
DJI Configs parser, for FCC and 32 channel and other stuff



Edit: According to Marcocappe's feedback, the config I made doesn't work on iOS, but some other iOS configs work. By analysing the files I see only 2 major differences: the file length and byte 47.

In order to determine what the key is for the iOS parser to work, I created 2 other configs for test purposes (all with SDR boost):

https://pan.baidu.com/s/1kV3KWlD

1 is with byte 47,  2 is with byte 47 and file length extended

Regrettably, I still don't have an iOS device for testing yet, so anybody's help would be much appreciated.

 

So far, what I can confirm is that the config gives no boost on P3A app 3.1.5 fw 1.10.090, and neither do direct SDR function calls. And Mavic Pro does work on 550 fw and 4.0.7 and some other versions, all tested on Android.

 

Hello guys, this is my recent discovery.

DJI GO uses configs. Most people know how to enable 32 channels, but there are hidden functions. I checked in the app, followed the DJI parser and created this config file. It will force the DJI drone to run in FCC mode (still getting the list), and also enable 32 channels for Phantom and Inspire.

This is the Android config parser, located in dji.pilot.publics.c.a:

  public static void a(Context paramContext)
  {
    int i = 1;
    File localFile = new File(paramContext.getExternalFilesDir(null), f);
    if (!localFile.exists())
      label25: return;
    dji.pilot.c.a.j = 0;
    while (true)
    {
      int j;
      try
      {
        RandomAccessFile localRandomAccessFile = new RandomAccessFile(localFile, "r");
        localRandomAccessFile.seek(36L);
        if (localRandomAccessFile.readInt() != i)
          break label178;
        j = i;
        label59: a = j;
        localRandomAccessFile.skipBytes(2);
        int k = localRandomAccessFile.readShort();
        if ((k < 0) || (k > 2))
          break label184;
        dji.pilot.c.a.j = k;
        label92: localRandomAccessFile.skipBytes(5);
        int l = localRandomAccessFile.readByte();
        if ((l & 0x1) == 0)
          break label201;
        i1 = i;
        b = i1;
        if ((l & 0x2) == 0)
          break label207;
        i2 = i;
        c = i2;
        if ((l & 0x4) == 0)
          break label213;
        i3 = i;
        d = i3;
        if ((l & 0x8) == 0)
          break label219;
        e = i;
        label178: label184: localRandomAccessFile.close();
      }
      catch (FileNotFoundException localFileNotFoundException)
      {
        localFileNotFoundException.printStackTrace();
        break label25:
        j = 0;
        break label59:
        dji.pilot.c.a.j = 0;
        break label92:
      }
      catch (IOException localIOException)
      {
        localIOException.printStackTrace();
      }
      break label25:
      label201: int i1 = 0;
      continue;
      label207: int i2 = 0;
      continue;
      label213: int i3 = 0;
      continue;
      label219: i = 0;
    }

 

I've researched all the variables and know that a is "isopenallchannel", dji.pilot.c.a.j is a switch for different upgrade URLs, and b, c, d, e are SDR flags:

  private void x()
  {
    if (dji.pilot.publics.c.a.b)
    {
      DataOsdSetSdrAssitantWrite localDataOsdSetSdrAssitantWrite1 = new DataOsdSetSdrAssitantWrite();
      localDataOsdSetSdrAssitantWrite1.a().start(null);
      localDataOsdSetSdrAssitantWrite1.join();
    }
    if (dji.pilot.publics.c.a.c)
    {
      DataOsdSetSdrForceBoost localDataOsdSetSdrForceBoost = new DataOsdSetSdrForceBoost();
      localDataOsdSetSdrForceBoost.start(null);
      localDataOsdSetSdrForceBoost.join();
    }
    if (dji.pilot.publics.c.a.d)
    {
      DataOsdSetSdrAssitantWrite localDataOsdSetSdrAssitantWrite2 = new DataOsdSetSdrAssitantWrite();
      localDataOsdSetSdrAssitantWrite2.b().start(null);
      localDataOsdSetSdrAssitantWrite2.join();
    }
    if (!dji.pilot.publics.c.a.e)
      return;
    DataOsdSetSdrAssitantWrite localDataOsdSetSdrAssitantWrite3 = new DataOsdSetSdrAssitantWrite();
    localDataOsdSetSdrAssitantWrite3.c().start(null);
    localDataOsdSetSdrAssitantWrite3.join();
  }

b and c represent force FCC and force SDR boost; d/e are currently unknown. My config turns on b, and the SDR boost config turns on c.

 

Update: this is the decompiled iOS config parser:

// DJIAppSettings - (void)loadDJICfg
void __cdecl -[DJIAppSettings loadDJICfg](struct DJIAppSettings *self, SEL a2)
{
  struct DJIAppSettings *v2; // r10@1
  int v3; // r0@1
  int v4; // r0@1
  int v5; // r5@1
  int v6; // r0@1
  struct DJICameraSettingObject *v7; // r4@1
  int v8; // r0@1
  int v9; // r0@1
  int v10; // r6@1
  int v11; // r1@2
  int v12; // r0@3
  int v13; // r1@5
  int v14; // r0@6
  int v15; // r1@8
  int v16; // r0@9
  int v17; // r0@9
  signed int v18; // r0@10
  int v19; // r1@13
  int v20; // r0@14
  int v21; // r1@16
  int v22; // r0@17
  int v23; // r1@19
  int v24; // r0@20
  char v25; // r5@20
  SEL v26; // r1@28
  char v27; // r2@28
  int v28; // r3@28
  int v29; // [sp+2Ch] [bp+8h]@0

  v2 = self;
  v3 = j__objc_msgSend(&OBJC_CLASS___DJIFileHelper, "fetchDocumentPath");
  v4 = j__objc_retainAutoreleasedReturnValue(v3);
  v5 = v4;
  v6 = j__objc_msgSend(v4, "stringByAppendingPathComponent:");
  v7 = (struct DJICameraSettingObject *)j__objc_retainAutoreleasedReturnValue(v6);
  j__objc_release(v5);
  v8 = j__objc_msgSend(&OBJC_CLASS___NSData, "dataWithContentsOfFile:");
  v9 = j__objc_retainAutoreleasedReturnValue(v8);
  v10 = v9;
  if ( v9 )
  {
    v2->_canUseIllegalChannels = 0;
    v2->_mfiDisable = 0;
    v2->_firmwareServiceType = 0;
    v2->_limitCameraRecordingTime = 1;
    v2->_simulatorInternalDisable = 0;
    if ( (unsigned int)j__objc_msgSend(v9, "length") >= 0x29 )
    {
      v12 = j__objc_retainAutorelease(v10, v11);
      if ( *(_BYTE *)(j__objc_msgSend(v12, "bytes") + 39) == 1 )
        v2->_canUseIllegalChannels = 1;
    }
    if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x2A )
    {
      v14 = j__objc_retainAutorelease(v10, v13);
      if ( *(_BYTE *)(j__objc_msgSend(v14, "bytes") + 40) == 1 )
        v2->_mfiDisable = 1;
    }
    if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x2D )
    {
      v16 = j__objc_retainAutorelease(v10, v15);
      v17 = *(_BYTE *)(j__objc_msgSend(v16, "bytes") + 43);
      if ( v17 == 2 )
        v18 = 2;
      else
        v18 = v17 == 1;
      v2->_firmwareServiceType = v18;
    }
    if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x2E )
    {
      v20 = j__objc_retainAutorelease(v10, v19);
      if ( *(_BYTE *)(j__objc_msgSend(v20, "bytes") + 44) == 1 )
        v2->_limitCameraRecordingTime = 0;
    }
    if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x2F )
    {
      v22 = j__objc_retainAutorelease(v10, v21);
      if ( *(_BYTE *)(j__objc_msgSend(v22, "bytes") + 45) == 1 )
        v2->_simulatorInternalDisable = 1;
    }
    if ( (unsigned int)j__objc_msgSend(v10, "length") >= 0x31 )
    {
      v24 = j__objc_retainAutorelease(v10, v23);
      v25 = *(_BYTE *)(j__objc_msgSend(v24, "bytes") + 48);
      if ( v25 & 1 )
        j__objc_msgSend(v2, "setSdr_force_fcc:");
      if ( v25 & 2 )
        j__objc_msgSend(v2, "setSdr_force_boost:");
      if ( v25 & 4 )
        j__objc_msgSend(v2, "setSdr_force_2_3_G:");
      if ( v25 & 8 )
        j__objc_msgSend(v2, "setSdr_force_2_5_G:");
    }
  }
  j__objc_release(v10);
  j_j__objc_release_1(v7, v26, v27, v28, v29);
}

The only difference I see is that the SDR config byte is byte 48, while on Android it's byte 49. The iOS config has some extra flags for useless purposes. So I don't know why iOS doesn't work, since I have already set byte 48 the same as byte 49 on Android.

 

Here is something new I found in DJISDRBoostLogic on iOS:

if ( j__objc_msgSend(&OBJC_CLASS___DJIProductManager, "currentProductCode") == 13
    || j__objc_msgSend(&OBJC_CLASS___DJIProductManager, "currentProductCode") == 21 )
  {
    v2 = j__objc_msgSend(&OBJC_CLASS___DJIAppSettings, "instance");
    v3 = (struct DJICameraSettingObject *)j__objc_retainAutoreleasedReturnValue(v2);
    if ( j__objc_msgSend(v3, "sdr_force_fcc") )
    {
      v4 = j__objc_msgSend(&OBJC_CLASS___DJISDRParamWritePack, "alloc");
      v5 = j__objc_msgSend(v4, "initRequestFromGround:target:addr:dataType:data:");
      v6 = j__objc_msgSend(&OBJC_CLASS___DJIPackManager, "sharedInstance");
      v7 = j__objc_retainAutoreleasedReturnValue(v6);
      j__objc_msgSend(v7, "sendPack:option:completion:");
      j__objc_release(v7);
      j__objc_release(v5);
    }
    if ( j__objc_msgSend(v3, "sdr_force_boost") )
    {
      v8 = j__objc_msgSend(&OBJC_CLASS___DJIOFDMPack, "alloc");
      v9 = j__objc_msgSend(v8, "initRequest");
      v10 = v9;
      v11 = j__objc_msgSend(v9, "extHeader");
      *(_BYTE *)(v11 + 1) = *(_BYTE *)(v11 + 1) & 0xE0 | 9;
      *(_BYTE *)(j__objc_msgSend(v10, "extHeader") + 5) = 9;
      *(_BYTE *)(j__objc_msgSend(v10, "extHeader") + 6) = 60;
      v12 = j__objc_msgSend(&OBJC_CLASS___DJIPackManager, "sharedInstance");
      v13 = j__objc_retainAutoreleasedReturnValue(v12);
      j__objc_msgSend(v13, "sendPack:completion:");
      j__objc_release(v13);
      j__objc_release(v10);
    }
....

It seems that DJISDRBoostLogic works only for product codes 13 & 21, that is, KumquatX (Mavic Pro) and KumquatL (Mavic unknown).

 

 

In conclusion, the config bytes are arranged as follows:

For Android:

    [36 bytes unused]
    Use All Channel (int)      00 00 00 01
    unused 2                   00 00
    FirmwareUrl (short)        00 00
    unused 5                   00 00 00 00 00
    Sdr cfg                    01

For iOS:

    [36 bytes unused]
    unused 3                   00 00 00
    Use All Channel (byte)     01
    mfi                        00
    unused 2                   00 00
    FirmwareUrl (byte)         00
    CameraRec                  00
    simulator                  00
    unused 2                   00 00
    Sdr cfg                    01
    unused                     00

 

The firmware URL is selected from these URLs:

    arrayOfString1[0] = "https://upgrade.bgcentre.com/links/links/pilot_v2";
    arrayOfString1[1] = "http://upgrade.dj2006.net/redirect/links/GO_Test";
    arrayOfString1[2] = "http://upgrade.dj2006.net/redirect/links/GO_Debug";

I don't know exactly if these are upgrade URLs.

Sdr cfg is a byte with SDR flags:

0x01 is Sdr Force FCC

0x02 is Sdr Force Boost

0x04 is Sdr Force 2 3 (don't know what it really means, 2.3 GHz?)

0x08 is Sdr Force 2 5 (don't know what it really means, 2.5 GHz?)

On iOS, judging by the code, Sdr cfg seems to work only for Mavic (still not tested yet).

 

 

I uploaded it to Baidu; I think maybe you can download it too:

http://pan.baidu.com/s/1pKZP8K

For Android DJI GO, put .DJI.Configs into /Android/data/dji.pilot/files/

For Android DJI GO 4, put .DJI.Configs into /Android/data/dji.go.v4/files/

For iOS, put this into the related DJI app; not tested on iOS, but I think it might also work.

 

The SDR boost version can be found here; try at your own risk, as this has unknown side effects on your device.

download http://pan.baidu.com/s/1miDRrrq password: 7dbz

Edited by 微风小杨
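
The two byte layouts described in the post above, decoded side by side (an added example, not code from the original post or from DJI): a read-only decoder that follows the reads in the Android and iOS listings and reports which flags a given file would set on each platform. The function names, the output keys and the two sample blobs are constructed here from the byte tables in the post; a short file is assumed to simply stop the Android reads at the point where the listing would hit an IOException.

```python
import struct

# Bit meanings of the "Sdr cfg" byte, as listed in the post.
SDR_BITS = {0x01: "force_fcc", 0x02: "force_boost",
            0x04: "force_2_3_G", 0x08: "force_2_5_G"}

def sdr_flags(value):
    return [name for bit, name in SDR_BITS.items() if value & bit]

def parse_android(data):
    """Android listing: seek(36), readInt, skip 2, readShort, skip 5, readByte."""
    out = {"all_channels": False, "firmware_url": 0, "sdr": []}
    # Assumption: a file too short for a read leaves the remaining defaults.
    if len(data) >= 40:                       # big-endian int at 36..39
        out["all_channels"] = struct.unpack_from(">i", data, 36)[0] == 1
    if len(data) >= 44:                       # signed short at 42..43
        k = struct.unpack_from(">h", data, 42)[0]
        out["firmware_url"] = k if 0 <= k <= 2 else 0
    if len(data) >= 50:                       # flag byte at offset 49
        out["sdr"] = sdr_flags(data[49])
    return out

def parse_ios(data):
    """iOS listing: each byte is read only if the length check before it passes."""
    n = len(data)
    out = {"all_channels": False, "mfi_disable": False, "firmware_service": 0,
           "limit_recording_time": True, "simulator_disable": False, "sdr": []}
    if n >= 0x29:
        out["all_channels"] = data[39] == 1
    if n >= 0x2A:
        out["mfi_disable"] = data[40] == 1
    if n >= 0x2D:
        out["firmware_service"] = 2 if data[43] == 2 else int(data[43] == 1)
    if n >= 0x2E:
        out["limit_recording_time"] = data[44] != 1
    if n >= 0x2F:
        out["simulator_disable"] = data[45] == 1
    if n >= 0x31:                             # flag byte at offset 48
        out["sdr"] = sdr_flags(data[48])
    return out

# Constructed samples: the two example rows from the post's byte tables.
ANDROID_SAMPLE = bytes(36) + bytes.fromhex("00000001 0000 0000 0000000000 01")
IOS_SAMPLE = bytes(36) + bytes.fromhex("000000 01 00 0000 00 00 00 0000 01 00")

if __name__ == "__main__":
    for label, blob in (("android row", ANDROID_SAMPLE), ("ios row", IOS_SAMPLE)):
        print(label, len(blob), "bytes")
        print("  as Android reads it:", parse_android(blob))
        print("  as iOS reads it:    ", parse_ios(blob))
```

Run on the Android row, the iOS reader reports no SDR flags because it looks at offset 48 while the flag byte sits at offset 49, which is the offset difference the post describes.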

Hi and thanx!

To confirm - this is a version with FCC and 32, without boost over FCC? (I am asking because the config contains "DJI CONFIG FOR BOOST"). FCC is enough for me (and safe).

Could you tell me where in the DJI GO app the values for the config are coded? I would like to dig into it.

Edited by Kyokushin

14 minutes ago, Kyokushin said:

Hi and thanx!

To confirm - this is a version with FCC and 32, without boost over FCC? (I am asking because the config contains "DJI CONFIG FOR BOOST"). FCC is enough for me (and safe).

Could you tell me where in the DJI GO app the values for the config are coded? I would like to dig into it.

It's located in dji.pilot.public.c.a; the package may vary between versions.

And yes, this config only forces FCC, with no further boost, but I think you will find a way in that class.


8 hours ago, MacIak said:

How is this different to what's already in the 4.1.3v5 version (FCC default)?

Also, does this also boost the mavic side (HD)?

Thanks.

The signal strength would be identical to the countrycode FCC default app.

There is also an SDR boost version; this will outperform FCC. Yes, this version boosts the Mavic side, but try at your own risk, as this has unknown effects on the device.

download https://pan.baidu.com/s/1sljUQlv password: 9ajb


1 hour ago, 微风小杨 said:

The signal strength would be identical to the countrycode FCC default app.

There is also an SDR boost version; this will outperform FCC. Yes, this version boosts the Mavic side, but try at your own risk, as this has unknown effects on the device.

download https://pan.baidu.com/s/1sljUQlv password: 9ajb

Seems not to work on my Mavic Pro (.200 + 4.1.3 FCC patched).


Is there actually any proof out there that also the HD is better/boosted? 

Field test shows no increase of HD signal in the same conditions (LoS, unobstructed, little interference, non-congested area).

Edited by MacIak

2 hours ago, MacIak said:

Is there actually any proof out there that also the HD is better/boosted? 

Field test shows no increase of HD signal in the same conditions (LoS, unobstructed, little interference, non-congested area).

Do you use iOS or Android? Our result is simply that the distance doubled.

Edited by 微风小杨

In the stock CE system the "HD" link is stronger than the RC signal. So when the RC is boosted to FCC, the range will increase until the HD signal in CE mode becomes unusable. This might indeed double the range.

The question is: when a flight leg is flown in CE mode and HD is observed to drop to 1-2 bars, when flying the same route in FCC mode, is the HD link proven to be stronger (3-4 bars)?

In my tests the HD remained unchanged.

I'm on Android.


8 hours ago, MacIak said:

In the stock CE system the "HD" link is stronger than the RC signal. So when the RC is boosted to FCC, the range will increase until the HD signal in CE mode becomes unusable. This might indeed double the range.

The question is: when a flight leg is flown in CE mode and HD is observed to drop to 1-2 bars, when flying the same route in FCC mode, is the HD link proven to be stronger (3-4 bars)?

In my tests the HD remained unchanged.

I'm on Android.

I know that HD will become the short part when FCC is on, but we did observe a significant improvement in HD with the SDR boost config. Our test is to fly with the stock config/FCC config to the farthest distance until RC or HD drops to empty, then re-enter DJI GO with the config to see how the signal changes.

Can you provide the firmware version you use?

Edited by 微风小杨

2 hours ago, GCBrent said:

I can't seem to download it from Baidu, I don't know Chinese. Is there any other link to the files? I have iOS as well, has it been tested to work on iOS? I have version 4.1.3

Some of my friends say it does not work on iOS, some say it does. iOS uses a slightly different parser for the SDR config byte; I'll do some tests with iOS to see how the iOS parser works.

You can just press the 下载(372B) button on the Baidu link.

Edited by 微风小杨

1 minute ago, 微风小杨 said:

Some of my foes say it does not work on iOS, some say it does. iOS uses a slightly different parser for the SDR config byte; I'll do some tests with iOS to see how the iOS parser works.

Thanks for that! I wouldn't mind testing either if I can get a link to it... Baidu is impossible for non-English speaking noobs.


9 hours ago, 微风小杨 said:

I know that HD will become the short part when FCC is on, but we did observe a significant improvement in HD with the SDR boost config. Our test is to fly with the stock config/FCC config to the farthest distance until RC or HD drops to empty, then re-enter DJI GO with the config to see how the signal changes.

Can you provide the firmware version you use?

I'm on .0200 and GO4 4.1.3.

I'm indeed hesitant about using SDR because of the mentioned heating issue.


21 hours ago, MacIak said:

I'm on .0200 and GO4 4.1.3.

I'm indeed hesitant about using SDR because of the mentioned heating issue.

I think in most situations FCC is good enough for about 4~5 km of remote control outside the city. With a reflector board mounted on wavelength and HD manually set to 10 MHz bandwidth with a proper channel, this can be extended by about +80 percent. Getting further distance is meaningless unless you are one of those one-way-trippers, because the battery drains really quickly. The SDR config is just for testing or for those who fly over the city; in my city (Shenzhen) with FCC I can only get around 2.0 km before HD flashes red in 20 MHz bandwidth mode.

In the tests among my friends, most Android users with newer FW/App (like 550, 800, 900, with App 4.0.7/4.1.3) get positive results with the SDR and FCC configs. I don't know if 200 is too old or something, and I don't know if there are differences between DJI GO in China and outside. Most iOS users' tests get negative results; I think iOS has a different config parser, or the config should be placed in a special folder, I don't know. I will try to do some reversing of the iOS app.

Edited by 微风小杨
