# dji-firmware-tools
Tools for extracting, modding and re-packaging firmwares of [DJI](http://www.dji.com) multirotor drones.
# Motivation
The project started as an alternative implementation of the parser from [phantom-licensecheck](https://github.com/probonopd/phantom-licensecheck).
Over time it has grown to support many generations of DJI products.
It consists of tools which allow not only extraction, but also re-packing of
the previously extracted modules back into a single file. There are also tools
which are meant to be used on specific modules, to extract their content and
allow modifying it.
# Step by step instruction
Such instruction will not be provided. These tools are for engineers with vast
hardware and software knowledge. You need to know what you're doing to achieve
anything with these tools.
This is to make sure the tools won't be used by script kiddies to disable
security mechanisms and to allow breaking the law.
If you can't understand how the tools work, you should not use them. If any
warnings are shown, you must investigate the cause to make sure the final firmware
will not be damaged. You are using the tools at your own risk.
# Firmware structure
Since all the tools are available in source code form, it is easy to check details
on the structure and protocols processed by these tools by looking at their source.
The source code is intended to also act as a format documentation.
For higher level and more hardware related info, check [the project Wiki](https://github.com/o-gs/dji-firmware-tools/wiki).
# Tools
The specific tools are described briefly below. Running them without parameters
will give you details on supported commands in each of them.
To get specifics about command line arguments of each tool, run them with the `--help`
option. Some tools also have additional remarks in their headers - try viewing them.
### dji_xv4_fwcon.py
DJI Firmware xV4 Container tool; allows extracting modules from package file which
starts with `xV4`, or creating container by merging firmware modules. Use this tool
first, to extract the BIN file downloaded from DJI, as long as the file starts with
`xV4`.
Example: ```./dji_xv4_fwcon.py -vv -x -p P3X_FW_V01.08.0080.bin```
### dji_imah_fwsig.py
DJI Firmware IMaH Un-signer and Decryptor tool; allows decrypting and un-signing a module
from a `.sig` file which starts with `IM*H`. Use this tool after untarring single
modules from a firmware package, to decrypt their content. The tool can also sign
an un-signed module, as long as the private part of the chosen key is available.
Example: ```./dji_imah_fwsig.py -vv -u -i wm335_0306_v03.03.04.10_20180429.pro.fw.sig```
### dji_mvfc_fwpak.py
DJI Mavic Flight Controller Firmware Decryptor tool; removes second layer encryption
in Flight Controller firmware modules from several DJI products released around the
same period: Mavic Pro, Spark, Inspire 2 and Phantom 4. Does not accept `IM*H`
format - requires input files with first level encryption already removed.
Example: ```./dji_mvfc_fwpak.py dec -i wm220_0306_v03.02.40.11_20170918.pro.fw```
### amba_fwpak.py
Ambarella A7/A9 firmware pack tool; allows extracting partitions from the
firmware, or merging them back. Use this to extract Ambarella firmware from
files created after DJI Container is extracted. You can recognize the Ambarella
firmware by a lot of "Amba" strings within, or by a 32-char zero-padded string
at the beginning of the file.
Example: ```./amba_fwpak.py -vv -x -m P3X_FW_V01.08.0080_m0100.bin```
### amba_romfs.py
Ambarella A7/A9 firmware ROMFS filesystem tool; allows extracting single files
from ROMFS filesystem file, or rebuilding filesystem from the single files.
Use this after the Ambarella firmware is extracted. You can recognize ROMFS
partitions by file names near beginning of the file, surrounded by blocks of
0xff filled bytes.
Example: ```./amba_romfs.py -vv -x -p P3X_FW_V01.08.0080_m0100_part_rom_fw.a9s```
### amba_ubifs.sh
Linux script for mounting UBIFS partition from the Ambarella firmware. After
mounting, the files can be copied or modified. Use this after the Ambarella
firmware is extracted. The file containing UBIFS can be easily recognized
by `UBI#` at the beginning of the file.
Example: ```sudo ./amba_ubifs.sh P3X_FW_V01.08.0080_m0100_part_rfs.a9s```
### arm_bin2elf.py
Tool which wraps binary executable ARM images with an ELF header. If a firmware
contains a binary image of an executable file, this tool can rebuild the ELF header for it.
The ELF format can then be easily disassembled, as most debuggers can read ELF files.
Note that using this tool on encrypted firmwares will not result in a usable ELF.
Example: ```./arm_bin2elf.py -vv -e -b 0x8020000 -l 0x6000000 -p P3X_FW_V01.07.0060_m0306.bin```
The command above will cause the tool to try and detect where the border between
code (`.text`) and data (`.data`) sections should be. This detection is not perfect,
especially for binaries with no `.ARM.exidx` section between them. If `.ARM.exidx`
exists in the binary, the tool can easily find it and divide binary data properly,
treating `.ARM.exidx` as a separator between `.text` and `.data`.
In other words, position of the `.ARM.exidx` influences length of the `.text` section,
and starting offset of the `.data` section. If there is no `.ARM.exidx` section in
the file, it will still be used as separator, just with zero size.
After first look at the disassembly, it is good to check where the correct border
between `.text` and `.data` sections is located. File offset of this location can
be used to generate better ELF file.
Additional updates to the ELF after first look can include defining `.bss` sections.
These sections represent uninitialized RAM used by the binary. It is tempting to just
define one big section which covers whole RAM address range according to programming
guide of the chip, but that results in huge memory usage and related slowdowns while
disassembling the file.
Note that all section offsets are defined using start of the BIN file as reference,
or in other words - they assume base address of 0x0. If you have found the proper location
of a section, remember to subtract the base address from the memory location before
passing it on the command line of this tool.
Base address can be often found in programming guide of the specific chip; sometimes it
may be shifted from that location, if the binary is loaded by an additional bootloader.
In such cases the bootloader takes the location from documentation, and the real firmware
binary is loaded at a bit higher base address.
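The offset rule above, as an added example that is not part of dji-firmware-tools: a hypothetical helper `section_args` subtracts the base address from memory addresses noted in a disassembler and builds the `--section` arguments. The base and offsets are those of the first optimized command in this README, with the base added back to get the memory addresses; `BIN_SIZE` is a constructed placeholder, and it is an assumption that the tool accepts lengths written in hex.

```python
# Added example (not part of dji-firmware-tools): convert memory addresses
# noted in a disassembler into file-relative --section arguments.

def section_args(base, bin_size, sections):
    """sections: (name, memory_address, length, file_backed) tuples."""
    args, spans = [], []
    for name, addr, length, file_backed in sections:
        if addr < base:
            # Cannot be expressed as an offset from the start of the BIN,
            # e.g. an address taken from the chip guide when a bootloader
            # shifts the real load address upwards.
            raise ValueError(f"{name}: 0x{addr:x} is below base 0x{base:x}")
        off = addr - base  # remove the base address, as the README requires
        if file_backed and off + length > bin_size:
            raise ValueError(f"{name}: offset 0x{off:x} is outside the BIN")
        for other, lo, hi in spans:
            if off < hi and lo < off + length:
                raise ValueError(f"{name} overlaps {other}")
        spans.append((name, off, off + length))
        args += ["--section", f"{name}@0x{off:x}:0x{length:x}"]
    return args

BASE = 0x8020000        # -b value from the README's first optimized command
BIN_SIZE = 0x100000     # constructed placeholder; use the real file size
SECTIONS = [            # addresses = README offsets with BASE added back
    (".ARM.exidx", 0x080A5D34, 0x0,     True),
    (".bss",       0x10000000, 0xA000,  False),
    (".bss2",      0x20000000, 0x30000, False),
    (".bss3",      0x40000000, 0x30000, False),
]

if __name__ == "__main__":
    cmd = ["./arm_bin2elf.py", "-vv", "-e", "-b", hex(BASE)]
    cmd += section_args(BASE, BIN_SIZE, SECTIONS)
    cmd += ["-p", "P3X_FW_V01.07.0060_m0306.bin"]
    print(" ".join(cmd))
```

The generated offsets are numerically equal to those in the README's command; only the hex formatting is normalized.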
Optimized examples for specific firmwares:
```./arm_bin2elf.py -vv -e -b 0x8020000 --section .ARM.exidx@0x085d34:0 --section .bss@0x07fe0000:0xA000 --section .bss2@0x17fe0000:0x30000 --section .bss3@0x37fe0000:0x30000 -p P3X_FW_V01.07.0060_m0306.bin```
```./arm_bin2elf.py -vv -e -b 0x000a000 --section .ARM.exidx@0x01ce50:0 --section .bss@0xfff6000:0x8000 --section .bss2@0x3fff6000:0x50000 --section .bss3@0xdfff6000:0x10000 -p C1_FW_V01.06.0000_m1400.bin```
```./arm_bin2elf.py -vv -e -b 0x000a000 --section .ARM.exidx@0x0193E0:0 --section .bss@0x1ff6000:0x4000 --section .bss2@0x1ffe000:0x1000 --section .bss3@0x1bff6000:0x2400 --section .bss4@0x1c01a000:0x2400 --section .bss5@0x40022000:0x50000 --section .bss6@0x400ee000:0x200 --section .bss7@0xe0004000:0x1200 -p C1_FW_V01.06.0000_m1401.bin```
```./arm_bin2elf.py -vv -e -b 0x8008000 --section .ARM.exidx@0x0D510:0 --section .bss@0x17FF7700:0x5A00 --section .bss2@0x37ff8000:0x6700 --section .bss3@0x38008000:0x5500 --section .bss4@0x38018000:0x2200 --section .bss5@0x3a1f8000:0x100 --section .bss6@0x3a418000:0x500 -p P3X_FW_V01.08.0080_m0900.bin```
```./arm_bin2elf.py -vv -e -b 0x8008000 --section .ARM.exidx@0x0136D0:0 --section .bss@0x17FF7700:0xC900 --section .bss2@0x37ff8000:0x6700 --section .bss3@0x38008000:0x5500 --section .bss4@0x38018000:0x7000 --section .bss5@0x48058800:0x100 -p P3X_FW_V01.11.0030_m0400.bin```
```./arm_bin2elf.py -vv -e -b 0x04200