This repository has been archived by the owner on May 12, 2022. It is now read-only.

Any more detail on the techniques to obtain adb access? #5

Open
MAVProxyUser opened this issue May 18, 2017 · 8 comments

Comments

@MAVProxyUser

Can you detail anything further on putting the Mavic into fastboot, or ADB mode?

@singlag

singlag commented May 18, 2017

The ftp path traversal vulnerability has been patched by DJI since the .200 firmware, so you can't escape the "/ftp" jail and modify init scripts via ftp.

Have tried connecting to the drone via the COM port used by DJI Assistant 2; it keeps sending out some data on screen, but not sure how to send data to the drone (and what hex packet enables adb).

While upgrading firmware, DJI GO / DJI Assistant sends a "magic package" to enable adb on the next boot; you can try to capture it.

@MAVProxyUser
Author

I ran across this gem in the Assistant

`/Applications/Assistant.app/Contents/MacOS/Assistant`

```
Options:
-h, --help Displays this help.
-v, --version Displays version information.
--debugger Run with a debugger window
--minimum Show controller log minimum
--console Run assistant as a console service, No browser Window!
--template Load controller config from template!
--force_upgrade Ignore the version when upgrade ENC firmware!
--bypass force all device as param [Receiver]|[DEVICE]|[Version]
eg Controller|ai900v2|3.1.0.2
--noskip As default, upgrade pack file will skip those device
that is not connected, if define no skip, will try to
upgrade all pack file
--factory Open Factory page
--baud_rate set com device baud rate
--auto_upgrade enable auto upgrade
--cache_wget_file debug only, used to cache wget files
--inrup internal upgrade tool
--adb_logcat Start ADB logcat function
--auto_test Set to auto test mode
--test_server Set to test server
--1706 Set DJI Vision to 1706
--sws Set Env to SWS
```

It also works on Windows.

@singlag

singlag commented May 19, 2017

Tried it, but it still doesn't enable adb on the drone.
If you are using .400 fw or later, try to capture the serial port and USB RNDIS network packets when triggering a fw upgrade/downgrade; it should send something to the drone to enable adb / recovery mode (I'm using .200 and can't downgrade to .200 after upgrade, so I can't try).

@singlag

singlag commented May 20, 2017


I found TX/RX pins on the main PCB; is it the console port we can try?

@MAVProxyUser
Author

Do you have a Saleae Logic probe?
https://www.saleae.com

@MAVProxyUser
Author

Does anyone here have a copy of wm220_debug_whitelist.xml.sig (Mavic) or wm330_debug_whitelist.xml.sig (P4)? Even the normal /tmp/whitelist.xml would be fine. This is the ADB whitelist... I need to see the contents.

Even if the file is scrambled by the ftp service I can read it. They have added a chintzy AES stop gap to prevent people from downloading the files and reading them. It is very easy to pull from memory (on the ftpd side) and use the AES key locally to decrypt said files.

@MAVProxyUser
Author

Has anyone connected to the 'dikfer' port? (not the real name of course!)
http://mavicpilots.com/threads/whats-the-internal-usb-port-for-the-one-behind-the-status-led.1693/

@MAVProxyUser
Author

MAVProxyUser commented May 26, 2017

Turns out the Dikfer port has an RNDIS driver attached, and it connects to the Ambarella SoC. You can assign an IP in the 192.168.1.xxx range and telnet to the SoC.

Likewise, I have figured out that the ftpd downloads are AES encrypted, and subsequently I have devised a way to make the FTP AES descrambling easy for random people. There is a .exe in the Releases section if you pull down the v1.0 tagged .zip file.

https://github.com/MAVProxyUser/DJI_ftpd_aes_unscramble/blob/master/README.md
