DJI Mavic, Air and Mini Drones
Friendly, Helpful & Knowledgeable Community
Join Us Now

some guy doing an FCC hack permanent for RC pro Controller

hjadr said:
DIE gave me some intresting results when scanning the map where I saved all files.

Code: 
G:\rev eng\DJI FCC\djifcc.exe 917 msec
MSDOS
PE64
    Linker: Microsoft Linker(14.33)[Console64,console]

G:\rev eng\DJI FCC\libusb0.dll 108 msec
MSDOS
PE64
    Compiler: Microsoft Visual C/C++(2005)
    Linker: Microsoft Linker(8.0 or 11.0)[DLL64,signed]
    Overlay: Binary
        Certificate: WinAuth(2.0)[PKCS #7]
        audio: Jochen Hippel's module (.HIP)

G:\rev eng\DJI FCC\Pass DJI fcc.txt 42 msec
Binary
    Format: plain text

G:\rev eng\DJI FCC\readme.txt 42 msec
Binary
    Format: plain text
Click to expand...
Sadly not so useful, beyond confirming that the executable was definitely packed (which we already know).
It reveals only that it is a Console Application for Win64 (64 bit Windows).
The DLL is actually a general USB Library used by many different applications, compiled in Microsoft C++ (and legitimately signed to prove its authenticity)
Thus far, we have extracted (I believe) ALL of the files that are downloaded each time the executable was run while the server was functioning.
I've also managed to extract from the binary the ADB commands executed to push the modified Android packages to the DJI RC.
I've also managed to obtain the Device Keys for my DJI RC (which I believe are actually device-specific)
However, my attempts to authenticate ADB so that I can push the files have, thus far, all failed.
 
  • Like
Reactions: Cizzz
FlowDrone said:
Sadly not so useful, beyond confirming that the executable was definitely packed (which we already know).
It reveals only that it is a Console Application for Win64 (64 bit Windows).
The DLL is actually a general USB Library used by many different applications, compiled in Microsoft C++ (and legitimately signed to prove its authenticity)
Thus far, we have extracted (I believe) ALL of the files that are downloaded each time the executable was run while the server was functioning.
I've also managed to extract from the binary the ADB commands executed to push the modified Android packages to the DJI RC.
I've also managed to obtain the Device Keys for my DJI RC (which I believe are actually device-specific)
However, my attempts to authenticate ADB so that I can push the files have, thus far, all failed.
Click to expand...
Can you walk me through your process of extracting the device key and adb commands? I have some spare time tonight and might just take off where you stranded. I have 2 different PC's that I uses for the mod. I am curious if there is a difference in the files.
I fear the modded android pages would have been downloaded in a temp folder so they would get deleted after a reboot. That's what I would do....
 
FlowDrone said:
Sadly not so useful, beyond confirming that the executable was definitely packed (which we already know).
It reveals only that it is a Console Application for Win64 (64 bit Windows).
The DLL is actually a general USB Library used by many different applications, compiled in Microsoft C++ (and legitimately signed to prove its authenticity)
Thus far, we have extracted (I believe) ALL of the files that are downloaded each time the executable was run while the server was functioning.
I've also managed to extract from the binary the ADB commands executed to push the modified Android packages to the DJI RC.
I've also managed to obtain the Device Keys for my DJI RC (which I believe are actually device-specific)
However, my attempts to authenticate ADB so that I can push the files have, thus far, all failed.
Click to expand...
Hi! Can you post ABD commands?
Before the advent of djifcc.exe, there was a program by the same author com2tcp.vmp.exe . Perhaps its decoding will help in your work? djifcc2.zip
 
  • Like
Reactions: vladin
jbma said:
I've looked at this before but it is not for me. I am using the DJI RC controller.
Click to expand...
You can still use it with the RC controller. You need to set FCC as detailed with the RCN1, Keep the drone on and just open your RC controller, it should then be in FCC. See:
To view this content we will need your consent to set third party cookies.
For more detailed information, see our cookies page.
 
Dmitry Sistor said:
Hi! Can you post ABD commands?
Before the advent of djifcc.exe, there was a program by the same author com2tcp.vmp.exe . Perhaps its decoding will help in your work? djifcc2.zip
Click to expand...

Google-ing com2tcp.vmp.exe does give me some promising looking website. But it is in Russian (I think). So some may be lost in translation. Anyone.... ? DJI Mini 3 Pro/DJI Mini 3 - 4PDA
 
If I use MS strings and export to a txt file to see whats in the .exe I find a couple of intresting text. But nothin usefull.

Line 1 : !This program cannot be run in DOS mode.
line 11: h.reloc
line 963: Sn=
line 2522: CertOpenStore
line 2621: LocalFree
line 225397: LocalAlloc
line 226292: Dji
line 63834: DJI
line 293856: dji-G}gi

Also the IP that the program is trying to connect to just point to china. Unless the ISP there share the real (street)adresses its nothing. No websites are hosted on that IP according to a simple reverse IP lookup.
 
FlowDrone said:
Sadly not so useful, beyond confirming that the executable was definitely packed (which we already know).
It reveals only that it is a Console Application for Win64 (64 bit Windows).
The DLL is actually a general USB Library used by many different applications, compiled in Microsoft C++ (and legitimately signed to prove its authenticity)
Thus far, we have extracted (I believe) ALL of the files that are downloaded each time the executable was run while the server was functioning.
I've also managed to extract from the binary the ADB commands executed to push the modified Android packages to the DJI RC.
I've also managed to obtain the Device Keys for my DJI RC (which I believe are actually device-specific)
However, my attempts to authenticate ADB so that I can push the files have, thus far, all failed.
Click to expand...
There are many different keys inside the RC firmware, but there is no adb_keys among them...
If interested, here is the decrypted and unpacked firmware MM3.zip
 
Last edited:
Dmitry Sistor said:
There are many different keys inside the RC firmware, but there is no adb_keys among them...
If interested, here is the decrypted and unpacked firmware MM3.zip
Click to expand...
One of the files created by the patch back when the server was online was a file called ".ses"
Inside this plain-text document were two lines of string data, the first looked to be the serial of my DJI RC, the second is a key (which I believe is generated based on the serial)
 
Hello drone pilots! Does anyone have a patch to open 5.8 GHz in 32 bit format? Required to test performance on Dji RC.
 
FlowDrone said:
One of the files created by the patch back when the server was online was a file called ".ses"
Inside this plain-text document were two lines of string data, the first looked to be the serial of my DJI RC, the second is a key (which I believe is generated based on the serial)
Click to expand...
As far as I understand, the program created this file and sent it to the server in order to save your device in the database for subsequent updates.
And what adb commands did you find?
 
Hello everybody! I found this file (.ses) on my hdd in the appdata\local\temp folder. There are 2 lines - the first of 13 digits and the second long of numbers and letters separated by a dash. Is it possible that the author of the hack used the DJI Assistant developer mode to hack?
 
Sub-Zero said:
Hello everybody! I found this file (.ses) on my hdd in the appdata\local\temp folder. There are 2 lines - the first of 13 digits and the second long of numbers and letters separated by a dash. Is it possible that the author of the hack used the DJI Assistant developer mode to hack?
Click to expand...
It is absolutely possible, because he needs a way to get a root shell on the RC in order to replace the needed files through the adb. But in order to understand what exactly he is using, we need to unpack the djifcc.exe.
 
  • Like
Reactions: Dmitry Sistor
Sub-Zero said:
Hello everybody! I found this file (.ses) on my hdd in the appdata\local\temp folder. There are 2 lines - the first of 13 digits and the second long of numbers and letters separated by a dash. Is it possible that the author of the hack used the DJI Assistant developer mode to hack?
Click to expand...

Mysterious .SES file in Temp folder​

 

Similar threads

S
Problems with landing MAvic 3 Cine after FCC hack
Replies
17
Views
2K
Mavic 3
Thom_adams
T
macqi
Air 3 with rc 2 controller fcc hack
Replies
43
Views
18K
Air 3
emispo
E
J
Interchanging between RC and RC Pro
Replies
5
Views
274
Mavic 3 Pro
Chrislaf
Chrislaf
J
Mini 3 Pro and Integra Motion Combo
Replies
2
Views
1K
Mini 3
Johnb4604
J
J
Still Struggling for distance post FCC Mod
Replies
18
Views
5K
DJI RC Pro Controller
Octavio
Octavio
Lycus Tech Mavic Air 3 Case

DJI Drone Deals

1. NEO
2. Mini 3 Pro
3. Mini 4 Pro
4. Air 2s
5. Air 3
6. Avata 2
7. Mavic 3 Pro
8. Mavic 3 Classic

New Threads

Members online

Total: 356 (members: 4, guests: 352)

Forum statistics

Threads
134,659
Messages
1,597,274
Members
163,144
Latest member
flo1710
Want to Remove this Ad? Simply login or create a free account