Mar 21, 2012, 03:38 AM
Better then Sliced Bread!
United States, CA, Arcata
Joined Oct 2011
2,650 Posts
Quote:
Originally Posted by Mike43110 View Post
So, how would you start a firmware. Base OS required?
As it will be built from the ground up, any UI suggestions?
At the moment it looks like the UI was built using the parts from an IDE.

This looks to be quite interesting, unfortunately nobody can do anything without the protocols.
Will the DSM2 stuff already done be enough?
It's ARM machine code, no OS, all the UI would have to be done, there are development kits for this processor, it's just a matter of building a firmware from the ground up!
Posted by NorCalMatCat
Mar 21, 2012, 01:13 PM
Registered User
Joined Jan 2012
682 Posts
Quote:
Originally Posted by Mike43110 View Post
This looks to be quite interesting, unfortunately nobody can do anything without the protocols.
Will the DSM2 stuff already done be enough?
To my knowledge, the only thing done was to implement the capability to interface with a DSM2 module scavenged from an old Transmitter (or the rare plugin module). You could do the same to a Devo if you wanted to use that module, but if you wanted to support DSM2 without any hardware modifications, the DSM protocol needs to be understood, and I don't think much work has happened on that front. This is the holy-grail of a Tx: a firmware only upgrade to support all 2.4GHz protocols. It is probably quite far away though.
Posted by PhracturedBlue
Mar 21, 2012, 02:54 PM
Better then Sliced Bread!
United States, CA, Arcata
Joined Oct 2011
2,650 Posts
Quote:
Originally Posted by PhracturedBlue View Post
To my knowledge, the only thing done was to implement the capability to interface with a DSM2 module scavenged from an old Transmitter (or the rare plugin module). You could do the same to a Devo if you wanted to use that module, but if you wanted to support DSM2 without any hardware modifications, the DSM protocol needs to be understood, and I don't think much work has happened on that front. This is the holy-grail of a Tx: a firmware only upgrade to support all 2.4GHz protocols. It is probably quite far away though.
With the current hardware it's not going to happen, I think FHSS and DSSS require different hardware to work.
Posted by NorCalMatCat
Mar 21, 2012, 03:29 PM
Registered User
Joined Jun 2010
120 Posts
The CPU is based on an ARM Cortex M3 processor, IDA Pro disassembles the binaries just fine. While it's not trivial to reverse ARM binaries it's not impossible especially if you have a HW debugger available

I'm _still_ waiting for my Devo8S to arrive so I can get stuck in, all that's really needed is the transmitter protocol (and the telemetry stuff of course) and we can begin developing a replacement firmware - no real hacking required coz there's nothing to prevent our own code running. Logging the SPI bus between CPU and CYRF chip is high on the "todo" list. It will be really interesting to compare the way the old Walkera stuff works with the Devo Tx's

Does anyone use the Walkera telemetry? Would a PC based telemetry logger be interesting?

Edit: The cheap and cheesy DSM2 module I ripped out of the nasty Tx I got with my HZ Champ is based on the CYRF6936 (looks a _lot_ like the satellite module from my AR6210).

Edit, not SiLabs but CY8C214
Posted by rcH4x0r
Last edited by rcH4x0r; Mar 21, 2012 at 03:53 PM.
Mar 21, 2012, 03:31 PM
Better then Sliced Bread!
United States, CA, Arcata
Joined Oct 2011
2,650 Posts
Quote:
Originally Posted by rcH4x0r View Post
The CPU is based on an ARM Cortex M3 processor, IDA Pro disassembles the binaries just fine. While it's not trivial to reverse ARM binaries it's not impossible especially if you have a HW debugger available

I'm _still_ waiting for my Devo8S to arrive so I can get stuck in, all that's really needed is the transmitter protocol (and the telemetry stuff of course) and we can begin developing a replacement firmware - no real hacking required coz there's nothing to prevent our own code running. Logging the SPI bus between CPU and CYRF chip is high on the "todo" list. It will be really interesting to compare the way the old Walkera stuff works with the Devo Tx's

Does anyone use the Walkera telemetry? Would a PC based telemetry logger be interesting?
Do you have the equipment to reverse engineer the protocols? (I am assuming an oscilloscope is pretty much all that is required?)
Posted by NorCalMatCat
Mar 21, 2012, 03:48 PM
Registered User
Joined Jun 2010
120 Posts
I sure do

-IDA Pro to reverse the firmware
-Logic Analyser to log the SPI bus and see how the CPU is driving the CYRF chip (see my site, rcH4x0r.com, for examples)
-ST-LINK to control the CPU via debug interface (SWD in this case)

If/when we understand the transmitter protocol we are free to do our own thing.

The DSM2 stuff is quite do-able too (same CYRF chip), even if they do something sneaky like encrypt the data we can get the chip cracked & dumped for a couple of hundred dollars in China
Posted by rcH4x0r
Last edited by rcH4x0r; Mar 21, 2012 at 03:55 PM.
Mar 21, 2012, 04:29 PM
Registered User
Joined May 2011
657 Posts
Quote:
Originally Posted by rcH4x0r View Post
I sure do

-IDA Pro to reverse the firmware
-Logic Analyser to log the SPI bus and see how the CPU is driving the CYRF chip (see my site, rcH4x0r.com, for examples)
-ST-LINK to control the CPU via debug interface (SWD in this case)

If/when we understand the transmitter protocol we are free to do our own thing.

The DSM2 stuff is quite do-able too (same CYRF chip), even if they do something sneaky like encrypt the data we can get the chip cracked & dumped for a couple of hundred dollars in China
Welcome back!
It's a pity that you still don't have your tx! Where did you order from?

Could you send me the disassembled code? I would try to help to figure it out...
The question is: which fw to begin with? Most known hardware is the DEVO 8/8S, but it might be easier to look for the protocol in a simpler fw, like the DEVO 10...

Edit:
There are a few protocols to determine: auto-binding vs fixed id sending, normal flight control, receiving telemetry data, sending and receiving wireless model data transfer... etc
Posted by FDR_
Mar 21, 2012, 04:32 PM
Better then Sliced Bread!
United States, CA, Arcata
Joined Oct 2011
2,650 Posts
Quote:
Originally Posted by FDR_ View Post
Welcome back!
It's a pity that you still don't have your tx! Where did you order from?

Could you send me the disassembled code? I would try to help to figure it out...
The question is: which fw to begin with? Most known hardware is the DEVO 8/8S, but it might be easier to look for the protocol in a simpler fw, like the DEVO 10...
I second the decompiled code, I would like to start going through it and seeing what I can figure out.
Posted by NorCalMatCat
Mar 21, 2012, 07:23 PM
Registered User
Joined May 2010
32 Posts
Another disassembled code request.
Posted by Mike43110
Mar 21, 2012, 07:44 PM
Registered User
Joined Dec 2009
162 Posts
SPI bus between CPU and CYRF6936 is done.

Quote:
Originally Posted by rcH4x0r View Post
The CPU is based on an ARM Cortex M3 processor, IDA Pro disassembles the binaries just fine. While it's not trivial to reverse ARM binaries it's not impossible especially if you have a HW debugger available

I'm _still_ waiting for my Devo8S to arrive so I can get stuck in, all that's really needed is the transmitter protocol (and the telemetry stuff of course) and we can begin developing a replacement firmware - no real hacking required coz there's nothing to prevent our own code running. Logging the SPI bus between CPU and CYRF chip is high on the "todo" list. It will be really interesting to compare the way the old Walkera stuff works with the Devo Tx's

Does anyone use the Walkera telemetry? Would a PC based telemetry logger be interesting?

Edit: The cheap and cheesy DSM2 module I ripped out of the nasty Tx I got with my HZ Champ is based on the CYRF6936 (looks a _lot_ like the satellite module from my AR6210).

Edit, not SiLabs but CY8C214
MISO, MOSI and not-SS are tied to the processor. I also found data transmission mode is 8DR.
Posted by derek4610
Last edited by derek4610; Mar 21, 2012 at 07:46 PM. Reason: none
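The SPI logging between the CPU and the CYRF6936 discussed in the posts above, as an added example that is not part of the thread or any poster's code: it decodes a per-byte capture into register reads and writes and unpacks TX_CFG, where the 8DR data mode appears. The CSV column layout and all byte values are constructed assumptions; the command-byte layout and register names follow the CYRF6936 datasheet.

```python
import csv
import io
from itertools import groupby

# Constructed sample: one row per SPI byte; "packet" numbers each chip-select
# assertion. The column layout is an assumption, not a specific tool's export.
CAPTURE = """time_s,packet,mosi,miso
0.000100,0,0x83,0x00
0.000108,0,0x0F,0x00
0.000300,1,0x80,0x00
0.000308,1,0x2A,0x00
0.000500,2,0xA0,0x00
0.000508,2,0x11,0x00
0.000516,2,0x22,0x00
0.000700,3,0x03,0x00
0.000708,3,0x00,0x0F
"""

# Subset of CYRF6936 register names, and the TX_CFG data-mode field (bits 4:3).
REGS = {0x00: "CHANNEL", 0x01: "TX_LENGTH", 0x02: "TX_CTRL", 0x03: "TX_CFG",
        0x0F: "XACT_CFG", 0x20: "TX_BUFFER", 0x21: "RX_BUFFER",
        0x22: "SOP_CODE", 0x23: "DATA_CODE"}
DATA_MODES = ["GFSK", "8DR", "DDR", "SDR"]

def describe_tx_cfg(value):
    """Split a TX_CFG value into code length, data mode and PA level."""
    return {"code_len": 64 if value & 0x20 else 32,
            "data_mode": DATA_MODES[(value >> 3) & 0x03],
            "pa_level": value & 0x07}

def decode(capture_text):
    """Turn per-byte rows into one record per chip-select transaction."""
    rows = csv.DictReader(io.StringIO(capture_text))
    out = []
    for _, grp in groupby(rows, key=lambda r: r["packet"]):
        grp = list(grp)
        cmd = int(grp[0]["mosi"], 16)
        # Command byte: bit 7 = direction (1 = write), bit 6 = auto-increment,
        # bits 5:0 = register address. Written data is on MOSI, read data on MISO.
        write, addr = bool(cmd & 0x80), cmd & 0x3F
        data = [int(r["mosi" if write else "miso"], 16) for r in grp[1:]]
        rec = {"op": "write" if write else "read", "auto_inc": bool(cmd & 0x40),
               "reg": REGS.get(addr, f"0x{addr:02X}"), "data": data}
        if addr == 0x03 and data:
            rec["tx_cfg"] = describe_tx_cfg(data[0])
        out.append(rec)
    return out

if __name__ == "__main__":
    print(*decode(CAPTURE), sep="\n")
```
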
Mar 21, 2012, 07:52 PM
Registered User
Joined Jun 2010
120 Posts
In the pics already posted you can see both SPI interfaces are in use. One to the CYRF radio chip, the other to a 4MB SPI flash chip. Open questions are the ADCs for the joysticks and the LCD interface
Posted by rcH4x0r
Mar 21, 2012, 07:57 PM
Better then Sliced Bread!
United States, CA, Arcata
Joined Oct 2011
2,650 Posts
Quote:
Originally Posted by rcH4x0r View Post
In the pics already posted you can see both SPI interfaces are in use. One to the CYRF radio chip, the other to a 4MB SPI flash chip. Open questions are the ADCs for the joysticks and the LCD interface
Yeah, getting the screen working and all control inputs working would be a very high priority well before protocols had to be tackled.
Posted by NorCalMatCat
Mar 21, 2012, 08:02 PM
Registered User
Joined Jun 2010
120 Posts
Quote:
Originally Posted by Mike43110 View Post
Another disassembled code request.
It doesn't quite work like that. You need IDA Pro 6 and then I can give you a dbase file that combined with the correct dfu file will let you examine the disassembly plus my comments so far
Posted by rcH4x0r
Mar 21, 2012, 08:07 PM
Registered User
Joined May 2010
32 Posts
Quote:
Originally Posted by rcH4x0r View Post
It doesn't quite work like that. You need IDA Pro 6 and then I can give you a dbase file that combined with the correct dfu file will let you examine the disassembly plus my comments so far
Got IDA 6 Pro from uni already. Just need the dbase file. I assume the dfu file is the standard devo firmware file?

Just being able to see the output of the disassembler will be enough to start me off.
Posted by Mike43110
Mar 22, 2012, 12:35 AM
Registered User
Joined Dec 2011
3,418 Posts
Quote:
Originally Posted by NorCalMatCat View Post
With the current hardware it's not going to happen, I think FHSS and DSSS require different hardware to work.
DSM2 is also a DSSS system (and a less robust one at that). But according to the hackers on the 9x forum that chip could also do FHSS. Walkera chose to use DSSS instead of FHSS because apparently they think their implementation of DSSS is better.
Posted by Atomic Skull