Eachine H1 a.k.a. Mini Ninja
30 Oct 2014 12:46 - 30 Oct 2014 13:00 #26220
by alibenpeng
Eachine H1 a.k.a. Mini Ninja was created by alibenpeng
Hi,
I've got me one of these and none of the protocols I've tested so far seems to work (and I've tested all but the "expensive" ones like FrSky or DSMX). The transceiver is nothing I've ever seen before (picture attached) and also completely unmarked. All 2.4GHz transceivers I've seen so far come in TQFP packages, not in SOIC, SOP, or whatever this is.
I've tried to trace data on the SPI bus (or what I believe to be the SPI bus), but they look all broken. The clock signal looks irregular and at ~87kHz it is way too slow for an SPI clock.
Also, those traces were quite hard to capture, as connecting wires to those pins seems to derail the signals and it took quite a few tries to capture a successfull bind, for example. Especially the clock signal seems to be VERY sensitive to the "antenna" that is the LA wire. I had to keep it extremely short to be able to capture anything on it without breaking communications between MCU and transceiver.
Can anybody tell me what I'm looking at, or give me some advice on how to make a proper capture?
Thanks,
Ali
I've got me one of these and none of the protocols I've tested so far seems to work (and I've tested all but the "expensive" ones like FrSky or DSMX). The transceiver is nothing I've ever seen before (picture attached) and also completely unmarked. All 2.4GHz transceivers I've seen so far come in TQFP packages, not in SOIC, SOP, or whatever this is.
I've tried to trace data on the SPI bus (or what I believe to be the SPI bus), but they look all broken. The clock signal looks irregular and at ~87kHz it is way too slow for an SPI clock.
Also, those traces were quite hard to capture, as connecting wires to those pins seems to derail the signals and it took quite a few tries to capture a successfull bind, for example. Especially the clock signal seems to be VERY sensitive to the "antenna" that is the LA wire. I had to keep it extremely short to be able to capture anything on it without breaking communications between MCU and transceiver.
Can anybody tell me what I'm looking at, or give me some advice on how to make a proper capture?
Thanks,
Ali
Please Log in or Create an account to join the conversation.
31 Oct 2014 08:57 #26235
by btoschi
Replied by btoschi on topic Eachine H1 a.k.a. Mini Ninja
I have captures of the entire stuff and (somewhere lost on my desktop 
) scribbles where I've analyzed the format (includig bind sequence) in detail.
I'll search this evening and post details on protocol ... no need to do that work twice.
) scribbles where I've analyzed the format (includig bind sequence) in detail.I'll search this evening and post details on protocol ... no need to do that work twice.
Please Log in or Create an account to join the conversation.
01 Nov 2014 11:25 - 01 Nov 2014 11:26 #26245
by btoschi
Replied by btoschi on topic Eachine H1 a.k.a. Mini Ninja
SeBy mentioned that he also had trouble sniffing traffic on H1 transmitter.
I'll check your setup this evening, sounds like some pins are not really the proper ones
Reagarding Down-converter based 2.4GHz sniffing: This will only work until the protocol starts to channel-hop - which is okay in this scenario, but makes its unusable to check any issues with frequency hopping (simply, the SDR cannot switch channels fast enough, as far as I know).
I've thought about emulating it with nRF before, but yet had no idea how to start.
You can send almost anything as _real_ payload (including preambles and headers of LT8910) and just ignore that NRF protocol header and footer being added automagically.
Can make receipting harder for LT chip (in case NRF has similar sync, as it has), but it should sync to its own preambles within ANY random data.
I'll check your setup this evening, sounds like some pins are not really the proper ones
Reagarding Down-converter based 2.4GHz sniffing: This will only work until the protocol starts to channel-hop - which is okay in this scenario, but makes its unusable to check any issues with frequency hopping (simply, the SDR cannot switch channels fast enough, as far as I know).
I've thought about emulating it with nRF before, but yet had no idea how to start.
You can send almost anything as _real_ payload (including preambles and headers of LT8910) and just ignore that NRF protocol header and footer being added automagically.
Can make receipting harder for LT chip (in case NRF has similar sync, as it has), but it should sync to its own preambles within ANY random data.
Please Log in or Create an account to join the conversation.
02 Nov 2014 15:00 #26261
by SeByDocKy
Replied by SeByDocKy on topic Eachine H1 a.k.a. Mini Ninja
Good to see some people involved with the LT8910 
... coz other nanoquad & micro can be hacked too. I hope it will be possible to use our "old" nRF24L01
... coz other nanoquad & micro can be hacked too. I hope it will be possible to use our "old" nRF24L01 Please Log in or Create an account to join the conversation.
04 Nov 2014 14:24 - 04 Nov 2014 19:38 #26282
by alibenpeng
Replied by alibenpeng on topic Eachine H1 a.k.a. Mini Ninja
I'm happy to announce that I've got my first proper SPI capture. It looks promisingly close to SeBy's, down to the syncword in registers 36-39. No idea what made it so hard the first ten times around, but I guess, verifying stuff with the datasheet instead of just assuming I've got the right pins helps.
I've also got the CRC generation and bit shifting of the payload packet working, so I was even able to send a few first (unsuccessfull) bind packets.
What I've done is make the CRC polynomial configurable (only among the 4 most common, not a free 16 bit number) via the model_opts dialog and rotate the trailer with every bind packet that gets sent out.
But without being able to sniff packets from the air, this is about as far as I'll get. Hopefully the down converter gets here soon...
I am coding directly in Deviation, with the emu and lots of debugging, to see if my code even does what it's supposed to, and if I got something worth testing, I flash it to my Devo8. I've used to go the Arduino/AVR route when I built my own PPM modules for the 9X (using/porting Deviation protocol code).
BTW, I've got a Makefile based toolchain for the AVR that includes the Arduino libs. The Arduino IDE just wasn't bearable. I'm a Linux Admin by trade, so, by definition, my coding skills are limited and I feel strongly about the text editor I use.
I've also got the CRC generation and bit shifting of the payload packet working, so I was even able to send a few first (unsuccessfull) bind packets.
What I've done is make the CRC polynomial configurable (only among the 4 most common, not a free 16 bit number) via the model_opts dialog and rotate the trailer with every bind packet that gets sent out.
But without being able to sniff packets from the air, this is about as far as I'll get. Hopefully the down converter gets here soon...
I am coding directly in Deviation, with the emu and lots of debugging, to see if my code even does what it's supposed to, and if I got something worth testing, I flash it to my Devo8. I've used to go the Arduino/AVR route when I built my own PPM modules for the 9X (using/porting Deviation protocol code).
BTW, I've got a Makefile based toolchain for the AVR that includes the Arduino libs. The Arduino IDE just wasn't bearable. I'm a Linux Admin by trade, so, by definition, my coding skills are limited and I feel strongly about the text editor I use.
Please Log in or Create an account to join the conversation.
07 Nov 2014 10:18 - 07 Nov 2014 10:18 #26309
by btoschi
Replied by btoschi on topic Eachine H1 a.k.a. Mini Ninja
Great findings, looking reasonable and fine.
Regarding the 0a/8a bind channel, I've most propably overlooked that only with 0a the actual transmission bit is set - did not spent too much time on these protocols and I've learned most LT8910 features during investigation, as such my first findings are most propably wrong on many things (be warned)
I'll check if I can check this evening ... My last evening-task (repairing a dead Phantom 2 Vision) finished successfully.
Side note on the Phantom: How can one build such over-computerized thing and not giving any opportunity to read error codes via PC / App ??? (Did I mention no GPS details, ... ???) Most things are accessible via WiFi protocol - see www.rcgroups.com/forums/showthread.php?t=2212861 .
Regarding the 0a/8a bind channel, I've most propably overlooked that only with 0a the actual transmission bit is set - did not spent too much time on these protocols and I've learned most LT8910 features during investigation, as such my first findings are most propably wrong on many things (be warned
)I'll check if I can check this evening ... My last evening-task (repairing a dead Phantom 2 Vision) finished successfully.
Side note on the Phantom: How can one build such over-computerized thing and not giving any opportunity to read error codes via PC / App ??? (Did I mention no GPS details, ... ???) Most things are accessible via WiFi protocol - see www.rcgroups.com/forums/showthread.php?t=2212861 .
Please Log in or Create an account to join the conversation.
13 Jan 2015 09:08 #27647
by alibenpeng
Replied by alibenpeng on topic Eachine H1 a.k.a. Mini Ninja
Quick update:
I've got my downconverter delivered, only to find out I've ordered the wrong one. I got one for 2.2-2.4GHz, while what I needed was one for 2.4-2.6GHz. Which is what I now ordered.
I'll be back in another few weeks, then, I guess..
I've got my downconverter delivered, only to find out I've ordered the wrong one. I got one for 2.2-2.4GHz, while what I needed was one for 2.4-2.6GHz. Which is what I now ordered.
I'll be back in another few weeks, then, I guess..
Please Log in or Create an account to join the conversation.
Time to create page: 0.115 seconds
-
Home
-
Forum
-
Development
-
Protocol Development
- Eachine H1 a.k.a. Mini Ninja