n15c
Hello everyone,
I will try to give a small conclusion about this whole thread, so it is easier to understand the situation.
Findings in this thread:
- There exists an FCC hack for the RC, which can be found under http://dji-fcc.com/djifcc.zip and can be unpacked using the password "dji"
- Any attempt to connect via ADB fails due to the missing vendor key or authorization for the Android device
- There is a "special mode" which can be activated as described here: https://forum.dji.com/forum.php?mod=viewthread&tid=265378
- The djifcc.exe is protected by an anti-debugging mechanism
- People who paid for the DJI FCC hack are able to connect using ADB and install their own APKs
- The developer mode setting is not available, thus the ADB authorization is not possible
- DJI's policy of locking all this ADB access violates the terms and conditions of Android
My findings:
- The djifcc.exe contains a hardcoded SSL certificate of the server, thus it is not possible to intercept the encrypted web traffic without further modification of the application. With the private certificate file, which is stored on the server dji-fcc.com, it is possible to intercept the web traffic and maybe modify the response of the server to activate the application.
- The exe file contains an anti-debugging mechanism which is resistant to "ScyllaHide", a plugin for x64dbg that hides the debugger
- The djifcc.exe does not use a system proxy. Therefore it is necessary to use software like Proxifier to intercept the web traffic
- The djifcc.exe does not seem to use the Android Debug Bridge. Using the libusb0.dll in the corresponding directory, it seems to communicate directly with the USB controller.
- Using the libusb library it was possible to identify the controller as follows:
Dev (bus 2, device 28): 2CA3 - 1023 speed: 480M
Manufacturer: DJI
Product: APQ8053-QRD _SN:********
This information leads us to a Qualcomm SoC (https://www.qualcomm.com/products/technology/processors/application-processors/apq8053#Overview)
My conclusion:
If we really want to understand how the hack works, we need to investigate the communication between libusb and the device. If we have the necessary commands of the library, we will be able to write a small application which modifies the necessary parameters and allows us to connect via ADB.
If you have any comments or ideas, feel free to respond!