Hi,
I got a broken Phantom 4 off eBay and repaired it (broken voltage reg). I have been flying, which is fun, but it's annoying that the link breaks down after 1000m-2500m and that I can't go higher than 500m (I live in the Alps and want to go up mountains, always relatively close to the ground, but still can't go up).
Then I googled it and found out that the Phantom will transmit with 40mW only in CE-controlled regions. Some people say it sets this automatically via GPS. I dislike that.
I heard that on older versions like the P3S there is a way to connect to the drone and set TX power to 27db. Unfortunately the P4 doesn't have WiFi, but instead some Lightbridge protocol, it seems. This means it will be difficult to connect to the remote controller itself.
The drone however can be connected to via USB which sets up a network link to the P4 from the USB host.
I used nmap to scan for live hosts on 192.168.0.0/16
The command is:
nmap -sP 192.168.0.0/16
on a mac, should be same on Linux.
This showed, that there are two hosts up:
192.168.42.2 (the phantom)
192.168.42.3 (myself)
I scanned for open ports on the Phantom (full range up to port 65k).
nmap 192.168.42.2 -p-
This showed that the following ports are open:
21 (FTP)
8905 (TCP, Protocol unknown?)
8906 (TCP, Protocol unknown?)
8907 (TCP, Protocol unknown?)
8908 (TCP, Protocol unknown?)
I tried to use SSH, but there are no open SSH ports and the connection is refused on the currently open ports.
I tried to connect via telnet and there is a varying degree of activity on those ports. They seem to be some kind of debug ports with varying levels of verbosity.
Unfortunately most of the output is unreadable even though occasionally some readable strings seem to come up like ("gimbal lost! 1242U<ÇÂ%!≠fi\:
uav on the ground! 1249U0CÇÂ%!≠fi]:*")...
Very weird.
Does anyone know how to read this? I tried to open it with various types of encoding, but it just looks un-understandable whichever way I turn it.
Do you guys think that DJI is encrypting this, or what's going on? Why encrypt that? Maybe it's a local thing to make everything unnecessarily obscure and harder. I mean, they don't have any additional profit from that. If I had a company like that, I would definitely leave everything open. If people want to transmit at 5W, it's not my problem as long as the product is shipped compliant by default and the hack is reasonably hard so they can't tell me that it was on purpose. (I can still leak the hack on purpose in the hidden so the hobbyist community has an easier time "finding" it.) Sometimes I really don't understand those businesses.
I also FTPed into the bird. It seems like there are some files that look promising, but they also seem to be encrypted, or maybe I just don't know how to open them properly. For example, a file named config_table.xml (I added it to my post).
Does anyone know how to force this thing into Maximum TX Power mode (drone&remote for video link&control link)?
Does anyone know how to bypass the 500m limit?
Does anyone know how to read those files?
Does maybe anyone know how to interface with the remote?
Also, when I took the thing apart I noticed that there is an additional SD card (4GB) on the gimbal board. Has anyone taken a look at that?
Does maybe someone know where there is a serial interface on the remote or the bird? For a console or something to control the boot process?
I hope there are some people out there who got more progress than myself. It looks very interesting that there seems to be a real Operating System on the drone. Many mods possible.
Just think about what we could do: Forward the data over cellular network for virtually unlimited range or do things like lift the battery restrictions to use standard lipos and stuff like that.
If this thing annoys me too much I will just sell it off and drop the hobby I guess...
PS: I also got a second Phantom 4 off eBay for ~180€ which could also be recovered (a flat flex was defective). On this drone with older firmware the filesystem in FTP is similar, but some files are missing. Also in telnet the ports are the same, but the output looks substantially different. But I will sell off this drone now, so I can't look into that one too much any more.
PPS: I also discovered an additional USB plug on the gimbal board inside the drone. Does anyone have any idea what this is for? It doesn't seem to show any life.