some guy doing an FCC hack permanent for RC pro Controller

> breaking news! :)
> YouTube has translation
> Topic related: what he says is that in the latest fw of the RC, the hack you are talking about was blocked
From what I can see, there is nothing in the latest RC firmware that would prevent the normal FCC hack from functioning.
BTW: I extracted two keys from the FCC hack executable today. I'm continuing my attempts to use these to get ADB working. If/when I'm able to achieve that, the remainder of the hack is trivial to achieve (pushing the modified DJI Fly binaries we already have to the controller using ADB)
 
> From what I can see, there is nothing in the latest RC firmware that would prevent the normal FCC hack from functioning.
> BTW: I extracted two keys from the FCC hack executable today. I'm continuing my attempts to use these to get ADB working. If/when I'm able to achieve that, the remainder of the hack is trivial to achieve (pushing the modified DJI Fly binaries we already have to the controller using ADB)
Nice one. I tried running it with x64dbg but it detected the debugging attempt and quit on me.
 
> Nice one. I tried running it with x64dbg but it detected the debugging attempt and quit on me.
You can't hook a debugger onto it because the binary was "Packed" specifically to prevent reverse-engineering.
Fortunately, I managed to partially-unpack it... giving me more information via a Hex Editor (annoyingly the RCData, which would've been the best thing to unpack because it would give me every String value in there... including all the keys... wouldn't unpack).
I think this was double or even triple packed! Damned hackers... always know how to make things difficult!
 
> You can't hook a debugger onto it because the binary was "Packed" specifically to prevent reverse-engineering.
> Fortunately, I managed to partially-unpack it... giving me more information via a Hex Editor (annoyingly the RCData, which would've been the best thing to unpack because it would give me every String value in there... including all the keys... wouldn't unpack).
> I think this was double or even triple packed! Damned hackers... always know how to make things difficult!
I might be wrong. But it felt like he had used WinLicense to protect it.
 
> Those are generated in the .android folder automatically when ADB server starts on your machine for the first time.
> From what I can gather, his script Authorizes your Key with the Controller... but I can't figure out how it does it (this is what I'm looking at now)
> If I can figure out how to get Debug-level access to invoke ADB commands (specifically adb reboot bootloader and adb push) then I can push the modified ELF and .SO files to the filesystem and replace the existing... which (in theory) should be all that's needed to force FCC mode.
The problem is that new (adb) devices are not approved by the controller. You need DJI's private keys or a way to add your own key(s) to the controller.
My thoughts are that in the earlier versions of the RC firmware there might have been vulnerabilities, which were exploited by the hack's author to get adb access to the controller and replace the original files with the modded ones. But in the recent firmware, these vulnerabilities were fixed and that's why the hack can no longer gain access to the controller. Another possibility is that the author of the hack is a former DJI employee, or somehow got their private keys and used them to inject the modded files. But in the latest firmware maybe the keys were changed.
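
The ADB key files mentioned in the posts above, as an added example that is not part of the original thread: a parser for the stock Android ADB public-key line format (the `adbkey.pub` written to the `.android` folder, and the device-side list of authorized keys, `/data/misc/adb/adb_keys` on stock Android) that prints each key's fingerprint in the MD5 form shown by Android's USB-debugging prompt and rejects malformed entries. The function names and the sample data are constructed for illustration; whether the controller stores its keys the stock way is an assumption.

```python
import base64, hashlib, struct

WORDS = 64                      # 2048-bit modulus as 64 little-endian uint32 words
BLOB_LEN = 12 + 2 * WORDS * 4   # 524 bytes: len, n0inv, n[], rr[], exponent

def parse_adb_key(line):
    """Parse one '<base64 blob> [comment]' line from adbkey.pub or adb_keys."""
    parts = line.split(None, 1)
    blob = base64.b64decode(parts[0], validate=True)
    if len(blob) != BLOB_LEN:
        raise ValueError(f"blob is {len(blob)} bytes, expected {BLOB_LEN}")
    words, n0inv = struct.unpack_from("<II", blob, 0)
    if words != WORDS:
        raise ValueError(f"unexpected modulus length: {words} words")
    n = int.from_bytes(blob[8:8 + 4 * WORDS], "little")
    (exponent,) = struct.unpack_from("<I", blob, 8 + 8 * WORDS)
    # n0inv must equal -1/n mod 2^32; a mismatch means a corrupt or hand-edited entry
    if (n0inv * (n & 0xFFFFFFFF) + 1) % 2**32 != 0:
        raise ValueError("n0inv does not match the modulus")
    md5 = hashlib.md5(blob).hexdigest().upper()
    return {"fingerprint": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "bits": n.bit_length(), "exponent": exponent,
            "comment": parts[1].strip() if len(parts) > 1 else ""}

def audit(text):
    """Return (parsed keys, rejected lines) for the text of an adb_keys file."""
    keys, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            keys.append(parse_adb_key(line))
        except ValueError as exc:   # binascii.Error is a ValueError subclass
            rejected.append((lineno, str(exc)))
    return keys, rejected

def make_sample(comment):
    """Constructed sample: a well-formed blob around a made-up modulus, not a real key."""
    n = (1 << 2047) | int.from_bytes(hashlib.sha256(comment.encode()).digest(), "big") | 1
    n0inv = -pow(n & 0xFFFFFFFF, -1, 2**32) % 2**32
    rr = pow(1 << 2048, 2, n)
    blob = (struct.pack("<II", WORDS, n0inv) + n.to_bytes(256, "little")
            + rr.to_bytes(256, "little") + struct.pack("<I", 65537))
    return base64.b64encode(blob).decode() + " " + comment

SAMPLE = make_sample("analyst@workstation") + "\nbm90IGEga2V5 broken@entry\n"

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Comparing the fingerprints from a device's authorized-key list against the hosts you expect is a quick way to spot a key that some tool added without your knowledge.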
 
> From what I can see, there is nothing in the latest RC firmware that would prevent the normal FCC hack from functioning.
> BTW: I extracted two keys from the FCC hack executable today. I'm continuing my attempts to use these to get ADB working. If/when I'm able to achieve that, the remainder of the hack is trivial to achieve (pushing the modified DJI Fly binaries we already have to the controller using ADB)
From what I understand, the FCC hack which is run on the Android phone instructs the RC-N1 controller to put the drone in FCC mode. The drone stays in this mode as long as it is not powered off and can also be controlled with the RC controller. This hack obviously is still working on the latest firmware and has nothing to do with the RC controller. It is run on the Android device with the RC-N1 controller. The RC controller is not modified in any way.
On the other hand, the other permanent hack for the RC controller is no longer working with the latest firmware, because it can no longer modify the files on the controller.
Even if we find a way to push the modded files to the controller, they may no longer work with the new firmware, because they are based on an older version of the DJI Fly app. The new firmware may detect that the version of the app is not recent and may refuse to execute it.
 
> I've been firing multiple unpackers at the executable to see what gives me more information. Fancy giving the WinLicense unpacker a shot? GitHub - ergrelet/unlicense: Dynamic unpacker and import fixer for Themida/WinLicense 2.x and 3.x.
>
> Honestly, the more help I have here, the quicker we can figure this thing out and solve our own issue rather than being at the mercy of someone else.
I would be glad to help in the reverse engineering of the djifcc.exe, but unfortunately I don't have it. If someone can send it to me, maybe I could find something and help the common cause.
 
> My Italian isn't good enough to understand what he's saying, but it looks like he's applying the N1 controller FCC hack, then using the RC to control it for the flight... that about right?
Yeah, he's basically done a copy of my video but in Italian, and it works well even if it is a bit of a faff. It's free too, but I couldn't be doing with the faffing myself and installed the permanent hack once I had some spare change.
 
> I've been firing multiple unpackers at the executable to see what gives me more information. Fancy giving the WinLicense unpacker a shot? GitHub - ergrelet/unlicense: Dynamic unpacker and import fixer for Themida/WinLicense 2.x and 3.x.
>
> Honestly, the more help I have here, the quicker we can figure this thing out and solve our own issue rather than being at the mercy of someone else.
Doesn't appear it's WinLicense, sadly:

ERROR - Failed to automatically detect packer version
 
> The problem is that new (adb) devices are not approved by the controller. You need DJI's private keys or a way to add your own key(s) to the controller.
> My thoughts are that in the earlier versions of the RC firmware there might have been vulnerabilities, which were exploited by the hack's author to get adb access to the controller and replace the original files with the modded ones. But in the recent firmware, these vulnerabilities were fixed and that's why the hack can no longer gain access to the controller. Another possibility is that the author of the hack is a former DJI employee, or somehow got their private keys and used them to inject the modded files. But in the latest firmware maybe the keys were changed.
There is no evidence that the "sincoder" hack doesn't work in the last DJI RC firmware... the server is down so there is no way to try it...

The djifcc.exe you can download it here: https://www.dji-fcc.com/djifcc.zip
 
> There is no evidence that the "sincoder" hack doesn't work in the last DJI RC firmware... the server is down so there is no way to try it...
>
> The djifcc.exe you can download it here: https://www.dji-fcc.com/djifcc.zip
Thank you very much for the link, FiShBuRn. I downloaded the file and will start to analyze it.

If you have all the files (djifcc.exe, adb, modded app) on your computer, can't you just install the hack? Why would you still need the server?
 
Don't know for sure, but in the first attempt you need to have a "key" to register the device.
Maybe this is the way to prevent "free" usage of the hack.
 
In the instructions it is written "Put the registration code in pass.txt".

Can someone confirm, if a connection to the server is still needed when running the hack, if you have all the files downloaded to your computer?
 
A BIG thank you to all of you that are trying to figure this out. Wish there was some way I could help, but this is all beyond my skills, but again thanks heaps. I'm in New Zealand and bought my Mini 3 Pro yesterday.
I'm hoping I can get the FCC hack; we're CE here also, despite what the internet says.
Can I ask, to keep my hopes up: do you guys believe this is something we will crack eventually?

Anyone need help getting the bigger batteries? They sell them here, happy to help.
 
I found a forum in which a guy with nick clinkadink describes the whole process of applying the Sinecoder's hack in his post from 28 Sep 2022:

RC Pro Controller with FCC hack?

I'm still trying to figure out if any files are sent to and/or received from the server during the initial serial number registration (Step 6) and during the actual application of the hack (Step 8) and what these files are.

I'm also trying to find out if any information or files from the RC controller are sent to the server.

But in order to understand what exactly the djifcc.exe is doing and how, we need to reverse-engineer it.
 
> I found a forum in which a guy with nick clinkadink describes the whole process of applying the Sinecoder's hack in his post from 28 Sep 2022:
>
> RC Pro Controller with FCC hack?
>
> I'm still trying to figure out if any files are sent to and/or received from the server during the initial serial number registration (Step 6) and during the actual application of the hack (Step 8) and what these files are.
>
> I'm also trying to find out if any information or files from the RC controller are sent to the server.
>
> But in order to understand what exactly the djifcc.exe is doing and how, we need to reverse-engineer it.
Files are downloaded during the execution of the program. We've already pulled these files together.

Sadly, even if you have all the files on your machine, the program begins by establishing the connection to validate the key you put in "pass.txt" and if it can't do that (which it can't right now because the server is down) then it simply won't continue.
My progress has slowed considerably attempting to push the modified binaries onto the RM330, mainly because I can't get the controller to authorize my computer's self-signed key.
Will continue to keep you all informed if I make any headway here.
 
> In the instructions it is written "Put the registration code in pass.txt".
>
> Can someone confirm, if a connection to the server is still needed when running the hack, if you have all the files downloaded to your computer?
Yeah it does, that is what hacks the RC controller somehow; without a connection to the server nothing will get written to the RC controller.
 
