With Thunderstorm today it was not a great day to fly, so I decided to dig in the internals a bit.
It turns out there are at least three small separate systems inside of the camera.
Linux system #1 - the wifi manager, gives out dhcp leases and such. Lives at ip address 192.168.1.2, based on openwrt. Root password is 19881209
- Nothing really interesting there.
Linux system #2 - general purpose system. Lives at 192.168.1.1 This one provides file access to pictures and videos when accessed from your phone app for example, also provides telemetry.
- Telemetry is provided on port 2001 (obtained from serial port 0 on the SoC at 115200 bps)
- web server on port 80 that does not seem to serve any useful purpose, there's half removed lua stuff from openwrt that does not really work.
- another web server on port 1026 - This one you use to access pictures from phone app.
* When you go to "Album" page in the app, it sends a control signal to the camera and camera enters "usb storage" mode, becoming visible as a usb flashdrive to this system that is then mounted to /mnt/sda1
System #3 - This is the actual camera. Lives at 192.168.1.10 It runs something very similar to what GoPro systems run (Ambarella)
- udp port 9000 is the video stream port. Possibly it also has some camera control.
- tcp port 22 - This one is a mystery. It answers with "SSH-2.0-OpenSSH_6.2", but I checked RAM dumps and such and I do not see it having openssh inside, so I am not really sure where does this come from. Some sort of additional embedded node? root password unknown.
- This system mounts the sdcard most of the time to write stuff there and such.
- This system is mildly scriptable in the same way as GoPro cameras, so at least some of their scripts would work here as well, though some more investigations are needed (see e.g. this resource for a big compilation of recipes:
https://github.com/KonradIT/autoexechack )
In order to make your scripts you write them to the root folder of the sdcard into the file named autoexec.ash in unix text format (meaning there's only \n at the end of the line, not \n\r), this file is executed when you turn on the camera.
Available commands are:
Code:
addr2func bp cardmgr cat
cd chmod config cp
cpu date deletedir dmesg
dramcfg drives dsputil echo
eeprom eval false ffuc
format hal help history
hotboot ioerr jobs kill
ls md5 mesg mkboot
mkdir morph mv flashdb
nice poweroff pref ps
pwd ramdisk readb readl
readw reboot reset resume
rm rmdir savebin sleep
suspend sysmon t test
time touch trap true
vol writeb writel writew
yyinfo usbclass ver vin
sm corefreq dramfreq idspfreq
dll cleandir volcfg firmfl
nvd nftl bbt romfs
Inside of the RTOS running there, the "D:\" drive is the sdcard, so if you write there, you'll be able to obtain these files from sdcard later. Unix-style redirects work too so you can capture command output.
E.g. this is process list obtained with "ps >d:\ps.txt" line in autoexec.ash
Code:
ID PRI STAT ACT WUP SUS NAME
2 5 DELAYED 0 0 0 main_task
3 120 WAIT_FLG 0 0 0 print_daemon_task
4 3 SLEEP 0 0 0 abs_prktask
5 5 SLEEP 0 0 0 abs_prktask
6 1 WAIT_SEM 0 0 0 abs_prktask
7 5 SLEEP 0 0 0 abs_prktask
8 5 SLEEP 0 0 0 abs_prktask
9 45 WAIT_FLG 0 0 0 Message Manager
10 16 WAIT_RDTQ 0 0 0 peri_task
11 55 WAIT_FLG 1 0 0 CEC Message Handler
12 57 WAIT_RDTQ 0 0 0 button_task
13 93 WAIT_RDTQ 0 0 0 func_button_task
14 56 WAIT_RDTQ 0 0 0 scardmgr_task
15 38 WAIT_RDTQ 0 0 0 stktask_func
16 37 WAIT_RDTQ 0 0 0 debou_task
17 50 WAIT_MBX 0 0 0 prfile2
18 64 WAIT_FLG 0 0 0 FWLD
19 17 WAIT_RDTQ 0 0 0 audio_init_task
20 31 WAIT_RDTQ 0 0 0 audio_timer_task
21 40 WAIT_RDTQ 0 0 0 audio_main_task
22 34 WAIT_RDTQ 0 0 0 audio_beep_task
23 32 WAIT_RDTQ 0 0 0 audio_input_process_task
24 32 WAIT_RDTQ 0 0 0 audio_output_process_task
25 15 WAIT_FLG 0 0 0 iav_vdsp
26 61 WAIT_RDTQ 0 0 0 cavlc_task
27 51 WAIT_FLG 0 0 0 Host Control Manager
28 18 WAIT_FLG 0 0 0 adc
29 92 WAIT_FLG 0 0 0 Storage monitor
30 95 WAIT_FLG 0 0 0 PCBR monitor
31 26 WAIT_FLG 0 0 0 Framerate monitor (VDSP)
32 25 WAIT_FLG 0 0 0 Framerate monitor (AVSYNC)
33 96 WAIT_FLG 0 0 0 Smart VBR monitor
34 97 WAIT_FLG 0 0 0 Smart VBR monitor
35 78 WAIT_FLG 0 0 0 Graphics2 Command Handler
36 22 WAIT_FLG 0 0 0 Image Algo Task
37 17 WAIT_FLG 0 0 0 Image VIN Task
38 63 WAIT_FLG 0 0 0 Image Adjust
39 41 WAIT_FLG 0 0 0 Recorder State Transition Manager
40 81 WAIT_FLG 0 0 0 Recorder Mux Manager
41 101 DELAYED 0 0 0 Preview YUV Processor
42 23 WAIT_FLG 0 0 0 Recorder Snapshot Shutter Controller
43 42 WAIT_FLG 0 0 0 Player FLOW CTRL Manager
44 82 WAIT_FLG 0 0 0 Player DeMux Manager
45 79 WAIT_FLG 0 0 0 AMBA Editor2 Command Manager
46 83 WAIT_FLG 0 0 0 AMBA Editor2 Mux/Demux Manager
47 87 WAIT_FLG 0 0 0 DCF Refresh Task
48 47 WAIT_FLG 0 0 0 Graphics2 switch DCHAN vout task
49 88 WAIT_FLG 0 0 0 App Async Operation Manager
50 58 DELAYED 0 0 0 App Button Manager
51 92 WAIT_RDTQ 0 0 0 camera_host_task
52 91 WAIT_RDTQ 0 0 0 uart_msg_handler_task
53 90 WAIT_FLG 0 0 0 uart0_msg_rx_task
54 90 WAIT_FLG 0 0 0 uart1_msg_rx_task
55 94 DELAYED 0 0 0 camera_state_check_task
56 110 SLEEP 0 0 0 d:\autoexec.ash
57 110 RUNNING 0 0 0 ps
We'll see if DJI actually provides me with some source code that I requested from them as part of GPL compliance too.
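
Added example, not part of the original post: since autoexec.ash in the sdcard root runs at every power-on, this Python sketch inspects such a file before the card goes into the camera, reporting lines with carriage returns, commands that are not in the list above, and files the script would write via redirects. The function name, the sample bytes and the treatment of `#` lines as comments are assumptions.

```python
import re

# Command names copied from the list in the post above.
KNOWN = set("""
addr2func bp cardmgr cat cd chmod config cp cpu date deletedir dmesg
dramcfg drives dsputil echo eeprom eval false ffuc format hal help history
hotboot ioerr jobs kill ls md5 mesg mkboot mkdir morph mv flashdb
nice poweroff pref ps pwd ramdisk readb readl readw reboot reset resume
rm rmdir savebin sleep suspend sysmon t test time touch trap true
vol writeb writel writew yyinfo usbclass ver vin sm corefreq dramfreq
idspfreq dll cleandir volcfg firmfl nvd nftl bbt romfs
""".split())

# Unix-style output redirect; a target starting with d:\ is a file on the sdcard.
REDIRECT = re.compile(r">>?\s*(\S+)")

def audit_autoexec(data: bytes) -> dict:
    """Summarise what a boot script would run, working on the raw file bytes."""
    report = {"cr_lines": [], "commands": [], "unknown": [], "outputs": []}
    text = data.decode("ascii", errors="replace")
    for n, raw in enumerate(text.split("\n"), start=1):
        if "\r" in raw:  # file is not in unix text format
            report["cr_lines"].append(n)
        line = raw.replace("\r", "").strip()
        # Assumption: lines starting with '#' are comments.
        if not line or line.startswith("#"):
            continue
        # The command is the first word, ending at whitespace or a redirect.
        cmd = re.split(r"[\s>]", line, maxsplit=1)[0]
        report["commands"].append((n, cmd))
        if cmd not in KNOWN:
            report["unknown"].append((n, cmd))
        for target in REDIRECT.findall(line):
            report["outputs"].append((n, target))
    return report

# Constructed sample: line 1 has a stray CR, line 4 is not a listed command.
SAMPLE = b"ps >d:\\ps.txt\r\nsleep 5\ndmesg > d:\\dmesg.txt\nlsusb\n"

if __name__ == "__main__":
    for key, value in audit_autoexec(SAMPLE).items():
        print(key, value)
```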