proto17 / dji_droneid

MIT License

parameters of descrambler #35

Closed penyaolu closed 1 year ago

penyaolu commented 1 year ago

Hi proto:

I find that the parameters of descrambler have been revealed in your github repository. May I ask how did you obtain these parameters? via brute force or firmware reverse engineering? Thanks!

Regards, Stan

proto17 commented 1 year ago

Stan,

I made some assumptions about DJI following the LTE spec, then did some research about the LTE descrambler [1][2]. But, I was still stuck on how to figure out x2. I was given a hint to not overthink it. Still didn't have it, and was given another hint to treat everything as octets. So you'll see that x2 is just 0x12345678 where the left-most octet is missing its left-most bit 0b001_0010_.... I was worried I had to figure out cell tower parameters, but no need :smiley: There was still some brute force to be done. Getting the bits in the right order for example. But that part wasn't too bad. What made it much easier for me was that I was using a Mavic Mini 2 which transmits one extra OFDM symbol at the beginning. This symbol is annihilated by the descrambler which made it easy to tell if what I had done was correct. Otherwise it would have been much harder to verify that things had worked properly.

Long story short: I had help and a bit of luck.

[1] https://www.sharetechnote.com/html/Handbook_LTE_PseudoRandomSequence.html
[2] https://edadocs.software.keysight.com/pages/viewpage.action?pageId=6076479
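Added example, not code from the dji_droneid repository or from proto17's comment: the 3GPP TS 36.211 section 7.2 Gold sequence generator loaded with the c_init value quoted above, plus the XOR descrambling step and the kind of "known block comes back as all zeros" sanity check the comment describes. The LSB-first loading of x2 and Nc = 1600 follow the LTE spec; how the sequence is aligned to DroneID's demodulated bits is an assumption here, and the repository's own implementation is authoritative for that.

```python
from typing import List

NC = 1600                    # TS 36.211 7.2: the first 1600 outputs are discarded
DRONEID_C_INIT = 0x12345678  # value quoted in the comment above; only its 31 low bits are used


def lte_gold_sequence(c_init: int, length: int, nc: int = NC) -> List[int]:
    """Return c(0)..c(length-1) of the TS 36.211 section 7.2 Gold sequence.

    x1 is fixed (x1(0) = 1, x1(1..30) = 0); x2 is loaded from c_init least
    significant bit first, so x2(i) is bit i of c_init for i = 0..30.
    nc is a parameter only so the raw register contents can be inspected.
    """
    c_init &= 0x7FFFFFFF  # c_init is 31 bits wide (the MSB of 0x12345678 is 0 anyway)
    x1 = [1] + [0] * 30
    x2 = [(c_init >> i) & 1 for i in range(31)]
    # Advance both m-sequences until nc + length outputs are available.
    for n in range(nc + length - 31):
        x1.append(x1[n + 3] ^ x1[n])
        x2.append(x2[n + 3] ^ x2[n + 2] ^ x2[n + 1] ^ x2[n])
    return [x1[n + nc] ^ x2[n + nc] for n in range(length)]


def descramble(bits: List[int], c_init: int = DRONEID_C_INIT) -> List[int]:
    """XOR the received bits with c(n). XOR is its own inverse, so the
    transmitter's scrambling and this descrambling are the same operation."""
    seq = lte_gold_sequence(c_init, len(bits))
    return [b ^ s for b, s in zip(bits, seq)]


def all_zero_after_descramble(bits: List[int], c_init: int = DRONEID_C_INIT) -> bool:
    """Sanity check: a block known to be all zeros before scrambling must
    come back as all zeros, which only happens with the right c_init."""
    return not any(descramble(bits, c_init))


if __name__ == "__main__":
    # Constructed sample: 64 zero bits as the transmitter would scramble them.
    over_the_air = descramble([0] * 64)  # same XOR, i.e. scrambling
    print(all_zero_after_descramble(over_the_air))                     # True
    print(all_zero_after_descramble(over_the_air, c_init=0x12345679))  # False
```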

penyaolu commented 1 year ago

Thank you for sharing your valuable experience. It really helps me a lot. :)