o-gs / dji-firmware-tools

Tools for handling firmwares of DJI products, with focus on quadcopters.
GNU General Public License v3.0

Mavic firmware/general #36

Open notsolowki opened 7 years ago

notsolowki commented 7 years ago

How can we modify the parameters on the Mavic drone? It seems like there's a lot of info with missing parts scattered everywhere.

Mavic129 commented 7 years ago

Connect your drone to Assistant, then open "Simple WebSocket Client" in Chrome and connect to ws://localhost:19870/general


or follow MAVProxyUser's way: https://forums.hak5.org/index.php?/topic/41304-mavicpilotscom-alternative-coptersafe-hack-mod-discussion/&do=findComment&comment=293345

fvantienen commented 7 years ago

For newer firmwares this Slack is getting active: https://join.slack.com/dji-rev/shared_invite/MjA0NTE3MzM5NjM0LTE0OTg1OTc5MjUtNzE0NWM3ODI5OQ

notsolowki commented 7 years ago

@mefistotelis @mavic

Mavic Pro firmware containers: https://github.com/droner69/MavicPro?files=1

notsolowki commented 7 years ago

mefistotelis https://github.com/fvantienen/dji_rev/blob/master/tools/image.py

notsolowki commented 7 years ago

@mefistotelis you can update the firmware with Assistant 1.1.2 beta in developer mode, run with --debugger in the shortcut. Then, when in the program, hit Shift+Ctrl+F10 to make an upgrade popup below the connected device name. From there it looks like you can manually flash; also, if you type --help in the shortcut path it tells you more flags, and with newer versions there are more options.

notsolowki commented 7 years ago

https://forums.hak5.org/index.php?/topic/39735-reversing-mavic-pro-firmware/

2008jiayu commented 7 years ago

@notsolowki where to download the DJI Assistant 1.1.2 beta?

notsolowki commented 7 years ago

https://github.com/MAVProxyUser/DJIAssistant2Binaries/blob/master/Win/DJI%20Assistant2%20Beta112.zip

notsolowki commented 7 years ago

@glovepuppet @mefistotelis I wonder if it would be less time consuming to learn the serial data for the Mavic rather than reversing the firmware. Do you think it would be a better approach to address the parameters from the serial connection? I guess maybe someone could attempt to override a max value this way and see what happens?

adamazad commented 7 years ago

A crowdsourcing effort on Facebook made it possible to figure out how to edit parameters for Mavic Pro using DJI Assistant 2. Eventually, they managed to remove the height limit. They also used help from #32. They bundled everything into one text file with full instructions. I attached it here.

Join the group; people are constantly providing more user-friendly tutorials.

fvantienen commented 7 years ago

@mefistotelis do you maybe know a way to talk to the ESCs on the P3, or where that is in the FC firmware? Since on the Mavic (which is similar in communication and stuff) I want to be able to control the motors in order to run custom firmware.

notsolowki commented 7 years ago

If you can do this, set `g_config.flying_limit.limit_height_abs 2500.000000`, then why do @mavproxyuser and all these other people say you can't set them outside their max range?

mefistotelis commented 7 years ago

> do you maybe know a way to talk to the ESC's on the P3 or where that is in the FC firmware?

In P3, the FC talks to the ESC via a serial interface, in the same manner all other components communicate.

To find it in P3 FC firmware, search for ESC related strings, i.e.:

```c
printf_sub_804BE9C("ESC:BUG,esc send a package to esc\r\n");
```

MAVProxyUser commented 7 years ago

@notsolowki I've only seen pictures of certain variables set beyond their implied max range, and seen the params that CopterSafe sends. Of course anything can be Photoshopped.

https://github.com/mefistotelis/phantom-firmware-tools/issues/32#issuecomment-311488395

Personally... I was doing the opposite and limiting my Spark to 20 on max height and 20 on max distance. I've honestly never played with, or tested the limit_height_abs variable.

When I was playing around, I was only messing with fly_limit_height, and I only tried to set it to 500 max; my example (in the header) shows 111, which are of course valid values.

https://github.com/fvantienen/dji_rev/blob/master/tools/websocket_tool.py

Beyond that I've only verified that the airport NFZ settings can be altered by taking props off and starting the motors. I live inside an NFZ (and have to call the tower every time I go out), so this was very easy to test.

I honestly do not know the theory behind exactly what parameters allow the "max" to be abused. I'm sure if CopterSafe wanted to share, he could. But I did want to clear up the record regarding MY suggestions vs. observations, and possible suspicions.

Mavic129 commented 7 years ago

Dear @notsolowki, to unlock all limits in any DJI drone you just need to do the following:

To disable NFZ:

```json
{"SEQ":"yb0au5sq","CMD":"write","INDEX":"g_config_airport_limit_cfg_cfg_disable_airport_fly_limit","VALUE":1}
{"SEQ":"jg4anshw","CMD":"write","INDEX":"g_config_airport_limit_cfg_cfg_limit_data","VALUE":20250910}
```

To disable height limit:

```json
{"SEQ":"acbm54ja","CMD":"write","INDEX":"g_config_flying_limit_limit_height_abs_without_gps","VALUE":2500}
{"SEQ":"vc4km1vi","CMD":"write","INDEX":"g_config_flying_limit_limit_height_abs","VALUE":2500}
{"SEQ":"maza5cgv","CMD":"write","INDEX":"g_config_flying_limit_limit_height_rel","VALUE":2500}
{"SEQ":"bn0kjbwv","CMD":"write","INDEX":"g_config_flying_limit_height_limit_enabled","VALUE":2}
```

To enable sport+:

```json
{"SEQ":"bsixzcic","CMD":"write","INDEX":"g_config_mode_sport_cfg_tilt_atti_range","VALUE":60}
{"SEQ":"04fbplxd","CMD":"write","INDEX":"g_config_mode_sport_cfg_vert_vel_up","VALUE":10}
{"SEQ":"04fbplxd","CMD":"write","INDEX":"g_config_mode_sport_cfg_vert_acc_up","VALUE":10}
{"SEQ":"fviwf4kz","CMD":"write","INDEX":"g_config_mode_sport_cfg_vert_vel_down","VALUE":-10}
{"SEQ":"fviwf4kz","CMD":"write","INDEX":"g_config_mode_sport_cfg_vert_acc_down","VALUE":-10}
{"SEQ":"uoo9h9u0","CMD":"write","INDEX":"g_config_fw_cfg_max_speed","VALUE":20}
```

Enjoy

MrBurnsAT commented 7 years ago

This will only work for P4 and younger DJI drones, right!?

Or on P3 too?

MAVProxyUser commented 7 years ago

@MrBurnsAT I think the best way to phrase it is: it will work on DJI equipment that is based on the A3 architecture. https://www.dji.com/a3

This includes the raw A3 itself, Spark, Mavic, Inspire2, and Phantom4.

I believe the P3 series is based on a slimmed-down A2 architecture. https://www.dji.com/a2

notsolowki commented 7 years ago

Wow thanks everyone!!

MrBurnsAT commented 7 years ago

For sure, the P3 is built up on A2!

notsolowki commented 7 years ago

@Mavic129 How did you come up with the byte seq? Did you use a USB sniffer to flush out the commands??

Mavic129 commented 7 years ago

I sniffed only Mavic 1.3.07; I believe commands will change based on drone type and FW.

It's safer to use the WS as it is the same for all drones.

notsolowki commented 7 years ago

Honestly, I don't know why I didn't think of that, but thank you for taking the time to do it!!! I'm sure it will help a lot of people, including myself.

MAVProxyUser commented 7 years ago

@notsolowki based on the wording over at http://mavicunlocked.com I am going to assume the 2500 limit was possibly specific to .400 firmware (on Mavic; unknown analogs on other platforms).


notsolowki commented 7 years ago

So what happens when you use the WebSocket to try to override a parameter's max?

Mavic129 commented 7 years ago

It will give you an error message that it failed to set the value exceeding the max limit.

Mavic129 commented 7 years ago

BTW even CopterSafe doesn't exceed the max limits.

notsolowki commented 7 years ago

If there's something you don't want DJI to see, or you want to PM: notsoluckiATgmailDOTcom

notsolowki commented 7 years ago

Really, so the only other options would be:

1. Firmware modification
2. Root the drone?

The flight controller doesn't run Android. Is it encrypted? @mefistotelis, do you have IDA running lol

mefistotelis commented 7 years ago

I haven't checked the Mavic FW yet. I expect Ambarella runs Android, as new Ambarella SDK is based on it. During firmware update, I expect Ambarella to extract single modules from FW package and send them to specific components in encrypted form, same as it is in Ph3. Bootloaders of these components are tasked with decrypting.

notsolowki commented 7 years ago

@mefistotelis, here are some tools that may help in extracting individual binaries. They appear to be encrypted though.

https://github.com/fvantienen/dji_rev

That's if you're willing to do any work with the Mavic. I personally would like to use some tools similar to the Ph3 ones. I'm sure there are lots of people willing to test it.

fvantienen commented 7 years ago

Both the LC and the Ambarella core are running Android. And @mefistotelis is right about the part that the individual bootloaders decrypt the FW, but that is only for the FC and ESCs. I tried some known keys and ways to decrypt it, but it didn't work. When you start looking at the Mavic you should contact me, as I can provide you with a lot of information.

MAVProxyUser commented 7 years ago

FWIW, I have shelled out on the Ambarella, and was not under the impression it was Android based. You can use the RNDIS access and a semi-known password to get in. It looks just like the Ambarella Linux on the P3: the RTOS runs beneath it and there are weird IPC processes / services that are spoken to via "t" commands.

Much of the info in GoPRO or GTFO applies indirectly. https://www.youtube.com/watch?v=nofJJoj5iys https://www.defcon.org/images/defcon-21/dc-21-presentations/Manning-Lanier/DEFCON-21-Manning-Lanier-GoPro-or-GTFO-Updated.pdf

IIRC there are "t dji" commands that the SoC can execute... but again, it did not look very Androidish to me.

FLDataTeK commented 7 years ago

Looks like it here..

https://github.com/droner69/MavicPro/tree/master/Firmware/Firmware_01.03.0400/_RC_wm220_1301_v01.04.17.03_20170120.pro.fw.sig.extracted/system/bin

```sh
# init adb device serial
if [ -f /data/dji/cfg/adb_serial ]; then
    serial=`cat /data/dji/cfg/adb_serial`
    busybox printf "$serial" > /sys/class/android_usb/android0/iSerial
fi
```

Mavic129 commented 7 years ago

@FLDataTeK I tested your method; it didn't enable ADB.

dmanisgnarly commented 7 years ago

When trying to send the command for any of the above modes on FW700 via DJI Assistant 2 on Win10, I get the following "garbage" error. The example below is the message log output for sport mode.

```text
{"SEQ":"bsixzcic","CMD":"write","INDEX":"g_config_mode_sport_cfg_tilt_atti_range","VALUE":60} {"SEQ":"04fbplxd","CMD":"write","INDEX":"g_config_mode_sport_cfg_vert_vel_up","VALUE":10} {"SEQ":"04fbplxd","CMD":"write","INDEX":"g_config_mode_sport_cfg_vert_acc_up","VALUE":10} {"SEQ":"fviwf4kz","CMD":"write","INDEX":"g_config_mode_sport_cfg_vert_vel_down","VALUE":-10} {"SEQ":"fviwf4kz","CMD":"write","INDEX":"g_config_mode_sport_cfg_vert_acc_down","VALUE":-10} {"SEQ":"uoo9h9u0","CMD":"write","INDEX":"g_config_fw_cfg_max_speed","VALUE":20}} { "ERROR": "FAILURE", "ERROR_MESSAGE": "garbage at the end of the document" }
```

Mavic129 commented 7 years ago

There is a double `}}` at the end of the command. I never tried to execute all commands at once; usually I execute them one by one.

I updated the above post and removed the duplicate `}`.
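The error in the exchange above is a message-framing problem: the Assistant endpoint parses one JSON document per WebSocket message, so pasting several commands into a single message, or leaving a stray `}` behind, is reported as "garbage at the end of the document". The checker below is an added example (not code from the thread or from the dji-firmware-tools project) that splits a message into the JSON documents it contains and reports anything the endpoint would reject before it is sent; the SEQ/CMD/INDEX/VALUE field names come from the posts above, while the INDEX names and SEQ values in the sample messages are constructed placeholders.

```python
"""Framing check for messages sent to the Assistant WebSocket endpoint.

Added example, not part of the thread or the dji-firmware-tools project.
The SEQ/CMD/INDEX/VALUE field names come from the messages posted above;
the INDEX names and SEQ values in the sample messages below are constructed.
"""
import json

REQUIRED_KEYS = {"SEQ", "CMD", "INDEX", "VALUE"}


def split_documents(text):
    """Split text into the JSON documents it contains, left to right.

    Returns (documents, trailing_garbage).  A well-formed message is one
    document followed by nothing, i.e. ([obj], "").
    """
    decoder = json.JSONDecoder()
    docs = []
    pos = 0
    while True:
        # raw_decode does not skip leading whitespace, so do it here
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos == len(text):
            return docs, ""
        try:
            obj, end = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            # whatever is left could not be parsed: this is the "garbage"
            return docs, text[pos:]
        docs.append(obj)
        pos = end


def check_write_message(text):
    """Return a list of problems with one WebSocket message (empty if OK)."""
    problems = []
    docs, garbage = split_documents(text)
    if garbage:
        problems.append("garbage at the end of the document: %r" % garbage)
    if len(docs) != 1:
        problems.append("expected one JSON document per message, found %d" % len(docs))
    for doc in docs:
        if not isinstance(doc, dict):
            problems.append("document is not a JSON object")
            continue
        missing = REQUIRED_KEYS - set(doc)
        if missing:
            problems.append("missing keys: %s" % ", ".join(sorted(missing)))
        if doc.get("CMD") != "write":
            problems.append("CMD is %r, not 'write'" % doc.get("CMD"))
    return problems


# Constructed sample messages (placeholder INDEX names and SEQ values).
SINGLE_MESSAGE = '{"SEQ":"aaaa0001","CMD":"write","INDEX":"example_param_a","VALUE":1}'
SECOND_MESSAGE = '{"SEQ":"aaaa0002","CMD":"write","INDEX":"example_param_b","VALUE":-10}'
# Two commands pasted into one message plus a stray closing brace: the same
# shape as the log pasted above.
BATCHED_MESSAGES = SINGLE_MESSAGE + " " + SECOND_MESSAGE + "}"


if __name__ == "__main__":
    for label, msg in (("single", SINGLE_MESSAGE), ("batched", BATCHED_MESSAGES)):
        print(label, check_write_message(msg) or "ok")
```

Running the block reports the single message as OK and flags the batched one twice: once for the trailing `}` and once for containing two documents instead of one. Sending each line from the lists above as its own message is exactly what makes `check_write_message` return an empty list.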

dmanisgnarly commented 7 years ago

Thanks! All is well now. I did not realize the strings had to be entered one at a time.

Received an over-current discharge error within 5 mins, backed off briefly and finished the battery out. Will probably tweak some settings with a dev parameters spreadsheet I got ahold of last night.

2008jiayu commented 7 years ago

@Mavic129 I just updated the LC1860 model using the wrong firmware in Assistant 2 beta; my drone can't connect to the computer now. How do I recover it? How can I go into the bootloader? 😂 @notsolowki

MAVProxyUser commented 7 years ago

ouch... @2008jiayu enjoy your brick... hope you got DJI Care. Also... new core boards are like $90 on ebay.

coptersafe commented 7 years ago

@2008jiayu when you connect the drone to the PC, do you have any DJI COM port in Device Manager?

devkadji commented 7 years ago

I made a similar stupid mistake to @2008jiayu by flashing an earlier FW version for the FlightCtrl device (which went OK according to DJI Assistant beta 112). @coptersafe - yes, there is a DJI COM port device in the Device Manager. It had some driver-related issue, so I had to edit the Vision_(Interface_3).inf file a bit to install the driver.

2008jiayu commented 7 years ago

@coptersafe, yes, there are two USB ports: one is a COM port, the other is USB LAN, but it says the cable is not inserted. @everyone

2008jiayu commented 7 years ago

help

MAVProxyUser commented 7 years ago

The DJI ftpd directory traversal exploit technique by P0V is now public... https://github.com/MAVProxyUser/P0VsRedHerring

https://www.youtube.com/watch?v=BTQ_CTih1HM

skeimi commented 7 years ago

Drone number here? Where can I see my "drone number"?

skeimi commented 7 years ago

Got it! :)

Sarioah commented 7 years ago

So I'm guessing all this is why the steaming pile of crap that is the P4 2.00.0106 FW was rushed out.... Hoping I can get this thing downgraded....

MAVProxyUser commented 7 years ago

@Goof245 stop by and see us... I'll repost this here, as referenced in the dji_system.bin repo, this is a good place to start: http://dji.retroroms.info

For those of you not in the loop, that want to help with the "retention" process regarding control of your DJI aircraft, please familiarize yourself with the following repos: 

This represents the front lines of the resistance as it were... "the movement" pretty well begins in all of these individual battle grounds. 


- https://github.com/Bin4ry/deejayeye-modder - APK "tweaks" for settings & "mods" for additional / altered functionality
- https://github.com/hdnes/pyduml - Assistant-less firmware pushes and DUMLHacks, referred to as DUMBHerring when used with "fireworks.tar" from RedHerring. DJI silently changes Assistant? Great... we will just stop using it.
- https://github.com/MAVProxyUser/P0VsRedHerring - RedHerring, aka "July 4th Independence Day exploit", "FTPD directory traversal 0day", etc. (Requires Assistant). We all needed a public root exploit... why not burn some 0day?
- https://github.com/MAVProxyUser/dji_system.bin - Current archive of dji_system.bin files that compose firmware updates, referenced by MD5 sum. These can be used to upgrade and downgrade, and root your I2, P4, Mavic, Spark, Goggles, and Mavic RC to your heart's content. (Use with pyduml or DUMLDore)
- https://github.com/MAVProxyUser/firm_cache - Extracted contents of dji_system.bin; in the future will be used to mix and match pieces of firmware for custom upgrade files. This repo was previously private... it is now open.
- https://github.com/jezzab/DUMLdore - Even Windows users need some love, so DUMLDore was created to help archive and flash dji_system.bin files on Windows platforms.

So... that is all! Have fun folks, stop by Slack and see us if you get bored. #android_apk_patching, #archived_fw_flashing, #factory_mode_access, #firm_cache, #hardware, #mavic_rooting, #safety_shaming channels all have something for everyone. If not.. feel free to lurk in #general.

We are currently looking to archive as much firmware as possible if anyone wants to help... https://www.rcgroups.com/forums/showpost.php?p=37941901&postcount=1704

stephengardner commented 6 years ago

Mavic on FW 0400 here; successfully switched cfg_cfg_disable_airport_fly_limit to 1 and cfg_cfg_limit_data to 20250915, but I'm still unable to take off in an NFZ. GPS mode still disables this.

I live in Maryland, and it's far away, but still resides within 30 miles of DC. Is it possible that the DC limit is hard-coded or an entirely different parameter?

Also quick check for anyone with NFZ disabled - if you look on the map, is there still a red circle around DC? Is there a red circle anywhere else? On my map there is only a circle there, and nowhere else.

ruckusman commented 6 years ago

@MAVProxyUser - You will find a lot of useful information on the T commands (which are executed directly by the Ambarella RTOS) amongst the GoPro hacks here; most are dedicated to camera control and configuration functions:

https://github.com/KonradIT