- Posts: 9
Mould King 33043 Super F Quad - HS6200 RF chip
26 Feb 2016 16:02 - 26 Feb 2016 16:03 #43683
by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
Hey, looks like it matches the xor table I posted on the previous page 
2E 53 5B A5 F5 7C 53 FC 9A xor 80 f5 3b 0d 6d 2a f9 bc 51 = AE A6 60 A8 98 56 AA 40 CB
2E 53 5B A5 F5 7C 53 FC 9A xor 80 f5 3b 0d 6d 2a f9 bc 51 = AE A6 60 A8 98 56 AA 40 CB
Please Log in or Create an account to join the conversation.
26 Feb 2016 16:06 - 26 Feb 2016 16:53 #43684
by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
next thing to do is to check if CRC is xor'ed (scrambled) as well, then find from what the CRC is generated, are the 2 bytes guards included ? (PCF is, as the CRC changes when packet ID bit changes), and is the CRC generator (CRC16 CCITT) fed with scrambled or unscrambled payload, in which order, with bits order reversed or not etc...
Need a hand with that ?
Also, we've to hope this scrambling table is static, as with the xn297. We'll also have to find a HS6200 donator so we can send longer payloads with an actual chip to guess the rest of the scrambling table.
Need a hand with that ?
Also, we've to hope this scrambling table is static, as with the xn297. We'll also have to find a HS6200 donator so we can send longer payloads with an actual chip to guess the rest of the scrambling table.
Please Log in or Create an account to join the conversation.
26 Feb 2016 17:00 - 26 Feb 2016 17:16 #43689
by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
From the datasheet:
"The CRC is the error detection mechanism in the packet. It may either be 1 or 2 bytes and is calculated over the address, Packet Control Field and Payload."
initial value: 0xffff
polynomial: 0x1021
xorout: if we need one (other than 0x0000 or 0xffff) that probably means crc is scrambled too.
looks like the 2 byte guard is not fed to the crc generator (or maybe it's an omission in the datasheet ...)
at least that's one piece of the puzzle
and we need a crc generator that we can feed with an arbitary number of bits, not only bytes because of the PCF (again... I hate this thing
) as this one:
github.com/RFStorm/mousejack/blob/master/src/radio.c#L107
hmmm I've to check how I can feed a payload to crc reveng that's not a multiple of 8 bit.
"The CRC is the error detection mechanism in the packet. It may either be 1 or 2 bytes and is calculated over the address, Packet Control Field and Payload."
initial value: 0xffff
polynomial: 0x1021
xorout: if we need one (other than 0x0000 or 0xffff) that probably means crc is scrambled too.
looks like the 2 byte guard is not fed to the crc generator (or maybe it's an omission in the datasheet ...)
at least that's one piece of the puzzle
and we need a crc generator that we can feed with an arbitary number of bits, not only bytes because of the PCF (again... I hate this thing
) as this one:github.com/RFStorm/mousejack/blob/master/src/radio.c#L107
hmmm I've to check how I can feed a payload to crc reveng that's not a multiple of 8 bit.
Please Log in or Create an account to join the conversation.
26 Feb 2016 19:02 - 26 Feb 2016 20:51 #43707
by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
Cool, so it's probably static, I mean it's always the same table whatever the address is ... (well, as victzh suggested for the xn297, there's probably no hardcoded table inside the chip, my guess is those xor are probably the result of the 8 bit CRC generator fed with 0s or something like that, this has to be checked, the fact that the 1st value is 0x80 is interesting ...)
So now that's only a matter of generating the CRC
So now that's only a matter of generating the CRC
Please Log in or Create an account to join the conversation.
26 Feb 2016 23:03 - 27 Feb 2016 14:35 #43722
by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
I think I got it, it matches with your 3 raw packets:
So, the CRC generator (lfsr) is fed with:
Address (in reverse order) + pcf + payload (scrambled)
(guard bytes are not used in CRC computation)
.. and the CRC itself is not scrambled (xorout = 0).
So, the CRC generator (lfsr) is fed with:
Address (in reverse order) + pcf + payload (scrambled)
(guard bytes are not used in CRC computation)
.. and the CRC itself is not scrambled (xorout = 0).
Please Log in or Create an account to join the conversation.
27 Feb 2016 14:45 #43771
by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
I'm trying to code something to generate the packets to be sent by the nrf24... all this shifting is giving me headaches, but I should succeed, eventually
Please Log in or Create an account to join the conversation.
27 Feb 2016 16:43 - 27 Feb 2016 18:25 #43774
by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
Need a bit of clean up, but I got it:
(only the msb is relevant in the last byte of the generated raw packet)
crappy POC code:
gist.github.com/goebish/a7b5607dc36af06b0cdd
don't forget to alternate the value of pid between packets, especially if 2 successive packets are identical, or the 2nd and following ones might be ignored by the rx.
(only the msb is relevant in the last byte of the generated raw packet)
crappy POC code:
gist.github.com/goebish/a7b5607dc36af06b0cdd
don't forget to alternate the value of pid between packets, especially if 2 successive packets are identical, or the 2nd and following ones might be ignored by the rx.
Please Log in or Create an account to join the conversation.
29 Feb 2016 14:41 #43881
by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
mdon, do you need more help ?
You didn't tell which machine you were working on
For the MK33043, I'll either have to wait that you sacrifice the HS6200 in your stock TX (well, no really, this can be done in a non destructive way) so you can send and sniff longer packets to fill the scrambling table, or I'll have to order one myself ... or 'just' crack the scrambling table generation algo (there's probably one), but I'm lazy
Pascal, yes, when we'll add these new chips emulation in DeviationTX we'll try to use common code as much as possible for all the chips (CRC algo, bit shifting ...)
You didn't tell which machine you were working on
For the MK33043, I'll either have to wait that you sacrifice the HS6200 in your stock TX (well, no really, this can be done in a non destructive way) so you can send and sniff longer packets to fill the scrambling table, or I'll have to order one myself ... or 'just' crack the scrambling table generation algo (there's probably one), but I'm lazy
Pascal, yes, when we'll add these new chips emulation in DeviationTX we'll try to use common code as much as possible for all the chips (CRC algo, bit shifting ...)
Please Log in or Create an account to join the conversation.
10 Mar 2016 13:16 #44373
by mdon
Replied by mdon on topic Mould King 33043 Super F Quad - HS6200 RF chip
Hi.
I was traveling.
Now I'm working on another project, but I'm warm to resume Nrf->HS6200 hobby asap. sorry
I was traveling.
Now I'm working on another project, but I'm warm to resume Nrf->HS6200 hobby asap. sorry
Please Log in or Create an account to join the conversation.
12 Apr 2016 19:05 - 12 Apr 2016 19:05 #46376
by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
Looks like someone has ordered a MK 33043 for me (you know who you are, thanks ), so I should be able to continue the work on that in a few weeks
), so I should be able to continue the work on that in a few weeks Please Log in or Create an account to join the conversation.
12 Apr 2016 22:20 #46388
by dc59
Good news for me!
Replied by dc59 on topic Mould King 33043 Super F Quad - HS6200 RF chip
goebish wrote: Looks like someone has ordered a MK 33043 for me (you know who you are, thanks
Good news for me! Please Log in or Create an account to join the conversation.
14 May 2016 22:01 #48459
by goebish
Replied by goebish on topic Mould King 33043 Super F Quad - HS6200 RF chip
Hmmm I've a bad news, looks like not all the MouldKing Super-F are the same, mine has only 1 chip in the TX and is compatible with the CX-10 protocol, please read from here for more info 
www.deviationtx.com/forum/protocol-devel...m9916?start=80#48435
www.deviationtx.com/forum/protocol-devel...m9916?start=80#48435
Please Log in or Create an account to join the conversation.
Time to create page: 0.073 seconds
-
Home
-
Forum
-
Development
-
Protocol Development
- Mould King 33043 Super F Quad - HS6200 RF chip