×

Notice

The forum is in read only mode.
  1. Forum
  3. Development
  5. Protocol Development
  7. Mould King 33043 Super F Quad - HS6200 RF chip

Mould King 33043 Super F Quad - HS6200 RF chip

More
20 Feb 2016 02:02 #43341 by dc59
Mould King 33043 Super F Quad - HS6200 RF chip was created by dc59
Mould King 33043 Super F Quad SPI capture data :
www.mediafire.com/download/10wxe8a938vx9qg/MK33043-01%7E05.zip

It used a HS6200 RF chip, it's is compatible with BK2425, nRF24L01+
www.sunrisedigit.com/en/Show.asp?id=38

Would someone confirm it ? and deviate it ?

But I got problem when I captured SPI data, I can't bint it with quad. if my analyzer connected to TX ...... :(

Thanks a lot.
More
20 Feb 2016 02:10 #43342 by dc59
Replied by dc59 on topic Mould King 33043 Super F Quad - HS6200 RF chip
Forgot the pictures.



Attachments:
More
20 Feb 2016 18:13 #43372 by planger
Replied by planger on topic Mould King 33043 Super F Quad - HS6200 RF chip
The nrf24L01 decoder is giving good results at leats right after init. So yes it's a nrf24L01 compatible chip. There are multiple unknown registers at the begining but if there is a datasheet somewhere it should not be an issue.
More
20 Feb 2016 23:47 - 20 Feb 2016 23:47 #43388 by dc59
Replied by dc59 on topic Mould King 33043 Super F Quad - HS6200 RF chip

planger wrote: The nrf24L01 decoder is giving good results at leats right after init. So yes it's a nrf24L01 compatible chip. There are multiple unknown registers at the begining but if there is a datasheet somewhere it should not be an issue.


Hi Pascal,

Thanks for your help. it's a great news to know that's a nrf24l01 compatible chip,
I uploaded the datasheet of HS6200 HERE and hope it could help.
Last edit: 20 Feb 2016 23:47 by dc59.
More
21 Feb 2016 16:59 #43420 by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
I had a look at the datasheet, there's a good chance that it's directly compatible with the nrf24, the only thing is that the HS6200 can do 500kbps while the nrf24l01+ can't (only 250kbps/1Mbps/2Mbps), I've to check in your captures which bitrate this protocol is using.
More
21 Feb 2016 17:18 - 21 Feb 2016 17:28 #43422 by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
Hmmm it requires a new decoder as switching register banks doesn't work the same than with Beken chips.
Last edit: 21 Feb 2016 17:28 by goebish.
More
21 Feb 2016 18:11 - 21 Feb 2016 18:15 #43424 by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
Ok, looks like it's using 500kbps, so there's nothing to do with a NRF24L01 :(
34 W_REGISTER(06 RF_SETUP) 47

0x47 = 0100 0111, which means 4dbm output, 500kbps, no continuous wave :(

It might be possible to emulate it with the A7105, but that would require quite a bit of work ...

No, I was wrong, I think it's using 1Mbps after all.
Last edit: 21 Feb 2016 18:15 by goebish.
More
22 Feb 2016 00:25 #43436 by dc59
Replied by dc59 on topic Mould King 33043 Super F Quad - HS6200 RF chip

goebish wrote: Ok, looks like it's using 500kbps, so there's nothing to do with a NRF24L01 :(
34 W_REGISTER(06 RF_SETUP) 47

0x47 = 0100 0111, which means 4dbm output, 500kbps, no continuous wave :(

It might be possible to emulate it with the A7105, but that would require quite a bit of work ...

No, I was wrong, I think it's using 1Mbps after all.


Good news ~~ Thanks a lot. :woohoo: :woohoo: :woohoo:
More
25 Feb 2016 12:50 #43607 by mdon
Replied by mdon on topic Mould King 33043 Super F Quad - HS6200 RF chip
Hi guys,

Any news about using nrf24l01 to clone HS6200? I'm trying unsuccessfully.

What about 0x1E and 0x1F HS6200 registers that are not present in nrf24L01. Analyzing SPI I can see that they are used frequently. Do you have the same situation?

thanks
More
25 Feb 2016 13:12 - 25 Feb 2016 13:20 #43609 by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
I think I won't try to implement the protocol unless I have a machine with the same rf chip to make tests myself.

I only quickly looked at the captures & datasheet and I think a slight emulation layer will be required as the HS6200 "protocol engine" is not directly compatible with nrf24l01 shockburst mode. (see chapter 7.3 in HS6200 datasheet)
File Attachment:

Register 0x1E set the "2 byte guard" among other things, that's 2 extra bytes that are not in nrf24l01 shockburst packets, (it's the same than having n+2 address length actually...) hence it probably needs to be emulated: that mean adding those 2 bytes to the start of the packet, shifting the actual payload 1 bit right because of the 9 bit Packet Control Field (that we have to generate too...) and computing the CRC ourselves... and probably other "fun" stuffs ;)
Last edit: 25 Feb 2016 13:20 by goebish.
More
25 Feb 2016 14:47 #43614 by mdon
Replied by mdon on topic Mould King 33043 Super F Quad - HS6200 RF chip
You're right. Thanks for your reply.

I was trying a nrf clone because I don't have another HS6200 unless the one from the controller and couldn't find an easy way to order another. But I will find a solution.

thanks
More
25 Feb 2016 16:08 - 25 Feb 2016 16:51 #43618 by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
First thing to do if you've a nrf24 + arduino is to set it to the same bitrate (if not 500kbps of course...), address and channel than the TX, disable shockburst & CRC, then listen for payload length + 8 bytes to confirm it's using its "protocol engine" (shockburst variant), but from what I understand to the capture, this mode is enabled, though dynamic payload length and auto ack are disabled.

When this is confirmed, it shouldn't be hard to emulate ...

Are you working on it already or should I order a MK33043 ? ;)
Last edit: 25 Feb 2016 16:51 by goebish.
More
25 Feb 2016 16:26 #43622 by mdon
Replied by mdon on topic Mould King 33043 Super F Quad - HS6200 RF chip
I'm working on it ;) thanks

in fact It's not the mk33043, but another drone using the same transceiver.
More
25 Feb 2016 16:30 #43624 by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
Ah OK, maybe yours does not use the "protocol engine", in this case no emulation is required, it should be directly compatible.

Try to sniff as I explained, that should help to sort things out ;)
More
25 Feb 2016 17:02 #43627 by mdon
Replied by mdon on topic Mould King 33043 Super F Quad - HS6200 RF chip
I tried and it's not directly compatible :(

Sniffing directly the Tx SPI I have this code:

File Attachment:

File Name: sample4.txt
File Size:539 KB


Apparently it uses the HS6200 "protocol engine". I will set the same address, data rate, channel, disable enhanced shockburst, disable CRC and try it out.

I let you know the result :)
Attachments:
More
25 Feb 2016 17:09 - 25 Feb 2016 17:26 #43628 by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
Don't worry if you don't see the actual payload in sniffed packets, that's because it's shifted 1 bit to the right because of the PCF ;) (and the remaining 7 bits of the last sniffed byte is noise)
But at least we should see what can be done to make it compatible with nrf24.
Last edit: 25 Feb 2016 17:26 by goebish.
More
26 Feb 2016 14:43 - 26 Feb 2016 14:44 #43673 by mdon
Replied by mdon on topic Mould King 33043 Super F Quad - HS6200 RF chip
Good news. It's possible to sniff the HS6200 using nrf.

I'm receiving these messages:




I know sniffing the SPI with a logic analyzer that the transmitter sends the payload: 0x00;0x80;0x40;0x80;0x80;0x40;0x40;0x00;0xBF

As shown:
6.686249 00074 13675 0xB0 0x0E Disable autoack on this specific packet
6.686300 00052 13675 0x00 0xAE Data: 0b00000000 (0x00)
6.686350 00050 13675 0x80 0xA6 Data: 0b10000000 (0x80)
6.686417 00067 13675 0x40 0x60 Data: 0b01000000 (0x40)
6.686467 00050 13675 0x80 0xA8 Data: 0b10000000 (0x80)
6.686535 00068 13675 0x80 0x98 Data: 0b10000000 (0x80)
6.686584 00050 13675 0x40 0x98 Data: 0b01000000 (0x40)
6.686652 00068 13675 0x40 0x98 Data: 0b01000000 (0x40)
6.686702 00050 13675 0x00 0x98 Data: 0b00000000 (0x00)
6.686769 00067 13675 0xBF 0x98 Data: 0b10111111 (0xBF)

I've already shifted the bits to correct 9 bits PCF. My arduino code:

File Attachment:

File Name: arduino_code.txt
File Size:2 KB


I don't know exactly why it's not working. Any ideas?

Analyzing many cases I can see a pattern, at least for the first payload byte the most significant bit is flipped.
Attachments:
Last edit: 26 Feb 2016 14:44 by mdon.
More
26 Feb 2016 14:49 - 26 Feb 2016 14:54 #43674 by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
Great :)

What are you talking about when you say it doesn't work ? TX emulation ?

edit: ah OK, you're not able to decode the actual payload, I'll have a look at that.
At least there's no occurrence of the word 'scramble' or 'scrambling' in the datasheet ;)
Last edit: 26 Feb 2016 14:54 by goebish.
More
26 Feb 2016 15:11 - 26 Feb 2016 15:15 #43676 by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
Can you give another sniffed / actual payload pair ? (+sniffed raw, not decoded)

Maybe payload (and CRC) is xored with a static table, as the xn297, even if it's not stated in the datasheet (or I missed it).
Last edit: 26 Feb 2016 15:15 by goebish.
More
26 Feb 2016 15:40 - 26 Feb 2016 15:48 #43679 by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
...or try to xor your decoded payload with
0x80, 0xf5, 0x3b, 0x0d, 0x6d, 0x2a, 0xf9, 0xbc, 0x51

then check if it works with payloads other than
0x00;0x80;0x40;0x80;0x80;0x40;0x40;0x00;0xBF

... and give me a raw packet please :)
Last edit: 26 Feb 2016 15:48 by goebish.
  1. Forum
  3. Development
  5. Protocol Development
  7. Mould King 33043 Super F Quad - HS6200 RF chip
Time to create page: 0.385 seconds
Powered by Kunena Forum
Re-enable mobile display