EEVblog Electronics Community Forum
Electronics => Projects, Designs, and Technical Stuff => Topic started by: omeriko9 on July 20, 2015, 10:07:46 pm
-
Hello everybody! My first time here :)
EE & hardware reversing is a major hobby of mine. After many hours of EEVblog videos, I've found myself wandering around this forum's pages, and thought it might be a great place to try to get some help from you guys.
For a couple of weeks now, I've been struggling to replicate a cheap quadcopter's remote control (several models, actually), by using an Arduino Nano with NRF24L01. I have experience with this configuration and have done a couple of projects using this nice 2.4GHz transceiver. So I've used a Saleae 4-channel logic analyzer to sniff the SPI bus from the RC's MCU to the BK2423 (NRF24 air-compatible).
I've figured out most of the initialization, channels and address settings, by carefully following the BK2423 specs, yet I've failed every time :\ After many weeks of trying different commands/timings, I've come to the stage where I make the NRF24 replicate the exact same messages (channel changes, payload changes, addresses, timings), but the quadcopter simply won't bind or respond...
I've uploaded my question to http://reverseengineering.stackexchange.com/questions/9331/reversing-a-2-4ghz-quadcopter-remote-control with all the links and pictures, got some leads, but no solution.
Anyone here with some experience replicating RC? What might I be missing here?...
-
What might I be missing here?...
http://www.rcgroups.com/radios-135/
-
..but how does this module bind to your quadcopter?
-
..but how does this module bind to your quadcopter?
Well, what I have discovered is that, surprisingly, the remote control does not listen to the quadcopter at all! Not even on the interrupt channel. The remote control broadcasts its messages to the air, and when the quadcopter finds something he likes, he happily binds and responds to the RC commands.
I have all the commands parsed, and I'm sending the same, but it still won't respond.
What might I be missing here?...
http://www.rcgroups.com/radios-135/
Yeah, I had a dilemma about posting here. It's not a pure "This low pass filter cutoff mismatches the spec of this capacitor with values bla bla" analog circuit question. Unfortunately I am not trying to replicate one of the well-branded RC models, but a cheap Chinese one, which makes this project more of a reversing signal process.
I would still much appreciate anyone with tips or experience with this matter.
-
I was thinking about doing something similar with the A7105 Hubsan X4 protocol, I've no idea if this is feasible or if I have the necessary skills......
However, I did find this post which goes into some depth about the binding process, it's not exactly what you're looking for, but it may be of some help.....
http://www.rcgroups.com/forums/showthread.php?t=1773853
Steve.
-
I'm not sure I understand. The RC stuff uses specific protocols like DSM2 with spread spectrum. It just happens to be on 2.4GHz. That's why they use spread spectrum, so they can use unlicensed spectrum and cohabitate nicely.
If your 2.4GHz module isn't designed for that, how can it work? It's not enough to just send out at 2.4GHz, IMO. Each DSM transmitter has its own UID so the quadcopter can remember what it's bound with.
Your module looks like a high bandwidth data sender-outer. A RC radio even for a quadcopter just spits out 60 frames a second of very simple data.
Are you sure it even has enough range? I've flown quads out of sight...
https://en.wikipedia.org/wiki/Radio-controlled_helicopter
under "Spread spectrum"
I didn't see anything resembling that in the NRF24L01 description. I'd buy a DSM2 module and play with that.
-
OP said the RC protocol in use is compatible with the NRF24 - I'm guessing it's one of those toy indoors nano size quads from China, so not the same as standard RC gear.
BK2423 (NRF24 air-compatible)
If you have access to an SA you could compare the RF protocol between the two.
Also, stating the obvious, but that page you pointed to has an update with NRF24 code: https://dl.dropboxusercontent.com/u/2248531/blog/nfr24L01_mod.zip
-
I'm guessing it's one of those toy indoors nano size quads from China, so not the same as standard RC gear.
Exactly.
The Arduino code that guy posted is pretty much useless as I've discovered that each remote uses a different set of predefined assumptions. Some of them actually perform binding and listen to Rx and some just assume the drone will bind without verifying.
I have no access to a spectrum analyzer or other fancy equipment, just the logic analyzer, but I did order a couple of BK2423 just to make sure that's not the issue. Other than replication of the exact commands I'm pretty lost on what to check next...
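
Added example, not part of the thread or any poster's code: with only a logic analyzer available, one way to check "exact replication" is to decode both SPI captures (the original remote's MCU to the BK2423, and the Arduino to the NRF24L01) into nRF24L01 commands and find the first state-changing operation that differs. The two captures below are constructed sample data, one chip-select frame of MOSI bytes per line; the function names are hypothetical, and the command and register codes are the standard nRF24L01 ones.

```python
# Added example: decode nRF24L01-style SPI frames and diff two captures.
REGS = {0x00: "CONFIG", 0x01: "EN_AA", 0x02: "EN_RXADDR", 0x03: "SETUP_AW",
        0x04: "SETUP_RETR", 0x05: "RF_CH", 0x06: "RF_SETUP", 0x07: "STATUS",
        0x0A: "RX_ADDR_P0", 0x10: "TX_ADDR", 0x11: "RX_PW_P0",
        0x1C: "DYNPD", 0x1D: "FEATURE"}
CMDS = {0x61: "R_RX_PAYLOAD", 0xA0: "W_TX_PAYLOAD", 0xE1: "FLUSH_TX",
        0xE2: "FLUSH_RX", 0xE3: "REUSE_TX_PL", 0x50: "ACTIVATE", 0xFF: "NOP"}

def decode(frame):
    """Decode one chip-select frame (MOSI bytes) into (operation, data)."""
    if not frame:
        raise ValueError("empty SPI frame")
    cmd, data = frame[0], bytes(frame[1:])
    if cmd in CMDS:
        return CMDS[cmd], data
    kind = cmd >> 5                      # 0 = R_REGISTER, 1 = W_REGISTER
    if kind in (0, 1):
        reg = cmd & 0x1F
        name = REGS.get(reg, "REG_0x%02X" % reg)
        # MOSI bytes after a register read are dummies, so they are dropped.
        return ("W " if kind else "R ") + name, data if kind else b""
    return "UNKNOWN_0x%02X" % cmd, data

def parse_capture(text):
    """One frame per line, bytes as hex (e.g. a hand-cleaned analyzer export)."""
    return [bytes.fromhex(line) for line in text.splitlines() if line.strip()]

def writes(frames):
    """Keep state-changing operations; register reads and NOP polls are dropped."""
    ops = [decode(f) for f in frames]
    return [(op, d) for op, d in ops if not op.startswith("R ") and op != "NOP"]

def first_divergence(ref_frames, clone_frames):
    """(index, ref_op, clone_op) of the first differing write, or None."""
    a, b = writes(ref_frames), writes(clone_frames)
    for i in range(max(len(a), len(b))):
        x = a[i] if i < len(a) else None
        y = b[i] if i < len(b) else None
        if x != y:
            return i, x, y
    return None

# Constructed sample captures (not taken from the thread).
REF = parse_capture("20 0E\n21 00\n23 03\n30 A1 B2 C3 D4 E5\n50 73\n"
                    "26 07\n25 28\n07 00\nE1\nA0 01 02 03 04")
CLONE = parse_capture("20 0E\n21 00\n23 03\n30 A1 B2 C3 D4 E5\n"
                      "26 07\n25 28\nFF\nE1\nA0 01 02 03 04")

if __name__ == "__main__":
    print(first_divergence(REF, CLONE))
```

Polling reads and NOPs are ignored on purpose, since their count depends on timing; only writes, payloads and commands such as ACTIVATE change what the radio puts on air.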