TX Power and other mods P4 via Telnet and FTP

Guys, I dont want to do this all alone.
Are any computer scientists here?
Dont you also want a shell into your Phantom? How awesome would that be. Does anyone know anything?

I had a little time yesterday. Used binwalk to descramble the latest P4 software update that is hidden in the DJI Assistant cache after downloading.
I think they might be using Android.
Also it seems like some serious encryption is in use. They are messing with E-Fuses.
I found two images inside the firmware which might be worth a look.
I suspect we need to reverse engineer the debuging protocol. I saw somewhere that on another one of their products they had some magic Hex strings that need to be sent to the serial of the Phantom to enable a shell. This would probably be best case.

Also it seems like the usb port on the phantom also provides access to a serial link directly.
Some battery into and Gimbal info seems to be sent from there occasionally, but no shell visible. Also doesnt react to my commands.

If someone knows about Embedded systems maybe you want to have a look at the unscrambled firmware that I added to this post.
If you need to unsceamble additional stuff, I suggest using binwalk -e [file] for this.

Since the upload here is too large for this forum, I added it here: _574629c244d828c2053fc4f1ef5d23e8.extracted.zip
 
  • Like
Reactions: hotashes and umneycreep
Can anyone here find something useful?
Where is the handler for the four telnet ports?
And for the serial interface?
 
Wish i could help... Would love to see someone hack a controller, A Inspire RX puts out 19 db when linked to an Inspire but drops to 12 db when linked to a P4 ?? Power output seems to be software controlled.
 
It looks like there are multiple layers of security going on. They are using efuses and disable debuging after the factory mode is switched off.
Currently the biggest change is to somehow modify the file start_dji_system.sh
Here they start a FTP server which we can possibly use to overwrite files. Also if we can modify the directory for ftpd from /ftp to /, then we will be almost there.
Biggest problem with this is still the weird bahaviour of garbled up output.
Does anyone have any cue, what is going on there? Why are files becoming gibberish and change size (increase slightly) when I upload them?
Is it just some incompatibitlty of filesystems, or did they modify the busybox ftpd to add some encryption thype stuff?

Also maybe we can somehow modify the start_dji_system.sh directly in flash. Any idea how to go about this? It seems like they are checking the partition on startup with
part_check.sh, but this file is mounted to the ftp accessible directoy (just infisible). So maybe someone is willing to venture and risk to brick their drone by trying to overwrite this file with an empty file over ftp? The empty file shoudl not be garbled up and can bypass this integrity check if I see correctly.

Is anyone there who knows about binary reverse engineering? Or about flash dumping and re-uploading? Please get in touch with me, I think this should be doable.
 
  • Like
Reactions: Turbomania and umneycreep
Interesting finding... It seems a straight android distribution with a patched setup by DJI system. the .img files need to be unpacked, but I don't think you'll find something interesting. bootarea.img is standard UBOOT system launcher.
I will find some spare time to look inside this stuff.
What get me astonished is to find and android system on P4 board... mhhh...:eek:
 
  • Like
Reactions: Turbomania
Can't help as it's not my area of expertise, but just want to say to OP, please don't stop looking into this! I'm amazed that there aren't more people trying to hack these things. Like you say, the possibilities are endless. I'm not surprised that DJI has implemented heavy encryption for this very reason.

All the more reason to keep trying. Keep up the good work.
 
  • Like
Reactions: Turbomania and hotashes
The Flying Swan said:
Can't help as it's not my area of expertise, but just want to say to OP, please don't stop looking into this! I'm amazed that there aren't more people trying to hack these things. Like you say, the possibilities are endless. I'm not surprised that DJI has implemented heavy encryption for this very reason.

All the more reason to keep trying. Keep up the good work.
Click to expand...

Cracking this requires some serious skills, time and money. It is not like thousands of Russian or Chinese hackers have few DJI drones laying around and nothing better to do. At some point they will but not yet.
 
  • Like
Reactions: The Flying Swan
neven said:
Cracking this requires some serious skills, time and money. It is not like thousands of Russian or Chinese hackers have few DJI drones laying around and nothing better to do. At some point they will but not yet.
Click to expand...
I'm pretty sure the first person that said "Hey, you know this iPhone - I can't download apps unless they've been approved by Apple, and I have no control over the OS - do you think we can do something about this?" will have been met with the same response. I'm not saying it's doesn't take expertise and time, I'm saying that without people like the OP, it will never happen. Was simply passing on kudos for exploring the unknown.
 
  • Like
Reactions: hotashes
The Flying Swan said:
I'm pretty sure the first person that said "Hey, you know this iPhone - I can't download apps unless they've been approved by Apple, and I have no control over the OS - do you think we can do something about this?" will have been met with the same response. I'm not saying it's doesn't take expertise and time, I'm saying that without people like the OP, it will never happen. Was simply passing on kudos for exploring the unknown.
Click to expand...

I meant to make a comparison between iPhone and Phantom in my reply but someone distracted me and I sent it without :)

George Hotz made a career (and probably some serious money) out of his iPhone jail break. And I agree, it only takes one genius to to achieve this, but I'm sure geohot wasn't the only one trying. iPhone was so much more interesting as a challenge for skilled people out there then DJI drone because it will make you a worldwide celebrity. So patience is all we need :)
 
The Flying Swan said:
I'm pretty sure the first person that said "Hey, you know this iPhone - I can't download apps unless they've been approved by Apple, and I have no control over the OS - do you think we can do something about this?" will have been met with the same response. I'm not saying it's doesn't take expertise and time, I'm saying that without people like the OP, it will never happen. Was simply passing on kudos for exploring the unknown.
Click to expand...

I know what you mean by previously jailbreaking the iPhone many moons ago which open up so many more options and made the device mine. Just how I wanted it to run. The thing here is the guys from the USA reverse engineered the iPhone on iOS and always drove new findings. When it came to the android I believe that was something somewhere in the Far East the peoples of China were pushing. I guess the reality is the phantom seeming to run android is not something the people in the us need to worry about as they have very little restrictions as we do in Europe. I agree for us here in the Europe we need help on reverse engineering this software (android) to enjoy the toy to full potential.


U.K. Side pushing the Phantom 4. Peace
 
neven said:
I meant to make a comparison between iPhone and Phantom in my reply but someone distracted me and I sent it without :)

George Hotz made a career (and probably some serious money) out of his iPhone jail break. And I agree, it only takes one genius to to achieve this, but I'm sure geohot wasn't the only one trying. iPhone was so much more interesting as a challenge for skilled people out there then DJI drone because it will make you a worldwide celebrity. So patience is all we need :)
Click to expand...

There were a few people who were working wonders around the hack on iOS; Aaron ash, muscle nerd, jay freeman, geo hot (sold out to the Chinese), poison ninja, just to name a few. Do you think they will do the hack on this android drone to help us in uk?


U.K. Side pushing the Phantom 4. Peace
 
Jailbreaking the Phantom would make you a phantompilots celebrity. What more could anyone ask for? And if someone was selling a modified OS that allowed me to fly unrestricted in the UK - or better yet, jump over to the cellular network when needed, I'd pay handsomely for it.
 
  • Like
Reactions: hotashes
The Flying Swan said:
Jailbreaking the Phantom would make you a phantompilots celebrity. What more could anyone ask for? And if someone was selling a modified OS that allowed me to fly unrestricted in the UK - or better yet, jump over to the cellular network when needed, I'd pay handsomely for it.
Click to expand...

I was casually thinking we needed somebody to get this done, us in the uk are far behind USA lol


U.K. Side pushing the Phantom 4. Peace
 
  • Like
Reactions: Turbomania
hotashes said:
There were a few people who were working wonders around the hack on iOS; Aaron ash, muscle nerd, jay freeman, geo hot (sold out to the Chinese), poison ninja, just to name a few. Do you think they will do the hack on this android drone to help us in uk?


U.K. Side pushing the Phantom 4. Peace
Click to expand...

Oh, the glorious days of limera1n and jeailbreak.me. I still own my first 1st gen iPhone with hardware modification which alowed me to use my Croatian SIM in AT&T phone, and i mean soldering iron and opening a phone, not some fancy SIM adapters :)

Anyway, if CE is enforced in Asian part of Russia thats our best bet :)
 
  • Like
Reactions: The Flying Swan and hotashes
neven said:
Oh, the glorious days of limera1n and jeailbreak.me. I still own my first 1st gen iPhone with hardware modification which alowed me to use my Croatian SIM in AT&T phone, and i mean soldering iron and opening a phone, not some fancy SIM adapters :)

Anyway, if CE is enforced in Asian part of Russia thats our best bet :)
Click to expand...

Ha ha Asian part of Russia, do you mean Syria lol


U.K. Side pushing the Phantom 4. Peace
 
I would imagine the DJI Phantom code would be Android, I have the funny feeling that the controller is Android too, would love to play but dont want to risk bricking my fav. toy.

Unless DJI were extremely naive, they would have encrypted the code in the update files and the loader will de-crypt them once in the drone - maybe even only decrypting at run-time.

My bet to open up the drone is to use its' hardware and replace the firmware with something like Dronecode ( Home | Dronecode ) - would probably be easier than trying to decrypt DJI code, and if you did work out how to decrypt DJI code, then I imagine it wouldnt take them more than a few milliseconds to change the encryption key (or the whole encryption method) and you are back to square-1 on the next release - similar to what happens with the iPhone jail-breaks on each of Apples' new release. The only difference is there are probably a billion or more iPhones out there so more lucrative to crack than a drone.
 
  • Like
Reactions: hotashes
I've not looked into anything like this on my P4 yet, but I'm definitely going to subscribe to this thread and watch closely! Looking forwards to anything usable! :)
 
  • Like
Reactions: hotashes

Similar threads

A
No auto-takeoff or auto-landing buttons on my display.
Replies
7
Views
428
Phantom 4 Discussion
JimD.
J
watersteps
Test flight stand?
Replies
7
Views
307
General Discussion
brigerdrones
brigerdrones
M
Is it worth replacing missing controller and batteries for DJI Phantom 4
Replies
8
Views
674
Phantom 4 Discussion
Fire Fly Drone Services
Fire Fly Drone Services
C
Javad LS GPS Base / Phantom4 RTK Rover
Replies
9
Views
592
Phantom 4 Discussion
jaja6009
J
P
Seeking Python Solution to Convert Phantom 4 .DAT Flight Logs to CSV
Replies
4
Views
496
Phantom 4 Discussion
BudWalker
B

Recent Posts

Members online

Total: 882 (members: 2, guests: 880)

Forum statistics

Threads
143,514
Messages
1,471,059
Members
105,489
Latest member
AlienzEyes