Mould King 33043 Super F Quad - HS6200 RF chip
26 Feb 2016 15:57 #43681
by mdon
Replied by mdon on topic Mould King 33043 Super F Quad - HS6200 RF chip
SPI sniffed: AE A6 60 A8 98 56 AA 40 CB
received by nrf: 2E 53 5B A5 F5 7C 53 FC 9A
26 Feb 2016 16:02 - 26 Feb 2016 16:03 #43683
by goebish
Hey, looks like it matches the xor table I posted on the previous page:
2E 53 5B A5 F5 7C 53 FC 9A xor 80 f5 3b 0d 6d 2a f9 bc 51 = AE A6 60 A8 98 56 AA 40 CB
Last edit: 26 Feb 2016 16:03 by goebish.
26 Feb 2016 16:06 - 26 Feb 2016 16:53 #43684
by goebish
Next thing to do is to check if the CRC is xor'ed (scrambled) as well, then find what the CRC is generated from: are the 2 guard bytes included? (The PCF is, as the CRC changes when the packet ID bit changes.) And is the CRC generator (CRC16 CCITT) fed with scrambled or unscrambled payload, in which order, with bit order reversed or not, etc.
Need a hand with that?
Also, we have to hope this scrambling table is static, as with the xn297. We'll also have to find a HS6200 donor so we can send longer payloads with an actual chip to guess the rest of the scrambling table.
Last edit: 26 Feb 2016 16:53 by goebish.
26 Feb 2016 17:00 - 26 Feb 2016 17:16 #43689
by goebish
From the datasheet:
"The CRC is the error detection mechanism in the packet. It may either be 1 or 2 bytes and is calculated over the address, Packet Control Field and Payload."
initial value: 0xffff
polynomial: 0x1021
xorout: if we need one (other than 0x0000 or 0xffff) that probably means crc is scrambled too.
looks like the 2 byte guard is not fed to the crc generator (or maybe it's an omission in the datasheet ...)
at least that's one piece of the puzzle
and we need a CRC generator that we can feed with an arbitrary number of bits, not only bytes, because of the PCF (again... I hate this thing) as this one:
github.com/RFStorm/mousejack/blob/master/src/radio.c#L107
hmmm I have to check how I can feed a payload to crc reveng that's not a multiple of 8 bits.
Last edit: 26 Feb 2016 17:16 by goebish.
26 Feb 2016 18:28 - 26 Feb 2016 18:29 #43699
by goebish
Can you post a couple of raw packets, as received by the nrf24 please, with guard, PCF, payload, CRC and the remaining 7 noise bits? And also tell me which address is used.
Last edit: 26 Feb 2016 18:29 by goebish.
26 Feb 2016 18:46 #43701
by mdon
For now I have 3 raw packets:
Control power up:
address: 55 42 9C 8F C9
Payload sent (9 bytes): AE A6 60 A8 98 56 AA 40 CB
32 bytes received: 55 55 27 97 29 AD D2 FA BE 29 FE 4D 5A DE 3B FB 7E BB DD DD AA 39 CA 71 CD 66 AF 9E EE 72 CD 28
Landing:
address: AE A6 60 A8 98
Payload sent (9 bytes): 00 80 40 80 80 40 40 00 BF
32 bytes received: AE AE 25 C0 3A BD C6 F6 B5 5C DE 77 59 50 EF 7E FA EF EB DA 1F 71 AB 22 5A 51 CD 34 BD D2 A8 DD
Full throttle:
address: AE A6 60 A8 98
Payload sent (9 bytes): FF 80 40 80 80 40 40 00 BF
32 bytes received: AE AE 25 BF BA BD C6 F6 B5 5C DE 48 D8 F2 2F 7F FA 77 FF FD FF FF 77 FE F7 F5 2A 33 6E C8 55 52
conclusions for now:
guard bytes = first address byte
flight address is sent as power up payload
flight first payload byte refers to throttle
26 Feb 2016 18:48 #43702
by goebish
Thanks, that should help me to check / sort out CRC.
I'll have a look at that tonight.
26 Feb 2016 18:50 #43704
by goebish
Can you confirm that xor'ing your decoded payload with
80 f5 3b 0d 6d 2a f9 bc 51
yields good results?
26 Feb 2016 18:54 #43705
by mdon
Yes, it seems perfect.
const byte xor_table[9] = {0x80,0xf5,0x3b,0x0d,0x6d,0x2a,0xf9,0xbc,0x51};
26 Feb 2016 19:02 - 26 Feb 2016 20:51 #43707
by goebish
Cool, so it's probably static, I mean it's always the same table whatever the address is ... (well, as victzh suggested for the xn297, there's probably no hardcoded table inside the chip; my guess is those xor values are probably the result of the 8 bit CRC generator fed with 0s or something like that, this has to be checked; the fact that the 1st value is 0x80 is interesting ...)
So now it's only a matter of generating the CRC.
Last edit: 26 Feb 2016 20:51 by goebish.
26 Feb 2016 23:03 - 27 Feb 2016 14:35 #43722
by goebish
Last edit: 27 Feb 2016 14:35 by goebish.
27 Feb 2016 14:45 #43771
by goebish
I'm trying to code something to generate the packets to be sent by the nrf24... all this shifting is giving me headaches, but I should succeed, eventually.
27 Feb 2016 15:01 #43772
by planger
Hi Goebish, if you look at my LT8900 emulation, the bit shifting of the buffer is implemented. You can give it the number of bits you want, which is just 1 in your case if I'm correct (LT8900 is anything between 4 and 18 bits).
27 Feb 2016 16:43 - 27 Feb 2016 18:25 #43774
by goebish
Needs a bit of clean up, but I got it:
(only the MSB is relevant in the last byte of the generated raw packet)
crappy POC code:
gist.github.com/goebish/a7b5607dc36af06b0cdd
Don't forget to alternate the value of PID between packets, especially if 2 successive packets are identical, or the 2nd and following ones might be ignored by the RX.
Last edit: 27 Feb 2016 18:25 by goebish.
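The two halves of the work discussed above (goebish's bit-level CRC generator and raw packet assembly, mdon's captures with guard, 9-bit PCF, scrambled payload and CRC) fit in one small piece of C. This is an added example written for this page, not code from the thread, from goebish's gist or from DeviationTX. It assumes the frame as the nRF24 returns it after its address match: guard (2 bytes) | PCF (9 bits) | scrambled payload | CRC-16 | noise bits, and it assumes the PCF uses the nRF24 Enhanced ShockBurst field order (6-bit length, 2-bit PID, 1-bit NO_ACK). Fed mdon's "Landing" capture, hs6200_parse returns the 9 payload bytes he wrote over SPI, with PCF length 9, PID 1 and NO_ACK 1, and hs6200_build regenerates the capture bit for bit up to where the CRC starts. The CRC questions the thread leaves open (guard included or not, scrambled or raw payload, CRC itself scrambled, address byte order) are hard-coded here as one guess, marked in the comments, and the CRC bits are therefore produced but not checked against the capture.

```c
/* Added example: HS6200 frame handling through an nRF24 with its own CRC off.
 * Not from the thread or DeviationTX. Layout after the nRF24 address match:
 *   guard(2) | PCF(9 bits) | scrambled payload | CRC-16 | noise   (113 bits for 9 bytes) */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HS_ADDR_LEN    5
#define HS_PAYLOAD_MAX 9    /* only 9 scrambling bytes are known so far */
#define HS_RAW_LEN     15   /* 16+9+72+16 = 113 bits; only the MSB of byte 14 is used */

/* Scrambling bytes recovered in the thread; XOR is its own inverse. */
static const uint8_t hs6200_xor_table[HS_PAYLOAD_MAX] =
    {0x80,0xf5,0x3b,0x0d,0x6d,0x2a,0xf9,0xbc,0x51};

/* mdon's "Landing" capture from the thread (32 bytes returned by the nRF24). */
const uint8_t hs6200_landing_capture[32] = {
    0xAE,0xAE,0x25,0xC0,0x3A,0xBD,0xC6,0xF6,0xB5,0x5C,0xDE,0x77,0x59,0x50,0xEF,0x7E,
    0xFA,0xEF,0xEB,0xDA,0x1F,0x71,0xAB,0x22,0x5A,0x51,0xCD,0x34,0xBD,0xD2,0xA8,0xDD };

void hs6200_scramble(const uint8_t *in, uint8_t *out, size_t len)
{
    for (size_t i = 0; i < len && i < HS_PAYLOAD_MAX; i++)
        out[i] = in[i] ^ hs6200_xor_table[i];
}

/* Read n bits (n <= 32), MSB first, from absolute bit offset pos. */
uint32_t bits_get(const uint8_t *buf, size_t pos, unsigned n)
{
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++, pos++)
        v = (v << 1) | ((buf[pos >> 3] >> (7 - (pos & 7))) & 1);
    return v;
}

/* Append the low n bits of value (n <= 32), MSB first, at *pos; buf must start zeroed. */
void bits_put(uint8_t *buf, size_t *pos, uint32_t value, unsigned n)
{
    for (unsigned i = n; i-- > 0; (*pos)++)
        if ((value >> i) & 1)
            buf[*pos >> 3] |= (uint8_t)(0x80 >> (*pos & 7));
}

/* CRC-16/CCITT: poly 0x1021, init 0xFFFF, no reflection, no final XOR, clocked one
 * bit at a time so the 9-bit PCF can be fed without padding. */
uint16_t crc16_ccitt_bits(uint16_t crc, const uint8_t *buf, size_t pos, size_t nbits)
{
    for (size_t i = 0; i < nbits; i++, pos++) {
        unsigned bit = (buf[pos >> 3] >> (7 - (pos & 7))) & 1;
        crc ^= (uint16_t)(bit << 15);
        crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

uint16_t crc16_ccitt_bytes(const uint8_t *buf, size_t len)
{
    return crc16_ccitt_bits(0xFFFF, buf, 0, len * 8);
}

typedef struct {
    uint8_t  len, pid, no_ack;           /* PCF fields, Enhanced ShockBurst order (assumed) */
    uint8_t  scrambled[HS_PAYLOAD_MAX];  /* bytes as seen on air */
    uint8_t  payload[HS_PAYLOAD_MAX];    /* bytes as written to the HS6200 */
    uint16_t crc;                        /* as transmitted; not verified here */
} hs6200_frame_t;

/* Sniffer side: split a raw nRF24 capture. Returns 0 if the length field is implausible. */
int hs6200_parse(const uint8_t *raw, size_t rawlen, hs6200_frame_t *f)
{
    uint16_t pcf = (uint16_t)bits_get(raw, 16, 9);
    f->len = (uint8_t)(pcf >> 3); f->pid = (pcf >> 1) & 3; f->no_ack = pcf & 1;
    if (f->len > HS_PAYLOAD_MAX || rawlen * 8 < 25u + f->len * 8u + 16u) return 0;
    for (unsigned i = 0; i < f->len; i++)
        f->scrambled[i] = (uint8_t)bits_get(raw, 25 + 8 * i, 8);
    hs6200_scramble(f->scrambled, f->payload, f->len);
    f->crc = (uint16_t)bits_get(raw, 25 + 8 * f->len, 16);
    return 1;
}

/* TX side: guard + PCF + scrambled payload + CRC, bit-packed for the nRF24 payload register.
 * Guess (not settled in the thread): guard = first address byte twice, CRC over address (in
 * the order given) + PCF + *scrambled* payload, guard excluded, CRC not scrambled.
 * Returns the number of valid bits: 113 for a 9-byte payload. */
size_t hs6200_build(const uint8_t addr[HS_ADDR_LEN], const uint8_t *payload, uint8_t len,
                    uint8_t pid, uint8_t no_ack, uint8_t out[HS_RAW_LEN])
{
    uint8_t scr[HS_PAYLOAD_MAX], crcbuf[HS_ADDR_LEN + 2 + HS_PAYLOAD_MAX] = {0};
    size_t pos = 0, cpos = 0;
    uint16_t pcf = (uint16_t)(((len & 0x3F) << 3) | ((pid & 3) << 1) | (no_ack & 1));

    if (len > HS_PAYLOAD_MAX) return 0;
    hs6200_scramble(payload, scr, len);
    for (unsigned i = 0; i < HS_ADDR_LEN; i++) bits_put(crcbuf, &cpos, addr[i], 8);
    bits_put(crcbuf, &cpos, pcf, 9);
    for (unsigned i = 0; i < len; i++) bits_put(crcbuf, &cpos, scr[i], 8);
    uint16_t crc = crc16_ccitt_bits(0xFFFF, crcbuf, 0, cpos);

    memset(out, 0, HS_RAW_LEN);
    bits_put(out, &pos, addr[0], 8);
    bits_put(out, &pos, addr[0], 8);
    bits_put(out, &pos, pcf, 9);
    for (unsigned i = 0; i < len; i++) bits_put(out, &pos, scr[i], 8);
    bits_put(out, &pos, crc, 16);
    return pos;
}
```

Which of the 15 output bytes go into the nRF24 TX_ADDR register and which into the payload FIFO is a configuration detail of the emulation and is not covered here; the example only produces the bit stream. Swapping the CRC guess (raw instead of scrambled payload, address bytes reversed, guard included) is a one-line change in hs6200_build and, once a capture with a known-good CRC is available, the right variant is the one whose crcbuf gives the captured f.crc.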
29 Feb 2016 14:41 #43881
by goebish
mdon, do you need more help?
You didn't tell which machine you were working on.
For the MK33043, I'll either have to wait for you to sacrifice the HS6200 in your stock TX (well, not really, this can be done in a non-destructive way) so you can send and sniff longer packets to fill the scrambling table, or I'll have to order one myself ... or 'just' crack the scrambling table generation algo (there's probably one), but I'm lazy.
Pascal, yes, when we add these new chips' emulation in DeviationTX we'll try to use common code as much as possible for all the chips (CRC algo, bit shifting ...).
10 Mar 2016 09:59 #44367
by goebish
No reply?
I'll wait 1 or 2 days and then order a mk33043.
10 Mar 2016 13:16 #44373
by mdon
Hi.
I was traveling.
Now I'm working on another project, but I'm keen to resume the Nrf->HS6200 hobby asap, sorry.
12 Apr 2016 19:05 - 12 Apr 2016 19:05 #46376
by goebish
Looks like someone has ordered a MK 33043 for me (you know who you are, thanks), so I should be able to continue the work on that in a few weeks.
Last edit: 12 Apr 2016 19:05 by goebish.
12 Apr 2016 22:20 #46388
by dc59 (topic author)
Good news for me!
goebish wrote: Looks like someone has ordered a MK 33043 for me (you know who you are, thanks), so I should be able to continue the work on that in a few weeks
14 May 2016 22:01 #48459
by goebish
Hmmm, I have bad news: looks like not all the MouldKing Super-F are the same, mine has only 1 chip in the TX and is compatible with the CX-10 protocol, please read from here for more info:
www.deviationtx.com/forum/protocol-devel...m9916?start=80#48435