This repository has been archived by the owner on May 12, 2022. It is now read-only.

Mavic: Reverse Engineering

Kevin Elliott edited this page Nov 30, 2016 · 9 revisions

Hardware Specifications

| Component | Purpose | Details | Notes |
| --- | --- | --- | --- |
| Atheros AR6004 | Wifi | Spec Sheet, Data Sheet | Dual-band power-efficient 802.11a/b/g/n WLAN, 2.4 GHz and 5 GHz |
| Leadcore LC1860 | Camera, LTE (optional support) | Spec Sheet | Camera processing SoC. Looks to support LTE for optional external LTE transceiver. |
| Realtek RTL8723BS | Wifi, Bluetooth | Spec Sheet | Single-band 802.11b/g/n WLAN, Bluetooth 4.0 BLE, FM Radio (SDR?) |

Firmware Specifications

| Component | Purpose | Details | Notes |
| --- | --- | --- | --- |
| Android 4.4 | Operating System | | Used as a base OS for easy embedded support and low power |
| Custom Scripts | Feature integration | | A variety of in-house scripts integrate with different components, manage the system, update components, or otherwise ensure the system is running correctly |

Scripts

| Command | Purpose |
| --- | --- |
| adb_en.sh | Enable Android Debugging over USB. |
| aging_temp_monitor.sh | Factory aging test temperature monitor. |
| aging_test.sh | Factory aging test. |
| antenna_switch.sh | Switch between SDR and WIFI modes. |
| athsoftap.sh | Set up the Atheros wifi. |
| bmgr | Start Android bmgr. |
| camera-AP-308.cts | Show the camera preview at 1920x1088. |
| camera_stress.cts | Factory stress test for the camera. |
| check_1860_state.sh | Evaluate the state of the Leadcore 1860. |
| check_lmi42_state.sh | Evaluate the state of the LMI42. |
| dji_log_control.sh | DJI log control management. |
| dji_net.sh | Set up LMI42 network. |
| dji_vision_log_check.sh | Legacy? |
| efuse_dump_check.sh | Compare OTP dump to OTP reference. |
| efuse_enck.sh | Check EFUSE encryption. |
| efuse_step1.sh | Check OTP. |
| efuse_step2.sh | Does nothing now. Legacy. |
| factory_out_test.sh | Factory out test. Not used anymore. Legacy. |
| get_test_result.sh | Utility for determining if a test passes or not. |
| ime | Start Android ime. |
| input | Start Android input. (Why?) |
| in_whitelist.sh | Check against the whitelist. |
| lib_env.sh | Set up some common global variables. |
| lib_test.sh | Support routines for tests. |
| lib_test_cases.sh | Support routines for tests. |
| lib_test_stress.sh | Support routines for tests. |
| lib_test_utils.sh | Support routines for tests. |
| load_wifi_modules.sh | Load wifi driver kernel modules. |
| modem_info.sh | LMI42 modem support functionality. |
| monkey | Starts Android monkey. |
| nr.cl | OpenCL: Noise reduction algorithm. (TYPOS!) |
| otp_flag.sh | OTP flag commands. |
| panic_tombstone_check.sh | Panic/tombstone check support. |
| parse_logcat.sh | Logging for various services/modules. |
| part_check.sh | Check partitions and mounts. |
| pm | Start Android power management. |
| quit_offline_liveview.sh | Quit the quality test mode for live view. |
| recovery_update.sh | Ensure the recovery image is up to date. |
| secure_debug.sh | Enable secure debug (DJI backdoor). |
| set_country_code.sh | Store the country code. |
| set_test_result.sh | Factory test result output. |
| set_time.sh | Set the system time. |
| setup_usb_serial.sh | Set up Android Debugger USB. |
| start_dji_system.sh | Main DJI system startup procedure. |
| start_offline_liveview.sh | Start the quality set mode for live view. |
| stress_test.sh | Factory stress test. |
| svc | Start Android svc. |
| test_a9.sh | Diagnostic test: A9. (Android?) |
| test_a9_link.sh | Diagnostic test: A9 YUV, SD card, image sensor, etc. |
| test_a9_usb.sh | Diagnostic test: Ping computer from device. |
| test_boardsn.sh | Diagnostic test: Board serial number. |
| test_cam.sh | Diagnostic test: Camera. |
| test_cp_reset.sh | Diagnostic test: CP test reset. |
| test_cp_uav.sh | Diagnostic test: CP test. |
| test_cpld.sh | Diagnostic test: CPLD. (?) |
| test_enck.sh | Diagnostic test: Encrypt check. |
| test_fc.sh | Diagnostic test: Fly control. |
| test_fc_status.sh | Diagnostic test: Fly control status. |
| test_fc_usb.sh | Diagnostic test: Support for USB flight control. |
| test_flash.sh | Diagnostic test: Flash test. No longer used. Legacy. |
| test_get_psk.sh | Diagnostic test: WIFI PSK (not yet implemented). |
| test_get_ssid.sh | Diagnostic test: WIFI SSID (not yet implemented). |
| test_glass_key.sh | Diagnostic test: Glass key (does not exist; was mentioned in dji_sys binary). |
| test_m0.sh | Diagnostic test: M0. (?) |
| test_mac_addr.sh | Diagnostic test: WIFI MAC address. |
| test_mem.sh | Diagnostic test: Memory. |
| test_mp_stage.sh | Diagnostic test: MP stage. (?) |
| test_multi_enc.sh | Diagnostic test: Multi-encode. |
| test_ota.sh | Diagnostic test: Verify OTA image. |
| test_pair_key.sh | Diagnostic test: Pair key test. |
| test_productsn.sh | Diagnostic test: Product serial number. |
| test_sdr.sh | Diagnostic test: SDR network connection. |
| test_switch_gpio.sh | Diagnostic test: GPIO switch. |
| test_thermal.sh | Diagnostic test: Temperature of 1860, A9, PA. |
| test_uav.scr | Diagnostic test: Network speed tests. |
| test_ultra_reset_pin.sh | Diagnostic test: Some kind of GPIO pin reset test. (?) |
| test_wifi.sh | Diagnostic test: Wifi. |
| test_wifi_antenna.sh | Diagnostic test: Wifi signal strength. |
| test_wifi_init.sh | Diagnostic test: Init wifi for test. |
| test_wifi_link.sh | Diagnostic test: Wifi link. |
| wifi_debug.sh | Capture wifi debugging output. |
| wifi_ff_tx.sh | Start wifi fixed frequency transmit. |
| wifi_profiled_debug.sh | Capture profiled wifi log. |
| wl_link_judge.sh | Determine if board supports WIFI/SDR hardware switch. |

Binaries

| Command | Purpose |
| --- | --- |
| test_opencl_nr | Diagnostic test: OpenCL-based noise reduction. |

System Startup

  1. Check partitions.
  2. Set CPU affinity for eMMC.
  3. Set CPU affinity for DMA.
  4. Evaluate whether to be in SDR or WIFI mode.
  5. Set mode for SDR or WIFI based on previous result.
  6. Examine assert log for size and prune if larger than 32KB.
  7. Set number of SDRs to 1.
  8. Set debugging off.
  9. If engineering version:
    1. Set debugging on.
  10. If not engineering version:
    1. Look for system board in a whitelist and enable debugging if exists.
  11. If debugging is enabled:
    1. Turn on ADB (Android Debugger) over USB.
  12. If debugging is not enabled:
    1. Set USB to RNDIS, Mass Storage, Bulk, and ACM.
  13. Enable SDR logging.
  14. Set the IP address of the USB network interface (usb0).
  15. Set the IP address of the RNDIS network interface (rndis0).
  16. Create some directories if they don’t exist yet.
  17. Clear previous DHCP daemon leases.
  18. Start DHCP daemon (udhcpd).
  19. Start FTP server on all interfaces.
  20. Create some directories if they don’t exist yet.
  21. Clean up dump files.
    1. Move previous dumps to an incremented filename.
    2. Create new dump directory.
    3. Move the newest dump into place if it exists.
  22. Start the SDR network to the UAV.
  23. Start DJI services.
    1. Enable monitor service.
    2. Enable HDVT service.
    3. Enable encoding service.
    4. Enable system service.
  24. If there is an SSD:
    1. Loop 25 times attempting to mount the SSD.
  25. Enable vision service.
  26. Start the debugger daemon.
  27. Create some directories if they don’t exist yet.
  28. If the field trial is enabled:
    1. Enable libc malloc debug.
    2. Store logical to flash (for tracing issues).
  29. Set AMT state if it exists.
  30. Dump system/upgrade log to a special file:
    1. Remove upgrade log tarball (temporary file).
    2. Increment log filenames.
    3. Dump logcat to lowest log filename.
  31. If AMT state is FACTORY OUT:
    1. Remove old log.
    2. Test the FPGA up to 2 times.
    3. Set AMT state to FACTORY if it passes.
  32. When AMT state is FACTORY, AGING TEST, or FACTORY OUT:
    1. Kill encoding service.
  33. When AMT state is FACTORY:
    1. Enable writing to bootarea1 (for encoding).
  34. If filesystem test is enabled:
    1. Test the filesystem’s write capability.
  35. If wireless mode is SDR:
    1. Enable IP forwarding for IPV4.
    2. Forward packets between GLASS (bird?) and RC (remote control).
    3. Drop all other packets.
  36. If SDR testing is enabled:
    1. Test the SDR.
  37. If SDR testing is not enabled:
    1. If wireless mode is WIFI:
      1. Ensure that SSID is Mavic* not Maverick*.
      2. Set the PSK if it is configured, otherwise use the default (32ee9aa4).
      3. Set the MAC address if it is configured.
      4. Start the network service.
    2. If the wireless mode is not WIFI:
      1. Load the wifi modules. (Huh?)
  38. Update the recovery image (recovery.img).
  39. If AMT state is FACTORY, AGING TEST, or FACTORY OUT:
    1. Reset the wipe and crash counters.
    2. If AMT state is AGING TEST:
      1. Start the aging test.
    3. Exit from system startup.
  40. Log out fatal errors (up to 32MB) to a rotated file.
  41. Check to see if services are running and hard exit for any failure:
    1. System service (dji_sys)
    2. HDVT service (dji_hdvt_uav)
    3. Vision service (dji_vision)
    4. Monitor service (dji_monitor)
    5. Encoding service (dji_encoding)
  42. Clear the wipe and crash counters.
  43. Check the Leadcore LC1860 state.
  44. Check for panics and tombstones.
  45. Start wifi debug logs if the proper USB is inserted.
  46. Check to see whether to do an auto OTA upgrade test or not.
  47. Check to see whether to do an auto reboot test or not.
  48. Finished.

Wifi Switching

Switch between SDR and WIFI modes. This occurs in the script antenna_switch.sh.

First, for all modes:

GPIO pins 6, 7, 8 and 9 are exported.

Then, for SDR mode:

GPIO 6 and 8 are set to 0.
GPIO 7 and 9 are set to 1.

Otherwise, for WIFI mode:

GPIO 7 and 9 are set to 0.
GPIO 6 and 8 are set to 1.
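
The pin assignments above as shell functions that set a mode and read it back; this is an added example, not the contents of antenna_switch.sh. It assumes the Linux sysfs GPIO interface under /sys/class/gpio and a write to each pin's direction file, neither of which the page confirms, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not DJI's antenna_switch.sh.
# Assumption: pins are driven through the Linux sysfs GPIO interface.
# GPIO_ROOT can be overridden to exercise the logic on a scratch directory.
GPIO_ROOT="${GPIO_ROOT:-/sys/class/gpio}"

# Pin levels per mode, as listed on this page, as "pin=value" pairs.
mode_levels() {
    case "$1" in
        SDR)  echo "6=0 7=1 8=0 9=1" ;;
        WIFI) echo "6=1 7=0 8=1 9=0" ;;
        *)    return 1 ;;
    esac
}

# Export pins 6-9 (done for all modes), then drive them for the given mode.
set_antenna_mode() {
    levels=$(mode_levels "$1") || { echo "unknown mode: $1" >&2; return 1; }
    for pair in $levels; do
        pin=${pair%%=*}; val=${pair#*=}
        [ -d "$GPIO_ROOT/gpio$pin" ] || echo "$pin" > "$GPIO_ROOT/export"
        # Assumption: sysfs needs the pin configured as an output first.
        echo out > "$GPIO_ROOT/gpio$pin/direction"
        echo "$val" > "$GPIO_ROOT/gpio$pin/value"
    done
}

# Read the four pins back and name the mode. A state matching neither row
# (half-applied switch, unexported pin) is reported as INVALID, exit 1.
get_antenna_mode() {
    state=""
    for pin in 6 7 8 9; do
        val=$(cat "$GPIO_ROOT/gpio$pin/value" 2>/dev/null) || val="?"
        state="$state${state:+ }$pin=$val"
    done
    for mode in SDR WIFI; do
        if [ "$state" = "$(mode_levels "$mode")" ]; then
            echo "$mode"; return 0
        fi
    done
    echo "INVALID ($state)"
    return 1
}
```

The read-back matters because the two modes are exact complements across two pin pairs: a switch interrupted partway leaves a combination that is neither SDR nor WIFI.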

Networking

Networks

| Network | Purpose |
| --- | --- |
| 192.168.1.0/24 | A9 (Android?) |
| 192.168.2.0/24 | WIFI Mode |
| 192.168.41.0/24 | LMI42 |
| 192.168.42.0/24 | RNDIS |

A9 Network (192.168.1)

| Address | Purpose |
| --- | --- |
| 192.168.1.1 | |
| 192.168.1.2 | |
| 192.168.1.3 | USB on computer |
| 192.168.1.10 | USB on device |

WIFI Mode Network (192.168.2)

| Address | Purpose |
| --- | --- |
| 192.168.2.20-254 | Guest devices |

LMI42 Network (192.168.41)

| Address | Purpose |
| --- | --- |
| 192.168.41.1 | UAV over LMI42 |
| 192.168.41.2 | GND (RC) over LMI42 |
| 192.168.41.3 | GLASS over LMI42 |

RNDIS Network (192.168.42)

| Address | Purpose |
| --- | --- |
| ? | ? |