This is an old revision of the document!


dji_ftp_aes_unscramble

When you get FTP access to your DJI, you can push files to the aircraft using normal FTP commands (to a limited subset of directories, because /system is read-only).

But downloading is another matter. DJI modified the FTPD that is built into their firmware to stop people getting access to the files, in an attempt to hide the fact that their aircraft is using GPL software in an unauthorised manner.

A number of people have already solved how to upload to and download from an aircraft. There is even dumldore, which can back up firmware or push any version of firmware to your aircraft using these methods. But this is a Windows app. This is a DRAFT document, and still incomplete. Please feel free to contribute to the ongoing development of these instructions to download and rebuild a firmware image file for a DJI aircraft.

1. Toolchain

Install your toolchain as per the instructions here. You only need to do this once… but check the instructions to see if there are any new tools that you may need.

2. Get the DJI_ftpd_aes_unscramble magic

If this is your first time using duml, you will need to check out the code from git.

cd ~/Documents/
git clone https://github.com/MAVProxyUser/DJI_ftpd_aes_unscramble.git
cd DJI_ftpd_aes_unscramble

If you have done this before and you want to make sure you have the latest code, you just need to sync to the most recent version.

cd ~/Documents/DJI_ftpd_aes_unscramble
git pull

3. Now What?

OK. What we know so far… We already know the AES key, and it is used in both of the methods below. However, raw decryption is not enough: the first 16 bytes of the decrypted file need some extra work. DJI are meddling with the original file content to try to prevent people from getting to file content via FTP. In the python approach below, this is taken care of.

FIXME: However, the python method has another side effect. The file that is created is padded at the end with extra 0x10's during the AES decryption. We could assume all files that end with a number of 1 or more pad characters need to be stripped, but what happens if the real file ends with one or more of those characters? We need to find out how to do this properly.
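
An added example addressing the FIXME above; it is not part of the original page or of the DJI_ftpd_aes_unscramble repository. It assumes the trailing 0x10 bytes are standard PKCS#7 padding, which the page does not confirm. Under that scheme padding is always present, so validated removal is unambiguous even when the real file ends in 0x10. The sample bytes and function names are constructed for illustration.

```python
BLOCK = 16  # AES block size in bytes


def pkcs7_pad(data: bytes) -> bytes:
    """Always append 1..16 bytes, each equal to the pad length."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Validate and remove PKCS#7 padding; raise if absent or malformed."""
    if not data or len(data) % BLOCK:
        raise ValueError("length is not a positive multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("not valid PKCS#7 padding")
    return data[:-n]


def naive_strip(data: bytes) -> bytes:
    """The guess from the FIXME: drop every trailing 0x10 byte."""
    return data.rstrip(b"\x10")


# Constructed sample: a 32-byte "file" whose real content ends in 0x10 0x10.
SAMPLE = b"constructed firmware body....." + b"\x10\x10"

# Assumption: what raw decryption leaves behind if the sender used PKCS#7.
# A 32-byte plaintext gains a full block of sixteen 0x10 bytes.
DECRYPTED = pkcs7_pad(SAMPLE)

if __name__ == "__main__":
    print("decrypted length:", len(DECRYPTED))
    print("validated unpad recovers file:", pkcs7_unpad(DECRYPTED) == SAMPLE)
    print("naive strip recovers file:", naive_strip(DECRYPTED) == SAMPLE)
```

If `pkcs7_unpad` raises on a real decrypted file, the padding is not PKCS#7 and the true length has to come from somewhere else, such as a size field in the file's own header.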

Method One

Hostile (aka MavProxyUser) created this method that is published in Git here.

Method Two

I was talking to Jezzab in #general about this. He gave me an alternate command:

openssl enc -d -nosalt -in *.fw.sig -aes-128-cbc -K 746869732d6165732d6b657900000000 -iv 00000000000000000000000000000000 > output.fw.sig.decrypt
howto/dji_ftpd_aes_unscramble.1501222535.txt.gz · Last modified: 2017/07/28 06:15 by czokie