- Posts: 1386
JD 395 cx-10
- victzh
- Offline
Please Log in or Create an account to join the conversation.
- victzh
- Offline
- Posts: 1386
DEMOD_CAL 0x03 0xA7 0x00 0xDF 0x0B
RF_CAL 0x95 0x2B 0x83 0x61 0xB0 0x9A 0xCA
BB_CAL 0x20 0x9C 0x67 0x84 0x7F
compare it with what happens in CX-10
DEMOD_CAL 0x03 0xA7 0xc4 0xDF 0x0B
RF_CAL 0x9C 0xAB 0xBB 0x61 0xB0 0x9A 0xC9
BB_CAL 0x20 0x9C 0x67 0x84 0x4C
These small differences can lead to frequencies slightly shifted, modulation parameters changed, and I don't know what can happen to baseband!
Almost no hope to control it with nRF24L01+. Beken on the other hand probably could be tuned if they'd be a bit more open on their "register bank 1".
As an experiment, can some happy owner of XN297 and working PPM module try and load stock parameters from datasheet and check whether it can control the heli in that state or not?
Please Log in or Create an account to join the conversation.
- goebish
- Offline
- I Void Warranties
- Posts: 2631
victzh wrote: As an experiment, can some happy owner of XN297 and working PPM module try and load stock parameters from datasheet and check whether it can control the heli in that state or not?
Doesn't work, aircraft doesn't bind with default BB_CAL, RF_CAL and DEMOD register values on the transmitter.
I also tried to have the xn297 to communicate with a nrf24l01+ this way, but it didn't work. Also tried to disable CRC, listen on other channel #, but no luck...
Please Log in or Create an account to join the conversation.
- goebish
- Offline
- I Void Warranties
- Posts: 2631
Please Log in or Create an account to join the conversation.
- goebish
- Offline
- I Void Warranties
- Posts: 2631
Please Log in or Create an account to join the conversation.
- PhracturedBlue
- Offline
- Posts: 4402
Please Log in or Create an account to join the conversation.
- goebish
- Offline
- I Void Warranties
- Posts: 2631
Please Log in or Create an account to join the conversation.
- victzh
- Offline
- Posts: 1386
Please Log in or Create an account to join the conversation.
- goebish
- Offline
- I Void Warranties
- Posts: 2631
Oh well, at least we can make PPM modules after a bit of butchery, that's better than nothing.
I might get a newer "CX-10A", I guess it's using yet another protocol to play with
Please Log in or Create an account to join the conversation.
- hexfet
- Offline
- Posts: 1891
The datasheet describes them as "debug registers".
Please Log in or Create an account to join the conversation.
- goebish
- Offline
- I Void Warranties
- Posts: 2631
(RF_CAL is completely different)
0x1F BB_CAL: 20 9C 28 44 27
0x1E RF_CAL: AA AA 49 7F 59 4C 0D
0x19 DEMOD_CAL: 03 A7 20 BD 0B
Please Log in or Create an account to join the conversation.
- goebish
- Offline
- I Void Warranties
- Posts: 2631
As I noticed the values of the registers were not what they were supposed to be at startup, I tried to set the values as in the datasheet instead of what we found in the capture... and it works, I can control the copter.
Also, it looks like register 0x1E holds a value in the nrf24l01+ (05 2B 80 00 ? not the same length than same register in xn297...), attempting to read registers 0x19 and 0x1F on the nrf24l01+ just returns a bunch of 00s.
Please Log in or Create an account to join the conversation.
- victzh
- Offline
- Posts: 1386
CX-10 bounds on channel 2, which translates to channel frequency 2402MHz. I have HackRF Jawbreaker SDR with which I captured the signal.
CX-10 TX transmits a packet every 1.5ms with center frequency 2402MHz and width approximately 1.2MHz at -30dB which seems to be normal for 1Mbps.
My code uses nRF24L01+ and transmits packets with center frequency 2402.2MHz! and probably slightly wider in bandwidth.
I checked the available literature and it never mentions this 200KHz deviation.
I am not so sure about calibration of HackRF, it can be other way around- nRF24L0+ transmits on 2402MHz, and XN297 on 2401.8MHz, but other than this it's very clear difference in center frequency of 200KHz.
At 1Mbps it can easily be the reason of incompatibility of these chips, and without knowledge about "debug" registers of nRF we will not be able to compensate for it.
It would be great if someone with more precise instruments can confirm this.
Please Log in or Create an account to join the conversation.
- SeByDocKy
- Offline
- Posts: 1016
victzh wrote: I've got very strange results comparing original CX-10 (green board) TX and my own code (assembled from different sources - hexfet's Deviation module and couple of Arduino PPM modules).
CX-10 bounds on channel 2, which translates to channel frequency 2402MHz. I have HackRF Jawbreaker SDR with which I captured the signal.
CX-10 TX transmits a packet every 1.5ms with center frequency 2402MHz and width approximately 1.2MHz at -30dB which seems to be normal for 1Mbps.
My code uses nRF24L01+ and transmits packets with center frequency 2402.2MHz! and probably slightly wider in bandwidth.
EDIT : in the section 5.2 of the nRF24L01+ documention, you hade DeltaF_1M = 160Khz of deviation.... Can be set ? somewhere ?
I checked the available literature and it never mentions this 200KHz deviation.
I am not so sure about calibration of HackRF, it can be other way around- nRF24L0+ transmits on 2402MHz, and XN297 on 2401.8MHz, but other than this it's very clear difference in center frequency of 200KHz.
At 1Mbps it can easily be the reason of incompatibility of these chips, and without knowledge about "debug" registers of nRF we will not be able to compensate for it.
It would be great if someone with more precise instruments can confirm this.
Damned for 200Khz versus 2402Mhz so a deviation of 1/1000 is enough to desynchronize everything ....
Look section 5.2 of the nRF24L01 documention .... Devation at 1Mbits is 160Khz ....
Please Log in or Create an account to join the conversation.
- victzh
- Offline
- Posts: 1386
On the other hand 200KHz is 83ppm deviation at 2.4GHz. It means shitty crystal, but for module for $3-5 bucks they can easily use 100ppm crystal.
My other experiment with Beken 2421 module is even more puzzling - it holds frequency correctly, but no binding happens.
Please Log in or Create an account to join the conversation.
- victzh
- Offline
- Posts: 1386
I finally demodulated the binding packets using an excellent HackRF Jawbreaker and Gnu Radio. I used www.inguardians.com/pubs/GRC_signal_analysis_InGuardians_v1.pdf as a guide.
The results are the following: if I use my own code and both nRF24L01 and Beken 2421 I can successfully demodulate the signal and can see preamble (0xAA), the address (five 0xCC bytes), and following packet bytes.
If I try to demodulate XN297 I can see some demodulated signal which coincides with the radio signal but have no such well defined structure - I can't see the preamble and address - just some bytes arbitrarily appearing.
I will look at it more - I have an impression that it is passed through some scrambler. It is untypical to do so - usually only the contents of the packet is scrambled and preamble and address are as is.
Please Log in or Create an account to join the conversation.
- goebish
- Offline
- I Void Warranties
- Posts: 2631
Is the Jawbreaker, the "beta" version of the one, I'm confused ?
Meanwhile, I reversed yet another XN297 protocol, for the Eachine 3D X4:
gist.github.com/goebish/6095bb2d95037297641d
Please Log in or Create an account to join the conversation.
- victzh
- Offline
- Posts: 1386
Jawbreaker is the last beta - fully functional, but less convenient. It lives in an antistatic bag and I get it out of it and put on antenna and USB every time I need to use it. On the other hand, I've got it for free as a part of the beta program - who am I to complain
I was not very lucky with XN297 so far - I soldered to CX-10 green TX and tried to isolate the MCU so that I can use it with my own code but keep an ability to switch back to the native code to keep the baseline for comparison. This approach fails - the other elements on the TX board feed MCU enough to interfere with my code.
I ordered another CX-10 - and got a red version! So, I'm waiting for Eachine H7 which is guaranteed to have XN297 in it in a detachable form.
Next I plan to first make my code work with CX-10 green and Eachine's XN297 and make a comparison RF traces of biding sequence with XN297, Beken, and Nordic. CX-10 binding is luckily uses one RF channel so it's easy to catch. I can publish these traces for analysis - just set up GNU radio and you can read it from file. You don't need HackRF or any other SDR for this.
Please Log in or Create an account to join the conversation.
- goebish
- Offline
- I Void Warranties
- Posts: 2631
Please Log in or Create an account to join the conversation.
- Daryoon
- Offline
- Posts: 260
Always appreciate you guys developing and continuing to push Deviation forward.
Please Log in or Create an account to join the conversation.
- Home
- Forum
- Development
- Protocol Development
- JD 395 cx-10