- Posts: 71
XK X520 VTOL plane (with captures)
- gdenton
- Topic Author
- Offline
Less
More
24 May 2018 02:10 - 24 May 2018 02:14 #69398
by gdenton
XK X520 VTOL plane (with captures) was created by gdenton
Anyone interested in adding this protocol?
The transmitter says S-FHSS but when I opened it up I discovered it actually has an XN297LCU transceiver.
The SPI captures from the TX are stored to:
drive.google.com/drive/folders/1BsHZHZrn...a0MUBsAT?usp=sharing
The *.csv.txt files are decoded, the *SHORT.csv.txt files have the repetitive idle packets removed.
Here's what I've decoded so far:
scramble enabled
1Mbps
no AA
packet size is 16 bytes
normal packet period is around 4100µs
- bind TX ID: 0x68 0x94 0xA6 0xD5 0xC3
- 1 time bind channel 0x28
- 1 time bind packet (not the same every power on?):
power on #1: 62 EC D8 D9 1B 0F 1D 4D C7 F0 10 F4 7E 7C 30 15
power on #2: E2 E8 D8 59 1B 0F 1D CD 83 F0 10 F4 7E 74 30 15
power on #3: E3 E8 D8 D9 1B 0F 1D CD C7 F0 10 F4 7E 74 30 95
power on #4: E2 EC D8 D9 1A 0F 1D 4D C3 F2 10 F4 7E 74 30 15
power on #5: E2 E8 D8 D9 9B 0F 1D CD 83 F0 18 F4 7E 74 30 95
I made some much shorter (~2") probes for the next 5 samples:
power on #6: 62 E8 D8 D9 1A 0F 1D CD 87 F0 10 F4 7E 74 30 B5
power on #7: E2 EC D8 D9 1B 0F 1D CD C7 F0 10 F4 7E 74 30 B5
power on #8: E2 EC D8 D9 1B 0F 1D CD C7 F0 10 F4 7E 7C 30 B5
power on #9: E2 E8 D8 D9 1B 0F 1D CD C7 F0 10 F4 7E 7C 30 95
power on #10: E2 EC D8 D9 1B 0F 1D CD C7 F0 10 F4 7E 74 30 35
then repeats the following until throttle stick is moved up/down:
- bind channels 2 times each: 0x39 0x1C 0x07 0x24 0x3E 0x2B 0x47 0x0E
- bind packet:
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x51 0x55 0x23 0x00 0x00 0x40 0x40 0xC0 0x09
after throttle stick is moved up/down:
- normal TX ID: 0xA5 0x37 0xC5 0x4A 0xD3
- normal channels 2 times each: 0x4A 0x3F 0x4D 0x34
- normal packet idle (vertical mode):
0x00 0x00 0x00 0x00 0x40 0x40 0x40 0x51 0x55 0x23 0x00 0x00 0x40 0x40 0x00 0x09
- normal packet[0]: throttle stick down = 0x00 up = 0xFF
- normal packet[1]: rudder stick center = 0x00 left = 0x7F right = 0xFF
- normal packet[2]: elevator stick center = 0x00 down = 0x7F up = 0xFF
- normal packet[3]: aileron stick center = 0x00 left = 0x7F right = 0xFF
- normal packet[4]: rudder subtrim center = 0x40 left = 0x02 right = 0x7E
- normal packet[5]: elevator subtrim center = 0x40 down = 0x02 up = 0x7E
- normal packet[6]: aileron subtrim center = 0x40 left = 0x02 right = 0x7E
- normal packet[7]: 0x51
- normal packet[8]: 0x55
- normal packet[9]: 0x23
- normal packet[10]: 0x00 = vertical 0x04 = horizontal 6G 0x10 = horizontal 3D
- normal packet[11]: momentary 0x40 = auto takeoff or landing
- normal packet[12]: normally 0x40 but:
also 0x44, 0x48, 0x4C with rudder stick movement
also 0x44, 0x4C with throttle stick movement
- normal packet[13]: normally 0x40 but:
also 0x44, 0x4A, 0x4E, 0x4F with aileron stick movement
also 0x42 with elevator stick movement
- normal packet[14]: 0x00
- normal packet[15]: checksum
Any input or help would be greatly appreciated.
The transmitter says S-FHSS but when I opened it up I discovered it actually has an XN297LCU transceiver.
The SPI captures from the TX are stored to:
drive.google.com/drive/folders/1BsHZHZrn...a0MUBsAT?usp=sharing
The *.csv.txt files are decoded, the *SHORT.csv.txt files have the repetitive idle packets removed.
Here's what I've decoded so far:
scramble enabled
1Mbps
no AA
packet size is 16 bytes
normal packet period is around 4100µs
- bind TX ID: 0x68 0x94 0xA6 0xD5 0xC3
- 1 time bind channel 0x28
- 1 time bind packet (not the same every power on?):
power on #1: 62 EC D8 D9 1B 0F 1D 4D C7 F0 10 F4 7E 7C 30 15
power on #2: E2 E8 D8 59 1B 0F 1D CD 83 F0 10 F4 7E 74 30 15
power on #3: E3 E8 D8 D9 1B 0F 1D CD C7 F0 10 F4 7E 74 30 95
power on #4: E2 EC D8 D9 1A 0F 1D 4D C3 F2 10 F4 7E 74 30 15
power on #5: E2 E8 D8 D9 9B 0F 1D CD 83 F0 18 F4 7E 74 30 95
I made some much shorter (~2") probes for the next 5 samples:
power on #6: 62 E8 D8 D9 1A 0F 1D CD 87 F0 10 F4 7E 74 30 B5
power on #7: E2 EC D8 D9 1B 0F 1D CD C7 F0 10 F4 7E 74 30 B5
power on #8: E2 EC D8 D9 1B 0F 1D CD C7 F0 10 F4 7E 7C 30 B5
power on #9: E2 E8 D8 D9 1B 0F 1D CD C7 F0 10 F4 7E 7C 30 95
power on #10: E2 EC D8 D9 1B 0F 1D CD C7 F0 10 F4 7E 74 30 35
then repeats the following until throttle stick is moved up/down:
- bind channels 2 times each: 0x39 0x1C 0x07 0x24 0x3E 0x2B 0x47 0x0E
- bind packet:
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x51 0x55 0x23 0x00 0x00 0x40 0x40 0xC0 0x09
after throttle stick is moved up/down:
- normal TX ID: 0xA5 0x37 0xC5 0x4A 0xD3
- normal channels 2 times each: 0x4A 0x3F 0x4D 0x34
- normal packet idle (vertical mode):
0x00 0x00 0x00 0x00 0x40 0x40 0x40 0x51 0x55 0x23 0x00 0x00 0x40 0x40 0x00 0x09
- normal packet[0]: throttle stick down = 0x00 up = 0xFF
- normal packet[1]: rudder stick center = 0x00 left = 0x7F right = 0xFF
- normal packet[2]: elevator stick center = 0x00 down = 0x7F up = 0xFF
- normal packet[3]: aileron stick center = 0x00 left = 0x7F right = 0xFF
- normal packet[4]: rudder subtrim center = 0x40 left = 0x02 right = 0x7E
- normal packet[5]: elevator subtrim center = 0x40 down = 0x02 up = 0x7E
- normal packet[6]: aileron subtrim center = 0x40 left = 0x02 right = 0x7E
- normal packet[7]: 0x51
- normal packet[8]: 0x55
- normal packet[9]: 0x23
- normal packet[10]: 0x00 = vertical 0x04 = horizontal 6G 0x10 = horizontal 3D
- normal packet[11]: momentary 0x40 = auto takeoff or landing
- normal packet[12]: normally 0x40 but:
also 0x44, 0x48, 0x4C with rudder stick movement
also 0x44, 0x4C with throttle stick movement
- normal packet[13]: normally 0x40 but:
also 0x44, 0x4A, 0x4E, 0x4F with aileron stick movement
also 0x42 with elevator stick movement
- normal packet[14]: 0x00
- normal packet[15]: checksum
Any input or help would be greatly appreciated.
Last edit: 24 May 2018 02:14 by gdenton. Reason: added info
Please Log in or Create an account to join the conversation.
Time to create page: 0.051 seconds
- Home
- Forum
- Development
- Protocol Development
- XK X520 VTOL plane (with captures)