dji-firmware-tools
Power zone (FCC/CE) in GL300a/b/c RC Firmware
RC Firmware must be changeable too.
Some limitations were added with RC firmwares 1.6 and newer. Output power is reduced from 25mW to 10mW in CE mode.
And it should be possible to change CE to FCC mode (the RC checks via GPS location and then sets FCC or CE mode; USA = FCC, Europe = CE).
Actually, the power output mode needs to be changed in both the transmitter in the radio controller and the transmitter on the OFDM board.
It's good to know the change in power was made with 1.6 - it should allow finding the change by comparing the two firmwares. Please make sure that this information is correct, if you can.
Yes, the change was with RC firmware 1.6 (C1_FW_v01.06.0000.bin) (DJI support confirmed this to me! They must do this because of local laws).
Craft and RC firmwares have not been the same since 1.3.2, which was the last craft and RC update done via USB drive. Since then the RC firmware is only updated via the DJI GO app.
And not every craft firmware version had an RC firmware update. For the P3 the current RC firmware is 1.6 (where the encryption of the transmission has also been changed).
RC firmware 1.6 is only compatible with craft firmware 1.8 or newer!!!
Thank you, I didn't know many of these facts. I will take a look at RC firmware.
In Ph3 Pro/Adv the hardware related to RF transmission is different than for Ph3 Std.
It would seem that transmission is configured by:
m1500 radio transmitter 'IG810 LB2_68013_TX'
and
m1600 radio receiver 'IG810 LB2_68013_RX ground'
I don't know whether these transmitters are visible from any other firmware as network interfaces.
I also don't know if the tx power is configurable within these firmwares directly, or sent to it from a more complex module.
EDIT: We now have wikis which explain what each hardware chip does, and what each FW module does.
> Yes, the change was with RC firmware 1.6 (C1_FW_v01.06.0000.bin) (DJI support confirmed this to me! They must do this because of local laws).
I compared C1_FW_V01.05.0080 and C1_FW_V01.06.0000. The only modules which are different between these versions are m1400 and m1401, which are MCUs for A and B remotes.
Will look in detail at this module.
mefistotelis: there seem to be lots of variables in mi09.bin; have you had any success defining any of them? And can you tell me what the FPGA ground module is?
Will arm_bin2elf.py work on RC firmware m1400/m1401?
Yes; but I'm not sure what the correct base address is. Without it, some pointers may lead to invalid locations. Maybe it's 0? Not sure, will figure it out later.
The ".bss" section should probably start at 0x10000000. Its size seems to extend to 0x50000000, but so much data would slow down any disassembler - I will try to select a narrower area.
> there seem to be lots of variables in mi09.bin; have you had any success defining any of them?

I'm not sure what you mean; you should ask about a specific mXXYY module.
> can you tell me what the FPGA ground module is?
I'm not sure what is the function of FPGAs used in the drone. I don't have much experience in analysing synthesised hardware programming; without debug symbols, it is very hard to grasp the purpose of the circuit. Hardware definition is something completely different than processor programming, even if the languages seem to look alike.
RC hacking update:
We don't know what information the RC receives to set output power:
- if it receives GPS coordinates, then the firmware must have definition of CE area
- if it receives simple "set CE mode" instruction, then CE area definition must be in the aircraft FW
Either way, since we know how the CE area is defined in the mobile app (for P3 Standard), we can expect that one of the firmware modules will have similar float/double numbers within. I believe this is the best starting point for getting the CE/FCC code - search for coordinates.
I tried looking at the RC firmware code directly, but this isn't easy - there are almost no debug messages which would allow locating points of interest.
@mefistotelis: thanks for the info. Who knows, maybe P3X and P3A obey that SetPowerMode command too :) I edited my DJI GO in the way I was talking about, but I have no resources to actually measure if it has any effect.
I can tell you I had a fly away at a really high altitude and I was 9,000ft away before I was losing signal, but I never totally lost it. Could someone use a multimeter to measure the mW from the antenna output?
Measured GL300A and B model radios, without GPS lock, both 0.72-0.76mW. I will measure again during the weekend, with GPS lock. Tested with RC 1.5.8 only; 1.7.6 doesn't seem to work with the 1.6 radio.
> 1.7.6 doesn't seem to work with the 1.6 radio
yeah, that's right RC FW 1.6 (and newer) is compatible only with AC FW 1.8 (and newer) and since you said you don't have Android phone, I doubt you'll be able to downgrade RC to 1.4.3 to test power output :-(
I prepared a list of places in C1_FW_V01.06.0000 which could store Europe coordinates. Now each of the matches needs to be checked.
How I made the list:
```sh
# Europe is around 71,-18 .. 27,50; match -19..0 and 0..69 with no exponent
ls -1 C1_FW_*.bin | xargs -I {} sh -c 'od -tfF -w4 {} | sed "s/^\(.*\)/{}: \1/g"' | grep '^.*: [0-9]*[ ]*\([1-6]\?[0-9]\|[-][1]\?[0-9]\)\([.][0-9]*\)\?$' | grep -v "^.*: [0-9]*[ ]*[-]\?0\([.][0-9]*\|\)$" > _match_f1.txt
ls -1 C1_FW_*.bin | xargs -I {} sh -c 'od -tfD -w8 -j0 {} | sed "s/^\(.*\)/{}: \1/g"' | grep '^.*: [0-9]*[ ]*\([1-6]\?[0-9]\|[-][1]\?[0-9]\)\([.][0-9]*\)\?$' | grep -v "^.*: [0-9]*[ ]*[-]\?0\([.][0-9]*\|\)$" > _match_d1.txt
ls -1 C1_FW_*.bin | xargs -I {} sh -c 'od -tfD -w8 -j4 {} | sed "s/^\(.*\)/{}: \1/g"' | grep '^.*: [0-9]*[ ]*\([1-6]\?[0-9]\|[-][1]\?[0-9]\)\([.][0-9]*\)\?$' | grep -v "^.*: [0-9]*[ ]*[-]\?0\([.][0-9]*\|\)$" > _match_d2.txt
# Now assuming lon lat coords are adjacent, let's find 71..27 and get one before and one after
grep -B1 -A1 '^.*: [0-9]*[ ]*[2-7][0-9]\([.][0-9]*\)\?$' _match_f1.txt > _match_f1b.txt
grep -B1 -A1 '^.*: [0-9]*[ ]*[2-7][0-9]\([.][0-9]*\)\?$' _match_d1.txt > _match_d1b.txt
grep -B1 -A1 '^.*: [0-9]*[ ]*[2-7][0-9]\([.][0-9]*\)\?$' _match_d2.txt > _match_d2b.txt
```
Files with the list of possible coords: _match_d1b.txt, _match_d2b.txt, _match_f1b.txt
interesting (and crazy linux commands :D )
Just remember that coordinates may be saved in different ways. In DJI GO, Europe is stored as (55.529627,15.702531,2824707), where the coordinates are double and the radius is int, but, for example, coordinates may be stored as long (and then divided by 1000000), or they can be stored in radian format, so 55.529627° = 0.969174823554.
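To check all the storage formats listed above at once (float/double degrees, int32 degrees*1e6, double radians) over one module file, here is an added Python scanner that generalises the od/grep pipeline from the earlier post. It is example code, not part of dji-firmware-tools; the module path is an assumption and the sample blob it builds is constructed, not real firmware.

```python
import math
import struct
import sys

# Search window: Europe spans roughly 27..71 N latitude and -19..50 E longitude,
# the same bounds the od/grep pipeline in the thread used.
LAT_RANGE = (27.0, 71.0)
LON_RANGE = (-19.0, 50.0)

# Candidate encodings for an adjacent (lat, lon) pair, as listed in the thread:
# plain float/double degrees, int32 degrees*1e6, and double radians.
DECODERS = [
    ("float32", "<ff", lambda a, b: (a, b)),
    ("float64", "<dd", lambda a, b: (a, b)),
    ("int32e6", "<ii", lambda a, b: (a / 1e6, b / 1e6)),
    ("rad64",   "<dd", lambda a, b: (math.degrees(a), math.degrees(b))),
]

def find_coord_pairs(data, step=1):
    """Return (offset, encoding, lat, lon) for every adjacent pair inside the window."""
    hits = []
    for name, fmt, conv in DECODERS:
        size = struct.calcsize(fmt)
        for off in range(0, len(data) - size + 1, step):
            lat, lon = conv(*struct.unpack_from(fmt, data, off))
            # NaN/inf compare False here, so garbage floats are dropped automatically.
            if LAT_RANGE[0] <= lat <= LAT_RANGE[1] and LON_RANGE[0] <= lon <= LON_RANGE[1]:
                hits.append((off, name, round(lat, 6), round(lon, 6)))
    return sorted(hits)

def sample_blob():
    """Constructed test image (not a real firmware): known pairs between filler bytes."""
    lat, lon = 55.529627, 15.702531  # the Europe centre quoted in the thread
    blob = b"\x00" * 8
    blob += struct.pack("<ff", lat, lon)                                # offset 8
    blob += b"\xff" * 8
    blob += struct.pack("<dd", lat, lon)                                # offset 24
    blob += b"\x00" * 8
    blob += struct.pack("<ii", round(lat * 1e6), round(lon * 1e6))     # offset 48
    blob += b"\xff" * 8
    blob += struct.pack("<dd", math.radians(lat), math.radians(lon))   # offset 64
    return blob + b"\x00" * 8

if __name__ == "__main__":
    # Pass a module file (e.g. one extracted from C1_FW_V01.06.0000) or run on the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_blob()
    for off, name, lat, lon in find_coord_pairs(data):
        print(f"0x{off:08x} {name:8} lat={lat:<12} lon={lon}")
```

Scanning at step=1 catches unaligned data but yields a few false positives on a multi-megabyte module; each hit still needs to be checked in the disassembly, as the earlier post says.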
Also thought this might be useful.. DJI PHANTOM 3 PROFESSIONAL HASHES AND PASSWORDS
UPDATE: ftp password is cracked: admin999
Some hashes and passwords:
- System access:
root, ftp, default and a8sdk have access to /bin/sh
- Wireless networks:
ESSID=Amba_AP PASSWORD=PWFORAMBA
ESSID=amba_boss PASSWORD=1234567890
P.S. Wi-Fi channel is number 5
ifconfig wlan0 192.168.42.1 …dhcp-range=192.168.42.2,192.168.42.6
Have a safe flight! ;-)
@FERRARIPT what would be involved in making the latest DJI GO app send all the parameters like 2.4?
@notsolowki: I don't know if I would be able to hack DJI GO 3 in such a way. In 2.4.3, there is one class (dji\pilot\fpv\stage\cs) with an onClick method, and according to the clicked button it does some actions; if "Reset All Settings" is clicked, there are some checks and in the end the DataFlycResetParams class sends the command to the AC.
However, in 3.0.1, every button has its own class and onClick method (fortunately?). A class for the "Reset All Settings" button exists (dji\setting\ui\flyc\ResetView), but it's not used. Maybe I could redirect actions from here to another button, and the most similar button (I mean with a similar class structure) is ClearFlightLogsButton,
but I can't guarantee it will work.
I still think the easiest way is to use DJI GO 2 with the existing "Reset All Settings" button.
someone pointed this out to me
There are a lot of FDI things, freqs, max. FCC IDs (all FCC IDs start with FDI), so I think this is the way to get more power out (dB/mW)? As you might know, when e.g. the Inspire 1 controller is hooked to the I1, measuring its power, it's WAY better than the same remote linked to the P3P (same remote, same FW, just a different pairing process which adjusts the output).
There is one interesting number..
"defaultValue" : 0.150000, "name" : "g_config.fdi.max_ctrl_frequency_power_0"
This is what i think it will affect..
https://dl.dropboxusercontent.com/u/1177154/phantompilots/p3p/Video 06-02-2017, 16.28.33.mov
I have left work already; I will test tomorrow to see if it "handshakes" with more power when the number is more than 0.15. What do you think?
> "name" : "g_config.fdi.max_ctrl_frequency_power_0"
Sounds promising. I will check it in the code.
EDIT: checked. The value does not seem to be used for any computations in the flight controller itself, so it is possible it's used for another module.
Does that mean it could change the output power?
It could. This means the value isn't used by the flight controller directly, but this also means its value is not set by flight controller based on home point. It would be best to check by experiment.
I have a change which I need to test as part of developing the FCC hack.
I need someone with RF Power Meter to test it. If there's anyone interested, please give me a firmware version you prefer.
There is a chance of bricking your RC with this; I will do my best to verify it on my end, but still, volunteer takes the risk. Anyone interested?
Upload version 1.5.8. Thanks,
I'm from Europe (CE mode), able to measure directly from the RC, GL300A and B versions. I can test 1.5.8 if needed.
Here's the modification in two firmwares: C1_FW_V01.05.0080 and C1_FW_V01.06.0000. DL link: https://mega.nz/#!hcV0URSB!GauZgmpVWEF3Hf8d5N0NPtjSjQT4IcoAPJa3Fs7J9Lg
What is modified:
```sh
xxd -p -c1024 C1_FW_V01.06.0000_mi06.bin | \
  sed 's/\(00b5..4.85b0\)\(c17a\)\(..71017ac1f34112022a..d141f0800101720021\)/\10121\3/' | \
  xxd -r -p -c1024 > C1_FW_V01.06.0000_mi06-mod.bin
xxd -p -c1024 C1_FW_V01.05.0080_mi06.bin | \
  sed 's/\(00b5..4.85b0\)\(c17a\)\(..71017ac1f34112022a..d141f0800101720021\)/\10121\3/' | \
  xxd -r -p -c1024 > C1_FW_V01.05.0080_mi06-mod.bin
```
In assembly:
```
 85 B0    SUB   SP, SP, #0x14
-C1 7A    LDRB  R1, [R0,#0xB]
+01 21    MOVS  R1, #1
 91 71    STRB  R1, [R2,#(zone_is_fcc - 0x100005E8)]
 01 7A    LDRB  R1, [R0,#8]
```
New to Android and can't currently do this with iOS. What's the location where the GO app downloads these files before up/downgrade, so I can replace it with a new one?
> What's the location where the GO app downloads these files before up/downgrade, so I can replace it with a new one?
was mentioned here
@ferraript
Under /Android/ I have only 3 directories: data, media and obb. So not there, or I need a rooted device to view those folders, idk. Time to get some sleep; I will try another device tomorrow, which I believe I can root. Can't root this one :(
No, it's just written in a specific way :D It's on the internal SD card, in DJI/dji.pilot/package.
Oh ok, what kind of way is that, to give a directory that actually exists but is wrong lol. Downgrading now.