Using Frida for fun and profit - fpv-wtf/wtfos GitHub Wiki
The following are basic instructions for using Frida on DJI hardware.
frida-tools 15.1.17
Install
wget https://github.com/frida/frida/releases/download/15.1.17/python3-frida_15.1.17-1.ubuntu-focal_amd64.deb
wget https://github.com/frida/frida/releases/download/15.1.17/python3-frida-tools_10.5.4-1.ubuntu-focal_all.deb
sudo apt install ./python3-frida_15.1.17-1.ubuntu-focal_amd64.deb
sudo apt install ./python3-frida-tools_10.5.4-1.ubuntu-focal_all.deb
frida-server
Get the forked frida-server
wget https://github.com/fpv-wtf/frida-core/releases/download/15.1.17-2/frida-server
Run
adb connect 192.168.42.5
adb push ./frida-server /tmp
adb shell "chmod u+x /tmp/frida-server && /tmp/frida-server" &
List processes
frida-ps -D 192.168.42.5:5555
Trace calloc in dji_glasses
frida-trace -D 192.168.42.5:5555 -i calloc dji_glasses
See the Frida docs for more.
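
Beyond frida-trace, the same calloc hook can be written as a Frida agent script. The following is an added example, not part of the wtfos wiki: it buckets calloc request sizes and reports a histogram once per second. The file name calloc-histogram.js, the helper names and the one-second interval are assumptions; the agent part uses the Frida 15 JavaScript API (Interceptor.attach, Module.getExportByName, send).

```javascript
// calloc-histogram.js (hypothetical file name; added example, not wiki code)
'use strict';

// Round an allocation size up to the next power of two: 24 -> 32, 4096 -> 4096.
function bucketFor(bytes) {
  if (bytes <= 1) return 1;
  let b = 1;
  while (b < bytes) b *= 2;
  return b;
}

// Count one calloc(nmemb, size) call in the histogram (Map: bucket -> count).
function record(hist, nmemb, size) {
  const bucket = bucketFor(nmemb * size);
  hist.set(bucket, (hist.get(bucket) || 0) + 1);
  return bucket;
}

// Return the histogram as rows sorted by bucket size, then reset it.
function drain(hist) {
  const rows = Array.from(hist.entries())
    .sort((a, b) => a[0] - b[0])
    .map(([bucket, count]) => ({ bucket, count }));
  hist.clear();
  return rows;
}

// This part only runs inside a Frida agent, where Interceptor is defined.
if (typeof Interceptor !== 'undefined') {
  const hist = new Map();
  // null searches every loaded module for the calloc export.
  Interceptor.attach(Module.getExportByName(null, 'calloc'), {
    onEnter(args) {
      // calloc(nmemb, size): both arguments arrive as NativePointer values.
      record(hist, args[0].toInt32(), args[1].toInt32());
    }
  });
  // Send a summary to the host once per second instead of one line per call.
  setInterval(() => {
    const rows = drain(hist);
    if (rows.length > 0) send({ type: 'calloc-histogram', rows });
  }, 1000);
}
```

Load it with frida -D 192.168.42.5:5555 -l calloc-histogram.js dji_glasses.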
Get crazy
frida-trace -D 192.168.42.5:5555 -i "_ZN9MMSWindow*" -x "_ZN9MMSWindow7isShownEbb*" dji_gls_wm150
Direct adb connection on host
Get your device id from adb devices and replace -D 192.168.42.5:5555 with -D YOUR_ADB_DEVICE_ID in the above commands.
Alternative method without Adb Connect
Goggles V1 and Airunits don't support 'adb connect' so this alternative method is required.
Start frida-server on goggles:
./frida-server -l 192.168.42.5
Connect goggles V2:
frida-trace -H 192.168.42.5 -i calloc dji_gls_wm150
Connect goggles V1:
frida-trace -H 192.168.42.5 -i calloc dji_glasses