Changing tilt of aircraft

[notsolowki]

What is it going to take to achieve such a thing. im not sure that the mobile SDK will be able to accomplish this task. I'm sitting here looking at a binary with ida and have no clue what to do.

[mefistotelis]

Try searching for the names of parameters we've found in flight controller. If any SDK supports reading and writing these, it is likely that it will contains a few names.

[notsolowki]

i did find a few of the parameters in the guidance sdk. i think there is a maximum value set within the firmware somewhere that you cant override.

[mefistotelis]

In the struct at .data:080A6900 (from P3X_FW_V01.07.0060 flight controller) there are two float values which look like limits. They are at pos 0x14 within the struct (so in the struct definition I pasted earlier, they're "field_14".

Did you found the config parameter name for the tilt?

[notsolowki]

i was looking at g_config.control.atti_tilt_w_rate_0, although i really have no idea how to use ida. when i select the elf file it asks me what processor so i change it from metapc to arm little endian. i assume i have it right. do i have to build this structure array before i can see whats in it? thank you for all this help

[mefistotelis]

Opening ELF: The code is ARM little-endian; it will probably switch to it even if you won't select it, as ELF file incorporates that information.

Structs support: After the auto-analysis finishes, it is up to you to define everything which cannot be automated. This includes structs (unless the file has debug info which includes struct definitions).

[notsolowki]

.text:08068FB0                 LDR             R0, =aSmart_batteryT ; "[smart_battery]this fireware calc gohme"...
.text:08068FB2                 VSTR            D0, [SP,#0x10+var_10]
.text:08068FB6                 VLDR            D0, =7.80000019
.text:08068FBA                 VMOV            R2, R3, D0
.text:08068FBE                 BL              sub_806E08A

i think i remember seeing 7.800000 as the speed for rth in a log once

[notsolowki]

can you please tell me how you got to field_14. im trying to figure out what to do and im not really getting anywhere. and if i knew how to link these strings and functions i would be doing it. thanks

[mefistotelis]

You should just learn how to use IDA Pro. You should be able to find a tutorial, either written one or on a video. I learned IDA by myself, so I don't have any specific links.

First create the struct in "Structures" tab, then give type to the data in "IDA View" tab. Finally after looking at the data, you may give proper types to fields in "Structures", for example set field_14 as "float".

[notsolowki]

i can not figure this out. i don't even know how to create the structure. you have far more experience with this disassembly than i do. im going in a million directions, from your point of view where do you think it would be easiest to modify the parameters of the flight controller. to bad you haven't tried enabling serial on the usb port to see?

[mefistotelis]

Reverse engineering is complex, and learning IDA requires time. There's no shortcut. But there's also no better tool for the job.

If you want to check something simpler, try looking at Mobile SDK Panorama Demo - there's a file "flyc_param_infos" which is probably generated from the firmware and lists these parameters with limits.

The same demo contains a compiled Java code, which is able to modify these parameters.

[notsolowki]

interested in this one in particular "index" : 81, "typeID" : 0, "size" : 1, "attribute" : 11, "minValue" : 0, "maxValue" : 16, "defaultValue" : 16, "name" : "g_config.system_command.mapper[COMMAND_PANTILT_PITCH]_0"
how can i use this information to find it in the structure array. i wish i had an example from loading the binary, to locating a value in the structure array. im stuck at the structure i dont know how to do anything with it. all i can tell is where it starts and ends in ida view but cannot figure out how to convert it or anything, thankyou

[notsolowki]

when i extracted the apk i found flyc_param_infos .. you dont think its that easy???

[notsolowki]

i also see "index" : 363, "typeID" : 1, "size" : 2, "attribute" : 11, "minValue" : 0, "maxValue" : 6000, "defaultValue" : 3500, "name" : "g_config.serial_api_cfg.input_pitchlimit

which might explain how it communicates

[mefistotelis]

The values may be already at the limit, we don't know.

The code (Java code which I put in #7) definitely suggests that values of all parameters can be read on mobile device, and at least some of them (but maybe all) can be set to new value.

We need to write a mobile app to read/write these parameters. Then we will see whether that's enough, or we need FW modification too.

[notsolowki]

well i just modified the dji go app and set some valuse for height,pitch,roll,yaw. only thing i noticed is it says net height limit i put at 1000. JUST FOR TESTING. but when i put in 1000 it goes back to 500. and as far as roll pitch etc no change

[notsolowki]

does the dji app try to change the parameters? like when i change a parameter in flyc_param_infos

[notsolowki]

what the modify parameter all about? "index" : 1400, "typeID" : 0, "size" : 1, "attribute" : 11, "minValue" : 0, "maxValue" : 255, "defaultValue" : 0, "name" : "g_config.gear_cfg.hide_gear_en_0", "modify" : true

[mefistotelis]

I don't know what the dji app does. For the "modify" - you probably have the same ideas as me.

If you want to try FW modification:

Here's an IDC script to set up your IDA to the definitions I made: (link removed)

To use it:

1. Load the ELF into IDA, but UNCHECK the field "Analysis: enabled".
2. Load the IDC script from "File" menu
3. Re-enable "Analysis" in "Options -> General".

Now you have the structs defined.

[notsolowki]

have you had a look in the dji go apk?

[notsolowki]

to modify the FW would it have to be completely re-written or could the structure be changed with hex-edit.

[mefistotelis]

I'm not planning any work on Dji Go.

Binary data can be changed.

[notsolowki]

What are my options for changing the binary data of the structure parameters. I think making the app use the new parameters would be a simple task.

[mefistotelis]

Then go for it, do the app. There's no point of changing the limits in firmware until we have any means to test them.

[notsolowki]

in the app if you open it with winrar and navigate to res/raw/ theres a file flyc_param_infos, it looks like it hold all of the variables. but, for example the hight limit. default its 500m. if you set it to 1000 in flyc_param_infos and restart the app if will now say 0-1000m if you select 1000m its reverts back to 500. if you select 500 m it asks you to accept the responsibility then if you set it to 1000 it asks you to accept their agreement and changes back to 500. also i couldn't reinstall the modified apk. i had to install the apk navigate to /data/app/dji.pilot and open base.apk and change the parameters otherwise it wouldn't install

[notsolowki]

I have changed every parameter in the fw that relates to tilt, angle, pitch, max and min to 1 with no effect???

[notsolowki]

the only thing i could change that had any effect was the altitude limit. and even then i have not tested that in flight. i wonder whats going on

[notsolowki]

one thing i noticed in the actual mi01 binary is they had the go home speed set at 7.8000. i just wonder if the values im looking for are not in the structure array. and the go home speed wasn't a pitch or angular parameter it simply said go home speed. ive changed lots of parameters and not one of them effected the way the drone fly's normally. i didn't test waypoint or anything. here are some more interesting things in the binary

.text:0808300C flt_808300C DCFS 0.017453 ; DATA XREF: .text:loc_8082C12r .text:08083010 flt_8083010 DCFS 6.2832 ; DATA XREF: sub_8082C70+4r .text:08083014 flt_8083014 DCFS 60.0 ; DATA XREF: sub_8082C70+Cr .text:08083014 ; sub_8082D54+24r .text:08083018 flt_8083018 DCFS 100.0 ; DATA XREF: sub_8082CAC+12r .text:08083018 ; sub_8082D54+34r .text:0808301C flt_808301C DCFS 0.0 ; DATA XREF: sub_8082D54+Cr .text:0808301C ; sub_8082E7C:loc_8082F9Er .text:08083020 flt_8083020 DCFS 40.0 ; DATA XREF: sub_8082D54+1Cr .text:08083024 flt_8083024 DCFS 80.0 ; DATA XREF: sub_8082D54+2Cr .text:08083028 aWFLiftF DCB "w: %f, lift: %f",0 ; DATA XREF: sub_8082D54+8Ao .text:08083038 off_8083038 DCD dword_20001678 ; DATA XREF: sub_8082DFEr .text:08083038 ; .text:08082E74r .text:0808303C off_808303C DCD unk_2000314C ; DATA XREF: sub_8082E3Er .text:0808303C ; sub_8082E42+2r ... .text:08083040 flt_8083040 DCFS 0.0016667 ; DATA XREF: sub_8082E42+Cr .text:08083044 dbl_8083044 DCFD 0.0174532925 ; DATA XREF: sub_8082E7C+1Ar .text:0808304C dbl_808304C DCFD 3.14159265 ; DATA XREF: sub_8082E7C+8Cr .text:08083054 aCraftConfigura DCB "craft configuration motor coef",0xD,0xA,0 .text:08083054 ; DATA XREF: sub_8082FDC+Co .text:08083075 DCB 0, 0, 0

[mefistotelis]

It is possible that tilt is bound by multiple parameters.

[MrBurnsAT]

notsolowki how did u test the firmware?

Did u do it with connected mobile device and djigo APP running?

I would try it without! Only Craft and RC! No Mobile No GoApp

My thought is that the parameters in flyc_conf are only place holders without any used information in there.

When u start up ur Phantom and ur RC, i think then the real informations for the flyc_conf are transmitted/synced from the RC to the craft.

Maybe some informations More if a mobile device is connected and go APP is running.

Could that be possible?

If yes. We should really take a look in the RC Firmware If there are maybe the real informations stored

[notsolowki]

mrburns, i was thinking that. so i did try that and the results were the same. i changed alot of parameters. none of them effected the flight. i update the apps flyc_param_infos along with the flight controller. is it possible that the parameters im looking for ar not in the structure array? it seems very likely that they are in the flyc_param file but i dont know??!! i also notice that if i dont update the apps flyc_param it still populates the altitude limit box with the altitude chosen on the flight controller

[mefistotelis]

Before we assume that we need anything more, let's try with a simple parameter, like height limit. We know that changing it in DJI Go's flyc_param_infos influences the GUI, and we have the same parameter in flyc_param_infos from flight controller. Modifying both of these (and updating firmware + replacing file on tablet) should lift the limit.

[notsolowki]

yea the hight limit was lifted no problems even without update the flyc_ in the app. it still populated it with the \variable i chose regardless

[mefistotelis]

yea the hight limit was lifted no problems even without update the flyc_ in the app. it still populated it regardless

Hm, interesting. This means the direction of update goes in the other way that the one MrBurnsAT suggested - flyc_param_infos are transmitted from the craft, and the mobiledevice only contains placeholders.

[mefistotelis]

@notsolowki which of these have you tried?:

# grep "\(speed\|tilt\)" flyc_param_infos
                "name" : "g_config.control.tilt_atti_gain_0",
                "name" : "g_config.control.tilt_gyro_gain_0",
                "name" : "g_config.control.tilt_gyro_acc_gain_0",
                "name" : "g_config.advanced_function.pantilt_enabled_0",
                "name" : "g_config.pantilt.output_frequency_0",
                "name" : "g_config.pantilt.roll_travel.travel_min_0",
                "name" : "g_config.pantilt.roll_travel.travel_max_0",
                "name" : "g_config.pantilt.roll_travel.travel_center_0",
                "name" : "g_config.pantilt.pitch_travel.travel_min_0",
                "name" : "g_config.pantilt.pitch_travel.travel_max_0",
                "name" : "g_config.pantilt.pitch_travel.travel_center_0",
                "name" : "g_config.pantilt.yaw_travel.travel_min_0",
                "name" : "g_config.pantilt.yaw_travel.travel_max_0",
                "name" : "g_config.pantilt.yaw_travel.travel_center_0",
                "name" : "g_config.pantilt.roll_gain_0",
                "name" : "g_config.pantilt.pitch_gain_0",
                "name" : "g_config.pantilt.yaw_gain_0",
                "name" : "g_config.pantilt.reverse_output_0",
                "name" : "g_config.pantilt.roll_speed_0",
                "name" : "g_config.pantilt.pitch_speed_0",
                "name" : "g_config.pantilt.yaw_speed_0",
                "name" : "g_config.craft_model.motor_tilt_angle_0",
                "name" : "g_config.control.horiz_emergency_brake_tilt_max_0",
                "name" : "g_config.control.atti_tilt_w_rate_0",
                "name" : "g_config.control.manual_tilt_w_rate_0",
                "name" : "g_config.control.tilt_exp_mid_point_0",
                "name" : "g_config.control.dyn_tilt_min_0",
                "name" : "g_config.control.rc_tilt_sensitivity_0",
                "name" : "g_config.imu_para_cfg.imu_adv_func.vo_vel_with_large_tilt_deny_0",
                "name" : "g_config.novice_cfg.atti_tilt_w_rate_0",
                "name" : "g_config.gear_cfg.gear_speed_0",
                "name" : "wind_speed[0]_0"
                "name" : "wind_speed[1]_0"
                "name" : "wind_speed[2]_0"

[notsolowki]

all of them except "name" : "g_config.imu_para_cfg.imu_adv_func.vo_vel_with_large_tilt_deny_0" "name" : "wind_speed[0]_0" "name" : "wind_speed[1]_0" "name" : "wind_speed[2]_0" "name" : "g_config.control.tilt_atti_gain_0", "name" : "g_config.control.tilt_gyro_gain_0", "name" : "g_config.control.tilt_gyro_acc_gain_0", "name" : "g_config.advanced_function.pantilt_enabled_0", "name" : "g_config.pantilt.output_frequency_0",

[notsolowki]

i thought these two were borderline simple variables but they had no effect either

"index" : 323,
    "typeID" : 5,
    "size" : 2,
    "attribute" : 11,
    "minValue" : 1,
    "maxValue" : 20,
    "defaultValue" : 20,
    "name" : "g_config.control.vert_up_vel_0",
    "modify" : true
},
{
    "index" : 324,
    "typeID" : 5,
    "size" : 2,
    "attribute" : 11,
    "minValue" : 1,
    "maxValue" : 15,
    "defaultValue" : 10,
    "name" : "g_config.control.vert_down_vel_0",
    "modify" : true
},

and the low battery version of those variables did nothing either i matched these on the dji go apk flyc_

[MrBurnsAT]

That is plausible for me! The real informations are stored at the craft and will be transmitted to the RC. So the most regulations are done by the rc and not the craft.

But there must also be also most of this informations at the craft, because if u loose signal. Craft is retuning to home a specified speed, same with landing speed

Wind speed is Wind speed and has nothing to do with tilt.

If u load ur logs up to healthydrones u will See how fast wind was!

[notsolowki]

i think they set the rth speed slow so that you will always loose the drone if winds are above 10 mph, 3 times i had to override rth pitch to make it move. the speed is so low it just hovers against the slightest windws

[MrBurnsAT]

"g_config.control.vert_up_vel_0", looks for me if thats ascending speed

And "g_config.control.vert_down_vel_0" Should be descending speed

[notsolowki]

yea no doubt but they didnt effect anything in any mode. note i didnt try waypoint or anything automated

[mefistotelis]

Look at their limiting values - vert_up_vel_0 has 1..10, default=5. I think the craft goes up about 5 or 6 mps (meters per second). So min/max only set limits (I mean, limits of limits), and the "real" value is either in "default" or is controlled in a different way.

[notsolowki]

i was ascending at 11 mps till about 250 ft. and i had mine set at 10. then i reflashed it with them set at 20 no change.

[MrBurnsAT]

11mps thats really fast

[notsolowki]

im sorry 11 MPH so about 5m a sec

[mefistotelis]

Yeah, meters vs. miles - the non-metric system always causes problems.

Anyway in the spec DJI says:

Max Ascent Speed   5 m/s

To modify "real" limits and not only limits of limits, we need a custom made mobile app.

[notsolowki]

so the things that need changed are not in the flyc_param side of the app?

[MrBurnsAT]

PHANTOM 3 PROFESSIONALSPECS HomeProductsPhantom 3 ProfessionalSpecs AIRCRAFT

Weight (Battery & Propellers Included) 1280 g Diagonal Size (Propellers Excluded) 350 mm Max Ascent Speed 5 m/s Max Descent Speed 3 m/s Max Speed 16 m/s (ATTI mode) Max Service Ceiling Above Sea Level 19685 feet (6000 m) Max Flight Time Approx. 23 minutes Operating Temperature Range 32° to 104°F (0° to 40°C) Satellite Positioning Systems GPS/GLONASS Hover Accuracy Range Vertical: ±0.1 m (when Vision Positioning is active) ±0.5 m Horizontal: ±1.5 m GIMBAL

Controllable Range Pitch: -90° to +30° Stabilization 3-axis (pitch, roll, yaw) REMOTE CONTROLLER

Operating Frequency 2.400 - 2.483 GHz Max Transmission Distance FCC Compliant: 3.1 mi (5 km) CE Compliant: 2.2 mi (3.5 km) (Unobstructed, free of interference) Operating Temperature Range 32° to 104°F (0° to 40°C) Battery 6000 mAh LiPo 2S Transmitter Power (EIRP)
FCC: 20 dBm CE: 16 dBm Operating Current/Voltage 1.2 A@7.4 V INTELLIGENT FLIGHT BATTERY

Capacity 4480 mAh Voltage 15.2 V Battery Type LiPo 4S Energy 68 Wh Net Weight 365 g Operating Temperature Range 14° to 104°F (-10° to 40°C) Max Charging Power 100 W

VISION SYSTEM

Vision System Downward Vision System Velocity Range ≤8 m/s (2 m above ground) Altitude Range 30 - 300 cm Operating Range 50 - 300 cm Operating Environment Surface with clear pattern and adequate lighting (lux>15)

[mefistotelis]

When you're changing max height - flyc_params are used to increase limit of the limit, and then you can set the "real" limit value within the mobile app.

So with velocity, tilt or anything else - it's basically the same - you modified limits of limits and that's good, but now you need to set "real" value - the problem is, DJI Go doesn't have such function. Therefore you need a custom app.

[MrBurnsAT]

Maybe it will help to look at litchi!

I know up to Litchi Version 2.3.1 it was possible to break the height Limit with only choose it in the settings of the App (5m(or10m)-6000m)

With Firmware Versions up to max 1.4.0010

[notsolowki]

i will note that i didnt have to update the app for the new altitude limit to show. example. i set it at 5000 on the flight controller, in he app it still says 20-500 but the box is populated with 5000 until i try to change it then it goes to 500. do you think adding the parameters to the apps flyc_param would do any good?