dji-firmware-tools
Phantom 4 pro
Do you think you can make your firmware tools work with P4P firmware? It would be nice to be able to extract the P4P params. That's the only thing really stopping me from buying one right now lol.
Currently I'm only interested in P3P/P3A.
About P4P (P4, P4P+, Mavic, Inspire 2) you have 2 ways:
1. you can write parameters directly to the external EEPROM on the FC (but you need a password for the EEPROM because it is secured)
2. spoof commands when configuring the drone via Assistant. Yes, it worked, but right now I need more and more tests.
Update: I made a full flash dump from NAND with Android from the P4 (P4 PRO), found some partitions, lots of files - many logs, but can't find the system image.... If anyone needs a link to the full flash from NAND - write me.
Also, if anyone wants to help me with Android on the P4 (P4 PRO) I will be grateful.
you should just put the link on this page
http://dropmefiles.com/ZB5bw
@coptersafe do you mind posting that link again?
This is an image for Android based on a Rockchip proc, and it is for the RC only. All binaries for the P4 are encrypted and signed. So I think reversing is possible, but there is no way to reflash the P4 with a new binary.
@turnersr, no, I don't have this file any more. I found that file not useful for me.. sorry
@vishaldeyiiest the ublox chipset sends signed packets with coordinates inside the drone to the FC.. so there is no way of injecting new coordinates into the traffic
Video is encrypted at an FPGA chip; on older versions DJI used an Altera Cyclone V, on newer versions they use a remarked IC but I can't identify it
Does anyone have a copy of the drone firmware?
You can download them from DJI.
No, it's only the remote control firmware.
I'd like to be able to configure the flight controller on the P4 Pro and the Mavic.
http://pro-dji-service-usa-cdn.aasky.net/paraconfig_file/7b9b2e04-4a8d-4810-bc17-246bee0c3610/wm331_0000_v01.02.0304_20170106.pro.cfg.sig
http://pro-dji-service-usa-cdn.aasky.net/firmware_file/48b8eae7-0acd-49ec-8414-e9c6553a6a85/59cef6691890eb7d19d65052bd55e69a.sig?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIITWQE7WYGWJGNYQ%2F2017030
You just need the right link.
What is wm331? Is the sig file a binary container?
wm331 - P4 Pro; wm331_0000 - it is an XML container file
@vishaldeyiiest I just send the serial number to DJI and, after making payment and getting approval from DJI, DJI makes new firmware for the needed serial number, and when you update the drone you get new specific firmware. So... but we get this option specially for government forces' drones.
@vishaldeyiiest Ambarella makes the video stream to the DaVinci module via HDMI (or USB) and at the same time writes the video stream to microSD (H.264 or H.265), then DaVinci sends the video to the encryption module (Altera) and then the encrypted stream goes to the RF transceiver (AD9364 or similar)..
Of course you can interrupt the video stream, but you need the PIN password for the RF module and the password for decrypting the video.
The best way of hacking it is owning a drone... Of course there are no docs - only some scraps of info.
Documentation - you won't find much beyond what's on the wiki of this project. The wiki explains Phantom 3 HW and SW, but Ph4 is just an evolution of Ph3 Pro hardware. If you want more docs, you have to write them.
Security holes - your best bet would be to check older firmwares, maybe there is a version which has issues. We know the internal communication model to some extent, but I don't think anyone tried to crack Lightbridge.
Since we have the synthesized FPGA image, it would be worth checking if there are any tools for opening such image, and maybe even de-synthesizing it to some extent.
So coptersafe, you figured out how to communicate with the flight controller through a serial connection? How long is this password?
@notsolowki the password is 13 symbols long; what do you mean by "connect to FC"?
I was referring to you saying there are 2 ways to configure the flight controller.
I don't have any modules for Phantom 4 pro. Phantom 4 and Mavic seem to have different firmware distribution system. I never cared to look at it in detail.
For Phantom 3, you can extract the modules (including fpga image) from a full firmware package using the tools developed in this project. The tools also allow you to download all known Dji firmware packages (the tests can do that).
Description of specific modules of the firmware is here: https://github.com/mefistotelis/phantom-firmware-tools/wiki/DJI-Firmwares
Can you give me an idea how I can verify that both frequency bands (2.4 GHz and 5.8 GHz) are encrypted, as claimed by DJI support?
It is possible to confirm that using high-frequency SDR equipment (i.e. a HackRF board, or the much more expensive laboratory equipment available at universities, like Agilent devices), but that requires knowledge of how to figure out the modulation and convert the signal to digital form. Reading the datasheet of the transmitter used should allow you to figure out whether this will be easy or not.
Maybe it would be easier to tap the output of the FPGA before it goes to the transmitter? You should check if there are service pins on the board which could allow you to do that.
Also the RC firmware (aircraft not available), which they claim to be encrypted, I have reverse engineered to some extent.
Yes, the firmware tools allow you to extract the C1 firmware package, and most modules are not encrypted. I think only the DaVinci video decoder firmware module is encrypted.
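A quick way to check the "only one module is encrypted" claim on extracted modules, without loading them into a disassembler, is a per-chunk byte-entropy scan: plain ARM code and tables sit well below 8 bits/byte, while ciphertext (and compressed data) sits right at the ceiling. This is an added example, not code from the thread or from dji-firmware-tools; the two sample "modules" are constructed inline.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_ratio(blob: bytes, chunk: int = 4096, threshold: float = 7.9) -> float:
    """Fraction of chunk-sized windows whose entropy exceeds `threshold`.

    A ratio near 1.0 means the whole module looks like ciphertext or compressed
    data; plaintext firmware usually mixes code, tables and padding and stays
    far below the threshold in most windows.
    """
    chunks = [blob[i:i + chunk] for i in range(0, len(blob), chunk)]
    if not chunks:
        return 0.0
    hot = sum(1 for c in chunks if shannon_entropy(c) > threshold)
    return hot / len(chunks)


def classify(blob: bytes) -> str:
    """Coarse label; 0.9 is a conservative cut-off chosen for this demo."""
    return "likely encrypted/compressed" if high_entropy_ratio(blob) > 0.9 else "likely plaintext"


def _pseudo_random_bytes(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy filler, a constructed stand-in for an encrypted module."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


# Constructed samples: a plaintext-like module made of a repeating Thumb-style
# instruction pattern plus 0xFF padding, and a ciphertext-like module.
PLAINTEXT_MODULE = (b"\x00\xf0\x0c\xf8\x70\x47\x00\xbf" * 1024) + b"\xff" * 8192
ENCRYPTED_MODULE = _pseudo_random_bytes(b"constructed-sample", 64 * 1024)

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT_MODULE), ("encrypted", ENCRYPTED_MODULE)):
        print(f"{name}: ratio={high_entropy_ratio(blob):.2f} -> {classify(blob)}")
```

Run it over each `*_mXXXX.bin` produced by the extraction step and the encrypted module stands out as the one with a ratio near 1.0; a signed-but-plaintext module only shows a high-entropy window at its signature.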
@mefistotelis thanks a lot... I was hoping some kind of radio scanner could do it... otherwise I have to disassemble the drone... the firmware after extracting with binwalk gave me a total of >500 GB. Obviously the whole assembly code base cannot be understood.. I cannot find the bootloader either..
Obviously the whole assembly code base cannot be understood..
If you extract the modules with dji_fwcon.py and properly use arm_bin2elf.py, then you can load the ARM binary modules (i.e. m1400) into IDA Pro.
I cannot find the bootloader either..
Agreed. Most bootloaders are not included in the firmware package.
Then it's probably not in the form of firmware package containing modules. Can't tell much more without having the binary.