I wanted to try to run my own code on my drone, so I started poking around.
Someone dumped the entire firmware from the onboard storage, but unfortunately it seems like this is encrypted similarly to other DJI drones. And noone seems to have managed to get the keys to this yet, otherwise it would be simple to port the tools from here: o-gs/dji-firmware-tools
So then I started trying to interface with it over USB. By pressing the power button in some random order it eventually goes into some recovery mode where it appears as a USB ACM/serial adapter. I tried just connecting a serial adapter, but got nothing meaningful back. But the comm_serialtalk.py tool from the above repo seemed to be able to communicate, so it seems like it uses the DJI Universal Packet Container over serial.
Then I started looking at the UDP protocol for controlling it over wifi, and it seems pretty similar (same weird size encoding) though not identical; compare Low-Level Protocol to o-gs/dji-firmware-tools
It seems to possibly share some of the command IDs as well. I got a couple of 0x43 and 0x44 packets from it, which according to the wiki here are error responses, which makes sense since I don't know what I'm doing. But when connected I got a ton of 0xe packets from it, and while 0xe isn't documented in the wiki here according to the protocol dissectors for DUPC it's a heartbeat (which makes sense): o-gs/dji-firmware-tools
But it doesn't seem like everything matches, so I wonder if anyone has looked into this already, tried to match the known DUPC commands to what the app sends via UDP over wifi?
Someone dumped the entire firmware from the onboard storage, but unfortunately it seems like this is encrypted similarly to other DJI drones. And noone seems to have managed to get the keys to this yet, otherwise it would be simple to port the tools from here: o-gs/dji-firmware-tools
So then I started trying to interface with it over USB. By pressing the power button in some random order it eventually goes into some recovery mode where it appears as a USB ACM/serial adapter. I tried just connecting a serial adapter, but got nothing meaningful back. But the comm_serialtalk.py tool from the above repo seemed to be able to communicate, so it seems like it uses the DJI Universal Packet Container over serial.
Then I started looking at the UDP protocol for controlling it over wifi, and it seems pretty similar (same weird size encoding) though not identical; compare Low-Level Protocol to o-gs/dji-firmware-tools
It seems to possibly share some of the command IDs as well. I got a couple of 0x43 and 0x44 packets from it, which according to the wiki here are error responses, which makes sense since I don't know what I'm doing. But when connected I got a ton of 0xe packets from it, and while 0xe isn't documented in the wiki here according to the protocol dissectors for DUPC it's a heartbeat (which makes sense): o-gs/dji-firmware-tools
But it doesn't seem like everything matches, so I wonder if anyone has looked into this already, tried to match the known DUPC commands to what the app sends via UDP over wifi?
