====== phantom-firmware-tools ======

The firmware tools described below can be used to do all sorts of fun stuff on your DJI device. The two main things of interest here are sniffing and interpreting the comms to your aircraft, and firmware tweaking.

===== 1. Toolchain =====

Install your toolchain as per the instructions [[.:toolchain|here]]. You only need to do this once... but check the instructions to see if there are any new tools that you may need.

===== 2. Get the phantom-firmware-tools magic =====

If this is your first time using phantom-firmware-tools, you will need to check out the code from git.

<code bash>
cd ~/Documents/
git clone https://github.com/mefistotelis/phantom-firmware-tools.git
cd phantom-firmware-tools
</code>

If you have done this before and you want to make sure you have the latest code, you just need to sync to the most recent version.

<code bash>
cd ~/Documents/phantom-firmware-tools
git pull
</code>

===== 3. Install wireshark =====

===== 4. Install the comm dissectors for wireshark =====

<code bash>
cp comm_dissector/wireshark/* ~/.config/wireshark/
</code>

===== 5. Capture some traffic =====

<code bash>
python3 comm_serial2pcap.py -b115200 -f /tmp/wsf /dev/tty.usbmodem* /dev/tty.usbmodem*
</code>

The intent is for this command to sit between two serial ports, with a serial breakout capturing the serial TX and RX streams and duplicating them into two ports. I don't have a hardware breakout yet, so I have not yet tried this.

===== 6. serialsnoop.sh =====

The code below was created by jan2642 as an alternate way of sniffing DUML. It is still a prototype at this stage but listed here to provide a way for Mac users to get some DUML love. Start it before the app opens the serial device, since the probe only learns the pid and fd when it sees the open() call. Note that dtrace has to run as root, and on El Capitan and later System Integrity Protection stops it from tracing protected processes unless SIP is relaxed, so errors hidden by the ''2> /dev/null'' below are the first thing to check when nothing shows up.

<code bash>
#!/bin/sh
# Listen in on serial port connections.
# (Note that max packet size is hardcoded to be 512)
# Written by jan2642

if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <serial-device>"
    exit 1
fi

/usr/sbin/dtrace -n '
inline string PATHNAME = "'$1'";

#pragma D option quiet
#pragma D option switchrate=10hz
/* #pragma D option bufpolicy=ring */

dtrace:::BEGIN
{
}

/* Remember the path passed to every open() so the serial device can be spotted. */
syscall::open:entry,
syscall::open_nocancel:entry,
syscall::open_extended:entry
{
    self->path = arg0;
    self->file_open_in_progress = 1;
}

/* When an open() of PATHNAME returns, record the pid and fd that now own the device. */
syscall::open:return,
syscall::open_nocancel:return,
syscall::open_extended:return
/self->file_open_in_progress && (PATHNAME == copyinstr(self->path))/
{
    the_pid = pid;
    the_fd = arg1;
    self->path = 0;
    self->file_open_in_progress = 0;
}

/* Data coming in from the aircraft: remember the buffer, dump it once read() has filled it. */
syscall::*read:entry
/pid == the_pid && arg0 == the_fd/
{
    self->read_in_progress = 1;
    self->read_ptr = arg1;
}

syscall::*read:return
/self->read_in_progress/
{
    if (arg0 > 0) {
        printf("==+ %s IN %d : ", execname, (int)arg0);
        tracemem(copyin(self->read_ptr, arg0), 512);
        printf("==-\n");
    }
    self->read_in_progress = 0;
}

/* Data going out to the aircraft. */
syscall::*write:entry
/pid == the_pid && arg0 == the_fd/
{
    if (arg2 > 0) {
        printf("==+ %s OUT %d : ", execname, (int)arg2);
        tracemem(copyin(arg1, arg2), 512);
        printf("==-\n");
    }
}
' 2> /dev/null | python3 -c '
import sys

def parse_block(buf):
    # buf holds one "==+ <proc> <IN|OUT> <size> :" line, the tracemem header row,
    # then the hex rows; only the first <size> bytes of the 512-byte dump are real data
    lines = buf.split("\n")
    meta = lines[0].split(" ")
    proc = meta[1]
    direction = meta[2]
    size = min(int(meta[3]), 512)
    sys.stdout.write("%s %-3s %5d :" % (proc, direction, size))
    rows = (size + 15) // 16
    for i in range(rows):
        data = lines[2 + i].strip().split(" ")   # data[0] is the row offset, data[1:] the bytes
        remain = min(16, size - 16 * i)
        for j in range(remain):
            sys.stdout.write(" %s" % data[j + 1])
    print("")

buf = ""
for line in sys.stdin:
    if line.startswith("==+"):
        buf = ""
    if line.startswith("==-"):
        parse_block(buf)
    buf += line
'
# vim: expandtab:ts=4:sw=4
</code>

===== Contribute =====

DUML dumping has never worked for me on OSX. Need to understand how this could work, including the hardware required.
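An added example for the serialsnoop.sh output from section 6 (not code from phantom-firmware-tools or from jan2642): it reassembles the dumped bytes from the dtrace ''==+ ... ==-'' blocks and writes them out as a classic pcap so the comm dissectors from step 4 can be pointed at them in Wireshark. The sample dump is constructed, not a real capture, and ''DLT_USER0'' (147) is an assumed private link type that has to match whatever the dissector is registered on.

```python
import struct

# Constructed sample of serialsnoop.sh output (not a real capture): one write to the
# aircraft and one read from it. Real dtrace output pads every tracemem dump to 512 bytes.
SAMPLE = """\
==+ DJIAssistant OUT 6 :
             0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
         0: de ad be ef c0 de 00 00 00 00 00 00 00 00 00 00  ................
==-
==+ DJIAssistant IN 4 :
             0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef
         0: ca fe f0 0d 00 00 00 00 00 00 00 00 00 00 00 00  ................
==-
"""

DLT_USER0 = 147  # assumption: private pcap link type; use the one the DUML dissector binds to


def parse_snoop(text):
    """Return a list of (process, direction, payload bytes) from serialsnoop.sh output."""
    frames, proc, direction, size, hexbytes = [], None, None, 0, []
    for line in text.splitlines():
        if line.startswith("==+"):                   # "==+ <proc> <IN|OUT> <size> :"
            parts = line.split()
            proc, direction, size = parts[1], parts[2], int(parts[3])
            hexbytes = []
        elif line.startswith("==-"):                 # end of block: keep only <size> real bytes
            frames.append((proc, direction, bytes(hexbytes[:size])))
        elif proc is not None and ":" in line:       # hex row: "<offset>: xx xx ...  ascii"
            row = line.split(":", 1)[1].split()[:16]
            hexbytes.extend(int(h, 16) for h in row)
    return frames


def to_pcap(frames, linktype=DLT_USER0):
    """Serialise frames as a little-endian pcap 2.4 file; direction is not preserved."""
    # global header: magic, major, minor, tz offset, sigfigs, snaplen, link type
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for seq, (_proc, _direction, payload) in enumerate(frames):
        # dtrace output carries no timestamps, so the sequence number stands in for seconds
        out += struct.pack("<IIII", seq, 0, len(payload), len(payload))
        out += payload
    return bytes(out)


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    sys.stdout.buffer.write(to_pcap(parse_snoop(text)))
```

Pipe the output of serialsnoop.sh's dtrace stage into this script and redirect stdout to a ''.pcap'' file to open it in Wireshark.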