Accessing the P2 wifi repeater and camera

Discussion in 'Phantom 2 Vision Mods' started by kwatts, May 19, 2014.

  1. kwatts

    Joined:
    Feb 12, 2014
    Messages:
    7
    Likes Received:
    0
    When I did have the P2 Vision (crash and burn, faulty battery, which, DJI seemed to ignore - support is really taking a dive there) I spent a few hrs and was able to fully get the telemetry data and control. It was using the native libs, but, there is a way to connect and for those of you out there that are good at network protocols may be able to figure out the communication protocol being used.

    In any case (and apologies if this has been posted/found already):
    - To connect to the repeater, you can ssh root@192.168.1.1 or go to http://192.168.1.1:80/openwrt and for both the admin password is "19881209".
    - You can just connect directly to the wifi from your laptop... seems a bit flakey but generally works
    - The (android) app has a native lib you can use to communicate through as well.
     
  2. verygreen

    Joined:
    May 25, 2014
    Messages:
    7
    Likes Received:
    0
    With Thunderstorm today it was not a great day to fly, so I decided to dig in the internals a bit.

    It turns out there are at least three small separate systems inside of the camera.

    Linux system #1 - the wifi manager, gives out dhcp leases and such. Lives at ip address 192.168.1.2, based on openwrt. Root password is 19881209
    - Nothing really interesting there.
    Linux system #2 - general purpose system. Lives at 192.168.1.1 This one provides file access to pictures and videos when accessed from your phone app for example, also provides telemetry.
    - Telemetry is provided on port 2001 (obtained from serial port 0 on the SoC at 115200 bps)
    - web server on port 80 that does not seem to serve any useful purpose, there's half removed lua stuff from openwrt that does not really work.
    - another web server on port 1026 - This one you use to access pictures from phone app.
    * When you go to "Album" page in the app, it sends a control signal to the camera and camera enters "usb storage" mode, becoming visible as a usb flashdrive to this system that is then mounted to /mnt/sda1

    System #3 - This is the actual camera. Lives at 192.168.1.10 It runs something very similar to what GoPro systems run (Ambarella)
    - udp port 9000 is the video stream port. Possibly it also has some camera control.
    - tcp port 22 - This one is a mystery. It answers with "SSH-2.0-OpenSSH_6.2", but I checked RAM dumps and such and I do not see it having openssh inside, so I am not really sure where does this come from. Some sort of additional embedded node? root password unknown.
    - This system mounts the sdcard most of the time to write stuff there and such.
    - This system is mildly scriptable in the same way as GoPro cameras, so at least some of their scripts would work here as well, though some more investigations are needed (see e.g. this resource for a big compilation of recipes: https://github.com/KonradIT/autoexechack )

    In order to make your scripts you write them to the root folder of the sdcard into the file named autoexec.ash in unix text format (meaning there's only \n at the end of the line, not \n\r), this file is executed when you turn on the camera
    Available commands are:
    Code:
    	addr2func	bp		cardmgr		cat	
    	cd		chmod		config		cp	
    	cpu		date		deletedir	dmesg	
    	dramcfg		drives		dsputil		echo	
    	eeprom		eval		false		ffuc	
    	format		hal		help		history	
    	hotboot		ioerr		jobs		kill	
    	ls		md5		mesg		mkboot	
    	mkdir		morph		mv		flashdb	
    	nice		poweroff	pref		ps	
    	pwd		ramdisk		readb		readl	
    	readw		reboot		reset		resume	
    	rm		rmdir		savebin		sleep	
    	suspend		sysmon		t		test	
    	time		touch		trap		true	
    	vol		writeb		writel		writew	
    	yyinfo		usbclass	ver		vin	
    	sm		corefreq	dramfreq	idspfreq
    	dll		cleandir	volcfg		firmfl	
    	nvd		nftl		bbt		romfs	
    
    Inside of the RTOS running there, the "D:\" drive is the sdcard, so if you write there, you'll be able to obtain these files from sdcard later. Unix-style redirects work too so you can capture command output.
    E.g. this is process list obtained with "ps >d:\ps.txt" line in autoexec.ash
    Code:
     ID  PRI      STAT ACT WUP SUS  NAME
      2    5   DELAYED   0   0   0  main_task
      3  120  WAIT_FLG   0   0   0  print_daemon_task
      4    3     SLEEP   0   0   0  abs_prktask
      5    5     SLEEP   0   0   0  abs_prktask
      6    1  WAIT_SEM   0   0   0  abs_prktask
      7    5     SLEEP   0   0   0  abs_prktask
      8    5     SLEEP   0   0   0  abs_prktask
      9   45  WAIT_FLG   0   0   0  Message Manager
     10   16 WAIT_RDTQ   0   0   0  peri_task
     11   55  WAIT_FLG   1   0   0  CEC Message Handler
     12   57 WAIT_RDTQ   0   0   0  button_task
     13   93 WAIT_RDTQ   0   0   0  func_button_task
     14   56 WAIT_RDTQ   0   0   0  scardmgr_task
     15   38 WAIT_RDTQ   0   0   0  stktask_func
     16   37 WAIT_RDTQ   0   0   0  debou_task
     17   50  WAIT_MBX   0   0   0  prfile2
     18   64  WAIT_FLG   0   0   0  FWLD
     19   17 WAIT_RDTQ   0   0   0  audio_init_task
     20   31 WAIT_RDTQ   0   0   0  audio_timer_task
     21   40 WAIT_RDTQ   0   0   0  audio_main_task
     22   34 WAIT_RDTQ   0   0   0  audio_beep_task
     23   32 WAIT_RDTQ   0   0   0  audio_input_process_task
     24   32 WAIT_RDTQ   0   0   0  audio_output_process_task
     25   15  WAIT_FLG   0   0   0  iav_vdsp
     26   61 WAIT_RDTQ   0   0   0  cavlc_task
     27   51  WAIT_FLG   0   0   0  Host Control Manager
     28   18  WAIT_FLG   0   0   0  adc
     29   92  WAIT_FLG   0   0   0  Storage monitor
     30   95  WAIT_FLG   0   0   0  PCBR monitor
     31   26  WAIT_FLG   0   0   0  Framerate monitor (VDSP)
     32   25  WAIT_FLG   0   0   0  Framerate monitor (AVSYNC)
     33   96  WAIT_FLG   0   0   0  Smart VBR monitor
     34   97  WAIT_FLG   0   0   0  Smart VBR monitor
     35   78  WAIT_FLG   0   0   0  Graphics2 Command Handler
     36   22  WAIT_FLG   0   0   0  Image Algo Task
     37   17  WAIT_FLG   0   0   0  Image VIN Task
     38   63  WAIT_FLG   0   0   0  Image Adjust
     39   41  WAIT_FLG   0   0   0  Recorder State Transition Manager
     40   81  WAIT_FLG   0   0   0  Recorder Mux Manager
     41  101   DELAYED   0   0   0  Preview YUV Processor
     42   23  WAIT_FLG   0   0   0  Recorder Snapshot Shutter Controller
     43   42  WAIT_FLG   0   0   0  Player FLOW CTRL Manager
     44   82  WAIT_FLG   0   0   0  Player DeMux Manager
     45   79  WAIT_FLG   0   0   0  AMBA Editor2 Command Manager
     46   83  WAIT_FLG   0   0   0  AMBA Editor2 Mux/Demux Manager
     47   87  WAIT_FLG   0   0   0  DCF Refresh Task
     48   47  WAIT_FLG   0   0   0  Graphics2 switch DCHAN vout task
     49   88  WAIT_FLG   0   0   0  App Async Operation Manager
     50   58   DELAYED   0   0   0  App Button Manager
     51   92 WAIT_RDTQ   0   0   0  camera_host_task
     52   91 WAIT_RDTQ   0   0   0  uart_msg_handler_task
     53   90  WAIT_FLG   0   0   0  uart0_msg_rx_task
     54   90  WAIT_FLG   0   0   0  uart1_msg_rx_task
     55   94   DELAYED   0   0   0  camera_state_check_task
     56  110     SLEEP   0   0   0  d:\autoexec.ash 
     57  110   RUNNING   0   0   0  ps 
    We'll see if DJI actually provides me with some source code that I requested from them as part of GPL compliance too.
     
  3. verygreen

    Joined:
    May 25, 2014
    Messages:
    7
    Likes Received:
    0
    btw, as an afterthought - The nonexistent security of this system means that it would be pretty simple to trivial for somebody to connect to a running phantom vision, intercept the telemetry at the very least, or replace the telemetry with a spoofed one (only for purposes of displaying in the app).
    It also might be possible to control the camera too.
     
  4. dragonash

    Joined:
    Mar 21, 2014
    Messages:
    906
    Likes Received:
    11
    Location:
    Brooklyn, NY

    I think it would be better to be able to force the dji extender to work with other wifi cameras... like the FC40. ;)
     
  5. verygreen

    Joined:
    May 25, 2014
    Messages:
    7
    Likes Received:
    0
    Well, that should not be hard to do, though I don't have means to test it.

    Basically, turn on your range extender and camera.
    Connect to Range extender on a laptop.
    After connecting in a web browser go to http://192.168.1.2
    Use root password of 19881209. This will bring you to usual openwrt web interface
    Go to the "Network tab"
    Go to Wifi subtab.
    There you'll see two entries: "SSID FC200_XXXXX" Mode client - this is the connection to camera.
    and: "SSID Phantom_XXXX" Mode Master - This is the base station you'll connect to.

    Now you either can add a new client connection here or edit existing client one using your different camera SSID and things will just work I suspect. This should even allow to have multiple cameras paired (but probably only using one at a time)

    Additionally you can set a wifi password on the master connection in order to avoid hijacking of the link by others.
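
Added example, not part of the original post and not DJI or OpenWrt code: a check to run over a copy of the repeater's OpenWrt wireless config to confirm the Master (`ap`) link is no longer open after setting a password. The sample config is constructed; its section layout and the `Phantom_XXXX` / `FC200_XXXXX` placeholders are assumptions based on the SSIDs named in the thread.

```python
import shlex

# Constructed sample in OpenWrt UCI syntax (/etc/config/wireless). The SSIDs are
# the thread's placeholders; the layout is an assumption, not a device dump.
SAMPLE_WIRELESS = """\
config wifi-device 'radio0'
    option type 'mac80211'

config wifi-iface
    option device 'radio0'
    option mode 'sta'
    option ssid 'FC200_XXXXX'
    option encryption 'none'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option ssid 'Phantom_XXXX'
    option encryption 'none'
"""

def parse_uci(text):
    """Return a list of (section_type, options_dict) from UCI config text."""
    sections = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles quotes and '#'
        if not tokens:
            continue
        if tokens[0] == "config" and len(tokens) >= 2:
            sections.append((tokens[1], {}))
        elif tokens[0] == "option" and len(tokens) >= 3 and sections:
            sections[-1][1][tokens[1]] = tokens[2]
    return sections

def open_interfaces(text):
    """List wifi-iface sections whose link is unencrypted, as (mode, ssid)."""
    findings = []
    for kind, opts in parse_uci(text):
        if kind != "wifi-iface":
            continue
        # OpenWrt treats a missing 'encryption' option as an open network.
        if opts.get("encryption", "none") == "none":
            findings.append((opts.get("mode", "?"), opts.get("ssid", "?")))
    return findings

if __name__ == "__main__":
    for mode, ssid in open_interfaces(SAMPLE_WIRELESS):
        print(f"unencrypted {mode} interface: {ssid}")
```

In UCI, `mode 'ap'` is what the web interface shows as Master and `mode 'sta'` is Client; once the Master section carries `option encryption 'psk2'` and a key, only the client link to the camera is still reported.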
     
  6. zenoshrdlu

    Joined:
    Apr 3, 2014
    Messages:
    91
    Likes Received:
    1
    Location:
    Totnes, Devon
    Thanks for these investigations. I'm not sure yet what use to make of them, but as a keen CHDK/SDM hacker I'm sure there are scripts I'll be able to make and use.
     
  7. dragonash

    Joined:
    Mar 21, 2014
    Messages:
    906
    Likes Received:
    11
    Location:
    Brooklyn, NY

    Very interesting.
    But would it save the settings after a reboot? (I don't have one to test)
     
  8. AnselA

    Joined:
    Jan 2, 2014
    Messages:
    896
    Likes Received:
    0
    Location:
    Declination +8° 11'
    :twisted:

    Let's hope DJI will not change the root passwd in future firmware upgrades...
     
  9. verygreen

    Joined:
    May 25, 2014
    Messages:
    7
    Likes Received:
    0
    Yes, it will save the settings of course.
    After all how do you think they save their own settings.
     
  10. verygreen

    Joined:
    May 25, 2014
    Messages:
    7
    Likes Received:
    0
    Well, they never even updated this part of firmware.
    The "camera firmware" update you saw only updates the actual camera thing that lives on 192.168.1.10

    The repeater thing image was built on 7/18/2013, the camera-wifi image was built on 10/8/2013.
    Neither of them actually reads the sdcard for updates either. So the only realistic way I see to update those firmwares is by uploading updates there via wifi when the DJI app is connected. But then the problem is, there is no internet connection to download the image from somewhere should it appear that the two systems are out of date. Those systems are also not accessible when you connect via USB, so Assistant app on the computer could not update them either.

    It's not like it's totally impossible, mind you. They can cache the latest version in the app if you happen to run the app when there's real internet (though it's dangerous as it might cause data overages unexpectedly), or they can ship the latest images inside of the app every time there's an app update (making the app image grow quite a bit).
    But overall it seems like there were no plans to make updates to those wifi components ever.
     
  11. dragonash

    Joined:
    Mar 21, 2014
    Messages:
    906
    Likes Received:
    11
    Location:
    Brooklyn, NY
    trials with the fc40 camera resulted in the opposite.
    We were able to change the SSID of the camera, but it would not save after reboot
     
  12. AnselA

    Joined:
    Jan 2, 2014
    Messages:
    896
    Likes Received:
    0
    Location:
    Declination +8° 11'
    I managed to connect to 192.168.1.2 but 192.168.1.1:1026 failed. It could be even useful to download DNG files, which vision app doesn't support.
     
  13. verygreen

    Joined:
    May 25, 2014
    Messages:
    7
    Likes Received:
    0
    You are right, it's not really http as it turned out, even though it is driven by php-fcgi.

    Anyway, if you need to download the files, including DNG - you just need to enter the "Album" mode from your phone app, and after that use ssh from your computer to get content of /mnt/sda1. Use any number of freely available Windows ssh clients, or openssh is already shipped with MacOS out of the box.
     
  14. isopro

    Joined:
    May 29, 2014
    Messages:
    387
    Likes Received:
    119
    I was wondering, when I spotted the dBm setting in the OpenWrt Barrier, it is set to the max available setting of 27 dBm; would there be a way to tweak this in some way in order to increase the output power of the Phantom 2 Vision over 27 dBm, or is it the max output power that this hardware can do?
     
  15. AnselA

    Joined:
    Jan 2, 2014
    Messages:
    896
    Likes Received:
    0
    Location:
    Declination +8° 11'
    Thanks, that is a really tempting way to get around the Vision app bug. And one can get the large DNG files directly to a spacy network drive... (But I am currently busy, it will take a week or so before I can test it.)
     
  16. brizey

    Joined:
    Jan 19, 2014
    Messages:
    70
    Likes Received:
    0
    Location:
    USA
    port the nazagps decoder lib for arduino and you could make a nice where is my drone map ser2net
     
  17. retrait

    Joined:
    May 30, 2014
    Messages:
    1
    Likes Received:
    0
    to verygreen:

    I have a P 2 Vision and for some reasons I had to do a reset of the wifi repeater in order to have the network shown on my iPhone but did not realize that I had to rebind the camera afterwards. No QR code as my box was tossed away. Well, Tech Support from DJI was not avail after several days but this thread has helped me to retrieve my Camera's MAC ID. I was able to access the camera as before. Had to do a hard power-cycle and was able to see my camera work. I am thrilled. I would like to express my appreciation.
     
  18. zenoshrdlu

    Joined:
    Apr 3, 2014
    Messages:
    91
    Likes Received:
    1
    Location:
    Totnes, Devon
    I'm very interested in capturing the telemetry that is transmitted via 192.168.1.1 port 2001. What's the best way of capturing the stream for analysis on a Mac laptop (I'm not that familiar with linux tools, but am happy with java networking)?

    Further on, what would be the best way of doing this on my Nexus tablet while running the DJI app - would it be possible to run a proxy server on the Nexus which connected to the range extender and logged the telemetry while providing a pass-through link for the DJI app to access the Phantom?
     
  19. brizey

    Joined:
    Jan 19, 2014
    Messages:
    70
    Likes Received:
    0
    Location:
    USA
    think it may be udt over udp
     
  20. isopro

    Joined:
    May 29, 2014
    Messages:
    387
    Likes Received:
    119
    OK, so when I found this thread I noticed in the router config there is an option to set the dBm at 27 (501mw). I tried playing with that option and applying changes but it would always show as:


    Mode: Client | SSID: FC200_008fa8
    BSSID: 60:60:1F:******* | Encryption: None
    Channel: 1 (2.412 GHz) | Tx-Power: 20 dBm

    After testing I noticed that if I change the country code to BO and apply then it shows as

    Mode: Client | SSID: FC200_008fa8
    BSSID: 60:60:1F:******* | Encryption: None
    Channel: 1 (2.412 GHz) | Tx-Power: 27 dBm

    But if I reboot the Phantom and reconnect, it shows that the BO country code setting was saved BUT shows as 20; even if I try to apply the 27 setting it stays at 20:

    Mode: Client | SSID: FC200_008fa8
    BSSID: 60:60:1F:******* | Encryption: None
    Channel: 1 (2.412 GHz) | Tx-Power: 20 dBm

    But if I set again to US after, it goes back to 27 until I reboot:

    Mode: Client | SSID: FC200_008fa8
    BSSID: 60:60:1F:******* | Encryption: None
    Channel: 1 (2.412 GHz) | Tx-Power: 27 dBm

    So changing the country code while the Phantom is booted actually changes the dBm setting according to how it is configured, but rebooting resets that dBm change while keeping the country code applied.
    I still have to test if this actually increases FPV range of the wifi, and if yes how I could simplify this process into a couple of clicks or even a simple software.
    I would like to know the opinion of someone more experienced than me, and here it is raining right now so I can't go out and do a range test; if someone could try this and provide feedback here or msg me in private.
    I'm also wondering, if I put WPA2 encryption and change the name of the Master Connection, whether I risk bricking the Camera or Repeater, and if there's a way to reset everything to default in case I make a mistake testing?