Messages in EnhancedWifi

[2022-03-28 00:02:21] hostile : hostile joined the channel.
[2022-03-28 00:02:47] hostile : This appears to be the function where the "random" adhoc password is set for the Enhanced Wifi link.
[2022-03-28 00:44:03] will : will joined the channel.
[2022-03-28 00:49:14] cs2000 : cs2000 joined the channel.
[2022-03-28 01:17:28] hostile : looks like the Mini SE is using version 5.0.0.79 of the Atheros kernel module FWIW.
[2022-03-28 01:22:13] fredmicrowave : fredmicrowave joined the channel.
[2022-03-28 01:30:55] mavic2reverser : mavic2reverser joined the channel.
[2022-03-28 01:33:37] hostile : Nice that the Open Ath9k firmware proper supports the quarter rate channels. https://github.com/qca/open-ath9k-htc-firmware/search?q=quarter
[2022-03-28 01:34:07] hostile : ```This is the firmware for the Qualcomm Atheros AR7010 and AR9271 USB 802.11n NICs.```
[2022-03-28 01:34:36] hostile : This needs tested. Having the ability to use USB NICs is key for mobile fuckery. Not everyone has an M.2 slot in their device.
[2022-03-28 02:04:17] hostile : This shit here is not in the regular driver. "selected 11p 5M mode"
[2022-03-28 02:31:08] hostile : This is where it sets up the adhoc link, and preps the vendor IE
[2022-03-28 02:31:32] hostile : then it props the link up with the random password as a WEP key.
[2022-03-28 03:37:06] flyingkite : flyingkite joined the channel.
[2022-03-28 04:59:03] d95gas : d95gas joined the channel.
[2022-03-28 05:18:39] hostile : looks like possibly when downloading firmware it uses a different channel rate
[2022-03-28 05:19:11] hostile : seems the RC is the place that the request is made for the bw settings.
[2022-03-28 05:21:58] hostile : there is a width_switch.sh that handles the change.
[2022-03-28 05:23:25] hostile : Looks like it tries to make sure the width is good, and if not, falls back to the 5mhz channel spacing.
[2022-03-28 05:26:26] oakley75 : oakley75 joined the channel.
[2022-03-28 05:57:28] jezzab : jezzab joined the channel.
[2022-03-28 06:27:58] skyninja : skyninja joined the channel.
[2022-03-28 06:32:39] tmbinc : tmbinc joined the channel.
[2022-03-28 06:33:26] atlantic : atlantic joined the channel.
[2022-03-28 06:55:56] w0h : w0h joined the channel.
[2022-03-28 07:07:12] konraditurbe : konraditurbe joined the channel.
[2022-03-28 10:02:58] loaderbull : loaderbull joined the channel.
[2022-03-28 10:22:47] the_lord : the_lord joined the channel.
[2022-03-28 10:25:28] the_lord : watch their prices rise on aliexpress and taobao :sweat_smile:
[2022-03-28 10:43:20] doctor : doctor joined the channel.
[2022-03-28 10:50:38] j4ck : j4ck joined the channel.
[2022-03-28 11:16:43] dkovar : dkovar joined the channel.
[2022-03-28 13:21:01] lurker : lurker joined the channel.
[2022-03-28 14:03:15] droneuser : biosblob joined the channel.
[2022-03-28 14:39:10] faineg : faineg joined the channel.
[2022-03-28 15:13:08] w0h : Probably a dumb question, but does anyone know if the OccuSync drones also spit out the drone ID packets as WiFi beacons at 5 Mhz?
[2022-03-28 15:25:42] the_lord : Mavic 3 broadcasts EU droneID as WiFi beacon when it's in an EU country with mandatory droneID like France
[2022-03-28 15:30:05] the_lord :
[2022-03-28 15:44:18] hostile : @w0h that answer is no. Occusync does not send Wifi Beacons. The aeroscope has an AR600x series card in it specifically for receiving enhanced wifi droneid beacons. It uses SDRs for Lightbridge, and Occusync protocols.
[2022-03-28 15:52:55] fredmicrowave : Wifi beacons, from the drone, right? That screenshot made me wonder.
[2022-03-28 15:53:07] hostile : correct
[2022-03-28 15:53:27] hostile : there are two specs in play droneID, and the EU spec
[2022-03-28 15:53:56] hostile : some drones also have a wifi card in them, there used to be an old Wifi mode where you flip a switch and fly from your phone with no RC.
[2022-03-28 15:54:45] fredmicrowave : Got it. tnx. Mp1 had that feature that nobody used.
[2022-03-28 15:54:57] hostile : so pedantically, no occusync isn't sending a wifi beacon, but the drone may indeed have multiple radios, one used for C2, and one as the wifi beacon perhaps?
[2022-03-28 15:55:12] w0h : Well I'm a bit confused now by both statements from @the_lord and @hostile. So the SDR in recent drones != Mini SE is exclusively used for OccuSync. AeroScope packets are part of OccuSync and differ from the drone ID implementation. For the EU drone ID implementation some drones have a wifi card that sends those packets. Is this correct?
[2022-03-28 15:55:32] hostile : Mini SE is not occusync it is Wifi
[2022-03-28 15:55:40] w0h : Yes that's what I meant
[2022-03-28 15:55:58] hostile : Aeroscope has its own droneID beacons sent out of band over the RF layer it uses.
[2022-03-28 15:55:58] hostile : Occusync has its own droneID beacons sent out of band over the RF layer it uses.
[2022-03-28 15:56:30] hostile : so yes Occusync as a datapipe, also has out of band droneid beacons parallel to its c2 link.
[2022-03-28 15:56:55] hostile : Enhanced wifi uses vendor ie tags in the beacon packets to transmit.
[2022-03-28 16:00:01] the_lord : there is SDR and WiFi in Mavic 3 , SDR for Ocusync and WiFi for EU droneID/remoteID
[2022-03-28 16:00:13] the_lord : I believe I have a picture of the WiFi PCB
[2022-03-28 16:00:18] w0h : Okay thank you very much, I think I mixed EU Drone ID, AeroScope and EnhancedWiFi.
[2022-03-28 16:01:33] w0h : Ok last question. Isn't the point of EU Drone ID that everyone can receive information about drones in the immediate vicinity? Why would DJI transmit this at a bandwidth of 5 Mhz? I am not aware of any current WiFi chips in smartphones that support 5 Mhz bandwidth.
[2022-03-28 16:03:24] fredmicrowave : When you look at a video named "mavic3 disassembly" on YT, the very first thing the guy removes is a small RF module on a separate board. Maybe wifi?
[2022-03-28 16:04:42] the_lord : droneID is broadcasted using 5 MHz WiFi if the drone is using WiFi only like Mini, Mini SE, ...; droneID is broadcasted using SDR if the drone is LB/OC; EU droneID/remoteID is transmitted on regular WiFi like Parrot Anafi and Mavic 3, ...
[2022-03-28 16:05:26] w0h : Ah with drone ID meaning AeroScope drone ID?
[2022-03-28 16:06:03] w0h : Ok thanks everyone.. now I got it...
[2022-03-28 16:07:36] the_lord : from youtube
[2022-03-28 16:07:47] fredmicrowave : Yes, that one
[2022-03-28 16:08:12] the_lord : this is the WiFi module in M3
[2022-03-28 16:08:22] the_lord : yes
[2022-03-28 16:47:06] hostile : @w0h "Why would DJI transmit this at a bandwidth of 5 Mhz? I am not aware of any current WiFi chips in smartphones that support 5 Mhz bandwidth." this is only for enhanced wifi, not the EU variant. The 5mhz channel spacing is to make the link handle better as a point to point adhoc connection moving through the air. Unrelated to the droneID broadcasts in general.
[2022-03-28 16:48:48] hostile : I believe this is the one for the EU spec? is that right? https://github.com/opendroneid/transmitter-linux
[2022-03-28 16:49:20] w0h : Yes it also contains a demo app for android.
[2022-03-28 16:50:04] w0h : There's some additional information in this document: https://asd-stan.org/wp-content/uploads/ASD-STAN_DRI_Introduction_to_the_European_digital_RID_UAS_Standard.pdf. But not that interesting.
[2022-03-28 16:51:27] hostile : posted in ~aeroscope-droneid a second ago, but funny Mavlink now has droneID too. https://mavlink.io/en/messages/common.html#OPEN_DRONE_ID_BASIC_ID
[2022-03-28 17:21:25] hostile : @konraditurbe posted about the EU standard here @w0h https://dji-rev.com/dji-rev/pl/hb1hcw886fdgjfxxhhrpp3j7dy
[2022-03-28 17:27:01] skyninja : EU spec: ASD-STAN prEN 4709-002 (2021-10-01)
[2022-03-28 17:38:34] the_lord : https://github.com/khancyr/droneID_FR here is the French droneID generator
[2022-03-28 17:40:04] the_lord :
[2022-03-28 17:52:43] w0h : Yes thanks, that looks like the sample app.
[2022-03-28 18:52:36] skyninja : French national standard is/will become obsolete in favour of the EU standard.
[2022-03-28 19:25:56] hostile : wish me luck with this USB based ATH9k. Gonna try to hopefully get it to speak quarter rate.
[2022-03-28 19:28:21] hostile :
[2022-03-28 20:04:02] hostile : Trying to get the open firmware to work now. Note the slight difference.
[2022-03-28 20:04:10] hostile :
[2022-03-28 20:06:45] hostile : doesn't like my attempt at putting it in 5mhz tho.
[2022-03-28 20:06:46] hostile :
[2022-03-28 20:57:24] hostile : Oh interesting... Messing around in qemu and noticed they may actually have moved to wpa-psk. That would be nice. I wonder if they use the ad-hoc with WEP to get the link up, then switch over to WPA psk.
[2022-03-28 20:57:30] hostile :
[2022-03-29 12:36:26] flyte9 : flyte9 joined the channel.
[2022-03-30 08:17:31] il1oo0 : il1oo0 joined the channel.
[2022-03-30 10:20:51] demion : demion joined the channel.
[2022-03-30 13:02:45] masskrug : masskrug joined the channel.
[2022-03-30 18:22:04] sergey.muhlynin : sergey.muhlynin joined the channel.
[2022-03-31 03:25:51] hostile : Ok folks i'm back up!
[2022-03-31 03:25:58] hostile : https://twitter.com/d0tslash/status/1509371029096914945
[2022-03-31 03:26:09] hostile : https://twitter.com/d0tslash/status/1509370168736161794
[2022-03-31 04:02:11] rflagg : rflagg joined the channel.
[2022-03-31 05:19:37] hostile : Welp Enhanced Wifi still cracks in 6 seconds. The link wasn't on that long TBH maybe a few minutes total.
[2022-03-31 05:19:37] hostile : Welp Enhanced Wifi still cracks in seconds. The link wasn't on that long TBH maybe a few minutes total.
[2022-03-31 05:26:28] hostile : use the --old-pcap option with kismetdb_to_pcap https://www.kismetwireless.net/docs/readme/kismetdb_to_pcap/ and then pass to aircrack-ng.
[2022-03-31 05:57:57] hostile : just confirmed the WEP key worked
[2022-03-31 06:00:18] hostile : https://wiki.wireshark.org/HowToDecrypt802.11
[2022-03-31 10:37:40] skyninja : The WEP password is always five random A-Z characters? I am trying to aircrack-ng some DJI traffic I captured with my outdoor hotspot. These drones are not my own, they just passed by.
[2022-03-31 10:41:26] skyninja : so i generated a wordlist with all combinations of five times A-Z. But no key found.
[2022-03-31 10:42:07] skyninja : Apparently I captured not enough IVs to find the key that way.
[2022-03-31 12:46:11] freaky123 : freaky123 joined the channel.
[2022-03-31 15:29:58] hostile : yes @skyninja Always
[2022-03-31 15:30:13] hostile : not sure about a-z but always 5 chars.
[2022-03-31 15:30:34] hostile : did you use aircrack-ng?
[2022-03-31 15:50:31] tmbinc : Is this related to the "wifi_key=xxxxxxxx" kernel cmdline argument?
[2022-03-31 15:50:55] skyninja : I used aircrack-ng version 1.6
[2022-03-31 15:51:27] tmbinc : wifi_key, at least on modern drones, is a function of the ProductSN
[2022-03-31 15:51:34] tmbinc : (and the internally fused global key)
[2022-03-31 15:51:42] tmbinc : i.e. we could compute it for any target
[2022-03-31 15:52:01] skyninja : cool.
[2022-03-31 15:52:23] tmbinc : I haven't checked how it's generated for Mini1 though
[2022-03-31 15:52:27] skyninja : is product SN same as drone id in the packets
[2022-03-31 15:52:46] tmbinc : I think so but I'm not sure
[2022-03-31 15:53:20] skyninja : I can provide you a droneid, if you calculate the key, then we can check (-:
[2022-03-31 15:54:34] tmbinc : It may be slightly different for mini though
[2022-03-31 15:54:43] hostile : I'd not seen that key argument @tmbinc very well could be. I assumed it to be "random" but yeah taking values to pre-generate makes sense
[2022-03-31 16:05:36] droneuser : aeroscope units probably have the wep global key
[2022-03-31 16:07:49] skyninja : The drone id is in the beacon frame that is unencrypted.
[2022-03-31 16:09:37] hostile : no @droneuser they don't. DroneID runs parallel to the c2 link, always has.
[2022-03-31 16:11:18] droneuser : then why did you need the wep key to see the drone ID in wireshark? wouldn't aeroscope theoretically need the decryption key too?
[2022-03-31 16:12:11] hostile : you don't
[2022-03-31 16:12:15] hostile : reread my post
[2022-03-31 16:12:49] hostile : https://twitter.com/d0tslash/status/1509414290922614784?s=20&t=f3RRKlK_HedJ5CKqVeo7FQ
[2022-03-31 16:12:58] hostile : click each photo, study closely
[2022-03-31 16:14:36] hostile : @tmbinc here are my captures from last night. SN is 4AESJ850020470
[2022-03-31 16:15:11] hostile : Here is the "random" key function @tmbinc https://dji-rev.com/dji-rev/pl/fx9ajaqmcin97rpirn9ups4zir
[2022-03-31 16:17:55] hostile : @tmbinc /squashfs-root/bin/factory_test/wifi_info.sh I wonder if that command line option is for factory testing
[2022-03-31 16:23:58] droneuser : @hostile have you tested this on drones with ocusync and lightbridge?
[2022-03-31 16:25:55] hostile : that is different protocol
[2022-03-31 16:25:59] hostile : won't handle the same
[2022-03-31 16:26:15] hostile : see the ~aeroscope-droneid channel... that has been discussed there briefly. I'll move on to that next
[2022-03-31 16:26:35] hostile : occusync also broadcasts out of band from the c2 link
[2022-03-31 16:39:06] icer : icer joined the channel.
[2022-03-31 17:07:15] skyninja : If it has a random wi-fi password for the adhoc network, how do the remote controller and the drone choose the same password?
[2022-03-31 19:27:32] hostile : a *pairing* process is common. Aka probably set to 12341234 during pairing, then generates one to use permanently. Unclear though.
[2022-03-31 21:45:50] hostile : @tmbinc this here covers what we discussed earlier. https://github.com/444A49/minifindings/blob/master/README.md?plain=1#L149 looks like I probably nailed it.
[2022-03-31 21:46:18] hostile :
[2022-03-31 21:46:57] tmbinc : Agreed, mini1 doesn't seem to use the bootloader-derived wifi_key.
[2022-03-31 21:47:16] hostile : that is great info to have though. Makes popping the links quicker
[2022-03-31 21:49:14] hostile : I think it would be fun to demo inject stick control. I've done so with 3dr solo in the past. Doing it (publicly) with DUML would be neat. D13 has done private demos and .gov demos (BlackDart) injecting over LightBridge historically.
[2022-03-31 21:49:37] hostile : also live decode of video stream would be fun to demo
[2022-03-31 21:49:48] hostile : (and in essence hand some CUAS company free sauce)
[2022-03-31 23:37:49] quad808 : quad808 joined the channel.
[2022-03-31 23:39:55] glados : glados joined the channel.
[2022-04-01 08:51:55] skyninja : The captures I have do not have enough IVs for the normal aircrack-ng mode. A dictionary attack didn't work at first, but I have it working now. I use this to generate a dictionary with all combinations of five letters A-Z:
[2022-04-01 08:52:09] skyninja :
[2022-04-01 08:52:44] skyninja : gcc -o gen_wordlist gen_wordlist.c && ./gen_wordlist > wordlist.txt
[2022-04-01 08:53:15] skyninja : you now have a wordlist with 26^5 = 11881376 words.
[2022-04-01 08:53:19] skyninja : then:
[2022-04-01 08:53:42] skyninja : aircrack-ng -a 1 -c -n 64 -w wordlist.txt your.pcap
[2022-04-01 08:54:11] skyninja : without the switches it did not work for me.
[2022-04-01 08:54:33] skyninja :
[2022-04-01 08:55:11] skyninja : you can test it on this iv.pcap, which are 20 IVs from the file that @hostile provided.
[2022-04-01 09:01:28] skyninja : you need to have at least 4 IVs.
[2022-04-01 09:02:23] skyninja : next goal: extract video.
[2022-04-01 09:50:07] freaky123 : I think I had the calculation somewhere, it is indeed based on the S/N
[2022-04-01 09:50:57] freaky123 : So in theory DJI can collect the S/N with droneID and then use it to access the C2 link
[2022-04-01 09:53:00] freaky123 : The key was derived in the past something like this: UREK (User dependent and encrypts personal key partition, EFUSED) - DAAK (Debug Application Authentication Key) - DAEK - WAEK (Wireless PSK key)
[2022-04-01 09:53:25] freaky123 : So from the UREK, but since they can calculate the DAAK based on the S/N they can also calculate the WAEK
[2022-04-01 09:54:44] skyninja : I have captures from the same drone on multiple days. Apparently the WEP key remains the same.
[2022-04-01 09:54:45] freaky123 : There are 2 options: - DJI has a database which links S/N to UREK (I know for sure they at least log it during production in some database) - DJI calculates the UREK based on the S/N with some key derivation
[2022-04-01 10:30:01] tmbinc : UREK is the cryptocell HUK?
[2022-04-01 10:31:46] tmbinc : Yes the CMPU process (the cryptocell provisioning process) exports the device unique key to the factory.
[2022-04-01 10:35:10] tmbinc : We already know that wifi_key= argument on the newer drones can be calculated using just the ProductSN and knowing the global key. For OcuSync, they derive this DJI-SAAK key in the bootloader, not sure how it's used.
[2022-04-01 10:48:32] skyninja : I see the WEP keys work for Mavic Mini and Mavic Air. Tello is also WEP, but apparently other key than five times A-Z. Tello is made by Ryze, so different sw dev line most likely.
[2022-04-01 10:59:33] kon : kon joined the channel.
[2022-04-01 11:28:44] skyninja : I added dji-firmware-tools/comm_dissector/wireshark lua scripts to Wireshark. Does anybody know how I can use these to see the DUML in the UDP stream between drone and remote controller? The README on the github page suggests that it is possible: "PCap files with dumps of USB/Ethernet communication with embedded DUML payloads, ie. WiFi connection between RC and a drone (for platforms which use that protocol)"
[2022-04-01 11:32:08] skyninja : DJI_DUMLv1_PROTO:register_heuristic("usb.bulk", heuristic_dissector) DJI_DUMLv1_PROTO:register_heuristic("tcp", heuristic_dissector)
[2022-04-01 11:32:27] skyninja : hmm... that doesn't look good, registers for TCP but not for UDP.
[2022-04-01 14:24:21] skyninja : Using Wireshark I can decrypt the WEP. Does anybody know how I can save the decrypted traffic to a pcap? Using airdecap-ng seems not to work.
[2022-04-01 14:53:55] hostile : this is relevant @skyninja
[2022-04-01 14:54:11] hostile : yes after you add decryption key, just save the file to a new name, it will be decrypted.
[2022-04-01 15:01:53] hostile : @freaky123 ahh I bet that is what the factory_test checks, that the WEP key calculation method works as expected
[2022-04-01 15:02:00] hostile : ``` ./squashfs-root/bin/factory_test/wifi_info.sh: #KEY_STRING=`cat /proc/cmdline | busybox awk -F ' ' '{for(i=1; i<=NF; i++) {if(match($i, "wifi_key")) {print $i}}}'` ```
[2022-04-01 15:07:24] skyninja : thanks @hostile , i will try it. read that document, but maybe not good enough.
[2022-04-01 15:08:15] skyninja : ah wait, i already filtered out udp and saved that, but that was still encrypted.
[2022-04-01 15:08:59] skyninja : of course wireshark decrypts it on the fly, but it is encrypted in the file.
[2022-04-01 15:16:56] hostile : I did it just fine yesterday =] maybe you have to choose "export"
[2022-04-01 15:17:44] hostile :
[2022-04-01 16:13:41] skyninja : yes i did that one. i will retry. thanks.
[2022-04-02 04:39:33] hostile : boom. Making nice progress.
[2022-04-02 04:39:34] hostile : https://twitter.com/d0tslash/status/1510114482743386112
[2022-04-02 07:57:32] hotelzululima : hotelzululima joined the channel.
[2022-04-02 15:37:28] faineg : hi @hotelzululima
[2022-04-02 16:26:40] hotelzululima : Hi @faineg!!
[2022-04-02 21:13:57] priegor : priegor joined the channel.
[2022-04-03 00:51:01] daviskat : daviskat joined the channel.
[2022-04-03 02:16:00] joonas : joonas joined the channel.
[2022-04-03 06:38:01] mainframe : mainframe joined the channel.
[2022-04-03 09:57:19] speatuk : speatuk joined the channel.
[2022-04-03 12:48:32] zwon : zwon joined the channel.
[2022-04-03 15:02:20] ronykom : ronykom joined the channel.
[2022-04-04 09:42:53] enigma2 : enigma2 joined the channel.
[2022-04-04 11:58:18] skyninja : airdecap-ng was not working because it was adhoc wifi. I added a line of code and now it is working.
[2022-04-04 12:40:17] hostile : post the patch @skyninja ?
[2022-04-04 13:06:17] skyninja : sure. https://github.com/aircrack-ng/aircrack-ng/blob/master/src/airdecap-ng/airdecap-ng.c#L816 above this line that says ("case 1:"), add a line with "case 0:"
[2022-04-04 13:07:36] skyninja : I am not sure if this works in the general adhoc case, therefore I will not submit a patch to github.
[2022-04-04 15:08:59] skyninja : I made a wi-fi capture of a Mavic Pro in wi-fi mode. Then I use airdecap-ng to get the UDP traffic between the drone and the DJI Go 4 app on an Android tablet. It is easy to extract the video and play it with ffmpeg as described in "dji wifi tools".
[2022-04-04 15:10:45] skyninja : For the wi-fi captures of the Mavic Mini. You can also use the patched airdecap-ng to get the UDP traffic. But extracting the video as described in "dji wifi tools" does not work here.
[2022-04-04 15:12:12] skyninja : of course it extracts something, but ffmpeg cannot play it.
[2022-04-04 16:42:45] skyninja : i was trying with h264 tools, but maybe Mavic Mini is h265. Does anybody know what video codec is used?
[2022-04-04 16:46:33] skyninja : I transcoded a random video to h265 and that seems like i get from the mini, so i think it is h265.
[2022-04-04 17:04:21] skyninja : I am now certain, because I see video now (-:
[2022-04-04 17:30:33] hostile : oh you got the video extract working?
[2022-04-04 17:30:44] hostile : what was stopping it from playing? the missing codec? just installed one?
[2022-04-04 17:31:57] hostile : that's a cool repo for sure. I'd not seen that one. https://github.com/Toemsel/dji-wifi-tools
[2022-04-04 17:33:37] joonas : when i first discovered the dji fpv goggles magic bytes to send to the usb bulk interface and dumped the data, it looked promising but neither vlc or ffmpeg could make sense of it. i uploaded the raw file to google drive to share for further research. when i came back in an hour and clicked my own drive link it started playing in the embedded player :D.
[2022-04-04 17:33:37] joonas : when i first discovered the dji goggles magic bytes to send to the usb bulk interface and dumped the data, it looked promising but neither vlc or ffmpeg could make sense of it. i uploaded the raw file to google drive to share for further research. when i came back in an hour and clicked my own drive link it started playing in the embedded player :D.
[2022-04-04 17:33:48] skyninja : It was not working because I was trying h264 all the time. it turned out to be h265.
[2022-04-04 17:34:59] skyninja : ffplay -f hevc extraced_video.bin
[2022-04-04 17:35:03] skyninja : and it works.
[2022-04-04 17:43:32] hostile : next step... demonstrating DUML injection for stick coordinates ;)
[2022-04-04 17:44:53] hostile : Need to first make the equivalent of this. https://github.com/MAVProxyUser/3DRSoloHacks/blob/master/Artoo_RC_Sticks_Decode.py
[2022-04-04 18:58:17] hostile : inject some of these perhaps?
[2022-04-04 18:58:22] hostile :
```
$ strings ./squashfs-root/lib/libduml_frwk.so | grep -i stick
SW_Pro_Gnd_JoyStick_Send
SW_Pro joystick send failed %d
```
[2022-04-04 19:17:52] hostile : of course it all goes to the same port.
[2022-04-04 19:29:52] hostile :
[2022-04-05 14:41:06] uskve : uskve joined the channel.
[2022-04-06 00:38:24] hostile : if you're working with GNURadio and gr-ieee802-11 make sure to change your default log level to warn. It will help with some unnecessary messages.
[2022-04-06 00:38:28] hostile :
[2022-04-06 00:44:13] hostile : I think we can add support here to parse the DroneID Beacon frames after they are captured. https://github.com/bastibl/gr-ieee802-11/blob/maint-3.8/lib/parse_mac.cc#L169
[2022-04-06 00:44:40] hostile : could validate the mac address was proper here as well: https://github.com/bastibl/gr-ieee802-11/blob/maint-3.8/lib/parse_mac.cc#L222
[2022-04-06 00:49:51] hostile : Not entirely sure, but the pcap put out by gr-ieee802-11 is flakey. Supposed to be version 2.4, but not sure it actually is. https://github.com/bastibl/gr-foo/blob/maint-3.9/lib/wireshark_connector_impl.cc#L46
[2022-04-06 00:49:51] hostile : Not entirely sure, but the pcap put out by gr-ieee802-11 is flakey when using the built in Wireshark Connector from wifi_rx.grc . It is supposed to be version 2.4, but not sure it actually is. https://github.com/bastibl/gr-foo/blob/maint-3.9/lib/wireshark_connector_impl.cc#L46
[2022-04-06 00:49:51] hostile : The pcap put out by gr-ieee802-11 can be flakey when using the built in Wireshark Connector from wifi_rx.grc . I saw it report really incorrect capture lengths which pissed both wireshark & tcpdump off. https://github.com/bastibl/gr-foo/blob/maint-3.9/lib/wireshark_connector_impl.cc#L46
[2022-04-06 02:31:42] hostile : Took about 3 minutes to crack with the wordlist technique from @skyninja
[2022-04-06 02:33:42] hostile :
[2022-04-06 02:34:25] hostile : these are the small changes I'm using to quiet down the output of gr-ieee802-11 and set it to the default channel for EnhancedWifi here in US.
[2022-04-06 02:37:09] hostile : I've confirmed the beacons generated also parse cleanly using these scripts shared in ~aeroscope-droneid
[2022-04-06 02:37:38] hostile : included here for posterity
[2022-04-06 04:09:27] hostile : mmm now I want pCraft for droneid data! https://isc.sans.edu/forums/diary/Generating+PCAP+Files+from+YAML/25464/
[2022-04-06 04:09:50] hostile : could be cool to submit a PR. https://github.com/DevoInc/pCraft
[2022-04-06 05:22:48] hostile : meh I can't quite get spoofing sorted. Can anyone get this example to work? https://www.bastibl.net/gnuradio-wlan-scapy/
[2022-04-06 05:22:57] hostile : @icer ? ^
[2022-04-06 05:24:08] hostile : may be a solution here: https://github.com/bastibl/gr-ieee802-11/issues/119#issuecomment-623847844
[2022-04-06 05:29:16] hostile : more examples here: https://archive.fosdem.org/2019/schedule/event/gr_scapy/attachments/slides/3366/export/events/attachments/gr_scapy/slides/3366/gnuradio_meets_scapy.pdf if anyone wants to take a stab
[2022-04-06 05:29:33] hostile : @hotelzululima this should be an easy one for you ;)
[2022-04-06 05:33:43] hostile : seems finicky https://github.com/bastibl/gr-ieee802-11/issues/236
[2022-04-06 05:36:23] skyninja : just craft a packet, disable mac layer in gr-ieee802.11 and send it on udp to the flowgraph. sounds easy.
[2022-04-06 05:41:09] hostile : did... not getting detected by anything
[2022-04-06 05:41:22] hostile : the examples don't work for me
[2022-04-06 05:53:00] skyninja : i am away today so i cannot check
[2022-04-06 06:45:38] ttdqj4wj3hgcy5zg85qi : ttdqj4wj3hgcy5zg85qi joined the channel.
[2022-04-06 08:56:36] jan2642 : jan2642 joined the channel.
[2022-04-06 08:59:11] skarzhevsky : skarzhevsky joined the channel.
[2022-04-06 14:17:07] w4ts0n : w4ts0n joined the channel.
[2022-04-06 15:30:30] seraph1573 : seraph1573 joined the channel.
[2022-04-06 17:51:15] quad_fan : quad_fan joined the channel.
[2022-04-07 08:01:57] goguma : goguma joined the channel.
[2022-04-08 09:55:06] andrewbboo : andrewbboo joined the channel.
[2022-04-10 16:58:57] sincoder : sincoder joined the channel.
[2022-04-12 14:12:23] rebellion : rebellion joined the channel.
[2022-04-12 15:50:49] hostile : Thanks to @icer I've got a BladeRF in hand now. https://github.com/Nuand/bladeRF-wiphy/
[2022-04-12 19:09:07] hostile : For anyone following along using DragonOS I had to edit the driver a hair
[2022-04-12 19:09:11] hostile :
[2022-04-12 19:09:31] hostile : re: https://www.nuand.com/bladeRF-wiphy-instructions/#build-bladerf-mac80211-hwsim
[2022-04-12 19:10:12] hostile : seems to have to do with: https://www.spinics.net/lists/linux-wireless/msg209667.html
[2022-04-12 19:10:59] hostile : and: https://lore.kernel.org/all/202104100223.iZPxHYpm-lkp@intel.com/t/
[2022-04-12 20:00:48] galbb12 : galbb12 joined the channel.
[2022-04-13 05:39:54] zgvs2 : zgvs2 joined the channel.
[2022-04-14 00:31:28] zgvs2 : Hey @hostile did you ever get the USB Atheros 9271 working with 5mhz quarter rate on the open firmware or did you need to use the QCNFA222 in the end? I'm trying to figure out if I should bother trying with the usb dongle that will arrive in a few days or wait for the QCNFA222 coming in a month or so.
[2022-04-14 01:24:11] hostile : I did not have any luck, and didn't wind up tracking time down to troubleshoot it either :/
[2022-04-14 08:06:31] jackhmcd : jackhmcd joined the channel.
[2022-04-14 14:03:43] codeforge : codeforge joined the channel.
[2022-04-19 02:57:16] john.abbey : john.abbey joined the channel.
[2022-04-21 20:57:35] wavesahead : wavesahead joined the channel.
[2022-04-25 14:16:31] pinejuice : pinejuice joined the channel.
[2022-04-26 02:29:52] leo : leo joined the channel.
[2022-04-26 04:18:37] mrbou : mrbou joined the channel.
[2022-04-26 04:19:15] mrbou : @mrbou left the channel.
[2022-04-26 22:00:45] wavesahead : also, someone with atheros cards could show me the output of: iwlist wlan0 (or whatever iface you use) freq
[2022-04-26 22:33:26] hostile :
```
ciajeepdoors@AeroScopeWrecker:~$ iwlist wlp61s0 freq
wlp61s0   32 channels in total; available frequencies :
          Channel 01 : 2.412 GHz
          Channel 02 : 2.417 GHz
          Channel 03 : 2.422 GHz
          Channel 04 : 2.427 GHz
          Channel 05 : 2.432 GHz
          Channel 06 : 2.437 GHz
          Channel 07 : 2.442 GHz
          Channel 08 : 2.447 GHz
          Channel 09 : 2.452 GHz
          Channel 10 : 2.457 GHz
          Channel 11 : 2.462 GHz
          Channel 36 : 5.18 GHz
          Channel 40 : 5.2 GHz
          Channel 44 : 5.22 GHz
          Channel 48 : 5.24 GHz
          Channel 52 : 5.26 GHz
          Channel 56 : 5.28 GHz
          Channel 60 : 5.3 GHz
          Channel 64 : 5.32 GHz
          Channel 100 : 5.5 GHz
          Channel 104 : 5.52 GHz
          Channel 108 : 5.54 GHz
          Channel 112 : 5.56 GHz
          Channel 116 : 5.58 GHz
          Channel 120 : 5.6 GHz
          Channel 124 : 5.62 GHz
          Channel 128 : 5.64 GHz
          Channel 132 : 5.66 GHz
          Channel 136 : 5.68 GHz
          Channel 140 : 5.7 GHz
          Channel 149 : 5.745 GHz
          Channel 153 : 5.765 GHz
          Current Frequency:5.24 GHz (Channel 48)
```
[2022-04-26 22:59:14] wavesahead : thank you kev
[2022-04-26 22:59:27] wavesahead : there you go chan 149
[2022-04-26 23:21:44] wavesahead : if you want to know quickly if a card supports our shenanigans, plug it and run iwlist with the freq option
[2022-04-26 23:21:54] wavesahead : grep for 5.745 GHz
[2022-04-26 23:22:28] wavesahead : @dragorn i dont want to bother you too much, but you are the kismet wiz, do you know any other cards or someone i could talk to re confirming what is supporting freq 5.745 GHz?
[2022-04-27 12:56:45] wavesahead : https://yo3iiu.ro/blog/?p=1301 < this might be useful for some people to modify the ath9 driver
[2022-04-27 12:57:08] wavesahead : quite a few hamradio ops doing sat work do this
[2022-04-27 14:14:45] jan2642 : If I remember correctly (and this goes back 4 years or so) the early aeroscope prototypes used a TPLink 702 travel router for wifi access. These use an Atheros AR9331 SoC and can run e.g OpenWRT, just like a gazillion other similar devices. Maybe that one can do 5MHz but I'm not certain.
[2022-04-27 14:18:47] hostile : There was an effort to get some common routers working. https://github.com/defencore/tech_documentation/blob/main/004-gl-ar750s-ext-openwrt.md
[2022-04-27 14:19:14] wavesahead : good point, the embedded SoCs that have compat atheros chips are a workable option. it's definitely cheaper than grabbing a mpcie and a soc with pcie support.
[2022-04-27 14:20:35] wavesahead : this is pretty good
[2022-04-27 14:20:35] hostile : Defencore folks are in Ukraine now. The repo above was from some of our early interactions here trying to find reproducible setups that could be handed out. Feel free to help them further tool that image above.
[2022-04-27 14:24:36] wavesahead : well, one of the defencore people is ukrainian
[2022-04-27 14:35:21] hostile : thought there was more than one, but yes that is more accurate statement perhaps. None the less. Feel free to submit them PR's to that repo if you have things that can make it more functional.
[2022-04-27 14:36:05] wavesahead : the spacing ~5mhz, this is the only issue to address in software it seems
[2022-04-27 14:36:12] wavesahead : ive got some cards coming that are rtl based
[2022-04-27 14:36:54] hostile : finding non atheros support was hard.
[2022-04-27 14:37:17] hostile : I need to check if the BladeRF supports proper tuning to that channel with the API that Kismet uses
[2022-04-27 14:37:32] hostile : https://www.nuand.com/bladerf-wiphy-instructions/
[2022-04-27 14:37:37] wavesahead : rtl should work for channel 149, the question is the spacing.
[2022-04-27 14:38:03] hostile : I was historically unable to find anything that wasn't atheros, AND m.2. (no USB)
[2022-04-27 14:38:18] wavesahead : thats likely something that can be modified in the driver, but hw might also crap out if it isnt designed properly
[2022-04-27 14:38:37] wavesahead : since the rf design might make assumptions about bw
[2022-04-27 14:38:54] wavesahead : but anyway, worth a shot. they were cheap and can be used for packet injection if nothing else
[2022-04-27 14:47:28] hostile : TBH @wavesahead I'm really wondering about this too.
[2022-04-27 14:47:44] hostile : if the NexMon BCM4339 framework can allow us to tune to 5mhz channels and receive / generate 802.11 beacons? https://twitter.com/nexmon_dev/status/984544978537009152
[2022-04-27 14:47:58] hostile : https://github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio
[2022-04-27 14:48:17] hostile : This example looked promising, just not sure how to tune to 5mhz. https://github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio/blob/master/payload_generation/generate_frame.m
[2022-04-27 14:49:17] hostile : ``` ieeeenc.set_rate(1); ```
[2022-04-27 14:49:26] hostile : doubt this supports quarter out the box
[2022-04-27 14:49:47] hostile : https://github.com/seemoo-lab/mobisys2018_nexmon_software_defined_radio/blob/70733afcfd1a379d75d1423840716d8ef9cb8ab6/payload_generation/ieee_80211_encoder.m#L73
[2022-04-27 14:50:22] hostile :
[2022-04-27 14:50:31] hostile : yeah by default only goes down to 1/2 rate looks like
[2022-04-27 14:51:29] hostile : supported devices could be interesting IF it worked.
[2022-04-27 14:51:36] hostile :
[2022-04-27 14:51:43] hostile : (includes several phones)
[2022-04-27 14:52:22] hostile : The few RasPi's in the list are pretty well commodity hardware could be easy to test.
[2022-04-27 14:55:49] jan2642 : The rate is not the same as the frequency bandwidth, it has to do with encoding (BPSK or QAM) and the amount of bits used for error correcting.
[2022-04-27 14:58:37] jan2642 :
[2022-04-27 14:58:56] jan2642 : 48 subcarriers is what is used in 20 MHz wifi.
[2022-04-27 15:00:58] jan2642 : In 802.11p that also seems the case, the spacing is just smaller for 10 & 5 MHz channels:
[2022-04-27 15:01:04] jan2642 :
[2022-04-27 15:10:02] wavesahead : ^
[2022-04-27 15:10:21] wavesahead : thats why i mentioned rf design quirks too
[2022-04-27 15:11:05] wavesahead : if the filters or rf path dont have enough tolerance to operate in that bandwidth it can produce hard to debug artifacts
[2022-04-27 15:11:16] wavesahead : likely not manifesting obviously
[2022-04-27 15:12:24] hostile : @jan2642 that "rate" and "bw" terminology made initially searching for this stuff years ago difficult. https://wiki.freebsd.org/dev/ath_hal%284%29/HalfQuarterRate
[2022-04-27 15:12:35] hostile : I've always known it since as "Quarter rate" support.
[2022-04-27 15:12:42] wavesahead : as an example mildly related i had packet loss in a mikrotik 10g switch doing L2... caused by one dangling vlan tag in the 1g phy... which is connected internally to the 10g phy. they should not let you do that across both, but they do, being mikrotik. symptoms were packet loss and arbitrary timing problems
[2022-04-27 15:12:54] hostile : how that translates into subcarriers... I'm not ultimately sure. Lot of this shit I'm admittedly dumb on.
[2022-04-27 15:12:57] jan2642 : I think I have a gl-ar150s at home. If I find the time I'll check if I can get it to work with 5 MHz channels and see if it can detect a mavic air.
[2022-04-27 15:13:23] wavesahead : i have one i think, or the older model, but that wont do 5ghz
[2022-04-27 15:14:03] hostile : In my copious free time I'll grab one of my RasPi's and see if I can make it play with the nexmon packet generator
[2022-04-27 21:37:01] hostile : hostile updated the channel header to: sudo kismet -c youwifi0:channels=\"140W5,149W5,153W5,157W5,161W5, 165W5,\"
[2022-04-27 21:37:33] hostile : caught my system hopping on 165W unexpectedly! I didn't have it in my capture channels
[2022-04-28 14:24:15] jan2642 : This GL-AR750S doesn't seem to like 5 MHz channels...
```
root@OpenWrt:~# iw dev wlan0 set channel 149 5MHz
kernel reports: 5/10 MHz not supported
command failed: Invalid argument (-22)
```
[2022-04-28 14:25:06] jan2642 : At least, on 5 GHz. On the 2.4 GHz interface it does accept it
[2022-04-28 14:25:35] hostile : may need 5ghz patches. I had to do that for injection on some kernels to attack the WEP on Mavic Air
[2022-04-28 14:25:48] hostile : do a channel list with it
[2022-04-28 14:25:54] hostile : does it even support 5ghz at all?
[2022-04-28 14:26:10] hostile : ``` iwlist wlan0 freq ```
[2022-04-28 14:26:19] jan2642 : It does:
```
root@OpenWrt:~# iwinfo wlan0 freqlist
5.180 GHz (Channel 36)
5.200 GHz (Channel 40)
5.220 GHz (Channel 44)
5.240 GHz (Channel 48)
5.260 GHz (Channel 52)
5.280 GHz (Channel 56)
5.300 GHz (Channel 60)
5.320 GHz (Channel 64)
5.500 GHz (Channel 100)
5.520 GHz (Channel 104)
5.540 GHz (Channel 108)
5.560 GHz (Channel 112)
5.580 GHz (Channel 116)
5.600 GHz (Channel 120)
5.620 GHz (Channel 124)
5.640 GHz (Channel 128)
5.660 GHz (Channel 132)
5.680 GHz (Channel 136)
5.700 GHz (Channel 140)
5.720 GHz (Channel 144)
5.745 GHz (Channel 149) [restricted]
5.765 GHz (Channel 153) [restricted]
5.785 GHz (Channel 157) [restricted]
5.805 GHz (Channel 161) [restricted]
5.825 GHz (Channel 165) [restricted]
```
[2022-04-28 14:26:34] hostile : yeh see the restricted
[2022-04-28 14:26:41] hostile : either needs patched or regdom hacked.
[2022-04-28 14:28:28] jan2642 : It doesn't accept it on the non-restricted channels either. Is that normal ? Is 5 MHz only allowed on 149 and higher ?
[2022-04-28 14:29:31] hostile : kernel support varies widely. lemme see if I can get better detail
[2022-04-28 14:29:49] hostile : at least it works on 2.4, have you forced your drone to 2.4 channel and spot checked kismet reception?
[2022-04-28 14:31:30] hostile : Oh is that one with 2 cards inside? I know some have a 2.4 radio and a 5g radio. also check the config?
[2022-04-28 14:31:31] hostile :
[2022-04-28 14:32:22] hostile : https://github.com/aredn/aredn_ar71xx/blob/develop/patches/701-extended-spectrum.patch
[2022-04-28 14:32:23] hostile : https://github.com/aredn/aredn_ar71xx/blob/develop/patches/702-enable-country-hx.patch
[2022-04-28 14:32:30] jan2642 : It has indeed 2 different wifi interfaces. I've changed the reg to Belgium. Now the channels are no longer 'restricted' but still no 5 MHz:
```
root@OpenWrt:~# iwinfo wlan0 freqlist
5.180 GHz (Channel 36)
5.200 GHz (Channel 40)
5.220 GHz (Channel 44)
5.240 GHz (Channel 48)
5.260 GHz (Channel 52)
5.280 GHz (Channel 56)
5.300 GHz (Channel 60)
5.320 GHz (Channel 64)
5.500 GHz (Channel 100)
5.520 GHz (Channel 104)
5.540 GHz (Channel 108)
5.560 GHz (Channel 112)
5.580 GHz (Channel 116)
5.600 GHz (Channel 120)
5.620 GHz (Channel 124)
5.640 GHz (Channel 128)
5.660 GHz (Channel 132)
5.680 GHz (Channel 136)
5.700 GHz (Channel 140)
5.720 GHz (Channel 144)
5.745 GHz (Channel 149)
5.765 GHz (Channel 153)
5.785 GHz (Channel 157)
5.805 GHz (Channel 161)
5.825 GHz (Channel 165)
5.845 GHz (Channel 169)
5.865 GHz (Channel 173)
root@OpenWrt:~# iw dev wlan0 set channel 149 5MHz
kernel reports: 5/10 MHz not supported
command failed: Invalid argument (-22)
```
[2022-04-28 14:32:54] hostile : so is your 5ghz radio an AR10k instead of an AR9k then? that is likely why
[2022-04-28 14:36:36] jan2642 : I guess you're right:
```
root@OpenWrt:~# ls -l /sys/devices/platform/ahb/18100000.wmac/net/wlan1/device/driver
lrwxrwxrwx 1 root root 0 Apr 16 13:24 /sys/devices/platform/ahb/18100000.wmac/net/wlan1/device/driver -> ../../../../bus/platform/drivers/ath9k
root@OpenWrt:~# ls -l /sys/devices/pci0000\:00/0000\:00\:00.0/net/wlan0/device/driver
lrwxrwxrwx 1 root root 0 Apr 16 13:20 /sys/devices/pci0000:00/0000:00:00.0/net/wlan0/device/driver -> ../../../bus/pci/drivers/ath10k_pci
```
[2022-04-28 14:36:56] jan2642 : The 2.4 GHz is a 9K, the 5 GHz is a 10K
[2022-04-28 14:43:25] hostile : see if this is applied to your kernel? https://patchwork.kernel.org/project/ath10k/patch/20171120150115.0c0a8a3c@friiks.de/
[2022-04-28 14:43:36] hostile : I recall ath10k and 5mhz chan spacing is "fucky"
[2022-04-28 14:45:14] hostile : remember the ole reghack.c ? https://topic.alibabacloud.com/a/5-ghz-working-band-cracking-for-the-font-classtopic-s-color00c1deatherosfont-wireless-font-classtopic-s-color00c1denetworkfont-adapter-in-linuxubuntu_3_78_32962531.html
[2022-04-28 14:48:57] hostile : we used to use it here to enable channel 13 on the drones, remember?
[2022-04-28 14:58:15] wavesahead : europe requires 2.4 i think, at least for the uav id legal stuff
[2022-04-28 14:59:40] wavesahead : the sources should be there to recompile openwrt. do you have the links to the exact patches so i can take a look? im sure that the software patch is probably just a bitmask mod or such
[2022-04-28 15:05:23] hostile : I pasted what I have above. That's all I got on hand. It has been since 2017 since I dealt with it TBH.
[2022-04-28 15:05:42] hostile : I wonder why your ar9k is limited to 2.4 only
[2022-04-28 15:06:02] hostile : load balancing for the radios in the router ?
[2022-04-28 15:17:32] jan2642 : It's a dual band access point so it has to do both bands at the same time. It's probably also a lot easier for designing the RF path this way.
[2022-04-28 15:18:02] wavesahead : can you force the 9k driver?
[2022-04-28 15:18:18] wavesahead : got a photo of the pcb? re rf path
[2022-04-28 15:34:55] jan2642 : I've looked at that patch but it's pure cosmetic. It fixes the errors caused in user space by allowing to set half & quarter channels but it doesn't actually do anything with those settings, it keeps on using 20 MHz channels.
[2022-04-28 15:36:08] jan2642 :
[2022-04-28 15:37:18] wavesahead : ack
[2022-04-28 15:41:52] wavesahead : @jan2642 weird, the secondary IC has the rf path to the 5ghz card but the main one has the 2.4ghz path
[2022-04-28 15:42:09] wavesahead : hmm
[2022-04-28 15:42:36] wavesahead : can you show me a lspci or lshw output if the tool is present? check where the bus is for the different drivers
[2022-04-28 15:43:06] wavesahead : i think they are separate, and a dedicated ic is used for the 5ghz, but the main IC has builtin 2.4 phy
[2022-04-28 20:12:13] jan2642 : Indeed, the 5GHz is on an external PCI bus, the 2.4GHz is on the internal AHB bus.
[2022-04-28 21:12:36] wavesahead : understood, that explains things. but it also means we can use them in parallel without issues, so it must be a software thing strictly
[2022-04-30 20:14:14] the_lord : doesn't the P3 std use 5MHz? I have a P3std RC, I don't see any sign of 5MHz. It's openWRT and an Atheros AR9342 SOC. Any advice?
[2022-05-01 03:20:55] hostile : p3std uses old school RC signal over 2.4ghz, like a spektrum, or futaba. The wifi / range extension was only for the video feed. Everything else went over the RC link. In japan it is a 900mhz link IIRC instead of 2.4ghz for the RC link.
[2022-05-01 03:21:25] hostile : the camera module had the wifi, not the drone / RC itself as I recall @the_lord
[2022-05-01 03:22:42] hostile : https://dl.djicdn.com/downloads/phantom_3_standard/20170629/P3C_FW_V01.09.0200.bin.zip
[2022-05-01 03:30:12] hostile : P3C_FW_V01.09.0200.bin seems to have the OpenWRT image in it.
[2022-05-01 04:03:15] the_lord : Yes I know all that. The RC uplink is 5.8Ghz. Camera and RC wifi on 2.4Ghz. The RC works as wifi AP for the drone and mobile. My question is how the Aeroscope can detect P3std 60KM away if it's not enhancedWiFi AKA 5MHz rate/bandwidth??
[2022-05-01 04:27:33] hostile : I'd assume the beacon goes out over the standard RC link eh? as opposed to the video downlink?
[2022-05-01 04:28:12] hostile : if not we should see remnants of droneID in the openwrt image (which I'd not expect).
[2022-05-01 13:07:49] eseven : eseven joined the channel.
[2022-05-05 01:10:55] prz3mk0 : prz3mk0 joined the channel.
[2022-05-09 19:59:04] powellste : powellste joined the channel.
[2022-05-11 13:43:20] tissy : tissy joined the channel.
[2022-05-12 18:21:58] jjbyrnes29 : jjbyrnes29 joined the channel.
[2022-05-12 19:47:58] aholtzma : aholtzma joined the channel.
[2022-05-12 19:54:11] testuser00001 : testuser00001 joined the channel.
[2022-05-13 21:59:28] asdasdvoid : asdasdvoid joined the channel.
[2022-05-16 21:39:09] meta : meta joined the channel.
[2022-05-17 06:14:23] eddy : eddy joined the channel.
[2022-05-17 18:23:54] emeraldmaster : emeraldmaster joined the channel.
[2022-05-19 07:21:59] ashen : ashen joined the channel.
[2022-05-22 09:14:31] jack117wb : jack117wb joined the channel.
[2022-05-23 06:31:10] superlogical : superlogical joined the channel.
[2022-05-24 21:24:39] devdriver : devdriver joined the channel.
[2022-06-05 17:29:09] laen : laen joined the channel.
[2022-06-06 05:58:29] toto71 : toto71 joined the channel.
[2022-06-08 02:37:58] cyberid10t : id10t joined the channel.
[2022-06-08 07:21:35] oxolot : oxolot joined the channel.
[2022-06-08 15:38:23] mingtao : mingtao joined the channel.
[2022-06-13 08:43:22] albertoe : albertoe joined the channel.
[2022-06-18 06:32:07] nz-maori : nz-maori joined the channel.
[2022-06-22 20:27:40] fly4y : fly4y joined the channel.
[2022-06-24 03:13:17] n1ptune : n1ptune joined the channel.
[2022-06-28 12:59:42] jjelo : jjelo joined the channel.
[2022-07-08 15:54:28] staydji : staydji joined the channel.
[2022-07-09 05:43:21] ababak1990 : ababak1990 joined the channel.
[2022-07-15 17:53:17] xou : xou joined the channel.
[2022-07-18 15:44:30] dfessence : dfessence joined the channel.
[2022-07-19 00:09:30] hito_no_yume : yutasyutas joined the channel.
[2022-07-19 03:54:42] enk2022 : enk2022 joined the channel.
[2022-07-25 17:31:54] east2west : east2west joined the channel.
[2022-07-27 12:19:17] sups : sups joined the channel.
[2022-08-01 19:16:18] dmitry : dmitry joined the channel.
[2022-08-08 17:35:45] h_marshall : h_marshall joined the channel.
[2022-08-24 14:14:45] drlssl : drlssl joined the channel.
[2022-08-24 14:30:38] drlssl : Hello, I have captured the camera udp packets as a *.pcap file, but I don't know how to convert it to a video. I have read "dji wifi tool", but I still have a question about how to write the packet payload into a binary file (what is the format? how to preprocess the udp packets payload). I'm fresh on it, could anyone give me some suggestions? :pleading_face:
[2022-08-24 17:21:10] skyninja : https://www.indie-dev.at/2021/05/19/dji-protocol-day-8-progress-report/
[2022-08-24 17:22:23] skyninja : filter out the packets with whtype == 0x02. dump the payload to a file. then play the file with ffplay -f hevc video.bin
[2022-08-24 22:29:49] drlssl : I do the similar thing, I just catch the udp packets whose length is 1472 and use scapy to dump their raw payload, then binary-write it into a new .h264 file, but finally when I use ffplay, I get a very dirty video which contains few human-readable constant and much mess color
[2022-08-25 06:19:36] skyninja : try hevc instead of h264
[2022-08-25 14:01:23] digdat0 : digdat0 joined the channel.
[2022-08-27 15:15:11] oxolot : Anyone knows where exactly DAEK is stored or calculated in M3? What about Air2s?
[2022-08-27 16:36:11] tmbinc : There's no DAEK/DAAK anymore on DJI-silicon drones as far as I know
[2022-08-28 15:14:30] oxolot : What is left then? Or they are replaced with something? Is it somehow related to the fact that we can't find solution for M3?
[2022-08-28 15:16:56] tmbinc : Sorry, I'm missing the context. What would you like to do? SecureDebug?
[2022-08-28 15:27:24] oxolot : I would like to remove NFZ and 500 m height limits. Also new firmware versions block DroneID deactivation, so it would be nice to deal with that too.
[2022-09-26 01:21:04] jackmax : jackmax joined the channel.
[2022-09-27 08:51:02] herr.frei : herr.frei joined the channel.
[2022-09-29 10:46:06] wdesign : wdesign joined the channel.
[2022-10-03 09:43:20] urca87 : urca87 joined the channel.
[2022-10-03 20:13:53] alt.nq-5711k93 : alt.nq-5711k93 joined the channel.
[2022-10-04 07:45:37] xiaohuge365 : lixuans joined the channel.
[2022-10-27 06:58:57] crashing_bird : crashing_bird joined the channel.
[2022-10-30 07:12:21] bob.alki : bob.alki joined the channel.
[2022-10-30 15:22:06] richter08 : richter08 joined the channel.
[2022-11-10 03:49:18] areoc : areoc joined the channel.
[2022-11-12 06:20:45] pingspike : pingspike joined the channel.
[2022-11-30 01:50:02] plugandplaytor : plugandplaytor joined the channel.
[2022-12-05 07:26:58] prettymuchathrowaway69 : prettymuchathrowaway69 joined the channel.
[2022-12-09 15:50:54] ivar : ivar joined the channel.
[2022-12-20 12:37:11] milenovic : milenovic joined the channel.
[2023-01-04 15:35:54] denisbsu : denisbsu joined the channel.
[2023-01-06 13:40:22] zkar : zkar joined the channel.
[2023-01-19 14:37:08] ginostred : ginostred joined the channel.
[2023-01-25 08:34:57] sparkyws : sparkyws joined the channel.
[2023-01-26 17:34:53] barretop : barretop joined the channel.
[2023-01-28 20:23:51] jglx3p : jglx3p joined the channel.
[2023-02-07 22:29:31] accountfrompl : accountfrompl joined the channel.
[2023-02-17 05:54:28] ramzet : ramzet joined the channel.
[2023-02-24 05:25:30] ibndias : ibndias joined the channel.
[2023-03-09 10:20:32] mud : mud joined the channel.
[2023-03-23 16:40:44] dronez4u : dronez4u joined the channel.
[2023-03-24 08:15:38] retrocall : retrocall joined the channel.
[2023-03-24 17:50:07] efimato_re : efimato_re joined the channel.
[2023-03-30 08:47:01] stanlu : stanlu joined the channel.
[2023-04-04 15:52:39] brillio : brillio joined the channel.
[2023-04-11 15:44:25] blowfish448 : blowfish448 joined the channel.
[2023-04-19 21:04:24] fedosgad : fedosgad joined the channel.
[2023-04-28 10:27:42] supertester : supertester joined the channel.
[2023-05-26 20:01:11] rameezahmed1998 : rameezahmed1998 joined the channel.
[2023-05-31 10:59:57] rachfly : amirach joined the channel.
[2023-06-10 22:52:09] blablabrscht : blablabrscht joined the channel.
[2023-07-03 20:03:03] anzz : anzz joined the channel.
[2023-07-03 20:04:20] anzz : @anzz left the channel.
[2023-07-04 01:17:09] johnnokomis : johnnokomis joined the channel.
[2023-07-28 07:07:29] dreamtree : dreamtree joined the channel.
[2023-08-17 18:30:32] mgroberman : mgroberman joined the channel.
[2023-08-31 10:47:53] chrboesch : chrboesch joined the channel.
[2023-09-06 13:25:55] markus83 : markus83 joined the channel.
[2023-09-08 17:01:47] dong : dong joined the channel.
[2023-09-13 10:14:27] molda : molda joined the channel.
[2023-09-19 15:01:48] leperdu : leperdu joined the channel.
[2023-09-29 17:46:22] bengutt : bengutt joined the channel.
[2023-10-23 09:14:56] jdan7387 : jdan7387 joined the channel.
[2023-10-24 17:34:39] caseygibson : caseygibson joined the channel.
[2023-10-29 10:57:36] alex7593 : alex7593 joined the channel.
[2023-12-26 01:34:45] nicksapienza : nicksapienza joined the channel.
[2023-12-26 01:35:24] nicksapienza : @nicksapienza left the channel.
[2024-01-16 14:36:32] zjm605186980 : zjm605186980 joined the channel.
[2024-01-17 09:47:58] photogrant : photogrant joined the channel.
[2024-01-18 01:24:29] enk2022 : @enk2022 left the channel.
[2024-01-18 15:43:32] basilius : basilius joined the channel.
[2024-02-06 19:58:40] ryantkasher : ryantkasher joined the channel.
[2024-02-12 20:45:29] lining-preps.0u : lining-preps.0u joined the channel.
[2024-02-19 07:22:54] vindia : vindia joined the channel.
[2024-05-07 12:46:00] sarange : sarange joined the channel.
[2024-05-21 17:03:46] snackashack : snackashack joined the channel.
[2024-06-03 14:49:21] devinnorgarb : devinnorgarb joined the channel.
[2024-07-01 17:29:26] mrsmith : mrsmith joined the channel.
[2024-07-13 17:27:40] efwefaf : efwefaf joined the channel.
[2024-07-26 15:52:58] ogini_ayotanom : ogini_ayotanom joined the channel.
[2024-07-31 21:20:13] hate : hate joined the channel.
[2024-09-11 22:10:19] taters66 : taters66 joined the channel.
[2024-10-23 18:20:40] hab : hab joined the channel.
[2024-10-30 04:38:13] the.hope.ltd : the.hope.ltd joined the channel.
[2024-11-26 16:58:49] ox3d : ox3d joined the channel.
[2024-12-16 11:15:21] c3podaniel : c3podaniel joined the channel.
[2024-12-23 09:29:20] lana : lana joined the channel.