SYMA S3X protocol

Hi,

For any protocol hacker, please find some saleaae 1.1.15 log (session and SPI) for this protocol of SYMA coaxial helicopter. Seems to be a nRF24L01+ compatible RF chips.

During capture, I played with the right stick : down then up then left then right and then clicking twice on the shoulder button




www.wetransfer.com/downloads/3338db4cb9e...0140208163902/0c78b5

PhracturedBlue wrote: Are you sure it is an nrf24L01? The initialization sequence looks more like it is a CC2500 (I am not 100% sure of that, I've never looked at the CC2520 or others, but it resembles the skyartec initialization much more than a cyrf, nrf24l1, or a7105).

No I am not sure at all .... so sorry if I said one more time a stupidity

Anyway, according to the CC2500 datasheet, the quartz must be 26-27Mhz ? For me, the quartz of the chip of this SYMA seems to be 16 Mhz only .... as for nRF24L01 compatible RF chips

Looked at the CC2500 datasheet and agree that the data looks like it's for that device or something compatible.

Two things about the SPI data. The MISO line is bouncing around when it should be stable, often in the middle of transferring the chip status byte. This chip does do some extra things with this line, but shouldn't be in the middle of a transfer when CSn is low. Also it seems the status byte has some unexpected values. Maybe an intermittent connection or short?

After the initialization the rest of the data is repeating a nearly identical sequence of just a few commands, none of which look like a data transfer. Did you have the 'copter bound during the capture? That didn't matter for the Syma protocol since the stock tx blindly forged ahead without detecting a bind failure.

At least it is processed by my decoding script for cc2500 without errors, and nRF24L01 script bails at it. There is not much of sensible traffic after the initialization - in my impression it tries to receive unsuccessfully. Is it transmitter of receiver?

hexfet wrote: Looked at the CC2500 datasheet and agree that the data looks like it's for that device or something compatible.

Two things about the SPI data. The MISO line is bouncing around when it should be stable, often in the middle of transferring the chip status byte. This chip does do some extra things with this line, but shouldn't be in the middle of a transfer when CSn is low. Also it seems the status byte has some unexpected values. Maybe an intermittent connection or short?

After the initialization the rest of the data is repeating a nearly identical sequence of just a few commands, none of which look like a data transfer. Did you have the 'copter bound during the capture? That didn't matter for the Syma protocol since the stock tx blindly forged ahead without detecting a bind failure.

No the copter is not switch on. If you need it, I can do it.

victzh wrote: At least it is processed by my decoding script for cc2500 without errors, and nRF24L01 script bails at it. There is not much of sensible traffic after the initialization - in my impression it tries to receive unsuccessfully. Is it transmitter of receiver?

This is the transmitter. Do you want that I bind the helicopter during the capture ?

Without binding this transmitter never starts sending data packets to control the copter, so it's necessary to capture the binding and after that the movement of the sticks.

hexfet wrote: Without binding this transmitter never starts sending data packets to control the copter, so it's necessary to capture the binding and after that the movement of the sticks.

Ok when I will be home, I will restart the sniffing process with binding

Seems to be the case.

BTW, do you need the decoding script? It's a bit primitive, but easier than look at hex numbers.

victzh wrote: Seems to be the case.

BTW, do you need the decoding script? It's a bit primitive, but easier than look at hex numbers.

script based on which language ? Don't laugh, I am working on windows box

victzh wrote: BTW, do you need the decoding script? It's a bit primitive, but easier than look at hex numbers.

Yes, please. That would be very helpful.

OK, here you go. And for nRF24L01 also.

It can be a slight incorrectness - the script does not report status of CC2500 operation, but internally it gets it only during the command byte. As there can be multibyte writes, status can be reported during each byte, and as I have little experience with CC2500 I don't know whether this important or not.

Also, decoding is very superficial - register names only, not bit fields.

Bad news ....

My S33 TX seems to be dead ... I am investingating ...

The TX looks exactly like the one of my Syma F3 - which uses a (slighly modified - trim seems to be different) V911 (FlySky) protocol.

My V911 binds fine with F3 TX, but when raising throttle the tail rotor goes full throttle w/o any chance to control (I first thought my V911 is dead, but it flies fine with V929 TXs).

Inside my F3 TX is a red pcb with an A7105 (next to power LED), main PCB is green and labeled "SYMA-217-TX V3" and "2012 8 9".

Please check what your TX PCB says.

btoschi wrote: My V911 binds fine with F3 TX, but when raising throttle the tail rotor goes full throttle w/o any chance to control (I first thought my V911 is dead, but it flies fine with V929 TXs).

This sounds a lot like what a v911 will do with a Syma X1 TX as well.

In that case it actually is flyable if you put the quadcopter TX in it's high rate mode - apparently, low rate is signaled by a high order bit which the v911 interprets as an extreme yaw command.

Do you have a link to a product page for the helicopter in question? The model number is yielding some, er, "interesting" search results, as it has certain visual similarities to another word.

www.symatoys.com/product/show/1885.html

Flies very nice, besides the fact that it starts to turn around faster and faster (you can compensate with rudder) with fly time. Not sure if that is due to gyro drift, gyro getting warmer or gyro voltage dropping ...
Anyway when I recall right my V911 has a similar issue

btoschi wrote: The TX looks exactly like the one of my Syma F3 - which uses a (slighly modified - trim seems to be different) V911 (FlySky) protocol.

My V911 binds fine with F3 TX, but when raising throttle the tail rotor goes full throttle w/o any chance to control (I first thought my V911 is dead, but it flies fine with V929 TXs).

Inside my F3 TX is a red pcb with an A7105 (next to power LED), main PCB is green and labeled "SYMA-217-TX V3" and "2012 8 9".

Please check what your TX PCB says.

Hi,


Unfortunatly, for this heli, any V91x1 TX are binding it .... and it's RF chip is not a A7105....