- Posts: 2631
JD 395 cx-10
15 May 2015 10:29 - 15 May 2015 10:30 #32612
by goebish
Replied by goebish on topic JD 395 cx-10
I'm making
some progress
, I'm fairly confident it's almost there 
Please Log in or Create an account to join the conversation.
15 May 2015 10:30 #32613
by Durete
Replied by Durete on topic JD 395 cx-10
Yeahhh!!! 
Please Log in or Create an account to join the conversation.
16 May 2015 19:33 #32654
by closedsink
Replied by closedsink on topic JD 395 cx-10
goebish,
Very impressed that you figured this out.
Other than the limitation you mentioned for packet[2], are you assuming the data packet sequence is just randomly generated?
Very impressed that you figured this out.
Other than the limitation you mentioned for packet[2], are you assuming the data packet sequence is just randomly generated?
Please Log in or Create an account to join the conversation.
16 May 2015 20:04 - 16 May 2015 20:05 #32657
by goebish
Replied by goebish on topic JD 395 cx-10
Yes, but it has to be confirmed, I haven't tried against an actual RX yet
Not sure if packet[2] should be limited to 0x1F or 0x2F
Not sure if packet[2] should be limited to 0x1F or 0x2F
Please Log in or Create an account to join the conversation.
16 May 2015 22:35 - 19 May 2015 02:24 #32663
by closedsink
Replied by closedsink on topic JD 395 cx-10
I just coded it for Taranis XN297 module, for my green CX10, and it seems like it works. I constrained TXID[1] to be less than < 0x30 as you suggested.
I should verify the values are getting generated as expected, and then I'll update the code on my blog on rcgroups.
(edit - DONE!)
I should verify the values are getting generated as expected, and then I'll update the code on my blog on rcgroups.
(edit - DONE!)
Please Log in or Create an account to join the conversation.
22 May 2015 13:07 - 22 May 2015 13:36 #32864
by goebish
From what I understand, a 19 bytes payload should be fine as the size of preamble+sync+address+payload+crc is still less than 32 bytes long.
Replied by goebish on topic JD 395 cx-10
Looks like everything is working well with a 15 bytes payload (cx10 green, cg023 ...), but I can't get it to work with a 19 bytes payload (cx10 blue from which I know the aircraft ID). I know my code works because I can bind to a blue cx10 with it and a xn297 chip, but doesn't work with nrf24 + emulation layer.victzh wrote: BTW, answering your question about scrambling sequence - it's fixed, it covers both address, no matter the size (from 3 to 5 bytes) and then the message. The code in the emulation layer (as you probably figured by now) handles all of this for you. You just need to call some functions instead of calling native nRF24 ones. Also, note that the main body of message is bit-reversed - it gave me extra headache decoding it
From what I understand, a 19 bytes payload should be fine as the size of preamble+sync+address+payload+crc is still less than 32 bytes long.
Please Log in or Create an account to join the conversation.
24 May 2015 01:53 - 24 May 2015 02:25 #32907
by goebish
Replied by goebish on topic JD 395 cx-10
hey hey, that's it, I brute forced xorout for a 19 bytes payload:
0x61B1
So worst case is we have to store a table with values for every payload length we need.
0x61B1
So worst case is we have to store a table with values for every payload length we need.
Please Log in or Create an account to join the conversation.
24 May 2015 03:07 - 24 May 2015 18:43 #32909
by goebish
Replied by goebish on topic JD 395 cx-10
I fixed the CRC algorithm, for reference:
Payload size / xor out crc16:So,The first value of this table (0x0000) is missing, it is for 3 bytes address w/ 0 bytes payload, more code is required to crack it, I'm lazy and we'll probably never need it.
I have brute forced all the values (~550 tries per second, so an average of 1 minute for one 16 bit value) because I'm using a nrf24 as TX + a xn297 as RX (+2 arduino). It would have been easier with 2x xn297, by disabling crc on rx side and listening for 2 more bytes
These toys are a lot of fun
Payload size / xor out crc16:
for 5 bytes address:
00: 0x9BA7
01: 0x8BBB
02: 0x85E1
03: 0x3E8C
04: 0x451E
05: 0x18E6
06: 0x6B24
07: 0xE7AB
08: 0x3828
09: 0x8148
10: 0xD461
11: 0xF494
12: 0x2503
13: 0x691D
14: 0xFE8B
15: 0x9BA7
16: 0x8B17
17: 0x2920
18: 0x8B5F
19: 0x61B1
20: 0xD391
21: 0x7401
22: 0x2138
23: 0x129F
24: 0xB3A0
25: 0x2988 -> maximum payload size for 5 bytes address with CRC enabled.
--
**: 0x3448 -> for 4 bytes address w/ 0 byte payload, or 3 bytes address w/ 1 byte payloadstatic const u16 xn297_crc_xorout[] = {
0x0000, 0x3448, 0x9BA7, 0x8BBB, 0x85E1, 0x3E8C, 0x451E, 0x18E6,
0x6B24, 0xE7AB, 0x3828, 0x8148, 0xD461, 0xF494, 0x2503, 0x691D,
0xFE8B, 0x9BA7, 0x8B17, 0x2920, 0x8B5F, 0x61B1, 0xD391, 0x7401,
0x2138, 0x129F, 0xB3A0, 0x2988};
[snip]
if (xn297_crc) {
int offset = xn297_addr_len < 4 ? 1 : 0;
u16 crc = initial;
for (int i = offset; i < last; ++i) {
crc = crc16_update(crc, buf[i]);
}
crc ^= xn297_crc_xorout[xn297_addr_len - 3 + len];
buf[last++] = crc >> 8;
buf[last++] = crc & 0xff;
}I have brute forced all the values (~550 tries per second, so an average of 1 minute for one 16 bit value) because I'm using a nrf24 as TX + a xn297 as RX (+2 arduino). It would have been easier with 2x xn297, by disabling crc on rx side and listening for 2 more bytes
These toys are a lot of fun
Please Log in or Create an account to join the conversation.
25 May 2015 00:43 - 25 May 2015 14:26 #32946
by goebish
Replied by goebish on topic JD 395 cx-10
Yeah, I got emulated RX mode to work
Not sure it's OK for anything else than 5 bytes address length, but who cares ?
(edit: tested with every address length, no problem !)
nRF24l01 receiving packets from my stock Eachine 3D X4 transmitter while I move throttle stick:
15 bytes packet + 2 bytes crc.
It still needs to be implemented properly with CRC checking (well, not mandatory for what we need...) and all, but it works.
This paves the road for implementing the CX10-A (blue pcb) protocol !
I admit that it cost me 1500mg of aspirin to get the crc + read mode working
Not sure it's OK for anything else than 5 bytes address length, but who cares ?
(edit: tested with every address length, no problem !)
XN297_SetTXAddr(tx_addr, 5); // must do before SetRXAddr, even for RX only
XN297_SetRXAddr(tx_addr, 5);
NRF24L01_FlushRx();
NRF24L01_WriteReg(NRF24L01_11_RX_PW_P0, PAYLOAD_SIZE+2); // 15-byte payload + 2 bytes CRC
NRF24L01_SetTxRxMode(RX_EN); // must be called BEFORE XN297_Configure
// Power on, RX mode,
//NRF24L01_00_EN_CRC tells the emulation layer to emulate crc checking, tbd
XN297_Configure( BV(NRF24L01_00_EN_CRC) | BV(NRF24L01_00_CRCO)
| BV(NRF24L01_00_PWR_UP) | BV(NRF24L01_00_PRIM_RX));
while(!(NRF24L01_ReadReg(0x07) & 0x40)) {} // wait for RX FIFO data ready
XN297_ReadPayload(test_packet, PAYLOAD_SIZE+2);
u8 XN297_ReadPayload(u8 *msg, int len)
{
u8 res = NRF24L01_ReadPayload(msg, len);
for(u8 i=0; i<len; i++)
msg[i] = bit_reverse(msg[i]) ^ bit_reverse(xn297_scramble[i+xn297_addr_len]);
return res;
}nRF24l01 receiving packets from my stock Eachine 3D X4 transmitter while I move throttle stick:
15 bytes packet + 2 bytes crc.
It still needs to be implemented properly with CRC checking (well, not mandatory for what we need...) and all, but it works.
This paves the road for implementing the CX10-A (blue pcb) protocol !
victzh wrote: Also, note that the main body of message is bit-reversed - it gave me extra headache decoding it
I admit that it cost me 1500mg of aspirin to get the crc + read mode working
Please Log in or Create an account to join the conversation.
25 May 2015 02:34 #32947
by hexfet
Replied by hexfet on topic JD 395 cx-10
Very nice work Look forward to flying my cx10
Look forward to flying my cx10 Please Log in or Create an account to join the conversation.
25 May 2015 07:09 #32952
by victzh
Replied by victzh on topic JD 395 cx-10
That's how it works - you get distracted for a second, they'll complete your work for you
Nice work, goebish. I'm traveling now, can only watch, and I expect you'll have blue board working when I'm back by Wednesday.
Nice work, goebish. I'm traveling now, can only watch, and I expect you'll have blue board working when I'm back by Wednesday.
Please Log in or Create an account to join the conversation.
25 May 2015 14:35 - 26 May 2015 13:28 #32958
by goebish
Replied by goebish on topic JD 395 cx-10
I hope you do not mind
, I only wanted to fix crc for 19 bytes payload at first, just to try my blue CX10 with hardcoded aircraft id.
Then you know how it is, one thing leads to another, I cracked the CRC thing, while doing so I figured out how the whole process works then I had a quick try at read mode and it worked almost instantly (thanks to all the hard work you did before).
In the end, I still have not tested the blue cx10, but that's the easy part
Then you know how it is, one thing leads to another, I cracked the CRC thing, while doing so I figured out how the whole process works then I had a quick try at read mode and it worked almost instantly (thanks to all the hard work you did before).
In the end, I still have not tested the blue cx10, but that's the easy part
Please Log in or Create an account to join the conversation.
25 May 2015 16:05 #32964
by Stavross118
Replied by Stavross118 on topic JD 395 cx-10
Excuse my ignorance but does this mean soon I will be able to fly my cx10 and 11 both blue PCb,s on my devo 10 (already modded of course) very soon top guys both victzh and goebishgoebish wrote: I hope you do not mind
, I only wanted to fix crc for 19 bytes payload at first, just to try my blue CX10 with hardcoded aircraft id.
Then you know how it is, one thing leads to another, I cracked the CRC thing completely, while doing so I understood how the whole process works then I had a quick try at read mode and it worked almost instantly (thanks to all the hard work you did before).
In the end, I still have not tested the blue cx10, but that's the easy part
Please Log in or Create an account to join the conversation.
Time to create page: 0.125 seconds
-
Home
-
Forum
-
Development
-
Protocol Development
- JD 395 cx-10