General Firmware Discussion

[notsolowki]

okay so the big question, now that we have a known non-encrypted flight controller "1.7". what are the options as far as changing some angles of the aircraft. like more speed. thanks

[mefistotelis]

This is the content of /etc/inittab on the Ambarella Linux partition.

You skipped the header, which exlains what it is:

# Note: BusyBox init doesn't support runlevels.  The runlevels field is
# completely ignored by BusyBox init. If you want runlevels, use
# sysvinit.
#
# Format for each entry: :::
#
# id        == tty to run on, or empty for /dev/console
# runlevels == ignored
# action    == one of sysinit, respawn, askfirst, wait, and once
# process   == program to run

[mefistotelis]

All Linuxes are made of components; usually for each component there are several alternatives.

One of the components is so-called "init". It is explained on wiki what it is. Depending on the init used, there are different formats of init scripts which configure the initialization process. The script above comes from a simple init included in BusyBox package.

And yes, if you will uncomment these lines, it will most likely work. It will start getty on the tty (serial terminal) connected to usb.

What I'm not sure about is why are you getting any output on the termnial even without these lines.

[notsolowki]

i wonder what dji uses as a recovery method when they get "bricked" or messed up flashes

[mefistotelis]

How to change the flight controller parameters - this is what we'll be trying to figure out in #7 . It is evident that there is some kind of interface to these parameters. But how to access it, or is it read-only - I don't know.

[MrBurnsAT]

Like i sayed, there are always more versions out. Advanced Firmware 1.7.0060 has the same leak as the pro firmware

C:\Program Files (x86)\GnuWin32\bin>grep -r -A2 "target" D:\AdvFW/*.ini
D:\AdvFW/P3S_FW_V01.07.0060_mi00.ini:target=m0305
D:\AdvFW/P3S_FW_V01.07.0060_mi00.ini-version=34.02.0009
D:\AdvFW/P3S_FW_V01.07.0060_mi00.ini-encrypt_type=1
--
D:\AdvFW/P3S_FW_V01.07.0060_mi01.ini:target=m0306
D:\AdvFW/P3S_FW_V01.07.0060_mi01.ini-version=02.04.3328
D:\AdvFW/P3S_FW_V01.07.0060_mi01.ini-encrypt_type=0
--
D:\AdvFW/P3S_FW_V01.07.0060_mi02.ini:target=m0400
D:\AdvFW/P3S_FW_V01.07.0060_mi02.ini-version=01.41.0000
D:\AdvFW/P3S_FW_V01.07.0060_mi02.ini-encrypt_type=1
--
D:\AdvFW/P3S_FW_V01.07.0060_mi03.ini:target=m1100
D:\AdvFW/P3S_FW_V01.07.0060_mi03.ini-version=01.07.3841
D:\AdvFW/P3S_FW_V01.07.0060_mi03.ini-encrypt_type=0
--
D:\AdvFW/P3S_FW_V01.07.0060_mi04.ini:target=m1200
D:\AdvFW/P3S_FW_V01.07.0060_mi04.ini-version=01.10.0000
D:\AdvFW/P3S_FW_V01.07.0060_mi04.ini-encrypt_type=1
--
D:\AdvFW/P3S_FW_V01.07.0060_mi05.ini:target=m1201
D:\AdvFW/P3S_FW_V01.07.0060_mi05.ini-version=01.10.0000
D:\AdvFW/P3S_FW_V01.07.0060_mi05.ini-encrypt_type=1
--
D:\AdvFW/P3S_FW_V01.07.0060_mi06.ini:target=m1202
D:\AdvFW/P3S_FW_V01.07.0060_mi06.ini-version=01.10.0000
D:\AdvFW/P3S_FW_V01.07.0060_mi06.ini-encrypt_type=1
--
D:\AdvFW/P3S_FW_V01.07.0060_mi07.ini:target=m1203
D:\AdvFW/P3S_FW_V01.07.0060_mi07.ini-version=01.10.0000
D:\AdvFW/P3S_FW_V01.07.0060_mi07.ini-encrypt_type=1
--
D:\AdvFW/P3S_FW_V01.07.0060_mi08.ini:target=m1500
D:\AdvFW/P3S_FW_V01.07.0060_mi08.ini-version=01.01.0512
D:\AdvFW/P3S_FW_V01.07.0060_mi08.ini-encrypt_type=0
--
D:\AdvFW/P3S_FW_V01.07.0060_mi09.ini:target=m1700
D:\AdvFW/P3S_FW_V01.07.0060_mi09.ini-version=01.01.0263
D:\AdvFW/P3S_FW_V01.07.0060_mi09.ini-encrypt_type=0
--
D:\AdvFW/P3S_FW_V01.07.0060_mi10.ini:target=m1701
D:\AdvFW/P3S_FW_V01.07.0060_mi10.ini-version=01.00.0519
D:\AdvFW/P3S_FW_V01.07.0060_mi10.ini-encrypt_type=0
--
D:\AdvFW/P3S_FW_V01.07.0060_mi11.ini:target=m1900
D:\AdvFW/P3S_FW_V01.07.0060_mi11.ini-version=01.00.2144
D:\AdvFW/P3S_FW_V01.07.0060_mi11.ini-encrypt_type=0
--
D:\AdvFW/P3S_FW_V01.07.0060_mi12.ini:target=m0100
D:\AdvFW/P3S_FW_V01.07.0060_mi12.ini-version=01.23.4920
D:\AdvFW/P3S_FW_V01.07.0060_mi12.ini-encrypt_type=0
--
D:\AdvFW/P3S_FW_V01.07.0060_mi13.ini:target=m0101
D:\AdvFW/P3S_FW_V01.07.0060_mi13.ini-version=01.23.4920
D:\AdvFW/P3S_FW_V01.07.0060_mi13.ini-encrypt_type=0
--
D:\AdvFW/P3S_FW_V01.07.0060_mi14.ini:target=m0900
D:\AdvFW/P3S_FW_V01.07.0060_mi14.ini-version=02.13.0000
D:\AdvFW/P3S_FW_V01.07.0060_mi14.ini-encrypt_type=0

[MrBurnsAT]

I tested

P3X_FW_V01.01.0008 P3X_FW_V01.01.0009 P3X_FW_V01.01.1003 P3X_FW_V01.01.1007 P3X_FW_V01.02.0006 P3X_FW_V01.04.0001 P3X_FW_V01.04.0005 P3X_FW_V01.05.0011 P3X_FW_V01.08.0080 P3X_FW_V01.09.0060 P3X_FW_V01.10.0090

P3S_FW_V01.04.0001

WM610_FW_V01.03.00.00 WM610_FW_V01.04.00.10 WM610_FW_V01.05.00.30 WM610_FW_V01.06.00.40 WM610_FW_V01.07.00.90

But only P3S_FW_V01.07.0060 and P3X_FW_V01.07.0060 has unencrypted main controller firmware

[notsolowki]

has anyone found out where that annoying startup sound is programmed in at

[notsolowki]

If you start the drone with the csc command and before the motors do the 2 spins ups you flip the mode switch it skips the spin up and seem to operate fine until you press down right on the right stick it shuts off.

[ferraript]

I created Excel file containing all RC- and P3A-firmwares and their modules' version numbers, so it's easy to see when each module was upgraded is anybody interested?

[MrBurnsAT]

Yes pls

U can Post it on my hp http://www.gerhard-weinberger.at/phpBB2/viewforum.php?f=5

[aka1ceman]

Yes please. I have been collecting firmware for the last two years. It was until recent that I found there was a few I was missing. I have been saving them looking forward to a day like this where we could roll back and shoes which one we want to use.

[MrBurnsAT]

@aka1ceman

Could u have a look at my HP?

There is my Firmware Archive. And could u upload missing Firmware Versions?

That would be genious

[ferraript]

@mefistotelis: I'd like to upload xls file to your repository any chance of giving me one-time upload access?

@MrBurnsAT: there is supported_firmwares.csv in repository and it contains links too aren't they working? or are you looking for another firmware versions?

[mefistotelis]

I'd like to upload xls file to your repository

Such things are usually done by "pull requests". Clone the repo, push the change and you'll be given such option.

But I don't want XLS format in the repo; convert it to CSV first. Also, similar file is already in the repo; it would be better to update existing one.

[MrBurnsAT]

I ll make a Place where u can get any firmware Version. Not one form there, one from there and so on

Thats why i collect them

[aka1ceman]

Mr Burns yes, I have 1.1.1003 But whats funny is when I register on your site, it states UR Banned

Please note that you must provide a valid e-mail address before your user account is activated. You will receive an e-mail to the specified address, which contains an activation key.

No email yet. Wow, didnt know you had an issue with me....lol

[mefistotelis]

The more copies are there, the better.

For the supported_firmwares.csv - please note that there's a script "tests/test_all.sh" in the repo, which can be used to download and try extract all the firmwares in CSV file automatically. It normally tests only selected firmwares, but you may change it to set EXEC_FLAG=0x02 and it will download all which are downloadable.

[MrBurnsAT]

@aka1ceman which email Provider do u use

Maybe ive Banned it because of some spaming

[MrBurnsAT]

@mefistotelis ill try that

[aka1ceman]

gmail....lol I did get it with my protonmail I uploaded a copy here give this a shot.... https://ufile.io/eaf62

[MrBurnsAT]

Gmail was blocked

Try again now.

Cant open ur link. Get Virus/Spam warning

[mefistotelis]

Please note that there is a DL link for P3X_FW_V01.01.1003.bin within supported_firmwares.csv.

[ferraript]

I uploaded that xls file to my Google Drive it contains two sheets, one is for P3A and one for RC firmwares green color means that it's new version of the module if somebody of you has P3P firmwares downloaded, maybe you could fill those module versions for P3P firmwares too and share that file again

[MrBurnsAT]

@ferraript all Pro Firmwares are at my HP

http://www.gerhard-weinberger.at/phpBB2/viewtopic.php?f=5&t=9

[notsolowki]

honestly im surprised more people are not interested in this.?!!?

[ferraript]

not everybody needs those hacks and if somebody wants, maybe he is afraid of damaging the drone, or that hacking is complicated and as you can see in another thread, people are not even capable of repeating the steps you wrote

[notsolowki]

but at the same time its like why are they even here then

[MrBurnsAT]

I think many people would be Interested in this.

But not many people know of this here! I did about 20 downgrades with different people in the last 2 weeks. But no one had known of this here

I have hitherto been restrained to pass this on. Because I think too many people would make the whole messy.

Should I spread it further?

[notsolowki]

we need people in here that know what they are doing. seems that no one here knows how or is willing to test the parameters. and mefistotelis is not interested in the flight controllers parameters

[MrBurnsAT]

Ill do if i have time for it ;-)

But at the moment. Every day about 5 people ask me if i can help them with downgrading their Firmwares.

And ill give them step By Step Instructions (live) Because if something goes wrong, i can help emediatly

But i will really test Ur Firmware And i will do that.

Ok ill spread it further.

[MrBurnsAT]

Ill have a look After work.

[notsolowki]

that would be awesome thankyou!!!!!!

[notsolowki]

i bought digdats bricked gimbal hopefully it fixes my problem lol

[MrBurnsAT]

I think the way i did the Recover of the Phantom Would work for this Gimbal too

[MrBurnsAT]

Sorry had a look but dont find a way to check if its the esc or Gimbal Motor

[notsolowki]

Its a shot in the dark but you never know

[ferraript]

Android users still can't change aircraft's name and in mi01.bin there is text "choose a name for your inspire" @mefistotelis, any chance of finding out what needs to be done so AC will prompt for its name?

[notsolowki]

what exactly is the parameter that your talking about?

[notsolowki]

if your talking about a parameter thats not in flyc_param your probably going to learn how to byte patch, i would look in the app to see if you can find something that starts the process. it probably has some kind of falg that gets set if the name is or is not set

[ferraript]

I found a place in the app, where naming the AC is taking place: dji\pilot2\usercenter\a\h.java there is method e(), that reads name from EditText and sends it to the AC via class DataFlycSetPlaneName

but I haven't found an easy way to execute it "manually"

[notsolowki]

@mefistotelis : what could be soo much different about the 1.6 developer firmware? i wonder if the parameters already have a higher limit in this firmware

[mefistotelis]

@ferraript The most versatile way would be to create custom mobile app for this too. Another way would be to modify and re-compile a single .class file to do the change - but I never tried such java hacks and don't know a best way to make it happen.

@notsolowki no idea what the question is referring to.

[notsolowki]

i mean why did they even make a developer firmware

[mefistotelis]

While usually "developer version" of a software has some additional debugging code, I don't think it is the case with DJI. I'm pretty sure they call "developer version" something which other companies would call "release canditate version" - a version which needs broader testing, but is planned to become another release (if the tests will not reveal major issues).

[notsolowki]

I found alot of flies that relate to parameters and setup of the aircraft in the apk. If you look in , dji/midware/data/model/p3. I even see a flag to enable disable debughing

[notsolowki]

I cant find exactly what file ot was in. But i cann tell you ot clearly said , debug enable = flase

[notsolowki]

I even seen some things realted to output power of the remote. I dont know java so i cant tell you any specifics but it had somthing to do with sending and setting parameters. There must be a thousand files for tge parameters i ntgat location. I followed the files that were being imported and found all the settings Then i passed out from sleep deprevation and forgot lol

[ferraript]

@mefistotelis , I don't know where to ask, so I chose this general FW topic could you please give me some advice how to correctly import modules' bin files into IDA and do some research and changes just like you do? for example, how did you find those filenames? or, what do I have to do in IDA to change just one flyc param? (for example I noticed that when I changed just one number in those params through your dji_flyc_param_ed.py, resulting bin file differs in 3 bytes from original version)

[mefistotelis]

how to correctly import modules' bin files into IDA

Convert BIN to ELF using one of example commands in the README. Then open the ELF in IDA. Symbols: If you have .MAP file for the executable - use "loadmap" plug-in in IDA. If you have .IDC script - disable "analysis" when loading the ELF and then use "execute IDC" command; re-enable "analysis" after this it's loaded.

how to [..] do some research and changes

Check any IDA tutorial. Learn how to define structs, modify properties of functions, declare variables, use hex-rays. I have years of practice in IDA - it's not an easy path, but it is rewarding.

how did you find those filenames?

Defined a struct, then exported it.

what do I have to do in IDA to change just one flyc param

Define a struct, apply it to the params area, figure out what each parameter mean. I've notices the values are written in 3 variants, so updating 3 places.

[ferraript]

well, I had suspected that BIN needs to be converted to ELF but I didn't succeed I ran that arm_bin2elf.py script, it required pyelftools so I downloaded and installed it, but the script still ends with the same ImportError

maybe I didn't correctly understand this request "clone to upper level folder, '../pyelftools'"