- Posts: 2631
Yi Zhan i6S capture
28 Jan 2016 19:48 #42339
by SeByDocKy
not working
Replied by SeByDocKy on topic Yi Zhan i6S capture
goebish wrote: Here's a test build, check "YZ i6S" format option in MT99xx protocol.
Flags are still not implemented, let's check if it binds and flies first.
Devo 7e
Devo 10
source
Also, I separated H7 and MT9916 into 2 sub-formats, that should fix the issues people had. I checked that the H7 works fine, please check the MT9916 if you can.
I removed the annoying protocol trim channels and rate is fixed to high.
not working
Please Log in or Create an account to join the conversation.
28 Jan 2016 19:49 - 28 Jan 2016 19:50 #42340
by goebish
Replied by goebish on topic Yi Zhan i6S capture
Ok, maybe it doesn't like going to "expert" mode directly without being "unarmed" then "normal" first ...
Or maybe I misunderstand the flags, I haven't looked at all the captures yet.
I'll make some changes after diner
Or maybe I misunderstand the flags, I haven't looked at all the captures yet.
I'll make some changes after diner
Please Log in or Create an account to join the conversation.
28 Jan 2016 21:49 #42344
by SeByDocKy
Still not working
Replied by SeByDocKy on topic Yi Zhan i6S capture
goebish wrote: Oops, I noticed I had the checksum wrong, please try this one:
Devo 7e
Still not working
Please Log in or Create an account to join the conversation.
28 Jan 2016 22:14 - 28 Jan 2016 22:24 #42345
by goebish
Replied by goebish on topic Yi Zhan i6S capture
Ok, I see something in init:
3 W_REGISTER(19) 1E
This is a XN297L specific register, it's not the same than on non "L" XN297 (it was a multi byte register) according to the datasheet, bit 0 of this register controls scrambling and is enabled by default, it is disabled here (0x1e & 1 = 0)...
Maybe disabling scrambing makes the xn297 air compatible with the nrf24l01 and doesn't require emulation layer (whitening) anymore... or a modified emulation layer.
hexfet (and victzh, if you're still reading), do you have any thought on that ?
google translate:
3 W_REGISTER(19) 1E
This is a XN297L specific register, it's not the same than on non "L" XN297 (it was a multi byte register) according to the datasheet, bit 0 of this register controls scrambling and is enabled by default, it is disabled here (0x1e & 1 = 0)...
Maybe disabling scrambing makes the xn297 air compatible with the nrf24l01 and doesn't require emulation layer (whitening) anymore... or a modified emulation layer.
hexfet (and victzh, if you're still reading), do you have any thought on that ?
google translate:
Scrambling function is enabled, open the scrambling function for data to be sent by the whitening operation, thereby reducing the length of a long 0 data,
So that both ends of the transceiver can require scrambling function identically configured
1: Enable scrambling
0: Close scrambling
Please Log in or Create an account to join the conversation.
28 Jan 2016 22:42 #42347
by SeByDocKy
Worth to try ....
Victzh contacted
Replied by SeByDocKy on topic Yi Zhan i6S capture
goebish wrote: Ok, I see something in init:
3 W_REGISTER(19) 1E
This is a XN297L specific register, it's not the same than on non "L" XN297 (it was a multi byte register) according to the datasheet, bit 0 of this register controls scrambling and is enabled by default, it is disabled here (0x1e & 1 = 0)...
Maybe disabling scrambing makes the xn297 air compatible with the nrf24l01 and doesn't require emulation layer (whitening) anymore... or a modified emulation layer.
hexfet (and victzh, if you're still reading), do you have any thought on that ?
google translate:Scrambling function is enabled, open the scrambling function for data to be sent by the whitening operation, thereby reducing the length of a long 0 data,
So that both ends of the transceiver can require scrambling function identically configured
1: Enable scrambling
0: Close scrambling
Worth to try ....
Victzh contacted
Please Log in or Create an account to join the conversation.
29 Jan 2016 09:30 #42359
by SeByDocKy
No still not binding
Replied by SeByDocKy on topic Yi Zhan i6S capture
goebish wrote: I've not much hope, but let's try without XN297 emulation layer:
Devo 7e
(Obviously, H7 & MT9916 can't work with this version)
No still not binding
Please Log in or Create an account to join the conversation.
29 Jan 2016 10:18 - 29 Jan 2016 11:08 #42362
by goebish
Replied by goebish on topic Yi Zhan i6S capture
So I guess I can't do much more without a xn297l to experiment with... any cheap machine that's using it ?
Or maybe you've a module in a stock TX you do not use anymore that you're willing to sacrifice in the name of science ?
I'm almost sure that scrambling can be disabled on the xn297 too, but we do not have a detailed datasheet for its DEMOD_CAL register
Or maybe you've a module in a stock TX you do not use anymore that you're willing to sacrifice in the name of science ?
I'm almost sure that scrambling can be disabled on the xn297 too, but we do not have a detailed datasheet for its DEMOD_CAL register
Please Log in or Create an account to join the conversation.
29 Jan 2016 11:32 #42365
by SeByDocKy
The problem with mine is almost defective.. ... Even with the original TX, I need to turn on/off the transmitter several time before to bind. I will contact some other YZ i6s owners to help in testing at least.
Replied by SeByDocKy on topic Yi Zhan i6S capture
goebish wrote: So I guess I can't do much more without a xn297l to experiment with... any cheap machine that's using it ?
Or maybe you've a module in a stock TX you do not use anymore that you're willing to sacrifice in the name of science ?
I'm almost sure that scrambling can be disabled on the xn297 too, but we do not have a detailed datasheet for its DEMOD_CAL register
The problem with mine is almost defective.. ... Even with the original TX, I need to turn on/off the transmitter several time before to bind. I will contact some other YZ i6s owners to help in testing at least.
Please Log in or Create an account to join the conversation.
29 Jan 2016 11:34 #42366
by goebish
Replied by goebish on topic Yi Zhan i6S capture
I don't need an complete original i6S transmitter, only a xn297l rf breakout module, from any TX, but yes, that's better if the module is coming from a good known working TX 
Please Log in or Create an account to join the conversation.
29 Jan 2016 11:36 - 29 Jan 2016 11:44 #42367
by goebish
Replied by goebish on topic Yi Zhan i6S capture
The thing is I need to have a xn297l to put it in the same mode than the i6S TX does, then send some packets and try to sniff them using nrf24 semi promiscuity tricks to understand the difference with the current xn297 emulation layer.
... and if that's not enough that will be the opportunity for me to finally get a sdr dongle + MMDS down-converter to "see" what happens at the air level
... and if that's not enough that will be the opportunity for me to finally get a sdr dongle + MMDS down-converter to "see" what happens at the air level
Please Log in or Create an account to join the conversation.
29 Jan 2016 14:01 - 29 Jan 2016 14:27 #42372
by goebish
Replied by goebish on topic Yi Zhan i6S capture
The datasheet of the xn297 (non L) confirms that scrambling can be disabled too on this chip:
But unless I've the details for register 0x19 settings (I suppose) I've no idea how to disable it ...
ofc I could try flipping random bits but there are 40 of them
There's probably an updated datasheet somewhere, I mean the values we're seeing in xn297 captures don't come from nowhere, but there's no trace of it on our side of the internet
Address and data table section 10 can select a scrambled, according to an enable / disable scrambling configuration bits
But unless I've the details for register 0x19 settings (I suppose) I've no idea how to disable it ...
ofc I could try flipping random bits but there are 40 of them
There's probably an updated datasheet somewhere, I mean the values we're seeing in xn297 captures don't come from nowhere, but there's no trace of it on our side of the internet
Please Log in or Create an account to join the conversation.
30 Jan 2016 23:38 - 31 Jan 2016 01:25 #42438
by goebish
Replied by goebish on topic Yi Zhan i6S capture
What a ride ...
By tinkering with the 0x19 register on an actual xn297 I've been able to disable scrambling (write 0x00 instead of 0xa7 in the 4th byte, got this lucky guess after 3~4 attempts only...), then following travisgoodspeed and victzh steps, I've been able to sniff and decode the packets with a nrf24l01 (preamble+sync+payload)
"non scrambled" xn297 mode is almost directly compatible with the nrf24l01, at least if the nrf24 is the RX (with CRC disabled), in this mode the address is directly compatible, just that payload bytes are bit reversed (LSB first).
For TX mode emulation, we still have to forge packets as xn297 preamble is 4 bytes long instead of 1 (0x55, 0xf3, 0x1f, 0x55)
I still have to check CRC, shouldn't be difficult ...
That will require a few mods to the current xn297 layer to implement this "non scrambled" mode, but I'm pretty confident I should be able to make it work, looks simple enough
By tinkering with the 0x19 register on an actual xn297 I've been able to disable scrambling (write 0x00 instead of 0xa7 in the 4th byte, got this lucky guess after 3~4 attempts only...), then following travisgoodspeed and victzh steps, I've been able to sniff and decode the packets with a nrf24l01
(preamble+sync+payload)"non scrambled" xn297 mode is almost directly compatible with the nrf24l01, at least if the nrf24 is the RX (with CRC disabled), in this mode the address is directly compatible, just that payload bytes are bit reversed (LSB first).
For TX mode emulation, we still have to forge packets as xn297 preamble is 4 bytes long instead of 1 (0x55, 0xf3, 0x1f, 0x55)
I still have to check CRC, shouldn't be difficult ...
That will require a few mods to the current xn297 layer to implement this "non scrambled" mode, but I'm pretty confident I should be able to make it work, looks simple enough
Please Log in or Create an account to join the conversation.
31 Jan 2016 07:15 #42454
by SeByDocKy
I am definitively impressed ...
Replied by SeByDocKy on topic Yi Zhan i6S capture
goebish wrote: What a ride ...
By tinkering with the 0x19 register on an actual xn297 I've been able to disable scrambling (write 0x00 instead of 0xa7 in the 4th byte, got this lucky guess after 3~4 attempts only...), then following travisgoodspeed and victzh steps, I've been able to sniff and decode the packets with a nrf24l01
"non scrambled" xn297 mode is almost directly compatible with the nrf24l01, at least if the nrf24 is the RX (with CRC disabled), in this mode the address is directly compatible, just that payload bytes are bit reversed (LSB first).
For TX mode emulation, we still have to forge packets as xn297 preamble is 4 bytes long instead of 1 (0x55, 0xf3, 0x1f, 0x55)
I still have to check CRC, shouldn't be difficult ...
That will require a few mods to the current xn297 layer to implement this "non scrambled" mode, but I'm pretty confident I should be able to make it work, looks simple enough
I am definitively impressed ...
Please Log in or Create an account to join the conversation.
Time to create page: 0.077 seconds
-
Home
-
Forum
-
Development
-
Protocol Development
- Yi Zhan i6S capture