
dji mini 4 pro decode with dji_imah_fwsig #384

Open
HackTeacher opened this issue Mar 9, 2024 · 3 comments

Comments

@HackTeacher

I downloaded the latest firmware of the DJI Mini 4 Pro from DDD, used binwalk to export some .sig files, and then used dji_imah_fwsig.py to decrypt them, but it reported an error. Analyzing the code, I found that the key was wrong, so I want to know how to find the key. Analyze dji_upgrade and extract it from there?

@hackycrash

hackycrash commented Sep 18, 2024

Decryption keys in dji_imah_fwsig.py seem deprecated.

Is there a generic method to get decryption key? @mefistotelis

I am trying to find a way to get decryption key for dji osmo action 4 firmware.

If you let me know, I will do it and contribute to this project.

@mefistotelis
Collaborator

mefistotelis commented Sep 18, 2024

Is there a generic method to get decryption key?

No. The methods changed between devices, as DJI tried to patch all the holes in their implementation.

The remaining methods are not public, and can be published only by the people who extracted the keys.

Breaking into the ARM TrustZone does require studying the subject in detail.

When we were starting, it was enough to create a .tar file which stores a file name like | cat /proc/meminfo and use it as the FW update file. The DJI update procedure would extract the TAR and execute a command on each file inside, executing the command provided. Then we used a race condition while starting two FW updates at the same time, and started installation of the 2nd FW after passing verification of only the 1st one. In the meantime we also used storing symbolic links in TAR files, and a few other techniques. When TrustZone was introduced, we used some holes DJI made to work around their lack of understanding of its rules, some special commands. On other platforms we used various techniques to capture encrypted binaries, starting at the bootloader, then analyzed them to find a hole in the next layer. Sometimes DJI was also publishing stuff they did not intend to publish, like giving drones with early pre-release FW to influencers, or just publishing FW or other files with some extra presents inside.
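
The comment above describes two historical weaknesses in an update path: an archive entry whose file name is passed to a shell, and archives carrying symbolic links. The following is an added example (not code from dji-firmware-tools or from the commenter) showing how an updater's archive validator would reject those entry classes before anything is executed or extracted. The sample .tar is constructed in memory and is not a real DJI update; the entry names and the allowlist pattern are this example's own choices.

```python
import hashlib
import io
import posixpath
import re
import tarfile

# Allowlist for entry names: letters, digits, dot, underscore, slash, dash.
# Spaces and shell metacharacters such as '|' or ';' never match (assumption: our policy).
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/-]+$")


def check_entry(member: tarfile.TarInfo):
    """Return None if the archive entry is acceptable, else a short rejection reason."""
    name = member.name
    if not SAFE_NAME.fullmatch(name):
        return "name contains characters outside the allowlist"
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "path traversal component"
    if posixpath.normpath(name) != name:
        return "non-normalized path"
    if member.issym() or member.islnk():
        return "symbolic or hard link"
    if not (member.isfile() or member.isdir()):
        return "unsupported entry type"
    return None


def validate_update_archive(tar_bytes: bytes):
    """Walk a .tar update file without extracting it to disk.

    Returns (accepted, rejected): accepted maps each regular file name to its
    SHA-256 hex digest; rejected maps each rejected name to the reason.
    Hashing happens in-process, so an entry name never reaches a shell.
    """
    accepted, rejected = {}, {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            reason = check_entry(member)
            if reason is not None:
                rejected[member.name] = reason
                continue
            if member.isfile():
                data = tar.extractfile(member).read()
                accepted[member.name] = hashlib.sha256(data).hexdigest()
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample .tar (not a real firmware image): one good entry, three bad ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        def add_file(name, payload):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        add_file("fw/image.bin", b"\x00\x01\x02\x03")      # legitimate entry
        add_file("| cat /proc/meminfo", b"x")              # name meant for a shell
        add_file("../../etc/cron.d/job", b"x")             # escapes the extraction root
        link = tarfile.TarInfo("fw/link")                  # symlink entry
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = validate_update_archive(build_sample_archive())
    for name, digest in ok.items():
        print("OK     ", name, digest)
    for name, reason in bad.items():
        print("REJECT ", name, "-", reason)
```

The important design point is that the validator never hands a member name to `os.system` or a shell string; names are matched against an allowlist and files are hashed by the process itself, so a hostile name or a link entry is rejected as data rather than interpreted as a command or followed on the filesystem.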

@KTM1551

KTM1551 commented Sep 28, 2024

Yeah, I tried recently to do this same thing and got as far as the .sig files. I was getting errors as well and it was just the main information and nothing else to see.

I was working with an Avata FW file. V01.03.0000

The tool to extract the files from the .sig files doesn't seem to work on these newer drones, like stated above.

I would love to try something easier first, and then try the DJI FW again lol..

It's definitely not something you can just research on your own and learn, I've found out pretty quickly.
I don't have any training in coding like this. I wish I did; it's like a giant puzzle that I would love to solve or even just make some more progress on lol
