Flysky AFHDS 2A, protocol as used i10, i6, iT4,

16 Apr 2016 20:46 #46653 by stinkydiver73
Replied by stinkydiver73 on topic Flysky AFHDS 2A, protocol as used i10, i6, iT4,
I learned IDA Pro a little bit for fun, and used the fs-ia6b receiver firmware as the example. Nothing serious, but I did a lot of boring droid work on it: gave some fancy names to subs, figured out peripheral register uses. Maybe interesting. This receiver is STM32, the TX is Freescale Kinetis, both are Cortex-M0s.

16 Apr 2016 20:58 - 17 Apr 2016 00:36 #46654 by goebish

Try
id=0x7736895A

I've already tried that, doesn't match either.
Don't worry, I'll crack it (but maybe there's nothing to crack and we can just send an arbitrary list of channels during bind, à la HiSky, this has to be checked), someone will lend me a TX / RX, that should make things easier ;)
Last edit: 17 Apr 2016 00:36 by goebish.

16 Apr 2016 21:07 #46656 by goebish
@stinkydiver73, I can't open your files, IDA yells at me saying it has been created with a pir**** version of IDA ;)

16 Apr 2016 21:11 #46657 by stinkydiver73
Sorry, IDA is too good :)

16 Apr 2016 21:32 #46658 by Alexandro
@goebish
Box is packed, tomorrow I ship it with DHL to you.
I send the tracking number by private message to you.

greetings Alex

16 Apr 2016 21:34 #46659 by goebish
Thanks, no hurry ;)

16 Apr 2016 22:18 #46661 by stinkydiver73
If it's still interesting, the "broken" IDA db may be recreated from the original binary in the previous zip and the idc dump.
(arm little, v6m, thumb2, ram 0x20000000, size 0x1000, rom 0x08000000, size 0x8000)

16 Apr 2016 22:20 - 16 Apr 2016 22:23 #46662 by goebish
Thanks, I opened the bin but I wasn't sure of the RAM/ROM address.

... and I've to say I'm a n00b at ARM assy ;)
Last edit: 16 Apr 2016 22:23 by goebish.

16 Apr 2016 23:12 - 16 Apr 2016 23:30 #46667 by goebish
Sorry for being a di**, but what should I enter as Loading address & File offset? (same window as RAM & ROM sections).

edit: never mind, that's OK, and you did a really good job already :)
Last edit: 16 Apr 2016 23:30 by goebish.

17 Apr 2016 05:43 #46679 by stinkydiver73
File offset is 0, the loading address is the same as the ROM start. Let the automatic analyzer do the job first, then load the script. ARM processors have an ARM mode (32-bit) and the Thumb-2 mode (16-32 bit instructions), switchable at runtime, but Cortex-Ms are Thumb-2 only. If you see only 32-bit instructions, then it's garbage. IDA will/must mark Thumb-2 sections with some virtual segment register bit. In the bin file the first 4 bytes are where the stack pointer is set initially, somewhere at the end of the RAM, and the second 4 bytes are where the execution starts. It points to 0x08000281, which means start at 0x08000280 with the Thumb-2 instruction set.
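
Added example, not part of the original post or of any Flysky tool: a Python check of the two vector-table words described above against the memory map given earlier in the thread (ROM 0x08000000 / 0x8000, RAM 0x20000000 / 0x1000). The sample image is constructed; only the reset vector 0x08000281 comes from the thread, and the initial SP value 0x20001000 is an assumption.

```python
import struct

# Memory map quoted in the thread for the receiver image.
ROM_BASE, ROM_SIZE = 0x08000000, 0x8000
RAM_BASE, RAM_SIZE = 0x20000000, 0x1000


def check_vector_table(image, rom_base=ROM_BASE, rom_size=ROM_SIZE,
                       ram_base=RAM_BASE, ram_size=RAM_SIZE):
    """Decode the first two vector-table words and test them against a
    memory map. An empty "problems" list means the load address is plausible."""
    if len(image) < 8:
        raise ValueError("image too short to hold SP and reset vector")
    initial_sp, reset_vector = struct.unpack_from("<II", image, 0)
    problems = []
    # The stack grows down, so SP may equal the first address past RAM.
    if not ram_base < initial_sp <= ram_base + ram_size:
        problems.append("initial SP 0x%08X is outside RAM" % initial_sp)
    if initial_sp % 4:
        problems.append("initial SP is not word aligned")
    # Bit 0 of the vector selects Thumb state; it is not part of the address.
    if not reset_vector & 1:
        problems.append("reset vector has the Thumb bit clear")
    entry = reset_vector & ~1
    if not rom_base <= entry < rom_base + rom_size:
        problems.append("entry 0x%08X is outside ROM" % entry)
    elif entry - rom_base >= len(image):
        problems.append("entry lies beyond the end of the file")
    return {
        "initial_sp": initial_sp,
        "entry": entry,
        "file_offset": entry - rom_base,  # where to start disassembling
        "problems": problems,
    }


def constructed_sample():
    """Constructed 0x300-byte image: SP value assumed, reset vector from the thread."""
    return struct.pack("<II", 0x20001000, 0x08000281).ljust(0x300, b"\xff")


if __name__ == "__main__":
    good = check_vector_table(constructed_sample())
    print("entry 0x%08X at file offset 0x%X" % (good["entry"], good["file_offset"]))
    # Loading the same file at base 0 makes the reset vector fall outside ROM.
    print(check_vector_table(constructed_sample(), rom_base=0)["problems"])
```

A non-empty `problems` list for a real dump usually means the ROM/RAM addresses entered in the disassembler's load dialog do not match the chip.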

17 Apr 2016 06:04 #46680 by stinkydiver73
Two RCG members worked on the TX firmware. ThomHpl published the IDA db, but it's an older format and I can't open it; maybe he can help. Dave Borthwick is the other jedi, we don't know what kind of tools he used, but he can recompile the disassembly!!! They are in this thread:
FlySky FS-i6 8 channels firmware patch!
Benb0jangles keeps the collection of files:
FlySky-i6-Mod-

17 Apr 2016 06:35 - 17 Apr 2016 06:52 #46682 by stinkydiver73
I played with the TX firmware too, tried generating library signatures against the Kinetis SDK with different compilers, no success :)
Last edit: 17 Apr 2016 06:52 by stinkydiver73. Reason: typo

17 Apr 2016 09:55 - 17 Apr 2016 17:41 #46686 by goebish
Yes, I've read ThomHpl's articles on his blog, that's awesome :)

I can't open his db in IDA either, but I've seen that his txid / channel sequence is stored in his bin (flash.dump, offset 0x1400 for txid, offset 0x1410 for channel list, stored in reverse order). It's in the MCU flash, not in external EEPROM, which is what makes me think the channel sequence is not computed, but rather semi-randomly generated (at the factory? It's located before 0x1800 so it's not overwritten by firmware upgrades), or why would you store it? But maybe I'm wrong, those are just some assumptions... I have to check with some code and an actual RX.
Last edit: 17 Apr 2016 17:41 by goebish.

17 Apr 2016 10:30 #46687 by Alexandro
Hello,

Box is on its way to you.
Parts:
TGY-i10
RX 10 Channel
Temp. Sensor
RPM Sensor
Volt. Sensor
Wires, battery and other small parts.
-> If you get stressed by the sunshade on the display, then rip it off. It is only 2-sided glue tape :)

The TX has the latest firmware from H.K.
The RX has the latest firmware from FlySky (maybe there are some new IDs here for a future Alt. sensor in the protocol; on the TX there are some menu points to calibrate the ALT or Vario sensor)

I hope it helps to get it to work on Deviation.
I have a 2nd set here to do bug checking later, if there are some test versions at some point.

greetings Alex

17 Apr 2016 10:31 #46688 by goebish
Thank you :)

18 Apr 2016 06:54 #46732 by Alexandro
no problem :)

My 2 ct. for info
on the I10 TX (Carson, Flysky, Turnigy):
The TX requests the version number from the RX on binding. If the number is lower than the version from the TX, it warns, and with OK at the menu it makes a firmware update over the air on the RX.
You can't get back to a lower version with the I10 (Message: Your Firmware Version is newer ..........)
You can re-flash the firmware with the I10 manually at the menu point RX, but not downgrade.
The RX firmware is included in the TX firmware.

Some things for info, in case some crazy data comes up in the communication TX <-> RX

greetings Alex

18 Apr 2016 09:45 #46734 by goebish
Ah, that's good to know.
Is it possible to upgrade the RXs from a computer?

18 Apr 2016 11:56 - 18 Apr 2016 12:18 #46736 by Alexandro
Hello,
no. There is no interface to do it.
- no TX module with PPM in to get another brand's TX onto the new 2A protocol
- no external telemetry display
-> and after the update is done, you have to rebind the RX

Here is a list of the supported protocols (TX / RX)
www.rc-network.de/forum/showthread.php/4...ewfull=1#post3623905

Some do 2A without telemetry, and AFHDS2 is only for a small number of RXs

The older protocols can be switched in the menu of the I10 TX, so the older RX (Flysky, Turnigy, .... -> the ver. of RX with one big antenna <-). Which is already available from Deviation, named Frsky (AFHDS)

greetings Alex

EDIT:
-> You can downgrade the I10 (I did it as a test with my Carson i10) but then the RX channel numbers are wrong. This can be a trap for rebuilding the protocol: all the I10s have a special country code (and some sellers have their own code) at the end of the firmware file.
-> You cannot change the country or seller code to another one.
-> The firmware for the TX is an EXE file for Windows and it checks the transmitter serial code (country or seller)

Here at Downloads (right side), the last file in the list. It is only for the Carson I10.
www.carson-modelsport.com/de/produkte/fe...htm?sArtNr=500501002

Or the Turnigy one, you can find it at H.K.
Last edit: 18 Apr 2016 12:18 by Alexandro.

21 Apr 2016 11:18 #46930 by goebish
I just got a parcel from DHL, I'll try to have a look at that during the weekend ;)

Thanks Alexandro!

21 Apr 2016 12:03 #46931 by Alexandro
Ok, nice :)
