This paper provides an overview of the dji-firmware-tools repository, an open-source suite of tools designed for analyzing, unpacking, modifying, and re-packing DJI drone firmware. The tools, primarily developed by community researchers (notably under the GitHub repository), allow advanced users to bypass OEM software limitations and understand the underlying software architecture of DJI flight controllers and gimbals.

Technical Analysis of dji-firmware-tools (o-gs/dji-firmware-tools)

1. Introduction
DJI drones run highly proprietary firmware that controls flight behavior, gimbal stabilization, and communication. DJI Assistant 2 software is typically used for official updates, but this OEM software restricts access to many flight controller parameters and locks advanced functions. The dji-firmware-tools-master project provides a command-line alternative, acting as a powerful tool for security research, custom configuration, and gimbal calibration (e.g., repairing a "tilted horizon" on a Spark).

2. Core Components and Functionality
The toolset consists of several Python scripts that manipulate firmware components:

dji_fwcon.py: A DJI Firmware Container tool used to extract individual modules from a firmware package and rebuild containers after modification.
dji_imah_fwsig.py: An "un-signer" and decryptor tool used to decrypt files and unpack firmware modules. It also enables signing modified modules with keys found in the source code.
comm_og_service_tool.py: A service tool that interfaces with the flight controller to change parameters, such as NFZ limits, altitude caps, or specialized flight behaviors.
amba_romfs.py: A tool targeting Ambarella-based systems (like the A7/A9 SoCs) for extracting and rebuilding ROMFS filesystems.
comm_dissector: Lua scripts for Wireshark to analyze DJI proprietary communication protocols.

3. Firmware Structure and Security

The firmware consists of encrypted and signed modules. The dji-firmware-tools project has been instrumental in reverse-engineering these, revealing that:

Encrypted Containers: Modules are often packed in containers, requiring decryption keys for access, which have been partially identified.
MCU Encryption: STM32 MCU firmware is typically wrapped in containers, while Atmel MCU firmware is often double-encrypted.
Re-packaging: The tools allow for modifying binary files and re-packing them, enabling customized firmware updates.

4. Key Use Cases

DJI Spark Gimbal Calibration
DJI frequently updates its "Flight Controller" parameters to limit altitude, speed, or descent rate for safety compliance. Professional cinematographers may need higher descent speeds to outrun rain or specific yaw rates for complex shots. By unpacking the firmware, users can modify these hidden parameters.
dji_imah_fwsig.py

Security is paramount for DJI. This tool handles the cryptographic signature verification. Researchers use it to understand how DJI signs its updates. By analyzing the signature algorithm, developers can attempt to create custom-signed firmware (though this is exceptionally difficult due to private key protection).
A user’s Phantom 4 Pro failed after a sudden power loss during an update. The drone would beep but not connect to the app. Using dji-firmware-tools-master: They downloaded an older, known-good firmware from an
dji_ft – newer tool for Mavic 2 / Mavic Air (still limited)
djifp – for flight parameter decoding
cryptokey research from the DjiDecrypt project

Bottom line:
Great for learning about DJI’s old firmware structure and experimenting with P4/Inspire-era drones.
Useless for newer drones unless you have extracted crypto keys from hardware (which is extremely difficult).
If anyone has updated keys or patches for newer DJI firmware, would love to hear about it.
Happy reversing (safely). ✈️
Here’s a forum-style post you could use for sharing or discussing dji-firmware-tools-master on a platform like GitHub, Reddit (r/dji, r/Multicopter), or a drone hacking community.
Title: Reverse Engineering DJI Firmware – dji-firmware-tools-master Deep Dive
Body:
Just spent some time digging into the dji-firmware-tools-master repo (the popular collection of scripts and utilities for unpacking/analyzing DJI drone firmware). Thought I’d share a quick overview + practical use case for anyone looking to decrypt, extract, or inspect DJI .bin firmware files.