Power zone (FCC/CE) in GL300a/b/c RC Firmware

[MrBurnsAT]

RC Firmware must be changeable too.

Some limitations was added with RC Firmwares 1.6 and newer. Output Power is reduced from 25mW to 10mW in CE Mode.

And It should be possible to change CE to FCC Mode (RC Checks via GPS location and Sets than FCC or CE Mode, USA = FCC, Europe = CE

[mefistotelis]

Actually, the power output mode needs to be changed in both transmitter in radio controller and in the transmitter on OFDM board.

It's good to know the change in power was made with 1.6 - it should allow to find the change by comparing two firmwares. Please make sure that this information is correct, if you can.

[MrBurnsAT]

Yes the change was with RC Firmware 1.6 (C1_FW_v01.06.0000.bin) (DJI support confirmed me this! They must do this because of local laws)

Craft and RC Firmwares are not the same since 1.3.2 which was the last Craft and RC update which was done by USB drive. Since there RC Firmware is only updated via DJI GoApp.

And not every craft firmware Version there was a RC Firmware Update. For P3 actual RC Firmware is 1.6 (where encryption of the Transmission also has been changed)

RC Firmware 1.6 is only compatible with craft firmware 1.8 or newer!!!

[mefistotelis]

Thank you, I didn't know many of these facts. I will take a look at RC firmware.

[mefistotelis]

In Ph3 Pro/Adv the hardware related to RF transmission is different than for Ph3 Std.

It would seem that transmission is configured by: m1500 radio transmitter 'IG810 LB2_68013_TX' and m1600 radio receiver 'IG810 LB2_68013_RX ground'

I don't know whether these transmitters are visible from any other firmware as network interfaces.

I also don't know if the tx power is configurable within these firmwares directly, or sent to it from a more complex module.

EDIT: We now have wikis which explain what each hardware chip does, and what each FW module does.

[mefistotelis]

Yes the change was with RC Firmware 1.6 (C1_FW_v01.06.0000.bin) (DJI support confirmed me this! They must do this because of local laws)

I compared C1_FW_V01.05.0080 and C1_FW_V01.06.0000. The only modules which are different between these versions are m1400 and m1401, which are MCUs for A and B remotes.

Will look in detail at this module.

[notsolowki]

mefistotelis : these seems to be lots of variables in mi09.bin have you had and success defining any of them. and can you tell me what the FPGA ground module is?

[mefistotelis]

Will arm_bin2elf.py work on RC firmware m1400/m1401

Yes; but I'm not sure what is the correct base address. Without it, some pointers may lead to invalid locations. Maybe it's 0? Not sure, will figure it out later.

The ".bss" section should probably start at 0x10000000. Its size seem to extend to 0x50000000, but so much data would slow down any disassembler - I will try to select narrowed area.

these seems to be lots of variables in mi09.bin have you had and success defining any of them.

I'm not sure what you mean, you shoul ask for specific mXXYY module.

can you tell me what the FPGA ground module is?

I'm not sure what is the function of FPGAs used in the drone. I don't have much experience in analysing synthesised hardware programming; without debug symbols, it is very hard to grasp the purpose of the circuit. Hardware definition is something completely different than processor programming, even if the languages seem to look alike.

[mefistotelis]

RC hacking update:

We don't know what information the RC receives to set output power:

• if it receives GPS coordinates, then the firmware must have definition of CE area
• if it receives simple "set CE mode" instruction, then CE area definition must be in the aircraft FW

Either way, since we know how the CE area is defined in the mobile app (for P3 Standard), we can expect one of the firmware modules will have similar float/double numbers within. I believe this is the best starting point for getting the CE/FCC code - search for coordinates.

I tried looking at the RC firmware code directly, but this isn't easy - there are almost no debug messages which would allow to locate points of interests.

[ferraript]

@mefistotelis: thanks for info who knows, maybe P3X and P3A obey that SetPowerMode command too :) I edited my DJI GO in a way I was talking about, but I have no resources to actually measure, if it has any effect

[notsolowki]

i can tell you i had a fly away at a really high altitude and i was 9,000ft away before i was loosing signal but i never totally lost it. could someone use a mltimeter to measure the mw from the antenna output?

[rulppa]

Measured GL300A and B model radios, without GPS-lock, both 0.72-0.76mW. I will measure again during weekend, with GPS lock. Tested with RC 1.5.8 only, 1.7.6 doesnt seem to work with 1.6 radio.

[ferraript]

1.7.6 doesnt seem to work with 1.6 radio

yeah, that's right RC FW 1.6 (and newer) is compatible only with AC FW 1.8 (and newer) and since you said you don't have Android phone, I doubt you'll be able to downgrade RC to 1.4.3 to test power output :-(

[mefistotelis]

I prepared a list of places in C1_FW_V01.06.0000 which could store Europe coordinates. Now each of the matches needs to be checked.

How I made the list:

# Europe is around 71,-18 .. 27,50; match -19..0 and 0..69 with no exponent
ls -1 C1_FW_*.bin | xargs -I {} sh -c 'od -tfF -w4 {} | sed "s/^\(.*\)/{}: \1/g"' | grep '^.*: [0-9]*[ ]*\([1-6]\?[0-9]\|[-][1]\?[0-9]\)\([.][0-9]*\)\?$' | grep -v "^.*: [0-9]*[ ]*[-]\?0\([.][0-9]*\|\)$" > _match_f1.txt
ls -1 C1_FW_*.bin | xargs -I {} sh -c 'od -tfD -w8 -j0 {} | sed "s/^\(.*\)/{}: \1/g"' | grep '^.*: [0-9]*[ ]*\([1-6]\?[0-9]\|[-][1]\?[0-9]\)\([.][0-9]*\)\?$' | grep -v "^.*: [0-9]*[ ]*[-]\?0\([.][0-9]*\|\)$" > _match_d1.txt
ls -1 C1_FW_*.bin | xargs -I {} sh -c 'od -tfD -w8 -j4 {} | sed "s/^\(.*\)/{}: \1/g"' | grep '^.*: [0-9]*[ ]*\([1-6]\?[0-9]\|[-][1]\?[0-9]\)\([.][0-9]*\)\?$' | grep -v "^.*: [0-9]*[ ]*[-]\?0\([.][0-9]*\|\)$" > _match_d2.txt
# Now assuming lon lat coords are adjacent, let's find 71..27 and get one before and one after
grep -B1 -A1 '^.*: [0-9]*[ ]*[2-7][0-9]\([.][0-9]*\)\?$' _match_f1.txt > _match_f1b.txt
grep -B1 -A1 '^.*: [0-9]*[ ]*[2-7][0-9]\([.][0-9]*\)\?$' _match_d1.txt > _match_d1b.txt
grep -B1 -A1 '^.*: [0-9]*[ ]*[2-7][0-9]\([.][0-9]*\)\?$' _match_d2.txt > _match_d2b.txt

Files with list of possible coords: _match_d1b.txt _match_d2b.txt _match_f1b.txt

[ferraript]

interesting (and crazy linux commands :D )

just remember, that coordinates may be saved in different ways in DJI GO, Europe is stored as (55.529627,15.702531,2824707), where coordinates are double and radius is int but, for example, coordinates may be stored as long (and they are then divided by 1000000) or, they can be stored in radian format, so 55.529627° = 0.969174823554

[KennethMcNutt]

Also thought this might be useful.. DJI PHANTOM 3 PROFESSIONAL HASHES AND PASSWORDS

UPDATE: ftp password is cracked: admin999

Some hashes and passwords:

1. System access:

root:$6$zi2k1pqQ$aYoxWoM9suJzq4xcIz0Uh/sMBQxIrM7QzqpNH.UMrX6TAmBx37jN0ygKlnpmHkgilWV5YzpfikkaylTWWo8RU0:16184:0:99999:7::: bin::10933:0:99999:7::: daemon::10933:0:99999:7::: adm::10933:0:99999:7::: lp::10933:0:99999:7::: sync::10933:0:99999:7::: shutdown::10933:0:99999:7::: halt::10933:0:99999:7::: uucp::10933:0:99999:7::: operator::10933:0:99999:7::: ftp:$6$Kt6U5MHk$aCy81r9Wz49TlfDwSPHkx8bEouNFdt0khJg7Pj1HOJtECe5.t9KfNWOKKQXnyVqjd5whliLQGTQkXfB8p3rBX/:10933:0:99999:7::: nobody::10933:0:99999:7::: default::10933:0:99999:7::: a8sdk:HHTiH8SGMjHoM:0:0:99999:7::: root, ftp, default, a8sdk has an access to /bin/sh

2. Wireless networks:

ESSID=Amba_AP PASSWORD=PWFORAMBA

ESSID=amba_boss PASSWORD=1234567890 P.S.

Wi-Fi Channel is number 5

ifconfig wlan0 192.168.42.1 …dhcp-range=192.168.42.2,192.168.42.6

Have a safe flight! ;-)

[notsolowki]

@FERRARIPT what would be involved in making the latest dji go app send all the parameters like 2.4

[ferraript]

@notsolowki: I don't know if I would be able to hack DJI GO 3 in such a way in 2.4.3, there is one class (dji\pilot\fpv\stage\cs) with onClick method and according to clicked button, it does some actions if "Reset All Settings" is clicked, there are some checks and in the end DataFlycResetParams class sends command to AC

however, in 3.0.1, every button has its own class and onClick method (fortunately?) class for "Reset All Settings" button exists (dji\setting\ui\flyc\ResetView), but it's not used maybe I could redirect actions from here to another button - and the most similar button (I mean with similar class structure) is ClearFlightLogsButton

but I can't guarantee it will work

I still think the easiest way is to use DJI GO 2 with existing "Reset All Settings" button

[notsolowki]

someone pointed this out to me

there is a lot of FDI things, freqs, max. FCC ids, (all fcc id's starts with with FDI) so i think this is the way to get more power out? (dB/mW) as you might know, when eg. inspire1 controller is hooked to I1, measuring it's power, its WAY better than same remote, linked to p3p. (same remote, same fw, just different pairing process which adjust the output)

There is one interesting number..

" "defaultValue" : 0.150000, "name" : "g_config.fdi.max_ctrl_frequency_power_0""

This is what i think it will affect..

https://dl.dropboxusercontent.com/u/1177154/phantompilots/p3p/Video 06-02-2017, 16.28.33.mov

left work already, i will test tomorrow to see if it "handshakes" with more power when the number is more than 0.15, what do you think?

[mefistotelis]

"name" : "g_config.fdi.max_ctrl_frequency_power_0""

Sounds promising. I will check it in the code.

EDIT: checked. The value does not seem to be used for any computations in the flight controller itself, so it is possible it's used for another module.

[notsolowki]

does that mean it could change the output power?

[mefistotelis]

It could. This means the value isn't used by the flight controller directly, but this also means its value is not set by flight controller based on home point. It would be best to check by experiment.

[mefistotelis]

I have a change which I need to test as part of developing the FCC hack.

I need someone with RF Power Meter to test it. If there's anyone interested, please give me a firmware version you prefer.

There is a chance of bricking your RC with this; I will do my best to verify it on my end, but still, volunteer takes the risk. Anyone interested?

[notsolowki]

Upload version 1.5.8. Thanks,

[rulppa]

I'm from europe (CE-mode), able to measure directly from RC, GL300A and B versions. I can test the 1.5.8 if needed.

[mefistotelis]

Here's the modification in two firmwares: C1_FW_V01.05.0080 C1_FW_V01.06.0000 Dl link: https://mega.nz/#!hcV0URSB!GauZgmpVWEF3Hf8d5N0NPtjSjQT4IcoAPJa3Fs7J9Lg

What is modified:

xxd  -p -c1024 C1_FW_V01.06.0000_mi06.bin | \
  sed 's/\(00b5..4.85b0\)\(c17a\)\(..71017ac1f34112022a..d141f0800101720021\)/\10121\3/' | \
  xxd -r -p -c1024 > C1_FW_V01.06.0000_mi06-mod.bin

xxd  -p -c1024 C1_FW_V01.05.0080_mi06.bin | \
  sed 's/\(00b5..4.85b0\)\(c17a\)\(..71017ac1f34112022a..d141f0800101720021\)/\10121\3/' | \
  xxd -r -p -c1024 > C1_FW_V01.05.0080_mi06-mod.bin

In assembly:

85 B0      SUB             SP, SP, #0x14
-C1 7A      LDRB            R1, [R0,#0xB]
+01 21      MOVS            R1, #1
91 71       STRB            R1, [R2,#(zone_is_fcc - 0x100005E8)]
01 7A       LDRB            R1, [R0,#8]

[rulppa]

New to android and cant currently do this with iOS. Whats the location where go app downloads these files before up/downgrade so i can replace with new one?

[ferraript]

Whats the location where go app downloads these files before up/downgrade so i can replace with new one?

was mentioned here

[rulppa]

@ferraript

Under /Android/ i have only 3 directories, data, media and obb. So not there, or i need rooted device to view those folders, idk. Time to get some sleep, i will try another device tomorrow, which i believe i can root. Can't root this one :(

[ferraript]

no, it's just written in specific way :D it's in internal SD card, in DJI/dji.pilot/package

[rulppa]

Oh ok, what kind of way is that, to give directory that actually exists but is wrong lol. Downgrading now.

[rulppa]

Upgrade failed at 65%, trying to "Retry" .. beeping is different than with original 1.5.8 before it fails. Let you know later if its bricked or not :/

[rulppa]

Ok, retry failed too. Here is video, https://dl.dropboxusercontent.com/u/1177154/github/fcc-modded1.5.8-fw.mov

After reboot, it says it's 1.5.8 (was 1.6.0) but i think RC has the original 1.5.8 stored as backup somewhere if flashing fails or something. There is no difference with RF meter, still CE mode so thats my best guess.

I did measure output with original 1.5.8 and 1.6.0 too, they are same, so rumor that 1.5.8 gives more output, is false.

[rulppa]

^ this is with GL300B, i will try GL300A tomorrow if it wants to eat it.

[mefistotelis]

i will try GL300A tomorrow

Please do; there are two modules for MCU in the file, and I only modded one - it's very possible that the change only works with GL300A.

For the update fail - this is unexpected. I am not able to find anything wrong with the binaries I provided, all checksums seem ok.. it's a pity we don't have any details on the fail. Edit: Maybe the mobile has stored information about checksum of each version of each module?

[ferraript]

Maybe the mobile has stored information about checksum of each version of each module?

if you mean mobile like DJI GO, then the answer is no, it has not

[mefistotelis]

I did measure output with original 1.5.8 and 1.6.0 too, they are same, so rumor that 1.5.8 gives more output, is false.

Well this is also unexpected. Did you made sure that the drone recorded its home point (via GPS) before measuring?

Based on several answers from DJI Support, we're assuming that the drone sets the power zone after its home point is set. Without home point set, the drone will stay at CE levels. The mod should also set the power mode to FCC only after home point is stored.

[MrBurnsAT]

I have a Information of reduced Output Power at 1.6 RC Firmware

Confirmed By DJI themselve!!!

They had to do this because of lokal laws in Europe. Only 10mW are allowed! So they must reduce it from 25mW to 10mW.

If u dont trust me ich can send u the Chat log with DJI!

[CirConFleX]

Only 10mW ? It's hard to believe. But before, 25mW was for FCC not CE no ?

[MrBurnsAT]

No all in CE Mode!

FCC is Sending with 100mW !!!

[rulppa]

@MrBurnsAT what DJI says, i have zero faith - there is 13 pages long thread (phantompilots) where half of the writers have different "proof" from DJI (emails) every one there (at dji) has different, confirmed, rock-proof solid answer, very nice but all the answers were totally different and most of the ones were confirmed by "dji techs" ...

P3A/P old model has slightly better range, because they used OFDM v1 board, after new motor P3P/A came, they did use V1 board for sometime, until they made new v2 board, which is different. Due heating issues they lowered output and made many changes with the board, not many people knows this, but i do have both OFDM boards and they are different, but this has nothing to do with RC at all. Most people just do now know about 2 revisions with the OFDM-module and might also agree that 1.5.8 was better. RF meter doesn't lie, DJI does because the ones who answers your questions, do not know shit.

When 1.5.8 is connects with v1 board, it might handshake with more power, i have not tested this, yet.

@mefistotelis I was able to flash the GL300A version, i will test with RF meter soon and let you know. About GPS, didn't have lock (measured with unmodified fw's 1-2weeks ago and without lock and with one - no difference) but in this case, there might be one. I will let you know.

About modified 1.5.8 not sure if it's the A model, or was my microusb cable bad. I will confirm this also later today and try to flash B model again.

[MrBurnsAT]

B Modell is only via GoApp down or update able

I Downgradet my (b version) to 1.4.0030 because im using Old Litchi Versions

[rulppa]

@mefistotelis GL300A 1.5.8 fcc-modded, same power (around between 13-15mw) with GPS lock and without. Maybe someone else can test it too, to confirm.

[mefistotelis]

Thanks for testing. Looks like I will have to spent more time on searching how FCC/CE is selected.

[CirConFleX]

@rulppa is your RF meter good quality ?

[rulppa]

@CirConFleX http://www.immersionrc.com/fpv-products/rfpowermeter/ that one

[KennethMcNutt]

@MrBurnsAT commented on Jan 20 So now we need a Phantom Standard owner

Who would try this for us.

I own A P3S and a P3P this is my video.. This is how I downgrade.. I would like to try to get back to 1.5.7... I believe this is the only method that would downgrade A/C and R/C ?? I admin a group of 7500+ all about the P3S I am sure I can find people to help!! ;) https://www.youtube.com/watch?v=9rrlC6PcQVQ

[KennethMcNutt]

I have tested the 1.5.8 range... I say it worked??? https://www.youtube.com/watch?v=2HQH-tVbvzc https://youtu.be/u5h4Tp0jJro https://www.youtube.com/watch?v=pybFdfMdxHY It may have something more to do with the "ack" in the wifi parameters than with the with the dB..

[mefistotelis]

I wonder if the transmitter scales RF power output with distance to the drone, like cellphones do.

That would explain both: same power measurement and longer range on 1.5.8..

@KennethMcNutt - just to confirm, are all the videos recorded on P3 Pro?

[KennethMcNutt]

Yes, All P3P. I used the same P3P.. I tested same time of day.. I stood in the same place.. The first video was no windsurfer Next was with windsurfer and 1.8.0 R/C 1.8.8 A/C Then windsurfer and 1.5.8 R/C 1.7.6 A/C

[CirConFleX]

So we have to test with RF meter during flight to see if signal increases.