Differences

This shows you the differences between two versions of the page.

--- howto:phantom-firmware-tools [2017/08/03 04:22]
czokie
+++ howto:phantom-firmware-tools [2019/02/17 06:18] (current)
kornvichs ToDo checked: DUML dumping has never worked for me on OSX. Need to understand how this could work including hardware required.
@@ Line 2: / Line 2: @@
 The firmware tools described below can be used to do all sorts of fun stuff on your DJI device. The two main things that are of interest here include sniffing and interpreting comms to your aircraft, and firmware tweaking.
-FIXME this is REALLY draft. Needs lots more work. Also, would be good to document how to do the hardware layer as intended in freaky's example.
 ===== 1. Toolchain =====
@@ Line 27: / Line 24: @@
 ===== 5. Capture some traffic =====
-  python3 comm_serial2pcap.py -b155200 -f /tmp/wsf /dev/tty.usbmodem* /dev/tty.usbmodem*
+  python3 comm_serial2pcap.py -b115200 -f /tmp/wsf /dev/tty.usbmodem* /dev/tty.usbmodem*
+The intent is for this command to sit between two serial ports, with serial breakout and capturing the serial TX and RX streams, being duplicated into two ports. I don't have a hardware breakout yet, so I have not yet tried this.
+===== 6. serialsnoop.sh =====
+The code below was created by jan2642 as an alternate way of sniffing duml. It is still a prototype at this stage but listed here to provide a way for Mac users to get some duml love.
+<file bash serialsnoop.sh>
+#!/bin/sh
+# Listen in on serial port connections.
+# (Note that max packet size is hardcoded to be 512)
+# Written by jan2642
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 <path to serial port>"
+fi
+/usr/sbin/dtrace -n '
+inline string PATHNAME	 = "'$1'";
+#pragma D option quiet
+#pragma D option switchrate=10hz
+/* #pragma D option bufpolicy=ring */
+dtrace:::BEGIN
+{
+}
+syscall::open:entry, syscall::open_nocancel:entry, syscall::open_extended:entry
+{
+    self->path = arg0;
+    self->file_open_in_progress = 1;
+}
+syscall::open:return, syscall::open_nocancel:return, syscall::open_extended:return
+/self->file_open_in_progress && (PATHNAME == copyinstr(self->path))/
+{
+    the_pid = pid;
+    the_fd = arg1;
+    self->path = 0;
+    self->file_open_in_progress = 0;
+}
+syscall::*read:entry
+/pid == the_pid && arg0 == the_fd/
+{
+    self->read_in_progress = 1;
+    self->read_ptr = arg1;
+}
+syscall::*read:return
+/self->read_in_progress/
+{
+    if (arg0 > 0) {
+        printf("==+ %s IN %d : ", execname, (int)arg0);
+        tracemem(copyin(self->read_ptr, arg0), 512);
+        printf("==-\n");
+    }
+    self->read_in_progress = 0;
+}
+syscall::*write:entry
+/pid == the_pid && arg0 == the_fd/
+{
+    if (arg2 > 0) {
+        printf("==+ %s OUT %d : ", execname, (int)arg2);
+        tracemem(copyin(arg1, arg2), 512);
+        printf("==-\n");
+    }
+}
+' 2> /dev/null | python -c '
+import sys
+def parse_block(buf):
+    lines = buf.split("\n");
+    meta = lines[0].split(" ")
+    proc = meta[1]
+    direction = meta[2]
+    size = int(meta[3])
+    print("%s %-3s %5d :" % (proc, direction, size)),
+    if size > 512:
+        size = 512
+    for i in xrange(0, (size / 16) + 1):
+        data = lines[2 + i].strip().split(" ")
+        remain = 16
+        if i == size / 16:
+            remain = size % 16
+        for j in xrange(0, remain):
+            print("%s" % data[j + 1]),
+    print("")
+for line in sys.stdin:
+    if line.startswith("==+"):
+        buf = "";
+    if line.startswith("==-"):
+        parse_block(buf)
+    buf += line
+'
+# vim: expandtab:ts=4:sw=4
+</file>
-The intent is for this command to sit between two serial ports, with serial breakout and capturing the serial TX and RX streams, being duplicated into two ports. I don't have a hardware breakout yet, so I have not yet tried this.
+===== Contribute =====
+<todo #kornvichs:2019-02-17>DUML dumping has never worked for me on OSX. Need to understand how this could work including hardware required.</todo>

User Tools

Site Tools

Differences

Page Tools