Differences

This shows you the differences between two versions of the page.

--- howto:dji_ftpd_aes_unscramble [2017/07/28 13:19]
czokie
+++ howto:dji_ftpd_aes_unscramble [2019/01/15 23:00] (current)
czokie
@@ Line 10: / Line 10: @@
 This method is published [[https://github.com/MAVProxyUser/DJI_ftpd_aes_unscramble|here]].
-FIXME: Eventually, I want to expand this out to explain how to backup a firmware image file from a DJI device, including duml commands required to activate FTP.
 ===== 1. Toolchain =====
@@ Line 39: / Line 35: @@
 Windows executable release created via:
-```
+<code>
 c:\python27\Scripts\pyinstaller.exe --add-data=wget_bins;wget_bins dji_ftpd_descrambler.py
-```
+</code>
 If not using packaged release for Windows, make sure you have pip, and that pycrypto is installed
@@ Line 48: / Line 44: @@
 Mirror the FTPD via the script, OR manually pull down a target file.
-```
+<code>
 $ python dji_ftpd_descrambler.py 192.168.42.2
 --2017-05-25 23:57:13--  ftp://GPL:*password*@192.168.42.2/
@@ Line 68: / Line 64: @@
 00000080: 0dfc fcb3 8aab 5f06 aace 0f41 a6c6 fb89  ......_....A....
 00000090: 5d13 a609 c74a 7318 4734 2d95 d5bc b975  ]....Js.G4-....u
-```
+</code>
 Descramble the file... profit!
-```
+<code>
 $ python dji_ftpd_descrambler.py DJI_aes_ftp_dump/192.168.42.2/upgrade/dji/log/cp_assert.log  | head -n 10
     PBS^U\5] [0x0] state=0, reset phy
@@ Line 83: / Line 79: @@
 [2017/04/14 14:44:8] [0x4c3] state=3, recv shakehand req
 [2017/04/14 14:44:8] [0x530] state from 3 to connect
-```
+</code>
 On Windows the process works the same, with alternate synatx on the command line.
 You can use the new bash interface:
-```
+<code>
 MavproxyUser@DESKTOP-QPUF664 MINGW64 ~/Desktop/DJI_ftpd_aes_unscramble (master)
 $ python dji_ftpd_descrambler.py kernel00.log
@@ Line 98: / Line 94: @@
 <7>[  356.750230] c0 419 (dji_hdvt_gnd) bridge: start_xmit info: lmi42 xmit skb ce39fa80 CP busy!
 <7>[  356.814311] c0 461 (keyscan_task) bridge: start_xmit info: lmi42 xmit skb ce39fa80 CP ready!
-```
+</code>
 Or make use of the standard cmd.exe interface:
-```
+<code>
 C:\Users\MavproxyUser\Desktop\DJI_ftpd_aes_unscramble>python dji_ftpd_descrambler.py kernel00.log | more
 !!!New kernel log start!!!
@@ Line 118: / Line 114: @@
 <4>[    0.000000] c0 0 (swapper)     Framebuffer : 0x16800000 - 0x17800000  (  16 MB)
 -- More  --
-```
+</code>
 Alternatively on windows you can use the precompied .exe (see the Releases tab)
-```
+<code>
 C:\Users\kfinisterre\Desktop\dji_ftpd_descrambler>dji_ftpd_descrambler.exe c:\Users\kfinisterre\Desktop\kernel01.log | more
 h
@@ Line 126: / Line 122: @@
 <7>[ 1380.255734] c1 11916 (kworker/u10:0) bridge: drop 0xd28c packet due to buffer full
 <7>[ 1382.825736] c0 26031 (kworker/u10:1) bridge: drop 0xd2f0 packet due to buffer full
-```
+</code>
 Description:
@@ Line 133: / Line 129: @@
 I miss the good ole days of public tar & feathering over GPL violations!
-```
+<code>
 "The following products and/or projects appear to use BusyBox, but do not appear to release source code as required by the BusyBox license. This is a violation of the law! The distributors of these products are invited to contact Erik Andersen if they have any confusion as to what is needed to bring their products into compliance, or if they have already brought their product into compliance and wish to be removed from the Hall of Shame."
-```
+</code>
-```
+<code>
 This page is no longer updated, these days, BusyBox handles enforcement of our license via our fiscal sponsor, Software Freedom Conservancy instead. Please email <gpl@busybox.net> if you believe you've found a violation of BusyBox's license, the GPLv2.
 Previously, this page listed products that included BusyBox but included neither source code nor offer for one. The BusyBox project has decided to not publicly shame companies until Conservancy has an opportunity to talk privately with companies who violate the GPL to convince them to comply with BusyBox's license.
-```
+</code>
 https://web-beta.archive.org/web/20130116093247/http://busybox.net/shame.html
@@ Line 150: / Line 146: @@
-On OSX you can navigate to: /Applications/Assistant_1_1_0.app/Contents/MacOS/Data/firm_cache
+On OSX you can navigate to: /Applications/Assistant_1_1_0.app/Contents/MacOS/Data/firm_cache\\
 On Windows to: C:\Program Files (x86)\DJI Product\DJI Assistant 2\ Assistant\Data\firm_cache
 Run binwalk with the extraction flag against any appropriate firmware file.
-```
+<code>
 $ grep busybox wm* -r
 Binary file wm220_0100_v02.05.04.34_20170209_ca02.pro.fw.sig matches
@@ Line 165: / Line 161: @@
 Binary file wm220_1301_v01.05.00.23_20170418.pro.fw.sig matches
 Binary file wm220_2801_v01.02.21.01_20170421.pro.fw.sig matches
-```
+</code>
 Pick one... just make sure it doesn't contain busybox for the Ambarella SoC (contained within the squashfs)
-```
+<code>
 $ binwalk -e wm220_0801_v01.04.17.03_20170120.pro.fw.sig
-```
+</code>
 Launch the binary in a chroot via qemu-user-static.
 https://wiki.ubuntu.com/ARM/BuildEABIChroot
-```
+<code>
 # ./busybox tcpsvd -vE 0.0.0.0 21 ./busybox ftpd -wv /tmp/
 tcpsvd: listening on 0.0.0.0:21, starting
 tcpsvd: status 1/30
 tcpsvd: start 9062 127.0.0.1:21-127.0.0.1:39922
-```
+</code>
 Download, compile, and run aes-finder against the ftp binary. Extract the AES key by running against the PID.
 https://github.com/mmozeiko/aes-finder
-```
+<code>
 $ sudo ./a.out -9062
 Searching PID 9062 ...
@@ Line 192: / Line 188: @@
 $ echo -e "\x74\x68\x69\x73\x2d\x61\x65\x73\x2d\x6b\x65\x79\x00\x00\x00\x00"
 this-aes-key
-```
+</code>
 This oddly enough was the string that made me look for the routine in the first place. It shows up in clear text in the binary.
@@ Line 204: / Line 200: @@
 Simply replace the AES key with the one above in the tool provided by seasonalvegetables3.
-```
+<code>
 #Key = "7F0B9A5026674ADA0BB64F27E6D8C8A6"
 Key = "746869732d6165732d6b657900000000"
 IV = "00000000000000000000000000000000"
-```
+</code>
 This project will recurvively download the contents of the ftp server, and decrypt them for you in a local plaintext mirror.
 In essence using code in this repo would be the same as running:
-```
+<code>
 $ wget -m ftp://GPL:Violation@192.168.42.2/
-```
+</code>
 Followed by:
-```
+<code>
 python djicrypt.py -d -i downloadedfile -o outputfile
-```
+</code>
 Alternately you can just use openssl:
-```
+<code>
 openssl enc -d -nosalt -in downloadedfile -aes-128-cbc -K 746869732d6165732d6b657900000000 -iv 00000000000000000000000000000000
-```
+</code>
 And of course *our* script as detailed above in Usage:
@@ Line 233: / Line 229: @@
 $ python dji_ftpd_descrambler.py  /tmp/192.168.42.2_drone/upgrade/dji/log/kernel01.log  | grep daak | head -n 1
-```
+<code>
 <5>[    0.000000] c0 0 (swapper) Kernel command line: watchdog_thresh=3 console=ttyS1,921600 vmalloc=412M android firmware_class.path=/vendor/firmware isolcpus=2,3,4
 initrd=0x07400000,1M lcpart=mmcblk0=gpt:0:2000:200,ddr:2000:2000:200,env:4000:2000:200,panic:6000:2000:200,amt:8000:20000:200,factory:28000:4000:200,factory_out:2c000:4000:200,
@@ Line 239: / Line 235: @@
 chip_sn=31337000 board_sn=01EAT2D111XXXX daak=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA daek=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA drak=6f707f2962351d75bc089ac34da119fa
 saak=6f402fb8625205ce9bdd580217d218d8 waek=WIFIPASS production quiet board_id=0xe2200026
-```
+</code>
 ===== Credit =====
@@ Line 245: / Line 241: @@
   * Subsequent bug fixes created by Czokie.
   * Earlier work was based on https://hackaday.io/project/19995-hacking-dji-naza-m/log/53751-big-dump

User Tools

Site Tools

Differences

Page Tools