RC Groups

DIY Electronics
Discussion: Hubsan X4 protocol analysis

#1 PhracturedBlue Nov 20, 2012 08:16 AM

Hubsan X4 protocol analysis
 
I've started work on the Hubsan X4 protocol. Here are my initial findings.

You can find the latest documentation as part of the Deviation project in doc/Hubsan.txt:
https://bitbucket.org/PhracturedBlue/deviation/src

-----
The Hubsan X4 uses the A7105 transceiver chip for communication

Binding:
First the Tx scans the RSSI on the following channels and picks the best one:
14 1e 28 32 3c 46 50 5a 64 6e 78 82

Next it starts transmitting on the chosen frequency every 12 msec, listening
for a response after each transmission. The 1st packet (packet id 0x01) is
continuously broadcast until a response is received which begins the handshake.
Once the handshake starts, packets are transmitted at various rates as shown

There do not seem to be any special rules regarding the session ID or transmitter ID.
Using random values for these (for a given session) seems to work fine.

Stage 1:
Once the 1st packet is received, subsequent packets are transmitted at 8msec intervals
Set the A7105 ID to '55 20 10 41'
---- Ex 1 ---
Tx: 01 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 12
Rx: 02 3c 2c b5 da b3 00 00 00 00 00 00 00 00 00 54
Tx: 03 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 10
Rx: 04 3c 2c b5 da b3 00 00 00 00 00 00 00 00 00 52
---- Ex 2 ---
Tx: 01 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 84
Rx: 02 32 44 a7 0d 0f 00 00 00 00 00 00 00 00 00 c5
Tx: 03 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 82
Rx: 04 32 44 a7 0d 0f 00 00 00 00 00 00 00 00 00 c3
---
aa bb cc dd ee ff gg hh ii jj kk ll mm nn oo pp
aa : current bind state
bb : chosen frequency
ccddeeff : ID to use for this session
gg : always Tx 08
hh-kk : ??
llmmnnoo: Transmitter ID(?)
pp : checksum

Stage 2:
Set the A7105 ID to 'cc dd ee ff'. Packets still transmit at 8msec intervals.
---- Ex 1 ---
Tx: 01 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 12
Rx: 02 3c 2c b5 da b3 03 07 20 03 01 00 00 00 00 26
---- Ex 2 ---
Tx: 01 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 84
Rx: 02 32 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 97

Stage 3:
The '09' packet is transmitted every 22msec.
---- Ex 1 ---
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 02 2c b5 da b3 03 07 20 03 01 00 00 00 00 58
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 03 2c b5 da b3 03 07 20 03 01 00 00 00 00 57
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 04 2c b5 da b3 03 07 20 03 01 00 00 00 00 56
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 05 2c b5 da b3 03 07 20 03 01 00 00 00 00 55
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 06 2c b5 da b3 03 07 20 03 01 00 00 00 00 54
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 07 2c b5 da b3 03 07 20 03 01 00 00 00 00 53
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 08 2c b5 da b3 03 07 20 03 01 00 00 00 00 52
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 09 2c b5 da b3 03 07 20 03 01 00 00 00 00 51
---- Ex 2 ---
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 02 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 bf
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 03 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 be
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 04 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 bd
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 05 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 bc
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 06 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 bb
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 07 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 ba
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 08 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 b9
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 09 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 b8
---
aa bb cc dd ee ff gg hh ii jj kk ll mm nn oo pp
aa : current bind state (?)
bb : chosen frequency (Tx), count (Rx)
ccddeeff: chosen ID for this session
gg : always Tx 08
hh-kk : ??
llmmnnoo: Transmitter ID(?)
pp : checksum
Binding is complete once the Received data has 'bb' == '09'


Data transmission:
The Transmitter will transmit 4 data packets on the chosen frequency,
and then a single packet on freq + 0x23.
Packets are transmitted 10msec apart

Ex1: 20 00 00 00 80 00 7d 00 84 02 64 db 04 26 79 7b
Ex2: 20 00 00 00 80 00 7d 00 84 02 64 db 04 26 79 7b
aa bb cc dd ee ff gg hh ii jj kk ll mm nn oo pp
cc : throttle observed range: 0x00 - 0xff (smaller is down)
ee : rudder observed range: 0x34 - 0xcc (smaller is right)
gg : elevator observed range: 0x3e - 0xbc (smaller is up)
ii : aileron observed range: 0x45 - 0xc3 (smaller is right)
llmmnnoo: Transmitter ID(?)
pp : checksum
Checksums:
The checksum is calculated as 256 - ((sum of the 1st 15 bytes) modulo 256)

I will update more as I start experimenting to find the meaning of all the unknown bytes.
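A small set of Python helpers, added here as an example and not code from this post or from the Deviation driver, that applies the packet layout and checksum rule above to the captures quoted in the post: it verifies and decodes bind packets, detects the 'bb' == 09 bind-complete condition, rebuilds the data packet from its stick bytes, and computes the four-then-hop channel schedule. The 0x02 0x64 pair in the data packet is copied from the captures, and the wrap of a zero checksum to 0x00 is an assumption.

```python
# Hubsan X4 packet helpers. Added example for this thread, not code from the
# Deviation project; layout, checksum rule and sample captures come from post #1.

BIND_CHANNELS = [0x14, 0x1e, 0x28, 0x32, 0x3c, 0x46, 0x50, 0x5a, 0x64, 0x6e, 0x78, 0x82]
DATA_HOP_OFFSET = 0x23   # every 5th data packet is sent on freq + 0x23

# Captures quoted in post #1: stage 1 Tx, final stage 3 Rx, and a data packet
SAMPLE_BIND_TX = bytes.fromhex("013c2cb5dab308e5ea9e50db04267912")
SAMPLE_BIND_RX = bytes.fromhex("0a092cb5dab303072003010000000051")
SAMPLE_DATA = bytes.fromhex("2000000080007d00840264db0426797b")

def checksum(body):
    """256 - (sum of the first 15 bytes mod 256). Assumption: a sum that is a
    multiple of 256 would give 256, which does not fit a byte, so it wraps to 0x00."""
    return (-sum(body[:15])) & 0xff

def verify(pkt):
    """True if pkt is 16 bytes long and its last byte matches the checksum."""
    pkt = bytes(pkt)
    return len(pkt) == 16 and pkt[15] == checksum(pkt)

def parse_bind(pkt):
    """Split a bind-stage packet into the fields named in post #1.
    Byte 1 is the chosen frequency in Tx packets and a counter in Rx packets."""
    pkt = bytes(pkt)
    if not verify(pkt):
        raise ValueError("bad length or checksum")
    return {
        "state": pkt[0],
        "freq_or_count": pkt[1],
        "session_id": pkt[2:6].hex(),
        "unknown": pkt[6:11].hex(),        # bytes gg-kk, meaning not yet known
        "transmitter_id": pkt[11:15].hex(),
    }

def bind_complete(rx):
    """Binding is done once a valid received packet carries bb == 0x09."""
    rx = bytes(rx)
    return verify(rx) and rx[1] == 0x09

def build_data(throttle, rudder, elevator, aileron, tx_id):
    """Build a 0x20 control packet; stick bytes use the raw ranges from post #1."""
    for v in (throttle, rudder, elevator, aileron):
        if not 0 <= v <= 0xff:
            raise ValueError("stick value must fit in a byte")
    tx_id = bytes(tx_id)
    if len(tx_id) != 4:
        raise ValueError("transmitter ID is 4 bytes")
    # bytes jj/kk are 0x02 0x64 in both captures; their meaning is unknown
    body = bytes([0x20, 0x00, throttle, 0x00, rudder, 0x00, elevator, 0x00,
                  aileron, 0x02, 0x64]) + tx_id
    return body + bytes([checksum(body)])

def data_channel(index, base_freq):
    """Channel for the index-th data packet: four on base_freq, then one on base_freq + 0x23."""
    return base_freq if index % 5 < 4 else base_freq + DATA_HOP_OFFSET
```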

#2 PhracturedBlue Nov 21, 2012 09:58 AM

Well, the above information is enough to bind and fly a Hubsan X4.
There are lots of bytes whose value I don't know, but setting random values for the 'session ID' and 'transmitter ID', I have no issue binding or flying. There is a driver in the deviation source code now.

Note that the current code probably won't work with a scavenged V911 module. Inspection of that module shows that it does not have an antenna connected to the LNA input. I will test to be sure. On the other side, the handshake is not symmetrical. It should be possible to complete the binding sequence without receiving any data from the model (though it won't be as reliable). If the V911 module isn't capable of completing the binding, I'll likely add an option for that.

For now, I've tested with an XL7105-SY (no external LNA/PA) and the '500m' module from ebay/aliexpress (has a ~16dBm PA), and both work well.

#3 PhracturedBlue Nov 21, 2012 09:59 AM

Also, the antenna on the Hubsan X4 Tx is purely decorative. There is no wire in the antenna. The Hubsan Tx uses an on-board antenna via the A7105 reference design, and has no external PA.

#4 dave1993 Nov 21, 2012 10:49 AM

thanks again for an excellent dissection. im tempted to buy a hubsan and a devo just to test out your code. unfortunately both are a bit too pricey for me atm. i wish there was an avr or arduino project for 7105/flysky like kreatures cc2500 thread. guess im still stuck with diy frsky for now.

#5 PhracturedBlue Nov 21, 2012 12:07 PM

Well, the V911 module works too surprisingly enough. I guess it has enough sensitivity without an antenna (or the antenna is connected and I just can't tell visually)

#6 PhracturedBlue Nov 21, 2012 12:11 PM

Quote:

Originally Posted by dave1993 (Post 23326353)
thanks again for an excellent dissection. im tempted to buy a hubsan and a devo just to test out your code. unfortunately both are a bit too pricey for me atm. i wish there was an avr or arduino project for 7105/flysky like kreatures cc2500 thread. guess im still stuck with diy frsky for now.

The code itself should be easy to port to Arduino. I am currently doing protocol development on my Raspberry Pi using the same code. It isn't 100% reliable due to the non-RT nature of Linux, but it is fine for analysis and development. Of course you need enough knowledge to port the SPI routines, but otherwise it should be nearly plug and play.

#7 jesolins Nov 21, 2012 01:10 PM

P,
Nice work! Any chance of getting this to work in a Futaba 9c?...;)
Cheers,
Jim
Quadrocopter and Tricopter Info Mega Link Index

#8 PhracturedBlue Nov 21, 2012 01:35 PM

Quote:

Originally Posted by jesolins (Post 23327420)
P,
Nice work! Any chance of getting this to work in a Futaba 9c?...;)
Cheers,
Jim
Quadrocopter and Tricopter Info Mega Link Index

No, that is completely unrealistic. The only way to do it would be something like the magic cube, or Hammer22's module that plugs into the trainer port. Not something I'm interested in doing.

#9 jesolins Nov 21, 2012 01:43 PM

P,
OK. The Anylink/MagicCube trainer port or plug in modules would sure make life much easier with all the proprietary protocols in the multicopter micro and mini quads and other models out there. I did modify the Turnigy 9x module to work in the Futaba 9c for the WLToys multicopters. It would be great to have something like that for the Hubsan X4 too;)

I have a DEVO 10, but not sure I want to modify the internal hardware to do this, if it will even work on a DEVO 10?

Great work again!
Cheers,
Jim
Quadrocopter and Tricopter Info Mega Link Index


Quote:

Originally Posted by PhracturedBlue (Post 23327623)
No, that is completely unrealistic. The only way to do it would be something like the magic cube, or Hammer22's module that plugs into the trainer port. Not something I'm interested in doing.


#10 RCaDDiCT! Nov 21, 2012 01:45 PM

Will you be releasing an updated version of Deviation software to support Hubsan X4 protocol? I've tried building firmware from latest source but not having much luck...

#11 PhracturedBlue Nov 21, 2012 01:48 PM

Quote:

Originally Posted by RCaDDiCT! (Post 23327696)
Will you be releasing an updated version of Deviation software to support Hubsan X4 protocol? I've tried building firmware from latest source but not having much luck...

We are in the final stages before the next release. I'm hopeful I'll get it out in the next week or so.

#12 RCaDDiCT! Nov 21, 2012 02:32 PM

Excellent! Thanks again:)

#13 mystman Nov 21, 2012 04:42 PM

Any chance to implement it into er9x firmware to use the 9x ?

#14 PhracturedBlue Nov 21, 2012 05:13 PM

Quote:

Originally Posted by mystman (Post 23329080)
Any chance to implement it into er9x firmware to use the 9x ?

Not without doing the same hardware modification I do for Devo Tx. The 9x hardware does not expose enough control over the A7105 transceiver to support using the same module with multiple protocols.

#15 flyhigh42 Nov 26, 2012 09:49 PM

Quote:

Originally Posted by PhracturedBlue (Post 23329302)
Not without doing the same hardware modification I do for Devo Tx. The 9x hardware does not expose enough control over the A7105 transceiver to support using the same module with multiple protocols.

Thanks so much for working on this - it's great to see someone bringing light to the mystery box. I fly my Hubsan a lot and notice that it doesn't always bind right away. Now I see some of the variables at play!
