Welcome to PhantomPilots.com

  1. CzokNorris

    Joined:
    Sep 15, 2016
    Messages:
    12
    Likes Received:
    7
    Hi,
    I got a broken Phantom 4 off eBay and repaired it (broken voltage reg). I have been flying, which is fun, but it's annoying that the link breaks down after 1000m-2500m and that I can't go higher than 500m (I live in the Alps and want to go up mountains, always relatively close to ground, but still can't go up).
    Then I googled it and found out that the Phantom will transmit with 40mW only in CE-controlled regions. Some people say it sets this automatically via GPS. I dislike that.

    I heard that on older versions like the P3S there is a way to connect to the drone and set TX power to 27db. Unfortunately the P4 doesn't have WiFi, but instead some Lightbridge protocol, it seems. This means it will be difficult to connect to the remote controller itself.

    The drone however can be connected to via USB which sets up a network link to the P4 from the USB host.

    I used nmap to scan for live hosts on 192.168.0.0/16
    The command is:
    nmap -sP 192.168.0.0/16
    on a Mac; it should be the same on Linux.

    This showed that there are two hosts up:
    192.168.42.2 (the phantom)
    192.168.42.3 (myself)

    I scanned for open ports on the Phantom (full range up to port 65k).
    nmap 192.168.42.2 -p-

    This showed that the following ports are open:
    21 (FTP)
    8905 (TCP, Protocol unknown?)
    8906 (TCP, Protocol unknown?)
    8907 (TCP, Protocol unknown?)
    8908 (TCP, Protocol unknown?)

    I tried to use SSH, but there are no open SSH ports and the connection is refused on the currently open ports.
    I tried to connect via telnet and there is a varying degree of activity on those ports. They seem to be some kind of debug ports with varying levels of verbosity.
    Unfortunately most of the output is unreadable even though occasionally some readable strings seem to come up like ("gimbal lost! 1242U<ÇÂ%!≠fi\:
    uav on the ground! 1249U0CÇÂ%!≠fi]:*")...
    Very weird.
    Does anyone know how to read this? I tried to open it with various types of encoding, but it just looks ununderstandable whichever way I turn it.

    Do you guys think that DJI is encrypting this, or what's going on? Why encrypt that? Maybe it's a local thing to make everything unnecessarily obscure and harder. I mean, they don't have any additional profit from that. If I had a company like that, I would definitely leave everything open. If people want to transmit at 5W, it's not my problem as long as the product is shipped compliant by default and the hack is reasonably hard so they can't tell me that it was on purpose. (I can still leak the hack on purpose in the hidden so the hobbyist community has an easier time "finding" it). Sometimes I really don't understand those businesses.

    I also FTPed into the bird. It seems like there are some files that look promising, but they also seem to be encrypted, or maybe I just don't know how to open them properly. E.g. a file named config_table.xml. (I added it to my post).

    Does anyone know how to force this thing into Maximum TX Power mode (drone&remote for video link&control link)?
    Does anyone know how to bypass the 500m limit?
    Does anyone know how to read those files?
    Does maybe anyone know how to interface with the remote?

    Also, when I took the thing apart I noticed that there is an additional SD card (4GB) on the gimbal board. Has anyone taken a look at that?
    Does maybe someone know where there is a serial interface on the remote or the bird? For a console or something to control the boot process?

    I hope there are some people out there who got more progress than myself. It looks very interesting that there seems to be a real Operating System on the drone. Many mods possible.
    Just think about what we could do: Forward the data over cellular network for virtually unlimited range or do things like lift the battery restrictions to use standard lipos and stuff like that.
    If this thing annoys me too much I will just sell it off and drop the hobby I guess...

    PS: I also got a second Phantom 4 off eBay for ~180€ which could also be recovered (a flat flex was defective). On this drone with older firmware the filesystem in FTP is similar, but some files are missing. Also in telnet the ports are the same, but the output looks substantially different. But I will sell off this drone now, so I can't look into that one too much any more.

    PPS: I also discovered an additional USB plug on the gimbal board inside the drone. Anyone any idea what this is for? It doesn't seem to show any life.
     

    Attached Files:
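
Added example (not part of the original post, and not DJI code): a quick triage of a captured byte stream like the telnet output described above, separating a binary protocol that carries readable strings from high-entropy data that is encrypted or compressed. The frame layout, sample bytes and thresholds are constructed assumptions for illustration, not the drone's actual format.

```python
import hashlib
import math
import re
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_runs(data: bytes, min_len: int = 6) -> list:
    """ASCII runs of at least min_len bytes, as strings(1) would report."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def classify(data: bytes) -> str:
    """Rough triage: share of bytes in readable runs first, then entropy."""
    text_ratio = sum(len(r) for r in printable_runs(data)) / max(len(data), 1)
    if text_ratio > 0.9:
        return "plain text"
    if text_ratio >= 0.2:
        return "binary framing with embedded text"
    if shannon_entropy(data) > 7.5:
        return "high entropy: encrypted or compressed"
    return "binary, structure unknown"

def constructed_framed_stream(frames: int = 40) -> bytes:
    """Constructed sample: made-up 6-byte header + ASCII message + 4-byte trailer."""
    msgs = [b"gimbal lost!", b"uav on the ground!"]
    out = bytearray()
    for i in range(frames):
        out += bytes([0xAA, i & 0xFF, 0x00, 0x01, 0x9C, 0xE5])
        out += msgs[i % 2]
        out += bytes([0x81, 0xFE, 0x00, 0x0A])
    return bytes(out)

def constructed_ciphertext_like(size: int = 4096) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 output in counter mode."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(size // 32 + 1))
    return b"".join(blocks)[:size]

if __name__ == "__main__":
    for name, blob in [("framed", constructed_framed_stream()),
                       ("ciphertext-like", constructed_ciphertext_like())]:
        print(f"{name}: {shannon_entropy(blob):.2f} bits/byte, {classify(blob)}")
        print("  readable runs:", printable_runs(blob)[:2])
```

Readable messages surrounded by unreadable bytes point to a binary log or telemetry framing viewed as text; encrypted output would show no stable strings and entropy near 8 bits per byte.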

  2. Dacon Productions

    Joined:
    Jan 5, 2016
    Messages:
    592
    Likes Received:
    268
    Location:
    Gilbert, Arizona
    Tx power out is set by the GO app.
     
  3. CzokNorris

    Joined:
    Sep 15, 2016
    Messages:
    12
    Likes Received:
    7
    I don't think so.
    - The bird can be flown without connecting a smartphone.
    - There are also other apps using the SDK, like Litchi.
    - The SDK reference on DJI's website doesn't mention such a feature.
    - In some other place I read that the drone's GPS location on startup is used.
    - Even if it's set by the app, there should be options to override that, like in the P3S range mod by altering the config file.

    Seems like we need access to the root file system of the remote and the drone. Just modding one of them won't help much because we need the range for up- and downlink.

    Does anyone know anything about some debug modes of the drone, serial ports, the telnet sockets? The encryption?
     
  4. wassala!

    Joined:
    Jul 20, 2016
    Messages:
    51
    Likes Received:
    8
    About the 500mt limit: I think that to go higher you just have to reach 500mt then choose the RTH command on your remote and then keep pushing high the left stick. It should pass 500mt.

    W la figa
     
  5. wassala!

    Joined:
    Jul 20, 2016
    Messages:
    51
    Likes Received:
    8
    I am very interested in this topic. Some internal programming mods would be awesome.

    W la figa
     
  6. neven

    Joined:
    Jan 5, 2016
    Messages:
    338
    Likes Received:
    113
    Location:
    Zagreb, Croatia, Europe
    That was patched in newer firmwares
     
  7. wassala!

    Joined:
    Jul 20, 2016
    Messages:
    51
    Likes Received:
    8
    This means it doesn't work anymore?

    W la figa
     
  8. neven

    Joined:
    Jan 5, 2016
    Messages:
    338
    Likes Received:
    113
    Location:
    Zagreb, Croatia, Europe
    Haven't tested myself but others reported that it is not working.
     
  9. wassala!

    Joined:
    Jul 20, 2016
    Messages:
    51
    Likes Received:
    8
    And I guess it's not app related right? Ouch

    W la figa
     
  10. neven

    Joined:
    Jan 5, 2016
    Messages:
    338
    Likes Received:
    113
    Location:
    Zagreb, Croatia, Europe
    AC firmware limitation. Barometer limit +500
     
  11. wassala!

    Joined:
    Jul 20, 2016
    Messages:
    51
    Likes Received:
    8
    By chance do you know until what firmware version it worked?

    W la figa
     
  12. neven

    Joined:
    Jan 5, 2016
    Messages:
    338
    Likes Received:
    113
    Location:
    Zagreb, Croatia, Europe
    Last one without altitude limit was 1.19 and RTH exploit was patched probably somewhere around that drone-killer FW 1.5. Maybe one before or one after.
     
  13. wassala!

    Joined:
    Jul 20, 2016
    Messages:
    51
    Likes Received:
    8
    So installing the 1.19 should be safe

    W la figa
     
  14. neven

    Joined:
    Jan 5, 2016
    Messages:
    338
    Likes Received:
    113
    Location:
    Zagreb, Croatia, Europe
    You can only downgrade one version.
     
  15. wassala!

    Joined:
    Jul 20, 2016
    Messages:
    51
    Likes Received:
    8
    Then I am faked. I have some beautiful mountains, vertical ones, VERY vertical, that would be great to video with the p4 starting from the bottom. No one is there. No ppl no planes (obviously planes don't fly in between mountains) no nothing. Just a beautiful landscape. But I need about 1100mt.

    W la figa
     
  16. CzokNorris

    Joined:
    Sep 15, 2016
    Messages:
    12
    Likes Received:
    7
    Didn't work for me. I tried this some time ago when I saw this on YouTube. Does it work for you? Did you try?
     
  17. CzokNorris

    Joined:
    Sep 15, 2016
    Messages:
    12
    Likes Received:
    7
    Does anyone know anything about those telnet ports? Or some secret FTP account?
    Maybe some other direct access to the Linux file system. Any info about those internal SD cards? Or hardware serial ports?
    Does anyone know something about the encryption used? Can't be that hard after all.

    I looked at the firmware, but it also looks encrypted.
     
  18. wassala!

    Joined:
    Jul 20, 2016
    Messages:
    51
    Likes Received:
    8
    No, I didn't so far, but I guess it's not working

    W la figa
     
  19. neven

    Joined:
    Jan 5, 2016
    Messages:
    338
    Likes Received:
    113
    Location:
    Zagreb, Croatia, Europe
    Internal SD is "black box"
     
  20. CzokNorris

    Joined:
    Sep 15, 2016
    Messages:
    12
    Likes Received:
    7
    I found a serial interface on the board of the P4. Does anyone know the baud rate, stop bits and things?