singlag
-
Posts
21 -
Joined
-
Last visited
Posts posted by singlag
-
-
43 minutes ago, MacIak said:
I should have been clearer, sorry...
Increasing output beyond FCC (and overheat) is indeed a different subject.
Im just interested for now in the FCC mode the 4.1.3 enforces.
Does this really increase output to FCC in both the RC and Mavic?!
Also when it comes to measuring output: Is this as simple as that? Or is the system increasing TX power as signal gets weaker up to a maximum to save battery?
I did a flight test about it, Fcc mod on Mavic Pro only increase rc output power, but the hd video link remain unchange
test flight video with fcc(us) ce(hk) change on the fly, watch the signal bar, HD remain unchange when switching fcc/ce
-
30 minutes ago, enderffx said:
FCC - Mod:
By the way, tried with RF meter, you do not have to change provider ID or country code or anything at all (S7 Edge, Nougat).
Simply install 4.0.6, hit thst SN 11 times, use password, US, FC SN and GO.
In the original chinese forum where singlag pointed us (thanks again) there is something about "changing FC SN" so i used my FC SN to be sure. And i wrote it down before.
Greetings,
Ender
no need to input sn, just leave it blank
the popup menu after submit said, it only updated country code
dji go will use drone gps or device gps to query location form internet and then set fcc/ce, so you must disconnect from data network while.using this fcc mod
and I guess it send a shell command like "iw reg set US"; if it is correct, we may use this exploit to execute some shell command to enable telnet.d, then get root ?
-
14 hours ago, singlag said:
translate chinese word from screenshot
enter password <- contact Nathan.yan for password
data upload uuid=344....
user center uid=7210
HK enter country code
enter SN enter testing SN
Set
password = djitestcc
country code set success, try set to US if you are at Euro and tell us the result
-
11 hours ago, fredz said:
Hmm @singlag I installed 1.1.2.573 on Windows 10 but Ctrl-Shift-i doesn't work. It really does for you?
@fredz 1.06 and 1.1.2.573 is ok
-
5 minutes ago, singlag said:
found something about ce/fcc switching, this method is from dji china forum, i try to translate to english here
It is depend on dji go app
how it work:
dji go app will first get location from data network, if no data network, then it will get from sim card carrier/operator; if no data network and no sim card, then set to CE as default
so, you can fake it by a android with root
1) clean install, remove all cache from dji go app (not sure is it necessary)
2) disconnect from data network
3) use app to fake country operater code to US
http://androidadvices.com/fake-country-operator-carrier-download-paid-android-apps/
4) start dji go app
how to check result ?
the only version can check is 4.0.6
go to setting, keep click on "Flight Controller SN", then it will pop up a secret menu and show country code
actually there is a password to change code manually, and also device SN !
but he don't share the password because it is too danger to share to public (but I guess we can change SN by web socket command ?)
attached secret menu creenshot found on my phone
translate chinese word from screenshot
enter password <- contact Nathan.yan for password
data upload uuid=344....
user center uid=7210
HK enter country code
enter SN enter testing SN
Set
-
found something about ce/fcc switching, this method is from dji china forum, i try to translate to english here
It is depend on dji go app
how it work:
dji go app will first get location from data network, if no data network, then it will get from sim card carrier/operator; if no data network and no sim card, then set to CE as default
so, you can fake it by a android with root
1) clean install, remove all cache from dji go app (not sure is it necessary)
2) disconnect from data network
3) use app to fake country operater code to US
http://androidadvices.com/fake-country-operator-carrier-download-paid-android-apps/
4) start dji go app
how to check result ?
the only version can check is 4.0.6
go to setting, keep click on "Flight Controller SN", then it will pop up a secret menu and show country code
actually there is a password to change code manually, and also device SN !
but he don't share the password because it is too danger to share to public (but I guess we can change SN by web socket command ?)
attached secret menu creenshot found on my phone
- 1
-
2 hours ago, fredz said:
Hmm @singlag I installed 1.1.2.573 on Windows 10 but Ctrl-Shift-i doesn't work. It really does for you?
yes, the one from github
I take a screenshot to you tomorrow
-
2 hours ago, fredz said:
On Mac or Windows? Ctrl-Shift-i on Windows seems to only work with some old beta versions...
no, work on 1.1.2.573 too
-
5 hours ago, enderffx said:
Do you have any idea if that version supports Spark as well ? If not then all this probably is irrelevant for Spark, right ?
---Trying to get a grip on this, but just beeing a regular coder and not well versed on hacking / rev engeneering its hard for me---
Ender
I'm using new version of dji assistant now (27/5/2017), i think it can support Spark
-
11 hours ago, jan2642 said:
Anyone here who can translate these ? Many thanks!
Also promising for the path I'm on: the available commands on /controller/board_test:
{ "EXIST_COMMANDS": [ "get_status_info", "set_status_info", "start_process", "start_test" ], "SEQ": "12345" }
Now trying to figure out how to pass on arguments to start_test & start_process...
自動 = auto
一鍵查詢 = check/query in 1 click (mean check all item)
機型 = model number
固件版本 = firmware version
I can't see this factory screen on version 1.0.6
-
3 minutes ago, MavproxyUser said:
As you guys keep working out *fun* parameters, share them here for folks to use with the websocket tool =]
1 more thing want to modifly is, disable the beep noise on controller
- 1
-
3 hours ago, droner69 said:
I have successfully gotten coptersafe's tool to work with differing hardware fingerprints using VM's to test, but I don't have another mavic to see if this method works with differing serial numbers. If someone could send me their coptersafe "full pack" binary and or name/keys, I can test the method to see if it works using my mavic's serial, and then hopefully create a patch/crack.
Below is the sequence of events that the coptersafe "Mountain Pack - speed+atti" tool goes through to patch to the mavic. I used wireshark and usbpcap to get this info. His tool writes to the external EEPROM on FC.
0 $Vp`EHNH*DC4l*p`cSc5=p`PC-PC<MSFT 5.07 } $Vp`ZEH@O**CD4l*p`cSc56*local V[RC]handle_wristband_channel 0|0|0|0|0|0|0 W[RC]1 1 1 (0|0)|0 0e X[API]api_ctrl_health_flag 0 Z[SEND DATA][Info] [Pub] In last second 0 bytes data were sent1 Z[SEND DATA][Info] [Pub] In last second 0 bytes data were sent1 d[PITOT]dev diff press 0.0000004 [DEV]call:comm_recorder_data, block_id:5000, data_len:26` 6 216420 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1; B[FMU/LED]call set_forearm_led_status' v[OSD]display_mode 1P w[RC]wristbnad cnt 02 x[RC]handle_wristband_channel 0|0|0|0|0|0|0S y[RC]1 1 1 (0|0)|0 0 z[API]api_ctrl_health_flag 0 |[SEND DATA][Info] [Pub] In last second 0 bytes data were sent [DEV]call:comm_recorder_data, block_id:5000, data_len:26>9 =[FLYLIMIT]>>sending limit areas:[0] [OSD]display_mode 1E [RC]wristbnad cnt 0 [RC]handle_wristband_channel 0|0|0|0|0|0|0/ [RC]1 1 1 (0|0)|0 0B [API]api_ctrl_health_flag 0 t [SEND DATA][Info] [Pub] In last second 0 bytes data were sent - [PITOT]dev diff press 0.000000 <[DEV]call:comm_recorder_data, block_id:5000, data_len:26D8Ua$ z 216520 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1U3 [FMU/LED]call set_forearm_led_statussU" [OSD]display_mode 1U" [RC]wristbnad cnt 0 ` ,U,6*74WM220 AC Ver.AR, p 227477 [L-SYS]NAVI wm220 20170112|132359I 'NAVI wm220 20170112|1323594 p 227478 [L-SEND DATA]assistant connect changed:last(0) != current(1) XXXXXXXXXXXXXX" #(first 14 of mavic serial number) p[DEV]call:comm_recorder_data, block_id:5000, data_len:267 p[FLYLIMIT]>>sending limit areas:[0]s q[OSD]display_mode 1 q[RC]wristbnad cnt 0R q[RC]handle_wristband_channel 0|0|0|0|0|0|0 q[RC]1 1 1 (0|0)|0 0 q[API]api_ctrl_health_flag 0 3o q[SEND DATA][Info] [Pub] In last second 0 bytes data were sent &q[PITOT]dev diff press 0.000000q q 227520 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1Q r[FMU/LED]call set_forearm_led_statusl r[DEV]call:comm_recorder_data, block_id:5000, data_len:26 8s[OSD]display_mode 1* 9s[RC]wristbnad cnt 0 :s[RC]handle_wristband_channel 0|0|0|0|0|0|0 ;s[RC]1 1 1 (0|0)|0 0- <s[API]api_ctrl_health_flag 0 .M >s[SEND DATA][Info] [Pub] In last second 0 bytes data were sent>R u[DEV]call:comm_recorder_data, block_id:5000, data_len:262x Wu[OSD]display_mode 1# Xu[RC]wristbnad cnt 0 Yu[RC]handle_wristband_channel 0|0|0|0|0|0|0 Zu[RC]1 1 1 (0|0)|0 0] [u[API]api_ctrl_health_flag 0 { ]u[SEND DATA][Info] [Pub] In last second 0 bytes data were sent gu[PITOT]dev diff press 0.000000/V 8v 227620 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 Dv[FMU/LED]call set_forearm_led_statusu .w[DEV]call:comm_recorder_data, block_id:5000, data_len:26 yw[OSD]display_mode 1x1 zw[RC]wristbnad cnt 0 {w[RC]handle_wristband_channel 0|0|0|0|0|0|0 |w[RC]1 1 1 (0|0)|0 0 }w[API]api_ctrl_health_flag 0 Y w[SEND DATA][Info] [Pub] In last second 0 bytes data were sent_ My[DEV]call:comm_recorder_data, block_id:5000, data_len:26 y[OSD]display_mode 1D y[RC]wristbnad cnt 0M y[RC]handle_wristband_channel 0|0|0|0|0|0|08 y[RC]1 1 1 (0|0)|0 0R y[API]api_ctrl_health_flag 0 s y[SEND DATA][Info] [Pub] In last second 0 bytes data were sent y[PITOT]dev diff press 0.000000/G yz 227720 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 z[FMU/LED]call set_forearm_led_statush z 227728 [L-SEND DATA]assistant connect changed:last(1) != current(0) z 227728 [L-CFG]lock_assistant z 227728 [L-SEND DATA]lock assistant!W d{[FLYLIMIT]>>sending limit areas:[0] u{[DEV]call:comm_recorder_data, block_id:5000, data_len:26` {[OSD]display_mode 1 {[RC]wristbnad cnt 0Um {[RC]handle_wristband_channel 0|0|0|0|0|0|0@ {[RC]1 1 1 (0|0)|0 0 {[API]api_ctrl_health_flag 0 < {[SEND DATA][Info] [Pub] In last second 0 bytes data were sent/% `g $T33p``B2c<wpad 0;r ll$@^p`E2`*6<wpad `Z $\p`ENc**: FHFAEBEECACACACACACACACACACACAAA }[DEV]call:comm_recorder_data, block_id:5000, data_len:26D# }[OSD]display_mode 1(@ }[RC]wristbnad cnt 0 }[RC]handle_wristband_channel 0|0|0|0|0|0|0 }[RC]1 1 1 (0|0)|0 0_t }[API]api_ctrl_health_flag 0 Y\ }[SEND DATA][Info] [Pub] In last second 0 bytes data were sent }[PITOT]dev diff press 0.0000004 ~ 227820 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 ~[FMU/LED]call set_forearm_led_status `| $\p`ENc**: FHFAEBEECACACACACACACACACACACAAA [DEV]call:comm_recorder_data, block_id:5000, data_len:26k [OSD]display_mode 1 [RC]wristbnad cnt 0e [RC]handle_wristband_channel 0|0|0|0|0|0|0 [RC]1 1 1 (0|0)|0 0, [API]api_ctrl_health_flag 0 [SEND DATA][Info] [Pub] In last second 0 bytes data were sentn ` $\p`ENc**: FHFAEBEECACACACACACACACACACACAAA [DEV]call:comm_recorder_data, block_id:5000, data_len:26 [OSD]display_mode 1$2 ![RC]wristbnad cnt 0 "[RC]handle_wristband_channel 0|0|0|0|0|0|0 #[RC]1 1 1 (0|0)|0 025 $[API]api_ctrl_health_flag 0 &[SEND DATA][Info] [Pub] In last second 0 bytes data were sent 0[PITOT]dev diff press 0.000000*S 227920 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1e [FMU/LED]call set_forearm_led_statusSd [DEV]call:comm_recorder_data, block_id:5000, data_len:26 B[OSD]display_mode 1 C[RC]wristbnad cnt 0 D[RC]handle_wristband_channel 0|0|0|0|0|0|0| E[RC]1 1 1 (0|0)|0 0q7 F[API]api_ctrl_health_flag 0 H[SEND DATA][Info] [Pub] In last second 0 bytes data were sent; 227979 [L-CFG]unlock_assistantTH 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.flying_limit.limit_height_abs_without_gps 227979 [L-CFG]2500.000000 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.flying_limit.limit_height_absd 227979 [L-CFG]2500.000000 227979 [L-CFG][_var_set] save(var->addr)m 227979 [L-CFG]set g_config.flying_limit.limit_height_rel2 227979 [L-CFG]2500.000000M 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.flying_limit.height_limit_enabled_P 227979 [L-CFG]2h 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.mode_sport_cfg.tilt_atti_range 227979 [L-CFG]60.000000| 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.mode_sport_cfg.vert_vel_up 227979 [L-CFG]10.000000 227979 [L-CFG][_var_set] save(var->addr) 227979 [L-CFG]set g_config.mode_sport_cfg.vert_vel_downsU( 227979 [L-CFG]-10.000000U8*8 rXU8 227979 [L-CFG][_var_set] save(var->addr)?UE 227979 [L-CFG]set g_config.mode_sport_cfg.vert_acc_upg 227979 [L-CFG]10.000000dU8*8 ARUS 227980 [L-SEND DATA]assistant connect changed:last(0) != current(1)( 227980 [L-CFG][_var_set] save(var->addr)PJ 227980 [L-CFG]set g_config.mode_sport_cfg.vert_acc_downE 227980 [L-CFG]-10.000000 227980 [L-CFG][_var_set] save(var->addr)!AU; 227980 [L-CFG]set g_config.fw_cfg.max_speedU' 227980 [L-CFG]20.0000002nU8*CA 227985 [L-EMBEDDED]Eeprom write offset:2f8 9 ` eUe 227988 [L-GPS]<GPS INFO>[monitor][0][0]:lce:1,sfe:0,dit:80,fe:2,dynseed 912 cnt 912025 *[FLYLIMIT]>>sending limit areas:[0] 0 227993 [L-EMBEDDED]Eeprom write offset:458 b I[DEV]call:comm_recorder_data, block_id:5000, data_len:26] ` 227997 [L-EMBEDDED]Eeprom write offset:930 v [OSD]display_mode 1 [RC]wristbnad cnt 0M5 [RC]handle_wristband_channel 0|0|0|0|0|0|0X [RC]1 1 1 (0|0)|0 0 [API]api_ctrl_health_flag 0 s [SEND DATA][Info] [Pub] In last second 0 bytes data were sent [PITOT]dev diff press 0.0000001( i 228020 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1= u[FMU/LED]call set_forearm_led_status l[DEV]call:comm_recorder_data, block_id:5000, data_len:26h [OSD]display_mode 1hW [RC]wristbnad cnt 0 [RC]handle_wristband_channel 0|0|0|0|0|0|0 [RC]1 1 1 (0|0)|0 0 } [API]api_ctrl_health_flag 0 %h [SEND DATA][Info] [Pub] In last second 0 bytes data were sent [DEV]call:comm_recorder_data, block_id:5000, data_len:26N [OSD]display_mode 1 [RC]wristbnad cnt 0 [RC]handle_wristband_channel 0|0|0|0|0|0|0U [RC]1 1 1 (0|0)|0 00 [API]api_ctrl_health_flag 0 % [SEND DATA][Info] [Pub] In last second 0 bytes data were sent [PITOT]dev diff press 0.000000B 228120 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 [FMU/LED]call set_forearm_led_status [DEV]call:comm_recorder_data, block_id:5000, data_len:26d* [OSD]display_mode 1L [RC]wristbnad cnt 0Z [RC]handle_wristband_channel 0|0|0|0|0|0|09b [RC]1 1 1 (0|0)|0 0 [API]api_ctrl_health_flag 0 | [SEND DATA][Info] [Pub] In last second 0 bytes data were sent [DEV]call:comm_recorder_data, block_id:5000, data_len:26Q [OSD]display_mode 1 [RC]wristbnad cnt 0j [RC]handle_wristband_channel 0|0|0|0|0|0|0g [RC]1 1 1 (0|0)|0 0 [API]api_ctrl_health_flag 0 [SEND DATA][Info] [Pub] In last second 0 bytes data were sentl [PITOT]dev diff press 0.000000` 228220 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1 [FMU/LED]call set_forearm_led_status_ N 228230 [L-SEND DATA]assistant connect changed:last(1) != current(0)1 O 228230 [L-CFG]lock_assistant P 228230 [L-SEND DATA]lock assistant! [FLYLIMIT]>>sending limit areas:[0]M; [DEV]call:comm_recorder_data, block_id:5000, data_len:26 2[OSD]display_mode 1d^ 3[RC]wristbnad cnt 0 4[RC]handle_wristband_channel 0|0|0|0|0|0|0 5[RC]1 1 1 (0|0)|0 0t 6[API]api_ctrl_health_flag 0 8[SEND DATA][Info] [Pub] In last second 0 bytes data were sentx [DEV]call:comm_recorder_data, block_id:5000, data_len:26, Q[OSD]display_mode 1 R[RC]wristbnad cnt 0 S[RC]handle_wristband_channel 0|0|0|0|0|0|07 T[RC]1 1 1 (0|0)|0 0< U[API]api_ctrl_health_flag 0 W[SEND DATA][Info] [Pub] In last second 0 bytes data were sente a[PITOT]dev diff press 0.0000004 2 228320 [L-FMU/MOTOR]set act status, num:1, r_id:37764728, res:0, id:201, status:1M >[FMU/LED]call set_forearm_led_statusy =[DEV]call:comm_recorder_data, block_id:5000, data_len:26H s[OSD]display_mode 1E t[RC]wristbnad cnt 0S u[RC]handle_wristband_channel 0|0|0|0|0|0|0 v[RC]1 1 1 (0|0)|0 0 w[API]api_ctrl_health_flag 0 & y[SEND DATA][Info] [Pub] In last second 0 bytes data were sentu \[DEV]call:comm_recorder_data, block_id:5000, data_len:263 [OSD]display_mode 1 [RC]wristbnad cnt 0 [RC]handle_wristband_channel 0|0|0|0|0|0|0L [RC]1 1 1 (0|0)|0 0 [API]api_ctrl_health_flag 0 k [SEND DATA][Info] [Pub] In last second 0 bytes data were sentK [PITOT]dev diff press 0.000000
60" tilt in sport mode, it is crazy.....
-
18 minutes ago, MavproxyUser said:
As I recall it... they have progressively added *checks* as the versions went on. With regard to the connection time outs and such, that is your big hint right there for the other versions. Have you considered using Wireshark to see what DJI Assistant wants to talk to *before* giving you access to the unlocked menus? It does vary across versions with regard to what those pre-requisite connections, or interactions may be. Another hint is to try running the program from the console... (older versions were WAY more chatty than newer ones).
I assume you noticed it hangs looking for *something* very specific, see if you can spot it here. THIS trick is pretty well "burned" seems more and more people figured it out.$ /Applications/Assistant_1_0_4.app/Contents/MacOS/Assistant --debugger 2017-06-26 14:10:23.670 Assistant[1928:56248989] kCFURLVolumeIsAutomountedKey missing for file:///private/tmp/b/: Error Domain=NSCocoaErrorDomain Code=260 "The file “b” couldn’t be opened because there is no such file." UserInfo={NSURL=file:///private/tmp/b/, NSFilePath=/private/tmp/b, NSUnderlyingError=0x7fd241416cd0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}} 2017-06-26 14:10:23.671 Assistant[1928:56248989] kCFURLVolumeIsAutomountedKey missing for file:///private/tmp/a/: Error Domain=NSCocoaErrorDomain Code=260 "The file “a” couldn’t be opened because there is no such file." UserInfo={NSURL=file:///private/tmp/a/, NSFilePath=/private/tmp/a, NSUnderlyingError=0x7fd241603af0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}} PING swsf.djicorp.com (198.105.254.130): 56 data bytes --- swsf.djicorp.com ping statistics --- 1 packets transmitted, 0 packets received, 100.0% packet loss 2017_05_27@22_38_01 - Sat May 27 22:38:01 2017 [ 30] reserved 2017_05_28@00_40_16 - Sun May 28 00:40:16 2017 [ 29] reserved 2017_05_29@21_22_07 - Mon May 29 21:22:07 2017 [ 28] reserved 2017_06_01@12_05_46 - Thu Jun 1 12:05:46 2017 [ 25] reserved 2017_06_01@12_06_41 - Thu Jun 1 12:06:41 2017 [ 25] reserved 2017_06_01@12_09_35 - Thu Jun 1 12:09:35 2017 [ 25] reserved 2017_06_02@13_27_13 - Fri Jun 2 13:27:13 2017 [ 24] reserved 2017_06_02@13_30_34 - Fri Jun 2 13:30:34 2017 [ 24] reserved 2017_06_02@13_48_07 - Fri Jun 2 13:48:07 2017 [ 24] reserved 2017_06_02@13_48_50 - Fri Jun 2 13:48:50 2017 [ 24] reserved 2017_06_02@13_49_26 - Fri Jun 2 13:49:26 2017 [ 24] reserved 2017_06_02@13_49_44 - Fri Jun 2 13:49:44 2017 [ 24] reserved 2017_06_02@13_51_34 - Fri Jun 2 13:51:34 2017 [ 24] reserved 2017_06_02@13_51_47 - Fri Jun 2 13:51:47 2017 [ 24] reserved 2017_06_02@16_35_52 - Fri Jun 2 16:35:52 2017 [ 24] reserved 2017_06_02@16_56_49 - Fri Jun 2 16:56:49 2017 [ 24] reserved 2017_06_02@16_57_49 - Fri Jun 2 16:57:49 2017 [ 24] reserved 2017_06_02@16_58_15 - Fri Jun 2 16:58:15 2017 [ 24] reserved 2017_06_02@17_02_19 - Fri Jun 2 17:02:19 2017 [ 24] reserved 2017_06_04@12_49_31 - Sun Jun 4 12:49:31 2017 [ 22] reserved 2017_06_04@12_56_15 - Sun Jun 4 12:56:15 2017 [ 22] reserved 2017_06_04@12_58_12 - Sun Jun 4 12:58:12 2017 [ 22] reserved 2017_06_04@18_08_44 - Sun Jun 4 18:08:44 2017 [ 22] reserved 2017_06_04@18_10_02 - Sun Jun 4 18:10:02 2017 [ 22] reserved 2017_06_04@18_10_20 - Sun Jun 4 18:10:20 2017 [ 22] reserved 2017_06_04@18_11_16 - Sun Jun 4 18:11:16 2017 [ 22] reserved 2017_06_05@07_57_20 - Mon Jun 5 07:57:20 2017 [ 21] reserved 2017_06_05@08_57_29 - Mon Jun 5 08:57:29 2017 [ 21] reserved 2017_06_05@09_31_07 - Mon Jun 5 09:31:07 2017 [ 21] reserved 2017_06_05@12_48_21 - Mon Jun 5 12:48:21 2017 [ 21] reserved 2017_06_05@12_49_52 - Mon Jun 5 12:49:52 2017 [ 21] reserved 2017_06_05@12_55_33 - Mon Jun 5 12:55:33 2017 [ 21] reserved 2017_06_05@13_51_39 - Mon Jun 5 13:51:39 2017 [ 21] reserved 2017_06_05@14_07_27 - Mon Jun 5 14:07:27 2017 [ 21] reserved 2017_06_05@15_38_05 - Mon Jun 5 15:38:05 2017 [ 21] reserved 2017_06_05@15_43_37 - Mon Jun 5 15:43:37 2017 [ 21] reserved 2017_06_06@00_51_55 - Tue Jun 6 00:51:55 2017 [ 20] reserved 2017_06_06@09_50_06 - Tue Jun 6 09:50:06 2017 [ 20] reserved 2017_06_07@13_20_03 - Wed Jun 7 13:20:03 2017 [ 19] reserved 2017_06_18@00_17_56 - Sun Jun 18 00:17:56 2017 [ 8] reserved 2017_06_18@15_21_20 - Sun Jun 18 15:21:20 2017 [ 8] reserved 2017_06_20@10_10_08 - Tue Jun 20 10:10:08 2017 [ 6] reserved 2017_06_20@16_01_01 - Tue Jun 20 16:01:01 2017 [ 6] reserved 2017_06_21@13_02_48 - Wed Jun 21 13:02:48 2017 [ 5] reserved 2017_06_21@22_14_43 - Wed Jun 21 22:14:43 2017 [ 5] reserved 2017_06_21@22_16_41 - Wed Jun 21 22:16:41 2017 [ 5] reserved 2017_06_24@00_59_00 - Sat Jun 24 00:59:00 2017 [ 2] reserved 2017_06_26@14_02_45 - Mon Jun 26 14:02:45 2017 [ 0] reserved log:[dServer ] Service at19870 qt.network.ssl: QSslSocket: cannot resolve SSL_set_psk_client_callback qt.network.ssl: QSslSocket: cannot resolve TLSv1_1_client_method qt.network.ssl: QSslSocket: cannot resolve TLSv1_2_client_method qt.network.ssl: QSslSocket: cannot resolve TLSv1_1_server_method qt.network.ssl: QSslSocket: cannot resolve TLSv1_2_server_method qt.network.ssl: QSslSocket: cannot resolve SSL_select_next_proto qt.network.ssl: QSslSocket: cannot resolve SSL_CTX_set_next_proto_select_cb qt.network.ssl: QSslSocket: cannot resolve SSL_get0_next_proto_negotiated qt.network.ssl: QSslSocket: cannot call unresolved function SSL_get0_next_proto_negotiated log:[dServer ] 1 Connected <- root
If you know the answer, just pipe up for the others that are tired of my riddles. =]thx, I will try on tomorrow, it is 2am at my timezone now :p
-
2 hours ago, singlag said:
this trick is VERY version specific
That's why .....I tried version 1.0.8 with -option b4 and seem no different than normal.
Update: only DJI Assistant2 Beta112 is working for my windows 7 PC, but the firmware page seem having problem, connection timeout while loading firmware list
-
52 minutes ago, MavproxyUser said:
Will you share with the rest of the group the parameter names you changed... this will go well with the web socket code I posted above (and shared with you previously).
Follow parameter tested at real flight with firmware version .200
g_config_go_home_gohome_idle_vel, default 10, only for RTH speed, I tested with 15 is ok
g_config_mode_normal_cfg_vert_vel_up, default 4, ascend speed at GPS mode in meter/second
g_config_mode_normal_cfg_vert_vel_down, #default -3, descend speed at gps mode
g_config_mode_sport_cfg_vert_vel_up, #default 5, I set it to 10, ascend like a rocket, be careful about battery overload
g_config_mode_sport_cfg_vert_vel_down, #default -3, set -10 but it only reach -5m/s in real flightthis are some g_config_mode_XXX_cfg_vert_acc_up/down, it have higher value as default, I'm not sure what it does, but just make sure set it to not lower than "no _acc" one
g_config_fw_cfg_max_speed <-- set to 20 but no different in real flight, default is 10
for "height_limit", I did change all from /controller/config/user and it work.
some parameters about "airport" will be test on tomorrow, and following parameters not tested yet
"g_config_avoid_obstacle_limit_cfg_safe_dis" <-- obstacle distant ?
g_config_landing_smart_landing_height_L1 <-- smart landing at -0.7 meter ?
"g_config_voltage2_level1_smart_battert_gohome" "DEFAULT": 15,
"g_config_voltage2_level2_smart_battert_land" "DEFAULT": 10,
Now, I want to find out which parameters control about real MAX speed (sport mode is 20m/s in real flight) and 10m/s limit when obstacle detection is ON, but seem no parameters relevant to it.
-
49 minutes ago, thatdumbdronie said:
I have the full unlock pack and programme from copteresafe
is there a way of sniffing the usb traffic as it jailbreaks?
so that I can reproduce it and flash it through a different programme.please let me know.
inbox me. my messages on here are limited still.
contact me through Mavproxyuser . he now has my email address
try wireshark and burp suite
-
1 hour ago, MavproxyUser said:
I am one of the few folks that does have root access. A mate of mine has done the work, so unfortunately I can not share his private work. A few folks here have been rooted by me to help us gather information about the internals of the Mavic however. You may catch a few random folks discussing things that can not be done without root, there is a good chance they have no clue about how root access is obtained. A few folks have nice friends with private tools.
P0V's work is something we have all been chasing. I initially dug in as I suspected the mythical "whitelist" files never existed outside of the factory. I believe at this point someone (P0V?) has manually generated one, as opposed to the claims of having extracted one from a firmware dump, or to have *found* one on an early firmware version. I do not believe the wive's tale about being able to "spoof hosts" on the whitelist as a means to use the Secure Debug (adb) on Mavic, or P4, i2 or Spark.
I have not seen anyone beyond a small handful to figure out the easter egg to unlock the Assistant in full. I gave a very big hint a month or so back however. Simply run the assistant with the "-h" flag. I have noticed that having root, or Admin privs (on your own machine) *may* have some impact on being able to open up the extra options.
Usage: /Applications/Assistant.app/Contents/MacOS/Assistant [options] Options: -h, --help Displays this help. -v, --version Displays version information. --debugger Run with a debugger window --minimum Show controller log minimum --console Run assistant as a console service, No browser Window! --template Load controller config from template! --force_upgrade Ignore the version when upgrade ENC firmware! --bypass <DEVICE> force all device as param [Receiver]|[DEVICE]|[Version] eg Controller|ai900v2|3.1.0.2 --noskip As default, upgrade pack file will skip those device that is not connected, if define no skip, will try to upgrade all pack file --factory Open Factory page --baud_rate <DEVICE> set com device baud rate --auto_upgrade enable auto upgrade --cache_wget_file debug only, used to cache wget files --inrup internal upgrade tool --adb_logcat Start ADB logcat function --auto_test Set to auto test mode --test_server Set to test server --1706 Set DJI Vision to 1706 --sws Set Env to SWS
These are some photos from someone else that caught the hint.
https://github.com/droner69/MavicPro/tree/master/DJI_Assistant_2_Dev_Pictures
I can tell you that at times this trick is VERY version specific. So if you are having issues... try a different version. You can find an archive of the binaries in my git repo. https://github.com/MAVProxyUser/DJIAssistant2Binaries
There *MAY* be something special to the DebuggerOptions.txt file... I have extracted all the unique options from all the versions and placed them here if anyone wants to help figure it out: https://raw.githubusercontent.com/MAVProxyUser/DJIAssistant2Binaries/master/DebuggerOptionsUnique.txt
this trick is VERY version specific
That's why .....I tried version 1.0.8 with -option b4 and seem no different than normal.
-
mavproxyuser provide some sample code to change parameters, which working well on my drone (I unlock some limitation, faster rth, ascend, descend speed)
but I want to know how to "hack" dji assistant, I guess is about "sdk level"
-
any more hints for open hidden menu form dji assistant and root the drone ?
i'm can use web socket to change the parameters now, but want to learn more about this, thx
-
10 hours ago, kariem112 said:
I have seen on twitter (https://twitter.com/TheDJIProblem) that someone changed the DJI Assistant 2 software so that he could write parameters directly to the drone.. ..
It might be possible to enable adb there?
https://github.com/droner69/MavicPro
more about dji assistant 2 debug/factory menu
anyone know how to enable it ?
by the way, mavproxyuser have provide python code to send/read parameters to drone, but it only allow to set thing with defined "range"
such as limit height, only allow to set 20 to 500
but you can set more than 500meter from dji assistant hidden menu
DJI Configs parser, for FCC and 32 channel and other stuff
in Community Projects
Posted
seem not work on my mavic pro (.200 + 4.1.3 fcc patched)