Mould King 33043 Super F Quad - HS6200 RF chip

20 Feb 2016 02:02 #43341 by dc59
Mould King 33043 Super F Quad SPI capture data :
www.mediafire.com/download/10wxe8a938vx9qg/MK33043-01%7E05.zip

It used a HS6200 RF chip, it is compatible with BK2425, nRF24L01+
www.sunrisedigit.com/en/Show.asp?id=38

Would someone confirm it ? and deviate it ?

But I got a problem when I captured SPI data, I can't bind it with the quad if my analyzer is connected to TX ...... :(

Thanks a lot.

20 Feb 2016 02:10 #43342 by dc59
Forgot the pictures.



20 Feb 2016 18:13 #43372 by planger
The nrf24L01 decoder is giving good results at least right after init. So yes it's a nrf24L01 compatible chip. There are multiple unknown registers at the beginning but if there is a datasheet somewhere it should not be an issue.

20 Feb 2016 23:47 - 20 Feb 2016 23:47 #43388 by dc59

planger wrote: The nrf24L01 decoder is giving good results at least right after init. So yes it's a nrf24L01 compatible chip. There are multiple unknown registers at the beginning but if there is a datasheet somewhere it should not be an issue.


Hi Pascal,

Thanks for your help. It's great news to know that it's a nrf24l01 compatible chip,
I uploaded the datasheet of HS6200 HERE and hope it could help.
Last edit: 20 Feb 2016 23:47 by dc59.

21 Feb 2016 16:59 #43420 by goebish
I had a look at the datasheet, there's a good chance that it's directly compatible with the nrf24, the only thing is that the HS6200 can do 500kbps while the nrf24l01+ can't (only 250kbps/1Mbps/2Mbps), I've to check in your captures which bitrate this protocol is using.

21 Feb 2016 17:18 - 21 Feb 2016 17:28 #43422 by goebish
Hmmm, it requires a new decoder as switching register banks doesn't work the same as with Beken chips.
Last edit: 21 Feb 2016 17:28 by goebish.

21 Feb 2016 18:11 - 21 Feb 2016 18:15 #43424 by goebish
Ok, looks like it's using 500kbps, so there's nothing to do with a NRF24L01 :(
34 W_REGISTER(06 RF_SETUP) 47

0x47 = 0100 0111, which means 4dbm output, 500kbps, no continuous wave :(

It might be possible to emulate it with the A7105, but that would require quite a bit of work ...


No, I was wrong, I think it's using 1Mbps after all.
Last edit: 21 Feb 2016 18:15 by goebish.

22 Feb 2016 00:25 #43436 by dc59

goebish wrote: Ok, looks like it's using 500kbps, so there's nothing to do with a NRF24L01 :(
34 W_REGISTER(06 RF_SETUP) 47

0x47 = 0100 0111, which means 4dbm output, 500kbps, no continuous wave :(

It might be possible to emulate it with the A7105, but that would require quite a bit of work ...


No, I was wrong, I think it's using 1Mbps after all.


Good news ~~ Thanks a lot. :woohoo: :woohoo: :woohoo:

25 Feb 2016 12:50 #43607 by mdon
Hi guys,

Any news about using nrf24l01 to clone HS6200? I'm trying unsuccessfully.

What about the 0x1E and 0x1F HS6200 registers that are not present in nrf24L01? Analyzing SPI I can see that they are used frequently. Do you have the same situation?

thanks

25 Feb 2016 13:12 - 25 Feb 2016 13:20 #43609 by goebish
I think I won't try to implement the protocol unless I have a machine with the same rf chip to make tests myself.

I only quickly looked at the captures & datasheet and I think a slight emulation layer will be required as the HS6200 "protocol engine" is not directly compatible with nrf24l01 shockburst mode. (see chapter 7.3 in HS6200 datasheet)

Register 0x1E sets the "2 byte guard" among other things, that's 2 extra bytes that are not in nrf24l01 shockburst packets, (it's the same as having n+2 address length actually...) hence it probably needs to be emulated: that means adding those 2 bytes to the start of the packet, shifting the actual payload 1 bit right because of the 9 bit Packet Control Field (that we have to generate too...) and computing the CRC ourselves... and probably other "fun" stuff ;)
Last edit: 25 Feb 2016 13:20 by goebish.

25 Feb 2016 14:47 #43614 by mdon
You're right. Thanks for your reply.

I was trying a nrf clone because I don't have another HS6200 other than the one from the controller and couldn't find an easy way to order another. But I will find a solution.

thanks

25 Feb 2016 16:08 - 25 Feb 2016 16:51 #43618 by goebish
First thing to do if you've a nrf24 + arduino is to set it to the same bitrate (if not 500kbps of course...), address and channel as the TX, disable shockburst & CRC, then listen for payload length + 8 bytes to confirm it's using its "protocol engine" (shockburst variant), but from what I understand of the capture, this mode is enabled, though dynamic payload length and auto ack are disabled.

When this is confirmed, it shouldn't be hard to emulate ...

Are you working on it already or should I order a MK33043 ? ;)
Last edit: 25 Feb 2016 16:51 by goebish.

25 Feb 2016 16:26 #43622 by mdon
I'm working on it ;) thanks

In fact it's not the mk33043, but another drone using the same transceiver.

25 Feb 2016 16:30 #43624 by goebish
Ah OK, maybe yours does not use the "protocol engine", in this case no emulation is required, it should be directly compatible.

Try to sniff as I explained, that should help to sort things out ;)

25 Feb 2016 17:02 #43627 by mdon
I tried and it's not directly compatible :(

Sniffing directly the Tx SPI I have this code:

File Attachment: sample4.txt (539 KB)


Apparently it uses the HS6200 "protocol engine". I will set the same address, data rate, channel, disable enhanced shockburst, disable CRC and try it out.

I'll let you know the result :)

25 Feb 2016 17:09 - 25 Feb 2016 17:26 #43628 by goebish
Don't worry if you don't see the actual payload in sniffed packets, that's because it's shifted 1 bit to the right because of the PCF ;) (and the remaining 7 bits of the last sniffed byte are noise)
But at least we should see what can be done to make it compatible with nrf24.
Last edit: 25 Feb 2016 17:26 by goebish.

26 Feb 2016 14:43 - 26 Feb 2016 14:44 #43673 by mdon
Good news. It's possible to sniff the HS6200 using nrf.

I'm receiving these messages:




I know sniffing the SPI with a logic analyzer that the transmitter sends the payload: 0x00;0x80;0x40;0x80;0x80;0x40;0x40;0x00;0xBF

As shown:
6.686249 00074 13675 0xB0 0x0E Disable autoack on this specific packet
6.686300 00052 13675 0x00 0xAE Data: 0b00000000 (0x00)
6.686350 00050 13675 0x80 0xA6 Data: 0b10000000 (0x80)
6.686417 00067 13675 0x40 0x60 Data: 0b01000000 (0x40)
6.686467 00050 13675 0x80 0xA8 Data: 0b10000000 (0x80)
6.686535 00068 13675 0x80 0x98 Data: 0b10000000 (0x80)
6.686584 00050 13675 0x40 0x98 Data: 0b01000000 (0x40)
6.686652 00068 13675 0x40 0x98 Data: 0b01000000 (0x40)
6.686702 00050 13675 0x00 0x98 Data: 0b00000000 (0x00)
6.686769 00067 13675 0xBF 0x98 Data: 0b10111111 (0xBF)

I've already shifted the bits to correct 9 bits PCF. My arduino code:

File Attachment: arduino_code.txt (2 KB)


I don't know exactly why it's not working. Any ideas?

Analyzing many cases I can see a pattern, at least for the first payload byte the most significant bit is flipped.
Last edit: 26 Feb 2016 14:44 by mdon.

26 Feb 2016 14:49 - 26 Feb 2016 14:54 #43674 by goebish
Great :)

What are you talking about when you say it doesn't work ? TX emulation ?

edit: ah OK, you're not able to decode the actual payload, I'll have a look at that.
At least there's no occurrence of the word 'scramble' or 'scrambling' in the datasheet ;)
Last edit: 26 Feb 2016 14:54 by goebish.

26 Feb 2016 15:11 - 26 Feb 2016 15:15 #43676 by goebish
Can you give another sniffed / actual payload pair ? (+sniffed raw, not decoded)

Maybe payload (and CRC) is xored with a static table, as the xn297, even if it's not stated in the datasheet (or I missed it).
Last edit: 26 Feb 2016 15:15 by goebish.

26 Feb 2016 15:40 - 26 Feb 2016 15:48 #43679 by goebish
...or try to xor your decoded payload with
0x80, 0xf5, 0x3b, 0x0d, 0x6d, 0x2a, 0xf9, 0xbc, 0x51

then check if it works with payloads other than
0x00;0x80;0x40;0x80;0x80;0x40;0x40;0x00;0xBF

... and give me a raw packet please :)
Last edit: 26 Feb 2016 15:48 by goebish.
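
The two steps discussed in the posts above (undoing the 1-bit shift caused by the 9-bit PCF, then testing whether a static XOR table explains a sniffed packet) as an added example; this is not code from the thread or from any project named in it. The function names are hypothetical, the PCF is treated as an opaque 9-bit value, `raw[0]` is assumed to be the first byte after the address and guard bytes, and the test packet is constructed on the assumption that the proposed table is right, which the thread does not confirm.

```c
#include <stddef.h>
#include <stdint.h>
#define PAYLOAD_LEN 9
/* Payload seen on the TX SPI bus, and the XOR table proposed in the thread. */
static const uint8_t SPI_PAYLOAD[PAYLOAD_LEN] =
    {0x00, 0x80, 0x40, 0x80, 0x80, 0x40, 0x40, 0x00, 0xBF};
static const uint8_t XOR_TABLE[PAYLOAD_LEN] =
    {0x80, 0xf5, 0x3b, 0x0d, 0x6d, 0x2a, 0xf9, 0xbc, 0x51};

/* TX side: 9-bit PCF, then n payload bytes shifted right one bit (raw: n + 2 bytes). */
void pcf_pack(uint16_t pcf, const uint8_t *payload, size_t n, uint8_t *raw)
{
    raw[0] = (uint8_t)(pcf >> 1);
    raw[1] = (uint8_t)((pcf & 1) << 7);
    for (size_t i = 0; i < n; i++) {
        raw[i + 1] |= (uint8_t)(payload[i] >> 1);
        raw[i + 2] = (uint8_t)(payload[i] << 7);
    }
}

/* Sniffer side: undo the shift. Assumes raw[0] is the first byte after the
 * address and guard bytes. Returns the 9-bit PCF, or -1 if raw is too short. */
int pcf_unpack(const uint8_t *raw, size_t raw_len, uint8_t *out, size_t n)
{
    if (raw_len < n + 2) return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)((raw[i + 1] << 1) | (raw[i + 2] >> 7));
    return (raw[0] << 1) | (raw[1] >> 7);
}

/* Static-table test: bytes where sniffed ^ table != SPI payload (0 = table fits). */
size_t table_mismatches(const uint8_t *sniffed, const uint8_t *spi,
                        const uint8_t *table, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        bad += (uint8_t)(sniffed[i] ^ table[i]) != spi[i];
    return bad;
}

/* Round trip on a constructed packet; the PCF value 0x12D is made up. */
int demo_round_trip(void)
{
    uint8_t air[PAYLOAD_LEN], raw[PAYLOAD_LEN + 2], got[PAYLOAD_LEN];
    for (size_t i = 0; i < PAYLOAD_LEN; i++) air[i] = SPI_PAYLOAD[i] ^ XOR_TABLE[i];
    pcf_pack(0x12D, air, PAYLOAD_LEN, raw);
    if (pcf_unpack(raw, sizeof raw, got, PAYLOAD_LEN) != 0x12D) return -1;
    return (int)table_mismatches(got, SPI_PAYLOAD, XOR_TABLE, PAYLOAD_LEN);
}
```

Running `table_mismatches` over several sniffed/SPI pairs with different stick positions is what separates a static table from a coincidence on one packet.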
