X5C Clone using XN297L

08 Sep 2016 01:32 - 09 Sep 2016 12:01 #53614 by Toybomb
X5C Clone using XN297L was created by Toybomb
Hi All,

Recently I purchased this X5C-1 Clone ( world.taobao.com/item/527888255460.htm ) and was hoping to use it with a 9xr with Multiprotocol, but none of them would bind with the quad (even after flashing the latest github firmware). So I opened the TX and found that it used an XN297 RF chip. Right now I've figured out the SPI pins and the part of the payload that is being sent over SPI. My challenge now is to get the nrf24L01 chip to talk to the XN297; could anyone give some pointers or hints?


What I've figured out from the TX when starting:

W_REGISTER: RX_PW_P0 = 63
R_REGISTER: RX_PW_P0
FLUSH_TX
FLUSH_RX
W_REGISTER: STATUS = 70
W_REGISTER: BB_CAL = 209C67844C
W_REGISTER: RF_CAL = BCABBB61B09ADD
W_REGISTER: DEMOD_CAL = 03A7C4DF0B
W_REGISTER: TX_ADDR = 4AB399B5D2
W_REGISTER: RX_ADDR_P0 = 4AB399B5D2
W_REGISTER: EN_AA = 00
W_REGISTER: SETUP_AW = 03
W_REGISTER: SETUP_RETR = 00
W_REGISTER: RF_CH = 12
W_REGISTER: RF_SETUP = 07
W_REGISTER: RX_PW_P0 = 0C <- This corresponds with the payload size
W_REGISTER: RX_PW_P1 = 0C <- This corresponds with the payload size
W_REGISTER: ACTIVATE
W_REGISTER: DYNPD = 00
W_REGISTER: FEATURE = 00
ACTIVATE
W_REGISTER: CONFIG = 0E

Once it's bound, it hops between channels 0x19, 0x28, and 0x05.

Playing around with the sticks and buttons and monitoring changes to the SPI payload, I figured out the below:

AA BB CC DD EE FF GG HH II JJ KK LL - Payload

AA/BB/CC = Set to 00 / Don't know what this does yet.
DD = Throttle (0x00 - 0xFE) / Camera (0x01)
EE = Ail (0xA0 resting, 0x81 Left, 0xBE Right) / Lights + 0x40
FF = Ele (0x20 resting, 0x3E Up, 0x01 Down) / Flip + 0x40
GG = Rud (0x20 resting, 0x3E Left, 0x01 Right) / Video + 0x80
HH = Trim (Left [0x0 - 0x20], Right [0xFF - E0])
II = Speedup button (L/M/H - 0x40/0x80/0xC0)
JJ = Trim (Up [0x0 - 0x20], Down [0xFF - E0])
KKLL = CRC16_X_25 (Polynomial = 0x1021, Initial Value = 0xFFFF, Final Xor Value = 0xFFFF www.sunshine2k.de/coding/javascript/crc/crc_js.html )
KKLL = CRC16 (Polynomial = 0x8408

Bind sequence sends a packet like this
0x2a 0x96 0xa9 0x25 0x24 0x00 0x00 0x00 0x9e 0x84 0x00 0x00
First 5 bytes tells it to switch the TX_ADDR

Attaching some of the dumps I took using Saleae Logic. Also a few dumps taken using Pulseview (to decode, add the SPI filter, configure CLK as D2, MISO as D1, MOSI as D0, CS# as D3, chip type xn297).
Last edit: 09 Sep 2016 12:01 by Toybomb.

08 Sep 2016 04:41 - 08 Sep 2016 04:48 #53621 by Toybomb
Replied by Toybomb on topic X5C Clone using XN297L
I managed to get my hands on another remote, attaching images and pulseview dump of binding & arming packets.

Remote 1 - Arm

Remote 2 - Arm


Remote 1 - Bind


Remote 2 - Bind


Remote 1 - D0:MOSI, D1:MISO, D2:CLK, D3:CS#
Remote 2 - D4:MOSI, D5:MISO, D6:CLK, D7:CS#

File Attachment: Remote_Bin..._Arm.zip (41 KB)
Last edit: 08 Sep 2016 04:48 by Toybomb. Reason: pulseview spi pins

09 Sep 2016 00:02 - 09 Sep 2016 00:04 #53651 by goebish
Replied by goebish on topic X5C Clone using XN297L
It is pretty similar to the hontai protocol, looks like a good starting point ;)
Last edit: 09 Sep 2016 00:04 by goebish.

09 Sep 2016 00:16 - 09 Sep 2016 00:43 #53652 by goebish
Replied by goebish on topic X5C Clone using XN297L

KKLL = CRC16_X_25 (Polynomial = 0x1021, Initial Value = 0xFFFF, Final Xor Value = 0xFFFF www.sunshine2k.de/coding/javascript/crc/crc_js.html )

Are you sure of that? Because it looks like this is the only difference with the hontai protocol, which is using poly = 0x8408

Also check if void ht_init2() is necessary or not. It shouldn't be necessary if data address = txid, just modify it so nrf24 address = txid if this protocol works like that ... it is required ... you'll have to check if the txid / address algo matches.
Last edit: 09 Sep 2016 00:43 by goebish.
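
Added example, not part of any post in this thread or of the Deviation/Multiprotocol code: 0x8408 is 0x1021 with its bit order reversed, so the CRC-16/X-25 parameters quoted from the first post (0x1021, init 0xFFFF, final XOR 0xFFFF, reflected input and output) and a right-shifting loop using 0x8408 compute the same checksum. The function names are hypothetical and the sample bytes are constructed from the resting stick values in the first post, not taken from a capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: first 10 payload bytes with the resting stick values
   from the first post (AA..JJ); not a captured packet. */
static const uint8_t sample[10] = {0x00, 0x00, 0x00, 0x00, 0xA0,
                                   0x20, 0x20, 0x00, 0x00, 0x00};

/* Reverse the low `bits` bits of v. */
static uint16_t reflect(uint16_t v, int bits)
{
    uint16_t r = 0;
    for (int i = 0; i < bits; i++, v >>= 1)
        r = (uint16_t)((r << 1) | (v & 1u));
    return r;
}

/* LSB-first (right-shifting) form: polynomial written as 0x8408. */
uint16_t crc16_x25_lsb(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc & 1u) ? (crc >> 1) ^ 0x8408 : crc >> 1);
    }
    return (uint16_t)(crc ^ 0xFFFF);
}

/* MSB-first form: polynomial 0x1021, input bytes and result bit-reflected. */
uint16_t crc16_x25_msb(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(reflect(*p++, 8) << 8);
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc & 0x8000u) ? (crc << 1) ^ 0x1021 : crc << 1);
    }
    return (uint16_t)(reflect(crc, 16) ^ 0xFFFF);
}

int main(void)
{
    printf("reflect(0x1021) = 0x%04X\n", reflect(0x1021, 16));
    printf("lsb form: 0x%04X\n", crc16_x25_lsb(sample, sizeof sample));
    printf("msb form: 0x%04X\n", crc16_x25_msb(sample, sizeof sample));
    return 0;
}
```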

09 Sep 2016 00:47 #53653 by Toybomb
Replied by Toybomb on topic X5C Clone using XN297L
Thank you sir, yes it does look exactly like the hontai protocol, thank you for pointing that out. I'm trying to get my nrf24 with arduino to read the tx protocol but cannot seem to get it to work. No data gets received. This is what I have so far, am I doing something wrong?
#define MOSI_pin  5             // MOSI-D5
#define SCK_pin   4             // SCK-D4
#define CS_pin    6             // CS-D6
#define CE_pin    3             // CE-D3
#define MISO_pin  7             // MISO-D7

static const uint8_t tx_rx_id[] = {0xD2,0xB5,0x99,0xB3,0x4A};

void setup() {
    Serial.begin(115200);
    printf_begin();
    //RF module pins
    pinMode(MOSI_pin, OUTPUT);
    pinMode(SCK_pin, OUTPUT);
    pinMode(CS_pin, OUTPUT);
    pinMode(CE_pin, OUTPUT);
    pinMode(MISO_pin, INPUT);
    
    NRF24L01_Reset();
    NRF24L01_Initialize();
    NRF24L01_SetTxRxMode(RX_EN);
    NRF24L01_SetTxRxMode(TX_EN);
    delay(10);
    XN297_SetTXAddr(tx_rx_id,5);
    XN297_SetRXAddr(tx_rx_id,5);
    NRF24L01_FlushTx();
    NRF24L01_FlushRx();
    
    NRF24L01_WriteReg(NRF24L01_07_STATUS, 0x70);     // Clear data ready, data sent, and retransmit
    NRF24L01_WriteReg(NRF24L01_01_EN_AA, 0x00);      // No Auto Acknowledgment on all data pipes
    NRF24L01_SetBitrate(NRF24L01_BR_250K);            //NRF24L01_BR_1M / NRF24L01_BR_250K
    NRF24L01_SetPower(3);                             // maximum rf power
    NRF24L01_Activate(0x73);
    NRF24L01_WriteReg(NRF24L01_04_SETUP_RETR, 0x00);
    NRF24L01_WriteReg(NRF24L01_1C_DYNPD, 0x00);       // Disable dynamic payload length on all pipes
    NRF24L01_WriteReg(NRF24L01_1D_FEATURE, 0x00);     // Set feature bits on
    NRF24L01_Activate(0x73);
    NRF24L01_WriteReg(NRF24L01_05_RF_CH, 0x0);    //Bind to channel
    NRF24L01_WriteReg(NRF24L01_07_STATUS, 0x70);
    NRF24L01_FlushRx();
}
void loop() {
  printf("Waiting for data...");
  while(!(NRF24L01_ReadReg(NRF24L01_07_STATUS) & 0x40)) {}
  XN297_ReadPayload(test_packet, 12+2);
  printf("Got Data...");
}

09 Sep 2016 00:55 - 09 Sep 2016 01:00 #53654 by goebish
Replied by goebish on topic X5C Clone using XN297L
Bitrate is 1Mbps, not 250kbps.

Also, you don't set the nrf24 to RX mode:
NRF24L01_SetTxRxMode(RX_EN);
XN297_Configure(_BV(NRF24L01_00_EN_CRC) | _BV(NRF24L01_00_CRCO) | _BV(NRF24L01_00_PWR_UP) | _BV(NRF24L01_00_PRIM_RX));

But you don't need to do that, I think you already have all the necessary information to add the protocol as a Hontai sub-format.

Just try to change the crc polynomial first, with a bit of luck it will be working ;)

edit: modified code.
Last edit: 09 Sep 2016 01:00 by goebish.

09 Sep 2016 01:13 #53655 by Toybomb
Replied by Toybomb on topic X5C Clone using XN297L
Thank you sir, as stated above, I don't have a devo radio :D (9xr), and the guys at multiprotocol have not ported the hontai code. The goal right now for me is to get my arduino+nrf to read packets from the xn297 (this will help with future protocol breaking :) for me), then move to porting the code to multiprotocol.

I've made the changes and it still isn't reading data.
 NRF24L01_Reset();
    NRF24L01_Initialize();
    NRF24L01_SetTxRxMode(RX_EN);
    XN297_Configure(_BV(NRF24L01_00_EN_CRC) | _BV(NRF24L01_00_CRCO) | _BV(NRF24L01_00_PWR_UP) | _BV(NRF24L01_00_PRIM_RX));
    delay(10);
    XN297_SetRXAddr(tx_rx_id,5);
    NRF24L01_FlushRx();
    
    NRF24L01_WriteReg(NRF24L01_07_STATUS, 0x70);     // Clear data ready, data sent, and retransmit
    NRF24L01_WriteReg(NRF24L01_01_EN_AA, 0x00);      // No Auto Acknowledgment on all data pipes
    NRF24L01_SetBitrate(NRF24L01_BR_1M);            //NRF24L01_BR_1M / NRF24L01_BR_250K
    NRF24L01_SetPower(3);                             // maximum rf power
    NRF24L01_Activate(0x73);
    NRF24L01_WriteReg(NRF24L01_04_SETUP_RETR, 0x00);
    NRF24L01_WriteReg(NRF24L01_1C_DYNPD, 0x00);       // Disable dynamic payload length on all pipes
    NRF24L01_WriteReg(NRF24L01_1D_FEATURE, 0x00);     // Set feature bits on
    NRF24L01_Activate(0x73);
    NRF24L01_WriteReg(NRF24L01_05_RF_CH, 0x0);    //Bind to channel
    NRF24L01_WriteReg(NRF24L01_07_STATUS, 0x70);
    NRF24L01_FlushRx();
    delay(150);

09 Sep 2016 01:17 - 09 Sep 2016 01:22 #53656 by goebish
Replied by goebish on topic X5C Clone using XN297L
You also need to enable the RX pipe and set the length:
NRF24L01_WriteReg(NRF24L01_11_RX_PW_P0, 12); // rx pipe 0, 12 bytes
NRF24L01_WriteReg(NRF24L01_02_EN_RXADDR, 0x01);  // Enable data pipe 0 only

Also, set it to RX mode at the end of the init sequence, not at the beginning.

Anyway, I don't get why you want to do that, you won't collect more stuff than with the SPI capture.
Last edit: 09 Sep 2016 01:22 by goebish.

09 Sep 2016 01:46 #53657 by Toybomb
Replied by Toybomb on topic X5C Clone using XN297L
I realize that, I would still like to have it work with an arduino+nrf24. I've made the changes but it still doesn't work :/
    NRF24L01_Reset();
    NRF24L01_Initialize();
    
    XN297_SetRXAddr(tx_rx_id,5);
    NRF24L01_FlushRx();
    NRF24L01_WriteReg(NRF24L01_07_STATUS, 0x70);     // Clear data ready, data sent, and retransmit
    XN297_Configure(_BV(NRF24L01_00_EN_CRC) | _BV(NRF24L01_00_CRCO) | _BV(NRF24L01_00_PWR_UP) | _BV(NRF24L01_00_PRIM_RX));
    NRF24L01_WriteReg(NRF24L01_01_EN_AA, 0x00);      // No Auto Acknowledgment on all data pipes
    NRF24L01_WriteReg(NRF24L01_02_EN_RXADDR, 0x01);  // Enable data pipe 0 only
    NRF24L01_WriteReg(NRF24L01_05_RF_CH, 0x0);    //Bind to channel
    NRF24L01_SetBitrate(NRF24L01_BR_1M);            //NRF24L01_BR_1M / NRF24L01_BR_250K
    NRF24L01_SetPower(3);                             // maximum rf power
    NRF24L01_Activate(0x73);                              // Activate feature register
    NRF24L01_WriteReg(NRF24L01_04_SETUP_RETR, 0x00);
    NRF24L01_WriteReg(NRF24L01_1C_DYNPD, 0x00);       // Disable dynamic payload length on all pipes
    NRF24L01_WriteReg(NRF24L01_1D_FEATURE, 0x00);     // Set feature bits on
    NRF24L01_WriteReg(NRF24L01_11_RX_PW_P0, 0x0C); // rx pipe 0, payload size
    NRF24L01_FlushRx();
    NRF24L01_SetTxRxMode(RX_EN);
    delay(150);

09 Sep 2016 02:15 #53660 by goebish
Replied by goebish on topic X5C Clone using XN297L
Put XN297_Configure at the end of init.

09 Sep 2016 05:39 #53667 by mjbudden
Replied by mjbudden on topic X5C Clone using XN297L
The Activate command only works when the NRF24 is in standby mode. So, as @goebish says, you need to put the Configure and SetRxTx commands at the end of init.

09 Sep 2016 05:42 #53668 by Toybomb
Replied by Toybomb on topic X5C Clone using XN297L
I did a hackjob port to multiprotocol and I was able to bind using the hontai protocol (using the CRC in there instead of 0x1021). Thank you once again!

09 Sep 2016 08:45 - 09 Sep 2016 08:46 #53676 by goebish
Replied by goebish on topic X5C Clone using XN297L
Ok, so you only had to change the crc polynomial from 0x8408 to 0x1021 to make it work?
Or is it 100% the same protocol?
Last edit: 09 Sep 2016 08:46 by goebish.

09 Sep 2016 08:57 #53678 by Toybomb
Replied by Toybomb on topic X5C Clone using XN297L
It looks to be 100% same protocol, I've msg'd Pascal on RC Groups and he is helping port the hontai code over, will revert once I've tested it.

09 Sep 2016 09:02 #53680 by goebish
Replied by goebish on topic X5C Clone using XN297L
Ok, we've nothing to do for Deviation then, perfect :P

10 Sep 2016 03:36 - 10 Sep 2016 03:37 #53707 by Toybomb
Replied by Toybomb on topic X5C Clone using XN297L
The code has been ported by Pascal, here are my observations from testing the code.
The quad uses the JJRCX1 sub protocol instead of hontai but uses the XN297 to transmit (JJRCX1 uses NRF24),
so there is some work to be done after all :)

Since my quad does not have a camera I could not test video/picture,
but I was able to use the calibration/flip/RTH/headless/toggle lights modes.
Last edit: 10 Sep 2016 03:37 by Toybomb.

26 Sep 2016 07:58 - 26 Sep 2016 08:00 #54278 by Toybomb
Replied by Toybomb on topic X5C Clone using XN297L
goebish,

The F-805C arrived today, and the protocol is not the same as the hontai protocol it seems. Attaching some sigrok SPI dumps; it seems to be using the XN297 chip.

On startup:
BB_CAL - 0x209C7F3FCD
RF_CAL - 0x9CABBB79B09ADA
DEMOD_CAL - 0x03A7C4DF0B
TX_ADDR - 0xBBBCBDBEBF
RX_ADDR_P0 - 0xBBBCBDBEBF
FLUSH_RX
FLUSH_TX
STATUS - 0x70
EN_AA - 0
EN_RXADDR - 01
SETUP_AW - 03
RF_CH - 02
SETUP_RETR
RX_PW_P0 - 0x0A
RF_SETUP - 0x01
ACTIVATE
DYNPD - 0x00

Then it goes on for a bit on these channels:
0x30, 0x35, 0x3A, 0x40 (Channel Hop)
A0 8D 12 00 00 A5 A5 A5 00 83

Then it continues on this:
0x44, 0x4B, 0x34, 0x3B (Channel Hop)
00 00 00 00 40 40 40 00 00 15




File Attachment: F805C.zip (124 KB)
Last edit: 26 Sep 2016 08:00 by Toybomb.

26 Sep 2016 09:13 #54279 by Toybomb
Replied by Toybomb on topic X5C Clone using XN297L
A quick look at the protocol

AA BB CC DD EE FF GG HH II JJ

AA - Throttle 0x00-0xFF (Trim 0x00-0x1E)
BB - Yaw Left - 0x00-0x7F, Right 0x80-0xFF
CC - Pitch Up - 0x80-0xFF, Down 0x00-0x7F
DD - Roll Left - 0x00-0x7F, Right 0x80-0xFF
EE - Start 0x40, (Yaw Trim Right Plus 0x00-0x1E, Yaw Trim Left Minus 0x00-0x1E)
FF - Start 0x40, (Pitch Trim Up Plus 0x00-0x1E, Pitch Trim Down Minus 0x00-0x1E)
GG - Start 0x40, (Roll Trim Right Plus 0x00-0x1E, Roll Trim Left Minus 0x00-0x1E)
HH - Headless 0x02, RTH 0x01
II - Video button pressed + 0x10, Picture button pressed, 0x08, Headless 0x80, RTH 0x40, Mode Slow/Fast + 0x04, Flip 0x01
JJ - Checksum?
