The DJI Assistant PC application and the FC communicate over the USB VCP, the PC application sends commands to FC which then responds. The commands and response packets take the form:
55 AA 55 AA LL LL 00 00 00 CC CC ...... CR CR
Where:
55 AA 55 AA - Fixed, four byte start of packet
LL - 16 bit little endian, the length of the packet excluding the four byte start of packet
CC 16 bit little endian, the identity of the command (or response)
CR 16 bit little endian, the CRC of the packet excluding the start of packet
The commands and their responses are identified by a 16 bit number, typically the response identity is the command identity + 1. For example, the Poll command identity is 0x0101 and the response identity is 0x0102
The DJI bootloader offers very few commands but the applications support a very large number. I don't intend to document all of them but instead offer a few of the more interesting commands and their responses here
Poll (Command 0x0101, response 0x0102) The response contains the ten digit serial number and the four byte 'device version' mentioned in the previous post. If the DJI bootloader is being polled then the four bytes contain 0x00000060
Fetch License (Command 0x25C, response 0x25D) The response contains the ten digit serial number, the 32 ASCII characters representing the MD5 digest of the license file and the 16 license flags, also expressed as ASCII chars 0 or 1 (both of these are described in the previous post)
Write License (Command 0x25E, response TBD) TBD
Reset Attempt Counter (Command 0x0260, no response) This command resets the 'serial number attempt counter' to 30. This counter is decremented by one if an invalid md5 hash is sent to the FC
As mentioned previously, the CRC used is the CRC-ITU 16 bit CRC, there is a slight twist here however. The seed used when calculating the CRC changes depending on the FC type. So far I have found the following:
Model | Seed |
Naza M Lite | 0x1012 |
Phantom 2 V+ | 0x1013 |
Naza M V2 | 0x7000 |
Discussions
Become a Hackaday.io Member
Create an account to leave a comment. Already have an account? Log In.
Hi my friend !
I am working an NAZA BTU frames sended by the NM Assistant (on Ios).
I can see the dump frames with WireShark and the Adafruit BLE sniffer.
I confirm this frames on the bus-can (arduino + Pawlesky libraries).
The frames are the same as you describe in your post.
My problem is the CRC... I have download and tried your python routines.
But i find not the good CRC value ! I can send you dump if you want.
What tools ar you using for find CRC models ?
Best regard, Philippe
Are you sure? yes | no