SYMA X5C-1, X11, X12

Ok, I captured SPI traces from my X11's trasmitter. Please, take a look Hexfet.

Removed SPI Capture

Thanks, this is good information. The tx address is different, as are the channels used in the data phase. The relation between them is not obvious so no quick fix. Will post more when I've had a chance to look in more detail.

There are two sets of differences between SeByDocKy's and Durete's traces. The tx address and channel differences affect binding. The other set is in the setup of the Beken register bank 1 and doesn't really affect the protocol.

Without further captures from other transmitters I don't think there's enough information to implement the randomized address. Currently two devo users flying this protocol at the same time will interfere with each other.

The only difference in the bind packets between SeByDocKy's data (call it S1) and Durete's (D1) is the tx address, so the channel sequence must be chosen based on something about the tx address. Here are the differences:
The channel sequence can be generated from a start number (14 and 15 here), so we need to figure out how to get the start number from the tx address. The capture from Durete's inbound X11C will be another data point, but still may not be enough. Ideas welcome.

The differences in the Beken chip set up appear to make Durete's tx transmit higher power, so maybe his is a later version? But some of the register settings don't match the data sheet so I'm not sure I trust it. Maybe the Syma designers have later info from Beken.

hexfet wrote: There are two sets of differences between SeByDocKy's and Durete's traces. The tx address and channel differences affect binding. The other set is in the setup of the Beken register bank 1 and doesn't really affect the protocol.

Without further captures from other transmitters I don't think there's enough information to implement the randomized address. Currently two devo users flying this protocol at the same time will interfere with each other.

The only difference in the bind packets between SeByDocKy's data (call it S1) and Durete's (D1) is the tx address, so the channel sequence must be chosen based on something about the tx address. Here are the differences:

      TX address        Channel Sequence
S1    3B B6 00 00 A2    15 35 1D 3D
D1    9A E9 02 00 A2    14 34 1C 3C

The channel sequence can be generated from a start number (14 and 15 here), so we need to figure out how to get the start number from the tx address. The capture from Durete's inbound X11C will be another data point, but still may not be enough. Ideas welcome.

The differences in the Beken chip set up appear to make Durete's tx transmit higher power, so maybe his is a later version? But some of the register settings don't match the data sheet so I'm not sure I trust it. Maybe the Syma designers have later info from Beken.

Interesting ..... I have also the V3 board too of the X11 ... but maybe they activate some extrasensitivity flag or they gave different threshold values for the symbol detection ...

@Seby
Do you have the X12?
Maybe some capture from your X12's transmitter, could add any info.

I have a co-worker waiting for a X5C-1, probably this week, I will try to persuade him to capture from his TX

BTW, I will capture SPI traces when receive my X11-C some day
I think this week is very probably...

Durete wrote: @Seby
Do you have the X12?
Maybe some capture from your X12's transmitter, could add any info.

I have a co-worker waiting for a X5C-1, probably this week, I will try to persuade him to capture from his TX

BTW, I will capture SPI traces when receive my X11-C some day
I think this week is very probably...

In fact, my SPI is coming from the X12 TX (since I was able to bind with the X11 and already started to mod it)... So maybe here is the explanation ....

SeByDocKy wrote:

Durete wrote: @Seby
Do you have the X12?
Maybe some capture from your X12's transmitter, could add any info.

I have a co-worker waiting for a X5C-1, probably this week, I will try to persuade him to capture from his TX

BTW, I will capture SPI traces when receive my X11-C some day
I think this week is very probably...

In fact, my SPI is coming from the X12 TX (since I was able to bind with the X11 and already started to mod it)... So maybe here is the explanation ....

Maybe Syma engineers programmed the X12 TX to emit at low power, because the X12 is a nano quad, and really don't need great range.

Usually it's impossible to recover the protocol just by recording two transmitters (there are trivial cases for sure, but this is not the one).

You have a piece of equipment which knows about all there frequency hopping sequences - the receiver. You need to recover this knowledge from the receiver.

What I did is I implemented part of the protocol in question and sniffed the receiver and fed it with many different TX ids and watched what channel the receiver expects the next packet at.

It allows you get more statistics for detailed analysis. Some protocols are easier, some contain very complicated algorithms, but you need some reasonable data set first.

victzh wrote: you need some reasonable data set first.

I agree. If it's not obvious from two transmitters, a few more likely won't be enough to reverse engineer the algorithm. Think I'll start shopping for one of these models...

I will add more data from at least one more TX, maybe 2...
This could be a good excuse to buy a X12 for me

Does anyone make a hi-res photo of receiver board? Before shopping you should evaluate feasibility of the project. Some boards are very hard to solder to. TX usually (there are exceptions surely) is easier to tap than RX.

victzh wrote: Does anyone make a hi-res photo of receiver board? Before shopping you should evaluate feasibility of the project. Some boards are very hard to solder to. TX usually (there are exceptions surely) is easier to tap than RX.

Furtunatly, the Beken used have a bigger packaging

I ordered an X12. Hopefully will be able to solder probes without damaging it. I did look at pictures of the board online. Almost bought just the board but wanted the X12 to fly around the office

Did anyone try to contact the Panchip about this XN297 chip? There is a possibility the can give us the datasheet.

I have not tried to contact them. Posted a link and google-translated version here , along with some comments.

Hello all. Thanks for the amazing collective of work. I'm. a virgin 7e owner, with a couple questions . #1- are there any extra rf modules needed for the 7e to support the syma x11 or is it firmware based ?
#2- The latest release says there is no more need to use the walkera dfuse tool. so do i just skip this step? #3- After i install deveation, do i then go back and download the zip file for syma x11 and place it in the model file on the devo 7e ? Thanks Gents !

HappyHi wrote: questions . #1- are there any extra rf modules needed for the 7e to support the syma x11 or is it firmware based ?
#2- The latest release says there is no more need to use the walkera dfuse tool. so do i just skip this step? #3- After i install deveation, do i then go back and download the zip file for syma x11 and place it in the model file on the devo 7e ? Thanks Gents !

1) The x11 protocol requires the nRF24L01+ or equivalent module.
2) Where's it say that? I always use dfuse.
3) Right idea. Model files can be copied to the models directory in USB mode (hold down EXT while powering up).

hexfet wrote: 1) The x11 protocol requires the nRF24L01+ or equivalent module.
2) Where's it say that? I always use dfuse.
3) Right idea. Model files can be copied to the models directory in USB mode (hold down EXT while powering up).

There must be a source for this fairy tale , because last week at least two user tried it this way...

www.deviationtx.com/

fourth header up from the bottom.. Its out of context.. its saying you no longer need dfuse to modify usb contents I belive.. dfuse is still needed to flash..

Neil