
Demystifying the communication protocol (2)

A project log for DJI FPV - 6S Battery Compatibility Mod [Part 1]

I'm trying to mod/recreate the DJI FPV battery to use regular 6S lipo batteries. In a first attempt I try to replace the lipo cells.

AirCruiser, 05/22/2022 at 11:20, 0 Comments

Learn to speak dronish

Since my last post, I've recorded many drone <> battery communications, trying to decode the vocabulary and grammar. As mentioned, https://b3yond.d3vl.com/duml/ is a good place to start decoding the DUML (DJI Universal Markup Language) messages sent between the drone and the battery. A major disadvantage of this website is that the data fields cannot be decoded. So you are told what the subject of the message is (e.g. battery request), but not the exact information that is being transmitted. Furthermore, since there is no official documentation of DUML and all knowledge about it is reverse engineered, this website is unable to decode every message. But this is a problem common to all the sources I found.

In this log, I don't want to discuss every aspect of DUML in detail. If you want to learn more about it, there are some really great resources. For example, a master's thesis by Thomas Christof and a related blog: https://epub.jku.at/obvulihs/download/pdf/6966648?originalFilename=true

A great collection of different tools for DJI firmware that also covers DUML:
https://github.com/o-gs/dji-firmware-tools/

This includes the Comm Dissector, which can be used to analyze communication with the DJI drone via Wireshark:
https://github.com/o-gs/dji-firmware-tools/tree/master/comm_dissector

Also helpful if you want to learn how to decode and encode DUML messages:
https://github.com/fpv-wtf/margerine/blob/master/src/packer.js

With these sources and some great hints and advice (thanks to Joonas and bri3d) I learned to decode and encode DUML messages on my own.


Spoiler warning: In this log I will tell you many things that I have observed. But I really understand very little of it in detail.

Structure of a DUML message

DUML messages have a well-defined structure, from which it follows that they are at least 13 bytes long. There is a header, an address part and a data part. A checksum of the header (CRC8) and a checksum of the entire message (CRC16) are also transmitted.

Byte       |Bits|Field            |Value and how to extract it (C/C++)
-----------|----|-----------------|-------------------------------------------------------------------
0          | 8  |Delimiter        |Fixed value 0x55
1 + 2      |10  |Packet Length    |Length of the entire DUML frame in bytes, little endian
           |    |                 |Length = ((duml[2] << 8) | duml[1]) & 1023;
2          | 6  |Protocol Version |Fixed value 0x01 (the upper 6 bits of byte 2)
           |    |                 |Version = duml[2] >> 2;
3          | 8  |Header CRC8      |CRC8 over bytes 0 to 2: custom initial value (0x77) and
           |    |                 |non-standard lookup table
4          | 5  |Sender Type      |SenderType = duml[4] & 31;
4          | 3  |Sender ID        |SenderID = duml[4] >> 5;
5          | 5  |Receiver Type    |ReceiverType = duml[5] & 31;
5          | 3  |Receiver ID      |ReceiverID = duml[5] >> 5;
6 + 7      |16  |Sequence Number  |16-bit integer, little endian
           |    |                 |SeqNum = (duml[7] << 8) | duml[6];
8          | 1  |Command Type     |Request: 0, Response: 1 (bit 7)
           |    |                 |CmdType = duml[8] >> 7;
8          | 2  |Acknowledgement  |No ACK: 0, ACK before exec: 1, ACK after exec: 2 (bits 5 and 6)
           |    |                 |ACK = (duml[8] >> 5) & 3;
8          | 3  |Encryption       |None: 0, AES 128: 1, Self Def: 2, Xor: 3, DES 56: 4, DES 112: 5,
           |    |                 |AES 192: 6, AES 256: 7 (bits 0 to 2; bits 3 and 4 are unused and
           |    |                 |always 0 in the captures; DJI FPV only uses None)
           |    |                 |Encryption = duml[8] & 7;
9          | 8  |Command Set      |Defines the set of commands between sender and receiver
10         | 8  |Command ID       |Command to be executed
11 .. 10+n |8*n |Payload          |Data transmitted (n bytes, n >= 0)
11+n, 12+n |16  |Packet CRC16     |CRC16 over bytes 0 to 10+n: custom initial value (0x3692) and
           |    |                 |non-standard lookup table, little endian
           |    |                 |CRC16 = (duml[12+n] << 8) | duml[11+n];

The acknowledgement values 0/1/2 are the ones printed in the ACK column of the capture tables further down: byte 8 = 0x20 gives 1 ("Yes BP"), 0x40 gives 2 ("ACK"), 0x00 gives 0 ("No ACK"), and 0x80 marks a response.


As I know, byte decomposition, bitwise operations and things like that can be a bit confusing the first time. So I tried to show the translation of a DUML message into the values we are interested in a little more graphically. For this example we take the short DUML message "550E0466030BE322400D1900E0FE". In the upper row you find the byte and hex value information, below that the representation in bits. The background color of the bits indicates the information they represent. I tried to give each piece of information its own color. For example, the bits that encode the length of the DUML message are blue, while the version bits are yellow. Below that are boxes with the information on how the values are calculated from the bits, each in the corresponding color.

I don't know if this more graphical representation helps. So let me know.

But what do the duml messages want to tell us? Who communicates with whom? What is the context and what is the content? Is this a question, an answer or just some information?

The delimiter, version and the CRC8/CRC16 checksums are self-explanatory. So let's look at the rest. As you can imagine, sender/receiver type indicate the type of devices communicating. There are many different devices in the drone, but only a few communicate with the battery. In the captures in this log these are the flight controller FLYC (type 3), the GIMBAL (type 4) and the PMU (type 29); the battery itself is type 11.

It seems that there can be several instances of the same device type. Therefore, the sender/receiver ID identifies the particular device (in the captures below the battery, FLYC and gimbal all have ID 0, while the PMU appears with ID 7).

Now we know that the flight controller (3) is asking the battery (11) something. There are different command sets (CmdSets) that define the possible executable commands (CmdIDs). Unfortunately, the lists/interpretations of command sets and command IDs are very incomplete. What I was able to collect from the sources mentioned and to interpret from the communication behavior is the following:

In our example the CmdSet is 13, so we know the smart battery command set is being used. But now we get to the point where things get complicated. I couldn't find any further information about CmdID 25. Unfortunately there are many unknown commands, as you can see in the listing above. Besides the "unknown" commands, some are marked with "(???)". This indicates that I'm not entirely sure, but think they have roughly the named function. There seem to be some requests that are repeated frequently, always with the same answer. So I guess they're like "are you still alive?" pings. If you know more, please let me know.
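To make the table above concrete, here is a parser and encoder for the frame layout it describes, applied to the example message "550E0466030BE322400D1900E0FE" and to one of the captured BATT PING 1 requests. This is an added example written for this log, not code from DJI or from the tools linked above. The CRC parameters are my identification, checked against the captured frames: the header CRC8 uses the reflected polynomial 0x8C (the Dallas/Maxim 1-Wire polynomial) with initial value 0x77, the packet CRC16 uses the reflected polynomial 0x8408 with initial value 0x3692, neither has a final XOR, and the CRC16 is sent little endian. The device names are only the ones that appear in the captures here.

```python
"""Parse and build DUML v1 frames like the ones captured in this log.

Added example written for this log; it is not code from DJI or from the tools
linked above. CRC parameters are my identification, checked against the
captured frames: CRC8 over bytes 0..2 (reflected poly 0x8C, init 0x77) and
CRC16 over everything before the last two bytes (reflected poly 0x8408,
init 0x3692), no final XOR, CRC16 little-endian on the wire.
"""
from dataclasses import dataclass

SOF = 0x55
DEVICE = {3: "FLYC", 4: "GIMBAL", 11: "BATTERY", 29: "PMU"}  # types seen in the captures
ACK_NAME = {0: "No ACK", 1: "ACK before exec", 2: "ACK after exec"}


def crc8_duml(data: bytes, init: int = 0x77) -> int:
    """Header checksum, bit-serial form of the 'non-standard lookup table'."""
    crc = init
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8C if crc & 1 else crc >> 1
    return crc


def crc16_duml(data: bytes, init: int = 0x3692) -> int:
    """Packet checksum over header, command bytes and payload."""
    crc = init
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


@dataclass
class Duml:
    sender_type: int
    sender_id: int
    receiver_type: int
    receiver_id: int
    seq: int
    is_response: bool
    ack: int
    encryption: int
    cmdset: int
    cmdid: int
    payload: bytes


def parse_duml(raw: bytes) -> Duml:
    """Split a frame into its fields; reject bad delimiter, length, version or CRC."""
    if len(raw) < 13 or raw[0] != SOF:
        raise ValueError("not a DUML frame")
    length = ((raw[2] << 8) | raw[1]) & 0x3FF  # 10-bit length, little endian
    version = raw[2] >> 2                      # upper 6 bits of byte 2
    if length != len(raw) or version != 1:
        raise ValueError(f"bad length {length} or version {version}")
    if crc8_duml(raw[:3]) != raw[3]:
        raise ValueError("header CRC8 mismatch")
    if crc16_duml(raw[:-2]) != int.from_bytes(raw[-2:], "little"):
        raise ValueError("packet CRC16 mismatch")
    attr = raw[8]                              # command type | ack | encryption
    return Duml(
        sender_type=raw[4] & 0x1F, sender_id=raw[4] >> 5,
        receiver_type=raw[5] & 0x1F, receiver_id=raw[5] >> 5,
        seq=int.from_bytes(raw[6:8], "little"),
        is_response=bool(attr & 0x80), ack=(attr >> 5) & 3, encryption=attr & 7,
        cmdset=raw[9], cmdid=raw[10], payload=bytes(raw[11:-2]),
    )


def build_duml(sender_type: int, sender_id: int, receiver_type: int, receiver_id: int,
               seq: int, cmdset: int, cmdid: int, payload: bytes = b"",
               is_response: bool = False, ack: int = 0, encryption: int = 0) -> bytes:
    """Inverse of parse_duml: header with CRC8, addresses, attr, command, payload, CRC16."""
    length = 13 + len(payload)
    if length > 0x3FF:
        raise ValueError("payload too long for the 10-bit length field")
    head = bytes([SOF, length & 0xFF, (1 << 2) | (length >> 8)])  # version 1 in the upper bits
    head += bytes([crc8_duml(head)])
    body = bytes([(sender_id << 5) | (sender_type & 0x1F), (receiver_id << 5) | (receiver_type & 0x1F)])
    body += seq.to_bytes(2, "little")
    body += bytes([(int(is_response) << 7) | ((ack & 3) << 5) | (encryption & 7), cmdset, cmdid])
    frame = head + body + payload
    return frame + crc16_duml(frame).to_bytes(2, "little")


def describe(p: Duml) -> str:
    """One-line summary in the style of the capture tables in this log."""
    kind = "ACK" if p.is_response else "Req"
    src = f"{DEVICE.get(p.sender_type, '?')}[{p.sender_type}]({p.sender_id})"
    dst = f"{DEVICE.get(p.receiver_type, '?')}[{p.receiver_type}]({p.receiver_id})"
    return (f"{kind} from {src} to {dst} CmdSet {p.cmdset} CmdID {p.cmdid} SQ {p.seq} "
            f"{ACK_NAME.get(p.ack, p.ack)} payload {p.payload.hex()}")


if __name__ == "__main__":
    for hexframe in ("550E0466030BE322400D1900E0FE", "550E0466030BB603400D1900D3C1"):
        print(describe(parse_duml(bytes.fromhex(hexframe))))
```

Building the BATT PING 1 request with build_duml(3, 0, 11, 0, 950, 13, 25, b"\x00", ack=2) reproduces the captured bytes 550E0466030BB603400D1900D3C1 exactly, CRCs included, which is the check that the table and the CRC parameters are right. Flipping any payload bit makes parse_duml reject the frame on the CRC16, so a replayed or home-made battery message has to carry correct checksums before the drone side will even look at it.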


Getting the bigger picture

Now that we know how to read the messages, let's take a look at the whole communication and the context of the messages. In principle I would distinguish between the "initialization phase" (a few seconds) of the drone, the "normal operating mode" and the "error mode".

During the "initialization phase" some general information about the battery is transmitted to the drone and an authentication process is executed. But in principle you can say the "initialization phase" is much like the "normal operating mode" with some additional commands.

Let's take a look at the first 100 DUML messages (about 4.5 seconds):

N |Timestamp  |Req/ACK from Sender[Type](ID) to Receiver[Type](ID)|Command set         |Command ID                        |Seq.Num. |ACK type         |Length |raw duml
--|-----------|----------------------------------------------------|--------------------|----------------------------------|---------|-----------------|-------|---------------------------------------------------------------------------------------------------------------------
0 0.0000      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
1 0.0023      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
2 0.0167      Req from GIMBAL [04](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:    11  ACK: ACK    (2)  Len: 17 55110492040B0B00400D02A081062079A1
3 0.0185      ACK from BATTERY[11](0) to GIMBAL [04](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:    11  ACK: No ACK (0)  Len: 54 5536043D0B040B00800D0200A05F62000094FEFFFF8407000084070000EC00066400000000030000001301640000B803170400004075
4 0.1993      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
5 0.2011      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
6 0.3993      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
7 0.4191      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
8 0.5992      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
9 0.6023      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
10 0.7992      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
11 0.8013      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
12 0.9367      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:   950  ACK: ACK    (2)  Len: 14 550E0466030BB603400D1900D3C1
13 0.9558      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:   950  ACK: No ACK (0)  Len: 14 550E04660B03B603800D19005A09
14 0.9767      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:   995  ACK: ACK    (2)  Len: 17 55110492030BE303400D0200000000D7A0
15 0.9798      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:   995  ACK: No ACK (0)  Len: 54 5536043D0B03E303800D020000DA61000070FAFFFF8C0700008C070000EC00066400000000030000001301640000B80317040000DFC0
16 0.9967      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetBarCode [04]         SQ:   996  ACK: ACK    (2)  Len: 22 551604FC030BE403400D0400000000000000000053C7
17 0.9999      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: GetBarCode [04]         SQ:   996  ACK: No ACK (0)  Len: 32 5520047B0B03E403800D0400000E333757504B314241413130314B30000019B8
18 1.0167      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushCellVoltage[03]  SQ:  1023  ACK: Yes BP (1)  Len: 17 55110492030BFF03200D030100000016AC
19 1.0199      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushCellVoltage[03]  SQ:  1023  ACK: No ACK (0)  Len: 28 551C041B0B03FF03800D0300000644104010411059105D105E10E330
20 1.0367      Req from GIMBAL [04](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:  1034  ACK: ACK    (2)  Len: 17 55110492040B0A04400D02A08106205AFA
21 1.0400      ACK from BATTERY[11](0) to GIMBAL [04](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:  1034  ACK: No ACK (0)  Len: 54 5536043D0B040A04800D0200A0DA61000070FAFFFF8C0700008C070000EC00066400000000030000001301640000B80317040000215C
22 1.0567      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
23 1.0583      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
24 1.2567      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
25 1.2598      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
26 1.4566      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:   950  ACK: ACK    (2)  Len: 14 550E0466030BB603400D1900D3C1
27 1.4590      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:   950  ACK: No ACK (0)  Len: 14 550E04660B03B603800D19005A09
28 1.4766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
29 1.4790      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
30 1.6766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
31 1.6788      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
32 1.8766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
33 1.9266      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
34 1.9366      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:  1952  ACK: ACK    (2)  Len: 14 550E0466030BA007400D190089B6
35 1.9398      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:  1952  ACK: No ACK (0)  Len: 14 550E04660B03A007800D1900007E
36 1.9766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:  1995  ACK: ACK    (2)  Len: 17 55110492030BCB07400D0200000000FA3E
37 1.9799      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:  1995  ACK: No ACK (0)  Len: 54 5536043D0B03CB07800D020000A26100007CF7FFFF8C0700008C070000EC00066400000000030000001301640000B80317040000C50D
38 1.9967      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushCellVoltage[03]  SQ:  2021  ACK: Yes BP (1)  Len: 17 55110492030BE507200D03010000006CA1
39 1.9999      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushCellVoltage[03]  SQ:  2021  ACK: No ACK (0)  Len: 28 551C041B0B03E507800D030000064D104810441043103D103F101573
40 2.0166      Req from GIMBAL [04](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:  2031  ACK: ACK    (2)  Len: 17 55110492040BEF07400D02A08106201FD7
41 2.0184      ACK from BATTERY[11](0) to GIMBAL [04](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:  2031  ACK: No ACK (0)  Len: 54 5536043D0B04EF07800D0200A0A26100007CF7FFFF8C0700008C070000EC00066400000000030000001301640000B80317040000A5BE
42 2.0766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
43 2.0785      Req from BATTERY[11](0) to FLYC   [03](0) CMDset: LOG/MON [14]      CMDID[14]: Battery(unknown) [1]    SQ: 12993  ACK: Yes BP (1)  Len: 17 551104920B03C132200E01020201008255
44 2.0966      ACK from FLYC   [03](0) to BATTERY[11](0) CMDset: LOG/MON [14]      CMDID[14]: Battery(unknown) [1]    SQ: 12993  ACK: No ACK (0)  Len: 18 551204C7030BC132800E01000688130280F6
45 2.2766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
46 2.2792      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
47 2.4566      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:  1952  ACK: ACK    (2)  Len: 14 550E0466030BA007400D190089B6
48 2.4598      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:  1952  ACK: No ACK (0)  Len: 14 550E04660B03A007800D1900007E
49 2.4766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
50 2.4885      Req from BATTERY[11](0) to FLYC   [03](0) CMDset: LOG/MON [14]      CMDID[14]: Battery(unknown) [1]    SQ: 12994  ACK: Yes BP (1)  Len: 17 551104920B03C232200E010102010048A6
51 2.4966      ACK from FLYC   [03](0) to BATTERY[11](0) CMDset: LOG/MON [14]      CMDID[14]: Battery(unknown) [1]    SQ: 12994  ACK: No ACK (0)  Len: 18 551204C7030BC232800E010006891301AEEA
52 2.6766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
53 2.6797      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
54 2.8766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
55 2.8786      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
56 2.9366      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:  2952  ACK: ACK    (2)  Len: 14 550E0466030B880B400D19008165
57 2.9389      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:  2952  ACK: No ACK (0)  Len: 14 550E04660B03880B800D190008AD
58 2.9566      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetStatic [01]          SQ:  2973  ACK: Yes BP (1)  Len: 22 551604FC030B9D0B200D0101000000000000000023E6
59 2.9592      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: GetStatic [01]          SQ:  2973  ACK: No ACK (0)  Len: 54 5536043D0B039D0B800D010001280800000200706200002854DB0341544C204E5654202020574D31373014000021270000010072C286
60 2.9766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:  2997  ACK: ACK    (2)  Len: 17 55110492030BB50B400D02000000008330
61 3.0036      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:  2997  ACK: No ACK (0)  Len: 54 5536043D0B03B50B800D0200008361000068EFFFFF8C0700008C070000ED00066400000000030000001301640000BC031B0400008509
62 3.0166      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushCellVoltage[03]  SQ:  3023  ACK: Yes BP (1)  Len: 17 55110492030BCF0B200D03010000000789
63 3.0192      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushCellVoltage[03]  SQ:  3023  ACK: No ACK (0)  Len: 28 551C041B0B03CF0B800D030000063E103F10411045103F104110A902
64 3.0366      Req from GIMBAL [04](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:  3033  ACK: ACK    (2)  Len: 17 55110492040BD90B400D02A0810620CF40
65 3.0393      ACK from BATTERY[11](0) to GIMBAL [04](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:  3033  ACK: No ACK (0)  Len: 54 5536043D0B04D90B800D0200A08361000068EFFFFF8C0700008C070000ED00066400000000030000001301640000BC031B040000132A
66 3.0766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
67 3.0793      Req from BATTERY[11](0) to FLYC   [03](0) CMDset: LOG/MON [14]      CMDID[14]: Battery(unknown) [1]    SQ: 12995  ACK: Yes BP (1)  Len: 17 551104920B03C332200E010202010078CE
68 3.0966      ACK from FLYC   [03](0) to BATTERY[11](0) CMDset: LOG/MON [14]      CMDID[14]: Battery(unknown) [1]    SQ: 12995  ACK: No ACK (0)  Len: 18 551204C7030BC332800E010004881302B897
69 3.2766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
70 3.2792      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
71 3.4566      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:  2952  ACK: ACK    (2)  Len: 14 550E0466030B880B400D19008165
72 3.4581      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:  2952  ACK: No ACK (0)  Len: 14 550E04660B03880B800D190008AD
73 3.4766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
74 3.4781      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
75 3.6766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
76 3.6789      Req from BATTERY[11](0) to FLYC   [03](0) CMDset: LOG/MON [14]      CMDID[14]: Battery(unknown) [1]    SQ: 12996  ACK: Yes BP (1)  Len: 17 551104920B03C432200E01010201005702
77 3.6966      ACK from FLYC   [03](0) to BATTERY[11](0) CMDset: LOG/MON [14]      CMDID[14]: Battery(unknown) [1]    SQ: 12996  ACK: No ACK (0)  Len: 18 551204C7030BC432800E0100048913010A3B
78 3.8766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
79 3.8796      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
80 3.9366      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:  3998  ACK: ACK    (2)  Len: 14 550E0466030B9E0F400D1900DB12
81 3.9381      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:  3998  ACK: No ACK (0)  Len: 14 550E04660B039E0F800D190052DA
82 3.9766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:  4044  ACK: ACK    (2)  Len: 17 55110492030BCC0F400D0200000000A4FA
83 3.9792      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:  4044  ACK: No ACK (0)  Len: 54 5536043D0B03CC0F800D0200004E61000028F1FFFF8C0700008C070000ED00066400000000030000001301640000BC031B040000F05D
84 3.9966      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushCellVoltage[03]  SQ:  4071  ACK: Yes BP (1)  Len: 17 55110492030BE70F200D03010000002A17
85 3.9992      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushCellVoltage[03]  SQ:  4071  ACK: No ACK (0)  Len: 28 551C041B0B03E70F800D03000006381039103B103E10381038107E7F
86 4.0166      Req from GIMBAL [04](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:  4082  ACK: ACK    (2)  Len: 17 55110492040BF20F400D02A0810620E508
87 4.0358      ACK from BATTERY[11](0) to GIMBAL [04](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ:  4082  ACK: No ACK (0)  Len: 54 5536043D0B04F20F800D0200A04E61000028F1FFFF8C0700008C070000ED00066400000000030000001301640000BC031B040000D115
88 4.0566      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: Authentication [35]     SQ:  4101  ACK: ACK    (2)  Len: 16 55100456030B0510400D230002103F59
89 4.0594      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: Authentication [35]     SQ:  4101  ACK: No ACK (0)  Len: 16 551004560B030510800D23000210AF48
90 4.0766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
91 4.1427      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
92 4.1566      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: Authentication [35]     SQ:  4186  ACK: ACK    (2)  Len: 16 55100456030B5A10400D23000310DCCF
93 4.1591      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: Authentication [35]     SQ:  4186  ACK: No ACK (0)  Len:
94 4.2316      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: Authentication [35]     SQ:  4330  ACK: ACK    (2)  Len: 36 55240440030BEA10400D23000010E0160900903E727C9077C15B90A71DE890A7EE15D9E2
95 4.2361      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: Authentication [35]     SQ:  4330  ACK: No ACK (0)  Len: 16 551004560B03EA10800D230000104ED2
96 4.2766      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
97 4.2784      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
98 4.4566      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:  3998  ACK: ACK    (2)  Len: 14 550E0466030B9E0F400D1900DB12
99 4.4593      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ:  3998  ACK: No ACK (0)  Len: 14 550E04660B039E0F800D190052DA

Sure, a lot of information, but basically you can boil it down to this: there is a loop with a period of about 1 second in which the FLYC and the gimbal ask for some battery information (GetPushDynamicData [CmdSet 13, CmdID 2]). Furthermore, the cell voltages are checked by the FLYC (GetPushCellVoltage [CmdSet 13, CmdID 3]). In between there are some pings (?) from the FLYC to the battery (BATT PING 1 [CmdSet 13, CmdID 25], BATT PING 2 [CmdSet 13, CmdID 67]). These pings always work the same way. With BATT PING 1, the data "00" is sent and the battery responds with "00". With BATT PING 2, the data "0000" is sent and the battery responds with "11" (note that BATT PING 2 also always carries the same sequence number, 10004, and asks for no ACK, while the other requests count their sequence numbers up). At this point I would like to make it clear that I interpret these messages as pings, since they always appear to have the same effect and no "real" information is transmitted. Just some kind of "Are you there?" and "Yes, I'm still here". But that could be a careless misreading on my part. Perhaps there are situations where other information is exchanged.

After the authentication (approx. 4.9 seconds after start), an additional ping ("Battery Ping???" [CmdSet 14, CmdID 2]) from the FLYC to the battery with the data "00" occurs in the loops. The response from the battery is "0001" every time. But just before [CmdSet 14, CmdID 33] runs for the first time (55.3 seconds after startup), "Battery Ping???" stops.

About 10.2 seconds after the drone is switched on, there appears to be some sort of start signal from the PMU to the battery: CmdSet 33, CmdID 5 with the data "01", which the battery acknowledges with "00". After that, the battery sends a request to the PMU within each loop (CmdSet 33, CmdID 6). The first payload is "002e80", the second "002f80". And the third? You guessed it: "003080". The second payload byte counts up, starting at 0x2e (dec: 46); in the "normal operating mode" table below it has already reached 0x57.

However, there is also a command with a longer period: about every 3 seconds there is a GetStatic (CmdSet 13, CmdID 1) request from the FLYC to the battery with the payload "010000000000000000". The answer is "0001280800000400706200002854db0341544c204e5654202020574d31373014000021270000010072" in most cases, but in some runs byte 7 (counting from 0) is "02" instead of "04". Besides some undecoded bytes, this hex string contains the ASCII string "ATL NVT   WM170". "WM170" is the model number of the DJI FPV Racer.
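The pings with constant payloads, the GetStatic reply with its model string and the cell voltage check from the loop described above can all be pulled out of the raw hex in the table with a few lines of code. This is an added example for this log, not the project's own code; the frames are copied from the capture table above. The payload layouts are my reading of those bytes, not documented DJI structures: I take the GetPushCellVoltage reply to be two status bytes, a cell count and then that many little-endian 16-bit millivolt values, and the GetPushDynamicData reply to carry the pack voltage in mV as a little-endian 32-bit value at byte 2, followed (assumed) by a signed current in mA at byte 6. The only support for the voltage reading is the sanity check in the code: the six cell voltages from the 1.02 s reply add up to 25049 mV and the dynamic data reply from 0.98 s says 25050 mV. The current sign is unverified.

```python
"""Decode the battery payloads from the captures in this log.

Added example for this log, not the project's own code. Frames are copied from
the capture table above; the payload layouts are my reading of those bytes
(see the comments), not documented DJI structures.
"""
import struct
from collections import defaultdict

# (direction, raw hex) pairs copied from the capture table in this log.
CAPTURE = [
    ("FLYC->BATT", "550E0466030BB603400D1900D3C1"),    # BATT PING 1 request, 0.94 s
    ("BATT->FLYC", "550E04660B03B603800D19005A09"),    # BATT PING 1 reply
    ("FLYC->BATT", "550E0466030BA007400D190089B6"),    # BATT PING 1 request, 1.94 s
    ("BATT->FLYC", "550E04660B03A007800D1900007E"),    # BATT PING 1 reply
    ("FLYC->BATT", "550F04A2030B1427000D430000C154"),  # BATT PING 2 request
    ("BATT->FLYC", "550E04660B031427800D4311C0E3"),    # BATT PING 2 reply
    ("BATT->FLYC", "5536043D0B03E303800D020000DA61000070FAFFFF8C0700008C070000EC00066400000000030000001301640000B80317040000DFC0"),  # GetPushDynamicData reply, 0.98 s
    ("BATT->FLYC", "551C041B0B03FF03800D0300000644104010411059105D105E10E330"),  # GetPushCellVoltage reply, 1.02 s
    ("BATT->FLYC", "5536043D0B039D0B800D010001280800000200706200002854DB0341544C204E5654202020574D31373014000021270000010072C286"),  # GetStatic reply, 2.96 s
]


def fields(raw_hex: str):
    """(cmdset, cmdid, is_response, payload) of a frame; CRCs are not re-checked here."""
    b = bytes.fromhex(raw_hex)
    return b[9], b[10], bool(b[8] & 0x80), b[11:-2]


def cell_voltages_mv(payload: bytes) -> list:
    """Assumed layout: 2 status bytes, cell count, then count x uint16 LE in mV."""
    n = payload[2]
    return list(struct.unpack_from(f"<{n}H", payload, 3))


def pack_voltage_mv(payload: bytes) -> int:
    """Assumed layout: 2 status bytes, then uint32 LE pack voltage in mV."""
    return struct.unpack_from("<I", payload, 2)[0]


def pack_current_ma(payload: bytes) -> int:
    """Assumed: int32 LE at byte 6, negative while the drone draws current."""
    return struct.unpack_from("<i", payload, 6)[0]


def ascii_runs(payload: bytes, min_len: int = 4) -> list:
    """Printable runs of at least min_len characters, e.g. the model string in GetStatic."""
    runs, cur = [], []
    for b in payload + b"\x00":  # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(chr(b))
        else:
            if len(cur) >= min_len:
                runs.append("".join(cur))
            cur = []
    return runs


def payloads_by_command(capture) -> dict:
    """Distinct payloads per (cmdset, cmdid, Req/ACK): a ping should show exactly one."""
    seen = defaultdict(set)
    for _, raw in capture:
        cs, ci, resp, pl = fields(raw)
        seen[(cs, ci, "ACK" if resp else "Req")].add(pl.hex())
    return {key: sorted(vals) for key, vals in seen.items()}


def decode(capture) -> dict:
    """Pull the interpretable values out of the smart-battery (CmdSet 13) replies."""
    out = {}
    for _, raw in capture:
        cs, ci, resp, pl = fields(raw)
        if (cs, ci, resp) == (13, 3, True):
            out["cells_mv"] = cell_voltages_mv(pl)
        elif (cs, ci, resp) == (13, 2, True):
            out["pack_mv"] = pack_voltage_mv(pl)
            out["current_ma"] = pack_current_ma(pl)
        elif (cs, ci, resp) == (13, 1, True):
            out["strings"] = ascii_runs(pl)
    return out


if __name__ == "__main__":
    d = decode(CAPTURE)
    print(d, "sum of cells:", sum(d["cells_mv"]), "mV")
    for key, vals in payloads_by_command(CAPTURE).items():
        print(key, vals)
```

For a 6S battery replacement this is the part that matters: whatever answers the FLYC has to return six plausible cell voltages whose sum matches the pack voltage it reports in the dynamic data, otherwise the two checks the drone runs every second contradict each other. payloads_by_command is the quick test for the "ping" hypothesis on a longer capture: a command that only ever carries one request payload and one reply payload is carrying no information.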

Later, during the "normal operating mode" the cycles look much like this:

N   |Timestamp   |Req/ACK from Sender[Type](ID) to Receiver[Type](ID)|Command set         |Command ID                        |Seq.Num. |ACK type         |Length |raw duml
----|------------|----------------------------------------------------|--------------------|----------------------------------|---------|-----------------|-------|---------------------------------------------------------------------------------------------------------------------
1300 56.9949      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ: 54992  ACK: ACK    (2)  Len: 17 55110492030BD0D6400D0200000000771C
1301 56.9968      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ: 54992  ACK: No ACK (0)  Len: 54 5536043D0B03D0D6800D020000EB61000028FDFFFF8C07000080070000F400066400000000030000001301640000D3033404000058CC
1302 57.0149      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushCellVoltage[03]  SQ: 55041  ACK: Yes BP (1)  Len: 17 55110492030B01D7200D03010000006FBE
1303 57.0168      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushCellVoltage[03]  SQ: 55041  ACK: No ACK (0)  Len: 28 551C041B0B0301D7800D03000006521051105110551050105210CDA9
1304 57.0349      Req from GIMBAL [04](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ: 55048  ACK: ACK    (2)  Len: 17 55110492040B08D7400D02A08106201B1E
1305 57.0369      ACK from BATTERY[11](0) to GIMBAL [04](0) CMDset: SBATTERY[13]      CMDID[13]: GetPushDynamicData[02]  SQ: 55048  ACK: No ACK (0)  Len: 54 5536043D0B0408D7800D0200A0EB61000028FDFFFF8C07000080070000F400066400000000030000001301640000D3033404000073B8
1306 57.0949      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
1307 57.0970      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
1308 57.2949      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
1309 57.2976      Req from BATTERY[11](0) to PMU_ID7[29](7) CMDset: PMU(???)[33]      CMDID[33]: Ping??? [6]             SQ: 13138  ACK: No ACK (0)  Len: 16 551004560BFD5233002106005780C81A
1310 57.4548      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ: 54884  ACK: ACK    (2)  Len: 14 550E0466030B64D6400D19002555
1311 57.4755      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ: 54884  ACK: No ACK (0)  Len: 14 550E04660B0364D6800D1900AC9D
1312 57.4949      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
1313 57.4985      Req from BATTERY[11](0) to FLYC   [03](0) CMDset: LOG/MON [14]      CMDID[14]: DLog Battery Data [34]  SQ: 13139  ACK: Yes BP (1)  Len: 135 558704FB0B035333200E22891377030300000E048C078007F400531051105110541050105210020030FDFFFFC561D2610000EB6100000001380800000300030000004001400046004E003100380046003600370036003A00450053009A004C013600000000000000000034FDFFFF2CFDFFFF24FDFFFF28FDFFFF28FDFFFF30FDFFFF018C075436
1314 57.5148      ACK from FLYC   [03](0) to BATTERY[11](0) CMDset: LOG/MON [14]      CMDID[14]: DLog Battery Data [34]  SQ: 13139  ACK: No ACK (0)  Len: 17 55110492030B5333800E22000089131CD5
1315 57.6948      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
1316 57.6968      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 14 550E04660B031427800D4311C0E3
1317 57.8948      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 2 [67]        SQ: 10004  ACK: No ACK (0)  Len: 15 550F04A2030B1427000D430000C154
1318 57.8975      Req from BATTERY[11](0) to FLYC   [03](0) CMDset: LOG/MON [14]      CMDID[14]: DLog Battery Data [34]  SQ: 13140  ACK: Yes BP (1)  Len: 148 559404420B035433200E2288138400000000000000005902070059020700990364000E0044104010411059105D105E108C078C07DA617F6170FAFFFFEC00000003000000020000FF00002700000100039161000001FF00000000000000000000000040348034903422004BFE400131003600450044083C083C0840083808380838084BFE000000000000000000000000914F2AB0
1319 57.9148      ACK from FLYC   [03](0) to BATTERY[11](0) CMDset: LOG/MON [14]      CMDID[14]: DLog Battery Data [34]  SQ: 13140  ACK: No ACK (0)  Len: 17 55110492030B5433800E22000088132625
1320 57.9348      Req from FLYC   [03](0) to BATTERY[11](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ: 57163  ACK: ACK    (2)  Len: 14 550E0466030B4BDF400D1900A8BC
1321 57.9375      ACK from BATTERY[11](0) to FLYC   [03](0) CMDset: SBATTERY[13]      CMDID[13]: BATT PING 1 [25]        SQ: 57163  ACK: No ACK (0)  Len: 14 550E04660B034BDF800D19002174


There is still a loop with a duration of 1 second that starts/ends by getting some battery information (GetPushDynamicData[02]) and cell voltages (GetPushCellVoltage[03]). But now the Log/Mon (CmdSet 14) request DLog Battery Data (CmdID 34) comes into play. This change happens about 56 seconds after turning on the drone. There are basically two versions of this request sent from the battery to the FLYC, and they seem to alternate. The data field of the first starts with "8913" and the drone acknowledges it with "00008913", whereas the data field of the second starts with "8813" and the drone acknowledges it with "00008813". Both contain information about the battery status, but differ a little. Interestingly, much of this information is already transmitted to the drone in the responses to [CmdSet 13, CmdID 2] and [CmdSet 13, CmdID 3]. I will say something later about the content of these DUML messages and how to interpret them.

Sometimes the battery seems to think that it is a good idea to request some devices to restart. In this case [CmdSet 0, CmdID 11] (RestartDevice) is used with the data field "0002000000000000000000000000" (e.g. 551B04750B286C3940000B000200000000000000000000000088C2). The devices acknowledge with "00".
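As an added example (my own code, not the author's and not taken from any of the linked projects), here is a small parser for the DUML frames shown in the capture above and in the RestartDevice example: the field layout and the CRC parameters (CRC-8 with seed 0x77, CRC-16 with seed 0x3692, both LSB-first) are the ones documented by the open-source dissectors linked earlier. Checking both checksums and the length field before trusting a frame is what a replacement battery controller should do before acting on anything it receives.

```python
# Added example, not the project's or the author's code: a minimal parser for the
# DUML v1 frames captured above. Field layout and CRC parameters follow the
# open-source dissectors linked earlier (dji-firmware-tools, margerine packer.js).
import struct


def _crc(data: bytes, crc: int, poly: int) -> int:
    """Reflected (LSB-first) CRC; both DUML checksums have this shape."""
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
    return crc


def crc8(data: bytes) -> int:   # header checksum: seed 0x77, poly 0x8C
    return _crc(data, 0x77, 0x8C)


def crc16(data: bytes) -> int:  # frame checksum: seed 0x3692, poly 0x8408
    return _crc(data, 0x3692, 0x8408)


def parse_duml(hexstr: str) -> dict:
    raw = bytes.fromhex(hexstr)
    if raw[0] != 0x55:
        raise ValueError("missing 0x55 start byte")
    # bytes 1-2: 10-bit frame length (little endian), 6-bit version on top
    length = raw[1] | ((raw[2] & 0x03) << 8)
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes")
    if crc8(raw[:3]) != raw[3]:
        raise ValueError("header CRC8 mismatch")
    if crc16(raw[:-2]) != struct.unpack("<H", raw[-2:])[0]:
        raise ValueError("frame CRC16 mismatch")
    flags = raw[8]  # bit 7: 0 = request, 1 = ACK; bits 5-6: ack type
    return {
        "sender": (raw[4] & 0x1F, raw[4] >> 5),     # (device type, index)
        "receiver": (raw[5] & 0x1F, raw[5] >> 5),
        "seq": struct.unpack("<H", raw[6:8])[0],
        "is_ack": bool(flags & 0x80),
        "ack_type": (flags >> 5) & 0x03,
        "cmd_set": raw[9],
        "cmd_id": raw[10],
        "payload": raw[11:-2].hex().upper(),        # data field as hex
    }


# Frames copied from the capture (BATT PING 1 request) and the RestartDevice example
PING1_REQ = "550E0466030B64D6400D19002555"
RESTART_REQ = "551B04750B286C3940000B000200000000000000000000000088C2"

if __name__ == "__main__":
    print(parse_duml(PING1_REQ), parse_duml(RESTART_REQ), sep="\n")
```

The sender/receiver tuples map directly onto the dissector's "FLYC [03](0)" and "BATTERY[11](0)" notation, and a frame with a flipped byte is rejected by the CRC-16 check instead of being decoded.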

There are some events that only occur once during the "initialization phase":

The first two steps are the same for each authentication. Therefore, and based on the content of the data fields, I think the drone first requests authentication from the battery, which confirms this. Then the drone requests more information about the battery. If you interpret the bytes of the battery response as characters, you will find the serial number of the battery along with a lot of "crap" within the answer.

I think the unique data in the third request to the battery is part of some kind of handshake. The battery acknowledges the reception of this and responds with the unique answer after the drone asks for it in the fourth request.

I have no clue how this handshake works or how to create a correct response to the drone's request. But if the authentication fails, the drone goes into "error mode": it starts to blink red, will not start the motors, and the goggles show "battery communication error".

Later I will tell you why this doesn't have to be a deal breaker. But first, some more information about commands that only occur during the "initialization" phase.




Finally, coming to the point: The important commands...

It seems Hackaday has a text limit for the logs. So I have to get to the point in another log...
