singlag Posted June 26, 2017 Share Posted June 26, 2017 18 minutes ago, MavproxyUser said: As I recall it... they have progressively added *checks* as the versions went on. With regard to the connection time outs and such, that is your big hint right there for the other versions. Have you considered using Wireshark to see what DJI Assistant wants to talk to *before* giving you access to the unlocked menus? It does vary across versions with regard to what those pre-requisite connections, or interactions may be. Another hint is to try running the program from the console... (older versions were WAY more chatty than newer ones). I assume you noticed it hangs looking for *something* very specific, see if you can spot it here. THIS trick is pretty well "burned" seems more and more people figured it out. $ /Applications/Assistant_1_0_4.app/Contents/MacOS/Assistant --debugger 2017-06-26 14:10:23.670 Assistant[1928:56248989] kCFURLVolumeIsAutomountedKey missing for file:///private/tmp/b/: Error Domain=NSCocoaErrorDomain Code=260 "The file “b” couldn’t be opened because there is no such file." UserInfo={NSURL=file:///private/tmp/b/, NSFilePath=/private/tmp/b, NSUnderlyingError=0x7fd241416cd0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}} 2017-06-26 14:10:23.671 Assistant[1928:56248989] kCFURLVolumeIsAutomountedKey missing for file:///private/tmp/a/: Error Domain=NSCocoaErrorDomain Code=260 "The file “a” couldn’t be opened because there is no such file." UserInfo={NSURL=file:///private/tmp/a/, NSFilePath=/private/tmp/a, NSUnderlyingError=0x7fd241603af0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}} PING swsf.djicorp.com (198.105.254.130): 56 data bytes --- swsf.djicorp.com ping statistics --- 1 packets transmitted, 0 packets received, 100.0% packet loss 2017_05_27@22_38_01 - Sat May 27 22:38:01 2017 [ 30] reserved 2017_05_28@00_40_16 - Sun May 28 00:40:16 2017 [ 29] reserved 2017_05_29@21_22_07 - Mon May 29 21:22:07 2017 [ 28] reserved 2017_06_01@12_05_46 - Thu Jun 1 12:05:46 2017 [ 25] reserved 2017_06_01@12_06_41 - Thu Jun 1 12:06:41 2017 [ 25] reserved 2017_06_01@12_09_35 - Thu Jun 1 12:09:35 2017 [ 25] reserved 2017_06_02@13_27_13 - Fri Jun 2 13:27:13 2017 [ 24] reserved 2017_06_02@13_30_34 - Fri Jun 2 13:30:34 2017 [ 24] reserved 2017_06_02@13_48_07 - Fri Jun 2 13:48:07 2017 [ 24] reserved 2017_06_02@13_48_50 - Fri Jun 2 13:48:50 2017 [ 24] reserved 2017_06_02@13_49_26 - Fri Jun 2 13:49:26 2017 [ 24] reserved 2017_06_02@13_49_44 - Fri Jun 2 13:49:44 2017 [ 24] reserved 2017_06_02@13_51_34 - Fri Jun 2 13:51:34 2017 [ 24] reserved 2017_06_02@13_51_47 - Fri Jun 2 13:51:47 2017 [ 24] reserved 2017_06_02@16_35_52 - Fri Jun 2 16:35:52 2017 [ 24] reserved 2017_06_02@16_56_49 - Fri Jun 2 16:56:49 2017 [ 24] reserved 2017_06_02@16_57_49 - Fri Jun 2 16:57:49 2017 [ 24] reserved 2017_06_02@16_58_15 - Fri Jun 2 16:58:15 2017 [ 24] reserved 2017_06_02@17_02_19 - Fri Jun 2 17:02:19 2017 [ 24] reserved 2017_06_04@12_49_31 - Sun Jun 4 12:49:31 2017 [ 22] reserved 2017_06_04@12_56_15 - Sun Jun 4 12:56:15 2017 [ 22] reserved 2017_06_04@12_58_12 - Sun Jun 4 12:58:12 2017 [ 22] reserved 2017_06_04@18_08_44 - Sun Jun 4 18:08:44 2017 [ 22] reserved 2017_06_04@18_10_02 - Sun Jun 4 18:10:02 2017 [ 22] reserved 2017_06_04@18_10_20 - Sun Jun 4 18:10:20 2017 [ 22] reserved 2017_06_04@18_11_16 - Sun Jun 4 18:11:16 2017 [ 22] reserved 2017_06_05@07_57_20 - Mon Jun 5 07:57:20 2017 [ 21] reserved 2017_06_05@08_57_29 - Mon Jun 5 08:57:29 2017 [ 21] reserved 2017_06_05@09_31_07 - Mon Jun 5 09:31:07 2017 [ 21] reserved 2017_06_05@12_48_21 - Mon Jun 5 12:48:21 2017 [ 21] reserved 2017_06_05@12_49_52 - Mon Jun 5 12:49:52 2017 [ 21] reserved 2017_06_05@12_55_33 - Mon Jun 5 12:55:33 2017 [ 21] reserved 2017_06_05@13_51_39 - Mon Jun 5 13:51:39 2017 [ 21] reserved 2017_06_05@14_07_27 - Mon Jun 5 14:07:27 2017 [ 21] reserved 2017_06_05@15_38_05 - Mon Jun 5 15:38:05 2017 [ 21] reserved 2017_06_05@15_43_37 - Mon Jun 5 15:43:37 2017 [ 21] reserved 2017_06_06@00_51_55 - Tue Jun 6 00:51:55 2017 [ 20] reserved 2017_06_06@09_50_06 - Tue Jun 6 09:50:06 2017 [ 20] reserved 2017_06_07@13_20_03 - Wed Jun 7 13:20:03 2017 [ 19] reserved 2017_06_18@00_17_56 - Sun Jun 18 00:17:56 2017 [ 8] reserved 2017_06_18@15_21_20 - Sun Jun 18 15:21:20 2017 [ 8] reserved 2017_06_20@10_10_08 - Tue Jun 20 10:10:08 2017 [ 6] reserved 2017_06_20@16_01_01 - Tue Jun 20 16:01:01 2017 [ 6] reserved 2017_06_21@13_02_48 - Wed Jun 21 13:02:48 2017 [ 5] reserved 2017_06_21@22_14_43 - Wed Jun 21 22:14:43 2017 [ 5] reserved 2017_06_21@22_16_41 - Wed Jun 21 22:16:41 2017 [ 5] reserved 2017_06_24@00_59_00 - Sat Jun 24 00:59:00 2017 [ 2] reserved 2017_06_26@14_02_45 - Mon Jun 26 14:02:45 2017 [ 0] reserved log:[dServer ] Service at19870 qt.network.ssl: QSslSocket: cannot resolve SSL_set_psk_client_callback qt.network.ssl: QSslSocket: cannot resolve TLSv1_1_client_method qt.network.ssl: QSslSocket: cannot resolve TLSv1_2_client_method qt.network.ssl: QSslSocket: cannot resolve TLSv1_1_server_method qt.network.ssl: QSslSocket: cannot resolve TLSv1_2_server_method qt.network.ssl: QSslSocket: cannot resolve SSL_select_next_proto qt.network.ssl: QSslSocket: cannot resolve SSL_CTX_set_next_proto_select_cb qt.network.ssl: QSslSocket: cannot resolve SSL_get0_next_proto_negotiated qt.network.ssl: QSslSocket: cannot call unresolved function SSL_get0_next_proto_negotiated log:[dServer ] 1 Connected <- root If you know the answer, just pipe up for the others that are tired of my riddles. =] thx, I will try on tomorrow, it is 2am at my timezone now :p Quote Link to comment Share on other sites More sharing options...
Kyokushin Posted June 26, 2017 Share Posted June 26, 2017 I have a suggestion - try to look google and other searchers for phantompilots archive posts. It may help a bit. Quote Link to comment Share on other sites More sharing options...
hotelzululima Posted June 26, 2017 Share Posted June 26, 2017 6 hours ago, MavJailBreak said: Using litchi ,Turning updates off and not upgrading firmware is a start nah with the last series of updates.. even at .400 firmware.. you were caught and forced to upgrade... btdt hzl Quote Link to comment Share on other sites More sharing options...
jan2642 Posted June 26, 2017 Share Posted June 26, 2017 2 hours ago, MavproxyUser said: Thanks for that... this seems to be interesting reading on the root of the subject. I was not familiar with it. https://segmentfault.com/a/1190000006087527 https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fsegmentfault.com%2Fa%2F1190000006087527&edit-text=&act=url He suggests a few ways to "patch" the cause of the issue. I skipped attempting to cross-compile an alternative linker and went for the binary patch, basically changing a branch instruction into a nop. I focused more on dji_sys since it has a reference to secure_debug.sh. It contains a list of test scripts with an index number, here are a few: 1 test_cpld.sh 2 test_mem.sh 3 test_flash.sh ... 19 test_enck.sh 20 secure_debug.sh ... 23 echo sucess (with typo) ... They are referenced by functions called sys_mp_test_xxx but I haven't figured out yet how to trigger those. I was thinking the --factory option to Assistant might help but in my version (1.1.0) it doesn't seem to do anything. Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted June 26, 2017 Author Share Posted June 26, 2017 4 minutes ago, jan2642 said: I skipped attempting to cross-compile an alternative linker and went for the binary patch, basically changing a branch instruction into a nop. I focused more on dji_sys since it has a reference to secure_debug.sh. It contains a list of test scripts with an index number, here are a few: 1 test_cpld.sh 2 test_mem.sh 3 test_flash.sh ... 19 test_enck.sh 20 secure_debug.sh ... 23 echo sucess (with typo) ... They are referenced by functions called sys_mp_test_xxx but I haven't figured out yet how to trigger those. I was thinking the --factory option to Assistant might help but in my version (1.1.0) it doesn't seem to do anything. Certainly an interesting rabbit hole to head down... I am off on the opposite end of the spectrum worried about the NFZ references in dji_flight ("nfz gps not reliable", "INIT DB", "LOAD DB"), and dji_vision ("nfz monitor", and "query_nfz") and such. See the notes above about how to coax that window into opening. Patching these may be a quick path to enlightenment. Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted June 26, 2017 Author Share Posted June 26, 2017 1 hour ago, Kyokushin said: I have a suggestion - try to look google and other searchers for phantompilots archive posts. It may help a bit. FWIW... I anticipated one of those threads getting eaten and preemptively added it to Achvive.is. The last page was archived 2 weeks ago though. https://archive.is/Ijk4Z Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted June 26, 2017 Author Share Posted June 26, 2017 15 minutes ago, jan2642 said: I skipped attempting to cross-compile an alternative linker and went for the binary patch, basically changing a branch instruction into a nop. Well played on that btw. I like the way you think. Quote Link to comment Share on other sites More sharing options...
Freaky123 Posted June 26, 2017 Share Posted June 26, 2017 Is there already someone who has tried to JTAG the FC arm chip? Or at least figured out the pinout? Or did someone already figure out if there is terminal over uart for the LC chip? Quote Link to comment Share on other sites More sharing options...
droner69 Posted June 26, 2017 Share Posted June 26, 2017 Here is a list of commands and parameters taken off of the mavic pro. Quote Link to comment Share on other sites More sharing options...
nickmv Posted June 26, 2017 Share Posted June 26, 2017 2 hours ago, hotelzululima said: nah with the last series of updates.. even at .400 firmware.. you were caught and forced to upgrade... btdt hzl Are you saying that the latest version of the App requires that you upgrade the firmware? If so, I'm totally not surprised --- typical DJI move of saying one thing and doing another. Quote Link to comment Share on other sites More sharing options...
nickmv Posted June 26, 2017 Share Posted June 26, 2017 Just joining this thread/forum after being a CopterSafe customer. My Mavic is experiencing the forced autolanding due to critical battery issue, like mentioned on a previous thread for I believe the P3P. Is this still a known issue? I was 3600ft up when it engaged --- almost shat my pants, but luckily got it down after 7-8 mins. Quote Link to comment Share on other sites More sharing options...
kariem112 Posted June 27, 2017 Share Posted June 27, 2017 3 hours ago, MavproxyUser said: FWIW... I anticipated one of those threads getting eaten and preemptively added it to Achvive.is. The last page was archived 2 weeks ago though. https://archive.is/Ijk4Z Not really ;) https://web.archive.org/web/20170624160235/http://mavicpilots.com/threads/how-to-exceed-max-altitude-for-mountain-flying.7592/page-14 Quote Link to comment Share on other sites More sharing options...
droner69 Posted June 27, 2017 Share Posted June 27, 2017 I have successfully gotten coptersafe's tool to work with differing hardware fingerprints using VM's to test, but I don't have another mavic to see if this method works with differing serial numbers. If someone could send me their coptersafe "full pack" binary and or name/keys, I can test the method to see if it works using my mavic's serial, and then hopefully create a patch/crack. Below is the sequence of events that the coptersafe "Mountain Pack - speed+atti" tool goes through to patch to the mavic. I used wireshark and usbpcap to get this info. His tool writes to the external EEPROM on FC. 0 $Vp`EHNH*DC4l*p`cSc5=p`PC-PC<MSFT 5.07 } $Vp`ZEH@O**CD4l*p`cSc56*local V[RC]handle_wristband_channel 0|0|0|0|0|0|0 W[RC]1 1 1 (0|0)|0 0e X[API]api_ctrl_health_flag 0 Z[SEND DATA][Info] [Pub] In last second 0 bytes data were sent1 Z[SEND DATA][Info] [Pub] In last second 0 bytes data were sent1 d[PITOT]dev diff press 0.0000004 [DEV]call:comm_recorder_data, block_id:5000, data_len:26` 6 216420 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1; B[FMU/LED]call set_forearm_led_status' v[OSD]display_mode 1P w[RC]wristbnad cnt 02 x[RC]handle_wristband_channel 0|0|0|0|0|0|0S y[RC]1 1 1 (0|0)|0 0 z[API]api_ctrl_health_flag 0 |[SEND DATA][Info] [Pub] In last second 0 bytes data were sent [DEV]call:comm_recorder_data, block_id:5000, data_len:26>9 =[FLYLIMIT]>>sending limit areas:[0] [OSD]display_mode 1E [RC]wristbnad cnt 0 [RC]handle_wristband_channel 0|0|0|0|0|0|0/ [RC]1 1 1 (0|0)|0 0B [API]api_ctrl_health_flag 0 t [SEND DATA][Info] [Pub] In last second 0 bytes data were sent - [PITOT]dev diff press 0.000000 <[DEV]call:comm_recorder_data, block_id:5000, data_len:26D8Ua$ z 216520 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1U3 [FMU/LED]call set_forearm_led_statussU" [OSD]display_mode 1U" [RC]wristbnad cnt 0 ` ,U,6*74WM220 AC Ver.AR, p 227477 [L-SYS]NAVI wm220 20170112|132359I 'NAVI wm220 20170112|1323594 p 227478 [L-SEND DATA]assistant connect changed:last(0) != current(1) XXXXXXXXXXXXXX" #(first 14 of mavic serial number) p[DEV]call:comm_recorder_data, block_id:5000, data_len:267 p[FLYLIMIT]>>sending limit areas:[0]s q[OSD]display_mode 1 q[RC]wristbnad cnt 0R q[RC]handle_wristband_channel 0|0|0|0|0|0|0 q[RC]1 1 1 (0|0)|0 0 q[API]api_ctrl_health_flag 0 3o q[SEND DATA][Info] [Pub] In last second 0 bytes data were sent &q[PITOT]dev diff press 0.000000q q 227520 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1Q r[FMU/LED]call set_forearm_led_statusl r[DEV]call:comm_recorder_data, block_id:5000, data_len:26 8s[OSD]display_mode 1* 9s[RC]wristbnad cnt 0 :s[RC]handle_wristband_channel 0|0|0|0|0|0|0 ;s[RC]1 1 1 (0|0)|0 0- <s[API]api_ctrl_health_flag 0 .M >s[SEND DATA][Info] [Pub] In last second 0 bytes data were sent>R u[DEV]call:comm_recorder_data, block_id:5000, data_len:262x Wu[OSD]display_mode 1# Xu[RC]wristbnad cnt 0 Yu[RC]handle_wristband_channel 0|0|0|0|0|0|0 Zu[RC]1 1 1 (0|0)|0 0] [u[API]api_ctrl_health_flag 0 { ]u[SEND DATA][Info] [Pub] In last second 0 bytes data were sent gu[PITOT]dev diff press 0.000000/V 8v 227620 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 Dv[FMU/LED]call set_forearm_led_statusu .w[DEV]call:comm_recorder_data, block_id:5000, data_len:26 yw[OSD]display_mode 1x1 zw[RC]wristbnad cnt 0 {w[RC]handle_wristband_channel 0|0|0|0|0|0|0 |w[RC]1 1 1 (0|0)|0 0 }w[API]api_ctrl_health_flag 0 Y w[SEND DATA][Info] [Pub] In last second 0 bytes data were sent_ My[DEV]call:comm_recorder_data, block_id:5000, data_len:26 y[OSD]display_mode 1D y[RC]wristbnad cnt 0M y[RC]handle_wristband_channel 0|0|0|0|0|0|08 y[RC]1 1 1 (0|0)|0 0R y[API]api_ctrl_health_flag 0 s y[SEND DATA][Info] [Pub] In last second 0 bytes data were sent y[PITOT]dev diff press 0.000000/G yz 227720 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 z[FMU/LED]call set_forearm_led_statush z 227728 [L-SEND DATA]assistant connect changed:last(1) != current(0) z 227728 [L-CFG]lock_assistant z 227728 [L-SEND DATA]lock assistant!W d{[FLYLIMIT]>>sending limit areas:[0] u{[DEV]call:comm_recorder_data, block_id:5000, data_len:26` {[OSD]display_mode 1 {[RC]wristbnad cnt 0Um {[RC]handle_wristband_channel 0|0|0|0|0|0|0@ {[RC]1 1 1 (0|0)|0 0 {[API]api_ctrl_health_flag 0 < {[SEND DATA][Info] [Pub] In last second 0 bytes data were sent/% `g $T33p``B2c<wpad 0;r ll$@^p`E2`*6<wpad `Z $\p`ENc**: FHFAEBEECACACACACACACACACACACAAA }[DEV]call:comm_recorder_data, block_id:5000, data_len:26D# }[OSD]display_mode 1(@ }[RC]wristbnad cnt 0 }[RC]handle_wristband_channel 0|0|0|0|0|0|0 }[RC]1 1 1 (0|0)|0 0_t }[API]api_ctrl_health_flag 0 Y\ }[SEND DATA][Info] [Pub] In last second 0 bytes data were sent }[PITOT]dev diff press 0.0000004 ~ 227820 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 ~[FMU/LED]call set_forearm_led_status `| $\p`ENc**: FHFAEBEECACACACACACACACACACACAAA [DEV]call:comm_recorder_data, block_id:5000, data_len:26k [OSD]display_mode 1 [RC]wristbnad cnt 0e [RC]handle_wristband_channel 0|0|0|0|0|0|0 [RC]1 1 1 (0|0)|0 0, [API]api_ctrl_health_flag 0 [SEND DATA][Info] [Pub] In last second 0 bytes data were sentn ` $\p`ENc**: FHFAEBEECACACACACACACACACACACAAA [DEV]call:comm_recorder_data, block_id:5000, data_len:26 [OSD]display_mode 1$2 ![RC]wristbnad cnt 0 "[RC]handle_wristband_channel 0|0|0|0|0|0|0 #[RC]1 1 1 (0|0)|0 025 $[API]api_ctrl_health_flag 0 &[SEND DATA][Info] [Pub] In last second 0 bytes data were sent 0[PITOT]dev diff press 0.000000*S 227920 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1e [FMU/LED]call set_forearm_led_statusSd [DEV]call:comm_recorder_data, block_id:5000, data_len:26 B[OSD]display_mode 1 C[RC]wristbnad cnt 0 D[RC]handle_wristband_channel 0|0|0|0|0|0|0| E[RC]1 1 1 (0|0)|0 0q7 F[API]api_ctrl_health_flag 0 H[SEND DATA][Info] [Pub] In last second 0 bytes data were sent; 227979 [L-CFG]unlock_assistantTH 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.flying_limit.limit_height_abs_without_gps 227979 [L-CFG]2500.000000 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.flying_limit.limit_height_absd 227979 [L-CFG]2500.000000 227979 [L-CFG][_var_set] save(var->addr)m 227979 [L-CFG]set g_config.flying_limit.limit_height_rel2 227979 [L-CFG]2500.000000M 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.flying_limit.height_limit_enabled_P 227979 [L-CFG]2h 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.mode_sport_cfg.tilt_atti_range 227979 [L-CFG]60.000000| 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.mode_sport_cfg.vert_vel_up 227979 [L-CFG]10.000000 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.mode_sport_cfg.vert_vel_downsU( 227979 [L-CFG]-10.000000U8*8 rXU8 227979 [L-CFG][_var_set] save(var->addr)?UE 227979 [L-CFG]set g_config.mode_sport_cfg.vert_acc_upg 227979 [L-CFG]10.000000dU8*8 ARUS 227980 [L-SEND DATA]assistant connect changed:last(0) != current(1)( 227980 [L-CFG][_var_set] save(var->addr)PJ 227980 [L-CFG]set g_config.mode_sport_cfg.vert_acc_downE 227980 [L-CFG]-10.000000 227980 [L-CFG][_var_set] save(var->addr)!AU; 227980 [L-CFG]set g_config.fw_cfg.max_speedU' 227980 [L-CFG]20.0000002nU8*CA 227985 [L-EMBEDDED]Eeprom write offset:2f8 9 ` eUe 227988 [L-GPS]<GPS INFO>[monitor][0][0]:lce:1,sfe:0,dit:80,fe:2,dynseed 912 cnt 912025 *[FLYLIMIT]>>sending limit areas:[0] 0 227993 [L-EMBEDDED]Eeprom write offset:458 b I[DEV]call:comm_recorder_data, block_id:5000, data_len:26] ` 227997 [L-EMBEDDED]Eeprom write offset:930 v [OSD]display_mode 1 [RC]wristbnad cnt 0M5 [RC]handle_wristband_channel 0|0|0|0|0|0|0X [RC]1 1 1 (0|0)|0 0 [API]api_ctrl_health_flag 0 s [SEND DATA][Info] [Pub] In last second 0 bytes data were sent [PITOT]dev diff press 0.0000001( i 228020 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1= u[FMU/LED]call set_forearm_led_status l[DEV]call:comm_recorder_data, block_id:5000, data_len:26h [OSD]display_mode 1hW [RC]wristbnad cnt 0 [RC]handle_wristband_channel 0|0|0|0|0|0|0 [RC]1 1 1 (0|0)|0 0 } [API]api_ctrl_health_flag 0 %h [SEND DATA][Info] [Pub] In last second 0 bytes data were sent [DEV]call:comm_recorder_data, block_id:5000, data_len:26N [OSD]display_mode 1 [RC]wristbnad cnt 0 [RC]handle_wristband_channel 0|0|0|0|0|0|0U [RC]1 1 1 (0|0)|0 00 [API]api_ctrl_health_flag 0 % [SEND DATA][Info] [Pub] In last second 0 bytes data were sent [PITOT]dev diff press 0.000000B 228120 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 [FMU/LED]call set_forearm_led_status [DEV]call:comm_recorder_data, block_id:5000, data_len:26d* [OSD]display_mode 1L [RC]wristbnad cnt 0Z [RC]handle_wristband_channel 0|0|0|0|0|0|09b [RC]1 1 1 (0|0)|0 0 [API]api_ctrl_health_flag 0 | [SEND DATA][Info] [Pub] In last second 0 bytes data were sent [DEV]call:comm_recorder_data, block_id:5000, data_len:26Q [OSD]display_mode 1 [RC]wristbnad cnt 0j [RC]handle_wristband_channel 0|0|0|0|0|0|0g [RC]1 1 1 (0|0)|0 0 [API]api_ctrl_health_flag 0 [SEND DATA][Info] [Pub] In last second 0 bytes data were sentl [PITOT]dev diff press 0.000000` 228220 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 [FMU/LED]call set_forearm_led_status_ N 228230 [L-SEND DATA]assistant connect changed:last(1) != current(0)1 O 228230 [L-CFG]lock_assistant P 228230 [L-SEND DATA]lock assistant! [FLYLIMIT]>>sending limit areas:[0]M; [DEV]call:comm_recorder_data, block_id:5000, data_len:26 2[OSD]display_mode 1d^ 3[RC]wristbnad cnt 0 4[RC]handle_wristband_channel 0|0|0|0|0|0|0 5[RC]1 1 1 (0|0)|0 0t 6[API]api_ctrl_health_flag 0 8[SEND DATA][Info] [Pub] In last second 0 bytes data were sentx [DEV]call:comm_recorder_data, block_id:5000, data_len:26, Q[OSD]display_mode 1 R[RC]wristbnad cnt 0 S[RC]handle_wristband_channel 0|0|0|0|0|0|07 T[RC]1 1 1 (0|0)|0 0< U[API]api_ctrl_health_flag 0 W[SEND DATA][Info] [Pub] In last second 0 bytes data were sente a[PITOT]dev diff press 0.0000004 2 228320 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1M >[FMU/LED]call set_forearm_led_statusy =[DEV]call:comm_recorder_data, block_id:5000, data_len:26H s[OSD]display_mode 1E t[RC]wristbnad cnt 0S u[RC]handle_wristband_channel 0|0|0|0|0|0|0 v[RC]1 1 1 (0|0)|0 0 w[API]api_ctrl_health_flag 0 & y[SEND DATA][Info] [Pub] In last second 0 bytes data were sentu \[DEV]call:comm_recorder_data, block_id:5000, data_len:263 [OSD]display_mode 1 [RC]wristbnad cnt 0 [RC]handle_wristband_channel 0|0|0|0|0|0|0L [RC]1 1 1 (0|0)|0 0 [API]api_ctrl_health_flag 0 k [SEND DATA][Info] [Pub] In last second 0 bytes data were sentK [PITOT]dev diff press 0.000000 1 Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted June 27, 2017 Author Share Posted June 27, 2017 29 minutes ago, kariem112 said: Not really ;) https://web.archive.org/web/20170624160235/http://mavicpilots.com/threads/how-to-exceed-max-altitude-for-mountain-flying.7592/page-14 I meant via the archive.is interface... I'm glad another crawler picked it up. I think you took me too literally though. 1 Quote Link to comment Share on other sites More sharing options...
droner69 Posted June 27, 2017 Share Posted June 27, 2017 10 minutes ago, MavproxyUser said: I meant via the archive.is interface... I'm glad another crawler picked it up. I think you took me too literally though. I made backups if the crawlers didn't get them. 2 Quote Link to comment Share on other sites More sharing options...
singlag Posted June 27, 2017 Share Posted June 27, 2017 3 hours ago, droner69 said: I have successfully gotten coptersafe's tool to work with differing hardware fingerprints using VM's to test, but I don't have another mavic to see if this method works with differing serial numbers. If someone could send me their coptersafe "full pack" binary and or name/keys, I can test the method to see if it works using my mavic's serial, and then hopefully create a patch/crack. Below is the sequence of events that the coptersafe "Mountain Pack - speed+atti" tool goes through to patch to the mavic. I used wireshark and usbpcap to get this info. His tool writes to the external EEPROM on FC. 0 $Vp`EHNH*DC4l*p`cSc5=p`PC-PC<MSFT 5.07 } $Vp`ZEH@O**CD4l*p`cSc56*local V[RC]handle_wristband_channel 0|0|0|0|0|0|0 W[RC]1 1 1 (0|0)|0 0e X[API]api_ctrl_health_flag 0 Z[SEND DATA][Info] [Pub] In last second 0 bytes data were sent1 Z[SEND DATA][Info] [Pub] In last second 0 bytes data were sent1 d[PITOT]dev diff press 0.0000004 [DEV]call:comm_recorder_data, block_id:5000, data_len:26` 6 216420 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1; B[FMU/LED]call set_forearm_led_status' v[OSD]display_mode 1P w[RC]wristbnad cnt 02 x[RC]handle_wristband_channel 0|0|0|0|0|0|0S y[RC]1 1 1 (0|0)|0 0 z[API]api_ctrl_health_flag 0 |[SEND DATA][Info] [Pub] In last second 0 bytes data were sent [DEV]call:comm_recorder_data, block_id:5000, data_len:26>9 =[FLYLIMIT]>>sending limit areas:[0] [OSD]display_mode 1E [RC]wristbnad cnt 0 [RC]handle_wristband_channel 0|0|0|0|0|0|0/ [RC]1 1 1 (0|0)|0 0B [API]api_ctrl_health_flag 0 t [SEND DATA][Info] [Pub] In last second 0 bytes data were sent - [PITOT]dev diff press 0.000000 <[DEV]call:comm_recorder_data, block_id:5000, data_len:26D8Ua$ z 216520 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1U3 [FMU/LED]call set_forearm_led_statussU" [OSD]display_mode 1U" [RC]wristbnad cnt 0 ` ,U,6*74WM220 AC Ver.AR, p 227477 [L-SYS]NAVI wm220 20170112|132359I 'NAVI wm220 20170112|1323594 p 227478 [L-SEND DATA]assistant connect changed:last(0) != current(1) XXXXXXXXXXXXXX" #(first 14 of mavic serial number) p[DEV]call:comm_recorder_data, block_id:5000, data_len:267 p[FLYLIMIT]>>sending limit areas:[0]s q[OSD]display_mode 1 q[RC]wristbnad cnt 0R q[RC]handle_wristband_channel 0|0|0|0|0|0|0 q[RC]1 1 1 (0|0)|0 0 q[API]api_ctrl_health_flag 0 3o q[SEND DATA][Info] [Pub] In last second 0 bytes data were sent &q[PITOT]dev diff press 0.000000q q 227520 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1Q r[FMU/LED]call set_forearm_led_statusl r[DEV]call:comm_recorder_data, block_id:5000, data_len:26 8s[OSD]display_mode 1* 9s[RC]wristbnad cnt 0 :s[RC]handle_wristband_channel 0|0|0|0|0|0|0 ;s[RC]1 1 1 (0|0)|0 0- <s[API]api_ctrl_health_flag 0 .M >s[SEND DATA][Info] [Pub] In last second 0 bytes data were sent>R u[DEV]call:comm_recorder_data, block_id:5000, data_len:262x Wu[OSD]display_mode 1# Xu[RC]wristbnad cnt 0 Yu[RC]handle_wristband_channel 0|0|0|0|0|0|0 Zu[RC]1 1 1 (0|0)|0 0] [u[API]api_ctrl_health_flag 0 { ]u[SEND DATA][Info] [Pub] In last second 0 bytes data were sent gu[PITOT]dev diff press 0.000000/V 8v 227620 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 Dv[FMU/LED]call set_forearm_led_statusu .w[DEV]call:comm_recorder_data, block_id:5000, data_len:26 yw[OSD]display_mode 1x1 zw[RC]wristbnad cnt 0 {w[RC]handle_wristband_channel 0|0|0|0|0|0|0 |w[RC]1 1 1 (0|0)|0 0 }w[API]api_ctrl_health_flag 0 Y w[SEND DATA][Info] [Pub] In last second 0 bytes data were sent_ My[DEV]call:comm_recorder_data, block_id:5000, data_len:26 y[OSD]display_mode 1D y[RC]wristbnad cnt 0M y[RC]handle_wristband_channel 0|0|0|0|0|0|08 y[RC]1 1 1 (0|0)|0 0R y[API]api_ctrl_health_flag 0 s y[SEND DATA][Info] [Pub] In last second 0 bytes data were sent y[PITOT]dev diff press 0.000000/G yz 227720 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 z[FMU/LED]call set_forearm_led_statush z 227728 [L-SEND DATA]assistant connect changed:last(1) != current(0) z 227728 [L-CFG]lock_assistant z 227728 [L-SEND DATA]lock assistant!W d{[FLYLIMIT]>>sending limit areas:[0] u{[DEV]call:comm_recorder_data, block_id:5000, data_len:26` {[OSD]display_mode 1 {[RC]wristbnad cnt 0Um {[RC]handle_wristband_channel 0|0|0|0|0|0|0@ {[RC]1 1 1 (0|0)|0 0 {[API]api_ctrl_health_flag 0 < {[SEND DATA][Info] [Pub] In last second 0 bytes data were sent/% `g $T33p``B2c<wpad 0;r ll$@^p`E2`*6<wpad `Z $\p`ENc**: FHFAEBEECACACACACACACACACACACAAA }[DEV]call:comm_recorder_data, block_id:5000, data_len:26D# }[OSD]display_mode 1(@ }[RC]wristbnad cnt 0 }[RC]handle_wristband_channel 0|0|0|0|0|0|0 }[RC]1 1 1 (0|0)|0 0_t }[API]api_ctrl_health_flag 0 Y\ }[SEND DATA][Info] [Pub] In last second 0 bytes data were sent }[PITOT]dev diff press 0.0000004 ~ 227820 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 ~[FMU/LED]call set_forearm_led_status `| $\p`ENc**: FHFAEBEECACACACACACACACACACACAAA [DEV]call:comm_recorder_data, block_id:5000, data_len:26k [OSD]display_mode 1 [RC]wristbnad cnt 0e [RC]handle_wristband_channel 0|0|0|0|0|0|0 [RC]1 1 1 (0|0)|0 0, [API]api_ctrl_health_flag 0 [SEND DATA][Info] [Pub] In last second 0 bytes data were sentn ` $\p`ENc**: FHFAEBEECACACACACACACACACACACAAA [DEV]call:comm_recorder_data, block_id:5000, data_len:26 [OSD]display_mode 1$2 ![RC]wristbnad cnt 0 "[RC]handle_wristband_channel 0|0|0|0|0|0|0 #[RC]1 1 1 (0|0)|0 025 $[API]api_ctrl_health_flag 0 &[SEND DATA][Info] [Pub] In last second 0 bytes data were sent 0[PITOT]dev diff press 0.000000*S 227920 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1e [FMU/LED]call set_forearm_led_statusSd [DEV]call:comm_recorder_data, block_id:5000, data_len:26 B[OSD]display_mode 1 C[RC]wristbnad cnt 0 D[RC]handle_wristband_channel 0|0|0|0|0|0|0| E[RC]1 1 1 (0|0)|0 0q7 F[API]api_ctrl_health_flag 0 H[SEND DATA][Info] [Pub] In last second 0 bytes data were sent; 227979 [L-CFG]unlock_assistantTH 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.flying_limit.limit_height_abs_without_gps 227979 [L-CFG]2500.000000 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.flying_limit.limit_height_absd 227979 [L-CFG]2500.000000 227979 [L-CFG][_var_set] save(var->addr)m 227979 [L-CFG]set g_config.flying_limit.limit_height_rel2 227979 [L-CFG]2500.000000M 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.flying_limit.height_limit_enabled_P 227979 [L-CFG]2h 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.mode_sport_cfg.tilt_atti_range 227979 [L-CFG]60.000000| 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.mode_sport_cfg.vert_vel_up 227979 [L-CFG]10.000000 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.mode_sport_cfg.vert_vel_downsU( 227979 [L-CFG]-10.000000U8*8 rXU8 227979 [L-CFG][_var_set] save(var->addr)?UE 227979 [L-CFG]set g_config.mode_sport_cfg.vert_acc_upg 227979 [L-CFG]10.000000dU8*8 ARUS 227980 [L-SEND DATA]assistant connect changed:last(0) != current(1)( 227980 [L-CFG][_var_set] save(var->addr)PJ 227980 [L-CFG]set g_config.mode_sport_cfg.vert_acc_downE 227980 [L-CFG]-10.000000 227980 [L-CFG][_var_set] save(var->addr)!AU; 227980 [L-CFG]set g_config.fw_cfg.max_speedU' 227980 [L-CFG]20.0000002nU8*CA 227985 [L-EMBEDDED]Eeprom write offset:2f8 9 ` eUe 227988 [L-GPS]<GPS INFO>[monitor][0][0]:lce:1,sfe:0,dit:80,fe:2,dynseed 912 cnt 912025 *[FLYLIMIT]>>sending limit areas:[0] 0 227993 [L-EMBEDDED]Eeprom write offset:458 b I[DEV]call:comm_recorder_data, block_id:5000, data_len:26] ` 227997 [L-EMBEDDED]Eeprom write offset:930 v [OSD]display_mode 1 [RC]wristbnad cnt 0M5 [RC]handle_wristband_channel 0|0|0|0|0|0|0X [RC]1 1 1 (0|0)|0 0 [API]api_ctrl_health_flag 0 s [SEND DATA][Info] [Pub] In last second 0 bytes data were sent [PITOT]dev diff press 0.0000001( i 228020 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1= u[FMU/LED]call set_forearm_led_status l[DEV]call:comm_recorder_data, block_id:5000, data_len:26h [OSD]display_mode 1hW [RC]wristbnad cnt 0 [RC]handle_wristband_channel 0|0|0|0|0|0|0 [RC]1 1 1 (0|0)|0 0 } [API]api_ctrl_health_flag 0 %h [SEND DATA][Info] [Pub] In last second 0 bytes data were sent [DEV]call:comm_recorder_data, block_id:5000, data_len:26N [OSD]display_mode 1 [RC]wristbnad cnt 0 [RC]handle_wristband_channel 0|0|0|0|0|0|0U [RC]1 1 1 (0|0)|0 00 [API]api_ctrl_health_flag 0 % [SEND DATA][Info] [Pub] In last second 0 bytes data were sent [PITOT]dev diff press 0.000000B 228120 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 [FMU/LED]call set_forearm_led_status [DEV]call:comm_recorder_data, block_id:5000, data_len:26d* [OSD]display_mode 1L [RC]wristbnad cnt 0Z [RC]handle_wristband_channel 0|0|0|0|0|0|09b [RC]1 1 1 (0|0)|0 0 [API]api_ctrl_health_flag 0 | [SEND DATA][Info] [Pub] In last second 0 bytes data were sent [DEV]call:comm_recorder_data, block_id:5000, data_len:26Q [OSD]display_mode 1 [RC]wristbnad cnt 0j [RC]handle_wristband_channel 0|0|0|0|0|0|0g [RC]1 1 1 (0|0)|0 0 [API]api_ctrl_health_flag 0 [SEND DATA][Info] [Pub] In last second 0 bytes data were sentl [PITOT]dev diff press 0.000000` 228220 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 [FMU/LED]call set_forearm_led_status_ N 228230 [L-SEND DATA]assistant connect changed:last(1) != current(0)1 O 228230 [L-CFG]lock_assistant P 228230 [L-SEND DATA]lock assistant! [FLYLIMIT]>>sending limit areas:[0]M; [DEV]call:comm_recorder_data, block_id:5000, data_len:26 2[OSD]display_mode 1d^ 3[RC]wristbnad cnt 0 4[RC]handle_wristband_channel 0|0|0|0|0|0|0 5[RC]1 1 1 (0|0)|0 0t 6[API]api_ctrl_health_flag 0 8[SEND DATA][Info] [Pub] In last second 0 bytes data were sentx [DEV]call:comm_recorder_data, block_id:5000, data_len:26, Q[OSD]display_mode 1 R[RC]wristbnad cnt 0 S[RC]handle_wristband_channel 0|0|0|0|0|0|07 T[RC]1 1 1 (0|0)|0 0< U[API]api_ctrl_health_flag 0 W[SEND DATA][Info] [Pub] In last second 0 bytes data were sente a[PITOT]dev diff press 0.0000004 2 228320 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1M >[FMU/LED]call set_forearm_led_statusy =[DEV]call:comm_recorder_data, block_id:5000, data_len:26H s[OSD]display_mode 1E t[RC]wristbnad cnt 0S u[RC]handle_wristband_channel 0|0|0|0|0|0|0 v[RC]1 1 1 (0|0)|0 0 w[API]api_ctrl_health_flag 0 & y[SEND DATA][Info] [Pub] In last second 0 bytes data were sentu \[DEV]call:comm_recorder_data, block_id:5000, data_len:263 [OSD]display_mode 1 [RC]wristbnad cnt 0 [RC]handle_wristband_channel 0|0|0|0|0|0|0L [RC]1 1 1 (0|0)|0 0 [API]api_ctrl_health_flag 0 k [SEND DATA][Info] [Pub] In last second 0 bytes data were sentK [PITOT]dev diff press 0.000000 60" tilt in sport mode, it is crazy..... Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted June 27, 2017 Author Share Posted June 27, 2017 11 minutes ago, singlag said: 60" tilt in sport mode, it is crazy..... As you guys keep working out *fun* parameters, share them here for folks to use with the websocket tool =] Quote Link to comment Share on other sites More sharing options...
singlag Posted June 27, 2017 Share Posted June 27, 2017 3 minutes ago, MavproxyUser said: As you guys keep working out *fun* parameters, share them here for folks to use with the websocket tool =] 1 more thing want to modifly is, disable the beep noise on controller 1 Quote Link to comment Share on other sites More sharing options...
MavproxyUser Posted June 27, 2017 Author Share Posted June 27, 2017 3 minutes ago, singlag said: 1 more thing want to modifly is, disable the beep noise on controller @droner69 I noticed from your "Mountain Pack - speed+atti" dump above the following params: g_config.flying_limit.limit_height_abs_without_gps 2500 g_config.flying_limit.limit_height_absd 2500 g_config.flying_limit.limit_height_rel2 2500 g_config.flying_limit.height_limit_enabled_P 2 g_config.mode_sport_cfg.tilt_atti_range 60 g_config.mode_sport_cfg.vert_vel_up 10 g_config.mode_sport_cfg.vert_vel_downs -10 g_config.mode_sport_cfg.vert_acc_up 10 g_config.mode_sport_cfg.vert_acc_down -10 g_config.fw_cfg.max_speed 20 Quote Link to comment Share on other sites More sharing options...
jan2642 Posted June 27, 2017 Share Posted June 27, 2017 10 hours ago, MavproxyUser said: Certainly an interesting rabbit hole to head down... I am off on the opposite end of the spectrum worried about the NFZ references in dji_flight ("nfz gps not reliable", "INIT DB", "LOAD DB"), and dji_vision ("nfz monitor", and "query_nfz") and such. See the notes above about how to coax that window into opening. Patching these may be a quick path to enlightenment. Thanks for the spoon-fed clue, I've found the factory window. Unfortunately it's in Chinese (and I forgot to take a screenshot). 1 Quote Link to comment Share on other sites More sharing options...
HDnes Posted June 27, 2017 Share Posted June 27, 2017 Mostly following the general gist here but... Why does @droner69 care to patch the CS script when its essentially replicating the websocket trick? Am I missing something? Does the websocket trick require root and @droner69 is trying to find that in? Just trying to get a lay of the land before I start poking. Thanks Quote Link to comment Share on other sites More sharing options...
HDnes Posted June 27, 2017 Share Posted June 27, 2017 1 hour ago, HDnes said: Mostly following the general gist here but... Why does @droner69 care to patch the CS script when its essentially replicating the websocket trick? Am I missing something? Does the websocket trick require root and @droner69 is trying to find that in? Just trying to get a lay of the land before I start poking. Thanks Ok, I got into Assitant Factory mode with a way easier method (at least on mac). Just open up developer settings and change factory_mode = true. Might have to enable debugging also. But that's the ticket. Should work on every version I'd think. That beings said, I answered my own question. I now see why the webproxy method doesn't work in it's entirety. You have to have write access to the min/maxes in order for those commands to take anything higher than the max etc. So rooting is the next step I suppose? Haven't seen nearly as much clear cut information on how to do this on the patched ftp. Is this where @MavproxyUser's decryptor comes into play? Does that python allow writing as well? Or does it simply read to produce the files similar to what's on @droner69 ? 1 Quote Link to comment Share on other sites More sharing options...
fredz Posted June 27, 2017 Share Posted June 27, 2017 @HDnes Where do you see the developer settings and set factory_mode? Quote Link to comment Share on other sites More sharing options...
HDnes Posted June 27, 2017 Share Posted June 27, 2017 2 minutes ago, fredz said: @HDnes Where do you see the developer settings and set factory_mode? on MAC the short cut is: option + command + i or ⌥⌘i ⌥⌘r to reload after changing the settings Factory mode and debug is under Resources>local storage Quote Link to comment Share on other sites More sharing options...
fredz Posted June 27, 2017 Share Posted June 27, 2017 You mean while the graphical version of DJI Assistant is open? As simple as that? Got a screenshot ? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.