MLINK protocol analysis, CRC ?

More
05 Dec 2013 14:09 #16296 by heligator
MLINK protocol analysis, CRC ? was created by heligator
I had a look at the MLINK protocol from Multiplex, which uses the CYRF6936 (=> no hardware change to Devo transmitters):

It uses frequency hopping over 39 channels with a hopping rate of about 160Hz. There seems a hopping table with two times 39 entries, each half has each channel only once. For further robustness it uses DSSS with 64 chip SDR rate. During binding the hopping table and the chipping code are transferred.

There are 16 servo channels available with 12 bit resolution, each stored in a 16 bit word. Packet length is fixed to 8 bytes. Unfortunaltely, CYRF6936 internal CRC generation is switched off and the last byte of each packet is a selfmade CRC.

Maybe somebody has an idea, how this CRC is calculated ? Without valid CRC, a MLINK receiver won't accept data from a Devo transmitter.

Here are some packet examples, last byte is some CRC. The hopping table index seems to be included somehow:
(all numbers in HEX)

channel 03, hopping table index 1c:
09 09 7e 08 2d 06 db 1e 

channel 03, hopping table index 2e:
09 09 7e 08 2d 06 db 6b  => same data as on index 1c, but different CRC

channel 03, hopping table index 1c:
09 09 7e 08 2d 06 db 1e  => same data and same index gives same CRC

channel 03, hopping table index 2e:
09 09 7e 08 2d 06 dc e8  => single data bit changed (db=>dc), many CRC bits changed (6b=>e8)


channel 15, hopping table index 0:
01 07 91 07 91 07 91 33 
80 07 91 07 91 07 91 99 

channel 15, hopping table index 48:
01 07 91 07 91 07 91 fe 
0a 00 00 07 91 07 91 b7 
80 07 91 07 91 07 91 54 

Packet examples during binding, which appears on channel 1. This transfer shows the hopping table starting with 15, 3b, 23, 2b, 09,...:
...
0f 05 00 00 00 00 a2 bc 
0f 06 7e 15 3b 23 2b 08 
0f 07 09 41 21 47 07 14 
0f 08 4d 09 29 1f 2d 43 
0f 09 13 47 0f 33 21 dc 
0f 0a 2f 0b 3f 11 49 fb 
0f 0b 0d 39 27 3b 03 89 
...

Please Log in or Create an account to join the conversation.

More
05 Dec 2013 14:56 - 05 Dec 2013 14:56 #16297 by FDR
Replied by FDR on topic MLINK protocol analysis, CRC ?
Jeez!
Their receivers are from 50€ to even 210€...
Last edit: 05 Dec 2013 14:56 by FDR.

Please Log in or Create an account to join the conversation.

More
05 Dec 2013 15:04 #16298 by PhracturedBlue
Replied by PhracturedBlue on topic MLINK protocol analysis, CRC ?
Do you have SPI traces?
I'm not understanding what you mean.
Where is the chipping code transferred?
What do you mean by hopping index? What is hopping...obviously not the channel, since it changes independently.
Are the channels packed, or did they just use 12 of every 16 bits?
what indicates which channel is being transmitted?
Do you known the syntax of the packet? You only have 7 bytes if the last is a CRC, so what are they?


For me to do it, I'll likely need a lot of sequential samples > 1000 channel transfers with no changes to the stick during that time. It is very difficult to reverse a CRC from sporadic samples unless the algorithm is very simple.

Since we see a different CRC for each transfer even if the values are the same, it implies that either the index is used in the calculation, or that there is a counter that is being included (basically the same thing).
It is unlikely to be an accumulated crc, since dropping a packet would screw that up. Almost every protocol has used a standard CRC (usually CRC8), but finding the values means knowing the initialization value as well as all values being CRCed.

Please Log in or Create an account to join the conversation.

More
05 Dec 2013 16:12 #16300 by heligator
Replied by heligator on topic MLINK protocol analysis, CRC ?
Hi PhracturedBlue,

yes, I had a closer look at the SPI interface using some microcontroller. ;) Attached is some data. I have already extracted TX packet data and channel changes in the .TXT file and the servo data in the CSV file.


> Where is the chipping code transferred?

It is written in the DATA_CODE_ADR register and the TX transmits it to the RX during binding. The SOP_CODE_ADR keeps the default value. Preamble is 33 33 04. MFG_ID doesn't appear in the packet data.


> What do you mean by hopping index?

The line in the channel list. Every time it hops it changes the channel (frequency). But every channel is present two times in the channel list. Btw. only odd channels from 3 to 79 are used. On each channel two or three packets are sent before hopping to the next channel.


> Are the channels packed, or did they just use 12 of every 16 bits?

They just use 12 of every 16 bits.


> what indicates which channel is being transmitted?

The first byte shows what the packet contains:
   1 2/3 4/5 6/7   => packet bytes
hex    s   s   s   => s=servo number
  01  12  10   8  
  02   -  16  14
  09  11   9   7
  0a   -  15  13
  80   6   4   2
  88   5   3   1

For this I fed in some PPM data with ascending pulse length for 16 servos. :cheer:

It is mainly the CRC thing which remains unclear. I guess that there is a counter from 0 to 77 to access the channel list (= hopping table). After this counter reaches 77, it goes back to 0 and everything repeats, including the CRC (with same counter value, same data gives same CRC). So I think this counter is included in the CRC.

If needed, I can try to get more data samples.
Attachments:

Please Log in or Create an account to join the conversation.

More
05 Dec 2013 18:32 - 05 Dec 2013 18:34 #16302 by kreidler
Replied by kreidler on topic MLINK protocol analysis, CRC ?

FDR wrote: Jeez!
Their receivers are from 50€ to even 210€...

Jepp, more expensive than an OrangeRX R615 ;) ....Every transmitter has fail-safe function. Many of them do have two receiver integrated and also many of them do have telemetry ability with MSB sensors connected (Multiplex Sensor Bus). The protocol for this sensor bus is open available on request from Multiplex. Multiplex is offering ground displays for older TX or if you wish to have a bigger display. A small BT adaptor connected to this port could be used e.g. by https://play.google.com/store/apps/details?id=de.ubitrc.souffleuse (sorry seems to be German only at the moment).

BTW: You know this: http://www.stoeckli.net/?p=37 for communication between Tx and HF?

Please continue +1
Last edit: 05 Dec 2013 18:34 by kreidler.

Please Log in or Create an account to join the conversation.

More
05 Dec 2013 20:08 - 05 Dec 2013 20:19 #16303 by PhracturedBlue
Replied by PhracturedBlue on topic MLINK protocol analysis, CRC ?
I see the modulo-78 iteration based on indices that you mentioned, and that you have the same crc for each same-packet that has the same index.

I was not able to identify anything obvious when incorporating the index into a crc8 calculation, nor via a sum or xor algorithm, but I only spent a few minutes on it so far.

Can you generate data for:
* All channels have the same value
** to see how the prefix affects the crc
* All channels have a value of '0'
** similar to above, but reducing the number of variables
* one set of channel values, and then a swapped set (for instance 1st set: s12=0x600, s10=0x400, s8=0x200, then 2nd set: s12=0x400, s10=0x600, s8=0x200)
** to see if the order of the values affects the crc

Getting ~1000 packets for each test would be great using the same syntax in your prior mail (the current data repeats modulo 218, so 500 packets is probably sufficient)
Last edit: 05 Dec 2013 20:19 by PhracturedBlue.

Please Log in or Create an account to join the conversation.

More
06 Dec 2013 17:30 #16333 by heligator
Replied by heligator on topic MLINK protocol analysis, CRC ?
I use a TX module with PPM input, so I have limited control over the servo data. Servo data seem to have values between about 700 and 3300, so I can't get zeroes. Swapping values is OK.

I have appended TXT files in same format (if this is OK) and extracted servo data in CSV format. In CSV, it is easier to see some values toggling +-1. Also included is the Perl script for extracting servo data.
Attachments:

Please Log in or Create an account to join the conversation.

More
07 Dec 2013 02:03 #16349 by PhracturedBlue
Replied by PhracturedBlue on topic MLINK protocol analysis, CRC ?
Unfortunately, the 'data-same' isn't useful because not every channel is the same. What i really want is to have only a single bit in the data-set change between adjacent packets (on the same index) so we can see how a single bit affects the result. However, data-no-ppm.txt does appear to have data that meets my needs in this regards.

What is going on in 'data-ascending.txt'? I don't see any variation (though there are a couple spurious results that look interesting)

The data-swap shows that the order is important to the calculation (so it isn't something trivial like a sum (i.e. the function is not commutative)

I'll spend some more time with your new dumps and see if anything jumps out.

Please Log in or Create an account to join the conversation.

More
07 Dec 2013 15:55 #16371 by PhracturedBlue
Replied by PhracturedBlue on topic MLINK protocol analysis, CRC ?
So here are the interesting data sets I'm focusing on:
the syntax I'm using is:
seven byte packet -- chksum (channel-channel-index)
set a single bit:
02 00 00 0c ca 0b 78 -- 24 (3b-0001)
02 00 00 0c ca 0b 79 -- 7a (3b-0001)

01 0a 27 08 d6 07 84 -- 60 (3b-0001)
11 0a 27 08 d6 07 84 -- 9b (3b-0001)

88 05 8a 04 38 02 e7 -- de (09-0004)
88 05 8a 04 39 02 e7 -- 75 (09-0004)

two bit change:
01 07 91 07 91 07 91 -- 8a (3b-0001)
80 07 91 07 91 07 91 -- 20 (3b-0001)

single digit off by one:
01 0a 27 08 d5 07 84 -- 84 (3b-0001)
01 0a 27 08 d6 07 84 -- 60 (3b-0001)

09 09 7e 08 2d 06 db -- 81 (23-0002)
09 09 7e 08 2d 06 dc -- 02 (23-0002)

01 0a 27 08 d5 07 84 -- fe (2b-0003)
01 0a 27 08 d6 07 84 -- 1a (2b-0003)

(also one bit change)
88 05 8a 04 38 02 e7 -- a4 (23-0002)
88 05 8a 04 39 02 e7 -- 0f (23-0002)

09 79 5b 58 1f 16 e2 -- ce (09-0004)
09 79 5b 58 1f 16 e3 -- 90 (09-0004)

only channel is different
01 0a 27 08 d6 07 84 -- d7 (35-0059)
01 0a 27 08 d6 07 84 -- dd (45-0067)
01 0a 27 08 d6 07 84 -- eb (29-0011)
01 0a 27 08 d6 07 84 -- ee (47-0007)
01 0a 27 08 d6 07 84 -- f0 (4d-0047)
01 0a 27 08 d6 07 84 -- f5 (37-0035)
01 0a 27 08 d6 07 84 -- fa (49-0023)
01 0a 27 08 d6 07 84 -- ff (3b-0027)

same checksum
09 07 91 07 91 07 91 -- 00 (25-0052)
09 07 d8 07 d8 07 d8 -- 00 (1d-0062)
80 07 d8 07 d9 07 d8 -- 00 (41-0005)

0a 00 00 07 91 07 91 -- 01 (31-0077) 
0a 00 00 07 d8 07 d8 -- 01 (0d-0024) 

0a 00 00 07 91 07 91 -- 0e (43-0057) 
02 00 00 07 90 07 90 -- 0e (21-0006) 

Please Log in or Create an account to join the conversation.

More
07 Dec 2013 17:11 #16377 by heligator
Replied by heligator on topic MLINK protocol analysis, CRC ?
This is some interesting data and I still don't have a clue how the checksum is calculated.

data-ascending.txt refers to servo data: On PPM input servo 1 has 1ms, servo 2 a litte more, ... up to servo 16 which has 2ms.

My timer for PPM generation is coarse. On monday I will try to use a better timer to provoke single-bit changes inside a byte, e.g. 12 => 32. For this the timer needs at least a 0.5us resolution.

Please Log in or Create an account to join the conversation.

More
09 Dec 2013 01:11 #16434 by PhracturedBlue
Replied by PhracturedBlue on topic MLINK protocol analysis, CRC ?
I spent some more time on this, and didn't make much progress. I'm not a cryptographer, so I don't really know how to go about detecting sensitivity. It could easily be something as simple as a CRC where I don't know the order that the bits are processed. Or it could be something like a pearson hash where you need to know both the order and the mapping table

We need much better constrained data I think,
For instance for a single channel-index, vary each byte from 0 to 0xff keeping all others constant. Of course this isn't actually possible given the PPM constraints, but as much as possible this is the kind of data I'd need to see dependence on each byte. We could probably eliminate some possible algorithms that way. But even with that kind of data, I'm not sure I'll be able to do much. This just isn't my area of expertise.

Please Log in or Create an account to join the conversation.

More
09 Dec 2013 04:41 - 09 Dec 2013 04:55 #16435 by PhracturedBlue
Replied by PhracturedBlue on topic MLINK protocol analysis, CRC ?
Well, I've started to find some interesting patterns:
In all of the following cases, the checksum is the same when the 1st byte is different by 8 and the channel index is different by 8:
02 00 00 07 91 07 91 -- 32 (3b-0001)
0a 00 00 07 91 07 91 -- 32 (4d-0009)

0a 00 00 07 91 07 91 -- 74 (35-0059)
02 00 00 07 91 07 91 -- 74 (43-0051)

02 00 00 07 91 07 91 -- 9a (17-0036)
0a 00 00 07 91 07 91 -- 9a (17-0044)

0a 00 00 07 91 07 91 -- bd (07-0064)
02 00 00 07 91 07 91 -- bd (0f-0056)

0a 00 00 07 91 07 91 -- c8 (19-0074)
02 00 00 07 91 07 91 -- c8 (29-0066)

02 00 00 07 91 07 91 -- d2 (3f-0021)
0a 00 00 07 91 07 91 -- d2 (41-0029)

0a 00 00 07 91 07 91 -- fb (13-0014)
02 00 00 07 91 07 91 -- fb (21-0006)

0a 00 00 07 d8 07 d8 -- 11 (35-0059)
02 00 00 07 d8 07 d8 -- 11 (43-0051)

02 00 00 07 d8 07 d8 -- 57 (3b-0001)
0a 00 00 07 d8 07 d8 -- 57 (4d-0009)

0a 00 00 07 d8 07 d8 -- 9e (13-0014)
02 00 00 07 d8 07 d8 -- 9e (21-0006)

0a 00 00 07 d8 07 d8 -- ad (19-0074)
02 00 00 07 d8 07 d8 -- ad (29-0066)

02 00 00 07 d8 07 d8 -- b7 (3f-0021)
0a 00 00 07 d8 07 d8 -- b7 (41-0029)

0a 00 00 07 d8 07 d8 -- d8 (07-0064)
02 00 00 07 d8 07 d8 -- d8 (0f-0056)

02 00 00 07 d8 07 d8 -- ff (17-0036)
0a 00 00 07 d8 07 d8 -- ff (17-0044)

Here is another data sample that correlates well with the above. the ist byte is different by 16 and the channel index is different by 16:
11 0a 27 08 d6 07 84 -- 80 (3d-0037)
01 0a 27 08 d6 07 84 -- 80 (3f-0021)

But here are 2 data sets that don't fit the above pattern:
b0 06 33 04 e1 03 90 -- 3f (47-0007)
80 06 33 04 e1 03 90 -- 3f (49-0023)

88 05 8a 04 39 02 e7 -- 81 (07-0008)
c8 05 8a 04 39 02 e7 -- 81 (15-0072)

In the following cases the checksum is the same when the 1st byte is different by 0x7f and the last byte by 1 and the channel index by 4, but there is only one data set that matches the criteria, so it isn't as indicative as the above, though it happens at many channel indices
09 07 d8 07 d8 07 d8 -- 00 (1d-0062)
88 07 d8 07 d8 07 d9 -- 00 (11-0058)

09 07 d8 07 d8 07 d8 -- 05 (13-0050)
88 07 d8 07 d8 07 d9 -- 05 (1b-0054)

09 07 d8 07 d8 07 d8 -- 0a (1b-0070)
88 07 d8 07 d8 07 d9 -- 0a (29-0066)

09 07 d8 07 d8 07 d8 -- 22 (1f-0038)
88 07 d8 07 d8 07 d9 -- 22 (05-0034)

09 07 d8 07 d8 07 d8 -- 27 (0b-0042)
88 07 d8 07 d8 07 d9 -- 27 (03-0046)

09 07 d8 07 d8 07 d8 -- 28 (0d-0030)
88 07 d8 07 d8 07 d9 -- 28 (27-0026)

09 07 d8 07 d8 07 d8 -- 2d (21-0018)
88 07 d8 07 d8 07 d9 -- 2d (11-0022)

09 07 d8 07 d8 07 d8 -- 39 (23-0002)
88 07 d8 07 d8 07 d9 -- 39 (21-0006)

09 07 d8 07 d8 07 d8 -- 3c (13-0014)
88 07 d8 07 d8 07 d9 -- 3c (09-0010)

09 07 d8 07 d8 07 d8 -- 43 (09-0004)
88 07 d8 07 d8 07 d9 -- 43 (07-0008)

09 07 d8 07 d8 07 d8 -- 46 (0f-0016)
88 07 d8 07 d8 07 d9 -- 46 (1f-0012)

09 07 d8 07 d8 07 d8 -- 52 (05-0032)
88 07 d8 07 d8 07 d9 -- 52 (03-0028)

09 07 d8 07 d8 07 d8 -- 57 (0b-0020)
88 07 d8 07 d8 07 d9 -- 57 (0d-0024)

09 07 d8 07 d8 07 d8 -- 58 (25-0040)
88 07 d8 07 d8 07 d9 -- 58 (17-0036)

09 07 d8 07 d8 07 d8 -- 5d (17-0044)
88 07 d8 07 d8 07 d9 -- 5d (19-0048)

09 07 d8 07 d8 07 d8 -- 84 (1d-0068)
88 07 d8 07 d8 07 d9 -- 84 (15-0072)

09 07 d8 07 d8 07 d8 -- 8b (0f-0056)
88 07 d8 07 d8 07 d9 -- 8b (25-0052)

09 07 d8 07 d8 07 d8 -- 8e (23-0060)
88 07 d8 07 d8 07 d9 -- 8e (07-0064)

09 07 d8 07 d8 07 d8 -- a3 (0d-0024)
88 07 d8 07 d8 07 d9 -- a3 (0b-0020)

09 07 d8 07 d8 07 d8 -- a6 (03-0028)
88 07 d8 07 d8 07 d9 -- a6 (05-0032)

09 07 d8 07 d8 07 d8 -- a9 (19-0048)
88 07 d8 07 d8 07 d9 -- a9 (17-0044)

09 07 d8 07 d8 07 d8 -- ac (17-0036)
88 07 d8 07 d8 07 d9 -- ac (25-0040)

09 07 d8 07 d8 07 d8 -- b2 (1f-0012)
88 07 d8 07 d8 07 d9 -- b2 (0f-0016)

09 07 d8 07 d8 07 d8 -- b7 (07-0008)
88 07 d8 07 d8 07 d9 -- b7 (09-0004)

09 07 d8 07 d8 07 d8 -- c8 (09-0010)
88 07 d8 07 d8 07 d9 -- c8 (13-0014)

09 07 d8 07 d8 07 d8 -- cd (21-0006)
88 07 d8 07 d8 07 d9 -- cd (23-0002)

09 07 d8 07 d8 07 d8 -- d3 (03-0046)
88 07 d8 07 d8 07 d9 -- d3 (0b-0042)

09 07 d8 07 d8 07 d8 -- d6 (05-0034)
88 07 d8 07 d8 07 d9 -- d6 (1f-0038)

09 07 d8 07 d8 07 d8 -- d9 (11-0022)
88 07 d8 07 d8 07 d9 -- d9 (21-0018)

09 07 d8 07 d8 07 d8 -- dc (27-0026)
88 07 d8 07 d8 07 d9 -- dc (0d-0030)

09 07 d8 07 d8 07 d8 -- f1 (1b-0054)
88 07 d8 07 d8 07 d9 -- f1 (13-0050)

09 07 d8 07 d8 07 d8 -- f4 (11-0058)
88 07 d8 07 d8 07 d9 -- f4 (1d-0062)

09 07 d8 07 d8 07 d8 -- fe (29-0066)
88 07 d8 07 d8 07 d9 -- fe (1b-0070)

And lastly, here are some interesting cases where the1st byte is different, and the channel id is different but the chksum is exactly one different. It may be coincidence, though the 1st and 2nd cases lead me to believe it is not:
88 07 91 07 91 07 91 -- 24 (1b-0054)
80 07 91 07 91 07 91 -- 25 (2d-0013)


88 07 91 07 91 07 91 -- 5e (0f-0056)
80 07 91 07 91 07 91 -- 5f (47-0015)

88 07 91 07 91 07 91 -- 21 (11-0058)
09 07 91 07 91 07 91 -- 22 (17-0044)

88 07 91 07 91 07 91 -- 87 (05-0032)
88 07 91 07 91 07 91 -- 88 (17-0044)
Last edit: 09 Dec 2013 04:55 by PhracturedBlue.

Please Log in or Create an account to join the conversation.

More
09 Dec 2013 19:00 - 09 Dec 2013 19:01 #16452 by heligator
Replied by heligator on topic MLINK protocol analysis, CRC ?
I have upgraded PPM input with an exact 8MHz timer and hardware-controlled PWM output. But it appears, that PPM input of the TX module isn't sampled that exact. I cannot control the least significant bit precisely and there seems a dependency betweeen the servo channels.

In the appended data, I incremented one value per line (=> servo channels 4, 5, 7 & 13) and set other set servo data to 0x0800. Maybe this helps.

Unfortunately in this data some bits are appearing wrong, especially in the first column, sorry. I'm looking for the reason. :blink:

Additionally, I have appended CYRF6936 initialisation in the style as in dsm2.c. :cheer:
Attachments:
Last edit: 09 Dec 2013 19:01 by heligator.

Please Log in or Create an account to join the conversation.

More
09 Dec 2013 19:02 - 09 Dec 2013 19:04 #16453 by heligator
Replied by heligator on topic MLINK protocol analysis, CRC ?
2nd try to append initialisazion, this time zipped.
Attachments:
Last edit: 09 Dec 2013 19:04 by heligator.

Please Log in or Create an account to join the conversation.

More
10 Dec 2013 05:24 - 10 Dec 2013 05:36 #16462 by PhracturedBlue
Replied by PhracturedBlue on topic MLINK protocol analysis, CRC ?
here is some more interesting info:
80 08 00 08 03 08 01 -- 8a (3b - 0001)
80 08 00 08 03 08 01 -- f0 (2b - 0003)
80 08 00 08 03 08 01 -- 7e (41 - 0005)
80 08 00 08 03 08 01 -- 04 (47 - 0007)
80 08 00 08 03 08 01 -- 7b (4d - 0009)
and
01 07 91 07 91 07 91 -- 8a (3b - 0001)
01 07 91 07 91 07 91 -- f0 (2b - 0003)
01 07 91 07 91 07 91 -- 7e (41 - 0005)
01 07 91 07 91 07 91 -- 04 (47 - 0007)
01 07 91 07 91 07 91 -- 7b (4d - 0009)

Note that the chksum is identical for the same index despite the data being quite different.
This implies that '01 07 91 07 91 07 91' hashes to the same value as '80 09 00 08 03 08 01' and that the channel index is appended to either the beginning or end of the sequence (but not the middle)
There are many data sets that all hold the same pattern.

And here is another interesting pattern:
88 08 13 08 02 08 02 -- 3d (23 - 0002)
88 08 13 08 02 08 02 -- 47 (09 - 0004)
88 08 13 08 02 08 02 -- c9 (21 - 0006)
88 08 13 08 02 08 02 -- b3 (07 - 0008)
09 08 01 08 01 08 07 -- b3 (23 - 0002)
09 08 01 08 01 08 07 -- c9 (09 - 0004)
09 08 01 08 01 08 07 -- 47 (21 - 0006)
09 08 01 08 01 08 07 -- 3d (07 - 0008)
note the chksm values are reversed for the same indices. this also repeats for indices 10, 12, 14, 16 and 18, 20, 22, 24, etc

and here is a similar pattern using odd indices
88 08 13 08 02 08 02 -- 3d (23 - 0002)
88 08 13 08 02 08 02 -- 47 (09 - 0004)

88 08 13 08 02 08 02 -- c9 (21 - 0006)
88 08 13 08 02 08 02 -- b3 (07 - 0008)

88 08 13 08 02 08 02 -- cc (09 - 0010)
88 08 13 08 02 08 02 -- b6 (1f - 0012)

88 08 13 08 02 08 02 -- 38 (13 - 0014)
88 08 13 08 02 08 02 -- 42 (0f - 0016)
80 08 01 08 0d 08 01 -- b3 (3b - 0001)
80 08 01 08 0d 08 01 -- c9 (2b - 0003)

80 08 01 08 0d 08 01 -- 47 (41 - 0005)
80 08 01 08 0d 08 01 -- 3d (47 - 0007)

80 08 01 08 0d 08 01 -- 42 (4d - 0009)
80 08 01 08 0d 08 01 -- 38 (29 - 0011)

80 08 01 08 0d 08 01 -- b6 (2d - 0013)
80 08 01 08 0d 08 01 -- cc (47 - 0015)
Last edit: 10 Dec 2013 05:36 by PhracturedBlue.

Please Log in or Create an account to join the conversation.

More
10 Dec 2013 10:13 #16466 by kreidler
Replied by kreidler on topic MLINK protocol analysis, CRC ?

heligator wrote: During binding the hopping table and the chipping code are transferred.

I do not know if it makes a difference when transmitting the normal data but while binding I assume that 'Fast response' either 14ms or 21ms will be transferred as well as the chip has to transmit via the reduced channels of the 'France mode' also.
Telemetry information should be transferred only to the Tx. What about the new feature 'ID' for the small RX-5 which allows the Tx to switch to a different model automatically? Could this feature also affect the CRC?

Please Log in or Create an account to join the conversation.

More
10 Dec 2013 18:46 #16499 by heligator
Replied by heligator on topic MLINK protocol analysis, CRC ?
> "Telemetry information should be transferred only to the Tx. What about the new feature 'ID' for the small RX-5 which allows the Tx to switch to a different model automatically? Could this feature also affect the CRC?"

Sorry, I have no telemetry RX and no ID-RX. I bought the "light" receivers without telemetry. Unfortunately they not just lack telemetry (which I was aware of), but also a PA/LNA for better range and a PC interface for configuring the RX and for software updates.

My TX module "HFMG" supports 'Fast response' and 'France mode'. I have appended data with these modes. 'France mode' could be interesting for the CRC, as there are less channels.

I got PPM input more precise (there was a bug) and now I'm able to modify a servo channel while the others keep stable: data is inc3.txt.
Attachments:

Please Log in or Create an account to join the conversation.

More
11 Dec 2013 04:52 - 11 Dec 2013 05:31 #16513 by PhracturedBlue
Replied by PhracturedBlue on topic MLINK protocol analysis, CRC ?
Not much time today, but I thought I'd formalize what I seem to know:
chksum = f1(x,y)
x = f2(7-byte packet)
y = channel-id
I know the following 2 data sets:
f1(x1,y1) = f1(x2,y2) (y1 between 0 and 76)
where:
y2 = (1 + int((y1-2)/8))*(8 - (y1-2)mod 8)
And:
f1(x1,y1) = f1(x3,y3) (y1 between 0 and 76)
where:
y3 = (1 + int((y1-2)/8))*(8 - (y1-2)mod 8) -1

At least for the data samples above, the following seems to fit:
f1(x, y) = f(x xor (y-1))
Though I'm not sure how much it helps, it may make it more likely that the algorithm is something like a pearson hash than like a crc.
Last edit: 11 Dec 2013 05:31 by PhracturedBlue.

Please Log in or Create an account to join the conversation.

More
11 Dec 2013 13:53 - 11 Dec 2013 13:54 #16527 by PhracturedBlue
Replied by PhracturedBlue on topic MLINK protocol analysis, CRC ?
inc3.txt is really useful, but there is a bit more I could use.
it looks like you varried ch1, ch2, ch3, but I'd rather you varied channels 4, 5, 7, 13
But I'd like to see you do all of them (usiung the same range you used in inc3) so I can see the full sequence.
so for instance, doing channels 7,9,11 would let me see variation in the 3rd,5th, and 7th byte of the '09' packet
But just doing all channels would be better than just those

Also, for channels 1,2,3,4,5,6 and 13,14,15,16 it'd be really helpful to sweep the entire range of legal inputs.

You seem to be staying on the same channel before incrementing for about the right time. I am looking to see each channel-index come up at least once for each packet which you are getting, so the rate that you are varying the input seems right.

I'm still looking through the data in inc3. I've found some patterns like the following:
We get similar repeats to what I saw before when the last byte is different by 4 (and if it is different by 1, 2, or 3 there is no overlap in the checksum values)
09 08 00 08 00 07 fa -- 44 (23 - 0002)
09 08 00 08 00 07 fa -- 3e (09 - 0004)
09 08 00 08 00 07 fa -- b0 (21 - 0006)
09 08 00 08 00 07 fa -- ca (07 - 0008)

09 08 00 08 00 07 fe -- ca (05 - 0034)
09 08 00 08 00 07 fe -- b0 (17 - 0036)
09 08 00 08 00 07 fe -- 3e (1f - 0038)
09 08 00 08 00 07 fe -- 44 (25 - 0040)

There is also a pattern when the 5th byte varies:
80 08 00 07 fc 08 00 -- 9c (3b - 0001)
80 08 00 07 fc 08 00 -- e6 (2b - 0003)
80 08 00 07 fc 08 00 -- 68 (41 - 0005)
80 08 00 07 fc 08 00 -- 12 (47 - 0007)

80 08 00 07 fc 08 00 -- 9c (3b - 0001)
80 08 00 07 fc 08 00 -- e6 (2b - 0003)
80 08 00 07 fc 08 00 -- 68 (41 - 0005)
80 08 00 07 fc 08 00 -- 12 (47 - 0007)
Last edit: 11 Dec 2013 13:54 by PhracturedBlue.

Please Log in or Create an account to join the conversation.

More
12 Dec 2013 18:36 #16555 by heligator
Replied by heligator on topic MLINK protocol analysis, CRC ?
inc-all.txt is sweeping all servo channels from 0x7f9 to 0x803 simultaneously. Sweeping the lower byte from 0x800 to 0x8ff will take more than one hour. I will try that tomorrow. For this, is it better to sweep all servo channels simultaneously or to sweep only one channel per line ?

I have modified the format a little. Instead of "ch 15" now it is "15 00" where 15 is the RF channel and 00 is the index. For this, I implemented an index counter in the microcontroller. This seems to be more reliable than counting "ch" lines in the text file, because during data transfer sometimes some bytes are swallowed.
Attachments:

Please Log in or Create an account to join the conversation.

Time to create page: 0.100 seconds
Powered by Kunena Forum