Accessing the P2 wifi repeater and camera

Joined
Feb 12, 2014
Messages
7
Reaction score
0
When I did have the P2 Vision (crash and burn, faulty battery, which DJI seemed to ignore - support is really taking a dive there) I spent a few hrs and was able to fully get the telemetry data and control. It was using the native libs, but there is a way to connect, and those of you out there that are good at network protocols may be able to figure out the communication protocol being used.

In any case (and apologies if this has been posted/found already):
- To connect to the repeater, you can ssh [email protected] or go to http://192.168.1.1:80/openwrt and for both the admin password is "19881209".
- You can just connect directly to the wifi from your laptop... seems a bit flakey but generally works
- The (android) app has a native lib you can use to communicate through as well.
 
With a thunderstorm today it was not a great day to fly, so I decided to dig into the internals a bit.

It turns out there are at least three small separate systems inside of the camera.

Linux system #1 - the wifi manager, gives out dhcp leases and such. Lives at ip address 192.168.1.2, based on openwrt. Root password is 19881209
- Nothing really interesting there.
Linux system #2 - general purpose system. Lives at 192.168.1.1 This one provides file access to pictures and videos when accessed from your phone app for example, also provides telemetry.
- Telemetry is provided on port 2001 (obtained from serial port 0 on the SoC at 115200 bps)
- web server on port 80 that does not seem to serve any useful purpose, there's half removed lua stuff from openwrt that does not really work.
- another web server on port 1026 - This one you use to access pictures from phone app.
* When you go to the "Album" page in the app, it sends a control signal to the camera and the camera enters "usb storage" mode, becoming visible as a usb flashdrive to this system, which is then mounted to /mnt/sda1

System #3 - This is the actual camera. Lives at 192.168.1.10 It runs something very similar to what GoPro systems run (Ambarella)
- udp port 9000 is the video stream port. Possibly it also has some camera control.
- tcp port 22 - This one is a mystery. It answers with "SSH-2.0-OpenSSH_6.2", but I checked RAM dumps and such and I do not see it having openssh inside, so I am not really sure where does this come from. Some sort of additional embedded node? root password unknown.
- This system mounts the sdcard most of the time to write stuff there and such.
- This system is mildly scriptable in the same way as GoPro cameras, so at least some of their scripts would work here as well, though some more investigations are needed (see e.g. this resource for a big compilation of recipes: https://github.com/KonradIT/autoexechack )

In order to make your scripts you write them to the root folder of the sdcard into the file named autoexec.ash in unix text format (meaning there's only \n at the end of the line, not \n\r); this file is executed when you turn on the camera.
Available commands are:
Code:
	addr2func	bp		cardmgr		cat	
	cd		chmod		config		cp	
	cpu		date		deletedir	dmesg	
	dramcfg		drives		dsputil		echo	
	eeprom		eval		false		ffuc	
	format		hal		help		history	
	hotboot		ioerr		jobs		kill	
	ls		md5		mesg		mkboot	
	mkdir		morph		mv		flashdb	
	nice		poweroff	pref		ps	
	pwd		ramdisk		readb		readl	
	readw		reboot		reset		resume	
	rm		rmdir		savebin		sleep	
	suspend		sysmon		t		test	
	time		touch		trap		true	
	vol		writeb		writel		writew	
	yyinfo		usbclass	ver		vin	
	sm		corefreq	dramfreq	idspfreq
	dll		cleandir	volcfg		firmfl	
	nvd		nftl		bbt		romfs

Inside of the RTOS running there, the "D:\" drive is the sdcard, so if you write there, you'll be able to obtain these files from the sdcard later. Unix-style redirects work too, so you can capture command output.
E.g. this is process list obtained with "ps >d:\ps.txt" line in autoexec.ash
Code:
 ID  PRI      STAT ACT WUP SUS  NAME
  2    5   DELAYED   0   0   0  main_task
  3  120  WAIT_FLG   0   0   0  print_daemon_task
  4    3     SLEEP   0   0   0  abs_prktask
  5    5     SLEEP   0   0   0  abs_prktask
  6    1  WAIT_SEM   0   0   0  abs_prktask
  7    5     SLEEP   0   0   0  abs_prktask
  8    5     SLEEP   0   0   0  abs_prktask
  9   45  WAIT_FLG   0   0   0  Message Manager
 10   16 WAIT_RDTQ   0   0   0  peri_task
 11   55  WAIT_FLG   1   0   0  CEC Message Handler
 12   57 WAIT_RDTQ   0   0   0  button_task
 13   93 WAIT_RDTQ   0   0   0  func_button_task
 14   56 WAIT_RDTQ   0   0   0  scardmgr_task
 15   38 WAIT_RDTQ   0   0   0  stktask_func
 16   37 WAIT_RDTQ   0   0   0  debou_task
 17   50  WAIT_MBX   0   0   0  prfile2
 18   64  WAIT_FLG   0   0   0  FWLD
 19   17 WAIT_RDTQ   0   0   0  audio_init_task
 20   31 WAIT_RDTQ   0   0   0  audio_timer_task
 21   40 WAIT_RDTQ   0   0   0  audio_main_task
 22   34 WAIT_RDTQ   0   0   0  audio_beep_task
 23   32 WAIT_RDTQ   0   0   0  audio_input_process_task
 24   32 WAIT_RDTQ   0   0   0  audio_output_process_task
 25   15  WAIT_FLG   0   0   0  iav_vdsp
 26   61 WAIT_RDTQ   0   0   0  cavlc_task
 27   51  WAIT_FLG   0   0   0  Host Control Manager
 28   18  WAIT_FLG   0   0   0  adc
 29   92  WAIT_FLG   0   0   0  Storage monitor
 30   95  WAIT_FLG   0   0   0  PCBR monitor
 31   26  WAIT_FLG   0   0   0  Framerate monitor (VDSP)
 32   25  WAIT_FLG   0   0   0  Framerate monitor (AVSYNC)
 33   96  WAIT_FLG   0   0   0  Smart VBR monitor
 34   97  WAIT_FLG   0   0   0  Smart VBR monitor
 35   78  WAIT_FLG   0   0   0  Graphics2 Command Handler
 36   22  WAIT_FLG   0   0   0  Image Algo Task
 37   17  WAIT_FLG   0   0   0  Image VIN Task
 38   63  WAIT_FLG   0   0   0  Image Adjust
 39   41  WAIT_FLG   0   0   0  Recorder State Transition Manager
 40   81  WAIT_FLG   0   0   0  Recorder Mux Manager
 41  101   DELAYED   0   0   0  Preview YUV Processor
 42   23  WAIT_FLG   0   0   0  Recorder Snapshot Shutter Controller
 43   42  WAIT_FLG   0   0   0  Player FLOW CTRL Manager
 44   82  WAIT_FLG   0   0   0  Player DeMux Manager
 45   79  WAIT_FLG   0   0   0  AMBA Editor2 Command Manager
 46   83  WAIT_FLG   0   0   0  AMBA Editor2 Mux/Demux Manager
 47   87  WAIT_FLG   0   0   0  DCF Refresh Task
 48   47  WAIT_FLG   0   0   0  Graphics2 switch DCHAN vout task
 49   88  WAIT_FLG   0   0   0  App Async Operation Manager
 50   58   DELAYED   0   0   0  App Button Manager
 51   92 WAIT_RDTQ   0   0   0  camera_host_task
 52   91 WAIT_RDTQ   0   0   0  uart_msg_handler_task
 53   90  WAIT_FLG   0   0   0  uart0_msg_rx_task
 54   90  WAIT_FLG   0   0   0  uart1_msg_rx_task
 55   94   DELAYED   0   0   0  camera_state_check_task
 56  110     SLEEP   0   0   0  d:\autoexec.ash 
 57  110   RUNNING   0   0   0  ps

We'll see if DJI actually provides me with some source code that I requested from them as part of GPL compliance too.
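
The `ps` listing posted above can be parsed and compared across captures, for instance to see which tasks appear or disappear between two boots. This is an added example, not code from the original post; the second snapshot and its task `example extra task` are constructed for illustration, and `parse_ps` and `task_diff` are this example's own names.

```python
import re
from collections import Counter

# One row of the RTOS "ps" listing: six fixed columns, then a task name
# that may itself contain spaces ("Framerate monitor (VDSP)").
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

def parse_ps(text):
    """Return one dict per task; the header and blank lines are skipped."""
    tasks = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            tid, pri, stat, _act, _wup, _sus, name = m.groups()
            tasks.append({"id": int(tid), "pri": int(pri), "stat": stat, "name": name})
    return tasks

def task_diff(baseline, current):
    """Compare two snapshots by task name, counting duplicates
    (the listing has several tasks called abs_prktask)."""
    old = Counter(t["name"] for t in baseline)
    new = Counter(t["name"] for t in current)
    return sorted((new - old).elements()), sorted((old - new).elements())

# Rows copied from the listing in the post (raw string keeps the backslash).
BASELINE = r"""
 ID  PRI      STAT ACT WUP SUS  NAME
  2    5   DELAYED   0   0   0  main_task
  4    3     SLEEP   0   0   0  abs_prktask
  5    5     SLEEP   0   0   0  abs_prktask
 31   26  WAIT_FLG   0   0   0  Framerate monitor (VDSP)
 56  110     SLEEP   0   0   0  d:\autoexec.ash
 57  110   RUNNING   0   0   0  ps
"""

# Constructed second snapshot: one abs_prktask gone, one hypothetical task added.
CURRENT = r"""
 ID  PRI      STAT ACT WUP SUS  NAME
  2    5   DELAYED   0   0   0  main_task
  4    3     SLEEP   0   0   0  abs_prktask
 31   26  WAIT_FLG   0   0   0  Framerate monitor (VDSP)
 56  110     SLEEP   0   0   0  d:\autoexec.ash
 57  110   RUNNING   0   0   0  ps
 58   60  WAIT_FLG   0   0   0  example extra task
"""

if __name__ == "__main__":
    print(task_diff(parse_ps(BASELINE), parse_ps(CURRENT)))
```

The `ps` and `d:\autoexec.ash` rows are the capture itself and appear in every snapshot taken this way, so they cancel out of the diff.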
 
btw, as an afterthought - The nonexistent security of this system means that it would be pretty simple to trivial for somebody to connect to a running phantom vision, intercept the telemetry at the very least, or replace the telemetry with a spoofed one (only for purposes of displaying in the app).
It also might be possible to control the camera too.
 
verygreen said:
btw, as an afterthought - The nonexistent security of this system means that it would be pretty simple to trivial for somebody to connect to a running phantom vision, intercept the telemetry at the very least, or replace the telemetry with a spoofed one (only for purposes of displaying in the app).
It also might be possible to control the camera too.


I think it would be better to be able to force the dji extender to work with other wifi cameras... like the FC40. ;)
 
Well, that should not be hard to do, though I don't have means to test it.

Basically, turn on your range extender and camera.
Connect to Range extender on a laptop.
After connecting in a web browser go to http://192.168.1.2
Use root password of 19881209. This will bring you to usual openwrt web interface
Go to the "Network tab"
Go to Wifi subtab.
There you'll see two entries: "SSID FC200_XXXXX" Mode client - this is the connection to camera.
and: "SSID Phantom_XXXX" Mode Master - This is the base station you'll connect to.

Now you either can add a new client connection here or edit the existing client one using your different camera SSID, and things will just work I suspect. This should even allow having multiple cameras paired (but probably only using one at a time)

Additionally you can set a wifi password on the master connection in order to avoid hijacking of the link by others.
 
Thanks for these investigations. I'm not sure yet what use to make of them, but as a keen CHDK/SDM hacker I'm sure there are scripts I'll be able to make and use.
 
verygreen said:
Well, that should not be hard to do, though I don't have means to test it.

Basically, turn on your range extender and camera.
Connect to Range extender on a laptop.
After connecting in a web browser go to http://192.168.1.2
Use root password of 19881209. This will bring you to usual openwrt web interface
Go to the "Network tab"
Go to Wifi subtab.
There you'll see two entries: "SSID FC200_XXXXX" Mode client - this is the connection to camera.
and: "SSID Phantom_XXXX" Mode Master - This is the base station you'll connect to.

Now you either can add a new client connection here or edit the existing client one using your different camera SSID, and things will just work I suspect. This should even allow having multiple cameras paired (but probably only using one at a time)

Additionally you can set a wifi password on the master connection in order to avoid hijacking of the link by others.


Very interesting.
But would it save the settings after a reboot? (I don't have one to test)
 
verygreen said:
We'll see if DJI actually provides me with some source code that I requested from them as part of GPL compliance too.

:twisted:

Let's hope DJI will not change the root passwd in future firmware upgrades...
 
dragonash said:
Very interesting.
But would it save the settings after a reboot? (I don't have one to test)
Yes, it will save the settings of course.
After all how do you think they save their own settings.
 
AnselA said:
Let's hope DJI will not change the root passwd in future firmware upgrades...
Well, they never even updated this part of firmware.
The "camera firmware" update you saw only updates the actual camera thing that lives on 192.168.1.10

The repeater thing image was built on 7/18/2013, the camera-wifi image was built on 10/8/2013.
Neither of them actually reads the sdcard for updates either. So the only realistic way I see to update those firmwares is by uploading updates there via wifi when the DJI app is connected. But then the problem is, there is no internet connection to download the image from somewhere should it appear that the two systems are out of date. Those systems are also not accessible when you connect via USB, so the Assistant app on the computer could not update them either.

It's not like it's totally impossible, mind you. They can cache the latest version in the app if you happen to run the app when there's real internet (though it's dangerous as it might cause data overages unexpectedly), or they can ship the latest images inside of the app every time there's an app update (making the app image grow quite a bit).
But overall it seems like there were no plans to make updates to those wifi components ever.
 
verygreen said:
dragonash said:
Very interesting.
But would it save the settings after a reboot? (I don't have one to test)
Yes, it will save the settings of course.
After all how do you think they save their own settings.

Trials with the FC40 camera resulted in the opposite.
We were able to change the SSID of the camera, but it would not save after reboot
 
verygreen said:
- another web server on port 1026 - This one you use to access pictures from phone app.

I managed to connect to 192.168.1.2 but 192.168.1.1:1026 failed. It could be even useful to download DNG files, which vision app doesn't support.
 
AnselA said:
verygreen said:
- another web server on port 1026 - This one you use to access pictures from phone app.

I managed to connect to 192.168.1.2 but 192.168.1.1:1026 failed. It could be even useful to download DNG files, which vision app doesn't support.
You are right, it's not really http as it turned out, even though it is driven by php-fcgi.

Anyway, if you need to download the files, including dmg - you just need to enter the "Album" mode from your phone app, and after that use ssh from your computer to get content of /mnt/sda1. Use any number of freely available windows ssh clients, or openssh is already shipped with MacOS out of the box.
 
I was wondering, when I spotted the dBm setting in the OpenWrt Barrier: it is set to the max available setting of 27 dBm; would there be a way to tweak this somehow in order to increase the output power of the Phantom 2 Vision over 27 dBm, or is it the max output power that this hardware can do?
 
verygreen said:
Anyway, if you need to download the files, including dmg - you just need to enter the "Album" mode from your phone app, and after that use ssh from your computer to get content of /mnt/sda1. Use any number of freely available windows ssh clients, or openssh is already shipped with MacOS out of the box.

Thanks, that is really tempting way to get around Vision app bug. And one can get the large DNG files directly to a spacy network drive... (But I am currently busy, it will take a week or so before I can test it.)
 
port the nazagps decoder lib for arduino and you could make a nice where is my drone map ser2net
 
to verygreen:

I have a P2 Vision and for some reason I had to do a reset of the wifi repeater in order to have the network shown on my iPhone, but did not realize that I had to rebind the camera afterwards. No QR code, as my box was tossed away. Well, tech support from DJI was not available after several days, but this thread has helped me to retrieve my camera's MAC ID. I was able to access the camera as before. Had to do a hard power-cycle and was able to see my camera work. I am thrilled. I would like to express my appreciation.
 
I'm very interested in capturing the telemetry that is transmitted via 192.168.1.1 port 2001. What's the best way of capturing the stream for analysis on a Mac laptop (I'm not that familiar with linux tools, but am happy with java networking)?

Further on, what would be the best way of doing this on my Nexus tablet while running the DJI app - would it be possible to run a proxy server on the Nexus which connected to the range extender and logged the telemetry while providing a pass-through link for the DJI app to access the Phantom?
 
OK, so when I found this thread I noticed in the router config there is an option to set the dBm at 27 (501 mW). I tried playing with that option and applying changes, but it would always show as:


Mode: Client | SSID: FC200_008fa8
BSSID: 60:60:1F:******* | Encryption: None
Channel: 1 (2.412 GHz) | Tx-Power: 20 dBm

After testing I noticed that if I change the country code to BO and apply, then it shows as:

Mode: Client | SSID: FC200_008fa8
BSSID: 60:60:1F:******* | Encryption: None
Channel: 1 (2.412 GHz) | Tx-Power: 27 dBm

But if I reboot the Phantom and reconnect, it shows that the BO country code setting was saved BUT shows as 20; even if I try to apply the 27 setting it stays at 20:

Mode: Client | SSID: FC200_008fa8
BSSID: 60:60:1F:******* | Encryption: None
Channel: 1 (2.412 GHz) | Tx-Power: 20 dBm

But if I set it again to US afterwards, it goes back to 27 until I reboot:

Mode: Client | SSID: FC200_008fa8
BSSID: 60:60:1F:******* | Encryption: None
Channel: 1 (2.412 GHz) | Tx-Power: 27 dBm

So changing the country code while the Phantom is booted actually changes the dBm setting according to how it is configured, but rebooting resets that dBm change while keeping the country code applied.
I still have to test if this actually increases the FPV range of the wifi, and if yes, how I could simplify this process into a couple of clicks or even a simple piece of software.
I would like to know the opinion of someone more experienced than me, and here it is raining right now so I can't go out and do a range test; if someone could try this and provide feedback here or msg me in private.
I'm also wondering, if I put WPA2 encryption on and change the name of the Master Connection, whether I risk bricking the camera or repeater, and if there's a way to reset everything to default in case I make a mistake testing?
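
A small check over the status text quoted in the post above, as an added example that is not part of the original thread: it parses the blocks as posted, lists links showing `Encryption: None` (the condition the earlier advice about setting a wifi password on the master connection addresses), and compares a snapshot taken after applying a change with one taken after reboot to show which settings reverted. The function names are this example's own; the two samples are the blocks from the post.

```python
def parse_status(text):
    """Parse 'Key: value | Key: value' status text into one dict per block.
    Blocks are separated by blank lines."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        for field in line.split("|"):
            # Split on the first colon only: BSSID values contain colons too.
            key, _, value = field.partition(":")
            current[key.strip()] = value.strip()
    return entries

def unencrypted(entries):
    """Return (mode, ssid) for every link that reports no encryption."""
    return [(e.get("Mode"), e.get("SSID")) for e in entries
            if e.get("Encryption", "").lower() == "none"]

def changed_fields(before, after):
    """Return {field: (before, after)} for fields that differ."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}

# Status block as posted after applying the change (BSSID masked in the post).
APPLIED = """
Mode: Client | SSID: FC200_008fa8
BSSID: 60:60:1F:******* | Encryption: None
Channel: 1 (2.412 GHz) | Tx-Power: 27 dBm
"""

# Status block as posted after rebooting and reconnecting.
REBOOTED = """
Mode: Client | SSID: FC200_008fa8
BSSID: 60:60:1F:******* | Encryption: None
Channel: 1 (2.412 GHz) | Tx-Power: 20 dBm
"""

if __name__ == "__main__":
    before, after = parse_status(APPLIED)[0], parse_status(REBOOTED)[0]
    print("open links:", unencrypted([after]))
    print("reverted after reboot:", changed_fields(before, after))
```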
 
