Stub.
Poking around /proc and sysfs from a shell on the controller (prompt root@gl300e). /proc/misc lists a misc character device called log_radio with minor 50; misc devices share major 10, which is why the same node shows up as 10:50 under /sys/dev/char and as /sys/devices/virtual/misc/log_radio:
cat /proc/misc
50 log_radio
ls /sys/devices
ls -lR /sys |grep spi
lrwxrwxrwx root root 2018-03-04 11:28 log_radio -> ../../devices/virtual/misc/log_radio
lrwxrwxrwx root root 2018-03-04 11:28 10:50 -> ../../devices/virtual/misc/log_radio
drwxr-xr-x root root 2013-01-21 16:50 log_radio
/sys/devices/virtual/misc/log_radio:
/sys/devices/virtual/misc/log_radio/power:
root@gl300e:/ #
The controller also has a USB ethernet driver bound (the Linux mcs7830 driver registers under this name):
/sys/bus/usb/drivers/MOSCHIP usb-ethernet driver
DJI Assistant 2 (v1.1.2 win32; alternative link to DJI Assistant 2 v1.1.2), together with Wireshark and USBPcap, is very useful for getting a foothold on both the controller and the drone, because it shows how the devices talk to the PC over USB.
The main idea here is to send arbitrary shell commands across USB and ultimately get a remote shell. Spoiler alert: it didn't work.
DJI Assistant offers a "Restore Factory Defaults" option for the controller. When that option is selected, DJI Assistant sends the following to the controller over USB (the controller enumerates as VID 2CA3, PID 0008):
dji26656677; (the numbers are part of DJI's Shenzhen office phone number).
echo --wipe_all > /cache/recovery/command;
reboot recovery;
These are evidently shell commands. The first line looks like a magic token that the controller expects before it will accept the recovery commands that follow. The USB channel DJI Assistant uses to talk to the device is called DJIDeviceCommandIo in its logs. Here is an example DJI Assistant 2 log from the upgrade view (logs live under %APPDATA%\DJI Assistant 2\log\, i.e. inside AppData\Roaming):
[13:16:59][RootContext ] General Ver: 1.1.2.573 2017/05/27 16:55:38 6e0216bf
[13:16:59][DevMgr ] DLL : DJIBatteryHub ignore!
[13:16:59][DevMgr ] DLL : DJIFlightDataService ignore!
[13:16:59][DevMgr ] DLL : DJIRadarService ignore!
[13:16:59][DevMgr ] DLL : DJIUsbService ignore!
[13:16:59][DevMgr ] DLL : DJIWatchService ignore!
[13:16:59][DevMgr ] DLL : In2UsbReader ignore!
[13:17:00][dServer ] 1 Connected <- root
[13:17:06][DevMgr ] Device Arrival : COM13
[13:17:06][DJIDeviceCommandIo ] open COM13
[13:17:06][SerialIo ] Open COM13 success!
[13:17:06][DEV_ID ] open device succeed
[13:17:06][gen_idf_COM13 ] Change to target: Ofdm_ground(0)
[13:17:06][SerialIo ] Free COM13 success!
[13:17:06][CommandIo ] DJIDeviceCommandIo closed.
[13:17:06][Identifier2 ] [Ofdm_ground , WM331_A7_LPC1, 5.21.17.0 ], App
[13:17:06][DLL Matcher ] device service ready! COM13
[13:17:06][DEVICE ] FileKeySrc: {
"CONNECTION_RECEIVER": "Ofdm_ground",
"DEVICE": "WM331_A7_LPC1",
"FILE": "COM13"
}
[13:17:06][DevMgr ] 561258f06d5af4e6dfa0ed596964dcb354ed85d3, COM13
[13:17:06][DJIDeviceCommandIo ] open COM13
[13:17:07][SerialIo ] Open COM13 success!
[13:17:07][DevMgr ] DevArrival, Ofdm_ground, WM331_A7_LPC1, 5.21.17.0, 561258f06d5af4e6dfa0ed596964dcb354ed85d3, ACTIVATED
[13:17:09][dServer ] Disconnected! /general, root
[13:17:10][dServer ] 2 Connected <- root
[13:17:10][dServer ] 3 Connected <- UpgradeView
[13:17:10][dServer ] Disconnected! /controller/upgrade/561258f06d5af4e6dfa0ed596964dcb354ed85d3, UpgradeView
[13:17:10][dServer ] 4 Connected <- UpgradeView
[13:17:20][dServer ] Disconnected! /general, root
[13:17:20][dServer ] Disconnected! /controller/upgrade/561258f06d5af4e6dfa0ed596964dcb354ed85d3, UpgradeView
Link to full log dump located in attachments
Link to packet capture located in attachments
One way to approach this would be to reimplement the host side of the USB protocol ourselves and send our own command strings. That would involve quite a bit of hackery in libusb, and for what we are trying to achieve (a root shell) it is not worth the time. Another way would be to simply edit the hardcoded command string inside the DLL that sends it, and let DJI Assistant do the USB work.
Link to IDA database located in attachments (Requires IDA Version 7)
Here we can see the dji26656677 string inside the DJIRcService.dll binary (located at C:\Program Files (x86)\DJI Product\DJI Assistant 2\Assistant\Services, sha256sum: 90e8df162e590f577e8a42441bac781a9e4b3c43fc09bb8442b28410cbe2c3ec). This string can be modified to change the text sent across USB without ever touching a libusb implementation. Two things to keep in mind when patching it: the replacement has to fit in the original string's footprint (pad the rest with NULs rather than shifting any bytes after it), and the magic prefix should probably be kept, since the controller appears to require it before the shell commands.
I tried running adb, adb_en.sh, reboot and shutdown, but no matter what I couldn't get a visible effect. So in the end I'm not even sure whether this works.
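A minimal patcher for this approach, as an added example (not code from the page, from DJI, or from the wiki author). It assumes the payload is stored in DJIRcService.dll as one contiguous NUL-terminated ASCII string that starts with the magic prefix "dji26656677;" with the three lines separated by "\n"; the page shows the string exists in the DLL but not how it is laid out, so check that in IDA first. The replacement is only written if it fits in the original string's bytes, and the leftover space is NUL-padded so nothing after the string moves. The sample "DLL" below is a constructed byte blob, not the real binary.

```python
"""Patch the hardcoded USB command string in a copy of DJIRcService.dll.

Assumptions (not confirmed by the page): the payload is a single
NUL-terminated ASCII string beginning with MAGIC, and the controller wants
the magic prefix kept in front of whatever shell commands follow.
"""
import sys
from typing import Tuple

MAGIC = b"dji26656677;"

# Constructed stand-in for the DLL: a few bytes of padding, the exact three
# lines the capture shows (joined with "\n", an assumed separator), a NUL
# terminator, then some trailing bytes that must survive the patch untouched.
ORIGINAL_PAYLOAD = (
    b"dji26656677;\n"
    b"echo --wipe_all > /cache/recovery/command;\n"
    b"reboot recovery;"
)
FAKE_DLL = b"MZ\x90\x00" + b"\x00" * 16 + ORIGINAL_PAYLOAD + b"\x00" + b"\xcc" * 8


def find_command(blob: bytes, magic: bytes = MAGIC) -> Tuple[int, bytes]:
    """Return (offset, string) of the NUL-terminated string starting with magic.

    Refuses to guess if the magic is missing or occurs more than once: patching
    the wrong occurrence would silently corrupt the binary.
    """
    first = blob.find(magic)
    if first < 0:
        raise ValueError("magic prefix not found")
    if blob.find(magic, first + 1) >= 0:
        raise ValueError("magic prefix occurs more than once; refusing to guess")
    end = blob.find(b"\x00", first)
    if end < 0:
        raise ValueError("command string is not NUL-terminated")
    return first, blob[first:end]


def patch_command(blob: bytes, new_body: bytes, magic: bytes = MAGIC) -> bytes:
    """Replace everything after the magic prefix with new_body.

    The result has exactly the same length as the input: the new string is
    NUL-padded to the old string's size, so the original terminator and every
    byte after it stay where they were.
    """
    off, old = find_command(blob, magic)
    new = magic + new_body
    if len(new) > len(old):
        raise ValueError(f"replacement is {len(new) - len(old)} bytes too long")
    padded = new + b"\x00" * (len(old) - len(new))
    return blob[:off] + padded + blob[off + len(old):]


def main(argv) -> int:
    # usage: python patch_cmd.py DJIRcService.dll patched.dll "reboot;"
    if len(argv) != 4:
        print("usage: patch_cmd.py <in.dll> <out.dll> <shell commands>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        blob = f.read()
    off, old = find_command(blob)
    print(f"found {len(old)}-byte command string at offset 0x{off:x}: {old!r}")
    patched = patch_command(blob, b"\n" + argv[3].encode("ascii"))
    with open(argv[2], "wb") as f:
        f.write(patched)
    print(f"wrote {argv[2]}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a copy of the DLL, never the installed one, and diff the two files afterwards: the only bytes that should differ are inside the original string's range.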
1. DJI LightBridge related information.
2. HackRF related.
3. We may want to focus on one DJI model, the one we have the most information about.
Operating frequencies:
5.725GHz - 5.825GHz
2.4GHz - 2.483GHz
also see: 5.1GHz (undocumented?)
Unpacked firmware for Phantom 4
https://drive.google.com/open?id=0B-XYiVT82WrRbnktdEQzaEpPdW8
FCC IDs (frequency ranges in MHz):
Controller: SS3-GL300F1609
915.938 - 925.538 MHz
5730.0 - 5845.0 MHz
2406.5 - 2476.5 MHz
Drone: SS3-WM331A1609
5727.0 - 5821.3 MHz
2404.0 - 2478.8 MHz
https://www.youtube.com/watch?v=EMPNALfJMxU
https://www.youtube.com/watch?v=aNN2l4kMV6I