Any hardcore coders around.. I've got the 3.08 firmware file

Discussion in 'Firmware' started by justin00, Jan 16, 2015.

  1. justin00

    Joined:
    Sep 19, 2014
    Messages:
    1,143
    Likes Received:
    25
    Location:
    Australia
    So not sure if others have done the same.. but I've gotten the 3.08 firmware file...
    It's obviously written in something... and then compiled as it's gibberish when you open it.. even 'strings' doesn't find anything useful :(
    I used a program similar to Wireshark to obtain the file when it downloads when you connect the Phantom to the PC, open Assistant and click on 3.08 upgrade.. You don't actually need to upgrade, it downloads the file before.

    Not sure if I can post it up on the forum ???

    If any experienced coders or anyone wants it let me know... its around 230kb..

    I'm a network eng (so out of my skillset) and can do basic scripts and troubleshoot random code... but this is waaay beyond my skill level.. as I said..

    Hoping someone can figure it out.. decompile.. modify.. recompile and then we can modify assistant program to download it :]

    Figured I would post this up as I haven't heard any other people mention the other firmware files... obviously it's a quick way to brick the Phantom lol.. thus why need experienced pros :)
     
  2. justin00

    Joined:
    Sep 19, 2014
    Messages:
    1,143
    Likes Received:
    25
    Location:
    Australia
    Re: Any hardcore coders around.. I've got the 3.08 firmware

    Lol... no one interested in reverse engineering :(
    Well a few people have PM'd me... but oh well... guess we will just have to use what DJI give us.... :~(
     
  3. Ivan

    Joined:
    Dec 11, 2014
    Messages:
    41
    Likes Received:
    0
    Location:
    Split/Hvar, Croatia
    Re: Any hardcore coders around.. I've got the 3.08 firmware

    We exchanged a few messages on PM, but I figured I'll write this here. I'm interested in this, however these things end up taking a lot of time when you get into it. And I personally can't invest that much time into it just now, since I'm also on a mission to finish my app using methods approved by DJI. It's a pity those two things are actually not the same. I would love it if the whole system was just open sourced.
    However I can give some general advice to anyone here having free time to invest into this. A few steps that could be done to extract more info:

    - By using network traffic monitors (Wireshark) figure out the IP address/hostname of the server from which the firmware file is pulled

    - Figure out the port and protocol. Is it 80 and standard HTTP?

    - Figure out the message/command that is sent from the client (DJI Assistant software) to the server to initiate the download. Is it a standard HTTP GET containing a remote path/URL?

    - Try to get at least one other firmware file beside the latest one. For example by figuring out if it can be downloaded from the same server from DJI directly. Or if not, I saw somewhere around here there were instructions on how to downgrade the Phantom's firmware. I never looked into that, did someone already back up older firmware files? By comparing different firmware files it might be possible to figure out if the firmware is potentially using some sort of encryption or not

    - Use USB data traffic monitoring software (http://www.usblyzer.com) to check what is actually being pushed to the Phantom during an actual upgrade

    - Crack open the NAZA-M v2 module inside the phantom and check what chip/architecture is actually being used.


    That's enough for now. Currently we don't have answers on any of those points. Although, Justin, since you already did some network traffic sniffing I believe you could easily get the answers to the first three points.
     
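An added example (not code from this thread or from DJI) for Ivan's point about comparing firmware files: a small triage script that measures byte entropy, counts `strings`-style printable runs, and compares two images of the same product at the same offsets. Two plaintext versions share most bytes; images encrypted with a fresh key or IV agree only at chance level and score near 8 bits per byte throughout. The sample blobs, thresholds and function names are constructed for this demo.

```python
import math
import random
import re

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, well below for code."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Rough stand-in for `strings`: runs of printable ASCII of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def same_offset_ratio(a: bytes, b: bytes) -> float:
    """Fraction of byte offsets at which two images of one product agree: two
    plaintext versions share most bytes, two separately encrypted images only ~1/256."""
    n = min(len(a), len(b))
    return sum(x == y for x, y in zip(a, b)) / n

def triage(data: bytes, chunk: int = 512) -> dict:
    """Summarise one image: overall and per-chunk entropy plus string count."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    ents = [shannon_entropy(c) for c in chunks]
    overall = shannon_entropy(data)
    if overall > 7.5 and min(ents) > 7.0:
        verdict = "high entropy throughout: likely encrypted or compressed"
    elif max(ents) > 7.5:
        verdict = "mixed: some high-entropy regions, plaintext elsewhere"
    else:
        verdict = "low entropy: plaintext code/data, worth disassembling"
    return {"entropy": overall, "min_chunk": min(ents), "max_chunk": max(ents),
            "strings": len(printable_strings(data)), "verdict": verdict}

# Constructed samples, not real firmware: pseudo-random blobs standing in for opaque
# images, and a structured blob with a version string and lookup tables.
rng = random.Random(1)
OPAQUE_IMAGE = bytes(rng.getrandbits(8) for _ in range(4096))
OPAQUE_IMAGE_NEXT = bytes(rng.getrandbits(8) for _ in range(4096))
PLAIN_IMAGE = (b"NAZA-M V2 firmware v3.08\x00" + bytes(range(64)) * 8) * 8
PLAIN_IMAGE_NEXT = PLAIN_IMAGE.replace(b"v3.08", b"vNEXT")  # same length, few bytes differ

if __name__ == "__main__":
    print(triage(OPAQUE_IMAGE), triage(PLAIN_IMAGE), sep="\n")
    print(same_offset_ratio(OPAQUE_IMAGE, OPAQUE_IMAGE_NEXT), same_offset_ratio(PLAIN_IMAGE, PLAIN_IMAGE_NEXT))
```

Run it on a real image plus an older version of the same image to get the same two signals Ivan describes: entropy says whether disassembly is even worth attempting, and the same-offset ratio says whether consecutive releases are encrypted independently.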
  4. justin00

    Joined:
    Sep 19, 2014
    Messages:
    1,143
    Likes Received:
    25
    Location:
    Australia
    Re: Any hardcore coders around.. I've got the 3.08 firmware

    On phone now as laptop battery having issues..

    Basically Assistant software just uses HTTP to talk to DJI servers so it's all easy to see..

    Getting the actual firmware was tricky though.. spent hours trying to get a link or reconstruct a POST or GET request..all unsuccessful.. DJI have put in a bit of effort to restrict access...

    In the end I used 'Network Miner' which stores the files you download.. so just clicked on 3.08 in upgrade section (which downloads the firmware before you update or cancel) and there it was.. as I said in PM it's weird.. not a file but a stream.. the firmware doesn't even have a filename... it's called like "octetstream"... maybe it uses the "file" I got and something in the Assistant s/w to put it all together in a proper format... who knows... big job ahead.. anyways 230kb.. if anyone wants give me your email.. I'll have a look for a free online hosting.. think Dropbox on my phone will give me space..but for now email..

    Got a lot of PMs regarding this now.. apologies for slowness.. will use my other laptop and reply to others when I get home after dinner later.
     
  6. justin00

    Joined:
    Sep 19, 2014
    Messages:
    1,143
    Likes Received:
    25
    Location:
    Australia
    Re: Any hardcore coders around.. I've got the 3.08 firmware

    BTW I've just added all of the files that came up.. my sniffer was started just before I clicked on "3.08" in the upgrade menu

    https://www.dropbox.com/sh/oh8rx0hlwnp4 ... U3Tja?dl=0

    The exciting server you want to look at is the 66.175.220.9 one.. all 3 are DJI servers
     
  7. justin00

    Joined:
    Sep 19, 2014
    Messages:
    1,143
    Likes Received:
    25
    Location:
    Australia
    Re: Any hardcore coders around.. I've got the 3.08 firmware

    Haven't had a look at that USB sniffer you posted up Ivan but have you had a look at all?? I'll have a play tomorrow after work.. 12am now and the Do-do-do-do beeps will wake up the gf :/

    If the firmware is encrypted or put together so to speak in the Assistant software...surely the Phantom just receives the 'good' copy shall we say... unless of course the Phantom speaks gibberish and knows what it means lol.. Problem is also of course if we do see something in a readable format and could modify it.. how would we feed it the new version... although a lot of people much smarter than myself so I'm sure someone can figure out a way to hijack the session and feed it the data we want.. possible to do with TCP so perhaps with USB...


    could just be easier to kidnap a DJI employee ;)
     
  8. Ivan

    Joined:
    Dec 11, 2014
    Messages:
    41
    Likes Received:
    0
    Location:
    Split/Hvar, Croatia
    Re: Any hardcore coders around.. I've got the 3.08 firmware

    Hahaha

    No, I never tried to intercept raw USB data, but it should be doable! As for forcing the Assistant to install the modified firmware, you would have to have two things:
    - Your own HTTP server providing the file, sitting on the same IP or faking a DNS response if the Assistant actually queries over a hostname
    - A modified firmware file that has a proper checksum, if they've done things right the firmware file is actually signed. That could open a whole different set of headaches to this problem.

    Might be easier to figure out the USB upgrade protocol and write a custom flashing software.
     
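An added example (not code from the thread or from DJI) for Ivan's checksum-versus-signature point: a checksum such as CRC32 is keyless, so it only detects accidental corruption, while a keyed tag or signature is what makes an update verifier reject an image that did not come from the vendor. HMAC-SHA256 from the standard library stands in for a signature scheme here; in a real design the device holds a public key (or a device-unique MAC key) and the signing secret never leaves the vendor. The key, the payload and all function names are constructed for this demo.

```python
import hashlib
import hmac
import zlib

# Hypothetical update-verification key, constructed for this demo. In a real design
# the signing secret stays with the vendor; the device or flasher holds only what it
# needs to verify (a public key for signatures, or a device-unique MAC key).
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

def package_crc(image: bytes) -> bytes:
    """Image plus CRC32 trailer: detects accidental corruption, nothing more."""
    return image + zlib.crc32(image).to_bytes(4, "little")

def verify_crc(blob: bytes) -> bool:
    image, trailer = blob[:-4], blob[-4:]
    return zlib.crc32(image).to_bytes(4, "little") == trailer

def package_mac(image: bytes, key: bytes) -> bytes:
    """Image plus HMAC-SHA256 tag: only a holder of the key can produce a valid one."""
    return image + hmac.new(key, image, hashlib.sha256).digest()

def verify_mac(blob: bytes, key: bytes) -> bool:
    image, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison

def flip_byte(blob: bytes, offset: int) -> bytes:
    """One altered byte, as from a transfer error or an edited image."""
    return blob[:offset] + bytes([blob[offset] ^ 0xFF]) + blob[offset + 1:]

IMAGE = b"constructed demo firmware image " * 64  # sample payload, not real firmware

def outcomes() -> dict:
    """What each verifier decides for genuine, corrupted and re-wrapped images."""
    altered = flip_byte(IMAGE, 10)
    return {
        "crc_accepts_genuine": verify_crc(package_crc(IMAGE)),
        "crc_rejects_corrupted": not verify_crc(flip_byte(package_crc(IMAGE), 10)),
        # A checksum is keyless, so an altered image re-wrapped with a fresh CRC passes.
        "crc_accepts_rewrapped_altered": verify_crc(package_crc(altered)),
        "mac_accepts_genuine": verify_mac(package_mac(IMAGE, DEMO_KEY), DEMO_KEY),
        "mac_rejects_corrupted": not verify_mac(flip_byte(package_mac(IMAGE, DEMO_KEY), 10), DEMO_KEY),
        # A tag made under any other key fails, so the altered image cannot be re-wrapped.
        "mac_rejects_rewrapped_altered": not verify_mac(package_mac(altered, b"wrong"), DEMO_KEY),
    }

if __name__ == "__main__":
    for check, ok in outcomes().items():
        print(f"{check:30s} {'ok' if ok else 'FAIL'}")
```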
  9. Doru Brad

    Joined:
    Aug 24, 2015
    Messages:
    38
    Likes Received:
    1
    Location:
    Oradea, Bihor, Romania
    Can I have the file? It might be that we can fool the app to download the old firmware instead and flash it using the app itself.
     
  10. justin00

    Joined:
    Sep 19, 2014
    Messages:
    1,143
    Likes Received:
    25
    Location:
    Australia
    Hey my laptop died but I have the hdd in a caddy... will see if I can find it... if not, once I get a new laptop I'll dl again. I suspect it was part of the firmware or encrypted.

    Hopefully you can figure it out. Give me a little time and I'll try to find and send it over.
     
  11. Fyod

    Joined:
    May 21, 2014
    Messages:
    684
    Likes Received:
    61
    Location:
    Central EU
    If the software used to compile the hex or bin has any standard encryption, there's almost zero chance anyone will be able to decompile it into human readable format.
     
  12. justin00

    Joined:
    Sep 19, 2014
    Messages:
    1,143
    Likes Received:
    25
    Location:
    Australia
    ^^ yip thus the problem.
    used 'strings' command on it and finds nothing... very odd way it works though.. Like it didn't actually download a file such as blah.bin or blah.blah..
    it was just octetstream as I mentioned in posts above.. could only get it using Network Miner.. could do the same with Wireshark, but Network Miner makes it much easier.

    ended up trying the USB sniffer ages ago.. couldn't get it to sniff out any data when I turned on phantom and phantom/pc were tx/rx via the USB... tried a few diff options/configs in the usb sniffer.. had no luck.

    When I have more time I might hook my home router up to serial/usb and see if it sniffs that out to at least confirm the usb sniffer is configured/working.

    Kind of gave up on this... even if it was readable and in plain English and able to be recompiled.. still have the task of somehow uploading it to the Phantom... I imagine the best way would be to set up a webserver locally and trick your pc into using that instead of the actual DJI site, but miles off that stage.
    Seems like most people have P3 anyways now.. heck even before P3 came out there wasn't much interest in this, which was surprising..
     
  13. N017RW

    Joined:
    May 2, 2014
    Messages:
    6,245
    Likes Received:
    1,614
    Location:
    Palm Beach Co.- FL
    There has been interest but your findings have been the consensus here and elsewhere for a while.

    Didn't expect much but you never know, you might have been... 'the one'!