×

Notice

The forum is in read only mode.
  1. Forum
  3. Development
  5. Protocol Development
  7. HontaiTec Quadcopters (HT F801, HT F803,...)

HontaiTec Quadcopters (HT F801, HT F803,...)

More
14 Jun 2015 01:46 - 14 Jun 2015 01:49 #34037 by greenfly
Replied by greenfly on topic HontaiTec Quadcopters (HT F801, HT F803,...)
Here is just a sample when I bind with the Devo and a fixed id (255)...
1.487178   > RX_PAYLOAD          61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 => 42 4c 4b 3a 00 ff 00 00 00 68 47 25 6a c0 8a c3 91
1.512747   > RX_ADDR_P0          2a 24 92 d9 6e 24                        => 4e 00 00 00 00 00
1.512779   > EN_RXADDR           22 01                                    => 4e 00
1.512791   = FLUSH_RX            e2                                       => 4e
1.512799   > STATUS              27 70                                    => 4e 00
1.512812   = FLUSH_RX            e2 00                                    => 0e 00
1.512824   > STATUS              27 42                                    => 0e 00
1.512837   > RX_ADDR_P0          2a 24 92 d9 6e 24                        => 0e 00 00 00 00 00
1.512869   > EN_RXADDR           22 01                                    => 0e 00
1.512882   > RF_CH               25 19                                    => 0e 00
1.512894   > CONFIG              20 33                                    => 0e 00
1.512907   = FLUSH_RX            e2                                       => 0e
Attachments:
Last edit: 14 Jun 2015 01:49 by greenfly. Reason: Add attachment
More
14 Jun 2015 13:41 #34057 by hexfet
Replied by hexfet on topic HontaiTec Quadcopters (HT F801, HT F803,...)

greenfly wrote: Let me make sure I understand what you need.
You want me to make captures of the bind process when I use a specific fixed ID on the Devo. 1..2..3..4..
I can do that... but what are we looking for?
Do you want all those capture files?

Yes, multiple captures are needed. We send different txid values (controlled by the fixed id in deviation) to the receiver and capture the rx address the receiver uses for that txid. Eventually with enough data we can create the same mapping used in the receiver so we can use randomly generated txids. This is what allows multiple copters of the same model to fly in the same area simultaneously.

I don't want the capture files ;) I've pm'd you and Durete a link to a google sheet. Please add the capture info there. Below is what it looks like so far. Seems like no work to do for the RF channels - they're always the same.
Fixed ID	RX Address
0	24 92 93 25 24
1	24 92 95 25 24
2	24 92 99 25 24
3	24 92 9b 25 24
4	24 92 a5 25 24
255	24 92 d9 6e 24
256	26 92 93 52 24
31242	54 b2 c9 25 24 
61956	2a da a5 25 24

There's maybe some hints of patterns there, but the mapping is not obvious. More captures are needed, and y'all have the quads :) Next step down the path is automation. The project I used for the symax captures is here , but you can build them with Arduino or any system that lets you control the nRF device.
More
14 Jun 2015 18:02 #34067 by greenfly
Replied by greenfly on topic HontaiTec Quadcopters (HT F801, HT F803,...)
OK, I can see how this can become a lot of work. I was able to do up to 33 before I wanted a better way. :sick: I'm beginning to see some repetition but nothing obvious to me overall.

I have Arduino(s) and just so happen to have a couple of nRF24L01 modules left over from the Devo module hack. I'm thinking it may be quicker to setup something with these. IDK.
More
14 Jun 2015 20:17 #34074 by hexfet
Replied by hexfet on topic HontaiTec Quadcopters (HT F801, HT F803,...)
It's definitely more fun to build something to do it :) Thanks for the data you captured.

It shows the third byte of the rx address cycles with the last 4 bits of the txid, but it's not a simple addition. At txid 33 the changes also affect the fourth byte of the tx address. From the original captures it looks like a non-zero next-to-last byte in the txid affects the first two rx address bytes. We're playing detective at this point.

Here's the 16-sample sequence in case someone can spot the pattern
Fixed ID	RX Address
0	24 92 93 25 24
1	24 92 95 25 24
2	24 92 99 25 24
3	24 92 9b 25 24
4	24 92 a5 25 24
5	24 92 a9 25 24
6	24 92 ab 25 24
7	24 92 ad 25 24
8	24 92 b3 25 24
9	24 92 b5 25 24
10	24 92 c9 25 24
11	24 92 cb 25 24
12	24 92 cd 25 24
13	24 92 d3 25 24
14	24 92 d5 25 24
15	24 92 d9 25 24
16	24 92 93 29 24
More
14 Jun 2015 21:46 - 14 Jun 2015 21:49 #34077 by Durete
Replied by Durete on topic HontaiTec Quadcopters (HT F801, HT F803,...)
Hi guys.
Sorry to not be very active this days, I was out of home most part of weekend.
I started to capture RX/TX id's from 34 and will continue as possible. Hope you could find any pattern.
Thanks Hexfet for your great explanations :) .
I think this thread is starting to be a great source of information, for anyone who wants to start to understand the SPI data and protocols. I'm learning a lot :)
Last edit: 14 Jun 2015 21:49 by Durete.
More
14 Jun 2015 22:13 #34079 by greenfly
Replied by greenfly on topic HontaiTec Quadcopters (HT F801, HT F803,...)
No worries... just having some fun. :cheer:
I'm learning a lot as well. Thanks to hexfet!

I think, we are going to try an automated solution for getting these numbers, if we can't figure out the pattern. I've got my Arduino ready to do the job. This ought to be interesting...
More
14 Jun 2015 22:17 #34080 by Durete
Replied by Durete on topic HontaiTec Quadcopters (HT F801, HT F803,...)
I have some Arduino boards and spare nRF module at hand, but as you know I have no idea to program :lol:
I would need the sketch to program. ;)
More
14 Jun 2015 22:29 #34081 by greenfly
Replied by greenfly on topic HontaiTec Quadcopters (HT F801, HT F803,...)
I would need a sketch as well... at least to begin with. I've been looking at the Arduino nRF24L01 support and it is pretty extensive. Lots of resources. Now I just need a place to begin. I've been looking for example sketches and libraries that would let me just connect, but so far I am not sure what will work.

This is all new to me!
More
15 Jun 2015 02:11 - 15 Jun 2015 04:13 #34090 by greenfly
Replied by greenfly on topic HontaiTec Quadcopters (HT F801, HT F803,...)
I have found one pattern that repeats...

Repeated Middle Byte
93
95
99
9b
a5
a9
ab
ad
b3
b5
c9
cb
cd
d3
d5
d9

Which is a set of 16 that when it repeats byte 4 is increased. In general it seems like the values increase as the id increases, so maybe this is the result of some multiplication calculation of the fixed id? For it to repeat the least significant byte every 16 steps might mean a multiplier divisible by 16? Doesn't bit-shifting act like a multiplier?

Detective work it is... clues attached.
Attachments:
Last edit: 15 Jun 2015 04:13 by greenfly. Reason: Correction
More
15 Jun 2015 04:38 #34096 by hexfet
Replied by hexfet on topic HontaiTec Quadcopters (HT F801, HT F803,...)
Durete, could you make captures with the first three txid bytes set to 0 (in initialize_txid()), and fixed id's of 0 and 4369? I'd like to see if the first three bytes have any effect, and maybe learn something about initial values.

The 4 nibbles that we are changing seem to affect the first four bytes of the rx address, respectively. If each of those bytes only takes on 16 values a lookup based solution would be feasible. But they're not all incrementing in the same sequence. Are either of you up for 16 more captures, starting at zero and incrementing the fixed id by 4369 (0x1111) each time?

I haven't done Arduino but there are several projects using deviation code. From this post the code here looks nice. It shows what's involved to port the protocol. Then need to add an SPI sniffer to watch for the rx_payload and rx_addr_p0 commands. A reset output is also needed to force the quad to re-bind.
More
15 Jun 2015 07:17 #34103 by Durete
Replied by Durete on topic HontaiTec Quadcopters (HT F801, HT F803,...)
Hi guys.
@Hexfet. As soon I return home from work I will take those captures. :)
More
15 Jun 2015 14:23 - 15 Jun 2015 14:25 #34118 by Durete
Replied by Durete on topic HontaiTec Quadcopters (HT F801, HT F803,...)
Just captured Rx id. Using fixed TX id. as 00 00 00 00 00 and 00 00 00 11 11

Here the result:
Fixed ID    RX Address
0	    24 92 93 25 24   Using first 3 bytes 0x00;0x00;0x00 so Fixed id. 00 00 00 00 00
4369        26 94 95 29 24   Using first 3 bytes 0x00;0x00;0x00 so Fixed id. 00 00 00 11 11
Last edit: 15 Jun 2015 14:25 by Durete.
More
15 Jun 2015 14:46 #34119 by hexfet
Replied by hexfet on topic HontaiTec Quadcopters (HT F801, HT F803,...)
Nice. Do you have time to do the other multiples (2-15) of 4369? It looks like the bytes in the rx address are independently affected by the nibbles in the last two bytes of the txid. If true we could do a lookup table that would give 65K possibilities - plenty for our purposes.

Is this with the initialize_txid function changed to set the first three txid bytes to 0?
More
15 Jun 2015 15:02 #34120 by Durete
Replied by Durete on topic HontaiTec Quadcopters (HT F801, HT F803,...)

hexfet wrote: Is this with the initialize_txid function changed to set the first three txid bytes to 0?


Yes, I think I do it right. Right?
//
    txid[0] = 0x00;
    txid[1] = 0x00;
    txid[2] = 0x00;
    txid[3] = (Model.fixed_id >> 8) & 0xff; //0xf2;
    txid[4] = Model.fixed_id & 0xff; //0x04;
}

So you want captures using Fixed id. from 2 to 15 with TX id. first 3 bytes fixed to 0x00 ? I'm right?
More
15 Jun 2015 15:11 #34121 by greenfly
Replied by greenfly on topic HontaiTec Quadcopters (HT F801, HT F803,...)
I think he needs captures with more multiple of 4369...

0
4369
8738
13107
17476
21845
26214
30583
34952
...
More
15 Jun 2015 15:20 #34122 by Durete
Replied by Durete on topic HontaiTec Quadcopters (HT F801, HT F803,...)
Ooopss, Ok, OK. Thanks !

Capturing...
More
15 Jun 2015 15:30 #34124 by greenfly
Replied by greenfly on topic HontaiTec Quadcopters (HT F801, HT F803,...)
Sorry, I can't help at the moment. I'm done with my vacation and back to work. :(
After work though, I can help.
More
15 Jun 2015 15:32 #34125 by Durete
Replied by Durete on topic HontaiTec Quadcopters (HT F801, HT F803,...)
No prob mate :)
More
15 Jun 2015 16:00 - 15 Jun 2015 16:02 #34126 by Durete
Replied by Durete on topic HontaiTec Quadcopters (HT F801, HT F803,...)
Just finished and added to the Google Spreadsheet :S
0	24 92 93 25 24	Fixed id. 00 00 00 00 00
4369	26 94 95 29 24	Fixed id. 00 00 00 11 11
8738	2a 96 99 2b 24	Fixed id. 00 00 00 22 22
13107	2c 9a 9b 2d 24	Fixed id. 00 00 00 33 33
17476	32 a4 a5 33 24	Fixed id. 00 00 00 44 44
21845	34 a6 a9 35 24	Fixed id. 00 00 00 55 55
26214	36 ac ab 49 24	Fixed id. 00 00 00 66 66
30583	4a b2 ad 4b 24	Fixed id. 00 00 00 77 77
34952	4c b4 b3 4d 24	Fixed id. 00 00 00 88 88
39321	4e b6 b5 59 24	Fixed id. 00 00 00 99 99
43690	54 ca c9 5b 24	Fixed id. 00 00 00 AA AA
48059	56 cc cb 65 24	Fixed id. 00 00 00 BB BB
52428	5a d2 cd 69 24	Fixed id. 00 00 00 CC CC
56797	64 d4 d3 6b 24	Fixed id. 00 00 00 DD DD
61166	66 d6 d5 6d 24	Fixed id. 00 00 00 EE EE
65535	6a da d9 6e 24	Fixed id. 00 00 00 FF FF
Last edit: 15 Jun 2015 16:02 by Durete.
More
15 Jun 2015 18:24 #34129 by hexfet
Replied by hexfet on topic HontaiTec Quadcopters (HT F801, HT F803,...)
Perfect. Looks like the first three bytes of the txid don't matter for the address used, which is nice :) Would you please check the rf channels in a capture with the first three txid bytes set to 0 and make sure they're still the same (5, 0x19, 0x28)?

I've pushed code that generates the tx address from the txid using a lookup table. It's very likely a numeric or combinatorial algorithm is used in the receiver, but it hasn't dawned on me. The lookup table matches all the data we've collected so far except for fixed id 256, for which I have my fingers crossed that the 52 in the fourth byte in the spreadsheet is just a transposition.

If the rf channels haven't changed then we're almost there!
  1. Forum
  3. Development
  5. Protocol Development
  7. HontaiTec Quadcopters (HT F801, HT F803,...)
Time to create page: 0.043 seconds
Powered by Kunena Forum
Re-enable mobile display