Capturing data from cheap drone with the HackRF

17 Nov 2021 13:15 - 17 Nov 2021 13:17 #77618 by Carlson
Hi all. Here is a cheap Chinese drone, so I need to recognise its RF protocol and hook it from another nRF24L01-based device. The drone IC is PAN2025SB50X 2046BAb, the remote one is PAN186CV 21C4CTa.

From the datasheets I know that the frequency is 2.400-2.483 GHz with a 1 MHz step, GFSK modulation, 250 kbps / 1 Mbps speed, the preamble is 0x710F55, likely nRF24L01-compatible.
I've tried to research the protocol using a HackRF One, GNU Radio Companion and Baudline. The initial behaviour is: the remote makes a burst at 2.4201 GHz, then if I turn on the drone the remote switches to 2.4171 GHz. I know that many sniffers for nRF24L01-based systems exist; I've tried some of them, and they successfully show me packets from an nRF but not from my remote. Then I found Goebish's xn297 dumper ( github.com/goebish/XN297_dumper ) and it shows me something:
There weren't any notes about how the data is shown, but as I've understood it, it is | address | ??? | payload | CRC. I was confused that when I move the sticks the bytes change, including the address. But it was the first moment I saw any data from the remote, and I dived into the .grc graph, visualized the data via a Scope Sink and tried to decode a packet by hand;

it was something like 71 0F 55 E2 B3 92 EE 7D 44 1B 62 09 AE 8C 8C AE E4 C1 50 07 FF; the preamble 710F55 and the address E2 B3 92 are constant when I'm moving the sticks. I've tried to send this packet continuously with the HackRF, but there was no drone reaction (the indicator didn't stop flashing). Now I have two questions: how best to decode packets, if they're right at all, and what to do later? (I don't want to use DeviationTX, I want to make my own device.) Honestly I have some doubts about nRF24L01 compatibility; how can I check it?
Last edit: 17 Nov 2021 13:17 by Carlson.
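As an added example (not from the post, the dumper project or any datasheet), here is a small Python helper for the "decode by hand" step: it finds the 0x710F55 preamble at bit granularity in a demodulated bit string (so the byte alignment of the Scope Sink output does not have to be guessed), splits the frame into preamble | address | payload | CRC, and tests whether a plain CRC-16 (polynomial 0x1021) over address+payload reproduces the trailing bytes. The 3-byte address, the 2-byte trailer, and the CRC initial values tried are assumptions to be checked against the capture, not documented XN297 parameters; the sample frame is the one quoted in the post. One caveat worth knowing: the XN297 scrambles the bytes following the preamble, so a CRC check is only meaningful on bytes that the dumper has already de-scrambled.

```python
# Added example (not from the post): split a demodulated XN297/nRF24-style
# burst into fields and test a CRC-16 hypothesis against the trailer.
from typing import Dict, List

PREAMBLE = bytes.fromhex("710F55")  # preamble value quoted in the post

# Constructed sample: the packet bytes quoted in the post
CAPTURED_HEX = "71 0F 55 E2 B3 92 EE 7D 44 1B 62 09 AE 8C 8C AE E4 C1 50 07 FF"


def bytes_to_bits(data: bytes) -> str:
    """Render bytes as a '0'/'1' string, MSB first (the on-air order)."""
    return "".join(f"{b:08b}" for b in data)


def bits_to_bytes(bits: str) -> bytes:
    """Pack a '0'/'1' string (MSB first) into bytes; a trailing partial byte is dropped."""
    n = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, n, 8))


def find_preamble(bits: str, preamble: bytes = PREAMBLE) -> int:
    """Bit offset of the first preamble occurrence in a raw bit string, or -1.
    Searching at bit granularity avoids guessing the byte alignment of the
    demodulated stream."""
    return bits.find(bytes_to_bits(preamble))


def frame_from_bits(bits: str, n_bytes: int, preamble: bytes = PREAMBLE) -> bytes:
    """Cut n_bytes starting at the first preamble found in the bit string."""
    off = find_preamble(bits, preamble)
    if off < 0:
        raise ValueError("preamble not found")
    return bits_to_bytes(bits[off:off + 8 * n_bytes])


def crc16(data: bytes, init: int, poly: int = 0x1021) -> int:
    """Plain (non-reflected) CRC-16, MSB first. init=0xFFFF gives CRC-16/CCITT-FALSE,
    init=0x0000 gives CRC-16/XMODEM. Which init (if any) the radio uses is unknown here."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def split_frame(frame: bytes, addr_len: int = 3, crc_len: int = 2,
                preamble: bytes = PREAMBLE) -> Dict[str, bytes]:
    """Split preamble | address | payload | crc. addr_len and crc_len are assumptions."""
    if not frame.startswith(preamble):
        raise ValueError("frame does not start with the expected preamble")
    body = frame[len(preamble):]
    if len(body) < addr_len + crc_len:
        raise ValueError("frame too short for the assumed layout")
    payload_end = len(body) - crc_len
    return {
        "preamble": frame[:len(preamble)],
        "address": body[:addr_len],
        "payload": body[addr_len:payload_end],
        "crc": body[payload_end:],
    }


def matching_crc_inits(frame: bytes, inits=(0x0000, 0xFFFF, 0x1D0F), **layout) -> List[int]:
    """Return the CRC initial values (assumed candidates) under which
    CRC-16(address + payload) equals the 2-byte trailer. An empty list means
    the layout or CRC hypothesis is wrong, or the bytes are still scrambled."""
    fields = split_frame(frame, **layout)
    if len(fields["crc"]) != 2:
        return []
    trailer = int.from_bytes(fields["crc"], "big")
    covered = fields["address"] + fields["payload"]
    return [init for init in inits if crc16(covered, init) == trailer]


if __name__ == "__main__":
    frame = bytes.fromhex(CAPTURED_HEX.replace(" ", ""))
    for name, value in split_frame(frame).items():
        print(f"{name:9s} {value.hex(' ')}")
    print("CRC inits matching trailer:", [hex(i) for i in matching_crc_inits(frame)])
```

Run it on the bit string exported from the Scope Sink (or on the dumper's de-scrambled bytes) and vary `addr_len`/`crc_len`: a layout under which the trailer matches for every captured frame, while the sticks are moved, is strong evidence the field split is right; a layout that never matches anything is evidence the bytes are still scrambled or that the CRC is not a plain 0x1021 CRC-16.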

