Differences

This shows you the differences between two versions of the page.

--- howto:redherring [2017/07/15 06:39]
czokie created
+++ howto:redherring [2017/08/03 03:39] (current)
czokie [6. Start DJI assistant in test_server mode]
@@ Line 1: / Line 1: @@
 ====== P0V Root Kit for DJI aircraft ======
-===== 0. Preliminary =====
+This document describes one of the early rootkit approaches for DJI aircraft. The instructions below assume you are running on OSX. Most of these instructions will readily translate to most Linux variants.
-  * These instructions assume OSX on a mac.
-  * Install Python 3 if you don't already have it. You can get it from [[https://www.python.org/downloads/mac-osx/|Here]]
-  * You need something in your firmware cache on your MAC, otherwise you will need to install a version (or reinstall) using DJI assistant before proceeding.
-  * Install required python modules pycrypto
-  pip3 install pycrypto
+===== 1. Toolchain =====
+Install your toolchain as per the instructions [[.:toolchain|here]]. You only need to do this once... but check the instructions to see if there are any new tools that you may need.
-  * Install required Ruby modules colorise
+===== 2. Get firmware =====
-  sudo gem install colorize
+  * You need something in your firmware cache on your MAC, otherwise you will need to install a version (or reinstall) using DJI assistant before proceeding.
-  * Install adb (Android Debugger) for osx
+===== 3. Get the RedHerring magic =====
-  curl https://dl.google.com/android/repository/platform-tools-latest-darwin.zip > platform-tools-latest-darwin.zip
+If this is your first time using RedHerring, you will need to checkout the code from git.
-  unzip platform-tools-latest-darwin.zip platform-tools/adb
-  mv platform-tools/adb .
-  rm -rf platform-tools platform-tools-latest-darwin.zip
-  sudo mv adb /usr/local/bin/adb
-  * Get the code using git
   cd ~/Documents/
@@ Line 27: / Line 18: @@
   cd P0VsRedHerring
+If you have done this before and you want to make sure you have the latest code, you just need to sync to the most recent version
-===== 1. Get the code using GIT =====
-Freshen the code each time you want to root kit an aircraft
   cd ~/Documents/P0VsRedHerring
   git pull
-===== 2. Find the firmware file that needs to be tweaked =====
+===== 4. Run the master script using the grep method =====
-  grep start_dji_system /Applications/Assistant.app/Contents/MacOS/Data/firm_cache/*.fw.sig -r
-Note the path and filename that is returned. You will need it in the next step. The filename that was returned for me was\\ **/Applications/Assistant.app/Contents/MacOS/Data/firm_cache/wm331_0801_v01.01.03.89_20170519.pro.fw.sig**
-  ls -l `grep start_dji_system /Applications/Assistant.app/Contents/MacOS/Data/firm_cache/*.fw.sig -r | grep ^Binary | cut -d " " -f 3`
-===== 3. Extract a bin file from that image =====
-  python3 image.py **add path and filename here**
-===== 4. Confirm a bin file was extracted =====
-  ls *bin
-You should see your bin filename
-===== 5. Verify the file type of your bin file =====
-  file *.bin
-This should return: **Java archive data (JAR)**
-===== 6. Extract the startup script from the JAR file =====
-  tar xvf *.bin system/bin/start_dji_system.sh
-===== 7. Patch the startup script =====
-  echo /system/bin/adb_en.sh >> system/bin/start_dji_system.sh
-===== 8. Run the master script =====
-The next step will connect to your aircraft, so get it powered on and connected via USB... But this is the old one. You can PROBABLY skip this and go straight to the next step.
-  sudo ruby RedHerring.rb /system/bin/start_dji_system.sh system/bin/start_dji_system.sh
-===== 8b. Run the master script v2 =====
   sudo ruby RedHerring.rb /data/.bin/grep grep
-===== 9. Start DJI assistant =====
+===== 5. Start DJI assistant =====
 Open a new window, and start DJI assistant ... connect to your aircraft, and view the list of available firmware updates... and then close DJI assistant. This will set a login cookie that will be re-used for the next command
   /Applications/Assistant.app/Contents/MacOS/Assistant
-===== 10. Start DJI assistant in test_server mode =====
+===== 6. Start DJI assistant in test_server mode =====
   /Applications/Assistant.app/Contents/MacOS/Assistant --test_server
-This will take a while - but it will update the NFZ database with no active NFZ's. Quite DJI assistant once its done
+This sends our fireworks via the NFZ database upload, to get root access.
+===== 7. Get a list of ads devices (see if it all worked) =====
-===== 11. Get a list of ads devices (see if it all worked) =====
   adb devices
-===== 12. Connect to the adb shell =====
+===== 8. Connect to the adb shell =====
   adb shell
-===== Other tidbits =====
+===== 9. Make ADB persistent =====
-==== Confirm aircraft is connected ====
+To make it easier to get back into your aircraft via ADB next time, you can add a command to the boot init script. Beware. This command is modifying a startup script. If you get it wrong, that could be ... well ... bad. Don't do this more than once, unless you change your firmware to re-patch the startup script.
-  /usr/sbin/system_profiler SPUSBDataType | grep DJI: -A 19
+  mount -o remount,rw /system
+  echo /system/bin/adb_en.sh >> /system/bin/start_dji_system.sh
+  reboot
 ===== Credits =====
   * https://www.youtube.com/watch?v=BTQ_CTih1HM
   * with help from opcode at https://dji-rev.slack.com/

User Tools

Site Tools

Differences

Page Tools