I bricked my p3s with ftp range mod - let's fix it together

Do anyone know which parts are affected on bricked P3? As I could the parts off my crashed P3S as long it not same damage components,

As one considered sending their drone back to DJI for repair?
Since the entire Wifi connection seems to disappear I think that it's a problem of file enconding or file permission during the edition process. The lines affected by the hack don't directly affect the wifi SSID broadcast so we can think that the entire file is somehow corrupted or something. If we're able to access these files through serial method via USB we'll find a way to restore the files integrity.
 
There is no hardware replacement involved in fixing this problem. It is a matter of file execution permissions and if/when someone manage to connect a telnet connection to the backdoor you simple add the "chmod +x rcS" command and everything is ok. The whole issue is to find that backdoor entry but I think a few of the previous suggestions of connecting a USB to TTL cable would do the trick - let us pray and hope....
 
  • Like
Reactions: sparkymarky
I tried the UART-Method but somehow the terminal of putty does not give information or something. Terminal stays black and with blinking cursor while the uart cable is to tx, rx and gnd connected. Probably driver issue or the uart cable driver does not work for windows 10
 
U-Boot 1.1.4 (Mar 24 2016 - 12:37:01)

MI124
DRAM: 32 MB
Flash: 8 MB
In: serial
Out: serial
Err: serial
Press ESC to abort autoboot in 1 seconds
ar7240>

Unknown command '' - try 'help'
ar7240>

ar7240>

ar7240> ls

Unknown command 'ls' - try 'help'
ar7240> ?

? - alias for 'help'
autoscr - run script from memory
base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootelf - Boot from an ELF image in memory
bootm - boot application image from memory
bootp - boot image via network using BootP/TFTP protocol
bootvx - Boot vxWorks from an ELF image
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
dhcp - invoke DHCP client to obtain IP/boot params
dnw - receive file from pc via usb
echo - echo args to console
erase - erase FLASH memory
ethreg - S26 PHY Reg rd/wr utility
exit - exit script
flinfo - print FLASH memory information
go - start application at address 'addr'
help - print online help
iminfo - print header information for application image
itest - return true/false on integer compare
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
pci - list and access PCI Configuration Space
ping - send ICMP ECHO_REQUEST to network host
pll cpu-pll dither ddr-pll dither - Set to change CPU & DDR speed
pll erase
pll get
printenv- print environment variables
progmac - Set ethernet MAC addresses
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sleep - delay execution for some time
srifpll cpu-pll ddr-pll - To change CPU & DDR speed through srif
srifpll erase
srifpll get
test - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
version - print monitor version
 
from bricked RC

U-Boot 1.1.4 (Mar 24 2016 - 12:37:01)

MI124
DRAM: 32 MB
Flash: 8 MB
In: serial
Out: serial
Err: serial
Press ESC to abort autoboot in 1 seconds
## Booting image at 9f050000 ...
Image Name: MIPS OpenWrt Linux-3.10.49
Created: 2016-04-18 4:37:14 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 905321 Bytes = 884.1 kB
Load Address: 80060000
Entry Point: 80060000
Verifying Checksum at 0x9f050040 ...OK
Uncompressing Kernel Image ... OK

Starting kernel ...

[ 0.000000] Linux version 3.10.49 (yello@ubuntu) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r2635) ) #1 Mon Apr 18 12:37:04 CST 2016
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU revision is: 0001974c (MIPS 74Kc)
[ 0.000000] SoC: Atheros AR9342 rev 2
[ 0.000000] Clocks: CPU:560.000MHz, DDR:450.000MHz, AHB:225.000MHz, Ref:40.000MHz
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 02000000 @ 00000000 (usable)
[ 0.000000] User-defined physical RAM map:
[ 0.000000] memory: 02000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x01ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x01ffffff]
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128
[ 0.000000] Kernel command line: board=DJI-WM305 console=ttyS0,115200 root=/dev/mtdblock3 init=/sbin/init mtdparts=ath-nor0:256k@0k(u-boot),64k@256k(u-boot-env),896k@320k(kernel1),3008k@1216k(rootfs1),896k@4224k(kernel2),3008k@5120k(rootfs2),64k@8128k(art),3904k@320k(firmware1),3904k@4224k(firmware2),8192k@0k(all) mem=32M rootfstype=squashfs,jffs2 noinitrd
[ 0.000000] PID hash table entries: 128 (order: -3, 512 bytes)
[ 0.000000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 29180k/32768k available (2102k kernel code, 3588k reserved, 363k data, 220k init, 0k highmem)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Calibrating delay loop... 278.93 BogoMIPS (lpj=1394688)
[ 0.070000] pid_max: default: 32768 minimum: 301
[ 0.070000] Mount-cache hash table entries: 512
[ 0.080000] NET: Registered protocol family 16
[ 0.080000] MIPS: machine is DJI WM305
[ 0.290000] ath_usb_init: id: 1122
[ 0.360000] bio: create slab <bio-0> at 0
[ 0.360000] Switching to clocksource MIPS
[ 0.370000] NET: Registered protocol family 2
[ 0.370000] TCP established hash table entries: 512 (order: 0, 4096 bytes)
[ 0.380000] TCP bind hash table entries: 512 (order: -1, 2048 bytes)
[ 0.390000] TCP: Hash tables configured (established 512 bind 512)
[ 0.390000] TCP: reno registered
[ 0.390000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.400000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.410000] NET: Registered protocol family 1
[ 0.430000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.430000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.440000] msgmni has been set to 56
[ 0.450000] io scheduler noop registered
[ 0.450000] io scheduler deadline registered (default)
[ 0.460000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 0.480000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
[ 0.490000] console [ttyS0] enabled, bootconsole disabled
[ 0.490000] console [ttyS0] enabled, bootconsole disabled
[ 0.500000] ar934x-hs-uart.0: ttyATH0 at MMIO 0x18500000 (irq = 14) is a AR934X UART
[ 0.510000] ath79-spi ath79-spi: master is unqueued, this is deprecated
[ 0.520000] m25p80 spi0.0: found s25fl064k, expected m25p80
[ 0.530000] m25p80 spi0.0: s25fl064k (8192 Kbytes)
[ 0.530000] 10 cmdlinepart partitions found on MTD device ath-nor0
[ 0.540000] Creating 10 MTD partitions on "ath-nor0":
[ 0.540000] 0x000000000000-0x000000040000 : "u-boot"
[ 0.550000] 0x000000040000-0x000000050000 : "u-boot-env"
[ 0.560000] 0x000000050000-0x000000130000 : "kernel1"
[ 0.560000] 0x000000130000-0x000000420000 : "rootfs1"
[ 0.570000] 0x000000420000-0x000000500000 : "kernel2"
[ 0.580000] 0x000000500000-0x0000007f0000 : "rootfs2"
[ 0.580000] 0x0000007f0000-0x000000800000 : "art"
[ 0.590000] 0x000000050000-0x000000420000 : "firmware1"
[ 0.600000] 0x000000420000-0x0000007f0000 : "firmware2"
[ 0.600000] 0x000000000000-0x000000800000 : "all"
[ 0.610000] g_ether gadget: using random self ethernet address
[ 0.610000] g_ether gadget: using random host ethernet address
[ 0.620000] usb0: MAC ce:f4:f4:60:e9:92
[ 0.630000] usb0: HOST MAC 5a:9c:a9:37:48:1d
[ 0.630000] g_ether gadget: Ethernet Gadget, version: Memorial Day 2008
[ 0.640000] g_ether gadget: g_ether ready
[ 0.640000] TCP: cubic registered
[ 0.650000] NET: Registered protocol family 17
[ 0.650000] 8021q: 802.1Q VLAN Support v1.8
[ 1.440000] jffs2: notice: (1) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 1.450000] VFS: Mounted root (jffs2 filesystem) readonly on device 31:3.
[ 1.460000] Freeing unused kernel memory: 220K (802c9000 - 80300000)

init started: BusyBox v1.22.1 (2015-11-16 16:28:58 CST)

starting pid 219, tty '': '/etc/init.d/rcS'

can't run '/etc/init.d/rcS': No such file or directory

can't open /dev/ttyS0: No such file or directory

process '/bin/login' (pid 220) exited. Scheduling for restart.

can't open /dev/ttyS0: No such file or directory

process '/bin/login' (pid 221) exited. Scheduling for restart.

can't open /dev/ttyS0: No such file or directory

process '/bin/login' (pid 222) exited. Scheduling for restart.

can't open /dev/ttyS0: No such file or directory

process '/bin/login' (pid 223) exited. Scheduling for restart.

can't open /dev/ttyS0: No such file or directory

process '/bin/login' (pid 224) exited. Scheduling for restart.

can't open /dev/ttyS0: No such file or directory

process '/bin/login' (pid 225) exited. Scheduling for restart.
 
There is a new firmware that changed the root pw?
before update i just login without any password , after - it closed and login need password
passwd file -
root:$6$zi2k1pqQ$aYoxWoM9suJzq4xcIz0Uh/sMBQxIrM7QzqpNH.UMrX6TAmBx37jN0ygKlnpmHkgilWV5YzpfikkaylTWWo8RU0:16184:0:99999:7:::
 
how did you recover the remote controller, with what? via the micro usb on controller? or via the ports at main board?
 
via uart on wifi module - goto boot (press ESC at reset ) and then recovery like OPENWRT router
 
Which windows do you have and which chipset or uart-cable do you have? Putty stays at black screen with blinking cursor
 
also i found interesting info

if [ "$SEEN" -lt 1 ]
then
echo "REBOOT" > /dev/console
sync
reboot
elif [ "$SEEN" -gt 5 ]
then
echo "FACTORY RESET" > /dev/console
jffs2reset -y && reboot &
fi

if we press magic button more than 5 sec - system wil be reflashed - but it only work on worked transmitters
 
Ok I'm jumping in to see what I can find as well
 

Attachments

  • 1466190186886567366607.jpg
    1466190186886567366607.jpg
    3.5 MB · Views: 642
  • Like
Reactions: pszem
what is it?

UPD-we need find HG310.bin -( this is firmware for wifi module) - and boot.bin - this files unpacked from firmware , then put \tmp and update system .
 

Members online

Forum statistics

Threads
143,066
Messages
1,467,356
Members
104,934
Latest member
jody.paugh@fullerandsons.