FCC hack in 2023

Confucian · Apr 2, 2023

Hi All
This may be an "old cherry", has anyone here successfully hacked P3P from CE to FCC . ?
I have spent many hours reading and trying things that may of worked in 2017 but due to the authors moving on to other things and PS's being considered legacy tech today no loner work.

quaddamage · Apr 3, 2023

I just set all the attenuation values to 0. So I'm getting CE compliant frequency channels, but at max power available to the OFDM board.

Confucian · Apr 3, 2023

quaddamage said:
I just set all the attenuation values to 0. So I'm getting CE compliant frequency channels, but at max power available to the OFDM board.

hi quaddamage.
Ok so not wishing to appear completley dim, which Attenuation values and how do you change them.

quaddamage · Apr 3, 2023

Confucian said:
which Attenuation values

All of them. On both sides (AC and RC).

For example, here are the names of all parameters on AC side:

Code:

$ grep name P3X_FW_V01.07.0060_m0900.json
                "name" : "og_hardcoded.lightbridge_stm32.packet_received_attenuation_override"
                "name" : "og_hardcoded.lightbridge_stm32.packet_received_attenuation_value"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad4_attenuation_tx1_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad4_attenuation_tx2_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad5_attenuation_tx1_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad5_attenuation_tx2_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar6_attenuation_tx1_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar6_attenuation_tx2_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar7_attenuation_tx1_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar7_attenuation_tx2_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad2_attenuation_tx1_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad2_attenuation_tx2_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad4_attenuation_tx1_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad4_attenuation_tx2_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad5_attenuation_tx1_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad5_attenuation_tx2_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar6_attenuation_tx1_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar6_attenuation_tx2_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar7_attenuation_tx1_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar7_attenuation_tx2_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad2_attenuation_tx1_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad2_attenuation_tx2_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.mcu_firmware_version"

So:
1. Enabled attenuation_override, set override value to 0
2. Set all per-board values to 0 (not sure idea which board I have)
3. Incremented version number, so that I can flash it without the debug forcing

Confucian said:
how do you change them

Extract, modify, repack. Then flash.

Harleydude · Apr 8, 2023

Another way is to use a hacked version of the DJI Assistant software, which allows the user to access parameters otherwise not accessible by the average user. This is what I used to hack all the limits out of my P4P and my Mavic Pro. It's been years since I've used this, so I can't give you a tutorial, but I can give you some bread crumbs;

1) DJI Assistant software (MAY require the legacy version - I can't remember).
2) There is a hack to open up the software, which opens up options to go into "Parameter Mode" (or something like that).
3) Once the hacked version of DJI Assistant is open, there is a boolean option to put the software into "Parameter Mode."
4) One in parameter mode you have the option to change parameters embedded in the firmware. HUGE WARNING: You can really screw your bird up if you're not careful. Take notes. Change one value at a time. Fly with caution.

Google and YouTube are your friends. I BELIEVE YouTuber DigDat0 is a good place to start. Now you know what to look for.

Good luck.

D

geekgai · Aug 12, 2023

Confucian said:
Hi All
This may be an "old cherry", has anyone here successfully hacked P3P from CE to FCC . ?
I have spent many hours reading and trying things that may of worked in 2017 but due to the authors moving on to other things and PS's being considered legacy tech today no loner work.

Hi, I own a P3A, and I've been trying to crack CE to FCC for years too, without success. Are you successful so far?

geekgai · Aug 12, 2023

quaddamage said:

All of them. On both sides (AC and RC).

For example, here are the names of all parameters on AC side:

Code:

$ grep name P3X_FW_V01.07.0060_m0900.json
                "name" : "og_hardcoded.lightbridge_stm32.packet_received_attenuation_override"
                "name" : "og_hardcoded.lightbridge_stm32.packet_received_attenuation_value"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad4_attenuation_tx1_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad4_attenuation_tx2_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad5_attenuation_tx1_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad5_attenuation_tx2_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar6_attenuation_tx1_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar6_attenuation_tx2_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar7_attenuation_tx1_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar7_attenuation_tx2_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad2_attenuation_tx1_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad2_attenuation_tx2_ce"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad4_attenuation_tx1_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad4_attenuation_tx2_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad5_attenuation_tx1_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad5_attenuation_tx2_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar6_attenuation_tx1_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar6_attenuation_tx2_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar7_attenuation_tx1_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ar7_attenuation_tx2_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad2_attenuation_tx1_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.board_ad2_attenuation_tx2_fcc"
                "name" : "og_hardcoded.lightbridge_stm32.mcu_firmware_version"

So:
1. Enabled attenuation_override, set override value to 0
2. Set all per-board values to 0 (not sure idea which board I have)
3. Incremented version number, so that I can flash it without the debug forcing

Extract, modify, repack. Then flash.

Hello, quaddamage. On AC, we need to modify the m900 module to increase the transmission power, so which module should we modify to increase the transmission power on RC? In addition, can the latest official firmware (AC and RC are both the latest versions) be modified successfully?

quaddamage · Aug 12, 2023

geekgai said:
which module should we modify to increase the transmission power on RC

I couldn't remember, so I checked the project on github. In the test they're executing to validate changes:
dji-firmware-tools XV4 format test results

In there, I found the following log messages. I think they explain everything you wanted to know:

Code:

INFO     test_lightbridge_stm32_hardcoder1:test_lightbridge_stm32_hardcoder1.py:55 Testcase file: out/gl300abc-radio_control/C1_FW_V01.00.0004-split1/C1_FW_V01.00.0004_m1400.elf
INFO     test_lightbridge_stm32_hardcoder1:test_lightbridge_stm32_hardcoder1.py:129 ./lightbridge_stm32_hardcoder.py -vvv -x -e out/gl300abc-radio_control/C1_FW_V01.00.0004-split1/C1_FW_V01.00.0004_m1400.elf -o out/gl300abc-radio_control/C1_FW_V01.00.0004-split1/C1_FW_V01.00.0004_m1400.json
INFO     test_lightbridge_stm32_hardcoder1:test_lightbridge_stm32_hardcoder1.py:160 ./lightbridge_stm32_hardcoder.py -vvv -u -o out/gl300abc-radio_control/C1_FW_V01.00.0004-split1/C1_FW_V01.00.0004_m1400.mod.json -e out/gl300abc-radio_control/C1_FW_V01.00.0004-split1/C1_FW_V01.00.0004_m1400.mod.elf
INFO     test_lightbridge_stm32_hardcoder1:test_lightbridge_stm32_hardcoder1.py:55 Testcase file: out/gl300abc-radio_control/C1_FW_v01.09.0000-split1/C1_FW_v01.09.0000_m1401.elf
INFO     test_lightbridge_stm32_hardcoder1:test_lightbridge_stm32_hardcoder1.py:129 ./lightbridge_stm32_hardcoder.py -vvv -x -e out/gl300abc-radio_control/C1_FW_v01.09.0000-split1/C1_FW_v01.09.0000_m1401.elf -o out/gl300abc-radio_control/C1_FW_v01.09.0000-split1/C1_FW_v01.09.0000_m1401.json
INFO     test_lightbridge_stm32_hardcoder1:test_lightbridge_stm32_hardcoder1.py:160 ./lightbridge_stm32_hardcoder.py -vvv -u -o out/gl300abc-radio_control/C1_FW_v01.09.0000-split1/C1_FW_v01.09.0000_m1401.mod.json -e out/gl300abc-radio_control/C1_FW_v01.09.0000-split1/C1_FW_v01.09.0000_m1401.mod.elf

geekgai said:
an the latest official firmware (AC and RC are both the latest versions) be modified successfully

I can't remember if I tried that; just try and look at what the script is giving. If it can export the params to JSON format, then modifying them will work. If it doesn't work, the related parameters will be just missing.

Search

Search

FCC hack in 2023

Confucian

quaddamage

Confucian

quaddamage

Harleydude

geekgai

geekgai

quaddamage

Similar threads

Recent Posts

Members online

Forum statistics