Furibee F36 protocol attempt

xxx (Topic Author, Posts: 43):
Findings:
I used an nrf24 to attempt to find packets, and used carrier detect to find likely channels.
So far it seems bind is on channel 2; it lasts for about 1 second. If throttle is high, the bind signal finishes, and I presume the tx waits until throttle is lowered.
Rate is 1Mbps.
The tx sends large packets, possibly continuous. The payload length is over 32 and possibly over 64. Within the payload there are several repeating sequences of a few bytes.
After bind, I am receiving data on ch 54, maybe other channels as well, as I have not thoroughly searched all channels.
The packets also seem to have very long length, and have a number of repeating sequences, some of 8 bytes repeating several times in a row. I have not been able to find any bytes that change with stick movements, and I have checked at least 64 consecutive bytes (believed to be).
In conclusion, it seems the protocol will not be nrf24 compatible, due to the use of long packets. There is also likely to be a FEC scheme, or some other kind of encoding, which masks visible changes with changes in tx inputs.
Example bind sequence (part of a larger stream) on ch 2:
144 46 160 12 30 211 136 142 144 46 181 43 225 1 131 142 226 201 181 43 225 1 131 142 226 201 140 176 164 138 126
Example data stream (part of a larger stream) on ch 54:
78 34 195 43 64 103 203 154 76 13 120 109 14 87 16 10 212 175 132 6 14 59 139 39 48 99 248 ***170 *** 85 145
The above are likely not bit aligned as I was unable to find a definite start, although I found what looks like an end (it has 255 at the end before noise).
Perhaps this will help others somehow. For sniffing I used the 2 bytes nrf address option (not listed in the datasheet) and pieces of packets, to stitch together into larger portions.
silverxxx
magic_marty (Posts: 706):
Any progress on deviating the F36? I have 2 and would love to fly them with my 12s..
Until then I'm going to have to unsolder the gimbals in one of the transmitters and switch them around so I can fly on mode 3.. Really sux doing it cause I did one of my cx10 tx before it was added to deviation..
xxx (Topic Author, Posts: 43):
Seems it would be LT8910 or similar radio, which I don't have around the place.
silverxxx
bikemike (Posts: 42):
xxx wrote: Rate is 1Mbps.
The tx sends large packets, possibly continuous. The payload length is over 32 and possibly over 64. Within the payload there are several repeating sequences of a few bytes.
How did you determine that the bitrate is 1Mbps and that the payload is more than 32 bytes?
Did you find an address to use that would allow you to receive packets without all the noise that comes with sniffing with a 2 byte address (0x00 0x55 or 0x00 0xAA)?
xxx (Topic Author, Posts: 43):
To find it's over 32 bytes, I used a sequence from the middle of the payload as the address for the next payload, and stitched them together. Sadly I stitched them together many times and never got a full packet.
There are also many 8 byte sequences that repeat in the stream, sometimes with small differences in some bytes.
I haven't found a definite start of the packet. I think you can use a larger address size; the 0x55 preamble seems not necessary, so you can use anything in the middle of the packet, but I might be wrong.
The main issue is the nrf24 won't receive over 32 bytes, and due to the repeating sequences in the stream, there are some places you can't "skip" past as they repeat too many times. I think a lt8910 is required for this.
Note also, the posted sequences are likely not bit aligned correctly. I have also tried an 8to10 decoder, which is one encoding supported by the LT89xx; that did not work out. The LT89xx also supports 1 to 3 FEC and interleaving, and if those were used, they would explain why there are so many repeating 8 byte sequences imo.
silverxxx
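The "stitching" method from the first post and the reply above (capture 32 bytes, take a byte pair from the middle of that capture as the next 2-byte nRF24 address, capture again, overlap the pieces) can be written down as a small reassembly routine. The code below is an added example for this thread, not code from silverxxx or from Deviation. It assumes a simplified model of the radio: in 2-byte-address mode the nRF24 delivers the 32 bytes that follow the address match. The air streams used to exercise it are constructed, not F36 captures; the second one contains an 8-byte run repeated six times to reproduce the "can't skip past it" failure silverxxx describes, which the anchor chooser reports instead of silently mis-aligning.

```python
"""Reassemble an over-the-air stream longer than the nRF24's 32-byte payload
from overlapping 2-byte-address captures (the "stitching" method from the thread)."""
from typing import List, Tuple

NRF_MAX_PAYLOAD = 32   # bytes one nRF24L01 receive can deliver


def occurrences(stream: bytes, pattern: bytes) -> List[int]:
    """All (overlapping) offsets at which pattern appears in stream."""
    return [i for i in range(len(stream) - len(pattern) + 1)
            if stream[i:i + len(pattern)] == pattern]


def choose_next_address(stream: bytes, from_offset: int) -> bytes:
    """Pick the first byte pair at or after from_offset that occurs exactly once
    in what has been reassembled so far.  A pair that repeats (the 8-byte runs
    seen in the F36 stream) is unusable: the radio could sync on any copy and
    the next fragment would be mis-aligned."""
    for off in range(max(from_offset, 0), len(stream) - 1):
        pair = bytes(stream[off:off + 2])
        if len(occurrences(stream, pair)) == 1:
            return pair
    raise ValueError(f"no unique 2-byte anchor after offset {from_offset}: "
                     "the stream repeats here and cannot be skipped past")


def extend(stream: bytes, address: bytes, payload: bytes) -> bytes:
    """Append one capture made with `address`.  The radio delivers the bytes that
    FOLLOW the address, so the capture must agree with what we already hold
    after the anchor, and then extends the stream."""
    hits = occurrences(stream, address)
    if len(hits) != 1:
        raise ValueError(f"anchor {address.hex()} occurs {len(hits)} times in stream")
    start = hits[0] + len(address)
    known = stream[start:]
    if payload[:len(known)] != known:
        raise ValueError("capture disagrees with bytes already reassembled")
    return stream + payload[len(known):]


def stitch(captures: List[Tuple[bytes, bytes]]) -> bytes:
    """captures: (address used, payload delivered), in capture order.  The first
    address is the known sync pattern and is kept as the stream start (assumption)."""
    sync, first = captures[0]
    stream = sync + first
    for address, payload in captures[1:]:
        stream = extend(stream, address, payload)
    return stream


# ---- model of the radio, so the method can be exercised offline (assumption) ----
def simulate_capture(frame: bytes, address: bytes) -> bytes:
    """An nRF24 in 2-byte-address mode: deliver the 32 bytes after the first
    place the address pattern appears in the air stream."""
    i = frame.find(address)
    if i < 0:
        raise ValueError("address never appears on air")
    return frame[i + len(address): i + len(address) + NRF_MAX_PAYLOAD]


def reconstruct(frame: bytes, sync: bytes, max_rounds: int = 20) -> bytes:
    """Capture, pick a fresh unique anchor near the end of what we have,
    capture again, until the whole frame is covered."""
    captures = [(sync, simulate_capture(frame, sync))]
    stream = stitch(captures)
    for _ in range(max_rounds):
        if len(stream) >= len(frame):
            break
        # anchor 8 bytes before the end so the next capture overlaps a little
        address = choose_next_address(stream, len(stream) - 8)
        captures.append((address, simulate_capture(frame, address)))
        stream = stitch(captures)
    return stream


# Constructed air streams (not F36 captures):
FRAME_UNIQUE = bytes(range(96))                 # every byte pair occurs once
FRAME_REPEATING = (b"\x00\x01"
                   + bytes([0x90, 0x2e, 0xb5, 0x2b, 0xe1, 0x01, 0x83, 0x8e]) * 6
                   + bytes(range(0x20, 0x40)))  # an 8-byte run repeated 6 times

if __name__ == "__main__":
    print("unique stream reassembled:", reconstruct(FRAME_UNIQUE, b"\x00\x01") == FRAME_UNIQUE)
    try:
        reconstruct(FRAME_REPEATING, b"\x00\x01")
    except ValueError as err:
        print("stuck:", err)
```

On the constructed streams the first one reassembles completely in three extra captures, while the repeating one stops with an error as soon as every candidate anchor near the end of the stream is a repeated pair; with real captures the same check tells you the address you are about to program is ambiguous before you waste a capture on it.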
magic_marty (Posts: 706):
How much does an over-the-air sniffer cost? I would be interested in investing in one if not too expensive, but have no experience using such equipment..
bikemike (Posts: 42):
In my initial testing with the receive power detector I see activity on ch 60-63, 67-69, 73-75, and 79-81.
Sniffing channel 68 and channel 80 I found the following stream of bytes repeated somewhat often:
A AA AA 60 C7 F1 54 AB 22 92 90 58 C5 54 C3 61 98 16 F6 27 98 18 
and 
A AA AA 98 31 FC 55 2A C8 A4 A4 16 31 55 30 D8 66 5 BD 89 E6 6 
and
55 54 C1 8F E2 A9 56 45 25 20 B1 8A A9 86 C3 30 2D EC 4F 30 30
I'm sure there are others but I've only taken a quick glance at the captures.
xxx (Topic Author, Posts: 43):
I also tried a 3 byte address; that seemed to not receive anything, presumably because the preamble is missing.
silverxxx
goebish (NRF Weirdo, Posts: 2633):
I might get an F36 to give it a try too. I'm currently working on the gw008 which doesn't have an exposed spi bus either. It's almost done; I have to add some code to the xn297 emulation layer because this protocol is using the xn297 enhanced packet format (10 bit PCF between address and payload fields), which has never been implemented until now.
I used SDR (hackrf+gnuradio+custom code) to sniff and decode the packets from stock Tx.
goebish (NRF Weirdo, Posts: 2633):
uint8_t addr[] = { 0x0f, 0x71}; // xn297 preamble is 0x710f55
If an xn297 is transmitting on this channel at the proper bitrate you should receive packets in this form:
55 2f 7d 87 26 49 a3 62 4c 9e 91 9c 30 92 69 ee 1f c7 62 .....
Ignore the first 55, which is the end of the xn297 preamble; the following bytes are the address (scrambled and in reverse order), then (optionally) the 10 bit PCF (scrambled), then the payload (scrambled and bit reversed), then the crc + (eventually) 6 bits of noise because of the 2 bit shift introduced by the PCF.
xxx (Topic Author, Posts: 43):
What is the 10 bit PCF and when is it sent? I don't remember anything like this in the datasheet, but of course it's in Chinese. Is it to do with ack?
silverxxx
goebish (NRF Weirdo, Posts: 2633):
7 bit payload length
2 bit pcf id (incremented after an ack packet is received or after too many retries without receiving an ack)
1 bit no_ack flag (ask for an ACK if 0)
This is the datasheet I have, XN297L ("debug registers" are not the same as in the non-L version), v1.6, Chinese only:
drive.google.com/file/d/0B9Xtm43hpQfbV3l...YkU/view?usp=sharing
That's a pity the F36 isn't using an xn297 RF core; if it's using some sort of Manchester encoding, FEC and/or whitening it might not be easy ...
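To make goebish's two posts concrete (the nRF24 address {0x0f, 0x71} that lands on the tail of the 0x710f55 preamble, the reversed and scrambled address, the bit-reversed and scrambled payload, and the 7/2/1-bit layout of the PCF), here is an added example that decodes such a sniff in Python. It is not code from goebish, Deviation or nrf24_multipro. The whitening table is the one the Deviation/nrf24_multipro xn297 emulation layer uses, written down from memory, so check it against the project source; with it, the address in goebish's sample line comes out as cc cc cc cc cc. Only the plain format (no PCF, so no 2-bit shift) is descrambled; the PCF is handled separately as a 10-bit value, and the CRC bytes are returned but not verified, because the XN297 CRC also needs a per-length XOR-out constant that is not reproduced here.

```python
"""Descramble packets sniffed from an XN297 with an nRF24 in 2-byte-address mode,
and pack/unpack the enhanced-mode 10-bit PCF.  Added example, not project code."""
from typing import Optional, Tuple

# nRF24 2-byte address that matches the tail of the XN297 preamble 0x710f55
# (goebish's post); the 0x55 then arrives as the first "payload" byte.
NRF_SNIFF_ADDRESS = bytes([0x0f, 0x71])

# XN297 whitening sequence as used by the Deviation / nrf24_multipro xn297
# emulation (reproduced from memory: verify against the project source).
XN297_SCRAMBLE = bytes([
    0xe3, 0xb1, 0x4b, 0xea, 0x85, 0xbc, 0xe5, 0x66, 0x0d, 0xae, 0x8c, 0x88,
    0x12, 0x69, 0xee, 0x1f, 0xc7, 0x62, 0x97, 0xd5, 0x0b, 0x79, 0xca, 0xcc,
    0x1b, 0x5d, 0x19, 0x10, 0x24, 0xd3, 0xdc, 0x3f, 0x8e, 0xc5, 0x2f])


def bit_reverse(b: int) -> int:
    """Mirror the 8 bits of a byte (XN297 payload bytes are bit reversed on air)."""
    return int(f"{b:08b}"[::-1], 2)


def decode_sniffed(raw: bytes, addr_len: int = 5,
                   payload_len: Optional[int] = None) -> Tuple[bytes, bytes, bytes]:
    """raw = what the nRF24 delivered: 0x55, scrambled reversed address,
    scrambled bit-reversed payload, then CRC.  Plain (no PCF) format only.
    Returns (address, payload, crc); crc is empty when payload_len is unknown,
    in which case everything after the address is treated as payload."""
    if not raw or raw[0] != 0x55:
        raise ValueError("expected the 0x55 preamble tail as first byte")
    body = raw[1:]
    if len(body) < addr_len:
        raise ValueError("too short to contain the address")
    # unscramble positionally, then undo the reverse byte order
    address = bytes(body[i] ^ XN297_SCRAMBLE[i] for i in range(addr_len))[::-1]
    if payload_len is None:
        payload_len, crc = len(body) - addr_len, b""
    else:
        if len(body) < addr_len + payload_len:
            raise ValueError("too short for the stated payload length")
        crc = body[addr_len + payload_len: addr_len + payload_len + 2]
    payload = bytes(bit_reverse(body[addr_len + j] ^ XN297_SCRAMBLE[addr_len + j])
                    for j in range(payload_len))
    return address, payload, crc


def encode_for_air(address: bytes, payload: bytes) -> bytes:
    """Inverse of decode_sniffed, without CRC: what the sniffer would see."""
    rev = address[::-1]
    out = bytearray([0x55])
    out += bytes(rev[i] ^ XN297_SCRAMBLE[i] for i in range(len(rev)))
    n = len(rev)
    out += bytes(bit_reverse(p) ^ XN297_SCRAMBLE[n + j] for j, p in enumerate(payload))
    return bytes(out)


def unpack_pcf(pcf: int) -> Tuple[int, int, int]:
    """Split a 10-bit Packet Control Field into (payload_len, pid, no_ack):
    7-bit length, 2-bit packet id, 1-bit no_ack (ACK requested when 0)."""
    if not 0 <= pcf < (1 << 10):
        raise ValueError("PCF is a 10-bit value")
    return pcf >> 3, (pcf >> 1) & 0b11, pcf & 1


def pack_pcf(payload_len: int, pid: int, no_ack: int) -> int:
    return ((payload_len & 0x7f) << 3) | ((pid & 0b11) << 1) | (no_ack & 1)


# Start of the example capture quoted in goebish's post.
GOEBISH_SAMPLE = bytes.fromhex("55 2f 7d 87 26 49 a3 62 4c 9e 91 9c 30 92 69 ee 1f c7 62")

if __name__ == "__main__":
    addr, data, _ = decode_sniffed(GOEBISH_SAMPLE)
    print("address:", addr.hex(), " bytes after address:", data.hex())
    print("PCF for 16-byte payload, pid 2, ack wanted:", bin(pack_pcf(16, 2, 0)))
```

Sample bytes 14 to 18 of goebish's line (69 ee 1f c7 62) are exactly the table entries at those positions, which is what a run of zero payload bytes looks like after whitening, and the five address bytes all unscramble to 0xcc; both are useful sanity checks when you copy the table.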
bikemike (Posts: 42):
CHANNEL: 80, ADDR: 56 97 56 97 56, 250kbps (my tx hops between channels 61, 68, 74, and 80).
The bytes look somewhat consistently like this without sticks (and throttle down):
97 56 91 6E 96 D4 97 56 97 56 95 6E 96 D4 93 AD 95 57 A2 5A 55 15 AA 6A AA 6A B4 A2 55 11 6A AA
One similarity is that the locations where the bytes start changing are all 56 when centered and 57 when lowest for roll, pitch, and throttle.
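The step bikemike is doing here (hold the sticks still, capture, move one stick, capture again, see which byte positions move) is easy to automate once captures are labelled. The code below is an added example, not bikemike's tooling: it takes his neutral capture as the baseline, uses positions that stay constant across the neutral captures as the reference (so a counter or jittering byte is excluded rather than reported as a control), and reports for each labelled condition the positions that moved, their values and the bit mask that changed. The "roll_low" and "throttle_up" captures are constructed by altering arbitrary bytes of the neutral capture; they do not say where the F36 carries roll or throttle.

```python
"""Find which byte positions of a sniffed packet move with a control input by
comparing captures taken under labelled stick positions.  Added example."""
from typing import Dict, List

# Neutral capture quoted in bikemike's post (channel 80, address 56 97 56 97 56).
NEUTRAL = bytes.fromhex(
    "97 56 91 6E 96 D4 97 56 97 56 95 6E 96 D4 93 AD 95 57 A2 5A 55 15 AA 6A AA 6A B4 A2 55 11 6A AA")


def stable_positions(frames: List[bytes]) -> List[int]:
    """Positions whose byte is identical in every frame of one condition."""
    n = min(len(f) for f in frames)
    return [i for i in range(n) if len({f[i] for f in frames}) == 1]


def changed_positions(baseline: List[bytes], test: List[bytes]) -> Dict[int, dict]:
    """For each position that is constant in the baseline but differs in some
    test capture, report the baseline value, the values seen and the bits that moved."""
    n = min(len(f) for f in baseline + test)
    report: Dict[int, dict] = {}
    for i in stable_positions(baseline):
        if i >= n:
            continue
        base = baseline[0][i]
        seen = {f[i] for f in test}
        if seen != {base}:
            mask = 0
            for v in seen:
                mask |= v ^ base
            report[i] = {"baseline": base, "observed": sorted(seen), "bits": mask}
    return report


def analyse(captures: Dict[str, List[bytes]], baseline_label: str = "neutral") -> Dict[str, Dict[int, dict]]:
    """Run changed_positions for every labelled condition against the baseline."""
    return {label: changed_positions(captures[baseline_label], frames)
            for label, frames in captures.items() if label != baseline_label}


def with_bytes(frame: bytes, changes: Dict[int, int]) -> bytes:
    """Copy of frame with the given positions overwritten (used to build test data)."""
    b = bytearray(frame)
    for i, v in changes.items():
        b[i] = v
    return bytes(b)


# Constructed captures: the neutral set includes one frame with a different
# last byte (a moving counter would look like this), the others alter chosen
# bytes to stand in for captures taken with a stick moved.  Positions are arbitrary.
CAPTURES = {
    "neutral": [NEUTRAL, NEUTRAL, with_bytes(NEUTRAL, {31: 0xAB})],
    "roll_low": [with_bytes(NEUTRAL, {7: 0x57}), with_bytes(NEUTRAL, {7: 0x57})],
    "throttle_up": [with_bytes(NEUTRAL, {1: 0x55}), with_bytes(NEUTRAL, {1: 0x54})],
}

if __name__ == "__main__":
    for label, rep in analyse(CAPTURES).items():
        for pos, info in rep.items():
            print(f"{label}: byte {pos} {info['baseline']:02X} -> "
                  f"{[f'{v:02X}' for v in info['observed']]} bits {info['bits']:08b}")
```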
SirDomsen:
Keep it up!
xxx (Topic Author, Posts: 43):
I ran a 2 byte nrf address with random numbers and no signal, 1Mbps; this is what it comes up to:
The worst addresses for noise are those similar to 0x55 or 0xAA, basically with many alternating 1s and 0s.
The best, noise-proof addresses are those with long 0 or 1 sequences.
The packet counts are over 5 seconds, and the worst address lets in just over 200 packets per second.
So this would mean the internal nrf24 noise is made up of oscillating 0s and 1s very close together.
silverxxx
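silverxxx's finding above (alternating patterns like 0x55/0xAA let the most noise through, long runs of 0s or 1s the least) can be turned into a quick screen for candidate 2-byte sniffing addresses: count the bit transitions and the longest run, and sort. This is an added example, not silverxxx's measurement script; the metric only says how noise-prone an address is, it does not tell you whether the address will match anything the target transmits.

```python
"""Rank candidate 2-byte nRF24 sniffing addresses by how closely they resemble
the alternating 0/1 pattern that lets internal receiver noise through.  Added example."""
from typing import List, Tuple


def transitions(value: int, bits: int = 16) -> int:
    """Number of adjacent 0<->1 changes in the bit string (0x5555 -> 15, 0xFF00 -> 1)."""
    mask = (1 << bits) - 1
    value &= mask
    # XOR with a one-bit shift marks every position where a bit differs from its neighbour
    return bin((value ^ (value >> 1)) & (mask >> 1)).count("1")


def longest_run(value: int, bits: int = 16) -> int:
    """Length of the longest run of identical bits."""
    s = f"{value & ((1 << bits) - 1):0{bits}b}"
    best = cur = 1
    for a, b in zip(s, s[1:]):
        cur = cur + 1 if a == b else 1
        best = max(best, cur)
    return best


def rank_addresses(candidates: List[int]) -> List[Tuple[int, int, int]]:
    """Sort candidates best-first: fewest transitions, then longest run.
    Returns (address, transitions, longest_run) tuples."""
    scored = [(a, transitions(a), longest_run(a)) for a in candidates]
    return sorted(scored, key=lambda t: (t[1], -t[2], t[0]))


if __name__ == "__main__":
    # constructed candidate list; 0x5555 and 0xAAAA are the worst cases from the post
    for addr, tr, run in rank_addresses([0x5555, 0xAAAA, 0xFF00, 0xC3C3, 0x0001]):
        print(f"0x{addr:04X}: {tr:2d} transitions, longest run {run:2d}")
```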