howto:dji_ftpd_aes_unscramble [2017/07/28 13:19] czokie | howto:dji_ftpd_aes_unscramble [2019/01/15 23:00] (current) czokie | ||
---|---|---|---|
Line 10: | Line 10: | ||
This method is published [[https:// | This method is published [[https:// | ||
- | |||
- | FIXME: Eventually, I want to expand this out to explain how to backup a firmware image file from a DJI device, including duml commands required to activate FTP. | ||
- | |||
- | |||
===== 1. Toolchain ===== | ===== 1. Toolchain ===== | ||
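Review bot: deleting the FIXME also deletes the only mention that FTP on the device has to be activated first (the duml commands it refers to), and the mirror step at Line 48 then simply assumes 192.168.42.2 is already serving FTP; keep a one-line prerequisite, or a pointer to where that activation is documented, in place of the FIXME rather than removing it outright.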
Line 39: | Line 35: | ||
Windows executable release created via: | Windows executable release created via: | ||
- | ``` | + | < |
c: | c: | ||
- | ``` | + | </ |
If not using packaged release for Windows, make sure you have pip, and that pycrypto is installed | If not using packaged release for Windows, make sure you have pip, and that pycrypto is installed | ||
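Review bot: the install instruction names pycrypto without a version; pycrypto is no longer maintained and PyCryptodome is its drop-in replacement exposing the same `Crypto.Cipher` import, so state which package the script is tested against and pin it, e.g. `pip install pycryptodome`.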
Line 48: | Line 44: | ||
Mirror the FTPD via the script, OR manually pull down a target file. | Mirror the FTPD via the script, OR manually pull down a target file. | ||
- | ``` | + | < |
$ python dji_ftpd_descrambler.py 192.168.42.2 | $ python dji_ftpd_descrambler.py 192.168.42.2 | ||
--2017-05-25 23: | --2017-05-25 23: | ||
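Review bot: this invocation passes a host (`192.168.42.2`) while the invocations at Line 68 and Line 83 pass a path on disk, so the script evidently switches between mirror mode and local descramble mode on the shape of its argument; say that explicitly before this block, otherwise a reader copying only this block will not know the same script also decrypts a file that is already downloaded.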
Line 68: | Line 64: | ||
00000080: 0dfc fcb3 8aab 5f06 aace 0f41 a6c6 fb89 ......_....A.... | 00000080: 0dfc fcb3 8aab 5f06 aace 0f41 a6c6 fb89 ......_....A.... | ||
00000090: 5d13 a609 c74a 7318 4734 2d95 d5bc b975 ]....Js.G4-....u | 00000090: 5d13 a609 c74a 7318 4734 2d95 d5bc b975 ]....Js.G4-....u | ||
- | ``` | + | </ |
Descramble the file... profit! | Descramble the file... profit! | ||
- | ``` | + | < |
$ python dji_ftpd_descrambler.py DJI_aes_ftp_dump/ | $ python dji_ftpd_descrambler.py DJI_aes_ftp_dump/ | ||
PBS^U\5] [0x0] state=0, reset phy | PBS^U\5] [0x0] state=0, reset phy | ||
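Review bot: the first decrypted line begins with garbage (`PBS^U\5]`) where the following lines carry a `[2017/04/14 14:44:8]` timestamp; that is what AES-CBC decryption with a zero IV (the `-iv 0000...` used in the openssl line at Line 204) produces in the first 16-byte block. Say so in the text next to this block so readers do not read the corrupted first line as a failed decrypt and start hunting for a different key.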
Line 83: | Line 79: | ||
[2017/04/14 14:44:8] [0x4c3] state=3, recv shakehand req | [2017/04/14 14:44:8] [0x4c3] state=3, recv shakehand req | ||
[2017/04/14 14:44:8] [0x530] state from 3 to connect | [2017/04/14 14:44:8] [0x530] state from 3 to connect | ||
- | ``` | + | </ |
On Windows the process works the same, with alternate synatx on the command line. | On Windows the process works the same, with alternate synatx on the command line. | ||
You can use the new bash interface: | You can use the new bash interface: | ||
- | ``` | + | < |
MavproxyUser@DESKTOP-QPUF664 MINGW64 ~/ | MavproxyUser@DESKTOP-QPUF664 MINGW64 ~/ | ||
$ python dji_ftpd_descrambler.py kernel00.log | $ python dji_ftpd_descrambler.py kernel00.log | ||
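Review bot: typo in the context line, "synatx" should be "syntax"; "the new bash interface" is also vague, the `MINGW64` prompt in the block is Git Bash (Git for Windows), so name it.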
Line 98: | Line 94: | ||
< | < | ||
< | < | ||
- | ``` | + | </ |
Or make use of the standard cmd.exe interface: | Or make use of the standard cmd.exe interface: | ||
- | ``` | + | < |
C: | C: | ||
!!!New kernel log start!!! | !!!New kernel log start!!! | ||
Line 118: | Line 114: | ||
< | < | ||
-- More -- | -- More -- | ||
- | ``` | + | </ |
Alternatively on windows you can use the precompied .exe (see the Releases tab) | Alternatively on windows you can use the precompied .exe (see the Releases tab) | ||
- | ``` | + | < |
C: | C: | ||
h | h | ||
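Review bot: typos in the context line, "precompied" should be "precompiled" and "windows" should be capitalised as it is elsewhere on the page.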
Line 126: | Line 122: | ||
<7>[ 1380.255734] c1 11916 (kworker/ | <7>[ 1380.255734] c1 11916 (kworker/ | ||
<7>[ 1382.825736] c0 26031 (kworker/ | <7>[ 1382.825736] c0 26031 (kworker/ | ||
- | ``` | + | </ |
Description: | Description: | ||
Line 133: | Line 129: | ||
I miss the good ole days of public tar & feathering over GPL violations! | I miss the good ole days of public tar & feathering over GPL violations! | ||
- | ``` | + | < |
"The following products and/or projects appear to use BusyBox, but do not appear to release source code as required by the BusyBox license. This is a violation of the law! The distributors of these products are invited to contact Erik Andersen if they have any confusion as to what is needed to bring their products into compliance, or if they have already brought their product into compliance and wish to be removed from the Hall of Shame." | "The following products and/or projects appear to use BusyBox, but do not appear to release source code as required by the BusyBox license. This is a violation of the law! The distributors of these products are invited to contact Erik Andersen if they have any confusion as to what is needed to bring their products into compliance, or if they have already brought their product into compliance and wish to be removed from the Hall of Shame." | ||
- | ``` | + | </ |
- | ``` | + | < |
This page is no longer updated, these days, BusyBox handles enforcement of our license via our fiscal sponsor, Software Freedom Conservancy instead. Please email < | This page is no longer updated, these days, BusyBox handles enforcement of our license via our fiscal sponsor, Software Freedom Conservancy instead. Please email < | ||
Previously, this page listed products that included BusyBox but included neither source code nor offer for one. The BusyBox project has decided to not publicly shame companies until Conservancy has an opportunity to talk privately with companies who violate the GPL to convince them to comply with BusyBox' | Previously, this page listed products that included BusyBox but included neither source code nor offer for one. The BusyBox project has decided to not publicly shame companies until Conservancy has an opportunity to talk privately with companies who violate the GPL to convince them to comply with BusyBox' | ||
- | ``` | + | </ |
https:// | https:// | ||
Line 150: | Line 146: | ||
- | On OSX you can navigate to: / | + | On OSX you can navigate to: / |
On Windows to: C:\Program Files (x86)\DJI Product\DJI Assistant 2\ Assistant\Data\firm_cache | On Windows to: C:\Program Files (x86)\DJI Product\DJI Assistant 2\ Assistant\Data\firm_cache | ||
Run binwalk with the extraction flag against any appropriate firmware file. | Run binwalk with the extraction flag against any appropriate firmware file. | ||
- | ``` | + | < |
$ grep busybox wm* -r | $ grep busybox wm* -r | ||
Binary file wm220_0100_v02.05.04.34_20170209_ca02.pro.fw.sig matches | Binary file wm220_0100_v02.05.04.34_20170209_ca02.pro.fw.sig matches | ||
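Review bot: the sentence says to run binwalk with the extraction flag, but the block directly below it is the `grep busybox wm* -r` used to find which firmware files contain busybox; the `binwalk -e` call only appears after the next sentence ("Pick one..."). Move the binwalk sentence down so it sits directly above `binwalk -e`, and give the grep step its own sentence (`grep -r busybox wm*` is the conventional argument order).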
Line 165: | Line 161: | ||
Binary file wm220_1301_v01.05.00.23_20170418.pro.fw.sig matches | Binary file wm220_1301_v01.05.00.23_20170418.pro.fw.sig matches | ||
Binary file wm220_2801_v01.02.21.01_20170421.pro.fw.sig matches | Binary file wm220_2801_v01.02.21.01_20170421.pro.fw.sig matches | ||
- | ``` | + | </ |
Pick one... just make sure it doesn' | Pick one... just make sure it doesn' | ||
- | ``` | + | < |
$ binwalk -e wm220_0801_v01.04.17.03_20170120.pro.fw.sig | $ binwalk -e wm220_0801_v01.04.17.03_20170120.pro.fw.sig | ||
- | ``` | + | </ |
Launch the binary in a chroot via qemu-user-static. | Launch the binary in a chroot via qemu-user-static. | ||
https:// | https:// | ||
- | ``` | + | < |
# ./busybox tcpsvd -vE 0.0.0.0 21 ./busybox ftpd -wv /tmp/ | # ./busybox tcpsvd -vE 0.0.0.0 21 ./busybox ftpd -wv /tmp/ | ||
tcpsvd: listening on 0.0.0.0:21, starting | tcpsvd: listening on 0.0.0.0:21, starting | ||
tcpsvd: status 1/30 | tcpsvd: status 1/30 | ||
tcpsvd: start 9062 127.0.0.1: | tcpsvd: start 9062 127.0.0.1: | ||
- | ``` | + | </ |
Download, compile, and run aes-finder against the ftp binary. Extract the AES key by running against the PID. | Download, compile, and run aes-finder against the ftp binary. Extract the AES key by running against the PID. | ||
https:// | https:// | ||
- | ``` | + | < |
$ sudo ./a.out -9062 | $ sudo ./a.out -9062 | ||
Searching PID 9062 ... | Searching PID 9062 ... | ||
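Review bot: `tcpsvd -vE 0.0.0.0 21` binds the firmware's ftpd to every interface of the analysis host, yet the only client needed is local (the connection logged is from 127.0.0.1), so bind `127.0.0.1` instead; `ftpd -w` also enables uploads into the served directory, which is not needed just to get a process running for aes-finder. The chroot/qemu-user-static step itself is described in one sentence plus a link but no command, so the reader has to infer from the `#` prompt that the block is run as root inside the chroot; show that step.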
Line 192: | Line 188: | ||
$ echo -e " | $ echo -e " | ||
this-aes-key | this-aes-key | ||
- | ``` | + | </ |
This oddly enough was the string that made me look for the routine in the first place. It shows up in clear text in the binary. | This oddly enough was the string that made me look for the routine in the first place. It shows up in clear text in the binary. | ||
Line 204: | Line 200: | ||
Simply replace the AES key with the one above in the tool provided by seasonalvegetables3. | Simply replace the AES key with the one above in the tool provided by seasonalvegetables3. | ||
- | ``` | + | < |
#Key = " | #Key = " | ||
Key = " | Key = " | ||
IV = " | IV = " | ||
- | ``` | + | </ |
This project will recurvively download the contents of the ftp server, and decrypt them for you in a local plaintext mirror. | This project will recurvively download the contents of the ftp server, and decrypt them for you in a local plaintext mirror. | ||
In essence using code in this repo would be the same as running: | In essence using code in this repo would be the same as running: | ||
- | ``` | + | < |
$ wget -m ftp:// | $ wget -m ftp:// | ||
- | ``` | + | </ |
Followed by: | Followed by: | ||
- | ``` | + | < |
python djicrypt.py -d -i downloadedfile -o outputfile | python djicrypt.py -d -i downloadedfile -o outputfile | ||
- | ``` | + | </ |
Alternately you can just use openssl: | Alternately you can just use openssl: | ||
- | ``` | + | < |
openssl enc -d -nosalt -in downloadedfile -aes-128-cbc -K 746869732d6165732d6b657900000000 -iv 00000000000000000000000000000000 | openssl enc -d -nosalt -in downloadedfile -aes-128-cbc -K 746869732d6165732d6b657900000000 -iv 00000000000000000000000000000000 | ||
- | ``` | + | </ |
And of course *our* script as detailed above in Usage: | And of course *our* script as detailed above in Usage: | ||
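Review bot: the `Key =` replacement is shown without saying how it relates to the hex in the openssl line below it: `746869732d6165732d6b657900000000` is the ASCII string `this-aes-key` followed by four 0x00 bytes to fill a 16-byte AES-128 key, and the all-zero `-iv` matches the `IV =` line; state that next to the `Key =` line so readers can check the two forms against each other. Typos in the same hunk: "recurvively" should be "recursively", "Alternately" should be "Alternatively".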
Line 233: | Line 229: | ||
$ python dji_ftpd_descrambler.py | $ python dji_ftpd_descrambler.py | ||
- | ``` | + | < |
< | < | ||
initrd=0x07400000, | initrd=0x07400000, | ||
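Review bot: the `$ python dji_ftpd_descrambler.py` command sits outside the code block that opens on the next line, so it renders as prose while its output renders as code; move the command inside the `<code>` block (and give it the argument it was run with, as the earlier usage blocks do).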
Line 239: | Line 235: | ||
chip_sn=31337000 board_sn=01EAT2D111XXXX daak=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA daek=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA drak=6f707f2962351d75bc089ac34da119fa | chip_sn=31337000 board_sn=01EAT2D111XXXX daak=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA daek=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA drak=6f707f2962351d75bc089ac34da119fa | ||
saak=6f402fb8625205ce9bdd580217d218d8 waek=WIFIPASS production quiet board_id=0xe2200026 | saak=6f402fb8625205ce9bdd580217d218d8 waek=WIFIPASS production quiet board_id=0xe2200026 | ||
- | ``` | + | </ |
===== Credit ===== | ===== Credit ===== | ||
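Review bot: the sample kernel command line carries per-device secrets; `board_sn`, `daak` and `daek` are already masked (`XXXX`, `AAAA...`) and `waek` is replaced by `WIFIPASS`, but `drak` and `saak` still show what look like real 16-byte hex values, and `chip_sn` is shown in full. Mask those the same way before publishing, and say in the text that the values are placeholders.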
Line 245: | Line 241: | ||
* Subsequent bug fixes created by Czokie. | * Subsequent bug fixes created by Czokie. | ||
* Earlier work was based on https:// | * Earlier work was based on https:// | ||
- | |||
- |