DJI RC - Full Android Access
68448 172 2022-5-20
[ilkeraktuna]

Fw071 Posted at 2-21 13:54
I tried to debug the whole process but unfortunately it has a debug protection built in

which app did you try for debugging ? xdbg ?
you have to find the entrypoint for the "debugger detected" window. Then you can first stop the debug detection. Afterwards, we'll have to figure out where it checks for "prohibited" message.
2023-2-22
Fw071

[ilkeraktuna] Posted at 2-22 00:34
which app did you try for debugging ? xdbg ?
you have to find the entrypoint for the "debugger detected" window. Then you can first stop the debug detection. Afterwards, we'll have to figure out where it checks for "prohibited" message.

Yeah, it was XDG. I tried some debugging plugins, but I couldn't get them to work. I've never used it before, so it's quite complicated...
2023-2-22
djiuser_jZElbzvkKfnV

[ilkeraktuna] Posted at 2-21 22:51
TR:
Of course it can be free, Aytaç. We'll work on it and make it happen.




They have it well closed. Do you know another way to see what this app does?
2023-2-22
[ilkeraktuna]


actually if you know how to use xdbg, you can override that.
You can find that popup alert through "internal calls" with name "getwindow"
But I am not familiar with assembly, and I could not find the point where it jumps to that popup.
someone who has deep assembly knowledge can do it.

on the other hand, we can go with the USB capture if someone can decode it.
2023-2-22
djiuser_1v5d3v9WCwLM

It will be much easier to track the adb commands that the exe does. Like it's seen in a video on bili bili (BV118411779t)

Look at the title bar @ 1:58, it does some adb push fcc .... /data/....
Maybe if we can track all the adb commands that it executes it will be simpler

Another option could be to use a MITM attack faking the server, but we need to know the server address that it connects to
2023-2-22
Fw071

djiuser_1v5d3v9WCwLM Posted at 2-22 14:14
It will be much easier to track the adb commands that the exe does. Like it's seen in a video on bili bili (BV118411779t)

Look at the title bar @ 1:58, it does some adb push fcc .... /data/....

First the tool downloads a file named fcc.rar to your %temp%; that must be the fcc hack which it pushes to the data/dji application folder.

The server is not that hard to find, I think, if you turn on your firewall logging or use Process Explorer? But you don't know how to reply or what to reply..
2023-2-22
[ilkeraktuna]

djiuser_1v5d3v9WCwLM Posted at 2-22 14:14
It will be much easier to track the adb commands that the exe does. Like it's seen in a video on bili bili (BV118411779t)

Look at the title bar @ 1:58, it does some adb push fcc .... /data/....

I am not good at catching what you see on the video.
Are you sure that it sends an "adb push" ?
because I'm not sure if "adb push" will work on an "unauthorized" device
2023-2-23
[ilkeraktuna]

djiuser_1v5d3v9WCwLM Posted at 2-22 14:14
It will be much easier to track the adb commands that the exe does. Like it's seen in a video on bili bili (BV118411779t)

Look at the title bar @ 1:58, it does some adb push fcc .... /data/....

what is the address for the video ?
2023-2-23
djiuser_1v5d3v9WCwLM

[ilkeraktuna] Posted at 2-23 13:52
what is the address for the video ?

Go on bili bili dot com and open a video, then look at the link and change it with the part in ( )
2023-2-24
zasu425

any updates on how to authorize on adb so i can install apks?
2023-2-24
[ilkeraktuna]

zasu425 Posted at 2-24 22:29
any updates on how to authorize on adb so i can install apks?

I could not find anything.
I asked some questions above about "adb push" but couldn't get an answer.
2023-2-25
zasu425

[ilkeraktuna] Posted at 2-25 12:30
I could not find anything.
I asked some questions above about "adb push" but couldn't get an answer.

I saw this https://m.youtube.com/watch?v=hSi93Cd1uNQ If you read the description, it says that he was able to get access to the Android system, which he found out by accident. Now my question is if there's a way to decompile the djifcc.exe and modify it so that we can get adb access without having to pay $69. I have not been able to sleep because of this. Please, someone, we need closure.
2023-2-25
djiuser_jZElbzvkKfnV

zasu425 Posted at 2-25 22:03
I saw this https://m.youtube.com/watch?v=hSi93Cd1uNQ If you read the description, it says that he was able to get access to the Android system, which he found out by accident. Now my question is if there's a way to decompile the djifcc.exe and modify it so that we can get adb access without having to pay $69. I have not been able to sleep because of this. Please, someone, we need closure.

It may be that the djirc.exe does not contain the command that interests us, but rather it is a private access to the developer's server and from there the necessary instructions are launched.  I have seen this way of hacking in similar applications to unlock iPhones (IOS versions only)
2023-2-26
[ilkeraktuna]

https://cracked.io/Thread-DJI-FCC

please bump this
2023-2-26
vallopalo

Hi! I'm new here.
isn't there any possibility to enable developer mode using the sd card?
2023-2-26
zasu425

[ilkeraktuna] Posted at 2-26 11:03
https://cracked.io/Thread-DJI-FCC

please bump this

I still get the error if I leave it default tho?
2023-2-27
zasu425

vallopalo Posted at 2-26 12:20
Hi! I'm new here.
isn't there any possibility to enable developer mode using the sd card?

I’m pretty sure there has to be some kind of exploit
2023-2-27
zasu425

I'm going to look and ask on xda developers; maybe someone can help us with this
2023-3-1
[ilkeraktuna]

zasu425 Posted at 3-1 18:58
I'm going to look and ask on xda developers; maybe someone can help us with this

good idea. there are people who know android and adb better than anyone.
can you please provide the thread link you've posted ?
We can join you there...
2023-3-1
Martein

Who has already unlocked the remote, share information about the installed system, version, build, processor, and more.
Ex. You can install aida64 for android
2023-3-2
zasu425

[ilkeraktuna] Posted at 3-1 21:20
good idea. there are people who know android and adb better than anyone.
can you please provide the thread link you've posted ?
We can join you there...

Ok I will post it here shortly
2023-3-2
zasu425

Martein Posted at 3-2 06:41
Who has already unlocked the remote, share information about the installed system, version, build, processor, and more.
Ex. You can install aida64 for android

I think someone posted the link to a bilibili video. His name is micheal515. I looked around and saw that there are 2 profiles, I believe, and he shows off his RC controller with full Android access. The bilibili site is all in Chinese, but if you use Chrome you can translate 90% of it. Maybe someone can get in touch with him and figure out how it's done. I wasn't able to; the site is a little difficult.
2023-3-2
djiuser_1v5d3v9WCwLM

zasu425 Posted at 3-2 11:43
I think someone posted the link to a bilibili video. His name is micheal515. I looked around and saw that there are 2 profiles, I believe, and he shows off his RC controller with full Android access. The bilibili site is all in Chinese, but if you use Chrome you can translate 90% of it. Maybe someone can get in touch with him and figure out how it's done. I wasn't able to; the site is a little difficult.

If you read the comments, he says that there's a private group where to ask. I think he's in touch with sincoder or someone that does the same thing, paid ofc.

In my spare time I'm working on this thing, trying to find the adb/exploit to do this.
2023-3-2
[ilkeraktuna]

djiuser_1v5d3v9WCwLM Posted at 3-2 12:26
If you read the comments, he says that there's a private group where to ask. I think he's in touch with sincoder or someone that does the same thing, paid ofc.

In my spare time I'm working on this thing, trying to find the adb/exploit to do this.

I am also trying to do the same but I could not find any exploit.
Maybe it's not an exploit and "sincoder" has relation to people at DJI and he produces official signatures to use with Android on the RC.
2023-3-2
djiuser_1v5d3v9WCwLM

[ilkeraktuna] Posted at 3-2 13:04
I am also trying to do the same but I could not find any exploit.
Maybe it's not an exploit and "sincoder" has relation to people at DJI and he produces official signatures to use with Android on the RC.

Probably, I read that DJI can't allow users to switch between CE and FCC but they're "sidely" giving us the opportunity to do that
2023-3-3
[ilkeraktuna]

djiuser_1v5d3v9WCwLM Posted at 3-3 00:03
Probably, I read that DJI can't allow users to switch between CE and FCC but they're "sidely" giving us the opportunity to do that

I wish it wouldn't be a paid solution
2023-3-3
zasu425

[ilkeraktuna] Posted at 3-3 07:06
I wish it wouldn't be a paid solution

I know, me too. I mean, it's Android, so there must be a way to exploit it. Maybe there's a way to flash RC Pro firmware to the non-pro RC controller; idk if they're compatible.
2023-3-3
[ilkeraktuna]

has anyone already posted this to xda forum ? if yes, then could you please provide the URL for the thread ?
2023-3-3
n15c

Hello everyone,

I try to make a small conclusion about this whole thread, so it is easier to understand the situation.

Findings in this thread:
  • There exists an FCC hack for the RC, which can be found under http://dji-fcc.com/djifcc.zip and can be unpacked using the password "dji"
  • Any attempts to connect via ADB fail due to the missing vendor key or an authorization to the Android device
  • There is a "special mode" which can be activated as described here: https://forum.dji.com/forum.php?mod=viewthread&tid=265378
  • The djifcc.exe is protected by an anti-debugging mechanism
  • People who paid for the DJI-FCC hack are able to connect using ADB and install their own APKs
  • The developer mode setting is not available, thus the adb authorization is not possible
  • The policy of DJI to lock all this ADB access violates the terms and conditions of Android

My findings:
  • The djifcc.exe contains a hardcoded SSL certificate of the server, thus it is not possible to intercept the encrypted web traffic without further modification of the application. With the private certificate file, which is stored on the server dji-fcc.com, it is possible to intercept the web traffic and maybe modify the response of the server to activate the application.
  • The exe file contains an anti-debugging mechanism which is resistant to "ScyllaHide", a plugin for x64dbg to hide the debugger
  • The djifcc.exe does not use a system proxy. Therefore it is necessary to use software like Proxifier to intercept the web traffic
  • The djifcc.exe does not seem to use the Android Debug Bridge. Using the libusb0.dll in the corresponding directory, it seems to communicate directly with the USB controller.
  • Using the libusb library it was possible to identify the controller as follows
    Dev (bus 2, device 28): 2CA3 - 1023 speed: 480M
      Manufacturer:              DJI
      Product:                   APQ8053-QRD _SN:********
    This information leads us to a SoC of qualcomm (https://www.qualcomm.com/products/technology/processors/application-processors/apq8053#Overview)

My conclusion:
If we really want to understand how the hack is working, we need to investigate the communication between the libusb and the device. If we have the necessary commands of the library we are able to write a small application which modifies the necessary parameters and allows us to connect via ADB.

If you have any comments or ideas, feel free to respond!


2023-3-6
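Background to the "unauthorized" ADB state summarized in the post above, as an added example that is not part of the original post or any tool mentioned in the thread: in ADB's handshake the device challenges the host with an AUTH TOKEN and only answers CNXN once a signature verifies against a key it trusts. The sketch parses the device-to-host half of a handshake; the byte strings are constructed samples, and `build`, `parse_stream` and `auth_state` are names chosen for this example.

```python
import struct

# ADB wire constants, as given in AOSP's adb protocol description.
CMDS = {0x4E584E43: "CNXN", 0x48545541: "AUTH", 0x4E45504F: "OPEN",
        0x59414B4F: "OKAY", 0x45534C43: "CLSE", 0x45545257: "WRTE"}
AUTH_TOKEN, AUTH_SIGNATURE, AUTH_RSAPUBLICKEY = 1, 2, 3
HEADER = struct.Struct("<6I")  # command, arg0, arg1, length, checksum, magic

def build(name, arg0, arg1, payload=b""):
    """Pack one ADB message; used here only to construct sample traffic."""
    cmd = next(k for k, v in CMDS.items() if v == name)
    return HEADER.pack(cmd, arg0, arg1, len(payload),
                       sum(payload) & 0xFFFFFFFF, cmd ^ 0xFFFFFFFF) + payload

def parse_stream(data):
    """Yield (name, arg0, arg1, payload) per message, rejecting corrupt ones."""
    off = 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated header")
        cmd, arg0, arg1, length, check, magic = HEADER.unpack_from(data, off)
        if cmd not in CMDS or magic != cmd ^ 0xFFFFFFFF:
            raise ValueError(f"bad command or magic at offset {off}")
        off += HEADER.size
        payload = data[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated payload")
        # Newer adb versions send 0 here and skip the checksum.
        if check and check != sum(payload) & 0xFFFFFFFF:
            raise ValueError("payload checksum mismatch")
        off += length
        yield CMDS[cmd], arg0, arg1, payload

def auth_state(device_to_host):
    """Classify what the device said during the connection handshake."""
    state = "no-response"
    for name, arg0, _arg1, _payload in parse_stream(device_to_host):
        if name == "CNXN":
            return "authorized"     # device accepted a signature or a key
        if name == "AUTH" and arg0 == AUTH_TOKEN:
            state = "unauthorized"  # device is still challenging the host
    return state

# Constructed device-to-host samples (not captured from any real device).
TOKEN = bytes(range(20))
UNAUTHORIZED = build("AUTH", AUTH_TOKEN, 0, TOKEN) * 2
AUTHORIZED = (build("AUTH", AUTH_TOKEN, 0, TOKEN)
              + build("CNXN", 0x01000000, 4096, b"device::\x00"))
```

A device that keeps repeating AUTH TOKEN has rejected every signature offered so far, which is the state the `adb devices` listing reports as "unauthorized".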
djiuser_1v5d3v9WCwLM

n15c Posted at 3-6 01:50
Hello everyone,

I try to make a small conclusion about this whole thread, so it is easier to analyze the problem.

Awesome analysis!

This brings me to dive into the steps that are necessary to apply the patch, and I think that the "open DJI Assistant" is not only to verify that the controller is recognized but I think it is used to put the controller in a sort of "listen mode" (DJI Assistant can do firmware upgrades, so it has to be capable of doing low-level operations).
Furthermore, I navigated through the DJI Assistant folder and saw that there are cp210, STM etc. drivers, so maybe the libusb is used to communicate with such a controller interface.

I hope this will help! I'll also continue doing my tests with some adb exploits
2023-3-6
[ilkeraktuna]

n15c Posted at 3-6 01:50
Hello everyone,

I try to make a small conclusion about this whole thread, so it is easier to analyze the problem.

Nice findings and good summary.
Thanks.

When I check the exe with xdbg64 , I see a reference to a warning for debugger. If we can remove that check or bypass it, maybe we can further analyse the exe.
Isn't that possible ?
2023-3-6
[ilkeraktuna]

anybody with any updates ?
2023-3-18
djiuser_MlIcG1lBjGMV

nothing to see here
2023-4-3
Chaitanya_22

any update Guys ??
2023-4-5
Chaitanya_22

foobar2000 Posted at 2-17 13:15
First of all... its not related to the Video.

I just gained temporary access using a tool called DJI RC Fcc. As the name suggests, it's a tool to enable FCC mode globally. It is sold for a rather expensive amount and is operating in a 2-pass approach.

can you tell the registration code of the fcc tool
2023-4-5
[ilkeraktuna]

no updates guys ?
2023-4-8
Chaitanya_22

still no luck
2023-4-9
Thunderelfo

The uhm.... webpage to unlock these features has been shut down (imagine having paid for it...) and it now displays a message towards a certain drone company
2023-4-10
djiuser_R5TBDgGuEJlT

Chaitanya_22 Posted at 4-9 01:20
still no luck

Ah man!

Another thing is can they work out a deal with Apple? I would prefer IOS option for controllers. I’m not sure if it’s possible. If not then the DJI smart controller is not for me. nice idea but personally I find the android interface unfriendly and confusing. I hope you guys can figure out how to install apps on it! On a video on DJI academy they were using a controller with a screen and it had Firefox on it. I’m not really sure I entirely understand what is going on, but if you paid big $ for something you should be able to install stuff on it.
2023-4-11
djiuser_DnjM4E5QWBTQ

Has anyone tried djircfccDOTcom yet?
The old address with the minus in between just cusses at DJI so no more Licensing and so on.

It's sad that we can't sideload apps on the RC, Imagine using Dronelink on that thing oooohh that would be a dream come true
2023-4-13