margerine
Episode 2: Revenge of the ¯\_(ツ)_/¯
margerine is a root exploit and adb enabler for the DJI Air Unit (wm150), Caddx Vista (lt150), FPV Goggles V1 (gl150), and FPV Googles V2 (gl170/gp150) from the same people that brought you USB Video Out.
Currently only works reliably on Windows and Mac OS X, Linux has strange issues in the USB stack - YMMW.
tl;dr;
Install nodejs v16 or above and the Javascript dependencies:
npm install
Remove your SD card for the duration of the exploit, power up the device, connect it via USB and run:
node margerine.js unlock
Have fun! consider donating and join us on our Discord.
Troubleshooting
- waving wand, result e0 - make sure you've followed all the instructions below, reboot your Goggles and try again. It should eventually work.
- The device might change it's COM port number on Windows (eg. COM4 -> COM5) in the middle of the exploit and error out. That's a good sign! Look up the new COM port in Device Manager (if auto detect didn't work for you) and re-run the exploit to finish everything up.
- The device being exploited should not be connected to anything else; i.e. Googles to AU or AU to Goggles.
- Make sure there's no SD card in your device.
- V2 Goggles must be flashed from DIY mode to 01.00.0606.
- Checking the menus in DIY mode is insufficient. Make sure Assistant says "Refresh" next to 0606, rather than "Downgrade". If you see "Downgrade", go ahead and downgrade.
- If you've flashed to 01.02.0015 in drone mode the exploit won't work and you can't downgrade at the moment, sorry.
- Despite the bigger version number 01.02.0020 in drone mode, goggles can be downgraded to 0606 in DIY mode.
Other notes
- Requires an internet connection. Challange signing procedure happens on Drone-Hacks server kindly provided by @bin4ry.
- Takes few minutes. Make sure your battery is not too low when powering AU/Vista from a quad.
- You have to run
node margerine.js lock before the Assistant will allow you to flash firmwares again.
- Disables SELinux for you
- On *150 remounts /proc/cmdline so that mp_state=engineering, which enables adb
- With great power comes great responsibility - you CAN bootloop/brick your device if you modify or delete important files. There are currently no low level recovery methods available.
What can I do with this?
- Play Doom
- Customize the UI theme in /system/gui/xml/themes/defult/theme.xml
- Pair an Air Unit (or Vista) to another Air Unit using
/system/bin/modem_info.sh reverse on one of them.
- Talk to connected devices via TCP or UDP. Goggles are 192.168.41.1 and air side is 192.168.41.2.
- Debug USB devices such as input on V2 Goggles (no OTG on V1) by
adb shell-ing into a connected Vista/AU and then using adb connect 192.168.41.1 && adb shell to debug wirelessily.
- Build stuff with the latest Android NDK armv7 architecture, target platform 23.
- A modified Directfb framebuffer library is available for drawing to an ARGB target to be overlaid on top of the video feed.
- Direct access to the framebuffer is not available, except via special undocumented DMI bullsh*t.
- Check out the dfbdoom project.
- Reverse engineer stuff with IDA, Ghidra and/or Frida.
Additional Documentation
Check out our wonderful wiki.
Advanced usage
node margerine --help
margerine <command>
Commands:
margerine unlock [serialport] unlock device and enable adb
margerine lock [serialport] disable adb and relock device
margerine proxy [port] start the built in http -> https proxy
margerine.js shell <command> [port] execute a command on rooted device,
once per reboot
Options:
--help Show help
--version Show version number
To-do
See the wiki.
It's spelled margarine
No, it's not.
Credits
While this is an original exploit by Joonas Trussmann, it would not have been even remotely possible without work by @tmbinc and @bin4ry. Also a shout out to the rest of the OG's for all their work on dji-firmware-tools.
Special thanks go to: @jaanuke, @funnel and @fichek over on our Discord.
Support the effort
If you'd like, you can support the effort on Open Collective, send some ETH to 0xbAB1fec80922328F27De6E2F1CDBC2F322397637 or BTC to 3L7dE5EHtyd2b1tXBwdnWC2MADkV2VTbrq.