Examining DJI Mavic Air battery

I surprised myself with the drone named in the title. I’m really enjoying flying this drone because I’ve always wanted to have some kind of device that can fly and the onboard 4K camera takes it to a whole new level.
The batteries are not simple enclosures filled with toxic material with two contacts; they are called Intelligent Flight Batteries. We shouldn’t mystify them, because each one is only a combination of a 2375mAh LiPo S3 battery and a microcontroller with a few other parts. I bought the Fly More Combo with three batteries. Before the first flight I updated the firmware and it flew really nicely with the first battery. However, when I used the other two, the charge dropped from about 60% to 0% and I had to land the drone. Fortunately it didn’t cause any problem, because for the very first drone flight of my life I had chosen a large open area.
At first I thought it was because of the cold weather. I had watched about 250 drone tutorials before, and they said that batteries don’t really like lower temperatures. A few days later I flew again and there was not a single issue, even though the weather was at least as cold as before.
Currently my best guess is that the first battery had the up-to-date firmware at the first flight, because I used that battery during the firmware upgrade and I did a complete restart after the upgrade. The other two batteries were just inserted into the drone and it was in the air after 10 seconds.

Logs

I wanted to get the logs about this issue. The DJI Assistant 2 software is supposed to do this, but in the case of the Mavic Air it only offered an option to encrypt the log files and maybe (?) send them to the manufacturer.
This did not stop me: I sniffed the USB communication and caught strings like this:

[L-BATTERY]battery app version: 1.72.4.3

Unfortunately I was not able to get any information about the issue, but I found an XML file that describes the firmware.

<dji>
    <device id="wm230">
        <firmware formal="01.00.0500">
            <release version="01.00.0500" antirollback="3" antirollback_ext="cn:3" enforce="0" enforce_ext="cn:0" enforce_time="2018-09-25T02:21:09+00:00" from="2018/09/25" expire="2019/09/25">
                <module id="0400" version="00.01.06.65" type="" group="ac" order="0" wait="0" size="328384" md5="fffd295d1ee001d66ac18aafc9fed449">wm230_0400_v00.01.06.65_20180312.pro.fw.sig</module>
                <module id="1200" version="01.02.01.01" type="" group="ac" order="0" wait="0" size="27648" md5="1f4c44446003b7d1a2bc6902e132b3b3">wm230_1200_v01.02.01.01_20171207.pro.fw.sig</module>
                <module id="1201" version="01.02.01.01" type="" group="ac" order="0" wait="0" size="27648" md5="f90c263fc8d877007f7e6731237ec9d2">wm230_1201_v01.02.01.01_20171207.pro.fw.sig</module>
                <module id="1202" version="01.02.01.01" type="" group="ac" order="0" wait="0" size="27648" md5="218e463179fe0d9c565a48371cf988de">wm230_1202_v01.02.01.01_20171207.pro.fw.sig</module>
                <module id="1203" version="01.02.01.01" type="" group="ac" order="0" wait="0" size="27648" md5="af4eb2c7826016ff2997acb9647dcf2d">wm230_1203_v01.02.01.01_20171207.pro.fw.sig</module>
                <module id="1100" version="01.72.04.03" type="" group="ac" order="0" wait="1" size="89696" md5="cbca04b0bb70ce50633b18f4ec1cec4b">wm230_1100_v01.72.04.03_20180212.pro.fw.sig</module>
                <module id="0801" version="10.00.13.03" type="" group="ac" order="1" wait="0" size="127789600" md5="81b42b42c27fbb6f3740ba74ddb65426">wm230_0801_v10.00.13.03_20180920.pro.fw.sig</module>
            </release>
        </firmware>
    </device>
</dji>

This can also be found in the firmware package, but at this point I was not familiar with the forums from where you can download these packages. Anyway, we can see that the module with the id of 1100 has the same version that I found in the log, so this must be the firmware of the battery. The interesting part of this is the wait="1" attribute. I suspect that this indicates the necessity of a restart after the upgrade. The firmware itself is encrypted and the current private key is not yet leaked.
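The manifest can be read mechanically. The following is an added example, not code from the original post: it parses a manifest of this shape, lists the modules flagged with wait="1", matches a sniffed log version string to a module id, and checks a downloaded file against the listed size and md5. The two-module manifest, payload bytes and file names in it are constructed, and all function names are hypothetical.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

def version_key(text):
    """'01.72.04.03' and '1.72.4.3' both become (1, 72, 4, 3)."""
    return tuple(int(part) for part in text.split("."))

def parse_manifest(xml_text):
    """Return one dict per <module> with the fields used for checks."""
    return [{
        "id": m.get("id"),
        "version": version_key(m.get("version")),
        "size": int(m.get("size")),
        "md5": m.get("md5").lower(),
        "wait": m.get("wait") == "1",
        "file": (m.text or "").strip(),
    } for m in ET.fromstring(xml_text).iter("module")]

def check_file(module, data):
    """Compare a downloaded module file against its manifest entry."""
    problems = []
    if len(data) != module["size"]:
        problems.append("size %d != %d" % (len(data), module["size"]))
    if hashlib.md5(data).hexdigest() != module["md5"]:
        problems.append("md5 mismatch")
    return problems

def modules_for_log_line(line, modules):
    """Map a log line such as '... version: 1.72.4.3' to module ids."""
    found = re.search(r"version:\s*(\d+(?:\.\d+)+)", line)
    if not found:
        return []
    wanted = version_key(found.group(1))
    return [m["id"] for m in modules if m["version"] == wanted]

# Constructed sample: the payload is made up; size and md5 are derived from it.
PAYLOAD = b"constructed stand-in for a .fw.sig file"
SAMPLE = (
    '<dji><device id="wm230"><firmware formal="01.00.0500"><release version="01.00.0500">'
    '<module id="1100" version="01.72.04.03" wait="1" size="%d" md5="%s">sample_1100.fw.sig</module>'
    '<module id="1200" version="01.02.01.01" wait="0" size="1" md5="00">sample_1200.fw.sig</module>'
    '</release></firmware></device></dji>'
) % (len(PAYLOAD), hashlib.md5(PAYLOAD).hexdigest())

if __name__ == "__main__":
    mods = parse_manifest(SAMPLE)
    print(modules_for_log_line("[L-BATTERY]battery app version: 1.72.4.3", mods))
    print([m["id"] for m in mods if m["wait"]], check_file(mods[0], PAYLOAD))
```

The md5 and size fields only catch a truncated or corrupted download. MD5 is not collision resistant, so a match says nothing about who produced the file.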

Sniffing battery communication

Wires for measurement on the battery

I was wondering what details can be extracted from the battery, and in case of a future firmware upgrade I would be able to record the firmware upgrade process and maybe the decrypted firmware too. The battery has 10 pins. Four of them have longer contacts, so my guess was that they are the ground pins. I was right. The other four on the opposite end were the positive contacts. This left me with the two middle ones as the pins for communication. I measured them with an oscilloscope and it turned out that it’s a 100kHz, 3.3V open-drain signal, so it must be an I2C signal.

I did further measurements using a logic analyzer. Currently I can see that the battery’s I2C address is 0x16 and I know the register addresses of a few registers with known values (i.e. serial number, version).
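How a logic-analyzer trace turns into an address such as 0x16, shown as an added example that is not part of the original post. It decodes START, STOP, bytes and ACK bits from sampled SCL/SDA levels and lists both common readings of a reported address, since the post does not say whether 0x16 is the 7-bit address or the 8-bit byte seen on the wire. The capture is constructed, the register byte 0x00 is a placeholder, and the function names are hypothetical.

```python
def decode_i2c(samples):
    """samples: list of (scl, sda) levels; returns transactions as lists of (byte, acked)."""
    transactions, bits, current = [], [], None
    prev_scl, prev_sda = samples[0]
    for scl, sda in samples[1:]:
        if prev_scl and scl and prev_sda and not sda:        # START (or repeated START)
            current, bits = (current or []), []
        elif prev_scl and scl and not prev_sda and sda:      # STOP
            if current is not None:
                transactions.append(current)
            current = None
        elif not prev_scl and scl and current is not None:   # rising SCL: sample SDA
            bits.append(sda)
            if len(bits) == 9:                               # 8 data bits + ACK slot
                byte = int("".join(str(b) for b in bits[:8]), 2)
                current.append((byte, bits[8] == 0))         # ACK is SDA held low
                bits = []
        prev_scl, prev_sda = scl, sda
    return transactions

def interpretations(reported):
    """The two common meanings of an address value shown by a tool."""
    return {
        "as_8bit_write_byte": {"addr7": reported >> 1,
                               "wire": (reported & 0xFE, reported | 1)},
        "as_7bit_address": {"addr7": reported,
                            "wire": (reported << 1, (reported << 1) | 1)},
    }

def make_capture(data_bytes, acks):
    """Constructed capture of one transaction: idle, START, bytes, STOP."""
    s = [(1, 1), (1, 0), (0, 0)]                 # idle, START, clock pulled low
    for byte, ack in zip(data_bytes, acks):
        frame = [(byte >> i) & 1 for i in range(7, -1, -1)] + [0 if ack else 1]
        for bit in frame:
            s += [(0, bit), (1, bit), (0, bit)]  # SDA only changes while SCL is low
    return s + [(0, 0), (1, 0), (1, 1)]          # STOP: SDA rises while SCL is high

if __name__ == "__main__":
    # Assumption: 0x16 is the first byte on the wire; 0x00 is a placeholder register.
    for byte, acked in decode_i2c(make_capture([0x16, 0x00], [True, True]))[0]:
        print(hex(byte), "ACK" if acked else "NACK")
    print(interpretations(0x16))
```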

To be continued…
