Thread: Discussion DSMX Hacking
Posted by hammer22, Dec 06, 2012, 11:36 AM
It's important to note that the real GUID of the radio is, as printk says, a 32-bit value which the receiver learns at bind time. 16 of those bits are the actual GUID that is transmitted as the first 2 bytes of every data packet sent. It is those 2 bytes that are modified with the model match number. The other 16 bits become a pair of CRC seed values used to build the checksum of each data packet. This also aids in making sure the receiver only receives packets from the correct transmitter because it will reject the packet if the CRCs do not match. The CRC seed values do not change with the model match number.

So a Spektrum radio with 50 model memories actually had 50 different GUIDs; one for each model memory slot.

The way Spektrum handles the model match number is to take the base radio GUID (model memory 1 actually has a model match number of 0, model memory 2 has model match value 1, etc.) and XOR that with the single-byte model match number. The new GUID that is produced is used any time that particular model memory is selected.

The DSMX frequency hopping algorithm appears to use the entire 32-bit GUID to calculate the hopping pattern.
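A small model of the receiver-side acceptance checks described in the post above, added here as an illustration; it is not code from the poster or from Spektrum. Assumptions: the high 16 bits of the GUID are the on-air ID and the low 16 bits form a single CRC seed, the model match byte is XORed into the low ID byte, the CRC is a CRC-16 with polynomial 0x1021 appended to the packet, and all GUID values are constructed.

```python
# Added illustration. Bit layout, CRC polynomial and packet framing are assumptions.

def crc16(data: bytes, seed: int) -> int:
    """Bitwise CRC-16 (polynomial 0x1021, assumed) with the seed as initial value."""
    crc = seed & 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def split_guid(guid32: int):
    """Assumed split: high 16 bits = transmitted ID, low 16 bits = CRC seed."""
    return (guid32 >> 16) & 0xFFFF, guid32 & 0xFFFF

def slot_id(guid32: int, model_match: int) -> int:
    """Per-model ID: base ID XOR the single-byte model match number."""
    base_id, _seed = split_guid(guid32)
    return base_id ^ (model_match & 0xFF)

def build_packet(guid32: int, model_match: int, payload: bytes) -> bytes:
    """ID in the first 2 bytes, then payload, then the seeded CRC (framing assumed)."""
    _id, seed = split_guid(guid32)
    body = slot_id(guid32, model_match).to_bytes(2, "big") + payload
    return body + crc16(body, seed).to_bytes(2, "big")

def receiver_check(bound_guid32: int, bound_model: int, packet: bytes) -> str:
    """Return 'accept' or the reason the bound receiver drops the packet."""
    if len(packet) < 4:
        return "reject: short"
    body, rx_crc = packet[:-2], int.from_bytes(packet[-2:], "big")
    _id, seed = split_guid(bound_guid32)
    if crc16(body, seed) != rx_crc:      # seed is independent of the model slot
        return "reject: crc"
    if int.from_bytes(body[:2], "big") != slot_id(bound_guid32, bound_model):
        return "reject: id"              # same radio, different model memory
    return "accept"

TX_A = 0x12345678   # constructed GUID
TX_B = 0x1234ABCD   # constructed: same ID bits as TX_A, different seed bits
DATA = bytes(range(14))  # constructed payload

def demo():
    return {
        "same radio, slot 0": receiver_check(TX_A, 0, build_packet(TX_A, 0, DATA)),
        "same radio, slot 1": receiver_check(TX_A, 0, build_packet(TX_A, 1, DATA)),
        "other radio, same ID": receiver_check(TX_A, 0, build_packet(TX_B, 0, DATA)),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```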