MAVProxyUser/DJI_ftpd_aes_unscramble

launching binaries in EABI chroot

christian1656 opened this issue · 7 comments

hello,
in the past few days i spent a lot of time trying to unscramble some old logs from a mavic.
unfortunately the windows executable release doesn't work for me. like @eried i also just get scrambled output.

next i installed pip, pycrypto...
at the end i got the same result. i'm quite sure that there is a problem with the used aes-key

so i started trying to extract the aes-key from the bin file (the logs that i try to unscramble are captured with a build from 9 Dec 2016, so i've used V01.03.0200_Mavic_dji_system.bin).

now i'm stuck at the following point:

Launch the binary in a chroot via qemu-user-static

which binary is meant here:

  • the bin-file (V01.03.0200_Mavic_dji_system.bin)?
  • an extracted *.sig file which you get from using binwalk on the V01.03.0200_Mavic_dji_system.bin file?
  • or an extracted file which you get from using binwalk on a *.sig file?
  • or maybe several files?

Sorry for the stupid question but i'm absolutely new to this topic.

i would appreciate any help, thank you!
chris christian1656@aon.at

try the latest python code instead of the .exe... the key changed. I never regenerated the .zip and .exe with latest code.

The binary to launch is "./busybox tcpsvd -vE 0.0.0.0 21 ./busybox ftpd -wv /tmp/"

thanks for your quick reply @MAVProxyUser


i used the "old aes-key" from old python code

\x74\x68\x69\x73\x2d\x61\x65\x73\x2d\x6b\x65\x79\x00\x00\x00\x00

and also tried the aes-key provided by @jezzab with the new python code

\x59\x50\x31\x4E\x61\x67\x37\x5A\x52\x26\x44\x6A\x00\x00\x00\x00

are there other keys?


regarding my problem with extracting the aes-key:
i launched ./busybox tcpsvd -vE 0.0.0.0 21 ./busybox ftpd -wv /tmp/
but nothing happened after the listening started

./busybox tcpsvd -vE 0.0.0.0 21 ./busybox ftpd -wv /tmp/
tcpsvd: listening on 0.0.0.0:21, starting

i think i made a mistake when i copied the files into the chroot folder. here is what i did

  1. installed eabi chroot as described in https://wiki.ubuntu.com/ARM/BuildEABIChroot
  2. downloaded the Firmware V01.03.0200_Mavic_dji_system.bin from git https://github.com/MAVProxyUser/dji_system.bin
  3. used binwalk on downloaded firmware
    sudo binwalk -e V01.03.0200_Mavic_dji_system.bin
  4. gained full access to extracted directory by
    sudo chmod -R a+xrw *
  5. checked extracted sig files
    grep busybox wm* -r
    Binary file wm220_0100_v02.04.03.85_20161222_ca02.pro.fw.sig matches
    Binary file wm220_0801_v01.03.12.04_20161222.pro.fw.sig matches
    Binary file wm220_0805_v01.01.00.68_20161216.pro.fw.sig matches
  6. then i used binwalk on wm220_0805_v01.01.00.68_20161216.pro.fw.sig
    sudo binwalk -e wm220_0801_v01.03.12.04_20161222.pro.fw.sig
  7. got full access to files
    sudo chmod -R a+xrw *
  8. copied the extracted folder into eabi-chroot directory
    sudo cp Downloads/_V01.03.0200_Mavic_dji_system.bin.extracted/_wm220_0801_v01.03.12.04_20161222.pro.fw.sig.extracted/ eabi-chroot/ -r
  9. then i changed the root
    sudo chroot eabi-chroot/
  10. launched busybox
    ./_wm220_0801_v01.03.12.04_20161222.pro.fw.sig.extracted/system/xbin/busybox tcpsvd -vE 0.0.0.0 21 ./_wm220_0801_v01.03.12.04_20161222.pro.fw.sig.extracted/system/xbin/busybox ftpd -wv /tmp/
    tcpsvd: listening on 0.0.0.0:21, starting

and then nothing more happens...

btw i tried it on ubuntu 14.04 LTS - 32 bit
and ubuntu 16.04 LTS - 64 bit

again, thank you for your help!

once the FTP is listening... you have to use an ftp client to get and put a file... then use aes-finder against the PID and extract key from memory.

Can you provide a log file?

ok i think now i understand the procedure 😄
i thought i had to launch another binary inside the chroot before launching busybox, so that the listener gets some information from another task running inside the eabi chroot... it would never have occurred to me. thank you! i will continue playing around with it tomorrow.

@jezzab
i don't own a mavic myself so i just have some "old" *.DAT files. I need to know which information is included in the logfiles before i go out and buy one. Besides the GPS position, height and orientation of the drone, the orientation of the camera gimbal is important for me. Unfortunately this information is not provided in DatCon https://datfile.net/

dat-file mavic:
FLY095.zip

You know this repo 'DJI_ftpd_aes_unscramble' is for decrypting a file that was downloaded via FTP from the Aircraft/Remote Control/Goggles? As the ftpd server encrypts plain text/binary files on upload to the PC.

When following the readme, I had to make a few adaptations to get everything working.

First I faced some errors like qemu: Unsupported syscall: 376 when launching aes-finder from the chroot side, so I tried launching it from the non-chroot side, which gave no error but no key either.

The chroot setup following the linked ubuntu page does not have /proc and /sys mounted.
I set up the following little script to start it with /proc and /sys mounted:

    CHROOTTARGET=/home/user/eabi-chroot
    grep -q "${CHROOTTARGET}/proc " /proc/mounts || sudo mount -t proc proc ${CHROOTTARGET}/proc
    grep -q "${CHROOTTARGET}/sys " /proc/mounts || sudo mount -t sysfs sys ${CHROOTTARGET}/sys
    sudo chroot ~user/eabi-chroot

after that I launched ./busybox tcpsvd -vE 0.0.0.0 21 ./busybox ftpd -wv /ftp/ (changed /tmp/ to /ftp/ from the readme) from the chroot side (I had to create /ftp first)

then from the non-chroot side I initiated an ftp transfer to 0.0.0.0 and, still from the non-chroot side, launched aes-finder

this sequence of operations was successful in extracting the AES key on my environment.