Yi Zhan i6S capture

28 Jan 2016 19:18 #42335 by goebish
Replied by goebish on topic Yi Zhan i6S capture
Here's a test build, check "YZ i6S" format option in MT99xx protocol.
Flags are still not implemented, let's check if it binds and flies first.

Devo 7e
Devo 10
source

Also, I separated H7 and MT9916 into 2 sub-formats, that should fix the issues people had. I checked that the H7 works fine, please check the MT9916 if you can.
I removed the annoying protocol trim channels and rate is fixed to high.

28 Jan 2016 19:48 #42339 by SeByDocKy
Replied by SeByDocKy on topic Yi Zhan i6S capture

goebish wrote: Here's a test build, check "YZ i6S" format option in MT99xx protocol.
Flags are still not implemented, let's check if it binds and flies first.

Devo 7e
Devo 10
source

Also, I separated H7 and MT9916 into 2 sub-formats, that should fix the issues people had. I checked that the H7 works fine, please check the MT9916 if you can.
I removed the annoying protocol trim channels and rate is fixed to high.


not working :(

28 Jan 2016 19:49 - 28 Jan 2016 19:50 #42340 by goebish
Replied by goebish on topic Yi Zhan i6S capture
Ok, maybe it doesn't like going to "expert" mode directly without being "unarmed" then "normal" first ...
Or maybe I misunderstand the flags, I haven't looked at all the captures yet.
I'll make some changes after dinner ;)
Last edit: 28 Jan 2016 19:50 by goebish.

28 Jan 2016 21:37 #42343 by goebish
Replied by goebish on topic Yi Zhan i6S capture
Oops, I noticed I had the checksum wrong, please try this one:

Devo 7e

28 Jan 2016 21:49 #42344 by SeByDocKy
Replied by SeByDocKy on topic Yi Zhan i6S capture

goebish wrote: Oops, I noticed I had the checksum wrong, please try this one:

Devo 7e
Still not working :(

28 Jan 2016 22:14 - 28 Jan 2016 22:24 #42345 by goebish
Replied by goebish on topic Yi Zhan i6S capture
Ok, I see something in init:

3 W_REGISTER(19) 1E

This is a XN297L specific register, it's not the same as on the non "L" XN297 (it was a multi byte register) according to the datasheet, bit 0 of this register controls scrambling and is enabled by default, it is disabled here (0x1e & 1 = 0)...
Maybe disabling scrambling makes the xn297 air compatible with the nrf24l01 and doesn't require the emulation layer (whitening) anymore... or a modified emulation layer.

hexfet (and victzh, if you're still reading), do you have any thought on that ?


google translate:

Scrambling function is enabled, open the scrambling function for data to be sent by the whitening operation, thereby reducing the length of a long 0 data,
So that both ends of the transceiver can require scrambling function identically configured
1: Enable scrambling
0: Close scrambling

Last edit: 28 Jan 2016 22:24 by goebish.

28 Jan 2016 22:42 #42347 by SeByDocKy
Replied by SeByDocKy on topic Yi Zhan i6S capture

goebish wrote: Ok, I see something in init:

3 W_REGISTER(19) 1E

This is a XN297L specific register, it's not the same as on the non "L" XN297 (it was a multi byte register) according to the datasheet, bit 0 of this register controls scrambling and is enabled by default, it is disabled here (0x1e & 1 = 0)...
Maybe disabling scrambling makes the xn297 air compatible with the nrf24l01 and doesn't require the emulation layer (whitening) anymore... or a modified emulation layer.

hexfet (and victzh, if you're still reading), do you have any thought on that ?


google translate:

Scrambling function is enabled, open the scrambling function for data to be sent by the whitening operation, thereby reducing the length of a long 0 data,
So that both ends of the transceiver can require scrambling function identically configured
1: Enable scrambling
0: Close scrambling

Worth a try ....

Victzh contacted :)

28 Jan 2016 23:10 #42348 by goebish
Replied by goebish on topic Yi Zhan i6S capture
I've not much hope, but let's try without XN297 emulation layer:
Devo 7e
(Obviously, H7 & MT9916 can't work with this version)

28 Jan 2016 23:26 #42349 by hexfet
Replied by hexfet on topic Yi Zhan i6S capture
I don't know if the scrambling is the only difference from the nRF air protocol. As SBDK said it's worth a try.. Maybe they wanted to make the L version compatible with the nRF for market reasons...

29 Jan 2016 09:30 #42359 by SeByDocKy
Replied by SeByDocKy on topic Yi Zhan i6S capture

goebish wrote: I've not much hope, but let's try without XN297 emulation layer:
Devo 7e
(Obviously, H7 & MT9916 can't work with this version)


No still not binding :(

29 Jan 2016 10:18 - 29 Jan 2016 11:08 #42362 by goebish
Replied by goebish on topic Yi Zhan i6S capture
So I guess I can't do much more without a xn297l to experiment with... any cheap machine that's using it ?
Or maybe you've a module in a stock TX you do not use anymore that you're willing to sacrifice in the name of science ? :)

I'm almost sure that scrambling can be disabled on the xn297 too, but we do not have a detailed datasheet for its DEMOD_CAL register :(
Last edit: 29 Jan 2016 11:08 by goebish.

29 Jan 2016 11:12 - 29 Jan 2016 11:21 #42364 by goebish
Replied by goebish on topic Yi Zhan i6S capture
Also, I see this register (0x19 DEMOD_CAL bits 4:1) is also used to set GAUS_CAL, as I understand it sets frequency deviation and it is not set to default value here (1111 vs 0111 default), which means smaller deviation than default. Maybe this can be an issue too.... or not.

Gaussian filter output signal amplitude MCU to adjust the output signal size is one-size transmit frequency deviation determining factor
1111: a lesser extent
....
1000: Amplitude Medium
....
0000: a big margin

Last edit: 29 Jan 2016 11:21 by goebish.

29 Jan 2016 11:32 #42365 by SeByDocKy
Replied by SeByDocKy on topic Yi Zhan i6S capture

goebish wrote: So I guess I can't do much more without a xn297l to experiment with... any cheap machine that's using it ?
Or maybe you've a module in a stock TX you do not use anymore that you're willing to sacrifice in the name of science ? :)

I'm almost sure that scrambling can be disabled on the xn297 too, but we do not have a detailed datasheet for its DEMOD_CAL register :(


The problem is that mine is almost defective... Even with the original TX, I need to turn the transmitter on/off several times before it binds. I will contact some other YZ i6s owners to help in testing at least.

29 Jan 2016 11:34 #42366 by goebish
Replied by goebish on topic Yi Zhan i6S capture
I don't need a complete original i6S transmitter, only a xn297l rf breakout module, from any TX, but yes, that's better if the module is coming from a known good working TX :p

29 Jan 2016 11:36 - 29 Jan 2016 11:44 #42367 by goebish
Replied by goebish on topic Yi Zhan i6S capture
The thing is I need to have a xn297l to put it in the same mode as the i6S TX does, then send some packets and try to sniff them using nrf24 semi-promiscuity tricks to understand the difference with the current xn297 emulation layer.

... and if that's not enough that will be the opportunity for me to finally get a sdr dongle + MMDS down-converter to "see" what happens at the air level :)
Last edit: 29 Jan 2016 11:44 by goebish.

29 Jan 2016 11:51 - 29 Jan 2016 13:14 #42368 by goebish
Replied by goebish on topic Yi Zhan i6S capture

hexfet wrote: I don't know if the scrambling is the only difference from the nRF air protocol.


Right, it probably reverses bit order too, and maybe the CRC16 initial and/or xorout values are not the same...
My guess is that it needs a stripped-out version of the current emulation layer, but I don't want to experiment more without a module or TX, that's not convenient.

... and scrambling is one thing but I've not looked much at the other "CAL" registers... if some crazy stuff is done on the baseband settings, that could make it totally incompatible with the nrf24.
Last edit: 29 Jan 2016 13:14 by goebish.

29 Jan 2016 14:01 - 29 Jan 2016 14:27 #42372 by goebish
Replied by goebish on topic Yi Zhan i6S capture
The datasheet of the xn297 (non L) confirms that scrambling can be disabled too on this chip:

Address and data table section 10 can select a scrambled, according to an enable / disable scrambling configuration bits


But unless I've the details for register 0x19 settings (I suppose) I've no idea how to disable it ...
ofc I could try flipping random bits but there are 40 of them :p

There's probably an updated datasheet somewhere, I mean the values we're seeing in xn297 captures don't come from nowhere, but there's no trace of it on our side of the internet :(
Last edit: 29 Jan 2016 14:27 by goebish.

30 Jan 2016 23:38 - 31 Jan 2016 01:25 #42438 by goebish
Replied by goebish on topic Yi Zhan i6S capture
What a ride ...

By tinkering with the 0x19 register on an actual xn297 I've been able to disable scrambling (write 0x00 instead of 0xa7 in the 4th byte, got this lucky guess after 3~4 attempts only...), then following travisgoodspeed's and victzh's steps, I've been able to sniff and decode the packets with a nrf24l01 :) (preamble+sync+payload)

"non scrambled" xn297 mode is almost directly compatible with the nrf24l01, at least if the nrf24 is the RX (with CRC disabled), in this mode the address is directly compatible, just that payload bytes are bit reversed (LSB first).

For TX mode emulation, we still have to forge packets as xn297 preamble is 4 bytes long instead of 1 (0x55, 0xf3, 0x1f, 0x55)

I still have to check CRC, shouldn't be difficult ...

That will require a few mods to the current xn297 layer to implement this "non scrambled" mode, but I'm pretty confident I should be able to make it work, looks simple enough :)
Last edit: 31 Jan 2016 01:25 by goebish.

31 Jan 2016 07:15 #42454 by SeByDocKy
Replied by SeByDocKy on topic Yi Zhan i6S capture

goebish wrote: What a ride ...

By tinkering with the 0x19 register on an actual xn297 I've been able to disable scrambling (write 0x00 instead of 0xa7 in the 4th byte, got this lucky guess after 3~4 attempts only...), then following travisgoodspeed's and victzh's steps, I've been able to sniff and decode the packets with a nrf24l01 :) (preamble+sync+payload)

"non scrambled" xn297 mode is almost directly compatible with the nrf24l01, at least if the nrf24 is the RX (with CRC disabled), in this mode the address is directly compatible, just that payload bytes are bit reversed (LSB first).

For TX mode emulation, we still have to forge packets as xn297 preamble is 4 bytes long instead of 1 (0x55, 0xf3, 0x1f, 0x55)

I still have to check CRC, shouldn't be difficult ...

That will require a few mods to the current xn297 layer to implement this "non scrambled" mode, but I'm pretty confident I should be able to make it work, looks simple enough :)
I am definitively impressed ... :)

31 Jan 2016 12:59 - 02 Feb 2016 20:55 #42457 by goebish
Replied by goebish on topic Yi Zhan i6S capture
Back to the playground...
As expected, CRC is easy:
$ reveng -w 16 -s aaa515a5a5ffffffffe803e8035f07e8030000d8b2 aaa515a5a5ffffffffd605d505e803e515020083fe
width=16  poly=0x1021  init=0x1d03  refin=true  refout=true  xorout=0x0000  check=0x3c2a  name=(none)

Same algo as the scrambled mode version, except init is now 0x1d03 and there's no more xorout, simple ...

edit: well... not that simple
Last edit: 02 Feb 2016 20:55 by goebish.
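Working through the reveng result above, as an added Python example (not code from the thread, from Deviation, or from any xn297 datasheet): it implements the Rocksoft CRC model with the parameters reveng printed, reproduces the check value, reverses payload bytes the way the earlier post says unscrambled xn297 payloads go on air, and compares the trailing two bytes of the two captured frames against the computed CRC. That the trailing CRC rides low byte first (the natural order for a reflected CRC) is an assumption of this example.

```python
# Rocksoft-model parameters reveng reported for the unscrambled xn297 frames
POLY, INIT, XOROUT = 0x1021, 0x1d03, 0x0000
REFIN = REFOUT = True
# 4-byte preamble quoted in the thread (the nRF24L01 uses a 1-byte preamble)
XN297_PREAMBLE = bytes([0x55, 0xf3, 0x1f, 0x55])

def reflect(value: int, width: int) -> int:
    """Reverse the bit order of a width-bit value (MSB-first <-> LSB-first)."""
    out = 0
    for _ in range(width):
        out = (out << 1) | (value & 1)
        value >>= 1
    return out

def crc16(data: bytes, poly=POLY, init=INIT, refin=REFIN,
          refout=REFOUT, xorout=XOROUT) -> int:
    """Bit-serial CRC exactly as the Rocksoft model (and reveng) defines it:
    init is the unreflected register value, refin reflects each input byte,
    refout reflects the final register, then xorout is applied."""
    reg = init
    for byte in data:
        if refin:
            byte = reflect(byte, 8)
        reg ^= byte << 8
        for _ in range(8):
            reg = ((reg << 1) ^ poly) if reg & 0x8000 else (reg << 1)
            reg &= 0xffff
    if refout:
        reg = reflect(reg, 16)
    return reg ^ xorout

def check_value() -> int:
    """reveng's 'check' field is the CRC of the ASCII string '123456789'."""
    return crc16(b"123456789")

def nrf24_to_xn297_payload(payload: bytes) -> bytes:
    """Unscrambled xn297 payload bytes are LSB first on air: reverse each byte."""
    return bytes(reflect(b, 8) for b in payload)

def matches_trailing(frame_hex: str) -> bool:
    """Does the last 16-bit word (assumed low byte first) equal the CRC of the rest?"""
    raw = bytes.fromhex(frame_hex)
    return crc16(raw[:-2]) == int.from_bytes(raw[-2:], "little")

if __name__ == "__main__":
    print(f"check=0x{check_value():04x}")  # reveng printed check=0x3c2a
    for frame in ("aaa515a5a5ffffffffe803e8035f07e8030000d8b2",  # the two frames
                  "aaa515a5a5ffffffffd605d505e803e515020083fe"):  # from the post
        print(frame[-4:], "crc matches:", matches_trailing(frame))
```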
