o-gs / dji-firmware-tools

Tools for handling firmwares of DJI products, with focus on quadcopters.
GNU General Public License v3.0

Allowed flight in DJI No Fly #13

Open aka1ceman opened 7 years ago

aka1ceman commented 7 years ago

Have you considered the possibility of attempting to remove the DJI GO no fly zone? I have a situation where I have legal permission to fly by the control tower, but DJI GO will not let me unless I upgrade to the newest firmware and then register with them... which I am not trying to do. I stopped upgrading at 1.6.

ferraript commented 7 years ago

I already tried editing DJI GO in this way, but it had no effect (besides the fact that the red circle wasn't displayed on the map), because no-fly zones are stored in the aircraft's firmware too.

aka1ceman commented 7 years ago

On the older FW, I don't get red circles at all. Only a No Fly Zone, and it won't allow the motors to arm. Do you know the location of the file you found? I'm still looking.

notsolowki commented 7 years ago

I wouldn't lose any sleep over it. There are other ways you could approach this problem that don't require hacking.

aka1ceman commented 7 years ago

I have rolled back to 1.3.2 and have a working old Litchi, and it's still not possible to bypass yet. I'm not trying to place aluminum foil over it....lol

mefistotelis commented 7 years ago

In my voyages through firmware, I wasn't able to find a list of NFZ areas. I'm sure the craft stores it somewhere, but it probably isn't a part of the firmware update. I think it is updated separately, when the DJI Go app sends it.

And Dji Go gets it simply via HTTP: https://flysafe-api.dji.com/api/release_limitarea.json/?updated_at=

notsolowki commented 7 years ago

I found one in the base.apk, it's called flyforbid.json. I wonder if disabling airport mode in the flight controller would help.

aka1ceman commented 7 years ago

Could we redirect Go to look elsewhere? Would that help?

mefistotelis commented 7 years ago

It would be interesting to try. The page address can be modified, but I'm pretty sure the app will use previous configuration if the answer it gets from HTTP request is invalid. Meaning, we need to set up a fake server which would answer with modified (or empty) but still valid list.

ferraript commented 7 years ago

yeah, I can see that webpage in DJI GO sources too
for a start, I would just change the latitude and longitude of the nearest zone to something else, and also I'd change the updated_at parameter to a newer date, save this file somewhere on the web and change the address in DJI GO
who wants to try? :)

notsolowki commented 7 years ago

where in the DJI source files does it point to the website?

ferraript commented 7 years ago

> where in the DJI source files does it point to the website?

it depends on the version: for example, in 2.4.3 it's in \dji\pilot\flyforbid\FlyforbidUpdateService.java; in 3.1.1 it's in \dji\pilot\flyforbid\c.java

notsolowki commented 7 years ago

what happens if you edit out the website and change the json file to remove your lat,lng?

notsolowki commented 7 years ago

well, if it can fly without the phone I don't see how the mobile app could handle anything other than waypoints/missions. I think the solution is to further disassemble the firmware.. the NFZ data is probably stored in encrypted format in one of those other modules

notsolowki commented 7 years ago

unless someone that specializes in Java comes out of nowhere and develops an app that can send the new parameters, we are stuck with what we have currently

mefistotelis commented 7 years ago

Mobile programming is one of the easiest.

Anyway, since you discovered how to use "default" settings, you can use them to test new values.

notsolowki commented 7 years ago

I didn't really test it. I changed some pitch parameters (note I set them lower, to like 1 and 2, same for mobile flyc) and when I restored default it set them higher. So I don't know what happened, but I assume it's not going to be that easy. Unless you have confirmed this?

notsolowki commented 7 years ago

It had to be something with the flyc params in the app, because when I installed the non-modified flyc and restored defaults, my controller was back to normal and the gain values were too

ferraript commented 7 years ago

today I tried for myself what I was suggesting:
I downloaded that original release_limitarea.json file, I edited it in a way that I moved all restricted areas somewhere to the ocean, and I set the update time to the actual time
I saved this edited file to my Google Drive and I put a direct link into DJI GO instead of their link
I installed this DJI GO and... a strange thing happened: now it looks like DJI GO is using the old GEO SYSTEM map, because there are two red circles now in my city, the first one around the airport and the second one around the whole city
I was able to start the motors, but DJI GO keeps popping up a message about the restricted area
I'll give it another try...

ferraript commented 7 years ago

I figured out I was an idiot, because I hadn't noticed that in the DJI GO sources a timestamp is appended to that address, and so the entire address to my file was invalid

second try: I changed the address of the json file in a way that it is correct even after appending that timestamp
result: DJI GO downloaded the file, but didn't import anything

then I noticed another thing: country is defined as an integer in DJI GO, but it is a string in the json file
third try: I replaced all countries' strings with numbers in the json file
result: DJI GO downloaded and imported all areas from my json file

so all I need to do now is to check (in the field - somewhere near the airport) if DJI GO really sends all those new nofly parameters to the AC too, but we have bad frosty and windy weather here, so it'll take some time

ferraript commented 7 years ago

hi @TadbirPaydar, thanks; well, until I try it in the field it's too early to say, maybe all of this is useless

I'm using DJI GO 2.4.3 with link to this flyforbid json file

ferraript commented 7 years ago

I don't use newer versions of DJI GO, because they are more complicated and they contain things I don't need / I don't like
I don't use dex2jar + JD-GUI, because they cannot decompile everything and so it is not possible to recompile the code back completely
so at first I decompile the apk using jadx - it decompiles most of the code into java - then I use it to search for the parts I am interested in
secondly, I decompile the apk using APK Studio - it decompiles everything (but into smali code) - here I make my modifications and recompile it back to apk

ferraript commented 7 years ago

yeah, it's complicated like hell :D just another reason for not using firmwares with GEO

ferraript commented 7 years ago

I can assure you that all versions of DJI GO have NFZ; even DJI GO's predecessor, DJI Pilot, has NFZ, so I'm afraid it's the same story with firmwares

ferraript commented 7 years ago

by the way, today I finally took my downgraded P3A outside to test my NFZ hack in DJI GO
result is: it's not working, the AC wasn't able to penetrate the border of the NFZ, and somehow (my tablet wasn't connected to the internet), in DJI GO, there was once again a large light-red circle over my whole city
so there are two possibilities:

  1. DJI GO didn't send my new hacked NFZ coordinates into the AC, but instead, AC sent its firmware-stored coordinates back to DJI GO
  2. I deliberately hadn't touched the file flyforbid.json stored in DJI GO apk (in \res\raw), because I wanted to see on the map then where the border of NFZ exactly is - and who knows, maybe DJI GO uses that file for NFZs setting too

I am preparing a new hacked DJI GO, this time I am replacing that flyforbid.json file too, but I don't know when the good weather is to test it; today there was dense mist with maybe 100 m visibility, they forecast rain for tomorrow

ferraript commented 7 years ago

> In my voyages through firmware, I wasn't able to find a list of NFZ areas

@mefistotelis: I found it!!!
in P3S_FW_V01.07.0060_mi01.bin, at address 0x0A1620, there is 85B0E6022F0F44017908
85B0E602, in little-endian, is 48672901
2F0F4401, in little-endian, is 21237551
7908, in little-endian, is 2169
and (48.672901, 21.237551, 2169) are the coordinates + radius of the airport in my city

mefistotelis commented 7 years ago

Interesting. This is within an array which consists of 2500 entries. Each entry looks like:

00000000 NoFlyArea       struc ; (sizeof=0x22, mappedto_9) ; XREF: .data:no_fly_areas/r
00000000 field_0         DCD ?
00000004 lat             DCD ?                   ; base 10
00000008 lon             DCD ?                   ; base 10
0000000C radius          DCW ?                   ; base 10
0000000E field_E         DCW 9 dup(?)
00000020 field_20        DCW ?
00000022 NoFlyArea       ends

You should now try to figure out what the other information is. It should be possible to make an NFZ editor, similar to the one we have for flyc_param_infos.

ferraript commented 7 years ago

> Each entry looks like

actually, it's written in the bin file too: ----lat------lon-----radi-con-cla-id----sta-----end--
and it fits:
4-byte latitude
4-byte longitude
2-byte radius
2-byte country_code
1-byte class
2-byte area_id
1-byte begin_at
1-byte end_at

mefistotelis commented 7 years ago

That would mean a single entry has 17 bytes; it's very possible - I might have misinterpreted two entries as a single entry. That means the array size is 5000.

Using this info, start of the array is:

.data:080BDF64 array_80B5CAC_length DCD 4183           ; DATA XREF: sub_80945FE+4o
.data:080BDF64                                         ; sub_80945FE+Ar ...
.data:080BDF68 ; struct NoFlyArea no_fly_areas[]
.data:080BDF68 no_fly_areas    NoFlyArea <82517331, -62284533, 921, 0x7C,  0, 0x2372,  0,  0>
.data:080BDF68                 NoFlyArea <78246084, 15465563, 1338, 0x2E8,  0, 0x1004,  0,  0>
.data:080BDF68                 NoFlyArea <76531111, -68699279, 1872, 0x130,  0, 0x1CE7,  0,  0>
.data:080BDF68                 NoFlyArea <74716084, -94955196, 1601, 0x7C,  0, 0x23DF,  0,  0>
.data:080BDF68                 NoFlyArea <72980787, -84614546, 1084, 0x7C,  0, 0x2400,  0,  0>
.data:080BDF68                 NoFlyArea <71927778, 114080000, 1226, 0x283,  0, 0x27AC,  0,  0>
.data:080BDF68                 NoFlyArea <71698071, 128901473, 1666, 0x283,  0, 0xB22,  0,  0>
.data:080BDF68                 NoFlyArea <71285333, -156770125, 1271, 0x348,  0, 0xD89,  0,  0>
.data:080BDF68                 NoFlyArea <70910745, -153239640, 906, 0x348,  0, 0xF45,  0,  0>
.data:080BDF68                 NoFlyArea <70638041, -160002445, 1139, 0x348,  0, 0x3CC,  0,  0>
.data:080BDF68                 NoFlyArea <70625569, 147899927, 1254, 0x283,  0, 0x74B,  0,  0>
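As an added example (not code from this repo or from its dji_flyc_nofly_ed.py), a read-only decoder for the 17-byte record layout worked out in the two comments above: it unpacks records into degrees and metres and gives the little-endian byte pattern a coordinate has in the image. The sample image is constructed; only the 10 bytes quoted from P3S_FW_V01.07.0060_mi01.bin and the first IDA listing entry come from the thread, the rest of the record values are made up.

```python
import struct
from typing import List, NamedTuple

# Record layout as worked out in the thread (17 bytes, little-endian): lat, lon as int32
# degrees * 1e6; radius uint16 metres; country_code uint16; class uint8; area_id uint16;
# begin_at and end_at uint8.
NFZ_FORMAT = "<iiHHBHBB"
NFZ_SIZE = struct.calcsize(NFZ_FORMAT)  # 17

class NoFlyArea(NamedTuple):
    lat: float
    lon: float
    radius_m: int
    country_code: int
    zone_class: int
    area_id: int
    begin_at: int
    end_at: int

def parse_entry(raw: bytes) -> NoFlyArea:
    """Decode one 17-byte record into degrees and metres."""
    if len(raw) != NFZ_SIZE:
        raise ValueError(f"expected {NFZ_SIZE} bytes, got {len(raw)}")
    lat, lon, radius, country, cls, area_id, begin, end = struct.unpack(NFZ_FORMAT, raw)
    return NoFlyArea(lat / 1e6, lon / 1e6, radius, country, cls, area_id, begin, end)

def parse_table(image: bytes, offset: int, count: int) -> List[NoFlyArea]:
    """Read-only export of `count` consecutive records starting at `offset`."""
    end = offset + count * NFZ_SIZE
    if end > len(image):
        raise ValueError("table runs past the end of the image")
    return [parse_entry(image[i:i + NFZ_SIZE]) for i in range(offset, end, NFZ_SIZE)]

def coord_to_le_hex(degrees: float) -> str:
    """Byte pattern a coordinate has in the image: degrees * 1e6 as little-endian int32."""
    return struct.pack("<i", round(degrees * 1e6)).hex().upper()

# Constructed sample image (not a real firmware dump): 16 bytes of padding, then two records.
# Record 1 starts with the 10 bytes quoted in the thread (its last 7 bytes are made up);
# record 2 is packed from the first entry of the IDA listing above.
SAMPLE_OFFSET = 16
SAMPLE_IMAGE = (
    b"\x00" * SAMPLE_OFFSET
    + bytes.fromhex("85B0E6022F0F44017908") + struct.pack("<HBHBB", 0x2BB, 0, 0x1234, 0, 0)
    + struct.pack(NFZ_FORMAT, 82517331, -62284533, 921, 0x7C, 0, 0x2372, 0, 0)
)

if __name__ == "__main__":
    for z in parse_table(SAMPLE_IMAGE, SAMPLE_OFFSET, 2):
        print(f"{z.lat:.6f},{z.lon:.6f} r={z.radius_m} m country={z.country_code} id={z.area_id:#x}")
```

coord_to_le_hex(82.517331) gives "531DEB04", the pattern discussed further down the thread for the first listed entry.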

ferraript commented 7 years ago

that's not clear at the moment

today I was out at our airport to test my latest DJI GO hack; this time I really deleted all real references to the airport's NFZ settings. when I started DJI GO at the place, all was good - no NFZ, but as soon as I started the AC, DJI GO loaded the NFZ info from it and boom, one dark-red circle with 2 km radius and one light-red circle with 4 km radius

the conclusion is, NFZs must be deleted (or preferably coordinates changed) in the AC's firmware first, and then we can determine if something needs to be done with DJI GO too or not

ferraript commented 7 years ago

I took 48.672901, tried to convert it into float, double, signed int (multiplied by 1000000) and I looked for the corresponding HEX value with both possibilities: that it could be written in big-endian or in little-endian

mefistotelis commented 7 years ago

Before that array, there's another one which also stores airport coords. But this second array has 8-byte entries - just coords, no radius or other attributes.

ferraript commented 7 years ago

@TadbirPaydar you are looking into my patched release_limitarea.json file, that's why it doesn't work for you; the original is here

> I did it in IDA and searched for "82517331" and "4EB1D53" which is the latitude for the first coordinate. but no result. Any mistake?

yes, in the bin file it's written in little-endian, so you have to look for 531DEB04

ferraript commented 7 years ago

you have already asked this kind of question and I have already answered it: I have no idea why the AC doesn't update its NFZ list from DJI GO

but it's confirmed now that if there is a specific NFZ stored in the AC and it's not stored in DJI GO, DJI GO loads info about this NFZ from the AC

and I think that it doesn't matter now; we have to hope that @mefistotelis comes with some python script that could extract and update the NFZ list within the bin file, and then we can do whatever we want with DJI GO, if needed

mefistotelis commented 7 years ago

> I downgraded to my Patched version with 2 bytes changed

How did you patch it? Which version did you patch?

> Do you know if the phantom checks its firmware CRC?

Yes we know. Yes it does.

> If so, how can I bypass it, or how do I correct the CRC of my patched firmware version?

This is what the firmware tools are for.

mefistotelis commented 7 years ago

  1. Do not downgrade and modify at the same time.
  2. Use the tools to extract and re-pack firmware.

And if you want to know where CRC is, check it within the python code.

mefistotelis commented 7 years ago

I believe there is a downgrading instruction in #4 . Besides the reasons mentioned in that thread, you are merging two possibly dangerous operations.

Also, you can update one module only to increase safety.

ferraript commented 7 years ago

> Did you test on P3X_FW_V01.10.0090.bin

no, because that FW is encrypted; only 1.7 is not - that's why most of the talk here is about 1.7

> I patched 2 bytes which belong to the radius of my city Airport from "D0 D1" to "01 00" which makes the radius 1 meter

it doesn't work like this. no offence, but you know even less about byte patching than I do, so don't make changes you don't understand at all

and now just let's hope your AC isn't bricked for good

notsolowki commented 7 years ago

No, I think he did it right, besides the checksum of the file not matching. If his "byte-patching" was correct then he did it right. One way to tell would be to load the ELF into IDA and check his changes.

ferraript commented 7 years ago

in DJI GO 3, URL of NFZ list (and some other URLs) are also stored in libSDKRelativeJNI.so (in lib\armeabi-v7a folder of apk file)

ferraript commented 7 years ago

@mefistotelis, great work so far on dji_flyc_nofly_ed.py, exporting works just fine on P3A's bin I think that we, users, will never be able to thank you enough for all your work :+1:

mefistotelis commented 7 years ago

Looking at the exported zones, they're not really bloated much - only in places in really close vicinity to airports, and not more than 500m around stadiums and other gathering places. I expected them to be more restrictive.

ferraript commented 7 years ago

they can't afford to lock everything, who would buy such a product? so they locked just the most important places where there is a big risk that a lot of people could get hurt, like airports...

notsolowki commented 7 years ago

Great work mefistotelis!!

notsolowki commented 7 years ago

I think he wants to know if he can update firmware 1.10 with the 1.7.6 flight controller module

mefistotelis commented 7 years ago

> update firmware 1.10 with the 1.7.6

Whether you "can" - yes, the update mechanism would allow that. But whether it is wise or has benefits - no, firmware is a collection of components which works best when at the same version.

mefistotelis commented 7 years ago

> dji_flyc_nofly_ed.py does not work on P3X_FW_V01.10.0090.bin because of encryption

yes.

mefistotelis commented 7 years ago

I've looked at the Ambarella (camera) firmware, which drives updating from the SD card. Conclusions:

notsolowki commented 7 years ago

Maybe there's a way to dump the FW from the NANDs back to an SD card? Maybe something is decrypted during the flash, I mean that would explain the 24-hour wait during the flash process. But then again the flight controller isn't encrypted and it takes a while. I would really like to see these ESCs decrypted so I can just simply mute the startup tones, I think everyone in my house would thank you at that point lol


notsolowki commented 7 years ago

@tadbirpaydar maybe you have an SPI device and you could probe the motherboard?

notsolowki commented 7 years ago

Is it true that you can request a code to enter in the event that you're in an NFZ with permission to fly? If so, it seems like the cracking could be done to the app