GlovePuppet / Naza-M-Hacking

Hacking the DJI Naza M

DJI Commands #1

Open LeonTheo02 opened 2 years ago

LeonTheo02 commented 2 years ago

Hey!

I am currently reverse engineering the Bluetooth and USB Command Set of the DJI Ronin M Gimbal and noticed that they look a lot like the Naza ones. Could you please contact me via email at leontheo293@gmail.com? I have a problem that I would need your help with.

GlovePuppet commented 2 years ago

Sure, I'll help if I can. What's up?

LeonTheo02 commented 2 years ago

Sure, I'll help if I can. What's up?

It's a bit much to explain, do you have Discord or some easier way to write :)

GlovePuppet commented 2 years ago

no, not really

On Sun, 22 Aug 2021 at 20:40, LeonTheo02 @.***> wrote:

Sure, I'll help if I can. What's up?

Its a bit much to explain, do you have discord or some easier way to write :)


LeonTheo02 commented 2 years ago

Well ok, then I'll just do it here :) I basically found this command list inside the Ronin Assistant App: https://pastebin.com/bv6qT3yy Also inside the App I found this class that is responsible for building the Commands sent to the Ronin: https://pastebin.com/kY9gHSLy

Now I am unsure how to create a script that lets me for example send the recalibration command to it. This should contain all the info I need right?

LeonTheo02 commented 2 years ago

Just managed to pull the firmware off of the Assistant Software and decrypted it using the same key as Naza and all the others. It seems to contain references to an SD card and other features the Ronin Series does not even have... probably it's just built out of "Drone Code" repurposed for the Gimbal...

https://anonfiles.com/N5e73fD8u0/GCUFirmware_dec

LeonTheo02 commented 2 years ago

I tried powering the Ronin directly from its power pins today and it shut off with the message "No Genuine Intellignet Battery", would it somehow also be possible with these files to patch out that check? (I have not much experience with ARM Code)

GlovePuppet commented 2 years ago

Have you tried capturing traffic between the Ronin and the app? If it's like the other DJI stuff then there's a CRC and you'll need to figure out the seed they are using.

Can you repack that firmware file and update with it? If you can change one of the strings and it still boots, that would confirm they're not doing any authentication checks on the FW.
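The seed-recovery step GlovePuppet describes, as an added example that is not part of this thread or the Naza-M-Hacking repository: given a few captured frames whose last byte is a CRC-8, try every init/seed value and keep the ones under which all captures verify. The polynomial, frame layout and captures are constructed assumptions, not DJI's real parameters.

```python
# Added example: recover an unknown CRC-8 seed from captured frames.
# The polynomial, frame layout and captures below are constructed
# assumptions for illustration, not the real Ronin/Naza protocol values.

def crc8(data: bytes, poly: int, seed: int) -> int:
    """Plain (non-reflected, no xorout) CRC-8 over data, starting from seed."""
    crc = seed
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def recover_seed(frames, poly: int):
    """Return every seed in 0..255 under which all frames verify.

    Each frame is assumed to be body bytes followed by one CRC-8 byte.
    Checking several captures together rejects a wrong polynomial guess:
    with the wrong poly no single seed fits them all.
    """
    return [s for s in range(256)
            if all(crc8(f[:-1], poly, s) == f[-1] for f in frames)]

# Constructed captures: assumed layout is start byte 0x55, total length,
# command id, payload, then the CRC-8 byte.
POLY = 0x31        # assumed polynomial (x^8 + x^5 + x^4 + 1)
_TRUE_SEED = 0x5A  # only used here to build the constructed captures

def _frame(cmd: int, payload: bytes) -> bytes:
    body = bytes([0x55, 3 + len(payload), cmd]) + payload
    return body + bytes([crc8(body, POLY, _TRUE_SEED)])

CAPTURES = [
    _frame(0x01, b"\x00"),
    _frame(0x10, b"\x01\x02\x03\x04"),
    _frame(0x20, b"\xff\x7f"),
]

if __name__ == "__main__":
    print([hex(s) for s in recover_seed(CAPTURES, POLY)])  # → ['0x5a']
```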

GlovePuppet commented 2 years ago

I don't see "No Genuine Intellignet Battery" in the FW file - it's probable there's a bootloader and it's doing the check. If you can modify the FW and it still boots then you can use that to dump the bootloader.

Have you got any pics of the main board?

LeonTheo02 commented 2 years ago

I did capture the Bluetooth traffic and it looks like exactly the same stuff that the PC Software uses: https://i.imgur.com/gcRT0IL.png https://i.imgur.com/b65QJql.png

For the CRC, here is the class from the App that handles that: https://pastebin.com/hpGcBBND And here is the class that calls that function and defines the CRC Seed and other static values: https://pastebin.com/5tWv0yZQ

The check must be in firmware as the App is able to request if it's a genuine battery via a command. I honestly doubt that the bootloader will check for changes in firmware as the whole Ronin Code in the App seems to be a cheap copy of the Naza Assistant with parts stripped out but still left in Code... Also I still don't have a PC Tool to send data to the Ronin's USB Port, would your command sender work with modifications?

I do not have any pictures of the mainboard as I still have to get the right screwdriver to take off the front plate; luckily the FCC did that for me :) https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=3WFhoA8iGuZQVouO0bbe7g%3D%3D&fcc_id=SS3-HG8001501