o-gs / dji-firmware-tools

Tools for handling firmwares of DJI products, with focus on quadcopters.
GNU General Public License v3.0

General Firmware Discussion #6

Open notsolowki opened 7 years ago

notsolowki commented 7 years ago

Okay, so the big question: now that we have a known non-encrypted flight controller "1.7", what are the options as far as changing some angles of the aircraft, like more speed? Thanks.

mefistotelis commented 7 years ago

> maybe I didn't correctly understand this request "clone to upper level folder, '../pyelftools'"

Yes, I'm pretty sure that's the cause. Do as the message says.

ferraript commented 7 years ago

And this path, '../pyelftools', is relative to what folder? The arm_bin2elf.py location? The Python installation folder? Somewhere else?

mefistotelis commented 7 years ago

You could always try both. Or you can modify the script to point to the location you want. Good thing about Python is that you can always check what's up in the source code.

To answer the question: paths are relative to CWD.

ferraript commented 7 years ago

OK, conversion to ELF done, opened it in IDA, but it doesn't look easier to read at all :D I tried to load the map file from this repository, but as I supposed, it's made for the P3X bin only, so it doesn't work for my P3A bin.

I think I'm giving up on this, it's very complicated for me. I will have to rely on your, as you wrote, years of practice.

notsolowki commented 7 years ago

@mefistotelis If I byte-patch the flight controller module, am I going to get a CRC or checksum error?

Powershell-coder commented 7 years ago

@notsolowki see #13

notsolowki commented 7 years ago

@mefistotelis I notice some of the Phantom 4 firmware is not encrypted. The headers are similar but not exactly the same. Could your fwcon.py tools be updated to support extracting the Phantom 4 firmwares? Thanks

mefistotelis commented 7 years ago

I haven't looked much at P4 firmwares; I'm not really interested in them.

From the samples people sent me, they seem to be distributed as single modules, not the whole package. Modules are compressed with the lz4 algorithm.

Where did you find downloads of P4 firmwares?

notsolowki commented 7 years ago

I found it on the DJI website. It was the Phantom 4 Pro I was looking at. The FW was almost a whole GB.

https://www.dji.com/phantom-4-pro/info

notsolowki commented 7 years ago

Do they mean the Phantom 4 Pro + RC, or the Pro+ radio controller? I'm sorry, I thought it was both firmwares.

Phantom 4 Pro+ Remote Controller Firmware v01.01.01.01

notsolowki commented 7 years ago

@mefistotelis: do you think the startup tones are in the ESC firmware, or possibly in the flight controller's firmware? I would really like to get rid of them.

mefistotelis commented 7 years ago

> do you think the startup tones are in the ESC firmware or is it possibly in the flight controllers firmware

I don't know. They may also be in both.

polarisax commented 7 years ago

Hello to all! I have been reading you for a couple of weeks and I find this a very interesting forum! I'm a holder of a Phantom 3 Adv (FW 1.4.10+, 1.3.20+ RC, DJI GO 2.4.3). I am aware of the fact that the only modifiable firmware is the 1.7. Unfortunately it has some features I do not like, such as the GEO fence and the inability to clear the logs from the internal flash. Personally I would be interested in changing the maximum height (I live in the Alps) and changing the ascent and descent speeds. I was wondering if I can somehow manage to make these changes while remaining with version 1.4.10 (or 1.3). I wonder how it is possible, using the old version of Litchi, to make the changes on the maximum altitude even with the old firmware (1.4), while this cannot be done with the modified version of DJI GO 2.4.3. If the old firmware allows the height change, where is the problem? I am available to share my little tech knowledge and perform some tests! Thank you all for the wonderful work!

Have a good day!

ferraript commented 7 years ago

@polarisax, you can find the answer to your Litchi question here: you don't need FW 1.7 for breaking the 500 m height limit, you need Litchi 2.3.1 or older. I have AC 1.4.10, RC 1.4.30, DJI GO 2.4.3 and I can set the max height limit to 6000 m with Litchi 2.0.6. Yesterday I flew up to 1208 m.

notsolowki commented 7 years ago

@mefistotelis can you investigate the cheat_backdoor parameter? Just a very odd parameter. I mean, what could they possibly have added that for?!?

polarisax commented 7 years ago

@ferraript thank you so much for your interesting tips!! I'll try it ASAP.

notsolowki commented 7 years ago

Does anyone on here have iOS? Can you confirm what 'ESC stop beeping' does?

GlovePuppet commented 7 years ago

There is a command / handler table in the FC that looks very familiar to the Naza M (I may have the cmd bytes the wrong way round):

```
cmd_handler_t   struc ; (sizeof=0x8)
00000000 cmd     DCW ?
00000002 pad     DCW ?
00000004 handler DCD ?
00000008 cmd_handler_t ends
```

```
.data:080A6678 cmd_handlers cmd_handler_t <0x100, 0, 0x8042091>
.data:080A6678 cmd_handler_t <0x700, 0, 0x80420F3>
.data:080A6678 cmd_handler_t <0xB00, 0, 0x8042125>
.data:080A6678 cmd_handler_t <0xC00, 0, 0x8042161>
.data:080A6678 cmd_handler_t <0x3200, 0, 0x8042A7D>
.data:080A6678 cmd_handler_t <0xF100, 0, 0x8042BDF>
.data:080A6678 cmd_handler_t <0xF003, 0, 0x809F0C1>
.data:080A6678 cmd_handler_t <0xF103, 0, 0x809F247>
.data:080A6678 cmd_handler_t <0xF203, 0, 0x809F5B9>
.data:080A6678 cmd_handler_t <0xF303, 0, 0x809F409>
.data:080A6678 cmd_handler_t <0xF403, 0, 0x8046313>
.data:080A6678 cmd_handler_t <0xF703, 0, 0x809F145>
.data:080A6678 cmd_handler_t <0xF803, 0, 0x809F2E1>
.data:080A6678 cmd_handler_t <0xF903, 0, 0x809F6AB>
.data:080A6678 cmd_handler_t <0xFA03, 0, 0x809F49B>
.data:080A6678 cmd_handler_t <0xFC03, 0, 0x804A8DB>
.data:080A6678 cmd_handler_t <0xFD03, 0, 0x80420E1>
.data:080A6678 cmd_handler_t <0x3903, 0, 0x8042187>
.data:080A6678 cmd_handler_t <0x3A03, 0, 0x80421C5>
.data:080A6678 cmd_handler_t <0x3D03, 0, 0x8042BAD>
.data:080A6678 cmd_handler_t <0x7103, 0, 0x80422D5>
.data:080A6678 cmd_handler_t <0x7003, 0, 0x8042349>
.data:080A6678 cmd_handler_t <0x7403, 0, 0x8042239>
.data:080A6678 cmd_handler_t <0x7503, 0, 0x804226D>
.data:080A6678 cmd_handler_t <0x7603, 0, 0x80422A9>
.data:080A6678 cmd_handler_t <0x8003, 0, 0x807CAA1>
.data:080A6678 cmd_handler_t <0x8203, 0, 0x807CB69>
.data:080A6678 cmd_handler_t <0x8403, 0, 0x807CBCF>
.data:080A6678 cmd_handler_t <0x8603, 0, 0x807CC45>
.data:080A6678 cmd_handler_t <0x8703, 0, 0x807CCCF>
.data:080A6678 cmd_handler_t <0x8303, 0, 0x807CE09>
.data:080A6678 cmd_handler_t <0x8503, 0, 0x807CE59>
.data:080A6678 cmd_handler_t <0x9C03, 0, 0x807CD37>
.data:080A6678 cmd_handler_t <0x9D03, 0, 0x807CDAD>
.data:080A6678 cmd_handler_t <0x8A03, 0, 0x807D35F>
.data:080A6678 cmd_handler_t <0x8B03, 0, 0x807D79B>
.data:080A6678 cmd_handler_t <0x8C03, 0, 0x807D7DF>
.data:080A6678 cmd_handler_t <0x9603, 0, 0x807D863>
.data:080A6678 cmd_handler_t <0x9903, 0, 0x807D92B>
.data:080A6678 cmd_handler_t <0x9A03, 0, 0x807D9D5>
.data:080A6678 cmd_handler_t <0x9B03, 0, 0x807DA43>
.data:080A6678 cmd_handler_t <0x9703, 0, 0x807DA69>
.data:080A6678 cmd_handler_t <0x9803, 0, 0x807DE23>
.data:080A6678 cmd_handler_t <0x9003, 0, 0x807D12D>
.data:080A6678 cmd_handler_t <0x9103, 0, 0x807D27D>
.data:080A6678 cmd_handler_t <0x9203, 0, 0x807D2C1>
.data:080A6678 cmd_handler_t <0x9303, 0, 0x807D31D>
.data:080A6678 cmd_handler_t <0x8D03, 0, 0x809FA71>
.data:080A6678 cmd_handler_t <0x8E03, 0, 0x809FABD>
.data:080A6678 cmd_handler_t <0x2A03, 0, 0x8042C43>
.data:080A6678 cmd_handler_t <0x2F03, 0, 0x8042F7B>
.data:080A6678 cmd_handler_t <0x3003, 0, 0x8043033>
.data:080A6678 cmd_handler_t <0x3103, 0, 0x8043089>
.data:080A6678 cmd_handler_t <0x101, 0, 0x8043199>
.data:080A6678 cmd_handler_t <0x4603, 0, 0x8042439>
.data:080A6678 cmd_handler_t <0x5203, 0, 0x8042461>
.data:080A6678 cmd_handler_t <0x3F03, 0, 0x8042583>
.data:080A6678 cmd_handler_t <0x4103, 0, 0x804268F>
.data:080A6678 cmd_handler_t <0x4703, 0, 0x804279B>
.data:080A6678 cmd_handler_t <0x6203, 0, 0x80427D5>
.data:080A6678 cmd_handler_t <0x6403, 0, 0x80429D1>
.data:080A6678 cmd_handler_t <0x5003, 0, 0>
.data:080A6678 cmd_handler_t <0x5103, 0, 0x8089BC7>
.data:080A6678 cmd_handler_t <0x5203, 0, 0x8089C53>
.data:080A6678 cmd_handler_t <0x5303, 0, 0x8089C89>
.data:080A6678 cmd_handler_t <0x5403, 0, 0>
.data:080A6678 cmd_handler_t <0xAA03, 0, 0x804324B>
.data:080A6678 cmd_handler_t <0x3303, 0, 0x8042AD1>
.data:080A6678 cmd_handler_t <0x3403, 0, 0x8042AF5>
.data:080A6678 cmd_handler_t <0x3B03, 0, 0x8042B1D>
.data:080A6678 cmd_handler_t <0x3C03, 0, 0x8042B77>
.data:080A6678 cmd_handler_t <0x6003, 0, 0x80432DD>
.data:080A6678 cmd_handler_t <0xAB03, 0, 0x804325D>
.data:080A6678 cmd_handler_t <0xAC03, 0, 0x804329D>
.data:080A6678 cmd_handler_t <0x8002, 0, 0x8083199>
.data:080A6678 cmd_handler_t <0x504, 0, 0x8042C05>
.data:080A6678 cmd_handler_t <0x1C04, 0, 0x8042C13>
.data:080A6678 cmd_handler_t <0x1C06, 0, 0x8042A11>
.data:080A6678 cmd_handler_t <0x1C03, 0, 0x8042A11>
.data:080A6678 cmd_handler_t <0x1107, 0, 0x8043243>
.data:080A6678 cmd_handler_t <0>
```

There is also a response handler table

```
.data:080B2DB0 rsp_handlers cmd_handler_t <0x100, 0, 0x8048ADD>
.data:080B2DB8 cmd_handler_t <0x3206, 0, 0x8048B0D>
.data:080B2DC0 cmd_handler_t <0x102, 0, 0x8083149>
.data:080B2DC8 cmd_handler_t <0x202, 0, 0x8083149>
.data:080B2DD0 cmd_handler_t <0x1002, 0, 0x8083149>
.data:080B2DD8 cmd_handler_t <0>
```

GlovePuppet commented 7 years ago

Just scanning the command handlers

```
cmd_b00  - Request MCU reboot, log "sender%d request mc reboot\r\n"
cmd_1C04 - Set gimbal type, log "gimbal type:%d\r\n"
cmd_3B03 - Set RC lost action, log "[%2X]Set RC LOST ACT:%d"
cmd_3C03 - Get RC lost action, log "[%2X]Get RC LOST ACT:%d"
cmd_3D03 - Set time zone, log "timezone set:%d"
cmd_F100 - Set OFDM_TX state, log "[Err] OFDM_TX State:0x%.8x" (doesn't appear to be an error)
```

cmd_b00 is interesting: the string it logs suggests that the source of the command is recorded in the command packet. It looks like the fifth byte is the source and the sixth byte is the destination.

rsp_100 - Battery version, packet source must be 5, log "bat version:v%.8x"
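
As an added example (my code, not GlovePuppet's and not part of dji-firmware-tools), the Python below recovers tables of this cmd_handler_t shape from a raw flight-controller image, splits each u16 into command set and command id, and resolves a (set, id) pair to its handler the way the dispatcher would. It goes a little beyond the dump above in that it finds every zero-terminated table in an image rather than only the one at 080A6678. Assumptions not in the thread: flash mapped at 0x08000000 with Thumb handler pointers (odd addresses), the low byte of the u16 being the command set (so 0x3B03 reads as flight-controller command 0x3B, consistent with the 0xNN03 entries being FC commands), and the command-set names, which follow the DUML dissector in dji-firmware-tools. The sample image is constructed from a few rows of the dump.

```python
import struct

# Assumptions, not from the thread: the FC image is STM32 internal flash mapped at
# 0x08000000 (the dump's 0x080xxxxx handlers fit), and cmd_handler_t is the IDA struct
# above, <u16 cmd, u16 pad, u32 handler>, terminated by an all-zero record.
FLASH_BASE = 0x08000000
FLASH_END = 0x08100000

# Command-set names as used by the DUML dissector in dji-firmware-tools (assumption:
# the thread itself only pins down set 0 reboot, set 3 FC and set 4 gimbal commands).
CMD_SET_NAMES = {0x00: "general", 0x02: "camera", 0x03: "flight controller",
                 0x04: "gimbal", 0x06: "remote controller", 0x07: "wifi"}


def split_cmd(cmd):
    """Read the u16 as <set, id>: low byte is the command set, high byte the id,
    so the DCW value 0x3B03 is flight-controller command 0x3B (assumed byte order)."""
    return cmd & 0xFF, cmd >> 8


def plausible_handler(addr):
    """Thumb function pointers are odd and point into flash; 0 means 'no handler'."""
    return addr == 0 or ((addr & 1) == 1 and FLASH_BASE <= addr < FLASH_END)


def read_table(blob, off, min_entries=3):
    """Parse cmd_handler_t[] at off; return its entries only if a valid run ends in the sentinel."""
    entries = []
    while off + 8 <= len(blob):
        cmd, pad, handler = struct.unpack_from("<HHI", blob, off)
        off += 8
        if (cmd, pad, handler) == (0, 0, 0):
            return entries if len(entries) >= min_entries else None
        if cmd == 0 or pad != 0 or not plausible_handler(handler):
            return None
        entries.append((cmd, handler))
    return None  # ran off the end of the image without a sentinel


def scan_handler_tables(blob, min_entries=3):
    """Sweep the image at 4-byte alignment; return [(offset, [(cmd, handler), ...]), ...]."""
    found, off = [], 0
    while off + 8 <= len(blob):
        entries = read_table(blob, off, min_entries)
        if entries:
            found.append((off, entries))
            off += 8 * (len(entries) + 1)  # skip the table and its sentinel
        else:
            off += 4
    return found


def lookup(entries, cmd_set, cmd_id):
    """Handler address with the Thumb bit cleared, or None when the slot is 0 or absent."""
    for cmd, handler in entries:
        if split_cmd(cmd) == (cmd_set, cmd_id):
            return (handler & ~1) if handler else None
    return None


def describe(entries):
    """Human-readable rows like 'flight controller:0x3b -> 0x08042b1d'."""
    rows = []
    for cmd, handler in entries:
        cmd_set, cmd_id = split_cmd(cmd)
        name = CMD_SET_NAMES.get(cmd_set, "set %#04x" % cmd_set)
        rows.append("%s:%#04x -> %#010x" % (name, cmd_id, handler))
    return rows


def build_sample_image():
    """Constructed sample image (not a real dump): junk, a six-entry command table taken
    from the dump above, more junk, then the first three rows of the response table."""
    def rec(cmd, handler):
        return struct.pack("<HHI", cmd, 0, handler)
    sentinel = bytes(8)
    cmd_table = b"".join(rec(c, h) for c, h in [
        (0x0100, 0x8042091), (0x0B00, 0x8042125), (0x3B03, 0x8042B1D),
        (0x3C03, 0x8042B77), (0x1C04, 0x8042C13), (0x5003, 0)]) + sentinel
    rsp_table = b"".join(rec(c, h) for c, h in [
        (0x0100, 0x8048ADD), (0x3206, 0x8048B0D), (0x0102, 0x8083149)]) + sentinel
    return (b"\xff" * 12 + b"sender%d request mc reboot\r\n" + bytes(4)
            + cmd_table + b"\xaa" * 20 + rsp_table)


if __name__ == "__main__":
    for off, entries in scan_handler_tables(build_sample_image()):
        print("table at +%#x, %d entries" % (off, len(entries)))
        for row in describe(entries):
            print("   ", row)
```

Run against a real decrypted FC module the scan also picks up unrelated struct arrays that happen to fit the shape; raising `min_entries` or checking that the handler addresses fall inside the `.text` range recovered by arm_bin2elf.py filters most of those out.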

MrBurnsAT commented 7 years ago

Found some new links to Inspire firmwares (X3).

You may add them to the supported firmwares list.

Here is an archive which I found: http://www.panorobot.com/dji/inspire_firmwares.htm

Here are the original DJI links:

http://dl.djicdn.com/downloads/inspire_1/en/Inspire_1_Firmwarev1.2.01.03_en.zip
http://dl.djicdn.com/downloads/inspire_1/cn/Inspire_1_Firmwarev1.2.01.03_cn.zip

http://dl.djicdn.com/downloads/inspire_1/en/Inspire_1_Firmwarev1.2.1.06_en.zip
http://dl.djicdn.com/downloads/inspire_1/cn/Inspire_1_Firmwarev1.2.1.06_cn.zip

http://dl.djicdn.com/downloads/inspire_1/en/Inspire_1_Firmwarev1.3.0.00_en.zip
http://dl.djicdn.com/downloads/inspire_1/cn/Inspire_1_Firmwarev1.3.0.00_cn.zip

http://dl.djicdn.com/downloads/inspire_1/en/Inspire_1_Firmwarev1.4.0.10_en.zip
http://dl.djicdn.com/downloads/inspire_1/cn/Inspire_1_Firmwarev1.4.0.10_cn.zip

https://dl.djicdn.com/downloads/inspire_1/WM610_FW_V01.05.00.30.zip

https://dl.djicdn.com/downloads/inspire_1/WM610_FW_V01.06.00.40.zip

https://dl.djicdn.com/downloads/inspire_1/WM610_FW_V01.07.00.90.zip

https://dl.djicdn.com/downloads/inspire_1/WM610_FW_V01.08.01.00.zip

mefistotelis commented 7 years ago

Thank you @MrBurnsAT, I will add them.

MAVProxyUser commented 6 years ago

@notsolowki "okay so the big question, now that we have a known non-encrypted flight controller", perhaps the bigger question is what would you do with more than one non-encrypted binary?

A little bird told me about some forked GitHub repos and a DMCA attempt... you uh... may want to fork this. https://github.com/MAVProxyUser/spray-system/blob/master/app/aes/aes.c#L38

GlovePuppet commented 6 years ago

```c
const unsigned char kTableAt88[32] =
{
    0x82, 0x31, 0x4E, 0x66, 0xE1, 0xD1, 0xF5, 0x13,
    0xB6, 0x53, 0xd2, 0xC6, 0x93, 0x7F, 0x39, 0x72,
    0xC1, 0xa8, 0x3f, 0x8c, 0x29, 0x55, 0x15, 0xC6,
    0x9B, 0xb3, 0x66, 0x28, 0x0a, 0x26, 0xe1, 0x2F,
};
```

That's really similar to the key I found in the NAZA M FW to decrypt the "per device" AT88SC seed:

https://hackaday.io/project/19995-hacking-dji-naza-m/log/53751-big-dump

Key: 82314e66e1d1f513b653d2c6937f3972 IV: 00000000000000000000000000000000

GlovePuppet commented 6 years ago

> what would you do with more than one non-encrypted binary?

Well, if I had one plain text FW (which we do) and could fix up any hashes then I would probably modify the plain text binary to dump the bootloader and obtain the FW encryption key ;) That's assuming I hadn't lost interest anyway

MAVProxyUser commented 6 years ago

@GlovePuppet just let it marinate a bit... that is some yummy soup above. You've got the gas on now. Stir it a bit more.

GlovePuppet commented 6 years ago

Or just say what you have to say. I kinda lost interest some months ago

MAVProxyUser commented 6 years ago

Those with the proper interest will figure it out... no need to force feed anyone. =] Enjoy!

mefistotelis commented 6 years ago

@GlovePuppet I just replaced the key in your djicrypt.py with:

```python
Key = "96709aD326674AC382B66927E6d88421"
```

and Phantom 3 firmwares are properly decrypted with it.

GlovePuppet commented 6 years ago

@mefistotelis Too much drama for me ;)

So, a reasonable guess is that the second half of kTableAt88[] is used to decrypt the AT88 seed except I don't think the P3 uses AT88, I think it uses a more modern part (ATSHA204 maybe?). Of course, I could be wrong

mefistotelis commented 6 years ago

> a reasonable guess is that the second half of kTableAt88[] is used to decrypt the AT88 seed

It is also possible that the second half is just unused.

> I don't think the P3 uses AT88, I think it uses a more modern part (ATSHA204 maybe?)

Well, there aren't many unknown chips on the FC board. Actually there's only one: it has 8 legs and the marking "3E AH C" (I'm not sure about the first two letters). If there is any crypto memory external to the STM uC, it has to be this one. See here, in the top left: https://raw.githubusercontent.com/wiki/mefistotelis/phantom-firmware-tools/P3C-photos/P3C-Flight-Controller-aka-MC-boardv5a-btm.png

I've also seen AT88 initialized by the DM365 media processor in the Ph3 (used on the P3X gimbal and GL300a RC); not sure whether it is used there, and for what purpose.

GlovePuppet commented 6 years ago

@mefistotelis

Yeah, that chip was my guess too. There is a string ref to SHA2 in the FC FW and I didn't see any of the AT88 code in the P3 (in Naza M/P2 they just copy/pasted the entire Atmel example code). Of course, that doesn't mean it isn't there.

ATSHA2 is available in UDFN/XDFN packages; the data sheet quotes part numbers like:

ATSHA204A-MAHCZ-T

mefistotelis commented 6 years ago

I see similar chip on the other modules - gimbal top board and gl300a interface board. Markings there are "C 5A AK". It is also on P3C camera encoder board.

jan2642 commented 6 years ago

> It is also possible that the second half is just unused.

This is likely the case. There seems to be people in DJI with the firm belief that AES128 keys are 32 bytes. There are quite a few examples in Mavic FW where they do this as well.

danieltroger commented 6 years ago

> Phantom 3 firmwares are properly decrypted with it.

@mefistotelis you have to decrypt the flight controller binaries, I assume? Has anybody got a clue what I'm doing wrong?

```
daniel@ssd-mini:/tmp/pf/phantom-firmware-tools$ ./dji_fwcon.py -vv -x -p ../in/P3C_FW_V01.07.0090.bin 
../in/P3C_FW_V01.07.0090.bin: Opening for extraction
../in/P3C_FW_V01.07.0090.bin: Package format version 2016 detected
../in/P3C_FW_V01.07.0090.bin: Header:
{   'entry_count': 1,
    'hdrend_offs': 118,
    'magic': 305419896,
    'magic_ver': 1,
    'manufacturer': b'DJI',
    'model': b'P3C',
    'padding': '00000000000000000000',
    'timestamp': 1482763035,
    'ver_latest': 17236058,
    'ver_latest_enc': 138513957,
    'ver_rollbk': 17170512,
    'ver_rollbk_enc': 138448431}
../in/P3C_FW_V01.07.0090.bin: Module index 0
{   'decrypted_len': 876288,
    'decrypted_md5': '612310e9114593f2c4d1feb073af2379',
    'dt_offs': 118,
    'encrypt_type': 1,
    'reserved2': 1,
    'spcoding': 16,
    'splvalue': 0,
    'stored_len': 876288,
    'stored_md5': 'c3c535640bd2fdadd6c3f5249d2c7122',
    'target': 'm0306',
    'target_name': 'main '
                   'controller '
                   "'A3' "
                   'app',
    'version': '02.04.5142'}
../in/P3C_FW_V01.07.0090.bin: Headers checksum 81C3 matches.
../in/P3C_FW_V01.07.0090.bin: Extracting module index 0, 876288 bytes
../in/P3C_FW_V01.07.0090.bin: Module index 0 stored checksum c3c535640bd2fdadd6c3f5249d2c7122
daniel@ssd-mini:/tmp/pf/phantom-firmware-tools$ python ../c.py -d -i P3C_FW_V01.07.0090_m0306.bin -o m0306_dec.bin
Decrypting...
Input file is " P3C_FW_V01.07.0090_m0306.bin
Output file is " m0306_dec.bin
daniel@ssd-mini:/tmp/pf/phantom-firmware-tools$ md5sum m0306_dec.bin 
40f564067d65975ff6e6152acd23fd39  m0306_dec.bin
daniel@ssd-mini:/tmp/pf/phantom-firmware-tools$ ./dji_flyc_param_ed.py -vv -x -m m0306_dec.bin 
m0306_dec.bin: Opening for extraction
Traceback (most recent call last):
  File "./dji_flyc_param_ed.py", line 716, in <module>
    main(sys.argv[1:])
  File "./dji_flyc_param_ed.py", line 697, in main
    flyc_extract(po,fwmdlfile)
  File "./dji_flyc_param_ed.py", line 558, in flyc_extract
    raise ValueError("Flight controller parameters array signature not detected in input file.")
ValueError: Flight controller parameters array signature not detected in input file.
daniel@ssd-mini:/tmp/pf/phantom-firmware-tools$ grep -i key ../c.py 
    crypto = AES.new(Key.decode("hex"), AES.MODE_CBC, IV.decode("hex"))
    crypto = AES.new(Key.decode("hex"), AES.MODE_CBC, IV.decode("hex"))
Key = "96709aD326674AC382B66927E6d88421"
daniel@ssd-mini:/tmp/pf/phantom-firmware-tools$ 
```

mefistotelis commented 6 years ago

Update to latest dji_fwcon - it does the decryption automatically.
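
The md5 bookkeeping in the module header is the check that would have flagged the problem in the session above before dji_flyc_param_ed.py ever ran: the header printed `decrypted_md5` 612310e9114593f2c4d1feb073af2379, while the output of the extra decryption step hashed to 40f564067d65975ff6e6152acd23fd39, so it was neither the stored module nor a correct plaintext. As an added example (my code, not from the thread and not part of dji-firmware-tools), the Python below reads the per-module dicts out of `dji_fwcon.py -vv` output and reports whether a blob is the stored module, the correctly decrypted one, or neither. The sample output and module bytes are constructed; the field names are the ones dji_fwcon printed above, everything else is an assumption.

```python
import ast
import hashlib
import re


def parse_module_headers(fwcon_output):
    """Pull each 'Module index N' dict out of 'dji_fwcon.py -vv' output.

    The tool pprints the header as a Python literal, so ast.literal_eval reads it back;
    the dict contains no nested braces, hence the [^{}] match.
    """
    headers = {}
    for m in re.finditer(r"Module index (\d+)\n(\{[^{}]*\})", fwcon_output):
        headers[int(m.group(1))] = ast.literal_eval(m.group(2))
    return headers


def classify_module(hdr, data):
    """Match a module blob's md5 against the header to see which pipeline stage it is at.

    'decrypted' is what dji_flyc_param_ed.py expects; 'stored' is the module exactly as
    packed in the .bin (still encrypted when encrypt_type != 0); anything else is a
    mismatch, with the length compared first because a short read is the cheap case.
    """
    digest = hashlib.md5(data).hexdigest()
    if digest == hdr["decrypted_md5"]:
        return "decrypted"
    if digest == hdr["stored_md5"]:
        return "stored"
    if len(data) != hdr["decrypted_len"]:
        return "mismatch: length %d, header says %d" % (len(data), hdr["decrypted_len"])
    return "mismatch: length ok but content differs (wrong key/IV, or decrypted twice?)"


def check_extracted_module(fwcon_output, index, data):
    """Convenience wrapper: classify module `index` of a package against a blob on disk."""
    return classify_module(parse_module_headers(fwcon_output)[index], data)


# Constructed sample module (not real DJI data): the 'stored' and 'decrypted' forms are
# simply unrelated byte strings here, since no cipher runs; only the md5 bookkeeping
# that dji_fwcon records is exercised.
SAMPLE_STORED = bytes(range(256)) * 4
SAMPLE_DECRYPTED = SAMPLE_STORED[::-1]

# Constructed excerpt in the shape of the '-vv -x' output above, with md5/length fields
# computed for the sample module. The package name is made up.
SAMPLE_FWCON_OUTPUT = """P3C_FW_sample.bin: Module index 0
{   'decrypted_len': %d,
    'decrypted_md5': '%s',
    'encrypt_type': 1,
    'stored_len': %d,
    'stored_md5': '%s',
    'target': 'm0306',
    'version': '02.04.5142'}
P3C_FW_sample.bin: Headers checksum 0000 matches.
""" % (len(SAMPLE_DECRYPTED), hashlib.md5(SAMPLE_DECRYPTED).hexdigest(),
       len(SAMPLE_STORED), hashlib.md5(SAMPLE_STORED).hexdigest())


if __name__ == "__main__":
    for name, blob in (("stored module", SAMPLE_STORED),
                       ("decrypted module", SAMPLE_DECRYPTED),
                       ("garbage", bytes(len(SAMPLE_STORED)))):
        print("%-17s -> %s" % (name, check_extracted_module(SAMPLE_FWCON_OUTPUT, 0, blob)))
```

On a real package, save the `-vv` output to a file, read the extracted `*_m0306.bin` with `open(path, "rb").read()`, and run it through `check_extracted_module` before handing the module to the parameter editor; "stored" on an `encrypt_type: 1` module means the extractor did not decrypt, "mismatch" means the decryption step went wrong.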

danieltroger commented 6 years ago

Oh, I'm an idiot. Thanks again