User Tools

Site Tools

Translations of this page:

howto:phantom-firmware-tools

phantom-firmware-tools

The firmware tools described below can be used to do all sorts of fun stuff on your DJI device. The two main things that are of interest here include sniffing and interpreting comms to your aircraft, and firmware tweaking.

1. Toolchain

Install your toolchain as per the instructions here. You only need to do this once… but check the instructions to see if there are any new tools that you may need.

2. Get the phantom-firmware-tools magic

If this is your first time using phantom-firmware-tools, you will need to checkout the code from git.

cd ~/Documents/
git clone https://github.com/mefistotelis/phantom-firmware-tools.git
cd phantom-firmware-tools

If you have done this before and you want to make sure you have the latest code, you just need to sync to the most recent version

cd ~/Documents/phantom-firmware-tools
git pull

3. Install wireshark

4. Install the comm disectors for wireshark

cp comm_dissector/wireshark/* ~/.config/wireshark/

5. Capture some traffic

python3 comm_serial2pcap.py -b115200 -f /tmp/wsf /dev/tty.usbmodem* /dev/tty.usbmodem*

The intent is for this command to sit between two serial ports, with serial breakout and capturing the serial TX and RX streams, being duplicated into two ports. I don't have a hardware breakout yet, so I have not yet tried this.

6. serialsnoop.sh

The code below was created by jan2642 as an alternate way of sniffing duml. It is still a prototype at this stage but listed here to provide a way for Mac users to get some duml love.

serialsnoop.sh
#!/bin/sh
 
# Listen in on serial port connections.
# (Note that max packet size is hardcoded to be 512)
# Written by jan2642
 
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <path to serial port>"
fi
 
/usr/sbin/dtrace -n '
inline string PATHNAME	 = "'$1'";
 
#pragma D option quiet
#pragma D option switchrate=10hz
/* #pragma D option bufpolicy=ring */
 
dtrace:::BEGIN
{
}
 
syscall::open:entry, syscall::open_nocancel:entry, syscall::open_extended:entry
{
    self->path = arg0;
    self->file_open_in_progress = 1;
}
 
syscall::open:return, syscall::open_nocancel:return, syscall::open_extended:return
/self->file_open_in_progress && (PATHNAME == copyinstr(self->path))/
{
    the_pid = pid;
    the_fd = arg1;
 
    self->path = 0;
    self->file_open_in_progress = 0;
}
 
syscall::*read:entry
/pid == the_pid && arg0 == the_fd/
{ 
    self->read_in_progress = 1;
    self->read_ptr = arg1;
}
 
syscall::*read:return
/self->read_in_progress/
{
    if (arg0 > 0) {
        printf("==+ %s IN %d : ", execname, (int)arg0);
        tracemem(copyin(self->read_ptr, arg0), 512);
        printf("==-\n");
    }
 
    self->read_in_progress = 0;
}
 
syscall::*write:entry
/pid == the_pid && arg0 == the_fd/
{ 
    if (arg2 > 0) {
        printf("==+ %s OUT %d : ", execname, (int)arg2);
        tracemem(copyin(arg1, arg2), 512);
        printf("==-\n");
    }
}
 
' 2> /dev/null | python -c '
import sys
 
def parse_block(buf):
    lines = buf.split("\n");
    meta = lines[0].split(" ")
 
    proc = meta[1]
    direction = meta[2]
    size = int(meta[3])
 
    print("%s %-3s %5d :" % (proc, direction, size)),
 
    if size > 512:
        size = 512 
 
    for i in xrange(0, (size / 16) + 1):
        data = lines[2 + i].strip().split(" ")
        remain = 16
        if i == size / 16:
            remain = size % 16
        for j in xrange(0, remain):
            print("%s" % data[j + 1]),
    print("")
 
for line in sys.stdin:
    if line.startswith("==+"):
        buf = "";
    if line.startswith("==-"):
        parse_block(buf)
    buf += line
'
 
# vim: expandtab:ts=4:sw=4

Contribute

[✓ kornvichs, 2019-02-17]DUML dumping has never worked for me on OSX. Need to understand how this could work including hardware required.

howto/phantom-firmware-tools.txt · Last modified: 2019/02/17 06:18 by kornvichs