DJI Mavic, Air and Mini Drones
Friendly, Helpful & Knowledgeable Community
Join Us Now

Thoughts on hacking Mavic 2 NFZ/HEIGHT/SPEED...

mavicn00b said:
Parameter's are available but not NFZ/height limit, thats been disabled in firmware in the M1P for quite some time now. I think the ones that still work are mostly related to enabling ATTI, climb/top speeds etc
Click to expand...
This is NOT true for the MP1 buddy! There IS a way!
 
Tesadorn said:
This is NOT true for the MP1 buddy! There IS a way!
Click to expand...
param based attacks on the NFZ on newer firmware are indeed dead. Other routes still exist indeed however.
 
I recently sold my MP with old firmware, no restrictions with parameter mods. It's pretty awesome to fly up a mountain 3500' to the top and look around, staying <400AGL of course. That's why I'm keeping my P4P, for that very purpose when needed. My M2Z is my new favorite craft because of the zoom. I can get really close to animals, however there are more restrictions.

1547440972104.png

To view this content we will need your consent to set third party cookies.
For more detailed information, see our cookies page.
 
Last edited:
  • Like
Reactions: ff22
John Locke said:
I recently sold my MP with old firmware, no restrictions with parameter mods. It's pretty awesome to fly up a mountain 3500' to the top and look around, staying <400AGL of course. That's why I'm keeping my P4P, for that very purpose when needed. My M2Z is my new favorite craft because of the zoom. I can get really close to animals, however there are more restrictions.

View attachment 58760

To view this content we will need your consent to set third party cookies.
For more detailed information, see our cookies page.
Click to expand...

Great image. Have not looked at your video yet.
 
HoozierDroneDaddy said:
You can adjust the Height/Distance in the settings up to 500m/8000m respectively. This is AGL. Unless you are in a country that allows you to go higher, or want to violate legal limits, or create safety issues in the NAS, why would you need to adjust them higher than these limits. The limitation are AGL, so if you are up in the mountains or some other location with altitude, these limits start at the take off location, so there should not be a reasonable reason to adjust them above the 500/8000 meter settings. Unless you are doing research, then you could apply for a waiver or authorization and do so in a controlled/authorized environment. Just my humble opinion.
Click to expand...
I was going to post some detailed examples, but I'll be more pithy and simply say you lack much of an imagination.
 
To all working on unlocking Mavics 2, would you mind sharing some technical details on your approach?

I'm someone considering purchasing M2P. Due to area where I live, altitude unlock is a must for me - if I have to wait few more months, I will. However, as I also work in IT, I did some reading, and it doesn't look good to me. If I understand it correcly, config files on Mavics 2 are protected by ARM TrustZone. The same technology is used to protect millions of phones, if there was a breach it would have much more serious implications than just people removing NFZ on their drones. From what I found, there were only a couple of hacks so far:
CLKSCREW: Exposing the perils of security-oblivious energy management
Android SoC security keys extracted: Qualcomm TrustZone in question [UPDATE]
These require some serious skills, and it seems unlikely someone in relatively small drone community will be able to pull something like that off.
What other vectors of attack are there? One would be traditionally firmware update path, but unless DJI screwed up signature enforcement, or someone steals/leaks their private keys (what would be criminal) it's unlikely to bear any fruit. Also, there's a problem with no 'insecure' firmware availability, as it was well protected from the beginning. With my rudimentary knowledge, it seems like best bet would be finding some kind of engineering mode, which likely is there for DJI's internal purposes, but if it hasn't been found so far, it's likely well hidden.
 
Last edited:
  • Like
Reactions: ABLomas and Point Zero
Tsun said:
To all working on unlocking Mavics 2, would you mind sharing some technical details on your approach?

I'm someone considering purchasing M2P. Due to area where I live, altitude unlock is a must for me - if I have to wait few more months, I will. However, as I also work in IT, I did some reading, and it doesn't look good to me. If I understand it correcly, config files on Mavics 2 are protected by ARM TrustZone. The same technology is used to protect millions of phones, if there was a breach it would have much more serious implications than just people removing NFZ on their drones. From what I found, there were only a couple of hacks so far:
CLKSCREW: Exposing the perils of security-oblivious energy management
Android SoC security keys extracted: Qualcomm TrustZone in question [UPDATE]
These require some serious skills, and it seems unlikely someone in relatively small drone community will be able to pull something like that off.
What other vectors of attack are there? One would be traditionally firmware update path, but unless DJI screwed up signature enforcement, or someone steals/leaks their private keys (what would be criminal) it's unlikely to bear any fruit. Also, there's a problem with no 'insecure' firmware availability, as it was well protected from the beginning. With my rudimentary knowledge, it seems like best bet would be finding some kind of engineering mode, which likely is there for DJI's internal purposes, but if it hasn't been found so far, it's likely well hidden.
Click to expand...

Details shared when released, bad form asking us prior to being ready to release.

Yes the drone uses trustzone, but that has nothing to do with preventing root, nor protecting any configs. SELinux was a larger annoyance with root, was. On the m2 trustzone mostly handles encryption related tasks. The main issue he is not trustzone, it is that they appear to have actually paid someone to audit the Mavic Air, which resulted in many known bugs being fixed, and that carried over to the M2.

Many many trustzone exploits have existed, it isnt some magically unhackable thing, just many dont understand it. M2 uses the OPTEE trustzone, not one I have seen on phones, and I've hacked on the trustzones of a lot of phones.

Insecure firmware exists, its called every **** firmware DJI has ever released.
 
  • Like
Reactions: Tsun and lolo780
If it's a bad form I apologize to all offended, I'm used to move in circles where collaboration an openness are the norm. Thank you @jcase for sharing as much as you did.
 
Tsun said:
If it's a bad form I apologize to all offended, I'm used to move in circles where collaboration an openness are the norm. Thank you @jcase for sharing as much as you did.
Click to expand...

No worries, openess gets bugs patched in this world, especially if details are shared before it is fully ready
 
Tsun said:
To all working on unlocking Mavics 2, would you mind sharing some technical details on your approach?

I'm someone considering purchasing M2P. Due to area where I live, altitude unlock is a must for me - if I have to wait few more months, I will. However, as I also work in IT, I did some reading, and it doesn't look good to me. If I understand it correcly, config files on Mavics 2 are protected by ARM TrustZone. The same technology is used to protect millions of phones, if there was a breach it would have much more serious implications than just people removing NFZ on their drones. From what I found, there were only a couple of hacks so far:
CLKSCREW: Exposing the perils of security-oblivious energy management
Android SoC security keys extracted: Qualcomm TrustZone in question [UPDATE]
These require some serious skills, and it seems unlikely someone in relatively small drone community will be able to pull something like that off.
What other vectors of attack are there? One would be traditionally firmware update path, but unless DJI screwed up signature enforcement, or someone steals/leaks their private keys (what would be criminal) it's unlikely to bear any fruit. Also, there's a problem with no 'insecure' firmware availability, as it was well protected from the beginning. With my rudimentary knowledge, it seems like best bet would be finding some kind of engineering mode, which likely is there for DJI's internal purposes, but if it hasn't been found so far, it's likely well hidden.
Click to expand...

You could change the pressure transducer on the ac so for the same received voltage it’s voltage pressure glideslope is altered
 
  • Like
Reactions: goodlettjr and lolo780

Similar threads

C
Lost my M2 Pro with DH- weird speed limit descend
Replies
22
Views
1K
Mavic 2 Pro
Conservative Nihilist
Conservative Nihilist
M
Drone-hacks Mavic air 2
Replies
12
Views
326
General Discussions
Felix le Chat
F
A
Mavic 3 (standard) allegedly not supported by Drone-Hacks, contrary to info on their web site?
Replies
7
Views
913
Mavic 3
Antero52
A
K
Camera black after installing the hack from Drone-Hacks.com
Replies
13
Views
1K
Firmware & Software
CtrlAltDlt
C
J
30m Height Limit Bypass (GPS related)?
Replies
7
Views
2K
Control Apps - DJI, Litchi, Autopilot, etc...
HoozierDroneDaddy
HoozierDroneDaddy
Lycus Tech Mavic Air 3 Case

DJI Drone Deals

1. NEO
2. Flip
3. Mini 4k
4. Mini 4 Pro
5. Air 3s
6. Avata 2
7. Mavic 3 Pro

New Threads

Members online

Total: 351 (members: 20, guests: 331)

Forum statistics

Threads
135,729
Messages
1,609,330
Members
164,177
Latest member
LuVo
Want to Remove this Ad? Simply login or create a free account