Welcome to our Community
Wanting to join the rest of our members? Feel free to sign up today.
Sign up

Wifi modifications?

flyingblind

Well-known member
Joined
Feb 11, 2024
Messages
47
Reaction score
10
Location
Earth
Has anybody played around with the Bebop 2 Broadcom wifi radio? Like removing the bandwidth cap and increasing the channel width to 40mhz to increase throughput?
 
I found some commands that others might find useful. The Bebop 2 and the Skycontroller 2 use the same wifi chipset - Broadcom BCM43526. All of these commands are for 2.4ghz. You have to take the wifi adapter offline for most commands to work, this can be done with a script. The settings do not persist after a restart, this also can be done with a script (example below). The Bebop 2 also supports WDS bridging if you want to connect another router to it.


#1: Put the network adapter offline or online: bcmwl down / bcmwl up

#2: Change the transmit power: bcmwl txpwr1 -d powerindB
Note: Power is already set at its limit of 31.75dB (1496 mW). You can lower it to 20dB if you want to install an amp

#3: Enable frame burst (not enabled by default): bcmwl frameburst 1

#4: Change country code: bcmwl country 2digitcountrycode

#5: Display what channels are in your country: bcmwl channels

#6: View the current channel: bcmwl channel

#7: Change the channel (requires the adapter to be down): bcmwl chanspec 1-13

#8: Remove the bandwidth cap (allows for 40mhz channel width): bcmwl bw_cap 2g 0xff
Note: Increasing the channel width increases interference

#9: Set the channel to channel 3 and 2.4ghz channel width to 40mhz: bcmwl chanspec -c 3 -b 2 -w 40 -s 1

#10: Set the MCS rate to 7 with 40mhz channel width: bcmwl 2g_rate -h 7 -b 40

#11: Set the MCS rate to 7 and bandwidth to 20mhz channel width: bcmwl 2g_rate -h 7 -b 20

#12: Configure rateset so all rates are basic and allow MCS 15 (dual spacial streams): bcmwl rateset all

#13: Set the MCS rate to its highest with 20mhz channel width: bcmwl 2g_rate -h 15 -b 20
Note: MCS 15 gives you two spacial streams whereas MCS 7 only gives you one.

#14: Lock the 2.4ghz band. Necessary to enable some settings: bcmwl band b

#15: Restart the driver: bcmwl restart

#16: Display connected devices (stations): bcmwl assoclist

#17: Enable WDS bridging: bcmwl lazywds 1


A simple script to set the country to FR and the channel to 11 with MCS 7 and a 20mhz channel width:


Code:
#!/bin/sh

#take the network adapter offline
bcmwl down

#restart the driver
bcmwl restart

#set country code
bcmwl country FR

#lock 2ghz band b or 5ghz band a
bcmwl band b

#set the channel and channel width
bcmwl chanspec 11/20

#set 2g MCS rate. and bandwidth for 20mhz width
bcmwl 2g_rate -h 7 -b 20

#bring the network adapter back online
bcmwl up

exit 0
 
Last edited:
As an added bonus, here's how to change the color of the LED on the SkyController 2. Also includes battery information and setting axis threshholds. You can connect to the SkyController 2 with an asix 10/100 ethernet adapter plugged into the USB port then use adb (Android Debugging Tool) to establish a connection.

adb connect 192.168.53.1:9050
adb she
ll

#change LED colors or get battery information
/usr/bin/mpp_bb_cli <action> <argument>

Actions :
off : turn the led off
on <color> : turn the led on
blink <color1> <color2> <period> <cycle> : blink the led
th_set <axis> <th> : set axis threshold
th_del <axis> : delete axis threshold
stayon <flag> : stay on
autoreboot <flag> : auto reboot
bat : get battery information
raw <flag> : enable/disable raw mode

Arguments :
0 <= color <= 9
0 <= duty cycle <= 100
0 <= axis_nb <= 4
1 <= threshold <= 100
period in ms
flag 0 or 1
 
Last edited:
Increase throughput by ~40% while still using 20mhz channel width and 1 spacial stream (the defaults).

Code:
#!/bin/sh

#take the network adapter offline
bcmwl down

#restart the driver
bcmwl restart

#set country code - US has the highest txpwr
bcmwl country US

#enable frameburst - disabled by default
bcmwl frameburst 1

#mpc - minimum power consumption - enabled by default
bcmwl mpc 0

#lock 2ghz band b or 5ghz band a
bcmwl band b

#set bandwidth cap. 0x3 is 20/40mhz - 0xff is unrestricted
bcmwl bw_cap 2g 0x3

#set all rates to basic and allow MCS 7-15 
bcmwl rateset all

#set 2g rate MCS 7 and bandwidth for 20mhz channel width
bcmwl 2g_rate -h 7 -b 20
bcmwl 2g_mrate -h 7 -b 20

#set the channel and channel width
bcmwl chanspec 3/20

#bring the network adapter back up
bcmwl up


exit 0
 
Last edited:
Bebops and sc2 are vulnerable to wifi deauth attack so dont use them.

No way to enable PMF

Thank you, I'm aware PMF (mfp_config) isn't supported.
It's not going to keep me from flying, the likelihood of someone using a handheld deauther or Kali attack while in close enough proximity to me or the drone is really low. Handheld deauthers have terrible antennas and transmission distance. Someone with a Kali box might have better success with an amp and a large antenna. But I ask you, how many people do you know with that kind of a setup? That happens to be near where you're flying when you're flying? That isn't visible because, you know, drone..
It's a 9 year old drone.. with a 15 year old security vulnerability that isn't patched in a vast majority of 2.4ghz products. (ring doorbell security cameras don't support PMF..)
imo security through obscurity.
 
Last edited:
You have not done any bebop flying in heavy urban environments, try that and it will change your mind about continuing to use those drones. There are a myriad of problems you can run into.
 
You have not done any bebop flying in heavy urban environments, try that and it will change your mind about continuing to use those drones. There are a myriad of problems you can run into.

It's an old drone, I expect there to be some issues. All drones have issues in a densely populated urban environment... I can only get ~1200ft flight distance out of my DJI mini 2 (flying from the ground) whereas I'm able to only get 800-1000ft with the Bebop 2. I've had decent luck so far with manually changing channels to one's that aren't in use/have little traffic. Also turning off my phone's wifi after establishing a connection to the drone and using the controller's connection to the drone.
 
In order to make some changes to flight behavior, camera, etc. a service called dragon-prog needs to be shut down then restarted with whatever parameters you've chosen to implement. The Bebop Hacking Guide shows a way to shut down the dragon-prog service that requires you to locate the unique PID number of the service.

Instead, you can shut down dragon-prog via a single command that doesn't require you to locate the PID. You can then restart dragon-prog with the parameters you've chosen (detailed in the Bebop Hacking Guide).

Code:
dragon_ipc.sh dragon_shutdown
 
Last edited:

New Posts

Members online

No members online now.

Forum statistics

Threads
5,329
Messages
45,252
Members
8,073
Latest member
ScoopHunter