DJI Mavic privacy / backdoor

[Member]

After reading the news about the new firmware coming up which will enforce re-registering, make you accept a new privacy policy and will in long term likely force all Mavic usage out of cities, I have started the process of trying to save its current state so I would no longer be dependent on DJI if I ever needed to reinstall my app.

Already done:

- Used Helium + Carbon to back up the Go4 app + app-data on a non-rooted tablet in case the new Go app enforced the new firmware, some other policies or if I ever had to reinstall the tablet and the app which - again - would force me to connect to DJI with the account. If DJI ever goes bust or their servers are down, I need this backup otherwise my drone would be no more than a paperweight.

To do:

- Check where the app connects to
- Mitm connection to the DJI site
- Find out how current/old firmwares are downloaded
- Create a way to intercept the login process and return an 'OK'
- Create a way to upload an older firmware (if the option was later denied and wasn't enforced by the new firmware - though this is unlikely)

Now... I wasn't going to share any of this, but a minute ago when I started working on this, when I launched the app it connected to these:

1) graph.facebook.com

2) astat.bugly.qq.com

3) upgrade.dj2006.net

4) adash.m.taobao.com

5) upgrade.bgcentre.com

6) version.hybrid.api.here.com

7) download.vcdn.nokia.com

8) www.skypixel.com

9) www.djiexplore.com

10) mydjiflight.dji.com

11) statistical-report.djiservice.org


I haven't done any SSL mitm yet, but I'm already seeing this:

T *:* -> 52.200.19.217:80 [AP]
POST /upgrade/inspireinfo HTTP/1.1..Content-Type: application/x-www-form-ur
lencoded..Content-Length: 252..Host: upgrade.dj2006.net..Connection: Keep-A
live..Accept-Encoding: gzip....Data={"apptype":1,"appversion":"4.0.2","crea
tetime":1495916404107,"devicesn":"<MY SERIAL>","devicetype":1,"devicever
sion":"03.02.30.13","guid":"<MY DEVICE ID>","id":25,"
isUploaded":false,"productype":13,"user":"<MY USERNAME>"}

Phoning home with the serial and username and everything else is kind of expected (though still highly undesired). Posting crap to Facebook (I specifically avoided installing Facebook) and the Chinese QQ doesn't make me jump for joy. QQ is some debugging service for Android. Nokia / here.com are used for the map I think. Skypixel is used for the splash image. MyDJIflight.com - I don't know, it's on SSL but I hope it's not the server to receive all my flight logs automatically.

I do wonder what "isUploaded" means. Uploaded what.... It sounds suspicious.

Today I visited a friend, I took my two mavics, asked him to install the app to fly with me. According to the above (since my friend has Facebook on his phone) Facebook is able to connect him to flying my drone. And this is probably just the tip of the iceberg.

I know this is not much info but I'll post it if I find out anything new and interesting. If anyone's been over this or got any clues, I would appreciate the info myself. I'm a bit swamped with work so I'm doing this out of necessity, not the fun of debugging.

 

[stratos]

After reading the news about the new firmware coming up which will enforce re-registering, make you accept a new privacy policy and will in long term likely force all Mavic usage out of cities, I have started the process of trying to save its current state so I would no longer be dependent on DJI if I ever needed to reinstall my app.

Already done:

- Used Helium + Carbon to back up the Go4 app + app-data on a non-rooted tablet in case the new Go app enforced the new firmware, some other policies or if I ever had to reinstall the tablet and the app which - again - would force me to connect to DJI with the account. If DJI ever goes bust or their servers are down, I need this backup otherwise my drone would be no more than a paperweight.

To do:

- Check where the app connects to
- Mitm connection to the DJI site
- Find out how current/old firmwares are downloaded
- Create a way to intercept the login process and return an 'OK'
- Create a way to upload an older firmware (if the option was later denied and wasn't enforced by the new firmware - though this is unlikely)

Now... I wasn't going to share any of this, but a minute ago when I started working on this, when I launched the app it connected to these:

1) graph.facebook.com

2) astat.bugly.qq.com

3) upgrade.dj2006.net

4) adash.m.taobao.com

5) upgrade.bgcentre.com

6) version.hybrid.api.here.com

7) download.vcdn.nokia.com

8) www.skypixel.com

9) www.djiexplore.com

10) mydjiflight.dji.com

11) statistical-report.djiservice.org


I haven't done any SSL mitm yet, but I'm already seeing this:

T *:* -> 52.200.19.217:80 [AP]
POST /upgrade/inspireinfo HTTP/1.1..Content-Type: application/x-www-form-ur
lencoded..Content-Length: 252..Host: upgrade.dj2006.net..Connection: Keep-A
live..Accept-Encoding: gzip....Data={"apptype":1,"appversion":"4.0.2","crea
tetime":1495916404107,"devicesn":"<MY SERIAL>","devicetype":1,"devicever
sion":"03.02.30.13","guid":"<MY DEVICE ID>","id":25,"
isUploaded":false,"productype":13,"user":"<MY USERNAME>"}

Phoning home with the serial and username and everything else is kind of expected (though still highly undesired). Posting crap to Facebook (I specifically avoided installing Facebook) and the Chinese QQ doesn't make me jump for joy. QQ is some debugging service for Android. Nokia / here.com are used for the map I think. Skypixel is used for the splash image. MyDJIflight.com - I don't know, it's on SSL but I hope it's not the server to receive all my flight logs automatically.

I know this is not much info but I'll post it if I find out anything new and interesting. If anyone's been over this or got any clues, I would appreciate the info myself. I'm a bit swamped with work so I'm doing this out of necessity, not the fun of debugging.

Cant h8 spybook enough. Thanks for the investigation

 

[MacPap]

Very interesting

 

[BorisTheSpider]

Jesus H Christ, these fiends have no shame huh. Good work - I'll be interested to see how your work progresses.

 

[mavicn00b]

Shady Chinese company

 

[KiterTodd]

Ugh. That is all sketchy. On one hand, it could be a typical consumer company with good intentions to control quality and protect themselves from liability. On the other hand... it's China. U.S. consumers are buying these up like crazy. Is every drone now a point of presence for the Chinese government to look into our phones and lives? Sketchy...

 

[stratos]

That how this companies make profit spybook and snapfag and all those by selling your data. Your activities etc

 

[JP]

Its the world as we know it now. Its likely 95%(maybe even more) of the general consumer population is oblivious to all this tracking and sharing from smartphones, websites, drones, Facebook, Instagram, cloud, Google, etc etc. They are tracking everything and sharing it. Their "Privacy" agreements means absolutely nothing. Those are just ways to give people that "Feel good" so they will post away. In a way all this narcissistic behavior displayed by many will be their undoing.

Our Mavics are no different. They will soon be linked to hidden viewing by the NSA and a host of others Gov sites(Not counting what might be seen by other govts). I suspect that if you never fly near airports/ harbors and "Areas' of significant interest you will be off their radar. However if you bounce off NFZ's or restricted airspace they will be pinged just like the "key words" they track now on internet chatter.

This is why I do not have a Facebook, Linked In, or any social media acct and do not put anything on the cloud, You Tube, etc.

 

[Member]

To clarify a few things:

* They're not 'shady' per se. You have agreed to everything that is being done in the T&C. It's kind of like when you click 'Agree' that Apple can kidnap you and make you part of a human centipede.

* Many apps are sending a ton of info back about you and have remote remote killswitches and stuff. While logging MITM'd data, I noticed Samsung sending all info about my tablet on a regular basis and Google sending "antiabuse" stuff home with the serial and board number and a lot of other data. Doesn't mean I like it.

* The Facebook connection is most likely not something they wanted to build in specifically. When you build an app, in order to use some features (map, Facebook like etc) you have to use a library as is, and that library will communicate. Such libraries in the case of Mavic include those of Facebook, QQ, Bing, Google and some shady cryptic data is sent to Baidu as well. Also, lots of libraries for 'debugging' that if I understand it correctly post every little output, exception, action to some server who pour it into big data databases and can show cool looking charts to the developing company. And they remain even after the software is released so they can get info about how the software is used.

And now for some other info:

* As I have previously shown, when the app looks for an upgrade, it sends them your username, your device ID and your Mavic's unique ID.

* It posts your IP address specifically to see which country you are in as an extra measure.

* Even if you use a proxy and disable GPS on your device, when you connect the aircraft sends the app the GPS coordinates and in turn app sends home the aircraft serial, your username, misc device info and your location. It continues to send the GPS coordinates to DJI as long as you have internet and the aircraft is connected.

* Based on the GPS coordinates, DJI Go downloads a list of no-fly zones specific to the country. This is obviously so they can ban places in between firmware updates. Whether the list sent by the server is synced to the aircraft I don't know, but it's likely. I wish I could MITM the data between the app and the aircraft (or the remote controller).

* The app also downloads a list of blacklisted battery serial numbers and hashes (I'm guessing they are banning some custom made and sold batteries they found on the market).

{"status":0,"invalid_battery_md5_list":["c02bd42367d6146c744cbcfa2c8dd922"]}

* When the app looks for an update, the server's response decides if the upgrade should be forced.

{"update":true,"new_version":"4.0.7","new_version_code":22390,"apk_url":"https://adhoc-usa.djicdn.com/produc...fbc56bea5479b77b2eaf6ed28efb.apk?auth_key=***","update_log_en":"\u003cb\u003eRelease Note:\u003c/b\u003e\u003cbr\u003e\u003cul\u003e\u003cli\u003eAdded support for the Phantom 4 Advanced. \u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e","force_update":false,"new_md5":"c6a0fbc56bea5479b77b2eaf6ed28efb","target_size":116474062}

* There is an 'expiry' of firmwares, currently set to not enforced. Notice 'antirollback=1' and 'enforce=0'

<dji>
<device id="wm220">
<firmware formal="01.03.0550">
<release version="01.03.0550" antirollback="1" enforce="0" from="2017/04/05" expire="2018/04/05">
<module id="0305" version="34.04.00.23" type="" group="ac" size="55072" md5="c6fabddc843a0d9e6a6dd8f3c367add4">wm220_0305_v34.04.00.23_20161122.pro.fw.sig</module>
<module id="0306" version="03.02.21.31" type="" group="ac" size="1520416" md5="ce8e53632786ca555fcbe7c483d71309">wm220_0306_v03.02.21.31_20170402.pro.fw.sig</module>
...etc...

* To see if anything would happen in the future, I changed the date to 2020 in the app and everything still worked. But there's still some chance that the 2018/04/05 expiry will be enforced when the GPS reports a date after the expiry. It's very possible that the firmware itself will do some blocking when it sees the GPS time has passed a specific point.

* The latitude & longitude info obtained from the aircraft is continuously posted to acbe.aasky.net.

* When you first run the app and accept the t&c, the app downloads something called "gnss_assistnow_offline_data" which is a binary blob of the type "application/ubx". I don't know what this is.

I guess, the bottom line for me is:

* NEVER running DJI Go with internet access again.
* NEVER updating to a new firmware.
* FINGERS CROSSED that the firmware won't expire in 2018.

None of this is something you should necessarily be concerned about. Some people don't really care if their location is posted and tracked by all these entities.

Though these things annoy me, my main concern rather lies in that I don't want to lose the ability to fly because of whatever DJI decides in the future. These drones were not cheap, I purchased them for my own use and I did not RENT them for use until they decide to change the conditions or go bust. In the sea of text that we have all agreed to, I'm sure there's a clause that says it's all up to them, but that's not good enough for me. The legal text should not go completely against common sense. That's like making unenforceable or unconstitutional laws. The people will just break them or be 'close enough'.

 

[ecoleman]

 

[Nightowl702]

How much of this was in all the older versions of the software? We may have been flying with this from the beginning. This file, gnss_assistnow_offline_data, I would guess has something to do with the GPS. GNSS stands for Global Navigation Satellite System, and is the standard generic term for satellite navigation systems that provide autonomous geo-spatial positioning with global coverage. This term includes e.g. the GPS, GLONASS, Galileo, Beidou and other regional systems. GNSS is a term used worldwide The advantage to having access to multiple satellites is accuracy, redundancy and availability at all times. Though satellite systems don't often fail, if one fails GNSS receivers can pick up signals from other systems. Also if line of sight is obstructed, having access to multiple satellites is also a benefit. Common GNSS Systems are GPS, GLONASS, Galileo, Beidou and other regional systems.

 

[Nikon1]

And this is the type and depth of coverage that will ALWAYS draw me to MavicPilots first when I have a question or concern.

Thank you for all the research and sharing it!

 

[Member]

How much of this was in all the older versions of the software? We may have been flying with this from the beginning.

Most likely, yes. I doubt it's anything new.

This file, gnss_assistnow_offline_data, I would guess has something to do with the GPS. GNSS stands for Global Navigation Satellite System

Thanks. What had me mention this in the first place was the "application/ubx" part. Particularly: why download a binary every time, what is included in there? What is needed to be kept fresh about it? Is it something executed or used by the firmware? What is the difference when I don't have internet and go without it? Remember, everything that is is communicated back & forth is not required for flying.

 

[Kilrah]

Most likely Assisted GPS, which allows for much faster initial GPS fixes by downloading satellite almanac data from a server instead of having to acquire it from satellites themselves which could take minutes.

Most of the communication info and the servers that are contacted was already posted months ago so it's indeed nothing new, likely even way before the Mavic.

 

[Member]

Most likely Assisted GPS, which allows for much faster initial GPS fixes by downloading satellite almanac data from a server instead of having to acquire it from satellites themselves which could take minutes.

That makes sense. I'm sure that's it. Thanks for the info.

Most of the communication info and the servers that are contacted was already posted months ago so it's indeed nothing new, likely even way before the Mavic.

I didn't mean to double post. I even googled a few bits before posting this to avoid that. Sorry.

 

[Gary7399]

Very interesting. I can see how this could be a benefit to the Chinese. I just can't believe these people are smarter than us. Why can a us company manufacture something better in the drone market. I believe it's more of controlling what we do. They don't want us to have to much technology that can be used in their eyes as a means to see more of what our own government is doing. Although the majority of us don't think that way! Not trying to be a conspiracy theorist just penny for your thoughts. Thanks for the information.

 

[Kilrah]

Every large company whatever the field and origin does the exact same thing as soon as they've got the resources to invest in it and the legal side sorted, nothing to do with DJI or China.

The legal side is probably what would hold off the most ambitious things. Too much liability in the US. DJI doesn't care, at most their sales could be hurt in one country but being in China they'll never risk much more.

 

[Up & Adam]

I stopped updating my mavic a while ago, only ever fly with my iPad Pro, & in flight mode.
I've not had the dreaded message about signing in when there's an update because I haven't updated the app.

If it ain't broke, don't fix it.

The only thing I can't use now is the live maps, and the flight log maps, but I know where I am and where I've been.

 

[Member]

If it ain't broke, don't fix it.

I did this one final update because of the goggles. I'm definitely looking forward to getting that.

 

[Gary7399]

I don't know how everyone is doing this without updating my app made me update. I had no choice.