places also?
[2017-06-30 10:24:34] freaky123 : you also need root access
[2017-06-30 10:26:04] jan2642 : Don’t know much about the boot procedure of these devices, but I have once used tomcrypt for checking a chain of signatures: romboot validates uboot, uboot validates kernel, kernel validates rootfs, etc
[2017-06-30 10:26:28] darksimpson : They forgot to clear IAEK from memory?
[2017-06-30 10:27:07] freaky123 : I found out what the TZOS is
[2017-06-30 10:27:08] freaky123 : <https://github.com/OP-TEE/optee_os>
[2017-06-30 10:27:52] jan2642 : The LC stores a hash of the public key in OTP ? Freescale does that and that’s why they call it “High Assurance Boot”. In theory it’s possible to find another key pair with hash collision, chances are slim though..
[2017-06-30 10:28:45] freaky123 : yes indeed @jan2642
[2017-06-30 10:29:24] jan2642 : rent-a-botnet ? :wink:
[2017-06-30 10:31:09] freaky123 : eacddc63263e047791ac2f53a622cb78541d03e321d8a3bfa9be8fd3f2aaaf77
[2017-06-30 10:31:13] freaky123 : is the hash you need to find
[2017-06-30 10:31:52] freaky123 : you can see in my scripts how to calculate it
[2017-06-30 10:32:01] freaky123 : but it's a SHA256
[2017-06-30 10:33:38] darksimpson : I think it is almost impossible (
[2017-06-30 10:33:58] freaky123 : yeah chances are close to 0
[2017-06-30 10:34:57] freaky123 : you can get all this info from the U-Boot repo
[2017-06-30 10:42:51] jan2642 : Ugh.. Hopper keeps giving higher priority to data accesses over code accesses which causes it to misinterpret what is code and what is data. I can find a lot of ‘interesting’ functions that are seemingly never called because the calls are hidden in ‘data’. I guess I need to find access to IDA…
[2017-06-30 10:43:39] freaky123 : IDA has similar problems I can say, so you have to do manual searches
[2017-06-30 10:44:01] freaky123 : Did you btw at least make a script for hopper to use the debug function calls to name all functions?
[2017-06-30 10:49:33] jan2642 : Hehe.. partially, it still gets confused when dealing with inlined functions.
[2017-06-30 10:52:07] freaky123 : haha yeah I also have that
[2017-06-30 10:52:18] freaky123 : but generally I just take the first ^^
[2017-06-30 10:53:07] freaky123 : For Ida I can share you my script and structures though
[2017-06-30 10:58:36] freaky123 : @jan2642 <https://github.com/fvantienen/dji_rev/blob/master/symbols/headers.h>
[2017-06-30 11:06:42] freaky123 : TZOS -> trust zone os
[2017-06-30 11:08:26] freaky123 : @jan2642 that file contains the structures from the FW which could be extremely useful in some cases
[2017-06-30 11:25:53] jan2642 : Cool, thanks! I’ll see if I can find an IDA copy somewhere tonight.
[2017-06-30 11:42:30] darksimpson : I have a latest (I think) pub avail IDA ) Can share if you want )
[2017-06-30 11:56:00] jan2642 : @darksimpson Thanks, that would save me some hassle.
[2017-06-30 11:58:23] darksimpson : Ok, link it here or upload somewhere? I will do it a bit later as now I need to go on the meeting and then do some high priority work, may be a couple of hours to wait.
[2017-06-30 12:14:18] hostile : @darksimpson /etc/init* kicks off the mksh, and I do not believe there is a traditional getty running.
[2017-06-30 14:29:37] jan2642 : Dilemma.. Keep on searching for a software hack or open it up, find the serial port and have instant satisfaction. :wink:
[2017-06-30 14:46:02] darksimpson : Oh, serial port... Just a moment.
[2017-06-30 14:46:12] darksimpson : I've promised
[2017-06-30 14:47:35] darksimpson : moment
[2017-06-30 14:49:00] freaky123 : Nice hq photos :) tnx a lot
[2017-06-30 14:49:57] darksimpson : It really looks like U(S)ART from LC
[2017-06-30 14:50:20] darksimpson : Needs testing, I will, but not at this moment, may be somebody can do.
[2017-06-30 14:50:47] darksimpson : @freaky123 If needed I can upload more detailed HQ photos with traces
[2017-06-30 14:51:02] freaky123 : That would be awesome
[2017-06-30 14:51:23] freaky123 : Did you also look at the mavic main boards and fc boards or not yet?
[2017-06-30 14:52:03] darksimpson : Not yet, but I think in several days I will disassemble, look and make photos.
[2017-06-30 14:52:39] freaky123 : Yeah the photos I found on the inet are ok but not as clear as yours
[2017-06-30 14:55:03] darksimpson : NOTE! If sb want to test it for UART: 1. NEVER ever connect 3V3 converters to these pins as it is HIGHLY probable 1V8 or 1V2, or even 0V8 and you will burn gates and/or chip part; 2. Test with multimeter first for IO voltage. TX line must hold high VCC_IO voltage when no traffic, RX usually in Z; 3. Use proper USB <> UART <> Level shifter to connect to this interface.
[2017-06-30 14:57:25] freaky123 : Tnx for the advice
[2017-06-30 14:57:42] darksimpson : Ok ) Now uploading RC photos
[2017-06-30 15:06:13] darksimpson : Ah, the battery also
[2017-06-30 15:06:39] freaky123 : Wow you did already a lot of work
[2017-06-30 15:07:06] darksimpson : I've still not loaded my 16 tons to get root (
[2017-06-30 15:09:48] darksimpson : ICs on battery: bq30z554 (near analogue, 556 actually), msp430g2755 MCU
[2017-06-30 15:10:54] freaky123 : The fw for the battery is not encrypted btw ;)
[2017-06-30 15:11:34] darksimpson : Looks like battery communicating with AC thru powerline (or using UART in top and bottom contacts, but traces are hidden between layers, and on charger top and bottom contacts marked as N/C).
[2017-06-30 15:12:07] darksimpson : Thx, I know ) But I do not like 430, used it in several projects and dropped
[2017-06-30 15:12:39] darksimpson : But 430s are good in low energy performance, of course
[2017-06-30 15:13:14] darksimpson : But I prefer EFM32 for low energy in my designs )
[2017-06-30 15:13:42] freaky123 : Uart
[2017-06-30 15:13:53] darksimpson : top/bottom contacts?
[2017-06-30 15:14:22] freaky123 : Yes my guess if you look at the pinout on the multi charger
[2017-06-30 15:14:48] freaky123 : Since there the rest is named power and those are nc
[2017-06-30 15:15:12] darksimpson : Yes, but it may be actually N/C )
[2017-06-30 15:15:38] freaky123 : Yeah for charging prolly not needed
[2017-06-30 15:15:50] darksimpson : Need to test it, but I'm very lazy to do. May be if it will help somebody only.
[2017-06-30 15:16:39] darksimpson : Charging/discharging/keeping/protection is all handled by BQ, it is a smart thing, used it in several designs also.
[2017-06-30 15:17:17] darksimpson : I need to say, overall, that I'm as hardware engineer very impressed by Mavic hardware.
[2017-06-30 15:17:40] darksimpson : :heart:
[2017-06-30 15:20:14] darksimpson : Oh, I will upload new IDA and need to get back to work till evening.
[2017-06-30 15:21:32] darksimpson : @jan2642 where to upload IDA? Here, or outside here?
[2017-06-30 15:25:32] darksimpson : Ok, shared on my storage
[2017-06-30 15:25:33] darksimpson : <http://stor.darksimpson.com/sharing/4TZDBAn2W>
[2017-06-30 15:26:00] darksimpson : pass is 3183, link will valid till 2 Jul
[2017-06-30 16:08:08] cucuveauamov : @cucuveauamov has joined the channel
[2017-06-30 16:29:38] hostile : Thanks for the documents @darksimpson !
[2017-06-30 16:29:45] hostile : on the UART
[2017-06-30 16:33:53] darksimpson : ?
[2017-06-30 16:35:40] darksimpson : ah, pictures! no problem )
[2017-07-01 09:59:10] jan2642 : @hostile That tar trick on twitter most definitely works on the mavic.
[2017-07-01 10:16:31] rulppa : also with latest fw? can't test because i have no mavic yet, inspire2 doesn't have ftp at all (or wifi mode)
[2017-07-01 10:27:10] rulppa : Tcpip over usb, just 5 ports open, 4 for websocket and 17500 for ip broadcasting
[2017-07-01 10:37:09] opcode : sure Inspire 2 has ftp. just pulled FW 48 hours ago.
[2017-07-01 10:42:52] rulppa : umm, i don't see any more open ports. just 49188, 57621 for what i believe ac uses to reply back 19870 and 19871 ws
[2017-07-01 10:44:49] rulppa :
Assistant 2721 root 52u IPv6 0x6d314862c9214385 0t0 TCP [::1]:19870->[::1]:51076 (ESTABLISHED)
DJIBrowse 2724 root 60u IPv6 0x6d314862c9236385 0t0 TCP [::1]:51075->[::1]:19870 (ESTABLISHED)
DJIBrowse 2724 root 105u IPv6 0x6d314862c9214e05 0t0 TCP [::1]:51076->[::1]:19870 (ESTABLISHED)
[2017-07-01 10:48:29] rulppa : if the ftp is enabled by default, then i feel stupid, 192.162.43.2 is only ipv4 i can see and scanned all open ports
[2017-07-01 10:49:08] jan2642 : @rulppa tried it with qemu on an extracted .700 mavic fw.
[2017-07-01 10:51:02] rulppa : ok, planning to use last .900 when the thing comes, not worried about nfz’s. no need to fly when i can't. but wouldn't be a problem with root access anyway.
[2017-07-01 10:51:19] darksimpson : Who and why is handing over this info on twitter? It is my findings and I don't want to show it to public, especially DJI, till we do something really working.
[2017-07-01 10:53:23] opcode : @rulppa just to clarify, you dont see or have port 21 on your inspire 2?
[2017-07-01 10:53:45] rulppa : thats right, nothing on port 21.
[2017-07-01 10:54:45] jan2642 : @darksimpson: on twitter, @TheDJIProblem
[2017-07-01 10:55:36] darksimpson : I think this behavior is not so smart.
[2017-07-01 10:55:44] rulppa : well its soon on facebook gp too, thedumbdroner here=fb group admin
[2017-07-01 10:56:14] rulppa : i scanned the ports exactly like that, nothing. what fw you are at with the i2?
[2017-07-01 10:56:50] opcode : check the ip, you used a different one?
[2017-07-01 10:56:56] rulppa : ip is .3 for me tho, not .2 but i guess that varies
[2017-07-01 10:56:59] rulppa : yeah
[2017-07-01 10:57:34] rulppa : loading batteries now and going to flight soon, will check later. but i don't see why it would use 2 different ips?
[2017-07-01 10:57:59] jan2642 : @rulppa: .3 is the address the dhcp server on the drone assigns to your pc, the drone itself is on .2
[2017-07-01 10:58:19] opcode : correct
[2017-07-01 10:58:23] rulppa : …ok, now i feel stupid.
[2017-07-01 10:58:26] rulppa : thanks :slightly_smiling_face:
[2017-07-01 10:58:28] opcode : :wink:
[2017-07-01 11:01:02] rulppa : opcode, your i2 with latest fw or older one?
[2017-07-01 11:01:14] darksimpson : Ban out? Why do this? For DJI to fix things even before we make st working?
[2017-07-01 11:01:50] rulppa : because idiot.
[2017-07-01 11:06:45] opcode : @rulppa 01.00.0330
[2017-07-01 11:07:49] rulppa : i guess I'm too late for that train, they must have fixed the bug with the latest fw. i just wanted more features and didn't stay on old fw
[2017-07-01 11:08:52] opcode : oh, so you are on the most recent FW?
[2017-07-01 11:08:59] rulppa : yeah
[2017-07-01 11:09:37] opcode : are you able to change the nfz and height parameters?
[2017-07-01 11:10:32] rulppa : no airports nearby, so i can't test if it works, but only reason why it wouldn't, those params are on the dji app too and the app refreshes those params every time.
[2017-07-01 11:10:55] darksimpson : Btw, on what of last fw is still possible to change height and speed params?
[2017-07-01 11:11:29] opcode : @darksimpson thats what im just trying to find out, as rulppa is on the current FW for I2.
[2017-07-01 11:11:51] rulppa : just change the search radius for the airport to 1 meter and then disable whole thing, but as said, nearest airport/nfz-zone is like 80km away and i wouldn't want to fly there anyway
[2017-07-01 11:12:54] darksimpson : On .800 (mavic) I can't write params over Websocket, error is that param is not found.
[2017-07-01 11:12:58] rulppa : i really don't understand the way CS did the NFZ thing, because to me it still looks pretty much same as A2 based nfz-zones, even with the latest mavic fw which my friend has
[2017-07-01 11:13:43] darksimpson : May be still possible to send CDC commands directly, but I've not dug deep into it, now working on root.
[2017-07-01 11:13:53] opcode : @rulppa to clarify, you see the same ws parameters on your current firmware, but as soon as you connect DJI Go, they get a reset?
[2017-07-01 11:15:35] rulppa : opcode, i don't know if they do, but if it doesn't work that must be the case. dji go3 had all params done like that, when flashing new fw-module using new parameters, there was only one or two versions of dji go which actually had proper “reset all settings” params and after that, they got updated from the fw. then they removed that option and one would need to edit param files with .apk too to get it work.
[2017-07-01 11:15:52] rulppa : so, they MIGHT use this same trick with geo/nfz now.
[2017-07-01 11:16:15] rulppa : but, just with params related to geo/nfz, not with the rest obviously..
[2017-07-01 11:21:49] rulppa : opcode, nothing gets reset, all works but i do not know if the NFZ works or will just that get reset, or is coptersafe just stupid, because the way they unlocked it, feels odd to me while there is other params that did the same thing. pretty sure the way they did, is not on the go app also, and wasn't before. nfz-database needs to match, or it will use the one app has, not the one on the ac params. open the app and find params there.
[2017-07-01 11:26:12] rulppa : I'm sure next go4 will revert back to later version go3 system (params-wise) and load the params from the app, because there is no way to flush them unless you open the .apk/.ipa and put the values there, or be able to properly flush them.
[2017-07-01 13:32:54] the_lord : NFZ available on the below versions only, all other options are available on all versions
– Spark : 1.00.0300
– Mavic Pro : 1.03.0700, 1.03.0400
– Phantom 4 Pro/Adv : 1.03.0509
– Inspire 2 : 1.00.0330
[2017-07-01 13:33:18] the_lord : coptersafe sends DUML commands just like the assistant
[2017-07-01 13:37:06] the_lord : ====================================
g_config_airport_limit_cfg_cfg_disable_airport_fly_limit = 1
Assistant message: 55 14 04 6D 2A 03 E3 76 40 03 E3 01 00 01 00 A5 02 01 92 98
CSupdater message: 55 14 04 6d 2a 03 a1 5d 40 03 e3 01 00 01 00 a5 02 01 da 6d
the Payload "01 00 A5 02 01" in little indian = 1
g_config_airport_limit_cfg_cfg_limit_data = 20250910
Assistant message: 55 17 04 38 2A 03 48 7A 40 03 E3 01 00 01 00 A7 02 1E 01 35 01 44 A8
CSupdater message: 55 17 04 38 2a 03 3c 5d 40 03 e3 01 00 01 00 a7 02 1e 01 35 01 4a 21
the Payload "01 00 A7 02 1E 01 35 01" in little indian = 20250910
[2017-07-01 13:39:30] the_lord : @jan2642 @darksimpson how the tar trick will work if the system on mavic is mounted as ro not rw??
[2017-07-01 13:45:19] darksimpson : Will work if we'll find what we can overwrite in rw parts.
[2017-07-01 13:45:28] darksimpson : Now searching.
[2017-07-01 13:46:04] darksimpson : And dissecting update commands to replay it on any crafted payload without Assistant
[2017-07-01 14:18:04] fldatatek : .600 let me set the parameters in A2 for NFZ but I haven't had a chance yet to go test and see if I can actually fly in a NFZ. But it took the parameters and they were persistent between power cycles of the aircraft and A2
[2017-07-01 14:55:22] hostile : This "ro" patch on /system was in response to P0V exploit... this is the public "dir traversal" from "underground 0day". The "red herring"
[2017-07-02 01:36:13] hdnes : @hostile, can you explain your work with evil.sh?
[2017-07-02 01:38:08] hdnes : I see that it’s got adb_en.sh inside. Are you inferring that POV’s claims are now potentially realistic through this vector?
[2017-07-02 01:39:02] hdnes : The only real catch is then getting that script to run via ftp exploit (that no longer works)
[2017-07-02 01:44:32] hdnes : Ok I think I follow now, you created evil.sh using the exploit and you included adb_en.sh. How does one then get that to copy over or run etc. Missing the follow through
[2017-07-02 01:45:08] hdnes : and I guess the fact still stands that this isn’t an actual vector anymore since they obfuscated ftp with AES
[2017-07-02 01:46:15] hostile : Soon.
[2017-07-02 01:46:37] hostile : AES is only on download FWIW
[2017-07-02 01:46:50] hostile : that "fact" is an assumption
[2017-07-02 01:46:54] hostile : sit tight
[2017-07-02 01:47:02] hostile : this may be a good 4th
[2017-07-02 01:47:09] hdnes : Solid bro!
[2017-07-02 06:58:57] hostile : Beta testing now <https://github.com/MAVProxyUser/P0VsRedHerring.git>
[2017-07-02 08:14:49] ender : great, just “endian”, not “indian”, not to belittle anyone :stuck_out_tongue:
[2017-07-02 08:16:47] the_lord : typo
[2017-07-02 10:38:05] baboom : I was able to on .800. Don't know for .900. NFZ parameters are not available on .800
[2017-07-02 19:44:40] hostile : Anyone working with the RedHerring exploit... feel free to talk amongst yourselves.
[2017-07-02 19:45:21] hostile : @the_lord @hdnes @coldflake @freaky123 @darksimpson @jan2642 @rulppa @hotelzululima @opcode @diff @ender you are all currently the chosen few.
[2017-07-02 19:46:25] coldflake : @coldflake has joined the channel
[2017-07-02 19:46:25] hotelzululima : @hotelzululima has joined the channel
[2017-07-02 19:47:46] opcode : installed ruby + all the needed gems, installed adb. making myself familiar with Android FS/P4P to check what is what at the moment.
[2017-07-02 19:48:54] jan2642 : I’m also browsing the FS at the moment to find a suitable vector.
[2017-07-02 19:49:33] hostile : This is gonna be a gymnastics game for the noobs... I figure a few folks working together and you'll have a solid technique for rooting with the tool. I gave plenty of hints in the header. I was able to root Spark with one file overwrite, and a reboot, greeting me with ADB. do make sure you have done a "git pull" and have the latest version. The last commit fixes a bug that WILL brick your bird if you overwrite the wrong file. <https://github.com/MAVProxyUser/P0VsRedHerring/commit/716fa28b60c7af2404918ee844c4bf2d75b39d1e>
[2017-07-02 19:49:56] the_lord : I'm getting Mac book now :)
[2017-07-02 19:50:22] hostile : I saw someone in general running OSX from VirtualBox earlier in the week for Assistant work... seems legit here.
[2017-07-02 19:56:16] opcode : @the_lord :smile:
[2017-07-02 19:57:12] hdnes : Has this channel been switched to private
[2017-07-02 19:57:56] hdnes : Don't know how to tell from my phone
[2017-07-02 20:02:11] hostile : I don't think so. I'm not worried about it...
[2017-07-02 20:02:32] hostile : even with a complete how to... this exploit takes some love, and special conditions, and knowhow
[2017-07-02 20:03:15] hostile : I'm gonna flip the repo to public probably at midnight tomorrow, or maybe at noon
[2017-07-02 20:05:48] jan2642 : Am I right to assume that /system/bin is writable at the time of the update?
[2017-07-02 20:06:40] hostile : depends on the bird... and firmware version
[2017-07-02 20:06:45] hostile : Spark seems **always** writable.
[2017-07-02 20:07:10] hostile : /dev/block/platform/comip-mmc.1/by-name/cache /cache ext4 rw,noatime,data=ordered 0 0
[2017-07-02 20:07:15] hostile : /dev/block/platform/comip-mmc.1/by-name/blackbox /blackbox ext4 rw,noatime,data=ordered 0 0
[2017-07-02 20:07:22] hostile : /dev/block/platform/comip-mmc.1/by-name/userdata /data ext4 rw,noatime,data=ordered 0 0
[2017-07-02 20:07:42] hostile : (duplicates)
[2017-07-02 20:07:50] hostile : /dev/block/platform/comip-mmc.1/by-name/userdata /ftp/upgrade ext4 rw,noatime,data=ordered 0 0
/dev/block/platform/comip-mmc.1/by-name/blackbox /ftp/blackbox/vision ext4 rw,noatime,data=ordered 0 0
[2017-07-02 20:07:54] hostile : (special)
[2017-07-02 20:07:56] hostile : none /sys/kernel/debug debugfs rw,relatime 0 0
[2017-07-02 20:08:09] hostile : tmpfs /tmp tmpfs rw,relatime,size=32768k 0 0
tmpfs /var tmpfs rw,relatime,size=2048k 0 0
tmpfs /ftp tmpfs rw,relatime,size=1024k 0 0
[2017-07-02 20:08:10] hostile : tmpfs /dev tmpfs rw,nosuid,relatime,size=8192k,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
[2017-07-02 20:08:32] hostile : (could be interesting... I've seen scripts look for .sh on /sdcard to run in some versions)
[2017-07-02 20:08:37] hostile : /dev/block/mmcblk1p1 /sdcard vfat rw,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 0
[2017-07-02 20:09:10] hostile : let me update this Spark and verify **latest** is still "rw"
[2017-07-02 20:09:14] hostile : /dev/block/platform/comip-mmc.1/by-name/system /system ext4 rw,relatime,data=ordered 0 0
[2017-07-02 20:10:56] hdnes : I’m assuming you followed POV’s leads to the T[rue]
[2017-07-02 20:12:03] hostile : everything I could find I wrote in the exploit header
[2017-07-02 20:12:13] hostile : following to a "T" leads in misdirection
[2017-07-02 20:12:20] hostile : I suspect we can own via /data write too
[2017-07-02 20:13:39] hostile : I'm wondering for example... on birds where /system is NOT rw...
[2017-07-02 20:13:53] hostile : We CAN write to /data/local.prop which is a special file for android...
[2017-07-02 20:14:06] hostile : root@wm100_dz_ap0001_v5:/ # busybox strings /init | grep local
/data/local.prop
[2017-07-02 20:14:12] hostile : question is does init actually use it...
[2017-07-02 20:14:51] hostile : so there are plenty of options and exploration paths outside the Vanilla Spark root and suspected OLLLLD Mavic (pre-ship shill beta variant)
[2017-07-02 20:14:51] the_lord : System on latest spark fw is rw
[2017-07-02 20:15:08] hostile : thx brother. saves me the update. =]
[2017-07-02 20:15:20] jan2642 : I don’t know what the PATH is but there are a lot of calls in e.g. dji_sys using popen() or system() without full path. Would it be possible a writable part is earlier in the path ?
[2017-07-02 20:15:55] hostile : on that note... mksh does some goofy shit...
[2017-07-02 20:16:44] hostile : root@wm100_dz_ap0001_v5:/ # echo $PATH
/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
root@wm100_dz_ap0001_v5:/ # exit
Kevins-iMac:protocol kfinisterre$ adb shell
root@wm100_dz_ap0001_v5:/ # echo $PATH
/data/.bin:/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
this is behavior from /etc/mkshrc
for p in ~/.bin; do
  [[ -d $p/. ]] || continue
  [[ :$PATH: = :$p: ]] || PATH=$p:$PATH
done
You can create the dir over ftp
ftp> mkdir .bin
257 Operation successful
[2017-07-02 20:17:12] hostile : BUT... most everything runs from /init at boot... so not 100% sure this path is taken...
[2017-07-02 20:17:19] hostile : it IS once you shell in... but not useful then.
[2017-07-02 20:18:33] jan2642 : And the home directory is /ftp ?
[2017-07-02 20:19:53] hostile : $home == /data
[2017-07-02 20:20:07] hostile : which == /ftp/upgrade
[2017-07-02 20:20:33] hostile : very curious behavior for sure
[2017-07-02 20:21:05] jan2642 : Does the adb shell still invoke /system/etc/mkshrc ? Or in other words: do you also get “input <username debuglevel password> to start debug” ?
[2017-07-02 20:21:30] hostile : that depends on how you overwrite and **what** you overwrite.
[2017-07-02 20:21:38] hostile : for me... no
[2017-07-02 20:21:42] hostile : I just shell out to insta root
[2017-07-02 20:21:50] jan2642 : good point :wink:
[2017-07-02 20:22:57] jan2642 : As far as I can tell, the default mkshrc will always ask for it, so I don’t think mksh is used anywhere else than adb shell & tty.
[2017-07-02 20:23:19] hostile : /system/bin/sh is symlinked to mksh
[2017-07-02 20:23:21] hostile : FWIW
[2017-07-02 20:23:38] hostile : I think it handles different when symlinked as "sh" vs "mksh" tho.
[2017-07-02 20:23:51] hostile : and perhaps does not run .profile, and things of that nature.
[2017-07-02 20:24:05] hostile : else simply writing to /data/.profile would be valuable
[2017-07-02 20:24:12] hostile : I am not 100% sure tho.
[2017-07-02 20:24:19] hostile : I have not had much time to play on my Mavic with this.
[2017-07-02 20:24:33] hostile : just enough to confirm the file write was successful in /data
[2017-07-02 20:24:38] hostile : and then to root the spark via /system
[2017-07-02 20:25:24] freaky123 : /system is only writable in certain situations like update on certain systems but
[2017-07-02 20:26:19] jan2642 : adb_en.sh will create /tmp/dji/secure_debug and mkshrc will not ask for credentials when /tmp/dji/secure_debug exists.
[2017-07-02 20:26:40] jan2642 : so no password on adb shell once adb_en.sh has been invoked.
[2017-07-02 20:30:58] hostile : so jan... YOU too can create /tmp/dji/secure_debug with this bug I just shared. FWIW
[2017-07-02 20:31:17] hostile : but that is neither here nor there.
[2017-07-02 20:31:24] hostile : sounds like everyone has some wheels turning.
[2017-07-02 20:31:25] hostile : have fun.
[2017-07-02 20:32:50] freaky123 : you need to find the tty terminal on the device
[2017-07-02 20:32:54] freaky123 : that would be promising
[2017-07-02 20:36:38] jan2642 : I’ve only got it for 3 weeks, not sure if I’m already willing to open it up :wink:
[2017-07-02 20:36:53] jan2642 : Doesn’t @darksimpson already know where the tty is on the mavic ?
[2017-07-02 20:38:09] hostile : it's not that bad to open up Jan...
[2017-07-02 20:38:16] jan2642 : mksh on the tty will ask for credentials unless /tmp/dji/secure_debug exists before mksh is invoked. That will be impossible with this method.
[2017-07-02 20:38:27] hostile : only thing to watch... is the Wifi card, behind the LED panel on the back.
[2017-07-02 20:38:37] hostile : don't jab it with a screw driver... you WILL pierce the cable
[2017-07-02 20:38:49] hostile : but even that is not end of the world (just baro loss and $30 fix)
[2017-07-02 20:38:59] freaky123 : and know which screws to unscrew before opening xD
[2017-07-02 20:39:43] hostile : also just buy a core board on eBay for like $80
[2017-07-02 20:39:52] hostile : and power via lipo and test Leads
[2017-07-02 20:39:57] hostile : (tip from @the_lord )
[2017-07-02 20:40:50] jan2642 : You guys are really selling this :slightly_smiling_face: I’m leaving on a short trip tomorrow morning and I’d like this thing to be able to fly then.
[2017-07-02 20:41:39] darksimpson : Yes, it definitely will work, if I can get my hands on it soon I think.
[2017-07-02 20:43:38] darksimpson : Creds on tty is not a problem, you know, info is available how to get it for your drone / rc
[2017-07-02 20:46:14] jan2642 : I know, just looking for a way without in case they close that door.
[2017-07-02 20:49:26] jan2642 : If /data == /ftp/upgrade, are there other places writable on mavic (other than tmpfs’s) ?
[2017-07-02 20:54:03] hostile : all pasted above
[2017-07-02 20:54:18] hostile : <https://dji-rev.slack.com/archives/C60KELF6H/p1499026030183847>
[2017-07-02 20:54:29] hostile : full list below that
[2017-07-02 21:03:30] jan2642 : That single core board is indeed a good idea, it would be a cheaper brick than a full mavic :slightly_smiling_face:
[2017-07-02 21:08:20] opcode : executing hostiles script, assistant 2 kicked me out, login window with verification code, but no code shown. WTF?
[2017-07-02 21:14:21] rulppa : yeah got same lol
[2017-07-02 21:16:46] opcode : cause is --test_server
[2017-07-02 21:18:17] opcode : @hostile any idea?
[2017-07-02 21:19:52] hdnes : are you guys running the same version Assistant
[2017-07-02 21:20:20] opcode : 1.1.2
[2017-07-02 21:20:52] hdnes : <https://dl.djicdn.com/downloads/dji_assistant/20170527/DJI+Assistant+2+1.1.2.573+2017_05_27+17_45_27+6e0216bf(b21de8d8).pkg>
[2017-07-02 21:21:45] opcode : reinstalling
[2017-07-02 21:21:55] opcode : @hdnes thx for the link
[2017-07-02 21:21:58] hdnes : I checked the hash on it yesterday
[2017-07-02 21:22:29] hdnes : if the MD5 doesn’t check out, you can get it from the bin repo
[2017-07-02 21:26:54] rulppa : had 1.1.2-2, will try that later, now need some sleep
[2017-07-02 21:30:09] hdnes : did you check hash?
[2017-07-02 21:30:36] hdnes : if the hash passs, not even worth your time getting off the repo
[2017-07-02 21:30:54] opcode : how do i do that?
[2017-07-02 21:31:06] hdnes : md5 in terminal
[2017-07-02 21:31:38] hdnes : @hostile, hashed the assistant file itself not the .pkg
[2017-07-02 21:33:14] hdnes : have to open the contents of the app to pull out just the assistant
[2017-07-02 21:34:04] hdnes : literally just type md5 (with a space) then drag and drop the file onto terminal
[2017-07-02 21:34:06] hdnes : enter
[2017-07-02 21:34:51] opcode : 792b5622e895ca6d041be158f21a28f9
[2017-07-02 21:35:37] hdnes : 792b5622e895ca6d041be158f21a28f9
[2017-07-02 21:35:51] hdnes : Back to @hostile then
[2017-07-02 21:36:25] opcode : maybe for a fast block, dji simply removed or manipulated the log in.
[2017-07-02 21:38:03] hdnes : Don’t see how unless the log in page is served from webserver dynamically
[2017-07-02 21:38:35] opcode : yes, simply blocked the verification code generator.
[2017-07-02 21:38:55] hdnes : what do you mean, don’t follow
[2017-07-02 21:39:05] hdnes : was I right and you blocked the http traffic?
[2017-07-02 21:39:55] opcode : no, i mean DJI is simply blocking the verification code generator. or does this work on your side?
[2017-07-02 21:40:20] hdnes : I haven’t got that far. I don’t have a file or a location that I’m comfortable running it
[2017-07-02 21:41:12] hdnes : what file and location were you running the script with?
[2017-07-02 21:42:50] opcode : for testing created a .txt and put it in /data/
[2017-07-02 21:43:05] opcode : just for testing purposes that this exploit is working
[2017-07-02 21:43:29] hdnes : that’s easy enough
[2017-07-02 21:45:24] opcode : yeah, and you can't mess something up. if this is working, then i will make myself familiar with the android filesystem
[2017-07-02 21:49:44] hdnes : cool let me spool it up
[2017-07-02 22:09:02] hostile : "maybe for a fast block, dji simply removed or manipulated the log in." I've seen that...
[2017-07-02 22:09:13] hostile : check your hosts file entries maybe
[2017-07-02 22:09:19] hostile : login before running the exploit
[2017-07-02 22:09:26] hostile : run as root from command line so the cookie is stored
[2017-07-02 22:09:43] hostile : I don't think it is an intentional block.. just nuanced shat app code
[2017-07-02 22:31:42] hostile : technically any assistant with --test_server should work I think
[2017-07-02 22:31:53] hostile : I have not double checked any FWIW short of 1_1_0 and 1_1_2
[2017-07-02 22:46:20] hdnes : nope same issue, don’t know what the NFZ update looks like so can’t use dev mode really to find anything. Does it pop up a whole other window?
[2017-07-02 22:48:15] hostile : Run wireshark plz
[2017-07-02 22:48:16] hdnes : there isn’t anything to click on in dev menus
[2017-07-02 22:48:35] hostile : Cat /etc/hosts also
[2017-07-02 22:49:05] hdnes : 127.0.0.1 flysafe.aasky.net
[2017-07-02 22:49:21] hostile : You missing one needed
[2017-07-02 22:49:25] hostile : I'm at water park
[2017-07-02 22:49:37] hdnes : cool enjoy, I’ll keep digging
[2017-07-02 23:11:35] hdnes : flight-staging.aasky.net
[2017-07-02 23:12:00] hdnes : hmm
[2017-07-03 00:04:28] hdnes : After the hostfiles are modified, connecting to the aircraft takes like 2 min until a time out.
[2017-07-03 00:04:37] hdnes : still not past login
[2017-07-03 00:10:15] hostile : Tcpdump or I can't tell anything...
[2017-07-03 00:11:16] hostile : I think you need the swsf.djicorp.com one also
[2017-07-03 00:11:24] hdnes : I suck at wireshark, but did see the one above
[2017-07-03 00:11:29] hdnes : I’ll add that one also and try
[2017-07-03 00:11:52] hostile : Also... you don't have anything running on port 80 already do you? Also check Mac firewall
[2017-07-03 00:12:50] hostile : All you need to do is "tcpdump -i en0 -w savefile" as root ( or what ever interface is your main net interface )
[2017-07-03 00:13:30] hdnes : let me peruse a second
[2017-07-03 00:14:04] hdnes : how can you push a new line in ruby… Meaning I have a logic statement that super long and I want to simply write it on the next line
[2017-07-03 00:14:10] hdnes : to make the code cleaner
[2017-07-03 00:15:14] hdnes : \ ?
[2017-07-03 00:15:59] hostile : In the car ATM... paste a snippet?
[2017-07-03 00:16:24] hostile : You mean print a carriage return to screen ?
[2017-07-03 00:16:39] hostile : "\n"
[2017-07-03 00:17:38] hdnes : I think this is correct
[2017-07-03 00:18:28] hostile : You shouldn't need to block flight-staging....
[2017-07-03 00:18:47] hdnes : ok
[2017-07-03 00:18:57] hdnes : so just leave /swsf in then
[2017-07-03 00:19:13] hostile : I'll try to check on a clean Mac later tonight hopefully
[2017-07-03 00:23:04] hdnes : swsf got me in past login
[2017-07-03 00:23:37] hostile : Pow
[2017-07-03 00:23:40] hdnes : but not sure what I’m supposed to be seeing… to confirm
[2017-07-03 00:23:48] hostile : I'll update git
[2017-07-03 00:23:57] hostile : You should see the assistant start...
[2017-07-03 00:24:07] hostile : Click your device...
[2017-07-03 00:24:20] hostile : Click update when asked to do the NFZ
[2017-07-03 00:24:30] hdnes : yeah never get anything like that
[2017-07-03 00:24:37] hostile : So on that screen you should have seen an NFZ update query.
[2017-07-03 00:24:47] hostile : Did the script ever see http hits?
[2017-07-03 00:24:59] hostile : Try browsing <http://localhost> and check the script console
[2017-07-03 00:25:13] hdnes : went straight there with nothing else
[2017-07-03 00:25:40] hostile : did the script have any out put?
[2017-07-03 00:25:49] hostile : if not... you likely have something blocking port 80
[2017-07-03 00:26:49] hdnes : script is waiting on me to accept NFZ
[2017-07-03 00:26:51] hostile : ok well the WEBrick IS working
[2017-07-03 00:26:53] hostile : then accept it
[2017-07-03 00:27:01] hdnes : …. nothing to accept :wink:
[2017-07-03 00:27:15] hostile : "script is waiting on me to accept NFZ"
[2017-07-03 00:27:21] hostile : either it is waiting, or it isn't
[2017-07-03 00:27:24] hostile : lol
[2017-07-03 00:27:30] hostile : you click "confirm"
[2017-07-03 00:27:32] hostile : and it goes...
[2017-07-03 00:28:24] hdnes : I think I follow, one sec
[2017-07-03 00:28:40] hdnes : how long does it take?
[2017-07-03 00:31:15] hdnes : definitely don’t follow.
[2017-07-03 00:32:10] hdnes : Don’t have any UI that pops up to “confirm”
[2017-07-03 00:36:05] hdnes : You definitely have to be logged in prior to .rb to get it to skip login. However no firmware pops up and no “confirm” NFZ pops up either, just the blank screen posted before
[2017-07-03 00:57:47] hostile : ok so what you need to do is make sure ALL of your other Assistant copies are closed
[2017-07-03 00:57:54] hostile : let me see your hosts file now?
[2017-07-03 01:00:02] hostile : TCPdump please?
[2017-07-03 01:00:08] hostile : or wireshark?
[2017-07-03 01:01:54] hostile : lets do a sanity check
[2017-07-03 01:02:24] hostile : without the exploit... and without the flysafe.aasky entry but WITH the swsf entry manually run:
[2017-07-03 01:02:27] hostile : /Applications/Assistant.app/Contents/MacOS/Assistant --test_server --factory
[2017-07-03 01:02:28] hdnes : sure, just started from scratch after force quitting anything with Assistant in the name
[2017-07-03 01:02:39] hdnes : one sec
[2017-07-03 01:02:55] hostile : (with the drone on, and connected)
[2017-07-03 01:03:32] hostile : I usually first see
[2017-07-03 01:04:19] hostile : you must click allow
[2017-07-03 01:04:49] hdnes : ok…
[2017-07-03 01:04:56] hdnes : so don’t see that
[2017-07-03 01:05:07] hdnes : but I might have denied it months ago on some other work
[2017-07-03 01:05:25] hdnes : exact same results for your manual test
[2017-07-03 01:05:27] hostile : (or firewall is off)
[2017-07-03 01:05:53] hostile : well if you get exact same results... you have some tcpdumping to do...
[2017-07-03 01:05:59] hostile : and find out where those requests are failing
[2017-07-03 01:06:45] hostile : also you are running test as root?
[2017-07-03 01:06:46] hostile : $ sudo /Applications/Assistant.app/Contents/MacOS/Assistant --test_server
[2017-07-03 01:06:56] hdnes : yeah
[2017-07-03 01:09:22] hostile : comment out this line:
[2017-07-03 01:09:23] hostile : Logger: WEBrick::Log.new("/dev/null"),
[2017-07-03 01:10:02] hostile : takes about 10 seconds.... you should see this when running properly
[2017-07-03 01:10:53] hostile : also
[2017-07-03 01:10:56] hostile : change this line:
[2017-07-03 01:10:57] hostile : pid = spawn("/Applications/Assistant.app/Contents/MacOS/Assistant --test_server --factory", :out => "/dev/null", :err => "/dev/null")
[2017-07-03 01:10:59] hostile : to:
[2017-07-03 01:11:04] hostile : pid = spawn("/Applications/Assistant.app/Contents/MacOS/Assistant --test_server --factory")
[2017-07-03 01:11:12] hostile : and lets see if we can get some debugging
[2017-07-03 01:13:40] hdnes : [2017-07-02 18:13:01] WARN TCPServer Error: Address already in use - bind(2)
[2017-07-03 01:14:18] hdnes : [2017-07-02 18:13:54] INFO WEBrick::HTTPServer#start: pid=17336 port=80 timeout dev: Lb_mcu_sky(5)
[2017-07-03 01:15:51] hostile : I think those are both fine
[2017-07-03 01:16:17] hdnes : nothing else sticks out
[2017-07-03 01:16:41] hostile : and when it kicks off the assistant you see NOTHING on the console?
[2017-07-03 01:18:42] hostile : <http://localhost> in your browser plz
[2017-07-03 01:20:09] hdnes : [2017-07-02 18:19:43] ERROR `/' not found.
[2017-07-03 01:20:52] hostile : next <http://flysafe.aasky.net>
[2017-07-03 01:21:33] hdnes : exact same
[2017-07-03 01:21:53] hostile : k
[2017-07-03 01:22:03] hostile : so the redirect is occurring for sure
[2017-07-03 01:22:10] hdnes : seems like it
[2017-07-03 01:22:23] hostile : this is a Mavic?
[2017-07-03 01:22:28] hdnes : yeah
[2017-07-03 01:22:30] hostile : lets manually run:
[2017-07-03 01:22:44] hostile : /Applications/Assistant.app/Contents/MacOS/Assistant without test_server
[2017-07-03 01:23:07] hostile : do you have any other mods installed btw?
[2017-07-03 01:23:13] hostile : settings or otherwise?
[2017-07-03 01:23:19] hostile : may need to factory default it first
[2017-07-03 01:24:02] hostile : comment out
[2017-07-03 01:24:03] hostile : AccessLog: [],
[2017-07-03 01:24:31] hdnes : hmm maybe disabled NFZ?
[2017-07-03 01:24:39] hdnes : let me reset that
[2017-07-03 01:24:42] hostile : comment out the access log
[2017-07-03 01:24:47] hostile : localhost - - [02/Jul/2017:21:24:15 EDT] "GET /api/v3/geofence/onboard_static_data?version=01.00.00.03&timestamp=1499045055&signature=1CBA2B3DE686F1A63E6A0759A3EB0555550FE47381DEAE2E9A380FF00F1C0A08 HTTP/1.1" 200 101 - -> /api/v3/geofence/onboard_static_data?version=01.00.00.03&timestamp=1499045055&signature=1CBA2B3DE686F1A63E6A0759A3EB0555550FE47381DEAE2E9A380FF00F1C0A08
[2017-07-03 01:24:47] hostile : then you **should** see:
[2017-07-03 01:24:59] hostile : or similar
[2017-07-03 01:29:17] hdnes : not sure where I should see that?
[2017-07-03 01:29:26] hostile : shortly after assistant fires off
[2017-07-03 01:29:37] hdnes : running manually in term
[2017-07-03 01:29:40] hostile : you should see it on the exploit console
[2017-07-03 01:29:41] hdnes : or through RedH
[2017-07-03 01:29:51] hostile : exploit console needs to be open, it provides the http socket
[2017-07-03 01:30:07] hdnes : two terms then, trying now
[2017-07-03 01:30:21] hostile : even if you manually kick off , you always need the exploit **open**
[2017-07-03 01:31:53] hdnes : time on open: RNDIS_Phantom4&/dev/cu.usbmodem1425 0ms! ws url:<ws://localhost:19871/controller/vision_calibration/e2daa04e6f040f21929af1ce23812aba77092f98>, exe:/Applications/Assistant.app/Contents/MacOS/VisionStarter push RNDIS_Phantom4&/dev/cu.usbmodem1425 e2daa04e6f040f21929af1ce23812aba77092f98
[2017-07-03 01:32:01] hdnes : That’s all I’m seeing
[2017-07-03 01:32:12] hostile : so something is wrong with your DNS redirection
[2017-07-03 01:32:26] hostile : it works for your browser... but NOT for the app when you run it on command line
[2017-07-03 01:32:40] hdnes : interesting
[2017-07-03 01:32:41] hostile : I'm gonna push a debug version to the git with all the changes you **should** have
[2017-07-03 01:32:51] hostile : what version of OSX do you have?
[2017-07-03 01:33:04] hdnes : 10.12.4
[2017-07-03 01:33:30] hostile : sudo killall -HUP mDNSResponder
[2017-07-03 01:35:43] hdnes : same same
[2017-07-03 01:36:10] hdnes : I’m seeing the firmware pop up now which I’m assuming is a bad thing
[2017-07-03 01:36:17] hostile : yep
[2017-07-03 01:36:23] hostile : means your hosts entries are not working
[2017-07-03 01:36:23] hdnes : yeah as you expected
[2017-07-03 01:36:58] hostile : "git pull"
[2017-07-03 01:37:01] hostile : just pushed some changes
[2017-07-03 01:37:04] hostile : something funky on your box tho
[2017-07-03 01:37:14] hostile : make clean hosts file
[2017-07-03 01:37:15] hostile : reboot
[2017-07-03 01:37:20] hostile : try again with the latest git push
[2017-07-03 01:40:35] hdnes : Same response as my manual edits
[2017-07-03 01:43:27] hostile : Well you gonna have to debug the networking issues....
[2017-07-03 01:57:37] hdnes : let me try on the other machine
[2017-07-03 01:59:52] hdnes : I’m getting the “allow network access” messages like you mentioned on the other machine, but now I’m stuck at the login screen again
[2017-07-03 02:02:13] hdnes : Ok, past log in and similar results. Fresh machine fresh install
[2017-07-03 02:02:38] hdnes : got logged in under sudo, ran exploit, logs in but no firmware shows up and no prompt to update
[2017-07-03 02:13:21] hostile : Exploit console should show a connection... if it doesn't something isn't working
[2017-07-03 02:13:35] hostile : localhost - - [02/Jul/2017:21:24:15 EDT] "GET /api/v3/geofence/onboard_static_data?version=01.00.00.03&timestamp=1499045055&signature=1CBA2B3DE686F1A63E6A0759A3EB0555550FE47381DEAE2E9A380FF00F1C0A08 HTTP/1.1" 200 101 - -> /api/v3/geofence/onboard_static_data?version=01.00.00.03&timestamp=1499045055&signature=1CBA2B3DE686F1A63E6A0759A3EB0555550FE47381DEAE2E9A380FF00F1C0A08
[2017-07-03 02:13:38] hostile : Stuff like this
[2017-07-03 02:14:17] hostile : You did "git pull" right?
[2017-07-03 02:16:47] hdnes : yeah
[2017-07-03 02:17:52] hdnes : probably should see what others are getting at this point. Considering I’ve replicated on a fresh machine
[2017-07-03 02:19:57] hostile : I'll start on a clean box maybe later
[2017-07-03 02:20:48] hdnes : I do have a VPN, but not sure if it’s on the clean machine. I don’t think it is
[2017-07-03 02:32:51] hostile : are you **using** the VPN actively?
[2017-07-03 02:33:04] hostile : (while trying to use this code)
[2017-07-03 02:33:12] hdnes : both on and off
[2017-07-03 02:33:17] hdnes : nothing really changed
[2017-07-03 02:33:57] hdnes : actually shit, it was installed on the other machine also, but not running
[2017-07-03 02:34:20] hdnes : Yeah, I guess wait for someone else to get further before I waste a bunch of time
[2017-07-03 02:34:30] hdnes : both of my machines have the vpn
[2017-07-03 02:34:46] hdnes : going to do food and actual adulting today.
[2017-07-03 05:53:19] hfman : @hostile - I've been out all day long. I don't have OSX native, but I do have El Capitan in a VM. Is there any benefit to joining your GitHub space?
[2017-07-03 05:56:25] hfman : ...and Assistant 2 already installed in that VM and working as it is supposed to.
[2017-07-03 06:12:39] hostile : sure...
[2017-07-03 06:14:06] hostile : @here I can confirm writing to /data/dji/cfg/test/ota and /cache/ota.zip may have interesting results.
[2017-07-03 06:37:16] opcode : problem still persists, unable to login. additionally, the new script gives me: WARN TCPServer Error: Address already in use - bind(2) **and** on the ws url timeout dev: Lb_mcu_sky(5)
[2017-07-03 06:58:08] hostile : both of those errors are fine
[2017-07-03 06:58:18] hostile : login error is some other issue...
[2017-07-03 06:58:30] hostile : TCPDUMP!!!!
[2017-07-03 06:58:41] hostile : WiresharK!
[2017-07-03 07:14:20] rulppa : just checking if i have it right, ftp-traversal bug is still there, can reach out of the ftp-home dir, but the filesystem is read only. how ever, i could use that to download all the files from the drone?
[2017-07-03 07:14:40] rulppa : would help to choose magic place to write i guess..
[2017-07-03 07:27:03] d51 : I think(just imagine) Mavproxy's closed script looks like WS proxy. Curious what it was. anyway I was late. good luck for selected ppl.
[2017-07-03 07:28:00] rulppa : is there a way to trigger recovery mode so i could just live on the edge and overwrite original recovery_update.sh with the .rb
[2017-07-03 07:29:14] rulppa : d51, he said he will make it available for all today, if you missed the beta
[2017-07-03 07:33:00] d51 : Oh, sounds great. I was wasting time investigating WS params. then I found some suspicious ones. Anyone found cheat_backdoor on AC firmware? I believe the assistant triggers AC to get root easily (not a secret FTPd fuzzing method)
[2017-07-03 07:33:45] opcode : @hostile i had firefox still running. closed, problem solved. login error still persists.
[2017-07-03 07:34:04] rulppa : @d51 thats for setting countrycode from the app, if the app has backdoor feature enabled aka FCC/CE "hack"
[2017-07-03 07:35:09] d51 : U mean "g_config_api_entry_cfg_cheat_backdoor" for FCC/CE? huh?
[2017-07-03 07:35:28] rulppa : yeah, but it gets enabled from the app
[2017-07-03 07:35:55] rulppa : you mean something else that that?
[2017-07-03 07:36:01] rulppa : than
[2017-07-03 07:43:39] d51 : Why script traversing ti.com, or openpilot??? or u captured whole your PC traffics? lol
[2017-07-03 07:45:08] hdnes : openpilot is part of the script
[2017-07-03 07:58:18] d51 : I already checked cheat_backdoor set to 0, then it does not affect APP communications including FCC/CE mods. (I already did the analysis and addressed 'djitestcc' here the first time. that was me)
[2017-07-03 08:00:41] jan2642 : @hdnes all your http traffic is to port 5001 instead of port 80, there’s not a single connection to port 80 in that capture…
[2017-07-03 08:01:03] hdnes : thanks that explains it
[2017-07-03 08:01:24] jan2642 : Do you have a proxy configured ?
[2017-07-03 08:01:43] hdnes : vpn is installed
[2017-07-03 08:01:59] hdnes : but should have been off
[2017-07-03 08:02:16] hdnes : but I think that’s what might be messing with it
[2017-07-03 08:03:12] jan2642 : Probably.. Also, all http request are to localhost:5001 so it seems something is redirecting all http traffic
[2017-07-03 08:03:47] hdnes : thanks
[2017-07-03 08:04:11] jan2642 : Which vpn software is this ? (just out of curiosity)
[2017-07-03 08:06:48] hdnes : golden frog
[2017-07-03 08:07:44] hdnes : could I then just open the server on 5001?
[2017-07-03 08:07:54] hdnes : to avoid having a big mess of uninstalling etc etc
[2017-07-03 08:08:10] hdnes : looking for path of least resistance
[2017-07-03 08:12:32] jan2642 : I guess the VPN is already bound to that port on localhost so the binding by the script will fail.
[2017-07-03 08:13:27] hdnes : thats what I thought you’d say
[2017-07-03 08:13:41] hdnes : well not enough sleep, tomorrow
[2017-07-03 08:45:08] rulppa : so, any "chosen ones" awake? few ideas i would like to discuss privately
[2017-07-03 08:50:07] jan2642 : @rulppa I’m awake but a bit time constrained by other duties
[2017-07-03 09:42:41] the_lord : i'm awake but couldn't run the script on OSX Lion 10.7.5 so now i'm upgrading the machine to El Capitan
[2017-07-03 09:43:51] rulppa : are we ok to discuss here openly or not, about the .rb?
[2017-07-03 09:44:07] the_lord : you need to ask @hostile
[2017-07-03 11:11:23] opcode : Got it working. Used Assistant 1.1.0. Now to figure out what to put where. :slightly_smiling_face:
[2017-07-03 11:18:17] rulppa : what was your problem with 1.1.2? login without captcha triggered by --test_server?
[2017-07-03 11:26:27] opcode : yes. and no question came up asking for NFZ update.
[2017-07-03 11:31:03] rulppa : ok, need to try that.
[2017-07-03 12:54:10] hostile : Nice job @opcode ! you are officially the first one to get a file write
[2017-07-03 12:54:40] hostile : "no question came up asking for NFZ update." interesting! But this is **exactly** why I needed to beta the code. To shake out bugs. =]
[2017-07-03 13:02:19] the_lord : @hostile we were asking, can we discuss here or you'll create private channel for the "chosen ones"
[2017-07-03 13:03:08] the_lord : BTW the P4, P4p and inspire 2 are waiting you :slightly_smiling_face:
[2017-07-03 13:09:49] hostile : @d51 calls to [OpenPilot.com](http://OpenPilot.com) are for Leak control... I am an old OpenPilot dev / flight test team member.
[2017-07-03 13:10:06] hostile : @d51 script should not be calling ti.com... likely something else on your machine.
[2017-07-03 13:10:34] hostile : @rulppa yes free to discuss openly here... please do
[2017-07-03 13:17:16] rulppa : opcode, have link for the 1.1.0.app?
[2017-07-03 13:40:03] ender : the assistant binaries are still up in git
[2017-07-03 13:40:06] ender : (mac & win)
[2017-07-03 13:40:33] ender : <https://github.com/MAVProxyUser/DJIAssistant2Binaries>
[2017-07-03 13:41:10] rulppa : so.. had an idea: if we could boot an Android image from the drone's SD or USB and after that mount the actual DJI version with adb and change ro to rw for newer firmwares, so.. can these birds boot from SD or USB?
[2017-07-03 13:41:48] rulppa : trying to figure “easy” way to get r+w where we need
[2017-07-03 13:43:20] rulppa : hostile, is it the actual init scripts before start_dji_system that clear /tmp/dji/?
[2017-07-03 13:44:54] hostile : I think /tmp is cleared on reboot, just like any modern Unix OS. as it is just a temporary ram disk.
[2017-07-03 13:45:11] hostile : I need to write a tutorial on extracting the system startup scripts from the images
[2017-07-03 13:45:15] hostile : so they can be examined
[2017-07-03 13:45:26] hostile : @freaky123's image.py should work just fine
[2017-07-03 13:45:34] rulppa : so it needs to be powered at the time of the boot, dunno if possible tho
[2017-07-03 13:45:56] hostile : /tmp is an unlikely "at boot" vector for attack
[2017-07-03 13:46:37] rulppa : i would like to get the triggering file for ADB there, or kinda keep it there.
[2017-07-03 13:49:14] the_lord : drones are still rooted if anyone wants me to check anything for him before i switch them off
[2017-07-03 13:50:09] rulppa : find these and add snippet /init init.rc and init.rc.usb
[2017-07-03 14:26:13] rulppa : thanks
[2017-07-03 14:29:05] the_lord : wlcm
[2017-07-03 16:37:12] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/issues>
[2017-07-03 16:37:12] hostile : those of you in here working with RedHerring... please file issues for the problems you have had so I can make sure they get addressed. Add as much detail as you have (about specific versions of assistant not working for example)
[2017-07-03 16:37:19] hostile : thanks @here
[2017-07-03 16:48:07] opcode : @hostile the only issue was a snippet of Independence Day. :smile: But for now, I'm stuck. I noticed all your hints, i.e. your fireworks.tar and the exploit documentation. But I can't guess how to trigger the tar, known as the magic file. I guess it's my lack of knowledge of the file system.
[2017-07-03 16:48:38] hostile : which platform are you on?
[2017-07-03 16:48:55] hostile : for **now** I have only successfully triggered on Spark
[2017-07-03 16:49:11] hostile : the .tar should trigger on NFZ file download
[2017-07-03 16:49:15] hostile : so let me explain how I found this...
[2017-07-03 16:49:55] hostile : first I noticed when switching between $ /Applications/Assistant.app/Contents/MacOS/Assistant and $ /Applications/Assistant.app/Contents/MacOS/Assistant --test_server
[2017-07-03 16:49:55] opcode : OS X
[2017-07-03 16:50:10] hostile : I noticed that every alternate time I would run... I got a request to update the NFZ
[2017-07-03 16:50:37] hostile : once applied... the **other** command which ever it was, would trigger it again
[2017-07-03 16:50:48] hostile : so steps are... (with spark)
[2017-07-03 16:51:00] hostile : Turn on Spark... plug it in
[2017-07-03 16:51:16] hostile : make sure ALL assistants are closed, make sure host file is not fucked up with weird entries.
[2017-07-03 16:52:04] hostile : next you want to obtain a **known** good copy of the startup script.
[2017-07-03 16:52:21] hostile : start_dji_system.sh seems fine (for Spark)
[2017-07-03 16:52:56] hostile : add the following line...
[2017-07-03 16:52:58] hostile :
```
$ tail -n2 start_dji_system.sh
/system/bin/adb_en.sh
```
[2017-07-03 16:53:10] hostile : (tail is just showing you said line... don't add that!)
[2017-07-03 16:53:28] hostile : this makes it so at the end of the DJI startup script... ADB just fires sans any fuckery
[2017-07-03 16:53:42] hostile : next
[2017-07-03 16:53:46] hostile : make sure everything is closed
[2017-07-03 16:53:48] hostile : $ sudo ./RedHerring.rb /system/bin/start_dji_system.sh start_dji_system.sh
[2017-07-03 16:53:57] hostile : this will kick off the Assistant
[2017-07-03 16:54:06] hostile : after about 10 seconds it will prompt you for NFZ update
[2017-07-03 16:54:13] hostile : let me get a screen shot
[2017-07-03 16:54:39] opcode : That's the point. Without a good copy of the startup script I'm lost.
[2017-07-03 16:54:57] hostile : that script is easy as fuck to obtain...
[2017-07-03 16:55:07] hostile : binwalk it out of a firmware upgrade ...
[2017-07-03 16:55:43] hostile : I don't want to **provide** it as DJI could claim I am giving their intellectual property
[2017-07-03 16:56:12] hostile : <https://github.com/droner69/MavicPro/blob/master/MavicPro_Scripts/start_dji_system.sh>
[2017-07-03 16:56:16] hostile : may be a good place to start...
[2017-07-03 16:56:51] hostile : so next... when starting Assistant as root, if firewall is enabled...
[2017-07-03 16:57:05] hostile : I believe if you have denied this in the past... it will cause failure
[2017-07-03 16:57:14] hostile : so allow that...
[2017-07-03 16:57:26] hostile : then you should get this prompt....
[2017-07-03 16:57:41] hostile : which is where the magic happens if you are lucky my script has redirected this download to your computer
[2017-07-03 16:57:49] hostile : and will supply a fake NFZ update with malicious shit in it .
[2017-07-03 16:58:07] hostile : if you see 100% OK then you had a successful unpack
[2017-07-03 16:58:09] opcode : Fireworks.tar
[2017-07-03 16:58:16] hostile : correct
[2017-07-03 16:58:31] opcode : Thanks for the guide
[2017-07-03 16:59:03] opcode : Hope I can try later, I'm away tomorrow till Saturday, no mac, no testing. :expressionless:
[2017-07-03 16:59:33] hostile : should be trivial to port to windows. I think @the_lord has had some success
[2017-07-03 16:59:50] hostile : nothing specific to the mac fwiw. Just that I use mac. and can't be asked to dual dev all the time
[2017-07-03 17:00:02] hostile : and wanted to stop gap the leaks
[2017-07-03 17:00:10] hostile : cuz most people are dumb ass windows users.
[2017-07-03 17:00:23] opcode : Yes, but the assistant version may cause trouble. 1.1.2 and 1.0.9 prompted me for this shitty verification code
[2017-07-03 17:00:36] hostile : yeah that is what I want you to file an issue on please
[2017-07-03 17:00:41] hostile : so it can be investigated further
[2017-07-03 17:00:49] hostile : should take two seconds to get some detail in there
[2017-07-03 17:00:50] opcode : Will do
[2017-07-03 17:01:00] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/issues/new>
[2017-07-03 17:01:16] hostile : I'm trying to do some clean up now to make it presentable
[2017-07-03 17:01:31] opcode : I sent you a log from 1.0.9, that may help to investigate
[2017-07-03 17:01:45] hostile : thx I did see.
[2017-07-03 17:01:52] the_lord : actually tar on windows couldn't handle the symlink and spawn is not supported as well
[2017-07-03 17:01:55] hostile : careful with those logs btw... your email pass is sent in clear text
[2017-07-03 17:02:00] the_lord : for that i brought Mac machine
[2017-07-03 17:02:02] hostile : make sure anyone helping you debug is trusted.
[2017-07-03 17:02:18] opcode : I trust you. :smile:
[2017-07-03 17:02:27] hostile : @the_lord if you send me a .diff of your code... I'll fix this windows symlink problem
[2017-07-03 17:02:53] hostile : or send me the whole code I can diff it myself easily
[2017-07-03 17:03:03] hostile : alternately, if you **want**, make a new branch in my repo
[2017-07-03 17:03:07] hostile : and commit your changes there
[2017-07-03 17:17:08] darksimpson : Oh, I definitely will rewrite it in Java, need to make @hostile's work shine cross-platform. But before that also need to eliminate one issue (the md5 one) and give my 5 cents to this: the ability to use it without Assistant at all.
[2017-07-03 17:19:18] hostile : ruby is just as cross platform as Java FWIW... both require an interpreter to be installed. =] but by all means have at it!
[2017-07-03 17:21:41] darksimpson : No, ruby way is wrong. Let holywar begins!!!
[2017-07-03 17:22:01] hostile : hahah I give zero fucks on $better
[2017-07-03 17:22:50] darksimpson : At least, ruby on windows is a strange thing )
[2017-07-03 17:23:09] hostile : =]
[2017-07-03 17:23:27] darksimpson : Oh, just another idiom I don't understand, fcuk! (
[2017-07-03 17:23:33] hostile : There is a salary comparison somewhere of developer favored language vs pay. I'll need to find it.
[2017-07-03 17:23:48] hostile : "Zero fucks" does not have a proper translation?
[2017-07-03 17:24:24] hostile : =]
[2017-07-03 17:24:34] darksimpson : Literally, to me it means no problems with something
[2017-07-03 17:25:00] hostile : correct... you can have your holy war! I have no real opinion. in other words. =]
[2017-07-03 17:25:12] darksimpson : Ah )
[2017-07-03 17:26:05] hostile : found it!
[2017-07-03 17:26:05] darksimpson : Zero fucks on what is better. Ok )
[2017-07-03 17:26:07] hostile : <https://robertsinterests.wordpress.com/2017/06/15/developers-who-use-spaces-make-more-money-than-those-who-use-tabs-stack-overflow-blog/>
[2017-07-03 17:26:48] hostile : #ZFG is abbreviation for Zero Fucks Given. =]
[2017-07-03 17:27:17] hostile : above average Java Salary like $10,000 less than Ruby. =]
[2017-07-03 17:27:47] ender : haha, i am C++ & Objective-C, that means i understand zero fucks of Java & ruby, is that a correct usage of ZFG? :stuck_out_tongue:
[2017-07-03 17:27:55] hostile : YES!!!!
[2017-07-03 17:27:56] hostile : lol
[2017-07-03 17:28:27] hostile : "I have zero fucks" better than "understand"
[2017-07-03 17:28:31] hostile : but nailed it!
[2017-07-03 17:28:39] hostile : ok back to cleaning up this exploit for me
[2017-07-03 17:32:10] ender : p.s. gotta use tabs, its the 21'st century :stuck_out_tongue:
[2017-07-03 17:47:03] darksimpson : Oh, perfetto, about spaces and tabs! Let me tell a story from the life and work of my dad, still in the USSR. Just about that, but in a slightly different profession. My dad is a conductor (musician, I mean). So, when he was a student in college, he sometimes took part-time work writing musical scores for the city orchestra (for different parades, etc). So, if you look at a musical score, it consists of chunks named bars. Also, we have a musical time signature that tells, simplifying, how many notes fit into one bar. Ok. Let's take some march score, for example. Usually its time is 4/4. So four quarter notes fit in one bar. And the interesting thing was that in those years a score was paid for by bars, yeah. Not notes, nor overall musical content. By bars. So the trick was perfect. Simply give that score not 4/4, but 2/4, so two quarter notes in one bar :) As a result, he has absol-fuckin-lutely the same musical content, but x2 bars overall. Then, a special man who paid the money (and didn't understand anything about music) simply counted bars and voila, x2 money for the same work, yeah :) Sorry for the offtopic, anyway )
[2017-07-03 17:54:47] darksimpson : And ah. Tabs for indents, spaces for align )
[2017-07-03 17:59:20] ender : great story, thx for sharing :wink:
[2017-07-03 17:59:31] hdnes : I'm moving over the next few days so no help from me. Good luck. See you guys on the other side
[2017-07-03 18:00:28] ender : don't lose stuff & good luck :wink:
[2017-07-03 18:03:31] hostile : set the channel description: Good place to start: https://dji-rev.slack.com/archives/C60KELF6H/p1499100595408585
[2017-07-03 18:09:40] rwijnhov : Can I get added to GitHub? Username rwijnhov
[2017-07-03 18:20:02] hostile : done
[2017-07-03 18:22:12] cs2000 : @hostile I know you've been testing this on a Spark I believe. Has anyone tried on a Mavic? I'm not going to join your closed group whilst you're still in development as I have nothing to add, but look forward to a release when it happens. It's a good thing you're not making it as simple as "click me and you're rooted". We need a certain barrier to entry!
[2017-07-03 18:25:23] hostile : feel free...
[2017-07-03 18:25:26] hostile : what is your github name?
[2017-07-03 18:25:52] hostile : I'm probably gonna let it loose tonight around midnight EST
[2017-07-03 18:32:22] mavpac : ID4
[2017-07-03 18:32:52] mavpac : And btw its way more than "a certain barrier" ;-)
[2017-07-03 18:36:00] cs2000 : @hostile my username is the same as on here :slightly_smiling_face:
[2017-07-03 18:36:34] cs2000 : I would certainly try, as long as I'm not looking at running a script and having a £1k paperweight :wink:
[2017-07-03 19:01:28] droner69 : Looks like I'm having the same problems as hdnes was having. I'm trying with the MP on MacOS Sierra, and I can't get the NFZ update to spawn. The webserver is working, and I can <http://localhost/flysafe_db_files/GetRoot> in my web browser. Tried 1.1.2.573 and 1.1.0. Gonna start fresh and try again.
[2017-07-03 19:18:14] hostile : @cs2000 you've been added
[2017-07-03 19:24:32] cs2000 : Thanks, I'll take a look
[2017-07-03 19:30:13] hostile : Would you mac users in @channel please run this command for me with one of your DJI aircraft plugged in: system_profiler SPUSBDataType | grep "DJI:" -A19
[2017-07-03 19:30:24] hostile : expected output:
[2017-07-03 19:30:25] hostile :
```
$ system_profiler SPUSBDataType | grep "DJI:" -A19
DJI:
  Product ID: 0x001f
  Vendor ID: 0x2ca3
  Version: ff.ff
  Serial Number: 0123456789ABCDEF
  Speed: Up to 480 Mb/sec
  Manufacturer: DJI
  Location ID: 0x14300000 / 31
  Current Available (mA): 500
  Current Required (mA): 0
  Extra Operating Current (mA): 0
  Media:
    File-CD Gadget:
      Capacity: 15.93 GB (15,927,345,152 bytes)
      Removable Media: Yes
      BSD Name: disk4
      Logical Unit: 0
      Partition Map Type: Unknown
      USB Interface: 2
```
[2017-07-03 19:34:32] ender : My Spark :
[2017-07-03 19:34:34] ender :
```
Product ID: 0x001f
Vendor ID: 0x2ca3
Version: ff.ff
Serial Number: 0123456789ABCDEF
Speed: Up to 480 Mb/sec
Manufacturer: DJI
Location ID: 0x14100000 / 10
Current Available (mA): 500
Current Required (mA): 0
Extra Operating Current (mA): 0
Media:
  File-CD Gadget:
    Capacity: 64,02 GB (64.020.807.680 bytes)
    Removable Media: Yes
    BSD Name: disk3
    Logical Unit: 0
    Partition Map Type: Unknown
    USB Interface: 2
```
[2017-07-03 19:35:39] ender : my mavic
[2017-07-03 19:35:42] ender :
```
Product ID: 0x001f
Vendor ID: 0x2ca3
Version: ff.ff
Serial Number: 0123456789ABCDEF
Speed: Up to 480 Mb/sec
Manufacturer: DJI
Location ID: 0x14100000 / 15
Current Available (mA): 500
Current Required (mA): 0
Extra Operating Current (mA): 0
```
[2017-07-03 19:35:51] kilrah : mavic:
[2017-07-03 19:35:57] kilrah :
```
DJI:
  Product ID: 0x001f
  Vendor ID: 0x2ca3
  Version: ff.ff
  Serial Number: 0123456789ABCDEF
  Speed: Up to 480 Mb/sec
  Manufacturer: DJI
  Location ID: 0x14123000 / 5
  Current Available (mA): 500
  Current Required (mA): 0
  Extra Operating Current (mA): 0
  Media:
    File-CD Gadget:
      Capacity: 63.85 GB (63 847 792 640 bytes)
      Removable Media: Yes
      BSD Name: disk1
      Logical Unit: 0
      Partition Map Type: Unknown
      USB Interface: 2
```
[2017-07-03 19:36:03] ender : not really exciting :wink:
[2017-07-03 19:36:16] hostile : this helps me in code confirm a device is connected properly
[2017-07-03 19:36:18] hostile : for debugging
[2017-07-03 19:36:28] hostile : probably gonna add the logic direct in the script
[2017-07-03 19:42:42] rulppa : Damn, got too much beer while heading home from work, wife and kid left me to spend quality time for a week and then these things seem to happen. Already in bed but will go back to the garage where I have a Mac and give you at least I2 info
[2017-07-03 19:44:30] mavpac : @ender wow my mavic has the same s/n as yours!!!
[2017-07-03 19:44:37] mavpac : :D
[2017-07-03 19:44:43] rulppa : Lol
[2017-07-03 19:44:54] ender : :stuck_out_tongue:
[2017-07-03 19:45:06] hostile : hah at that level we all have the same one
[2017-07-03 19:48:37] rulppa :
```
DJI:
  Product ID: 0x001f
  Vendor ID: 0x2ca3
  Version: ff.ff
  Serial Number: 0123blabla789ABCDEF
  Speed: Up to 480 Mb/sec
  Manufacturer: DJI
  Location ID: 0x14600000 / 8
  Current Available (mA): 500
  Current Required (mA): 0
  Extra Operating Current (mA): 0
  Media:
    File-CD Gadget:
      Capacity: 64,07 GB (64 071 139 328 bytes)
      Removable Media: Yes
      BSD Name: disk3
      Logical Unit: 0
      Partition Map Type: Unknown
      USB Interface: 2
```
[2017-07-03 19:48:53] rulppa : if you need real serial, pm.
[2017-07-03 19:51:44] rulppa : now, while im back at the garage… anyone with 1.1.0.app link?
[2017-07-03 19:52:07] hans112 : <https://github.com/MAVProxyUser/DJIAssistant2Binaries/tree/master/OSX>
[2017-07-03 19:52:25] rulppa : manhug
[2017-07-03 19:53:00] hans112 : I am creating my Mac VM, will send details later
[2017-07-03 19:53:28] hans112 : hehehehe lol @rulppa
[2017-07-03 19:53:58] hostile : I just added a change, so thanks to those running... if someone with an Inspire or Phantom shows different output let me know
[2017-07-03 19:54:19] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/commit/c3c62caee1934b24529b6441f681ba3c671f3930>
[2017-07-03 19:55:01] cs2000 : Code looks good @hostile, appreciate the work that's gone into it. I don't have my Mac around currently so can't test (I get that the Windows version isn't working). Question about launching it however. I see in the code the script wants some launch variables. Am I right in thinking we open terminal as root, then type "ruby RedHerring.rb /system/bin/pwnt.sh /tmp/xxx'", but those two launch variables, what goes there? Are the ones in your example correct, or should I be editing something? I'm gonna need a _little_ more to go on!
[2017-07-03 19:55:29] hostile : Usage: ruby RedHerring.rb <remote_path_to_write_to> <local_file_to_write>
[2017-07-03 19:55:42] hostile : first arg is where you want to write on the remote drone
[2017-07-03 19:55:50] hostile : second arg is file local to you that will be pushed
[2017-07-03 19:56:46] cs2000 : Ahh ok
[2017-07-03 19:57:46] hans112 : and the file to write could be, for example, an existing .sh file with an extra line of code at the very end of that file :stuck_out_tongue:
[2017-07-03 19:59:30] hostile : nailed it
[2017-07-03 19:59:37] hostile : see the topic of this room
[2017-07-03 19:59:44] hostile : oh wait haha it never got set
[2017-07-03 20:00:09] hans112 : :laughing:
[2017-07-03 20:00:15] mingtao : any interested full dump of emmc from Mavic ? <http://dropmefiles.com/Y330R>
[2017-07-03 20:00:19] cs2000 : haha don't worry, I remember reading that earlier, ive scrolled up and had a look :wink:
[2017-07-03 20:00:21] hostile : set the channel topic: Start here: <https://dji-rev.slack.com/archives/C60KELF6H/p1499100610413431>
[2017-07-03 20:00:49] hostile : thanks @mingtao, you did this via hot air removal?
[2017-07-03 20:00:56] mingtao : yes
[2017-07-03 20:01:04] hostile : any notes on your technique and the tools (hardware and software) would be well welcomed
[2017-07-03 20:01:30] cs2000 : Probably a stupid question, but should there be two spaces between this special line? After the .sh and before / "-n2 start_dji_system.sh /system/bin/adb_en.sh"
[2017-07-03 20:01:46] hostile : @mingtao this says files were deleted
[2017-07-03 20:02:05] mingtao : fuck... will upload again
[2017-07-03 20:02:20] hostile : read the note
[2017-07-03 20:02:21] hostile : (tail is just showing you said line... don't add that!)
[2017-07-03 20:02:30] mingtao : <http://dropmefiles.com/Y330R>
[2017-07-03 20:02:30] cs2000 : DJI quick on the :gun:
[2017-07-03 20:02:32] hostile : tail is a unix command..
[2017-07-03 20:02:39] hostile : -n2 says show me the last two lines of this specific file
[2017-07-03 20:02:52] mingtao : also used Rstudio for recovering files from the dump
[2017-07-03 20:03:28] hostile : you have done nice work. I was scared to do this to mine for fear of ruining the PCB
[2017-07-03 20:03:46] cs2000 : Ahh, ok, I know tail, didn't know -X2 would show you X amount of lines. So actually the command is # RedHerring Additions start_dji_system.sh /system/bin/adb_en.sh
[2017-07-03 20:03:52] hostile : your files have this error though
[2017-07-03 20:04:05] cs2000 : lol @hostile we have 2 bricked mavics, didn't need another one did we :stuck_out_tongue_winking_eye:
[2017-07-03 20:04:21] mingtao : @hostile check twice all ok
[2017-07-03 20:04:25] hostile : correct @cs2000 the very last line in my start_dji_system.sh is /system/bin/adb_en.sh
[2017-07-03 20:04:39] hostile : We've got a bricked P4 too
[2017-07-03 20:04:40] hostile : lol
[2017-07-03 20:04:44] mingtao : will upload for any other file hosting
[2017-07-03 20:04:48] hostile : $90 will unbrick you with new core board
[2017-07-03 20:05:06] cs2000 : By the way, that download works fine for me. Want me to shove it on my FTP?
[2017-07-03 20:05:15] hostile : sure!
[2017-07-03 20:05:37] cs2000 : OK, give me a bit, good to have a few copies anyway _JUST_ in case
[2017-07-03 20:06:09] mingtao : <http://dropmefiles.com/Y330R> - all ok checked once again
[2017-07-03 20:10:39] mingtao : want to <https://github.com/MAVProxyUser/P0VsRedHerring> )!
[2017-07-03 20:10:49] mingtao : username mingtaoxin
[2017-07-03 20:11:13] hostile : added
[2017-07-03 20:11:57] mingtao : thanks! ready to Fuck DJI )
[2017-07-03 20:15:03] kilrah : hostile: p4p:
```
DJI:
  Product ID: 0x001f
  Vendor ID: 0x2ca3
  Version: ff.ff
  Serial Number: 0123456789ABCDEF
  Speed: Up to 480 Mb/sec
  Manufacturer: DJI
  Location ID: 0x14124000 / 10
  Current Available (mA): 500
  Current Required (mA): 0
  Extra Operating Current (mA): 0
```
[2017-07-03 20:21:24] the_lord : SUCCESS
[2017-07-03 20:21:47] the_lord : i could copy the test file
[2017-07-03 20:24:44] hostile : I added some notes for those of you that want to extract scripts from firmware images to use as a basis for your overwrites.
[2017-07-03 20:24:44] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/commit/73b1d6a12b34d7548c0b4cdd4d45e89e3d01b6f6>
[2017-07-03 20:26:38] the_lord : next test will be overwrite the init files :open_mouth: new board ordered :smile:
[2017-07-03 20:27:22] hostile : Spark pops instantly! I am stressing out trying to find a path for others. /cache may be the path to enlightenment. combined with a selective /data write.
[2017-07-03 20:29:51] hfman : So how did the actual bricks happen? Details so we can avoid making same mistake?
[2017-07-03 20:30:23] hostile : early versions didn't make the script write +x properly
[2017-07-03 20:30:28] hostile : and folks manually playing made accidents
[2017-07-03 20:30:37] hfman : ah.. makes sense
[2017-07-03 20:30:41] hostile : IF say for example you wrote the **wrong** content to your startup script..
[2017-07-03 20:30:43] hostile : you are fucked
[2017-07-03 20:30:47] hfman : eyp
[2017-07-03 20:31:06] hostile : /system/bin/start_offline_liveview.sh **may** be a safer target
[2017-07-03 20:31:11] hostile : to prevent total brick
[2017-07-03 20:31:25] hostile : caveat is I have NOT tested that
[2017-07-03 20:31:40] hfman : So, you got a custom start script working fine for Spark, but nobody has done the same for MP?
[2017-07-03 20:31:46] hostile : also I think some shit like /data/local.prop could be interesting
[2017-07-03 20:31:51] hostile : depending on how the android OS handles
[2017-07-03 20:31:56] hostile : there ARE special files laying around...
[2017-07-03 20:32:11] hostile : /dev/__properties__ as another example
[2017-07-03 20:32:24] hostile : MP has "ro" /system on all firmware I have seen
[2017-07-03 20:32:29] hostile : thats the bitch there
[2017-07-03 20:32:37] hostile : hence /cache may be the way to go
[2017-07-03 20:32:39] hfman : I see, so looking elsewhere
[2017-07-03 20:33:01] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/blob/master/RedHerring.rb#L171>
[2017-07-03 20:33:12] hostile : see notes on OTA.zip handling
[2017-07-03 20:33:37] hostile : examine how test_ota.sh works after detecting the presence of file /data/dji/cfg/test/ota (which you can create)
[2017-07-03 20:33:49] hostile : it interacts with /cache/ota.zip (which you can also write)
[2017-07-03 20:33:57] hostile : this is possible brick territory tho
[2017-07-03 20:34:05] hostile : also may be prime downgrade territory
[2017-07-03 20:34:23] hostile : (if you can find signed OTA files, and they **have** been seen laying around DJI servers)
[2017-07-03 20:35:36] hfman : Being as I'm not rooted, kinda like stumbling around in a completely dark room...
[2017-07-03 20:36:11] hostile : see my notes on extracting the filesystem using image.py or binwalk and start shining your flash light around
[2017-07-03 20:36:20] hostile : remember P0V did all of this without root...
[2017-07-03 20:36:31] hostile : so no excuses :wink:
[2017-07-03 20:36:33] hfman : Ah, true, hadn't though through this... makes sense
[2017-07-03 20:36:52] hfman : (I'm still on the honey-do list, so just dropping by when I can...)
[2017-07-03 21:26:40] cs2000 : @hostile sorry I forgot about the upload I was doing for you, here's the files from earlier! <https://polybotes.feralhosting.com/dji/> The EMMC dump is in the .....im sure you get it :wink:
[2017-07-03 21:52:18] ender : nite, happy 4th of July :wink:
[2017-07-03 22:28:29] d51 : great attack surface findings. <https://github.com/MAVProxyUser/P0VsRedHerring/blob/master/RedHerring4Win.rb#L110>
[2017-07-04 00:15:38] asoka : Hi I am not a programmer but really good at finding information in the net :slightly_smiling_face: lucky to find you great guys :slightly_smiling_face: I am all over mavic...please allow access to <https://github.com/MAVProxyUser/P0VsRedHerring> to follow your progress Tx!
[2017-07-04 00:16:12] hostile : Share a github username please
[2017-07-04 00:16:18] hostile : And I will add you
[2017-07-04 01:22:13] asoka : daivatam tx!
[2017-07-04 01:23:12] hostile : you've been added
[2017-07-04 02:36:26] hostile : @hdnes @coldflake I think I figured out the login issue...
[2017-07-04 02:36:46] hdnes : Cool
[2017-07-04 02:36:59] hdnes : Is it mavic specific
[2017-07-04 02:37:12] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/issues/1#issuecomment-312764515>
[2017-07-04 02:38:00] hdnes : Ahh I see
[2017-07-04 02:43:13] hostile : I am pushing a fix that should work with V1.1.2
[2017-07-04 02:43:21] hdnes : Awesome
[2017-07-04 02:43:30] hdnes : I'll likely be able to test tonight
[2017-07-04 02:47:27] hostile : git pull
[2017-07-04 06:04:56] cucuveauamov : can you add me to this git repository? I do penetration testing and reverse engineering as a hobby. I have a Mavic Pro and soon will have a DJI Matrice 100. I think I can help with this project. The username is cucuveauamov
[2017-07-04 06:17:54] hostile : DJI Independence Day - Spark Rooted July 4th (P0V retro sploit)
[2017-07-04 06:17:56] hostile : <https://www.youtube.com/watch?v=BTQ_CTih1HM>
[2017-07-04 06:18:05] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring>
[2017-07-04 06:18:12] hostile : Repo is now public access...
[2017-07-04 06:21:07] hans112 : :smile:
[2017-07-04 07:01:39] d51 : YOLO! no test just do it.
[2017-07-04 07:17:41] hans112 : I tried several versions of the assistant software, but the NFZ does not pop up
[2017-07-04 07:17:58] hans112 : I did see the login with the captcha, and was able to login
[2017-07-04 07:18:53] hans112 : and localhost shows the ruby webserver
[2017-07-04 07:20:45] hostile : guess you have some work to do... this took me a month to sort out. :wink:
[2017-07-04 07:21:04] hans112 : hehehehe
[2017-07-04 07:21:19] hostile : make sure you did a "git pull"
[2017-07-04 07:21:24] hostile : and that you do so often as I change it
[2017-07-04 07:21:28] hostile : read the commit log...
[2017-07-04 07:21:44] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/commits/master>
[2017-07-04 07:21:48] hostile : this is the path to manhood
[2017-07-04 07:21:59] hostile : I'm teaching you fuckers to fish... not placing it on your platter
[2017-07-04 07:22:01] hostile : =]
[2017-07-04 07:22:52] hans112 : I will pray for you in church :wink:
[2017-07-04 07:22:58] ender : I’d like fish-fingers while you’re at it ! :wink:
[2017-07-04 07:23:11] d51 : DJI blocks some product ser# <https://app-service.skypixel.com/api/invalid_md5_list> <https://app-service.skypixel.com/api/invalid_sn_list> I also block skypixel on hosts files {"status":0,"invalid_battery_md5_list":["c02bd42367d6146c744cbcfa2c8dd922"]} {"status":0,"invalid_battery_sn_list":["1152308289","1145224098"]}
[2017-07-04 07:23:32] d51 : but why battery? lol
[2017-07-04 07:23:42] hostile : @hans112 sounds like you outta pray for more knowledge in your brain... and perhaps pray for root?
[2017-07-04 07:23:43] hostile : heh
[2017-07-04 07:23:57] hostile : fake batteries... @d51
[2017-07-04 07:23:58] hans112 : I was too late.. burning in hell already
[2017-07-04 07:24:01] hostile : counterfeit
[2017-07-04 07:24:18] hostile : I'm not theistic anyway... your hell may not be mine.
[2017-07-04 07:24:21] hostile : **grin**
[2017-07-04 09:17:32] rulppa : `./RedHerring.rb:213:in `<main>': uninitialized constant Net (NameError)` hmm ?
[2017-07-04 10:05:35] rulppa : oh, ffs, didn't have gems because fresh osx install, sorry
[2017-07-04 10:13:12] cs2000 : @hostile Did you see my message to you late last night? Got those EMMC dumps uploaded that Mingtao provided
[2017-07-04 10:15:06] rulppa : aaand I2 latest fw is not r+w, no surprise tho..
[2017-07-04 11:37:14] mstranger : can you add me to github project to see the progress too?
[2017-07-04 11:38:04] hans112 : it is public now..
[2017-07-04 11:38:11] hans112 : so no need to add i guess? :slightly_smiling_face:
[2017-07-04 11:38:28] hans112 : has anyone tried it on a mac VM?
[2017-07-04 11:38:37] mstranger : ah ok. thanx
[2017-07-04 12:36:19] hostile : @mstranger you should be able to openly view the repo
[2017-07-04 12:36:21] hostile : Haha even the original man himself stopped by to congratulate me. <https://github.com/MAVProxyUser/P0VsRedHerring/issues/3>
[2017-07-04 12:42:15] rulppa : anyone here with osx and able to actually run the image.py? python3,
[2017-07-04 12:42:24] rulppa :
```
sh-3.2# python3 image.py wm620_1203_v01.02.00.46_20160918.pro.fw.sig
Traceback (most recent call last):
  File "image.py", line 27, in <module>
    from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto'
```
[2017-07-04 12:42:41] rulppa : and I do have crypto installed, uninstalled and installed again, no go.
[2017-07-04 12:42:54] rulppa : pycrypto and crypto, both.
[2017-07-04 12:42:57] hostile : Please make an issue here. <https://github.com/MAVProxyUser/P0VsRedHerring/issues/new>
[2017-07-04 12:43:43] hostile : I think I know the answer... and will reply there
[2017-07-04 12:45:16] rulppa : done
[2017-07-04 12:45:23] rulppa : kinda busy watching the independence day lol
[2017-07-04 12:45:46] hostile : hrmm did you click send on the issue?
[2017-07-04 12:45:51] hostile : link plz
[2017-07-04 12:46:02] rulppa : What‽ Your browser did something unexpected. Please contact us if the problem persists.
[2017-07-04 12:46:04] rulppa : ffw..
[2017-07-04 12:46:38] rulppa : need to switch browsers, opera failed me
[2017-07-04 12:48:23] rulppa : done again
[2017-07-04 12:49:09] rulppa : opera is kinky, tried answering hak5 secret question 2 days, until i figured it's the opera, not my answer. always said it's wrong no matter how i wrote it :confused:
[2017-07-04 13:28:14] rulppa : is there other way to get what i want, image.py just doesn't work for me and i need to get i2 files, can't use mavic .shs or i will brick for sure..
[2017-07-04 13:29:07] hostile : Share some of your .sig files with @freaky123 ?
[2017-07-04 13:29:22] hostile : Can you show the error here?
[2017-07-04 13:30:12] rulppa : sure.. @freaky123 willing to do that?
[2017-07-04 13:30:13] rulppa : sh-3.2# python3 image.py wm620_1203_v01.02.00.46_20160918.pro.fw.sig
Traceback (most recent call last):
  File "image.py", line 27, in <module>
    from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto
[2017-07-04 13:32:03] the_lord : I guess this file for the ESC
[2017-07-04 13:32:13] the_lord : 1203
[2017-07-04 13:32:55] the_lord : You need to check the 800X files
[2017-07-04 13:34:05] rulppa : sh-3.2# python3 image.py wm620_0801_v01.00.00.82_20170601.pro.fw.sig
Traceback (most recent call last):
  File "image.py", line 27, in <module>
    from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto'
[2017-07-04 13:34:07] rulppa : doesnt matter
[2017-07-04 13:34:58] rulppa : 0800 files i have on firm_cache, but nothing with 800x tho
[2017-07-04 13:36:18] freaky123 : This is really an install error of the crypto library
[2017-07-04 13:36:45] freaky123 : 1203 is indeed for the last esc 1200 is the first esc
[2017-07-04 13:36:59] freaky123 : But I can confirm they are exactly the same
[2017-07-04 13:38:44] hostile : You can also use "binwalk -e" to extract
[2017-07-04 13:45:07] kilrah : you must not have both Crypto and pycrypto
[2017-07-04 13:45:16] kilrah : remove both and install pycrypto only
[2017-07-04 13:45:22] kilrah : <https://stackoverflow.com/questions/31485110/no-module-named-crypto-cipher>
[2017-07-04 13:48:30] rulppa : i have both
[2017-07-04 13:48:41] rulppa : but i will try once more and remove both first
[2017-07-04 13:51:29] kilrah : the point is that's the problem, you must only have one installed, NOT both
[2017-07-04 13:52:42] rulppa : binwalk :heart:
[2017-07-04 14:17:08] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/issues/5>
[2017-07-04 14:17:23] hostile : some ideas on how to find vulnerable versions
[2017-07-04 14:33:04] hans112 : I can't get the nfz pop up to appear.... I tried all available versions for Mac.. I can see the files being prepared, but never the nfz update. I work on Mac os in a VM. Tried logging in first, then log in with the test server command... Still no joy :thinking_face: so I need to pray or does anyone have a clue what the solution could be ?
[2017-07-04 14:33:58] hostile : Tcpdump is your friend
[2017-07-04 14:34:21] hostile : Be sure you "git pull" and use most recent version (tested with 1.1.2)
[2017-07-04 14:35:06] hostile : If you share tcpdump or wireshark log it will help. Be sure to delete packet with your password to go portal
[2017-07-04 14:36:06] hans112 : Ok, thanks. Will try that and see if anything pops up...
[2017-07-04 15:57:30] rulppa : is there a way to open those .img:s included in fw, bootarea, img normal.img etc?
[2017-07-04 16:04:03] rulppa : ext4fuse?
[2017-07-04 16:09:06] freaky123 : my image.py tool
[2017-07-04 16:09:29] freaky123 : except for bootarea.img that is a different kind of image
[2017-07-04 16:10:02] freaky123 : that is just directly dd'ed into the bootarea
[2017-07-04 16:14:46] rulppa : trying to find original init files from the i2 fw
[2017-07-04 16:15:24] rulppa : to get the r+w without using mavics init, because idk how much different those are, probably same but just to be sure..
[2017-07-04 16:17:48] rulppa : are those files inside one of those .imgs anyway?
[2017-07-04 18:43:28] hans112 : @hostile with what firmware version is the nfz update notification tested ? I had a friend's Mavic (.700) connected to a regular DJI assistant, and the notification popped up directly.... I am on .400 , should that make any difference?
[2017-07-04 18:46:36] hostile : Firmware version should not matter as far as I know. Currently tied to assistant functionality. Tested with 1.1.2
[2017-07-04 18:48:47] hans112 : Ok. I will test the .700 and then the .400 with the same setup. If there is something different on the .400 I will log and let you know
[2017-07-04 19:07:18] droner69 : I could not get the NFZ update to pop up on my .400 either. Tried on Sierra and El Capitan macOS versions. I'm gonna try the .700 as well and test.
[2017-07-04 19:20:43] hostile : Tcpdump anyone having issues also make sure your hosts file is clean before starting
[2017-07-04 19:34:41] droner69 : Updated to .700 and now it works perfectly :D
[2017-07-04 19:37:03] hostile : I've been wondering if a Reset to defaults would be in order first
[2017-07-04 19:37:18] hostile : Did you have any altered FlyC parameters ?
[2017-07-04 19:39:36] droner69 : I reset defaults yesterday and then even reflashed .400 before trying other set ups and could never get it
[2017-07-04 19:40:19] hans112 : Ahh oké. That might explain something. I have altered parameters on my .400. you flashed a clean .700 and then the nfz update notification came?
[2017-07-04 19:41:35] hostile : @droner69 would you file an issue in github and explain exactly that so it can be looked into further ?
[2017-07-04 19:42:10] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/issues/new>
[2017-07-04 19:42:40] hostile : You can pick either of the latest two firmware versions at the very least
[2017-07-04 19:51:52] droner69 : I just also tried your beta RedHerring.rb from 7/2/2017 with the assistant auto start still in it and it works as well now
[2017-07-04 19:51:53] droner69 : Yeah no problem at all
[2017-07-04 20:10:18] mingtao : so .. is any way to update Mavic to .700 ?
[2017-07-04 20:10:35] asoka : yep this was prepared to ask myself :slightly_smiling_face:
[2017-07-04 20:11:03] mingtao : i try with exploit... but stuck
[2017-07-04 20:13:29] hostile : @droner69 never mind on the new issue... add notes here plz <https://github.com/MAVProxyUser/P0VsRedHerring/issues/1>
[2017-07-04 20:19:12] droner69 : Oops just posted it before seeing this. I'll transfer it there
[2017-07-04 20:21:28] mstranger : so guys are you close to be able downgrade firmware?
[2017-07-04 20:26:26] hostile : @mstranger i suspect /data/ota.zip and test_ota.sh can make that happen...
[2017-07-04 20:31:57] mossad911 : dumb question but say DJI closes the loop with a firmware update that blocks downgrading or edits the bootloader, then even if you found a way to root the mavic, that would only work on preexisting units that had not been forced updated to firmware 900 or above?
[2017-07-04 20:43:38] mstranger : good news hostile. mossad911 sure thing is that dji have an eye on what the scene is working on, and logic says that they will close any "holes" exist with a firmware update maybe?
[2017-07-04 20:44:57] mossad911 : that is why they have the app forcing updates, and why they pulled all fw except 900.
[2017-07-04 20:45:08] mossad911 : so even a root mavic won't get ahead.
[2017-07-04 20:47:20] mstranger : what ever the will patch will be after .900, so stay under 900 and will be free
[2017-07-04 20:49:02] mossad911 : Sure I will, I'm still on 400. I'm saying most of the population of Mavic owners will be forced onto whatever is next that won't be able to go back.
[2017-07-04 21:06:09] hostile : this is a cat and mouse game... always room for them to make mistakes, also all part of the fun "say DJI closes the loop with a firmware update that blocks downgrading or edits the bootloader,"
[2017-07-04 21:07:41] mossad911 : It is asymmetric though, ultimately security wins.
[2017-07-04 21:08:00] hostile : not when humans are involved...
[2017-07-04 21:08:20] hostile : they can't afford to make this ship unexploitable.
[2017-07-04 21:08:27] hostile : we'd never be able to afford the product
[2017-07-04 21:11:36] mossad911 : Yes. And one last thing, that Brendan Schulman is a real work of art with his snobby proactive policy of self appeasement. And Bezos/Amazon just wants the hobbyist drone out the way so they can do their delivery thing. DJI wants to go "enterprise" and see the wave of the future, like how Nvidia woke up and realized instead of gaming cards they need to be doing AI. Apple might buy DJI and then DJI will be able to make a security tight product
[2017-07-04 21:24:39] fldatatek : Got out and tested .400 with the setting changes to disable NFZ within 1 mile of the tower in a Class D airspace (airport is closed today as it is no longer a military base but a airport owned by the city/county) and I had zero issues taking off (only flew it 10 feet off the ground as a test, have no plans to actually fly there).
[2017-07-04 21:30:55] mossad911 : @fidatatek, when you changed the values for that setting where you put in 2025 something, did it stick or did it revert back to "2" afterwards?
[2017-07-04 21:31:27] mossad911 : I don't have a NFZ to test but another guy online says it reverts and he can't even start engines. he is on 400
[2017-07-04 21:31:30] fldatatek : Nope mine stuck. Even power cycled the aircraft and A2 to verify
[2017-07-04 21:33:14] mossad911 : u were on stock 400 or used the VM to revert back?
[2017-07-04 21:33:38] fldatatek : used VM to revert back
[2017-07-04 21:33:47] hostile : @mossad911 schulmann and I... at AUVSU mid **heated** conversation.
[2017-07-04 21:33:48] fldatatek : I was at .600 before I reverted.
[2017-07-04 21:33:49] hostile : <https://twitter.com/d0tslash/status/862670999942307840>
[2017-07-04 21:33:57] hostile : Monica trolled us.
[2017-07-04 21:38:04] mossad911 : Hmmm...so what happened? that was taken in May.
[2017-07-05 08:43:24] hans112 : @hostile Yes, on .700 firmware the nfz notification pops up ... On .400 is does not. Thanks!
[2017-07-05 08:44:31] singlag : I do a range test about fcc vs ce, it seem only affect RC signal but no video signal improve, strange
[2017-07-05 08:44:51] singlag : wrong channel:speak_no_evil:
[2017-07-05 08:49:10] the_lord : you can exploit the /amt/country.txt with tar NOT TESTED
[2017-07-05 08:49:53] the_lord : from mavic kernel log (country code replaced with XX for privacy)
<6>[ 4.000981] c0 41 (kworker/0:1) Regulatory domain changed to country: XX
<6>[ 4.000991] c0 41 (kworker/0:1) (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
<6>[ 4.001001] c0 41 (kworker/0:1) (2402000 KHz - 2482000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
<6>[ 4.001011] c0 41 (kworker/0:1) (5735000 KHz - 5835000 KHz @ 20000 KHz), (500 mBi, 1400 mBm)
[2017-07-05 08:50:12] the_lord : i don't know if this is FCC or CE tho
[2017-07-05 08:52:15] rulppa : that's the frequency for 2.4 and 5g.... and shows only CE i think
[2017-07-05 08:53:04] rulppa : maybe it defaults back to that, if it doesn't get proper country code for FCC
[2017-07-05 08:58:04] the_lord : i'm not sure if the country i'm in is considered CE or FCC
[2017-07-05 08:58:24] the_lord : how many watts the 2000 mBm ??
[2017-07-05 09:16:37] rulppa : 0.1w?
[2017-07-05 09:17:08] asoka : search online converter?
[2017-07-05 09:18:00] the_lord : i searched but didn't find
[2017-07-05 09:18:10] the_lord : otherwise i will not ask :slightly_smiling_face:
[2017-07-05 09:18:44] rulppa : me neither
[2017-07-05 09:18:57] rulppa : dunno if that can be converted to watts at all
[2017-07-05 09:19:24] asoka : <http://www.rapidtables.com/convert/power/dBm_to_mW.htm>
[2017-07-05 09:21:36] the_lord : it is not dBm
[2017-07-05 09:21:40] the_lord : it is mBm
[2017-07-05 09:28:00] asoka : what is mBm? :slightly_smiling_face:
[2017-07-05 09:29:11] asoka : Yep now I see but I don't know what is mBm, mBi...first time seeing
[2017-07-05 09:31:51] asoka : But they correspond to standard dBm of remote in CE and FCC...and suggested that the range is tuned according to need between that limits
[2017-07-05 09:33:19] the_lord : so does it mean 2000 mBm i'm on FCC mode?
[2017-07-05 09:34:11] the_lord : can anybody who made the FCC mod send the kernelxx.log files so we can double check?
[2017-07-05 09:40:41] asoka : Hmm , I hurried to take conclusions when I am at work and doing other stuff :)) (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp) this is what they state about that parameters...need more researching
[2017-07-05 09:44:23] asoka : <http://sss-mag.com/calcdb.html>
[2017-07-05 14:12:11] hostile : 'BTW mounting /system RO is "the standard" for android' from a friend.
[2017-07-05 14:20:22] d51 : your friend's answer correct
[2017-07-05 14:28:28] hostile : We had some success last night with /data/properties as a write location attempting to create persistent properties hoping they'd be used at boot.
[2017-07-05 14:29:43] d51 : I will make my own fail-safe root/custom functions with SDcard
[2017-07-05 14:30:19] d51 : after my OSX repair.
[2017-07-05 14:31:30] d51 : it will be easy to share(for offline flight sight friends) and recovery.
[2017-07-05 14:32:32] the_lord : @d51 can you explain more details please
[2017-07-05 14:32:34] hans112 : That sounds promising
[2017-07-05 14:34:19] rulppa : Asked about this before, can we boot from sd? Had same thing in my mind
[2017-07-05 14:34:35] d51 : not a big skills. If some configs goes wrong, pull the sdcard then reboot it. works normal.
[2017-07-05 14:35:29] d51 : Ah meaning boot from SDC? I think need to work flash's boot point modify.
[2017-07-05 14:36:14] rulppa : Sdc or usb stick,does it try those before normal boot, idk
[2017-07-05 14:39:19] d51 : Working with boot flash I think. Like PC-BIOS's default boot point 0x80h(DISK1) to 0x81h(DISK2)
[2017-07-05 14:40:07] d51 : also need to change recovery image too.(DJI checks their system integrity?)
[2017-07-05 14:40:35] d51 : I found APP it does
[2017-07-05 15:49:50] hostile : @channel Ok folks... we are having some progress writing to /data/properties We need just a LITTLE help from folks that understand android and we can likely have some success on ALL platforms.
What we found is that DJI seems to have removed the /data/property folder and as such no persistent settings are maintained. This will give you a basic understanding of android properties...
<https://chengyihe.wordpress.com/2016/12/05/android-readwrite-system-properties/>
<https://chengyihe.wordpress.com/2016/12/05/android-persist-system-properties/>
To test the theory out... I used a craft I already have root on and created the /data/property folder (which we can do via the tar file and other methods)
root@wm220_dz_ap0002_v1:/data/ # mkdir /data/property
root@wm220_dz_ap0002_v1:/data/ # setprop persist.service.adb.debuggable 1
root@wm220_dz_ap0002_v1:/data/ # setprop persist.service.adb.enable 1
root@wm220_dz_ap0002_v1:/data/ # setprop persist.sys.usb.config rndis,mass_storage,bulk,acm,adb
I did an adb pull of the /data/property directory so I could examine it.
root@wm220_dz_ap0002_v1:/data/property # ls -al
-rw------- root     root            1 1980-01-01 00:37 persist.service.adb.debuggable
-rw------- root     root            1 1980-01-01 00:36 persist.service.adb.enable
-rw------- root     root           31 1980-01-01 00:37 persist.sys.usb.config
$ ls
persist.service.adb.debuggable persist.service.adb.enable persist.sys.usb.config
$ xxd persist.service.adb.debuggable
00000000: 31                                       1
$ xxd persist.service.adb.enable
00000000: 31                                       1
$ xxd persist.sys.usb.config
00000000: 726e 6469 732c 6d61 7373 5f73 746f 7261  rndis,mass_stora
00000010: 6765 2c62 756c 6b2c 6163 6d2c 6164 62    ge,bulk,acm,adb
Upon rebooting the drone it was immediately clear the properties took hold as the boot was different. We don't fully understand the process, but are digging in.
As an example at one point we reduced the power of the ADB shell to NOT be root via "service.adb.root [1]"
shell@wm220_dz_ap0002_v1:/ $
Reading the source to init has helped... specifically their comment on writable directories leading to security bugs.
<https://android.googlesource.com/platform/system/core/+/kitkat-release/init/init.c>
<https://android.googlesource.com/platform/system/core/+/kitkat-release/rootdir/init.rc>
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
Right now we need to keep digging into how the internals of the android boot process work, any help is welcome!
<https://chengyihe.wordpress.com/2016/12/05/android-how-system-properties-are-loaded-at-boot-time/>
[2017-07-05 15:51:59] hostile : Detail kept in git here... <https://github.com/MAVProxyUser/P0VsRedHerring/issues/5>
[2017-07-05 15:55:51] hfman : @hostile ... interesting findings. Unfortunately, I am of zero help when it comes to android...
[2017-07-05 15:56:28] the_lord : before i add the persist properties to /data via ftp i didn't see anything related to adb kernel log but after the add i can see it
[2017-07-05 15:57:25] hostile : @hfman put on your big girl panties like the rest of us... I know fuck all about it too. =]
[2017-07-05 15:58:29] the_lord : i've never dealt with android
[2017-07-05 15:58:32] hfman : ya, I hear you!
[2017-07-05 15:58:55] hostile : @the_lord thanks for the help last night! We've both lost much sleep this month lol
[2017-07-05 15:59:14] the_lord : most welcome
[2017-07-05 15:59:21] hostile : Grab a machette and blaze a trail with us. =]
[2017-07-05 16:12:40] jan2642 : I would love to help with all this but my resources are very limited as I am on vacation with the family in the middle of nowhere...
[2017-07-05 16:14:47] the_lord : enjoy
[2017-07-05 16:14:49] jan2642 : Also no android specific knowledge but I'll read up as soon as the webpages load at this blazing speed
[2017-07-05 16:14:57] jan2642 : Thx
[2017-07-05 16:15:49] hostile : @jan2642 that is all we are doing... I have very little android experience
[2017-07-05 16:18:43] jan2642 : This morning I briefly looked at test_ota but I don't know if that's the way in. It allows you to put an unsigned normal.img in the recovery that likely will be flashed the next boot but won't the bootloader check the kernel's signature ? That would likely brick it...
[2017-07-05 16:20:32] freaky123 : Yes it checks
[2017-07-05 16:20:56] jan2642 : Makes sense
[2017-07-05 16:38:50] hostile : but what about old techniques of changing the mount flags on /system for example...
[2017-07-05 16:39:09] hostile : <https://forum.xda-developers.com/showthread.php?t=2073775>
[2017-07-05 16:40:10] hostile : aka... drop a modded /cache/ota.zip set to change /system flags... then drop the file /data/dji/cfg/test/ota which will make kick off /system/bin/test_ota.sh
[2017-07-05 16:40:24] hostile : that **could** work on ALL platforms as both /cache and /data are writable by us.
[2017-07-05 16:46:00] hostile : <https://github.com/osm0sis/Android-Image-Kitchen>
[2017-07-05 16:46:47] jan2642 : Yes but it would flash a normal.img without proper signature. test_ota.sh only unzips normal.img from ota.zip
[2017-07-05 16:47:28] hostile : what verifies the signature?
[2017-07-05 16:47:38] hostile : they are using Android test keys...
[2017-07-05 16:47:49] hostile : [ro.build.description]: [full_wm220_dz_ap0002_v1-userdebug 4.4.4 KTU84Q eng.jenkins.20170619.214217 test-keys]
[2017-07-05 16:48:00] hostile : @diff where the fuck are you man! this is your territory
[2017-07-05 16:48:59] jan2642 : Normal.img contains the kernel which is verified by the bootloader
[2017-07-05 16:50:10] hostile : is this how you bricked me before @freaky123 basically?
[2017-07-05 16:53:00] jan2642 : Do you have the private key of the test keys ? E.g. at work we also use test & production keys but while our test keys are known by the developers, they are not by the outside world and a device has to be marked as 'dev' before it will accept the test key.
[2017-07-05 16:53:14] hostile : SO @jan2642 re the unzipping process... I am wondering about bugs in the the minzip implementation also FWIW.
[2017-07-05 16:53:31] hostile : <https://android.googlesource.com/platform/libcore/+/2da1bf57a6631f1cbd47cdd7692ba8743c993ad9>
[2017-07-05 16:55:20] hostile : I just have access to otacerts.zip
[2017-07-05 16:56:03] jan2642 : Good point (but that bug is in android's java, not applicable here)
[2017-07-05 16:56:20] hostile : not true
[2017-07-05 16:56:30] hostile : /sbin/recovery uses Minzip to unpack ota.zip
[2017-07-05 16:56:43] hostile : poke around and read the logs in /cache/recovery
[2017-07-05 16:57:23] hostile : root@wm220_dz_ap0002_v1:/cache/recovery # cat last_install /cache/ota.zip 1
[2017-07-05 16:58:27] hostile : you can see right here minzip is called
[2017-07-05 16:58:28] hostile : Finding update package...
I:Update location: /cache/ota.zip
Opening update package...
I:read key e=3 hash=20
I:1 key(s) loaded from /res/keys
Verifying update package...
I:comment is 1738 bytes; signature 1720 bytes from end
I:whole-file signature verified against key 0
I:verify_file returned 0
Installing update...
E:Could not open fifo /etc/upgrade_sts, err 6.
E:Process 90, result -1.
E:Write value to fifo_udsts failure. err 9.
Creating filesystem with parameters:
    Size: 134217728
    Block size: 4096
    Blocks per group: 32768
    Inodes per group: 8192
    Inode size: 256
    Journal blocks: 1024
    Label:
    Blocks: 32768
    Block groups: 1
    Reserved block group size: 7
Created filesystem with 11/8192 inodes and 1550/32768 blocks
minzip: Extracted 0 file(s)
minzip: Extracted 353 file(s)
[2017-07-05 16:58:58] hostile : @freaky123 are ALL images checked?
[2017-07-05 16:59:26] hostile : normal.img bootarea.img and recovery.img
[2017-07-05 17:06:58] jan2642 : Minzip is a small native implementation, not in Java. I found a link but my internet is too slow to load it: <https://android.googlesource.com/platform/bootable/recovery/+/28a566f7731b4cb76d2a9ba16d997ac5aeb07dad/minzip/>
[2017-07-05 17:09:17] hostile : android java is always weird though as it hits native code via JNI shit
[2017-07-05 17:09:27] hostile : gonna keep poking!
[2017-07-05 17:10:26] hostile : so on that note...
[2017-07-05 17:10:27] hostile : <https://android.googlesource.com/platform/bootable/recovery/+/28a566f7731b4cb76d2a9ba16d997ac5aeb07dad>
[2017-07-05 17:10:36] hostile : "Fix integer overflows in recovery procedure."
[2017-07-05 17:10:41] hostile : I recall that impacted 5.x
[2017-07-05 17:10:47] hostile : was 4.x legacy code also vuln?
[2017-07-05 17:11:05] jan2642 : Is there even any java code running on a Mavic ? I haven't seen any Dalvik things in the extracted filesystems
[2017-07-05 17:17:32] ender : ---BTW--- If you need some GUI App quick’n’dirty i work in Qt multiplatform , so i can wrap a GUI around stuff you do…, of course the usual job vs kids vs wife constraints hinder me but i’ll try ----
[2017-07-05 17:17:37] hostile : I've not seen
[2017-07-05 17:17:48] hostile : P4+ screen does this, but that is off topic
[2017-07-05 17:24:34] jan2642 : I quickly went through all the shell scripts this morning grepping for use of backticks and $( but haven't found any obvious holes... In my limited time I'm also still digging through dji_sys looking for use of system(), popen() & execve(). I don't know yet if any of the other tools running on the Mavic use these calls.
[2017-07-05 17:27:14] ender : @the_lord , just saw your file “disable_dji_limits.txt”, beeing curious i tried to dload but it stalls, any idea ?!
[2017-07-05 17:37:29] the_lord : How did you try to load?
[2017-07-05 17:40:59] jan2642 : The most promising path I'm on is to invoke the test_*.sh scripts. There are references both in dji_sys and Assistant (the /board_test WS) but so far no such luck. I don't know the WS syntax for /board_test and there's nothing about it in the Phantom wireshark dissector. Add to that that the C++ the Assistant service is written in is hell to disassemble/decompile... Still some work left...
[2017-07-05 17:41:18] ender : well, just pressed download in the slack interface :slightly_smiling_face: like always…
[2017-07-05 17:42:23] the_lord : When i go home I'll send it to you
[2017-07-05 17:42:59] ender : np, just saying
[2017-07-05 17:43:09] ender : maybe someone actually needs it :wink:
[2017-07-05 18:01:51] the_lord : @ender i just downloaded the file its working fine <https://dji-rev.slack.com/files/the_lord/F61TPJE3F/disable_dji_limits.txt>
[2017-07-05 18:10:32] singlag : @the_lord 1000 mbm should be = 20dbm, so 2000mbm = 20dbm = 100mw = ce mode
[2017-07-05 18:11:00] the_lord : @singlag thank you so much
[2017-07-05 18:11:46] singlag : :slightly_smiling_face:
[2017-07-05 18:12:01] the_lord : you mean 1000 mBm = 10dbm or 20 dbm?
[2017-07-05 18:12:37] singlag : oops, 1000mbm = 10dbm
[2017-07-05 18:12:42] singlag : typo
[2017-07-05 18:12:57] hostile : @jan2642 "The most promising path I'm on is to invoke the test_*.sh scripts. " you and me both brother! been staring at them for weeks lol
[2017-07-05 18:13:17] hostile : lots of goofy shit you can touch in /data to start them
[2017-07-05 18:41:08] jan2642 : @hostile at the end of dji_sys is a large array with a bunch of test scripts in them accompanied with a sequence number. They are referenced by **mp_test** functions in dji_sys. These functions have similar names as the board_test WS commands: start
[2017-07-05 18:41:32] jan2642 : ... start_test, start_process, etc.
[2017-07-05 18:42:59] jan2642 : One of the referenced scripts is secure_debug.sh (at index 8 if memory serves me right)
[2017-07-05 18:44:31] the_lord : index 0x14 = 20 decimal
[2017-07-05 18:46:29] hostile : " A secret command can be sent over USB which would switch a debug flag, and would run ADB over USB on the next boot. This ADB server allows regular debug root shell (basically, fully owning the Mavic)." - <https://www.rcgroups.com/forums/showpost.php?p=36232471&postcount=15113>
[2017-07-05 18:46:31] hostile : :wink:
[2017-07-05 18:47:03] jan2642 : My memory failed me... ;-)
[2017-07-05 18:48:33] jan2642 : @hostile exactly that...
[2017-07-05 18:49:20] hostile : heh @freaky123 this looks like an insta bricker
[2017-07-05 18:49:22] hostile : "Vold 2.1 (the revenge) firing up /data/.first_flash format udisk when .first_flash exist! busybox mkfs.vfat /dev/block/platform/comip-mmc.1/by-name/udisk"
[2017-07-05 18:53:44] jan2642 : Anyone has dtrace scripts to sniff the USB serial port ? Otherwise I'd have to run usbpcap in a windows VM.
[2017-07-05 19:52:41] hostile : anyone already having root these are useful for debugging.
root@wm220_dz_ap0002_v1:/ # setprop ctl.stop dji_flight
root@wm220_dz_ap0002_v1:/ # setprop ctl.stop dji_encoding
root@wm220_dz_ap0002_v1:/ # setprop ctl.stop dji_uav
root@wm220_dz_ap0002_v1:/ # setprop ctl.stop dji_hdvt_uav
root@wm220_dz_ap0002_v1:/ # setprop ctl.stop dji_hdvt_monitor
root@wm220_dz_ap0002_v1:/ # setprop ctl.stop dji_monitor
root@wm220_dz_ap0002_v1:/ # busybox ps | grep dji_
  229 0          0:03 /system/bin/dji_sys
root@wm220_dz_ap0002_v1:/ # dji_flight
area_num:0
uid: 0x98 0x9a 0x25 0x3b 0x0a 0xf3 0x54 0x4e 0xee 0x01 0x9e 0xd1 0x75 0x10 0xd3 0x0d
[2017-07-05 19:52:56] hostile : Quick way to kill the processes so you can start them manually
[2017-07-05 19:58:10] freaky123 : Yes but then with the bootloader
[2017-07-05 20:01:14] freaky123 : Nope that is the fc sd card
[2017-07-05 20:12:10] hostile : ahh i saw u-disk and thought it was where uboot sat.
[2017-07-05 20:12:19] hostile : Well that makes a nice quick log file wiper in any case.
[2017-07-05 20:23:04] freaky123 : ;)
[2017-07-06 00:16:12] diff : agh, sorry all
[2017-07-06 00:16:20] diff : family vacation stuff :wink:
[2017-07-06 00:29:29] hostile : @diff we need that Android ninja of yours :)
[2017-07-06 01:02:19] diff : So we have code execution on the drone?
[2017-07-06 01:02:51] diff : We should be able to upgrade any of their apps since they are all test signed
[2017-07-06 01:03:06] diff : Late boarding the plane. If there is WiFi I'll try to catch up on the back log
[2017-07-06 01:06:16] diff : Is anyone available to tldr where we are at?
[2017-07-06 01:07:11] diff : Or is the repo the most up to date stuff
[2017-07-06 04:35:19] hostile : there are actually NO apps on the drone!
[2017-07-06 04:35:25] hostile : nothing Java, no apks, etc.
[2017-07-06 06:05:59] hostile : @channel I THINK I just rooted them all... cross your fingers.
[2017-07-06 06:06:33] hostile : $ telnet 192.168.42.2 1234
Trying 192.168.42.2...
Connected to 192.168.42.2.
Escape character is '^]'.
id;
uid=0(root) gid=0(root)
[2017-07-06 06:06:35] hostile : on reboot
[2017-07-06 06:06:36] hostile : =]
[2017-07-06 06:06:37] rwijnhov : Thats amazing
[2017-07-06 06:06:54] hostile : using Red Herring
[2017-07-06 06:09:14] hostile : $ cat grep
/system/xbin/busybox touch /tmp/xxx.$$
/system/xbin/busybox touch /data/yyy.$$
/system/xbin/busybox nc -l -p 1234 -e /system/xbin/sh &
[2017-07-06 06:09:30] hostile : only need to drop a +x file in /upgrade/.bin/grep
[2017-07-06 06:09:38] hostile : after doing a mkdir /upgrade/.bin
[2017-07-06 06:11:26] hans112 : :D
[2017-07-06 06:39:13] jan2642 : @hostile cool! I’ll give it try somewhere today. How does it get triggered ? Looks like its PATH related.
[2017-07-06 06:39:27] jan2642 : s/its/it’s
[2017-07-06 06:39:38] hostile : **confirmed** we just rooted Mavic with RedHerring. - <https://github.com/MAVProxyUser/P0VsRedHerring/commit/94e6f2c098a1c8556320d0ee994f3b6fa3e1ff03> Phantom4 series, Mavic Pro, Inspire 2, and Spark #Jailbreak
[2017-07-06 06:40:18] hostile : I'm gonna let them find that needle...
[2017-07-06 07:00:40] jan2642 : Ok, I think I see it but I’ll keep quiet for now :wink:
[2017-07-06 07:03:25] jan2642 : Congratulations on finding that, I looked many times at it and missed it every time…
[2017-07-06 07:08:33] d51 : Nice hunting! maybe I think @hostile has no job, How many time do u spent for bothering your mavic? lol
[2017-07-06 07:17:45] hostile : maybe this is my job :wink:
[2017-07-06 07:18:26] jan2642 : Then today it’s time to ask for a raise :wink:
[2017-07-06 07:18:32] hostile : LOL
[2017-07-06 08:03:40] bjoneseying : Congrats on the find guys
[2017-07-06 11:59:49] coldflake : AWESOME! JUST AWESOME!
[2017-07-06 12:06:58] rwijnhov : do we have it working on windows yet? Or still no soup for us ?
[2017-07-06 12:29:34] the_lord : i'm testing it now on Mac
[2017-07-06 12:29:40] the_lord : it gave me telnet
[2017-07-06 12:30:02] the_lord : but the drone's telnet is garbage none of the commands is working
[2017-07-06 12:31:25] coldflake : @rwijnhov No not yet, but as soon as I am done with my stupid app I hope that @hostile will be helpful (wink wink man) so that I can code it for windows in speed of light.
[2017-07-06 12:31:29] the_lord : my bad i was connecting to the wrong port
[2017-07-06 12:58:03] hostile : the_lord.... type ";" after your commands... this is normal for this type of shell.
[2017-07-06 12:58:38] hostile : @here I'll look at windows compatibility today
[2017-07-06 12:59:57] hostile : @the_lord so you had success?
[2017-07-06 13:00:31] the_lord : not yet
[2017-07-06 13:04:53] the_lord : @hostile is it ok like this sudo ruby RedHerring.rb /data/ grep
[2017-07-06 13:05:05] the_lord : the update failed after 100%
[2017-07-06 13:05:21] hostile : you have a bad command line argument
[2017-07-06 13:05:32] hostile : sudo ruby RedHerring.rb /data/.bin/grep grep
[2017-07-06 13:05:45] the_lord : ohh my bad
[2017-07-06 13:06:17] hostile : "/data/.bin/grep" being the file to overwrite on the drone... and "grep" being the file in your current directory named "grep" for pushing to the drone
[2017-07-06 13:07:22] the_lord : understood
[2017-07-06 13:08:06] the_lord : update complete
[2017-07-06 13:09:25] the_lord : but no telnet on 192.168.42.2:1234
[2017-07-06 13:09:33] hostile : reboot
[2017-07-06 13:09:34] the_lord : should i reboot the drone?
[2017-07-06 13:09:35] hostile : yup
[2017-07-06 13:10:23] the_lord : nothing
[2017-07-06 13:10:30] rulppa : ok back home, let me join the party :slightly_smiling_face:
[2017-07-06 13:10:42] hostile : ftp in and check /update/.bin
[2017-07-06 13:10:46] hostile : make sure grep binary exists
[2017-07-06 13:11:02] hostile : and make sure it is "+x"
[2017-07-06 13:11:10] the_lord : its there
[2017-07-06 13:11:42] hostile : let me hit you in a PM and see what the problem is
[2017-07-06 13:11:45] hostile : I JUST woke up
[2017-07-06 13:12:32] the_lord : grep is -rwxr-xr-x
[2017-07-06 13:12:55] hostile : cat grep for me
[2017-07-06 13:13:03] hostile : let me make sure there is not a typo in it
[2017-07-06 13:13:11] hostile : one of the git pushes had an error
[2017-07-06 13:13:20] hostile : calling "nc" from /xbin incorrectly
[2017-07-06 13:13:22] hostile : IIRC
[2017-07-06 13:13:45] hostile : hah
[2017-07-06 13:13:49] hostile : I didn't git push before bed I think
[2017-07-06 13:13:52] hostile : bash-3.2$ git push Counting objects: 6, done. Delta compression using up to 4 threads. Compressing objects: 100% (6/6), done. Writing objects: 100% (6/6), 772 bytes | 0 bytes/s, done. Total 6 (delta 3), reused 0 (delta 0) remote: Resolving deltas: 100% (3/3), completed with 2 local objects. To <https://github.com/MAVProxyUser/P0VsRedHerring.git> bb3d419..0461b3e master -> master
[2017-07-06 13:14:25] hostile : make sure you don't have this error
[2017-07-06 13:14:25] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/commit/bb3d41956cf2f86ac9f4f9c988cc483b4b7ce7da>
[2017-07-06 13:15:45] rulppa : ok, i have the port 1234 open, BUT connection get refused when i try to telnet it
[2017-07-06 13:16:10] hostile : how are you determining it is "open"?
[2017-07-06 13:16:12] the_lord : it's /system/bin/sh &
[2017-07-06 13:16:32] rulppa : with scanning all the ports, osx sees the port open
[2017-07-06 13:16:40] the_lord : before i was using port 21 :slightly_smiling_face:
[2017-07-06 13:16:43] hostile : @ that is your problem
[2017-07-06 13:16:44] hostile : reboot
[2017-07-06 13:16:46] hostile : and telnet in
[2017-07-06 13:16:54] hostile : the netcat closes after the first connection and is no longer open
[2017-07-06 13:16:57] hostile : until next reboot
[2017-07-06 13:17:18] hostile : for some reason the adb_en.sh doesn't fire from my script and I need to see why
[2017-07-06 13:18:11] hostile : THIS **should** work
[2017-07-06 13:18:13] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/commit/3f5536d633e6263db2bbc554bc5441c1b2cfe4d9>
[2017-07-06 13:18:38] rulppa : hostile, thanks. works now like a charm. THANK YOU!
[2017-07-06 13:18:53] hostile : yes!
[2017-07-06 13:18:55] hostile : Mavic Pro?
[2017-07-06 13:19:01] rulppa : if you have paypal, i want to remember you with something.
[2017-07-06 13:19:07] rulppa : seriously, this is great.
[2017-07-06 13:19:10] hostile : no no friend... not necessary
[2017-07-06 13:19:15] hostile : just share with others and help them
[2017-07-06 13:19:19] hostile : only payment I need is that
[2017-07-06 13:19:20] rulppa : inspire2, no mavic here yet.
[2017-07-06 13:19:50] rulppa : (latest fw)
[2017-07-06 13:21:15] rwijnhov : you guys are light years ahead of me now :disappointed:
[2017-07-06 13:22:24] the_lord : i'm pulling last change
[2017-07-06 13:27:16] the_lord : not working with me :disappointed: after 100% complete reboot no telnet no adb
[2017-07-06 13:27:51] the_lord : i'll clean everything and start from the beginning
[2017-07-06 13:28:12] hostile : the_lord for the 3rd time mate... PM me and we can root you (via other means) and debug this. :wink:
[2017-07-06 13:28:48] hostile : fire the pipe off
[2017-07-06 13:28:54] hostile : also this is Mavic? or P4?
[2017-07-06 13:29:03] the_lord : not everyone has this privilege
[2017-07-06 13:29:12] the_lord : Mavic
[2017-07-06 13:29:40] the_lord : if i PMed you means i gave up :slightly_smiling_face:
[2017-07-06 13:29:44] hostile : cool!
[2017-07-06 13:29:50] hostile : I'll let you debug!
[2017-07-06 13:29:58] hostile : if you get stuck you know how to find me =]
[2017-07-06 13:30:39] the_lord : maybe because of the /data/property shit we put last night :smile:
[2017-07-06 13:33:23] hostile : oh yeah
[2017-07-06 13:33:24] hostile : delete that
[2017-07-06 13:33:50] hostile : should not stop the command from firing tho.
[2017-07-06 14:08:10] rulppa : how the fuck does this keep replacing start_dji_system.sh with the original one
[2017-07-06 14:08:40] rulppa : chmodded the new one, even touched to get same time and date, but no.
[2017-07-06 14:10:30] hostile : mount -o remount,rw /system
[2017-07-06 14:10:31] hostile : then do it
[2017-07-06 14:10:32] hostile : :wink:
[2017-07-06 14:10:49] hostile : @rulppa --^
[2017-07-06 14:11:39] hostile : @fldatatek what is the point of that link... what does it have to do with rooting DJI products? are you SPAMMING laser products?
[2017-07-06 14:12:04] rulppa : hostile, thanks. will try again :slightly_smiling_face:
[2017-07-06 14:12:12] rulppa : hard because cant see shit with telnet :slightly_smiling_face:
[2017-07-06 14:21:28] rulppa : bleh, now it's there and edited but doesn't fire the adb ..
[2017-07-06 14:21:46] rulppa : need to check later, anyway this is great.
[2017-07-06 14:24:46] the_lord : don't reboot your drone
[2017-07-06 14:24:52] the_lord : how did you add it?
[2017-07-06 14:30:12] rulppa : i have rebooted it many times :slightly_smiling_face:
[2017-07-06 14:36:14] rulppa : oh it was there, rooted. just doesn't show up in a port scan
[2017-07-06 14:52:09] the_lord : congratulations on your rooted Inspire 2
[2017-07-06 14:52:27] rulppa : :heart:
[2017-07-06 14:53:27] mstranger : congratz hostile !
[2017-07-06 14:54:03] the_lord : it is a really brilliant idea to symlink the grep
[2017-07-06 14:54:24] rulppa : ^
[2017-07-06 14:59:58] hostile : thx @mstranger
[2017-07-06 15:01:53] fallengod : can we run linux apps on our drones now?
[2017-07-06 15:06:12] hostile : sure
[2017-07-06 15:06:31] hostile : we used a "linux app" to extract their encryption keys. You just need to cross compile one (a "linux app")
[2017-07-06 15:17:41] fallengod : <https://github.com/zougloub/libseek>
[2017-07-06 15:18:07] fallengod : do u think we can run something like this?
[2017-07-06 15:19:26] hostile : you'll have to take root and play on your own sir...
[2017-07-06 15:19:30] hostile : this is all FRESH as fuck
[2017-07-06 15:19:56] hostile : in theory... "if you want to view paradise simply look around and view it"
[2017-07-06 15:20:02] hostile : <https://www.youtube.com/watch?v=r2pt2-F2j2g>
[2017-07-06 16:15:02] the_lord : YESSSSSSSSS i got root after fighting with blind telnet and forgetting the ; thousands times :smile:
[2017-07-06 16:15:43] hostile : hahaha
[2017-07-06 16:15:50] hostile : it was a semi intentional stopgap
[2017-07-06 16:15:58] hostile : old 90s hackers would be very familiar with it
[2017-07-06 16:16:30] the_lord : i was playing at that time
[2017-07-06 16:16:35] hans112 : Nice... I will test tonight :D
[2017-07-06 16:23:17] hfman : @hostile - great work, incredible persistence on your part.
[2017-07-06 16:24:45] hostile : **hat tip**, not without help at all... lots of folks here collaborating.
[2017-07-06 18:57:54] ender : @fallengod i did exactly that in the Bebop with my Seek Flir :slightly_smiling_face:
[2017-07-06 18:59:34] ender : If you use Mavic (or Spark) in WiFi mode you can also send the stream from Seek or use a crosscompiled USB2WiFi and run a Windoze App that “thinks” Seek is connected via USB to the Windoze PC. Unlimited possibilities…We can talk in general about it, OT here big time :stuck_out_tongue:
[2017-07-06 19:00:55] hostile : oh nice @here I see one of you pushed a Cygwin patch for windows users...
[2017-07-06 19:00:56] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/commit/cd93baac92dd1dad02d93a2e16bd3f320a0d1012>
[2017-07-06 19:02:22] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/commit/30b54aede0446a9d03efc3b52fda9455b48cc3b6>
[2017-07-06 19:08:50] hostile : can anyone in @channel confirm RedHerring in latest form works against P4?
[2017-07-06 19:09:01] hostile : I've seen positive confirmation for all but that one.
[2017-07-06 19:14:23] fallengod : Can u tell me more about the wifi2usb?
[2017-07-06 20:20:57] ender : @fallengod , Yes, i run a custom version of “Virtualhere”, google it, low bandwidth here, i am on vacation. @beach now :slightly_smiling_face:
[2017-07-06 20:29:11] ms30250 : totally new to all this so forgive my ignorance
[2017-07-06 20:29:48] ms30250 : i was able to rollback to .400 per tutorials but am more interested in a root option and possibly installing .700
[2017-07-06 20:29:58] ms30250 : where do i start? lol
[2017-07-06 20:35:58] hostile : @ms30250 You seek the Red Herring my friend... <https://www.youtube.com/watch?v=BTQ_CTih1HM>
[2017-07-06 20:38:56] ms30250 : running windows but also have a Qnap to run VMS on as well as a pi
[2017-07-06 20:45:33] guest : @hostile (P0V) Why did you run the "retro sploit" on the Spark and not the Mavic? Don't have a Mavic or is the Spark more fun to fly, or..... Is it less expensive when bricked??
[2017-07-06 20:46:07] guest : In the video that is....
[2017-07-06 20:48:40] hostile : @guest at the time /system was "rw" and on Mavic it was "ro", and the technique was not finished yet... see <https://github.com/MAVProxyUser/P0VsRedHerring/issues/5> for details
[2017-07-06 20:53:12] ms30250 : so fellas
[2017-07-06 20:53:46] ms30250 : i may be in over my head here, Ill probably lurk until i have a better clue
[2017-07-06 20:54:12] hostile : "running windows " <https://github.com/MAVProxyUser/P0VsRedHerring/commit/30b54aede0446a9d03efc3b52fda9455b48cc3b6>
[2017-07-06 20:54:35] hostile : lurk and learn...
[2017-07-06 20:54:39] hostile : feed your brain
[2017-07-06 20:55:38] ms30250 : lol "puts "Sorry you're running Windows, but at least you're using Cygwin!""
[2017-07-06 20:55:41] guest : @hostile I see. Good that you guys managed to set it to "rw". Can't wait till you guys make a nice how to on this :slightly_smiling_face: Keep up the good work!
[2017-07-06 20:57:15] hostile : "Can't wait till you guys make a nice how to on this": that is in the .rb file... and by viewing the video. That is as close as you are gonna get. We want you to feed your brain. The tool functions as is.
[2017-07-06 20:58:09] hostile : set the channel topic: Come here to eat like a king. We teach you to fish... you supply your own silver platter.
[2017-07-06 20:58:32] guest : LOL
[2017-07-06 20:59:28] rulppa : Im sure danny the king mercer puts up nice howto brick mavic soon on the fb group :)
[2017-07-06 21:00:39] guest : Does Android have something like etc/shadow ?
[2017-07-06 21:01:10] ms30250 : probably an ignorant question (im sure the answer is "anything you want") but what are people using root access for so far?
[2017-07-06 21:01:58] ms30250 : I really just want to be able to flash firmwares as I please. I assume there will be cooked firmwares in the future with all the good stuff baked in and the bad stuff removed ?
[2017-07-06 21:02:24] ms30250 : the whole needing to be logged in and connected to app thing is bullshit
[2017-07-06 21:04:50] diff : @guest no
[2017-07-06 21:05:12] diff : @ms30250 personally? hardening right now and looking for some flaws/issues
[2017-07-06 21:05:14] rulppa : First thing i did was remove the god damn boot.wav, listened to it too long while trying to root it :joy:
[2017-07-06 21:05:28] hostile : Is that only on Inspire 2?
[2017-07-06 21:05:32] hostile : I have not seen it elsewhere
[2017-07-06 21:05:41] hostile : I wanted to replace it with a scream
[2017-07-06 21:05:55] hostile : <https://www.youtube.com/watch?v=AwSra5p8MDw>
[2017-07-06 21:06:01] rulppa : Haha
[2017-07-06 21:06:19] hostile : this was your Inspire, right? PLEASE test replacing the file with something else?
[2017-07-06 21:06:36] hostile : I recall seeing it in /data I think... totally forget it has been over a month since I rooted an inspire
[2017-07-06 21:06:56] rulppa : It's mine, but i'm in bed already. Will change it tomorrow
[2017-07-06 21:08:29] rulppa : I was tempted to swap it for something else but all my favorite wav places back from 1990 seemed to be down lol
[2017-07-06 22:22:49] ms30250 : already lost
[2017-07-06 22:23:00] ms30250 : I have cygwin installed and drone connected
[2017-07-06 22:23:06] ms30250 : adb seems to work
[2017-07-06 22:23:24] ms30250 : is there a script i run or a director i need to be in ?
[2017-07-06 22:23:42] ms30250 : directory*
[2017-07-06 22:33:02] the_lord : could you adb shell ? @ms30250
[2017-07-06 22:39:15] ms30250 : I can run "adb devices"
[2017-07-06 22:39:34] ms30250 : it comes back with no devices like in the video
[2017-07-06 22:41:06] ms30250 : i did install cygwin on a drive other than my C drive but added it to system variable
[2017-07-06 22:41:18] ms30250 : not sure if that makes a difference
[2017-07-06 22:41:29] ms30250 : all linux commands were working
[2017-07-06 22:41:59] diff : @ms30250 do you have any other android devices you can check out?
[2017-07-06 22:42:06] diff : sounds like a bad adb set up
[2017-07-06 22:42:22] ms30250 : so it should have seen the mavic?
[2017-07-06 22:42:42] ms30250 : yes, i can check my watch and phone
[2017-07-06 22:44:04] hostile : For what exploit? RedHerring does not leave you an adb shell with the current version if you are not on Spark and using the start dji system overwrite
[2017-07-06 22:44:21] hostile : You get a root shell via 192.168.42.2 port 1234 telnet to it
[2017-07-06 22:44:48] hostile : Using the grep technique
[2017-07-06 22:45:07] ms30250 : i am following the video
[2017-07-06 22:45:20] ms30250 : it starts in a blank shell
[2017-07-06 22:45:24] ms30250 : so i did the same
[2017-07-06 22:45:43] ms30250 : I guess i really have no idea where i should be starting
[2017-07-06 22:48:43] coldflake : Where is the file located?
[2017-07-06 22:49:19] diff : need to replace it with <https://www.youtube.com/watch?v=Hzlt7IbTp6M>
[2017-07-06 22:51:30] hostile : @coldflake I think only on Inspire
[2017-07-06 23:53:31] hfman : So another stupid question... how best to "undo" what RedHerring does? I pretty much have followed what it does, but a bit lost on the Upgrade NFZ portion of the thing.
[2017-07-06 23:58:02] coldflake : I see, damn, would have been fun to replace that .wav file :wink:
[2017-07-06 23:59:50] hostile : @hfman simply rm /update/.bin and it's all gone
[2017-07-07 00:00:20] hostile : /update is aka /data
[2017-07-07 00:00:26] hfman : Ya, that's what I figured...
[2017-07-07 00:00:40] hostile : Non destructive ...
[2017-07-07 00:01:04] hfman : Have you guys seen that other sites are getting shut down due to DJI aggressive tactics?
[2017-07-07 00:01:23] hfman : I think already known, but mavicunlocked is gone totally now.
[2017-07-07 00:02:19] hfman : So believe it or not, I haven't tried this on my Mavic. Was going to give it a shot on OSX in a VM.
[2017-07-07 00:08:29] hostile : People using trademarked names and copyrighted IP. Makes for an easy takedown
[2017-07-07 00:19:45] coldflake : [nolimitdronez.com](http://nolimitdronez.com) will not be shut down :wink:
[2017-07-07 00:20:15] coldflake : It will go live on sunday as the latest
[2017-07-07 00:20:54] coldflake : as @hostile mentions, its a bad idea to use TM :wink:
[2017-07-07 00:34:49] hfman : @hostile .. so this didn't work entirely in VM. Got a minute to help debug?
[2017-07-07 00:36:45] the_lord : @hfman it should work on VM
[2017-07-07 00:36:49] the_lord : what OS?
[2017-07-07 00:36:55] hfman : El Capitan
[2017-07-07 00:38:37] hfman : It seemed to stall when it went to show the colorized message
[2017-07-07 00:39:16] the_lord : ha
[2017-07-07 00:39:20] the_lord : look
[2017-07-07 00:39:23] hfman : I did the gem install colorize, but not sure what it means when it says:
[2017-07-07 00:39:36] hostile : turn your speakers up...
[2017-07-07 00:39:40] hostile : it is busy speaking to you
[2017-07-07 00:39:46] hostile : during the pause
[2017-07-07 00:39:46] the_lord : first run the assistant normally and login
[2017-07-07 00:40:10] hfman : "Please run 'gem install colorize and net/http'" - meaning what to do with net/http
[2017-07-07 00:40:21] hfman : Ah, I was wondering if I should be logged in with Assistant.
[2017-07-07 00:40:34] hostile : either you are missing the colorize gem, or the net/http gem
[2017-07-07 00:40:40] hfman : I honestly don't know if this VM supports sound
[2017-07-07 00:40:41] hostile : "gem install colorize"
[2017-07-07 00:40:45] hfman : Yes, did that
[2017-07-07 00:40:57] hostile : could be net/http getting pissed.
[2017-07-07 00:41:08] hostile : just yank the .red, .blue, etc off the script
[2017-07-07 00:41:11] hostile : colorize is not needed
[2017-07-07 00:41:14] hostile : was just cosmetic
[2017-07-07 00:41:34] hfman : But I don't have to do anything specific for /net/http, right?
[2017-07-07 00:41:40] hostile : @hfman " so this didn't work entirely in VM. Got a minute to help debug?" not really man... chilling with my Autistic son ATM
[2017-07-07 00:41:52] hostile : just the Tracking call that hits my server :wink:
[2017-07-07 00:41:56] hostile : which you can also remove
[2017-07-07 00:42:02] hostile : the "leak control"
[2017-07-07 00:42:12] hfman : Ah, right. Well, I had network disabled as well...
[2017-07-07 00:42:32] hostile : Just yank this line... <https://github.com/MAVProxyUser/P0VsRedHerring/blob/master/RedHerring.rb#L225>
[2017-07-07 00:42:49] hostile : "Net::HTTP.start("www.openpilotlegacy.org") do |http| resp = http.get("/RedHerring.txt") end # Old Beta Release Leak Control... you can remove this"
[2017-07-07 00:43:06] hostile : that's probably what it was hanging for....
[2017-07-07 00:43:45] hostile : # grep RedHerring.txt /var/log/apache2/other_vhosts_access.log.1 /var/log/apache2/other_vhosts_access.log | awk '{print $2}' | sort | uniq | wc -l 28
[2017-07-07 00:43:56] hostile : aka only 30 of you in the world using RedHerring successfully (ish)
[2017-07-07 00:44:23] hostile : give or take those that know ruby and were smart enough to pull / read the source and yank the pre-release leak control
[2017-07-07 00:46:03] hfman : Trying again with no changes for the moment
[2017-07-07 00:47:20] hfman : Seems I get all the lines echoed back from Ruby as well, rather annoying.
[2017-07-07 00:48:12] hfman : Last line i see: system("say Please eyeball the following message... blah blah"
[2017-07-07 00:50:43] hfman : Even after removing that line, it hangs at that same point...
[2017-07-07 00:59:15] the_lord : i kept it to say hi to you :wink:
[2017-07-07 00:59:49] hfman : I don't think that is the problem...
[2017-07-07 01:00:05] the_lord : for me i had to delete all generated files every time before i start the RedHerring
[2017-07-07 01:02:59] hfman : Okay, I did that, trying again.
[2017-07-07 01:07:13] hfman : Arghh... still stuck. Is this ruby script supposed to output every line in the script as it runs?
[2017-07-07 01:08:34] hfman : Ah, it's the sound stuff. Since my VM doesn't appear to support sound, the 'say' commands are hanging.
[2017-07-07 01:10:58] the_lord : it was annoying me and i disabled it
[2017-07-07 01:11:09] hfman : lol
[2017-07-07 01:12:09] the_lord : but it's good to know what's going on when it's in the background
[2017-07-07 01:12:42] hfman : Does the script spew every line to the terminal when you run it?
[2017-07-07 01:12:53] hfman : It's like it's running in debug mode or something...
[2017-07-07 01:13:41] hostile : depends on which git commit you are using...
[2017-07-07 01:13:46] hostile : beta version was pretty verbose
[2017-07-07 01:13:58] hfman : I think this is the latest
[2017-07-07 01:14:05] hostile : @hfman can you file a git issue on the Sound bug plz
[2017-07-07 01:14:29] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/issues/new>
[2017-07-07 01:14:33] hfman : Sure. It might be a problem with VirtualBox.. not sure. It's properly enabled in the VM settings, but just not working.
[2017-07-07 01:14:54] hostile : I'll just add a command line flag to remove it and see if I can catch an exception if there is a problem with it.
[2017-07-07 01:20:09] hfman : Okay... got to the end, launched Assistant 2, it did the NFZ upgrade.
[2017-07-07 01:20:29] hfman : Launched youtube, etc. Now what? Reboot Mavic and try to telnet to it?
[2017-07-07 01:23:49] hfman : Okay, rebooted Mavic, can telnet to port 1234. Guess it worked?
[2017-07-07 01:24:12] hfman : Oh, btw... if I did not prepare any files, what actually got sent to the Mavic with the NFZ Upgrade?
[2017-07-07 01:24:55] the_lord : congratulation for the rooted Mavic
[2017-07-07 01:29:21] hostile : "what actually got sent to the Mavic with the NFZ Upgrade?" see fireworks.tar in the directory that you ran the exploit from
[2017-07-07 01:29:26] hostile : that is **it**
[2017-07-07 01:29:32] hostile : nothing else is sent to your Mavic
[2017-07-07 01:30:01] hostile : funny thing is alone... the .tar is worthless
[2017-07-07 01:30:09] hostile : you gotta know the mechanics of how to trigger the unpack
[2017-07-07 01:30:10] hostile : =]
[2017-07-07 01:30:13] hfman : ...and I notice that I can only telnet after the first Mavic reboot... 2nd onward cant connect. Correct?
[2017-07-07 01:30:25] hostile : it will take folks a while to duplicate my work from scratch and **rip** it.
[2017-07-07 01:30:29] hostile : correct
[2017-07-07 01:30:33] hostile : the shell dies..
[2017-07-07 01:30:35] hostile : reboot again
[2017-07-07 01:30:37] hostile : it will be back
[2017-07-07 01:30:44] hostile : you can make it more persistent
[2017-07-07 01:31:01] hfman : I did reboot the Mavic, but telnet not worky... tried couple times.
[2017-07-07 01:31:13] hostile : did you delete the grep file?
[2017-07-07 01:31:19] hostile : cuz once you do that it is done
[2017-07-07 01:31:31] hostile : you'll need to re-exploit it
[2017-07-07 01:31:32] hostile : mount -o remount,rw /system
[2017-07-07 01:31:34] hfman : Nope, just telnet, nothing else...
[2017-07-07 01:31:37] hostile : echo /system/bin/adb_en.sh >> /system/bin/start_dji_system.sh
[2017-07-07 01:31:47] hostile : double check /upgrade/.bin via ftp
[2017-07-07 01:31:50] hostile : I suspect it is gone
[2017-07-07 01:32:11] hostile : if you port scan it... the port closes
[2017-07-07 01:32:18] hfman : So I'm an idiot, this script still has me a bit confused.
[2017-07-07 01:32:21] hostile : define no worky btw..
[2017-07-07 01:32:27] hfman : I understand the ftp stuff, etc.
[2017-07-07 01:32:28] hostile : telnet did not open at all?
[2017-07-07 01:32:41] hfman : So after running RedHerring, did the NFZ update, etc.
[2017-07-07 01:32:46] hostile : not really
[2017-07-07 01:32:47] hostile : =]
[2017-07-07 01:32:51] hostile : it is a fake NFZ file
[2017-07-07 01:32:53] hostile : with an exploit it in
[2017-07-07 01:32:55] hfman : Reboot Mavic... and could telnet to it fine. Didn't do anything else
[2017-07-07 01:33:03] hostile : type id;
[2017-07-07 01:33:07] hostile : at the telnet prompt
[2017-07-07 01:33:11] hfman : Rebooted Mavic again. Telnet no longer works.
[2017-07-07 01:33:20] hostile : if telnet is not working...
[2017-07-07 01:33:29] hostile : means something is wrong with /data/.bin (via shell)
[2017-07-07 01:33:45] hostile : or /upgrade/.bin via ftp
[2017-07-07 01:33:51] hostile : delete all contents and try again
[2017-07-07 01:33:55] hostile : (re-root)
[2017-07-07 01:34:01] hostile : and take your persistence with the above command
[2017-07-07 01:35:21] hfman : Delete all contents from local shell, or from /data/.bin on MP?
[2017-07-07 01:35:32] hostile : on drone
[2017-07-07 01:35:41] hostile : <https://dji-rev.slack.com/archives/C60KELF6H/p1499391097918032>
[2017-07-07 01:35:54] hfman : So I gotta rerun RedHerring I guess to get to that point...
[2017-07-07 01:36:57] the_lord : yes
[2017-07-07 01:41:00] hfman : So run the above echo command after I'm telnet'd in? That seems dangerous!!
[2017-07-07 01:41:16] hfman : (I'm back in now on telnet)
[2017-07-07 01:42:31] hfman : And if I do something like 'ls /data/.bin' - no output.
[2017-07-07 01:49:00] the_lord : don't forget to put ; after each command
[2017-07-07 01:49:05] hfman : Right
[2017-07-07 01:49:07] hfman : So...
[2017-07-07 01:49:16] hostile : if you fail the first time... it fucks it up too.
[2017-07-07 01:49:22] hostile : reboot =]
[2017-07-07 01:49:49] hostile : "if I do something like 'ls /data/.bin' - no output." that explains why you are not getting a shell then
[2017-07-07 01:49:50] hostile : :wink:
[2017-07-07 01:50:00] hostile : "So run the above echo command after I'm telnet'd in? That seems dangerous!!" it is...
[2017-07-07 01:50:05] hostile : that is why I did not include it by default
[2017-07-07 01:50:16] hostile : not interested in a fuck ton of bricks and pissed off people
[2017-07-07 01:50:17] hostile : lol
[2017-07-07 01:50:21] hfman : Yep
[2017-07-07 01:50:43] hfman : So... what's the difference between data/.bin , and data/upgrade ? I don't have data/.bin
[2017-07-07 01:51:01] hostile : so via ftp... /data is /upgrade
[2017-07-07 01:51:11] hostile : once you are **on** the bird... it is /data
[2017-07-07 01:51:26] hostile : the ftpd is running out of a specific directory that is not /
[2017-07-07 01:51:53] the_lord : /data/.bin you can see it from ftp
[2017-07-07 01:51:57] hfman : Gawd, I'm so friggin confused.
[2017-07-07 01:52:04] the_lord : don't be
[2017-07-07 01:52:20] the_lord : just run mount -o remount,rw /system;
[2017-07-07 01:52:25] the_lord : then the echo
[2017-07-07 01:52:29] hostile : the fact you are **here** willing to learn... is good
[2017-07-07 01:52:35] hostile : your skill will increment as a result
[2017-07-07 01:52:53] hostile : "I'm so friggin confused." this too shall pass with time
[2017-07-07 01:53:09] hfman : I mean I have pretty good unix skills, but this is a bit beyond my comprehension.
[2017-07-07 01:53:11] hostile : perhaps Teamviewer and someone would be willing to remote in and help out
[2017-07-07 01:53:24] hostile : hfman this is an old 90s hacker technique. =]
[2017-07-07 01:53:27] hostile : get off my lawn!
[2017-07-07 01:53:28] hostile : :wink:
[2017-07-07 01:53:49] hostile : the ";" alone is enough to keep folks busy for fucking hours
[2017-07-07 01:53:49] hfman : yeah, I was only hacking on Amigas back in those days
[2017-07-07 01:53:53] the_lord : a few weeks ago i didn't know anything about android/linux/Mac, nobody had introduced miss Ruby to me
[2017-07-07 01:54:10] hostile : "/bin/sh -i;" makes the shell more usable usually. didn't try on this tho
[2017-07-07 01:54:42] hfman : I guess 'set -o vi' won't do much either. Oh, and there aint no bash on this bitch either...
[2017-07-07 01:54:52] the_lord : at least you can see your session my telnet was blind
[2017-07-07 01:55:50] hostile : vi is on there... I use it all the time (just via adb)
[2017-07-07 01:55:56] hfman : Okay, help explain again to me why if I reboot the Mavic right now, i lose telnet ability? I'm a bit lost on that right now.
[2017-07-07 01:55:59] hostile : you can kick off an ADB shell once you have that telnet open btw
[2017-07-07 01:56:08] hostile : no clue.... that is odd.
[2017-07-07 01:56:18] hostile : your /data/.bin/grep **should** stay intact
[2017-07-07 01:56:20] hostile : OH WAIT!
[2017-07-07 01:56:23] hostile : you are using latest
[2017-07-07 01:56:24] hostile : =]
[2017-07-07 01:56:29] hostile : I forgot
[2017-07-07 01:56:45] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/commit/18d0c534041ba8ffc70e8dc512bdce2f2d70afd6>
[2017-07-07 01:56:50] hostile : I was trying to make adb fire...
[2017-07-07 01:57:02] hostile : +rm -rf /data/.bin/grep
[2017-07-07 01:57:12] hfman : And if I understand, I need some ADB tools on OSX for that to be of any use?
[2017-07-07 01:57:22] hostile : cuz @the_lord was having ADB insta close when he ran it... because of this
[2017-07-07 01:57:36] hostile : yeah u can install via brew.
[2017-07-07 01:57:54] hfman : (Actually, I was going to switch back to Windows to do everything else once I got it rooted)
[2017-07-07 01:58:03] the_lord : i use the Mac just to run the tool then from windows i telnet and adb shell
[2017-07-07 01:58:10] hfman : ...OSX in a VM is pretty slim and painful,
[2017-07-07 01:58:18] hfman : Yeah, that's the ticket.
[2017-07-07 01:58:47] the_lord : man after you run the tool you reboot the drone and connect it to windows
[2017-07-07 01:59:01] the_lord : this was my telnet
[2017-07-07 01:59:24] hostile : sorry about that last commit! totally forgot I did it before wife and son came home
[2017-07-07 01:59:25] the_lord : i kept forgetting the ; and every line i have to type pwd; to let it reply
[2017-07-07 02:00:08] hfman : Hey, no problem. Now I can start learning the next phase.... more to study up on.
[2017-07-07 02:00:51] hostile : welcome to the very small club my friend
[2017-07-07 02:01:45] hfman : So... this puppy will still fly no issue with this, right?
[2017-07-07 02:02:15] hfman : (As it stands). I just gotta be careful and not brick it....
[2017-07-07 02:03:53] hfman : So @the_lord - the image you pasted. It looks like you are having adb start, instead of the normal mavic startup - correct?
[2017-07-07 02:04:23] the_lord : no
[2017-07-07 02:04:45] the_lord : i'm just showing you my blind telnet
[2017-07-07 02:05:21] hfman : Oh, wait.. duh... >>, so you were appending adb start at the end of the normal startup?
[2017-07-07 02:05:28] the_lord : in this screen i was adding the adb_en to the startup
[2017-07-07 02:05:38] the_lord : yes exactly
[2017-07-07 02:05:49] the_lord : then reboot
[2017-07-07 02:05:59] hfman : And what's the purpose of the mount ?
[2017-07-07 02:06:09] the_lord : after that you delete the .bin via ftp and you are good to go with adb
[2017-07-07 02:06:39] the_lord : the /system is ro
[2017-07-07 02:07:00] the_lord : so we remount it as rw to be able to add the adb to start
[2017-07-07 02:07:08] hfman : Ah, okay. Starting to make sense...
[2017-07-07 02:08:27] hfman : You guys rock... thanks for helping a FOG thru this. Wish I could help more, but I can at least say this has been tested in a VM and WORKS
[2017-07-07 02:08:45] hfman : I'll open an issue on the sound stuff...
[2017-07-07 02:26:11] hdnes : So 300 messages behind. Skimmed and seems like ro Mavic has been cracked?
[2017-07-07 02:26:34] hdnes : Couldn't find the golden nugget in all the noise? Am I reading correctly
[2017-07-07 02:33:40] the_lord : all models were confirmed
[2017-07-07 02:33:57] the_lord : waiting for someone to try it on P4, not P4 Pro
[2017-07-07 02:59:11] hdnes : I can try P4 tomorrow
[2017-07-07 02:59:35] hdnes : Out for work but back tomorrow.
[2017-07-07 02:59:47] hdnes : What's the in?
[2017-07-07 02:59:59] hdnes : In a nutshell. I must have missed it
[2017-07-07 03:00:21] hdnes : Or is it on github and I can just read the commit history I suppose?
[2017-07-07 03:01:48] the_lord : i don't know what was the last thing you heard
[2017-07-07 03:04:19] hdnes : Spark was rooted using start script because it was rw. Everything else was on standby because it was ro
[2017-07-07 03:06:08] the_lord : now pull updated RedHerring.rb and sudo ruby RedHerring.rb /data/.bin/grep grep and after reboot you should be able to telnet 192.168.42.2 1234
[2017-07-07 03:07:16] the_lord : and don't forget ; after every command :joy:
[2017-07-07 03:11:07] hostile : @hdnes if you wanna see how we got there... <https://github.com/MAVProxyUser/P0VsRedHerring/issues/5>
[2017-07-07 03:11:16] hdnes : Thanks!
[2017-07-07 03:11:46] hdnes : More important to find the breadcrumbs than to hit run and see telnet
[2017-07-07 03:11:59] hdnes : Get nothing from the latter
[2017-07-07 03:12:04] hostile : and THAT sir is why you are a good fit here.
[2017-07-07 03:12:15] hostile : someone told me I talk in riddles the other day...
[2017-07-07 03:12:21] hostile : there is a reason for that... forces you to learn
[2017-07-07 06:05:54] hdnes : Up to speed, solid work
[2017-07-07 06:06:04] hdnes : Testing tomorrow.
[2017-07-07 07:04:29] hans112 : Does DJI assistant show a 100% success after the file has successfully been uploaded?
[2017-07-07 07:13:42] hans112 : After the second time it did apparently....
[2017-07-07 07:31:27] hans112 : What have I been missing in the past hours? :) The file seems to have been uploaded, but telnet or adb is a no go :thinking_face:
[2017-07-07 07:32:32] rulppa : boot the drone and telnet in, port 1234?
[2017-07-07 07:32:54] hans112 : Yep... Rebooted and tried telnetting into it
[2017-07-07 07:33:14] rulppa : you did remember to telnet to 1234 and not the default port?
[2017-07-07 07:34:25] hans112 : Yes... Let me redo the process and check again. Is there another way to check if the file was uploaded right ?
[2017-07-07 07:40:34] hans112 : Very strange.. upload seems to go right again, but no telnet or adb.
[2017-07-07 07:42:08] hans112 : Ftp still works though, so the bird is reachable
[2017-07-07 08:13:56] jan2642 : Try adb shell
[2017-07-07 08:27:12] hans112 : Device null not found...
[2017-07-07 08:27:28] hans112 : Adb version 1.0.32
[2017-07-07 08:27:34] hans112 : What version do you use ?
[2017-07-07 08:33:08] rulppa : try adb devices first
[2017-07-07 08:33:11] rulppa : then adb shell
[2017-07-07 08:33:32] hans112 : That gives an empty list
[2017-07-07 08:33:45] hans112 : I have an old version... Let me try to update first and try again
[2017-07-07 08:37:09] hans112 : Nope.. after update, same thing.
[2017-07-07 08:37:24] hans112 : Is there any other way to check if the files have been uploaded to the bird
[2017-07-07 08:37:25] hans112 : ?
[2017-07-07 08:43:26] freaky123 : For adb to work you need to add the specific usb id to the adb devices list
[2017-07-07 09:01:49] hans112 : Can you elaborate? With -l it does not show a device at all...
[2017-07-07 09:05:40] freaky123 : You need some adb...ini in your home folder with the correct id
[2017-07-07 09:07:38] hans112 : I tried it in windows ;) since adb was already installed there... Normally you see the hardware in the device list ...
[2017-07-07 09:08:07] hans112 : Also, telnet is not working. That makes me think something went wrong when uploading the grep file. Is there a way to check it ?
[2017-07-07 09:08:17] hans112 : To rule that part out ...
[2017-07-07 12:04:31] hostile : if telnet does not work... ftp in check /upgrade/.bin
[2017-07-07 12:04:39] hostile : and make sure there is a "grep" file with +x perms
[2017-07-07 12:05:02] hostile : current red herring no longer leaves ADB open... unless using the old spark technique.
[2017-07-07 12:36:36] freaky123 : ok so lets make my promise true by creating my own upgrade tool :slightly_smiling_face:
[2017-07-07 12:36:58] freaky123 : still a bit in doubt about either doing it in python or c
[2017-07-07 12:39:33] freaky123 : gonna do it in c since I will reuse all my work I have already done
[2017-07-07 12:40:34] freaky123 : btw I could also make it in such a way the internal upgrade tool works from the assistant that you can upgrade parts
[2017-07-07 12:40:54] freaky123 : I also noticed about implementing it that way the signatures are never checked xD
[2017-07-07 12:41:05] freaky123 : although you can't upgrade everything with that is my guess
[2017-07-07 12:56:37] hans112 : No grep file in the upgrade/.bin .... That would be an explanation ;) ... The only question left is.. why? Process seem to work, finishes at 100%
[2017-07-07 13:02:10] hans112 : I can see the .tar , symlink and all that stuff on the Mac
[2017-07-07 13:21:52] hostile : post reboot the exploit deletes itself
[2017-07-07 13:21:59] hostile : you should see the files before the reboot
[2017-07-07 13:22:09] hostile : sometimes the Assistant version makes a difference
[2017-07-07 13:22:27] hostile : on the RedHerring console, can you see the HTTP connections hitting?
[2017-07-07 13:22:32] hostile : they print out as they occur
[2017-07-07 13:23:59] hans112 : Euh.. I must have been drunk... Post reboot the exploit is deleted ? :joy: My bad.. let me check that.
[2017-07-07 13:26:59] hans112 : So, after doing this (and not rebooting), someone could, hypothetically, upload the altered start_dji_system.sh file, right ?
[2017-07-07 13:33:57] hostile : "start_dji_system.sh " yeah after mount -o rw, /system
[2017-07-07 13:44:25] hans112 : So, to prevent me from screwing things up again: 1. Use exploit 2. "mount -o rw, /system" to make it writable (use telnet with ; ;) 3. Use exploit to replace start_dji_system.sh
[2017-07-07 13:44:34] hans112 : 4. Clean silver plate
[2017-07-07 13:45:25] hans112 : :stuck_out_tongue:
[2017-07-07 14:10:51] hostile : @hans112 " Use exploit to replace start_dji_system.sh" no.. use telnet shell to make changes.
[2017-07-07 14:11:28] freaky123 : for people who are willing to follow my progress on my own upgrade tool:
```
MSG[1001 -> 0801] Seq: 15544 Attrib: 40 Cmdset: 0 Cmd: 7 Size 9: 000000000000000000
MSG[1001 -> 0801] Seq: 15545 Attrib: 40 Cmdset: 0 Cmd: 12 Size 1: 00
MSG[1001 -> 0801] Seq: 15548 Attrib: 40 Cmdset: 0 Cmd: 8 Size 13: 00000C7E060000000000000204
MSG[1001 -> 0801] Seq: 15867 Attrib: 40 Cmdset: 0 Cmd: 10 Size 17: 0013E53D1DBAF2C54A4F204AF21B840AF0
```
these are the messages probably needed for upgrading.. although cmd: 12 is not really needed, it will request the upgrade status
[2017-07-07 14:11:30] hostile : @hans112 <https://dji-rev.slack.com/archives/C60KELF6H/p1499391097918032>
[2017-07-07 14:11:52] hostile : @freaky123 make a new chan? #upgrade_tool
[2017-07-07 14:12:15] freaky123 : not really needed I think.. since it won't take that long ^^
[2017-07-07 14:12:44] freaky123 : gonna boot up ida now to parse the content of cmd: 8 and cmd: 10
[2017-07-07 14:12:53] freaky123 : that is the only part I still need
[2017-07-07 14:46:35] darksimpson : @freaky123 I can tell you contents of cmd 8 as I've already parsed it.
[2017-07-07 14:48:14] darksimpson : Still stuck (as you know) on cmd 10 MD5 calculation. Spent several hours last evening on it but without any success, just dissected md5 funcs to see it is the same as ref. But md5 still doesn't match. Probably I miss something small, fuck.
[2017-07-07 14:48:42] darksimpson : This is the one thing that stops me from writing a complete upgrade tool now.
[2017-07-07 14:49:40] darksimpson : cmd 8: first 4 bytes is payload size, then zeros, then 2 bytes upg type and 2 bytes upg path
[2017-07-07 14:49:49] darksimpson : as DJI names it
[2017-07-07 14:49:54] freaky123 : tnx
[2017-07-07 14:50:03] freaky123 : the first packet is like this:
```
enter_upgrade_mode(7) size 9:
- 1B (unknown offset 69 in struct)
- 1B (upgrade_package_type, should be 0 or 1)
- 7B unused
```
[2017-07-07 14:50:25] darksimpson : yes
[2017-07-07 14:50:53] darksimpson : no questions about first and second packets, only the md5 (
[2017-07-07 14:51:19] freaky123 : yeah gonna look that up for you now as well
[2017-07-07 14:51:42] darksimpson : Sorry, I told you wrong, not 2 bytes, but 1 byte for type and 'path'
[2017-07-07 14:52:14] darksimpson : Not near my pc now, so trying to retrieve from my own memory )
[2017-07-07 14:57:07] darksimpson : This MD5 thing now really makes me rage every time. I've completely dissected every MD5 calc func to see that it exactly matches one of the references I've found. Also double-checked again a function that calculates md5 on the file itself and a chunk of code that compares it against packet contents. Seems like normal things, but the hash still doesn't match. Oh, I know these things, I'm absolutely sure that I simply missed some small thing lying in a very prominent place...
[2017-07-07 14:57:53] freaky123 : xD
[2017-07-07 14:57:57] freaky123 : that sucks
[2017-07-07 14:58:18] freaky123 : yeah this is the second packet:
```
accept_upgrade_data(8) size 13:
- 1B unused
- 4B image_size
- 6B unused
- 1B image_path (0, 1 or 2)
- 1B image_type (4 = dji_system.bin)
```
[2017-07-07 14:58:22] martinbogo : Helooooo freaky123
[2017-07-07 14:58:28] freaky123 : hello
[2017-07-07 14:58:38] darksimpson : that's true
[2017-07-07 14:58:45] martinbogo : I finally paid attention to the post on HAK5, nice to "meet" you :slightly_smiling_face:
[2017-07-07 14:58:53] freaky123 : ^^
[2017-07-07 14:59:06] darksimpson : yes
[2017-07-07 15:00:04] darksimpson : also 8 = dji_data.bin or whats it name
[2017-07-07 15:00:21] freaky123 : so this packet here gives `00000C7E060000000000000204`, image_size: 818694, image_path=2, image_type=4
[2017-07-07 15:02:55] darksimpson : image_path as I saw from dissecting, describes some 'old' and 'new' way, also here or in first packet (don't remember) it can point that we transmit payload not over ftp and by cdc, IIRC
[2017-07-07 15:03:29] freaky123 : yes indeed
[2017-07-07 15:03:50] freaky123 : last packet:
```
finish_upgrade_data(10) size 17:
- 1B unused
- 16B MD5 sum
```
[2017-07-07 15:04:43] darksimpson : Agrh :rage: md5 sum
[2017-07-07 15:04:43] martinbogo : @darksimpson : Walk me through the MD5 issue. I'm currently working on a hardware issue, so I'm a completely fresh set of eyes.
[2017-07-07 15:05:36] freaky123 : wait a sec...
[2017-07-07 15:05:50] freaky123 : lol that md5 with image_path == 2 is not as I thought
[2017-07-07 15:06:19] darksimpson : hm?
[2017-07-07 15:06:46] freaky123 : it is not checked at all
[2017-07-07 15:07:18] freaky123 : there is a `if ( upgrade_s->image_path == 1 )` check
[2017-07-07 15:07:55] martinbogo : They are wasting a byte for a one-bit flag?
[2017-07-07 15:08:17] darksimpson : Hm. I noticed earlier that modifying one byte in the tar file doesn't break the update, I told you about it, but then it completely got out of my head...
[2017-07-07 15:08:20] freaky123 : they are wasting a lot more bytes for other stuff
[2017-07-07 15:08:32] freaky123 : ^^
[2017-07-07 15:08:47] freaky123 : so this makes writing a upgrade script soo much easier
[2017-07-07 15:11:21] darksimpson : Yes indeed. So I can state my stupidity now and here and get my ass to drink some coffee. Shit.
[2017-07-07 15:11:32] freaky123 : lol
[2017-07-07 15:12:15] darksimpson : How much time was spent looking inside the md5 checking sub, but never ever looking around it (
[2017-07-07 15:13:11] darksimpson : Hm, but still interested what kind of fuck they are sending in the packet in place of the real sum?
[2017-07-07 15:14:00] freaky123 : yeah would still be interesting but requires a look at the other side
[2017-07-07 15:14:01] freaky123 : ^^
[2017-07-07 15:14:12] freaky123 : first gonna wrap up my tool
[2017-07-07 15:14:36] darksimpson : Indeed, but let this for a spare time of course.
[2017-07-07 15:17:16] darksimpson : Ok, now you can finish your tool and I at last will be able to port red herring to my java tool and finish my upgrade functionality. Maybe it will be useful for someone.
[2017-07-07 15:18:37] freaky123 :
```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Enter upgrade mode */
uint8_t data[1024];
memset(data, 0, 1024);
comm_send_req(&comm, COMM_DEV_SKY_DM3XX, 1, COMM_CMD_SET_GENERAL_UPGRADE_ENTER << 8 | 0, data, 9);

/* Start accepting data */
uint32_t filesize = atoi(argv[2]);
/* image_size occupies bytes 1..4, big-endian, matching the captured packet
 * 00 00 0C 7E 06 ... = 818694 (a plain memcpy of the host-order int would
 * emit the bytes reversed on a little-endian host) */
data[1] = (filesize >> 24) & 0xff;
data[2] = (filesize >> 16) & 0xff;
data[3] = (filesize >> 8) & 0xff;
data[4] = filesize & 0xff;
data[11] = 2; // image_path
data[12] = 4; // image_type
comm_send_req(&comm, COMM_DEV_SKY_DM3XX, 1, COMM_CMD_SET_GENERAL_UPGRADE_ACCEPT_DATA << 8 | 0, data, 13);
sleep(20); // Wait 20 seconds for the upload

/* Finish the upgrade (MD5 bytes left zeroed; not checked for image_path == 2) */
memset(data, 0, 1024);
comm_send_req(&comm, COMM_DEV_SKY_DM3XX, 1, COMM_CMD_SET_GENERAL_UPGRADE_FINISH_DATA << 8 | 0, data, 17);
```
[2017-07-07 15:18:43] freaky123 : I think this is all there is
[2017-07-07 15:22:19] darksimpson : Yes, also as some kind of sport, I can try to investigate how to send payload data directly over cdc (as the exploit is small) and use this functionality )
[2017-07-07 15:22:42] freaky123 : yes that is also not so hard.. but maybe for later
[2017-07-07 15:24:48] darksimpson : I've also almost completely investigated how the assistant pulls firmware from dji servers, need to replicate this process also. And the main thing is that it looks like they don't completely remove older firmwares from the servers, but only from the listing description xml, so if we know what fw we need, we can download it. Need to check it thoroughly.
[2017-07-07 15:25:32] darksimpson : They use some kind of 'protection' in their rpc web api also, but I think I found what it is
[2017-07-07 15:25:36] freaky123 : ok wait because of LSB my byte order is incorrect ^^
[2017-07-07 15:28:11] freaky123 : yeah that was also on my wishlist figuring out their signature for the API
[2017-07-07 15:28:30] freaky123 : but that would be awesome to download some really old firmwares
[2017-07-07 15:28:38] darksimpson : I think i've found it in js shit
[2017-07-07 15:28:50] darksimpson : utils.js specifically
[2017-07-07 15:29:02] darksimpson : but need to check as will have time
[2017-07-07 15:29:07] darksimpson : or you can
[2017-07-07 15:29:24] freaky123 : first gonna try this upgrade stuff
[2017-07-07 15:29:34] darksimpson : of course )
[2017-07-07 15:29:41] kilrah : nice, so same type of hack as downloading old ios apps would be possible
[2017-07-07 15:29:54] freaky123 : I can at least generate messages:
```
SEND[1001 -> 0801] Seq: 0 Attrib: 40 Cmdset: 0 Cmd: 7 Size 9: 000000000000000000
SEND[1001 -> 0801] Seq: 1 Attrib: 40 Cmdset: 0 Cmd: 8 Size 13: 000000007B0000000000000204
SEND[1001 -> 0801] Seq: 2 Attrib: 40 Cmdset: 0 Cmd: 10 Size 17: 0000000000000000000000000000000000
```
[2017-07-07 15:30:06] freaky123 : a lot of 00's ^^
[2017-07-07 15:30:42] darksimpson : The eyes of DJI staff when they see it, i think )
[2017-07-07 16:02:55] freaky123 : g2g grab some beer gonna finish and test this tonight
[2017-07-07 16:07:11] martinbogo : freaky123 : Good news. I have finished hooking all chips to JTAG and digital analyzer
[2017-07-07 16:08:03] martinbogo : @freaky123 : Board is fully instrumented, and I'll start doing boundary scans later this afternoon
[2017-07-07 16:08:06] freaky123 : and got something interesting?
[2017-07-07 16:08:14] freaky123 : have some pictures? :smile:
[2017-07-07 16:08:25] martinbogo : I'll be posting everything to my blog and here
[2017-07-07 16:08:38] freaky123 : cool
[2017-07-07 16:08:43] martinbogo : How do I make a new channel on slack?
[2017-07-07 16:08:50] martinbogo : "hardware"?
[2017-07-07 16:09:08] darksimpson : I second this
[2017-07-07 16:09:10] freaky123 : I created it
[2017-07-07 16:09:16] hfman : Just hit the '+' button next to Channels
[2017-07-07 16:47:06] hostile : ~hardware
[2017-07-07 18:35:29] hostile : darksimpson: talk to @the_lord about that... he was looking into signature generation via .js too
[2017-07-07 20:26:43] rulppa : first world problems, rooted mavic before even got propellers installed/tried. does it even spin the motors (new drone)? who to blame if it doesn't :confused: at least adb works ..
[2017-07-07 20:44:11] freaky123 : hahaha same for me.. before I got my drone the first thing I did is root it
[2017-07-07 20:44:54] freaky123 : and the fun part was that I designed my root tool before I got my mavic
[2017-07-07 20:46:51] freaky123 : I even fixed the bugs in my root program before I got it with the help of @hostile :slightly_smiling_face: which was really nice and saved me some time
[2017-07-07 20:47:38] rulppa : :smile:
[2017-07-07 20:50:37] hans112 : Hehehe
[2017-07-07 20:50:46] hans112 : Does it fly with adb on ?
[2017-07-07 20:53:48] rulppa : if the engines don't spin, it will LOL
[2017-07-07 20:56:36] oanerm : hans112: Maybe without DJI GO, but in DJI GO 4 there is a check and it will not fly with adb on.
[2017-07-07 21:05:20] freaky123 : ok my own updater tool fails a bit.. got to check some stuff on the newer firmware etc.
[2017-07-07 21:05:56] freaky123 : getting some NACK's instead of ACK's
[2017-07-07 21:06:00] freaky123 : :stuck_out_tongue:
[2017-07-07 21:07:11] freaky123 : gonna make a new recording tomorrow with newest firmwares and also dissect the newest dji_sys and see if there is a difference or if I'm doing something wrong
[2017-07-07 21:07:24] freaky123 : must be some stupid mistake
[2017-07-07 21:09:22] freaky123 : I failed miserably somewhere
[2017-07-07 21:15:49] hostile : so @freaky123 I am doing some debugging...
[2017-07-07 21:15:53] hostile :
```
root      108   102   1172   636   c0065d8c b6f03e40 S strace
shell     113   108   3560   184   ffffffff 0001902c S /sbin/adbd
```
[2017-07-07 21:16:06] hostile :
```
$ adb shell
error: no devices/emulators found
```
[2017-07-07 21:16:22] hostile : can the chan do git integration on <https://github.com/MAVProxyUser/P0VsRedHerring.git> ?
[2017-07-07 21:16:38] hostile : I don't know how to add it
[2017-07-07 21:16:58] hostile : but I am wondering if ADB won't fire cuz of the permissions it is running with, so trying to strace it
[2017-07-07 21:17:08] hostile : @bin4ry this may interest you too....
[2017-07-07 21:32:22] diff : @hostile what do you mean exactly?
[2017-07-07 21:32:32] diff : where are you trying to run adb shell... ?
[2017-07-07 22:20:32] hostile : from RedHerring
[2017-07-07 22:20:52] hostile : @diff
```sh
# cat grep
/system/xbin/busybox touch /tmp/RedHerring.$$
/system/xbin/busybox touch /data/InYourGrill.$$
/system/xbin/busybox nc -l -p 1234 -e /system/bin/sh &
rm -rf /data/.bin/grep
strace -s2000 -o /data/adb_trace -vvvff /sbin/adbd
```
[2017-07-07 22:21:19] hostile : for whatever reason we can't get it to kick off **proper**; it never works, even though the process starts.
[2017-07-07 22:27:46] diff : but to be clear
[2017-07-07 22:27:56] diff : are you running the adb command inside that shell?
[2017-07-07 22:28:01] diff : or from your host machine?
[2017-07-07 22:28:14] diff : adb is likely already running on the device (just not as root?)
[2017-07-07 22:28:30] diff : so i'd imagine you need to kill it for the /sbin/adbd to execute properly
[2017-07-07 22:28:49] diff : does that make sense?
[2017-07-07 22:33:06] hostile : "adbd" is running on the drone. "adb" is running on my computer
[2017-07-07 22:33:34] hostile : it should not be running until *I* start it (as root) but it reverts to "shell"?
[2017-07-07 22:33:42] hostile : error: no devices/emulators found
[2017-07-07 22:33:47] hostile : shell 113 108 3560 184 ffffffff 0001902c S /sbin/adbd
[2017-07-07 22:34:03] hostile : it should NOT be running otherwise I don't think
[2017-07-07 22:34:20] hostile : I'll do a ps before I try to kick it off and verify later
[2017-07-07 22:39:40] diff : ah well likely we need to set specific props
[2017-07-07 22:39:42] diff : give me a second
[2017-07-07 22:40:46] diff : you'll need to set service.adb.root to 1 i believe
[2017-07-07 22:40:54] diff : let me stop check on a android device here
[2017-07-07 22:41:38] diff : `setprop service.adb.root 1`
[2017-07-07 22:41:46] diff : that should trigger a restart of adb (if it's running)
[2017-07-07 22:41:56] diff : or if it starts running, it will drop into root rather than shell
[2017-07-07 22:42:00] diff : (should)
[2017-07-07 22:57:23] the_lord : i think i figured out why /data/__property__ is failing to keep the adb started
[2017-07-07 22:57:41] the_lord : the init is starting the adb as we saw in the log
[2017-07-07 22:57:59] the_lord : but then the init is starting the start_dji_system.sh
[2017-07-07 22:58:59] diff : hmm
[2017-07-07 22:59:18] the_lord : in the .sh it's stopping the adb
```sh
if $debug; then
    /system/bin/adb_en.sh
else
    setprop sys.usb.config rndis,mass_storage,bulk,acm
fi
```
[2017-07-07 22:59:58] the_lord : this is the only reason i found why the adb stopped running
[2017-07-07 23:02:42] diff : you think the `/system/bin/adb_en.sh` is the part causing it to stop?
[2017-07-07 23:02:44] diff : or the latter?
[2017-07-07 23:02:56] the_lord : the latter
[2017-07-07 23:03:23] the_lord : because $debug=false
[2017-07-07 23:03:44] the_lord :
```sh
debug=false
grep production /proc/cmdline >> /dev/null
if [ $? != 0 ];then
    debug=true # engineering version, enable adb by default
else
    cmdline=`cat /proc/cmdline`
    temp=${cmdline##*board_sn=}
    board=${temp%% *}
    in_whitelist.sh $board
    if [ $? == 0 ]; then
        debug=true
    fi
fi
if $debug; then
    /system/bin/adb_en.sh
else
    setprop sys.usb.config rndis,mass_storage,bulk,acm
fi
```
[2017-07-07 23:04:16] the_lord : we don't have the white list so it's always false
[2017-07-07 23:09:10] diff : `setprop sys.usb.config rndis,mass_storage,bulk,acm`
[2017-07-07 23:09:15] diff : not sure what in that would disable adb?
[2017-07-07 23:09:19] diff : or cause it to restart
[2017-07-07 23:09:37] the_lord : it restarts the USB without adb
[2017-07-07 23:09:49] the_lord : it's omitting the adb
[2017-07-07 23:10:33] hfman : Perhaps rndis doesn't co-exist peacefully with adb ?
[2017-07-07 23:10:41] the_lord : no
[2017-07-07 23:10:53] diff : ah, i gotcha
[2017-07-07 23:11:03] diff : this was in the init file?
[2017-07-07 23:11:22] diff : pardon no
[2017-07-07 23:11:23] diff : it was start_dji_system.sh
[2017-07-07 23:11:43] diff : if you drop a file into /data/properties/
[2017-07-07 23:11:49] diff : name it `sys.usb.config`
[2017-07-07 23:12:01] diff : and the contents to `rndis,mass_storage,bulk,acm,adb`
[2017-07-07 23:12:32] diff : that should make the setprop on those values to be set prior to the `.sh`
[2017-07-07 23:12:40] diff : and the system can reject it
[2017-07-07 23:12:42] the_lord : no
[2017-07-07 23:13:01] the_lord : the system is accepting it and starting the adb
[2017-07-07 23:13:03] the_lord :
```
<11>[ 1.108294] c1 1 (init) init: using deprecated syntax for specifying property 'sys.usb.config', use ${name} instead
<6>[ 1.110339] c1 1 (init) android functions_store: rndis,mass_storage,bulk,acm,adb
<6>[ 1.110565] c1 1 (init) rndis_function_bind_config MAC: 00:00:00:00:00:00
<4>[ 1.110652] c1 1 (init) android_usb gadget: using random self ethernet address
<4>[ 1.110686] c1 1 (init) android_usb gadget: using random host ethernet address
<11>[ 1.111155] c1 84 (ueventd) init: add network interface: rndis0
<6>[ 1.112754] c1 1 (init) rndis0: MAC 2e:71:d3:a4:e6:67
<6>[ 1.112772] c1 1 (init) rndis0: HOST MAC 36:87:93:9f:a4:39
<6>[ 1.112911] c1 1 (init) bulk_bind_config
<6>[ 1.112958] c1 1 (init) adb_bind_config
<4>[ 1.123021] c1 1 (init) u2d_usb_init
<11>[ 1.125059] c3 84 (ueventd) init: exec CMD: /system/bin/ifconfig rndis0 192.168.42.2
<11>[ 1.129651] c1 1 (init) init: using deprecated syntax for specifying property 'sys.usb.config', use ${name} instead
<6>[ 1.133606] c3 110 (adbd) adb_open
```
[2017-07-07 23:13:09] diff : props, if i remember correctly, are set from init, then data init, then /data/properties/
[2017-07-07 23:13:24] the_lord : later the system is starting start_dji_system.sh
[2017-07-07 23:13:35] the_lord : which restarts the USB without adb
[2017-07-07 23:13:53] diff : maybe this is a silly question
[2017-07-07 23:13:57] diff : but why not just edit that script?
[2017-07-07 23:14:32] diff : if not possible, it was mentioned that `in_whitelist.sh` doesn't exist, so create it and have it kill the current process :smile:
[2017-07-07 23:15:02] the_lord : the in_whitelist.sh does exist
[2017-07-07 23:15:38] the_lord : but it checks the board SN against the white list which we don't know/have
[2017-07-07 23:15:55] diff : ahh
[2017-07-07 23:16:25] diff : what about just editing the original script?
[2017-07-07 23:16:51] the_lord : how will you get access to edit the original script??!!
[2017-07-07 23:17:08] diff : can you run this; `ls -l /dev/block/`
[2017-07-07 23:17:19] the_lord : i was trying to enable the adb using the persist method
[2017-07-07 23:17:39] diff : I'm at work with no drone :confused:
[2017-07-07 23:18:06] hfman : Doesn't root give you access to edit the original script?
[2017-07-07 23:18:12] the_lord : and in the log it showed that it started then stopped and we didn't know why
[2017-07-07 23:18:24] the_lord : yes root gives me access
[2017-07-07 23:18:34] the_lord : but we were trying to find another way to root
[2017-07-07 23:19:01] diff : @the_lord can you dump a directory listing of `/dev/block` and `/dev/sock` ?
[2017-07-07 23:19:04] hfman : Ah, true
[2017-07-07 23:19:25] the_lord : @diff yes sure
[2017-07-07 23:19:54] diff : `cat /proc/net/unix` would be good too
[2017-07-07 23:20:06] diff : often issues in those directories that we can exploit
[2017-07-07 23:20:18] diff : or, they are hinted at in there :smile:
[2017-07-07 23:21:28] the_lord : root@wm220_dz_ap0002_v1:/ # cat /proc/net/unix
[2017-07-07 23:22:18] the_lord :
```
root@wm220_dz_ap0002_v1:/ # ls -l /dev/block/
brw------- root root 7, 0 1980-01-01 00:00 loop0
brw------- root root 7, 1 1980-01-01 00:00 loop1
brw------- root root 7, 2 1980-01-01 00:00 loop2
brw------- root root 7, 3 1980-01-01 00:00 loop3
brw------- root root 7, 4 1980-01-01 00:00 loop4
brw------- root root 7, 5 1980-01-01 00:00 loop5
brw------- root root 7, 6 1980-01-01 00:00 loop6
brw------- root root 7, 7 1980-01-01 00:00 loop7
brw------- root root 179, 0 1980-01-01 00:00 mmcblk0
brw------- root root 179, 32 1980-01-01 00:00 mmcblk0boot0
brw------- root root 179, 64 1980-01-01 00:00 mmcblk0boot1
brw------- root root 179, 1 1980-01-01 00:00 mmcblk0p1
brw------- root root 179, 10 1980-01-01 00:00 mmcblk0p10
brw------- root root 179, 11 1980-01-01 00:00 mmcblk0p11
brw------- root root 179, 12 1980-01-01 00:00 mmcblk0p12
brw------- root root 179, 13 1980-01-01 00:00 mmcblk0p13
brw------- root root 179, 14 1980-01-01 00:00 mmcblk0p14
brw------- root root 179, 2 1980-01-01 00:00 mmcblk0p2
brw------- root root 179, 3 1980-01-01 00:00 mmcblk0p3
brw------- root root 179, 4 1980-01-01 00:00 mmcblk0p4
brw------- root root 179, 5 1980-01-01 00:00 mmcblk0p5
brw------- root root 179, 6 1980-01-01 00:00 mmcblk0p6
brw------- root root 179, 7 1980-01-01 00:00 mmcblk0p7
brw------- root root 179, 8 1980-01-01 00:00 mmcblk0p8
brw------- root root 179, 9 1980-01-01 00:00 mmcblk0p9
brw------- root root 179, 96 1980-01-01 00:00 mmcblk0rpmb
drwxr-xr-x root root 1980-01-01 00:00 platform
brw------- root root 254, 0 1980-01-01 00:00 zram0
root@wm220_dz_ap0002_v1:/ #
```
[2017-07-07 23:22:58] the_lord : there is no /dev/sock
[2017-07-07 23:23:18] diff : hmm yea
[2017-07-07 23:23:20] diff : odd
[2017-07-07 23:23:22] diff : but interesting
[2017-07-07 23:26:16] the_lord : RedHerring is based on NFZ update which is not applicable for the RC
[2017-07-07 23:27:06] the_lord : so i was hoping to enable adb using the persist property
[2017-07-07 23:39:39] hostile : don't forget @the_lord re: <https://dji-rev.slack.com/archives/C60KELF6H/p1499468243475167> /data/property does not exist so persistent settings don't take until we make them, and that is where __properties__ partially comes from
[2017-07-07 23:40:33] hostile : @diff I've tried both adb_en.sh and adbd... I wonder if there is no tty... I used to have ttyme.c but can't find it. Cuz once shelled in... adb_en.sh works fine.
[2017-07-07 23:40:40] hostile : sorry btw... afk with fam
[2017-07-07 23:42:48] hostile : so there are two issues..
[2017-07-07 23:42:52] hostile : one properties based start...
[2017-07-07 23:42:58] hostile : second is start from "grep" script to be clear
[2017-07-07 23:43:03] hostile : I've been talking about the latter
[2017-07-07 23:43:07] the_lord : @hostile yes we created it and it's eating the bait but unfortunately init is triggering the persist before start_dji_system.sh
[2017-07-07 23:43:08] hostile : I'm off for ice cream!
[2017-07-07 23:45:03] the_lord : i'll try something to trigger adb from grep and let you know the result
[2017-07-07 23:50:33] diff : hmm odd
[2017-07-07 23:51:02] asoka : <https://github.com/mefistotelis/phantom-firmware-tools/issues/20>
[2017-07-08 01:01:59] hostile : @the_lord try setting the props. then firing /sbin/adb see latest git commit
[2017-07-08 02:04:06] hdnes : What was the work today about? I thought telnet was hot?
[2017-07-08 02:04:47] hdnes : fine tuning a method to get adb to run directly, vice telnet > start_dji.sh mods ?
[2017-07-08 02:13:39] hostile : telnet works fine...
[2017-07-08 02:13:43] hostile : we're just adding **features**
[2017-07-08 02:13:55] hostile : start_dji.sh makes me paranoid
[2017-07-08 02:14:00] hostile : so trying to avoid it
[2017-07-08 02:14:52] hdnes : gotcha, so you are trying to get adb without the in between telnet step I guess?
[2017-07-08 02:15:36] hdnes : because I’m assuming turning on adb permanently through telnet is straightforward.
[2017-07-08 02:16:14] hdnes : I feel like someone mentioned this method through start_dji.sh using telnet. You not recommending it?
[2017-07-08 02:17:01] hostile : yeah it's acting weird
[2017-07-08 02:17:16] hostile : if you fuck up start_dji.sh it is an insta brick
[2017-07-08 02:17:22] hostile : game over
[2017-07-08 02:22:28] hostile : I just pushed a fix to make the shell on port 1234 persistent.
[2017-07-08 02:22:37] hostile : sh-3.2# git diff diff --git a/grep b/grep index 8256194..adaca57 100644 --- a/grep +++ b/grep @@ -1,7 +1,15 @@ /system/xbin/busybox touch /tmp/RedHerring.$$ /system/xbin/busybox touch /data/InYourGrill.$$ -/system/xbin/busybox nc -l -p 1234 -e /system/bin/sh &amp; rm -rf /data/.bin/grep -strace -s2000 -o /data/adb_trace -vvvff /sbin/adbd + +echo RedHerring &gt; /sys/class/android_usb/android0/iSerial +setprop service.adb.root 1 +setprop service.adb.tcp.port -1 +setprop sys.usb.config rndis,mass_storage,bulk,acm,adb +busybox devmem 0xe10093d0 8 0x40 #enable uart +sleep 1 +/sbin/adbd&amp; +while true; do /system/xbin/busybox nc -l -p 1234 -e /system/bin/sh &amp; done +
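Review bot: the added last line `while true; do /system/xbin/busybox nc -l -p 1234 -e /system/bin/sh & done` backgrounds nc inside the loop, so the loop itself never blocks and will fork a new nc as fast as the shell can run, with every copy after the first failing to bind port 1234; on a small embedded Android this exhausts process slots and is a real stability risk for the drone. Drop the `&` inside the loop and background the whole loop instead, e.g. `(while true; do /system/xbin/busybox nc -l -p 1234 -e /system/bin/sh; done) &`, so a fresh listener is only spawned after the previous session ends. The `busybox devmem 0xe10093d0 8 0x40 #enable uart` write would also benefit from a comment naming the register and why 0x40, since a bare physical address cannot be reviewed from the diff alone.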
[2017-07-08 02:33:46] hdnes : Are shell and telnet synonymous
[2017-07-08 02:34:27] hdnes : Or is shell ADB
[2017-07-08 02:34:44] hdnes : By the looks above it's ADB
[2017-07-08 02:44:25] fldatatek : Just to throw one from left field.... Has anyone thought about the simulator in A2. How does it talk to the FC and is there anything there that can be exploited.
[2017-07-08 03:07:30] the_lord : hostile: this is exactly what i was thinking to do :slightly_smiling_face:
[2017-07-08 03:20:09] hostile : Yes shell is telnet
[2017-07-08 03:20:17] hostile : Adb auto start still not workin
[2017-07-08 03:25:47] hdnes : Is the telnet passwordable?
[2017-07-08 03:26:06] hdnes : I'm assuming it's simply open?
[2017-07-08 03:31:44] hostile : Why would you password it?
[2017-07-08 03:34:12] hdnes : Ha. Yeah I guess just trying to figure out what the password was mainly.
[2017-07-08 04:08:57] hostile : there isn't one =]
[2017-07-08 04:09:19] hostile : android doesn't have a passwd file and I think is considered a single user system, even though it is sandboxed
[2017-07-08 04:13:27] hfman : so @hostile, adbd still won't stay running with your change? That approach looked hopeful.
[2017-07-08 04:20:30] hostile : nope
[2017-07-08 04:20:59] hostile : gonna check the straces I took earlier shortly
[2017-07-08 04:46:50] hostile : "# Use a pseudo tty. allow adbd devpts:chr_file rw_file_perms;"
[2017-07-08 04:46:53] hostile : I bet it is a tty issue
[2017-07-08 04:46:54] hostile : <https://android.googlesource.com/platform/system/sepolicy/+/6b8e0994f0aab91ba070546280f62b7723c01376/adbd.te>
[2017-07-08 04:58:07] hfman : Why do you suspect that?
[2017-07-08 05:08:42] hostile : @the_lord I fixed it...
[2017-07-08 05:08:44] hostile : Kevins-iMac:~ kfinisterre$ adb devices
List of devices attached
RedHerringHasFangs	device
[2017-07-08 05:09:03] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/commit/153de53a917b36ea56e39fb2c62246131fe8a8c6>
[2017-07-08 05:09:11] hostile : Git pull...
[2017-07-08 05:09:33] hfman : Hmmm... I was going to ask if the boot rom has ro.secure=1, preventing you running it as root
[2017-07-08 05:10:07] hostile : so now... post exploit... reboot, and you get an unlimited shell on port 1234 via telnet (close it as many times as you want) and, ADB now starts indicating the custom name of "RedHerring" to help you know it works
[2017-07-08 05:10:10] the_lord : what about RC?
[2017-07-08 05:10:13] hostile : reboot again and all gone
[2017-07-08 05:10:23] hostile : you should have already sniffed the Request lord!
[2017-07-08 05:10:27] hostile : it is https?
[2017-07-08 05:10:34] hostile : cuz if so, that is a problem
[2017-07-08 05:10:35] the_lord : no http
[2017-07-08 05:10:40] hostile : gimme the link then
[2017-07-08 05:10:47] hostile : its a 3 line fix
[2017-07-08 05:11:07] hostile : back in a bit tho.. wife bet time.
[2017-07-08 05:11:12] hostile : JUST fixed the ADB shit
[2017-07-08 05:13:03] hostile : @the_lord what is the http link that sends the JSON to further download the firmware files
[2017-07-08 05:13:04] hfman : So you just had to stop/start it. Interesting
[2017-07-08 05:33:28] hostile : @the_lord <https://github.com/MAVProxyUser/P0VsRedHerring/commit/808d47ae72e181db3cd68a7fae9a83d58cfa5adb>
[2017-07-08 05:49:47] the_lord : now the assistant can't see the version of the RC
[2017-07-08 05:50:02] the_lord : and not showing the upgrade/downgrade
[2017-07-08 05:51:27] the_lord : ok my bad i was using --test_server
[2017-07-08 05:51:49] hostile : yeah it needs more work dude...
[2017-07-08 05:51:55] hostile : you gonna need to spoof back the list of devices
[2017-07-08 05:52:17] hostile : I think the host name may be a DNS round robin / CDN to several Amazon hostnames too
[2017-07-08 05:52:47] the_lord : but on RedHerring after please select connected device,.... nothing
[2017-07-08 05:53:03] hostile : exactly...
[2017-07-08 05:53:10] hostile : you open assistant on own now
[2017-07-08 05:53:17] hostile : and its not going to see a downgrade list...
[2017-07-08 05:53:31] hostile : that code needs to be written by someone willing to sniff the response and put it into the code
[2017-07-08 05:53:34] hostile : its a different code path
[2017-07-08 05:53:43] hostile : I'll get to it after I put the windows shit in
[2017-07-08 05:53:45] hostile : doing that now
[2017-07-08 05:53:48] the_lord : got it
[2017-07-08 05:53:50] hostile : if you don't figure it out
[2017-07-08 05:54:02] hostile : that was my best attempt at heading you the right way
[2017-07-08 05:55:14] hostile : yeh looks like DNS dsldevice.attlocal.net.domain: 63716+ A? flight-staging.aasky.net. (42)
[2017-07-08 08:23:54] hostile : @the_lord I just pushed a fuck tonne of changes toward windows compatibility...
[2017-07-08 08:26:24] the_lord : will git pull and test later
[2017-07-08 08:27:18] hostile : still some bugs
[2017-07-08 08:27:21] hostile : but tired AF
[2017-07-08 10:20:07] bin4ry : @hostile sorry, was asleep already as you wrote. nice that you did it, stuff with adbd is most of the time a bit tricky since you have to keep in mind all init.*.rc scripts as well. these guys will restart your adbd in special cases (init.usb.rc will restart adbd if you set sys.usb.....=blablabla,adb). but after all it seems like you managed to get it to work now. for rooting future device versions, i think the coolest and best way would be to reboot the device into recovery mode somehow (the mode where it applies the ota.zip). Because if we can achieve that we might be able to root it very easily. the android rom itself and so the ota.zip is signed with test-keys, because dji has added another layer of "security" by signing the images itself (normal.img etc.) BUT as far as i saw it, they let android handle the ota extraction and verification of the zip. So inside the zip is an installation zip which we should be able to modify :wink:, so my hope is that maybe through the apk we might be able to send out a "fake" ota.zip with a rooting script inside instead of an installation zip. i will try to verify this after the weekend because i don't have any time to work on stuff this weekend :slightly_smiling_face:
[2017-07-08 10:29:31] bin4ry : so what we should do now, since we have a device with proper adb access, is try to verify this ota theory, i.e. we should try to create an ota.zip, sign it with test-keys and then only include something in the script which is not harmful, e.g. write a foo file to /system or so
[2017-07-08 12:59:16] hostile : @bin4ry we can drop a binary in /cache/ota.zip cuz it is writable. In the "grep" script we can just call: "setprop sys.powerctl reboot,recovery" , and she reboots immediately. And unpacks the OTA.zip and starts into the script. <https://dji-rev.slack.com/archives/D64660HQS/p1499286897294898>
[2017-07-08 12:59:35] hostile : so IF you wanna rig up an OTA.zip... that **only** has a modded install script. Send it my way
[2017-07-08 12:59:38] hostile : and I'll test it.
[2017-07-08 13:26:43] bin4ry : That's cool. Do you have an original ota or a link for me? Will take a look when I am home later today again. Have to drive the car now :joy:
[2017-07-08 14:40:50] hostile : @the_lord just pushed some more
[2017-07-08 14:41:04] hostile : uhhh yeah there is an OTA.zip in the test servers http... I'll have to look again
[2017-07-08 14:41:31] hostile : @freaky123 do you remember that link off top of your head? I need to go to zoo
[2017-07-08 14:41:55] hostile : anyone here can adb pull /cache/ota.zip too... I am just not personally **ever** handing out binaries as it were (from the bird or tx)
[2017-07-08 15:49:23] bin4ry : i see, well we should take a look into the original binary before i send you a custom one, i want to take a look into the original to see first if i am right and they use the android standard system on top of their own verify system
[2017-07-08 15:49:32] bin4ry : i found the links you spoke of
[2017-07-08 15:49:57] bin4ry : this amazon testservers right? there are some ota links but they download just 400mb of 0's lol
[2017-07-08 15:53:33] hostile : @the_lord see latest git commit... windows is almost done
[2017-07-08 15:55:06] hostile : They must have nulled those Amazon ota zips...
[2017-07-08 15:55:16] hostile : Anyone here can get ya one tho.
[2017-07-08 15:56:40] bin4ry : that would be nice, so please someone upload one for me :wink: stays with me, so no worries
[2017-07-08 15:59:19] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/commit/1278ca86cc125d571a9d1348d4b864707870f389>
[2017-07-08 16:26:21] hfman : @bin4ry - I can probably pull that for you... where is it located?
[2017-07-08 16:57:37] hostile : /cache/ota.zip
[2017-07-08 16:58:22] hfman : Yep... question for you. I have RedHerring from a day ago. Can I safely start ADBD from the telnet shell? Don't want to brick this mutha
[2017-07-08 17:14:21] hfman : anybody???
[2017-07-08 17:20:26] hdnes : Guess it depends upon how you do it
[2017-07-08 17:21:14] hdnes : but no experience here, @hostile mentioned last night that he’s avoiding modifying the start_dji.sh script for this reason.. One could theoretically start adb by modifying this so…
[2017-07-08 17:21:28] hfman : Just sitting at the telnet prompt with root.
[2017-07-08 17:21:44] hfman : Could easily do it, just don't know if it is wise...
[2017-07-08 17:21:48] hdnes : can you not copy through telnet?
[2017-07-08 17:22:03] hfman : No, nor ftp
[2017-07-08 17:22:18] hdnes : why not through telnet?
[2017-07-08 17:22:41] hfman : how the heck do you transfer files via telnet??
[2017-07-08 17:22:55] hdnes : maybe you can’t, I’m used to ssh
[2017-07-08 17:23:15] hfman : Right, there is no scp on this bird.
[2017-07-08 17:23:38] hdnes : yeah scp is my normal method
[2017-07-08 17:23:43] hfman : Ah well, Guess I'll take the safe path and update my Herring a bit.
[2017-07-08 17:26:25] hans112 : That's sounds like a wise plan anyhow...
[2017-07-08 17:26:31] hans112 : To be sure ;)
[2017-07-08 17:36:40] hostile : @hfman just git pull... adb shell added to auto start post exploitation
[2017-07-08 17:36:56] hostile : Should not brick if using the "grep" technique
[2017-07-08 17:37:39] hfman : Right.. I was just asking that if I am sitting at a root telnet, can I simply start adbd?
[2017-07-08 17:38:10] hostile : Ftp put the new grep file manually to /upgrade/.bin via ftp
[2017-07-08 17:38:31] hostile : chmod 755 grep via telnet
[2017-07-08 17:38:34] hostile : Reboot
[2017-07-08 17:38:39] hfman : put works? I tried get, it just hangs.
[2017-07-08 17:38:56] hostile : Then your ftp client is goofy
[2017-07-08 17:38:58] freaky123 : what is the idea here? sorry was busy
[2017-07-08 17:39:02] hostile : Just re exploit
[2017-07-08 17:39:16] hostile : He wants to enable the adb shell to persist without brick risk
[2017-07-08 17:39:29] hostile : Easiest way now is update and use the new grep file
[2017-07-08 17:39:36] hfman : Actually, I just want to adb shell so I can pull ota.zip
[2017-07-08 17:40:03] freaky123 : ok :slightly_smiling_face:
[2017-07-08 17:52:28] bin4ry : hey cool, if you would get it @hfman that would be awesome :slightly_smiling_face: thank you
[2017-07-08 18:28:22] hfman : So... I can't tell if this is doing anything:
[2017-07-08 18:28:25] hfman : C:\t>"C:\Program Files\Android\ADB_Win\adb" devices -l
List of devices attached
RedHerringHasFangs	device product:full_wm220_dz_ap0002_v1 model:L1860 device:wm220_dz_ap0002_v1

C:\t>"C:\Program Files\Android\ADB_Win\adb" pull /cache/ota.zip C:\t
[2017-07-08 18:28:46] hfman : It's just sitting there, nothing showing up in the destination directory yet.
[2017-07-08 18:29:15] hostile : Omit dest dir?
[2017-07-08 18:29:39] hfman : This is a large file, does it not output anything while it is pulling?
[2017-07-08 18:30:04] hfman : I tried both with and without dest dir
[2017-07-08 18:31:43] hfman : 41MB, shouldn't take TOO long I would think...
[2017-07-08 18:35:46] hfman : Sigh, even teeny files in that directory hang. Must be a stupid windows 10 thing.
[2017-07-08 18:46:52] bin4ry : hm, could be that you have win10 problems :wink:
[2017-07-08 18:47:32] hfman : Yeah, this is a pain... Telnet works fine, but apparently FTP and now ADB don't. Crap...
[2017-07-08 18:49:01] hfman : Lemme try this from my OSX VM.
[2017-07-08 18:56:55] bin4ry : thx for the pain :slightly_smiling_face:
[2017-07-08 19:26:15] hostile : @hfman "cp /cache/ota.zip /data;" via telnet , then ftp in and snag it from /update/ota.zip
[2017-07-08 19:26:29] hostile : You can type "hash" for hash marks on each. Yet downloaded for progress
[2017-07-08 19:31:28] hfman : so.... things are weird. I can't telnet in from OSX any longer, yet I can from Windows. So have that cp command going, but it's taking a LONG time, not sure if it is doing anything.
[2017-07-08 19:32:15] hfman : I thought maybe adb was hosing things up on osx, killed adb on osx, but still can't telnet in. Can ping on OSX, just not telnet. Stuff is odd.
[2017-07-08 19:32:43] hfman : So let me ask, does this mavic have some kind of safety built in to prevent certain things if battery is at or below 50%?
[2017-07-08 19:33:40] freaky123 : not that I know of, I have adb'ed into the device at very low batteries
[2017-07-08 19:35:22] hfman : A 2nd telnet session, I do see /data/ota.zip, but the 1st session with the cp command has not returned. Maybe it doesn't spit anything out when complete?
[2017-07-08 19:38:01] hfman : what did you mean by 'hash' ?
[2017-07-08 19:47:46] hfman : To be clear, /data maps to /upgrade, not /update. Getting file now in OSX.
[2017-07-08 19:48:26] hostile : Hash is for ftp...
[2017-07-08 19:48:34] hostile : Yeah typo
[2017-07-08 19:48:41] hostile : Sorry! was at zoo on a ride lol
[2017-07-08 19:49:43] hfman : Okay, got it. Now gotta get it over to windows. Bin4ry, I'll PM you with a private ftp. PLEASE PLEASE don't distribute
[2017-07-08 19:51:15] bin4ry : Thanks. Will never distribute no worry
[2017-07-08 19:51:21] hostile : @hfman they are all the same and there is no unique personal identifying info in said file fwiw. Just given my position I'm Not distributing anything that be misconstrued as DJI property so to speak. Even if half the shit in the ota.zip violated GPL ;)
[2017-07-08 19:52:15] hfman : yep, just exercising caution, DMCA, yada yada
[2017-07-08 19:52:41] bin4ry : I only need it to analyze and see it I am right and to know if I can do a very own version nothing from you inside :wink:
[2017-07-08 20:02:43] hfman : @bin4ry - slack says you are in DND - you have message
[2017-07-08 20:04:52] hostile : @hfman yeah... I was #2 person to have DMCA thrown at them... Luckily I have Granick to tell em to fuck off. <http://www.theregister.co.uk/2002/07/31/hp_invokes_dmca_to_quash/>
[2017-07-08 20:05:25] hostile : "could be fined up to $500,000 and imprisoned for up to five years" is so 15 years ago :wink:
[2017-07-08 20:06:38] hfman : Wow... didn't know you had that business. Still doing it?
[2017-07-08 20:07:09] hostile : I've been around for a while mate... "SnoSoft" my old company quoted here. <http://weis2007.econinfosec.org/papers/29.pdf>
[2017-07-08 20:07:29] hostile : I use my vulnerability research now working for a counter drone company FWIW.
[2017-07-08 20:08:08] hfman : I'm an FOG at Verizon, survived the meltdown of MCI, got bought by Verizon, still working in Network Management Systems. We have got a SHIT pot of security things going on these days.
[2017-07-08 21:45:30] hfman : FYI, I can report that adb, etc all works fine on VM based OSX.
[2017-07-08 22:17:27] hostile : This ALMOST works...
[2017-07-08 22:17:28] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/commit/340ff3f766e50d0e7fa5f7a0182ac01d4c98b90f>
[2017-07-08 22:17:43] hostile : For windows... I think there is a minor fix needed to the .tar creation now
[2017-07-08 22:17:47] hostile : @the_lord ---^
[2017-07-09 02:56:04] the_lord : i tried to root the RC by doing the following: copied the fireworks.tar (renamed to dji_system.bin) to the RC manually via ftp, then sent the DUML command for upgrade. the RC just deleted the dji_system.bin and didn't extract it
[2017-07-09 02:57:09] the_lord : this is the DUML which made the RC to delete the file 551604FC2A2DE7274000070000000000000000009F44
[2017-07-09 03:07:28] hostile : If anyone is bored... these are windows fixes.
[2017-07-09 03:07:28] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/commit/ca480e3ed0c9cd15a0baa645a6868f7e93e62e4b>
[2017-07-09 03:15:06] the_lord : ok i figured out why
[2017-07-09 03:15:15] the_lord : 210 277 I DUSS&63[sys_event_finish_upgrade:1269]:: 0xa:ftp file /ftp/upgrade/dji_system.bin, file_size=-1, info->img_size(30023168)
[2017-07-09 03:16:39] the_lord : the original dji_system.bin size is 30,025,232 bytes
[2017-07-09 03:17:13] the_lord : and the fireworks size is 3,584 bytes
[2017-07-09 03:22:24] hfman : Hey @hostile, I'll check that out later.... looking good. Don't let the crap that went down get you down, it's all the shits and we don't need it. You're the hero here... keeping the ball rollin.
[2017-07-09 03:54:46] the_lord : sorry this is the correct log message
DUSS&63[sys_event_finish_upgrade:1269]:: 0xa:ftp file /ftp/upgrade/dji_system.bin, file_size=3584, info->img_size(30023168)
DUSS&63[sys_event_finish_upgrade:1279]:: 0xa:ftp transfer encounter error or the img_size is not correct
[2017-07-09 03:55:06] the_lord : the RC is expecting a specific file size
[2017-07-09 03:55:22] the_lord : i'll try to match the size and test again
[2017-07-09 04:13:10] hfman : Wonder how it even knows what the file size is? Seems odd... and totally different from the Mavic behavior.
[2017-07-09 04:20:44] hostile : @hfman totally different code path... this is system upgrade , not NFZ update. that is why
[2017-07-09 04:20:58] hostile : @darksimpson @freaky123 you seeing what @the_lord is messing with?
[2017-07-09 04:25:05] the_lord : i guess the assistant is sending the size before sending the file via DUML
[2017-07-09 04:25:44] hostile : we can probably pad it out. =]
[2017-07-09 04:25:58] the_lord : i'm not familiar with tar
[2017-07-09 04:26:00] hostile : add some files with a bunch of 11111111 in them
[2017-07-09 04:26:43] hostile : then use --append
[2017-07-09 04:26:44] the_lord : i thought to edit the tar file with a hex editor and fill it with 000000 at the end
[2017-07-09 04:26:58] hostile : no like create a file of how ever big you want (maybe with dd)
[2017-07-09 04:27:41] hostile : see how I add files to the fireworks.tar in Red Herring
[2017-07-09 04:27:51] the_lord : i saw
[2017-07-09 04:28:06] the_lord : but in that case i don't know the output size
[2017-07-09 04:28:15] hostile : so you need to add one meg to the file? do this...
[2017-07-09 04:28:16] hostile : dd if=/dev/zero of=output.file bs=1024 count=1024
[2017-07-09 04:28:21] hostile : it will make a one meg file full of zeros
[2017-07-09 04:28:28] hostile : ls -alk fireworks.tar
[2017-07-09 04:28:35] hostile : and keep appending to it until it is big enough
[2017-07-09 04:29:13] the_lord : can't just add the size difference at the end of the tar file?
[2017-07-09 04:29:31] hostile : some tar unpacks fine with garbage at the end. some doesn't
[2017-07-09 04:29:40] hostile : try it
[2017-07-09 04:29:53] the_lord : brb
[2017-07-09 04:30:37] hostile : sh-3.2# file fireworks.tar
fireworks.tar: POSIX tar archive
sh-3.2# tar tvf fireworks.tar
-rw-r--r--  0 root   staff      37 Jul  8 01:50 Burning0day.txt
lrwxr-xr-x  0 root   staff       0 Jul  8 01:50 symlink -> /data/.bin
-rwxr-xr-x  0 root   staff     517 Jul  8 01:50 symlink/grep
sh-3.2# echo AAAAAAAAAAAAAAA >> fireworks.tar
sh-3.2# echo AAAAAAAAAAAAAAA >> fireworks.tar
sh-3.2# echo AAAAAAAAAAAAAAA >> fireworks.tar
sh-3.2# echo AAAAAAAAAAAAAAA >> fireworks.tar
sh-3.2# echo AAAAAAAAAAAAAAA >> fireworks.tar
sh-3.2# echo AAAAAAAAAAAAAAA >> fireworks.tar
sh-3.2# echo AAAAAAAAAAAAAAA >> fireworks.tar
sh-3.2# tar tvf fireworks.tar
-rw-r--r--  0 root   staff      37 Jul  8 01:50 Burning0day.txt
lrwxr-xr-x  0 root   staff       0 Jul  8 01:50 symlink -> /data/.bin
-rwxr-xr-x  0 root   staff     517 Jul  8 01:50 symlink/grep
[2017-07-09 04:30:41] hostile : yeh... make work fine
[2017-07-09 04:31:22] the_lord : your tar is already filled with 0 at the end
[2017-07-09 04:31:27] the_lord : it may work
[2017-07-09 04:31:34] the_lord : fingers crossed
[2017-07-09 04:32:14] the_lord : now file size exactly matched
[2017-07-09 04:32:19] hostile : nice
[2017-07-09 04:35:11] the_lord : dropping the file without sending DUML doesn't make anything
[2017-07-09 04:35:26] the_lord : i'll start sending DUML commands
[2017-07-09 04:36:58] hostile : yes, as expected
[2017-07-09 04:37:11] hostile : how did you get that error the first time about incorrect size?
[2017-07-09 04:42:44] the_lord : from upgrade log
[2017-07-09 04:48:10] martinbogo : you can transfer files via telnet if you use sz/xz -- old BBS way of doing it
[2017-07-09 04:48:47] martinbogo : You can also use netcat/socat
[2017-07-09 04:49:45] martinbogo : <https://en.wikipedia.org/wiki/ZMODEM> ( if you want to go totally primitive )
[2017-07-09 04:50:34] martinbogo : <ftp://ftp.cs.pdx.edu>, maintained in directory /pub/zmodem
[2017-07-09 04:52:05] the_lord : ate the bait :slightly_smiling_face:
[2017-07-09 04:52:14] the_lord : the grep file extracted to .bin
[2017-07-09 04:52:25] the_lord : but no symlink in upgrade folder
[2017-07-09 04:52:29] the_lord : i'll restart now
[2017-07-09 04:53:22] the_lord : Yessssssssssssssssssssssssssss
[2017-07-09 04:53:47] the_lord : Mavic RC with latest firmware version officially ROOTED
[2017-07-09 04:58:48] hostile : POW!
[2017-07-09 04:59:19] hostile : push out a branch
[2017-07-09 04:59:26] hostile : nice work lord!
[2017-07-09 04:59:44] martinbogo : Well done the_lord.
[2017-07-09 04:59:46] hostile : that same technique probably works on normal update file of the bird too
[2017-07-09 05:00:10] martinbogo : the_lord : This technique -should- also work on the P4 then
[2017-07-09 05:00:38] the_lord : any one else from DJI????
[2017-07-09 05:00:45] the_lord : bhaaaaaaaa
[2017-07-09 05:01:12] martinbogo : <https://media.giphy.com/media/Rgn6cUfaN5zW/giphy.gif>
[2017-07-09 05:02:04] martinbogo : So you copied the fireworks.tar ( with customized payload ), then executed DUML?
[2017-07-09 05:02:13] the_lord : yes
[2017-07-09 05:03:16] hostile : Mutated Herrings have hit the seas...
[2017-07-09 05:03:59] the_lord : i believe i'm the first in the world who rooted an RC using RedHerring :slightly_smiling_face:
[2017-07-09 05:04:11] hostile : the DumlHerring aka Dumb Herring lol
[2017-07-09 05:04:20] the_lord : hahahaha
[2017-07-09 05:04:36] hostile : @the_lord I believe you are too!
[2017-07-09 05:08:41] martinbogo : Well .. best part of science is replicating the result
[2017-07-09 05:09:24] martinbogo : the_lord : What firmware revision did you load?
[2017-07-09 05:09:26] martinbogo : Latest?
[2017-07-09 05:11:43] martinbogo : Also, while I'm on MacOS, the patch still works .. just need to use unix tar vs windows cygwin
[2017-07-09 05:11:49] martinbogo : easy enough
[2017-07-09 05:12:14] the_lord : ahh my bad, it seems the RC is on 1.3.800 now. at the beginning i was upgrading and downgrading normally with assistant between 1.3.900 and 1.3.800, the only available versions, and i was sniffing the DUML commands
[2017-07-09 05:12:28] hostile : all that has been fixed as of tonight too @martinbogo windows and nix should work fine either or
[2017-07-09 05:12:56] martinbogo : okay .. let me grab Mavic #2, and see what firmware I have loaded
[2017-07-09 05:13:03] hostile : I even had some spare time to push a default web page to <http://localhost>
[2017-07-09 05:13:07] the_lord : i just used the RedHerring to generate the fireworks.tar file
[2017-07-09 05:13:16] martinbogo : hostile : Should I check out the master branch then?
[2017-07-09 05:13:21] hostile : yessir
[2017-07-09 05:13:25] martinbogo : doing it now
[2017-07-09 05:13:28] the_lord : then from ftp i copied it to upgrade folder then DUML
[2017-07-09 05:14:03] martinbogo : cloned the git repo
[2017-07-09 05:14:51] martinbogo : Mavic is at 0.3.0800 .. check
[2017-07-09 05:16:57] martinbogo : urgh .. "Plug in your drone... and try again"
[2017-07-09 05:17:13] martinbogo : Always the idiotic problem of getting the Mavic to be seen in OSX Sierra
[2017-07-09 05:18:17] hostile : /usr/sbin/system_profiler SPUSBDataType | grep "DJI:" -A19
[2017-07-09 05:18:19] hostile : type that for me?
[2017-07-09 05:18:43] hostile : I moved a FUCK tone of stuff around tonight working windows I have not heavily regression tested OSX yet
[2017-07-09 05:19:01] hostile : sh-3.2# ruby RedHerring.rb a grep
Running as root... thanks!
Device check running
found DJI Aircraft
Press <enter> after reading this comment from DJI, also verify you have 50% or more battery
"DJI strongly discoura
[2017-07-09 05:19:01] hostile : **MY** device check does work tho
[2017-07-09 05:19:13] the_lord : OSX works fine with me
[2017-07-09 05:19:15] martinbogo : I should see 0x2ca3 ... but I have problems with this mavic
[2017-07-09 05:19:18] martinbogo : One sec.
[2017-07-09 05:19:40] martinbogo : ( remember, my boards come from bricked and crashed drones ... the connectors can be a bit .. tweaky )
[2017-07-09 05:20:58] hfman : Way to go Lord!
[2017-07-09 05:21:48] hfman : So what exactly did you push? A copy of what you got form the DJI Server? I'm just wondering if we have a way to push .700 with this?
[2017-07-09 05:21:54] martinbogo : system("open https://www.youtube.com/watch?v=bhGfpwfae-k") ( cute )
[2017-07-09 05:22:23] hostile : comment out "Leak Control" too Martin... if so inclined
[2017-07-09 05:22:51] hostile : root@debian:~# grep RedHerring.txt /var/log/apache2/other_vhosts_access.log.1 /var/log/apache2/other_vhosts_access.log | awk '{print $2}' | sort | uniq | wc -l
36
[2017-07-09 05:22:53] martinbogo : heh .. you open openpilotlegacy.org? Also cute
[2017-07-09 05:23:01] hostile : nothing malicious... just keeping track of the proliferation
[2017-07-09 05:23:04] the_lord : i'm thinking maybe we can tar the upgrade files and force the drone to take them
[2017-07-09 05:23:05] hostile : small crowd ATM.
[2017-07-09 05:23:08] the_lord : same way
[2017-07-09 05:23:09] martinbogo : Makes sense .. it's just a webbug
[2017-07-09 05:23:16] hostile : (assuming few saw that, or are connected)
[2017-07-09 05:23:57] martinbogo : why the whole "50% battery" warning text?
[2017-07-09 05:24:00] martinbogo : Cover-ass?
[2017-07-09 05:24:10] hostile : built into the Assistant
[2017-07-09 05:24:11] hostile : :confused:
[2017-07-09 05:24:20] martinbogo : Oh for pete's sake.
[2017-07-09 05:24:21] hostile : it won't even fire the update
[2017-07-09 05:25:18] martinbogo : I think I have a bad USB port on the #2 mavic mainboard
[2017-07-09 05:25:28] martinbogo : I'll go get #3 .. haven't even unpacked it from the box yet
[2017-07-09 05:25:39] hfman : @the_lord - so will I be able to root my RC if it is on .700?
[2017-07-09 05:26:28] the_lord : this rooting method is not related to FW version
[2017-07-09 05:26:46] the_lord : i'm thinking to use it to upgrade/downgrade the drone/RC
[2017-07-09 05:27:11] hostile : on Windows does Assistant have to run as Admin?
[2017-07-09 05:27:14] hfman : Yeah, it sounds like it just might work...
[2017-07-09 05:27:26] martinbogo : Heh.. I JUST watched "Today I found out" on Red Herring .. it was very funny/informative
[2017-07-09 05:27:30] hfman : @hostile, no I don't think so.
[2017-07-09 05:27:32] the_lord : @hostile no
[2017-07-09 05:27:55] hostile : link @martinbogo ?
[2017-07-09 05:28:00] the_lord : brb
[2017-07-09 05:28:09] hostile : Try new USB cable?
[2017-07-09 05:28:50] martinbogo : Cable is good .. I just took a loupe to look at the connector -- it has a cracked lead on the pad for D+
[2017-07-09 05:28:53] martinbogo : I'll solder it later.
[2017-07-09 05:29:28] martinbogo : I have four mavics now ... two for CPU/hardware teardowns, one that will never fly again but should be fine for software testing, and one flyable one
[2017-07-09 05:29:31] hostile : manufacturing is hard lol
[2017-07-09 05:29:38] martinbogo : crashing is hard-er
[2017-07-09 05:30:02] martinbogo : I also have two P4's .. and a LOT of what we're doing here should be applicable to the P4
[2017-07-09 05:30:10] martinbogo : P4/P4 Pro
[2017-07-09 05:30:25] hostile : yeah should be cross line Spark, P4, Mavic, I2.
[2017-07-09 05:30:43] martinbogo : Not sure .. doesn't the I2 have a different system setup?
[2017-07-09 05:30:49] martinbogo : The P4 and Mavic share a heritage
[2017-07-09 05:30:58] hostile : nope
[2017-07-09 05:31:06] hostile : I've already rooted it as have several here
[2017-07-09 05:31:16] hostile : the Herring ate it early on
[2017-07-09 05:31:25] martinbogo : ( Myriad MA2100 in the Phantom )
[2017-07-09 05:33:25] the_lord : @martinbogo sent you the DUML
[2017-07-09 05:34:01] the_lord : i'll go bring cigarettes then test downgrade a core board
[2017-07-09 05:34:20] the_lord : and i have another RC which is begging me for root :slightly_smiling_face:
[2017-07-09 05:34:54] martinbogo : Got the DUML
[2017-07-09 05:36:02] martinbogo : Bah .. #2 battery is 31%, the one in #3 is completely flat
[2017-07-09 05:36:11] martinbogo : Will take me ~30 minutes to charge it up
[2017-07-09 05:36:41] martinbogo : I've been playing with the hardware all afternoon .. trying to get arbitrary code execution.
[2017-07-09 05:37:01] martinbogo : which is different than rooting ... different goal -- make an open source firmware
[2017-07-09 05:38:57] martinbogo : @hostile : Product ID: 0x001f Vendor ID: 0x2ca3
[2017-07-09 05:39:01] martinbogo : We have connection
[2017-07-09 05:39:17] martinbogo : Weird that it shows up as a File-CD Gadget... but there you go
[2017-07-09 05:46:27] martinbogo : @hostile : For the mac version, you may want to call Spotlight to find the Assistant, or prompt for the path
[2017-07-09 05:47:00] martinbogo : on my system, I had it in /Users/djihacking/Applications/Assistant.app/Contents/MacOS/Assistant ..
[2017-07-09 05:47:10] martinbogo : I altered the path in the ruby file as appropriate
[2017-07-09 05:47:58] martinbogo : although shelling out is "bad" -- you could call mdfind
[2017-07-09 05:48:36] jezzab : Someone tested Rh on the P4 yet?
[2017-07-09 05:48:39] hostile : yeah I was originally executing it for the end user... decided to make it a little less lazy =]
[2017-07-09 05:48:53] hostile : @the_lord or @coldflake did you test p4 yet?
[2017-07-09 05:49:00] hostile : short of your brick lord :wink:
[2017-07-09 05:49:06] hostile : *beats a dead horse*
[2017-07-09 05:49:09] martinbogo : jezzab : not yet -- I'm charging the Mavic up to 50% so I can confirm @the_lord 's work :slightly_smiling_face:
[2017-07-09 05:49:34] jezzab : Ill give it a while
[2017-07-09 05:49:37] jezzab : *whirl
[2017-07-09 05:49:47] martinbogo : Woot. You might want to edit the script a bit :slightly_smiling_face:
[2017-07-09 05:49:58] martinbogo : @hostile left some ... rickrolls of a sort in there
[2017-07-09 05:50:00] jezzab : start with the bird first
[2017-07-09 05:50:12] jezzab : he was doing the RC wasn't he? Good work btw!
[2017-07-09 05:50:26] martinbogo : yeah, RC
[2017-07-09 05:50:43] jezzab : @hostile your Winblows version work? Or should I do it in linux?
[2017-07-09 05:50:51] jezzab : Saw you were updating it
[2017-07-09 05:50:58] martinbogo : Script works in Linux?
[2017-07-09 05:51:10] hostile : I am checking literally RIGHT now.
[2017-07-09 05:51:12] martinbogo : *saw references OSX paths and such*
[2017-07-09 05:51:15] hostile : haven't tested on linux TBH
[2017-07-09 05:51:27] hostile : NDIS ip may be different or need set
[2017-07-09 05:51:41] hostile : Assistant doesn't work on linux
[2017-07-09 05:51:44] hostile : so didn't bother
[2017-07-09 05:52:01] martinbogo : **nod** does yours -always- come up 192.168.42.2?
[2017-07-09 05:52:09] hostile : yessir
[2017-07-09 05:52:20] martinbogo : Weird .. well so does mine.
[2017-07-09 05:52:22] martinbogo : So, that's good
[2017-07-09 05:52:29] jezzab : yeah mine does
[2017-07-09 05:52:29] the_lord : @martinbogo the DUML i used was from assistant to RC i didn't sniff the drone most probably it will not be the same
[2017-07-09 05:52:46] martinbogo : the_lord : understood
[2017-07-09 05:53:12] martinbogo : Either way, I need to get charged up to 50% before any of this works
[2017-07-09 05:53:25] martinbogo : Because .. Assistant. **sigh** there -has- to be a way to patch that
[2017-07-09 05:53:57] martinbogo : ( I'm using DJI Assistant 2 v1.1.2-2 )
[2017-07-09 05:57:03] hostile : with @the_lord DUML commands... it is moot
[2017-07-09 05:57:19] hostile : I may implement them in my code to eliminate Assistant
[2017-07-09 05:57:34] hostile : and mirror his method. I added support for it earlier yesterday I think
[2017-07-09 05:57:34] martinbogo : That would be wise, I think
[2017-07-09 05:57:38] hostile : days blending together
[2017-07-09 05:57:38] martinbogo : use websockets/sockets directly
[2017-07-09 05:57:55] hostile : well DUML != websockets
[2017-07-09 05:58:00] martinbogo : yeah, I know.
[2017-07-09 05:58:01] hostile : websockets need assistant
[2017-07-09 05:58:03] the_lord : WS requires assistant
[2017-07-09 05:58:14] the_lord : duhh
[2017-07-09 05:58:27] hostile : I'm thinking more like serial the way Chrome CleanFlight configurator works
[2017-07-09 05:58:50] hostile : open port... bark down it
[2017-07-09 05:59:17] jezzab : Right so fire up Assistant and fire up the ruby script?
[2017-07-09 05:59:25] the_lord : "open port... bark down it" this is exactly what i'm doing, but from a .net application
[2017-07-09 06:00:49] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/commit/808d47ae72e181db3cd68a7fae9a83d58cfa5adb#diff-1f0f693f9f2ad4b867d01477f0c449dcR145>
[2017-07-09 06:01:15] hostile : @martinbogo this was the start of support for what Lord is doing now... then he branched off to dropping the file on his own
[2017-07-09 06:01:16] hostile : =]
[2017-07-09 06:08:20] hostile : glad you here HZL!
[2017-07-09 06:08:28] hostile : long overdue for some realtime interaction. **salute**
[2017-07-09 06:08:56] martinbogo : @hostile : 551A04B12A2DEC2740000800001ECA010000000000000204D329 --- file size located
[2017-07-09 06:09:52] martinbogo : 001ECA010 = endian flipped 0x1CA1E00 = expected file size: 30023168
[2017-07-09 06:10:35] martinbogo : @hotelzululima : We're in the same generation.. and yeah. :disappointed:
[2017-07-09 06:11:10] martinbogo : @hotelzululima : It's only been a couple years, still feel the missing spot
[2017-07-09 07:10:31] hostile : anyone following latest Herring patches... seems the windows file is fucky for some reason
[2017-07-09 07:10:44] hostile : last bit fails still
[2017-07-09 07:10:48] hostile : will fix in morning when I wake up
[2017-07-09 07:10:52] jezzab : I must be missing something here. I cannot get the image.py to decrypt the fw. fails
[2017-07-09 07:11:08] hostile : error?
[2017-07-09 07:11:09] jezzab : i've even run it in linux.
[2017-07-09 07:11:20] hostile : run via python3
[2017-07-09 07:11:38] hostile : image.py for herring is deprecated anyway
[2017-07-09 07:11:45] hostile : it was only needed on Spark
[2017-07-09 07:11:54] hostile : new technique roots all and does not need it
[2017-07-09 07:12:00] hostile : use the "grep" file in the repo
[2017-07-09 07:12:00] jezzab : ah right
[2017-07-09 09:07:22] jezzab : using the mac. Everything's great except no NFZ popup :confused:
[2017-07-09 09:07:33] jezzab : on P4
[2017-07-09 09:09:47] the_lord : just rooted another Mavic RC FW 1.03.0400 same way :slightly_smiling_face:
[2017-07-09 09:09:59] jezzab : dunno what i'm doing wrong
[2017-07-09 09:10:18] jezzab : sudo ruby RedHerring.rb /data/.bin/grep grep
[2017-07-09 09:10:29] jezzab : then firing up with --test_server
[2017-07-09 09:10:44] jezzab : it's had a hissy on the signin screen now
[2017-07-09 09:10:56] jezzab : using the latest app, is that an issue?
[2017-07-09 09:11:23] the_lord : i used 1.1.2 when i was using the assistant
[2017-07-09 09:11:44] jezzab : yeah that's what i'm using hmm
[2017-07-09 09:12:15] jezzab : when running with test_server it's trying to make me login but it's like it has no net access because it can't load the verify code image either
[2017-07-09 09:12:17] jezzab : weird
[2017-07-09 09:12:22] jezzab : getting close lol
[2017-07-09 09:12:25] the_lord : yes
[2017-07-09 09:12:41] the_lord : you should start assistant first without test_server and log in
[2017-07-09 09:12:49] the_lord : then close the assistant
[2017-07-09 09:12:53] jezzab : I did that the first time.
[2017-07-09 09:12:59] jezzab : ahh i had 2 instances
[2017-07-09 09:13:04] the_lord : run ruby -> assistant with test_server
[2017-07-09 09:13:36] the_lord : we are using the assistant just to trigger the DUML update
[2017-07-09 09:13:44] the_lord : now i'm doing it without assistant
[2017-07-09 09:14:09] jezzab : ah yup. Nice
[2017-07-09 09:14:49] the_lord : i sniffed the assistant and fetched the DUML of RC upgrade
[2017-07-09 09:18:04] jezzab : I get no NFZ popup. Just says Cannot Load Firmware List
[2017-07-09 09:18:45] jezzab : i'm not running the latest 2.00 FW that just came out for the P4
[2017-07-09 09:19:55] jezzab : Only option i have is Restore Factory defaults
[2017-07-09 09:20:13] jezzab : but that's not going to kick in any DUML stuff is it?
[2017-07-09 09:21:20] jezzab : This thing's resisting.
[2017-07-09 09:23:35] the_lord : after the NFZ popup hit confirm
[2017-07-09 09:24:15] jezzab : Thats the problem
[2017-07-09 09:24:18] jezzab : There IS no popup
[2017-07-09 09:25:28] jezzab : i've seen the popup on hostile's vid.
[2017-07-09 09:25:48] jezzab : got me fucked
[2017-07-09 09:26:24] jezzab : if you tested with 112 then its not the app
[2017-07-09 09:27:11] the_lord : what are you getting on assistant?
[2017-07-09 09:31:10] the_lord : as hostile says tcpdump is your friend
[2017-07-09 09:31:24] jezzab : righto
[2017-07-09 09:32:55] jezzab : Is this a P4 thing?
[2017-07-09 09:33:02] jezzab : Or an Aussie thing lol
[2017-07-09 09:33:38] jezzab : or is it because the firmware i'm running i don't think has the NFZs?
[2017-07-09 09:33:48] jezzab : the V2.00 states that it does
[2017-07-09 09:34:09] the_lord : if your FW doesn't have NFZ it will not kick off
[2017-07-09 09:34:32] jezzab : Hmmm
[2017-07-09 09:34:53] jezzab : The question now is to upgrade to V2.00 that came out 3 days ago or not :confused:
[2017-07-09 09:35:20] the_lord : if i were in your shoes i would not upgrade
[2017-07-09 09:35:36] jezzab : I'm gettin that vibe
[2017-07-09 09:35:46] jezzab : well this is fucked lol
[2017-07-09 09:35:57] jezzab : damned if I do and damned if I dont
[2017-07-09 09:36:18] the_lord : don't worry soon you'll be able to root without assistant
[2017-07-09 09:36:32] the_lord : just like what i did with the RC
[2017-07-09 09:36:34] jezzab : Will it kick off tho?
[2017-07-09 09:36:44] jezzab : regardless of the NFZ shit
[2017-07-09 09:36:53] the_lord : yes
[2017-07-09 09:36:58] jezzab : too easy
[2017-07-09 09:37:07] the_lord : there is no NFZ in the RC
[2017-07-09 09:37:14] jezzab : good point
[2017-07-09 09:37:53] jezzab : and i can't sniff the tcp packets because there is only the upgrade to V2.00 lol
[2017-07-09 09:37:58] jezzab : There is only one fw release
[2017-07-09 09:38:51] the_lord : stay where you are and enjoy playing with the parameters
[2017-07-09 09:39:56] jezzab : I'll keep playing with the crayons while the other guys are playing with the Derwent's :stuck_out_tongue:
[2017-07-09 09:40:11] jezzab : oh well
[2017-07-09 09:40:31] jezzab : thanks for the help. appreciate it
[2017-07-09 09:40:47] the_lord : unfortunately my p4 is bricked, otherwise i could sniff it for you
[2017-07-09 09:42:16] jezzab : all good man.
[2017-07-09 09:44:37] jezzab : ahhhhh
[2017-07-09 09:44:50] jezzab : me rikey!
[2017-07-09 09:44:54] jezzab : says i can roll back
[2017-07-09 09:51:58] the_lord : i don't believe a shit from DJI
[2017-07-09 09:52:20] the_lord : how will you roll back if the FW is removed from the server
[2017-07-09 10:00:18] jezzab : i downloaded it
[2017-07-09 10:00:26] jezzab : from the bird
[2017-07-09 10:00:37] jezzab : ok
[2017-07-09 10:00:41] jezzab : its rooted :slightly_smiling_face:
[2017-07-09 10:00:49] jezzab : worked after the V2.00 update
[2017-07-09 10:00:53] jezzab : can telnet to 1234
[2017-07-09 10:01:31] jezzab : and you're right. It doesn't show in the list to roll back. gotta love that bullshit
[2017-07-09 10:02:43] the_lord : @hostile so P4 RedHerring confirmed
[2017-07-09 10:02:49] jezzab : Yup!
[2017-07-09 10:03:01] jezzab : But must be running latest fw 6/7/17
[2017-07-09 10:03:17] jezzab : well
[2017-07-09 10:03:21] jezzab : with the app anyway
[2017-07-09 10:03:27] jezzab : your way wouldn't matter
[2017-07-09 10:07:21] jezzab : That's interesting. i never had the rel abs height params before. They are there now
[2017-07-09 11:48:36] coldflake : @jezzab The latest firmware for P4 gives you rel abs height params?
[2017-07-09 11:49:18] jezzab : Yup
[2017-07-09 11:49:41] jezzab : Matches the mavic params I've seen
[2017-07-09 11:50:02] coldflake : Wow
[2017-07-09 11:50:25] coldflake : So the new firmware is basically more "open" than the older one?
[2017-07-09 11:50:55] jezzab : Seems to match the mavic. But adds in the NFZ stuff
[2017-07-09 11:51:11] coldflake : The nfz stuff is also there?
[2017-07-09 11:51:36] jezzab : It's applied. Have to login or no fly etc
[2017-07-09 11:52:02] coldflake : Ah I see
[2017-07-09 11:52:10] jezzab : Same as the mavic and stuff. Just seems they caught it all up
[2017-07-09 11:52:41] coldflake : Lol with lols on it, because I didn't dare to upgrade before I heard the tale from someone else :)
[2017-07-09 11:52:50] coldflake : Interesting
[2017-07-09 11:53:14] coldflake : As you know I am making an app to handle these g_config across models
[2017-07-09 11:53:24] jezzab : I was scared coz it came out two days after all the hacks lol
[2017-07-09 11:53:26] the_lord : @jezzab the message you shared earlier from the mobile or the assistant?
[2017-07-09 11:53:55] coldflake : It's a fucking mess but with this new info, it seems to depend more on which build the firmware is made from rather than being model specific
[2017-07-09 11:54:27] coldflake : Here I talk about the naming, the actual values will of course be different, simply due to the physical differences between a P4 and a mavic
[2017-07-09 11:54:38] jezzab : Yeah
[2017-07-09 11:54:40] coldflake : @jezzab exactly
[2017-07-09 11:55:09] jezzab : Which one was that mate
[2017-07-09 11:55:20] coldflake : @jezzab So the taunting question: Did you upgrade because you have big balls or because you were stupid? ;)
[2017-07-09 11:55:44] coldflake : ...read: humor all over the post ;)
[2017-07-09 11:55:56] jezzab : I figured I had nothing to lose and thought the root hack would work.
[2017-07-09 11:56:11] coldflake : Good point :)
[2017-07-09 11:56:22] jezzab : And I didn't think they would have fixed anything because they would have rolled out an update for all models
[2017-07-09 11:56:57] jezzab : So some logic and hope lol
[2017-07-09 11:57:22] coldflake : Good thinking my friend
[2017-07-09 11:58:12] jezzab : But if you need any values or fields checked just give me a yell
[2017-07-09 11:58:41] jezzab : Being what looks the same should make your life easier. Assuming they have the newer fw
[2017-07-09 12:00:16] coldflake : Yes, that sounds great, I would love if you could test out the speed mod and let me know the values that works
[2017-07-09 12:00:52] coldflake : I have translated it from Mav to the old P4 fw and was only able to squeeze it up to 97 km/h
[2017-07-09 12:01:17] coldflake : Tilt angle at 60 is fucking insane BTW :)
[2017-07-09 12:01:33] jezzab : I'll fire it up and take a look at the values. They may have changed the values to match mav
[2017-07-09 12:01:36] jezzab : Lol
[2017-07-09 12:01:49] coldflake : I dont think so
[2017-07-09 12:02:14] coldflake : Because the P4 is a much heavier and more clunky bird than the Mav
[2017-07-09 12:02:34] coldflake : Which could explain that max value of ascending speed is 9 m/sec
[2017-07-09 12:02:43] coldflake : Please prove me wrong :)
[2017-07-09 12:03:21] jezzab : shoot me a pm. save cluttering up here
[2017-07-09 12:04:04] the_lord : the one said you can roll back
[2017-07-09 12:04:30] jezzab : Was from the assistant
[2017-07-09 12:04:36] jezzab : but it doesnt show the firmware
[2017-07-09 12:05:06] nickmv : i mean, P4 weighs twice as much but can go faster horizontally
[2017-07-09 12:05:24] nickmv : i feel like it should be able to outclimb/accelerate a Mavic
[2017-07-09 12:20:26] jezzab : mav left - P4 right
[2017-07-09 12:33:08] nickmv : i orig had the coptersafe-level settings applied but found it was asking way too much of the mavic's battery
[2017-07-09 12:34:06] nickmv : i think i have my sport upward settings both to 8, and it works great and doesn't kill the battery
[2017-07-09 12:34:10] hans112 : Yep.. especially the ascending...
[2017-07-09 12:34:15] nickmv : ie. not getting warnings that often at all
[2017-07-09 12:34:24] nickmv : on full stick up
[2017-07-09 12:34:29] hans112 : Does 8 work without any warnings, or less warnings ?
[2017-07-09 12:34:55] nickmv : yeah, so i found that the warnings seem to correlate often with the RPMs. of course one of those warnings is max motor speed so that's expected
[2017-07-09 12:35:09] nickmv : but the batt discharge error seems to happen when that max motor happens
[2017-07-09 12:35:17] nickmv : not always, but prob 25-50%
[2017-07-09 12:35:44] nickmv : so I dialed it back from 22mph upwards to effectively 18 (10 down to 8). Found that the RPMs weren't always at 900+.
[2017-07-09 12:35:51] nickmv : If RPMs reach 900, get ready for warnings soon
[2017-07-09 12:38:43] nickmv : while all the "high power" tweaks are cool, i think the coolest is being able to adjust the tilt angle in GPS mode, so you can get more speed out of it
[2017-07-09 12:39:10] nickmv : that and just slight tweaks to those numbers
[2017-07-09 13:30:15] kilrah : at 8 i also had battery warnings after a relatively long climb (15s or so)
[2017-07-09 13:30:29] kilrah : i think i might settle for 6-7
[2017-07-09 13:30:46] kilrah : but i've now replaced sport with atti anyway...
[2017-07-09 13:31:57] kilrah : i might increase the vertical speeds a tad in normal mode instead
[2017-07-09 13:32:44] rpouetpouet : Hey @kilrah could you elaborate why loosing the GPS in ATTI instead of keeping it in sport mode?
[2017-07-09 13:34:16] kilrah : Because i like flying atti at times, you can often get smoother footage by letting it "glide" naturally instead of trying to make a progressive slowdown on the relatively poor sticks
[2017-07-09 13:34:39] kilrah : also in atti indoor flight, boat catching etc are safe
[2017-07-09 13:34:58] kilrah : and it's also safer to be able to manually switch to atti in case the gps/compass went bonkers before it decides to do it by itself
[2017-07-09 13:38:42] rpouetpouet : @kilrah ok, thanks for the explanations. Not doing a lot of boat, never really thought of that. I usually fly in open spaces, GPS signals are quite reliable
[2017-07-09 13:39:27] rpouetpouet : Oh, not mentioning the NFZ "problem" totally solved in ATTI no?
[2017-07-09 13:39:55] kilrah : hehe nope
[2017-07-09 13:40:17] kilrah : it's just a "control law" difference i.e. what flight parameter the sticks control
[2017-07-09 13:40:26] kilrah : gps and everything are still working in the background, you're just not relying on them for anything flight path related
[2017-07-09 13:42:05] kilrah : technically in GPS mode the sticks control the setpoint for forward/sideways ground speed, while in atti they control the setpoint for the tilt/roll angles (i.e. one control loop deeper)
[2017-07-09 14:41:35] hostile : "worked after the V2.00 update" congrats @jezzab welcome to the very small club! only about 40 or so of us rooting with the herring
[2017-07-09 14:42:13] hostile : Literally... last night the success counter was at 36.
[2017-07-09 14:42:17] hostile : It now sits at 37
[2017-07-09 14:42:23] hostile : that would probably be you :wink:
[2017-07-09 14:42:48] hostile : <https://dji-rev.slack.com/archives/C60KELF6H/p1499577771292715>
[2017-07-09 14:44:04] coldflake : I think I will upgrade my fw and have some red herrings for dinner tonight. App almost done, kids shipped to their mom, great days ahead!
[2017-07-09 15:12:35] bin4ry : i think i have good news
[2017-07-09 15:13:18] bin4ry : this is the OTA cert on top, and the test-key private key on bottom
[2017-07-09 15:13:21] bin4ry : they match
[2017-07-09 15:13:23] bin4ry : :smile:
[2017-07-09 15:13:28] bin4ry : so we can sign ota's
[2017-07-09 15:16:06] bin4ry : @hostile :wink:
[2017-07-09 15:18:13] nickmv : oh snap
[2017-07-09 15:19:01] bin4ry : will create a ota.zip which will create a testfile in /system
[2017-07-09 15:23:11] hostile : niiiiiiiiiiiiice
[2017-07-09 15:23:18] rpouetpouet : @bin4ry how did you do that?
[2017-07-09 15:23:23] hostile : I found some other key on the Inspire2 btw...
[2017-07-09 15:23:30] hostile : let me find it right quick
[2017-07-09 15:26:54] bin4ry : will be back in 1h
[2017-07-09 15:26:58] bin4ry : then will post a ota.sh
[2017-07-09 15:27:01] bin4ry : *zip
[2017-07-09 15:28:40] hostile : /system/lib/libdji_auth.so:rm /vendor/cert/%s dji/duml/service/dji_auth/auth/dji_auth_cmd.c auth %s /proc/cmdline drak= [-] derive module type key failed at dji_auth [-] derive module type id failed at dji_auth board_id= too small output lenth, %d < %d invalid key [-] dji_auth failed when encryption, exit [-] dji_auth failed, invailid encrypt algorithm [-] dji_auth failed when compare, %x vs %x at %d /vendor/cert/ ATTRIBUTE CERTIFICATE /system/etc/dji.aa.crt dji/duml/service/dji_auth/cert/cert.c There is no ac file There is no cert file Error getting AC issuer name Error getting cert subject name, AAAAAHHH Error getting pub key from issuer cert Error verifying AC signature ... board_sn= saak= dji/duml/service/dji_auth/util/auth_util.c can't dump data Cannot open output file %s. dji/duml/service/dji_auth/event/event.c receive security comm: peer_host=0x%x, subcmd=0x%x certification is being sent maybe, try again certification is parsing maybe, try again
[2017-07-09 15:28:44] hostile : AA Attribute Authority (also called AC Issuer) An authority trusted by one or more users to create and sign attribute certificate. It is important to note that the AA is responsible for the attribute certificates during their whole lifetime, not just for issuing them [3]. AA can be any entity in the network having objects in its control. In literature, the AA is often called AC Issuer. <http://www.tml.tkk.fi/Opinnot/Tik-110.501/2000/papers/nykanen.pdf>
[2017-07-09 15:29:03] hostile : No clue what the fuck it is for, or what /system/lib/libdji_auth.so is used for...
[2017-07-09 15:29:30] hostile : Unrelated to the OTA... but you jogged my brain.
[2017-07-09 15:30:02] hostile : bin4ry: @diff ...
[2017-07-09 15:33:15] diff : Yes. The otas seem to be test keys
[2017-07-09 15:33:28] diff : Someone else was saying they are checked at a different part of boot though?
[2017-07-09 15:38:49] bin4ry : @diff: what should be tested? as far as i see, ota.zip will be tested like this: test_ota.sh extracts normal.img -> checks normal.img with dji_verify. if it is ok it will reboot to recovery
[2017-07-09 15:38:58] bin4ry : now recovery will just handle ota.zip
[2017-07-09 15:39:07] bin4ry : i can include normal.img to trick the first test
[2017-07-09 15:39:15] bin4ry : and then just not include it to edify script
[2017-07-09 15:39:47] hostile : yeah @freaky123 knows the DJI bootloader does some checks... and will brick ya up. But I think @bin4ry is plotting on using /cache/ota.zip and a touch in /data to kick off test_ota.sh and use that to execute commands in the ota launch script.
[2017-07-09 15:40:02] bin4ry : exactly
[2017-07-09 15:40:31] bin4ry : anything you want me to include into the ota.zip
[2017-07-09 15:40:53] hans112 : Some fresh fish ;)
[2017-07-09 15:41:04] bin4ry : mount("ext4", "EMMC", "/dev/block/platform/comip-mmc.1/by-name/system", "/system");
package_extract_dir("system", "/system");
set_metadata("/system/bin/fluffy.sh", "uid", 0, "gid", 0, "mode", 06755, "capabilities", 0x0, "selabel", "u:object_r:su_exec:s0");
unmount("/system");
[2017-07-09 15:41:11] bin4ry : that's what i have in there yet
[2017-07-09 15:43:33] diff : On phone. At computer soon
[2017-07-09 15:45:14] hostile : do /data/fluffy.sh in a path the user controls and isn't "ro"
[2017-07-09 15:45:33] hostile : or are you dropping your own fluffy.sh into /system via the .zip then running it?
[2017-07-09 15:45:38] hostile : not familiar with how ota.zip works
[2017-07-09 15:45:39] bin4ry : yes exactly
[2017-07-09 15:45:40] bin4ry : own file
[2017-07-09 15:45:50] hostile : short of the quick glance at the Android page description of the process
[2017-07-09 15:50:53] diff : @hostile @bin4ry ota should work as follows
[2017-07-09 15:50:59] diff : drop file to /sdcard/ota.zip normally
[2017-07-09 15:51:21] diff : reboot into recovery, recovery will pick it up and attempt to check the signature vs what is in otacerts.zip
[2017-07-09 15:51:24] diff : if it matches, will apply
[2017-07-09 15:55:14] hostile : we can also force it to run via test_ota.zip
[2017-07-09 15:55:25] hostile : there is a file checked by startup scripts
[2017-07-09 15:55:31] hostile : if exists in /data then kicks it off
[2017-07-09 15:56:10] diff : :thumbsup:
[2017-07-09 15:58:08] martinbogo : Does anyone have the memory start address for the kernel handy?
[2017-07-09 15:58:36] martinbogo : *is doing a hardware scan, and working on a uEFI solution to replace u-boot*
[2017-07-09 15:59:27] bin4ry : nope sorry @martinbogo
[2017-07-09 15:59:49] bin4ry : here is the ota file @hostile
[2017-07-09 15:59:51] bin4ry : if it works
[2017-07-09 16:00:05] bin4ry : it will create an sh script called fluffy.sh in /system/bin
[2017-07-09 16:00:13] bin4ry : you can run it and it will tell you important stuff
[2017-07-09 16:00:21] freaky123 : I have the address somewhere @martinbogo
[2017-07-09 16:00:35] diff : @martin if you have root on the device, you should be able to just pull the file which is loaded as the kernel at boot
[2017-07-09 16:00:43] diff : **@martinbogo
[2017-07-09 16:00:47] freaky123 : With or without the signing?
[2017-07-09 16:01:10] martinbogo : I have the kernel ... I need to know where u-boot is putting the kernel
[2017-07-09 16:01:15] martinbogo : without
[2017-07-09 16:01:42] martinbogo : freaky123 : I have control of register 0-3
[2017-07-09 16:02:43] freaky123 : Nice :)
[2017-07-09 16:03:02] freaky123 : Ok let me check on my windows ida virtual pc
[2017-07-09 16:03:35] bin4ry : @diff: you are right about the OTA procedure, but the problem is "how to kick off recovery boot?"
[2017-07-09 16:03:54] bin4ry : either there is a cmd we can send to the drone without having a shell already
[2017-07-09 16:03:59] diff : `adb reboot recovery`
[2017-07-09 16:03:59] martinbogo : @freaky123 : Windriver RTOS boots much the same way as linux, and I was able to use the vectors at 0xffff0000
[2017-07-09 16:04:16] bin4ry : yah
[2017-07-09 16:04:19] bin4ry : if you have adb already
[2017-07-09 16:04:29] martinbogo : the phys offset is different, damnit
[2017-07-09 16:04:35] martinbogo : I expect ( 0x6400000 )
[2017-07-09 16:04:43] diff : if that fails -- `adb reboot-bootloader`
[2017-07-09 16:04:59] bin4ry : yes, but we would need a way to trigger a recovery boot WITHOUT adb
[2017-07-09 16:04:59] diff : otherwise, if you didn't have access to `adb` ... phones normally have a button combo to do it :confused:
[2017-07-09 16:05:01] martinbogo : @freaky123 : If you have a booted + rooted one running at the moment -- can you pull off the kernel config for me?
[2017-07-09 16:05:07] bin4ry : with adb it is no problem
[2017-07-09 16:05:35] bin4ry : if we can trigger it different we can use it as a rooting method for newer firmware when the current exploit is closed
[2017-07-09 16:05:45] bin4ry : so i hope there is a trigger somewhere to kick off the ota process
[2017-07-09 16:05:47] diff : right
[2017-07-09 16:06:03] diff : well, if we figure out the update process from assistant to drone
[2017-07-09 16:06:05] martinbogo : /proc/config.gz or variant
[2017-07-09 16:06:08] diff : maybe we can pass it over that way
[2017-07-09 16:06:25] bin4ry : thats what i am thinking too
[2017-07-09 16:07:18] bin4ry : dji signed the whole rom with test-keys, they rely on their uboot to verify the images, which does not apply to filesystem changes we do with edify, so i think we found another loophole here
[2017-07-09 16:07:35] diff : :thumbsup:
[2017-07-09 16:07:51] bin4ry : now a brave person for testing please
[2017-07-09 16:11:15] martinbogo : @bin4ry : Once I'm done with the hardware bench scan, happy to
[2017-07-09 16:11:19] martinbogo : 2-3 hours?
[2017-07-09 16:11:39] martinbogo : I want to replace the bootloader entirely, and switch from uboot to uEFI
[2017-07-09 16:11:44] bin4ry : cool do as you wish, sadly i cannot test myself due to "no drone" :smile:
[2017-07-09 16:11:56] bin4ry : that would be so cool
[2017-07-09 16:12:02] martinbogo : do what we do -- buy a crashed one, for the mainboards
[2017-07-09 16:12:26] bin4ry : i will do soon enough, cannot spend more money atm, waiting for my new job to start, currently in transition
[2017-07-09 16:12:40] bin4ry : so ... a bit software play as long as i have to wait for the big one
[2017-07-09 16:12:50] martinbogo : Well _so far_ I don't see any reason why it won't work -- effectively, all the security is built into two places at the moment -- efuses + TrustZone
[2017-07-09 16:12:53] bin4ry : and my wife's spark is untouchable for me :stuck_out_tongue:
[2017-07-09 16:13:28] bin4ry : how much did you pay for a crashed one ?
[2017-07-09 16:13:33] martinbogo : If I clear out the efuses, the signing key is lost ( oh well ) but the LC1860C becomes programmable and the memory map is fully open
[2017-07-09 16:13:41] bin4ry : i see
[2017-07-09 16:13:49] bin4ry : that would offer many possibilities
[2017-07-09 16:14:06] martinbogo : w/o it, the chip expects a signed bootloader, and will not start, and its JTAG is disabled
[2017-07-09 16:18:06] hostile : @bin4ry I've mentioned how to fire ota a few times use search bar on test_ota.sh
[2017-07-09 16:18:47] bin4ry : yeah
[2017-07-09 16:18:52] bin4ry : i read that
[2017-07-09 16:19:00] bin4ry : but i meant without access to a current exploit
[2017-07-09 16:20:28] bin4ry : because now we would need to create the ota file in /data/.... and /data/dji/cfg/test/ota
[2017-07-09 16:20:35] bin4ry : to kick off the test_ota.zip
[2017-07-09 16:20:40] hostile : Yeh which you can do via ftp
[2017-07-09 16:20:57] hostile : You'd need a symlink into /cache tho
[2017-07-09 16:21:44] bin4ry : i thought you need that
[2017-07-09 16:21:49] bin4ry : ok
[2017-07-09 16:21:55] bin4ry : even better then :wink:
[2017-07-09 16:22:03] bin4ry : so if you would like to test it i would be happy
[2017-07-09 16:22:26] bin4ry : if that works i would be bold and overwrite in_whitelist.sh
[2017-07-09 16:22:29] bin4ry : :stuck_out_tongue:
[2017-07-09 16:25:43] freaky123 : kernel config is not available
[2017-07-09 16:25:48] freaky123 : @martinbogo
[2017-07-09 16:26:14] freaky123 : but I can compile kernel modules through some difficult ways
[2017-07-09 16:27:26] freaky123 : the 0x6400000 seems familiar but will confirm it now
[2017-07-09 16:31:42] freaky123 : btw do you mean the kernel or the bootloader?
[2017-07-09 16:37:27] freaky123 : 0xE0040000 is the bootloader start address
[2017-07-09 16:38:16] freaky123 : bootloader flash partition starts at: E003FA00
[2017-07-09 16:38:40] freaky123 : that extra part is the header from the signature
[2017-07-09 16:40:05] freaky123 : pli image is at E005FA00
[2017-07-09 16:40:12] freaky123 : key image at E0060A00
[2017-07-09 16:40:20] freaky123 : and tl420 at E0061A00
[2017-07-09 16:40:38] freaky123 : is this what you wanted to know @martinbogo ?
[2017-07-09 16:44:10] freaky123 : the unpacked kernel starts at 0xC0008000
[2017-07-09 16:54:27] the_lord : @bin4ry I can test when i go home
[2017-07-09 16:54:29] bin4ry : anyone know what this level in "in_whitelist.sh" will do ?
[2017-07-09 16:54:31] bin4ry : echo $level > /tmp/dji/secure_debug
[2017-07-09 16:54:50] bin4ry : @the_lord cool
[2017-07-09 16:55:47] the_lord : I'm driving home now
[2017-07-09 16:56:47] hostile : Yeah I'm at Chuck E. Cheese with the kid
[2017-07-09 16:57:14] freaky123 : no not sure about the levels
[2017-07-09 16:57:18] freaky123 : ^^
[2017-07-09 16:57:55] bin4ry : lol
[2017-07-09 16:58:04] bin4ry : yeah what is inside the whitelist file itself ?
[2017-07-09 16:58:36] bin4ry : i can do an ota.zip with a modded whitelist sh but i want to know which level i should hardcode into it
[2017-07-09 16:58:36] coldflake : @hostile nice t-shirt ;)
[2017-07-09 16:58:53] freaky123 : that is just a tool for the developers to place on the drone to enable adb at boot every time
[2017-07-09 16:59:17] freaky123 : it contains the board_sn (board serial number) and the level of debugging which should be enabled
[2017-07-09 16:59:21] freaky123 : and that's it
[2017-07-09 16:59:23] bin4ry : yes i know that
[2017-07-09 16:59:24] freaky123 : but it needs to be signed
[2017-07-09 16:59:29] bin4ry : but there has to be more to it
[2017-07-09 16:59:30] bin4ry : line=`grep "\<board sn=\"$board\"" $wlist`
if [ -n "$line" ]; then
temp=${line##*level=\"}
level=${temp%%\"*}
mkdir -p /tmp/dji
echo $level > /tmp/dji/secure_debug
[2017-07-09 16:59:42] freaky123 : why does there need to be more?
[2017-07-09 16:59:47] bin4ry : adb is already enabled by the exit 0 from it
[2017-07-09 16:59:51] bin4ry : so why write secure_debug
[2017-07-09 16:59:53] bin4ry : at all ?
[2017-07-09 17:00:14] freaky123 : because they fail and don't communicate between dev teams?
[2017-07-09 17:00:22] freaky123 : on what is set already and what not
[2017-07-09 17:00:25] bin4ry : lol
[2017-07-09 17:00:29] freaky123 : or legacy movement of stuff
[2017-07-09 17:00:33] bin4ry : yeah but you don't need secure_debug to kick off adb
[2017-07-09 17:00:45] bin4ry : they even write inside the adb_en.sh again
[2017-07-09 17:01:02] freaky123 : you can also access the tty then without login
[2017-07-09 17:01:21] bin4ry : so i guess it will enable debug on dji binary files
[2017-07-09 17:01:23] bin4ry : or smth
[2017-07-09 17:01:29] bin4ry : just poking around here
[2017-07-09 17:06:25] bin4ry : ok, then, we can definitely go this way (thx testkeys) so we can overwrite start_dji_system.sh with an edited version if we want as an alternative to the current root. all one needs is to put the ota.zip to /cache/ota.zip and create a /data/dji/cfg/test/ota file, this will trigger test_ota.sh and this will run the recovery where the custom ota will not overwrite the partition with normal.img but only mount /system and then extract the files included to it **tada**
[2017-07-09 17:06:26] bin4ry : :wink:
[2017-07-09 17:15:49] bin4ry : will be offline for today, see you folks tomorrow then :slightly_smiling_face:
[2017-07-09 17:15:51] opcode : root@wm331_dz_vp0001_v2:/ # ps
USER PID PPID VSIZE RSS WCHAN PC NAME
root 1 0 504 336 c012cf04 0001a6f0 S /init
root 2 0 0 0 c0085ec4 00000000 S kthreadd
root 3 2 0 0 c008cb1c 00000000 S ksoftirqd/0
root 4 2 0 0 c0080b78 00000000 S kworker/0:0
root 5 2 0 0 c0080b78 00000000 S kworker/0:0H
root 6 2 0 0 c0080b78 00000000 S kworker/u10:0
root 7 2 0 0 c008cb1c 00000000 S migration/0
root 8 2 0 0 c00ca470 00000000 S rcu_preempt
root 9 2 0 0 c00ca168 00000000 S rcu_bh
root 10 2 0 0 c00ca168 00000000 S rcu_sched
root 11 2 0 0 c008cb1c 00000000 S watchdog/0
root 12 2 0 0 c008cb1c 00000000 S watchdog/1
root 13 2 0 0 c008cb1c 00000000 S migration/1
[2017-07-09 17:16:06] opcode : root @ P4P ..... thanks for all the help guys. :slightly_smiling_face:
[2017-07-09 17:18:55] hostile : Welcome to the club
[2017-07-09 17:23:15] martinbogo : @opcode : Hey, since I'm still stuck doing a hardware scan ... would you do me a quick favor? Can you see if there is a /proc/config.gz?
[2017-07-09 17:24:28] martinbogo : also /proc/cmdline?
[2017-07-09 17:24:47] freaky123 : no /proc/config
[2017-07-09 17:24:53] freaky123 : but /proc/cmdline yes
[2017-07-09 17:25:18] martinbogo : Awesome
[2017-07-09 17:25:22] martinbogo : Thank you for the > the unpacked kernel starts at 0xC0008000
[2017-07-09 17:25:51] martinbogo : THAT's what I needed ... the 0xC0008000 offset is very common with ARM + U-Boot, so that's good
[2017-07-09 17:26:01] freaky123 : :slightly_smiling_face:
[2017-07-09 17:27:32] martinbogo : /arch/arm/kernel/vmlinux.lds
[2017-07-09 17:27:36] martinbogo : Perfect
[2017-07-09 17:27:45] martinbogo : So, they aren't doing anything strange with the boot memory map
[2017-07-09 17:28:14] martinbogo : @freaky123 : Can you PM me a snippet with the contents of /proc/cmdline?
[2017-07-09 17:28:30] martinbogo : @freaky123 : I may have found the Ambarella address
[2017-07-09 19:03:00] the_lord : why did you sign the ota.zip if the code is not verifying it? #dji_verify -n normal /tmp/normal.img
[2017-07-09 19:12:55] the_lord : and the test_ota.sh will not extract the fluffy.sh to /system/bin/ because they are only extracting the normal.img busybox unzip /cache/ota.zip normal.img -d /tmp
[2017-07-09 19:15:13] hostile : We need to check all variants of that script
[2017-07-09 19:15:30] hostile : In old dumps
[2017-07-09 19:16:22] the_lord : i just tested on my laptop this code and it only unzipped the normal.img to /tmp
[2017-07-09 19:34:59] the_lord : next test downgrade it to 1.03.0700 DumlHerring :sweat_smile:
[2017-07-09 19:35:29] hans112 : Something smells fishy.... :yum:
[2017-07-09 19:42:31] the_lord : now i'm preparing the upgrade files of 1.03.0700
[2017-07-09 19:45:44] hans112 : It would be great if it worked ... That would mean updates and downgrades without VM ?
[2017-07-09 19:46:49] mavicbreak : something very exciting is happening :)
[2017-07-09 19:47:29] kilrah : yummy
[2017-07-09 19:47:36] kilrah : yep
[2017-07-09 20:01:26] bin4ry : Thx for that info!
[2017-07-09 20:08:22] bin4ry : @the_lord this is not the important part. This check only looks if normal IMG is inside the zip; if it is, it will reboot the phone to recovery. Here the magic happens. Android recovery kicks in and will handle the stuff. So what test_ota.sh does is ONLY write the file location to recovery command and then reboot into recovery if the ota.zip file has a normal.img inside. Android recovery will, once you are inside, take the ota.zip, parse it and check its signature against a signature provided on /system partition of the currently installed rom. the updater binary inside the zip will read the updater script (also inside the zip). This will now do what I wrote to the script. In the original script it will now write the normal.img to partition. I removed that, it will only copy fluffy.sh to system/bin/fluffy.sh to show that we can write there from recovery without problem. Hope I explained it well enough :grinning:
[2017-07-09 20:10:19] the_lord : @bin4ry loud and clear
[2017-07-09 20:11:00] bin4ry : Cool. Well it should work I am pretty sure of that
[2017-07-09 20:11:16] bin4ry : And if it does we have a nice way to do all kinds of stuff
[2017-07-09 20:11:22] bin4ry : In a secure manner
[2017-07-09 20:11:28] the_lord : i'll test it after downgrade test because i got this core board for the downgrade purpose after that i don't care if its bricked
[2017-07-09 20:11:36] bin4ry : Ok sure
[2017-07-09 20:11:40] bin4ry : Thank you for that
[2017-07-09 20:11:54] bin4ry : I am away now since it is late here
[2017-07-09 20:11:58] bin4ry : So don't hurry
[2017-07-09 20:12:08] the_lord : @hostile BTW i noticed the 1.03.0700 creates symlink folder but the latest 1.03.0800 and 1.03.0900 doesn't create symlink
[2017-07-09 20:12:09] bin4ry : Gn8
[2017-07-09 20:12:16] the_lord : good night
[2017-07-09 21:31:21] martinbogo : night :slightly_smiling_face:
[2017-07-09 21:38:22] skywalk3r : Gn
[2017-07-09 22:33:55] hotelzululima : night all.. beautiful afternoon here :slightly_smiling_face:
[2017-07-09 23:47:59] jezzab : Mornin here.
[2017-07-09 23:48:11] jezzab : Anyone end up trying the OTA file?
[2017-07-10 06:14:19] hdnes : What’s actually in the grep file that gets removed?
[2017-07-10 06:53:31] jayemdee : @the_lord did you achieve root with just DUML last nite? Im on 0700 and willing to test... can you share the code ?
[2017-07-10 06:55:29] hdnes : ditto
[2017-07-10 08:50:07] bin4ry : anyone had the chance to test my ota.zip :smiley: ?
[2017-07-10 09:12:55] hostile : Flying today... maybe tonight sorry!
[2017-07-10 09:22:14] bin4ry : okay
[2017-07-10 10:03:31] the_lord : @bin4ry GM just to recap i'll copy you ota.zip to SDC then put ota file in /data/dji/cfg/test/ota that's it?
[2017-07-10 10:06:01] the_lord : BTW there is already ota.zip in the /cache
[2017-07-10 10:06:51] the_lord : @jayemdee not DUML alone i used the RedHerring tar file
[2017-07-10 12:28:57] the_lord : @bin4ry ??
[2017-07-10 12:30:07] bin4ry : sorry did not notice here
[2017-07-10 12:30:13] bin4ry : drop the file to /cache/ota.zip
[2017-07-10 12:30:20] bin4ry : then create /data/dji/cfg/test/ota
[2017-07-10 12:30:34] bin4ry : then it should work
[2017-07-10 12:32:11] the_lord : so basically you are testing your signing keys right?
[2017-07-10 12:32:39] the_lord : because if we can access /cache/ that means we already have adb access
[2017-07-10 12:33:31] bin4ry : yes, i want to test if the signing keys do work, if the approach with the signing keys work i will hunt a way to get the ota on the device :smiley:
[2017-07-10 12:33:52] bin4ry : i think there has to be a way to transfer the OTA from phone / app to it, since that is what an ota is for :stuck_out_tongue:
[2017-07-10 12:34:55] the_lord : got it
[2017-07-10 12:35:11] bin4ry : thank you very much :slightly_smiling_face:
[2017-07-10 12:37:03] the_lord : will test it now since the downgrade test may take long time
[2017-07-10 12:37:36] bin4ry : :smile:
[2017-07-10 12:37:41] bin4ry : crossing fingers
[2017-07-10 12:45:46] the_lord : how long should it take?
[2017-07-10 12:46:19] the_lord : after putting ota in /data/dji/cfg/test and reboot the board rebooted many times
[2017-07-10 12:46:42] bin4ry : it should reboot once to recovery
[2017-07-10 12:46:49] bin4ry : than it should reboot again to boot
[2017-07-10 12:46:54] bin4ry : then sometimes a third time
[2017-07-10 12:46:58] bin4ry : after that it should be good
[2017-07-10 12:47:36] the_lord : not accessible now
[2017-07-10 12:47:54] bin4ry : hm, fck it should not harm the device after all
[2017-07-10 12:48:08] bin4ry : does it still reboot ?
[2017-07-10 12:49:00] the_lord : no
[2017-07-10 12:49:28] the_lord : i rebooted manually now and still no ping
[2017-07-10 12:49:37] the_lord : actually no RNDIS
[2017-07-10 12:49:53] bin4ry : oh
[2017-07-10 12:51:02] bin4ry : actually i cannot understand that, it should not influence the boot at all
[2017-07-10 12:51:25] the_lord : i can see the DJI virtual com port
[2017-07-10 12:51:51] bin4ry :
mount("ext4", "EMMC", "/dev/block/platform/comip-mmc.1/by-name/system", "/system");
package_extract_dir("system", "/system");
set_metadata("/system/bin/fluffy.sh", "uid", 0, "gid", 0, "mode", 06755, "capabilities", 0x0, "selabel", "u:object_r:su_exec:s0");
unmount("/system");
[2017-07-10 12:51:56] bin4ry : that is what i am doing
[2017-07-10 12:52:02] bin4ry : so only adding a file
[2017-07-10 12:53:07] the_lord : what about the normal.img in your ota.zip?
[2017-07-10 12:53:13] the_lord : is it the same as original?
[2017-07-10 12:53:25] bin4ry : it is the original from the firmware
[2017-07-10 12:53:30] bin4ry : but it does not get written at all
[2017-07-10 12:53:41] bin4ry : in the original updater_script they write it
[2017-07-10 12:53:46] bin4ry : it do not
[2017-07-10 12:53:48] the_lord : i'll check if assistant can see it or not
[2017-07-10 12:54:16] bin4ry : in the original updater_script they do write recovery, boot and normal, also copy over some files to system
[2017-07-10 12:54:32] bin4ry : i only keep the normal.img inside the file because test_ota.sh checks for its presence
[2017-07-10 12:56:50] the_lord : assistant can't see it
[2017-07-10 12:58:03] bin4ry : hmm, fuck. i have an assumption
[2017-07-10 12:58:24] bin4ry : after reboot normally the boot.mode resets
[2017-07-10 12:58:47] bin4ry : maybe it is not doing this on dji drones
[2017-07-10 12:58:49] the_lord : is it still in recovery mode?
[2017-07-10 12:59:01] bin4ry : so it would reboot into recovery every time
[2017-07-10 12:59:12] the_lord : for that there is DJI virtual serial port
[2017-07-10 12:59:27] bin4ry : what is attached there can you connect ?
[2017-07-10 13:00:42] the_lord : i have terminal which usually i use it to send DUML
[2017-07-10 13:00:57] the_lord : now once i open the com port it hangs
[2017-07-10 13:01:27] bin4ry : fuck
[2017-07-10 13:01:32] bin4ry : i am so sorry
[2017-07-10 13:01:39] the_lord : don't be
[2017-07-10 13:01:56] the_lord : brick ++; :smile:
[2017-07-10 13:02:06] bin4ry : dji sends this out at the end of their ota
[2017-07-10 13:02:07] bin4ry : run_program("/sbin/env","-d", "boot.mode");
[2017-07-10 13:02:11] bin4ry : i did not see that
[2017-07-10 13:02:38] bin4ry : i really think it is still inside recovery
[2017-07-10 13:02:45] the_lord : me too
[2017-07-10 13:02:54] the_lord : how can i access it in recovery?
[2017-07-10 13:03:11] the_lord : the ota file should be in /data/dji/cfg/test
[2017-07-10 13:03:38] the_lord : it should stay in recovery
[2017-07-10 13:03:48] bin4ry : once you are able to remove the file in /cache/
[2017-07-10 13:03:54] bin4ry : it should do it
[2017-07-10 13:04:05] the_lord : how i'll remove it?
[2017-07-10 13:04:07] bin4ry : but for that we need access to a tty somewhere
[2017-07-10 13:04:17] the_lord : i don't have access
[2017-07-10 13:04:32] the_lord : all my ttl stuff are 3.3 / 5 v
[2017-07-10 13:05:55] bin4ry : i have no idea ... only the virtual serial port would be the way in
[2017-07-10 13:06:29] jan2642 : you’d need something like this: FTDI TTL-232RG-VREG1V8-WE
[2017-07-10 13:06:53] bin4ry : if you are able to send the command /sbin/env -d boot.mode
[2017-07-10 13:07:01] bin4ry : then it should reboot to normal again
[2017-07-10 13:08:45] bin4ry : i am sorry :confused:
[2017-07-10 13:08:50] bin4ry : hopefully we get it back somehow
[2017-07-10 13:08:55] the_lord : don't be sorry
[2017-07-10 13:09:01] bin4ry : i am :confused:
[2017-07-10 13:09:07] the_lord : its just a core board
[2017-07-10 13:09:07] jan2642 : Available on Farnell, Digikey, mouser, …
[2017-07-10 13:09:13] bin4ry : bcs i did not see the 1 line of code
[2017-07-10 13:09:44] the_lord : and i didn't buy this board i got it for free
[2017-07-10 13:09:50] the_lord : so don't be sorry please
[2017-07-10 13:10:00] bin4ry : ok :wink:
[2017-07-10 13:10:14] the_lord : it is for this purpose
[2017-07-10 13:10:17] bin4ry : but i better remove the fluffy ota before anyone else gets ideas
[2017-07-10 13:12:06] the_lord : this is the bricked board <https://dji-rev.slack.com/files/the_lord/F66QHNEQ6/image_uploaded_from_ios.jpg>
[2017-07-10 13:13:08] bin4ry : :skull_and_crossbones:
[2017-07-10 13:13:09] the_lord : usually while in recovery mode what do you do?
[2017-07-10 13:13:32] bin4ry : if you unzip the ota.zip you will understand
[2017-07-10 13:13:42] bin4ry : recovery will execute the updater_script
[2017-07-10 13:13:48] bin4ry : and execute it's commands 1 by 1
[2017-07-10 13:13:54] bin4ry : then it will reboot
[2017-07-10 13:13:56] the_lord : no i mean when you put a device in recovery mode what do you do from PC ?
[2017-07-10 13:14:26] bin4ry : that depends, on recovery on phones normally you do not have access to it in first place
[2017-07-10 13:14:35] bin4ry : but you can enabled sideloading of OTA packages
[2017-07-10 13:15:02] bin4ry : but to do that you need a touchscreen and volume rockers on standard recovery
[2017-07-10 13:15:16] bin4ry : other than that no interaction from user in recovery mode
[2017-07-10 13:15:32] the_lord : i see
[2017-07-10 13:15:44] jan2642 : Anyone bidding on this ? If so, I won’t. <http://www.ebay.com/itm/DJI-Mavic-Pro-Parts-As-Is-Board-And-Body-/272750372424?hash=item3f81306648:g:y7MAAOSwyWZZXZM5>
[2017-07-10 13:15:54] kilrah : recovery on phones typically has a little menu with wipe cache, data etc
[2017-07-10 13:16:28] bin4ry : i still try to extract the complete ramdisk from this recovery.img
[2017-07-10 13:16:33] bin4ry : maybe we find another trigger in there
[2017-07-10 13:17:40] the_lord : \USB#VID_2CA3&PID_001F#0123456789ABCDEF#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
[2017-07-10 13:18:31] bin4ry : wait a sec i saw this pid before
[2017-07-10 13:19:27] bin4ry : yah DJI USB mode
[2017-07-10 13:19:38] the_lord : but not responding
[2017-07-10 13:20:04] the_lord : i'll try darksimpson LC1860 tools
[2017-07-10 13:20:37] bin4ry : ok
[2017-07-10 13:23:56] the_lord : it requires u-boot.bin and some other shit i don't have
[2017-07-10 13:27:37] bin4ry : hmmm, where are the other guys playing around with the hardware much longer already here? @freaky123 f.e., they should have it
[2017-07-10 13:28:47] freaky123 : yeah that tool requires some stuff but you need the IAEK key from your chip first before you can flash a new u-boot
[2017-07-10 13:29:32] freaky123 : we need to figure out that tool a bit more before we can use it
[2017-07-10 13:30:44] bin4ry : @freaky123 the recovery.img i posted a few posts ago, i cannot decrypt it with your image.py for some reason. mind to take a look ?
[2017-07-10 13:31:04] freaky123 : where does it come from?
[2017-07-10 13:31:04] bin4ry : it does create the KERN file but fails on the LRFS
[2017-07-10 13:31:15] freaky123 : yes because those are encrypted
[2017-07-10 13:31:22] freaky123 : the kernel isn't
[2017-07-10 13:31:55] freaky123 : LRFS = .... Root File System, TZOS = Trust Zone OS; those two are encrypted
[2017-07-10 13:32:12] freaky123 : I can decrypt them but they aren't extremely useful
[2017-07-10 13:32:36] bin4ry : i see, i would have loved to take a look into the recovery ramdisk, thats why i did try that
[2017-07-10 13:32:46] bin4ry : so see if there is another trigger to leave recovery boot
[2017-07-10 13:32:50] the_lord : don't worry @bin4ry i arranged to get another core board for free
[2017-07-10 13:33:06] bin4ry : :smile:
[2017-07-10 13:33:09] freaky123 : are you stuck in recovery mode then?
[2017-07-10 13:33:15] bin4ry : yes we think so
[2017-07-10 13:33:18] the_lord : it seems so yes
[2017-07-10 13:33:22] bin4ry : i forgot to remove the boot.mod from env
[2017-07-10 13:33:28] bin4ry : boot.mode
[2017-07-10 13:33:38] bin4ry : inside my modded ota.zip
[2017-07-10 13:33:50] bin4ry : so it seems the board is still booting into recovery every time
[2017-07-10 13:34:12] freaky123 : that is a difficult situation
[2017-07-10 13:34:27] bin4ry : indeed, and since he said there is a usb device
[2017-07-10 13:34:37] bin4ry : i thought taking a look into the ramdisk cannot hurt
[2017-07-10 13:34:37] freaky123 : what type of usb device?
[2017-07-10 13:34:43] bin4ry : so see what they init in there
[2017-07-10 13:34:51] bin4ry : \USB#VID_2CA3&PID_001F#0123456789ABCDEF#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
[2017-07-10 13:34:59] bin4ry : in normal boot this can be
[2017-07-10 13:35:57] bin4ry : but as i cannot open the ramdisk from recovery ... well you know already :smile:
[2017-07-10 13:36:43] freaky123 : this is part of the TZOS
[2017-07-10 13:36:49] bin4ry : i see
[2017-07-10 13:37:13] freaky123 : I can only find 0123456789ABCDEF in the TZOS
[2017-07-10 13:37:20] freaky123 : so the usb device is from the TZOS
[2017-07-10 13:37:56] bin4ry : ok
[2017-07-10 13:38:02] the_lord : of course the board was rooted before this ota test FYI
[2017-07-10 13:38:19] freaky123 : these are the unencrypted recovery blocks
[2017-07-10 13:38:50] freaky123 : you can then take a look yourself :wink: and see if you can figure out a way in
[2017-07-10 13:38:59] bin4ry : thx
[2017-07-10 13:40:57] the_lord : freaky do you know what should be packed in dji_system.bin for upgrade/downgrade?
[2017-07-10 13:41:43] bin4ry : how did you decrypt it btw? i thought you included all the dec keys into your tools? :smile:
[2017-07-10 13:45:39] hostile : @bin4ry “it is just a flesh wound” - @the_lord <https://www.youtube.com/watch?v=-6VTci1Bunk>
[2017-07-10 13:46:53] bin4ry : hehe
[2017-07-10 13:48:02] bin4ry : it is enabling this in recovery by default
[2017-07-10 13:48:03] bin4ry : setprop sys.usb.config rndis,mass_storage,bulk,acm
[2017-07-10 13:48:40] bin4ry : so this is what shows up on your device
[2017-07-10 13:52:27] freaky123 : I decrypted it with magic
[2017-07-10 13:52:32] hostile : @the_lord this should catch the update… while true ; do cp /data/dji_system.bin /data/xxx.bin; done
[2017-07-10 13:52:35] bin4ry : ahahah :slightly_smiling_face:
[2017-07-10 13:53:04] the_lord : thanks
[2017-07-10 13:53:14] bin4ry : cannot seem to find the key you mentioned somewhere in your files :wink:
[2017-07-10 13:53:22] the_lord : when i get the new core board within few hours
[2017-07-10 13:53:59] hostile : <https://www.youtube.com/watch?v=-w6m-nhUcos>
[2017-07-10 13:54:14] hostile : *pours out some liquor for your core board*
[2017-07-10 13:54:23] hostile : $respect
[2017-07-10 13:54:27] the_lord : LoL
[2017-07-10 13:55:10] freaky123 : getting this specific key bricked @hostile's board :wink:
[2017-07-10 13:55:26] bin4ry : i understand :smile:
[2017-07-10 13:55:40] hostile : for the revolution!
[2017-07-10 13:56:05] freaky123 : but prolly soon we will be able to unbrick it
[2017-07-10 13:56:15] hostile : yep!
[2017-07-10 13:56:36] hostile : I hear Dany is pioneering the technique as we speak! Sorry had to!
[2017-07-10 13:56:37] hostile : ok back to work
[2017-07-10 14:10:08] martinbogo : @freaky123 : I _may_ have extracted the key out of TrustZone this morning
[2017-07-10 14:10:39] martinbogo : @freaky123 : Would you PM me the dump you got out of the efuses?
[2017-07-10 14:10:57] freaky123 : yeah np
[2017-07-10 14:14:03] martinbogo : @freaky123 : thanks. I have all four core boards instrumented ... full workday for me today, so I won't be able to get back to this until I get back to home base for the evening.
[2017-07-10 15:41:38] opcode : could someone help me mounting the dumped .img from my p4p on osx? i don't get it, as it's a raw disk image.
[2017-07-10 15:51:14] freaky123 : The fs image I mounted in ubuntu
[2017-07-10 15:52:29] opcode : oh no. not another emulator. :smile:
[2017-07-10 16:05:27] rulppa : does it smell like bricks here?
[2017-07-10 16:40:21] hostile : @opcode what OS are you on?
[2017-07-10 16:40:41] hostile : the dumped disk image should actually be multiple dumped partitions
[2017-07-10 16:41:10] hostile : I use ext4fuse from brew. <https://github.com/gerard/ext4fuse>
[2017-07-10 16:54:24] opcode : OSX. ext4fuse is available. Mount Point?
[2017-07-10 16:56:02] bin4ry : @the_lord i have a fixed ota.zip now :see_no_evil:
[2017-07-10 16:56:15] bin4ry : removing all the env stuff
[2017-07-10 16:56:48] bin4ry : but we can wait until we can un-brick, in the meantime i search for a deploy mechanism
[2017-07-10 16:57:01] bin4ry : i don't want to cause another brick :cry:
[2017-07-10 17:21:14] hans112 : <https://youtu.be/YR5ApYxkU-U>
[2017-07-10 18:57:21] hostile : @opcode ext4fuse mountpoint is any directory you want… mkdir /tmp/zzz then use /tmp/zzz as your mountpoint for example
[2017-07-10 18:58:06] hostile : @bin4ry I may be willing to risk a brick when I get home… I’ve got $100 for the cause as it were =]
[2017-07-10 19:11:39] samd12 : I will donate for the cause!!!!
[2017-07-10 19:12:37] freaky123 : @bin4ry I know how you feel
[2017-07-10 19:47:17] opcode : @hostile only img mountable are mmcblk0p5.img and mmcblk0p10.img. The others "Partition doesn't contain EXT4 filesystem". Additionally i don't have read permission problems on some folders, even with su.
[2017-07-10 20:09:02] hostile : mount it as root
[2017-07-10 20:09:10] hostile : yeah some of the partitions are “data” or encrypted.
[2017-07-10 20:12:47] opcode : Root doesn't help. No read permission.
[2017-07-10 20:13:08] hostile : mount it as root
[2017-07-10 20:13:10] hostile : not as a normal user
[2017-07-10 20:13:20] hostile : fuse mounts can only be seen by the user mounting them
[2017-07-10 20:14:16] opcode : sudo ext4fuse doesn't help anyway.
[2017-07-10 20:14:31] hostile : $ file *
mmcblk0boot0.img: DOS executable (COM)
mmcblk0boot1.img: DOS executable (COM)
mmcblk0p1.img:    data
mmcblk0p10.img:   Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (extents) (large files)
mmcblk0p11.img:   Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (extents) (large files)
mmcblk0p12.img:   Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (needs journal recovery) (extents) (large files)
mmcblk0p13.img:   Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (needs journal recovery) (extents) (large files)
mmcblk0p14.img:   Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (needs journal recovery) (extents) (large files)
mmcblk0p2.img:    data
mmcblk0p3.img:    data
mmcblk0p4.img:    data
mmcblk0p5.img:    Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (extents) (large files)
mmcblk0p6.img:    data
mmcblk0p7.img:    data
mmcblk0p8.img:    data
mmcblk0p9.img:    data
mmcblk0rpmb.img:  data
Kevins-MacBook-Pro:Inspire2 kfinisterre$ mkdir /tmp/zzz
Kevins-MacBook-Pro:Inspire2 kfinisterre$ sudo su
Password:
sh-3.2# ext
ext4fuse    extcheck    extconv     extractbb   extractres
sh-3.2# ext4fuse mmcblk0p11.img /tmp/zzz
[2017-07-10 20:14:40] hostile : sh-3.2# ls /tmp/zzz
cert        firmware    lost+found
[2017-07-10 20:14:50] hostile : sh-3.2# find /tmp/zzz/
/tmp/zzz/
/tmp/zzz//lost+found
/tmp/zzz//cert
/tmp/zzz//cert/dji.aa.crt
/tmp/zzz//firmware
/tmp/zzz//firmware/cnn_model.tar
/tmp/zzz//firmware/cpld.fw
/tmp/zzz//firmware/ma2155_sec.mvcmd
/tmp/zzz//firmware/ma2155_sec.mvfc
/tmp/zzz//firmware/ma2155_sec_dump.mvcmd
/tmp/zzz//firmware/ma2155_sec_dump.mvfc
[2017-07-10 20:14:52] hostile : works fine for me…
[2017-07-10 20:24:12] opcode : Got it. Thanks again. Is it worth peeking into these files? Did you already take a look around?
[2017-07-10 20:25:19] hostile : certainly many things worth running through IDA pro.
[2017-07-10 20:25:29] hostile : simple example… that .dji.aa.crt above… we don’t know what it does.
[2017-07-10 20:25:59] hostile : see: <https://dji-rev.slack.com/archives/C60KELF6H/p1499614120380351>
[2017-07-10 20:26:09] opcode : Hmm. Don't have ida. 500 bucks. :-(
[2017-07-10 20:26:14] hostile : so yeah… definitely worth playing and taking apart further.
[2017-07-10 20:26:20] hostile : man up and torrent it like everyone else. lol
[2017-07-10 20:26:38] hostile : or google for a random .rar on a ftp server
[2017-07-10 20:28:22] opcode : Hehe. :wink:
[2017-07-10 21:07:33] the_lord : i got another core board any one wana brick it ??:joy::joy::joy::joy:
[2017-07-10 21:07:57] freaky123 : I know a way
[2017-07-10 21:09:50] the_lord : a way for bricking or fix ?? :stuck_out_tongue_winking_eye:
[2017-07-10 21:11:13] freaky123 : brick it
[2017-07-10 21:11:52] the_lord : LoL
[2017-07-10 21:16:57] freaky123 : you were the one in recovery loop?
[2017-07-10 21:17:21] freaky123 : gonna unbrick that one now ^^ prolly know some ways
[2017-07-10 21:17:25] freaky123 : got 2 check some stuff
[2017-07-10 21:17:42] freaky123 : lets boot up ida
[2017-07-10 21:19:16] freaky123 : how much to unbrick it? ^^ (just joking)
[2017-07-10 21:20:41] freaky123 : they boot up a specific recovery binary
[2017-07-10 21:23:20] freaky123 : interesting in recovery these keys are loaded: ``` {64,0xc926ad21,{1795090719,2141396315,950055447,2581568430,4268923165,1920809988,546586521,3498997798,1776797858,3740060814,1805317999,1429410244,129622599,1422441418,1783893377,1222374759,2563319927,323993566,28517732,609753416,1826472888,215237850,4261642700,4049082591,3228462402,774857746,154822455,2497198897,2758199418,3019015328,2794777644,87251430,2534927978,120774784,571297800,3695899472,2479925187,3811625450,3401832990,2394869647,3267246207,950095497,555058928,414729973,1136544882,3044590084,465547824,4058146728,2731796054,1689838846,3890756939,1048029507,895090649,247140249,178744550,3547885223,3165179243,109881576,3944604415,1044303212,3772373029,2985150306,3737520932,3599964420},{3437017481,3784475129,2800224972,3086222688,251333580,2131931323,512774938,325948880,2657486437,2102694287,3820568226,792812816,1026422502,2053275343,2800889200,3113586810,165549746,4273519969,4065247892,1902789247,772932719,3941848426,3652744109,216871947,3164400649,1942378755,3996765851,1055777370,964047799,629391717,2232744317,3910558992,191868569,2758883837,3682816752,2997714732,2702529250,3570700455,3776873832,3924067546,3555689545,2758825434,1323144535,61311905,1997411085,376844204,213777604,4077323584,9135381,1625809335,2804742137,2952293945,1117190829,4237312782,1825108855,3013147971,1111251351,2568837572,1684324211,2520978805,367251975,810756730,2353784344,1175080310}} ```
[2017-07-10 21:28:09] freaky123 : btw this is a normal android recovery boot
[2017-07-10 21:28:17] freaky123 : so prolly normal recovery stuff should work
[2017-07-10 21:28:46] freaky123 : dji_sys is started so prolly vcom connection should work with the assistant
[2017-07-10 21:32:08] freaky123 : also there could be a root serial available
[2017-07-10 21:32:18] freaky123 : but asks for login.. so hopefully you have your DAAK?
[2017-07-10 21:32:48] the_lord : talking to me?
[2017-07-10 21:34:08] freaky123 : were you the one with the bricked board in recovery then yes
[2017-07-10 21:34:11] freaky123 : :stuck_out_tongue:
[2017-07-10 21:35:14] the_lord : i don't think i got the DAAK for this board
[2017-07-10 21:36:43] freaky123 : when it is in recovery and I'm correct there should still be a vcom connection to dji_sys available
[2017-07-10 21:38:50] the_lord : i can see the serial port but i couldn't even open the port
[2017-07-10 21:39:24] the_lord : and to not waste your time the board is not with me now i left it in the work shop and got another one
[2017-07-10 21:39:43] freaky123 : aha
[2017-07-10 21:40:13] the_lord : when i opened the port no output and the application just hang
[2017-07-10 21:40:35] the_lord : i couldn't send anything
[2017-07-10 21:59:49] freaky123 : it is either a VCOM or an adb port
[2017-07-10 22:00:01] freaky123 : so 2 ways to get into the device prolly
[2017-07-10 22:02:22] bin4ry : it is not adb
[2017-07-10 22:02:30] bin4ry : from recovery ramdisk you see it sets
[2017-07-10 22:02:57] bin4ry : the sys.usb. blabla without adb
[2017-07-10 22:03:48] bin4ry : setprop sys.usb.config rndis,mass_storage,bulk,acm
[2017-07-10 22:04:02] bin4ry : which fits the devid 1f
[2017-07-10 22:04:20] the_lord : anybody can confirm the --test_server is not getting NFZ db
[2017-07-10 22:04:21] bin4ry :
#rndis,mass_storage,bulk for DJI USB
on property:sys.usb.config=rndis,mass_storage,bulk,acm
    write /sys/class/android_usb/android0/enable 0
    write /sys/class/android_usb/android0/idVendor 2ca3
    write /sys/class/android_usb/android0/idProduct 1f
    write /sys/class/android_usb/android0/f_acm/instances 1
    write /sys/class/android_usb/android0/functions $sys.usb.config
    write /sys/class/android_usb/android0/f_rndis/wceis 1
    write /sys/class/android_usb/android0/enable 1
    setprop sys.usb.state $sys.usb.config
[2017-07-10 22:20:40] freaky123 : yes but inside the recovery binary there is a miniadb
[2017-07-10 22:28:54] jezzab : @the_lord my P4 did that with pre V2.00 fw
[2017-07-10 22:29:25] hostile : I rooted a p4a today fwiw
[2017-07-10 22:30:28] freaky123 : p4a? what is the a?
[2017-07-10 22:30:40] the_lord : i just tested it and it didn't give me the NFZ prompt
[2017-07-10 22:31:18] the_lord : already rooted with DUML but was testing the NFZ from test_server and it didn't work
[2017-07-10 22:58:18] hfman : @the_lord - were you logged into Asst2? I think you have to be for the NFZ thing to work?
[2017-07-10 22:59:39] the_lord : yes logged in
[2017-07-10 23:02:41] hfman : OSX or Win?
[2017-07-10 23:03:53] the_lord : win
[2017-07-10 23:04:05] jezzab : what fw is it?
[2017-07-10 23:04:17] the_lord : i don't actually need it but i was wondering did DJI remove it?
[2017-07-10 23:04:31] the_lord : the assistant 1.1.2
[2017-07-10 23:04:38] jezzab : on the board
[2017-07-10 23:04:51] the_lord : 1.03.05
[2017-07-10 23:05:04] the_lord : but without --test_server it got the NFZ
[2017-07-10 23:05:13] jezzab : i see
[2017-07-10 23:05:18] the_lord : with --test_server its not getting anything
[2017-07-10 23:05:40] the_lord : again i don't need as i can root without it but i'm wondering DID DJI remove it?
[2017-07-10 23:07:31] the_lord : i'm now more worried may they monitor my account as from my location i can't see SPARK FW downgrade
[2017-07-10 23:14:37] hfman : Has anybody even fully tested the Win version? I've only done it with OSX.
[2017-07-10 23:18:09] oanerm : And win version is ready already? If yes I can test it, maybe it will also be possible to make it on Raspberry platform
[2017-07-10 23:31:20] the_lord : i was testing the assistant without RedHerring
[2017-07-10 23:32:40] the_lord : you can easily force the assistant to send you NFZ db by deleting the ftp/upgrade/nfz which is /data/nfz and reboot
[2017-07-10 23:45:46] oanerm : So you mean to delete complete upgrade folder on FTP and restart it and connect to DJI assistant will force NFZ update?
[2017-07-10 23:49:25] the_lord : no not complete upgrade folder come on only the nfz folder
[2017-07-10 23:49:43] the_lord : no force it will show the prompt without --test_server
[2017-07-10 23:50:30] the_lord : sorry my bad i edited above
[2017-07-10 23:51:39] oanerm : This seems to not work on my Mavic ( .400) I just renamed nfz folder and rebooted. No NFZ update dialog.
[2017-07-10 23:51:54] the_lord : it checks the new NFZ data from the server against the /ftp/upgrade/upgrade/backup/wm220_0905_v00.00.01.04_20170301.pro.fw.sig and generate nfz.sig
[2017-07-10 23:52:49] the_lord : this board on 1.03.0500 and first time connected to assistant created the nfz for the first time
[2017-07-10 23:53:06] the_lord : before connecting to assistant there was no nfz folder
[2017-07-10 23:53:48] the_lord : this is from the upgrade log [sys_flight_data_do_upgra: 180]:: create /data/nfz for first time
[2017-07-10 23:55:14] oanerm : Thanks for explanation I will try it tomorrow, 2AM here :slightly_smiling_face:
[2017-07-11 00:57:20] hdnes : I have the same issue with no NFZ popping up with Rherring, 0.400
[2017-07-11 00:57:51] the_lord : i'm without RedHerring
[2017-07-11 00:58:05] hdnes : can you share code for me to try duml
[2017-07-11 00:58:08] the_lord : i'm thinking maybe like the spark FW based on location
[2017-07-11 00:58:21] the_lord : drone or rc?
[2017-07-11 01:28:10] hdnes : I don't currently have a root solution since RH is having issues with .400. @the_lord can you share your DUML method
[2017-07-11 01:31:59] the_lord : i sniffed the assistant during the upgrade then studied the upgrade log to understand the process of the DUML
[2017-07-11 01:32:17] the_lord : i'll try to make fast how to
[2017-07-11 01:47:54] hdnes : you running with ruby?
[2017-07-11 01:48:18] hdnes : python?
[2017-07-11 01:49:46] the_lord : i use .net application to open the serial port and bark on it as what @hostile said :joy:
[2017-07-11 01:57:58] hdnes : that’s solid work
[2017-07-11 01:58:13] hdnes : going to take a hot minute to write that in python
[2017-07-11 01:58:26] hdnes : but not terrible
[2017-07-11 02:05:45] hostile : nice work on the DUML @the_lord !
[2017-07-11 02:06:13] hostile : very exciting to see spinoffs that are **more** functional sans Assistant! I took the short cut route =]
[2017-07-11 02:12:52] the_lord : yes its me :slightly_smiling_face:
[2017-07-11 02:13:26] hdnes : I’d seen the crc work before but my first question was this and looks like you answered it
[2017-07-11 02:14:42] hdnes : I’d spent like 2 hrs on their crc like 6 months ago and nothing obvious worked (XOR etc). So I just did simple packet replay because I didn’t need to change the size of the packet.
[2017-07-11 02:15:17] hdnes : One could always just pad with comments or something to get the file size to be the same without calcing the CRC but this is more elegant
[2017-07-11 02:16:07] the_lord : i do the same, i insert zeros at the end of the tar to match the size
[2017-07-11 02:16:45] the_lord : but when you want to use it for upgrade/downgrade you have to change it and calculate the CRC
[2017-07-11 02:18:23] the_lord : drone 551A04B12A286B5740000800002AA00600000000000002047243
[2017-07-11 02:18:45] the_lord : RC 551A04B12A2DEC2740000800001ECA010000000000000204D329
[2017-07-11 02:20:25] the_lord : for the upgrade/downgrade the last command in the text file should be the md5sum of the file, but what i saw in the log is it's always accepting my command, i don't know why. upgrade/downgrade needs more work and testing
[2017-07-11 02:27:02] hostile : Try Reveng @the_lord <http://reveng.sourceforge.net>
[2017-07-11 02:27:09] hostile : For your CRC stuff
[2017-07-11 02:29:15] the_lord : DJI are not using standard CRC and glove puppet on github already posted the calculation code
[2017-07-11 02:32:48] hostile : @the_lord I rooted a P4a today btw. root@wm332_dz_vp0001_v1:/ #
[2017-07-11 02:33:14] hdnes : I saw but didn’t see the answer what’s P4a?
[2017-07-11 02:33:20] hdnes : advanced?
[2017-07-11 02:33:24] hostile : yessir
[2017-07-11 02:33:30] hdnes : didn’t know was a thing
[2017-07-11 02:33:37] hostile : there is a Pro+ too
[2017-07-11 02:33:45] hdnes : yeah I guess now that I think of it
[2017-07-11 02:34:58] the_lord : but which way? RedHerring or ur DUML?
[2017-07-11 02:36:02] hdnes : @the_lord, the .tar that you are renaming to .bin is the same .tar generated using the grep and RedHerring
[2017-07-11 02:36:25] the_lord : exactly
[2017-07-11 02:36:40] the_lord : for that its called DumlHerring :smile:
[2017-07-11 02:37:04] the_lord : no assistant required
[2017-07-11 02:38:13] the_lord : now you can root even from Rpi
[2017-07-11 02:39:10] hdnes : or android app :wink:
[2017-07-11 02:39:25] the_lord : hahahaha yes
[2017-07-11 02:40:34] the_lord : you know this will enable telnet and from there you can enjoy
[2017-07-11 02:43:09] the_lord : GN guys its 5:45 am here
[2017-07-11 02:52:17] hdnes : Cool
[2017-07-11 02:52:29] hdnes : gn
[2017-07-11 05:09:40] hdnes : Got the CRC running in python
[2017-07-11 05:52:16] hdnes : Almost got pyDUMLHerring to generate packets
[2017-07-11 06:41:15] hans112 : I missed the last couple of hours... But does this mean you can downgrade and upgrade without assistant? To any version ?
[2017-07-11 06:43:03] hdnes : no, I’m working on replicating @the_lord ‘s work rooting without using Assistant
[2017-07-11 06:43:34] hdnes : that being said, someone could take this work and apply it to the upgrade/downgrade solution beings the keys are floating around
[2017-07-11 06:44:30] hdnes : packets are all generated in python now, just need to hook up to pyusb. Might be convinced to switch to Ruby if someone wants to help
[2017-07-11 06:46:12] hdnes : @the_lord , file size is 4096 for the fireworks.tar. Does this output seem correct?
[2017-07-11 06:46:13] hdnes : 55 1A 04 B1 2A 28 6B 57 40 00 08 00 00 10 00 00 00 00 00 00 00 00 02 04 69 6D
[2017-07-11 06:46:29] hans112 : Nice :D
[2017-07-11 06:46:45] hdnes : suck at endianness
[2017-07-11 06:46:53] hdnes : but I think I got it correct
[2017-07-11 06:47:08] hdnes : with the generated checksum’s correct endianness also
[2017-07-11 07:12:15] opcode : yyy/ /yyy//lost+found /yyy//firmware /yyy//firmware/cnn_model.tar /yyy//firmware/cpld.fw /yyy//firmware/cpld01.fw /yyy//firmware/cpld02.fw /yyy//firmware/cpld03.fw /yyy//firmware/ma2155_sec.mvcmd /yyy//firmware/ma2155_sec.mvfc /yyy//firmware/ma2155_sec_dump.mvcmd /yyy//firmware/ma2155_sec_dump.mvfc seems like .crt is not present at P4P <https://dji-rev.slack.com/archives/C60KELF6H/p1499718329596215>
[2017-07-11 09:10:09] cs2000 : Amazing to see work still progressing on rooting. I may be a dumb windoze user, but only because it's required for my work :wink: I'm happy to crack out the max, or boot up into a Linux distro, but as I'm not a coder, I see no benefit to me rooting at this time. I'm looking/waiting for a windows version and I can test with that since it will also need debugging :wink:
[2017-07-11 09:53:07] bin4ry : @freaky123 @hostile, @err0r4o4 and me found the db encryption keys
[2017-07-11 10:00:00] cs2000 : What goodies does this unlock?
[2017-07-11 10:01:47] bin4ry : nfz db, geo geo1860
[2017-07-11 11:34:34] jan2642 : Wasn’t this already found ? There was a repo on github but I can’t seem to find it anymore.
[2017-07-11 11:35:36] hans112 : Yes, I remember that too. It was on @hostile’s GitHub I think ?
[2017-07-11 11:37:46] freaky123 : yeah a while back
[2017-07-11 11:38:18] hans112 : Is this the same ?
[2017-07-11 11:38:55] freaky123 : partly I think
[2017-07-11 11:39:06] freaky123 : sorry currently busy with other stuff
[2017-07-11 11:39:27] hans112 : No problem, just curious :)
[2017-07-11 12:18:59] the_lord : @jan2642 yes it was there but hostile made it private it was for the dji go nfz db
[2017-07-11 12:19:34] the_lord : the drone's db is not password protected but signed against the module 0905
[2017-07-11 12:20:36] jan2642 : Just out of curiosity, is the signature checked at runtime or only when upgrading ?
[2017-07-11 12:21:14] the_lord : generated on upgrading not sure if its checked at runtime
[2017-07-11 12:21:27] the_lord : but if they don't check it why are they signing it
[2017-07-11 12:21:46] the_lord : dji_flight deals with this DB
[2017-07-11 12:22:16] the_lord : i'm not an IDA guy for that i'm getting the info from the upgrade log
[2017-07-11 12:28:58] jan2642 : took a quick look, there are no references to signature verification in dji_flight so it seems the sig is only validated during upgrade.
[2017-07-11 12:37:29] hostile : <!here> I opened up the repo again
[2017-07-11 12:37:32] hostile : <https://github.com/MAVProxyUser/dji.nfzdb>
[2017-07-11 14:24:22] hotelzululima : forked :slightly_smiling_face:
[2017-07-11 14:24:47] vo : i’m standing right next to Brendan, lol. he is busy running some event
[2017-07-11 14:26:50] freaky123 : Brendan of DJI? @vo
[2017-07-11 14:27:19] vo : yeah lol. the Drone Advisory Committee is doing some “field research”
[2017-07-11 14:34:42] hostile : HAHAHAH
[2017-07-11 14:34:47] hostile : that means they are idling in our Slack
[2017-07-11 14:34:50] hostile : LOLOLOLOL
[2017-07-11 14:34:58] hostile : @vo tell him Kevin Said hi
[2017-07-11 14:35:05] hostile : we are actually amicable
[2017-07-11 14:35:18] hostile : ask him if he has his Department 13 challenge coin on him
[2017-07-11 14:35:23] hostile : ask if he will show it to you
[2017-07-11 14:36:18] err0r4o4 : wait, I'm grabbing some popcorn
[2017-07-11 14:36:46] hans112 : Can we get a video connection up and running ?
[2017-07-11 14:36:55] hans112 : @err0r4o4 hand me the cola please
[2017-07-11 14:37:10] vo : lol, yeah i mean Brendan actually thinks it’s cool that people are having fun with poking at the security flaws, he’s kinda on our side in a weird “but i still work for dji so i gotta do what they say” kinda way
[2017-07-11 14:38:22] hostile : he confirmed with me many times “I have NOT sent out any C&Ds” FWIW
[2017-07-11 14:38:32] hostile : almost implying he had no intent over the “hacking” as it were.
[2017-07-11 14:38:52] hostile : Jon Resnick actually to my face at AUVSI encouraged me to “keep breaking our stuff and poking around”
[2017-07-11 14:39:15] hostile : @vo are you in Town today?
[2017-07-11 14:39:22] hostile : I am in MD…. (I fly out at 8pm)
[2017-07-11 14:39:51] vo : yeah i’m in dc area
[2017-07-11 14:40:03] hostile : Can you make it to Columbia in a reasonable amount of time?
[2017-07-11 14:40:15] vo : jon is here too lol.
[2017-07-11 14:40:31] hostile : heh maybe I should come to your party with DJI!
[2017-07-11 14:40:32] hostile : :wink:
[2017-07-11 14:40:53] vo : @hostile nah they’re leaving after they fly the mavic
[2017-07-11 14:41:45] hostile : You should offer to root it for them via Red Herring
[2017-07-11 14:41:54] hostile : “do you guys need root?”
[2017-07-11 14:42:06] vo : if you are around DCA you can chill at my office, tons of robots and drones. you can see our drone crusher machine lol
[2017-07-11 14:42:43] cs2000 : drone crusher sounds scary!
[2017-07-11 14:43:31] vo : it’s not really a drone crusher, it’s a drone aircraft carrier, with robot arms. we’re still in testing mode so the thing sometimes crushes a quadcopter instead of what it’s supposed to do
[2017-07-11 14:44:02] vo : needs tuning.
[2017-07-11 14:44:30] hostile : @vo let me see if I can get out that way.. I have no vehicle ATM is biggest problem
[2017-07-11 14:45:39] vo : but thanks to rooting the mavic there’s a few interesting things i might be able to do now. NFZs were never a big deal to me but being able to control system level stuff, turn on and off sensors, reroute network packets, etc.
[2017-07-11 14:46:35] vo : one thing i really want to be able to do is control the mavic without the DJI controller in the loop at all
[2017-07-11 14:47:23] vo : e.g. kind of like the wifi-link approach but from a PC. and maybe 20+ mavics
[2017-07-11 14:49:14] martinbogo : vo : You're going to need the mavic's link .. at the very least, you will need one controller OR a replacement that is its equivalent.
[2017-07-11 14:49:36] martinbogo : vo : Unless you don't care to have any live control .. and everything is running waypoints or other pre-determined flight routines
[2017-07-11 14:52:06] jan2642 : Wouldn’t this be possible with a decent SDR once the protocol / modulation is understood ? The RC itself also uses an SDR AFAIK.
[2017-07-11 14:56:50] martinbogo : ... a very, very cautious "yeeeees.... but with a lot of work." you're better off rooting the RC, and using that to do your dirty work for you
[2017-07-11 14:57:58] hostile : @jan2642 the company I work for (at my day job) “mitigates” DJI aircraft via SDR… so yes is the short answer
[2017-07-11 14:59:30] jan2642 : That’s already done, @the_lord rooted the RC. ‘Only’ thing left is decoding the protocol (which is IP based according to p0v’s post)
[2017-07-11 15:05:19] hostile : and the modulation…
[2017-07-11 15:05:24] hostile : at the RF level
[2017-07-11 15:13:37] jan2642 : Given that it’s 2.4 GHz and the required throughput it’s probably based on wifi/LTE so OFDM is the likely candidate. Why invent something new if off-the-shelf stuff exists… It looks like they re-used the LeadCore Android BSP, one could assume that they use whatever the supplier of the SDR hardware provides.
[2017-07-11 15:18:09] vo : the mavic does have wifi and i am mostly interested in automated (no person in the loop) kind of operation, i figured there might be a way to get the mavic to stop complaining about the RC not being present
[2017-07-11 15:18:24] vo : that would be a minimal way of controlling the drone without the remote
[2017-07-11 16:17:36] hostile : @jan2642 the SDR manufacturer is german IIRC
[2017-07-11 16:17:37] hostile : ACP…
[2017-07-11 16:17:59] hostile : <http://www.newacp.ch>
[2017-07-11 16:28:40] jan2642 : @hostile ok, we have some native German speakers and you know a master in social engineering ;-)
[2017-07-11 16:56:17] bin4ry : i speak native german
[2017-07-11 16:56:27] bin4ry : and have a master of science in physics :wink:
[2017-07-11 16:56:39] bin4ry : but this website (ch domain) is swiss
[2017-07-11 17:01:11] hdnes : <https://github.com/hdnes/pyduml>
[2017-07-11 17:05:32] jayemdee : why dont you guys just include the payload (malicious tarball) as well ?
[2017-07-11 17:05:51] jayemdee : rather then assembling it on the local machine
[2017-07-11 17:06:51] hdnes : @the_lord, does that packet seem correct?
[2017-07-11 17:07:07] the_lord : i'm reading your code right now
[2017-07-11 17:07:10] jayemdee : and do i understand the exploit correctly that it's actually the NFZ update process on the drone which does the untar and overwrites the startup script with our appended shell script to start adb/etc
[2017-07-11 17:07:20] hdnes : 55 1A 04 B1 2A 28 6B 57 40 00 08 00 00 10 00 00 00 00 00 00 00 00 02 04 69 6D
[2017-07-11 17:07:25] hdnes : for a file size of 4069
[2017-07-11 17:08:12] hfman : I've been meaning to ask... what exactly does 'DUML' mean?
[2017-07-11 17:08:30] hdnes : redherring is using the NFZ update, this DUML exploit is using the firmware update
[2017-07-11 17:08:51] hdnes : DUML is DJI’s custom protocol at the lower levels
[2017-07-11 17:09:00] hdnes : that goes over raw usb to the drone
[2017-07-11 17:09:12] hfman : So it's some kind of serial protocol?
[2017-07-11 17:09:13] jayemdee : right but in both cases it's the update process which does the untar and delivers the payload
[2017-07-11 17:09:17] jayemdee : right ?
[2017-07-11 17:09:55] hdnes : correct that’s the idea
[2017-07-11 17:09:58] jayemdee : unpacks the tarball to the symlinked location
[2017-07-11 17:10:00] the_lord : DJI communicates DUML to their products over serial port
[2017-07-11 17:10:24] jayemdee : is it an acronym?
[2017-07-11 17:10:34] jayemdee : DUML
[2017-07-11 17:11:07] the_lord : i think they mean DJI Unified Modeling Language
[2017-07-11 17:11:53] jayemdee : ahh :slightly_smiling_face:
[2017-07-11 17:11:55] jayemdee : sounds legit
[2017-07-11 17:12:05] the_lord : this cheat sheet explains the structure of DUML <https://github.com/mefistotelis/phantom-firmware-tools/files/1100429/20170625_phantom3_message_cheatsheets.xlsx>
[2017-07-11 17:13:57] jayemdee : with the duml method, how is fireworks.tar placed on the drone fs and what method is used to get it there ?
[2017-07-11 17:14:02] jayemdee : thats not clear to me yet
[2017-07-11 17:14:16] the_lord : ftp
[2017-07-11 17:14:23] jayemdee : same location ?
[2017-07-11 17:14:27] jayemdee : as redherring?
[2017-07-11 17:14:43] the_lord : you copy it manually to ftp/upgrade/
[2017-07-11 17:15:03] jayemdee : i dont see any code in hdnes's python DUML to place it there
[2017-07-11 17:15:09] hdnes : I haven’t got there yet
[2017-07-11 17:15:11] hdnes : :wink:
[2017-07-11 17:15:20] hdnes : just finished writing the packet generation
[2017-07-11 17:15:23] jayemdee : ahhh i see so he is just referencing it in the existing code to calculate checksums ?
[2017-07-11 17:15:40] hdnes : correct
[2017-07-11 17:15:43] jayemdee : (sorry dont know why i am talking about you in third person since you are here)
[2017-07-11 17:15:49] jayemdee : lol
[2017-07-11 17:15:57] the_lord : calculating CRC and file size
[2017-07-11 17:16:09] jayemdee : right... got it :slightly_smiling_face:
[2017-07-11 17:16:32] jayemdee : does it matter what it's called when you put it in /upgrade
[2017-07-11 17:16:36] hdnes : Just wanted to walk the dog through @the_lord method using python and that was as far as I got last night
[2017-07-11 17:16:47] hdnes : yeah it’s got to be renamed
[2017-07-11 17:16:56] jayemdee : to?
[2017-07-11 17:17:05] hdnes : dji_system.bin
[2017-07-11 17:17:37] hdnes : I’ll probably have it working tonight so just watch for the code, unless you are savvy enough to take it from here and push me the rest
[2017-07-11 17:17:45] hdnes : I’m at work all day so….
[2017-07-11 17:18:22] jayemdee : nah i dont think i will have time to finish it but I like this approach much better
[2017-07-11 17:18:24] the_lord : @jayemdee <https://dji-rev.slack.com/files/the_lord/F67HE06TZ/thelord_dumlherring.txt>
[2017-07-11 17:18:25] jayemdee : it's more elegant
[2017-07-11 17:19:00] hdnes : likely to be more persistent that’s for sure
[2017-07-11 17:19:17] hdnes : I can’t get the Assistant approach to work on my machine
[2017-07-11 17:19:19] jayemdee : well it still relies on the tar bug
[2017-07-11 17:19:24] hdnes : hence why I’m working this angle
[2017-07-11 17:19:28] hdnes : correct
[2017-07-11 17:19:32] hdnes : but not on Ass
[2017-07-11 17:19:56] the_lord : on step three you should copy the dji_system.bin file to /ftp/upgrade then proceed with next steps
[2017-07-11 17:20:01] jayemdee : oh you mean for doing more than just getting root
[2017-07-11 17:20:59] jayemdee : regarding not relying on Ass i mean
[2017-07-11 17:21:00] the_lord : the tar bug still exists even with the latest FW
[2017-07-11 17:21:59] the_lord : i approached it this way as a beginning of the upgrade/downgrade without assistant
[2017-07-11 17:24:02] hfman : So you initiate the upgrade mode via serial... but then you simply have the ability to FTP to /upgrade ??
[2017-07-11 17:25:54] the_lord : the FTP is always there. you initiate the upgrade mode via serial, ftp the file to the drone OR rc, start the upgrade by serial. this is exactly what the assistant is doing
[2017-07-11 17:26:24] hfman : Ah, I see now...
[2017-07-11 17:26:32] hdnes : :smirk:
[2017-07-11 17:27:14] the_lord : one of the DUML commands enables the reporting so you can trace back the upgrade status from your application if you want
[2017-07-11 17:27:15] hdnes : @the_lord , you able to verify my crc and file size on that packet lines up with yours?
[2017-07-11 17:28:03] the_lord : by mistake i deleted my original tar file i'll copy it from the mac machine and test
[2017-07-11 17:28:52] the_lord : in the case of upgrade/downgrade its better to check the status but for rooting no need
[2017-07-11 17:29:23] hdnes : when you turn on reporting, how does it actually report it back to you?
[2017-07-11 17:29:57] hfman : @the_lord- I have goggles... what do I need to do to sniff the packets that are sent for goggles upgrade? Should probably add them into the mix.
[2017-07-11 17:30:55] the_lord : i have goggles but i didn't sniff its traffic yet
[2017-07-11 17:31:27] hfman : I take it you sniffed the USB traffic via wireshark?
[2017-07-11 17:32:18] the_lord : no
[2017-07-11 17:33:03] martinbogo : all hail the Bus Pirate :slightly_smiling_face:
[2017-07-11 17:34:11] hfman : Yeah... I hear that. I use a Xminilab for those kinds of things too.. it's pretty slick.
[2017-07-11 17:34:29] hdnes : cool!
[2017-07-11 17:35:10] the_lord : for me it's worth the $65
[2017-07-11 17:37:02] the_lord : you can install it free for 14 days IIRC
[2017-07-11 17:37:53] hfman : Looks like $165, not 65?
[2017-07-11 17:38:18] the_lord : i selected only the serial monitor
[2017-07-11 17:38:27] the_lord : without the life time upgrade
[2017-07-11 17:39:10] hfman : Ah, I see. Is it just straight RS-232 over USB?
[2017-07-11 17:39:17] hfman : (The DJI products)
[2017-07-11 17:39:18] the_lord : usb
[2017-07-11 17:39:35] the_lord : virtual serial port
[2017-07-11 17:39:54] hfman : Got it...
[2017-07-11 17:40:18] martinbogo : And it's a lot cheaper than a Saleae Logic Pro :slightly_smiling_face:
[2017-07-11 17:40:24] martinbogo : ( which does the same thing, and more )
[2017-07-11 17:43:40] hdnes : @hfman, not to get technical but you are mostly understanding it
[2017-07-11 17:52:53] martinbogo : By the way -- if anyone is getting into digital analysis ---
[2017-07-11 17:53:34] martinbogo : <http://www.ebay.com/itm/282379402993> ( DSlogic -- open source FPGA based analyzer )
[2017-07-11 18:11:44] jayemdee : @hdnes : just sat down and looking at your code again... at this point you are just assembling the packets you will send and calculating filesize and crc but there is no send of this data yet in the code, right?
[2017-07-11 18:12:14] hdnes : correct
[2017-07-11 18:12:37] hdnes : I’ve got the pyusb commands laying around in some other code, I just have to put it together tonight
[2017-07-11 18:13:05] jayemdee : so you are at step 4 basically ?
[2017-07-11 18:13:16] jayemdee : from the_lords little quick and dirty how to ?
[2017-07-11 18:13:44] jayemdee : or actually pre step 4 ?
[2017-07-11 18:13:57] jayemdee : next step is to send 551A04B12A2DEC2740000800YYYYYYYY0000000000000204XXXX
[2017-07-11 18:14:14] hdnes : correct
[2017-07-11 18:14:14] jayemdee : and then finally send 551E048A2A2D022840000A00AEDA7E27718A752E3B0E5C0F1744BBEB9960 to start the upgrade
[2017-07-11 18:14:30] hdnes : I’ve got all of the packets generated
[2017-07-11 18:14:31] jayemdee : ok just making sure i understood your progress :slightly_smiling_face:
[2017-07-11 18:14:43] jayemdee : nice work :slightly_smiling_face:
[2017-07-11 18:16:23] jayemdee : im still actually surprised its this complex to be honest
[2017-07-11 18:16:39] jayemdee : where is that magic USB packet POV claimed to exist
[2017-07-11 18:16:50] jayemdee : which fires up adb service
[2017-07-11 18:17:00] jayemdee : (i know i keep harping on this)
[2017-07-11 18:17:03] jayemdee : lol
[2017-07-11 18:17:09] hdnes : this isn’t the DUML to fire up ADB,
[2017-07-11 18:17:17] jayemdee : yes i know
[2017-07-11 18:17:19] hdnes : but it’s going to look very very similar to this
[2017-07-11 18:17:29] jayemdee : i mean im surprised its this complex to get shell access
[2017-07-11 18:18:16] jayemdee : this is a very roundabout method to achieve something which i believe there must be a much less complex method for to achieve the same thing
[2017-07-11 18:18:41] hdnes : oh for sure, but none of us have the engineer’s app that has the ADB enable button
[2017-07-11 18:18:47] jayemdee : hehe
[2017-07-11 18:18:51] hdnes : so we can’t sniff the magic ADB DUML packet
[2017-07-11 18:18:56] jayemdee : indeed :smile:
[2017-07-11 18:19:32] jayemdee : but we do have root access to the drone itself
[2017-07-11 18:19:46] jayemdee : no clues there ? at the receiving end ?
[2017-07-11 18:20:35] hdnes : I don’t currently have root so can’t say. My guess is there isn’t a human readable file that outlines their DUML protocol floating around on the drone
[2017-07-11 18:20:37] jayemdee : and why hasnt POV shared ?
[2017-07-11 18:21:00] jayemdee : someone found it apparently
[2017-07-11 18:21:13] jayemdee : why not make the info public domain ?
[2017-07-11 18:21:17] the_lord : it DOES exist and I don't think anyone who knows it will ever give it to anyone
[2017-07-11 18:21:42] hdnes : I’m not sure that he has
[2017-07-11 18:21:58] hdnes : his conversation last night was that he didn’t have an ADB packet I thought
[2017-07-11 18:22:00] jayemdee : how come? what am i missing ?
[2017-07-11 18:22:52] jayemdee : out of fear that DJI would change it ?
[2017-07-11 18:23:22] the_lord : as far as i know there are 2 or 3 persons who know it and will never give it to anybody. even this magic adb is not straightforward
[2017-07-11 18:23:22] jayemdee : hmmm...
[2017-07-11 18:23:52] the_lord : and it's not the same command for all drones, it is based on board SN and other stuff
[2017-07-11 18:24:24] the_lord : if they give it to the public DJI definitely will fix it the same day
[2017-07-11 18:24:55] jayemdee : ahhh i see
[2017-07-11 18:26:10] the_lord : for that @hostile thankfully gave us the RedHerring method to start our way inside the drone
[2017-07-11 18:26:32] jayemdee : but to be honest IMO...publicly stating that a packet can be sent to fire up adb with root permissions is the same as making public the command.... if DJI is reading they know they have been found out and will change it
[2017-07-11 18:27:26] hdnes : well of course they have that command? I don’t think anyone would have guessed that they wouldn’t have had it
[2017-07-11 18:27:38] the_lord : since P0V found the symlink till now DJI didn't fix it :slightly_smiling_face:
[2017-07-11 18:27:41] hdnes : but the process and actual packet keeps you from getting in
[2017-07-11 18:27:58] the_lord : don't waste your time looking for this magic adb unless you are an IDA expert
[2017-07-11 18:28:06] jayemdee : hehehe ok ok
[2017-07-11 18:29:16] the_lord : honestly i tried and gave up coz i'm not IDA expert and i'm sure the one who found it he spent many many days and nights to get it
[2017-07-11 18:29:39] jayemdee : ok point taken ill stop dreaming :slightly_smiling_face:
[2017-07-11 18:29:45] jayemdee : lol
[2017-07-11 18:34:14] hotelzululima : so voltage compatible with this stuff
[2017-07-11 18:36:06] jan2642 : I'm still looking (for the challenge) but when (if...) I find it I won't make it public for the same reasons.
[2017-07-11 18:38:00] martinbogo : **nopd**
[2017-07-11 18:39:09] hotelzululima : will try when back from NFZ location for bin4rys apk test
[2017-07-11 18:39:38] the_lord : you've been almost there :wink:
[2017-07-11 18:41:59] hotelzululima : @the_lord thanx for the excellent DUML cheatsheet
[2017-07-11 18:42:23] the_lord : most welcome
[2017-07-11 18:43:39] jan2642 : I know I am, I have all the bits and pieces, just need to find the trigger ;-) If only I had more time to spare, but I guess that counts for all of us.
[2017-07-11 18:45:09] the_lord : i know the concept but i don't know how to check the variables values in IDA
[2017-07-11 18:54:37] jan2642 : I'm using another tool, Hopper. Downside is that it can only deal with simple data structs. Maybe I should convert to IDA... I have 2 weeks of vacation coming up, we'll see...
[2017-07-11 19:12:04] hdnes : MD5 is now calculating
[2017-07-11 19:30:35] hdnes : where in the byte stream does it need to go and is it big or little endian?
[2017-07-11 19:31:07] hdnes : or I guess maybe we don’t know quite yet because we can’t verify with a hash of an actual .bin?
[2017-07-11 19:42:34] the_lord : i'm not sure about the md5sum yet as i couldn't replicate the md5 of the original file
[2017-07-11 19:42:43] the_lord : i need to repeat the test
[2017-07-11 19:45:41] hdnes : ok, let me know, should be pretty easy to insert in. How did you stumble onto the idea that it was the md5? or just a guess
[2017-07-11 19:46:00] the_lord : from the upgrade log
[2017-07-11 19:46:10] hdnes : ok
[2017-07-11 19:46:51] the_lord : DUSS&63[sys_event_finish_upgrade:1269]:: 0xa:ftp file /ftp/upgrade/dji_system.bin, file_size=122938880, info->img_size(122938880) DUSS&63[sys_event_finish_upgrade:1286]:: 0xa:path_use=2, type_use=4, data_store=1, info->recv_size(0), info->img_size(122938880) DUSS&63[sys_event_finish_upgrade:1336]:: 0xa:Md5sum check ok......
[2017-07-11 19:47:04] the_lord : this is from old upgrade log
[2017-07-11 19:48:15] hdnes : ok, I found where it goes in the sequence I think
[2017-07-11 19:48:35] the_lord : last command is the md5
[2017-07-11 19:48:49] hdnes : yeah, I mean exactly in the last packet
[2017-07-11 19:49:03] hdnes : I’ll write it up now.
[2017-07-11 19:49:15] hdnes : So how did you get yours to pass in general?
[2017-07-11 19:49:39] hdnes : just copied the packet from a good upgrade and it took the replayed packet
[2017-07-11 19:50:13] the_lord : yes from good upgrade
[2017-07-11 19:51:17] the_lord : for that i'm not sure if they are only checking the md5 of the DUML or not
[2017-07-11 19:52:52] hdnes : well I got it all working just now
[2017-07-11 19:53:14] hdnes : …meaning I got the md5 calculating and inserting into the packet with updated crc
[2017-07-11 19:54:29] the_lord : i'll test later as i have to leave now
[2017-07-11 22:57:55] diff : re: what is wrong with the adb file?
[2017-07-11 22:58:00] diff : they modified it extensively?
[2017-07-11 23:58:31] the_lord : @hdnes i just sniffed the upgrade twice and confirmed the last command contains the md5sum of the dji_system.bin and it's sent as is, not little endian. md5sum of the file 0F5DF69DFABFD0A2353694C573507469 sniffed command 551E048A2A288D3340000A00 0F5DF69DFABFD0A2353694C573507469 327A
[2017-07-11 23:59:01] hdnes : awesome, I’ll validate and push
[2017-07-12 00:02:42] hdnes : looks like it’s already correct as is
[2017-07-12 00:07:32] hdnes : the endianness doesn’t really jive logically in the code, but it’s producing the correct result so I’m leaving it
[2017-07-12 00:07:47] the_lord : but the weird thing is the dji_system.bin itself, it doesn't look like a standard tar file. each time i upgrade it generates a different file containing the same FW files
[2017-07-12 00:08:16] hdnes : so different file name, but same contents?
[2017-07-12 00:08:58] the_lord : same file name same FW files but the files are not identical and the header of the file is plain text
[2017-07-12 00:09:41] hdnes : interesting.. is that an efuses thing?
[2017-07-12 00:09:46] the_lord : as if there is a separator inserted between the FW files before they are joined in one file
[2017-07-12 00:22:26] the_lord : another weird thing is the assistant started the upgrade regardless of the battery percentage which was 5% :open_mouth:
[2017-07-12 00:23:59] hotelzululima : @the_lord did you have DJI battery turned on or off?
[2017-07-12 00:24:07] hotelzululima : ie the variable
[2017-07-12 00:24:19] hotelzululima : on the drone
[2017-07-12 00:26:01] the_lord : on
[2017-07-12 00:28:08] hdnes : is that the only difference? The section right after the header?
[2017-07-12 00:28:35] hdnes : might be a time stamp?
[2017-07-12 00:29:56] hdnes : @freaky123, is this some pseudo random efuses “ride-along” being sent in the firmware .bin?
[2017-07-12 00:31:07] the_lord : uploading the two files
[2017-07-12 00:31:14] hdnes : perfect
[2017-07-12 00:31:39] hdnes : I’m zero up to speed on efuses
[2017-07-12 00:32:20] hdnes : but at a minimum, we can get people with VM’s to share these bin files and we should be all set?
[2017-07-12 01:05:54] hdnes : @hostile, seems like all that’s required is tarring the sigs
[2017-07-12 01:06:18] the_lord : exactly
[2017-07-12 03:01:44] hfman : What do you need from the VMs? I made a .700 VM
[2017-07-12 03:09:39] the_lord : root your mavic then upgrade to .700 or refresh the FW and during the upgrade adb pull /ftp/upgrade/dji_system.bin c:\SOMEWHERE\dji_system.bin
[2017-07-12 03:09:53] the_lord : we need the dji_system.bin of the .700
[2017-07-12 03:10:25] the_lord : then we may be able to use it to upgrade/downgrade any mavic to .700 using DUML
[2017-07-12 03:10:48] the_lord : the dji_system.bin actually contains the FW sig files
[2017-07-12 03:13:14] hdnes : we might be able to .tar the sig files on @droner69's repo
[2017-07-12 03:13:28] hdnes : but getting the adb raw .bin of guys copters would be ideal
[2017-07-12 03:13:52] the_lord : nop @droner69 repo is missing the cfg file
[2017-07-12 03:14:13] the_lord : i already have all the files but original file is much better
[2017-07-12 03:14:41] hdnes : damn
[2017-07-12 03:14:57] hdnes : maybe @droner69 has the configs privately somewhere
[2017-07-12 03:15:31] hdnes : But @hfman, any .bin’s you can adb off would be great!
[2017-07-12 03:16:40] the_lord : i already have the cfg of 1.2.0810, 1.2.9, 1.3.2, 1.3.400, .500, .700, .800 and .900
[2017-07-12 03:17:19] hdnes : cool, does that mean we are all set then?
[2017-07-12 03:17:37] hdnes : at least for the cfg’s that match @droner69's .sigs
[2017-07-12 03:17:59] the_lord : as i said using original bin file is less risky than generated file by us
[2017-07-12 03:18:07] hdnes : true
[2017-07-12 03:18:36] the_lord : if no one is willing to get the original file at that time i'm ready to test the generated one
[2017-07-12 03:18:37] hdnes : but in a pinch …. I’m sure @hostile will brick one for the team
[2017-07-12 03:18:53] hdnes : :wink:
[2017-07-12 03:19:14] hostile : Happy to... I have two spare core boards
[2017-07-12 03:19:15] the_lord : i already bricked 2 mavic boards and 1 P4 and ready to brick another 3 mavics
[2017-07-12 03:19:23] hdnes : suck
[2017-07-12 03:19:24] hostile : Lolololol
[2017-07-12 03:19:34] hostile : For the revolution!
[2017-07-12 03:19:42] the_lord : but i'm saving them for more important stuff
[2017-07-12 03:55:51] hfman : I can get the original. I am already at .700, so all you need me to do is ftp it down, right?
[2017-07-12 03:58:51] hdnes : yeah, or adb
[2017-07-12 03:59:00] hfman : Okay, I'll work on it...
[2017-07-12 03:59:09] hdnes : if you adb it off you don’t have to unencrypt it
[2017-07-12 04:00:25] hfman : Ah, okay....
[2017-07-12 04:00:31] hfman : Where to put?
[2017-07-12 04:02:16] hdnes : you get it off?
[2017-07-12 04:02:39] hfman : Gotta get it rooted again, just getting setup to do that.
[2017-07-12 04:03:07] hdnes : well maybe the decrypted ftp route is the best then?
[2017-07-12 04:03:19] hdnes : don’t know what the shortest path might be
[2017-07-12 04:03:23] hdnes : I’ll let you sort that
[2017-07-12 04:03:26] hfman : Your choice, gotta root either way... will only take a sec.
[2017-07-12 04:03:31] hdnes : cool
[2017-07-12 04:03:36] hdnes : adb then
[2017-07-12 04:03:41] hfman : Roger that
[2017-07-12 04:12:33] hfman : Oh, crap, so I have to pull this off DURING the upgrade?
[2017-07-12 04:13:10] hfman : Because I've got it rooted, but don't see it right now...
[2017-07-12 04:13:10] timmytron : Like indiana jones stealing the golden idol statue.
[2017-07-12 04:13:30] hfman : (sorry, I'm dense sometimes...)
[2017-07-12 04:15:06] hdnes : so I’m not 100% sure, but @the_lord mentioned that the .bin file is left in the /upgrade folder after an update. I’m assuming you have at least updated once. Maybe it deletes after reboot?
[2017-07-12 04:15:27] hdnes : not sure exactly how long the .bin file stays in after the ftp putting it on the drone.
[2017-07-12 04:16:26] hfman : Right, this might be tricky. My VM is in Windows, and I've already proven that for whatever reason, I can only get adb to work in OSX. So somehow I need to switch to OSX after the refresh of the firmware I guess.
[2017-07-12 04:18:57] hdnes : hmm yeah, indiana jones that bitch
[2017-07-12 04:19:01] hdnes : ha don’t know
[2017-07-12 04:20:28] hfman : My vision driver doesn't install correctly normally, right now I have Win10 booted in unsigned driver mode, so it does install correctly. I wonder if having that driver installed correctly now will fix my ftp and adb problems in Win 10 (I doubt it, but who knows)
[2017-07-12 04:26:52] hfman : Yeah, it appears I can do adb work in Windows now.
[2017-07-12 04:27:57] hfman : BUT... the question is... I presume I have to unroot to do the upgrade/refresh procedure, but then I have to reboot to root... I may lose the dji_system.bin in the process (mavic may delete it on reboot)
[2017-07-12 04:29:49] hfman : Thoughts? Leave it rooted and try doing the refresh/upgrade? Don't want to brick this bitch.
[2017-07-12 04:30:53] hdnes : I’m not familiar enough to answer to be honest. I don’t think you’ll brick it by pushing legit firmware after root
[2017-07-12 04:32:10] hfman : No rush then at the moment? I may wait till morning, gotta turn in shortly. Work can be such a drag...
[2017-07-12 04:32:57] hdnes : same
[2017-07-12 04:33:01] hfman : I'd like to see if others can weigh in on the question.
[2017-07-12 04:33:37] hfman : All for jonesin this thing, but some things spook me.
[2017-07-12 04:33:58] timmytron : with all things I've rooted and reflashed in the past its always been safe to flash when rooted as all its doing is correcting what was changed in the first place.
[2017-07-12 04:35:00] hfman : Yeah, so the Mavic reboots a couple times during the upgrade. Won't I lose root if it does?
[2017-07-12 04:35:25] hfman : (I can leave herring in place of course, but just thinking out loud here)
[2017-07-12 04:35:50] timmytron : yeah, presumably if you're gonna lose anything it'll just be root
[2017-07-12 04:36:05] hfman : Yes, and if so, no way to adb pull any longer...
[2017-07-12 04:36:26] hfman : Seems like a catch22
[2017-07-12 04:36:34] timmytron : I guess that depends when it comes up and is available. If its generated earlier on through the flashing process it might be there to fish out prior to the first reboot
[2017-07-12 04:36:59] hfman : Timing might be critical...
[2017-07-12 04:37:16] timmytron : I'm no scientist, but you could try grabbing right after starting the flash. Yeah, timing will be critical and may take a bit of trial and error
[2017-07-12 04:37:36] hfman : Like maybe pull it right after it downloads? adb may not even respond at that point.
[2017-07-12 04:37:52] hfman : ...actually "uploads" is the correct term
[2017-07-12 04:38:13] timmytron : Right, I thought you were trying to retrieve something out of it.
[2017-07-12 04:38:38] hfman : Trying to get dji_system.bin right after Assistant sends it to the Mavic.
[2017-07-12 04:39:18] timmytron : Yeah, you want to extract that from the Mavic right after its landed to pry it open and eat all that juicy goo on the inside like a ripe berry.
[2017-07-12 04:39:51] timmytron : There's no harm in just trying over and over again is there? It's either gonna give you something or come up empty right?
[2017-07-12 04:40:33] hfman : Maybe. Just a bit worried about stepping into uncharted territory.
[2017-07-12 04:41:23] timmytron : Hah, you're already balls deep in it imho. I'm happy to risk my Mavic because I'll just buy a new one if I break it, but you're the guy with that .700 fw. Not me.
[2017-07-12 04:41:35] hfman : Yep.
[2017-07-12 04:42:56] hfman : Other issue is, the VM doesn't have any ADB tools
[2017-07-12 04:43:34] hfman : Have to think about this, the logistics of how to make this all work.
[2017-07-12 05:05:35] timmytron : surely you can just install an ADB tool on there
[2017-07-12 05:07:11] hdnes : yeah not 100% sure
[2017-07-12 05:33:00] hfman : Yes, I can install an ADB tool, but it has to be when the Mavic is connected...
[2017-07-12 05:34:55] hfman : @the_lord - let me know what your thoughts are when you get back. Specifically, at what point can I pull the dji_system.bin, and when do you think it will get deleted. My VM has limited tools, and not sure how long that .bin will exist after it is pushed to the Mavic.
[2017-07-12 06:12:37] jan2642 : Hostile posted this a while back, it should safely copy the update to a persistent place.
[2017-07-12 06:15:53] hdnes : Solid move @jan2642 @hostile
[2017-07-12 07:22:07] hostile : Try Minimal Fastboot & ADB package ... <https://forum.xda-developers.com/showthread.php?t=2317790>
[2017-07-12 13:26:02] jayemdee : @hdnes I did a little work on your pyduml
[2017-07-12 13:40:35] the_lord : i thought maybe @hfman doesn't want to run anything from his drone for that i suggested adb pull
[2017-07-12 13:43:24] the_lord : @hfman as you know the upgrade/refresh process is as follows: downloading 0 -> 100%, transmitting 0 -> 100%, upgrading 0 -> 100%. Once the upgrading has started you can adb pull the dji_system.bin and yes, after completing the upgrade you will lose the root, which is not a big deal as you can root back easily
[2017-07-12 13:57:37] hfman : Got it... I'll work on that a bit later this morning...
[2017-07-12 13:58:32] the_lord : thanks
[2017-07-12 13:59:22] the_lord : best time to pull the bin file is at the beginning of the upgrading process
[2017-07-12 13:59:54] the_lord : the bin file is more than 100 MB
[2017-07-12 14:00:34] hfman : And presumably adb_pull can still run in a telnet session while the upgrade is underway?
[2017-07-12 14:02:04] the_lord : not telnet from terminal you just run adb pull /ftp/upgrade/dji_system.bin c:\ANY FOLDER/dji_system.bin
[2017-07-12 14:02:43] hfman : Ah, right.. just starting the first cup of java, brain not engaged yet.
[2017-07-12 14:03:45] jayemdee : @hdness <https://github.com/AnnihilaT/pyduml/blob/master/pyduml.py>
[2017-07-12 14:03:52] hfman : I tested making sure I have access to adb tools on a USB stick from within my VM, along with Putty.
[2017-07-12 14:03:57] jayemdee : dont know if you want to implement any of that
[2017-07-12 14:07:38] jayemdee : at the moment it depends on having installed Assistant for the RNDIS ftp upload parts or that on a linux box you do a #modprobe rndis_host; ifconfig usb0 192.168.42.1 up
[2017-07-12 14:22:56] hdnes : I think the optimal solution would be to use pyusb and avoid relying on Assistant as much as possible. Great work.
[2017-07-12 14:24:25] jayemdee : yes i agree thats where we want to end up for sure
[2017-07-12 14:27:25] jayemdee : we can just change upload_tarball() function to do it with pyusb when ready
[2017-07-12 14:27:57] jayemdee : what happens if i enter upgrade mode and reporting and then reboot it ?
[2017-07-12 14:28:29] jayemdee : can i test any parts of this without worrying about bricking a drone ?
[2017-07-12 14:28:37] jayemdee : any of the packet sending i mean ?
[2017-07-12 14:29:51] the_lord : why do you want to send them? if you didn't copy the bin file to the drone you can send any command of them safely
[2017-07-12 14:43:06] jayemdee : ok nice
[2017-07-12 14:43:29] jayemdee : well i want to test if pyusb code to send the packets is working ?
[2017-07-12 14:45:45] the_lord : ahh i see good luck
[2017-07-12 15:00:43] andyca57 : good morning, question: i got the firmware for the p4pro thanks to cs2000 but it is a total of 22 files, not sure how to load it to assistant2 or compile it to a .bin file, any assistance i would appreciate or a web link on how to would be great ...thanks
[2017-07-12 15:02:16] andyca57 : due to all firmware being removed from dji servers i want to have a backup thank you
[2017-07-12 15:03:33] andyca57 : is Firmware 01.03.0509
[2017-07-12 15:04:53] opcode : good afternoon. :slightly_smiling_face: there is no "manual" way right now to load FW offline to the bird. Keep the Backup and see what the future brings.
[2017-07-12 15:05:59] hostile : @jayemdee "at the moment it depends on having installed Assistant for the RNDIS ftp" fwiw... HoRNDIS is NOT a DJI product... and can be installed standalone sans assistant.
[2017-07-12 15:06:13] hostile : and other OS's have their own NDIS support as you noted above re usb0
[2017-07-12 15:06:40] hostile : This is the OSX driver... <http://joshuawise.com/horndis>
[2017-07-12 15:06:57] andyca57 : opcode thank you
[2017-07-12 15:07:20] opcode : np
[2017-07-12 15:08:24] the_lord : currently we are testing the manual way to upgrade/downgrade so as opcode said keep them safe definitely we will need them
[2017-07-12 15:09:03] opcode : @the_lord if you need I2 backups for testing, give me a shout.
[2017-07-12 15:09:31] the_lord : thank you
[2017-07-12 15:10:24] the_lord : i don't dare to send manual commands to I2 as its not mine :slightly_smiling_face: and i can't afford it :sweat_smile:
[2017-07-12 15:11:43] opcode : hehe, its a beast of a machine. but who knows if we need the backups to compare Mavic, P4, P4P, I2 etc ...
[2017-07-12 15:14:29] hostile : make sure you have DJI Care on that shit ! lol
[2017-07-12 15:15:42] opcode : haha, ive got a local insurance, which even covers flyaways. :slightly_smiling_face:
[2017-07-12 15:28:56] dreadwing007 : State Farm?
[2017-07-12 15:29:29] dreadwing007 : Was looking into the insurance option but wasn't sure how many of your drones it covers and how they determine replacements
[2017-07-12 15:31:19] martinbogo : I have AIG : <https://www.aig.com/business/insurance/specialty/unmanned-aircraft-system>
[2017-07-12 15:33:30] opcode : No, im from Europe. In the last 2 Years a lot of Drone Insurances emerged, especially for Pro Users. Really affordable.
[2017-07-12 15:34:12] dreadwing007 : @martinbogo I'll check that out, what do they charge per year and does it cover full replacement?
[2017-07-12 15:42:38] martinbogo : Covers full LIABILITY and replacement ... it's not cheap.
[2017-07-12 15:42:43] martinbogo : There's cheaper insurance out there :slightly_smiling_face:
[2017-07-12 15:43:07] martinbogo : I have ~$2M coverage, which is what's required for a commercial drone operator
[2017-07-12 15:43:24] martinbogo : required/required for the contracts I fly
[2017-07-12 15:43:54] andyca57 : 2 mil wow
[2017-07-12 15:46:11] andyca57 : question who is the closest competitor to DJI in the drone market
[2017-07-12 15:46:19] martinbogo : Walkera?
[2017-07-12 15:46:26] martinbogo : PArrot?
[2017-07-12 15:46:44] martinbogo : Although for sheer output, EHang
[2017-07-12 15:46:54] martinbogo : and EHang is working on things like sky taxis ( heh )
[2017-07-12 15:47:26] the_lord : i tested all these brands quality wise nothing comparable to DJI
[2017-07-12 15:47:49] martinbogo : ehang is also neck-and-neck with Intel in the "sky drone light show" swarm space -- they launched a 1000 drone show last year, and this year followed up with a 2000 drone swarm
[2017-07-12 15:48:00] the_lord : EHang if they pay me 100 Billion i will not try their taxi
[2017-07-12 15:51:26] martinbogo : Heh.
[2017-07-12 15:52:45] martinbogo : EHang real-world flight testing is taking place -- <https://www.youtube.com/watch?v=FTLoN2zthuw>
[2017-07-12 15:53:02] martinbogo : The thing looks stable, and has all the avionics you'd expect in a modern airplane/helicopter
[2017-07-12 15:53:15] andyca57 : wow a 1000 drones i hate to be the one to maintenances
[2017-07-12 15:53:31] martinbogo : It can sustain up to two motor failures, on any two motors ( including both on the same arm )
[2017-07-12 15:55:20] hfman : So update report... root on the mavic interferes with the upgrade in the VM. The VM won't reconnect to the rooted Mavic. I'll have to play around with different flavors of rooting. Suspect having adbd might have something to do with it.
[2017-07-12 15:56:34] dreadwing007 : I'm going to check with State Farm as they seem cheap for the normal drone operator .)
[2017-07-12 15:56:40] the_lord : fake and no human inside
[2017-07-12 15:56:47] martinbogo : @dreadwing007 I nearly went with them ... great company
[2017-07-12 15:57:06] martinbogo : @hfman : After reboot, did you remember to bring up the interface?
[2017-07-12 15:57:31] the_lord : physically not possible to balance if two motors on the same arm
[2017-07-12 15:58:47] the_lord : ok guys i couldn't wait to receive original bin file and tried to upgrade from 1.03.0500 to 1.03.0700 using my generated bin file but it failed due to cfg file signing
[2017-07-12 15:59:17] hfman : Bring up what interface?
[2017-07-12 15:59:49] hfman : @the_lord ... did that cause any bricking?
[2017-07-12 15:59:57] the_lord : nop
[2017-07-12 16:00:19] the_lord : simply aborted the upgrade by itself
[2017-07-12 16:00:42] hfman : That's good.
[2017-07-12 16:01:03] hostile : MIT has a maple leaf algo tho...
[2017-07-12 16:01:31] hostile : can spin with control... human inside would likely get realllllly fucking sick before a hard landing
[2017-07-12 16:02:35] hostile : and yes... actually... @the_lord it turns into a Y6 if they blow two motors... they'd have to change the mixing algorithm on the fly in a failsafe attempt
[2017-07-12 16:02:46] hostile : if they blow a 3rd motor... they'd have no yaw control
[2017-07-12 16:03:06] hostile : NONE of these scenarios I want to play out while I am in one. lol
[2017-07-12 16:03:48] hostile : the X8 -> X6 failsafe algorithm would be impressive, I suspect vaporware tho @martinbogo (having fucked with flight code at that level myself)
[2017-07-12 16:04:19] hostile : maybe a ninja like @freaky123 could pull that off, but not me in OpenPIlot land! =]
[2017-07-12 16:04:43] hostile : I'm sure @hotelzululima would have some commentary in this line...
[2017-07-12 16:05:34] the_lord : still the weight balance is not possible even with Y6 since the motors layout is X shape and not Y
[2017-07-12 16:06:15] hostile : @hfman ADB shouldn't stop the connection. Although I did note on OSX... multiple /dev/tty device nodes were created during exploitation; at one point I had 177 devices from a long night of dev =]
[2017-07-12 16:06:32] hostile : is this a P4 by chance @hfman ? cuz they can be picky on the USB -&gt; Assistant connect
[2017-07-12 16:06:49] hostile : I have one at the office that refuses to talk to Assistant post rooting as well, where as others don't care.
[2017-07-12 16:06:51] hfman : It doesn't stop the connection... just Asst2 refuses to "see" the mavic to proceed with upgrade with root on the Mavic.
[2017-07-12 16:06:54] hostile : try "adb stop" ?
[2017-07-12 16:07:08] hostile : or "stop adb" what ever the command is. kill -9 the process ?
[2017-07-12 16:07:17] hfman : On the mavic?
[2017-07-12 16:07:19] hostile : yeah
[2017-07-12 16:07:33] hfman : Yeah, I could try that... hang on...
[2017-07-12 16:08:05] hostile : in theory... DJI could be doing nasty shit too
[2017-07-12 16:08:10] hostile : we've not yet **nulled** the http and https connections in full for Assistant
[2017-07-12 16:08:22] hostile : some are made via IP, and others via DNS entry
[2017-07-12 16:08:24] hfman : Crap, gotta re-root. I unrooted it to confirm the VM was still working correctly.
[2017-07-12 16:09:01] hfman : In my VM, network is disabled (but I'll have to re-enable it ultimately to telnet in...)
[2017-07-12 16:09:27] hostile : I got this for example over July 4th weekend...
[2017-07-12 16:09:50] martinbogo : It is the maple leaf alg that is used when two motors are out.
[2017-07-12 16:09:58] hostile : we need to eventually eyeball the Assistant chattyness too
[2017-07-12 16:10:01] martinbogo : The goal is to land, passenger alive. That's it
[2017-07-12 16:10:14] hfman : I've seen at least one other person report that dialog
[2017-07-12 16:10:26] hostile : They could actually pull **control** if they reverted to Y6 mode
[2017-07-12 16:10:32] opcode : account-api ... hmmm ...
[2017-07-12 16:10:43] hostile : wouldn't get nasty till that yaw loss on a 3rd motor outage
[2017-07-12 16:11:12] martinbogo : @hostile : Very likely .. but in the safety video I saw recently, they showed a slow corkscrew-to-ground
[2017-07-12 16:11:31] hostile : I put a LOT of time and money into y6 research for OpenPIlot
[2017-07-12 16:11:32] hostile : <https://www.youtube.com/watch?v=BtFUVq5ILzE>
[2017-07-12 16:11:45] martinbogo : I think that their limitation may be the fundamental one that we all have to deal with -- current limitations to the motors.
[2017-07-12 16:11:46] hostile : The ChupaCabra was sick as fuck!
[2017-07-12 16:12:34] the_lord : the cfg file i used was corrupted i need to pull another file and try again
[2017-07-12 16:12:34] martinbogo : @hostile : Same here :slightly_smiling_face: I 'm sure they =could= pull off control. In my opinion, they went with the slow rotation due to design limits on their motor controllers.
[2017-07-12 16:12:43] martinbogo : Yeah, it was.
[2017-07-12 16:13:42] martinbogo : Real, but no human.
[2017-07-12 16:13:48] hans112 : Block it won't work I guess ? It pulls something online before it starts... I might check ws or fiddler later tonight to see what it does
[2017-07-12 16:14:47] martinbogo : I've seen the ehang 184 fly .. they have been doing test flights at a flight range here in TX
[2017-07-12 16:17:53] hostile : <https://github.com/SasquatchLabs/Chubracabara>
[2017-07-12 16:25:32] hostile : yeah this would be how you spoof the login for Assistant I suspect. =]
[2017-07-12 16:31:53] hans112 : ;)
[2017-07-12 16:33:01] hfman : SWEET
[2017-07-12 16:41:25] hotelzululima : @the_lord you have a .700 upgrade working ?? Fantastic!!
[2017-07-12 16:41:37] the_lord : still in progress
[2017-07-12 16:41:54] the_lord : but yes all indications seem it's working
[2017-07-12 16:42:56] the_lord : since the signed files were unsigned and extracted to cache that means my bin file passed all dji verification
[2017-07-12 16:43:01] hotelzululima : waiting waiting waiting.. evryone on pins and needles!!
[2017-07-12 16:45:19] martinbogo : Oh! Thread re-appeared :slightly_smiling_face:
[2017-07-12 16:45:47] martinbogo : @the_lord : Damn .. well done
[2017-07-12 16:46:30] hans112 : Drums....
[2017-07-12 17:05:15] hfman : Well- success after complete?
[2017-07-12 17:10:25] hans112 : Still drums....
[2017-07-12 17:11:35] dreadwing007 : lol
[2017-07-12 17:20:48] the_lord : the board i was testing on already does not upgrade properly even with assistant, i just wanted to confirm the bin file is working correctly. now i'm upgrading a real Mavic to 1.03.0900 then will try downgrading it to 1.03.0700 using my bin
[2017-07-12 17:21:06] jayemdee : 2 questions... 1) has anyone discovered any major differences between the dji startup scripts for different firmwares that would break/brick anything if the right one isn't used (ie. startup script from 0400 is used in a 0700 install) 2) can someone send me a pre-made fireworks .tar
[2017-07-12 17:22:05] hans112 : Still drums ;) would be nice if it works !
[2017-07-12 17:32:52] hostile : Spark startup script did not work on Mavic for me... is best example I can provide
[2017-07-12 17:34:10] jayemdee : does this tarball look right ?
[2017-07-12 17:34:35] hostile : pushing one to the repo for you now
[2017-07-12 17:34:57] hostile : [master ba2144c] Add fireworks.tar to repo for jaydee
[2017-07-12 17:35:11] jayemdee : [root@godfather pyduml] :slightly_smiling_face: # tar -tvf dji_system.bin -rw-r--r-- root/root 43 2017-07-12 18:09 n0day.txt lrwxrwxrwx root/root 0 2017-07-12 18:20 symlink -> /system/bin/start_dji_system.sh -rwxr-xr-x root/root 9460 2017-07-12 18:24 symlink/start_dji_system.sh
[2017-07-12 17:35:17] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/raw/master/fireworks.tar>
[2017-07-12 17:35:23] jayemdee : oh thank you ! :slightly_smiling_face:
[2017-07-12 17:35:52] hostile : the grep technique is **safer** than overwriting start_dji_system.sh for now
[2017-07-12 17:36:01] hostile : if you fuck that script up... you get a brick
[2017-07-12 17:36:07] hostile : and we have no way to repair ATM
[2017-07-12 17:36:19] hostile : it won't even talk to Assistant if you fuck up start_dji_system.sh
[2017-07-12 17:36:23] jayemdee : can you explain how the grep system works ?
[2017-07-12 17:36:26] jayemdee : in a few words
[2017-07-12 17:37:10] hostile : "~" translates to $HOME and $HOME is set to /data in dji_start_system.sh, fucking Rube Goldberg machine
[2017-07-12 17:41:13] jayemdee : ok guess i need more words than that :slightly_smiling_face:
[2017-07-12 17:41:26] jayemdee : are you overwriting the grep binary ?
[2017-07-12 17:41:53] jayemdee : with the contents of this -> <https://github.com/MAVProxyUser/P0VsRedHerring/blob/master/grep>
[2017-07-12 17:42:25] hfman : No, the new grep is in the path for other scripts to pick up
[2017-07-12 17:42:28] jayemdee : or you are dropping a chmod +x grep in /data/.bin
[2017-07-12 17:42:34] hfman : (Namely, the adb start script)
[2017-07-12 17:43:27] hfman : You are correct... is dropping a new grep in /data/.bin - that is our magic file.
[2017-07-12 17:44:21] jayemdee : aha :slightly_smiling_face: clever :slightly_smiling_face: i get it now :slightly_smiling_face:
[2017-07-12 17:44:41] hfman : DJI could close that path by reversing the order at which they add dirs to the path.
[2017-07-12 17:44:47] jayemdee : indeed
[2017-07-12 17:44:50] hostile : yeah and they will
[2017-07-12 17:44:53] hfman : Yep
[2017-07-12 17:44:54] hostile : so prep for it
[2017-07-12 17:44:57] jayemdee : but putting our evil grep first in the path
[2017-07-12 17:44:59] hostile : and get your other exploits ready :wink:
[2017-07-12 17:45:01] jayemdee : doesnt break anything else ?
[2017-07-12 17:45:04] hostile : nope
[2017-07-12 17:46:53] hans112 : If the evil grep is in place, would a fix by reversing the order still work for DJI.?
[2017-07-12 17:47:37] hostile : I'm not going to discuss fixing it any further
[2017-07-12 17:47:41] hostile : and I suggest you all not speculate
[2017-07-12 17:47:47] hostile : we don't know who is here and I've already said enough
[2017-07-12 17:47:50] hostile : let it fester
[2017-07-12 17:47:54] jayemdee : :smile:
[2017-07-12 17:48:05] hostile : don't worry about the semantics of it... just abuse it till it gets closed.
[2017-07-12 17:48:28] hostile : =]
[2017-07-12 17:48:37] hans112 : Hehehehe
[2017-07-12 17:49:10] hostile : #nomorefreebugs lol
[2017-07-12 17:49:11] hostile : <https://threatpost.com/no-more-free-bugs-software-vendors-032309/72484/>
[2017-07-12 17:49:29] jayemdee : lol
[2017-07-12 17:49:32] jayemdee : hear hear !
[2017-07-12 17:51:00] hans112 : :joy: :joy: :joy:
[2017-07-12 17:54:31] the_lord : I DID IT :muscle:
[2017-07-12 17:54:35] hans112 : Nice :D
[2017-07-12 17:54:39] hans112 : Well done, good news
[2017-07-12 17:55:13] jayemdee : :+1:
[2017-07-12 17:55:17] hans112 : Gives less dependence on assistant :)
[2017-07-12 17:55:20] jayemdee : nice job!
[2017-07-12 17:55:25] the_lord : now i can crash my flying mavic without worrying about the FW :joy:
[2017-07-12 17:55:25] hfman : Very nice @the_lord - you done well. So you can confirm we no longer need dji_system.bin ?
[2017-07-12 17:56:11] hdnes : Solid work brother, I’ll sync with you later tonight to codify the process in python
[2017-07-12 17:56:13] the_lord : yes me personally i don't need it
[2017-07-12 18:00:12] hotelzululima : fucking YAY!! Congratulations @the_lord
[2017-07-12 18:00:23] vk2fro : Nice work!!
[2017-07-12 18:07:33] samuelson : Amazing work. Well above my head!
[2017-07-12 18:18:46] kilrah : Awesome! Do we have all cfg files now? A bunch were missing
[2017-07-12 18:19:52] the_lord : i have everything needed for the mavic and i think i can arrange some P4p and I2 beloved versions
[2017-07-12 18:21:03] kilrah : cool
[2017-07-12 18:27:00] dreadwing007 : That's going to be extremely useful. I am having an I2 shipped so have no idea of the FW it will have installed.
[2017-07-12 18:42:30] mavicbreak : @the_lord very nice thank you!
[2017-07-12 19:04:08] opcode : @the_lord Great work! P4P and I2 Versions would be great.
[2017-07-12 19:18:21] nickmv : holy shit
[2017-07-12 19:18:29] nickmv : nice work on the FW flash
[2017-07-12 19:18:41] the_lord : thanks in first place to @freaky123 and @hostile for the root which helped a lot in tracing the upgrade process
[2017-07-12 19:19:17] nickmv : @the_lord do we have the key to decrypt/unpack the files for any firmware and flash, or was that specific to 700?
[2017-07-12 19:19:57] hostile : Yeah Lord you were the first person we **handed** root to IIRC.
[2017-07-12 19:20:23] hostile : I should share the r00t_pipe.sh tools I used to pipe you out to my server.
[2017-07-12 19:20:29] the_lord : but still i don't know how did you do it :joy:
[2017-07-12 19:20:33] hostile : =]
[2017-07-12 19:20:47] hostile : and thank you for respectfully never capturing the DUML as well
[2017-07-12 19:21:52] the_lord : @nickmv no keys required in this process
[2017-07-12 19:22:11] samd12 : You freaking guys are amazing!!!!
[2017-07-12 19:22:13] the_lord : if you have the cfg and sig files of the FW you can do it
[2017-07-12 19:22:18] nickmv : and any FW?
[2017-07-12 19:22:46] mavicbreak : @the_lord I have a VM .700 but i am very excited about this downgrade option. I am not an expert but in python, ruby and android but I read a lot and at the weekend I will try if I can get root to mavic. Eventually I spent some time to sanitize my VM almost every sensitive data including the user account is wiped out so its ready to share. But if your method works most probably VM is already the past :)
[2017-07-12 19:22:50] the_lord : yes it should work with any FW but i didn't test as i only have mavic for testing
[2017-07-12 19:23:22] nickmv : thats incredible man
[2017-07-12 19:24:39] nickmv : id love to get on 900FW with latest 4.1.3 modded apk with NFZ disabled
[2017-07-12 19:24:46] nickmv : that'd be picture-perfect scenario
[2017-07-12 19:25:34] the_lord : while studying the upgrade process i noticed things related to NFZ so i'm planning to find a way to disable NFZ on any FW
[2017-07-12 19:28:01] kilrah : wow
[2017-07-12 19:33:20] kilrah : we can grab the .cfg's we're missing from the aircraft ftp and decrypt them with @hostile 's dji_ftpd_descrambler.py right?
[2017-07-12 19:33:53] mavicbreak : bin4ry made some apk-s today with nfz disabled (4.1.3) If they work @nickmv your problem is gone.
[2017-07-12 19:34:46] nickmv : yeah i need someone with 900 to confirm NFZ disablement is done
[2017-07-12 19:35:07] nickmv : i know @teamdollyllama and a few others were testing it
[2017-07-12 19:35:15] nickmv : @hotelzululima as well, i believe
[2017-07-12 19:56:33] hfman : So @the_lord , I did manage to grab dji_system.bin as part of the .700 upgrade. It definitely gets wiped out after the upgrade is finished. But I grabbed it and put it into a safe place.
[2017-07-12 19:57:01] hfman : Oh, and my root didn't get wiped out... still there after the upgrade.
[2017-07-12 19:58:24] hostile : nice some upgrades kill dji_start_system.sh
[2017-07-12 19:58:27] hostile : are you grep rooted?
[2017-07-12 19:58:30] hostile : that should persist
[2017-07-12 19:58:34] hfman : I am...
[2017-07-12 19:58:40] hostile : niiiiiiiiiiice
[2017-07-12 19:58:56] hfman : ...and as found earlier, can't have adbd running on the Mavic when doing the VM suspended upgrade.
[2017-07-12 19:59:08] hostile : whoot
[2017-07-12 20:04:11] hfman : I think the reason adbd running interferes is because the VM has to install additional drivers when it comes up... adbd was not running when I built this VM. Maybe installing those other drivers borks Assistant2 and it doesn't 'see' the Mavic anymore while in the wait.
[2017-07-12 20:06:01] ender : Hi guys, i have been out of the loop and will be for a few more days as i need to work on a device for a real world job that we only have for 10 days :disappointed: I assume there are still only “you need to think and read up” ways to root yet, right ? (Spark). No housewives version ? :wink:
[2017-07-12 20:06:29] ender : @the_lord GREAT news about downgrading !!!!!
[2017-07-12 20:06:43] hfman : It's all in RedHerring...
[2017-07-12 20:14:38] ender : whats the current difficulty from 1 to 10 (1 = iPhone using IT girl, 5 = c++ coder w/o hacking abilities, 10 & freaky, hostile, th_lord, …) ? :wink:
[2017-07-12 20:14:42] ender : 9 ?
[2017-07-12 20:17:12] hostile : @ender the literal one liner is "ruby RedHerring.rb /data/.bin/grep grep" with latest repo. THAT is the housewives version... I removed the riddle of "find your own easter eggs" by dropping the mksh -> mkshrc PATH vulnerability.
[2017-07-12 20:17:37] hostile : aka the "grep" technique
[2017-07-12 20:18:46] ender : sounds great !
[2017-07-12 20:19:44] ender : crossread about the grep method but wasnt 100% on the implications :wink:
[2017-07-12 22:18:55] hostile : @freaky123 I feel like that ADB block ala Assistant is new... I don't recall that at all.
[2017-07-12 22:19:00] hostile : do you?
[2017-07-12 22:20:56] hfman : Are you talking about my experience with VM upgrade?
[2017-07-12 22:21:14] hostile : it is happening to me now outside of a VM in my native OSX
[2017-07-12 22:21:22] hostile : and I don't recall having an issue using them simultaneously before
[2017-07-12 22:21:46] hostile : I could just be insane, sleep deprived, etc.
[2017-07-12 22:21:56] hfman : Meaning, you can't do anything with Assistant if ADB is running on Mavic?
[2017-07-12 22:22:02] hostile : yes
[2017-07-12 22:22:07] hostile : it won't connect...
[2017-07-12 22:22:17] ms30250 : this stuff is so far above my head. Been trying to follow for almost a week
[2017-07-12 22:22:20] hostile : the little USB icon never shows the connection animation, nor the drone.
[2017-07-12 22:22:31] hostile : it will come to you in due time MS
[2017-07-12 22:22:37] ms30250 : Is there somewhere i should look to get a hi level of the workflow
[2017-07-12 22:22:48] hostile : the source code
[2017-07-12 22:23:00] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/blob/master/RedHerring.rb>
[2017-07-12 22:23:05] hostile : this is extremely verbose...
[2017-07-12 22:24:02] ms30250 : I assume that is a script that invokes other scripts ?
[2017-07-12 22:24:13] hostile : read the source...
[2017-07-12 22:24:58] ms30250 : k
[2017-07-12 22:25:03] ms30250 : ill be back....
[2017-07-12 22:25:10] hostile : SOO weird @hfman ... I JUST got it working again
[2017-07-12 22:25:23] hostile : I have no rhyme or reason
[2017-07-12 22:25:37] hostile : but it definitely was telling me to fuck off for a bit
[2017-07-12 22:25:51] hfman : So what workflow was busted? Just trying to connect Asst2 to Mavic? Or trying to do a firmware upgrade with Asst2?
[2017-07-12 22:26:17] hostile : for me often IF adb shell was running, Assistant flat out was not connecting to my Spark
[2017-07-12 22:26:26] hostile : couldn't even get to upgrade screen
[2017-07-12 22:26:46] hfman : With a normal, non-beta Asst?
[2017-07-12 22:26:55] hostile : yeh
[2017-07-12 22:27:05] hostile : I have never used this Beta everyone is talking about
[2017-07-12 22:27:12] hfman : ...and logged in to Asst right?
[2017-07-12 22:27:13] hostile : I don't even know the source of it
[2017-07-12 22:27:16] hostile : yup
[2017-07-12 22:27:52] hfman : Maybe the spark just didn't get connected up right or something.
[2017-07-12 22:28:32] hfman : For me it can be a bit hit or miss on the VMs, as I have control in realtime over which USB devices get handed to the VM
[2017-07-12 22:28:53] hfman : But I don't think I've seen it misbehave natively
[2017-07-12 22:29:30] hfman : Could be that Asst2 is hitting mother ship servers somewhere, and they are playing around with techniques on the mother ship.
[2017-07-12 22:30:52] hfman : I've no doubt they are watching closely, looking for ways to close the holes without forcing an upgrade.
[2017-07-12 22:31:17] hostile : some poor sap has their job cut out for them
[2017-07-12 22:39:36] jezzab : adb doesnt persist after reboot on my P4.
[2017-07-12 22:41:24] hostile : read the grep script...
[2017-07-12 22:41:30] hostile : you can change that
[2017-07-12 22:41:49] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/blob/master/grep#L3>
[2017-07-12 22:41:51] hostile : remove line 3
[2017-07-12 22:42:06] jezzab : I havent checked it in a couple of days since I did it so Ill have a read
[2017-07-12 22:42:26] jezzab : ahh yes. i see
[2017-07-12 22:42:26] hostile : "rm -rf /data/.bin/grep " was added to help enable adb persist
[2017-07-12 22:44:21] jezzab : thanks
[2017-07-12 22:48:43] hfman : @hostile ... I have a ton of jpgs and bmps in that cali dir, but none of them are readable.
[2017-07-12 22:49:39] hfman : quite a few jpgs around 5-6k, and a dozen or so bmps that are all 691264
[2017-07-12 22:54:12] hostile : I suspect if you've done your own calibration afterward, it could get wiped too
[2017-07-12 22:54:27] hostile : I've recalibrated my mavic many times though
[2017-07-12 22:54:36] hostile : Mavic had .bmp factory images
[2017-07-12 22:55:09] hostile : how did you pull your images?
[2017-07-12 22:55:50] hfman : I just did ftp
[2017-07-12 23:06:34] hostile : you need to decrypt them
[2017-07-12 23:06:57] hostile : <https://github.com/MAVProxyUser/DJI_ftpd_aes_unscramble>
[2017-07-12 23:07:07] hostile : the code was bad with padding on some files... so could be why if you already did
[2017-07-12 23:07:16] hostile : pull em via adb
[2017-07-12 23:18:17] hfman : I see...
[2017-07-12 23:49:26] hotelzululima : my test with version 22 of ALL.apk was not successful.. no motor activation but no audible alarms (which were a byproduct of starting props successfully on V21)
[2017-07-12 23:54:50] vk2fro : Just trying to get root on my mavic (mac os x), ran the script, and it prompts me to launch Assistant with root privs and accept the NFZ database update, but I don't get that update....
[2017-07-12 23:55:15] vk2fro : (FW V .400)
[2017-07-12 23:55:27] hdnes : there are unsolved issues with .400
[2017-07-12 23:55:30] hdnes : I’m in the same boat
[2017-07-12 23:55:42] hfman : Did you launch it with --test_server args?
[2017-07-12 23:55:51] vk2fro : yes tried that as well.
[2017-07-12 23:56:05] hdnes : the solution for .400 is to upgrade to .800 or .900
[2017-07-12 23:56:14] vk2fro : ok :slightly_smiling_face:
[2017-07-12 23:56:17] hdnes : I didn’t want to do that
[2017-07-12 23:56:23] vk2fro : can always roll back with my VM though.
[2017-07-12 23:56:37] hdnes : because then you lose some of the param changing ability
[2017-07-12 23:56:47] hfman : @hdnes - confirmed issues with root on .400 ?
[2017-07-12 23:56:59] hdnes : … that’s why I’ve been working on pyDUML with @the_lord
[2017-07-12 23:57:05] hdnes : <https://github.com/hdnes/pyduml/tree/pyusb>
[2017-07-12 23:57:29] hdnes : it’s dual purpose, enables downgrades without VM as well as root access
[2017-07-12 23:57:47] hdnes : it’s almost done. @the_lord hasn’t tested all the pieces and I’m just scripting it in python
[2017-07-12 23:57:55] vk2fro : ok well I
[2017-07-12 23:57:57] hdnes : it’s 90% done, I’ll finish and test tonight
[2017-07-12 23:58:19] vk2fro : I'll ctrlX out of the redherring script and charge my batteries up for tonight :slightly_smiling_face:
[2017-07-12 23:58:41] hdnes : I’m probably going to pull an all-nighter and finish it up
[2017-07-13 00:00:01] vk2fro : Sounds like you will be busy hdnes :slightly_smiling_face:
[2017-07-13 00:02:47] hdnes : I’m hoping not. @jayemdee did the only part I didn’t have sample code for so I think it’s going to be copy paste and tweak tonight and it’ll be done.
[2017-07-13 00:03:46] hdnes : @hfman, yeah .400 never gets NFZ to popup for some reason on Assistant
[2017-07-13 00:03:58] hdnes : regardless of mode you sudo into etc.
[2017-07-13 00:04:21] hdnes : and because I don’t have a vm for .700 I’m having to get in via the DUML route, which helps lots of people with other things
[2017-07-13 00:04:56] vk2fro : I'd actually like to get to .700 for the googles.
[2017-07-13 00:04:59] vk2fro : goggles LOL
[2017-07-13 00:05:30] hdnes : well the binary is around and pyDUML allows the install
[2017-07-13 00:05:44] vk2fro : just ordered a dualboot chuwi tablet - android side for flying, windows side for parameter changing in the field.
[2017-07-13 00:09:14] vk2fro : What do you lose by going to .800 apart from the NFZ parameter?
[2017-07-13 00:17:07] hdnes : maybe altitude restriction but not sure
[2017-07-13 00:27:39] ms30250 : im making progress
[2017-07-13 00:27:57] ms30250 : this is kind of fun, thanks for not giving me the answers hostile
[2017-07-13 00:29:02] hostile : THAT is what helps keep this community together
[2017-07-13 00:29:08] hostile : we're all working together to learn
[2017-07-13 00:40:58] ms30250 : I have FTP! does that require root?
[2017-07-13 00:41:06] ms30250 : I assume I am rooted at this point ?
[2017-07-13 00:43:23] ms30250 : does this make me a tiny bit more respectable than a script kiddie?
[2017-07-13 00:45:57] hostile : FTP is always up...
[2017-07-13 00:46:06] hostile : if you got the 100% post NFZ update...
[2017-07-13 00:46:07] hostile : reboot
[2017-07-13 00:46:23] hostile : and you should have both "adb shell" and "telnet 192.168.42.2 1234" available for root access
[2017-07-13 00:46:33] hostile : telnet requires ; after every command
[2017-07-13 00:46:37] ms30250 : RedHerring has been here before... /upgrade/.bin still exists Usage: ruby RedHerring.rb <remote_path_to_write_to> <local_file_to_write> ex: ruby RedHerring.rb /system/bin/pwnt.sh /tmp/xxx
[2017-07-13 00:47:04] ms30250 : maybe im not there yet lol
[2017-07-13 00:47:38] ms30250 : assistant wants me to login
[2017-07-13 00:47:56] hostile : assistant always needs you to login...
[2017-07-13 00:48:38] hostile : you can always ftp in and check the content of /upgrade/.bin to see if "grep" exists to know if exploit unpacked successfully
[2017-07-13 00:50:09] ms30250 : assistant captcha is missing
[2017-07-13 00:55:54] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/issues/1#issuecomment-312764515>
[2017-07-13 00:56:00] ms30250 : .tar
[2017-07-13 00:56:05] hostile : you must first login via command line as root
[2017-07-13 00:56:13] hostile : without the exploit to set your cookie
[2017-07-13 00:56:24] ms30250 : i dont think im there yet
[2017-07-13 00:56:34] hostile : yes you are
[2017-07-13 00:56:39] hostile : that is why your captcha does not work
[2017-07-13 00:56:39] ms30250 : ok
[2017-07-13 00:56:56] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/issues/1#issuecomment-312764503>
[2017-07-13 00:57:10] hostile : "It appears as if you can login first via: sudo /Applications/Assistant.app/Contents/MacOS/Assistant then when you go back to: sudo /Applications/Assistant.app/Contents/MacOS/Assistant --test_server you will no longer be asked to login."
[2017-07-13 00:57:18] hostile : make sure your hosts file is clean before doing this
[2017-07-13 00:57:23] hostile : remove the redirects in it
[2017-07-13 00:57:26] hostile : sudo pico /etc/hosts
[2017-07-13 00:57:32] hostile : yank the shit at the bottom
[2017-07-13 01:22:51] ms30250 : i dont see anything in my hosts file. Maybe im looking at the wrong one but everything is commented out
[2017-07-13 01:24:31] vk2fro : I had several entries in mine pertaining to dji after I ran the script partway through - happens early on in the piece.
[2017-07-13 01:25:50] ms30250 : i assume we are talking about the windows system32 hosts file?
[2017-07-13 01:27:22] vk2fro : /windows/system32/drivers/etc/hosts - I'm on a mac but have several windows VM's so know where to get to it.
[2017-07-13 01:28:27] ms30250 : yup, mine is clean
[2017-07-13 01:28:42] ms30250 : nothing uncommented in it
[2017-07-13 01:29:16] ms30250 : --test_server prompts me to login with no captcha
[2017-07-13 01:30:01] ms30250 : i tried logging in then going back to --test but no dice
[2017-07-13 01:31:56] ms30250 : staring at firmware upgrade screen but nothing about NFZ update
[2017-07-13 01:32:45] vk2fro : FW .400?
[2017-07-13 01:32:49] ms30250 : yup
[2017-07-13 01:33:04] ms30250 : used VM to roll back from .800
[2017-07-13 01:33:16] hostile : by clean I mean remove any entries for DJI stuff
[2017-07-13 01:33:21] vk2fro : wont work on .400
[2017-07-13 01:33:23] hostile : you have to hit the server and get your cookie set
[2017-07-13 01:33:39] hostile : (for the login)
[2017-07-13 01:33:58] ms30250 : define "hit server" Im close to hitting a server for sure lol
[2017-07-13 01:34:03] hostile : lol
[2017-07-13 01:34:17] hostile : <https://dji-rev.slack.com/archives/C60KELF6H/p1499907416572892>
[2017-07-13 01:34:27] hostile : you have to login to their server to get your cookie...
[2017-07-13 01:35:13] ms30250 : im logged in now
[2017-07-13 01:35:25] ms30250 : mavic and assistant running
[2017-07-13 01:38:54] ms30250 : now im running in --test_server and see no firmware but not being prompted to update NFZ
[2017-07-13 01:50:09] hfman : @hdnes indicated this procedure still doesn't work for those who are on .400 .
[2017-07-13 01:51:09] hfman : echoed by @vk2fro above
[2017-07-13 01:51:30] ms30250 : hmmm, that makes sense
[2017-07-13 01:51:37] ms30250 : should i upgrade to .800
[2017-07-13 01:52:11] hfman : Your choice. What are your goals?
[2017-07-13 01:52:42] ms30250 : i would like the newest features but not have to worry about NFZ
[2017-07-13 01:52:58] ms30250 : i dont care about all the other parameters just hate having to be logged in for nfz
[2017-07-13 01:53:03] ms30250 : some bullshit
[2017-07-13 01:53:25] hfman : Root really doesn't offer that at all. It is a means to an end, which has not yet been defined.
[2017-07-13 01:54:00] ms30250 : right.. I assume it will lead to custom firmware
[2017-07-13 01:54:23] hfman : Parameter changing is the best way to avoid NFZ, or use the hacked DJI go firmware that bin4ry has been working on.
[2017-07-13 01:54:23] ms30250 : i used to love flashing custom roms on my phones
[2017-07-13 01:54:43] hostile : unless you can patch dji_sys... obtaining root does not immediately get you there, but it easily can...
[2017-07-13 01:54:45] ms30250 : hacked firmware or hacked app
[2017-07-13 01:55:07] ms30250 : im flying with a ipad
[2017-07-13 01:55:09] hostile : "--debugger" or the websocket is the **easiest** way to change params FWIW.
[2017-07-13 01:55:22] hostile : iOS hackers are not here
[2017-07-13 01:55:25] hostile : it is a harder game
[2017-07-13 01:55:49] vk2fro : Thats why I ordered a cheap but powerful chuwi tablet to fly with and keep as my main flying screen.
[2017-07-13 01:55:52] ms30250 : yup seems like i have all the worst options for what im trying to do
[2017-07-13 01:56:20] ms30250 : i bought a 400 dollar ipad cause my s7 was crashing
[2017-07-13 01:58:34] ms30250 : well gentlemen, I haven't given up and appreciate the support tonight
[2017-07-13 01:58:53] ms30250 : im sure it gets old feeding crumbs to rookies
[2017-07-13 01:58:53] hostile : do come back!
[2017-07-13 01:58:56] hostile : don't give up so easily
[2017-07-13 01:59:02] hostile : half the folks here are rookies
[2017-07-13 01:59:04] hostile : just like you
[2017-07-13 01:59:11] hostile : and have spent weeks bettering their own skillsets
[2017-07-13 01:59:17] ms30250 : not giving up... the lady is asking when im gonna get off the computer :disappointed:
[2017-07-13 01:59:22] hostile : good!
[2017-07-13 01:59:25] hostile : I hear that one.
[2017-07-13 01:59:29] hostile : the game warden controls all
[2017-07-13 01:59:35] ms30250 : lol indeed
[2017-07-13 01:59:47] hostile : "I'm sure it gets old feeding crumbs to rookies" - honestly no...
[2017-07-13 01:59:53] hostile : I enjoy it when people have a break through
[2017-07-13 01:59:54] ms30250 : ill be back tomorrow... Im getting this bitch rooted
[2017-07-13 02:00:00] ms30250 : its a matter of principal now
[2017-07-13 02:00:07] hostile : simple example... Pyduml is being created by someone who has only used python 5 times...
[2017-07-13 02:00:16] hostile : we're all bettering ourselves here!
[2017-07-13 02:00:24] hostile : we'll be happy to see you tomorrow!
[2017-07-13 02:00:56] ms30250 : lol
[2017-07-13 02:02:09] ms30250 : night all
[2017-07-13 02:40:25] hotelzululima : night!
[2017-07-13 04:09:11] jezzab : hmm
[2017-07-13 04:10:22] jezzab : was able to use adb after RH for the last couple of days but wasnt persistent. Removed the 'rm -rf /data/.bin/grep' from the grep script and now adb devices shows the P4 but when i connect it drops out. Also I can connect with telnet but no data is returned anymore and i have trailing with :wink:
[2017-07-13 04:10:26] jezzab : grr ;
[2017-07-13 04:11:29] jezzab : ok so it must be there as it shows the serial with ADB devices. but when connecting with shell and it dropping out the adb is changing to RedHerringHasFangs
[2017-07-13 04:11:42] jezzab : so its firing the grep script on connect im assuming
[2017-07-13 04:12:09] jezzab : assistant connects fine, everything works fine just cant adb shell or telnet
[2017-07-13 04:18:51] hostile : "Removed the 'rm -rf /data/.bin/grep' from the grep script and now adb devices shows the P4 but when i connect it drops out" this is EXACTLY why it was added...
[2017-07-13 04:19:05] hostile : to enable the adb to exist ONLY at the first reboot
[2017-07-13 04:19:19] hostile : it is your responsibility to keep it via modification of dji_start_system.sh
[2017-07-13 04:19:26] hostile : I wasn't gonna risk doing it in automated fashion
[2017-07-13 04:19:38] hostile : ftp in and remove the grep script
[2017-07-13 04:19:59] hostile : then adb will work... then YOU need to set up shop elsewhere
[2017-07-13 04:22:27] jezzab : righto
[2017-07-13 04:22:57] jezzab : live and learn
[2017-07-13 04:24:28] jezzab : thanks
[2017-07-13 04:25:06] hostile : sure man
[2017-07-13 04:25:07] hostile : np
[2017-07-13 04:25:13] hostile : congrats on your root... still a small club
[2017-07-13 04:26:13] jezzab : got in there a couple of days ago lol (with your help)
[2017-07-13 04:26:32] jezzab : just getting back to it and wanted to make it a little more permanent :slightly_smiling_face:
[2017-07-13 04:27:26] hostile : then on to helping us understand more of the internals. =]
[2017-07-13 04:27:34] hostile : downgrade looms on the horizon
[2017-07-13 04:29:01] jezzab : I think the fw files i ripped before the V2.00 upgrade are no good. They are encrypted (because of aes ftp) but you guys are ripping clean files straight from upgrade dir over adb?
[2017-07-13 04:31:29] jezzab : P4 fw not Mavic
[2017-07-13 04:54:10] vk2fro : how long should the Redherring script take to run after confirming the NFZ update?
[2017-07-13 04:54:35] hostile : did you get 100% ?
[2017-07-13 04:54:45] hostile : if you got 100% it is already done...
[2017-07-13 04:54:48] hostile : you can kill it
[2017-07-13 04:54:53] vk2fro : I got 100% in assistant
[2017-07-13 04:54:59] hostile : kill it and reboot
[2017-07-13 04:55:02] hostile : should have a shell
[2017-07-13 04:55:12] hostile : (don't reboot again, it will be gone unless you secured it)
[2017-07-13 04:55:24] hostile : can someone test the http page on RedHerring for me btw?
[2017-07-13 04:55:35] hostile : with the exploit running... open your web browser
[2017-07-13 04:55:38] hostile : go to <http://localhost>
[2017-07-13 04:56:38] vk2fro : haha I have root :slightly_smiling_face:
[2017-07-13 04:57:05] vk2fro : so now to secure it - assume editing startup script?
[2017-07-13 04:58:12] hostile : yeah dji_start_system.sh or whatever it's called... you can add to the end of it. if you fuck it up you can also brick the system.
[2017-07-13 04:59:08] jezzab : @hostile "Im here to distract you"
[2017-07-13 04:59:19] vk2fro : Yay! adb shell. :slightly_smiling_face:
[2017-07-13 04:59:30] hostile : mount -o remount,rw /system
[2017-07-13 04:59:31] hostile : echo /system/bin/adb_en.sh >> /system/bin/start_dji_system.sh
[2017-07-13 04:59:33] hostile : reboot
[2017-07-13 04:59:48] hostile : make sure you get BOTH ">>" in there!!!
[2017-07-13 05:00:00] hostile : ">" alone will overwrite it and fuck you proper
[2017-07-13 05:00:59] jezzab : hmm trying to find this damn grep file and delete it lol fw refresh was useless
[2017-07-13 05:01:13] vk2fro : done :slightly_smiling_face:
[2017-07-13 05:01:19] hostile : /data/.bin/grep
[2017-07-13 05:01:28] hostile : if left stock it rm's itself
[2017-07-13 05:01:40] hostile : it won't be there after the first reboot
[2017-07-13 05:02:03] vk2fro : rooted permanently now :slightly_smiling_face:
[2017-07-13 05:02:09] hostile : yessir
[2017-07-13 05:02:13] jezzab : yeah well someone (me) removed the rm lol
[2017-07-13 05:02:22] hostile : heh
[2017-07-13 05:02:31] hostile : "chattr +i" may be a better way to keep it
[2017-07-13 05:02:43] hostile : but unsure if this has other ramifications
[2017-07-13 05:02:56] jezzab : found it
[2017-07-13 05:08:17] vk2fro : thank you for the help hostile. :slightly_smiling_face:
[2017-07-13 05:09:03] hostile : for sure brother
[2017-07-13 05:09:05] hostile : congrats
[2017-07-13 05:11:20] vk2fro : Ty - wasnt too hard to pull off. but those 3 lines in the adb shell helped - knowing my luck I would have borked it and ended up with a $1500 paperweight.
[2017-07-13 05:11:44] hostile : Core board is only $90 to replace... also an experience worth doing once.
[2017-07-13 05:11:45] hostile : =]
[2017-07-13 05:11:52] hostile : many of us are part of the brick club
[2017-07-13 05:11:57] hostile : may need to order some t-shirts lol
[2017-07-13 05:12:19] vk2fro : It's those of you in that club that save us less knowledgeable from doing the same. :slightly_smiling_face:
[2017-07-13 05:12:30] hostile : some of us even openly volunteering to test each others untested code at risk of a brick...
[2017-07-13 05:12:43] hostile : some hella brotherhood in here.
[2017-07-13 05:13:27] vk2fro : Now to work out how to get it down to .700 from .800
[2017-07-13 05:13:33] hfman : Anybody keeping an eye on minions that moved to BAND? I have zero interest in what they are doing over there, but wondered if anybody wandered over.
[2017-07-13 05:14:49] hfman : I did manage to grab dji_system.bin from .700 if anybody is interested. The DUML stuff is quite a lot over my head.
[2017-07-13 05:16:58] hfman : Wow... sure got quiet awful quick!!:thinking_face:
[2017-07-13 05:17:30] vk2fro : That would give me a head start hfman
[2017-07-13 05:19:39] hfman : Lessee how lord and @hdnes do with their work... I know they basically got it working today.
[2017-07-13 05:20:45] vk2fro : Yes I saw the screen shot of lords downgrading and the two assistant shots (first on .900, second on .700)
[2017-07-13 05:21:49] hfman : I just have to be careful putting out a bin, DMCA and all ya know...
[2017-07-13 05:23:01] hostile : @hfman last I checked they were eating table scraps from this morning. ;)
[2017-07-13 05:23:58] hfman : Wondering how to capture the equiv from the RC and goggles...
[2017-07-13 05:44:22] jezzab : Fixed and persistent adb. Thank you muchly
[2017-07-13 05:48:29] vk2fro : hmm... seem to have lost ftp access
[2017-07-13 05:52:56] hans112 : Can you still fly when adb is started ?
[2017-07-13 05:53:15] hostile : @vk2fro by doing what...
[2017-07-13 05:53:35] vk2fro : just by making root persistent
[2017-07-13 05:54:17] hostile : is adb still there?
[2017-07-13 05:54:22] hostile : what OS you on?
[2017-07-13 05:54:28] vk2fro : yes it is, os x
[2017-07-13 05:54:28] hostile : unplug all, reboot all
[2017-07-13 05:54:39] vk2fro : ok brb
[2017-07-13 05:56:38] vk2fro : ok that fixed it LOL
[2017-07-13 05:56:42] jezzab : just fired up the motors so i say yes lol
[2017-07-13 05:58:22] jezzab : No errors and app says ready to fly
[2017-07-13 05:58:45] hans112 : Heheheheh great.
[2017-07-13 05:58:53] jezzab : Happy days :wink:
[2017-07-13 11:15:30] bin4ry : @hostile are you still up for the ota test? I am just afraid after the last time, but I am pretty sure that this time it should work since I added the code to exit recovery
[2017-07-13 11:16:33] bin4ry : just afraif that <https://www.youtube.com/watch?v=ONnE4VIzum8>
[2017-07-13 11:16:41] bin4ry : *afraid
[2017-07-13 13:07:00] the_lord : I'm ready to test your ota.zip
[2017-07-13 13:07:57] the_lord : @hfman what's the size of your bin file?
[2017-07-13 13:08:02] bin4ry : cool
[2017-07-13 13:08:04] bin4ry : here it comes
[2017-07-13 13:09:10] the_lord : I just woke up so give me some time and will report back I'm still on mobile
[2017-07-13 13:09:21] bin4ry : yeah sure, thanks very much
[2017-07-13 13:34:14] hostile : I just woke up too
[2017-07-13 13:34:33] freaky123 : I woke a bit earlier but now I can finally do some stuff
[2017-07-13 13:34:33] hostile : if Lord hasn't completed it... I will test after I finish this DUML exploit port to ruby
[2017-07-13 13:44:34] the_lord : @freaky123 what's required to unbrick it if stuck in recovery? is a copy of cmdline enough?
[2017-07-13 13:45:42] freaky123 : do you still have adb connection?
[2017-07-13 13:46:04] the_lord : i didn't start the test yet so i don't want to do the same mistake twice
[2017-07-13 13:46:37] freaky123 : if you still have DUML access to the device then I will be able to get it out by enabling adb again
[2017-07-13 13:46:52] freaky123 : but not 100% sure if DUML is available so you need to check that
[2017-07-13 13:47:27] the_lord : last board you asked me about board SN or something
[2017-07-13 13:47:56] freaky123 : ohh that stuff
[2017-07-13 13:48:02] freaky123 : yeah a copy of cmdline is enough
[2017-07-13 13:48:08] the_lord : anyways i'll take backup of cmdline then test the ota.zip
[2017-07-13 13:48:24] freaky123 : yeah that should be enough
[2017-07-13 13:48:29] freaky123 : the daak is in there
[2017-07-13 14:33:28] hfman : @the_lord - my dji_system.bin is 108,934,144 bytes
[2017-07-13 14:33:34] the_lord : @bin4ry same shit but different smell
[2017-07-13 14:34:09] the_lord : @hfman can you PM me your bin file please as the one i generated is about double the size
[2017-07-13 14:34:28] hfman : Sure... stand by
[2017-07-13 14:34:30] bin4ry : @the_lord still stuck ?
[2017-07-13 14:34:34] the_lord : yes
[2017-07-13 14:35:05] bin4ry : oh no
[2017-07-13 14:35:10] bin4ry : did you unbrick ?
[2017-07-13 14:35:18] the_lord : i don't know how
[2017-07-13 14:35:31] bin4ry : <https://dji-rev.slack.com/archives/C60KELF6H/p1499944593605172>
[2017-07-13 14:35:34] bin4ry : ?
[2017-07-13 14:35:38] bin4ry : <https://www.youtube.com/watch?v=ONnE4VIzum8>
[2017-07-13 14:35:42] bin4ry : ??
[2017-07-13 14:35:44] bin4ry : hope not
[2017-07-13 14:36:48] the_lord : just like the previous one
[2017-07-13 14:37:20] bin4ry : fck
[2017-07-13 14:37:29] bin4ry : i cannot understand why
[2017-07-13 14:37:42] bin4ry : now it should perfectly remove the env boot.mod and
[2017-07-13 14:37:47] freaky123 : so you have 2 bricked now?
[2017-07-13 14:37:49] bin4ry : reset it to normal boot
[2017-07-13 14:38:03] the_lord : yes two bricked with ota.zip
[2017-07-13 14:38:15] bin4ry : thx for testing
[2017-07-13 14:38:20] freaky123 : what exactly did you do? then I can see what is happening
[2017-07-13 14:38:28] bin4ry : we did this
[2017-07-13 14:38:44] bin4ry : reboot recovery
[2017-07-13 14:38:48] bin4ry : copy one file over
[2017-07-13 14:38:52] freaky123 : and what do you get from `lsusb`?
[2017-07-13 14:38:53] bin4ry : and then quit
[2017-07-13 14:39:25] freaky123 : you first goto recovery?
[2017-07-13 14:39:43] bin4ry : yes
[2017-07-13 14:39:46] the_lord : i deleted the /cache/ota.zip then copied bin4ry's ota.zip file to /cache/ota.zip then copied an empty file named ota to /data/dji/cfg/test/ota then rebooted
[2017-07-13 14:40:14] bin4ry : this file will trigger test_ota.sh
[2017-07-13 14:40:27] bin4ry : which sets env. boot.mode = recovery
[2017-07-13 14:40:30] bin4ry : and reboots
[2017-07-13 14:40:40] bin4ry : then in recovery we remount system rw
[2017-07-13 14:40:43] bin4ry : copy 1 file
[2017-07-13 14:40:45] hostile : I suspect you included two updates... based on what I looked at last night.
[2017-07-13 14:40:51] bin4ry : remove env boot.mod
[2017-07-13 14:41:25] the_lord : i added the files based on the content of the cfg file
[2017-07-13 14:41:27] bin4ry : wait here is the script
[2017-07-13 14:41:30] freaky123 : ok
[2017-07-13 14:41:47] bin4ry : like on original OTA
[2017-07-13 14:41:47] freaky123 : but now when it is in recovery mode what do you get from `lsusb`?
[2017-07-13 14:44:34] freaky123 : you need to sync as well I think
[2017-07-13 14:45:31] freaky123 : but I looked at the recovery boot etc. and saw that it starts dji_sys, which makes it possible to talk DUML
[2017-07-13 14:45:38] freaky123 : and for me to gain root access
[2017-07-13 14:46:31] hostile : @the_lord here is an alternate method for you
[2017-07-13 14:46:31] bin4ry : missing sync should not keep it in recovery IMHO
[2017-07-13 14:46:32] hostile : <https://dji-rev.slack.com/archives/C60KELF6H/p1499518756298139>
[2017-07-13 14:47:09] hostile : aka if you are in over ADB. "setprop sys.powerctl reboot,recovery" will do what you need
[2017-07-13 14:47:24] the_lord : i'm unable to do anything with the board
[2017-07-13 14:47:33] the_lord : maybe your pipe can work?
[2017-07-13 14:47:34] freaky123 : but yeah now he needs to get out of recovery
[2017-07-13 14:47:39] hostile : I mean in the future... until freaky figures it out
[2017-07-13 14:47:48] freaky123 : @the_lord can you open up lsusb
[2017-07-13 14:47:50] bin4ry : we have no problem triggering rec
[2017-07-13 14:47:53] bin4ry : only getting out
[2017-07-13 14:47:55] hostile : oh yeah you could likely use my Root Pipe to share the USB out to freaky to try to speak to
[2017-07-13 14:48:01] freaky123 : or at least show what usb devices pop up
[2017-07-13 14:48:13] hostile : you have access to the ssh keys in the private repo if you need the pipe @freaky123
[2017-07-13 14:48:16] bin4ry : last time usb devid 1f showed up
[2017-07-13 14:48:18] the_lord : only DJI serial port
[2017-07-13 14:48:26] hostile : lord is quite familiar with getting it up
[2017-07-13 14:48:29] freaky123 : that is enough for me to get in
[2017-07-13 14:49:18] hostile : <privrepo>blob/remote_rooter/tools/RemoteRootSteps.txt
[2017-07-13 14:49:46] freaky123 : but not that familiar with the remote root pipe.. but maybe @hostile can run it.. but you need to remove the reboot and leave it open from the start
[2017-07-13 14:49:49] hostile : <privrepo>blob/remote_rooter/tools/dji_r00t_admin.sh
[2017-07-13 14:49:50] hostile : should get you up
[2017-07-13 14:49:52] freaky123 : then he can adb into the device
[2017-07-13 14:50:12] hostile : he's locked out now tho...
[2017-07-13 14:50:24] hostile : so you'd need the pipe up and then a working exploit
[2017-07-13 14:50:37] hostile : it is unclear if the **other** one works at this level with the recovery dji_sys
[2017-07-13 14:50:45] freaky123 : I know it works
[2017-07-13 14:50:49] freaky123 : I checked it
[2017-07-13 14:50:53] freaky123 : so our exploit still works
[2017-07-13 14:50:58] hostile : ok l0rd...
[2017-07-13 14:51:01] hostile : run the pipe
[2017-07-13 14:51:06] hostile : I'll quickly see if we can talk to you
[2017-07-13 14:51:11] hostile : should be apparent right away
[2017-07-13 14:51:19] the_lord : pipe apps are up and running
[2017-07-13 14:51:23] hostile : sec
[2017-07-13 14:51:23] the_lord : can you see me?
[2017-07-13 14:51:25] freaky123 : and since he says that only the serial port pops up.. this must be the duml
[2017-07-13 14:52:28] hostile : done
[2017-07-13 14:52:33] hostile : I didn't get any response packets tho
[2017-07-13 14:52:40] freaky123 :
```
on boot
    ifup lo
    hostname localhost
    domainname localdomain
    write /sys/block/mmcblk0boot0/force_ro 0
    write /sys/block/mmcblk0boot1/force_ro 0
    class_start default
    setprop service.adb.root 1
    setprop sys.usb.config rndis,mass_storage,bulk,acm
    class_start core
    start dji_sys
    # start dji_mb_ctrl
    start recovery
    #Start the crash_counter check operation
    start crash_counter
```
[2017-07-13 14:52:51] freaky123 : oh that should not be correct you should get something back
[2017-07-13 14:52:56] hostile : $ ./dji_r00t_admin.sh Kicking off Tunnel Sleeping before Socat fires sleeping 5, then kicking off ADB enable exploit admin must take care! using port: /tmp/dji_r00t_pipe using command: "adb_en.sh NonSecurePrivilege" MavicUAV exploit sent, check 'adb devices' SEND[xxxxxxx censored]
[2017-07-13 14:53:05] hostile : Be patient, killing ssh tunnel End user should have seen an InOut(): ReadFile(hC0C) ERROR Invalid argument (22) error Make sure they did not get OpenC0C(): CreateFile(.COM20) ERROR No such file or directory (2) or similar
[2017-07-13 14:53:33] hostile : so you know the drill @the_lord ... but I assume based on how it responded you didn't hear the tell tale signs of the USB cycling
[2017-07-13 14:54:14] the_lord : nothing here
[2017-07-13 14:54:42] hostile : got none
[2017-07-13 14:54:42] hostile : I usually get a packet back too...
[2017-07-13 14:54:52] hostile : lemme double check the server make sure no stale pipes from last run
[2017-07-13 14:54:56] freaky123 : seems like the serial does nothing
[2017-07-13 14:55:18] hostile : so i suspected originally... you can use the TX/RX pads
[2017-07-13 14:55:28] hostile : and speak DUML down then when it was in this state
[2017-07-13 14:55:38] the_lord : i tried before to send get SN DUML but i couldn't even send it, my application froze
[2017-07-13 14:55:42] hostile : but had no way to investigate
[2017-07-13 14:56:05] hostile : yeah IMHO... she doesn't have dji_sys up, or it is on a different interface
[2017-07-13 14:56:13] hostile : and the USB isn't up yet
[2017-07-13 14:56:40] hostile : do you have a Saleae @the_lord ?
[2017-07-13 14:56:41] the_lord : don't send any DUML as i'll fire the sniffer
[2017-07-13 14:56:52] hostile : you can kill the pipes
[2017-07-13 14:57:12] the_lord : killed
[2017-07-13 14:57:44] freaky123 : btw the /cache/ota.zip is quite persistent.. it tries it forever I see now while other update methods have a crash counter
[2017-07-13 14:57:57] the_lord : i don't have Saleae
[2017-07-13 14:58:33] hostile : so maybe try looping SN query
[2017-07-13 14:58:35] hostile : and power the board
[2017-07-13 14:58:37] bin4ry : I hope you get it running again, feeling bad asking you to try. Seems that this is not a good way for now until we can easily unbrick them :confused:
[2017-07-13 14:58:41] the_lord : this was my concern from the beginning who will delete the /data/dji/cfg/test/ota file?
[2017-07-13 14:58:41] hostile : maybe there is a race condition
[2017-07-13 14:58:48] hostile : if not @martinbogo is our next hope
[2017-07-13 14:59:05] hostile : @bin4ry we all know why we are here
[2017-07-13 14:59:15] bin4ry : yah, but i hate it to brick one board
[2017-07-13 14:59:18] hostile : for the revolution!
[2017-07-13 14:59:21] bin4ry : lolz
[2017-07-13 14:59:24] hostile : alas... we probably should buy @the_lord a nice gift after all this
[2017-07-13 14:59:43] the_lord : don't feel sad @bin4ry these boards are for testing and if didn't test we will never learn
[2017-07-13 14:59:44] hostile : He's currently got the brick king status
[2017-07-13 14:59:52] bin4ry : :wink:
[2017-07-13 15:02:55] freaky123 : I'm not so sure if it is still in recovery mode or in which mode it is
[2017-07-13 15:02:57] freaky123 : and why
[2017-07-13 15:03:05] freaky123 : so it's quite difficult to debug
[2017-07-13 15:03:07] the_lord : the board is not responding
[2017-07-13 15:03:52] freaky123 : ok and do you have some 1.5v serial listener or a scope to see if the tx/rx pads have some data?
[2017-07-13 15:04:23] the_lord : nope :disappointed:
[2017-07-13 15:04:49] hostile : @the_lord can you source ANY kind of logic analyzer?
[2017-07-13 15:05:00] hostile : I'd be curious to see what the various sets of pads are doing right now
[2017-07-13 15:05:26] hostile : BusPirate?
[2017-07-13 15:05:44] the_lord : shipping the board to any of you guys is much easier than finding logic analyzer HERE
[2017-07-13 15:07:43] the_lord : i still have two more boards for testing + flyable mavic
[2017-07-13 15:07:55] bin4ry : let's see if @martinbogo has some ideas
[2017-07-13 15:08:38] opcode : @the_lord my condolences :slightly_frowning_face:
[2017-07-13 15:09:42] cs2000 : I've lost count of how many boards we have bricked now as a community, poor things lol. I'm sure one day we will get them back, but all in the name of knowledge I guess!
[2017-07-13 15:10:12] the_lord : martinbogo speaks Martian, I don't understand anything about his alien gear :joy:
[2017-07-13 15:12:36] hostile : LOLOLOL
[2017-07-13 15:50:23] martinbogo : @the_lord : You need a logic analyzer?
[2017-07-13 15:50:51] the_lord : i need to know how to use it in first place :slightly_smiling_face:
[2017-07-13 15:51:00] martinbogo : OH! you want me to analyze and/or fix it .. sure :slightly_smiling_face:
[2017-07-13 15:51:43] the_lord : i don't care about fixing the board but we wanted to understand what's going on
[2017-07-13 15:52:09] martinbogo : @the_lord : are you US or EU?
[2017-07-13 15:52:17] the_lord : ME
[2017-07-13 15:53:05] martinbogo : ... Montenegro?
[2017-07-13 15:53:10] hostile : Middle East
[2017-07-13 15:53:11] martinbogo : **chuckle**
[2017-07-13 15:53:17] hostile : =]
[2017-07-13 15:53:22] martinbogo : Dubai?
[2017-07-13 15:53:31] the_lord : :joy:
[2017-07-13 15:53:35] the_lord : nop
[2017-07-13 15:53:49] hostile : **confirmed** not in theater... vetted by me FWIW lol
[2017-07-13 15:53:53] martinbogo : Damn ... I have a friend in Dubai with a great lab.
[2017-07-13 15:54:05] the_lord : PM please
[2017-07-13 18:16:27] martinbogo : No, don't use a bus pirate WITHOUT modification
[2017-07-13 18:16:30] martinbogo : use a level shifter
[2017-07-13 18:17:01] martinbogo : 1.6V is as high as you should go ... some of the pins aren't even 2V tolerant
[2017-07-13 18:22:23] hotelzululima : perhaps we can set a flag in the root procedure so that if the root is unsuccessful it writes a flag and on the next boot a non-root emergency bailout environment is booted? (might help on cutting down bricks to have such logic in the rooting toys?)
[2017-07-13 18:23:44] hotelzululima : nah never mind, my thinking is getting too convoluted already…
[2017-07-13 23:20:05] vk2fro : I wonder if one could build a 1.5 to 3.3v level converter (and use optoisolators on both sides to isolate the voltages) to allow a BP to be connected?
[2017-07-14 00:25:34] fldatatek : These will work to 1.8v <https://www.sparkfun.com/products/12009>
[2017-07-14 00:26:12] fldatatek : These go down to 1.5v <https://www.pololu.com/product/2595>
[2017-07-14 01:50:47] hdnes : pyduml successfully rooted my .400!
[2017-07-14 01:50:59] hostile : FUCK yes!
[2017-07-14 01:51:04] hostile : can I cop that .400 file?
[2017-07-14 01:51:10] hostile : oh I see PM's you may have already sent
[2017-07-14 01:51:52] fldatatek : nice
[2017-07-14 01:52:57] hdnes : what .400 file do you need the .bin? I used fireworks not sure we can get the .400.bin of my machine?
[2017-07-14 01:56:05] vk2fro : nice work hdnes!
[2017-07-14 01:56:21] vk2fro : Now I can wind back to .400 and root it :wink:
[2017-07-14 01:56:47] hdnes : pyduml will let you roll back to .400 AND root!
[2017-07-14 01:57:36] vk2fro : Time to get out the mavic again (and stop watching mikeselectricstuff on youtube) for half an hour or so :slightly_smiling_face:
[2017-07-14 01:59:46] hdnes : gotcha bitch! Thanks @hostile @the_lord @jayemdee
[2017-07-14 01:59:56] vk2fro : :slightly_smiling_face:
[2017-07-14 02:12:26] jezzab : what's with the typo in the init. environ.rc exoprt HAL_LIB /system/lib/libduml_hal.so
[2017-07-14 02:15:08] hostile : LOL #China
[2017-07-14 02:15:10] hostile : I saw that too
[2017-07-14 02:15:25] hostile : I was gonna abuse that for the "grep" bug
[2017-07-14 02:15:38] hostile : since it isn't in path
[2017-07-14 02:15:44] hostile : it will get called from /data/.bin
[2017-07-14 02:16:03] hostile : so you could do "RubyRedHerring.rb /data/.bin/exoport grep"
[2017-07-14 02:16:04] hostile : =]
[2017-07-14 02:16:16] jezzab : ah right lol
[2017-07-14 02:18:50] jezzab : so libduml_hal.so is for setting and getting the camera settings via DUML?
[2017-07-14 02:23:47] vk2fro : Looking at pyDUML code it appears I need a dji_system.bin still.
[2017-07-14 02:24:04] hdnes : yeah, same as renamed fireworks.tar
[2017-07-14 02:24:24] hdnes : or any dji_system.bin you want to firmware update to :wink:
[2017-07-14 02:24:46] vk2fro : ok so if I cp fireworks.tar dji_system.bin, it should work?
[2017-07-14 02:25:05] hdnes : assuming your fireworks.tar was generated correctly, yes
[2017-07-14 02:26:26] vk2fro : yes I successfully rooted on .800 so should have a fireworks.tar hanging about.
[2017-07-14 02:26:44] hdnes : there you go,
[2017-07-14 02:26:57] vk2fro : mine is 4kb in size.
[2017-07-14 02:27:07] hdnes : close enough
[2017-07-14 02:27:20] vk2fro : I just don't want to brick it :stuck_out_tongue:
[2017-07-14 02:28:04] hdnes : yeah for sure,
[2017-07-14 02:28:18] hdnes : if it worked on the .800 you should be safe
[2017-07-14 02:28:29] hdnes : how are you rolling back to .400
[2017-07-14 02:28:36] hdnes : using pyduml or VM
[2017-07-14 02:28:37] vk2fro : VM
[2017-07-14 02:28:53] vk2fro : I only have the encrypted .400 files.
[2017-07-14 02:29:01] vk2fro : so have to use the VM.
[2017-07-14 02:29:24] hdnes : might have the .400 soon, might worth holding off
[2017-07-14 02:29:26] hdnes : :wink:
[2017-07-14 02:29:32] vk2fro : ok
[2017-07-14 02:30:36] vk2fro : at present I have it rooted on .800 along with a full filesystem dump as well. so I can explore the filesystem without having the drone draining a battery.
[2017-07-14 02:33:11] vk2fro : noob to all this hacking stuff, but learning fast - never thought I'd spend so much time in Terminal.app :slightly_smiling_face:
[2017-07-14 02:41:52] jezzab : Any ideas what this key is for?
[2017-07-14 03:11:01] hostile : @hdnes here... I did you a solid. Hopefully this works! <https://github.com/hdnes/pyduml/releases>
[2017-07-14 03:11:29] hostile : <https://github.com/hdnes/pyduml/releases/tag/v0.1>
[2017-07-14 03:12:01] hdnes : Slick!
[2017-07-14 03:13:12] vk2fro : Nice - I'll test that once I'm back on .400 hostile. :slightly_smiling_face:
[2017-07-14 03:26:54] hostile : anyone trying to copy firmware files during download can try either:
[2017-07-14 03:26:55] hostile : while true ; do cp /data/dji_system.bin /data/xxx.bin; done
[2017-07-14 03:26:56] hostile : or
[2017-07-14 03:27:09] hostile : adb pull /data/dji_system.bin
[2017-07-14 03:27:14] hostile : once the update has started
[2017-07-14 03:34:13] djayeyeballs : anyone know what g_config_mode_normal_cfg_rc_scale is for?
[2017-07-14 03:34:18] jezzab : ffs I really should have read the help for adb, I've been copying to /tmp/cam_storage for all the files lol
[2017-07-14 03:45:33] hfman : So.... this does the FC... but what about the RC? Or even the goggles?
[2017-07-14 03:46:01] hfman : It looks like we need @the_lord's method for the RC ?
[2017-07-14 03:50:22] hostile : yes...
[2017-07-14 03:50:30] hostile : its just a different DUML id...
[2017-07-14 03:50:53] hostile : @the_lord has Goggles to test...
[2017-07-14 03:51:54] hfman : I'd sure like to snag .400 dji_system.bin...
[2017-07-14 03:52:36] vk2fro : I'm already on it. :slightly_smiling_face:
[2017-07-14 03:55:18] vk2fro : just waiting on an updated pyduml.exe from hostile and I'll have the 400.bin in a jiffy.
[2017-07-14 03:59:27] hfman : Not clear what you are going to do. Root with pyduml, then send .400 with the VM and adb it back after it sends it?
[2017-07-14 03:59:40] vk2fro : exactly.
[2017-07-14 04:00:26] hfman : Right... I suppose I could do the same, but not confident the VM will work for me (the VMWare VM requires a bit more host processing power than I have here)
[2017-07-14 04:00:53] vk2fro : I have enough of that - i7 7700k OC at 5GHz with 32GB ram :slightly_smiling_face:
[2017-07-14 04:02:01] fldatatek : :stuck_out_tongue: I have I7-7700HQ but unfortunately no skills for this
[2017-07-14 04:03:19] vk2fro : I knew this powerful rig would be more useful than for just playing flight simulators :slightly_smiling_face:
[2017-07-14 04:03:35] fldatatek : lol
[2017-07-14 04:04:13] fldatatek : I have mine for CAD work and photo editing and video rendering
[2017-07-14 04:04:46] vk2fro : on the hackintosh side, this machine is great for FCP :slightly_smiling_face:
[2017-07-14 04:04:59] fldatatek : I bet
[2017-07-14 04:05:29] fldatatek : I use photoshop and premier pro and fusion360 for CAD
[2017-07-14 04:05:50] vk2fro : Then I can walk across the room to the opposite end of the spectrum - a commodore 64 :slightly_smiling_face:
[2017-07-14 04:06:06] fldatatek : Mine is actually a MSI gaming laptop.. But weighs under 4 lbs
[2017-07-14 04:06:24] vk2fro : I have a macbook pro as my portable.
[2017-07-14 04:06:41] vk2fro : old 2012 model the one you can still upgrade everything in except the cpu.
[2017-07-14 04:06:47] fldatatek : nice
[2017-07-14 04:07:21] fldatatek : this one has a nvidia 1060 video card and dual 256GB SSD drives and 16GB memory
[2017-07-14 04:07:50] fldatatek : <http://www.bestbuy.com/site/msi-15-6-laptop-intel-core-i7-16gb-memory-nvidia-geforce-gtx-1060-1tb-hard-drive-256gb-solid-state-drive-aluminum-black/5712735.p?skuId=5712735>
[2017-07-14 04:08:07] hotelzululima : I have the same A1286 from 2012. BEST machine they ever made.
[2017-07-14 04:08:44] vk2fro : Sure is - I have a pair of 525 Crucial SSDs in mine. One's for windoze, the other for Sierra
[2017-07-14 04:09:29] hotelzululima : I couldn't get sata6 working in the superdrive bay.. did have maverick at the time to apply the code fixes and never went back and did it..
[2017-07-14 04:09:34] hotelzululima : didn't
[2017-07-14 04:09:46] the_lord : i got the 400.bin
[2017-07-14 04:09:54] hotelzululima : cool..
[2017-07-14 04:10:00] hostile : drop it for me in PM or #pyduml plz
[2017-07-14 04:10:20] vk2fro : oh well done the_lord :slightly_smiling_face:
[2017-07-14 04:11:33] the_lord : @hostile uploading to pyduml
[2017-07-14 04:39:07] vk2fro : pyduml.py is telling me no compatible aircraft yet I can see it in assistant??
[2017-07-14 04:39:53] hostile : git pull
[2017-07-14 04:39:55] hostile : I am working on it
[2017-07-14 04:40:01] vk2fro : ok
[2017-07-14 04:40:07] hostile : actively working on fixing it
[2017-07-14 04:40:23] vk2fro : cheers
[2017-07-14 04:49:10] hotelzululima : hmm, vk2fro and I have the exact same A1286 model. wondering if something funky is going on with usb.core.find, as the mavic is technically on a USB3 interface in USB2 mode; we BOTH report funkiness with usb.core.find (trying pydump in trepan3k debugger as I write this)
[2017-07-14 04:50:11] vk2fro : No I am on a hackintosh atm :slightly_smiling_face:
[2017-07-14 04:50:17] hotelzululima : ah
[2017-07-14 04:50:28] hotelzululima : forget that then
[2017-07-14 04:52:30] hotelzululima : @hostile having exact same issue with pyduml.py as I did with my test code extracted from the usb.core tutorial.. usb.core.find finds some devices but not others and not sure I understand why at this point, looking into it
[2017-07-14 04:53:11] vk2fro : I will plug the aircraft into a usb 2.0 port and see what I get.
[2017-07-14 04:53:40] hotelzululima : I personally would be fascinated.. as I have nothing but USB3 in front of me at moment
[2017-07-14 04:54:16] vk2fro : Same.
[2017-07-14 04:54:18] hotelzululima : and I am exploring pydump.py with the trepan3k debugger
[2017-07-14 04:54:26] hotelzululima : no joy??
[2017-07-14 04:54:37] vk2fro : no, no joy.
[2017-07-14 04:54:44] hotelzululima : and the same USB cable works for other mavic related purposes?
[2017-07-14 04:54:58] hotelzululima : ie rndis and usb.storage?
[2017-07-14 04:55:08] vk2fro : yes, I was even able to root it using redherring using the same usb 3 port
[2017-07-14 04:55:18] hotelzululima : ok thanx
[2017-07-14 04:55:26] vk2fro : (when it was running fw.800)
[2017-07-14 04:55:42] vk2fro : I will try a reboot of the PC,
[2017-07-14 04:56:34] hotelzululima : I should try that next but waiting for a core board A on sunday, as the mavic in front of me being used for debug is owned by someone else
[2017-07-14 04:56:54] hotelzululima : and can't afford to fuck it up :slightly_smiling_face:
[2017-07-14 04:59:07] vk2fro : Well mine's my only mavic so I should stop right now and wait for hostile and co to fix pyduml.
[2017-07-14 04:59:41] jjofthedrums : do you guys need a V01.03.0600 bin?
[2017-07-14 05:01:44] vk2fro : yes pm it to hostile - he's the one collecting them :slightly_smiling_face:
[2017-07-14 05:03:57] hostile : @jjofthedrums yes plz
[2017-07-14 05:04:04] hostile : send via PM
[2017-07-14 05:04:07] jjofthedrums : I would need to be walked through it, if that's worth the trouble
[2017-07-14 05:04:23] hostile : sh-3.2# python pyduml.py /dev/tty.usbmodem40
55 16 04 FC 2A 28 65 57 40 00 07 00 00 00 00 00 00 00 00 00 27 D3
55 0E 04 66 2A 28 68 57 40 00 0C 00 88 20
55 1A 04 B1 2A 28 6B 57 40 00 08 00 00 E6 53 07 00 00 00 00 00 00 02 04 6D 4A
55 1E 04 8A 2A 28 F6 57 40 00 0A 00 A5 AC 03 74 62 B4 F9 02 BF A6 CB 8D 9F E3 95 AE 46 2C
Firmware Upload Complete
[2017-07-14 05:04:25] hostile : check Git...
[2017-07-14 05:04:30] hostile : may need to pip install something
[2017-07-14 05:05:13] hostile : 01-01 00:42:08.996 233 32718 I DUSS&63[ sys_p1_unsign_img:1829]:: dji_verify -n 0000 -o /cache/upgrade/unsignimgs/wm330_0000.xml /ftp/upgrade/upgrade/signimgs/wm220.cfg.sig success.
01-01 00:42:08.996 233 32718 I DUSS&63[sys_p1_get_filelist_from:3815]:: succeed to unsign cfg file.
01-01 00:42:08.998 233 32718 I DUSS&63[ sys_p1_parse_cfg: 50]:: root name: dji
01-01 00:42:08.998 233 32718 I DUSS&63[ sys_p1_parse_cfg: 53]:: child name: device
01-01 00:42:08.998 233 32718 I DUSS&63[ sys_p1_parse_cfg: 59]:: get device_id wm220 from xml
01-01 00:42:08.998 233 32718 I DUSS&63[ sys_p1_parse_cfg: 69]:: formal = 01.03.0400
01-01 00:42:08.998 233 32718 I DUSS&63[ sys_p1_parse_cfg: 82]:: release version = 01.03.0400
01-01 00:42:08.998 233 32718 I DUSS&63[ sys_p1_parse_cfg: 88]:: parsed version:1.3.400
01-01 00:42:08.998 233 32718 I DUSS&63[ sys_p1_parse_cfg: 91]:: anti rool back = 1
01-01 00:42:08.998 233 32718 I DUSS&63[ sys_p1_parse_cfg: 96]:: from = 2017/02/10
01-01 00:42:08.998 233 32718 I DUSS&63[ sys_p1_parse_cfg: 103]:: expire = 2018/02/10
01-01 00:42:08.998 233 32718 I DUSS&63[ sys_p1_parse_cfg: 117]:: module id: 0305
01-01 00:42:08.998 233 32718 I DUSS&63[ sys_p1_parse_cfg: 120]:: module version: 34.04.00.23
01-01 00:42:08.998 233 32718 I DUSS&63[ sys_p1_parse_cfg: 123]:: hardware version:
01-01 00:42:08.998 233 32718 I DUSS&63[ sys_p1_parse_cfg: 126]:: module file_name = wm220_0305_v34.04.00.23_20161122.pro.fw.sig
01-01 00:42:08.998 233 32718 I DUSS&63[ sys_p1_add_up_file:2333]:: get hw_ver[NULL] from file /ftp/upgrade/upgrade/signimgs//wm220_0305_v34.04.00.23_20161122.pro.fw.sig
[2017-07-14 05:05:41] hostile : <https://github.com/hdnes/pyduml/commit/dca7a687c1d1aff7a23247218911d3072f10b957>
[2017-07-14 05:05:45] hostile : pull this commit...
[2017-07-14 05:12:52] vk2fro : got it - and attacking the correct usbmodem too - now just need dji_system.bin - assume that's fireworks.tar which I need to rename.
[2017-07-14 05:13:56] hostile : or a firmware file you wish to downgrade to
[2017-07-14 05:46:22] hostile : @the_lord @hdnes <https://giphy.com/gifs/happy-leonardo-dicaprio-cheers-QMkPpxPDYY0fu>
[2017-07-14 05:49:43] hans112 : Rooting without assistant, up and downgrade without assistant, changing parameters without assistant.... Can I conclude that the birds are: <https://youtu.be/HgkpGfImg38>
[2017-07-14 05:51:25] hotelzululima : heh heh heh.. @hostile Should have called it the “repossess your drone from DJI” .app
[2017-07-14 05:53:23] mavicbreak : If I have a .700 VM and pull out dji_system.bin during upgrade is that mean I can downgrade/upgrade back to .700 anytime when rooted? Bin is for one specific drone or the one pulled from mavic works with every mavic?
[2017-07-14 05:54:33] the_lord : without rooting can work with every mavic
[2017-07-14 05:56:11] the_lord : first time i downgraded from 1.03.0900 to 700 i generated the bin file myself and i used the root just to double check its status
[2017-07-14 05:58:10] hostile : we need to check the .sigs that come from the factory too
[2017-07-14 05:58:15] hostile : in the /upgrade folder
[2017-07-14 05:59:04] hotelzululima : hmm @the_lord is that downgrade bin available?.. lost mine at the start of all of this when forced to upgrade to .900 and didn't know to save the cache at the time to capture .700 .sigs
[2017-07-14 06:01:59] mavicbreak : Hostile is collecting the bins on git I guess.
[2017-07-14 06:03:18] hostile : PM me github usernames...
[2017-07-14 06:05:02] hotelzululima : found them
[2017-07-14 06:06:10] hostile : sh-3.2# git lfs track "*.bin"
Tracking "*.bin"
[2017-07-14 06:06:32] hotelzululima : thanx
[2017-07-14 06:06:34] hostile : sh-3.2# git add V*bin
[2017-07-14 06:07:13] hostile : [master 6af630e] All currently **extracted** DJI firmware fileswq
 5 files changed, 13 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 V01.03.0400_Mavic_dji_system.bin
 create mode 100644 V01.03.0700_Mavic_dji_system.bin
 create mode 100644 V01.03.0800_Mavic_dji_system.bin
 create mode 100644 V01.03.0900_Mavic_dji_system.bin
[2017-07-14 06:07:30] hostile : <https://github.com/MAVProxyUser/dji_system.bin.git>
[2017-07-14 06:07:38] hostile : Gonna need github usernames for access tho
[2017-07-14 06:07:51] hostile : sh-3.2# git push origin master
Git LFS: (0 of 4 files) 18.64 MB / 433.15 MB
[2017-07-14 06:07:59] hostile : ...
[2017-07-14 06:08:25] hotelzululima : git clone <https://github.com/MAVProxyUser/dji_system.bin.git>
Cloning into 'dji_system.bin'...
remote: Repository not found.
fatal: repository '<https://github.com/MAVProxyUser/dji_system.bin.git/>' not found
[2017-07-14 06:08:39] hostile : <https://dji-rev.slack.com/archives/C60KELF6H/p1500012458455028>
[2017-07-14 06:08:46] hostile : <https://dji-rev.slack.com/archives/C60KELF6H/p1500012198406952>
[2017-07-14 06:11:47] the_lord : good night all
[2017-07-14 06:13:00] hostile : if you're on this list... you have access
[2017-07-14 06:13:10] hostile : they're still uploading so sit tight
[2017-07-14 06:14:19] hostile : <https://github.com/MAVProxyUser/dji_system.bin/invitations>
[2017-07-14 06:14:31] hostile : for anyone that **should** be on the list.
[2017-07-14 06:14:50] hostile : sh-3.2# git push origin master
Git LFS: (1 of 4 files) 293.47 MB / 433.15 MB
[2017-07-14 06:14:53] hostile : still pushing to master tho
[2017-07-14 06:15:25] jezzab : hmm during doing a fw Refresh I can't see /data/dji_system.bin
[2017-07-14 06:15:33] jezzab : was going to rip the P4 one
[2017-07-14 06:15:51] vk2fro : it will be so good to ditch the VM and just use the python script to up/downgrade and root etc.
[2017-07-14 06:16:25] hostile : I had to add more Datapacks to my Git...
[2017-07-14 06:16:40] hostile : fuckers exceeding my quota! with the Assistant binaries
[2017-07-14 06:17:16] hotelzululima : ouch!
[2017-07-14 06:17:50] hotelzululima : thanx so much…
[2017-07-14 06:18:35] hostile : sh-3.2# git push origin master
Git LFS: (4 of 4 files) 433.15 MB / 433.15 MB
Counting objects: 7, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (7/7), 982 bytes | 0 bytes/s, done.
Total 7 (delta 0), reused 0 (delta 0)
To <https://github.com/MAVProxyUser/dji_system.bin.git>
   7b9a9a4..6af630e  master -> master
[2017-07-14 06:18:37] hostile : boom it is done
[2017-07-14 06:18:53] hostile : <https://github.com/MAVProxyUser/dji_system.bin/commit/6af630e4b93945723c0947f6245c3b1908e21146>
[2017-07-14 06:20:20] vk2fro : got them :slightly_smiling_face:
[2017-07-14 06:22:15] hostile : @channel ANYONE trying to follow the pyduml work, beware... the downgrade takes a LONG time... be careful... be patient. The LEDs on your bird will give you an idea. IF you already have root... I suggest watching: # busybox tail -f /ftp/upgrade/dji/log/upgrade00.log
[2017-07-14 06:22:20] hostile : be careful...
[2017-07-14 06:23:50] hotelzululima : sounds like for folk on .800-.900 that if we root first we WON'T lose root on the downgrade to .400 or .700. am I stating that correctly?
[2017-07-14 06:24:06] hotelzululima : or am I confused :slightly_smiling_face:
[2017-07-14 06:24:25] vk2fro : do I need to copy the .700 .sig files to the ftp/upgrade folder on the bird?
[2017-07-14 06:24:29] hostile : you can get it back by pushing fireworks.tar via the same bug...
[2017-07-14 06:24:36] hostile : in the current repo
[2017-07-14 06:24:51] hotelzululima : was referring to tailing the upgrade.log
[2017-07-14 06:24:58] hotelzululima : from root during the process
[2017-07-14 06:25:12] hostile : oh yeah... would have to pull via FTP and decrypt I guess
[2017-07-14 06:25:17] hostile : or just live like a man
[2017-07-14 06:25:20] hostile : and take your chances
[2017-07-14 06:25:24] hostile : watch the LEDs
[2017-07-14 06:25:30] hostile : and quench your ass up like the other 3 of us did
[2017-07-14 06:25:31] hotelzululima : heh heh
[2017-07-14 06:25:46] hostile : @the_lord said you can catch status via --debugger, but I am unsure
[2017-07-14 06:25:55] hfman : I tried rooting the RC... it definitely "upgraded", but don't seem to have root yet. I used the proper RC command signatures.
[2017-07-14 06:25:58] hostile : time to init 0 here
[2017-07-14 06:26:12] hostile : You'll have to re-root post upgrade for now...
[2017-07-14 06:26:24] hostile : use <https://github.com/hdnes/pyduml/blob/master/fireworks.tar>
[2017-07-14 06:26:28] hostile : as your .bin file
[2017-07-14 06:26:30] hostile : reboot
[2017-07-14 06:26:32] hostile : you'll have root
[2017-07-14 06:26:32] hotelzululima : in the morning, after a few more willing volunteers (fools rush in) volunteer their HW for the next 8 hours till I awaken and read about all the fun
[2017-07-14 06:26:52] hotelzululima : indeed..
[2017-07-14 06:27:07] hotelzululima : now just awaiting the rc portion of this..
[2017-07-14 06:27:13] hostile : sniff the ID
[2017-07-14 06:27:14] hostile : :wink:
[2017-07-14 06:27:16] hostile : works fine...
[2017-07-14 06:27:19] hotelzululima : k
[2017-07-14 06:27:32] hostile : that is how lord found it in the first place
[2017-07-14 06:27:34] hostile : chasing the RC
[2017-07-14 06:27:39] hfman : @hostile, as posted just a bit above, I couldn't get root to 'take' on the RC
[2017-07-14 06:27:52] hostile : its a different DUML id...
[2017-07-14 06:27:58] hostile : you all will need to sniff it
[2017-07-14 06:28:01] hfman : Yes, I have that...
[2017-07-14 06:28:09] hostile : should work fine...
[2017-07-14 06:28:12] hostile : init 0 for me!
[2017-07-14 06:28:18] hostile : I'm sure it will shake out
[2017-07-14 06:28:21] hfman : Per something Lord posted a couple days ago.
[2017-07-14 06:28:22] hostile : peace all
[2017-07-14 06:28:23] hotelzululima : my needs are simply a downgrade for the controller..
[2017-07-14 06:28:33] hotelzululima : night @hostile
[2017-07-14 06:28:44] hfman : Night! Great job kind sir...
[2017-07-14 06:29:17] mavicbreak : good n and thx
[2017-07-14 06:29:40] hostile : someone make sure ole Danny Boy FB group sees it so he can take credit by time the OGs wake :wink:
[2017-07-14 06:30:04] mavicbreak : :joy:
[2017-07-14 06:32:42] hotelzululima : so the original @the_lord checklist for DUML SHOULD have the correct DUML, as he was rooting the controller at the time if I recall correctly.. no sniffing DUMLs necessary, work's already done
[2017-07-14 06:32:55] hotelzululima : its in files
[2017-07-14 06:33:45] hotelzululima : this one <https://dji-rev.slack.com/files/the_lord/F67HE06TZ/thelord_dumlherring.txt>
[2017-07-14 06:34:58] hotelzululima : he has both sets of DUMLS in there
[2017-07-14 06:35:21] hotelzululima : should be a simple copy and paste :slightly_smiling_face: will try in morning
[2017-07-14 06:50:14] hfman : Yes, I have these. I agree it should work, but not working for me.
[2017-07-14 06:51:28] hostile : keep in mind... the file size must match his... and the CRC
[2017-07-14 06:51:41] hostile : tail your upgrade log to figure out why the failures
[2017-07-14 06:51:45] hostile : pull via ftp if have to
[2017-07-14 06:52:02] hfman : Well, no can do without root!
[2017-07-14 06:52:19] hostile : FTP...
[2017-07-14 06:52:20] hfman : pyduml properly calculates file size, no?
[2017-07-14 06:52:28] hostile : then AES reverse
[2017-07-14 06:53:01] hfman : I can't even ftp the file back down, it's not there afterwards.
[2017-07-14 06:54:21] hostile : yeh deleted by process
[2017-07-14 06:54:32] hostile : you would want to pull log file to see errors
[2017-07-14 06:54:37] hostile : log file is NOT deleted
[2017-07-14 06:56:36] jezzab : so the upgrade bin is just a tar file of the sig files?
[2017-07-14 07:02:07] hostile : yes
[2017-07-14 07:02:36] jezzab : so we could tar up the files in the cache?
[2017-07-14 07:03:05] jezzab : I've tried ripping it when doing a fw refresh but it doesn't appear in /data
[2017-07-14 07:03:07] jezzab : on P4
[2017-07-14 07:05:05] jezzab : im running the latest V2.00 fw but I did rip the old fw 1.6 via ftp before rooting
[2017-07-14 07:05:24] jezzab : but it's encrypted and I could decrypt it but I don't know how reliable the AES decrypter is
[2017-07-14 07:06:41] jezzab : just trying to make a backup of the original and latest for future reference
[2017-07-14 07:10:20] hotelzululima : assistant --adb-logcat would get it would it not?(after shutting down interfaces post login?)
[2017-07-14 07:10:33] hotelzululima : on upgrade log
[2017-07-14 07:11:46] hotelzululima : on @hfman issue about pulling log without root?
[2017-07-14 07:18:15] skywalk3r : Will a quick easy tutorial be available for root ?
[2017-07-14 07:18:43] hostile : not unless you make it... we aren't really into **videos** and "compiling", Faqs and such here
[2017-07-14 07:18:54] hostile : too busy with work
[2017-07-14 07:19:01] hostile : sleeves rolled up and shit
[2017-07-14 07:19:32] skywalk3r : Quite hard to keep up to date ... you guys are working way too fast haha :joy:
[2017-07-14 07:19:42] hostile : the info will wait for you =]
[2017-07-14 07:20:01] skywalk3r : Thanks @hostile @the_lord & @hdnes great job :clap::skin-tone-3:
[2017-07-14 07:20:21] hostile : @the_lord and @hdnes too... now for real... bed
[2017-07-14 07:32:55] bin4ry : @hostile can you add me to github ?
[2017-07-14 07:33:02] bin4ry : good mornin all :smile:
[2017-07-14 07:34:06] guest : good morning
[2017-07-14 07:39:06] skywalk3r : @hostile add me too please (Skywalker787)
[2017-07-14 07:43:54] bin4ry : is the bin file created on the bird or in assistant? asked differently: do I need root to pull the file or can I pause the VM and find it in some temp folder?
[2017-07-14 07:47:28] jezzab : my understanding is it should be on the bird @ /data/
[2017-07-14 07:48:18] jezzab : assistant tars up the sig files, renames it to dji_system.bin and uploads it
[2017-07-14 07:49:03] bin4ry : i see, so why catch it from the bird?
[2017-07-14 07:49:15] jezzab : its already tarred and feathered
[2017-07-14 07:49:24] bin4ry : just asking bcs i have backed the firmware cache
[2017-07-14 07:49:30] jezzab : but I wouldn't mind a look to see if we can just tar it ourselves
[2017-07-14 07:49:31] bin4ry : for spark 300 and spark 400
[2017-07-14 07:49:36] jezzab : same
[2017-07-14 07:49:42] jezzab : for P4
[2017-07-14 07:49:58] jezzab : have the latest and the older firmware for P4. I ripped the older one over ftp so it's encrypted
[2017-07-14 07:50:00] jezzab : latest isn't
[2017-07-14 07:50:06] bin4ry : :smile:
[2017-07-14 07:50:20] jezzab : I have done a fw refresh but it doesn't create the file :disappointed:
[2017-07-14 07:51:19] jezzab : so if I can tar it myself I can test roll back. but I'm iffy on the AES decrypter
[2017-07-14 07:51:33] jezzab : sure I read somewhere it's throwing in some extra pad bytes
[2017-07-14 07:52:08] bin4ry : i see
[2017-07-14 07:52:15] jezzab : I did notice though that the cache files don't have the cfg file
[2017-07-14 07:52:26] jezzab : eg wm330.cfg.sig
[2017-07-14 07:52:45] jezzab : but it's on the bird with the rest of the sig files in /data/upgrade/backup
[2017-07-14 07:53:01] jezzab : not sure if it's required. I need to see a dji_system.bin and check it out
[2017-07-14 07:53:39] jezzab : need to get one. even a mavic one
[2017-07-14 07:53:50] jezzab : will checkout the tar layout and see if i can replicate it
[2017-07-14 07:54:43] bin4ry : yah, tell me if you made it and what to take care of if you achieve it
[2017-07-14 07:56:55] jezzab : will do
[2017-07-14 07:58:06] bin4ry : thx
[2017-07-14 08:06:44] jezzab : so anyone got a dji_system.bin they wanna share lol?
[2017-07-14 08:06:50] jezzab : don't care what version
[2017-07-14 10:16:31] jezzab : still haven't got a real dji_system.bin but I tar'd up my V2.00 fw with the cfg file (I could see in the logs it converts it to xml so it's needed)
[2017-07-14 10:16:57] jezzab : ran the pyduml with the tar I made. uploaded, installed, rebooted and it's still alive lol
[2017-07-14 10:17:21] jezzab : I need to know how good the AES ftp file decrypter is before I try the older firmware
[2017-07-14 10:23:39] jezzab : hmm comparing again unenc V2 and decrypted V1.6 of the same module file, I don't trust it at all. it should start with IM*H, the aes decryption does not :disappointed:
[2017-07-14 10:24:20] jezzab : is there another one around somewhere for the ftp files that are ripped?
[2017-07-14 10:53:28] jezzab : right. the openssl way is better. No padding. But the first 0x10 bytes are wrong. Reading back it looks like it's xor + 30 + position and then xor + 57 + pos. seems to work by hand with calc, but I'll test a good known one and pull it over ftp and decrypt and compare. then should be able to slap up a quick program
[2017-07-14 10:59:15] jayemdee : has this been tested and confirmed working ---> <https://github.com/hdnes/pyduml/tree/RubyPort>
[2017-07-14 11:09:06] jezzab : w00t decrypt works.
[2017-07-14 11:09:22] jezzab : not sure
[2017-07-14 11:12:15] kilrah : hmm yes or no :grin:
[2017-07-14 11:12:48] kilrah : I did extract my 700 that way and it looked similar enough to one from another FW, but is it really?
[2017-07-14 11:14:21] jezzab : the aes decrypt script isnt quite right the first 16 bytes are wrong and the file is padded
[2017-07-14 11:14:46] jezzab : ive just tested and I can get it 100% byte for byte match from ftp download to adb download
[2017-07-14 11:15:01] jezzab : which means i can make up my downgrade tar for the P4
[2017-07-14 11:15:05] jezzab : ....or break it
[2017-07-14 11:15:34] kilrah : so you're submitting a patch to the decrypt script?
[2017-07-14 11:16:01] jezzab : nah i just slapped up a C# windows console program to fix the header. Not really a python/ruby guy lol
[2017-07-14 11:16:36] jezzab : if you use openssl its great but header is wrong. then i just run the program to fix the header. its a quick hackup, ill try and automate it later
[2017-07-14 11:17:13] jezzab : by the looks of it, its better to get it from ftp then the firm_cache as firm_cache is missing a file.
[2017-07-14 11:17:22] jezzab : the cfg file
[2017-07-14 11:17:36] bin4ry : what in it anywaY?
[2017-07-14 11:18:00] bin4ry : did you take a look inside ?
[2017-07-14 11:18:53] jezzab : the cfg file gets unsigned and saved as an xml file a dir back
[2017-07-14 11:19:07] jezzab : nah i still havent seen a genuine dji_system.bin
[2017-07-14 11:19:13] jezzab : i just made my own and prayed
[2017-07-14 11:19:22] jezzab : it reflashed the firmware fine :slightly_smiling_face:
[2017-07-14 11:19:39] jezzab : but i started with clean sig and cfg files of the same firmware i have
[2017-07-14 11:19:53] bin4ry : ok
[2017-07-14 11:19:56] jezzab : just decrypting the old firmware i had for P4 and trying to make up a dji_system.bin
[2017-07-14 11:20:30] jezzab : just mixing and matching in linux and windows cmd atm. driving me insane
[2017-07-14 11:20:42] jezzab : if i type clear, cls, ls, dir one more time im gonna scream
[2017-07-14 11:21:09] bin4ry : lol
[2017-07-14 11:21:10] bin4ry : :smile:
[2017-07-14 11:22:19] jezzab : hmm need more beer
[2017-07-14 11:32:57] bin4ry : i see it already: when i come back home later today @jezzab has finished a conversion script from firm_cache to bin
[2017-07-14 11:32:59] bin4ry : :smile:
[2017-07-14 11:36:59] jezzab : gotta see how i can do it with python. need to work out how to read a file into an array and then flip some bits and then write it back out. ill test this first. hopefully i wont be ordering a core board and not flying for a week lol
[2017-07-14 11:49:29] jezzab : here goes nothing.....
[2017-07-14 11:51:40] bin4ry : :joy:
[2017-07-14 11:51:48] bin4ry : i trust in that you'll figure it
[2017-07-14 11:59:26] jezzab : failed
[2017-07-14 11:59:34] jezzab : but i am still in adb etc
[2017-07-14 11:59:38] jezzab : dare not reboot lol
[2017-07-14 12:01:31] jezzab : i know why
[2017-07-14 12:01:34] jezzab : lets try this again
[2017-07-14 12:01:56] kilrah : scary
[2017-07-14 12:03:52] guest : hmmmm
root@E7440:/mnt/c/Users/Guest/Mavic/pyduml# ./pyduml.py
Traceback (most recent call last):
  File "./pyduml.py", line 129, in <module>
    main()
  File "./pyduml.py", line 23, in main
    configure_usb()
  File "./pyduml.py", line 52, in configure_usb
    ser = serial.Serial(sys.argv[1])
IndexError: list index out of range
root@E7440:/mnt/c/Users/Guest/Mavic/pyduml#
[2017-07-14 12:08:37] jezzab : it upgrading
[2017-07-14 12:08:39] jezzab : 20% done
[2017-07-14 12:08:42] skyhawk : @guest I would assume you have to put your serial port name as parameter to pyduml
[2017-07-14 12:09:11] skyhawk : like: pyduml.py /dev/ttyUSB0 (in Linux)
[2017-07-14 12:09:46] guest : hmmm I see.. Lets start up my old linux system and try again.
[2017-07-14 12:10:08] skyhawk : It should work in Windows too.
[2017-07-14 12:10:32] guest : need to go now but will try later.. tnx
[2017-07-14 12:11:11] guest : see this now: ser = serial.Serial(sys.argv[1])
[2017-07-14 12:11:22] guest : so yes. needs to be set :confused:
[2017-07-14 12:11:29] guest : will try later
[2017-07-14 12:12:05] jezzab : 52%
[2017-07-14 12:14:20] jezzab : wtf didnt they include tail. would save cat'ing the damn log file over and over lol
[2017-07-14 12:15:30] jezzab : rebooting..... lets seee Woohoo!
[2017-07-14 12:17:32] hans112 : Hehehe nice
[2017-07-14 12:17:40] jezzab : downgraded from V2.00 to V1.02 with just the ftp encrypted files. Decrypted, repackaged
[2017-07-14 12:17:46] jezzab : happy days!
[2017-07-14 12:17:57] jezzab : hmm gotta root it again
[2017-07-14 12:21:05] skyhawk : @guest Yes, these two lines: ser = serial.Serial(sys.argv[1]) IndexError: list index out of range say that there is missing a parameter (because the index out of range) and as it is the input argument to Serial() it should be the serial port name
[2017-07-14 13:27:47] samd12 : which pyduml needs testing
[2017-07-14 13:30:54] freaky123 : btw @the_lord I'm also willing to take a look at your bricked main board if you want.. but I think the shipping costs to the Netherlands are quite high
[2017-07-14 13:32:48] djayeyeballs : Thanks kilrah
[2017-07-14 13:36:35] samd12 : I donate with $ to help pay the cost
[2017-07-14 13:39:38] the_lord : no problem @freaky123 thankfully @bin4ry bricked two boards :slightly_smiling_face: so i can ship one for you and one for matrinbogo
[2017-07-14 13:40:28] the_lord : sending the board to you is more useful than keeping it with me coz what takes hours with you takes days with me :smile:
[2017-07-14 13:41:31] freaky123 : that would be nice, that way we might be able to figure out what happened
[2017-07-14 13:42:56] samd12 : lord you take paypal
[2017-07-14 14:09:18] the_lord : save your money my friend
[2017-07-14 14:11:29] freaky123 : this is where I'm busy with now :slightly_smiling_face:
[2017-07-14 14:12:25] freaky123 : after mapping out the obvious pins I can start logging the rest of the pins
[2017-07-14 14:13:29] freaky123 : also need to open the gps to check where those pins go to and see what they are.. because prolly can guess that at that side
[2017-07-14 14:14:20] freaky123 : but first wanna check the battery connection pcb and see how that's connected.. if it is connected to the FC or or the main board
[2017-07-14 14:14:34] freaky123 : wait I guess I can check that in fw ^^ let me check
[2017-07-14 14:15:12] freaky123 : to the FC
[2017-07-14 14:16:37] freaky123 : also "bvision" should be connected to the fc
[2017-07-14 14:20:59] freaky123 : ohh lol I'm sending all this in the wrong channel ^^ wanted this in hardware :stuck_out_tongue:
[2017-07-14 14:25:59] hostile : This port needs the CRC code fixed... I got side tracked cleaning up the main python version
[2017-07-14 14:26:57] hostile : Please post me a git issue with your notes... <https://github.com/MAVProxyUser/DJI_ftpd_aes_unscramble/issues> people keep saying this... but I still nave no official feedback @jezzab
[2017-07-14 14:27:32] hostile : share your C# into the git issues @jezzab and explain the problem as you understand it so I can fix it.
[2017-07-14 14:28:21] guest : You think that it's got enough grounding?
[2017-07-14 14:28:24] guest : :slightly_smiling_face:
[2017-07-14 14:30:46] hostile : "wtf didnt they include tail. would save cat'ing the damn log file over and over lol" LOL I dunno! Maybe cuz we all been staying up late AF for weeks now! we allll went to bed at the same time last night @hdnes @the_lord and I... we are sleep depraved as fuck right now. Heh. Patches welcome!!!!!
[2017-07-14 14:31:57] freaky123 : haha ^^ I guess
[2017-07-14 14:32:44] freaky123 : it's always like this, so it's always best to first map the voltage and ground lines.. saves a lot of hassle when trying to figure out the rest
[2017-07-14 14:33:14] jezzab : Done
[2017-07-14 14:33:34] jezzab : Done
[2017-07-14 14:34:11] jezzab : But im using openssl as per your example and the file is good (no padding) bar the header problem
[2017-07-14 14:35:46] jezzab : i mean when you are logged into ADB shell. There is no tail. So i couldnt tail -f, i had to keep catting the damn log file thru the whole upgrade. PITA
[2017-07-14 14:40:16] martinbogo : Always map Vcc, Valt ( 3.3/5/12/etc ), and GND first
[2017-07-14 14:40:31] martinbogo : It helps guard against Stupidity(tm) later
[2017-07-14 14:43:48] jezzab : @hostile an issue i see with the firm_cache backups is there is no cfg file in there. the app must be creating it on the fly. it does exist on the ftp.
[2017-07-14 14:44:32] the_lord : the assistant downloads it from DJI servers
[2017-07-14 14:44:46] the_lord : you can find it in the drone/RC
[2017-07-14 14:44:56] jezzab : at the time of flashing and its not saved?
[2017-07-14 14:45:08] jezzab : yes you can (ftp/adb) but its not in the cache dir
[2017-07-14 14:45:45] the_lord : it IS saved in the drone
[2017-07-14 14:45:51] jezzab : and its needed for the upgrade. the best i can see anyway as its arranging the whole thing after its unsigned and converted to the wm330.xml or what ever
[2017-07-14 14:46:01] jezzab : yeah i know its saved on the drone
[2017-07-14 14:46:14] jezzab : but im talking about the firm_cache dir
[2017-07-14 14:46:24] jezzab : maybe i should explain better
[2017-07-14 14:46:41] the_lord : in firm_cache dir only the FW sig files and no cfg
[2017-07-14 14:46:55] jezzab : yup thats exactly what im saying
[2017-07-14 14:46:55] jezzab : so all of these "backups" from the firm_cache dir are useless without the cfg file
[2017-07-14 14:47:38] the_lord : yes for that several days ago i mentioned the cfg files
[2017-07-14 14:47:41] jezzab : so you would either need the cfg file for every set OR rip from ftp and decrypt
[2017-07-14 14:47:54] the_lord : exactly
[2017-07-14 14:48:05] jezzab : i remember reading that. im just understanding things a bit better now how it all works so forgive me
[2017-07-14 14:48:57] jezzab : so i was thinking it would be nice to combine a few scripts. Rip the ftp/cfg/sig files, decrypt, repack to dji_system.bin
[2017-07-14 14:49:06] jezzab : and thats your "backup"
[2017-07-14 14:52:41] hfman : @the_lord - have you ever seen any issues with ftp working correctly on your RC? I've found that I can't do pyduml due to FTP interface not coming up cleanly. It's there, but it just doesn't work most of the time.
[2017-07-14 14:54:22] hfman : Same issue on two different PCs, different cables, etc. I can always FTP in, but I cant get (or put) anything, that's when the wheels fall off.
[2017-07-14 14:56:12] the_lord : usually for ftp i use filezilla and didn't face any problem
[2017-07-14 14:56:29] the_lord : i didn't use pyduml
[2017-07-14 14:56:33] hostile : we can solve that later =]
[2017-07-14 14:57:00] hostile : I bet ya can patch dji_sys to not give a fuck
[2017-07-14 14:57:06] hfman : But you basically did the same thing as pyduml..
[2017-07-14 14:58:00] hostile : @hfman only works at boot IF usb plugged in
[2017-07-14 14:58:11] hostile : I think or maybe that is ADB
[2017-07-14 14:58:13] hostile : I forget
[2017-07-14 14:58:27] hfman : My problem is more fundamental. Just plugging in the RC, ftp transfers error out, doing nothing else.
[2017-07-14 14:59:02] hfman : @hostile , I think that is true. Must be plugged in before powering up, else nothing works at all on the USB port.
[2017-07-14 14:59:49] hostile : ifconfig and give yourself an IP if you have to...
[2017-07-14 14:59:56] hostile : I've seen the NDIS interface NOT have an IP before...
[2017-07-14 15:00:28] hfman : It's got an IP... I can FTP in no issue. Just get/put is what gets borked.
[2017-07-14 15:00:44] hfman : I think it gets borked as soon as I get in:
[2017-07-14 15:01:12] hfman :
C:\t>ftp 192.168.42.2
Connected to 192.168.42.2.
220 Operation successful
500 Unknown command
User (192.168.42.2:(none)):
230 Operation successful
ftp> get upgrade/dji/log/upgrade00.log
200 Operation successful
Connection closed by remote host.
[2017-07-14 15:01:37] hfman : See that first 500 Unknown command? I have a feeling that's where it is going sour.
[2017-07-14 15:03:25] jezzab : out of curiosity, what happens when you use a web browser @hfman?
[2017-07-14 15:03:42] hfman : Lemme try...
[2017-07-14 15:04:41] hfman : LOL, that seems to work fine...
[2017-07-14 15:04:45] jezzab : because i had an issue with that in windows with the drone and ftp
[2017-07-14 15:05:00] jezzab : works in the browser, on a mac and a REAL ftp program
[2017-07-14 15:05:08] jezzab : but i cannot get it to work on windows cmd
[2017-07-14 15:05:09] hfman : Yeah, I have NO issue with the drone, only the RC.
[2017-07-14 15:05:44] hfman : Because of this, the pyduml ftp put doesn't work...
[2017-07-14 15:05:55] jezzab : ah right
[2017-07-14 15:10:43] hfman : Yeah, I guess I'll just have to keep messing around. Odd that chrome doesn't have issue with it. Let me check VM OSX... I think it also had issues.
[2017-07-14 15:11:38] the_lord : @hfman i faced problem with windows and ftp for that i ether use mac or filezilla
[2017-07-14 15:12:31] hdnes : @hfman, only tested on mac so far and just know that the file is deleted immediately after un-tarring process so you’ll likely never see it unless you comment out the last two packets being sent.
[2017-07-14 15:13:07] hdnes : ftp on pyduml is the only real shaky part of the code and needs to be robust-ified
[2017-07-14 15:13:51] hdnes : @jayemdee, had some robsistification code in there that @hostile and I struggled with and ultimately it got pulled out
[2017-07-14 15:14:03] hostile : yeah the stuff I put up last night was a QUICK fix
[2017-07-14 15:14:06] hostile : so I could go to sleep
[2017-07-14 15:14:17] hostile : needs more error handling
[2017-07-14 15:14:18] hdnes : should get pushed back in after it’s all checked out
[2017-07-14 15:16:51] hfman : ftp works okay with OSX VM... however it's really really tricky to hand off the USB port from Windows to VM (only tricky with the RC, the Mavic and goggles I don't have this issue). Must be something odd that Windows is doing with the RC USB port.
[2017-07-14 15:17:50] hdnes : i’ve heard that the RC is done differently (obviously DUML is different) but didn’t get to ask what specifically they were talk about
[2017-07-14 15:21:50] jayemdee : trying issuing passive command ?
[2017-07-14 15:22:00] jayemdee : before doing anything else
[2017-07-14 15:22:06] jayemdee : and see if a directory listing works
[2017-07-14 15:23:23] jayemdee : ive had issues where i could login but then no data more would be sent and turning on passive fixed it for me
[2017-07-14 15:23:30] jayemdee : maybe a "red herring" tho
[2017-07-14 15:23:47] jayemdee : even a directory listing would not work until sending passive
[2017-07-14 15:27:09] jayemdee : saw this happen on windows and linux
[2017-07-14 15:28:58] hdnes : yeah that might be it. What do you mean by sending passive?
[2017-07-14 15:30:13] hdnes : @jayemdee, I’m betting this is exactly what the difference was
[2017-07-14 16:11:56] jayemdee : i think the protocol command is PASV
[2017-07-14 16:13:47] jayemdee : FTP.set_pasv(val) Enable “passive” mode if val is true, otherwise disable passive mode. (In Python 2.0 and before, passive mode was off by default; in Python 2.1 and later, it is on by default.)
[2017-07-14 16:14:02] jayemdee : maybe thats the difference ?
[2017-07-14 16:14:13] jayemdee : you had older python than me ?
[2017-07-14 16:15:04] jayemdee : [root@godfather pyduml] :slightly_smiling_face: # python -V Python 2.7.3
[2017-07-14 16:15:19] jayemdee : yuh it was on by default for me
[2017-07-14 16:15:33] jayemdee : so i didnt code anything to turn it on as it just worked for me
[2017-07-14 16:15:55] jayemdee : but from windows cmd line and ftp client in linux cmd line i had to manually turn it on for anything to work
[2017-07-14 16:17:14] jayemdee : FTP.storbinary(command, fp[, blocksize, callback, rest])
[2017-07-14 16:17:40] jayemdee : has a callback you could debug by writing a # to console or something for each successfully written block ?
[2017-07-14 16:17:45] hostile : can add a check for OS... and adjust code accordingly in an if statement
[2017-07-14 16:21:58] jayemdee : Using normal or passive FTP, a client begins a session by sending a request to communicate through TCP port 21, the port that is conventionally assigned for this use at the FTP server. This communication is known as the Control Channel connection. Using "normal" FTP communication, the client requestor also includes in the same PORT command packet on the Control Channel a second port number that is to be used when data is to be exchanged; the port-to-port exchange for data is known as the Data Channel.
[2017-07-14 16:22:10] jayemdee : Using passive FTP, a PASV command is sent instead of a PORT command. Instead of specifying a port that the server can send to, the PASV command asks the server to specify a port it wishes to use for the Data Channel connection.
[2017-07-14 16:34:01] jayemdee : yeah look
[2017-07-14 16:34:09] jayemdee : 04:24:47.929982 IP 192.168.42.3.49561 > 192.168.42.2.ftp: Flags [P.], seq 25:31, ack 79, win 4115, options [nop,nop,TS val 345403699 ecr 323949], length 6: FTP: PASV
[2017-07-14 16:34:18] jayemdee : assistant sets PASV as well
[2017-07-14 16:34:24] jayemdee : must be it
[2017-07-14 16:34:37] the_lord : yes
[2017-07-14 16:35:00] the_lord : even filezilla when i copy file it uses PASV
[2017-07-14 16:35:00] jayemdee : thats a simple fix :slightly_smiling_face:
[2017-07-14 16:35:11] jayemdee : yuh all web browsers set pasv as well
[2017-07-14 16:35:12] the_lord : for that i sent you the tcpdump
[2017-07-14 16:39:08] hfman : But didn't we read that python 2.7 should already default to passive?
[2017-07-14 16:43:52] hotelzululima : (holds up hand) I thought we were supposed to be using Python2 and pip3 ?? or is this something else?
[2017-07-14 16:44:24] hostile : worked with both for me
[2017-07-14 16:44:27] hostile : py2 and py3
[2017-07-14 16:44:45] hostile : if you use pip3... protip it installs shit for py3 path :wink:
[2017-07-14 16:48:42] jayemdee : yer on a mac
[2017-07-14 16:48:50] jayemdee : who the hell uses macs :slightly_smiling_face:
[2017-07-14 16:48:59] jayemdee : jk :smile:
[2017-07-14 16:49:36] hostile : the OG's :wink:
[2017-07-14 16:49:43] jayemdee : haha :slightly_smiling_face:
[2017-07-14 16:51:39] jayemdee : i still code in pico/nano in putty on linux boxes... that's gotta be some kinda gangsta, no?
[2017-07-14 16:53:30] jayemdee : was playing with yer ruby today @hostile and changing those OSX system calls to linux equivalents
[2017-07-14 16:53:35] hans112 : Lil bowbow sounds good
[2017-07-14 16:53:37] hans112 : ;)
[2017-07-14 16:53:54] jayemdee : still afraid to hook up the drone and "fire ze missiles!" though lol
[2017-07-14 16:55:36] the_lord : @hostile for me in pyduml the md5sum didn't work
[2017-07-14 16:56:33] jayemdee : @the_lord for linux this was my change
[2017-07-14 16:56:36] jayemdee : [root@godfather pyduml] :slightly_smiling_face: # git diff | grep md5
- fireworksmd5 = %x[md5 fireworks.tar | cut -f4 -d" "]
+ fireworksmd5 = %x[/usr/bin/md5sum fireworks.tar | cut -f1 -d" "]
- print fireworksmd5
+ print "Local MD5: " + fireworksmd5
[2017-07-14 16:57:09] the_lord : i'm on Micro$hit windows 10
[2017-07-14 16:57:14] jayemdee : oh yuh
[2017-07-14 16:57:28] jayemdee : dont know if there is md5sum for windows
[2017-07-14 16:57:30] hotelzululima : OUCH!!
[2017-07-14 16:57:34] jayemdee : and surely not grep
[2017-07-14 16:57:38] jayemdee : or cut
[2017-07-14 16:57:40] jayemdee : hehe
[2017-07-14 16:57:42] hotelzululima : install cygwin..
[2017-07-14 16:57:48] the_lord : i used to do it manually on bash
[2017-07-14 16:57:52] kilrah : who doesn't have mingw/msys installed...
[2017-07-14 16:57:52] jayemdee : thats heavy handed approach
[2017-07-14 16:58:00] hotelzululima : and get all of those toys in windows
[2017-07-14 16:58:09] jayemdee : install all of cygwin for a few bins ?
[2017-07-14 16:58:25] guest : crap..
root@E7440:/mnt/c/guest/mavic/pyduml@ lsusb
unable to initialize libusb: -99
going to reinstall this laptop...
[2017-07-14 16:58:26] hotelzululima : install off of cygwin to deal with ANY part of windows..
[2017-07-14 16:58:34] hotelzululima : all of cygwin
[2017-07-14 16:58:48] jayemdee : uninstall windows
[2017-07-14 16:58:48] hotelzululima : fucking windows is NASTY!!!
[2017-07-14 16:58:54] jayemdee : and install a real OS
[2017-07-14 16:58:58] jayemdee : hahah kidding :slightly_smiling_face:
[2017-07-14 16:58:58] kilrah : use msys, you can select individual packages then :wink:
[2017-07-14 16:59:05] guest : true
[2017-07-14 16:59:10] jayemdee : my main machine is win 7
[2017-07-14 16:59:34] jayemdee : but i have so many terminals and remote sessions to other machines that its more of a thin client for me
[2017-07-14 16:59:36] hotelzululima : there ya go @jayemdee move ALL your windows environments to VM’s and run linux!!
[2017-07-14 17:00:02] kilrah : I'm on W10 and have been doing open source dev for years on Win without issue
[2017-07-14 17:00:17] kilrah : it's very rare I do need to fire a linux VM for something...
[2017-07-14 17:00:38] kilrah : linux doesn't give me satisfying operation for my unconventional desktop setup
[2017-07-14 17:00:49] jayemdee : linux sucks as a desktop OS
[2017-07-14 17:00:51] jayemdee : imo
[2017-07-14 17:00:55] jayemdee : its a server
[2017-07-14 17:01:15] jayemdee : and people keep trying to make it a desktop OS
[2017-07-14 17:01:17] hfman : So odd... pyduml md5 worked fine for me last night. In Windows...
[2017-07-14 17:01:33] jayemdee : @hfman whats the problem ?
[2017-07-14 17:01:52] hfman : @the_lord said it didn't work for him??
[2017-07-14 17:02:22] hfman : I was responding to this...
[2017-07-14 17:03:37] hostile : yeah the Ruby port of Pyduml needs the CRC fixed...
[2017-07-14 17:03:57] hostile : that stuff was just for where I left off in debugging... bigger issue is CRC needs fixed
[2017-07-14 17:04:09] jayemdee : ahhh sorry.... thought you were saying it worked last night but wasnt working now
[2017-07-14 17:04:15] hostile : that + you posted was for me to merge root and downgrade
[2017-07-14 17:04:32] jayemdee : << less beer
[2017-07-14 17:04:42] the_lord :
Traceback (most recent call last):
  File "pyduml.py", line 129, in <module>
    main()
  File "pyduml.py", line 24, in main
    generate_update_packets()
  File "pyduml.py", line 110, in generate_update_packets
    filehash.update(open(dir_path).read())
  File "C:\Program Files\Python36\lib\encodings\cp1252.py", line 23, in decode
    return codecs.charmap_decode(input,self.errors,decoding_table)[0]
UnicodeDecodeError: 'charmap' codec can't decode byte 0x90 in position 678: character maps to <undefined>
[2017-07-14 17:04:48] hostile : NOT the Ruby port... the regular python works as of last night.
[2017-07-14 17:05:09] hostile : THIS is why I fucking hate python and write in Ruby :wink:
[2017-07-14 17:05:24] jayemdee : does ruby have functions ?
[2017-07-14 17:05:27] jayemdee : lol
[2017-07-14 17:05:39] the_lord : i'm thinking to make my own desktop application on VB :sweat_smile:
[2017-07-14 17:05:44] jayemdee : hahaha
[2017-07-14 17:06:16] hostile : Chrome App!
[2017-07-14 17:06:21] the_lord : or stay doing it manually as i did at the first time
[2017-07-14 17:06:21] jayemdee : actually couldnt we do all of this in nodejs
[2017-07-14 17:06:28] jayemdee : bundle it into an electron app
[2017-07-14 17:06:34] hostile : Port RedHerring / DUMLHerring to ALL the things!
[2017-07-14 17:06:35] jayemdee : and have windows and mac os
[2017-07-14 17:06:42] jayemdee : single codebase
[2017-07-14 17:07:08] jayemdee : all the things :heart:
[2017-07-14 17:07:32] the_lord : first time i saw python code i said "what the fuck why all the code is reversed" :joy:
[2017-07-14 17:07:48] jayemdee : haha
[2017-07-14 17:08:17] jayemdee : im still waiting for the BASIC port
[2017-07-14 17:08:30] the_lord : and if you have py2.7 code you need to rewrite it to work on py3.6
[2017-07-14 17:09:32] the_lord : i guess this weekend i'll wipe the dust from my old XP laptop and write VB desktop application
[2017-07-14 17:09:34] hans112 : Pascal
[2017-07-14 17:09:46] teamdollyllama : <https://github.com/hdnes/pyduml/releases/tag/v1> is this what I should be running to root.?
[2017-07-14 17:09:48] jayemdee : argh bitcoin taking a hit today :confused:
[2017-07-14 17:13:18] jayemdee : someone mentioned a pretty valid reason the other nite why not to do it in a chrome app
[2017-07-14 17:13:23] jayemdee : but i dont remember what it was
[2017-07-14 17:13:25] jayemdee : lol
[2017-07-14 17:14:10] jayemdee : yuh :confused:
[2017-07-14 17:14:11] hotelzululima : since chrome already does adb sucessfully no reason why NOT to except javascript (YECCCHHHH!!!)
[2017-07-14 17:14:51] jayemdee : Google has announced it is to discontinue support for Chrome web apps starting this year. Windows, macOS and Linux users will lose support for finding, installing and opening web apps installed from the Chrome Web Store over the next two years.Aug 23, 2016
[2017-07-14 17:14:56] jayemdee : how about that for a reason ?
[2017-07-14 17:15:20] kilrah : Yep, that
[2017-07-14 17:16:12] kilrah : still have no friggin clue why they'd want to do that
[2017-07-14 17:16:42] kilrah : as if that would make people start buying chromebooks to continue using them, yeah right
[2017-07-14 17:18:56] hotelzululima : its because “SECURITY”(Its Magic)(get out of here damn david copperfield!!)
[2017-07-14 17:31:00] hostile : what ever will CleanFlight / betaflight do!?
[2017-07-14 17:34:01] hostile : Chrome doesn't speak DUML tho
[2017-07-14 18:02:19] martinbogo : Switch to being what they always have been -- full apps
[2017-07-14 18:02:39] martinbogo : All a Chrome app is really, is wrapped around WebKit
[2017-07-14 18:05:44] hostile : heh revert! :wink:
[2017-07-14 18:37:34] djayeyeballs : can pyduml work for the spark as well?
[2017-07-14 18:41:48] hfman : pyduml is properly ftp'ing the bin file to the RC... have confirmed. But something isn't right with the MD5 or something, as the RC is not processing it at all and deleting it.
[2017-07-14 18:42:14] hostile : pull the log file...
[2017-07-14 18:42:27] the_lord : the DUML messages in pyduml are for drone only and not for RC
[2017-07-14 18:43:04] hfman : @the_lord - I understand that... I have used your cmds captured for the RC.
[2017-07-14 18:43:33] hfman : (Substituted the ones for the RC)
[2017-07-14 18:43:35] hostile : post which bytes you changed
[2017-07-14 18:43:38] hostile : "git diff"
[2017-07-14 18:43:42] hostile : so we can see exactly
[2017-07-14 18:43:51] hfman : Sure:
[2017-07-14 18:45:36] hfman :
# Mavic RC
packet_1 = bytearray.fromhex(u'55 16 04 FC 2A 2D E7 27 40 00 07 00 00 00 00 00 00 00 00 00 9F 44')
packet_2 = bytearray.fromhex(u'55 0E 04 66 2A 2D EA 27 40 00 0C 00 2C C8')
packet_3 = bytearray.fromhex(u'55 1A 04 B1 2A 2D EC 27 40 00 08 00')
packet_4 = bytearray.fromhex(u'55 1E 04 8A 2A 2D 02 28 40 00 0A 00')
[2017-07-14 18:46:09] hfman : Everything else is the same...
[2017-07-14 18:46:52] djayeyeballs : @hostile can the pyduml be modified to work with the spark? is the basic idea the same between the two drones?
[2017-07-14 18:52:24] hfman : So has anybody else tested pyduml with the RC? I'm at a dead end here.
[2017-07-14 18:52:49] the_lord : do it manually
[2017-07-14 18:53:19] the_lord : send first 2 cmds then copy the bin manually then send last 2 cmds
[2017-07-14 18:56:11] hfman : Well... I guess I'm just trying to find out why it's broken. File size? CRC? MD5? If I do all that manually I can easily make mistakes.
[2017-07-14 18:57:52] the_lord : i did it many times manually :smile:
[2017-07-14 18:58:43] hfman : What firmware was your RC on?
[2017-07-14 19:03:36] hostile : universal in theory...
[2017-07-14 19:22:48] the_lord : i tested on .400, .800 and .900
[2017-07-14 19:49:21] martinbogo : console=ttyS3,921600 vmalloc=412M android firmware_class.path=/vendor/firmware isolcpus=3,4 initrd=0x07400000,1M lcpart=mmcblk0=gpt:0:2000:200,ddr:2000:2000:200,env:4000:2000:200,panic:6000:2000:200,amt:8000:8000:200,factory:10000:4000:200,factory_out:14000:4000:200,recovery:18000:8000:200,normal:20000:8000:200,system:28000:40000:200,vendor:68000:20000:200,cache:88000:80000:200,blackbox:108000:400000:200,userdata:508000:240000:200 chip_sn=REDACTED board_sn=0SOMETHINGX daak=REDACTED daek=REDACTED drak=REDACTED production quiet board_id=0xe330101a
[2017-07-14 20:13:00] hfman : Question... if transferring small files via FTP using BIN mode... are they supposed to end up being 16 bytes larger after being transferred to copter or RC?
[2017-07-14 20:14:28] hfman : I'm wondering if that is why pyduml is failing to take on RC (although it doesn't fail on copter)
[2017-07-14 20:16:04] freaky123 : Could be that the file size is changed because of aes key encryption
[2017-07-14 20:16:18] freaky123 : That must always be divisible by 16
[2017-07-14 20:17:53] hfman : So ftp put is also fiddling with AES?
[2017-07-14 20:18:17] freaky123 : No the get only
[2017-07-14 20:18:48] hfman : Yeah, that's what I thought. So I'm a bit baffled why they are getting padded up on a put?
[2017-07-14 20:20:10] hfman : And in my specific case, dji_system.bin is already 4096, but it ends up being 4112 on the copter or the RC after the binary ftp put.
[2017-07-14 20:21:00] hfman : ...and does so no matter how the ftp is done (manually, python, mac, doesn't matter)
[2017-07-14 20:25:53] freaky123 : And if you pull it then?
[2017-07-14 20:26:01] freaky123 : Yoy can compare it
[2017-07-14 20:44:34] ender : guys, i want to downgrade my spark to .300, am i right that i should root it first on .400 to get that bin file for all ?
[2017-07-14 20:45:00] the_lord : no
[2017-07-14 20:45:03] ender : oh
[2017-07-14 20:45:20] ender : the bin isnt there or we dont need it ?
[2017-07-14 20:45:49] the_lord : if you want to downgrade using assistant you need to use VPN to change your location
[2017-07-14 20:46:01] the_lord : some reported that they can see the .300 from germany
[2017-07-14 20:46:11] ender : i can see .300 from here
[2017-07-14 20:46:17] ender : (de)
[2017-07-14 20:46:32] the_lord : if you want to downgrade without assistant you'll need the .300 bin file
[2017-07-14 20:46:45] ender : i just did not want to spoil .400 bin file if we still need it as its not on github
[2017-07-14 20:47:12] ender : Spark was upgraded from .300 to .400 from previous owner
[2017-07-14 20:47:26] the_lord : the file is no more on the drone
[2017-07-14 20:47:33] ender : okay :disappointed:
[2017-07-14 20:47:53] ender : so how is the workflow to get .300 file after downgrading ?
[2017-07-14 20:48:02] the_lord : once you see 100% on assistant it deletes the file
[2017-07-14 20:48:07] ender : *%$& mac keyboard i want cherry+click
[2017-07-14 20:48:25] ender : okay, any way for a dumbass to get the .300 ? :slightly_smiling_face:
[2017-07-14 20:48:46] ender : more worth then the .400 anyways IMO
[2017-07-14 20:49:10] the_lord : you can root the current version then downgrade with assistant and once it shows upgrading you can adb pull the 300 bin
[2017-07-14 20:50:00] ender : ohhhkay, pls see the “dumbass” above :slightly_smiling_face:
[2017-07-14 20:50:28] the_lord : i got feeling maybe only me (my location) who can't see spark .300 and can't get debugger on assistant
[2017-07-14 20:50:44] ender : assistant shows upgrading, and WHILE its doing so i adb to the Sparky and leech the file (ftp folder ?!)
[2017-07-14 20:51:20] the_lord : adb pull /ftp/upgrade/dji_system.bin LOCAL FOLDER
[2017-07-14 20:51:28] hfman : Okay, I can report more on pyduml on RC. I had to create /upgrade/.bin dir - otherwise couldn't see the grep file via FTP. Upgrade worked, it untarred the file and created grep, but still no root on RC.
[2017-07-14 20:51:28] ender : japp
[2017-07-14 20:51:33] the_lord : but you need to root it before you start this process
[2017-07-14 20:51:56] ender : of course and i do that pull while its downgrading, right ? or do i need to pause it somehow ?
[2017-07-14 20:51:58] the_lord : @hfman you'll see it after reboot
[2017-07-14 20:52:14] hfman : Yes, I know... it wasn't there after many tries..
[2017-07-14 20:52:24] hfman : I've done this a ton on the copter
[2017-07-14 20:52:26] the_lord : no need to pause anything, just pull it once it finishes transmitting the file
[2017-07-14 20:53:25] ender : okay, housewives way of rooting would probably be that windows exe (0.1) by hdnes, do you agree ?
[2017-07-14 20:53:56] the_lord : i didn't test it
[2017-07-14 20:54:18] the_lord : @hfman which tar file you used to root?
[2017-07-14 20:54:27] the_lord : what's the content of grep file?
[2017-07-14 20:54:43] the_lord : worst case you should be able to telnet
[2017-07-14 20:54:49] hfman : I used the one in pyduml, I slightly modified it not to delete itself.
[2017-07-14 20:54:55] ender : i got a mac & w10 here, assistant 112(beta) on both.
[2017-07-14 20:55:04] ender : Just searching for the dumbest way to root…
[2017-07-14 20:55:08] hfman : @the_lord - no telnet, no adb
[2017-07-14 20:56:02] the_lord : @ender easiest way RedHerring from mac
[2017-07-14 20:56:25] ender : looking in my stuff…
[2017-07-14 20:56:28] ender : haha
[2017-07-14 20:57:43] ender : that one (with git pull hostile from 12.07. :
[2017-07-14 20:57:44] ender : ruby RedHerring.rb /data/.bin/grep grep
[2017-07-14 20:57:45] martinbogo : the_lord -- any idea what the blackbox is?
[2017-07-14 20:57:50] martinbogo : in /blackbox?
[2017-07-14 20:58:21] ender : @martinbogo istnt that the glued microSD ?
[2017-07-14 20:58:49] martinbogo : I'm in the P4
[2017-07-14 20:58:56] martinbogo : so, no glued SSD's in here
[2017-07-14 20:58:56] ender : oops
[2017-07-14 20:59:04] ender : sry
[2017-07-14 20:59:11] ender : <--- will shut up
[2017-07-14 20:59:49] the_lord : there is microSD in P4 also
[2017-07-14 21:06:45] hfman : @the_lord :
[2017-07-14 21:12:40] ender : crap, can i use the stock ruby on OSX (sierra) ? i installed colorize & http but cannot find ftp ?!
[2017-07-14 21:15:15] ender : forget it, ftp seems to be bundled with http gem install. i like ruby like PITA :wink: Now battery ran below 50%, its one of those days…
[2017-07-14 21:29:25] ender : @the_lord, adb ready, charging to > 50% to TRY to root, is there any reason why i cant go back & forth to get both .300 & .400 ? (Probably need to reroot every time, but…)
[2017-07-14 21:30:59] the_lord : nothing prevents you from going back and forth
[2017-07-14 21:31:50] ender : thought so… started stuff, hopefully the nfz thingy is happening
[2017-07-14 21:32:53] ender : oops, prolly “127.0.0.1 swsf.djicorp.com” should disappear from hosts :wink:
[2017-07-14 21:33:28] ender : hehe and “127.0.0.1 flysafe.aasky.net”
[2017-07-14 21:44:04] ender : guys i need help… after cleaning up my hosts i restarted redherring and the sudoed assistant now wants my login. ALSO it wants a verification code but shows no image. ?!?!
[2017-07-14 21:45:46] hans112 : Try an older version
[2017-07-14 21:46:41] ender : will do… but sparky isnt supported by much older versions i fear, got 112 here.
[2017-07-14 21:47:41] hostile : Hey can you all cap that spark .300 binary!!
[2017-07-14 21:47:52] the_lord : no man
[2017-07-14 21:47:58] hostile : An ftp sniffer could do this too fwiw
[2017-07-14 21:48:00] the_lord : first start assistant and login
[2017-07-14 21:48:18] the_lord : then close it and run ruby then start assistant --test_server
[2017-07-14 21:48:31] ender : aye sir !
[2017-07-14 21:49:02] ender : (normal start or sudoed ?)
[2017-07-14 21:49:04] hostile : Grep is removed on reboot... by grep. Telnet to port 1234 or use adb shell
[2017-07-14 21:49:28] the_lord : just normal start to login
[2017-07-14 21:49:46] hostile : Windows exe is fucked up... ive got my son so gotta wait till bed time
[2017-07-14 21:49:57] ender : haha normal doesnt want login
[2017-07-14 21:50:33] the_lord : :open_mouth:
[2017-07-14 21:50:38] hostile : DJI support log files... as pulled by blackbox tab in Assistant. That is why I created the aes bypass in fact
[2017-07-14 21:51:24] ender : i tried the second way of starting dji A --> “sudo /Applications/Assistant.app/Contents/MacOS/Assistant”
[2017-07-14 21:51:35] hostile : See git issues... possible closed ones... all explained
[2017-07-14 21:51:36] ender : now login shows verification icon, was able to log in
[2017-07-14 21:51:45] ender : but no nfz update…
[2017-07-14 21:52:07] the_lord : man first assistant start just to cache the log in
[2017-07-14 21:52:25] the_lord : then close everything and start the RedHerring process
[2017-07-14 21:52:36] hostile : Read here... add your experience here <https://github.com/MAVProxyUser/P0VsRedHerring/issues/1>
[2017-07-14 21:52:38] ender : yes thought so, but it doesnt ask :slightly_smiling_face:
[2017-07-14 21:52:59] hans112 : It worked only with sudo in my case... First without test argument, then with
[2017-07-14 21:53:00] ender : reading…
[2017-07-14 21:53:19] the_lord : hans112 exactly
[2017-07-14 21:53:25] hostile : Please save the OGs time and use the search bar! ;)
[2017-07-14 21:53:34] hostile : Slack search is epic
[2017-07-14 21:53:43] ender : sry !
[2017-07-14 21:53:48] hostile : "Search: login" probably will find it
[2017-07-14 21:53:56] hostile : Just harassing ya it's all good
[2017-07-14 21:54:09] ender : nope you’re perfectly right.
[2017-07-14 21:54:13] hostile : Gotta teach you guys to fish tho... we've given out buckets of herrings. ;)
[2017-07-14 21:54:52] hfman : FYI- I got root on RC (thanks @the_lord ) - pyduml will require some work
[2017-07-14 21:55:37] the_lord : most welcome
[2017-07-14 21:55:46] hans112 : Well done !!
[2017-07-14 21:55:56] hans112 : Same principle?
[2017-07-14 21:56:39] hfman : Yeah, for the most part. Haven't gotten adbd up yet, it kinda blows things up. Gonna have to fiddle.
[2017-07-14 21:57:03] hans112 : Ok, I might have time this weekend to root the RC... :)
[2017-07-14 22:05:41] ender : okay 1.1.0 works better, confirmed nfz.. script stalled it seems… hmmm
[2017-07-14 22:07:18] ms30250 : man im slow... i just put together "redherring" and all the teach you to fish references
[2017-07-14 22:07:23] ms30250 : ha
[2017-07-14 22:07:30] ender : its stalled here, uh oh…
[2017-07-14 22:07:31] ender : localhost - - [15/Jul/2017:00:04:24 CEST] "GET /api/v3/geofence/onboard_static_data?version=01.00.01.04&timestamp=1500069864&signature=2385B5C37C7CE33B7FBEF01560DF3488E40DADDB91D575F8457EBE69F0A09AC1 HTTP/1.1" 200 101 - -> /api/v3/geofence/onboard_static_data?version=01.00.01.04&timestamp=1500069864&signature=2385B5C37C7CE33B7FBEF01560DF3488E40DADDB91D575F8457EBE69F0A09AC1
Hopefully you dropped your file in a magic location!
no herring present in /tmp, which is a good thing... undefined
Update Failed means YOU failed... otherwise 100% Complete means your write file took
localhost - - [15/Jul/2017:00:04:36 CEST] "GET /flysafe_db_files/GetRoot HTTP/1.1" 200 4096 - -> /flysafe_db_files/GetRoot
localhost - - [15/Jul/2017:00:04:42 CEST] "GET /api/v3/geofence/onboard_static_data?version=01.00.01.04&timestamp=1500069882&signature=CB91D8CB0D33895953365157C435279A67D9481F277DF287411DDD1901AEFA1B HTTP/1.1" 200 101 - -> /api/v3/geofence/onboard_static_data?version=01.00.01.04&timestamp=1500069882&signature=CB91D8CB0D33895953365157C435279A67D9481F277DF287411DDD1901AEFA1B
[2017-07-14 22:09:23] hostile : Code was last Tested with 1.1.2 fwiw
[2017-07-14 22:09:49] ender : so, should i kill stuff ?!?
[2017-07-14 22:10:00] ender : i dont think good is happening anymore :slightly_smiling_face:
[2017-07-14 22:10:33] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/issues/1#issuecomment-312764503>
[2017-07-14 22:10:35] ender : >tested with 1.1.2 --> well that had this login problem
[2017-07-14 22:10:51] hostile : Different host names for different versions...
[2017-07-14 22:11:12] hostile : DUML Herring with fireworks.tar not working for you?
[2017-07-14 22:11:22] hostile : Red herring is almost depreciated :)
[2017-07-14 22:11:34] ender : well i groked the grep version was better :slightly_smiling_face:
[2017-07-14 22:12:04] hostile : Safer... and DUML herring uses a prepacked fireworks.tar with grep technique built in fwiw
[2017-07-14 22:12:10] hans112 : Now reboot drone once and try to telnet or adb ...
[2017-07-14 22:12:37] ender : ah okay… so i have to call it a day, damn, i saved these 2 hours , damn work :stuck_out_tongue:
[2017-07-14 22:13:06] hans112 : After second reboot, everything is gone and you have to root again
[2017-07-14 22:13:33] ender : okay… adb devices doesnt list any
[2017-07-14 22:13:58] ender : @hans112 : you experienced the same stall and it still got rooted ?
[2017-07-14 22:14:04] hans112 : Yes..
[2017-07-14 22:14:14] hans112 : Stall, but 100% right ?
[2017-07-14 22:14:25] ender : i posted output a page above
[2017-07-14 22:14:52] ender : kevin likes to sound cryptic but there is a 100% in there :stuck_out_tongue: :wink:
[2017-07-14 22:14:58] hans112 : Did assistant show :100: in green ?
[2017-07-14 22:15:04] hans112 : Upload :100:
[2017-07-14 22:15:06] ender : yes
[2017-07-14 22:15:16] hans112 : Oke. Then turn off drone. And turn on again
[2017-07-14 22:15:27] ender : adb via usb i assume or via wifi with spark in wifi mode ?
[2017-07-14 22:15:28] hans112 : And check adb or telnet (port 1234)
[2017-07-14 22:15:33] hans112 : USB
[2017-07-14 22:15:53] ender : will plug to pc, dont trust adb on mac
[2017-07-14 22:16:14] hans112 : :+1:
[2017-07-14 22:16:46] ender : haha on pc theres a bag of fish found :slightly_smiling_face:
[2017-07-14 22:17:30] hans112 : Hehehe congrats
[2017-07-14 22:17:36] ender : stupid thing, any adb recommendations for OSX :slightly_smiling_face: i wanted to “quickly” pull .300 bin
[2017-07-14 22:17:59] ender : well, it was like needing 5 people to screw in the bulb but thanks
[2017-07-14 22:18:15] hans112 : Euh.. I don't have a Mac, used VM... And that is the only time I did something on a Mac :laughing:
[2017-07-14 22:18:27] hans112 : So cant help with that
[2017-07-14 22:18:41] hfman : There's a truncated version of ADB for both OSX and Windows... I think on the google site. Like a simple toolset
[2017-07-14 22:18:45] ender : using the one from Android sdk (2015)
[2017-07-14 22:18:46] hfman : Works fine
[2017-07-14 22:18:56] ender : yes i am using that on win hfman
[2017-07-14 22:18:56] hfman : Ya, you don't need the entire SDK
[2017-07-14 22:19:10] ender : i need it as i code for android :stuck_out_tongue:
[2017-07-14 22:20:15] vk2fro : Morning :slightly_smiling_face:
[2017-07-14 22:20:32] ender : <https://github.com/simmac/minimal_adb_fastboot/blob/master/osx/adb>
[2017-07-14 22:20:40] ender : that one works ! thx for the fish
[2017-07-14 22:22:08] ender : need to start a quick shell to rm-rf some stuff :stuck_out_tongue:
[2017-07-14 22:25:30] ender : pulling .300 now !
[2017-07-14 22:27:54] ender : any way to check integrity b4 uploading it somewhere ?
[2017-07-14 22:28:29] ender : ah okay, it unpacks clean so i guess its okay…
[2017-07-14 22:28:40] ender : spark does a lot of beeping now, lets see
[2017-07-14 22:29:59] ender : done, doing the same now to get .400…
[2017-07-14 22:31:01] hans112 : ,:+1:
[2017-07-14 22:31:47] ender : should i just upload the .300 (and later .400) and post link here ? Or any specific upload location ?!
[2017-07-14 22:32:16] hans112 : The GitHub that @hostile put up I guess ?
[2017-07-14 22:34:26] ender : yep !
[2017-07-14 22:35:59] ender : haha needs to be smaller < 25MB
[2017-07-14 22:37:13] ender : uhhh now on .300, trying that ruby script with grep again but it stalls & timeouts here after pressing enter:
[2017-07-14 22:37:14] ender : “Connecting to the drone and looking for old herrings...”
[2017-07-14 22:37:30] ender : hmmm, not good.
[2017-07-14 22:38:02] ender : here is the .300 Spark FW:
[2017-07-14 22:38:03] ender : <https://we.tl/L4K8eD5x0L>
[2017-07-14 22:39:47] ender : will reboot and try again otherwise just go to bed :slightly_smiling_face:
[2017-07-14 22:40:32] ender : (really hope DJI did not f*ck up .300 which *I* would do if i were them)
[2017-07-14 22:49:15] ender : seems to work now after rebooting all, but stupid battery is < 50%…
[2017-07-14 22:49:46] ender : have 3 Sparky bats on order, will kill one and add tons of standard lipos to that flying rat :wink:
[2017-07-14 22:56:37] ender : okay .400 is there, will upload as well…
[2017-07-14 22:56:45] ender : and back to .300 :slightly_smiling_face:
[2017-07-14 22:56:51] vk2fro : gotta love it when you press command q instead of command w on a mac. GRRRR :stuck_out_tongue:
[2017-07-14 23:02:30] ender : okay, Spark .400 here:
[2017-07-14 23:02:32] ender : <https://we.tl/q1oO2ThkTz>
[2017-07-14 23:20:48] vk2fro : am I missing something? error message: serial.serialutil.SerialException: [Errno 2] could not open port tty.usbmodem14E5: [Errno 2] No such file or directory: 'tty.usbmodem14E5'
[2017-07-14 23:20:58] vk2fro : (relates to pyduml)
[2017-07-14 23:21:23] the_lord : what OS?
[2017-07-14 23:21:29] vk2fro : OS X
[2017-07-14 23:22:09] the_lord : you need to check where your drone/rc is connected
[2017-07-14 23:23:11] skyhawk : @vk2fro tty.usbmodem14E5 does not seem to be the right serial port for the drone. Are there any other ports listed in your devices?
[2017-07-14 23:23:17] vk2fro : its at tty.usbmodem14E5
[2017-07-14 23:23:32] vk2fro : ok will check.
[2017-07-14 23:24:54] vk2fro : ah huh! ttys002
[2017-07-14 23:24:56] vk2fro : lets see
[2017-07-14 23:25:24] hostile : Add /dev/
[2017-07-14 23:25:55] vk2fro : 14
[2017-07-14 23:26:07] vk2fro : 14E5 is working - stupid me forgetting /dev
[2017-07-14 23:26:40] vk2fro : woot! firmware update complete. .700 here I come :slightly_smiling_face:
[2017-07-14 23:27:06] hdnes : do we have a list of: target_id target_index
[2017-07-14 23:27:08] ender : guys, i am back to .300 and now have permanent root. adb shell works of course. but telnet does not.
[2017-07-14 23:27:33] ender : 192.168.42.2:1234 is via horndis / usb, right ? (Sparks wifi is 192.168.2.XXX)
[2017-07-14 23:27:40] vk2fro : I have front flashing lights and all the hallmarks of an updating firmware :slightly_smiling_face:
[2017-07-14 23:28:00] ender : great vk2fro, wanna do that, need to learn that next on my mav
[2017-07-14 23:28:08] ender : which tool you used ?!
[2017-07-14 23:28:24] vk2fro : pyduml
[2017-07-14 23:30:36] ender : ah me idiot, i need linux box with modprobe or start assistant.
[2017-07-14 23:30:51] ender : did anyone get telnet via Spark / Mavic WiFi ?
[2017-07-14 23:30:54] vk2fro : what OS are you on?
[2017-07-14 23:30:56] ender : osx
[2017-07-14 23:31:07] vk2fro : just homebrew install python :slightly_smiling_face:
[2017-07-14 23:31:39] vk2fro : no need to fire up VM or use linux. OSX will do it natively with homebrew. You'll also need libusb
[2017-07-14 23:31:44] ender : to use telnet ?! naaahhh
[2017-07-14 23:32:02] vk2fro : oh my bad LOL
[2017-07-14 23:32:05] ender : actually i need telnet via spark wifi, thats the whole point for me thats why i needed root :slightly_smiling_face:
[2017-07-14 23:33:07] ender : ohhhh late, gnight guys & thx for the help !
[2017-07-14 23:33:47] skyhawk : good night
[2017-07-14 23:33:58] vk2fro : night ender
[2017-07-14 23:34:19] vk2fro : wow yr not wrong about this firmware update taking its time LOL
[2017-07-14 23:38:12] jezzab : All happenin
[2017-07-14 23:40:15] vk2fro : is root persistent with pyduml or do I need to make it so by editing start_dji_system.sh
[2017-07-14 23:40:31] hostile : @vk2fro that was the point at which I was shitting myself
[2017-07-14 23:40:45] jezzab : @ender you can just use adb shell.
[2017-07-14 23:40:46] hostile : You need to edit. Intentionally not persistent
[2017-07-14 23:40:49] jezzab : Same lol
[2017-07-14 23:41:10] hostile : If you already have root you can tail the log...
[2017-07-14 23:41:26] vk2fro : already checked with assistant - I'm on .700
[2017-07-14 23:41:27] jezzab : You can't tail. There is no tail
[2017-07-14 23:41:32] jezzab : Well I couldn't
[2017-07-14 23:41:48] jezzab : I wish there was. I was cat cat cat sweat cat cat cat
[2017-07-14 23:41:48] hostile : "busybox tail"
[2017-07-14 23:41:55] jezzab : Doh
[2017-07-14 23:42:09] hostile : All the good commands need busybox typed first
[2017-07-14 23:42:32] hostile : "busybox shithere"
[2017-07-14 23:43:22] jezzab : Oh well. It kept me busy during the downgrade
[2017-07-14 23:51:58] vk2fro : After a lot of scrolling up, I found where you told me how to make it permanent hostile. Now have permanent root :slightly_smiling_face:
[2017-07-14 23:52:07] hostile : :)
[2017-07-14 23:52:12] hostile : That's the spirit!
[2017-07-15 00:00:37] vk2fro : Thanks immensely for the help guys :slightly_smiling_face:
[2017-07-15 00:02:40] hostile : Good job dude
[2017-07-15 00:05:03] vk2fro : I made a little text document so I can ease the wear on my mouse wheel :wink:
[2017-07-15 00:06:02] hostile : Lol
[2017-07-15 00:46:17] jezzab : There are only two fw for the P4 right? V2.00.0106 and V1.02.0602?
[2017-07-15 04:08:05] jezzab : Tried to upload them to the github but is bitching about over 25mb?
[2017-07-15 04:08:32] vk2fro : stick em on wetransfer
[2017-07-15 04:08:42] vk2fro : it took the >100mb mavic ones I uploaded.
[2017-07-15 04:08:57] vk2fro : then hostile can add them to the git
[2017-07-15 04:31:58] hostile : @jezzab IF you wanna put em on your own git... <https://git-lfs.github.com>
[2017-07-15 04:32:05] hostile : but hell.. just drag the files here bro
[2017-07-15 04:32:23] hostile : slack does just fine with dragged files... then I can up em into git
[2017-07-15 04:43:23] jezzab : @hostile tell me when you have downloaded and i will delete the messages
[2017-07-15 04:44:32] jezzab : Both of these i have rebuilt and tested.
[2017-07-15 04:45:47] vk2fro : Thanks jezzab - now I can do my mates P4 when he comes over :slightly_smiling_face:
[2017-07-15 04:51:35] jezzab : I'm just glad I backed up v1.02 before I upgraded the other day via ftp lol.
[2017-07-15 04:53:55] hostile : @jezzab so these are manual built ones?
[2017-07-15 04:54:01] hostile : pulling now
[2017-07-15 04:56:33] jezzab : correct
[2017-07-15 04:56:47] jezzab : there was no way to get them with a fw refresh, the dji_sys file would not pop up
[2017-07-15 04:57:00] jezzab : I have downgraded and upgraded with them both. no problem
[2017-07-15 04:57:49] hostile : I've heard VPN and specific countries can get older variants
[2017-07-15 04:58:00] jezzab : yeah i heard that whisper too
[2017-07-15 04:58:06] jezzab : Aus.... no go
[2017-07-15 04:58:54] jezzab : Even though the pop up when you upgrade specifically says "You can roll back the firmware if you wish"
[2017-07-15 04:59:01] jezzab : Absolute bullshit
[2017-07-15 04:59:09] hostile : =]
[2017-07-15 05:00:20] jezzab : lord warned me but at the time the only way to root was RH and NFZ. but NFZ wasnt part of the old V1.02 fw on P4. So i had to go to V2.0 to do it
[2017-07-15 05:00:28] jezzab : hence the ftp backup
[2017-07-15 05:01:04] jezzab : rolled the dice, played the game and won in the end thanks to a lot of ppls work and testing
[2017-07-15 05:10:03] hostile : @channel Any brave souls? @the_lord @hdnes ?
sh-3.2# cp ba2144c_UniversalFireworksTar_dji_system.bin mavic_combined_700_root.tar
sh-3.2# gtar --concatenate --file mavic_combined_700_root.tar V01.03.0700_Mavic_dji_system.bin
sh-3.2# tar tvf mavic_combined_700_root.tar
-rw-r--r--  0 root staff       37 Jul  9 01:51 Burning0day.txt
lrwxr-xr-x  0 root staff        0 Jul  9 01:51 symlink -> /data/.bin
-rwxr-xr-x  0 root staff      517 Jul  9 01:51 symlink/grep
-rwxrwxrwx  0 0    users    55072 Jul 12 15:41 wm220_0305_v34.04.00.23_20161122.pro.fw.sig
-rwxrwxrwx  0 0    users  1537056 Jul 12 15:41 wm220_0306_v03.02.30.13_20170405.pro.fw.sig
-rwxrwxrwx  0 0    users    20768 Jul 12 15:41 wm220_1200_v01.09.00.00_20161204.pro.fw.sig
-rwxrwxrwx  0 0    users    20768 Jul 12 15:41 wm220_1201_v01.09.00.00_20161204.pro.fw.sig
-rwxrwxrwx  0 0    users    20768 Jul 12 15:41 wm220_1202_v01.09.00.00_20161204.pro.fw.sig
-rwxrwxrwx  0 0    users    20768 Jul 12 15:41 wm220_1203_v01.09.00.00_20161204.pro.fw.sig
-rwxrwxrwx  0 0    users    28416 Jul 12 15:41 wm220_1100_v01.00.07.24_20161206.pro.fw.sig
-rwxrwxrwx  0 0    users    43488 Jul 12 15:41 wm220_0803_v00.00.04.08_20170314.pro.fw.sig
-rwxrwxrwx  0 0    users 15180832 Jul 12 15:41 wm220_0100_v02.02.56.29_20170317.pro.fw.sig
-rwxrwxrwx  0 0    users 37489024 Jul 12 15:41 wm220_0100_v02.06.04.84_20170324_ca02.pro.fw.sig
-rwxrwxrwx  0 0    users    60128 Jul 12 15:41 wm220_0101_v02.06.04.84_20170324_ca02.pro.fw.sig
-rwxrwxrwx  0 0    users   196544 Jul 12 15:41 wm220_0101_v02.02.56.29_20170317.pro.fw.sig
-rwxrwxrwx  0 0    users    91584 Jul 12 15:41 wm220_0400_v01.50.12.01_20170414.pro.fw.sig
-rwxrwxrwx  0 0    users    26432 Jul 12 15:41 wm220_0804_v01.00.00.08_20170113.pro.fw.sig
-rwxrwxrwx  0 0    users  4142592 Jul 12 15:41 wm220_0907_v47.26.02.11_20170419.pro.fw.sig
-rwxrwxrwx  0 0    users 41515328 Jul 12 15:41 wm220_0801_v01.05.00.20_20170331.pro.fw.sig
-rwxrwxrwx  0 0    users  5320416 Jul 12 15:41 wm220_0802_v01.00.03.08_20170116.pro.fw.sig
-rwxrwxrwx  0 0    users  3052000 Jul 12 15:41 wm220_0805_v01.01.00.87_20170427.pro.fw.sig
-rwxrwxrwx  0 0    users    92096 Jul 12 15:41 wm220_0905_v00.00.01.04_20170301.pro.fw.sig
-rwxrwxrwx  0 0    users     5888 Jul 12 15:41 wm220.cfg.sig
[2017-07-15 05:12:22] hostile : sh-3.2# git commit -a
[master 8a89f29] Add P4 "crafted" files from jezzab
 4 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 V1.02.0602_P4crafted.dji_system.bin
 create mode 100644 V2.00.0106_P4crafted.dji_system.bin
 create mode 100644 mavic_combined_700_root.bin
sh-3.2# git push
Git LFS: (0 of 3 files) 4.86 MB / 257.59 MB
[2017-07-15 05:22:05] jezzab : Its nasty but if Windows users wanna decrypt an ftp file....
[2017-07-15 05:23:48] jezzab : resultant file will have .decrypt on the end. Original file will remain
[2017-07-15 05:23:49] hostile : any brave souls? <https://github.com/MAVProxyUser/dji_system.bin/blob/master/mavic_combined_700_root.bin>
[2017-07-15 05:41:12] hostile : heh
[2017-07-15 05:41:15] hostile : 01-01 00:18:21.081 242 376 E DUSS&63[sys_up_status_push_threa: 885]:: Sending upgrade status to app_host 0xa01 failed, result=-1002
01-01 00:18:22.787 242 24940 I DUSS&63[sys_upgrade_up_from_scri:3148]:: upgrade.sh results: Success: remount /vendor back to ro ok
01-01 00:18:22.787 242 24940 I DUSS&63[sys_upgrade_up_from_scri:3148]::
01-01 00:18:22.788 242 24940 I DUSS&63[sys_upgrade_up_from_scri:3164]:: cd /data/upgrade; chmod 777 upgrade.sh; ./upgrade.sh exit status 0, return 0
01-01 00:18:22.788 242 24940 I DUSS&63[sys_upgrade_up_from_scri:3172]:: cd /data/upgrade; chmod 777 upgrade.sh; ./upgrade.sh success.
01-01 00:18:23.005 242 24940 I DUSS&63[ sys_check_version: 82]:: Different version.
[2017-07-15 05:41:15] hostile : wtf is this shit?
[2017-07-15 05:41:28] hostile : can we just ftp in during a normal upgrade and stomp that file , and it gets executed?
[2017-07-15 05:41:55] hostile : ahh... we'd have to catch the timing perfect
[2017-07-15 05:41:57] hostile : 01-01 00:18:17.073 242 376 I DUSS&63[sys_up_status_push_threa: 871]:: +++++++ Sending upgrade status for upgrading_stage, len: 11, app_host=0xa01, mod_id=0xe9 (09.07), status 1, progress: 25, total_progress: 82
01-01 00:18:17.074 242 24940 I DUSS&63[sys_p1_load_upgrade_data:2550]:: upgrade file /cache/upgrade/unsignimgs//wm220_0907_v47.26.02.11_20170419.pro.fw is unencrypted.
01-01 00:18:17.076 242 376 E DUSS&63[sys_up_status_push_threa: 885]:: Sending upgrade status to app_host 0xa01 failed, result=-1002
01-01 00:18:17.149 242 24940 I DUSS&63[ sys_upgrade_p1_hw:2903]:: load upgrade data success
01-01 00:18:17.544 242 24940 I DUSS&63[sys_upgrade_up_from_scri:3118]:: tar results: modemarm.pro.fw
01-01 00:18:17.544 242 24940 I DUSS&63[sys_upgrade_up_from_scri:3118]:: tar results: modemdsp_gnd.pro.fw
01-01 00:18:17.544 242 24940 I DUSS&63[sys_upgrade_up_from_scri:3118]:: tar results: modemdsp_uav.pro.fw
01-01 00:18:17.544 242 24940 I DUSS&63[sys_upgrade_up_from_scri:3118]:: tar results: upgrade.sh
01-01 00:18:17.544 242 24940 I DUSS&63[sys_upgrade_up_from_scri:3126]:: busybox tar -xvf /data/upgrade/temp.zip -C /data/upgrade exit status 0, return 0
01-01 00:18:17.580 242 24940 I DUSS&63[sys_upgrade_up_from_scri:3148]:: upgrade.sh results: Success: remount /vendor to rw ok
[2017-07-15 05:42:33] hostile : lol OR stomp /data/upgrade/temp.zip I guess?
[2017-07-15 05:42:49] hostile : bet we could catch those race conditions @freaky123 ...
[2017-07-15 05:46:32] vk2fro : <https://github.com/vk2fro/Little_Pilot-Hacking> posted the instructions pdf on github. Saves spamming the chat with updates :slightly_smiling_face:
[2017-07-15 05:48:44] hostile : you should post as .txt file and move .pdfs to releases tab
[2017-07-15 05:48:46] hostile : IMHO
[2017-07-15 05:48:50] hostile : so we can track the changes
[2017-07-15 05:49:19] hostile : <https://github.com/vk2fro/Little_Pilot-Hacking/releases>
[2017-07-15 05:49:32] vk2fro : Will do - I'll move it to textwrangler later tonight.
[2017-07-15 05:49:45] hostile : word. thx pimp!
[2017-07-15 05:49:50] hostile : very much appreciated
[2017-07-15 05:49:54] vk2fro : then post as text
[2017-07-15 05:50:10] vk2fro : don't need that bloatware on my mac :
[2017-07-15 05:50:12] vk2fro : :stuck_out_tongue:
[2017-07-15 05:51:22] vk2fro : anyway I'm off for a flight - ciao
[2017-07-15 08:33:35] vk2fro : Flight went well. Spent two batteries on rooted but otherwise stock .700 and as a bonus my gimbal is behaving on startup now - no more "clunk clunk" during initialisation :-)
[2017-07-15 08:35:39] vk2fro : Tomorrow if weather permits I'll do the websockets mods and take the mavic and the octa both out for a fly. Just need to replace an esc on the octa.
[2017-07-15 13:09:11] jezzab : my beer to useful coding range has been exceeded. I'll reconvene tomorrow and sort the CRC16 stuff and then can proceed. hooroo
[2017-07-15 13:09:31] hostile : Lol switch to weed ! ;)
[2017-07-15 13:09:45] hostile : Much better ratios available to stay useful haha
[2017-07-15 13:10:28] jezzab : lmao. god nowadays i'd fall asleep!
[2017-07-15 13:12:47] guest : anyone here who can point me in the right direction where to get a .0700 bin for my mavic ?
[2017-07-15 13:13:35] guest : nice bin :slightly_smiling_face:
[2017-07-15 13:13:38] jezzab : All the coding inspiration in there. Its taken its toll lol
[2017-07-15 13:14:18] jezzab : Just gotta sort the CRC16 tomorrow. Its fine by hand in hexworkshop. Just cant get working C# code. rest is done for the upload GUI. My usual CRC16 stuff is CCITT but she no good :disappointed:
[2017-07-15 13:14:38] jezzab : then work on the backup/download from ftp and decrypt aes
[2017-07-15 13:16:14] jezzab : do that in the morn
[2017-07-15 13:17:47] jezzab : re-inventing the wheel but its all in one app, albeit a windows GUI app. The kiddies can use the mouse and click their heart out and ride the herring. Really should think of a name. DUMLdee DUMLdoo was funny 6 beers ago.....
[2017-07-15 14:54:49] dreadwing007 : Was able to upgrade/downgrade on my Linux mint box but seems the adb devices does not return any devices when running the fireworks.bin
[2017-07-15 14:55:01] dreadwing007 : Any suggestions other than running it via mac
[2017-07-15 14:58:35] hostile : @jezzab DUMLderp or DerpyDUML :)
[2017-07-15 15:49:44] martinbogo : **sigh** Can we have one, just ONE, hacking tool that doesn't have a 4chan name?
[2017-07-15 15:50:13] hostile : glad you saw what I **intentionally** did there =]
[2017-07-15 15:50:18] hostile : gotta have thick memes
[2017-07-15 15:50:27] hostile : cuz you know nothing is relevant these days sans a name lol
[2017-07-15 16:00:19] martinbogo : *****ggggrrrrooooaaannnn*****
[2017-07-15 16:00:31] martinbogo : We're all grown-ups, pretending to be kids, pretending to be grown-ups
[2017-07-15 16:00:34] martinbogo : **rolls eyes**
[2017-07-15 16:05:42] hostile : I assume you also hit <http://localhost/> in a browser while RedHerring was running?
[2017-07-15 16:20:49] martinbogo : ----- has anyone managed to make a permanent modification to init.rc and its friends?
[2017-07-15 16:33:26] freaky123 : That is not possible
[2017-07-15 16:33:33] freaky123 : They are signed
[2017-07-15 16:34:22] freaky123 : So if you manage to do that it would be groundbreaking, since it would mean the private signing key is on the device
[2017-07-15 16:36:06] martinbogo : haven't yet .. thinking of modifying them from /system/system_start_dji.sh and then forcing init to reload
[2017-07-15 16:36:22] martinbogo : but That Could Be A Bad Idea(tm)
[2017-07-15 16:36:42] hostile : worth a core board tho
[2017-07-15 16:36:43] hostile : fuck it
[2017-07-15 16:36:50] hostile : I’ve bricked for less
[2017-07-15 16:36:51] hostile : hahah
[2017-07-15 16:41:07] martinbogo : this busybox init responds to SIGHUP
[2017-07-15 16:41:11] martinbogo : it has the patch
[2017-07-15 16:41:26] martinbogo : won't brick, unless I really REALLY screw up
[2017-07-15 16:42:21] freaky123 : It will boot up recovery if the signature of the normal doesn't comply anymore
[2017-07-15 16:42:41] freaky123 : And then you can dd back normal
[2017-07-15 16:42:49] freaky123 : If you made a backup
[2017-07-15 16:55:16] martinbogo : well, here goes
[2017-07-15 16:55:18] martinbogo : and it works :slightly_smiling_face:
[2017-07-15 16:55:38] martinbogo : I am replacing init.rc from /system/etc/init.rc.saved ( a copy I make with changes )
[2017-07-15 16:55:43] martinbogo : then I do kill -HUP 1
[2017-07-15 16:56:44] martinbogo : YAY!
[2017-07-15 16:56:49] martinbogo : instant ADB
[2017-07-15 16:56:54] martinbogo : works
[2017-07-15 17:07:33] hostile : more techniques to add to the stash!
[2017-07-15 17:07:45] hostile : thx for hammering that out Bogo
[2017-07-15 17:19:33] martinbogo : well, now I have ADB running whenever I want
[2017-07-15 17:19:38] martinbogo : but I made another small discovery ---
[2017-07-15 17:19:40] martinbogo : init .. has been modified
[2017-07-15 17:19:46] hfman : Did anybody come up with a solid way to do the tarball in windows? I need an easier way to change the grep file.
[2017-07-15 17:19:58] martinbogo : It's not a symlink to busybox init
[2017-07-15 17:19:58] martinbogo : 1|root@wm330_dz_vp0001_v5:/ # busybox stat init
  File: init
  Size: 179496  Blocks: 352  IO Block: 4096  regular file
Device: 1h/1d  Inode: 1435  Links: 1
Access: (0750/-rwxr-x---)  Uid: ( 0/ UNKNOWN)  Gid: ( 0/ UNKNOWN)
Access: 1980-01-01 21:56:52.000000000
Modify: 1970-01-01 00:00:00.000000000
Change: 1970-01-01 00:00:00.000000000
[2017-07-15 17:20:03] martinbogo : or hard link
[2017-07-15 17:20:12] martinbogo : it's its own flavor of init... with part of the initscript built in
[2017-07-15 17:20:16] martinbogo : and it's not listening to HUP
[2017-07-15 17:53:07] hostile : @hfman the last commit to RedHerring has a Windows fix... but it is untested
[2017-07-15 17:59:46] knorren : Hi, has anyone got this error when downgrading with pyduml:
[2017-07-15 17:59:48] knorren : ftp.mkdir("/upgrade/.bin")
[2017-07-15 17:59:56] knorren : AttributeError: FTP instance has no attribute 'mkdir'
[2017-07-15 18:07:40] martinbogo : I have SSH access to my P4, and it should work on all platforms ( phantom 4, p4p, I2, mavic... )
[2017-07-15 18:08:25] martinbogo : Once rooted
[2017-07-15 18:08:26] martinbogo : to create the host keys and install dropbear:
ADB copy the files over to /system/xbin
chmod 755 /system/xbin/dropbear
chmod 755 /system/xbin/scp
chmod 700 /system/xbin/dropbearkey
then create the host keys
mkdir /system/etc/dropbear
cd /system/etc/dropbear
dropbearkey -t rsa -f /system/etc/dropbear/dropbear_rsa_host_key
dropbearkey -t dss -f /system/etc/dropbear/dropbear_dss_host_key
[2017-07-15 18:08:48] martinbogo : then you can add the following to /system/bin/start_dji_system.sh
[2017-07-15 18:08:54] martinbogo : mount -o remount,rw /system
[2017-07-15 18:09:00] martinbogo : then -- to edit the file
[2017-07-15 18:09:19] martinbogo :
# Start SSH on all network ports
if [ -f /system/xbin/dropbear ] && [ -f /system/etc/dropbear/dropbear_rsa_host_key ] ; then
    dropbear -Y RedHerringDerp -r /system/etc/dropbear/dropbear_rsa_host_key -d /system/etc/dropbear/dropbear_dss_host_key
fi
[2017-07-15 18:09:39] martinbogo : Also -- I have a static compiled "nano" if you want a simpler editor
[2017-07-15 18:10:17] martinbogo : install the same way ( make /system read-write, then use ADB to copy the files into /system/etc and /system/xbin )
[2017-07-15 18:12:48] martinbogo : to get 'nano' to work, you will need to export some shell variables
[2017-07-15 18:12:52] martinbogo : export TERM=linux
[2017-07-15 18:13:01] martinbogo : export TERMINFO=/system/etc/terminfo
[2017-07-15 18:13:54] martinbogo : > TO ACCESS THE SSH DAEMON -- if you have newer OpenSSH, it will barf on the insecure algorithm/crypto dropbear uses <<<
[2017-07-15 18:13:55] martinbogo : ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.42.2
[2017-07-15 18:14:09] martinbogo : You will need to implicitly allow the algorithm as shown
[2017-07-15 18:16:49] hfman : I think that's a bug. Should be ftp.mkd
[2017-07-15 18:17:31] martinbogo :
Sage:protocol root# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.42.2
root@192.168.42.2's password:
root@wm330_dz_vp0001_v5:/ # setenv TERM linux
root@wm330_dz_vp0001_v5:/ # setenv TERMINFO /system/etc/terminfo
root@wm330_dz_vp0001_v5:/ #
[2017-07-15 18:17:36] martinbogo : TA-da!
[2017-07-15 18:17:43] martinbogo : and yes, nano works beautifully
[2017-07-15 18:18:43] hfman : @martinbogo - what's the true value to have ssh vs. raw?
[2017-07-15 18:20:08] martinbogo : hfman : I'm having problems with ADB crashing ... ssh daemon is stable for me, and of course having an SSH daemon means you get scp/sftp for free :slightly_smiling_face:
[2017-07-15 18:20:16] vk2fro : :slightly_smiling_face:
[2017-07-15 18:20:16] martinbogo : it frees me from having to use ADB
[2017-07-15 18:20:42] hfman : Ah, bonus. Yep, see the value now
[2017-07-15 18:21:10] vk2fro : 15 free spins! well done martinbogo!
[2017-07-15 18:25:26] hans112 : Nano means less risk of killing the bird. . :) Nice !!
[2017-07-15 18:26:22] fldatatek : Great work @martinbogo ..
[2017-07-15 18:27:23] martinbogo : Also, I think I just got Wifi working
[2017-07-15 18:27:25] martinbogo : BRIEFLY
[2017-07-15 18:27:37] martinbogo : there is a full WiFi AP stack in there, supported by the LC1860
[2017-07-15 18:27:46] martinbogo : in theory, also bluetooth
[2017-07-15 18:42:46] anethnicgroup : Any way i can get added to the Git? You all have piqued my interest as this brings back the good days of android! Username: Soitis636
[2017-07-15 18:46:05] hostile : Any collaborator here can add you... someone please do. I'm out ATM
[2017-07-15 18:50:54] knorren : Ok, I now noticed that line 75 "ftp.mkdir" was added 12hrs ago.. "#Add mkdir to support root merge..."
[2017-07-15 18:51:17] martinbogo : @fldatatek : Thank you
[2017-07-15 18:51:43] martinbogo : @fldatatek : @hostile and I are talking about something like a "feature selector" to pick what you want to do when rooting
[2017-07-15 18:51:51] martinbogo : enable ADB, install dropbear, install nano, etc
[2017-07-15 18:52:06] fldatatek : Oh that would be sweet..
[2017-07-15 18:52:42] fldatatek : I wish I could help but unfortunately I have no programming/reversing skills.. :disappointed:
[2017-07-15 18:52:56] martinbogo : @fldatatek : then .. um .. why do you want/need access to the git repo?
[2017-07-15 18:53:11] fldatatek : Archiving...
[2017-07-15 18:53:25] martinbogo : @fldatatek : GitHub is well archived, replicated, and protected :slightly_smiling_face:
[2017-07-15 18:53:30] martinbogo : plus, distributed :slightly_smiling_face:
[2017-07-15 18:53:39] fldatatek : but also subject to take down request..
[2017-07-15 18:53:57] martinbogo : @fldatatek : Thaaaaat's not how "git" works :slightly_smiling_face:
[2017-07-15 18:53:59] hans112 : I think there are backups somewhere ;)
[2017-07-15 18:54:11] martinbogo : it's decentralized .. any clone is a potential new source
[2017-07-15 18:54:24] fldatatek : One thing I do have skills in though is webhosting and networking.
[2017-07-15 18:54:29] martinbogo : GitHub is just a convenient place for #core to collaborate :slightly_smiling_face:
[2017-07-15 18:54:30] hostile : Yeah and a fuck ton of people forked too
[2017-07-15 18:54:44] hostile : So we should have good proliferation
[2017-07-15 18:55:54] hans112 : Forked it, knived it...
[2017-07-15 18:56:42] fldatatek : Yep.. forked , backed all the git repos locally and remotely (private server).
[2017-07-15 18:56:46] martinbogo : :deadpool: MAXIMUM EFFORT
[2017-07-15 18:57:13] fldatatek : Lets just say DJI would have a serious game of whack-a-mole on their hands
[2017-07-15 18:57:20] hostile : Nailed it :)
[2017-07-15 18:57:33] anethnicgroup : I honestly want access so i can see if any of my tricks i picked up through android through the years of contributing on XDA can be of any use here.
[2017-07-15 18:58:47] hostile : And a mass takedown on GitHub across multiple private forks would make a nice headline ;)
[2017-07-15 18:58:54] anethnicgroup : ^ this
[2017-07-15 18:59:00] fldatatek : But really I probably need to start learning some basic programming. At least so I can get to a point of being able to talk to our programmers on their level.
[2017-07-15 18:59:17] hostile : @anethnicgroup did you get added ?
[2017-07-15 18:59:57] anethnicgroup : not yet. My username on Git is Soitis636
[2017-07-15 19:00:45] hostile : Added
[2017-07-15 19:02:08] fldatatek : @hostile are we to a point now where I could safely grab the bins from an A3 and N3 without bricking it? (keeping in mind my noobness)
[2017-07-15 19:02:29] fldatatek : If so I have both A3's and N3 flight controllers coming this week.
[2017-07-15 19:04:18] fldatatek : I just can't brick them because I need them for aircraft I am building with them
[2017-07-15 19:09:37] martinbogo : Then please don't brick them :slightly_smiling_face:
[2017-07-15 19:10:38] martinbogo : in all seriousness -- so far, once we have the right DUML ( DJI unified markup .. used to communicate to the bird/RC during an upgrade and other actions from Assistant ) and keys, the exploit seems to work across all platforms
[2017-07-15 19:10:57] martinbogo : this allows arbitrary execution of ADB ( or other programs )
[2017-07-15 19:11:25] martinbogo : however, we -cannot- modify the main system image ( yet )
[2017-07-15 19:11:52] martinbogo : that's what I'm working on .. seeing if there is a way for me to either clear the efuse area, or extract keys from it
[2017-07-15 19:12:18] fldatatek : cool...
[2017-07-15 19:13:58] fldatatek : The N3 is just going to be a "boxquad" test platform for our software so it won't actually be on an aircraft.
[2017-07-15 19:14:54] fldatatek : I work for a company building aircraft to do tasks so we are mainly a software company writing code to control the aircraft using DJI SDK.
[2017-07-15 19:15:48] fldatatek : but I am the guy that builds and maintains all the aircraft plus does all the CAD work and 3D printing for new prototype parts.
[2017-07-15 19:15:57] kilrah : cool
[2017-07-15 19:16:40] fldatatek : we have lots of other sensors we add to the aircraft so I have to figure out how to fit them..
[2017-07-15 19:21:27] hostile : @fldatatek a3 and n3 are not Android iirc... those are raw flight controllers. This technique need not apply. Only the unlocked assistant and websockets work on those
[2017-07-15 19:21:58] fldatatek : Oh ok thx @hostile
[2017-07-15 19:22:35] hostile : [websockets_work](#C602A457B) and [factory_mode_access](#C5ZSB6CM6) probably what you want...
[2017-07-15 19:23:42] fldatatek : Yep been playing with those..
[2017-07-15 19:28:48] dpitman : Is this what you guys made up or what dji calls it? "DUML ( DJI unified markup language"
[2017-07-15 19:32:56] hostile : freaky says it is likely "MB" protocol.. but we gonna roll with DUML.. and yeah that is the best guess on meaning. Other alternative was DannyUnderMyLeftnut
[2017-07-15 19:33:47] dpitman : haha, thanks!
[2017-07-15 19:34:55] fldatatek : LOL
[2017-07-15 19:44:29] hfman : So, I've got adbd running on the RC- hopefully can pull the .bin file before too long. The RC is a lot trickier to work with the way the usb initializes.
[2017-07-15 19:45:15] hfman : also have pyduml modified to do either copter or RC, your choice at commandline.
[2017-07-15 19:46:14] hostile : @hfman adb pull all the images from /upgrade
[2017-07-15 19:46:23] hostile : give them to @the_lord
[2017-07-15 19:46:35] hostile : he can hand roll a .bin
[2017-07-15 19:46:38] hfman : Oh, you don't think dji_system.bin is the better way to go?
[2017-07-15 19:46:43] hostile : I am archiving both
[2017-07-15 19:46:55] hostile : I **like** to have the **official** ones
[2017-07-15 19:47:04] hostile : but am also helping folks get up with "crafted" ones
[2017-07-15 19:47:11] hostile : all going into the git LFS
[2017-07-15 19:47:26] hfman : One big drag about the RC, it seems that no matter what, if you fire up adbd, it kills telnet. Haven't figured out a way around that.
[2017-07-15 19:47:40] hostile : not a big deal
[2017-07-15 19:48:14] hfman : Okay, I'll pull 'em with adb
[2017-07-15 19:50:09] hfman : @hostile, you talking about everything here: ?
[2017-07-15 19:50:35] the_lord : which version hfman?
[2017-07-15 19:50:41] hfman : .700 on the RC
[2017-07-15 19:50:53] the_lord : i can craft one as i have all the files
[2017-07-15 19:51:01] hostile : @hfman poke around in there... look for the .sigs
[2017-07-15 19:51:05] hostile : snag em
[2017-07-15 19:51:49] hfman : These:
[2017-07-15 19:52:32] hfman : Guess @the_lord doesn't need 'em!!
[2017-07-15 19:53:33] hfman : I still may try to grab the one during upgrade... just to have it. May not be able to get it as the telnet is really tricky. Didn't we determine adbd is killed during the upgrade?
[2017-07-15 20:00:18] hfman : Pulled... want 'em @hostile ??
[2017-07-15 20:13:52] mavicbreak : @hfman will you push the modified pyduml to github where its possible to select between copter and rc?
[2017-07-15 20:16:20] hfman : Yeah, I think I'll have conflicts, but will do before too long. Friggin RC is giving me fits
[2017-07-15 20:19:00] hfman : The other thing, you need a different fireworks.tar
[2017-07-15 20:21:45] mavicbreak : for controller downgrade ??
[2017-07-15 20:30:18] ender : @martinbogo , i need to compile stuff statically for the bird at some point, did you do anything special or is it just a standard ARM Linux compile or ???
[2017-07-15 20:30:51] freaky123 : I compiled just normal ARM linux previously
[2017-07-15 20:30:58] ender : (i tried out some stuff that worked beautifully but not from myself)
[2017-07-15 20:31:08] martinbogo : standard ARM linux compile with a v7 target
[2017-07-15 20:31:16] ender : v7 okay
[2017-07-15 20:32:55] ender : btw i played around with USB forwarding via WiFi and i saw that the Spark has WiFi & Vision connected via USB is that of any interest ?!
[2017-07-15 20:33:33] ender : damn this is rooting channel, sorry, i shutup !
[2017-07-15 20:38:40] hostile : That's legit talk here!
[2017-07-15 20:39:31] freaky123 : @ender I knew already
[2017-07-15 20:39:44] freaky123 : they use several usb -> ethernet connections internally
[2017-07-15 20:39:58] freaky123 : just an easy way to connect components
[2017-07-15 20:42:21] hfman : Not for downgrade, no- for rooting.
[2017-07-15 20:55:02] ender : freaky, i connected the vision USB of the spark to my W10, obviously no driver, is there anything known in it that would be useful to be controlled by win / mac (probably some diag stuff in DJI factory…)
[2017-07-15 20:57:16] freaky123 : the vision usb is an RNDIS device
[2017-07-15 20:57:23] freaky123 : so you can access the network
[2017-07-15 20:58:00] ender : okay ! just noticed it, have very little time and it's only a side effect of my games with the spark.
[2017-07-15 20:58:03] ender : Interesting.
[2017-07-15 20:58:59] ender : What's your estimate: are things like bitrate / max resolution (i suspect Spark can do 2,7k), DNG enable things in Android properties or stuff in the vision system ?!
[2017-07-15 20:59:12] ender : (just a guess, your guess may be better than my thought)
[2017-07-15 21:02:01] hfman : @hdnes , @hostile - I don't appear to have privs to commit to pyduml on git...
[2017-07-15 21:04:02] nickmv : any recommendations on a cheap android tablet with rom support?
[2017-07-15 21:04:08] nickmv : (for flying P4P)
[2017-07-15 21:04:25] nickmv : still using an N7 and think i could improve choppiness probaby
[2017-07-15 21:07:52] hostile : @hfman submit a pull request after forking
[2017-07-15 21:10:06] ender : @freaky123 : is there anyone / info anywhere about what's going on in the Vision System and how to talk to it via network or is that uncharted terrain ?!
[2017-07-15 21:10:20] freaky123 : no not documented but known
[2017-07-15 21:11:54] ender : upload your brain please :slightly_smiling_face:
[2017-07-15 21:12:08] freaky123 : ^^ @hostile also knows some stuff
[2017-07-15 21:12:08] ender : no rough map of anything anywhere ?!
[2017-07-15 21:12:16] ender : i never guessed :wink:
[2017-07-15 21:12:25] freaky123 : no in my brain is most parts.. don't have time for writing most of the times
[2017-07-15 21:12:34] freaky123 : if I can remember I keep it like that :stuck_out_tongue:
[2017-07-15 21:12:35] hostile : google mavic DIKFER Mavproxyuser
[2017-07-15 21:12:55] hostile : memetic info transfer is the strongest method
[2017-07-15 21:12:58] ender : reading…
[2017-07-15 21:12:59] hostile : fuck a wiki
[2017-07-15 21:12:59] hostile : :wink:
[2017-07-15 21:13:17] ender : haha, i cant even memorize wifes birthday :slightly_smiling_face:
[2017-07-15 21:13:31] hostile : “siri when is my old ladies birthday?”
[2017-07-15 21:13:31] freaky123 : haha I can't remember that either
[2017-07-15 21:13:38] freaky123 : but remembering important stuff I do ^^
[2017-07-15 21:13:58] ender : actually i have a friend calling me for everything important as he knows i ignore my calendar notices :stuck_out_tongue:
[2017-07-15 21:14:11] ender : and “old lady” would get me fried btw
[2017-07-15 21:15:21] ender : oh heck direct interface to the ambarella, no DJI sh*t ! ambarella is modded in numerous ways…
[2017-07-15 21:15:32] ender : did you try any ambarella mods yet =!
[2017-07-15 21:21:52] hfman : @hostile - Pull request submitted.
[2017-07-15 21:22:40] hostile : k ill look tonight…. with son in backyard right now
[2017-07-15 21:27:14] ender : no better time spent ever :slightly_smiling_face:
[2017-07-15 21:27:59] hostile : <https://github.com/hdnes/pyduml/pull/4>
[2017-07-15 21:28:18] hostile : ill merge soon or @hdnes will…
[2017-07-15 21:28:27] hostile : thx @hfman
[2017-07-15 21:28:35] hostile : @hotelzululima ---^
[2017-07-15 21:53:29] hotelzululima : YAY!!!
[2017-07-15 21:53:42] hotelzululima : just looked at the pull
[2017-07-15 21:55:17] hotelzululima : in richmond visiting with my 2 other dobies I helped rehome and raise(rescues)
[2017-07-15 21:55:37] hotelzululima : will try sunday.. on target hw
[2017-07-15 21:55:49] hotelzululima : on first downgrade and root..
[2017-07-15 22:03:32] hfman : Sorry, there is a teeny bug in that. The second time you run it, it will bomb out. Fixing now
[2017-07-15 22:26:47] beecoding : Guys I have rooted the .800 firmware and I want to downgrade to the .700. No success at all using the pyduml. Any ideas? Using that pull request code I get a "Connection timed out" error
[2017-07-15 22:31:14] the_lord : first time i downgraded to 700 i was on rooted 900
[2017-07-15 22:42:16] beecoding : ... via pyduml?
[2017-07-15 22:42:59] the_lord : i've never used it :slightly_smiling_face:
[2017-07-15 22:43:16] the_lord : only to check the CRC and file size
[2017-07-15 22:43:54] the_lord : coz md5sum didn't work with me on windows
[2017-07-15 23:04:52] beecoding : I'm trying to use it on my linux laptop. Upgraded to 900 to test and no success again
[2017-07-15 23:24:06] hfman : Let me check downgrading to .700. I haven't done an actual downgrade with pyduml, only root. What do you mean "pull request code" you get a timeout?
[2017-07-15 23:33:30] beecoding : I mean using the code you provided in your fork and submitted as a pull request and i get these messages:
```
Traceback (most recent call last):
  File "pyduml.py", line 166, in <module>
    main()
  File "pyduml.py", line 39, in main
    upload_binary()
  File "pyduml.py", line 84, in upload_binary
    ftp = FTP("192.168.42.2", "Gimme", "DatROot!")
  File "/usr/lib/python2.7/ftplib.py", line 120, in __init__
    self.connect(host)
  File "/usr/lib/python2.7/ftplib.py", line 135, in connect
    self.sock = socket.create_connection((self.host, self.port), self.timeout)
  File "/usr/lib/python2.7/socket.py", line 575, in create_connection
    raise err
socket.error: [Errno 110] Connection timed out
```
[2017-07-15 23:40:08] hfman : without running the pyduml, can you ftp to your mavic?
[2017-07-15 23:40:41] hfman : (BTW- I am in the process of sending .700 firmware to my copter in windows right now)
[2017-07-15 23:41:49] hostile : @beecoding your RNDIS driver looks fucked
[2017-07-15 23:42:38] hostile : @beecoding on linux I think you must manually give usb0 the proper IP address of the drone.
[2017-07-15 23:52:57] beecoding : I can ftp to my mavic without the script
[2017-07-15 23:53:23] beecoding : @hostile how am I supposed to do that?
[2017-07-15 23:54:09] hostile : let me know when you figure it out.
[2017-07-15 23:54:10] hostile : <https://docs.python.org/2/library/pdb.html>
[2017-07-15 23:54:34] hostile : i'd suggest tcpdump / wireshark as well
[2017-07-15 23:54:42] hostile : feel free to dump us a network capture
[2017-07-15 23:55:11] hostile : (of port 21)
[2017-07-16 00:00:16] hostile : Does the version in master not work for you?
[2017-07-16 00:01:20] beecoding : it stops with the mkdir error
[2017-07-16 00:06:39] hostile : Maybe investigate that...
[2017-07-16 00:06:54] hostile : You've got two examples to get familiar with
[2017-07-16 00:06:59] hostile : We love pull requests
[2017-07-16 00:07:40] hostile : There is a ruby port that needs its crc fixed if you are bored its in its own branch
[2017-07-16 00:08:42] beecoding : oh
[2017-07-16 00:08:58] beecoding : i figured out that the ftp stops working after some time
[2017-07-16 00:09:04] beecoding : lemme check why
[2017-07-16 00:14:22] beecoding : looks like its my drivers
[2017-07-16 00:14:24] hfman : Well folks... I have a feeling my Mavic is bricked...
[2017-07-16 00:14:25] beecoding : rebooting
[2017-07-16 00:14:49] beecoding : what happened?
[2017-07-16 00:15:07] hfman : Downgraded to .400 with pyduml. All was proceeding fine.
[2017-07-16 00:15:32] avg.bob : what version of ubuntu are you using? my old laptop's version needs a lot of tools to be installed that should be there. - nm, going with latest ubuntu
[2017-07-16 00:15:35] hfman : I was tailing out the upgrade file... it then did a reboot (which was expected) after maybe 10 minutes or so.
[2017-07-16 00:15:45] avg.bob : what are you all using?
[2017-07-16 00:16:11] hfman : It comes back up, get tones, but no fan, no pc connectivity, and won't connect to controller.
[2017-07-16 00:16:21] beecoding : shit
[2017-07-16 00:16:37] avg.bob : damn
[2017-07-16 00:16:38] hfman : @hostile ... had you tried going down to .400 ?
[2017-07-16 00:18:15] beecoding : What are you going to do? Did someone brick their mavic too until now?
[2017-07-16 00:18:56] hfman : THis is last meaningful message in log when it rebooted:
[2017-07-16 00:18:57] hfman : 01-01 00:16:11.586 3464 28392 I DUSS&63[sys_p1_push_ongoing_stat:2961]:: Push to 0xa01 for module 0x801, overall upgrade progress: 86 (18:3:0), stop_pushing=0
[2017-07-16 00:19:42] hfman : I think it stopped at 86%. It might expect more from Assis2, not sure.
[2017-07-16 00:20:49] beecoding : Does it show up in Assis2?
[2017-07-16 00:21:34] hfman : No. The comm ports come up, but I can't ping it, Assis2 can't see it, can't FTP to it.
[2017-07-16 00:22:37] hfman : Now previously, I pushed .700 back to it with pyduml, that went fine... no issues after that "refresh".
[2017-07-16 00:26:31] hostile : its probably mid update...
[2017-07-16 00:26:37] hostile : did you fire it like 3 times?
[2017-07-16 00:26:56] hostile : reboot your box... wait for the update to complete (takes like 5 minutes)
[2017-07-16 00:27:54] hfman : OMG... I let it cool down, Assist finally saw it again, showed it at 96% complete, just went to 99%, reboot, still at 99% at the moment.
[2017-07-16 00:28:24] hostile : :wink:
[2017-07-16 00:28:29] hfman : @hostile - wait... not understanding what you are saying. Are you saying I have to fire pyduml three times???
[2017-07-16 00:28:39] hostile : no I was wondering if you were impatient
[2017-07-16 00:28:46] hostile : cuz if you do... it will take long AF
[2017-07-16 00:28:46] hostile : heh
[2017-07-16 00:28:53] hostile : especially if you wait till like 75%
[2017-07-16 00:28:55] hostile : and fire it again
[2017-07-16 00:28:59] hostile : (back to 0%)
[2017-07-16 00:29:10] hostile : then you shake your fist... wait till like 25%
[2017-07-16 00:29:11] hostile : fire again
[2017-07-16 00:29:12] hostile : lol
[2017-07-16 00:29:15] hfman : No.... so after the first reboot... what do you suppose we are supposed to do?
[2017-07-16 00:29:19] hostile : meanwhile your Mavic like Yo relax!
[2017-07-16 00:29:30] hostile : you sit and wait like 5 minutes plus for the whole process to complete
[2017-07-16 00:29:36] hostile : it will make happy startup tones when it is done
[2017-07-16 00:29:42] hostile : go get some coffee and come back later
[2017-07-16 00:30:01] hfman : with no blinky lights, etc... just wait for it to make final happy sounds?
[2017-07-16 00:30:04] hostile : yes
[2017-07-16 00:30:11] hfman : I'm pretty sure I waited at least 5, but maybe not.
[2017-07-16 00:30:16] hostile : yes wait for it
[2017-07-16 00:30:26] hostile : it gets a little unnerving
[2017-07-16 00:30:33] hfman : Assis2 shows it stuck at 99%... just wait more? (At least fan is on now...)
[2017-07-16 00:30:43] hostile : yup... just wait
[2017-07-16 00:30:48] hostile : unless it says 100%
[2017-07-16 00:30:52] hostile : you aint done son
[2017-07-16 00:30:58] hostile : if you bored you can pull upgrade00.log
[2017-07-16 00:31:26] hostile : <https://dji-rev.slack.com/archives/C60KELF6H/p1500013335623091>
[2017-07-16 00:31:56] hfman : Yokay sir. Yes, I was aware of that... didn't realize you get tones after the reboot some time later...
[2017-07-16 00:33:05] hfman : Tailing the upgrade log again... not much of interest at the moment...
[2017-07-16 00:33:22] hostile : final field shows upgrade_progress % I think
[2017-07-16 00:33:36] hfman : This over and over:
[2017-07-16 00:33:37] hfman : 07-15 18:33:23.171 3304 4941 I DUSS&63[ sys_usb_switch: 316]:: mode: 0, up_status 5, conn_pc 1, conn_app_timeout 3, cam_rt_mode 0, cam_mode 5
[2017-07-16 00:33:50] hostile : yeah but what about the %age
[2017-07-16 00:34:14] hfman : In Assistant 2? It's still at 99%
[2017-07-16 00:34:23] hostile : no in the log
[2017-07-16 00:34:28] hostile : grep "%" log
[2017-07-16 00:34:44] hostile : heh with the **real** grep
[2017-07-16 00:34:49] hfman : Well, I haven't pulled it. Just tailing it. Above line over and over
[2017-07-16 00:34:57] hostile : stop tailing it
[2017-07-16 00:35:00] hfman : adbd isn't up...
[2017-07-16 00:35:00] hostile : and grep it
[2017-07-16 00:35:39] hfman : ah, okay. Hmmm... how to grep. I need to make sure my herring isn't used.
[2017-07-16 00:37:15] hfman : won't any |grep use herring grep?
[2017-07-16 00:37:46] hostile : just mv it or rm it out of the way
[2017-07-16 00:37:50] hostile : or type the full path out
[2017-07-16 00:40:08] hfman : got any thoughts on cmdline?
[2017-07-16 00:40:19] hfman : grep perc upgrade00.log ?
[2017-07-16 00:41:20] hfman : busybox tail -100f upgrade00.log doesn't do anything, so not sure what I've got in the way of tools
[2017-07-16 00:42:23] hostile : just copy the whole damn log off?
[2017-07-16 00:42:36] hostile : via ftp and decrypt it with the AES tool
[2017-07-16 00:42:39] hostile : drop the result here
[2017-07-16 00:42:46] hfman : Ya, guess I could do that...
[2017-07-16 00:42:51] hostile : save us all some time
[2017-07-16 00:42:52] hostile : =]
[2017-07-16 00:48:04] hfman : I think it's okay. I went back to home in Assis2, then clicked Mavic again. Shows this:
[2017-07-16 00:48:53] hostile : you should have a telnet shell on port 1234
[2017-07-16 00:49:00] hostile : and "adb devices" should show you the herring
[2017-07-16 00:49:24] hostile : you can't run adb until you telnet in and remove /data/.bin/grep
[2017-07-16 00:49:26] hostile : via telnet
[2017-07-16 00:49:38] hfman : Yeah, telnet is fine, adb isn't running cause my latest herring didn't have that.
[2017-07-16 00:49:41] hostile : (assuming you are using the 400 combined)
[2017-07-16 00:50:07] hfman : I'm using just .400. My previous root is still there, it didn't get wiped out.
[2017-07-16 00:50:35] hfman : (I don't mod the dji_startup... just start things with herring)
[2017-07-16 01:04:05] hfman : I think the logs confirm:
[2017-07-16 01:04:07] hfman :
07-15 18:27:10.837 3614 5475 I DUSS&63[sys_up_status_push_threa: 871]:: +++++++ Sending upgrade status for upgrading_stage, len: 11, app_host=0xa01, mod_id=0xa8 (08.05), status 0, progress: 100, total_progress: 99
07-15 18:27:12.838 3614 5475 I DUSS&63[sys_up_status_push_threa: 871]:: +++++++ Sending upgrade status for upgrading_stage, len: 11, app_host=0xa01, mod_id=0xa8 (08.05), status 0, progress: 100, total_progress: 99
07-15 18:27:13.178 3614 5478 I DUSS&63[ sys_usb_switch: 316]:: mode: 0, up_status 4, conn_pc 1, conn_app_timeout 3, cam_rt_mode 0, cam_mode 5
07-15 18:27:13.440 3614 10877 I DUSS&63[ sys_p1_upgrade_all:3471]:: All upgrade success, reboot.
07-15 18:27:13.641 3614 10877 I DUSS&63[sys_p1_active_reboot_for:5150]:: app_host=0xa01
[2017-07-16 01:06:17] hfman : SOOO... that said. PYDUML works fine under windows- just gotta REMAIN PATIENT, don't get ahead of the game!!! Thanks @hostile...
[2017-07-16 01:06:52] hostile : " progress: 100, total_progress: 99" that is it bro!
[2017-07-16 01:07:01] hostile : "All upgrade success, reboot."
[2017-07-16 01:07:06] hostile : boom
[2017-07-16 01:07:25] hfman : Now back to .700 ... :slightly_smiling_face:
[2017-07-16 01:08:05] hfman : BTW... when "refreshing", even with PYDUML, it goes quite a bit faster. That's partly why I got tripped up.
[2017-07-16 01:18:26] beecoding : does anyone know how to reinstall or fix my RNDIS driver in Ubuntu 16.04?
[2017-07-16 01:18:44] beecoding : it doesn't even get a IP adress when connected
[2017-07-16 01:22:56] hostile : ifconfig usb0 192.168.42.3 up
[2017-07-16 01:27:34] beecoding : the ip shows up but I can't reach the Mavic and can't ping my address from adb
[2017-07-16 01:34:19] avg.bob : is brew an osx related thing? trying to get it to work in ubuntu. i had root on a borrowed osx laptop that i had to give back
[2017-07-16 01:37:18] beecoding : I used to have a fork of it for linux
[2017-07-16 01:37:30] beecoding : <http://linuxbrew.sh/>
[2017-07-16 01:37:47] avg.bob : thanks
[2017-07-16 02:07:41] beecoding : After trying the pyduml a lot of times I made it...
[2017-07-16 02:19:44] hdnes : ha… Just pushed new code that’s a little cleaner!
[2017-07-16 02:19:48] hdnes : congrats
[2017-07-16 02:49:38] hostile : brew is akin to apt on linux @avg.bob
[2017-07-16 02:52:59] hfman : @hdnes... did you not see my pull? I think you messed up the ftp mkdir stuff again...
[2017-07-16 02:53:53] hdnes : no I didn’t I just didn’t understand it exactly
[2017-07-16 02:54:08] hdnes : explain and I’ll correct it
[2017-07-16 02:54:24] hdnes : my impression was that the mkdir was only for the RC
[2017-07-16 02:54:35] hfman : No, it's for both devices
[2017-07-16 02:54:38] hostile : mkdir leave it there **always**
[2017-07-16 02:54:43] hdnes : it wouldn’t run on the mavic
[2017-07-16 02:54:46] hfman : mkdir doesn't even work...
[2017-07-16 02:54:52] hfman : That's why I fixed it...
[2017-07-16 02:54:56] hostile : fix your pythons..
[2017-07-16 02:54:59] hostile : or check version
[2017-07-16 02:55:05] hostile : or specify which version the user is intended to use...
[2017-07-16 02:55:16] hdnes : ok I’m tracking now
[2017-07-16 02:55:16] hostile : all of this can be compensated for in the script
[2017-07-16 02:55:20] hostile : python2 script.py
[2017-07-16 02:55:24] hfman : ftp.mkd
[2017-07-16 02:55:26] hostile : then python3 script.py
[2017-07-16 02:55:47] hostile : and make sure there is no fuckery
[2017-07-16 02:55:53] hdnes : @hostile can you sort it then, being that you are up to speed? should be the only issue with the current push
[2017-07-16 02:55:57] hfman : And you can't create it if it is already there... so you have to check to see if it is there first.
[2017-07-16 02:56:08] hostile : I'm off doing other shit for the night
[2017-07-16 02:56:12] hostile : and have a pile of other code to fix
[2017-07-16 02:56:20] hostile : so I'mma let you all and any other volunteers handle it
[2017-07-16 02:56:21] hostile : =]
[2017-07-16 02:56:26] hdnes : ok, I’ll play with it if I can figure it out now that I understand
[2017-07-16 02:56:42] avg.bob : @hostile so then i just use apt-get or install instead of brew? brew is a pain to get working on my flavor of ubuntu
[2017-07-16 02:56:42] hfman : so on some versions of python, ftp.mkd doesn't work? That's friggin goofy...
[2017-07-16 02:56:56] hostile :
```
import sys
# bail out early on interpreters older than the one the script targets
if sys.version_info < (2, 5):
    raise RuntimeError("must use python 2.5 or greater")
else:
    # conditional expression: syntax error in 2.4, ok in 2.5
    x = 1 if True else 2
    print x
```
[2017-07-16 02:57:07] hostile : yes @avg.bob
[2017-07-16 02:57:14] hostile : or be a man and install manually :wink:
[2017-07-16 02:57:20] hfman : My python is 2.7
[2017-07-16 02:57:27] hostile : that is great...
[2017-07-16 02:57:28] hfman : mkd should work on 'em all
[2017-07-16 02:57:34] hostile : test
[2017-07-16 02:57:34] hostile : understand that your userbase may not be...
[2017-07-16 02:57:35] hostile : :wink:
[2017-07-16 02:57:48] hostile : and code accordingly. <https://dji-rev.slack.com/archives/C60KELF6H/p1500173816302080>
[2017-07-16 02:59:31] avg.bob : @hostile I'm relearning so much. this linux machine has not been powered up since 2007 :scream: thanks for all the guidance
[2017-07-16 02:59:39] hfman : far as I am aware, ftp.mkd is applicable across all versions of python.
[2017-07-16 02:59:45] hfman : That's why I FIXED it...
[2017-07-16 03:01:01] hdnes : ok let me try mkd
[2017-07-16 03:02:04] hfman : So did you say my pull wouldn't run on your mavic?
[2017-07-16 03:17:16] beecoding : My python is at 2.7.12 and the new version is working without errors
[2017-07-16 03:18:16] jezzab : just about ready to see if this gui will flash.
[2017-07-16 03:26:11] jezzab : the MD5 is in the order it's generated, right? it's not inverted LSB like the rest
[2017-07-16 03:26:14] jezzab : Looks right
[2017-07-16 03:26:38] jezzab : Nevermind
[2017-07-16 03:28:53] the_lord : jezzab i'm ready to verify anything you may need
[2017-07-16 03:30:20] jezzab : cheers mate.
[2017-07-16 03:34:32] vk2fro : count me in too - I'll give it a shot.
[2017-07-16 03:34:45] jezzab : well all the DUML packets look good. backchecked in hexworkshop and calc'd manually and everything matches. Just gotta sort the ftp upload now
[2017-07-16 03:38:13] jezzab : 551E048A2A28F65740000A0036E11566AE6E303EC5C407F9C0F6C3820FA5
[2017-07-16 03:38:33] jezzab : MD5: 36e11566ae6e303ec5c407f9c0f6c382
[2017-07-16 03:38:47] jezzab : look correct @the_lord?
[2017-07-16 03:39:02] the_lord : i'll check
[2017-07-16 03:39:37] jezzab : thanks
[2017-07-16 03:40:53] hdnes : Git Pull. Just fixed ftp
[2017-07-16 03:40:54] the_lord : looks good and CRC too ok
[2017-07-16 03:41:09] jezzab : sweet
[2017-07-16 03:41:10] hdnes : PyDUML working with RC now too
[2017-07-16 03:41:15] jezzab : nice
[2017-07-16 03:41:17] hdnes : and more user friendly
[2017-07-16 03:46:38] vk2fro : what dependency am I missing (mac os x), error about serial
[2017-07-16 03:46:54] vk2fro : File "/usr/local/lib/python2.7/site-packages/serial/serialposix.py", line 268, in open raise SerialException(msg.errno, "could not open port {}: {}".format(self._port, msg)) serial.serialutil.SerialException: [Errno 2] could not open port tty.usbmodem14E5: [Errno 2] No such file or directory: 'tty.usbmodem14E5'
[2017-07-16 03:47:33] vk2fro : never mind - forgot the /dev LOL
[2017-07-16 03:48:07] vk2fro : firmware update complete! :slightly_smiling_face:
[2017-07-16 03:58:35] jezzab : is the creation of .bin required just for the fw upgrade? or just for root/grep?
[2017-07-16 03:59:24] the_lord : @hdnes
```
C:\ADB\DUMLHerring\pyduml>python pyduml.py com3
---------------------------------------------------------------
Select device number as follows:
Aircraft = [1], RC = [2] : 2
---------------------------------------------------------------
Running Exploit for RC
---------------------------------------------------------------
You picked an option not yet supported
Traceback (most recent call last):
  File "pyduml.py", line 179, in <module>
    main()
  File "pyduml.py", line 33, in main
    write_packet(packet_1) # Enter upgrade mode (delete old file if exists)
NameError: name 'packet_1' is not defined
C:\ADB\DUMLHerring\pyduml>
```
[2017-07-16 04:00:46] hdnes : Port string example in the code
[2017-07-16 04:03:04] hdnes : That's code hostile modified and I don't have pc to test.
[2017-07-16 04:03:36] hdnes : But it should be tty or similar
[2017-07-16 04:11:26] hostile : "NameError: name 'packet_1' is not defined"
[2017-07-16 04:11:30] hostile : actually no it isn't...
[2017-07-16 04:11:42] hostile : read the backtrace
[2017-07-16 04:11:45] hostile : :wink:
[2017-07-16 04:11:56] hostile : @hdnes ...
[2017-07-16 04:13:13] hdnes : Sorry on phone. Missed that. Thought it was a serial problem
[2017-07-16 04:14:23] the_lord : i didn't get what do you mean
[2017-07-16 04:16:05] hostile : @channel Share with the .bins with who ever you want now... <https://github.com/MAVProxyUser/dji_system.bin>
[2017-07-16 04:16:37] hdnes : Just move the global higher up
[2017-07-16 04:16:49] hdnes : I'll fix after I get home.
[2017-07-16 04:17:47] the_lord : this is what i did but i wanted you to know
[2017-07-16 04:18:43] hdnes : Awesome thanks
[2017-07-16 04:19:23] the_lord : i HATE python
[2017-07-16 04:19:32] hdnes : Ha sorry
[2017-07-16 04:19:49] the_lord : i put it up above device and it's still complaining about it
[2017-07-16 04:19:59] hdnes : I do as well. But it did seem to be the most agnostic choice that I knew I could get working.
[2017-07-16 04:21:07] hdnes : It's strange you are getting the else option though
[2017-07-16 04:21:28] hdnes : Versus the elif option.
[2017-07-16 04:29:00] hostile : heh why do you think I write in ruby!
[2017-07-16 04:47:45] hfman : You have to declare globals as global in every def they are used in.
[2017-07-16 04:47:56] hfman : Otherwise they are local to the def
[2017-07-16 04:48:06] the_lord : hmmmm
[2017-07-16 04:48:40] hfman : I had all this working, and it was basically ripped out and replaced.
[2017-07-16 04:49:40] hostile : it was failing for me and 2 others in the chat when you published
[2017-07-16 04:49:50] hostile : when ever it was originally starting to work
[2017-07-16 04:49:52] hostile : =]
[2017-07-16 04:50:02] hostile : I need to get back to fixing the ruby port and letting you code your shit
[2017-07-16 04:50:12] hostile : and me focus on any variants in my own comfort zone.
[2017-07-16 04:50:32] hfman : Nope, my code was re-written and that's when it broke. My pull wasn't properly pulled.
[2017-07-16 04:50:56] hostile : ahh I thought hdness wrote that
[2017-07-16 04:51:05] hostile : you twos names are confusing
[2017-07-16 04:51:15] hostile : brain not working!
[2017-07-16 04:51:16] hostile : heh
[2017-07-16 04:51:31] hfman : np... we'll get it fixed.
[2017-07-16 04:51:37] hostile : welcome to the fun world of being a dev!
[2017-07-16 04:53:07] hfman : So I do have something to contribute tonight as well.. the real dji_system.bin from the RC. It was a total bitch to grab that.. on my machine the RC is really cranky on the adb and telnet ports due to it trying to get comms up with a phone or whatever.
[2017-07-16 04:53:28] hostile : good fucking man!
[2017-07-16 04:53:35] hostile : paste it into slack
[2017-07-16 04:53:40] hostile : I'll pull it into the GIT lfs
[2017-07-16 04:54:04] hfman : The telnet goes silent very shortly after the port comes alive... gotta catch it right at the right time.
[2017-07-16 04:54:24] hfman : Yeah, I have to adb it down... still on the RC at the moment in a safe place.
[2017-07-16 04:54:27] vk2fro : I assume you had to be quick to grab that bin from the RC hfman :slightly_smiling_face:
[2017-07-16 04:54:52] hfman : Took about a zillion times to get to a telnet at the right time.
[2017-07-16 04:54:56] hostile : @hfman I JUST opened the repo public... it would be sweet if you can snag that before I go to bed
[2017-07-16 04:55:20] hfman : Yeah, working on getting ADB back up... hang tight.
[2017-07-16 04:55:21] vk2fro : I bet!
[2017-07-16 04:56:00] hostile : if you have telnet... just place the grep into /data/.bin/grep (via ftp to /upgrade/.bin/"
[2017-07-16 04:56:12] hostile : and chmod 755 /data/.bin/grep from telnet
[2017-07-16 04:56:13] hostile : then reboot
[2017-07-16 04:58:01] hfman : right... but getting to telnet is a real trick on the RC (for me).... so just gonna slap it again with DUML to get adb back up.
[2017-07-16 05:02:39] hfman : @hostile, where ya want it?
[2017-07-16 05:03:41] jezzab : Total progress of upgrade: 20%
[2017-07-16 05:03:43] jezzab : :slightly_smiling_face:
[2017-07-16 05:06:28] the_lord : how are you checking the upgrade? tail or your app
[2017-07-16 05:06:31] hfman : How the heck do you drop a big file here in slack?
[2017-07-16 05:06:47] the_lord : drag drop
[2017-07-16 05:07:14] hfman : sheesh... it's the simple things. :stuck_out_tongue_winking_eye:
[2017-07-16 05:07:19] hostile : lawl
[2017-07-16 05:07:48] jezzab : @the_lord adb. busybox tail -f upgrade00.log
[2017-07-16 05:08:09] jezzab : all done, rebooted and happy days :slightly_smiling_face:
[2017-07-16 05:08:11] jezzab : works lol
[2017-07-16 05:08:25] hostile : would you expect any less? :wink:
[2017-07-16 05:08:34] hostile : this ain't danny boys crew!
[2017-07-16 05:08:45] the_lord : if you would like to parse the received packets i can get you the DUML of upgrade status
[2017-07-16 05:10:18] hostile : @here who is gonna capture the Goggles .bin file?
[2017-07-16 05:10:19] hostile : :wink:
[2017-07-16 05:10:21] jezzab : that would be cool
[2017-07-16 05:10:44] vk2fro : I'll be too late to that party - cant afford the goggles till next month :stuck_out_tongue:
[2017-07-16 05:10:58] the_lord : @hostile talking to me?
[2017-07-16 05:11:11] vk2fro : by then someone will have already got the bin for them :slightly_smiling_face:
[2017-07-16 05:12:40] hostile : $ git push Git LFS: (0 of 1 files) 9.81 MB / 28.63 MB
[2017-07-16 05:13:02] hostile : I am gonna try a trick in a sec...
[2017-07-16 05:13:17] the_lord : the goggles are already rooted by you :wink:
[2017-07-16 05:13:39] hostile : --bypass <DEVICE> force all device as param [Receiver]|[DEVICE]|[Version] eg Controller|ai900v2|3.1.0.2
[2017-07-16 05:13:52] hostile : <https://dji-rev.slack.com/archives/C5ZR0QXUG/p1500158994372555>
[2017-07-16 05:14:00] hostile : I think we can collect all the Pokemon with that
[2017-07-16 05:14:01] hostile : and VPN
[2017-07-16 05:14:02] hostile : ...
[2017-07-16 05:15:13] the_lord : when i wake up i'll get you the i2 and goggles
[2017-07-16 05:15:21] the_lord : GN
[2017-07-16 05:15:28] hostile : sweet dreams princess
[2017-07-16 05:16:54] jezzab : now to work on the backup stuff
[2017-07-16 05:20:47] hfman : I just gave the .700 RC dji_system.bin, he's pushed it to GIT. I just tested upgrading the RC with pyduml, looks good.
[2017-07-16 05:21:18] hfman : @the_lord , you the man! Now I just need somebody to sniff the goggles upgrade! I don't have any tools to do that.
[2017-07-16 05:21:57] vk2fro : hfman, how long did the RC take to upgrade?
[2017-07-16 05:22:05] hfman : Barely 2 minutes
[2017-07-16 05:22:29] hfman : (But, I think it takes less time if the firmware is the same as what is on it)
[2017-07-16 05:22:41] hfman : I'll try going down to .400, then back to 700 to time it.
[2017-07-16 05:23:12] vk2fro : mabye I need to root it first.
[2017-07-16 05:23:33] hfman : ...handy to tail out the upgrade log...
[2017-07-16 05:24:55] vk2fro : true
[2017-07-16 05:25:38] vk2fro : ok rooted it - do I need to power cycle it to take effect?
[2017-07-16 05:27:56] vk2fro : ok got root :slightly_smiling_face:
[2017-07-16 05:32:33] hfman : Yep, only about 2 minutes to put it down to .400
[2017-07-16 05:37:39] hfman : Ya know what.. I recommend after upgrading the RC, give it a couple mins after the reboot, and connect Assistant2 to it - it helps to "complete" the upgrade, and now I don't have any trouble bringing up Telnet. I think the upgrade process is trying to tell Assistant that it is done, but it can't.
[2017-07-16 05:38:29] hdnes : script worked fine for me. fireworks isn’t quite right I think because it’s not rooting the RC, but the python as currently on the repo had no issues
[2017-07-16 05:38:46] vk2fro : worked for me - I have a rooted RC now
[2017-07-16 05:39:05] hdnes : using the fireworks.tar in the repo?
[2017-07-16 05:39:11] vk2fro : yes
[2017-07-16 05:39:30] hdnes : cool, I don’t know what @thelord’s issue was then?
[2017-07-16 05:39:32] hostile : key to rooting is /data/.bin
[2017-07-16 05:39:37] hostile : if it ain't there you ain't getting root
[2017-07-16 05:39:45] hostile : always spot check it via ftp
[2017-07-16 05:39:59] hdnes : yeah, it showed up after running script but adb isn’t hot after root
[2017-07-16 05:40:12] hostile : yeah read the git commit =]
[2017-07-16 05:40:19] hostile : "adb devices" work?
[2017-07-16 05:40:30] hostile : IF so then you have to rm "grep" for adb to work
[2017-07-16 05:40:35] hostile : they conflict with each other
[2017-07-16 05:40:38] hdnes : negative
[2017-07-16 05:40:42] hostile : really annoying AF
[2017-07-16 05:40:47] hostile : which update.tar did you use?
[2017-07-16 05:40:50] hostile : a combined?
[2017-07-16 05:40:53] hostile : or regular
[2017-07-16 05:40:56] hdnes : no just regular
[2017-07-16 05:40:58] hfman : I haven't had any issues with adb and grep conflicting??
[2017-07-16 05:40:59] hostile : use a combined
[2017-07-16 05:41:13] hostile : it will be there on reboot and down /upgrade
[2017-07-16 05:41:48] hostile : depends on where / how you have fired your ADB.
[2017-07-16 05:42:09] hfman : I fire it in grep
[2017-07-16 05:42:38] hfman : ...and don't lose root / grep on upgrade/downgrade
[2017-07-16 05:45:02] hostile : yeah if you leave it in place it should always fire
[2017-07-16 05:45:02] hdnes : and @hfman are you using the fireworks.tar in the repo?
[2017-07-16 05:45:25] hfman : Just slightly modified... I don't delete grep
[2017-07-16 05:45:55] hfman : When I want to unroot, I just telnet in and delete the grep.
[2017-07-16 05:46:14] hdnes : interesting, because mine still isn’t taking
[2017-07-16 05:46:23] hostile : @hdnes try a combined please
[2017-07-16 05:46:45] hostile : clean up /data/.bin and use the combined
[2017-07-16 05:47:05] hostile : make sure you leave /data/.bin just clean up "grep"
[2017-07-16 05:47:08] hfman : What isn't taking? Do you see grep in /data/.bin ?
[2017-07-16 05:47:15] hdnes : yeah it’s there
[2017-07-16 05:47:23] hostile : most importantly is it chmod 755
[2017-07-16 05:47:28] hostile : ls plz
[2017-07-16 05:47:35] hostile : if it has no "x" flags it won't run
[2017-07-16 05:48:11] hdnes : can’t chmod without root?
[2017-07-16 05:48:12] hfman : So what isn't working? Telnet?
[2017-07-16 05:48:20] hdnes : either telnet or adb
[2017-07-16 05:48:27] hostile : ls /data/.bin plz
[2017-07-16 05:48:38] hostile : or via ftp /upgrade/.bin
[2017-07-16 05:49:26] hdnes : -rwxr-xr-x 1 0 20 528 Jul 9 05:51 grep
[2017-07-16 05:50:04] hostile : rm it
[2017-07-16 05:50:07] hostile : try a combined
[2017-07-16 05:50:10] hostile : report back
[2017-07-16 05:50:29] hfman : RC or Mavic?
[2017-07-16 05:50:33] hdnes : RC
[2017-07-16 05:51:12] hfman : May be having the same trouble I had all friggin day. Did you actually downgrade or upgrade it yet, or just root?
[2017-07-16 05:51:26] hdnes : straight to root
[2017-07-16 05:51:45] hdnes : well straight to attempting to root
[2017-07-16 05:52:16] vk2fro : I have root, but lost ftp access - can adb in.
[2017-07-16 05:52:36] vk2fro : (RC)
[2017-07-16 05:55:05] hostile : unplug and replug USB for ftp access probably
[2017-07-16 05:55:10] hostile : I bet interface has bad IP
[2017-07-16 05:55:22] hostile : those RNDIS drivers are awful
[2017-07-16 05:55:34] hdnes : combined is only for aircraft correct?
[2017-07-16 05:56:11] hostile : make one ...
[2017-07-16 05:56:18] hostile : it is in the readme
[2017-07-16 05:56:20] hostile : its easy AF
[2017-07-16 05:56:32] hostile : need gtar
[2017-07-16 05:56:35] hostile : not regular tar
[2017-07-16 06:06:22] hfman : @hostile - where did the .400 RC bin go? I got it from your repo last night, could have sworn.
[2017-07-16 06:06:48] hfman : I got it from somewhere last night...
[2017-07-16 06:07:58] hostile : I didn't have an RC bin last night
[2017-07-16 06:08:07] hostile : I had a .400 mavic bin
[2017-07-16 06:08:45] hfman : NM, I got it from another soul here. I can't really make it available without permission.
[2017-07-16 06:09:03] hostile : sheeeeeeeeeeit
[2017-07-16 06:09:09] hostile : read the header on my GPL rant
[2017-07-16 06:09:12] hostile : tar tvf it
[2017-07-16 06:09:19] hostile : if there is nothing special in it... I'd argue otherwise
[2017-07-16 06:09:20] hostile : :wink:
[2017-07-16 06:09:39] hostile : <https://github.com/MAVProxyUser/dji_system.bin>
[2017-07-16 06:09:45] hostile : files are fair game mang...
[2017-07-16 06:10:01] hfman : Well, it came from somebody here who has done a ton of work and very well might care, not my call.
[2017-07-16 06:10:10] hfman : I'll ping him...
[2017-07-16 06:10:47] hostile : I'm busting my ass out here folks... don't be hoarding .bins :wink:
[2017-07-16 06:12:03] hfman : eh? I KNOW you have a MP .400 bin...
[2017-07-16 06:12:25] hostile : every bin I have is in that repo...
[2017-07-16 06:12:33] hostile : unless I've lost track of it cuz of my son...
[2017-07-16 06:12:44] hfman : I just looked man... there's one there.
[2017-07-16 06:12:46] hostile : been in dad mode last 3 days
[2017-07-16 06:13:00] hostile : link me and I'll add it
[2017-07-16 06:13:15] hfman : It's on your GIT!!! The MP 400 bin...
[2017-07-16 06:14:11] hostile : "Mavic Pro"... not "Mavic Pro RC"
[2017-07-16 06:14:16] hostile : =]
[2017-07-16 06:14:44] hfman : I was simply responding to this:
[2017-07-16 06:15:18] hostile : ahh you talking the hand rolled ones?
[2017-07-16 06:15:45] hostile : I'm still looking for **original** ones if possible
[2017-07-16 06:16:33] hfman : Ah, well... I can work on a .400 RC original, painful to do as it is. Won't get to it today for sure, gonna go fly the hotliner and Chameleon.
[2017-07-16 06:17:10] hostile : I'll add those as "crafted"
[2017-07-16 06:17:10] hfman : Better hurry tho, my VMWare trial is about to expire...
[2017-07-16 06:19:56] hostile : oh wait!
[2017-07-16 06:20:14] hostile : going back through the prv DM those are legit extracted from Mossad911 VM =]
[2017-07-16 06:27:51] hostile : <https://dji-rev.slack.com/archives/C5ZR0QXUG/p1500186446838902>
[2017-07-16 06:28:05] hostile : thx guys!
[2017-07-16 06:41:36] hdnes : no joy on the combined method either?
[2017-07-16 06:42:30] hdnes : using non-delete fireworks and .400 RC
[2017-07-16 06:45:01] hostile : this is against the RC?
[2017-07-16 06:47:01] hdnes : yeah
[2017-07-16 06:53:02] hostile : gonna need to pull and decrypt the upgrade log and post it bro
[2017-07-16 06:55:01] hdnes : it’s also not connecting to assistant anymore..
[2017-07-16 06:55:17] hdnes : but ftp is still up and it’s accepting commands
[2017-07-16 06:55:30] hostile : reboot all the things
[2017-07-16 06:55:36] hdnes : tell me about it
[2017-07-16 06:55:38] hostile : going to bed fucking dog just puked and woke my kid up
[2017-07-16 06:55:44] hdnes : fun
[2017-07-16 06:55:51] hdnes : tomorrow
[2017-07-16 06:55:52] hdnes : later
[2017-07-16 07:16:48] hdnes : Does the RC have to be connected to the app during the root/upgrade?
[2017-07-16 07:17:36] hfman : Which app?
[2017-07-16 07:18:38] hostile : please pull the log file...
[2017-07-16 07:18:46] hdnes : yeah Im reading it now
[2017-07-16 07:18:52] hostile : post it here please
[2017-07-16 07:19:27] hostile : I would suggest no app...
[2017-07-16 07:19:29] hostile : personally
[2017-07-16 07:20:01] hdnes : yeah, didn’t figure it was needed but there are lots of err on not connect with app
[2017-07-16 07:20:05] hdnes : one sec on the log
[2017-07-16 07:20:56] vk2fro : Finally - controller on .700 and rooted. :slightly_smiling_face:
[2017-07-16 07:22:38] hfman : Don't global variables have to be defined as global in all defs where they are used?
[2017-07-16 07:22:53] hdnes : I’m not needing it apparently
[2017-07-16 07:23:00] hdnes : it’s running fine as is
[2017-07-16 07:23:07] hdnes : (minus the whole not root thing)
[2017-07-16 07:24:13] hfman : Looks like it finished...
[2017-07-16 07:24:48] hdnes : yeah, …..
[2017-07-16 07:25:54] hostile : tty only works at boot btw.. and USB must be plugged in
[2017-07-16 07:26:00] hostile : maybe you only have a window
[2017-07-16 07:26:20] hdnes : what do you mean
[2017-07-16 07:27:54] hfman : ignore my question about globals. I understand now how they work in python.
[2017-07-16 07:28:00] hdnes : cool
[2017-07-16 07:29:51] hfman : Are you powering up the RC WHILE it is plugged into the computer?
[2017-07-16 07:30:37] hdnes : maybe… if I understand you correctly
[2017-07-16 07:30:49] hdnes : should I be powering it on then plugging it in
[2017-07-16 07:30:59] hdnes : not sure how that’s different
[2017-07-16 07:31:04] hfman : Yes, RC is special. TTY, ADB, FTP, all gets disabled if it isn't on a PC when it is powered up.
[2017-07-16 07:31:13] hdnes : ahh fuck me
[2017-07-16 07:31:20] hfman : So plug in first, THEN power up.
[2017-07-16 07:31:38] hdnes : …ok well that’s what I’ve been doing
[2017-07-16 07:31:45] hfman : Okay. FTP working?
[2017-07-16 07:31:48] hdnes : yeah
[2017-07-16 07:32:03] hfman : do you see grep in /upgrade/.bin via FTP?
[2017-07-16 07:32:07] hdnes : yeah
[2017-07-16 07:32:11] hdnes : every time
[2017-07-16 07:32:23] hfman : It should work. What is the contents of your grep? per GIT?
[2017-07-16 07:32:50] hdnes : I’ve tried both fireworks.tar’s now
[2017-07-16 07:33:03] hostile : what version is your RC?
[2017-07-16 07:33:09] hdnes : firmware wise
[2017-07-16 07:33:13] hostile : do you know if /system is writable?
[2017-07-16 07:33:16] hostile : try it...
[2017-07-16 07:33:22] hostile : may not have grep in mksh
[2017-07-16 07:33:34] hfman : Currently .700, but root worked on .400 earlier when I had it on .400
[2017-07-16 07:34:29] hfman : Again, the RC is a bitch... I found that adbd is pretty reliable, but telnet bombs out frequently as soon as the port comes up.
[2017-07-16 07:35:25] hfman : (although it seems mine is way more reliable after downgrading/upgrading. Not sure what's up with that.)
[2017-07-16 07:35:48] hfman : Reboot the RC again, keep it plugged into the PC
[2017-07-16 07:36:33] hfman : Actually, try this. Unplug the RC, power it off, plug it back in, power it back on. Sometimes that seems to make a difference (although why I cannot explain)
[2017-07-16 07:36:59] hfman : ...has to do with the charge circuitry...
[2017-07-16 07:37:17] vk2fro : that could be true as part of the OS might still be running to show the charge % or battery full message.
[2017-07-16 07:37:39] hfman : makes sense
[2017-07-16 07:38:59] vk2fro : which fireworks are people using to root - universal?
[2017-07-16 07:39:01] hfman : if that doesn't work... plug in Assistant. I've seen that the upgrade keeps trying to "tell" assistant it is done, even after reboots....
[2017-07-16 07:39:30] hfman : Plug in Assistant, and it clears that behavior...
[2017-07-16 07:39:59] hfman : @vk2fro - i use the full one that was in RedHerring I think, let me compare.
[2017-07-16 07:40:41] hdnes : it’s not connecting to Assistant anymore
[2017-07-16 07:41:30] hfman : Really? Turn it off and on while Assis is up..
[2017-07-16 07:42:04] hdnes : yeah still nothing
[2017-07-16 07:42:18] hdnes : ok…..
[2017-07-16 07:42:20] hdnes : I got it
[2017-07-16 07:42:32] hdnes : I think you guys are right….
[2017-07-16 07:42:42] hdnes : it has to do with the charging keeping it on or something
[2017-07-16 07:42:54] hdnes : there is a very specific sequence
[2017-07-16 07:43:18] hdnes : after root:
[2017-07-16 07:43:28] hdnes : 1: unplug before turning off
[2017-07-16 07:43:32] hdnes : 2: turn off
[2017-07-16 07:43:41] hdnes : 3: turn on (without usb connected)
[2017-07-16 07:43:47] hdnes : 4: turn off
[2017-07-16 07:43:54] hdnes : 5: hook up usb and turn on
[2017-07-16 07:44:22] hfman : So ya got telnet and adb?
[2017-07-16 07:45:04] hdnes : ehh, it’s now showing up in devices but shell is not linking in
[2017-07-16 07:45:25] hdnes : let me check telnet
[2017-07-16 07:45:48] hdnes : yeah telnet is hot
[2017-07-16 07:46:26] hfman : @vk2fro - I use fireworks.tar in pyduml
[2017-07-16 07:46:56] vk2fro : ok thats the one I use - maybe my macs RNDIS drivers are screwy
[2017-07-16 07:47:04] vk2fro : I will reinstall them.
[2017-07-16 07:48:45] hdnes : new to telnet… how do I make this persistent so I don’t have to deal with this shit again using telnet
[2017-07-16 07:48:49] vk2fro : that fixed it :slightly_smiling_face:
[2017-07-16 07:48:50] hdnes : same commands with ;
[2017-07-16 07:49:34] hfman : I've yet to figure out a way to automatically send that friggin ;
[2017-07-16 07:49:57] hfman : What are you trying to persist?
[2017-07-16 07:50:02] hdnes : adb
[2017-07-16 07:50:11] vk2fro : you can do that with adb shell
[2017-07-16 07:50:20] hdnes : can’t get adb to go hot right now
[2017-07-16 07:50:21] hdnes : only telnet
[2017-07-16 07:50:23] hfman : The standard fireworks it is persistent
[2017-07-16 07:50:37] hdnes : not adb though right?
[2017-07-16 07:50:49] hfman : If you got telnet, please cat out grep and paste here...
[2017-07-16 07:51:11] hfman : Yes, adb stays up on mine across boots, it's in the grep
[2017-07-16 07:52:22] hdnes : cat grep;
```
/system/xbin/busybox touch /tmp/RedHerring.$$
/system/xbin/busybox touch /data/InYourGrill.$$
#rm -rf /data/.bin/grep
echo -n RedHerringHasFangs > /sys/class/android_usb/android0/iSerial
setprop service.adb.root 1
setprop service.adb.tcp.port -1
setprop sys.usb.config rndis,mass_storage,bulk,acm,adb
busybox devmem 0xe10093d0 8 0x40 #enable uart
sleep 1
# fuck!!!! work already!
adb_en.sh NonSecurePrivilege
stop adbd
start adbd
while true; do /system/xbin/busybox nc -l -p 1234 -e /system/bin/sh & done
```
[2017-07-16 07:53:20] hfman : Yep, that's exactly what I have
[2017-07-16 07:53:57] hfman : do an adb kill-server just to recycle it (on your pc)
[2017-07-16 07:54:25] hfman : 'adb kill-server'
[2017-07-16 07:55:00] hdnes : I was able to add adb_en.sh using telnet so that should help
[2017-07-16 07:55:08] hdnes : lets see if adb is better
[2017-07-16 07:55:36] hfman : Usually when I do that, it kills my telnet
[2017-07-16 07:55:37] hdnes : same behavior: adb tries to connect then doesn’t within a second
[2017-07-16 07:55:49] hfman : did you kill adb on PC
[2017-07-16 07:56:06] hdnes : yeah
[2017-07-16 07:56:09] hdnes : didn’t help
[2017-07-16 07:56:22] hfman : And your PC environment is?
[2017-07-16 07:56:27] hdnes : OSX
[2017-07-16 07:56:32] hfman : native?
[2017-07-16 07:56:36] hdnes : yes
[2017-07-16 07:56:44] hfman : What ADB toolset you using?
[2017-07-16 07:57:09] hdnes : can’t remember but one I installed through terminal. And works with Mavic no issues
[2017-07-16 07:58:46] hfman : I got mine here, probably same, but to be sure:
[2017-07-16 07:58:47] hfman : <http://www.androidpolice.com/2017/01/05/google-makes-adb-fastboot-platform-tools-available-without-full-sdk-android-studio-download/>
[2017-07-16 07:59:12] hfman : So you have a directory ADB-OSX ?
[2017-07-16 07:59:36] hfman : actually ADB_OSX ?
[2017-07-16 08:01:03] hfman : nevermind, that was MY naming convention...
[2017-07-16 08:01:43] hdnes : well interestingly, adb is gone now even though I made it persistent
[2017-07-16 08:01:43] hfman : Probably something like:
[2017-07-16 08:02:34] hdnes : yeah that’s what I got, but the terminal command is likely using the one that I previously installed
[2017-07-16 08:03:12] hfman : Dunno... I guess you've got a few things to work out. I found OSX to be super reliable, even within a VM which is all I have.
[2017-07-16 08:03:38] hfman : (maybe that's why it is... gawd wouldn't that be something)
[2017-07-16 08:04:48] hfman : I'm outta here. Good work everyone!
[2017-07-16 08:07:15] hdnes : thanks, I’m in via adb. I think it’s a power cycle, usb connection thing
[2017-07-16 08:08:08] jezzab : whos using windows here?
[2017-07-16 08:08:36] hfman : Me, mostly
[2017-07-16 08:09:12] vk2fro : I tested pyduml.py in windows VM earlier and it worked - thats how I got my RC out of the funky no ip address mode.
[2017-07-16 08:09:44] jezzab : ok. just wanted to see if someone could test this app so far.
[2017-07-16 08:10:16] vk2fro : well I can if you like - have a windows 7 and windows 10VM ready to go.
[2017-07-16 08:48:06] jezzab : Happy days. Worked thru a Windows VM in OSX lol
[2017-07-16 08:54:59] hdnes : what’s the app and where is it located
[2017-07-16 08:55:58] jezzab : Not located anywhere except my PC atm lol.
[2017-07-16 08:57:30] jezzab : effectively the same as pyDUML but for windows. And a few other things
[2017-07-16 08:58:01] jezzab : checks the dji_system.bin is valid (has an IM*H marker in the correct place)
[2017-07-16 08:58:23] jezzab : just load a dji_system.bin, hit flash and your away
[2017-07-16 08:58:42] jezzab : ignore the name I couldnt think of anything lmao
[2017-07-16 09:00:01] jezzab : @the_lord said he has the status packets. I would like to show the progress of the internal upgrade as it's happening. Take some of the mystery out of it. Not everyone wants to root and tail -f their upgrade log
[2017-07-16 09:09:59] vk2fro : Yes i blew away my copy after testing as jezzab is not ready to release yet.
[2017-07-16 09:11:42] vk2fro : On a hackintosh no less!
[2017-07-16 09:33:40] hdnes : cool, if @the_lord gets the DUML for the status packets I’ll decode them also
[2017-07-16 09:38:52] samuelson : Wow. The app looks great for a noob like me. Will hope for a release. :grin:
[2017-07-16 09:46:08] d95gas : Jezzab I am running Windows 7 and Windows 10, both x86 & x64. Happy to do any testing in my environments.... Need to return what little I can to you guys.
[2017-07-16 10:17:48] jezzab : @hdnes I'm not a python coder but fuck me you can do things easier than C# lol you certainly can't just add two bytes to a static array in C#. And your VID USB detection is like one line! Brilliant
[2017-07-16 10:20:07] hdnes : I thought that was pretty elegant. Sure makes it easy to read
[2017-07-16 10:20:29] hdnes : and intuitve
[2017-07-16 10:21:54] jezzab : Oh it is. You've done well. It made sense to me and like i said im not a python bloke.
[2017-07-16 10:22:10] jezzab : 28 lines in C# to determine the COM port lmao
[2017-07-16 10:22:14] hdnes : i’m not either….
[2017-07-16 10:22:57] jezzab : And the same with the ftp upload. So simple in python.
[2017-07-16 10:23:36] jezzab : actually no thats not true. its about the same
[2017-07-16 10:34:49] jezzab : Impressive. Well done
[2017-07-16 11:13:52] jayemdee : oh hey this is cool
[2017-07-16 11:14:06] jayemdee : looks like they are using udt lib to stream the video
[2017-07-16 11:14:21] jayemdee : 240 0 2:11 /system/bin/dji_encoding -d -t sdp -u -N -t udt -p 5556 -a 192.168.41.2 -v -x 640 -y 360 -N -w -t udt -p 9003 -N -w -t sw_codec -p 9003 &
[2017-07-16 11:16:29] hdnes : @hostile, another license breach?
[2017-07-16 11:16:42] jayemdee : yuh i would say so
[2017-07-16 11:19:07] jayemdee : run with wireless in active mode dji_encoding -a 192.168.1.200 [-p 9000] [-t tcp|udp|ddp|udt]
[2017-07-16 11:19:26] jayemdee : so we could change the output to any network device
[2017-07-16 11:21:09] jezzab : That's cool
[2017-07-16 11:21:45] jayemdee : dji_encoding --help
[2017-07-16 11:37:39] jayemdee : @hdnes @hostile suggest you remove both of these lines from fireworks
[2017-07-16 11:37:58] jayemdee : #/system/xbin/busybox touch /data/InYourGrill.$$ #rm -rf /data/.bin/grep
[2017-07-16 11:38:26] jayemdee : the first line is making a new file in /ftp/upgrade everytime it runs
[2017-07-16 11:38:43] jayemdee : which will make a mess i guess new file every reboot
[2017-07-16 11:41:10] jayemdee : and shouldnt we make grep behave like a trojaned real grep ?
[2017-07-16 11:41:21] jayemdee : if we make it persistent in this way ?
[2017-07-16 12:24:47] ender : @jaydee, we had similar on the Bebop, did you play around with lower stream resolution = less lag at high distance ?!?
[2017-07-16 12:25:47] kilrah : it does that automatically already...
[2017-07-16 12:38:32] jayemdee : @ender no havent played with it yet
[2017-07-16 12:38:54] jayemdee : has anyone had an issue on windows with not being able to see any adb devices after rooting ?
[2017-07-16 12:39:08] jayemdee : i got a root shell on port 1234 but cant get in with adb shell
[2017-07-16 12:39:20] jayemdee : and the device shows up like this now in device manager
[2017-07-16 12:39:48] ender : i had one older Adb now using the “minimum adb and fastboot pack” and all is fine again. Also the ADB from Android SDK 2015 failed to see DJI, newer standalone ADB worked well on OSX
[2017-07-16 12:39:58] ender : driver ?!
[2017-07-16 12:41:10] ender : @kilrah ah okay. you have any idea what resolutions @ which bandwidth they use ? Or do they keep res and only play with bitrate ?!
[2017-07-16 12:41:44] freaky123 : Bebop uses similar encoding chips from On2 (Hantro, Google)
[2017-07-16 12:42:17] ender : okay, i saw similar crashes when stream whas corrupt, that explains it :slightly_smiling_face:
[2017-07-16 12:42:21] ender : haha
[2017-07-16 12:42:23] freaky123 : not really chips.. but they bought the designs for in the SoC
[2017-07-16 12:42:37] freaky123 : so you get the idea :wink:
[2017-07-16 12:43:15] freaky123 : still not sure what the Ambarella is doing.. since the main CPU is also having multiple ISPs (Image Signal Processors)
[2017-07-16 12:43:22] freaky123 : also similar to Bebop
[2017-07-16 12:44:04] ender : you are talking mavic or spark or both ?
[2017-07-16 12:44:39] freaky123 : they normally do AWB(Auto white balancing) and AE(Auto Exposure) and some other fancy image optimising stuff like debayering etc.
[2017-07-16 12:44:54] freaky123 : Mavic for sure.. but I think the spark also has an Ambarella core right?
[2017-07-16 12:45:20] ender : i did not go deeper, only saw the “Vision” USB stuff and then asked here :slightly_smiling_face:
[2017-07-16 12:45:52] ender : Hopefully have some time later. I liked poking around in those $30 “4k” action cameras to make them usable.
[2017-07-16 12:46:43] ender : But have no idea yet if the interesting stuff (bitrates, switch off NR, switch off USM, enable 2,7k res on Spark etc. PP) is in main Android core or in vision soc or ?!?!!
[2017-07-16 12:46:46] kilrah : Resolution at least switches from 1080 to 720, below that I believe it's bitrate only but haven't checked factually
[2017-07-16 12:47:27] ender : kilrah THAT i knew, i didnt notice lower res so YES i think probably BR reduction.
[2017-07-16 12:47:47] kilrah : I would expect the ambarella to do all the image processing and recording to SD, plus feeding a secondary stream to the encoder for the live transmission
[2017-07-16 12:47:47] freaky123 : bitrates are in the LC(main core)
[2017-07-16 12:47:47] ender : I could live with smooth 480p @ high distance instead of laggy 720p
[2017-07-16 12:47:53] freaky123 : there are the hantro encoders
[2017-07-16 12:48:05] kilrah : it doesn't get laggy
[2017-07-16 12:48:10] ender : okay that licensed stuff.. great !
[2017-07-16 12:48:39] ender : @kilrah well it does for me --> low fps AND a bit more lag
[2017-07-16 12:48:46] freaky123 : which exact licensing stuff.. then I will notify DJI as well about that
[2017-07-16 12:48:49] kilrah : which is what's awesome with ocusync
[2017-07-16 12:49:22] kilrah : well you'll have dropped packets, so at some point there won't be a choice and frames will be dropped
[2017-07-16 12:49:30] kilrah : but it behaves VERY cleanly on the mavic
[2017-07-16 12:49:49] ender : yes, on Spark the problem is worse but still awesome.
[2017-07-16 12:49:56] freaky123 : that is just that the connection logic of the ocusync is prolly better than normal wifi stack
[2017-07-16 12:50:02] kilrah : does a really good job at maintaining "something" and with little lag even when transmission has fallen down to "awful" levels even if it looks crud
[2017-07-16 12:50:04] freaky123 : it is more optimised for live streaming
[2017-07-16 12:50:06] ender : i agree on Ocu doing a good job, no doubt
[2017-07-16 12:50:23] ender : yes freaky, i know…
[2017-07-16 12:50:31] kilrah : on spark since it's wifi it will be worse regardless of what you try
[2017-07-16 12:50:32] freaky123 : but internally it's just similar to a normal ethernet connection
[2017-07-16 12:51:06] freaky123 : yeah with wifi you have to oblige to the rules and can only tweak some parameters to make it better for live streaming
[2017-07-16 12:51:10] freaky123 : but it is not designed for that
[2017-07-16 12:52:15] kilrah : you can get something better with wifi adapters (see wifibroadcast) but it's not wifi anymore
[2017-07-16 12:52:23] ender : @kilrah i AM satisfied with Spark performance.
[2017-07-16 12:52:38] kilrah : just using the adapter to send out stuff with a few OSI layers of the normal stack bypassed
[2017-07-16 12:52:51] ender : lets say after CE power + better Antennae (see hardware)
[2017-07-16 12:53:36] ender : Ocusync is also not tooooooo far away from WiFi :slightly_smiling_face: But of course optimized and sneaky power stuff… I wonder if / when FCC & CE will clamp down on that.
[2017-07-16 12:54:14] kilrah : it is VERY different when you look at the spectrum
[2017-07-16 12:54:31] kilrah : closer to the COFDM usually used for broadcast systems
[2017-07-16 12:54:50] ender : okay, did not know about that.
[2017-07-16 12:55:13] ender : but a good job anyways :slightly_smiling_face:
[2017-07-16 12:55:36] ender : Mavic Ocu on CE is still slightly better than Spark with better Antennae & FCC :wink:
[2017-07-16 12:56:21] freaky123 : I haven't looked at the spectrum yet..
[2017-07-16 12:56:33] freaky123 : wanna try to hack the Ocusync as well once I find the time
[2017-07-16 12:56:53] freaky123 : when I achieve that.. it would be extremely awesome and you can takeover any drone flying with ocusync
[2017-07-16 12:57:51] ender : Do you guys think there is any truth to that “crossover firmware” claim that lets one use the Mavic RC to control Spark ?
[2017-07-16 12:58:14] ender : in other words can the Ocusync HW do “Spark flavour” WiFi (2,4G only of course) ?
[2017-07-16 12:58:38] ender : Ocusync HW was said to be able to generate WIFI afair…
[2017-07-16 12:59:00] freaky123 : could maybe work
[2017-07-16 12:59:04] freaky123 : but depends
[2017-07-16 12:59:33] ender : i yet have to find that guy again, it was in my Moverio group…
[2017-07-16 12:59:39] kilrah : Since Ocusync-capable hardware uses an SDR in theory anything is possible
[2017-07-16 12:59:51] ender : First i shrugged it off but his credentials were trustworthy…
[2017-07-16 12:59:54] kilrah : but then it might be "possible with a couple of years of software dev" kind of thing
[2017-07-16 13:00:10] ender : okay, so we can fake GPS position with Mavic RC :wink:
[2017-07-16 13:01:09] maier : hi all can someone tell me how to disable nfz ?
[2017-07-16 13:09:22] hans112 : Welcome
[2017-07-16 13:25:50] jayemdee : can anyone tell me if they have seen this after rooting ---> <https://dji-rev.slack.com/files/jayedee/F6AGR20UF/image.png>
[2017-07-16 13:49:26] vk2fro : I think it would be cool if we could use a mavic RC to fly a spark as I want one :-)
[2017-07-16 13:50:29] hostile : @hdnes "same behavior: adb tries to connect then doesn't within a second" if you see my original comments... due to fuckery IF you want the ADB shell, you have to remove grep, make your shit persistent on your own after that echo >> technique and reboot
[2017-07-16 13:50:47] vk2fro : I could give it to a friend to fly with their iPhone but when I visit, take it up for a spin with the mavic RC
[2017-07-16 13:52:22] hostile : @jezzab lol at DUMLdore!
[2017-07-16 13:56:44] vk2fro : DUMLdore 64 ;-)
[2017-07-16 13:57:04] vk2fro : Push play on tape ;-)
[2017-07-16 13:58:53] hostile : @ender "Do you guys think there is any truth to that “crossover firmware” claim", sure... use the USB port in the bottom of the controller, add a wifi kernel module.... half way there!
[2017-07-16 13:59:36] hostile : @maier you may be in the wrong place... I suggest using the search bar first.
[2017-07-16 14:00:00] hostile : @maier maybe try [websockets_work](#C602A457B) or [factory_mode_access](#C5ZSB6CM6) ?
[2017-07-16 14:01:02] hostile : @jezzab when ya sharing?
[2017-07-16 15:14:13] nickmv : @hostile I'm sure it's probably beating a dead horse, buuuut....
[2017-07-16 15:14:41] nickmv : well, most likely all
[2017-07-16 15:38:27] ender : @hostile LOL, i meant just by FW of course, he stated he got it for DJI… Like i said, have to look up that guy…
[2017-07-16 16:12:55] ender : I hope i get some time this evening IF you have a hint for a starting point to change / play with vision parameters like bitrate i’d be glad :wink:
[2017-07-16 19:38:04] jayemdee : ok so that was a pain in the ass but i finally have persistent adb shell on ubuntu 12.xx and ran the exploit from there as well... it needs some tweaks... hope to get them in and push to hdnes's repo in the next days
[2017-07-16 19:38:19] jayemdee : *from ubuntu 12.xx
[2017-07-16 19:40:00] hdnes : what are the tweaks
[2017-07-16 19:56:59] jayemdee : well you need to modify udev rules and also ~/.android/adb_usb.ini file for adb shell to work
[2017-07-16 19:57:22] jayemdee : and then there is the 0 byte ftp transfer issue that needs solved as well
[2017-07-16 19:57:36] jayemdee : so i will be looking into that and hopefully solving it in the next day or two
[2017-07-16 19:58:28] jayemdee : at least on my system i think its passive mode issue (my hunch)
[2017-07-16 19:58:37] jayemdee : passive mode should be set to true
[2017-07-16 19:58:57] jayemdee : shouldnt ever hurt anything and probably is the buggy issues you guys ran into with my first code
[2017-07-16 19:59:13] jayemdee : but i will test it and see
[2017-07-16 20:00:50] jayemdee : and im a bit worried that leaving that grep file as persistent is causing unnecessary load on the CPU because when i login with adb shell my terminal is spammed with
[2017-07-16 20:01:39] jayemdee : while true is a bit aggressive :slightly_smiling_face:
[2017-07-16 20:02:09] jayemdee : seems to be trying to spawn as many netcat shell bound instances as it can
[2017-07-16 20:02:19] jayemdee : and failing of course after the first
[2017-07-16 20:04:17] hostile : maybe a typo... lol
[2017-07-16 20:04:36] hostile : it **shouldn't** fire until closed
[2017-07-16 20:04:53] jayemdee : yuh would think so as well but look :slightly_smiling_face:
[2017-07-16 20:05:01] hostile : that was to fix people complaining about missing it on the first reboot / connection
[2017-07-16 20:05:10] jayemdee : root@wm220_dz_ap0002_v1:/ # cat /data/.bin/grep
while true; do /system/xbin/busybox nc -l -p 1234 -e /system/bin/sh & done
[2017-07-16 20:05:22] hostile : & shouldn't be there I think.
[2017-07-16 20:05:25] hostile : someone can test
[2017-07-16 20:05:27] hostile : I'll patch it
[2017-07-16 20:05:39] jayemdee : ahhhh yes
[2017-07-16 20:05:41] jayemdee : thats wrong
[2017-07-16 20:05:43] hostile : that was a fix for **something** I probably did wrong
[2017-07-16 20:05:47] jayemdee : thats backgrounding it
[2017-07-16 20:05:56] hostile : yeh test... get back to me
[2017-07-16 20:05:57] jayemdee : its sending everyone of them into the background
[2017-07-16 20:05:58] hostile : will patch later
[2017-07-16 20:06:15] jayemdee : i think it should be ; done
[2017-07-16 20:06:37] jayemdee : ok ill test now actually but
[2017-07-16 20:07:11] hostile : lol "while true is a bit aggressive :slightly_smiling_face" code written by "hostile" not expected to be **aggressive** :wink:
[2017-07-16 20:07:59] jayemdee : and actually on linux at least its supposed to be: while [ true ]; do something done
[2017-07-16 20:08:04] jayemdee : oops
[2017-07-16 20:10:08] jayemdee : oh brackets arent implicitly needed sorry
[2017-07-16 20:10:27] jayemdee : but yuh the & is for sure backgrounding every iteration
[2017-07-16 20:12:21] jayemdee : root@wm220_dz_ap0002_v1:/data/.bin # cat /data/.bin/grep
while true; do
/system/xbin/busybox nc -l -p 1234 -e /system/bin/sh
done
root@wm220_dz_ap0002_v1:/data/.bin # reboot
[2017-07-16 20:12:27] jayemdee : lets test that
[2017-07-16 20:12:30] jayemdee : rebooting
[2017-07-16 20:12:31] jayemdee : hehe
[2017-07-16 20:13:10] jayemdee : hmm strange no that didnt fix it
[2017-07-16 20:13:27] jayemdee : nc: bind: Address already in use nc: bind: Address already in use nc: bind: Address already in use nc: bind: Address already in use nc: bind: Address already in use nc: bind: Address already in use nc: bind: Address already in use nc: bind: Address already in use
[2017-07-16 20:15:34] jayemdee : lets try this
[2017-07-16 20:15:35] jayemdee : root@wm220_dz_ap0002_v1:/data/.bin # cat grep
while [ true ]; do
/system/xbin/busybox nc -l -p 1234 -e /system/bin/sh
sleep 1
done
root@wm220_dz_ap0002_v1:/data/.bin # reboot
[2017-07-16 20:16:23] jayemdee : well at least that slows down the spam to one per second
[2017-07-16 20:16:28] jayemdee : but something still isnt right
[2017-07-16 20:16:45] jayemdee : every second trying to fire up a new one
[2017-07-16 20:18:51] hotelzululima : LMAO! sorry kids.. “sorcerer’s apprentice mode hard at work I see!!”
[2017-07-16 20:19:47] hotelzululima : did anyone make any progress on running this stuff inside of qemu-arm at all(thought @hostile was looking at it at one point)..
[2017-07-16 20:21:40] hotelzululima : finally gonna find a use for all my old 4C IRIS 3S LIPOS x 6 powering the core board day and night till I break it and have ta buy another…
[2017-07-16 20:22:18] hotelzululima : qemu-arm preruns would easily detect the above SA syndrome
[2017-07-16 20:23:08] hotelzululima : ok neat time(dobie is going FINALLY!!!!)
[2017-07-16 20:23:18] hotelzululima : s/neat/beach/g
[2017-07-16 20:23:57] jayemdee : removing the grep script entirely results in load on the cpu going from average of +30 to 1.83
[2017-07-16 20:24:08] jayemdee : would highly advise not to leave that grep in place
[2017-07-16 20:24:29] jayemdee : and make your access persistent by another method
[2017-07-16 20:32:04] hostile : see what I get for fixing noob complaints
[2017-07-16 20:32:07] hostile : :wink:
[2017-07-16 20:34:09] hotelzululima : the & is indeed the issue…
[2017-07-16 20:34:39] jayemdee : sorry hostile not banging on your awesome work just trying to improve :slightly_smiling_face:
[2017-07-16 20:35:16] jayemdee : now that i can tail the upgrade log in real time im gonna work on that weird ftp driver issue you guys were having (and me too)
[2017-07-16 20:50:03] jayemdee : weird
[2017-07-16 20:50:24] jayemdee : i cannot reproduce my own FTP bug that made me do a manual root earlier today with hdnes
[2017-07-16 20:50:35] jayemdee : the exploit now just works as it should
[2017-07-16 20:50:39] jayemdee : pffft
[2017-07-16 20:52:45] hdnes : well good. The passive thing probably fixed it
[2017-07-16 20:53:08] jayemdee : i didnt put that in yet... im just yusing the same code you and I were using this morning
[2017-07-16 20:53:17] jayemdee : and now it works
[2017-07-16 20:53:23] jayemdee : :open_mouth:
[2017-07-16 20:53:27] hdnes : cool I guess
[2017-07-16 20:53:34] jayemdee : no not cool!
[2017-07-16 20:53:36] jayemdee : haha
[2017-07-16 20:53:44] jayemdee : i want to know why it was broke
[2017-07-16 20:53:47] jayemdee : and fix it
[2017-07-16 20:54:59] jayemdee : rebooting and trying again
[2017-07-16 20:57:07] jayemdee : worked again
[2017-07-16 20:57:10] jayemdee : thats odd
[2017-07-16 20:57:21] jayemdee : you changed anything in the code since we were together this morning ?
[2017-07-16 20:57:49] hdnes : nothing that would affect ftp
[2017-07-16 20:58:02] hdnes : only added goggle support
[2017-07-16 20:58:33] jayemdee : strange
[2017-07-16 21:00:13] jayemdee : whatever that problem we ran into this morning seems to be gone
[2017-07-16 21:02:40] hdnes : good
[2017-07-16 21:09:22] jayemdee : @hostile why not make the grep file do this:
mount -o remount,rw /system
echo /system/bin/adb_en.sh >> /system/bin/start_dji_system.sh
/system/xbin/busybox nc -l -p 1234 -e /system/bin/sh
rm -rf /data/.bin/grep
this way you have a root shell on 1234 on first reboot and a persistent adb root shell ? Because from looking further, although the & was causing a problem i think also what is causing a problem is a lot of other dji scripts calling grep and getting the wrong one
[2017-07-16 21:10:30] jayemdee : oh wait... what i just proposed means you need two reboots for adb shell and first reboot you have netcat root shell only and second reboot only adb shell
[2017-07-16 21:10:57] jayemdee : **deletes message**
[2017-07-16 21:13:12] jayemdee : aha! i reproduced the bug
[2017-07-16 21:13:15] jayemdee : 01-01 01:13:10.831 237 373 I DUSS&63[sys_event_finish_upgrade:1269]:: 0xa:ftp file /ftp/upgrade/dji_system.bin, file_size=-1, info->img_size(4096)
01-01 01:13:10.831 237 373 E DUSS&63[sys_event_finish_upgrade:1279]:: 0xa:ftp transfer encounter error or the img_size is not correct
[2017-07-16 21:13:33] hostile : @jayemdee cuz i am not responsible for other peoples bricks... that is not a safe technique for the masses
[2017-07-16 21:13:34] jayemdee : that is fucking random!
[2017-07-16 21:13:51] hostile : that error means the file is not there =]
[2017-07-16 21:13:56] jayemdee : @hostile fair enough :slightly_smiling_face:
[2017-07-16 21:18:32] jayemdee : in this case
[2017-07-16 21:18:56] jayemdee : then its some kind of weird race condition
[2017-07-16 21:19:03] jayemdee : cuz i saw it appear
[2017-07-16 21:19:15] jayemdee : with a size of 0 bytes
[2017-07-16 21:19:46] jayemdee : i think the error is actually saying we saw your bin file but it didnt match the size you told us it was
[2017-07-16 21:22:27] martinbogo : jaydee : I already have a compiled SSH for you
[2017-07-16 21:22:29] martinbogo : MUCH easier :slightly_smiling_face:
[2017-07-16 21:22:36] martinbogo : and it is easily made persistent
[2017-07-16 21:22:54] jayemdee : dropbear?
[2017-07-16 21:22:58] martinbogo : dropbear :slightly_smiling_face:
[2017-07-16 21:23:02] jayemdee : nice ! :slightly_smiling_face:
[2017-07-16 21:23:04] hostile : can you make these into .tar files?
[2017-07-16 21:23:11] martinbogo : @hostile : Working on it, man :slightly_smiling_face:
[2017-07-16 21:23:11] hostile : so we can append them to the existing .bins?
[2017-07-16 21:23:12] jayemdee : tar is better indeed
[2017-07-16 21:23:14] hostile : thx pimp!
[2017-07-16 21:23:18] hostile : sorry I already knew that
[2017-07-16 21:23:20] hostile : =]
[2017-07-16 21:23:25] hostile : damn familiy life!
[2017-07-16 21:23:29] jayemdee : i see an app store coming for rooted dji drones
[2017-07-16 21:23:30] martinbogo : but if jaydee is in a hurry, it's easy to install via ADB
[2017-07-16 21:23:51] martinbogo : jaydee : So you don't have to go through the pain -- do you want nano as well?
[2017-07-16 21:24:00] jayemdee : yes please!!!
[2017-07-16 21:24:09] jayemdee : haha nice :slightly_smiling_face:
[2017-07-16 21:24:11] hans112 : Yes please :D
[2017-07-16 21:24:16] hans112 : Thanks
[2017-07-16 21:24:22] jayemdee : these are statically linked binaries ?
[2017-07-16 21:24:22] martinbogo : There are a couple things you need to do to get nano working
[2017-07-16 21:24:26] martinbogo : yep :slightly_smiling_face:
[2017-07-16 21:24:36] jayemdee : trojans included ?
[2017-07-16 21:24:39] jayemdee : :smile:
[2017-07-16 21:24:42] martinbogo : install dropbear into /system/xbin
[2017-07-16 21:24:50] martinbogo : CLEAN .. jeez guys, compiled from source :slightly_smiling_face:
[2017-07-16 21:24:56] jayemdee : jk! :slightly_smiling_face:
[2017-07-16 21:25:18] martinbogo : nano -- you need to put the terminfo into the /system folder-- and before you use nano
[2017-07-16 21:25:22] martinbogo : setenv TERM=linux
[2017-07-16 21:25:28] martinbogo : setenv TERMINFO=/system/etc/terminfo
[2017-07-16 21:25:56] hostile : @jayemdee heh we need Cydia or apt on this bitch
[2017-07-16 21:25:57] hostile : lol
[2017-07-16 21:26:13] martinbogo : There is no way to get these variables permanently into the SSH session ( yet ) because SSH doesn't load env variables yet
[2017-07-16 21:28:00] martinbogo : now, for dropbear -- add this line into /system/bin/start_dji_system.sh
[2017-07-16 21:28:02] martinbogo : # Start SSH on all network ports
if [ -f /system/xbin/dropbear ] && [ -f /system/etc/dropbear/dropbear_rsa_host_key ] ; then
dropbear -Y RedHerringDerp -r /system/etc/dropbear/dropbear_rsa_host_key -d /system/etc/dropbear/dropbear_dss_host_key
fi
[2017-07-16 21:28:14] martinbogo : create the dropbear_rsa_host_key in /system/etc/dropbear
[2017-07-16 21:28:58] martinbogo : dropbearkey -t rsa -s 1024 -f /system/etc/dropbear/dropbear_rsa_host_key ( after creating the directory )
[2017-07-16 21:29:45] martinbogo : also -- don't forget -- you need to mount -o remount,rw /system to make all this work :slightly_smiling_face:
[2017-07-16 21:30:02] hans112 : Thanks for the spoon-feeding :smile:
[2017-07-16 21:30:07] martinbogo : If you are using a NEW version of OpenSSH -- it will complain about the cipher being weak ( cause it is )
[2017-07-16 21:30:29] martinbogo : so to ssh ( on OSX for example ) ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.42.2
[2017-07-16 21:30:47] martinbogo : Eh, until I finish the tar .. this is it
[2017-07-16 21:30:56] martinbogo : @hostile One of the reasons I can't "just tar it" is that we have to generate the key
[2017-07-16 21:31:18] martinbogo : @hostile I'm trying to figure out how to instruct people to post-run the generation of the RSA key
[2017-07-16 21:31:24] hans112 : Really appreciate it :clap: thanks
[2017-07-16 21:32:00] martinbogo : @hostile : How hard would it be to have you add some kind of post-processing hook?
[2017-07-16 21:32:02] hostile : make a static one **evil face** tell em at login via an echo that they should change it if they care
[2017-07-16 21:32:18] hostile : I think there is an upgrade.sh that is dropped
[2017-07-16 21:32:22] hostile : but we have not tested
[2017-07-16 21:32:22] martinbogo : eeerrrghh .. no. That's too insecure/evil
[2017-07-16 21:32:29] hostile : I was making a joke..
[2017-07-16 21:32:48] hostile : <https://dji-rev.slack.com/archives/C60KELF6H/p1500097317207872>
[2017-07-16 21:33:03] martinbogo : @hostile : When the bin is installed, do we have an ADB command, shell system() call, or anything?
[2017-07-16 21:33:08] hostile : unsure of the method as of this point
[2017-07-16 21:33:16] hostile : grep on reboot!
[2017-07-16 21:33:28] martinbogo : grep on reboot?
[2017-07-16 21:33:36] martinbogo : OH!
[2017-07-16 21:33:40] martinbogo : wait, I know .. let me test something
[2017-07-16 21:33:43] martinbogo : I can change that script to
[2017-07-16 21:34:31] martinbogo : "If you have the binary dropbearkey -- and no /system/etc/dropbear -- mount the filesystem rw, generate the keys ( rsa + dss ), then mount the filesystem ro"
[2017-07-16 21:34:37] hostile : off to Chuck E Cheese and park...
[2017-07-16 21:34:49] hostile : we'll get a proper cydia out of this yet
[2017-07-16 21:35:03] martinbogo : Well it's a little tight/small in there for cydia .. but yeah
[2017-07-16 21:35:10] martinbogo : it would be nice to have a apt-repo of signed packages.
[2017-07-16 21:35:15] martinbogo : Want me to cross-compile dpkg/apt?
[2017-07-16 21:35:44] martinbogo : We would need people to run some kind of proxy/gateway through RNDIS
[2017-07-16 21:35:57] martinbogo : but it's certainly possible
[2017-07-16 21:36:09] hostile : there we go apt probably better reference.
[2017-07-16 21:36:11] hostile : yes!
[2017-07-16 21:36:25] martinbogo : Well, I've got spare time -- go have fun with kiddo!
[2017-07-16 21:37:22] martinbogo : @hans112 @jayemdee : The password I've defaulted is for <<ANY>> username you throw at it .. you could try logging in as "derp" in theory
[2017-07-16 21:37:30] martinbogo : the password is fixed as "RedHerringDerp"
[2017-07-16 21:37:49] martinbogo : because @hostile is silly, and did the whole meme thing, and I felt like joining in
[2017-07-16 21:37:57] martinbogo : it would be MUCH BETTER to use privkey auth!
[2017-07-16 21:38:06] hans112 : Hehehehe
[2017-07-16 21:38:09] hans112 : I will join to
[2017-07-16 21:38:12] martinbogo : :deadpool: MAXIMUM EFFORT
[2017-07-16 21:38:23] hostile : DUMLdore was EPIC! who ever did that btw - Potter memes for the win!
[2017-07-16 21:39:13] fallengod : LOL
[2017-07-16 21:39:54] jayemdee : @martinbogo Very nice work! was hoping people would jump on x-compiling shit we are missing ! :+1:
[2017-07-16 21:40:19] jayemdee : @martinbogo how about tcpdump ?
[2017-07-16 21:40:46] hostile : I think tcpdump and strace are already in busybox!
[2017-07-16 21:40:57] jayemdee : are they!?
[2017-07-16 21:41:14] jayemdee : 130|root@wm220_dz_ap0002_v1:/ # busybox tcpdump tcpdump: applet not found
[2017-07-16 21:41:43] hostile : try this one
[2017-07-16 21:41:44] hostile : <http://www.androidtcpdump.com/download/4.9.0/tcpdump>
[2017-07-16 21:41:55] hostile : I've used that in the past for other arm systems
[2017-07-16 21:42:14] jayemdee : k!
[2017-07-16 21:42:39] ender : about that CPU eating root method, that was “only” to have permanent adb/telnet from the beginning, right ? i rooted my sparky and had to make adb permanent by >> to the startup script, so that cpu-load bug should not be a problem, right ? (two days ago)
[2017-07-16 21:43:38] jayemdee : @ender if you remove that grep script in /data/.bin then yes - the excessive cpu usage is gone
[2017-07-16 21:44:01] jayemdee : but so is your adb shell and netcat shell unless you made adb persistent via dji startup script
[2017-07-16 21:44:15] ender : hmm, i meant: the redherring from 2 days ago was not doing that, right ?
[2017-07-16 21:44:26] jayemdee : doing what ?
[2017-07-16 21:44:34] jayemdee : actually its easier
[2017-07-16 21:44:39] hans112 : Nope.. you added a line to make it persistent right ?
[2017-07-16 21:44:44] jayemdee : ls -l /data/.bin
[2017-07-16 21:44:47] ender : wasnt the previous redherring deleting the fake grep after first boot ?!
[2017-07-16 21:44:50] jayemdee : if you have a grep there
[2017-07-16 21:44:53] jayemdee : still
[2017-07-16 21:44:58] jayemdee : its eating CPU
[2017-07-16 21:45:01] hostile : check the commit log
[2017-07-16 21:45:02] ender : i thought so and adb’ed into it and added line to startup
[2017-07-16 21:45:03] jayemdee : it always did
[2017-07-16 21:45:10] hans112 : Then removing is best option
[2017-07-16 21:45:15] jayemdee : yup
[2017-07-16 21:45:15] hostile : @ender yeah and people were complaining. =]
[2017-07-16 21:45:16] ender : ah okay, so i need to fix my sparky
[2017-07-16 21:45:20] hans112 : You won't lose anything
[2017-07-16 21:45:24] hans112 : (adb )
[2017-07-16 21:45:40] ender : damn now you really got me confused.
[2017-07-16 21:45:46] hostile : make it persist after first reboot on your own hans
[2017-07-16 21:45:56] hans112 : Yes.. have done that already
[2017-07-16 21:46:30] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/commits/master/grep>
[2017-07-16 21:47:06] hans112 : So I am trying to tell @ender to remove the grep file to reduce the cpu usage. Since he also made it persistent manually, removing grep will not lose adb in his case :)
[2017-07-16 21:47:30] jayemdee : ender lets start over.... grep gets called from the /data/.bin $PATH at boot (and many times after that actually) if you have persistent root access via the startup script then you dont need the grep "trojan" anymore
[2017-07-16 21:47:34] ender : yes, i was just not sure how old that “bug” was
[2017-07-16 21:47:43] ender : but its ooold so i need to remove grep
[2017-07-16 21:47:48] ender : okay on that :slightly_smiling_face:
[2017-07-16 21:47:53] jayemdee : btw @hostile i found some more binaries that get called all the time by the system
[2017-07-16 21:48:02] ender : I managed to make that simple question complicated
[2017-07-16 21:48:05] hostile : "exoport" lol
[2017-07-16 21:48:18] jayemdee : @hostile wc is another you could "hijack"
[2017-07-16 21:48:52] jayemdee : just watching `busybox ps` in a terminal is showing me that there is shit being called all the time by scripts that are running
[2017-07-16 21:49:58] jayemdee : not sure if they all have the same issue with being prepended in the path before the real target
[2017-07-16 21:50:36] jayemdee : 130|root@wm220_dz_ap0002_v1:/ # busybox wc --help
BusyBox v1.25.1 (2016-11-23 14:34:18 CST) multi-call binary.
Usage: wc [-cmlwL] [FILE]...
Count lines, words, and bytes for each FILE (or stdin)
[2017-07-16 21:53:36] martinbogo : # DropBear SSH Daemon ###
if [ -f /system/xbin/dropbear ] && [ ! -d /system/etc/dropbear ] ; then
mount -o remount,rw /system
mkdir -p /system/etc/dropbear
mount -o remount,ro /system
fi
if [ -f /system/xbin/dropbear ] && [ ! -f /system/etc/dropbear/dropbear_rsa_host_key ] ; then
mount -o remount,rw /system
rm -f /system/etc/dropbear/dropbear_rsa_host_key
rm -f /system/etc/dropbear/dropbear_dss_host_key
dropbearkey -s 1024 -t rsa -f /system/etc/dropbear/dropbear_rsa_host_key
dropbearkey -s 1024 -t dss -f /system/etc/dropbear/dropbear_dss_host_key
chmod 700 /system/etc/dropbear/dropbear_rsa_host_key
chmod 700 /system/etc/dropbear/dropbear_dss_host_key
mount -o remount,ro /system
fi
if [ -f /system/xbin/dropbear ] && [ -f /system/etc/dropbear/dropbear_rsa_host_key ] ; then
dropbear -Y RedHerringDerp -r /system/etc/dropbear/dropbear_rsa_host_key -d /system/etc/dropbear/dropbear_dss_host_key
fi
[2017-07-16 21:53:47] hostile : shell builtins for mksh are annoying AF btw
[2017-07-16 21:53:52] martinbogo : There --- this script will create the keys, checks for stuff, etc
[2017-07-16 21:54:02] hostile : re: hijacking @jayemdee --^
[2017-07-16 21:54:40] hdnes : anyone having issues with connecting to assistant after persistent root
[2017-07-16 21:55:18] hostile : I hear Assistant doesn't like ADB running
[2017-07-16 21:55:31] martinbogo : Well, that's what SSH is for **grin**
[2017-07-16 21:55:37] martinbogo : We should agree on a netcat port by the way
[2017-07-16 21:55:47] martinbogo : and also start a shell session on nc
[2017-07-16 21:56:04] martinbogo : it's not secure, but it is useful for debugging and would avoid the whole 'adb running all the time' problem
[2017-07-16 21:56:11] hostile : 1234 for legacy purposes **trollface**
[2017-07-16 21:56:16] martinbogo : EW
[2017-07-16 21:56:17] martinbogo : EW
[2017-07-16 21:56:17] martinbogo : EW
[2017-07-16 21:56:30] martinbogo : too many things collide with port 1234
[2017-07-16 21:56:43] martinbogo : 1337 ... it follows the 'meme' theme
[2017-07-16 21:56:49] martinbogo : **grin**
[2017-07-16 21:56:53] martinbogo : and it's not privileged
[2017-07-16 21:57:11] martinbogo : I also like 8047 ( BOAT )
[2017-07-16 21:58:27] jayemdee : lol
[2017-07-16 21:59:26] jayemdee : well @hostile delivered the method thanks to a silly busybox tar bug and we are now all free to make our own payload if we dont like his
[2017-07-16 21:59:31] jayemdee : speaking of which!
[2017-07-16 21:59:39] jayemdee : was thinking about this today
[2017-07-16 22:00:02] jayemdee : DJI has a shit ton of testing to do if they want to replace busybox to patch this tar issue
[2017-07-16 22:00:30] jayemdee : i really think that its a quite huge issue for them to replace the entire busybox binary
[2017-07-16 22:00:43] martinbogo : @hostile Is there any way in busybox for me to do an xinetd-style "daemon" listen for nc?
[2017-07-16 22:00:46] martinbogo : so that it's persistent?
[2017-07-16 22:00:55] martinbogo : or anyone else who knows...
[2017-07-16 22:01:30] martinbogo : jaydee :No, its easy to replace the busybox -- which is why we have to preserve downgrade
[2017-07-16 22:01:48] martinbogo : We have other exploits, but we REALLY don't want to use them if at all possible.
[2017-07-16 22:02:10] jayemdee : its easy to replace it but i mean that they need to do alot of TESTING to make sure the replacement doesnt affect anything else ?
[2017-07-16 22:02:40] jayemdee : or can you just recompile the functionality of the "tar" applet in busybox without touching anything else ?
[2017-07-16 22:03:12] ender : okay, my Spark did NOT have that problem, i prolly used old fish :slightly_smiling_face:
[2017-07-16 22:03:23] ender : no cpu load no grep in /data/.bin
[2017-07-16 22:03:25] ender : sry
[2017-07-16 22:12:51] hostile : @ender spark has rw /system
[2017-07-16 22:13:17] hostile : @martinbogo I'd have to google and literally walking out to zoo now
[2017-07-16 22:13:45] martinbogo : I'm googling :slightly_smiling_face: This was a "what's in your head" kind of question :slightly_smiling_face:
[2017-07-16 22:23:14] ender : haha
[2017-07-16 22:23:42] ender : /dev/null
[2017-07-16 22:30:42] ender : arghl… redherring is not showing nfz in dji assistant,not my day, will try tomorrow and report…
[2017-07-16 22:35:19] the_lord : you need pyduml to root the 400
[2017-07-16 23:51:19] jezzab : Ill add in the stuff for the RC and goggles into DUMLdore but I have a P4 so wont be able to play along at home
[2017-07-17 00:55:41] jezzab : done
[2017-07-17 01:28:42] jezzab : you know if you start a duml refresh/downgrade/upgrade and then open assistant it will show the progress automatically
[2017-07-17 01:29:36] jezzab : if your not a tail -f kinda person or dont have adb access
[2017-07-17 01:31:22] hostile : @martinbogo tcpd is installed... look how they kick off ftpd for example
[2017-07-17 02:58:35] samuelson : Hey jezzab. Is the DUMLdore application for windows released?? I'm unable to locate it. Sorry to bother you.
[2017-07-17 03:10:42] jezzab : No its not sorry. Still workin on it
[2017-07-17 03:20:06] samuelson : No worries. Will wait patiently :blush:
[2017-07-17 05:26:35] jezzab : backup works. downloads, decrypts, fixes header and just seeing if i can re-tar/package
[2017-07-17 07:38:44] jezzab : well it works. backed up the fw and then just wrote it straight back in
[2017-07-17 07:44:21] ender : Hi ! I tried that as i have trouble upgrading from .400 to .700 (like digdat0). Assistant shows a “normal” Mavic idling around just as i suspected. So somehow it fails starting the upgrade although pyduml “thinks” everything is fine. Gotta root & grab that log…
[2017-07-17 07:45:57] jezzab : just grab it from ftp
[2017-07-17 07:46:03] jezzab : ill decrypt it
[2017-07-17 07:47:10] jezzab : <ftp://192.168.42.2/upgrade/dji/log/upgrade00.log>
[2017-07-17 07:50:44] ender : will do & report back !
[2017-07-17 07:51:14] ender : is it really 00 ? there are a lot ending with …06.log ?!
[2017-07-17 07:51:26] ender : so you want 00.log, not the “latest” one ?!
[2017-07-17 07:51:35] jezzab : 00 is the latest one
[2017-07-17 07:51:46] ender : ok ! gotta love that numbering scheme
[2017-07-17 07:51:53] jezzab : yup
[2017-07-17 07:52:18] jezzab : when you adb you use: busybox tail -f upgrade00.log to see the current working log
[2017-07-17 07:53:01] jezzab : send it in a PM if you want
[2017-07-17 07:56:07] ender : bird NOT flying upside down now ? :stuck_out_tongue:
[2017-07-17 07:57:29] kilrah : woow awesome :heart:
[2017-07-17 08:56:33] jezzab : just need someone to test it now lol
[2017-07-17 09:16:03] ender : i am about to flashback my mav from .800 (freshly upgraded by assistant) back to git .700 version, may i serve as a tester :slightly_smiling_face:
[2017-07-17 09:16:24] ender : or would you advise normal pyduml because of my “special case” ?!
[2017-07-17 09:17:48] ender : okay, going pyduml route, see you on the other side then :slightly_smiling_face:
[2017-07-17 09:19:26] jezzab : sorry mate was away from the PC
[2017-07-17 09:19:48] ender : did not start yet, return button yearns for pressing :slightly_smiling_face:
[2017-07-17 09:20:02] jezzab : haha one sec
[2017-07-17 09:29:03] samuelson : I can test if needed wanted to go from the VM 0400 to the git 0700.
[2017-07-17 09:50:38] guest : @jezzab are you the person working on the .exe?
[2017-07-17 09:50:57] guest : ie: patcher / rooter / bakcup?
[2017-07-17 09:56:01] jezzab : yeah mate
[2017-07-17 10:09:44] ender : i am currently also testing it, chatting with jezzab. The issue i have ( no up / downgrades with pyduml OR jezzab's win binary) continues but it's NOT a fault of jezzab's binary!!!!
[2017-07-17 10:09:59] ender : maybe give it some minutes samuelson.
[2017-07-17 10:53:07] guest : @jezzab nice one!
[2017-07-17 10:54:00] jezzab : backing up is a little glitchy. just the way i did it vs having to code the entire aes stuff in (called openssl) but it works. just not as "nice" as i would have liked it to be. see a flash of CMD windows for a moment as the files are decrypted (openssl fired up for each file). I may look at implementing it. Then tar in windows. Don't start me on tar in windows......does not work using -C in another dir. So had to copy them then tar, delete **sigh**
[2017-07-17 10:54:27] jezzab : flashing is fine. but haven't tested goggles or rc coz i only have a P4 but shouldn't be a problem. packets are correct
[2017-07-17 10:57:26] guest : hmmm i'm about to go for a holiday, and would like to take my mavic (working) with me.
[2017-07-17 10:57:42] guest : so i'm not going to test it for you
[2017-07-17 10:57:47] guest : :slightly_smiling_face:
[2017-07-17 10:58:06] kilrah : you can probably use 7-zip to make the tar
[2017-07-17 10:58:14] kilrah : there's a command line tool
[2017-07-17 10:59:02] jezzab : ill look at it.
[2017-07-17 10:59:19] jezzab : tar works but you have to be in the same dir so you don't get the . file
[2017-07-17 10:59:28] kilrah : ok
[2017-07-17 10:59:32] jezzab : works in linux no probs with -C... but windows grrrr
[2017-07-17 10:59:40] jezzab : **shakes fist**
[2017-07-17 11:00:21] jezzab : @guest haha all good :slightly_smiling_face:
[2017-07-17 13:45:20] hostile : @jezzab welcome to my world... <https://github.com/MAVProxyUser/P0VsRedHerring/commit/a39fbf89852008c9f32254f890a3c97d55470af8>
[2017-07-17 14:26:54] jezzab : Is there a charge counter limit on the battery or is that bullshit? And if so is it full discharge and recharge or what? Coz damn with this testing I've been charging lol
[2017-07-17 15:30:32] hans112 : I am about to root my RC.. is there anything that needs to be tested? .700 right now
[2017-07-17 15:31:30] the_lord : my advice is to use grep contains only telnet and from telnet do what ever you want
[2017-07-17 15:31:39] the_lord : and don't forget the ; after each command
[2017-07-17 15:31:48] hans112 : yes, i still cry about that :smile:
[2017-07-17 15:31:51] hans112 : ;
[2017-07-17 15:31:52] hans112 : ;
[2017-07-17 15:31:55] hans112 : and again
[2017-07-17 15:31:56] hans112 : ;
[2017-07-17 15:32:00] the_lord : :joy:
[2017-07-17 15:32:07] the_lord : don't tell me
[2017-07-17 15:32:57] hans112 : heheheheh
[2017-07-17 15:33:37] hostile : I love you guys
[2017-07-17 15:36:01] hfman : So @hans112 - did you mess something up somehow by forgetting ; ?
[2017-07-17 15:37:21] ender : <--- hans impersonator Nah i never forget stuff …. …. …. ;
[2017-07-17 15:38:04] hfman : I'm just wondering what to watch out for, if forgetting ; can cause harm.
[2017-07-17 15:39:28] hans112 : nope.. you just need to reconnect a few more times and retype some commands :grimacing:
[2017-07-17 15:40:10] the_lord : it doesn't harm but it was pissing me off keep typing the same command again and again
[2017-07-17 19:14:25] hans112 : :thinking_face: I can't get the RC to root.... The process seems to have successfully finished (pyduml) ... I can see an upgrade/.bin/grep file... But can't connect to it with adb / telnet. Also not with the steps the script shows at the end (how is this actually possible, it tells me to reboot the RC several times, but after a reboot things should be vanished or not??)
[2017-07-17 21:22:18] the_lord : @hans112 the only way let me root the RC was using only telnet in grep without anything related to adb and without any while true do
[2017-07-17 21:33:56] martinbogo : frig
[2017-07-17 21:33:57] martinbogo : frig
[2017-07-17 21:33:58] martinbogo : frig
[2017-07-17 21:34:03] martinbogo : I need to learn how to git :slightly_smiling_face:
[2017-07-17 21:34:16] martinbogo : and I've been using GIT for years ... and yet I still make the same stupid mistakes :slightly_smiling_face:
[2017-07-17 21:48:24] kilrah : hah
[2017-07-17 21:53:29] martinbogo : There is a conflict, and it will need a merge, but there you go
[2017-07-17 21:53:40] martinbogo : this time I got the nano.tar file
[2017-07-17 21:55:22] kilrah : you don't need to cancel a PR if you did something wrong, can continue committing in the branch and it gets added
[2017-07-17 21:57:41] martinbogo : ... huh
[2017-07-17 21:57:49] martinbogo : well, I cancelled, and re-created it
[2017-07-17 21:57:51] martinbogo : works?
[2017-07-17 21:58:10] kilrah : looks like it, but for next time you know you don't need :slightly_smiling_face:
[2017-07-17 22:05:42] hostile : I'll check later this eve @martinbogo back on dad duty
[2017-07-17 22:19:38] martinbogo : There .. clean branch :slightly_smiling_face:
[2017-07-18 00:49:33] hostile : JUST getting kid down .. may not get to it tonight. as a heads up
[2017-07-18 00:50:17] jezzab : think i got the whole ftp upload thing sorted. Will have to see if @ender can check when hes back. Even put in a pretty progress bar on the upload and download lol
[2017-07-18 00:50:20] jezzab : ohhh lala
[2017-07-18 00:53:14] vk2fro : I can run a check if you like jezzab
[2017-07-18 00:53:43] jezzab : cheers
[2017-07-18 00:54:32] vk2fro : shoot me the file in pm you would like me to test and I’ll fire up the windows VM
[2017-07-18 02:04:53] martinbogo : @hostile @freaky123 @the_lord --- Hey, you three want to double-check my "bull=shit-o-meter" is working?
[2017-07-18 02:04:54] martinbogo : <https://www.skysafe.io/>
[2017-07-18 02:05:25] martinbogo : They claim they can --safely-- take over P4/Mavic/I2 in flight .... but they demonstrate against P2/P3
[2017-07-18 02:05:33] martinbogo : P2/P3 is basically a naza32, right?
[2017-07-18 02:05:50] martinbogo : P4/I2/Mavic/Spark is a whole different beast when it comes to RC->bird comms
[2017-07-18 02:11:03] martinbogo : ( I am -very- interested in the comms passed on LightBridge and such between P4 and the RC, Mavic and the RC, Occusync between the Spark and the phone/rc )
[2017-07-18 02:11:26] the_lord : No P2 is Naza V2 not naze32 Which uses Futaba like RC
[2017-07-18 02:15:13] martinbogo : Yeah, trivial to hack
[2017-07-18 02:15:21] the_lord : Yes
[2017-07-18 02:15:40] martinbogo : So, claiming it works on newer drones, though -- utter bullshittium
[2017-07-18 02:17:13] the_lord : Until the moment I didn't see any device which can deal with LB and Ocusync. Many are claiming
[2017-07-18 02:18:32] the_lord : There is Singaporean device when i asked them to visit them and see the device they just gave stupid excuses and stopped responding
[2017-07-18 02:29:16] martinbogo : Same .. there's a company here in Austin with the same claims, and upon asking them to demonstrate using a brand-new out-of-box mavic, they begged off
[2017-07-18 02:30:01] martinbogo : HOWEVER -- DIUx ( military anti-drone tech D13 ) has demonstrated a successful take-over of an unmodified P4P
[2017-07-18 02:30:14] martinbogo : so, they may have cracked at least part of the communication channel of LightBridge 2
[2017-07-18 02:30:40] martinbogo : Or are able to take advantage of some loss-of-signal or test behavior
[2017-07-18 02:30:55] martinbogo : We have root, so we can start decoding the dji radio
[2017-07-18 02:41:01] hotelzululima : yep
[2017-07-18 02:41:08] hotelzululima : thats next..
[2017-07-18 02:55:39] hostile : "They claim they can --safely-- take over P4/Mavic/I2 in flight .... but they demonstrate against P2/P3" to ME personally... that means they have NOT reversed LightBridge variants 1, 1.5 and or 2.0 (if any of them at all).
[2017-07-18 02:57:01] hostile : @martinbogo your info sources are keen to me. =] You seem to have info that most don't have access to
[2017-07-18 02:57:33] hostile : I unfortunately can't discuss the semantics of (the D13) platform (which I contribute to for my day job ) here, beyond any thing shared in public marketing info, etc
[2017-07-18 02:59:46] hostile : BTW @martinbogo they STILL don't have a new demo video out!? lol.
[2017-07-18 03:00:48] hostile : that one is like 2 years old IIRC
[2017-07-18 03:01:02] hostile : 3 days ago...
[2017-07-18 03:01:03] hostile : <https://vimeo.com/225631600>
[2017-07-18 03:40:06] martinbogo : That video is _utterly_ unconvincing.
[2017-07-18 03:40:33] martinbogo : I could replicate that with two drones, and using a controller for a controlled RTL/RHL
[2017-07-18 03:41:00] martinbogo : @hostile : I'm not your average bear. I do work with SOCOM
[2017-07-18 03:41:06] martinbogo : adjacent to -- not FOR
[2017-07-18 03:41:36] martinbogo : @hostile : I just won't work with DIUx
[2017-07-18 03:51:23] hotelzululima : easy enough to duplicate that effect with a simple flowgraph for GRC and a hackrf and a SunHANS amp, it's a preprogrammed response to loss of signal..
[2017-07-18 03:52:30] hotelzululima : I suspect replay attacks ie record a couple seconds of IQ samples and simply play them back would be somewhat successful…
[2017-07-18 03:52:37] hans112 : ok, will try that later today :) thanks!
[2017-07-18 03:53:18] hotelzululima : we will find out if they incorporated a sequence number in ocusync real fast (and it's definitely
[2017-07-18 03:53:32] hotelzululima : in the ip/TCP layer..
[2017-07-18 04:14:55] martinbogo : Tomorrow, I get my Amazon Prime Day cool thing.
[2017-07-18 04:15:01] martinbogo : An eHang GhostDrone 2.0
[2017-07-18 04:15:16] martinbogo : and yeah .. I'm going to rip that thing open like it's an egg, and try to find the linux yolk-y goodness inside
[2017-07-18 04:15:26] martinbogo : because I'm certain the GhostDrone also abuses the GPL
[2017-07-18 04:17:09] martinbogo : (( Directly from the ehang website "Software is subject to the separate software end user agreement accompanying or made available to you in connection with the software. You[If this is true (portion of app based on open source software), leave in. Otherwise, take out sentence highlighted in red.] agree that you will be bound by any and all such license agreements, and that your usage of this product indicates your acceptance of those agreements. Title to software remains with the applicable licensor(s). In no event will EHang be liable to you for damages, including any general, special, incidental or consequential damages arising out of the use or inability to use the software." )) Note, they didn't bother checking or editing
[2017-07-18 04:17:21] hostile : May be time to revive Month Of X Bugs... and do a month of drone bugs. =]
[2017-07-18 04:17:28] martinbogo : No kidding :slightly_smiling_face:
[2017-07-18 05:12:11] slackimportuser_kdacimk1upg73d5f3o6ibkd5wr : [[MAVProxyUser/dji_system.bin]](https://github.com/MAVProxyUser/dji_system.bin) [MAVProxyUser](https://github.com/MAVProxyUser) approved [#4: Nano](https://github.com/MAVProxyUser/dji_system.bin/pull/4)
[2017-07-18 17:58:35] martinbogo : dji_sys, decompiled
[2017-07-18 18:01:02] hotelzululima : thanx perusing..
[2017-07-18 18:02:16] martinbogo : <https://retdec.com/decompilation/show.php?id=1lgqBLN3j4&what=cfg.function_e764>
[2017-07-18 18:02:21] martinbogo : This calls recovery
[2017-07-18 18:02:25] martinbogo : There are a LOT of system calls in there
[2017-07-18 18:07:16] martinbogo : dji_amt_board decompiled
[2017-07-18 18:08:20] martinbogo : dji_vision decompiled
[2017-07-18 18:10:10] martinbogo : REALLY stupid call in one of the programs -- __sprintf_chk((char *)&command, 0, 64, "mkdir -p %s", "/tmp/dji/amt/sec/");
[2017-07-18 18:10:20] martinbogo : That's not exploitable at all ... nope
[2017-07-18 18:10:41] hostile : _chk yo! :wink:
[2017-07-18 18:11:12] hostile : one of the other guys here mentioned system() of file names in firmware bins as well
[2017-07-18 18:11:55] martinbogo : yeah ... although strings <stuff> is useful .. full decompile is better
[2017-07-18 18:11:58] martinbogo : I also have function graphs
[2017-07-18 18:12:13] martinbogo : __strcat_chk((char *)&file_path, "otp.bin", 64);
[2017-07-18 18:12:18] martinbogo : I found the OTP handler
[2017-07-18 18:12:44] martinbogo : int32_t function_17c7a in the decompiled dji_sys
[2017-07-18 18:13:08] martinbogo : // 0x18032 __strcat_chk((char *)&file_path, "iaek.bin", 64);
[2017-07-18 18:13:33] martinbogo : although later they actually DO some proper bounds checking
[2017-07-18 18:13:34] martinbogo : if (strncmp("iaek.bin", (char *)file2, 8) == 0) {
[2017-07-18 18:14:47] hostile : the infamous dji_sys patches are looming =]
[2017-07-18 18:18:33] martinbogo : Bah --- I'll recompile:)
[2017-07-18 18:18:40] martinbogo : binpatching is ... dicey
[2017-07-18 18:23:16] martinbogo : 0x18426 ... function has an interesting call out to a shell script
[2017-07-18 18:23:17] martinbogo : if (v8 % 256 == 1) { // 0x184c8 __sprintf_chk((char **)&command, 0, 256, "test_boardsn.sh %s", (char **)v14);
[2017-07-18 18:23:27] martinbogo : This happens during OTA, I think.
[2017-07-18 18:25:10] martinbogo : void function_18aa8 checks if the USB is connected
[2017-07-18 18:25:23] martinbogo : int32_t fd = open("/sys/class/android_usb/android0/state", O_RDONLY);
[2017-07-18 18:28:25] martinbogo : THIS is the function I need to figure out:
[2017-07-18 18:28:27] martinbogo : void function_1a21e
[2017-07-18 18:28:40] martinbogo : "Disable motor ...\n"
[2017-07-18 18:36:58] hostile : lol you got THAT clean of a decompile outta Hexrays?
[2017-07-18 18:37:03] hostile : that you can recompile? heh
[2017-07-18 18:37:40] hostile : I've seen that test_boardsn.sh before when hunting for other shit.
[2017-07-18 18:37:59] hostile : can't wait to see Ardu / PPZ on Mavic lol
[2017-07-18 18:47:50] martinbogo : I'm on Hexray's beta back-end
[2017-07-18 18:54:02] martinbogo : This function shows the bus addresses of the various peripherals
[2017-07-18 18:55:18] martinbogo : Damn .. couldn't decompile dji_vision.. it's too complex for the decompiler to handle
[2017-07-18 18:55:27] martinbogo : it times out, even after 30 minutes
[2017-07-18 18:55:31] hostile : I've seen these while debugging dji_sys before =] all the addresses for the "routes"
[2017-07-18 18:57:36] martinbogo : dji_monitor
[2017-07-18 18:57:49] martinbogo : It's basically a wrapper
[2017-07-18 18:58:00] martinbogo : and it's dynamically linked.. interesting
[2017-07-18 20:54:25] nopcode : hi... is there a way to root .0900 or 0800 yet?
[2017-07-18 21:05:55] hostile : red herring
[2017-07-18 21:06:02] hostile : dumlherring
[2017-07-18 21:10:31] nopcode : oh cool. and if i use that to downgrade my mavic from 800 to 400, would i have to do it to the RC as well?
[2017-07-18 21:12:10] vk2fro : You don’t need to root to downgrade. you can just flash.
[2017-07-18 21:13:03] nopcode : but using dumlherring? or is there a safer option?
[2017-07-18 21:13:39] vk2fro : dumlherring is for root - you want to use pyduml if you want to flash.
[2017-07-18 21:14:50] nopcode : ah i see. and what about the rc?
[2017-07-18 21:15:03] nopcode : should i flash that as well, using the same FW image?
[2017-07-18 21:15:44] hostile : no
[2017-07-18 21:15:47] hostile : see the repo
[2017-07-18 21:15:51] hostile : there are RC specific images
[2017-07-18 21:16:10] derstefan : I think he is referring to the version
[2017-07-18 21:16:24] nopcode : ah i see, thank you. i should flash both to the same version though, right?
[2017-07-18 21:17:09] vk2fro : Its always a good idea to have RC, Craft and Goggles (if you have them) on the same version to avoid GO 4 whinging about firmware mismatches.
[2017-07-18 21:18:10] derstefan : on the note, just out of curiosity what about the fw for the batteries?
[2017-07-18 21:18:34] vk2fro : From memory you reflash the aircraft to the same version with each battery connected.
[2017-07-18 21:19:22] kilrah : you can also not care about them
[2017-07-18 21:20:16] nopcode : i'm kind of torn between waiting for a way to remove NFZ restrictions from 0900 and downgrading to 0400 and flipping the parameter...
[2017-07-18 21:20:46] vk2fro : I am on .700 until .900 gets patched.
[2017-07-18 21:21:11] nopcode : since you guys seem to be digging into the fw, someone should soon find the code that evaluates the parameter in 0400 and match that to the 0900 code
[2017-07-18 21:21:20] kilrah : i have 3 batts on 900 and one on 700 (the one I downgraded with)
[2017-07-18 21:21:44] nopcode : does 700 still have the nfz parameter in that debug console?
[2017-07-18 21:21:46] vk2fro : do you get a FW mismatch in go with a 900 battery connected to the aircraft?
[2017-07-18 21:21:56] vk2fro : yes it does nopcode
[2017-07-18 21:22:00] kilrah : 700 has everything yes
[2017-07-18 21:22:10] nopcode : oh so no need to go back all the way to 400 - good to know
[2017-07-18 21:22:18] kilrah : nope no mismatch - but since I run the custom apk's and that doesn't check versions....
[2017-07-18 21:22:25] vk2fro : No you can just backflash to 700 and be done with it.
[2017-07-18 21:22:29] kilrah : i don't think i had mismatches earlier either
[2017-07-18 21:22:46] kilrah : i think it only pops up if battery is older, not if it's newer
[2017-07-18 21:22:51] nopcode : does pyduml work on windows? osx? since it mentions something about devices in /dev
[2017-07-18 21:22:58] vk2fro : ok - I did with an 800 battery on .400 with unmodded ios app
[2017-07-18 21:23:12] kilrah : ok
[2017-07-18 21:23:57] vk2fro : pm me nopcode and I’ll guide you through the process so we don’t fill the ~mavic_rooting room with a fw flash guide
[2017-07-19 01:11:16] herfemp : @vk2fro I am interested too (guidance fw flashing)
[2017-07-19 01:12:06] vk2fro : I’ve edited the wiki - should help now.
[2017-07-19 01:12:37] vk2fro : <http://dji.retroroms.info/start>
[2017-07-19 01:13:15] vk2fro : oops wrong link - fixed.
[2017-07-19 02:35:11] fldatatek : If anyone needs a cheap board I found a few for around $53 on ebay. I picked one up so I can play without sacrificing my Mavic. <http://www.ebay.com/itm/122602675911>
[2017-07-19 02:47:32] hotelzululima : damn if I hadnt just gotten one for 69.00 from another source..
[2017-07-19 02:47:43] hotelzululima : oh well good to know..
[2017-07-19 10:34:50] jayemdee : I'm curious why we are putting OS specific system() calls in pyduml? This doesn't make the code portable and is (generally speaking) bad practice...
[2017-07-19 10:35:13] jayemdee : @hdnes and @hostile
[2017-07-19 10:37:24] jayemdee : import platform
print ("\nPreparing to run pythonDUML exploit from a " + platform.system() + " Machine")
[2017-07-19 10:38:46] jayemdee : why make a pure python exploit and then start hardcoding in OS specific system() calls? I mean if you REALLY have to do that couldn't you at least detect your own OS before doing so so that it doesn't break it for anyone not on your OS?
[2017-07-19 10:45:18] jayemdee : and what's the thinking behind remove_stale_bin()? just force copy over it if a new one is selected? I don't like code deleting shit from my filesystem :disappointed:
[2017-07-19 10:49:03] jayemdee : Oh i just realized that didnt go into the master branch yet... good :slightly_smiling_face:
[2017-07-19 10:52:36] jayemdee : I hope we can keep the code portable by using command line arguments for things that can vary wildly and OS detection for when that's not feasible and for the love of GOD don't be lazy with system() calls! why use a portable language at all if you are gonna cripple it with calls to binaries and devices that may or may not even be there :slightly_smiling_face:
[2017-07-19 10:52:59] jayemdee : *steps off his soap box*
[2017-07-19 11:18:29] nopcode : yeah system() is baaad
[2017-07-19 11:18:37] nopcode : python stdlib has everything
[2017-07-19 11:38:38] vk2fro : My bad - it was me who added those calls - am new to programming. Will change to stdlib and remove (or optionally backup) the old bin.
[2017-07-19 11:39:00] vk2fro : remove = remove the code that deletes
[2017-07-19 11:40:36] jayemdee : well the delete was just my own opinion... i would find it irritating if i want to test the same thing over and over while coding that my file keeps getting deleted :slightly_smiling_face:
[2017-07-19 11:40:54] jayemdee : and good work and nice idea to add a menu driven interface like this
[2017-07-19 11:41:24] vk2fro : it makes finding the device and choosing options a lot simpler.
[2017-07-19 11:42:31] jayemdee : the device on linux will be /dev/ttyACMx (debian flavors)
[2017-07-19 11:42:45] jayemdee : not cu.usbxxxxx
[2017-07-19 11:42:59] vk2fro : OSX it changes often. So it still needs to be hunted down.
[2017-07-19 11:43:16] jayemdee : yes could be under linux as well
[2017-07-19 11:43:38] vk2fro : on mint a p4 always appeared as /dev/ttyACM0
[2017-07-19 11:43:50] vk2fro : so did its controller.
[2017-07-19 11:44:20] jayemdee : yes it can vary wildly
[2017-07-19 11:44:28] jayemdee : which is why i think it should stay a command line option
[2017-07-19 11:45:26] jayemdee : this robustification is unlikely to be without bugs and could be the last thing we do to make it "ready for the masses"
[2017-07-19 11:45:28] jayemdee : IMO :slightly_smiling_face:
[2017-07-19 11:46:24] vk2fro : I’ll make the detection routine optional - if it doesn’t detect an argument, it’ll ask the user to do the plug unplug thing
[2017-07-19 11:47:00] jayemdee : that sounds reasonable and make it work for linux! :slightly_smiling_face:
[2017-07-19 11:47:30] jayemdee : check out
[2017-07-19 11:47:36] jayemdee : platform.system()
[2017-07-19 11:47:46] jayemdee : which returns "Windows", "Linux" etc
[2017-07-19 11:48:07] vk2fro : and that's the other goal - getting it to be operational on Windows.
[2017-07-19 11:49:14] vk2fro : Anyway more than eager to learn - this is fun stuff. But not tonight. I need a break from it all. been playing with code all day :slightly_smiling_face:
[2017-07-19 11:51:22] jayemdee : hehe :slightly_smiling_face: enjoy
[2017-07-19 12:18:57] djayeyeballs : anyone else have trouble telnet into 192.168.42.2 after running fireworks? it just hangs for me
[2017-07-19 12:19:05] djayeyeballs : port 1234
[2017-07-19 12:20:30] jezzab : did you reboot?
[2017-07-19 12:20:34] jezzab : after applying
[2017-07-19 12:21:00] jezzab : actually, you had it working before?
[2017-07-19 12:22:08] djayeyeballs : yes reboot after applying. using putty it appears to be connecting.. but no prompt shows up and no error.. just hangs
[2017-07-19 12:23:16] djayeyeballs : have tried like 5 times now and same thing
[2017-07-19 12:23:46] jezzab : There won't be a prompt
[2017-07-19 12:24:01] jezzab : Try typing: ls;
[2017-07-19 12:30:51] djayeyeballs : just hanging lets me type but no response
[2017-07-19 12:31:19] jezzab : You put the ; on the end?
[2017-07-19 12:31:33] jezzab : Hmm
[2017-07-19 12:33:59] djayeyeballs : if I close the session and try again I get connection refused
[2017-07-19 12:42:15] the_lord : if you close the session you need to reboot
[2017-07-19 12:42:32] the_lord : after you connect type id; pwd;
[2017-07-19 12:42:42] the_lord : it will respond
[2017-07-19 12:44:49] djayeyeballs : if I reboot and try to connect I get connection refused, I have to run dumldore again
[2017-07-19 12:45:14] the_lord : i don't know which grep/fireworks you are using
[2017-07-19 12:45:30] the_lord : once you connect to telnet type id; pwd;
[2017-07-19 12:45:39] djayeyeballs : UniversalFireworksTar_dji_system.bin
[2017-07-19 12:45:49] the_lord : and don't forget the ; after each command
[2017-07-19 12:46:06] the_lord : i don't know what's its content
[2017-07-19 12:46:10] the_lord : i use my own
[2017-07-19 12:46:20] djayeyeballs : can I try yours?
[2017-07-19 12:46:36] jezzab : It won't work with DUMLdore
[2017-07-19 12:46:41] djayeyeballs : ah ok
[2017-07-19 12:46:42] jezzab : Will say it's invalid
[2017-07-19 12:46:55] jezzab : It has to detect Burning0day
[2017-07-19 12:47:03] jezzab : At 0x00
[2017-07-19 12:47:24] jezzab : Just use the fireworks.tar from pyduml
[2017-07-19 12:47:35] jezzab : Which should be the same anyway but yeah
[2017-07-19 12:48:25] the_lord : using bin for rooting doesn't take long time
[2017-07-19 12:48:37] the_lord : only few seconds then reboot and you are good to go
[2017-07-19 12:48:51] jezzab : Sorry it's just the DUMLdore validation, I'm trying to stop ppl fucking up.and only create the .bin if it's a fireworks.tar with a Burning header
[2017-07-19 12:50:51] jezzab : Or reaaaaally needed because the bird won't accept a wrong bin anyway but still. Was paranoia at the time
[2017-07-19 12:53:19] hostile : @jayemdee don't forget ... this is literally @hdnes's 5th python program **ever**... I've not had much hand in his code base short of the initial drop it had some errors that made it only work on HDs machine... but yeah fix em, send a Pull Request to him and help him learn better python practices! He's still learning to fish
[2017-07-19 12:54:25] djayeyeballs : still just hangs
[2017-07-19 12:54:46] hostile : @nopcode @jayemdee @hdnes "yeah system() is baaad"... best to work together, educate each other, etc. No need to bike shed as it were =]
[2017-07-19 12:54:47] hostile : <http://bikeshed.org>
[2017-07-19 12:55:02] jezzab : Not reaaaaally needed because the bird won't accept a wrong bin anyway but still. Was paranoia at the time
[2017-07-19 12:55:32] djayeyeballs : no response
[2017-07-19 12:55:44] jezzab : Does adb show anything?
[2017-07-19 12:55:58] hostile : "well the delete was just my own opinion..." hehe "patches welcome".
[2017-07-19 12:56:04] hostile : as the joke goes from: <https://www.youtube.com/watch?v=-F-3E8pyjFo>
[2017-07-19 12:56:10] djayeyeballs : no, no devices listed
[2017-07-19 12:56:33] hostile : dev work gets fun when many people are working together in branches in git and merging code...
[2017-07-19 12:56:44] hostile : it is a learning experience for sure!
[2017-07-19 12:57:02] djayeyeballs : of course I have to be the one with the problems.. fml
[2017-07-19 12:57:12] hostile : @here you guys could start adding more command line options / flags too... make **defaults** optional features
[2017-07-19 12:57:57] jezzab : Try unplugging the USB and back in
[2017-07-19 12:58:00] hostile : @djayeyeballs "anyone else have trouble telnet into 192.168.42.2 after running fireworks?" sometimes your terminal window is blind... shall I assume you are in windows? I'd bet the commands are working blindly. I think @the_lord had issue with this at one time
[2017-07-19 12:58:11] jezzab : God I sound like windows tech support
[2017-07-19 12:58:38] hostile : IF you miss the FIRST ";" it fucks it up from then on out... and yes after the first loss it is gone till reboot cuz of a bug in the grep script that was "fixed" recently.
[2017-07-19 12:59:17] hostile : @djayeyeballs "if I reboot and try to connect I get connection refused, I have to run dumldore again" this is because the grep script deletes itself... that first post exploitation reboot you need to make your access persistent
[2017-07-19 13:00:20] hostile : yeah best to try and handle stupid users
[2017-07-19 13:00:28] cs2000 : Sorry for the probably dumb question, but the steps for doing that manually?
[2017-07-19 13:00:56] djayeyeballs : I pulled fireworks from your git hostile
[2017-07-19 13:02:14] jezzab : Had a guy select Remote Controller and try and flash in the AC bin to upgrade the AC.... wondered why it wouldn't work
[2017-07-19 13:02:37] djayeyeballs : I am trying to make it persist, but telnet not working after first reboot as stated I have run the commands to make it persist and same thing as images show, and no add devices listed
[2017-07-19 13:02:52] jezzab : Sent a screen shot and asked if he was doing RC... no I'm doing AC
[2017-07-19 13:02:53] djayeyeballs : Adb
[2017-07-19 13:05:52] jayemdee : @djayeyeballs FYI: if you use netcat to connect rather than telnet you have a better functioning shell with no need for the ; command terminators each time
[2017-07-19 13:06:20] jayemdee : nc 192.168.42.2 -p 1234
[2017-07-19 13:06:28] djayeyeballs : Will try that thanks @jayemdee
[2017-07-19 13:17:03] jayemdee : Yeah it actually wasn't even HDNES's code i went off about which was my first mistake! I woke up grumpy and thought SHIT this was cleanish code, i was helping to make it cleaner, and now it's a NIGHTMARE! Then i realized i was in the wrong branch and it was a new guy's code i was looking at. I was thinking HOW THE HELL THEY MERGED THIS TO MASTER!!!! but i hadn't had my coffee yet...
[2017-07-19 13:21:24] jayemdee : its actually my first time in python but good programming practices are universal and agnostic to language (at least amongst similar types) and I'm a bit of a stickler for clean readable modular code :slightly_smiling_face:
[2017-07-19 13:21:43] jayemdee : at least in my opinion :slightly_smiling_face:
[2017-07-19 13:21:47] jayemdee : for what its worth haha
[2017-07-19 15:37:23] djayeyeballs : still no luck getting persist, tried on a different computer and exact same thing
[2017-07-19 15:39:09] djayeyeballs : netcat gave me an error regarding the -o in mount -o remount,rw /system
[2017-07-19 15:55:52] jayemdee : which error ?
[2017-07-19 15:56:57] hdnes : Yeah. I specifically broke out the UI code because it's going to be a mess for a while likely.
[2017-07-19 15:57:10] hdnes : Too many moving parts
[2017-07-19 15:57:39] hdnes : But pull requests on master are much appreciated.
[2017-07-19 16:00:02] djayeyeballs : -o not recognized or something along those lines
[2017-07-19 16:03:31] djayeyeballs : I have flashed to fresh .400 firmware (spark), flashed perfectly, ftp looks good, have .bin and inyourgrill101.. still telnet hangs on both machines and no adb devices. Would be great if there were some clear instructions out there (which I had hoped to make for this) for windows
[2017-07-19 16:05:13] djayeyeballs : I know I can use pyduml but the point here is to test DUMLdore (which appears to work ok) but the root persist is going to be an issue I think
[2017-07-19 16:06:02] djayeyeballs : inyourgrill102 sorry
[2017-07-19 16:08:57] martinbogo : @djayeyeballs : mount -o remount,rw /system --- you may need to put it in quotes
[2017-07-19 16:09:09] martinbogo : netcat does parse your input
[2017-07-19 16:09:19] martinbogo : but if you can get adbd running, do that
[2017-07-19 16:09:22] martinbogo : then you can adb shell
[2017-07-19 16:14:45] djayeyeballs : @martinbogo I will give that a go
[2017-07-19 16:20:13] hostile : Net cat still needed a ";" last I checked so may keep it.
[2017-07-19 16:20:51] hostile : Lack of "clear instructions" makes ya learn and work for it :)
[2017-07-19 16:22:04] djayeyeballs : @hostile no doubt, I am all for learning and working for it man. Just hoping to figure this out so I can make it easier for someone else in the future
[2017-07-19 16:24:06] djayeyeballs : and prevent the flood of questions that are going to come from this so we can spend more time doing and less time explaining
[2017-07-19 16:24:17] hostile : Google netcat and ";" if ya need it's an old 90s style hacker technique
[2017-07-19 16:24:44] djayeyeballs : thanks
[2017-07-19 16:29:34] hotelzululima : @hostile.. wonder what ever happened to the Hobbit??
[2017-07-19 16:29:47] hotelzululima : whoops
[2017-07-19 16:29:58] hotelzululima : wrong area nevah mind
[2017-07-19 16:34:05] hotelzululima : BTW more on subject I just tried PYDUML on an rpi3 under Kali Linux.. unsuccessful.. not so sure it wasn’t mods to environment.. will retry tonight with latest raspian
[2017-07-19 16:34:14] hotelzululima : python3 ./pyduml.py /dev/ttyACM0 -------------------------------------------------------------------------- Select device number as follows: Aircraft = [1], RC = [2], Goggles = [3] : 1 -------------------------------------------------------------------------- -------------------------------------------------------------------------- You picked an option not yet supported Traceback (most recent call last): File “./pyduml.py”, line 226, in &lt;module&gt; main() File “./pyduml.py”, line 46, in main write_packet(packet_1) # Enter upgrade mode (delete old file if exists) NameError: name ‘packet_1’ is not defined root@kali:/home/gwen/pyduml#
[2017-07-19 16:35:28] hotelzululima : obviously I need to step through pyduml with trepan3k and find the grief..
[2017-07-19 16:35:47] hotelzululima : more later AFK for next 8 hours(on road)
[2017-07-19 16:43:12] hostile : @hotelzululima git pull?
[2017-07-19 16:43:46] hotelzululima : did..
[2017-07-19 16:43:55] hotelzululima : also unset PYTHONPATH
[2017-07-19 16:44:22] hotelzululima : damn that core board stinky when warm…
[2017-07-19 16:44:52] hotelzululima : have to swap rear O2 sensor and pass smog in next week so be busy for a while
[2017-07-19 16:45:05] hotelzululima : bb tonite
[2017-07-19 16:53:50] hostile : fix the typo then...
[2017-07-19 16:53:58] hostile : you know python bro! read the fooking error
[2017-07-19 16:54:00] hostile : =]
[2017-07-19 16:54:39] hostile : I suspect now minor variations in python version are giving headaches. also you must recall the question on how to use global variables. I suspect fuckery
[2017-07-19 16:54:54] hostile : your python path should have NOTHING to do with a packet being defined in the code...
[2017-07-19 16:55:00] hostile : I assume you spot checked it?
[2017-07-19 17:03:27] hotelzululima : of course and how could it after an unset :slightly_smiling_face: and looked at it same code sucessful on osx
[2017-07-19 17:04:03] hotelzululima : and packet1 IS defined.. btw the python and rubies for raspian and kali rpi have a LOT of fucking bugs…
[2017-07-19 17:04:17] hotelzululima : which is what we may be running into here..
[2017-07-19 17:05:01] hotelzululima : and is my first though.. could not get the python version of zerobin running to save my life in the env
[2017-07-19 17:05:17] hotelzululima : s/though/thought/g
[2017-07-19 17:05:57] hotelzululima : btw another thing I noticed creeping in is ^M line ending(although the one I spotted was fixed in the next pull
[2017-07-19 17:06:12] hostile : "which is what we may be running into here.." yeah man... I HATE python
[2017-07-19 17:06:13] hotelzululima : as folks are doing the work from windows/
[2017-07-19 17:06:23] hotelzululima : i know
[2017-07-19 17:06:24] hostile : I need to go fix the CRC in ruby right now in fact
[2017-07-19 17:07:04] hotelzululima : but I like it as full of fuckery as it is.. I LIKED algol-60 in its time :slightly_smiling_face:
[2017-07-19 17:07:12] hostile : =]
[2017-07-19 17:07:46] hotelzululima : and yes done rooted already on target and exploring..
[2017-07-19 17:07:55] hotelzululima : thanx…!!
[2017-07-19 17:08:13] hotelzululima : trying to catch up now…
[2017-07-19 17:10:40] hotelzululima : will; bring rpi3 with core board on road and figure out tonight
[2017-07-19 17:11:49] hostile : "done rooted " whoot!
[2017-07-19 17:23:29] hotelzululima : thinking about a mission computer rpi 0-w running android mobilesdk over the wifilink or usb directing the mavic sans ocusync :slightly_smiling_face:
[2017-07-19 17:37:00] guest : any change of getting MC (Midnight Commander) running on a rooted mavic? it would really make my life so much easier browsing things!
[2017-07-19 17:43:36] hostile : LOLOLOL
[2017-07-19 17:43:44] hostile : dude you've really dated yourself
[2017-07-19 17:43:50] hostile : is that shit still around even!?
[2017-07-19 17:43:59] hostile : yeah... you have root start compiling bro!
[2017-07-19 17:44:41] fldatatek : damn that is a bit old school
[2017-07-19 17:45:52] hostile : Initial release 1994; 23 years ago
[2017-07-19 17:46:04] hostile : heh @martinbogo ... challenge accepted?
[2017-07-19 17:46:19] hostile : do you have details on your compile setup so others can try their hand too btw?
[2017-07-19 17:46:32] hostile : we really need to get apt, and maybe gcc going native!
[2017-07-19 17:54:46] martinbogo : You want midnight commander?
[2017-07-19 17:54:55] martinbogo : Hmmm .. that would require compiling something static with ncurses...
[2017-07-19 17:55:06] martinbogo : I can try, but that's a lot more complex than dropbear and nano
[2017-07-19 17:55:22] martinbogo : ( nano was compiled with curses-light )
[2017-07-19 17:55:39] hostile : martin... gcc native?
[2017-07-19 17:55:41] hostile : =]
[2017-07-19 17:55:52] hostile : we can slow compile anything or chroot compile then perhaps
[2017-07-19 17:56:01] hostile : from the native environment
[2017-07-19 17:56:08] hostile : as I did for solo
[2017-07-19 17:56:16] martinbogo : my compile setup is fairly straightforward ... I use a Debian 8 Android development toolkit, and compile for eabi arm v7
[2017-07-19 17:57:18] hostile : drop the cross compile flags? I figure a few can get the basics and roll, anything special beyond that though?
[2017-07-19 17:58:02] martinbogo : There aren't any flags per se
[2017-07-19 17:58:44] martinbogo : just use the makefile, with --target arm-eabi-gcc
[2017-07-19 17:59:13] martinbogo : i.e.)
[2017-07-19 17:59:14] martinbogo : ./configure –host=arm-eabi CC=arm-eabi-gcc CPPFLAGS=”-I$ANDROID_ROOT/build/platforms/android-3/arch-arm/usr/include/” CFLAGS=”-nostdlib” LDFLAGS=”-Wl,-rpath-link=$ANDROID_ROOT/build/platforms/android-3/arch-arm/usr/lib/ -L$ANDROID_ROOT/build/platforms/android-3/arch-arm/usr/lib/” LIBS=”-lc “
[2017-07-19 17:59:23] martinbogo : that kind of thing
[2017-07-19 18:00:17] martinbogo : -march=armv7-a -mfloat-abi=softfp -mfpu=vfpv3-d16
[2017-07-19 18:00:54] hostile : I'm pretty familiar, just wanted some other compile notes on hand
[2017-07-19 18:00:57] hostile : much appreciated
[2017-07-19 18:18:19] kilrah : how much free space is there on the filesystem?
[2017-07-19 18:25:16] martinbogo : 1|root@wm330_dz_vp0001_v5:/ # df Filesystem Size Used Free Blksize /dev 8.0M 128.0K 7.9M 4096 /tmp 32.0M 16.0K 32.0M 4096 /var 2.0M 12.0K 2.0M 4096 /ftp 1024.0K 0.0K 1024.0K 4096 /amt 11.7M 64.0K 11.7M 4096 /vendor 59.0M 6.8M 52.2M 4096 /system 122.0M 98.8M 23.2M 4096 /data 1.1G 105.3M 1010.5M 4096 /blackbox 1.9G 729.3M 1.2G 4096 /cache 248.0M 55.0M 192.9M 4096 /ftp/upgrade 1.1G 105.3M 1010.5M 4096 /ftp/blackbox 1.9G 729.3M 1.2G 4096
[2017-07-19 18:25:22] martinbogo : Depends what part of the filesystem you are in
[2017-07-19 18:25:31] martinbogo : this filesystem has a lot of mounted devices
[2017-07-19 18:25:51] hostile : we also have /sdcard
[2017-07-19 18:25:52] kilrah : 1G in data
[2017-07-19 18:26:42] hostile : $ git push Git LFS: (0 of 3 files) 3.21 MB / 233.00 MB
[2017-07-19 18:26:44] martinbogo : yes .. I use /data/hack_control for my experiments, for example
[2017-07-19 18:27:10] kilrah : guess blackbox and sdcard would be the same, apparently your onboard sd is 2 gigs
[2017-07-19 18:27:18] martinbogo : @hostile : You can't count on /sdcard --- it gets mounted/unmounted for a lot of things
[2017-07-19 18:27:32] martinbogo : the /data partition is always mounted, always available, and rw
[2017-07-19 18:27:38] hostile : indeed
[2017-07-19 18:27:40] kilrah : how nice
[2017-07-19 18:28:29] martinbogo : root@wm330_dz_vp0001_v5:/data # mount rootfs / rootfs ro 0 0 tmpfs /dev tmpfs rw,nosuid,relatime,size=8192k,mode=755 0 0 devpts /dev/pts devpts rw,relatime,mode=600 0 0 proc /proc proc rw,relatime 0 0 sysfs /sys sysfs rw,relatime 0 0 tmpfs /tmp tmpfs rw,relatime,size=32768k 0 0 tmpfs /var tmpfs rw,relatime,size=2048k 0 0 tmpfs /ftp tmpfs rw,relatime,size=1024k 0 0 /dev/block/platform/comip-mmc.1/by-name/amt /amt ext4 ro,relatime,data=ordered 0 0 /dev/block/platform/comip-mmc.1/by-name/vendor /vendor ext4 ro,relatime,data=ordered 0 0 /dev/block/platform/comip-mmc.1/by-name/system /system ext4 ro,relatime,data=ordered 0 0 /dev/block/platform/comip-mmc.1/by-name/userdata /data ext4 rw,noatime,data=ordered 0 0 /dev/block/platform/comip-mmc.1/by-name/blackbox /blackbox ext4 rw,noatime,data=ordered 0 0 /dev/block/platform/comip-mmc.1/by-name/cache /cache ext4 rw,noatime,data=ordered 0 0 /dev/block/platform/comip-mmc.1/by-name/userdata /ftp/upgrade ext4 rw,noatime,data=ordered 0 0 /dev/block/platform/comip-mmc.1/by-name/blackbox /ftp/blackbox ext4 rw,noatime,data=ordered 0 0
[2017-07-19 18:28:48] jayemdee : lol @midnight commander :slightly_smiling_face:
[2017-07-19 18:34:22] hostile : set the channel topic: Come here to eat like a king. We teach you to fish... you supply your own silver platter. <https://www.youtube.com/watch?v=r2pt2-F2j2g>
[2017-07-19 18:34:27] hostile : <https://www.youtube.com/watch?v=r2pt2-F2j2g>
[2017-07-19 18:36:09] guest : okay you guys win... no "old school" midnight commander...
[2017-07-19 18:36:27] guest : :disappointed:
[2017-07-19 18:37:22] martinbogo : Oh .. don't you fret .. I'm compiling it :slightly_smiling_face:
[2017-07-19 18:37:41] martinbogo : It's just got a LOT of dependencies ... not sure how many I have to drag in
[2017-07-19 18:37:55] jayemdee : [root@godfather pyduml] :slightly_smiling_face: # python pyduml.py Preparing to run pythonDUML exploit from a Linux Machine. Error: No arguments entered. Usage: python pyduml.py &lt;your device&gt; &lt;debugmode&gt;(optional) (Serial Port should resemble: '/dev/cu.usbmodem1425' or linux should be something like /dev/ttyACM0) [root@godfather pyduml] :slightly_smiling_face: # python pyduml.py /dev/ttyACM0 Preparing to run pythonDUML exploit from a Linux Machine. Error: Could not open port/dev/ttyACM0.
[2017-07-19 18:38:20] hostile : @guest at least you didn't ask for emacs
[2017-07-19 18:38:27] guest : hehe
[2017-07-19 18:38:32] jayemdee : im robustificating!
[2017-07-19 18:38:34] jayemdee : again
[2017-07-19 18:42:29] hans112 : I like that word :+1:
[2017-07-19 18:48:41] kilrah : Do we have backups of /data? This seems not to be touched by the upgrades, so depending on what's on there it might be wise to keep archives of that too...
[2017-07-19 18:49:15] kilrah : unless it's all logging/unimportant generated stuff
[2017-07-19 20:08:38] hostile : @martinbogo I think we need tp try to adb install some shit like this... <https://play.google.com/store/apps/details?id=com.pdaxrom.cctools>
[2017-07-19 20:09:12] hostile : <https://play.google.com/store/apps/details?id=com.n0n3m4.gcc4droid>
[2017-07-19 20:09:40] hostile : "It contains GCC 5.3.0 with Bionic (Android libc)"
[2017-07-19 20:10:02] hostile : <https://play.google.com/store/apps/details?id=com.n0n3m4.droidc>
[2017-07-20 00:07:00] djayeyeballs : this look ok to you guys?
[2017-07-20 00:08:35] djayeyeballs : still can't see abd devices though
[2017-07-20 00:16:11] djayeyeballs : any hints on enabling usb debug on AC?
[2017-07-20 00:25:18] djayeyeballs : --inrup?
[2017-07-20 00:45:26] djayeyeballs : I must be missing something here, adb should be enabled on reboot after fireworks shouldn't it?
[2017-07-20 00:47:30] hostile : what device?
[2017-07-20 00:47:39] hostile : are you rooting
[2017-07-20 00:47:59] djayeyeballs : spark
[2017-07-20 00:48:45] djayeyeballs : maybe I should ditch windows...
[2017-07-20 00:55:16] hostile : I mean clearly you already have root above...
[2017-07-20 00:55:23] hostile : so learn to use linux and maintain your root
[2017-07-20 00:55:25] hostile : =]
[2017-07-20 00:55:37] czokie : So many lines there...
[2017-07-20 00:56:04] hostile : adb_en.sh calls grep IIRC...
[2017-07-20 00:56:12] hostile : so you may wanna rm the grep script
[2017-07-20 00:56:13] hostile : I forget
[2017-07-20 00:56:14] hostile : heh
[2017-07-20 00:56:20] hostile : lost track of some of this shit.
[2017-07-20 00:56:26] hostile : operating in a root shell is kinda second nature
[2017-07-20 00:56:39] hostile : and when it fails I just go into debug mode
[2017-07-20 00:56:42] hostile : maybe try strace?
[2017-07-20 00:58:52] djayeyeballs : yeah I read you recommended that many times .. rm grep... windows is just not right.. was hoping to help others by getting this done in windows, but I'm done. Nothing works right and it's all jumping through hoops and hurdles to get anywhere
[2017-07-20 00:59:28] djayeyeballs : upgrade and downgrade offline work fine though
[2017-07-20 01:03:04] hostile : you have root...
[2017-07-20 01:03:08] hostile : everything worked fine
[2017-07-20 01:03:12] hostile : your problem is persistant root
[2017-07-20 01:03:17] hostile : this is unrelated to windows
[2017-07-20 01:03:31] hostile : short of perhaps a general infamiliarity with the linux variant that android uses.
[2017-07-20 01:03:51] hotelzululima : I rooted it 3 or four times before I decided to seal the deal and make it permanent :slightly_smiling_face:
[2017-07-20 01:04:46] hostile : "it's all jumping through hoops and hurdles to get anywhere" lol how the fuck do you think WE feel... and we handed it to you with a pretty bow on it.
[2017-07-20 01:04:53] hotelzululima : was trying to set up a monitor to see the duml
[2017-07-20 01:04:58] hostile : pull your skirt up...
[2017-07-20 01:05:14] hotelzululima : pyduml is as easy as falling off a log nowadays
[2017-07-20 01:05:30] hotelzululima : prolly easier
[2017-07-20 01:06:13] hotelzululima : wondering about android equivalents to inotify now
[2017-07-20 01:23:24] djayeyeballs : @hostile no disrespect intended by my frustration
[2017-07-20 01:26:36] djayeyeballs : I come from a C#/windows background, not unix. I understand they are worlds apart and have much respect for the work you and others are doing here. I will keep my comments to myself from here on out.
[2017-07-20 01:32:48] hostile : comments are fine! just encouraging you NOT to give up
[2017-07-20 01:32:56] hostile : and letting you know right now... windows has NOTHING to do with your issues
[2017-07-20 01:33:05] hostile : your issues are at the level of retaining root...
[2017-07-20 01:33:27] hostile : a few tcp forwards and someone can perhaps get into your machine via the telnet
[2017-07-20 01:33:31] hostile : or Teamviewer?
[2017-07-20 01:33:37] hostile : but you HAVE root...
[2017-07-20 01:37:48] djayeyeballs : I just need a break. 2 kids, 2 jobs, and now this on top lol.. I don't want a spoon feed. I will get this..
[2017-07-20 01:50:29] hostile : heh I get ya man!
[2017-07-20 02:40:20] hotelzululima : @djayeyeballs you MAY find <http://dji.retroroms.info/> of assistance.. its dones by some members who have documented their experience as they these procedures went through and turned it into a wiki
[2017-07-20 06:24:18] hdnes : this is way old, but anyone think the DUML is of any use?
[2017-07-20 06:24:22] hdnes : <https://phantompilots.com/threads/lightbridge-firmware-problem-and-solution-firmware-version-not-found-by-dji-assistant-tool.77073/>
[2017-07-20 07:04:17] kilrah : if the issue is that it doesn't boot, not really...
[2017-07-20 07:05:25] jezzab : They use DUML like packets with that.
[2017-07-20 07:05:47] jezzab : Just dont seem to use an ftp server as well
[2017-07-20 07:06:20] jezzab : I would assume the P4 remote is exactly like that process as mine doesnt have ftp etc
[2017-07-20 07:06:35] jezzab : I havent logged the serial packets because it doesnt even show in Assistant :disappointed:
[2017-07-20 07:13:50] hdnes : interesting
[2017-07-20 07:26:12] jezzab : I guess really its just a custom command set to do what you want. Like most stuff.
[2017-07-20 07:42:41] hotelzululima : All kinds of fun by rooting first, I was at .900 and then tailing the log as I downgrade to .700 on the ac next is rc
[2017-07-20 07:48:26] hotelzululima : whoops just replaced myself and kicked out !
[2017-07-20 08:28:44] hotelzululima : BTW AC&amp;RC downgraded to .700 slick as a greased pig… and then rerooted :slightly_smiling_face: excellent Job!! kudos to all.!!. its about as close to turn key as one can get in the cli, handles the covered software releases that I have tried so far and performs as advertised.. cant ask for more than that.. and folks.. some of us PREFER the shell as opposed to a gui driven hot mess :slightly_smiling_face:
[2017-07-20 08:40:44] hans112 : I have a big problem... There is something in my grill (rc).....
[2017-07-20 13:36:10] hostile : @hans112 lol
[2017-07-20 13:36:22] hostile : I wonder how many folks got that was a refrence to 90s IRC
[2017-07-20 13:36:29] hostile : *slaps you around with a large trout*
[2017-07-20 13:36:38] hostile : "Red Herring in your grill (mouth)"
[2017-07-20 13:36:57] hostile : <http://www.urbandictionary.com/define.php?term=trout%20slap>
[2017-07-20 13:37:19] hostile : Which is of course an old Month Python meme... <https://www.youtube.com/watch?v=WsfiD78Cy0s>
[2017-07-20 13:45:36] the_lord : i was trying to sniff the NFZ db upgrade i upgraded the mavic to .0900, deleted /amt/nfz/ and the files nfz.db nfz.sig but i'm not getting NFZ upgrade from assistant of course restarted many times but still i'm unable to get NFZ upgrade even with --test_server
[2017-07-20 13:46:16] the_lord : before i was able to get NFZ upgrade only if i delete the NFZ directory from FTP
[2017-07-20 13:49:38] hostile : weird
[2017-07-20 13:49:59] hostile : I suspect we need to to put some work into Assistant.app sniffs
[2017-07-20 14:13:57] the_lord : are you still able to get NFZ upgrade?
[2017-07-20 14:15:12] the_lord : i noticed after reboot the /amt/nfz/ files were created again
[2017-07-20 14:18:21] hostile : haven't tried in a while
[2017-07-20 14:18:46] hostile : I am not using 900 much at all...
[2017-07-20 14:18:53] hostile : I suspect the NFZ handles differently.
[2017-07-20 14:26:22] the_lord : i was on .700 and didn't get the NFZ upgrade for that i upgraded to .900 to check
[2017-07-20 14:32:45] hfman : Very odd... I am on .700, and get the NFZ upgrade request almost every time I boot. I get it on both Assistant 2 and GO 4.
[2017-07-20 14:35:11] the_lord : i'll try it with VPN
[2017-07-20 14:48:28] hostile : @the_lord what is the status of your hosts file?
[2017-07-20 14:48:30] hostile : clean it
[2017-07-20 14:49:44] the_lord : only this in my hosts 127.0.0.1 [swsf.djicorp.com](http://swsf.djicorp.com)
[2017-07-20 16:19:03] the_lord : guys, anyone here living close to NFZ with rooted mavic PM me please
[2017-07-20 16:23:10] hotelzululima : 100 miles from my nfz home :slightly_smiling_face:
[2017-07-20 16:23:21] hotelzululima : can check tomorrow
[2017-07-20 16:23:55] hotelzululima : if no one else by then
[2017-07-20 16:25:21] hfman : Meaning a RED NFZ? Yes, I have one relatively close...
[2017-07-20 16:28:15] the_lord : thanks HZL
[2017-07-20 16:28:22] the_lord : hfman PM please
[2017-07-20 16:41:51] vk2fro : the_lord I am inside an NFZ
[2017-07-20 16:42:24] the_lord : you need rooted mavic on 1.03.0900
[2017-07-20 16:42:43] vk2fro : ok will upgrade my aircraft hold on.
[2017-07-20 16:43:16] hans112 : @vk2fro always nice to do when you know you can downgrade right ?:smile:
[2017-07-20 16:43:39] vk2fro : yes LOL
[2017-07-20 16:53:40] vk2fro : ok shes flashing
[2017-07-20 16:54:39] vk2fro : are you going to want me to see if I can arm the motors on a rooted aircraft?
[2017-07-20 16:55:41] the_lord : PM please
[2017-07-20 17:10:53] martinbogo : I am almost done creating a cross-compilation environment that works in Windows / Mac / Linux
[2017-07-20 17:11:05] martinbogo : Bare-metal compiling on the Mavic / P4 is a BAD idea
[2017-07-20 17:11:30] martinbogo : There isn't enough RAM onboard the device for complex compiles
[2017-07-20 17:11:35] martinbogo : better to cross and install
[2017-07-20 17:30:49] hostile : although for small things is may be nice to test some of the .apk gcc installs already on GooglePlay
[2017-07-20 17:30:59] hostile : a nice toolkit will be ballerAF
[2017-07-20 17:41:30] martinbogo : almost there
[2017-07-20 17:41:46] martinbogo : I'm basically packaging crosstools-ng w/ the correct settings
[2017-07-20 17:41:58] martinbogo : Having issues with the .pkg for OSX HighSierra
[2017-07-20 17:42:10] martinbogo : I have it working in Sierra, and in Yosemite
[2017-07-20 17:42:21] martinbogo : The linux .tar.gz works for all 64 bit systems
[2017-07-20 17:42:30] martinbogo : the windows one works for all 64 bit systems
[2017-07-20 17:42:33] martinbogo : so far, so good
[2017-07-20 17:43:45] kilrah : @martinbogo forscp with dropbear, did you need to change root password?
[2017-07-20 17:45:07] martinbogo : no .. just make sure you launch the daemon with the "all users same password" OR make sure you configure certs
[2017-07-20 17:45:08] martinbogo : your choice
[2017-07-20 17:45:31] martinbogo : For some reason, I broke having dropbear run by default ... I need to see what went wrong in my startup script
[2017-07-20 17:45:41] martinbogo : adb works
[2017-07-20 18:07:27] martinbogo : Is there any circumstance in which /system/bin/start_dji_system.sh would not run?
[2017-07-20 18:09:33] hostile : if it is not chmod +x
[2017-07-20 18:09:34] hostile : =]
[2017-07-20 18:09:42] hostile : or if you setprop to make it not run
[2017-07-20 18:09:45] hostile : (see init)
[2017-07-20 18:10:11] hostile : or stop start_dji_system I think iirc
[2017-07-20 18:12:39] martinbogo : hmm .. nope
[2017-07-20 18:12:41] martinbogo : Ahhh ...
[2017-07-20 18:12:45] martinbogo : it EXITS in themiddle
[2017-07-20 18:12:55] martinbogo : damnit .. I was hoping I could just append the dropbear start script at the end
[2017-07-20 18:12:56] martinbogo : but no.
[2017-07-20 18:12:59] martinbogo : it stops halfway through
[2017-07-20 18:13:22] martinbogo : That is a _really_ stupid way to create a script -- an exit condition int he middle is UGH..
[2017-07-20 18:14:22] kilrah : oh? weird, cause the documented adb persistence is at the end
[2017-07-20 18:14:33] martinbogo : not on p4
[2017-07-20 18:14:36] martinbogo : it's in the beginnign on p4
[2017-07-20 18:14:40] kilrah : so it should get there in _most_ cases?
[2017-07-20 18:14:41] kilrah : ah
[2017-07-20 18:14:48] kilrah : dang, keep forgetting :smile:
[2017-07-20 18:18:08] hostile : " I was hoping I could just append the dropbear start script at the end" we append the adb shell to the end... when did it start existing in the middle? that may be a recent change
[2017-07-20 18:18:38] hostile : we need to get that proper documented up
[2017-07-20 18:18:38] kilrah : mavic/P4 done differently it seems
[2017-07-20 18:18:46] hostile : may be part of the headache folks are having keeping persistance
[2017-07-20 18:19:01] kilrah : btw I finally rooted earlier
[2017-07-20 18:19:55] kilrah : not managed the remote though, never get the "updating" and no adb on reboot (even with the documented fluffing
[2017-07-20 18:19:58] kilrah : will have to check later
[2017-07-20 18:20:23] martinbogo : @hostile : Confirmed .. when I move the "start dropbear" portion of the script earlier on ( where ADB is enabled ) it works
[2017-07-20 18:20:33] martinbogo : so the script bombs out/exits somewhere before the end
[2017-07-20 18:20:54] hostile : cool that is useful to know
[2017-07-20 18:40:57] hostile : heheheheheheh here we go again!
[2017-07-20 19:27:52] kilrah : LOL
[2017-07-20 19:34:53] hans112 : :joy:
[2017-07-20 19:34:53] hans112 : But hey... He is sorry
[2017-07-20 20:01:38] kilrah : for the record - I think I found a reliable way to root the remote
[2017-07-20 20:02:07] kilrah : send the root using pyduml, then straight flash a new firmware
[2017-07-20 20:02:14] kilrah : after reboot you're rooted
[2017-07-20 20:02:27] aciid : I found that doing the it in the other order works aswell, "on first try"
[2017-07-20 20:02:58] kilrah : trying the exploit only multiple times including using the recommended "if having trouble" method never got me anywhere, but the above worked first try twice
[2017-07-20 20:03:06] kilrah : ok
[2017-07-20 20:03:39] aciid : but I think it's because pyduml doesn't send correct firmwareupgrade command it wont reboot is the problem
[2017-07-20 20:03:44] aciid : its a miss or hit
[2017-07-20 20:03:52] kilrah : probably yes, seems the most liekly issue
[2017-07-20 20:04:15] aciid : I was pondering on whats actually going down there, with no exception handling its just trial and error
[2017-07-20 20:04:38] kilrah : in which case I need to mention I used DUMLdore to send the FW - unfortunately @jezzab didn't open source it, so can't easily check for differences :wink:
[2017-07-20 20:05:13] kilrah : since it's a different implementation, could be avoiding a bug in pyduml
[2017-07-20 20:14:47] kilrah : but I don't think so, becasue after failed attempts .bin/grep WAS visible using ftp so the RC must have processed the file
[2017-07-20 20:15:55] guest : so basically: - pyduml ..... UniversalFireworksTar_dji_system.bin - pyduml ..... V01.03.0700_RC_Mavic_dji_system.bin - reboot. rooted?
[2017-07-20 20:16:11] aciid : while true; do /system/xbin/busybox nc -l -p 1234 -e /system/bin/sh &amp; done ilarilind at Acer 2400 in ~/bin/mavic/pyduml on master [?] $
[2017-07-20 20:16:35] aciid : could be that the most recent version of fireworks tar which contains the non CPU hog also works better than this one xD
[2017-07-20 20:16:51] aciid : I had problems with this one on the RC
[2017-07-20 20:17:45] kilrah : I used the latest, pulled the pyduml repo jsut before trying
[2017-07-20 20:18:07] kilrah : 9487f86a713cb3a3cf459247b65ff250366ce741
[2017-07-20 20:18:15] hostile : @kilrah best way to check if grep ran, is to check your grill in /data
[2017-07-20 20:18:44] kilrah : that's the weird thing, once I finally got adb access I was at 105 or so
[2017-07-20 20:18:55] kilrah : so _something_was happening, but ADB didn't get enabled
[2017-07-20 20:19:09] aciid : ilarilind at Acer 2400 in ~/bin/mavic/pyduml on master $ strings fireworks.tar | tail -n 1 while true; do /system/xbin/busybox nc -l -p 1234 -e /system/bin/sh &amp; done ilarilind at Acer 2400 in ~/bin/mavic/pyduml on master
[2017-07-20 20:19:11] hostile : @kilrah did you try making your own combined file per the instructions in the repo?
[2017-07-20 20:19:12] hostile : <https://dji-rev.slack.com/archives/C60KELF6H/p1500580927954544>
[2017-07-20 20:19:17] aciid : weird, latest has this
[2017-07-20 20:19:25] aciid : 741
[2017-07-20 20:20:06] kilrah : @hostile nah, on Windows and not comfortable attempting to craft tars with symlinks on there, sounds not even possible
[2017-07-20 20:20:25] hostile : it IS possible
[2017-07-20 20:20:34] hostile : i know for a fact it can be done in the bash Ubuntu implementation
[2017-07-20 20:20:50] kilrah : I've never installed/tried that yet
[2017-07-20 20:21:01] aciid : @hostile has this version <https://github.com/MAVProxyUser/P0VsRedHerring/blob/c60e5d298edb5ced1c5cdcc79060d4c5418e7965/fireworks.tar#L17-L18>
[2017-07-20 20:21:03] hostile : I think it is a matter of finding the right .tar file
[2017-07-20 20:21:14] hostile : another option is to use a static fireworks.tar that is known to work
[2017-07-20 20:21:15] aciid : pyduml doens't have the CPU fix
[2017-07-20 20:21:19] hostile : and when on windows just don't try to **make** one
[2017-07-20 20:21:19] kilrah : unrelated, but in case it's useful I can confirm current pyduml from commit mentioned above works flawlessly on win
[2017-07-20 20:21:34] hostile : also considered a generic fireworks.tar with a bunch of sumlinks to /system /data, etc.
[2017-07-20 20:21:45] hostile : and then the python code can just append to it
[2017-07-20 20:21:51] hostile : which any OS should be able to do
[2017-07-20 20:22:11] hostile : file a git issue...
[2017-07-20 20:22:15] hostile : and link the one in RedHerring
[2017-07-20 20:22:35] hostile : <https://github.com/hdnes/pyduml/issues/new>
[2017-07-20 20:23:06] hostile : refrence: <https://github.com/MAVProxyUser/P0VsRedHerring/commit/c60e5d298edb5ced1c5cdcc79060d4c5418e7965>
[2017-07-20 20:23:18] hostile : and <https://github.com/MAVProxyUser/P0VsRedHerring/commit/a3c196f6ff1f88695d317840fcb553e53a6633fe>
[2017-07-20 20:23:22] kilrah : I like to file issues when I understand what's wrong, not the case here :smile:
[2017-07-20 20:23:31] hostile : in the issue you create and then @hdnes can get to it in his copious free time.
[2017-07-20 20:23:48] hostile : the issue is he does not have the latest fix for the CPU hog in pyduml as mentioned above
[2017-07-20 20:23:58] hostile : <https://dji-rev.slack.com/archives/C60KELF6H/p1500582075541027>
[2017-07-20 20:24:18] hostile : either way somoen should probably file that issue
[2017-07-20 20:24:20] kilrah : ooh funny, thought it was the opposite
[2017-07-20 20:24:29] hostile : file the issue... comment on it
[2017-07-20 20:24:36] hostile : and help us figure it out
[2017-07-20 20:24:43] hostile : stuff gets lost in slack sans a git issue
[2017-07-20 20:24:46] martinbogo : crosstools compiling :slightly_smiling_face:
[2017-07-20 20:24:58] hostile : nice!!!!!
[2017-07-20 20:25:38] martinbogo : That covers OSX/Sierra OSX/HighSierra ... I have Linux ( Ubuntu current - Zesty ) and Windows ( Win 10 ) building
[2017-07-20 20:25:45] martinbogo : windows will require the installation of CygWin
[2017-07-20 20:25:46] hostile : bump!
[2017-07-20 20:25:49] martinbogo : I don't know any other way to do it
[2017-07-20 20:25:56] hostile : bash
[2017-07-20 20:26:02] martinbogo : no, bash didn't work
[2017-07-20 20:26:05] martinbogo : I -had- to install cygwin
[2017-07-20 20:26:08] hostile : weird
[2017-07-20 20:26:14] martinbogo : I tried the new WindowsPowershell bash ... something went very wrong
[2017-07-20 20:26:19] hostile : if it works on linux... you'd think it woudl work there
[2017-07-20 20:26:25] hostile : but alas...
[2017-07-20 20:26:28] martinbogo : Weeeelll... it's linux, or so I hear
[2017-07-20 20:26:29] hostile : post that shit!
[2017-07-20 20:26:30] hostile : :wink:
[2017-07-20 20:26:31] martinbogo : running under Windows
[2017-07-20 20:26:43] martinbogo : Not yet. I'm going to do the full GCC toolchain test once it's all compiled
[2017-07-20 20:26:44] hostile : UMSDos evolved lol
[2017-07-20 20:27:14] martinbogo : because I had to build against the headers for kernel 3.10.105
[2017-07-20 20:27:26] martinbogo : the P4 runs 3.10.62
[2017-07-20 20:27:31] martinbogo : the mavic runs something similar, right?
[2017-07-20 20:28:55] kilrah : issue up
[2017-07-20 20:29:17] kilrah : hopefully not too far off :smile:
[2017-07-20 20:57:42] teamdollyllama : What are you referring to as "cpu fix" when I run adb shell top, i'm getting no more than 13% total cpu usage on remote or drone....there is a grep process listed but using 0% cpu
[2017-07-20 20:58:25] hostile : that is good
[2017-07-20 20:59:45] kilrah : should be
[2017-07-20 21:00:07] kilrah : in my case I `python pyduml com4`
[2017-07-20 21:00:17] kilrah : then flashed using dumldore
[2017-07-20 21:00:24] kilrah : then reboot
[2017-07-20 21:00:25] guest : will give it a go later today..
[2017-07-20 21:00:33] kilrah : and rooted
[2017-07-20 21:00:47] kilrah : then persistence as per instructions if you want
[2017-07-20 21:01:12] guest : :+1:
[2017-07-20 21:20:52] martinbogo : FANTASTIC
[2017-07-20 21:20:57] martinbogo : I got dpkg to build
[2017-07-20 21:21:34] martinbogo : that's a good first step. It's actually fairly easy to make .deb / .udeb files in a cross environment, qemu, and of course on a raspi
[2017-07-20 21:21:41] martinbogo : ( raspi, by the way, is a compatible architecture )
[2017-07-20 21:25:03] hostile : @martinbogo the timing of our simultaneous updates...
[2017-07-20 21:25:06] hostile : BIG shit is afoot
[2017-07-20 21:25:32] martinbogo : @hostile : I'm not sure about the paths where things will go
[2017-07-20 21:25:43] martinbogo : Android doesn't have paths in the right places
[2017-07-20 21:25:58] martinbogo : I hate using /data, but I think I'm going to have to do shit like
[2017-07-20 21:26:18] martinbogo : /data/djireverse/bin
[2017-07-20 21:26:25] hostile : I think that is fine
[2017-07-20 21:26:32] martinbogo : /data/djireverse/var ... etc.. etc
[2017-07-20 21:26:46] martinbogo : Yeah, but it's going to get weird.
[2017-07-20 21:26:48] hostile : it will help with cleanup
[2017-07-20 21:26:52] hostile : PATHING...
[2017-07-20 21:27:00] martinbogo : We need to pick a path, and call it "home"
[2017-07-20 21:27:06] aciid : chroot?
[2017-07-20 21:27:16] hostile : hah sad my first thought was /data/fuckdanny
[2017-07-20 21:27:26] martinbogo : Okay .. I am going to say -- LETS USE /data/djireverse/ as the new root path for now
[2017-07-20 21:27:31] martinbogo : like /usr/local would be
[2017-07-20 21:27:41] martinbogo : and move all binaries, libraries, and such in there .. there's 8GB
[2017-07-20 21:27:51] hostile : /data/local
[2017-07-20 21:27:54] martinbogo : and lets AVOID using sdcard for anything, since that's prone to failure
[2017-07-20 21:28:06] martinbogo : /data/local it is
[2017-07-20 21:28:06] aciid : keep the writes to a minimum
[2017-07-20 21:28:18] martinbogo : I like it, and it's a common enough UNIX way of doing things that people will understand
[2017-07-20 21:28:24] hostile : AFK for now... someone else test single sig updates with pyduml please! and when @hdnes gets back... and @jezzab have them get the tools ready for some cherry picking!
[2017-07-20 21:28:36] martinbogo : HOWEVER -- always use /tmp for real tmp .. since it's a tmpfs
[2017-07-20 21:28:38] martinbogo : etc
[2017-07-20 21:28:53] martinbogo : /data/local/tmp should always be a link to /tmp
[2017-07-20 21:29:20] martinbogo : okay .. working on the first "rooted basic install" then
[2017-07-20 21:30:05] martinbogo : it will have dropbear, nano, and depending on size, the gnu utilities ( gcc, linker, gettext, glib, multilib, etc )
[2017-07-20 21:30:55] martinbogo : I'll check the size of everything once the GCC build finishes on my machine
[2017-07-20 21:31:02] martinbogo : it's building GCC stage 1 now
[2017-07-20 21:52:01] martinbogo : Sage:bin martinb$ ./arm-unknown-linux-gnueabi-gcc --version
arm-unknown-linux-gnueabi-gcc (crosstool-NG crosstool-ng-1.23.0) 6.3.0
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
[2017-07-20 22:51:47] jezzab : public byte[] FWarray;
byte[] packet1_ac = { 0x55, 0x16, 0x04, 0xFC, 0x2A, 0x28, 0x65, 0x57, 0x40, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0xD3 }; // Enter upgrade mode (delete old file if exists)
byte[] packet2_ac = { 0x55, 0x0E, 0x04, 0x66, 0x2A, 0x28, 0x68, 0x57, 0x40, 0x00, 0x0C, 0x00, 0x88, 0x20 }; // Enable Reporting
byte[] packet3_ac = { 0x55, 0x1A, 0x04, 0xB1, 0x2A, 0x28, 0x6B, 0x57, 0x40, 0x00, 0x08, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x04, 0xFF, 0xFF }; // Payload (file size patched in at offset 12, CRC at offset 24)
byte[] packet4_ac = { 0x55, 0x1E, 0x04, 0x8A, 0x2A, 0x28, 0xF6, 0x57, 0x40, 0x00, 0x0A, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }; // MD5 (digest patched in at offset 12, CRC at offset 28)
<snip>
if (rdoAircraft.Checked == true)
{
    serialPort1.Write(packet1_ac, 0, packet1_ac.Length);
    serialPort1.Write(packet2_ac, 0, packet2_ac.Length);
    toolStripStatusLabel1.Text = "Starting serial comms";

    uint filesize = (uint)FWarray.Length;
    byte[] filesize_array = BitConverter.GetBytes(filesize);
    // copy bytes for filesize
    Buffer.BlockCopy(filesize_array, 0, packet3_ac, 12, filesize_array.Length);
    // calc crc and insert
    uint crc = CalcCRC(packet3_ac, packet3_ac.Length - 2);
    byte[] crc_array = BitConverter.GetBytes(crc);
    Buffer.BlockCopy(crc_array, 0, packet3_ac, 24, 2);

    // MD5 stuff
    MD5 md5Hash = MD5.Create();
    byte[] hash = md5Hash.ComputeHash(FWarray);
    Buffer.BlockCopy(hash, 0, packet4_ac, 12, hash.Length);
    crc = CalcCRC(packet4_ac, packet4_ac.Length - 2);
    crc_array = BitConverter.GetBytes(crc);
    Buffer.BlockCopy(crc_array, 0, packet4_ac, 28, 2);

    toolStripStatusLabel1.Text = "Uploading Firmware. Please wait...";
    if (fireworks == 1) MakeFtpDir();

    using (Session session = new Session())
    {
        // Will continuously report progress of transfer
        session.FileTransferProgress += SessionFileTransferProgress;
        // Connect
        session.Open(sessionOptions);
        session.PutFiles(filename, "/upgrade/dji_system.bin").Check();
        // Give the device a moment if the upload is not visible yet
        if (!session.FileExists("/upgrade/dji_system.bin"))
            System.Threading.Thread.Sleep(5000);
        session.Close();
    }

    serialPort1.Write(packet3_ac, 0, packet3_ac.Length);
    serialPort1.Write(packet4_ac, 0, packet4_ac.Length);
    toolStripStatusLabel1.Text = "Firmware Uploaded";

    if (fireworks == 1)
        MessageBox.Show("Red Herring has been applied!\r\nYou must reboot to apply the root patch");
    else
        MessageBox.Show("Upgrade has begun. \r\nPlease allow up to 15 mins for installation\r\nWait for the beeps and watch the LEDs for status\r\nIt will reboot when complete\r\nYou can open Assistant2 to view current progress");
}
[2017-07-20 23:34:59] martinbogo : rebuilding the toolchain -- glibc is just too frigging big
[2017-07-20 23:35:04] martinbogo : I'm going to try with uClibc
[2017-07-21 07:41:43] jezzab : @kilrah Here...
[2017-07-21 07:42:01] kilrah : yup thanks
[2017-07-21 07:42:30] jezzab : changed a bit since this morning but the basics
[2017-07-21 14:00:31] jayemdee : this is latest pyduml with the newest fireworks.tar while we wait for HDnes to merge my pull request <https://github.com/jayemdee/pyduml>
[2017-07-21 14:00:58] jayemdee : curious if it works better on the RC
[2017-07-21 14:01:25] jayemdee : could have been either the ftp passive mode being wrong or the cpu hog in the older fireworks.tar
[2017-07-21 14:08:05] hostile : Nice work on submitting a PR @jayemdee <https://github.com/hdnes/pyduml/pull/11>
[2017-07-21 14:08:28] hostile : it is always nice to see people push fixes instead of just barking complaints. =]
[2017-07-21 14:45:54] jayemdee : hehe guilty! :smile:
[2017-07-21 15:50:54] jayemdee : Could someone get me lsusb vendor:device id's for RC and GOGGLES with lsusb please :slightly_smiling_face:
[2017-07-21 15:57:59] jayemdee : working on this:
[root@godfather pyduml] :disappointed: # python test.py
The device you selected is not plugged in.
[root@godfather pyduml] :disappointed: # python test.py /dev/ttyACM0
[root@godfather pyduml] :slightly_smiling_face: #
[2017-07-21 15:58:20] jayemdee : automatically find and select the right device on mac, win, and linux
[2017-07-21 15:59:00] the_lord : vid:pid are same for all DJI products
[2017-07-21 15:59:08] jayemdee : oh really ?
[2017-07-21 15:59:16] jayemdee : easy as fuck then :slightly_smiling_face: thanks ! :slightly_smiling_face:
[2017-07-21 16:04:22] jayemdee : anyone on a mac and win pc can test if my code is portable ?
[2017-07-21 16:04:28] jayemdee : its tiny
[2017-07-21 16:04:45] jayemdee : you need python and pyserial and a dji device plugged in
[2017-07-21 16:09:02] jayemdee : import sys
from serial.tools import list_ports

def find_port():
    # 2ca3:001f is the USB vendor:product id shared by DJI devices
    try:
        dji_dev = list(list_ports.grep("2ca3:001f"))[0][0]
        return dji_dev
    except:
        sys.exit("Error: No DJI device found plugged to your system.")

if __name__ == '__main__':
    print(find_port())
[2017-07-21 16:09:56] jayemdee : can anyone try ?
[2017-07-21 16:20:09] the_lord : actually the correct com port is com 3 not 4
[2017-07-21 16:20:21] jayemdee : do you have 2 devices connected ?
[2017-07-21 16:20:51] jayemdee : by any chance ?
[2017-07-21 16:21:04] the_lord : no i don't know why when ever i connect any DJI device it shows 2 com ports one is accessible and one is not
[2017-07-21 16:21:25] jayemdee : hmm strange
[2017-07-21 16:21:29] jayemdee : win 10 ?
[2017-07-21 16:21:33] the_lord : yes win 10
[2017-07-21 16:21:43] the_lord : after dinner i'll test on Mac
[2017-07-21 16:21:47] jayemdee : ok thanks :slightly_smiling_face:
[2017-07-21 16:25:04] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/blob/master/RedHerring.rb#L80>
[2017-07-21 16:25:13] hostile : see this line @jayemdee
[2017-07-21 16:25:26] hostile : vs.
[2017-07-21 16:25:27] hostile : <https://github.com/MAVProxyUser/P0VsRedHerring/blob/master/RedHerring.rb#L106>
[2017-07-21 16:29:50] jayemdee : shame... works a charm on linux
[2017-07-21 16:31:01] jayemdee : and shortly after unplugging
[2017-07-21 16:31:51] jayemdee : i wonder if its normal that you have two identical com ports under windows or if its a relic of all your l33t hacking
[2017-07-21 16:32:01] hostile : dmesg
[2017-07-21 16:32:03] jayemdee : tried deleting one of them and replugging ?
[2017-07-21 16:32:09] hostile : and snag most recent ACM entry?
[2017-07-21 16:32:22] jayemdee : no dmesg under windows
[2017-07-21 16:32:35] jayemdee : im trying to make portable code that works over all 3 OS's
[2017-07-21 16:32:51] jayemdee : using the pyserial list_ports.grep method
[2017-07-21 16:33:04] jayemdee : it works fine for linux
[2017-07-21 16:33:20] jayemdee : but returns the wrong com port for the_lord since he has two of the same devices for some reason
[2017-07-21 16:33:33] jayemdee : but not sure if thats normal or some border scenario
[2017-07-21 16:33:39] jayemdee : :stuck_out_tongue:
[2017-07-21 16:33:57] jayemdee : you got a drone there with you @hostile ?
[2017-07-21 16:34:24] hostile : yeah I have several, but I am neck deep in CHerry picking firmware testing
[2017-07-21 16:34:35] jayemdee : ahh ok :slightly_smiling_face: wont distract you then :slightly_smiling_face:
[2017-07-21 16:39:14] the_lord : i'm sure its problem in my machine coz even coptersafe software fails to communicate with my dji if i didn't delete the extra com port
[2017-07-21 16:39:36] hostile : and my program too
[2017-07-21 16:39:38] hostile : remember =]
[2017-07-21 16:40:00] jayemdee : i somehow screwed up all the shit on my win machine as well and cant get any com device at all so i cant test win or mac
[2017-07-21 16:41:02] jayemdee : i guess for now ill build in autodetection as first step with a message how to override and keep the command line port specification built in for cases like yours (and mine) :slightly_smiling_face:
[2017-07-21 16:52:51] hfman : I also have always had two com ports under windows 10
[2017-07-21 16:53:12] jayemdee : strange
[2017-07-21 16:53:18] hostile : <https://dji-rev.slack.com/archives/C64R5L1HN/p1500655989725915>
[2017-07-21 16:53:44] jayemdee : was that after or before you rooted and enabled adbd ?
[2017-07-21 16:53:59] hostile : this is a different platform... this is connected to via wifi
[2017-07-21 16:54:07] hostile : and hitting the IP directly
[2017-07-21 16:54:18] jayemdee : oh that comment was for @hfman
[2017-07-21 16:55:20] hfman : @jayemdee , it's always been that way.. since day one.
[2017-07-21 16:56:03] hfman : Two different computers, always each showing two com ports. Even in Windows 7 running in a VM.
[2017-07-21 16:56:46] jayemdee : and is it the first or second one which is the right one to hit ?
[2017-07-21 16:56:48] jayemdee : for you ?
[2017-07-21 16:56:57] hfman : Believe it or not, it varies...
[2017-07-21 16:58:08] hfman : Many of my virtual ports do this, on other hardware.
[2017-07-21 16:59:44] jayemdee : well help me test this out :slightly_smiling_face:
[2017-07-21 16:59:45] jayemdee : <https://github.com/jayemdee/pyduml>
[2017-07-21 17:00:08] jayemdee : i went ahead and pushed it since i maintained the ability to specify from command line which port is correct
[2017-07-21 17:02:02] jayemdee : now its time to fire up the grill and make some MEEEEAAAAT! :slightly_smiling_face:
[2017-07-21 17:02:12] jayemdee : my girls are hungry! :slightly_smiling_face:
[2017-07-21 20:41:58] hostile : boom Ruby works @hdnes
[2017-07-21 20:43:37] hostile : <https://github.com/hdnes/pyduml/blob/RubyPort/DUMLHerring.rb>
[2017-07-21 20:48:30] hdnes : Solid bro!
[2017-07-21 20:48:46] hdnes : All the shiny fishes
[2017-07-21 20:48:49] hostile : I'm gonna delete that branch and move it to its own repo
[2017-07-21 20:48:56] hdnes : Sounds good
[2017-07-21 20:55:33] hostile : <https://github.com/MAVProxyUser/DUMLrub/blob/master/DUMLHerring.rb>
[2017-07-21 20:55:33] hostile : new home
[2017-07-21 20:56:58] kilrah : rubaDUML :laughing:
[2017-07-21 20:57:40] hostile : LOL
[2017-07-21 20:57:47] hostile : rubbaDubDUML
[2017-07-21 20:58:11] hostile : damnit... now you gonna make me rename the repo
[2017-07-21 20:58:17] kilrah : ROFL
[2017-07-21 20:58:38] hostile : sh-3.2# git mv DUMLHerring.rb rubbaDubDUML.rb
[2017-07-21 20:59:02] hostile : [master 264f67b] Damnit kilrah!
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename DUMLHerring.rb => rubbaDubDUML.rb (100%)
[2017-07-21 20:59:11] hostile : sh-3.2# git push
Counting objects: 2, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (2/2), 285 bytes | 0 bytes/s, done.
Total 2 (delta 0), reused 0 (delta 0)
To <https://github.com/MAVProxyUser/DUMLrub.git>
   ff4813a..264f67b  master -> master
[2017-07-21 20:59:26] hans112 : Since English is not my native language... Can someone actually pronounce it? :grimacing:
[2017-07-21 20:59:38] hostile : Rub A Dub Dub... like in the bath tub!
[2017-07-21 20:59:55] hostile : <https://en.wikipedia.org/wiki/Rub-a-dub-dub>
[2017-07-21 21:00:28] hans112 : Nice :)
[2017-07-21 21:01:13] hans112 : Hey! rub-a-dub, ho! rub-a-dub, three maids in a tub, And who do you think were there? The butcher, the baker, the candlestick-maker, And all of them gone to the fair.
[2017-07-21 21:02:16] kilrah : hah didn't even know of it
[2017-07-21 21:02:23] kilrah : was thinking more of this
[2017-07-21 21:04:41] hans112 : That I know :sunglasses: but not that it is called Rub-A-Dub
[2017-07-21 21:07:28] kilrah : interestingly it seems hard to find references to it in english <http://www.rhizomedevelopment.com/jamaican-music-in-a-rub-a-dub-style/>
[2017-07-21 21:07:42] kilrah : in french it's a much more common name
[2017-07-22 01:35:09] hotelzululima : hmm I knew about dub in the early ’80s but NOT rub-a-dub!!!
[2017-07-22 01:45:17] hdnes : If this resonates with you then we are friends
[2017-07-22 05:47:13] jayemdee : nice thank you
[2017-07-22 06:31:41] djayeyeballs : anyone decrypt the fc_db.db database?
[2017-07-22 07:45:31] jayemdee : does anyone else have a /data/tombstones directory ?
[2017-07-22 07:45:38] jayemdee : i never noticed that one before
[2017-07-22 07:45:56] kilrah : what devices? seen that around on some at least
[2017-07-22 07:47:09] jayemdee : mavic
[2017-07-22 07:48:41] jayemdee : something strange just happened while testing... grep got called right after i rooted the device by some other system script it seems and restarted my already existing adbd but netcat seems to fail... i think there is something wrong with the newest fireworks.tar
[2017-07-22 07:51:58] jayemdee : if so its just with the line that starts the shell on 1234 with netcat
[2017-07-22 07:52:15] jayemdee : anyway automated linux version is ready :slightly_smiling_face:
[2017-07-22 07:53:25] jayemdee : i expect it should also work fine on mac and windows
[2017-07-22 08:04:24] jayemdee : <https://github.com/jayemdee/pyduml>
[2017-07-22 15:48:57] ed209 : Excuse my ignorance, I've tried search and not turned up any answers in this and other channels: Are there any exploits or similar abilities with the P3?
[2017-07-22 15:52:49] hans112 : I think even better :)
[2017-07-22 15:53:38] hans112 : <https://github.com/mefistotelis/phantom-firmware-tools>
[2017-07-22 16:00:20] ed209 : Shit. 6mo old? I never heard anything about this! Thanks will have a look!
[2017-07-22 21:14:37] martinbogo : Phantom =3= firmware
[2017-07-22 21:14:45] martinbogo : P3 was a lot easier :slightly_smiling_face:
[2017-07-22 21:15:31] hostile : quite a bit of the p3 scene hangs out on the mefistotelis issues <https://github.com/mefistotelis/phantom-firmware-tools/issues>
[2017-07-22 21:25:00] martinbogo : @hostile : I snagged one of those ES120 motion control screwdrivers that @hotelzululima found
[2017-07-22 21:25:37] martinbogo : @hostile : Full cross-compile toolchain complete. Hosts we can support : OSX Sierra, OSX HighSierra, Linux ( most 64 bit ), Windows 10 64 bit
[2017-07-22 21:25:49] martinbogo : @hostile : It's a LOT of data .. how much storage do you get on github?
[2017-07-22 21:26:15] martinbogo : @hostile : I think it's the kind of thing that should be hosted on fileshare / mega / etc
[2017-07-22 21:26:28] martinbogo : Or amazon S3 + CDN, that kind of thing
[2017-07-22 21:27:00] martinbogo : Also, who was it that ( insanely ) wanted midnight commander on the mavic? I got the @#$% thing to compile, it was a lot of work
[2017-07-22 21:27:06] martinbogo : totally insane
[2017-07-22 21:27:20] martinbogo : it's like trying to compile ircd, or a MUD client
[2017-07-22 21:32:57] hostile : academics get unlimited github IIRC, except for LFS
[2017-07-22 21:34:08] hostile : it was @guest right?
[2017-07-22 21:34:46] guest : yes me... MC all the way :slightly_smiling_face:
[2017-07-22 21:51:59] jayemdee : when you guys root the RC does either port work or should the larger USB one be used ?
[2017-07-22 21:52:17] hotelzululima : I used the USB-c one
[2017-07-22 21:52:23] jayemdee : and is there anything interesting happening on there ?
[2017-07-22 21:52:58] hotelzululima : well.. its the inside of your RC :slightly_smiling_face: that should be justification enough
[2017-07-22 21:53:45] jayemdee : haha indeed but im so lazy to find a type A connector
[2017-07-22 21:53:57] jayemdee : but i got type c sitting here so in I go :slightly_smiling_face:
[2017-07-22 21:53:59] jayemdee : lol
[2017-07-22 21:54:00] hotelzululima : micro USB worked just fine
[2017-07-22 21:54:05] jayemdee : great :slightly_smiling_face:
[2017-07-22 21:54:08] jayemdee : diving in
[2017-07-22 21:55:30] hotelzululima : just DO it!!! :slightly_smiling_face:
[2017-07-22 21:56:54] hotelzululima : mavic right??
[2017-07-22 21:58:06] jayemdee : yuh
[2017-07-22 22:05:12] hdnes : do we have dropbear running persistently yet? Any guides?
[2017-07-22 22:07:09] jayemdee : is there a start_dji_system.sh on the RC as well ?
[2017-07-22 22:07:37] jayemdee : grep got dropped in /data/.bin but first reboot had no netcat shell or adb running
[2017-07-22 22:07:45] jayemdee : trying again
[2017-07-22 22:07:56] hdnes : yeah there is
[2017-07-22 22:08:04] hdnes : it was a real bitch to get it persistent
[2017-07-22 22:10:49] jayemdee : yeh its certainly finicky
[2017-07-22 22:12:17] jayemdee : and grep isnt getting removed between reboots on the RC
[2017-07-22 22:12:28] jayemdee : something about the environment is behaving diff from the mavic
[2017-07-22 22:14:05] hdnes : yeah, having the usb plugged in might be keeping the OS running
[2017-07-22 22:14:15] hdnes : that’s the going theory last I read
[2017-07-22 22:14:31] hdnes : so it’s not actually rebooting
[2017-07-22 22:14:52] jayemdee : ahaaa
[2017-07-22 22:14:56] hdnes : But I couldn’t get in through ADB right away, I used telnet to make it persistent
[2017-07-22 22:14:59] jayemdee : that would make send
[2017-07-22 22:15:03] jayemdee : sense
[2017-07-22 22:15:11] jayemdee : let me try that
[2017-07-22 22:15:13] hdnes : maybe… once you figure it out, write the steps down
[2017-07-22 22:15:20] jayemdee : ok will do :slightly_smiling_face:
[2017-07-22 22:15:22] jayemdee : on it
[2017-07-22 22:15:40] hdnes : because what’s in pyDUML now is just my best guess and we don’t really have a second data point
[2017-07-22 22:15:53] jayemdee : well whats in there works
[2017-07-22 22:15:56] jayemdee : everytime for me
[2017-07-22 22:15:58] jayemdee : 4 times now
[2017-07-22 22:16:01] jayemdee : it drops the sauce
[2017-07-22 22:16:11] jayemdee : but i dont see the grep file
[2017-07-22 22:16:14] jayemdee : being hooked
[2017-07-22 22:16:16] jayemdee : at reboot
[2017-07-22 22:16:22] jayemdee : but i havent disconnected cable
[2017-07-22 22:16:33] jayemdee : and i dont see the InYourGrill file getting touched
[2017-07-22 22:16:37] jayemdee : and grep isnt getting removed
[2017-07-22 22:16:49] jayemdee : all these things point to the device not actually having restarted yet
[2017-07-22 22:16:52] jayemdee : would make sense
[2017-07-22 22:16:55] jayemdee : gonna test :slightly_smiling_face:
[2017-07-22 22:17:23] jayemdee : maybe this device when you power off goes into low power mode or something and isn't actually powering down
[2017-07-22 22:17:52] hostile : @hdnes see notes from the pull request. <https://github.com/MAVProxyUser/dji_system.bin/pull/5>
[2017-07-22 22:18:07] hdnes : yeah was reading now actually, thanks
[2017-07-22 22:25:54] jayemdee : kilrah good info but im curious as to why
[2017-07-22 22:26:07] jayemdee : it means that the way the device inits is different to the mavic
[2017-07-22 22:26:21] jayemdee : and i want to know what that difference is
[2017-07-22 22:26:40] jayemdee : after many reboots the grep file is still there although if hooked from startup script it should have deleted itself
[2017-07-22 22:26:46] jayemdee : so thats odd
[2017-07-22 22:26:48] jayemdee : to me
[2017-07-22 22:26:59] jayemdee : does anyone have a startup script for the RC ?
[2017-07-22 22:27:02] jayemdee : i can look at ?
[2017-07-22 22:35:34] kilrah : (last line added for adb)
[2017-07-22 22:35:47] jayemdee : thank you! :slightly_smiling_face:
[2017-07-22 22:36:27] kilrah : (fw .900)
[2017-07-22 22:37:59] hdnes : @jayemdee , new merge isn’t connecting to my RC
[2017-07-22 22:38:27] jayemdee : win ?
[2017-07-22 22:38:41] jayemdee : which error you getting ?
[2017-07-22 22:39:08] hdnes : Error: No DJI device found plugged to your system. Please re-plug / reboot device and try again.
[2017-07-22 22:39:19] hdnes : Actually it’s not connecting to anything: OSX
[2017-07-22 22:39:26] jayemdee : you can still use old style tty as first argument maybe its autosensing the wrong comport?
[2017-07-22 22:39:46] jayemdee : you see it there with lsusb ?
[2017-07-22 22:39:52] jayemdee : or the osx equivalent ?
[2017-07-22 22:44:07] jayemdee : @hdnes can you run this code and tell me what it says on your machine ?
[2017-07-22 22:44:11] jayemdee : import sys
from serial.tools import list_ports

def find_port():
    # 2ca3:001f is the USB vendor:product id shared by DJI devices
    try:
        dji_dev = list(list_ports.grep("2ca3:001f"))[0][0]
        return dji_dev
    except:
        sys.exit("Error: No DJI device found plugged to your system.")

if __name__ == '__main__':
    print(find_port())
[2017-07-22 22:44:41] jayemdee : if it gives same error
[2017-07-22 22:45:34] hdnes : same error
[2017-07-22 22:48:11] hdnes : works with manual /dev argument
[2017-07-22 22:49:42] jayemdee : yuh i kept old behavior in since i couldnt test on all platforms
[2017-07-22 22:50:18] jayemdee : so at least nothing is broken but some of the new smarter auto detection shit isnt working because i dont have a mac
[2017-07-22 22:50:34] jayemdee : remove the exception
[2017-07-22 22:50:40] jayemdee : and see what error you get
[2017-07-22 22:50:56] jayemdee : from list(list_ports.grep("2ca3:001f"))[0][0]
[2017-07-22 22:51:12] jayemdee : the exception handler is masking the real error here i think
[2017-07-22 22:51:18] jayemdee : can you try that for me ?
[2017-07-22 22:52:45] hdnes : Traceback (most recent call last):
  File "pyduml.py", line 257, in <module>
    main()
  File "pyduml.py", line 24, in main
    configure_usbserial()
  File "pyduml.py", line 93, in configure_usbserial
    comport = find_port()
  File "pyduml.py", line 70, in find_port
    dji_dev = list(list_ports.grep("2ca3:001f"))[0][0]
IndexError: list index out of range
[2017-07-22 22:55:22] jayemdee : ahh yes i know what this is
[2017-07-22 22:55:47] jayemdee : i think you might be using the wrong pyserial or it needs upgraded
[2017-07-22 22:55:54] jayemdee : which version of python ?
[2017-07-22 22:57:03] jayemdee : @hdnes can you try pip install --upgrade pyserial
[2017-07-22 22:57:59] jayemdee : you dont have more than one DJI device plugged in ?
[2017-07-22 22:58:01] hdnes : Solved
[2017-07-22 22:58:08] jayemdee : what was it ?
[2017-07-22 22:58:12] hdnes : pip install --upgrade pyserial
[2017-07-22 22:58:16] jayemdee : nice :slightly_smiling_face:
[2017-07-22 22:58:33] hdnes : yeah, thanks for the help
[2017-07-22 22:59:31] jayemdee : older versions _I THINK_ had platform specific shit for the list_ports() method so calls to it would fail if you didnt do something like:
[2017-07-22 22:59:36] jayemdee : from serial.tools import list_ports_darwin
[2017-07-22 22:59:40] jayemdee : from serial.tools import list_posix
[2017-07-22 22:59:44] jayemdee : from serial.tools import list_windows
[2017-07-22 22:59:47] jayemdee : something like that
[2017-07-22 22:59:58] jayemdee : i think newest version got rid of this shit
[2017-07-22 23:00:51] jayemdee : i built a bunch of hand holding in the newest PR you merged
[2017-07-22 23:01:08] jayemdee : pretty hard to do anything wrong now :slightly_smiling_face:
[2017-07-22 23:01:43] jayemdee : oh i meant to ask you !
[2017-07-22 23:02:06] jayemdee : when you plug device to OSX, does RNDIS auto configure an interface and IP address for you ?
[2017-07-22 23:02:10] jayemdee : or you have to do that by hand ?
[2017-07-22 23:02:15] jayemdee : for ftp access
[2017-07-22 23:03:34] hdnes : I think it’s automatic
[2017-07-22 23:04:06] jayemdee : linux isnt thats what utils.py was for
[2017-07-22 23:04:26] jayemdee : to set an ip addy and bring up usb0 interface with an ip address so it can ftp
[2017-07-22 23:04:55] jayemdee : ok nice so dont need to do anything for win or mac then
[2017-07-22 23:06:11] jayemdee : ill update README with deps needed and the pyserial upgrade information
[2017-07-22 23:13:09] hdnes : cool
[2017-07-22 23:17:18] jayemdee : its just pyserial right ?
[2017-07-22 23:17:24] jayemdee : we dont have any other deps ?
[2017-07-22 23:17:29] jayemdee : got rid of pyusb
[2017-07-22 23:17:42] jayemdee : the rest is standard python shit right ?
[2017-07-22 23:17:55] jayemdee : oh no pathlib and ftplib ?
[2017-07-22 23:18:21] hdnes : yeah seems right
[2017-07-22 23:19:09] jayemdee : ftplib is native i think
[2017-07-22 23:23:36] jayemdee : <https://github.com/hdnes/pyduml/pull/12>
[2017-07-23 00:21:10] martinbogo : I don't think so
[2017-07-23 00:21:18] hdnes : yeah not clear to me how to even run the patch on the aircraft. It doesn’t have any of the tools required to do so?
[2017-07-23 00:21:23] martinbogo : the patch uses if-conditionals, and simply doesn't run if the conditions are not met. I think it's safe
[2017-07-23 00:21:26] hdnes : patch, patch_file
[2017-07-23 00:21:36] martinbogo : hdnes : It has ALL the tools
[2017-07-23 00:21:41] martinbogo : hdnes : busybox patch
[2017-07-23 00:21:47] hdnes : ahh damn
[2017-07-23 00:21:51] hdnes : right in front of me
[2017-07-23 00:21:56] martinbogo : hdnes : they didn't break out all the symbolic links, but busybox is -really- overbuilt
[2017-07-23 00:22:13] martinbogo : there is also "vi" in there, if you like it
[2017-07-23 00:22:15] martinbogo : busybox vi
[2017-07-23 00:22:37] hdnes : yeah been using that one, that’s why I should have caught this on my own..
[2017-07-23 00:23:34] hdnes : I’m looking through it now that I got the patch running
[2017-07-23 14:58:01] martinbogo : @hostile : I am almost done creating a micro Debian deb install environment
[2017-07-23 14:58:36] martinbogo : Everything is pathed into /data/opt --- e.g. ) /data/opt/sbin /data/opt/bin /data/opt/lib /data/opt/var /data/opt/lib -- /data/opt/tmp is a symlink to /tmp
[2017-07-23 14:58:55] martinbogo : Testing on P4 and Mavic boards
[2017-07-23 14:59:34] martinbogo : My one challenge left is to, somehow, get a global addition to $PATH for all shells spawned. Normally, this is done by adding the environment variables to INIT, but that's not possible at the moment
[2017-07-23 15:07:47] martinbogo : @hostile Hey! I just got a poke from a friend at Linaro -- our poke at Bruce has had some domino effects at DJI
[2017-07-23 15:08:31] martinbogo : @hostile : DJI got in contact with Rob Landley ( of Android ToyBox fame ) and they had _specific_ inquiries about the BSD vs GPL licensing
[2017-07-23 15:09:11] martinbogo : @hostile : I fully expect that they are going to attempt to rebuild their firmware to use ToyBox instead of busybox .. although I'm not sure ToyBox supports everything they use/need
[2017-07-23 15:09:46] martinbogo : @hostile : Toybox is BSD licensed... specifically created to allow Android installs to get around the GPL issues ... so, something?
[2017-07-23 15:10:57] martinbogo : @hostile : If you look at the check-in log for ToyBox, a lot more LSB functionality was fixed in the last week or so
[2017-07-23 15:11:57] martinbogo : -- note -- tftpd is implemented, ftpd is not
[2017-07-23 15:13:45] martinbogo : root@wm330_dz_vp0001_v5:/ # toybox-armv7l acpi base64 basename blkid blockdev bunzip2 bzcat cal cat catv chattr chgrp chmod chown chroot chrt chvt cksum clear cmp comm count cp cpio cut date df dirname dmesg dos2unix du echo egrep eject env expand factor fallocate false fgrep file find flock free freeramdisk fsfreeze fstype fsync ftpget ftpput grep groups halt head help hexedit hostname hwclock id ifconfig inotifyd insmod install ionice iorenice iotop kill killall killall5 link ln login logname losetup ls lsattr lsmod lspci lsusb makedevs md5sum microcom mix mkdir mkfifo mknod mkpasswd mkswap mktemp modinfo mount mountpoint mv nbd-client nc netcat netstat nice nl nohup nproc od oneit partprobe passwd paste patch pgrep pidof pivot_root pkill pmap poweroff printenv printf ps pwd pwdx readahead readlink realpath reboot renice reset rev rfkill rm rmdir rmmod sed seq setsid sha1sum shred sleep sort split stat strings su swapoff swapon switch_root sync sysctl tac tail taskset tee time timeout top touch true truncate tty tunctl umount uname uniq unix2dos unlink uptime usleep uudecode uuencode vconfig vmstat w wc which who whoami xargs xxd yes
[2017-07-23 15:26:56] hotelzululima : heh heh.. they cant do ANYTHING about the previous code they released… wonder how much money in the piggy bank :slightly_smiling_face:
[2017-07-23 15:27:09] hotelzululima : Bruce has standing woohoo…!!
[2017-07-23 15:45:15] hostile : @martinbogo abuse that dumb mksh bug that allows for $HOME to =/data and drop a .profile?
[2017-07-23 15:45:58] hostile : Excellent regarding Toybox. Nice to have insight to their lateral movements
[2017-07-23 15:47:01] hostile : Bruce agreed to $0 settlement @hotelzululima ... if they share other GPL bits
[2017-07-23 15:47:49] hostile : Heh @martinbogo if they could leave that tar bug in there that would be great ;)
[2017-07-23 15:48:26] hotelzululima : shit bruce should have held them up for funding the FSF!!
[2017-07-23 15:48:30] martinbogo : tar is not yet implemented in toybox
[2017-07-23 15:48:32] martinbogo : or toolbox
[2017-07-23 15:49:57] martinbogo : This is the pending check-in for tar on ToyBox : <https://github.com/landley/toybox/blob/f86f2f4e9a20d235b24ea86e4dddd0485165306f/toys/pending/tar.c>
[2017-07-23 15:59:57] hdnes : Ha solid find
[2017-07-23 16:32:57] hdnes : @hostile , sent pull request
[2017-07-23 16:56:27] hostile : thx bro I'll scope it in a bit
[2017-07-24 21:48:02] guson : so downgrading the mavic fw to .700, can i upload settings to it that will persist? meaning the settings you can do in the dji assistant dev menu. or are they lost and reverted to default if I reboot the mavic/change battery? cannot find this info anywhere. I use iOS with FCC mod (in EU), and want some other features such as faster GPS mode, landing <10% battery tweak etc. what will I benefit from more if I use the modified android DJI GO app vs iOS DJI GO? or can all be done with .700 and settings uploaded with assistant to mavic?
[2017-07-24 21:51:44] kilrah : They persist and always have.
[2017-07-24 21:52:20] guson : so most except NFZ removal I can get on .900 as well? (meaning no need to downgrade fw).
[2017-07-24 21:54:18] kilrah : nfz and atti don’t work on 800 and 900, rest is fine.
[2017-07-24 21:56:02] guson : great. thanks.
[2017-07-24 22:00:42] martinbogo : Would someone be so kind as to help @tyras? He has questions about removing NFZ on P4
[2017-07-24 22:00:51] tyras : @tyras has joined the channel
[2017-07-24 22:20:07] hostile : we need some context on what ya know and what ya don’t…
[2017-07-24 22:20:18] hostile : what have you tried @tyras , what has failed?
[2017-07-24 22:20:22] hostile : where are you stuck ?
[2017-07-24 22:20:38] hostile : oh and what aircraft!?
[2017-07-24 22:39:06] martinbogo : @hostile : He wants to do it on a P4
[2017-07-24 22:41:06] hostile : what firmware? where are you stuck? is the public shared info not working?
[2017-07-24 22:50:19] tyras : Hello
[2017-07-24 22:50:25] tyras : I have p4
[2017-07-24 22:50:29] tyras : I checked all versions
[2017-07-24 22:50:52] tyras : I cant seem to find nfz configs in parameters tab
[2017-07-24 22:51:06] tyras : I want to remove it on my aircraft
[2017-07-24 22:51:08] tyras : I have ios
[2017-07-24 22:58:57] hostile : which params are you checking and which versions?
[2017-07-24 22:59:39] hostile : @coldflake NLD app work for you?
[2017-07-25 03:44:14] hdnes : no joy rooting P4P? Anyone had any luck with the P4P?
[2017-07-25 03:47:36] hostile : what is **current** firmware version
[2017-07-25 03:50:55] hdnes : 1.02.0304
[2017-07-25 03:54:38] martinbogo : hdnes : I have thoroughly rooted my P4, but have not tried the P4P yet
[2017-07-25 03:54:53] martinbogo : hdnes : Oh! @tyras' P4P
[2017-07-25 03:56:12] hostile : @hdnes and what is **latest** available to download?
[2017-07-25 03:56:38] hdnes : 1.04.0602
[2017-07-25 03:57:49] hostile : could be part of it I suppose?
[2017-07-25 03:57:58] hostile : don't have one.. very few here do
[2017-07-25 04:02:37] hdnes : Strange, now it just worked…..
[2017-07-25 04:02:47] hdnes : no clue…
[2017-07-25 04:03:44] hdnes : hmm, interesting. It’s kinda acting like my Mavic RC did
[2017-07-25 04:03:56] hostile : Bogo had issues with that
[2017-07-25 04:04:14] hdnes : it’s showing the adb device now, but not connecting…. no telnet
[2017-07-25 04:04:20] hdnes : well stalling on telnet
[2017-07-25 04:04:50] hostile : rm grep
[2017-07-25 04:04:54] hostile : and adb shell
[2017-07-25 04:04:57] hostile : rm grep via ftp
[2017-07-25 04:05:45] hdnes : boom
[2017-07-25 04:05:49] hdnes : thanks bro
[2017-07-25 04:05:53] hdnes : what’s going on there
[2017-07-25 04:13:41] the_lord : i rooted several P4P with no issues and could disable the NFZ too
[2017-07-25 04:26:40] martinbogo : if adbd dies -- you can restart it ( which brings it back ) resend the DUML exploit, or just use another path
[2017-07-25 04:26:46] martinbogo : I installed dropbear and called it a day
[2017-07-25 04:27:00] martinbogo : but you can also get netcat in and telnet, etc.
[2017-07-25 04:27:14] hdnes : yeah, about to dropbear it
[2017-07-25 04:27:24] martinbogo : hdnes -- two things
[2017-07-25 04:27:37] martinbogo : put your dropbear line(s) HIGH up in start_dji_system.sh .. not at the end
[2017-07-25 04:27:56] martinbogo : I read through the script, and there are some conditions earlier on that cause it to exit at start before it reaches the end
[2017-07-25 04:28:10] martinbogo : I suggest putting the start of dropbear after adbd is started
[2017-07-25 04:28:13] martinbogo : right after
[2017-07-25 04:28:25] martinbogo : and if you have already set up dropbear ( key files, etc )
[2017-07-25 04:28:40] martinbogo : then I suggest you use the one-liner rather than the if statements I did ( they are very .. um .. conservative )
[2017-07-25 04:28:56] martinbogo : going to sleep all.
[2017-07-25 04:29:03] martinbogo : goodnight :slightly_smiling_face: ( it's 23:11 here )
[2017-07-25 04:29:08] martinbogo : 23:29 rather
[2017-07-25 04:29:15] martinbogo : See you all later
[2017-07-25 04:30:37] the_lord : most important thing in P4 DON'T FORGET TO chmod 755 :joy:
[2017-07-25 04:32:26] martinbogo : oh god! Yeah .. don't forget to make sure your start_dji_system.sh is executable!
[2017-07-25 04:32:49] martinbogo : @the_lord : We need to make a list of "must be executable" scripts and make sure we sanity check them at startup
[2017-07-25 04:32:50] hdnes : why would it not be if you just vi it
[2017-07-25 04:32:51] martinbogo : and shutdown
[2017-07-25 04:33:02] martinbogo : @hdnes : Some people do backup copies .. you know :slightly_smiling_face:
[2017-07-25 04:33:18] hdnes : I checked mine after manual persistent edit and it’s fine
[2017-07-25 04:33:24] martinbogo : or do mv thing.sh thing.bak and then cp thing.bak thing or similar
[2017-07-25 04:33:30] martinbogo : it's important to pay attention to details :slightly_smiling_face:
[2017-07-25 04:34:36] hdnes : as always, get you everytime
[2017-07-25 04:35:09] the_lord : i was in a hurry and forgot it
[2017-07-25 04:35:28] the_lord : vi never worked correctly with me on DJI drones
[2017-07-25 04:46:06] hostile : probably your terminal
[2017-07-25 04:51:53] martinbogo : One of the reasons I install 'nano'
[2017-07-25 04:52:05] martinbogo : busybox 'vi' is .. very .. very .. very simple and untested compared to 'vi' or 'vim'
[2017-07-25 04:52:46] the_lord : my terminal was adb shell
[2017-07-25 04:56:54] hdnes : tricky part with dropbear on multiple aircraft now… had to copy keys over because the ip is the same
[2017-07-25 04:57:11] hdnes : multiple ways to do it I guess… but this simplifies things
[2017-07-25 17:06:00] martinbogo : @hotelzululima : Yep.. very useable. It just does "funny things" sometimes when you don't expect it to.
[2017-07-25 17:06:13] martinbogo : @hotelzululima : For example -- when it hits a file with unicode, it can really break
[2017-07-25 17:39:58] hdnes : @martinbogo , you get what I’m putting down?
[2017-07-25 17:58:46] martinbogo : @hdnes : That's why I went with the "least secure" option to start with ( just setting password "RedHerringDerp"
[2017-07-25 17:58:47] martinbogo : )
[2017-07-25 17:59:45] hdnes : I’m referring to the DUML solution you were looking for to mount the sd
[2017-07-25 18:00:07] hdnes : when you get the sd mounted, it’s Read Only, so you couldn’t drop anything on it anyway
[2017-07-25 18:04:02] martinbogo : hdnes : ahh .. no, you misunderstood
[2017-07-25 18:04:18] martinbogo : hdnes : The fact that it _showed up_ means dji_sys is still running
[2017-07-25 18:04:26] martinbogo : This is a Good Thing
[2017-07-26 12:55:24] jan2642 : Nothing in the release notes about fixing root holes... Who dares to try it ? (I have no spark)
[2017-07-26 13:02:09] djayeyeballs : removed config values to bypass height and nfz
[2017-07-26 13:03:25] sincoder : in 400 , it is already removed
[2017-07-26 13:03:35] sincoder : Only 300 have
[2017-07-26 13:06:29] djayeyeballs : nfz is removed in .400?
[2017-07-26 13:06:50] djayeyeballs : I was only on .400 briefly and then went back to .300
[2017-07-26 13:10:24] hostile : @jan2642 I'll try it in a few hours.
[2017-07-26 13:12:21] hans112 : Living on the edge @hostile :sunglasses:
[2017-07-26 13:17:53] kilrah : thought nfz setting was in 400 (it precisely surprised several)
[2017-07-26 13:33:15] djayeyeballs : @hostile
[2017-07-26 13:45:54] hostile : thx brother
[2017-07-26 13:59:58] kilrah : cool
[2017-07-26 14:00:04] kilrah : no downgrade lock?
[2017-07-26 14:01:19] djayeyeballs : haven't tried to upgrade / downgrade, just used assistant to upgrade and then backed up the firmware using DUMLdore
[2017-07-26 14:05:17] kilrah : we need to know if it's still possible to downgrade before saying it's ok to try it
[2017-07-26 14:06:28] kilrah : every new firmware now carries a risk of being a one-way trip
[2017-07-26 14:11:53] djayeyeballs : for sure
[2017-07-26 14:16:37] djayeyeballs : currently downgrading back to 300 via DUMLdore... so far so good
[2017-07-26 14:23:17] djayeyeballs : SUCCESS
[2017-07-26 14:23:38] djayeyeballs : going to try upgrade back to 500 via DUMLdore
[2017-07-26 14:24:18] kilrah : :heart:
[2017-07-26 14:35:05] djayeyeballs : SUCCESS upgraded and downgraded to .500 firmware with DUMLdore
[2017-07-26 14:37:39] solution : Great! Is it also possible with Spark-RC?
[2017-07-26 14:37:52] djayeyeballs : I don't have spark-RC sorry
[2017-07-26 14:50:31] hostile : @jezzab can you make DUMLDore set the uid and gid to 0 in the tar files? You are leaking peoples names... and making md5 tracking of tars difficult
[2017-07-26 14:50:44] hostile : $ tar tvf Spark_V01_00_0500_dji_system.bin
-rw-rw-rw- 0 Steve 0 55072 Jul 26 09:11 wm100_0305_v34.11.00.21_20161010.pro.fw.sig
-rw-rw-rw- 0 Steve 0 1477408 Jul 26 09:11 wm100_0306_v03.02.37.55_20170722.pro.fw.sig
-rw-rw-rw- 0 Steve 0 93952 Jul 26 09:11 wm100_0400_v01.00.01.25_20170706.pro.fw.sig
-rw-rw-rw- 0 Steve 0 65959232 Jul 26 09:11 wm100_0801_v00.00.06.72_20170710.pro.fw.sig
-rw-rw-rw- 0 Steve 0 5751904 Jul 26 09:11 wm100_0802_v00.04.11.47_20170719.pro.fw.sig
-rw-rw-rw- 0 Steve 0 20214240 Jul 26 09:11 wm100_0805_v01.01.01.53_20170721.pro.fw.sig
-rw-rw-rw- 0 Steve 0 2939360 Jul 26 09:11 wm100_0905_v01.00.01.04_20170602.pro.fw.sig
-rw-rw-rw- 0 Steve 0 82848 Jul 26 09:11 wm100_1100_v01.00.00.64_20170718.pro.fw.sig
-rw-rw-rw- 0 Steve 0 20768 Jul 26 09:11 wm100_1200_v01.09.00.00_20170428.pro.fw.sig
-rw-rw-rw- 0 Steve 0 20768 Jul 26 09:11 wm100_1201_v01.09.00.00_20170428.pro.fw.sig
-rw-rw-rw- 0 Steve 0 20768 Jul 26 09:11 wm100_1202_v01.09.00.00_20170428.pro.fw.sig
-rw-rw-rw- 0 Steve 0 20768 Jul 26 09:11 wm100_1203_v01.09.00.00_20170428.pro.fw.sig
[2017-07-26 14:50:44] hostile : example
[2017-07-26 14:50:59] hostile : should be uid 0 instead of Steve's uid
[2017-07-26 15:22:55] jezzab : Will be resolved tomorrow :wink: Unfortunately it will only be good for the ppl that actually go to my github, every man and his dog forum hero has ripped the repo and slapped it on a file sharing site with the fw files and called it their own with 5,000,000 backslaps from other forum members. But I'll do my bit
[2017-07-26 15:24:22] hostile : you should add a flag to check current version vs latest
[2017-07-26 15:24:27] hostile : and inform user new version available
[2017-07-26 15:25:27] jezzab : Its moved that way now........
[2017-07-26 15:26:02] hostile : any chance you can make the traffic view visible on github again
[2017-07-26 15:26:27] hostile : I’ve been trying to see where all the data is proliferating yours is only one not open out of the main toolsets
[2017-07-26 15:26:36] jezzab : ? I havent changed any settings on GH.
[2017-07-26 15:26:47] jezzab : Unless its default to private or something?
[2017-07-26 15:27:41] jezzab : If there is a setting then fire away, ill change it
[2017-07-26 15:27:46] hostile : checking
[2017-07-26 15:28:22] hostile : <https://github.com/jezzab/DUMLdore/graphs/contributors>
[2017-07-26 15:28:33] hostile : do **YOU** have a traffic tab there?
[2017-07-26 15:28:45] jezzab : yup
[2017-07-26 15:29:04] hostile : hrmm I wonder if it is cuz I am not a contributor on your repo
[2017-07-26 15:29:21] hostile : will you add me as a contributor?
[2017-07-26 15:29:32] hostile : Mavproxyuser (I won’t commit anything)
[2017-07-26 15:29:39] jezzab : give it a go
[2017-07-26 15:30:30] hostile : yeah weird. <https://github.com/jezzab/DUMLdore/graphs/traffic> just won’t work for me
[2017-07-26 15:31:14] jezzab : I cant see your /graphs/traffic either
[2017-07-26 15:31:25] jezzab : I assumed it was private
[2017-07-26 15:31:38] hostile : there we go
[2017-07-26 15:31:42] hostile : I had to accept
[2017-07-26 15:31:45] hostile : one sec I’ll add you
[2017-07-26 15:31:49] jezzab : ok
[2017-07-26 15:32:39] jezzab : Ah there ya go
[2017-07-26 15:32:43] jezzab : Shows the traffic
[2017-07-26 15:33:09] jezzab : almost a mirror image of mine lol
[2017-07-26 15:33:26] jezzab : the russians love me more though lol
[2017-07-26 15:33:38] jezzab : I wanna see some more from *.dji.com :stuck_out_tongue:
[2017-07-26 15:34:12] hostile : there added you to all my repos
[2017-07-26 15:34:57] hostile : you know if you click the domain name you can see the individual URL’s right?
[2017-07-26 15:35:09] jezzab : Yup
[2017-07-26 15:35:23] jezzab : Always love the private.php
[2017-07-26 15:35:33] hostile : right!? lol
[2017-07-26 15:35:36] jezzab : Lots of private msgs going on there lol
[2017-07-26 15:36:19] hostile : I’m gonna clean my repos up a bit and then both of us need to follow suit with @bin4ry and link the OG repos in the README
[2017-07-26 15:36:43] jezzab : Can do. Lead the way I'll follow the format
[2017-07-26 15:36:51] jezzab : In the AM
[2017-07-26 15:38:37] jezzab : It is good to link the wiki. Seems to filter out a lot. I haven't done that
[2017-07-26 15:38:48] hostile : <https://github.com/Bin4ry/deejayeye-modder/commit/41f9da273d461ee50754f2600b908dc627b8ca48#diff-1e290ac8433d555bce009b162cb869d0>
[2017-07-26 15:38:49] hostile : <https://github.com/Bin4ry/deejayeye-modder/commit/66da2af12b9b3a987b103be269690a94a56dfa02#diff-1e290ac8433d555bce009b162cb869d0>
[2017-07-26 15:38:56] hostile : yeah the wiki is baller
[2017-07-26 15:39:42] hostile : <https://github.com/Bin4ry/deejayeye-modder/commit/aef3db6eb8c895014e47f9b0837fee34f7f5e0d2#diff-1e290ac8433d555bce009b162cb869d0>
[2017-07-26 15:45:44] jezzab : Ok I'm gonna crash. No doubt wake up and see the Paypal receipt for the mavic too lol. I'll read back in the morning for all this and we can sync it all up with the link/repos
[2017-07-26 15:45:56] hostile : =]
[2017-07-26 15:45:59] hostile : peace man
[2017-07-26 15:49:32] jezzab : PS or just push the README.md u want :)
[2017-07-26 16:00:58] cs2000 : no more storage space in slack lol
[2017-07-26 16:09:09] kilrah : naming convention is different :wink: nvm
[2017-07-26 20:47:16] guson : If I downgrade my Mavic from 900 to 700, can my rc, batteries and dji go 4 (iOS) be on the highest firmwares/versions without any issues or should I also downgrade RC and batteries? I am on a Mac having VM fusion, can I run DUMLdore there or should I do it on a true pc?
[2017-07-26 20:48:46] hans112 : <http://dji.retroroms.info>
[2017-07-26 22:37:30] jezzab : @hostile re: tarring the dji_system.bin, users and MD5s. The users is fine, gotten rid of that but the MD5 is always going to change as it will have different date stamps on the files, and the order of the files may change
[2017-07-26 23:39:18] hostile : we don't really need to go that anal... but at the very least would be nice to stop leaking peoples usernames
[2017-07-26 23:39:33] jezzab : yeah thats easy and done
[2017-07-26 23:40:00] hostile : but yeah perhaps we can maintain date stamp as well.
[2017-07-26 23:40:13] hostile : will need to dig further
[2017-07-26 23:41:05] jezzab : how far does the rabbit hole go.... people are backing up their own firmware. There are copies of nearly all the firmware. It's not truly "The Ultimate Firmware Backup Utility" lol
[2017-07-26 23:41:44] jezzab : TUFBU
[2017-07-26 23:44:00] hostile : this is why I am working on Cherrypicker...
[2017-07-26 23:44:13] jezzab : Exactly
[2017-07-26 23:44:31] jezzab : Ill push the tar usr/grp stuff now
[2017-07-27 20:27:34] paranoidi : Curious, are you able to flash custom firmwares already or is some signature dickery preventing that? A week of lurking has not yet revealed that :)
[2017-07-27 20:32:24] guson : @digdat0 charles proxy 3.12 that you link to just opens and closes (all in 1 sec) on my mac. can i use the newer v4 instead?. found a guide online that uses v4 instead (for other software, but IOS downgrading) : <https://medium.com/@dixitakansha15/how-to-download-older-version-of-latest-ios-app-from-appstore-91c28d2407d9>
[2017-07-27 21:36:40] guson : charles v4 for mac/win is a paid app for 50usd, but works as a charm. downloading all IOS versions now :slightly_smiling_face:
[2017-07-27 21:48:26] digdat0 : @guson yes you can use charles 4 no problem with that
[2017-07-27 23:49:19] hostile : @paranoidi yes via CherryPicker.rb
[2017-07-27 23:49:38] hostile : <https://github.com/MAVProxyUser/DUMLrub/blob/master/CherryPicker.rb>
[2017-07-28 01:22:14] hdnes : dropbear only working if adb_en.sh is run
[2017-07-28 01:22:32] hdnes : I pulled adb off and dropbear doesn’t like the password or something
[2017-07-28 01:22:37] hostile : weird
[2017-07-28 01:24:09] hdnes : busybox devmem 0xe10093d0 8 0x40 #enable uart
[2017-07-28 01:24:10] hdnes : ?
[2017-07-28 01:24:35] hostile : needed to enable the hardware uart
[2017-07-28 01:24:41] hdnes : maybe?
[2017-07-28 01:25:34] hdnes : udhcpd need also?
[2017-07-28 01:25:35] hostile : I'm just saying that is what it does
[2017-07-28 01:25:54] hostile : udhcpcd is what gives you the IP address on the RNDIS
[2017-07-28 01:26:04] hdnes : so yes
[2017-07-28 01:46:07] hdnes : thomas.edison UnSecure Privilege deadbeefdeadbeefdeadbeefdeadbeef
[2017-07-28 01:55:03] hdnes : I got it
[2017-07-28 01:55:20] hdnes : I’ll do a pull request later
[2017-07-28 03:09:27] hostile : whoot
[2017-08-02 10:37:09] guson : @digdat0 or who may know the answer: quick questions after following your great downgrade guides from .900 to .700 and from IOS v 4.14 to 4.08, as well as changing all parameters (gps+, sportmode+ NFZ, etc) I have few quick questions: 1. App complains that NFZ database is old. does it mean it wants to update the app from the AC where setting is year 2025 (and mo, day per your guide), or what happens if I say yes in the app?. 2: app nags about 2 batteries not having same firmware (except battery installed at time of downgrade). Something to be concerned about, or can I fix it easily?. 3: App nags me about upgrading to later firmware, can this message be hidden or so (like a param in AC fooling the app etc?).
[2017-08-02 10:44:48] the_lord : 1) upgrading the NFZ db will not affect the NFZ disable 2) you can downgrade the batteries to .700 by confirming the message it shows in assistant/go app 3) as far as i know there is no param to prevent FW version check
[2017-08-02 10:46:50] bin4ry : for 3) use firewall on iOS if you want to stop this, only option apart from using modded android app
[2017-08-02 10:50:01] kilrah : @the_lord are you sure of 2) ? I believe it will instead upgrade both aircraft and battery to 900
[2017-08-02 10:50:12] the_lord : yes sure
[2017-08-02 10:50:16] kilrah : it does the battery only BUT AFAIK that's only if AC is on latest already
[2017-08-02 10:50:59] the_lord : if it gave you firmware mismatch and you confirm it will upgrade/downgrade the mismatched module to the drones current FW
[2017-08-02 10:52:54] mavicbreak : for info there is no firewall possibility on iOS as all applications are sandboxed. You may switch off wifi or not, that's it.
[2017-08-02 10:53:14] kilrah : unless jailbroken
[2017-08-02 10:53:56] mavicbreak : yep
[2017-08-02 10:54:45] bin4ry : ok, i was just technically speaking. going offline while the app is running is no solution imho, it is unsafe if you are unlucky
[2017-08-02 10:55:57] kilrah : why?
[2017-08-02 10:56:20] kilrah : oo, finally got 4.1.4 on android
[2017-08-04 18:53:34] ms30250 : US Army reportedly asks units to stop using DJI drones, citing cybersecurity concerns <https://www.theverge.com/2017/8/4/16095244/us-army-stop-using-dji-drones-cybersecurity> Shared from my Google feed
[2017-08-04 19:04:45] kilrah : posted and discussed long ago in ~general ...
[2017-08-04 19:25:47] hostile : Just a new article
[2017-08-04 19:25:55] hostile : The copycats will be thick
[2017-08-04 19:44:54] hotelzululima : indeed
[2017-08-04 19:45:03] hotelzululima : its multiplying
[2017-08-04 19:49:43] pure3d : the Verge decides to use a different stock image eh
[2017-08-04 19:49:50] pure3d : not the phantom file photo
[2017-08-04 19:53:09] hotelzululima : color of the bikeshed
[2017-08-08 15:14:45] martinbogo : Because we know eHang is JUST as bad
[2017-08-08 15:14:59] martinbogo : I'm still waiting on a GhostDrone 2.0 to arrive in the lab
[2017-08-08 15:31:34] hostile : yeah I took your mavicrooting photo about them denying you the source and told him best to not run his mouth cuz they are next. =]
[2017-08-08 15:31:46] hostile : censored the names more
[2017-08-08 18:43:05] fred756 : Sorry if I have missed something but is there a way to obtain write access to the internal SD card?
[2017-08-08 18:46:19] hostile : use search bar in ~general yesterday...
[2017-08-08 18:50:08] fred756 : Thanks @hostile do I need to be rooted to use that?
[2017-08-08 18:51:50] kilrah : yup
[2017-08-08 18:53:06] fred756 : Thank you, need to do some reading :+1:
[2017-08-08 18:53:52] kilrah : look on the wiki too...
[2017-08-08 19:38:48] jan2642 : <vent> Aargh, I'm so stupid! I can almost read ARM machine code, yet I completely forgot about the LSB being set on function pointers if the target is in thumb mode.. Now those bloody tables I was looking for a while back are there in plain sight. /me smacks himself with a huge herring! </vent> (don't worry if this doesn't make sense, I just had to get some frustration off my chest, I'm all better now)
[2017-08-08 19:45:58] hostile : damn math!
[2017-08-09 13:21:26] freaky123 : Lol @jan2642 which tables?
[2017-08-09 13:24:55] hostile : DUML commands I think
[2017-08-09 13:25:33] jan2642 : The ones in dji_sys mapping the duml cmd’s onto the actual functions.
[2017-08-09 13:55:02] jan2642 : 00 5a could be fun…
[2017-08-09 14:31:44] freaky123 : Aha lol
[2017-08-09 14:32:26] freaky123 : I find it strange that sometimes the commandsets are reused
[2017-08-09 14:49:58] hostile : lazy coders
[2017-08-09 14:50:14] hostile : all the P4 / Mavic / etc still has "P3" references all over the place.
[2017-08-09 14:55:52] jan2642 : I’ve only looked in the dji_sys’es of Mavic & Mavic RC and there’s indeed some strange stuff in there. Strange as in things that are not applicable to Mavic or not applicable to the RC e.g. initialisation functions for completely different platforms. Maybe they’re not allowed to use #ifdef…
[2017-08-09 15:01:25] bin4ry : go4 has still all code from go <4 in it, even if it does not officially support the devices though
[2017-08-09 15:01:29] bin4ry : lazy coders ... yes
[2017-08-09 15:01:30] bin4ry : :smile:
[2017-08-09 15:02:03] bin4ry : they don't care for the devices i think. too much time pressure, too little code review
[2017-08-09 15:10:59] hostile : imagine this month =]
[2017-08-09 15:11:34] djayeyeballs : I am convinced that Go4 should be like 40mb, not the current 100+ what a mess
[2017-08-09 15:11:39] hostile : good news is the app should run better sans Tinker wrapping it!
[2017-08-09 15:11:47] hostile : like this is a **known** performance hit to use Tinker
[2017-08-09 15:12:44] bin4ry : there is so much space for optimization
[2017-08-09 15:13:05] bin4ry : if someone would pay me for it i would create a good dji app
[2017-08-09 15:13:11] bin4ry : :wink:
[2017-08-09 15:13:35] hostile : I wanna see this Derbycon demo of Tencent Tinker being used to inject malicious code! Bogo said it was already given at CANSEC in march.
[2017-08-09 15:13:51] bin4ry : btw. @hostile i think we can steal the spark from midair using a wifi attack
[2017-08-09 15:14:03] bin4ry : i read that
[2017-08-09 15:14:23] bin4ry : if you find some presentation video or text i would love to see what she did there
[2017-08-09 15:14:39] hostile : if the default password is still 12341234 all bets are off
[2017-08-09 15:14:47] bin4ry : nah that's for the remote
[2017-08-09 15:14:55] bin4ry : but thats a threat too, since the remote accepts multiple connections
[2017-08-09 15:15:09] bin4ry : spark itself does only allow 1 connection, and it vanishes once the RC is connected
[2017-08-09 15:15:11] bin4ry : but still
[2017-08-09 15:15:13] bin4ry : ...
[2017-08-09 15:15:14] bin4ry : ....
[2017-08-09 15:15:27] hostile : spark uses wpa_supplicant to talk to the RC via WPA. What other **open** channels does it have?
[2017-08-09 15:15:32] bin4ry : there is a function in dji go, requesting the wifi pwd
[2017-08-09 15:15:37] hostile : I assumed spark shut its own AP off when the RC was added..
[2017-08-09 15:15:38] bin4ry : :wink:
[2017-08-09 15:15:50] hostile : yeah but DJI go has to be connected to the network already...
[2017-08-09 15:15:56] hostile : chicken / egg
[2017-08-09 15:15:59] bin4ry : no
[2017-08-09 15:16:05] bin4ry : you can connect to the RC
[2017-08-09 15:16:11] bin4ry : which is at default pwd
[2017-08-09 15:16:14] bin4ry : 12341234
[2017-08-09 15:16:30] hostile : I never did look if that can be changed I assume it can
[2017-08-09 15:16:43] bin4ry : but who does? just playing the idea here
[2017-08-09 15:16:57] bin4ry : i can most likely overtake the control to the RC
[2017-08-09 15:16:57] hostile : indeed... and again that THAT case all bets are off
[2017-08-09 15:16:57] hostile : =]
[2017-08-09 15:17:10] hostile : I need to get the Aaron Lao work duplicated on a current SDK
[2017-08-09 15:17:21] hostile : make connections to the API ports sans authentication
[2017-08-09 15:17:39] hostile : <https://twitter.com/thedjiproblem/status/878247565111812097>
[2017-08-09 15:17:50] hostile : the SDK functions have changed since his Defcon talk tho
[2017-08-09 15:17:58] hostile : I've been too busy to find the replacements
[2017-08-09 15:17:59] bin4ry : i see, most likely only minor changes
[2017-08-09 15:18:15] hostile : yeah I bet diffing the SDK versions would make it stick out like a sore thumb too
[2017-08-09 15:18:20] bin4ry : yah
[2017-08-09 15:18:33] hostile : did you get that .diff yesterday of 400-401?
[2017-08-09 15:18:35] hostile : when tinker was added
[2017-08-09 15:18:37] bin4ry : yes
[2017-08-09 15:18:39] bin4ry : thanks for that
[2017-08-09 15:18:43] hostile : it is interesting to eyeball
[2017-08-09 15:19:09] hostile : 63134:+import com.tencent.bugly.beta.tinker.TinkerManager;
63714:+ TinkerManager.cleanPatch();
64428:+import com.tencent.bugly.beta.tinker.TinkerManager$TinkerListener;
64429:+import com.tencent.bugly.beta.tinker.TinkerManager;
64430:+import com.tencent.bugly.beta.tinker.TinkerReport$Reporter;
64657:+ if(TinkerManager.isTinkerManagerInstalled()) {
64658:+ v14.J = TinkerManager.getTinkerId();
64659:+ as.a("TINKER_ID:" + v14.J, new Object[0]);
64660:+ v14.K = TinkerManager.getNewTinkerId();
64661:+ as.a("NEW_TINKER_ID:" + v14.K, new Object[0]);
64662:+ TinkerManager.getInstance().setTinkerListenter(new TinkerListener(v14) {
64666:+ as.a("Tinker patch failure, result: " + arg4, new Object[0]);
64675:+ as.a("Tinker patch success, result: " + arg4, new Object[0]);
64733:+ TinkerManager.getInstance().setTinkerReport(new Reporter() {
64735:+ as.e("Tinker report code:" + arg3, new Object[0]);
[2017-08-09 15:19:12] hostile : oh hi there =]
[2017-08-09 15:19:18] bin4ry : @hotelzululima it wraps all around and is designed very strange, i cannot tell you how much it takes up on performance
[2017-08-09 15:19:46] bin4ry : i am worrying more about the security issue itself
[2017-08-09 15:20:02] bin4ry : as the first thing i thought was to fake an update package to implement my own functions
[2017-08-09 15:20:10] bin4ry : and i am most likely not the only one thinking this way :smile:
[2017-08-09 15:20:44] hotelzululima : hot patch frameworks are ALWAYS a security concern.. rarely used for the purposes intended most often hijacked for nefarious purposes…
[2017-08-09 15:21:12] bin4ry : absolutely correct
[2017-08-09 15:22:05] hotelzululima : since 80's folks on my end of things regard hotpatching frameworks one step removed from self modifying code… both bad both evil
[2017-08-09 15:22:47] hotelzululima : and then having the 10cent twitter account get suspended on top??
[2017-08-09 15:22:57] bin4ry : hehe
[2017-08-09 15:23:15] bin4ry : well we have the same mindset here, i am really worried about security
[2017-08-09 15:23:29] bin4ry : think rogue wifi in starbucks and fake update or such
[2017-08-09 15:23:44] bin4ry : not only concerned about dji itself
[2017-08-09 15:24:03] hostile : @bin4ry I agree... we need to figure out if their tinker forces signing... and IF they used the test keys for example cuz that would be an EPIC way to push mods out of our group to the app.
[2017-08-09 15:24:23] hostile : yeah dude the Tencent Twitter suspension is WEEEEEEIRD
[2017-08-09 15:24:41] bin4ry : @hostile we could just create a own patch
[2017-08-09 15:24:46] hotelzululima : heh I am looking at a shiny new hammer called tinker for modifying(infecting) android .APK aftermarket
[2017-08-09 15:24:47] bin4ry : tinker github has the cli tool for that
[2017-08-09 15:24:55] hostile : yeah I would have already.. was having issues with compile and didn't have time to sort out
[2017-08-09 15:25:28] bin4ry : i did not care to test it , only saw it there
[2017-08-09 15:58:08] jan2642 : Regarding that Spark RC: if you flood the Spark with fake deauth packets it won’t be able to associate with RC.
[2017-08-09 16:13:23] freaky123 : As expected
[2017-08-09 16:20:55] hostile : thats not same as taking it over so to speak
[2017-08-09 16:30:55] martinbogo : nope.
[2017-08-09 17:38:36] bin4ry : No need for deauth if RC WiFi PWD is not changed :joy:
[2017-08-09 17:42:30] jan2642 : It's a DoS, preventing the Spark from talking to the Rc.
[2017-08-09 19:09:27] kilrah : randomly got my phone connected to friend’s spark rc wifi while he was flying using otg earlier
[2017-08-09 19:09:35] kilrah : didn’t get access though :stuck_out_tongue:
[2017-08-09 19:32:11] hostile : derp
[2017-08-09 19:32:27] hostile : does that show up to assistant? perhaps the --adb_console options work
[2017-08-09 19:32:34] hostile : or what ever they were
[2017-08-09 19:34:45] hostile : --adb_logcat Start ADB logcat function
[2017-08-09 19:34:46] hostile : try that
[2017-08-09 19:39:18] hostile : interesting
[2017-08-09 19:39:50] hostile : cat /proc/pidoflogcat/cmdline
[2017-08-09 19:41:42] the_lord : logcat
[2017-08-09 19:46:28] hostile : lol seems like a half baked implementation
[2017-08-09 19:46:47] the_lord : i'm logged in as shell not root
[2017-08-09 19:47:07] hostile : can you put a "logcat" file in ~/.bin
[2017-08-09 19:47:12] hostile : heh see if it is dumb enough to execute it?
[2017-08-09 19:47:34] hostile : I bet the same mkshrc bug exists
[2017-08-09 19:47:55] the_lord : let me first figure out how to login as root
[2017-08-09 19:48:05] hostile : "su"
[2017-08-09 19:48:24] the_lord : i tried it its not found
[2017-08-09 20:05:05] the_lord : no busybox here
[2017-08-09 20:17:31] the_lord : i found screen recorder application shell@gl300e:/system/bin $ screenrecord --help Usage: screenrecord [options] <filename> Android screenrecord v1.2. Records the device's display to a .mp4 file. Options: --size WIDTHxHEIGHT Set the video size, e.g. "1280x720". Default is the device's main display resolution (if supported), 1280x720 if not. For best results, use a size supported by the AVC encoder. --bit-rate RATE Set the video bit rate, in bits per second. Value may be specified as bits or megabits, e.g. '4000000' is equivalent to '4M'. Default 4Mbps. --bugreport Add additional information, such as a timestamp overlay, that is helpful in videos captured to illustrate bugs. --time-limit TIME Set the maximum recording time, in seconds. Default / maximum is 1800. --verbose Display interesting information on stdout. --help Show this message. Recording continues until Ctrl-C is hit or the time limit is reached.
[2017-08-09 20:17:52] hostile : yeah this is a standard android utility
[2017-08-09 20:18:03] hostile : I moved all the bits over to Goggles... and could not get them to work unfortunately
[2017-08-09 20:18:06] hostile : Goggles has it removed
[2017-08-09 20:18:37] the_lord : i'm familiar with android so excuse me :slightly_smiling_face:
[2017-08-09 20:19:27] the_lord : maybe this one will work on goggles or all are the same?
[2017-08-09 20:19:59] hostile : @martinbogo mentioned the issues may be kernel video permissions related on Goggles
[2017-08-09 20:45:03] the_lord : uploading the DJI-P4P.apk now
[2017-08-09 20:48:19] opcode : @the_lord take a look over at ~crystalsky_rooting also, should be nearly the same. :slightly_smiling_face:
[2017-08-09 20:49:12] the_lord : <https://drive.google.com/open?id=0B3wIy_i8O8a2T2hWSU05WE5RM2s>
[2017-08-09 21:22:46] the_lord : thanks @opcode
[2017-08-09 23:58:18] hdnes : Wait… how did you find out that it was enabled out of the box?
[2017-08-09 23:58:28] hdnes : what made you think to try?
[2017-08-10 01:30:34] goof : imagination / fluke
[2017-08-16 23:46:59] carlcox89 : guys, is there any way to modify the files on the internal sd card? I would like to modify the file that resides on the internal sd which stores info regarding parameter changing
[2017-08-16 23:50:59] jezzab : <http://dji.retroroms.info/howto/known-duml-commands>
[2017-08-16 23:51:03] jezzab : should be a good start :wink:
[2017-08-16 23:53:16] carlcox89 : thanks :smile:
[2017-08-17 01:40:38] czokie : @jezzab "Here's one I prepared before" :slightly_smiling_face:
[2017-08-17 07:51:06] kilrah : Note the file seems to be cleared when doing a "factory reset" (good to check anyway after doing it)
[2017-08-17 17:44:24] peppo-online : Hey guys, if my Mavic downgrade from .900 to .700 hangs @ 82% for like 10 minutes...do I have to worry/restart?
[2017-08-17 17:44:47] peppo-online : Via Dumldore
[2017-08-17 19:17:08] pure3d : check the lights on your drone--are the red front lights still flashing slowly? If so, it's still updating--DO NOT power off your drone!
[2017-08-17 19:17:30] pure3d : it'll reboot a few times and do the DJI startup sound
[2017-08-17 19:17:45] pure3d : when you can connect your RC to the drone, then it means the update has finished
[2017-08-17 19:48:36] ender : can REALLY take a while. If it doesn't work the log will help !
[2017-08-17 20:25:57] kilrah : if he's still hung by now no choice but to reboot - actually his battery would already be empty anyway :laughing:
[2017-08-17 20:55:07] ender : right :slightly_smiling_face:
[2017-08-18 20:07:29] mavpac : @peppo-online It can take a while. Only worry/restart if it takes 30mins. And normally it won't brick the mavic unless you tried to flash a phantom firmware :-)
[2017-08-19 14:27:30] pure3d : and definitely don't try flashing P4 fw to a P4P :sweat_smile:
[2022-04-04 15:59:30] sdfsf : Hi, how can I root mavic mini?
[2024-02-20 14:54:45] xpk : Hey, I am looking for good documents regarding the DUML protocol