This document describes one of the early rootkit approaches for DJI aircraft. The instructions below assume you are running on OSX. Most of these instructions will readily translate to most Linux variants.
Install your toolchain as per the instructions here. You only need to do this once… but check the instructions to see if there are any new tools that you may need.
If this is your first time using RedHerring, you will need to check out the code from git.
cd ~/Documents/
git clone https://github.com/MAVProxyUser/P0VsRedHerring.git
cd P0VsRedHerring
If you have done this before and want to make sure you have the latest code, you just need to sync to the most recent version.
cd ~/Documents/P0VsRedHerring
git pull
sudo ruby RedHerring.rb /data/.bin/grep grep
Open a new window and start DJI Assistant, connect to your aircraft, and view the list of available firmware updates, then close DJI Assistant. This will set a login cookie that will be reused for the next command.
/Applications/Assistant.app/Contents/MacOS/Assistant
/Applications/Assistant.app/Contents/MacOS/Assistant --test_server
This sends our fireworks via the NFZ database upload, to get root access.
adb devices
adb shell
To make it easier to get back into your aircraft via ADB next time, you can add a command to the boot init script. Beware. This command is modifying a startup script. If you get it wrong, that could be … well … bad. Don't do this more than once, unless you change your firmware to re-patch the startup script.
mount -o remount,rw /system
echo /system/bin/adb_en.sh >> /system/bin/start_dji_system.sh
reboot
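
Because the echo above appends with >>, running it a second time leaves two copies of the line in the startup script. The check below is an added example, not part of RedHerring or the original instructions: it assumes start_dji_system.sh has been copied to your computer (for example with adb pull) and reports whether the adb_en.sh line is absent, present once, or duplicated.

```shell
#!/bin/sh
# Added example: audit a local copy of the startup script for the ADB hook.
# ENTRY is the line the page appends; where the local copy lives is up to you.
ENTRY='/system/bin/adb_en.sh'

# Print how many non-comment lines invoke ENTRY, ignoring surrounding
# whitespace and a trailing carriage return.
count_adb_hook() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    n=0
    # The "|| [ -n ... ]" part keeps a final line that has no newline.
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r' \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            '#'*) continue ;;                      # comment or shebang
            "$ENTRY"|"$ENTRY "*) n=$((n + 1)) ;;   # bare call or call with args
        esac
    done < "$file"
    echo "$n"
}

# Classify the script: absent (unmodified), present (hook added once),
# duplicated (the append was run more than once).
adb_hook_status() {
    n=$(count_adb_hook "$1") || return 2
    case $n in
        0) echo absent ;;
        1) echo present ;;
        *) echo duplicated ;;
    esac
}

# Usage, after sourcing this file:
#   adb_hook_status ./start_dji_system.sh
```

A result of "present" or "duplicated" on an aircraft you did not modify yourself means the boot script has been changed to enable ADB at startup.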