Crowdfund hacker to build custom firmware?

I'm in for sure. I wish I was a developer. Although I'd probably be divorced if I was, since I'd stay on the project till it was figured out.
I have basic knowledge, have played with bootloaders and a little MITM in the past for experimentation. I also have some $ resources I'd put forth in an effort.
Added @Muva Bee and @Apilot101 to our list of technical resources.

Once we get enough folks who are committed to it, we'll set up some threads in the firmware section and get to work.

As for the money, it can go towards a P3 if we need to have one to experiment with. Or hungry devs. Or we can make it a bounty!
Guy who cracks gets a new P3??? lol
 
So who here other than Shammyh has some technical capabilities to start hacking this thing? Let's start some lists:

Devs:
@Shammyh
@Muva Bee
@Apilot101

And who else wants to throw in some monetary support? So far, we've got:

Contributors :
@flyNfrank
@aka1ceman
@skeeterest
@jasonb777
@ianwood (just added myself)
@Apilot101

I can provide funding, but is the Phantom 3 Standard chipset completely different from the Pro/Advanced? Not sure I'd be left out on support.
 
And a free letter from the DJI legal department!
Haha. Yesterday I was reading some review about geofencing on their forum. Very bad engineering by DJI.

I hope to grab a day of free time this weekend and make more progress, or at least ask in a few better places online for some advice.
 
I have a question for our tech dudes :)

I'm thinking of just editing the firmware version and tricking the device into installing that one.
That should be possible to do in a HEX editor in 10 minutes with 99% confidence that nothing will go wrong.

BUT: I would like to make sure we can trick the device into installing custom-versioned firmware and then successfully get back to the original one. That would give us confidence that we will not brick the device or damage it in any way, and the user can revert back any time.

You think that's a good idea for a start?
 
Hi all,
I am by no means a professional but have spent quite a few years reverse engineering software and hardware, mostly for fun but also because I like to know how things work and customise them to my liking.

I have been busy with work so am a little late to this party, but I spent a few hours over the past few nights exploring the iOS and Android DJI GO app sources, the SDK binaries, and the firmware, and have found a lot in regards to NFZs and bypassing them. On a side note, there are also a lot of references to the Phantom 4 in there.
From what I have found I don't believe we need to touch firmware / risk bricking, as the apps seem to manage the NFZ data and then push it to the flight controller, which stores it and does what it is told.
Anyway, I have successfully run a MITM attack by emulating the NFZ server via a proxy to return a modified NFZ database with all disabled zones enabled, and it seems to be working.
There is a lot of work to be done before this is usable, but it seems the easiest way to do this.
Everything is encrypted and obfuscated, making progress rather slow, but I have extracted a few keys and am working on decrypting what I need.
My current plan is to run a modified app that still phones home to DJI and passes data back and forth as it should, but tells the flight controller everything is always OK in regards to NFZs even when it really isn't, so it caches a constantly clean file.
I will try and get some more usable information and post details over the weekend.

Please note that whilst I disagree with the way DJI has done some things, I can understand why, so I will not be removing any safety limits or the like, only allowing the pilot to decide when and where they want to fly.

Stay Safe and Happy Flying ;)
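The post above describes the interesting part of the attack surface: the app fetches the NFZ database from a server and pushes it to the flight controller, and a proxy that impersonates the server with keys pulled out of the client can hand the app a rewritten database that still passes the app's own checks. The block below is an added illustration of that step, written for this page; it is not DJI's format, protocol or code. The feed format (a JSON zone list plus an HMAC tag), the key name `APP_EMBEDDED_KEY` and the sample zones are all constructed assumptions. It shows why the MITM works once a key has been extracted, and why it stops working without it: the only integrity the feed has is a key the client already holds.

```python
import hashlib
import hmac
import json

# Constructed, hypothetical feed: a JSON zone list protected by an HMAC whose key ships
# inside the app. Added illustration only; nothing here is DJI's real format or protocol.
APP_EMBEDDED_KEY = b"nfz-feed-key-extracted-from-the-client"  # assumption: stands in for a key lifted from the app

SAMPLE_FEED = [  # constructed sample zones, not real no-fly-zone data
    {"id": 101, "name": "Airport A", "enforced": True},
    {"id": 102, "name": "Stadium B", "enforced": True},
    {"id": 103, "name": "Test field", "enforced": False},
]


def tag(body: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the canonical body, hex encoded."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_response(zones: list, key: bytes = APP_EMBEDDED_KEY) -> dict:
    """What the genuine server (or a proxy impersonating it) sends: canonical JSON plus a tag."""
    body = json.dumps({"zones": zones}, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body, "tag": tag(body, key)}


def client_accept(resp: dict, key: bytes = APP_EMBEDDED_KEY):
    """The app-side check. Returns the zone list, or None when the tag does not verify."""
    if not hmac.compare_digest(resp["tag"], tag(resp["body"], key)):
        return None
    return json.loads(resp["body"])["zones"]


def proxy_rewrite(resp: dict, key: bytes, enforced: bool = False) -> dict:
    """The MITM step from the post: flip every zone's enforcement flag and re-tag the body
    with whatever key the proxy holds. With the extracted key the result verifies; with a
    guessed key the client rejects it, which is all the embedded key was ever buying."""
    zones = json.loads(resp["body"])["zones"]  # fresh objects; SAMPLE_FEED is not mutated
    for zone in zones:
        zone["enforced"] = enforced
    return build_response(zones, key)


def attack_succeeds(key_held_by_proxy: bytes) -> bool:
    """End to end: does the client accept a proxy-modified feed in which no zone is enforced?"""
    genuine = build_response(SAMPLE_FEED)
    forged = proxy_rewrite(genuine, key_held_by_proxy)
    zones = client_accept(forged)
    return zones is not None and not any(z["enforced"] for z in zones)


if __name__ == "__main__":
    print("with extracted key:", attack_succeeds(APP_EMBEDDED_KEY))   # True
    print("with guessed key:  ", attack_succeeds(b"guess"))            # False
```

The practitioner's takeaway is the mirror image of the attack: a symmetric key embedded in a client is, for threat-modelling purposes, in the attacker's hands, so a MAC computed with it proves nothing to the aircraft. Integrity the flight controller can actually rely on has to be a signature the controller verifies itself with a public key, so that neither a proxy nor a modified app can produce an accepted feed.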
 
That would be a good start. At least P3 Owners would have the choice of which firmware works best for their quad. I spent all day yesterday trying to get the quad to roll back a 2nd fw version.
 
Did it go successfully? Is there any step-by-step guide? Thanks!
 
I was successful in downgrading the RC only, from 1.5.7 down to 1.3.2.
I have had no success taking a 1.5 quad down to 1.3. I did get it down to 1.4 but would like 1 more.
I spent all day yesterday trying to get the quad to take an older firmware. I didn't get a chance to write up a step-by-step guide.
 
So what's the way of getting it to go down another firmware version? Modify the "vlink" line in the firmware?

I may be willing to try going from 1.3.2 to 1.1.9 after I went from 1.4.1 to 1.3.2...
What I'm thinking of doing is changing the Record vlink line to make it record the previous firmware as 1.3.2 instead of what is actually on the P3P itself right now, 1.4.1. So I guess I can try with 1.3.2 firmware and just get it to rewrite that in the P3P record. Then reinstall 1.3.2 without the mod, just to make sure it's fresh, and then go down to 1.1.9 since it thinks it was never on 1.4.1...
 
Something like this. We need someone who knows this stuff or has done things like this to let us know whether this is possible on DJI firmwares.

I can't wait to brick my P3 when it comes back from the "my camera is out of focus" -> "send it back to the dealer" thing.
 
I've been reading the firmware in hex for a while now and I can't figure out how it gets the firmware version. I think it compiles it within the P3, so I guess it's encrypted somehow. I have no clue what or how to decrypt...

One possible thing could be to delete the rollback line or modify it so it will allow rollback to whatever you want...
 
I think the actual words you see in the hex editor are just messages for the logs or whatever. I think the important stuff is all encrypted.
 
[DJI_UEG] %s: Get Version Link Fail!
[DJI_UEG] Nand Version Link, LatestVersion[%02d.%02d.%04d] RollbackVersion[%02d.%02d.%04d]
[%08d]Record vlink %02d.%02d.%04d <-> %02d.%02d.%04d (flow = %d).

I have a feeling this has something to do with restricting the downgrade. Or is this just info for the log?
 
It's a simple CRC check for firmware rollback. On upgrade, the old firmware's CRC is checked against the current and previous ones, which allows you to roll back once.
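The format strings quoted two posts up and the "roll back once" description in the last post are enough to sketch how a version-link record behaves, and why the downgrade attempts reported earlier in the thread stopped one step short. The block below is an added model written for this page, not DJI's code: the log parser follows the quoted `%02d.%02d.%04d` format strings, while the acceptance rule (`install_allowed`), the assumption that the first vlink field is the latest version and the second the rollback version, and the sample log lines are all constructed. The CRC comparison the last post mentions is not modelled; only the version bookkeeping is.

```python
import re
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    build: int

    @classmethod
    def parse(cls, text: str) -> "Version":
        # Field widths follow the %02d.%02d.%04d format strings quoted in the thread.
        m = re.fullmatch(r"(\d{1,2})\.(\d{1,2})\.(\d{1,4})", text)
        if not m:
            raise ValueError(f"bad version string: {text!r}")
        return cls(*(int(g) for g in m.groups()))

    def __str__(self) -> str:
        return f"{self.major:02d}.{self.minor:02d}.{self.build:04d}"


class VersionLink(NamedTuple):
    latest: Version
    rollback: Version


# Regexes shaped after the two log format strings quoted in the thread.
VLINK_RE = re.compile(
    r"\[(?P<seq>\d{8})\]Record vlink (?P<a>[\d.]+) <-> (?P<b>[\d.]+) \(flow = (?P<flow>\d+)\)\."
)
NAND_RE = re.compile(
    r"\[DJI_UEG\] Nand Version Link, LatestVersion\[(?P<a>[\d.]+)\] RollbackVersion\[(?P<b>[\d.]+)\]"
)

SAMPLE_LOG = [  # constructed lines in the quoted formats, not captured from a real aircraft
    "[00000012]Record vlink 01.05.0007 <-> 01.04.0001 (flow = 1).",
    "[DJI_UEG] Nand Version Link, LatestVersion[01.05.0007] RollbackVersion[01.04.0001]",
    "[DJI_UEG] Get Version Link Fail!",  # no versions in it; skipped
]


def parse_log(lines) -> list:
    """Pull every (latest, rollback) pair out of log text in the quoted formats.
    Assumption: the first vlink field is the latest version and the second the rollback."""
    links = []
    for line in lines:
        m = VLINK_RE.search(line) or NAND_RE.search(line)
        if m:
            links.append(VersionLink(Version.parse(m["a"]), Version.parse(m["b"])))
    return links


def install_allowed(link: VersionLink, candidate: Version) -> bool:
    """Model of the 'roll back once' rule claimed in the thread: anything at or above the
    recorded latest version goes through, the one recorded rollback version goes through,
    anything older is refused. A model for illustration, not DJI's implementation."""
    return candidate >= link.latest or candidate == link.rollback


def apply_install(link: VersionLink, candidate: Version) -> VersionLink:
    """Advance the record after an accepted install: the installed version becomes latest
    and the version it replaced becomes the single permitted rollback target."""
    if not install_allowed(link, candidate):
        raise PermissionError(f"{candidate} refused: link is {link.latest} <-> {link.rollback}")
    if candidate == link.latest:
        return link  # reinstalling the current version changes nothing
    return VersionLink(candidate, link.latest)


def forge_rollback(link: VersionLink, wanted: Version) -> VersionLink:
    """The edit proposed in the thread: rewrite the recorded rollback field so an older
    version becomes the one permitted downgrade."""
    return VersionLink(link.latest, wanted)


if __name__ == "__main__":
    link = parse_log(SAMPLE_LOG)[0]                 # 01.05.0007 <-> 01.04.0001
    link = apply_install(link, Version(1, 4, 1))    # first step down is accepted
    print(link, install_allowed(link, Version(1, 3, 2)))        # refused: second step
    print(install_allowed(forge_rollback(link, Version(1, 3, 2)), Version(1, 3, 2)))
```

Running it reproduces what the thread reports: from a 1.5.7 aircraft the record permits exactly one step back to 1.4.1, after which 1.3.2 is refused because the rollback slot now holds 1.5.7, and only rewriting that slot (the "vlink" edit proposed above) makes the second downgrade pass the version check. Whether the aircraft also rejects the edit through the CRC comparison mentioned in the last post is exactly the part this model leaves open.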
 