Skip to content

Commit

Permalink
removed .class files, added Main.java
Browse files Browse the repository at this point in the history
  • Loading branch information
@validev
validev committed Apr 15, 2021
1 parent c108e0e commit 14a9966
Show file tree
Hide file tree
Showing 3 changed files with 140 additions and 70 deletions.
Binary file removed src/com/cunninglogic/ubersploits/CRC.class
View file
Binary file not shown.
Binary file removed src/com/cunninglogic/ubersploits/Main.class
View file
Binary file not shown.
210 changes: 140 additions & 70 deletions src/com/cunninglogic/ubersploits/Main.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ public class Main {
private static FTPClient ftpClient;

public static void main(String[] args) {
System.out.println("UberSploits v0.1 by jcase");
System.out.println("UberSploits v0.2 by jcase,validev");
System.out.println("Please see licensing details for the libraries we use inside the libs directory.\n");

System.out.println("UberSploits is an exploit delivery tool for DJI, it effectively brings back to life a bunch" +
Expand All @@ -34,9 +34,41 @@ public static void main(String[] args) {

classLoader = Main.class.getClassLoader();

int count = 1;

System.out.println("Choose target port: (* suggested port)");
System.out.println("\nChoose target:");
System.out.println("\t[1] Aircraft (e.g. Mavic Pro)");
System.out.println("\t[2] Remote Control (e.g. Mavic Pro RC)");
String str = "";
BufferedReader br = new BufferedReader(new InputStreamReader(System.in));

int target;
System.out.print("Choose target: ");
while (true) {
try {
str = br.readLine();
} catch (IOException e) {
e.printStackTrace();
}
try {

target = Integer.parseInt(str.trim());

if ((target > 2) || (target < 1)) {
System.out.println("[!] Invalid target selection");
System.out.print("Choose target: ");
} else {
System.out.println("Using Target: " + target);
break;
}
} catch (NumberFormatException e) {
System.out.println("[!] Invalid target selection");
System.out.print("Choose target: ");
}
}


int count = 1;
System.out.println("\nChoose target port: (* suggested port)");
for (SerialPort s : SerialPort.getCommPorts()) {
if (s.getDescriptivePortName().contains("DJI")) {
System.out.print("*");
Expand All @@ -48,8 +80,8 @@ public static void main(String[] args) {

System.out.println("\t[E] Exit");

String str = "";
BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
int port;
br = new BufferedReader(new InputStreamReader(System.in));
System.out.print("Choose port: ");
while (true) {
try {
Expand All @@ -65,7 +97,7 @@ public static void main(String[] args) {
}


int port = Integer.parseInt(str.trim());
port = Integer.parseInt(str.trim());

if ((port > count) || (port < 1)) {
System.out.println("[!] Invalid port selection");
Expand All @@ -83,99 +115,93 @@ public static void main(String[] args) {

if (activePort == null) {
System.out.println("Couldn't find port, exiting");
return;
System.exit(0);
}

if (activePort.isOpen()) {
System.out.println(activePort.getSystemPortName() + " is already open");
activePort.closePort(); //meh why not
return;
System.exit(0);
}

if (!activePort.openPort()) {
System.out.println("Couldn't open port, please close all other DUML/DJI Apps and try again");
activePort.closePort(); //meh why not
return;
System.exit(0);
}

activePort.setBaudRate(115200);

System.out.println("Reading payload");
System.out.println("\nReading payload ...");

String payloadfile = "";
String ftptarget = "";
switch(target) {
case 1: payloadfile = "resources/payload.bin";
ftptarget = "upgrade/data_copy.bin";
break;
case 2: payloadfile = "resources/payloadRC.bin";
ftptarget = "upgrade/dji_system.bin";
break;
default:
System.out.println("Invalid target. Exiting.");
System.exit(0);
}

InputStream is = classLoader.getResourceAsStream("resources/payload.bin");
InputStream is = classLoader.getResourceAsStream(payloadfile);
byte[] payload = null;
try {
payload = isToArray(classLoader.getResourceAsStream("resources/payload.bin"));
payload = isToArray(classLoader.getResourceAsStream(payloadfile));
is.close();
} catch (IOException e) {
e.printStackTrace();
}

System.out.println("Entering upgrade mode");
write(UPGRADE_MODE_ENTER());
System.out.println("Entering upgrade mode ...");
write(UPGRADE_MODE_ENTER(target));

try {
Thread.sleep(1000);
} catch (InterruptedException e) {
e.printStackTrace();
}

System.out.println("Sending filesize");
write(UPGRADE_DATA(payload.length));
if(target==2) {
System.out.println("Enable reporting ...");
write(UPGRADE_MODE_ENABLE_REPORTING());

Thread.sleep(1000);
}

System.out.println("Sending filesize ...");
write(UPGRADE_DATA(target, payload.length));

try {
Thread.sleep(1000);
} catch (InterruptedException e) {
e.printStackTrace();
}

System.out.println("Uploading payload");
ftpClient = new FTPClient();
try {
System.out.println("Uploading payload ...");
ftpClient = new FTPClient();
ftpClient.connect("192.168.42.2", 21);
ftpClient.login("dontforget","aboutjcase");
ftpClient.enterLocalPassiveMode();
ftpClient.setFileType(ftpClient.BINARY_FILE_TYPE);
is = classLoader.getResourceAsStream("resources/payload.bin");
ftpClient.storeFile("/upgrade/data_copy.bin", is);
is = classLoader.getResourceAsStream(payloadfile);
ftpClient.storeFile(ftptarget, is);
is.close();
} catch (IOException e) {
e.printStackTrace();
}

try {
Thread.sleep(1000);
} catch (InterruptedException e) {
e.printStackTrace();
}

System.out.println("Executing update");
write(UPGRADE_FINISH_DATA(payload));
System.out.println("Executing upgrade ...");
write(UPGRADE_FINISH_DATA(target, payload));


try {
Thread.sleep(1000);
} catch (InterruptedException e) {
e.printStackTrace();
}

System.out.println("Finished (system may still be processing the update)");
System.out.println("Finished! adb access should be enabled.\n");

try {
ftpClient.disconnect();
activePort.closePort();
} catch (IOException e) {

} catch (Exception e) {
e.printStackTrace();
}
}

private static void write(byte[] packet) {
private static void write(byte[] packet) throws Exception {
activePort.writeBytes(packet,packet.length);
try {
Thread.sleep(1000);
} catch (InterruptedException e) {
e.printStackTrace();
}
Thread.sleep(1000);
}

private static byte[] isToArray(InputStream is) throws IOException {
Expand All @@ -193,22 +219,56 @@ private static byte[] isToArray(InputStream is) throws IOException {

return buffer.toByteArray();
}
/*
UPGRADE_MODE_ENTER - 0,HS,28637,55 16 04 FC 2A 28 B8 51 40 00 07 00 00 00 00 00 00 00 00 00 9F BF
UPGRADE_DATA 0,HS,28831,55 1A 04 B1 2A 28 BB 51 40 00 08 00 C8 57 08 00 00 00 00 00 00 00 02 08 2E 88
UPGRADE_FINISH_DATA 0,HS,46759,55 1E 04 8A 2A 28 CE 51 40 00 0A 00 A5 1B BF 03 A2 B5 0D F6 DB 1C 5B 28 EF 5D 7A D9 9E 39
*/

private static byte[] UPGRADE_MODE_ENTER() {
byte[] packet = new byte[] {0x55,0x16,0x04,(byte)0xFC,0x2A,0x28,(byte)0xB8,0x51,0x40,0x00,0x07,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00};
/*
NFZ delivery, AC
UPGRADE_MODE_ENTER - 0,HS,28637,55 16 04 FC 2A 28 B8 51 40 00 07 00 00 00 00 00 00 00 00 00 9F BF
UPGRADE_DATA 0,HS,28831,55 1A 04 B1 2A 28 BB 51 40 00 08 00 C8 57 08 00 00 00 00 00 00 00 02 08 2E 88
UPGRADE_FINISH_DATA 0,HS,46759,55 1E 04 8A 2A 28 CE 51 40 00 0A 00 A5 1B BF 03 A2 B5 0D F6 DB 1C 5B 28 EF 5D 7A D9 9E 39
Upgrade delivery, RC
Change target from 28 to 2D
change upgrade data mode from 02 08 tp 02 04
*/

private static byte[] UPGRADE_MODE_ENTER(int target) throws Exception {
byte[] packet;
switch(target) {
case 1:
packet = new byte[] {0x55,0x16,0x04,(byte)0xFC,0x2A,0x28,(byte)0xB8,0x51,0x40,0x00,0x07,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00};
break;
case 2:
packet = new byte[] {0x55,0x16,0x04,(byte)0xFC,0x2A,0x2D,(byte)0xB8,0x51,0x40,0x00,0x07,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00};
break;
default:
throw new Exception();
}
return CRC.pktCRC(packet);
}

private static byte[] UPGRADE_MODE_ENABLE_REPORTING() {
byte[] packet = new byte[] {0x55,0x16,0x04,(byte)0xFC,0x2A,0x2D,(byte)0xB8,0x51,0x40,0x00,0x0C,0x00};
return CRC.pktCRC(packet);
}

private static byte[] UPGRADE_DATA(int fileSize) {
byte[] packet = new byte[] {0x55,0x1A,0x04,(byte)0xB1,0x2A,0x28,(byte)0xBB,0x51,0x40,0x00,0x08,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x08};
private static byte[] UPGRADE_DATA(int target, int fileSize) throws Exception {
byte[] packet;
switch(target) {
case 1:
packet = new byte[] {0x55,0x1A,0x04,(byte)0xB1,0x2A,0x28,(byte)0xBB,0x51,0x40,0x00,0x08,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x08};
break;
case 2:
packet = new byte[] {0x55,0x1A,0x04,(byte)0xB1,0x2A,0x2D,(byte)0xBB,0x51,0x40,0x00,0x08,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x04};
break;
default:
throw new Exception();
}

byte[] size = ByteBuffer.allocate(4).putInt(fileSize).array();

packet[12] = size[3];
Expand All @@ -219,10 +279,20 @@ private static byte[] UPGRADE_DATA(int fileSize) {
return CRC.pktCRC(packet);
}

private static byte[] UPGRADE_FINISH_DATA(byte[] payload) {
byte[] packet = new byte[] {0x55,0x1E,0x04,(byte)0x8A,0x2A,0x28,(byte)0xCE,0x51,0x40, 0x00, 0x0A, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

private static byte[] UPGRADE_FINISH_DATA(int target, byte[] payload) throws Exception {
byte[] packet;
switch(target) {
case 1:
packet = new byte[] {0x55,0x1E,0x04,(byte)0x8A,0x2A,0x28,(byte)0xCE,0x51,0x40, 0x00, 0x0A, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
break;
case 2:
packet = new byte[] {0x55,0x1E,0x04,(byte)0x8A,0x2A,0x2D,(byte)0xCE,0x51,0x40, 0x00, 0x0A, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
break;
default:
throw new Exception();
}
byte[] md5 = payload;

try {
Expand Down

0 comments on commit 14a9966

Please sign in to comment.