- Posts: 3
Traxxas TQ
- izzy84075
- 
				Topic Author 
- Offline
		Less
		More
		
			
	
		
			
	
						17 Aug 2016 02:51				#52831
		by izzy84075
	
	
		
			
	
			
			 		
	
												
	
				Traxxas TQ was created by izzy84075			
			
				Uses the CYRF6936 and appears to be pretty simple, so far. Still learning my way around this radio, but looking at the other protocols using this radio, I think I picked a good one to start with.  
Only have a sample size of 1 so far, but here's my notes so far.
The "01 00" it starts with looks like an ID field, and then it looks suspiciously like 7 2-byte data fields. Possibly the first four bytes are something special and then 6 2-byte fields, as the trigger is wired to "channel 1" on the board, and comes out as "channel 1" on the receiver...
More experimentation to follow as I have time!
					
Only have a sample size of 1 so far, but here's my notes so far.
mfg_id: 7a b3 92 43 23 fd
sopcode:  {0xEF, 0x64, 0xB0, 0x2A, 0xD2, 0x8F, 0xB1, 0x2A},
"Idle" packet:				01 00 02 fb 02 f5 02 ee 00 00 00 00 02 ee 00 00
"Trigger somewhat pulled" packet:	01 00 02 f6 03 19 02 ee 00 00 00 00 02 ee 00 00The "01 00" it starts with looks like an ID field, and then it looks suspiciously like 7 2-byte data fields. Possibly the first four bytes are something special and then 6 2-byte fields, as the trigger is wired to "channel 1" on the board, and comes out as "channel 1" on the receiver...
More experimentation to follow as I have time!
Please Log in or Create an account to join the conversation.
- izzy84075
- 
				Topic Author 
- Offline
		Less
		More
		
			
	
		- Posts: 3
			
	
						17 Aug 2016 19:08				#52844
		by izzy84075
	
	
		
			
	
			
			 		
	
												
	
				Replied by izzy84075 on topic Traxxas TQ			
			
				Updated notes from today~!
All of my capturing so far has been with no receiver turned on, so there's probably a bunch that I haven't seen yet.
			
					All of my capturing so far has been with no receiver turned on, so there's probably a bunch that I haven't seen yet.
mfg_id: 7a b3 92 43 23 fd
While idling(With no receiver on, at least), it appears to alternate between two SOP code/CRC seed sets every once in a while:
	sopcode:  {0xEF, 0x64, 0xB0, 0x2A, 0xD2, 0x8F, 0xB1, 0x2A},
	crcseed: 0x27fe
	sopcode: {0x97,0xE5,0x14,0x72,0x7F,0x1A,0x14,0x72},
	crcseed: 0xa5a5
When in "bind" mode, it uses this SOP code/CRC seed:
	Binding sopcode: {0x3C, 0x37, 0xCC, 0x91, 0xE2, 0xF8, 0xCC, 0x91}
	Binding crcseed: 0x5a5a
	
	The transmitter appears to wait for the receiver to initiate binding, not the other way around.
	The transmitter never sent anything while in binding mode, only continuously checked for received packets.
"Idle" packet:					01 00 02 fb 02 f5 02 ee 00 00 00 00 02 ee 00 00
"Trigger somewhat pulled" packet:		01 00 02 f6 03 19 02 ee 00 00 00 00 02 ee 00 00
"Steering right" packet:			01 00 03 dc 02 f8 02 ee 00 00 00 00 02 ee 00 00
"Steering left" packet:				01 00 01 f5 02 f8 02 ee 00 00 00 00 02 ee 00 00
Trim adjusts steering output, as expected.
WIP Packet architecture:	aaaa cccc bbbb eeee dddd gggg ffff hhhh
	aaaa
		Packet type and/or "channel" ID?
			Never seen anything except 0x0100 here, but I only have one transmitter/receiver pair.
	bbbb
		Channel 1
			Range: Unknown, seems centered on ~0x02f5, probably roughly the same as Channel 2.
			Used for: Throttle
			
			Higher value is forward, lower value is reverse.
	cccc
		Channel 2
			Range: Seems to be roughly 0x01f5 - 0x03dc, center is ~0x02fb
			Used for: Steering
			
			Higher value is right, lower value is left.
	dddd
		Channel 3?
			Never seen anything except 0x0000 here
			Transmitter has an unpopulated "Channel 3" input marked on it's PCB, haven't tried hooking anything up to it yet.
	eeee
		Channel 4?
			Never seen anything except 0x02ee here
	ffff
		Channel 5?
			Never seen anything except 0x02ee here
	gggg
		Channel 6?
			Never seen anything except 0x0000 here
	hhhh
		Channel 7 or unused checksum?
			Never seen anything except 0x0000 here.
			This being channel 7 would not match the pattern of all the other channels, might be an unused checksum field?Please Log in or Create an account to join the conversation.
- izzy84075
- 
				Topic Author 
- Offline
		Less
		More
		
			
	
		- Posts: 3
			
	
						18 Aug 2016 01:08		 -  18 Aug 2016 01:55		#52855
		by izzy84075
	
	
		
			
	
	
			 		
	
												
	
				Replied by izzy84075 on topic Traxxas TQ			
			
				Hooked a pot up to the unpopulated CH3 input on the PCB, and nothing happened in the radio packets. Looking a bit closer at the pinout of the MCU, it wouldn't even actually be able to read a pot there, so I'm not sure what's going on there... Oh, it's an STM8S005K6 , by the way. The receiver has the same radio/processor pairing.
I do have an ST development kit, I should try connecting to this and see if I can dump it...
EDIT: Flash is protected on the MCU, sadly.
					I do have an ST development kit, I should try connecting to this and see if I can dump it...
EDIT: Flash is protected on the MCU, sadly.
		Last edit: 18 Aug 2016 01:55  by izzy84075.			
			Please Log in or Create an account to join the conversation.
		Time to create page: 0.027 seconds	
- 
											Home
					
											
							  
- 
											Forum
					
											
							  
- 
											Development
					
											
							  
- 
											Protocol Development
					
											
							  
- Traxxas TQ
