some guy doing an FCC hack permanent for RC pro Controller

[FlowDrone]

DIE gave me some intresting results when scanning the map where I saved all files.

G:\rev eng\DJI FCC\djifcc.exe 917 msec
MSDOS
PE64
    Linker: Microsoft Linker(14.33)[Console64,console]

G:\rev eng\DJI FCC\libusb0.dll 108 msec
MSDOS
PE64
    Compiler: Microsoft Visual C/C++(2005)
    Linker: Microsoft Linker(8.0 or 11.0)[DLL64,signed]
    Overlay: Binary
        Certificate: WinAuth(2.0)[PKCS #7]
        audio: Jochen Hippel's module (.HIP)

G:\rev eng\DJI FCC\Pass DJI fcc.txt 42 msec
Binary
    Format: plain text

G:\rev eng\DJI FCC\readme.txt 42 msec
Binary
    Format: plain text

Sadly not so useful, beyond confirming that the executable was definitely packed (which we already know).
It reveals only that it is a Console Application for Win64 (64 bit Windows).
The DLL is actually a general USB Library used by many different applications, compiled in Microsoft C++ (and legitimately signed to prove its authenticity)
Thus far, we have extracted (I believe) ALL of the files that are downloaded each time the executable was run while the server was functioning.
I've also managed to extract from the binary the ADB commands executed to push the modified Android packages to the DJI RC.
I've also managed to obtain the Device Keys for my DJI RC (which I believe are actually device-specific)
However, my attempts to authenticate ADB so that I can push the files have, thus far, all failed.

 

[hjadr]

Sadly not so useful, beyond confirming that the executable was definitely packed (which we already know).
It reveals only that it is a Console Application for Win64 (64 bit Windows).
The DLL is actually a general USB Library used by many different applications, compiled in Microsoft C++ (and legitimately signed to prove its authenticity)
Thus far, we have extracted (I believe) ALL of the files that are downloaded each time the executable was run while the server was functioning.
I've also managed to extract from the binary the ADB commands executed to push the modified Android packages to the DJI RC.
I've also managed to obtain the Device Keys for my DJI RC (which I believe are actually device-specific)
However, my attempts to authenticate ADB so that I can push the files have, thus far, all failed.

Can you walk me through your process of extracting the device key and adb commands? I have some spare time tonight and might just take off where you stranded. I have 2 different PC's that I uses for the mod. I am curious if there is a difference in the files.
I fear the modded android pages would have been downloaded in a temp folder so they would get deleted after a reboot. That's what I would do....

 

[Dmitry Sistor]

Sadly not so useful, beyond confirming that the executable was definitely packed (which we already know).
It reveals only that it is a Console Application for Win64 (64 bit Windows).
The DLL is actually a general USB Library used by many different applications, compiled in Microsoft C++ (and legitimately signed to prove its authenticity)
Thus far, we have extracted (I believe) ALL of the files that are downloaded each time the executable was run while the server was functioning.
I've also managed to extract from the binary the ADB commands executed to push the modified Android packages to the DJI RC.
I've also managed to obtain the Device Keys for my DJI RC (which I believe are actually device-specific)
However, my attempts to authenticate ADB so that I can push the files have, thus far, all failed.

Hi! Can you post ABD commands?
Before the advent of djifcc.exe, there was a program by the same author com2tcp.vmp.exe . Perhaps its decoding will help in your work? djifcc2.zip

 

[Jeanb]

I've looked at this before but it is not for me. I am using the DJI RC controller.

You can still use it with the RC controller. You need to set FCC as detailed with the RCN1, Keep the drone on and just open your RC controller, it should then be in FCC. See:

 

[hjadr]

Hi! Can you post ABD commands?
Before the advent of djifcc.exe, there was a program by the same author com2tcp.vmp.exe . Perhaps its decoding will help in your work? djifcc2.zip

Google-ing com2tcp.vmp.exe does give me some promising looking website. But it is in Russian (I think). So some may be lost in translation. Anyone.... ? DJI Mini 3 Pro/DJI Mini 3 - 4PDA

 

[Dmitry Sistor]

Google-ing com2tcp.vmp.exe does give me some promising looking website. But it is in Russian (I think). So some may be lost in translation. Anyone.... ? DJI Mini 3 Pro/DJI Mini 3 - 4PDA

The program is contained in the archive (djifcc2.zip) to which I gave a link djifcc2.zip

 

[hjadr]

If I use MS strings and export to a txt file to see whats in the .exe I find a couple of intresting text. But nothin usefull.

Spoiler

Line 1 : !This program cannot be run in DOS mode.
line 11: h.reloc
line 963: Sn=
line 2522: CertOpenStore
line 2621: LocalFree
line 225397: LocalAlloc
line 226292: Dji
line 63834: DJI
line 293856: dji-G}gi

Also the IP that the program is trying to connect to just point to china. Unless the ISP there share the real (street)adresses its nothing. No websites are hosted on that IP according to a simple reverse IP lookup.

 

[vladin]

Hi! Can you post ABD commands?
Before the advent of djifcc.exe, there was a program by the same author com2tcp.vmp.exe . Perhaps its decoding will help in your work? djifcc2.zip

Hi Dmitry! The program com2tcp.vmp.exe is for patching the drone, not the RC, right?

 

[Dmitry Sistor]

Hi Dmitry! The program com2tcp.vmp.exe is for patching the drone, not the RC, right?

Yes!

 

[DAFlys]

Google-ing com2tcp.vmp.exe does give me some promising looking website. But it is in Russian (I think). So some may be lost in translation. Anyone.... ? DJI Mini 3 Pro/DJI Mini 3 - 4PDA

that hack looks very like what you see when you do the djircfcc.exe on the controller.

Screenshot+at+Jun+29+23-21-40.png

 

[FlowDrone]

that hack looks very like what you see when you do the djircfcc.exe on the controller.

Screenshot+at+Jun+29+23-21-40.png

It's an earlier version of the same hack. Just ran the executable and can confirm it also attempts to connect to the same 47.100.49.90 IP address (and the service is still down on this address)

 

[paulg0]

Google-ing com2tcp.vmp.exe does give me some promising looking website. But it is in Russian (I think). So some may be lost in translation. Anyone.... ? DJI Mini 3 Pro/DJI Mini 3 - 4PDA

DJI Mini 3 Pro/DJI Mini 3 - 4PDA

DJI Mini 3 Pro/DJI Mini 3, [drone]

4pda-to.translate.goog

 

[Dmitry Sistor]

Sadly not so useful, beyond confirming that the executable was definitely packed (which we already know).
It reveals only that it is a Console Application for Win64 (64 bit Windows).
The DLL is actually a general USB Library used by many different applications, compiled in Microsoft C++ (and legitimately signed to prove its authenticity)
Thus far, we have extracted (I believe) ALL of the files that are downloaded each time the executable was run while the server was functioning.
I've also managed to extract from the binary the ADB commands executed to push the modified Android packages to the DJI RC.
I've also managed to obtain the Device Keys for my DJI RC (which I believe are actually device-specific)
However, my attempts to authenticate ADB so that I can push the files have, thus far, all failed.

There are many different keys inside the RC firmware, but there is no adb_keys among them...
If interested, here is the decrypted and unpacked firmware MM3.zip

 

[FlowDrone]

There are many different keys inside the RC firmware, but there is no adb_keys among them...
If interested, here is the decrypted and unpacked firmware MM3.zip

One of the files created by the patch back when the server was online was a file called ".ses"
Inside this plain-text document were two lines of string data, the first looked to be the serial of my DJI RC, the second is a key (which I believe is generated based on the serial)

 

[Macheti]

Hello drone pilots! Does anyone have a patch to open 5.8 GHz in 32 bit format? Required to test performance on Dji RC.

 

[Dmitry Sistor]

One of the files created by the patch back when the server was online was a file called ".ses"
Inside this plain-text document were two lines of string data, the first looked to be the serial of my DJI RC, the second is a key (which I believe is generated based on the serial)

As far as I understand, the program created this file and sent it to the server in order to save your device in the database for subsequent updates.
And what adb commands did you find?

 

[Sub-Zero]

Hello everybody! I found this file (.ses) on my hdd in the appdata\local\temp folder. There are 2 lines - the first of 13 digits and the second long of numbers and letters separated by a dash. Is it possible that the author of the hack used the DJI Assistant developer mode to hack?

 

[vladin]

Hello everybody! I found this file (.ses) on my hdd in the appdata\local\temp folder. There are 2 lines - the first of 13 digits and the second long of numbers and letters separated by a dash. Is it possible that the author of the hack used the DJI Assistant developer mode to hack?

It is absolutely possible, because he needs a way to get a root shell on the RC in order to replace the needed files through the adb. But in order to understand what exactly he is using, we need to unpack the djifcc.exe.

 

[Sub-Zero]

It is absolutely possible, because he needs a way to get a root shell on the RC in order to replace the needed files through the adb.

So we need to find a way to enable developer mode on version 2 DJI Assistant, which sees the DJ RC remote.

 

[Dmitry Sistor]

Hello everybody! I found this file (.ses) on my hdd in the appdata\local\temp folder. There are 2 lines - the first of 13 digits and the second long of numbers and letters separated by a dash. Is it possible that the author of the hack used the DJI Assistant developer mode to hack?

Mysterious .SES file in Temp folder​

Redirecting