JD 395 cx-10

01 Apr 2016 00:40 #45522 by harwoodr
Replied by harwoodr on topic JD 395 cx-10
Hey guys, I'm hoping someone can point me at any documentation for the "new" cx-10 red board protocol...

I'm playing with a nrf24 board on a raspberry pi, and I'd like to look at sniffing the packets sent to the cx-10 - any info would be appreciated.

Also, I have to say that the treasure trove of information I've found on these forums, the rcgroups forums and the associated github/bitbucket accounts of users here... has been very helpful and educational.

Thanks in advance - Ron.

14 May 2016 13:31 #48425 by goebish
Replied by goebish on topic JD 395 cx-10
Hi harwoodr, any chance you could get some logic captures of the SPI bus inside the newer "red" TX please?
I'm not saying that dumping it over the air with your setup is impossible, it's just way harder ;)

09 Jul 2017 05:19 #63366 by Baldness
Replied by Baldness on topic JD 395 cx-10
For the love of God, I have been trying to get my mk33041 out of headless mode for literally the entire day.

I'm not a programmer. I'm not familiar with the "builds" section of this site where someone commented "go see my updates uploads". I can't for the life of me find the cx-10 green model for the Devo7e everyone says is working so great. PLEASE can you just attach it without calling me a newbie and giving me vague hints with acronyms on where to find it here. I'm losing my mind, I lost my patience with this 6 hours ago.

14 Apr 2025 17:53 #78660 by goebish
Replied by goebish on topic JD 395 cx-10

victzh wrote: No, definitely I don't mind. I sat staring at the signals all my free time for 2 weeks and was very glad when after innumerable tries it finally started breathing. But it can be tiresome and I'm glad that you took part in finishing it up.

There are still puzzles, maybe more of theoretical value. I don't believe that the XOR sequence and these XOROUT constants are stored somewhere in the chip. I think they are a byproduct of some calculation, maybe of the CRC itself.


Hi, I know that was 10 years ago but I was finally able to generate the scrambling array with code ;)
This has been haunting my mind for some time but with the help of a GPT it has fallen eventually.
We have at least 4 CRC xorout arrays now, I'll try to crack them as well.
#include <stdio.h>
#include <stdint.h>

int main(void) {
    uint8_t lfsr = 0x71;  // 7-bit LFSR seed (0b1110001)
    uint8_t xn297_scramble[39];

    for (int i = 0; i < 39; i++) {
        uint8_t byte = 0;
        for (int bit = 0; bit < 8; bit++) {
            uint8_t msb = (lfsr >> 6) & 1;          // extract MSB (bit6)
            byte = (byte << 1) | msb;               // MSB-first accumulation
            uint8_t feedback = msb ^ ((lfsr >> 2) & 1); // feedback = MSB xor bit2
            lfsr = ((lfsr << 1) & 0x7F) | feedback; // shift in feedback at LSB
        }
        xn297_scramble[i] = byte;
    }

    // Print the output in hex
    // Expected output
    // 0xE3, 0xB1, 0x4B, 0xEA, 0x85, 0xBC, 0xE5, 0x66, 0x0D, 0xAE, 
    // 0x8C, 0x88, 0x12, 0x69, 0xEE, 0x1F, 0xC7, 0x62, 0x97, 0xD5, 
    // 0x0B, 0x79, 0xCA, 0xCC, 0x1B, 0x5D, 0x19, 0x10, 0x24, 0xD3, 
    // 0xDC, 0x3F, 0x8E, 0xC5, 0x2F, 0xAA, 0x16, 0xF3, 0x95
    for (int i = 0; i < 39; i++) {
        printf("0x%02X", xn297_scramble[i]);
        if (i < 38) printf(", ");
        if ((i + 1) % 8 == 0) printf("\n");
    }

    return 0;
}

14 Apr 2025 19:28 #78661 by hexfet
Replied by hexfet on topic JD 395 cx-10
Thanks goebish! Happy to see your posts :)

14 Apr 2025 20:25 - 16 Apr 2025 19:25 #78663 by goebish
Replied by goebish on topic JD 395 cx-10
For reference:

The XN297 uses a 7-bit linear-feedback shift register (LFSR) to generate a whitening sequence. We determined that the whitening LFSR operates as follows:

  • The LFSR uses the primitive polynomial x^7+x^3+1. That means at each step, the new feedback bit is computed as the XOR of bit 6 and bit 2 of the current LFSR state
  • Shift Direction: The LFSR shifts left on each step, meaning the register’s bits move toward the MSB side. The MSB is output (shifted out) each cycle, and the newly computed feedback bit is inserted at the LSB (bit 0). This configuration causes the MSB of the LFSR to produce the whitening bit each cycle.
  • Bit Accumulation Order: Whitening bits are applied MSB-first per byte. Because the LFSR outputs the MSB bit each step, if we collect 8 output bits into a byte, the first output bit becomes the byte's MSB, and the eighth output bit becomes the byte's LSB. In other words, the whitening sequence bytes are formed in normal MSB-first bit order. This matches the given sequence representation in hex. (The actual radio transmits bits LSB-first, but the sequence is conventionally listed in MSB-first bytes.)
  • Initial LFSR State: To reproduce the exact sequence observed (starting with 0xE3, 0xB1, 0x4B, ...), the LFSR must start from a specific seed. The initial 7-bit state that generates the sequence was found to be 0x71 (binary 1110001). This seed yields the first 8 output bits as 1110 0011 (0xE3), matching the sniffed data.

Using these parameters, the LFSR will produce the whitening byte sequence.
Last edit: 16 Apr 2025 19:25 by goebish.
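The two goebish posts above (the generator program and the four-point description of the LFSR) can be turned into the handful of routines a practitioner actually needs when working with a capture. The following is an added example written for this thread; it is not code from the posts above or from the Deviation project. It reuses the thread's parameters (7-bit LFSR, feedback = bit 6 XOR bit 2, shift left, MSB out, seed 0x71) and adds: the generator as a function with the seed as a parameter, a brute-force seed recovery that shows why 0x71 is the only state that can produce 0xE3 0xB1 0x4B (the first seven output bits of this register are literally the seed), an XOR whitening routine, and a bit-reversal helper for captures delivered in the over-the-air LSB-first order. The `offset` parameter of `xn297_whiten` and the sample payload are assumptions: the thread does not say how the 39 sequence bytes line up with address and payload fields, so the caller has to supply that alignment. One security point worth keeping in mind: whitening is a fixed, public sequence, so it hides nothing from someone sniffing the link; it only shapes the bit stream for the radio.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define XN297_SCRAMBLE_LEN 39   /* length of the sequence quoted in the thread */
#define XN297_SEED 0x71         /* seed recovered in the thread */

/* Generate n bytes of the XN297 whitening sequence from a 7-bit LFSR:
 * shift left, output the MSB (bit 6), feedback = bit 6 XOR bit 2 into bit 0,
 * bits packed MSB-first into each byte. Returns n. */
size_t xn297_gen_scramble(uint8_t seed, uint8_t *out, size_t n) {
    uint8_t lfsr = seed & 0x7F;
    for (size_t i = 0; i < n; i++) {
        uint8_t byte = 0;
        for (int bit = 0; bit < 8; bit++) {
            uint8_t msb = (lfsr >> 6) & 1;
            byte = (uint8_t)((byte << 1) | msb);
            uint8_t fb = msb ^ ((lfsr >> 2) & 1);
            lfsr = (uint8_t)(((lfsr << 1) & 0x7F) | fb);
        }
        out[i] = byte;
    }
    return n;
}

/* Convenience accessor: byte i of the sequence for the thread's seed (0 past the end). */
uint8_t xn297_scramble_at(size_t i) {
    uint8_t seq[XN297_SCRAMBLE_LEN];
    if (i >= XN297_SCRAMBLE_LEN) return 0;
    xn297_gen_scramble(XN297_SEED, seq, XN297_SCRAMBLE_LEN);
    return seq[i];
}

/* Reverse the bit order of one byte, for captures that arrive in the
 * LSB-first order the radio uses on air. */
uint8_t bit_reverse8(uint8_t b) {
    b = (uint8_t)(((b & 0xF0) >> 4) | ((b & 0x0F) << 4));
    b = (uint8_t)(((b & 0xCC) >> 2) | ((b & 0x33) << 2));
    b = (uint8_t)(((b & 0xAA) >> 1) | ((b & 0x55) << 1));
    return b;
}

/* Whitening is a plain XOR, so this both whitens and de-whitens.
 * offset: position in the 39-byte sequence where this buffer starts
 * (assumed caller-supplied; the thread does not define the alignment).
 * Returns 0 on success, -1 if the request runs past the end of the sequence. */
int xn297_whiten(const uint8_t *in, uint8_t *out, size_t n, size_t offset) {
    uint8_t seq[XN297_SCRAMBLE_LEN];
    if (offset > XN297_SCRAMBLE_LEN || n > XN297_SCRAMBLE_LEN - offset) return -1;
    xn297_gen_scramble(XN297_SEED, seq, XN297_SCRAMBLE_LEN);
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ seq[offset + i];
    return 0;
}

/* Recover the LFSR seed from observed sequence bytes by trying every
 * non-zero 7-bit state. Returns the seed, or -1 if no state reproduces the
 * observation. Because the register shifts its own bits out MSB-first, the
 * first 7 output bits are the seed itself, so one byte already pins it down. */
int xn297_find_seed(const uint8_t *observed, size_t n) {
    uint8_t trial[XN297_SCRAMBLE_LEN];
    if (n > XN297_SCRAMBLE_LEN) n = XN297_SCRAMBLE_LEN;
    for (int seed = 1; seed < 128; seed++) {
        xn297_gen_scramble((uint8_t)seed, trial, n);
        size_t i = 0;
        while (i < n && trial[i] == observed[i]) i++;
        if (i == n) return seed;
    }
    return -1;
}

/* Whiten a constructed payload and de-whiten it again; returns the number of
 * bytes that did not survive the round trip (0 means the XOR is symmetric). */
int xn297_roundtrip_check(void) {
    static const uint8_t payload[4] = { 0x01, 0x02, 0x03, 0x04 }; /* constructed, not a capture */
    uint8_t whitened[4], recovered[4];
    int bad = 0;
    if (xn297_whiten(payload, whitened, 4, 0) != 0) return -1;
    if (xn297_whiten(whitened, recovered, 4, 0) != 0) return -1;
    for (int i = 0; i < 4; i++) if (recovered[i] != payload[i]) bad++;
    return bad;
}

int main(void) {
    static const uint8_t observed[] = { 0xE3, 0xB1, 0x4B }; /* first bytes quoted in the thread */
    printf("seed recovered from observed bytes: 0x%02X\n", xn297_find_seed(observed, sizeof observed));
    printf("round-trip mismatches: %d\n", xn297_roundtrip_check());
    for (size_t i = 0; i < 4; i++)
        printf("seq[%zu] = 0x%02X, LSB-first on air = 0x%02X\n",
               i, xn297_scramble_at(i), bit_reverse8(xn297_scramble_at(i)));
    return 0;
}
```

To use this on a real capture, de-whiten with the offset that matches where your receiver's buffer starts in the sequence and bit-reverse first if the receiver hands you LSB-first bytes; if the result still looks random, the offset is wrong rather than the seed, since the seed is fixed by the sequence itself.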
