protocol for WL Heli V911-s

I am looking for a protocol to control the WL Heli V911-s with the Devo.

Have you tried all available protocols and sub protocols?
From what I can see it should use flysky...

Yes I have.
There is no mode 1 transmitter. For this reason I want to fly with the Devo transmitter.

www.rcgroups.com/forums/showthread.php?3101508-Wl-v911s

Do yourself a favor and start with helis and quads on mode 2 (mode 3 is also suitable for pilots who want to have the throttle on the right stick), mode 1 & 4 is not good on these.
It will be more easy to have AIL & ELV on one stick.
After four decades on mode1 I switched for this reason nearly five years ago to mode 2 and since last year I even fly my planes on this mode.

I've looked at the mentioned RC groups link and 1 guy states that he has tried all the protocols without luck. They are using an all in one pan163cx RF chip so no spi dump.
If you are willing to send me the TX and heli I can try an over the air attack.
Pascal

Hello planger.. Thanks for the offer. My home country is Germany.
geobish ..gwoo8.. no function.

Dieter

Both goebish and I are located in France so not so far for shipping.
goebish in his precedent post was explaining that he has already used the attack over the air to reverse engineer the protcol gw008 (it was not for you to try), so he has first hand experience. On my side, I've also done some lately but only using a nrf as the receiver.
You are the one to choose if you want and where you want to send it.
Pascal

Thank you for your offer. By DHL, the heli is fast in France.
I'm going to send him to Geobish.
Please send me the address by PM.

dieter

ok..to Pascal..

planger wrote: I've looked at the mentioned RC groups link and 1 guy states that he has tried all the protocols without luck. They are using an all in one pan163cx RF chip so no spi dump.
If you are willing to send me the TX and heli I can try an over the air attack.
Pascal

I think that's me. I tried all protocols and most sub options and parameters except for enabling telemetry.
Here are the testing details: www.rcgroups.com/forums/showpost.php?p=40174852&postcount=135

I live in the northwest US and have a TX and heli available for snooping by any established Deviation developer in the US. I will be out of town off and on for the next few weeks, so it may take me a couple of days to respond.

Attached is a photo of the V911S TX main board. There are no components on the back side.

Just to give some news:

• Since it's a PAN chip and PAN is manufacturing the XN297, I first looked if the packets have the XN297 SYNC/MAC which is not the case
• I then tried sniffing with the NRF24L01 all frequencies/all rates with sync 0x55/0xAA but I couldn't correlate anything from the noise...
• I'm now trying to look at the packets from a SDR device.
  • This is my first time in this area so I need to learn.
  • The bind time is really small so I've looked for packets only for normal mode. I've settled on one frequency 2426GHz to study the packet within the hopping.
  • You can see where I am with the attached picture.

Next steps:

• I'll go back to the NRF and focus on this specific frequency now that I have one to focus on.
• Try to decode the packets within the SDR.

I am surprized they changed the RFchip for the new 911S.... now it's XN297 based .... ...
Hope guru's here will unbrick this one fast

Howdy
Anyone make any headway on this one , or is it looking grim?

Haven't spent enough time on it yet. Please be patient.
Pascal

I finally had some proper time to look at it and I've made small progress today.
It looks like it's a xn297l. At least the signature looks like it from decoding the first bytes of the payload (71 0F 55) through SDR.
I haven't looked at all at the payload content yet (ran out of time), just an outside view for now.
It's running @250Kbps and send something like 24 bytes including CRC after the sync word (to be verified).
The bind info seems to be sent on RF channel 35 at a really high rate 2.5ms first then 5ms, why not...
The freq hopping pattern changes at each power up. It uses 8 channels spaced by 5 except the first one which is 4 (strange...). It's hopping based on a table top->bottom, bottom->top, top ->bottom even then odd,...
Pascal