some guy doing an FCC hack permanent for RC pro Controller

DAFlys · Jan 17, 2023

FiShBuRn said:
That is not the official page, that is someone you wants to get money from others work...69usd!!

The original site is https://www.dji-fcc.com/, nothing to see there...

He has a deal to resell sincoders work making it easier to get it.

Bashy · Jan 17, 2023

Hi folks, am i right in thinking that the free hack still works ok, i.e. the one you have to apply every time?I haven't updated the DJI RC but its sods law that something goes amiss with this permanent version as i have only had it a very short while, just hope DJI doesn't do anything out of character now like bring out waypoints for the Mini 3 Pro, now that would be a kick in the teeth lol

FlowDrone · Jan 20, 2023

Be aware... applied the latest firmware update to the DJI RC this morning, then attempted to re-apply the FCC hack.... the FCC hack is no longer running.
Instead, it shows "connect faild" (with the typo) over and over again, and does nothing.

EDIT: Just read through the earlier messages about this... DAMNIT!

FlowDrone · Jan 20, 2023

A little analysis work to try and figure out what's going on.
The djifcc.exe file attempts to connect via HTTPS (on port 443) to IP address 47.100.49.90 (this IP resolves to Shanghai, China).
A port scan on that IP reveals that the physical machine IS running and connected to the internet, with both SSH (Port 22) and Microsoft Remote Desktop (port 3389) open and accepting connection attempts.
Looks to me as though the Authentication Service for this hack is running on someone's personal computer at home, and they have simply switched off the service application on that machine.

I don't know what they're up to, but the guy on Telegram is not even reading messages, let alone replying to them... and we are all left entirely in the blind.

FlowDrone · Jan 20, 2023

kogut7 said:
anybody used DJI RC Mini 3 and Mavic 3 FCC Hack • FCC mod for DJI Drones. Air 2S, Mini 3, Mavic 3, RC, RC Pro ?

Contacted him just now... his is the same one and it is also down (same server not running)

pyrolator · Jan 20, 2023

Looks like "Our Money is just blowing in the Wind"

FlowDrone · Jan 20, 2023

pyrolator said:
Looks like "Our Money is just blowing in the Wind"

I would say so, yes.
I'm kicking myself for not running a Wireshark scan back when the hack was functioning. I could've made a service to respond to the requests with an affirmative and trick the stupid program into working.

cah · Jan 20, 2023

I poked around a little bit when I ran it. It downloads files from their server, it's not just for authorisation.
I get the idea it grabs a couple of apks from your remote and sends them to the server for modification. Neat way of trying to keep the 'secret sauce' a bit more secret, although I suppose someone could have compared the apks against the originals.

FlowDrone · Jan 20, 2023

cah said:
I poked around a little bit when I ran it. It downloads files from their server, it's not just for authorisation.
I get the idea it grabs a couple of apks from your remote and sends them to the server for modification. Neat way of trying to keep the 'secret sauce' a bit more secret, although I suppose someone could have compared the apks against the originals.

Any idea where on the filesystem it was putting them? I can push APKs to the RC, and I may be able to recover the APKs from my VM

cah · Jan 20, 2023

They were in %temp% - it downloads a compressed file, a .tar file if I remember which extracts to a couple of (I think) .elf files. I deleted them, sadly.

FlowDrone · Jan 20, 2023

cah said:
They were in %temp% - it downloads a compressed file, a .tar file if I remember which extracts to a couple of (I think) .elf files. I deleted them, sadly.

Recovered the files (tarball and extracted contents) and analyzing them now

FlowDrone · Jan 20, 2023

Okay, what I have determined so far is that the downloaded payload is the ADB files (executable and DLL)
A script (which is hardcoded inside the djifcc.exe file, and was pre-encrpyted before hardcoding) is then executed, which runs a bunch of commands against adb. One of the things I can see in the adb.log file it does is enrolls a locally-generated SHA key with the RC, and I believe this is then somehow gaining elevated privilege to make filesystem changes on the RC.
Any additional payload must be embedded inside the djifcc.exe program itself, because I have found no additional payloads downloaded to the filesystem.

Richard1970 · Jan 20, 2023

Just cut your losses its a scam he's taken the money and run ,these hacks don't work its cat and mouse between the hackers and dji as soon as dji see a hack they implement a update which wipes the hack
Lesson learned today
I've been using the air2 /2s patch for years you don't gain that much

cah · Jan 20, 2023

Was there something else that was downloaded? The tar file I opened didn't have the ADB executable in (unless they were all called something.elf)

FlowDrone · Jan 20, 2023

cah said:
Was there something else that was downloaded? The tar file I opened didn't have the ADB executable in (unless they were all called something.elf)

Only the following files:
AdbWinUsbApi.dll, AdbWinApi.dll, adb.exe
They get downloaded into the %temp% folder, then the script runs which, amongst other things, invokes adb commands:
--- adb starting (pid 3684) ---
adb I 01-06 17:15:26 3684 3832 main.cpp:63] Android Debug Bridge version 1.0.41
adb I 01-06 17:15:26 3684 3832 main.cpp:63] Version 33.0.1-8253317
adb I 01-06 17:15:26 3684 3832 main.cpp:63] Installed as C:\Users\someuser\AppData\Local\Temp\adb.exe
adb I 01-06 17:15:26 3684 3832 main.cpp:63]
adb I 01-06 17:15:26 3684 3832 auth.cpp:417] adb_auth_init...
adb I 01-06 17:15:26 3684 3832 auth.cpp:220] User key 'C:\Users\someuser\.android\adbkey' does not exist...
adb I 01-06 17:15:26 3684 3832 auth.cpp:64] generate_key(C:\Users\someuser\.android\adbkey)...
adb I 01-06 17:15:27 3684 3832 auth.cpp:152] loaded new key from 'C:\Users\someuser\.android\adbkey' with fingerprint <LONG FINGERPRINT HERE>
adb I 01-06 17:15:27 3684 5948 transport.cpp:304] RM330UNIQUESERIALNUMBER: write thread spawning
adb I 01-06 17:15:27 3684 1392 transport.cpp:332] RM330UNIQUESERIALNUMBER: read thread spawning
adb I 01-06 17:15:27 3684 3832 transport.cpp:1623] fetching keys for transport RM330UNIQUESERIALNUMBER
adb I 01-06 17:15:27 3684 3832 auth.cpp:469] Calling send_auth_response
adb I 01-06 17:15:27 3684 3832 auth.cpp:436] Calling send_auth_publickey
adb I 01-06 17:15:47 3684 1392 transport.cpp:336] RM330UNIQUESERIALNUMBER: read failed: Input/output error
adb I 01-06 17:15:47 3684 1392 transport.cpp:1225] RM330UNIQUESERIALNUMBER: connection terminated: read failed
adb I 01-06 17:15:47 3684 3832 adb.cpp:175] RM330UNIQUESERIALNUMBER: offline
adb I 01-06 17:15:47 3684 3832 transport.cpp:910] destroying transport RM330UNIQUESERIALNUMBER
adb I 01-06 17:15:47 3684 3832 transport.cpp:404] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): stopping
adb I 01-06 17:15:48 3684 3832 transport.cpp:422] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): stopped
adb I 01-06 17:15:48 3684 3832 transport.cpp:291] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): destructing
adb I 01-06 17:15:48 3684 3832 transport.cpp:397] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): already stopped
adb I 01-06 17:16:02 3684 5392 transport.cpp:332] RM330UNIQUESERIALNUMBER: read thread spawning
adb I 01-06 17:16:02 3684 1356 transport.cpp:304] RM330UNIQUESERIALNUMBER: write thread spawning
adb I 01-06 17:16:02 3684 3832 adb.cpp:171] RM330UNIQUESERIALNUMBER: already offline
adb I 01-06 17:16:19 3684 5392 transport.cpp:336] RM330UNIQUESERIALNUMBER: read failed: Input/output error
adb I 01-06 17:16:19 3684 5392 transport.cpp:1225] RM330UNIQUESERIALNUMBER: connection terminated: read failed
adb I 01-06 17:16:19 3684 3832 adb.cpp:175] RM330UNIQUESERIALNUMBER: offline
adb I 01-06 17:16:19 3684 3832 transport.cpp:910] destroying transport RM330UNIQUESERIALNUMBER
adb I 01-06 17:16:19 3684 3832 transport.cpp:404] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): stopping
adb I 01-06 17:16:19 3684 3832 transport.cpp:422] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): stopped
adb I 01-06 17:16:19 3684 3832 transport.cpp:291] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): destructing
adb I 01-06 17:16:19 3684 3832 transport.cpp:397] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): already stopped
adb I 01-06 17:16:29 3684 6068 transport.cpp:304] RM330UNIQUESERIALNUMBER: write thread spawning
adb I 01-06 17:16:29 3684 316 transport.cpp:332] RM330UNIQUESERIALNUMBER: read thread spawning
adb I 01-06 17:16:29 3684 3832 adb.cpp:171] RM330UNIQUESERIALNUMBER: already offline
adb I 01-06 17:17:53 3684 316 transport.cpp:336] RM330UNIQUESERIALNUMBER: read failed: Input/output error
adb I 01-06 17:17:53 3684 316 transport.cpp:1225] RM330UNIQUESERIALNUMBER: connection terminated: read failed
adb I 01-06 17:17:53 3684 3832 adb.cpp:175] RM330UNIQUESERIALNUMBER: offline
adb E 01-06 17:17:53 3684 6068 transport_usb.cpp:166] remote usb: 1 - write terminated: Input/output error
adb I 01-06 17:17:53 3684 3832 transport.cpp:910] destroying transport RM330UNIQUESERIALNUMBER
adb I 01-06 17:17:53 3684 3832 transport.cpp:404] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): stopping
adb I 01-06 17:17:53 3684 3832 transport.cpp:422] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): stopped
adb I 01-06 17:17:53 3684 3832 transport.cpp:291] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): destructing
adb I 01-06 17:17:53 3684 3832 transport.cpp:397] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): already stopped

DAFlys · Jan 20, 2023

FlowDrone said:
Only the following files:
AdbWinUsbApi.dll, AdbWinApi.dll, adb.exe
They get downloaded into the %temp% folder, then the script runs which, amongst other things, invokes adb commands:
--- adb starting (pid 3684) ---
adb I 01-06 17:15:26 3684 3832 main.cpp:63] Android Debug Bridge version 1.0.41
adb I 01-06 17:15:26 3684 3832 main.cpp:63] Version 33.0.1-8253317
adb I 01-06 17:15:26 3684 3832 main.cpp:63] Installed as C:\Users\someuser\AppData\Local\Temp\adb.exe
adb I 01-06 17:15:26 3684 3832 main.cpp:63]
adb I 01-06 17:15:26 3684 3832 auth.cpp:417] adb_auth_init...
adb I 01-06 17:15:26 3684 3832 auth.cpp:220] User key 'C:\Users\someuser\.android\adbkey' does not exist...
adb I 01-06 17:15:26 3684 3832 auth.cpp:64] generate_key(C:\Users\someuser\.android\adbkey)...
adb I 01-06 17:15:27 3684 3832 auth.cpp:152] loaded new key from 'C:\Users\someuser\.android\adbkey' with fingerprint <LONG FINGERPRINT HERE>
adb I 01-06 17:15:27 3684 5948 transport.cpp:304] RM330UNIQUESERIALNUMBER: write thread spawning
adb I 01-06 17:15:27 3684 1392 transport.cpp:332] RM330UNIQUESERIALNUMBER: read thread spawning
adb I 01-06 17:15:27 3684 3832 transport.cpp:1623] fetching keys for transport RM330UNIQUESERIALNUMBER
adb I 01-06 17:15:27 3684 3832 auth.cpp:469] Calling send_auth_response
adb I 01-06 17:15:27 3684 3832 auth.cpp:436] Calling send_auth_publickey
adb I 01-06 17:15:47 3684 1392 transport.cpp:336] RM330UNIQUESERIALNUMBER: read failed: Input/output error
adb I 01-06 17:15:47 3684 1392 transport.cpp:1225] RM330UNIQUESERIALNUMBER: connection terminated: read failed
adb I 01-06 17:15:47 3684 3832 adb.cpp:175] RM330UNIQUESERIALNUMBER: offline
adb I 01-06 17:15:47 3684 3832 transport.cpp:910] destroying transport RM330UNIQUESERIALNUMBER
adb I 01-06 17:15:47 3684 3832 transport.cpp:404] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): stopping
adb I 01-06 17:15:48 3684 3832 transport.cpp:422] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): stopped
adb I 01-06 17:15:48 3684 3832 transport.cpp:291] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): destructing
adb I 01-06 17:15:48 3684 3832 transport.cpp:397] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): already stopped
adb I 01-06 17:16:02 3684 5392 transport.cpp:332] RM330UNIQUESERIALNUMBER: read thread spawning
adb I 01-06 17:16:02 3684 1356 transport.cpp:304] RM330UNIQUESERIALNUMBER: write thread spawning
adb I 01-06 17:16:02 3684 3832 adb.cpp:171] RM330UNIQUESERIALNUMBER: already offline
adb I 01-06 17:16:19 3684 5392 transport.cpp:336] RM330UNIQUESERIALNUMBER: read failed: Input/output error
adb I 01-06 17:16:19 3684 5392 transport.cpp:1225] RM330UNIQUESERIALNUMBER: connection terminated: read failed
adb I 01-06 17:16:19 3684 3832 adb.cpp:175] RM330UNIQUESERIALNUMBER: offline
adb I 01-06 17:16:19 3684 3832 transport.cpp:910] destroying transport RM330UNIQUESERIALNUMBER
adb I 01-06 17:16:19 3684 3832 transport.cpp:404] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): stopping
adb I 01-06 17:16:19 3684 3832 transport.cpp:422] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): stopped
adb I 01-06 17:16:19 3684 3832 transport.cpp:291] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): destructing
adb I 01-06 17:16:19 3684 3832 transport.cpp:397] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): already stopped
adb I 01-06 17:16:29 3684 6068 transport.cpp:304] RM330UNIQUESERIALNUMBER: write thread spawning
adb I 01-06 17:16:29 3684 316 transport.cpp:332] RM330UNIQUESERIALNUMBER: read thread spawning
adb I 01-06 17:16:29 3684 3832 adb.cpp:171] RM330UNIQUESERIALNUMBER: already offline
adb I 01-06 17:17:53 3684 316 transport.cpp:336] RM330UNIQUESERIALNUMBER: read failed: Input/output error
adb I 01-06 17:17:53 3684 316 transport.cpp:1225] RM330UNIQUESERIALNUMBER: connection terminated: read failed
adb I 01-06 17:17:53 3684 3832 adb.cpp:175] RM330UNIQUESERIALNUMBER: offline
adb E 01-06 17:17:53 3684 6068 transport_usb.cpp:166] remote usb: 1 - write terminated: Input/output error
adb I 01-06 17:17:53 3684 3832 transport.cpp:910] destroying transport RM330UNIQUESERIALNUMBER
adb I 01-06 17:17:53 3684 3832 transport.cpp:404] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): stopping
adb I 01-06 17:17:53 3684 3832 transport.cpp:422] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): stopped
adb I 01-06 17:17:53 3684 3832 transport.cpp:291] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): destructing
adb I 01-06 17:17:53 3684 3832 transport.cpp:397] BlockingConnectionAdapter(RM330UNIQUESERIALNUMBER): already stopped

I snagged some of the files during the install, Ive got ads.exe and a tar file which contains the files I think were copied to the controller. But im not sure where they go.

FlowDrone · Jan 20, 2023

DAFlys said:
I snagged some of the files during the install, Ive got ads.exe and a tar file which contains the files I think were copied to the controller. But im not sure where they go.

Interesting... the unextensioned "fcc" file is an APK for DJI Go 5 (modified) and the libllg.so file is a Linux Library.
So, it looks like you caught the operative payload on your filesystem (I can't find or recover it on the Virtual Disk for the VM I performed this on).
Now, if we can figure out how to push both modified files to the RC via ADB (the missing piece of this puzzle) we can make a very simple patch program that anyone can freely use on their own RM330 controllers.

FlowDrone · Jan 20, 2023

Correction to my last... the "fcc" file (with no extension) is an ELF file, not an APK.

DAFlys · Jan 20, 2023

FlowDrone said:
Interesting... the unextensioned "fcc" file is an APK for DJI Go 5 (modified) and the libllg.so file is a Linux Library.
So, it looks like you caught the operative payload on your filesystem (I can't find or recover it on the Virtual Disk for the VM I performed this on).
Now, if we can figure out how to push both modified files to the RC via ADB (the missing piece of this puzzle) we can make a very simple patch program that anyone can freely use on their own RM330 controllers.

I also have a pubic/private key pair for adb.

FlowDrone · Jan 20, 2023

DAFlys said:
I also have a pubic/private key pair for adb.

Those are generated in the .android folder automatically when ADB server starts on your machine for the first time.
From what I can gather, his script Authorizes your Key with the Controller... but I can't figure out how it does it (this is what I'm looking at now)
If I can figure out how to get Debug-level access to invoke ADB commands (specifically adb reboot bootloader and adb push) then I can push the modified ELF and .SO files to the filesystem and replace the existing... which (in theory) should be all that's needed to force FCC mode.