5

I am trying to reverse engineer some data received over serial port.

The hardware sending the data consists of a gps, compass and a power monitoring unit (which sends information about the battery).

I received three types of messages of varying length. These are given below:

55 BB 55 BB 33 00 E7 29 B4 BD D7 82 61 39 23 C4 04 74 04 38 6B 02 12 8E 8D F3 E3 D7 4B 59 91 9C 01 98 0F C5 43 95 D2 03 D2 CC 4B B1 9A A2 54 8C 99 4A 00 DD 02 AB CD 

55 BB 55 BB 38 00 85 1F EA BD DE D0 87 7F 14 9A 5C 46 78 7A D1 E7 29 56 2E 7D F9 A9 FF DE E4 6C F2 F5 26 0D EF CD 6A ED B0 28 1D 9E DB 9D 8E BA 5F 58 26 3F B3 DD 03 00 A6 73 AB CD

55 BB 55 BB 24 00 F3 8B FD F6 BF D0 B0 06 05 8D 7C 40 19 CF 29 72 0E 88 B5 0F 4E 56 67 1C 56 AE F8 A3 01 00 DE 05 AB CD

What i have understood so far is:

  1. Each message starts with 55 BB 55 BB which i assume is the Message Header.

  2. The field (byte 5) is the length of the message from 5th till the last byte.

  3. It is then followed by 00 which might mark the start of payload.

  4. The last two bytes are always AB CD which might be a trailing header.

  5. The fourth last and third last bytes might be checksum for the message.

  6. The fifth last byte is always zero which might indicate the end of payload.

The checksum is obtained by using The 8-bit Fletcher Checksum Algorithm described in the TCP alternate checksum options document (rfc1145).

The data in the payload doesn't make sense. I have to figure out the order as well any encryption that might be occurring. It seems as they are Xoring the data and the Xor mask changes everytime. But they are sending the Xor mask in the data. I tried Xoring the whole string with each byte but couldn't obtain something similar to known values for Lat/Long.

Can somebody provide some guidance on how should i proceed?

Some work has been done here before. Rcgroups Post#15

Here is a rft file containing the rest of the data. 4shared Link RTF File

Majid Khan
  • 59
  • 1
  • You may be interested by this question: What is the most efficient way to detect and to break xor encryption? – perror Dec 10 '13 at 16:14
  • Do you know what kind of GPS is in the unit? I know quite a bit about several several GPS protocols I might be able to help. If it is an older GPS chances are it could be encoded in a non standard floating point format such as VAX Double or CAPS 48bit floats etc... – cb88 Dec 17 '13 at 23:23
  • What exactly is open? There's lot of work done in http://www.rcgroups.com/forums/showpost.php?p=26248426&postcount=62 – Thomas Weller Dec 20 '13 at 13:00
  • Can you tell the lat and long that you would expect to appear somewhere in the sample? Also, can you share the rest of the data in some format that isn't Windows only? Some of use use other operating systems. Also, if it's really RTF, a much easier format for automated processing would be plain text or plain binary. – Edward Jan 08 '14 at 03:13
  • I will share the details soon. Thanks for the support @Edward – Majid Khan Jan 08 '14 at 05:32
  • @cb88 No label on GPS. It has a battery backup, and appears to be using ublox neo GPS module. The entire GPS setup is driven by an Atmel SAM3 Cortex-M3 processor. http://www.rcgroups.com/forums/showthread.php?t=1510587 – Majid Khan Jan 08 '14 at 05:39
  • It's always easiest to look at how other code is already doing it if you can. – offbyseveral Jun 26 '14 at 22:34
  • Did you successfully make it? I am doing this stuff thesedays as well. From DJI data link to PC. Have any advice? Thx –  Apr 11 '15 at 14:37
  • @SungwookJung No i didn't pursue it further. If you wish, we could start together. – Majid Khan Apr 29 '15 at 06:55
  • You should read this thread: http://www.phantompilots.com/threads/lightbridge-firmware-hack.77073/ I found some magic sequence that may help you, you can find them on the thread. I found the same protocol on DJI Lightbridge, and i would like to know where it comes from. – Gaucho May 05 '16 at 18:36

0 Answers0