Add support for GA-4H generic Ebay controller #902
Comments
attached below is a protocol dump made via visual studio code. |
Thanks, I'll have a look soon and let you know |
There are multiple issues:
Right now, I'm just unsure how it all works. I have the impression it is like the Turbo Racing with RF frequencies going all over the place without any specific pattern. But I can't see if the RF frequencies loop since the dumps are not long enough. |
Also if you could use logic v1 instead since they've never fixed the export bug in the SPI analyzer of the V2 despite many requests... |
The more I look at it, the more it looks like the Turbo racing protocol that I haven't been able to reverse on a different RF chip... I'm saying that from memory, I'll check my old dumps. |
Chip: XN297L
Address from dumps: 45 8B 5A 00
The dumps look to have been done from 2 different TXs. I would need a good over the air dump from the 2 TXs over a long period of time using a bitrate of 250K using a 4 bytes TX address on channels 0x0F=15d, 0x23=35d, 0x4E=78d and any other channels with a good flow of packets starting by 0xF4. This might give some clues to figure out F3 and FC types.
Packets:
P1=STR,P2=THR,P3=CH3,P4=CH4: 0x64..0x96..0xC8 100..150..200 ->small amplitude...
Type F3 = ?? Address: 55 45 05 08
Type FC = bind |
At this stage I need an extra long SPI dump from power on, over the air from the TXs you have as indicated previously, and an extra dose of luck. |
Thanks for the feedback. Tonight I'll try and get all the information that you require. I thought that a couple of data bursts would be enough since we are talking about 2.4 GHz. |
Also yes. You are correct pascallanger. As I remember I used different transmitters. |
Yes, faster sample time on your logic analyzer and let it run for a LONG time
Please dump all the transmitters you have over the air as indicated previously |
I don't know if I will find the time to do all that you asked of me this weekend, but I managed to connect each of my 4 TXs to the analyzer and make a start and bind. I have attached the new dumps made with LOGIC 1 this time. |
I will check if 8 million samples per second are enough but the dumps look ok. They give us some clues:
TX1 address: 45 45 5A 18
Packets FC = bind sent on the bind address 55 45 05 08:
Type FC = bind
Packets F3 ?sync?
Type F3 = ?sync RF frequency?
Packets F4 are common to all 4 TXs:
Type F4 = channels
P1=STR,P2=THR,P3=CH3,P4=CH4: 0x64..0x96..0xC8 100..150..200 ->small amplitude... |
Great! "The dumps look to have been done from 2 different TXs. I would need a good over the air dump from the 2 TXs over a long period of time using a bitrate of 250K using a 4 bytes TX address on channels 0x0F=15d, 0x23=35d, 0x4E=78d and any other channels with a good flow of packets starting by 0xF4. This might give some clues to figure out F3 and FC types." Or did I just circumvent that with the logic analyzer? |
I think I have enough with the logic analyzer dumps you provided. If you could do one extra on any of the 4 TXs but really long, the longest the software allows you to do from startup. |
Ok. I'll give it a go later tonight. I assume that it just needs to stand idle during the sampling. Also something that might be interesting is that button 3 is toggle and Button 4 returns automatically. I assume though that the receiver's channels 3 and 4 don't care about that and will modulate a ppm signal either way. |
Yes, just leave it still during the capture. |
The program limits me to a maximum of approximately 500 seconds. The analyzer is limited to this at 2MS/s. The program also limits me from lowering the sampling rate lower than 2MS/s. If I manage to increase the sample time I will post another zip-file. |
I managed to sample 1800 seconds. The file is too large to upload to this chat. |
RF covers all the frequencies from 0x05 to 0x4E with the exception of 0x10, 0x20, 0x30, 0x40, 0x4D |
F4 frequencies follow a pattern ABCD EFGH ABCD EFGH ABC ???? IJKL MNOP IJKL MNOP IJK ???? ... |
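Added example, not part of the thread and not the project's code: one way to check a capture against the two observations above (the reported channel range with its exceptions, and the repeating F4 hop shape). The function names are hypothetical and the channel values in `BLOCK` are constructed, not taken from the GA-4H dumps.

```python
# Added example; channel values below are constructed, not taken from the GA-4H dumps.
EXCLUDED = {0x10, 0x20, 0x30, 0x40, 0x4D}         # exceptions listed in the thread
ALLOWED = set(range(0x05, 0x4E + 1)) - EXCLUDED    # 0x05..0x4E inclusive


def coverage(channels):
    """Compare observed RF channels with the range reported in the thread.

    Returns (unexpected, missing): channels seen outside the reported set,
    and reported channels the capture has not visited yet.
    """
    seen = set(channels)
    return sorted(seen - ALLOWED), sorted(ALLOWED - seen)


def hop_period(channels, min_repeats=2):
    """Smallest p with channels[i] == channels[i + p] for every i.

    A period is only accepted when the capture holds at least min_repeats
    full periods; None means the capture is too short to show a loop.
    """
    n = len(channels)
    for p in range(1, n // min_repeats + 1):
        if all(channels[i] == channels[i + p] for i in range(n - p)):
            return p
    return None


# Constructed capture with the ABCD EFGH ABCD EFGH ABC shape.
ABCD = [0x0F, 0x23, 0x4E, 0x05]
EFGH = [0x11, 0x2A, 0x3C, 0x46]
BLOCK = (ABCD + EFGH) * 2 + ABCD[:3]

if __name__ == "__main__":
    unexpected, missing = coverage(BLOCK)
    print("unexpected:", [hex(c) for c in unexpected])
    print("not yet seen:", len(missing), "of", len(ALLOWED))
    print("period in one block:", hop_period(BLOCK))
    print("period in a short capture:", hop_period(BLOCK[:11]))
```

A `None` from `hop_period` on a real capture means only that no loop is visible in that many packets, which is the situation described earlier in the thread for the short dumps.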
I confirm that this is nearly the same as the Turbo racing protocol (types F3,F4,FC) which is using a different RF chip but the payload looks the same. For sure the same manufacturer. |
F3 RF frequencies are calculated based on TX_ADDR[1] TX_ADDR[3]: The calculation of RF0 can't be 100% sure with the data we have, it could be one of these 3 solutions:
I'm not sure if 1 and 2 are equivalent or not... TX1: 45 45 5A 18 , F3:1A,2D -> RF0=1A , RF1=RF0+13=2D |
At this stage:
That's still a lot of unknowns... |
@davidrattvik Can you see if you can connect your logic analyzer on the RX? If you can that would allow us to send stuff to it and see how it will react. |
Absolutely! I will give it a try after work. I guess that we will send known data via the multi protocol module and analyse what the receiver spits out. |
Yep 👍 |
@davidrattvik Can you launch a dump of this receiver from power on, bind with an "unknown" TX (not the one it was bound to), let it run for a couple of seconds and finally turn off the TX? |
I've purchased a 5€ receiver on ebay but it might take a month or two to get here... So I rely on you for the dumps for the time being. |
sorry for the delay. Life got in the way. |
The files you uploaded so far are good. I don't think we need larger dumps. |
Here are 4 more dumps. The amount of data that is saved in the idle unbound mode is very high, therefore I cannot sample more than a minute or so until the file size gets too big.
2 MHz, 3 B Samples rx start, bindmode.zip
2 MHz, 3 B Samples. bind mode, tx start, bind.zip
2 MHz, 3 B Samples rx start. searching for bound tx.zip
2 MHz, 3 B Samples rx start, search, bindmode, tx start,.zip |
I misread this. I'll make another dump with binding to unknown and turning off tx. |
here is the one you requested. start, bind and tx turn off. |
You have a STM32 module as you can see on the big chip. |
There is a connection at that pin. I measured it with my multimeter. I'll hook my oscilloscope to it to see where to connect |
I must have had a bad connection. Now there are 3 data streams. |
I'm puzzled by the RX dump. Anyway, I think we could do something which is not great but:
If the RX receives the F3, I guess it will start to hop using that sync. Where it goes bad is if it doesn't receive the F3, it will continue to hop but we can catch it on the next F3 and resync it. In this case it could lose a maximum of 19 packets -> (19+1)*14ms=280ms. There might be a trick to prevent this loss which is to send 2 x F4s, 1 F4 using the sync packet hopping and another F4 as if it has not received the F3, and we do that back to back. This way we should catch it whatever turns it took and send it back where we want it to be. |
ok so the module is ready to receive a custom protocol. |
Any luck with this? It would be cool to be able to emulate the turbo racing protocol, their cars are quickly gaining in popularity. |
Pascal got pretty far as I can see and I believe that he is taking some well deserved time off until the receiver that he ordered arrives. He is way ahead of me in understanding what is happening, but as far as I can tell, most of the protocol is understood and there is still some channel-switching that needs to be solved. Also pascal: no stress! Take your time and let me know if there is anything we/I can do to help you along. |
Something that just struck me regarding these receivers: if you start the transmitter first and then press bind on several receivers, all receivers will bind to the same transmitter equally. So there is no real "pairing" here. Just a receiver listening to the first signal it hears. What if we were to send ch1234 under the first ID. And then transmit ch5678 under another ID. If the transmitter switched between these 2 IDs every other data burst, it would then be possible to use the receivers together to form an 8ch receiver. |
@davidrattvik The receiver has been lost and I finally got a refund... Are you still available to test? I can try to code the protocol and see what we will end up with. |
Yes I am definitely available. Would you like me to purchase a new receiver for you? |
Hi and thank you for the work that you guys have done!
I have a bunch of common receivers that i believe would be nice to add to the protocol list.
I have captured a data stream from each of the pins on the transmitter chip (XN297L) (it is connected to the common nRF24L01).
The controller does not seem to be smart in any way as you can connect multiple receivers to the same controller. You can also bind a receiver long after you started the controller. I tested this by running a couple of receivers at the same time. During this time I connected another receiver and pressed the bind button on the receiver, which connected directly and started to copy what the other receivers were doing. Therefore I don't believe that there is any 2 way communication and that the controller sends its address out at every data burst. The first address that the receiver sees will be the one that it takes its commands from.
also there is no bind button on the transmitter.
each stream was captured with the controller in a different position.
Start no bind
Start bind
Full left
Full right
full throttle
full brake
ch3 toggle
ch4 toggle.
I hope that i have collected enough data for you to be able to make a protocol from this.
captured with logic2
GA-4H.zip