Failed to decrypt DJI RC 2 (rc331) Fly APP (FLYA) IMAH #467

@MlgmXyysd

Description

Device: DJI RC 2 (RC331)
Firmware: V08.01.0100_rc331_dji_system (via DDD)
Module: rc331_0200_v11.94.10.85_20251204.pro.fw.sig (name="APP")

I managed to unlock the bootloader on RC 2, but then I got an error saying the decryption failed.
After some decompilation, I discovered that the encrypted APP mentioned in the prompt is included in the firmware. I then attempted to decrypt it using dji_imah_fwsig (w/ key PRAK-2020-01) and successfully extracted 0200 (flyapp).

However, when attempting to further decrypt 0200 (chunk FLYA), the operation failed.

V08.01.0100_rc331_dji_system\rc331_0200_v11.94.10.85_20251204.pro.fw_0200.bin: Opening for extraction and un-signing
V08.01.0100_rc331_dji_system\rc331_0200_v11.94.10.85_20251204.pro.fw_0200.bin: Warning: Header field 'reserved' is non-zero; the tool is not designed to handle this.
V08.01.0100_rc331_dji_system\rc331_0200_v11.94.10.85_20251204.pro.fw_0200.bin: Unpacking image...
OrderedDict([('magic', b'IM*H'),
            ('header_version', 2),
            ('size', 426181248),
            ('reserved', b'\x00\x00\xb6\x00'),
            ('header_size', 224),
            ('signature_size', 256),
            ('payload_size', 426180768),
            ('target_size', 426181248),
            ('os', 0),
            ('arch', 0),
            ('compression', 0),
            ('anti_version', 0),
            ('auth_alg', 262146),
            ('auth_key', 'PRAK'),
            ('enc_key', 'TBIE'),
            ('scram_key', b'\x179\xb10\xd6<]h\xf5\xfa\xfdC\xc4d\t\xd5'),
            ('name', 'flyapp'),
            ('type', 'RAW'),
            ('version', 0),
            ('date', 539300356),
            ('encr_cksum', 1750823939),
            ('reserved2', b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'),
            ('userdata', b''),
            ('entry', b'\x00\x00\x00\x00\x00\x00\x00\x00'),
            ('plain_cksum', 2509686653),
            ('chunk_num', 1),
            ('payload_digest', b'\xe7\xbf]z_"}\x9fm\xbf\x96\x84\x1d\x84,\x80\xc2%\xde\x98\xc1\xa4+\x13\xf5zX\xc9L\x08\x19\xfa')])
V08.01.0100_rc331_dji_system\rc331_0200_v11.94.10.85_20251204.pro.fw_0200.bin: Warning: Image file head signature does not match the length of auth key. Continuing anyway.
V08.01.0100_rc331_dji_system\rc331_0200_v11.94.10.85_20251204.pro.fw_0200.bin: Warning: Image file head signature verification caused cryptographic exception: Incorrect signature
V08.01.0100_rc331_dji_system\rc331_0200_v11.94.10.85_20251204.pro.fw_0200.bin: Warning: Image file head signature verification failed. Continuing anyway.
V08.01.0100_rc331_dji_system\rc331_0200_v11.94.10.85_20251204.pro.fw_0200.bin: Encrypted data checksum 0x685B7403 matches.
V08.01.0100_rc331_dji_system\rc331_0200_v11.94.10.85_20251204.pro.fw_0200.bin: Unpacking encrypted chunk 'FLYA'...
OrderedDict({'id': 'FLYA', 'offset': 0, 'size': 426180752, 'attrib': 0, 'address': 0, 'reserved': b'\x00\x00\x00\x00\x00\x00\x00\x00'}
V08.01.0100_rc331_dji_system\rc331_0200_v11.94.10.85_20251204.pro.fw_0200.bin: Un-signed 1 chunks, skipped/truncated 0 chunks.
V08.01.0100_rc331_dji_system\rc331_0200_v11.94.10.85_20251204.pro.fw_0200.bin: Decrypted chunks checksum 0xB53DD0FD, expected 0x9596C77D.
V08.01.0100_rc331_dji_system\rc331_0200_v11.94.10.85_20251204.pro.fw_0200.bin: Warning: Decrypted chunks checksum verification failed. Continuing anyway.

I have tried all the TBIE keys in the script, but none of them worked.

Based on the firmware decompilation, the decryption key appears to be stored in the RPMB region and is read and decrypted by QSEE via the TEE. Since ARM TrustZone does not seem to be vulnerable to attack, are there any other ways to obtain the key? Or is there another way to get the customized DJI Fly app in RC 2?
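The dump above is the one place on this page where the IM*H container format is spelled out field by field, so here is a small parser for it that rebuilds the header from those printed values and applies the checks a decryptor should run before it reaches for key material: the non-zero reserved field the tool warned about, the size arithmetic, and whether a key exists for the enc_key slot at all. This is an added example, not code from the issue author and not from dji-firmware-tools. It assumes a little-endian layout with the field widths below (chosen so that the fixed part is 192 bytes and one 32-byte chunk entry brings it to the printed header_size of 224), a BCD reading of the date field, and a hypothetical AVAILABLE_KEY_SLOTS table that holds no real key material. The sample header bytes are constructed from the dump; the signature and the 426 MB payload are not reproduced.

```python
"""IM*H header parser for the dji_imah_fwsig dump in the issue above.

Added example; not from the issue author or dji-firmware-tools. The field
widths, the BCD date reading and AVAILABLE_KEY_SLOTS are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import List, Set

IMAH_MAGIC = b"IM*H"
# Assumed little-endian layout, in the order the tool printed the fields.
HDR_FMT = "<4sII4sIIIIBBBBI4s4s16s32s4sIII16s16s8sII32s"
HDR_SIZE = struct.calcsize(HDR_FMT)      # 192 bytes before the chunk table
CHUNK_FMT = "<4sIIIQ8s"                  # id, offset, size, attrib, address, reserved
CHUNK_SIZE = struct.calcsize(CHUNK_FMT)  # 32 bytes per chunk entry


@dataclass
class Chunk:
    id: str
    offset: int
    size: int
    attrib: int
    address: int


@dataclass
class ImahHeader:
    header_version: int
    size: int
    reserved: bytes
    header_size: int
    signature_size: int
    payload_size: int
    target_size: int
    auth_alg: int
    auth_key: str
    enc_key: str
    scram_key: bytes
    name: str
    type: str
    date: int
    encr_cksum: int
    plain_cksum: int
    payload_digest: bytes
    chunks: List[Chunk]


def parse_imah_header(data: bytes) -> ImahHeader:
    """Parse the fixed header plus the chunk table; raises on malformed input."""
    if len(data) < HDR_SIZE:
        raise ValueError("data shorter than the fixed IM*H header")
    (magic, hver, size, reserved, hsize, sigsize, psize, tsize,
     _os, _arch, _compr, _anti, auth_alg, auth_key, enc_key, scram_key,
     name, typ, _ver, date, encr_cksum, _res2, _userdata, _entry,
     plain_cksum, chunk_num, digest) = struct.unpack_from(HDR_FMT, data, 0)
    if magic != IMAH_MAGIC:
        raise ValueError(f"bad magic {magic!r}")
    if hsize != HDR_SIZE + chunk_num * CHUNK_SIZE or len(data) < hsize:
        raise ValueError("header_size inconsistent with chunk_num")
    chunks = []
    for i in range(chunk_num):
        cid, off, csz, attrib, addr, _r = struct.unpack_from(
            CHUNK_FMT, data, HDR_SIZE + i * CHUNK_SIZE)
        chunks.append(Chunk(cid.decode("ascii"), off, csz, attrib, addr))
    return ImahHeader(hver, size, reserved, hsize, sigsize, psize, tsize,
                      auth_alg, auth_key.decode("ascii"), enc_key.decode("ascii"),
                      scram_key, name.rstrip(b"\0").decode("ascii"),
                      typ.rstrip(b"\0").decode("ascii"), date, encr_cksum,
                      plain_cksum, digest, chunks)


def bcd_date(date_field: int) -> str:
    """Assumed BCD reading: the dump's 539300356 is 0x20251204, the build date."""
    return f"{date_field:08x}"


def header_warnings(h: ImahHeader) -> List[str]:
    """Consistency checks to run before touching any key material."""
    w = []
    if any(h.reserved):
        w.append("reserved field is non-zero")
    if h.size != h.header_size + h.signature_size + h.payload_size:
        w.append("size != header_size + signature_size + payload_size")
    if h.target_size != h.size:
        w.append("target_size != size")
    for c in h.chunks:
        if c.offset + c.size > h.payload_size:
            w.append(f"chunk {c.id} extends past the payload")
    return w


# Hypothetical table of key slots for which a usable key exists. The issue
# reports that no TBIE key worked, modelled here as TBIE being absent.
AVAILABLE_KEY_SLOTS: Set[str] = {"PRAK"}


def decrypt_status(h: ImahHeader, available: Set[str] = AVAILABLE_KEY_SLOTS) -> str:
    """Decide from the header alone whether the chunks can be decrypted."""
    if h.enc_key not in available:
        return (f"no key for enc_key slot {h.enc_key}: decrypting with another key "
                f"yields garbage and plain_cksum 0x{h.plain_cksum:08X} will not match")
    return "ok"


def build_sample_header() -> bytes:
    """Constructed from the dump's values; signature and payload are omitted."""
    fixed = struct.pack(
        HDR_FMT, IMAH_MAGIC, 2, 426181248, b"\x00\x00\xb6\x00", 224, 256,
        426180768, 426181248, 0, 0, 0, 0, 262146, b"PRAK", b"TBIE",
        b"\x179\xb10\xd6<]h\xf5\xfa\xfdC\xc4d\t\xd5", b"flyapp", b"RAW", 0,
        539300356, 1750823939, b"", b"", b"", 2509686653, 1,
        b'\xe7\xbf]z_"}\x9fm\xbf\x96\x84\x1d\x84,\x80\xc2%\xde\x98\xc1\xa4+\x13\xf5zX\xc9L\x08\x19\xfa')
    chunk = struct.pack(CHUNK_FMT, b"FLYA", 0, 426180752, 0, 0, b"")
    return fixed + chunk


if __name__ == "__main__":
    hdr = parse_imah_header(build_sample_header())
    print(f"{hdr.name} ({hdr.type}) built {bcd_date(hdr.date)} "
          f"auth={hdr.auth_key} enc={hdr.enc_key} auth_alg=0x{hdr.auth_alg:X}")
    print(f"encr_cksum=0x{hdr.encr_cksum:08X} plain_cksum=0x{hdr.plain_cksum:08X}")
    for c in hdr.chunks:
        print(f"chunk {c.id}: offset={c.offset} size={c.size}")
    for w in header_warnings(hdr):
        print("warning:", w)
    print(decrypt_status(hdr))
```

Run stand-alone it reproduces the tool's "reserved is non-zero" warning, confirms that size equals header_size + signature_size + payload_size for this image, and reports that the TBIE slot has no key. That last point is the practical reading of the log: the tool could still "decrypt" the chunk with whatever TBIE keys it has because AES does not fail on a wrong key, which is why the failure only shows up as the plain_cksum mismatch on the decrypted data.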
