How to decrypt S1 firmware
sevreNniarB
lvl.4
Germany

Prerequisites  
  • Root access to the RMS1
  • ADB
  
How to  
Let's say you have access to the RMS1 latest firmware files… should be really easy, because they are already on your computer, right?

debug#1.jpg
  
Use [adb push] to get the file to your S1. I personally use the S1 destination dir [usbstorage] in the [data] directory:
debug#2.jpg

When done use the DJI tool [dji_verify] to extract the firmware file:
debug#6.jpg

[dji_verify -n 0801 -o 0801.unsig xw607_0801_v00.11.06.96_20191111.pro.fw.sig]
  
-n 0801 - handles the header of the original image name
  
-o 0801.unsig - will be the decrypted file

xw607_0801_v00.11.06.96_20191111.pro.fw.sig – is your source encrypted FW file

Executing the command will take some time and decrypt the FW file...

When done, pull the file from your S1 folder:
debug#3.jpg
  
Rename the pulled file, e.g. from 0801.unsig to 0801.zip. Use your favorite zip tool (I use WinRAR) and open the file:
debug#4.jpg

From this point do whatever you want... I use it for analysis. Don't forget to clear the locally stored files on the S1 - you will run out of memory if you don't do so.

Cheers
2019-11-29
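As an added example (not part of the original post): a Python check to run on the pulled 0801.unsig before renaming it to .zip. It confirms the file really is a ZIP container, records its SHA-256 for your analysis notes, and flags archive members whose paths would land outside the extraction directory. The function names, report fields and the constructed sample archive are assumptions made for illustration.

```python
import hashlib
import io
import sys
import zipfile
from pathlib import PurePosixPath


def inspect_unsig(data: bytes) -> dict:
    """Inspect the bytes of a pulled .unsig file without extracting it."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_zip": False,
        "members": [],   # (name, uncompressed size) for every entry
        "unsafe": [],    # entries that would escape the extraction dir
    }
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return report  # not a ZIP: wrong file, or the tool did not finish
    report["is_zip"] = True
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            report["members"].append((info.filename, info.file_size))
            parts = PurePosixPath(name).parts
            has_drive = len(name) > 1 and name[1] == ":"
            if name.startswith("/") or has_drive or ".." in parts:
                report["unsafe"].append(info.filename)
    return report


def constructed_sample() -> bytes:
    """Constructed stand-in for 0801.unsig; not real firmware content."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("system/app/service.py", "print('hello')\n")
        zf.writestr("../outside.txt", "escapes the extraction dir\n")
    return out.getvalue()


if __name__ == "__main__":
    # Pass the pulled file as the first argument; without one, the
    # constructed sample is inspected instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = constructed_sample()
    for key, value in inspect_unsig(blob).items():
        print(f"{key}: {value}")
```

If `unsafe` is not empty, extract into a throwaway directory with a tool that refuses such paths rather than opening the archive in place.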
DJI Stephen
Super Moderator


Hello and good day sevreNniarB. Thank you for sharing this information with us and thank you for your valued support.
2019-11-30
g1107
lvl.4
China
2019-11-30
albertr
lvl.4
United States

Nice! I suspect you have looked at the content of these F/W images already? Anything interesting you want to share? Is DJI using python extensively or binary applications?

-albertr
2019-12-1
BGA
Captain
United States

albertr Posted at 12-1 06:50
Nice! I suspect you have looked at the content of these F/W images already? Anything interesting you want to share? Is DJI using python extensively or binary applications?

-albertr

There is a lot of python code. The plaintext SDK is mostly python, for example. But there are also specific services running in the robot that are native binaries.
2019-12-1
albertr
lvl.4
United States

Thanks, @BGA. I'll guess I will have to take a look now ;-) We haven't updated the firmware on my son's S1 yet and I'm hesitant to do it. Did anyone capture the URLs to download firmware updates from or can share firmware files?

-albertr
2019-12-2
sevreNniarB
lvl.4
Germany

albertr Posted at 12-2 09:17
Thanks, @BGA. I'll guess I will have to take a look now ;-) We haven't updated the firmware on my son's S1 yet and I'm hesitant to do it. Did anyone capture the URLs to download firmware updates from or can share firmware files?

-albertr

You can update, it is safe.

The URLs in the RMS1 software are encrypted and work with JSON, maybe I will take a look in the future.

Cheers
2019-12-2
albertr
lvl.4
United States

Do you know how to flash the firmware without the S1 application? I.e. upload it to the "intelligent" controller and trigger it to reboot to recovery and flash it?
Is it possible to flash the older versions of the firmware, or is DJI preventing it?

Thanks,
-albertr
2019-12-4
BGA
Captain
United States

albertr Posted at 12-4 06:04
Do you know how to flash the firmware without the S1 application? I.e. upload it to the "intelligent" controller and trigger it to reboot to recovery and flash it?
Is it possible to flash the older versions of the firmware, or is DJI preventing it?

I did not try, but this might be possible, yes. I am not sure downgrading the firmware is possible as it might have extra checks for that. Also it is probably not easy to flash a custom firmware (not signed by DJI).

2019-12-4
sevreNniarB
lvl.4
Germany

  
It should work like with all other DJI products

Problem is that the authors of DumlDore and the DJI Tools seem not to be very eager to invest time in the RMS1, but this is understandable. Everything is already there it just needs to be adapted. When you e.g. use DumlDore it manages to get the RMS1 in 'Update mode', but the rest of the puzzle is missing incl. a working 'red herring' (remote executable exploit) for the RMS1.
  

A FW downgrade option is already available in the DJI workbench version, but we don't have access to it. The files are located at local DJI servers (there is a differentiation for dev, test, exp, …). We only see the end-user workbench.

  
Downloading FW versions without software is not rocket science, but it is bound to your DJI account. I will not publish the method here, because that is crossing a line... Imho the best way to archive older firmware atm is to back up your local \RoboMaster_Data\StreamingAssets\FirmwareUpgradeEncrypted folder and keep it.
  

It seems the user base is not large enough and the demand for this kind of stuff is really low.
   
2019-12-4
djiuser_KCWp47vdeRGe
lvl.1
United States

sevreNniarB Posted at 2019-12-4 15:01
It should work like with all other DJI products
Problem is that the authors of DumlDore and the DJI Tools seem not to be very eager to invest time in the RMS1, but this is understandable. Everything is already there it just needs to be adapted. When you e.g. use DumlDore it manages to get the RMS1 in 'Update mode', but the rest of the puzzle is missing incl. a working 'red herring' (remote executable exploit) for the RMS1.  
A FW downgrade option is already available in the DJI workbench version, but we don't have access to it. The files are located at local DJI servers (there is a differentiation for dev, test, exp, …). We only see the end-user workbench.

Stop by DJI-Rev and see us. The DumlDore author is there, I'm one of the original "OG"'s, we simply don't have access to the firmware, we are however happy to support it.
https://dji-rev.com/signup_email
3-26 16:12