The DJI Assistant PC application and the FC communicate over the USB VCP, the PC application sends commands to FC which then responds. The commands and response packets take the form:

55 AA 55 AA LL LL 00 00 00 CC CC ...... CR CR

Where:

55 AA 55 AA - Fixed, four byte start of packet

LL - 16 bit little endian, the length of the packet excluding the four byte start of packet

CC 16 bit little endian, the identity of the command (or response)

CR 16 bit little endian, the CRC of the packet excluding the start of packet

The commands and their responses are identified by a 16 bit number, typically the response identity is the command identity + 1. For example, the Poll command identity is 0x0101 and the response identity is 0x0102

The DJI bootloader offers very few commands but the applications support a very large number. I don't intend to document all of them but instead offer a few of the more interesting commands and their responses here

Poll (Command 0x0101, response 0x0102) The response contains the ten digit serial number and the four byte 'device version' mentioned in the previous post. If the DJI bootloader is being polled then the four bytes contain 0x00000060

Fetch License (Command 0x25C, response 0x25D) The response contains the ten digit serial number, the 32 ASCII characters representing the MD5 digest of the license file and the 16 license flags, also expressed as ASCII chars 0 or 1 (both of these are described in the previous post)

Write License (Command 0x25E, response TBD) TBD

Reset Attempt Counter (Command 0x0260, no response) This command resets the 'serial number attempt counter' to 30. This counter is decremented by one if an invalid md5 hash is sent to the FC

As mentioned previously, the CRC used is the CRC-ITU 16 bit CRC, there is a slight twist here however. The seed used when calculating the CRC changes depending on the FC type. So far I have found the following: