DJI Mavic, Air and Mini Drones
Friendly, Helpful & Knowledgeable Community
Join Us Now

Thoughts on hacking Mavic 2 NFZ/HEIGHT/SPEED...

Parameter's are available but not NFZ/height limit, thats been disabled in firmware in the M1P for quite some time now. I think the ones that still work are mostly related to enabling ATTI, climb/top speeds etc
This is NOT true for the MP1 buddy! There IS a way!
 
This is NOT true for the MP1 buddy! There IS a way!
param based attacks on the NFZ on newer firmware are indeed dead. Other routes still exist indeed however.
 
I recently sold my MP with old firmware, no restrictions with parameter mods. It's pretty awesome to fly up a mountain 3500' to the top and look around, staying <400AGL of course. That's why I'm keeping my P4P, for that very purpose when needed. My M2Z is my new favorite craft because of the zoom. I can get really close to animals, however there are more restrictions.

1547440972104.png

 
Last edited:
  • Like
Reactions: ff22
I recently sold my MP with old firmware, no restrictions with parameter mods. It's pretty awesome to fly up a mountain 3500' to the top and look around, staying <400AGL of course. That's why I'm keeping my P4P, for that very purpose when needed. My M2Z is my new favorite craft because of the zoom. I can get really close to animals, however there are more restrictions.

View attachment 58760


Great image. Have not looked at your video yet.
 
You can adjust the Height/Distance in the settings up to 500m/8000m respectively. This is AGL. Unless you are in a country that allows you to go higher, or want to violate legal limits, or create safety issues in the NAS, why would you need to adjust them higher than these limits. The limitation are AGL, so if you are up in the mountains or some other location with altitude, these limits start at the take off location, so there should not be a reasonable reason to adjust them above the 500/8000 meter settings. Unless you are doing research, then you could apply for a waiver or authorization and do so in a controlled/authorized environment. Just my humble opinion.
I was going to post some detailed examples, but I'll be more pithy and simply say you lack much of an imagination.
 
To all working on unlocking Mavics 2, would you mind sharing some technical details on your approach?

I'm someone considering purchasing M2P. Due to area where I live, altitude unlock is a must for me - if I have to wait few more months, I will. However, as I also work in IT, I did some reading, and it doesn't look good to me. If I understand it correcly, config files on Mavics 2 are protected by ARM TrustZone. The same technology is used to protect millions of phones, if there was a breach it would have much more serious implications than just people removing NFZ on their drones. From what I found, there were only a couple of hacks so far:
CLKSCREW: Exposing the perils of security-oblivious energy management
Android SoC security keys extracted: Qualcomm TrustZone in question [UPDATE]
These require some serious skills, and it seems unlikely someone in relatively small drone community will be able to pull something like that off.
What other vectors of attack are there? One would be traditionally firmware update path, but unless DJI screwed up signature enforcement, or someone steals/leaks their private keys (what would be criminal) it's unlikely to bear any fruit. Also, there's a problem with no 'insecure' firmware availability, as it was well protected from the beginning. With my rudimentary knowledge, it seems like best bet would be finding some kind of engineering mode, which likely is there for DJI's internal purposes, but if it hasn't been found so far, it's likely well hidden.
 
Last edited:
To all working on unlocking Mavics 2, would you mind sharing some technical details on your approach?

I'm someone considering purchasing M2P. Due to area where I live, altitude unlock is a must for me - if I have to wait few more months, I will. However, as I also work in IT, I did some reading, and it doesn't look good to me. If I understand it correcly, config files on Mavics 2 are protected by ARM TrustZone. The same technology is used to protect millions of phones, if there was a breach it would have much more serious implications than just people removing NFZ on their drones. From what I found, there were only a couple of hacks so far:
CLKSCREW: Exposing the perils of security-oblivious energy management
Android SoC security keys extracted: Qualcomm TrustZone in question [UPDATE]
These require some serious skills, and it seems unlikely someone in relatively small drone community will be able to pull something like that off.
What other vectors of attack are there? One would be traditionally firmware update path, but unless DJI screwed up signature enforcement, or someone steals/leaks their private keys (what would be criminal) it's unlikely to bear any fruit. Also, there's a problem with no 'insecure' firmware availability, as it was well protected from the beginning. With my rudimentary knowledge, it seems like best bet would be finding some kind of engineering mode, which likely is there for DJI's internal purposes, but if it hasn't been found so far, it's likely well hidden.

Details shared when released, bad form asking us prior to being ready to release.

Yes the drone uses trustzone, but that has nothing to do with preventing root, nor protecting any configs. SELinux was a larger annoyance with root, was. On the m2 trustzone mostly handles encryption related tasks. The main issue he is not trustzone, it is that they appear to have actually paid someone to audit the Mavic Air, which resulted in many known bugs being fixed, and that carried over to the M2.

Many many trustzone exploits have existed, it isnt some magically unhackable thing, just many dont understand it. M2 uses the OPTEE trustzone, not one I have seen on phones, and I've hacked on the trustzones of a lot of phones.

Insecure firmware exists, its called every **** firmware DJI has ever released.
 
  • Like
Reactions: Tsun and lolo780
If it's a bad form I apologize to all offended, I'm used to move in circles where collaboration an openness are the norm. Thank you @jcase for sharing as much as you did.
 
If it's a bad form I apologize to all offended, I'm used to move in circles where collaboration an openness are the norm. Thank you @jcase for sharing as much as you did.

No worries, openess gets bugs patched in this world, especially if details are shared before it is fully ready
 
To all working on unlocking Mavics 2, would you mind sharing some technical details on your approach?

I'm someone considering purchasing M2P. Due to area where I live, altitude unlock is a must for me - if I have to wait few more months, I will. However, as I also work in IT, I did some reading, and it doesn't look good to me. If I understand it correcly, config files on Mavics 2 are protected by ARM TrustZone. The same technology is used to protect millions of phones, if there was a breach it would have much more serious implications than just people removing NFZ on their drones. From what I found, there were only a couple of hacks so far:
CLKSCREW: Exposing the perils of security-oblivious energy management
Android SoC security keys extracted: Qualcomm TrustZone in question [UPDATE]
These require some serious skills, and it seems unlikely someone in relatively small drone community will be able to pull something like that off.
What other vectors of attack are there? One would be traditionally firmware update path, but unless DJI screwed up signature enforcement, or someone steals/leaks their private keys (what would be criminal) it's unlikely to bear any fruit. Also, there's a problem with no 'insecure' firmware availability, as it was well protected from the beginning. With my rudimentary knowledge, it seems like best bet would be finding some kind of engineering mode, which likely is there for DJI's internal purposes, but if it hasn't been found so far, it's likely well hidden.

You could change the pressure transducer on the ac so for the same received voltage it’s voltage pressure glideslope is altered
 
Lycus Tech Mavic Air 3 Case

DJI Drone Deals

New Threads

Members online

Forum statistics

Threads
130,597
Messages
1,554,235
Members
159,603
Latest member
refrigasketscanada