Furibee F36 protocol attempt

03 Feb 2017 01:56 - 03 Feb 2017 02:03 #58679 by xxx
Furibee F36 protocol attempt was created by xxx
I have attempted to find more info about the Furibee F36 protocol. As you may know, the quad and tx both use single MCU/RF ICs, and as such there is no SPI to sniff as far as I know. There are no markings on either chip.

Findings:

I used a nrf24 to attempt to find packets, and used carrier detect to find likely channels.

So far it seems bind is on channel 2; it lasts for about 1 second. If throttle is high, the bind signal finishes, and I presume the tx waits until throttle is lowered.

Rate is 1Mbps.

The tx sends large packets, possibly continuous. The payload length is over 32 and possibly over 64. Within the payload there are several repeating sequences of a few bytes.

After bind, I am receiving data on ch 54, maybe other channels as well as I have not thoroughly searched all channels.

The packets also seem to have a very long length, and have a number of repeating sequences, some of 8 bytes repeating several times in a row. I have not been able to find any bytes that change with stick movements, and I have checked at least 64 consecutive bytes (believed to be).

In conclusion, it seems the protocol will not be nrf24 compatible, due to the use of long packets. There is also likely to be a FEC scheme, or some other kind of encoding, which masks visible changes with changes in tx inputs.

Example bind sequence (part of a larger stream) on ch 2:
144 46 160 12 30 211 136 142 144 46 181 43 225 1 131 142 226 201 181 43 225 1 131 142 226 201 140 176 164 138 126

Example data stream (part of a larger stream) on ch 54:
78 34 195 43 64 103 203 154 76 13 120 109 14 87 16 10 212 175 132 6 14 59 139 39 48 99 248 170 85 145

The above are likely not bit aligned as I was unable to find a definite start, although I found what looks like an end (it has 255 at the end before noise).

Perhaps this will help others somehow. For sniffing I used the 2-byte nrf address option (not listed in the datasheet) and pieces of packets, to stitch together into larger portions.

silverxxx
Last edit: 03 Feb 2017 02:03 by xxx.

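The repeating-sequence and bit-alignment observations in the post above, as an added example that is not silverxxx's code: a small Python analysis that searches a sniffed byte stream for repeated n-byte windows under all 8 bit alignments. The stream is the bind-channel sequence quoted above; the alignment search is an assumption about how such captures are usually cleaned up, not something the post describes doing.

```python
from collections import defaultdict

# Constructed from the bind-channel (ch 2) bytes quoted in the post above.
BIND_STREAM = bytes([144, 46, 160, 12, 30, 211, 136, 142, 144, 46, 181, 43,
                     225, 1, 131, 142, 226, 201, 181, 43, 225, 1, 131, 142,
                     226, 201, 140, 176, 164, 138, 126])


def shift_bits(data, k):
    """Re-align a capture by discarding its first k bits (0 <= k < 8).

    A sniffer that locks onto an arbitrary byte of a long packet is not
    guaranteed to be byte aligned with the transmitter, so repeats may only
    show up after shifting. Trailing bits that no longer fill a byte are dropped.
    """
    n = int.from_bytes(data, "big")
    total_bits = len(data) * 8 - k
    n &= (1 << total_bits) - 1        # drop the leading k bits
    n >>= total_bits % 8              # keep whole bytes only
    return n.to_bytes(total_bits // 8, "big")


def find_repeats(data, n, min_count=2):
    """Map every n-byte window seen at least min_count times to its offsets."""
    seen = defaultdict(list)
    for i in range(len(data) - n + 1):
        seen[bytes(data[i:i + n])].append(i)
    return {w: offs for w, offs in seen.items() if len(offs) >= min_count}


def best_alignment(data, n):
    """Try all 8 bit shifts; return (shift, repeats) for the shift that exposes
    the most distinct repeated n-byte windows (ties go to the smaller shift)."""
    best = (0, {})
    for k in range(8):
        reps = find_repeats(shift_bits(data, k), n)
        if len(reps) > len(best[1]):
            best = (k, reps)
    return best


if __name__ == "__main__":
    shift, reps = best_alignment(BIND_STREAM, 8)
    print(f"best shift: {shift} bits")
    for window, offsets in reps.items():
        print(" ".join(str(b) for b in window), "at offsets", offsets)
```

On the quoted bind bytes this finds the 8-byte run 181 43 225 1 131 142 226 201 at offsets 10 and 18 with no shift needed, which matches the observation of 8-byte sequences repeating back to back.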
03 Feb 2017 17:10 #58699 by magic_marty
Replied by magic_marty on topic Furibee F36 protocol attempt
I hope somebody does decode the protocol, this looks like a kickazz little quad..I ordered one recently and plan on putting an AIO camera on it, but I fly on mode 3 which sucks cause all these and others only come on mode 1 which makes it difficult for me to fly..So hopefully it will be added to the long list of compatible models for deviation..Fingers crossed!

11 Feb 2017 06:25 #59051 by magic_marty
Replied by magic_marty on topic Furibee F36 protocol attempt
Any progress on deviating the F36? I have 2 and would love to fly them with my 12s..
Until then I'm going to have to unsolder the gimbals in one of the transmitters and switch them around so I can fly on mode 3..Really sux doing it cause I did one of my cx10 tx before it was added to deviation..

11 Feb 2017 06:35 #59052 by xxx
Replied by xxx on topic Furibee F36 protocol attempt
I gave up as it looked to me I can't use a nrf24 to get further.

Seems it would be LT8910 or similar radio, which I don't have around the place.

silverxxx

11 Feb 2017 06:40 #59053 by magic_marty
Replied by magic_marty on topic Furibee F36 protocol attempt
I have the 4n1 module installed in my 12s any chance one of the other modules would bind to it?

11 Feb 2017 08:21 #59056 by xxx
Replied by xxx on topic Furibee F36 protocol attempt
It's really doubtful but anything is possible I guess

silverxxx

11 Feb 2017 09:08 #59058 by magic_marty
Replied by magic_marty on topic Furibee F36 protocol attempt
I tried all the different protocols and no luck, so I swapped the gimbals and rewired the pots; at least now I can fly it on mode 3, but those little toy transmitters suck compared to a full size tx...Maybe somebody will figure it out soon, this is such a great little quad not to be on deviation..Really looking forward to my FuriBee F3 EVO Brushed Flight Controller to get here so I can bind it to my 12s...

15 Feb 2017 23:16 #59171 by bikemike
Replied by bikemike on topic Furibee F36 protocol attempt

xxx wrote: Rate is 1Mbps.

The tx sends large packets, possibly continuous. The payload length is over 32 and possibly over 64. Within the payload there are several repeating sequences of a few bytes.


How did you determine that the bitrate is 1Mbps and that the payload is more than 32 bytes?

Did you find an address to use that would allow you to receive packets without all the noise that comes with sniffing with a 2 byte address (0x00 0x55 or 0x00 0xAA)?

16 Feb 2017 00:18 #59175 by xxx
Replied by xxx on topic Furibee F36 protocol attempt
I used 2mbps originally and the bits were doubled up.

To find it's over 32 bytes, I used a sequence from the middle of the payload as the address for the next payload, and stitched them together. Sadly I stitched them together many times and never got a full packet.

There are also many 8 byte sequences that repeat in the stream, sometimes with small differences in some bytes.

I haven't found a definite start of the packet, I think you can use a larger address size, the 0x55 preamble seems not necessary so you can use anything in the middle of the packet, but I might be wrong.

The main issue is the nrf24 won't receive over 32 bytes, and due to the repeating sequences in the stream, there are some places you can't "skip" past as they repeat too many times. I think an LT8910 is required for this.

Note also, the posted sequences are likely not bit aligned correctly. I have also tried an 8-to-10 decoder, which is one supported encoding by the LT89xx; that did not work out. The LT89xx also supports 1 to 3 FEC and interleaving, and if those were used, they would explain why there are so many repeating 8 byte sequences imo.

silverxxx

17 Feb 2017 05:07 #59218 by magic_marty
Replied by magic_marty on topic Furibee F36 protocol attempt
So is there still a little hope or we just crap out of it?

How much does an over-the-air sniffer cost? I would be interested in investing in one if not too expensive, but I have no experience using such equipment..

17 Feb 2017 07:01 #59222 by bikemike
Replied by bikemike on topic Furibee F36 protocol attempt
There may still be hope. It's hard to say.

In my initial testing with the receive power detector I see activity on ch 60-63, 67-69, 73-75, and 79-81.

Sniffing channel 68 and channel 80 I found the following stream of bytes repeated somewhat often:

A AA AA 60 C7 F1 54 AB 22 92 90 58 C5 54 C3 61 98 16 F6 27 98 18 

and 

A AA AA 98 31 FC 55 2A C8 A4 A4 16 31 55 30 D8 66 5 BD 89 E6 6 

and

55 54 C1 8F E2 A9 56 45 25 20 B1 8A A9 86 C3 30 2D EC 4F 30 30  

I'm sure there are others but I've only taken a quick glance at the captures.

17 Feb 2017 21:18 #59250 by SirDomsen
Replied by SirDomsen on topic Furibee F36 protocol attempt
Goebish stated in the GW008 protocol thread that it might be possible to emulate it with a CC2500. Perhaps use a cc2500 for sniffing?

17 Feb 2017 21:52 #59252 by xxx
Replied by xxx on topic Furibee F36 protocol attempt
I tried some addresses from those posted by bikemike but I didn't get anything to receive.

I also tried a 3 byte address; that seemed to not receive anything, presumably because the preamble is missing.

silverxxx

19 Feb 2017 19:49 - 19 Feb 2017 20:05 #59331 by goebish
Replied by goebish on topic Furibee F36 protocol attempt
Just found this thread, thanks @koss ;)

I might get an F36 to give it a try too. I'm currently working on the gw008 which doesn't have an exposed SPI bus either. It's almost done, I have to add some code to the xn297 emulation layer because this protocol is using the xn297 enhanced packet format (10 bit PCF between address and payload fields), which has never been implemented until now.
I used SDR (hackrf+gnuradio+custom code) to sniff and decode the packets from the stock Tx.
Last edit: 19 Feb 2017 20:05 by goebish.

19 Feb 2017 20:23 - 21 Feb 2017 15:21 #59333 by goebish
Replied by goebish on topic Furibee F36 protocol attempt
There's a simple way to check if the RF is XN297 compatible, set your nrf24 listener to this 2 byte address:
uint8_t addr[] = { 0x0f, 0x71}; // xn297 preamble is 0x710f55
If a xn297 is transmitting on this channel at proper bitrate you should receive packets in this form:
55 2f 7d 87 26 49 a3 62 4c 9e 91 9c 30 92 69 ee 1f c7 62 .....
Ignore the first 55, which is the end of the xn297 preamble; the following bytes are the address (scrambled and in reverse order), then (optionally) the 10 bit PCF (scrambled), then the payload (scrambled and bit reversed), then the crc + (eventually) 6 bits of noise because of the 2 bit shift introduced by the PCF.
Last edit: 21 Feb 2017 15:21 by goebish.

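The XN297 framing goebish describes above, as an added example that is not his code or any project's: a Python parser that undoes the address and payload scrambling of a raw frame captured with the 0x0f 0x71 address trick. The scramble table is the one used by the open-source xn297 emulation in DeviationTX's nrf24l01 driver; the 10 bit PCF variant and the CRC are not handled, and the sample frame is the one quoted in the post.

```python
# Scramble table of the XN297 as used by DeviationTX's open-source xn297
# emulation (nrf24l01 driver). Index 0 lines up with the first address byte.
XN297_SCRAMBLE = bytes([
    0xe3, 0xb1, 0x4b, 0xea, 0x85, 0xbc, 0xe5, 0x66, 0x0d, 0xae, 0x8c, 0x88,
    0x12, 0x69, 0xee, 0x1f, 0xc7, 0x62, 0x97, 0xd5, 0x0b, 0x79, 0xca, 0xcc,
    0x1b, 0x5d, 0x19, 0x10, 0x24, 0xd3, 0xdc, 0x3f, 0x8e, 0xc5, 0x2f])

# The frame goebish quoted above, as an nRF24 listening on address 0x0f 0x71
# delivers it: the leading 0x55 is the tail of the 0x710f55 preamble.
SAMPLE_FRAME = bytes.fromhex(
    "55 2f 7d 87 26 49 a3 62 4c 9e 91 9c 30 92 69 ee 1f c7 62")


def bit_reverse(b):
    return int(f"{b:08b}"[::-1], 2)


def unscramble_frame(raw, addr_len, payload_len):
    """Undo XN297 scrambling on a raw frame (no PCF, CRC not checked).

    Returns (address, payload). The address travels scrambled and in reverse
    byte order; the payload travels scrambled and bit reversed, with the
    scramble index continuing where the address left off.
    """
    if not raw or raw[0] != 0x55:
        raise ValueError("frame does not start on the preamble tail 0x55")
    body = raw[1:]
    if len(body) < addr_len + payload_len:
        raise ValueError("capture shorter than address + payload")
    addr = bytes(body[i] ^ XN297_SCRAMBLE[i] for i in range(addr_len))[::-1]
    payload = bytes(bit_reverse(body[addr_len + i] ^ XN297_SCRAMBLE[addr_len + i])
                    for i in range(payload_len))
    return addr, payload


def scramble_frame(addr, payload):
    """Inverse of unscramble_frame; used to build constructed test frames."""
    n = len(addr)
    out = bytearray([0x55])
    out += bytes(addr[n - 1 - i] ^ XN297_SCRAMBLE[i] for i in range(n))
    out += bytes(bit_reverse(p) ^ XN297_SCRAMBLE[n + i] for i, p in enumerate(payload))
    return bytes(out)


if __name__ == "__main__":
    addr, payload = unscramble_frame(SAMPLE_FRAME, addr_len=5, payload_len=13)
    print("address:", addr.hex(" "), "payload:", payload.hex(" "))
```

On the quoted frame the address comes out as cc cc cc cc cc and the last five payload bytes as zeros, which is a handy sanity check that a listener really is byte aligned on the preamble.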
19 Feb 2017 23:12 #59343 by xxx
Replied by xxx on topic Furibee F36 protocol attempt
Yes, I forgot to mention, it's not xn297 compatible, it was the first thing I tried.

What is the 10 bit PCF and when is it sent? I don't remember anything like this in the datasheet, but of course it's in Chinese. Is it to do with ack?

silverxxx

19 Feb 2017 23:15 - 21 Feb 2017 15:26 #59344 by goebish
Replied by goebish on topic Furibee F36 protocol attempt
7 bit payload length
2 bit pcf id (incremented after an ack packet is received or after too many retries without receiving an ack)
1 bit no_ack flag (ask for an ACK if 0)

This is the datasheet I have, XN297L ("debug registers" are not the same as in the non-L version), v1.6, Chinese only
drive.google.com/file/d/0B9Xtm43hpQfbV3l...YkU/view?usp=sharing

That's a pity the F36 isn't using a xn297 RF core, if it's using some sort of Manchester encoding, FEC and/or whitening it might not be easy ...
Last edit: 21 Feb 2017 15:26 by goebish.

20 Feb 2017 07:47 #59358 by bikemike
Replied by bikemike on topic Furibee F36 protocol attempt
I tried finding an address where I could see changes when moving the sticks. I'm not sure if this is helpful in any way but I finally found one that shows changes when I move the sticks:

CHANNEL: 80, ADDR: 56 97 56 97 56, 250kbps (my tx hops between channels 61, 68, 74, and 80).

The bytes look somewhat consistently like this without sticks (and throttle down):
97 56 91 6E 96 D4 97 56 97 56 95 6E 96 D4 93 AD 95 57 A2 5A 55 15 AA 6A AA 6A B4 A2 55 11 6A AA 
Roll seems to affect most of the packets starting at byte 2. Pitch affects bytes starting at 10. Throttle affects the bytes starting at 18. Yaw affects bytes starting at 27.

One similarity is that the locations where the bytes start changing are all 56 when centered and 57 when lowest for roll, pitch, and throttle.

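The per-stick offset search bikemike describes above, as an added example that is not his code: a Python helper that compares captures taken with the sticks centred against captures taken with one stick deflected and reports the byte offsets that only move with the stick. The centred packet is the 32-byte dump he posted; the deflected captures and the noisy trailing byte are constructed to show how offsets that already vary at rest are filtered out.

```python
# The 32-byte "sticks centred" packet bikemike posted (channel 80, 250kbps).
CENTRED = bytes.fromhex(
    "97 56 91 6E 96 D4 97 56 97 56 95 6E 96 D4 93 AD "
    "95 57 A2 5A 55 15 AA 6A AA 6A B4 A2 55 11 6A AA")


def with_changes(base, changes):
    """Copy of base with the given {offset: value} bytes replaced."""
    b = bytearray(base)
    for off, val in changes.items():
        b[off] = val
    return bytes(b)


# Constructed captures: two at rest (one with a noisy last byte, as a real
# capture might show) and two with roll pushed, differing at offsets 2..4.
AT_REST = [CENTRED, with_changes(CENTRED, {31: 0x55})]
ROLL_MOVED = [with_changes(CENTRED, {2: 0x57, 3: 0x6A, 4: 0x95}),
              with_changes(CENTRED, {2: 0x57, 3: 0x69, 4: 0x95})]


def changing_offsets(baseline, moved):
    """Offsets that are constant across all baseline captures but differ in at
    least one moved capture. Offsets that already vary at rest (noise,
    counters, hop bookkeeping) are ignored so they are not mistaken for a stick."""
    n = min(len(p) for p in baseline + moved)
    stable = [i for i in range(n) if len({p[i] for p in baseline}) == 1]
    return [i for i in stable if any(p[i] != baseline[0][i] for p in moved)]


def first_changing_offset(baseline, moved):
    """The byte at which a stick's influence starts, or None if nothing moved."""
    offs = changing_offsets(baseline, moved)
    return offs[0] if offs else None


if __name__ == "__main__":
    print("roll changes offsets", changing_offsets(AT_REST, ROLL_MOVED))
    print("roll starts at byte", first_changing_offset(AT_REST, ROLL_MOVED))
```

Feed it one capture set per stick (roll, pitch, throttle, yaw) against the same at-rest set to recover a starting-offset table like the one in the post.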
20 Feb 2017 08:11 #59359 by SirDomsen
Replied by SirDomsen on topic Furibee F36 protocol attempt
Yeah, I love the way you guys hack these toys. Full of enthusiasm. Always cool to read about any progress B) Keep it up!

21 Feb 2017 00:51 - 21 Feb 2017 00:53 #59388 by xxx
Replied by xxx on topic Furibee F36 protocol attempt
In a somewhat unrelated way, I wanted to find out why some addresses let a lot of fake packets in, while others are better.

I ran a 2 byte nrf address with random numbers and no signal, 1Mbps, this is what it comes up to:

The worst addresses for noise are those similar to 0x55 or 0xAA , basically with many alternate 1s and 0s.

The best, noise proof addresses are those with long 0 or 1 sequences

The packet counts are over 5 seconds, and the worst address lets in just over 200 packets per second.

So this would mean the internal nrf24 noise is made up of oscillating 0 and 1 very close together.

silverxxx
Last edit: 21 Feb 2017 00:53 by xxx.
