P0V Root Kit for DJI aircraft

This document describes one of the early rootkit approaches for DJI aircraft. The instructions below assume you are running on OSX. Most of these instructions will readily translate to most Linux variants.

1. Toolchain

Install your toolchain as per the instructions here. You only need to do this once… but check the instructions to see if there are any new tools that you may need.

2. Get firmware

3. Get the RedHerring magic

If this is your first time using RedHerring, you will need to check out the code from git.

cd ~/Documents/
git clone https://github.com/MAVProxyUser/P0VsRedHerring.git
cd P0VsRedHerring

If you have done this before and you want to make sure you have the latest code, you just need to sync to the most recent version.

cd ~/Documents/P0VsRedHerring
git pull

4. Run the master script using the grep method

sudo ruby RedHerring.rb /data/.bin/grep grep

5. Start DJI assistant

Open a new terminal window and start DJI Assistant with the command below. Connect to your aircraft, view the list of available firmware updates, and then close DJI Assistant. This sets a login cookie that is re-used by the next command.

/Applications/Assistant.app/Contents/MacOS/Assistant

6. Start DJI assistant in test_server mode

/Applications/Assistant.app/Contents/MacOS/Assistant --test_server

This sends our fireworks via the NFZ database upload to get root access.

7. Get a list of adb devices (see if it all worked)

adb devices

8. Connect to the adb shell

adb shell

9. Make ADB persistent

To make it easier to get back into your aircraft via ADB next time, you can add a command to the boot init script. Beware: these commands modify a startup script, and if you get it wrong that could be … well … bad. Don't do this more than once, unless you have changed your firmware and need to re-patch the startup script.

mount -o remount,rw /system
echo /system/bin/adb_en.sh >> /system/bin/start_dji_system.sh
reboot
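Because the append above is not idempotent, a practitioner wants a way to check the state of start_dji_system.sh before touching it again, and the same check doubles as an audit for whether ADB persistence has been enabled on an aircraft. The helper below is an added example and is not part of the original page or the RedHerring project; it assumes you have pulled a copy of the startup script off the device (for instance with adb pull /system/bin/start_dji_system.sh ./start_dji_system.sh) and runs against that local copy. The sample files it creates are constructed placeholders, not real firmware content.

```shell
#!/bin/sh
# Audit helper for the ADB persistence line (added example, not from the original page).
# Counts how many times the adb_en.sh line appears in a pulled copy of
# start_dji_system.sh so a duplicate append can be spotted before rebooting.

# The exact line step 9 appends to the startup script.
PERSIST_LINE='/system/bin/adb_en.sh'

# Where the constructed sample files are written.
SAMPLE_DIR="${TMPDIR:-/tmp}"

# count_adb_persistence FILE -> prints the number of lines that match PERSIST_LINE exactly.
# A missing or unreadable file counts as 0 so the caller gets a number either way.
count_adb_persistence() {
    if [ ! -r "$1" ]; then
        echo 0
        return 0
    fi
    # -F: fixed string, -x: whole-line match, -c: count; grep exits 1 on zero matches,
    # so suppress that status to stay compatible with 'set -e'.
    n=$(grep -c -F -x "$PERSIST_LINE" "$1" || true)
    echo "${n:-0}"
}

# audit_adb_persistence FILE -> prints a verdict.
# Returns 0 when the line is absent, 1 when present once, 2 when appended more than once.
audit_adb_persistence() {
    n=$(count_adb_persistence "$1")
    case "$n" in
        0) echo "clean: no adb_en.sh entry in $1"; return 0 ;;
        1) echo "present: adb_en.sh is started from $1 (ADB persistence enabled)"; return 1 ;;
        *) echo "duplicated: adb_en.sh listed $n times in $1 (appended more than once)"; return 2 ;;
    esac
}

# make_samples -> writes three constructed startup scripts (clean, once, twice) into SAMPLE_DIR.
# The contents are placeholders for demonstration only, not real DJI firmware.
make_samples() {
    printf '#!/system/bin/sh\n# (constructed placeholder for the original boot commands)\n' \
        > "$SAMPLE_DIR/clean_start.sh"
    printf '#!/system/bin/sh\n# (constructed placeholder for the original boot commands)\n%s\n' \
        "$PERSIST_LINE" > "$SAMPLE_DIR/once_start.sh"
    printf '#!/system/bin/sh\n# (constructed placeholder for the original boot commands)\n%s\n%s\n' \
        "$PERSIST_LINE" "$PERSIST_LINE" > "$SAMPLE_DIR/twice_start.sh"
}

# Demo run: set RUN_DEMO=1 to exercise the helpers on the constructed samples.
if [ "${RUN_DEMO:-0}" = "1" ]; then
    make_samples
    for f in clean once twice; do
        audit_adb_persistence "$SAMPLE_DIR/${f}_start.sh" || true
    done
fi
```

Run it as RUN_DEMO=1 sh audit_adb.sh to see the three verdicts, or source the file and call audit_adb_persistence on a real pulled copy. The whole-line match (-x) is deliberate: a line such as "/system/bin/adb_en.sh &" would not be counted, so adjust PERSIST_LINE if your startup script uses a different form.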

Credits