Crowdfund hacker to build custom firmware?

I have a question for our tech dudes :)

I'm thinking of just editing the firmware version and tricking the device into installing that one.
That should be possible to do in a hex editor in 10 mins with 99% confidence that nothing will go wrong.

BUT: I would like to make sure we can trick the device into installing custom-versioned firmware and then successfully get back to the original one. That would give us confidence that we will not brick the device or damage it in any way and the user can revert back any time.

You think that's a good idea for a start?
The firmware appears to have a last-known-good system for allowing the P3 to bypass a bad firmware install. I can attest to the fact that it works at least some of the time because the very first time I attempted to upgrade the firmware I decided that 20 minutes was really excessive and pulled the card.

Ensuring that this function is fairly bulletproof would be an important step, as P3s are really too light to be used as a door stop.

That said, I do not see any discussion about a JTAG interface - which I assume it has?

And further, there are a couple of other bits of software floating around that might be of interest:

MVOM0Fw.bin (that last circular thing is a zero). This, according to the readme file, is:

The MVOM0Fw.bin is a service file created by DJi for devices that got stuck during firmware updates. Only update the copter, not the rc.

and GS_OFDM.bin which appears to do something of the same thing.

I have both of these files and can put them up on Dropbox as long as Brendon promises not to make me run the new 'beta' software.
 
I would equally assume there was a JTAG interface or similar for loading firmware at the factory and to recover "bricked" installs. What we need is a complete teardown with high resolution images including inside the flight controller and camera. Anybody found such images?

If not, this could be what we need to raise funds for. Anybody willing to donate a dead P3?
 
MVOM0Fw clears the data from 1 component. It's not really a 'service bin'... in a hex editor it all seems encrypted. (This won't allow you to do much except get the P3 to update that 1 component again.)
gs_ofdm.bin seems to clear the data on the remote.
there are a lot more .bin files mentioned in the firmware if you search for MVOM0Fw and scroll down or up...
 
OFDM is the Lightbridge air interface. Orthogonal Frequency Division Multiplexing. It is basically a MUXed uplink / downlink. Downlink is simply a wireless video delivery with data encoded into the audio channels (I think). Uplink is a mixture of FHSS or FASST with proprietary additional data channels. (I think.)

The GS designation is probably "Ground Station" so I would agree it is for the RC. Just adding what I can figure out.
 
FC300XFw.bin ESCFw.bin MCAPPFw.bin MCLDRFw.bin MVOM4Fw.bin MVOM0Fw.bin CENTERFw.bin 765Fw.bin FPGAFw.bin 68013Fw.bin DM368Fw.bin GIMBALFw.bin BATTERYFw.bin CAMLDRFw.bin CAMBSTFw.bin CAMBCPUFw.bin CAMLCPUFw.bin WIFIFw.bin TEST3Fw.bin

And there are more
 
Let's stay on topic. Post here if:
  • You have technical knowledge to share or discuss.
  • Want to help technically.
  • Want to help financially.
EDIT: We will eventually move the technical discussion to the Firmware section but for now, let's keep it here to see who else wants to participate.
 
If this is regarding GEO, would someone even need to jailbreak the Phantom's firmware? Isn't GEO part of the app?
There has to be a design in the software that reads a no fly database that must be in the config files. If the config files could be altered to wipe the actual zones it would be defeated. DJI could implement some really sophisticated techniques making it hard to do that, such as encryption, checksums and encryption that calculates a hash and encrypts it to check if the data has been altered at run time. This may not be easy to defeat.
 
If anyone wants to take a moment to consider this, it might be worth thinking about.

I can include a hidden discussion forum along with the others on my website. Once logged in, only you will be able to see and access the forum. You can then set your preferences to send you an email if someone adds any content. That way there won't be the need to visit the forum to check activity. (As for the current discussion forum, it consists of very limited activity. A few years back I felt it to be more important to be part of this group without appearing as if I had some type of hidden agenda.)

Anyhow, I just wanted those that are participating in this subject to know this option is available. Other than that, it is good to see this is progressing.
 
I have a question for our tech dudes :)

I'm thinking of just editing the firmware version and tricking the device into installing that one.
That should be possible to do in a hex editor in 10 mins with 99% confidence that nothing will go wrong.

BUT: I would like to make sure we can trick the device into installing custom-versioned firmware and then successfully get back to the original one. That would give us confidence that we will not brick the device or damage it in any way and the user can revert back any time.

You think that's a good idea for a start?
Sounds like a good approach. I doubt there is a checksum before installing. Can set the default value in FW to what is desired. This way just install and leave those value alone.
 
......and have found a lot in regards to NFZ's and bypassing them. On a side note there is also a lot of references to the Phantom 4 in there.
From what I have found I don't believe we need to touch firmware / risk bricking, as the apps seem to manage the NFZ data and then push it to the flight controller...
I was really thinking about what you said here. Yes, I like your idea and it should work great for the NFZ issue. And I'm not saying to stop working on the idea. My only thought was this won't help those who have degraded characteristics due to updating firmware. I would also like to gain the ability to allow owners the choice to go to their older firmware if they choose.


For example. I have a 1.3.2 quad that I upgraded to 1.4 when I bought it (not knowing anything about P3s) then my dealer swapped my remote under warranty and thought I might like 1.5 on both my quad and rc. Not. 1.3 worked the best for me.

So now with the help of Dilux, I have been able to revert the rc back from 1.5 to 1.4 to 1.3 but not the quad.
 
.....I'm thinking of just editing the firmware version and tricking the device into installing that one.
That should be possible to do in a hex editor in 10 mins with 99% confidence that nothing will go wrong.

BUT: I would like to make sure we can trick the device into installing custom-versioned firmware and then successfully get back to the original one.
I wanted to let you know what I found to get my rc back. It might give you a little insight to the P3 setup.

I know that changing the name of a bin without changing hex or checksum usually doesn't work. I used to think different but now I'm guessing that the level of security on the RC is not as high as the quad. I was able to put the RC in service mode, have DJI Go download the latest 1.5. RC fw. Shut it down. Then replace it with 1.3. Rename the file exactly as the 1.5 file in the DJI directory. Then start again in service mode, and install. It installed thinking it was 1.5. Power down and back up, DJI Go app info shows it accepted it as 1.3.2. (And I did it 2 times to verify it worked)

I don't know if this will help with what you're saying. I haven't messed with hex, bootloaders, or any of the sort since they hacked Dave's cards back in the day.
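The rename trick above works only because the updater trusts the version in the file name; the earlier speculation about hashes and checksums is the usual mitigation. The following Python is an added illustration (not code from this thread or from DJI) of a hypothetical updater that binds the version string to the image contents with an HMAC-signed manifest, so a 1.3 image renamed to the 1.5 file name is rejected; the key, payloads and manifest format are constructed for the demo.

```python
import hashlib
import hmac

# Hypothetical updater logic (added example, not DJI's mechanism): the version
# string is bound to the image contents through an HMAC-signed manifest, so a
# check based on the file name alone is replaced by a check on the image itself.
VENDOR_KEY = b"constructed-demo-key"  # placeholder; real firmware would use a protected key

def build_manifest(version: str, image: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Produce a manifest {version, sha256, mac} with a MAC over version and digest."""
    digest = hashlib.sha256(image).hexdigest()
    msg = f"{version}:{digest}".encode()
    return {"version": version, "sha256": digest,
            "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}

def name_only_check(filename_version: str, expected_version: str) -> bool:
    """The weak check the post describes: trust whatever version the file name claims."""
    return filename_version == expected_version

def verify_update(filename_version: str, image: bytes, manifest: dict,
                  key: bytes = VENDOR_KEY) -> tuple:
    """Return (accepted, reason). Rejects bad MACs, mismatched digests and version swaps."""
    msg = f"{manifest['version']}:{manifest['sha256']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, "manifest MAC invalid"
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"]):
        return False, "image digest does not match manifest"
    if filename_version != manifest["version"]:
        return False, "file name version does not match manifest"
    return True, "ok"

# Constructed stand-ins for two RC firmware builds (not real DJI images)
IMAGE_15 = b"constructed rc firmware 1.5 payload"
IMAGE_13 = b"constructed rc firmware 1.3 payload"
MANIFEST_15 = build_manifest("1.5", IMAGE_15)

def demo() -> dict:
    """Compare both checks on the genuine 1.5 image and on 1.3 renamed as 1.5."""
    return {
        "name_only_renamed": name_only_check("1.5", "1.5"),   # passes: the rename fools it
        "bound_genuine": verify_update("1.5", IMAGE_15, MANIFEST_15)[0],
        "bound_renamed": verify_update("1.5", IMAGE_13, MANIFEST_15)[0],
    }

if __name__ == "__main__":
    print(demo())
```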
 
Shut up and take my money!

Count me in folks.

So who here other than Shammyh has some technical capabilities to start hacking this thing? Let's start some lists:

Devs:
@Shammyh
@Muva Bee
@Apilot101

And who else wants to throw in some monetary support? So far, we've got:

Contributors :
@flyNfrank
@aka1ceman
@skeeterest
@jasonb777
@ianwood (just added myself)
@Apilot101

ianwood, please update a list.

P.S.
msinger, the FAA and the USA are not the world, and DJI is not the only UAV manufacturer.
Any others have no such limitations.
If some irresponsible folk would like to fly in an NFZ, he just self-authorises in GEO on a fake/prepaid phone or he uses foil Phantom hats. And probably he goes to jail - his problem, not ours.
 
I'm not an expert with programming, but I know a little more than the next guy. I'll be interested to see how this plays out, and I'll do some research and share anything I find!
 
Could the internal sd card in the phantom have some data on it that controls how far you can downgrade?
 
Count me in!! One Canadian contributor here !
 
Could the internal sd card in the phantom have some data on it that controls how far you can downgrade?

That info is likely embedded in the firmware on a flash chip near the flight controller.
Haven't yet taken a Phantom apart to analyze the hardware.

The hidden SD card contains flight logs and possibly no fly zone data.

Which gives me an idea....
possible to erase this card to remove dji's crazy no fly zone updates?
 
Good luck trying to get an app to work with it on the iPhone. They sandbox that pretty tight and they don't like mods.

Some good features of a hacked firmware:

* No altitude limit
* Report on wind conditions aloft (wind speed; turbulence)
* Report on weather conditions aloft (Barometric pressure; temperature)
* NFZ zapper
* Blackbox (Onboard telemetry over every move like on an airplane.)
* Rig the speaker that plays the beeps on the P3 to be a speaker system that you can play your voice over using the microphone of your cell phone.
* Easier uploads to healthydrones.
* Bird hunter mode (Just kidding -- I think...)

I know some of these are rogue but hey -- so is hacked firmware.
 
If anyone wants to take a moment to consider this, it might be worth thinking about.

I can include a hidden discussion forum along with the others on my website. Once logged in, only you will be able to see and access the forum. You can then set your preferences to send you an email if someone adds any content. That way there won't be the need to visit the forum to check activity. (As for the current discussion forum, it consists of very limited activity. A few years back I felt it to be more important to be part of this group without appearing as if I had some type of hidden agenda.)

Anyhow, I just wanted those that are participating in this subject to know this option is available. Other than that, it is good to see this is progressing.


I guess some simply lack the ability to hear the warning. Put all your time and effort into figuring this out, and I will guarantee a revision will be in place in the very next firmware update and all that effort will be wasted. As well the door to the good stuff will not be accessible as it once was.

Good luck.
 