Giters

TheCluster / margerine

It's not butter, but it's root.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

margerine

Episode 2: Revenge of the ¯\_(ツ)_/¯

margerine is a root exploit and adb enabler for the DJI Air Unit (wm150), Caddx Vista (lt150), FPV Goggles V1 (gl150), and FPV Googles V2 (gl170/gp150) from the same people that brought you USB Video Out.

Currently only works reliably on Windows and Mac OS X, Linux has strange issues in the USB stack - YMMW.

tl;dr;

Install nodejs v16 or above and the Javascript dependencies:

npm install

Remove your SD card for the duration of the exploit, power up the device, connect it via USB and run:

node margerine.js unlock

Have fun! consider donating and join us on our Discord.

Troubleshooting

  • waving wand, result e0 - make sure you've followed all the instructions below, reboot your Goggles and try again. It should eventually work.
  • The device might change it's COM port number on Windows (eg. COM4 -> COM5) in the middle of the exploit and error out. That's a good sign! Look up the new COM port in Device Manager (if auto detect didn't work for you) and re-run the exploit to finish everything up.
  • The device being exploited should not be connected to anything else; i.e. Googles to AU or AU to Goggles.
  • Make sure there's no SD card in your device.
  • V2 Goggles must be flashed from DIY mode to 01.00.0606.
    • Checking the menus in DIY mode is insufficient. Make sure Assistant says "Refresh" next to 0606, rather than "Downgrade". If you see "Downgrade", go ahead and downgrade.
    • If you've flashed to 01.02.0015 in drone mode the exploit won't work and you can't downgrade at the moment, sorry.
    • Despite the bigger version number 01.02.0020 in drone mode, goggles can be downgraded to 0606 in DIY mode.

Other notes

  • Requires an internet connection. Challange signing procedure happens on Drone-Hacks server kindly provided by @bin4ry.
  • Takes few minutes. Make sure your battery is not too low when powering AU/Vista from a quad.
  • You have to run node margerine.js lock before the Assistant will allow you to flash firmwares again.
  • Disables SELinux for you
  • On *150 remounts /proc/cmdline so that mp_state=engineering, which enables adb
  • With great power comes great responsibility - you CAN bootloop/brick your device if you modify or delete important files. There are currently no low level recovery methods available.

What can I do with this?

  • Play Doom
  • Customize the UI theme in /system/gui/xml/themes/defult/theme.xml
  • Pair an Air Unit (or Vista) to another Air Unit using /system/bin/modem_info.sh reverse on one of them.
  • Talk to connected devices via TCP or UDP. Goggles are 192.168.41.1 and air side is 192.168.41.2.
  • Debug USB devices such as input on V2 Goggles (no OTG on V1) by adb shell-ing into a connected Vista/AU and then using adb connect 192.168.41.1 && adb shell to debug wirelessily.
  • Build stuff with the latest Android NDK armv7 architecture, target platform 23.
    • A modified Directfb framebuffer library is available for drawing to an ARGB target to be overlaid on top of the video feed.
    • Direct access to the framebuffer is not available, except via special undocumented DMI bullsh*t.
    • Check out the dfbdoom project.
  • Reverse engineer stuff with IDA, Ghidra and/or Frida.

Additional Documentation

Check out our wonderful wiki.

Advanced usage

node margerine --help
margerine <command>

Commands:
  margerine unlock [serialport]        unlock device and enable adb
  margerine lock [serialport]          disable adb and relock device
  margerine proxy [port]               start the built in http -> https proxy
  margerine.js shell <command> [port]  execute a command on rooted device,
                                       once per reboot
Options:
  --help     Show help                                               
  --version  Show version number

To-do

See the wiki.

It's spelled margarine

No, it's not.

Credits

While this is an original exploit by Joonas Trussmann, it would not have been even remotely possible without work by @tmbinc and @bin4ry. Also a shout out to the rest of the OG's for all their work on dji-firmware-tools.

Special thanks go to: @jaanuke, @funnel and @fichek over on our Discord.

Support the effort

If you'd like, you can support the effort on Open Collective, send some ETH to 0xbAB1fec80922328F27De6E2F1CDBC2F322397637 or BTC to 3L7dE5EHtyd2b1tXBwdnWC2MADkV2VTbrq.

About

It's not butter, but it's root.

License:MIT License

Languages

Language:JavaScript 100.0%