====== Network Analysis Findings ======

Due to some of the "unusual" findings in the reverse engineering of the DJI GO 4 code, Czokie decided to look at the network layer and give a high-level summary of what was found. Below you will find a video of what happens when you start DJI GO and, more importantly, "who it is talking to". Traffic was split into two flows to make this easier to analyse. Make sure you maximise the window to read the details.

{{ :faq:dataleakage:dji-leakage.mp4 |}}

NOTE: The only thing we did here is to open DJI GO 4 and close it again. That's all that was done.

In the video:
  * You will see a screen capture of DJI GO 4 opening and closing in the bottom left of the screen.
  * In the top left part of the screen are "proxied" connections, captured by "Charles Proxy". The iOS device was manually configured to use a proxy, to allow for easy capture of standard HTTP / HTTPS traffic.
  * In the shell window on the right, you will see tcpdump traffic to/from my iPhone during the test.

===== TCPDUMP traffic =====

The following flows were observed in the TCPDUMP traffic:

==== DNS ====

We saw DNS lookups for www.dji.com and flurry.adserver.prod.g04.yahoodns.net.

<code>
10:11:24.530471 IP 192.168.1.3.54667 > 192.168.1.254.53: 28202+ A? www.dji.com. (29)
10:11:24.783716 IP 192.168.1.254.53 > 192.168.1.3.54667: 28202 9/0/0 CNAME d125tdjigxzobs.cloudfront.net., A 52.85.40.103, A 52.85.40.96, A 52.85.40.179, A 52.85.40.11, A 52.85.40.234, A 52.85.40.94, A 52.85.40.101, A 52.85.40.135 (200)
10:11:27.574531 IP 192.168.1.3.52840 > 192.168.1.254.53: 8601+ A? flurry.adserver.prod.g04.yahoodns.net. (55)
10:11:27.588855 IP 192.168.1.254.53 > 192.168.1.3.52840: 8601 2/0/0 A 106.10.164.125, A 180.222.100.7 (87)
</code>

==== TENCENT ====

We saw traffic to and from 203.205.146.122 on port 8080.
This IP address is owned by [[https://dig.whois.com.au/ip/203.205.146.122|Tencent]], which is the same company that makes the "Tinker" application, which is capable of "hot patching" applications. Note: The payload of this traffic has not been confirmed at this time. However, it is concerning considering the possibilities.

<code>
10:11:29.463469 IP 192.168.1.3.55169 > 203.205.146.122.8080: Flags [S], seq 1054717657, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 756311751 ecr 0,sackOK,eol], length 0
10:11:29.463814 IP 192.168.1.3.55168 > 203.205.146.122.8080: Flags [S], seq 3519445737, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 756311719 ecr 0,sackOK,eol], length 0
10:11:29.598919 IP 203.205.146.122.8080 > 192.168.1.3.55169: Flags [S.], seq 3470117832, ack 1054717658, win 14280, options [mss 1440,sackOK,TS val 747863253 ecr 756311751,nop,wscale 7], length 0
10:11:29.599415 IP 203.205.146.122.8080 > 192.168.1.3.55168: Flags [S.], seq 3530435815, ack 3519445738, win 14280, options [mss 1440,sackOK,TS val 296474005 ecr 756311719,nop,wscale 8], length 0
10:11:29.607864 IP 192.168.1.3.55168 > 203.205.146.122.8080: Flags [.], ack 1, win 4105, options [nop,nop,TS val 756311893 ecr 296474005], length 0
10:11:29.608235 IP 192.168.1.3.55169 > 203.205.146.122.8080: Flags [.], ack 1, win 4105, options [nop,nop,TS val 756311893 ecr 747863253], length 0
10:11:30.437345 IP 203.205.146.122.8080 > 192.168.1.3.55169: Flags [.], ack 272, win 123, options [nop,nop,TS val 747863502 ecr 756312551], length 0
10:11:30.450820 IP 203.205.146.122.8080 > 192.168.1.3.55168: Flags [.], ack 97, win 58, options [nop,nop,TS val 296474231 ecr 756312551], length 0
10:11:30.456335 IP 192.168.1.3.55181 > 203.205.146.122.8080: Flags [S], seq 1110120126, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 756312681 ecr 0,sackOK,eol], length 0
10:11:30.457184 IP 192.168.1.3.55182 > 203.205.146.122.8080: Flags [S], seq 1067157942, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 756312686 ecr 0,sackOK,eol], length 0
10:11:30.589398 IP 203.205.146.122.8080 > 192.168.1.3.55182: Flags [S.], seq 989094010, ack 1067157943, win 14280, options [mss 1440,sackOK,TS val 747863509 ecr 756312686,nop,wscale 7], length 0
10:11:30.591057 IP 203.205.146.122.8080 > 192.168.1.3.55181: Flags [S.], seq 3958106338, ack 1110120127, win 14280, options [mss 1440,sackOK,TS val 296474261 ecr 756312681,nop,wscale 8], length 0
10:11:30.592114 IP 192.168.1.3.55182 > 203.205.146.122.8080: Flags [.], ack 1, win 4105, options [nop,nop,TS val 756312826 ecr 747863509], length 0
10:11:30.593538 IP 192.168.1.3.55181 > 203.205.146.122.8080: Flags [.], ack 1, win 4105, options [nop,nop,TS val 756312827 ecr 296474261], length 0
10:11:30.861870 IP 203.205.146.122.8080 > 192.168.1.3.55182: Flags [.], ack 272, win 123, options [nop,nop,TS val 747863608 ecr 756312944], length 0
10:11:30.862131 IP 203.205.146.122.8080 > 192.168.1.3.55169: Flags [F.], seq 86, ack 272, win 123, options [nop,nop,TS val 747863608 ecr 756312709], length 0
10:11:30.863808 IP 203.205.146.122.8080 > 192.168.1.3.55181: Flags [.], ack 97, win 58, options [nop,nop,TS val 296474335 ecr 756312944], length 0
10:11:30.865047 IP 203.205.146.122.8080 > 192.168.1.3.55168: Flags [F.], seq 31, ack 97, win 58, options [nop,nop,TS val 296474335 ecr 756312706], length 0
10:11:30.886031 IP 192.168.1.3.55169 > 203.205.146.122.8080: Flags [F.], seq 272, ack 87, win 4102, options [nop,nop,TS val 756313080 ecr 747863608], length 0
10:11:30.886345 IP 192.168.1.3.55168 > 203.205.146.122.8080: Flags [F.], seq 134, ack 32, win 4104, options [nop,nop,TS val 756313083 ecr 296474335], length 0
10:11:30.940267 IP 203.205.146.122.8080 > 192.168.1.3.55168: Flags [R], seq 3530435846, win 0, length 0
10:11:31.020294 IP 203.205.146.122.8080 > 192.168.1.3.55168: Flags [R], seq 3530435847, win 0, length 0
10:11:31.020431 IP 203.205.146.122.8080 > 192.168.1.3.55168: Flags [R], seq 3530435847, win 0, length 0
10:11:35.582973 IP 192.168.1.3.55181 > 203.205.146.122.8080: Flags [F.], seq 134, ack 50, win 4103, options [nop,nop,TS val 756317383 ecr 296474381], length 0
10:11:35.583220 IP 192.168.1.3.55182 > 203.205.146.122.8080: Flags [F.], seq 272, ack 86, win 4102, options [nop,nop,TS val 756317383 ecr 747863617], length 0
10:11:35.715832 IP 203.205.146.122.8080 > 192.168.1.3.55182: Flags [F.], seq 86, ack 273, win 123, options [nop,nop,TS val 747864822 ecr 756317383], length 0
10:11:35.717864 IP 203.205.146.122.8080 > 192.168.1.3.55181: Flags [F.], seq 50, ack 135, win 58, options [nop,nop,TS val 296475548 ecr 756317383], length 0
10:11:36.017249 IP 192.168.1.3.55182 > 203.205.146.122.8080: Flags [F.], seq 272, ack 86, win 4102, options [nop,nop,TS val 756317939 ecr 747863617], length 0
10:11:36.160171 IP 203.205.146.122.8080 > 192.168.1.3.55181: Flags [F.], seq 50, ack 135, win 58, options [nop,nop,TS val 296475659 ecr 756317383], length 0
10:11:36.208882 IP 192.168.1.3.55181 > 203.205.146.122.8080: Flags [F.], seq 134, ack 50, win 4103, options [nop,nop,TS val 756317955 ecr 296474381], length 0
10:11:36.491354 IP 203.205.146.122.8080 > 192.168.1.3.55182: Flags [F.], seq 86, ack 273, win 123, options [nop,nop,TS val 747865016 ecr 756317939], length 0
10:11:37.103014 IP 203.205.146.122.8080 > 192.168.1.3.55181: Flags [R], seq 3958106389, win 0, length 0
10:11:37.178060 IP 203.205.146.122.8080 > 192.168.1.3.55182: Flags [R], seq 989094097, win 0, length 0
</code>

==== UDP Port 19000 ====

UDP traffic has been observed talking to 209.9.106.12 on port 19000, which is an IP address owned by [[https://dig.whois.com.au/ip/209.9.106.12|PCCW]], which is understood to be owned by Hong Kong Telecom. No further details on this traffic are available at this time.

<code>
10:11:29.571104 IP 192.168.1.3.50433 > 209.9.106.12.19000: UDP, length 128
10:11:29.814798 IP 209.9.106.12.19000 > 192.168.1.3.50433: UDP, length 347
</code>

==== TCP Port 7001 ====

TCP traffic has been observed talking to 103.229.215.31 on port 7001.
The address is registered to [[https://dig.whois.com.au/ip/103.229.215.31|Guangdong LITONG Network Technology Limited]]. This IP and port change, but it is the first address in the answer packet of the UDP chatter on port 9000. The payload is not readable and we have no idea what it is used for. Very strange; if anyone has more info about this, please add it here. For now this is "sketchy".

<code>
10:11:30.706436 IP 192.168.1.3.55187 > 103.229.215.31.7001: Flags [S], seq 2164181056, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 756312896 ecr 0,sackOK,eol], length 0
10:11:30.963145 IP 103.229.215.31.7001 > 192.168.1.3.55187: Flags [S.], seq 3068745205, ack 2164181057, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
10:11:31.086822 IP 192.168.1.3.55187 > 103.229.215.31.7001: Flags [.], ack 1, win 12592, length 0
10:11:31.818317 IP 103.229.215.31.7001 > 192.168.1.3.55187: Flags [.], ack 95, win 29, length 0
10:11:35.582593 IP 192.168.1.3.55187 > 103.229.215.31.7001: Flags [F.], seq 267, ack 181, win 12570, length 0
10:11:35.836991 IP 103.229.215.31.7001 > 192.168.1.3.55187: Flags [F.], seq 181, ack 268, win 29, length 0
10:11:36.603543 IP 192.168.1.3.55187 > 103.229.215.31.7001: Flags [F.], seq 267, ack 181, win 12570, length 0
10:11:36.743883 IP 103.229.215.31.7001 > 192.168.1.3.55187: Flags [F.], seq 181, ack 268, win 29, length 0
10:11:37.305624 IP 103.229.215.31.7001 > 192.168.1.3.55187: Flags [R], seq 3068745387, win 0, length 0
</code>

===== Proxied Traffic =====

The flows below were proxied using the usual OS-level proxying. Details of the functionality of each of these flows will be added as time permits.
==== https://www.skypixel.com ====

Multiple requests during startup:

  * /api/users/identifyable-user-id/
    * GET /api/users/[[personally-identifiable-key]]/favorites?page=1&page_size=20&token=[[session-key]]&type=all
    * GET /api/users/[[personally-identifiable-key]]/home?page=1&page_size=20&[[token=session-key]]&type=all
    * GET /api/users/[[personally-identifiable-key]]/followings?page=1&page_size=20&[[token=session-key]]&type=all
    * GET /api/users/[[personally-identifiable-key]]/followers?page=1&page_size=20&token=[[session-key]]&type=all
  * /api/giftcards/
    * GET /api/giftcards/popup?lang=en&token=[[session-key]]
    * GET /api/giftcards/has_new_giftcard?token=[[session-key]]
  * /api/msg/
    * GET /api/msg/list?page=2&page_size=1&token=[[session-key]]
  * /api/photos/
    * GET /api/photos/popular?page=77&page_size=5&token=token=[[session-key]]
  * /api/mobile/explore/
    * GET /api/mobile/explore/splashes?lang=en
    * GET /api/mobile/explore/splashes?lang=en
    * GET /api/mobile/explore/alert?lang=en
  * /api/videos/
    * GET /api/videos/popular?page=90&page_size=5&token=[[session-key]]
  * /api/
    * GET /api/token_with_buckets HTTP/1.1

==== https://mydjiflight.dji.com ====

  * /api/static_resources/
    * GET /api/static_resources/hot_update?md5=&os_platform=ios&signature=[[hash-value]]&timestamp=[[timestamp]]&version=4.1.9
  * /api/v2/flight_log/
    * profile?user_id=my-userid
  * /api/v2/geocoder_service/
    * geoip?lat=[[mylocation]]&lng=[[mylocation]]
    * geoip?lat=[[mylocation]]&lng=[[mylocation]]
    * geoip?lat=[[mylocation]]&lng=[[mylocation]]
  * /api/v2/
    * POST register_device (four times)

^ device_sn | [[device_sn]] |
^ app_version | [[4.1.9]] |
^ lang | en |
^ os_platform | ios |
^ operator | [[my-carrier]] |
^ os_version | [[10.3.2]] |
^ api_version | 1 |
^ sign | [[hash-value]] |
^ app_name | djigo_ios |
^ app_datetime | [[timestamp]] |

  * /api/djigo/
    * POST /api/djigo/popupv2

^ app_version | [[4.1.9]] |
^ lang | en |
^ nation_code | AU |
^ notify_type | 0 |
^ os_platform | ios |
^ signature | [[hash-value]] |
^ time | [[timestamp]] |

  * /loadconfig/
    * POST /loadconfig/geturl (3 times)
^ os | ios |
^ signature | [[hash-value]] |
^ time | [[timestamp]] |
^ version | [[4.1.9]] |

  * /links/links/pilot_br
    * GET /links/links/pilot_br
  * /getfile/
    * POST /getfile/getallfile

^ language | en |
^ product_id | wm331 |
^ signature | [[hash-value]] |
^ token | [[session-key]] |

  * /getfile/
    * POST /getfile/download

^ product_id | [[wm331]] |
^ product_version | [[01.04.0602]] |
^ signature | [[hash-value]] |
^ token | [[session-key]] |

  * /
    * GET /getdayv3
    * CONNECT https://mydjiflight.dji.com

==== https://active.dji.com ====

An unknown DJI service.

==== https://ios.bugly.qq.com ====

[[https://en.wikipedia.org/wiki/Tencent_QQ|QQ]] is a Chinese instant messaging platform owned by [[https://en.wikipedia.org/wiki/Tencent|Tencent]].

==== https://apigateway.djiservice.org ====

==== https://account-api.dji.com ====

An unknown DJI service.

==== https://fffdrone.aasky.net ====

==== https://play.googleapis.com ====

==== http://pingma.qq.com ====

==== http://hydra.alibaba.com ====

==== https://cgi.connect.qq.com ====

==== https://p24-buy.itunes.apple.com ====

==== https://fusion.qq.com ====

==== https://c-adash.ut.taobao.com ====

[[https://en.wikipedia.org/wiki/Taobao|Taobao]] is a Chinese online marketplace.

==== https://stats.jpush.cn ====

Some form of push notification interface. **This one sends a list of all installed apps on your phone to the service! At least on Android.**

==== http://d16koec4ujdumm.cloudfront.net ====

This is related to the DJI.com website.

==== https://www.djiexplore.com ====

Unknown DJI activity.

==== https://flysafe-api.dji.com ====

Assumed to be DJI GEO related.

==== http://flysafe-api.dji.com ====

Assumed to be DJI GEO related.

==== https://configuration.apple.com ====

Unknown - may not be DJI related.

==== https://adhoc.djiservice.org ====

An unknown DJI service.

==== https://statistical-report.djiservice.org ====

Assumed to be tracking usage for DJI.

==== https://https ====

Looks to be a bug in DJI GO...
==== https://data.flurry.com ====

[[https://en.wikipedia.org/wiki/Flurry_(company)|Flurry]]

==== https://gsp-ssl.ls.apple.com ====

Not unusual traffic...

==== https://cdn-hz.skypixel.com ====

[[http://www.dji.com/|DJI]] owned video content site.

==== https://cdn-usa.skypixel.com ====

[[http://www.dji.com/|DJI]] owned video content site.

==== https://adash.ut.taobao.com ====

[[https://en.wikipedia.org/wiki/Taobao|Taobao]] is a Chinese online marketplace.

==== https://app-service.skypixel.com ====

[[http://www.dji.com/|DJI]] owned video content site.
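To repeat the TCPDUMP part of this analysis on another capture, here is an added example (not part of the original analysis) that groups tcpdump lines by remote endpoint and protocol, counts packets, payload bytes and TCP SYN/FIN/RST per endpoint, and collects the names queried over DNS, so every host an app contacts can be inventoried and checked against the vendor's own domains. The sample input is constructed from lines in the same format as the capture above, and the phone's address 192.168.1.3 is taken from that capture.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump format shown on this page (same remote hosts and ports).
SAMPLE = """\
10:11:24.530471 IP 192.168.1.3.54667 > 192.168.1.254.53: 28202+ A? www.dji.com. (29)
10:11:27.574531 IP 192.168.1.3.52840 > 192.168.1.254.53: 8601+ A? flurry.adserver.prod.g04.yahoodns.net. (55)
10:11:29.463469 IP 192.168.1.3.55169 > 203.205.146.122.8080: Flags [S], seq 1054717657, win 65535, length 0
10:11:29.463814 IP 192.168.1.3.55168 > 203.205.146.122.8080: Flags [S], seq 3519445737, win 65535, length 0
10:11:29.571104 IP 192.168.1.3.50433 > 209.9.106.12.19000: UDP, length 128
10:11:29.814798 IP 209.9.106.12.19000 > 192.168.1.3.50433: UDP, length 347
10:11:30.706436 IP 192.168.1.3.55187 > 103.229.215.31.7001: Flags [S], seq 2164181056, win 65535, length 0
10:11:35.582593 IP 192.168.1.3.55187 > 103.229.215.31.7001: Flags [F.], seq 267, ack 181, win 12570, length 0
"""
# "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>", as tcpdump -n prints IPv4 packets.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
QUERY_RE = re.compile(r"\bA\? (?P<name>\S+)\.")  # queried name in a DNS line, e.g. "A? www.dji.com."
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")      # TCP flag letters, e.g. "[S.]" for SYN-ACK

def summarize(text, local_ip="192.168.1.3"):
    """Group packets by remote (ip, port, proto); count packets, payload bytes and TCP SYN/FIN/RST."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": 0, "fin": 0, "rst": 0})
    dns_names = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Whichever side is not the phone (local_ip, taken from the capture) is the remote endpoint.
        outbound = m["src"] == local_ip
        ip = m["dst"] if outbound else m["src"]
        port = int(m["dport"] if outbound else m["sport"])
        rest = m["rest"]
        if port == 53:
            proto = "dns"
            q = QUERY_RE.search(rest)
            if q:
                dns_names.add(q["name"])
        else:
            proto = "udp" if rest.startswith("UDP") else "tcp"
        f = flows[(ip, port, proto)]
        f["packets"] += 1
        size = re.search(r"length (\d+)", rest)
        f["bytes"] += int(size.group(1)) if size else 0
        flags = FLAGS_RE.search(rest)
        for letter, key in (("S", "syn"), ("F", "fin"), ("R", "rst")):
            if flags and letter in flags.group(1):
                f[key] += 1
    return dict(flows), dns_names
```

Run it over a whole `tcpdump -n` text capture instead of `SAMPLE` to get the full list of remote endpoints to look up in whois.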