Search the Community
Showing results for tags 'dji fcc'.
-
DJI Configs parser, for FCC and 32 channel and other stuff
微风小杨 posted a topic in Community Projects
Edit: According to Marcocappe 's feedback, the config i made doesn't work on ios but some other ios config works. By analysis the file i see only 2 major differences: the file length and the byte 47 in order to determine what is the key for ios parser to work, i create 2 other configs for test purpose(all with SDR boost) https://pan.baidu.com/s/1kV3KWlD 1 is with byte 47, 2 is with byte 47 and file length extended It's regret that I still dont get an IOS device for test yet ... so anybody's help would be much grateful. By far what i can confirm is that the config does no boost on P3A app 3.1.5 fw 1.10.090, neither direct sdr function calls. And mavic pro does work on 550 fw and 4.0.7 and some other versions, all test on android Hello guys this's my recent discovery Dji go uses configs, Most people knows how to enable 32 channel but there are hidden functions. I checked in the app, follow the DJI parser and create this config file, this will force the dji drone to run in FCC mode(still getting the list), and also, 32 channels for phantom and inspire This is the android config parser located in dji.pilot.publics.c.a public static void a(Context paramContext) { int i = 1; File localFile = new File(paramContext.getExternalFilesDir(null), f); if (!localFile.exists()) label25: return; dji.pilot.c.a.j = 0; while (true) { int j; try { RandomAccessFile localRandomAccessFile = new RandomAccessFile(localFile, "r"); localRandomAccessFile.seek(36L); if (localRandomAccessFile.readInt() != i) break label178; j = i; label59: a = j; localRandomAccessFile.skipBytes(2); int k = localRandomAccessFile.readShort(); if ((k < 0) || (k > 2)) break label184; dji.pilot.c.a.j = k; label92: localRandomAccessFile.skipBytes(5); int l = localRandomAccessFile.readByte(); if ((l & 0x1) == 0) break label201; i1 = i; b = i1; if ((l & 0x2) == 0) break label207; i2 = i; c = i2; if ((l & 0x4) == 0) break label213; i3 = i; d = i3; if ((l & 0x8) == 0) break label219; e = i; label178: label184: localRandomAccessFile.close(); } catch (FileNotFoundException localFileNotFoundException) { localFileNotFoundException.printStackTrace(); break label25: j = 0; break label59: dji.pilot.c.a.j = 0; break label92: } catch (IOException localIOException) { localIOException.printStackTrace(); } break label25: label201: int i1 = 0; continue; label207: int i2 = 0; continue; label213: int i3 = 0; continue; label219: i = 0; } i've done a research of all the variables, and know a is "isopenallchannel", dji.pilot.c.a.j is a switch for different upgrade url, b,c,d,e are sdr flags private void x() { if (dji.pilot.publics.c.a.b) { DataOsdSetSdrAssitantWrite localDataOsdSetSdrAssitantWrite1 = new DataOsdSetSdrAssitantWrite(); localDataOsdSetSdrAssitantWrite1.a().start(null); localDataOsdSetSdrAssitantWrite1.join(); } if (dji.pilot.publics.c.a.c) { DataOsdSetSdrForceBoost localDataOsdSetSdrForceBoost = new DataOsdSetSdrForceBoost(); localDataOsdSetSdrForceBoost.start(null); localDataOsdSetSdrForceBoost.join(); } if (dji.pilot.publics.c.a.d) { DataOsdSetSdrAssitantWrite localDataOsdSetSdrAssitantWrite2 = new DataOsdSetSdrAssitantWrite(); localDataOsdSetSdrAssitantWrite2.b().start(null); localDataOsdSetSdrAssitantWrite2.join(); } if (!dji.pilot.publics.c.a.e) return; DataOsdSetSdrAssitantWrite localDataOsdSetSdrAssitantWrite3 = new DataOsdSetSdrAssitantWrite(); localDataOsdSetSdrAssitantWrite3.c().start(null); localDataOsdSetSdrAssitantWrite3.join(); } b and c represent force FCC and force SDR boost, d/e currently unknown. in my config opens b, in sdr boost config opens c update: this is the IOS config parser decompiled // DJIAppSettings - (void)loadDJICfg void __cdecl -[DJIAppSettings loadDJICfg](struct DJIAppSettings *self, SEL a2) { struct DJIAppSettings *v2; // r10@1 int v3; // r0@1 int v4; // r0@1 int v5; // r5@1 int v6; // r0@1 struct DJICameraSettingObject *v7; // r4@1 int v8; // r0@1 int v9; // r0@1 int v10; // r6@1 int v11; // r1@2 int v12; // r0@3 int v13; // r1@5 int v14; // r0@6 int v15; // r1@8 int v16; // r0@9 int v17; // r0@9 signed int v18; // r0@10 int v19; // r1@13 int v20; // r0@14 int v21; // r1@16 int v22; // r0@17 int v23; // r1@19 int v24; // r0@20 char v25; // r5@20 SEL v26; // r1@28 char v27; // r2@28 int v28; // r3@28 int v29; // [sp+2Ch] [bp+8h]@0 v2 = self; v3 = j__objc_msgSend(&OBJC_CLASS___DJIFileHelper, "fetchDocumentPath"); v4 = j__objc_retainAutoreleasedReturnValue(v3); v5 = v4; v6 = j__objc_msgSend(v4, "stringByAppendingPathComponent:"); v7 = (struct DJICameraSettingObject *)j__objc_retainAutoreleasedReturnValue(v6); j__objc_release(v5); v8 = j__objc_msgSend(&OBJC_CLASS___NSData, "dataWithContentsOfFile:"); v9 = j__objc_retainAutoreleasedReturnValue(v8); v10 = v9; if ( v9 ) { v2->_canUseIllegalChannels = 0; v2->_mfiDisable = 0; v2->_firmwareServiceType = 0; v2->_limitCameraRecordingTime = 1; v2->_simulatorInternalDisable = 0; if ( (unsigned int)j__objc_msgSend(v9, "length") >= 0x29 ) { v12 = j__objc_retainAutorelease(v10, v11); if ( *(_BYTE *)(j__objc_msgSend(v12, "bytes") + 39) == 1 ) v2->_canUseIllegalChannels = 1; } if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x2A ) { v14 = j__objc_retainAutorelease(v10, v13); if ( *(_BYTE *)(j__objc_msgSend(v14, "bytes") + 40) == 1 ) v2->_mfiDisable = 1; } if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x2D ) { v16 = j__objc_retainAutorelease(v10, v15); v17 = *(_BYTE *)(j__objc_msgSend(v16, "bytes") + 43); if ( v17 == 2 ) v18 = 2; else v18 = v17 == 1; v2->_firmwareServiceType = v18; } if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x2E ) { v20 = j__objc_retainAutorelease(v10, v19); if ( *(_BYTE *)(j__objc_msgSend(v20, "bytes") + 44) == 1 ) v2->_limitCameraRecordingTime = 0; } if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x2F ) { v22 = j__objc_retainAutorelease(v10, v21); if ( *(_BYTE *)(j__objc_msgSend(v22, "bytes") + 45) == 1 ) v2->_simulatorInternalDisable = 1; } if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x31 ) { v24 = j__objc_retainAutorelease(v10, v23); v25 = *(_BYTE *)(j__objc_msgSend(v24, "bytes") + 48); if ( v25 & 1 ) j__objc_msgSend(v2, "setSdr_force_fcc:"); if ( v25 & 2 ) j__objc_msgSend(v2, "setSdr_force_boost:"); if ( v25 & 4 ) j__objc_msgSend(v2, "setSdr_force_2_3_G:"); if ( v25 & 8 ) j__objc_msgSend(v2, "setSdr_force_2_5_G:"); } } j__objc_release(v10); j_j__objc_release_1(v7, v26, v27, v28, v29); } I only see a different that the SDR config byte is byte 48, while in android it's byte 49. The ios config has some extra flags for useless purpose. Then i don't know why ios doesn't work, for I have already set the byte 48 the same as byte 49 on android. Here is something new I found on DJISDRBoostLogic on IOS: if ( j__objc_msgSend(&OBJC_CLASS___DJIProductManager, "currentProductCode") == 13 || j__objc_msgSend(&OBJC_CLASS___DJIProductManager, "currentProductCode") == 21 ) { v2 = j__objc_msgSend(&OBJC_CLASS___DJIAppSettings, "instance"); v3 = (struct DJICameraSettingObject *)j__objc_retainAutoreleasedReturnValue(v2); if ( j__objc_msgSend(v3, "sdr_force_fcc") ) { v4 = j__objc_msgSend(&OBJC_CLASS___DJISDRParamWritePack, "alloc"); v5 = j__objc_msgSend(v4, "initRequestFromGround:target:addr:dataType:data:"); v6 = j__objc_msgSend(&OBJC_CLASS___DJIPackManager, "sharedInstance"); v7 = j__objc_retainAutoreleasedReturnValue(v6); j__objc_msgSend(v7, "sendPack:option:completion:"); j__objc_release(v7); j__objc_release(v5); } if ( j__objc_msgSend(v3, "sdr_force_boost") ) { v8 = j__objc_msgSend(&OBJC_CLASS___DJIOFDMPack, "alloc"); v9 = j__objc_msgSend(v8, "initRequest"); v10 = v9; v11 = j__objc_msgSend(v9, "extHeader"); *(_BYTE *)(v11 + 1) = *(_BYTE *)(v11 + 1) & 0xE0 | 9; *(_BYTE *)(j__objc_msgSend(v10, "extHeader") + 5) = 9; *(_BYTE *)(j__objc_msgSend(v10, "extHeader") + 6) = 60; v12 = j__objc_msgSend(&OBJC_CLASS___DJIPackManager, "sharedInstance"); v13 = j__objc_retainAutoreleasedReturnValue(v12); j__objc_msgSend(v13, "sendPack:completion:"); j__objc_release(v13); j__objc_release(v10); } .... It seems that the DJISDRBoostLogic works only for Product code 13 & 21, that is KumquatX (Mavic Pro) and KumquatL (Mavic unknown) For a conclusion , The config bytes are arranges as follows: Use All Channel(Int) unused 2 FirmwareUrl(short) unused 5 Sdr cfg for Android: [36 bytes unused] 00 00 00 01 00 00 00 00 00 00 00 00 00 01 unused 3 Use All Channel(Byte) mfi unused 2 FirmwareUrl(Byte) CameraRec simulator unused 2 Sdr cfg unused for IOS: [36 bytes unused] 00 00 00 01 00 00 00 00 00 00 00 00 01 00 The firmware url is a selection of these url arrayOfString1[0] = "https://upgrade.bgcentre.com/links/links/pilot_v2"; arrayOfString1[1] = "http://upgrade.dj2006.net/redirect/links/GO_Test"; arrayOfString1[2] = "http://upgrade.dj2006.net/redirect/links/GO_Debug"; not know extactly if these are upgrade url Sdr cfg is a byte with sdr flags, 0x01 is Sdr Force FCC 0x02 is Sdr Force Boost 0x04 is Sdr Force 2 3 (dont know what really mean, 2.3Ghz?) 0x08 is Sdr Force 2 5 (dont know what really mean, 2.5Ghz?) on IOS sdr cfg , by looking at the code , seems only work for Mavic (still not test yet) I uploaded to baidu think maybe you can download too http://pan.baidu.com/s/1pKZP8K For android dji go, put .DJI.Configs into /Android/data/dji.pilot/files/ For android dji go 4, put .DJI.Configs into /Android/data/dji.go.v4/files/ For ios, put this into related DJI app, not test on IOS but I think it might also work The SDR boost version can be found here, try at your own risk for this have unknown side effect for your device download http://pan.baidu.com/s/1miDRrrq password: 7dbz