Spin Master protocol on 7e?

The Spin Master Air Hogs RC Elite Helix X4 Stunt quadcopter
uses the nRF24L01 chip. Has this protocol been investigated?
Is it the same as a protocol used by another company? TIA

Is it good?

Do you have photos of inside to evaluate feasibility of reversing the protocol? I need a detailed photo of the board near the nRF, both of RX and TX.

Have you tried binding the air hogs with the existing nrf24l01 protocols?

mwm wrote: Have you tried binding the air hogs with the existing nrf24l01 protocols?

The only other nRF24L01 TX that I have access to is for the Ares Ethos QX 75. I tried it. It did not work.

victzh wrote: Is it good?

Do you have photos of inside to evaluate feasibility of reversing the protocol? I need a detailed photo of the board near the nRF, both of RX and TX.

I hope these photos are acceptable. If not, I'll make some more.

That's disappointing. It uses LE1, not L01. It's a world of difference from the point of view of protocol reverse engineering. The protocol is inside the chip, which is not a simple radio, but a 8051 compatible MCU with RF front end.

So no way to tap SPI bus and decode the protocol, what you can do is only listen to the radio. It is hard, I've never done it and the chance of success is small. I'm still to decode my first protocol over the radio.

Another way is to contact Airhogs (sorry, there was a text about Ares, I mixed them up a bit), may be they are interested in Deviating their models.

I am looking at the SDR way - it opens new possibilities, but on the other hand, it's much more labor intensive. In this case you don't need SDR all the time though - just to learn some basic parameters of the protocol - bit rate, CRC, packet length, channels - then you can listen and decode packets from the comfort of nRF24L01 - the majority of decoding is done in it for you.

@alibenpeng here on this forum tried it with moderate success for a less popular chip - LT8900. He decoded the messages, but failed to emulate them with nRF24L01 - which is, admittedly, were ambitious. If you're curious - take a look www.deviationtx.com/forum/protocol-devel...-h1-a-k-a-mini-ninja .

I have both RTL-SDR with downconverter and HackRF, but I still did not get to actually using them. I mean, I see packets as a blobs on waterfall in SDR#, and it can help to decode at least frequencies, but that's it for now.

victzh and PhracturedBlue,

Thank you for your replies. It appears that I won't be able to use Deviation
to control my Helix X4. However, the CopterX thread in this forum pointed me to the CX-CT6C transmitter that also uses the nRF24LE1G chip. I believe I can use the Helix X4's RF board in the CX-CT6C to control the Helix X4.

Almost certainly, no. The situation with LE1 is following. The radio part is the same as in nRF24L01, but it is equipped with an extra MCU - 8051 compatible processor which handles the protocol and exchanges information with the main MCU in the controller. The protocol between the nRF23LE1 and main MCU is not defined anywhere - it can be arbitrary. So if you just transplant the module from your toy TX into CX-CT6C it most probably will not work.