User Tools

Site Tools

Translations of this page:

howto:p3fcchardmod

Tools to force FCC mode in Phantom 3 / Inspire 1 aircraft

This page is intended to document tools which can be used to force FCC mode in the Phantom 3 and Inspire 1 series. Alot of this content is derived from github discussion, credits to mefistotelis for his tool creations. https://github.com/o-gs/dji-firmware-tools/issues/10

A method has been created to enable FCC mode as well as changing other transmission settings. This requires extracting firmware for your Phantom 3 or Inspire 1 Remote control, modifying some settings, saving and re-compiling the firmware file. You will then need to install the firmware file onto the remote control to take effect.

Toolset

Make sure to review this GitHub with more info: https://github.com/o-gs/dji-firmware-tools

Create a folder, maybe named “P3FCC” and then download all of the files below into it.

  1. Download arm_bin2elf.py

Pre-reqs:

  1. Have installed Python 3 https://www.python.org/downloads/

NOTE: Make sure to SET PATH for Python during install. If you don't know what this means, google it.

  1. Install the following modules via pip install
    1. elftools
    2. pyelftools
    3. pycryptodome
    4. capstone
    5. keystone
    6. keystone-engine

Once these libraries are all installed you can use the tools to decrypt the firwmare files.

Firmware Files

We are targetting the 1400 or 1401 modules. The 1400 module is for the GL300A controller, the 1401 is for the GL300B/C controllers. <Need to include Inspire RC model>

You need to access the RC firmware files. You can find them on the DankDroneDownloader site

Direct links available as well:

Phantom 3 RC: <insert URL's for download>

Inspire RC:

<insert URL's for download>

Once downloaded, move the file into same folder as the files you downloaded earlier.

Extract the firmware file

You will go through these steps:

  1. Extract main firmware file
  2. Convert 1400/1401 module to ELF format
  3. Extract settings from the firmware file
  4. Edit the settings
  5. Re-make the firmware file
  6. Install the firmware file

Extracting the file:

  1. Drop to a command prompt, Start→Run→CMD.exe
  2. Navigate to the folder where the files are located. CD\p3FCC <enter>
  3. Type the following command:

dji_xv4_fwcon.py -vvv -x -p <firmwarename.bin>

  1. Now, open the folder and you should see the .1401 file.
  2. You can then type this command

arm_bin2elf.py -vv -e -b 0x000a000 –section .ARM.exidx@0x019300:0 –section .bss@0x1ff6000:0x4000 –section .bss2@0x1ffe000:0x1000 –section .bss3@0x1bff6000:0x2400 –section .bss4@0x1c01a000:0x2400 –section .bss5@0x40022000:0x50000 –section .bss6@0x400ee000:0x200 –section .bss7@0xe0004000:0x1200 -p <firmwarename_m1401.bin>

  1. you should see the .1401 elf file in the folder.
  2. You can now type this command:

lightbridge_stm32_hardcoder.py -vvv -x -e <firmwarename__m1401.elf>

  1. This will extract the settings and you can edit them in notepad or similar editting apps
Values it can extract and allow to modify
Parameter Name Description
og_hardcoded.lightbridge_stm32.packet_received_attenuation_override What to do when received a packet with transceiver power set request; 0 - use the received attenuation value, 1 - override the value with constant one
og_hardcoded.lightbridge_stm32.packet_received_attenuation_value Constant attenuation value used when packet_received_attenuation_override is enabled; unit depends on OFDM board type
og_hardcoded.lightbridge_stm32.board_ad3_attenuation_tx1_fcc Transceiver attenuation value for board type 3 with Analog Devices chip, change by 1 means 0.25 dBm
og_hardcoded.lightbridge_stm32.board_ad3_attenuation_tx2_fcc Transceiver attenuation value for board type 3 with Analog Devices chip, change by 1 means 0.25 dBm
og_hardcoded.lightbridge_stm32.board_ar0_attenuation_tx1_ce Transceiver attenuation value for board type 0 with Artosyn chip, change by 1 means 1 dBm
og_hardcoded.lightbridge_stm32.board_ar0_attenuation_tx2_ce Transceiver attenuation value for board type 0 with Artosyn chip, change by 1 means 1 dBm
og_hardcoded.lightbridge_stm32.board_ad3_attenuation_tx1_ce Transceiver attenuation value for board type 4 with Analog Devices chip, change by 1 means 0.25 dBm
og_hardcoded.lightbridge_stm32.board_ad3_attenuation_tx2_ce Transceiver attenuation value for board type 4 with Analog Devices chip, change by 1 means 0.25 dBm
og_hardcoded.lightbridge_stm32.power_zone_selection_override What to do when power zone is about to be selected from geo coordinates; 0 - set the value based on geolocation, 1 - override the value and set to FCC

Direct commands comm_mkdupc.py

You can also use the tool comm_mkdupc.py to send commands to the RC to see the status or change status.

These are commands to the RC plugged in via USB to PC using comm_mkdupc.py. This tool is a DUML Packet Builder with hex string output. https://github.com/o-gs/dji-firmware-tools

  • To set CE:

comm_mkdupc.py -vv –sender_type=PC –sender_index=1 –receiver_type=OFDM_Ground –ack_type=ACK_After_Exec –cmd_set=OFDM –cmd_id=6 –seq_num=5552 –payload_hex=“F7 FF 00”

  • To set FCC:

comm_mkdupc.py -vv –sender_type=PC –sender_index=1 –receiver_type=OFDM_Ground –ack_type=ACK_After_Exec –cmd_set=OFDM –cmd_id=6 –seq_num=5553 –payload_hex=“F7 FF 01”

  • To disallow the RC to reset the value by itself:

comm_mkdupc.py -vv –sender_type=PC –sender_index=1 –receiver_type=OFDM_Ground –ack_type=ACK_After_Exec –cmd_set=OFDM –cmd_id=6 –seq_num=5554 –payload_hex=“F9 FF 01”

  • To check (query) currently set zone:

comm_mkdupc.py -vv –sender_type=PC –sender_index=1 –receiver_type=OFDM_Ground –ack_type=ACK_After_Exec –cmd_set=OFDM –cmd_id=7 –seq_num=5555 –payload_hex=“F7 FF”

Install

Need to add install steps.

Misc

P1765Fw3.bin means something, service file name? gs_ofdm.bin? 1400 is probably used only by GL300a/b; the c version likely uses m1401

howto/p3fcchardmod.txt · Last modified: 2019/08/01 02:56 by digdat0