Showing results for tags 'dji fcc'.

Found 1 result

  1. Edit: According to Marcocappe's feedback, the config I made doesn't work on iOS, but some other iOS config works. By analysing the file I see only 2 major differences: the file length and byte 47.

In order to determine what is the key for the iOS parser to work, I created 2 other configs for test purposes (all with SDR boost): https://pan.baidu.com/s/1kV3KWlD

1 is with byte 47, 2 is with byte 47 and file length extended.

Regrettably I still don't have an iOS device to test with yet ... so anybody's help would be much appreciated.

So far what I can confirm is that the config does no boost on P3A app 3.1.5 fw 1.10.090, and neither do direct SDR function calls. And Mavic Pro does work on 550 fw and 4.0.7 and some other versions, all tested on Android.

Hello guys, this is my recent discovery.

DJI GO uses configs. Most people know how to enable 32 channels, but there are hidden functions. I checked in the app, followed the DJI parser and created this config file. This will force the DJI drone to run in FCC mode (still getting the list), and also 32 channels for Phantom and Inspire.

This is the Android config parser, located in dji.pilot.publics.c.a:

```java
// Decompiler output, kept as posted (the label/break flow does not compile as-is).
public static void a(Context paramContext) {
    int i = 1;
    File localFile = new File(paramContext.getExternalFilesDir(null), f);
    if (!localFile.exists())
        label25: return;
    dji.pilot.c.a.j = 0;
    while (true) {
        int j;
        try {
            RandomAccessFile localRandomAccessFile = new RandomAccessFile(localFile, "r");
            localRandomAccessFile.seek(36L);
            if (localRandomAccessFile.readInt() != i) break label178;
            j = i;
            label59: a = j;
            localRandomAccessFile.skipBytes(2);
            int k = localRandomAccessFile.readShort();
            if ((k < 0) || (k > 2)) break label184;
            dji.pilot.c.a.j = k;
            label92: localRandomAccessFile.skipBytes(5);
            int l = localRandomAccessFile.readByte();
            if ((l & 0x1) == 0) break label201;
            i1 = i;
            b = i1;
            if ((l & 0x2) == 0) break label207;
            i2 = i;
            c = i2;
            if ((l & 0x4) == 0) break label213;
            i3 = i;
            d = i3;
            if ((l & 0x8) == 0) break label219;
            e = i;
            label178: label184: localRandomAccessFile.close();
        } catch (FileNotFoundException localFileNotFoundException) {
            localFileNotFoundException.printStackTrace();
            break label25:
            j = 0;
            break label59:
            dji.pilot.c.a.j = 0;
            break label92:
        } catch (IOException localIOException) {
            localIOException.printStackTrace();
        }
        break label25:
        label201: int i1 = 0;
        continue;
        label207: int i2 = 0;
        continue;
        label213: int i3 = 0;
        continue;
        label219: i = 0;
    }
}
```

I've done research on all the variables, and know a is "isopenallchannel", dji.pilot.c.a.j is a switch for different upgrade URLs, and b, c, d, e are SDR flags.

```java
private void x() {
    if (dji.pilot.publics.c.a.b) {
        DataOsdSetSdrAssitantWrite localDataOsdSetSdrAssitantWrite1 = new DataOsdSetSdrAssitantWrite();
        localDataOsdSetSdrAssitantWrite1.a().start(null);
        localDataOsdSetSdrAssitantWrite1.join();
    }
    if (dji.pilot.publics.c.a.c) {
        DataOsdSetSdrForceBoost localDataOsdSetSdrForceBoost = new DataOsdSetSdrForceBoost();
        localDataOsdSetSdrForceBoost.start(null);
        localDataOsdSetSdrForceBoost.join();
    }
    if (dji.pilot.publics.c.a.d) {
        DataOsdSetSdrAssitantWrite localDataOsdSetSdrAssitantWrite2 = new DataOsdSetSdrAssitantWrite();
        localDataOsdSetSdrAssitantWrite2.b().start(null);
        localDataOsdSetSdrAssitantWrite2.join();
    }
    if (!dji.pilot.publics.c.a.e) return;
    DataOsdSetSdrAssitantWrite localDataOsdSetSdrAssitantWrite3 = new DataOsdSetSdrAssitantWrite();
    localDataOsdSetSdrAssitantWrite3.c().start(null);
    localDataOsdSetSdrAssitantWrite3.join();
}
```

b and c represent force FCC and force SDR boost, d/e currently unknown.
My config opens b, the SDR boost config opens c.

Update: this is the iOS config parser, decompiled:

```c
// DJIAppSettings - (void)loadDJICfg
void __cdecl -[DJIAppSettings loadDJICfg](struct DJIAppSettings *self, SEL a2)
{
  struct DJIAppSettings *v2; // r10@1
  int v3; // r0@1
  int v4; // r0@1
  int v5; // r5@1
  int v6; // r0@1
  struct DJICameraSettingObject *v7; // r4@1
  int v8; // r0@1
  int v9; // r0@1
  int v10; // r6@1
  int v11; // r1@2
  int v12; // r0@3
  int v13; // r1@5
  int v14; // r0@6
  int v15; // r1@8
  int v16; // r0@9
  int v17; // r0@9
  signed int v18; // r0@10
  int v19; // r1@13
  int v20; // r0@14
  int v21; // r1@16
  int v22; // r0@17
  int v23; // r1@19
  int v24; // r0@20
  char v25; // r5@20
  SEL v26; // r1@28
  char v27; // r2@28
  int v28; // r3@28
  int v29; // [sp+2Ch] [bp+8h]@0

  v2 = self;
  v3 = j__objc_msgSend(&OBJC_CLASS___DJIFileHelper, "fetchDocumentPath");
  v4 = j__objc_retainAutoreleasedReturnValue(v3);
  v5 = v4;
  v6 = j__objc_msgSend(v4, "stringByAppendingPathComponent:");
  v7 = (struct DJICameraSettingObject *)j__objc_retainAutoreleasedReturnValue(v6);
  j__objc_release(v5);
  v8 = j__objc_msgSend(&OBJC_CLASS___NSData, "dataWithContentsOfFile:");
  v9 = j__objc_retainAutoreleasedReturnValue(v8);
  v10 = v9;
  if ( v9 )
  {
    v2->_canUseIllegalChannels = 0;
    v2->_mfiDisable = 0;
    v2->_firmwareServiceType = 0;
    v2->_limitCameraRecordingTime = 1;
    v2->_simulatorInternalDisable = 0;
    if ( (unsigned int)j__objc_msgSend(v9, "length") >= 0x29 )
    {
      v12 = j__objc_retainAutorelease(v10, v11);
      if ( *(_BYTE *)(j__objc_msgSend(v12, "bytes") + 39) == 1 )
        v2->_canUseIllegalChannels = 1;
    }
    if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x2A )
    {
      v14 = j__objc_retainAutorelease(v10, v13);
      if ( *(_BYTE *)(j__objc_msgSend(v14, "bytes") + 40) == 1 )
        v2->_mfiDisable = 1;
    }
    if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x2D )
    {
      v16 = j__objc_retainAutorelease(v10, v15);
      v17 = *(_BYTE *)(j__objc_msgSend(v16, "bytes") + 43);
      if ( v17 == 2 )
        v18 = 2;
      else
        v18 = v17 == 1;
      v2->_firmwareServiceType = v18;
    }
    if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x2E )
    {
      v20 = j__objc_retainAutorelease(v10, v19);
      if ( *(_BYTE *)(j__objc_msgSend(v20, "bytes") + 44) == 1 )
        v2->_limitCameraRecordingTime = 0;
    }
    if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x2F )
    {
      v22 = j__objc_retainAutorelease(v10, v21);
      if ( *(_BYTE *)(j__objc_msgSend(v22, "bytes") + 45) == 1 )
        v2->_simulatorInternalDisable = 1;
    }
    if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x31 )
    {
      v24 = j__objc_retainAutorelease(v10, v23);
      v25 = *(_BYTE *)(j__objc_msgSend(v24, "bytes") + 48);
      if ( v25 & 1 )
        j__objc_msgSend(v2, "setSdr_force_fcc:");
      if ( v25 & 2 )
        j__objc_msgSend(v2, "setSdr_force_boost:");
      if ( v25 & 4 )
        j__objc_msgSend(v2, "setSdr_force_2_3_G:");
      if ( v25 & 8 )
        j__objc_msgSend(v2, "setSdr_force_2_5_G:");
    }
  }
  j__objc_release(v10);
  j_j__objc_release_1(v7, v26, v27, v28, v29);
}
```

I only see one difference: the SDR config byte is byte 48, while on Android it's byte 49. The iOS config has some extra flags for useless purposes. So I don't know why iOS doesn't work, since I have already set byte 48 the same as byte 49 on Android.
Here is something new I found in DJISDRBoostLogic on iOS:

```c
if ( j__objc_msgSend(&OBJC_CLASS___DJIProductManager, "currentProductCode") == 13
  || j__objc_msgSend(&OBJC_CLASS___DJIProductManager, "currentProductCode") == 21 )
{
  v2 = j__objc_msgSend(&OBJC_CLASS___DJIAppSettings, "instance");
  v3 = (struct DJICameraSettingObject *)j__objc_retainAutoreleasedReturnValue(v2);
  if ( j__objc_msgSend(v3, "sdr_force_fcc") )
  {
    v4 = j__objc_msgSend(&OBJC_CLASS___DJISDRParamWritePack, "alloc");
    v5 = j__objc_msgSend(v4, "initRequestFromGround:target:addr:dataType:data:");
    v6 = j__objc_msgSend(&OBJC_CLASS___DJIPackManager, "sharedInstance");
    v7 = j__objc_retainAutoreleasedReturnValue(v6);
    j__objc_msgSend(v7, "sendPack:option:completion:");
    j__objc_release(v7);
    j__objc_release(v5);
  }
  if ( j__objc_msgSend(v3, "sdr_force_boost") )
  {
    v8 = j__objc_msgSend(&OBJC_CLASS___DJIOFDMPack, "alloc");
    v9 = j__objc_msgSend(v8, "initRequest");
    v10 = v9;
    v11 = j__objc_msgSend(v9, "extHeader");
    *(_BYTE *)(v11 + 1) = *(_BYTE *)(v11 + 1) & 0xE0 | 9;
    *(_BYTE *)(j__objc_msgSend(v10, "extHeader") + 5) = 9;
    *(_BYTE *)(j__objc_msgSend(v10, "extHeader") + 6) = 60;
    v12 = j__objc_msgSend(&OBJC_CLASS___DJIPackManager, "sharedInstance");
    v13 = j__objc_retainAutoreleasedReturnValue(v12);
    j__objc_msgSend(v13, "sendPack:completion:");
    j__objc_release(v13);
    j__objc_release(v10);
  }
  ....
```
It seems that the DJISDRBoostLogic works only for product codes 13 & 21, that is KumquatX (Mavic Pro) and KumquatL (Mavic unknown).

In conclusion, the config bytes are arranged as follows.

For Android:

    [36 bytes unused] | Use All Channel (Int) | unused 2 | FirmwareUrl (short) | unused 5       | Sdr cfg
                      | 00 00 00 01           | 00 00    | 00 00               | 00 00 00 00 00 | 01

For iOS:

    [36 bytes unused] | unused 3 | Use All Channel (Byte) | mfi | unused 2 | FirmwareUrl (Byte) | CameraRec | simulator | unused 2 | Sdr cfg | unused
                      | 00 00 00 | 01                     | 00  | 00 00    | 00                 | 00        | 00        | 00 00    | 01      | 00

The firmware URL is a selection of these URLs:

```java
arrayOfString1[0] = "https://upgrade.bgcentre.com/links/links/pilot_v2";
arrayOfString1[1] = "http://upgrade.dj2006.net/redirect/links/GO_Test";
arrayOfString1[2] = "http://upgrade.dj2006.net/redirect/links/GO_Debug";
```

I don't know exactly if these are upgrade URLs.

Sdr cfg is a byte with SDR flags:

  • 0x01 is Sdr Force FCC
  • 0x02 is Sdr Force Boost
  • 0x04 is Sdr Force 2 3 (don't know what it really means, 2.3 GHz?)
  • 0x08 is Sdr Force 2 5 (don't know what it really means, 2.5 GHz?)

On iOS the sdr cfg, by looking at the code, seems to only work for Mavic (still not tested yet).

I uploaded it to Baidu; I think maybe you can download it too: http://pan.baidu.com/s/1pKZP8K

  • For Android DJI GO, put .DJI.Configs into /Android/data/dji.pilot/files/
  • For Android DJI GO 4, put .DJI.Configs into /Android/data/dji.go.v4/files/
  • For iOS, put this into the related DJI app; not tested on iOS, but I think it might also work.

The SDR boost version can be found here; try at your own risk, for this has unknown side effects for your device. Download: http://pan.baidu.com/s/1miDRrrq password: 7dbz