Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added support for Mavic Pro remote, lib updates, some shell scripts #3

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Added support for Mavic Pro remote, lib updates, some shell scripts #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c108e0e
Added support for Mavic Pro RC on latest firmware.
validev Apr 15, 2021
14a9966
removed .class files, added Main.java
validev Apr 15, 2021
a6487fa
typo
validev Apr 15, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions build.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
#!/bin/sh
JAVAC=`which javac`
if [ $JAVAC ]; then
echo Building classes ...
$JAVAC -cp libs/commons-net-3.8.0.jar:libs/jSerialComm-2.7.0.jar:src src/com/cunninglogic/ubersploits/CRC.java
RESULT1=$?
$JAVAC -cp libs/commons-net-3.8.0.jar:libs/jSerialComm-2.7.0.jar:src src/com/cunninglogic/ubersploits/Main.java
RESULT2=$?
if [ $RESULT1 = 0 ] && [ $RESULT2 = 0 ]; then
echo OK
fi
else
echo Error: No javac. Please install javac/jdk.
fi
Binary file removed libs/commons-net-3.6.jar
View file
Open in desktop
Binary file not shown.
Binary file added libs/commons-net-3.8.0.jar
View file
Open in desktop
Binary file not shown.
Binary file removed libs/jSerialComm-1.3.11.jar
View file
Open in desktop
Binary file not shown.
Binary file added libs/jSerialComm-2.7.0.jar
View file
Open in desktop
Binary file not shown.
7 changes: 7 additions & 0 deletions run.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
#!/bin/sh
JAVA=`which java`
if [ $JAVA ]; then
$JAVA -cp libs/commons-net-3.8.0.jar:libs/jSerialComm-2.7.0.jar:src com/cunninglogic/ubersploits/Main
else
echo Error: No java. Please install java/jdk.
fi
210 changes: 140 additions & 70 deletions src/com/cunninglogic/ubersploits/Main.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ public class Main {
private static FTPClient ftpClient;

public static void main(String[] args) {
System.out.println("UberSploits v0.1 by jcase");
System.out.println("UberSploits v0.2 by jcase,validev");
System.out.println("Please see licensing details for the libraries we use inside the libs directory.\n");

System.out.println("UberSploits is an exploit delivery tool for DJI, it effectively brings back to life a bunch" +
Expand All @@ -34,9 +34,41 @@ public static void main(String[] args) {

classLoader = Main.class.getClassLoader();

int count = 1;

System.out.println("Choose target port: (* suggested port)");
System.out.println("\nChoose target:");
System.out.println("\t[1] Aircraft (e.g. Mavic Pro)");
System.out.println("\t[2] Remote Control (e.g. Mavic Pro RC)");
String str = "";
BufferedReader br = new BufferedReader(new InputStreamReader(System.in));

int target;
System.out.print("Choose target: ");
while (true) {
try {
str = br.readLine();
} catch (IOException e) {
e.printStackTrace();
}
try {

target = Integer.parseInt(str.trim());

if ((target > 2) || (target < 1)) {
System.out.println("[!] Invalid target selection");
System.out.print("Choose target: ");
} else {
System.out.println("Using Target: " + target);
break;
}
} catch (NumberFormatException e) {
System.out.println("[!] Invalid target selection");
System.out.print("Choose target: ");
}
}


int count = 1;
System.out.println("\nChoose target port: (* suggested port)");
for (SerialPort s : SerialPort.getCommPorts()) {
if (s.getDescriptivePortName().contains("DJI")) {
System.out.print("*");
Expand All @@ -48,8 +80,8 @@ public static void main(String[] args) {

System.out.println("\t[E] Exit");

String str = "";
BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
int port;
br = new BufferedReader(new InputStreamReader(System.in));
System.out.print("Choose port: ");
while (true) {
try {
Expand All @@ -65,7 +97,7 @@ public static void main(String[] args) {
}


int port = Integer.parseInt(str.trim());
port = Integer.parseInt(str.trim());

if ((port > count) || (port < 1)) {
System.out.println("[!] Invalid port selection");
Expand All @@ -83,99 +115,93 @@ public static void main(String[] args) {

if (activePort == null) {
System.out.println("Couldn't find port, exiting");
return;
System.exit(0);
}

if (activePort.isOpen()) {
System.out.println(activePort.getSystemPortName() + " is already open");
activePort.closePort(); //meh why not
return;
System.exit(0);
}

if (!activePort.openPort()) {
System.out.println("Couldn't open port, please close all other DUML/DJI Apps and try again");
activePort.closePort(); //meh why not
return;
System.exit(0);
}

activePort.setBaudRate(115200);

System.out.println("Reading payload");
System.out.println("\nReading payload ...");

String payloadfile = "";
String ftptarget = "";
switch(target) {
case 1: payloadfile = "resources/payload.bin";
ftptarget = "upgrade/data_copy.bin";
break;
case 2: payloadfile = "resources/payloadRC.bin";
ftptarget = "upgrade/dji_system.bin";
break;
default:
System.out.println("Invalid target. Exiting.");
System.exit(0);
}

InputStream is = classLoader.getResourceAsStream("resources/payload.bin");
InputStream is = classLoader.getResourceAsStream(payloadfile);
byte[] payload = null;
try {
payload = isToArray(classLoader.getResourceAsStream("resources/payload.bin"));
payload = isToArray(classLoader.getResourceAsStream(payloadfile));
is.close();
} catch (IOException e) {
e.printStackTrace();
}

System.out.println("Entering upgrade mode");
write(UPGRADE_MODE_ENTER());
System.out.println("Entering upgrade mode ...");
write(UPGRADE_MODE_ENTER(target));

try {
Thread.sleep(1000);
} catch (InterruptedException e) {
e.printStackTrace();
}

System.out.println("Sending filesize");
write(UPGRADE_DATA(payload.length));
if(target==2) {
System.out.println("Enable reporting ...");
write(UPGRADE_MODE_ENABLE_REPORTING());

Thread.sleep(1000);
}

System.out.println("Sending filesize ...");
write(UPGRADE_DATA(target, payload.length));

try {
Thread.sleep(1000);
} catch (InterruptedException e) {
e.printStackTrace();
}

System.out.println("Uploading payload");
ftpClient = new FTPClient();
try {
System.out.println("Uploading payload ...");
ftpClient = new FTPClient();
ftpClient.connect("192.168.42.2", 21);
ftpClient.login("dontforget","aboutjcase");
ftpClient.enterLocalPassiveMode();
ftpClient.setFileType(ftpClient.BINARY_FILE_TYPE);
is = classLoader.getResourceAsStream("resources/payload.bin");
ftpClient.storeFile("/upgrade/data_copy.bin", is);
is = classLoader.getResourceAsStream(payloadfile);
ftpClient.storeFile(ftptarget, is);
is.close();
} catch (IOException e) {
e.printStackTrace();
}

try {
Thread.sleep(1000);
} catch (InterruptedException e) {
e.printStackTrace();
}

System.out.println("Executing update");
write(UPGRADE_FINISH_DATA(payload));
System.out.println("Executing upgrade ...");
write(UPGRADE_FINISH_DATA(target, payload));


try {
Thread.sleep(1000);
} catch (InterruptedException e) {
e.printStackTrace();
}

System.out.println("Finished (system may still be processing the update)");
System.out.println("Finished! adb access should be enabled.\n");

try {
ftpClient.disconnect();
activePort.closePort();
} catch (IOException e) {

} catch (Exception e) {
e.printStackTrace();
}
}

private static void write(byte[] packet) {
private static void write(byte[] packet) throws Exception {
activePort.writeBytes(packet,packet.length);
try {
Thread.sleep(1000);
} catch (InterruptedException e) {
e.printStackTrace();
}
Thread.sleep(1000);
}

private static byte[] isToArray(InputStream is) throws IOException {
Expand All @@ -193,22 +219,56 @@ private static byte[] isToArray(InputStream is) throws IOException {

return buffer.toByteArray();
}
/*

UPGRADE_MODE_ENTER - 0,HS,28637,55 16 04 FC 2A 28 B8 51 40 00 07 00 00 00 00 00 00 00 00 00 9F BF
UPGRADE_DATA 0,HS,28831,55 1A 04 B1 2A 28 BB 51 40 00 08 00 C8 57 08 00 00 00 00 00 00 00 02 08 2E 88
UPGRADE_FINISH_DATA 0,HS,46759,55 1E 04 8A 2A 28 CE 51 40 00 0A 00 A5 1B BF 03 A2 B5 0D F6 DB 1C 5B 28 EF 5D 7A D9 9E 39
*/

private static byte[] UPGRADE_MODE_ENTER() {
byte[] packet = new byte[] {0x55,0x16,0x04,(byte)0xFC,0x2A,0x28,(byte)0xB8,0x51,0x40,0x00,0x07,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00};
/*
NFZ delivery, AC
UPGRADE_MODE_ENTER - 0,HS,28637,55 16 04 FC 2A 28 B8 51 40 00 07 00 00 00 00 00 00 00 00 00 9F BF
UPGRADE_DATA 0,HS,28831,55 1A 04 B1 2A 28 BB 51 40 00 08 00 C8 57 08 00 00 00 00 00 00 00 02 08 2E 88
UPGRADE_FINISH_DATA 0,HS,46759,55 1E 04 8A 2A 28 CE 51 40 00 0A 00 A5 1B BF 03 A2 B5 0D F6 DB 1C 5B 28 EF 5D 7A D9 9E 39

Upgrade delivery, RC
Change target from 28 to 2D
change upgrade data mode from 02 08 to 02 04

*/

private static byte[] UPGRADE_MODE_ENTER(int target) throws Exception {
byte[] packet;
switch(target) {
case 1:
packet = new byte[] {0x55,0x16,0x04,(byte)0xFC,0x2A,0x28,(byte)0xB8,0x51,0x40,0x00,0x07,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00};
break;
case 2:
packet = new byte[] {0x55,0x16,0x04,(byte)0xFC,0x2A,0x2D,(byte)0xB8,0x51,0x40,0x00,0x07,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00};
break;
default:
throw new Exception();
}
return CRC.pktCRC(packet);
}

private static byte[] UPGRADE_MODE_ENABLE_REPORTING() {
byte[] packet = new byte[] {0x55,0x16,0x04,(byte)0xFC,0x2A,0x2D,(byte)0xB8,0x51,0x40,0x00,0x0C,0x00};
return CRC.pktCRC(packet);
}

private static byte[] UPGRADE_DATA(int fileSize) {
byte[] packet = new byte[] {0x55,0x1A,0x04,(byte)0xB1,0x2A,0x28,(byte)0xBB,0x51,0x40,0x00,0x08,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x08};
private static byte[] UPGRADE_DATA(int target, int fileSize) throws Exception {
byte[] packet;
switch(target) {
case 1:
packet = new byte[] {0x55,0x1A,0x04,(byte)0xB1,0x2A,0x28,(byte)0xBB,0x51,0x40,0x00,0x08,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x08};
break;
case 2:
packet = new byte[] {0x55,0x1A,0x04,(byte)0xB1,0x2A,0x2D,(byte)0xBB,0x51,0x40,0x00,0x08,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x04};
break;
default:
throw new Exception();
}

byte[] size = ByteBuffer.allocate(4).putInt(fileSize).array();

packet[12] = size[3];
Expand All @@ -219,10 +279,20 @@ private static byte[] UPGRADE_DATA(int fileSize) {
return CRC.pktCRC(packet);
}

private static byte[] UPGRADE_FINISH_DATA(byte[] payload) {
byte[] packet = new byte[] {0x55,0x1E,0x04,(byte)0x8A,0x2A,0x28,(byte)0xCE,0x51,0x40, 0x00, 0x0A, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

private static byte[] UPGRADE_FINISH_DATA(int target, byte[] payload) throws Exception {
byte[] packet;
switch(target) {
case 1:
packet = new byte[] {0x55,0x1E,0x04,(byte)0x8A,0x2A,0x28,(byte)0xCE,0x51,0x40, 0x00, 0x0A, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
break;
case 2:
packet = new byte[] {0x55,0x1E,0x04,(byte)0x8A,0x2A,0x2D,(byte)0xCE,0x51,0x40, 0x00, 0x0A, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
break;
default:
throw new Exception();
}
byte[] md5 = payload;

try {
Expand Down
Binary file added src/resources/payloadRC.bin
View file
Open in desktop
Binary file not shown.