o-gs / dji-firmware-tools

Tools for handling firmwares of DJI products, with focus on quadcopters.
GNU General Public License v3.0

Phantom 4 pro #20

Open notsolowki opened 7 years ago

notsolowki commented 7 years ago

Do you think you can make your firmware tools work with p4p firmware. would be nice to be able to extract the p4p params. thats the only thing really stopping me from buying one right now lol.

mefistotelis commented 7 years ago

Currently I'm only interested in P3P/P3A.

coptersafe commented 7 years ago

About P4P (P4, P4P+, Mavic, Inspire 2) you have 2 ways:

1. You can write parameters directly to the external EEPROM on the FC (but you need the password for the EEPROM because it is secured).

2. Spoof the command when configuring the drone via Assistant. Yes, it worked. But for now I need more and more tests.

coptersafe commented 7 years ago

update: I made a full flash from NAND with Android from the P4 (P4 PRO), found some partitions, lots of files - many logs, but can't find the system image.... If anyone needs the link for the full flash from NAND - write me.

Also if anyone wants to help me with Android on the P4 (P4 PRO) I will be grateful

notsolowki commented 7 years ago

you should just put the link on this page

coptersafe commented 7 years ago

http://dropmefiles.com/ZB5bw

turnersr commented 7 years ago

@coptersafe do you mind posting that link again?

coptersafe commented 7 years ago

This is an image for Android based on a Rockchip processor, and it is for the RC only. All binaries for the P4 are encrypted and signed. So I think reversing is possible but there is no way to reflash the P4 with a new binary.

coptersafe commented 7 years ago

@turnersr, no, I don't have this file any more. I found that file not useful for me.. sorry

coptersafe commented 7 years ago

@vishaldeyiiest the ublox chipset sends signed packets with coordinates inside the drone to the FC.. so there is no way of injecting new coordinates into the traffic

coptersafe commented 7 years ago

Video is encrypted at the FPGA chip; on the older version DJI used an Altera Cyclone V, on the new version they use a remarked IV but I can't identify them

notsolowki commented 7 years ago

Does anyone have a copy of the drone firmware

coptersafe commented 7 years ago

You can download them from DJI.

notsolowki commented 7 years ago

No, it is only the remote control firmware

notsolowki commented 7 years ago

I'd like to be able to configure the flight controller on the P4 Pro and the Mavic

coptersafe commented 7 years ago

http://pro-dji-service-usa-cdn.aasky.net/paraconfig_file/7b9b2e04-4a8d-4810-bc17-246bee0c3610/wm331_0000_v01.02.0304_20170106.pro.cfg.sig

http://pro-dji-service-usa-cdn.aasky.net/firmware_file/48b8eae7-0acd-49ec-8414-e9c6553a6a85/59cef6691890eb7d19d65052bd55e69a.sig?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIITWQE7WYGWJGNYQ%2F2017030

you just need the right link

notsolowki commented 7 years ago

What is wm331? Is the sig file a binary container?

coptersafe commented 7 years ago

wm331 - P4 Pro, wm331_0000 - it is an XML container file

coptersafe commented 7 years ago

@vishaldeyiiest I just send the serial number to DJI and after making payment and getting approval from DJI, DJI makes new firmware for the needed serial number, and when you update the drone you get the new specific firmware. so... but we get this option specially for government forces' drones

coptersafe commented 7 years ago

@vishaldeyiiest Ambarella outputs the video stream to the DaVinci module via HDMI (or USB) and at the same time writes the video stream to microSD (H.264 or H.265), then DaVinci sends the video to the encryption module (Altera) and then the encrypted stream goes to the RF transceiver (AD9364 or the same)..

coptersafe commented 7 years ago

of course you can interrupt the video stream but you need the PIN password for the RF module and the password for decrypting the video

coptersafe commented 7 years ago

the best way of hacking it is to own the drone ... of course there are no docs - only some scraps of info

mefistotelis commented 7 years ago

Documentation - you won't find much beyond what's on the wiki of this project. The wiki explains Phantom 3 HW and SW, but Ph4 is just an evolution of Ph3 Pro hardware. If you want more docs, you have to write them.

Security holes - your best bet would be to check older firmwares, maybe there is a version which has issues. We know the internal communication model to some extent, but I don't think anyone tried to crack Lightbridge.

Since we have the synthesized FPGA image, it would be worth checking if there are any tools for opening such image, and maybe even de-synthesizing it to some extent.

notsolowki commented 7 years ago

So coptersafe, you figured out how to communicate with the flight controller through a serial connection? How long is this password?

coptersafe commented 7 years ago

@notsolowki the password is 13 symbols long, what do you mean by connect to the FC?

notsolowki commented 7 years ago

I was referring to you saying there are 2 ways to configure the flight controller.

mefistotelis commented 7 years ago

I don't have any modules for Phantom 4 pro. Phantom 4 and Mavic seem to have different firmware distribution system. I never cared to look at it in detail.

For Phantom 3, you can extract the modules (including fpga image) from a full firmware package using the tools developed in this project. The tools also allow you to download all known Dji firmware packages (the tests can do that).

Description of specific modules of the firmware is here: https://github.com/mefistotelis/phantom-firmware-tools/wiki/DJI-Firmwares

mefistotelis commented 7 years ago

> Can you give me an idea how I can verify that both frequency bands (2.4 GHz and 5.8 GHz) are encrypted as claimed by DJI support?

It is possible to confirm that using high frequency SDR equipment (i.e. a HackRF board, or the a lot more expensive laboratory equipment available at universities, like Agilent devices), but that requires knowledge of how to figure out the modulation and convert the signal to digital form. Reading the datasheet of the transmitter used should allow you to figure out whether this will be easy or not.

Maybe it would be easier to tap the output of the FPGA before it goes to the transmitter? You should check if there are service pins on the board which could allow you to do that.

> Also the RC firmware (aircraft not available) they claim to be encrypted, I have reverse engineered to some extent.

Yes, the firmware tools allow you to extract the C1 firmware package, and most modules are not encrypted. I think only the DaVinci video decoder firmware module is encrypted.

vishaldeyiiest commented 7 years ago

@mefistotelis thanks a lot...I was hoping some kind of radio scanner could do it...otherwise I have to disassemble the drone...the firmware after extracting with binwalk gave me a total of >500 GB. Obviously the whole assembly code base cannot be understood..I cannot find the bootloader also..

mefistotelis commented 7 years ago

> Obviously the whole assembly code base cannot be understood..

If you extract the modules with dji_fwcon.py, and properly use arm_bin2elf.py, then you can load the ARM binary modules (i.e. m1400) into IDA Pro.

> I cannot find the bootloader also..

Agreed. Most bootloaders are not included in the firmware package.

mefistotelis commented 7 years ago

Then it's probably not in the form of firmware package containing modules. Can't tell much more without having the binary.

vishaldeyiiest commented 7 years ago

@mefistotelis I got the firmware from DJI website..if you have time to look into it.. https://drive.google.com/file/d/0B4aR1zUqD_Jmd0ZkUlNHZXlTMGM/view?usp=sharing

mefistotelis commented 7 years ago

Wow, this thing is absurdly large.

Anyway, from the header, it looks like the normal firmware package. Probably some minor change was made to file format.

mefistotelis commented 7 years ago

Added support. Only two modules are inside, but one of them is ARM binary. The second is another package with RKFW magic.

EDIT - RKFW can be extracted: https://forum.xda-developers.com/showthread.php?t=2257331

vishaldeyiiest commented 7 years ago

@mefistotelis thanks for looking into it..yeah got two modules after running dji_fwcon.py. looking into RKFW.

vishaldeyiiest commented 7 years ago

@mefistotelis imgRePacker when executed on the second module cannot unpack, gives wrong file format..etc.. Even if reversing is possible, after some modification, is it possible to reflash with the modified firmware? There is a DJI Assistant...

mefistotelis commented 7 years ago

> Even if reversing is possible, after some modification, is it possible to reflash with the modified firmware?

The dji_fwcon tool can re-pack the firmware after modifications, and it re-computes the checksums so that the firmware is accepted by the standard update process.

> imgRePacker when executed on the second module cannot unpack

There is an open-source extractor, so if it doesn't work you can fix it (there are already a few forks): https://github.com/neo-technologies/rkflashtool/

mefistotelis commented 7 years ago

Yup, the rkflashtool works. I built a windows version using msys2, then:

rkunpack.exe GL300E_RC_v1130_20170307_mi00.bin

rkunpack: info: RKFW signature detected
rkunpack: info: version: 5.0.0
rkunpack: info: date: 2017-03-07 15:46:43
rkunpack: info: family: rk32xx
rkunpack: info: 00000066-0005b1ec BOOT                       (size: 373127)
rkunpack: info: 0005b1ed-405d41f0 embedded-update.img        (size: 1079480324)
unpacked

Doing it again I got more partitions:

rkunpack.exe embedded-update.img

rkunpack: info: RKAF signature detected
rkunpack: info: file size matches (1079480324 bytes)
rkunpack: info: manufacturer: RK3288
rkunpack: info: model: rk3288
rkunpack: info: number of files: 8
rkunpack: info: 00000800-00000800 package-file               (size: 528)
rkunpack: info: 00001000-000010b6 Image-out/loader.bin       (size: 373127)
rkunpack: info: 0005c800-0005c800 parameter                  (size: 1484)
rkunpack: info: 0005d000-0005d017 Image-out/misc.img         (size: 49152)
rkunpack: info: 00069000-00069cf7 Image-out/boot.img         (size: 6799360)
rkunpack: info: 006e5000-006e806f Image-out/recovery.img     (size: 25395200)
rkunpack: info: 01f1d000-01f99cb7 Image-out/system.img       (size: 1046855680)
rkunpack: info: 00000000-ffffffff RESERVED                   (size: 0)
unpacked

Now the partitions are a standard Android - and can be further extracted with tools for mobile phones.

hankknah commented 2 years ago

@mefistotelis I have downloaded the firmware which was shared by @vishaldeyiiest and tried the rkunpack tool, but it said "invalid signature". Can you share with me the rkflashtool you made or the firmware you have unpacked? Thank you.

mefistotelis commented 2 years ago

> Can you share with me the rkflashtool you made or the firmware you have unpacked?

No. Make sure you know what format you have and what you're doing at each step of extraction.

hankknah commented 2 years ago

@mefistotelis Thank you. I have solved it.