SYMA S3X protocol

08 Feb 2014 16:49 #19996 by SeByDocKy
SYMA S3X protocol was created by SeByDocKy
Hi,

For any protocol hacker, please find some Saleae 1.1.15 logs (session and SPI) for this protocol of the SYMA coaxial helicopter. It seems to be an nRF24L01+ compatible RF chip.

During capture, I played with the right stick: down, then up, then left, then right, and then clicked twice on the shoulder button.




www.wetransfer.com/downloads/3338db4cb9e...0140208163902/0c78b5

08 Feb 2014 17:58 #20002 by PhracturedBlue
Replied by PhracturedBlue on topic SYMA S3X protocol
Are you sure it is an nrf24L01? The initialization sequence looks more like it is a CC2500 (I am not 100% sure of that, I've never looked at the CC2520 or others, but it resembles the skyartec initialization much more than a cyrf, nrf24l01, or a7105).

08 Feb 2014 19:35 #20003 by SeByDocKy
Replied by SeByDocKy on topic SYMA S3X protocol

PhracturedBlue wrote: Are you sure it is an nrf24L01? The initialization sequence looks more like it is a CC2500 (I am not 100% sure of that, I've never looked at the CC2520 or others, but it resembles the skyartec initialization much more than a cyrf, nrf24l01, or a7105).


No, I am not sure at all... so sorry if I said something stupid once again :)

08 Feb 2014 20:58 - 08 Feb 2014 20:59 #20005 by SeByDocKy
Replied by SeByDocKy on topic SYMA S3X protocol
Anyway, according to the CC2500 datasheet, the quartz must be 26-27 MHz? For me, the quartz of the chip of this SYMA seems to be 16 MHz only... as for nRF24L01 compatible RF chips.
Last edit: 08 Feb 2014 20:59 by SeByDocKy.

09 Feb 2014 22:39 #20038 by hexfet
Replied by hexfet on topic SYMA S3X protocol
Looked at the CC2500 datasheet and agree that the data looks like it's for that device or something compatible.

Two things about the SPI data. The MISO line is bouncing around when it should be stable, often in the middle of transferring the chip status byte. This chip does do some extra things with this line, but shouldn't be in the middle of a transfer when CSn is low. Also it seems the status byte has some unexpected values. Maybe an intermittent connection or short?

After the initialization the rest of the data is repeating a nearly identical sequence of just a few commands, none of which look like a data transfer. Did you have the 'copter bound during the capture? That didn't matter for the Syma protocol since the stock tx blindly forged ahead without detecting a bind failure.

09 Feb 2014 22:47 #20039 by victzh
Replied by victzh on topic SYMA S3X protocol
At least it is processed by my decoding script for cc2500 without errors, and the nRF24L01 script bails at it. There is not much sensible traffic after the initialization - my impression is that it tries to receive unsuccessfully. Is it a transmitter or a receiver?

10 Feb 2014 08:48 #20057 by SeByDocKy
Replied by SeByDocKy on topic SYMA S3X protocol

hexfet wrote: Looked at the CC2500 datasheet and agree that the data looks like it's for that device or something compatible.

Two things about the SPI data. The MISO line is bouncing around when it should be stable, often in the middle of transferring the chip status byte. This chip does do some extra things with this line, but shouldn't be in the middle of a transfer when CSn is low. Also it seems the status byte has some unexpected values. Maybe an intermittent connection or short?

After the initialization the rest of the data is repeating a nearly identical sequence of just a few commands, none of which look like a data transfer. Did you have the 'copter bound during the capture? That didn't matter for the Syma protocol since the stock tx blindly forged ahead without detecting a bind failure.



No, the copter is not switched on. If you need it, I can do it.

10 Feb 2014 08:49 #20058 by SeByDocKy
Replied by SeByDocKy on topic SYMA S3X protocol

victzh wrote: At least it is processed by my decoding script for cc2500 without errors, and the nRF24L01 script bails at it. There is not much sensible traffic after the initialization - my impression is that it tries to receive unsuccessfully. Is it a transmitter or a receiver?


This is the transmitter. Do you want me to bind the helicopter during the capture?

10 Feb 2014 13:48 #20065 by hexfet
Replied by hexfet on topic SYMA S3X protocol
Without binding this transmitter never starts sending data packets to control the copter, so it's necessary to capture the binding and after that the movement of the sticks.

10 Feb 2014 14:26 #20070 by SeByDocKy
Replied by SeByDocKy on topic SYMA S3X protocol

hexfet wrote: Without binding this transmitter never starts sending data packets to control the copter, so it's necessary to capture the binding and after that the movement of the sticks.



OK, when I am home, I will restart the sniffing process with binding.

10 Feb 2014 15:52 #20078 by victzh
Replied by victzh on topic SYMA S3X protocol
Seems to be the case.

BTW, do you need the decoding script? It's a bit primitive, but easier than looking at hex numbers.

10 Feb 2014 16:18 #20081 by SeByDocKy
Replied by SeByDocKy on topic SYMA S3X protocol

victzh wrote: Seems to be the case.

BTW, do you need the decoding script? It's a bit primitive, but easier than looking at hex numbers.


Script based on which language? Don't laugh, I am working on a Windows box :)

10 Feb 2014 16:19 #20082 by hexfet
Replied by hexfet on topic SYMA S3X protocol

victzh wrote: BTW, do you need the decoding script? It's a bit primitive, but easier than looking at hex numbers.

Yes, please. That would be very helpful.

10 Feb 2014 20:21 - 10 Feb 2014 20:22 #20093 by victzh
Replied by victzh on topic SYMA S3X protocol
OK, here you go. And for nRF24L01 also.

There can be a slight incorrectness - the script does not report the status of the CC2500 operation, but internally it gets it only during the command byte. As there can be multibyte writes, status can be reported during each byte, and as I have little experience with CC2500 I don't know whether this is important or not.

Also, decoding is very superficial - register names only, not bit fields.
Last edit: 10 Feb 2014 20:22 by victzh. Reason: Added files with acceptable types.
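
The kind of register-name decoding described in the post above, as an added example; it is not victzh's script (the attachment is not on this page). Register, strobe and status names are a subset taken from the TI CC2500 datasheet, the sample bytes are constructed, and the decoder reports the chip status for every byte of a write rather than only for the command byte.

```python
# Added example: CC2500 SPI decoder. Names are from the TI CC2500 datasheet (subset only).
REGS = {0x00: "IOCFG2", 0x01: "IOCFG1", 0x02: "IOCFG0", 0x03: "FIFOTHR", 0x04: "SYNC1",
        0x05: "SYNC0", 0x06: "PKTLEN", 0x07: "PKTCTRL1", 0x08: "PKTCTRL0", 0x09: "ADDR",
        0x0A: "CHANNR", 0x0D: "FREQ2", 0x0E: "FREQ1", 0x0F: "FREQ0",
        0x3E: "PATABLE", 0x3F: "FIFO"}
STATUS_REGS = {0x30: "PARTNUM", 0x31: "VERSION", 0x34: "RSSI", 0x35: "MARCSTATE",
               0x3A: "TXBYTES", 0x3B: "RXBYTES"}
STROBES = {0x30: "SRES", 0x31: "SFSTXON", 0x32: "SXOFF", 0x33: "SCAL", 0x34: "SRX",
           0x35: "STX", 0x36: "SIDLE", 0x39: "SPWD", 0x3A: "SFRX", 0x3B: "SFTX",
           0x3D: "SNOP"}
STATES = ["IDLE", "RX", "TX", "FSTXON", "CALIBRATE", "SETTLING",
          "RXFIFO_OVERFLOW", "TXFIFO_UNDERFLOW"]


def decode_status(b):
    """Chip status byte: CHIP_RDYn (bit 7), STATE (bits 6:4), FIFO bytes (bits 3:0)."""
    return {"ready": not b & 0x80, "state": STATES[(b >> 4) & 7], "fifo": b & 0x0F}


def decode_transaction(mosi, miso):
    """Decode the bytes clocked during one CSn-low period into a list of operations."""
    ops, i = [], 0
    while i < len(mosi):
        hdr = mosi[i]
        read, burst, addr = bool(hdr & 0x80), bool(hdr & 0x40), hdr & 0x3F
        special = 0x30 <= addr <= 0x3D           # strobe, or status register if burst bit set
        if special and not burst:                # command strobe: header byte only
            ops.append({"op": "strobe", "data": [(STROBES.get(addr, hex(addr)), None)],
                        "status": [decode_status(miso[i])]})
            i += 1
            continue
        end = len(mosi) if burst and not special else min(i + 2, len(mosi))
        names = STATUS_REGS if special else REGS
        step = 1 if addr < 0x30 else 0           # FIFO and PATABLE do not auto-increment
        src = miso if read else mosi
        data = [(names.get(addr + k * step, hex(addr + k * step)), src[j])
                for k, j in enumerate(range(i + 1, end))]
        # A read returns status with the header only; a write returns it with every byte.
        raw = [miso[i]] if read else miso[i:end]
        ops.append({"op": "read" if read else "write", "data": data,
                    "status": [decode_status(b) for b in raw]})
        i = end
    return ops


# Constructed sample bytes (not taken from the capture in this thread).
if __name__ == "__main__":
    print(decode_transaction([0x30], [0x0F]))                          # SRES
    print(decode_transaction([0x4D, 0x5C, 0x76, 0x27], [0x0F] * 4))    # burst write FREQ2..0
    print(decode_transaction([0xF5, 0x00], [0x0F, 0x01]))              # read MARCSTATE
```

A status entry with `ready` false in the middle of a transfer corresponds to the kind of unexpected status value mentioned earlier in the thread and is worth checking against the wiring before trusting the decoded data.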

10 Feb 2014 20:51 #20096 by SeByDocKy
Replied by SeByDocKy on topic SYMA S3X protocol
Bad news ....

My S33 TX seems to be dead ... I am investigating ... :(

11 Feb 2014 20:47 #20144 by btoschi
Replied by btoschi on topic SYMA S3X protocol
The TX looks exactly like the one of my Syma F3 - which uses a (slightly modified - trim seems to be different) V911 (FlySky) protocol.

My V911 binds fine with F3 TX, but when raising throttle the tail rotor goes full throttle w/o any chance to control (I first thought my V911 is dead, but it flies fine with V929 TXs).

Inside my F3 TX is a red pcb with an A7105 (next to power LED), main PCB is green and labeled "SYMA-217-TX V3" and "2012 8 9".

Please check what your TX PCB says.

11 Feb 2014 20:52 - 11 Feb 2014 20:58 #20145 by cstratton
Replied by cstratton on topic SYMA S3X protocol

btoschi wrote: My V911 binds fine with F3 TX, but when raising throttle the tail rotor goes full throttle w/o any chance to control (I first thought my V911 is dead, but it flies fine with V929 TXs).


This sounds a lot like what a v911 will do with a Syma X1 TX as well.

In that case it actually is flyable if you put the quadcopter TX in its high rate mode - apparently, low rate is signaled by a high order bit which the v911 interprets as an extreme yaw command.

Do you have a link to a product page for the helicopter in question? The model number is yielding some, er, "interesting" search results, as it has certain visual similarities to another word.
Last edit: 11 Feb 2014 20:58 by cstratton.

11 Feb 2014 21:18 - 11 Feb 2014 21:22 #20146 by btoschi
Replied by btoschi on topic SYMA S3X protocol
www.symatoys.com/product/show/1885.html :P

Flies very nicely, besides the fact that it starts to turn around faster and faster (you can compensate with rudder) with fly time. Not sure if that is due to gyro drift, gyro getting warmer or gyro voltage dropping ...
Anyway, if I recall right, my V911 has a similar issue :P
Last edit: 11 Feb 2014 21:22 by btoschi.

12 Feb 2014 07:03 #20168 by SeByDocKy
Replied by SeByDocKy on topic SYMA S3X protocol

btoschi wrote: The TX looks exactly like the one of my Syma F3 - which uses a (slightly modified - trim seems to be different) V911 (FlySky) protocol.

My V911 binds fine with F3 TX, but when raising throttle the tail rotor goes full throttle w/o any chance to control (I first thought my V911 is dead, but it flies fine with V929 TXs).

Inside my F3 TX is a red pcb with an A7105 (next to power LED), main PCB is green and labeled "SYMA-217-TX V3" and "2012 8 9".

Please check what your TX PCB says.


Hi,


Unfortunately, for this heli, any V91x1 TX are binding it .... and its RF chip is not an A7105.... :(
